a. Establish specific safety performance requirements (see A.4.3.2)
based on overall program requirements and system user inputs.
b. Establish a system safety organization or function and the required
lines of communication with associated organizations (government and
contractor). Establish interfaces between system safety and other
functional elements of the program, as well as with other safety and
engineering disciplines (such as nuclear, range, explosive, chemical, and
biological). Designate the organizational unit responsible for executing
each safety task. Establish the authority for resolution of identified
c. Establish system safety milestones and relate these to major program
milestones, program element responsibility, and required inputs and
d. Establish an incident alerting/notification, investigation, and
reporting process, to include notification of the program manager.
e. Establish an acceptable level of mishap risk, mishap probability and
severity thresholds, and documentation requirements (including but not
limited to hazards and residual mishap risk).
f. Establish an approach and methodology for reporting to the program
manager the following minimum information:
(1) Safety critical characteristics and features.
(2) Operating, maintenance, and overhaul safety requirements.
(3) Measures used to eliminate or mitigate hazards.
(4) Acquisition management of hazardous materials.
g. Establish the method for the formal acceptance and
documenting of residual mishap risks and the associated hazards.
h. Establish the method for communicating hazards, the
associated risks, and residual mishap risk to the system user.
i. Specify requirements for other specialized safety approvals
(e.g., nuclear, range, explosive, chemical, biological, electromagnetic
radiation, and lasers) as necessary (reference 6.6 and 6.7).
A.4.3.2 Safety performance requirements.
These are the general safety requirements needed to meet the core program
objectives. The more closely these requirements relate to a given program,
the more easily the designers can incorporate them into the system. In the
appropriate system specifications, incorporate the safety performance
requirements that are applicable, and the specific risk levels considered
acceptable for the system. Acceptable risk levels can be defined in terms
of: a hazard category developed through a mishap risk assessment matrix;
an overall system mishap rate; demonstration of controls required to
preclude unacceptable conditions; satisfaction of specified standards and
regulatory requirements; or other suitable mishap risk assessment
procedures. Listed below are examples of safety performance
a. Quantitative requirements. Quantitative
requirements are usually expressed as a failure or mishap rate, such as
"The catastrophic system mishap rate shall not exceed x.xx × 10^-y
per operational hour."
b. Mishap risk requirements. Mishap risk
requirements could be expressed as "No hazards assigned a Catastrophic
mishap severity are acceptable." Mishap risk requirements could also be
expressed as a level defined by a mishap risk assessment (see
A.220.127.116.11.3), such as "No Category 3 or higher mishap risks are
c. Standardization requirements.
Standardization requirements are expressed relative to a known standard
that is relevant to the system being developed. Examples include: "The
system will comply with the laws of the State of XXXXX and be operable on
the highways of the State of XXXXX" or "The system will be designed to
meet ANSI Std XXX as a minimum."
A.4.3.3 Safety design requirements. The
program manager, in concert with the chief engineer and utilizing systems
engineering and associated system safety professionals, should establish
specific safety design requirements for the overall system. The objective
of safety design requirements is to achieve acceptable mishap risk through
a systematic application of design guidance from standards,
specifications, regulations, design handbooks, safety design checklists,
and other sources. Review these for safety design parameters and
acceptance criteria applicable to the system. Safety design requirements
derived from the selected parameters, as well as any associated acceptance
criteria, are included in the system specification. Expand these
requirements and criteria for inclusion in the associated follow-on or
lower level specifications. See general safety system design requirements
a. Hazardous material use is minimized, eliminated, or
associated mishap risks are reduced through design, including material
selection or substitution. When using potentially hazardous materials,
select those materials that pose the least risk throughout the life cycle
of the system.
b. Hazardous substances, components, and operations are
isolated from other activities, areas, personnel, and incompatible
c. Equipment is located so that access during operations,
servicing, repair, or adjustment minimizes personnel exposure to hazards
(e.g., hazardous substances, high voltage, electromagnetic radiation, and
cutting and puncturing surfaces).
d. Protect power sources, controls, and critical
components of redundant subsystems by physical separation or shielding, or
by other acceptable methods.
f. Consider safety devices that will minimize mishap risk
(e.g., interlocks, redundancy, fail safe design, system protection, fire
suppression, and protective measures such as clothing, equipment, devices,
and procedures) for hazards that cannot be eliminated. Make provisions for
periodic functional checks of safety devices when applicable.
g. System disposal (including explosive ordnance
disposal) and demilitarization are considered in the design.
h. Implement warning signals to minimize the probability
of incorrect personnel reaction to those signals, and standardize within
like types of systems.
i. Provide warning and cautionary notes in assembly,
operation, and maintenance instructions; and provide distinctive markings
on hazardous components, equipment, and facilities to ensure personnel and
equipment protection when no alternate design approach can eliminate a
hazard. Use standard warning and cautionary notations where multiple
applications occur. Standardize notations in accordance with commonly
accepted commercial practice or, if none exists, normal military
procedures. Do not use warning, caution, or other written advisory as the
only risk reduction method for hazards assigned to Catastrophic or
Critical mishap severity categories.
j. Safety critical tasks may require personnel
proficiency; if so, the developer should propose a proficiency
certification process to be used.
k. Severity of injury or damage to equipment or the
environment as a result of a mishap is minimized.
l. Inadequate or overly restrictive requirements
regarding safety are not included in the system specification.
m. Acceptable risk is achieved in implementing new
technology, materials, or designs in an item's production, test, and
operation. Changes to design, configuration, production, or mission
requirements (including any resulting system modifications and upgrades,
retrofits, insertions of new technologies or materials, or use of new
production or test techniques) are accomplished in a manner that maintains
an acceptable level of mishap risk. Changes to the environment in which
the system operates are analyzed to identify and mitigate any resulting
hazards or changes in mishap risks.
A.4.3.3.1 Some program managers include the following
conditions in their solicitation, system specification, or contract as
requirements for the system design. These condition statements are used
optionally as supplemental requirements based on specific program
A.4.3.3.1.1 Unacceptable conditions. The
following safety critical conditions are considered unacceptable for
development efforts. Positive action and verified implementation is
required to reduce the mishap risk associated with these situations to a
level acceptable to the program manager.
a. Single component failure, common mode failure, human
error, or a design feature that could cause a mishap of Catastrophic or
Critical mishap severity categories.
b. Dual independent component failures, dual independent
human errors, or a combination of a component failure and a human error
involving safety critical command and control functions, which could cause
a mishap of Catastrophic or Critical mishap severity categories.
c. Generation of hazardous radiation or energy, when no
provisions have been made to protect personnel or sensitive subsystems
from damage or adverse effects.
d. Packaging or handling procedures and characteristics
that could cause a mishap for which no controls have been provided to
protect personnel or sensitive equipment.
e. Hazard categories that are specified as unacceptable
in the development agreement.
A.4.3.3.1.2 Acceptable conditions. The
following approaches are considered acceptable for correcting unacceptable
conditions and will require no further analysis once mitigating actions
are implemented and verified.
a. For non-safety critical command and control functions:
a system design that requires two or more independent human errors, or
that requires two or more independent failures, or a combination of
independent failure and human error.
b. For safety critical command and control functions: a
system design that requires at least three independent failures, or three
independent human errors, or a combination of three independent failures
and human errors.
c. System designs that positively prevent errors in
assembly, installation, or connections that could result in a mishap.
d. System designs that positively prevent damage
propagation from one component to another or prevent sufficient energy
propagation to cause a mishap.
e. System design limitations on operation, interaction,
or sequencing that preclude occurrence of a mishap.
f. System designs that provide an approved safety factor,
or a fixed design allowance that limits, to an acceptable level,
possibilities of structural failure or release of energy sufficient to
cause a mishap.
g. System designs that control energy build-up that could
potentially cause a mishap (e.g., fuses, relief valves, or electrical
h. System designs where component failure can be
temporarily tolerated because of residual strength or alternate operating
paths, so that operations can continue with a reduced but acceptable
i. System designs that positively alert the controlling
personnel to a hazardous situation where the capability for operator
reaction has been provided.
j. System designs that limit or control the use of
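The single-, dual- and triple-independent-failure criteria in unacceptable conditions a and b and acceptable conditions a and b can be checked mechanically once a hazard's causes are known. The following Python is an added example and is not part of the standard: it assumes each hazard has been analyzed into cut sets (sets of independent failures or human errors that together cause the mishap, as produced by a fault tree analysis), reduces them to minimal cut sets, and reports which condition each hazard falls under; the hazard data and event names are constructed.

```python
# Added example: checks hazards against the independent-failure criteria of the
# unacceptable (a, b) and acceptable (a, b) conditions listed above.
# Assumption: each hazard's causes are expressed as fault-tree cut sets (one set =
# events that together cause the mishap); this FTA framing is the example's, not
# a method the standard prescribes.

HIGH_SEVERITY = {"Catastrophic", "Critical"}  # severities named in condition a/b

def minimal_cut_sets(cut_sets):
    """Drop duplicates and any cut set that is a superset of another (the smaller
    set already causes the mishap); what remains are the minimal cut sets."""
    sets = [frozenset(c) for c in cut_sets if c]
    minimal = []
    for c in sets:
        if any(other < c for other in sets):
            continue
        if c not in minimal:
            minimal.append(c)
    return minimal

def evaluate_hazard(severity, safety_critical_c2, cut_sets):
    """Return the hazard's order (size of its smallest minimal cut set), the order
    the acceptable conditions require, and the unacceptable condition hit, if any."""
    mcs = minimal_cut_sets(cut_sets)
    if not mcs:
        raise ValueError("hazard has no cut sets; analysis incomplete")
    order = min(len(c) for c in mcs)  # independent events needed for the mishap
    # Acceptable b: safety critical command and control needs 3 independent
    # failures/errors; acceptable a: other command and control functions need 2.
    required = 3 if safety_critical_c2 else 2
    finding = None
    if severity in HIGH_SEVERITY and order == 1:
        finding = "unacceptable a: single failure/error causes %s mishap" % severity
    elif safety_critical_c2 and severity in HIGH_SEVERITY and order == 2:
        finding = "unacceptable b: dual failures/errors in safety critical C2"
    return {"order": order, "required": required,
            "acceptable": order >= required, "finding": finding}

# Constructed sample hazards: (name, severity, safety critical C2?, cut sets)
SAMPLE_HAZARDS = [
    ("uncommanded launch", "Catastrophic", True,
     [{"fire_relay_welded"}, {"fire_relay_welded", "sensor_fault"},
      {"arm_switch_fault", "operator_error", "interlock_fault"}]),
    ("hydraulic leak", "Critical", False,
     [{"seal_fault", "relief_valve_fault"}, {"hose_fault", "pump_overpressure"}]),
]

def report(hazards=SAMPLE_HAZARDS):
    """Evaluate every hazard and return results keyed by hazard name."""
    return {name: evaluate_hazard(sev, c2, cs) for name, sev, c2, cs in hazards}

if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```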
A.4.3.4 Elements of an effective system safety
effort. Elements of an effective system safety effort
a. Management is always aware of the mishap risks
associated with the system, and formally documents this awareness. Hazards
associated with the system are identified, assessed, tracked, monitored,
and the associated risks are either eliminated or controlled to an
acceptable level throughout the life cycle. Identify and archive those
actions taken to eliminate or reduce mishap risk for tracking and lessons
b. Historical hazard and mishap data, including lessons
learned from other systems, are considered and used.
c. Environmental protection, safety, and occupational
health, consistent with mission requirements, are designed into the system
in a timely, cost-effective manner. Inclusion of the appropriate safety
features is accomplished during the applicable phases of the system life
d. Mishap risk resulting from harmful environmental
conditions (e.g., temperature, pressure, noise, toxicity, acceleration,
and vibration) and human error in system operation and support is
e. System users are kept abreast of the safety of the
system and included in the safety decision