IEEE Electrification Magazine - September 2017 - 49

xx
Safety is the ability of the system to show a safe

Availability
Safety
Figure 9. The dependability attributes.

Fault

Failure

us
at

* Component
Operation
* Physical
Layer
n
io
at

As previously mentioned, along with different set of concepts, different techniques have also been developed in
the past in each technical area. All these techniques can
be collected in the main dependability theory but keep
their individual aims and results, thus making it possible
to select the one best suited for each application. These
techniques are called enforcing techniques by dependability
theory and are aimed at analyzing and possibly improving
the system's dependability level, thus promoting a more
dependable (and therefore safe) design.

Maintainability
Dependability

tiv

Existing Techniques to Analyze
and Verify System's Safe Design

Reliability

behavior (which does not cause any damage) in the
presence of a nonacceptable failure.
A system's dependability can be threatened by failures, errors, and faults. A failure is a deviation of the service from the correct one, and it occurs at the operational
level. An error is a deviation of a state from its intended
and correct value. It occurs at the processing level (e.g.,
control systems). Since the service is a sequence of system states, a failure means that at least one state deviates from its correct value (i.e., the presence of an error). A
fault is the incorrect operation of a piece of equipment (a
component) occurring on a physical level. It may cause
an error or a failure or remain dormant. A causal link
between those categories is present, as faults cause errors
and errors cause failures. Moreover, a failure may generate a fault in another system, causing a consequent error
in this system, which subsequently generates another
failure. These relations are depicted in Figure 10.
Among the dependable attributes, safety is a peculiar
one, employing a slightly different set of concepts and
definitions. This is due to the different perspectives that
must be applied in evaluating safety in the framework of
dependability theory. While the other attributes are
focused on the menaces to the correct service, safety
evaluates the possible harmful consequences (to people,
things, and the environment) of an incorrect service.
Safety lexicon includes concepts such as hazard (the
potential source of harmful consequences), accident
(an unacceptable situation that compromises safety,
caused by an unintentional hazard), and risk (the danger level of an accident). The base concepts of safety
are described extensively in the International Electrotechnical Commission Standard 61508 (functional safety standard).
Regarding the SrTP regulation, its main aim is the
reduction of the consequences of a given casualty (below
a stated threshold) down to a level that allows the ship to
autonomously return to port. Such an aim is achievable
through the reduction of both the risk and frequency of
casualty occurrences. These topics can be addressed
through the dependability theory in its entirety thanks to
its comprehensive and systematic approach.

* Service
Delivering
* Operational
Layer

Error
Propagation

* Processing
Layer

Figure 10. The relationship between fault, error, and failure concepts.

Among the several techniques that can be found in
technical literature, some are worth mentioning: failure
modes and effects analysis (FMEA); fault tree analysis
(FTA); reliability block diagram (RBD); and hazard and
operability analysis (HAZOP). Such techniques are well
known and are currently used to design and analyze complex systems in mission-critical applications, thus making
sufficient a brief explanation of their scope and use.
FMEA was one of the first analysis techniques dedicated to systematic failure analysis. It was developed in the
military sector in the late 1950s with the aim to study
possible malfunctions in essential systems. The objective
of an FMEA is to provide a systematic, comprehensive,
and documented analysis to determine the relevant failure modes for the system. In addition, the analysts review
components and subsystems to identify failure modes,
causes, and effects of the overall system. The analysis
proceeds by examining single components to assess the
whole system's behavior. For each component, all the relevant data (such as causes and possible solutions) is collected in dedicated worksheets (called FMEA worksheets).
As a result, the analysts try to find the so-called single
point of failure, which is the single component's fault that
causes an overall system failure. This is the most common analysis performed in shipboard power systems, as
it is required by CSs for mission-critical applications [e.g.,
dynamic positioning (DP) and naval vessels].
IEEE Elec trific ation Magazine / S EP T EM BE R 2 0 1 7

Table of Contents for the Digital Edition of IEEE Electrification Magazine - September 2017