Grammar Test

The document discusses hazard identification and risk assessment. It defines hazards, risks, and accident precursors. A hazard has a source, mechanism, and outcome. Risk is defined as scenarios, likelihoods, and consequences. Accident precursors are anomalies that signal potential for more severe consequences in the future due to identifiable causes.

Uploaded by

versine
Copyright
© Attribution Non-Commercial (BY-NC)

The risk associated with a hazard is a function of its probability and severity. Identify hazard a.

The standard for hazard identification is a concise statement containing a source, mechanism, and outcome capturing relevant man, machine, and environment conditions that can lead to a mishap. By definition, a hazard is an actual or potential condition that can cause injury, illness, or death of personnel, damage to the environment, damage to or loss of equipment or property, or mission degradation. In order to effectively describe a hazard, the hazard statement must consist of three basic components:
(1) Source (an activity, condition, or environment where harm can occur).
(2) Mechanism (means by which a trigger or initiator event can cause the source to bring about harm).
(3) Outcome (the harm itself that might be suffered, expressed as a severity).

2.1 Definition of Risk


The concept of risk includes both undesirable consequences and likelihoods, e.g., the number of people harmed, and the probability of occurrence of this harm. Sometimes, risk is defined as a set of single values, e.g., the expected values of these consequences. This is a summary measure and not a general definition. Producing probability distributions for the consequences affords a much more detailed description of risk. A very common definition of risk represents it as a set of triplets [2-1]: scenarios, likelihoods, and consequences. Determining risk generally amounts to answering the following questions:
1. What can go wrong?
2. How likely is it?
3. What are the associated consequences?
The answer to the first question is a set of accident scenarios. The second question requires the evaluation of the probabilities of these scenarios, while the third estimates their consequences. Implicit within each question is that there are uncertainties. The uncertainties pertain to whether all the significant accident scenarios have been identified, and whether the probabilities of the scenarios and associated consequence estimates have properly taken into account the sources of variability and the limitations of the available information. Scenarios and uncertainties are among the most important components of a risk assessment. Figure 2-1 shows the implementation of these concepts in PRA. In this figure, uncertainty analysis is shown to be an integral part of each step of the process rather than just a calculation that is performed at the end of the risk quantification.

Figure 2-1 Triplet Definition of Risk in PRA

The accident scenarios begin with a set of initiating events (IEs) that perturb the system (i.e., cause it to change its operating state or configuration), representing a deviation in the desired system operation. For each IE, the analysis proceeds by determining the pivotal events that are relevant to the evolution of the scenario, which may (or may not) occur and may have either a mitigating or exacerbating effect on the accident progression. The frequencies of scenarios with undesired consequences are determined. Finally, the multitude of such scenarios is put together, with an understanding of the uncertainties, to create the risk profile of the system. This risk profile then supports risk management.
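As an added example (not code from the NASA guide this page excerpts), the triplet definition and the initiating-event / pivotal-event scenario construction above can be worked through in Python: scenarios are enumerated from one IE and its pivotal events, each scenario gets a frequency and a consequence, and the set is summarised both as the single expected value the text calls a summary measure and as the exceedance (risk) curve that describes risk more fully. The IE frequency, pivotal-event probabilities and consequence values are constructed for illustration, not taken from any real system.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class PivotalEvent:
    name: str          # mitigating event that may or may not occur after the IE
    p_success: float   # probability the mitigating event occurs


# Constructed illustration (assumed values, not a real system):
# one initiating event, two pivotal events, one consequence per end state.
IE_FREQUENCY = 1e-2                       # initiating events per year
PIVOTAL = [PivotalEvent("backup power starts", 0.95),
           PivotalEvent("operator isolates fault", 0.90)]
# Consequence (e.g. people harmed) for each pattern of pivotal-event outcomes;
# True means the mitigating event succeeded.
CONSEQUENCE = {(True, True): 0, (True, False): 1,
               (False, True): 2, (False, False): 10}


def enumerate_scenarios(ie_freq, pivotal, consequence):
    """Build the risk triplets <scenario, frequency, consequence> for one IE.

    Each branch of the event tree is one scenario; its frequency is the IE
    frequency times the probability of every pivotal-event outcome on the path.
    """
    triplets = []
    for outcomes in product([True, False], repeat=len(pivotal)):
        freq = ie_freq
        for ev, ok in zip(pivotal, outcomes):
            freq *= ev.p_success if ok else 1 - ev.p_success
        label = " & ".join(f"{ev.name}={'ok' if ok else 'FAIL'}"
                           for ev, ok in zip(pivotal, outcomes))
        triplets.append((label, freq, consequence[outcomes]))
    return triplets


def expected_consequence(triplets):
    """Summary measure: expected harm per year (the single-value view of risk)."""
    return sum(freq * cons for _, freq, cons in triplets)


def exceedance_curve(triplets):
    """Risk curve: for each consequence level, annual frequency of >= that level."""
    levels = sorted({cons for _, _, cons in triplets})
    return [(lvl, sum(f for _, f, c in triplets if c >= lvl)) for lvl in levels]
```

The exceedance curve keeps the low-frequency, high-consequence branch visible (here the scenario where both mitigations fail), whereas the expected value folds it into one number.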

2.2 Risk Management at NASA


Risk management (RM) is an integral aspect of virtually every challenging human endeavor. Although the complex concepts that RM encapsulates and the many forms it can take make it difficult to effectively implement, effective risk management is critical to program and project success. In the context of risk management, performance risk refers to shortfalls with respect to performance requirements in any of the mission execution domains of safety, technical, cost, and schedule. The term performance risk is also referred to simply as risk. This generalization makes the concept of risk broader than in typical PRA contexts, where the term risk is used to characterize only safety performance, and not necessarily with respect to defined requirements. Individual risk is different from performance risk, in that it refers to a particular issue that is expressed in terms of a departure from the program/project plan assumptions. Individual risks affect performance risks but are not synonymous with them. For example, an unusually high attrition of design engineers could affect the date within which the design is completed and thereby affect the ability to launch within a required time window. The unexpectedly high attrition would be classified as an individual risk that affects the ability to meet the required schedule for launch, a performance risk. The role of PRA in the context of risk management is to quantify each performance risk, taking into account the individual risks that surface during the program/project. Until recently, NASA's RM approach had been based almost exclusively on Continuous Risk Management (CRM), which stresses the management of individual risk issues during implementation. In December of 2008, NASA revised its RM approach, in order to more effectively foster proactive risk management. This approach, which is outlined in NPR 8000.4A, Agency Risk Management Procedural Requirements [2-2], and further developed in NASA/SP

[Figure 2-1 box labels: Uncertainty Analysis; Initiating Event Selection; Scenario Development; Scenario Modeling; Scenario Frequency Evaluation; Consequence Modeling]

2.1 The Accident Precursor Concept


The Swiss Cheese Model of accident causation, originally proposed by James Reason [12], likens a system's barriers against severe failure to a series of slices of randomly-holed Swiss cheese arranged parallel to each other. Each slice could represent a safety process, preventative maintenance, a functional redundancy, etc. The holes represent latent conditions, possible severe stresses, opportunities for human error, adverse environmental conditions, or simply specific subsystem failures. Essentially, the holes in the cheese slices represent inherent vulnerabilities in the system to various events and conditions, and are continually varying in size and position in all slices. Using the Swiss Cheese Model, an accident can be represented as a trajectory through a momentary alignment in a set of holes (as shown by the red line in Figure 2-1). In other words, the causal failure mechanism can sequentially negotiate these holes, compromising each barrier meant to obviate catastrophe, and snowball into a full-blown accident. Whenever a failure mechanism manages to make it through one or more holes, but not all, it is effectively deflected from continuing to a severe consequence (as shown by the blue line in Figure 2-1) and is cataloged as an anomaly.
Figure 2-1 The Swiss Cheese Model of Accident Causation

An anomaly can make an organization aware of failure mechanisms in the system that may, in combination with less favorable circumstances or if left unattended for longer time periods, lead to a severe consequence. If there is indeed potential for the failure mechanism behind the observed anomaly to recur and lead to an accident (i.e., a situation that has more severe consequences), then the anomaly may be called an accident precursor.

Anomaly: An anomaly is an off-nominal occurrence or condition (e.g., a deviation outside of certified or approved design or performance specifications).

Accident Precursor: An accident precursor is an anomaly that signals the potential for more severe consequences that may occur in the future, due to causes that are discernible from its occurrence today. Such an event provides evidence that a failure mechanism is operative in the system and may pose a significant degree of risk, given the potential for it to recur with greater magnitude, or under less favorable conditions.
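An added illustration in Python (not from the original handbook) of the Swiss cheese barrier picture and the anomaly/precursor distinction just defined: each barrier gets a constructed hole probability, the code computes where a failure mechanism is most likely to be stopped (an anomaly) versus passing every barrier (an accident), and, going one step beyond the text, the conditional probability that an anomaly which already breached some barriers would have ended as an accident, one way to quantify the "potential for more severe consequences" a precursor signals. Barrier names and probabilities are assumptions made for the example.

```python
from math import prod

# Constructed barrier model (assumed names and values): each entry is one
# slice of "cheese" and the probability that a failure mechanism passes
# through its hole rather than being deflected.
BARRIERS = [("design margin", 0.20), ("inspection", 0.10),
            ("redundant unit", 0.05), ("operator response", 0.30)]


def trajectory_distribution(barriers):
    """Where a failure mechanism ends up when it enters the barrier stack.

    Returns a dict: barrier name -> P(stopped at that barrier, i.e. an anomaly
    cataloged there); "accident" -> P(every barrier breached).
    """
    dist, p_reach = {}, 1.0
    for name, hole in barriers:
        dist[name] = p_reach * (1 - hole)   # reached this slice, then deflected
        p_reach *= hole                     # went through the hole, continues
    dist["accident"] = p_reach
    return dist


def conditional_accident_probability(barriers, breached):
    """Given an anomaly that got through the first `breached` barriers, the
    probability the same mechanism would have passed the remaining ones too.
    A larger value means the anomaly is a stronger accident precursor."""
    return prod(hole for _, hole in barriers[breached:])


def rank_precursors(barriers):
    """List (barriers breached, conditional accident probability), deepest first,
    so an organization can see which anomaly depths deserve precursor treatment."""
    return [(k, conditional_accident_probability(barriers, k))
            for k in range(len(barriers) - 1, -1, -1)]
```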

Based on the above definition, we may now recognize well-known examples of accident precursors:

- O-ring blow-by at Space Shuttle Solid Rocket Booster (SRB) joint locations, prior to the loss of the Challenger. On several occasions prior to the fatal Challenger accident, blow-by events were witnessed at SRB field joints. Based on available proceedings, there were discussions and meetings after the blow-by occurrences on the potential for greater consequences. The conclusions based on available knowledge were that there was no potential for significant consequences. This observation signified that a failure mechanism was operative in the system; however, the potential for severe consequences was misunderstood.
- Foam loss from the Space Shuttle ET and Space Shuttle TPS debris damage, prior to the loss of Columbia. On numerous flights prior to the Columbia accident, foam was observed shedding from the ET and impacting the Orbiter TPS. On several of these occasions the TPS tile was impacted and damaged, but never with catastrophic results. Most notably, STS-45 demonstrated that impacts were possible to the wing-leading edge Reinforced Carbon-Carbon (RCC) TPS panels, and that the RCC material could be damaged by the impacts, as shown in Figure 2-2. These events demonstrated that a failure mechanism leading to TPS damage was active on multiple flights, representing a potential for recurrence with a greater magnitude.
- A well-known example of a precursor in the nuclear industry was the increased rate of containment air filter clogging prior to the discovery of significant vessel head erosion at the Davis-Besse nuclear power plant [13]. Upon initial review it was believed that the air filter clogs were caused by the filter itself and other anomalies not associated with the eroding vessel head. It was only after the discovery of vessel head erosion that plant personnel understood that the anomalous air filter performance was due to airborne material from the eroding vessel head.

Some examples of accident precursor types are:

- A near-miss because of chance or an opportune mitigation. An example of this type of precursor is the Shuttle TPS debris damage as observed on numerous flights prior to the loss of Columbia. On all previous flights critical TPS damage did not occur simply because, by chance, a debris impact of great enough magnitude did not occur in a sensitive location.
- Faults that can become failure conditions without correction. An example of this might be a hairline crack in a fitting which is so small that it causes no leak or loss of component function, but given time and use can grow to the point of leak or rupture.
- Unexpected operational behavior. For example, at times the operational environment of space can cause unintended effects to system operation. An example might be a lubricant which becomes more viscous than expected when operating in the temperature and pressure extremes of space and creates a threat to system function.
- Reduced maintenance effectiveness. An example might be a quality inspection of a system which over time becomes routine and possibly mundane, such that gaps in the inspection develop which allow potentially harmful conditions to be accepted for flight.
- Unexpected effects from aging of equipment. An example of this type of precursor could be a coolant system where over time the pH of the chemical coolant drops as it ages. This type of observation could indicate that the pH will continue to drop and degrade cooling function.

The above examples of precursors and precursor types illustrate that there is no single template for describing an accident precursor. The connection between an anomaly and the potential for severe consequences can be relatively straightforward, as in the case of Columbia, or it can be indirect, as in the case of the Davis-Besse incident. It can relate solely to hardware behavior or it can involve human actions as well. The common element in all cases is an anomaly that is benign in its current instantiation, but which indicates the potential for more severe consequences.
