Both approaches share the goal of finding causal dependencies between a hazard on system level and failures of individual components.
In contrast to traditional methods, model-based techniques try to derive relationships between causes and consequences from some sort of model of the system.
These techniques are just ways of finding problems and of making plans to cope with failures, as in probabilistic risk assessment.
Failure Mode and Effects Analysis (FMEA) is a bottom-up, inductive analytical method which may be performed at either the functional or piece-part level.
The intent is to identify ways to make top events less probable, and verify that safety goals have been achieved.
When failure and event probabilities are unknown, qualitative fault trees may be analyzed for minimal cut sets.
The analysis is used during the design phase to identify process engineering hazards together with risk mitigation measures.
The methodology is described in the American Petroleum Institute Recommended Practice 14C Analysis, Design, Installation, and Testing of Basic Surface Safety Systems for Offshore Production Platforms.
The technique uses system analysis methods to determine the safety requirements to protect any individual process component, e.g. a vessel, pipeline, or pump.[2]
Each component is subject to a safety analysis to identify undesirable events (equipment failure, process upsets, etc.).[3]
The analysis also identifies a detectable condition (e.g. high pressure) which is used to initiate actions to prevent or minimize the effect of undesirable events.[3][4]
Causes identified for a pressure vessel include: inflow exceeds outflow; gas blowby (from upstream); pressure control failure; thermal expansion; excess heat input; liquid slug flow; blocked or restricted liquid outlet; and level control failure. Other undesirable events for a pressure vessel are under-pressure, gas blowby, leak, and excess temperature, together with their associated causes and detectable conditions.[4]
Once the events, causes and detectable conditions have been identified, the next stage of the methodology uses a Safety Analysis Checklist (SAC) for each component.
For example, for the case of liquid overflow from a vessel (as above) the SAC identifies:[6] The analysis ensures that two levels of protection are provided to mitigate each undesirable event.[2][9]
X denotes that the detection device on the left (e.g. PSH) initiates the shutdown or warning action on the top right (e.g. ESV closure).[14]
Typically, safety guidelines prescribe a set of steps, deliverable documents, and exit criteria focused on planning, analysis and design, implementation, verification and validation, configuration management, and quality assurance activities for the development of a safety-critical system.
(as per FAA document AC 25.1309-1A) Most Western nuclear reactors, medical equipment, and commercial aircraft are certified
The cost versus loss of lives has been considered appropriate at this level (by the FAA for aircraft systems under the Federal Aviation Regulations).
The U.S. Department of Defense Standard Practice for System Safety (MIL-STD-882) places the highest priority on elimination of hazards through design selection.
Redundancy, fault tolerance, or recovery procedures are used for these situations (e.g. multiple independently controlled and fuel-fed engines).
This also makes the system less sensitive to reliability prediction errors or quality-induced uncertainty in the individual items.