Beruflich Dokumente
Kultur Dokumente
Topics
What is System Safety Engineering?
When should System Safety be used?
How is System Safety done?
Who should perform System Safety
analyses?
What does System Safety Cost?
Why do System Safety?
M-05-02600-2
Whats a SYSTEM?
An operating procedure
An implantable insulin pump
The product
Equipment
Reputation
M-05-02600-4
Tree
Inventory
2 Top
Down
3 Bottom
Up
4 Logic
M-05-02600-5
What is RISK?
RISK: An expression of the combined
SEVERITY and PROBABILITY of HARM to an ASSET.
SYSTEM ASSETS*
may be:
Personnel
Equipment
Productivity
Product
Environment
others
RISK is an
attribute of a
HAZARD-ASSET
combination!
PROGRAMMATIC
ASSETS* may be:
Cost
Schedule
Mission
Performance
Constructability
others
THREATS to ASSETS
are called
HAZARDS.
M-05-02600-6
HAZARDS
SOURCE
Thusly:
MECHANISM
OUTCOME
SEVERITY
R = P x S = K1
Iso-risk
contours
0
NEVER
Likely
R = K2> K1
In
cr
e
Ri as
sk in
R = K3 > K2
Cataclysmic
PROBABILITY
RISK
is
CONSTANT
along any
ISO-RISK
CONTOUR.
PROBABILITY
is a function of
EXPOSURE
INTERVAL.
M-05-02600-8
SEVERITY
B
NOT
ACCEPTABLE
PROVISIONALLY
ACCEPTABLE
ACCEPTABLE
(de minimis)
0
0
Further
Risk
Reduction
Desirable.
PROBABILITY
M-05-02600-9
SEVERITY
F
I
II
SEVERITY
PROBABILITY
III
IV
PROBABILITY
M-05-02600-10
Catastrophi
c
II
Critical
III
Marginal
IV
Negligible
Probability of Mishap**
Personnel
Injury /
Illness
Equipment
Loss
$
Down
Time
Death
>1M
>4
Mo
Severe
Injury or
Severe
Illness
250K
to
1M
2Wks
to
4Mo
Minor
Injury or
Minor
Illness
1k
to
250K
1 Day
to
2Wks
No Injury
or Illness
<1K
<1
Day
Impossible
Improbable
Remote
Occasional
Probable
Frequent
1
2
3
*Adapted from MIL-STD-882D **Life Cycle: Personnel: 30 yrs / Others: Project Life
Risk Code/
Action
Imperative to
suppress risk
to lower levels
Operation
permissible
M-05-02600-11
Understanding
Understanding
Hazards
Hazards
Continuous
Hazard
Tracking
Continuous
Understanding
Understanding
Risk
Risk Options
Options
Risk Assessment
Assessing
Assessing Mishap
Mishap Risk
Risk
Understanding
Risk Drivers
Iterative
Risk Reduction
Changes
Risk Reduction
Identifying
Identifying Mitigation
Mitigation Measures
Measures
Reducing
Reducing Risk
Risk to
to Acceptable
Acceptable
Level
Level
Verifying
Verifying Risk
Risk Reduction
Reduction
M-05-02600-12
PROGRAMMATIC
RISK MANAGEMENT
treats its own
special classes
of hazards,
posing risk to,
e.g.:
Cost
Schedule
Performance
Constructability
others
Cross-Link Disciplines
ISNT RELIABILITY
ENGINEERING
ENOUGH?
USUALLY NOT!
Reliability
explores the
Probability of
Success, alone.
System Safety
explores the
Probability of
Failure AND its
Severity Penalty.
M-05-02600-13
Topics
What is System Safety Engineering?
When should System Safety be used?
How is System Safety done?
Who should perform System Safety
analyses?
What does System Safety Cost?
Why do System Safety?
M-05-02600-14
A typical approach:
L G
TIA IN
I
IN NN
A
PL
N T
IG EP
S
C
DE N
O
C
D
LE N
I
TA I G
DEDES
/
NN
IO O
AT ATI
C
RI ALL
B
FA NST
I
N
W
O G
ED TIN
K
A ES
SH T
E
I N I ON
T
U AT
RO ER
P
O
LIFE CYCLE
y
or
t
enIL)
v
In C
d L/
r
a H
az (P
is
ys s
l
na a
A nd ,
d
d
then
ar ) aate
z
A
Ha(PH dic
in
is
ys
l
a
Anee
n Tr s)
ow ult lysi or p
D
p- (Fa na d / -U is
o
A n m s
T
a tto aly A)
Bo An ME
(F
*NOTE
System includes hardware, software, procedures,
training / certification, maintenance protocol, etc.
the GLOBAL System.
Traditional
Approach
60%
30%
90%
Time
Saved
Enlightened
Approach
30%
60%
90%
M-05-02600-16
M-05-02600-17
and / or
Bottom-up Analysis
Subsystem
Level
Redundancy
F
F1
A
F2
C
Component
Level
Redundancy
F
A
C
M-05-02600-19
A near miss?
A loss event?
Then,
REVIEW / REVISE
the
ANALYSIS!
M-05-02600-20
Topics
What is System Safety Engineering?
When should System Safety be used?
How is System Safety done?
Who should perform System Safety
analyses?
What does System Safety Cost?
Why do System Safety?
M-05-02600-21
An Overview of Selected
Analytical Techniques
Preliminary Hazard Analysis
Hazard Inventory
Top-Down, or Bottom-Up, or Inside-Out
M-05-02600-22
IDENTIFY
HAZARDS
Personnel
Personnel
Checklists
Checklists
ASSESS
RISK *
Energy
EnergySource
Source
Inventory
Inventory
Product
Product
Environment
Environment
Productivity
Productivity
others
others
Prior
PriorWork
Workwith
with
Similar
SimilarSystems
Systems
Operating
Operating
Scenario
Scenario
Walkthroughs
Walkthroughs
Operational
Operational
Phase
PhaseReview:
Review:
Startup
Standard Run
Stressed Run
Standard Stop
Emergency Stop
Maintenance
others
others
others
Selection Criteria:
PROBABILITY
F E D C B A
I
II
III
Is Risk
Acceptable
?
No
Yes
IV
Document
Document
Severity
Severity
(for
(for Worst
Worst Risk
Risk outcome)
outcome)
Countermeasures
should not:
Probability
Probability
(of
(of Worst
Worst Risk
Risk outcome)
outcome)
SEVERITY
Equipment
Equipment
DEVELOP
COUNTERMEASURES
REASSES
REASSES
RISK
RISK
Effectiveness
Cost
Feasibility (Means &
Schedule)
Design
DesignSelection
Selection
Design
DesignAlteration
Alteration
Engineered
Engineered
Safety
SafetyFeatures
Features
Safety
SafetyDevices
Devices
Warning
WarningDevices
Devices
Procedures/
Procedures/
Training
Training
Effectiveness
Effectiveness
Hierarchy
Hierarchy
(Higher
(Higherisisbetter.)
better.)
M-05-02600-24
Chem/Int-001
HAZARD No.
HAZARD TITLE:
REVISED:
7/22/93
HAZARD DESCRIPTION
Flange Seal A-29 leakage, releasing pressurized UnFo3 chemical intermediate from containment system, producing
toxic vapors on contact with air and attacking nearby equipment.
25 years
EXPOSURE INTERVAL
ACTIVITY/PROCESS PHASE:
SEVERITY:
(worst credible)
PROBABILITY:
RISK CODE:
(from Matrix)
Personnel:
Equipment:
II
Downtime:
III
Environment:
Product:
(worst credible)
ADDITIONAL COUNTERMEASURES*
RISK CODE:
Code Each Countermeasure: (D) Design Alteration / (E) = Engineered Safety Features
(S) = Safety Devices / (W) = Warning Devices / (P) =Procedures/ Training
(from Matrix)
Personnel:
Equipment:
II
Downtime:
III
Environment:
Product:
Prepared by / Date:
(Designer/Analyst)
Identify applicable
operating phases.
Surround flange with sealed annular stainless steel catchment housing, with gravity runoff conduit led to Detecto-BoxTM containing detector/alarm feature and chemical neutralizer (S/W). Inspect flange at two-month intervals and re-gasket during annual plant
maintenance shut-down (P). Provide personal protective equipment and training for response/cleanup crew (S/P).
COMMENTS
Re-evaluate before sign-off reconsider Environment as asset.
Reviewed by / Date:
(System Safety Manager)
M-05-02600-25
Piece
PiecePart
Part
Component
Component
Subassembly
Subassembly
Assembly
Assembly
Subsystem
Subsystem
System
System
IDENTIFY
FAILURE MODES
(for each ITEM)
Mode
Mode11
Mode
Mode22
Mode
Mode33
Mode
Modenn
EVALUATE
SEVERITY and
PROBABILITY for
all MODE-EFFECT
combinations on
each ASSET:
ASSESS
RISK *
Personnel
Equipment
Product
Environment
Productivity
others
IDENTIFY
EFFECTS of
FAILURE
(in each MODE
for each ITEM)
Effect
Effect A
A
Effect
Effect B
B
II
III
Is Risk
Acceptable
?
No
Yes
IV
Document
Document
Severity
Severity
(for
(for Worst
Worst Risk
Risk outcome)
outcome)
REASSES
REASSES
RISK
RISK
Effect
Effect C
C
Effect
Effect N
N
Countermeasures
should not:
Selection Criteria:
PROBABILITY
F E D C B A
I
DEVELOP
COUNTERMEASURES
Probability
Probability
(of
(of Worst
Worst Risk
Risk outcome)
outcome)
SEVERITY
SELECT ITEM
INDENTURE
LEVEL
Effectiveness
Cost
Feasibility (Means &
Schedule)
Design
DesignSelection
Selection
Design
DesignAlteration
Alteration
Engineered
Engineered
Safety
SafetyFeatures
Features
Safety
SafetyDevices
Devices
Warning
WarningDevices
Devices
Procedures/
Procedures/
Training
Training
Effectiveness
Effectiveness
Hierarchy
Hierarchy
(Higher
(Higherisisbetter.)
better.)
M-05-02600-27
FMEA No.:
N/246.n
Project No.: Osh-004-92
Subsystem.: Illumination
System.: Headlamp Controls
Probability Interval.: 20 years
IDENT.
No.
ITEM/
FUNCTIONAL
IDENT.
FAILURE
MODE
Open w /
command
to close
Sheet 11 of 44
Date.: 6 Feb 92
Prep. by.: R.R. Mohr
Rev. by.: S. Perleman
Approved by.: G. Roper
FAILURE MODES
AND
EFFECTS ANALYSIS
FAILURE
CAUSE
FAILURE
EFFECT
Corrosion/or
mfg.defect/or
basic coil
failure
(open)
Loss of forward
illumination/
Impairment of night
vision/potential
collisions(s)
w/unilluminated
obstacles
T
A
R
G
E
T
RISK
ASSESSMENT
SEV
P I
E III
T I
M I
PROB
Risk
Code
D
D
D
D
2
3
2
2
ACTION
REQUIRED/REMARKS
M-05-02600-28
Power
Outage
Fault Trees
are
QUANTIFIABLE
but need
not be
quantified.
PROJECTOR
LAMP
OUTAGE
Unresolved
Lamp Failure
Inadvertent
Shutdown
Wiring
Failure
Tree shows
Probability
and its
Sources.
Basic
Lamp
Failure
No
Spare
Lamp
Operator
Error
Trip
and
Unplug
Internal
Wiring
Failure
External
Wiring
Failure
Topics
What is System Safety Engineering?
When should System Safety be used?
How is System Safety done?
Who should perform System Safety
analyses?
What does System Safety Cost?
Why do System Safety?
M-05-02600-31
SOLO ANALYSIS
is
HAZARDOUS!
Topics
What is System Safety Engineering?
When should System Safety be used?
How is System Safety done?
Who should perform System Safety
analyses?
What does System Safety Cost?
Why do System Safety?
M-05-02600-33
Cost
Recklessness
al
Co
st
:T
Program Costs :
Program Development
Training
Operating Costs
Reviews/Audits
Potential
Equipment
Gains
tc.
=C
Majority-Case
Codeworthiness
Philanthropy
Minimum Total Cost
(Stockholder Bliss )
+L
Losses :
Potential
Gains
st
ating Co
r
e
p
O
m
ty Progra
C = Safe
L = Co
st of Lo
sses
Man-hours
Medical Costs
Equipment Damage
Schedule Delays
Productivity
Fines / Penalties
tc.
M-05-02600-35
Topics
What is System Safety Engineering?
When should System Safety be used?
How is System Safety done?
Who should perform System Safety
analyses?
What does System Safety Cost?
Why do System Safety?
M-05-02600-36
M-05-02600-37
RELIABILITY
ENGINEERING
views the probability that the
system will operate on
command, and throughout
the period of need, with
unimpaired performance.
SYSTEM SAFETY views the
probability that the system
will fail in a way that results in
loss, AND the severity of loss.
A Closing Caveat
To dig deeper
System Engineering Toolbox for Design-Oriented Engineers B. E. Goldberg, et al. A
compendium of methods dealing both with hazard recognition/risk assessment and with
reliability engineering, this work describes a broad spectrum of analytical techniques. For
each technique, the authors present a working level description, advice on applications,
application procedure, examples, a description of advantages and limitations, and a
bibliography of other resources. 1994 NASA Reference Publication 1358; Soft cover;
large format; 303 pp
System Safety and Risk Management P. L. Clemens and R. J. Simmons. Intended as a
guide for engineering college educators, this text presents the basic elements of system
safety practice and risk management principles. Lesson-by-lesson chapters and
demonstration problems deal with applying selected analytical techniques. Hazard
inventory methods are presented, as are logic tree approaches. 1998 National Institute
for Occupational Safety and Health, Centers for Disease Control and Prevention, Public
Health Service; Soft Cover; large format; 282 pp. (NIOSH Order No. 96-37768)
Safeware System Safety and Computers Nancy G. Leveson. An especially learned
treatment of system safety viewed as a discipline to be applied in practical ways to the
resolution of problems in discovering and managing risk. Fundamentals are treated in depth
(e.g., the concept of causality). Analytical methods are presented, and there relative
advantages and shortcomings are discussed. The importance of the role of software is
emphasized, and problems in developing software risk assessments with reasonable
confidence are discussed. Appendices analyze disasters and include a detailed treatment
of the six Therac-25 massive overdose cases. 1995 Addison-Wesley; Hard cover; 680 pp.
(ISBN 0-201-11972-2)
M-05-02600-40
more digging
Assurance Technologies Principles and Practices Dev G. Raheja. Directed to design
engineers at all levels of expertise, this volume devotes separate chapters to each of the
product/system assurance technologies i.e.: reliability engineering, maintainability
engineering, system safety engineering, quality assurance engineering, logistics support
engineering, human factors engineering, software performance assurance, and system
effectiveness. (Introductory material provides background information on the influence of
the assurance technologies on profits and on statistical concepts.) The treatment of each
topic provides both an overview and in-depth, detailed coverage, with carefully selected
illustrative examples. 1991 McGraw-Hill, Inc.; Hard cover; 341 pp. (ISBN 0-07-051212-4)
Loss Prevention in the Process Industries F. P. Lees. Monumentally important, tutorially
prepared, and globally thorough exposition of risk assessment and reliability engineering
principles and techniques, generously laced with case studies. 1996 Butterworths; Hard
cover; Three volumes; 1316 pp. (ISBN 0-7506-1547-8)
M-05-02600-41
Contact Information:
Pat Clemens
256.327.3707
A-P-T Research, Inc.
pclemens@apt-research.com
M-05-02600-42