
Hazard Analysis Types and Tools

Terry Hardy
Great Circle Analytics, LLC
June 1, 2010

Types of Hazard Analysis

The heart of the System Safety effort is the hazard analysis. A hazard analysis is an examination
of a system or subsystem to identify and classify each potential hazard according to its severity
and likelihood of occurrence and to develop mitigation measures to those hazards to protect the
public. A hazard analysis can take many forms. Typically, the following types of hazard
analysis are used [Ericson 2005]:

Preliminary Hazard Analysis (PHA). The PHA is begun early in the concept phase of the
program or project to identify safety-critical areas, identify and evaluate hazards, and identify the
safety design and operation requirements needed in the concept phase. The PHA provides the
program or project with knowledge of the potential hazard causes and candidate controls. The
PHA actually starts with a list of potential hazards, called a Preliminary Hazard List, to assist in
the development of the PHA. The PHA is the initial effort in hazard analysis during the early
design phases. It identifies top level hazards and controls, provides a first look at the system risk,
and provides the foundation for future analyses. The PHA forms the basis of analyses performed
later as the development cycle progresses.

Subsystem Hazard Analysis (SSHA). The general purpose of the SSHA is to perform a safety risk
assessment of a system's subsystems at a greater depth than that provided in a PHA. The SSHA
verifies subsystem compliance with system/safety requirements, identifies previously
unidentified hazards associated with the subsystem, assesses the risk of the subsystem design,
considers human factors, functional and component failures, and functional relationships
between components in the subsystem including software, and recommends actions to control
the hazards. The SSHA effort should begin when the preliminary design and concept definition are
established, and it should continue through the detailed design of components, equipment, and software.

System/Integrated Hazard Analysis (SHA/IHA). Integrated Hazard Analysis should identify
hazard causes and controls that cross system functional and physical boundaries and should
identify the organizations responsible for assuring mitigation for the hazard causes. An
integrated hazard is an event or condition that is caused by or controlled by multiple systems,
elements, or subsystems. Systems that span one or more other systems or elements are considered
integrated systems, and they are addressed by an integrated hazard analysis.

Operating and Support Hazard Analysis (O&SHA). The general purpose of the O&SHA is to
perform a detailed safety risk assessment of a system's operational and support procedures. The
O&SHA examines human-induced hazards to hardware, software, equipment, facilities, and the
environment. An O&SHA describes what a human can do to create hazards and how the
hardware, software, equipment, facilities, and environment can create hazards for humans.
Generally, the O&SHA examines those operations that are procedurally controlled activities. It
identifies and evaluates hazards resulting from the implementation of operations or tasks
performed by persons during maintenance.

The hazard analysis focuses on identification and evaluation of existing and potential hazards
and hazardous conditions, and the recommended mitigation for the hazard sources and risk
found.

An important point should be made about analysis types and analysis tools. Subsystem Hazard
Analysis or System Hazard Analysis are types of analyses, or general classes of analyses. Types
of analyses really address what gets analyzed: a system, a subsystem, a process. Each
type of analysis is supported by a number of tools. Techniques or tools address how the analysis
is conducted, and what information comes from that analysis. The same tool (Fault Tree
Analysis, Event Tree Analysis, FMEA) can be used for each type of analysis [Clemens and
Warner 1995]. Tools will be discussed in a later Notebook entry.


Hazard Analysis Tools

Typically, a number of tools are used to perform the hazard analyses. In fact, one of the
problems in System Safety is that there are literally hundreds of methods for performing safety
analyses [Stephans and Talso 1993]. Examples and trade-offs of these tools and methodologies
exist in the literature [Ericson 2005, Vincoli 1997, Stephans 2004, Goldberg 1994], and therefore
will not be discussed here. Some of the more common safety analysis tools include the
following:

Fault Tree Analysis (FTA). FTA is a deductive System Safety analysis that provides qualitative
and quantitative measures of the likelihood of failure of a system, subsystem, or event. This
analysis estimates the likelihood that a top-level or causal event will occur, identifies possible
causes leading to that event, and documents the results of the analytic process to provide a
baseline for future studies of alternate designs.

Event Tree Analysis (ETA). ETA is a system analysis technique that explores responses to an
initiating event and enables assessment of the probabilities of unfavorable or favorable
outcomes.

Failure Modes and Effects Analysis (FMEA). FMEA is a system analysis by which each
potential failure in a system is analyzed to determine the effects on the system and to classify
each potential failure according to its severity and likelihood. FMEAs are typically considered to
be reliability analysis tools, but they can be used as part of a System Safety analysis.
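The FMEA paragraph above describes an inductive worksheet: each failure mode is followed to its system-level effect and then classified by severity and likelihood. The following is an added example, not code from the paper or from Great Circle Analytics, that builds such a worksheet for the chemical reactor the text uses elsewhere and ranks the rows with a risk matrix. The failure modes, effects, scores, the 4x4 matrix and its category thresholds are all constructed for this illustration and are not taken from any standard or real plant.

```python
"""Worked FMEA with severity/likelihood risk classification.

Added example, not from the original paper. The failure modes, their effects and
the scores are constructed for the reactor example in the text; the 4x4 risk
matrix and its thresholds are a simplified scheme chosen for this illustration.
"""
from dataclasses import dataclass
from typing import List

# Ordinal scales (constructed): higher number = worse / more likely.
SEVERITY = {"catastrophic": 4, "critical": 3, "marginal": 2, "negligible": 1}
LIKELIHOOD = {"frequent": 4, "probable": 3, "occasional": 2, "remote": 1}


@dataclass(frozen=True)
class FailureMode:
    component: str
    mode: str            # how the component fails
    effect: str          # the inductive question: what happens to the system?
    severity: str
    likelihood: str
    control: str = ""    # recommended mitigation, filled in by the analyst


def risk_index(severity: str, likelihood: str) -> int:
    """Severity x likelihood on the constructed 4x4 matrix (1..16)."""
    return SEVERITY[severity] * LIKELIHOOD[likelihood]


def risk_category(severity: str, likelihood: str) -> str:
    """Bucket the index; the thresholds are this example's own choice."""
    idx = risk_index(severity, likelihood)
    if idx >= 12:
        return "high"
    if idx >= 6:
        return "serious"
    if idx >= 3:
        return "medium"
    return "low"


def rank_by_risk(modes: List[FailureMode]) -> List[FailureMode]:
    """Worksheet order: highest risk first, so mitigation effort goes there.
    Note that a multiplicative matrix can rank a critical/probable row above a
    catastrophic/occasional one; the analyst should check that this is intended."""
    return sorted(modes, key=lambda m: risk_index(m.severity, m.likelihood), reverse=True)


def needing_mitigation(modes: List[FailureMode]) -> List[FailureMode]:
    """Rows in the high or serious band that have no control recorded yet."""
    return [m for m in modes
            if risk_category(m.severity, m.likelihood) in ("high", "serious")
            and not m.control]


# Constructed worksheet rows for the reactor example (not real plant data).
REACTOR_FMEA = [
    FailureMode("Cooling water pump", "fails to run",
                "loss of cooling, runaway reaction, possible fire or explosion",
                "catastrophic", "occasional"),
    FailureMode("Downstream valve", "clogs",
                "pressure builds in the reactor, possible fire or explosion",
                "catastrophic", "remote", control="pressure relief valve"),
    FailureMode("Oxygen feed valve", "fails open",
                "excess oxygen in reactor, possible fire",
                "critical", "occasional"),
    FailureMode("Temperature sensor", "reads low",
                "operators unaware of overheating",
                "critical", "probable"),
    FailureMode("Level indicator", "drifts",
                "nuisance alarms", "negligible", "frequent"),
]

if __name__ == "__main__":
    for m in rank_by_risk(REACTOR_FMEA):
        cat = risk_category(m.severity, m.likelihood)
        print(f"{risk_index(m.severity, m.likelihood):2d} {cat:8s} "
              f"{m.component}: {m.mode} -> {m.effect}")
    print("needs a control:", [m.component for m in needing_mitigation(REACTOR_FMEA)])
```

Running the block prints the worksheet in risk order and lists the rows that still need a control; the same structure, with the scales replaced by the program's own hazard risk matrix, is what a subsystem hazard analysis worksheet typically records.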

Cause/Effect Analysis. Cause/Effect Analysis graphically represents the relationships between a
problem and its possible causes. This technique is also known as a fishbone or Ishikawa diagram.

Functional Hazard Analysis (FHA). An FHA is a technique to identify all the hazards which can
affect the outcome of the principal functional activities that need to be carried out to accomplish
a given mission. Those hazards may consist of a loss of critical function, inadvertent activation
of the function, outside influences on the performance of the function, or some combination of
the three.

Human Error Analysis. A human error analysis is a technique to evaluate the potential for
hazard causes related to human interaction. A human error analysis ensures that human factors
engineering principles are applied to the design to eliminate or mitigate potential hazards
associated with the human-system interfaces.

Software Hazard Analysis. The Software Hazard Analysis provides a detailed hazard evaluation
of the system's software and firmware to identify and determine software contributions to system
hazards and to identify potential faults in software controls.

System Safety analysis tools tend to be divided into deductive methods and inductive methods.
Deductive methods start with a conclusion and try to determine all the premises needed to reach
that conclusion. From a hazard analysis standpoint this would mean that we start with an event
or hazard and try to determine all the ways that event could occur. Here we are asking, "What
will cause a given hazard to occur?" For example, deductive thinking could be to postulate that a
fire or explosion could occur in a chemical reactor and then to identify all the causes that could
lead to a fire or explosion (loss of cooling water, too much oxygen in the reactor, etc.). A Fault
Tree Analysis is a good example of a deductive method. Inductive methods do the opposite,
starting with an event and leading to a conclusion. In this case we are asking, "What will happen
when a failure or condition occurs?" Inductive analyses can be used in hazard analyses to
identify hazards, or help to identify what would happen if a part breaks. For example, inductive
thinking might be to ask what could happen if a valve gets clogged downstream of a reactor, and
the answer may be that pressure could build up in the reactor leading to fire and explosion. A
Failure Modes and Effects Analysis is an inductive technique. Not all tools are strictly deductive
or inductive; a Preliminary Hazard Analysis can serve both functions. Typically, deductive
techniques are used early in program development to establish relative risk and hazard priorities,
then inductive techniques are used as more specifics are obtained as the development cycle
proceeds. For complex systems, emphasis should be on combining deductive (top down)
techniques with inductive (bottom up) techniques to assure coverage [Ericson 2005, Goldberg
1994].
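The paragraph above contrasts the deductive fault tree (start from "fire or explosion in the reactor" and work down to causes) with the inductive event tree (start from "a valve is clogged downstream" and work forward to consequences). The following added example, which is not code from the paper or from Great Circle Analytics, evaluates both for the reactor illustration: it computes the top-event probability and the minimal cut sets of a fault tree, and the outcome probabilities of a linear event tree. It serves the FTA and ETA descriptions earlier on this page as well. The tree shapes follow the text; every probability, the barrier names and the intermediate gate names are constructed values for this example, and basic events are assumed independent.

```python
"""Fault tree (deductive) and event tree (inductive) evaluation.

Added example, not code from the original paper. The tree layout follows the
chemical reactor illustration in the text; every probability below is a
constructed value for the example, not data from any real plant.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class BasicEvent:
    name: str
    p: float  # probability the basic event occurs (assumed independent)


@dataclass(frozen=True)
class Gate:
    name: str
    kind: str      # "AND" or "OR"
    inputs: tuple  # of BasicEvent / Gate


Node = Union[BasicEvent, Gate]


def probability(node: Node) -> float:
    """Top-down evaluation: P(AND) = product of inputs, P(OR) = 1 - product(1 - p)."""
    if isinstance(node, BasicEvent):
        return node.p
    ps = [probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in ps:
            result *= p
        return result
    if node.kind == "OR":
        none_occur = 1.0
        for p in ps:
            none_occur *= 1.0 - p
        return 1.0 - none_occur
    raise ValueError(f"unknown gate kind {node.kind!r}")


def minimal_cut_sets(node: Node) -> List[frozenset]:
    """Qualitative result: smallest combinations of basic events that cause the top event."""
    if isinstance(node, BasicEvent):
        return [frozenset([node.name])]
    child_sets = [minimal_cut_sets(child) for child in node.inputs]
    if node.kind == "AND":
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    elif node.kind == "OR":
        sets = [s for group in child_sets for s in group]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    unique = set(sets)
    # keep only minimal sets: drop any that strictly contains another cut set
    return sorted((s for s in unique if not any(o < s for o in unique)), key=sorted)


# Constructed fault tree for "fire or explosion in the reactor" (deductive, top down).
REACTOR_FIRE = Gate("Fire or explosion in reactor", "OR", (
    Gate("Overheating not arrested", "AND", (
        BasicEvent("Loss of cooling water", 1e-3),
        BasicEvent("High-temperature trip fails", 1e-2),
    )),
    Gate("Excess oxygen not detected", "AND", (
        BasicEvent("Too much oxygen in reactor", 2e-3),
        BasicEvent("Oxygen analyzer fails", 5e-2),
    )),
    Gate("Overpressure not relieved", "AND", (
        BasicEvent("Downstream valve clogged", 5e-3),
        BasicEvent("Relief valve fails to open", 1e-2),
    )),
))


def event_tree(p_initiator: float, barriers: List[Tuple[str, float, str]],
               final_outcome: str) -> Dict[str, float]:
    """Bottom-up: follow an initiating event through successive safety barriers.
    Each barrier is (name, p_success, outcome_if_it_works). A barrier failure
    hands the sequence to the next barrier; failure of the last one yields
    final_outcome. Only a linear chain is modelled, which is a simplification."""
    outcomes: Dict[str, float] = {}
    remaining = p_initiator
    for _name, p_success, outcome in barriers:
        outcomes[outcome] = outcomes.get(outcome, 0.0) + remaining * p_success
        remaining *= 1.0 - p_success
    outcomes[final_outcome] = outcomes.get(final_outcome, 0.0) + remaining
    return outcomes


# Constructed barriers for the "valve clogged downstream of the reactor" initiator.
CLOGGED_VALVE_BARRIERS = [
    ("High-pressure alarm and operator trip", 0.90, "controlled shutdown"),
    ("Relief valve opens", 0.99, "vented release"),
]


def reactor_event_tree(p_clogged: float = 5e-3) -> Dict[str, float]:
    return event_tree(p_clogged, CLOGGED_VALVE_BARRIERS, "fire or explosion")


if __name__ == "__main__":
    print(f"P(top event) = {probability(REACTOR_FIRE):.2e}")
    for cs in minimal_cut_sets(REACTOR_FIRE):
        print("  cut set:", " AND ".join(sorted(cs)))
    for outcome, p in reactor_event_tree().items():
        print(f"  {outcome}: {p:.2e}")
```

The cut sets are the qualitative output a reviewer checks first: each one is a combination of a hazard cause and a failed control, which is exactly the pairing a PHA or SSHA worksheet records. The event tree credits an operator response that the fault tree does not, which is why the two views of the clogged-valve sequence give different numbers; reconciling such differences is part of combining top-down and bottom-up techniques as the text recommends.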


References

Clemens, P.L., and Warner, W.T., A Perspective on System Safety, Hazard Prevention, 1st
Quarter, 1995.

Ericson, C.A., Hazard Analysis Techniques for System Safety, John Wiley & Sons, 2005.

Goldberg, B.E., et al., System Engineering Toolbox for Design-Oriented Engineers, NASA
Reference Publication 1358, December 1994.

2010 Great Circle Analytics
1238 Race Street, Denver, CO 80206
info@gcirc.com
