System Safety Process

Abstract

Including safety in all phases of a system development project is required to ensure an inherent view of safety, designing all safety prescriptions from the start in a proactive way, instead of a reactive approach where fixes are only applied following the recorded incidents or accidents. Being proactive about safety is an essential consideration in system safety engineering today. This chapter introduces the required ground for having safety considerations and all relevant safety processes built into the project development life cycle. Each phase of the inherent safety process is detailed, and connections are made with the traditional processes in engineering and project management, emphasizing the need for proactive safety from the inception of the project idea (pre-project phase) all the way into deployment. Artifacts produced in each phase, as well as the traceability that needs to be maintained among them, are laid out. Additionally, important sub-processes are algorithmically defined, with specific actions prescribed to bring the risks down to the tolerable zone.

Appendices

Exercise 4

Your team is in the middle of the preliminary hazard identification (PHI) phase, with the preliminary hazard list identified for the power press machine in the factory (Fig. 4.4). Your goal is first to analyze and evaluate the risk according to IEC 61508. Consider Catastrophic severity only in case of multiple fatalities; Critical in case of a single fatality or irreversible injury; Marginal in case of a nonfatal, reversible injury; and Negligible in case of minor or no injuries. Consider probability according to the failure range given in the table (see M3 lecture note). Then, argue the risk acceptance according to MEM (10⁻⁵ deaths per person per year). In case the risk is too high, prescribe a safety measure and reevaluate the risk until you can close it.

Fig. 4.4

Power press machine

• H1: Operator places his hand in a pressing area due to misuse and gets injured.

• H2: Press starts unintentionally during maintenance, with press mechanism active, potentially harming maintenance workers.

• H3: Press moves or topples due to imbalance and potentially harming the operator.

Your Tasks for the Exercise

• Analyze and evaluate the risk associated with hazards H1, H2, and H3 according to the IEC 61508 and the description above.

• Express the risk quantitatively (in failures per year).

• Evaluate the risk acceptability according to MEM.

• In case of inacceptable risk, prescribe a suitable safety measure.

• Reevaluate the risk and reassess its acceptability to close the hazard.

To-Do List

• Perform the exercise individually or with your peers. One can share the screen and keep notes, all contribute.

• Create presentables (e.g., drawing, filled in sheet).

• Discuss your solution and share it with others.

Note: Digital files for this exercise are available at sfs4.ex.nit-institute.com

Exercise 4 Template

Exercise 4 Sample Solutions

See several exemplary solutions to the exercise:

Solution 1

Review Comments by the Instructor

• Make sure to be able to argue the selection of the probability category. First, be sure to utilize the prescriptions of the respective standard (if any). Alternatively, failure or incident statistics may be needed from the previous system versions or referencing the system of similar functionality (with argumentation why and how the systems are similar!). In case no data of such kind exist, resort to failure rate manuals (e.g., MIL/FIDES in case of HW/mechanical component failures), or HMI studies for human factor/misuse. Finally, you might be able to create a guestimate with some generic argumentation, but in that case, you need to be conservative and select more strict values.

• When defining a sophisticated active safety measure, such as for H1, make sure to follow up PHI into FHE to break down the safety requirement to specific technical safety requirements which would define further constraints (e.g., detection delay) and then through SSE to verify if those constraints have been met (otherwise the safety measure may provide no use at all!!!)

• In PHI, make sure to do your analysis without ANY safety measures, even the intuitive/obvious ones (such as fixing the press to the factory floor). PHI addresses hazards that mostly stem from intended system functions; therefore, any nonfunctional (safety) prescriptions only come after this initial analysis!

Solution 2

Review Comments by the Instructor

• For hazard H2, you do not need to prescribe safety measures in case the risk is accepted in the first assessment. Even in the case the risk was not accepted, the prescribed safety measure might collide with the intended function (maintenance with press active).

• Make sure to be able to argue the selected probability values.

Solution 3

Review Comments by the Instructor

• Additional training as a safety measure is a valid option but is currently not preferred as the only safety measure for a hazard. Functional safety and active measures were added in the first place because the human factor was not able to provide adequate safety behavior (management, and staff), neglecting the procedures to the point of serious disasters (remember, e.g., Seveso).

• Reconsider probability/severity for H2 (e.g., how many workers actually may die, and how frequent is the maintenance).

• Decreasing severity after applying a safety measure is rarely possible, and usually, it is done by a passive safety measure. Auditors are particularly drawn toward the items with severity decreased, so very good argumentation would need to be provided in this regard. In your case at H2, adding mechanical blockage to prevent the press from operating may altogether cancel out the complete function behind H2 (see H2 description!). We will discuss availability vs safety in some of the subsequent lectures and courses.

• For H2, a redundant mechanism as an active safety measure might be considered, which would turn off the press via a relay switch in case of maintenance mode AND sensed press movement AND press not activated by a worker.

Solution 4

Review Comments by the Instructor

• Safety measure which requires the redesign of the function which is utilized mostly in an operating mode different from the mode in which the hazard occurs (such as in changing the pressure mode of the press) may bear the risk of introducing many new hazards in the next iteration and maybe violating the initial requirements for the system (particular collaboration with the complete pre-project/proposal team is required here!)

• The exercise is not fully finalized, since no reassessment has been provided.

Key Recap Questions

In this chapter, you have been analyzing the required system safety process. Now, concerning the system you discussed:

• Think about a few hazards.

• Can you analyze and evaluate risk?

• Was risk acceptable?

• Which risk mitigation measures can be applied?

• Do new measures affect the initially identified hazards?

Self-assessment

Now take the time to self-assess your knowledge by taking the quiz below. Each listed statement is either correct or incorrect. Please mark your answer and then check in the key at the end of the book.

1. 1.

   The most important process in system safety is operational system safety evaluation (OpSSE), allowing the reporting of incidents and accidents for the subsequent improvement of system design, as in the reactive safety approach.

2. 2.

   The inherent safety process, as in ISAPro, is performed independently from system engineering and project management processes.

3. 3.

   Hazards and corresponding safety goals are identified only in the pre-project phase, within preliminary hazard identification (PHI), since when they are signed off and used to assess safety implementation until the end of the system life cycle.

4. 4.

   Risk evaluation in the system safety process may yield an unacceptable risk level, in which safety measures need to be prescribed and the hazard identification phase repeated.

5. 5.

   Safety standards usually provide risk categorization levels based on which a set of measures/requirements are prescribed, which when implemented, render the system being acceptably safe.

6. 6.

   System safety allows the utilization of passive risk reduction measures, such as safety vests, helmets, and floor markings.

7. 7.

   The system safety evaluation phase (SSE) deals with the verification of fulfillment of safety requirements by the implemented system.

8. 8.

   In case of unacceptable risk, the system always needs to be redesigned.

9. 9.

   It is possible to alter the process prescribed by the safety standard to optimize the cost of system and safety engineering if providing appropriate argumentation.

10. 10.

    It is possible to judge that the evaluated risks which are too high with respect to MEM are tolerable (as per ALARP), in case we can find a reference system in operation and argument its functional and implementation similarity to our system.

Self-assessment Key

1. 1.

   False

2. 2.

   False

3. 3.

   False

4. 4.

   True

5. 5.

   True

6. 6.

   True

7. 7.

   True

8. 8.

   False

9. 9.

   True

10. 10.

    True