Hazard Checklist


Hazard Identification

PPT-072-01
Hazard Identification
• HAZID process must be ongoing to ensure existing hazards are known, and
• New hazards recognized before they are introduced:
 - Prior to modification of facility
 - Prior to change in workforce
 - Before and during abnormal operations, troubleshooting
 - Facility early warning signals
 - Employee feedback
 - After an incident
Safety Inspection Checklist
Brainstorming
Advantages
• Useful starting point for many HAZID techniques to focus a group’s ideas, especially at the concept phase
• Facilitates active participation and input
• Allows employees’ experience to surface
• Enables “thinking outside the box”
• Very useful at early stages of hazard identification
Disadvantages
• Less rigorous and systematic than other techniques
• High risk of missing hazards unless combined with other tools
• Relies on experience and competency of facilitator

Introduction to HAZOP


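Guide word method
• A team of experienced experts from different disciplines raises safety-related questions about the design and operation of the unit and jointly discusses ways to resolve them
• Advantage: comprehensive
• Disadvantage: time-consuming
Experience-based method
• Relies mainly on existing experience to carry out a HAZOP study of the related and changed parts of a reused project
• Advantage: relatively time-saving
• Disadvantage: requires existing experience
Checklist method
• Experienced specialists list the items to be checked; inspectors are then sent to answer the checklist questions one by one for the area being inspected, and improvement suggestions are made based on the analysis results
• Advantage: quick
• Disadvantage: prone to omissions
Classification of HAZOP methods
• Mainstream HAZOP is divided into traditional HAZOP and model-based HAZOP (Model-based HAZOP)
Traditional HAZOP
• The traditional technique commonly takes three forms: the guide word form (Guide Word Approach), the experience-based form (Knowledge-Based HAZOP) and the checklist form (Checklist)
Introduction to HAZOP
May 2009
What is HAZOP?
• HAZOP is the abbreviation of Hazard and Operability Study. It is an analysis method that systematically analyzes the potential hazards of a process, and it has been proven applicable to project concepts in the petrochemical industry or the nuclear industry.
Scope of application of HAZOP
• It can be applied to process design, engineering design, technical retrofits, existing production units, unit maintenance, and research and test units.
Role of HAZOP
• 1. Identifying risks and hidden dangers
• 2. Training
• 3. 完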

Dangerous Goods Acceptance Checklist - 2009 Instructions


Returned to shipper using DOT-SP 14691
Due to the regulatory discrepancies indicated, your shipment cannot be transported by FedEx.
Tracking Number ___________________________________________ Date ______________________________________________________
Inspected By ______________________________________________ Emp # ____________________________________________________
For Dry Ice shipments, refer only to the shaded items (e.g., 1).

1. □ If international shipments (Form 400 series), ensure SRG shows “D” designation.
2. □ If 023 air waybills, correct statement(s) in the Handling Information box, as appropriate. [8.2.1; 8.2.3]
3. □ Complies with all applicable government and FedEx variations. [2.9.2; 2.9.4]
4. If FedEx Express Lithium Battery Part 1 label (A45) is used:
4a. □ Shipper must be on the FedEx Express Part 1 (A45) Preapproval list. [FX-10] AND
4b. □ A correctly completed IATA Lithium Battery Label must be on the package. [7.4.8]
5. □ Hazardous waste is prohibited. [USG-04; FX-05]
6. □ UN 1001, UN 1162, UN 1308 (packing group I), and UN 1873 are prohibited. [FX-15]
7. □ Special Provision A2 (column M) prohibited even with competent authority approval. [FX-16]

The following must be on the Declaration and package:
(Refer to IATA DGR 8.1.6.9.1 for allowed sequence on Declaration only.)
8a. □ UN or ID number, preceded by the prefix “UN” or “ID”, is on the Declaration. [8.1.6.9.1, Step 1]
8b. □ UN or ID number, preceded by the prefix “UN” or “ID”, is marked on the package. [7.1.5.1 (a)]
9a. □ Proper shipping name (for ★ entries, the technical name in parentheses, or the word “SAMPLE”) is on the Declaration. For UN 2814 or UN 2900, technical name or “suspected category A infectious substance” in parentheses, is on the Declaration. [4.1.2.2; 8.1.6.9.1, Step 2; A140]
9b. □ Proper shipping name (for ★ entries, the technical name in parentheses, or the word “SAMPLE”) is marked on the package. [4.1.2.2; 7.1.5.1 (a)]
10a. □ Shipper and consignee name and address are on the Declaration. May differ from that on the airbill [8.1.6.1; 8.1.6.2]
10b. □ Shipper and consignee name and address are marked on the package. [7.1.5.1 (b)]
11a. □ “RQ”, if indicated as a package marking, must be on the Declaration. [2.9.2; USG-04]
11b. □ “RQ”, if indicated on the Declaration, must be marked on the package. [2.9.2; USG-04]
12a. □ DOT-E or DOT-SP approval number on the Declaration when shipped as a DOT exemption or special permit.
12b. □ DOT-E or DOT-SP approval number is marked on the package, if required.
12c. □ A copy of the DOT-E or DOT-SP letter must travel with the shipment, if required.
13. If Special Provision A20 is shown in the Blue Pages:
13a. □ A statement similar to that shown in the Additional Handling block of Fig. 8.1.E must be on the Declaration. [A20]
13b. □ The Keep Away From Heat label must appear on the package. [A20]

On the Declaration Only:
Tracking number, airport/city of departure, and destination may be completed by the shipper or the Dangerous Goods Specialist. There must be at least 3 copies in English. 2 copies must have red hatchings. [FX-14]
14. □ Typewritten or computer generated. [FX-12]
15. □ Page of Pages. [8.1.6.4]
16. □ Passenger and Cargo Aircraft or Cargo Aircraft Only limitations correctly indicated. [8.1.6.5]
17. □ Radioactive deleted. [8.1.6.8]
18. □ Class or Division number(s), and when Class 1 is indicated, Compatibility Group letter must be included, matching column C. [8.1.6.9.1, Step 3]
19. □ Subsidiary Risk(s), if applicable, in parentheses, immediately following class or division, matching column C. [8.1.6.9.1, Step 4]
20. □ Packing group, when applicable (e.g., I, II or III), matching column E. If “SAMPLE” is used in place of the technical name, the shipper must select the most restrictive packing group for the proper shipping name. [3.11.1; 8.1.6.9.1, Step 5]
21. □ Number of packages and type of packaging (e.g., 1 fibreboard box, 1 box fibreboard, or 1 4G fibreboard box). [8.1.6.9.2, Step 6 (a)]
22. □ Net quantity or gross weight (G) per package (in metric units) as allowed per the Packing Instruction, Special Provision, or DOT Special Permit, if applicable. [8.1.6.9.2, Step 6 ]
23. □ Packing Instruction number (e.g., 307 or Y419). Ensure all further requirements of the packing instruction have been met. [8.1.6.9.3, Step 8]
24. □ Name, title, place, date, and shipper’s signature. Signature may be typewritten for US domestic shipments, including US Territories. [8.1.6.13; 8.1.6.14; 8.1.6.15]
25. □ 24-hour emergency response telephone number; no beepers or pagers (not required for LTD QTY, or UN 1845, UN 2807, UN 2857, UN 2969, UN 3166, UN 3171, UN 3358, or ID 8000). [USG-12]
26. □ Shipper’s same signature next to amendments and alterations (changes). [8.1.2.6]
27. □ If UN 3268 or UN 0503, the EX number, CA number, or Product Code on the Declaration. [USG-05]
28. □ If UN 1796, UN 1826, or UN 2031, Acid concentration is 40% or less and indicated. [FX-04]
29a. □ If UN 2315 or UN 3432, packaging used is acceptable per FX-06.
29b. □ If UN 3077 or UN 3082 with a technical name of polychlorinated biphenyls (PCBs), packaging used is acceptable per FX-06.
30. □ If UN 3090, shipper must be on the FedEx Express Fully-Regulated Lithium Battery Preapproval list. [FX-10]
31. □ “I DECLARE THAT ALL OF THE APPLICABLE AIR TRANSPORT REQUIREMENTS HAVE BEEN MET” must appear in the additional handling information section or at the end of the certification statement. [8.1.6.12.2; 8.1.7]

On the Package Only:
32. □ Package is in good condition, large enough, and free of leakage, odor, or external damage. FedEx branded packaging, including FedEx brown boxes, must not be used. [5.0.1.2; 9.1.3; FX-11]
33. □ Package is permitted by the Packaging Instruction number.
34. □ strength rating (X, Y, or Z) corresponds with the X for PG I, II, or III; Y for PG II or III; or Z for PG III only; unless further limited by the packing instruction, Special Permit, or Special Provision. [6.0.4.2 (c)]
35. □ Primary hazard label, matching column D. The hazard label must be on same surface as the proper shipping name marking when package dimensions are adequate. [7.2.3.1; 7.2.3.2]

On the Package Only (continued.):
36. □ Subsidiary risk label(s), matching column D. The subsidiary risk label, when required, must be adjacent (not opposite side) to the primary hazard label. [7.2.3.2; 7.2.6.2.3]
37. □ If dry ice, the net weight (in metric units) written on the package. [7.1.5.1 (e)]
38. □ Cargo Aircraft Only label, when required, must be affixed on the same surface of the package near the primary hazard label(s). [7.2.4.2; 7.2.6.3]
39. □ If liquids in combination packages (including All Packed In One) and overpacks, two package orientation labels (up arrows) on opposite sides (not required for Class 3 if inner receptacles are 120 mL or less and Division 6.2 if inner receptacles are 50 mL or less). [7.2.4.4]
40. □ Labels correctly applied, not obscured, not covering required markings; irrelevant markings, labels removed or obliterated. [7.1.1; 7.1.3.1; 7.1.3.2; 7.2.1; 7.2.4.5; 7.2.5; 7.2.6]

Limited Quantity or LTD QTY:
41a. □ “LIMITED QUANTITY” or “LTD QTY” is in the Authorization column on the Declaration when a “Y” packing instruction is used. [8.1.6.9.4, Step 9 (a)]
41b. □ “LIMITED QUANTITY” or “LTD QTY” is marked on the package (not required for overpacks). [7.1.4.1; 7.1.5.3]
41c. □ Gross Weight of the completed package may not exceed 30 kg (66 lb). [2.8.4.2]

Explosives (Class 1):
If 023 Air waybill, requires prior FedEx approval (prior KIAC booking) [FX-01].
42. □ Shippers of Fireworks 1.4G and Fireworks 1.4S must be on the FedEx Express Fireworks Preapproval list.
43. Approval number (not required for ammunition, including Cartridges, Small Arms). [8.1.6.9.4, Step 9; USG-05]
43a. □ If DOT-E or DOT-SP, approval number on the Declaration, and a copy of the DOT-E or DOT-SP letter is attached, if required. OR
43b. □ If CA or EX, approval number is either on the Declaration, or on the package (or both). A copy of the Approval document is not required.
44. □ Compatibility Group letter for explosives on the primary hazard label. [7.2.3.3 (b)]
45. □ Net quantity and Gross weight (G) (in metric units) are on the package. [7.1.5.1 (c)]
46. □ If Packing Instruction 101 is used, a Competent Authority statement similar to that shown in the packing instruction must be on the Declaration.

Gases (Class 2):
Labels of reduced size may be affixed to the shoulder of a cylinder.
47. □ If the outer package is a compressed gas cylinder, the specification markings must be stamped, engraved, or etched, if applicable. [6.4.2.1.1]
48. If using Packing Instruction 202, then the following is required:
48a. □ Cryogenic Liquid handling label. [7.2.4.3]
48b. □ The words “DO NOT DROP - HANDLE WITH CARE” on the package. [7.1.5.1 (g)]
48c. □ “KEEP UPRIGHT” must be at 120-degree intervals around a cylinder or on each side of a package. [7.1.5.1 (g)]
48d. □ Package orientation labels (Up arrows). [7.1.5.1 (g)]
48e. □ Instructions to be followed in the event of emergency, delay, or if the shipment is unclaimed. [7.1.5.1 (g)]
49. □ If UN 1072, must be packed in ATA Specification 300/Category I containers (unless overpacked) with required markings. [FX-13]
50a. □ If UN 1057, approval must be on the Declaration. [USG-07]
50b. □ If UN 1057, approval must be marked on the package. [USG-07]

Toxics (Division 6.1) Primary or Subsidiary Risk [FX-02; 2.9.4]:
51a. □ If 6.1 domestic shipments, packing group I or II (except UN 1230, Methanol), DOT-E or DOT-SP approval number on the Declaration.
51b. □ If 6.1 domestic shipments, packing group I or II (except UN 1230, Methanol), DOT-E or DOT-SP approval number is on the package.
51c. □ If 6.1 domestic shipments, packing group I or II (except UN 1230, Methanol). A copy of the DOT-E or DOT-SP letter must travel with the shipment.
52. □ If 6.1 (except
53. □ If domestic or international shipments, packing group III, “PG III” is written adjacent (not on opposite side) to the label. [FX-02]
54. □ Class 2 substances with a toxic subsidiary risk label will not be accepted for carriage. [FX-02]

Infectious Substances (Division 6.2):
Labels not more than 50% smaller than standard size may be used.
55a. □ The name and telephone number of a person responsible for the shipment on the Declaration. [8.1.6.11.4]
55b. □ The name and telephone number of a person responsible for
56. □ Package is [6.5.3.1.2]

All Packed in One...
57. □ The dangerous goods are compatible. [5.0.2.11 (a) and (b)]
58. □ The words “ALL PACKED IN ONE” and packaging type on the Declaration. [8.1.6.9.2, Step 6 (f)]
59. □ “Q” value is shown on the Declaration, and does not exceed 1.0. The following are not included in the Q value calculation: dry ice, commodities where columns H, J, and L indicate “No Limit”, commodities where columns J and L indicate gross weight per package, or commodities with the same UN number, packing group, and physical state. [5.0.2.11 (g) and (h)]
60. □ If the quantity limit in Columns J or L is shown as gross weight (G), the gross weight of the completed package must not exceed the lowest applicable gross weight. [5.0.2.11(i)]

Overpacks:
61. □ The dangerous goods are compatible. [5.0.1.5.1]
62. □ The words “OVERPACK USED” on the Declaration. [8.1.6.9.2, Step 7]
63. □ The word “OVERPACK” must be marked on the package if all markings and labels are not visible. [7.1.4.1]
64. If Cargo Aircraft Only:
64a. □ One package is contained in the overpack. OR
64b. □ If more than one package is contained, they are assembled so clear visibility and easy access to them is possible. [5.0.1.5.3] OR
64c. □ Shipment is Class 3, PG III without a subsidiary risk, or is a Class 6, 7, or 9. [5.0.1.5.3]

ORM-D Only (49 CFR) - US Domestic Only (Includes US Territories):
Tracking number, airport/city of departure and destination may be completed by the shipper or the Dangerous Goods Specialist. There must be at least 3 copies in English. 2 copies must have red hatchings. [FX-14] FedEx Service Guide requires compliance with all applicable FedEx variations.
65. □ Typewritten or computer generated. [FX-12]
66a. □ Proper shipping name is on the Declaration (Cartridges Small Arms, Cartridges Power Devices, or Consumer Commodity). [172.202 (a)]
66b. □ Proper shipping name is on the package (Cartridges Small Arms, Cartridges Power Devices, or Consumer Commodity). [172.301 (a)]
67a. □ “ORM-D” in the Class or Division column is on the Declaration. [172.202 (a)]
67b. □ “ORM-D-AIR” is on the package and enclosed within a rectangle. [172.316]
68. □ Number of packages and type of packaging (e.g., 1 box, 1 drum, etc.) are on the Declaration. [172.202(a)]
69. □ Gross Weight (G) is on the Declaration. Limit is 66 lb/30 kg; may be in lb or kg. [172.202 (a); 173.156]
70. □ Passenger and Cargo Aircraft or Cargo Aircraft Only is indicated on the Declaration. [172.203 (f)]
71. □ If Cargo Aircraft Only is indicated on the Declaration, a Cargo Aircraft Only label must be affixed to the package. [172.402(c)]
72a. □ Name and address of both the shipper and consignee are on the Declaration.
72b. □ Name and address of either shipper or consignee on the package. [172.301 (d)]
73. □ Signature; may be typed. [172.204 (d)]
74. □ Required markings are not obscured.
75. □ Package is large enough, strong and free of leakage, odors, or external damage. [173.156; FX-11]
76. □ “I DECLARE THAT ALL OF THE APPLICABLE AIR TRANSPORT REQUIREMENTS HAVE BEEN MET” must appear in the additional handling information section or at the end of the certification statement. [172.204(c)]

Comments: _____________________________________

Check here □ if 023 shipment (ATA, IP1, IXF) with no errors.
When 023 shipment with no errors, file the checklist and a copy of the Declaration in the 13-month file.
For further assistance, call 1-800-Go-FedEx (1-800-463-3339), then press 81 to be connected to the Dangerous Goods/Hazardous Materials Hotline.
A customer job aid for IATA shipments is available at: /us/services/pdf/DG_Job_Aid_2009.pdf
DISTRIBUTION: White copy - Return to Shipper
Yellow copy - Retain three days at origin, then discard
EFFECTIVE: 01/01/09 © 2009 FedEx Express FedEx M-2140 01/09 LOGOS 139203 WCS All rights reserved.

Principles for Identifying Hazardous and Harmful Factors: Ten Tools Including PHA and Safety Checklists


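Principles for identifying hazardous and harmful factors

In industrial production and engineering projects, hazardous and harmful factors are the main causes of accidents and occupational diseases.

To prevent these risks, hazardous and harmful factors need to be identified and assessed.

The following are common principles for identifying hazardous and harmful factors:

1. Preliminary Hazard Analysis (PHA)
2. PHA is a process of identifying, assessing and classifying possible hazardous and harmful factors before an activity begins.

It is mainly used for the initial screening of operations or equipment that may be high-risk.

3. Safety Checklist
4. A safety checklist is a standardized tool for identifying potential hazards. It usually consists of a series of questions or check items and is intended to assess the safety of a specific piece of equipment, system or operation.

5. Failure Modes and Effects Analysis (FMEA)
6. FMEA is a systematic failure analysis tool used to identify potential failure modes in a system or process and to assess their effect on system performance.

7. Fault Tree Analysis (FTA)
8. FTA is a logic-diagram method used to identify and analyze possible failure paths in a system.

It identifies potential hazards by decomposing a high-level (top-level) failure into lower-level (intermediate and bottom-level) failure types.

9. Event Tree Analysis (ETA)
10. ETA is a systematic risk analysis tool used to identify the accident consequences that a specific chain of events may lead to.

It identifies potential hazards by starting from an initiating event and analyzing and identifying the subsequent events that may follow.

11. Job Hazard Analysis (JHA)
12. JHA is a risk assessment method for a specific job task, used to identify the hazards that may be faced during the job.

13. Quantitative Risk Assessment (QRA)
14. QRA is a method that uses mathematical models to quantify and assess hazards in order to determine the loss or impact they may cause.

15. Qualitative Risk Assessment (QRA)
16. Qualitative risk assessment is a method based on experience and judgment, used to assess the nature, severity and likelihood of hazards.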

AIB HACCP Checklist


Hazard Analysis Critical Control Point (HACCP) Standard
Prerequisite Programs Checklist
REQUIREMENTS RESULTS / COMMENTS

1. SANITATION
Plant has a documented Sanitation Program
♦ Master Cleaning Schedule has been developed.
  • Facility (floors, walls, non-processing equipment, etc.) are included
  • All process lines are included
  • Processing utensils are included
♦ Written cleaning procedures are developed for all plant areas and equipment
  • Food contact surfaces have been identified.
  • Chemicals, chemical concentration, detailed cleaning procedures, etc. identified
  • Post-maintenance equipment cleaning required for food contact surfaces
♦ Cleaning activities are documented
  • Appropriate procedures used to verify cleaning chemical concentration
  • Appropriate used to verify equipment rinse procedure following sanitation
  • Post sanitation/pre-start up inspections completed
♦ Corrective action is documented
♦ Plant has validated cleaning procedures

2. GMP PROGRAMS
Plant has a documented 3rd party inspections
Plant has a documented Internal Inspection Program
♦ Internal inspections required and completed as scheduled
♦ Corrective action follow up required and documented
Plant has a documented Internal Audit Program
♦ Results completed and documented as scheduled
♦ Corrective action follow up required and documented
Plant has documented GMP Programs
♦ Personnel Hygiene Program
  • Employee uniform policy
  • Employee glove policy
  • Cuts, open sores, illness, etc. policy
♦ Blood Borne Pathogen/Body Fluid Program
  • Clean up kit available
♦ Metal Detector Reject Review Program
♦ Sifter Tailing Review Program (if applicable)
♦ Air Quality Program
♦ Glass and Brittle Plastic Control Program
Plant has a documented Buildings and Ground Program
♦ Design and construction standards are established
♦ Building exterior and grounds are properly maintained
♦ Building interior, maintenance, design, construction, lighting, ventilation, foot traffic, etc. support food safety
♦ Product flow is designed to reduce or eliminate the potential for cross contamination
♦ Sanitary facilities (rest rooms and hand washing facilities) maintained for employees.
Plant has a documented Water Quality Program
♦ A water quality certificate is on file (city water) or annual checks completed (well).
♦ Internal water analysis (TPC/coliform) completed per plant schedule (at least twice per year)
♦ Ice is tested or a COA is available (if applicable) for TPC/Coliform
♦ Back flow preventers in place
  • Location(s) identified (must be on the main water line)
  • Annual certification completed on main water line
♦ Hoses have check valve at inlet.
  • Check valves are dated and replaced on pre-scheduled basis
Plant has a documented Transportation and Storage Program
♦ Food carriers and distribution vehicles are inspected prior to unloading/loading
  • Truck, load and driver identification are checked and documented
  • Bulk tank number recorded
  • Bulk tank wash tickets inspected
  • Wash ticket for current load or within approved schedule
  • Bulk seals verified against supplier record
♦ Appropriate facilities for raw material and finished product storage are provided
  • Date of receipt recorded
  • Lot number recorded
♦ Temperature controls are appropriate and monitored.
Plant has a documented Equipment Maintenance Program
♦ Design standards established
  • Equipment is designed for the process.
♦ Equipment calibration procedures established and documented
♦ Equipment maintenance procedures established and documented
  • Preventative
  • Emergency
Plant has a documented Training Programs
♦ GMP
♦ Personnel Hygiene
♦ Sanitation
♦ Personal Safety
♦ HACCP
  • General training for all employees
  • Specific training for personnel at CCP’s
♦ All training activities documented

3. FOOD SAFETY CUSTOMER COMPLAINTS
Plant has a documented Customer/Consumer Complaint Program.
♦ Food safety complaints available at the plant
♦ Food Safety complaints separated from all other complaints
♦ Annual documented evaluation of food safety complaints by HACCP Team
♦ All food safety complaints investigated
  • Corrective action procedure in-place
  • Corrective action has been documented.

4. TRACEABILITY AND RECALL
Plant has a documented Traceability Program
♦ Name of records required for tracing product identified
♦ Location of trace records identified
♦ Lot identification procedures are included
♦ Traceability exercises conducted at least twice annually
  • Traceability exercise results are documented
  • Traceability exercise has been completed backwards (Supplier information, delivery vehicle identification, date and quantity of receipt)
  • Traceability exercise has been completed forwards (First point of shipment)
  • Traceability exercise effectiveness is documented. (At least two customers contacted)
    o Customer data confirms plant data
Plant has a documented Recall Program
♦ Plan is plant specific
♦ Plant Recall Team members identified
  • Coordinator identified
  • Alternates identified
♦ Emergency contact numbers available
♦ Roles and responsibilities for all Team Members documented
  • Method to identify and locate products (Traceability Program) identified
  • Recall exercises performed at least annually
  • Recall exercise results are documented.
  • Recall exercise time (from initial call to first team member to exercise completion) documented
♦ Post Recall exercise evaluation completed and documented.
  • Follow up to issues identified and addressed

5. CHEMICAL CONTROL PROGRAM
Plant has a documented Chemical Control Program
♦ Chemical approval process identified
♦ A Chemical Log is available.
  • All chemicals are identified
  • Sanitation chemical quantities agree with the Chemical Log.
♦ Chemical storage maintains control of chemicals
♦ Chemical storage allows for separation of chemical types
  • Sanitation
  • Pest Control
  • Maintenance
  • Boiler
    o Approved for incidental food contact if steam comes in direct contact with food
  • Laboratory
♦ MSDS forms available for all chemicals
♦ Contractor chemical approval procedure available
  • Approval procedure identified
  • MSDS forms available

6. PEST CONTROL PROGRAM
Plant has a documented Pest Control Program
♦ Individual responsible (plant personnel) is identified
♦ There is a certified PCO on staff (if applicable)
External Service
♦ An outside pest control service is used (Name)
  • Company’s license is available and current
    o License is for working in food plants
  • Insurance is available and current.
  • Applicator’s license available and current
    o License is for working in food plants
Internal or External
♦ Record of pest control chemicals
  • All pest control chemicals identified
  • Pest control chemicals used according to label directions
  • MSDS sheets are available
  • Pest chemical labels available
  • Pest control chemicals stored in accordance with state and federal regulations (if applicable)
♦ Inspection or service reports are available
  • All pest activity is noted
♦ Pest control device information is on file
  • Map of all pest control devices is available
  • All rodent bait stations are located outside the facility
    o Type of bait (liquid, granular, block) identified
  • Pheromone trap information noted
    o Pheromone traps are dated and current
  • Insect light traps noted
    o Light bulbs are dated and current
♦ Corrective action taken in regards to pest activities has been noted and recorded

7. ALLERGEN CONTROL PROGRAM
Plant has a documented Allergen Control Program
♦ Recognized allergens listed
♦ All allergen containing raw materials identified
♦ Warehouse has designated allergen storage area
  • Allergens are clearly identified.
  • Like allergens stored like above like
♦ All allergen containing formula identified
♦ Weigh area control procedures identified and implemented
  • Allergen containers have individual scoops or measuring devices
♦ All critical process/plant areas and equipment identified
♦ Cleaning procedures between allergen runs identified
  • Allergen cleaning activities documented
♦ Rework control implemented.
  • “Like into Like” procedure used
  • Rework usage documented
♦ Package labels for allergen containing products have appropriate allergens in their ingredient statement.

Hazard Analysis Critical Control Point (HACCP) Standard
HACCP Manual & HACCP Plan Checklist
REQUIREMENTS RESULTS / COMMENTS

SECTION 1: PLANT INFORMATION
This is a descriptive section telling about the plant, where it is located, who is in charge and products produced.
♦ Plant description is completed
  • Address and contact information available
♦ Management Team is identified
♦ History of operation is completed
♦ Location of plant is identified
♦ Products produced are listed

SECTION 2: HACCP TEAM
This is a description of the HACCP Team.
♦ HACCP Team is identified
♦ HACCP Coordinator is identified
  • Training of the HACCP Coordinator identified
♦ HACCP Team represents all aspects of operation
♦ HACCP Team members participate in and understand the HACCP Plan development and implementation.

SECTION 3: PREREQUISITE PROGRAMS
Each Prerequisite Program identified in the Process Hazard Analysis should be described in the manual. Information should be comprehensive enough that the reader will know the program is in effect, where it can be located and who is responsible for it.
♦ Sanitation Program
♦ Good Manufacturing Practices (GMPs)
♦ Customer Complaint Program
♦ Pest Control Program
♦ Chemical Control Program
♦ Recall Program
♦ Allergen Control Program
♦ Any other Prerequisite Program or Process Control identified in the Process Hazard Analysis

SECTION 4: INGREDIENT HAZARD ANALYSIS
A Hazard Analysis should be completed for each raw material used in the plant. Often a single hazard analysis will be completed for all raw materials. The Raw Material Hazard Analysis will focus on Biological, Chemical and Physical hazards associated with the raw material. Quality issues should not be addressed in this analysis.
♦ All raw materials have been identified.
♦ All biological, chemical and physical hazards have been noted.
♦ Hazards have been assessed for significance.
♦ Control measures have been developed and implemented to control all hazards.
♦ External resources used to supplement Team

SECTION 5: PRODUCT DESCRIPTION
A Product Description must be completed for each process or family of products. This description will include general information about the product, a technical description of the product and package, and food safety issues and their control associated with the product.
Finished Product or Process
♦ Finished product or process description is provided.
♦ Distribution and storage conditions are outlined.
♦ Product use and consumer is identified.
♦ Sensitive group(s) (elderly, infirm, children, etc.) is (are) identified.
♦ A technical description of the product or process is given.
♦ Product shelf life and lot identification is identified.
♦ Possible food safety and misuse
♦ Food safety control activities identified for each possible food safety issue.
♦ Product Description is signed and dated by the senior management representative.

SECTION 6: FLOW DIAGRAM
A flow diagram should be completed for each process. This should start with raw material receiving and continue through the individual processing steps. The flow diagram should be detailed enough to show each processing step and each CCP.
♦ A detailed Process Flow has been developed.
  • All operations are included.
  • Process Flow Diagram starts with Receiving and ends with Distribution / Shipping.
  • All process steps are identified.
  • Each CCP is identified on the flow diagram
♦ A floor diagram is available.
♦ The Process Flow Diagram has been verified by the HACCP Team.
♦ A simplified Process Flow Diagram is in the Plan
  • Each CCP is identified on the flow diagram

SECTION 7: PROCESS HAZARD ANALYSIS
This information must be completed for each step shown in the Process Flow Diagram. The Process Hazard Analysis will focus on Biological, Chemical and Physical hazards associated with the process. Quality issues should not be addressed in this analysis.
♦ A hazard analysis has been completed for each process step identified on the process flow diagram. (Principle 1)
♦ All biological, chemical and physical hazards have been noted.
♦ Hazards have been assessed for significance.
♦ Control measures have been developed and implemented to control all hazards.
♦ External resources used to supplement Team
♦ The process hazard analysis worksheet adequately determines CCPs (if applicable) (Principle 2)
  • CCPs have been identified for each significant hazard that is not controlled by a pre-requisite program.
  • These are the correct CCPs to control hazards.
  • External resources used to supplement Team

SECTION 8: MASTER PLAN
The Master Plan is a single sheet for each product or group of products. It includes the plant information (name, location), product(s) name, distribution method, customer (general population, elderly, infants), and each of the seven HACCP principles (hazard analysis, CCPs, CLs, etc.).
♦ A HACCP Master Plan has been developed for each product, process or group of products.
Master Plan
♦ A Master Plan has been developed for each Critical Control Point.
  • Critical Control Point(s) are indicated.
  • Critical Hazards (Biological, Physical, and Chemical) are identified.
  • Critical Limit (Actual Measurable Value) is established for each CCP. (Principle 3)
♦ The critical limits have been verified by an outside source.
    o Critical limits were determined by an outside source.
    o Critical limits were determined by experimentation.
    o External resources are being used to supplement team knowledge.
♦ Monitoring requirements are established. (Principle 4)
  • Monitoring procedures specify who, what, when, how and where.
  • Frequency is sufficient to ensure control.
  • Product lot identification is consistent with monitoring frequency.
  • Monitoring records are signed.
  • Monitoring records are verified on a timely basis.
♦ Corrective Action in the event of a Critical Limit failure during Monitoring is described. (Principle 5)
  • Corrective actions developed for each CCP.
  • Corrective actions ensure process has been brought under control.
  • Corrective actions ensure all suspect product has been identified and captured.
  • Corrective actions include procedures to prevent recurrence.
♦ Verification procedures are described and implemented. (Principle 6)
  • Verification procedures have been implemented to demonstrate effectiveness of HACCP Plan.
  • Reference device(s) accreditation(s).
♦ Records are available for all CCP’s. (Principle 7)
  • All CCP critical limits have been met.
  • Corrective action records are available for all deviations.
  • Records are available for all verification activities.
  • Record of “trained individual” training is available.
  • Records of employee training are available.
♦ There is a document control program.
  • All changes are recorded.
  • All changes are dated.

Section 9: Deviation Report
This may be a document developed by the company or one issued by a regulatory agency. It must include the product, date, lot number, description of the unusual occurrence, CL(s) exceeded, corrective action, any action to prevent reoccurrence, recommended HACCP Plan modification (if necessary), signature of individual who completed the form, date, and signature of HACCP Coordinator and date. It is recommended the plant include a blank copy of their Deviation Report in their HACCP Plan.
♦ The manual contains a blank copy of the Deviation Record used by the facility.
♦ Validation Procedures are described and implemented.
  • There is a program in place to verify HACCP Plan.
  • The HACCP Plan has been updated.
  • The HACCP Plan update has been documented.
  • The scientific basis for HACCP Plan is validated annually.
  • The scientific basis for HACCP Plan was validated initially.

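Hazard Factor Identification and Safe Production

Hazard factor identification, safe production, civilized construction, and management by objectives:

I. Hazard factor identification

1. The relationship between hazard sources

An accident is the result of two types of hazard source acting together.

The existence of a root hazard source is the precondition for an accident: without a root hazard source there can be no unintended release of energy, and hence no accident.

If no state hazard source breaks the control over the root hazard source, no unintended release of energy will occur either.

The appearance of a state hazard source is a necessary condition for a root hazard source to lead to an accident.

As an accident occurs and develops, the two types of hazard source depend on and complement each other.

The energy released by the root hazard source during an accident is the main body of energy that injures people and determines how severe the consequences are; the more energy the root hazard source holds, the more severe the consequences once an accident occurs.

State hazard sources are usually phenomena that occur randomly around a root hazard source; how easily they arise determines how likely an accident is.

Together, the two types of hazard source determine the level of risk of the hazard source.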

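2. Identification of hazard sources

Because state hazard sources are problems of people, equipment and environment that arise randomly around root hazard sources, hazard identification should first identify the root hazard sources in the system and then, according to the circumstances of the system, identify its state hazard sources.

In general, identifying state hazard sources is more difficult than identifying root hazard sources.

(1) Identification of root hazard sources

As a principle for identifying root hazard sources, one should carefully examine how energy is used, generated and converted in the system, establish the types of energy-bearing substances or carriers present in the system, and study the harm they can do to people or objects; root hazard sources are identified on that basis.

Root hazard sources are generally identified in two ways: first, by analyzing or testing the energy-bearing substances or carriers in the system to determine their characteristics; second, by using past accident experience to establish the main types of hazard source that lead to the various kinds of accident, and then looking for those types in practice.

Table 1 lists typical root hazard sources that lead to various injury accidents.

Injury accident types and root hazard sources

It is worth noting that not every energy-bearing substance or carrier is a hazard source. From the standpoint of practical safety work, an energy-bearing substance or carrier is regarded as a hazard source only when the energy it contains or carries is enough to injure a person.

For example, it is not necessary to regard every live conductor carrying a safe voltage as a hazard source that could cause electric shock.

(2) Identification of state hazard sources

Methods for identifying state hazard sources can be roughly divided into two categories: the comparison method and the system safety analysis method.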

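Hazard Analysis Methods (PPT courseware)

7.1.1 Overview
A safety checklist (Safety Check List, SCL) is compiled by experienced personnel who are familiar with the process, equipment and operations: they jointly analyze the inspection target in detail and discuss it thoroughly beforehand, then list the inspection items and key inspection points in a table. To prevent omissions, the inspection target is usually treated as a system when the checklist is compiled; the system is divided into several subsystems and the checklist is drawn up subsystem by subsystem.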
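(3) For basic events that appear only in minimal cut (path) sets containing equal numbers of basic events, the structural importance of each basic event is determined by the number of times it appears.
(4) When two basic events appear in minimal cut (path) sets containing unequal numbers of basic events:
a. If they appear the same number of times across the minimal cut (path) sets, the basic event that appears in the minimal cut (path) sets with fewer events has the greater structural importance;
b. If they appear fewer times in the minimal cut (path) sets with fewer events, and in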
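Analysis, FMEA): using the method of system decomposition, the system is divided into subsystems or components as required, and each potential failure mode, its causes, and its effects on the subsystem and on the whole system are then analyzed one by one, so that measures can be devised to eliminate and control them.
Criticality Analysis (CA): for failure modes that may cause casualties or major property loss, further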
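➢ Method: place the accident that could occur in the system at the top of the diagram, where it is called the top event, and then, following the relationships between the elements that make up the system, analyze downward the causes related to the accident. These causes may themselves be the results of other causes and are called intermediate cause events (or intermediate events); the analysis should continue downward until causes that cannot be analyzed any further are found, and these are called basic cause events (or basic events).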
7.6.2 Steps of fault tree analysis
Methods related to process hazard analysis
• What-if (what would happen if ...?)

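Hazard and Operability Study (HAZOP) Analysis Technique

Hazard and Operability Study (HAZOP) analysis technique

The Hazard and Operability Study (HAZOP) is a hazard evaluation method based on systems engineering that can be used for qualitative analysis or quantitative evaluation. It is used to find the hazards in production units and processes and their causes, and to seek the necessary countermeasures.

I. After HAZOP analysis and adoption of the relevant recommendations, the problems that arise during operation are reduced by at least one order of magnitude.

Normally, the target of a HAZOP study should be high-pressure equipment, facilities or systems associated with liquid or gas products.

Such equipment, facilities or systems generally become objects of the HAZOP method only once they are pressurized or put into service, so HAZOP should be defined as: the study of problems, related to its inherent hazards and its own operation, that may occur in a specific study object during commissioning or operation.

This definition already takes into account the trend of HAZOP's expanding scope of application.

II. Forms of HAZOP application

The HAZOP technique is commonly applied in three forms: the guide word approach (Guide Word Approach), the knowledge-based form (Knowledge Based HAZOP) and the checklist form (Checklist).

The guide word approach is mainly used to study systematically the process and operational hazards of new projects and to raise the safety problems that exist, whereas the knowledge-based form relies mainly on prior experience to carry out the HAZOP study on the related and modified parts of reused projects.

The checklist form is mainly used for the project's … III. … together, … abnormal conditions within the scope; guide words are in effect a high-level summary of operating parameters or operating conditions, including flow, pressure, temperature, composition, liquid level, phase, operation, and so on.

2. Specific HAZOP steps

HAZOP generally comprises the following 5 steps:
(1) Define the system or activity that the hazard and operability analysis is to analyze;
(2) Define the issues of concern to the analysis;
(3) Break down the system under analysis and establish deviations;
(4) Carry out the HAZOP work;
(5) …
(1) … (2) … (3) … (4) …; (5) … (6) …

The usual practice is to set up a multidisciplinary study team.

The team works together in the form of "organized free discussion".

During the review, the system or facility under study is first broken down into the smallest units of HAZOP study, the study nodes.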

"Risk Assessment Techniques and Methods" 4._Preliminary_Hazard_List

Chapter 4
Preliminary Hazard List

Hazard Analysis Techniques for System Safety, by Clifton A. Ericson, II. Copyright © 2005 John Wiley & Sons, Inc.

4.1 INTRODUCTION
The preliminary hazard list (PHL) is an analysis technique for identifying and listing potential hazards and mishaps that may exist in a system. The PHL is performed during conceptual or preliminary design and is the starting point for all subsequent hazard analyses. Once a hazard is identified in the PHL, the hazard will be used to launch in-depth hazard analyses and evaluations, as more system design details become available. The PHL is a means for management to focus on hazardous areas that may require more resources to eliminate the hazard or control risk to an acceptable level. Every hazard identified on the PHL will be analyzed with more detailed analysis techniques.

This analysis technique falls under the conceptual design hazard analysis type (CD-HAT). The PHL evaluates design at the conceptual level, without detailed information, and it provides a preliminary list of hazards. There are no alternate names for this technique.

4.2 BACKGROUND
The primary purpose of the PHL is to identify and list potential system hazards. A secondary purpose of the PHL is to identify safety critical parameters and mishap categories. The PHL analysis is usually performed very early in the design development process and prior to performing any other hazard analysis. The PHL is used as a management tool to allocate resources to particularly hazardous areas within the design, and it becomes the foundation for all other subsequent hazard analyses performed on the program. Follow-on hazard analyses will evaluate these hazards in greater detail as the design detail progresses. The intent of the PHL is to affect the design for safety as early as possible in the development program.

The PHL is applicable to any type of system at a conceptual or preliminary stage of development. The PHL can be performed on a subsystem, a single system, or an integrated set of systems. The PHL is generally based on preliminary design concepts and is usually performed early in the development process, sometimes during the proposal phase or immediately after contract award in order to influence design and mishap risk decisions as the design is formulated and developed.

The technique, when applied to a given system by experienced system safety personnel, is thorough at identifying high-level system hazards and generic hazards that may exist in a system. A basic understanding of hazard theory is essential as well as knowledge of system safety concepts. Experience with the particular type of system under investigation, and its basic components, is necessary in order to identify system hazards. The technique is uncomplicated and easily learned. Typical PHL forms and instructions are provided in this chapter.

The PHL technique is similar to a brainstorming session, whereby hazards are postulated and collated in a list. This list is then the starting point for subsequent hazard analyses, which will validate the hazard and begin the process of identifying causal factors, risk, and mitigation methods. Generating a PHL is a prerequisite to performing any other type of hazard analysis. Use of this technique is highly recommended. It is the starting point for more detailed hazard analysis and safety tasks, and it is easily performed.

4.3 HISTORY
The technique was established very early in the history of the system safety discipline. It was formally instituted and promulgated by the developers of MIL-STD-882.

4.4 THEORY
The PHL is a simple and straightforward analysis technique that provides a list of known and suspected hazards. A PHL analysis can be as simple as conducting a hazard brainstorming session on a system, or it can be a slightly more structured process that helps ensure that all hazards are identified. The PHL method described here is a process with some structure and rigor, with the application of a few basic guidelines.

The PHL analysis should involve a group of engineers/analysts with expertise in a variety of specialized areas. The methodology described herein can be used by an individual analyst or a brainstorming group to help focus the analysis. The recommended methodology also provides a vehicle for documenting the analysis results on a worksheet.

Figure 4.1 shows an overview of the basic PHL process and summarizes the important relationships involved in the PHL process. This process consists of combining design information with known hazard information to identify hazards. Known hazardous elements and mishap lessons learned are compared to the system design to determine if the design concept utilizes any of these potential hazard elements.

Figure 4.1 Preliminary hazard list overview.

To perform the PHL analysis, the system safety analyst must have two things—design knowledge and hazard knowledge. Design knowledge means the analyst must possess a basic understanding of the system design, including a list of major components. Hazard knowledge means the analyst needs a basic understanding about hazards, hazard sources, hazard components, and hazards in similar systems.
Hazard knowledge is primarily derived from hazard checklists and from lessons learned on the same or similar systems and equipment.

In performing the PHL analysis, the analyst compares the design knowledge and information to hazard checklists. This allows the analyst to visualize or postulate possible hazards. For example, if the analyst discovers that the system design will be using jet fuel, he then compares jet fuel to a hazard checklist. From the hazard checklist it will be obvious that jet fuel is a hazardous element and that a jet fuel fire/explosion is a potential mishap with many different ignition sources presenting many different hazards.

The primary output from the PHL is a list of hazards. It is also necessary and beneficial to collect and record additional information, such as the prime hazard causal factors (e.g., hardware failure, software error, human error, etc.), the major mishap category for the hazard (e.g., fire, inadvertent launch, physical injury, etc.), and any safety critical (SC) factors that will be useful for subsequent analysis (e.g., SC function, SC hardware item, etc.).

4.5 METHODOLOGY
Table 4.1 lists and describes the basic steps of the PHL process and summarizes the important relationships involved. A worksheet is utilized during this analysis process.

The PHL process begins by acquiring design information in the form of the design concept, the operational concept, major components planned for use in the system, major system functions, and software functions. Sources for this information could include: statement of work (SOW), design specifications, sketches, drawings, or schematics. Additional design integration data can be utilized to better understand, analyze, and model the system. Typical design integration data includes functional block diagrams, equipment indenture lists [e.g., work breakdown structure (WBS), reliability block diagrams, and concept of operations]. If the design integration data is not available, the safety analyst may have to make assumptions in order to perform the PHL analysis. All assumptions should be documented.

The next step in the PHL analysis is to acquire the appropriate hazard checklists. Hazard checklists are generic lists of items known to be hazardous or that might create potentially hazardous designs or situations. The hazard checklist should not be considered complete or all-inclusive. Hazard checklists help trigger the analyst’s recognition of potential hazardous sources from past lessons learned. Typical hazard checklists include:
1. Energy sources
2. Hazardous functions
3. Hazardous operations
4. Hazardous components
5. Hazardous materials
6. Lessons learned from similar type systems
7. Undesired mishaps
8. Failure mode and failure state considerations

TABLE 4.1 PHL Analysis Process

| Step | Task | Description |
|---|---|---|
| 1 | Define system | Define, scope, and bound the system. Define the mission, mission phases, and mission environments. Understand the system design, operational concepts, and major system components. |
| 2 | Plan PHL | Establish PHL goals, definitions, worksheets, schedule, and process. Identify system elements and functions to be analyzed. |
| 3 | Select team | Select all team members to participate in PHL and establish responsibilities. Utilize team member expertise from several different disciplines (e.g., design, test, manufacturing, etc.). |
| 4 | Acquire data | Acquire all of the necessary design, operational, and process data needed for the analysis (e.g., equipment lists, functional diagrams, operational concepts, etc.). Acquire hazard checklists, lessons learned, and other hazard data applicable to the system. |
| 5 | Conduct PHL | a. Construct list of hardware components and system functions. b. Evaluate conceptual system hardware; compare with hazard checklists. c. Evaluate system operational functions; compare with hazard checklists. d. Identify and evaluate system energy sources to be used; compare with energy hazard checklists. e. Evaluate system software functions; compare with hazard checklists. f. Evaluate possible failure states. |
| 6 | Build hazard list | Develop list of identified and suspected system hazards and potential system mishaps. Identify SCFs and TLMs if possible from information available. |
| 7 | Recommend corrective action | Recommend safety guidelines and design safety methods that will eliminate or mitigate hazards. |
| 8 | Document PHL | Document the entire PHL process and PHL worksheets in a PHL report. Include conclusions and recommendations. |

When all of the data is available, the analysis can begin. PHL analysis involves comparing the design and integration information to the hazard checklists. If the system design uses a known hazard component, hazardous function, hazardous operation, and the like, then a potential hazard exists. This potential hazard is recorded on the analysis form and then further evaluated with the level of design information that is available. Checklists also aid in the brainstorming process for new hazard possibilities brought about by the unique system design. PHL output includes: identified hazards, hazard causal factor areas (if possible), resulting mishap effect, and safety critical factors (if any).

The overall PHL methodology is illustrated in Figure 4.2a. In this methodology a system list is constructed that identifies planned items in the hardware, energy sources, functions, and software categories. Items on the system list are then compared to items on the various safety checklists. Matches between the two lists trigger ideas for potential hazards, which are then compiled in the PHL.

[Figure 4.2, panels (a) and (b); surviving label: Indentured Equipment List (IEL)]

The overall PHL methodology is demonstrated by the brief example in Figure 4.2b. The system in this example involves the conceptual design for a new nuclear-powered aircraft carrier system. From the design and operational concept information (Fig. 4.2) an indentured equipment list (IEL) is constructed for the PHL. The equipment on the IEL is then compared with the hazard checklists to stimulate hazard identification. For example, “Nuclear reactor” appears on the IEL and it also appears on the hazardous energy source checklist. This match (1a) triggers the identification of one or more possible hazards, such as “Reactor over temperature.” This hazard is then added to the PHL (1b) as hazard 1.

“Nuclear reactor” appears on the IEL and it also appears on the general mishaps checklist. This match (2a) triggers the identification of one or more possible hazards, “Accidental release of radioactive material.” This hazard is then added to the PHL (2b) as hazard 4.

“Missiles” appear on the IEL and “Inadvertent weapon launch” appears on the general mishaps checklist. This match (3a) triggers the identification of “inadvertent missile launch” as a possible hazard, which is added to the PHL (3b) as hazard 6.

4.6 WORKSHEET
It is desirable to perform the PHL analysis using a worksheet. The worksheet will help to add rigor to the analysis, record the process and data, and help support justification for the identified hazards. The format of the analysis worksheet is not critical, and typically columnar-type worksheets are utilized.

The following basic information should be obtained from the PHL analysis worksheet:
1. Actual and suspected hazards
2. Top-level mishap
3. Recommendations (such as safety requirements/guidelines that can be applied)

The primary purpose of a worksheet is to provide structure and documentation to the analysis process. The recommended PHL worksheet for system safety usage is shown in Figure 4.3. In the PHL worksheet in Figure 4.3, the second column contains a list of system items from which hazards can easily be recognized. For example, by listing all of the system functions, hazards can be postulated by answering the questions: What if the function fails to occur? or What if the function occurs inadvertently?

Figure 4.3 PHL worksheet. (Worksheet title: Preliminary Hazard List Analysis. Header field: System Element Type. Columns: No., System Item, Hazard, Hazard Effects, Comments.)

The PHL worksheet columns are defined as follows:
1. System Element Type. This column identifies the type of system items under analysis, such as system hardware, system functions, system software, energy sources, and the like.
2. Hazard Number. This column identifies the hazard number for reference purposes.
3. System Item. This column is a subelement of data item 1 and identifies the major system items of interest in the identified category. In the example to follow, the items are first broken into categories of hardware, software, energy sources, and functions. Hazards are postulated through close examination of each listed item under each category. For example, if explosives is an intended hardware element, then explosives would be listed under hardware and again under energy sources. There may be some duplication, but this allows for the identification of all explosives-related hazards.
4. Hazard. This column identifies the specific hazard that is created as a result of the indicated system item. (Remember: Document all potential hazards, even if they are later proven by other analyses to be nonhazardous in this application.)
5. Hazard Effects. This column identifies the effect of the identified hazard. The effect would be described in terms of resulting system operation, misoperation, death, injury, damage, and so forth. Generally the effect is the resulting mishap.
6. Comments. This column records any significant information, assumptions, recommendations, and the like resulting from the analysis. For example, safety critical functions (SCFs), top-level mishaps (TLMs), or system safety design guidelines might be identified here.

4.7 HAZARD CHECKLISTS
Hazard checklists provide a common source for readily recognizing hazards. Since no single checklist is ever really adequate in itself, it becomes necessary to develop and utilize several different checklists. Utilizing several checklists may generate some repetition, but will also result in improved coverage of hazardous elements. Remember that a checklist should never be considered a complete and final list but merely a mechanism or catalyst for stimulating hazard recognition. Refer to Appendix C of this book for a more complete set of hazard checklists. To illustrate the hazard checklist concept, some example checklists are provided in Figures 4.4 through 4.8. These example checklists are not intended to represent ultimate checklist sources, but are some typical example checklists used in recognizing hazards.

Figure 4.4 is a checklist of energy sources that are considered to be hazardous elements when used within a system. The hazard is generally from the various modes of energy release that are possible from hazardous energy sources. For example, electricity/voltage is a hazardous energy source. The various hazards that can result from undesired energy release include personnel electrocution, ignition source for fuels and/or materials, sneak path power for an unintended circuit, and so forth.

Figure 4.5 contains a checklist of general sources that have been found to produce hazardous conditions and potential accidents, when the proper system conditions are present.

Figure 4.6 is a checklist of functions that are hazardous due to the critical nature of the mission. This checklist is an example particularly intended for space programs.

Figure 4.7 is a checklist of operations that are considered hazardous due to the materials used or due to the critical nature of the operation.

Figure 4.8 is a checklist of possible failure modes or failure states that are considered hazardous, depending on the critical nature of the operation or function involved. This checklist is a set of key questions to ask regarding the state of the component, subsystem, or system functions. These are potential ways the subsystem could fail and thereby result in creating a hazard. For example, when evaluating each subsystem, answering the question “Does fail to operate cause a hazard?” may lead to the recognition of a hazard. Note that when new hardware elements and functions are invented and used, new hazardous elements will be introduced requiring expanded and updated checklists.

Figure 4.4 Example of hazard checklist for energy sources.
Figure 4.5 Example of hazard checklist for general sources.
Figure 4.6 Example of hazard checklist for space functions.
Figure 4.7 Example of hazard checklist for general operations.
Figure 4.8 Example of hazard checklist for failure states.

4.8 GUIDELINES
The following are some basic guidelines that should be followed when completing the PHL worksheet:
1. Remember that the objective of the PHL is to identify system hazards and/or mishaps.
2. The best approach is to start by investigating system hardware items, system functions, and system energy sources.
3. Utilize hazard checklists and lessons learned for hazard recognition.
4. A hazard write-up should be understandable but does not have to be detailed in description (i.e., the PHL hazard does not have to include all three elements of a hazard: hazardous element, initiating mechanisms, and outcome).

Chapter 2 described the three components of a hazard: (1) hazardous element, (2) initiating mechanism, and (3) threat and target (outcome). Typically when a hazard is identified and described, the hazard write-up description will identify and include all three components. However, in the PHL, a complete and full hazard description is not always provided. This is primarily because of the preliminary nature of the analysis and that all identified hazards are more fully investigated and described in the preliminary hazard analysis (PHA) and subsystem hazard analysis (SSHA).

Figure 4.9 shows how to apply the PHL guidelines when using the PHL worksheet.

Figure 4.9 PHL guidelines. (Callouts: State system effect for hazard. Look for “Missile” in hazard checklist. Find “Inadvertent Launch” as a potential hazard. Note simplified hazard write-up.)

4.9 EXAMPLE: ACE MISSILE SYSTEM
In order to demonstrate the PHL methodology, a hypothetical small missile system will be analyzed. The basic system design is shown in Figure 4.10 for the Ace Missile System. The major segments of the system are the missile segment and the weapon control system (WCS) segment. The missile segment includes only those components specifically comprising the missile. The WCS segment includes those components involved in command and control over the missile, such as the operator’s console, system computer, radar, system power, and so forth.

Figure 4.10 Ace Missile System. (Labelled missile components: Warhead, Battery, Computer/SW, Destruct, Fuel, Rocket Booster.)

The basic equipment and functions for this system are identified in Figure 4.11. During the conceptual design stage, this is the typical level of information that is available. Some basic design decisions may be necessary, such as the type of engine to be utilized, jet or solid rocket. A design safety trade study might be performed to evaluate the hazards of a jet system versus a rocket system. From this basic design information a very credible list of hazards can easily be generated.

Figure 4.11 Ace Missile System conceptual information. (Panels: Indentured Equipment List (IEL), Functions, Phases, Energy Sources.)

Figure 4.12 shows the basic planned operational phases for the missile system. As design development progresses, each of these phases will be expanded in greater detail.

Figure 4.12 Missile functional flow diagram of operational phases. (Boxes, labelled Phase 1 through Phase 7: Missile Storage in Shipboard Magazine; Missile Transportation To Ship; Missile Storage in Land Storage Site; Missile Installation in Launch Tube; Missile in Standby Alert; Missile Launch Sequence; Missile Flight to Target.)

The lists of components, functions, and phases are generated by the missile project designers or the safety analyst. The PHL begins by comparing each system component and function to hazard checklists, to stimulate ideas on potential hazards involved with this system design.

Tables 4.2, 4.3, and 4.4 contain a PHL analysis of the system hardware, functions, and energy sources, respectively. For example, Table 4.2 evaluates system hardware starting with the first component in the IEL, missile body, then the warhead, then the engine, and so forth. In this example, the PHL worksheet was developed as a single long table extending over several pages, but the worksheet could have been broken into many single pages.

TABLE 4.2 PHL Analysis of Ace Missile System—System Hardware Evaluation
Preliminary Hazard List Analysis
System Element Type: System Hardware

| No. | System Item | Hazard | Hazard Effects | Comments |
|---|---|---|---|---|
| PHL-1 | Missile structure | Missile body breaks up resulting in fuel leakage; and ignition source causing fire | Missile fire | Ground operations |
| PHL-2 | Missile structure | Missile body breaks up causing missile crash | Missile crash | Flight |
| PHL-3 | Missile warhead (W/H) | Detonation of W/H explosives from fire, bullet, shock, etc. | W/H explosives detonation | Use insensitive munitions (IM) |
| PHL-4 | Missile W/H | Initiation of W/H from inadvertent initiation commands | Inadvertent W/H initiation | Initiation requires both arm and fire signals |
| PHL-5 | Missile W/H | Missile W/H fails to initiate | Dud | Unexploded ordnance (UXO) concern |
| PHL-6 | Missile engine | Engine fails to start (missile crash) | Incorrect target | Unsafe missile state, fuel release |
| PHL-7 | Missile engine | Engine fails during flight resulting in crash | Incorrect target | |
| PHL-8 | Missile fuel subsystem | Engine fuel tank leakage and ignition source present resulting in fire | Missile fire | |
| PHL-9 | Missile computer | Computer inadvertently generates W/H Arm-1 and Arm-2 commands, causing W/H initiation | Inadvertent W/H initiation | |
| PHL-10 | Missile computer | Computer fails to generate W/H Arm-1 or Arm-2 commands | Inability to initiate W/H | Dud; not a safety concern |
| PHL-11 | Missile computer | Computer inadvertently generates missile destruct command | Inadvertent destruct | Safe separation issue |
| PHL-12 | Missile computer | Computer fails to generate missile destruct command | Inability to destruct missile | |
| PHL-13 | Missile battery | Battery is inadvertently activated, providing power for W/H Arm and Fire commands | Inadvertent W/H initiation | Mishap also requires Arm and Fire signals |
| PHL-14 | Missile battery | Battery electrolyte leakage occurs and ignition source present resulting in fire | Missile fire | |
| PHL-15 | Missile destruct subsystem | Destruct system fails | Unable to destruct missile | Also requires fault necessitating destruct |
| PHL-16 | Receiver | Receiver fails—no communication with missile | Unable to destruct missile | |
| PHL-17 | Receiver | Receiver fails—creates erroneous destruct command | Inadvertent missile destruct | |
| PHL-18 | Rocket booster | Inadvertent ignition of rocket | Inadvertent launch | Uncontrolled flight |
| PHL-19 | WCS computer | Computer inadvertently generates missile launch commands | Inadvertent missile launch | |
| PHL-20 | WCS radar | Electromagnetic radiation (EMR) injures exposed personnel | Personnel RF energy injury | |
| PHL-21 | WCS radar | EMR causes ignition of explosives | Explosives detonation | |
| PHL-22 | WCS radar | EMR causes ignition of fuel | Missile fuel fire | |
| PHL-23 | WCS power | High-voltage electronics causes fire | Cabinet fire | System damage or personnel injury |

TABLE 4.3 PHL Analysis of Ace Missile System—System Functions Evaluation
Preliminary Hazard List Analysis
System Element Type: System Functions

| No. | System Item | Hazard | Hazard Effects | Comments |
|---|---|---|---|---|
| PHL-24 | Warhead initiate | Warhead initiate function occurs inadvertently | Inadvertent W/H initiation | Initiation requires Arm-1 and Arm-2 functions |
| PHL-25 | Warhead initiate | Warhead initiate function fails to occur | Dud warhead | Not a safety concern |
| PHL-26 | Missile launch | Missile launch function occurs inadvertently | Inadvertent missile launch | |
| PHL-27 | Missile self-test | Self-test function fails, resulting in unknown missile status | Unsafe missile state | |
| PHL-28 | Missile destruct | Missile destruct function occurs inadvertently | Inadvertent missile destruct | |
| PHL-29 | Missile navigation | Errors occur in missile navigation function | Incorrect target | |
| PHL-30 | Missile guidance | Errors occur in missile guidance function | Incorrect target | |
| PHL-31 | Communications with missile | Communication is lost, causing inability to initiate missile destruct system | Inability to destruct missile | |

TABLE 4.4 PHL Analysis of Ace Missile System—System Energy Sources Evaluation
Preliminary Hazard List Analysis
System Element Type: System Energy Sources

| No. | System Item | Hazard | Hazard Effects | Comments |
|---|---|---|---|---|
| PHL-32 | Explosives | Inadvertent detonation of W/H explosives | Inadvertent W/H initiation | |
| PHL-33 | Explosives | Inadvertent detonation of missile destruct explosives | Inadvertent missile destruct | |
| PHL-34 | Electricity | Personnel injury during maintenance of high-voltage electrical equipment | Personnel electrical injury | |
| PHL-35 | Battery | Missile battery inadvertently activated | Premature battery power | Power to missile subsystems and W/H |
| PHL-36 | Fuel | Missile fuel ignition causing fire | Missile fuel fire | |
| PHL-37 | RF energy | Radar RF energy injures personnel | Personnel injury from RF energy | |
| PHL-38 | RF energy | Radar RF energy detonates W/H explosives | Explosives detonation | |
| PHL-39 | RF energy | Radar RF energy detonates missile destruct explosives | Explosives detonation | |
| PHL-40 | RF energy | Radar RF energy ignites fuel | Missile fuel fire | |

The following results should be noted from the PHL analysis of the Ace Missile System:
1. A total of 40 hazards have been identified by the PHL analysis.
2. No recommended action resulted from the PHL analysis, only the identification of hazards. These hazards provide design guidance to the system areas that will present mishap risk and require further design attention for safety.
3. Each of the 40 hazards identified in the PHL will be carried into the PHA for further analysis and investigation.
4. Although this PHL did not focus on SCFs and TLMs, it is possible to start generating this information, as shown in Table 4.5. The TLMs shown in Table 4.5 have been established from the entire list of PHL hazards. All of the identified hazards have been consolidated into these TLM categories. After establishing the TLMs, it was then possible to identify SCFs that are associated with certain TLMs, as shown in Table 4.5.

TABLE 4.5 Missile System TLMs and SCFs from PHL Analysis

| TLM No. | Top-Level Mishap | SCF |
|---|---|---|
| 1 | Inadvertent W/H initiation | Warhead initiation sequence |
| 2 | Inadvertent missile launch | Missile launch sequence |
| 3 | Inadvertent missile destruct | Destruct initiation sequence |
| 4 | Incorrect target | |
| 5 | Missile fire | |
| 6 | Missile destruct fails | Destruct initiation sequence |
| 7 | Personnel injury | |
| 8 | Unknown missile state | |
| 9 | Inadvertent explosives detonation | |

4.10 ADVANTAGES AND DISADVANTAGES
The following are advantages of the PHL technique:
1. The PHL is easily and quickly performed.
2. The PHL does not require considerable expertise for technique application.

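Process Hazard Analysis (PHA) Management Specification

b) PHA before project approval
1) Before project approval (feasibility study stage), following the "screening process hazard review", review any changes to the project scope or design and confirm that all process hazards have been identified and are effectively controlled;
2) For projects that have undergone a safety pre-assessment as required by national regulations, the PHA before project approval need not be carried out.
c) Pre-startup PHA
1) After the design organization has issued the design drawings (preliminary design stage), review the earlier review reports (including the safety pre-assessment report),
1) Identify all the ways in which each hazardous event/accident could occur;
Planning and preparation
Line organization management (the leading group) shall draw up a PHA terms of reference that sets out the responsibilities, tasks and objectives of the PHA team, select the team members, and provide the resources and necessary training the team requires.
5.3.1 Selection of PHA team members
The actual number of people on the team can be determined according to need and purpose. Generally, 5 to 6 people taking part throughout is appropriate. Team members are selected according to the professional skills and abilities required by the subject of the PHA study, and shall have the following skills:
· Operating procedures;
· Standard operating conditions and safe operating limits;
· Management-of-change documents since the last PHA;
· Investigation reports on incidents since the last PHA;
· Reports from the previous PHAs.
Hazard identification
At the initial stage of a process hazard analysis, the process hazards must be identified and listed. These are generally hazards that could lead to fire, explosion, release of toxic or harmful substances, or irreversible effects on people's health. The hazard list is used in the next step of the analysis so that discussion can be focused, and shall be included in the final PHA report.
3.5 Hazardous substance (Hazard substance): a chemical substance or material that, when released or when it releases energy, would cause serious personal injury, major property loss, or serious environmental harm.
3.6 Process hazard analysis (PHA): consists of two parts, "process hazard review (PHR)" and "consequence analysis (CA)". It uses an organized, systematic method of study to seek consensus on all aspects of hazard control, and records the results for future follow-up, emergency planning, and the training of the operating and maintenance personnel involved in the process.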

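Learning Risk Identification

Risk identification, as the name suggests, is for identifying risk: it identifies the harm that a project or works may cause to people, property and the environment, and it is the foundation of risk management.

Only on the basis of correctly identifying the risks we face can we proactively choose appropriate and effective ways of dealing with them.

Systematic study of risk identification provides an effective management framework for the risks that arise from the company's operations. It ensures that all hazards are properly identified, assessed and controlled and that the associated risks are reduced or eliminated, so as to protect employees' safety, safeguard the company's assets, and avoid interruption of construction.

The framework for systematic risk identification first requires building a risk database, carrying out a comprehensive review and whole-process control, making key processes and steps procedural and systematic, implementing risk control measures, and carrying out a series of risk identification activities and emergency response measures.

Danger is the possibility of suffering loss, injury, disadvantage or destruction.

A hazard source is a source or state that may lead to injury or illness, property loss, damage to the working environment, or a combination of these.

Risk is the combination of the likelihood and the consequences of a specific hazardous situation occurring.

Risk has two definitions: one emphasizes that risk manifests as uncertainty, while the other emphasizes that risk manifests as uncertainty of loss.

If risk manifests as uncertainty, this means that risk can only manifest as loss, with no possibility of gaining from the risk; this is risk in the narrow sense.

If risk manifests as uncertainty of loss, this means that the outcome of the risk may be a loss, a gain, or neither loss nor gain; this is risk in the broad sense, and financial risk belongs to this category.

Danger is a loss with certainty: speeding while driving is called danger, and danger means that the thing you are doing can itself be said to be incorrect.

Buying stocks, on the other hand, is called risk: buying stocks is neither right nor wrong in itself, and it may bring a gain or a loss.

Risk identification takes prevention as its guiding idea and can combine methods such as inquiry, conversation, consulting relevant records, obtaining external information, on-site observation, and process analysis.

Common risk identification methods that can be used to establish an occupational health and safety management system include: the expert survey method, the safety checklist method (SCL), the hazard and operability study method (Hazard Operation, HAZOP), and the failure mode and effects analysis method (FMEA).

These include: the expert experience method, the brainstorming method, and the Delphi method. The expert survey method is a relatively simple approach and is comparatively easy to carry out.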

Appendix C

Appendix C: Hazard Checklists

Hazard Analysis Techniques for System Safety, by Clifton A. Ericson, II. Copyright © 2005 John Wiley & Sons, Inc.

This chapter contains system safety hazard checklists from many different sources. Hazard checklists are an invaluable aid for assisting the system safety analyst in identifying hazards. For this reason, the more checklists that are available, the greater will be the likelihood of identifying all hazards. In performing a hazard analysis, the analyst compares design knowledge and information to hazard checklists. This allows the analyst to visualize or postulate possible hazards. For example, if the analyst discovers that the system design will be using jet fuel, he then compares jet fuel to a hazard checklist. From the hazard checklist it will be obvious that jet fuel is a hazardous element and that a jet fuel fire/explosion is a potential mishap with many different ignition sources presenting many different hazards.

The hazard checklist should not be considered a complete, final, or all-inclusive list. Hazard checklists help trigger the analyst's recognition of potential hazardous sources, from past lessons learned. Hazard checklists are not a replacement for good engineering analysis and judgment. A checklist is merely a mechanism or catalyst for stimulating hazard recognition. When using multiple hazard checklists, redundant entries may occur. However, this nuisance factor should be overlooked for the overall value provided by many different clues. Table C.1 lists the checklists included in Appendix C.

TABLE C.1 Hazard Checklist in Appendix C
Section | Title
C.1 | General Hazards Checklist
C.2 | Hazard Checklist for Energy Sources
C.3 | Hazard Checklist for General Sources
C.4 | Hazard Checklist for Space Functions
C.5 | Hazard Checklist for General Operations
C.6 | Operational Hazard Checklist
C.7 | Hazard Checklist for Failure States

C.1 GENERAL HAZARDS CHECKLIST

This checklist is a general list of possible hazard sources. When performing a hazard analysis, each of these items should be considered for hazardous impact within the system. The source for this checklist is NASA Reference Publication 1358, System Engineering "Toolbox" for Design Oriented Engineers, 1994.

Acceleration/Deceleration/Gravity
- Inadvertent motion
- Loose object translation
- Impacts
- Falling objects
- Fragments/missiles
- Sloshing liquids
- Slip/trip
- Falls

Chemical/Water Contamination
- System–cross connection
- Leaks/spills
- Vessel/pipe/conduit rupture
- Backflow/siphon effect

Common Causes
- Utility outages
- Moisture/humidity
- Temperature extremes
- Seismic disturbance/impact
- Vibration
- Flooding
- Dust/dirt
- Faulty calibration
- Fire
- Single-operator coupling
- Location
- Radiation
- Wear-out
- Maintenance error
- Vermin/varmints/mud daubers

Contingencies (Emergency Responses by System/Operators to "Unusual" Events)
- "Hard" shutdowns/failures
- Freezing
- Fire
- Windstorm
- Hailstorm
- Utility outages
- Flooding
- Earthquake
- Snow/ice load

Control Systems
- Power outage
- Interferences (EMI/RFI)
- Moisture
- Sneak circuit
- Sneak software
- Lightning strike
- Grounding failure
- Inadvertent activation

Electrical
- Shock
- Burns
- Overheating
- Ignition of combustibles
- Inadvertent activation
- Power outage
- Distribution backfeed
- Unsafe failure to operate
- Explosion/electrical (electrostatic)
- Explosion/electrical (arc)

Mechanical
- Sharp edges/points
- Rotating equipment
- Reciprocating equipment
- Pinch points
- Lifting weights
- Stability/toppling potential
- Ejected parts/fragments
- Crushing surfaces

Pneumatic/Hydraulic Pressure
- Overpressurization
- Pipe/vessel/duct rupture
- Implosion
- Mislocated relief device
- Dynamic pressure loading
- Relief pressure improperly set
- Backflow
- Crossflow
- Hydraulic ram
- Inadvertent release
- Miscalibrated relief device
- Blown objects
- Pipe/hose whip
- Blast

Temperature Extremes
- Heat source/sink
- Hot/cold surface burns
- Pressure evaluation
- Confined gas/liquid
- Elevated flammability
- Elevated volatility
- Elevated reactivity
- Freezing
- Humidity/moisture
- Reduced reliability
- Altered structural properties (e.g., embrittlement)

Radiation (Ionizing)
- Alpha
- Beta
- Neutron
- Gamma
- X-Ray

Radiation (Nonionizing)
- Laser
- Infrared
- Microwave
- Ultraviolet

Fire/Flammability—Presence of
- Fuel
- Ignition source
- Oxidizer
- Propellant

Explosives (Initiators)
- Heat
- Friction
- Impact/shock
- Vibration
- Electrostatic discharge
- Chemical contamination
- Lightning
- Welding (stray current/sparks)

Explosives (Effects)
- Mass fire
- Blast overpressure
- Thrown fragments
- Seismic ground wave
- Meteorological reinforcement

Explosives (Sensitizers)
- Heat/cold
- Vibration
- Impact/shock
- Low humidity
- Chemical contamination

Explosives (Conditions)
- Explosive propellant present
- Explosive gas present
- Explosive liquid present
- Explosive vapor present
- Explosive dust present

Leaks/Spills (Material Conditions)
- Liquid/cryogens
- Gases/vapors
- Dusts—irritating
- Radiation sources
- Flammable
- Toxic
- Reactive
- Corrosive
- Slippery
- Odorous
- Pathogenic
- Asphyxiating
- Flooding
- Runoff
- Vapor propagation

Physiological (See Ergonomic)
- Temperature extremes
- Nuisance dusts/odors
- Baropressure extremes
- Fatigue
- Lifted weights
- Noise
- Vibration (Raynaud's syndrome)
- Mutagens
- Asphyxiants
- Allergens
- Pathogens
- Radiation (See Radiation)
- Cryogens
- Carcinogens
- Teratogens
- Toxins
- Irritants

Human Factors (See Ergonomic)
- Operator error
- Inadvertent operation
- Failure to operate
- Operation early/late
- Operation out of sequence
- Right operation/wrong control
- Operated too long
- Operated too briefly

Ergonomic (See Human Factors)
- Fatigue
- Inaccessibility
- Nonexistent/inadequate "kill" switches
- Glare
- Inadequate control/readout differentiation
- Inappropriate control/readout location
- Faulty/inadequate control/readout labeling
- Faulty work station design
- Inadequate/improper illumination

Unannunciated Utility Outages
- Electricity
- Steam
- Heating/cooling
- Ventilation
- Air conditioning
- Compressed air/gas
- Lubrication drains/sumps
- Fuel
- Exhaust

Mission Phasing
- Transport
- Delivery
- Installation
- Calibration
- Checkout
- Shake down
- Activation
- Standard start
- Emergency start
- Normal operation
- Load change
- Coupling/uncoupling
- Stressed operation
- Standard shutdown
- Shutdown emergency
- Diagnosis/troubleshooting
- Maintenance

C.2 HAZARD CHECKLIST FOR ENERGY SOURCES

This checklist is a general list of potentially hazardous energy sources. A system that uses any of these energy sources will very likely have various associated hazards. This checklist was collected by C. Ericson.

1. Fuels
2. Propellants
3. Initiators
4. Explosive charges
5. Charged electrical capacitors
6. Storage batteries
7. Static electrical charges
8. Pressure containers
9. Spring-loaded devices
10. Suspension systems
11. Gas generators
12. Electrical generators
13. Radio frequency energy sources
14. Radioactive energy sources
15. Falling objects
16. Catapulted objects
17. Heating devices
18. Pumps, blowers, fans
19. Rotating machinery
20. Actuating devices
21. Nuclear

C.3 HAZARD CHECKLIST FOR GENERAL SOURCES

This is another checklist of general items that often generate hazards within a system. When performing a hazard analysis, each of these items should be considered for hazardous impact within the system. This checklist was collected by C. Ericson.

1. Acceleration
2. Contamination
3. Corrosion
4. Chemical dissociation
5. Electrical
   - Shock
   - Thermal
   - Inadvertent activation
   - Power source failure
   - Electromagnetic radiation
6. Explosion
7. Fire
8. Heat and temperature
   - High temperature
   - Low temperature
   - Temperature variations
9. Leakage
10. Moisture
   - High humidity
   - Low humidity
11. Oxidation
12. Pressure
   - High
   - Low
   - Rapid change
13. Radiation
   - Thermal
   - Electromagnetic
   - Ionizing
   - Ultraviolet
14. Chemical replacement
15. Shock (mechanical)
16. Stress concentrations
17. Stress reversals
18. Structural damage or failure
19. Toxicity
20. Vibration and noise
21. Weather and environment

C.4 HAZARD CHECKLIST FOR SPACE FUNCTIONS

This is a checklist of general space-related functions that generally generate hazards within a system. When performing a hazard analysis, each of these items should be considered for hazardous impact within the system. This checklist was collected by C. Ericson.

1. Crew egress/ingress
2. Ground-to-stage power transfer
3. Launch escape
4. Stage firing and separation
5. Ground control communication transfer
6. Rendezvous and docking
7. Ground control of crew
8. Ground data communication to crew
9. Extra vehicular activity
10. In-flight tests by crew
11. In-flight emergencies
   - Loss of communications
   - Loss of power/control
   - Fire toxicity
   - Explosion
   - Life support
12. Reentry
13. Parachute deployment and descent
14. Crew recovery
15. Vehicle safing and recovery
16. Vehicle inerting and decontamination
17. Payload mating
18. Fairing separation
19. Orbital injection
20. Solar panel deployment
21. Orbit positioning
22. Orbit correction
23. Data acquisition
24. Midcourse correction
25. Star acquisition (navigation)
26. On-orbit performance
27. Retrothrust

C.5 HAZARD CHECKLIST FOR GENERAL OPERATIONS

This is a checklist of general operations that often generate hazards within a system. When performing a hazard analysis, each of these items should be considered for hazardous impact within the system. This checklist was collected by C. Ericson.

1. Welding
2. Cleaning
3. Extreme temperature operations
4. Extreme weight operations
5. Hoisting, handling, and assembly operations
6. Test chamber operations
7. Proof test of major components/subsystems/systems
8. Propellant loading/transfer/handling
9. High-energy pressurization/hydrostatic-pneumostatic testing
10. Nuclear component handling/checkout
11. Ordnance installation/checkout/test
12. Tank entry/confined space entry
13. Transport and handling of end item
14. Manned vehicle tests
15. Static firing
16. Systems operational validations

C.6 OPERATIONAL HAZARD CHECKLIST

This is a checklist of general operational considerations that often generate hazards within a system. When performing a hazard analysis, each of these items should be considered for hazardous impact within the system. This checklist was collected by C. Ericson.

1. Work area
   - Tripping, slipping, corners
   - Illumination
   - Floor load, piling
   - Ventilation
   - Moving objects
   - Exposed surfaces—hot, electric
   - Cramped quarters
   - Emergency exits
2. Materials handling
   - Heavy, rough, sharp
   - Explosives
   - Flammable
   - Awkward, fragile
3. Clothing
   - Loose, ragged, soiled
   - Necktie, jewelry
   - Shoes, high heels
   - Protective
4. Machines
   - Cutting, punching, forming
   - Rotating shafts
   - Pinch points
   - Flying pieces
   - Projections
   - Protective equipment
5. Tools
   - No tools
   - Incorrect tools
   - Damaged tools
   - Out-of-tolerance tools
6. Emergency
   - Plans, procedures, numbers
   - Equipment
   - Personnel
   - Training
7. Safety Devices
   - Fails to function
   - Inadequate

C.7 HAZARD CHECKLIST FOR FAILURE STATES

This is a checklist of failure modes or failure states that can generate hazards within a system. When performing a hazard analysis, each of these items should be considered for hazardous impact within the system. This checklist was collected by C. Ericson.

1. Fails to operate
2. Operates incorrectly/erroneously
3. Operates inadvertently
4. Operates at incorrect time (early, late)
5. Unable to stop operation
6. Receives erroneous data
7. Sends erroneous data

JSA Analysis Guide

JOB SAFETY ANALYSIS GUIDANCE

1. INTRODUCTION

Job Safety Analysis (JSA) is a simple structured approach used to assess potential hazards associated with any identified activity and to ensure risks are minimized. JSA applies the standard Hazard Management Process (HMP) of:

* Identify the potential hazards and evaluate the risks
* Establish controls (to avoid hazards)
* Plan recovery measures (if things do go wrong)

This can be applied to any task.

2. Approach

For larger or more complex tasks, the initial JSA can be carried out as a desktop exercise at the office. However, a key principle is that the proper JSA is done in the field with people experienced in the activities and with the facilities. JSA is generally carried out in the control room or at the work site.

Risk Assessment Form

CSR Health & Safety

Each Departmental Manager is responsible for the Health & Safety of the department. Responsibility cannot be delegated. Only authority can be delegated.

Each Departmental Manager must undertake as many risk assessments as needed to ensure the department is healthy and safe. Each risk found must be rated as per pages 2 & 3.

Page 5 is the check list to be used.
Page 6 is the risk assessment form to be used.
Page 7 is to be used if additional controls are required.

LIKELIHOOD | SEVERITY
HIGH – Expected | HIGH – Fatality/disabling injury
MEDIUM – Possible it will happen sometime | MEDIUM – A period of absence with full recovery
LOW – Improbable (rarely/never) | LOW – Minor injury allowing people to stay at work

RISK RATING
L* = Likelihood, S* = Severity, R* = Risk Estimate

This is the first part of the risk assessment. When considering the hazards at this stage you must mentally remove the controls that are in place, as it is easy to consider that a task is of low likelihood or severity because the risk is already being controlled. The danger of this is that this incidental control may not be appreciated and may be removed by changing operators.

Hazards with a risk rating of HIGH or MEDIUM are considered to be significant findings and require transferring onto the risk assessment record, to be re-assessed taking into account persons at risk and control measures put into place. If no significant findings are identified, i.e. all hazards have a risk rating of LOW, the risk assessment need proceed no further and the record is kept for reference purposes.

HAZOP

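What is HAZOP?

The term HAZOP was coined by ICI in the early 1970s and stands for Hazard and Operability Analysis (HAZOP).

Operability analysis, also called safe operation study, is a hazard analysis method based on systems engineering.

The method uses a tabular analysis format and has the characteristics of expert analysis. It is mainly suited to the safety analysis and evaluation of continuous production systems, and is a heuristic, practical, qualitative analysis method.

Origins of HAZOP analysis

In the 1960s, as the process industries grew steadily larger in scale and more and more toxic and flammable chemicals came into use, the scale of accidents became increasingly hard to bear.

The earlier approach of learning lessons from accidents began to become unacceptable.

As a number of major events occurred, some fundamental questions came to the fore: how to foresee what is going to happen, whether the process is properly understood technically, and how to make a process design easy to manage.

These accident cases created an urgent need for a systematic, structured method of analysis that gives advance awareness of potential future hazards at the design stage, and also a need for plants to be more tolerant of operator errors and abnormal situations.

Imperial Chemical Industries PLC (hereafter ICI) therefore developed the hazard and operability analysis (HAZOP) technique.

HAZOP analysis is a systematic and structured qualitative hazard evaluation technique, used mainly at the design stage to determine the hazards and operating problems present in an engineering design.

HAZOP is an analysis method centred on the use of guide words, used to review the safety of a design and the cause-and-effect relationships of hazards.

ICI formally published the HAZOP technique in 1974, and Kletz and others gave a detailed account of the history and method of HAZOP in their book.

Thereafter, vigorously promoted by ICI and the UK Chemical Industries Association (CIA), the method gradually spread from Europe to North America, Japan, Saudi Arabia and other countries.

Many large international companies and organizations have drawn up corresponding procedures suited to their own businesses.

Countries such as the UK and the US have also made HAZOP a mandatory national standard that the relevant enterprises are required to follow.

Domestically, the method was first introduced in an article by Mr. Huang Qingxian (黄清贤) of Taiwan in 1987, and in Taiwan it has been promoted and adopted by the major petrochemical companies.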

Job Hazard Analysis (JHA)

METHOD STATEMENT (MS) & JOB HAZARD ANALYSIS (JHA)

INDEX
1 INTRODUCTION
2 DEFINITION OF THE RISK
3 GENERAL
4 ATTACHMENT
Attachment A - Job Hazard Analysis Checklist
Attachment B - Job Hazard Assessment Work Sheet
Attachment C - JHA & Method Statement - Process Summary

1 INTRODUCTION

The Method Statement (MS) & Job Hazard Analysis (JHA) is the formal review and development procedure for considering how work is to be accomplished and for minimizing, eliminating and/or controlling the risk during the operation and performance of the work. Included in this Site Safety Practice is an explanation for managers, discipline engineers, supervisors, foremen and workers of the basic step-by-step procedure for conducting a JHA.

Risk Assessment Techniques and Methods: 5. Preliminary Hazard Analysis

Chapter 5Preliminary HazardAnalysis5.1INTRODUCTIONThe preliminary hazard analysis (PHA)technique is a safety analysis tool for identifying hazards,their associated causal factors,effects,level of risk,and mitigat-ing design measures when detailed design information is not available.The PHA provides a methodology for identifying and collating hazards in the system and establishing the initial system safety requirements (SSRs)for design from prelimi-nary and limited design information.The intent of the PHA is to affect the design for safety as early as possible in the development program.The PHA normally does not continue beyond the subsystem hazard analysis (SSHA).5.2BACKGROUNDThis analysis technique falls under the preliminary design hazard analysis type (PD-HAT)because it evaluates design at the preliminary level without detailed information.The analysis types are described in Chapter 3.Gross hazard analysis and potential hazard analysis are alternate names for this analysis technique.The purpose of the PHA is to analyze identified hazards,usually provided by the preliminary hazard list (PHL),and to identify previously unrecognized hazards early in the system development.The PHA is performed at the preliminary design level,as its name implies.In addition,the PHA identifies hazard causal factors,conse-quences,and relative risk associated with the initial design concept.The PHA 73Hazard Analysis Techniques for System Safety ,by Clifton A.Ericson,IICopyright #2005John Wiley &Sons,Inc.74PRELIMINARY HAZARD ANALYSISprovides a mechanism for identifying initial design SSRs that assist in designing in safety early in the design process.The PHA also identifies safety critical functions (SCFs)and top-level mishaps(TLMs)that provide a safety focus during the design process.The PHA is applicable to the analysis of all types of systems,facilities,oper-ations,and functions;the PHA can be performed on a unit,subsystem,system,or an integrated set of systems.The PHA is generally 
based on preliminary or baseline design concepts and is usually generated early in the system development process in order to influence design and mishap risk decisions as the design is developed into detail.The PHA technique,when methodically applied to a given system by experi-enced safety personnel,is thorough in identifying system hazards based on the lim-ited design data available.A basic understanding of hazard analysis theory is essential as well as knowledge of system safety concepts.Experience with,or a good working knowledge of,the particular type of system and subsystem is necessary in order to identify and analyze all hazards.The PHA methodology is uncomplicated and easily learned.Standard PHA forms and instructions are provided in this chapter,and standard hazard check-lists are readily available.The PHA is probably the most commonly performed hazard analysis technique. In most cases,the PHA identifies the majority of the system hazards.The remaining hazards are usually uncovered when subsequent hazard analyses are generated and more design details are available.Subsequent hazard analyses refine the hazard cause–effect relationship and uncover previously unidentified hazards and refine the design safety requirements.There are no alternatives to a PHA.A PHL might be done in place of the PHA,but this is not recommended since the PHL is only a list of hazards and not as detailed as a PHA and does not provide all of the required information.A subsystem hazard analy-sis(SSHA)might be done in place of the PHA,but this is not recommended since the SSHA is a more detailed analysis primarily of faults and failures that can create safety hazards.A modified failure mode and effects analysis(FMEA)could be used as a PHA,but this is not recommended since the FMEA primarily looks at failure modes only,while the PHA considers many more system aspects.Use of the PHA technique is highly recommended for every program,regardless of size or cost,to support the goal of 
identifying and mitigating all system hazards early in the program.The PHA is the starting point for further hazard analysis and safety tasks,is easily performed,and identifies a majority of the system hazards.The PHA is a primary system safety hazard analysis technique for a system safety program.5.3HISTORYThe PHA technique was established very early in the history of the system safety discipline.It was formally instituted and promulgated by the developers of MIL-STD-882.It was originally called a gross hazard analysis(GHA)because it was performed at a gross(preliminary)level of detail(see MIL-S-38130).5.4THEORY75 5.4THEORYFigure5.1shows an overview of the basic PHA process and summarizes the import-ant relationships involved in the PHA process.The PHA process consists of utilizing both design information and known hazard information to identify and evaluate hazards and to identify SC factors that are relevant to design safety.The PHA evalu-ates hazards identified by the PHL analysis in further detail.The purpose of the PHA is to identify hazards,hazard causal factors,hazard mis-hap risk,and SSRs to mitigate hazards with unacceptable risk during the preliminary design phase of system development.To perform the PHA analysis,the system safety analyst must have three things—design knowledge,hazard knowledge,and the PHL.Design knowledge means the analyst must possess a basic understanding of the system design,including a list of major components.Hazard knowledge means the analyst needs a basic understanding about hazards,hazard sources,hazard components(hazard element,initiating mechanism,and target/threat)and hazards in similar systems.Hazard knowledge is primarily derived from hazard checklists and from lessons learned on the same or similar systems.The starting point for the PHA is the PHL collection of identified hazards.The PHA evaluates these hazards in more detail.In addition,the analyst compares the design knowledge and information to hazard checklists in 
order to identify previously unfore-seen hazards.This allows the analyst to visualize or postulate possible hazards.For example,if the analyst discovers that the system design will be using jet fuel,he then compares jet fuel to a hazard checklist.From the hazard checklist it will be obvious that jet fuel is a hazardous element,and that a jet fuelfire/explosion is a poten-tial mishap with many different ignition sources presenting many different hazards.Output from the PHA includes identified and suspected hazards,hazard causal factors,the resulting mishap effect,mishap risk,SCFs,and TLMs.PHA output also includes design methods and SSRs established to eliminate and/or mitigate identified hazards.It is important to identify SCFs because these are the areas that generally affect design safety and that are usually involved in major system hazards.Since the PHA is initiated very early in the design phase,the data available to the ana-lyst may be incomplete and informal(i.e.,preliminary).Therefore,the analysis process should be structured to permit continual revision and updating as the conceptual approach is modified and refined.When the subsystem design details are complete enough to allowterminated.the analyst to begin the SSHA in detail,the PHA is generally Array Figure5.1PHA overview.5.5METHODOLOGYThe PHA methodology is shown in Figure5.2.This process uses design and hazard information to stimulate hazard and causal factor identification.The PHA analysis begins with hazards identified from the PHL.The next step is to once again employ the use of hazard checklists(as done in the PHL analysis)and undesired mishap checklists.The basic inputs for the PHA include the functionalflow diagram,the reliability block diagram,indentured equipment list,system design,PHL hazards, hazard checklists,and mishap checklists—thefirst three of these are derived from the system design by the various system design organizations.Hazard checklists are generic lists of known hazardous items 
and potentially hazardous designs,functions,or situations and are fully defined and discussed in Chapter4.Hazard checklists should not be considered complete or all-inclusive but merely a list of items to help trigger the analyst’s recognition of potential hazard sources from past lessons learned.Typical hazard checklists include:1.Energy sources2.Hazardous functions3.Hazardous operations4.Hazardous components5.Hazardous materials6.Lessons learned from similar type systems7.Undesired mishaps8.Failure mode and failure stateconsiderationsTLMs• Hazards• Mishaps• Causal sources• Risk• SCFs and TLMs• Mitigation methods• SSRsPHA WorksheetsSystem Design ToolsFigure5.2Preliminary hazard analysis methodology.76PRELIMINARY HAZARD ANALYSISRefer to Chapter4,on PHL analysis,for examples of each of these hazard checklists. Appendix C of this book contains a more complete set of hazard checklists that can be used in a PHA.Table5.1lists and describes the basic steps of the PHA process.This process involves analyzing PHL-identified hazards in more detail and performing a detailed analysis of the system against hazard checklists.TABLE5.1PHA ProcessStep Task Description1Definesystem.Define,scope,and bound the system.Define the mission,mission phases,and mission environments.Understand the systemdesign,operation,and major system components.2Plan PHA.Establish PHA definitions,worksheets,schedule,and process.Identify system elements and functions to be analyzed.3Establishsafetycriteria.Identify applicable design safety criteria,safety precepts/principles, safety guidelines,and safety critical factors.4Acquire data.Acquire all of the necessary design,operational,and process dataneeded for the analysis(e.g.,functional diagrams,drawings,operational concepts,etc.).Acquire hazard checklists,lessonslearned,and other hazard data applicable to the system.Acquireall regulatory data and information that are applicable.5ConductPHA.a.Construct list of equipment,functions,and energy sources 
foranalysis.b.Prepare a worksheet for each identified equipment item,function,and energy source.pare system hardware items with hazard checklists and TLMs.pare system operational functions with hazard checklistsand TLMs.pare system energy sources with energy hazard checklistsand TLMs.pare system software functions with hazard checklists andTLMs.g.Expand the list of SCFs and TLMs and utilize in the analysis.h.Be cognizant of functional relationships,timing,and concurrentfunctions when identifying hazards.i.Utilize hazard/mishap lessons learned from other systems.6Evaluate risk.Identify the level of mishap risk presented for each identified hazard,both with and without hazard mitigations in the system design.7Recommendcorrectiveaction.Recommend corrective action necessary to eliminate or mitigate identified hazards.Work with the design organization to translate the recommendations into SSRs.Also,identify safety features already in the design or procedures that are present for hazard mitigation.8Monitor correctiveaction.Review test results to ensure that safety recommendations and SSRs are effective in mitigating hazards as anticipated.9Trackhazards.Transfer newly identified hazards into the HTS.Update the HTS as hazards,hazard causal factors,and risk are identified in the PHA.10DocumentPHA.Document the entire PHA process and PHA worksheets in a PHA report.Include conclusions and recommendations.5.5METHODOLOGY7778PRELIMINARY HAZARD ANALYSISWhen performing a PHA,the following factors should be considered,as a minimum:1.Hazardous components(e.g.,energy sources,fuels,propellants,explosives,pressure systems,etc.)2.Subsystem interfaces(e.g.,signals,voltages,timing,human interaction,hardware,etc.)3.System compatibility constraints(e.g.,material compatibility,electromag-netic interference,transient current,ionizing radiation,etc.)4.Environmental constraints(e.g.,drop,shock,extreme temperatures,noiseand health hazards,fire,electrostatic 
discharge,lightning,X-ray,electro-magnetic radiation,laser radiation,etc.)5.Undesired states(e.g.,inadvertent activation,fire/explosive initiation andpropagation,failure to safe,etc.)6.Malfunctions to the system,subsystems,or computing system7.Software errors(e.g.,programming errors,programming omissions,logicerrors,etc.)8.Operating,test,maintenance,and emergency procedures9.Human error(e.g.,operator functions,tasks,requirements,etc.)10.Crash and survival safety(e.g.,egress,rescue,salvage,etc.)11.Life-cycle support(e.g.,demilitarization/disposal,EOD,surveillance,hand-ling,transportation,storage,etc.)12.Facilities,support equipment,and training13.Safety equipment and safeguards(e.g.,interlocks,system redundancy,fail-safe design considerations,subsystem protection,fire suppression systems, personal protective equipment,warning labels,etc.)14.Protective clothing,equipment,or devices15.Training and certification pertaining to safe operation and maintenance of thesystem16.System phases(test,manufacture,operations,maintenance,transportation,storage,disposal,etc.)5.6WORKSHEETThe PHA is a detailed hazard analysis utilizing structure and rigor.It is desirable to perform the PHA using a specialized worksheet.Although the format of the PHA analysis worksheet is not critical,it is important that,as a minimum,the PHA gen-erate the following information:1.System hazards2.Hazard effects(e.g.,actions,outcomes,mishaps)3.Hazard causal factors(or potential causal factor areas)5.6WORKSHEET794.Mishap risk assessment(before and after design safety features are implemented)5.SCFs and TLMs6.Recommendations for eliminating or mitigating the hazardsFigure5.3shows the columnar format PHA worksheet recommended for SSP usage. 
This particular worksheet format has proven to be useful and effective in many applications and it provides all of the information necessary from a PHA.The following instructions describe the information required under each column entry of the PHA worksheet:1.System This entry identifies the system under analysis.2.Subsystem/Function This entry identifies the subsystem or function underanalysis.3.Analyst This entry identifies the name of the PHA analyst.4.Date This entry identifies the date of the analysis.5.Hazard Number This column identifies the number assigned to the ident-ified hazard in the PHA(e.g.,PHA-1,PHA-2,etc.).This is for future refer-ence to the particular hazard source and may be used,for example,in the hazard action record(HAR)and the hazard tracking system(HTS).6.Hazard This column identifies the specific hazard being postulated andevaluated.(Remember:Document all hazard considerations,even if they are later proven to be nonhazardous.)7.Causes This column identifies conditions,events,or faults that could causethe hazard to exist and the events that can trigger the hazardous elements to become a mishap or accident.8.Effects This column identifies the effects and consequences of the hazard,should it occur.Generally,the worst-case result is the stated effect.The effect ultimately identifies and describes the potential mishap involved.Figure5.3Recommended PHA worksheet.80PRELIMINARY HAZARD ANALYSIS9.Mode This entry identifies the system mode(s)of operation,or operationalphases,where the identified hazard is of concern.10.Initial Mishap Risk Index(IMRI)This column provides a qualitativemeasure of mishap risk significance for the potential effect of the identified hazard,given that no mitigation techniques are applied to the hazard.Risk measures are a combination of mishap severity and probability,and the rec-ommended values from MIL-STD-882are shown below.Severity ProbabilityI.Catastrophic A.FrequentII.Critical B.ProbableIII.Marginal 
C.OccasionalIV.Negligible D.RemoteE.Improbable11.Recommended Action This column establishes recommended preventivemeasures to eliminate or mitigate the identified hazards.Recommendations generally take the form of guideline safety requirements from existing sources or a proposed mitigation method that is eventually translated intoa new derived SSR intended to mitigate the hazard.SSRs are generatedafter coordination with the design and requirements organizations.Hazard mitigation methods should follow the preferred order of precedence estab-lished in MIL-STD-882for invoking or developing safety requirements, which is shown below.Order of Precedence1.Eliminate hazard through design selection.2.Incorporate safety devices.3.Provide warning devices.4.Develop procedures and training.12.Final Mishap Risk Index(FMRI)This column provides a qualitativemeasure of mishap risk for the potential effect of the identified hazard, given that mitigation techniques and safety requirements are applied to the hazard.The same risk matrix table used to evaluate column10is also used here.ments This column provides a place to record useful informationregarding the hazard or the analysis process that are not noted elsewhere.This column can be used to record thefinal SSR number for the developed SSR,which will later be used for traceability.14.Status This column states the current status of the hazard,as being eitheropen or closed.5.7GUIDELINES81 5.7GUIDELINESThe following are some basic guidelines that should be followed when completing the PHA worksheet:1.Remember that the objective of the PHA is to identify system hazards,effects,causal factor areas,and risk.Another by-product of the PHA is the identification of TLMs and SCFs.2.Start by listing and systematically evaluating system hardware subsystems,system functions,and system energy sources on separate worksheet pages.For each of these categories identify hazards that may cause the TLMs ident-ified from the PHL.Also,utilize hazard 
checklists to identify new TLMs and hazards.
3. PHL hazards must be converted to TLMs for the PHA. Utilize TLMs along with hazard checklists and lessons learned for hazard recognition to identify hazards.
4. Do not worry about reidentifying the same hazard when evaluating system hardware, system functions, and system energy sources. The idea is to provide thorough coverage in order to identify all hazards.
5. Expand each identified hazard in more detail to identify causal factors, effects, and risk.
6. As causal factors and effects are identified, hazard risk can be determined or estimated.
7. Continue to establish TLMs and SCFs as the PHA progresses and utilize in the analysis.
8. A hazard write-up in the PHA worksheet should be clear and understandable with as much information necessary to understand the hazard.
9. The PHL hazard column does not have to contain all three elements of a hazard: hazardous element (HE), initiating mechanisms (IMs) and outcome (O). The combined columns of the PHA worksheet can contain all three components of a hazard. For example, it is acceptable to place the HE in the hazard section, the IMs in the cause section, and the O in the effect section. The hazard, causes, and effects columns should together completely describe the hazard.
10. Use analysis aids to help recognize and identify new hazards, such as hazard checklists, lessons learned from hazard databases and libraries, mishap investigations, and the like. Also, use applicable hazards from the PHA of other similar systems.
11. After performing the PHA, review the PHL hazards to ensure all have been covered via the TLM process. This is because the PHL hazards were not incorporated one for one.

Figure 5.4 shows how to apply the PHA guidelines when using the PHA worksheet.

5.8 EXAMPLE: ACE MISSILE SYSTEM

To demonstrate the PHA methodology, the same hypothetical Ace Missile System from Chapter 4 will be used. The basic preliminary design is shown in Figure 5.5; however, note that the conceptual design changed slightly from the concept phase to the
preliminary design phase (as happens in many development programs). The design concept has now expanded from a single missile system to multiple missiles in launch tubes. These changes will be reflected in the PHA. The major segments of the system are the missile segment and the weapon control system (WCS) segment. During preliminary design development, the system design has been modified and improved to include the following:

1. Multiple missiles instead of a single missile.
2. The missiles are now contained in launch tubes.
3. A radio transmitter was added to WCS design for missile destruct subsystem.

Figure 5.4 PHA guidelines.

Figure 5.5 Ace Missile System (labelled components: warhead, battery, computer/SW, receiver, destruct, fuel, rocket booster).

Figure 5.6 lists the major system components, functions, phases, and energy sources that should be considered for the PHA. This is the typical level of information available for the PHA.

Figure 5.6 contains a preliminary indentured equipment list (IEL) for this system that will be used for the conduct of the PHA. This is the level of information typically available during preliminary design. As the design development progresses, the IEL will be expanded in breadth and depth for the subsystem hazard analysis (SSHA). The IEL is basically a hierarchy of equipment that establishes relationships, interfaces, and equipment types. A new PHA worksheet page will be started for each IEL item. Sometimes a more detailed hierarchy is available at the time of the PHA, but usually it is not. The basic ground rule is that the higher level of detail goes into the PHA, and the more detailed breakdown goes into the SSHA. Sometimes the decision is quite obvious, while at other times the decision is somewhat arbitrary. In this example, the computer software would be included in the PHA only as a general category, and it would also be included in the SSHA when the indenture list is continued to a lower level of detail for the software (e.g., module
level). The PHA will analyze the system at the subsystem level because that is the level of design detail available. The SSHA will utilize the PHA hazards and carry the analysis a level lower as more design detail becomes available.

It is also helpful when performing the PHA to utilize functional flow diagrams (FFDs) of the system if they are available. The FFD shows the steps that must take place in order to perform a particular system function. The FFD helps identify subsystem interfaces and relationships that can be used in the analysis. Sometimes it is necessary for the system safety analyst to develop both IELs and FFDs if the project design team has not developed them.

Figure 5.6 Ace Missile System information (columns: Indentured Equipment List (IEL), Functions, Energy Sources, Phases).

Figure 5.7 Ace Missile functional flow diagram of operational phases (Phase 1 through Phase 7; boxes: Missile Storage in Shipboard Magazine, Missile Transportation to Ship, Missile Storage in Land Storage Site, Missile Installation in Launch Tube, Missile In Standby Alert, Missile Launch Sequence, Missile Flight to Target).

Figure 5.7 is an FFD showing the basic planned operational phases for the missile system. As design development progresses, each of these phases will be expanded in greater detail. Figure 5.8 is an FFD showing the elements and sequence of events required to generate the missile launch signal. Figure 5.9 is an FFD showing the elements and sequence of events required to generate the missile launch signal.

The hazards identified by the PHL analysis form the initial set of hazards for the PHA. Since the PHL hazards are generalized, brief, and mixed, it is better to condense the PHL hazards to TLMs and then use the TLMs for the hazard categories that the PHA should be considering for all aspects of the system design and operation. Table 5.2 contains the list of TLMs resulting from the PHL analysis in Chapter 4.

If a new PHA worksheet were started for every IEL
item, system function, and system energy source, there would be a minimum of 26 worksheets (14 IEL items + 7 functions + 5 energy sources). In order to not overwhelm the reader, only 6 worksheets are provided (5 IEL items and 1 function). These samples should provide sufficient information on how to perform the PHA. These same examples will be carried into the SSHA. Tables 5.3 through 5.8 contain five example worksheets from the example missile system PHA.

Figure 5.8 Ace Missile launch signal functional flow diagram.

Figure 5.9 Ace Missile warhead initiate signal functional flow diagram.

The following should be noted from the PHA of the Ace Missile System:

1. The recommended action is not always in the form of a direct SSR. Additional research may be necessary to convert the recommendation into a meaningful design requirement.
2. As a result of the PHA, TLM 10 was added to the list of TLMs. The new TLM list is shown in Table 5.9.

5.9 ADVANTAGES AND DISADVANTAGES

The following are advantages of the PHA technique. The PHA:

1. Is easily and quickly performed.
2. Is comparatively inexpensive yet provides meaningful results.
3. Provides rigor for focusing for the identification and evaluation of hazards.
4. Is a methodical analysis technique.
5. Identifies the majority of system hazards and provides an indication of system risk.
6. Commercial software is available to assist in the PHA process.

While there are no disadvantages in the PHA technique, it is sometimes improperly depended upon as the only hazard analysis technique that is applied.

5.10 COMMON MISTAKES TO AVOID

When first learning how to perform a PHA, it is commonplace to commit some typical errors. The following is a list of common errors made during the conduct of a PHA.

1. Not listing all concerns or credible hazards. It is important to list all possible suspected or credible hazards and not leave any potential concerns out of the analysis.

TABLE 5.2 Missile System TLMs from PHL Analysis

| TLM No. | Top-Level Mishap |
|---|---|
| 1 | Inadvertent W/H explosives initiation |
| 2 | Inadvertent launch |
| 3 | Inadvertent missile destruct |
| 4 | Incorrect target |
| 5 | Missile fire |
| 6 | Missile destruct fails |
| 7 | Personnel injury |
| 8 | Unknown missile state |
| 9 | Inadvertent explosives detonation |

TABLE 5.3 Ace Missile System PHA—Worksheet 1

System: Ace Missile System
Subsystem: Missile Structure Subsystem
Preliminary Hazard Analysis
Analyst:
Date:

| No. | Hazard | Causes | Effects | Mode | IMRI | Recommended Action | FMRI | Comments | Status |
|---|---|---|---|---|---|---|---|---|---|
| PHA-1 | Missile structure fails, resulting in unstable missile flight and missile crash | Manufacturing defect; design error | Unstable flight, resulting in crash causing death/injury; incorrect target | Flight | 1D | Use 5× safety factor on structure design | 1E | | Open |
| PHA-2 | Missile body breaks up, resulting in fuel leakage; and ignition source, causing fire | Manufacturing defect; design error | Missile fire, causing death/injury | Ground operations | 1D | Use 5× safety factor on structure design | 1E | | Open |
| PHA-3 | Missile structure fails during handling, resulting in personnel injury | Manufacturing defect; design error; handling equipment failure | Personnel injury | PHS&T (a) | 2D | Use 5× safety factor on structure design. Establish SSRs for handling equipment | 2E | | Open |

Page: 1 of 6

Teaching Notes:
- Focus of this PHA worksheet is on the missile structure subsystem.
- PHA-1 was identified from missile structure contributions to TLM-4 (incorrect target).
- PHA-2 was identified from missile structure contributions to TLM-5 (missile fire).
- PHA-3 was identified from missile structure contributions to TLM-7 (personnel injury).

(a) PHS&T = packaging, handling, storage, and transportation.

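HAZOP and LOPA Analysis and Application

安监总危化〔2007〕255号 (State Administration of Work Safety, Hazardous Chemicals document [2007] No. 255)
GB/T35320-2017, Application Guide for HAZOP Analysis
HAZOP stands for HAZard and OPerability Study, also written HAZard and OPerability Analysis.
It is a hazard evaluation method that Imperial Chemical Industries (ICI) of the UK developed in 1974 for chemical plants. Its basic process is guided by keywords: find the changes in the process or state of the system, that is, the deviations, and then go on to analyze the causes of each deviation, its consequences, and the countermeasures that can be taken.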
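Purpose of process hazard analysis (PHA):
• It uses a series of methods to systematically identify process hazards, to evaluate the fire, explosion and toxic-release risks that could injure people or affect the environment, property and the business, and to establish suitable safeguards to control those risks. It is a key element of inherent process safety management.
• Carrying out a PHA is also an audit and check of how the other elements of the process safety management system are implemented, such as PSI, MOC, PSSR, operating procedures, incident management, training and equipment integrity:
- A PHA requires the unit's latest PSI.
- A PHA revalidation of an in-service unit requires the earlier MOC, incident and operating procedure records and information.
- During a PHA, all IPL safety facilities are assumed to be intact and functioning.
• Systematically identifies the risks of in-service units, providing a basis for hazard remediation work
• Risk ranking and management
• Provides a basis for revising and improving operating procedures
• Deepens understanding of the process and accumulates experience
• Provides training material for operators
• Serves as in-depth training material
• Improves process safety information
Process hazard analysis (PHA) methods:
Qualitative methods:
- What-If analysis: for process, equipment and human failures
- Checklist: for process, equipment and human failures
- Failure mode and effects analysis (FMEA): mainly for analysis of equipment and instrument failures
- Hazard and operability study (HAZOP): for the process flow
- Fault tree / event tree (FTA/ETA): for process, equipment and human failures and accidents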

Department/Section:
System Checked:
Identified/Checked by:
Date:

(Each question has a RESULT column and an ASSESSMENT column.)

A. ENTANGLEMENT
1. Can anyone's hair, clothing, gloves, necktie, jewellery, cleaning brushes, rags or other materials become entangled with moving parts of the equipment, or materials in motion?

B. CRUSHING
1. Can anyone be crushed due to:
   a. material falling off the equipment?
   b. uncontrolled or unexpected movement of the equipment or its load?
   c. lack of capacity for the equipment to be slowed, stopped or immobilised?
   d. the equipment tipping or rolling over?
   e. parts of the equipment collapsing?
   f. coming in contact with moving parts of the equipment during testing, inspection, operation, maintenance, cleaning or repair?
   g. being thrown off or under the equipment?
   h. being trapped between the equipment and materials or fixed structures?
   i. other factors not mentioned?

C. CUTTING, STABBING AND PUNCTURING
1. Can anyone be cut, stabbed or punctured due to:
   a. coming in contact with sharp or flying objects?
   b. coming in contact with moving parts of the equipment during testing, inspection, operation, maintenance, cleaning or repair of equipment?
   c. the equipment, parts of the equipment or work pieces disintegrating?
   d. work pieces being ejected?
   e. the mobility of the equipment?
   f. uncontrolled or unexpected movement of the equipment?
   g. other factors not mentioned?

D. SHEARING
1. Can anyone's body parts be sheared between two parts of the equipment, or between a part of the equipment and a structure?

E. FRICTION
1. Can anyone be burnt due to contact with moving parts or surfaces of the equipment, or material handled by the equipment?

F. STRIKING
1. Can anyone be struck by moving objects due to:
   a. uncontrolled or unexpected movement of the equipment or material handled by equipment?
   b. the equipment, parts of the equipment or work pieces disintegrating?
   c. work pieces being ejected?
   d. mobility of the equipment?
   e. other factors not mentioned?

G. HIGH PRESSURE FLUID
1. Can anyone come into contact with fluids under high pressure, due to equipment failure or misuse of the equipment?

H. ELECTRICAL
1. Can anyone be injured by electrical shock or burnt due to:
   a. equipment contacting live electrical conductors?
   b. the equipment working in close proximity to electrical conductors?
   c. overload of electrical circuits?
   d. damaged or poorly maintained electrical leads and cables?
   e. damaged electrical switches?
   f. water near electrical equipment?
   g. lack of isolation procedures?
   h. other factors not mentioned?

I. EXPLOSION
1. Can anyone be injured by explosion of gases, vapours, liquids, dusts or other substances, triggered by the operation of the equipment or by material handled by the equipment?

J. SLIPPING, TRIPPING AND FALLING
1. Can anyone using the equipment, or in the vicinity of the equipment, slip, trip or fall due to:
   a. uneven or slippery work surfaces?
   b. poor housekeeping, e.g. swarf in the vicinity of the equipment, spillage not cleaned up?
   c. obstacles being placed in the vicinity of the equipment?
   d. other factors not mentioned?
2. Can anyone fall from a height due to:
   a. lack of a proper work platform?
   b. lack of proper stairs or ladders?
   c. lack of guardrails or other suitable edge protection?
   d. unprotected holes, penetrations or gaps?
   e. poor floor or walking surfaces, such as the lack of a slip-resistant surface?
   f. steep walking surfaces?
   g. collapse of the supporting structures?
   h. other factors not mentioned?

K. ERGONOMIC
1. Can anyone be injured due to:
   a. poorly designed seating?
   b. repetitive body movement?
   c. constrained body posture or the need for excessive effort?
   d. design deficiency causing mental or psychological stress?
   e. inadequate or poorly placed lighting?
   f. lack of consideration given to human error or human behaviour?
   g. mismatch of the equipment with human traits and natural limitations?
   h. other factors not mentioned?

L. SUFFOCATION
1. Can anyone be suffocated due to lack of oxygen, or atmospheric contamination?

M. HIGH TEMPERATURE OR FIRE
1. Can anyone come into contact with objects at high temperatures?
2. Can anyone be injured by fire?

N. TEMPERATURE (THERMAL COMFORT)
1. Can anyone suffer ill-health due to exposure to high or low temperatures?

O. OTHER HAZARDS
1. Can anyone be injured or suffer ill-health from exposure to:
   a. chemicals?
   b. toxic gases or vapours?
   c. fumes?
   d. dust?
   e. noise?
   f. vibration?
   g. radiation?
   h. other factors not mentioned?
