Figure 2-4: Fault tree. (Source: Wikipedia.15, 16)
Safety integrity levels (SIL)17 provide requirements for functional safety, including quantitative requirements on failure frequency and probability, tolerance for failures, software quality, and governance and process management. These requirements give the analysis concrete targets: a failure probability computed from a fault tree can be compared against the level the system is required to meet.
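As an added worked example (not code from the book or its sources), the following Python evaluates a small AND/OR fault tree of the kind drawn in Figure 2-4: it computes the top-event probability bottom-up, enumerates the minimal cut sets (the smallest combinations of basic failures that cause the top event), gives the rare-event upper bound built from those cut sets, and places the result in a SIL band. The tree, its event names and all probabilities are constructed for illustration; the SIL bands are assumed to be the IEC 61508 low-demand PFDavg bands. The top AND gate is the "barriers line up" condition of the Swiss cheese model discussed later in this section: harm needs the hazard and every barrier to fail.

```python
"""Fault-tree evaluation: top-event probability, minimal cut sets, SIL band.

Added example (not from the original text): a tiny evaluator for AND/OR
fault trees such as Figure 2-4, run on constructed sample values.
"""
from dataclasses import dataclass
from itertools import product
from typing import Union


@dataclass(frozen=True)
class Event:
    """Basic event: a failure with a per-mission probability (constructed)."""
    name: str
    prob: float


@dataclass(frozen=True)
class Gate:
    """AND gate: all inputs must occur. OR gate: any one input suffices."""
    kind: str        # "AND" or "OR"
    inputs: tuple    # of Event or Gate
    name: str = ""


Node = Union[Event, Gate]


def probability(node: Node) -> float:
    """Bottom-up top-event probability, assuming independent basic events.
    Exact only when no basic event appears under more than one gate."""
    if isinstance(node, Event):
        return node.prob
    ps = [probability(c) for c in node.inputs]
    if node.kind == "AND":
        p = 1.0
        for x in ps:
            p *= x
        return p
    if node.kind == "OR":
        q = 1.0
        for x in ps:
            q *= 1.0 - x      # all inputs must NOT occur
        return 1.0 - q
    raise ValueError(f"unknown gate kind {node.kind!r}")


def cut_sets(node: Node) -> set:
    """All cut sets (frozensets of event names) that cause the top event."""
    if isinstance(node, Event):
        return {frozenset([node.name])}
    child = [cut_sets(c) for c in node.inputs]
    if node.kind == "OR":
        return set().union(*child)
    # AND: every combination of one cut set per input, merged
    return {frozenset().union(*combo) for combo in product(*child)}


def minimal_cut_sets(node: Node) -> set:
    """Drop any cut set that strictly contains another cut set."""
    sets = cut_sets(node)
    return {s for s in sets if not any(o < s for o in sets)}


def basic_events(node: Node) -> dict:
    """Map of basic-event name to probability for the whole tree."""
    if isinstance(node, Event):
        return {node.name: node.prob}
    out = {}
    for c in node.inputs:
        out.update(basic_events(c))
    return out


def rare_event_bound(node: Node) -> float:
    """Upper bound on P(top): sum over minimal cut sets of the product of
    member probabilities. Valid with shared events; tight when they are rare."""
    probs = basic_events(node)
    total = 0.0
    for cs in minimal_cut_sets(node):
        p = 1.0
        for name in cs:
            p *= probs[name]
        total += p
    return total


def sil_band(pfd: float):
    """Assumed IEC 61508 low-demand PFDavg bands: returns the SIL (1-4)
    whose band contains pfd, or None if it lies outside all of them."""
    bands = {1: (1e-2, 1e-1), 2: (1e-3, 1e-2), 3: (1e-4, 1e-3), 4: (1e-5, 1e-4)}
    for level, (lo, hi) in bands.items():
        if lo <= pfd < hi:
            return level
    return None


# Constructed example tree around the outlet / circuit-breaker / fuse hazards
# discussed in the text. Names and probabilities are illustrative only.
OVERLOAD = Gate("OR", (Event("appliance_fault", 0.02),
                       Event("too_many_devices", 0.05)), "circuit overloaded")
NO_INTERRUPT = Gate("OR", (Event("breaker_stuck", 0.01),
                           Event("oversized_fuse", 0.001)), "protection fails")
# Swiss-cheese view: harm needs the hazard AND every barrier to fail.
TOP = Gate("AND", (OVERLOAD, NO_INTERRUPT), "wiring overheats")

if __name__ == "__main__":
    print(f"P(top), independent events: {probability(TOP):.3e}")
    print(f"rare-event upper bound:     {rare_event_bound(TOP):.3e}")
    for cs in sorted(minimal_cut_sets(TOP), key=sorted):
        print("  minimal cut set:", sorted(cs))
    print("SIL band containing P(top):", sil_band(probability(TOP)))
```

The minimal cut sets are what a reviewer actually reads: each one names a pair of failures (an overload source plus a failed barrier) that is sufficient on its own, so a cut set of size one would flag a single point of failure regardless of how small its probability looks. The bottom-up product is exact only under the independence assumption stated in the comments; when a basic event feeds several gates, use the cut-set bound instead.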
The analysis depends on understanding the initiating events and hazards. A hazard is a "condition that can cause injury or death, damage to or loss of equipment or property, or environmental harm"18 and so potentially leads to a negative outcome.
Hazards can be dealt with by (1) designing them out so they do not exist, (2) limiting their impact, or (3) training operators to manage them. For example, outlets have openings shaped to match the plugs that go into them, making it hard to connect a device to the wrong circuit; this designs out a particular hazard. Circuit breakers limit the impact of an overloaded circuit by breaking the circuit when an overload condition is detected. Finally, training can be used to advise people not to replace fuses with larger-capacity fuses that the wiring cannot support.
One way to manage risk is to place barriers between hazards and harm, adopting an approach of defense in depth. Reason modeled this as the "Swiss Cheese Model": a loss occurs only if the holes in the successive barriers line up (some holes are latent conditions, others active failures or unsafe acts, for example):
18. Harold E. Roland and Brian Moriarty, System Safety Engineering and Management, 2nd ed. (New York: Wiley, 1990).
24 July 2022