Home > White Papers > Preliminary Hazard Analysis

Preliminary Hazard Analysis

Preliminary hazard analysis (PHA) accomplishes the following tasks.

  1. Identify system hazards
  2. Translate system hazards into high-level system safety design constraints
  3. Assess hazards if required to do so
  4. Establish the hazard log

Remember, system hazards are not failures. Failures may contribute to hazards, but hazards are system states that, combined with certain environmental conditions, cause accidents. Below are example system hazards for automated train doors.

bulletTrain starts with door open.
bulletDoor opens while train is in motion.
bulletDoor opens while improperly aligned with the platform.
bulletDoor closes while someone is in the doorway.
bulletDoor that closes on an obstruction does not reopen or reopened door does not reclose.
bulletDoors cannot be opened for emergency evacuation.

Notice that there are not many hazards in the list. The goal is not a bulk of possible hazards, but a concise description of those conditions that are hazards. If a hazard list is too long, it is very likely that causes are being listed along with, or instead of, hazards. Below is another list of hazards, this time for an air traffic control system.

bulletControlled aircraft violate minimum separate standards (NMAC).
bulletAirborne controlled aircraft enters an unsafe atmospheric region.
bulletControlled airborne aircraft enters restricted airspace without authorization.
bulletControlled airborne aircraft gets too close to fixed obstacle other than a safe point of touchdown on an assigned runway (CFIT)
bulletControlled airborne aircraft and an intruder in controlled airspace violate minimum separation.
bulletControlled aircraft operates outside its performance envelope.
bulletAircraft on ground comes too close to moving objects or collides with stationary objects and leaves the paved area.
bulletAircraft enters a runway for which it does not have clearance.
bulletControlled aircraft executes an extreme maneuver within its performance envelope.
bulletLoss of aircraft control.

The following is an exercise in brainstorming a hazard list. Identify the system hazards for this cruise-control system:

The cruise control system operates only when the engine is running. When the driver turns the system on, the speed at which the car is traveling at that instant is maintained. The system monitors the car's speed by sensing the rate at which the wheels are turning, and it maintains desired speed by controlling the throttle position. After the system has been turned on, the driver may tell it to start increasing speed, wait a period of time, and then tell it to stop increasing speed. Throughout the time period, the system will increase the speed at a fixed rate, and then will maintain the final speed reached.

The driver may turn off the system at any time. The system will turn off if it senses that the accelerator has been depressed far enough to override the throttle control. If the system is on and senses that the brake has been depressed, it will cease maintaining speed but will not turn off. The driver may tell the system to resume speed, whereupon it will return to the speed it was maintaining before braking and resume maintenance of that speed.

Hazard identification can sound like an intimidating process. Stare at a blank page; then a miracle occurs; then read the final product. The truth is that there are a number of techniques to help in hazard identification. Use historical safety experience, lessons learned, trouble reports, hazard analyses, and accident and incident files. All of these things should be collected by a successful system safety effort. This may be more difficult if the organization has no history with the product type that it proposes to construct. In some industries, information may be available from other companies in that market segment. If not, regulatory bodies, industry consortia, or users groups for similar products may have some information.

Many industries also have published lists, checklists, standards, and codes of practice that may help guide hazard list development. For example, nuclear devices for use by the US military must address a pre-existing hazard list.

Examine basic energy sources, flows, high-energy items, hazardous materials (fuels, propellants, lasers, explosives, toxic substances, pressure systems) in the systems. How might these energies be released in an uncontrolled manner? How else might these energies participate in an accident? Often these materials suggest hazards, particular at their interface or boundary with the rest of the system. In general, look at potential interface problems such as material incompatibilities, possibilities for inadvertent activation, contamination, and adverse environmental scenarios. Use scientific investigation of physical, chemical, and other properties of the system, as well.

For more possible hazards, review the mission of the system and basic performance requirements including the environments in which operations will take place. Look at all possible system uses, all modes of operation, all possible environments, and all times during operation. Accidents often occur when systems are pushed to operate beyond the assumptions the designers had in mind, so examine likely scenarios of operation outside the planned environment of the system.

Lastly, think the entire process through, step by step, anticipating what might go wrong, how to prepare for it, and what to do if the worst happens.

Once the hazard list has been compiled, it must be translated into design constraints. This is not a difficult process, and a table from the train door example is shown below.

HAZARD DESIGN CRITERION
Train starts with door open. Train must not be capable of moving with any door open.
Door opens while train is in motion. Doors must remain closed while train is in motion.
Door opens while improperly aligned with station platform. Door must be capable of opening only after train is stopped and properly aligned with platform unless emergency exists (see below).
Door closes while someone is in doorway. Door areas must be clear before door closing begins.
Door that closes on an obstruction does not reopen or reopened door does not reclose. An obstructed door must reopen to permit removal obstruction and then automatically reclose.
Doors cannot be opened for emergency evacuation. Means must be provided to open doors anywhere when the train is stopped for emergency evacuation.

Notice that the design constraints derived from the hazard list do not delve in the mechanisms to conform with the design constraints. The design constraints are merely an expression of properties the system must have to eliminate or control the hazards in the hazard list. Another example, for part of an air traffic control system, is shown in the table below.

Hazards Requirements/Constraints

1. A pair of controlled aircraft violate minimum separation standards.

1a. ATC shall provide advisories that maintain safe separation between aircraft.

1b. ATC shall provide conflict alerts.

2. A controlled aircraft enters an unsafe atmospheric region. (icing conditions, wind shear areas, thunderstorm cells)

2a. ATC must not issue advisories that direct aircraft into areas with unsafe atmospheric conditions.

2b. ATC shall provide weather advisories and alerts to flight crews.

2c. ATC shall warn aircraft that enter an unsafe atmospheric region.

3. A controlled aircraft enters restricted airspace without authorization.

3a. ATC must not issue advisories that direct an aircraft into restricted airspace unless avoiding a greater hazard.

3b. ATC shall provide timely warnings to aircraft to prevent their incursion into restricted airspace.

4. A controlled aircraft gets too close to a fixed obstacle or terrain other than a safe point of touchdown on assigned runway.

4. ATC shall provide advisories that maintain safe separation between aircraft and terrain or physical obstacles.

5. A controlled aircraft and an intruder in controlled airspace violate minimum separation standards.

5. ATC shall provide alerts and advisories to avoid intruders if at all possible.

6. Loss of controlled aircraft or loss of airframe integrity.

6a. ATC must not issue advisories outside the safe performance envelope of the aircraft.

6b. ATC advisories must not distract or disrupt the crew from maintaining the safety of flight.

6c. ATC must not issue advisories that the pilot or aircraft cannot fly or that degrade the continued safe flight of the aircraft.

6d. ATC must not provide advisories that cause an aircraft to fall below the standard glide path or intersect it at the wrong place.

Hazards, after being identified, must be assessed. Hazards are often ranked on two axes, likelihood and severity. The combination of likelihood and severity creates a ranking for the hazard. See the next two figures for hazard level matrices.

Hazard level assessment can be challenging. There is often no way to determine likelihood, even qualitatively. With the advancing rate of change in technology, systems often involve new technology, creating many unknowns. Fortunately, severity is usually adequate to determine the effort to spend on eliminating or mitigating hazards, and severity is much easier to determine.

System risk assessment is, again, not feasible. It may be possible to establish qualitative criteria to evaluate potential risk. These criteria could be used to make deployment or technology decisions. But this will depend on the system being considered.

An example risk assessment can be found in the AATT (an advanced air traffic system) Safety Criterion:

The introduction of AATT tools will not degrade safety from the current level.

Risk assessment for each tool was based on:

bulletThe severity of worst possible loss associated with the tool
bulletThe likelihood that introduction of the tool would reduce the current safety level of the ATC system.

The following is an example of a severity level classification from a proposed JAA standard:

Class I: Catastrophic
bullet

Unsurvivable accident with hull loss.

Class II: Critical
bullet

Survivable accident with less than full hull loss; fatalities possible

Class III: Marginal
bullet

Equipment loss with possible injuries and no fatalities

Class IV: Negligible
bullet

Some loss of efficiency

bullet

Procedures able to compensate, but controller workload likely to be high until overall system       demand reduced.

bullet

Reportable incident events such as operational errors, pilot deviations, surface vehicle             deviation.

Example likelihood levels are shown below:

bulletUser tasks and responsibilities
Low: Insignificant or no change
Medium: Minor change
High: Significant change
bulletPotential for inappropriate human decision making
Low: Insignificant or no change
Medium: Minor change
High: Significant change
bullet

Potential for user distraction or disengagement from primary task

Low:

Insignificant or no change

Medium: Minor change
High: Significant change

bulletSafety margins
Low: Insignificant or no change
Medium: Minor change
High: Significant change
bulletPotential for reducing situation awareness
Low: Insignificant or no change
Medium: Minor change
High: Significant change
bulletSkills currently used and those necessary to backup and monitor new decision support tools
Low: Insignificant or no change
Medium: Minor change
High: Significant change
bulletIntroduction of new failure modes and hazard causes
Low: New tools have same function and failure modes as system components they are replacing
Medium: Introduced but well understood and effective mitigation measures can be designed
High: Introduced and cannot be classified under medium
bulletEffect of software on current system hazard mitigation measures
Low: Cannot render ineffective
High: Can render ineffective
bulletNeed for new system hazard mitigation measures
Low: Potential software errors will not require
High: Potential software errors could require

All hazards in the system must be entered into a hazard log. A hazard log is essential to any safety effort. The hazard log, part of the safety information system, tracks information about hazards from their initial identification through elimination or control. The hazard log should contain information such as:

bulletSystem, subsystem, unit
bulletDescription
bulletCause(s)
bulletPossible effects, effect on system
bulletCategory (hazard level -- probability and severity)
bulletCorrective or preventative measures, possible safeguards, recommended action
bulletOperational phase when hazardous
bulletResponsible group or person for ensuring safeguards provided.
bulletTests (verification) to be undertaken to demonstrate safety.
bulletOther proposed and necessary actions
bulletStatus of hazard resolution process.

Once the preliminary hazard analysis is complete, and the hazards are entered into the hazard log, system hazard analysis can begin. (Bear in mind that in any development process, there is lots of iteration and skipping around. It simply makes it easier to discuss each step if they are presented in isolation from the others.)

Home Products Services Publications White Papers About Us

Copyright 2003 Safeware Engineering Corporation. All rights reserved