||This article may be too technical for most readers to understand. (March 2013)|
Note: Parts of this article are written from the perspective of aircraft safety analysis techniques and definitions; these may not represent current best practice and the article needs to be updated to represent a more generic description of hazard analysis and discussion of more modern standards and techniques.
A hazard analysis is used as the first step in a process used to assess risk. The result of a hazard analysis is the identification of different type of hazards. A hazard is a potential condition and exists or not (probability is 1 or 0). It may in single existence or in combination with other hazards (sometimes called events) and conditions become an actual Functional Failure or Accident (Mishap). The way this exactly happens in one particular sequence is called a scenario. This scenario has a probability (between 1 and 0) of occurrence. Often a system has many potential failure scenarios. It also is assigned a classification, based on the worst case severity of the end condition. Risk is the combination of probability and severity. Preliminary risk levels can be provided in the hazard analysis. The validation, more precise prediction (verification) and acceptance of risk is determined in the Risk assessment (analysis). The main goal of both is to provide the best selection of means of controlling or eliminating the risk. The term is used in several engineering specialties, including avionics, chemical process safety, safety engineering, reliability engineering and food safety.
Hazards and risk
A hazard is defined as a "Condition, event, or circumstance that could lead to or contribute to an unplanned or undesirable event." Seldom does a single hazard cause an accident or a functional failure. More often an accident or operational failure occurs as the result of a sequence of causes. A hazard analysis will consider system state, for example operating environment, as well as failures or malfunctions.
While in some cases, safety or reliability risk can be eliminated, in most cases a certain degree of risk must be accepted. In order to quantify expected costs before the fact, the potential consequences and the probability of occurrence must be considered. Assessment of risk is made by combining the severity of consequence with the likelihood of occurrence in a matrix. Risks that fall into the "unacceptable" category (e.g., high severity and high probability) must be mitigated by some means to reduce the level of safety risk.
IEEE STD-1228-1994 Software Safety Plans prescribes industry best practices for conducting software safety hazard analyses to help ensure safety requirements and attributes are defined and specified for inclusion in software that commands, controls or monitors critical functions. When software is involved in a system, the development and design assurance of that software is often governed by DO-178B. The severity of consequence identified by the hazard analysis establishes the criticality level of the software. Software criticality levels range from A to E, corresponding to the severity of Catastrophic to No Safety Effect. Higher levels of rigor are required for level A and B software and corresponding functional tasks and work products is the system safety domain are used as objective evidence of meeting safety criteria and requirements.
Recently a leading edge commercial standard was promulgated based on decades of proven system safety processes in DoD and NASA. ANSI/GEIA-STD-0010-2009 (Standard Best Practices for System Safety Program Development and Execution) is a demilitarized commercial best practice that uses proven holistic, comprehensive and tailored approaches for hazard prevention, elimination and control. It is centered around the hazard analysis and functional based safety process.
Severity definitions - Safety Related
|Catastrophic||Results in multiple fatalities and/or loss of the system|
|Hazardous||Reduces the capability of the system or the operator ability to cope with adverse conditions to the extent that there would be:
|Major||Reduces the capability of the system or the operators to cope with adverse operating conditions to the extent that there would be:
|Minor||Does not significantly reduce system safety. Actions required by operators are well within their capabilities. Include:
|No Safety Effect||Has no effect on safety|
Likelihood of occurrence
- Medical Device Risk Management - ISO 14971
- Failure mode and effects analysis
- Fault tree analysis
- Safety engineering
- Reliability engineering
- Occupational safety and health
- RTCA DO-178B (Software Considerations in Airborne Systems and Equipment Certification)
- RTCA DO-178C
- RTCA DO-254 (similar to DO-178B, but for hardware)
- SAE ARP4761 (System safety assessment process)
- SAE ARP4754 (System development process)
- MIL-STD-882 (Standard practice for system safety)
- ANSI/GEIA-STD-0010-2009 (Standard Best Practices for System Safety Program Development and Execution)
- IEEE STD 1228-1994 Software Safety Plans
- IEEE STD 1584-2002 IEEE Guide for Performing Arc Flash Hazard Calculations
- Center for Chemical Process Safety (1992). Guidelines for Hazard Evaluation Procedures, with Worked Examples (2nd ed.). Wiley-American Institute Of Chemical Engineers. ISBN 0-8169-0491-X.
- Bahr, Nicholas J. (1997). System Safety Engineering and Risk Assessment: A Practical Approach (Chemical Engineering) (1st ed.). Taylor & Francis Group. ISBN 1-56032-416-3.
- CFR, Title 29-Labor, Part 1910--Occupational Safety and Health Standards, § 1910.119
U.S. OSHA regulations regarding "Process safety management of highly hazardous chemicals" (especially Appendix C).
- FAA Order 8040.4 establishes FAA safety risk management policy.
- The FAA publishes a System Safety Handbook that provides a good overview of the system safety process used by the agency.
- IEEE 1584-2002 Standard which provides guidelines for doing arc flash hazard assessment.