define & compare flowcharts of each method tom delong

Upload: gladys-wiggins

Post on 16-Dec-2015


Page 1: Define & Compare Flowcharts of Each Method Tom Delong
Page 2: Define & Compare Flowcharts of Each Method
Tom Delong

Page 3: Overview of Methods

» ANSI Process
» MIL-STD-882 Process
» Safety Cases
» SAE ARP 4761 Process
» Reports

Page 4: ANSI Process

Flowchart (figure T-05-00512): the generic system safety process as five stages, each paired with the understanding it produces, with hazard tracking and life cycle monitoring running continuously alongside.

Program Initiation
• Tasks, Schedule, Team, Tools
• Document the System Safety Approach

Hazard Identification (Understanding Hazards)
• Recognize & Document Hazards
• Hazard Tracking (continuous)

Risk Assessment (Understanding Risk Drivers)
• Assess Mishap Risk

Risk Reduction (Understanding Risk Options; iterative)
• Identify Mitigation Measures
• Reduce Risk to Acceptable Level
• Verify Risk Reduction

Risk Acceptance
• Residual Risk Review & Acceptance

Life Cycle Monitoring (continuous)
• Maturing Design
• Changes

Page 5: ANSI Process (Generic System Safety Process)

Element 1: Program Initiation
• Products: Plans, Authorizations, Contract(s), Team, Tools

Element 2: Hazard Identification and Tracking
1) Process: The initial step produces a complete definition of the hazards associated with the system. This can be achieved by a variety of methods. Key elements of the risk assessment matrix are also defined. (Identify Hazards → Understanding of Hazards)
2) Methods: Checklists; System Energy Source Inventory; Prior Work with Similar Systems; Operating Scenario Walkthroughs; Operational Phase Review; Codes/Standards/Regulations
3) Products: PHL, PHA, SSHA, SHA, O&SHA, others; HTS. Hazard tracking is iterative, and each tracked hazard includes: Description; Assessed Risk; Potential and Selected Countermeasures; Accident Experience; Lessons Learned

Element 3: Risk Assessment
1) Process: For each identified hazard the severity and likelihood are established. The Risk Assessment Matrix is used to assess and display the risk. (Assess risks of hazards → Understanding of Risk Drivers)
The matrix defines the "risk space" for a single system and a declared exposure duration (e.g., 1 year, 1 lifecycle). Its axes are Severity and Probability; the slide plots hazards H1 through H9 on it, with a boundary separating the "Reduction Needed" region from the "Reduction Not Needed" region.
2) Assessment Methods / Approaches: Expert Judgment; Historical Risk Experience; System Knowledge; Engineering Judgment; What is Known/not Known; Numerical Analysis; Computer Models; FMEA; FTA; Event Trees; Others
3) Products: Risk Assessment Matrix, Individual Hazards

Element 4: Risk Reduction
1) Process: Risk reductions are achieved by understanding the risk, countermeasuring the risk according to an order of precedence, and reassessing risks. Steps: Understand Risk Drivers → Develop Candidate Countermeasures → Select Countermeasures → Re-Assess and Accumulate Risks (→ Understand Options to Reduce). Understanding risk causation can lead to prioritizing hazard reductions and/or direct countermeasure selection.
2) Methods:
• Countermeasure Selection Criteria: Cost (vs. accepting risk); Effectiveness (in reducing risk); Feasibility; Means; Schedule
• Countermeasures shouldn't: 1) introduce new hazards; 2) unacceptably impair system performance
• Countermeasure Order of Precedence: 1) Design Changes; 2) Engineered Safety Features; 3) Safety Devices; 4) Warning Devices; 5) Procedures/Training
• Accumulate total system risk by proper mathematical protocol
• Validate Risk Reductions
3) Products (typical): Hazard Reports, SAR, others

Element 5: Risk Acceptance
1) Process: Properly designated decision-makers are provided sufficient information to make an informed decision concerning the acceptability of residual risk. All decisions are to be documented. Flow: Residual Risk → Risk Acceptance Decision (weighing Risk against Need: "How Safe is Safe Enough?") → Accept → Document; or Other Action(s): Further Reduce; Deny Approval; Forward to Higher Authority
2) Methods: 1) Compare to consensus standards for a) protection of personnel and b) societal risk (the slide shows an example consensus standard for risk acceptability); 2) Balance risk with needs
3) Product: Documented Risk-Based Decision

Lifecycle Monitoring: changes to reduce risk are fed back into the process (continuous).
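The Element 3 and Element 4 loop above (place each hazard on the matrix, countermeasure it in order of precedence, re-assess, then decide on the residual risk) as a small Python model. This is an added example, not code from the slides or from the ANSI standard; the matrix scales, the acceptability threshold and the decision rule are constructed assumptions.

```python
from dataclasses import dataclass, field

# Ordinal axes of the severity x probability matrix (constructed; the slide gives no scale).
SEVERITY = {"catastrophic": 4, "critical": 3, "marginal": 2, "negligible": 1}
PROBABILITY = {"frequent": 4, "probable": 3, "occasional": 2, "remote": 1}
ACCEPT_THRESHOLD = 4  # assumed boundary between "Reduction Needed" and "Reduction Not Needed"

# Countermeasure order of precedence as listed on the slide (index 0 = most preferred).
PRECEDENCE = ["design change", "engineered safety feature", "safety device",
              "warning device", "procedure/training"]

@dataclass
class Hazard:
    hid: str
    severity: str
    probability: str
    applied: list = field(default_factory=list)  # countermeasures selected so far

@dataclass
class Candidate:
    kind: str              # one of PRECEDENCE
    new_probability: str   # re-assessed likelihood if this measure is applied
    introduces_hazard: bool = False  # slide: countermeasures shouldn't add new hazards

def risk_index(h: Hazard) -> int:
    """Position of a hazard in the matrix collapsed to one number (constructed scoring)."""
    return SEVERITY[h.severity] * PROBABILITY[h.probability]

def reduction_needed(h: Hazard) -> bool:
    return risk_index(h) > ACCEPT_THRESHOLD

def reduce_risk(h: Hazard, candidates: list) -> Hazard:
    """Iterative risk reduction: take candidates in order of precedence, skip any that
    introduce a new hazard, apply one, re-assess, stop once reduction is not needed."""
    usable = sorted((c for c in candidates if not c.introduces_hazard),
                    key=lambda c: PRECEDENCE.index(c.kind))
    for c in usable:
        if not reduction_needed(h):
            break
        # Verify the reduction: keep the measure only if it actually lowers the likelihood.
        if PROBABILITY[c.new_probability] < PROBABILITY[h.probability]:
            h.probability = c.new_probability
            h.applied.append(c.kind)
    return h

def acceptance_decision(h: Hazard) -> str:
    """Residual-risk decision (assumed rule: anything still in the 'Reduction Needed'
    region goes back for further reduction rather than being accepted)."""
    return "accept" if not reduction_needed(h) else "further reduce"
```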

Page 6: MIL-STD-882 Process

Element 1: Document the System Safety Approach
Element 2: Identify and Document Hazards
Element 3: Assess and Document Risk
Element 4: Identify and Document Risk Mitigation Measures
Element 5: Reduce Risk
Element 6: Verify, Validate, and Document Risk Reduction
Element 7: Accept Risk and Document
Element 8: Manage Life-Cycle Risk

Page 7: Safety Cases

Page 8: A Simple Goal Structure

Goals
G1: Press is acceptably safe to operate within Whatford Plant
G2: Hazard of 'Operator Hands Trapped by Press Plunger' sufficiently mitigated
G3: Hazard of 'Operator Upper Body trapped by Press Plunger' sufficiently mitigated
G4: Hazard of 'Operator Hands Caught in Press Drive Machinery' sufficiently mitigated
G5: Press compliant with UK HSE Provision and Use of Work Equipment Regulations
G6: Press compliant with UK enactment of EU Machinery Directive
G7: PES element of press design compliant with IEC1508

Contexts
C1: Press specification
C2: Press operation
C3: Whatford Plant
C4: All identified operating hazards
C5: All applicable safety standards and regulations

Strategies
S1: Argument by addressing all identified operating hazards
S2: Argument of compliance with all applicable safety standards and regulations

Solutions
Sn1: FTA analysis
Sn2: Formal verification
Sn3: SIL3 certificate
Sn4: Audit report
Sn5: Compliance sheet
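The goal structure on this slide as a Python graph, with the checks a reviewer of a safety (or security) assurance case runs: no goal or strategy left undeveloped, no edge to an undeclared node, and the evidence trail under each goal. This is an added example, not from the slides; the goal-to-strategy edges follow the slide's wording, but which solution backs which leaf goal is not stated there, so those edges are assumed.

```python
# Node kinds of the slide's goal structure (labels abbreviated; see the slide for full text).
NODES = {
    **{f"G{i}": "goal" for i in range(1, 8)},       # G1 top goal, G2-G4 hazards, G5-G7 compliance
    **{f"C{i}": "context" for i in range(1, 6)},    # C1-C3 on G1, C4 on S1, C5 on S2
    "S1": "strategy", "S2": "strategy",
    **{f"Sn{i}": "solution" for i in range(1, 6)},  # FTA, formal verif., SIL3 cert, audit, sheet
}

# "Supported by" edges, parent -> children. Solution edges are assumed, not from the slide.
SUPPORTED_BY = {
    "G1": ["S1", "S2"],
    "S1": ["G2", "G3", "G4"],
    "S2": ["G5", "G6", "G7"],
    "G2": ["Sn1"], "G3": ["Sn1"], "G4": ["Sn2"],   # assumed
    "G5": ["Sn4"], "G6": ["Sn5"], "G7": ["Sn3"],   # assumed
}
IN_CONTEXT_OF = {"G1": ["C1", "C2", "C3"], "S1": ["C4"], "S2": ["C5"]}

def undeveloped(nodes, supported_by):
    """Goals and strategies with no supporting child: the argument is incomplete there."""
    return sorted(n for n, kind in nodes.items()
                  if kind in ("goal", "strategy") and not supported_by.get(n))

def dangling_references(nodes, supported_by, in_context_of):
    """Edges that point at ids never declared as nodes (typos or missing nodes)."""
    refs = {c for kids in supported_by.values() for c in kids}
    refs |= {c for ctx in in_context_of.values() for c in ctx}
    return sorted(refs - set(nodes))

def evidence_for(goal, supported_by, nodes):
    """Solutions reachable under a goal: the evidence trail a reviewer must inspect."""
    found, seen, stack = set(), set(), [goal]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        for child in supported_by.get(n, []):
            if nodes.get(child) == "solution":
                found.add(child)
            else:
                stack.append(child)
    return sorted(found)

def argument_is_complete(nodes, supported_by, in_context_of):
    return (not undeveloped(nodes, supported_by)
            and not dangling_references(nodes, supported_by, in_context_of))
```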

Page 9: SAE ARP 4761 Process

Flowchart of the system safety, software safety and software design assurance activities and their products. The boxes recoverable from the slide, grouped under the lane labels shown:

System Safety Engineering IAW ARP 4761 (SSPP per "882"; products: FHA, PSSA, SSA)
• Define Initial System Safety Design Requirements
• Analyze System Hazards
• Determine severity of failure conditions on the A/C or aircrew
• Determine Impact of S/W Design
• Determine S/W Levels A/B/C/D/E
• Allocate S/W functions to appropriate CSCIs, CSCs, CSUs
• Refine Hazard Mitigations and Identify Derived Safety Reqmts

Software Safety IAW IEEE STD 1228
• Determine S/W Safety Involvement
• Determine S/W Level
• Define S/W Safety Critical Requirements
• Determine S/W Safety Hazard Mitigations
• Define S/W Safety Verification Requirements
• Ensure Compliance with Safety-Critical Requirements
• Conduct S/W Safety Analyses per 1228
• Perform Test Safety Analysis & Develop S-C Test Requirements (FMETs/FTs/CWAs)

DO-178B Software Design Assurance (milestones: PDR, CDR; products: SRSs, Integration Specs, TDOCs)
• Software Requirements and Definition
• Software Design
• Software Coding and Unit Testing
• Integration Testing / Qualification Testing
• SIL Testing, Ground Testing, Flight Testing

Page 10: Safety Cases

Detail depends on the regulatory structure, etc.

Page 11: Typical Safety Case Contents

» Following are key elements of most standards:
• Scope
• System Description
• System Hazards
• Safety Requirements
• Risk Assessment
• Hazard Control / Risk Reduction Measures
• Safety Analysis / Test
• Safety Management System
• Development Process Justification
• Conclusions

Page 12: Safety Assessment Report

Purpose
» Historical record
» Comprehensive evaluation of risk:
• 60 days prior to test
• 60 days prior to fielding
• New phase of contract or completion
» Sent to DTIC & MANPRINT Database
» Provides manufacturer's statement of risk control with justification

Contents
» Introduction
» System description
» System operations
» System safety engineering
» Conclusions (signed statement)
» References