U.S. Department of Defense Draft Military Standard (MIL-STD-882E)
Standard Practice for System Safety
The U.S. Department of Defense's (DoD) draft military standard MIL-STD-882E outlines a standard practice for conducting system safety, and it provides a consistent means of evaluating risks. Mishap risk must be identified, evaluated and mitigated to a level that is acceptable to the appropriate authority and is compliant with federal laws and regulations, executive orders, treaties and agreements. Program trade studies associated with mitigating mishap risk must consider total life-cycle cost in any decision.
The standard defines general safety requirements to perform throughout the life cycle for any system, new development, upgrade, modification, resolution of deficiencies or technology development. When properly applied, these requirements should ensure the identification and understanding of all known hazards and their associated risks, and mishap risk will be eliminated or reduced to acceptable levels.
Minimum mandatory requirements for an acceptable system safety program for any DoD system are also delineated in the standard.
General system safety requirements include:
1. Documenting the system safety approach.
Documenting the developer's and program manager's approved system safety engineering approach will:
Describe the program's implementation using the requirements.
Include information on system safety integration into the overall program structure and software development lifecycle.
Define how hazards and mishap risks are communicated to and accepted by the appropriate risk acceptance authority and how hazards and mishap risk will be tracked.
2. Identifying hazards.
Hazards are to be identified through a systematic hazard analysis process that encompasses detailed analysis of system hardware and software, the environment and the intended use or application. Identification of hazards is a responsibility of all program members.
3. Assessing mishap risk.
Assess the severity and probability or software control category of the mishap risk associated with each identified hazard to determine the potential negative impact of the hazard.
4. Identifying mishap risk mitigation measures.
Identify potential mishap risk mitigation alternatives and the expected effectiveness of each alternative or method. To mitigate identified hazards, the following procedures must be performed in the order given:
Eliminate hazards or reduce hazard risk through design selection.
Incorporate safety devices.
Provide warning devices.
Develop procedures and training.
5. Reducing mishap risk to an acceptable level.
Reduce the mishap risk through a mitigation approach that both the developer and program manager mutually agree upon.
6. Verifying mishap risk reduction.
Verify the mishap risk reduction and mitigation through appropriate analysis, testing or inspection. Document the determined mishap risk and report all new hazards identified during testing to the program manager and developer.
7. Reviewing hazards and accepting mishap risk by the appropriate authority.
Notify the program manager of identified hazards and mishap risk. The program manager will then ensure that remaining hazards and mishap risk are reviewed and accepted by the appropriate risk acceptance authority. The appropriate risk acceptance authority will formally acknowledge and document acceptance of hazards and mishap risk.
8. Tracking hazards, their closures and mishap risk.
Track hazards, their closure actions and the mishap risk by maintaining a tracking system that includes hazards, hazard severity and probability, hazard causes, controls for each cause and verification for each hazard control, their closure actions and mishap risk throughout the system life cycle.