Time: 2010-05-10 19:53  Source: Blue Sky Flight Translation  Author: admin

·  Humans are the least predictable links in complex systems since they may make
unpredictable errors.
·  Faulty design and implementation of such systems will cause them to deviate.
·  Deviations can cause contributory hazards and system accidents.
·  Cookbook and generic approaches do not work when there are system accidents and
system risks to consider.
·  It is not possible to segregate software, hardware, humans, and the environment in the system.
11 Ibid. Reheja, page 262.
FAA System Safety Handbook, Chapter 7: Integrated System Hazard Analysis
December 30, 2000
·  It may not be possible to determine what went wrong, what failed, or what broke.
·  The system does not have to break to contribute to the system accident.
·  Planned functions can be contributory hazards.
·  Software functions can be inadequate or inappropriate.
·  It is unlikely that a change in part of the software does not affect system risk.
·  A change in the application may change the risk.
·  Software is not generic and is not necessarily reusable.
·  The system can be “spoofed”.
·  A single error can propagate throughout a complex system.
·  Any software error, no matter how apparently inconsequential, can cause contributory events. Consider a process tool, automated calculations, automated design tools and safety systems.
·  It is very hard to appropriately segregate safety-critical software in open, loosely coupled systems.
·  Combinations of contributory events can have catastrophic results.
Considering the many concerns and observations listed in these axioms, software-intensive complex systems can still be designed to achieve acceptable risk through the implementation of appropriately integrated specialty engineering programs that identify, eliminate, or control system risks.
7.3 Use of Historical Data
Pertinent historical system-safety-related data and specific lessons-learned information are to be used to enhance analysis efforts. For example, specific reliability data on non-developmental items (NDI) and related equipment are appropriate. Specific operational and functional information on the commercial-off-the-shelf (COTS) software and hardware to be used is also appropriate. The suitability of NDI and COTS is determined from historical data. Specific knowledge concerning past contingencies, incidents, and accidents can also be used to refine analysis activities.
FAA System Safety Handbook, Chapter 8: Safety Analysis/Hazard Analysis Tasks
December 30, 2000
Chapter 8:
Safety Analysis: Hazard Analysis Tasks
8.1 THE DESIGN PROCESS ......................................................... 2
8.2 ANALYSIS ................................................................... 3
8.3 QUALITATIVE AND QUANTITATIVE ANALYSIS ...................................... 7
8.4 DESIGN AND PRE-DESIGN SAFETY ACTIVITIES ................................... 10
8.5 HOW TO REVIEW AND/OR SPECIFY A SAFETY ANALYSIS ............................ 21
8.6 EVALUATING A PRELIMINARY HAZARD ANALYSIS .................................. 25
8.7 EVALUATING A SUBSYSTEM HAZARD ANALYSIS .................................... 26
8.8 EVALUATING A SYSTEM HAZARD ANALYSIS ....................................... 29
8.9 EVALUATING AN OPERATING AND SUPPORT HAZARD ANALYSIS ....................... 30
8.10 EVALUATING A FAULT TREE ANALYSIS ......................................... 31
8.11 EVALUATING QUANTITATIVE TECHNIQUES ....................................... 35
8.0 Safety Analysis: Hazard Analysis Tasks
8.1 The Design Process
A system safety program (SSP) can be proactive or reactive. A proactive SSP influences the design process before that process begins. This approach incorporates safety features with minimal cost and schedule impact. A reactive process is limited to safety engineering analysis performed during the design process or, worse yet, following major design milestones. In this situation, the safety engineering staff is in the position of attempting to justify redesign and its associated cost.
Figure 8.1-1 is a top-level summary of a proactive SSP. Initial safety criteria are established by the