Aviation Forum_Aviation Translation_Civil Aviation English Translation_Flight Translation

Title: Safety Assessment Before Investment Decision

Author: 帅哥    Time: 2008-12-21 20:55:01     Title: Safety Assessment Before Investment Decision

FAA System Safety Handbook, Chapter 4: Pre-Investment Decision Safety Assessments (December 30, 2000)

Chapter 4: Safety Assessments Before Investment Decision

Contents
4.0 Safety Assessments Before Investment Decision
4.1 Operational Safety Assessment
4.2 Comparative Safety Assessment (CSA)

4.0 Safety Assessments Before Investment Decision

Before the investment decision at JRC-2, there are two phases of the acquisition life cycle: Mission Analysis and Investment Analysis. The Pre-Investment phase of a program encompasses the Mission Analysis and Investment Analysis phases of the Acquisition cycle illustrated in Figure 4-1. System safety's purpose during these phases is twofold. The first purpose is to develop early safety requirements that form the foundation of the safety and system engineering efforts. The second purpose is to provide objective safety data to the management activity when making decisions. The early assessment of alternatives saves time and money, and permits the "decision makers" to make informed, data-driven decisions when considering alternatives. This section describes the System Safety assessments typically performed prior to the decision to approve a Mission Need at JRC-1, and prior to the decision to go forward with the program at JRC-2. The pre-investment safety assessments are: (1) Operational Safety Assessment (OSA) and (2) Comparative Safety Assessment (CSA).
Figure 4-1: Safety Products in AMS Life Cycle (figure not reproduced; the System Safety products it places on the AMS life cycle, with the notes attached to each, are listed here)
- Hazard Tracking & Incident Investigation: track medium and high risks; closed loop / risk acceptance; capture and analyze incidents; identify high-risk trends for further detailed investigation.
- Operating and Support Hazard Analysis (O&SHA): operating hazards (focus on the human errors/factors details); support and maintenance hazards.
- System Hazard Analysis (SHA): looks at interfaces and environment (operating and ambient); NAS system level.
- Subsystem Hazard Analysis (SSHA): NOT components (next level below System); focus on faults and hazards at subsystem level; detailed; a few safety requirements may fall out.
- Comparative Safety Assessment (CSA) / Preliminary Hazard Analysis (PHA): top-down, focus on known system mission and approaches and changes at NAS system level; preliminary in nature; core safety requirements.
- OSA: system level; preliminary (some assumptions); some safety requirements.
(The figure is framed as part of the Integrated Product Development System.)

An Operational Safety Assessment (OSA) has been designed to provide a disciplined, and internationally developed (RTCA SC-189), method of objectively assessing the safety requirements of aerospace systems. In the FAA, the OSA is used to evaluate Communication, Navigation, Surveillance (CNS) and Air Traffic Management (ATM) systems. The OSA identifies and provides an assessment of the hazards in a system, defines safety requirements, and builds a foundation for follow-on institutional safety analyses related to Investment Analysis, Solution Implementation, In-Service Management, and Service Life Extension. The OSA is composed of two fundamental elements: (1) the Operational Services & Environment Description (OSED), and (2) an Operational Hazard Assessment (OHA).

The OSED is a description of the system's physical and functional characteristics, the environment's physical and functional characteristics, air traffic services, and operational procedures. This description includes both the ground and air elements of the system to be analyzed. The OHA is a qualitative safety assessment of the operational hazards associated with the OSED. Each hazard is classified according to its potential severity. Each classified hazard is then mapped to a safety objective based on probability of occurrence. In general, as severity increases, the safety objective is to decrease probability of occurrence.

The information contained in the OSA supports the early definition of system level requirements. It is not a risk assessment in a classical sense. Instead, the OSA's function is to determine the system's requirements early in the life cycle. The early identification and documentation of these requirements may improve system integration, lower developmental costs, and increase system performance and probability of program success. While the OSA itself is not a risk assessment, it does support further safety risk assessments that are required by FAA Order 8040.4. The follow-on safety assessments may build on the OSA's OSED and OHA, by using the hazard list, system descriptions, and severity codes identified in the OSA. The OSA also provides an essential input into CSA safety assessments that support trade studies and decision making in the operational and acquisition processes.

The CSA is a safety assessment performed by system safety to assess the hazards and relative risks associated with alternatives in a change proposal. The alternatives can be design changes, procedure changes, or program changes. It is useful in trade studies and in decision-making activities where one or more options are being compared in a system or alternative evaluation.
This type of risk assessment can be used by management to compare and rank risk reduction alternatives. More details on how to perform a CSA are included in section 4.2.

4.1 Operational Safety Assessment

The OSA is intended to provide a system level safety requirements assessment of aerospace CNS/ATM systems. As described above it is composed of two elements: (1) the Operational Services & Environment Description (OSED) and (2) the Operational Hazard Assessment (OHA). The OSA is based on an RTCA/SC-189 framework.

4.1.1 Operational Services & Environment Description (OSED)

The OSED is basically a system description that may include all the elements of the 5M model. See chapter 3 for instructions on developing a system description.

4.1.2 OSA Tasks

The steps within this task are:
- Define the boundaries of the system under consideration. Determine, separate, and document what elements of the system you will describe/analyze from those that you will not describe/analyze. The result of this process is a model of the system under analysis that will be used to analyze hazards.
- Using models such as those described in chapter 3, describe the system's physical and functional characteristics, the environment's physical and functional characteristics, air traffic services, human elements (e.g. pilots and controllers) and operational procedures.
- From this description, determine and list the system functions. For example, the primary function of a precision navigation system is to provide aircraft and flight crews with vertical and horizontal guidance to the desired landing area. These functions could be split, if desired, into vertical and horizontal guidance. Supporting functions would be those functions that provide the system the capability to perform the primary function. For instance, a supporting function of the precision navigation system would be transmission of the RF energy for horizontal guidance. It is up to the system engineering team to determine how to group these functions and to what level to take the analysis. Detailed analyses would go into the lower level functions. Typically the OSA functional analysis is limited to the top-level functions. See the FAA System Engineering Manual for more detailed guidance on functional analysis.

4.1.3 Operational Hazard Assessment

The Operational Hazard Assessment (OHA) is the second part of the OSA. The OHA is a qualitative assessment of the hazards associated with the system described in the OSED.

Determining functions and hazards

Once the system has been bounded, described, and the functions determined in the OSED, the analyst is ready to determine the hazards associated with the system. For these types of assessments the best method is to assess scenarios containing a set of hazardous conditions. Therefore, any of the following definitions can be used to define the hazards in a Preliminary Hazard List (PHL):
- Hazard: The potential for harm. Unsafe acts or unsafe conditions that could result in an accident. (A hazard is not an accident.)
- Hazard or hazardous condition: Anything, real or potential, that could make possible, or contribute to making possible, an accident.
- Hazard: A condition that is prerequisite to an accident.

Since the work has already been done in defining the system operational environment, it is often best to relate the functions of the system to hazards. For example, in analyzing the NAS, one would find the functions of the NAS listed in Table 4-1. These functions are then translated into hazards that would be included in the preliminary hazard list. For many of the listed hazards other conditions must be present before an accident could occur. These are detailed in the detailed description of the risk assessment.
The purpose here is to develop a concise, clear, and understandable PHL.

Table 4-1: Examples of NAS System Functions and Their Associated Hazards
(NAS System function -> NAS System hazard)
- Provide air-ground voice communications. -> Loss of air-ground voice communication.
- Provide aircraft precision approach instrument guidance to runways. -> Loss of precision instrument guidance to the runway.
- Provide En Route Flight Advisories of severe weather. -> Lack of EFAS warning of severe weather in the flight path to the aircraft flight crew.

In addition to the functional analysis, the tools listed in Table 4-2 can be used to identify the foreseeable hazards to the system operation.

Determining Severity of Consequence

The severity of each hazard is determined by the worst credible outcome, or effect of the hazard on the aircraft or system. This is done in accordance with MIL-STD-882 and FAR/AMJ 25.1309. Both documents state that the severity should consider all relevant stages of operation/flight and worst case conditions. See the risk determination Table 3-2 to define the severity levels of a hazard.

Table 4-2: Safety Analysis Tools

OPERATIONS ANALYSIS
Purpose: To understand the flow of events.
Method: List events in sequence. May use time checks.

PRELIMINARY HAZARD ANALYSIS (PHA)
Purpose: To get a quick hazard survey of all phases of an operation. In low hazard situations the PHA may be the final Hazard ID tool.
Method: Tie it to the operations analysis. Quickly assess hazards using scenario thinking, brainstorming, experts, accident data, and regulations. Considers all phases of operations and provides early identification of highest risk areas. Helps prioritize areas for further analysis.

"WHAT IF" TOOL
Purpose: To capture the input of operational personnel in a brainstorming-like environment.
Method: Choose an area (not the entire operation), get a group and generate as many "what ifs" as possible.

SCENARIO PROCESS TOOL
Purpose: To use imagination and visualization to capture unusual hazards.
Method: Using the operations analysis as a guide, visualize the flow of events.

LOGIC DIAGRAM
Purpose: To add detail and rigor to the process through the use of graphic trees.
Method: Three types of diagrams: positive, negative, and risk event.

CHANGE ANALYSIS
Purpose: To detect the hazard implications of both planned and unplanned change.
Method: Compare the current situation to a previous situation.

CAUSE & EFFECT TOOL
Purpose: To add depth and increased structure to the Hazard ID process through the use of graphic trees.
Method: Draw the basic cause and effect diagram on a worksheet. Use a team knowledgeable of the operation to develop causal factors for each branch. Can be used as a positive or negative diagram.

OHA Tasks

The tasks to be accomplished in this phase are:
- From the function list (or the tools listed in Table 4-2) develop the list of hazards potentially existing in the system under study.
- Determine the potential severity of each hazard in the hazard list by referring to the risk determination section of Chapter 3.
4.1.4 Allocation of Safety Objectives and Requirements (ASOR)

The Allocation of Safety Objectives and Requirements (ASOR) is the process of using hazard severity to determine the objectives and requirements of the system. There are two levels of requirements in this process: (1) objectives (or goals) and (2) requirements (or minimum levels of acceptable performance). The purpose of the ASOR is to establish requirements that ensure that the probability of a hazard leading to an accident has an inverse relationship to the severity of occurrence. This inverse relationship is called the Target Level of Safety (TLS). For example, a "hazardous" or severity 2 hazard would have a requirement (shown by arrows in Figure 4-2) to show by analysis or test a probability of occurrence of Extremely Remote, i.e. less than one in one million operating hours for the fleet or system. The objective (or desired probability) in this case would be Extremely Improbable, i.e. one occurrence in one billion operating hours for the fleet or system. See Figure 4-2 for the steps in this process. Once the TLS is determined for each hazard, requirements can be written to ensure that the appropriate hazard controls are established as system requirements.

Figure 4-2: Target Level of Safety Determination (figure not reproduced; its content is summarized here)
Steps:
1. Determine the potential severity of each hazard in the OHA.
2. Map severity to the hazard classification chart to determine the probability requirement (minimum) and objective (desired) Target Level of Safety (TLS).
3. Allocate the safety objectives and requirements (ASOR) from the TLS to air and/or ground elements.
Hazard classification: severity 1 Catastrophic, 2 Hazardous, 3 Major, 4 Minor, 5 No Safety Effect; likelihood A Probable, B Remote, C Extremely Remote, D Extremely Improbable; the resulting cells are labelled High Risk, Medium Risk or Low Risk.

4.1.5 Identification of High Level Hazard Controls

The next step is to determine the hazard controls. Controls are measures, design features, warnings, and procedures that mitigate or eliminate risk. They reduce either the severity or the probability of a risk. System Safety uses an order of precedence when selecting controls to reduce risk (MIL-STD-882, 1984). This order of precedence is discussed in Section 3.6 and Table 3.6-1. Clearly risk reduction by design is the preferred method of mitigation. But even if the risk is reduced, the term "reduction" still implies the existence of residual risk, which is the risk left over after the controls are applied. For example, residual risk can be controlled in the manner described in Table 4-3. This table describes the NAS System Function, NAS System Hazard, and NAS System Controls.

Table 4-3: Development of Controls for Hazards in the NAS

Function: Provide air-ground communications.
Hazard: Loss of air-ground communication.
Controls: Multiple communication channels. Multiple radios. Procedures for loss of communication. Phase dependent: communication is not always critical.

Function: Provide aircraft precision approach instrument guidance to runways.
Hazard: Loss of precision instrument guidance to the runway.
Controls: Reliability. Alternate approaches available. Procedures for alternate airport selection. Fuel reserve procedures. System detection and alert to the aircraft. Phase and condition (IMC vs. VMC) dependent.

Function: Provide En Route Flight Advisories of severe weather.
Hazard: Lack of EFAS warning of severe weather to the aircraft flight crew.
Controls: Early detection systems (satellite) for severe weather. Multiple dissemination means. Procedures (condition dependent) require alternate airports. Fuel reserve procedures.

As the engineer performs the assessment, controls that do not yet exist can be identified and listed.
These controls are included in the requirements of the OSA. This is done by turning the controls into measurable and testable requirements or "shall" statements. A critical function of System Engineering is the determination and allocation of requirements early in the concept and definition phase. System Safety's function in this process is to develop safety-related requirements early in the design to facilitate System Engineering. A primary source of safety requirements is the OSA. The controls identified, both existing and recommended, should be translated into a set of system level requirements. For example, Table 4-4 lists the same hazards and controls that were examined in Table 4-3. The requirements are examples only and are meant for illustration.

Table 4-4: Examples of Controls and Requirements

Function: Provide air to ground communications and control.
Hazard: Loss of air to ground communication and control.
Controls: Multiple communication channels. Multiple radios. Procedures for loss of communication. Phase dependent: communication is not always critical.
Requirements: The NAS system shall provide for multiple communication modes in the en route structure, at least 2 channels in each region being in the VHF frequency spectrum, and one available through the satellite communication system. The total Mean Time Between Failure (MTBF) of these systems may not be less than X hours.

Function: Provide aircraft precision approach instrument guidance to runways.
Hazard: Loss of precision instrument guidance to the runway.
Controls: Reliability. Alternate approaches available. Procedures for alternate airport selection. Fuel reserve procedures. System detection and alert to the aircraft. Phase and condition (IMC vs. VMC) dependent.
Requirements: The NAS shall provide at least two backup non-precision approaches at each airport with a precision approach capability. The NAS procedures shall require Part 121 operators to select an alternate destination if the forecast weather at the planned destination is less than 500' and 1 mile over the destination's weather planning minimums within one hour of the planned arrival.

Function: Provide En Route Flight Advisories of severe weather.
Hazard: Lack of EFAS warning of severe weather to the aircraft flight crew.
Controls: Early detection systems (satellite) for severe weather. Multiple dissemination means. Procedures (condition dependent) require alternate airports. Fuel reserve procedures.
Requirements: The NAS shall detect icing conditions greater than moderate accretion when it actually exists in any area of 10 miles square and at least 1000' thick for greater than 15 minutes duration.

Tasks in the ASOR phase
- Determine existing and recommended hazard controls for each hazard.
- Develop requirements based on the TLS and controls.
- Allocate the requirements so that both ground CNS/ATM and airborne systems share the controls.

4.2 Comparative Safety Assessment (CSA)

Comparative Safety Assessments (CSAs) are performed to assist management in the process of decision making. The CSA is a risk assessment, in that it defines both severity and likelihood in terms of the current risk of the system. Whereas an OSA defines the target level of safety, a risk assessment provides an estimation of the risk associated with the identified hazards. The first step within the CSA process involves describing the system under study in terms of the 5M model (chapter 3). Since most decisions are a selection of alternatives, each alternative must be described in sufficient detail to ensure the audience can understand the hazards and risks evaluated. Many times one of the alternatives will be "no change", or retaining the baseline system.
A preliminary hazard list (PHL) is developed and then each hazard's risk is assessed in the context of the alternatives. After this is done, requirements and recommendations can be made based on the data in the CSA. A CSA should be written so that the decision-maker can clearly distinguish the relative safety merit of each alternative. An example (with instructions) of a CSA is included in Appendix B.

4.2.1 Principles of Comparative Safety Assessments

In general, a CSA should:
- Be objective.
- Be unbiased.
- Include all relevant data.
- Use assumptions only if specific information is not available. If assumptions are made they should be conservative and clearly identified. Assumptions should be made in such a manner that they do not adversely affect the safety of the system.
- Define risk in terms of severity and likelihood in accordance with chapter 3, paragraph 3.4. Severity is independent of likelihood in that it can and should be defined without considering likelihood of occurrence. Likelihood is dependent on severity: the definition of likelihood should be based on how often an accident can be expected to occur, not how often the hazard occurs.
- Compare the results of the risk assessment of each hazard for each alternative considered in order to rank the alternatives for decision-making purposes.
- Assess the safety risk reduction or other benefits associated with implementation of and compliance with an alternative under consideration.
- Assess risk in accordance with the risk determination defined in Tables 3-2 and 3-3.

4.2.2 Steps in performing a CSA

1. Define the system under study in terms of the 5M model described in chapter 3 for the baseline system and all alternatives.
2. Perform a functional analysis in accordance with the FAA System Engineering handbook. This analysis will result in a set of hierarchical functions that the system performs.
3. From the functions and system description, develop a preliminary hazard list as described earlier in this chapter.
4. List these PHL hazard conditions in the form contained in Appendix B and evaluate each hazard-alternative combination for severity using the definitions contained in chapter 3. This must be done in accordance with the principles contained in this manual, which require evaluation of the hazard severity in the context of the worst credible conditions.
5. Evaluate the likelihood of occurrence of the hazard conditions resulting in an accident at the level of severity indicated in step 4. These definitions can be found in chapter 3, Table 7 of this guidebook. This means that the likelihood selected is the probability of an accident happening in the conditions described in step 4, and not the probability of just the hazard occurring.
6. Document the assumptions and justification for how severity and likelihood for each hazard condition was determined.
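As an added worked example (not part of the FAA handbook or of the original post), the following Python script turns two of the procedures above into running code: the ASOR step of section 4.1.4 (severity, then the Target Level of Safety, then a check of whether a demonstrated accident rate meets the requirement and the objective) and the CSA ranking of section 4.2.2 (severity and likelihood per hazard per alternative, then a risk level, then a ranking of the alternatives). The severity and likelihood class names are the page's own, and the Hazardous row of the TLS table and the 1e-6 and 1e-9 per-hour bounds are taken from the text of 4.1.4. Everything else is an assumption made for illustration: the remaining TLS rows, the rate bounds for the Probable and Remote classes, the risk matrix (the page defers to Chapter 3, which is not reproduced here), the severities assigned to the three Table 4-1 hazards, and the "Add satcom channel" alternative.

```python
"""Added example, not FAA code: executable model of the ASOR check (4.1.4)
and the CSA alternative ranking (4.2.2).  Only the Hazardous TLS row and the
1e-6 / 1e-9 per-hour bounds come from the page; every other TLS row, the A/B
rate bounds, the risk matrix, the hazard severities and the alternatives are
ASSUMPTIONS for illustration (Chapter 3 of the handbook is not on the page).
"""
from dataclasses import dataclass
from enum import Enum, IntEnum


class Severity(IntEnum):
    CATASTROPHIC = 1
    HAZARDOUS = 2
    MAJOR = 3
    MINOR = 4
    NO_SAFETY_EFFECT = 5


class Likelihood(Enum):
    PROBABLE = "A"
    REMOTE = "B"
    EXTREMELY_REMOTE = "C"
    EXTREMELY_IMPROBABLE = "D"


# Higher index = more stringent class (D is the hardest to meet).
STRINGENCY = {lk: i for i, lk in enumerate(Likelihood)}

# Upper bound on accidents per operating hour for each class.
RATE_BOUND = {
    Likelihood.PROBABLE: float("inf"),      # assumed: anything more frequent than Remote
    Likelihood.REMOTE: 1e-5,                # assumed
    Likelihood.EXTREMELY_REMOTE: 1e-6,      # page: less than one in one million operating hours
    Likelihood.EXTREMELY_IMPROBABLE: 1e-9,  # page: one in one billion operating hours
}

# Target Level of Safety: severity -> (requirement, objective).
# The HAZARDOUS row is the page's worked example; the other rows are assumed.
TLS = {
    Severity.CATASTROPHIC: (Likelihood.EXTREMELY_IMPROBABLE, Likelihood.EXTREMELY_IMPROBABLE),
    Severity.HAZARDOUS: (Likelihood.EXTREMELY_REMOTE, Likelihood.EXTREMELY_IMPROBABLE),
    Severity.MAJOR: (Likelihood.REMOTE, Likelihood.EXTREMELY_REMOTE),
    Severity.MINOR: (Likelihood.PROBABLE, Likelihood.REMOTE),
    Severity.NO_SAFETY_EFFECT: (Likelihood.PROBABLE, Likelihood.PROBABLE),
}

# Assumed risk matrix: rows = severity, columns = likelihood A, B, C, D.
RISK_MATRIX = {
    Severity.CATASTROPHIC: ("High", "High", "Medium", "Low"),
    Severity.HAZARDOUS: ("High", "Medium", "Medium", "Low"),
    Severity.MAJOR: ("Medium", "Medium", "Low", "Low"),
    Severity.MINOR: ("Medium", "Low", "Low", "Low"),
    Severity.NO_SAFETY_EFFECT: ("Low", "Low", "Low", "Low"),
}


@dataclass(frozen=True)
class Hazard:
    function: str    # NAS system function, Table 4-1 style
    hazard: str      # loss or lack of that function
    severity: Severity


def classify_rate(rate_per_hour: float) -> Likelihood:
    """Most stringent likelihood class whose bound the demonstrated rate meets."""
    for lk in reversed(list(Likelihood)):  # try D, then C, B, A
        if rate_per_hour <= RATE_BOUND[lk]:
            return lk
    raise AssertionError("PROBABLE is unbounded, so this is unreachable")


def asor(hazard: Hazard, demonstrated_rate: float) -> dict:
    """ASOR step: TLS for the hazard's severity, and whether a demonstrated
    accident rate meets the requirement (minimum) and the objective (desired)."""
    requirement, objective = TLS[hazard.severity]
    achieved = classify_rate(demonstrated_rate)
    return {
        "requirement": requirement,
        "objective": objective,
        "achieved": achieved,
        "meets_requirement": STRINGENCY[achieved] >= STRINGENCY[requirement],
        "meets_objective": STRINGENCY[achieved] >= STRINGENCY[objective],
    }


def risk_level(severity: Severity, likelihood: Likelihood) -> str:
    return RISK_MATRIX[severity][STRINGENCY[likelihood]]


def compare_alternatives(hazards, assessments):
    """CSA ranking.  assessments: alternative -> {hazard name: (severity, likelihood)}.
    Every alternative must assess every hazard (a skipped hazard would silently
    favour that alternative).  Returns [(alternative, {"High": n, "Medium": n,
    "Low": n})] ordered by fewest High, then fewest Medium."""
    ranking = []
    for alt, per_hazard in assessments.items():
        missing = {h.hazard for h in hazards} - per_hazard.keys()
        if missing:
            raise ValueError(f"{alt}: unassessed hazards {sorted(missing)}")
        counts = {"High": 0, "Medium": 0, "Low": 0}
        for h in hazards:
            sev, lk = per_hazard[h.hazard]
            counts[risk_level(sev, lk)] += 1
        ranking.append((alt, counts))
    ranking.sort(key=lambda item: (item[1]["High"], item[1]["Medium"]))
    return ranking


# Constructed sample: the three Table 4-1 hazards with assumed severities, a
# "No change" baseline, and a hypothetical alternative that adds a satcom
# channel so that only the communication hazard's likelihood changes.
HAZARDS = [
    Hazard("Provide air-ground voice communications",
           "Loss of air-ground voice communication", Severity.MAJOR),
    Hazard("Provide precision approach instrument guidance to runways",
           "Loss of precision instrument guidance to the runway", Severity.HAZARDOUS),
    Hazard("Provide En Route Flight Advisories of severe weather",
           "Lack of EFAS warning of severe weather", Severity.HAZARDOUS),
]
_BASELINE = {
    "Loss of air-ground voice communication": (Severity.MAJOR, Likelihood.REMOTE),
    "Loss of precision instrument guidance to the runway": (Severity.HAZARDOUS, Likelihood.EXTREMELY_REMOTE),
    "Lack of EFAS warning of severe weather": (Severity.HAZARDOUS, Likelihood.REMOTE),
}
ASSESSMENTS = {
    "No change": _BASELINE,
    "Add satcom channel": {**_BASELINE, "Loss of air-ground voice communication":
                           (Severity.MAJOR, Likelihood.EXTREMELY_REMOTE)},
}
```

Running `asor(HAZARDS[1], 1e-7)` reproduces the page's own example: a Hazardous hazard demonstrated at 1e-7 per hour meets the Extremely Remote requirement but not the Extremely Improbable objective. `compare_alternatives(HAZARDS, ASSESSMENTS)` ranks "Add satcom channel" ahead of "No change" because it moves the communication hazard from Medium to Low risk, and it refuses to rank an alternative that has not assessed every hazard, which is the point of principle 4.2.1's "include all relevant data".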




Welcome to Aviation Forum_Aviation Translation_Civil Aviation English Translation_Flight Translation (http://bbs.aero.cn/) Powered by Discuz! X2