The strategy for ensuring the safety of multi-function systems such as robots is: 1) incorporate a fail-safe mechanism; if this is not feasible, 2) apply a fault-tolerant configuration; and 3) execute qualitative and quantitative systems analyses. Widely accepted methods such as fault-tree analysis are now used for quantitative and qualitative hazard analysis of existing designs. However, comparable methods for designing hazard-control systems do not exist. We establish a hazard-control design methodology based on a categorization of action changes and the dissociation of action chains. In our methodology: 1) the damage process is modeled as the propagation of actions among system elements; 2) the actions are divided into two groups, state-failure and function-failure; 3) the concept of action-linkage dissociation is developed for damage prevention; 4) application rules for information-processing systems are defined; and 5) a systematic procedure is developed to identify hazards and to conceptualize hazard-control systems. We postulate that dissociations involving paths or sources lead to fail-safe systems, while those involving substitution of function lead to fault-tolerant systems. Examples involving robot systems demonstrate the new technology. © 1990 IEEE
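The following is an added illustration, not code from the paper, of the postulate above: damage is modeled as actions propagating along a directed graph of system elements, and the three kinds of dissociation are applied to the same initial failure to see which yields a fail-safe outcome (hazard target unharmed, function lost) and which a fault-tolerant one (hazard target unharmed, function retained). The propagation semantics (a state-failure action from any failed element fails its target; a function-failure target fails only when every provider of that function has failed), the three-element robot cell, and the element names `encoder`, `controller`, `arm`, `operator` and `backup_encoder` are all assumptions made for the example.

```python
"""Toy model of hazard propagation as actions between system elements, with the
three kinds of action-linkage dissociation named in the abstract (path, source,
substitution of function).  Added example, not the paper's method; the robot
cell and the propagation rules are constructed assumptions."""
import copy

STATE = "state-failure"        # a changed physical state propagates (arm strikes operator)
FUNCTION = "function-failure"  # a needed function stops being delivered (no feedback)


class ActionModel:
    """Directed action graph: (src, dst, kind) means src acts on dst."""

    def __init__(self):
        self.actions = []

    def add_action(self, src, dst, kind):
        self.actions.append((src, dst, kind))
        return self

    def copy(self):
        return copy.deepcopy(self)

    # --- dissociations (assumed interpretations of the three kinds) ---------
    def dissociate_path(self, src, dst):
        """Cut the linkage itself (e.g. a fence or light curtain between src and dst)."""
        self.actions = [a for a in self.actions if (a[0], a[1]) != (src, dst)]
        return self

    def dissociate_source(self, src):
        """Neutralise the originating element (e.g. brake or power cut-off on src)."""
        self.actions = [a for a in self.actions if a[0] != src]
        return self

    def substitute_function(self, alternate, dst):
        """Add a redundant provider of the function dst depends on."""
        return self.add_action(alternate, dst, FUNCTION)

    # --- propagation ---------------------------------------------------------
    def failed_elements(self, initial):
        """Fixpoint: a state-failure action from any failed src fails dst;
        a function-failure dst fails only when all of its providers have failed."""
        failed = set(initial)
        providers = {}
        for src, dst, kind in self.actions:
            if kind == FUNCTION:
                providers.setdefault(dst, set()).add(src)
        while True:
            before = len(failed)
            for src, dst, kind in self.actions:
                if kind == STATE and src in failed:
                    failed.add(dst)
            for dst, srcs in providers.items():
                if srcs <= failed:
                    failed.add(dst)
            if len(failed) == before:
                return failed


def outcome(model, initial, protected, functional):
    """Classify a design: 'unsafe' if damage reaches the protected element,
    'fault-tolerant' if the functional element keeps working, else 'fail-safe'."""
    failed = model.failed_elements(initial)
    if protected in failed:
        return "unsafe"
    if functional not in failed:
        return "fault-tolerant"
    return "fail-safe"


def robot_cell():
    """Constructed robot cell: encoder feeds controller, controller drives arm,
    arm motion can physically reach the operator."""
    m = ActionModel()
    m.add_action("encoder", "controller", FUNCTION)
    m.add_action("controller", "arm", FUNCTION)
    m.add_action("arm", "operator", STATE)
    return m


def compare_dissociations(initial=("encoder",)):
    """Apply each dissociation to the same initial failure and classify the result."""
    base = robot_cell()
    variants = {
        "none": base.copy(),
        "path": base.copy().dissociate_path("arm", "operator"),
        "source": base.copy().dissociate_source("arm"),
        "substitution": base.copy().substitute_function("backup_encoder", "controller"),
    }
    return {k: outcome(v, initial, "operator", "arm") for k, v in variants.items()}


if __name__ == "__main__":
    for design, result in compare_dissociations().items():
        print(f"{design:12s} -> {result}")
```

With an encoder failure as the initiating event, the undissociated cell propagates all the way to the operator; cutting the arm-to-operator path or neutralising the arm as a source both stop the damage but leave the arm without function (fail-safe), while a redundant encoder keeps the controller and arm functioning (fault-tolerant). Note that `dissociate_source` here is applied to the hazardous element (the arm), not to the failed dependency; removing the only provider of a function is not a protective measure in this model.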