COSMIC - PC SOFTWARE TEMPLATES FOR SAFETY AND TOTAL QUALITY
Richard A. Strong
Safety Analysis Systems Company
INTRODUCTION
Integration and Communication. Many managers and safety professionals deal with similar work areas; therefore, an integrated information system is desired. Clearly, one wants integration where there are common goals. As an example, the DOD and NASA system safety report directives and the OSHA and EPA regulations require that much of the same information be recorded. Most managers desire methods of implementing changes for improving product safety. COSMIC uses PC capabilities so that users can integrate decision information. However, integration requires common software, data and formats. The work grew out of an unsolicited proposal, COSMIC WISDOM, Computerized Operational System Modeling for Workable, Intelligent System Development, Operation, and Maintenance. The COSMIC system has been reduced to practice in available software, StrongWare®.
COMMON COMMUNICATIONS
Commercial Off The Shelf Software, COTSS, offers a cost-effective solution. Development and training costs and schedules may be reduced, relative to unique software. COTSS is continually upgraded as a matter of competition and technology at low cost. In the event that a user changes preference of a COTSS brand, existing data files may be exported and imported into the new COTSS. Virtually all COTSS are "Y2K compliant". COSMIC has common display screens and report forms for "The Big Three" COTSS database and spreadsheet software: Lotus; Microsoft; and Corel. Graphics and word processing are also desired and available.
User Groups. With common data and displays, users may share their information with other users and know the others will see the data presented and printable in the same displays, regardless of the COTSS being used. Users may exchange data via PC-to-PC, LAN, E-mail, FAX, Internet, WWW, or in a user newsgroup network.
Common data displays and reports. COSMIC provides nearly identical data structures, display screens, and report forms in all of the COTSS database software. Rather than the simple listing of fields in columns, that leads to lengthy printouts and repetitive screen scrolling, COSMIC displays and prints data on integrated forms. Displays are designed to be the natural way anyone would like to see data presented, in a single display of all pertinent information.
The desired use would be mainly to record hazard reports, as shown in Figure 1 below (sans color-coding), where a hazard is described in the way that the Military Standard Data Item Description prescribes, with numbered entries.

Single database structure. COSMIC database structure and forms have been developed to enable the various managers, engineers, and testers to integrate both DoD, SAE, and NASA system safety data and DoL Occupational Safety and Health data. Life Cycle cost is provided for, so managers can perform quantitative decision-making within the database, considering cost, schedule, and operational effectiveness. The structure utilizes the maximum files with almost 250 fields of data. Where users desire to enter more data, they can output databases to a word processor and add more data.
Single Screen and Print Forms. COSMIC has a single database record to contain all of the required data concerning a given hazard. It presents all of the data on a single set of display screens and prints out the data on a single sheet.
Spreadsheet Templates. An optimum application would be a combination of a database for detailed information and a spreadsheet as an integrated system model. COSMIC uses a flowchart-style diagram scheme. This provides users with visibility of how events are related, system-wise. Displays use an intuitive grouping of data in object blocks that are based on the database records as objects. Object block relations are depicted with arrows, ">", and other symbols to indicate flow-paths. All of the usual spreadsheet functionalities for calculations, including strings and logic, are available with simple notations, such as "Or" and "And" to show logic gates. An example is shown in Figure 2.
SAFETY AND RELIABILITY
System Safety Program. COSMIC was developed from lessons learned from practice in the system safety discipline, so the description will begin from this viewpoint. The requirements were defined in the Military Standard MIL-STD-882 some 30 years ago. The DOD/DOE/DOT/NASA standard for preventing losses is the system safety program.
The goal is, as Hugh Dryden said, "... to make known the overlooked and unexpected..."
HAZARD REPORT PROBLEMS
There are several problems with the standard hazard analysis report required by MIL-STD-882, NASA V.1710, and other requirements. The main problem is that they are paper-based, so paper is usually printed and delivered, thereby precluding timely and cost-effective updating. Use of electronic PC communications by E-mail or FAX of files provides for much shorter and cheaper submissions; however, accessing the data is problematic. There are no standards for databases as yet; however, COSMIC presents desiderata based on the requirements. Other problems arise from the differing formats for the data; COSMIC provides for the formats.
Multiple Formats and Outputs. COSMIC data may also be entered and output in the form of:
1. Reliability Failure Modes and Effects Analysis, FMEA, per SAE J-1739 and QS-9000;
2. System Safety hazard reports per NASA V1700, MIL-STD 882, and DI-SAFT-80101;
3. Columnar hazard log reports for prioritized lists of hazards;
4. Presentation and training aids and viewgraphs and slide shows;
5. Database for directives & documents as a knowledge reference; and
6. Word processor text records.
MIL-STD 882 includes requirements for EPA hazards. COSMIC also would provide for OSHA and EPA information:
1. Recording Material Safety Data Sheets, MSDSs, and summarizing MSDS data;
2. Creating container labels for hazardous materials, HazMats, and Hazardous Waste, HazWaste;
3. Inventorying HazMats with Threshold Planning Quantity spreadsheets;
4. EPA Form 0317, Emergency and Hazardous Chemical Inventory spreadsheets;
5. OSHA 101/301 with OSHA 101-style hazard report database forms and OSHA 200/300 summary spreadsheets;
6. Process Safety block diagrams via spreadsheet models;
7. Performing self-audits with Program Evaluation Profile spreadsheet;
8. Documenting Job Safety Analyses and Work Plans/checklists, and Training and equipment issue records; and
9. Recording and summarizing Workers Compensation Claim data; and OSHA Incident Experience Modifiers.
FAULT TREE PROBLEMS
Due to a heavy reliance on manual methods and unique software programs, there is no standardized method of documenting fault trees. Consequently, there is no data bank nor knowledge base, so analyses must be substantially begun from scratch. Typically, fault trees are concerned only with a Top Undesired Event, TUE, and do not relate to many of the other significant hazards, even though the essence of system safety requires a system hazard analysis. COSMIC provides for complete system fault trees with Multiple Undesired Events, MUEs. In a traditional fault tree, the vertical arrangement is different from the common horizontal charts, such as Gantt or PERT, used by management; information cannot be readily integrated. COSMIC models provide for horizontal flows to facilitate integration of management and safety information.
SPREADSHEET FAULT TREES
COSMIC extends the use of spreadsheets from the typical use in finance to create "smart" planning models. The added advantage over conventional flowcharts is that the numerical calculations, such as probabilities, may be incorporated into the spreadsheet. String calculations may be entered and recalculated in "What IF?" simulations.
In many cases, users may choose to work from preliminary spreadsheet models back to the hazard report database.
COSMIC provides simple guides for laying out trees and models. Rows are used for systems; subsystems; and components. Columns are used for phases in chronological or functional sequencing, left to right.

Relating Fault Trees to Hazard Reports. Data in the fault tree spreadsheet model object should match data in the database record object, so as to preclude omissions from data to model and vice versa. COSMIC includes "translator" text reports to ensure integrity; users can output data to "translator" files and then import them into the spreadsheet.
OTHER HAZARD ANALYSES
Subsystem Analysis, Operational and Support Hazard Analysis, and Reliability Failure Modes and Effects Analysis, FMEA, reports are often done in columnar landscape format. Sometimes, the data are duplicated in the analyses and reports. Conflicts have been observed where the analyses were not integrated. Safety, including occupational safety and health, environmental safety, and reliability should be integrated, thereby lessening duplication and conflict.
COSMIC provides for the integration by providing an FMEA form and report for the system safety data.
DECISION ANALYSIS
Decision-Making with MOST. It is noted that the 882 standard requires Life Cycle Cost, LCC, analysis for some hazards. Calculations of Future Values are included in COSMIC for users to compare LCCs or benefits between scenarios with hazards and with the recommended corrective actions, including residuals for both scenarios. COSMIC databases include hazard report screens that provide for quantitative decision-making with comparison of existing hazards and recommended actions in terms of Probability, Money, Operational effectiveness, Safety, and Time ("MOST"). The definition of the value of "Operational Effectiveness" is open for users to write. Fields are also provided for Special Factor and a Quality Metric, should users desire to break out the data for special management. Figures are automatically computed for the Service Life Cycle in terms of future values at designated investment. Non-recurring start-up costs are accounted for by considering the costs as loans to be repaid. In the operations analysis area, decision trees have been used to show the various scenarios stemming from decisions. If one holds that mishaps result from decisions, then they must be traced back to their sources in order to resolve the mishaps.
The rule is: Mishaps are the results of human decisions; one should provide for relating decisions to consequences.
Example of Fault and Decision Tree Spreadsheet. The hazard shown in Figure 2 is shown as a partial decision tree in Figure 3 with: Decision paths, "D"; Safety paths "S"; and Fault paths, "F". Safe paths are placed above Fault paths. "MA" is "Mission Accomplished". This emphasizes the causes as decisions.
                      +-----------------+           \
+-------------+     /-> Fuel sealed      >S          \
| Vehicle fuel >- D<  +-----------------\             \
+-------------+     \-> Fuel leak/vent   >-F-\         \         /
                      +-----------------/     \         \       /   +---------\
                      +-----------------+       >OR->->->AND-OR<->-> Fumes/Liq.>OR<
+-------------+     /-> HAZMAT sealed    >S    /                    +---------/      \
| HAZMAT/WASTE >- D<  +-----------------\     /                                       \
+-------------+     \-> HAZMAT leak/vent >-F-/                                         \
                      +-----------------/                                               \
                                                                                         \
                      +-----------------+                                                 >-AND>
+-------------+     /-> Electric sealed  >S                                              /
|Electrical Eq >- D<  +-----------------\                                               /
+-------------+     \-> Electric spark   >-F->->\                                      /
                      +-----------------/        \                                    /
                                                  \                                  /
+-------------+       +-----------------+          \                +---------\     /
| Natural     |     /-> Grounding Rods   >S         >OR-F ->->->->-> Igniter   >->-/
| Environment  >- D<  +-----------------\          /                +---------/
+-------------+     \-> Lightning strike >-   F->-/
                      +-----------------/
Figure 3. Fault Tree plus Decision Tree equals Double-Tree
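The gate arithmetic behind a tree like Figure 3, as an added example that is not part of the original paper or of StrongWare. It assumes a simplified reading of the figure (leak OR leak gives fumes, spark OR lightning gives an igniter, fumes AND igniter gives the undesired event), independent events, and constructed probabilities; the names FAULT_P, evaluate, best_single_fix and "top" are hypothetical.

```python
# Added example: a simplified reading of the Figure 3 Double-Tree.
# Probabilities are constructed for illustration; events are assumed independent.
FAULT_P = {
    "fuel_leak": 0.02,
    "hazmat_leak": 0.01,
    "electric_spark": 0.005,
    "lightning_strike": 0.001,
}
ALL_FAULT = {name: "F" for name in FAULT_P}


def p_or(*ps):
    """OR gate: at least one independent input occurs."""
    none_occur = 1.0
    for p in ps:
        none_occur *= 1.0 - p
    return 1.0 - none_occur


def p_and(*ps):
    """AND gate: every independent input occurs."""
    all_occur = 1.0
    for p in ps:
        all_occur *= p
    return all_occur


def evaluate(decisions):
    """decisions maps each event to 'S' (safe path) or 'F' (fault path)."""
    p = {k: FAULT_P[k] if decisions[k] == "F" else 0.0 for k in FAULT_P}
    fumes = p_or(p["fuel_leak"], p["hazmat_leak"])
    igniter = p_or(p["electric_spark"], p["lightning_strike"])
    # "top" is a hypothetical name; the page does not label the AND output.
    return {"fumes": fumes, "igniter": igniter, "top": p_and(fumes, igniter)}


def best_single_fix(decisions=None):
    """'What if?' run: move each F decision to S in turn; return the best one."""
    decisions = dict(decisions or ALL_FAULT)
    trials = {
        name: evaluate({**decisions, name: "S"})["top"]
        for name, path in decisions.items()
        if path == "F"
    }
    if not trials:  # every decision is already on its safe path
        return None, evaluate(decisions)["top"]
    best = min(trials, key=trials.get)
    return best, trials[best]


if __name__ == "__main__":
    print(evaluate(ALL_FAULT))
    print(best_single_fix())
```

With these constructed numbers the largest single reduction comes from the electric spark decision, although the fuel leak is the likelier fault, because the spark dominates the igniter branch of the AND gate.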
FAULT TREE PLUS DECISION TREE
COSMIC combines the two trees in a "Double-Tree", a single integrated diagram that shows both the consequences of the decisions and the causes of the losses. COSMICs may be printed and displayed continually to focus activities. In one case, a fault tree was developed for an unmanned reconnaissance system. Due to its size, it was displayed in a hallway. Many of the project engineers scanned the tree, seeking information, and one of them was heard to remark, "It's the only way to see the whole system!" This expresses the visibility that may ultimately provide the control of risk for unplanned losses. COSMIC users may have the same visibility by viewing spreadsheet models on their PC screens.
COSMIC system models have been laid out in StrongWare for a large VIP transport plane, showing a typical flight profile with significant hazards and their MUEs, in a matrix of 7 row blocks by 6 column blocks.
TOTAL QUALITY AND MODELS
Expansion for System Modeling. The Double-Tree may be expanded to include all of the significant functions to become a system model for better planning. COSMIC is particularly useful where a system requires integration and teamwork. Quality Assurance, QA, can be considered for integration into the system model to ensure that the safety and reliability requirements are achieved through production, operation, and maintenance. QA can be extended from technical considerations to system management with Total Quality Management, TQM.
COSMIC TQM MODEL
COSMIC translator reports provide for arranging both in similar arrangements in the spreadsheet models. Since the two modules are set up in the same fashion, the resultant COSMIC may be used to combine the TQM with all of the functions involved with the safety and reliability module. COSMIC software for TQM is similar to the safety and reliability software. A single integrated COSMIC might be used by all of the activities mentioned above. COSMIC models from subsystem managers and vendors may be incorporated into top system models by linking.
COMBINED SAFETY AND TQM
COSMIC models may be developed through a team approach similar to system safety groups. The process involves two major phases: first, modeling the existing operation; and second, solving problems to go from existing operations to TQM visions. The first phase would use a database record of each of the organization's significant operations or events. Financial, unit production quantity and quality, and schedule data is included, including the fishbone relations.
One may easily envision a COSMIC-style electronic version of an organizational safety and quality planning manual. Such a system could be used with a network server or website to keep all concerned up-to-date on a daily basis.
FISHBONE TO COSMIC
The well-known TQM fishbone is an excellent starting point for defining the process and the people that are involved in the process. Simply converting the fishbone into a COSMIC-style spreadsheet flow diagram might improve structuring the process and setting it up for including the other COSMIC capabilities.
TQM PROBLEM-SOLVING
Recognizing that every safety hazard has an equivalent management problem, one desires common, related methods in both arenas. The equivalent of tracing power in system safety compares in the management arena to tracing of dollars per unit of product and per unit of time for analyzing the system. The equivalent of a hazard report is a suggestion form, included in COSMIC. For the second phase, COSMIC draws from David Kolb and Min Basadur's INDUSTRIAL PSYCHOLOGY, as further developed by McBer Co. of Boston and further refined by the author. The process is said to yield a 200% increase in efficiency when compared to traditional methods. The process encourages identification of team members as four personality types and matches them to four steps in a structured problem-solving and planning process. COSMIC shifts the steps slightly and adds coaches to the teams. The process can also be used by the System Safety Group. Columnar logs are provided for prioritizing based on relative cost-effectiveness.
Financial Planning. COSMIC also provides a spreadsheet template for organizational budgeting and tax planning, with automatic calculation of tax items; therefore, a user could plan ahead as far as desired to determine tax liabilities. As an added incentive for employees to learn and use COSMIC, a personal information and financial management module is included for them to use on their at-home personal computers.
COSMIC provides for including power data in the column to the right of the dollar figures. COSMIC also provides for including probabilistic data in TQM for units of production, so as to calculate unit cost, in the columns to the right of the dollar figures. Note the similar layouts in Figure 5 with a primary set, including:
1. mainstreams across for normal and real or desired events; and
2. below, the problem or hazard.
The secondary set or alternative or recommended action below that includes:
3. the solution "pro" or recommended corrective action; and
4. below this, the "con" or effects of the action.
Users can develop consequences for each of the two decision alternatives and follow them through to success or fixes or undesired events. Typically, the pair of primary and secondary is shown as a decision choice during planning. When plans go awry, then users can modify the model to insert rows and columns as needed to show the actual scenarios.
One can add any number of alternative actions and compare their results.
QUANTITATIVE VOTING FOR GROUP DECISIONS
COSMIC provides a solution to the problem of achieving group decisions via means for stakeholders to vote specific dollars over time on each issue, as an alternative to using simple majority vote. Tallies may be input to the MOST decision-making. A database structure, ballot forms, and system models are provided for in COSMIC. The System Safety Group and the TQM Team can use the process as a way of making decisions, where consensus is not practical.
CONCLUSIONS AND RECOMMENDATIONS
The COSMIC concept provides an ideal integrated information system. The StrongWare version has been marketed and improved for over seven years and has demonstrated one practical solution to the COSMIC desiderata: use of PCs with common COTSS software for integration of system safety, reliability, OSHA and EPA, Total Quality, and integrated modeling with spreadsheets.
It is recommended that managers and information system professionals review additional information at the website strongware.com.