examined or excluded
·  Specification of desired analysis techniques and/or report formats.
8.5 How to Review and/or Specify a Safety Analysis
8.5.1 What is the Objective?
When evaluating any hazard analysis, the reviewer should place emphasis on the primary purposes for performing the analysis. They all should provide the following:
·  The identification of actual hazards and risks. Hazards may occur from either simultaneous or sequential failures and from "outside" influences, such as environmental factors or operator errors.
·  An assessment of each identified risk. A realistic assessment considers the risk severity (i.e., what is the worst that can happen?) and the potential frequency of occurrence (i.e., how often can the accident occur?). Risk as a function of expected loss is determined by the severity of loss and how often the loss occurs. Some hazards are present all of the time, or most of the time, but do not cause losses.
·  Recommendations for resolution of the risk (i.e., what should we do about it?). Possible solutions mapped into the safety precedence of Chapter 4 are shown in Figure 8-4.
HAZARD: Failure to extend landing gear prior to landing an aircraft.

Resolution Method                      Example
Change design to eliminate hazard.     Use fixed (nonretractable) landing gear.
Use safety devices.                    Have landing gear extend automatically when certain parameters exist (e.g., airspeed, altitude).
Use warning devices.                   Provide a warning light, horn, or voice if the landing gear is not down when certain parameters are met (as above).
Use special training and procedures.   Instruct pilot to extend the gear prior to landing. Incorporate in flight simulators. Place a step "Landing Gear Down" in the flight manual.

Figure 8-4: Safety Precedence Hazard Resolution Example
FAA System Safety Handbook, Chapter 8: Safety Analysis/Hazard Analysis Tasks, December 30, 2000, page 8-22

8.5.2 Is the Analysis Timely?
The productivity of a hazard analysis is directly related to when, in the development cycle of a system, the analysis is performed. A Preliminary Hazard Analysis (PHA), for example, should be completed in time to influence the safety requirements in specifications and interface documents. Therefore, the PHA should be submitted prior to the preliminary design review. The instructions for a system request for proposal (RFP) with critical safety characteristics should include the requirement to submit a draft PHA with the proposal. This initial PHA provides a basis for evaluating the bidder's understanding of the safety issues. As detailed design specifications and details emerge, the PHA must be revised. The System Hazard Analysis and Subsystem Hazard Analyses (SHA and SSHA) are typically submitted prior to a Critical Design Review (CDR) or other similar review. They cannot be completed until the design is finalized at completion of the CDR. Finally, Operating and Support Hazard Analyses (O&SHA) are typically submitted after operating, servicing, maintenance, and overhaul procedures are written, prior to initial system operation.
Analyses must be done in time to be beneficial. Determining after the fact that the timing was too late, and rejecting the analysis for this reason, provides little benefit. For example, if an SHA is performed near the end of the design cycle, it provides little benefit. The time to prevent this situation is during contract generation or, less efficiently, at a major program milestone such as a design review.
When reviewing an analysis, the following may provide some insight as to whether the analysis was performed in a timely manner:
·  Is there a lack of detail in the reports? This lack of detail may also be due to insufficient experience or knowledge on the analyst's part, or to a lack of detailed design information at the time.
·  Are hazards corrected by procedure changes rather than through design changes? This may indicate that hazards were detected too late to impact the design, or that the safety program did not receive the proper management attention.
·  Are the controls for some hazards difficult to assess, and therefore require verification through testing or demonstration? For example, consider an audio alarm control for minimizing the likelihood of landing an aircraft in a wheels-up condition. The analyst or the reviewer may realize that there are many potential audio alarms in the cockpit that may require marginally too much time to sift through. The lack of a planned test or of test details should raise a warning flag. This may indicate poor integration between design, safety, and test personnel, or an inadequate understanding of the system safety impact on the test program.
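The two review questions above about procedure-only controls and untested controls, together with the safety precedence ordering of Figure 8-4, can be applied mechanically to a hazard register. The following Python block is an added example, not part of the Handbook; the hazard records, the ordinal severity and frequency scales, and the field names (needs_test, test_planned) are constructed here for illustration, and the landing gear hazard is taken from Figure 8-4.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Precedence(IntEnum):
    """Safety precedence as mapped in Figure 8-4; a lower value is the preferred resolution."""
    DESIGN_CHANGE = 1        # change the design to eliminate the hazard
    SAFETY_DEVICE = 2        # automatic device that prevents the mishap
    WARNING_DEVICE = 3       # alerts the operator so they can act
    PROCEDURE_TRAINING = 4   # relies on special training and procedures


@dataclass
class Control:
    description: str
    precedence: Precedence
    needs_test: bool = False     # effectiveness is hard to assess analytically (assumed field)
    test_planned: bool = False   # a test or demonstration exists in the test program (assumed field)


@dataclass
class Hazard:
    name: str
    severity: int    # constructed ordinal scale: 1 (negligible) .. 4 (catastrophic)
    frequency: int   # constructed ordinal scale: 1 (improbable) .. 4 (frequent)
    controls: list = field(default_factory=list)

    def risk_index(self) -> int:
        # Risk as a function of expected loss: severity combined with how often the loss occurs.
        return self.severity * self.frequency

    def best_precedence(self):
        # The strongest (lowest-numbered) resolution level applied to this hazard, or None.
        return min((c.precedence for c in self.controls), default=None)


def procedure_only_hazards(hazards):
    """Hazards whose only controls are procedures/training: a sign the hazard was found too late to change the design."""
    return [
        h for h in hazards
        if h.controls and all(c.precedence == Precedence.PROCEDURE_TRAINING for c in h.controls)
    ]


def unverified_controls(hazards):
    """(hazard, control) pairs where verification by test is needed but no test is planned."""
    return [
        (h.name, c.description)
        for h in hazards
        for c in h.controls
        if c.needs_test and not c.test_planned
    ]


def review_order(hazards):
    """Hazards sorted for reviewer attention: highest risk index first."""
    return sorted(hazards, key=lambda h: h.risk_index(), reverse=True)


# Constructed sample register (severity/frequency values are illustrative, not from the Handbook).
SAMPLE_HAZARDS = [
    Hazard(
        "Failure to extend landing gear prior to landing",
        severity=4, frequency=3,
        controls=[
            Control("Audio alarm when gear not down below threshold altitude/airspeed",
                    Precedence.WARNING_DEVICE, needs_test=True, test_planned=False),
            Control("'Landing Gear Down' step in the flight manual", Precedence.PROCEDURE_TRAINING),
        ],
    ),
    Hazard(
        "Hydraulic fluid contamination during servicing",
        severity=2, frequency=2,
        controls=[Control("Servicing checklist requires filtered fluid", Precedence.PROCEDURE_TRAINING)],
    ),
    Hazard(
        "Gear collapse from retraction on the ground",
        severity=4, frequency=1,
        controls=[Control("Weight-on-wheels interlock blocks retraction", Precedence.SAFETY_DEVICE)],
    ),
]


if __name__ == "__main__":
    for h in review_order(SAMPLE_HAZARDS):
        print(f"{h.risk_index():>2}  {h.name}  (best precedence: {h.best_precedence().name})")
    print("Procedure-only:", [h.name for h in procedure_only_hazards(SAMPLE_HAZARDS)])
    print("Unverified controls:", unverified_controls(SAMPLE_HAZARDS))
```

Running it lists the register by risk index, flags the servicing hazard as resolved only by procedure, and reports the audio alarm as a control that needs a test the test program does not yet plan, which is exactly the warning flag the checklist describes.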