System Safety Theory
Heinrich's Domino Theory (System Safety Theory)

Heinrich was the first to propose the accident causation chain theory, which explains the various causes of injury accidents and their relationship to the accident. The theory holds that an injury accident is not an isolated event: although the injury may occur suddenly at one instant, it is the outcome of a sequence of events occurring one after another.

The five dominoes of Heinrich's model are, in order:
1. Heredity and social environment (M). Heredity and social environment are the causes of a person's faults. Hereditary factors may give a person undesirable traits such as recklessness, stubbornness or carelessness; the social environment may hinder education and encourage the growth of such traits. This is the most basic factor in the accident causal chain.
2. Fault of person (P). A person's faults are produced by heredity and social environment and are the main reason why a person commits an unsafe act or an object enters an unsafe condition. These faults include undesirable traits of every kind as well as acquired deficiencies such as a lack of safety knowledge and skills.
3. Unsafe act of person and unsafe condition of object (H). An unsafe act or unsafe condition is a human action, or a state of machinery or material, that has caused an accident in the past or could cause one; these are the direct causes of accidents. For example, standing under a suspended crane load, starting a machine without giving a signal, horseplay during working hours or removing safety guards are unsafe acts; unguarded transmission gears, exposed live conductors or poor lighting are unsafe conditions.
4. Accident (D). An unexpected, uncontrolled event in which an object, substance or radiation acts on the human body and causes injury. Falls and being struck by objects are typical accidents.
5. Injury (A). Bodily injury resulting directly from the accident.

Dominoes are used to picture this causal chain, giving the domino sequence shown in the figure. When one domino in the sequence is knocked over, a chain reaction follows and the remaining dominoes fall one after another. If one domino is removed from the chain, the chain is broken and the accident process is stopped. Heinrich therefore held that the centre of an enterprise's safety work is to prevent unsafe acts of people and eliminate unsafe conditions of machinery and materials, interrupting the accident chain and so avoiding the accident.
System Safety Engineering Theory

System safety engineering originated in the United States and was first applied in the military industry. In the late 1950s, a marked feature of scientific and technological progress was that facilities, processes and products were becoming ever more complex. The development of strategic weapons, space exploration and the construction of nuclear power plants brought into being, one after another, the large complex systems that are the hallmark of modern advanced technology. These systems are often made up of thousands or tens of thousands of components and parts connected by extremely complex relationships, and high energies are frequently involved in their development and use. A small error in such a system can trigger a large, unintended release of energy and lead to a catastrophic accident. The safety of these large complex systems attracted attention, and the basic ideas of system safety gradually took shape as people developed, used and maintained them.

System safety, as the modern theory and methodology of accident prevention, arose during the development of the Minuteman intercontinental ballistic missile in the United States. System safety is the body of safety theory and methods developed to prevent accidents in large complex systems. It means applying system safety engineering and management methods throughout the life of a system to identify its hazards and take control measures that minimise their risk, so that the system attains the optimum level of safety within the specified performance, time and cost constraints.

System safety has advanced accident causation theory in many respects. It holds that the hazards present in a system are the causes of accidents, and that different hazards may carry different degrees of risk. Risk is the possibility that a hazard leads to an accident causing injury, property damage or environmental pollution. Because not all hazards can be completely eliminated, there is no absolute safety: safety is merely the absence of risk beyond a permitted limit. The goal of system safety is therefore not zero accidents but the optimum level of safety.

System safety regards energy that may be released unintentionally as the root cause of accidents, and the failure of energy control as their direct cause. This raises the question of the reliability of energy-control measures. In system safety research, unreliability is regarded as a cause of unsafety, and reliability engineering is one of the foundations of system safety engineering. In reliability work the term "failure" is used for material factors and "human error" for human factors; these terms go considerably deeper than the earlier "unsafe act" and "unsafe condition". In general, an accident is the result of many human errors and equipment failures interacting in complex ways and acting together, that is, of the combined action of many accident-causing factors.
I. Introduction
With rapid social and economic development, accidents of all kinds occur frequently and pose a serious threat to people's lives and property. To improve accident prevention and emergency response capability and safeguard lives and property, this paper analyses accident emergency plans on the basis of safety system theory, in the hope of providing a theoretical reference for accident prevention and emergency response in China.

II. Overview of safety system theory
Safety system theory is the study of the causes of accidents and of their prevention and emergency handling. Its main points are:
1. Accidents are systemic, involving unsafe acts of people, unsafe conditions of objects, management deficiencies and other factors.
2. Prevention and emergency response should start from the system perspective, analyse every link in the chain of an accident comprehensively, find the causes and take the corresponding preventive measures.
3. Prevention and emergency response should follow the principles of systematicness, hierarchy, dynamism and sustainability.

III. Theoretical analysis of accident emergency plans
1. Basis for preparing an emergency plan. The basis consists mainly of:
(1) National laws, regulations and policies, such as the Work Safety Law of the People's Republic of China and the Regulations on Emergency Response to Work Safety Accidents.
(2) Industry standards and codes, such as the Guidelines for Preparing Accident Emergency Plans for Petrochemical Enterprises.
(3) The enterprise's actual situation, including production scale, production processes, equipment and facilities, and personnel quality.
2. Content of an emergency plan. The plan should include:
(1) Accident types and degree of harm: the accident types the plan covers, such as fire, explosion, leak or poisoning, with an assessment of the harm each can cause.
(2) Preventive measures: measures matched to each accident type, such as technical modification, equipment replacement and safety training.
(3) Emergency response procedures: the procedures to follow once an accident occurs, including raising the alarm, rescue, evacuation and medical aid.
(4) Emergency resources: the materials, equipment and personnel that emergency response requires.
(5) Emergency drills: drills organised regularly to build response capability.
3. Dynamic adjustment of the plan. The plan should be adjusted as the enterprise's situation, industry trends, laws, regulations and policies change, so that it remains effective and practical.

IV. Implementation and evaluation of emergency plans
1. Implementation should follow these principles:
(1) Timeliness: once an accident occurs, activate the plan immediately and begin emergency response without delay.
(2) Effectiveness: take effective measures to reduce the harm of the accident as far as possible.
System Safety Theory
1. Meaning of system safety theory
System safety means applying the principles of system safety management and system safety engineering within the life cycle of a system to identify hazards and reduce their risk to a minimum, so that the system reaches the optimum level of safety within the specified performance, time and cost constraints.
2. Main points of system safety theory
(1) In accident causation, it changed the traditional view that attended only to operators' unsafe acts while neglecting the part played by hardware failures, and began to consider how improving the reliability of the physical system could raise the safety of complex systems and so avoid accidents.
(2) Nothing is absolutely safe; hazardous factors lurk in everything.
(3) It is impossible to eradicate all hazards and all risk. The risk from existing hazards can be reduced, and it is the total risk that should be reduced, rather than only a few selected hazards being eliminated.
(4) Because human cognition is limited, hazards and risks sometimes cannot be fully recognised, and even when existing hazards are recognised, technical progress creates new ones.
Limited by technology, funds, labour and other factors, even recognised hazards cannot be eradicated completely; risk can only be reduced to an acceptable level, that is, to acceptable risk.
The goal of safety work is to control hazards, to drive the probability of an accident as low as possible and, should one occur, to hold injury and loss to a minimum.
Chapter 3: Principles of System Safety

3.1 Definition of System Safety
3.2 Planning Principles
3.3 Hazard Analysis
3.4 Comparative Safety Assessment
3.5 Risk Management Decision Making
3.6 Safety Order of Precedence
3.7 Behavioral-Based Safety
3.8 Models Used by System Safety for Analysis

3.0 Principles of System Safety

3.1 Definition of System Safety
System safety is a specialty within system engineering that supports program risk management. It is the application of engineering and management principles, criteria and techniques to optimize safety. The goal of system safety is to optimize safety by identifying safety-related risks and eliminating or controlling them by design and/or procedures, based on an acceptable system safety precedence. As discussed in Chapter 2, the FAA AMS identifies System Safety Management as a Critical Functional Discipline to be applied during all phases of the life cycle of an acquisition. FAA Order 8040.4 establishes a five-step approach to safety risk management: Planning, Hazard Identification, Analysis, Assessment, and Decision. The system safety principles involved in each of these steps are discussed in the following paragraphs.

3.2 Planning Principles
System safety must be planned. It is an integrated and comprehensive engineering effort that requires a trained staff experienced in the application of safety engineering principles. The effort is interrelated, sequential and continuing throughout all program phases. The plan must influence facilities, equipment, procedures and personnel. Planning should include transportation, logistics support, storage, packing, and handling, and should address Commercial Off-the-Shelf (COTS) and Non-developmental Items (NDI).
For the FAA AMS applications of system safety, a System Safety Management Plan is needed in the Pre-investment Decision phases to address the management objectives, responsibilities, program requirements, and schedule (who, what, when, where, and why). After the Investment Decision is made and a program is approved for implementation, a System Safety Program Plan (SSPP) is needed. See Chapter 5 for details on the preparation of an SSPP.

3.2.1 Managing Authority (MA) Role
Throughout this document, the term Managing Authority (MA) is used to identify the entity responsible for managing the system safety effort. In all cases, the MA is an FAA organization that has responsibility for the program, project or activity. Managerial and technical procedures to be used must be approved by the MA. The MA resolves conflicts between safety requirements and other design requirements, and resolves conflicts between associate contractors when applicable. See Chapter 5 for a discussion of Integrated System Safety Program Plans.

3.2.2 Defining System Safety Requirements
System safety requirements must be consistent with other program requirements. A balanced program attempts to optimize safety, performance and cost. System safety program balance is the product of the interplay between system safety and the other three familiar program elements of cost, schedule, and performance, as shown in Figure 3-1. Programs cannot afford accidents that will prevent the achievement of the primary mission goals. However, neither can we afford systems that cannot perform because of unreasonable and unnecessary safety requirements. Safety must be placed in its proper perspective. A correct safety balance cannot be achieved unless acceptable and unacceptable conditions are established early enough in the program to allow for the selection of the optimum design solution and/or operational alternatives.
Defining acceptable and unacceptable risk is as important for cost-effective accident prevention as is defining cost and performance parameters.

Figure 3-1: Cost vs. Safety Effort (Seeking Balance) (axes: safety effort against cost in dollars)

3.3 Hazard Analysis
Both elements of risk (hazard severity and likelihood of occurrence) must be characterized. The inability to quantify and/or lack of historical data on a particular hazard does not exclude the hazard from this requirement [1]. The term "hazard" is used generically in the early chapters of this handbook. Beginning with Chapter 7, hazards are subdivided into sub-categories related to environment such as system states, environmental conditions, or "initiating" and "contributing" hazards.

Realistically, a certain degree of safety risk must be accepted. Determining the acceptable level of risk is generally the responsibility of management. Any management decisions, including those related to safety, must consider other essential program elements. The marginal costs of implementing hazard control requirements in a system must be weighed against the expected costs of not implementing such controls. The cost of not implementing hazard controls is often difficult to quantify before the fact. In order to quantify expected accident costs before the fact, two factors must be considered. These are related to risk and are the potential consequences of an accident and the probability of its occurrence. The more severe the consequences of an accident (in terms of dollars, injury, national prestige, etc.), the lower the probability of its occurrence must be for the risk to be acceptable. In this case it will be worthwhile to spend money to reduce the probability by implementing hazard controls. Conversely, accidents whose consequences are less severe may be acceptable risks at higher probabilities of occurrence and will consequently justify a lesser expenditure to further reduce the frequency of occurrence.
Using this concept as a baseline, design limits must be defined.

[1] FAA Order 8040.4, Paragraph 5.c.

3.3.1 Accident Scenario Relationships
In conducting hazard analysis, an accident scenario as shown in Figure 3-2 is a useful model for analyzing risk of harm due to hazards. Throughout this System Safety Handbook, the term hazard will be used to describe scenarios that may cause harm. It is defined in FAA Order 8040.4 as a "Condition, event, or circumstance that could lead to or contribute to an unplanned or undesired event." Seldom does a single hazard cause an accident. More often, an accident occurs as the result of a sequence of causes termed initiating and contributory hazards. As shown in Figure 3-2, contributory hazards involve consideration of the system state (e.g., operating environment) as well as failures or malfunctions. Chapter 7 contains an in-depth discussion of this methodology.

Figure 3-2: Hazard Scenario Model

3.3.2 Definitions for Use in the FAA Acquisition Process
The FAA System Engineering Council (SEC) has approved specific definitions for Severity and Likelihood to be used during all phases of the acquisition life cycle.
These are shown in Table 3-2 and Table 3-3.

Table 3-2: Severity Definitions for FAA AMS Process
Catastrophic: Results in multiple fatalities and/or loss of the system.
Hazardous: Reduces the capability of the system or the operator's ability to cope with adverse conditions to the extent that there would be:
• a large reduction in safety margin or functional capability;
• crew physical distress or excessive workload such that operators cannot be relied upon to perform required tasks accurately or completely;
• serious or fatal injury to a small number of occupants of aircraft (except operators);
• fatal injury to ground personnel and/or the general public.
Major: Reduces the capability of the system or the operators to cope with adverse operating conditions to the extent that there would be:
• a significant reduction in safety margin or functional capability;
• a significant increase in operator workload;
• conditions impairing operator efficiency or creating significant discomfort;
• physical distress to occupants of aircraft (except operators), including injuries;
• major occupational illness and/or major environmental damage and/or major property damage.
Minor: Does not significantly reduce system safety. Actions required by operators are well within their capabilities. Includes:
• a slight reduction in safety margin or functional capabilities;
• a slight increase in workload, such as routine flight plan changes;
• some physical discomfort to occupants of aircraft (except operators);
• minor occupational illness and/or minor environmental damage and/or minor property damage.
No Safety Effect: Has no effect on safety.

Table 3-3: Likelihood of Occurrence Definitions
Probable. Qualitative: anticipated to occur one or more times during the entire system/operational life of an item. Quantitative: probability of occurrence per operational hour is greater than 1 x 10^-5.
Remote. Qualitative: unlikely to occur to each item during its total life; may occur several times in the life of an entire system or fleet. Quantitative: probability of occurrence per operational hour is less than 1 x 10^-5 but greater than 1 x 10^-7.
Extremely Remote. Qualitative: not anticipated to occur to each item during its total life; may occur a few times in the life of an entire system or fleet. Quantitative: probability of occurrence per operational hour is less than 1 x 10^-7 but greater than 1 x 10^-9.
Extremely Improbable. Qualitative: so unlikely that it is not anticipated to occur during the entire operational life of an entire system or fleet. Quantitative: probability of occurrence per operational hour is less than 1 x 10^-9.

MIL-STD-882 Definitions of Severity and Likelihood
An example taken from MIL-STD-882C of the definitions used to define Severity of Consequence and Event Likelihood is given in Tables 3-4 and 3-5, respectively.

Table 3-4: Severity of Consequence
Table 3-5: Event Likelihood (Probability)

3.3.3 Comparison of FAR and JAR Severity Classifications
Other studies have been conducted to define severity and event likelihood for use by the FAA. A comparison of the severity classifications for the FARs and JARs from one such study [2] is contained in Table 3-6. JARs are the Joint Aviation Regulations with European countries.

[2] Aircraft Performance Comparative Safety Assessment Model (APRAM), Rannoch Corporation, February 28, 2000.

3.4 Comparative Safety Assessment
Selection of some alternative design elements (e.g., operational parameters, architecture components or configuration) in lieu of others implies recognition on the part of management that one set of alternatives will result in either more or less risk of an accident. The risk management concept emphasizes the identification of the change in risk with a change in alternative solutions. Comparative Safety Assessment is made more complicated by the fact that a lesser safety risk may not be the optimum choice from a mission assurance standpoint.
Recognition of this is the keystone of safety risk management. These factors make system safety a decision-making tool. It must be recognized, however, that selection of the greater safety risk alternative carries with it the responsibility of assuring the inclusion of adequate warnings, personnel protective systems, and procedural controls. Comparative Safety Assessment is also a planning tool. It requires planning for the development of safety operating procedures and test programs to resolve uncertainty when safety risk cannot be completely controlled by design. It provides a control system to track and measure progress towards the resolution of uncertainty and to measure the reduction of safety risk.

Assessment of risk is made by combining the severity of consequence with the likelihood of occurrence in a matrix. Risk acceptance criteria to be used in the FAA AMS process are shown in Figure 3-3 and Figure 3-4.

Figure 3-3: Risk Acceptability Matrix
Figure 3-4: Risk Acceptance Criteria

An example based on MIL-STD-882C is shown in Figure 3-5. The matrix may be referred to as a Hazard Risk Index (HRI), a Risk Rating Factor (RRF), or other terminology, but in all cases it is the criteria used by management to determine acceptability of risk. The Comparative Safety Assessment Matrix of Figure 3-5 illustrates an acceptance criteria methodology. Region R1 on the matrix is an area of high risk and may be considered unacceptable by the managing authority. Region R2 may be acceptable with management review of controls and/or mitigations, and R3 may be acceptable with management review. R4 is a low risk region that is usually acceptable without review.

Figure 3-5: Example of a Comparative Safety Assessment Matrix

Frequency of occurrence   I Catastrophic   II Critical   III Marginal   IV Negligible
(A) Frequent              IA               IIA           IIIA           IVA
(B) Probable              IB               IIB           IIIB           IVB
(C) Occasional            IC               IIC           IIIC           IVC
(D) Remote                ID               IID           IIID           IVD
(E) Improbable            IE               IIE           IIIE           IVE

Hazard Risk Index (HRI) Suggested Criteria:
R1 Unacceptable
R2 Must control or mitigate (MA review)
R3 Acceptable with MA review
R4 Acceptable without review
(The shading that marks regions R1 to R4 on the matrix did not survive extraction; as the text above states, R1 is the high-risk region toward the catastrophic/frequent corner and R4 the low-risk region toward the negligible/improbable corner.)

Early in a development phase, performance objectives may tend to overshadow efforts to reduce safety risk. This is because safety sometimes represents a constraint on a design. For this reason, safety risk reduction is often ignored or overlooked. In other cases, safety risk may be appraised, but not fully enough to serve as a significant input to the decision-making process. As a result, the sudden identification of a significant safety risk, or the occurrence of an actual incident, late in the program can have an overpowering impact on schedule, cost, and sometimes performance. To avoid this situation, methods to reduce safety risk must be applied commensurate with the task being performed in each program phase.

In the early development phase (investment analysis and the early part of solution implementation), the system safety activities are usually directed toward: 1) establishing risk acceptability parameters; 2) practical tradeoffs between engineering design and defined safety risk parameters; 3) avoidance of alternative approaches with high safety risk potential; 4) defining system test requirements to demonstrate safety characteristics; and 5) safety planning for follow-on phases. The culmination of this effort is the Comparative Safety Assessment, which is a summary of the work done toward minimization of unresolved safety concerns and a calculated appraisal of the risk.
Properly done, it allows intelligent management decisions concerning acceptability of the risk.

The general principles of safety risk management are:
• All system operations represent some degree of risk.
• Recognize that human interaction with elements of the system entails some element of risk.
• Keep hazards in proper perspective.
• Do not overreact to each identified risk, but make a conscious decision on how to deal with it.
• Weigh the risks and make judgments according to your own knowledge, inputs from subject matter experts, experience, and program need.
• It is more important to establish clear objectives and parameters for Comparative Safety Assessment related to a specific program than to use generic approaches and procedures.
• There may be no "single solution" to a safety problem. There are usually a variety of directions to pursue. Each of these directions may produce varying degrees of risk reduction. A combination of approaches may provide the best solution.
• Point out to designers the safety goals and how they can be achieved rather than telling them their approach will not work.
• There are no "safety problems" in system planning or design. There are only engineering or management problems that, if left unresolved, may lead to accidents.
• The determination of severity is made on a "worst credible case/condition" in accordance with MIL-STD-882 and AMJ 25.1309.
• Many hazards may be associated with a single risk. In predictive analysis, risks are hypothesized accidents, and are therefore potential in nature. Severity assessment is made regarding the potential of the hazards to do harm.

3.5 Risk Management Decision Making
For any system safety effort to succeed there must be a commitment on the part of management. There must be mutual confidence between program managers and system safety management. Program managers need to have confidence that safety decisions are made with professional competence.
System safety management and engineering must know that their actions will receive full program management attention and support. Safety personnel need to have a clear understanding of the system safety task along with the authority and resources to accomplish the task. Decision-makers need to be fully aware of the risk they are taking when they make their decisions. They have to manage program safety risk. For effective safety risk management, program managers should:
• Ensure that competent, responsible, and qualified engineers are assigned in program offices and contractor organizations to manage the system safety program.
• Ensure that system safety managers are placed within the organizational structure so that they have the authority and organizational flexibility to perform effectively.
• Ensure that all known hazards and their associated risks are defined, documented, and tracked as a program policy, so that the decision-makers are made aware of the risks being assumed when the system becomes operational.
• Require that an assessment of safety risk be presented as a part of program reviews and at decision milestones.
• Make decisions on risk acceptability for the program and accept responsibility for that decision.

3.6 Safety Order of Precedence
One of the fundamental principles of system safety is the Safety Order of Precedence in eliminating, controlling or mitigating a hazard. The Safety Order of Precedence is shown in Table 3-7. It will be referred to several times throughout the remaining chapters of this handbook.

Table 3-7: Safety Order of Precedence
Priority 1. Design for minimum risk: Design to eliminate risks. If the identified risk cannot be eliminated, reduce it to an acceptable level through design selection.
Priority 2. Incorporate safety devices: If identified risks cannot be eliminated through design selection, reduce the risk via the use of fixed, automatic, or other safety design features or devices. Provisions shall be made for periodic functional checks of safety devices.
Priority 3. Provide warning devices: When neither design nor safety devices can effectively eliminate identified risks or adequately reduce risk, devices shall be used to detect the condition and to produce an adequate warning signal. Warning signals and their application shall be designed to minimize the likelihood of inappropriate human reaction and response. Warning signs and placards shall be provided to alert operational and support personnel of such risks as exposure to high voltage and heavy objects.
Priority 4. Develop procedures and training: Where it is impractical to eliminate risks through design selection or specific safety and warning devices, procedures and training are used. However, concurrence of authority is usually required when procedures and training are applied to reduce risks of catastrophic, hazardous, major, or critical severity.

Examples:
• Design for minimum risk: design hardware systems in accordance with FAA-G-2100g, i.e. use low voltage rather than high voltage where access is provided for maintenance activities.
• Incorporate safety devices: if low voltage is unsuitable, provide interlocks.
• Provide warning devices: if safety devices are not practical, provide warning placards.
• Develop procedures and training: train maintainers to shut off power before opening high-voltage panels.

3.7 Behavioral-Based Safety
Safety management must be based on the behavior of people and the organizational culture. Everyone has a responsibility for safety and should participate in safety management efforts. Modern organizational safety strategy has progressed from "safety by compliance" to the more appropriate concept of "prevention by planning".
Reliance on compliance could translate to after-the-fact hazard detection, which does not identify the organizational errors that are often the contributors to accidents. Modern safety management, i.e. "system safety management", adopts techniques of system theory, statistical analysis, behavioral sciences and the continuous improvement concept. Two elements critical to this modern approach are a good organizational safety culture and people involvement.

The establishment of system safety working groups, analysis teams, and product teams accomplishes positive cultural involvement when there are consensus efforts to conduct hazard analysis and manage system safety programs. Real-time safety analysis is conducted when operational personnel are involved in the identification of hazards and risks, which is the key to behavioral-based safety. The concept uses a "train-the-trainer" format. See Chapter 14 for a detailed discussion of how a selected safety team is provided the necessary tools and is taught how to:
• identify hazards, unsafe acts or conditions;
• identify "at risk" behaviors;
• collect the information in a readily available format for providing immediate feedback;
• train front-line people to implement and take responsibility for day-to-day operation of the program.

The behavioral-based safety process allows an organization to create and maintain a positive safety culture that continually reinforces safe behaviors over unsafe behaviors. This will ultimately result in a reduction of risk. For further information concerning behavioral-based safety contact the FAA's Office of System Safety.

3.8 Models Used by System Safety for Analysis
The AMS system safety program uses models to describe a system under study. These models are known as the 5M model and the SHELL model. While there are many other models available, these two recognize the interrelationships and integration of the hardware, software, human, environment and procedures inherent in FAA systems.
FAA policy and the system safety approach is to identify and control the risks associated with each element of a system on an individual, interface and system level.

The first step in performing safety risk management is describing the system under consideration. This description should include, at a minimum, the functions, general physical characteristics, and operations of the system. Normally, detailed physical descriptions are not required unless the safety analysis is focused on this area. Keep in mind that the reason for performing safety analyses is to identify hazards and risks and to communicate that information to the audience. At a minimum, the safety assessment should describe the system in sufficient detail that the projected audience can understand the safety risks.

A system description has both breadth and depth. The breadth of a system description refers to the system boundaries. Bounding means limiting the system to those elements of the system model that affect or interact with each other to accomplish the central mission(s) or function. Depth refers to the level of detail in the description. In general, the level of detail in the description varies inversely with the breadth of the system. For a system as broad as the National Airspace System (NAS) the description would be very general in nature, with little detail on individual components. On the other hand, a simple system, such as a valve in a landing gear design, could include a lot of detail to support the assessment.

First, a definition of "system" is needed. This handbook and MIL-STD-882 [i] (System Safety Program Requirements) define a system as:

Graphically, this is represented by the 5M and SHELL models, which depict, in general, the types of elements that should be considered within most systems.

Figure 3-6: The Five-M Model
Mission. The mission is the purpose or central function of the system. This is the reason that all the other elements are brought together.
Man. This is the human element of a system. If a system requires humans for operation, maintenance, or installation, this element must be considered in the system description.
Machine. This is the hardware and software (including firmware) element of a system.
Management. Management includes the procedures, policy, and regulations involved in operating, maintaining, installing, and decommissioning a system.
Media. Media is the environment in which a system will be operated, maintained, and installed. This environment includes operational and ambient conditions. Operational environment means the conditions in which the mission or function is planned and executed. Operational conditions are those involving things such as air traffic density, communication congestion, workload, etc. Part of the operational environment could be described by the type of operation (air traffic control, air carrier, general aviation, etc.) and phase (ground taxiing, takeoff, approach, enroute, transoceanic, landing, etc.). Ambient conditions are those involving temperature, humidity, lightning, electromagnetic effects, radiation, precipitation, vibration, etc.

Figure 3-6: The SHELL Model
In the SHELL model, the match or mismatch of the blocks (interface) is just as important as the characteristics described by the blocks themselves. These blocks may be re-arranged as required to describe the system. A connection between blocks indicates an interface between the two elements.

Each element of the system should be described both functionally and physically if possible. A function is defined as: an action or purpose for which a system, subsystem, or element is designed to perform.
Functional description: A functional description should describe what the system is intended to do, and should include subsystem functions as they relate to and support the system function.
Review the FAA System Engineering Manual (SEM) for details on functional analysis.
Physical characteristics: A physical description provides the audience with information on the real composition and organization of the tangible system elements. As before, the level of detail varies with the size and complexity of the system, with the end objective being adequate audience understanding of the safety risk.

Both models describe interfaces. These interfaces come in many forms. The table below lists interface types that the system engineer may encounter.

Interface type: Examples
Mechanical: Transmission of torque via a driveshaft. Rocket motor in an ejection seat.
Control: A control signal sent from a flight control computer to an actuator. A human operator selecting a flight management system mode.
Data: A position transducer reporting an actuator movement to a computer. A cockpit visual display to a pilot.
Physical: An avionics rack retaining several electronic boxes and modules. A computer sitting on a desk. A brace for an air cooling vent. A flapping hinge on a rotor.
Electrical: A DC power bus supplying energy to an anti-collision light. A fan plugged into an AC outlet for current. An electrical circuit closing a solenoid.
Aerodynamic: A stall indicator on a wing. A fairing designed to prevent vortices from impacting a control surface on an aircraft.
Hydraulic: Pressurized fluid supplying power to a flight control actuator. A fuel system pulling fuel from a tank to the engine.
Pneumatic: An adiabatic expansion cooling unit supplying cold air to an avionics bay. An air compressor supplying pressurized air to an engine air turbine starter.
Electromagnetic: RF signals from a VOR. A radar transmission.

[i] MIL-STD-882. (1984). Military standard system safety program requirements. Department of Defense.
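The chapter above describes risk as the combination of severity and likelihood in a matrix (3.4, Figure 3-5), gives quantitative likelihood thresholds per operational hour (Table 3-3), and ranks controls by the Safety Order of Precedence (3.6, Table 3-7). The Python below is an added example that puts those three pieces together as a small hazard-log workflow; it is not code from the FAA handbook or from MIL-STD-882. The cell labels of the matrix are the ones in Figure 3-5, but the assignment of cells to regions R1 to R4 is an assumption taken from the example matrix in MIL-STD-882C Appendix A, because the region boundaries of the figure were lost in extraction. The `Control`, `Hazard` and `decide` names, the "steps" model of how much a control lowers likelihood, and the sample high-voltage hazard are all constructed for the example.

```python
"""Hazard risk assessment and control selection in the MIL-STD-882C style
used in sections 3.3 to 3.6. Added example; not code from the FAA handbook."""
from dataclasses import dataclass, field
from typing import Dict, List

# Hazard categories and frequency levels as labelled in Figure 3-5.
SEVERITY = ["I", "II", "III", "IV"]        # Catastrophic .. Negligible
LIKELIHOOD = ["A", "B", "C", "D", "E"]     # Frequent .. Improbable

# Cell-to-region mapping. ASSUMPTION: taken from the example matrix in
# MIL-STD-882C Appendix A; the region boundaries of Figure 3-5 were lost
# in extraction, so this mapping is not verified against the page.
HRI_REGION: Dict[str, str] = {}
for _region, _cells in {"R1": "IA IB IC IIA IIB IIIA",
                        "R2": "ID IIC IID IIIB IIIC",
                        "R3": "IE IIE IIID IIIE IVA IVB",
                        "R4": "IVC IVD IVE"}.items():
    for _cell in _cells.split():
        HRI_REGION[_cell] = _region

HRI_CRITERIA = {"R1": "Unacceptable",
                "R2": "Must control or mitigate (MA review)",
                "R3": "Acceptable with MA review",
                "R4": "Acceptable without review"}
REGION_RANK = {"R1": 0, "R2": 1, "R3": 2, "R4": 3}   # higher is safer

# Safety Order of Precedence (Table 3-7): lower number is preferred.
PRECEDENCE = {"design": 1, "safety_device": 2, "warning": 3, "procedure": 4}


def hri_region(severity: str, likelihood: str) -> str:
    """Hazard Risk Index region of one severity/likelihood cell."""
    if severity not in SEVERITY or likelihood not in LIKELIHOOD:
        raise ValueError(f"unknown matrix cell {severity}{likelihood}")
    return HRI_REGION[severity + likelihood]


def faa_likelihood(rate_per_hour: float) -> str:
    """FAA likelihood term (Table 3-3) for a probability per operational hour.
    The table leaves exact boundary values open; a value lying on a boundary
    is put in the less likely class here (an assumption)."""
    if not 0.0 <= rate_per_hour <= 1.0:
        raise ValueError("probability per hour must lie in [0, 1]")
    if rate_per_hour > 1e-5:
        return "Probable"
    if rate_per_hour > 1e-7:
        return "Remote"
    if rate_per_hour > 1e-9:
        return "Extremely Remote"
    return "Extremely Improbable"


def worst_credible_severity(severities: List[str]) -> str:
    """Severity is judged on the worst credible case: the most severe
    category among the hazards associated with one risk."""
    return min(severities, key=SEVERITY.index)


@dataclass
class Control:
    name: str
    tier: str                  # a key of PRECEDENCE
    likelihood_steps: int = 0  # levels the control moves likelihood toward E
    severity_steps: int = 0    # levels toward IV; only design changes may set this


@dataclass
class Hazard:
    description: str
    severity: str
    likelihood: str
    controls: List[Control] = field(default_factory=list)


def _shift(levels: List[str], current: str, steps: int) -> str:
    return levels[min(levels.index(current) + steps, len(levels) - 1)]


def decide(hazard: Hazard, target: str) -> dict:
    """Apply controls in order of precedence until residual risk reaches the
    target region, and return the hazard-log record a decision-maker reviews."""
    sev, lik, applied = hazard.severity, hazard.likelihood, []
    for c in sorted(hazard.controls, key=lambda c: PRECEDENCE[c.tier]):
        if REGION_RANK[hri_region(sev, lik)] >= REGION_RANK[target]:
            break  # stop adding controls once the target region is reached
        if c.severity_steps and c.tier != "design":
            raise ValueError(f"{c.name}: only design changes can reduce severity")
        sev = _shift(SEVERITY, sev, c.severity_steps)
        lik = _shift(LIKELIHOOD, lik, c.likelihood_steps)
        applied.append(c.name)
    residual = hri_region(sev, lik)
    tiers = {c.tier for c in hazard.controls if c.name in applied}
    return {
        "hazard": hazard.description,
        "initial": hri_region(hazard.severity, hazard.likelihood),
        "applied": applied,
        "residual": residual,
        "decision": HRI_CRITERIA[residual],
        "ma_review": residual in ("R2", "R3"),
        # Table 3-7: procedures/training against catastrophic or critical
        # hazards need the concurrence of authority.
        "ma_concurrence": "procedure" in tiers and hazard.severity in ("I", "II"),
    }


if __name__ == "__main__":
    # Constructed hazard following the Table 3-7 example: maintainer access to
    # a high-voltage panel, with the low-voltage design option unavailable.
    panel = Hazard("Maintainer contact with exposed high voltage", "I", "C", [
        Control("Lockout procedure and training", "procedure", 1),
        Control("High-voltage warning placard", "warning", 1),
        Control("Panel interlock removes power when opened", "safety_device", 2),
    ])
    for key, value in decide(panel, target="R3").items():
        print(f"{key}: {value}")
```

Two points the code makes that the prose only states: a catastrophic hazard can never reach R4 in this matrix, so its residual risk always ends at the MA's desk (`ma_review` is true), and the precedence walk stops adding lower-tier controls once the target region is reached, so the placard and the procedure are only recorded when the interlock alone is not enough. A control that claims to reduce severity without being a design change is rejected, which mirrors priority 1 in Table 3-7.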
Safety System Management Theory

I. Safety system theory
Systems science is the science of the general laws of systems, of system structure and of system optimisation, and it also has general methodological significance for management. Its most fundamental theories, namely systems theory, cybernetics and information theory, therefore provide basic theoretical guidance for safety management in the modern enterprise. Starting from the basic principles of systems science, systems theory guides our understanding of the elements, relationships and direction of safety management; cybernetics substantiates the object, nature, goals and methods of safety management; and information theory guides its process, mode and strategy. Understanding and studying safety system theory and principles will raise the level and standard of safety management in modern enterprises.

1 The systems principle of safety
The systems principle means applying systems theory to analyse management systematically in order to reach the optimisation goal of scientific management. Grasping and applying the systems principle greatly improves management effectiveness, and requires a command of both systems theory and systems analysis.

1.1 Basic systems theory
Systems theory is the general theory that studies objects by treating them as systems. Its basic concepts are the system and the element. A system is an organic whole with a specific function and purpose, composed of a number of interrelated and interacting elements. By the nature of their composition, systems are classified as natural, social, conceptual, artificial and composite systems; by their relationship to the environment, as isolated, closed and open systems.

Systems have six characteristics:
Wholeness: fully exploiting the constraining interactions between systems and between subsystems so as to achieve the overall effect of the system.
Stability: through the motion of its internal subsystems or elements, the system as a whole always tends towards some stable state. This shows itself in the property that, under relatively small external disturbances, the relationship between the system's output and input, the system's state and its internal order (that is, its structure) remain unchanged, or are kept unchanged by regulation and control.
Organic connectedness: the elements within a system, and the system and its environment, are interrelated and interact with one another.
Purposiveness: in a given environment a system necessarily has the property of tending towards a final state, and this property runs through the whole course of the system's development.
Dynamism: the relationships among the elements of a system, and between the system and its environment, are functions of time and change as time passes.
Structure determines function: the structure of a system is the way its elements are arranged and combined, and the overall function of the system is determined by how its elements are combined. Elements are the foundation of a system, but a system's properties are determined not only by its elements but also by its structure.
I. Classification of hazard prevention approaches
Problem-triggered approach: in essence, learning lessons from an accident after it has happened and preventing recurrence, for example tracing the causes from the consequences of an accident and taking measures to stop it recurring. This is the traditional approach to safety work.
Problem-discovery approach: in essence, starting from inside the system, studying the safety-relevant relationships among its constituent elements, finding the hazardous factors that could lead to an accident and the paths by which they act, and then rebuilding or modifying the original system to remove its hazards and reduce the possibility of an accident to a minimum.

II. Systems engineering
(1) Definition: the scientific method for organising and managing the research, planning, design, manufacture, testing and use of a "system"; a scientific method of universal significance for all systems. This states fairly clearly that systems engineering belongs to engineering technology, chiefly the technology of organisation and management; that it addresses the whole course of an engineering activity; and that it is universally applicable.
(2) Systems analysis is the concrete method of studying and exploring a system by the principles of systems science in order to discover its regularities. Starting from the systems viewpoint and taking the overall benefit of the system as the goal, it identifies, through qualitative or quantitative analysis, the interrelationships among the elements of the system and the alternatives open to the decision-maker, and evaluates the many alternatives comprehensively to arrive at the optimum one.

III. Safety systems engineering
(1) Definition: applying the principles and methods of systems engineering to identify, analyse, evaluate and predict the hazards in a system or production process, and on the basis of the results taking comprehensive safety measures to control or eliminate the hazardous factors in the system, so that the possibility of an accident is reduced to a minimum and the optimum safety state is reached.
(2) The problem it solves: how to control and eliminate the causes of death and injury, occupational disease, and equipment or property loss, so that, within the specified function, time and cost conditions, the injury and loss suffered by personnel and equipment in the system are minimised.
(3) Why safety systems engineering can prevent trouble before it occurs:
(1) Using systems engineering methods, the hazards residing in each element and between elements can be identified. Using the divisibility of systems, the hazards present in each element (components and subsystems) can be exposed fully and without omission; measures can then be taken to eliminate them and to adjust the parts that do not fit together, which makes it possible to remove the roots of accidents and optimise the safety state.
(2) Using the principles and methods of systems engineering, the interrelationships among elements can be understood and the hazards that arise from their interdependence and combination eliminated.
Safety Production Management System Theory

1. What are the basic theories of modern safety management?

Chapter 2 Principles of safety management
Section 1 Theories and principles of safety management
I. Organizational principles of scientific safety management
1. Principle of planning
2. Principle of effectiveness
3. Principle of feedback
4. Principle of hierarchy
5. Principle of systematicness
6. Principle of not mixing incompatible items
7. Principle of resolving items individually
8. Principle of equality
9. Principle of responsibility
10. Principle of combining moral and material incentives
11. Principle of cadre selection: labor-protection cadres should have very broad professional skills, and a labor-protection engineer should master production organization, economics, pedagogy, psychology, ergonomics and systems engineering.
II. The five laws of safety in production

1. The law of safety in production under socialist conditions. The essence of this law is that it acknowledges the latent dangers in production and thereby creates the possibility in principle of drawing up safety regulations and implementing them.
The operation of this law is constrained by the basic economic law of socialism; it is realized within the organized and systematic institutions of labor protection, in the course of purposeful activity.
2. The law that working conditions must suit human characteristics. The human capacity to adapt to the environment has definite limits.
This law therefore requires that, when conceiving new technology, designing new processes or solving other tasks, a human-centered viewpoint be established: the operator's activity must be designed first, and only then the technology the operator uses.
Emphasis should be placed on studying the dangers in energy systems in which the human being is the principal element, and on the measures to eliminate them.
3. The law of continuous, planned improvement of working conditions. This law holds that, as socialist modernization and the mode of production advance, the management of occupational safety must be steadfastly reformed so as to reduce the harmful consequences of production.
This law can be seen as a local manifestation of the general law of planned, proportionate development of the national economy under socialist conditions.
4. The law that the material and technical base must match working conditions. Scientific and technical progress fundamentally improves working conditions, but it does not rule out the appearance of new and significant hazard factors, or the possibility that their harmful effects are magnified.
Violating this law leads to a decline in the effectiveness of new technology.
The essence of this law is that the improvement of working conditions must keep pace in time with the stage of development of the material and technical base.
5. The law of making safety management scientific. The science of accident prevention is an empirical science.
It is built on a foundation of experience.
Experience is indispensable for grasping objective things; by scientifically organizing individual experiences that have proved effective and clarifying the relationships among the facts of experience, a body of knowledge is formed.
This scientific system is a behavioral science of the human being, which takes the human energy system as its principal subject and treats external energy as a secondary aspect.
System Security Theory

System security theory is a discipline spanning several specialist fields; its content covers computer system security, network security, user security, information security and related areas.
The core of its research is how to keep computer systems from being damaged or abused by attacks.
In general, system security theory can be divided into three parts: system security architecture, system security technology, and security management policy.
System security architecture is the foundation of system security theory; it is concerned with how to design and build the security architecture of a computer system so as to prevent malicious attacks.
It includes the design of the security architecture, the implementation of security functions, and the formulation of security policies.
System security technology refers to the concrete techniques that realize the security architecture, including cryptography, authentication, security protocols, security management software and security monitoring.
Security management policy refers to the policies formulated in the field of system security; their main purpose is to ensure system security, and implementing them keeps the system secure and prevents malicious attacks effectively.
System security theory is a complex discipline that combines computer science, management and law; its research covers the security design of computer systems, system security technology and security management policy, helps to improve the security and reliability of systems, and is an important theoretical basis for protecting them.
2012 System Safety Theory Review Outline

I. The basic principles that safety evaluation should follow, and the content of those principles.

Answer: the principles commonly used are the correlation principle, the analogy principle, the inertia principle, and the principle of quantitative change leading to qualitative change.
• Correlation principle: correlation means that a system's attributes and characteristics are causally related to accidents and occupational hazards.
• Analogy principle: the analogy (comparison) principle is a reasoning process in which, given that two objects or two classes of objects share certain identical or similar attributes, one infers from a known object's having a given attribute that another object has that attribute too.
The method of evaluating a system by the analogy principle is the analogy (comparative) evaluation method.
• Inertia principle: any accident, in the course of its development, from the past through the present and into the future, has a certain continuity; this continuity is called inertia.
• Principle of quantitative change leading to qualitative change: in the course of its development and change, every thing obeys the law of quantitative change passing into qualitative change.
Likewise, within a system, many safety-related factors each undergo a process of quantitative change passing into qualitative change.
Evaluating the safety of a system therefore cannot do without the principle of quantitative change leading to qualitative change.
II. The similarities and differences between preliminary hazard analysis and hazard and operability study, and their application in practice.

Answer: (1) Preliminary hazard analysis (PHA) and hazard and operability study (HAZOP) are both methods for analyzing the safety status of a system, but they differ somewhat in their advantages, disadvantages and research aims.
• Preliminary hazard analysis is generally applied at the design stage: for the design of a new system, the design of a modification to an existing system, and site selection, at a point when detailed information about the system is not yet available, to analyze and identify hazard factors that may arise or already exist, and to find preventive, corrective and remedial measures as early as the design stage so as to eliminate or control them.
Its advantages: ① during initial product design or system development, the results of the analysis can be used to propose precautions and countermeasures to be followed, making the design safer and more reliable; ② because the main hazards can be pointed out while the product is being designed, measures to eliminate, reduce and control them can be taken from the outset, greatly lowering the probability and severity of hazards caused by the product; ③ it can be used to set design management methods and design technical responsibilities so as to improve the reliability of design and manufacturing.
Its disadvantage is that it is easily affected by the subjective judgement of the analysts.
• Hazard and operability study is an evaluation method that uses guide words to identify changes in process conditions and thereby find the hazards present in a plant and its processes.
Its focus is on the specific values of process parameters or operating steps; its basic procedure is to use guide words to identify deviations of the process condition from the design intent, and then to analyze the causes, the consequences and the measures that can be taken.
Its advantage: simple and easy to apply.
Its disadvantage: it is affected by the subjective judgement of the analysts.
Research aim: by systematically analyzing the production process flow and process functions of a newly designed or existing plant, to evaluate the potential hazards arising in individual parts of the equipment and installations from misoperation or mechanical failure, and to evaluate their effect on the plant as a whole.
(2) Their application in practice:
• Scope of application: ① preliminary hazard analysis should be carried out at the early stage of system or equipment development and should continue as design and development progress, with the results used to improve design and manufacture; ② preliminary hazard analysis can also be applied to in-service systems or equipment to examine their safety.
• The scope of application of hazard and operability study is the safety analysis of chemical process systems and thermal-hydraulic systems.
III. System safety evaluation is the core content of an occupational safety management system; what evaluation procedure should be followed in an actual safety evaluation?

Answer: the first step is the preparation stage, consisting mainly of site survey and data collection; the second step is the hazard identification stage, in which hazardous and harmful factors are analyzed and identified, hazard sources are identified and the possible accidents determined; the third step is qualitative and quantitative evaluation by evaluation unit: the evaluation units are first delineated, evaluation methods are selected and fixed according to the specific situation, the qualitative and quantitative evaluation work is then carried out, and the hazards are graded; the fourth step is the safety countermeasures stage, in which safety countermeasures are proposed in response to the evaluation results and an emergency plan is drawn up; the fifth step is the conclusions and recommendations stage, in which an evaluation conclusion is drawn from the preceding evaluation steps; finally, the evaluation report is compiled.
The specific safety evaluation process is shown in the figure on the right.
IV. Based on your overall understanding of system safety analysis and safety evaluation, and with reference to the actual situation of an enterprise, analyze comprehensively the role of system safety analysis and safety evaluation in enterprise safety management and disaster prevention.

(1) System safety analysis analyzes the hazard factors in a system from the safety viewpoint; it mainly analyzes the various factors that lead to system failures or accidents and the relationships among them, with the aim of ascertaining the hazard factors in the system so that measures can be taken to eliminate failures or accidents and achieve safe operation.
• System safety analysis covers three aspects: first, investigating and analyzing the possible factors that directly or indirectly induce accidents or failures; second, investigating and analyzing the consequences of possible failures or accidents; third, investigating and analyzing the safety protection measures that prevent injury and damage.
• System safety analysis is carried out before work begins in each system and at each stage of an enterprise's activity; it discovers in advance the hazard factors the system may contain, grasps their basic characteristics in full, determines how severely they affect system safety and, according to the main hazards present, adopts effective protective measures, improving the enterprise's safety status, raising its safety management capability, and avoiding or reducing accidents and disasters.
System safety analysis therefore plays a very important part in helping an enterprise discover latent accident hazards and resolve them promptly; it is an important component of enterprise safety management and crucial to it. It helps production and business units improve economic efficiency; helps in the rational choice of safety investment; achieves whole-process safety control and promotes intrinsically safe production; helps raise the safety management level of production and business units; and helps government safety supervision departments exercise macro-level control over the safety of production and business units.
• [System safety analysis is the technical method of using the principles and methods of systems engineering to identify and analyze the hazard factors present in a system, and to describe them qualitatively and quantitatively as actual needs require.
There are many forms and methods of system safety analysis, and in using them note the following:
① choose different analysis methods according to the characteristics of the system and the requirements and aims of the analysis. Each method has its own characteristics and limitations and is not universally applicable; in practice several methods sometimes have to be applied together, so that they complement one another or can be compared to verify the correctness of the results;
② existing analysis methods must not be applied mechanically; where necessary they should be modified or simplified to make them practical and easy to use;
③ one should not be confined to applying existing methods but should, starting from systems principles, develop new methods and open new avenues, and should also summarize and improve on generally effective methods used in the past so as to form systematic safety analysis methods.]
(2) System safety evaluation uses systems engineering methods to analyze, predict and evaluate comprehensively the hazards that a planned or existing project or system may contain and the consequences they may produce, and, according to the magnitude of the accident risk they may lead to, proposes corresponding safety countermeasures so as to achieve safety of the project or system.
Safety evaluation runs through every stage of the life cycle of a project or system: design, construction, operation and decommissioning.
Safety evaluation of projects and systems is both an important guarantee for enterprises and production and business units in managing safety and running production safely, and a need of government safety supervision and management.
• There are many system safety evaluation methods; the choice of a specific method should take account of the characteristics and scale of the object being evaluated and the requirements and aims of the evaluation, and different methods should be adopted accordingly.
At the same time, as with system safety analysis, the principles of practicality and innovation should be upheld in their use.
Over the past 20 years China has carried out practical application and theoretical research on system safety evaluation in many fields and has developed many highly practical evaluation methods, in particular enterprise safety evaluation techniques and techniques for assessing and controlling major hazard installations.
• The significance of safety evaluation is as follows: 1) it helps government safety supervision and management departments exercise macro-level control over enterprises' safety in production; 2) it helps in the rational choice of safety investment; 3) it helps raise enterprises' safety management level; 4) it helps insurance companies manage the risk of enterprise disasters.
• The role of safety evaluation in enterprise safety management and disaster prevention is reflected in the following: 1) it enables a system to reduce accidents and occupational hazards effectively; 2) it allows safety management to be carried out systematically; 3) it achieves the best safety result with the least investment; 4) it promotes the formulation of safety standards and the accumulation of reliability data; 5) it rapidly raises the professional competence of safety technicians.
• Specific problems at the present stage: ① the determination of safety indicators: a safety indicator is a safety standard, and what kind of safety indicator is reasonable and scientific remains to be studied; ② the choice of safety analysis method: that is, which analysis methods are effective and scientific lacks a scientific means of validation, although this shortcoming can be addressed by safety decision-making and mutual comparison to reach an optimal scheme; ③ in the course of analysis, the determination of hazard sources, boundary conditions, hazard units, and the degree of hazard of each unit is still unsettled and is decided only by experience, lacking a scientific basis.
V. What are the types of system safety analysis method commonly used in hazard identification?

Answer: the commonly used system safety analysis methods are the safety checklist method (Safety Checklist); preliminary hazard analysis (Preliminary Hazard Analysis, PHA); failure mode and effects analysis (Failure Mode and Effects Analysis, FMEA); hazard and operability study (Hazard and Operability Analysis, HAZOP); event tree analysis (Event Tree Analysis, ETA); fault tree analysis (Fault Tree Analysis, FTA); and cause-consequence analysis (Cause-Consequence Analysis, CCA).

1. Safety checklist method
• The system under evaluation is dissected into a number of units or levels, the hazard factors of each unit or level are listed, check items are then determined and compiled into a table in the order in which the units or levels are composed, the status of each check item is established by questioning or on-site observation and entered against the corresponding item in the table, and the safety state of the system is thereby evaluated.
• Content of the safety checklist method: safety checklist analysis uses check items, against the relevant standards and codes, to identify and check known hazard categories, design defects, and the potential hazards and harms associated with ordinary process equipment, operation and management.
• Advantages: ① simple and clear, easy for both on-site operators and managers to understand and use; ② overcomes the shortcomings of traditional safety inspection; ③ serves not only as a guide and a memorandum but also makes safety inspection more systematic, comprehensive and accurate; ④ comprehensive, systematic, standardized and normalized; ⑤ highly flexible, usable both for simple rapid analysis and for in-depth analysis.
• Disadvantages: (1) gives only a qualitative evaluation, not a quantitative result; (2) can evaluate only objects that already exist; to evaluate an object at the planning or design stage, a similar or analogous object must be found.
• Scope of application: applicable to every stage of a project or system.
It is commonly used for safety acceptance evaluation, safety status evaluation and special-purpose safety evaluation, and is rarely recommended for safety pre-evaluation.
• A safety checklist can evaluate materials, equipment and processes and is commonly used to evaluate specialized designs; the checklist method can also be used in the early development stage of a new process (installation) to identify and estimate hazards, and to check the hazards of in-service installations that have been running for many years.
2. Preliminary hazard analysis
• Generally applied at the design stage: for the design of a new system, the design of a modification to an existing system, and site selection, when detailed information about the system is not yet available, to analyze and identify hazard factors that may arise or already exist and to find preventive, corrective and remedial measures as early as the design stage so as to eliminate or control them.
• Advantages: ① during initial product design or system development, the results of the analysis can be used to propose precautions and countermeasures to be followed, making the design safer and more reliable; ② because the main hazards can be pointed out while the product is being designed, measures to eliminate, reduce and control them can be taken from the outset, greatly lowering the probability and severity of hazards caused by the product; ③ it can be used to set design management methods and design technical responsibilities so as to improve the reliability of design and manufacturing.
• Disadvantage: easily affected by the subjective judgement of the analysts.
• Aims of preliminary hazard analysis: ① broadly identify the main hazards associated with the system; ② identify the causes that give rise to the hazards; ③ predict the effects of an accident on people and on the system; ④ determine the hazard level of the identified hazards and propose measures to eliminate or control them.
• Scope of application: ① preliminary hazard analysis should be carried out at the early stage of system or equipment development and should continue as design and development progress, with the results used to improve design and manufacture; ② it can also be applied to in-service systems or equipment to examine their safety.
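The four aims of preliminary hazard analysis listed above (hazard, cause, effect, hazard level with controls) and the hazard-grading step of the evaluation procedure in question III can be carried through as a small worksheet. The following is an added example, not part of the original outline or of any standard: the severity and probability scales follow the shape of MIL-STD-882, but the risk class in each matrix cell, the acceptability threshold and the hazard rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# MIL-STD-882-style grading: severity I (catastrophic)..IV (negligible), probability
# A (frequent)..E (improbable). Cell values below are ASSUMED for illustration only.
RISK_MATRIX = {
    "I":   {"A": "High", "B": "High", "C": "High", "D": "Serious", "E": "Medium"},
    "II":  {"A": "High", "B": "High", "C": "Serious", "D": "Medium", "E": "Low"},
    "III": {"A": "Serious", "B": "Serious", "C": "Medium", "D": "Medium", "E": "Low"},
    "IV":  {"A": "Medium", "B": "Medium", "C": "Low", "D": "Low", "E": "Low"},
}
RISK_ORDER = ["High", "Serious", "Medium", "Low"]  # most to least urgent
ACCEPTABLE = {"Low"}  # assumed threshold: anything above needs a control

@dataclass
class Hazard:
    """One PHA worksheet row: hazard, cause, effect, grading, proposed controls."""
    hazard: str
    cause: str
    effect: str
    severity: str      # I..IV
    probability: str   # A..E
    controls: tuple = ()

    def risk_class(self) -> str:
        """Grade the hazard from the matrix; reject gradings outside the scales."""
        row = RISK_MATRIX.get(self.severity)
        if row is None or self.probability not in row:
            raise ValueError(f"unknown grading {self.severity}/{self.probability}")
        return row[self.probability]

def rank_hazards(hazards):
    """Sort from most to least urgent risk class (stable within a class)."""
    return sorted(hazards, key=lambda h: RISK_ORDER.index(h.risk_class()))

def needs_control(h: Hazard) -> bool:
    """Open item: graded above the acceptable class but with no control proposed."""
    return h.risk_class() not in ACCEPTABLE and not h.controls

def open_items(hazards):
    """Names of hazards still lacking a control, most urgent first."""
    return [h.hazard for h in rank_hazards(hazards) if needs_control(h)]

# Constructed sample rows echoing unsafe conditions named in the notes (suspended
# crane load, bare conductor, poor lighting); not data from any real analysis.
SAMPLE = [
    Hazard("Load dropped from crane", "Sling failure", "Crush injury below", "I", "D"),
    Hazard("Contact with exposed conductor", "Missing insulation", "Electric shock", "II", "C", ("Insulate and guard the conductor",)),
    Hazard("Poor lighting in walkway", "Failed luminaire", "Trip and fall", "III", "B"),
    Hazard("Paint chipping on housing", "Abrasion", "Appearance only", "IV", "C"),
]
```

Running `open_items(SAMPLE)` returns the ungraded-but-serious rows (the crane load and the walkway lighting) ahead of anything already covered by a control or graded Low.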
3. Failure mode and effects analysis
• Failure mode and effects analysis divides the working system into subsystems, equipment or components and analyzes, one by one, the failure modes each may suffer and the effects they produce, so that corresponding preventive measures can be taken to improve the safety of the system.