NASA/SP-2010-580 Version 1.0, November 2011
NASA System Safety Handbook
Volume 1, System Safety Framework and Concepts for Implementation
Provided by IHS. Not for Resale. No reproduction or networking permitted without license from IHS.

National Aeronautics and Space Administration
NASA Headquarters
Washington, D.C. 20546
November 2011

NASA STI Program in Profile

Since its founding, NASA has been dedicated to the advancement of aeronautics and space science. The NASA scientific and technical information (STI) program plays a key part in helping NASA maintain this important role.

The NASA STI program operates under the auspices of the Agency Chief Information Officer. It collects, organizes, provides for archiving, and disseminates NASA's STI. The NASA STI program provides access to the NASA Aeronautics and Space Database and its public interface, the NASA Technical Report Server, thus providing one of the largest collections of aeronautical and space science STI in the world. Results are published in both non-NASA channels and by NASA in the NASA STI Report Series, which includes the following report types:

TECHNICAL PUBLICATION. Reports of completed research or a major significant phase of research that present the results of NASA programs and include extensive data or theoretical analysis. Includes compilations of significant scientific and technical data and information deemed to be of continuing reference value. NASA counterpart of peer-reviewed formal professional papers, but has less stringent limitations on manuscript length and extent of graphic presentations.

TECHNICAL MEMORANDUM. Scientific and technical findings that are preliminary or of specialized interest, e.g., quick release reports, working papers, and bibliographies that contain minimal annotation. Does not contain extensive analysis.

CONTRACTOR REPORT. Scientific and technical findings by NASA-sponsored contractors and grantees.

CONFERENCE PUBLICATION. Collected papers from scientific and technical conferences, symposia, seminars, or other meetings sponsored or co-sponsored by NASA.

SPECIAL PUBLICATION. Scientific, technical, or historical information from NASA programs, projects, and missions, often concerned with subjects having substantial public interest.

TECHNICAL TRANSLATION. English-language translations of foreign scientific and technical material pertinent to NASA's mission.

Specialized services also include creating custom thesauri, building customized databases, and organizing and publishing research results. For more information about the NASA STI program, see the following:

Access the NASA STI program home page at http://www.sti.nasa.gov
E-mail your question via the Internet to help@sti.nasa.gov
Fax your question to the NASA STI Help Desk at 443-757-5803
Phone the NASA STI Help Desk at 443-757-5802
Write to: NASA STI Help Desk, NASA Center for Aerospace Information, 7115 Standard Drive, Hanover, MD 21076-1320

ACKNOWLEDGMENTS

The project manager and
the authors express their gratitude to NASA Office of Safety and Mission Assurance (OSMA) management (Mr. Bryan O'Connor, former Chief of OSMA; Mr. Terrence Wilcutt, Chief of OSMA; and Mr. Wilson Harkins, Deputy Chief of OSMA) for their support and encouragement in developing this document. The development effort leading to this document was conducted in stages, and was supported through reviews and discussions by the NASA System Safety Steering Group (S3G) and by the additional contributors listed below (in alphabetical order).

AUTHORS:
Dr. Homayoon Dezfuli, NASA Headquarters (Project Manager)
Dr. Allan Benjamin, Information Systems Laboratories
Mr. Christopher Everett, Information Systems Laboratories
Dr. Curtis Smith, Idaho National Laboratory
Dr. Michael Stamatelatos, NASA Headquarters
Dr. Robert Youngblood, Idaho National Laboratory

NASA SYSTEM SAFETY STEERING GROUP MEMBERS:
Mr. Michael Blythe, NASA Engineering and Safety Center
Mr. Roger Boyer, Johnson Space Center
Mr. Bruce Bream, Glenn Research Center
Mr. Chester Everline, Jet Propulsion Laboratory
Dr. Martin Feather, Jet Propulsion Laboratory
Dr. Raymond Fuller, Marshall Space Flight Center
Dr. Frank Groen, NASA Headquarters
Dr. Nat Jambulingam, Goddard Space Flight Center
Mr. K. C. Johnson, Langley Research Center
Mr. Mark Kowaleski, NASA Safety Center
Mr. Allan Layne, Marshall Space Flight Center
Dr. Jesse Leitner, Goddard Space Flight Center
Mr. Ronald Long, Kennedy Space Center
Dr. Donovan Mathias, Ames Research Center
Mr. William Schoren, Glenn Research Center

ADDITIONAL CONTRIBUTORS:
Mr. Alfredo Colon, NASA Headquarters
Mr. John Day, Jet Propulsion Laboratory
Mr. Anthony Diventi, Goddard Space Flight Center
Dr. Ewan Denney, Ames Research Center
Dr. Lorraine Fesq, Jet Propulsion Laboratory
Mr. Burton Lewis, Goddard Space Flight Center
Mr. Shandy McMillian, Goddard Space Flight Center
Dr. Peter Rutledge, Quality Assurance

NPR 7123.1A; NPD 8700.1, NASA Policy for Safety and Mission Success [3]; NPR 8705.2B, Human-Rating Requirements for Space Systems [4]; NPR 8000.4A, Agency Risk Management Procedural Requirements [5]; and NASA/SP-2011-3422, NASA Risk Management Handbook [6].

Homayoon Dezfuli, Ph.D.
NASA System Safety Technical Fellow and the Chair of NASA System Safety Steering Group
NASA Headquarters
November 2011

1 Purpose

The purpose of Volume 1 of the NASA System Safety Handbook is to present the overall framework for System Safety and to provide the general concepts needed to implement the framework. The treatment addresses activities throughout the system life cycle to assure that the system meets safety performance requirements and is as safe as reasonably practicable. This handbook is intended for project management and engineering teams and for those with review and oversight responsibilities. It can be used both in a forward-thinking mode to promote the development of safe systems, and in a retrospective mode to determine whether desired safety objectives have been achieved.

The topics covered in this volume include general approaches for formulating a hierarchy of safety objectives, generating a corresponding hierarchical set of safety claims, characterizing the system safety activities needed to provide supporting evidence, and presenting a risk-informed safety case that validates the claims. Volume 2, to be completed in 2012, will provide specific guidance on the conduct of the major system safety activities and the development of the evidence.

2 Overview of System Safety

2.1 What is Safety?

NPR
8715.3C and MIL-STD-882D [7] define safety as freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. This concept of safety is inclusive of human safety, which includes workers directly involved in system interactions, workers not directly involved in system interactions, as well as members of the general public. Although this definition is broad, it focuses exclusively on physical, rather than functional, consequences. However, for systems such as non-recoverable spacecraft, damage to or loss of equipment may be meaningful only insofar as it translates into degradation or loss of mission objectives. Therefore, for the purposes of this handbook, freedom from conditions that can cause loss of mission (LOM) is also included in the definition of safety. Figure 2-1 illustrates the scope of potentially impacted populations to which the concept of safety can apply.

Figure 2-1. Impacted Populations within the Scope of Safety
[Tree diagram: Safety branches into Human Safety (Involved Worker Safety, Non-Involved Worker Safety, Public Safety), Safety of Equipment/Property (Damage/Loss of Equipment/Property, Loss of Mission), and Environmental Safety.]

Safety
Safety is freedom from those conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. In any given application, the specific scope of safety must be clearly defined by the stakeholders in terms of the entities to which it applies and the consequences against which it is assessed. For example, for non-reusable and/or non-recoverable systems, damage to or loss of equipment may be meaningful only insofar as it translates into degradation or loss of mission objectives.

In any case, the population included in the definition of safety is context dependent, and it is up to the involved parties, including stakeholders, to unambiguously define what constitutes safety for a given application in a given environment.

Just as the scope of conditions relevant to safety is application specific, so too is the degree of "safety" that is considered acceptable. We do not expect to attain absolute safety, but we strive to attain a degree of safety that fulfills obligations to the at-risk communities and addresses agency priorities. An adequately safe system is not necessarily one that completely precludes all conditions that can lead to undesirable consequences. Rather, an adequately safe system is one that adheres to the following fundamental safety principles:

- An adequately safe system is assessed as meeting a minimum threshold level of safety, as determined by analysis, operating experience, or a combination of both. Below this level the system is considered unsafe. This minimum level of safety is not necessarily fixed over the life of a system. As a system is operated and information is gained as to its strengths and weaknesses, design (hardware and software) and operational modifications are typically made which, over the long run, improve its safety performance.³ In particular, an initial level of safety performance may be accepted for a developmental system, with the expectation that it will be improved as failure modes are "wrung out" over time. In such cases the level of tolerable safety can be expressed as a safety threshold against which current system performance is assessed, and a safety goal against which future performance will be assessed. This attitude towards safety is now part of NASA's policy for certification of human space flight systems [4], as also reflected in NASA's agency-level safety goals and thresholds for crew transportation system missions to the International Space Station (ISS) [8]. The safety threshold represents the initial minimum level of safety for the system, whereas the safety goal, which is set at a higher level of safety, represents the agency's expectations from continuous safety upgrades and improvements to the system throughout the acquisition life cycle.

- An adequately safe system is as safe as reasonably practicable (ASARP). The ASARP concept is closely related to the "as low as reasonably achievable" (ALARA) and "as low as reasonably practicable" (ALARP) concepts that are common in U.S. nuclear applications and U.K. Health and Safety law, respectively [9, 10]. A determination that a system is ASARP entails weighing its safety performance against the sacrifice needed to further improve it. The system is ASARP if an incremental improvement in safety would require a disproportionate deterioration of system performance in other areas. Thus, a system that is ASARP is one where safety improvement is given the highest priority within the constraints of operational effectiveness, time, and cost, throughout all phases of the system life cycle.

These two principles of adequate safety must be maintained throughout all phases of the system life cycle. Opportunities to impact safety (or correspondingly, threats to safety) exist from concept studies to closeout, and system safety activities must be operative throughout.

Quantitatively, safety can be characterized positively as the probability that undesirable consequences will be avoided, or negatively as the probability that undesirable consequences will be incurred. It is this second characterization that is most common, and which is typically equated with the term risk. Indeed, both the terms "as low as reasonably achievable" (ALARA) and "as low as reasonably practicable" (ALARP) refer to risk. However, the term risk is used in the NASA context as "the potential for performance shortfalls with respect to achieving explicitly established and stated performance requirements" [5], and that is the definition used in this Handbook. Consequently, the safety of a system is referred to here as its safety performance rather than as its risk.

³ This is typically the case for production line items where operating experience can inform the design and operation of future units, and for reusable systems that can be modified prior to reuse. It is less the case for one-time, non-recoverable systems where the opportunity to modify the system is limited.

2.2 What is System Safety?

NPR 8715.3C defines system safety as the "application of engineering and management principles, criteria, and techniques to optimize safety within the constraints of operational effectiveness, time, and cost throughout all phases of the system life cycle."⁴ The term system, as used here, refers to one integrated entity that performs a specified function and includes hardware, software, human elements, and consideration of the environment within which the system operates.

⁴ Adapted from [7].

As Safe As Reasonably Practicable (ASARP)
Being as safe as reasonably practicable (ASARP) is a fundamental principle of adequate safety. A de