identify hazards and recommend solutions. The design details are known and the analyses cover all details
that are necessary to identify all possible risks. When evaluating an SSHA, the five points listed for the
PHA are applicable for the SSHA.
FAA System Safety Handbook, Chapter 8: Safety Analysis/Hazard Analysis Tasks
December 30, 2000
8-27
Most SSHAs are documented in the matrix format, while some are fault trees or other forms of logic
diagrams. Fault trees, by themselves, are incomplete and do not directly provide useful information. The
utility of fault trees comes from the cut and path sets they generate and the analysis of the cut and path sets
for common cause failures and independence of failures/faults. Fault trees are good for analyzing a
specific undesired event (e.g., rupture of pressure tank), and can find sequential and simultaneous failures,
but are time consuming and expensive. The SSHAs are more detailed than the PHA and are intended to
show that the subsystem design meets the safety requirements in the subsystem specification(s). If
hazards are not identified and corrected during the design process, they might not be identified and
corrected later when the subsystem designs are frozen and the cost of making a change is significantly
increased.
8.7.1 What Should be Found in a Subsystem Hazard Analysis?
There are many variations, but virtually all of them list key items in tabular form. As a minimum, there
should be information for:
· The subsystem, item, or component being analyzed
· Its function
· The hazards and risks
· The severity
· The likelihood of the risk. This likelihood should be based on existing controls.
· Controls (design, safety device, warning device, procedure, and personnel equipment).
· Reduction of risk (risk severity and probability), if known.
· Risk control verification method(s).
· Recommended corrective actions. These should include any method for controlling the risk that is not yet in place. Corrective changes to bring the subsystem into compliance with contractual requirements should already have been made.
· Status (open or closed).
8.7.2 What Should be the Level of Detail?
Determining the correct level of detail is a matter of judgment. One of the most important aspects of
conducting any analysis is knowing when to stop. It is not always practical to analyze all the way to the
individual nut and bolt or resistor and capacitor level, which seems like an obvious answer. To illustrate,
consider the following failures of an airliner fuel system:
· A fuel crossfeed valve fails partially open. This results in some uncommanded fuel crossfeed (from one tank to another) and usually is not a safety hazard. Therefore, further analysis will not be necessary.
· A fuel jettison (dump) valve fails partially open. This will result in loss of fuel during flight, so a serious hazard is present. Therefore, analyzing this valve's failure modes in detail (i.e., operating mechanism, power sources, indicator lights) is appropriate.
Figure 8-5 Level of Analysis (figure; labels recovered from the image): System, such as an aircraft (B747); subsystems: Fuselage, Flight Controls, Crew Systems, Landing Gear, Wings; subsystem under study: Flight Controls, with Crew Controls (Control Stick (pitch and roll), Rudder Pedals, Throttles, Engine Condition, Flaps and Spoilers), Hydraulics, Elevators, Ailerons, Rudder, and components Interlock, Lever Arm, Push/Pull Tube, Gimbal, Position xdcr, Interface. Annotations: "Hazards functionally are here" and "Causes or contributory hazards are here".
Secondary (undeveloped) and environmental failures require judgment too. During most FTAs, these
failures usually are not developed (i.e., pursued further) as they may be beyond the scope of the analyses.
These failures are labeled by diamond symbols in a fault tree.
8.7.3 What Actions Were Taken on Identified Hazards?
The evaluator should focus on recommended actions, actions already taken, and planned follow-up
actions. A matrix format provides good visibility of recommended changes to a design or the addition of a
procedural step to control a hazard. It makes it simpler to track closing an open item based upon a
recommended change. Issues should be kept open until each hazard is positively controlled or until
someone documents accepting the hazard. Options include the following alternatives:
· Write the SOW so that the "final" SSHA is delivered when the production baseline design is
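The SSHA matrix fields of 8.7.1 and the open/closed tracking rule of 8.7.3 (an item stays open until the hazard is positively controlled or its acceptance is documented) can be modelled directly. The following is an added example, not part of the handbook; the severity and likelihood scales, the risk index, and the two sample rows (built on the fuel-valve cases of 8.7.2) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed ordinal scales (this page defines none); index 0 is least severe/likely.
SEVERITY = ["negligible", "marginal", "critical", "catastrophic"]
LIKELIHOOD = ["improbable", "remote", "occasional", "probable"]

@dataclass
class SSHAEntry:
    """One row of an SSHA matrix, carrying the minimum fields listed in 8.7.1."""
    item: str                                # subsystem, item or component analyzed
    function: str
    hazard: str
    severity: str
    likelihood: str                          # judged with existing controls in place
    controls: List[str] = field(default_factory=list)
    verification: Optional[str] = None       # risk control verification method(s)
    recommended_action: Optional[str] = None
    accepted_by: Optional[str] = None        # documented acceptance of the hazard
    status: str = "open"

    def risk_index(self) -> int:
        """Assumed triage ranking: severity rank times likelihood rank (1..16)."""
        return (SEVERITY.index(self.severity) + 1) * (LIKELIHOOD.index(self.likelihood) + 1)

def can_close(e: SSHAEntry) -> bool:
    """8.7.3 rule: close only when the hazard is positively controlled (a control
    exists and its verification method is recorded) or acceptance is documented."""
    controlled = bool(e.controls) and e.verification is not None
    return controlled or e.accepted_by is not None

def close_item(e: SSHAEntry) -> bool:
    """Attempt to close; returns False and leaves the item open if the rule fails."""
    if not can_close(e):
        return False
    e.status = "closed"
    return True

def open_items(matrix: List[SSHAEntry]) -> List[SSHAEntry]:
    """Open items, worst risk first, for the evaluator's follow-up list."""
    return sorted((e for e in matrix if e.status == "open"),
                  key=lambda e: e.risk_index(), reverse=True)

# Constructed sample rows based on the fuel-system examples in 8.7.2.
CROSSFEED = SSHAEntry("Fuel crossfeed valve", "Transfer fuel between tanks",
                      "Fails partially open: uncommanded crossfeed", "negligible", "remote",
                      controls=["Crew monitors tank quantities"], verification="Procedure review")
JETTISON = SSHAEntry("Fuel jettison (dump) valve", "Dump fuel on command",
                     "Fails partially open: fuel loss in flight", "catastrophic", "remote",
                     recommended_action="Analyze mechanism, power sources, indicator lights")
```

The jettison row cannot be closed on a recommended action alone; it closes only once controls and their verification are recorded, or once acceptance is documented in the `accepted_by` field.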