Hazard Analysis

Both elements of risk (hazard severity and likelihood of occurrence) must be characterized. The inability to quantify and/or lack of historical data on a particular hazard does not exclude the hazard from this requirement1. Hazards are subdivided into sub-categories related to environment such as system states, environmental conditions or "initiating" and "contributing" hazards.

Realistically, a certain degree of safety risk must be accepted. Determining the acceptable level of risk is generally the responsibility of management. Any management decisions, including those related to safety, must consider other essential program elements. The marginal costs of implementing hazard control requirements in a system must be weighed against the expected costs of not implementing such controls.

The cost of not implementing hazard controls is often difficult to quantify before the fact. In order to quantify expected accident costs before the fact, two factors must be considered. These are related to risk and are the potential consequences of an accident and the probability of its occurrence. The more severe the consequences of an accident (in terms of dollars, injury, or national prestige, etc.) the lower the probability of its occurrence must be for the risk to be acceptable. In this case, it will be worthwhile to spend money to reduce the probability by implementing hazard controls. Conversely, accidents whose consequences are less severe may be acceptable risks at higher probabilities of occurrence and will consequently justify a lesser expenditure to further reduce the frequency of occurrence. Using this concept as a baseline, design limits must be defined.

Accident Scenario Relationships

In conducting hazard analysis, an accident scenario as shown in Figure 3-2 is a useful model for analyzing risk of harm due to hazards. Throughout this document, the term hazard will be used to describe scenarios that may cause harm. It is defined as a "Condition, event, or circumstance that could lead to or contribute to an unplanned or undesired event." Seldom does a single hazard cause an accident. More often, an accident occurs as the result of a sequence of causes termed initiating and contributory hazards. As can be seen below, contributory hazards involve consideration of the system state (e.g., operating environment) as well as failures or malfunctions.

Definitions of Severity and Probability

Specific definitions for Severity and Probability to be used during all phases of the acquisition life cycle. These are shown in the tables below.

Catastrophic	Results in multiple fatalities and/or loss of the system
Hazardous	Reduces the capability of the system or the operator ability to cope with adverse conditions to the extent that there would be: large reduction in safety margin or functional capability, physical distress/excessive workload such that operators cannot be relied upon to perform required tasks accurately or completely, serious or fatal injury to small number of personnel Fatal injury to ground personnel and/or general public
Major	Reduces the capability of the system or the operators to cope with adverse operating condition to the extent that there would be: significant reduction in safety margin or functional capability, significant increase in operator workload, conditions impairing operator efficiency or creating significant discomfort, physical distress to personnel including injuries, major occupational illness and/or major environmental damage, and/or major property damage
Minor	Does not significantly reduce system safety. Actions required by operators are well within their capabilities. Include: slight reduction in safety margin or functional capabilities, slight increase in workload such as routine workload changes, some physical discomfort to workers, minor occupational illness and/or minor environmental damage, and/or minor property damage
No	Safety effect has no effect on safety

Probable	Qualitative: Anticipated to occur one or more times during the entire system/operational life of an item. Quantitative: Probability of occurrence per operational hour is greater that 1 x 10-5
Remote	Qualitative: Unlikely to occur to each item during its total life. May occur several time in the life of an entire system or fleet. Quantitative: Probability of occurrence per operational hour is less than 1 x 10-5 , but greater than 1 x 10-7
Extremely Remote	Qualitative: Not anticipated to occur to each item during its total life. May occur a few times in the life of an entire system or fleet. Quantitative: Probability of occurrence per operational hour is less than 1 x 10-7 but greater than 1 x 10-9
Extremely Improbable	Qualitative: So unlikely that it is not anticipated to occur during the entire operational life of an entire system or fleet. Quantitative: Probability of occurrence per operational hour is less than 1 x 10-

MIL-STD-882C Definitions of Severity and Likelihood

An example taken from MIL-STD-882C of the definitions used to define Severity of Consequence and Event Likelihood are in the tables below.

Description	Category	Definition
Catastrophic	I	Death, and/or system loss, and/or severe environmental damage.
Critical	II	Severe injury, severe occupational illness, major system and/or environmental damage.
Marginal	III	Minor injury, minor occupational illness, and/or minor system damage, and/or environmental damage.
Negligible	IV	Less then minor injury, occupational illness, or lee then minor system or environmental damage.

Description	Level	Specific Event
Frequent	A	Likely to occur frequently
Probable	B	Will occur several times in the life of system.
Occasional	C	Likely to occur some time in the life of the system.
Remote	D	Unlikely but possible to occur in the life of the system.
Inprobable	E	So unlikely, it can be assumed that occurrence may not be experienced.

Source: FAA Office of System Safety

Certisafety Section Home Page