
Volume 42, No. 3 • May-June 2006
Clif's Notes

Do We Really Know What We Think We Know? (Or, What's in a Hazard?)

Recently, I have been consulting on several different projects, and it has become painfully evident that each project team seems to have a different definition for the term hazard, and that they also have a different understanding of what comprises a hazard. After 40 to 45 years of system safety, you'd think that we would have had this term nailed. But it seems we don't, and some of the viewpoints are almost violently opposing. It might not seem important, but what I have realized is that the correct usage of the term can have a large impact on the system safety program and how it is conducted. In addition, our non-agreement on the definition of the term really confuses outsiders to the safety field and gives us a negative reputation.

The hazard definition controversy seems to boil down to a simple question: Do we really know what we think we know about hazards? In this article, I would like to analyze the term hazard from a historical viewpoint, ask a few questions and then open this topic for discussion. I really need reader feedback to help formulate a consensus, rather than just trying to give my own opinion. The Hive discussion forum, newly re-launched from the Society's Web site, provides a great venue for this.

Let's start by reviewing three significant terms from the various iterations of MIL-STD-882. The terms are hazard, mishap and risk.


MIL-STD-882      dated 15 July 1969
3.13 Hazard. Any real or potential condition that can cause injury or death to personnel, or damage to or loss of equipment or property.

Mishap — not defined.

Risk — not defined.

MIL-STD-882A      dated 28 June 1977
3.4.1 Hazard. An existing or potential condition that can result in a mishap (e.g., the presence of fuel in an undesired location is a hazard whereas the fuel itself is not).

3.3 Mishap. An unplanned event or series of events that result in death, injury, occupational illness, or damage to or loss of equipment or property.

3.4 Risk. An expression of possible loss in terms of hazard severity and hazard probability.

MIL-STD-882B      dated 30 March 1984
3.1.3 Hazard. A condition that is prerequisite to a mishap.

3.1.4 Hazardous Event. An occurrence that creates a hazard.

3.1.9 Mishap. An unplanned event or series of events that results in death, injury, occupational illness, or damage to or loss of equipment or property.

3.1.1.1 Risk. An expression of the possibility of a mishap in terms of hazard severity and hazard probability.

MIL-STD-882C      dated 19 January 1993
3.2.4 Hazard. A condition that is prerequisite to a mishap.

3.2.9 Mishap. An unplanned event or series of events resulting in death, injury, occupational illness, or damage to or loss of equipment or property, or damage to the environment. Accident.

3.2.11 Risk. An expression of the possibility/impact of a mishap in terms of hazard severity and hazard probability.


MIL-STD-882D      dated 10 February 2000
3.2.3 Hazard. Any real or potential condition that can cause injury, illness, or death to personnel; damage to or loss of a system, equipment or property; or damage to the environment.

3.2.6 Mishap. An unplanned event or series of events resulting in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.

3.2.7 Mishap risk. An expression of the impact and possibility of a mishap in terms of potential mishap severity and probability of occurrence.

Some things to note from this comparison of progressive versions of MIL-STD-882 include:

  1. The definition of hazard has changed in each version (except B and C), and the currently proposed draft version E is planning another change.
  2. The term risk has transitioned from a) just risk, to b) hazard risk, to c) mishap risk.
  3. In version A, the hazard definition is slightly more informative, stating that the presence of fuel in an undesired location is a hazard, whereas the fuel itself is not.
  4. The definition of mishap has not changed significantly in each version.
  5. Version B contains a new term, hazardous event, but it is only in version B. Was this merely an anomaly or something useful?
  6. In all of the 882 versions, the definition of hazard is very general and even somewhat vague. It could not definitively support an opinion on what really comprises a hazard.

After reviewing all of the versions of 882, one has to wonder why the developers of the document did not give a better definition of hazard, one that would provide irrefutable understanding and guidance. Perhaps we don't really know what we thought we knew about hazards. It's no wonder we argue over hazards called out in analysis documents and in project reviews.

Here is the situation I have encountered in working with several different integrated project team groups: There seem to be two major viewpoints on what constitutes a hazard. It appears to me that this is probably common throughout industry also. I will refer to these viewpoints as Group 1 and Group 2, as follows:

Group 1
This group thinks that a hazard is a very minimal condition statement; it fulfills the definition, "A condition leading to a mishap." Example hazard statements might include:

  • Extremely high RF energy
  • Extremely high laser light
  • Loss of command and control
  • Loss of navigation

This group would then have a total of perhaps only 20 or 25 hazards in its system. It would then expand each hazard into possible mishaps by analyzing operational modes, failures, human error, etc. The end effect might be 300 to 500 different mishaps. The group would then track the mishaps and rate the risk of each mishap, rather than tracking the hazards. One question that comes up is, "When this group mitigates a hazard, is it the hazard with the short description, or is it the mishap with the long description?" It appears that what this group calls mishaps is really the list of detailed hazards that should be tracked and mitigated.

Group 2
This group thinks that a hazard is a unique set of circumstances, and requires that three basic elements be present in order for a hazard to exist: the hazard source, the hazard-initiating mechanism(s) and the hazard outcome. In this case, a hazard is a well-defined condition statement; it states exactly what the potential mishap outcome will be, as well as the specific events and conditions leading to this outcome. The theory for this group is that a hazard and a mishap are very closely linked and share the same description: the hazard describes the potential set of circumstances that can result in a specific outcome, while the mishap describes the same situation as an actuated event with a real outcome.

In this group, hazard statements might include:

  • Aircraft fuel is ignited by power from RF energy emanating from the radar, resulting in a fire.
  • The system laser is inadvertently switched on, causing personnel eye injury.
  • Loss of command and control of the aircraft flight control elevators results in aircraft crash.
  • Errors in the navigation algorithm result in controlled flight into terrain.

The hazards from Group 1 are considered to be basic hazard sources for the hazards identified here. The hazard sources are used to further identify and define the specific, unique hazards that they spawn. The hazard source is a prime constituent of a hazard; it is one of the three basic components of a hazard.

This group would begin hazard analysis with 20 or 25 hazard sources in its system, which might then expand into 300 to 500 different but unique hazards. The hazard trigger mechanisms might include operational modes, failures, human error, environmental factors, etc. These hazards would then be tracked in a hazard tracking system, and the mishap risk presented by each hazard would be assessed and mitigated.

Here are some points for discussion:

  1. In Group 1, it is not possible to track hazards, as required by MIL-STD-882; it is only possible to track mishaps. Is this a concern?
  2. In Group 1, the hazards cannot be combined under Top-Level Mishaps (TLMs) because a hazard such as Loss of Command and Control might fall under several different TLMs, such as Aircraft Crash, Inadvertent Weapon Release or Vehicle Collision. It appears that there is no possible capability for hazard distinction, refinement or grouping. Perhaps the hazards in Group 1 are really Top-Level Hazard categories, which will spawn many detailed hazards.
  3. MIL-STD-882C states under Task 106 that, "The contractor shall develop a method or procedure to document and track hazards and their controls thus providing an audit trail of hazard resolutions. A centralized file, computer data base or document called a 'Hazard Log' shall be maintained. The 'Hazard Log' shall contain as a minimum:
      a.  Description of each hazard to include associated hazard risk index. [Italics mine]
      b.  through g." [not included herein]

    It would seem that "description of each hazard" implies a detailed description containing the required three elements as described by Group 2.
  4. A hazard and a mishap are very much the same thing; the hazard is the precondition that defines in detail what the mishap will be and how it will occur, while the mishap is the actualized hazard with the resulting outcome described by the hazard. This is why the safety focus is on detailed hazard descriptions, because the hazard can only be mitigated when it is fully understood.
  5. Paragraph 4.4 of MIL-STD-882D defines the safety order of precedence criteria as:
    1. Eliminate hazards through design selection. If unable to eliminate an identified hazard, reduce the associated mishap risk to an acceptable level through design selection.
    2. Incorporate safety devices. If unable to eliminate the hazard through design selection, reduce the mishap risk to an acceptable level using protective safety features or devices.
    3. Provide warning devices. If safety devices do not adequately lower the mishap risk of the hazard, include a detection and warning system to alert personnel to the particular hazard.
    4. Develop procedures and training. Where it is impractical to eliminate hazards through design selection or to reduce the associated risk to an acceptable level with safety and warning devices, incorporate special procedures and training. Procedures may include the use of personal protective equipment. For hazards assigned Catastrophic or Critical mishap severity categories, avoid using warning, caution, or other written advisory as the only risk reduction method.

    It seems only reasonable that hazards cannot be mitigated as defined here unless all of the hazard ingredients are known, as suggested by Group 2. That information is available only when the detailed circumstances surrounding a hazard have been captured; the minimal hazard theory of Group 1 cannot provide it.
  6. Although the basic hazard definition from 882 just defines a hazard as a condition, I believe it is more than a simple condition, such as "RF Energy Present in the System." Mishap risk can only be determined by evaluating the basic components and causal factors of a hazard. And, it would be pointless for a Hazard Tracking System to track simple hazard conditions. This leads me to believe that a hazard involves a full hazard description containing the three basic components: Source, Initiating Mechanism and Outcome.
  7. Although 882 has transitioned from hazard risk to mishap risk, they both really mean the same thing. When a hazard is actualized, it results in a mishap, and a hazard can only be fully comprehended when it describes the potential mishap that could result. Therefore, hazard risk predicts the severity and probability of a potential mishap, while mishap risk states the expected mishap severity and the probability of the hazard transitioning into a mishap via the hazard causal factors.

So, do we really know what we think we know about hazards, or are we just beating around the semantics bush? A hazard is a unique and specific condition that is prerequisite to a unique and specific mishap. A hazard source is a "danger" that exists, which can generate a unique hazard based on specific system design circumstances. Fuel present in a system is a danger, not a hazard; it certainly does not give us enough design information to mitigate a hazard risk. The presence of the fuel may lead to several different possible unique hazards, depending upon the unique features of the system design, and each of these potential mishaps can be defined in advance by a unique hazard. Thus, fuel presence is more accurately a danger or hazard source, while the location, fuel vapor presence mechanism and ignition mechanism are hazard initiation mechanisms (triggers) for the particular hazard-mishap.

Therefore, the questions we need to ask ourselves are:

  1. Does the safety discipline need to be more precise in its definition of a hazard?
  2. As described herein, which approach is more accurate, that of Group 1 or Group 2?
  3. Are there other hazard definition approaches that make more sense?

Please send me your comments, or post them at The Hive, and let me know your thoughts and opinions on this topic. I would like to summarize many different opinions in a future segment.

Regards,
Clif


Copyright © 2006 by Clifton A. Ericson II. All rights reserved.