FAA System Safety Handbook, Chapter 8: Safety Analysis/Hazard Analysis Tasks
December 30, 2000



Chapter 8: Safety Analysis: Hazard Analysis Tasks

8.1 THE DESIGN PROCESS ... 2
8.2 ANALYSIS ... 3
8.3 QUALITATIVE AND QUANTITATIVE ANALYSIS ... 7
8.4 DESIGN AND PRE-DESIGN SAFETY ACTIVITIES ... 10
8.5 HOW TO REVIEW AND/OR SPECIFY A SAFETY ANALYSIS ... 21
8.6 EVALUATING A PRELIMINARY HAZARD ANALYSIS ... 25
8.7 EVALUATING A SUBSYSTEM HAZARD ANALYSIS ... 26
8.8 EVALUATING A SYSTEM HAZARD ANALYSIS ... 29
8.9 EVALUATING AN OPERATING AND SUPPORT HAZARD ANALYSIS ... 30
8.10 EVALUATING A FAULT TREE ANALYSIS ... 31
8.11 EVALUATING QUANTITATIVE TECHNIQUES ... 35
8.0 Safety Analysis: Hazard Analysis Tasks

8.1 The Design Process
A systems safety program (SSP) can be proactive or reactive. A proactive SSP influences the design
process before that process begins. This approach incorporates safety features with minimal cost and
schedule impact. A reactive process is limited to safety engineering analysis performed during the design
process, or worse yet, following major design milestones. In this situation, the safety engineering staff is
in the position of attempting to justify redesign and its associated cost.

Figure 8.1-1 is a top-level summary of a proactive SSP. Initial safety criteria are established by the
managing activity (MA) and incorporated in the Request for Proposal (RFP) and subsequent contract and
prime item specification. The vehicle used by the MA is a Preliminary Hazard List (PHL). Following
contract award, the first technical task of a contractor's system safety staff is the flowdown of safety
criteria to subsystem specifications and the translation of such criteria into a simplified form easily usable
by the detailed design staff. The detailed criteria are generated from a Requirements Hazard Analysis
using the PHL and Preliminary Hazard Analysis (PHA) as inputs along with requirements from standards,
regulations, or other appropriate sources. Safety design criteria to control safety critical software
commands and responses (e.g., inadvertent command, failure to command, untimely command or
responses, or MA designated undesired events) must be included so that appropriate action can be taken
to incorporate them in the software and hardware specifications. This analysis, in some cases, is
performed before contract award.

[Figure 8-1: A Proactive System Safety Plan. Flow diagram; top row: Mission Needs Analysis, Design, Prototype Test, Design Approval, Production & Test; middle row: Contract Requirements, Safety Design Criteria, System Safety Analysis; bottom row: Additional Safety Requirements, Design Reviews.]
An approach of expecting each member of the design staff to research and establish a list of safety
features is not only inefficient but high risk. The detailed designer has many "first" priorities and is
unlikely to give focused attention to safety. An efficient and effective approach is for the system safety
staff to compile comprehensive safety design criteria. These criteria should be in a simple to use format,
requiring little research or interpretation. A checklist is a good format that the design engineer can
frequently reference during the design process. The contractor's system safety staff and the MA can
subsequently use the same checklist for design safety auditing purposes.

Sources for detailed safety design criteria include Occupational Safety and Health Administration
(OSHA) standards, MIL-STD-454, Requirement 1, and MIL-STD-882. Design review is typically a
continual process using hazard analyses. Active participation at internal and customer design reviews is
also necessary to capture critical hazards and their characteristics. All major milestone design reviews
(reference FAA Order 1810.1F, paragraph 2-8) provide a formal opportunity for obtaining safety
information and precipitating active dialogue between the MA safety staff and the contractor's safety and
design engineering staff. All resulting action items should be documented with personnel responsibility
assignments and an action item closing date. No formal design review should be considered complete
until safety critical action items are closed out satisfactorily in the view of both the MA and the
contractor. That is, both must sign that the action has been satisfactorily closed out.

All critical hazards identified by either hazard analyses or other design review activities must be formally
documented. Notification of each should be provided to the appropriate contractor staff for corrective
action or control. The Hazard Tracking/Risk Resolution system in Chapter 4 of this handbook should be
used to track the status of each critical hazard.

8.2 Analysis

8.2.1 What is the Role of the Hazard Analysis?
Hazard analyses are performed to identify and define hazardous conditions/risks for the purpose of their
elimination or control. Analyses examine the system, subsystems, components, and interrelationships.
They also examine and provide inputs to the following National Airspace Integrated Logistics Support
(NAILS) elements:

         Training
         Maintenance
         Operational and maintenance environments
         System/component disposal

Steps in performing a hazard analysis:

    1.  Describe and bound the system in accordance with system description instructions in Chapter 3.
    2.  Perform functional analysis if appropriate to the system under study.
    3.  Develop a preliminary hazard list.
    4.  Identify contributory hazards, initiators, or any other causes.
    5.  Establish hazard control baseline by identifying existing controls when appropriate.
    6.  Determine potential outcomes, effects, or harm.
    7.  Perform a risk assessment of the severity of consequence and likelihood of occurrence.
    8.  Rank hazards according to risk.
    9.  Develop a set of recommendations and requirements to eliminate or control risks.
    10. Provide managers, designers, test planners, and other affected decision makers with the
        information and data needed to permit effective trade-offs.
    11. Conduct hazard tracking and risk resolution of medium and high risks. Verify that
        recommendations and requirements identified in Step 9 have been implemented.
    12. Demonstrate compliance with given safety related technical specifications, operational
        requirements, and design criteria.


8.2.2 What are the Basic Elements of A Hazard Analysis?
The analytical approach to safety requires four key elements if the resulting output is to impact the system
in a timely and cost effective manner. They are:

Hazard identification
        Identification
        Evaluation
        Resolution
Timely solutions
Verification that safety requirements have been met or that risk is eliminated or controlled to an
acceptable level

These concepts are described in detail below:

Identification of a risk is the first step in the risk control process. Identifying a risk provides no assurance
that it will be eliminated or controlled. The risk must be documented, evaluated (likelihood and severity),
and when appropriate, highlighted to those with decision making authority.

Evaluation of risks requires determination of how frequently a risk occurs and how severe it could be if
an accident occurs as a result of the hazards. A severe risk that has a realistic possibility of occurring
requires action; one that has an extremely remote chance may not require action. Similarly, a non-critical
accident that has a realistic chance of occurring may not require further study. Frequency may be
characterized qualitatively by terms such as "frequent" or "rarely." It may also be measured
quantitatively such as by a probability (e.g., one in a million flight hours). In summary, the evaluation
step prioritizes and focuses the system safety activity and maximizes the return-on-investment for safety
expenditures.
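The risk assessment, ranking and tracking steps of the procedure in 8.2.1 (steps 5 to 11) and the evaluation rule just stated (frequency times severity, expressed either qualitatively or as a probability per flight hour) can be carried through in code. The following is an added example and is not from the FAA handbook: the severity and likelihood category names follow the MIL-STD-882 convention (an assumption about the categories the text has in mind), while the probability thresholds, the risk index matrix, the High/Medium/Low cut-offs and the hazards themselves are constructed for illustration.

```python
"""Hazard risk assessment, ranking, and tracking (steps 5 to 11 of 8.2.1).

Added example, not from the FAA handbook. Category names follow the
MIL-STD-882 convention (assumption); thresholds, matrix, cut-offs and the
hazard list are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Severity: 1 is the worst. Likelihood: most frequent first.
SEVERITY = {"Catastrophic": 1, "Critical": 2, "Marginal": 3, "Negligible": 4}
LIKELIHOOD = ["Frequent", "Probable", "Occasional", "Remote", "Improbable"]

# Lowest probability per operating hour that still counts as each level (constructed).
LIKELIHOOD_FLOORS = [("Frequent", 1e-1), ("Probable", 1e-2), ("Occasional", 1e-3),
                     ("Remote", 1e-6), ("Improbable", 0.0)]


@dataclass
class Hazard:
    hazard_id: str
    description: str
    severity: str
    likelihood: Optional[str] = None        # qualitative ("Remote"), or ...
    prob_per_hour: Optional[float] = None   # ... quantitative (e.g. 1e-6 per flight hour)
    existing_controls: List[str] = field(default_factory=list)   # step 5
    recommendations: List[str] = field(default_factory=list)     # step 9
    verified: bool = False                                       # step 11


def likelihood_from_rate(prob_per_hour: float) -> str:
    """Map a quantitative probability onto the qualitative scale."""
    for level, floor in LIKELIHOOD_FLOORS:
        if prob_per_hour >= floor:
            return level
    return "Improbable"


def risk_index(severity: str, likelihood: str) -> int:
    """Constructed risk index: severity weight (4..1) times likelihood weight (5..1), range 1..20."""
    return (5 - SEVERITY[severity]) * (5 - LIKELIHOOD.index(likelihood))


def risk_level(index: int) -> str:
    """Constructed cut-offs: 12 and above is High, 6 to 11 Medium, below 6 Low."""
    if index >= 12:
        return "High"
    if index >= 6:
        return "Medium"
    return "Low"


def assess(h: Hazard) -> Tuple[str, int, str]:
    """Step 7: resolve the likelihood (qualitative or from a rate), then score severity x likelihood."""
    if h.likelihood is None and h.prob_per_hour is None:
        raise ValueError(f"{h.hazard_id}: no likelihood or probability given")
    lik = h.likelihood if h.likelihood is not None else likelihood_from_rate(h.prob_per_hour)
    idx = risk_index(h.severity, lik)
    return lik, idx, risk_level(idx)


def rank_hazards(hazards: List[Hazard]) -> List[Hazard]:
    """Step 8: highest risk index first."""
    return sorted(hazards, key=lambda h: assess(h)[1], reverse=True)


def open_tracking_items(hazards: List[Hazard]) -> List[str]:
    """Step 11: medium and high risks whose controls are not yet verified, worst first."""
    return [h.hazard_id for h in rank_hazards(hazards)
            if assess(h)[2] in ("High", "Medium") and not h.verified]


def close_out(h: Hazard, ma_signed: bool, contractor_signed: bool) -> bool:
    """A safety-critical action item closes only when both the MA and the contractor sign it off."""
    if ma_signed and contractor_signed:
        h.verified = True
    return h.verified


# Constructed hazard list; the descriptions echo the software command hazards listed in 8.1.
HAZARDS = [
    Hazard("H-1", "Inadvertent command opens a safety-critical valve", "Catastrophic",
           prob_per_hour=1e-6, existing_controls=["two-step arm/execute sequence"]),
    Hazard("H-2", "Untimely command response exceeds the timing budget", "Catastrophic",
           likelihood="Occasional"),
    Hazard("H-3", "Failure to command the backup pump on", "Critical", prob_per_hour=2e-3),
    Hazard("H-4", "Cosmetic display flicker", "Negligible", likelihood="Frequent"),
]

if __name__ == "__main__":
    for h in rank_hazards(HAZARDS):
        lik, idx, level = assess(h)
        print(f"{h.hazard_id} {h.severity:<12} {lik:<10} index={idx:<2} {level}")
    print("open tracking items:", open_tracking_items(HAZARDS))
    HAZARDS[1].recommendations.append("add a watchdog on command response latency")
    close_out(HAZARDS[1], ma_signed=True, contractor_signed=True)
    print("after close-out:", open_tracking_items(HAZARDS))
```

Two points the paragraph makes show up directly in the output: H-1 is Catastrophic but its one-in-a-million-hours rate puts it at Remote, so it ranks below the Occasional H-2, and the Negligible H-4 is Frequent yet needs no tracking item. The `close_out` helper mirrors the sign-off rule from 8.1: an item stays open until both parties have signed.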

The timing of safety analysis and resulting corrective action is critical to minimize the impact on cost and
schedule. The later in the life cycle of the equipment that safety modifications are incorporated, the
higher the impact on cost and schedule. The analysis staff should work closely with the designers to feed
their recommendations or, at a minimum, objections back to the designers as soon as they are identified.
A safe design is the end product, not a hazard analysis. By working closely with the design team, hazards
can be eliminated or controlled in the most efficient manner. An inefficient alternative is for the safety
engineer to work alone, performing an independent safety analysis and formally reporting the results.
This approach has several disadvantages. Significant risks are corrected later than they would be if the
design engineer were alerted to the problem shortly after the safety engineer detected it; the later fix is
more costly, leads to program resistance to change, and may result in a less effective control. In
addition, the risk as finally published may be less severe than the safety engineer, working in isolation,
determined it to be, or it may have been overtaken by subsequent design evolution.

Once the risks have been analyzed and evaluated, the remaining task of safety engineering is to follow the
development and verify that the agreed-upon safety requirements are met by the design or that the risks
are controlled to an acceptable level.

8.2.3 What is the Relationship Between Safety and Reliability?
Reliability and system safety analyses complement each other. Each can provide the other with more
information than either would obtain on its own. One can rarely be substituted for the other, but when
performed in collaboration they lead to better and more efficient products.

Two reliability analyses (one a subset of the other) are often compared to hazard analyses. Performance
of a Failure Modes and Effects Analysis (FMEA) is the first step in generating the Failure Modes, Effects,
and Criticality Analysis (FMECA). Both types of analyses can serve as a final product depending on the
situation. An FMECA is generated from an FMEA by adding a criticality figure of merit. These analyses
are performed for reliability and supportability information.

A hazard analysis uses a top-down methodology that first identifies risks and then isolates all possible (or
probable) causes. For an operational system, it is performed for specific suspect hazards. In the case of
the hazard analysis, failures, operating procedures, human factors, and transient conditions are included in
the list of hazard causes.

The FMECA is limited even further in that it only considers hardware failures. It may be performed
either top-down or bottom-up, usually the latter. It is generated by asking questions such as "If this fails,
what is the impact on the system? Can I detect it? Will it cause anything else to fail?" If so, the induced
failure is called a secondary failure.

Reliability predictions establish either a failure rate for an assembly (or component) or a probability of
failure. This quantitative data, at both the component and assembly level, is a major source of data for
quantitative reliability analysis. This understanding is necessary to use it correctly. In summary,
however, hazard analyses are first performed in a qualitative manner identifying risks, their causes, and
the significance of hazards associated with the risk.
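To show how a bottom-up FMEA becomes an FMECA, here is an added example that is not from the handbook and not MIL-STD-1629's procedure. It asks the three questions quoted above of each failure mode: the system-level impact is found by following induced ("secondary") failures to the worst effect in the chain, detectability is recorded per mode, and the criticality figure of merit is constructed as the severity weight of that end effect times the probability of the mode occurring over a mission time, using the constant-failure-rate prediction discussed in the last paragraph. The component names, failure rates, "induces" links and severity weights are all constructed.

```python
"""From FMEA to FMECA: propagate secondary failures and add a criticality figure of merit.

Added example, not from the FAA handbook. Components, rates, induced-failure
links and the criticality formula are constructed for illustration.
"""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SEVERITY_WEIGHT = {"Catastrophic": 4, "Critical": 3, "Marginal": 2, "Negligible": 1}


@dataclass
class FailureMode:
    component: str
    mode: str
    failure_rate: float            # failures per operating hour (constructed reliability prediction)
    local_effect: str
    severity: str                  # severity of the local effect only
    detectable: bool               # "Can I detect it?"
    induces: List[str] = field(default_factory=list)   # "Will it cause anything else to fail?"

    @property
    def key(self) -> str:
        return f"{self.component}:{self.mode}"


def fmea_table(modes: List[FailureMode]) -> Dict[str, FailureMode]:
    return {m.key: m for m in modes}


def secondary_failures(table: Dict[str, FailureMode], key: str) -> List[str]:
    """Failures induced directly or transitively by `key` (depth-first, cycle-safe)."""
    seen, stack, order = set(), list(table[key].induces), []
    while stack:
        k = stack.pop()
        if k in seen:
            continue
        seen.add(k)
        order.append(k)
        stack.extend(table[k].induces)
    return order


def end_severity(table: Dict[str, FailureMode], key: str) -> str:
    """"What is the impact on the system?": worst severity anywhere along the failure chain."""
    chain = [key] + secondary_failures(table, key)
    return max((table[k].severity for k in chain), key=lambda s: SEVERITY_WEIGHT[s])


def probability_over_mission(failure_rate: float, mission_hours: float) -> float:
    """Constant-rate (exponential) model: P(failure within t) = 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-failure_rate * mission_hours)


def criticality(table: Dict[str, FailureMode], key: str, mission_hours: float) -> float:
    """Constructed figure of merit: end-effect severity weight times probability of occurrence."""
    return SEVERITY_WEIGHT[end_severity(table, key)] * probability_over_mission(
        table[key].failure_rate, mission_hours)


def fmeca(modes: List[FailureMode], mission_hours: float) -> List[Tuple[str, str, float, List[str]]]:
    """FMEA rows extended with end severity, criticality and secondary failures, most critical first."""
    table = fmea_table(modes)
    rows = [(m.key, end_severity(table, m.key), criticality(table, m.key, mission_hours),
             secondary_failures(table, m.key)) for m in modes]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def undetected_high_severity(modes: List[FailureMode]) -> List[str]:
    """Modes that cannot be detected yet end in a Catastrophic or Critical system effect."""
    table = fmea_table(modes)
    return [m.key for m in modes
            if not m.detectable and end_severity(table, m.key) in ("Catastrophic", "Critical")]


# Constructed FMEA worksheet for a small tank-and-pump loop.
FMEA_MODES = [
    FailureMode("sensor", "stuck_high", 1e-5, "level reads full", "Marginal", False,
                induces=["controller:wrong_setpoint"]),
    FailureMode("controller", "wrong_setpoint", 1e-7, "keeps inlet closed, pump running",
                "Critical", True, induces=["pump:dry_run"]),
    FailureMode("pump", "dry_run", 5e-6, "pump runs dry and seizes", "Catastrophic", True),
    FailureMode("indicator", "lamp_burnout", 1e-5, "status lamp dark", "Negligible", True),
]

if __name__ == "__main__":
    for key, sev, crit, secondary in fmeca(FMEA_MODES, mission_hours=1000):
        print(f"{key:<26} end={sev:<12} criticality={crit:.4f} secondary={secondary}")
    print("undetected high-severity modes:", undetected_high_severity(FMEA_MODES))
```

The ranking is the point of the exercise: the sensor's failure mode is only Marginal locally, but because it induces a chain ending in the pump seizing, it carries the Catastrophic weight and the highest criticality, and it is also the one mode that is not detectable. That combination is what a safety engineer reading the FMECA would pull into the hazard analysis as a cause.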

8.2.4 What General Procedures Should Be Followed in the Performance of a Hazard Analysis?

Establish safety requirements baseline and applicable history (i.e., system restraints):

        Specifications/detailed design requirements
        Mission requirements (e.g., How is it supposed to operate?)
        General statutory regulations (e.g., noise abatement)
        Human factors standardized conventions (e.g., switches "up" or "forward" for on)
        Accident experience and failure reports
