A design principle in which each element that makes up a system is analyzed to determine the potential consequence of that element's failure, alone or in combination with any or all other elements of the system, so as to ensure that no single failure or combination of failures results in an unsafe condition. (NTSC)