Accident Frequency Categorization

Definitions

Accident frequency categorization

the safety work product that categorizes:

Accidents in terms of accident frequency level
Hazards in terms of hazard accident frequency level or hazard frequency level

Accident Frequency Level (AFL)

a category of accidents based on the maximum frequency that they may occur

Hazard Accident Frequency Level (HAFL)

a category of hazards based on the maximum frequency that these hazards may cause an accident to occur

Hazard Frequency Level (HFL)

a category of hazards based on the maximum frequency that these hazards may occur

Objectives

The typical objectives of the accident frequency categorization are to:

Divide the continuum of accident (and hazard) frequencies into a small number of manageable and useful levels that can be treated as equivalence classes when dealing with safety risk and risk mitigation.

Benefits

The typical benefits of the accident frequency categorization are to:

Support hazard and safety risk analysis.
Help determine mandatory risk mitigation approaches.
Promote communication about safety.
Set safety policy (e.g., mandatory reporting)

The typical contents of the accident frequency categorization are:

Frequency Level
Definitions of associated ranges of frequencies

Stakeholders

The typical stakeholders of the accident frequency categorization are:

Producer:
- Safety Team
Evaluators:
- Safety Evaluation Team
Approvers:
- Project Management Team
- Customer Representative
Maintainers:
- Safety Team
Users:
- Safety Team, which uses the accident frequency categorization to produce hazard indices, which in turn are used to produce safety assurance levels and safety evidenc assurance levels.

Phases

Business Strategy: Not Applicable
Business Optimization: Not Applicable
Initiation: Completed
Construction: Maintained
Delivery: Maintained
Usage: Maintained
Retirement: Archived

Preconditions

The accident frequency categorization typically can be started if the following preconditions hold:

The initiation phase is started.
The safety team is adequately staffed and trained in safety program planning.

Inputs

The accident frequency categorization typically has the following inputs:

Work Products:
- Safety Program Plan
Stakeholders:
- Customer Representatives
- Safety Domain Experts

Guidelines

Because a hazard may exist without causing an accident, the probability that a hazard causes an accident equals the probability that the hazard exists multiplied by the probability that the hazard causes an accident if it exists.
Accident and hazard frequency is a function of the safety architecture, design, and implementation. By modifying the safety architecture, design, and implementation (e.g., adding safeguards), hazards and accidents can be eliminated and their frequency reduced.
Depending on the system, the frequencies of accident and hazards can vary more or less continuously from frequent to extremely rare. To make the number of frequency levels small and manageable, keep the number of frequency levels small (e.g., from 3 to 6).
The number and definitions of the individual frequency levels may be system specific, specific to a given application domain, or they may be determined based on the use of international standards.
Start with an accident frequency categorization from some international standard.
Modify the standard accident frequency categorizations to meet the needs of the endeavor.
Accident frequency layers may need to be developed for both individual systems (e.g., a single aircraft) and systems of systems (e.g., all aircraft in service).
Create hazard frequency layers by grouping hazards by the maximum severity of their associated accidents.

Because it is often extremely difficult to estimate the frequency of accidents due to software components, safety risk categorizations can be developed using software control categories instead.
The US Department of Defense military standard, Mishap Risk Management (MIL-STD-882D: 1998), defines software control categories as follows:

Software Control Categorization
Software Control Category	Definition
I	Software exercises autonomous control over potentially hazardous hardware systems, subsystems, or components, without the possibility of intervention to preclude the occurrence of a hazard. Failure of the software or a failure to prevent an event leads directly to a hazard occurrence.
IIa	Software exercises control over potentially hazardous hardware systems, subsystems, or components, without time for intervention by independent safety systems to mitigate the hazard.
IIb	Software item displays information requiring immediate operator action to mitigate a hazard.
IIIa	Software item issues commands over potentially hazardous hardware systems, subsystems, or components, requiring human action to complete the control function.
IIIb	Software generates information of a safety-critical nature used to make safety-critical decisions.
IV	Software does not control safety-critical hardware systems, subsystems, or components, and does not provide safety-critical information.

Conventions

The accident frequency categorization is typically constrained by the following conventions:

Content and Format Standard
MS Word Template
XML DTD
Inspection Checklist

Examples

As illustrated by the following example tables, the number and definitions of severity levels varies by application domain and international standards. Example accident frequency categorization tables from various international standards include:

Medical Equipment
Railways
United Kingdom Ministry of Defense
United States Department of Defence

Medical Equipment

The International Electrotechnical Commission (IEC) standard, Medical Electrical Equipment - Part 1: General Requirements for Safety (IEC 601-1-4: 1996), uses the following accident/hazard frequency levels but does not define them:

Accident/Hazard Severity Level
Frequent
Probable
Occasional
Remote
Improbable
Incredible

Railways

The European Community standard, Railway Applications: Software for Railway Control and Protection Systems (CENELEC EN 50128: 1997), defines accident/hazard frequency levels as follows:

Accident/Hazard Frequency Categorization
Frequency Level	Accident Definition	Hazard Definition
Frequent	Accidents are likely to occur frequently.	The hazard will be continuously experienced.
Probable	Accidents will occur several times.	The hazard can be expected to occur several often.
Occasional	Accidents are likely to occur several times.	The hazard can be expected to occur several times.
Remote	An accident is likely to occur at some time in the system lifecycle.	It can be reasonably expected for the hazard to occur.
Improbable	It is unlikely, but possible, for an accident to occur.	It can be assumed that the hazard may exceptionally occur.
Incredible	An accident is extremely unlikely to occur.	It can be assumed that the hazard may not occur.

United Kingdom Ministry of Defense

The United Kingdom Ministry of Defense military standard, Safety Management Requirements for Defence Systems Containing Programmable Electronics: Part 1 - Requirements (DEF STAN 00-56 (Part 1)/Issue 2: 1996), defines accident/hazard frequency levels as follows:

Accident Frequency Categorization
Accident Frequency Category	Definition
Frequent	Likely to be continually experienced during the operational life of all instances of the system
Probable	Likely to occur often during the operational life of all instances of the system
Occasional	Likely to occur several times during the operational life of all instances of the system
Remote	Likely to occur sometime during the operational life of all instances of the system
Improbable	Unlikely, but may exceptionally occur during the operational life of all instances of the system
Implausible	Extremely unlikely that the accident will occur at all during the operational life of all instances of the system given the assumptions about the domain and the system

United States Department of Defence

The US Department of Defense military standard, Mishap Risk Management (MIL-STD-882D: 1998), defines accident frequency levels as follows:

Accident Frequency Categorization
Accident Frequency Level	Instance Definition	Instance Lifetime Probability	All Instances Definition
Frequent	Likely to occur often in the life of an instance of the system	10 ^-1< Pr(x) <= 1	Continuously experienced
Probable	Will occur several time in the life of an instance of the system	10 ^-2< Pr(x) <= 10 ^-1	Will occur frequently
Occasional	Likely to occur some time in the life of an instance of the system	10 ^-3< Pr(x) <= 10 ^-2	Will occur several times
Remote	Unlikely but possible to occur several times in the life of an instance of the system	10 ^-6< Pr(x) <= 10 ^-3	Unlikely, but can reasonably be expected to occur
Improbable	So unlikely, it can be assumed not to occur during the life of an instance of the system	0 < Pr(x) =< 10 ^-6	Unlikely to occur, but possible