AN UPDATE ON THE REVISION TO MIL-STD-882E
(System Safety Society Sharing Session – 11 Apr 2013)
Wong Fang Aik / Fan Yue Sang

Ministerial Emphasis on Safety
"The SAF needs to carry out realistic training, and this will be done without compromise to safety" (June 2008)
"The underlying approach is not to wait for accidents or incidents to occur, but to reduce risks and minimise the chances/probability of incidents happening" (March 2007)
"Each loss of life in training or operations is one too many; we want to achieve ZERO FATALITIES!" (March 2007)

Ministerial Statement on NS Training Deaths (Nov 2012)
"The SAF has a robust training safety system in place... but more needs to be done"
"The respective COIs have uncovered clear breaches of Training Safety Regulations (TSRs) that led to the deaths"
• The number of grenades used had clearly exceeded the limit specified in the TSRs
• There were specific instances of individual negligence
• The Combat School of Intelligence had a weak safety culture
• Chief Safety Officer and the Platoon Comd have been relieved of their duties pending decision for a General Court Martial
• Head of Wing (School), School Sergeant Major, Exercise Supervising Officer and Exercise Conducting Officer have been relieved of their duties pending decision for a General Court Martial
"Any Comd who ignores safety regulation, whether wilfully or negligently, puts his soldiers at risk, and is not fit for command."

Scope
• Introduction
• Purpose of Revision
• MIL-STD-882E Contents
• Key Changes
• In Summary

MIL-STD-882E Introduction
An Odyssey: the MIL-STD-882 series
• MIL-STD-882 – July 1969
• MIL-STD-882A – June 1977
• MIL-STD-882B – March 1984
• MIL-STD-882B, Notice 1 – July 1987
• MIL-STD-882C – Jan 1993
• MIL-STD-882C, Notice 1 – Jan 1996
• MIL-STD-882D – Feb 2000
• MIL-STD-882E – May 2012 (GEIA-STD-0010 best practices issued in 2008)

Purpose of Revision
• US Government and industry desire to reinstate the task descriptions from 882C in 882E
• Allow these tasks to be available and to be specified in contract documents
• Aligns system safety practice with current DoD policy:
  i. 8 Dec 2008 – DoD incorporated the requirement to use the MIL-STD-882 process for Environment, Safety and Occupational Health (ESOH) risk management
  ii. 7 Jan 2011 – DASD(SE) required 882E to be a standard, generic method for the identification, classification and mitigation of hazards that can be practically applied not only by system safety professionals but also by other functional disciplines, such as fire protection engineers, occupational health engineers, etc.

Main Contents in 882E
• Standard arranged into 3 key parts:
  - General Requirements: 8 mandatory requirements
    1. Document the System Safety Approach
    2. Identify Hazards
    3. Assess Risk
    4. Identify Risk Mitigation Measures
    5. Reduce Risk
    6. Verify Risk Reduction
    7. Accept Risk
    8. Manage Life-Cycle Risk
  - Tasks (100 to 400 series): optional
    100-series tasks – Management
    200-series tasks – Analysis
    300-series tasks – Evaluation
    400-series tasks – Verification
  - Appendix A: Guidance for the System Safety Effort
    Appendix B: Software System Safety Engineering and Analysis

Key Changes
• Facilitates the use of 882E by multiple functional disciplines as an integral part of Systems Engineering, e.g. environmental engineers, fire protection engineers, occupational health professionals, etc.
• Standardised and mandatory definitions in all contracts (Section 3 of MIL-STD-882E): changed from 14 to 49 definitions.
• General Requirements (Section 4 of MIL-STD-882E): Risk Assessment Matrix updated
  - For severity, the dollar value of losses is increased to reflect today's programme costs
  - For probability, a new Eliminated category is added
  - The revised Risk Assessment Matrix shall be used

Key Changes – General Requirements (Section 4)
1. Document the System Safety Approach
2. Identify and document hazards
3. Assess and document risk
4. Identify and document risk mitigation measures
5. Reduce risk to an acceptable level
6. Verify, validate and document risk reduction
7. Review hazards, have residual risk accepted by the appropriate authority, and document the acceptance
8. Manage life-cycle risk: track hazards, their closures and residual risk

Key Changes – Identify Risk Mitigation Measures
System Safety Design Order of Precedence increased from 4 to 5:
1. Eliminate hazards through design selection (no change)
2. Reduce risk through design alteration (new: if an appropriate design cannot be selected, then consider a design change or alteration)
3. Incorporate engineered features or devices (882D: "incorporate safety devices"; features that actively interrupt the mishap sequence, e.g. the emergency cooling system of a nuclear reactor, or an uninterruptible power supply (UPS))
4. Provide warning devices (no change)
5. Incorporate signage, procedures, training and PPE (882D: "develop procedures and training")

TABLE I. Severity Categories (earlier 882D dollar thresholds in parentheses)
| Severity Category | Level | Environment, Safety and Occupational Health Mishap Result Criteria |
| Catastrophic | 1 | Could result in one or more of the following: death, permanent total disability, irreversible significant environmental impact that violates law or regulation, or loss exceeding $10M (882D: $1M) |
| Critical | 2 | Could result in one or more of the following: permanent partial disability, injuries or occupational illness that may result in hospitalisation of at least three personnel, reversible significant environmental impact that violates law or regulation, or loss exceeding $1M but less than $10M (882D: $200K to $1M) |
| Marginal | 3 | Could result in one or more of the following: injury or occupational illness resulting in 1 or more lost work days, reversible moderate environmental impact that violates law or regulation, or loss exceeding $100K but less than $1M (882D: $10K to $200K) |
| Negligible | 4 | Could result in one or more of the following: injury or illness not resulting in a lost work day, minimal environmental impact, or loss less than $100K (882D: $2K to $10K) |

TABLE II. Probability Levels
| Description | Level | Specific Individual Item | Fleet or Inventory |
| Frequent | A | Likely to occur often in the life of an item; probability of occurrence greater than 10^-1 in that life | Continuously experienced |
| Probable | B | Will occur several times in the life of an item; probability of occurrence less than 10^-1 but greater than 10^-2 in that life | Will occur frequently |
| Occasional | C | Likely to occur sometime in the life of an item; probability of occurrence less than 10^-2 but greater than 10^-3 in that life | Will occur several times |
| Remote | D | Unlikely, but possible to occur in the life of an item; probability of occurrence less than 10^-3 but greater than 10^-6 in that life | Unlikely, but can reasonably be expected to occur |
| Improbable | E | So unlikely that it can be assumed occurrence may not be experienced in the life of an item; probability of occurrence less than 10^-6 in that life | Unlikely to occur, but possible |
| Eliminated | F | Incapable of occurrence in the life of an item. This category is used when potential hazards are identified and later eliminated | Incapable of occurrence within the life of an item. This category is used when potential hazards are identified and later eliminated |

TABLE III. Risk Assessment Matrix
| Probability \ Severity | Catastrophic (1) | Critical (2) | Marginal (3) | Negligible (4) |
| Frequent (A)   | High 1     | High 3     | Serious 7  | Medium 13  |
| Probable (B)   | High 2     | High 5     | Serious 9  | Medium 16  |
| Occasional (C) | High 4     | Serious 6  | Medium 11  | Low 18     |
| Remote (D)     | Serious 8  | Medium 10  | Medium 14  | Low 19     |
| Improbable (E) | Medium 12  | Medium 15  | Medium 17  | Low 20     |
| Eliminated (F) | Eliminated | Eliminated | Eliminated | Eliminated |
Risk Assessment Code (RAC): severity level followed by probability level, e.g. 1A, 3E. The number in each cell ranks the 20 populated cells from 1 (highest risk) to 20 (lowest risk).

Key Changes – Tasks
• Re-introduced and revised the optional task descriptions from 882C: 25 optional tasks in total
• 100-series tasks – Management
• 200-series tasks – Analysis
• 300-series tasks – Evaluation
• 400-series tasks – Verification
• New tasks included:
  Task 103 – Hazard Management Plan
  Task 106 – Hazard Tracking System
  Task 108 – Hazardous Materials Management Plan
  Task 208 – Functional Hazard Analysis
  Task 209 – System-of-Systems Hazard Analysis
  Task 210 – Environmental Hazard Analysis
  etc.

Key Changes – Appendices
• Updated "Appendix A – Guidance for the System Safety Effort"
  - Task application matrix updated
  - Example probability levels table now includes quantitative values
• Added "Appendix B – Software System Safety Engineering and Analysis"
  - Additional detail on software system safety techniques and practices
  - Based on the DoD Joint Software Systems Safety Engineering Handbook

In Summary
• More reader-friendly: contents restructured; clearer terminology
• More up-to-date: incorporates current DoD policy and defines task descriptions to improve system safety practices
• Use of 882E across all functional disciplines
• Improves consistency of system safety practices across programmes
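The three tables above (severity, probability, risk assessment matrix) and the residual-risk tracking that requirement 8 calls for, worked through in code. This is an example added to this page; it is not code from MIL-STD-882E or from the presentation. Everything beyond the tables is an assumption made for illustration: the short consequence labels, the choice to put a probability that sits exactly on a table boundary (e.g. 10^-1) into the more likely level (the tables use strict inequalities), the check that a hazard may only be recorded as Eliminated (level F) when a precedence-1 mitigation exists, and the two hazard records, which are constructed.

```python
"""MIL-STD-882E Tables I-III as code, applied to a hazard before and after
mitigation.  Added example, not text from the standard or the slides.
Assumptions: boundary probabilities round to the more likely level; level F
requires a precedence-1 (design selection) mitigation; consequence labels
and the sample hazards are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Table I, non-monetary criteria, keyed by an assumed short-hand vocabulary.
CONSEQUENCE_SEVERITY: Dict[str, int] = {
    "death": 1, "permanent_total_disability": 1, "irreversible_significant_env": 1,
    "permanent_partial_disability": 2, "hospitalisation_3_plus": 2, "reversible_significant_env": 2,
    "lost_work_days": 3, "reversible_moderate_env": 3,
    "no_lost_work_day": 4, "minimal_env": 4,
}
SEVERITY_NAME = {1: "Catastrophic", 2: "Critical", 3: "Marginal", 4: "Negligible"}
PROBABILITY_NAME = {"A": "Frequent", "B": "Probable", "C": "Occasional",
                    "D": "Remote", "E": "Improbable", "F": "Eliminated"}
# Table III: (risk level, cell rank 1..20), indexed [probability][severity - 1].
RISK_MATRIX: Dict[str, Tuple[Tuple[str, int], ...]] = {
    "A": (("High", 1), ("High", 3), ("Serious", 7), ("Medium", 13)),
    "B": (("High", 2), ("High", 5), ("Serious", 9), ("Medium", 16)),
    "C": (("High", 4), ("Serious", 6), ("Medium", 11), ("Low", 18)),
    "D": (("Serious", 8), ("Medium", 10), ("Medium", 14), ("Low", 19)),
    "E": (("Medium", 12), ("Medium", 15), ("Medium", 17), ("Low", 20)),
}
ELIMINATED_RANK = 21  # sorts after every populated cell


def severity_from_loss(loss_usd: float) -> int:
    """Table I monetary thresholds (882E values)."""
    if loss_usd >= 10_000_000:
        return 1
    if loss_usd >= 1_000_000:
        return 2
    if loss_usd >= 100_000:
        return 3
    return 4


def severity(consequences: List[str], loss_usd: float = 0.0) -> int:
    """Worst credible outcome wins: the lowest-numbered category reached."""
    return min([severity_from_loss(loss_usd)] + [CONSEQUENCE_SEVERITY[c] for c in consequences])


def probability_level(p: Optional[float]) -> str:
    """Table II, specific-item column.  None means eliminated by design (F)."""
    if p is None:
        return "F"
    if not 0.0 < p <= 1.0:
        raise ValueError("probability must be in (0, 1]; use None for an eliminated hazard")
    if p >= 1e-1:   # boundary values go to the more likely level (assumption)
        return "A"
    if p >= 1e-2:
        return "B"
    if p >= 1e-3:
        return "C"
    if p >= 1e-6:
        return "D"
    return "E"


def risk(sev: int, prob: str) -> Tuple[str, int]:
    """Table III lookup: (risk level, cell rank)."""
    if prob == "F":
        return "Eliminated", ELIMINATED_RANK
    return RISK_MATRIX[prob][sev - 1]


def rac(sev: int, prob: str) -> str:
    """Risk Assessment Code, e.g. '1C'."""
    return f"{sev}{prob}"


@dataclass
class Hazard:
    hazard_id: str
    description: str
    consequences: List[str]
    loss_usd: float
    p_initial: float
    mitigations: List[Tuple[int, str]]  # (design order of precedence 1..5, measure)
    p_residual: Optional[float]         # None = claimed eliminated


def assess(h: Hazard) -> Dict[str, object]:
    """Initial and residual RAC/risk level plus the checks a hazard tracker would apply."""
    sev = severity(h.consequences, h.loss_usd)
    p0, p1 = probability_level(h.p_initial), probability_level(h.p_residual)
    (lvl0, rank0), (lvl1, rank1) = risk(sev, p0), risk(sev, p1)
    tiers = sorted(t for t, _ in h.mitigations)
    if p1 == "F" and (not tiers or tiers[0] != 1):  # assumed policy, see lead-in
        raise ValueError(f"{h.hazard_id}: level F claimed without a precedence-1 mitigation")
    return {"severity": SEVERITY_NAME[sev],
            "initial_rac": rac(sev, p0), "initial_level": lvl0,
            "residual_rac": rac(sev, p1), "residual_level": lvl1,
            "reduced": rank1 > rank0,  # a later cell rank means lower risk
            "highest_precedence_used": tiers[0] if tiers else None}


def rank_hazards(hazards: List[Hazard]) -> List[str]:
    """Order hazards by residual cell rank (1 = worst), as a tracking system lists them."""
    def key(h: Hazard) -> int:
        return risk(severity(h.consequences, h.loss_usd), probability_level(h.p_residual))[1]
    return [h.hazard_id for h in sorted(hazards, key=key)]


# Constructed sample records, illustrative only.
POWER_LOSS = Hazard("H-001", "Loss of primary power to flight-critical avionics", ["death"],
                    12_000_000, 5e-3, [(3, "UPS with automatic transfer"),
                                       (5, "Aircrew power-loss recovery procedure")], 2e-7)
SLIP_HAZARD = Hazard("H-002", "Slip on wet hangar floor", ["lost_work_days"], 50_000, 3e-2,
                     [(4, "Wet-floor warning signs"), (5, "Housekeeping procedure")], 8e-4)

if __name__ == "__main__":
    for hz in (POWER_LOSS, SLIP_HAZARD):
        print(hz.hazard_id, assess(hz))
    print(rank_hazards([SLIP_HAZARD, POWER_LOSS]))
```

For H-001 the initial RAC is 1C (High, cell 4); the precedence-3 engineered feature takes the residual RAC to 1E (Medium, cell 12), which is a reduction but not an elimination, so it still needs acceptance by the appropriate authority under requirement 7. Only a hazard removed through design selection gets level F, which is why the check refuses a residual probability of None when no precedence-1 measure is recorded.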
Task 100 Series – Management
• Task 101 – Hazard Identification and Mitigation Effort Using the System Safety Methodology
• Task 102 – System Safety Program Plan
• Task 103 – Hazard Management Plan
• Task 104 – Support of Government Reviews/Audits
• Task 105 – Integrated Product Team/Working Group Support
• Task 106 – Hazard Tracking System
• Task 107 – Hazard Management Progress Report
• Task 108 – Hazardous Materials Management Plan

Task 200 Series – Analysis
• Task 201 – Preliminary Hazard List
• Task 202 – Preliminary Hazard Analysis
• Task 203 – System Requirements Hazard Analysis
• Task 204 – Subsystem Hazard Analysis
• Task 205 – System Hazard Analysis
• Task 206 – Operating and Support Hazard Analysis
• Task 207 – Health Hazard Analysis
• Task 208 – Functional Hazard Analysis
• Task 209 – System-of-Systems Hazard Analysis
• Task 210 – Environmental Hazard Analysis

Task 300 Series – Evaluation
• Task 301 – Safety Assessment Report
• Task 302 – Hazard Management Assessment Report
• Task 303 – Test and Evaluation Participation
• Task 304 – Review of Engineering Change Proposals, Change Notices, Deficiency Reports, Mishaps, and Requests for Deviation/Waiver

Task 400 Series – Verification
• Task 401 – Safety Verification
• Task 402 – Explosives Hazard Classification Data
• Task 403 – Explosive Ordnance Disposal Data