•Ch-1 (System Safety: An Overview) and •Ch-2 (System Safety Concepts)
• ______ (e.g. operating restrictions, system performance, operational schedules, downtime, and actual dollars) are all elements of a ___________ operation which must be considered when determining validity of implementing any new compliance controls. • Proper utilization of system safety engineering has proven to be an excellent tool for ___________ value of such controls with regard to actual savings and reduction of risk.
Costs successful evaluating
• MIL-STD-882 represents a qualitative judgment on relative likelihood of occurrence of a mishap caused by uncorrected or uncontrolled _________. • When using severity and probability techniques simultaneously, hazards can be examined, qualified, addressed, and resolved based upon hazard severity of a potential outcome and likelihood that such an outcome will occur. • If evaluation of a potential for mishap reveals a Category-I occurrence (catastrophic) with a Level-A probability (frequent), system safety effort would undoubtedly require elimination of the hazard through design or provide for implementation of redundant hazard controls prior to system or project activation.
Hazard
• 5) _______ Acceptance: When operating in compliance with minimum standards established by applicable safety and health regulations, there may still be some level of residual risk which must inevitably be accepted. • How much risk is accepted or not accepted is a management decision.
Risk
• In occupational safety, ever-present requirement to achieve ___% compliance with written codes, rules, regulations, or established operating procedures is a challenge. • However, 100% "compliance" usually means a system has met only ___________ safety requirements.
100% minimum
• 4 pillars (PRAP) of a SMS (Safety Management System) program: 1) Safety Policy; is a recognized, written statement of its commitment to protect the health and safety of the employees, as well as the surrounding community. 2) Safety Risk Management; the identification, analysis and elimination (and/or mitigation to an acceptable or tolerable level) of the hazards, as well as the subsequent risks, that threaten the viability of an organisation. 3) Safety Assurance; includes systematic and ongoing monitoring and recording of your safety performance, as well as evaluating your safety management processes and practices. 4) Safety Promotion; is a set of means, processes and procedures that are used to develop, sustain and improve aviation safety through awareness raising and changing behaviours.
4 Pillars of SMS
• An aircraft collision in midair would unarguably be classified as a Category-I mishap (catastrophic), but hazard probability would fall into Level-__ (_______) classification based upon statistical history of midair collision occurrence. • System safety effort in this case would require specific, but relatively _________ controls to prevent such an occurrence.
D (Remote) minimal
• ________ gray, __________ gray, _______ gray, and _________ shade scheme for black and white print has been applied for hazard. Color can be used too.
Dark Medium Light White
• E.g. X-rays, radiation therapy against known risks of human exposure to radiation. • Need to ensure optimum safety in a given system, industry, or process is absolutely essential. • __________ _______, if done to excess, can cause severe renal problems (water poisoning). • Safety becomes a function of situation in which it is measured.
Drinking water
• A facility for production of school desks will require several coats of lacquer to be applied to each desk surface. An enamel-based paint will also be used on the under-structure of each desk. Facility has only one small open-faced paint booth. Ventilation will be provided and operator will be supplied with respiratory protection in the form of disposable respirators. • However, during design phase, a system safety evaluation required identification of hazards including materials/chemicals planned to be used. • Analysis reveals that designated lacquer to be used contains an isocyanate derivative, which is extremely hazardous and will require an expensive supplied-air respiratory protection system.
Example-System Safety Precedence
Hazard: A condition or situation which exists within working environment capable of causing harm, injury, and/or damage. Risk: likelihood or possibility of hazard consequences in terms of severity and probability. Hazard __________: A categorical description of hazard level based upon real or perceived potential for causing harm, injury, and/or damage. Hazard ____________: likelihood that a condition or set of conditions will exist in a given situation or operating environment. ________: An occurrence which results in injury, damage, or both. ______ ______: An occurrence which could have resulted in injury, damage, or both, but did not.
Hazard Severity Hazard Probability Mishap near-miss
• Instead of making changes as a result of operational experience with a system, system safety attempts to identify potential hazards before the system is designed, to define and incorporate safety design criteria, and to build safety into design before the system becomes operational. • Although standards are used in system safety, they usually are "process standards" rather than "product standards". • In 2011, a new American National Standards Institute/American Society of Safety Engineers (ANSI/ASSE) standard was developed, titled 'Prevention Through Design (PtD): Guidelines for Addressing Occupational Hazards and Risks in Design and Redesign Processes (ANSI/ASSE Z590.3-2011)'.
Industrial Safety and System Safety
• ___________/____________ safety focused primarily on controlling injuries to employees on the job. • Industrial safety engineer deals with a fixed manufacturing _______ and ________ that have existed for a long time, many of which are accepted as necessary for operations. • They collect data during operational life of system and eliminate or control unacceptable hazards where possible or practical.
Industrial/Occupational design and hazards
Concept of "______" as relevant losses include: • Injury to nonemployees; • Damage to equipment, property, or environment; • Loss of mission.
Loss
1) Design for ______________ Risk: from _________ stages of product or system design, it should be designed for ___________ of hazards, if possible. • In reality this is not always __________ or feasible. • If an identified hazard cannot be eliminated, then risk associated with it should be reduced to an acceptable level of hazard probability through design selection.
Minimum First Elimination practical
• ___________ Intercontinental Ballistic Missile (ICBM) was one of first systems to have had a formal and defined system safety program. • In July of _____, US Department of Defense (DOD) published MIL-STD-882: "..........."
Minuteman 1969 "System Safety Program Requirements".
1) Management commitment and responsibility: safety policy 2) Safety accountabilities: • Responsibilities of managers and employees at different levels in the organization, with coverage of operationally critical areas when principal office holders are absent. 3) Coordination of emergency response planning: • Emergency Response Program (ERP) includes contingency plans for when an emergency situation arises, and a business continuity contingency plan. 4) SMS Documentation: • Activities must be documented appropriately and be available to all employees.
Pillar-1: Safety Policy and Objectives
1) Hazard identification: • Typically based on a combination of reactive, proactive, and predictive safety management methods. 2) Risk assessment and mitigation: • Individual hazards are analyzed; their consequences are assessed and communicated throughout the organization. • Mitigation actions must be developed for those hazards presenting unacceptable operational risk.
Pillar-2: Safety Risk Management (SRM)
1) Safety performance monitoring and measurement: • Assessing the health of the organization, with an emphasis on safety, and specific goals for improvements. • Monitoring of external sources, including participation in regional safety groups or safety data sharing organizations. 2) Management of Change (MOC): • Manage organizational responses to regulatory changes, operational procedures or new activities. • Safety reporting systems should have processes established to identify new risks and actively monitor performance in new areas of the operation. 3) Continuous improvement of the SMS program: • Safety assurance utilizes quality tools (e.g. internal evaluations or independent audits) to assess organizational health. • Onsite assessments of operational management systems on a recurring basis provide opportunities for continuous improvement of processes and procedures for each functional area.
Pillar-3: Safety Assurance
1) Training and education: • Address safety responsibilities, including complying with all operating and safety procedures, recognizing and reporting hazards. 2) Safety communication: • Continuous improvement and learning are accomplished through the sharing of lessons learned (feedback) from investigations, hazard report analysis, and operational safety assessments.
Pillar-4: Safety Promotion
Develop _________ and ________: Where it is impractical to eliminate hazards through design selection or adequately reduce associated risk with safety warning devices, administrative controls (e.g. procedures and training) should be used to advise personnel how to safely operate the hazardous system. • Procedures may include use of PPE as a means of protecting personnel from a hazardous condition. • Certain hazardous tasks and activities may be deemed critical and might require personnel to be certified as proficient. • Without special consideration, no warning, caution, or other form of written advisory should be used as the only method of risk reduction for Category-I or Category-II hazards.
Procedures and Training
• Preliminary Hazard Analysis (PHA) • System Hazard Analysis (SHA) • Subsystem Hazard Analysis (SSHA) • Operating & Support Hazard Analysis (O&SHA) • Failure Mode and Effect Analysis (FMEA) • Fault Tree Analysis (FTA) • Fault (Functional) Hazard Analysis (FHA) • Management Oversight and Risk Tree (MORT) • Energy Trace and Barrier Analysis (ETBA) • Sneak Circuit Analysis (SCA) • Software Hazard Analysis (SWHA) • Common Cause Failure Analysis (CCFA) • Cause and Effect Analysis (CEA) • Event Tree Analysis (ETA) • Hazard and Operability Studies • Random Number Simulation Analysis (RNSA) • Health Hazard Analysis (HHA)
Risk Assessment Techniques
2) Incorporate __________ Devices: If identified hazards cannot be effectively eliminated, that risk should be reduced through use of engineering controls and safety devices. • These include fixed, automatic, or other protective safety design and hazard limitation/control features or devices. • Also, provisions should be made for periodic functional checks and maintenance of any safety devices. • 3) Provide __________ Devices: When neither design nor safety devices/engineering controls can effectively eliminate identified hazards or reduce associated risk, devices should be employed to detect the condition and produce an adequate warning signal to alert personnel. • Warning signals and their application should be designed to minimize probability of personnel reacting incorrectly to signals and should be standardized within similar types of systems to avoid further confusion.
Safety Warning
________: A combination of people, procedures, facility, and/or equipment all functioning within a given or specified working environment to accomplish a specific task or set of tasks. _______: A measure of degree of freedom from risk or conditions that can cause death, physical harm, or equipment/property damage. System Safety _____________: An ordered listing of preferred methods of eliminating or controlling hazards (MIL-STD-882).
System Safety Precedence
• Outcome of that decision will be affected by numerous inputs and considerations, not least of which is cost. • It reflects an obvious interaction of both engineering and management considerations to bring about an optimal resolution of risk. • Final acceptance or rejection of residual risk becomes a decision of the managing activity. • Utilization of the system safety order of precedence allows management more choices in management of risk associated with their operations. • Proper consideration of the system safety analysis process provides management a choice of hazard-control/risk-reduction techniques.
System Safety Criteria System Safety Precedence
• A working environment where people, operating procedures, equipment/hardware, and facilities (PPFE) are all integral factors. • Each of these elements themselves might also impose some degree of risk or hazard to people or equipment during performance of a task. • People can be hazardous to themselves or others in an industrial or technological working environment. • Inattention, lack of proper or adequate training, horseplay, fatigue, stress as well as substance abuse, personal problems (marriage, financial etc.) are all "human" factors that interfere with optimum or desirable human work performance.
System Safety Process
_________ ________: applies scientific, engineering and management principles to ensure adequate safety, timely identification of hazard risk, and initiation of actions to prevent or control those hazards throughout the life cycle and within constraints of operational effectiveness, time, and cost. • System safety uses systems theory and systems engineering approaches to prevent foreseeable accident events and to minimize the result of unforeseen events. • The term safety is relative.
System safety
• With increase in size and cost of plant equipment, changes and retrofits to increase safety are costly and may require discontinuing operations for a period of time. • ___________ _______ is concerned primarily with new systems.
System safety
• In the US, Occupational Safety and Health Administration (OSHA) claims that occupational injuries and fatalities have ________ between 60% to 65% during the __-year period of its existence between 1971 and 2011. • While such a statistic is certainly laudable, it also tells us that between 30% and 35% of workers in the US are still suffering occupational injuries or fatalities. • Employers must do more. • Efforts associated with system safety attempt to exceed these minimum compliance standards and provide the _______ level of safety (i.e. lowest level of acceptable risk) achievable for a given system.
decreased highest
• Certain __________/_____ can present hazards, even if operating as intended (pressure systems, nuclear reactors, powder-actuated hand tools etc). • Inadequately written or faulty operating instructions and _____________ can cause hazards to operational or task flow. • Hazards must be either eliminated or controlled to an __________ level of risk in order to accomplish goal of relocating hazardous chemicals. • System safety process will identify any ___________ actions which must be implemented before task is permitted to proceed.
equipment/tools procedures acceptable corrective action
• A ________ __________ is involved in relocating several drums of a highly volatile, flammable solvent from one location of a plant to another. • Operator, his/her training, and level of experience. • Forklift and other associated equipment (drum handling attachment, securing devices etc.) must also be evaluated as potential sources of operational failure. • Facility in which drums are located should be designed to store such commodities. • Fire suppression equipment must be evaluated for adequacy. • Normal operating procedures as well as emergency/spill control requirements should be examined for proper considerations/controls.
forklift operator
• However, since some risk of hazard or accident exists even when certain systems or tasks operate as intended and designed (pressure systems, foundry operations, oil refinement etc.), total ________ level must be evaluated, and not just that associated with system or subsystem failures. • System safety effort would not be complete if all elements of __________ integrity are not evaluated.
hazard operational
• E.g. OSHA requires that __________ guarding be employed to protect operators of machines from hazards created by the machining point of operation and/or other hazards associated with machine _________ [OSHA 29 CFR §1910.212(a)(1)]. • While no system can be considered 100% _________, system safety is an attempt to get as close as practical to this goal.
machine operation reliable
• However, the Challenger disaster in January, 1986 and loss of the orbiter Columbia upon reentry in February, 2003 remind us that proper ______________ of that system is still one of the most important elements of success. • Programs pioneered by _________ and ________ were adopted by industry in nuclear power, refining, mass transportation, chemicals, healthcare, and computer programming. • With introduction of the system safety discipline, the fly-fix-fly approach to systems was transformed into the "identify, analyze, and eliminate" method of system safety assurance.
management military and NASA
• A _______ collision between ____ automobiles in a congested parking lot might be classified as a Category-IV mishap (negligible) with a hazard probability of Level-A (frequent) or Level-B (probable). • Effort here would focus on implementing low-cost, _______ __________ because of the high probability of occurrence. • Signs indicating right-of-way, wide parking spaces, low speed limits, placement of speed bumps, and so on, are some examples of such ________.
minor Two effective controls controls.
• System safety concept is traced to the _________ __________ industry of the late 1940s. • By the late 19__s to early 19___s, it was used by aviation and aerospace communities. • Prior to the 1940s, a ______-and-_____ method of safe design was relied on, when system complexity was simple.
missile production 1950 and 1960 trial-and-error method
• No drill press could be operated, forklift driven, petroleum refined, dinner cooked, microwave used, water boiled etc. without some __________ risk. • There is a risk trade-off between known benefits of improved medical diagnosis and treatment which result from use of radiation.
operating
• Order of ______________ consists of 5 basic steps (MIL-STD-882): 1) Design for minimum risk 2) Incorporate safety devices 3) Provide warning devices 4) Develop procedures and training 5) Acceptance of residual/remaining risk
precedence
• They present an acceptable level of ____. • System safety is concerned with aspect of reducing risk(s) associated with a hazard to its lowest acceptable level. • No ________ could fly, no automobile could move, and no ship could be put out to sea if all hazards and all risk had to be completely eliminated first.
risk aircraft
• Most safety managers focus on ____ management and safety assurance. They _________ Safety Policy and Safety Promotion. • They are not alone. • When the safety program has matured, spend adequate time on the Safety ______ and Safety Promotion _________.
risk neglect Policy and components
• MIL-STD-882 establishes system safety criteria to determine hazard ________, initially established for DOD. • Hazard severity categories provide a qualitative indication of relative severity of possible consequences of hazardous condition(s). • Criticality of addressing a Category-___ (catastrophic) hazard is much more important than a Category-__ (negligible) hazard.
severity, 1 and IV
• These became the catalyst for development of __________ ____________, out of which grew the concept of system safety. • System: Need to anticipate and fix problems before they occurred—a consideration of design as a "system." • The early years of space launch programs provide catastrophic examples of failures.
systems engineering
• Elements of _________ ____________ process where safety comprises only one part of this integrated engineering design approach. • _________ ____________ with element of systems safety engineering process—design aspect—can support identification of hazards in earliest phases of a project life cycle.
systems engineering Systems approach
• E.g. "fly-fix-fly" (safety-by-accident, after-the-fact design): an aircraft was designed based upon existing or known _________. • It was then flown low and _____, until problems developed or it crashed. • As systems grew more complex (e.g. __________ and maneuverability), the "fly-fix-fly" philosophy was no longer feasible due to devastating results.
technology slow airspeed
• An extreme/severe hazard risk may be _________ if it can be demonstrated that its occurrence is highly improbable; whereas a probable hazard may be tolerable if it can be demonstrated that result of occurrence would be extremely mild. • Probability of a ________ _____ is inversely proportional to its severity. • Adequate identification and control of hazards in early stages of a product's life cycle will dictate nature and extent of such standard industrial tasks as _________ ___________, preventative maintenance, procedure development, purchasing requirements, engineering approaches, and product design criteria.
tolerable hazard risk personnel training
• Emphasis is placed on _________ employees following work rules specified in manuals, directives, and operating instructions within this environment rather than on removing hazards. • When accidents occur, they are investigated and action is taken to ________ likelihood of recurrence—either by changing the plant or by changing employee work rules and training. • Standards are enforced by government through occupational safety and health legislation.
training Reduce
• Any system containing some degree of risk is considered _______. • E.g. safety razors or safety matches are not entirely safe, only _____ than their alternatives.
unsafe safer
• By establishing an alphanumeric _________ __________ for risk occurrence in each severity category and level of probability, one can further classify and assess risk by degree of acceptance. • The matrix can be adjusted and modified to meet objectives of any given enterprise or operational parameters. • __ categories of severity and __ categories of probability is often referred to as a "4 × 5 Risk Matrix". • Organizations may add a 5th severity value, e.g. "____________" or "slight" or "no loss." Then it would be referred to as a "5 × 5 Risk Matrix." • Exact parameters and/or categories assigned are not concrete.
weighting system 4 and 5 insignificant