Contents

Cover

Half Title page

Title page

Copyright page

Foreword to System Safety for the 21st Century

Foreword to System Safety 2000

Preface

Acknowledgments for System Safety for The 21st Century

Acknowledgments for System Safety 2000

Part I: Introduction to System Safety

Chapter 1: The History of System Safety

The 1960s—MIL-STD-882, DOD, and NASA

The 1970s—The Management Oversight and Risk Tree

The 1980s—Facility System Safety

The 1990s—Risk-Based Process System Safety

The 2000s—Quest for Intrinsic Safety

Review Questions

References

Chapter 2: Fundamentals of System Safety

Basic Definitions

Fundamental Safety Concepts

System Safety Fundamentals

System Safety Tenets

Review Questions

References

Chapter 3: Current Approaches to System Safety

Department of Defense

NASA

Facility System Safety

The Chemical Industry

Department of Energy

Review Questions

References

Chapter 4: Problem Areas

Standardization

Risk Assessment Codes

Data

Communications

Life Cycle

Education and Training

Human Factors

Software

Review Questions

Reference

Chapter 5: The Future of System Safety

More First-Time Safe Systems

Cost-Effective Management Tools

The New Face of System Safety

Proactive or Reactive?

Review Questions

Reference

Part II: System Safety Program Planning and Management

Chapter 6: Establishing the Groundwork

Generic Model

Product Safety

Dual Programs

Planning and Development Methodology

Review Questions

Chapter 7: Tasks

Hazard Identification

Hazard Analysis and Control

System Safety Support Tasks

Review Questions

Chapter 8: System Safety Products

System Safety Program Plan

Preliminary Hazard List

Preliminary Hazard Analysis

Hazard Tracking Log

Subsystem Hazard Analysis

System Hazard Analysis

Operating Hazard Analysis

Change Analysis Report

Accident Analysis Report

Review Questions

Chapter 9: Program Implementation

Review Questions

Part III: Analytical Aids

Chapter 10: Analytical Trees

Purposes

Tree Construction

Fault Trees Versus Fault Tree Analysis

Review Exercise

References

Chapter 11: Risk Assessment and Risk Acceptance

Risk Management Concepts

Risk Assessment Shortcomings

Total Risk Exposure Codes

Review Questions

References

Chapter 12: Human Factors

Human Reliability

Human Error Rates

Improving Human Reliability

Human Factors for Engineering Design

Review Questions

References

Part IV: System Safety Analysis Techniques

Chapter 13: Energy Trace and Barrier Analysis

Purpose of ETBA

Input Requirements

General Approach

Instructions

Review Questions

References

Chapter 14: Failure Mode and Effects Analysis

Purpose of FMEA

Input Requirements

General Approach

Instructions

Appendix: Sample FMEA

I. Summary

II. Project Description

III. Methodology

Review Questions

References

Chapter 15: Fault Tree Analysis

Purpose of FTA

Input Requirements

General Approach

Instructions

Appendix: Sample FTA

I. Summary

II. Project Description

III. Methodology

Review Questions

References

Chapter 16: Project Evaluation Tree

Purpose of PET

Input Requirements

General Approach

Instructions

Appendix: PET User’s Guide

Review Questions

References

Chapter 17: Change Analysis

Purpose

Input Requirements

General Approach

Instructions

Review Questions

References

Chapter 18: Management Oversight and Risk Tree

Purpose of MORT and Mini-MORT

Input Requirements

General Approach

Instructions

Review Questions

References

Chapter 19: Event and Causal Factors Charts

Purpose

Input Requirements

General Approach

Instructions

Review Questions

References

Chapter 20: Other Analytical Techniques

Software Hazard Analysis

Common Cause Failure Analysis

Sneak Circuit Analysis

Extreme Value Projection

Time-Loss Analysis

Additional Techniques

Review Questions

References

Part V: Process Safety

Chapter 21: Process Safety Management

Introduction

Background

Future

Summary

Review Questions

References

Appendix: List of Highly Hazardous Chemicals, Toxics and Reactives

Chapter 22: EPA’s Equivalent Process Safety Requirements—Risk Management Program (RMP)

Background

Overall Risk Management Program

Summary

Review Questions

References

Appendix: Seventy-six Substances Listed Under 40 CFR 68

Chapter 23: Process Safety Implementation

Introduction

PSM Implementation

RMP Implementation

Implementation Lessons

Summary

Review Questions

References

Chapter 24: Process Safety Reviews

Introduction

Mechanics of an Individual Audit

Lessons

Summary

Review Questions

References

Part VI: Professionalism and Professional Development

Chapter 25: Professionalism and Professional Development

Introduction

What is Professionalism?

Professional Development

Accreditation of Certifications

Why Become Certified?

Summary

Review Questions

References

Appendix I: The Scope and Functions of the Professional Safety Position

Appendix II: System Safety Society Fundamental Principles and Canons

Article IV Guidelines for Use with the Fundamental Canons of Ethics

Appendix III: Professional System Safety and Related Societies and Organizations

Glossary

References

Index

SYSTEM SAFETY FOR THE 21ST CENTURY

FOREWORD TO SYSTEM SAFETY FOR THE 21ST CENTURY

I just heard it again. A colleague of mine said that he has always taken the “systems view” with regard to system safety. I was once again surprised, shocked is probably a better word, that not everyone had that view. It reminded me that there remain varying views of the scope of system safety. The scope of the system safety discipline is broad, just like the industries that use the discipline. The system safety discipline has expanded well beyond the U.S. Department of Defense community and U.S. borders and, as such, its recognized discipline approach and broad scope are becoming better defined.

The System Safety Society and most system safety professionals take a broad view of the scope of system safety, a “system view.” It considers the system safety discipline as analyzing all safety aspects for any size system (with a product being just a small system) throughout its entire life cycle. It uses a disciplined systems approach to manage safety risk by tapping into the known knowledge bases and using specific tools and techniques for analysis where knowledge bases do not exist or are insufficient for the technologies used in the system. Known knowledge bases include existing safety codes, safety standards, and lessons learned that have been developed in all technology areas. The system safety professional focuses more attention, however, where there are nonexistent or insufficient knowledge bases from which to draw upon. In this case, the system safety professional uses the specific tools and techniques available in the system safety profession to augment the lack of information in existing knowledge bases. The top-level analyses identify where new safety requirements are necessary and where existing safety codes and standards can be used. The system safety discipline bridges the gap when existing knowledge bases are lacking and manages safety risks by identifying hazards from the known knowledge bases and the tools and techniques of this profession.

Because the system safety professional focuses more attention where there are no or insufficient knowledge bases, some in industry perceive that the scope of the system safety discipline is just in those areas, where little or no knowledge bases exist. However, the scope of the system safety discipline is much broader and the system safety professional must have a complete understanding of how to use and apply the existing safety resources, in addition to when to use other system safety analyses to evaluate the entire system throughout its entire life cycle. Some colleagues refer to system safety as the “umbrella” safety, since you must draw upon all safety resources for the technologies involved in the design. The system safety discipline has an established methodology and unique tools for analysis. It establishes acceptable levels of risk as part of the process and does not necessarily seek zero risk or rely only on checklists or standards. It considers rare events and life-cycle operations and analyzes both normal and abnormal circumstances. The discipline manages for success using training, independent assessments, management commitment, and lessons learned and it plans for failure by establishing emergency response procedures, graceful degradation, surveillance, and maintenance.

This system safety discipline is unique because it addresses the safety of an entire system and its operations using existing knowledge bases and, where knowledge bases are insufficient, the tools of this profession. I am of the opinion that the methodology and tools of the system safety discipline should be applied to every system. I believe every company should develop and implement a system safety program that addresses the hazards in its organization, the products it purchases, and the systems that it designs and operates. Only the degree and depth of the system safety program will vary from system to system. As one colleague stated, I wouldn’t spend too much time on the analysis of a paper clip. Using the system safety discipline, I am convinced that a company will apply its resources more effectively and achieve success in its ability to effectively manage safety risks.

The second edition of this book not only updates the text with the current information on standards such as MIL-STD-882D, it also adds another important tool and approach for the system safety engineer: a discussion on process safety in the chemical industry. Dick Stephans provides in-depth information on how to apply the system safety process to this specialized discipline: the users, distributors, or manufacturers of hazardous chemicals and related materials such as flammables and explosives. Historical accidents have demonstrated the need for legislation, and the specific regulatory requirements of the Occupational Safety and Health Administration (OSHA) and the Environmental Protection Agency (EPA) are presented along with examples to reinforce understanding. Dick Stephans highlights the value of the system safety philosophy, in this case, to the chemical process standards and the application of methodologies to satisfy those requirements.

It is common now to see the application of the system safety approach, tools, and techniques in more and more industries without using the words system safety. This is evident by the more than 100 techniques described in the System Safety Analysis Handbook. While I am thrilled that the philosophy continues to expand, it is important to understand the basis for which most of the techniques are derived to ensure that they are applied appropriately.

PAIGE V. RIPANI

Past President, System Safety Society (1999–2001)

FOREWORD TO SYSTEM SAFETY 2000

Professional credentials or experience in “systems safety” are not required to appreciate the potential value of the systems approach and system safety techniques to general safety and health practice. This book will help the reader move from system safety practice into far broader applications.

A joint conference of safety practitioners, led by the System Safety Society chapter in Washington, D.C., did much to expose the full capabilities of the systems approach to safety. The meeting produced a list of more than thirty techniques and approaches for use in system safety that were fully covered in the Journal of the System Safety Society. At least three interesting points emerged:

1. Only a few of the techniques were in regular use by system safety specialists.
2. Most of the techniques were in regular or partial use by members of the safety and health community who did not consider themselves system safety specialists or practitioners.
3. Most techniques had proponents who were not particularly receptive to other techniques. These backers were thus stakeholders in, and defenders of, a particular approach.

Bringing new ideas into the system is not easy, even if the ideas are good and people believe in them. They can be forced into practice, as the government has done on defense and certain other contracts. However, believers in the complete systems approach must also be able to convert their organizations to the idea. Few safety and health practitioners have the clout or skill to arrange this conversion.

A few system safety disciples and at least one government agency and one private group saw that no single approach leads to the level of safety performance needed for their complex operations. However, their ideas are not widely seen as having solid application in routine industrial safety and health practice. As a holistic approach emerged as a solution to long-range safety and health success, a few authors tried to place this complete approach into writing for the average practitioner. Their success was not spectacular, even when the material made good reading. The job of joining a holistic approach is harder because of the vested interests of various stakeholders and their approaches to safety and health problems. This book does not cast doubt on any of the viewpoints, but it does explore seldom-covered relationships that help us resolve their use for ourselves.

We find that the systems approach, old as it is, now figures prominently in most safety and health approaches and techniques. However, few system safety practitioners consider themselves as working in health fields such as stress management, wellness, industrial hygiene, or toxicology. Nevertheless, the fields are closely related to total practice. I have just reviewed the writings of two prominent industrial hygienists and a health physicist. Their success stems from viewing the whole system and any interacting systems—an interdisciplinary approach. Each of the three heads a major corporate safety and health department with “system safety” specialists. These three do not consider themselves system safety specialists but are wonders at applying a systems approach to their work.

One difficulty in applying certain systems approaches and techniques to problem solving is an inability of the practitioners to merge the various approaches and techniques, to relate them to each other, and to understand the relationship of diverse system safety techniques. Joe Stephenson shows in this text not only how the approaches vary, but also how they are similar and can interact with each other. This is a valuable service to the many disciplines and practitioners of the safety and health community.

Ranging from the traditional views of early systems safety adherents and developers, through the complete viewpoint of large-scale practitioners such as Idaho’s System Safety Development Center to the all-encompassing viewpoint of DeBono, Stephenson brings it all into perspective. He relates how those tasks are visualized and traditionally used by system safety practitioners. He demonstrates how some of the systems approaches interface with each other and what they mean to their mutual success. Finally, he has made clear how some systemic techniques interface and can combine to form a complete system to solve safety and health problems.

Joe Stephenson makes practical the application of system safety techniques to safety and health problems not previously amenable to system safety solutions. Seeing the forest instead of the trees is a unique contribution of this book. The interaction of many disciplines and specialties can be seen. This book is a common ground for assessing a systems approach to safety and health disciplines and practice.

TED FERRY

PREFACE

As we continue into the twenty-first century, many challenges face the safety, engineering, and management communities. Risks and the potential for catastrophic loss are dramatically increasing as technology advances at an ever-increasing rate. The public demands a high level of safety in products and services, yet, in the face of world competition, the safety effort must be timely and cost-effective.

System safety tools and techniques currently used primarily in the aerospace, weapons, and nuclear industries offer great potential for meeting these challenges. The systematic application of system safety fundamentals early in the life cycle to produce “first time safe” products and services can provide significant, cost-effective gains in the safety effort in transportation, manufacturing, construction, utilities, facilities, and many other areas.

Yet, there are obstacles hampering current system safety efforts and restricting the expansion of system safety.

System safety continues, in many cases, to be more of an art than a science. The quality of system safety products is determined by the skill and talent of the individual analyst, not by the systematic application of accepted tools and techniques.

There is also a shortage of system safety engineers and of safety professionals, engineers, and managers trained in system safety.

A key factor is the lack of commonality of system safety terms, tools, and techniques.

The purpose of this book is to aid in expanding and improving the system safety effort to meet the needs of the next century by providing a basis for planning, evaluating, upgrading, conducting, and managing system safety programs.

It is designed to be used as a textbook, a planning guide, and a reference. This book is specifically written for:

Students and others generally unfamiliar with system safety should read it straight through, in order, and retain it as a reference.

Managers and planners may find skimming through Part 1 first helpful, but will benefit most from Part 2.

Experienced system safety professionals are encouraged to keep an open mind—some will initially view parts of the book as heresy!—and be patient. A large portion of the book will be old hat to many of you, but several new concepts, techniques, and approaches are presented. Current practitioners may benefit most from Part 3.

Part 4 and the appendices contain how-to and reference information that should be of value to all who are interested in the system safety effort.

Part 5 is a new part devoted to process safety, particularly the U.S. OSHA and EPA rules that provide for the safety of workers, the public, and the environment at sites using certain hazardous substances above a listed threshold quantity. Most important is that the level of calculated risk provides sites with a roadmap for safety actions.

Part 6 provides a discussion of professionalism that is important reading for the student and practitioner as well. The focus is on the system safety professional, but much of the information pertains to other related environmental, health, and safety fields.

A concerted effort was made to present information in a useful, clear, systematic, and understandable manner, with an emphasis on practical applications.

In summary, managers, engineers, and safety professionals—regardless of previous system safety knowledge—should benefit from this book, with students and others unfamiliar with system safety learning the most and those applying the knowledge benefiting the most.

ACKNOWLEDGMENTS FOR SYSTEM SAFETY FOR THE 21ST CENTURY

There are several people who either directly or indirectly helped or inspired the update to System Safety 2000. The following are just some of those people:

Joe Stephenson—THE author and teacher of system safety. We will miss him and his contribution to system safety.

Paige Ripani, past national president of the System Safety Society, acknowledged not just for her foreword to the 2nd edition, but also for more than 15 years of dedication to the field of system safety.

Pat Clemens is the unsung hero of system safety and risk analysis, an inspiration to many current (and future) system safety practitioners, and a former president of the Board of Certified Safety Professionals (BCSP).

Roger Brauer, the potentate of safety professionalism. We are indeed fortunate to have him in our midst. He has personally led a crusade to enhance the safety profession and the standard for safety professionals.

Paul Kryska—Leader and Manager of System Safety; National President of the Society at the time of publishing. Paul has vehemently practiced system safety in the Washington, D.C., area, in Albuquerque, NM, and now in Silicon Valley.

Warner Talso is the conscience of the System Safety Society and has been for more than ten years. He is the editorial power behind the publication of the first two editions of the System Safety Analysis Handbook. He is a best friend, a confidant, and a former Army nuclear weapons officer. I’ll miss our Saturday breakfast burritos since my wife and I have moved to Nevada.

Perry D’Antonio of Sandia National Laboratories—the person who turned the Society around in 1995 and 1996.

Curt Lewis—International Society of Air Safety Investigators’ Fellow and fellow director, BCSP. His daily Air Safety Bulletin is provided to thousands.

Fred Manuele, who provided the advice to “keep it a primer,” whose guidance during the development of the current edition of the book provided a theme upon which this edition was structured.

Major Bob Baker, “Mr. Air Force System Safety,” at the U.S. Air Force Safety Center at Kirtland AFB in New Mexico.

Michael Wilson and Pat McClure of the Los Alamos National Laboratory’s D-5, Nuclear Design and Risk Analysis Group, who are “leading the world in risk analysis” and also providing key support in and beyond the United States for security and nuclear power safety.

To my employer, ARES Corporation, a relatively small, highly specialized, and highly respected company where everyone learns and provides excellence to its clients. They have been a repeat sponsor of the International System Safety Conferences and a technical power in government and industry risk assessment.

Finally, to my wife and most fervent supporter, Jo, who allowed me to add this “volunteer” project to my plate in the midst of family, work, Board of Certified Safety Professionals activities, and System Safety Society obligations.

ACKNOWLEDGMENTS FOR SYSTEM SAFETY 2000

I would like to thank three groups, all of whom contributed to System Safety 2000, albeit in different ways.

First, I would like to thank those who made direct contributions to the effort:

1. Ted Ferry, for graciously tolerating harassment during his well-earned retirement first to review the proposal for the book and later to write the foreword.
2. Bill Johnson, also in retirement, for his review of the proposal and for initial development of the MORT approach to system safety.
3. Randy Nason and the C. H. Guernsey Company of Oklahoma City (C. N. Stover, Jr., president) for the opportunity to prepare the FMEA and FTA examples found in Chapters 14 and 15, respectively, and for permission to use them and the generic preliminary hazard analyses included as Appendix D.
4. Bob Murray and Webb, Murray and Associates, Inc. (WMA) of Houston for permission to use materials developed while I was working for WMA.
5. Patsy Day of WMA for her assistance in preparing most of the graphics and course materials taught for WMA. These materials provided a significant input to System Safety 2000.
6. Kelly Seidel, for use of his personal library, resource materials, and expertise while I was researching, organizing, and writing the manuscript. His input, advice, and moral support throughout the project were invaluable, as was his assistance in performing our “real jobs.”
7. All of the individuals who took the time and effort to respond to my questionnaires and to provide information found in the appendices.

Next, I would like to thank the individuals and organizations for and with whom I have worked during the last decade who have shared knowledge and afforded me the opportunity to learn, teach, and apply a variety of system safety tools on a variety of projects.

They are, in chronological order:

1. Reynolds Electrical and Engineering Company (REECo), an EG&G Company, Las Vegas. Special thanks to Collin Dunnam, Manager, Occupational Safety and Fire Protection, and the exceptional staff of safety professionals. While responsible for system safety for REECo at the Nevada Test Site, I was given the opportunity to apply system safety tools and techniques to projects in support of the nuclear weapons testing program.
2. System Safety Development Center (SSDC), EG&G Idaho, Idaho Falls, Idaho, Bob Nertney, director (at that time), and the instructional staff, particularly Dick Buys (now with Los Alamos National Laboratory). While serving as a satellite instructor for the System Safety Development Center, I had the opportunity to teach MORT-based system safety and to interact with the SSDC staff and the Department of Energy and DOE contractor safety community.
3. National Safety Council, Chicago, Carl Piepho, Manager, Safety Training Institute. Carl provided me with the opportunity to teach MORT-based courses worldwide to the USAF ground safety community and to teach professional development seminars (most on system safety) annually at the National Safety Congress.
4. Webb, Murray and Associates, Inc. (WMA), Houston, particularly Bob Webb, Bob Murray, and Billy Magee, officers, and the talented WMA safety engineers and consultants. My time as director of WMA’s Center for Advanced Safety Studies provided me with an opportunity to develop and teach system safety courses for NASA, DOD, DOT, and private industry and to participate in system safety projects.
5. From the U.S. Army, Don Pittenger, U.S. Army Corps of Engineers, and Paul Dierberger, U.S. Army Safety Center (also Harris Yeager, USAF; Craig Schilder, Naval Facilities Command; and Judy Sicka, U.S. Coast Guard) for the opportunity to develop and teach (through Kingsley Hendrick and the Department of Transportation’s Transportation Institute and WMA) the facility system safety course.

Finally, I would like to thank my family for the tolerance, support, and understanding provided during the weekends, holidays, and early morning hours when I was hibernating in my office agonizing over a missed deadline. Special thanks to my wife, Phyllis, for her typing, copying, and mailing services and for extraordinary patience. And a sincere apology to my family for all the things we did not do in 1989 and 1990.

PART I

INTRODUCTION TO SYSTEM SAFETY

CHAPTER 1

The History of System Safety

Prior to the 1940s, safety was generally achieved by attempting to control obvious hazards in the initial design and then correcting other problems as they appeared after a product was in use or at least in a testing phase. In other words, designers relied, at least in part, on a trial-and-error methodology. In the aviation field, this process became known as the fly-fix-fly approach. An aircraft would be designed using the best knowledge available, flown until problems were detected (or it crashed), and then the problems would be corrected and the aircraft would be flown again. This method obviously worked best with low, slow aircraft.

That this approach was not acceptable for certain programs—such as nuclear weapons and space travel—soon became apparent, at least to some. The consequences of accidents were too great. Trial-and-error and fly-fix-fly approaches were not adequate for systems that had to be first-time safe.

Thus, system safety was born, or, more accurately, evolved. The history of system safety consists of

The roots of the system safety effort extend back at least to the 1940s and 1950s. Accurately tracing the early transition from the traditional trial-and-error approach to safety to the first-time safe effort that lies at the heart of system safety is really impossible, but such a transition occurred as both aircraft and weapon systems became more complex and the consequences of accidents became less acceptable.

THE 1960s—MIL-STD-882, DOD, AND NASA

Even though the need for a more in-depth, upstream safety effort was recognized relatively early in the aviation and nuclear weapons fields, not until the 1960s did system safety begin to evolve as a separate discipline. In the 1960s

Most agree that one of the first major formal system safety efforts involved the Minuteman intercontinental ballistic missile (ICBM) program. A series of pre-Minuteman design-related silo accidents probably provided at least part of the incentive (U.S. Air Force 1987).

Early system safety requirements were generated by the U.S. Air Force Ballistic Systems Division. Early air force documents provided the basis for MIL-STD-882 (July 1969), “System Safety Program for Systems and Associated Subsystems and Equipment: Requirements for.” This document (and its revisions MIL-STD-882A and MIL-STD-882B) became, and remains, the bible for the Department of Defense (DOD) system safety effort (Moriarty and Roland 1983).

In addition to weapon systems, other early significant system safety efforts were associated with the aerospace industry, including civil and military aviation and the space program.

Even though the National Aeronautics and Space Administration (NASA) developed its own system safety program and requirements, the development closely paralleled the MIL-STD-882 approach and the DOD effort, primarily because the two agencies tend to share contractors, personnel, and, to a lesser degree, missions.

Also, through the early to mid-1960s, the System Safety Society emerged. This professional organization was founded in the Los Angeles area by Roger Lockwood. Organizational meetings were held in 1962 and 1963. The organization was chartered as the Aerospace System Safety Society in California in 1964. The name was changed to System Safety Society in 1967 (Medford 1973). In 1973, the System Safety Society was incorporated as “an international, nonprofit, organization dedicated to the safety of systems, products, and services” (System Safety Society 1989).

THE 1970s—THE MANAGEMENT OVERSIGHT AND RISK TREE

In the late 1960s, the Atomic Energy Commission (AEC), aware of system safety efforts in the DOD and NASA communities, made the decision to hire William G. Johnson, retired manager of the National Safety Council, to develop a system safety program for the AEC.

In the mid-1970s the AEC was dissolved; its energy research and weapons functions passed first to the Energy Research and Development Administration and, in 1977, to the newly created Department of Energy (DOE). Even though the individual AEC programs and the AEC contractors had good (some better than others) safety programs in place, the programs and approaches varied widely. This lack of standardization or commonality made effective monitoring, evaluation, and control of safety efforts throughout the organization difficult, if not impossible.

Thus the goals of the AEC effort were to improve the overall safety effort by:

Developing a new approach to system safety that incorporated the best features of existing system safety efforts

Providing a common approach to system safety and safety management to be used throughout the AEC and by AEC contractors

In 1973 a revised management oversight and risk tree (MORT) manual was published by the AEC. Even though Johnson borrowed heavily from existing DOD and NASA programs, his MORT program bore little resemblance to programs based on MIL-STD-882 (Johnson 1973).

The work by Bill Johnson was expanded and supplemented throughout the 1970s by the System Safety Development Center (SSDC) in Idaho Falls, Idaho. The MORT program provides the direction for this second major branch of the system safety effort.

Progress in the 1970s included

THE 1980s—FACILITY SYSTEM SAFETY

Throughout the 1980s, three factors drove the spread of system safety tools and techniques into areas other than the traditional aerospace, weapons, and nuclear fields.

First, the complexity and high cost of many nonflight, nonnuclear projects dictated a more sophisticated upstream safety approach. Second, product liability litigation provided added incentive to produce safe products. Third, system safety experience began to demonstrate that upstream safety efforts lead to better design. System safety tools and techniques originally considered to be expensive but necessary add-ons proved to be cost-effective planning and review tools.

Significant programs initiated or developed in the 1980s include the facility system safety efforts of the Naval Facilities Engineering Command and the U.S. Army Corps of Engineers and initiatives in the petrochemical industry.

The need for a system safety effort for major military construction projects resulted in the development of draft guidelines and facility system safety workshops for the military safety and engineering communities. By the end of the decade, facility system safety training programs for government employees were established, and similar courses for contractors were available. Regulations outlining facility system safety efforts were pending, and facility system safety efforts were being required on selected military construction projects. In addition, NASA was initiating facility system safety efforts, especially for new space station support facilities.

In 1985, the American Institute of Chemical Engineers (AIChE) initiated a project to produce the “Guidelines for Hazard Evaluation Procedures.” This document, prepared by Battelle, includes many system safety analysis tools. Even though they are frequently labeled hazard and operability (HazOp) programs, the methods being developed by the petrochemical industry to use preliminary hazard analyses, fault trees, failure modes, effects, and criticality analyses, and similar techniques to identify, analyze, and control risks systematically look very much like system safety efforts tailored for the petrochemical industry (Goldwaite 1985).

THE 1990s—RISK-BASED PROCESS SYSTEM SAFETY

If the 1980s were the decade of “facility safety,” then the 1990s should be identified with “process safety.” Prior to the 1990s, OSHA regulations were almost exclusively compliance-based: very specific rules were promulgated, and inspections were made to ensure that the rules were followed. The OSHA process safety management regulation (29 CFR 1910.119) instead required that the risk associated with a manufacturing or chemical processing site handling listed substances be assessed and that appropriate actions be taken to mitigate the consequences of an accident in order to protect the workers.

In addition, there was a greater interface with quality assurance (QA), particularly through the management-of-change element, which is so important to safety. An analogy for the safety aspect of change management is the advice given to a new driver: as long as you stay in the same lane, you are fairly safe, but when you change lanes or make a turn, you must be particularly careful and watchful about what you are about to do. Much the same can be said of changes to hardware and software during design, development, and fielding. It also became more apparent that the quality of input materials strongly affects both the desired output product and the safety performance of the process: impurities in input materials could weaken a structure or cause an undesired chemical reaction with intermediate chemical ingredients.

Further, the QA audit function is directly related to safety. QA audits with an encompassing scope include facility and process safety as one of the elements reviewed.

Milestone Standards Issue Events

System safety related events and guidance documents that emerged or evolved in the 1990s included:

MIL-STD-882C in 1993

The System Safety Analysis Handbook in 1993 (second edition in 1997); the Handbook is currently sold in more than 35 countries

The OSHA Process Safety Management (PSM) standard in 1992

The EPA Risk Management Program (RMP) rule in 1996

The renaming of Hazard Prevention to the Journal of System Safety in 1999

The European machinery safety standard EN 1050 in 1997, which requires a risk analysis before mechanical or electrical controls are specified

The System Safety Society’s international conferences becoming annual events

The establishment of the Center for Chemical Process Safety

Publication of the “System Safety and Risk Management” NIOSH instructional manual by Dr. Rodney Simmons and Pat Clemens, both strong advocates of system safety and both closely tied to the maturation of the Board of Certified Safety Professionals

At the 1993 International System Safety Conference, the then Chief of Air Force Safety said in his keynote presentation that the two challenges for the 1990s were software system safety and human factors. That was true then, and it remains true today, more than ten years later.

THE 2000s—QUEST FOR INTRINSIC SAFETY

As we progress into the new century there are both opportunities and challenges. Opportunities present themselves in the form of (1) the potential for integrating system software safety with control engineering to come closer to a level of “intrinsic safety” and (2) the proliferation of system safety as a discipline in other parts of the world. The challenges we face include the security needs made plain by the terrorist attacks on the United States on September 11, 2001. Additional challenges and a prediction for the future are presented in Chapter 5.

We define intrinsic safety as safety designed and built into a system. Yes, this overlaps with system safety; the two concepts are converging. Intrinsic safety is certainly a noble goal and one that should be continually pursued.

The proliferation of information on the Internet can be overwhelming. It is important to know how to move around the Internet using search engines, general-purpose sites, and links. Used well, the Internet can provide a great deal of useful information in a relatively short time.

Milestone Standards Issue Events

MIL-STD-882D (10 February 2000)

ANSI B11.TR3 (2000), which promulgated guidance on safety through design

EN 1050 (1997), requiring risk assessment prior to the installation of new machinery

The U.S. Department of Energy’s 10 CFR 830, Nuclear Safety Management, issued in 2001 and effective in 2003

The new issue of MIL-STD-882 in 2000 provided a modified approach to achieving system safety. The standard was renamed a “Standard Practice for System Safety,” and its implementation is discussed further in Chapter 3, “Current Approaches to System Safety.” Suffice it to say here that the standard allows flexibility in implementation while preserving the basic system safety requirements.

REVIEW QUESTIONS

1. Explain the fly-fix-fly approach to developing safe products.
2. What made the fly-fix-fly approach unacceptable? What were the first types of programs to seek something better than the fly-fix-fly approach?
3. How did MIL-STD-882B evolve? Where did it originate and who uses it now?
4. How did the MORT approach to system safety develop? Who developed it and who uses it?
5. Identify the three primary factors that drove the expansion of system safety during the 1980s.
6. Name three areas in which system safety efforts were initiated or developed during the 1980s.
7. Discuss why, although it is appropriate to transition to risk-based safety, it is not possible or appropriate to entirely do away with safety compliance.
8. Name two quality assurance program elements and explain their interface with system safety.
9. Name and explain why two locations outside the United States are becoming “centers” for safety standards development.
10. Although the Internet existed for a decade prior to the year 2000, why is it so much more popular today?

REFERENCES

Johnson, William G. 1973. MORT, The Management Oversight and Risk Tree. Washington, D.C.: U.S. Atomic Energy Commission.

Medford, Fred. 1973. History of the system safety society (SSS). Hazard Prevention 9(5):38–40.

Moriarty, Brian, and Harold E. Roland. 1983. System Safety Engineering and Management. New York: John Wiley & Sons.

U.S. Air Force. 1987. SDP 127-1: System Safety Handbook for the Acquisition Manager. Los Angeles: HQ Space Division/SE.

CHAPTER 2

Fundamentals of System Safety

BASIC DEFINITIONS

One of the major problems confronting the system safety community is a lack of standardization or commonality. (This problem is discussed in detail in Chapter 4.) Presenting “universally accepted” definitions of even basic terms is therefore difficult because, by and large, they do not exist. The following terms are defined in nontechnical language to ensure that the reader understands each term as it is used in this book. Specific definitions from documents widely used in the system safety effort are contained in the glossary, and definitions used by specific organizations are included in Chapter 3.

Safety: Freedom from harm. Safety is achieved by doing things right the first time, every time.

System: A composite of people, procedures, and plant and hardware working within a given environment to perform a given task (Fig. 2-1).

Figure 2-1 System definition: people, procedures, and plant hardware performing specific tasks in a given environment.

System safety: The discipline that uses systematic engineering and management techniques to aid in making systems safe throughout their life cycles.

Hazard: Something that can cause significant harm.

Risk: The chance of harm, in terms of severity and probability.

Safety community: That group of individuals who provide staff support to the line organization in support of the safety effort. It includes occupational and industrial safety, system safety, industrial hygiene, health, occupational medicine, environmental safety, fire protection, reliability, maintainability, and quality assurance personnel.

FUNDAMENTAL SAFETY CONCEPTS

Five fundamental safety concepts apply to any safety effort.

1. Safety is a line responsibility.
2. Safety is productive.
3. Safety requires upstream effort.
4. Safety depends on the safety precedence sequence.
5. Systematic tools and techniques help.

Safety Is a Line Responsibility

Line managers and supervisors are responsible for the safety of their organizational units and operations. This old principle is extremely important in the safety world. This particular fundamental must be understood and accepted by all parts of the organization. The safety professional’s job is to provide the staff support necessary to ensure that the line organization is able to do its job well and effectively. The system safety effort does not relieve program or project managers or design engineers of their safety responsibilities.

Safety Is Productive

Safety is achieved by doing things right the first time, every time. If things are done right the first time, every time, we not only have a safe operation but also an extremely efficient, productive, cost-effective operation. Because the system safety effort was founded to meet the requirement for first-time safe operations, the system safety effort obviously supports this principle.

Safety Requires Upstream Effort

The safety of an operation is determined long before the people, procedures, and plant and hardware come together at the work site to perform a given task.

Effectively evaluating or significantly influencing the long-term success of an operation at the work site alone is virtually impossible.

The selection of personnel, the initial and ongoing training, the development of procedures, and the design of facilities and equipment are the kinds of tasks that ultimately determine the safety of the workplace (Fig. 2-2). Safety professionals, managers, or supervisors who think they can have a significant impact on workplace safety by putting on a hard hat and safety shoes and wandering out with a clipboard to make the world safe are fooling themselves if the upstream processes have not been done properly. Good safety practice must begin as far upstream as possible.

Figure 2-2 Upstream process diagram.

Improvements in safety can often be made for a minimal amount of money if they are made far enough upstream. Sometimes the same changes may be extremely costly to the point of being impractical or even impossible if the potential hazards or the shortcomings in the system are not recognized until the system comes together in the workplace. Again, the system safety effort directly supports this safety fundamental.

Safety Depends on the Safety Precedence Sequence

The fourth fundamental involves the safety precedence sequence: a prioritized list of controls that should be considered and applied, in order, to eliminate or control identified hazards.

The first and most effective way to control identified hazards is to eliminate them through design or engineering changes.

If controlling the hazards through improved design or engineering is impossible or impractical, the next course of action should be to use physical guards or barriers to separate potential unwanted energy flows or other hazards from potential targets.

Warning devices should next be applied to any remaining hazards.

As a last resort, after other methods have been exhausted, procedures and training should be used.

Even after all these controls have been applied, some residual risks may remain. Making most operations or systems totally risk-free is impossible. The residual risks should be identified and formally accepted by the appropriate level of management. If the residual risks are unacceptable, additional controls should be provided or the project should be abandoned.

For most operations, a combination of controls must be used. Correct application of the safety precedence sequence dictates that lower-level controls are not considered until all practical options have been exhausted at the higher levels.

The safety precedence sequence originated as part of the system safety effort and is one of the few tools that is common to nearly all system safety efforts.

It is not, however, always called the safety precedence sequence. It is also known as the system safety precedence, the hazard reduction precedence sequence, the hazard control precedence sequence, the risk control sequence, and several other names. The fifth step (accept residual risks) is not always included.
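The following added example (illustration only, not code from the book) shows how a hazard tracking record can enforce the precedence sequence mechanically: every applied control is checked against the tiers above it, a rejected higher-tier control must carry a recorded rationale, and the residual risk left after all applied controls is routed to the acceptance level it requires. The severity and probability scales, the severity-times-probability risk index, and the acceptance thresholds are assumptions made for the example; the book (and MIL-STD-882) define their own matrices. The press pinch-point hazard and its controls are constructed sample data.

```python
"""Hazard record that enforces the safety precedence sequence.

Added illustration, not from the book. Scales, risk index and thresholds
are assumed for the example; substitute the program's own risk matrix.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    """Safety precedence sequence, in the order controls must be considered."""
    DESIGN = 1      # eliminate the hazard through design or engineering change
    BARRIER = 2     # physical guard or barrier between energy flow and target
    WARNING = 3     # warning device for any remaining hazard
    PROCEDURE = 4   # procedures and training, the last resort


@dataclass
class Control:
    tier: Tier
    description: str
    applied: bool                               # False: considered here but rejected
    rationale: str = ""                         # required when a control is rejected
    severity_after: Optional[int] = None        # residual severity if applied
    probability_after: Optional[int] = None     # residual probability if applied


@dataclass
class Hazard:
    name: str
    severity: int       # assumed scale: 1 negligible .. 4 catastrophic
    probability: int    # assumed scale: 1 improbable .. 5 frequent
    controls: list = field(default_factory=list)


def risk_index(severity: int, probability: int) -> int:
    """Assumed risk index: severity x probability (not a standard's matrix)."""
    return severity * probability


def precedence_violations(hazard: Hazard) -> list:
    """Flag a control applied at a tier while a higher-priority tier was never
    considered, and any rejected control that carries no rationale."""
    considered = {c.tier for c in hazard.controls}
    problems = []
    for c in hazard.controls:
        if not c.applied and not c.rationale.strip():
            problems.append(f"{c.tier.name}: '{c.description}' rejected without rationale")
        if c.applied:
            for higher in Tier:
                if higher < c.tier and higher not in considered:
                    problems.append(f"{c.tier.name}: '{c.description}' applied "
                                    f"but {higher.name} tier never considered")
    return problems


def residual_risk(hazard: Hazard) -> tuple:
    """Residual (severity, probability) after all applied controls. Assumption:
    each applied control states the level it reduces the hazard to; lowest wins."""
    sev, prob = hazard.severity, hazard.probability
    for c in hazard.controls:
        if c.applied:
            if c.severity_after is not None:
                sev = min(sev, c.severity_after)
            if c.probability_after is not None:
                prob = min(prob, c.probability_after)
    return sev, prob


def disposition(hazard: Hazard) -> str:
    """Assumed acceptance thresholds; the book says only 'the appropriate level
    of management' must formally accept residual risk."""
    idx = risk_index(*residual_risk(hazard))
    if idx >= 12:
        return "unacceptable: add controls or abandon"
    if idx >= 6:
        return "formal acceptance by program management required"
    return "acceptable: document in hazard tracking log"


def example_press_hazard() -> Hazard:
    """Constructed sample: pinch point on a hydraulic press."""
    h = Hazard("pinch point between press ram and die", severity=4, probability=4)
    h.controls = [
        Control(Tier.DESIGN, "relocate ram travel outside operator reach",
                applied=False, rationale="requires new tooling; rejected by design review"),
        Control(Tier.BARRIER, "interlocked guard stops ram when opened",
                applied=True, probability_after=2),
        # WARNING tier never evaluated, so the training control below is out of sequence
        Control(Tier.PROCEDURE, "operator training on guard use",
                applied=True, probability_after=2),
    ]
    return h


if __name__ == "__main__":
    hazard = example_press_hazard()
    for problem in precedence_violations(hazard):
        print("precedence violation:", problem)
    print("residual (severity, probability):", residual_risk(hazard))
    print("disposition:", disposition(hazard))
```

Running the sample reports one precedence violation (a procedural control was applied before the warning-device tier was ever evaluated), a residual risk of severity 4 and probability 2, and a disposition requiring formal acceptance by program management. Adding a considered (even rejected, with rationale) entry at the WARNING tier clears the violation without changing the residual risk, which is the point of the sequence: the record must show that each higher-priority tier was exhausted, not merely skipped.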

Systematic Tools and Techniques Help