4. GENERAL REQUIREMENTS
This section defines the system safety requirements to perform throughout the
life cycle for any system, new development, upgrade, modification, resolution of
deficiencies, or technology development. When properly applied, these
requirements should ensure the identification and understanding of all known
hazards and their associated risks; and mishap risk eliminated or reduced to
acceptable levels. The objective of system safety is to achieve acceptable
mishap risk through a systematic approach of hazard analysis, risk assessment,
and risk management. This document delineates the minimum mandatory requirements
for an acceptable system safety program for any DoD system. When MIL-STD-882 is
required in a solicitation or contract, but no specific references are included,
then only the requirements in this section are applicable. System safety
requirements consist of the following:
Documentation of the system safety approach. Document the developer's and
program manager's approved system safety engineering approach. This
a. Describe the programís implementation using the requirements herein.
Include identification of each hazard analysis and mishap risk assessment
b. Include information on system safety integration into the overall
c. Define how hazards and residual mishap risk are communicated to and
accepted by the appropriate risk acceptance authority (see 4.7) and how
hazards and residual mishap risk will be tracked (see 4.8).
4.2 Identification of hazards. Identify
hazards through a systematic hazard analysis process encompassing detailed
analysis of system hardware and software, the environment (in which the
system will exist), and the intended use or application. Consider and use
historical hazard and mishap data, including lessons learned from other
systems. Identification of hazards is a responsibility of all program
members. During hazard identification, consider hazards that could occur
over the system life cycle.
Assessment of mishap risk. Assess
the severity and probability of the mishap risk associated with each
identified hazard, i.e., determine the potential negative impact of the
hazard on personnel, facilities, equipment, operations, the public, and the
environment, as well as on the system itself. The tables in Appendix A are
to be used unless otherwise specified.
4.4 Identification of mishap risk mitigation measures. Identify potential mishap risk mitigation alternatives and the
expected effectiveness of each alternative or method. Mishap risk mitigation
is an iterative process that culminates when the residual mishap risk has
been reduced to a level acceptable to the appropriate authority. The system
safety design order of precedence for mitigating identified hazards is:
a. Eliminate hazards through design selection. If unable to eliminate an identified hazard, reduce the
associated mishap risk to an acceptable level through design selection.
b. Incorporate safety devices. If unable to
eliminate the hazard through design selection, reduce the mishap risk to an
acceptable level using protective safety features or devices.
c. Provide warning devices. If safety devices
do not adequately lower the mishap risk of the hazard, include a detection
and warning system to alert personnel to the particular hazard.
d. Develop procedures and training. Where it
is impractical to eliminate hazards through design selection or to reduce
the associated risk to an acceptable level with safety and warning devices,
incorporate special procedures and training. Procedures may include the use
of personal protective equipment. For hazards assigned Catastrophic or
Critical mishap severity categories, avoid using warning, caution, or other
written advisory as the only risk reduction method.
Reduction of mishap risk to an acceptable level. Reduce the mishap risk through a mitigation approach mutually
agreed to by both the developer and the program manager. Communicate
residual mishap risk and hazards to the associated test effort for
Verification of mishap risk reduction.
Verify the mishap risk reduction and mitigation through appropriate
analysis, testing, or inspection. Document the determined residual mishap
risk. Report all new hazards identified during testing to the program
manager and the developer.
Review of hazards and acceptance of residual mishap risk by the appropriate authority. Notify the program manager of
identified hazards and residual mishap risk. Unless otherwise specified, the
suggested tables A-I through A-III of the appendix will be used to rank
residual risk. The program manager shall ensure that remaining hazards and
residual mishap risk are reviewed and accepted by the appropriate risk
acceptance authority (ref. table A-IV). The appropriate risk acceptance
authority will include the system user in the mishap risk review. The
appropriate risk acceptance authority shall formally acknowledge and
document acceptance of hazards and residual mishap risk.
Tracking of hazards, their closures, and residual mishap risk. Track hazards, their closure actions, and the
residual mishap risk. Maintain a tracking system that includes hazards,
their closure actions, and residual mishap risk throughout the system life
cycle. The program manager shall keep the system user advised of the hazards
and residual mishap risk.