Addressing the Safety of Programmable Electronic Mining Systems: Lessons Learned

John J. Sammarco, P.E.
National Institute for Occupational Safety and Health
Cochran Mill Road, PO Box 18070
Pittsburgh, PA 15236
Abstract—The functional safety of programmable electronic (PE) mining systems is an international issue and concern. From 1995 to 2001, 11 PE-related mining incidents in the U.S. were reported by the Mine Safety and Health Administration (MSHA); 71 PE-related mining incidents were reported in Australia. MSHA does not have regulations for formal evaluations of the functional safety of PE mining systems. Hence, the National Institute for Occupational Safety and Health (NIOSH), in partnership with MSHA and the industry, generated the NIOSH safety framework for functional safety of PE mining systems. An overview of the NIOSH framework is given; the key framework elements, the safety life cycle and safety integrity levels, are detailed. The safety framework approach has impacted the national and Australian mining industries by enabling the industries to advance from an ad-hoc approach to a formalized and systematic functional safety process. In retrospect, valuable lessons were learned for addressing functional safety and for changing industry perspectives and practices. These lessons continue to benefit mining and are applicable to other industries as well.

Keywords—Normal Accident Theory; mining safety; system complexity; programmable electronics

I. INTRODUCTION

Many industries are increasingly depending on programmable electronic systems (PES) in safety-critical applications; the mining industry is an active part of this rapidly growing trend. The mining industry is utilizing PE technology to improve safety and health, to increase productivity, and to improve competitive positions. When it comes to PE technology (i.e., software, programmable logic controllers (PLC's) and microprocessors), there are unique technical and managerial challenges for system design, verification, operation, maintenance, and assurance of functional safety. PE technology has unique failure modes different from the mechanical or hardwired electronic systems traditionally used in mining. Secondly, PE also adds a level of complexity that, if not properly addressed, can adversely affect worker safety.

This paper presents a process to address the functional safety of PE-based mining systems. The need to address this was driven by MSHA's concerns and the supporting mishap data as described in the following two sections. Next, an overview of the NIOSH safety framework to address PE functional safety is given and followed by a section describing the framework's key concepts and elements. Lessons learned are presented that continue to benefit mining and that could be beneficial to other industries as well. The ensuing section describes the work's impact nationally and internationally. Lastly, future directions are discussed.

II. PURPOSE AND SIGNIFICANCE

The Pittsburgh Research Laboratory of NIOSH has a proactive project to generate best practice recommendations addressing the functional safety of PE-based mining systems. The objective is to generate a mining industry specific, comprehensive and systematic safety framework incorporating best practices and the latest international thinking for PES functional safety.

Realization of this objective addresses two safety issues for the mining industry. First, the mining industry, on a national or international basis, does not have a formalized, systematic functional safety process for PE-based systems as done by other industries addressing PES functional safety. Therefore, best practices are not uniformly utilized. Secondly, MSHA does have regulations to formally address electrical permissibility in mines; they have a wealth of knowledge, expertise and experience in this area. MSHA does not have formal regulations pertaining to PES functional safety. Even though they have made progress in reducing fatalities and serious injuries involving PE-based mining systems, they realize a mining specific, formalized functional safety process is needed to reach their ambitious safety goals.

III. MISHAP DATA

MSHA's concerns with the functional safety of PE-based mining systems began in 1990 with an unplanned longwall shield pinning mishap [1]. Since then, functional safety has grown to become a major issue and concern internationally [2]. From 1995 to 2001, there were 11 PE-related mining incidents in the United States; four of these were fatalities [3]. Most likely, the total numbers of incidents are under-reported in the U.S. because near misses are not reported and accidents are not required to be reported if they don't involve worker lost-time.

0-7803-7420-7/02/$17.00 © 2002 IEEE


692
Authorized licensed use limited to: NATIONAL INSTITUTE OF TECHNOLOGY ROURKELA. Downloaded on November 08,2023 at 13:28:30 UTC from IEEE Xplore. Restrictions apply.
Australia reports all mining incidents; from 1995 to 2001 there were 71 incidents documented for underground coal mines in New South Wales (NSW) [4]. In both countries, the majority of mishaps involved unexpected movements or startups of PE-based mining systems. Next, a historical account of PE functional safety issues and approaches is given.

In 1991, MSHA conducted a study of all longwall installations and found 35% had experienced unexpected movements; they analyzed the data and categorized it as sticking or defective solenoid valves, programming problems (software), water ingress, operator error or poor training, and other miscellaneous problems [1]. Fig. 1 depicts a comparison of factors contributing to PE-based mishaps occurring in the U.S. and in NSW [4]; solenoid valve problems are the leading factor contributing to PE-based mishaps. This does not appear to be unique to mining; process industry data also identifies solenoid valves as a leading cause of failure [5].

MSHA's original response to the longwall mishaps recommended improvements in "operator training, timely maintenance, maintaining integrity of enclosure sealing, maintaining alertness for abnormal operational sequences which might be indicative of a software problem" [1]. These recommendations focused on post-design "fixes." This approach had some success, but MSHA realized the approach's limitations for complex PE mining systems and that the approach would not enable them to meet their ambitious goals for reducing the mishap rate to as near zero as possible. In 1995, MSHA turned to NIOSH researchers for a new approach. NIOSH proposed a safety framework largely based on the IEC 61508 safety lifecycle. Dransite chronicles these events, and describes some PE mishaps as given in the following excerpt [6].

"System emergency stop function did not always work. The problem was due to a firmware change that pulse width modulated the drive signal to motor valves controlling the shields. The change allowed a 100 microsecond window where an emergency stop command would not be executed if the controller found the motor valve signal in an 'off' state."

"Unplanned shield movement due to erroneous location information from the shearer controller to the shield advance system controller due to an intermittent hardware fault in the shearer. The movement occurred because of a programming change in the shield advance system controller that inadvertently deleted some code that rejected shearer location information outside reasonable parameters."

[Fig. 1: bar chart of the percentage of PE-based mishaps attributed to each factor (Solenoid Valves, Software, Water Ingress, Improper Operation) for the United States and for New South Wales (NSW), Australia; vertical axis 0% to 30%.]

Fig. 1. A comparison of factors contributing to PE-based mishaps in the U.S. and NSW, Australia.

IV. THE NIOSH SAFETY FRAMEWORK

The NIOSH safety framework is a practical treatment scaled in size and complexity to the mining industry [7]. It draws heavily from International Electrotechnical Commission (IEC) standard 61508 and other recognized standards. The scope is surface and underground safety mining systems employing embedded, networked, and non-networked programmable electronics.

The safety framework is for use by mining companies, original equipment manufacturers, and aftermarket suppliers. It addresses the various life cycle stages of inception, design, functional safety assessment, commissioning, operation, maintenance, and decommissioning. The framework's nine parts, depicted by Fig. 2, are as follows:

Introduction [8] — This introduces basic system and software safety concepts, discusses the need to address the functional safety of PE, and includes the benefits of a system/software safety program. It also establishes a common knowledge base by defining key terms and concepts.

System Safety [9] — The concepts of safety life cycle and safety integrity level (SIL) are detailed. This is the core document of the safety framework.

Software Safety [10] — This document builds on system safety concepts and provides specific recommendations for the software subsystem.

Safety File [11] — This presents a systematic, complete, and consistent "proof of safety" that the system meets the appropriate levels of safety for the intended application. It starts early and continues throughout the system's life cycle.

Functional Safety Assessment [12] — This document establishes methods to determine the completeness and suitability of safety file evidence and justification. Various levels of independent assessment are established based on the level of safety.

Guidance — Four guidance documents help users apply the safety framework concepts and recommendations. The guidance information reinforces concepts, describes various methodologies, and gives examples and references. The documents provide information and references so that the user can more intelligently choose and implement the appropriate methodologies given the user's application and capabilities.

[Fig. 2: tree diagram of the PES Safety Framework: Introduction, System Safety, Software Safety, Safety File, and Safety Assessment, with four Guidance documents beneath them.]

Fig. 2. The NIOSH safety framework
A. Safety Framework Key Elements

The safety framework's key elements and concepts are summarized. The two most fundamental concepts, as with IEC 61508, are the safety life cycle and SIL's. More details are provided for these concepts followed by a brief summary of other key elements.

1) Safety Life Cycle: The use of a safety life cycle helps to ensure that safety is applied in a systematic manner for all phases of the system, thus reducing the potential for systematic errors. It enables safety to be "designed in" earlier rather than being addressed after the system's design is completed. Early identification of hazards makes it easier and less costly to address them. The life cycle concept is applied during the entire life of the system because hazards can become evident at later stages, or new hazards can be introduced by system modifications. The safety life cycle for mining, Fig. 3, depicts an adaptation of the IEC safety life cycle [13].

Fig. 3. The safety life cycle. Adapted from IEC 61508

Safety life cycle activities include identifying hazards, analyzing the risks, assigning SIL's, designing to eliminate or reduce hazards, verifying SIL's are attained, and documenting the plans, processes and products of the safety life cycle. These system safety activities start at the system level and flow down to the subsystems and components. More detailed information on the fundamentals of system safety is presented by [8].

2) Safety Integrity Levels: The concept of determining and verifying SIL's presented the most difficulty for the mining industry, as evident from the many questions and discussions during and after our workshops in the United States and Australia. SIL is a term used to specify the probability that a safety function satisfactorily performs given a set of conditions and constraints. Qualitative or quantitative methods are used to determine a SIL for each safety function. Essentially, qualitative methods proportionally assign SIL's to ordinal measures of risk. Table 1 is an example of a calibrated risk matrix for determining a risk rank and associated SIL for each hazard. The matrix is based on hazard severity and frequency. The risk rankings range from one to four, with four as the least desirable level of risk.

TABLE I. RISK RANK AND SIL MATRIX

| Frequency  | Catastrophic | Critical   | Marginal   | Negligible |
|------------|--------------|------------|------------|------------|
| Frequent   | 4, (SIL 3)   | 4, (SIL 3) | 4, (SIL 3) | 3, (SIL 2) |
| Probable   | 4, (SIL 3)   | 4, (SIL 3) | 3, (SIL 2) | 2, (SIL 1) |
| Occasional | 4, (SIL 3)   | 3, (SIL 2) | 2, (SIL 2) | 2, (SIL 1) |
| Remote     | 3, (SIL 2)   | 2, (SIL 1) | 2, (SIL 1) | 1, -       |
| Improbable | 2, (SIL 2)   | 2, (SIL 1) | 2, (SIL 1) | 1, -       |

For mining, three SIL's are used. The SIL defines the degree or level of safety performance, where SIL 3 requires the highest level of safety performance. Table 2 is used to determine the safety performance expressed as the average probability of failure on demand (PFD avg), the risk reduction factor (RRF) and safety availability percentage.

TABLE II. QUANTITATIVE ASSIGNMENTS OF SAFETY PERFORMANCE FOR SIL'S FOR A LOW-DEMAND OPERATION.

| SIL | PFD avg.                 | RRF            | % Availability |
|-----|--------------------------|----------------|----------------|
| 1   | $10^{-1}$ to $10^{-2}$   | 10 - 100       | 90.00 - 99.00  |
| 2   | $10^{-2}$ to $10^{-3}$   | 100 - 1,000    | 99.00 - 99.90  |
| 3   | $10^{-3}$ to $10^{-4}$   | 1,000 - 10,000 | 99.90 - 99.99  |

The PFD for a system is determined by abstracting the system to a sensor (S), a logic solver (L), and a final element (FE) and using equation 1 [14].

$PFD_{sys} = PFD_S + PFD_L + PFD_{FE}$ (1)

where

$PFD_{sys}$ = Average probability of failure on demand ($PFD_{avg}$) of a system's safety function;
$PFD_S$ = $PFD_{avg}$ of a safety function for the sensor element(s);
$PFD_L$ = $PFD_{avg}$ of a safety function for the logic solver(s);
$PFD_{FE}$ = $PFD_{avg}$ of a safety function for the final element(s).

The $PFD_{avg}$ calculations depend on the architecture, where 1oo1 denotes "1 out of 1" or a simplex system without redundancy and 2oo3 denotes a triple modular redundancy. Equation 2 is the calculation for a simplex system [15].

$PFD_{avg\,1oo1} = 0.5 \,(\lambda_{DU} \cdot TI)$ (2)

where

$PFD_{avg\,1oo1}$ = Average probability of failure on demand of a safety function for a single channel architecture, assuming mean time to repair is insignificant;
$\lambda_{DU}$ = Failure rate for dangerous undetected failure;
$TI$ = Manual test interval or frequency.

For example, a simplified safety shutdown circuit consists of a stop switch, PLC, and hydraulic pump actuator connected in series. The pump shuts down when the switch is pressed, thus placing the system in a safe state. The shutdown circuit is manually tested once a week, or every 168 hours. The switch fails to a dangerous state in 5% of all failures and the contactor fails dangerously 10% of the time. Neither component has diagnostics, so the dangerous failures are undetected. The $PFD_{avg}$ is calculated as follows:

$PFD_{avg\,plc} = 4.5 \times 10^{-3}$ (supplied by the manufacturer)
$\lambda_{switch} = \lambda_{contactor} = 5 \times 10^{-6}$ failures/hour
$\lambda_{DU\,switch} = 5 \times 10^{-6} (0.05) = 2.5 \times 10^{-8}$ (5% of failures are dangerous)
$\lambda_{DU\,contactor} = 5 \times 10^{-6} (0.10) = 5 \times 10^{-7}$ (10% of failures are dangerous)
$TI = 168$ hours

$PFD_{sys} = PFD_{avg\,plc} + PFD_{avg\,switch} + PFD_{avg\,contactor}$ (3)
$= 4.5 \times 10^{-3} + ((2.5 \times 10^{-8} + 5 \times 10^{-7}) / 2) \times 168$
$PFD_{sys} = 4.54 \times 10^{-3}$

Using Table 2 and the $PFD_{sys}$, the safety shutdown circuit meets a SIL of 2.
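The two SIL steps just described, the qualitative Table I lookup and the quantitative check of equations (1) to (3) against Table II, are carried through below as an added example; this is not code from the paper or from NIOSH. Table I and Table II are transcribed from the paper, the band boundaries (closed at the lower bound, open at the upper, as in IEC 61508) are an assumption, and the shutdown-circuit inputs are the paper's. One check worth having in the code: recomputing from the stated inputs gives a switch dangerous-undetected rate of 5 × 10^-6 × 0.05 = 2.5 × 10^-7 per hour, whereas the paper prints 2.5 × 10^-8, so the recomputed PFDsys is about 4.56 × 10^-3 rather than 4.54 × 10^-3; the printed figure is reproduced when the printed rate is used, and the circuit lands in the SIL 2 band either way.

```python
# Added example, not from the paper or NIOSH: SIL assignment (Table I) and
# SIL verification (equations 1-3 with Table II) for one safety function.
from typing import Dict, Optional, Tuple

SEVERITIES = ("catastrophic", "critical", "marginal", "negligible")

# Table I transcribed: (risk rank, required SIL) per frequency row, columns in
# SEVERITIES order. None stands for the "1, -" cells that require no SIL.
RISK_MATRIX: Dict[str, Tuple[Tuple[int, Optional[int]], ...]] = {
    "frequent":   ((4, 3), (4, 3), (4, 3), (3, 2)),
    "probable":   ((4, 3), (4, 3), (3, 2), (2, 1)),
    "occasional": ((4, 3), (3, 2), (2, 2), (2, 1)),
    "remote":     ((3, 2), (2, 1), (2, 1), (1, None)),
    "improbable": ((2, 2), (2, 1), (2, 1), (1, None)),
}

# Table II PFDavg bands for low-demand operation, as (SIL, low, high).
# Assumption: low bound inclusive, high bound exclusive (the IEC 61508 convention).
PFD_BANDS = ((3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1))


def assign_sil(severity: str, frequency: str) -> Tuple[int, Optional[int]]:
    """Qualitative step: risk rank and required SIL for one hazard from Table I."""
    return RISK_MATRIX[frequency.lower()][SEVERITIES.index(severity.lower())]


def lambda_du(failure_rate_per_h: float, dangerous_fraction: float) -> float:
    """Dangerous undetected failure rate for a component with no diagnostics."""
    return failure_rate_per_h * dangerous_fraction


def pfd_avg_1oo1(lambda_du_per_h: float, test_interval_h: float) -> float:
    """Equation (2): simplex (1oo1) channel, mean time to repair neglected."""
    return 0.5 * lambda_du_per_h * test_interval_h


def pfd_sys(pfd_s: float, pfd_l: float, pfd_fe: float) -> float:
    """Equation (1): sensor + logic solver + final element."""
    return pfd_s + pfd_l + pfd_fe


def sil_from_pfd(pfd: float) -> Optional[int]:
    """Quantitative step: map an achieved PFDavg onto Table II (None if off the table)."""
    for sil, low, high in PFD_BANDS:
        if low <= pfd < high:
            return sil
    return None


def performance_figures(pfd: float) -> Dict[str, float]:
    """The other two Table II columns: risk reduction factor and safety availability."""
    return {"RRF": 1.0 / pfd, "availability_pct": 100.0 * (1.0 - pfd)}


def shutdown_circuit_example(switch_lambda_du: Optional[float] = None) -> Tuple[float, Optional[int]]:
    """The paper's stop switch / PLC / pump contactor circuit with its stated inputs.
    Pass switch_lambda_du=2.5e-8 to reproduce the value as printed in the paper."""
    pfd_plc = 4.5e-3                                   # logic solver, from the manufacturer
    if switch_lambda_du is None:
        switch_lambda_du = lambda_du(5e-6, 0.05)       # recomputed: 2.5e-7 per hour
    contactor_lambda_du = lambda_du(5e-6, 0.10)        # 5e-7 per hour
    ti = 168.0                                         # weekly manual proof test, hours
    total = pfd_sys(pfd_avg_1oo1(switch_lambda_du, ti),  # sensor
                    pfd_plc,                             # logic solver
                    pfd_avg_1oo1(contactor_lambda_du, ti))  # final element; equation (3)
    return total, sil_from_pfd(total)


def design_meets_requirement(severity: str, frequency: str, achieved_pfd: float) -> bool:
    """Verification: does the achieved PFDavg satisfy the SIL that Table I demands?"""
    _, required = assign_sil(severity, frequency)
    if required is None:
        return True
    achieved = sil_from_pfd(achieved_pfd)
    return achieved is not None and achieved >= required


if __name__ == "__main__":
    total, sil = shutdown_circuit_example()
    print(f"PFDsys = {total:.3e} -> SIL {sil}", performance_figures(total))
    print("covers a critical/occasional hazard:",
          design_meets_requirement("critical", "occasional", total))
    print("covers a catastrophic/frequent hazard:",
          design_meets_requirement("catastrophic", "frequent", total))
```

The verification function deliberately treats an off-table PFD as a failure to meet any SIL, so a circuit that is either much worse than SIL 1 or better than the SIL 3 band is flagged for a manual look rather than silently passed.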
3) Other Key Elements: The following briefly describes other key elements and concepts:

• Safety is an emergent property of the entire system.

• Safety is not achieved in a discrete phase but in a continuous set of life cycle phases from system concept to decommissioning. Using a safety life-cycle enables safety to be addressed systematically and early.

• Multiple hazard analyses are needed throughout the product's development because each technique has particular strengths, weaknesses, and purpose.

• Management of change (MOC) is needed throughout the development and operation of the system and pertains to both hardware and software. Modifications of safety-critical software can and have introduced new, unforeseen hazards.

• The independent assessment of safety should be carried out incrementally. Conducting preliminary assessments during development and design enables deficiencies and inadequacies to be detected earlier rather than waiting until the entire system is designed.

V. MINING INDUSTRY IMPACTS

The NIOSH safety framework formally and comprehensively addresses the functional safety of PE-based mining systems. This work takes the industry from an ad hoc approach initiated by the latest mishap to a proactive, systematic approach based on best practices tailored specifically for mining. This has, and continues to have, a national and international impact on other government agencies, equipment manufacturers, operators, and academia as evidenced by the following:

• MSHA's acceptance and support: They have adopted the framework documents for use on a voluntary basis and they have provided exemplary support and cooperation. For example, they co-hosted the U.S. workshop, maintained industry participation through an industry workgroup they organized, and were engaged in numerous discussions and reviews of the work.

• Built industry awareness and knowledge: MSHA and the general mining industry are now aware of safety issues driven by data and not perceptions. All parties involved with this work have also gained significant PES functional safety knowledge and expertise.

• International recognition and utilization:
- Mineral Resources NSW publicly announced they support and will expect all new PE-based mining equipment to conform to the NIOSH safety framework.
- Mineral Resources NSW and the Minerals Industry Safety and Health Centre in conjunction with the University of Queensland requested and consequently received workshops on the NIOSH safety framework.
- The course "Mineral Industry Risk Analysis" at the University of Queensland is incorporating material from the NIOSH safety framework.

• Research spin-off: MSHA's Approval and Certification Center formed an internal "Risk Management Development Committee" for non-electronic systems. The NIOSH safety framework was an impetus to the committee's formation.

VI. LESSONS LEARNED

Lessons were learned after considerable expenditures of time and other resources. Many times lessons learned become evident in retrospect; many times the same lessons learned can be employed in future endeavors. Therefore, it's important to identify and document these lessons. Our major lessons learned are as follows:

• Involve the industry early and continuously: The diversity of industry experiences, knowledge, and expertise proved to be an invaluable asset. This enabled us to address areas we were not cognizant of, and it helped us to realize and maintain a practical approach. Secondly, industry involvement helped improve our working relationships with MSHA and others in the industry.

• Identify and understand issues and perceptions: Early in the project, software safety was identified as the leading area to address. This perception was formed because people felt most uncomfortable with software and because they had limited knowledge and experience in this area [6]. Our data analysis showed that few mishaps were attributed to software errors.

• Establish key concepts, terminology and definitions early: This helped unify industry support and cooperation by establishing common and consistent understandings. It also reduced confusion and related anxieties.

• Decompose the problem: The safety framework was decomposed into nine parts, each associated with a major life cycle stage. This helped to sustain industry involvement and interest by breaking the problem into manageable parts. This also enabled us to work in parallel on multiple parts. Lastly, it enabled us to incrementally introduce new ideas and processes. Therefore, the industry's first steps were manageable and successful. The remaining parts were built upon these early successes.

• Separate the concerns: The safety framework's nine parts were assembled into two groups: 1) recommendation documents describing what needed to be done in terms of plans, processes and best practices; 2) guidance documents containing supplemental information and examples to assist users to determine how to best implement the recommendations. Separation of the "what" from the "how" enabled us to maintain clarity and focus.

• Conduct industry workshops: Industry workshops on PE safety concepts and the NIOSH safety framework were held in the United States and Australia. The workshops helped create an awareness of safety issues, transfer fundamental knowledge concerning PE safety, and obtain stakeholder feedback and input. Secondly, the workshops enabled NIOSH researchers to focus the guidance documents to address the most difficult and important areas identified by workshop participants.

• Use scenarios to convey some types of information: "There are lies, damn lies, and statistics." - Mark Twain. The

mining industry can be a cautious group with a "show me" attitude. We found that by adapting the scenario technique to a mining incident, we could quickly and effectively present a relatively large amount of information to a broad audience, and with a high level of acceptance.

Table 3 lists an abbreviated mine mishap scenario. It is a composite and adaptation of actual events and is not intended to identify particular people, manufacturers, or mine sites. Time is compressed for illustrative purposes. The scenario conveyed key points for PES functional safety. It also accommodated the perspectives of the manufacturer, union, mine operator, and MSHA.

TABLE 3. EXAMPLE OF MINE MISHAP SCENARIO

| Time       | Code | People (Cumulative) | Narrative |
|------------|------|---------------------|-----------|
| DAY 1      |      |                     |           |
| 8:30 a.m.  | NM   | 1  | Machine moves unexpectedly, operator moves to escape. No injury. |
| 8:45 a.m.  | —    | 1  | Mine personnel contacted: Chief Mine Engineer, Maintenance Engineer, and Safety Engineer. |
| 10:00 a.m. | —    | 4  | All mine personnel contacted arrive and begin troubleshooting. |
| 10:45 a.m. | LTI  | 4  | Maintenance person squats between machine and rib to read diagnostic display. Machine moves suddenly; person breaks arm trying to get out of the way. Medical assistance contacted. |
| 10:50 a.m. | —    | 4  | MSHA District Manager, State Inspector, United Mine Workers of America (UMWA), and Field Service Engineer contacted. |
| 12:30 p.m. | —    | 6  | Medical assistance arrives; person is transported to hospital. |
| DAY 2      |      |                     |           |
| 8:15 a.m.  | —    | 6  | MSHA District Manager contacts mine, informing that MSHA will conduct a mishap investigation. |
| 12:00 noon | —    | 11 | MSHA District Accident Investigator, MSHA Technical Support, State Inspector, UMWA, and Field Service Engineer arrive at the mine and begin working. |
| 2:15 p.m.  | —    | 11 | The process of duplicating the original problem of unexpected machine movement begins once proper safety precautions are in place and test equipment is connected. |
| 6:00 p.m.  | —    | 11 | The problem is duplicated, and the pendant controller is identified as working improperly. |
| 6:15 p.m.  | —    | 13 | MSHA takes pendant controller to laboratory for analysis. |
| DAY 3      |      |                     |           |
| 9:30 a.m.  | —    | 13 | During analysis, MSHA finds an open electrical connection in the remote-control pendant. MSHA also determines that the software contains an error, since it was supposed to detect this condition. Manufacturer is contacted. |
| 10:30 a.m. | —    | 15 | The manufacturer's hardware and software engineers determine that there is a software bug. The original software is compared with the existing software used when the mishap occurred. A safety-critical portion of software is missing. The software to detect and prevent the machine from going to an unsafe state is missing. |
| 12:00 noon | —    | 15 | It is determined that the safety-critical portion of software was inadvertently omitted due to the rush to meet the customer's demands that the software be modified to add a new function by the next day. |
| 3:15 p.m.  | —    | 16 | MSHA Inspectorate issues a citation to the mine operator. |
| 5:00 p.m.  | —    | 16 | MSHA Technical Support initiates a Recall/Retrofit Program for these pendant controllers. |
| DAY 4      |      |                     |           |
| 5:30 a.m.  | —    | 16 | Begin to repair pendant hardware and write a new software patch. |
| 6:00 a.m.  | —    | 16 | Fixes are tested and have resolved the problem. |
| 7:00 a.m.  | —    | 17 | Meeting with mine management and all those directly involved takes place to explain the problem and the proposed fix. |
| 8:30 a.m.  | —    | 17 | All parties satisfied with the proposed fix. |
| 9:00 a.m.  | —    | 17 | The manufacturer begins loading pendant memory chips with the new software. |
| DAY 5      |      |                     |           |
| 8:30 a.m.  | —    | 17 | Service Engineer arrives with replacement memory chips for the pendant controllers and begins installation. |

NM: Near miss. LTI: Lost-time injury.
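The Table 3 scenario and the two Dransite excerpts in Section III describe the same software failure pattern three ways: an emergency stop that was only honoured in part of the drive-signal cycle, a range check on shearer location data that a programming change deleted, and pendant open-connection detection that a rushed modification dropped. The added example below, which is not code from the paper, NIOSH, MSHA or any equipment manufacturer, models that decision logic for a hypothetical pendant/shield controller and shows the management-of-change control the paper calls for: a pinned regression suite that reports which interlock a modification has broken. The track limits, step limit and input fields are constructed values for this example.

```python
# Added example (hypothetical model, not any real controller's firmware):
# safety decision logic for a remote-pendant / shield controller, with a
# regression suite that acts as the management-of-change gate.
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional


class Cmd(Enum):
    STOP = "stop"
    FORWARD = "forward"
    REVERSE = "reverse"


@dataclass(frozen=True)
class Inputs:
    estop_pressed: bool        # operator emergency stop
    pendant_loop_closed: bool  # supervised wire loop through the pendant; False = open connection
    requested: Cmd             # motion the operator asked for
    location_m: float          # machine location reported by another controller
    valve_signal_on: bool      # drive-valve PWM signal state at the sample instant


# Assumed plausibility limits (constructed for this example).
TRACK_MIN_M, TRACK_MAX_M = 0.0, 250.0
MAX_STEP_M = 2.0  # largest credible change between consecutive samples


def location_plausible(loc: float, prev: Optional[float]) -> bool:
    """Reject location data that is off the track or jumps farther than is physically possible."""
    if not (TRACK_MIN_M <= loc <= TRACK_MAX_M):
        return False
    if prev is not None and abs(loc - prev) > MAX_STEP_M:
        return False
    return True


def decide_safe(inp: Inputs, prev_location: Optional[float]) -> Cmd:
    """Hardened logic: every interlock is evaluated on every cycle, before any drive output."""
    if inp.estop_pressed:               # honoured regardless of valve_signal_on
        return Cmd.STOP
    if not inp.pendant_loop_closed:     # open connection in the pendant: fail safe
        return Cmd.STOP
    if not location_plausible(inp.location_m, prev_location):
        return Cmd.STOP
    return inp.requested


def decide_estop_window(inp: Inputs, prev_location: Optional[float]) -> Cmd:
    """Variant modelling the first excerpt: the E-stop is only acted on while the
    drive signal is in its 'on' phase, leaving a window in which it is ignored."""
    if inp.estop_pressed and inp.valve_signal_on:
        return Cmd.STOP
    if not inp.pendant_loop_closed:
        return Cmd.STOP
    if not location_plausible(inp.location_m, prev_location):
        return Cmd.STOP
    return inp.requested


def decide_missing_range_check(inp: Inputs, prev_location: Optional[float]) -> Cmd:
    """Variant modelling the second excerpt and the Table 3 scenario: the code that
    rejected implausible location data was dropped during a rushed modification."""
    if inp.estop_pressed:
        return Cmd.STOP
    if not inp.pendant_loop_closed:
        return Cmd.STOP
    return inp.requested


Decider = Callable[[Inputs, Optional[float]], Cmd]

# Constructed regression cases; each pins one interlock to its required outcome.
REGRESSION_CASES = {
    "estop_during_valve_off_phase": (Inputs(True, True, Cmd.FORWARD, 100.0, False), 99.5, Cmd.STOP),
    "open_pendant_connection":      (Inputs(False, False, Cmd.FORWARD, 100.0, True), 99.5, Cmd.STOP),
    "location_jump_rejected":       (Inputs(False, True, Cmd.FORWARD, 180.0, True), 100.0, Cmd.STOP),
    "location_off_track_rejected":  (Inputs(False, True, Cmd.REVERSE, -5.0, True), None, Cmd.STOP),
    "normal_motion_allowed":        (Inputs(False, True, Cmd.FORWARD, 100.5, True), 100.0, Cmd.FORWARD),
}


def regression_suite(decider: Decider) -> Dict[str, bool]:
    """Run every pinned case; a False entry means that interlock no longer behaves."""
    return {name: decider(inp, prev) == expected
            for name, (inp, prev, expected) in REGRESSION_CASES.items()}


def failed_interlocks(decider: Decider) -> List[str]:
    """Names of the interlocks a candidate build fails; empty means the build may ship."""
    return sorted(name for name, ok in regression_suite(decider).items() if not ok)


if __name__ == "__main__":
    for name, fn in [("safe", decide_safe), ("estop_window", decide_estop_window),
                     ("missing_range_check", decide_missing_range_check)]:
        print(f"{name:20s} failed interlocks: {failed_interlocks(fn) or 'none'}")
```

The point of pinning each interlock to its own named case is that a deleted or bypassed check fails loudly and by name at build time, instead of being discovered on Day 3 of a mishap investigation as in Table 3.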

First, after a mishap occurs, people are placed in dangerous situations as they inspect, troubleshoot, move equipment, and make repairs. Secondly, the scenario demonstrated the large expenditure of resources to address a mishap. Next, it demonstrates that PES functional safety must be addressed for all life cycle stages, including software modifications. Software is as much a part of the system as the hardware. Before software modifications are made, they must be analyzed to determine whether they will create a new hazard or worsen an existing one. Lastly, mishaps typically result from more than one cause. In this scenario, hardware, software, poor work practices, and poor management practices combined to cause a lost-time injury to a maintenance person.

VII. FUTURE DIRECTIONS

MSHA studies of PE-based mining system mishaps have concluded that mishaps typically involve multiple factors including complex interactions of software, hardware, humans, and the application environment [6]. The mishaps from complex interactions are explained by Perrow's Normal Accident Theory (NAT) [15]. Perrow theorizes that systems with the characteristics of interactive complexity and tight coupling are prone to system accidents. Interactively complex systems have the potential to generate many unexpected, nonlinear branching paths among subsystems. These interactions can be unexpected, incomprehensible, or unperceivable to system operators. Tightly coupled systems respond rapidly to these unplanned interactions such that operators do not have the time or ability to intervene properly.

It is expected that complex interactions will become more problematic as the complexity and sophistication of PE-based mining systems escalate. Many functions once hardwired are now being implemented by PE. This creates a level of complexity requiring more resources and more expertise to assure and assess the safety of these complex PE-based systems.

NIOSH has begun research to address system complexity. The research objective is to create a complexity assessment methodology to operationalize NAT for PE-based mining systems. The tasks to operationalize NAT include the conversion of theory to practice by establishing concrete, quantifiable system level complexity metrics. The methodology serves to help identify, evaluate, and reduce system complexities. Less complex systems are safer [15], have fewer systematic errors [16] and are easier to verify for safety.

REFERENCES

[1] Dransite GD [1992]. Ghosting of Electro-Hydraulic Longwall Shield Advance Systems. Published in proceedings of the 11th West Virginia University International Electro-technology Conference, Morgantown, WV, July 29-30, pp. 77-78.
[2] Sammarco JJ, Kohler JL, Novak T, and Morley LA [1997]. Safety Issues and the Use of Software-Controlled Equipment in the Mining Industry. Published in the proceedings of the IEEE Industry Applications Society 32nd Annual Meeting, New Orleans, LA.
[3] MSHA [2001]. Fatal Alert Bulletins, Fatalgrams and Fatal Investigation Reports. Web page, [accessed May 2001]. Available at www.msha.gov/fatals/fab.htm.
[4] Waudby JF [2001]. Underground Coal Mining Remote Control of Mining Equipment: Known Incidents of Unplanned Operation in New South Wales (NSW) Underground Coal Mines. Unpublished.
[5] Gruhn P, and Cheddie HL [1998]. Safety Shutdown Systems: Design, Analysis and Justification. Instrument Society of America (ISA), Research Triangle Park, NC, p. 121.
[6] Dransite GD [2000]. System Safety Applications in Mining. 18th International System Safety Conference, Sept.
[7] Sammarco JJ [1999]. Safety Framework for Programmable Electronics in Mining. Mining Engineering, Society of Mining Engineers, 51(12):30-33.
[8] Sammarco JJ, Fisher TJ, Welsh JH, and Pazuchanics MJ [2000]. Programmable Electronic Mining Systems: Best Practice Recommendations (In Nine Parts); Part 1: 1.0 Introduction, IC9456, NIOSH, Pittsburgh, PA, pp. 1-10.
[9] Sammarco JJ and Fisher TJ [2001]. Programmable Electronic Mining Systems: Best Practice Recommendations (In Nine Parts); Part 2: 2.1 System Safety, IC9458, NIOSH, Pittsburgh, PA, pp. 1-34.
[10] Fries EF, Fisher TJ, and Jobes CC [2001]. Programmable Electronic Mining Systems: Best Practice Recommendations (In Nine Parts); Part 3: 2.2 Software Safety, IC9460, NIOSH, Pittsburgh, PA, pp. 1-33.
[11] Mowrey GL, Fries EF, Fisher TJ, and Sammarco JJ [2002]. Programmable Electronic Mining Systems: Best Practice Recommendations (In Nine Parts); Part 4: 4.0 Safety File, IC9461, NIOSH, Pittsburgh, PA.
[12] Sammarco JJ, and Fries EF [2002]. Publication in progress: Programmable Electronic Mining Systems: Best Practice Recommendations (In Nine Parts); Part 5: 5.0 Independent Assessment.
[13] IEC [1997]. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Part 1: General Requirements. IEC 61508-1, International Electrotechnical Commission.
[14] IEC [1998]. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-related Systems, Part 6: Examples of Methods for the Determination of Safety Integrity Levels. IEC 61508-6, International Electrotechnical Commission.
[15] Perrow C [1999]. Normal Accidents: Living with High-Risk Technologies. Princeton University Press, Princeton, NJ.
[16] Selby RW and Basili VR [1991]. Analyzing Error-Prone System Structure. IEEE Transactions on Software Engineering 17(2):141-152.
