Hazard Analysis
Both elements of risk (hazard severity and likelihood of occurrence) must be characterized. The inability to quantify and/or a lack of historical data on a particular hazard does not exclude the hazard from this requirement. Hazards are subdivided into sub-categories related to environment, such as system states, environmental conditions, or "initiating" and "contributing" hazards.
Realistically, a certain degree of safety risk must be accepted. Determining the acceptable level of risk is
generally the responsibility of management. Any management decisions, including those related to safety,
must consider other essential program elements. The marginal costs of implementing hazard control
requirements in a system must be weighed against the expected costs of not implementing such controls.
The cost of not implementing hazard controls is often difficult to quantify before the fact. In order to
quantify expected accident costs before the fact, two factors must be considered. These are related to risk
and are the potential consequences of an accident and the probability of its occurrence. The more severe
the consequences of an accident (in terms of dollars, injury, or national prestige, etc.) the lower the
probability of its occurrence must be for the risk to be acceptable. In this case, it will be worthwhile to
spend money to reduce the probability by implementing hazard controls. Conversely, accidents whose
consequences are less severe may be acceptable risks at higher probabilities of occurrence and will
consequently justify a lesser expenditure to further reduce the frequency of occurrence. Using this
concept as a baseline, design limits must be defined.
Accident Scenario Relationships
In conducting hazard analysis, an accident scenario as shown in Figure 3-2 is a useful model for analyzing
risk of harm due to hazards. Throughout this document, the term hazard will be used to describe scenarios that may cause harm. It is defined as a "Condition, event, or circumstance that could lead to or contribute to an unplanned or undesired event." Seldom does a single hazard cause an accident. More often, an accident occurs as the result of a sequence of causes termed initiating and contributory hazards. As can be seen below, contributory hazards involve consideration of the system state (e.g., operating environment) as well as failures or malfunctions.
Definitions of Severity and Probability
Specific definitions for Severity and Probability are to be used during all phases of the acquisition life cycle. These are shown in the tables below.
Severity Definitions for SSM Process
| Severity | Definition |
| --- | --- |
| Catastrophic | Results in multiple fatalities and/or loss of the system |
| Hazardous | Reduces the capability of the system or the operator's ability to cope with adverse conditions to the extent that there would be: a large reduction in safety margin or functional capability; physical distress/excessive workload such that operators cannot be relied upon to perform required tasks accurately or completely; serious or fatal injury to a small number of personnel; fatal injury to ground personnel and/or the general public |
| Major | Reduces the capability of the system or the operators' ability to cope with adverse operating conditions to the extent that there would be: a significant reduction in safety margin or functional capability; a significant increase in operator workload; conditions impairing operator efficiency or creating significant discomfort; physical distress to personnel including injuries; major occupational illness and/or major environmental damage; and/or major property damage |
| Minor | Does not significantly reduce system safety. Actions required by operators are well within their capabilities. Includes: a slight reduction in safety margin or functional capabilities; a slight increase in workload such as routine workload changes; some physical discomfort to workers; minor occupational illness and/or minor environmental damage; and/or minor property damage |
| No Safety Effect | Has no effect on safety |
Probability of Occurrence Definitions
| Probability | Qualitative | Quantitative (per operational hour) |
| --- | --- | --- |
| Probable | Anticipated to occur one or more times during the entire system/operational life of an item. | Probability of occurrence is greater than 1 x 10^-5 |
| Remote | Unlikely to occur to each item during its total life. May occur several times in the life of an entire system or fleet. | Probability of occurrence is less than 1 x 10^-5 but greater than 1 x 10^-7 |
| Extremely Remote | Not anticipated to occur to each item during its total life. May occur a few times in the life of an entire system or fleet. | Probability of occurrence is less than 1 x 10^-7 but greater than 1 x 10^-9 |
| Extremely Improbable | So unlikely that it is not anticipated to occur during the entire operational life of an entire system or fleet. | Probability of occurrence is less than 1 x 10^- |
MIL-STD-882C Definitions of Severity and Likelihood
An example, taken from MIL-STD-882C, of the definitions used to define Severity of Consequence and Event Likelihood is shown in the tables below.
Severity of Consequence
| Description | Category | Definition |
| --- | --- | --- |
| Catastrophic | I | Death, and/or system loss, and/or severe environmental damage. |
| Critical | II | Severe injury, severe occupational illness, major system and/or environmental damage. |
| Marginal | III | Minor injury, minor occupational illness, and/or minor system damage, and/or environmental damage. |
| Negligible | IV | Less than minor injury, occupational illness, or less than minor system or environmental damage. |
Event Likelihood (Probability)
| Description | Level | Specific Event |
| --- | --- | --- |
| Frequent | A | Likely to occur frequently. |
| Probable | B | Will occur several times in the life of the system. |
| Occasional | C | Likely to occur some time in the life of the system. |
| Remote | D | Unlikely but possible to occur in the life of the system. |
| Improbable | E | So unlikely, it can be assumed that occurrence may not be experienced. |
Comparative Safety Assessment
The risk management concept emphasizes the identification of the change in risk with a change in alternative solutions. Comparative Safety Assessment is made more complicated by the fact that the alternative with the lesser safety risk may not be the optimum choice. Recognition of this is the keystone of safety risk management. These factors make system safety a decision-making tool. It must be recognized, however, that selection of the greater safety risk alternative carries with it the responsibility of assuring inclusion of adequate warnings, personnel protective systems, and procedural controls.
Comparative Safety Assessment is also a planning tool. It requires planning for the development of safety operating procedures and test programs to resolve uncertainty when safety risk cannot be completely controlled by design. It provides a control system to track and measure progress towards the resolution of uncertainty and to measure the reduction of safety risk. Assessment of risk is made by combining the severity of consequence with the likelihood of occurrence in a matrix.
Risk Acceptability Matrix
| Risk Level | Acceptability |
| --- | --- |
| High Risk | Unacceptable. Tracking in the FAA Hazard Tracking System is required until the risk is reduced and accepted. |
| Medium | Acceptable with review by the appropriate management authority. Tracking in the FAA Hazard Tracking System is required until the risk is accepted. |
| Low | Low risk is acceptable without review. No further tracking of the hazard is required. |
Risk Acceptance Criteria
An example based on MIL-STD-882C is shown below. The matrix may be referred to as a Hazard Risk Index (HRI), a Risk Rating Factor (RRF), or other terminology, but in all cases, it is the criteria used
by management to determine acceptability of risk.
The Comparative Safety Assessment Matrix below illustrates an acceptance criteria methodology.
Region R1 on the matrix is an area of high risk and may be considered unacceptable by the managing
authority. Region R2 may be acceptable with management review of controls and/or mitigations, and R3
may be acceptable with management review. R4 is a low risk region that is usually acceptable without
review.
Example of a Comparative Safety Assessment Matrix
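The following is an added worked example, not code from the handbook or the FAA. It implements the procedure described above: classify a per-operational-hour occurrence rate into the quantitative probability bands from the SSM table, take severity as the worst credible outcome among the hazards associated with a risk, and look the pair up in a matrix to obtain a region and the disposition from the Risk Acceptability Matrix. Two things are assumptions, because the page does not reproduce them: the grid that assigns (severity, likelihood) cells to regions R1 to R4 is constructed, and a rate lying exactly on a band boundary (which the handbook's strict "greater than / less than" wording leaves unassigned) is rounded up into the more likely band.

```python
"""Hazard risk classification worked example (added; not the handbook's own code).

Severity and likelihood bands follow the SSM tables above. The region grid
and the boundary-rounding rule are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """SSM severity classes, ordered so that max() yields the worst credible case."""
    NO_SAFETY_EFFECT = 0
    MINOR = 1
    MAJOR = 2
    HAZARDOUS = 3
    CATASTROPHIC = 4


class Likelihood(IntEnum):
    """SSM probability-of-occurrence classes, ordered least to most likely."""
    EXTREMELY_IMPROBABLE = 0
    EXTREMELY_REMOTE = 1
    REMOTE = 2
    PROBABLE = 3


def classify_likelihood(rate_per_hour: float) -> Likelihood:
    """Map a per-operational-hour occurrence rate onto the quantitative bands.

    Thresholds (1e-5, 1e-7, 1e-9) are from the SSM probability table.
    Assumption: a rate exactly on a boundary is placed in the more likely
    band (>=), the conservative choice when ranking risk.
    """
    if rate_per_hour < 0:
        raise ValueError("occurrence rate cannot be negative")
    if rate_per_hour >= 1e-5:
        return Likelihood.PROBABLE
    if rate_per_hour >= 1e-7:
        return Likelihood.REMOTE
    if rate_per_hour >= 1e-9:
        return Likelihood.EXTREMELY_REMOTE
    return Likelihood.EXTREMELY_IMPROBABLE


# Assumed region grid (constructed for this example, NOT the handbook's figure).
# Rows: severity. Columns: likelihood from EXTREMELY_IMPROBABLE to PROBABLE.
REGION_GRID = {
    Severity.CATASTROPHIC:     ("R3", "R2", "R1", "R1"),
    Severity.HAZARDOUS:        ("R4", "R3", "R2", "R1"),
    Severity.MAJOR:            ("R4", "R4", "R3", "R2"),
    Severity.MINOR:            ("R4", "R4", "R4", "R3"),
    Severity.NO_SAFETY_EFFECT: ("R4", "R4", "R4", "R4"),
}

# Disposition text follows the Risk Acceptability Matrix and the R1-R4 description;
# mapping R2 and R3 both onto the "Medium" level is part of the assumption.
DISPOSITION = {
    "R1": ("High", "Unacceptable; track in the Hazard Tracking System until the risk is reduced and accepted"),
    "R2": ("Medium", "Acceptable with management review of controls and/or mitigations; track until accepted"),
    "R3": ("Medium", "Acceptable with management review; track until accepted"),
    "R4": ("Low", "Acceptable without review; no further tracking required"),
}


@dataclass(frozen=True)
class HazardOutcome:
    """One credible outcome of a hypothesized accident."""
    description: str
    severity: Severity


@dataclass(frozen=True)
class Assessment:
    severity: Severity
    likelihood: Likelihood
    region: str
    level: str
    disposition: str


def assess_risk(outcomes, rate_per_hour: float) -> Assessment:
    """Combine severity and likelihood for one hypothesized accident.

    Severity is the worst credible outcome among the hazards associated with
    the risk (the worst-credible-case rule), combined with the likelihood band.
    """
    if not outcomes:
        raise ValueError("a risk needs at least one credible outcome")
    severity = max(o.severity for o in outcomes)
    likelihood = classify_likelihood(rate_per_hour)
    region = REGION_GRID[severity][likelihood]
    level, disposition = DISPOSITION[region]
    return Assessment(severity, likelihood, region, level, disposition)


if __name__ == "__main__":
    # Constructed sample risk: loss of a surveillance data feed, with an assumed rate.
    sample = [
        HazardOutcome("controller workload increase", Severity.MAJOR),
        HazardOutcome("loss of separation with injuries", Severity.HAZARDOUS),
    ]
    a = assess_risk(sample, rate_per_hour=3e-7)
    print(a.severity.name, a.likelihood.name, a.region, a.level)
    print(a.disposition)
```

Because `Severity` is an ordered enum, adding a further credible outcome can only raise the assessed severity, never lower it, which is what the worst-credible-case rule requires; the grid itself is the part a program would replace with its own approved matrix.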
Early in a development phase, performance objectives may tend to overshadow efforts to reduce safety
risk. This is because sometimes safety represents a constraint on a design. For this reason, safety risk
reduction is often ignored or overlooked. In other cases, safety risk may be appraised, but not fully
enough to serve as a significant input to the decision making process. As a result, the sudden
identification of a significant safety risk, or the occurrence of an actual incident, late in the program can
provide an overpowering impact on schedule, cost, and sometimes performance. To avoid this situation,
methods to reduce safety risk must be applied commensurate with the task being performed in each
program phase.
In the early development phase (investment analysis and the early part of solution implementation), the
system safety activities are usually directed toward:
- establishing risk acceptability parameters
- practical tradeoffs between engineering design and defined safety risk parameters
- avoidance of alternative approaches with high safety risk potential
- defining system test requirements to demonstrate safety characteristics, and
- safety planning for follow-on phases.
The culmination of this effort is the Comparative Safety Assessment, which is a summary of the work done toward minimization of unresolved safety concerns and a calculated appraisal of the risk. Properly done, it allows intelligent management decisions concerning acceptability of the risk.
The general principles of safety risk management are:
- All system operations represent some degree of risk.
- Recognize that human interaction with elements of the system entails some element of risk.
- Keep hazards in proper perspective.
- Do not overreact to each identified risk, but make a conscious decision on how to deal with it.
- Weigh the risks and make judgments according to your own knowledge, inputs from subject matter experts, experience, and program need.
- It is more important to establish clear objectives and parameters for Comparative Safety Assessment related to a specific program than to use generic approaches and procedures.
- There may be no "single solution" to a safety problem. There are usually a variety of directions to pursue.
- Each of these directions may produce varying degrees of risk reduction. A combination of approaches may provide the best solution.
- Point out to designers the safety goals and how they can be achieved rather than telling them their approach will not work.
- There are no "safety problems" in system planning or design. There are only engineering or management problems that, if left unresolved, may lead to accidents.
- The determination of severity is made on a “worst credible case/condition” in accordance with MIL-STD-882C.
- Many hazards may be associated with a single risk. In predictive analysis, risks are hypothesized accidents, and are therefore potential in nature. Severity assessment is made regarding the potential of the hazards to do harm.
Source: FAA Office of System Safety
Copyright © 2000-2006 Geigle Communications. All rights reserved. Federal copyright law prohibits unauthorized reproduction by any means and imposes fines up to $25,000 for violations.