Chapter 1. Introduction to System Safety Engineering
1. System Safety Concepts
1.1 Why do we need safety engineering?
It is difficult to open a newspaper or turn on the television and not be reminded how dangerous
our world is. Both large-scale natural and man-made disasters seem to occur on an almost daily
basis. An accident at a plant in Bhopal, India, killed over 2,500 people. A nuclear power plant in
the Ukraine exploded and burned out of control, sending a radioactive cloud to over 20 countries,
severely affecting its immediate neighbors’ livestock and farming.
A total of 6.7 million injuries and illnesses in the United States were reported by private industry
in 1993. Two commuter trains in metropolitan Washington, DC, collided in 1996, killing
numerous passengers. Large oil tankers ran aground in Alaska and Mexico, spilling millions of
gallons of oil and despoiling the coastline. An automobile air-bag manufacturing plant exploded,
killing one worker, after it had had over 21 fire emergencies in one year. Swarms of helicopters
with television cameras were drawn to the plant after every call, creating a public relations
nightmare and forcing the government to shut down the plant temporarily.
Some of these accidents occurred many years ago. Some of them occurred very recently. Many
of the accidents crossed international borders and affected millions of people in other countries.
Many more did not extend beyond national borders but still affected a great number of people.
And some of the accidents didn’t kill anyone.
We all know how quickly technology is changing; as engineers, it is difficult just to keep up. As
technology advances by leaps and bounds, and business competition heats up with the
internationalization of the economy, turnaround time from product design to market launch is
shrinking quickly. The problem quickly becomes evident: How do we build products with high
quality, cheaply, quickly, and still safely?
An American Society of Mechanical Engineers national survey found that most design engineers
were very aware of the importance of safety and product liability in designs but did not know
how to use the system safety tools available. In fact, most of the engineers who responded said
that the only safety analyses they used were the application of safety factors in design, safety
checklists, and the use of compliance standards. Almost 80 percent of the engineers had never
taken a safety course in college, and more than 60 percent had never taken a short course in
safety through work. Also, 80 percent had never attended a safety conference and 70 percent had
never attended a safety lecture.
So how do engineers design, build and operate systems safely if they have never really been
prepared for it? And, to make matters worse, engineers are now more frequently called to testify
in court about failures in their designs.
Like most engineering problems, this one does have a solution. And the solution is not that
difficult to implement, nor costly. What it does entail is considerable forethought and systematic
engineering analysis. System safety engineering is not difficult to apply; in fact, it is almost easy.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
1.2 Cost of accidents
To gain a proper perspective on the economics of workplace accidents, we must view them in the
overall context of all accidents. The overall cost of all accidents in the United States is
approximately $800 billion annually. These costs include lost wages, medical expenses,
insurance administration, fire-related losses, property damage, and indirect costs.
Table 1-1 breaks down this overall amount by category of accident; Table 1-2 breaks it down by
cost category. Notice in Table 1-1 that workplace accidents rank second behind motor vehicle
accidents in cost. Table 1-2 shows that the highest cost category is wages lost by workers who
are either injured or killed. The category of indirect losses from work accidents consists of
costs associated with responding to accidents (i.e., giving first aid, filling out accident reports,
handling work slowdowns).
Table 1-1 Accident costs in a typical year by accident type (in billions of dollars)
  Motor vehicle accidents    $722
  Workplace accidents         $48
  Home accidents              $18
  Public accidents            $12
Table 1-2 Accident costs in a typical year by cost category (in billions of dollars)
  Wages lost                           $38
  Medical expenses                     $24
  Insurance administration             $29
  Property damage (motor vehicle)      $27
  Fire losses                          $10
  Indirect losses for work accidents   $23
Clearly accidents cost U.S. industry dearly. Every dollar spent responding to accidents is a dollar
that could have been reinvested in modernization, employee training, and other competition-enhancing activities.
Reference:
David L. Goetsch. 2003. Construction Safety and Health. Columbus, Ohio: Prentice Hall.
1.3 Accidental deaths in the United States
Accidental deaths in the United States result from a variety of causes, including motor vehicle
accidents, falls, poisoning, drowning, fire-related injuries, suffocation (ingested object), firearms,
medical complications, air transport accidents, injuries from machinery, mechanical suffocation,
and the impact of falling objects. The NSC periodically computes death totals and death rates in
each of these categories. The statistics for a typical year are as follows:
 Motor vehicle accidents. Motor vehicle accidents are the leading cause of accidental
deaths in the United States every year. They include deaths resulting from accidents
occurring on or off the road. In a typical year, there are approximately 47,000 deaths from
this cause in the United States.
 Falls. This category includes all deaths from falls except those associated with transport
vehicles. For example, a person who is killed as the result of falling while boarding a bus
or train would not be included in this category. In a typical year, there are approximately
13,000 deaths in the United States from falls.
 Poisoning. The poisoning category is divided into two subcategories: (1) poisoning by
solids and liquids and (2) poisoning by gases and vapors. The first category includes
deaths that result from the ingestion of drugs, medicine, recognized solid and liquid
poisons, mushrooms, and shellfish; it does not include poisoning from spoiled food or
Salmonella species. The second category includes deaths caused by incomplete
combustion (e.g., gas vapors from an oven or unlit pilot light) or from carbon monoxide
(e.g., exhaust fumes from an automobile). In a typical year, there are approximately 6,000
deaths in the first category and 1,000 in the second.
 Drowning. This category includes work-related and non-work-related drowning but
excludes those associated with floods or other natural disasters. In a typical year, there
are approximately 5,000 deaths from drowning in the United States.
 Fire-related injuries. This category includes deaths from burns, asphyxiation, falls, and
being struck by falling objects in a fire. In a typical year, there are more than 4,000
fire-related deaths in the United States.
 Suffocation (ingested object). This category includes deaths from the ingestion of an
object that blocks the air passages. In many such deaths, the ingested object is food. In a
typical year, there are approximately 4,000 such suffocation deaths in the United States.
 Firearms. This category includes deaths from recreational activities or household
accidents that involve firearms. For example, a person killed in the home while cleaning a
firearm would be included in this category; however, a person killed in combat would not
be. In a typical year, there are approximately 2,000 deaths in this category.
 Others. This category includes deaths from medical complications arising out of mistakes
made by healthcare professionals, air transport injuries, interaction with machinery,
mechanical suffocation, and the impact of falling objects. In a typical year, there are more
than 14,000 deaths in these subcategories.
Reference:
David L. Goetsch. 2003. Construction Safety and Health. Columbus, Ohio: Prentice Hall.
1.4 Death rates in industry
A variety of agencies and organizations, including the Bureau of Labor Statistics, the National
Center for Health Statistics, and the NSC, collect data on death rates within industrial categories.
Such information can be used in a variety of ways, not the least of which is in assigning
workers’ compensation rates. The most widely used industrial categories are agriculture,
including farming, forestry, and fishing; mining and quarrying, including oil and gas drilling and
extraction; construction; manufacturing; transportation and public utilities; trade, both wholesale
and retail; services, including finance, insurance, and real estate; and federal, state, and local
government.
When death rates are computed on the basis of the number of deaths per 100,000 workers in a
given year, the industry categories rank as follows (from highest death rate to lowest):
1. Mining and quarrying
2. Agriculture
3. Construction
4. Transportation/public utilities
5. Government
6. Manufacturing
7. Services
8. Trade
The construction industry ranks third in workplace deaths, but first in workplace injuries. The
rankings sometimes change slightly from year to year; for example, agriculture and mining and
quarrying may exchange the first and second rankings in any given year. This is also true at the
low end of the rankings, with services and trade. However, the ranking is generally as shown.
Reference:
David L. Goetsch. 2003. Construction Safety and Health. Columbus, Ohio: Prentice Hall.
1.5 What is safety analysis?
Safety analysis is a generic term for the study of a system, the identification of its dangerous
aspects, and their correction. System safety is the formal name for a comprehensive and
systematic examination of an engineering design or mature operation, and the control of any
particular hazards that could injure people or damage equipment.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
System safety engineering is an engineering discipline requiring specialized knowledge to apply
scientific and engineering principles, criteria, and techniques to identify and control hazards and
their associated risk to an acceptable level.
System safety engineering is a compilation of engineering analyses and management practices
that control dangerous situations, specifically:
 Identify the hazards in a system.
 Determine the underlying causes of those hazards.
 Develop engineering or management controls to either eliminate the hazards or mitigate
their consequences.
 Verify that the controls are adequate and in place.
 Monitor the system after it has been changed and modify further as needed.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
System safety management is an element of program management that ensures accomplishment
of the correct mix of system safety tasks. This includes identification of system safety
requirements; planning, organizing, and controlling those efforts that are directed toward
achieving the safety goals; coordinating with other program elements; and analyzing, reviewing,
and evaluating the program to ensure effective and timely realization of the system safety
objectives.
The basic concept of system safety is that it is a formal process of intentionally designing in
safety by designing out hazards or reducing the mishap risk of hazards. It is a proactive process
performed throughout the system life cycle to save lives and resources by intentionally reducing
the likelihood of mishaps to an insignificant level. The system life cycle is typically defined as
the stages of concept, preliminary design, detailed design, test, manufacture, operation, and
disposal (demilitarization). In order to be proactive, safety must begin when system development
first begins at the conceptual stage.
The goal of system safety is to ensure the detection of hazards to the fullest extent possible and
provide for the introduction of protective measures early enough in system development to avoid
design changes late in the program. A safe design is a prerequisite for safe operations. Things
that can go wrong with systems are predictable, and something that is predictable is also
preventable. As Murphy’s law states “whatever can go wrong, will go wrong.” The goal of
system safety is to find out what can go wrong (before it does) and establish controls to prevent it
or reduce the probability of occurrence. This is accomplished through hazard identification and
mitigation.
Reference:
Clifton A. Ericson. 2005. Hazard Analysis Techniques for System Safety. Hoboken, New Jersey: John
Wiley & Sons.
1.6 System safety and risk assessment
Many engineers confuse system safety with risk assessment and use the terms interchangeably. System
safety is the assurance that the system is safe for all people, environment, and equipment. Risk
assessment, like system safety engineering, can be used to determine how safe something is, but
it also can be used to determine the various trade-off alternatives to lower the risk in a system.
Risk in this case does not have to be related to safety; it could just mean the risk of losing market
share or delivering a product late.
The two concepts are combined. System safety engineering is considered a working part of the
risk assessment process. Engineers must use system safety engineering analyses to truly
understand what causes hazards and how they should be controlled. Risk assessment takes that
information and helps the engineer weigh the options and decide which is the most cost-effective.
At first glance, it seems that every industry performs safety analysis and risk assessment differently. On closer
look, however, the fundamental precepts are the same: The methods are systematic and
comprehensive. An industry may favor one method over another, but in most cases this is mostly
out of tradition. Now is a good time to review the way different industries apply safety and try to
learn from each other. In most cases you can literally lift the safety method from one industry
and apply it directly to another.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
1.7 A brief history of safety
Of course, the need for safety has always been with us. One of the earliest written references to
safety is from the Code of Hammurabi, around 1750 B.C. His code stated that if a house was
built and it fell due to poor construction, killing the owner, then the builder himself would be put
to death. The first laws covering compensation for injuries were codified in the Middle Ages.
Around 1834, Lloyd’s Register of British and Foreign Shipping was created, institutionalizing
the concept of safety and risk analysis. In 1877 Massachusetts passed a law to safeguard
machinery and also created employers’ liability laws.
At the end of the 19th century, a rash of exploding boilers gave urgency and impetus to the
American Society of Mechanical Engineers to create the Boiler and Pressure Vessel design codes
and standards. Beginning in 1911 the United States saw safety groups forming, and the National
Safety Council was founded in 1913.
Around the 1920s private companies started to create formalized safety programs. The early
1930s was the beginning of the implementation of accident prevention programs across the
United States. By the end of the decade, the American National Standards Institute had published
hundreds of industrial manuals.
Most of the current safety techniques and concepts were born at the end of World War II.
Operations research led the way, suggesting that the scientific method could be applied to the
safety profession. In fact, operations research gave some legitimacy to the use of quantitative
analysis in predicting accidents.
However, the system safety concept and profession really started during the American military
missile and nuclear programs in the 1950s and 1960s. Liquid-propellant missiles exploded
frequently and unexpectedly. During that period the Atlas and Titan programs saw many missiles
blow up in their silos during practice operations. Some of the accident investigations found that
these failures were due to design problems, operations deficiencies, and poor management
decisions.
Because of the loss of thousands of aircraft and pilots during the same time frame, the U.S. Air
Force started to pull together the concepts of system safety, and in April 1962 published BSD
Exhibit 62-41, “System Safety Engineering for the Development of Air Force Ballistic Missiles.”
Safety was also starting to enter the public mind. Ralph Nader publicized safety concerns during
the mid-1960s and started making people aware of how dangerous cars really were with his book,
Unsafe at Any Speed (published in 1965, Grossman, NY). He continued being a powerful voice
to the U.S. Congress to bring automobile design under federal control and to regulate consumer
protection.
In the United Kingdom in the early 1960s, Imperial Chemical Industries started developing the
concept of the HAZOP study (a chemical industry safety analysis). In 1974 it was presented at an
American Institute of Chemical Engineers conference on loss prevention.
The U.S. National Aeronautics and Space Administration (NASA) sponsored government-industry
conferences in the late 1960s and early 1970s to address system safety. Part of this was
safety technology transfer from the Mercury program’s “man-rating” effort, which developed
ballistic missiles safe enough to carry humans into space.
In 1970 the Occupational Safety and Health Administration (OSHA) published industrial safety
requirements. Later in the decade, the U.S. military published Mil-Std-882, “Requirements for
System Safety Program for Systems and Associated Subsystems and Equipment.” This document
is still considered the cornerstone of the system safety profession. It is one of the most cited
requirements in procurement contracts.
OSHA published a process safety standard for hazardous materials in 1992. This is one of the
strongest cross-fertilizations of system safety techniques taken from various industries and
applied to the chemical industry.
It is obvious that the system safety engineering profession, like all professions, has evolved over
time. In most cases this has been out of necessity: an unacceptable number of deaths, accidents,
and losses of revenue have forced engineers to take a more serious approach to designing safety
into both systems and products.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
1.8 The make-up of an accident
We may all say accidents happen. However, accidents not only take human lives and destroy
millions of dollars in property and business; they may also cost us our jobs and reputations.
The Bhopal, India, accident in 1984 released methyl isocyanate and caused over 2,500 fatalities.
In 1986, the NASA Space Shuttle Challenger disintegrated in flight in front of millions of
television viewers, killing seven astronauts, bringing NASA to a standstill for two years, and
costing the agency billions of dollars. A petroleum refinery blew up in Houston, Texas, in 1989,
killing 23 workers, damaging property totaling US $750 million, and spewing debris from the
explosion over an area of 9 km. Many thought that after the Three Mile Island and Chernobyl
nuclear power plant disasters we would finally get a handle on how to prevent accidents. U.S.
government statistics indicate that more than 350 chemical accidents a year result in death, injury,
or evacuation.
Accidents don’t just happen; they are a result of a long process, with many steps. Many times all
of these steps have to be completed before an accident can occur. If the engineer can prevent one
or more of these accident steps from occurring, then he can either prevent the mishap or at least
mitigate its effects. Part of system safety strategy is to intervene at various points along that
accident timeline.
An accident is an unplanned process of events that leads to undesired injury, loss of life, damage
to the system or the environment. This means that death in war is no accident, but a jeep crashing
on the way to battle is.
An incident or near-miss is an almost-accident. Three Mile Island was a radioactive near-miss.
No massive quantities of radioactivity were released to the environs, but they almost were.
Preliminary events can be anything that influences the initiating event. Examples of preliminary
events could be long working hours for chemical plant operators or poor or incomplete pump
maintenance. Preliminary events set the stage for a hazardous condition. If we can eliminate the
preliminary events or hazardous condition, then the accident cannot advance to the next step: initiating events.
The initiating event, sometimes called the trigger event, is the actual mechanism or condition that
causes the accident to occur. It can be thought of as the spark that lights the fire. For example, a
valve sticks open on a process feed line, an electrical short causes a spark at a fueling depot, a
pressure regulator fails open in a cryogenic system, or a 220-V power feed is mated with a 110-V system.
Intermediate events can have two effects: They may propagate or ameliorate the accident.
Functioning relief valves in a pressure system will ameliorate a system over-pressurization. No
pressure relief will propagate the hazardous condition and create an accident of system pressure
rupture. Defensive driving on highways helps us protect ourselves from the “other” crazy driver
or ameliorate the effects of his bad driving. Obviously, drunk driving does the opposite,
propagating and intensifying an already dangerous situation.
For example, first there is a hazardous condition, such as large quantities of flammable liquids.
Then the initiating event occurs; for example, a valve sticks open. The effect of the failed-open
valve propagates a pressure rise in the system. Now an in-line relief valve can mitigate the
effects of the initiating event. If not, an accident ensues: an explosion.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
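The accident sequence just described (preliminary events, hazardous condition, initiating event, intermediate events, accident) can be turned into a small model that walks each step and reports where a control would break the chain. The code below is an added example written for these notes, not from Bahr's book; the sequence, the barrier names and the outcome labels ("no hazard", "hazardous condition only", "near-miss", "accident") are constructed for illustration around the section's valve-sticks-open example.

```python
"""The accident sequence of section 1.8 as a step-by-step model (added example;
the sequence and barrier names below are constructed, not from Bahr's book)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Barrier:
    """An intermediate event that ameliorates the sequence when it functions
    (a relief valve that lifts) and propagates it when it does not."""
    name: str
    functioning: bool


@dataclass(frozen=True)
class AccidentSequence:
    preliminary_events: tuple[str, ...]   # all must hold for the hazardous condition to arise
    hazardous_condition: str
    initiating_event: str                 # the "trigger" or "spark"
    barriers: tuple[Barrier, ...]         # intermediate events, in order
    accident: str


def outcome(seq: AccidentSequence, controls: frozenset[str] = frozenset()) -> str:
    """Walk the sequence step by step.  `controls` names the steps at which a
    control intervenes: a named preliminary event, hazardous condition or
    initiating event is eliminated; a named barrier is restored to functioning."""
    if seq.hazardous_condition in controls or any(p in controls for p in seq.preliminary_events):
        return "no hazard"                     # the stage is never set
    if seq.initiating_event in controls:
        return "hazardous condition only"      # hazard present but never triggered
    if any(b.functioning or b.name in controls for b in seq.barriers):
        return "near-miss"                     # an intermediate event ameliorated it
    return "accident"                          # every step completed


def intervention_points(seq: AccidentSequence) -> set[str]:
    """Every single step whose control alone keeps the sequence from ending in
    the accident: the points along the timeline where safety can intervene."""
    candidates = (*seq.preliminary_events, seq.hazardous_condition,
                  seq.initiating_event, *(b.name for b in seq.barriers))
    return {step for step in candidates if outcome(seq, frozenset({step})) != "accident"}


# Constructed sequence built on the section's example, with every barrier failed.
OVERPRESSURE = AccidentSequence(
    preliminary_events=("incomplete pump maintenance", "operators on extended shifts"),
    hazardous_condition="large quantity of flammable liquid under pressure",
    initiating_event="feed-line valve sticks open",
    barriers=(Barrier("in-line relief valve", functioning=False),
              Barrier("high-pressure alarm and operator response", functioning=False)),
    accident="vessel rupture and explosion",
)

if __name__ == "__main__":
    print("as found:", outcome(OVERPRESSURE))
    print("relief valve restored:", outcome(OVERPRESSURE, frozenset({"in-line relief valve"})))
    print("intervention points:", sorted(intervention_points(OVERPRESSURE)))
```

With all barriers failed the model reaches the accident; restoring the relief valve alone turns the same sequence into a near-miss, and eliminating any one preliminary event means the hazardous condition never arises. That is the point of the section: the chain has several links, and a control on any one of them is enough.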
1.9 How safe is safe enough?
The insurance industry functions by answering the question: How safe is safe enough?
Actuarial tables are based on the cost of an accident. One question the engineer must answer
is: How much am I willing to spend to protect myself from accidents (including lawsuits and lost
business revenue)? The U.S. National Safety Council publishes Accident Facts annually with
estimates of accident costs by industry. Their numbers include estimates for wages lost, medical
expenses, insurance administration cost, and uninsured costs. For example, an accidental death in
the aerospace industry with total death compensation is about $750,000 per person (U.S.
National Safety Council, 1991).
Of course, not all accidents or near misses result in personal injury or death. Part of the
determination of the cost of safety is how much downtime the plant is willing to endure before
replacing the broken machinery or cleaning up the mess. The real problem the engineer faces is
how to make technology safe without it costing too much. We can make a car nearly totally safe,
but we would never be able to use it. Part of the system safety engineering process is to help the
engineer identify what the hazards, the costs, and the associated risks are. It is almost always
much cheaper to “design out” the hazard while the product is still on the drafting table (or,
nowadays, on the computer screen) than out in the field.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
1.10 What is a hazard and other important concepts
Over the years there has been considerable confusion with the concepts of safety, risk, and
hazard. The major problem is that many people tend to interchange the words as if they mean the
same. On top of that, different industries often define the concepts differently.
The most important thing to remember is that system safety engineering is a combination of
management and systems engineering practices applied to the evaluation and reduction of risk in
a system and its operation. The objective of system safety is to identify hazards resulting from
the use or operation of a system and to eliminate or reduce the hazards to an acceptable level of
risk.
The system is the combination or interrelation of hardware, software, people, and the operating
environment. In system safety engineering you must look at the system from cradle to grave. In
other words, the system life cycle is the design, development, test, production, operation, and
retirement of the system. A nuclear power plant is one large system with operators, pressure
subsystems, etc. A far simpler example is a boy riding his bike. The bike, the boy, the street
(with all its traffic conditions), the weather, the time of day, and even other children make up the
system of “boy on his bike.”
A succinct definition is that a hazard is a condition that can cause injury or death, damage to or
loss of equipment or property, or environmental harm. Some typical hazards in various systems
are electrical discharge or shock, fire or explosion, rapid pressure release, and extreme high or
low temperature.
Of course, a hazard can be the result of a system or component failure, but it isn’t always. Failure
and hazard are frequently linked. There is an occupational hazard to associating the two. A
hazard can exist without anything failing. In other words, an engineer can actually “design” in a
hazard. Guns are very hazardous to life, especially when operated properly. To be successful in
system safety engineering we must look not only at failures and their associated hazards but also
at the normal system operation and its hazards.
Hazard addresses only the severity or end result. Risk combines the concept of severity of the
accident consequence and the likelihood of it occurring. In the simplest terms, risk is the
combination of the probability (or frequency of occurrence) and consequence (or severity) of a
hazard. There are always risks. There is a risk in staying in bed and a different risk in getting
out of bed. As much as we would love to have zero risk, that is a practical impossibility. Because
we cannot totally eliminate risk, we try to shrink it as much as possible. This can be done by
lowering either the probability or the severity of the hazard, or both. So,
Risk (consequence/time) = frequency (events/time) × magnitude (consequence/event)
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
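A worked example of the risk formula, added to these notes (it is not from Bahr's book): the hazard, its frequency and magnitude, and the three control options with their annual costs are constructed numbers. Magnitude is carried in consequence per event so that the units multiply out to consequence per unit time, and the options are ranked by risk avoided per year minus the control's cost, which is the trade-off section 1.9 raises.

```python
"""Risk = frequency x magnitude (section 1.10) with constructed numbers.
Added example: the hazard, its values and the control options are made up here."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class HazardRisk:
    """One hazard in the units the formula uses (consequence here = dollars lost)."""
    name: str
    frequency_per_year: float   # frequency: events / time
    magnitude_per_event: float  # magnitude: consequence / event

    def risk_per_year(self) -> float:
        # risk (consequence/time) = frequency (events/time) x magnitude (consequence/event)
        return self.frequency_per_year * self.magnitude_per_event


def apply_control(hazard: HazardRisk, control: str,
                  frequency_factor: float = 1.0, magnitude_factor: float = 1.0) -> HazardRisk:
    """Model a control as a multiplier on frequency (prevention), on magnitude
    (mitigation), or on both.  Factors lie in (0, 1]: a control shrinks a term
    but never drives risk to zero, since zero risk is a practical impossibility."""
    for factor in (frequency_factor, magnitude_factor):
        if not 0.0 < factor <= 1.0:
            raise ValueError(f"control factor must be in (0, 1], got {factor}")
    return HazardRisk(f"{hazard.name} with {control}",
                      hazard.frequency_per_year * frequency_factor,
                      hazard.magnitude_per_event * magnitude_factor)


def net_benefit_per_year(before: HazardRisk, after: HazardRisk,
                         control_cost_per_year: float) -> float:
    """Risk avoided per year minus what the control costs per year (the
    'how much am I willing to spend' question of section 1.9)."""
    return before.risk_per_year() - after.risk_per_year() - control_cost_per_year


def rank_control_options(hazard: HazardRisk,
                         options: dict[str, tuple[float, float, float]]) -> list[tuple[str, float]]:
    """`options` maps a control name to (frequency_factor, magnitude_factor, cost_per_year).
    Returns (name, net benefit per year) pairs, best option first."""
    ranked = []
    for name, (f_factor, m_factor, cost) in options.items():
        after = apply_control(hazard, name, f_factor, m_factor)
        ranked.append((name, net_benefit_per_year(hazard, after, cost)))
    ranked.sort(key=lambda pair: pair[1], reverse=True)
    return ranked


# Constructed hazard: a feed-line over-pressurization that ruptures a vessel.
FEED_LINE_RUPTURE = HazardRisk("feed-line over-pressurization",
                               frequency_per_year=0.5, magnitude_per_event=400_000.0)

# Constructed control options: (frequency factor, magnitude factor, annual cost in dollars).
CONTROL_OPTIONS = {
    "relief valve (mitigates consequence)":        (1.0, 0.1, 15_000.0),
    "pump maintenance program (lowers frequency)": (0.2, 1.0, 50_000.0),
    "relief valve + maintenance program":          (0.2, 0.1, 65_000.0),
}

if __name__ == "__main__":
    print(f"baseline risk: ${FEED_LINE_RUPTURE.risk_per_year():,.0f}/year")
    for name, benefit in rank_control_options(FEED_LINE_RUPTURE, CONTROL_OPTIONS):
        print(f"{name:46s} net benefit ${benefit:,.0f}/year")
```

At these constructed numbers the baseline risk is $200,000 per year, and the option that only lowers severity gives the largest net benefit; applying both controls avoids more risk but costs more than the extra reduction is worth. That comparison of alternatives, rather than the risk figure itself, is what risk assessment (section 1.6) adds to the safety analysis.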
1.11 The system safety process
The system safety process is really an easy concept to grasp. The overall purpose is to identify
hazards, eliminate or control them, and mitigate the residual risks. The process should combine
management oversight and engineering analyses to provide a comprehensive, systematic
approach to managing the system risks.
As with any problem, the first step is to define the boundary conditions or analysis objectives.
That is the scope or level of protection desired. One must understand what level of safety is
desired at what cost. The engineer needs to answer the question: How safe is safe enough? Other
questions to ask are:
 What constitutes a catastrophic accident?
 What constitutes a critical accident?
 Is the cost of preventing the accident acceptable?
Most industries approach this step in the same way. However, how they differentiate among
catastrophic, critical, minor, and negligible hazards may vary. The engineer will need to modify
the definitions to fit the particular problem. What is important is that these definitions are
determined before work begins. A rule-of-thumb definition for each is:
Catastrophic: any event that may cause death or serious personnel injury, or loss of the system (e.g.,
an anhydrous ammonia tanker truck overturns, resulting in a major spill).
Critical: any event that may cause severe injury, or loss of mission-critical hardware or
high-dollar-value equipment (e.g., a regulator fails open and over-pressurizes a remote hydraulic line,
damaging equipment and bringing the system down for some days).
Minor: any event that may cause minor injury or minor system damage, but does not significantly
impact the mission (e.g., a pressure control valve fails open, causing pressure drops and increased
caustic levels).
Negligible: any event that does not result in injury or system damage and does not affect the
mission (e.g., loss of commercial power, causing shutdown of the plant cafeteria).
The next step is system description. Some time should be given to grasping how the system
works and how the hardware, software, people, and environment all interact. If the system is not
described accurately, then the safety analysis and control program will be flawed.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
1.12 Hazard identification
Hazard identification is a crucial part of the system safety process. It really is impossible to
safeguard a system or control risks adequately without first identifying the hazards. An all-too-frequent mistake in safety engineering is to skip over this step, or not to give it adequate attention.
The hazard identification process is a kind of “safety brainstorming.” The purpose is to identify
as many hazards as are possible and credible. Through this process the engineer develops a
preliminary hazard list (PHL) and later will assess the impact on the system.
To develop a PHL the engineer will want to use various methods to gather the most exhaustive
list possible. This may include:
 Survey the site.
 Interview site personnel.
 Convene a technical experts panel.
 Analyze and compare similar systems.
 Identify codes, standards, and regulations.
 Review relevant technical data (electrical and mechanical drawings, analyses, operator
manuals and procedures, engineering reports, etc.).
 Analyze energy sources (voltage/current sources, high/low temperature sources, etc.).
The next step is to analyze the hazards identified. A hazard analysis is a technique for studying
the cause/consequence relation of the hazard potential in a system. The purpose is to take the
preliminary hazard list one level deeper and assess how each hazard affects the system. Is it
catastrophic? Or is it critical? The hazard analysis will also assist the engineer in further
assessing which hazards are important and which are not and therefore do not need further study.
After hazards have been identified and analyzed, the engineer needs to control their occurrence
or mitigate their effects. This is done by evaluating the risks. Is the hazard likely to occur? If it
does, how much damage will result from the incident? The engineer needs to understand the
relationship between hazard cause and effect. With this information, the associated risks are then
ranked and engineering management is better able to determine which risks are worth controlling
and which risks require less attention.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
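The four severity definitions of section 1.11 and the ranking step of the hazard analysis just described can be written as a classifier and a sort. This is an added example for these notes, not from Bahr's book: the five-level likelihood scale, the multiplicative weighting, the score threshold, and the hazards and causes in the constructed preliminary hazard list are assumptions; only the four severity classes and their definitions come from the text.

```python
"""Severity classification (section 1.11) and hazard ranking (section 1.12).
Added example; the likelihood scale, weighting and hazard list are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """The four classes of section 1.11, ordered so that comparisons work."""
    NEGLIGIBLE = 1
    MINOR = 2
    CRITICAL = 3
    CATASTROPHIC = 4


class Likelihood(IntEnum):
    """Assumed qualitative scale for 'is the hazard likely to occur?'; not from the page."""
    IMPROBABLE = 1
    REMOTE = 2
    OCCASIONAL = 3
    PROBABLE = 4
    FREQUENT = 5


@dataclass(frozen=True)
class Outcome:
    """Worst credible consequence of a hazard, in the terms the definitions use."""
    deaths: int = 0
    injury: str = "none"   # "none", "minor", "severe", "serious"
    damage: str = "none"   # "none", "minor", "mission-critical", "loss-of-system"


def classify_severity(o: Outcome) -> Severity:
    """Apply the rule-of-thumb definitions, most severe rule first."""
    if o.deaths > 0 or o.injury == "serious" or o.damage == "loss-of-system":
        return Severity.CATASTROPHIC
    if o.injury == "severe" or o.damage == "mission-critical":
        return Severity.CRITICAL
    if o.injury == "minor" or o.damage == "minor":
        return Severity.MINOR
    return Severity.NEGLIGIBLE


@dataclass(frozen=True)
class Hazard:
    name: str
    cause: str                # underlying cause found by the hazard analysis (constructed)
    worst_outcome: Outcome
    likelihood: Likelihood


def risk_score(h: Hazard) -> int:
    """Qualitative form of risk = likelihood x severity (assumed equal weighting)."""
    return int(classify_severity(h.worst_outcome)) * int(h.likelihood)


def rank_hazards(hazards: list[Hazard]) -> list[tuple[str, str, int]]:
    """(name, severity, score) triples, highest risk first; ties broken by severity."""
    ranked = sorted(hazards,
                    key=lambda h: (risk_score(h), classify_severity(h.worst_outcome)),
                    reverse=True)
    return [(h.name, classify_severity(h.worst_outcome).name, risk_score(h)) for h in ranked]


def needs_further_study(hazards: list[Hazard], score_threshold: int = 8) -> list[str]:
    """Hazards that merit deeper analysis: every catastrophic or critical hazard,
    plus lower-severity ones whose score reaches the (assumed) threshold."""
    return [h.name for h in hazards
            if classify_severity(h.worst_outcome) >= Severity.CRITICAL
            or risk_score(h) >= score_threshold]


# Constructed preliminary hazard list, built from the section's own example events.
PHL = [
    Hazard("ammonia tanker truck overturns", "inadequate load securing",
           Outcome(deaths=1), Likelihood.REMOTE),
    Hazard("regulator fails open on remote hydraulic line", "regulator seat wear",
           Outcome(damage="mission-critical"), Likelihood.OCCASIONAL),
    Hazard("pressure control valve fails open", "actuator diaphragm leak",
           Outcome(damage="minor"), Likelihood.PROBABLE),
    Hazard("loss of commercial power to cafeteria", "utility outage",
           Outcome(), Likelihood.FREQUENT),
]

if __name__ == "__main__":
    for name, severity, score in rank_hazards(PHL):
        print(f"{score:2d}  {severity:12s} {name}")
    print("further study:", needs_further_study(PHL))
```

With this weighting a remote catastrophic hazard scores below an occasional critical one, which is why needs_further_study keeps every catastrophic or critical hazard regardless of score. Whatever scheme is chosen, the text's point stands: agree the definitions and the weighting before the analysis begins, or the ranking cannot be compared across hazards.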
1.13 Hazard control
After evaluating the risks and ranking their importance, the engineer must control their effects.
Controls fall into two broad categories: engineering controls and management controls.
Engineering controls are changes in the hardware that either eliminate the hazards or mitigate
their risks. Some example engineering controls include: adding a relief valve to a 2,000-psi
oxygen system; building a berm around an oil storage tank; using only hermetically sealed
switches in an explosive environment; or putting in hard stops in rotating machinery to prevent
over-torquing.
Management controls are changes made to the organization itself. Developing and implementing
a plant safety plan is a good method of applying management controls to hazards. Some
examples are: using production-line employees as safety representatives for their areas; requiring
middle-management reviews and approvals of any plant or system modifications to consider
safety implications; or assigning signature authority to safety engineers for all engineering
change orders and drawings.
Once controls are in place, a method needs to be used to verify that the controls actually control
the hazards or mitigate the risks to an acceptable level. Verification of hazard controls is usually
accomplished through the company or engineering management structure. The most frequent
means is inspection. However, as we all know, inspection is also one of the most expensive ways
to assure that controls are in place. An effective method of hazard control verification is the use
of a closed-loop tracking and resolution process.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
1.14 Risk acceptance
Safety is only as important as management wants to make it. At this point in the safety process
this becomes obvious. After the system has been studied and hazards identified, then analyzed
and evaluated with controls in place, management must make the formal decisions of which risks
they are willing to take and which ones they will not take. At this point a good cost-benefit
analysis will help management make that decision. Sometimes this is not easy.
Part of the risk acceptance process is a methodical decision-making approach. If the risks are not
acceptable, then the system must be modified and the hazard identification process must be
followed once again. If the risks are acceptable, then good documentation with written rationale
is imperative to protect against liability claims.
Probably one of the key points of the system safety process is that it is a closed-loop system.
This means that the engineering and management organizations periodically review the safety
program, engineering processes, management organizations, and product field use. The
American automobile industry has lost billions of dollars in automobile recalls due to safety
problems, some of which possibly could have been avoided by periodic review of product use.
Reference:
Nicholas J. Bahr. 1997. System Safety Engineering and Risk Assessment: A Practical Approach. Washington, DC:
Taylor & Francis.
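The closed-loop tracking and resolution process of sections 1.13 and 1.14 reduces to a small state check per hazard: is a control assigned, has it been verified, has management made its risk decision, and is an accepted risk documented with written rationale. The register below is an added example for these notes, not from Bahr's book; its entries and status strings are constructed, and the control examples are borrowed from section 1.13.

```python
"""Closed-loop hazard tracking and resolution (sections 1.13 and 1.14).
Added example; the register entries and status labels are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Control:
    description: str
    kind: str                 # "engineering" (hardware change) or "management" (organizational)
    verified: bool = False    # e.g., confirmed in place by inspection

    def __post_init__(self) -> None:
        if self.kind not in ("engineering", "management"):
            raise ValueError(f"unknown control kind: {self.kind}")


@dataclass
class TrackedHazard:
    name: str
    controls: list[Control] = field(default_factory=list)
    risk_acceptable: Optional[bool] = None   # management's decision; None = not yet made
    acceptance_rationale: str = ""           # written justification for an accepted risk


def status(h: TrackedHazard) -> str:
    """Where this hazard sits in the loop.  Anything but 'closed' is an open item."""
    if not h.controls:
        return "open: no control assigned"
    unverified = [c.description for c in h.controls if not c.verified]
    if unverified:
        return "open: control not verified (" + "; ".join(unverified) + ")"
    if h.risk_acceptable is None:
        return "open: awaiting management risk decision"
    if h.risk_acceptable is False:
        # Rejected residual risk: modify the system and repeat hazard identification.
        return "reanalyze: risk rejected, modify system and repeat hazard identification"
    if not h.acceptance_rationale.strip():
        # Accepted, but without the documentation the text calls imperative.
        return "open: risk accepted without written rationale"
    return "closed"


def open_items(register: list[TrackedHazard]) -> list[tuple[str, str]]:
    """Every hazard whose loop is not yet closed, with the reason."""
    return [(h.name, status(h)) for h in register if status(h) != "closed"]


def loop_is_closed(register: list[TrackedHazard]) -> bool:
    return not open_items(register)


# Constructed register for a small process plant.
REGISTER = [
    TrackedHazard("oxygen system over-pressurization",
                  [Control("relief valve added to 2,000-psi oxygen line", "engineering", verified=True)],
                  risk_acceptable=True,
                  acceptance_rationale="residual risk minor; relief valve tested at commissioning"),
    TrackedHazard("oil storage tank spill",
                  [Control("berm around tank", "engineering", verified=False)]),
    TrackedHazard("unreviewed plant modification",
                  [Control("middle-management review of all modifications", "management", verified=True)],
                  risk_acceptable=True),          # accepted, but nobody wrote down why
    TrackedHazard("switch arcing in explosive atmosphere",
                  [Control("hermetically sealed switches", "engineering", verified=True)],
                  risk_acceptable=False),
]

if __name__ == "__main__":
    for name, state in open_items(REGISTER):
        print(f"{name}: {state}")
    print("loop closed:", loop_is_closed(REGISTER))
```

Run periodically, open_items is the review the text asks for: it surfaces controls that were specified but never verified, risks that management has not yet ruled on, and acceptances that lack the written rationale needed later against a liability claim.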
Quiz:
1. Functioning relief valves in a pressure system can prevent an accident at which of the following
stages? Answer: C
   A. Hazardous condition
   B. Initiating event
   C. Propagation
   D. Accident
2. The risk of the system is relative to: Answer: C
   A. Frequency of events
   B. Magnitude of the consequence
   C. Both A and B