Hazard analysis

Note: Parts of this article are written from the perspective of aircraft safety analysis techniques and definitions; these may not represent current best practice and the article needs to be updated to represent a more generic description of hazard analysis and discussion of more modern standards and techniques.

A hazard analysis is used as the first step in a process used to assess risk. The result of a hazard analysis is the identification of different type of hazards. A hazard is a potential condition and exists or not (probability is 1 or 0). It may in single existence or in combination with other hazards (sometimes called events) and conditions become an actual Functional Failure or Accident (Mishap). The way this exactly happens in one particular sequence is called a scenario. This scenario has a probability (between 1 and 0) of occurrence. Often a system has many potential failure scenarios. It also is assigned a classification, based on the worst case severity of the end condition. Risk is the combination of probability and severity. Preliminary risk levels can be provided in the hazard analysis. The validation, more precise prediction (verification) and acceptance of risk is determined in the Risk assessment (analysis). The main goal of both is to provide the best selection of means of controlling or eliminating the risk. The term is used in several engineering specialties, including avionics, chemical process safety, safety engineering, reliability engineering and food safety.[1]

Hazards and risk

A hazard is defined as a "Condition, event, or circumstance that could lead to or contribute to an unplanned or undesirable event." Seldom does a single hazard cause an accident or a functional failure. More often an accident or operational failure occurs as the result of a sequence of causes. A hazard analysis will consider system state, for example operating environment, as well as failures or malfunctions.

While in some cases, safety or reliability risk can be eliminated, in most cases a certain degree of risk must be accepted. In order to quantify expected costs before the fact, the potential consequences and the probability of occurrence must be considered. Assessment of risk is made by combining the severity of consequence with the likelihood of occurrence in a matrix. Risks that fall into the "unacceptable" category (e.g., high severity and high probability) must be mitigated by some means to reduce the level of safety risk.

IEEE STD-1228-1994 Software Safety Plans prescribes industry best practices for conducting software safety hazard analyses to help ensure safety requirements and attributes are defined and specified for inclusion in software that commands, controls or monitors critical functions. When software is involved in a system, the development and design assurance of that software is often governed by DO-178B. The severity of consequence identified by the hazard analysis establishes the criticality level of the software. Software criticality levels range from A to E, corresponding to the severity of Catastrophic to No Safety Effect. Higher levels of rigor are required for level A and B software and corresponding functional tasks and work products is the system safety domain are used as objective evidence of meeting safety criteria and requirements.

Recently a leading edge commercial standard was promulgated based on decades of proven system safety processes in DoD and NASA. ANSI/GEIA-STD-0010-2009 (Standard Best Practices for System Safety Program Development and Execution) is a demilitarized commercial best practice that uses proven holistic, comprehensive and tailored approaches for hazard prevention, elimination and control. It is centered around the hazard analysis and functional based safety process.

Severity definitions - Safety Related

Severity Definition
Catastrophic Results in multiple fatalities and/or loss of the system
Hazardous Reduces the capability of the system or the operator ability to cope with adverse conditions to the extent that there would be:
• Large reduction in safety margin or functional capability
• Crew physical distress/excessive workload such that operators cannot be relied upon to perform required tasks accurately or completely
• Serious or fatal injury to small number of occupants of aircraft (except operators)
• Fatal injury to ground personnel and/or general public
Major Reduces the capability of the system or the operators to cope with adverse operating conditions to the extent that there would be:
• Significant reduction in safety margin or functional capability
• Significant increase in operator workload
• Conditions impairing operator efficiency or creating significant discomfort
• Physical distress to occupants of aircraft (except operator) including injuries
• Major occupational illness and/or major environmental damage, and/or major property damage
Minor Does not significantly reduce system safety. Actions required by operators are well within their capabilities. Include:
• Slight reduction in safety margin or functional capabilities
• Slight increase in workload such as routine flight plan changes
• Some physical discomfort to occupants or aircraft (except operators)
• Minor occupational illness and/or minor environmental damage, and/or minor property damage
No Safety Effect Has no effect on safety

Likelihood of occurrence

Likelihood Definition
Probable
• Qualitative: Anticipated to occur one or more times during the entire system/operational life of an item.
• Quantitative: Probability of occurrence per operational hour is greater than ${\displaystyle 1\times 10^{-5}}$
Remote
• Qualitative: Unlikely to occur to each item during its total life. May occur several times in the life of an entire system or fleet.
• Quantitative: Probability of occurrence per operational hour is less than ${\displaystyle 1\times 10^{-5}}$, but greater than ${\displaystyle 1\times 10^{-7}}$
Extremely Remote
• Qualitative: Not anticipated to occur to each item during its total life. May occur a few times in the life of an entire system or fleet.
• Quantitative: Probability of occurrence per operational hour is less than ${\displaystyle 1\times 10^{-7}}$ but greater than ${\displaystyle 1\times 10^{-9}}$
Extremely Improbable
• Qualitative: So unlikely that it is not anticipated to occur during the entire operational life of an entire system or fleet.
• Quantitative: Probability of occurrence per operational hour is less than ${\displaystyle 1\times 10^{-9}}$