Update to MIL-STD-882E - System Safety · 2013-04-14 · US Government and Industries desire to...

Page 1

AN UPDATE ON THE REVISION TO MIL-STD-882E
(SYSTEM SAFETY SOCIETY SHARING SESSION – 11 APR 2013)
WONG FANG AIK / FAN YUE SANG

Page 2: Ministerial Emphasis On Safety

• “The SAF needs to carry out realistic training, and this will be done without compromise to safety” (June 2008)

• “The underlying approach is not to wait for accidents or incidents to occur, but to reduce risks and minimise the chances/probability of incidents happening” (March 2007)

• “Each loss of life in training or operations is one too many; We want to achieve ZERO FATALITIES!” (March 2007)

Page 3: Ministerial Statement on NS Training Deaths, Nov 2012

• “The SAF has a robust training safety system in place…but more needs to be done”

• “The respective COIs have uncovered clear breaches of Training Safety Regulations (TSRs) that led to the deaths”

• The number of grenades used had clearly exceeded the limit specified in the TSRs
• There were specific instances of individual negligence. The Combat School of Intelligence had a weak safety culture
• Chief Safety Officer and the Platoon Comd have been relieved of their duties pending decision for a General Court Martial
• Head of Wing (School), School Sergeant Major, Exercise Supervising Officer and Exercise Conducting Officer have been relieved of their duties pending decision for a General Court Martial

• “Any Comd who ignores safety regulation, whether wilfully or negligently, puts his soldiers at risk, is not fit for command.”

Page 4: Scope

• Introduction
• Purpose of Revision
• MIL-STD-882E Contents
• Key Changes
• In Summary

Page 5: Introduction

An Odyssey: MIL-STD-882 Series

• MIL-STD-882 – July 1969
• MIL-STD-882A – June 1977
• MIL-STD-882B – March 1984
• MIL-STD-882B, Notice 1 – July 1987
• MIL-STD-882C – Jan 1993
• MIL-STD-882C, Notice 1 – Jan 1996
• MIL-STD-882D – Feb 2000
• MIL-STD-882E – May 2012

(GEIA-STD-0010 best practices issued in 2008)

Page 7: Purpose of Revision

• US Government and Industries desire to reinstate the Task Descriptions from 882C in 882E, so that these Tasks are available and can be specified in contract documents.

• Aligns the safety standard practice with current DoD policy:

  i. 8 Dec 2008: DoD incorporated the requirement to use the MIL-STD-882 process for Environment, Safety and Occupational Health (ESOH) risk management.

  ii. 7 Jan 2011: DASD(SE) required 882E to be a standard, generic method for the identification, classification, and mitigation of hazards that can be practically applied not only by system safety professionals, but also by other functional disciplines such as fire protection engineers, occupational health engineers, etc.

Page 8: Main Contents in 882E

• Standard arranged into 3 key parts:

• General Requirements: 8 mandatory requirements
  1. Document the System Safety Approach
  2. Identify Hazards
  3. Assess Risk
  4. Identify Risk Mitigation Measures
  5. Reduce Risk
  6. Verify Risk Reduction
  7. Accept Risk
  8. Manage Life-Cycle Risk

• Tasks (100 – 400 series): optional
  - 100-Series tasks – Management
  - 200-Series tasks – Analysis
  - 300-Series tasks – Evaluation
  - 400-Series tasks – Verification

• Appendix A: Guidance for the System Safety Effort
  Appendix B: Software System Safety Engineering and Analysis

Page 9: Key Changes

• Facilitates the use of 882E by multiple functional disciplines as an integral part of Systems Engineering, e.g. environmental engineers, fire protection engineers, occupational health professionals, etc.

• Standardized and mandatory definitions in all contracts (Section 3 of MIL-STD-882E). Changed from 14 to 49 definitions.

• General Requirements (Section 4 of MIL-STD-882E)

• Risk Assessment Matrix updated
  - For severity, dollar value on losses increased to reflect today’s program costs
  - For probability, addition of a new Eliminated category
  - Revised Risk Assessment Matrix – shall be used

Page 10: Key Changes – General Requirements (Section 4)

1. Document the System Safety Approach
2. Identify & document Hazards
3. Assess & document Risk
4. Identify & document Risk Mitigation Measures
5. Reduce Risk to an acceptable level
6. Verify, validate and document Risk Reduction
7. Review hazards and accept residual risk by the appropriate authority & document
8. Track hazards, their closures and residual risk (Manage Life-Cycle Risk)

Page 11: Key Changes – Identify Risk Mitigation Measures

System Safety Design Order of Precedence increased from 4 to 5.

1. Eliminate Hazards Through Design Selection (No Change)
2. Reduce Risk Through Design Alteration: if not able to select an appropriate design, then consider design change or alteration
3. Incorporate Safety Engineered Features or Devices: features that actively interrupt the mishap sequence
   • Emergency cooling system of a nuclear reactor
   • Uninterruptible Power Supply (UPS)
4. Provide Warning Devices (No Change)
5. Incorporate Signage, Procedures, Training, and PPE (previously “Develop Procedures and Training”; marked No Change on the slide)

Page 12: TABLE I. Severity Categories

SEVERITY CATEGORIES (Environment, Safety, and Occupational Health Mishap Result Criteria; the dollar figures in parentheses are the previous thresholds shown on the slide for comparison)

Catastrophic (Severity Level 1): Could result in one or more of the following: death, permanent total disability, irreversible significant environmental impact that violates law or regulation, or loss exceeding $10M. (previously $1M)

Critical (Severity Level 2): Could result in one or more of the following: permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, reversible significant environmental impact causing a violation of law or regulation, or loss exceeding $1M but less than $10M. (previously $200K/$1M)

Marginal (Severity Level 3): Could result in one or more of the following: injury or occupational illness resulting in 1 or more lost work days, reversible moderate environmental impact causing a violation of law or regulation, or loss exceeding $100K but less than $1M. (previously $10K/$200K)

Negligible (Severity Level 4): Could result in one or more of the following: injury or illness resulting in a lost work day, minimal environmental impact violating law or regulation, or loss less than $100K. (previously $2K < x < $10K)

Page 13: TABLE II. Probability Levels

PROBABILITY LEVELS (each level is described for a Specific Individual Item and for a Fleet or Inventory)

Frequent (A)
  Specific Individual Item: Likely to occur often in the life of an item; with a probability of occurrence greater than 10^-1 in that life.
  Fleet or Inventory: Continuously experienced.

Probable (B)
  Specific Individual Item: Will occur several times in the life of an item; with a probability of occurrence less than 10^-1 but greater than 10^-2 in that life.
  Fleet or Inventory: Will occur frequently.

Occasional (C)
  Specific Individual Item: Likely to occur sometime in the life of an item; with a probability of occurrence less than 10^-2 but greater than 10^-3 in that life.
  Fleet or Inventory: Will occur several times.

Remote (D)
  Specific Individual Item: Unlikely, but possible to occur in the life of an item; with a probability of occurrence less than 10^-3 but greater than 10^-6 in that life.
  Fleet or Inventory: Unlikely but can reasonably be expected to occur.

Improbable (E)
  Specific Individual Item: So unlikely, it can be assumed occurrence may not be experienced in the life of an item; with a probability of occurrence of less than 10^-6 in that life.
  Fleet or Inventory: Unlikely to occur, but possible.

Eliminated (F)
  Specific Individual Item: Incapable of occurrence in the life of an item. This category is used when potential hazards are identified and later eliminated.
  Fleet or Inventory: Incapable of occurrence within the life of an item. This category is used when potential hazards are identified and later eliminated.

Page 14: TABLE III. Risk Assessment Matrix

RISK ASSESSMENT MATRIX (each cell gives the Risk Assessment Code number and the risk level)

Severity \ Probability | Frequent (A) | Probable (B) | Occasional (C) | Remote (D)  | Improbable (E) | Eliminated (F)
Catastrophic (1)       | 1  High      | 2  High      | 4  High        | 8  Serious  | 12 Medium      | Eliminated
Critical (2)           | 3  High      | 5  High      | 6  Serious     | 10 Medium   | 15 Medium      | Eliminated
Marginal (3)           | 7  Serious   | 9  Serious   | 11 Medium      | 14 Medium   | 17 Medium      | Eliminated
Negligible (4)         | 13 Medium    | 16 Medium    | 18 Low         | 19 Low      | 20 Low         | Eliminated

Risk Assessment Code (RAC): e.g. 1A, 3E, etc.
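The three tables above are what a hazard tracking tool actually computes with: a lifetime probability estimate is binned into a Table II level, paired with the Table I severity to form a RAC such as 1A, and the Table III cell gives the RAC number (1 = highest risk) and the High/Serious/Medium/Low level that decides which authority may accept the residual risk. The following is an added example written for this page, not code from the presentation or from the standard; the hazard records, their probability estimates and the treatment of values exactly on a Table II boundary (assigned to the more likely level) are assumptions of the example.

```python
# Added example: encode MIL-STD-882E Tables II and III as shown on the slides
# and use them to classify and rank a constructed hazard list.
# All hazard records below are constructed for illustration.
from typing import Optional, List, Dict, Tuple

# Table II lower bounds of per-item lifetime probability, most likely first.
# Assumption: a value exactly on a boundary is binned into the more likely
# (more conservative) level, since the slide leaves the boundary unspecified.
PROBABILITY_LEVELS = [
    ("A", "Frequent", 1e-1),
    ("B", "Probable", 1e-2),
    ("C", "Occasional", 1e-3),
    ("D", "Remote", 1e-6),
    ("E", "Improbable", 0.0),
]

# Table I severity categories and their level numbers.
SEVERITY = {"Catastrophic": 1, "Critical": 2, "Marginal": 3, "Negligible": 4}

# Table III: (severity level, probability letter) -> (RAC number, risk level).
RISK_MATRIX = {
    (1, "A"): (1, "High"),    (1, "B"): (2, "High"),    (1, "C"): (4, "High"),
    (1, "D"): (8, "Serious"), (1, "E"): (12, "Medium"),
    (2, "A"): (3, "High"),    (2, "B"): (5, "High"),    (2, "C"): (6, "Serious"),
    (2, "D"): (10, "Medium"), (2, "E"): (15, "Medium"),
    (3, "A"): (7, "Serious"), (3, "B"): (9, "Serious"), (3, "C"): (11, "Medium"),
    (3, "D"): (14, "Medium"), (3, "E"): (17, "Medium"),
    (4, "A"): (13, "Medium"), (4, "B"): (16, "Medium"), (4, "C"): (18, "Low"),
    (4, "D"): (19, "Low"),    (4, "E"): (20, "Low"),
}


def probability_level(p_life: Optional[float], eliminated: bool = False) -> str:
    """Map a per-item lifetime probability to a Table II letter A-E.

    A hazard removed by design selection gets the new 882E category F
    (Eliminated) regardless of any earlier probability estimate.
    """
    if eliminated:
        return "F"
    if p_life is None or not (0.0 <= p_life <= 1.0):
        raise ValueError("probability must be in [0, 1] unless the hazard is eliminated")
    for letter, _name, lower in PROBABILITY_LEVELS:
        if p_life >= lower:
            return letter
    return "E"  # not reached after validation; keeps the function total


def assess(severity: str, p_life: Optional[float],
           eliminated: bool = False) -> Tuple[str, Optional[int], str]:
    """Return (RAC code such as '1D', RAC number or None, risk level) per Table III."""
    level = SEVERITY[severity]
    letter = probability_level(p_life, eliminated)
    if letter == "F":
        # The Eliminated column carries no RAC number and no risk level to accept.
        return (f"{level}F", None, "Eliminated")
    number, risk = RISK_MATRIX[(level, letter)]
    return (f"{level}{letter}", number, risk)


# Constructed hazard log (not from the slides); p_life is the analyst's
# estimate of the probability of occurrence over the item's life.
SAMPLE_HAZARDS: List[Dict] = [
    {"id": "H-1", "desc": "Loss of emergency cooling", "severity": "Catastrophic", "p_life": 5e-4},
    {"id": "H-2", "desc": "UPS fails to carry load", "severity": "Critical", "p_life": 3e-2},
    {"id": "H-3", "desc": "Slip on wet deck", "severity": "Marginal", "p_life": 0.2},
    {"id": "H-4", "desc": "Toxic coolant removed from design", "severity": "Catastrophic",
     "p_life": None, "eliminated": True},
    {"id": "H-5", "desc": "Hand tool dropped at bench", "severity": "Negligible", "p_life": 0.5},
]


def prioritise(hazards: List[Dict]) -> List[Tuple[str, str, Optional[int], str]]:
    """Order hazards by RAC number (1 = highest risk); eliminated hazards sort last."""
    rows = []
    for h in hazards:
        code, number, risk = assess(h["severity"], h.get("p_life"), h.get("eliminated", False))
        rows.append((h["id"], code, number, risk))
    return sorted(rows, key=lambda r: (r[2] is None, r[2] if r[2] is not None else 0))


if __name__ == "__main__":
    for hid, code, number, risk in prioritise(SAMPLE_HAZARDS):
        print(f"{hid}: RAC {code} (#{number}) {risk}")
```

Running the block ranks the constructed log as H-2 (2B, High), H-3 (3A, Serious), H-1 (1D, Serious), H-5 (4A, Medium) and finally H-4 (1F, Eliminated). The ordering illustrates why the matrix carries numbers as well as levels: two hazards at the same level (3A and 1D are both Serious) are still distinguishable for prioritisation, and a hazard eliminated through design selection drops out of the risk-acceptance workflow entirely rather than being carried as a low-probability residual.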

Page 15: Key Changes

• Re-introduced and revised optional task descriptions from 882C. Total 25 optional tasks.
  - 100 series tasks - Management
  - 200 series tasks - Analysis
  - 300 series tasks - Evaluation
  - 400 series tasks - Verification

• Included new Tasks
  - Task 103 - Hazard Management Plan
  - Task 106 - Hazard Tracking System
  - Task 108 - Hazardous Materials Management Plan
  - Task 208 - Functional Hazard Analysis
  - Task 209 - System-of-Systems Hazard Analysis
  - Task 210 - Environmental Hazard Analysis
  - etc.

Page 16: Key Changes

• Updated “Appendix A – Guidance for the System Safety Effort”
  - Task application matrix updated
  - Example probability levels table includes quantitative values.

• Added Appendix B – Software System Safety Engineering and Analysis
  - Additional detail on software system safety techniques and practices
  - Based on the DoD Joint Software System Safety Engineering Handbook

Page 17: In Summary

• More reader-friendly: contents re-structured; clearer terminology.

• More up-to-date: incorporates current DoD policy and defines task descriptions to improve system safety practices.

• Use of 882E across all functional disciplines.

• Improves consistency of system safety practices across programs.

Page 19: Task 100 Series - Management

• Task 101 Hazard Identification and Mitigation Effort Using The System Safety Methodology
• Task 102 System Safety Program Plan
• Task 103 Hazard Management Plan
• Task 104 Support of Government Reviews/Audits
• Task 105 Integrated Product Team/Working Group Support
• Task 106 Hazard Tracking System
• Task 107 Hazard Management Progress Report
• Task 108 Hazardous Materials Management Plan

Page 20: Task 200 Series - Analysis

• Task 201 Preliminary Hazard List
• Task 202 Preliminary Hazard Analysis
• Task 203 System Requirements Hazard Analysis
• Task 204 Subsystem Hazard Analysis
• Task 205 System Hazard Analysis
• Task 206 Operating and Support Hazard Analysis
• Task 207 Health Hazard Analysis
• Task 208 Functional Hazard Analysis
• Task 209 System-of-Systems Hazard Analysis
• Task 210 Environmental Hazard Analysis

Page 21: Task 300 Series – Evaluation

• Task 301 Safety Assessment Report
• Task 302 Hazard Management Assessment Report
• Task 303 Test and Evaluation Participation
• Task 304 Review of Engineering Change Proposals, Change Notices, Deficiency Reports, Mishaps, and Requests for Deviation/Waiver

Page 22: Task 400 Series - Verification

• Task 401 Safety Verification
• Task 402 Explosives Hazard Classification Data
• Task 403 Explosive Ordnance Disposal Data