page 192
•Hazard level (either likelihood and/or effects) should be indicated on a PHA, these levels are specific to the application. For example, NASA uses 1, 1R, 2, 2R, etc. Other methods may have several divisions between ‘impossible’ to ‘always’.
•Design criteria are used to specify constraints on a design to minimize or prevent a hazard. For example the hazard of an engine still running even after controller power has failed suggests that the motor must not operate when controller power is off.
•The operational phase which a hazard might occur in must also be considered. Some hazards will become more/less severe over the operational life.
Preliminary Hazard Analysis Form |
PHA Ref. #/Title |
Operation Mode
Subsystem/Operation
Effective
Engineer |
|
|
|
|
|
|
|
|
Date |
|
|
|
||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Hazardous |
|
Hazard |
|
Hazard |
|
Hazard |
|
Safety |
|
Hazard |
|
|||
|
|
|
|
|
|
|||||||||
Condition |
|
Cause |
|
Effect |
|
Level |
|
Requirements |
|
Control |
|
|||
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Sheet of
8.1.9 Implemented Risk Management Programs
8.1.9.1 - NASA Safety Methods
page 193
•A large part of NASA’s policies deal with identifying potential problems, and eliminating or reducing them. This system has been recognized as successful and sufficient when properly implemented [Leveson, 1995, pg. 274]. These are not described in detail here, as they are somewhat distant from the design process, although they do provide a valuable source of feedback and control.
•NASA bases most of it’s analysis of systems on FMEA and CILs. (The CIL below is from [Leveson, 1995, pg. 283])
Shuttle Critical Items List - Orbiter
Subsystem: |
FMEA No.: |
Revision: |
|
Assembly: |
|||
Abort.: |
Crit. Func.: |
||
P/N RI: |
|||
|
Crit. Hdw.: |
||
P/N Vendor: |
Vehicle: |
||
|
|||
Quantity: |
Effectivity: |
|
|
|
|
||
|
Phase: |
|
|
|
Redundancy Screen: |
|
|
|
|
|
|
Prepared by: |
Approved by: |
Approved by (NASA): |
|
|
|
|
|
Item: |
|
|
|
Function: |
|
|
|
Failure Mode: |
|
|
|
Cause(s): |
|
|
Effect(s) on (A)Subsystem (B)Interfaces (C)Mission (D)Crew/Vehicle
Disposition and Rationale:
• The FMEA is done by contractors and, based on the results a criticality is assigned to each item. 1 - failure could cause loss of life or vehicle
1R - failure could cause loss of life or vehicle, but redundant hardware is present 1S - a ground support element that could cause loss of life or equipment
2 - failure could cause loss of mission