Top left banner Top right banner
Bottom left banner Bottom right banner
Home : Home : Warfare Centers : NSWC Dahlgren : Resources : Leading Edge : I&I Leading Edge : RogersandZemore
Integration and Interoperability Fratricide Safety 

By Peggy L. Rogers and Michael G. Zemore

When most people hear the word safety, they often consider a variety of conditions that may affect public and working class sectors. For example, safety to some would mean product safety (e.g., using products obtained as consumers), occupational safety and health (e.g., workplace hazards and health factors), personal safety (e.g., avoiding accident through precautionary actions), or safety due to environmental conditions (e.g., extreme weather). Although these are all valid considerations for the term safety, this article will address safety as an engineering discipline falling within the systems engineering arena as applied to military systems. The definition of System Safety Engineering (SSE) is “an engineering discipline that employs specialized knowledge and skills in applying scientific and engineering principles, criteria, and techniques to identify hazards and then to eliminate the hazards or reduce the associated risks when the hazards cannot be eliminated.”1 In other words, an SSE expert actively studies requirements and design proposals to recommend alternatives that will lower the risk of accidents for the life of the system. That would include accidents associated with designing, producing, handling, installing, testing, maintaining, operating or disposing of the system. Applying that engineering philosophy to military systems ensures our highly sophisticated combat systems, information infrastructures, and weapons remain safe pre, during, and post mission. This article will discuss the history of SSE and its transformation from single system or component focus to the collection of systems as a complex yet highly functional System of Systems (SoS). It will then consider the challenges of applying SSE to an even wider view of the mission engineering and warfighting environments deemed Integration and Interoperability (I&I). The Naval Ordnance Safety and Security Activity (NOSSA) is leading the charge in defining system safety engineering’s application to I&I, terming the resulting application I&I Fratricide Safety. NOSSA has obtained the engineering support of the Naval Surface Warfare Center, Dahlgren Division (NSWCDD), in this quest to define and apply I&I fratricide safety analysis techniques. There is a recognized critical need for an expansion in the application of SSE to widen the view of analytical assessment for systems in the real-world environments in which our military operate. The goal is to lower the risk to the warfighter and preserve valuable assets for the Department of Defense (DoD).


The formal application of SSE principles using military standards began in the 1960’s, charged by an alarming number of accidents. One such accident occurred on the carrier USS Forrestal (CVA 59), a defining example of the need for SSE and its application to weapon systems. On 29 July, 1967, USS Forrestal had several aircraft on deck preparing for flight during combat operations. Aircraft, once taxied to the runway, underwent manual procedures to electrically connect wing mounted rockets for pending missions. The procedures were performed on the runway as a safeguard to ensure any potential mishap with a rocket ignition would fire down the runway and off the bow of the ship without hitting critical ship systems or other aircraft on the flight deck. There were two independent steps for electrical connectivity—one to connect the electrical umbilical to the rocket and a second to remove the arming pin. Once completed, the pilot had control of the rockets using the fire button in the cockpit. In the case of USS Forrestal, the electrical umbilical was being connected while the aircraft was parked and before it was positioned for takeoff. This decreased the preparation time for takeoff once the plane was on the runway. It seemed acceptable at the time since any rocket activation still required the arming pin to be removed (safety barrier) and a firing signal. Unfortunately, on this particular day during pre-flight preparations, a parked aircraft with the electrical umbilical connected to a Zuni rocket fired a rocket unintentionally as the aircraft transitioned from external to internal power. Since the aircraft was parked at the time, the rocket pointed towards other aircraft on the deck. Once the rocket fired and crossed the deck, it exploded into parked aircraft causing tremendous fire and explosion. As depicted in Figure 1, the crew of USS Forrestal worked to extinguish the raging fire; 134 Sailors were lost that day.

The obvious question was, how did the rocket fire given the arming pin was inserted and the firing button was not engaged by the pilot? In the investigation that followed, it was determined the single act of connecting the umbilical to the rocket while parked did not cause the accident. As a matter of fact, no single action caused the accident. With the umbilical connected, the arming pin maintained electrical isolation of the rocket from the fire switch in the cockpit. The arming pin had a long tail attached to it for ease in identification and removal on the flight line. Unfortunately, it was determined the arming pin tail could catch wind and become dislodged from the socket without human intervention. On that day in July 1967, it was windy on the flight deck and that arming pin dislodged inadvertently. With the umbilical connected and the arming pin dislodged, only the fire button in the cockpit prevented inadvertent firing. There was no pilot error that caused the rocket to release. The rocket actually received an electrical signal to release as a result of final aircraft power changeover. Once the pilot appropriately transitioned the plane from external to internal power, a power spike infiltrated the circuit sending the inadvertent signal to fire the rocket. The resulting mishap was infamous, the loss of life devastating, and the need for system safety engineering evident.

System Safety Engineering

After the incident aboard USS Forrestal and other shipboard safety events, safety practitioners were embedded within design teams to bring a unique perspective to the systems engineering process, providing alternative views on the consequences of design decisions that could prove to be hazardous to the warfighter. These practitioners implemented system safety analysis techniques, many of which are used for individual systems today. The safety practitioner would concentrate on the weapon or energetic components as the designs were typically single function intent with stand-alone modes of operation. Safety techniques such as fault tree analysis, event tree analysis, sneak circuit analysis, failure modes and effects analysis, and common cause failure analysis are examples of safety analysis techniques implemented.

If one of these techniques, such as fault tree analysis, had been applied to USS Forrestal and the Zuni rocket-firing event prior to the accident, it would have identified the conditions required for rocket ignition. This would have allowed engineers to assign probability numbers to each condition to characterize and understand the potential for mishap. This, in turn, would have allowed a focused effort on mitigations to prevent probabilistic conditions that could lead to mishap. In other words, this analysis technique would likely have discovered the potential for arming pin dislodgement and power surge, increasing the potential for inadvertent rocket ignition. The analysis results would have motivated the implementation of mitigating measures to avoid the accident. The knowledge gained from the USS Forrestal accident helped institutionalize SSE and its application to individual systems. That concentrated SSE effort and the associated requirements for safety engineering evolved as numerous analysis types and techniques were developed, culminating in safer weapon systems and a series of updates to MIL-STD-882, DoD Standard Practice for System Safety.

Combat System Safety Engineering

Within the last 20 years, the portability of technology and the introduction of software, firmware, and programmable logic for major weapon system functionality have significantly influenced shipboard designs. Modern systems are now developed as multi-functional and multi-mission Combat Systems (CSs), as an arrangement of interdependent systems that are associated or connected to provide warfighting capability. It was the complex multi-functional combat system approach that posed new questions concerning safety. Given each individual system was analyzed for safety, did that truly characterize the risks of all systems interacting as a collective combat system? The answer was no, and the system safety engineering discipline was challenged to define and execute safety programs that encompassed the SoS philosophy for Navy acquisition. The system safety community stepped up to the challenge by developing analytical methods and safety risk assessment techniques for collective combat systems, with NSWCDD on the leading edge. The primary objective was, and continues to be, identifying unique hazards that exist within the CS context and mitigating those hazards to prevent death, injury, and damage. The difficulty in executing CS safety programs is that systems that make up the SoS often have individual and independent Program Managers, Principals for Safety, safety analyses, engineering processes, schedule drivers, and program urgencies. Thus, understanding and characterizing all systems collectively as a CS and performing the CS safety analyses within a constructive and collaborative engineering environment is a challenge. Meeting this challenge requires employment of a safety engineering approach that was developed to include special methods, techniques, and processes while leveraging support from Navy leadership and individual programs.

The combat system level safety analysis techniques extend beyond individual system level analyses and focus heavily on shipboard operations, operational training, interfacing systems, contextual data threads, situational awareness, and complex casualty configurations. The scope of the analysis covers all systems involved in situational awareness, command, and control of the weapons on the platform. The SSE analysis techniques applied to these scalable, dynamic, SoS configurations are not necessarily different in name from single system safety efforts, but are very different in context and execution. The safety engineer must understand the workings of any given system and its contribution to the collective combat system for consideration of hazards and mishap scenarios. Therefore, the safety engineer for combat systems must be a trained expert with contextual intellect, chartered to understand and identify hazards associated with the collection of systems. Figure 2 represents the SoS context, a complex combat system aboard an Aegis destroyer, delivering Anti-Submarine Warfare, Anti-Air Warfare, Surface Warfare, Strike, and Ballistic Missile Defense capabilities. In the figure, the combat system diagram illustrates the number of individual systems installed on the ship that interrelate to make up the combat system configuration.

Battle Group System Safety Engineering

Performing safety analyses and mitigating risks for a collective combat system has been an evolutionary step for the safe training and use of shipboard weapons. However, the fleet does not operate a collection of ships, often called a battle group, as isolated platforms steaming in close proximity with a hope of defending against the adversary. On the contrary, our fleet is comprised of numerous ships mixed and matched in combination and configuration to best maximize the capabilities for a given circumstance. For a battle group, situational awareness, track databases, and even weapon system engagements can be shared across multiple platforms to manage all mission objectives. In this case, the safety engineer would not focus on hard-wire interfaces between systems within a combat system configuration, but the distributive functions of situational awareness, command, and control across the battle group as illustrated in Figure 3. Much like CS safety, this introduces new challenges for the system safety engineering discipline in defining and executing safety analyses. Studies must focus on identifying and mitigating particular mishap risk scenarios that span across multiple platforms. In this case, the safety practitioner must be an expert in battle group configurations, operations, communications, and tactics. This safety expert must utilize safety artifacts and engineering analyses performed by the combat system safety teams as the functional and foundational basis for assessment, while combining that with unique skill and knowledge to understand how multiple configurations, communications and combat system operations could create hazards beyond what an individual ship would experience.

Integration and Interoperability Fratricide

As the evolution of naval warfighting capability continues, we are now seeing an increased focus on I&I. This includes the philosophical approach to engineering as it relates to SoS and battle groups, but extends beyond the battle group to adopt a focused approach to mission accomplishment and mission success. Utilizing this approach, every system engaged within the construct of the operational Navy can be evaluated for function, availability, operation, reliability, communication, command, and effectiveness towards the success of a mission. This approach ensures a continued focus on mission success, as opposed to early and individualized system definition that may or may not support mission success when deployed within the variety of combat system configurations. Clearly, the focus on I&I and mission success must include system safety. For any engineering effort associated with energy and the potential for injury and damage, safety and the system life cycle must be considered during the engineering phases. In this case, the safety engineering scope is centered on fratricide, described as the unintentional impact of dangerous energy to a friendly force or object.

One focus of I&I activity is to fully characterize mission effects by viewing individual systems and system performance within a defined kill chain. The focus ensures end-to-end execution for any and all of the kill chains defined. To support this activity, a structured approach has been developed to define mission models matched to supporting systems, platforms, and baselines. The alignment provides the kill chain assessment matched to warfare capability, mission threads, functional requirements, and product baselines. Although the methods, techniques, and instruments for I&I fratricide safety are not yet defined, the framework presented with the I&I activities provides an opportunity for system safety to engage in the mission engineering approach to add functional requirements to support I&I fratricide avoidance. Figure 4 provides an illustration of operational views-flowed to effects/kill chains and the technical baselines with an added objective of fratricide avoidance.

As the Navy moves forward with I&I and the inclusion of safety in the I&I fratricide avoidance initiative, the intent is for NOSSA, in collaboration with Deputy Assistant Secretary of the Navy (Research, Development, Test, and Evaluation (DASN (RDT&E)), to focus on integrating Mission Engineering, Systems Engineering, and Software Systems Safety Engineering into the I&I activity and SoS reviews utilizing the standing Weapon System Explosives Safety Review Board (WSESRB) and its current processes. The team will discover and document how best to review and assess the I&I characteristics of weaponized systems to understand safety risks, identify hazards and causal factors, assess mitigations, assess test and validations, and issue I&I Safety Findings or Actions to applicable programs under WSESRB review. Focus will be on fleet weapon systems, combat systems, and the respective network interfaces associated with fratricide. The team will characterize the materials and tools necessary to perform these tasks while providing recommended taxonomy, processes, tools, and objective quality evidence requirements for incorporation into Navy policies and guidance, Systems Engineering Technical Review (SETR) criteria, and Probability of Program Success (PoPS)/Gate Reviews. The overall objective is to apply Mission-Level Systems Engineering to further enable the institution of Mission-Level Engineering and I&I efforts in support of the Assistant Secretary of the Navy (Research, Development, and Acquisition) (ASN (RDA)) strategic goals surrounding safety within the fleet.


The I&I fratricide safety engineering initiative will provide valuable insight into the identification of safety risks that have not been characterized in the past. Knowledge is power, and the knowledge that is gained from this engineering initiative will provide the DoD the power to save lives, as well as provide for a more effective contributor to the mission of the warfighter.

Article Images

Figure 1. Crew Members Fighting Fires Aboard USS Forrestal, 29 July 1967

Figure 2. USS Milius (DDG 69) with Aegis Combat System Illustration

Figure 3.  Four U.S. Ships with Unique Combat Systems Within a Battle Group Interacting

Figure 4. I&I Fratricide Safety within the Mission Engineering Construct

Article References

  1. Military Standard 882E, Department of Defense Standard Practice System Safety, 11 May 2012.