Air Force System Safety Handbook - System Safety Society

More documents

Recommendations

Info

After using the checklist, there are some hints that may be helpful in selecting Tasks. For the customer, it is often better to time safety analyses deliverables based upon significant program milestones (like a preliminary design review) than to specify a certain number of days after contract award. This allows greater flexibility in case the design schedule changes. Whenever practical, consider requesting an update to an existing report instead of a whole new report. This can be a cost saver. If uncertainties exist in design which make a difference in what analysis is requested (ex. unsure if flight controls will be fly-by-wire or mechanical), leave the option to decide after the program has progressed. An example would be to add to the statement of work to perform fault tree analysis on a set number of topics mutually agreed upon at the system safety working group. Contractors should be particularly careful with contracts that require many analyses but few deliverables. It is especially important to keep an orderly backup file of all information that was used to support the deliverables. This file should be made available to the customer for review. This checklist can form part of a substantiation for additional budget or could surface areas for renegotiating or trading of tasks. Both customer and contractor can go beyond just identifying the particular MIL-STD-882 tasks. 4.7 Abuses. (16:C-1 to C-2) Various abuses to the process are noteworthy, such as boilerplate, smorgasbord, invisible, and cutup tailoring. The boilerplate utilizes verbiage that has been used numerous times before. It references the original MIL-STD-882, not the current version. Defenders of this method claim it is “proven effective” and has “management approval.” New start programs should use the latest version. It may be valuable as a method of time savings to utilize similar requirements from previous similar programs; however, it is often used for all programs regardless of similarities. The smorgasbord contains practically everything in MIL-STD-- 882. Many times, there is a long list of tasks with only a few deliverables. The theory behind this is if a little bit of 882 is good to have, a lot must be better. This burdens the contractor to programs; however, it is often used for all programs regardless of similarities. The smorgasbord contains practically everything in MIL-STD-- 882. Many times, there is a long list of tasks with only a few deliverables. The theory behind this is if a little bit of 882 is good to have, a lot must be better. This burdens the contractor to produce a lot of programs; however, it is often used for all programs regardless of similarities. The smorgasbord contains practically everything in MIL-STD-- 882. Many times, there is a long list of tasks with only a few deliverables. The theory behind this is if a little bit of 882 is good to have, a lot must be better. This burdens the contractor to This method suggests the customer views safety as a spectator sport. Customer involvement is essential to success. The application of MIL-STD-882D as a whole document should prevent this from occurring. Invisible tailoring of tasks is accomplished by omitting the very last paragraph of each task. This paragraph describes what the managing authority shall do. This is of no concern to the contractor. So, it is as if this task were never tailored. This misses the whole point of tailoring. Cutup contracts are ones which bear little resemblance to the original input by the customer’s safety department because it 37 was “revised” before final transmittal to the contractor. Unfortunately, the contractor will have to work with the customer’s safety department and try to satisfy their original needs without exceeding the bounds of the actual content. 4.8 Small Programs. (33:123-132) A major program may need most or all of the tasks in Deskbook applied to the program. Small programs are much different. There is a need for the further delineation of a set of recommended procedures for conducting a small system safety program. Such a program may be called for in such cases as small projects (e.g., the design and fabrication of a missile transport cart), projects with obviously minimal hazards (e.g., development of a new mechanical typewriter), projects that do not fit into the normal life cycle process (e.g., military facilities design and construction) and, unfortunately, projects for which the safety activity is dollar limited. The following are recommended as a minimum effort in a system safety program: 1. Prepare a preliminary hazards list (PHL). 2. Conduct a preliminary hazard analysis (PHA). 3. Assign a Risk Assessment Value for each item. 4. Assign a priority for taking the recommended action to eliminate or control the hazards, according to the Risk Assessment Values. 5. Evaluate the possibility of deleterious effects from interfaces between the recommended actions and other portions of the system. 6. Take the recommended actions to modify the system. 7. Prepare a System Safety Assessment Report as a wrap-up of the system safety program. The PHL can be derived in several ways. One of these is by the examination of the energy transfer in the system. This is based on the concept that all losses are created by an interference with the normal exchange of energy. The system is examined for incorrect, untimely, or omitted energy exchanges as a base for the PHL. There are also available hazard review checklists in which hazards are listed, together with the usual occurrence mode, the possible cause and the possible effects. The PHA is the initial development of the relationships between hazard causes (faults), effects, and recommended actions to be taken to eliminate or control the hazards. An in-depth hazard analysis generally follows the PHA with a subsystem hazard analysis, a system hazard analysis, and an operating and support hazard analysis, as appropriate, but for a small safety program, the PHA will usually suffice as the only formal analysis. A comprehensive evaluation is needed of the safety risks being assumed prior to test or evaluation of the system or at contract completion. It identifies all safety features of the hardware and system design and procedural hazards that may be present in the system being acquired and specific procedural controls and precautions that should be followed. It is to be remembered that the hazards encountered in a small program can be as severe and as likely to occur as those of a major program. Usually one can expect fewer hazards in a small program. Caution needs to be exerted to ensure that in tailoring the system safety effort to fit a small program, one does not perform a wholesale slashing, but
instead uses the tailoring process to obtain the optimum safety in the optimum system. 4.9 Government-Furnished Equipment. As part of a system acquisition effort, equipment may be specified by the government as part of the contract as providing necessary inputs or receiving outputs from the system being developed. This government-furnished equipment (GFE) must be analyzed for its interface with the new system, if such analysis hasn’t been previously accomplished in sufficient detail. The analysis was once considered a separate MIL-STD-882 task. However, GFE is now considered a part of the overall system and is analyzed as necessary as part of the overall systems analyses. The contract, therefore, must for GFE: a. If hazard data are available, identify the system safety analyses needed and when they are needed. b. Identify and perform any additional system safety analyses needed for interfaces between GFE and the rest of the system. (29:213-1) Usually, GFE has been in the military inventory long enough that unsatisfactory operating characteristics are well known or have been identified in previous hazard analyses. The SPO should identify these unsatisfactory characteristics or provide the analyses, if available, to the contractor, who will then compensate for these characteristics by using their interface design. However, some GFE may predate system safety concepts, adequate safety analyses may not have been done, or unsatisfactory operating characteristics of a new or modified system may not be known. Then, the contractor or the Air Force must do the necessary analyses for proper interface design. (27:5) 4.10 Commercial and Nondevelopmental Items. Commercial items, or “off-the-shelf” equipment, are commercially developed systems already being marketed publicly. Non-development items are systems that have been procured previously for other branches of the federal government, a state government, or for some foreign governments. By buying non-developmental items or off-the-shelf commercial equipment, the Air Force can save on development costs but can cause you some problems. As with GFE, the amount of attention required will vary, depending on the history and documentation available. Whether a subsystem (radio) or system (aircraft), the manufacturer should have done some type of failure mode analysis for their item. If the off-the-shelf equipment is used in a contractor-developed system, failure mode analysis, if well prepared, should be sufficient to allow the contractor to incorporate system safety in their design. For off-the-shelf equipment, or equipment with poorly prepared analyses, risk assessment gets trickier, especially if the equipment meets commercial safety requirements but has not been proven to meet all Air Force requirements. (27:5) While the off-the-shelf concept provides significant up-front cost and schedule benefits, major concern centers on ensuring adequate levels of safety and supportability. For the Air Force to benefit fully from off-the-shelf acquisitions, the system safety program must be able to ensure the operational safety of the final system without adding unnecessarily to its acquisition cost through extensive analysis efforts or signif 38 icant modifications. DOD 5000.2-R, discusses commercial items and nondevelopmental items, their intended use, and requirements and procedures for safe, cost-effective use consistent with mission requirements. In theory, FAA-certified passenger and cargo aircraft should be safe for similar roles in the Air Force. However, the Air Force Safety Agency conducted safety reviews of several off-the-shelf aircraft acquisitions and discovered problem areas: • AF training schedules require multiple touch-and-go landings. • AF tends to operate aircraft closer to their design limits; i.e., loads, speed, T/O run, landing, etc. • AF often modifies aircraft to a large extent. Some off-the-shelf aircraft manufacturers do not have system safety programs/staffs that can analyze these changes for their effect on the system and report the results as required of normal AF aircraft acquisitions. The end result is that the AF buys an aircraft configuration that was not fully FAA certified and uses it in a manner not totally analogous to the civilian usage on which its original safety record was based. It is safe to assume that neither the requirement for nor the effects of these necessary changes has been fully appreciated before the decision to acquire a given “off-the-shelf” aircraft. The safety lessons learned from a safety survey by AFSC of off-the-shelf AF acquisition are: • The AF needs to establish minimum requirements for up-front mission/usage analysis to define any differences and their potential safety impact on the system. • The AF needs to tell the bidding contractors what is required in the area of system safety analysis of Air Force-unique configuration/operations. • Once operational, the AF needs to restrict these aircraft to the missions intended unless in-depth analysis is done to assess the effects of new missions. (Ref 43) Program size and procurement schedules may severely limit the scope of the system safety program and require skillful, creative tailoring for the program. A small program may only require Tasks 101 and 301, while the MA could add Tasks 102, 105, and 203 for larger programs. The following are additional considerations(30:B-10): Market Investigation. It is suggested that the MA conduct a market investigation to determine, among other things, to which safety or other appropriate standards the system was designed. The MA must determine the extent to which the system is certified by agencies such as the FAA, Underwriters Labs, etc. and what those certifications mean when compared to mission requirements. Some basic questions in the market investigation include: a. Has the system been designed and built to meet applicable/any safety standards? Which ones? b. Have any hazard analyses been performed? Request copies. c. What is the mishap history for the system? Request specifics. d. Is protective equipment and/or procedures needed during operation, maintenance, storage, or transport. Request specifics. e. Does the system contain or use any hazardous materials, have potentially hazardous emissions, or generate hazardous waste? f. Are special licenses or certificates required to own, store, or use the system?
Page 1 and 2: “designing the safest possible sy
Page 3 and 4: Chapter Page Forward ..............
Page 5 and 6: Fig # Title Page 1-1 System Safety
Page 7 and 8: Acceptable Risk. That part of ident
Page 9 and 10: Articles/Papers REFERENCES 1. Cleme
Page 11 and 12: 1.3 Need for System Safety. Why is
Page 13 and 14: integrated with other factors that
Page 15 and 16: Figure 1-4 SYSTEM SAFETY OBJECTIVES
Page 17 and 18: 9. Nature and severity of hazards u
Page 19 and 20: CONCEPT EXPLORATION • Evaluate sy
Page 21 and 22: CONSTRUCTION (facilities) • Ensur
Page 23 and 24: existing levels of system safety an
Page 25 and 26: (a) Provides risk assessments to SA
Page 27 and 28: Block 5--Increased Safety Awareness
Page 29 and 30: 3.1 Definitions. System safety is a
Page 31 and 32: 3.4 Mishap Severity Categories and
Page 33 and 34: FREQUENCY OF OCCURRENCE Figure 3-5
Page 35 and 36: j. To point out to a designer how h
Page 37 and 38: g. Ensure that the appropriate syst
Page 39 and 40: Figure 4-1 FUNCTIONS OF SAFETY ORGA
Page 41 and 42: An explosive safety program encompa
Page 43 and 44: Quality assurance establishes polic
Page 45: safety requirements have been impos
Page 49 and 50: 5.1 SSPP--Task 102. (Note: Task num
Page 51 and 52: This section of the plan contains t
Page 53 and 54: program tasking should be sufficien
Page 55 and 56: h. Develop a method of exchanging s
Page 57 and 58: 7.1 Analyses. (28:39-40) Role of An
Page 59 and 60: d. Any other events, that considera
Page 61 and 62: CONCEPT STUDIES (PHL) SYSTEM SAFETY
Page 63 and 64: design specifications. In addition,
Page 65 and 66: a. Of the modes of failure, includi
Page 67 and 68: . Potential material substitutions
Page 69 and 70: are identified, monitored, and comp
Page 71 and 72: 9.1 Fault Hazard Analysis. (33:47-4
Page 73 and 74: The SCA of military systems has inc
Page 75 and 76: doors, sunglasses, machine guards,
Page 77 and 78: Checklists)? There are others, such
Page 79 and 80: not directly provide useful informa
Page 81 and 82: c. Procedures, manuals, etc. These
Page 83 and 84: shutdown. This is a relatively smal
Page 85 and 86: c. Perform or update the PHA done d
Page 87 and 88: (2) Adequate safety provisions are
Page 89 and 90: 11.1 Program Office Description. A
Page 91 and 92: management officer (DMO) is usually
Page 93 and 94: Once the details of these tasks are
Page 95 and 96: arrangements, an assessment of the
Page 97 and 98:
f. Assist the contractors in making
Page 99 and 100:
12.1 Contracting Principles. (34:6-
Page 101 and 102:
A SOO is attached to an RFP to spec
Page 103 and 104:
Type E - Material Specifications Ty
Page 105 and 106:
Type A--System/Segment Specificatio
Page 107 and 108:
13.1 Process. CHAPTER 13 EVALUATING
Page 109 and 110:
ascertain if the safety requirement
Page 111 and 112:
Develop and prepare program plans a
Page 113 and 114:
The contractor SSPP will be updated
Page 115 and 116:
Facility safety design criteria is
Page 117 and 118:
10. Skill in written and oral commu
Page 119 and 120:
eflect the local concern for operat
Page 121 and 122:
c. Review equipment installation, o
Page 123 and 124:
15.1 Acceptable/Unacceptable Risk.
Page 125 and 126:
FACILITIES SYSTEM SAFETY INDUSTRIAL
Page 127 and 128:
15.3 Biomedical Safety. (37:Chapter
Page 129 and 130:
• Mishap Class/system identificat
Page 131 and 132:
c. A Nuclear Safety Cross-check Ana
Page 133 and 134:
17.1 General. There are many variat
Page 135 and 136:
characteristics are under configura
Page 137 and 138:
The AFMC supplement to AFI-91-202 p
Page 139 and 140:
TRB DEFICIENCY REPORTS MISHAP REPOR
Page 141 and 142:
these elements should be investigat
Page 143 and 144:
The modification risk-assessment su
Page 145 and 146:
20.1 General. Test and Evaluation (
Page 147 and 148:
Development of these scenarios crea
Page 149 and 150:
isk, or to stop the test until the
Page 151 and 152:
Figure A-1. Mission Requirements/El
Page 153 and 154:
• Capability (task loading) • O
Page 155 and 156:
preliminary hazard list. The major
Page 157 and 158:
• System Hazard Analysis • Oper
Page 159 and 160:
sensitivity analysis. Here, an asse
Page 161:
(5) Revising Maintenance Requiremen
show all

Air Force System Safety Handbook - System Safety Society

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?