·  Is there a lack of specific recommendations? Some incomplete or late hazard reports may
have vague recommendations such as "needs further evaluation" or "will be corrected by
procedures." Recommendations that could have or should have been acted on by the
contractor and closed out before the report was submitted are other clear indications of
inadequate attention. Recommendations to make the design comply with contractual
specifications and interface requirements are acceptable resolutions, provided the
specifications address the hazard(s) identified.
Ideally, the final corrective action(s) should be stated in the analysis. In most cases, this is not possible
because the design may not be finalized, or procedures have not been written. In either case, actions that
control risk to acceptable levels should be identified. For example, if a hazard requires procedural
corrective action, the report should state where the procedure would be found, even if it will be in a
document not yet written. If the corrective action is a planned design change, the report should state that,
and how the design change will be tracked (i.e., who will do what and when). In any case, the planned
specific risk control actions should be included in the data submission. These risks should be listed in a
hazard tracking and resolution system for monitoring.
FAA System Safety Handbook, Chapter 8: Safety Analysis/Hazard Analysis Tasks (December 30, 2000), page 8-23
If specific risk control implementation details are not yet known (as can happen in some cases), there are
two main options:
·  Keep the analysis open and periodically revise the report as risk control actions are
implemented. (This will require a contract change proposal if outside the scope of the original
statement of work (SOW)). For example, an SSHA might recommend adding a warning horn
to the gear "not down" lamp for an aircraft. After alternatives have been evaluated and a
decision made, the analysis report (and equipment specification) should be revised to include
"An auditory and a visual warning will be provided to warn if the landing gear is not
extended under the following conditions .....".
·  Close the analysis, but indicate how to track the recommendation. (Provisions for tracking
such recommendations must be within the scope of the contract's SOW.) This is usually done
for a PHA, which is rarely revised. For example, a PHA may recommend a backup
emergency hydraulic pump. The analysis should state something like "... recommend
emergency hydraulic pump that will be tracked under Section L of the hydraulic subsystem
hazard analysis." This method works fine if the contract's SOW requires the analyst to
develop a tracking system to keep hazards from getting lost between one analysis and the
next. The presence of a centralized hazard tracking system is a good indicator of a quality
system safety program and should be a contractual requirement.
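The close-out rules above (specific recommendation, stated location of the corrective action, and either a tracked design change or an explicit hand-off to another analysis) are easy to encode as checks on a hazard register. The following is an added illustration, not a tool from the handbook or the FAA; the register, the vague-phrase list, the analysis names and the hazard records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Phrases the text cites as non-specific recommendations, plus two common
# placeholders (constructed list; extend it to match local reporting habits).
VAGUE_PHRASES = (
    "needs further evaluation",
    "will be corrected by procedures",
    "to be determined",
    "tbd",
)

# Analyses the register knows about (constructed names).  A hand-off to an
# analysis not listed here is refused, so a hazard cannot be "lost between one
# analysis and the next".
KNOWN_ANALYSES = {"PHA", "Hydraulic SSHA", "Landing Gear SSHA"}


@dataclass
class Hazard:
    hazard_id: str
    description: str
    recommendation: str
    analysis: str                                # analysis that raised the hazard
    status: str = "open"                         # "open" or "closed"
    corrective_action_ref: Optional[str] = None  # procedure/document or design-change tracker
    tracked_in: Optional[str] = None             # downstream analysis now responsible, if any


def is_vague(recommendation: str) -> bool:
    """True if the recommendation is empty or matches a known non-specific phrase."""
    text = recommendation.strip().lower()
    return not text or any(p in text for p in VAGUE_PHRASES)


def hand_off(h: Hazard, target: str, known_analyses: set[str]) -> bool:
    """Close a hazard by transferring it to another analysis (the second option
    in the text).  Returns False, leaving the record untouched, if the target is
    not a known analysis."""
    if target not in known_analyses:
        return False
    h.tracked_in = target
    h.status = "closed"
    return True


def check_record(h: Hazard) -> list[str]:
    """Return the deficiencies a reviewer would flag for one record."""
    findings = []
    if is_vague(h.recommendation):
        findings.append("recommendation is vague or missing")
    if h.status == "closed" and not (h.corrective_action_ref or h.tracked_in):
        findings.append("closed with no corrective action reference and no tracking hand-off")
    if h.status == "open" and h.corrective_action_ref is None and h.tracked_in is None:
        findings.append("open with no stated location for the risk control action")
    return findings


def audit_register(hazards: list[Hazard]) -> dict[str, list[str]]:
    """Audit every record; only records with findings appear in the result."""
    return {h.hazard_id: f for h in hazards if (f := check_record(h))}


def sample_register() -> list[Hazard]:
    """Constructed sample records echoing the two worked examples in the text."""
    h1 = Hazard("H-1", "Landing gear not extended on approach",
                "Add an auditory warning in addition to the gear 'not down' lamp",
                analysis="Landing Gear SSHA",
                corrective_action_ref="design change DC-17 (constructed id)")
    h2 = Hazard("H-2", "Loss of primary hydraulic pressure",
                "Recommend backup emergency hydraulic pump", analysis="PHA")
    hand_off(h2, "Hydraulic SSHA", KNOWN_ANALYSES)   # closed by transfer, not dropped
    h3 = Hazard("H-3", "Uncommanded flap retraction",
                "Needs further evaluation", analysis="PHA", status="closed")
    return [h1, h2, h3]


if __name__ == "__main__":
    for hazard_id, findings in audit_register(sample_register()).items():
        print(hazard_id, "->", "; ".join(findings))
```

Running the block reports only H-3: its recommendation is one of the vague phrases and it was closed without either a corrective action reference or a hand-off. H-1 stays open with a tracked design change, and H-2 is closed because it was transferred to a known downstream analysis, which is exactly the state the centralized tracking system is meant to preserve.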
8.5.3 Who Should Perform the Analysis?
The analyst performing the analysis needs to be an experienced system safety person familiar with the
system being analyzed. The system safety engineer should not only be familiar with the subsystem being
analyzed, but should also have some prior system safety experience. As discussed in Chapter 4, the
required qualifications should match the nature of the system being evaluated. It is just as important not
to over-specify as to under-specify. These personnel qualification issues need to be resolved in the System
Safety Program Plan, before assets are expended on an inadequate analysis.
Failure Modes and Effects Analysis (FMEA) / Failure Modes, Effects, and Criticality Analysis (FMECA)
Some system safety analyses get a "jump start" from FMEAs or FMECAs prepared by reliability
engineers. The FMEA/FMECA data get incorporated into system safety analyses by adding a hazard
category or other appropriate entries. This saves staffing and funds. An FMEA/FMECA performed by a
reliability engineer will have different objectives than the safety engineer's analyses. The following
cautions should be noted:
·  Corrective action for hazards surfaced by these tools is the responsibility of the safety
engineer(s).
·  Sequential or multiple hazards may not be identified by the FMEA/FMECA.
·  Some hazards may be missing. This is because many hazards are not a result of component
failures (e.g., human errors, sneak circuits).
·  Not all failure modes are hazards. If the FMECA is blindly used as the foundation for a
hazard analysis, time could be wasted on adding safety entries for non-safety-critical systems.
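The difference in objectives is visible in the data shapes: an FMEA/FMECA is component-centric (one row per failure mode), while a hazard analysis is effect-centric (one entry per hazard, possibly with many causes). The import below, an added illustration that is not from the handbook or any FAA tool, carries only failure modes above an assumed severity threshold into hazard entries, merges rows that produce the same hazardous effect, keeps corrective-action ownership with the safety engineer, and returns the excluded rows so the analyst sees what was left out. The severity scale (MIL-STD-882 style categories I through IV), the threshold and the sample rows are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed severity scale: I = catastrophic ... IV = negligible.
HAZARD_CATEGORY = {"catastrophic": "I", "critical": "II", "marginal": "III", "negligible": "IV"}
SEVERITY_RANK = {"I": 0, "II": 1, "III": 2, "IV": 3}   # lower rank = more severe
SAFETY_CRITICAL = {"I", "II"}   # assumed threshold for carrying a failure mode into the hazard analysis


@dataclass
class FmeaRow:
    component: str
    failure_mode: str
    effect: str
    severity: str   # one of the HAZARD_CATEGORY keys


@dataclass
class HazardEntry:
    description: str                # the hazardous effect, which is what the hazard analysis tracks
    hazard_category: str            # the added "hazard category" entry the text mentions
    causes: list[str] = field(default_factory=list)   # FMECA rows contributing to this hazard
    owner: str = "system safety engineer"             # corrective action stays with safety
    recommendation: str = ""        # to be supplied by the safety engineer, not the FMEA


def import_fmea(rows: list[FmeaRow]) -> tuple[list[HazardEntry], list[FmeaRow]]:
    """Convert FMEA/FMECA rows into hazard entries.

    Rows below the safety-critical threshold are returned in the second list
    rather than silently dropped.  Rows sharing an effect are merged into one
    hazard whose category is the most severe of its contributing rows."""
    by_effect: dict[str, HazardEntry] = {}
    excluded: list[FmeaRow] = []
    for r in rows:
        cat = HAZARD_CATEGORY.get(r.severity.strip().lower())
        if cat is None:
            raise ValueError(f"unknown severity {r.severity!r} for {r.component}")
        if cat not in SAFETY_CRITICAL:
            excluded.append(r)
            continue
        entry = by_effect.get(r.effect)
        if entry is None:
            entry = HazardEntry(description=r.effect, hazard_category=cat)
            by_effect[r.effect] = entry
        elif SEVERITY_RANK[cat] < SEVERITY_RANK[entry.hazard_category]:
            entry.hazard_category = cat
        entry.causes.append(f"{r.component}: {r.failure_mode}")
    return list(by_effect.values()), excluded


def sample_rows() -> list[FmeaRow]:
    """Constructed FMECA rows (not from any real analysis)."""
    return [
        FmeaRow("Hydraulic pump A", "loss of output", "Loss of hydraulic pressure", "critical"),
        FmeaRow("Hydraulic pump B", "loss of output", "Loss of hydraulic pressure", "critical"),
        FmeaRow("Gear position sensor", "stuck at 'down'",
                "Landing gear not extended without warning", "catastrophic"),
        FmeaRow("Cabin reading light", "open filament", "Loss of reading light", "negligible"),
    ]


if __name__ == "__main__":
    entries, excluded = import_fmea(sample_rows())
    for e in entries:
        print(f"Cat {e.hazard_category}: {e.description} <- {e.causes}")
    print(f"{len(excluded)} row(s) below threshold, not imported")
```

Note what the import cannot produce: hazards with no component failure behind them (human error, sneak circuits) and hazards that only arise from a sequence of events never appear in the rows, so the safety engineer still adds those entries by hand and supplies every recommendation.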