Space product assurance - Hazard analysis

EN 16602-40-02 details the hazard analysis requirements of ECSS-Q-ST-40; it defines the principles, process, implementation, and requirements of hazard analysis. It is applicable to all European space projects where during any project phase there exists the potential for hazards to personnel or the general public, space flight systems, ground support equipment, facilities, public or private property or the environment. This standard may be tailored for the specific characteristics and constraints of a space project in conformance with ECSS-S-ST-00.

Raumfahrtproduktsicherung - Gefahrenanalyse

Assurance produit des projets spatiaux - Analyse de risques

Zagotavljanje varnih proizvodov v vesoljski tehniki - Analiza nevarnosti


General Information

Status: Published
Publication Date: 21-Oct-2014
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 24-Sep-2014
Due Date: 29-Nov-2014
Completion Date: 22-Oct-2014


Standard
EN 16602-40-02:2014
English language
35 pages

Standards Content (Sample)

SLOVENIAN STANDARD
SIST EN 16602-40-02:2014
01-November-2014
Supersedes: SIST EN 14738:2004
Zagotavljanje varnih proizvodov v vesoljski tehniki - Analiza nevarnosti
Space product assurance - Hazard analysis
Raumfahrtproduktsicherung - Gefahrenanalyse
Assurance produit des projets spatiaux - Analyse de risques
This Slovenian standard is identical to: EN 16602-40-02:2014
ICS:
03.100.40 Research and development
49.140 Space systems and operations
SIST EN 16602-40-02:2014 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.



EUROPEAN STANDARD
EN 16602-40-02

NORME EUROPÉENNE

EUROPÄISCHE NORM
September 2014
ICS 49.140 Supersedes EN 14738:2004
English version
Space product assurance - Hazard analysis
Assurance produit des projets spatiaux - Analyse de risques
Raumfahrtproduktsicherung - Gefahrenanalyse
This European Standard was approved by CEN on 13 March 2014.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving
this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning
such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC
member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre
has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia,
Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.







CEN-CENELEC Management Centre:
Avenue Marnix 17, B-1000 Brussels
© 2014 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN 16602-40-02:2014 E

Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms from other standards
3.2 Terms specific to the present standard
3.3 Abbreviated terms
4 Principles of hazard analysis
4.1 Hazard analysis concept
4.2 Role of hazard analysis
4.3 Hazard analysis process
4.3.1 Overview
4.3.2 Overview of the hazard analysis process
4.4 Hazard analysis implementation
4.4.1 Overview
4.4.2 General considerations
4.4.3 Type of project considerations
4.4.4 Documentation of hazard analysis
4.5 Hazard analysis documentation
4.6 Integration of hazard analysis activities
4.7 Objectives of hazard analysis
5 Requirements
5.1 Hazard analysis requirements
5.2 Hazard analysis steps and tasks
5.2.1 Step 1: Define hazard analysis implementation requirements
5.2.2 Step 2: Identify and assess the hazards
5.2.3 Step 3: Decide and act
5.2.4 Step 4: Track, communicate and accept the hazards
Annex A (informative) Examples of generic hazards
Annex B (informative) Hazard and safety risk register (example) and ranked hazard and safety risk log (example)
Annex C (informative) Background information
C.1 Preliminary hazard analysis (PHA)
C.2 Subsystem hazard analysis (SSHA)
C.3 System hazard analysis (SHA)
C.4 Operating hazard analysis (OHA)
Bibliography

Figures
Figure 4-1: Hazards and hazard scenarios
Figure 4-2: Example of a hazard tree
Figure 4-3: Example of a consequence tree
Figure 4-4: Reduction of hazards
Figure 4-5: Interface to FMECA and CC&M analysis
Figure 4-6: The process of hazard analysis
Figure 4-7: The steps and cycles in the hazard analysis process
Figure 4-8: The nine tasks associated with the four steps of the hazard analysis process
Figure B-1: Example of a hazard and safety risk register (see also ECSS-M-ST-80)
Figure B-2: Example of a ranked hazard and safety risk log

Tables
Table 5-1: Example of a safety consequence severity categorization
Table 5-2: Example of a hazard matrix
Table 5-3: Example of a hazard manifestation list
Table 5-4: Example of a hazard scenario list


Foreword
This document (EN 16602-40-02:2014) has been prepared by Technical
Committee CEN/CLC/TC 5 “Space”, the secretariat of which is held by DIN.
This standard (EN 16602-40-02:2014) originates from ECSS-Q-ST-40-02C.
This European Standard shall be given the status of a national standard, either
by publication of an identical text or by endorsement, at the latest by March
2015, and conflicting national standards shall be withdrawn at the latest by
March 2015.
Attention is drawn to the possibility that some of the elements of this document
may be the subject of patent rights. CEN [and/or CENELEC] shall not be held
responsible for identifying any or all such patent rights.
This document supersedes EN 14738:2004.
This document has been prepared under a mandate given to CEN by the
European Commission and the European Free Trade Association.
This document has been developed to cover specifically space systems and has
therefore precedence over any EN covering the same scope but with a wider
domain of applicability (e.g. aerospace).
According to the CEN-CENELEC Internal Regulations, the national standards
organizations of the following countries are bound to implement this European
Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic,
Denmark, Estonia, Finland, Former Yugoslav Republic of Macedonia, France,
Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania,
Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the United
Kingdom.
Introduction
Safety analysis comprises hazard analysis, safety risk assessment and
supporting analyses as defined in ECSS-Q-ST-40. The objective of safety
analysis is to identify, assess, reduce, accept, and control safety hazards and the
associated safety risks in a systematic, proactive, complete and cost effective
manner, taking into account the project’s technical and programmatic
constraints. Safety analysis can be implemented through an iterative process,
with iterations being determined by the project progress through the different
project phases, and by changes to a given project baseline.
Hazard analysis comprises the identification, classification and reduction of
hazards. Hazard analysis can be implemented at each level of the
customer-supplier network. Hazard analysis activities at lower level can
contribute to system level safety analysis. System level safety analysis can
determine lower level hazard analysis activities.
Hazard analysis interfaces with dependability analysis, in particular FMECA.
Safety risk assessment interfaces with quantitative dependability analysis, in
particular reliability analysis. Safety risk assessment contributes to project risk
management. Ranking of safety risks according to their criticality for project
success, allowing management to direct its attention to the essential safety
issues, is part of the major objectives of risk management.
Safety risk assessment is further addressed in ECSS-Q-ST-40.
1 Scope
This Standard details the hazard analysis requirements of ECSS-Q-ST-40; it
defines the principles, process, implementation, and requirements of hazard
analysis.
It is applicable to all European space projects where during any project phase
there exists the potential for hazards to personnel or the general public, space
flight systems, ground support equipment, facilities, public or private property
or the environment.
This standard may be tailored for the specific characteristics and constraints of a
space project in conformance with ECSS-S-ST-00.
2 Normative references
The following normative documents contain provisions which, through
reference in this text, constitute provisions of this ECSS Standard. For dated
references, subsequent amendments to, or revision of any of these publications
do not apply. However, parties to agreements based on this ECSS Standard are
encouraged to investigate the possibility of applying the more recent editions of
the normative documents indicated below. For undated references, the latest
edition of the publication referred to applies.

EN reference | Reference in text | Title
EN 16001-00-01 | ECSS-S-ST-00-01 | ECSS system — Glossary of terms
EN 16601-80 | ECSS-M-ST-80 | Space project management — Risk management
EN 16602-40 | ECSS-Q-ST-40 | Space product assurance — Safety

3 Terms, definitions and abbreviated terms
3.1 Terms from other standards
For the purpose of this Standard, the terms and definitions from ECSS-S-ST-00-01
apply, in particular for the following terms:
requirement
3.2 Terms specific to the present standard
3.2.1 consequence tree
set of hazard scenarios leading to the same safety consequence
3.2.2 detection time
time span between the occurrence of the initiator event and its detection
through the observable symptoms
3.2.3 hazard
existing or potential condition of an item that can result in a mishap
NOTE 1 [ISO 14620-2]
NOTE 2 This condition can be associated with the
design, fabrication, operation, or environment
of the item, and has the potential for mishaps.
[ISO 14620-2]
NOTE 3 Hazards are potential threats to the safety of a
system. They are not events, but the
prerequisite for the occurrence of hazard
scenarios with their negative effects on safety in
terms of the safety consequences.
3.2.4 hazard acceptance
decision to tolerate the consequences of the hazard scenarios when they occur
3.2.5 hazard analysis
systematic and iterative process of the identification, classification and
reduction of hazards
3.2.6 hazard control
preventive or mitigation measure, associated to a hazard scenario, which is
introduced into the system design and operation to avoid the events or to
interrupt their propagation to consequence
3.2.7 hazard elimination
removal of a hazard from a particular hazard manifestation
3.2.8 hazard manifestation
presence of specific hazards in the technical design, operation and environment
of a system
3.2.9 hazard minimization
substitution of a hazard in the hazard manifestation by another hazard of the
same type but with a lower potential threat
NOTE For instance high toxicity to low toxicity.
3.2.10 hazard reduction
process of elimination or minimization and control of hazards
3.2.11 hazard scenario
sequence of events leading from the initial cause to the unwanted safety
consequence
NOTE The cause can be a single initiating event, or an
additional action or a change of condition
activating a dormant problem.
3.2.12 hazard tree
set of hazard scenarios originating from the same set of hazard manifestations
3.2.13 hazardous
property of an item and its environment which provides the potential for
mishaps
NOTE [ISO 14620-2]
3.2.14 observable symptoms
evidence that indicates that an undesirable event has occurred
NOTE Observable symptoms appear during the
propagation time.
3.2.15 reaction time
time span between the detection and the occurrence of the consequence
NOTE This is the time span available for mitigating
actions after detection of the occurrence of the
initiator event.
3.2.16 residual hazard
hazard remaining after implementation of hazard reduction
3.2.17 resolved hazard
hazard that is reduced, the reduction verified and the hazard considered
acceptable
NOTE Resolved hazards are submitted for formal
acceptance.
3.2.18 scenario propagation time
time span between the occurrence of the initiator event and the occurrence of
the consequence
3.2.19 severity of safety consequence
measure of the gravity of damage with respect to safety
3.3 Abbreviated terms
For the purpose of this Standard, the abbreviated terms from ECSS-S-ST-00-01
and the following apply:

Abbreviation | Meaning
CC&M | common cause and common failure mode analysis
DRD | document requirements definition
FMECA | failure modes, effects and criticality analysis
GSE | ground support equipment
NASA | National Aeronautics and Space Administration
OHA | operating hazard analysis
PHA | preliminary hazard analysis
SHA | system hazard analysis
SSHA | subsystem hazard analysis

4 Principles of hazard analysis
4.1 Hazard analysis concept
Hazard analysis is based on the following hazard analysis concept, which is
depicted in Figure 4-1 to Figure 4-4.
Hazards, which are present through hazard manifestations in the system, are
activated if initiating events (i.e. cause) occur. Hazard scenarios reflect the
system behaviour to the activated hazards in terms of event propagation from
causes to safety consequences, as depicted in Figure 4-1. The occurrence of
events is coupled to observable symptoms in the system. Safety consequences
are characterized by their severity.
Different hazard scenarios can originate from the same hazard. Furthermore,
different hazard scenarios can lead to the same safety consequence. For an
example, see Table 5-4. The collection of hazard scenarios originating from the
same hazard manifestation is collated into a hazard tree, as illustrated in Figure
4-2. The collection of hazard scenarios leading to the same safety consequence is
collated into a consequence tree, as illustrated in Figure 4-3.
Hazards are reduced by either eliminating them or, if this is not possible, by
minimizing and controlling them, as shown in Figure 4-4. Hazards are
eliminated through the removal of specific potentially safety threatening system
characteristics. Hazards are minimized through reducing the level or amount of
specific potentially safety threatening system characteristics. Hazards are
controlled through the prevention of the occurrence or reduction of the
likelihood and mitigation of the effects of events. Occurrence of the events can
be detected through their observable symptoms.
For example: A hazard to driving a car is “poor weather conditions”, and the
hazard is manifested by “ice on the road”. The cause “rapid change of
direction” can lead to the event “loss of control” and finally to the consequence
“death of driver”. Hazard elimination can be achieved by “delaying the
journey”, and hazard minimization by gritting the road. There are various
methods for hazard control which impact on different parts of the process:
“driving slowly” impacts on the cause; “using snow-chains” impacts on the link
between cause and event; “fitting airbag” impacts on the link between event
and consequence.
Figure 4-1: Hazards and hazard scenarios (diagram; labels: hazard manifestation, hazard, hazard scenarios, cause, events, consequence, propagation time)

Figure 4-2: Example of a hazard tree (diagram; labels: hazard manifestation, hazard, hazard scenarios, cause, events, consequence, propagation time)

Figure 4-3: Example of a consequence tree (diagram; labels: hazard manifestation, hazard, hazard scenarios, cause, events, consequence, propagation time)

Figure 4-4: Reduction of hazards (diagram; labels: hazard reduction, hazard elimination, hazard minimization, hazard control, hazard manifestation, hazard scenarios, cause, events, consequence, propagation time; removal or change of hazards, elimination of event, or interruption of event)
Failure causes as identified through FMECA and other analyses, such as
common cause and common failure mode analysis (CC&M), can represent
causes of hazard scenarios, as depicted in Figure 4-5.
Figure 4-5: Interface to FMECA and CC&M analysis (diagram; labels: hazard manifestation, hazard, hazard scenarios, cause, events, consequence; failure cause - FMECA, failure modes - FMECA, failure event - FMECA, consequence - FMECA; common mode - CC&M, common cause - CC&M)
4.2 Role of hazard analysis
Hazard analysis is the principal deterministic safety analysis which assists
engineers and managers in including safety aspects in the engineering practices
and the decision-making process throughout the project life cycle in design,
construction, testing, operation, maintenance, and disposal, together with their
interfaces.
Hazard analysis provides essential input to the safety risk assessment for a
system.
4.3 Hazard analysis process
4.3.1 Overview
The hazard analysis process comprises the steps and tasks necessary to identify
and classify hazards, to achieve hazard reduction. The basic steps are:
• Step 1: define the hazard analysis implementation requirements;
• Step 2: identify and classify the hazards;
• Step 3: decide and act on the hazards;
• Step 4: track, communicate and accept the hazards.
The process of hazard analysis, including iteration of its tasks, is summarized in
Figure 4-6.
Figure 4-6: The process of hazard analysis (flowchart: 1. Define analysis requirements; 2. Identify and classify hazards; 3. Decide and act on hazards; decision "Are hazards acceptable?"; if no, reduce hazards and iterate tasks; if yes, 4. Track, communicate and accept the hazards)
4.3.2 Overview of the hazard analysis process
The iterative four-step hazard analysis process is illustrated in Figure 4-7. The
tasks within each of these steps are shown in Figure 4-8.
Step 1 comprises the establishment of the scope and purpose of hazard analysis,
the hazard analysis planning (Task 1), and the definition of the system to be
analysed (Task 2). Step 1 is performed at the beginning of a project. According
to the scope and purpose, the implementation of the hazard analysis process
consists of a number of “hazard analysis cycles” over the project’s duration,
comprising the necessary revisions of the analysis requirements and the Steps 2
to 4, subdivided in the seven Tasks 3 to 9.
The period designated in Figure 4-7 as the “Hazard analysis process” comprises
all the phases of the project concerned, as defined in ECSS-M-ST-10. The
frequency and the events at which cycles are required in a project (only 3 are
shown in Figure 4-7 for illustration purposes) depend on the needs and
complexity of the project, and are defined during Step 1 at the beginning of the
project.
Figure 4-7: The steps and cycles in the hazard analysis process (diagram: three hazard analysis cycles shown across the project phases, each consisting of Step 1 to Step 4; Step 1 is "Define analysis requirements" in the first cycle and "Revise analysis requirements" in the following cycles; Step 2 "Identify and classify hazards"; Step 3 "Decide and act on hazards"; Step 4 "Track, communicate and accept hazards"; the hazard analysis process and the hazard analysis documentation span the project phases)

Step 1: Define hazard analysis implementation requirements
  Task 1: Define the hazard analysis scope, objectives and the hazard analysis planning.
  Task 2: Define the system baseline to be analysed.
Step 2: Identify and classify the hazards
  Task 3: Identify hazard manifestations.
  Task 4: Identify and classify hazard scenarios.
Step 3: Decide and act
  Task 5: Decide if the hazards can be accepted.
  Task 6: Reduce the hazards.
  Task 7: Recommend acceptance.
Step 4: Track, communicate and accept the hazards
  Task 8: Track and communicate the hazards.
  Task 9: Accept the hazards.

Figure 4-8: The nine tasks associated with the four steps of the hazard analysis process
4.4 Hazard analysis implementation
4.4.1 Overview
Implementation of hazard analysis in a project is based on single or multiple,
i.e. iterative, application of the hazard analysis process. The tasks associated
with the individual steps of the hazard analysis process vary according to the
scope and objectives specified for hazard analysis. The scope and objectives of
hazard analysis depend on the type and phase of the project.
Hazard analysis requires commitment in each actor’s organization, and the
establishment of clear lines of responsibility and accountability. Project
management has overall responsibility for the implementation of hazard
analysis, ensuring an integrated, coherent hazard analysis approach.
4.4.2 General considerations
Hazard analysis is implemented as a team effort, with tasks and responsibilities
being assigned to the functions and individuals within the project organization
with the relevant expertise in the areas of safety and engineering concerned by
a given hazard.
The results of hazard analysis are used as input to project reviews and project
management during the evolution of the system.
Annex C provides background information on traditionally performed hazard
analyses.
4.4.3 Type of project considerations
Hazard analysis activities differ according to the type of project and required
safety effort. However, the hazard analysis process is the same in each case.
Hazard analysis activities are linked to different types of projects, such as:
a. Hazard analysis at sub-supplier level for safety of part of the spacecraft
design and the operation of a manned or unmanned mission and as input
to system safety efforts.
b. Hazard analysis at prime supplier level for system safety of total space
system design and the operation of a manned or unmanned mission.
c. Hazard analysis at any supplier level for payload safety.
d. Hazard analysis at any supplier level for safety of spacecraft verification
activities.
e. Hazard analysis at any supplier level for safety of other ground activities,
operations and launch.
4.4.4 Documentation of hazard analysis
Hazard analyses are documented to ensure that all associated decisions are
traceable and defensible.
Every task of the hazard analysis process is documented.
Example forms for summarizing the results of the tasks are presented in
ECSS-Q-ST-40 DRD for Hazard reports. See Annex B of this Standard for examples.
4.5 Hazard analysis documentation
The hazard analysis process is documented to ensure that the scope and
objectives of hazard analysis are established, understood, implemented and
maintained, and that an audit trail can track the origin and rationale of all safety
related decisions made during the life of the project.
4.6 Integration of hazard analysis activities
Hazard analysis activities are performed at different levels of the
customer-supplier chain. The lower level hazard analysis activities are
integrated into the system level hazard analysis activities. The proper and
effective integration of these tasks is of major importance and is typically
achieved by applying the following:
a. The top down approach from the system to lower level is to identify the
required lower level hazard analysis inputs. The required inputs are
linked to knowledge of the domain.
b. The lower level task is to consider that domain and to develop and
provide the required input to the next level up.
c. The system level task, using a bottom-up approach, logically and
effectively integrates the lower level hazard analysis inputs into the
system level hazard analysis.
The above statements 4.6a to 4.6c assist in achieving the following results:
1. Proper allocation of the consequence severity categories at system
level.
2. Proper development and implementation of hazard reduction.
3. Identification of the unresolved hazards in a timely manner.
4. Assurance that all aspects are considered in order to optimize and
harmon
...
