Similar literature
20 similar documents found (search time: 459 ms)
1.
Many real‐world systems use mission aborts to enhance their survivability. Specifically, a mission can be aborted when a certain malfunction condition is met and a risk of a system loss in the case of a mission continuation becomes too high. Usually, the rescue or recovery procedure is initiated upon the mission abort. Previous works have discussed a setting when only one attempt to complete a mission is allowed and this attempt can be aborted. However, missions with a possibility of multiple attempts can occur in different real‐world settings when accomplishing a mission is really important and the cost‐related and the time‐wise restrictions for this are not very severe. The probabilistic model for the multiattempt case is suggested and the tradeoff between the overall mission success probability (MSP) and a system loss probability is discussed. The corresponding optimization problems are formulated. For the considered illustrative example, a detailed sensitivity analysis is performed that shows specifically that even when the system's survival is not so important, mission aborting can be used to maximize the multiattempt MSP.

2.
For some critical applications, successfully accomplishing the mission or surviving the system through aborting the mission and performing a rescue procedure in the event of certain deterioration condition being satisfied are both pivotal. This has motivated considerable studies on mission abort policies (MAPs) to mitigate the risk of system loss in the past several years, especially for standby systems that use one or multiple standby sparing components to continue the mission when the online component fails, improving the mission success probability. The existing MAPs are mainly based on the number of failed online components ignoring the status of the standby components. This article makes contributions by modeling standby systems subject to MAPs that depend not only on the number of failed online components but also on the number of available standby components remaining. Further, dynamic MAPs considering another additional factor, the time elapsed from the mission beginning in the event of the mission abort decision making, are investigated. The solution methodology encompasses an event-transition based numerical algorithm for evaluating the mission success probability and system survival probability of standby systems subject to the considered MAPs. Examples are provided to demonstrate the benefit of considering the state of standby components and elapsed operation time in obtaining more flexible MAPs.

3.
Some program managers share a common belief that adding a redundant component to a system reduces the probability of failure by half. This is true only if the failures of the redundant components are independent events, which is rarely the case. For example, the redundant components may be subjected to the same external loads. There is, however, in general a decrease in the failure probability of the system. Nonetheless, the redundant element comes at a cost, even if it is less than that of developing the first one when both are based on the same design. Identical parts save the most in terms of design costs, but are subjected to common failure modes from possible design errors that limit the effectiveness of the redundancy. In the development of critical systems, managers thus need to decide if the costs of a parallel system are justified by the increase in the system's reliability. NASA, for example, has used redundant spacecraft to increase the chances of mission success, which worked well in the cases of the Viking and Voyager missions. These two successes, however, do not guarantee future ones. We present here a risk analysis framework accounting for dependencies to support the decision to launch at the same time a twin mission of identical spacecraft, given incremental costs and risk-reduction benefits of the second one. We illustrate this analytical approach with the case of the Mars Exploration Rovers launched by NASA in 2003, for which we had performed this assessment in 2001.

4.
Operational risk management of autonomous vehicles in extreme environments is heavily dependent on expert judgments and, in particular, judgments of the likelihood that a failure mitigation action, via correction and prevention, will annul the consequences of a specific fault. However, extant research has not examined the reliability of experts in estimating the probability of failure mitigation. For systems operations in extreme environments, the probability of failure mitigation is taken as a proxy of the probability of a fault not reoccurring. Using a priori expert judgments for an autonomous underwater vehicle mission in the Arctic and a posteriori mission field data, we subsequently developed a generalized linear model that enabled us to investigate this relationship. We found that the probability of failure mitigation alone cannot be used as a proxy for the probability of fault not reoccurring. We conclude that it is also essential to include the effort to implement the failure mitigation when estimating the probability of fault not reoccurring. The effort is the time taken by a person (measured in person-months) to execute the task required to implement the fault correction action. We show that once a modicum of operational data is obtained, it is possible to define a generalized linear logistic model to estimate the probability of a fault not reoccurring. We discuss how our findings are important to all autonomous vehicle operations and how similar operations can benefit from revising expert judgments of risk mitigation to take account of the effort required to reduce key risks.

5.
An Approach to Vulnerability Analysis of Complex Industrial Systems   Total citations: 3, self-citations: 0, citations by others: 3
Einarsson  Stefán  Rausand  Marvin 《Risk analysis》1998,18(5):535-546
The concept of vulnerability of complex industrial systems is defined and discussed in relation to risk and system survivability. The discussion is illustrated by referring to a number of previous industrial accidents. The various risk factors, or threats, influencing an industrial system's vulnerability are classified and discussed. Both internal and external threats are covered. The general scope of vulnerability analysis is compared to traditional risk analysis approaches and main differences are illustrated. A general procedure for vulnerability analysis in two steps, including building of scenarios and preparation of relevant worksheets, is described and discussed.

6.
A parametric programming model for allocating joint costs is described and illustrated. Given M mutually exclusive missions and P alternative systems for accomplishing such missions, the model first determines the optimal choice of systems for all missions simultaneously. It then allocates both joint and separable costs such that no mission receives a greater cost allocation than any other mission alternative that might be suboptimal for the mission but nonoptimal when all missions are simultaneously considered. Although the model initially assumes a mission priority ranking, this assumption is relaxed later on as alternative rankings are evaluated and cost allocation ranges under all priority rankings are evaluated.

7.
The Europa mission approved in 2019 is still in the development phase. It is designed to conduct a detailed reconnaissance of that moon of Jupiter as it could possibly support life as we know it. This article is based on a top-down approach (mission → system → subsystems → components) to model the probability of mission failure. The focus here is on the case where the (uncertain) radiation load exceeds the (uncertain) capacity of critical subsystems of the spacecraft. The model is an illustrative quantification of the uncertainties about (1) the complex external radiation environment in repeated exposures, (2) the effectiveness of the shielding in different zones of the spacecraft, and (3) the components' capacities, by modeling all three as dynamic random variables. A simulation including a sensitivity analysis is used to obtain the failure probability of the whole mission in forty-five revolutions around Jupiter. This article illustrates how probabilistic risk analysis based on engineering models, test results and expert opinions can be used in the early stages of the design of space missions when uncertainties are large. It also describes the optimization of the spacecraft design, taking into account the decisionmakers' risk attitude and the mission resource constraints.

8.
Recent studies in system resilience have proposed metrics to understand the ability of systems to recover from a disruptive event, often offering a qualitative treatment of resilience. This work provides a quantitative treatment of resilience and focuses specifically on measuring resilience in infrastructure networks. Inherent cost metrics are introduced: loss of service cost and total network restoration cost. Further, "costs" of network resilience are often shared across multiple infrastructures and industries that rely upon those networks, particularly when such networks become inoperable in the face of disruptive events. As such, this work integrates the quantitative resilience approach with a model describing the regional, multi‐industry impacts of a disruptive event to measure the interdependent impacts of network resilience. The approaches discussed in this article are deployed in a case study of an inland waterway transportation network, the Mississippi River Navigation System.

9.
《Risk analysis》2018,38(7):1422-1443
Current approaches to risk management place insufficient emphasis on the system knowledge available to the assessor, particularly in respect of the dynamic behavior of the system under threat, the role of human agents (HAs), and the knowledge available to those agents. In this article, we address the second of these issues. We are concerned with a class of systems containing HAs playing a variety of roles as significant system elements (as decisionmakers, cognitive agents, or implementers), that is, human activity systems (HASs). Within this family of HASs, we focus on safety and mission‐critical systems, referring to this subclass as critical human activity systems (CHASs). Identification of the role and contribution of these human elements to a system is a nontrivial problem whether in an engineering context, or, as is the case here, in a wider social and public context. Frequently, they are treated as standing apart from the system in design or policy terms. Regardless of the process of policy definition followed, analysis of the risk and threats to such a CHAS requires a holistic approach, since the effect of undesirable, uninformed, or erroneous actions on the part of the human elements is both potentially significant to the system output and inextricably bound together with the nonhuman elements of the system. We present a procedure for identifying the potential threats and risks emerging from the roles and activity of those HAs, using the 2014 flooding in southwestern England and the Thames Valley as a contemporary example.

10.
Probabilistic risk assessment (PRA) is a methodology to assess the probability of failure or success of a mission. Results provided by the risk assessment methodology are used to make decisions concerning choice of upgrades, scheduling of maintenance, decision to launch, etc. However, current PRA neglects the contribution of software to the risk of failure of the mission. Our research has developed a methodology to account for the impact of software on system failure. This article focuses on an element of the approach: a comprehensive taxonomy of software-related failure modes. Application of the taxonomy is discussed in this article. A validation of the taxonomy and conclusions drawn from this validation effort are described. Future research is also summarized.

11.
12.
To minimize the casualties caused by earthquake disasters and carry out rapid and effective emergency medical rescue, there is an urgent need to improve the efficiency of emergency medical rescue under resource-limited conditions. Using case analysis, a general process for post-earthquake emergency medical rescue is proposed, and a fuzzy stochastic Petri net model of the emergency medical rescue process is constructed. Based on the isomorphism between fuzzy stochastic Petri nets and Markov chains, steady-state probability expressions for the system states are derived and used to identify the critical stages of the post-earthquake emergency medical rescue process. On this basis, considering the relationship between the quantity of medical resources committed and rescue work efficiency, a timeliness evaluation function is introduced to assess the implementation efficiency of the critical stages, and theoretical derivation shows that an optimal value exists for a given resource ratio. Taking the Wenchuan earthquake as an example, dynamic and static analyses yield the variation of the steady-state probability in each state and identify the critical stages of the post-earthquake emergency medical rescue process. Taking the amount of resources committed during the rescue as the independent variable, numerical simulation gives the optimal resource ratio for the critical stages when the available medical resources are fixed. Corresponding countermeasures and recommendations for the post-earthquake emergency medical rescue process are then proposed; these can provide decision support for deploying emergency medical rescue after earthquake disasters, promote the orderly conduct of post-disaster medical rescue, and improve emergency medical rescue efficiency.

13.
Yacov Y. Haimes 《Risk analysis》2012,32(9):1451-1467
This article is grounded on the premise that the complex process of risk assessment, management, and communication, when applied to systems of systems, should be guided by universal systems‐based principles. It is written from the perspective of systems engineering with the hope and expectation that the principles introduced here will be supplemented and complemented by principles from the perspectives of other disciplines. Indeed, there is no claim that the following 10 guiding principles constitute a complete set; rather, the intent is to initiate a discussion on this important subject that will incrementally lead us to a more complete set of guiding principles. The 10 principles are as follows: First Principle: Holism is the common denominator that bridges risk analysis and systems engineering. Second Principle: The process of risk modeling, assessment, management, and communication must be systemic and integrated. Third Principle: Models and state variables are central to quantitative risk analysis. Fourth Principle: Multiple models are required to represent the essence of the multiple perspectives of complex systems of systems. Fifth Principle: Meta‐modeling and subsystems integration must be derived from the intrinsic states of the system of systems. Sixth Principle: Multiple conflicting and competing objectives are inherent in risk management. Seventh Principle: Risk analysis must account for epistemic and aleatory uncertainties. Eighth Principle: Risk analysis must account for risks of low probability with extreme consequences. Ninth Principle: The time frame is central to quantitative risk analysis. Tenth Principle: Risk analysis must be holistic, adaptive, incremental, and sustainable, and it must be supported with appropriate data collection, metrics with which to measure efficacious progress, and criteria on the basis of which to act. The relevance and efficacy of each guiding principle is demonstrated by applying it to the U.S. Federal Aviation Administration complex Next Generation (NextGen) system of systems.

14.
15.
This paper introduces a novel bootstrap procedure to perform inference in a wide class of partially identified econometric models. We consider econometric models defined by finitely many weak moment inequalities,[2] which encompass many applications of economic interest. The objective of our inferential procedure is to cover the identified set with a prespecified probability.[3] We compare our bootstrap procedure, a competing asymptotic approximation, and subsampling procedures in terms of the rate at which they achieve the desired coverage level, also known as the error in the coverage probability. Under certain conditions, we show that our bootstrap procedure and the asymptotic approximation have the same order of error in the coverage probability, which is smaller than that obtained by using subsampling. This implies that inference based on our bootstrap and asymptotic approximation should eventually be more precise than inference based on subsampling. A Monte Carlo study confirms this finding in a small sample simulation.
[2] We can also admit models defined by moment equalities by combining pairs of weak moment inequalities.
[3] We deal with the objective of covering each element of the identified set with a prespecified probability in Bugni (2010a).

16.
Recent natural and man‐made catastrophes, such as the Fukushima nuclear power plant, flooding caused by Hurricane Katrina, the Deepwater Horizon oil spill, the Haiti earthquake, and the mortgage derivatives crisis, have renewed interest in the concept of resilience, especially as it relates to complex systems vulnerable to multiple or cascading failures. Although the meaning of resilience is contested in different contexts, in general resilience is understood to mean the capacity to adapt to changing conditions without catastrophic loss of form or function. In the context of engineering systems, this has sometimes been interpreted as the probability that system conditions might exceed an irrevocable tipping point. However, we argue that this approach improperly conflates resilience and risk perspectives by expressing resilience exclusively in risk terms. In contrast, we describe resilience as an emergent property of what an engineering system does, rather than a static property the system has. Therefore, resilience cannot be measured at the systems scale solely from examination of component parts. Instead, resilience is better understood as the outcome of a recursive process that includes: sensing, anticipation, learning, and adaptation. In this approach, resilience analysis can be understood as differentiable from, but complementary to, risk analysis, with important implications for the adaptive management of complex, coupled engineering systems. Management of the 2011 flooding in the Mississippi River Basin is discussed as an example of the successes and challenges of resilience‐based management of complex natural systems that have been extensively altered by engineered structures.

17.
This paper outlines a model for examining the process of formulating a successful management buyout, taking the viewpoint of all concerned, viz., buyers, sellers, advisors, investors and employees. It arises out of the observation of, and involvement in, a number of buyout negotiations: some were completed but continue to falter; some were aborted; others are currently successful. The paper suggests that eventual success is a function of two main factors. The first is the probability of conflict, as defined by the buyout typology, and the second the decisions made, and not made, during negotiations. The latter includes such questions as, for the company: what to hive down; which management to involve; future customer relations; and for the deal: the setting of the price; the future role of investors; choosing advisors.

18.
Matthew Revie 《Risk analysis》2011,31(7):1120-1132
Traditional statistical procedures for estimating the probability of an event result in an estimate of zero when no events are realized. Alternative inferential procedures have been proposed for the situation where zero events have been realized but often these are ad hoc, relying on selecting methods dependent on the data that have been realized. Such data‐dependent inference decisions violate fundamental statistical principles, resulting in estimation procedures whose benefits are difficult to assess. In this article, we propose estimating the probability of an event occurring through minimax inference on the probability that future samples of equal size realize no more events than that in the data on which the inference is based. Although motivated by inference on rare events, the method is not restricted to zero event data and closely approximates the maximum likelihood estimate (MLE) for nonzero data. The use of the minimax procedure provides a risk averse inferential procedure where there are no events realized. A comparison is made with the MLE and regions of the underlying probability are identified where this approach is superior. Moreover, a comparison is made with three standard approaches to supporting inference where no event data are realized, which we argue are unduly pessimistic. We show that for situations of zero events the estimator can be simply approximated with , where n is the number of trials.

19.
A recent article by Byrd and Turner (2001) reported that interpersonal skills on the part of information systems personnel had a negative influence on the success of systems as measured by competitive advantage. Several reasons were forwarded to account for this unexpected result, including lack of richness in the measure of these skills, the use of strategic success measures, the true complexity of interpersonal relations within an organization, and the sample of CIOs who may have a bias in favor of technical skills. We address these concerns by incorporating a set of communication skills into the interpersonal skills set, sampling users for a different set of stakeholders, and employing a more complex model based on theories of expectation. The results indicate that the impact of interpersonal skills on system success is not a simple function of the perceived level of the IS staff's skill proficiency but is also determined by the understood expectations of skill requirements.

20.
Recently, efforts to model and assess a system's resilience to disruptions due to environmental and adversarial threats have increased substantially. Researchers have investigated resilience in many disciplines, including sociology, psychology, computer networks, and engineering systems, to name a few. When assessing engineering system resilience, the resilience assessment typically considers a single performance measure, a disruption, a loss of performance, the time required to recover, or a combination of these elements. We define and use a resilient engineered system definition that separates system resilience into platform and mission resilience. Most complex systems have multiple performance measures; this research proposes using multiple objective decision analysis to assess system resilience for systems with multiple performance measures using two distinct methods. The first method quantifies platform resilience and includes resilience and other "ilities" directly in the value hierarchy, while the second method quantifies mission resilience and uses the "ilities" in the calculation of the expected mission performance for every performance measure in the value hierarchy. We illustrate the mission resilience method using a transportation systems‐of‐systems network with varying levels of resilience due to the level of connectivity and autonomy of the vehicles and platform resilience by using a notional military example. Our analysis found that it is necessary to quantify performance in context with specific mission(s) and scenario(s) under specific threat(s) and then use modeling and simulation to help determine the resilience of a system for a given set of conditions. The example demonstrates how incorporating system mission resilience can improve performance for some performance measures while negatively affecting others.


Copyright © Beijing Qinyun Technology Development Co., Ltd.  京ICP备09084417号