Safety Allocation and Preliminary Risk Analysis
How to perform a Safety Allocation and a Preliminary Risk Analysis?
Safety Allocation is the initial step in the safety process. In the case where the return on experience, functional analysis, and mission profile have already been accurately defined, the scope and objectives can be established.
As a reminder, the scope of application is intrinsic to the system. In an ideal scenario, if no functional failure results in an accident, the system is considered safe. Incidents such as a meteor hitting the system and causing harm to users are not the system’s fault, and the same applies to vandalism. Any misuse beyond “reasonably foreseeable use” is considered out of scope.
The objective is to outline the initial set of safety requirements derived from the Preliminary Risk Analysis, forming the foundation for safety objectives and their respective demonstrations. The Preliminary Risk Analysis is designed for implementation at the project’s outset, when the system is not yet technologically defined. This process is analogous to Preliminary Danger Analysis, Functional Hazard Analysis, Preliminary Hazard Analysis, and Hazard Analysis and Risk Assessment in various fields.
The inputs include all functions and the return on experience, while the outputs comprise a list of safety requirements, also known as safety allocation, representing risk mitigation measures.
Various methodologies exist, each codified differently based on the activity sector or company standards. However, two widely used PRAs can be arbitrarily distinguished:
- The functional PRA, which takes and analyzes the list of functions as an input.
- The element PRA, which takes and analyzes the list of elements/components/subsystems at the desired granularity as an input.
How is a risk mitigated?
The PRA mitigates risks using one of the three possibilities below:
Code of Practice (CoP):
- This relies on norms, standards, good practices, tests, etc. It is a qualitative approach, and the justification of the risk mitigation must be unambiguous.
Explicit Demonstration:
- In this method, a failure rate and a Safety Integrity Level (SIL) must be determined. These values are intended to be demonstrated later in the project as new data from the design phase becomes available. SIL incorporates qualitative best practices, particularly for electronic and programmable electronics (especially in software development). The Failure Rate is later determined through a Failure Modes, Effects, and Criticality Analysis (FMECA) or a Fault Tree Analysis (FTA) depending on the system’s nature.
Reference to an Existing Product in Service:
- This approach is challenging to implement due to the heavy impact analysis required between the existing and new products. The mere possibility that a mission profile may be less favorable for the new product could significantly complicate the process. It is advisable to avoid this method whenever possible.
What is the form of the PRA?
The failure analysis for each function or component involves identifying all possible failure modes, including:
No Function:
- The function does not operate when requested.
Loss of Function:
- The function suddenly stops operating.
Untimely Function:
- The function suddenly activates when not requested.
Permanent Function:
- The function operates continuously.
Degraded Function:
- The function does not operate normally. This mode requires case-by-case judgement and return on experience. Various degraded failure modes are possible, for example:
- Sporadic function
- Loss of the function's full performance
- Miscellaneous perturbations of the function
Case 1: Functional Preliminary Risk Analysis
The rating of a risk in preliminary design
In cases where no return of experience is available, the list of functions serves as the primary data input. The remaining information is incorporated during the design process. As noted above, in theory the list of functions alone is sufficient to identify every potential accident.
Let’s proceed with constructing the Preliminary Risk Analysis. The essential information includes the function, its failure modes, and, for each failure mode, its effects on both its subsystem and the overall system, along with the severity that the system failure represents. Following this, proposed mitigations, including failure rate and safety integrity level tailored to the severity of the failure mode in accordance with the criticality matrix, are to be suggested.
Consider the function “to accelerate” in a power regulator for a ground mode of transport. Its effects are relatively consistent across various failure modes:
Function: To Accelerate
Failure Modes:
- No acceleration
- Sudden loss of acceleration
- Untimely acceleration
- Continuous acceleration
- Degraded acceleration (e.g., sporadic acceleration, loss of full acceleration performance, miscellaneous perturbations in acceleration)
Effects:
- On Subsystem and System: Potential disruptions in the vehicle’s power regulation leading to variations in acceleration.
Severity of System Failure:
- Assess the severity and impact of each failure mode on the overall safety and functionality of the transport system.
Mitigation:
- Propose a suitable mitigation for each failure mode, with a failure rate and safety integrity level aligned with the severity of the failure mode as per the criticality matrix.
This approach ensures a comprehensive evaluation and mitigation strategy for potential risks associated with the “to accelerate” function in the power regulator for ground transportation.
As a mitigation strategy, it is advisable to incorporate several components:
Safety Integrity Level (SIL) for Qualitative E/E/EE Assessment:
- SIL provides a qualitative assessment of the electrical/electronic/electromechanical (E/E/EE) components’ safety integrity, ensuring their reliability and performance meet specified safety standards.
Targeted Hazard Rate (THR) for Quantitative E/E/EE Assessment:
- THR enables a quantitative evaluation of the E/E/EE components’ reliability by assessing the likelihood of hazardous events occurring within a specific timeframe.
Code of Practice (CoP) for Mechanical Subsystems:
- Incorporating a CoP, which could be a norm applicable in the targeted region, ensures that mechanical subsystems adhere to established industry standards and best practices, enhancing overall safety and performance.
Additionally, the function “To wipe the rain off the windshield” involves a specific technological choice based on return on experience. The mitigation recommending testing of the wiper system would not have been included if no technological choice had been made. While this technological orientation deviates from a purely functional approach, it is a common practice in the industry to integrate technological considerations into the Preliminary Risk Analysis process for comprehensive risk assessment and mitigation.
Case 2: Element Preliminary Risk Analysis
Once the functional PRA is completed, the element PRA follows as soon as the elements are defined. The element PRA can serve as a response from a manufacturer to the functional PRA. The manufacturer integrates their technological knowledge and implementation into the functional basis. If the functional analysis and manufacturing are conducted within the same company, both tasks can be handled by the same person.
As mentioned earlier, it’s important to note that:
- The engine is an electrical component, and its associated risk mitigation involves an explicit demonstration with a targeted failure rate.
- The wiper arm is a mechanical component, so the associated risk mitigation is based on a code of practice or norm in this case.
- The wiping command is an electronic/programmable electronic component, and its associated risk mitigation involves an explicit demonstration with a targeted failure rate and a targeted Safety Integrity Level (SIL).
Finally, it’s worth mentioning that the methodology of “scanning” failure modes based on a repetitive sequence of “No,” “Loss of,” “Untimely,” “Permanent,” and “Degraded” is not mandatory and is often refined. Further details on this will be explored in the dedicated advanced section.
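The following is an added worked example, not code from the original page: it builds the element PRA lines for the wiper subsystem by applying the failure-mode scan of Case 1 and the technology-based mitigation rule of Case 2. The criticality matrix, the severity classes assigned to the wiper elements and the THR/SIL values are constructed assumptions for illustration; a real project takes them from its own standard.

```python
# Added example (not from the original page): element PRA lines from the
# page's failure-mode scan plus the technology-based mitigation rule.
FAILURE_MODE_SCAN = ("No", "Loss of", "Untimely", "Permanent", "Degraded")

# Constructed criticality matrix (an assumption): severity class ->
# (tolerable hazard rate per hour, SIL to allocate).
CRITICALITY_MATRIX = {"catastrophic": (1e-8, 4), "critical": (1e-7, 3),
                      "marginal": (1e-6, 2), "negligible": (1e-5, 1)}

# Mitigation kind by element technology, as stated for the element PRA.
MITIGATION_KIND = {"mechanical": "CoP", "electrical": "THR", "E/PE": "THR+SIL"}


def scan_failure_modes(function):
    """The five failure modes the page scans for one function."""
    return [f"{prefix} {function}" for prefix in FAILURE_MODE_SCAN]


def mitigation_for(technology, severity):
    """Mitigation text from the element technology and the severity class."""
    thr, sil = CRITICALITY_MATRIX[severity]
    kind = MITIGATION_KIND[technology]
    if kind == "CoP":
        return "Code of practice: applicable norm for the target region"
    text = f"Explicit demonstration: THR <= {thr:.0e}/h"
    return text if kind == "THR" else f"{text}, SIL {sil}"


def element_pra(element, technology, function, effect, severity, overrides=None):
    """One PRA line per failure mode; overrides maps a mode to its own severity."""
    overrides = overrides or {}
    lines = []
    for mode in scan_failure_modes(function):
        sev = overrides.get(mode, severity)
        lines.append({"element": element, "function": function, "failure_mode": mode,
                      "effect": effect, "severity": sev,
                      "mitigation": mitigation_for(technology, sev)})
    return lines


# Constructed sample: the three wiper elements named in the page's Case 2;
# the severity classes are assumptions for illustration only.
WIPER_PRA = (
    element_pra("engine", "electrical", "wipe the windshield",
                "wiping lost or disturbed", "critical")
    + element_pra("wiper arm", "mechanical", "wipe the windshield",
                  "wiping lost or disturbed", "critical")
    + element_pra("wiping command", "E/PE", "wipe the windshield",
                  "wiping lost or disturbed", "marginal",
                  overrides={"Untimely wipe the windshield": "critical"})
)
```

Each entry of WIPER_PRA is one row of the element PRA table (element, function, failure mode, effect, severity, mitigation); the untimely wiping command shows how a single failure mode can be rated more severely than the others and so receive a stricter THR and SIL.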
Where does the Preliminary Risk Analysis stand in the process?
The functional PRA serves as the initial step, followed by the element PRA if or when sufficient data is available. It’s important to note that both may not necessarily be authored by the same stakeholder. For instance, the client might provide a Preliminary Hazard Analysis (PHA) to the supplier, who then responds with the element PRA. In practice, it’s preferable for the manufacturer of the system or subsystem to produce its own PRA, leveraging their expertise.
Other forms of PRA are also widely employed:
Interface PRA:
- This involves a list of subsystems directly interfacing with users/operators as input.
Accident PRA:
- This incorporates a list of standard accidents as input.
In scenarios where a comprehensive return of experience database is available, and certain accidents or technological choices are prevalent across a range of products, adaptations of the PRA are possible. The PRA serves the purpose of conducting a pre-assessment using preliminary available data. As seen earlier, the PRA can focus solely on functional analysis (PRA function) or include standard foreseen subsystems and a list of generic accidents.
Detailed treatments of these variations will be explored in the advanced and template sections of the PRA. It’s even conceivable that, in cases with extensive Return of Experience (RoE), probability may be integrated into the PRA and become a standard.