Publications

``High consequence`` operations are systems, structures, and/or strategies for which it is crucial to provide assured protection against some potential catastrophe or catastrophes. The word ``catastrophe`` implies a significant loss of a resource (e.g., money, lives, health, environment, national security, etc.). The implementation of operations that are to be as catastrophe-free as possible must incorporate a very high level of protection. Unfortunately, real world limitations on available resources, mainly money and time, preclude absolute protection. For this reason, conventional ``risk analysis`` focuses on ``cost-effective`` protection, demonstrating through analysis that the benefits of any protective measures chosen outweigh their cost. This is a ``crisp`` one-parameter (usually monetary) comparison. A major problem with this approach, especially for high consequence operations, is that it may not be possible to accurately determine quantitative ``costs,`` and furthermore, the costs may not be accurately quantifiable. Similarly, it may not be possible to accurately determine or to quantify the benefits of protection in high consequence operations. These weaknesses are addressed in this paper by introducing multiple parameters instead of a single monetary measure both for costs of implementing protective measures and their benefits. In addition, a fuzzy-algebra comparison based on fuzzy number theory is introduced as a tool in providing cost/benefit tradeoff depiction, with the incorporation of measures of the uncertainty that necessarily exists in the input information. The result allows a more informative comparison to be made through use of fuzzy results, especially at the extreme bounds of the uncertainty.

Many safety analyses depend on uncertain inputs and on mathematical models chosen from various alternatives, but give fixed results (implying no uncertainty). Conventional uncertainty analyses help, but are also based on assumptions and models, the accuracy of which may be difficult to assure. Some of the models and assumptions that on cursory examination seem reasonable can be misleading. As a result, quantitative assessments, even those accompanied by uncertainty measures, can give unwarranted impressions of accuracy. Because analysis results can be a major contributor to a safety-measure decision process, risk management depends on relating uncertainty to only the information available. The uncertainties due to abnormal environments are even more challenging than those in normal-environment safety assessments, and therefore require an even more cautious approach. A fuzzy-algebra analysis is proposed in this article that has the potential to appropriately reflect the information available and portray uncertainties well, especially for abnormal environments. © 1994 John Wiley & Sons, Inc.

More than 20 years ago, a philosophy was developed for the design and analysis of hardware systems to ensure that they would perform in a predictably safe manner, even in severe abnormal environments. This philosophy has been scrutinized and tested during the intervening years, and has proved successful in practice. A requirement guiding the development of the philosophy was that the resulting design must be simple enough to be amenable to analysis. The inherent simplicity is a safety attribute, because complex analyses, such as those represented by fault trees containing hundreds of branches, are extremely susceptible to error. There are many examples where such errors led analysts to believe systems were safe when they were not, with disastrous consequences. The purpose of this workshop problem is to determine whether the principles developed to ensure hardware safety are applicable in any way to safety-critical software systems. It is possible that hardware associations with software will need to be considered, but whether or not this is true is left as an aspect of the investigation. In order to put the ground rules in perspective, it will be necessary to establish some framework.

A related function takes place in situations where an intermediate memory device may be used to store the unique signal information. In this case, ''verification patterns'' are communicated back to the source as status of the memory in which the unique signal is stored. If properly used, unique signals and verification patterns can support acceptable abnormal-environment nuclear detonation safety. If improperly used, there is danger of a false sense of complacency. In this report, the potential danger of misunderstanding the implications of abnormal environments is described. Unfortunately, a number of common normal-environment assumptions and analytical techniques are sometimes applied to abnormal environment situations. Several of these are shown to be misleading for assessing unique signal performance in abnormal environments. Misapplied approaches can encourage communication system design features that may seriously degrade nuclear detonation safety. 8 refs., 10 figs.