The general mitigation for this hazard is to reduce environmental stressors as much as possible in order to sustain an adequate level of aircrew alertness and effectiveness, and to help the pilots keep their workload as low as practicable using cockpit automation and well-designed controls and displays that allow the pilot to focus on flight-safety-critical tasks and spend minimum time on less critical tasks. However, while this hazard description follows the SMO model, it is obviously too much to include in one hazard with so many sources contributing to one outcome through one mechanism.
The obvious solution is to break out the sources of the hazard so that each hazard has only one source. So, for example, one hazard might be focused on a stressor, a source, called "excessive heat." It might read, "Excessive heat in the cockpit, combined with other environmental stressors and task loading, brings the crew to the point where they cannot cope with the task load and lose situational awareness (LOSA). This results in failure to see and avoid obstacles or loss of control of the aircraft, resulting in impact with the terrain or obstacles and serious damage to or loss of aircraft, and serious or fatal injury to the crew."
Another hazard focused on a task load factor might read, "The alphanumeric keyboard configuration of the Control Display Units results in extended attention on data entry. This, combined with other task loading and environmental stressors, brings the crew to the point where they cannot cope with the task load and lose situational awareness (LOSA). This results in failure to see and avoid obstacles or loss of control of the aircraft, resulting in impact with the terrain or obstacles and serious damage to or loss of aircraft, and serious or fatal injury to the crew." To use a familiar analogy, the hazard of "breaking the camel's back" is broken down into eliminating or reducing the weight of each straw. Each source can then be addressed by the appropriate design team, ultimately reducing the risk from the overarching mechanism and outcome of the hazard.
Using the SMO Model with Other Hazard Identification Tools
The SMO model can also be useful in conjunction with other hazard identification tools. For example, in DoD aviation programs, functional hazard analysis is being used more and more. This method identifies the functions of a system and its subsystems, then evaluates the safety impacts if the function fails or is degraded. The result is a rather extensive list of hazards that is closely tied to the requirements of the system. However, while this method does produce some good information about the safety of the system, it does not always identify what causes the function to fail.
This is where SMO can help. For a function to fail or degrade, there must be a source for the failure. If there are multiple sources, then there are actually multiple hazards. There is, as well, a mechanism or mechanisms that produce the function failure or degradation. The failure of a function should also produce an outcome or outcomes if more than one asset is involved. The outcome with the greatest risk is the assessed severity of the hazard. Thus, we see that while there are various effective tools used to identify a hazard, the SMO model is useful to grasp a quick understanding of the nature of a specific hazard, or whether that hazard is even a valid hazard.
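The two practices described above, splitting a hazard so that each record has exactly one source and taking the worst outcome as the assessed severity of a function failure found by functional hazard analysis, can be written as a small data model. The following is an added example, not code from the article or from any system safety standard; the severity categories are assumed to follow the MIL-STD-882 style (Negligible through Catastrophic), the hazard text is constructed from the cockpit workload scenario in the article, and the function and class names are the example's own.

```python
"""SMO (source-mechanism-outcome) hazard records: an added illustration, not the article's code."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Severity categories in the style of MIL-STD-882 (assumed here); higher is worse."""
    NEGLIGIBLE = 1
    MARGINAL = 2
    CRITICAL = 3
    CATASTROPHIC = 4


@dataclass(frozen=True)
class Outcome:
    description: str
    severity: Severity


@dataclass
class Hazard:
    """One SMO hazard record: source(s) that, through one mechanism, produce outcome(s)."""
    sources: list[str]
    mechanism: str
    outcomes: list[Outcome]

    def is_well_formed(self) -> bool:
        # SMO discipline from the article: exactly one source, a mechanism, at least one outcome.
        return len(self.sources) == 1 and bool(self.mechanism) and len(self.outcomes) > 0

    def assessed_severity(self) -> Severity:
        # The outcome with the greatest risk sets the hazard's assessed severity.
        return max(o.severity for o in self.outcomes)

    def describe(self) -> str:
        # Render the record in source -> mechanism -> worst outcome order.
        worst = max(self.outcomes, key=lambda o: o.severity)
        return (f"{'; '.join(self.sources)} -> {self.mechanism} -> "
                f"{worst.description} ({worst.severity.name})")


def split_by_source(hazard: Hazard) -> list[Hazard]:
    """Break a multi-source hazard into one hazard per source (the 'each straw' rule)."""
    return [Hazard([src], hazard.mechanism, list(hazard.outcomes)) for src in hazard.sources]


def hazards_from_function_failure(function: str, failure: str, sources: list[str],
                                  mechanism: str, outcomes: list[Outcome]) -> list[Hazard]:
    """Turn a functional hazard analysis entry into SMO hazards.

    An FHA entry names a function and how it fails; SMO asks what causes that failure.
    With no identified source there is no valid hazard yet, so nothing is returned.
    """
    if not sources:
        return []
    failing_mechanism = f"{function} {failure}: {mechanism}"
    return split_by_source(Hazard(list(sources), failing_mechanism, list(outcomes)))


# Constructed sample data echoing the article's cockpit workload scenario.
LOSA_OUTCOMES = [
    Outcome("impact with terrain or obstacles; loss of aircraft and crew", Severity.CATASTROPHIC),
    Outcome("loss of control recovered with serious damage to aircraft", Severity.CRITICAL),
]

COMPOSITE_HAZARD = Hazard(
    sources=["excessive heat in the cockpit", "alphanumeric CDU keyboard data entry"],
    mechanism="crew cannot cope with task load and loses situational awareness",
    outcomes=LOSA_OUTCOMES,
)


def single_source_hazards() -> list[Hazard]:
    """The composite hazard rewritten as one well-formed SMO hazard per stressor."""
    return split_by_source(COMPOSITE_HAZARD)


if __name__ == "__main__":
    print("composite well-formed:", COMPOSITE_HAZARD.is_well_formed())
    for hazard in single_source_hazards():
        print(hazard.describe())
```

Running the module prints that the composite record is not well-formed under SMO, then the two single-source hazards, each carrying the same mechanism and the Catastrophic assessed severity, which is what lets separate design teams own separate sources without losing sight of the shared outcome.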
Conclusion
As the above examples show, the SMO hazard description model is a useful tool in the toolbox of the system safety practitioner. It is simple, yet effective, in helping the practitioner understand the nature of a hazard once he or she has identified it using any hazard identification method. Using it, hazards are clearly and thoroughly described, making it much easier to identify and implement mitigators to reduce the residual risk. Because it is so flexible, the SMO model has been successfully applied to the hazards of a wide assortment of systems, and included in many system safety directives, instructions and training syllabi. This is why the Government Electronics and Information Technology Association's (GEIA) System Safety Committee (G-48) recommended the inclusion of the SMO model in the next revision of U.S. Military Standard 882, Standard Practice for System Safety.
About the Author
Don Swallom is currently a safety engineer for the United States Army Aviation and Missile Command Safety Office, Aviation System Safety Division, at Redstone Arsenal in Alabama. He holds a Bachelor of Science in Engineering Sciences from the United States Air Force Academy and a Master of Science in Systems Management from the University of Southern California. Prior to his current position, he served as a helicopter pilot, staff officer and developmental engineer in the United States Air Force. His last Air Force assignment was as the chief of safety for the Arnold Engineering Development Center, the world's largest complex of aerospace ground testing facilities. He collaborated on the system safety chapter of the Handbook of Human Systems Integration (John Wiley and Sons, 2003). He makes his home in Madison, Alabama.
References
1. Clemens, P.L. System Safety Scrapbook, Sheet 84-3, 10th Ed. A-P-T Research, Huntsville, Alabama, 2004.
2. Goldberg, B.E., et al. "System Engineering 'Toolbox' for Design-Oriented Engineers," NASA Reference Publication 1358, Marshall Space Flight Center, Alabama, 1994.
3. Clemens, P.L. and R.J. Simmons. "System Safety and Risk Management: A Guide for Engineering Educators," National Institute for Occupational Safety and Health, page III-3, Cincinnati, Ohio, http://www.cdc.gov/niosh/topics/SHAPE/pdfs/safriskengineer.pdf (Accessed March 12, 2006).
4. Clemens, Sheet 98-1.
5. Clemens, Sheet 03-01.
6. Ericson, C.A. Hazard Analysis Techniques for System Safety, page 93, John Wiley and Sons, Hoboken, New Jersey, 2005.
7. Military Standard 882E (Draft), Standard Practice for System Safety, pp. 5, 9, 27, 78, 80, Department of Defense, Washington DC, Feb. 1, 2006.