Analisis bahaya awal (PHA) menyelesaikan tugas-tugas berikut.

Identifikasi bahaya sistem

Terjemahkan bahaya sistem ke dalam kendala desain keamanan sistem tingkat tinggi
Menilai bahaya jika diperlukan untuk melakukannya
Tetapkan log bahaya
Ingat, bahaya sistem bukan kegagalan. Kegagalan dapat berkontribusi terhadap bahaya,
tetapi bahaya adalah sistem menyatakan bahwa, dikombinasikan dengan kondisi lingkungan
tertentu, menyebabkan kecelakaan. Di bawah ini adalah contoh bahaya sistem untuk pintu
kereta otomatis.

Kereta api dimulai dengan pintu terbuka.

Pintu terbuka saat kereta bergerak.

Pintu terbuka saat disejajarkan dengan platform.

Pintu tertutup saat seseorang ada di ambang pintu.

Pintu yang menutup pada obstruksi tidak membuka kembali atau membuka kembali pintu
tidak menutup kembali.

Pintu tidak dapat dibuka untuk evakuasi darurat.

Perhatikan bahwa tidak ada banyak bahaya dalam daftar. Tujuannya bukan sebagian besar
bahaya yang mungkin, tetapi deskripsi singkat dari kondisi-kondisi yang berbahaya itu. Jika
daftar bahaya terlalu panjang, sangat mungkin bahwa penyebabnya didaftar dengan, atau
sebagai pengganti, bahaya. Di bawah ini adalah daftar bahaya lainnya, kali ini untuk sistem
kontrol lalu lintas udara.

Pesawat yang dikendalikan melanggar standar terpisah minimum (NMAC).

Pesawat yang dikendalikan udara memasuki wilayah atmosfer yang tidak aman.

Pesawat udara terkontrol memasuki wilayah udara terbatas tanpa otorisasi.

Pesawat udara yang dikendalikan terlalu dekat dengan rintangan tetap selain dari titik aman
mendarat pada landasan yang ditugaskan (CFIT)

Pesawat udara terkendali dan penyusup di wilayah udara terkontrol melanggar pemisahan
minimum.

Pesawat terkontrol beroperasi di luar amplop kinerjanya.

Pesawat di tanah datang terlalu dekat dengan objek yang bergerak atau bertabrakan
dengan benda-benda yang tidak bergerak dan meninggalkan area beraspal.

Pesawat memasuki landasan yang tidak memiliki izin.

Pesawat terkontrol melakukan manuver ekstrim dalam amplop kinerjanya.

Hilangnya kontrol pesawat.
Berikut ini adalah latihan untuk melakukan brainstorming daftar bahaya. Identifikasi bahaya
sistem untuk sistem cruise control ini:
Sistem kontrol pelayaran beroperasi hanya ketika mesin sedang berjalan. Ketika pengemudi
menyalakan sistem, kecepatan mobil yang sedang berjalan pada saat itu dipertahankan.
Sistem memonitor kecepatan mobil dengan merasakan laju di mana roda berputar, dan
mempertahankan kecepatan yang diinginkan dengan mengendalikan posisi throttle. Setelah
sistem dinyalakan, pengemudi dapat memberitahukannya untuk mulai meningkatkan
kecepatan, menunggu beberapa waktu, dan kemudian memberitahukannya untuk berhenti
meningkatkan kecepatan. Sepanjang periode waktu, sistem akan meningkatkan kecepatan
pada tingkat yang tetap, dan kemudian akan mempertahankan kecepatan akhir yang
tercapai.
Pengemudi dapat mematikan sistem setiap saat. Sistem akan mati jika merasakan bahwa
akselerator telah ditekan cukup jauh untuk menimpa kontrol throttle. Jika sistem menyala
dan merasakan rem telah tertekan, ia akan berhenti mempertahankan kecepatan tetapi tidak
akan mati. Pengemudi dapat memberitahu sistem untuk melanjutkan sp

Preliminary hazard analysis (PHA) accomplishes the following tasks.

Identify system hazards

Translate system hazards into high-level system safety design constraints

Assess hazards if required to do so

Establish the hazard log

Remember, system hazards are not failures. Failures may contribute to hazards, but hazards are
system states that, combined with certain environmental conditions, cause accidents. Below are
example system hazards for automated train doors.

Train starts with door open.

Door opens while train is in motion.

Door opens while improperly aligned with the platform.

Door closes while someone is in the doorway.

Door that closes on an obstruction does not reopen or reopened door does not reclose.

Doors cannot be opened for emergency evacuation.

Notice that there are not many hazards in the list. The goal is not a bulk of possible hazards, but a
concise description of those conditions that are hazards. If a hazard list is too long, it is very likely
that causes are being listed along with, or instead of, hazards. Below is another list of hazards, this
time for an air traffic control system.

Controlled aircraft violate minimum separate standards (NMAC).

Airborne controlled aircraft enters an unsafe atmospheric region.

Controlled airborne aircraft enters restricted airspace without authorization.

Controlled airborne aircraft gets too close to fixed obstacle other than a safe point of touchdown on
an assigned runway (CFIT)

Controlled airborne aircraft and an intruder in controlled airspace violate minimum separation.

Controlled aircraft operates outside its performance envelope.

Aircraft on ground comes too close to moving objects or collides with stationary objects and leaves
the paved area.

Aircraft enters a runway for which it does not have clearance.

Controlled aircraft executes an extreme maneuver within its performance envelope.

Loss of aircraft control.

The following is an exercise in brainstorming a hazard list. Identify the system hazards for this cruise-
control system:

The cruise control system operates only when the engine is running. When the driver turns the
system on, the speed at which the car is traveling at that instant is maintained. The system monitors
the car's speed by sensing the rate at which the wheels are turning, and it maintains desired speed
by controlling the throttle position. After the system has been turned on, the driver may tell it to
start increasing speed, wait a period of time, and then tell it to stop increasing speed. Throughout
the time period, the system will increase the speed at a fixed rate, and then will maintain the final
speed reached.

The driver may turn off the system at any time. The system will turn off if it senses that the
accelerator has been depressed far enough to override the throttle control. If the system is on and
senses that the brake has been depressed, it will cease maintaining speed but will not turn off. The
driver may tell the system to resume sp

Hazard identification can sound like an intimidating process. Stare at a blank page;
then a miracle occurs; then read the final product. The truth is that there are a
number of techniques to help in hazard identification. Use historical safety
experience, lessons learned, trouble reports, hazard analyses, and accident and
incident files. All of these things should be collected by a successful system safety
effort. This may be more difficult if the organization has no history with the product
type that it proposes to construct. In some industries, information may be available
from other companies in that market segment. If not, regulatory bodies, industry
consortia, or users groups for similar products may have some information.

Many industries also have published lists, checklists, standards, and codes of
practice that may help guide hazard list development. For example, nuclear devices
for use by the US military must address a pre-existing hazard list.

Examine basic energy sources, flows, high-energy items, hazardous materials (fuels,
propellants, lasers, explosives, toxic substances, pressure systems) in the systems.
How might these energies be released in an uncontrolled manner? How else might
these energies participate in an accident? Often these materials suggest hazards,
particular at their interface or boundary with the rest of the system. In general, look at
potential interface problems such as material incompatibilities, possibilities for
inadvertent activation, contamination, and adverse environmental scenarios. Use
scientific investigation of physical, chemical, and other properties of the system, as
well.

For more possible hazards, review the mission of the system and basic performance
requirements including the environments in which operations will take place. Look at
all possible system uses, all modes of operation, all possible environments, and all
times during operation. Accidents often occur when systems are pushed to operate
beyond the assumptions the designers had in mind, so examine likely scenarios of
operation outside the planned environment of the system.

Lastly, think the entire process through, step by step, anticipating what might go
wrong, how to prepare for it, and what to do if the worst happens.
Once the hazard list has been compiled, it must be translated into design
constraints. This is not a difficult process, and a table from the train door example is
shown below.

HAZARD DESIGN CRITERION

Train starts with door open. Train must not be capable of moving with any door ope

Door opens while train is in motion. Doors must remain closed while train is in motion.

Door opens while improperly aligned with Door must be capable of opening only after train is
station platform. stopped and properly aligned with platform unless
emergency exists (see below).

Door closes while someone is in doorway. Door areas must be clear before door closing begins.

Door that closes on an obstruction does
not reopen or reopened door does not
reclose.
Doors cannot be opened for emergency
evacuation.
An obstructed door must reopen to permit removal
obstruction and then automatically reclose.
Means must be provided to open doors anywhere when
the train is stopped for emergency evacuation.

Notice that the design constraints derived from the hazard list do not delve in the
mechanisms to conform with the design constraints. The design constraints are
merely an expression of properties the system must have to eliminate or control the
hazards in the hazard list. Another example, for part of an air traffic control system, is
shown in the table below.

Hazards Requirements/Constraints
1. A pair of controlled aircraft violate minimum 1a. ATC shall provide advisories that maintain safe
separation standards. separation between aircraft.

1b. ATC shall provide conflict alerts.

2. A controlled aircraft enters an unsafe
atmospheric region. (icing conditions, wind
shear areas, thunderstorm cells)
2a. ATC must not issue advisories that direct aircra
into areas with unsafe atmospheric conditions.
2b. ATC shall provide weather advisories and alerts
to flight crews.

2c. ATC shall warn aircraft that enter an unsafe

atmospheric region.
3. A controlled aircraft enters restricted 3a. ATC must not issue advisories that direct an
airspace without authorization. aircraft into restricted airspace unless avoiding a
greater hazard.

3b. ATC shall provide timely warnings to aircraft to

prevent their incursion into restricted airspace.

4. A controlled aircraft gets too close to a fixed 4. ATC shall provide advisories that maintain safe
obstacle or terrain other than a safe point of separation between aircraft and terrain or physical
touchdown on assigned runway. obstacles.

5. A controlled aircraft and an intruder in 5. ATC shall provide alerts and advisories to avoid
controlled airspace violate minimum separation intruders if at all possible.
standards.

6. Loss of controlled aircraft or loss of airframe 6a. ATC must not issue advisories outside the safe
integrity. performance envelope of the aircraft.

6b. ATC advisories must not distract or disrupt the

crew from maintaining the safety of flight.

6c. ATC must not issue advisories that the pilot or

aircraft cannot fly or that degrade the continued saf
flight of the aircraft.

6d. ATC must not provide advisories that cause an

aircraft to fall below the standard glide path or
intersect it at the wrong place.

Hazards, after being identified, must be assessed. Hazards are often ranked on two
axes, likelihood and severity. The combination of likelihood and severity creates a
ranking for the hazard. See the next two figures for hazard level matrices.
Hazard level assessment can be challenging. There is often no way to determine
likelihood, even qualitatively. With the advancing rate of change in technology,
systems often involve new technology, creating many unknowns. Fortunately,
severity is usually adequate to determine the effort to spend on eliminating or
mitigating hazards, and severity is much easier to determine.

System risk assessment is, again, not feasible. It may be possible to establish
qualitative criteria to evaluate potential risk. These criteria could be used to make
deployment or technology decisions. But this will depend on the system being
considered.

An example risk assessment can be found in the AATT (an advanced air traffic
system) Safety Criterion:

The introduction of AATT tools will not degrade safety from the current level.

Risk assessment for each tool was based on:

The severity of worst possible loss associated with the tool

The likelihood that introduction of the tool would reduce the current safety level of
the ATC system.

The following is an example of a severity level classification from a proposed JAA

standard:

Class I: Catastrophic
Unsurvivable accident with hull loss.
Class II: Critical
Survivable accident with less than full hull loss; fatalities possible
Class III: Marginal
Equipment loss with possible injuries and no fatalities
Class IV: Negligible
Some loss of efficiency
Procedures able to compensate, but controller workload likely to be high until
overall system demand reduced.
Reportable incident events such as operational errors, pilot deviations, surface
vehicle deviation.

Example likelihood levels are shown below:

User tasks and responsibilities

Low: Insignificant or no change
Medium: Minor change
High: Significant change

Potential for inappropriate human decision making

Low: Insignificant or no change
Medium: Minor change
High: Significant change

Potential for user distraction or disengagement from primary task

Low: Insignificant or no change

Medium: Minor change
 High: Significant change

Safety margins
Low: Insignificant or no change
Medium: Minor change
High: Significant change

Potential for reducing situation awareness

Low: Insignificant or no change
Medium: Minor change
High: Significant change

Skills currently used and those necessary to backup and monitor new
decision support tools
Low: Insignificant or no change
Medium: Minor change
High: Significant change

Introduction of new failure modes and hazard causes

New tools have same function and failure modes as system components they are
Low:
replacing
Medium: Introduced but well understood and effective mitigation measures can be designed
High: Introduced and cannot be classified under medium

Effect of software on current system hazard mitigation measures

Low: Cannot render ineffective
High: Can render ineffective

Need for new system hazard mitigation measures

Low: Potential software errors will not require
High: Potential software errors could require

All hazards in the system must be entered into a hazard log. A hazard log is
essential to any safety effort. The hazard log, part of the safety information system,
tracks information about hazards from their initial identification through elimination or
control. The hazard log should contain information such as:

System, subsystem, unit

Description
Cause(s)
Possible effects, effect on system
Category (hazard level -- probability and severity)
Corrective or preventative measures, possible safeguards, recommended action
 Operational phase when hazardous
Responsible group or person for ensuring safeguards provided.
Tests (verification) to be undertaken to demonstrate safety.
Other proposed and necessary actions
Status of hazard resolution process.

Once the preliminary hazard analysis is complete, and the hazards are entered into
the hazard log, system hazard analysis can begin. (Bear in mind that in any
development process, there is lots of iteration and skipping around. It simply makes
it easier to discuss each step if they are presented in isolation from the others.)