Air Force System Safety Handbook - System Safety Society

More documents

Recommendations

Info

3.6 Risk Acceptance. Risk Acceptability. Accepting risk is a function of both risk assessment and risk management. Risk acceptance is not as simple a matter as it may first appear. Several points must be kept in mind. (1) Risk is a fundamental reality. (2) Risk management is a process of tradeoffs. (3) Quantifying risk doesn’t ensure safety. (4) Risk is a matter of perspective. Day and night, everywhere we turn, we are surrounded by a multitude of risks, some large and some so minimal that they can easily be overlooked, but all demanding, sooner or later, to be recognized (i.e., assessed) and dealt with (i.e., managed). Risks seem like the invisible radio signals that fill the air around us, some clear and some very faint, but all want to be heard. (16:26) We view taking risks as foolhardy, irrational, and to be avoided. Training children to avoid risk is an all-important duty of parenthood. Risks imposed on us by others are generally considered to be entirely unacceptable. Unfortunately, life is not like that. Everything we do involves risk. There are dangers in every type of travel, but there are dangers in staying home--40 percent of all fatal accidents occur there. There are dangers in eating—food is probably the most important cause of cancer and of several other diseases—but most people eat more than necessary. There are dangers in breathing—air pollution probably kills at least 10,000 Americans each year, inhaling natural radioactivity is believed to kill a similar number, and many diseases are contracted by inhaling germs. There are dangers in working--12,000 Americans are killed each year in job-related accidents, and probably 10 times that number die from job-related illness. But most alternatives to working are even more dangerous. There are dangers in exercising and dangers in not getting enough exercise. Risk is an unavoidable part of our everyday lives. Truly: Living is Dangerous. (16:26-27) Realistically, some mishap risk must be accepted. How much is accepted, or not accepted, is the prerogative of management. That decision is affected by many inputs....As tradeoffs are being considered and the design progresses, it may become evident that some of the safety parameters are forcing higher program risk. From the program manager’s perspective, a relaxation of one or more of the established parameters may appear to be advantageous when considering the broader perspective of cost and performance optimization. The program manager frequently will make a decision against the recommendation of his system safety manger. The system safety manager must recognize such management prerogatives. However, the prudent program manager must make his decision whether to fix the identified problem or formally document acceptance of the added risk. An adjustment of the original parameters would be required. Of course, the addition of personnel loss changes the picture considerably. When the program manager decides to accept the risk, the decision must be coordinated with all affected organizations and then documented so that in future years everyone will know and understand the elements of the decision and why it was made. (37:1-7) Quantitative Assessment. In any discussion of mishap risk management and risk assessment, the question of quantified acceptability parameters arises. While it is not impossible to obtain meaningful results from such a program, care should be exercised so that the program balance is not disturbed. In any high-risk system, there is a strong temptation to rely totally on statistical probability because it looks on the surface like a convenient way to measure safety. Before embarking in 25 this direction, be sure that the limitations and principles of this approach are well understood and that past engineering experience is not ignored. Quantitative acceptability parameters must be well defined, predictable, demonstrable, and above all, useful. They must be useful in the sense that they can be converted easily into design criteria. Many factors fundamental to system safety are not quantifiable. Design deficiencies are not easily examined from a statistical standpoint. Additionally, the danger exists that system safety analysts and managers will become so enamored with the statistics that simpler and more meaningful engineering processes are ignored. Quantification of certain specific failure modes, which depend on one of two system components, can be effective to bolster the decision to accept or correct it. Be careful! Arbitrarily assigning a quantitative measure for a system creates a strong potential for the model to mask a very serious risk. (37:1-8) In the design of certain high-risk systems such as nuclear power or weapon systems, there is a strong tendency to rely solely on statistical analysis. To program management, this appears reasonable because it provides a convenient medium to express safety in terms to which the uninitiated can relate. One trap for the unwary is the failure of occurrence. On one such program, risks with a probability of occurrence of 10 -42 were considered unacceptable! Let’s consider this in terms that we can easily relate to—money. If it can be assumed that a single dollar bill is three thousandths of an inch thick, the probability of selecting that bill from a stack of bills, which is 3 inches high (or 1,000 dollars), is 1 X 10 -3 (or 1 chance in 1,000). One million dollars is a stack 250 feet tall. The chance of selecting that single dollar bill from the stack is now 1 X 10 -6 or one chance in a million. When we go to 1 X10 -9 , or one chance in a billion, our stack is now over 47 miles high. One chance in a trillion--47,000 miles! When we talk in terms of 1 X 10 -42 our stack probably won’t fit in the galaxy! The probability of an undesired event approaches one occurrence in many times the life of the universe. The point is that we have to establish realistic, reachable safety goals so that management can make intelligent decisions. In this particular instance, the safety analysis dwelled upon the probability of the impossible, and allowed a single human error, with a probability of occurrence in the range of 1 X 10 -3 , to cause a near disaster; mainly, because it was not a quantifiable element. It is doubtful if the decision makers were fully aware of the mishap risks they were accepting but were placated by a large, impressive-looking number. (37:1-9) General risk management principles are: (37:1-9 to 1-10) a. All human activity involving a technical device or process entails some element of risk. b. Do not panic at every hazard; there are ways of controlling them. c. Keep problems in proper perspective. d. Weigh the risk and make judgments according to your own knowledge, experience, and program need. e. Encourage other program disciplines to adopt the same philosophy. f. System operations represent a gamble to some degree; good analysis tilts the odds in favor of the house. g. System safety analysis and risk assessment does not free us from reliance on good engineering judgment. h. It is more important to establish clear objectives and parameters for risk assessment than to find a cookbook approach and procedure. i. There is no “best solution” to a safety problem. There are a variety of directions to go. Each of these directions may produce some degree of risk reduction.
j. To point out to a designer how he can achieve a safety goal is much more effective than to tell him his approach will not work. k. Safety is a condition which seldom can be achieved totally in a practical manner. l. There are no “safety problems” in system planning or design. There are only engineering or management problems which, if left unresolved, can cause mishaps. Risk Perspectives. When talking about risks, we always have to distinguish between three different standpoints: 1. Standpoint of an INDIVIDUAL exposed to a hazard. An individual exposed to a hazard is primarily concerned with the questions: How large is the probability that I will be killed or injured in an accident? How much does my individual risk due to this hazard increase my normal fatality rate? In order to account for this standpoint in a risk analysis, it is therefore necessary to introduce the so-called INDIVIDUAL RISK defined as the (usually annual) probability that an identified person will be killed or injured as a consequence of an accident. 2. Standpoint of the SOCIETY. Besides being interested in guaranteeing minimum individual risk for each of its members, society is concerned about the total risk to the general public: How large are the total losses (e.g., per year) from a hazardous activity? To describe this standpoint, the aforementioned definition of risk as the expected damage of an activity applies. In the following, this risk, describing the standpoint of society, will be called the real COLLECTIVE RISK. If expressed in terms of annual risks, it corresponds to the respective value shown in actual accident statistics. Figure 3-7 26 3. Standpoint of the INSTITUTION RESPONSIBLE FOR THE ACTIVITY. The institution responsible for an activity can be a private company or a government agency. From their point of view, it is not only essential to keep individual risks of employees or other persons and the collective risk at a minimum. An institution’s concern is also to avoid catastrophic and spectacular accidents. As experience clearly demonstrates (Bhopal, Seveso, Challenger, etc.), such catastrophic accidents damage the reputation, the image, and even the prosperity of the, institution responsible for the activity. (13:9) 3.7 Residual Risk. The PM must know what residual risk exists in the system being acquired. For significant hazards, the PM is required to raise residual risk to higher levels of authority such as the Program Executive Officer or Air Force Acquisition Executive for action or acceptance. This requirement causes the contractor to document the actions taken within the scope of the contract. The PM may be able to apply additional resources or other remedies to help the contractor satisfactorily resolve the issue. If not, the PM can add his position to the contractors information and forward the matter to a higher decision level. Figure 3-7 is an example of a decision authority based on the hazard risk index. EXAMPLE DECISION AUTHORITY MATRIX FOR RESIDUAL RISK FREQUENT PERIODIC OCCASIONAL REMOTE IMPROBABLE CATASTROPHIC HIGH HIGH HIGH SERIOUS MEDIUM CRITICAL HIGH HIGH SERIOUS MEDIUM MEDIUM MARGINAL SERIOUS SERIOUS MEDIUM MEDIUM LOW NEGLIGIBLE MEDIUM MEDIUM LOW LOW LOW HAZARD RISK LEVEL DECISION AUTHORITY HIGH COMPONENT ACQUISITION EXECUTIVE SERIOUS PROGRAM EXECUTIVE OFFICER MEDIUM PROGRAM MANAGER LOW ACCEPTABLE WITHOUT REVIEW
Page 1 and 2: “designing the safest possible sy
Page 3 and 4: Chapter Page Forward ..............
Page 5 and 6: Fig # Title Page 1-1 System Safety
Page 7 and 8: Acceptable Risk. That part of ident
Page 9 and 10: Articles/Papers REFERENCES 1. Cleme
Page 11 and 12: 1.3 Need for System Safety. Why is
Page 13 and 14: integrated with other factors that
Page 15 and 16: Figure 1-4 SYSTEM SAFETY OBJECTIVES
Page 17 and 18: 9. Nature and severity of hazards u
Page 19 and 20: CONCEPT EXPLORATION • Evaluate sy
Page 21 and 22: CONSTRUCTION (facilities) • Ensur
Page 23 and 24: existing levels of system safety an
Page 25 and 26: (a) Provides risk assessments to SA
Page 27 and 28: Block 5--Increased Safety Awareness
Page 29 and 30: 3.1 Definitions. System safety is a
Page 31 and 32: 3.4 Mishap Severity Categories and
Page 33: FREQUENCY OF OCCURRENCE Figure 3-5
Page 37 and 38: g. Ensure that the appropriate syst
Page 39 and 40: Figure 4-1 FUNCTIONS OF SAFETY ORGA
Page 41 and 42: An explosive safety program encompa
Page 43 and 44: Quality assurance establishes polic
Page 45 and 46: safety requirements have been impos
Page 47 and 48: instead uses the tailoring process
Page 49 and 50: 5.1 SSPP--Task 102. (Note: Task num
Page 51 and 52: This section of the plan contains t
Page 53 and 54: program tasking should be sufficien
Page 55 and 56: h. Develop a method of exchanging s
Page 57 and 58: 7.1 Analyses. (28:39-40) Role of An
Page 59 and 60: d. Any other events, that considera
Page 61 and 62: CONCEPT STUDIES (PHL) SYSTEM SAFETY
Page 63 and 64: design specifications. In addition,
Page 65 and 66: a. Of the modes of failure, includi
Page 67 and 68: . Potential material substitutions
Page 69 and 70: are identified, monitored, and comp
Page 71 and 72: 9.1 Fault Hazard Analysis. (33:47-4
Page 73 and 74: The SCA of military systems has inc
Page 75 and 76: doors, sunglasses, machine guards,
Page 77 and 78: Checklists)? There are others, such
Page 79 and 80: not directly provide useful informa
Page 81 and 82: c. Procedures, manuals, etc. These
Page 83 and 84: shutdown. This is a relatively smal
Page 85 and 86:
c. Perform or update the PHA done d
Page 87 and 88:
(2) Adequate safety provisions are
Page 89 and 90:
11.1 Program Office Description. A
Page 91 and 92:
management officer (DMO) is usually
Page 93 and 94:
Once the details of these tasks are
Page 95 and 96:
arrangements, an assessment of the
Page 97 and 98:
f. Assist the contractors in making
Page 99 and 100:
12.1 Contracting Principles. (34:6-
Page 101 and 102:
A SOO is attached to an RFP to spec
Page 103 and 104:
Type E - Material Specifications Ty
Page 105 and 106:
Type A--System/Segment Specificatio
Page 107 and 108:
13.1 Process. CHAPTER 13 EVALUATING
Page 109 and 110:
ascertain if the safety requirement
Page 111 and 112:
Develop and prepare program plans a
Page 113 and 114:
The contractor SSPP will be updated
Page 115 and 116:
Facility safety design criteria is
Page 117 and 118:
10. Skill in written and oral commu
Page 119 and 120:
eflect the local concern for operat
Page 121 and 122:
c. Review equipment installation, o
Page 123 and 124:
15.1 Acceptable/Unacceptable Risk.
Page 125 and 126:
FACILITIES SYSTEM SAFETY INDUSTRIAL
Page 127 and 128:
15.3 Biomedical Safety. (37:Chapter
Page 129 and 130:
• Mishap Class/system identificat
Page 131 and 132:
c. A Nuclear Safety Cross-check Ana
Page 133 and 134:
17.1 General. There are many variat
Page 135 and 136:
characteristics are under configura
Page 137 and 138:
The AFMC supplement to AFI-91-202 p
Page 139 and 140:
TRB DEFICIENCY REPORTS MISHAP REPOR
Page 141 and 142:
these elements should be investigat
Page 143 and 144:
The modification risk-assessment su
Page 145 and 146:
20.1 General. Test and Evaluation (
Page 147 and 148:
Development of these scenarios crea
Page 149 and 150:
isk, or to stop the test until the
Page 151 and 152:
Figure A-1. Mission Requirements/El
Page 153 and 154:
• Capability (task loading) • O
Page 155 and 156:
preliminary hazard list. The major
Page 157 and 158:
• System Hazard Analysis • Oper
Page 159 and 160:
sensitivity analysis. Here, an asse
Page 161:
(5) Revising Maintenance Requiremen
show all

Air Force System Safety Handbook - System Safety Society

Create successful ePaper yourself

Delete template?

Save as template?