Re: [SystemSafety] Who applies risk acceptance principles - Part 2

From: GRAZEBROOK, Alvery N < >
Date: Tue, 4 Jun 2013 15:21:08 +0200


In my opinion, the number of instances of the system containing the failure mode should be considered. A function which might have a few other examples globally (e.g. a protection function in the signalling system for a nation) could tolerate the levels of failures discussed, but a function that is instantiated frequently (e.g. on every train carriage) could not tolerate such high levels of dangerous failures.

There is also the question of utility. I would not be content to tolerate anything like this level of risk if the benefit was only to support a marketing activity, but if the risk gave a significant benefit to society, e.g. providing a mass-transit system to millions of people, perhaps the risk would be justified. So I think it is appropriate to consider value, and the separation of 1st party risk vs. 3rd party risk, as part of the assessment process.

Regards,

            Alvery

From: systemsafety-bounces_at_xxxxxx
Sent: 04 June 2013 12:08 PM
To: M Mencke; systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] Who applies risk acceptance principles - Part 2

Myriam,
There is a new ERA Report about Risk Acceptance, involving a "validation process". http://www.era.europa.eu/Document-Register/Pages/RAC-note-1-2013.aspx Basically, this is the proposal:
The following design targets shall apply to failures of functions of technical systems:
(a) For a failure that has a typical credible potential to lead directly to an accident affecting a group of people and resulting in fatalities and/or severe injuries and/or major damages to the environment, the frequency of the failure of the function does not have to be reduced further if it is demonstrated to be less than or equal to 10^-9 failures per operating hour.
(b) For a failure that has a typical credible potential to lead directly to an accident affecting an individual person and resulting in fatality and/or severe injury, the frequency of the failure of the function does not have to be reduced further if it is demonstrated to be less than or equal to 10^-7 failures per operating hour.
(c) For a failure that has a typical credible potential to lead directly to an accident resulting in one or more light injuries, the frequency of the failure of the function does not have to be reduced further if it is demonstrated to be less than 10^-5 failures per operating hour.

The document includes some clarifications and doubts; please read it before discussing it. I think that it is better to define a proper risk matrix (adjusting the CENELEC 50126 one, for example). But in any case, the "old paradigm of 10^-9" does not make sense, in my opinion...

Javier Echarte
Altran Spain.

This e-mail and any attachment may contain confidential and/or privileged information. If you have received this e-mail and/or attachment in error, please notify the sender immediately and delete the e-mail and any attachment from your system. If you are not the intended recipient you must not copy, distribute, disclose or use the contents of the e-mail or any attachment. All e-mail sent to or from this address may be accessed by someone other than the recipient for system management and security reasons or for other lawful purposes. Airbus Operations Limited does not accept liability for any damage or loss which may be caused by software viruses. Airbus Operations Limited is registered in England and Wales under company number 3468788. The company's registered office is at New Filton House, Filton, Bristol, BS99 7AR.
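The instance-count argument above is quantitative, so here is an added worked example (not code from the thread, ERA, or either correspondent) that scales the quoted per-function targets by an assumed number of deployed instances and operating hours, and shows the per-instance rate that would be needed to hold a fleet-level figure. The instance counts (1 national protection function vs. 50,000 per-carriage functions) and the 8,760 operating hours per year are illustrative assumptions; the aggregation itself is this editor's reading of the point, not a method the ERA note prescribes.

```python
"""Scaling per-function failure-rate targets by instance count.

Added example, not from the thread. The ERA design targets quoted above
are per function, per operating hour. This computes the fleet-level
expected dangerous failures per year for an assumed instance count and
duty cycle, the probability of at least one such failure in a year under
a Poisson model, and the per-instance rate needed to hold a fleet target.
Instance counts and operating hours are illustrative assumptions.
"""
import math

# ERA RAC design targets as quoted in the thread (failures per operating hour).
ERA_TARGETS = {
    "group_fatalities": 1e-9,   # (a) accident affecting a group of people
    "single_fatality": 1e-7,    # (b) accident affecting an individual
    "light_injuries": 1e-5,     # (c) one or more light injuries
}

HOURS_PER_YEAR = 8760.0  # assumption: continuous operation


def fleet_failures_per_year(rate_per_hour, instances, hours_per_year=HOURS_PER_YEAR):
    """Expected failures per year summed over all instances, assuming
    each instance fails independently at rate_per_hour and operates
    hours_per_year hours."""
    if rate_per_hour < 0 or instances < 0 or hours_per_year < 0:
        raise ValueError("inputs must be non-negative")
    return rate_per_hour * instances * hours_per_year


def prob_at_least_one(rate_per_hour, instances, hours_per_year=HOURS_PER_YEAR):
    """Probability of at least one failure in a year across the fleet,
    treating the aggregate as Poisson with the expected count above.
    -expm1(-x) is 1 - exp(-x) without cancellation for tiny x."""
    lam = fleet_failures_per_year(rate_per_hour, instances, hours_per_year)
    return -math.expm1(-lam)


def required_per_instance_rate(fleet_target_per_year, instances, hours_per_year=HOURS_PER_YEAR):
    """Per-instance failure rate (per operating hour) that keeps the
    fleet-level expected failures per year at fleet_target_per_year."""
    if instances <= 0 or hours_per_year <= 0:
        raise ValueError("instances and hours must be positive")
    return fleet_target_per_year / (instances * hours_per_year)


def compare(category, instances, hours_per_year=HOURS_PER_YEAR):
    """Return (per-instance target, fleet failures/year, P[>=1 failure/year])
    for one ERA category and an assumed instance count."""
    rate = ERA_TARGETS[category]
    return (rate,
            fleet_failures_per_year(rate, instances, hours_per_year),
            prob_at_least_one(rate, instances, hours_per_year))


if __name__ == "__main__":
    # Assumed populations: one national protection function vs. one per carriage.
    for label, n in (("national signalling protection", 1), ("per-carriage function", 50000)):
        for cat in ERA_TARGETS:
            rate, per_year, p = compare(cat, n)
            print(f"{label:32s} {cat:17s} {rate:.0e}/h x {n:6d} "
                  f"-> {per_year:.3g} failures/year, P(>=1) = {p:.3g}")
    # Per-instance rate a 50,000-unit fleet would need to match the
    # single-instance 10^-9 figure at fleet level.
    print(f"required per-instance rate: "
          f"{required_per_instance_rate(fleet_failures_per_year(1e-9, 1), 50000):.1e}/h")
```

With these assumptions the single national function at 10^-9/h gives about 8.8e-6 expected failures per year, whereas 50,000 carriage-level instances at the 10^-7/h single-fatality target give about 44 per year, which is the disproportion the post is pointing at; holding the fleet to the single-instance figure would need roughly 2e-14 per instance-hour.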



The System Safety Mailing List
systemsafety_at_xxxxxx
Received on Tue Jun 04 2013 - 15:22:02 CEST

This archive was generated by hypermail 2.3.0 : Sun Feb 17 2019 - 08:17:05 CET