R.R. Mohr
February 2002
5th Edition
Some Definitions
PHA: An early or initial system safety study of potential loss events. It is a list or inventory (PHL) of system hazards and includes qualitative, not quantitative, assessments of risk for the individual hazards.
RISK (n.): long-term rate of loss; the product of loss severity and loss probability.
PHA Uses
A well done Preliminary Hazard Analysis:
[Figure: PHA process flowchart. Steps: identify targets (Target 1, Target 2, Target 3; Environment, Other); identify/verify hazards (Hazard 1, Hazard 2, Hazard 3, ... Hazard H); evaluate worst-case severity; evaluate probability; assess risk; is risk acceptable? YES: stop. NO: develop countermeasures and reevaluate, and/or accept (waiver), or abandon.]
Appendix 1 provides a Hazard Checklist.
Consult checklists.
Review System Safety studies from other similar systems.
Review historical documents: mishap files, near-miss reports, OSHA injury data, National Safety Council data, manufacturers' reliability analyses, etc.
Consider external influences like local weather, environmental, or personnel tendencies.
Consider all operational/mission phases.
Consider common causes.
Brainstorm: mentally develop credible problems and play "What if?" games.
Consider all energy sources. What's necessary to keep them under control? What happens if control is compromised or lost?
Describing Hazards
To avoid confusing a hazard with its consequence(s), follow this thought sequence:
SOURCE
MECHANISM
OUTCOME
This Source/Mechanism/Outcome rhythm is sometimes called a Hazard Scenario.
NO: H2 Explosion Damage
YES: H2 concentration from confined/unventilated battery charging in presence of ignition source(s); Detonation; Injury/Equipment Damage
Don't confuse a HAZARD with its CONSEQUENCES!
BY HAZARD TYPE
Pinching; Crushing; Sharp Contact; Slip/Fall; Asphyxia
BY OPERATIONAL/MISSION PHASING
Transport; Delivery; Installation; Calibration; Checkout; Shakedown; Activation; Standard start; Emergency start; Normal Operation; Load Change; Coupling/Uncoupling; Stressed Operation; Standard Shutdown; Emergency Shutdown; Trouble Shooting; Maintenance; Others
Make sure all analysts on a team use the same approach. (Ask the client if there is a preference.)
BY SYSTEM ARCHITECTURE
System; Subsystem; Assembly; Subassembly; etc. (Don't overlook Interfaces!)
BY ENERGY SOURCE
Chemical; Electrical; Mechanical; Pneumatic; Nuclear; etc.
BY GEOGRAPHIC LOCATION
Building; Wing; Floor; Area; Room; etc.
BY SYSTEM/SUBSYSTEM FUNCTION
Chassis/Frame; Body; Power Plant; Fuel System; Cooling System; Drive Train; Electrical System; Lighting System; etc.
Organization of the Analysis within the Report can follow the same format used in identifying hazards, i.e.: Hazard Type, Operational Phase, System Architecture, etc.
Appendix 1 provides a Hazard Checklist.
Assessing Risk
Scalding burns
Worst Credible
Electrocution
We can't know what he really died of. Any one of these effects would have been sufficient. And there's that statewide blackout: a whole new opportunity for worst-conceivable imaginations.
WORST-CREDIBLE-CASE is the theme for the System Safety Analyst. Be truthful, thorough, and realistic. When there is genuine room for doubt or concern, be pessimistic, but do it realistically!
Probability: Important Considerations
In evaluating risk, you won't have much problem assessing severity. The difficulty comes in assessing probability. Few of us have had much experience dealing with Severity I consequences, so we have only meager ability to assess probability.
Further, because our backgrounds differ, some hazards seem more real than others. For example, a person living in a desert has a different view of drowning hazards than someone who lives near a lake or ocean. Each of us has a different sensitivity to certain hazards. If you pass a highway accident on the way to work, you're likely to raise your assessment of that risk temporarily. A person living near an ambulance dispatching center may have an elevated assessment of human disaster events until he unconsciously filters out the sound of sirens. A maintenance worker in a microcircuit assembly plant is probably more concerned about hazards of dropped tools than is a maintenance worker in a granary whose main concern is ignition sources. Neither is really wrong; it's just a matter of differing experience and viewpoint.
No one person has unlimited experience. It's not safe to depend solely on one analyst's judgment. It's not fair to the analyst or the PHA. Involve several analysts to ensure a more complete perspective.
Probability is meaningless unless applied to a specified Interval of Exposure!
[Figure: risk assessment matrix. Recoverable labels: probability levels A (Frequent), B (Probable); severity categories II (Critical), III (Marginal), IV (Negligible); Risk Code/Actions: "Imperative to suppress risk to lower levels", "Operation permissible".]
An EXPOSURE INTERVAL must be scaled. PROBABILITY and SEVERITY must be scaled. TARGETS must be selected. Then HAZARDS must be found, and RISK ASSESSED.
Severity/Probability Interpretations*

SEVERITY OF CONSEQUENCES
Provide stepwise scaling of SEVERITY levels for each TARGET.
Columns: Category/Descriptive Word; Personnel Illness/Injury; Equipment Loss ($)**; Down Time; Product Loss; Environmental Effect.
I CATASTROPHIC. Personnel illness/injury: Death. Equipment loss ($): >1M. Down time: >4 months. Environmental effect: Long-term (5 yrs or greater) environmental damage or requiring >$1M to correct and/or in penalties.
II CRITICAL. Personnel illness/injury: Severe injury or severe occupational illness. Equipment loss ($): 250K to 1M. Down time: 2 weeks to 4 months.
III MARGINAL. Personnel illness/injury: Minor injury or minor occupational illness. Equipment loss ($): 1K to 250K. Down time: 1 day to 2 weeks.
IV NEGLIGIBLE. Personnel illness/injury: No injury or illness. Equipment loss ($): <1K. Down time: <1 day.
Product loss: Values as for Equipment Loss.

PROBABILITY OF MISHAP**
Provide stepwise scaling of PROBABILITY. Probability is a function of exposure interval.
Columns: Level; Descriptive Word; Definition.
FREQUENT: Likely to occur repeatedly in system life cycle.
PROBABLE: Likely to occur several times in system life cycle.
OCCASIONAL: Likely to occur sometime in system life cycle.
REMOTE: Not likely to occur in system life cycle, but possible.
IMPROBABLE: So unlikely it can be assumed occurrence may not be experienced.
IMPOSSIBLE: Physically impossible to occur.
Quit/Give up/Abandon, or
Evaluating Countermeasures
EFFECTIVE PRECEDENCE
Obviously some countermeasures are more effective than others.
Here are five countermeasure categories*, listed in descending order
of effectiveness:
*Many analysts code countermeasures as to their effectiveness ranking. Code letter indicators
such as these appear in the analysis itself.
Countermeasure Categories*
Explained
Countermeasure Checklist
EXAMPLE ADMINISTRATIVE COUNTERMEASURES:
Abandon or shut down (?)
Relocate (D)
Educate and train (P)
Limit exposure duration, and/or distance (P)
Provide medical surveillance (P)
Provide warning/signals and train in proper steps (W/P)
Maintain high housekeeping standards (P)
Design, train, and implement appropriate procedures for all operational/mission phases and equipment (P)
OTHER EXAMPLE COUNTERMEASURES:
Employ guards, require ID (P)
Use adequate security methods (light dark areas, use motion sensors on doors,
windows, etc.) (W/P)
Provide and require proper PPE (S/P)
Use locks, blocks, interlocks (S/P)
Selecting Countermeasures
WHEN SELECTING A COUNTERMEASURE, EXAMINE IT FOR:
I
Prob
Sev
4.
5.
6.
Personnel
Product
Environment
Equipment
Productivity (Downtime)
Reputation
Others
That doesn't become just one more lousy form to fill out!
Appendix 2 provides a selection of Hazard Analysis Worksheet designs.
Examples with instructions for use.
[Figure: annotated PHA worksheet, System Number Srd-A (Chem/Int). Fields: Analysis: Initial / Revision / Addition; Hazard No. / Description; Hazard Target*; Risk Before (Severity, Probability, Risk Code); Description of Countermeasures; Risk After (Severity, Probability, Risk Code); Prepared by/Date; Approved by/Date. Target codes shown include P, E (Equipment), T and V (Environment). Sample severity/probability/risk code entries: I/D/2, II/C/2, III/C/3 and I/E/3, II/D/3, III/D/3.]
Worksheet annotations:
Identify target(s).
Show hazard alphanumeric designator.
Describe Hazard Source, Mechanism, Worst-credible Outcome.
Assess worst-credible Severity, and Probability for that outcome. Show Risk (from assessment matrix) for Hazard "as-is", i.e., with no added countermeasures.
Reassess Probability/Severity, and show Risk (from assessment matrix) for hazard, presuming new countermeasures to be in place. If Risk is not acceptable, new countermeasures must be developed.
Submitted by:
Date:
Originator or reviser
Hazard Description:
Describe the hazard as an act or condition that poses threat of harm or loss, i.e., a condition prerequisite to a mishap.
Indicate the worst-credible outcome in terms of personnel injury/illness and equipment damage, to which the Initial Risk
Assessment applies (below). Description should state or imply: *source / *mechanism / *outcome for worst-credible case.
Maintenance:
Operation:
Mission Phase:
Check all that apply.
Hazard Target:
Personal Injury:
Personal Illness:
Equipment Damage:
Equipment
Severity:
Probability:
Risk Index:
Government
Acceptance:
Submitted by:
Date:
Hazard Title: Loss of fwd. night vision from relay K-28 failure
Hazard Description:
Headlight Power Repeater Relay K-28 controls power to headlamps for both high- and low-beam functions. Relay K-28 is N.O. Relay coil failure would result in complete loss
of headlight function and driver's loss of forward visibility. At max highway speed, safe stopping distance approximates illuminated distance, except on curves, where loss of
control could occur. Vehicle damage and serious injury or death of occupants could result.
Maintenance:
Operation: x
Mission Phase:
Check all that apply.
Hazard Target:
Personal Injury: x
Personal Illness:
Equipment Damage: x
Equipment
Severity: II
Probability: D
Risk Index: 2
MANPRINT
Manager:
Government
Acceptance:
HAZARD No.
HAZARD TITLE:
REVISED:
7/22/93
HAZARD DESCRIPTION
Flange Seal A-29 leakage, releasing pressurized UnFo3 chemical intermediate from containment system, producing
toxic vapors on contact with air and attacking nearby equipment.
25 years
EXPOSURE INTERVAL
ACTIVITY/PROCESS PHASE:
Personnel:
Equipment:
Downtime:
Environment:
Product:
(worst credible)
(from Matrix)
II
III
Personnel:
Equipment:
Downtime:
Environment:
Product:
Surround flange with sealed annular stainless steel catchment housing, with gravity runoff conduit led to Detecto-Box™ containing detector/alarm feature and chemical neutralizer (S/W). Inspect flange at two-month intervals and re-gasket during annual plant
maintenance shut-down (P). Provide personal protective equipment and training for response/cleanup crew (S/P).
For each target, assess severity, and probability for the worst-credible outcome. Show risk (from assessment matrix) for hazard-target combination "as-is", i.e., with no added countermeasures.
RISK CODE:
Code Each Countermeasure: (D) = Design Alteration / (E) = Engineered Safety Features / (S) = Safety Devices / (W) = Warning Devices / (P) = Procedures/Training
(from Matrix)
II
III
Prepared by / Date:
(Designer/Analyst)
(worst credible)
Identify applicable
operating phases.
ADDITIONAL COUNTERMEASURES*
COMMENTS
In-plant diking protects environment from runoff.
Reviewed by / Date:
(System Safety Manager)
Hazard Logging
Mission
Phase
(Standard
Run)
Hazard
Serial No.
(9 of 999)
[Figure: example PHA worksheet, System Number TC/A.a-46. Fields: Analysis: Initial / Revision / Addition; Hazard No. / Description; Hazard Target* (P, E, T, R); Risk Before (Severity, Probability, Risk Code); Description of Countermeasures; Risk After (Severity, Probability, Risk Code). Sample severity/probability/risk code entries for targets P, E, T, R: I/D/2, II/D/3, I/D/2, II/D/3; I/D/2 for all four targets; I/E/3, II/E/3, I/E/3, II/E/3; I/E/3 for all four targets; and IV/D.]
Example countermeasure entry: Install fuel vapor detection system set to 20% LEL for alarm (W/P), 40% for automatic shutdown (E), 60% for fire suppressant release and emergency evacuation (S/W/P).
Approved by/Date:
1.
2.
All applicable targets are indicated for each hazard. Risk is assessed
separately for each hazard-target combination.
3.
5.
6.
For all hazards posing unacceptable risk (as determined from Risk
Assessment Matrix), new countermeasures are described. (Countermeasure
types are indicated by code letter.) Risk is then reassessed for the same
hazards/targets, presuming the countermeasures to be in place (Risk After).
If Risk remains unacceptable, other or additional countermeasures must be
identified. Administrative features of the System Safety Program Plan must
prohibit operation without prescribed countermeasures in place.
Countermeasures must not intolerably compromise system performance and
must be examined to ensure against introducing new, unrecognized system
hazards.
Countermeasures most often reduce probability. Notice Example Hazard A-64.001. It changes from I/D/2 to I/E/3. Severity is unchanged. The hazard can
still kill, but it's less likely to do so (D to E).
Notice the countermeasure for Example Hazard A-64.002. Multiple means are
called for to measure pressure, but they are based on differing sensing
principles. (This is a preferred way to reduce common-cause vulnerability.)
7.
8.
Work crews frequently enter the confined space (install and remove IG
bottles, etc.). Full-time occupancy is a reasonable assumption.
Prepare a PHA for all identifiable hazards to any possible target in or near
this confined space. Assume an exposure interval of 25 years.
[Figure: confined-space layout. Labels: inert gas delivery, regulation & metering; O2 detector; O2 deficiency alarm; control room alarm; entry point alarm; forced ventilation blower; sump pump.]
[Blank PHA worksheet for the exercise. Fields: System Number; Analysis: Initial / Revision / Addition; Hazard No. / Description; Hazard Target* (including E Equipment, V Environment); Risk Before (Severity, Probability, Risk Code); Description of Countermeasures; Risk After (Severity, Probability, Risk Code); Prepared by/Date; Approved by/Date.]
It may not include ALL hazards and the assessments may not be right. Most
PHA-ers have limited knowledge, intellect, and ability to prophesy. (If you
know someone without these limitations, be sure to include him on the team.)
$$R_{(Tot)} = \sum_{i=1}^{i=n} (S_i)(P_i)$$
Residual risk for every hazard in a system may be Acceptable. This means that risk for each hazard is under acceptable control; operation may proceed. Given sufficient opportunity for several mishaps to occur, one or two or three or more will do so! Risks for multiple, independent hazards add. A complex and/or high-energy system provides multiple opportunities for mishaps. As time passes, even if probabilities are low, inevitably SOMETHING(S) will go wrong, eventually.
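The summation of risk over hazards, together with the earlier point that probability only has meaning over a stated exposure interval, worked through as an added example (not part of the original text). The hazard designators, dollar losses and annual probabilities are constructed, and both the years and the hazards are assumed independent.

```python
from dataclasses import dataclass
from math import prod


@dataclass(frozen=True)
class Hazard:
    ident: str         # hypothetical designator, not from the source text
    loss: float        # S_i: worst-credible loss in dollars (constructed)
    p_per_year: float  # constructed annual mishap probability


def p_over_interval(p_per_year: float, years: int) -> float:
    """P_i for the whole exposure interval, assuming independent years."""
    return 1.0 - (1.0 - p_per_year) ** years


def total_risk(hazards, years: int) -> float:
    """R(Tot) = sum over i of S_i * P_i, with P_i scaled to the interval."""
    return sum(h.loss * p_over_interval(h.p_per_year, years) for h in hazards)


def p_any_mishap(hazards, years: int) -> float:
    """Chance that at least one of the independent hazards produces a mishap."""
    survive = prod(1.0 - p_over_interval(h.p_per_year, years) for h in hazards)
    return 1.0 - survive


def worst_single(hazards, years: int) -> float:
    """Largest per-hazard probability: what a row-by-row review sees."""
    return max(p_over_interval(h.p_per_year, years) for h in hazards)


def years_until(hazards, target: float, limit: int = 1000) -> int:
    """First whole-year interval at which P(any mishap) reaches target."""
    for years in range(1, limit + 1):
        if p_any_mishap(hazards, years) >= target:
            return years
    raise ValueError("target not reached within limit")


# Constructed hazard log: 40 residual hazards, each individually low.
LOG = (
    [Hazard(f"X-{n:03d}", 250_000, 1e-4) for n in range(1, 31)]
    + [Hazard(f"Y-{n:03d}", 1_000_000, 4e-5) for n in range(1, 11)]
)
EXPOSURE_YEARS = 25  # the exposure interval used in the page's examples

if __name__ == "__main__":
    print(f"worst single hazard P : {worst_single(LOG, EXPOSURE_YEARS):.4f}")
    print(f"P(at least one mishap): {p_any_mishap(LOG, EXPOSURE_YEARS):.4f}")
    print(f"R(Tot), expected loss : ${total_risk(LOG, EXPOSURE_YEARS):,.0f}")
    print(f"years to 10% P(any)   : {years_until(LOG, 0.10)}")
```

No single row in this log exceeds a 0.25% chance over 25 years, yet the log as a whole carries roughly an 8% chance of at least one mishap in the same interval.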
A PHA, even though prepared with exhaustive thoroughness and knowledge of all
equipment operations and procedural details, cannot evaluate THE COMBINED
EFFECTS of COEXISTING FAILURES. Consider this scenario:
COEXISTING FAILURES (between 1:00-1:30 p.m. on a given day, these faults,
failures, or non-optimal situations arise):
1. Broken water main to Bldgs. 402, 405, and 406 (which are clustered together)
2. Malfunctioning traffic signal near these buildings
3. Blocked vehicle access road to building 405 (delivery van)
4. Small fire reported in Bldg. 407.
5. Food poisoning disables 30% of Emergency Response crew
6. Construction and wide-load land-clearing equipment for new project arrive
Combined effects??? (Good Luck!)
A PHA can find and assess risk for each of the events one at a time. But that PHA shouldn't be expected to evaluate risk from complex interactions. Use other system safety analytical techniques when examining interactive, simultaneous, multiple hazard/multiple mishap events: MORT, fault tree analysis, event tree analysis, cause-consequence analysis.
CODES / STANDARDS / REGULATIONS
BUT Codeworthy Systems may still pose UNTENABLE RISK!
THE ANALYSIS
Say what is analyzed
Targets recognized/ignored
Operational phases
Exposure interval
Others
and
FINDINGS
ANALYSIS WORKSHEETS
Show Worksheets as Appendix or attached Table. Provide a Hazard List as an index.
Bibliography
Appendix 1
A Hazards Checklist
Hazards Checklist
Appendix 1
Electrical
Shock
Burns
Overheating
Ignition of combustibles inadvertent
activation
Power outage
Distribution backfeed
Unsafe failure to operate
Explosion/electrical (electrostatic)
Explosion/electrical (arc)
Mechanical
Sharp edges/points
Rotating equipment
Reciprocating equipment
Pinch points
Lifting weights
Stability/toppling potential
Ejected parts/fragments
Crushing surfaces
Neither this nor any other hazards checklist should be considered complete. This list
should be enlarged as experience dictates and contains intentional redundant entries.
Pneumatic/hydraulic pressure
Overpressurization
Pipe/vessel/duct rupture
Implosion
Mislocated relief device
Dynamic pressure loading
Relief pressure improperly set
Backflow
Crossflow
Hydraulic ram
Inadvertent release
Miscalibrated relief device
Blown objects
Pipe/hose whip
Blast
Acceleration/deceleration/ gravity
Loose object translation
Impacts
Falling objects
Inadvertent motion
Fragments/missiles
Sloshing liquids
Slip/trip
Falls
Temperature Extremes
Heat source/sink
Hot/cold surface burns
Pressure elevation
Confined gas/liquid
Elevated flammability
Elevated volatility
Elevated reactivity
Freezing humidity/moisture
Reduced reliability
Altered structural properties
(e.g., embrittlement)
Fire/Flammability presence of
Fuel
Ignition source
Oxidizer
Propellant
Radiation
Ionizing
Alpha
Beta
Neutron
Gamma
X-Ray
Non-Ionizing
Laser
Infrared
Microwave
Ultraviolet
Explosives
Initiators
Heat
Friction
Impact/shock
Vibration
Electrostatic discharge
Chemical contamination
Lighting
Welding (stray current/sparks)
Effects
Mass fire
Blast overpressure
Thrown fragments
Seismic ground wave
Meteorological reinforcement
Sensitizers
Heat/cold
Vibration
Impact/shock
Low humidity
Chemical contamination
Conditions
Explosive propellant present
Explosive gas present
Explosive liquid present
Explosive vapor present
Explosive dust present
Leaks/Spills
Materials conditions
Liquids/cryogens
Gases/vapors
Dust-irritating
Radiation sources
Flammable
Toxic
Reactive
Slippery
Chemical/water contamination
System cross-connection
Leaks/spills
Odorous
Pathogenic
Asphyxiating
Flooding
Run off
Vapor propagation
Corrosive
Vessel/pipe/conduit rupture
Backflow/siphon effect
Allergens
Nuisance dusts/odors
Pathogens
Baropressure extremes
Fatigue
Cryogens
Lifted weights
Carcinogens
Noise
Teratogens
Toxins
Mutagens
Irritants
Asphyxiants
Fatigue
Inaccessibility
Nonexistent/inadequate kill switches
Glare
Inadequate Control/Readout
Differentiation
Control systems
Operator error
Inadvertent operation
Failure to operate
Operation early/late
Power outage
Interference (EMI/ESI)
Moisture
Sneak circuit
Operation out-of-sequence
Right operation/wrong control
Operate too long
Operate too briefly
Sneak software
Lightning strike
Grounding failure
Inadvertent activation
Air Conditioning
Compressed air/gas
Lubrication
Drains/sumps
Fuel
Exhaust
Flooding
Dust/dirt
Faulty calibration
Fire
Single-operator coupling
Location
Radiation
Wear-out
Maintenance error
Vermin/varmints/mud daubers
Contingencies
Emergency responses by system/operators to unusual events:
Hard shutdowns/failures
Windstorm
Flooding
Freezing
Earthquake
Hailstorm
Utility outages
Fire
Snow/ice load
Mission phasing
Transport
Delivery
Installation
Calibration
Checkout
Shake down
Activation
Standard start
Emergency start
Normal operation
Load change
Coupling/uncoupling
Stressed operation
Standard shutdown
Emergency shutdown
Diagnosis/trouble shooting
Maintenance
All others?
Appendix 2
A Potpourri of PHA
Worksheets
Appendix 2
PHA Worksheets
Matrix Preliminary Hazard Analysis
1.
2.
3.
4.
5.
6.
7.
8.
9.
SUBSYSTEM MODE HAZARDOUS
EVENT
HAZARDOUS EVENT POTENTIAL EFFECT HAZ.
CAUSING
OR
CONDITION
CONDITION CAUSING ACCIDENT
CLASS
HAZARDOUS
POTENTIAL
FUNCTION
CONDITION
ACCIDENT
10.
ACCIDENT PREVENTION
MEASURES
a.
HARDWARE
b.
PROCEDURES
c.
PERSONNEL
AFWL Form 2
AFSC KAFB NM
Appendix 2
JON/TITLE
IN HOUSE
CONTRACT
LOCATION
START DATE
INITIAL
REVISION
ADDENDUM
DEADLINE FOR COMPLETION OF FURTHER ANALYSIS
Potential
Consequences
(As applicable)
REMARKS
Risk
Assessment
(Key on reverse)
Existing Countermeasures
(Safety Manual Stds, Operating Procedures, Prior Safety Analysis, Etc.)
SYSTEM HAZARDS
EXISTING COUNTERMEASURES
(Use additional forms as required) (Safety Manual Stds, Operating Procedures, Prior Safety Analysis, Etc.)
PREPARER
AFSC Form 2
JUN 85
DATE
DSSO CERTIFICATION
1152
DATE
DATE
Further
Analysis
Required
Appendix 2
Preliminary Hazard Analysis
SYSTEM
SUBSYSTEM
ISSUE DATE:
ITEM/FUNCTION
SYSTEM
EVENT PHASE
HAZARD
DESCRIPTION
Source:
AFSC System Safety
Design Handbook
PREPARED BY
PG
OF
REV
6
HAZARD
SAFETY
CORRECTIVE ACTION
PRIORITY
CLASSIFICATION PROVISIONS
Appendix 2
Preliminary Hazard Analysis
SYSTEM/FUNCTION
HAZARDOUS
ELEMENT
HAZARDOUS
CONDITION
Source:
NASA/Langley
Research Center
SYSTEM/PROJECT
CONTRACT NO
OPERATING MODE
HAZARD
CAUSE
HAZARD
EFFECT
SHEET
OF
ANALYST:
DATE:
HAZARD
SEVERITY
CATEGORY
CORRECTIVE
ACTION
REMARKS
Appendix 2
UNDESIRED EVENT
CAUSE
Source:
NASA/Langley
Research Center
EFFECT
HAZARD
LEVEL
ASSESSMENTS
RECOMMENDATION
Appendix 2
Preliminary Hazard Analysis Worksheet
Project Name
HAZARDOUS
ITEM
CONDITION
NO.
HAZARD
CAUSE(S)
Source:
NASA/Lewis
Research Center
HAZARD
EFFECTS
Date
Page___ of
Part Analyzed ___________
HAZARD
HAZARD
HAZARD
SEVERITY FREQUENCY RISK INDEX
HAZARD
CONTROLS
Appendix 2
Prepared by/Date:
E Equipment
V Environment
Approved by/Date:
Risk Code
Probability
Addition
Risk
After
Severity
Revision
Hazard No. / Description
Initial
Description of Countermeasures
Risk
Code
Analysis:
Probability
System Number:
Risk
Before
Severity
Hazard Target*
Appendix 2
HAW No.: SSS-sss-A000
Original:
or, Revision No.:
Originator or reviser
Hazard Title:
Hazard Description:
Mission Phase:
Maintenance:
Operation:
Check all that apply.
Hazard Target:
Personal Injury:
Personal Illness:
Equipment Damage:
Severity:
Risk Index:
Equipment
Probability:
Risk Index:
Probability:
Risk Index:
Severity:
Probability:
Equipment
Risk Index:
Severity:
Comments:
Approvals (Date signatures):
Engr/Supv.:
System Safety
Engineer:
MANPRINT
Manager:
Government
Acceptance:
Appendix 2
Hazard No.
Hazard Title:
Revised:
Hazard Description
Exposure Interval
Activity/Process Phase:
Additional Countermeasures*
Personnel:
Equipment:
Downtime:
Environment:
Product:
Post-Countermeasure Risk Assessment
(with additional countermeasures in place)
Risk Code:
Probability:
Severity:
Hazard Target(s):
(worst credible) (for exposure interval) (from Matrix)
(check all applicable)
Personnel:
Equipment:
Downtime:
Environment:
Product:
Prepared by/Date:
(Designer/Analyst)
*Mandatory for Risk Codes 1 & 2, unless permitted by Waiver. Personnel must
not be exposed to Risk Code 1 or 2 hazards.
Code Each Countermeasure: (D) = Design Alteration / (E) = Engineered Safety Features / (S) = Safety Devices / (W) = Warning Devices / (P) = Procedures/Training
Comments
Reviewed by/Date:
(System Safety Manager)
Approved by/Date:
(Project Manager)