Posted: 2010-05-10 19:53 Source: Blue Sky Flight Translation Author: admin
identifies the accident sequence in which common contributory events are possible due to physical
relationships.
Other analysis techniques also address location relationships, for example, vicinity analysis, and zonal
analysis. One must determine the possible outcome should a common event occur that can affect all legs of
redundancy simultaneously, e.g., a major fire within a particular fire division, an earthquake causing
common damage, fuel leakage in an equipment bay of an aircraft, or an aircraft strike into a hazardous
location.
Keep in mind that the designers of the Titanic considered compartmentalization for watertight construction.
However, they failed to consider latent common design flaws, such as defects in the steel plating, the state
of knowledge of the steel manufacturing process, or the effects of cold water on steel.
Another misconception relates to monitoring; i.e., that the system is safe because it is monitored. Safety
monitoring should be designed appropriately to assure that there is confidence in the knowledge of the
System State. The system is said to be balanced when it is functioning within appropriate design
parameters. Should the system become unbalanced, the condition must be recognized in order to stabilize
the system before the point of no return. This concept is illustrated in Figure 7-5. The "point of no return"
is the point beyond which damage or an accident may occur.
6 Redundancy Management requirements were developed for initial Space Station designs.
7 System Safety Society, System Safety Analysis Handbook, 2nd Edition, 1997. Pages 3-37 and 3-38.
FAA System Safety Handbook, Chapter 7: Integrated System Hazard Analysis
December 30, 2000
7 - 15
Figure 7-7: Event Flow
[Figure: event-flow diagram. Labelled stages: Initiator Event(s); System in Balance (Normal State); System Becomes Unbalanced; Contingency Starts; Detection; Loss Control Starts; Recovery; Point of No Return; Harm; System Down; System Rechecked; System Retest Satisfactorily.]
Monitoring devices can be incorporated into the design to check that conditions do not reach dangerous
levels (or imbalance) to ensure that no contingency exists or is imminent. Monitors8 can be used to
indicate:
·  Whether or not a specific condition exists. If indication is erroneous, contributory
hazards can result.
·  Whether the system is ready for operation or is operating satisfactorily as
programmed. An inappropriate ready indication or inappropriate satisfactory
indication can be a problem from a safety point of view.
·  If a required input has been provided. An erroneous input indication can cause
errors and contributory hazards.
·  Whether or not the output is being generated.
7.2.5 Probability as a Risk Control
Probability is the expectancy that an event can take place a certain number of times in a specific number of
trials. Probabilities provide the foundations for numerous disciplines, scientific methodologies, and risk
evaluations. Probability is appropriate in reliability, statistical analysis, maintainability, and system
effectiveness.
Over time, the need for numerical evaluations of safety has generated an increase in the use of probabilities
for this purpose. In 1972, Hammer expressed concerns and objections about the use of quantitative
analysis to determine probability of an accident9. These concerns and objections are based on the following
reasons:
8 Ibid. Hammer, page 262.
·  A probability, such as reliability, guarantees nothing. Actually, a probability indicates
that a failure, error, or mishap is possible, even though it may occur rarely over a
period of time or during a considerable number of operations. Unfortunately, a
probability cannot indicate exactly when, during which operation, or to which person a
mishap will occur. It may occur during the first, last, or any intermediate operation in
a series. For example, a solid propellant rocket motor developed as the propulsion unit
for a missile had an overall reliability indicating that two motors of every 100,000
fired would probably fail. The first one tested blew up.
·  Probabilities are projections determined from statistics obtained from past experience.
Although equipment to be used in actual operations may be exactly the same as the
equipment for which the statistics were obtained, the conditions under which it will be
operated may be different. In addition, variations in production, maintenance,
handling, and similar processes generally preclude two or more pieces of equipment