Preliminary Hazard Analysis
Preliminary hazard analysis (PHA) accomplishes the following tasks.
Remember, system hazards are not failures. Failures may contribute to hazards, but hazards are system states that, combined with certain environmental conditions, cause accidents. Below are example system hazards for automated train doors.
Notice that there are not many hazards in the list. The goal is not a bulk of possible hazards, but a concise description of those conditions that are hazards. If a hazard list is too long, it is very likely that causes are being listed along with, or instead of, hazards. Below is another list of hazards, this time for an air traffic control system.
The following is an exercise in brainstorming a hazard list. Identify the system hazards for this cruise-control system:
The cruise control system operates only when the engine is running. When the driver turns the system on, the speed at which the car is traveling at that instant is maintained. The system monitors the car's speed by sensing the rate at which the wheels are turning, and it maintains desired speed by controlling the throttle position. After the system has been turned on, the driver may tell it to start increasing speed, wait a period of time, and then tell it to stop increasing speed. Throughout the time period, the system will increase the speed at a fixed rate, and then will maintain the final speed reached.
Hazard identification can sound like an intimidating process. Stare at a blank page; then a miracle occurs; then read the final product. The truth is that there are a number of techniques to help in hazard identification. Use historical safety experience, lessons learned, trouble reports, hazard analyses, and accident and incident files. All of these things should be collected by a successful system safety effort. This may be more difficult if the organization has no history with the product type that it proposes to construct. In some industries, information may be available from other companies in that market segment. If not, regulatory bodies, industry consortia, or users groups for similar products may have some information.
Many industries also have published lists, checklists, standards, and codes of practice that may help guide hazard list development. For example, nuclear devices for use by the US military must address a pre-existing hazard list.
Examine basic energy sources, flows, high-energy items, hazardous materials (fuels, propellants, lasers, explosives, toxic substances, pressure systems) in the systems. How might these energies be released in an uncontrolled manner? How else might these energies participate in an accident? Often these materials suggest hazards, particular at their interface or boundary with the rest of the system. In general, look at potential interface problems such as material incompatibilities, possibilities for inadvertent activation, contamination, and adverse environmental scenarios. Use scientific investigation of physical, chemical, and other properties of the system, as well.
For more possible hazards, review the mission of the system and basic performance requirements including the environments in which operations will take place. Look at all possible system uses, all modes of operation, all possible environments, and all times during operation. Accidents often occur when systems are pushed to operate beyond the assumptions the designers had in mind, so examine likely scenarios of operation outside the planned environment of the system.
Lastly, think the entire process through, step by step, anticipating what might go wrong, how to prepare for it, and what to do if the worst happens.
Once the hazard list has been compiled, it must be translated into design constraints. This is not a difficult process, and a table from the train door example is shown below.
Notice that the design constraints derived from the hazard list do not delve in the mechanisms to conform with the design constraints. The design constraints are merely an expression of properties the system must have to eliminate or control the hazards in the hazard list. Another example, for part of an air traffic control system, is shown in the table below.
Hazards, after being identified, must be assessed. Hazards are often ranked on two axes, likelihood and severity. The combination of likelihood and severity creates a ranking for the hazard. See the next two figures for hazard level matrices.
Hazard level assessment can be challenging. There is often no way to determine likelihood, even qualitatively. With the advancing rate of change in technology, systems often involve new technology, creating many unknowns. Fortunately, severity is usually adequate to determine the effort to spend on eliminating or mitigating hazards, and severity is much easier to determine.
System risk assessment is, again, not feasible. It may be possible to establish qualitative criteria to evaluate potential risk. These criteria could be used to make deployment or technology decisions. But this will depend on the system being considered.
An example risk assessment can be found in the AATT (an advanced air traffic system) Safety Criterion:
The introduction of AATT tools will not degrade safety from the current level.
Risk assessment for each tool was based on:
The following is an example of a severity level classification from a proposed JAA standard:
Example likelihood levels are shown below:
All hazards in the system must be entered into a hazard log. A hazard log is essential to any safety effort. The hazard log, part of the safety information system, tracks information about hazards from their initial identification through elimination or control. The hazard log should contain information such as:
Once the preliminary hazard analysis is complete, and the hazards are entered into the hazard log, system hazard analysis can begin. (Bear in mind that in any development process, there is lots of iteration and skipping around. It simply makes it easier to discuss each step if they are presented in isolation from the others.)
Copyright © 2003 - 2016 Safeware Engineering Corporation. All rights reserved