Preliminary System Safety Assessment

The output of this step is the issue of a Preliminary Aircraft Safety Assessment (PASA) and/or a Preliminary System Safety Assessment (PSSA), which ... 

For the purposes of the Preliminary System Safety Assessment (PSS A), the FHA considers functional failure modes only (i.e. not their probability of occurrence). Failure conditions identified at this level are not dependent on the way the functions are implemented or the system architecture. 

Preliminary System Safety Assessment The PSSA should have already been conducted and should have highlighted some of the architectural/installation requirements (such as physical and electrical segregation) needed to ensure appropriate levels of redundancy in system functionality during potential failure events. 

Requirements are identified, defined and documented. This includes allocated requirements from the Preliminary System Safety Assessment (PSSA) and derived requirements from the hardware safety assessment. 

The three main phases of safety assessment - Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA) and initial stages of System Safety Assessment (SSA) - provide much of the Evidence needed for the Project Safety Case. 

The decomposition of Argl.3 (see Figure A.4 below) is similar in principle to that for Argl.2 above. The Context (C004) is the Preliminary System Safety Assessment (PSSA) - ie the derivation of Safety Requirements, expressed at the logical-architecture level. 

Preliminary system safety assessment Functional hazard analysis, FTA. 

Model Based Safety Assessment aims at supporting the Preliminary System Safety Assessment (PSSA) [8]. Before the PSSA is performed, the Functional Hazard Analysis identifies the Failure Conditions (e.g. safety critical situations of the system) and assesses their severity on a scale going from No Safety Effect (NSE) to Catastrophic (CAT). Then, during the Preliminary System Safety Assessment, safety models (or alternatively fault-trees) axe built and analysed. A safety model describes formally in which node a fault occurs and how this fault propagates inside the system architecture in order to cause a Failure Condition. 

The DAL is an index number ranking the safety-criticality of the system functions. This ranking implies that in order to make the system safe, greater development rigor must be applied to each successively critical level. Table 2.3 correlates the hardware DALs to the five classes of failure conditions and provides definitions of hardware failure conditions and their respective DALs. Initially, the hardware DAL for each hardware function is determined by the SSA process using a functional hazard analysis (FHA) to identify potential hazards and then the preliminary system safety assessment (PSSA) process allocates the safety requirements and associated failure conditions to the function implemented in the hardware. 

This section discusses a generic safety life cycle, illustrated in Figure 4, and its relationship to the system life cycle. The first row represents a generic and simplified version of the development process. The second row shows the main phases of the safety life cycle, which consists of Preliminary Hazard Identification (PHI), Functional Hazard Assessment (FHA), Preliminary System Safety Assessment (PSSA) and System Safety Assessment (SSA). The primary question to be answered during each phase is shown at the bottom of Figure 4. 

The Preliminary System Safety Assessment (PSSA) is performed at the design level. The PSSA shall answer the question Is tolerable risk achievable with the proposed solution Therefore it is verified whether the safety objectives can be... 

Under certain circumstances the safety criteria may be amended to suit the specific programme requirements (e.g. UAV safety criteria, or Military Operational Safety Criteria). However, this is subject to substantiation and agreement by the applicable regulatory authority, thus the declaration of the safety criteria (either in a separate safety criteria report, or as part of a safety plan or an early release of a preliminary system safety assessment). 

A preliminary system safety assessment (PSSA) is essential in order to determine (and agree) the depth of assessment needed, the criteria utilised and the manner in which the safety objectives are to be accomplished. The PSSA concentrates on the functions and vulnerabiUties of the system instead of the detailed analysis, and can thus be conducted prior to the definition of the system s architecture. The PSSA remains a live document until the final SSA can be issued. By the preliminary design review (PDR), the PSSA should include functional failure consequences to the aircraft and its occupants consequences of other possible malfunctions of a system (e.g. overheating) and their effects on surrounding systems consequences to the system of failure in other systems or parts of the aircraft, identification of any possible common-mode failures or cascade failures which my need detailed investigation the identification of possible vulnerabilities to flight crew or maintenance error. 

Analysis Generally implies a more specific, more detailed investigation. The terms analysis and assessment have broad definitions and the two terms are to some extent interchangeable. However, the term analysis generally implies a more specific, more detailed evaluation, while the term assessment may be a more general or broader evaluation but may include one or more types of analysis. In practice, the meaning comes from the specific application, e.g., fault tree analysis, Markov analysis, preliminary system safety assessment, etc. (AMC to CS25.1309). 

---