Integration and Interoperability Fratricide Safety
________________________________________________________
By Peggy L. Rogers and Michael G. Zemore
When most people hear the word safety, they often consider
a variety of conditions that may affect public and working class
sectors. For example, safety to some would mean product safety
(e.g., using products obtained as consumers), occupational
safety and health (e.g., workplace hazards and health factors),
personal safety (e.g., avoiding accident through precautionary
actions), or safety due to environmental conditions (e.g.,
extreme weather). Although these are all valid considerations
for the term safety, this article will address safety as an engineering
discipline falling within the systems engineering arena
as applied to military systems. The definition of System Safety
Engineering (SSE) is “an engineering discipline that employs
specialized knowledge and skills in applying scientific and engineering
principles, criteria, and techniques to identify hazards
and then to eliminate the hazards or reduce the associated risks
when the hazards cannot be eliminated.”1 In other words, an SSE
expert actively studies requirements and design proposals to
recommend alternatives that will lower the risk of accidents for
the life of the system. That would include accidents associated
with designing, producing, handling, installing, testing, maintaining,
operating or disposing of the system. Applying that
engineering philosophy to military systems ensures our highly
sophisticated combat systems, information infrastructures,
and weapons remain safe pre, during, and post mission. This
article will discuss the history of SSE and its transformation
from single system or component focus to the collection of
systems as a complex yet highly functional System of Systems
(SoS). It will then consider the challenges of applying SSE to an
even wider view of the mission engineering and warfighting
environments deemed Integration and Interoperability (I&I).
The Naval Ordnance Safety and Security Activity (NOSSA) is
leading the charge in defining system safety engineering’s application
to I&I, terming the resulting application I&I Fratricide
Safety. NOSSA has obtained the engineering support of the
Naval Surface Warfare Center, Dahlgren Division (NSWCDD),
in this quest to define and apply I&I fratricide safety analysis
techniques. There is a recognized critical need for an expansion
in the application of SSE to widen the view of analytical
assessment for systems in the real-world environments in
which our military operate. The goal is to lower the risk to the
warfighter and preserve valuable assets for the Department of
Defense (DoD).
Background/History
The formal application of SSE principles using
military standards began in the 1960’s, charged by
an alarming number of accidents. One such accident
occurred on the carrier USS Forrestal (CVA 59), a
defining example of the need for SSE and its application
to weapon systems. On 29 July, 1967, USS Forrestal
had several aircraft on deck preparing for flight
during combat operations. Aircraft, once taxied to the
runway, underwent manual procedures to electrically
connect wing mounted rockets for pending missions.
The procedures were performed on the runway as
a safeguard to ensure any potential mishap with a
rocket ignition would fire down the runway and off
the bow of the ship without hitting critical ship systems
or other aircraft on the flight deck. There were
two independent steps for electrical connectivity—one
to connect the electrical umbilical to the rocket and
a second to remove the arming pin. Once completed,
the pilot had control of the rockets using the fire
button in the cockpit. In the case of USS Forrestal,
the electrical umbilical was being connected while
the aircraft was parked and before it was positioned
for takeoff. This decreased the preparation time for
takeoff once the plane was on the runway. It seemed
acceptable at the time since any rocket activation still
required the arming pin to be removed (safety barrier)
and a firing signal. Unfortunately, on this particular
day during pre-flight preparations, a parked aircraft
with the electrical umbilical connected to a Zuni
rocket fired a rocket unintentionally as the aircraft
transitioned from external to internal power. Since
the aircraft was parked at the time, the rocket pointed
towards other aircraft on the deck. Once the rocket
fired and crossed the deck, it exploded into parked
aircraft causing tremendous fire and explosion. As
depicted in Figure 1, the crew of USS Forrestal worked
to extinguish the raging fire; 134 Sailors were lost
that day.
The obvious question was, how did the rocket fire
given the arming pin was inserted and the firing
button was not engaged by the pilot? In the investigation
that followed, it was determined the single act of
connecting the umbilical to the rocket while parked
did not cause the accident. As a matter of fact, no
single action caused the accident. With the umbilical
connected, the arming pin maintained electrical isolation
of the rocket from the fire switch in the cockpit.
The arming pin had a long tail attached to it for ease
in identification and removal on the flight line. Unfortunately,
it was determined the arming pin tail could
catch wind and become dislodged from the socket
without human intervention. On that day in July 1967,
it was windy on the flight deck and that arming pin
dislodged inadvertently. With the umbilical connected
and the arming pin dislodged, only the fire button in
the cockpit prevented inadvertent firing. There was
no pilot error that caused the rocket to release. The
rocket actually received an electrical signal to release
as a result of final aircraft power changeover. Once
the pilot appropriately transitioned the plane from
external to internal power, a power spike infiltrated
the circuit sending the inadvertent signal to fire the
rocket. The resulting mishap was infamous, the loss
of life devastating, and the need for system safety
engineering evident.
System Safety Engineering
After the incident aboard USS Forrestal and other
shipboard safety events, safety practitioners were
embedded within design teams to bring a unique
perspective to the systems engineering process, providing
alternative views on the consequences of design
decisions that could prove to be hazardous to the warfighter.
These practitioners implemented system safety
analysis techniques, many of which are used for individual
systems today. The safety practitioner would
concentrate on the weapon or energetic components as
the designs were typically single function intent with
stand-alone modes of operation. Safety techniques
such as fault tree analysis, event tree analysis, sneak
circuit analysis, failure modes and effects analysis,
and common cause failure analysis are examples of
safety analysis techniques implemented.
If one of these techniques, such as fault tree analysis,
had been applied to USS Forrestal and the Zuni
rocket-firing event prior to the accident, it would have
identified the conditions required for rocket ignition.
This would have allowed engineers to assign probability
numbers to each condition to characterize and
understand the potential for mishap. This, in turn,
would have allowed a focused effort on mitigations
to prevent probabilistic conditions that could lead
to mishap. In other words, this analysis technique
would likely have discovered the potential for arming
pin dislodgement and power surge, increasing the
potential for inadvertent rocket ignition. The analysis
results would have motivated the implementation of
mitigating measures to avoid the accident. The knowledge
gained from the USS Forrestal accident helped
institutionalize SSE and its application to individual
systems. That concentrated SSE effort and the associated
requirements for safety engineering evolved as
numerous analysis types and techniques were developed,
culminating in safer weapon systems and a
series of updates to MIL-STD-882, DoD Standard
Practice for System Safety.
Combat System Safety Engineering
Within the last 20 years, the portability of technology
and the introduction of software, firmware,
and programmable logic for major weapon system
functionality have significantly influenced shipboard
designs. Modern systems are now developed as
multi-functional and multi-mission Combat Systems
(CSs), as an arrangement of interdependent systems
that are associated or connected to provide warfighting
capability. It was the complex multi-functional
combat system approach that posed new questions
concerning safety. Given each individual system was
analyzed for safety, did that truly characterize the
risks of all systems interacting as a collective combat
system? The answer was no, and the system safety
engineering discipline was challenged to define and
execute safety programs that encompassed the SoS
philosophy for Navy acquisition. The system safety
community stepped up to the challenge by developing
analytical methods and safety risk assessment techniques
for collective combat systems, with NSWCDD
on the leading edge. The primary objective was, and
continues to be, identifying unique hazards that exist
within the CS context and mitigating those hazards
to prevent death, injury, and damage. The difficulty
in executing CS safety programs is that systems that
make up the SoS often have individual and independent
Program Managers, Principals for Safety, safety
analyses, engineering processes, schedule drivers,
and program urgencies. Thus, understanding and
characterizing all systems collectively as a CS and performing
the CS safety analyses within a constructive
and collaborative engineering environment is a challenge.
Meeting this challenge requires employment of
a safety engineering approach that was developed to
include special methods, techniques, and processes
while leveraging support from Navy leadership and
individual programs.
The combat system level safety analysis techniques
extend beyond individual system level analyses and
focus heavily on shipboard operations, operational
training, interfacing systems, contextual data threads,
situational awareness, and complex casualty configurations.
The scope of the analysis covers all systems
involved in situational awareness, command, and
control of the weapons on the platform. The SSE analysis
techniques applied to these scalable, dynamic,
SoS configurations are not necessarily different in
name from single system safety efforts, but are very
different in context and execution. The safety engineer
must understand the workings of any given system
and its contribution to the collective combat system
for consideration of hazards and mishap scenarios.
Therefore, the safety engineer for combat systems
must be a trained expert with contextual intellect,
chartered to understand and identify hazards associated
with the collection of systems. Figure 2 represents
the SoS context, a complex combat system aboard an
Aegis destroyer, delivering Anti-Submarine Warfare,
Anti-Air Warfare, Surface Warfare, Strike, and Ballistic
Missile Defense capabilities. In the figure, the
combat system diagram illustrates the number of
individual systems installed on the ship that interrelate
to make up the combat system configuration.
Battle Group System Safety Engineering
Performing safety analyses and mitigating risks for
a collective combat system has been an evolutionary
step for the safe training and use of shipboard weapons.
However, the fleet does not operate a collection
of ships, often called a battle group, as isolated platforms
steaming in close proximity with a hope of
defending against the adversary. On the contrary,
our fleet is comprised of numerous ships mixed and
matched in combination and configuration to best
maximize the capabilities for a given circumstance.
For a battle group, situational awareness, track databases,
and even weapon system engagements can be
shared across multiple platforms to manage all mission
objectives. In this case, the safety engineer would
not focus on hard-wire interfaces between systems
within a combat system configuration, but the distributive
functions of situational awareness, command,
and control across the battle group as illustrated in
Figure 3. Much like CS safety, this introduces new
challenges for the system safety engineering discipline
in defining and executing safety analyses. Studies
must focus on identifying and mitigating particular
mishap risk scenarios that span across multiple
platforms. In this case, the safety practitioner must
be an expert in battle group configurations, operations,
communications, and tactics. This safety expert
must utilize safety artifacts and engineering analyses
performed by the combat system safety teams as the
functional and foundational basis for assessment,
while combining that with unique skill and knowledge
to understand how multiple configurations,
communications and combat system operations could
create hazards beyond what an individual ship would
experience.
Integration and Interoperability Fratricide
As the evolution of naval warfighting capability
continues, we are now seeing an increased focus on
I&I. This includes the philosophical approach to engineering
as it relates to SoS and battle groups, but
extends beyond the battle group to adopt a focused
approach to mission accomplishment and mission
success. Utilizing this approach, every system engaged
within the construct of the operational Navy can be
evaluated for function, availability, operation, reliability,
communication, command, and effectiveness
towards the success of a mission. This approach
ensures a continued focus on mission success, as
opposed to early and individualized system definition
that may or may not support mission success
when deployed within the variety of combat system
configurations. Clearly, the focus on I&I and mission
success must include system safety. For any engineering
effort associated with energy and the potential for
injury and damage, safety and the system life cycle
must be considered during the engineering phases.
In this case, the safety engineering scope is centered
on fratricide, described as the unintentional impact
of dangerous energy to a friendly force or object.
One focus of I&I activity is to fully characterize
mission effects by viewing individual systems and
system performance within a defined kill chain. The
focus ensures end-to-end execution for any and all
of the kill chains defined. To support this activity, a
structured approach has been developed to define
mission models matched to supporting systems, platforms,
and baselines. The alignment provides the
kill chain assessment matched to warfare capability,
mission threads, functional requirements, and product
baselines. Although the methods, techniques,
and instruments for I&I fratricide safety are not
yet defined, the framework presented with the I&I
activities provides an opportunity for system safety
to engage in the mission engineering approach to
add functional requirements to support I&I fratricide
avoidance. Figure 4 provides an illustration of
operational views-flowed to effects/kill chains and
the technical baselines with an added objective of
fratricide avoidance.
As the Navy moves forward with I&I and the inclusion
of safety in the I&I fratricide avoidance initiative,
the intent is for NOSSA, in collaboration with Deputy
Assistant Secretary of the Navy (Research, Development,
Test, and Evaluation (DASN (RDT&E)), to
focus on integrating Mission Engineering, Systems
Engineering, and Software Systems Safety Engineering
into the I&I activity and SoS reviews utilizing the
standing Weapon System Explosives Safety Review
Board (WSESRB) and its current processes. The team
will discover and document how best to review and
assess the I&I characteristics of weaponized systems
to understand safety risks, identify hazards and causal
factors, assess mitigations, assess test and validations,
and issue I&I Safety Findings or Actions to applicable
programs under WSESRB review. Focus will be
on fleet weapon systems, combat systems, and the
respective network interfaces associated with fratricide.
The team will characterize the materials and
tools necessary to perform these tasks while providing
recommended taxonomy, processes, tools, and objective
quality evidence requirements for incorporation
into Navy policies and guidance, Systems Engineering
Technical Review (SETR) criteria, and Probability of
Program Success (PoPS)/Gate Reviews. The overall
objective is to apply Mission-Level Systems Engineering
to further enable the institution of Mission-Level
Engineering and I&I efforts in support of the Assistant
Secretary of the Navy (Research, Development, and
Acquisition) (ASN (RDA)) strategic goals surrounding
safety within the fleet.
Conclusion
The I&I fratricide safety engineering initiative will
provide valuable insight into the identification of
safety risks that have not been characterized in the
past. Knowledge is power, and the knowledge that is
gained from this engineering initiative will provide
the DoD the power to save lives, as well as provide
for a more effective contributor to the mission of the
warfighter.