Subsystem hazard analysis

The purpose of the project evaluation tree is to provide a relatively simple, straightforward, and efficient method of performing an in-depth evaluation or analysis of a project or operation. It is best suited for performing operating hazard analysis and accident analysis. It can also be a valuable review and inspection tool. If adequate information is available, PET analysis may be helpful in performing preliminary hazard analysis, subsystem hazard analysis, and system hazard analysis. 

Hierarchical Approach is a simple but powerful methodology for the synthesis of process flowsheets. It consists of a top-down analysis organised as a clearly defined sequence of tasks grouped in levels. Each level solves a fundamental problem as, number of plants, input/output structure, reactor design and recycle structure, separation system, energy integration, environmental analysis, safety and hazard analysis, and plantwide control. At each level, systematic methods can be applied for the synthesis of subsystems, as chemical reaction, separations, or heat exchangers network. 

Level 3 Blackbox Models Environment models Operator Task models HCI models Blackbox functional models Interface specifications Analysis plans and results. Subsystem Hazard Analysis... 

Most hazards analyses review a subset of a larger system. For example, a refinery hazards analysis team may carry out a hazards analysis on just the catalytic cracking unit, a pipeline company may analyze just the marine loading operations, or an offshore team may analyze just one platform in a larger complex. Yet these subsystems are part of larger systems, which means that hazards can be transferred to or from the other units across the interfaces. 

The Level 4 SSA is at the aircraft level and is the responsibihty of the aircraft integrator. For a modification (e.g. STC), it is scoped to consider the performance of the new system as well as the interaction between all affected aircraft systems. Safety requirements are functionally decomposed in a hierarchical structure from product (i.e. aircraft) level to subsystem (e.g. altitude display system) to components (e.g. Altitude Display Unit). At Level 4 the safety requirements are those requirements generated from the aireraft Functional Hazard Analysis (FHA) based on required aircraft functions... 

Common hazard analysis tasks include the preparation of a preliminary hazard analysis, systems and subsystem hazard analyses, and an operating hazard analysis. These tasks also aid in the hazard control and hazard reduction effort. 

As a project is developed and more detailed design data are available, a system hazard analysis (SHA) and subsystem hazard analyses (SSHAs) may be conducted to provide more detailed, in-depth risk assessment information. Two of the more widely used techniques for performing SHAs and SSHAs are the failure modes and effects analysis (FMEA) and fault tree analysis (FTA). 

Again the process involves a preliminary hazard analysis to be done very early in the concept stage, followed by subsystem hazard analysis as subsystems are developed, systems hazard analysis that looks at interfaces between subsystems, and, finally, the operating hazard analysis, which tends to add the human element and evaluate procedures. 

The MORT tools and techniques can be helpful in preparing a safety analysis report (SAR), the upstream safety product most frequently required for new DOE programs, but the more common system safety products (system safety program plan, preliminary hazard analysis, system/subsystem hazard analysis, operating hazard analysis) are not a dominant part of the MORT program and are seldom even referenced in System Safety Development Center (SSDC) documents. 

Laundry lists of analyses frequently mix types of analyses (preliminary hazard analysis, system hazard analysis, and operating hazard analysis) with the methods or techniques for performing analyses (fault tree analysis, energy trace and barrier analysis, failure modes and effects analysis, common cause analysis, change analysis, and so on). Whether fault hazard analysis is a type or a method depends upon the reference in use. For all practical purposes, fault hazard analysis and system (or subsystem) hazard analysis seem to be the same thing, which is apparently called gross hazard analysis occasionally. 

Hazard identification is continued throughout the design stage and documented in the preliminary hazard analysis (PHA), subsystem hazard analysis (SSHA), and the system hazard analysis (SHA). Even though the primary purpose of these products is to analyze previously identified hazards and to determine the adequacy of controls, every effort should be made to continue to identify new hazards, especially those associated with interfaces and changes. 

After the PHA is complete, first subsystem hazard analysis (SSHA) and, if required, system hazard analysis (SHA) are performed. Depending on the nature and complexity of the end product and the results of the PHA, SSHAs may be performed on all subsystems or just on selected critical subsystems. Unlike MIL-STD-882B, software analyses are not generally identified separately. If applicable, preliminary software hazard analysis is part of the PHA. Software should be treated as a subsystem and, if further software analysis is required, an SSHA can be performed on the software. 

The recommended techniques for preliminary hazard analysis are energy trace and barrier analysis (ETBA) and failure modes and effects analysis (FMEA). Recommended techniques for system and subsystem hazard analyses are FMEA, fault tree analysis (FTA), common cause analysis, sneak circuit analysis (for electrical, electronic, and some hydraulic or pneumatic circuits) and, of course, software hazard analysis for software. 

The subsystem hazard analysis (SSHA) provides detailed analysis of hazards associated with specific systems. Depending upon the complexity and nature... 

The subsystem hazard analysis report contains a description of the subsystem and a narrative summary of key findings that specifically address the adequacy of the controls placed on any high hazards associated with the end products, the level of residual risks that remain after controls have been applied, and recommendations for further analysis or testing. The report should also describe the techniques and methodology used in performing the analysis, including risk assessment and risk acceptance criteria. The report should also contain the hazard report worksheets used in the study. 

Figure 8-4 shows a subsystem hazard analysis worksheet. 

Worksheets are normally not required. If the complexity of the change dictates the use of worksheets, use the system/subsystem hazard analysis worksheet format depicted earlier in Figure 8-4. 

R0 HOUR SYSTEM SAFETY (CHAPTERS in PRUSRNARV HAZMTOMIALYSO (CHAPTERS) SUBSYSTEMS SYSTEM HAZARD ANALYSIS (CHPTt) OSMQE ANALYSE (CHAPTERS S.17) (CHAPTERS)... 

Based on the results of the PHA, recommendations made by 30% review boards, and guidance provided in the system safety program plan, detailed hazard analyses are made of specified (critical) subsystems. The techniques for these SSHAs are as outlined in the system safety program plan or as selected by the SSWG. Failure modes and effects analysis (FMEA) and/or fault tree analysis (FTA) are generally the techniques of choice. Software hazard analysis, common cause analysis, and/or sneak circuit analysis may also be appropriate. 

Preliminary drawings or sketches may be adequate to prepare a preliminary hazard list. More detailed drawings are required for a preliminary hazard analysis, and even more detail is required for subsystem and system hazard analyses. Analytical trees, copies of maintenance and operating procedures (if available), and site maps may also be helpful. 

Fault tree analysis is used primarily as a tool for conducting system or subsystem hazard analyses, even though qualitative or top-level (that is, limited number of tiers or detail) analyses may be used in performing preliminary hazard analyses. Generally, FTA is used to analyze failure of critical items (as determined by a failure mode and effects analysis or other hazard analysis) and other undesirable events capable of producing catastrophic (or otherwise unacceptable) losses. 

Fault hazard analysis is mentioned very frequently in system safety literature, sometimes as a type of analysis and occasionally as a technique. One NASA system safety document (NHB 1700.1-V3, System Safety) describes it as the analysis to be performed after the preliminary hazard analysis for further analysis of systems and subsystems and suggests that it can be either a separate analysis or an extension of the failure modes and effects analysis (NASA 1970). Most programs today (including NASA) refer to this analysis as the subsystem hazard analysis (SSHA) and the system hazard analysis (SHA). 

Safety analysis report (SAR) A document prepared to document the results of a hazard analysis performed on a system, subsystem or operation. Hie specific minimum data elements for an SAR will be defined by data deliverable requirements for the program or project (NSTS 22254). 

Subsystem hazard analysis (SSHA) As described in NHB 1700.1 (Vl-A) and this document. The SSHA is to identify hazards to personnel, vehicle and other systems caused by loss of function, energy source, hardware failures, personnel action or inaction, software deficiencies, interactions of components within the subsystem, inherent design characteristics such as sharp edges, and incompatible materials, and environmental conditions such as radiation and sand (NSTS 22254). 

As identified in a safety review (e.g., process hazard analysis [PHA], What-lf Analysis, Hazard and Operability Study [HAZOP]), a defined part (section or subsystem or item of equipment) of a process that has a design intention that is specific and distinct from the design intention of other process parts, which allows the study team to analyze the specific equipment or system in an organized fashion. 

The PHA (Figure 6.2) is perhaps the most critical analysis that will be performed because it is usually the first in-depth attempt to isolate the hazards of a new or, in some cases, modified system. The PHA will also provide rationale for hazard control and indicate the need for further, more detailed analyses, such as the subsystem hazard analysis (SSHA) and the system hazard analysis (SHA). The PHA is usually developed using the system safety techniques known as failure mode and effect analysis (FMEA) (Chapter 9) and/or the ETBA. Data required to complete... 

The information recorded on the PHA worksheet, together with the PHA report, will greatly facilitate the performance of other benehcial system analyses (such as the subsystem hazard analysis, the failure mode and effect analysis, and the operating and support hazard analysis) that may be accomplished during the remaining phases of the product life cycle. 

A subsystem hazard analysis (SSHA) or a system hazard analysis (SHA) may be required depending on the complexity of a given program or project. The SSHA and the SHA are often referred to as one in the same by many system safety professionals (Stephenson 1991). However, as explained here, the two methods are slightly different and, if used properly, provide for a more complete evaluation of a given system. 

---