System Hazard Analysis

Builds on PHA as a foundation (expands PHA).
Considers the system as a whole and identifies how
  - system operation,
  - interfaces and interactions between subsystems,
  - interfaces and interactions between the system and its operators,
  - component failures, and
  - normal (correct) behavior
could contribute to system hazards.
Refines the high-level safety design constraints.
Validates conformance of the system design to the design constraints.
Traces safety design constraints to individual components (based on functional decomposition and allocation).

Hazard Causal Analysis

Used to refine the high-level safety constraints into more detailed constraints.
Requires some type of model (even if only in the head of the analyst).
Almost always involves some type of search through the system design (model) for states or conditions that could lead to system hazards:
  - Top-down
  - Bottom-up
  - Forward
  - Backward
Forward vs. Backward Search

[Figure: two diagrams, each with a column of Initiating Events (A, B, C, D) on the left and a column of Final States (W, X, Y, Z) on the right; X is labelled HAZARD and W, Y, Z are labelled nonhazard. In the Forward Search diagram the search starts at the initiating events and follows the paths to the final states they can produce; in the Backward Search diagram the search starts at the HAZARD state and traces the paths back to the initiating events that can reach it.]

Top-Down Search

[Figure: a tree with the TOP EVENT at the root, intermediate or pseudo-events in the middle layers, and basic or primary events at the leaves.]
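The difference between the two search directions in the figure can be made concrete with a small state-transition model. The following is an added example, not part of the original slides: the node names mirror the figure (initiating events A-D, final states W-Z, with X the hazard), but the intermediate states S1-S4 and every edge are constructed assumptions. Forward search must expand every path from every initiating event, most of which end in nonhazard states; backward search expands only the paths that can actually reach the hazard.

```python
"""Forward vs. backward search over a constructed hazard causal model.

Added example (not from the original slides). The transition graph below is
an assumption made for illustration; only the labels of the initiating
events, final states and the hazard state follow the slide's figure.
"""
from collections import deque

# Constructed model: each node maps to the states it can lead to.
TRANSITIONS = {
    "A": ["S1"],
    "B": ["S1", "S2"],
    "C": ["S3"],
    "D": ["S3", "S4"],
    "S1": ["W"],
    "S2": ["X"],
    "S3": ["Y", "X"],
    "S4": ["Z"],
    "W": [], "X": [], "Y": [], "Z": [],
}
INITIATING_EVENTS = ["A", "B", "C", "D"]
HAZARDS = {"X"}  # final states classified as hazards; W, Y, Z are nonhazard


def reverse(graph):
    """Build the reversed graph (edges from each state back to its causes)."""
    rev = {n: [] for n in graph}
    for src, dsts in graph.items():
        for d in dsts:
            rev[d].append(src)
    return rev


def reachable(graph, start):
    """Breadth-first search from `start`.

    Returns (set of visited nodes, number of nodes expanded), the second value
    being a simple measure of how much of the model the search had to look at.
    """
    seen = {start}
    queue = deque([start])
    expanded = 0
    while queue:
        node = queue.popleft()
        expanded += 1
        for nxt in graph[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, expanded


def forward_search():
    """From every initiating event, find which hazard states it can reach.

    Returns ({event: set of reachable hazard states}, total nodes expanded).
    """
    result = {}
    expanded = 0
    for ev in INITIATING_EVENTS:
        seen, n = reachable(TRANSITIONS, ev)
        expanded += n
        result[ev] = seen & HAZARDS
    return result, expanded


def backward_search():
    """From each hazard state, trace back to the initiating events that can cause it.

    Returns ({hazard: set of initiating events}, total nodes expanded).
    """
    rev = reverse(TRANSITIONS)
    result = {}
    expanded = 0
    for hz in HAZARDS:
        seen, n = reachable(rev, hz)
        expanded += n
        result[hz] = seen & set(INITIATING_EVENTS)
    return result, expanded


if __name__ == "__main__":
    fwd, n_fwd = forward_search()
    bwd, n_bwd = backward_search()
    print("forward :", fwd, "- nodes expanded:", n_fwd)
    print("backward:", bwd, "- nodes expanded:", n_bwd)
```

Both searches agree that B, C and D can lead to the hazard X and A cannot, but the forward search expands 18 nodes to learn this while the backward search expands 6, which is the practical reason hazard analysis usually searches backward from the hazard.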
System Hazard Analysis: Fault Tree Analysis

Developed originally in 1961 for Minuteman.
A means of analyzing hazards, not identifying them.
Top-down search method.
Based on the converging chains-of-events accident model.
The tree is simply a record of results; the analysis is done in the analyst's head.
A fault tree can be written as a Boolean expression and simplified to show the specific combinations of identified basic events sufficient to cause the undesired top event (hazard).
If a quantified analysis is wanted and individual probabilities for all basic events are known, the frequency of the top event can be calculated.

Leveson − 139

System Hazard Analysis: Fault Tree Example

[Figure: fault tree with top event "Explosion", built from AND and OR gates. Events in the tree: Pressure too high; Relief valve 1 does not open (Valve failure; Computer does not open valve 1: Sensor failure, Computer output too late, Computer does not issue command to open valve 1); Relief valve 2 does not open (Valve failure; Operator does not know to open valve 2: Operator inattentive, Valve 1 Position Indicator fails on, Open Indicator Light fails on).]

Leveson − 140
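The two claims on the slide, that a fault tree is a Boolean expression that can be simplified to the combinations of basic events sufficient for the top event, and that known basic-event probabilities give the top-event probability, are worked through below for the explosion example. This is an added example, not code from the original slides: the event names follow the figure, but the gate structure (which events sit under AND and which under OR) and all probability values are assumptions made for illustration.

```python
"""Fault tree as a Boolean expression: minimal cut sets and top-event probability.

Added example, not from the original slides. The tree reuses the event names
of the slide's explosion example, but the gate structure and every
probability value are constructed assumptions.
"""
from itertools import product


# A node is either a basic event name (str) or a gate: ("AND" | "OR", [children]).
def AND(*children):
    return ("AND", list(children))


def OR(*children):
    return ("OR", list(children))


# Assumed gate structure for the slide's explosion example.
EXPLOSION = AND(
    "pressure_too_high",
    OR("valve1_failure",                      # relief valve 1 does not open
       OR("sensor_failure",                   # computer does not open valve 1
          "computer_output_too_late",
          "computer_issues_no_command")),
    OR("valve2_failure",                      # relief valve 2 does not open
       OR("operator_inattentive",             # operator does not know to open valve 2
          "valve1_position_indicator_fails_on",
          "open_indicator_light_fails_on")),
)

# Constructed per-demand failure probabilities for the basic events.
P = {
    "pressure_too_high": 1e-2,
    "valve1_failure": 1e-3, "sensor_failure": 1e-3,
    "computer_output_too_late": 1e-4, "computer_issues_no_command": 1e-4,
    "valve2_failure": 1e-3, "operator_inattentive": 1e-2,
    "valve1_position_indicator_fails_on": 1e-4, "open_indicator_light_fails_on": 1e-4,
}


def cut_sets(node):
    """Expand the tree into sum-of-products form.

    Returns a set of frozensets; each frozenset is a combination of basic
    events that is sufficient for `node` to occur.
    """
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(c) for c in children]
    if gate == "OR":
        return set().union(*child_sets)
    # AND distributes: (A + B)(C + D) = AC + AD + BC + BD
    return {frozenset().union(*combo) for combo in product(*child_sets)}


def minimal_cut_sets(node):
    """Simplify by absorption (X + XY = X): drop any cut set containing another."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}


def top_probability(node, p=P):
    """Exact top-event probability when basic events are independent and each
    appears once in the tree: P(AND) = prod p_i, P(OR) = 1 - prod (1 - p_i)."""
    if isinstance(node, str):
        return p[node]
    gate, children = node
    probs = [top_probability(c, p) for c in children]
    out = 1.0
    if gate == "AND":
        for q in probs:
            out *= q
        return out
    for q in probs:
        out *= (1 - q)
    return 1 - out


def rare_event_probability(node, p=P):
    """Rare-event approximation from the minimal cut sets: sum over cut sets of
    prod p_i. It over-counts overlaps, so it is an upper bound on the exact value."""
    total = 0.0
    for cs in minimal_cut_sets(node):
        term = 1.0
        for e in cs:
            term *= p[e]
        total += term
    return total


if __name__ == "__main__":
    for cs in sorted(minimal_cut_sets(EXPLOSION), key=sorted):
        print(sorted(cs))
    print("exact      :", top_probability(EXPLOSION))
    print("rare-event :", rare_event_probability(EXPLOSION))
```

Under the assumed structure the tree reduces to 16 minimal cut sets, every one of which contains "pressure_too_high" together with one way for each relief valve to fail to open; that shared event is the kind of weak point cut sets are meant to expose. The `minimal_cut_sets` absorption step also shows what happens when the same basic event appears in more than one branch: `OR("a", AND("a", "b"))` collapses to the single cut set {a}, so a component shared between branches can turn an apparent two-failure requirement into a single point of failure.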
Example Fault Tree for ATC Arrival Traffic

[Figure: fault tree. Top event: A pair of controlled aircraft violate minimum separation standards.
 OR:
  - Violation of minimum in-trail separation while on final approach to the same runway
  - Violation of distance or time separation between streams of aircraft landing on different runways
  - Violation of minimum separation between arrival traffic and departure traffic from nearby feeder airports
 Lower-level events shown:
  - Two aircraft on final approach to parallel runways not spatially staggered violate minimum difference in threshold crossing time
  - Two aircraft landing consecutively on different runways in intersecting or converging operations
  - An aircraft violates the non-transgression zone while the airport is conducting independent ILS approaches to parallel runways
  - An aircraft fails to make the turn from base to final approach]

Example Fault Tree for ATC Arrival Traffic (2)

[Figure: fault tree. Top event: Controller instructions do not cause aircraft to make necessary speed change.
 OR:
  - Controller does not issue speed advisory
  - Controller issues appropriate speed advisory but pilot does not receive it
  - Controller issues appropriate speed advisory and pilot receives it but does not follow it
  - Controller issues speed advisory that does not avoid separation violation
  - Controller issues speed advisory too late to avoid separation violation
 Lower-level events shown:
  - Physical communication failure, OR: Radio failure; Radio on wrong frequency
  - Human communication failure, OR: Psychological slip
  - Controller issues speed advisory to wrong aircraft: Wrong label associated with aircraft on planview display screen; Label in misleading place on screen]
System Hazard Analysis: FTA Evaluation

The graphical format helps in understanding the system and the relationships between events.
Can be useful in tracing hazards to the software interface and identifying potentially hazardous software behavior.
Cut sets denote the weak points of a complex design.
Dependencies (common-cause failure points) are not easy to see.
Requires a detailed knowledge of the design, construction, and operation of the system.

Leveson − 143

System Hazard Analysis: FTA Evaluation (2)

A simplified representation of a complex process, sometimes too simplified.
Tends to concentrate on failures.
Quantitative evaluation may be misleading.
On U.S. space programs where FTA (and FMEA) were used extensively, 35% of actual in-flight malfunctions were not identified or were not identified as credible.

Leveson − 144