Resources - System Safety

Models Used by System Safety for Analysis

The system safety program may use various models to describe a system under study. Two models are known as the 5M model and the SHEL model. While there are many other models available, these two recognize the interrelationships and integration of the hardware, software, human, environment and procedures.

The first step in performing safety risk management is describing the system under consideration. This description should include at a minimum, the functions, general physical characteristics, and operations of the system. Normally, detailed physical descriptions are not required unless the safety analysis is focused on this area.

Keep in mind that the reason for performing safety analyses is to identify hazards and risks and to communicate that information to the audience. At a minimum, the safety assessment should describe the system in sufficient detail that the projected audience can understand the safety risks.

A system description has both breadth and depth. The breadth of a system description refers to the system boundaries. Bounding means limiting the system to those elements of the system model that affect or interact with each other to accomplish the central mission(s) or function. Depth refers to the level of detail in the description. In general, the level of detail in the description varies inversely with the breadth of the system. For a very broad system the description would be very general in nature with little detail on individual components. On the other hand, a simple system, such as a valve in a landing gear design, could include a lot of detail to support the assessment.

First, a definition of “system” is needed. MIL-STD-882C (System Safety Program Requirements) define a system as:

A composite at any level of complexity, of personnel, procedures, material, tools, equipment, facilities, and software. The elements of this composite entity are used together in the intended operation or support environment to perform a given task or achieve a specific production, support, or mission requirement.

Graphically, this is represented by the 5M and SHEL models, which depict, in general, the types of elements that should be considered within most systems.

5M model of System Engineering

• Msn - Mission: central purpose or functions

• Man - Human element

• Mach - Machine: hardware and software

• Media - Environment: ambient and operational environment

• Mgt- Management: procedures, policies, and regulations

Mission. The mission is the purpose or central function of the system. This is the reason that all the other elements are brought together.

Man. This is the human element of a system. If a system requires humans for operation, maintenance, or installation this element must be considered in the system description.

Machine. This is the hardware and software (including firmware) element of a system.

Media. Media is the environment in which a system will be operated, maintained, and installed. This environment includes operational and ambient conditions. Operational environment means the conditions in which the mission or function is planned and executed. Operational conditions are those involving things such as air traffic density, communication congestion, workload, etc. Part of the operational environment could be described by the type of operation (air traffic control, air carrier, general aviation, etc.) and phase (ground taxiing, takeoff, approach, enroute, transoceanic, landing, etc.). Ambient conditions are those involving temperature, humidity, lightning, electromagnetic effects, radiation, precipitation, vibration, etc.

Management. Management includes the procedures, policy, and regulations involved in operating, maintaining, installing, and decommissioning a system.

SHELL Model of a system

S= Software (procedures, symbology, etc.
H= Hardware (machine)
E= Environment (operational and ambient)
L= Liveware (human element)

In the SHELL model, the match or mismatch of the blocks (interface) is just as important as the characteristics described by the blocks themselves. These blocks may be re-arranged as required to describe the system. A connection between blocks indicates an interface between the two elements.

Each element of the system should be described both functionally and physically if possible. A function is defined as...

"An action or purpose for which a system, subsystem, or element is designed to perform."

Functional description: A functional description should describe what the system is intended to do, and should include subsystem functions as they relate to and support the system function.

Physical characteristics: A physical description provides the audience with information on the real composition and organization of the tangible system elements. As before, the level of detail varies with the size and complexity of the system, with the end objective being adequate audience understanding of the safety risk.

Source: FAA Office of System Safety

Certisafety Section Home Page

Copyright ©2000-2016 Geigle Safety Group, Inc. All rights reserved. Federal copyright prohibits unauthorized reproduction by any means without permission. Students may reproduce materials for personal study. Disclaimer: This material is for training purposes only to inform the reader of occupational safety and health best practices and general compliance requirement and is not a substitute for provisions of the OSH Act of 1970 or any governmental regulatory agency. CertiSafety is a division of Geigle Safety Group, Inc., and is not connected or affiliated with the U.S. Department of Labor (DOL), or the Occupational Safety and Health Administration (OSHA).