analysis, human interface analysis, scenario analysis, and modeling techniques can be applied to determine
system risks, e.g., the inappropriate interaction of software, human (including procedures), machine, and
environment.
7.1.6 System Risk Identification
The overall system objective should be to design a complex system with acceptable risks. Since reliability
is the probability that a system will perform its intended function satisfactorily, this criterion should also
address the safety-related risks that directly equate to failures or the unreliability of the system. This
consideration includes hardware, firmware, software, humans, and environmental conditions.
Dr. Perrow in 1984 further indicated and enhanced the multi-linear logic discussion with the definition of a
system accident: “system accidents involve the unanticipated interaction of multiple failures.”
From a system safety viewpoint, the problem of risk identification becomes even more complex, in that the
dynamics of a potential system accident are also evaluated. When considering multi-event logic,
determining the quantitative probability of an event becomes extensive, laborious, and possibly inconclusive.
The above model of the adverse event represents a convention (an estimation) of a potential system accident
with the associated top event: the harm expected, contributory hazards, less than adequate controls, and
possibly less than adequate verification. The particular potential accident has a specific initial risk and
residual risk.
Since risk is an expression of probable loss over a specific period of time or over a number of operational
cycles, risk comprises two major potential accident variables, loss and likelihood. The loss relates to
harm, or severity of consequence. Likelihood is more of a qualitative estimate of loss. Quantitative
likelihood estimates can be inappropriate since specific quantitative methods are questionable considering
the lack of relevant, appropriate data. Statistics can be misunderstood or manipulated to provide erroneous
information. There are further contradictions, which add to complexity when multi-event logic is
considered. This logic includes event flow, initiation, verification/control/hazard interaction, human
response, and software error.
FAA System Safety Handbook, Chapter 7: Integrated System Hazard Analysis
December 30, 2000
7 - 11
The overall intent of system safety is to prevent potential system accidents by the elimination of associated
risk, or by controlling the risk to an acceptable level. The point is that reliance on probability as the total
means of controlling risk can be inappropriate. Figures 7-1 through 7-3 provided examples of undesired
events that require multiple conditions to exist simultaneously and in a specific sequence. Figure 7-6
summarizes multi-event logic.
[Figure 7-6 (figure not reproduced): a system accident sequence in multi-linear logic, a chain of events leading to an OUTCOME, annotated “Where is the hazard --- a failure and/or error and/or anomaly?”]
Figure 7-6: Multi-Event Logic
7.2 Risk Control
The concept of controlling risk is not new. Lowrance1 in 1945 had discussed the topic. It has been stated
that “a thing is safe if the risks are judged to be acceptable.” The discussion recently has been expanded to
the risk associated with potential system accidents: system risks. Since risk is an expression of probable
loss over a specific period of time, two potential accident variables, loss and likelihood, can be considered
the parameters of control. To control risk, either the potential loss (severity or consequence) or its
likelihood is controlled. A reduction of severity or likelihood will reduce the associated risk; both variables
can be reduced, or either one alone, and either way the result is a reduction of risk.
The model of an adverse event above is used to illustrate the concept of risk control. For example, consider
a potential system accident where reliability and system safety design and administrative controls are
applied to reduce system risk. There is a top event, contributory hazards, less than adequate controls, and
less than adequate verification. The controls can reduce the severity and/or likelihood of the adverse event.
Consider the potential loss of a single engine aircraft due to engine failure. Simple linear logic would
indicate that a failure of the aircraft’s engine during flight would result in a forced landing possibly into
unsuitable terrain. Further multi-event logic which can define a potential system accident would indicate
additional complexities, e.g., loss of aircraft control due to inappropriate human reaction, deviation from
emergency landing procedures, less than adequate altitude, and/or less than adequate glide ratio. The
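As an added illustration, not part of the handbook, the single-engine aircraft scenario above can be written as a small multi-event model: the top event (loss of aircraft) requires the engine failure AND at least one of the listed contributory hazards, and a control may act on either the likelihood of a hazard or the loss. The gate layout, the loss value and every probability are constructed placeholders for relative comparison only, in keeping with the chapter's caution that quantitative likelihood estimates are often not supportable.

```python
# Added example, not from the FAA handbook: fault-tree style multi-event logic for
# the single-engine aircraft case. All numbers are constructed placeholders.
import math
from dataclasses import dataclass

@dataclass
class Event:
    name: str
    p: float  # constructed likelihood of the event per flight

@dataclass
class Gate:
    kind: str     # "AND": all inputs must occur together; "OR": any one suffices
    inputs: list  # Events and/or nested Gates

def probability(node) -> float:
    """Likelihood that the node occurs; inputs are assumed independent."""
    if isinstance(node, Event):
        return node.p
    ps = [probability(n) for n in node.inputs]
    if node.kind == "AND":
        return math.prod(ps)
    return 1.0 - math.prod(1.0 - q for q in ps)

def with_controls(node, factors: dict):
    """Copy of the tree with likelihood controls applied (factor < 1 lowers p)."""
    if isinstance(node, Event):
        return Event(node.name, node.p * factors.get(node.name, 1.0))
    return Gate(node.kind, [with_controls(n, factors) for n in node.inputs])

def loss_of_aircraft_tree() -> Gate:
    # Top event needs the engine failure AND at least one contributory hazard
    # from the handbook's list; simple linear logic would stop at the engine.
    return Gate("AND", [
        Event("engine failure in flight", 1e-4),
        Gate("OR", [
            Event("inappropriate human reaction", 0.20),
            Event("deviation from emergency landing procedures", 0.10),
            Event("less than adequate altitude", 0.15),
            Event("less than adequate glide ratio", 0.05),
        ]),
    ])

def risk(tree, loss: float) -> float:
    # Risk = likelihood of the top event x loss (severity); loss is unitless here.
    return probability(tree) * loss

def initial_and_residual(factors: dict, loss: float, residual_loss: float):
    # Initial risk, then residual risk after likelihood controls (factors)
    # and/or a severity control (residual_loss < loss).
    initial = risk(loss_of_aircraft_tree(), loss)
    residual = risk(with_controls(loss_of_aircraft_tree(), factors), residual_loss)
    return initial, residual
```

Halving the two human-related hazards (e.g. through training) lowers the top-event likelihood from about 4.19e-5 to 3.10e-5 per flight with these placeholder values; a severity-only control leaves the likelihood unchanged but still reduces risk, which is the handbook's point that either variable is a parameter of control.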