which may or may not be appropriately related to system safety objectives. For example, activities of
committees may result in consensus, but the assumptions may not address specific hazards. The extensive
analysis that has been conducted in support of document development may not have considered the
appropriate risks. Also, the document may be outdated by rapid technological advancement.
As pointed out in the Final Report of the National Commission on Product Safety, industrial standards are
based on the desire to promote maximum acceptance within industry. To achieve this goal, the standards
are frequently innocuous and ineffective.4
Good engineering practice is required in all design fields. Certain basic practices can be utilized, but a
careful analysis must be conducted to ensure that the design is suitable for its intended use.
7.2.4 Independent Redundancy and Monitoring
Consider another inappropriate assumption: that the system is redundant and monitored, so it must be safe.
Unfortunately this may not be true. Proving that each redundant subsystem, or string, or leg is truly
redundant may not be totally possible. Proving that the system will work as intended is also a concern.
Take for example a complex microprocessor and its associated software. These complex systems are never
perfect according to Jones:
(response to all inputs not fully characterized), there may be remnant faults in
hardware/software and the system will become unpredictable in its response when exposed
to abnormal (unscheduled) conditions e.g. excess thermal, mechanical, chemical,
radiation environments.5
This being the case, what can the system safety engineer do to assure acceptable risk? How does one prove
independence and appropriate monitoring?
Defining acceptable risk is dependent on the specific entity under analysis, i.e., the project, process,
procedure, subsystem, or system. Judgment has to be made to determine what can be tolerated should a
loss occur. What is an acceptable catastrophic event likelihood? Is a single fatality acceptable, if the event
can occur once in a million chances? This risk assessment activity can be conducted during a system safety
working group effort within a safety review process. The point to be made here is that a simplistic
assumption, which is based upon a single hazard or risk control (redundancy and monitoring), may be over
simplistic.
4 Ibid. Hammer page 26.
5 Jones, Malcolm, The Role of Microelectronics and Software in a Very High Consequence System, Proceedings of the 15th
International System Safety Conference - 1997, page 336.
FAA System Safety Handbook, Chapter 7: Integrated System Hazard Analysis
December 30, 2000
7 - 14
Proving true redundancy is not cut-and-dried in complex systems. It may be possible to design a hardware
subsystem and show redundancy, i.e. redundant flight control cables, redundant hydraulic lines, or
redundant piping. When there are complex load paths, complex microprocessors, and software, true
independence can be questioned. The load paths, microprocessors, and software must also be independent.
Ideally, different independent designs should be developed for each redundant leg. However, even
independent designs produced by different manufacturers may share a common failure mode if the
requirements given to the software programmers are wrong.
The concepts of redundancy management should be appropriately applied.6 Separate microprocessors and
software should be independently developed. Single point failures should be eliminated if there are
common connections between redundant legs. The switch-over control to accommodate redundancy
transfer should also be redundant. System safety would be concerned with the potential loss of transfer
capability due to a single common event.
Common events can eliminate redundancy. The use of similar hardware and software presents additional
risks, which can result in loss of redundancy. A less-than-adequate process, material selection, common
error in assembly, material degradation, quality control, inappropriate stress testing, or calculation
assumption: all can present latent risks that can result in common events. A general rule in system safety
states that the system is not redundant unless the state of the backup leg is known and the transfer is truly
independent.
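The three ways the paragraphs above say redundancy gets lost (a common event hitting both legs, a backup whose state is not known, and a switch-over that is itself a single point of failure) can be put into a small probability model. The following is an added illustration, not the handbook's own method or figures; it assumes a two-leg system in which each leg fails on demand with probability p_fail, a fraction beta of that probability is a common-cause event that takes both legs at once (the beta-factor convention used in common cause analysis), an unmonitored backup may already be failed without anyone knowing (p_latent, a constructed value), and the transfer mechanism may fail with probability p_transfer_fail. The leg names, numbers and function names are all assumptions chosen for the example.

```python
"""Added example (not from the FAA handbook): how common-cause events, an
unmonitored backup leg, and a non-independent transfer erode a two-leg
redundant system. All parameter values are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Leg:
    name: str
    p_fail: float          # probability the leg fails on demand
    monitored: bool        # True if the leg's state is continuously known
    p_latent: float = 0.0  # probability the leg is already failed, undetected
                           # (only counts when monitored is False)


def backup_availability(backup: Leg, beta: float, p_transfer_fail: float) -> float:
    """Probability the backup leg actually carries the load when called on."""
    p_independent = (1.0 - beta) * backup.p_fail
    # A monitored leg's latent failure would have been detected and repaired,
    # so only an unmonitored leg carries a hidden pre-existing failure.
    p_hidden = 0.0 if backup.monitored else backup.p_latent
    return (1.0 - p_independent) * (1.0 - p_hidden) * (1.0 - p_transfer_fail)


def loss_probability(primary: Leg, backup: Leg, beta: float,
                     p_transfer_fail: float) -> float:
    """Probability that a demand on the system ends in loss of function.

    Assumption: the common-cause term is taken as beta times the primary's
    p_fail (beta-factor model); a common event defeats both legs at once."""
    p_common = beta * primary.p_fail
    p_primary_independent = (1.0 - beta) * primary.p_fail
    p_backup_unavailable = 1.0 - backup_availability(backup, beta, p_transfer_fail)
    # Loss if a common-cause event hits, or the primary fails on its own
    # and the backup cannot take over (failed, latently failed, or no transfer).
    return p_common + (1.0 - p_common) * p_primary_independent * p_backup_unavailable


def is_truly_redundant(backup: Leg, transfer_independent: bool) -> bool:
    """The rule stated in the text: no credit for redundancy unless the
    backup's state is known and the transfer is truly independent."""
    return backup.monitored and transfer_independent


if __name__ == "__main__":
    ideal_a = Leg("A", p_fail=1e-3, monitored=True)
    ideal_b = Leg("B", p_fail=1e-3, monitored=True)
    print("independent, monitored, reliable transfer:",
          loss_probability(ideal_a, ideal_b, beta=0.0, p_transfer_fail=0.0))
    print("10% common-cause fraction:",
          loss_probability(ideal_a, ideal_b, beta=0.1, p_transfer_fail=0.0))
    latent_b = Leg("B", p_fail=1e-3, monitored=False, p_latent=0.05)
    print("unmonitored backup, 5% latent failure:",
          loss_probability(ideal_a, latent_b, beta=0.0, p_transfer_fail=0.0))
    print("single switch failing 1% of the time:",
          loss_probability(ideal_a, ideal_b, beta=0.0, p_transfer_fail=0.01))
    print("latent backup counted as redundant?", is_truly_redundant(latent_b, True))
```

With the constructed numbers, two independent, monitored legs with a perfect switch reach a loss probability of one in a million per demand; a 10% common-cause fraction alone raises that to about one in ten thousand, and an unmonitored backup or a fallible single switch lands in between. The point of the model is only that the common-cause term enters linearly in p_fail while the independent term enters as p_fail squared, which is why the handbook's rule refuses redundancy credit until the backup's state and the transfer path have been shown independent.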
Physical location is another important element when evaluating independence and redundancy. Appropriate
techniques of separation, protection, and isolation are important. In conducting Common Cause Analysis,
a technique described in the System Safety Analysis Handbook,7 as well as this handbook, not only is the
failure state evaluated, but possible common contributory events are also part of the equation. The analyst