April 2019 - System Safety: Understanding Your Risk

With the recent incidents involving the Boeing 737 Max 8, aircraft system safety has been taking over the news cycle. It is important to understand the complexity of system safety and keep in mind the many caveats involved in ensuring systems run, and continue to run, as expected. System safety touches on the design, analysis, test, certification, software function, pilot training and pilot procedures.

The overall goal of system safety is to identify risk in the system and reduce that risk to an acceptable level. It is a vital aspect during the design phase for safety critical systems. The systematic approach of identifying hazardous conditions of a system helps identify the root cause of a hazardous condition and provides mitigations to control the hazard.

Image
A hazard is defined as a potentially unsafe condition resulting from failures, malfunctions, external events, error or a combination thereof.

There are many documents which outline standard practices and guidelines regarding system safety. For commercial aircraft, it must be shown that all the requirements in the Code of Federal Regulations (CFR) Title 14 have been satisfied, specifically, 14 CFR Part 25 applicable to airworthiness standards for transport category aircraft. For civil airborne systems and equipment, SAE ARP 4761 may be used. Likewise, in military applications, MIL-STD-882E is the applicable U.S. Department of Defense standard pertaining to system safety.

The FAA and civil aviation communities also recognize RTCA’S DO-178 and DO-254 as an acceptable means of compliance to the FAA regulations for software/hardware aspects of certification. These documents provide guidance in the areas of software and hardware development, configuration management, verification and the interface to most approval authorities (e.g., FAA, EASA).

Designated Engineering Representatives (DERs) and/or Authorized Representatives (ARs) are responsible for finding that engineering data complies with the appropriate airworthiness standards. DERs and ARs are private persons who have been given authorizations to perform certain certification functions on behalf of the FAA. These authorizations are granted based on a person’s knowledge and experience in a particular field of aviation, such as aircraft manufacturing, engineering, or maintenance. Most avionics and aircraft manufacturers use DERs or ARs to assist in airworthiness certification activities.

Regardless of whether the system is for commercial or military use, the basic goal is to identify hazards and reduce or eliminate the risk associated with the hazards.

The system safety process consists of these basic steps:

  1. Document the system safety approach and safety requirements
  2. Identify and document hazards
  3. Assess and document risk
  4. Identify and document risk mitigation measures
  5. Reduce risk
  6. Verify and validate all safety requirements have been met
  7. Manage lifecycle risk

The goal regarding system safety should always be to eliminate the hazard, if possible. If it is not possible to eliminate the hazard, the associated risk should be reduced to the lowest acceptable level within the constraints of cost, schedule and performance. Hazards can be mitigated through:

  • Design alterations
  • Safety features or devices
  • Warning devices
  • Incorporating signage
  • Procedures
  • Training and personal protective equipment (PPE)

Once all the possible mitigations are identified, mitigations are selected and implemented to achieve an acceptable risk level.

The next step would be to validate the effectiveness of all selected risk mitigation measures and verify the safety requirements have been met through the appropriate analysis, testing, demonstration or inspection. Analyses include, but are not limited to:

  • Failure Mode and Effects Analysis (FMEA)
  • Fault Tree Analysis (FTA)
  • Common Cause Analysis (CCA)
  • Zonal Safety Analysis (ZSA)

Before exposing people, equipment or the environment to the known system-related hazards, the risk must be accepted by the appropriate authority.

Monitoring continues through any changes or updates that may be made to the system after it is fielded. Hazards are continuously identified and should continue to be mitigated throughout the system’s lifecycle. There must be effective communication between the user community and the system safety representative to collaborate, identify and manage new hazards and modify risk.

As systems become more automated and integrated with software, software system safety is an increasingly large and critical part of overall system safety. Software is generally application-specific and reliability parameters associated with it cannot be estimated in the same manner as hardware. The assessment of risk for software and software-controlled or software-intensive systems cannot rely solely on the severity and probability. Determining the probability of a failure of a single software function is difficult, at best, and cannot be based on historical data.

To assess software safety, an approach outlined in MIL-STD-882E can be used to help determine software’s contributions to system risk. This assessment considers the potential risk severity and the degree of control that software exercises over the hardware. The overall system safety as well as software system safety hazard analysis processes identify and mitigate specific software contributors to hazards and mishaps. The successful execution of pre-defined Level or Rigor (LOR) tasks increases the confidence that the software will perform as specified within its performance requirements, while simultaneously reducing the number of contributors to hazards that may exist in the system. LOR tasks include both analysis of software requirements, architecture, design and code as well as in-depth safety specific testing.

A properly conducted system safety program includes a multidisciplinary team to identify, assess and mitigate risks. Omnicon understands the complexity of system safety and has spent thousands of hours in supporting our customer’s programs. If you are developing a system or product where safety may be a concern, please contact us to learn more.

Overview

Resources

About Us

Omnicon provides custom engineering solutions for customers in aerospace, defense, transportation, medical and more.