11.3 Safety
Figure 11.6 Safety terminology

Accident (or mishap)
    An unplanned event or sequence of events which results in human death or injury, damage to property, or to the environment. An overdose of insulin is an example of an accident.

Hazard
    A condition with the potential for causing or contributing to an accident. A failure of the sensor that measures blood glucose is an example of a hazard.

Damage
    A measure of the loss resulting from a mishap. Damage can range from many people being killed as a result of an accident to minor injury or property damage. Damage resulting from an overdose of insulin could be serious injury or the death of the user of the insulin pump.

Hazard severity
    An assessment of the worst possible damage that could result from a particular hazard. Hazard severity can range from catastrophic, where many people are killed, to minor, where only minor damage results. When an individual death is a possibility, a reasonable assessment of hazard severity is ‘very high.’

Hazard probability
    The probability of the events occurring which create a hazard. Probability values tend to be arbitrary but range from ‘probable’ (say 1/100 chance of a hazard occurring) to ‘implausible’ (no conceivable situations are likely in which the hazard could occur). The probability of a sensor failure in the insulin pump that results in an overdose is probably low.

Risk
    This is a measure of the probability that the system will cause an accident. The risk is assessed by considering the hazard probability, the hazard severity, and the probability that the hazard will lead to an accident. The risk of an insulin overdose is probably medium to low.

4. The system operators may generate inputs that are not individually incorrect but which, in some situations, can lead to a system malfunction. An anecdotal example of this occurred when an aircraft undercarriage collapsed whilst the aircraft was on the ground. Apparently, a technician pressed a button that instructed the utility management software to raise the undercarriage. The software carried out the mechanic’s instruction perfectly. However, the system should have disallowed the command unless the plane was in the air.
A specialized vocabulary has evolved to discuss safety-critical systems and it is important to understand the specific terms used. Figure 11.6 summarizes some definitions of important terms, with examples taken from the insulin pump system.
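The definition of risk in Figure 11.6 combines three factors: how likely the hazard is to arise, how likely it is to lead to an accident once it has arisen, and how severe that accident would be. The following is an added illustration, not code from the book, of a small hazard register that applies that combination to a few insulin pump hazards. The ordinal scales, the numeric ranks behind them, the product used to combine them, the level cut-offs and the sample hazards are all assumptions chosen for the example; a real safety assessment would use the scales and criteria of the applicable standard.

```python
"""Added example (not from the book): a minimal hazard/risk register that
combines hazard probability, the probability that the hazard leads to an
accident, and hazard severity into an ordinal risk level."""
from dataclasses import dataclass

# Ordinal scales. The names follow the vocabulary in Figure 11.6; the numeric
# ranks and the step between them are an assumption made for this example.
PROBABILITY = {"implausible": 0, "remote": 1, "occasional": 2, "probable": 3}
SEVERITY = {"minor": 1, "major": 2, "very high": 3, "catastrophic": 4}


@dataclass(frozen=True)
class Hazard:
    name: str
    probability: str   # likelihood that the hazardous condition arises
    severity: str      # worst plausible damage if an accident results
    p_accident: float  # probability (0..1) that the hazard leads to an accident


def risk_score(h: Hazard) -> float:
    """Combine the three factors from the definition of 'risk'.

    Multiplying ordinal ranks is a deliberate simplification chosen for the
    example (an assumption); the point is that all three factors enter, so a
    severe hazard that is implausible scores zero and a probable but harmless
    one stays low.
    """
    return PROBABILITY[h.probability] * h.p_accident * SEVERITY[h.severity]


def risk_level(h: Hazard) -> str:
    """Map the score onto coarse levels (cut-offs are assumptions)."""
    s = risk_score(h)
    if s == 0:
        return "negligible"
    if s < 1:
        return "low"
    if s < 3:
        return "medium"
    return "high"


def rank_register(hazards):
    """Return (name, level, score) tuples, highest risk first, so the
    hazards that most need avoidance, detection or limitation come first."""
    return sorted(
        ((h.name, risk_level(h), risk_score(h)) for h in hazards),
        key=lambda t: t[2],
        reverse=True,
    )


# Constructed sample register for an insulin pump; the probabilities are
# illustrative values, not measured data.
SAMPLE_REGISTER = [
    Hazard("Glucose sensor failure (overdose)", "remote", "very high", 0.5),
    Hazard("Pump motor failure (no insulin delivered)", "occasional", "major", 0.25),
    Hazard("Battery exhausted", "probable", "minor", 0.25),
]

if __name__ == "__main__":
    for name, level, score in rank_register(SAMPLE_REGISTER):
        print(f"{score:4.2f}  {level:10s}  {name}")
```

Running the block prints the sample hazards in descending order of risk; the sensor failure that could cause an overdose ranks first despite its low probability because its severity is ‘very high’, which mirrors the judgement in Figure 11.6 that the risk of an overdose is moderate rather than negligible.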
The key to assuring safety is to ensure either that accidents do not occur or that the consequences of an accident are minimal. This can be achieved in three complementary ways:
1. Hazard avoidance The system is designed so that hazards are avoided. For
example, a cutting system that requires an operator to use two hands to press