
ECSS-Q-ST-40-02C

15 November 2008

Space product
assurance
Hazard analysis

ECSS Secretariat
ESA-ESTEC
Requirements & Standards Division
Noordwijk, The Netherlands
Foreword
This Standard is one of the series of ECSS Standards intended to be applied together for the management, engineering and product assurance in space projects and applications. ECSS is a cooperative effort of the European Space Agency, national space agencies and European industry associations for the purpose of developing and maintaining common standards. Requirements in this Standard are defined in terms of what shall be accomplished, rather than in terms of how to organize and perform the necessary work. This allows existing organizational structures and methods to be applied where they are effective, and for the structures and methods to evolve as necessary without rewriting the standards.
This Standard has been prepared by the ECSS Executive Secretariat, endorsed by the document and discipline focal point and approved by the ECSS Technical Authority.
Disclaimer
ECSS does not provide any warranty whatsoever, whether expressed, implied, or statutory, including, but not limited to, any warranty of merchantability or fitness for a particular purpose or any warranty that the contents of the item are error-free. In no respect shall ECSS incur any liability for any damages, including, but not limited to, direct, indirect, special, or consequential damages arising out of, resulting from, or in any way connected to the use of this Standard, whether or not based upon warranty, business agreement, tort, or otherwise; whether or not injury was sustained by persons or property or otherwise; and whether or not loss was sustained from, or arose out of, the results of, the item, or any services that may be provided by ECSS.
Published by: ESA Requirements and Standards Division
ESTEC, P.O. Box 299,
2200 AG Noordwijk
The Netherlands
Copyright: 2008 by the European Space Agency for the members of ECSS
Change log
ECSS-Q-40-02A: First issue. Transforming ESA PSS-01-403 into an ECSS Standard.
ECSS-Q-40-02B: Never issued.
ECSS-Q-ST-40-02C (15 November 2008): Second issue. Major changes of this version with regard to the previous version are:
The original clause 5 was moved to clause 4.7.
The original clause 6 is now clause 5.
The original clause 6.2 was moved to clause 4.3.2.
The original clause 6.4 was moved to clause 4.6.
The original clause 7 was moved to clauses 4.4.2 to 4.4.4.
The original informative Annex A was moved to the informative Annex A.
The original informative Annex B was moved to the informative Annex B.
The original informative Annex C was moved to the informative Annex C.

Table of contents
Change log
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
3.1 Terms from other standards
3.2 Terms specific to the present standard
3.3 Abbreviated terms
4 Principles of hazard analysis
4.1 Hazard analysis concept
4.2 Role of hazard analysis
4.3 Hazard analysis process
4.3.1 Overview
4.3.2 Overview of the hazard analysis process
4.4 Hazard analysis implementation
4.4.1 Overview
4.4.2 General considerations
4.4.3 Type of project considerations
4.4.4 Documentation of hazard analysis
4.5 Hazard analysis documentation
4.6 Integration of hazard analysis activities
4.7 Objectives of hazard analysis
5 Requirements
5.1 Hazard analysis requirements
5.2 Hazard analysis steps and tasks
5.2.1 Step 1: Define hazard analysis implementation requirements
5.2.2 Step 2: Identify and assess the hazards
5.2.3 Step 3: Decide and act
5.2.4 Step 4: Track, communicate and accept the hazards
Annex A (informative) Examples of generic hazards
Annex B (informative) Hazard and safety risk register (example) and ranked hazard and safety risk log (example)
Annex C (informative) Background information
C.1 Preliminary hazard analysis (PHA)
C.2 Subsystem hazard analysis (SSHA)
C.3 System hazard analysis (SHA)
C.4 Operating hazard analysis (OHA)
Bibliography

Figures
Figure 4-1: Hazards and hazard scenarios
Figure 4-2: Example of a hazard tree
Figure 4-3: Example of a consequence tree
Figure 4-4: Reduction of hazards
Figure 4-5: Interface to FMECA and CC&M analysis
Figure 4-6: The process of hazard analysis
Figure 4-7: The steps and cycles in the hazard analysis process
Figure 4-8: The nine tasks associated with the four steps of the hazard analysis process
Figure B-1: Example of a hazard and safety risk register (see also ECSS-M-ST-80)
Figure B-2: Example of a ranked hazard and safety risk log

Tables
Table 5-1: Example of a safety consequence severity categorization
Table 5-2: Example of a hazard matrix
Table 5-3: Example of a hazard manifestation list
Table 5-4: Example of a hazard scenario list

Introduction
Safety analysis comprises hazard analysis, safety risk assessment and supporting analyses as defined in ECSS-Q-ST-40. The objective of safety analysis is to identify, assess, reduce, accept, and control safety hazards and the associated safety risks in a systematic, proactive, complete and cost-effective manner, taking into account the project's technical and programmatic constraints. Safety analysis can be implemented through an iterative process, with iterations being determined by the project progress through the different project phases, and by changes to a given project baseline.
Hazard analysis comprises the identification, classification and reduction of hazards. Hazard analysis can be implemented at each level of the customer-supplier network. Hazard analysis activities at lower level can contribute to system level safety analysis. System level safety analysis can determine lower level hazard analysis activities.
Hazard analysis interfaces with dependability analysis, in particular FMECA. Safety risk assessment interfaces with quantitative dependability analysis, in particular reliability analysis. Safety risk assessment contributes to project risk management. Ranking of safety risks according to their criticality for project success, allowing management to direct its attention to the essential safety issues, is part of the major objectives of risk management.
Safety risk assessment is further addressed in ECSS-Q-ST-40.
1 Scope
This Standard details the hazard analysis requirements of ECSS-Q-ST-40; it defines the principles, process, implementation, and requirements of hazard analysis.
It is applicable to all European space projects where during any project phase there exists the potential for hazards to personnel or the general public, space flight systems, ground support equipment, facilities, public or private property or the environment.
This Standard may be tailored for the specific characteristics and constraints of a space project in conformance with ECSS-S-ST-00.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of this ECSS Standard. For dated references, subsequent amendments to, or revision of any of these publications do not apply. However, parties to agreements based on this ECSS Standard are encouraged to investigate the possibility of applying the more recent editions of the normative documents indicated below. For undated references, the latest edition of the publication referred to applies.

ECSS-S-ST-00-01 ECSS system - Glossary of terms
ECSS-M-ST-80 Space project management - Risk management
ECSS-Q-ST-40 Space product assurance - Safety

3 Terms, definitions and abbreviated terms
3.1 Terms from other standards
For the purpose of this Standard, the terms and definitions from ECSS-S-ST-00-01 apply, in particular for the following terms:
requirement
3.2 Terms specific to the present standard
3.2.1 consequence tree
set of hazard scenarios leading to the same safety consequence
3.2.2 detection time
time span between the occurrence of the initiator event and its detection through the observable symptoms
3.2.3 hazard
existing or potential condition of an item that can result in a mishap
NOTE 1 [ISO 14620-2]
NOTE 2 This condition can be associated with the design, fabrication, operation, or environment of the item, and has the potential for mishaps. [ISO 14620-2]
NOTE 3 Hazards are potential threats to the safety of a system. They are not events, but the prerequisite for the occurrence of hazard scenarios with their negative effects on safety in terms of the safety consequences.
3.2.4 hazard acceptance
decision to tolerate the consequences of the hazard scenarios when they occur
3.2.5 hazard analysis
systematic and iterative process of the identification, classification and reduction of hazards
3.2.6 hazard control
preventive or mitigation measure, associated to a hazard scenario, which is introduced into the system design and operation to avoid the events or to interrupt their propagation to consequence
3.2.7 hazard elimination
removal of a hazard from a particular hazard manifestation
3.2.8 hazard manifestation
presence of specific hazards in the technical design, operation and environment of a system
3.2.9 hazard minimization
substitution of a hazard in the hazard manifestation by another hazard of the same type but with a lower potential threat
NOTE For instance high toxicity to low toxicity.
3.2.10 hazard reduction
process of elimination or minimization and control of hazards
3.2.11 hazard scenario
sequence of events leading from the initial cause to the unwanted safety consequence
NOTE The cause can be a single initiating event, or an additional action or a change of condition activating a dormant problem.
3.2.12 hazard tree
set of hazard scenarios originating from the same set of hazard manifestations
3.2.13 hazardous
property of an item and its environment which provides the potential for mishaps
NOTE [ISO 14620-2]
3.2.14 observable symptoms
evidence that indicates that an undesirable event has occurred
NOTE Observable symptoms appear during the propagation time.
3.2.15 reaction time
time span between the detection and the occurrence of the consequence
NOTE This is the time span available for mitigating actions after detection of the occurrence of the initiator event.
3.2.16 residual hazard
hazard remaining after implementation of hazard reduction
3.2.17 resolved hazard
hazard that is reduced, the reduction verified and the hazard considered acceptable
NOTE Resolved hazards are submitted for formal acceptance.
3.2.18 scenario propagation time
time span between the occurrence of the initiator event and the occurrence of the consequence
3.2.19 severity of safety consequence
measure of the gravity of damage with respect to safety
3.3 Abbreviated terms
For the purpose of this Standard, the abbreviated terms from ECSS-S-ST-00-01 and the following apply:

Abbreviation Meaning
CC&M common cause and common failure mode analysis
DRD document requirements definition
FMECA failure modes, effects and criticality analysis
GSE ground support equipment
NASA National Aeronautics and Space Administration
OHA operating hazard analysis
PHA preliminary hazard analysis
SHA system hazard analysis
SSHA subsystem hazard analysis

4 Principles of hazard analysis
4.1 Hazard analysis concept
Hazard analysis is based on the following hazard analysis concept, which is depicted in Figure 4-1 to Figure 4-4.
Hazards, which are present through hazard manifestations in the system, are activated if initiating events (i.e. causes) occur. Hazard scenarios reflect the system behaviour to the activated hazards in terms of event propagation from causes to safety consequences, as depicted in Figure 4-1. The occurrence of events is coupled to observable symptoms in the system. Safety consequences are characterized by their severity.
Different hazard scenarios can originate from the same hazard. Furthermore, different hazard scenarios can lead to the same safety consequence. For an example, see Table 5-4. The collection of hazard scenarios originating from the same hazard manifestation is collated into a hazard tree, as illustrated in Figure 4-2. The collection of hazard scenarios leading to the same safety consequence is collated into a consequence tree, as illustrated in Figure 4-3.
Hazards are reduced by either eliminating them or, if this is not possible, by minimizing and controlling them, as shown in Figure 4-4. Hazards are eliminated through the removal of specific potentially safety-threatening system characteristics. Hazards are minimized through reducing the level or amount of specific potentially safety-threatening system characteristics. Hazards are controlled through the prevention of the occurrence or reduction of the likelihood of events, and mitigation of their effects. Occurrence of the events can be detected through their observable symptoms.
For example: A hazard to driving a car is poor weather conditions, and the hazard is manifested by ice on the road. The cause "rapid change of direction" can lead to the event "loss of control" and finally to the consequence "death of driver". Hazard elimination can be achieved by delaying the journey, and hazard minimization by gritting the road. There are various methods for hazard control which impact on different parts of the process: driving slowly impacts on the cause; using snow chains impacts on the link between cause and event; fitting an airbag impacts on the link between event and consequence.

Figure 4-1: Hazards and hazard scenarios
(Diagram: a hazard is present in the system through a hazard manifestation; a cause activates it and the resulting events propagate to a consequence; the span from cause to consequence is the propagation time, and each chain of cause, events and consequence is one hazard scenario.)

Figure 4-2: Example of a hazard tree
(Diagram: several hazard scenarios, each with its own cause, events and consequence, originating from the same hazard manifestation.)

Figure 4-3: Example of a consequence tree
(Diagram: several hazard scenarios, originating from different hazards and causes, all leading to the same consequence.)

Figure 4-4: Reduction of hazards
(Diagram: hazard reduction comprises hazard elimination, hazard minimization and hazard control, i.e. removal or change of hazards, elimination of the event, or interruption of event propagation.)
Failure causes as identified through FMECA and other analyses, such as common cause and common failure mode analysis (CC&M), can represent causes of hazard scenarios, as depicted in Figure 4-5.

Figure 4-5: Interface to FMECA and CC&M analysis
(Diagram: the failure modes, failure causes, failure events and consequences of the FMECA, and the common modes and common causes of the CC&M analysis, map onto the cause, events and consequence elements of the hazard scenarios.)
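The concept of clause 4.1, and the time definitions of 3.2.2, 3.2.15 and 3.2.18, as an added Python example that is not part of this Standard: it groups constructed hazard scenarios into hazard trees and consequence trees, derives the hazard matrix of Table 5-2 from a manifestation list in the form of Table 5-3, and ranks scenarios by severity and reaction time. The class and function names, the ranking key and all sample data are this example's own assumptions.

```python
"""Added example (not part of ECSS-Q-ST-40-02C): a model of the hazard
analysis concept of clause 4.1.

A hazard is present through a hazard manifestation; a cause activates it and
propagates through events to a safety consequence (Figure 4-1).  Scenarios
sharing a manifestation form a hazard tree (Figure 4-2); scenarios sharing a
consequence form a consequence tree (Figure 4-3).  From 3.2.2, 3.2.15 and
3.2.18: reaction time = propagation time - detection time.
All manifestations and scenarios below are constructed for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Severity categories of Table 5-1; a lower category number is more severe.
SEVERITY = {"Catastrophic": 1, "Critical": 2, "Marginal": 3, "Negligible": 4}


@dataclass(frozen=True)
class Manifestation:
    """One row of a hazard manifestation list (Table 5-3)."""
    phase: str           # mission phase, e.g. "Ground operation"
    subsystem: str       # e.g. "Propulsion"
    generic_hazard: str  # generic hazard (Annex A), e.g. "Toxicity"
    description: str


@dataclass
class Scenario:
    """One hazard scenario: cause -> events -> consequence (3.2.11)."""
    manifestation: Manifestation
    cause: str
    events: list[str]
    consequence: str
    severity: str              # key of SEVERITY
    propagation_time_s: float  # initiator event -> consequence (3.2.18)
    detection_time_s: float    # initiator event -> detection (3.2.2)

    def reaction_time_s(self) -> float:
        """Time left for mitigating actions after detection (3.2.15)."""
        return self.propagation_time_s - self.detection_time_s


def hazard_trees(scenarios: list[Scenario]) -> dict[Manifestation, list[Scenario]]:
    """Figure 4-2: scenarios grouped by the manifestation they originate from."""
    trees = defaultdict(list)
    for s in scenarios:
        trees[s.manifestation].append(s)
    return dict(trees)


def consequence_trees(scenarios: list[Scenario]) -> dict[str, list[Scenario]]:
    """Figure 4-3: scenarios grouped by the safety consequence they lead to."""
    trees = defaultdict(list)
    for s in scenarios:
        trees[s.consequence].append(s)
    return dict(trees)


def hazard_matrix(manifestations: list[Manifestation], phase: str) -> set[tuple[str, str]]:
    """Table 5-2: the (generic hazard, subsystem) cells marked X for one phase."""
    return {(m.generic_hazard, m.subsystem) for m in manifestations if m.phase == phase}


def ranked(scenarios: list[Scenario]) -> list[Scenario]:
    """Most severe first; within one severity, the shortest reaction time first."""
    return sorted(scenarios, key=lambda s: (SEVERITY[s.severity], s.reaction_time_s()))


def no_time_to_react(scenarios: list[Scenario]) -> list[Scenario]:
    """Scenarios whose consequence occurs before (or at) detection.  A control
    on the event-to-consequence link (the airbag of 4.1) comes too late; the
    control has to act on the cause or on the cause-to-event link."""
    return [s for s in scenarios if s.reaction_time_s() <= 0]


# Constructed data in the form of Table 5-3; all figures are illustrative.
M_PROP_TOX = Manifestation("Ground operation", "Propulsion", "Toxicity",
                           "toxic propellant being filled into two tanks")
M_PROP_PRES = Manifestation("Ground operation", "Propulsion", "High pressure",
                            "tanks pressurised during filling")
M_INST_TOX = Manifestation("Ground operation", "Instruments", "Toxicity",
                           "paint and seal material in cabinet A emit toxic fumes if exposed to fire")
MANIFESTATIONS = [M_PROP_TOX, M_PROP_PRES, M_INST_TOX]

SCENARIOS = [
    Scenario(M_PROP_TOX, "seal failure on fill line", ["propellant leak", "vapour cloud in hall"],
             "injury to ground personnel", "Catastrophic", 120.0, 30.0),
    Scenario(M_PROP_TOX, "fill valve left open", ["overfill", "tank rupture"],
             "loss of system", "Catastrophic", 5.0, 10.0),
    Scenario(M_PROP_PRES, "regulator failure", ["over-pressure"],
             "major damage to ground facilities", "Critical", 20.0, 5.0),
    Scenario(M_INST_TOX, "electrical short in cabinet A", ["cable fire", "toxic fumes"],
             "injury to ground personnel", "Critical", 300.0, 60.0),
]

if __name__ == "__main__":
    for m, tree in hazard_trees(SCENARIOS).items():
        print(f"hazard tree {m.subsystem}/{m.generic_hazard}: {[s.cause for s in tree]}")
    for c, tree in consequence_trees(SCENARIOS).items():
        print(f"consequence tree '{c}': {[s.cause for s in tree]}")
    print("hazard matrix (ground):", sorted(hazard_matrix(MANIFESTATIONS, "Ground operation")))
    for s in ranked(SCENARIOS):
        print(f"{s.severity:<12} reaction {s.reaction_time_s():>6.0f} s  {s.cause}")
    print("no time to react:", [s.cause for s in no_time_to_react(SCENARIOS)])
```

Run as a script it prints the two kinds of tree, the matrix cells and the ranking. The ranking key and the "no time to react" check are the example's additions: the Standard classifies scenarios by consequence severity only (Task 4) and leaves the choice of where a control acts to Step 3, but a negative reaction time is exactly the information that makes that choice.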
4.2 Role of hazard analysis
Hazard analysis is the principal deterministic safety analysis which assists engineers and managers in including safety aspects in the engineering practices and the decision-making process throughout the project life cycle in design, construction, testing, operation, maintenance, and disposal, together with their interfaces.
Hazard analysis provides essential input to the safety risk assessment for a system.
4.3 Hazard analysis process
4.3.1 Overview
The hazard analysis process comprises the steps and tasks necessary to identify and classify hazards, to achieve hazard reduction. The basic steps are:
Step 1: define the hazard analysis implementation requirements;
Step 2: identify and classify the hazards;
Step 3: decide and act on the hazards;
Step 4: track, communicate and accept the hazards.
The process of hazard analysis, including iteration of its tasks, is summarized in Figure 4-6.

Figure 4-6: The process of hazard analysis
(Flow diagram: 1. Define analysis requirements; 2. Identify and classify hazards; 3. Decide and act on hazards; 4. Track, communicate and accept the hazards. At the decision "Are hazards acceptable?", "No" leads to "Reduce hazards" and "Iterate tasks", feeding back into the process; "Yes" proceeds to acceptance.)
4.3.2 Overview of the hazard analysis process
The iterative four-step hazard analysis process is illustrated in Figure 4-7. The tasks within each of these steps are shown in Figure 4-8.
Step 1 comprises the establishment of the scope and purpose of hazard analysis, the hazard analysis planning (Task 1), and the definition of the system to be analysed (Task 2). Step 1 is performed at the beginning of a project. According to the scope and purpose, the implementation of the hazard analysis process consists of a number of hazard analysis cycles over the project's duration, comprising the necessary revisions of the analysis requirements and the Steps 2 to 4, subdivided in the seven Tasks 3 to 9.
The period designated in Figure 4-7 as the "Hazard analysis process" comprises all the phases of the project concerned, as defined in ECSS-M-ST-10. The frequency and the events at which cycles are required in a project (only 3 are shown in Figure 4-7 for illustration purposes) depend on the needs and complexity of the project, and are defined during Step 1 at the beginning of the project.

Figure 4-7: The steps and cycles in the hazard analysis process
(Diagram: across the project phases, the hazard analysis process runs as repeated cycles of Step 1 "Define analysis requirements" in the first cycle and "Revise analysis requirements" in later cycles, Step 2 "Identify and classify hazards", Step 3 "Decide and act on hazards" and Step 4 "Track, communicate and accept hazards"; three cycles are shown, all feeding the hazard analysis documentation.)

Figure 4-8: The nine tasks associated with the four steps of the hazard analysis process
Step 1: Define hazard analysis implementation requirements
Task 1: Define the hazard analysis scope, objectives and the hazard analysis planning.
Task 2: Define the system baseline to be analysed.
Step 2: Identify and classify the hazards
Task 3: Identify hazard manifestations.
Task 4: Identify and classify hazard scenarios.
Step 3: Decide and act
Task 5: Decide if the hazards can be accepted.
Task 6: Reduce the hazards.
Task 7: Recommend acceptance.
Step 4: Track, communicate and accept the hazards
Task 8: Track and communicate the hazards.
Task 9: Accept the hazards.
(The vertical bracket labelled "Hazard analysis cycle" in the figure groups the tasks repeated in each cycle; see clause 4.3.2.)

4.4 Hazard analysis implementation
4.4.1 Overview
Implementation of hazard analysis in a project is based on single or multiple, i.e. iterative, application of the hazard analysis process. The tasks associated with the individual steps of the hazard analysis process vary according to the scope and objectives specified for hazard analysis. The scope and objectives of hazard analysis depend on the type and phase of the project.
Hazard analysis requires commitment in each actor's organization, and the establishment of clear lines of responsibility and accountability. Project management has overall responsibility for the implementation of hazard analysis, ensuring an integrated, coherent hazard analysis approach.
4.4.2 General considerations
Hazard analysis is implemented as a team effort, with tasks and responsibilities being assigned to the functions and individuals within the project organization with the relevant expertise in the areas of safety and engineering concerned by a given hazard.
The results of hazard analysis are used as input to project reviews and project management during the evolution of the system.
Annex C provides background information on traditionally performed hazard analyses.
4.4.3 Type of project considerations
Hazard analysis activities differ according to the type of project and required safety effort. However, the hazard analysis process is the same in each case. Hazard analysis activities are linked to different types of projects, such as:
a. Hazard analysis at sub-supplier level for safety of part of the spacecraft design and the operation of a manned or unmanned mission and as input to system safety efforts.
b. Hazard analysis at prime supplier level for system safety of total space system design and the operation of a manned or unmanned mission.
c. Hazard analysis at any supplier level for payload safety.
d. Hazard analysis at any supplier level for safety of spacecraft verification activities.
e. Hazard analysis at any supplier level for safety of other ground activities, operations and launch.
4.4.4 Documentation of hazard analysis
Hazard analyses are documented to ensure that all associated decisions are traceable and defensible.
Every task of the hazard analysis process is documented.
Example forms for summarizing the results of the tasks are presented in ECSS-Q-ST-40, DRD for Hazard reports. See Annex B of this Standard for examples.
4.5 Hazard analysis documentation
The hazard analysis process is documented to ensure that the scope and objectives of hazard analysis are established, understood, implemented and maintained, and that an audit trail can track the origin and rationale of all safety-related decisions made during the life of the project.
4.6 Integration of hazard analysis activities
Hazard analysis activities are performed at different levels of the customer-supplier chain. The lower level hazard analysis activities are integrated into the system level hazard analysis activities. The proper and effective integration of these tasks is of major importance and is typically achieved by applying the following:
a. The top-down approach from the system to lower level is to identify the required lower level hazard analysis inputs. The required inputs are linked to knowledge of the domain.
b. The lower level task is to consider that domain and to develop and provide the required input to the next level up.
c. The system level task, using a bottom-up approach, logically and effectively integrates the lower level hazard analysis inputs into the system level hazard analysis.
The above statements 4.6a to 4.6c assist in achieving the following results:
1. Proper allocation of the consequence severity categories at system level.
2. Proper development and implementation of hazard reduction.
3. Identification of the unresolved hazards in a timely manner.
4. Assurance that all aspects are considered in order to optimize and harmonize hazard reduction.
4.7 Objectives of hazard analysis
The general objectives of hazard analysis are to:
- assess the level of safety of a system in a deterministic way;
- increase the level of safety of a system through hazard reduction;
- initiate the use of hazard reduction to drive the definition and implementation of, for example, design and operation requirements, specifications, concepts, procedures;
- provide a basis for defining adequate safety requirements, determining the applicability of safety requirements, implementing safety requirements, verifying their implementation, and demonstrating compliance or non-compliance;
- provide input to safety risk assessment and overall risk management;
- support safety-related project decisions;
- support safety submissions and reviews through documented evidence; and
- support safety certification of a system through documented evidence.
The specific objectives of hazard analysis with respect to a project-specific application are determined under Step 1 of the hazard analysis process (see clause 4.3 and clause 5).

5 Requirements
5.1 Hazard analysis requirements
a. The supplier shall perform the hazard analysis according to the four-step process comprising the nine tasks as defined in clause 5.2.
b. The supplier shall document the outputs of hazard analysis in conformance with the requirements of ECSS-Q-ST-40, Hazard report - Document requirements definition (DRD).
5.2 Hazard analysis steps and tasks
5.2.1 Step 1: Define hazard analysis implementation requirements
5.2.1.1 Introduction
The implementation of hazard analysis in a project starts with Step 1, which is performed at the beginning of the project and comprises Tasks 1 and 2.
5.2.1.2 Task 1: Define the scope, the objectives of hazard analysis and the hazard analysis planning
a. The supplier shall perform task 1 according to the following procedure:
1. Establish the purpose and application boundaries of hazard analysis.
2. Define the type of project and relevant part of the project life cycle.
NOTE For type of project considerations refer to clause 4.4.3.
3. Identify applicable safety requirements.
4. Define customer requirements and interfacing supplier requirements.
5. Define the hazard analysis approach commensurate with the purpose and including the necessary depth of analysis.
6. Identify relevant input data for hazard analysis.
NOTE Data such as FMECA and CC&M, similar analysis from, for example, other projects, experience data, system models and expert judgement.
7. Establish scoring schemes for the severity of safety consequences for the classification of hazard scenarios commensurate with ECSS-Q-ST-40, "Severity of hazardous event", and the project risk management policy in conformance with ECSS-M-ST-80.
NOTE An example of such a scoring scheme is given in Table 5-1, which is consistent with the "Severity of consequences" table specified in ECSS-Q-ST-40.
8. Use the consequence severity categories "Catastrophic" and "Critical" in conformance with ECSS-Q-ST-40 for any space projects and applications.
NOTE In addition, other categories can be used to complete the assessment of the safety consequences.
Table 5-1: Example of a safety consequence severity categorization
Category | Severity | Severity of safety consequence
1 | Catastrophic | Loss of life, life-threatening or permanently disabling injury or occupational illness; loss of an element of an interfacing manned flight system; loss of launch site facilities or loss of system; severe detrimental environmental effects.
2 | Critical | Temporarily disabling, but not life-threatening injury or illness; major damage to flight systems or loss of or major damage to ground facilities; major damage to public or private property; major detrimental environmental effects.
3 | Marginal | Minor injury, minor disability, minor occupational illness; minor system or environmental damage.
4 | Negligible | Less than minor injury, disability, occupational illness; less than minor system or environmental damage.

9. Plan the hazard analysis application.
10. Establish criteria to determine the actions to be taken on hazards, hazard reduction and the associated decision levels in the project structure.
11. Define hazard acceptance criteria for individual hazards and hazard scenarios.
12. Define the strategy, and the formats to be used for documenting hazard analysis data and communication of hazard analysis results to the decision makers, and for monitoring the hazards.
13. Describe the review, decision and implementation flow within the project concerning all hazard analysis matters.
5.2.1.3 Task 2: Define the system baseline to be analysed
a. The supplier shall perform task 2 according to the following procedure:
1. Define and describe the design and operation subjected to hazard analysis.
NOTE This can be drawings, procedures and test reports.
2. Revise the system baseline definition for each hazard analysis cycle with the level of detail available at that time.
NOTE Refer to configuration files, as defined by ECSS-M-ST-40, for a valid configuration baseline definition.
5.2.2 Step 2: Identify and assess the hazards
5.2.2.1 Introduction
The purpose is to identify hazard manifestations and hazard scenarios and to classify them according to the consequence severity.
5.2.2.2 Task 3: Identify hazard manifestations
a. The supplier shall perform task 3 according to the following procedure:
1. Identify generic hazards applicable to the system design and operation using a hazard matrix.
NOTE 1 For examples of generic hazards refer to Annex A.
NOTE 2 The example in Table 5-2 shows part of a hazard matrix, in this case for the ground operation phase. Each element of the matrix indicates the applicability of the generic hazard to the corresponding subsystem.
2. Identify and give a detailed definition of system specific hazards and describe them in the form of hazard manifestations.
NOTE Table 5-3 shows an example of part of a list of hazard manifestations. Each row of the list describes the manifestation of the hazard for each subsystem within each specific mission phase.
Table 5-2: Example of a hazard matrix
Hazard matrix for ground operation
Generic hazards | Propulsion subsystem | Instruments | Communication subsystem
High pressure | X | - | -
High temperature | - | - | -
Toxicity | X | X | -
Flammability | X | - | -
X = applicable; - = not applicable

Table 5-3: Example of a hazard manifestation list
Mission phase | Subsystem | Hazard manifestation
Ground operation | Propulsion | Filling of Y litres of toxic propellant into two tanks at a pressure of X1 Pa
Ground operation | Instruments | Painting and seal material used in instrument cabinet A emitting toxic fumes if exposed to fire
In-orbit operation | Propulsion | Propellant lines under pressure at X2 Pa
In-orbit operation | Instruments | Painting and seal material used in instrument cabinet A emitting toxic fumes if exposed to fire

5.2.2.3 Task 4: Identify and classify the hazard scenarios
a. The supplier shall perform task 4 according to the following procedure:
1. Identify the hazard scenarios associated with the hazard manifestations by identifying the causes, events and safety consequences, according to the hazard analysis planning, by performing the following procedure:
(a) Determine events triggering the hazards, i.e. causes, with description of the causes in terms of definition of physical or functional failures or other physical phenomena, which bring about the activation of the hazards.
(b) Determine the physical propagation of events from a cause to the consequences, through investigation of the physical layout of the system and assessment of mechanisms involving physical damage propagation, and description of the physical behaviour of the system in response to the occurrence of the causes.
(c) Determine the functional propagation of events from a cause to the consequences through investigation of the functional layout of the system and assessment of mechanisms involving functional failure propagation, and description of the functional behaviour of the system in response to the occurrence of the causes.
NOTE A combination of the above cases 5.2.2.3a.1(a) to 5.2.2.3a.1(c) can also apply.
(d) Identify common cause and common mode phenomena and their propagation to safety consequences, and description of the physical and functional behaviour of the system in response to the occurrence of these events.
NOTE Refer to ECSS-Q-ST-40 for common-cause and common-mode failure analysis.
(e) Determine time-related event propagation and the description of the physical and functional behaviour of the system in response to the occurrence of these events.
(f) Determine operation sequence induced event propagation associated with operational steps and procedures, and description of the physical and functional behaviour of the system in response to the occurrence of these events.
(g) Determine failure events, as determined in the FMECA, propagating to safety consequences.
NOTE For details on the FMECA refer to ECSS-Q-ST-30-02.
2. Identify the propagation time, the observable symptoms and the detection time for each hazard scenario.
3. Determine the consequence severity of each hazard scenario according to the severity categorization defined in clause 5.2.1.2.
4. Determine the hazard trees by identifying all hazard scenarios originating from one and the same hazard manifestation.
5. Determine the consequence trees by identifying all hazard scenarios leading to one and the same safety consequence.
6. Use the hazard and consequence trees to screen for additional hazard scenarios.
7. Identify information sources, interfacing analysis and methods used to support the identification process and to justify the hazard scenarios.
NOTE 1 Interfacing analysis can be a FMECA.
NOTE 2 The example in Table 5-4 shows part of a hazard scenario list. Each row of the list describes the scenario for each manifestation of the hazard for each subsystem within each specific mission phase.
Table 5-4: Example of a hazard scenario list
Hazard scenario list for in-orbit phase

Hazard manifestation                                                 | Cause                   | Events                    | Consequence                        | Consequence severity | Observable symptoms  | Propagation and reaction time
In-orbit pressurized manned module: meteorite debris environment    | Meteorite debris impact | Shell rupture, explosion  | Loss of spacecraft and astronauts  | Catastrophic         | None                 | P-time: 1 s; R-time: N/A
In-orbit pressurized manned module: meteorite debris environment    | Meteorite debris impact | Shell damage, leakage     | Loss of spacecraft and astronauts  | Catastrophic         | Module pressure drop | P-time: 3 min; R-time: < 3 min
5.2.3 Step 3: Decide and act
5.2.3.1 Introduction
In this step the acceptability of hazards and hazard reduction options is analysed and the appropriate hazard reduction strategy is determined.
5.2.3.2 Task 5: Decide if the hazards can be accepted
a. The supplier shall perform task 5 according to the following procedure:
1. Apply the hazard acceptance criteria to the hazards as defined in clause 5.2.1.2.
2. Identify the acceptable hazards and those that are subjected to hazard reduction.
3. For acceptable hazards, proceed directly to 5.2.4; for unacceptable hazards proceed to clause 5.2.3.3.
5.2.3.3 Task 6: Reduce the hazards
a. The supplier shall perform task 6 according to the following procedure:
1. Determine measures in the form of design and operation features through which the hazards can be eliminated.
2. Where hazards cannot be eliminated, determine measures in the form of design and operation features through which hazards can be minimized and controlled.
3. For hazard control, identify the preventive and mitigation measures in the following order of precedence:
(a) Design and operation features that prevent the occurrence of a cause.
NOTE For example through safety features.
(b) Design and operation features that prevent or interrupt the physical propagation of a cause to an event.
NOTE For example through introduction of physical barriers.
(c) Design and operation features that prevent or interrupt the functional propagation of a cause to an event.
NOTE For example through introduction of functional redundancy.
(d) Design and operation features that prevent or interrupt the functional propagation of a cause to an event through introduction of an emergency, warning and caution function.
(e) Design and operation features that reduce the severity of a consequence through introduction of a safing, escape or rescue feature or function.
(f) Procedures or changes in operational steps and procedures.
4. Determine hazard reduction success, failure and verification criteria.
5. Determine verification means and methods for the implementation of hazard reduction.
6. Select and prioritize the hazard reduction measures.
7. Verify hazard reduction through application of the verification means and methods.
8. Identify the resolved and unresolved hazards.
5.2.3.4 Task 7: Recommend acceptance
a. The supplier shall perform task 7 according to the following procedure:
1. Submit the hazard analysis results data.
2. Present the unresolved hazards for further action.
3. Provide the rationale and supporting data for resolution and acceptance of the hazards.
5.2.4 Step 4: Track, communicate and accept the hazards
5.2.4.1 Introduction
The purpose of this step is to track, update, iterate and communicate hazards, and finally to accept the residual hazards.
5.2.4.2 Task 8: Track and communicate the hazards
a. The supplier shall perform task 8 according to the following procedure:
1. Periodically assess and review all identified hazards and update the results after each iteration of the hazard analysis process.
2. Identify changes to existing hazards, and subsequently initiate new hazard analysis.
3. Verify the performance and the effect of the hazard reduction activities.
4. Identify and communicate the evolution of hazards over the project life cycle.
5.2.4.3 Task 9: Accept the hazards
a. The supplier shall perform task 9 according to the following procedure:
1. Submit the residual hazards to formal hazard acceptance.
2. Assess the performance of the hazard analysis processes and implement improvement of the effectiveness based on experience with project progress.

Annex A (informative)
Examples of generic hazards
a. Thermodynamic and fluidic
- Pressure (difference, high, low, vacuum)
- Temperature (difference, high, low)
- Heat transfer
- Fluid jet
- Thermal properties of materials
b. Electrical and electromagnetic
- Voltage (high, medium, low)
- Static electricity
- Electric current (high, medium, low)
- Magnetic field (induced, external)
- Ionization
- Sparks
c. Radiation
- Light (infrared, visible, ultraviolet, laser)
- Radioactivity (alpha, beta, gamma rays)
- Open fire
d. Chemical
- Toxicity
- Corrosiveness
- Flammability
- Explosiveness
- Asphyxiant
- Irritant
e. Mechanical
- Physical impact or mechanical energy
- Mechanical properties of materials (e.g. sharp, rough, slippery)
- Vibration
f. Noise
- Frequency and intensity
g. Biological
- Human waste
- Microorganism
- Carcinogenic
h. Psychological
i. Physical
- Confined space
j. Environment: space
- Zero gravity
- Vacuum
- Atmospheric composition
- Contaminants, pollutants
- Meteorite and space debris
- Temperature (difference, low, high)
- Radiation
- South Atlantic anomaly
k. Environment: Earth
- Environmental extremes
- Natural disasters
- Lightning
Annex B (informative)
Hazard and safety risk register (example) and ranked hazard and safety risk log (example)

Header:
Project | Organization | Source | Date and issue
WBS Ref. | Controlled by | Supported by | Approved by

Hazard description and safety risk magnitude:
No. | Hazard scenario title | Hazard manifestation | Cause, events and safety consequence

Safety consequence severity (S): Negligible = IV | Marginal = III | Critical = II | Catastrophic = I
Likelihood (L): Minimum = E | Low = D | Medium = C | High = B | Maximum = A
Risk index (R = S x L): Risk = Safety | Red* | Yellow* | Green*
Numerical estimate:
Numerical risk and uncertainty contribution:

Hazard and safety risk decision and action:
Accept hazard and safety risk | Reduce hazard and safety risk

Hazard reduction measures:
Hazard elimination:
Hazard minimization:
Hazard control:
Hazard reduction verification means:

Expected safety risk reduction:
Severity, likelihood, risk index:
Numerical estimates:
Safety risk rank:

Actions | Status
Agreed by project management | Hazard status

* Enter R in the appropriate column: the correspondence of the risk index scores for red, yellow and green is defined in the project risk management policy.
Figure B-1: Example of a hazard and safety risk register (see also ECSS-M-ST-80)
Header:
Project | Organization | Date and issue

Rank | No. | Hazard scenario title | Risk* (Red | Yellow | Green) | Actions and status
(eight empty rows, each with Risk = Safety)

* Enter R from the hazard and safety risk register.
Figure B-2: Example of a ranked hazard and safety risk log
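The register of Figure B-1 and the ranked log of Figure B-2 hinge on the risk index R = S x L and on the colour bands that the standard leaves to the project risk management policy. The Python below is an added worked example for this page, not ECSS code; it also covers the accept/reduce decision of 5.2.3.2 Task 5. The severity and likelihood labels are those of Figure B-1; the numeric scores behind them, the Red/Yellow/Green thresholds, the "only green may be accepted" rule and the four register entries are all constructed assumptions for the illustration.

```python
"""Risk index, colour band and ranked log for the Annex B forms (illustrative example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Labels from Figure B-1. The scores are this example's assumption (Negligible..Catastrophic
# = 1..4, Minimum..Maximum = 1..5); the real scheme is set by the project risk policy.
SEVERITY = {"IV": 1, "III": 2, "II": 3, "I": 4}
LIKELIHOOD = {"E": 1, "D": 2, "C": 3, "B": 4, "A": 5}

# Assumed policy bands on R = S x L (range 1..20).
RED_MIN, YELLOW_MIN = 12, 6


@dataclass
class RegisterEntry:
    no: int
    title: str
    severity: str     # "IV" .. "I"
    likelihood: str   # "E" .. "A"


def risk_index(severity: str, likelihood: str) -> int:
    """R = S x L as written on the register form."""
    return SEVERITY[severity] * LIKELIHOOD[likelihood]


def colour(r: int) -> str:
    """Map R to the Red/Yellow/Green column (assumed thresholds)."""
    if r >= RED_MIN:
        return "Red"
    if r >= YELLOW_MIN:
        return "Yellow"
    return "Green"


def decision(entry: RegisterEntry) -> str:
    """Task 5 outcome under the assumed policy: only green hazards may be accepted,
    everything else goes to hazard reduction (5.2.3.3)."""
    r = risk_index(entry.severity, entry.likelihood)
    return "Accept hazard and safety risk" if colour(r) == "Green" else "Reduce hazard and safety risk"


def expected_reduction(entry: RegisterEntry, new_severity: Optional[str] = None,
                       new_likelihood: Optional[str] = None) -> Tuple[int, int]:
    """'Expected safety risk reduction' block: R before and after a proposed measure.
    Elimination removes the cause (likelihood), a safing/escape feature lowers severity."""
    before = risk_index(entry.severity, entry.likelihood)
    after = risk_index(new_severity or entry.severity, new_likelihood or entry.likelihood)
    return before, after


def ranked_log(entries: List[RegisterEntry]) -> List[Tuple[int, int, str, int, str]]:
    """Figure B-2 rows: (rank, no., title, R, colour), highest R first, worse severity breaks ties."""
    ordered = sorted(entries, key=lambda e: (-risk_index(e.severity, e.likelihood),
                                             -SEVERITY[e.severity]))
    return [(rank, e.no, e.title, risk_index(e.severity, e.likelihood),
             colour(risk_index(e.severity, e.likelihood)))
            for rank, e in enumerate(ordered, start=1)]


# Constructed register entries (titles modelled on Tables 5-3 and 5-4; S and L invented).
REGISTER = [
    RegisterEntry(1, "Meteorite debris impact: shell rupture, explosion", "I", "C"),
    RegisterEntry(2, "Meteorite debris impact: shell damage, leakage", "I", "B"),
    RegisterEntry(3, "Toxic fumes from cabinet A paint and seal material under fire", "II", "D"),
    RegisterEntry(4, "Propellant filling overpressure on ground", "III", "E"),
]

if __name__ == "__main__":
    for row in ranked_log(REGISTER):
        print(row)
    for e in REGISTER:
        print(e.no, decision(e))
```

Keeping the scoring tables and thresholds in one place matters more than the arithmetic: when the project policy changes the bands, every register entry and the ranked log are re-derived from the same source instead of being edited by hand.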

Annex C (informative)
Background information
C.1 Preliminary hazard analysis (PHA)
The purpose of the PHA is to identify safety-critical areas, to identify and evaluate hazards, and to identify design and operations requirements needed in the programme concept phase.
The PHA is performed to document an initial risk assessment of a concept or system. It is based on the best available data, including data from similar systems and lessons learned from other programmes. The PHA provides consideration of the following, as a minimum, for the identification and evaluation of hazards:
a. Hazard sources (e.g. propellants, lasers, explosives, toxic substances, corrosives, hazardous construction materials, pressure systems and other energy sources).
b. Safety-related interface considerations among various parts or elements of the analysed item, facilities and GSE (e.g. material compatibility, contamination, electromagnetic interference, inadvertent activation, fire or explosion initiation and propagation, and hardware and software controls).
c. Environmental constraints, including the operating environment (e.g. drop, shock, vibration, extreme temperature, noise, exposure to toxic substances, confined space, fire, electrostatic discharge, lightning, electromagnetic effects, and ionizing and non-ionizing radiation).
d. Operating, test, maintenance, and emergency procedures.
e. Facilities, support equipment and training.
f. Safety-related equipment, safeguards and possible alternative approaches (e.g. monitoring, interlocks, redundancies, hardware or software fail-operational/fail-safe design consideration, fire protection, personal protective equipment, ventilation and noise or radiation attenuation).
C.2 Subsystem hazard analysis (SSHA)
The purpose of the SSHA is to identify hazards to personnel, vehicles, and other systems. The hazards can be caused by: loss of function; accidental activation; energy source; hardware failure; software deficiencies; interaction of
components with subsystem; inherent design characteristics such as sharp edges and incompatible materials; and environmental conditions.
It defines the safety-critical functions, component fault conditions, generic hazards, safety-critical operations and environments associated with the subsystem.
C.3 System hazard analysis (SHA)
The purpose of the SHA is quite similar to the SSHA, but related to the system level. Once the subsystem levels have been established, a combination of subsystems makes up a system.
The SHA accomplishes the same purpose as the SSHA, but in terms of the interfaces and the overall system performance and operation.
C.4 Operating hazard analysis (OHA)
The purpose of the OHA is to identify hazards and recommend risk reduction alternatives in procedurally controlled activities during all phases of intended system usage. It can generally be part of the system hazard analysis (SHA), since it is interrelated with system safety features.
The OHA identifies and evaluates hazards resulting from the implementation of operations or tasks performed by persons and equipment and considers the following:
a. planned system configuration at each activity phase,
b. facility interfaces,
c. planned environments,
d. supporting tools or other equipment specified in use,
e. operation or task sequence and limitations,
f. potential for unplanned events including hazards introduced by human error, and
g. the requirements for warnings, cautions and special emergency procedures.
The OHA can be conducted in parallel with development of procedures for manufacturing, processing and operation.
Bibliography
ECSS-S-ST-00 ECSS system - Description, implementation and general requirements
ECSS-M-ST-10 Space project management - Project planning and implementation
ECSS-M-ST-40 Space project management - Configuration and information management
ECSS-Q-ST-30-02 Space product assurance - Failure modes, effects (and criticality) analysis (FMEA/FMECA)
ISO 14620-2:2000 Space systems - Safety requirements - Part 2: Launch site operations