Subsystem hazard analysis generally

After the PHA is complete, first subsystem hazard analysis (SSHA) and, if required, system hazard analysis (SHA) are performed. Depending on the nature and complexity of the end product and the results of the PHA, SSHAs may be performed on all subsystems or just on selected critical subsystems. Unlike MIL-STD-882B, software analyses are not generally identified separately. If applicable, preliminary software hazard analysis is part of the PHA. Software should be treated as a subsystem and, if further software analysis is required, an SSHA can be performed on the software. 

The ETBA is an analytical technique that can be of great assistance in preparation of the preliminary hazard list (PHL). It can also be quite useful in the development of a preliminary hazard analysis (PHA), subsystem hazard analysis (SSHA), or the more general system hazard analysis (SHA). The ETBA can also be used, depending on the specific system under consideration, in the development of the operating and support hazard analysis (O SHA), and, of course, during the MORT process from which the ETBA evolved. 

Based on the results of the PHA, recommendations made by 30% review boards, and guidance provided in the system safety program plan, detailed hazard analyses are made of specified (critical) subsystems. The techniques for these SSHAs are as outlined in the system safety program plan or as selected by the SSWG. Failure modes and effects analysis (FMEA) and/or fault tree analysis (FTA) are generally the techniques of choice. Software hazard analysis, common cause analysis, and/or sneak circuit analysis may also be appropriate. 

Fault tree analysis is used primarily as a tool for conducting system or subsystem hazard analyses, even though qualitative or top-level (that is, limited number of tiers or detail) analyses may be used in performing preliminary hazard analyses. Generally, FTA is used to analyze failure of critical items (as determined by a failure mode and effects analysis or other hazard analysis) and other undesirable events capable of producing catastrophic (or otherwise unacceptable) losses. 

The fault hazard analysis (FHA)—also referred to as the functional hazard analysis—method follows an inductive reasoning approach to problem solving in that the analysis concentrates primarily on the specific and moves toward the general (TAI 1989). The FHA is an expansion of the FMEA (Stephenson 1991). As demonstrated in the previous chapter, the FMEA is concerned with the critical examination and documentation of the possible ways in which a system component, circuit, or piece of hardware may fail and the effect of that failure on the performance of that element. The FHA takes this evaluation a step further by determining the effect of such failures on the system, the subsystem, or personnel. In fact, when a FMEA has already been completed for a given system and information on the adverse safety effect of component or human failures is desired for that system, the safety engineer can often utilize the data from the FMEA as an input to the FHA. 

System Structure Analysis. After the identification of subsystems to be examined and the definition of undcsired events within the context of preliminary hazard analysis, events which lead to incidents are investigated. These event sequences can be represented as logic structure in a block diagram, a flow diagram, a fault tree, or a decision table. In the presentation which follows (Table 4.9.). a decision table was used. It contains, column by column, the combinations of system states which lead to the undesired event. The presentation permits qualitative identification of weak points in the system. In general, for example, the probability of a system state will decline with the growing number of failed components. The logic structure presentation could form the basis for further quantitative analyses. 

---