Air Force System Safety Handbook - System Safety Society
3.6 Risk Acceptance.

Risk Acceptability. Accepting risk is a function of both risk assessment and risk management. Risk acceptance is not as simple a matter as it may first appear. Several points must be kept in mind.

(1) Risk is a fundamental reality.
(2) Risk management is a process of tradeoffs.
(3) Quantifying risk doesn't ensure safety.
(4) Risk is a matter of perspective.
Day and night, everywhere we turn, we are surrounded by a multitude of risks, some large and some so minimal that they can easily be overlooked, but all demanding, sooner or later, to be recognized (i.e., assessed) and dealt with (i.e., managed). Risks seem like the invisible radio signals that fill the air around us, some clear and some very faint, but all want to be heard. (16:26)
We view taking risks as foolhardy, irrational, and to be avoided. Training children to avoid risk is an all-important duty of parenthood. Risks imposed on us by others are generally considered to be entirely unacceptable. Unfortunately, life is not like that. Everything we do involves risk. There are dangers in every type of travel, but there are dangers in staying home--40 percent of all fatal accidents occur there. There are dangers in eating—food is probably the most important cause of cancer and of several other diseases—but most people eat more than necessary. There are dangers in breathing—air pollution probably kills at least 10,000 Americans each year, inhaling natural radioactivity is believed to kill a similar number, and many diseases are contracted by inhaling germs. There are dangers in working--12,000 Americans are killed each year in job-related accidents, and probably 10 times that number die from job-related illness. But most alternatives to working are even more dangerous. There are dangers in exercising and dangers in not getting enough exercise. Risk is an unavoidable part of our everyday lives. Truly: Living is Dangerous. (16:26-27)
Realistically, some mishap risk must be accepted. How much is accepted, or not accepted, is the prerogative of management. That decision is affected by many inputs.... As tradeoffs are being considered and the design progresses, it may become evident that some of the safety parameters are forcing higher program risk. From the program manager's perspective, a relaxation of one or more of the established parameters may appear to be advantageous when considering the broader perspective of cost and performance optimization. The program manager frequently will make a decision against the recommendation of his system safety manager. The system safety manager must recognize such management prerogatives. However, the prudent program manager must make his decision whether to fix the identified problem or formally document acceptance of the added risk. An adjustment of the original parameters would be required. Of course, the addition of personnel loss changes the picture considerably. When the program manager decides to accept the risk, the decision must be coordinated with all affected organizations and then documented so that in future years everyone will know and understand the elements of the decision and why it was made. (37:1-7)
Quantitative Assessment. In any discussion of mishap risk management and risk assessment, the question of quantified acceptability parameters arises. While it is not impossible to obtain meaningful results from such a program, care should be exercised so that the program balance is not disturbed. In any high-risk system, there is a strong temptation to rely totally on statistical probability because it looks on the surface like a convenient way to measure safety. Before embarking in this direction, be sure that the limitations and principles of this approach are well understood and that past engineering experience is not ignored. Quantitative acceptability parameters must be well defined, predictable, demonstrable, and above all, useful. They must be useful in the sense that they can be converted easily into design criteria. Many factors fundamental to system safety are not quantifiable. Design deficiencies are not easily examined from a statistical standpoint. Additionally, the danger exists that system safety analysts and managers will become so enamored with the statistics that simpler and more meaningful engineering processes are ignored. Quantification of certain specific failure modes, which depend on one of two system components, can be effective to bolster the decision to accept or correct it. Be careful! Arbitrarily assigning a quantitative measure for a system creates a strong potential for the model to mask a very serious risk. (37:1-8)
In the design of certain high-risk systems such as nuclear power or weapon systems, there is a strong tendency to rely solely on statistical analysis. To program management, this appears reasonable because it provides a convenient medium to express safety in terms to which the uninitiated can relate. One trap for the unwary is the failure of occurrence. On one such program, risks with a probability of occurrence of 10^-42 were considered unacceptable! Let's consider this in terms that we can easily relate to—money. If it can be assumed that a single dollar bill is three thousandths of an inch thick, the probability of selecting that bill from a stack of bills, which is 3 inches high (or 1,000 dollars), is 1 x 10^-3 (or 1 chance in 1,000). One million dollars is a stack 250 feet tall. The chance of selecting that single dollar bill from the stack is now 1 x 10^-6, or one chance in a million. When we go to 1 x 10^-9, or one chance in a billion, our stack is now over 47 miles high. One chance in a trillion--47,000 miles! When we talk in terms of 1 x 10^-42, our stack probably won't fit in the galaxy! The probability of an undesired event approaches one occurrence in many times the life of the universe. The point is that we have to establish realistic, reachable safety goals so that management can make intelligent decisions. In this particular instance, the safety analysis dwelled upon the probability of the impossible, and allowed a single human error, with a probability of occurrence in the range of 1 x 10^-3, to cause a near disaster; mainly, because it was not a quantifiable element. It is doubtful if the decision makers were fully aware of the mishap risks they were accepting but were placated by a large, impressive-looking number. (37:1-9)
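The stack-of-bills illustration and the anecdote of the omitted human error, carried through in code as an added example (this is not the handbook's own material). It takes the bill thickness of three thousandths of an inch and the probabilities from the text; the galaxy diameter used as a reference scale and the three-hazard list are constructed assumptions for illustration only. The second half goes beyond the text's single case: it combines a set of independent hazards and shows how a model containing only the quantified ones under-reports the risk that management is actually accepting.

```python
"""Added example: what a quantitative acceptability target actually means.

The bill thickness (0.003 in) and the 10^-3 ... 10^-42 probabilities come from
the handbook text; the Milky Way diameter and the hazard list are constructed
assumptions for illustration only.
"""
import math
from dataclasses import dataclass

BILL_THICKNESS_IN = 0.003          # handbook assumption: one bill is 3/1000 inch thick
INCHES_PER_FOOT = 12
FEET_PER_MILE = 5280
INCHES_PER_MILE = INCHES_PER_FOOT * FEET_PER_MILE
MILKY_WAY_DIAMETER_MILES = 6.0e17  # assumed reference scale (about 100,000 light-years)


def stack_height_miles(probability: float) -> float:
    """Height, in miles, of the stack of bills from which one specific bill
    would be drawn with the given probability (the stack holds 1/p bills)."""
    if not 0.0 < probability <= 1.0:
        raise ValueError("probability must be in (0, 1]")
    bills = 1.0 / probability
    return bills * BILL_THICKNESS_IN / INCHES_PER_MILE


def fits_in_galaxy(probability: float) -> bool:
    """True if the stack for this probability is shorter than the assumed galaxy diameter."""
    return stack_height_miles(probability) < MILKY_WAY_DIAMETER_MILES


@dataclass(frozen=True)
class Hazard:
    name: str
    probability: float  # per-mission probability of the undesired event
    quantified: bool    # True if the hazard appears in the statistical model


def prob_any(hazards) -> float:
    """Probability that at least one of several independent hazards occurs.

    Uses log1p/expm1 so that a 1e-42 term is not rounded away when it is
    combined with much larger terms."""
    log_none = sum(math.log1p(-h.probability) for h in hazards)
    return -math.expm1(log_none)


def modeled_vs_actual(hazards):
    """Risk the model reports (quantified hazards only) versus the risk once
    the hazards the model left out are included."""
    modeled = prob_any([h for h in hazards if h.quantified])
    actual = prob_any(hazards)
    return modeled, actual


def risk_share(hazards) -> dict:
    """Fraction of the total (rare-event) risk attributable to each hazard."""
    total = sum(h.probability for h in hazards)
    return {h.name: h.probability / total for h in hazards}


# Constructed hazard list mirroring the handbook anecdote: two hazards driven
# to extreme quantified probabilities, and one human error the model omitted.
EXAMPLE_HAZARDS = [
    Hazard("relief valve fails open", 1e-7, quantified=True),
    Hazard("dual-redundant sensor failure", 1e-42, quantified=True),
    Hazard("operator skips interlock step", 1e-3, quantified=False),
]


if __name__ == "__main__":
    for p in (1e-3, 1e-6, 1e-9, 1e-12, 1e-42):
        h = stack_height_miles(p)
        print(f"p={p:g}: stack {h:.4g} miles, fits in galaxy: {fits_in_galaxy(p)}")
    modeled, actual = modeled_vs_actual(EXAMPLE_HAZARDS)
    print(f"model reports {modeled:.2e}, risk actually accepted {actual:.2e}")
    for name, share in risk_share(EXAMPLE_HAZARDS).items():
        print(f"  {share:6.1%}  {name}")
```

The first loop reproduces the handbook's figures (3 inches, 250 feet, about 47 miles, about 47,000 miles) and shows that the 10^-42 stack is many orders of magnitude wider than the assumed galaxy. The hazard comparison makes the handbook's closing point concrete: the unquantified 10^-3 human error accounts for essentially all of the risk, and no amount of effort spent driving the quantified hazards toward 10^-42 changes what management is accepting.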
General risk management principles are: (37:1-9 to 1-10)

a. All human activity involving a technical device or process entails some element of risk.
b. Do not panic at every hazard; there are ways of controlling them.
c. Keep problems in proper perspective.
d. Weigh the risk and make judgments according to your own knowledge, experience, and program need.
e. Encourage other program disciplines to adopt the same philosophy.
f. System operations represent a gamble to some degree; good analysis tilts the odds in favor of the house.
g. System safety analysis and risk assessment does not free us from reliance on good engineering judgment.
h. It is more important to establish clear objectives and parameters for risk assessment than to find a cookbook approach and procedure.
i. There is no "best solution" to a safety problem. There are a variety of directions to go. Each of these directions may produce some degree of risk reduction.