military standard system safety program foreveryspec.com/mil-std/mil-std-1500-1599/download...3.12...

r fApproved for Public Release;Distribution [Jnlimited

4 b

,’.

MIL-STD-1574A (USAF]15 August 1979$upersedlngMIL-STD-1574 (USAF)15 March 1977

MILITARY STANDARD

SYSTEM SAFETY PROGRAM FOR

SPACE AND MISSILE SYSTEMS-—

FSC 1810

AMSC 32000

Downloaded from http://www.everyspec.com

MIL-STD-1574A (USAF)

DEPARThiENT OF THE AIR FORCEWashington, D.c. 20360

—

System Safety Program for Space and Missile Systems

MIL-STD-1574A (USAF) .

1. This Military Standard is approved for use by theDepartment of the Air Force, and is available for use by all .Departments and Agencies of the Department of Defense.

2. Beneficial comments (recommendations, additions,deletions) and any pertinent data which may be of use inimproving this document should be addressed to: SAMSO/AQM,P.O. BOX 92960, Worldway Postal Center, LOS Angeles, CA.90009, by using the self-addressed Standardization DocumentImprovement Proposal (DD Form 1426) appearing at the end ofthis document or by letter.

ii


FOREWORD

MIL-STD-1574A [USAF)

1. Accident prevention is of major concern throughoutthe life cycle of a system. Planning and implementation ofan effective system safety program, commensurate with therequirements of each phase of the acquisition process, is ofprime importance in minimizing risk of accidents and theirassociated cost impacts during the systems test andoperational phases. System safety responsibilities shall bean inherent part of every program and the implementation ofthe complete system safety program requires extensiveparticipation and support by many disciplines and functionalareas.

2. This document defines the management and technicalrequirements of a system safety program beginning during theconceptual phase of a development program and continuingthroughout a system’s life cycle. The requirements arepresented in a manner which facilitates tailoring to specificprogram needs. It is the intent of this document that suchtailoring, implemented through contract negotiation, beinterpreted as meeting the requirements of this standard.

3. MIL-STD-1574A is a tailored application ofMIL-STD-882A for space, missile, and related systems,

iii


MIL-STD-1S74A (USAF)

CONTENTS

Paragraphs Page

1.1.11.21.31.4

2.

3.3.13.23.33.43.53.63.73.83.93.103.115.125.133.143.15

4.4.14.1.14.1.24.1.34.24.34.3.14.3.24.44.5

4.64.74.84.94.9.1

.

s~opE ------------------- ---------------------

Purpose -------------- ----------------------Appl ication ---------- --------------------- -Tailoring ------------ ----------------------Compliance ----------- --------------------- -

REFERENCED DOCUMENTS (Not Applicable]

DEFINITIONS ------------ ---------------------Acci dent ------------- ---------------------Accident risk ------------------ -----------Accident risk factor --------------- -------Credible condit ion----------- -------------Critical funct ion------------ -------------Damage --------------- ---------------------Deviation ---------- -----------------------Hazard ---------------- --------------------}fajor injury ------------ ------------------

program safety requjrcments --------- ------Q~~alified safety engineer ---------------- -Safety concerns ------------ ---------------Safety cri t ical -------------- -------------Support equipment ------------- ------------System 10ss ---------------- ---------------

GENERAL REQUIREMENTS ----------- -----------Safety program management ----------- ------

Management system --------------- --------System safety program p~ an---------- ----System safety Organizat ion--------- -----

System safety program mi lestones ----------Integration funct ion------------- ---------

Integrating agency/contractor--- --------Associate contractors ---------- ---------

Subcontractors ------- ---------------------System s:ifet~ gruup dnd s~~ety rc~ie~..

team support ------------- ---------------Industria] safety ---------------- ---------Operational site safety --------------- ----Facilities --------------------- ----------Range safety --------------- ---------------

Missile flight ana]ys~s-------------- ---

1111

2

.

.

44446999

1111

iv


MI L- STD- 1574A (I ISAF)

(’CONTENTS (Continued)

Paragraphs

4 .9.24.104.114.124 .12.14 .12.24.134 .13.14.144.15

4.16

5.5.15 .1.15 .1.1.15 .1.1.25 .1.25( 354.-.5.25 .2.15 .2.2

... 5*~*35.~.45.~.55 .2.65 .2.75 .2.85 .2.9S.2.1O5.2.115.2.12

5.2.155.2.145 .2.14.15.2. 14.25.35.45.4.15.4.2

Missile systems safety --------------- ---Test safety ---------------- ---------------Support equipment ------------- ------------

Nuclear weapon safety ---------------- -----Critical function control ---------------Special nuclear safety analyses ---------

Radiological safety ---------------- -------Radioactive sources -------------- -------

Trade studies -------------- ---------------Government furnished equipment and

property --------------- -----------------Government furnished data -----------------

DETAILED REQUIREMENTS ------------ -----------. System safety criteria ------------- -------

Hazard level categor ies---------- -------Unacceptable conditions ----------- ----Acceptable condit ions ----------- ------

System safety precedence ----------- -----Design criteria ------------- ------------Deviations ----------- -------------------

System safety analyses ------------- -------Preliminary hazards analysis ------------

System safety checkli st--------- ---- ------System hazard analysis ------------- -------Interface hazard analysis’ ------------ ----Integrated system hazard analysis ---------Software safety analysi s------------- -----Integrated software safety analysis -------Operating hazard analysis ------------- ----Integrated operating hazard analysis ------Test/operating/maintenance procedures -----Related analysis ------------- -------------Implementation and effectiveness

verifi cation ------ ----------------------Accident risk assessment ------------ ----Analysis documentati on-------- ----------

Hazard report --------------- ----------Accident risk assessment report -------

Certification --------- ------------------Safety data ------------------ -----------

Deliverable data ------------------ ----Non-deliverable data ------------------

Page

131313141415161616

1717

171718181!320222223232s2s2626262727282828

-?92930303051313131


CONTENTS (Continued)

Paragraphs

5 .4.3 Data acquisitions and dissemination---5.4.4 Data files ----------------- -----------5.5 Training -------------- ------------------5.6 Audit program and program reviews -------5.6.1 Subcontractor audits ---------------- --5.6.2 Program reviews -------------- ---------

6. NOTES ------------------ ---------------------

APPENDIX BIBLIOGRAPHY ------------ --------------------

313232323333

33

35

.

.

vi



1. SCOPE

1.1 Pur ose.+

A system safety program, as specifiedherein, esta lls es administrative and technical means bywhich accident prevention requirements and policies are plan-ned, managed and implemented into the total program effort.The activities of the system safety program include: plan-ning, management, design, analysis, research, operationalfunctions, auditing and training. The purpose of the programis to identify significant accident risk and define methodsto cope effectively with that risk within program cost,schedule, performance, and technical acceptability para-meters. This standard defines the requirements for imple-mentation of system safety programs covering the life cycleof the system. It includes the safety requirements for thefollo~;ing activities/periods : design, development, test,Clteckout, modification, production, servicing, refurbishing,maintenance, transportation, handling, training, disposal,deployment, and normal and contingency operations. Thisstandard also defines the management and technical tasks andcontrols required to minimize accident risks caused by humanerror, environment, deficiency/inadequacy of design, andcomponent malfunction or interactions. Risks of concern arethose which could result in major injury or fatality topersonnel including flight or ground crews, or damage to thesystem including support equipment and facilities.

1.2 A lication.~-

This standard is applicable to allsystems involv~ng t~e development and use of experiments,flight vehicles, weapon systems, ground equipment andfacilities. A system typically includes the airborne andCround support equipment required to interface and operatewith the flight hardware; the personnel and ground supportequjpment required to service, test, checkout, maintain,refurbish, transport and handle the flight hardware; theground and flight software required to checkout and controlthe flight hardware; and the personnel required to service,test, maintain, and operate tl~e system.

1.3 Tailoring. The Purchasing Office will evaluate andtailor each—~equirement of this standard to realize themaximum compliance commensurate with the program phase beingconsidered. The requirements are presented in a manner whichfacilitates tailoring to specific program needs. Tailoringmay take the form of addition, alteration or deletion oftasks. In all cases, however, the inc]usion of requirements

1


M114-STD-J 574A (USAF)

of paragraph 3.11, Qua] if ied System Safety Engineer; 4.J ~Safety Program Management and 5.4, Safety Data, is mandatory.

1.4 Compliance. Compilance with all contractuallyimposed requirements of this standard is mandatory. Failure

to include any contractually imposed requirement in the con-tractor prepared plan does not mean or imply that the .requirement is not applicable unless specific-approval. 1Sgranted by the Contracting Officer. A devlatlon ~cquest mustbe submitted by the contractor in acco~dance \:ith paragraphS.1.4 and approved by the contracting officer.

2. REFERENCED DOCUMENTS: Not Applicable

.3. DEFINITIONS

3.1 Accident. An unplanned event or series of eventsthat resul~~ath or major injury to personnel or damageto the launch vehicle, experiments, spacecraft, associated

support equipment or facilities.

3.2 Accident risk. Measure of vulnerability to loss,damage or injury caused by a dangerous element, or factor-

5.3 Accident risk factor. A dangerous element of a

system, event> process or activity including casual factorssuch as design or programming deficiency, component mal-function, human errc~ or cn’:ircnment which can prcFsgate ahazard into an accident if adequate controls are not effec-t~vely applied.

3.4 Credible condition. A condition that can occur andis reasona~y l:kely to occur.

3.5 Critical function. As applied to nllclear svstems,those functions which apply directly to, or control , orreverse the enable, prearm, arm, unlock, release, ortargeting functions.


. .

MI L-Sl’D-1574A [USAF)

3.6 ~amage. Breakage, mangling, mutilation or ruin ofitems transmitted across system or component interfaces byinadvertent internal or external action including componentfailure and human error which could cause obstruction ofcritical functions or require repair or replacement.

3.7 Deviation. An alternate method of compliance withthe intent of specific requirements.

3.8 Hazard. An existing or potential condition thatcan result~n accident.

3.9 Major injury. Any injury which results in admis-sion to a hospital Such as bone fracture~ second or thirddegree burns, severe lacerations, internal injury, severeradiation exposure~ chemical or physical agent toxic expo-sure, or unconsciousness.

3.10 P~ogram safety requirements. Program safety re-quirements include the contractually imposed design andoperational requirements listed in compliance documents, orsystem specifications. Program safety requirements definesystem constraints and capabilities, establish acceptable andunacceptable risk conditions, or identify specific design andoperational criteria and approaches.

3.11 Qualified System Safety engineer. A technicallycompetent individual who is educated at least to the bachelor

.. of science level in engineering or related applied scienceand is registered as a professional engineer in one Of thestates or territories of the United States or has equivalentexperience approved by the Purchasing Office. Thisindividual shall have been assigned as a system safetyengineer on a full-time basis for..a mi~imum of four years inat least three of the six functional areas listed below:

a.

b.

c.

d.

e.

f.

System Safety Management

System Safety Analysis

System Safety Design

System Safety Research

System Safety Operations

Accident Investigation


MIL-STl)-1574A (USAF)

3.12 Safety concerns. Those identified safety critical _aspects or risk factors which cannot be satisfactorilyresolved or closed out by the contractor and must be elevatedto the purchasing office for resolution.

3.13 Safety critical. Any condition, event, operation,process, equipment, or system, with a potential for majorinjury or damage. *

3.14 Support equipment. Support equipment is allsystem equipment required to support the ground and flightphases of the mission. Support equipment includes aerospaceground equipment (AGE), maintenance ground equipment (MGE),transportation and handling (T6H) equipment, and equipmentused to support system deployment (i.e. , assembly tools andfixtures, test and checkout equipment, personnel support andprotection equipment).

3.1S System 10ss. Damage to an extent that rendersrepair impractical. Requires salvage or system replacement. “

4. GENERAL REQUIREMENTS

4.1 Safety program management.

4.1.1 Management system. The contractor shall estab-lish a safety management system to implement provisions ofthis standard commensurate with the program contractual re-quirements. The contractor program manager shall be respons-ible for the establishment, control, incorporation, directionand implementation of the system safety program policies andshall assure that the accident risk is identified andcontrolled or eliminated within established program accidentrisk acceptability parameters.

4.1.2 System Safety Program Plan. The contractor shallprepare a System Safety Program pla~’ased on the require-ments of this standard which are identified in the contractStatement of Work (Ref. Data Item Description DI-li-7047).The plans shall be implemented upon approval by theContracting Officer (PCO) and describe the system safetyactivities required during the life of the contractedprogram. The plan shall be updated at the end of eachprogram phase to describe tasks and responsibilities requiredfor the subsequent phase. The approved plan shall, on an

4


..


itreantaSt

em -quiy ciloand

by-item basis, accorements, tas!<s, andonflict between tl]e‘red application ofard shall apply.

unt for all contractuallyresponsibilities . In thecontractors approved plan

this standard the requirem

rcqueveand

ents

i redr.t of

theof the

The plan shall include:

a. Details of the system safety organization and fullparticulars of the System Safety Manager to ProgramManager relationship and accountability {pcra.4.1.3), including the following:

m The organization(s) directly responsible foreach subtask accomplishment. Co~any poli-cies, procedures and/or controls governingconduct of each subtask.

. (2) A composite listing of applicable Companypolicies, procedures and controls, by tit~e,number , and release date. Th;s section of t!~econtractor’s working system safety programplan(s) shall be maintained current and sub-ject to procuring activity review. T\~e p]ailneed not be resubmitted to the procuring activ-ity for minor changes and changes in releasedate(s).

(3) A chart showing the contractor’s programorganization and identifying the organiza-tional element assigned responsibility andauthority for implementing the system safetyprogram. The plan shall further identify tliesystem safety organization through a?l manage-ment and supervisory levels.

(4) The interfaces between the system safetyorganization and other organizations, (in-cluding cross-references to applicablesections of other program plans). Describethe purpose of each interface, such as hhatdata or information is transferred at tbcseinterfaces.

b. Details of how resolution and action relative tosystem safety will be affected at the programmanagement level possessing resolution authority.

5



c.

L1.

e.

f.

.

g“

bA .

Details of tl]e method by which prob?ems encounteredin the implementation of the System Safety Programand requirements are brought to the attention of the _Program Manager.

Description of procedures to be used to assure com-pletion of action regarding identified unacceptablerisks (paragraph 5.1.1.1.).

Description of met}~ods to be used in implementationof each task identified by the tailored applicationof this standard, including a breakout of taskimplementation responsibilities by organizationalcomponent discipline, functional area or any plannedsub-contractor activity (paragraph 4.1.3).

Description of internal controls for the proper andtimeiy iilentification and implementation of safetyrequirements affecting system design, operationalresources and personnel.

A schedule of the system safety activities and amilestone chart (paragraph 4.2) shcwing relation-ships of the system safety activities with otherprogram tasks and events.

Level of effort required for successful completionof contractually required tasks.

4.1.3 System safety organization. The contractor shallestablish a system safety organization which has centralizedaccident risk management authority delegated from the con-tractor program manager, to maintain a continuous overview ofthe technical and planning aspects of the total program. Thesystem safety organization shall be headed by an experiencedsystem safety manager \(ho sha]l be directly accountable tothe program manager for the conduct and effectiveness of allcontracted safety effort for tl~e entire program. The systemsafety manager shall meet the requirements established in5.il. The system safety manager shall be responsible for theprimary control, direction, supervision, and management oft!~e technical safety aspects of the program. He shall under-take himself, or direct accomplishment by personnel directlyunder his supervision, the technical tasks of the systemsafety program and provide guidance, assistance and surveil-]ancc for t]~e successful accomplis]lment of safety tasks to beundertaken by others not unde~ his direct supervision. Per-sonnel assigned to accomplish the technical safety tasks

6


MIL-STD-1574A (uSAFJ

shall have the necessary engineering qualifications and abasic understanding of the system safety processes, but donot have to meet the requirements established in 3.11. Thesystem s3fety manager shall be responsible for the effectiveimplementation of the following tasks for the program:

a.

b.

c.

d.

e.

f.

g“

h.

i.

Provide a single point of contact for the purchasingoffice, all contractor internal program elements,and other program associate or sub-contractors forsafety related matterso

Review, and provide input to all plans and contract-ual documents re?.ated to safety.

Flainta:n a log, for purchasing office review, of allprcgram documentation reviewed and record all con-currences, rlonconcurrencess reasons for nonconcur-rence, and actions taken to resolve any nonconcur-

-rence (see 5.4.4).

Maintain approva? authority over safety criticalprogram documentation, end all items related tosafety contained in the contract data requirementslist (CDRL).

Coordinate safety related matters with contractorprogram management and all program elements anddisciplir.es.

Provide internal approval and technical coordinationon deviations to the contractually imposed systemsafety requirements as defined in 5.1.4.

Conduct or arrange for internal audits of safetyprogram activities as defined in 5.6. Supportpurchasing office safety audits and inspections asrequired.

Coordinate system safety, industrial safety> andproduct safety activities on the

7rogram to ensure

total coverage (see paragraph 4.6 .

Establish internal reporting systems and proceduresfor investigation and disposition of accidents andsafety incidents, including potentially hazardousconditions not yet involved in an accident/ inci-dent . Report such matters to the purchasing officeas required by the contract.

7

— —.—.


NIIL-STD-1574A (USAF)

j. Provide participation in all requirements reviews.

k.

1.

m.

n.

o.

preliminary design reviews, critical design revie;sand scheduled safety reviews to assure that:

(1) All contractually imposed system safetyrequirements including those imposed by thisstandard are complied with.

(2) Safety program schedule and CDRL data deliver-ies are compatible.

(3) Hazard analysis methods and formats from allsafety program participants permit integrationin a cost effective manner.

(4) Technical data are provided to support thepreparation of the accident risk assessmentreport.

.

participate in all test, flight or operationalreadiness reviews and arrange for presentation ofrequired safety data.

Provide for technical support to program engineeringactivities on a daily basis. Such technical supportwill include consultation on safety related prcb-lems , research on new product development andresearch/interpretat ion of safety requirements,specifications and standards.

Provide participation in configuration control boardactivities as necessary to enable review and concur-rence with safety significant system configurationand changes thereto. .

Review all trade studies and identify those thatinvolve or effect safety. Provide participation inall safety related trade studies to assure thatSystem Safety trade criteria is developed and thefinal decision is made with proper consideration ofaccident risk (see paragraph 4.14).

Provide participation in program level statusmeetings where safety should be a topic of discus-sion. Provide the program manager the status of thethe system safety program and open action items.

allu ul.uL-czaac


MI L- SrrD- 1574A (uSAF)

P“ Provide for safety certification (para 5.4.1) ofsafety-critical program documentation and al? safetydata items contained in the contract data require-ments list (CURL).

4.2 System safety program milestones. The contractorshall prepare a milestone chart for the system safety effortspecified by the purchasing office which identifies repre-sentative tasks, applicable program milestones, inputrequired and program element responsibility for each, theoutput to be provided, and the schedule related to programmilestones (Para. 4.1.2g). Both program and safetymilestones shall be controlled by the program master schedule(pMS) and internal operations directives. Program milestonesshall be the major checkpoints at which data verifying systemsafety will be presented. The audit program (see paragraph5.6) shall be used to ensure major safety milestones andcheckpoiiits are met and proper data provided.

4.5 Inte~ration function.

4.3.1 Integrating agency/contractor . The integratorfor the safety functions of all associate contractors will bedesignated by- the purchasing office. The purchasing officeitself, another Government agency, or a contractor may be sodesignated. The system safety integrator designated to per-

. form this function shall:

a. Prepare an integrated system safety plan whjchestablishes the authority of the integrator anddefines the effort required from each associatecontractor for integration of system safety require-ments for the total system. Associate contractorsystem safety plans shall be incorporated as annexesto the integrated system safety plan. In addition tothe other contractually imposed requirements fromthis standard, the plan shall address and identify:

m Analyses to be conducted by eat? associatecontractor and format to be utilized.

(2) Data each associate contractor is required tosubmit to the integrator and its sclledu]edde] ivery keyed to program milestones.

9

. --- . - . . . ———e- ——: — - —.L - -: - > - -



(3) Schedule and other information consideredpertinent by the integrator.

(4) The method for the development of system levelrequirements to be allocated to each of theassociate contractors as a part of the systemspecification, end-item specifications, and/orother interface requirement documentation.

b. Initiate action through the contract manager toensure that each associate contractor is contract-ually required to be responsive to the system safetyprogram. Recommend contractual modifications wherethe need exists.

c. Conduct safety analyses of the integrated system,operations, and interfaces between assembled enditems. Analyses provided by associate contractors

d.

e.

f.

h.

- (see 4.3.2) Shall-be used in the conduct of thiseffort.

Provide an assessment of the accident risk presentedby the operation of the integrated system forapproval by the purchasing office.

Provide assistance and guidance to associatecontractors in the implementation of interfacesafety requirements.

Resolve differences between associate contractors inareas related to safety, especially during tradeoffstudies. Where problems cannot be resolved by theintegrator, a statement of the problem and the re-commended solution will be provided to thepurchasing office for resolution and action.

Ensure that information required by an associatecontractor from other associate contractors toaccomplish safety analyses is provided in a mutua10’agreed-to format for compatibility with the integ-rating process.

Develop a system for normal interchange and feedbackof information related to safety between the pur-chasing office, integrating contractor, and assoc-iate contractors.

10

.

.


bllL-sTD-1574A (USAF)

i. Schedule and conduct technical meetings between allassociate contractors to discuss, review, and integ-rate the safety effort.

j. Notify in writing any associate contractor of theirfailure to meet contract program or technical systemsafety reqllirements for which they are responsible.The integrator for the safety effort will send acopy of the notification letter to the purchasingoffice whenever such written notification has beengiven.

k. Participate as an active member of the PurchasingOffice System Safety Group (SSG) and shall presentthe integrated program safety status, results ofdesign, operations or safety reviews; summarizehazard analysis results, identify all problems andstatus of resolution; and accept and respond toaction items assigned by the chairman of the SSG.

4.3.2 Associate contractors. Associate contractorsshall provide sufficient level ot effort commensurate withcontractual responsibilities for conducting analyses ofeffects on end items, or inputs, normal or abnormal, fromother subsystems until such time as the integrator determinesthat such support is no longer necessary and such action isapproved by the purchasing office. The system safety managerfor each associate contractor shall control his own subcon-tractor system safety activities as defined in 4.4.

4.4 Subcontractors. Major subcontractors shall berequired to mainta~n suitable documentation of safety analy-ses they have performed in formats which will permit incor-poration of their data into the overall analysis program.Major subcontractors shall be required to develop systemsafety program plans that shall be included as annexes to theprime contractor’s system safety program plan. Lesser sub-contractors and vendors shall be required to provide infor-mation on component and subassembly characteristics includingfailure modes, failure rates, and possible hazards, whichwill permit prime contractor personnel to evaluate the itemsfor their impact on safety of the system. Applicable pro-visions of this standard shall be included in all contractswith major subcontractors.

.d . .



4.5 ~stcm safety~roup (SSG), and Safety Review Team(SRT) suppor~——-— “-– ‘--

4.5.1 The contractor shall provide support to the SSGas required by the SSG charter

4.5.2 The contractor shall provide assistance to thesafety review team to the extent necessary to support thesystem safety certification process.

4.6 Industrial safety. The contractor shall conductthe System Safety Program so that it supplements existingindustrial safety and toxicology activities. This coordin-ated effort shall assure that Government equipment or proper-ties being used or developed under contract are protectedfrom damage or accident risk. When contractor owned orleased equipment is being used in manufacturing, testing orhandling of products developed or produced under contract,analysis and operational proof checks shall be performed toshow that risk of damage to those products has been minimizedthrough proper design, maintenance, and operation by quall-fied personnel using approved procedures. This standard doesnot cover those functions the contractor is required by lawto perform under Federal or State Occupational Safety andHealth, Department of Transportation or Environmental Pro-tection Agency regulations.

4.7 Operational site safety. The contractor systemsafety program shall encompass operational site activities.These activities shall include all operations listed in theoperational time lines, including system installation, cl~eck-Out , modification, and operation. Particular attention shallbe given to operations and interfaces with ground supportequipment and to the needs of the operators relating to per-sonnel subsystems such as: panel layouts, individual opera-tor tasks, fatigue prevention, biomedical considerations, etc.

4.8 Facilities. The contractor shall include facil-ities in the system safety analyses activity (see S.2).Facility safety design criteria shall be incorporated in thefacility specifications. Consideration shall be given to thetest operational and maintenance aspects of the program.Identified requirements will include consideration of thecompatibility with standards equal to or better than thosespecified by Federal and Air Force Occupational Safety andHealth Regulations. The test and operations safety pro-cedures shall encompass all development, qualification,

12


MI1.-sISD-1574A [uSAF)

acceptance tests and operations. The procedures will includeinputs from the safety analyses and identify test andoperations facility and support requirements. The proceduresshall be upgraded and refined as required to correct defi-ciencies identified by the system safety analyses to incor-porate additional safety requirements.

4.9 Range safety. Compliance with the design andoperational criteria contained in the applicable range safetymanuals regulations and standards shall be considered in thesystem safety analysis of 5.2 and the system safety criteriaof 5.1.

4.9.1 Missile flight analysis. Flight analysis andflight termination system requirements are applicable to thesystem during all flight phases until payload impact ororbital insertion. The Accident Risk Assessment Report shallinclude all aspects of flight safety systems. (see 5.2.14.2)

4.9.~ Missile systems safety. Verification of systemdesign and operational planning compliance with range oroperating site safety requirements shall be documented in theAccident Risk Assessment Report. (see 5.2.14.2)

4.10 Test safety. The contractor shall establishinternal procedures for identification and timely action onelimination or control of potential hazardous test conditionsinduced by design deficiencies, unsafe acts or procedural].errors. Procedures shall be established to identify, review—and supervise potentially hazardous, high risk testsincluciing those tests performed specifically to obtain safetydata. The contractor system safety organization shall:

a. Review and approve of test plans, procedures andsafety surveillance procedures and changes to verifyincorporation of safety requirements identified bythe system analyses of 5.2 (See 5.2.10).

b. Assure that an assessment of accident risk isincluded in all pre-test readiness reviews.

4.?1 Su uort equi ment.-+- -%=

Safety requirements for supportequipment s al~~entl led in the system safety analyses(see 5.2). Support equipment safety design criteria shall beincorporated in the segment specifications. Safety require-ments for ground handling shall be developed and included inthe transportation and handling plans and procedures. Safetyrequirements [or operations and servicing shall be included

13


NIIL-STD- 1574A (USAF)

in the operational procedures. The procedures shall be up-graded and refined as required to correct deficiencies thatcould damage equipment or injure personnel. Specialattention shall be given to the planning, design and refur-bishment of reusable suppcrt equipment including equipmentcarried on flight vehicles to assure that safety is notdegraded by continued usage. Identified requirements forsupport equipment used at the operational site but not car-ried on flight vehicles shall include consideration to thecompatibility with standards equal to or better than thosespecified by Federal and Air Force Occupational Safety andHealth Regulations.

4.12 Nuclear weapon safety. The Department of Defensehas established four safety standards that are the basis fornuclear weapon system design and the safety rules governingnuclear weapon system operation. These standards requirethat, as a minimum, the system design shall incorporatepositive measure to:

a. Prevent any nu~lear weapon involved in an accidentor incident, or a jettisoned weapon, from producinga nuclear yield.

b. Prevent deliberate prcarming, arming, launching,firing, or releasing of any nuclear weapon, exceptupon execution of emergency war orders or whendirected by competent authority.

c. Prevent inadvertent prearming, arming, launching,firing, or releasing of any nuclear weapon.

d. Ensure the adequate security of each nuclear weapon.

The contractor system safety effort on a nuclear weaponsystem program shall directly support the objectives includedin these standards.

4.12.1 Critical function control. The contractor shallp~”ovide assurance that the four nuc~r safet~c standards of4.12 are met by designing each nuclear weapon s)?stem tocontrol critical functions in the sequence ~eadjng todetonation of the weapon. As a minimum, the functions ljstcdhe! ct.’ arc designated as critical and requi~e specific safety~.~t;~~~~ Cr rAc2rAz :Gr their control .

;4

-


MIL-STD-157’4A (USAF)

b. Intent Command signaling (weapon prearm function).

c. Arm/Unlock and Ignition/Release Commands (Launch orrelease function).

d. Launch/Release Environmental Sensing (Final Armingfunction).

4.12.2 Special nuclear safety analyses. The normalhazard analyses and Accident Risk Assessment specified inpara 5.2 of this standard apply to nuclear weapon systems-However, because of the dire political and military consequ-ences of an unauthorized or accidental nuclear or high explo-sive detonation, additional analyses are specified to demon-strate positive control of nuclear weapons in all probableenvironments . The following analyses, in whole or in Part>shall be Performed by the contractor on nuclear weapons pro-grams as ~pecified by the purchasing office:

a.

b.

c.

d.

.

A quantitative analysis to assure that the probabil-ity of Inadvertent Nuclear Detonation (IND), Inad-vertent Programmed Launch (IPL), Accidental MotorIgnition (AMI), Inadvertent Enabling or InadvertentPrearm (IPA) meets the numerical requirements speci-fied in applicable nuclear safety criteriadocuments.

An Unauthorized Launch (UL) analysis to define thetime, tools and equipment required to accomplishcertain actions leading to unauthorized launch. Theresults of this analysis are used by the nuclearsafety evaluation agency in determining which com-ponents require additional protection, either bYdesign or procedural means.

A Nuclear Safety Crosscheck Analysis (NSCCA) ofsoftware and certain firmware which directly orindirectly controls or could be modified to controlcritical weapon functions. This analysis, by anindependent contracting agency, must determine thatthe final version of software or firmware is freefrom programming which could contribute to unauthor-ized, accidental or inadvertent activation of criti-cal system function.

A Safety Engineering Analysis [SEA) of all tasks inmodification or test programs at operational sites.This analysis is specifically oriented towards

15

. - .● � ✍ � ✍ ✍ 2 —L ---- ..:--


MI1. -STII- 1574A (USAF)

identifying hazards to personnel and equipment inthe work area and is in addition to the analysis ofthe safety impact of the change to the weaponsystem.”

4.13 Radiological safety.

4.13.1 Radioactive sources. The contractor shall con-duct safety analyses for all applications of radioactivesources, nuclear power systems, and other systems havingsources of ionizing radiation. This analysis shall includecomplete assessment of the accident risk in the followingareas:

a

.

a. Normal mission analysis:

(1) Transportation, handling, calibration, testingand processing during pre-launch operations atthe launch site including use of nonflightsources.

(2)

(3)

Flight safety (launch,ballistic reentry, and

Recovery operations atsite.

flight to orbit orrandom reentry).

mission termination

b. Contingency analysis:

(1) Operational site accident (fire, explosion,impact, rupture, dispersal, and releasequantity).

(2) Flight accident.

(3J Abnormal re-entry, recovery, or

Abort conditions.

disposition.

(5) Accident mode and characteristics.

(6) Accident probability, normal missicn,worst case accident consequences.

a?lz

(71 Chemical toxicity and external radiation.

(8) Conclusions.

4.14 Trade studies. System safety engineeringpersonnel shall participate in all trade studies that have

16



been identified as being safety related (see 4.1.3 n).System Safety engineering shall ensure that safety impactitems and accident risk assessments are significantlyhighlighted and given appropriate weight as decisiondrivers. Documentation shall show that the accident risk forthe recommended solution is equal to or less than the otheralternatives being traded or provide sufficient justificationfor recommending another alternative. Results of tradestudies shall be reviewed to ensure that recommendations formanagement level decisions include the optimum safetyprovisions developed for each option.

4.15 Government furnished equipment and property.Where safety analysis or risk assessments are not providedwith Government furnished equipment and property? thecontractor shall identify this deficiency to the purchasingoffice as a safety concern. Upon purchasing office directionthe contractor shall perform a system safety analysis inaccordance with paragraph 5. An accident risk assessment,shall be provided in accordance with paragraph 5.2.14.2.Recommendations for action and resolution of identifiedproblems shall be included in an Accident Risk AssessmentReport and submitted to the procuring contracting office.

4.16 Government furnished data. Where adequate datarequired to complete contracted safety tasks is not provided,the contractor shall identify this deficiency to thepurchasing office as a safety concern. Upon purchasingoffice direction the contractor shall initiate efforts todevelop or obtain the required data.

5. DETAILED REQUIREMENTS

5.1 System safety criteria. Effective accident controlinvolves many aspects of system engineering including con-~iderations of severity and cost versus impact potential ,basic design options reaction time and procedural COntrOIS>etc. c

5.1.1 Hazard level categories. The contractor’saccident risk assessment eft orts and related hazards analysesshall reflect relative severity and probability ofoccurrence. These categories shall be be used for trackingrisk reduction. Probability of occurrence and severity maybe expressed qualitatively or quantitatively as dictated byspecific program requirement. Whatever method is used,

17

●


MI L- STD-1574A (USN)

conditions such as those in the following subparagraphs shallbe taken into consideration.

5.1.1.1 Unacceptable conditions. The followingexamples of representative safety critical conditions areconsidered unacceptable. Positive action and implementationverification is required to reduce the risk to an acceptablelevel asoffice.

a.

t?.

negotiated by the contractor and the purchasing

Single component failures, human error, or designfeatures which could cause an accident such as:

m

.

(21

Damage which inhibits launch, staging, primaryor secondary means of separating the payload,deplopnent of solar panels, firing of space-craft or retro-rocket motors, or otherwiseprevents the successful deployment or posi-tioning of the vehicle for orbital operations,retrieval, reentry, or landing operations.

Inadvertent arming or ignition of ordnancedevices; inadvertent actuation or deploymentof solar panels, antennas, staging devicestspring actuated covers, shrouds or any othersafety critical device; inadvertent activationof hazardous electrical power or initiation ofa command sequence which could cause an acci-dent ; overpressurization of a propellant orhigh pressure gas system.

Uncontrolled or unplanned venting, dumping,ejection, or leakage of propellants, corrosivematerials or high pressure gases.

Malfunction, accidental operation of anysingle component, or any human error whichcould result in the prewarming, arming>launching, firing or releasing of a nuclearweapon .

independent component failuresj dual humanerrors, o; a combina~ion of a component failure anda human error involving safety critical command andcontrol functions such as engine firing or stageseparation that could result in system loss.

18


.—

MIL-STD-1574A (.USAF)

c.

d.

e.

Generation of hazardous ionizing radiation or RFenergy when no provisions have been made to protectpersonnel or sensitive subsystems from damage oradverse effects.

Hazard level categories that are specified as unac-ceptable in the contract.

Packaging or handling procedures and characteristicswhich-co~ld cause an-accident for which no cont~olshave been provided to protect personnel or sensitiveequipment .

5.1.1.2 Acceptable conditions. The following approachesare considered acceptable for correcting unacceptable condi-tions such as those referenced in 5.1.1.1 and will require nofurther analysis once controlling actions are implemented.Specific verification of implementation and effectiveness ofcontrolling actions shall be provided (see 5.2.12). Hazardanalysis showing identification, correction, and close-outsshall be included in the accident risk assessment report.

3. A system design which requires two or more humanerrors or which requires two or more independentfailures or a combination of independent failuresand human error to result in an accident that doesnot involve safety critical command and controlfunctions which could cause system loss. Eventhough the unlikely event of multiple failures may

“appear to offer adequate protection, related tests,monitoring and specific flight preparation oper-ations should be specified to assure acceptable risklevels. When redundant components are utilized tomitigate accident risk, provisions shall be made toverify operation of both redundant components priorto entering into irreversible portions of safetycritical functions.

b. System designs that require at least three independ-ent failures, or three human errors, or a combin-ation of th”ree independant failures and human errorsfor safety critical command and control functionssuch as engine firing or stage separation before anyinadvertent operation occurs that could result insystem loss.

19



c. System designs which positively prevent errors inassembly, installation, or connection which couldresult in an accident.

d. System designs which positively prevent damage pro-pagation from one component to another or preventsufficient energy propagation to cause an accident.

e. System design limitations on operation, interaction,or sequencing which preclude occurrence of anaccident.

f. System designs that provide an approved safetyfactor, or fixed design allowance which minimizespossibilities of structural failure or release ofenergy sufficient to cause an accident.

g“ System designs that control energy buildup which. could potentially cause an accident (fuses, relief

h.

i.

j.

valves, electrical explosion proofing, etc~).

System designs in which component failure can betemporarily tolerated because of residual strengthor alternate operating paths so that operations cancontinue with a reduced but acceptable safetymargin. The assumptions made to reach the con-clusion of “temporarily tolerated failure” shall bedocumented.

System designs which positively alert the control-ling personnel to a hazardous situation for whichthe capability for operator reaction has been pro-vided.

System designs which minimize/control the use offlammable materials.

5.1,2 System safetv precedence. Contractor programmanagement acceptance ot credlb .

le risk shall be based uponthe magnitude of risk compared with the impact of compen-sating for it. Risks which are not totally controllable bydesign action because of impact on cost, performance orschedule, shall be dealt with at the highest feasible orderof precedence. Corrective action to be taken shall be in thefollowing order of precedence:

-

a. Design for minimum hazards. The contractor systemsafety organization shall ensure, to the maximum

20


MIL-sTD-1574A (USAF)

—.

b.

c.

d.

e.

extent practical, the inherent safety of the systemthrough the use of appropriate design features andqualified components. These features shall be sub-jected to analyses to provide a thorough review oftheir compatibility with maintenance, test andmission operations, and other task requirements. Inaddition, the design features shall be reviewed tominimize the probability of safety degradationbecause of human error. particular attention shallbe paid to primary system design to assure gradualdegradation of function to permit detection ofimpending hazardous conditions in sufficient time tocomplete automatic or manual control actions.

Safety devices. Risks which cannot be totally con-trolled through design selection, or which arediscovered too late For basic system redesign, shallbe reduced through the use of appropriate safetydevices, such as mechanical internal barriers orinhibiting mechanisms, as part of the system, sub-system or equipment.

Protective systems. In instances where accidentrisk exists and cannot be totally eliminated, thecontractor shall provide for emplopent of appropri-ate protection systems (i.e., fire suppression,radiation shielding, explosion or detonation blastshields, etc.).

Warning devices. Where it is not possible tototally preclude the existence or occurrence of aknown condition with a significant accident risk,reliable devices with proper emergency plans andprocedures shall be employed for timely detection ofthe condition and the generation of an adequatewarning signal. Warning signals shall be standard-ized within like types of systems, to minimize theprobability of improper personnel reaction to thesignals. Personnel shall be properly trainedregarding the purpose of the warning devices andwhat to do when signals are activated.

Special procedures. Where it is not possible toreduce the magnitude of the risk factors throu~hsystem design-or the use of safety or warning “devices, the contractor shall develop appropriateemergency procedures to effectively limit initiationof hazardous sequences. Provisions shall be made to

LJ.



train personnel regarding the use of these proced-ures. Demonstrations shall verify the effectivenessof such procedures. Control of hazardous conditionsby procedure alone shall be carried as a safetyconcern and shall require approval by the SystemSafety Manager, contractor program manager and thepurchasing office for risk acceptance.

5.1.3 Design criteria. The contractor shall establishsafety design criteria derived from all applicable datasources including compliance documents, reference documents,and the preliminary hazard analysis. This criteria shall bethe basis for developing system specification safety require-ments. The contractor shall continue to expand the criteriaand requirements for inclusion in development specificationsduring the subsequent program phases. Safety criteria,requirements and an assessment of compliance, will be pre-sented at appropriate program milestones such as preliminarydesign-review (PDR) and critical design review (CDR) and atscheduled safety reviews. The contractor shall implement aclosed loop system for assuring corrective action initiationand close-out for all safety related open items resultingfrom design and safety reviews.

5.1.4 Deviations. Contractor compliance with all con-tractually imposed technical and policy safety requirementsis mandatory unless the exceptions are approved by thecontracting officer. Requests for deviation will be preparedby the responsible contractor program function and submittedthrough the system safety manager to the purchasing office.The request shall include:

a. Identification of document, paragraph number, andfull statement of the requirement.

b. Statement of the exception being requested.

c. Detailed description of the proposed equivalentrequirement , policy method, or process to be used.

d. When requesting deviation of any contractuallyimposed technical s}’stem safety requirement, com-plete detailed technical justification for theexception, including analysis to show that theaccident risk of the proposed alternate requirement,method, or process is equal to or less than it wouldbe with the specified requirement.

22



e. Statement of impact should the exception be disap-proved.

After approval by the system safety manager, the request willbe processed in accordance with provisions of the contract.Deviations approved by the contracting officer will be main-tained as an appendix to the accident risk assessment report-

5.2 System safety analyses. The contractor shall sub-ject the system to a continuous iterative process of system-atic accident risk identification by qualitative analysis.System safety analyses and their interrelations are discussedin the following subparagraphs. Qualitative analyses shallinclude the techniques of independent systems safety engi-neering analysis, or other related analyses and utilizationof system safety check lists. Each identified accident riskfactor shall be resolved and verified in accordance with

xaragraph 5..2.12 before being considered closed. Any acci-ent risk factor that can not be resolved and verified in

accord~nce with paragraph 5.2.12 or any safety check listnoncompliance item shall be considered as a safety concernand will require program management action. The contractorshall require documentation” of contracting office decisions,if any, to accept risks associated with an identified safetYconcern. Such documentation shall be included in theaccident risk assessment report. While the analyses arelisted as separate tasks, they are to be performed as acontinuous effort commensurate with the program phase.

5.2.1 Preliminary hazards analysis. The contractorshall perform a preliminary hazard analysis to provide aninitial evaluation of safety critical aspects and accidentrisk factors. Listed below are representative safety criti-cal subsystems and operations associated with a typicalflight vehicle:

a. General.

(1) Handling operations: transportation, lifting,or rotation of vehicle elements or majorassemblies; mating/demating of stages,spacecraft or payload with booster stage.

(2) Radioactive components and materials (see 4.12)and 4.13.

23

—---



(3) Cryogenic fluid handling operations, propellanthandling operations, system leak tests.

b. Specific System Considerations.

Propellant loading systems, safe and arm pro-visions, ignition control, propellant condi-tioning such as specified mixing ratios ofpropellants and ambient environmental condi-tions, leak checks, system activation, andsafing. Solid motor assembly and test.

Pressurization system: proof or leak checks,loading and off-loading of pressurants, emer-gency detanking, venting decontamination anddisposal, toxic limits, ecological impacts,propellant tank pressurization control, emer-gency depressurization, post-mission safing,and aborted mission safing.

Attitude control system: leak checks, propel-lant and pressurant loading or offloading,system activation, and safing.

Ordnance: handling, transporting, installingand removing, connecting and disconnecting,checkout, storage and safing for abortedmissions in all phases of pre-mission and postmission activities.

Electrical power: handling, installing, con.

netting and activating batteries, connectingand power-up or power-down of ground or flightvehicle power supplies, and emergency removalof power supplies.

Guidance, navigation, and control: attitudeand guidance control during separation oper-ations.

Communications : Transmission of safety criti-Cz: systems data and reception of commands tocontrol/override safety critical functions andrange destruct command uplink.

Computerized sequences: Control of safetycritical functions by computer issued discretesto sequence the system.

24



(9) Instrumentation: Sensing and measurement ofsafety critical parameters, including those ofcaution and warning displays.

(10) Structural interfaces: Payload attachments andstage or spacecraft separation provisions.

(11) Lasers: all operations involving lasers.

The complete list of safety critical aspects, includingassociated accident risk factors developed as a result of thepreliminary hazards analysis, shall be refined as designs andoperational planning develop and shall provide the basis forall subsequent analysis activities.

5.2.2 System safety checklist. The contractor shallensure that safety requirements have been satisfied by use ofsuitable checklists or other effective means and a closedloop syst~m verification. The requirement source and verifi-cation of implementation by reference to the applicablespecification, drawing, procedure etc., shall be provided foreach checklist item. The close-out action shall be signedoff by the safety manager and the applicable subsystemmanagers. Each noncompliance item shall be documented by ahazard report and satisfactorily resolved before beingclosed. A composite response will be presented at safetyreviews as an assessment of compliance with requirements.

. . 5.2.3 System hazard analysis. The contractor shallperform a subsystem and system level hazard analysis for each “system element being developed to provide a comprehensiveevaluation of the risk being assumed when each system elementis put into operation. This analysis shall identify accidentrisk and establish design criteria and operational con-straints to eliminate or control accident risk. The analysisshall consider all planned and contingency operations in-cluding production, deployment, maintenance, repair, hand-ling, storage, transportation, testing, assembly and check-out, launch base operations, flight operations and disposal.Flight operations include launch or spacecraft separation andpositioning in orbit for operation or reentry, and landing.The analysis shall cover those conditions which have accidentpotential and could result in personnel injury or damage toother system elements (launch vehicle, payload or reentryvehicle, stage vehicle, support equipment, facilities, groundcrew, flight crew, etc.). Conditions which only result inperformance degradation are considered to fall within thejurisdiction of the engineering and reliability functions.

●

25



5.2.4 Interface hazard analysis. The contractor shallanalyze the Interface and InteractIons between each systemelement being developed and all other system elements (launchvehicle, experiments, payload or reentry vehicle, stagevehicle, support equipment, facilities, ground crew, flightcrew, etc.) to identify and control or eliminate all accidentrisk factors that could be transmitted across these inter-faces within the parameters specified by paragraph 5.1 andapplicable interface control documentation.

5.2.5 Integrated system hazard analysis. The con-tractor shall perform an integrated system level hazardanalysis to provide a comprehensive evaluation of the riskbeing assumed when the assembled system is put into oper-ation. This analysis shall identify accident risk, establishdesign criteria and operational constraints to eliminate orcontrol accident risk, and provide the basis for finalaccident- risk assessments. The analysis shall consider thecomplete system in all planned and contingency operationsincluding production, deployment, maintenance, repair, hand-ling, storage, transportation, testing, assembly and check-out , launch base operations, flight operations~ anddisposal. Flight operations include payload or spacecraftseparation and positioning in orbit for operation or bal-listic reentry and include those conditions which haveaccident potential and could result in damage to the launchvehicle, upperstage, experiments, spacecraft, or reentrYvehicle. Conditions which only results in performancedegradation are considered to fall within the jurisdiction ofthe engineering and reliability functions. The contractorshall assure that all interfaces within the system have beenappropriately analyzed, and shall conduct such system levelanalyses as necessary to complete the integrated systemhazard analysis.

5.2.6 Software safety analysis- The contractor shallanalyze the software of a system element to identify andeliminate software errors, faults or deficiencies relating tosafety critical commands and control functions. The analysisshall concentrate on potential errors in program requirementsdefinition, design, logic, coding, input de’~lce~ ma~h~matlcsand maintenance and shall consider overlapping conditions toassure that a non-planned event does not occur because of tworoutines changing a set state. This task shall includereview of computer program development specification~ flows~

26



and forms “B”. The analysis shall cover the human interfaceand the hardware/software interface and evaluate both theeffect of the software on other system elements and theeffect of other system elements on the software. Theanalysis shall assure safety critical functions are adequ-ately protected by inhibits, interlocks or hardwire. Theresults of the software safety task shall be a primary inputto the verification and validation software testing activity.

5.2.7 Integrated software safety analysis. The con-tractor shall perform an Integrated system level softwaresafety analysis to provide a comprehensive evaluation of therisk being assumed when the assembled system is subject tooperation or use. This analysis shall identify and eliminatesoftware errors, faults or deficiencies relating to safetycritical commands and control functions. The analysis shallconcentrate on potential errors in program requirementsdefinition, design, logic, coding, input device, mathematicsand maintenance and shall consider overlapping conditions toassure that a non-planned event does not occur at the inter-faces of system elements because of two routines changing aset state. This task shall include review of computerprogram development specifications, flows, forms “B” andsafety critical functions identified in paragraph 5.2.6 abovefor system elements= The analysis shall cover the humaninterface and the hardware/software interfaces across allsystem elements at the system level and evaluate both theeffect of the software on all system elements and the effectof other system elements on the software. The analysis shallassure safety critical functions are adequately protected byinhibits, interlocks, or hardwire. The results of the soft-ware safety task shall be a primary input to the verificationand validation software testing activity. The contractorshall assure that all interfaces within the system have beenappropriately analyzed and shall conduct a system level soft-ware safety analysis as necessary to complete the integratedsystem analysis.

5.2.8 Operating hazard analysis. The contractor shallperform an operating hazard analysls for each system elementbeing developed to ensure a systematic and complete evalu-ation of the functional aspects of the system. This analysisshall include developing safety sequence charts to identifytasks which require mandatory sequencing and whether or notconcurrent tasks are permissible. The analysis shall bebased on the system safety analysis and the test operationsfunctional flow diagrams, and shall provide the basis for

27

--------- -- --- ~——. > *


MIL- STD- 1574A [USAF)

inputs to detail test operation and maintenance plans andprocedure review. Analysis or test shall verify designaction to limit operation and interaction or sequencing ofsubsystems or components within the system element, as wellas procedural control of accepted risks.

5.2.9 Integrated operating hazard analysis. The con-tractor shall perform an integrated system level operatinghazard analysis to ensure a systematic and complete evalu-ation of the functional aspects of the system. This analysisshall include developing safety sequence charts to identifytasks which require mandatory sequencing and whether or notconcurrent tasks are permissible. The analysis shall bebased on the system safety analysis and the test operationsfunctional flow diagrams, and shall provide the basis forinputs to detail test operation and maintenance plans andprocedure review. Analysis or test shall verify designaction to limit operation and interaction or sequencing ofsystem elements as well as procedural control of acceptedrisks. The contractor shall assure that all interfaces with-in the system have been appropriately analyzed and shallconduct such system level analyses as necessary to completethe integrated operating hazard analysis.

5.2.10 Test/operating/maintenance procedures. Eachtest, operating or maintenance procedure includlng computercontrolled test sequences shall be reviewed by the systemsafety manager or his designated representative. The reviewshall be based on available data including the results of thesystem safety analysis and operating hazard analysis. Test,operating or maintenance procedures that involve or effectsafety shall be designated as safety critical procedures.Each procedure shall be validated prior to the first oper-ation. The system safety manager or his designated repre-sentative shall participate in the validation process. Thesystem safety manager or his designated representative shallapprove and sign each validated safety critical procedurewhen it meets all safety requirements and contains appropr-iate caution and warning notations. Deviations from approvedsafety critical procedures shall require reassessment of theprocedure and approval of the system safety manager or hisdesignated representative. The system safety manager or hisdesignated representative will also review all changes topreviously reviewed procedures to assure the changes do notimpact or effect safety.

5.2.11 Related analyses. The hazard identificationprocess shall not dupllcate other program analyses but shall

28

_—_______ —-——————.—————————. ———



utilize data produced by them. For example, the failure modeand effects analysis can be utilized to provide for identifi-cation of single or multiple failure points presenting acci-dent potential. The analyses format and procedures shallinclude provisions for identification of safety criticalfailure modes. This does not mean, however, that theserelated analysis techniques can be substituted in total forthe system safety analysis process.

5.2.12 Implementation and effectiveness verification.The contractor, as a part of the safety analyses, shalldevelop verification criteria for each identified accidentrisk factor. The verification criteria shall identify themethod or combination of methods that will be used to assurethat the proposed design or procedural solutions have beenimplemented and also assure that these solutions meet theprogram safety requirements. Verification methods includeexamination of specifications and drawing, review of pro-cedures, -independent analysis, inspection, demonstration,test, or combinations of these activities. Tests and demon-strations conducted shall conform to the requirements of4.10. Verification of implementation and effectiveness shallbe completed and documented on the hazard report (see5.2.14.1) before any item will be considered closed. Thesystem safety manager shall approve each item closed-out bysignature on the hazard report.

5.2.13 Accident risk assessment. The contractor shalldevelop and implement a comprehensive accident risk assess-ment procedure commensurate with system safety and otherprogram requirements to evaluate the overall accident riskand associated controls for the system element/s oncontract. The accident risk assessment procedure shall be anintegral part of the overall program risk management acti-vity. The implementation of design and operation controlsshall be balanced against cost, performance and scheduleconstraints . The accident risk assessment shall be a quali-tative evaluation of the interrelationships between theapplicable system elements including associated personnel,support equipment, software, and facilities, Accident riskassessment procedures shall apply to system development,trade-studies, operations planning and system modificationsor changes. The accident risk assessment shall be measuredagainst established accident risk acceptability parametersincluding those specified in para. 5.1. As a part of theaccident risk assessment, the contractor shall review andevaluate the results of all system safety analyses and data,related engineering analyses and data, and applicable

29



test and operations analysis and data and shall conductadditional analysis, as required, to assure that safeoperating limits and constraints have been established andthat all accident risk factors have been identified andeither satisfactorily eliminated or controlled within thespecified accident risk acceptability parameters or design-ated as safety concerns. The accident risk assessment mustclearly specify the additional accident risk involved witheach safety concern. The additional accident risk must beaccepted by the purchasing office before the safety concernis closed.

5.2.14 Analysis documentation. The contractor shalldocument and report the results oi the analysis activities toprovide required viability and tracibility for managementdecision and safety certification.

5.-2.14.1 Hazard report. A hazard report for eachaccident risk factor lncludlng those conditions defined in5.1.1.1 and non-compliance safety checklist items shall beprepared by the contractor system safety organization. Eachhazard report shall include information on how the hazardouscondition can propagate into an accident, the potentialeffects, and whether any established safety requirement hasbeen violated. The hazard report will include recommendedcorrective action to be initiated. Schematic drawings withthe critical paths or pertinent areas identified should beattached as necessary for illustration purposes. The hazardreport shall be used to document the status of actions takenon each identified accident risk factor. The hazard reportwill be jointly resolved between the responsible engineeringactivity and the system safety organization. Close-outaction shall provide traceability and shall be verified (see5.2.12) and approved by the contractor system safety managerand program manager. The ha:ard re~orts shall be incorpor-ated into a hazard 10R and includedin the Accident RiskAssessment Report (se= 5.2.14.2). Hazard report close-outaction will be approved by the purchasing office in thecourse of accident risk assessment report approval as indcated on the contract CDRL.

5.2.14.2 Accident risk assessment report. The con-—— .tractor shall Drepare an accident rls~ assessment report

i-

forthe system elernen~/’s on contract to verify that the systemdesign and operational planning meet program requirements(Data Item Description DI-S-30565A). The report shall bebased on the system safety anaiysis tasks that have beenperformed. The report shall provide a comprehensive

—— - - - —---———- — —— —— - ——— - — — —— a—— -~ * — – —



evaluation of the overall system accident risk, identifyoperating limits and constraints, and constitute the safetybaseline for operational planning and system modifications.

5.3 Certification. The contractor shall prepare acertification of compliance with all established safetyrequirements to support the flight readiness certificationfor each test flight or flight from a test range. Thecertification of compliance and substantiating data shall beincluded in the accident risk assessment report. Prior toreuse of any flight hardware, or subsequent flights with thesame type of system, the entire system shall be verifiedfor: (1) Correction of any safety deficiency encountered onprevious launches as directed by the Procuring ContractingOfficer; (z) Safety impact of any changes; and (3) Detailedinformation on maintenance or refurbishment.

5.4 Safety data

5.4.1 Deliverable data. Deliverable safety data, ascited on the Contract Data Requirement List (CDRL), shall bepresented in the format specified unless a modification hasbeen approved by the contracting officer. Where no format isindicated, the contractor may use any format that presentsthe information in a comprehensible manner. Managementapproval and submittal of all safety data produced incompliance with this standard shall constitute certificationthat accuracy, completeness and validity of safety data hasbeen attested to by a qualified system safety engineer (seeparagraph 3.11) and that the system can be operated safelywithin the parameters specified by the accident risk assess-ment report (see 5.2.14.2.).

5.4.2 Non-deliverable data. Information necessary forcontractor’s conduct ot the system safety effort but notcontractually required to be submitted shall be available foron-site review on request to persons authorized by the pur-chasing office.

5.4.3 Data acquisitions and dissemination. The con-tractor system safety manager shall:

a. Pursue an aggressive program of acquiring and main-taining current safety related information and datapertinent to the contract.

31 .



b. Establish a system of safety information feedback totheir design and safety personnel and to those oftheir associate and subordinate contractors.

c. Maintain liaison with purchasing office data sourcesto obtain: (1) Safety data as a design aid toprevent repetitive design or procedural deficien-cies; (2) Information on operational systems whichare similar to the system under this contract andshould be studied for past safety problems and theirsolutions; and (3) Authority for access of personnelto nonproprietary information on accident andfailure causes and preventive measures in possessionof Government agencies and contractors involved withthose systems.

5.4.4 Data files. The contractor shall maintain safetyrelated data generated on the program in the program safetydata fiIe. A log of all safety-significant documentationshall be maintained showing concurrence or nonconcurrence,reasons for nonconcurrence and corrective action taken toresolve the problem. The log shall be available for reviewby the purchasing office. The system safety organizationshall also organize and maintain frequently used referencedata.

5.5 Trainind“

Safety inputs to training programs shallbe tailore to t e personnel categories involved, andincluded in lesson plans and examinations. Safety trainingwill include such subjects as: Hazard types, recognition,causes , effects, and preventive and control measures;procedures, checklists , and human error; safeguards, safetydevices, and protective equipment; monitoring and warningdevices; and contingency procedures. Safety trainingprograms will be developed and provided for specific typesand levels of personnel: i.eo ~ managers> engineers andtechnicians involved in the design, product assurance, test,operations, production, and field support. Test, operations,and field support personnel will be certified as havingcompleted a training course in safety principles andmethods. Specific certification requirements will beestabiisned by a program certification board that includesthe system safety manager as a member. Contractor safetytraining shall also include Government personnel who will beinvolved in contractor activities.

5.6 Audit program and program reviews. System safetyaudits shall be conducted by the system safety manager and on

32

—

-*.


141L-STD-1574A (USAF)

a periodic basis by a contractor management team independentof the program. The audit shall measure the status of eachsafety task, interrelationship between safety and otherprogram disciplines, identification and implementation ofsafety requirements/criteri a, and documented evidence whichreflects planned vs actual safety accomplishment. Each auditshall evaluate program milestones and safety program mile-stones, incompatibilities that require remedial correctiveaction, and safety outputs to program requirements. Thecontractor shall initiate postive corrective actions wheredeficiencies are revealed by the audits. The system safetymanager shall also support Government system safety audits asmay be directed by the purchasing office. Components, equip-ment , conditions, designs, or procedures which provideunusual safety problems, shall be audited. Audits shallinclude verification or corrective action on problemsrevealed by previous audits.

5.6.-1 Subcontractor audits. Subcontractors shall beaudited by the prime contractor to ensure that: (1) They areproducing items whose design or quality will not degradesafety; (2) Safety analyses are conducted as required; and(3) Problems are being brought to the attention of their ownprogram managers and prime contractor management.

5.6.2 Program reviews. The system safety manager shallparticipate in all scheduled program, safety and designreviews. Presentation of system safety program status and..safety problems having program impact shall be included ineach program review. Presentation of hazard analysis status,identification of unacceptable accident potentials, andhazard reduction status, shall be included in each formalsystem review.

6. NOTES

6.1 Data requirements of this standard shall not bedelivered to the purchasing office unless specified by theContract Data Requirements List (CDRL)*

CUSTODIANAIR FORCE-19

PREPARING ACTIVITYAIR FORCE-19

(PROJECT 181O-FO19.I



(BLANK PAGE)


MIL-STD-1574.4 (USAF)

APPENDIX

BIBLIOGRAPHY

The fundamental documents applicable to the safety programare listed below. They are included for reference purposesonly and reflect the source of the requirements contained inthis standard.

Military s~ecifications

MIL-H-46855 Human Engineering Requirements for Mil-itary Systems, Equipment and Facilities

Military standards

MIL-STD-454

MIL-STD-882

MIL-STD-1385

MIL-STD-1247...

MIL-STD-1472

MIL-STD-1512

MIL-STD-1522

Standard General Requirements for Elec-tronic Equipment (Requirement 1 -Safety)

System Safety Program Requirements

Preclusion of Ordnance Hazards inElectromagnetic Fields, GeneralRequirements for

Marking, Functions and Hazard Designa-tions of Hose, Pipe and Tube Lines forAircraft, Missile and Space Systems

Human Engineering Design Criteria forMilitary Systems, Equipment and Facili-ties

Electroexplosive Subsystems, Electri-cally Initiated, Design Requirementsand Test Methods

Standard General Requirements for SafeDesign and Operation of PressurizedMissile and Space Systems

35

. . --- . . a — . ● –—. - -— - s*-.— 1. .



Other military publications

DOL)I 5000.36 System Safety Engineering and Management

AFR 12z-I The Air Force Nuclear Safety Program

AFR IZ2-Z Nuclear Weapon System Safety Studies,Safety Rules, and Operations Reviews.

~R 122-9 The Nuclear Safety Cross-Check Analysisand Certification Program for WeaponSystems Software

AFR 122-10

AFR 122-15

AFR 122-16

AFETRM 127-1

SAMTECM 127-1

AFR 127-4

AFR 127-8

SAMSOP 127-5

SAMSOR 127-8

AFM-127-1OO

AFM 127-200

AFM 127-201

AFM 161-30

I

Nuclear Weapon System Safety Design andEvaluation Criteria

Nuclear Power System Safety Studies andSurveys

Nuclear Safety Review Procedures forSpace Applications of Minor RadioactiveSources

Range Safety Manual, Volume 1

Range Safety Manual, Volume 1

Investigating and Reporting US AirForce Mishaps

Responsibilities of USAF System SafetyEngineering Programs

SAMSO Standard Satellite System SafetyDesign Criteria

System Safety Engineering

Explosive Safety Manual

Missile and Space Systems Accident/Incident Investigations

Missile Accident Prevention

Chemical Rocket/Propellant Hazards

36

————s——=.—..— . . .._=_=...-—— ——..—.=_______________


Non-Government publications

TOR-0076 (6451-03)-2 Fracture Control Criteria for SpaceShuttle Pressure Vessels andPressurized Systems, AerospaceCorporation Report, dated 5 December1975.

.

37


t=ANDAROIZATl~ DOCWENT IMPROVEMENT PROPOSAL

(b hamctknu - Rpmc SW)

r-1.OOCUMCNT NuMDcn I2 OOCUM8M7 TITL8

t

u

*ME OF SU9MITTINC3 ORGANIZATION

1. -

———$. PROBLEM AREAS

NtJm&f utd wordt~:

b. Ruemmondod Wordhg:

-.

e. Flomon/Rst Iondo for Ruommondotkn:

n VCNOOR

c1 Wcn

5. REMARKS

MAILING AODRESS (3nwt, City, 8h&, Z/? C-/ - Oe~

..

m FORM82 MAR 1426

S. OATR OF $U8Ml=~ON (YYUHDD)

●navtom 8DITION la o#OoLETR.

b

T

●


DEPARTMENT OF THE AIR FORCE

111111v 4

OFFKIAL ●USINES•sNA~TV FOR ●RIVATE USE ~ BUSINESS REPLY MAIL

FIRST CLASS ●ChMIT NO. 7323S WASH~NGTON D C

P&?A6~4

WILL SE PA(D 8Y THE DEPARTMENT OF THE AIR FORCE

SAMSO/AQMP.O. BOX 92960WORLDWAY POSTAL CENTERLOS ANGELES , CA 90009

——


military standard system safety program foreveryspec.com/mil-std/mil-std-1500-1599/download...3.12...

Documents