System Safety Analysis of Industrial Processes Using Fuzzy Methodology

Tony Venditti, Nguyen Duy Phuong Tran and Anh Dung Ngo


The operation of industrial machines involves various risks, particularly for the operators. In most jurisdictions, employers must take the necessary measures to protect the health, safety and physical integrity of the workers [1]. Among these measures, performing a risk assessment is paramount [1]. The importance of risk assessment appears clearly, for instance, in the European Machinery Directive, which requires a risk assessment to be performed and be documented during the machine design phase.

By the same token, engineers who design machines are required by their Professional Code of Practice to know and follow recognised safety standards which are published by various institutions around the world such as CSA, ISO, ANSI and others. These standards demand that a risk assessment is performed. Risk assessment more specifically requires identification of the hazards as well as an estimation (qualitative, as it is often seen in practice, or quantitative) of the probability of occurrence of the events associated with these hazards and of the gravity of the consequences following the event.

Risk and Uncertainty

By definition, risk analysis deals with uncertain situations, that is, with situations in which we do not have complete and accurate knowledge about the state of the system [2]. It is therefore very important to be able to represent uncertainty in risk analysis as adequately as possible.

Three types of uncertainties can be distinguished:

  1. completeness uncertainty;
  2. modelling uncertainty;
  3. parameter uncertainty.

Completeness uncertainty refers to the question of whether all significant phenomena and all relationships have been considered. This uncertainty is difficult to quantify, but it is a major contributor in a qualitative hazard analysis, especially with the identification of RAS.

Modelling uncertainty refers to the inadequacies and deficiencies in various models used to assess accident scenario probabilities and consequences. Availability and validity of these models may enable the assessment of different degrees of belief in each model. This is a major type of uncertainty in consequence assessment. This is a subjective type of uncertainty of knowledge elicited from experts, which is often incomplete, imprecise and fragmentary.

The imprecision and inaccuracies in the parameters which are used as an input to risk assessment models are called parameter uncertainty.

In addition, as we have seen, risk assessment is a complex subject shrouded in uncertainty and vagueness. Vague terms are unavoidable, since safety professionals often assess risks in qualitative linguistic terms.

Modelling Uncertainty With Fuzzy Sets

Under these circumstances, conventional approaches may not be able to model safety effectively. These safety assessment approaches, such as probabilistic risk assessment, have been widely utilised; but they may be difficult to use under circumstances where there is a lack of information about past experience. For these cases, fuzzy sets are a useful tool.

A fundamental idea behind the concept of a fuzzy number is that it may belong to more than one set [3].

This concept of membership in several sets provides not only a useful representation of uncertainties, but also a meaningful representation of vague concepts expressed in natural language [4]. Thus, fuzzy variables can reflect and express uncertainties in measurements, observations or knowledge. Traditional variables, which we may refer to as crisp variables, do not have this capability. Although the definition of states by crisp sets is mathematically correct, it is unrealistic in the face of unavoidable uncertainty for certain applications.

Applications of Fuzzy Concepts to Risk and Safety

Fuzzy logic has been used in various contexts related to work and safety [5], such as oil drilling risk, safety and ergonomics in oil and gas refineries, construction site safety, safety in chemical process plants and many others.

Chemical Safety

Here is an example of the use of fuzzy numbers in the context of chemical safety. Reference [6] compared the behaviour of an interval-based safety index and the fuzzy-logic approach for a simplified chemical reaction involved in the industrial production of acetic acid. The reaction takes place around the proposed pressure range (25-50 bar) and temperature range (150-300 °C). At a pressure of 24 bar and a temperature of 149 °C, the interval-based index indicates an inherent safety score of 27, while the fuzzy-logic-based index provides a score of 9.95. When conditions change to 25 bar and 150 °C, the interval-based index yields an inherent safety score of 29, and the fuzzy-logic index a score of 10.04. When the conditions are changed to the upper limits of the temperature and pressure intervals (300 °C and 50 bar), the interval-based index is not sensitive, resulting in a score of 29, while the fuzzy-logic index gives 10.83. These results show that the fuzzy approach is more sensitive to changes in the index due to the smooth transitions between sub-ranges provided by the overlap of the fuzzy sets [6].

However, some others use fuzzy sets (distributions) that do not overlap for ease of analysis [7].

Fuzzy Risk Scale in Occupational Health and Safety

Risk indices are often used to estimate the risk levels associated with various industrial work situations [8]. The following example from [8] illustrates the concept.

Risk can be defined conveniently as:

Each parameter can be characterised by a score between say 0 and 10, which can be represented on a fuzzy scale. As explained previously, the idea of a fuzzy number is that it can belong to more than one set.

For instance, consider a potentially hazardous situation to which workers can be exposed. Experts have estimated the probability of occurrence AL of an injury in such a situation as 7.69 out of 10 (based on an accepted risk estimation scheme).

Fuzzy-logic based risk calculation shows that AL = 7.69 belongs at a 46.2% degree to the set ‘Reasonably Low’ and at a 53.8% degree to the fuzzy set ‘Average’. The same procedure is applied to the two other parameters AS and CSL. These fuzzy values can then be ‘aggregated’ so as to obtain a final value, expressed as a numerical value. Ultimately, the value of the Risk index can then be found by multiplication.

Risk Matrices

Risk matrices are another well-known technique used in occupational health and safety to express risk levels [9].

The concept of a fuzzy number belonging to many sets can generate a risk matrix with more precise, nuanced risk levels. An example from reference [10] will illustrate the point.

Consider the following ‘traditional’ risk matrix, reported in Table 15.1. Consider a particular risk for which the risk index is calculated to be equal to 2, corresponding to a risk level TA, which is tolerable-acceptable. A fuzzy risk assessment, on the other hand, yields a value of 1.35 belonging to a 0.75 extent to the TA fuzzy set and to a 0.25 extent to the A fuzzy set, Acceptable. Thus, the fuzzy assessment is more nuanced.

Fuzzy Concepts in Human Reliability Analyses

Human error is a component of all industrial machines whenever human operation and interaction is necessary. Various techniques have been developed to analyse human reliability and estimate the probability of occurrence of a human error. Two such techniques are known by the acronyms HEART and CREAM (see [11] and [12]).


The HEART technique is based on the principle that any task performance is influenced by Error Promoting Conditions (EPCs), also called Performance Shaping Factors (PSFs) [11]. Nine generic tasks have been identified and for them, human (un)reliability values have been proposed.

The human error probability for a given task is calculated with the help of the expression:

Where P0 is the failure probability value associated with a generic identified task taken from a list of nine tasks. The factors AP are assigned to each EPC by experts and are used to modify the influence of the EPC on the probability of occurrence of the actual task being considered. These factors can be expressed as fuzzy numbers reflecting the experts’ opinions.

Table 15.1 An example of a standard risk matrix

Key: Frequency categories: A: remote, B: unlikely, C: very low, L: low, M: medium, H: high, G: very high; Severity categories: I: negligible, II: low, III: moderate, IV: high, V: catastrophic; risk categories: A: acceptable, TA: tolerable-acceptable, TNA: tolerable-unacceptable, NA: unacceptable.


The basic CREAM model assumes that the probability of human failure depends on the level of control and knowledge of the operator regarding the task which he is requested to perform [12].

Nine so-called Contextual Control Modes are defined, which are considered to determine four types of human actions that can be followed for a given task. These are defined as ‘scrambled’, ‘opportunistic’, ‘tactical’ and ‘strategic’. For each, human error probability is assumed according to Table 15.2.

For a given scenario in which the task is performed, the control mode is determined by nine Common Performance Conditions (CPCs) that qualify the context in terms of linguistic descriptors. For example, regarding ‘Adequacy of Organisation’ the descriptors are: ‘deficient’, ‘inefficient’, ‘efficient’ and ‘very efficient’, depending on whether the organisation reduces or improves human performance levels.

To estimate the probability of human error, the procedure applies ‘if-then-else’ fuzzy rules (fuzzy inference) following the logic of CREAM, as described above. The input parameters are the fuzzy CPC sets, and the output values are the fuzzy action failure probabilities, in accordance with Table 15.2. An example will make the process clearer (from the same reference).

If the adequacy of organization (CPC number 1) is inefficient AND the working conditions (CPC number 2) are compatible AND the availability of procedures and plans (CPC number 4) is acceptable AND the adequacy of man-machine interface and operational support (CPC number 3) is tolerable AND the number of simultaneous goals (CPC number 5) is more than actual capacity AND the available time (CPC number 6) is adequate AND the time of the day (CPC number 7) is day AND the adequacy of training and experience (CPC number 8) is highly accurate AND the crew collaboration quality (CPC number 9) is efficient, THEN the operator would act in an OPPORTUNISTIC way.

Table 15.2 Human action failure probability in CREAM method

Control Mode | Action Failure Probability
 | $5 \times 10^{-6} < p < 0.01$
 | $0.001 < p < 0.1$
 | $0.01 < p < 0.5$



This fuzzy probability output is then defuzzified by one of the methods in use in fuzzy logic such as, for instance, the centroid method, thus yielding the crisp human failure probability value for the task being analysed.

These probability intervals quite naturally lend themselves to a triangular fuzzy number representation.

Fuzzy Numbers

In safety analyses like the ones we just surveyed, then, we often do not know the precise values of the probabilities of occurrence or of failure of the system or of its components. One way to deal with this problem is to consider that the variables of interest follow a normal probability distribution with a mean value and a standard deviation. However, another approach to the problem is to use a fuzzy triangular number.

Definition of a Fuzzy Number

A fuzzy number is represented by three numbers $\langle a_1, a_2, a_3 \rangle$. This representation is interpreted as a membership function, such as:

In this representation, $a_2$ corresponds to a membership value of 1, meaning that we think that the most probable value of the variable under consideration is $a_2$. So $a_2$ is akin to the mean value in a normal probability distribution. In this representation, we also mean that the variable of interest lies between the values $a_1$ and $a_3$, which have ‘membership values’ of 0. In other words, $a_1$ and $a_3$ are akin to the $3\sigma$ values from the mean in a standard normal probability distribution.

Introduction to Fuzzy Operations and Operators

In order to perform calculations on fuzzy fault trees, arithmetic operations on fuzzy numbers have to be introduced.

Basic Arithmetical Operations with Fuzzy Numbers for Ease of Computation

The following are the four operations that can be performed on fuzzy triangular numbers [13]:

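Let $\mu_A = \langle a_1, a_2, a_3 \rangle$ and $\mu_B = \langle b_1, b_2, b_3 \rangle$, where $a_i$ and $b_i$ are positive numbers; then we have:

  • (i) Addition: $\mu_A + \mu_B = \langle a_1 + b_1,\ a_2 + b_2,\ a_3 + b_3 \rangle$
  • (ii) Subtraction: $\mu_A - \mu_B = \langle a_1 - b_3,\ a_2 - b_2,\ a_3 - b_1 \rangle$
  • (iii) Multiplication: $\mu_A \times \mu_B = \langle a_1 b_1,\ a_2 b_2,\ a_3 b_3 \rangle$
  • (iv) Division: $\mu_A / \mu_B = \langle a_1/b_3,\ a_2/b_2,\ a_3/b_1 \rangle$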

A problem with triangular fuzzy numbers is that addition and subtraction as well as multiplication and division are not reciprocal operations. To overcome this difficulty, subtraction and division operations definitions have to be modified.

Thus, subtraction can be performed as $\langle a_1 - b_1,\ a_2 - b_2,\ a_3 - b_3 \rangle$ if the following condition is satisfied [14]:


If this condition is not met, then the definition given above in (ii) applies.

As for division, this operation can be written as $\mu_A / \mu_B = \langle a_1/b_1,\ a_2/b_2,\ a_3/b_3 \rangle$ if the following condition is satisfied:


If this condition is false, then definition (iv) above applies.

Fuzzy Operators

In order to calculate probabilities in a fuzzy fault tree, we need the ANF, ORF and NEGF operators. In a fuzzy fault tree, the probability of occurrence p of the top event in the ANF case is evaluated as follows:

As for the ORF case,

As for the negation operator, NEGF, it is simply

Fuzzy Fault Tree Analysis

In order to illustrate these concepts, we will consider the case of a press brake used in many parts of industry. Our goal will be to evaluate a fuzzy fault tree whose top event is an accident such as: ‘an operator gets his hand caught between the closing dies of the press’.

Fuzzy Fault Tree (FSFT)

As the methodology that will be followed uses a fault tree, let us review this concept. A fault tree is a logical diagram that attempts to identify the ways that the various causes can combine to lead to an accident. Once this causal chain of events is established, the probability of occurrence of the accident can be calculated [15].

The situation under consideration will be that of an operator faced with an industrial machine such as a metal bending press (also often called a brake press). In such machines, a crushing zone exists due to the closing of mating parts. In order to do a more quantitative analysis, the probabilities of occurrence of the contributing (bottom) events must be determined or at least estimated. A press brake is a machine commonly found in the metal manufacturing industry. It is used to bend sheet metal in different shapes. A typical press brake is illustrated in Figure 15.1.

The machine is composed of two main structural components, a top beam mounted on a plate and a bottom table. Dies are clamped on the top and bottom parts. Either the top or the bottom half of the press then closes in (via a hydraulically-powered mechanism) on the stationary part. The operator holds the piece-part and actuates the closing motion with a foot pedal, in most applications. A hazardous situation is thus created from the proximity of the workers’ hands to the press closing motion. A possible undesirable event (often called a hazardous event) in such a situation is then that the worker gets his hands caught between the closing dies (the hazardous zone of the machine).


Figure 15.1 Press brake. Source: CSST Revue Prevention au travail. Quebec. Automne 2008.

These are indicated in the fault tree:

In this diagram, the boxes labelled E1 and E2 represent events (causes) which can contribute to the occurrence of the accident.

Safety regulations and standards require that such machines be equipped with protective devices which either prevent entry of the operator in the hazardous zone or stop the hazardous motion when parts of the workers’ body are in the hazardous zone. The protective device often utilised with press brake takes the form of a light (laser) sensor beam which spans the length of the press and is mounted between the two dies. Such a device is shown in the above picture of a press brake (1 is the sensor beam and 2 refers to the emitting and receiving components of the device).

An accident can occur when the operator gets his hands caught between the closing dies. The contributing events that can lead to such an accident can then be represented in a fault tree and are:

  • an equipment failure event such as the protective device fails while a worker is bending, E1;
  • the human factor event, hands in danger zone due to wrong handling of the part, E2.

The top event is then the result of the conjunction of events E1 and E2 and its probability is therefore evaluated using an AND gate, as reported in Figure 15.2.


Figure 15.2 Fault tree.

Expert Elicitation

The data needed for the probability calculation were obtained from participants who were solicited for this purpose. These were eight bending press operators in a large manufacturing plant. The health and safety coordinator as well as the workers’ supervisor were also solicited.

A questionnaire was handed to them which consisted of a set of brief instructions followed by three questions which were provided with multiple possible answers to choose from. The three questions posed were the following:

  • 1 A bending sequence requires the worker to turn off a protective device in order to complete a certain bend due to the complexity of the shape. The worker must then turn the protective device back on to resume the bending sequence. What is your estimate of the probability that a worker forgets to re-activate the protective device?
  • 2 What is your estimate of the probability that the protective device fails while the worker is bending a part?
  • 3 What is the probability that a worker has his hands between the dies of the press while operating the machine?

The participants were given a choice of answers phrased in this manner:

  • (1) Very probable
  • (2) Probable
  • (3) Not too probable
  • (4) Improbable
  • (5) Very improbable

The questionnaire also contained examples corresponding to each of these probability statements to serve as comparison points.

A general introduction was given by the analyst to the participants in a group meeting on the shop floor, which consisted of presenting the thesis and its purpose. The questions and the choice of answers were read to the group. The questionnaire was then handed to them. The whole process took little time to complete.

The following Table 15.3 shows partial results of an expert elicitation conducted by the authors at one industrial establishment.

The aggregation is then taken as a weighted average of the experts’ opinions, the weighting method taking into account various factors.

Since linguistic terms are not mathematically operable, each linguistic term is associated with a fuzzy number, which represents the meaning of each generic verbal term.

The principle of this system is to pick a scale that matches all the linguistic terms in a row (attribute) of the decision matrix and use the fuzzy numbers on that scale to represent the meaning of these linguistic terms.

In this work, we thus adopted a scale which combines the direct fuzzy number translation approach with a probability level from recognised safety standards such as [16].

Opinion Aggregation

The final aggregated fuzzy estimate of the probabilities is obtained by simply taking the average of the experts’ estimates for each of the three components of the fuzzy numbers corresponding to the expert’s linguistic probability estimate, as given in the scale. No weighting has been done for the following reasons. All workers have extensive experience except for one worker who had 2.5 years’ experience. However, all workers get thorough technical training on all aspects of press brake operation. In addition, specific health and safety training sessions are periodically given to all workers. The company in question is a large, unionised, well-structured enterprise which performs extensive, on-going, health and safety monitoring and preventive activities.

First, the (fuzzy) probability of events E1 and E2 will be taken as being equal to:

For E1 we get $\langle 0.4125, 0.5000, 0.6125 \rangle \times 10^{-6}$.
For E2 we get $\langle 0.225, 0.325, 0.450 \rangle \times 10^{-6}$.

Participant # | Years of experience | Question 1: Worker forgets to turn the laser back on | Question 2: Protective device defective while worker bending part | Question 3: Hands in die while operating press

Brake Press Operator
Very improbable
Very improbable
Very probable
Very probable
Very improbable
Very probable
2 5
Not too Probable
Not too Improbable
Not too Probable
EHS Coordinator
Very improbable
Not too probable

These estimates represent the experts’ estimates of the probability of occurrence of the events in question, expressed in linguistic, qualitative terms. In order for us to solve the fault tree for the top event probability, we need to first transform these qualitative statements into quantitative, fuzzy numbers. Then, the fuzzy estimates must be aggregated in order to obtain one final fuzzy probability estimate.

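Table 15.4 Linguistic estimate to fuzzy number conversion

Very improbable | $\langle 0, 0.1, 0.2 \rangle \times 10^{-4}$
Improbable | $\langle 0.2, 0.3, 0.4 \rangle \times 10^{-4}$
Not too probable | $\langle 0.4, 0.5, 0.7 \rangle \times 10^{-4}$
Probable | $\langle 0.7, 0.8, 0.90 \rangle \times 10^{-4}$
Very probable | $\langle 0.90, 0.95, 1 \rangle \times 10^{-4}$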
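
The conversion, aggregation and AND-gate steps, together with operations (i) to (iv) from the section on fuzzy arithmetic, can be traced in the following Python sketch, which is an added example and not the authors' code (the chapter reports using Matlab). The answer lists are constructed for eight respondents so that the averages reproduce the E1 and E2 values quoted in the text; they are not the study's data, the two unlabelled scale rows are assumed to be "Improbable" and "Probable", and powers of ten are left out so that only mantissas are computed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tri:
    """Triangular fuzzy number <a1, a2, a3>: membership 1 at a2, 0 at a1 and a3."""
    a1: float
    a2: float
    a3: float

    def __add__(self, o):       # operation (i)
        return Tri(self.a1 + o.a1, self.a2 + o.a2, self.a3 + o.a3)

    def __sub__(self, o):       # operation (ii), standard form
        return Tri(self.a1 - o.a3, self.a2 - o.a2, self.a3 - o.a1)

    def __mul__(self, o):       # operation (iii), for positive components
        return Tri(self.a1 * o.a1, self.a2 * o.a2, self.a3 * o.a3)

    def __truediv__(self, o):   # operation (iv), standard form
        if o.a1 <= 0:
            raise ZeroDivisionError("divisor components must be strictly positive")
        return Tri(self.a1 / o.a3, self.a2 / o.a2, self.a3 / o.a1)

    def centroid(self):
        """Centroid defuzzification of a triangle: mean of its three vertices."""
        return (self.a1 + self.a2 + self.a3) / 3

    def rounded(self, ndigits=4):
        return tuple(round(v, ndigits) for v in (self.a1, self.a2, self.a3))


# Table 15.4 mantissas (power of ten omitted). Rows 2 and 4 carry no label in
# the text; "improbable" and "probable" are assumed from the answer list.
SCALE = {
    "very improbable":  Tri(0.0, 0.1, 0.2),
    "improbable":       Tri(0.2, 0.3, 0.4),
    "not too probable": Tri(0.4, 0.5, 0.7),
    "probable":         Tri(0.7, 0.8, 0.90),
    "very probable":    Tri(0.90, 0.95, 1.0),
}


def aggregate(answers):
    """Unweighted component-wise average of the experts' fuzzy estimates."""
    if not answers:
        raise ValueError("at least one expert answer is required")
    tris = [SCALE[a.strip().lower()] for a in answers]
    n = len(tris)
    return Tri(sum(t.a1 for t in tris) / n,
               sum(t.a2 for t in tris) / n,
               sum(t.a3 for t in tris) / n)


def and_gate(*events):
    """Fuzzy AND gate: product of the input event probabilities."""
    out = Tri(1.0, 1.0, 1.0)
    for e in events:
        out = out * e
    return out


# Constructed answer sets for eight respondents (NOT the study's data),
# chosen so that the averages match the E1 and E2 mantissas in the text.
E1_ANSWERS = (["Very improbable"] * 3 + ["Not too probable"] * 2
              + ["Probable"] + ["Very probable"] * 2)
E2_ANSWERS = ["Very improbable"] + ["Improbable"] * 5 + ["Not too probable"] * 2


def worked_example():
    e1 = aggregate(E1_ANSWERS)
    e2 = aggregate(E2_ANSWERS)
    top = and_gate(e1, e2)           # top event = E1 AND E2
    round_trip = (e1 + e2) - e2      # standard (ii) does not undo (i)
    return e1, e2, top, round_trip


if __name__ == "__main__":
    e1, e2, top, round_trip = worked_example()
    print("E1          :", e1.rounded())
    print("E2          :", e2.rounded())
    print("top event   :", top.rounded(5), "centroid", round(top.centroid(), 5))
    print("(E1+E2)-E2  :", round_trip.rounded())
```

The product's significant digits (9281, 1625, 2756) are those of the top-event value quoted in the text. The round trip (E1 + E2) - E2 comes back wider than E1, which is the non-reciprocity that motivates the modified subtraction and division.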

We are now in a position to finally calculate the fuzzy probability associated with the top event, according to the rules explained earlier:

$\langle 0.9281, 1.625, 2.756 \rangle \times 10^{-12}$

Optimisation of a Fault Tree

The problem we wish to tackle is the following. We want to first define a cost function which is related to the accidents that can occur on an industrial process or machine. A legitimate objective is to minimise this cost function, given the constraints that must be faced. These constraints can be, typically, a maximum failure or accident rate imposed by safety or company or industry standards. This constraint might correspond to the probability of occurrence of the top event in a fault tree. In addition, the failure rates and occurrence probabilities must necessarily be numbers (in our case, triangular fuzzy ones) between 0 and 1.

The cost function can logically be thought to depend on the contributing (bottom) events in a fault tree. In such a fault tree, some of these factors can be taken as variables which can then be designed to achieve the required minimisation. These variables can be determined, in particular, in two ways. First, we may use an FFMEA approach. In this method, the contributing events are ranked by calculating the fuzzy risk priority number (FRPN), that is, the product of the probability of occurrence, the severity of each event and the detection capability of the system for each failure or accident event. We can then choose as design variables the ones with the highest rankings. The second way is to choose as variables the ones that can be controlled.

Nonlinear Inequality Constraints Fuzzy Optimisation

The Problem

The problem just stated when formulated in mathematical terms will lead to a minimisation problem with many nonlinear inequality constraints (all in terms of fuzzy numbers) of the following general form:

where f and the functions hi are differentiable.

Karush-Kuhn-Tucker (KKT) Conditions

The stated problem can be solved using an extension of the Lagrange multipliers method.

Method for Solving Fuzzy Nonlinear Equations

Once the satisfying conditions above have been determined, the final result will be a nonlinear equation in one of the unknown variables equal to zero.

The problem could be solved by the above method involving the Lagrange multipliers. However, the solution can also be found using the fmincon Matlab function, applied to the three members of the given fuzzy numbers at hand. This is the approach that will be taken here.

The design variables which will have been found can then be used to determine the minimised cost function, thus achieving our goal.

Example for a Press Brake

In order to perform the mathematical analysis, we take the example of the press brake. This problem statement will then lend itself to a mathematical representation as follows.

Referring to the fault tree presented above, we will choose as design variables a human factor variable and a method-related variable, which we will denote by $\mu_{X_1}$ and $\mu_{X_2}$. These are variables which can be controlled, for instance, by training and selection of experienced personnel. For this case, the probability associated with the top event will be taken as a given constraint $\mu_{Sf}$.

The cost function is composed of two components. The first reflects the cost of achieving a given level of reliability while the second part reflects the costs of accidents or failures, which can still occur. Thus the cost function is chosen to be of the following general form:

This expression reflects the fact that higher reliability (fewer accidents) involves higher costs; hence the factors $(1 - \mu_{X_i})$, which express reliability, are used instead of just $\mu_{X_i}$, which represent failure probabilities.

The coefficients $\mu_{C_i}$ are fuzzy numbers as well. The reason for this is that the cost of obtaining a certain component of required reliability varies with the supplier or, in the case of a human factor, it might vary with the person.

We will consider a quadratic cost function for calculation purposes.

So, our optimisation model will take the following form. Minimise the cost function:

subject to:

$\mu_{ss}$ is a variable introduced because of the < sign in the first condition.

The values of the coefficients will be taken, purely for demonstration purposes, as:

This problem was solved, with Matlab, using Lagrange multipliers and Newton’s root solving method. The algorithm checked the conditions on the fuzzy numbers stated in section and used the appropriate arithmetic operations.

With this method, we obtained the following results:

To test the validity of our results, we plotted the cost function (Figure 15.3) and found indeed a zero in the vicinity of 0.5.

The corresponding cost function value (as defined in Equation (1)) was CF = < 9.7022, 17.9457, 41.7209 > should be middle value 107.

We may conclude that this is a global minimum because the multiplier $\lambda$, calculated from Equation (a) by inserting the found values of $\mu_{X_1}$ and $\mu_{X_2}$, is found to be positive, as required by the Kuhn-Tucker conditions. To the knowledge of the authors, similar results have not been previously published.


Figure 15.3 Plot of a cost function.


In this chapter we presented a survey of applications of fuzzy methodology to occupational risk analysis. A safety analysis of an industrial bending press was carried out based on fuzzy fault tree analysis. The probabilities associated with the bottom events have been assumed in this chapter. These probabilities were assumed to possess a normal probability distribution which was converted into triangular fuzzy numbers. These fuzzy numbers possess particular algebra rules which were discussed and which will be used later on in this research. The fuzzy probability of occurrence of the top event, which represented a worker accident, was then calculated.

We also addressed a so-called inverse problem in static fuzzy fault tree analysis in which a cost function reflecting work accidents is minimised subject to the constraint that the accident probability of occurrence is specified, by regulation or standard. The problem was expressed mathematically as an optimisation problem and solved using a Matlab algorithm with fuzzy numbers as arguments. The optimised variables corresponding to the contributing events probabilities of occurrence were calculated as well as the cost. This gives the analyst target values to reach for the variables that are under his/her control.


[1] Hietikko, Marita et al. Risk estimation studies in the context of a machine control function. Reliability Engineering and System Safety, 96 (2011), 767-774.

[2] Markowski, A.S. et al. Uncertainty aspects in process safety analysis. Journal of Loss Prevention in the Process Industries, 23 (2010), 446-454.

[3] Markowski, A.S. et al. Fuzzy logic for process safety analysis. Journal of Loss Prevention in the Process Industries, 22 (2009), 695-702.

[4] Kentel. Probabilistic-fuzzy health risk modeling. Stochastic Environmental Research and Risk Assessment, 18 (2004), 324-338.

[5] Jamshidi et al. Developing a new fuzzy inference system for pipeline. Journal of Loss Prevention in the Process Industries, 26 (2013), 197-208.

[6] Gentile et al. Development of a fuzzy logic-based inherent safety index. Trans IChemE, 81, Part B (2003), 444-456.

[7] Mure et al. Fuzzy Application Procedure (FAP) for the risk assessment of occupational accidents. Journal of Loss Prevention in the Process Industries, 22 (2009), 593-599.

[8] Gurcanli et al. An occupational safety risk analysis method at construction sites using fuzzy sets. International Journal of Industrial Ergonomics, 39 (2009), 371-387.

[9] Markowski, A. et al. Fuzzy logic for piping risk assessment (pfLOPA). Journal of Loss Prevention in the Process Industries, 22 (2009), 921-927.

[10] Markowski, A., M.S. Mannan. Fuzzy risk matrix. Journal of Hazardous Materials, 159 (2008), 152-157.

[11] Akyuz, E. et al. A practical application of human reliability assessment for operating procedures of the emergency fire pump at ship. Ship and Offshore Structures, 13 (2008), 208-216.

[12] Castiglia, F. et al. Analysis of operator human errors in hydrogen refueling stations: Comparison between human rate assessment techniques. International Journal of Hydrogen Energy, 38 (2013), 1166-1176.

[13] Gani, A.N. A new operation on triangular fuzzy numbers for solving fuzzy linear programming problems. Applied Mathematical Sciences, 6, 11 (2012), 525-532.

[14] Rogers, F., J. Younbae. Fuzzy nonlinear optimization for the linear fuzzy real number system. International Mathematical Forum, 4, 12 (2009), 587-596.

[15] Yiu, T.W. Fuzzy fault tree framework of construction dispute negotiation failure. IEEE Transactions on Engineering Management, 62, 2 (2015), 171-183.

[16] Department of Defense USA. MIL-STD-882D Standard Practice for System Safety, 1993.
