I agree that fundamentally risk can be associated with hazard exposure
rather than hazard entry. However, in practice we commonly make conservative
assumptions that result in risk being strongly associated with hazard entry.
Actual harm is due to the occurrence of events with an adverse impact.
A hazard is a state in which expected or intended operations may result in a
harmful event. For example, a failed braking system on an aircraft means
that an otherwise normal landing could result in a runway overrun and crash.
The failed braking system is the hazardous state, the crash is the harmful
event. Driving "off the road" is a hazard; by itself it may or may not
result in an automobile crash, but expected operation of the automobile in
that state is very likely to result in a crash.
Risk tolerance is associated with how many harmful events of a particular
impact can be tolerated by the risk bearer within a given time period, e.g.
the "frequency" of the events. Clearly the frequency of harmful events is
determined both by the number of times that the hazardous state is entered
and the length of time spent in the hazardous state each time.
But note that the occurrence of the harmful event also depends on the
expected or intended operations within that hazard.
When we do a preliminary safety assessment of an aircraft system with
respect to mechanical failures, we assume that the worst-case operational
conditions are in force when a hazardous state occurs. Hence the harmful
event will occur immediately upon entry into the hazard and we can associate
the impact of the harmful event with the hazard. For example, if an engine
speed governor fails in an engine designed without further safeguards, we
assume with certainty that the result will be a catastrophic engine loss,
even though this depends on whether the engine is being operated at a high
throttle setting. This provides a conservative engineering judgment that
does not make undue assumptions about how the engine is actually being
operated at the time of the hazard. It also means that evaluating the
frequency of entering the hazardous state is equivalent to evaluating the
frequency of the harmful event. But this is only a consequence contingent on
this conservative assumption.
There are other safety assessments which are not this conservative. For
example, standard engine inlets can ingest geese, which also may lead to
catastrophic engine failure, which might in turn lead to aircraft loss. This
hazardous exposure exists continuously during take-off and landing, but it
is mitigated by the normal ability of geese to avoid aircraft. So both the
exposure of the hazard (take-off and landing) and the probability of an
expectable event (surprised geese in the immediate vicinity of the engine)
are taken into consideration in evaluating the occurrence of the harmful
event (catastrophic engine loss).
--Dr. Daniel P. Johnson
Honeywell International
Co-chair RTCA SC216 "Aeronautical Systems Security"
--------------------------------------------------
From: "Robin Cook" <robin@xxxxxx>
Sent: Saturday, December 26, 2009 12:27 PM
To: "Prof. Dr. Peter Bernard Ladkin" <ladkin@xxxxxx>;
"Safecrit" <safety-critical@xxxxxx>
Subject: Re: [sc] Define safety without risk and probabilities
> Peter,
>
> I was concentrating on my original point rather than on your question.
> However I do wonder whether you are playing devil's advocate in order to
> get me to make the point more clearly.
>
> My original comment:
> " One of our problems is the number of people who believe that you can
> define a hazard as a state and then meaningfully give it an attribute of
> frequency. .... mathematical nonsense."
>
> You asked which of the two assertions I considered to be nonsense. I had
> some difficulty identifying two assertions but you are quite right there
> are two assertions and further clarity is of benefit.
>
> The first assertion is that you can define a hazard as a state. I have no
> problem with this; indeed I support this and regard this as the standard
> definition. When considering hazardous events, I prefer to use this
> second term in order to differentiate.
>
> The second assertion is that you can meaningfully give the hazard, as a
> state, an attribute of frequency. In my previous mailing I expanded this
> slightly in order to be more explicit with the statement: "The
> mathematical nonsense is trying to define a state by a *single* attribute
> of "frequency" of entry into the state." I then stated that if a single
> attribute was required for a hazard then it should be the "instantaneous
> probability" and that this can be derived from the two attributes of
> "frequency" of entry into the state and "duration" of remaining in the
> state.
> ...
> Best regards
> Robin
Received on Wed 30 Dec 2009 - 06:15:55 GMT
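Worked model of the two positions above, added here as an illustration; it is not code from either correspondent or from Honeywell or RTCA SC-216. It expresses Robin Cook's "instantaneous probability" as entry frequency times dwell time, and Daniel Johnson's harmful-event frequency as entry frequency times the probability that the expected operational trigger (high throttle, a goose in the inlet) occurs while the hazard persists. The conservative assessment is the limit where that probability is 1. Every rate and duration in the block is a constructed figure chosen only to exercise the arithmetic; none is taken from any real system or standard.

```python
"""Hazard-state risk model: entry frequency, dwell time and triggering events.

Added worked example, not code from the original message. Rates are per
operating hour, durations in hours; all figures below are hypothetical.
"""
import math


def hazard_occupancy(entry_rate, mean_dwell):
    """Fraction of operating time spent in the hazardous state.

    With entries counted per unit of total operating time, the long-run
    fraction of time in the hazard is entry_rate * mean_dwell. This is the
    "instantaneous probability" derived from frequency of entry and duration
    of stay; it is only meaningful when that product does not exceed 1.
    """
    occupancy = entry_rate * mean_dwell
    if not 0.0 <= occupancy <= 1.0:
        raise ValueError("entry_rate * mean_dwell must lie in [0, 1]")
    return occupancy


def harm_probability_per_entry(trigger_rate, mean_dwell):
    """P(harmful event | one entry into the hazardous state).

    The expected operational trigger (high throttle demand, a bird in the
    inlet) is modelled as a Poisson process with rate trigger_rate while the
    hazard is present; the first trigger causes the harm and ends the dwell.
    trigger_rate=None encodes the conservative assumption that worst-case
    operating conditions are in force, so harm follows with certainty on entry.
    """
    if trigger_rate is None:
        return 1.0
    return 1.0 - math.exp(-trigger_rate * mean_dwell)


def harmful_event_rate(entry_rate, mean_dwell, trigger_rate=None):
    """Expected harmful events per unit operating time.

    Under the conservative assumption this collapses to entry_rate, which is
    why hazard-entry frequency and harmful-event frequency are then the same.
    """
    return entry_rate * harm_probability_per_entry(trigger_rate, mean_dwell)


def exposure_approximation(entry_rate, mean_dwell, trigger_rate):
    """Exposure-based estimate: time in hazard times trigger rate.

    Agrees with harmful_event_rate to first order when trigger_rate *
    mean_dwell is small, i.e. when at most one trigger is expected per dwell.
    """
    return hazard_occupancy(entry_rate, mean_dwell) * trigger_rate


def tolerable(harm_rate, max_events, period_hours):
    """Risk-tolerance check: expected harmful events in the period must not
    exceed the number the risk bearer accepts in that period."""
    return harm_rate * period_hours <= max_events


if __name__ == "__main__":
    # Constructed case 1: engine speed governor failure. Conservative
    # assessment: harm at entry, dwell time irrelevant.
    governor = harmful_event_rate(entry_rate=1e-6, mean_dwell=0.5)
    # Same hazard, non-conservative: harm only if high throttle (rate 2 /h)
    # is demanded during the 0.5 h the failure persists.
    governor_nc = harmful_event_rate(1e-6, 0.5, trigger_rate=2.0)
    # Constructed case 2: bird ingestion. Exposure is entered once per flight
    # (taken as 0.5 /h), lasts 0.1 h (take-off and landing), and a surprised
    # goose reaches the inlet at 1e-5 /h while exposed.
    geese = harmful_event_rate(0.5, 0.1, trigger_rate=1e-5)
    print(f"governor, conservative:       {governor:.3e} /h")
    print(f"governor, throttle-dependent: {governor_nc:.3e} /h")
    print(f"goose ingestion, exact:       {geese:.3e} /h")
    print(f"goose ingestion, exposure:    {exposure_approximation(0.5, 0.1, 1e-5):.3e} /h")
    print(f"time fraction in bird hazard: {hazard_occupancy(0.5, 0.1):.2f}")
    print(f"tolerable (1 per 1e9 h)?      {tolerable(geese, 1, 1e9)}")
```

The conservative and exposure-based figures differ only in the trigger term: set it to certainty and the dwell time drops out, leave it as a rate and both the duration of the hazard and the likelihood of the triggering operation matter, which is the distinction the two messages are drawing.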