Safety Management in Multidisciplinary Systems. SSRM symposium TA University, 26 October 2011 By Boris Zaets AGENDA

Similar documents
Risk Management Qualitatively on Railway Signal System

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Safety-Critical Systems

Gamma-ray Large Area Space Telescope

SYSTEM SAFETY ENGINEERING AND MANAGEMENT

SYSTEM SAFETY REQUIREMENTS

North Coast Outfitters, LTD. Model SR901RT Multi-Purpose Utility Table SAFETY ASSESSMENT REPORT (SAR)

Purpose. Scope. Process flow OPERATING PROCEDURE 07: HAZARD LOG MANAGEMENT

Safety Critical Systems

Understanding safety life cycles

Safety-critical systems: Basic definitions

Using what we have. Sherman Eagles SoftwareCPR.

DATA ITEM DESCRIPTION Title: Failure Modes, Effects, and Criticality Analysis Report

A study on the relation between safety analysis process and system engineering process of train control system

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Probability Risk Assessment Methodology Usage on Space Robotics for Free Flyer Capture

ALIGNING MOD POSMS SAFETY AND POEMS ENVIRONMENTAL RISK APPROACHES EXPERIENCE AND GUIDANCE

The Safety Case. Structure of Safety Cases Safety Argument Notation

Safety assessments for Aerodromes (Chapter 3 of the PANS-Aerodromes, 1 st ed)

EUROPEAN GUIDANCE MATERIAL ON INTEGRITY DEMONSTRATION IN SUPPORT OF CERTIFICATION OF ILS AND MLS SYSTEMS

PROCEDURE. April 20, TOP dated 11/1/88

1309 Hazard Assessment Fundamentals

Managing for Liability Avoidance. (c) Lewis Bass

FLIGHT TEST RISK ASSESSMENT THREE FLAGS METHOD

A Presentation to the International System Safety Society August 11, 2016 by Gary D. Braman Senior System Safety Engineer Sikorsky Aircraft

Aeronautical studies and Safety Assessment

Marine Risk Assessment

Safety of railway control systems: A new Preliminary Risk Analysis approach

LECTURE 3 MAINTENANCE DECISION MAKING STRATEGIES (RELIABILITY CENTERED MAINTENANCE)

XVII Congreso de Confiabilidad

The Safety Case. The safety case

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

CENELEC GUIDE 32. Guidelines for Safety Related Risk Assessment and Risk Reduction for Low Voltage Equipment. Edition 1,

Safety Standards Acknowledgement and Consent (SSAC) CAP 1395

AUSTRALIA ARGENTINA CANADA EGYPT NORTH SEA U.S. CENTRAL U.S. GULF. SEMS HAZARD ANALYSIS TRAINING September 29, 2011

Safety Risk Assessment Worksheet Title of Risk Assessment Risk Assessment Performed By: Date: Department:

Hazard analysis. István Majzik Budapest University of Technology and Economics Dept. of Measurement and Information Systems

Hazard Identification

D-Case Modeling Guide for Target System

Review and Assessment of Engineering Factors

Workshop Information IAEA Workshop

FP15 Interface Valve. SIL Safety Manual. SIL SM.018 Rev 1. Compiled By : G. Elliott, Date: 30/10/2017. Innovative and Reliable Valve & Pump Solutions

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

1.0 PURPOSE 2.0 REFERENCES

Employ The Risk Management Process During Mission Planning

Gravity Probe-B System Reliability Plan

The Best Use of Lockout/Tagout and Control Reliable Circuits

18-642: Safety Plan 11/1/ Philip Koopman

Why do I need dual channel safety? Pete Archer - Product Specialist June 2018

QUANTIFYING THE TOLERABILITY OF POTENTIAL IGNITION SOURCES FROM UNCERTIFIED MECHANICAL EQUIPMENT INSTALLED IN HAZARDOUS AREAS

Integration of safety studies into a detailed design phase for a navy ship

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Annex 1 to Decision 2009/007/R

To comply with the OHS Act, the responsible manager must carry out and document the following:

ADVISORY MATERIAL JOINT AMJ

Ultima. X Series Gas Monitor

Biomedical Laboratory: Its Safety and Risk Management

DEPARTMENT OF THE NAVY NAVAL AIR SYSTEMS COMMAND RADM WILLIAM A. MOFFEIT BUILDING BUSE ROAD, BLDG 2272 PATUXENT RIVER, MARYLAND,

This manual provides necessary requirements for meeting the IEC or IEC functional safety standards.

Implementing IEC Standards for Safety Instrumented Systems

Pneumatic QEV. SIL Safety Manual SIL SM Compiled By : G. Elliott, Date: 8/19/2015. Innovative and Reliable Valve & Pump Solutions

SEMS II: BSEE should focus on eliminating human error

Policy for Evaluation of Certification Maintenance Requirements

SPR - Pneumatic Spool Valve

Solenoid Valves For Gas Service FP02G & FP05G

Vector to ZERO: HAZARD HUNT. 2. Mission/Task: 3. Begin Date: 4. End Date: 5. Date Prepared: 10. Develop Controls 11. Residual Risk Level

Eutectic Plug Valve. SIL Safety Manual. SIL SM.015 Rev 0. Compiled By : G. Elliott, Date: 19/10/2016. Innovative and Reliable Valve & Pump Solutions

Hands-On System Safety Basics, Focused on FHA

HS329 Risk Management Procedure

Determination of Safety Level for the Train Protection System at Ringbanen in Copenhagen

New Thinking in Control Reliability

Safe High Pressure Water Washing (HPWW) Requirement

DeZURIK. KSV Knife Gate Valve. Safety Manual

Process Safety Management Of Highly Hazardous Chemicals OSHA 29 CFR

Hydraulic (Subsea) Shuttle Valves

Calibration Requirements for Direct Reading Confined Space Gas Detectors

IIUM EVENT SAFETY RISK ASSESSMENT

CHAPTER 28 DEPENDENT FAILURE ANALYSIS CONTENTS

Advisory Circular (AC)

PIQCS HACCP Minimum Certification Standards

OIL & GAS. MTS DP Committee. Workshop in Singapore Session 4 Day 2. Unwanted Thrust

Engineering Safety into the Design

Software Safety Hazard Analysis

DeZURIK. KGC Cast Knife Gate Valve. Safety Manual

Job Hazard Analysis (JHA) What is Job Hazard Analysis (JHA)?

-JHA- Job. For Science and Engineering. Hazard Assessment

DeZURIK Double Block & Bleed (DBB) Knife Gate Valve Safety Manual

Solenoid Valves used in Safety Instrumented Systems

Failure modes and models

Bespoke Hydraulic Manifold Assembly

STCP 08-2 Issue 004: Circuit Live Trip & DAR Tests

3. Real-time operation and review of complex circuits, allowing the weighing of alternative design actions.

Hazard Identification

Workshop to Generate Guidelines For the Implementation of: 1 - Step 1 of State Safety Program (SSP) and 2 - Phases 1 & 2 of ICAO SMS

Release: 1. UEPOPL002A Licence to operate a reciprocating steam engine

Safety manual for Fisher GX Control Valve and Actuator

Safety Requirement Specification

Transcription:

Safety Management in Multidisciplinary Systems SSRM symposium TA University, 26 October 2011 By Boris Zaets 2008, All rights reserved. No part of this material may be reproduced, in any form or by any means, without permission in writing from RAM CRAFT Ltd. 1 AGENDA 1 Introduction 2 Safety standards and guidelines 4 System Safety Management 5 Safety Targets Definition and Allocation 6 Safety Analysis Technique 2 1

REFERENCES Military MIL-STD-882C System Safety Program Requirements MIL-STD-882D Standard Practice for System Safety UK DEF STAN 00- Safety Management Requirements for Defence Systems Defence 56, Issue 4 SAE ARP4761 Guidelines and Methods for Conducting the Safety Assessment Process on Civil Airborne System and Equipment NATO STANAG 4671 Unmanned Aerial Vehicles Systems Airworthiness Requirements (USAR) DO-254 Design Assurance Guidance For Airborne Electronic RTCA, Inc. Hardware DO-178 Software Considerations in Airborne Systems and Equipment Certification CENELEC EN 50126 Railway applications: Systematic Allocation of Safety Integrity Requirements 3 DEFINITIONS Safety: Freedom from those conditions that can cause death, injury, occupational illness, or damage to or loss of equipment or property, or damage to the environment Mishap: An unintended event, or sequence of events, that causes death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment Hazards: A physical situation, or state of a system, often following from some initiating event, that may lead to an Mishap Failure Condition Hazard Mishap 4 2

DEFINITIONS (cont.) System Safety Concept is the application of special technical and managerial skills to the systematic, forward looking identification and control of hazards throughout the life cycle of project, program or activity Safety Management: The application of organizational and management principles in order to achieve safety with high confidence. Risk Management is a process of ensuring that hazard and potential accidents are identified and managed, and is a process managed within the Safety Management System Safe does not imply that there is an absence of risk, but that the risk has been demonstrably reduced to a level that is Broadly Acceptable or Tolerable. 5 Safety Management Activities Identify all safety legislation, regulations, standards and particular requirements relevant to the safety of the system Define the system, its boundaries and its operating environment. The definition of the system shall include all relevant elements that constitute the system. Produce the Safety Management & Program Plans 6 3

Risk Management Activities Hazards and Mishaps (accidents) Identification Hazard Analysis Risk Estimation Risk Reduction Risk Acceptance 7 Mishap Criteria Categories Description Category Definition Catastrophic I Could result in death, permanent total disability, loss exceeding $1M, or irreversible severe environmental damage that violates law or regulation. Critical II Could result in permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, loss exceeding $200K but less than $1M, or reversible environmental damage causing a violation of law or regulation. Marginal III Could result in injury or occupational illness resulting in one or more lost work days (s), loss exceeding $10K but less than $200K, or mitigatible environmental damage without violation of law or regulation where restoration activities can be complished. Negligible IV Could result in injury or illness not resulting in a lost work day, loss exceeding $2K but less than $10K, or minimal environmental damage not violating law or regulation. 8 4

Safety Objectives Example A set of safety requirements for a system will include requirements that directly relate to compliance with safety legislative, regulations, standards or customer policy, contractual requirements, and requirements that are derived from other safety requirements. SEVERITY Level Probability PROBABILITY Range Catastr. I Critical II Marginal III Negligible IV FREQUENT A x>10-1 1 3 7 13 PROBABLE B 10-2 <x<10-1 2 5 9 16 OCCASIONAL C 10-3 <x<10-2 4 6 11 18 REMOTE D 10-5 <x<10-3 8 10 14 19 IMPROBABLE E x<10-5 12 15 17 20 9 General System Safety Design Requirements - Example Eliminate identified hazards or reduce associated risk through design, including material selection or substitution. When potentially hazardous materials must be used, select those with least risk throughout the life cycle of the system. Locate equipment so that access during operations, servicing, maintenance, repair, or adjustment minimizes personnel exposure to hazards (e.g., hazardous chemicals, high voltage, electromagnetic radiation, cutting edges, or sharp points). Minimize risk resulting from excessive environmental conditions (e.g., temperature, pressure, noise, toxicity, acceleration and vibration). Design to minimize risk created by human error in the operation and support of the system. Consider alternate approaches to minimize risk from hazards that cannot be eliminated. Such approaches include interlocks, redundancy, fail safe design, system protection, fire suppression, and protective clothing, equipment, devices, and procedures. Protect the power sources, controls and critical components of redundant subsystems by physical separation or shielding. 10 5

Unacceptable Conditions - Example Single component failure, common mode failure, human error, or a design feature that could cause a mishap of Catastrophic or Critical mishap severity categories. Dual independent component failures, dual independent human errors, or a combination of a component failure and a human error involving safety critical command and control functions, which could cause a mishap of Catastrophic or Critical mishap severity categories. Generation of hazardous radiation or energy, when no provisions have been made to protect personnel or sensitive subsystems from damage or adverse effects. Packaging or handling procedures and characteristics that could cause a mishap for which no controls have been provided to protect personnel or sensitive equipment. Hazard categories that are specified as unacceptable in the development agreement. 11 Safety Assessment Process SAFETY REQUIREMENTS Preliminary Hazard List (PHL) SYSTEM SAFETY PROGRAM PLAN Preliminary Hazard Analysis (PHA) PHA Report System Hazard Analysis (SHA) System Change Hazard Analysis SHA Report S A R Operation & Support Hazard Analysis O&SHA Report Corrective Action and Mitigation Risk Estimation Safety Verification 12 6

System Safety Program Plan System Safety Programme Plan (SSPP) is the principal methodology for managing the achievement of the safety requirements. The SSPP shall include the following: Program scope and objectives System safety organization System safety program milestones Life Cycle phases General system safety requirements and criteria Hazard analysis techniques, format and depth System safety data Safety verification Audit program Training System safety interfaces 13 Functional Hazard Assessment Functional Hazard Assessment (FHA) is systematic examination of functions to identify and classify failure conditions of those functions according to their severity and it is performed in the early phases of the design. The FHA should identify the failure conditions for each phase of system life when the failure effect and classification vary from one phase to another. The FHA also establishes derived safety requirements needed to mitigate the function failure effects, which effect failure condition classification. As a result of FHA, the Hazard identification will be performed. This will create Preliminary Hazard List (PHL) and provides the basis for the initial Hazard Log. 14 7

FHA Example 15 Preliminary Hazard Analysis Preliminary Hazard Analysis (PHA) is a high level analysis of the functions of the system based on an appraisal of the system by a team with different areas of expertise, centred on What if? questions. It should consider all relevant available data, including the accident and incident data from similar systems recorded in the PHL Report. Preliminary Hazard Analysis (PHA) should identify failures contributing to the Hazards identified from the FHA. PHA is used to complete the failure conditions list and the corresponding safety requirements. It is also used to demonstrate how the system will meet the qualitative and quantitative requirements for various hazards identified PHA will include preliminary risk assessment and the proposed/ implemented mitigations PHA should be performed as early as possible during the system lifecycle in order to obtain maximum benefit. 16 8

PHA Example - Engine Cut in Flight System Phase Flight Effect of Hazard No propulsion, followed by Emergency Recovery Hazard cause Engine malfunction Fuel system malfunction Oil system malfunction Item Identification Fuel System, Oil System, Power system, Throttle actuator, Main Computer Risk assessment Severity: Critical Probability: Probable Hazard Indication BIT Mitigation Method Redundancy of Throttle actuator Redundancy of Propulsion sensors (RPM, Crank position, temperature, fuel level, oil level) Redundancy of fuel pumps Redundancy of relevant Power rails Redundancy of fuel pressure filters Redundancy of Central Computer 17 System Hazard Analysis System Hazard Analysis (SHA) is performed to refine and extend the identification and causes of hazards and accident sequences from the previous analyses, by consideration of the abstract functions of the system and subsequently the components that implement them. The difference between PHA and SHA is that a PHA is a method to evaluate proposed architectures and derive system/subsystem safety requirements; whereas the SHA is a verification that the implemented design meets both the quantitative and qualitative safety requirements defined in FHA and PHA. SHA is an iterative process that evolves throughout the program The SHA will comprise the results of activities stated in this SPP and in R&M Programme Plan. This will include: Failure Modes Effects and Criticality Analysis (FMECA). Fault Tree Analysis (FTA) Common Cause Analysis (CCA) 18 9

FTA Example Tree231 HAZ137 Drift off runway 4.22e-006 OR Tree1005-6 Arresting system malfunction 3.9e-006 Tree1005-5 Landing gears malfunction 3.04e-007 Tree231-5 Ground Roll Control malfunction 1.74e-008 OR Tree231-5-2 Both Position Control mode malfunction 2.22e-016 AND Tree237-1 VMSC HW failure 1.74e-008 Tree269-5-4-3 TOL Manual Disco Control mode malfunction 0.001 Tree231-5-2-1 Erroneous position identification in ATOL mode 1.83e-013 AND Tree225-1-1 Tree225-1-2 Erroneous position Erroneous position identification by identification by GPS ATOLS 3.57e-009 5.12e-005 19 FMECA Reference Document: MIL-STD-1629 - Failure Mode, Effect and Criticality Analysis (FMECA) FMECA is applied at the functional block level (or component level if required) and proceeds through increasing hierarchical levels (bottomup approach) until analysis is completed at System level. Ground rules and assumptions: Only one failure at a time in the analyzed unit is assumed. All input signals are assumed to be undistorted and all potential failures are supposed to be created by malfunction of the given functional block only. EE 1 System EE 2 1 2 3 NHE FM 1 FM 2 20 10

Operating and Support Hazard Analysis Operating and Support Hazard Analysis (O&SHA) consists of the identification and analysis of hazardous activities, or carried out under hazardous conditions, associated with the operation and support of sub-systems and equipment during various stages of the lifecycle. O&SHA evaluates hazardous tasks undertaken by operation and support staff during phases such as storage, transportation and operation of the system. O&SHA covers the hazards caused by system operation and have an impact on ground personnel and/or environment. O&SHA takes into account human failures 21 O&SHA Example: Inadvertent Laser Fire Turnaround Phase Background Hazard Description Effect of Hazard Hazard Cause Item Identification Preflight During preflight testing the Laser is activated according to LASER test procedure. Unintended Laser firing could expose operational personnel to radiation hazards. Laser activation may present a hazard to personnel and flammable materials. Laser activation must be at quite low power levels because the available power is concentrated into beams of very small cross sectional area The hazard to personnel is burning of the area of the body exposed to the radiation. The major hazard is eye damage, which may arise not only by direct illumination but also by reflected radiation. Possible hazard causes are human error or/and malfunction of safety interlock and HW/SW safety keys TE, PCDU, Central Computer, Mission Computer, Payload 22 11

Rational for Safety Assessment Risk Assessment Hazard Indication Mitigation Method O&SHA Example: Inadvertent Laser Fire Inadvertent Laser fire can happen as a result of safety margin reduction caused by single event or combination of several events: Inadvertent Laser Power ON. Inadvertent Laser Fire Command Inadvertent Laser Trigger Enable Severity: II Probability: Incredible Risk: Acceptable Hazard indication by BIT Laser Fire shall be performed only if the following conditions shall be fulfilled: Safe provisions of Laser Power by simultaneous activation of UAV Master Arm and Flight Tester Master Arm commands Laser Trigger Enable Laser Fire Command Application of Guard Payload cover during Payload test Usage of Warning labels and Safety goggles for operational personnel Adequate communication between Ground station and UAV operators 23 Safety Assessment The purpose of Safety Assessment is to perform and document a comprehensive evaluation of the mishap risk being assumed prior to test or operation of a system. Safety Assessment Report (SAR) summarizes the safety assessment activity. 24 12

RAMS Data Flow and Interfaces RAMS Program Plan FRACAS Reliability Prediction Maintainability Analysis System R&M Modeling and Analysis Safety Analysis FMECA Testability Analysis 25 13

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback