
Time: 2010-05-10 19:53 Source: 蓝天飞行翻译 Author: admin

1 Lowrance, William W., Of Acceptable Risk --- Science and the Determination of Safety, 1945, Copyright 1976 by William Kaufmann, Inc.

FAA System Safety Handbook, Chapter 7: Integrated System Hazard Analysis
December 30, 2000
7 - 12

reliability related engineering controls in this situation would be appropriate to system safety and would consider the overall reliability of the engine, fuel sub-systems, and the aerodynamics of the aircraft. The system safety related controls would further consider other contributory hazards such as inappropriate human reaction, and deviation from emergency procedures. The additional controls are administrative in nature and involve design of emergency procedures, training, human response, communication procedures, and recovery procedures.
In this example, the controls above would decrease the likelihood of the event and possibly the severity. The severity would decrease as a result of a successful emergency landing procedure, where the pilot walks away and there is minimal damage to the aircraft. The analyst must consider worst case credible scenarios as well as any other credible scenarios that could result in less harm.

This has been a review of a somewhat complex potential system accident in which the hardware, the human, and the environment were evaluated. There would be additional complexity if software were included in the example. The aircraft could have been equipped with a fly-by-wire flight control system, or an automated fuel system.
Software does not fail, but hardware and firmware can fail. Humans can make software-related errors. Design requirements can be inappropriate. Humans can make errors in coding. Complex or extensive software design could add to the error potential. There could be other design anomalies, sneak paths, and inappropriate do-loops. The sources of software error can be extensive; according to Raheja, “Studies show that about 60 percent of software errors are logic and design errors; the remainder are coding- and service-related errors.” 2 There are specific software analysis and control methods that can be successfully applied to contributory hazards which are related to software.
Again referring to the adverse event model above, note that software errors can result in unsafe conditions or they could contribute to unsafe acts. Software controls can be inappropriate. The verification of controls could be less than adequate.
7.2.1 Risk Control Tradeoffs
What appears to be a design enhancement from a reliability standpoint will not inherently improve system safety in all cases. In some cases risk can increase. Where such an assumption is made, it may be concluded that safety will be improved by applying a reliability control; for example, redundancy may have been added within a design, and the assumption may be that since the system is redundant, it must be safe. Be wary of such assumptions. The following paragraphs present an argument that an apparent enhancement from a reliability view will not necessarily improve safety. Risk controls in the form of design and administrative enhancements are discussed along with associated tradeoffs, in support of this position.
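As an added illustration (not from the handbook), the Python model below shows one way a reliability control can cut the likelihood of one failure mode while raising another: duplicating a channel with 1-out-of-2 voting makes loss of function less likely but a spurious command more likely, so whether total risk falls depends on which mode is the hazardous one. The failure probabilities and severities are constructed values, and the two channels are assumed to fail independently (no common-cause coupling).

```python
# Added illustration, not from the FAA handbook: a reliability control
# (1-out-of-2 redundancy) lowers the likelihood of one failure mode while
# raising the likelihood of another. Whether total risk goes down depends on
# which mode is the hazardous one. All numbers are constructed for the example
# and channel failures are assumed independent (no common-cause coupling).


def single_channel(p_dormant: float, p_spurious: float) -> dict:
    """Per-mission failure probabilities for one channel.

    dormant  = channel stops producing its output (loss of function)
    spurious = channel produces a false command
    """
    return {"loss_of_function": p_dormant, "spurious_command": p_spurious}


def one_out_of_two(p_dormant: float, p_spurious: float) -> dict:
    """The same channel duplicated with 1oo2 voting: either channel can act."""
    # The function is lost only if both channels are dormant.
    loss = p_dormant ** 2
    # A false command is acted on if either channel is spurious.
    spurious = 1.0 - (1.0 - p_spurious) ** 2
    return {"loss_of_function": loss, "spurious_command": spurious}


def expected_harm(probabilities: dict, severities: dict) -> float:
    """Risk as likelihood x severity, summed over the failure modes."""
    return sum(p * severities[mode] for mode, p in probabilities.items())


def compare(p_dormant: float, p_spurious: float, severities: dict) -> dict:
    """Single-channel risk, redundant risk, and whether redundancy helped."""
    single = expected_harm(single_channel(p_dormant, p_spurious), severities)
    redundant = expected_harm(one_out_of_two(p_dormant, p_spurious), severities)
    return {
        "single": single,
        "redundant": redundant,
        "redundancy_reduces_risk": redundant < single,
    }


if __name__ == "__main__":
    # Case A: the spurious command is the hazardous mode (for example an
    # uncommanded actuation); losing the function is only a nuisance.
    print(compare(0.01, 0.01, {"loss_of_function": 1, "spurious_command": 10}))
    # Case B: loss of function is the hazardous mode; a false command is benign.
    print(compare(0.01, 0.01, {"loss_of_function": 10, "spurious_command": 1}))
```

In case A the "redundant, therefore safe" assumption fails: the added channel nearly doubles the chance of the hazardous spurious command, and total risk rises.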
7.2.2 Failure Elimination
A common misconception, one that has been recognized in the system safety community for many years, was discussed by Hammer 3: that by eliminating failures a product will automatically be safe. It will not. A product may have high reliability but it may still be affected by a dangerous characteristic. A Final Report of the National Commission of Product Safety (June 1970) discussed numerous products that have been injurious because of such deficiencies.
2 Raheja, Dev G., Assurance Technologies --- Principles and Practices, McGraw-Hill, 1991, page 269.
3 Hammer, Willie, Handbook of System and Product Safety, Prentice-Hall, Inc., 1972, page 21.
Consider that deficiencies are contributory hazards, unsafe acts and/or conditions that can cause harm. Without appropriate hazard analysis, how would it be possible to identify the contributors?
7.2.3 Conformance to Codes, Standards, and Requirements
Another misconception to be considered by a reliability engineer is that conformance to codes, standards, and requirements provides assurance of acceptable risk. As indicated, appropriate system hazard analysis is needed to identify system hazards, so that the associated risk can be eliminated or controlled to an acceptable level.

Codes, standards, and requirements may not be appropriate, or they may be inadequate for the particular design. Therefore, risk control may be inadequate. The documents may be the result of many efforts,