Both elements of risk (hazard severity and likelihood of occurrence) must be characterized. The inability to quantify and/or lack of historical data on a particular hazard does not exclude the hazard from this requirement1. Hazards are subdivided into sub-categories related to environment such as system states, environmental conditions or "initiating" and "contributing" hazards.
Realistically, a certain degree of safety risk must be accepted. Determining the acceptable level of risk is generally the responsibility of management. Any management decisions, including those related to safety, must consider other essential program elements. The marginal costs of implementing hazard control requirements in a system must be weighed against the expected costs of not implementing such controls.
The cost of not implementing hazard controls is often difficult to quantify before the fact. In order to quantify expected accident costs before the fact, two factors must be considered. These are related to risk and are the potential consequences of an accident and the probability of its occurrence. The more severe the consequences of an accident (in terms of dollars, injury, or national prestige, etc.) the lower the probability of its occurrence must be for the risk to be acceptable. In this case, it will be worthwhile to spend money to reduce the probability by implementing hazard controls. Conversely, accidents whose consequences are less severe may be acceptable risks at higher probabilities of occurrence and will consequently justify a lesser expenditure to further reduce the frequency of occurrence. Using this concept as a baseline, design limits must be defined.
In conducting hazard analysis, an accident scenario as shown in Figure 3-2 is a useful model for analyzing risk of harm due to hazards. Throughout this document, the term hazard will be used to describe scenarios that may cause harm. It is defined as a "Condition, event, or circumstance that could lead to or contribute to an unplanned or undesired event." Seldom does a single hazard cause an accident. More often, an accident occurs as the result of a sequence of causes termed initiating and contributory hazards. As can be seen below, contributory hazards involve consideration of the system state (e.g., operating environment) as well as failures or malfunctions.
Specific definitions for Severity and Probability to be used during all phases of the acquisition life cycle. These are shown in the tables below.
|Catastrophic||Results in multiple fatalities and/or loss of the system|
|Hazardous||Reduces the capability of the system or the operator ability to cope with adverse conditions to the extent that there would be: large reduction in safety margin or functional capability, physical distress/excessive workload such that operators cannot be relied upon to perform required tasks accurately or completely, serious or fatal injury to small number of personnel Fatal injury to ground personnel and/or general public|
|Major||Reduces the capability of the system or the operators to cope with adverse operating condition to the extent that there would be: significant reduction in safety margin or functional capability, significant increase in operator workload, conditions impairing operator efficiency or creating significant discomfort, physical distress to personnel including injuries, major occupational illness and/or major environmental damage, and/or major property damage|
|Minor||Does not significantly reduce system safety. Actions required by operators are well within their capabilities. Include: slight reduction in safety margin or functional capabilities, slight increase in workload such as routine workload changes, some physical discomfort to workers, minor occupational illness and/or minor environmental damage, and/or minor property damage|
|No||Safety effect has no effect on safety|
|Probable||Qualitative: Anticipated to occur one or more times during the entire system/operational life of an item. Quantitative: Probability of occurrence per operational hour is greater that 1 x 10-5|
|Remote||Qualitative: Unlikely to occur to each item during its total life. May occur several time in the life of an entire system or fleet. Quantitative: Probability of occurrence per operational hour is less than 1 x 10-5 , but greater than 1 x 10-7|
|Extremely Remote||Qualitative: Not anticipated to occur to each item during its total life. May occur a few times in the life of an entire system or fleet. Quantitative: Probability of occurrence per operational hour is less than 1 x 10-7 but greater than 1 x 10-9|
|Extremely Improbable||Qualitative: So unlikely that it is not anticipated to occur during the entire operational life of an entire system or fleet. Quantitative: Probability of occurrence per operational hour is less than 1 x 10-|
An example taken from MIL-STD-882C of the definitions used to define Severity of Consequence and Event Likelihood are in the tables below.
|Catastrophic||I||Death, and/or system loss, and/or severe environmental damage.|
|Critical||II||Severe injury, severe occupational illness, major system and/or environmental damage.|
|Marginal||III||Minor injury, minor occupational illness, and/or minor system damage, and/or environmental damage.|
|Negligible||IV||Less then minor injury, occupational illness, or lee then minor system or environmental damage.|
|Frequent||A||Likely to occur frequently|
|Probable||B||Will occur several times in the life of system.|
|Occasional||C||Likely to occur some time in the life of the system.|
|Remote||D||Unlikely but possible to occur in the life of the system.|
|Inprobable||E||So unlikely, it can be assumed that occurrence may not be experienced.|
Source: FAA Office of System Safety
Copyright ©2000-2016 Geigle Safety Group, Inc. All rights reserved. Federal copyright prohibits unauthorized reproduction by any means without permission. Students may reproduce materials for personal study. Disclaimer: This material is for training purposes only to inform the reader of occupational safety and health best practices and general compliance requirement and is not a substitute for provisions of the OSH Act of 1970 or any governmental regulatory agency. CertiSafety is a division of Geigle Safety Group, Inc., and is not connected or affiliated with the U.S. Department of Labor (DOL), or the Occupational Safety and Health Administration (OSHA).