Air Force System Safety Handbook - System Safety Society

More documents

Recommendations

Info

1.1 Definitions: System Safety and Safety System. To employ the concepts of system safety, it is necessary to understand what system safety is and what system safety strives to do. The ultimate objective of any organization within the Air Force is maximizing combat capability. One element in this maximizing process is protecting and conserving combat weapon systems and their support equipment. Preventing mishaps and reducing system losses is one important aspect of conserving these resources. System safety contributes to mishap prevention by minimizing system risks due to hazards consistent with other cost, schedule, and design requirements. The fundamental objective of system safety is to identify, eliminate or control, and document system hazards. This hierarchy of goals, illustrated in Figure 1-1, is the crucial framework for defining system safety. (41:15) Figure 1-1 MAX COMBAT CAPABILITY CONSERVE COMBAT RESOURCES PREVENT/MITIGATE MISHAP LOSSES EVALUATE AND MINIMIZE SYSTEM RISKS IDENTIFY, CONTROL, AND DOCUMENT SYSTEM HAZARDS System Safety Goals System Safety. The application of engineering and management principles, criteria, and techniques to optimize all aspects of safety within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle. System. A composite, at any level of complexity, of personnel, procedures, materials, tools, equipment, facilities, and software. The elements of this composite entity are used together in the intended operational or support environment to perform a given task or achieve a specific production, support, or mission requirement. Safety. Freedom from those conditions that can cause death, injury, occupational illness, or damage to or loss of equipment or property, or damage to the environment. (30:3) CHAPTER 1 INTRODUCTION TO SYSTEM SAFETY 1 Some clarifications are needed with these definitions. Absolute safety is not possible because complete freedom from all hazardous conditions is not possible. Therefore, safety is a relative term that implies a level of risk that is both perceived and accepted. You will also note that “system” is also a relative term. A subsystem is a system itself with predetermined boundaries. System safety is not an absolute quantity either. System safety is an optimized level of risk that is constrained by cost, time, and operational effectiveness (performance). System safety requires that risk be evaluated and the level of risk accepted or rejected by an authority. This is the basic origin of system safety’s requirement for both engineering and management functions. Finally, system safety is a discipline employed from the initial design steps through system demilitarization or disposal (a.k.a. “cradle to grave or “womb to tomb”). 1.2 System Safety Objectives. A safe system is achieved through the implementation and careful execution of a system safety program. As stated previously, the ultimate objective of system safety is MAXIMIZED COMBAT CAPABILITY. The objectives of a system safety program are to ensure: (30:2) a. Safety, consistent with mission requirements is designed into the system in a timely, cost-effective manner. b. Hazards are identified, evaluated, and eliminated, or the associated risk reduced to a level acceptable to the managing activity (MA) throughout the entire life cycle of a system. c. Historical safety data, including lessons learned from other systems, are considered and used. d. Minimum risk is sought in accepting and using new designs, materials, and production and test techniques. e. Actions taken to eliminate hazards or reduce risk to a level acceptable to the MA are documented. f. Retrofit actions are minimized. g. Changes in design, configuration, or mission requirements are accomplished in a manner that maintains a risk level acceptable to the MA. h. Consideration is given to safety, ease of disposal, and demilitarization of any hazardous materials associated with the system. i. Significant safety data are documented as “lessons learned” and are submitted to data banks, design handbooks, or specifications. j. Hazards identified after production are minimized consistent with program restraints.
1.3 Need for System Safety. Why is system safety needed? The most obvious answer is it’s too expensive not to have a system safety program. In the mid-1950s, Air Force aircraft mishap rates were over 10 per 100,000 flight hours and annual losses were around $100 million. Mishap rates in the late 1980s were drastically reduced to less than 2 per 100,000 flight hours, but the cost of the annual losses was rapidly approaching a billion dollars (Figure 1-2). The number of design failures is hard to determine. Approximately one-third were due to logistics 20 15 10 5 0 CLASS A FLIGHT MISHAP RATE vs. ANNUAL COST Rate per 100,000 Hours Annual Loss ($ Hundred Million) 55 65 75 85 95 98 YEAR Figure 1-2 factors, but only a portion of the logistics factors were actually a design problem. Of the two-thirds that were caused by operations factors, some human factors design issues were also a problem. (42:1-2) There is also an associated loss of combat capability. The approximately 50 aircraft lost in 1989 represent assets of an entire fighter wing. Considering the relatively small size of the B-1 or B-2 fleets, one aircraft loss represents a real loss in combat capability. With fewer new weapons programs being initiated and the cost of these new systems increasing significantly, any loss or major damage may very well threaten the continuation of the weapons program. System safety programs are also a response to ethical demands made by society on industry in general. Engineers have a special responsibility in this social context. The engineers are involved with high-energy sources, hazardous materials, and new technologies that offer both tremendous benefits to society and the potential for catastrophic accidents. They have a special proximity to design problems. Their potential contribution is unique and irreplaceable. Because of their special training and their involvement in the design, they are best qualified to clarify the technical issues. They can define the risks involved and give the best available estimates of the costs of reducing or eliminating those risks. They are the first to see and to evaluate the dangers and risks of the technology. They work with and evaluate the systems while they are still in the design stage and are in a position to recognize potential dangers while something can still be done about them. Finally, engineers can propose and explore alternatives to the current technology that might avoid some problems altogether. (12:2-3) Although engineers are usually strong influences in risk assessment decisions, there are other forces at play. Engineering professional societies, organized public advocacy groups, 2 and political groups make their own demands on engineers to address technical and ethical safety issues. Public law, military regulations, standards, and specifications also address safety concerns. Corporate policy and actions have tremendous influence in safety issues as profits, continued contract awards, and corporate image are at stake. (12:3-6) Besides the cost of mishaps and ethical considerations, there is also a need to reduce the cost of modifications that result from design shortfalls. It is difficult to identify precisely the cost of safety modifications. Using available data, it is conservatively estimated that at least $110 million was spent on 66 safety changes for the F-14 from 1973 to 1982. For the F-15, only the engineering change proposal costs were readily available. Those amounted to approximately $40 million for 35 safety modifications. Despite the difficulty in obtaining accurate safety modification cost data, safety modifications appear to add at least 15-20 percent to the reported costs of accidents. They, like the accidents themselves, represent quite a cost-saving target for system safety. (33:1-3) 1.4 System Safety Costs. (6:1-4 to 1-6) How much does a system safety program cost? The implication of that question is whether system safety is worth the expense. Costs of system safety programs are quite small in proportion to contract costs. The contractor part of the F-14 system safety program was only about $5 million for 10 years (less than one-third of the cost of an airplane today). A really large program (e.g., B-1B) might have 30-40 government and contractor people involved at a peak period. Most programs need only one or two system safety personnel in the government program office and four or five at the peak of the contractor’s effort. One person can monitor several subsystem programs simultaneously. Clearly, the saving of just one aircraft by a system safety program pays for that program many times over. A specific assessment of system safety payoff is difficult at best. One can hardly “measure” something that does not happen such as an accident that has been prevented. Approaches other than absolute measurement can be significant as long as a reasonableness test is applied. Data concerning material failures accidents could be compared on a relative basis. Through 1981, the F-4 and F-14 aircraft had somewhat similar missions in the Navy. The F-4 did not have a formal system safety program, but the F-14 airframe did. Cumulative material failure accidents for the F-4 occurred at a rate of 9.52/100,000 hours. The comparable F-14 rate was 5.77/100,000 hours. These data do not “prove” the merit of a system safety program, however. Other factors such as differences in the state of the art applied in each program, different operational environments, design environments, and different contractors probably contributed to the difference between the F-4 and F-14 accident rates. Another way of assessing the payoff of system safety is to examine case histories. Examples abound where system safety personnel identified hazards, which were corrected before accidents occurred. Some examples are: • During the design of the F-18, fire hazard was minimized when a system safety engineer convinced program decision makers that a proposed increase in allowable bleed air duct temperature was dangerous and that a similar hazard could be avoided by ensuring that the bleed air shutoff valve closed when power was removed. • During a modification to the B-52, a system safety engineer noted that if the front lugs of the air launched cruise missile attachment retracted but the rear ones did not, parts of the pylon would tear from the wing and, together
Page 1 and 2: “designing the safest possible sy
Page 3 and 4: Chapter Page Forward ..............
Page 5 and 6: Fig # Title Page 1-1 System Safety
Page 7 and 8: Acceptable Risk. That part of ident
Page 9: Articles/Papers REFERENCES 1. Cleme
Page 13 and 14: integrated with other factors that
Page 15 and 16: Figure 1-4 SYSTEM SAFETY OBJECTIVES
Page 17 and 18: 9. Nature and severity of hazards u
Page 19 and 20: CONCEPT EXPLORATION • Evaluate sy
Page 21 and 22: CONSTRUCTION (facilities) • Ensur
Page 23 and 24: existing levels of system safety an
Page 25 and 26: (a) Provides risk assessments to SA
Page 27 and 28: Block 5--Increased Safety Awareness
Page 29 and 30: 3.1 Definitions. System safety is a
Page 31 and 32: 3.4 Mishap Severity Categories and
Page 33 and 34: FREQUENCY OF OCCURRENCE Figure 3-5
Page 35 and 36: j. To point out to a designer how h
Page 37 and 38: g. Ensure that the appropriate syst
Page 39 and 40: Figure 4-1 FUNCTIONS OF SAFETY ORGA
Page 41 and 42: An explosive safety program encompa
Page 43 and 44: Quality assurance establishes polic
Page 45 and 46: safety requirements have been impos
Page 47 and 48: instead uses the tailoring process
Page 49 and 50: 5.1 SSPP--Task 102. (Note: Task num
Page 51 and 52: This section of the plan contains t
Page 53 and 54: program tasking should be sufficien
Page 55 and 56: h. Develop a method of exchanging s
Page 57 and 58: 7.1 Analyses. (28:39-40) Role of An
Page 59 and 60: d. Any other events, that considera
Page 61 and 62:
CONCEPT STUDIES (PHL) SYSTEM SAFETY
Page 63 and 64:
design specifications. In addition,
Page 65 and 66:
a. Of the modes of failure, includi
Page 67 and 68:
. Potential material substitutions
Page 69 and 70:
are identified, monitored, and comp
Page 71 and 72:
9.1 Fault Hazard Analysis. (33:47-4
Page 73 and 74:
The SCA of military systems has inc
Page 75 and 76:
doors, sunglasses, machine guards,
Page 77 and 78:
Checklists)? There are others, such
Page 79 and 80:
not directly provide useful informa
Page 81 and 82:
c. Procedures, manuals, etc. These
Page 83 and 84:
shutdown. This is a relatively smal
Page 85 and 86:
c. Perform or update the PHA done d
Page 87 and 88:
(2) Adequate safety provisions are
Page 89 and 90:
11.1 Program Office Description. A
Page 91 and 92:
management officer (DMO) is usually
Page 93 and 94:
Once the details of these tasks are
Page 95 and 96:
arrangements, an assessment of the
Page 97 and 98:
f. Assist the contractors in making
Page 99 and 100:
12.1 Contracting Principles. (34:6-
Page 101 and 102:
A SOO is attached to an RFP to spec
Page 103 and 104:
Type E - Material Specifications Ty
Page 105 and 106:
Type A--System/Segment Specificatio
Page 107 and 108:
13.1 Process. CHAPTER 13 EVALUATING
Page 109 and 110:
ascertain if the safety requirement
Page 111 and 112:
Develop and prepare program plans a
Page 113 and 114:
The contractor SSPP will be updated
Page 115 and 116:
Facility safety design criteria is
Page 117 and 118:
10. Skill in written and oral commu
Page 119 and 120:
eflect the local concern for operat
Page 121 and 122:
c. Review equipment installation, o
Page 123 and 124:
15.1 Acceptable/Unacceptable Risk.
Page 125 and 126:
FACILITIES SYSTEM SAFETY INDUSTRIAL
Page 127 and 128:
15.3 Biomedical Safety. (37:Chapter
Page 129 and 130:
• Mishap Class/system identificat
Page 131 and 132:
c. A Nuclear Safety Cross-check Ana
Page 133 and 134:
17.1 General. There are many variat
Page 135 and 136:
characteristics are under configura
Page 137 and 138:
The AFMC supplement to AFI-91-202 p
Page 139 and 140:
TRB DEFICIENCY REPORTS MISHAP REPOR
Page 141 and 142:
these elements should be investigat
Page 143 and 144:
The modification risk-assessment su
Page 145 and 146:
20.1 General. Test and Evaluation (
Page 147 and 148:
Development of these scenarios crea
Page 149 and 150:
isk, or to stop the test until the
Page 151 and 152:
Figure A-1. Mission Requirements/El
Page 153 and 154:
• Capability (task loading) • O
Page 155 and 156:
preliminary hazard list. The major
Page 157 and 158:
• System Hazard Analysis • Oper
Page 159 and 160:
sensitivity analysis. Here, an asse
Page 161:
(5) Revising Maintenance Requiremen
show all

Air Force System Safety Handbook - System Safety Society

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?