Hazard Analysis Techniques for System Safety

Hardcover

Author: Clifton A. Ericson II

ISBN-10: 0471720194

ISBN-13: 9780471720195

Category: Enterprise Computing - General & Miscellaneous

A practical guide to identifying hazards using common hazard analysis techniques

Many different hazard analysis techniques have been developed over the past forty years. However, there is only a handful of techniques that safety analysts actually apply in their daily work. Written by a former president of the System Safety Society and winner of the Boeing Achievement and Apollo Awards for his safety analysis work, Hazard Analysis Techniques for System Safety explains, in detail, how to perform the most commonly used hazard analysis techniques employed by the system safety engineering discipline. Focusing on the twenty-two most commonly used hazard analysis methodologies in the system safety discipline, author Clifton Ericson outlines the three components that comprise a hazard and describes how to use these components to recognize a hazard during analysis. He then examines each technique in sufficient detail and with numerous illustrations and examples, to enable the reader to easily understand and perform the analysis. Techniques covered include:

Preliminary Hazard List (PHL) Analysis
Preliminary Hazard Analysis (PHA)
Subsystem Hazard Analysis (SSHA)
System Hazard Analysis (SHA)
Operating and Support Hazard Analysis (O&SHA)
Health Hazard Assessment (HHA)
Safety Requirements/Criteria Analysis (SRCA)
Fault Tree Analysis (FTA)
Event Tree Analysis (ETA)
Failure Mode and Effects Analysis (FMEA)
Fault Hazard Analysis
Functional Hazard Analysis
Sneak Circuit Analysis (SCA)
Petri Net Analysis (PNA)
Markov Analysis (MA)
Barrier Analysis (BA)
Bent Pin Analysis (BPA)
HAZOP Analysis
Cause Consequence Analysis (CCA)
Common Cause Failure Analysis (CCFA)
MORT Analysis
Software Safety Assessment (SWSA)

Written to be accessible to readers with a minimal amount of technical background, Hazard Analysis Techniques for System Safety gathers, for the first time in one source, the techniques that safety analysts actually apply in daily practice. Both new and seasoned analysts will find this book an invaluable resource for designing and constructing safe systems, in short, for saving lives.

Hazard Analysis Techniques for System Safety
By Clifton A. Ericson
John Wiley & Sons
Copyright © 2005 John Wiley & Sons, Inc.
All rights reserved.
ISBN: 0-471-72019-4

Chapter One
System Safety

1.1 INTRODUCTION

We live in a world comprised of systems and risk. When viewed from an engineering perspective, most aspects of life involve systems. For example, houses are a type of system, automobiles are a type of system, and electrical power grids are another type of system. Commercial aircraft are systems that operate within an economical transportation system and a worldwide airspace control system. Systems have become a necessity for modern living.

With systems and technology also comes exposure to mishaps because systems can fail or work improperly, resulting in damage, injury, and deaths. The possibility that a system fails and results in death, injury, damage, and the like is referred to as mishap risk. For example, there is the danger that a traffic light will fail, resulting in the mishap of another auto colliding with your auto. Automobiles, traffic, and traffic lights form a unique system that we use daily, and we accept the mishap risk potential because the risk is small. There is the danger that the gas furnace in our house will fail and explode, thereby resulting in the mishap of a burned house, or worse. This is another unique system, with known adverse side effects that we choose to live with because the mishap risk is small and the benefits are great.

Our lives are intertwined within a web of different systems, each of which can affect our safety. Each of these systems has a unique design and a unique set of components. In addition, each of these systems contains inherent hazards that present unique mishap risks. We are always making a trade-off between accepting the benefits of a system versus the mishap risk it presents. As we develop and build systems, we should be concerned about eliminating and reducing mishap risk. Some risks are so small that they can easily be accepted, while other risks are so large they must be dealt with immediately. Mishap risk is usually small and acceptable when system design control (i.e., system safety) is applied during the development of the system.

Risks are akin to the invisible radio signals that fill the air around us, in that some are loud and clear, some very faint, and some are distorted and unclear. Life, as well as safety, is a matter of knowing, understanding, and choosing the risk to accept. System safety is the formal process of identifying and controlling mishap risk. As systems become more complex and more hazardous, more effort is required to understand and manage system mishap risk.

The key to system safety and effective risk management is the identification and mitigation of hazards. To successfully control hazards, it is necessary to understand hazards and know how to identify them. The purpose of this book is to better understand hazards and the tools and techniques for identifying them, in order that they can be effectively controlled during the development of a system.

1.2 SYSTEM SAFETY BACKGROUND

The ideal objective of system safety is to develop a system free of hazards. However, absolute safety is not possible because complete freedom from all hazardous conditions is not always possible, particularly when dealing with complex inherently hazardous systems, such as weapons systems, nuclear power plants, and commercial aircraft.

Since it is generally not possible to eliminate all hazards, the realistic objective becomes that of developing a system with acceptable mishap risk. This is accomplished by identifying potential hazards, assessing their risks, and implementing corrective actions to eliminate or mitigate the identified hazards. This involves a systematic approach to the management of mishap risk. Safety is a basic part of the risk management process.

Hazards will always exist, but their risk must and can be made acceptable. Therefore, safety is a relative term that implies a level of risk that is measurable and acceptable. System safety is not an absolute quantity, but rather an optimized level of mishap risk management that is constrained by cost, time, and operational effectiveness (performance). System safety requires that risk be evaluated, and the level of risk accepted or rejected by an appropriate decision authority. Mishap risk management is the basic process of system safety engineering and management functions. System safety is a process of disciplines and controls employed from the initial system design concepts, through detailed design and testing, to system disposal at the completion of its useful life (i.e., "cradle to grave" or "womb to tomb").

The fundamental objective of system safety is to identify, eliminate or control, and document system hazards. System safety encompasses all the ideals of mishap risk management and design for safety; it is a discipline for hazard identification and control to an acceptable level of risk. Safety is a system attribute that must be intentionally designed into a product. From an historical perspective it has been learned that a proactive preventive approach to safety during system design and development is much more cost effective than trying to add safety into a system after the occurrence of an accident or mishap. System safety is an initial investment that saves future losses that could result from potential mishaps.

1.3 SYSTEM SAFETY CHARACTERIZATION

System safety is the process of managing the system, personnel, environmental, and health mishap risks encountered in the design, development, test, production, use, and disposal of systems, subsystems, equipment, materials, and facilities.

A system safety program (SSP) is a formal approach to eliminate hazards through engineering, design, education, management policy, and supervisory control of conditions and practices. It ensures the accomplishment of the appropriate system safety management and engineering tasks. The formal system safety process has been primarily established by the U.S. Department of Defense (DoD) and its military branches and promulgated by MIL-STD-882. However, this same process is also followed in private industry for the development of commercial products, such as commercial aircraft, rail transportation, nuclear power, and automobiles, to mention just a few.

The goal of system safety is the protection of life, systems, equipment, and the environment. The basic objective is the elimination of hazards that can result in death, injury, system loss, and damage to the environment. When hazard elimination is not possible, the next objective is to reduce the risk of a mishap through design control measures. Reducing mishap risk is achieved by reducing the probability of the mishap and/or the severity of the mishap.

This objective can be attained at minimum cost when the SSP is implemented early in the conceptual phase and is continued throughout the system development and acquisition cycle. The overall complexity of today's systems, particularly weapons systems, is such that system safety is required in order to consciously prevent mishaps and accidents. Added to complexity is the inherent danger of energetic materials, the effects of environments, and the complexities of operational requirements. In addition, consideration must be given to hardware failures, human error, software interfaces, including programming errors, and vagaries of the environment.

System safety is defined in MIL-STD-882D as follows:

The application of engineering and management principles, criteria, and techniques to achieve acceptable mishap risk, within the constraints of operational effectiveness and suitability, time, and cost, throughout all phases of the system life cycle.

The intent of system safety is mishap risk management through hazard identification and mitigation techniques. System safety engineering is an element of systems engineering involving the application of scientific and engineering principles for the timely identification of hazards and initiation of those actions necessary to prevent or control hazards within the system. It draws upon professional knowledge and specialized skills in the mathematical and scientific disciplines, together with the principles and methods of engineering design and analysis to specify, predict, evaluate, and document the safety of the system.

System safety management is an element of program management that ensures accomplishment of the correct mix of system safety tasks. This includes identification of system safety requirements; planning, organizing, and controlling those efforts that are directed toward achieving the safety goals; coordinating with other program elements; and analyzing, reviewing, and evaluating the program to ensure effective and timely realization of the system safety objectives.

The basic concept of system safety is that it is a formal process of intentionally designing in safety by designing out hazards or reducing the mishap risk of hazards. It is a proactive process performed throughout the system life cycle to save lives and resources by intentionally reducing the likelihood of mishaps to an insignificant level. The system life cycle is typically defined as the stages of concept, preliminary design, detailed design, test, manufacture, operation, and disposal (demilitarization). In order to be proactive, safety must begin when system development first begins at the conceptual stage.

The goal of system safety is to ensure the detection of hazards to the fullest extent possible and provide for the introduction of protective measures early enough in system development to avoid design changes late in the program. A safe design is a prerequisite for safe operations. Things that can go wrong with systems are predictable, and something that is predictable is also preventable. As Murphy's law states, "whatever can go wrong, will go wrong." The goal of system safety is to find out what can go wrong (before it does) and establish controls to prevent it or reduce the probability of occurrence. This is accomplished through hazard identification and mitigation.

1.4 SYSTEM SAFETY PROCESS

MIL-STD-882D establishes the core system safety process in eight principal steps, which are shown in Figure 1.1. The core system safety process involves establishing an SSP to implement the mishap risk management process. The SSP is formally documented in the system safety program plan (SSPP), which specifies all of the safety tasks that will be performed, including the specific hazard analyses, reports, and so forth. As hazards are identified, their risk will be assessed, and hazard mitigation methods will be established to mitigate the risk as determined necessary. Hazard mitigation methods are implemented into system design via system safety requirements (SSRs). All identified hazards are converted into hazard action records (HARs) and placed into a hazard tracking system (HTS). Hazards are continually tracked in the HTS until they can be closed.

It can be seen from the core system safety process that safety revolves around hazards. Hazard identification and elimination/mitigation is the key to this process. Therefore, it is critical that the system safety analyst understand hazards, hazard identification, and hazard mitigation.

The core system safety process can be reduced to the process shown in Figure 1.2. This is a mishap risk management process whereby safety is achieved through the identification of hazards, the assessment of hazard mishap risk, and the control of hazards presenting unacceptable risk. This is a closed-loop process whereby hazards are identified and tracked until acceptable closure action is implemented and verified. It should be performed in conjunction with actual system development, in order that the design can be influenced during the design process, rather than trying to enforce design changes after the system is developed.

System safety involves a life-cycle approach based on the idea that mishap and accident prevention measures must be initiated as early as possible in the life of a system and carried through to the end of its useful life. It is usually much cheaper and more effective to design safety features into an item of equipment than it is to add the safety features when the item is in production or in the field. Also, experience indicates that some of the hazards in a newly designed system will escape detection, no matter how aggressive the safety program. Therefore, the safety program for a system must remain active throughout the life of the system to ensure that safety problems are recognized whenever they arise and that appropriate corrective action is taken.

The key to system safety is the management of hazards. To effectively manage hazards, one must understand hazard theory and the identification of hazards. The purpose of this book is to better understand hazards and the tools and techniques for identifying them.
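The closed-loop process that Section 1.4 describes (identify a hazard, assess its mishap risk, levy mitigations as SSRs, carry the HAR in the HTS until the closure action is implemented and verified and the residual risk is accepted by a decision authority) can be made concrete as a small hazard tracking model. The Python below is an added example for this page; it is not code from the book or from MIL-STD-882. The severity and probability orderings, the numeric risk bands, the HAR fields, the method names and the sample furnace hazard are all assumptions chosen for illustration, not values the excerpt gives.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

# Orderings assumed for illustration; the excerpt itself gives no categories or matrix.
Severity = IntEnum("Severity", "NEGLIGIBLE MARGINAL CRITICAL CATASTROPHIC")            # 1..4
Probability = IntEnum("Probability", "IMPROBABLE REMOTE OCCASIONAL PROBABLE FREQUENT")  # 1..5


def risk_level(severity: Severity, probability: Probability) -> str:
    """Assumed risk bands on severity x probability (1..20): the score rises with
    both factors, so lowering either one lowers the band, as Section 1.3 says."""
    score = int(severity) * int(probability)
    if score >= 12:
        return "HIGH"
    if score >= 6:
        return "SERIOUS"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


@dataclass
class HazardActionRecord:
    """One HAR: the hazard, its currently assessed risk, and its closure state."""
    har_id: str
    hazard: str
    severity: Severity
    probability: Probability
    ssrs: list = field(default_factory=list)   # mitigations levied as SSRs
    implemented: bool = False                  # SSRs designed into the system
    verified: bool = False                     # SSRs confirmed by test or analysis
    accepted_by: Optional[str] = None          # decision authority for residual risk
    status: str = "OPEN"

    @property
    def risk(self) -> str:
        return risk_level(self.severity, self.probability)


class HazardTrackingSystem:
    """Closed-loop HTS: a HAR stays OPEN until its closure action is implemented,
    verified, and the residual risk is accepted by a decision authority."""

    def __init__(self) -> None:
        self.hars: dict = {}

    def identify(self, har_id, hazard, severity, probability) -> HazardActionRecord:
        self.hars[har_id] = HazardActionRecord(har_id, hazard, severity, probability)
        return self.hars[har_id]

    def mitigate(self, har_id, ssr, *, severity=None, probability=None) -> str:
        """Levy an SSR and reassess the risk it is expected to leave; returns the new
        band. A new mitigation must be implemented and verified again before closure."""
        har = self.hars[har_id]
        har.ssrs.append(ssr)
        if severity is not None:
            har.severity = severity
        if probability is not None:
            har.probability = probability
        har.implemented = har.verified = False
        return har.risk

    def implement(self, har_id) -> None:
        self.hars[har_id].implemented = True

    def verify(self, har_id) -> None:
        if not self.hars[har_id].implemented:
            raise ValueError(f"{har_id}: cannot verify a mitigation that is not implemented")
        self.hars[har_id].verified = True

    def accept(self, har_id, authority) -> None:
        self.hars[har_id].accepted_by = authority

    def close(self, har_id) -> None:
        """Refuse closure unless every step of the loop has been completed."""
        har = self.hars[har_id]
        if not (har.implemented and har.verified):
            raise ValueError(f"{har_id}: closure action not implemented and verified")
        if har.accepted_by is None:
            raise ValueError(f"{har_id}: residual {har.risk} risk not accepted by a decision authority")
        har.status = "CLOSED"

    def open_hazards(self) -> list:
        """IDs of open HARs, highest assessed risk first."""
        open_ = [h for h in self.hars.values() if h.status == "OPEN"]
        open_.sort(key=lambda h: -(int(h.severity) * int(h.probability)))
        return [h.har_id for h in open_]


def demo() -> HazardTrackingSystem:
    """Run the excerpt's gas-furnace hazard through one loop (constructed data)."""
    hts = HazardTrackingSystem()
    hts.identify("HAR-001", "Burner fails to light while the gas valve stays open",
                 Severity.CATASTROPHIC, Probability.OCCASIONAL)      # 4 * 3 = 12, HIGH
    # The SSR attacks probability; the severity of a furnace explosion is unchanged.
    hts.mitigate("HAR-001", "SSR-17: flame-failure sensor closes the gas valve on loss of flame",
                 probability=Probability.REMOTE)                      # 4 * 2 = 8, SERIOUS
    hts.implement("HAR-001")
    hts.verify("HAR-001")
    hts.accept("HAR-001", "Program Manager")
    hts.close("HAR-001")
    return hts
```

The two rules the code enforces are the ones the text states: risk only falls by lowering severity or probability, and a HAR is refused closure while any step of the loop is incomplete. A fresh mitigation resets the implemented and verified flags, so re-entering the loop is forced rather than left to discipline.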
When hazards are identified and understood, they can then be properly eliminated or mitigated.

1.5 SYSTEM CONCEPT

1.5.1 General System Model

As implied in the name, system safety is involved with "systems" and with the many different characteristics and attributes associated with systems. Therefore, in order to effectively apply the system safety process, it is necessary to completely understand the term system and all of its ramifications. This includes understanding what comprises a system, how a system operates, system analysis tools, the life cycle of a system, and the system development process. A proactive and preventive safety process can only be effectively implemented if the proper system-oriented safety tasks are performed during the appropriate system life-cycle phases, in conjunction with utilizing the appropriate system engineering tools. The timing and content of safety tasks must coincide with certain system development domains to ensure safety success.

The standard definition of a system from MIL-STD-882 is:

A system is a composite, at any level of complexity, of personnel, procedures, materials, tools, equipment, facilities, and software. The elements of this composite entity are used together in the intended operational or support environment to perform a given task or achieve a specific purpose, support, or mission requirement.

Essentially a system is a combination of subsystems interconnected to accomplish the system objective.

A subsystem is a subset of the system that could include equipment, components, personnel, facilities, processes, documentation, procedures, and software interconnected in the system to perform a specific function that contributes to accomplishing the system objective.

The system objective is a desired result to be accomplished by the system. The system objective defines the purpose for the system. System functions are the operations the system must perform in order to accomplish its objective. System functions are generally performed by subsystems and define how the system operates.

Figure 1.3 depicts the generic concept of a system. This diagram shows a system comprised of many subsystems, with an interface between each subsystem. The system has an objective and is surrounded by a boundary and an environment. System safety analysis involves evaluation of all system aspects, including functions, subsystems, interfaces, boundaries, and environments and the overall system itself.

1.5.2 System Attributes

Systems have many different attributes of interest to system safety. Defining and understanding a system's key attributes is necessary because they provide the framework for designing, building, operating, and analyzing systems. Key system attributes are shown in Table 1.1, where the major attribute categories are listed on the top row, with subelements identified below. Each of these attributes is usually addressed in system safety hazard analyses at some point in the system development program.

(Continues...)

Excerpted from Hazard Analysis Techniques for System Safety by Clifton A. Ericson. Copyright © 2005 by John Wiley & Sons, Inc. Excerpted by permission. All rights reserved.

Contents (chapter, title, starting page):

1 System safety 1
2 Hazards, mishap, and risk 13
3 Hazard analysis types and techniques 31
4 Preliminary hazard list 55
5 Preliminary hazard analysis 73
6 Subsystem hazard analysis 95
7 System hazard analysis 115
8 Operating and support hazard analysis 131
9 Health hazard assessment 155
10 Safety requirements/criteria analysis 169
11 Fault tree analysis 183
12 Event tree analysis 223
13 Failure mode and effects analysis 235
14 Fault hazard analysis 261
15 Functional hazard analysis 271
16 Sneak circuit analysis 291
17 Petri net analysis (PNA) 307
18 Markov analysis 317
19 Barrier analysis 335
20 Bent pin analysis 353
21 Hazard and operability analysis 365
22 Cause-consequence analysis 383
23 Common cause failure analysis 397
24 Management oversight risk tree analysis 423
25 Software safety assessment 431
26 Summary 451