ML19322C350

| Field | Value |
|---|---|
| Site | Crane |
| Issue date | 06/28/1977 |
| From | DEFENSE, DEPT. OF |
| To | |
| References | MIL-STD-882A, NUDOCS 8001160887 |
MIL-STD-882A
28 June 1977
SUPERSEDING MIL-STD-882, 15 July 1969

MILITARY STANDARD
SYSTEM SAFETY PROGRAM REQUIREMENTS

FSC MISC
DEPARTMENT OF DEFENSE
WASHINGTON, DC 20301

System Safety Program Requirements
MIL-STD-882A

1. This Military Standard is approved for use by all Departments and Agencies of the Department of Defense.

2. Beneficial comments (recommendations, additions, deletions) and any pertinent data which may be of use in improving this document should be addressed to: HQ Air Force Systems Command (IGFS), Andrews AFB, Washington, DC 20334, by using the self-addressed Standardization Document Improvement Proposal (DD Form 1426) appearing at the end of this document or by letter.

3. MIL-STD-882A is exempt from OMB approval action. It is considered technical information incident to the design, production, or operation of contract items and is not subject to review under provisions of paragraph 9b, attachment A, OMB Circular A-40, revised by OMB Transmittal Memorandum No. 1, February 10, 1976.
FOREWORD
The principal objective of a system safety program within the Department of Defense is to ensure that safety, consistent with mission requirements, is designed into systems, subsystems, equipment, and facilities, hereinafter referred to as systems.

DOD has approved this military standard for all DOD departments and agencies to use in developing system safety programs.

The degree of safety achieved in a system depends directly on management emphasis. Government and contractors will apply management emphasis to safety during the system acquisition process and throughout the life cycle of each system.

The success of the system safety effort depends on definitive statements for safety objectives and requirements by the managing activity and their translation into functional hardware. A formal safety program that stresses early hazard identification and elimination or control is the principal contribution of effective system safety. Selective application and the tailoring of this military standard shall be accomplished, as indicated herein, to specify the extent of contractual and DoD in-house compliance.
CONTENTS

Paragraph
1. SCOPE
1.1 Purpose
1.2 Application
1.3 Implementation
1.3.1 System safety program
1.3.2 System safety program plan
1.3.3 Contractual requirements
1.3.4 Applicability
1.3.5 Duplication of effort
1.3.6 Conflicting requirements
2. REFERENCED DOCUMENTS
3. DEFINITIONS
3.1 Contractor
3.2 Managing activity
3.3 Mishap
3.4 Risk
3.4.1 Hazard
3.4.2 Hazard probability
3.4.3 Hazard severity
3.5 Safety
3.6 System
3.6.1 Subsystem
3.7 System safety
3.8 System safety engineering
3.9 System safety group
3.10 System safety management
3.11 System safety program
3.12 System safety program plan (SSPP)
4. GENERAL REQUIREMENTS
4.1 System safety program objectives
4.2 System safety program requirements related to life cycle phases
4.2.1 Milestone 0 - program initiation
4.2.1.1 Milestone 0
4.2.1.2 Program initiation phase
4.2.2 Demonstration and validation phase
4.2.3 Full-scale engineering development phase
4.2.4 Production and deployment phase
5. DETAILED REQUIREMENTS
5.1 Development of the system safety program
5.1.1 Managing activity responsibilities
5.1.2 Contractor responsibilities
5.2 System safety organization
5.3 System safety program milestones and reviews
5.4 System safety requirements
5.4.1 General requirements
5.4.2 System safety precedence
5.4.3 Risk assessment
5.4.3.1 Hazard severity
5.4.3.2 Hazard probability
5.4.4 Action on identified hazards
5.5 Hazard analyses
5.5.1 Analysis type, format and technique
5.5.1.1 Preliminary hazard analysis
5.5.1.2 Subsystem hazard analysis
5.5.1.3 System hazard analysis
5.5.1.4 Operating and support hazard analyses
5.6 System safety data
5.6.1 Acquisition and use of safety data
5.6.2 Mishap reporting
5.6.3 Deliverable data
5.6.4 Nondeliverable data
5.7 Safety testing and demonstrations
5.8 Training
5.9 Audit program
5.10 Other safety matters
APPENDIX System safety program plan
1. SCOPE

1.1 Purpose. This standard provides uniform requirements for developing and implementing a system safety program of sufficient comprehensiveness to identify the hazards of a system and to ensure that adequate measures are taken to eliminate or control the hazards.

1.2 Application. This standard applies to DoD systems and facilities, including support, test, maintenance, and training equipment. It applies to all phases of the system life cycle; e.g., design, research and development, test and evaluation, production, operation and support, and modification and disposal. The requirements shall also be applied to DoD in-house programs.
1.3 Implementation.

1.3.1 System safety program. A system safety program shall be developed according to the requirements of this standard. The requirements for a system safety program shall be included in all applicable contracts negotiated by the DoD managing activities. These contracts include those negotiated (a) within each DoD agency, (b) by one DoD agency for another, and (c) by DoD for other government agencies. In addition, a system safety program will be developed for each DoD in-house program.

1.3.2 System safety program plan. System safety program planning shall be included in all phases of DoD system acquisition documentation. For major systems acquisition or planned acquisition, a system safety program plan shall be developed. For nonmajor programs, system safety program plans shall be developed based on criteria such as mishap risk or as specified by the managing activity. The managing activity will either develop the system safety program plan or the contractor shall develop the plan based on system safety program requirements established by the managing activity. System safety program plans shall describe in detail how the program will be organized and conducted to implement the requirements of sections 4 and 5 of this military standard.

1.3.3 Contractual requirements. Tailored system safety program requirements shall be specified in the contractual provisions to include input to the statement of work, contractor data requirements list (CDRL), general and special provision sections, annexes, and other contractual means. When a system safety program plan is required, the plan shall be submitted with the contractor's proposal and be subject to contract negotiation. Upon approval by the managing activity, the system safety program plan shall be an attachment to the contract, referenced in the statement of work, and become the basis for contractual requirements. Format and content requirements for a system safety program plan are included in the Appendix.

1.3.4 Applicability. Each provision of this standard shall be reviewed by the managing activity to determine extent of applicability. Tailoring may take the form of deletion, alteration, or addition to the statements in 3, 4, and 5 to adapt this standard to specific system characteristics, program management options, contractual structure or life cycle phases (see 4.2). In tailoring the tasks, the detail and depth of the effort shall be defined by the managing activity and incorporated in the appropriate contractual or other program documents.

1.3.5 Duplication of effort. The managing activity shall review the contract for duplication of effort between system safety program requirements and other elements of the program (e.g., reliability, maintainability, and human factors). This review may also be required of a contractor. System safety program requirements and tasks shall be cross-referenced in the system safety program plan or other contract documentation to avoid duplication of effort by the managing activity and the contractor.

1.3.6 Conflicting requirements. The managing activity shall specify in the statement of work that when conflicting requirements or deficiencies are identified within system safety program requirements, the contractor shall submit notification, with supporting rationale and proposed alternatives, to the managing activity for resolution.
2. REFERENCED DOCUMENTS

Referenced documents are not included in this document. Referenced documents required to supplement this military standard shall be specified in system specifications and contractual documents.

3. DEFINITIONS

The following definitions apply to this standard.
3.1 Contractor. A private sector enterprise or the organizational element of DoD (as used in this standard) engaged to provide services or products within agreed limits specified by the managing activity.

3.2 Managing activity. The DoD organizational element of DoD that will plan, organize, direct, contract, and control tasks and associated functions appropriate to the life cycle phase of the system.

3.3 Mishap. An unplanned event or series of events that result in death, injury, occupational illness, or damage to or loss of equipment or property.

3.4 Risk. An expression of possible loss in terms of hazard severity and hazard probability.

3.4.1 Hazard. An existing or potential condition that can result in a mishap (e.g., the presence of fuel in an undesired location is a hazard whereas the fuel itself is not).

3.4.2 Hazard probability. The likelihood, expressed in quantitative or qualitative terms, that a hazard will occur.

3.4.3 Hazard severity. A qualitative assessment of the worst potential consequence, defined by the degree of injury, occupational illness, property damage, or equipment damage that could ultimately occur.

3.5 Safety. Freedom from those conditions that can cause death, injury, occupational illness, or damage to or loss of equipment or property.

3.6 System. A composite, at any level of complexity, of personnel, materials, tools, equipment, facilities, and software. The elements of this composite entity are used together in the intended operational or support environment to perform a given task or achieve a specific production, support, or mission requirement.

3.6.1 Subsystem. An element of a system that, in itself, may constitute a system.

3.7 System safety. The optimum degree of safety within the constraints of operational effectiveness, time, and cost attained through specific application of system safety management and engineering principles whereby hazards are identified and risk minimized throughout all phases of the system life cycle.

3.8 System safety engineering. An element of system engineering requiring specialized professional knowledge and skills in applying scientific and engineering principles, criteria, and techniques to identify, eliminate, or control system hazards.

3.9 System safety group. A formally chartered group of persons organized to assist the program manager in achieving the system safety objectives.

3.10 System safety management. An element of management that establishes the system safety program requirements and ensures the planning, implementation and accomplishment of tasks and activities to achieve system safety consistent with the overall program requirements.

3.11 System safety program. The combined tasks and activities of system safety management and system safety engineering that enhance operational effectiveness by satisfying the system safety requirements in a timely, cost-effective manner throughout all phases of the system life cycle.

3.12 System safety program plan (SSPP). A formal document that fully describes the planned safety tasks required to meet the system safety requirements, including organizational responsibilities, methods of accomplishment, milestones, depth of effort, and integration with other program engineering and management activities and related systems.
4. GENERAL REQUIREMENTS

4.1 System safety program objectives. The system safety program shall define a systematic approach to ensure that:

a. Safety consistent with mission requirements is designed into the system in a timely, cost-effective manner.
b. Hazards associated with each system are identified and evaluated, and eliminated or controlled to an acceptable level throughout the entire life cycle of a system.
c. Historical safety data generated by other systems are considered and used, where appropriate.
d. Minimum risk is involved in accepting and using new designs, materials, and production and testing techniques.
e. Retrofit actions required to improve safety are minimized through the timely inclusion of safety features during development and acquisition of a system.
f. Modifications do not degrade the inherent safety of the system.
g. Consideration is given to safety and ease of disposal and demilitarization of any hazardous materials associated with the system.
4.2 System safety program requirements related to life cycle phases. The system safety program requirements are related here to the life cycle of a major system to show how the requirements of this military standard will be met. When the system program is not designated as a major program, the phases will be related to the major system life cycle phases to determine the safety tasks required. The system safety program requirements relating to each life cycle phase shall be selectively applied and tailored depending on the intended use of the system. If the acquisition has been in process before establishing the requirement for a system safety program, system safety program requirements normally performed during earlier phases will be evaluated for applicability to ensure risk is minimized. In all cases, the system safety program should be developed to facilitate continuation of the system safety effort into subsequent phases of the life cycle sequence; i.e., program initiation, demonstration and validation, full-scale engineering development, and production and deployment (including operation, support, and disposal).
4.2.1 Milestone 0 - program initiation.

4.2.1.1 Milestone 0. The system safety effort will support the definition of mission element needs by identifying safety deficiencies in existing or projected capability and by identifying opportunities for system safety to improve mission capability or reduce life cycle costs.

4.2.1.2 Program initiation phase. System safety tasks applicable to the program initiation phase are those required to evaluate the alternative system concepts under consideration for development and establish the system safety program consistent with the identified mission need and life cycle requirements. System safety tasks will include the following:

a. Evaluate all material, design features, procedures and operational concepts and environments under consideration which will affect safety throughout the life cycle.
b. Perform a preliminary hazard analysis (PHA) to identify hazards associated with each alternative concept.
c. Identify possible safety interface problems.
d. Highlight special areas of safety consideration, such as system limitations, risks, and man-rating requirements.
e. Review safe and successful designs of similar systems for consideration in alternative concepts.
f. Define the system safety requirements based on past experience with similar systems.
g. Identify safety requirements that may require waiver during the system life cycle.
h. Identify any safety design analysis, test, demonstration and validation requirements.
i. Document the system safety analyses, results, and recommendations for each promising alternative system concept.
j. Prepare a summary report of the results of the system safety tasks conducted during the program initiation phase to support the decision-making process.
k. Tailor the system safety program for the subsequent phases of the life cycle and include detailed requirements in the appropriate demonstration and validation phase contractual documents.
4.2.2 Demonstration and validation phase. System safety tasks during the demonstration and validation phase will be tailored to programs ranging from extensive study and analyses through hardware development to prototype testing, demonstration and validation. System safety tasks will include the following:

a. Prepare or update the SSPP to describe the proposed integrated system safety effort planned for the demonstration and validation phase.
b. Perform or update the PHA performed during the program initiation phase. Prepare a PHA report of the proposed system concept in its intended use and operational environment.
c. Identify those technology, design, production, and operational and support (O&S) risks having an impact on safety.
d. Establish system safety requirements and criteria for verifying that requirements have been met.
e. Participate in tradeoff studies to reflect the impact on system safety requirements and risk. Recommend system design changes based on these studies to ensure that the optimum degree of safety is achieved consistent with performance and system requirements.
f. Identify for inclusion in the appropriate specifications any qualitative and quantitative system safety requirements for the system. Include contractor-furnished equipment, government-furnished equipment, ground support equipment, and all interfacing and ancillary equipment.
g. Perform subsystem, system, and operating and support (O&S) hazards analyses.
h. Review all test plans to ensure safe conduct of the tests.
i. Ensure that hazards identified by analyses and tests are eliminated or controlled.
j. Review training plans and programs for adequate safety considerations.
k. Evaluate results of failure analyses and mishap investigations recorded during the demonstration and validation phase. Recommend redesign or other corrective action.
l. Ensure that system safety requirements are incorporated into the system specification based on updated system safety studies, analyses, and tests.
m. Prepare a summary report of the results of the system safety tasks conducted during the demonstration and validation phase to support the decision-making process.
n. Continue to tailor the system safety program. Prepare an SSPP for the full-scale engineering development phase and initial production phase.
4.2.3 Full-scale engineering development phase. To provide support to the system engineering program, the system safety tasks during the full-scale engineering development phase will include the following:

a. Ensure effective and timely implementation of the SSPP for the full-scale engineering development phase.
b. Review preliminary engineering designs to ensure that safety design requirements are incorporated and hazards identified during the demonstration and validation phase are eliminated or controlled.
c. Update system safety requirements in system specifications.
d. Perform or update subsystem, system, and O&S hazard analyses and safety studies concurrent with the design/test effort to identify design and operating and support hazards. Recommend any required design changes and control procedures.
e. Identify testing facilities, test requirements, specifications, and criteria to ensure that design safety is verified. Review the test plans and programs to ensure safe conduct of the tests.
f. Participate in technical design and program reviews and present results of subsystem, system, and O&S hazard analyses.
g. Identify and evaluate the effects of storage, shelf-life, packaging, transportation, handling, test, operation, and maintenance on the safety of the system and its components.
h. Evaluate results of failure analyses and mishap investigations recorded during full-scale engineering development. Recommend redesign or other corrective action.
i. Identify, evaluate, and provide safety considerations for tradeoff studies.
j. Review appropriate engineering documentation (drawings, specifications, etc.) to ensure safety considerations have been incorporated.
k. Review, and provide safety inputs to, preliminary system operation and maintenance publications.
l. Verify the adequacy of safety and warning devices, life support equipment, and personal protective equipment.
m. Provide safety inputs to training courses.
n. Review the preliminary production engineering effort including purchase specifications, process quality control, inspection and acceptance, and test procedures to ensure that safety in the process and end product is established and maintained during production.
o. Ensure requirements are developed for demilitarization and for safe disposal of hazardous materials and equipment.
p. Prepare a summary report of the results of the system safety tasks conducted during the full-scale engineering development phase to support the decision-making process.
q. Tailor system safety program requirements for the production and deployment phase.
4.2.4 Production and deployment phase. As part of the on-going system safety program, the system safety tasks during the production and deployment phase will include the following:

a. Prepare or update the SSPP to reflect the system safety program requirements for the production and deployment phase.
b. Identify critical parts and assemblies, production techniques, assembly procedures, facilities, testing, and inspection requirements which may affect safety and will ensure:
   (1) Adequate safety provisions are included in the planning and layout of the production line to establish safety control of the system within the production process and operations.
   (2) Adequate safety provisions are included in inspections, tests, procedures, and checklists for quality control of the equipment being manufactured so that safety achieved in design is maintained during production.
   (3) Production technical manuals or manufacturing procedures contain required warnings, cautions, and special procedures.
c. Verify that testing and evaluation is performed on early production hardware to detect and correct safety deficiencies at the earliest opportunity.
d. Review test plans and programs to ensure safe conduct of the tests.
e. Review warnings, cautions, and special procedures required for safe operation and maintenance.
f. Review procedures for storage, packaging, handling, and transportation to ensure that safety is maintained.
g. Review procedures and monitor results of periodic field inspections or tests (including recall-for-tests) to ensure acceptable levels of safety are maintained. This includes identifying major or critical characteristics of safety significant items that deteriorate with age, environmental conditions, or other factors.
h. Update hazard analyses to identify any new hazards that may result from engineering changes. Ensure that the safety implications of the changes are considered in all configuration control actions.
i. Evaluate results of failure analyses and mishap investigations. Recommend corrective action.
j. Monitor the system throughout the life cycle to determine the adequacy of the design, and operating, maintenance, and emergency procedures.
k. Conduct a safety review of proposed new operating and maintenance procedures, or changes, to ensure that the procedures, warnings, and cautions are adequate and inherent safety is not degraded. These reviews shall be documented as updates to the O&S hazards analyses.
l. Analyze safety deficiency reports submitted by operating and support personnel.
m. Review capability and procedures for demilitarization and disposal of hazardous material and equipment.
n. Document hazardous conditions and system deficiencies for development of follow-on requirements for modified or new systems.
o. Update safety documentation, such as design handbooks, military standards and specifications, to reflect safety "lessons learned".
5. DETAILED REQUIREMENTS

5.1 Development of the system safety program. A total program shall be developed in which design analyses, studies, and testing will identify system performance limitations, failure modes, safety margins, and critical operator tasks. All known facets of safety optimization including design, engineering, education, management policy and supervisory control shall be considered in identifying and eliminating or controlling hazards. System safety management and engineering shall be integrated with other management and engineering disciplines in the interest of an optimum system design. Procedures for development and integration of the system safety effort shall be applied across the managing activity/contractor interface to assure a system safety program consistent with overall system requirements.

5.1.1 Managing activity responsibilities. The managing activity shall:

a. Establish, plan, organize, and implement an effective system safety program that is integrated into all life cycle phases.
b. Establish definitive system safety program requirements for the procurement or development of a system. The requirements shall be set forth clearly in the appropriate system specifications and contractual documents and define:
   (1) In the appropriate system specifications, the system safety performance and design requirements that are available and applicable.
   (2) In the statement of work, the system safety requirements that cannot be defined in the system specifications. This would include general design guidelines in 5.4.1.
   (3) In the statement of work and CDRL as applicable, the specified safety data; e.g., analyses, tests, or progress reports that will be required during the scope of the effort.
c. Ensure that an SSPP is prepared that reflects in detail how the total program is to be conducted.
d. Review and approve for implementation the SSPPs prepared by the contractor.
e. Supply historical safety data as available.
f. Monitor contractors' system safety activities and review and approve deliverable data, if applicable, to ensure adequate performance and compliance with system safety requirements.
g. Ensure that the appropriate system specifications are updated to reflect results of analyses, tests, and evaluations.
h. Evaluate new design criteria for inclusion into military specifications and standards and submit recommendations to the respective responsible organization.
i. Establish system safety groups as appropriate to assist the program manager in developing and implementing a system safety program.

5.1.2 Contractor responsibilities. The contractor shall:

a. Develop and submit an SSPP describing the proposed integrated safety effort in response to the specific requirements of the managing activity.
b. Establish a system safety organization or function that shall manage and perform the overall system safety program.
c. Ensure effective and timely implementation of the SSPP, approved by the managing activity, and the system safety program in accordance with the contractual requirements.
d. Establish interfacing procedures to subcontractors to meet the requirements of the managing activity.
e. Support system safety group activities as required by the managing activity and according to the contractual requirements.
5.2 System safety organization. A system safety organization shall be provided for the conduct and management of the system safety program for both the managing activity and contractor. The responsibilities and functions of those directly associated with system safety policies and implementation of the program shall be clearly defined. The authority delegated to this organization and the relationship between line, staff, and interdepartmental, project, functional, and general management organization shall be identified. Personnel assigned to the system safety program shall be identified including their qualifications, specific experience, and formal education or training.

5.3 System safety program milestones and reviews. Each system safety program shall be planned to provide for periodic status reviews, presentations of hazard analyses and risk assessments, and evaluation of the overall effectiveness of the system safety effort. These reviews and assessments, conducted jointly by the managing activity and contractor, shall be performed concurrently with the appropriate program milestones. System safety shall be an agenda item of the appropriate scheduled program or design review held for the system to assess the status of compliance with the system safety requirements. These reviews shall identify any deficiencies of the system with respect to safety and provide guidance for further development. At the discretion of the managing activity, a system safety group may be established for selected systems or additional ad hoc safety reviews may be scheduled as required.
5.4 System safety requirements. System safety requirements establish design and operational safety criteria for hazard elimination or control and may establish a quantitative value designating the level of system safety.

5.4.1 General requirements. System designs and operational procedures should consider the following:

a. Review pertinent standards, specifications, regulations, design handbooks, and other sources of design guidance for applicability to the design of the system.
b. Eliminate or control hazards identified by analyses or related engineering efforts through design solution, material selection, or substitution. Potentially hazardous materials (e.g., propellants, explosives, hydraulic fluids, solvents, lubricants or fuels) shall be selected to provide optimum safety characteristics.
c. Isolate hazardous substances, components, and operations from other activities, areas, personnel, and incompatible materials.
d. Locate equipment so that access during operations, maintenance, repair, or adjustment minimizes personnel exposure to hazards (e.g., hazardous chemicals, high voltage, electromagnetic radiation, cutting edges, or sharp points).
e. Minimize hazards resulting from excessive environmental conditions (e.g., temperature, pressure, noise, toxicity, acceleration and vibration).
f. Design to minimize human error in the operation and support of the system.
g. Consider alternate approaches to minimize hazards that cannot be eliminated. Such approaches include interlocks, redundancy, failsafe design, system protection, fire suppression, and protective clothing, equipment, and devices.
h. Protect the power sources, controls and critical components for redundant subsystems by physical separation or shielding.
i. Provide suitable warning and caution notes in assembly, operations, maintenance, and repair instructions, and distinctive markings on hazardous components, equipment, or facilities to ensure personnel and equipment protection. These shall be standardized in accordance with the requirements of the managing activity.
j. Minimize the severity of personnel injury or damage to equipment in the event of a mishap (e.g., by incorporating crashworthy design features in all man-rated systems).
k. Review design criteria for inadequate or overly restrictive requirements regarding safety. Recommendations should be made for new design criteria supported by study, analyses, or test data.
5.4.2 System safety precedence. The order of precedence for satisfying system safety requirements and resolving identified hazards shall be as specified:
a. Design for minimum hazard. From the first, design to eliminate hazards. If an identified hazard cannot be eliminated, control hazards through design selection.
b. Safety devices. Hazards that cannot be eliminated or controlled through design selection shall be controlled to an acceptable level through the use of fixed, automatic, or other protective safety design features or devices. Provisions shall be made for periodic functional checks of safety devices.
c. Warning devices. When neither design nor safety devices can effectively eliminate or control an identified hazard, devices shall be used to detect the condition and to generate an adequate warning signal to correct the hazard or provide for personnel evacuation. Warning signals and their application shall be designed to minimize the probability of incorrect personnel reaction to the signals and shall be standardized within like types of systems.
d. Procedures and training. Where it is impossible to eliminate or adequately control a hazard through design selection or use of safety and warning devices, procedures and training shall be used to control the hazard. Procedures may include the use of personal protective equipment. Precautionary notations shall be standardized as specified by the managing activity. Safety critical tasks and activities may require certification of personnel proficiency.
5.4.3 Risk assessment. A risk assessment procedure commensurate with the system safety requirements shall be developed to establish priorities for corrective action and resolution of identified hazards. Since the priority for system safety is eliminating hazards by design, a risk assessment procedure considering hazard severity only will generally suffice during the early design phase to minimize hazards. When hazards are not eliminated during early design, a risk assessment procedure based upon the hazard probability, as well as hazard severity, may be required to establish priorities for corrective action and resolution of identified hazards. An example of a risk assessment is a numeric rank ordering of a mathematical combination arrived at by assigning numerical values to severity category and probability level.
5.4.3.1 Hazard severity. Hazard severity categories are defined to provide a qualitative measure of the worst potential consequences resulting from personnel error, environmental conditions, design inadequacies, procedural deficiencies, system, subsystem or component failure or malfunction as follows:
a. Category I - Catastrophic. May cause death or system loss.
b. Category II - Critical. May cause severe injury, severe occupational illness, or major system damage.
c. Category III - Marginal. May cause minor injury, minor occupational illness, or minor system damage.
d. Category IV - Negligible. Will not result in injury, occupational illness, or system damage.
These hazard severity categories provide guidance to a wide variety of programs. However, adaptation to a particular program may be required. This adaptation may include definite transition points between categories and further definition of the degree of injury or damage.
5.4.3.2 Hazard probability. The probability that a hazard will occur during the planned life expectancy of the system can be described in potential occurrences per unit of time, events, population, items, or activity. Assigning a quantitative hazard probability to a potential design or procedural hazard is generally not possible early in the design process. A qualitative hazard probability may be derived from research, analysis, and evaluation of historical safety data from similar systems. Supporting rationale for assigning a hazard probability shall be documented in hazard analysis reports. An example of a qualitative hazard probability ranking is:
Descriptive Word     | Level | Specific Individual Item                                                | Fleet or Inventory
Frequent             | A     | Likely to occur frequently                                              | Continuously experienced
Reasonably Probable  | B     | Will occur several times in life of an item                             | Will occur frequently
Occasional           | C     | Likely to occur sometime in life of an item                             | Will occur several times
Remote               | D     | So unlikely, it can be assumed that this hazard will not be experienced | Unlikely to occur but possible
Extremely Improbable | E     | Probability of occurrence cannot be distinguished from zero             | So unlikely, it can be assumed that this hazard will not be experienced
Impossible           | F     | Physically impossible to occur                                          | Physically impossible to occur

5.4.4 Action on identified hazards.
Action shall be taken to eliminate or minimize hazards revealed by analyses or related engineering efforts. Catastrophic and critical hazards shall be eliminated or controlled. If these hazards cannot be eliminated or controlled to an acceptable level, the alternative controls and recommendations will be immediately presented to the managing activity. Hazard analyses and reports shall provide closed-loop procedures to ensure timely resolution of all identified hazards.
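The numeric rank ordering that 5.4.3 describes, and the 5.4.4 rule that Category I and II hazards must be eliminated or controlled, can be made concrete in a short program. The following is an added illustration written for this page and is not part of MIL-STD-882A. The numeric weights assigned to the severity categories and probability levels, the product used to combine them, the `Hazard` record, and the sample hazard log are all assumptions chosen for demonstration; a real program would substitute the values and combination its managing activity specifies.

```python
"""Hazard risk assessment in the style of MIL-STD-882A 5.4.3 and 5.4.4.

Added illustration, not part of the standard. The numeric values given to
severity categories and probability levels, the product used to combine
them, and the sample hazards are assumptions chosen for demonstration.
"""
from dataclasses import dataclass

# 5.4.3.1 severity categories; the numeric weights are an assumption
SEVERITY = {"I": 4, "II": 3, "III": 2, "IV": 1}
SEVERITY_NAME = {"I": "Catastrophic", "II": "Critical",
                 "III": "Marginal", "IV": "Negligible"}

# 5.4.3.2 qualitative probability levels; weights are an assumption.
# Level F (physically impossible) is weighted 0 so such hazards rank last.
PROBABILITY = {"A": 5, "B": 4, "C": 3, "D": 2, "E": 1, "F": 0}


@dataclass(frozen=True)
class Hazard:
    ident: str
    description: str
    severity: str      # "I" .. "IV"
    probability: str   # "A" .. "F"
    controlled: bool   # eliminated or controlled to an acceptable level


def risk_index(h: Hazard, use_probability: bool = True) -> int:
    """Numeric rank of one hazard.

    Early in design the standard says severity alone generally suffices,
    so use_probability=False ranks by severity only. Later, severity and
    probability are combined; the product is one possible combination.
    """
    if h.severity not in SEVERITY:
        raise ValueError(f"unknown severity category {h.severity!r}")
    if h.probability not in PROBABILITY:
        raise ValueError(f"unknown probability level {h.probability!r}")
    s = SEVERITY[h.severity]
    return s if not use_probability else s * PROBABILITY[h.probability]


def rank_hazards(hazards, use_probability=True):
    """Order hazards for corrective action, highest risk first.

    Ties are broken by severity so a Category I hazard never ranks below a
    Category II hazard with the same index, keeping the 'eliminate by
    design first' priority visible in the ordering.
    """
    return sorted(
        hazards,
        key=lambda h: (risk_index(h, use_probability), SEVERITY[h.severity]),
        reverse=True,
    )


def open_must_resolve(hazards):
    """5.4.4: catastrophic and critical hazards shall be eliminated or
    controlled. Return the identifiers of those still open; these must be
    presented to the managing activity immediately."""
    return [h.ident for h in hazards
            if h.severity in ("I", "II") and not h.controlled]


# Constructed sample hazard log (an assumption, not from the standard)
SAMPLE_HAZARDS = [
    Hazard("H-1", "Propellant leak near ignition source", "I", "D", False),
    Hazard("H-2", "High-voltage exposure during maintenance", "II", "C", True),
    Hazard("H-3", "Sharp edge on access panel", "III", "B", False),
    Hazard("H-4", "Cosmetic scratch on housing", "IV", "A", False),
    Hazard("H-5", "Hydraulic line rupture under vibration", "II", "B", False),
]

if __name__ == "__main__":
    for h in rank_hazards(SAMPLE_HAZARDS):
        print(f"{h.ident}: index {risk_index(h):2d}  Cat {h.severity} "
              f"({SEVERITY_NAME[h.severity]}) / {h.probability}  {h.description}")
    print("Open Category I/II hazards:", open_must_resolve(SAMPLE_HAZARDS))
```

Running it with severity only (`rank_hazards(SAMPLE_HAZARDS, use_probability=False)`) puts H-1 first regardless of its Remote probability, which is the early-design behaviour the standard describes; with probability included, the Critical/Reasonably Probable H-5 overtakes it, and `open_must_resolve` still flags both because neither has been controlled.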
5.5 Hazard analyses. Analyses are performed to identify hazardous conditions to effect their elimination or control during all life cycle phases. Analyses shall be made to systematically examine the system, subsystem, facility, components, software, personnel, and their interrelationship including logistics, training, maintenance, test, modification, and operational environments. The analyses shall be accomplished to do the following:
a. Identify hazards, determine any needed corrective actions, and establish corrective action priorities.
b. Determine and evaluate safety considerations in tradeoff studies.
c. Determine and evaluate appropriate safety design and procedural requirements.
d. Provide documented evidence of compliance with specified safety tasks, objectives, and design requirements.
e. Support life-cycle-cost and design-to-cost analyses.
The selection of specific methods and techniques for performing these analyses is based on the level of complexity of the system element under consideration and the extent of system development. The hazard analyses methods and techniques selected for the system safety program should provide for continuity throughout the system life cycle and interfacing of results from one analysis to another to ensure identified hazards are corrected.
5.5.1 Analysis type, format and technique. Hazard analyses used in system safety are (a) preliminary hazard analysis (PHA), which is an initial safety assessment of the system; (b) subsystem hazard analysis (SSHA), which provides for hazard identification associated with the functional relationship of components and equipments comprising each subsystem; (c) system hazard analysis (SHA), which provides for hazard identification associated with subsystem interfaces; and (d) operating and support (O&S) hazard analyses, which provide for an evaluation of procedural safety. Analyses may be qualitative or quantitative. The managing activity may specify the format and technique to be used for hazard analyses requiring submittal or integration. The format may be a structured or unstructured narration, a matrix chart, or a logic model. Models and techniques should be compatible with those being applied by other disciplines on the same program so that results are comparable.
5.5.1.1 Preliminary hazard analysis. A preliminary hazard analysis (PHA) shall be performed to obtain an initial risk assessment of a concept or system. The purpose of a PHA is to identify safety critical areas, evaluate hazards, and identify the safety design criteria to be used. The PHA effort shall be initiated during the program initiation phase or earliest life cycle phases of the program so that safety considerations are included in tradeoff studies and design alternatives. Based on the best available data, hazardous conditions associated with the proposed design or function should be evaluated for hazard severity, hazard probability, risk, and operational constraint. Safety provisions and alternatives needed to eliminate or control hazardous conditions should be considered. The information shall be used in developing system safety requirements and in preparing performance and design specifications. Also, the PHA is the basic hazard analysis which establishes the framework for other hazard analyses and safety engineering evaluation of the design. The PHA should consider the following for identification of hazards:
a. Hazardous components (e.g., energy sources, fuels, propellants, explosives, and pressure systems).
b. Safety related interface considerations among various elements of the system (e.g., material compatibilities, electromagnetic interference and other possibilities of inadvertent activation, fire/explosive initiation and propagation).
c. Environmental constraints including the normal operating environments (e.g., drop, shock, extreme temperatures, noise and health hazards, fire, electrostatic discharge, lightning, X-ray, electromagnetic radiation, and laser radiation).
d. Operating, test, maintenance and emergency procedures (e.g., human error analysis of operator functions, tasks, and requirements; effect of environmental factors such as equipment layout and lighting requirements on human performance; life support requirements and their safety implications in manned systems; crash safety; egress, rescue, survival, and salvage).
e. Facilities, support equipment, and training (e.g., provisions for storage, assembly, checkout, prooftesting of hazardous systems/assemblies which may include toxic, flammable, explosive, corrosive or cryogenic fluids; electrical power sources; training and certification pertaining to safe operation and maintenance).
f. Safety related equipment, safeguards, and possible alternate approaches (e.g., interlocks, system redundancy, failsafe design considerations, subsystem protection, fire suppression systems, and personal protective equipment).
5.5.1.2 Subsystem hazard analysis. An analysis applied to some element of the total system is called a subsystem hazard analysis (SSHA). SSHA shall be performed to identify hazards associated with component failure modes and functional relationships of components and equipments comprising each subsystem. Such analysis should identify all components and equipments whose performance, performance degradation, functional failure, or inadvertent functioning could result in a hazard. The analysis should include a determination of the modes of failure including all single point failures and the effects on safety when failures occur in subsystem components. SSHA should normally be performed during the demonstration and validation phase and should be started as soon as the actual design of the subsystem has been refined to the point where detailed design information is available. The format for this analysis must be carefully established to minimize problems in integrating subsystem hazard analyses into the system hazard analysis. Techniques that may be used to complete the SSHA include:
a. Fault hazard analysis - An inductive method of analysis which can be used exclusively as a qualitative analysis, or, if desired, expanded to a quantitative one. The fault hazard analysis requires a detailed investigation of the subsystem to determine component hazard modes, causes of those hazards, and resultant effects to the subsystem and its operation.
b. Fault tree analysis - A deductive analytical tool used to analyze all events, faults, and occurrences and all their combinations that could cause or contribute to the occurrence of a defined undesired event. A qualitative or quantitative analysis may be conducted.
c. Sneak circuit analysis - Conducted on hardware and software to identify latent (sneak) circuits and conditions that inhibit desired functions or cause undesired functions to occur, without a component having failed. The analysis employs recognition of topological patterns which are characteristic of all circuits and electrical/electronic systems.
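Fault tree analysis, item b above, has a qualitative output (the minimal cut sets, which expose every single point failure that 5.5.1.2 asks the SSHA to find) and a quantitative one (the probability of the defined undesired top event). The example below is added here to show both and is not part of the standard. The gate representation, the sample tree for an unintended-ignition top event, and the basic event probabilities are constructed assumptions, and basic events are assumed to be independent.

```python
"""Fault tree analysis (MIL-STD-882A 5.5.1.2 b).

Added illustration, not from the standard. The gate types, the sample
tree and the basic-event probabilities are assumptions constructed for
demonstration. Basic events are assumed independent.
"""
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Event:
    name: str
    p: float  # probability of the basic event over the system's life


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str       # "AND" or "OR"
    inputs: tuple   # Event or Gate objects


def cut_sets(node):
    """Qualitative analysis: every combination of basic events that causes
    the node's event. Returns a set of frozensets, not yet minimized."""
    if isinstance(node, Event):
        return {frozenset([node])}
    if node.kind == "OR":
        # any single input suffices: union of the inputs' cut sets
        result = set()
        for child in node.inputs:
            result |= cut_sets(child)
        return result
    if node.kind == "AND":
        # all inputs needed: cross product, joining each combination
        result = {frozenset()}
        for child in node.inputs:
            result = {a | b for a in result for b in cut_sets(child)}
        return result
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(top):
    """Drop any cut set that is a superset of another; what remains are
    the minimal cut sets. A cut set of size one is a single point failure."""
    sets = cut_sets(top)
    return {c for c in sets if not any(o < c for o in sets)}


def top_event_probability(top):
    """Quantitative analysis: exact P(top) by inclusion-exclusion over the
    minimal cut sets. Correct even when a basic event feeds several gates,
    which a naive gate-by-gate product/sum calculation is not."""
    mcs = list(minimal_cut_sets(top))
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1 if k % 2 == 1 else -1
        for combo in combinations(mcs, k):
            events = frozenset().union(*combo)
            total += sign * prod(e.p for e in events)
    return total


def rare_event_bound(top):
    """Sum of minimal-cut-set probabilities: the rare-event approximation,
    an upper bound on the exact value."""
    return sum(prod(e.p for e in c) for c in minimal_cut_sets(top))


# Constructed sample tree (assumption): unintended ignition of a charge
# needs an ignition source AND an ineffective interlock. The wiring fault
# feeds both branches, which is what makes it a single point failure.
E_POWER = Event("stray_power_on_igniter", 1e-3)
E_ESD = Event("electrostatic_discharge", 5e-4)
E_INTERLOCK_FAIL = Event("interlock_relay_fails_closed", 2e-3)
E_INTERLOCK_BYPASS = Event("interlock_bypassed_in_maintenance", 1e-2)
E_WIRING = Event("wiring_fault", 1e-3)

IGNITION_SOURCE = Gate("ignition_source", "OR", (E_POWER, E_ESD, E_WIRING))
INTERLOCK_INEFFECTIVE = Gate("interlock_ineffective", "OR",
                             (E_INTERLOCK_FAIL, E_INTERLOCK_BYPASS, E_WIRING))
TOP = Gate("unintended_ignition", "AND", (IGNITION_SOURCE, INTERLOCK_INEFFECTIVE))

if __name__ == "__main__":
    for c in sorted(minimal_cut_sets(TOP), key=len):
        print("cut set:", sorted(e.name for e in c))
    print(f"P(top) exact            = {top_event_probability(TOP):.4e}")
    print(f"P(top) rare-event bound = {rare_event_bound(TOP):.4e}")
```

The qualitative result is what a reviewer would act on first: the tree has five minimal cut sets, and the one of size one (`wiring_fault`) is a single point failure that defeats the interlock precedence of 5.4.2 and would normally be designed out before any probability is argued about.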
5.5.1.3 System hazard analysis. System hazard analysis (SHA) shall be performed on subsystem interfaces to determine the safety problem areas of the total system. Techniques similar to those used for the SSHA should be used. Such analyses should include a review of subsystem interrelationships for:
a. Compliance with safety criteria.
b. Possible independent, dependent, and simultaneous failures that could present a hazardous condition, including failures of safety devices.
c. Degradation in the safety of a subsystem or the total system from normal operation of another subsystem.
d. Changes that occur within subsystems, so that the system hazard analysis can be updated accordingly.
5.5.1.4 Operating and support hazard analyses. Operating and support (O&S) hazard analyses shall be performed to identify and control hazards and determine safety requirements for personnel, procedures, and equipment used in production, installation, maintenance, testing, modification, transportation, storage, operation, emergency escape, egress, rescue, training, and disposal during all phases of intended use as specified in the system requirements. The O&S hazard analyses begun in the demonstration and validation phase should be oriented to development and operational testing. As the life cycle proceeds to production and deployment, O&S problems should be included. The analyses will also address hazards to the system that may be induced by maintenance personnel. Engineering data, procedures, and instructions developed from the engineering design and initial test programs should be used in support of this effort. Results of these analyses should provide the basis for:
a. Identifying a hazardous time period and actions required to minimize risk during this time.
b. Design changes to eliminate and control hazards.
c. Identifying requirements for safety devices and equipment and required maintenance procedures to detect their functional failure.
d. Warnings, cautions, and special and emergency procedures for operating and maintenance.
e. Special procedures for handling, storage, transportation, maintenance, and modification.
5.6 System safety data
5.6.1 Acquisition and use of safety data. Safety data shall be used as an aid to prevent design deficiencies, particularly those of a repetitive nature. Safety data are accumulated from prior programs, similar systems, earlier work on an on-going program, and other historical sources. The data are used to evaluate the safety of a system, or verify compliance with the system safety requirements. These data shall include: (a) mishap reports, (b) mishap probabilities, (c) failure rates, (d) test results, (e) system safety analyses, (f) failure mode and effects analyses, and (g) human factors data. Liaison with other data sources shall be sought and maintained to identify hazards and evaluate safety design deficiencies.
5.6.2 Mishap reporting. The managing activity will specify requirements for reporting mishaps or malfunctions during the system safety program.
5.6.3 Deliverable data. The managing activity will specify the deliverable safety data requirements in the contractor data requirements list (DD Form 1423) attached to a request for proposal, invitation for bid, or the contract, as appropriate. The SSPP and other required system safety data and reports submitted by the contractor will be subject to review and approval by the managing activity as specified in the CDRL.
5.6.4 Nondeliverable data. Nondeliverable data shall be indexed, filed, and maintained by the contractor for the time specified by the managing activity. The data shall be made available at the contractor's facility for review and use by authorized representatives of the managing activity upon request.
5.7 Safety testing and demonstrations. Tests and demonstrations shall be defined to validate selected safety features of the system. Tests or demonstrations shall be performed on safety critical equipment and procedures to determine the hazard severity or to establish the margin of safety of the design. Induced or simulated failures will be considered to demonstrate the failure mode and acceptability of safety critical equipment. Where hazards are identified during the development effort and it cannot be analytically determined whether the action taken will adequately control the hazard, safety tests shall be conducted to evaluate the effectiveness of the controls. Subsequent SSPPs and test program plans shall be revised to include these tests. Where costs for safety testing would be prohibitive, safety characteristics or procedures may be verified by engineering analyses, analogy, laboratory test, functional mockups, or subscale/model simulation, when approved by the managing activity. Specific safety tests shall be integrated into appropriate system test and demonstration plans to the maximum extent possible. Test plans, procedures, and test results for all tests including design verification, operational evaluation, production acceptance, and shelf-life validation shall be reviewed to ensure that:
a. Safety is adequately demonstrated.
b. The testing will be conducted in a safe manner.
c. All additional hazards introduced by testing procedures, instrumentation, test hardware, environment, etc., are properly identified and controlled.
5.8 Training. Approved safety procedures shall be included in instruction lesson plans and student examinations for the training of engineering, technician, operating and maintenance personnel. Safety and warning devices, personal protective equipment, and emergency equipment shall be identified.
5.9 Audit program. Techniques and procedures shall be implemented to ensure that the objectives and requirements of the system safety program are being accomplished. Procedures shall also be included for ensuring adequate on-the-job safety surveillance during system installation, checkout, maintenance, and modification activities.
5.10 Other safety matters. Specific requirements for other specialized safety activities (e.g., nuclear, range, explosive, chemical, biological, electromagnetic radiation, and lasers) shall be included as necessary to satisfy the requirements of the managing activity.
Custodians:
Army - AV
Navy - AS
Air Force - 10

Preparing activity:
Air Force - 10
Project No. MISC-0B11

Reviewer activities:
Army - AV, AT, EL, MU, MI
Navy - AS, OS/SH, YD, SA, EC
Air Force - 11, 13, 16, 19
APPENDIX
SYSTEM SAFETY PROGRAM PLAN
Format and content requirements for a system safety program plan shall be as specified by the managing activity and in accordance with one of the following data requirements:
DD Form 1664 identification number:
DI-R-3531 (USAF)
DI-H-1320A (Army)
UDI-H-2041's (Navy)
STANDARDIZATION DOCUMENT IMPROVEMENT PROPOSAL
INSTRUCTIONS: This form is provided to solicit beneficial comments which may improve this document and enhance its use. DoD contractors, government activities, manufacturers, vendors, or other prospective users of the document are invited to submit comments to the government. Fold on lines on reverse side, staple in corner, and send to preparing activity. Attach any pertinent data which may be of use in improving this document. If there are additional papers, attach to form and place both in an envelope addressed to preparing activity. A response will be provided to the submitter, when name and address is provided, within 30 days indicating that the 1426 was received and when any appropriate action on it will be completed.
NOTE: This form shall not be used to submit requests for waivers, deviations or clarification of specification requirements on current contracts. Comments submitted on this form do not constitute or imply authorization to waive any portion of the referenced document(s) or to amend contractual requirements.
DOCUMENT IDENTIFIER (Number) AND TITLE
NAME OF ORGANIZATION AND ADDRESS OF SUBMITTER
[ ] VENDOR  [ ] USER  [ ] MANUFACTURER
[ ] HAS ANY PART OF THE DOCUMENT CREATED PROBLEMS OR REQUIRED INTERPRETATION IN PROCUREMENT USE?
[ ] IS ANY PART OF IT TOO RIGID, RESTRICTIVE, LOOSE OR AMBIGUOUS? PLEASE EXPLAIN BELOW.
1. A. GIVE PARAGRAPH NUMBER AND WORDING
   B. RECOMMENDED WORDING CHANGE
   C. REASON FOR RECOMMENDED CHANGE(S)
2. REMARKS
SUBMITTED BY (Printed or typed name and address, optional)
TELEPHONE NO.
DATE
DD Form 1426, 1 OCT 76. Previous edition will be used.