1、BSI Standards PublicationBS EN 16602-40-02:2014Space product assurance Hazard analysisBS EN 16602-40-02:2014 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of EN16602-40-02:2014. It supersedes BS EN 14738:2004 which iswithdrawn.The UK participation in its preparation
2、 was entrusted to TechnicalCommittee ACE/68, Space systems and operations.A list of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctappl
3、ication. The British Standards Institution 2014. Published by BSI StandardsLimited 2014ISBN 978 0 580 84275 7ICS 49.140Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee
4、 on 30 September 2014.Amendments issued since publicationDate Text affectedBS EN 16602-40-02:2014EUROPEAN STANDARD NORME EUROPENNE EUROPISCHE NORM EN 16602-40-02 September 2014 ICS 49.140 Supersedes EN 14738:2004 English version Space product assurance - Hazard analysis Assurance produit des projets
5、 spatiaux - Analyse de risques Raumfahrtproduktsicherung - Gefahrenanalyse This European Standard was approved by CEN on 13 March 2014. CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of
6、 a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member. This European Standard exists in three official versions (English, Fre
7、nch, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions. CEN and CENELEC members are the national standards bodies and n
8、ational electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal
9、, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom. CEN-CENELEC Management Centre: Avenue Marnix 17, B-1000 Brussels 2014 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members. Ref. No
10、. EN 16602-40-02:2014 E BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 2 Table of contents Foreword 4 Introduction 5 1 Scope . 6 2 Normative references . 7 3 Terms, definitions and abbreviated terms 8 3.1 Terms from other standards 8 3.2 Terms specific to the present standard . 8 3.3 Abbreviated term
11、s. 10 4 Principles of hazard analysis 11 4.1 Hazard analysis concept . 11 4.2 Role of hazard analysis 14 4.3 Hazard analysis process . 14 4.3.1 Overview . 14 4.3.2 Overview of the hazard analysis process 15 4.4 Hazard analysis implementation . 17 4.4.1 Overview . 17 4.4.2 General considerations . 17
12、 4.4.3 Type of project considerations 17 4.4.4 Documentation of hazard analysis 17 4.5 Hazard analysis documentation 18 4.6 Integration of hazard analysis activities . 18 4.7 Objectives of hazard analysis . 18 5 Requirements 20 5.1 Hazard analysis requirements 20 5.2 Hazard analysis steps and tasks
13、. 20 5.2.1 Step 1: Define hazard analysis implementation requirements . 20 5.2.2 Step 2: Identify and assess the hazards 22 5.2.3 Step 3: Decide and act 25 5.2.4 Step 4: Track, communicate and accept the hazards 27 BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 3 Annex A (informative) Examples of gen
14、eric hazards . 28 Annex B (informative) Hazard and safety risk register (example) and ranked hazard and safety risk log (example) 30 Annex C (informative) Background information . 33 C.1 Preliminary hazard analysis (PHA) . 33 C.2 Subsystem hazard analysis (SSHA) . 33 C.3 System hazard analysis (SHA)
15、 . 34 C.4 Operating hazard analysis (OHA) . 34 Bibliography . 35 Figures Figure 4-1: Hazards and hazard scenarios . 12 Figure 4-2: Example of a hazard tree . 12 Figure 4-3: Example of a consequence tree . 12 Figure 4-4: Reduction of hazards . 13 Figure 4-5: Interface to FMECA and CC it defines the p
16、rinciples, process, implementation, and requirements of hazard analysis. It is applicable to all European space projects where during any project phase there exists the potential for hazards to personnel or the general public, space flight systems, ground support equipment, facilities, public or pri
17、vate property or the environment. This standard may be tailored for the specific characteristics and constrains of a space project in conformance with ECSS-S-ST-00. BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 7 2 Normative references The following normative documents contain provisions which, thro
18、ugh reference in this text, constitute provisions of this ECSS Standard. For dated references, subsequent amendments to, or revision of any of these publications do not apply, However, parties to agreements based on this ECSS Standard are encouraged to investigate the possibility of applying the mor
19、e recent editions of the normative documents indicated below. For undated references, the latest edition of the publication referred to applies. EN reference Reference in text Title EN 16001-00-01 ECSS-S-ST-00-01 ECSS system Glossary of terms EN 16601-80 ECSS-M-ST-80 Space project management Risk ma
20、nagement EN 16602-40 ECSS-Q-ST-40 Space product assurance Safety BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 8 3 Terms, definitions and abbreviated terms 3.1 Terms from other standards For the purpose of this Standard, the terms and definitions from ECSS-S-ST-00-01 apply, in particular for the fol
21、lowing terms: requirement 3.2 Terms specific to the present standard 3.2.1 consequence tree set of hazard scenarios leading to the same safety consequence 3.2.2 detection time time span between the occurrence of the initiator event and its detection through the observable symptoms 3.2.3 hazard exist
22、ing or potential condition of an item that can result in a mishap NOTE 1 ISO 14620 2 NOTE 2 This condition can be associated with the design, fabrication, operation, or environment of the item, and has the potential for mishaps. ISO 14620 2 NOTE 3 Hazards are potential threats to the safety of a sys
23、tem. They are not events, but the prerequisite for the occurrence of hazard scenarios with their negative effects on safety in terms of the safety consequences. 3.2.4 hazard acceptance decision to tolerate the consequences of the hazard scenarios when they occur 3.2.5 hazard analysis systematic and
24、iterative process of the identification, classification and reduction of hazards BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 9 3.2.6 hazard control preventive or mitigation measure, associated to a hazard scenario, which is introduced into the system design and operation to avoid the events or to
25、interrupt their propagation to consequence 3.2.7 hazard elimination removal of a hazard from a particular hazard manifestation 3.2.8 hazard manifestation presence of specific hazards in the technical design, operation and environment of a system 3.2.9 hazard minimization substitution of a hazard in
26、the hazard manifestation by another hazard of the same type but with a lower potential threat NOTE For instance high toxicity to low toxicity. 3.2.10 hazard reduction process of elimination or minimization and control of hazards 3.2.11 hazard scenario sequence of events leading from the initial caus
27、e to the unwanted safety consequence NOTE The cause can be a single initiating event, or an additional action or a change of condition activating a dormant problem. 3.2.12 hazard tree set of hazard scenarios originating from the same set of hazard manifestations 3.2.13 hazardous property of an item
28、and its environment which provides the potential for mishaps NOTE ISO 14620 2 3.2.14 observable symptoms evidence that indicates that an undesirable event has occurred NOTE Observable symptoms appear during the propagation time. 3.2.15 reaction time time span between the detection and the occurrence
29、 of the consequence NOTE This is the time span available for mitigating actions after detection of the occurrence of the initiator event. BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 10 3.2.16 residual hazard hazard remaining after implementation of hazard reduction 3.2.17 resolved hazard hazard th
30、at is reduced, the reduction verified and the hazard considered acceptable NOTE Resolved hazards are submitted for formal acceptance. 3.2.18 scenario propagation time time span between the occurrence of the initiator event and the occurrence of the consequence 3.2.19 severity of safety consequence m
31、easure of the gravity of damage with respect to safety 3.3 Abbreviated terms For the purpose of this Standard, the abbreviated terms from ECSS-S-ST-00-01 and the following apply: Abbreviation Meaning CC “using snow-chains” impacts on the link between cause and event; “fitting airbag” impacts on the
32、link between event and consequence. BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 12 Hazard Hazard manifestation Cause Events Consequence Propagation time Hazard scenarios Cause Events Consequence Hazard Figure 4-1: Hazards and hazard scenarios Hazard Hazard manifestation Cause Events Consequence Pr
33、opagation time Hazard scenarios Cause Events Consequence Figure 4-2: Example of a hazard tree Hazard Hazard manifestation Cause Events Consequence Propagation time Hazard scenarios Events Hazard Cause Figure 4-3: Example of a consequence tree BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 13 Hazard H
34、azard manifestation Cause Events Consequence Propagation time Hazard scenarios Hazard Cause Events Consequence Hazard reduction Hazard elimination Hazard minimization Hazard control Removal or change of hazards, elimination of event, or interruption of event and Figure 4-4: Reduction of hazards Fail
35、ure causes as identified through FMECA and other analyses, such as common cause and common failure mode analysis (CC Step 2: identify and classify the hazards; Step 3: decide and act on the hazards; Step 4: track, communicate and accept the hazards. The process of hazard analysis, including iteratio
36、n of its tasks, is summarized in Figure 4-6. BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 15 1. Define analysis requirements 2. Identify and classify hazards 3. Decide and act on hazards 4. Track, communicate and accept the hazards Are hazards acceptable? Reduce hazards Iterate tasks Yes No Figure
37、4-6: The process of hazard analysis 4.3.2 Overview of the hazard analysis process The iterative four-step hazard analysis process is illustrated in Figure 4-7. The tasks within each of these steps are shown in Figure 4-8. Step 1 comprises the establishment of the scope and purpose of hazard analysis
38、, the hazard analysis planning (Task 1), and the definition of the system to be analysed (Task 2). Step 1 is performed at the beginning of a project. According to the scope and purpose, the implementation of the hazard analysis process consists of a number of “hazard analysis cycles” over the projec
39、ts duration, comprising the necessary revisions of the analysis requirements and the Steps 2 to 4, subdivided in the seven Tasks 3 to 9. The period designated in Figure 4-7 as the “Hazard analysis process” comprises all the phases of the project concerned, as defined in ECSS-M-ST-10. The frequency a
40、nd the events at which cycles are required in a project (only 3 are shown in Figure 4-7 for illustration purposes) depend on the needs and complexity of the project, and are defined during Step 1 at the beginning of the project. BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 16 Step 1 Define analysis
41、 requirements Step 2 Identify and classify hazards Step 3 Decide and act on hazards Step 4 Track, com- municate and accept hazards Step 1 Revise analysis requirements Step 2 Identify and classify hazards Step 3 Decide and act on hazards Step 4 Track, com- municate and accept hazards Step 1 Revise an
42、alysis requirements Step 2 Identify and classify hazards Step 3 Decide and act on hazards Step 4 Track, com- municate and accept hazards Hazard analysis process Hazard analysis documentation Project phases Figure 4-7: The steps and cycles in the hazard analysis process Step 1 Define hazard analysis
43、implementation requirements Step 2 Identify and classify the hazards Task 1: Define the hazard analysis scope, objectives and the hazard analysis planning. Task 2: Define the system baseline to be analysed. Task 3: Identify hazard manifestations. Task 4: Identify and classify hazard scenarios. Step
44、3 Decide and act Task 5: Decide if the hazards can be accepted. Task 6: Reduce the hazards. Task 7: Recommend acceptance. Step 4 Track, communicate and accept the hazards Task 8: Track and communicate the hazards. Task 9: Accept the hazards. HazardanalysiscycleFigure 4-8: The nine tasks associated w
45、ith the four steps of the hazard analysis process BS EN 16602-40-02:2014EN 16602-40-02:2014 (E) 17 4.4 Hazard analysis implementation 4.4.1 Overview Implementation of hazard analysis in a project is based on single or multiple, i.e. iterative, application of the hazard analysis process. The tasks as
46、sociated with the individual steps of the hazard analysis process vary according to the scope and objectives specified for hazard analysis. The scope and objectives of hazard analysis depend on the type and phase of the project. Hazard analysis requires commitment in each actors organization, and th
47、e establishment of clear lines of responsibility and accountability. Project management has overall responsibility for the implementation of hazard analysis, ensuring an integrated, coherent hazard analysis approach. 4.4.2 General considerations Hazard analysis is implemented as a team effort, with
48、tasks and responsibilities being assigned to the functions and individuals within the project organization with the relevant expertise in the areas of safety and engineering concerned by a given hazard. The results of hazard analysis are used as input to project reviews and project management during
49、 the evolution of the system. Annex C provides background information on traditionally performed hazard analyses. 4.4.3 Type of project considerations Hazard analysis activities differ according to the type of project and required safety effort. However, the hazard analysis process is the same in each case. Hazard analysis activities are linked to different types of projects, such as: a. Hazard analysis at sub-supplier level for safety of part of the spacecraft design and the operation of a manned or unmanned mission and as input to system safety efforts. b. Hazard an
