Session Sixteen

Safety and Health
For
Engineers
Roger L. Brauer
Safety and Health/MA/May'14
Session #16
20 May 2014
Agenda
Human Behavior & Performance in Safety
System Safety
The Human Behavior & Performance in Safety
Theories of Behavior
There are many theories of behaviors. Some are descriptive theories that
allow some characterization or classification of a person after observing that
persons behavior. Some theories are predictive: they attempt to predict what a
person will do given information about their past, their surroundings, or internal
attributes. The information is obtained by introspective, subjective, or objective
means.
Early theorists believe that behavior had biological origins. Theories related
observable behavior to such things as instincts, habits, and conditioned reflexes
fromrepeated stimuli. Later, other theorists looked to underlying elements within a
individual that were not accessible through introspection by the individual. Others
looked to many factor that together cause behavior: inherited traits and
characteristics and environmental factors that lead to a persons behavior. The
inherited traits may be both physiological an psychological. The environmental
factors may be an accumulation of experiences and particular situations or
conditions surrounding one at any moment.
Human Behavior
Human behavior is very complex and it is not fully predictable. Often, behaviors
contribute to accidents. Behavior is affected by many things, including physiological
conditions, biochemistry, health, relationship with others, personal desires and goals
and so forth (see Table performance Shaping Factors).
Human Behavior..continued
Motivation
Motivation is that part of psychology that deals with getting someone to perform
desired behaviors or actions. Motivation involves content and process theories.
Content looks at the characteristics of an individual or his/her environment that
stimulate performances or action and at what variables influence desired actions.
Process looks at the linkages between content andspecific actions and addresses
the question of how to tap needs and outcomes to achieve desired actions.
Although no theory of motivations is fully supported by research studies, some
provide a framework for working with people toward desired actions and
performance. A fewtheories are summarizedinthis section.
Herzberg
Herzbergs theory is a content theory that looks at work outcomes rather
than needs. He proposed two types of outcomes that affect behavior:
intrinsic factors and extrinsic factors. Intrinsic factors involve the work itself
and recognition of ones work. Extrinsic factors include rewards associated
with the work, such as pay, relations with co-workers and superiors, and
working conditions. Whereas Herzberg believed that only attainment of
intrinsic factors can sustain motivation toward organization goals, research
suggests that both are important and there are significant differences among
people in their preference for outcomes.
Maslow
Maslowdeveloped a hierarchyof needs that has been quite popular. His
theoryis a content theory that looks within an individual for variables
that effect desiredperformance. His hierarchy consisted of five classes
of needs. he thought that the needs at the base of the hierarchy had to be
satisfiedfirst, before higher ones were very meaningful. Higher ones
became more important as lower ones were satisfied. His five classes of
needs inascendingorder are:
1. Physiological needs, suchas hunger and thirst
2. Safetyneeds (primary body needs)
3. Social needs, suchas friendshipand affiliation
4. Esteem, includingself-esteemand the esteemof others
5. self-actualization, suchas reachingones potential
Research suggest that basic needs do not diminish as they are
satisfied.
Vroom
Vroom addressed the motivation process. In his expectancy theory, there
are three concepts. The first is the attractiveness of outcomes (valence of
outcome). The theory does not concern itself with which outcomes. The
second concept is the belief a person has about the link between an action
and the outcome (instrumentality perceptions). For example, one may feel
that achieving some performance deserve a raise. The third concept is a
persons belief about the effort required in an activity and the likelihood of
successful completion of the activity (expectancy perceptions). In summary,
Vrooms expectancy theory states that when a persons expectancy
perceptions for an activity are high and instrumentality perceptions
linking the activity to attractive outcomes are high, the person will be highly
motivated to engage in the activity. Related studies suggest that
desired behavior is most often achieved if rewards are given every time
the behavior is achieved, rather than occasionally. It is also important to
state clearlythe linkage between behavior and reward.
The implication of Vrooms theory and related work is that people can be
motivated to perform when there are clearly defined linkages between
behaviors, and rewards, the linkages are implemented consistently, and
rewards are given regularly when a desired behavior is achieved.
J udgment
One definition for judgment is deciding or discriminating. It is the operations of the mind
in which one compares information, evaluates values and formulates a decision, or
reaches a conclusion. The decision or conclusion may be expressed verbally or may
result in an action. Formulating judgments reaching decisions can be deliberate or can
extend over time. One may rely on information available from memory or drawn from
careful compilationfromvarious sources.
People differ in their ability to make judgments. Quick judgments and decision may be
critical. In making quick decisions, one relies heavily on previous knowledge and
experience available from memory. The action taken as result of a judgment is more
likely to be a desirable action when there is a rich background of knowledge,
experience, and compiledinformation.
Emotion
People are not robots. People have feelings and emotions. Emotions may be
experienced internally or exhibited through actions. Behavioral literature describes many
kinds of emotions, including fear, joy, anger, grief, guilt, pride, love, hate, pity, and
anxiety. Emotions may be generated by situations at home or at work and they may be
associated with other people, with activities, or with conditions. Control of emotions and
acceptable emotional expressions as well as control of the situations that generate them
are very important. Communications and management of interpersonal relations are
means by which emotion-generated situations can be reduced. Emotions can be
disruptiveor facilitating, depending on the situation.
Attitudes, Opinions, and Beliefs
Attitudes, opinions, and beliefs are much the same thing: judgments or sentiments
that the mind forms about something or someone. One also may hold attitudes
about groups of people, social institutions, or issues. Attitudes may be positive or
negative and are usually enduring. Attitudes an individual has can be inferred from
their actions in certain situations and fromverbal statements. Formal assessment
of attitudes involves the use of carefully developed survey instruments. An attitude
survey has many statements about situations or actions with which respondents
agree or disagree. Results provide a picture of individual or group attitudes
situations covered inthe survey.
Attitudes may be related to behavior. For example, one may have attitudes about
another person, such as supervisor. However, attitudes are not always a predictor
of behavior. A personmay knowthe effects of an action are bad, but continue to do
it. Some call this cognitive dissonance. An example is a person who knows that
smokingcanleadto heart and lungdisease, but continues to smoke.
Individual Differences
People are not alike. They differ in shape, size, strength, reaction time, physical
condition, health, and physiological performance. They differ in ability to perform
in actions; in knowledge, skills, and abilities; in the ability to form judgment and
make decisions; in attitudes and beliefs; in emotions; and in social and economics
way.
The differences are not fixed they are variable. Individuals change over time.
Some differences take care of themselves. The heart and respiratory rates are
elevated when people exercise, but after resting, they return to normal. In other
cases, people change through various means. Performance is changed through
training, knowledge is changed through education, and some physical conditions
are changed through medication. The important points are that people differ and
individuals differ over time.
Safe behavior
Previous chapter discussed the idea there are two causes for accidents: unsafe conditions and
unsafe acts. A significant part of the accident formula is unsafe acts. Why do people perform
unsafe acts? How does one prevent unsafe acts fromoccurring? These are behavioral issues.
Understanding human behavior gives clues to managing behavior. The three Es of safety
suggest ideas to prevent unsafe acts. Education, enforcement, and engineering all have a role.
Enthusiasm, a fourth E, has a role, too. Other concepts apply too.
Education
Most behaviors are learned, learning may be informal. Studies suggest that by age
6years, people have acquired half their knowledge and skills. Children learn to walk
and talk by trial and error. They obtain a great deal of reinforcement from those
around them. Higher concepts and abstract learning usually occur in school.
Education and training provide the knowledge and skills people require to act safely.
Toavoid accidents and injuries, one must first recognize dangers in a situation. Not
everyone brings the same knowledge and experience to a situation; not
everyone will recognize or perceive a danger that may be inherently present or may
develop. For example, some workers may not recognize that a guard should be in
place on a machine because they may not have experience with equipment and
maynot recognize a danger or knowwhat protection is appropriate. In another case, a
dangerous situation develops rapidly. A child runs into the street after a ball. A
driver may recognize the danger developing after seeing the ball roll into the
street and the child near the curb. In another situation, the driver may not see a
danger when a child is merely playing near a curb.
Human Behavior and Safety
Enforcement
Enforcement involves formalized rules and procedures and following them.
Compliance can depend on self-discipline but more often, enforcement involves
someone else auditing the actions of others. With enforcement, there may be
some consequence for not acting properly. For example, one company gives
drivers responsibility for their vehicles. Failure to drive properly results in loss of that
job. Unsatisfactory performance of tasks can led to other management-
imposed outcomes both positive and negative.
Engineering
In many cases, engineers can design to prevent certain behaviors from
occurring. They also can design so that certain behaviors are not likely to cause
the performer harm.
Human Behavior and Safety..continued
Communication
Communication is an important part of education. People cannot performcorrectly if they are
not told what dangers to look for, what procedures to follow, or how to act safely.
Communication may involve training classes, supervisors instructions and comments, training
videos and computer programs, published procedures and rules, and warnings and
instructions. They may even involve stimulations. People cannot be expected to decide and act
on their own if they do not have the knowledge, skills, and experience to recognize a
dangerous condition and to knowwhat actions are appropriate as it develops or when it occurs.
Feedback
Knowledge of results -feedback- is an essential ingredient in learning. Correct behavior
must be reinforced, and performance is greatly enhanced by knowledge of results. If
someone does something correctly, they need to know; if they do it incorrectly, they
also need to know. Safe behavior requires feedback on performance. Feedback on
wearing of personal protective equipment -a safe behavior- is important in gaining user
cooperation.
Several methods are used to provide feedback. Feedback may be verbal comments
from someone else or reports of measured results of actions. For example, a report
may contain the number of parts produced, the number of errors, or the accident rate.
Feedbackmaybe awards or rewards.
If individual performances is important, feedback should be givento individuals; if group
performance is important, it should be directed to the group. In some cases, both
individual and group feedbackare needed.
Immediate feedback is generally better than delayed feedback. Actions can be divided
into short increments or small elements, and feedback on these small components is
usually better than feedback on large components. Feedback should be precise. If
there is a particular task or component of a larger action, feedback should reflect
correct or incorrect performance of the individual components. Reinforcement should
be as oftenas practicallypossible.
J obSafetyAnalysis
J ob Safety Analysis (J SA) is one technique to help what behaviors in an operation are
safe and correct. It is a form of task analysis that is sometimes called job hazard
analysis. In the analysis, one breaks down an operation into activities of workers. The
analyst identifies the hazards associated with each activity in the operation, and for
each activity, the analyst describes how to perform the job correctly and safely (see
attachment) People have used a variety of forms for completing a J SA analysis. The
hazard analysis and recommended practices can become part of a user manual,
operationmanual, or trainingprogram.
A J SA can be completed concurrently with other forms of task analysis common to
industrial engineering practice. Such process analyses look at work flow, motion
economy, time for each job element, eye movement, and hand and foot movement. A
J SA should consider abnormal activities and conditions, not just normal, routine
operations. It is often under the unusual situations (when things go wrong) that
accidents and injuries occur. Even activities like cleaning and maintenance are non
routine. People often make the wrong decisions or take the wrong course of action in
adverse situations. As discussed earlier, hazards during non routine, abnormal
operations need to be protectedbydesign.
WORKSHEET
FOR J OB
SAFETY
ANALYSIS
J ob J SA by
Supervisor Date of Analysis Reviewed by
Department Work Group Approved by
Brief description of job, its beginning and end, and desired results
Required or recommended personal protective equipment for all tasks (Special requirements are noted with each
task.)
SEQUENCE OF TASKS OR
STEPS
POTENTIAL HAZARDS AND
INCIDENTS
SAFE J OB PROCEDURES
Risk-TakingBehavior
For many activities, it is obvious that performing an action will not produce an accident
or injury every time. A person will take a chance. For example, one does not get in an
accident everytime one rides a car. Therefore, one mayreason that wearing a seat belt
is not always necessary. Similar reasoning suggests that one can operate a machine
without a guard in pace, because one does not always become injured. People who are
risk takers, are involved in accidents more frequently, and have higher absentee rates
fromwork thanthosewho are not risk takers.
Risk-taking behavior is greater under some circumstances than others. For example,
most people will take greater risks when they have a choice, but are reluctant to take
risks when it is required. Individuals are less likely to take risks when they are anxious
and are more likely to take risks when they understand what is going on. For example,
many people are afraid to undergo surgery. However, the more the individuals knows
about a surgical procedure, the less reluctance there is to undergo the surgery.
Individuals are not willing to take risks when the status quo has strong value. People
are reluctant to change, because there is often a fear of the unknown and they are
satisfiedwith the way the things are.
Risk taking is affected by peoples perception of the risk. There are many things that
affect peoples estimates of risk. They may think that risk is greater than it really is or
less that it really is.
Risk-TakingBehavior..continued
There are differences between group risk-taking behavior and individual risk-taking
behavior. For example, fear tends to trigger group behavior. When fear is aroused,
people choose to be together with others. Conversely, when people are anxious, they
choose to be alone. Examples of groups are family, friends, work groups, command
groups, or groups structuredaround coping with common or sharedstresses or threats.
Groups have informal structures, whereas organizations haveformal structures.
Biorhythms
After the emergence of various behavioral theories, attempts were made to link the
theoretical components to the likelihood or accidents. One concept that has draw
widespread attention is the use of biorhythms to predict the likelihood of accidents or
other undesirable events caused or influenced by behavior or condition. Although some
early studies appear to show that biorhythms affect accidents, more recent studies
havenot been able to suchaffects.
Biorhythms are not to be confused with biological rhythms. The theory of biorhythms
stems from the early nineteenth century and it has so many followers that handheld
biorhythms calculators are easily purchased. The concept suggests three precise, fixed
rhythms that originate at birth and affect events in an individuals life. These three
rhythms have 23-, 28-, and 33-day periods or cycles, receptively. The congruence of
theperiods is saidto affectevents, moods, and actions of a person.
Alcohol and Drugs
Alcohol and drugs do contribute to accidents and injuries. There is a strong
relationship between motor vehicle deaths and alcohol levels of drivers and
betweenfire deaths andbloodalcohol.
Employers face problems of employees drinking on the job or coming to work with
alcohol in their blood. Results of one study indicate that employees who abuse
alcohol are absent 16 times more often than those who do not, receive three
times more sick leave, have four times the accidents, and are five times more
likely to receive workers compensation. Both street drugs and prescription drugs
can increase the likelihood of accidents. When any drug reduces physical or
mental performance, the chances of error, poor judgment, and accidents increase.
Many companies have programs to assist employees with alcohol and drug
problems that affect their work and the loss and claims rates. Some employers
use drug and alcohol screening programs during hiring or employment. For some
jobs that can affect the safety of others, laws may require drug and alcohol
monitoring.
There are many ways to remove or reduce hazards through design. Sometimes
engineers forget to consider user capabilities and limitations, user behavior, and the
use environment. Understanding people and their behavior is an important element of
design. For example, running a pipe along a floor surface creates a tripping hazard. It
does not make any difference that the activity near the pipe is a production activity or
a maintenance and repair activity. The probability for an accident may be lower for
certain activities, because walking near the pipe must avoid falling over it, that is,
special actions to stepover it are required.
Design problems may be even more subtle. A change in surface friction properties
may create a slipping hazard. During initial steps on a surface, a walker gains a feel
for the resistance underfoot. When there is a sudden change in resistance to a
slipperier surface and the walker is not aware of the change, the gait must be
adjusted suddenly fromthe first to the second condition. A failure to adjust can lead to
feet slipping out fromunder the person and a fall. Similarly, a suddenchange to a high
friction surface will require adjustments. Failure to adjust may lead to a fall forward
because the second surface prevents any movement between the shoe and the
surface.
Designing for Human Behavior
Designing for human behavior must anticipate foreseeable activities, and defining
what is foreseeable requires a knowledge of what people do in various circumstances.
It is not enough, for example, to safeguard machines for normal operations or
production use. The designer must protect workers involved in cleaning, setup and
maintenance. In many cases, the designer can reduce hazards by incorporating
features that are less dependent onpeople protectingthemselves.
Designing for people must anticipate a range of ages and capabilities. Will the users
be normal adults? Will the users have disabilities? What might the disabilities be?
Could the users also be children? Will users be large or small? The field of human
factors engineering or ergonomics addresses may of the capabilities and limitations of
people and howto designwith theminmind.
Dealing with the design problems requires analysis to identify the potential behaviors
and errors in behaviors that can lead to accidents and injuries. Techniques to identify
these behaviors include J SA or some derivative of it and testing of designs with users
that adequately represent the population of potential users. Other methods may also
be useful.
Some people have the notion that safety is nothingmore than a lot of common sense.
There are manyproblems with the approachwhen one considers humanbehavior.
What is common sense? The dictionary says it is sound, ordinary sense or good
judgment. Common means a characteristic shared by a group at large, or belonging
or pertaining to the community at large. Sense means sound perception or reasoning
or correct judgment, or the ability to perceive or discern. It infers sensibility or a quick
reactionto actions of objects or others.
The ability to perceive and recognize hazards is important to safety. To take corrective
action, people need an ability to recognize the danger in a rapidly developing
situation. People need skill in making good judgments or decisions about corrective
actions to be safe.
One problem with common sense as a basic premise for safety is that human
capabilities for achieving safe behavior are not universal. Individuals vary in their
training, experience, knowledge, skill, and ability to recognize hazards, to perceive
dangerous situations in a timely manner, to make sound judgments, and to take the
correct protective actionwithout error.
Safety and Common Sense
Safety and Common Sense..continued
Most people would agree that children do not have common sense. When does on
obtain common sense? How can you tell if someone has it?
Leaving safety to common sense suggest that somehow safety in a complex society
will result if people are left to their own devices. Accident are caused. Safety is
achieved by thorough analysis, good design, and solid development of knowledge
and skills through training and management. It is not an innate characteristic common
to society. The desire to be safe is common; the actions required to achieve it are not.
Another aspect of safety related to human behavior is job stress. Physical disorders
that stem from behavioral problems, such as anxiety, fear, and other forms of
psychological stress, are called psychosomatic disorders. The psychological condition
manifests itself inphysical disorders of various kinds.
J ob stress is becoming more important in safety. It seems to increase with the
increase in the number of high-paced, demanding jobs. In addition, more and more
claims for job stress receive workers compensation. J ob stress is common in
managementpositions. However, it occur inmanyother kinds of positions as well.
Various conditions or situations in our lives cause our body to react. A scare causes
the heart rate to increase, blood pressure to rise, and adrenaline to be secreted. Even
sweating may start. J ob situations may produce similar effects in the body. Certain
tasks may be difficult to perform and produce similar reactions. There may be
deadlines to meet, difficult social situations, difficult to handle co-workers, or
presentations to make, all of which may produce similar responses. Continued
stresses and chronically complex and difficult work situations may lead to more
extreme health problems. Researchers identified major events in life that are related
to subsequent illness andassignedweightings to these events..
J ob and Other Stresses
J ob and Other Stresses..continued
Stress may be positive or negative. The bodys reactions to stress help us to
concentrate and perform. Some people do better under pressure. When there is no
opportunity to relax or escape fromthe stress conditions, stress can be negative and
can lead to reduced performance and health problems. The term burnout is closely
associated with prolonged job stress. A number of factors contribute to job stress; not
enough time to complete a job, lack of clear direction and goals, lack of clear
instruction, absence of recognition or reward, lack of opportunity to participate,
responsibility without authority, prejudice and bigotry, poor interaction with others
because of differing goals and values, unpleasant or dangerous work conditions, lack
of control over jobperformance, and jobinsecurity.
There are several techniques people can use to help reduce and manage stress.
First, they must recognize the situations and conditions that lead to stress and they
need to sense the body reactions that are symptoms of job stress. Applying one or
more relaxation techniques can help reduce stress. A deep breath or simple exercises
followed by relaxation can help. Another technique is getting away from certain
difficultsituations. Modifications inlifestyle, suchas exercise, also mayhelp.
Risk Management
Risk and Losses
In life there are events that results in gains or losses for people and organizations. Most
people do not want losses, although they will take a chance at achieving a gain in the face
of some potential loss. Risk involves avoidance of losses and unwanted consequences as
well as probabilityand potential for losses.
Rowe defines risk as the potential for realization of unwanted, negative consequences of an
event. Risk aversion is action taken to control or reduce risk. There are many definition of
risk. For safety and health, a common definition of risk infers a quantitative concepts. Risk
is the product of frequency and severity of potential losses. Frequency is the probability of
occurrence of an event, such as once per week or once per year or once every 100 years.
Severity is the potential loss when an event occurs. The loss may be expressed in human
terms, such as loss of life, serious injury, serious illness, number of cancer cases, and so
forth. The loss may also be expressed in financial terms, like dollars lost, cost to replace
loss equipment, cost of downtime, or cost to replace facilities. Loss may be expressed in
legal terms, suchas claims, lawsuit, and liability.
There are formal methods and risk management methods. Risk assessment and
management applies to general operation of a business ultimately are financial. The idea of
risk for a business has a broad meaning that implies any kind of detriment to a business.
Companies apply risk to financial decisions, security or trade secrets and computer
systems, and other potential losses. Risk also is used in dealing with losses associated with
accidents, human error, and health exposures. It is the latter aspect of risk that this
discussionaddresses.
Risk Management
Risk Management
The Process
Riskmanagement involves five components:
1. Riskidentification
2. Riskanalysis
3. Eliminatingor reducingrisks
4. Financingrisks
5. Administeringthe risk management process
The objectives of risk management can be divided into two groups; pre loss and
post loss objectives. Pre loss objectives address those things that may happen.
Post loss objectives involves application of resources to recover completely and
quicklyfroma loss. See table below, defines pre loss andpost loss objectives.
Risk Management
Risk Management.continued
Pre loss objectives
Economy Minimizing the economic expenditures consistent with post loss goals for
safety programs, risk identification and analysis, insurance premiums, and
so forth
Reduction in anxiety Reducing the fear and worry over potential losses
Meeting externally
imposed obligations
Satisfying safety, health, and environmental regulations; satisfying
employee-benefit plans; acquiring required insurance
Social responsibility Meeting the demands for good citizenship to employees, customers,
suppliers, and the community. Maintaining public image and social
consciousness
Table Risk Management objectives
Risk Management
Risk Management .continued
Post loss objectives
Survival Being able to resume operations after a loss
Continuity of operations To return to or continue full operations following an interruption. Three may
be reduction in earnings. Keeping human and material resources available
Earnings stability Keeping earning stable through continued operations with cost control or
from funds to replace lost earnings
Continued growth Finding ways to expand growth by product development, market expansion,
acquisition, and mergers
Social responsibility Taking care of employees, customers, suppliers, and the public. Maintaining
public relations and public image.
Table Risk Management objectives .continued
Risk Management
RiskIdentification
Risk identification is not an easy task because it is easy to overlook something. It
requires training and experience to see unsafe conditions and foresee unsafe
acts. It is not easy to see how combinations of things and the complexity of
operations, equipment, and facilities canleadto undesirable events.
The goal in risk identification is to reduce uncertainty in describing factors that
contribute to accidents, injuries, illnesses, and death. Risk identification involves
identification of hazards. It improves understanding of risks for particular situations
or groups. Risk identifications is conducted to determine whether and to what
degree effects in one situation apply to another. It involves gathering facts and
data. In risk identification, data are analyzed to determine what components
contribute to a process that produces injury or illness and to establish if data from
particular cases canbe generalized to other situations or populations.
Risk Management
RiskIdentification.continued
There are many techniques for identifying risks. Hazard recognition is an important
element. One approach is drawing in the past knowledge and history of accidents.
Another approach is applying systematic techniques. It may be necessary to use
specialist to help identify risks, because the specialists have unique knowledge and
experience and may recognize some important hazards that others may overlook.
Checklists of hazards and conditions producing hazards can be developed and used
for comparison with the proposed or actual operation, process, equipment, or system.
Sometimes energy and energy release analysis are used to identify what failures in a
system might occur and what the consequences might be. Sometimes analysis of
humanbehavior and underlyingmotivatingfactors helps identifyrisks.
Frequencyand severity data fromaccidents can help identify risks. Areviewof accident
records and classification of accident data can help. Various statistical methods applied
to accident data will help reveal trends in losses and what factors contribute to
accidents and injuries. Analyzing claims, such as worker compensation claims or
customer claims against products, will help isolatefactors associatedwith losses.
Risk Management
RiskAnalysis
Risk analysis is applying qualitative or quantitative techniques to potential risks. It
reduces the uncertainties in measuring risks and usually involves frequency and
severity. Frequency deals with the likelihood that an event will occur or that a hazard
will be present. Severityis the effect of an event when it occurs. It is measuredin death,
injuries, disease or illnesses, or loss of equipment or property. Severity may also be
expresses in financial terms.
Administeringin Process
The final step in risk management is administering the process. Part of administration is
setting levels of risk. A company or organization must decide what level of risk it will
assume and what level it will transfer. Another aspect of administration is assigning
resources to the process. The process may require specialists for risk identification and
analysis and financial specialists to help determine the overall costs, benefits, and most
economical way to finance risks. Administering the process necessitates monitoring
and evaluating if reductions are achieved, if frequency and severity actually resulted as
projected, and if expenditures achieve the benefits that were anticipated. Another
aspect of administering the process is selecting methods to be used and tracking items
analyzed, hazards identified, analysis applied, and decisions made.
System safety is an approach to accident prevention that involves the detection of
deficiencies in system components that have a potential for failure or an accident
potential. System safety is the application of technical and managerial skills to the
systematic, forward-looking identification, and control of hazards throughout the life
cycle of a system, project, program, or activity. In the context, a systemis an itemof
equipment or a process. Examples of complex systems are aircraft, weapons,
productionplants, vehicles, and buildings.
The key element in system safety in hazard analysis. The process identifies,
anticipates, and control hazards. The hazard analysis may consider the entire life
cycle of a system. Many kinds of controls extend fromthe hazard analysis. They may
be engineering controls that modify a system to eliminate or reduce the hazard to
acceptable levels. Controls include management policy and procedures and
identification and implementation of training for system operators, maintainers, and
support staff. Controls may include operating procedures, emergency response, and
other plans and application of many consensus standards and government standards
andregulations for safety.
System Safety
System Safety
General Procedures
OSHAProcess SafetyStandard
The OSHA Process Safety Standard incorporates many system safety concepts.
For example, the standard calls for an experienced team to identify and analyze
hazards (process hazard analysis, or PHA) using one or more of the following
methods:
What-if
Checklist
What-if / checklist
Hazardand OperabilityStudy(HAZOP)
Failure Mode and Effects Analysis (FMEA)
FaultTreeAnalysis
Anappropriate equivalent method
System Safety
General Procedures....continued
The analysis is thenuse to address:
1. The hazards of the process
2. Identification of precious incidents that had a potential for catastrophic
consequences in the workplace
3. Engineeringand administrativecontrols
4. Consequences of failure of engineeringand administrativecontrols
5. Facilitysiting
6. Humanfactors
7. Qualitativeevaluationof possible safetyand healtheffectof control failures
The final step is establishing a system to address the teams findings and
recommendations in a timelymanner through anactionplanand schedule
A process hazards checklist is simply a list of possible problems and areas to be checked. The
list reminds the reviewer or operator of the potential problemareas. A checklist can be used
during the design of a process to identify design hazards, or it can be used before process
operation.
A classic example is an automobile checklist that one might review before driving away
ona vacation. This checklistmight containthe following items:
check oil in engine
Check air pressures in tires
Check fluid level in radiator
Check air filter
Check fluid level in windshield washer tank
Check headlights and taillights
Check exhaust systemfor leaks
Check fluids levels in brake system
Check gasoline level in tank
Checklist for chemical processes can be detailed, involving hundreds or even thousands of
items. But, as illustrated in the vacation example, the effort expended in developing and using
checklists canyield significantresults.
System Safety
Process Hazards Checklist
System Safety
Process Hazards Checklist....continued
Atypical process design safetychecklist is shown in example checklist table Note that
three check off columns are provided. The first column is used to indicate those areas that
have been thoroughly investigated. The second column is used for those items that do not
apply to the particular process. The last column is used to mark those areas requiring
further investigation. Extensive notes on individual areas are kept separate from the
checklist.
The design of the checklist depends on the intent. A checklist intended for use during
the initial design of the process will be considerably different from a checklist used for a
process change. Some companies have checklist for specific pieces of equipment, such as
a heat exchanger or a distillationcolumn.
Checklist should be applied only during the preliminary stages of hazards
identification and should not be used as a replacement for a more complete hazard
identification procedure. Checklists are most effective in identifying hazards arising from
process design, plant layout, storageof chemical, electrical systems, and so forth.
System Safety
General Layout Complete Do Not Comply Further Study
1. Area properly drained
2.
3.
etc
Building Complete Do Not Comply Further Study
1. Adequate ladders, stairway
2.
3.
etc
Table Checklist
System Safety
Process Complete Do Not Comply Further Study
1. Hazardous reaction possible
2.
3.
etc
Pipe Complete Do Not Comply Further Study
1. Safety shower & eye bath
2.
3.
etc
Table Checklist.continued
The HAZOP study is a formal procedure to identify hazards in a chemical process facility. The
procedureis effectivein identifyinghazards and is well acceptedbythe chemical industry.
The basic ides is to let the mind go free in a controlled fashion in order to consider all the
possibleways that process and operational failures canoccur.
Before the HAZOP study is started, detailed information on the process must be
available. This includes up-to-date process flowdiagrams (PFDs), process and instrumentation
diagrams (P&IDs), detailed equipment specifications, material of construction, and mass and
energybalances.
The full HAZOP study requires a committee composed of a cross-section of experienced
plant, laboratory, technical, and safety professionals. One individual must be trained HAZOP
leader and serves as the committee chair. This person leads the discussion and must be
experience with the HAZOP procedure and the chemical process under review. One individual
must also be assigned the task of recording the results, although a number of vendors provide
software to performthis function on a personal computer. The committee meets on a regular
basis for a few hours each time. The meeting duration must be short enough to ensure
continuing interest and input fromall committee members. A large process might take several
months of biweekly meetings to complete the HAZOP study. Obviously, a complete HAZOP
study requires a large investment in time and effort, but the value of the result is well worth the
effort.
System Safety
Hazards and Operability Studies
System Safety
Hazards and Operability Studies....continued
The HAZOP procedure uses the following steps to completean analysis:
1. Begin with a detailed flowsheet. Break the flowsheet into a number of process units.
Thus the reactor area might be one unit, and the storage tank another. Select a unit for
study.
2. Choosea studynode (vessel, line, operatinginstruction)
3. Describe the design intent of the study node. For example, vessel V-1 is designed to
storethe benzene feedstockand provideit on demandto the reactor.
4. Pick a process parameter: flow, level, temperature, pressure, concentration, pH,
viscosity state (solid, liquid, or gas), agitation, volume, reaction, sample, component,
start, stop, stability, power, inert.
5. Apply a guide word to the process parameter to suggest possible deviations. A list of
guide words is shown in Table 10-3. Some of the guide word process parameter
combinations are meaningless, as shown in Tables 10-4 and 10-5for process lines and
vessels.
6. If the deviation is applicable, determine possible causes and note any protective
systems
7. Evaluatethe consequences of the deviation(if any)
8. Recommendaction
9. Recordall information
System Safety
10. Repeat steps 5 through 9 until all applicable guide words have been applied to the
chosenprocess parameter
11. Repeat steps 4 through 10 until all applicable process parameters have been
consideredfor the givenstudynode
12. Repeat steps 2 through 11 until all study node have been considered for the given
sectionand proceedto the next sectionon the flowsheet
The guide word as well as, part of, and other than can sometimes be conceptually
difficult to apply. as well as means that something else happens in addition to the
intended design intention. This could be boiling of liquid, transfer of some additional
component, or the transfer of some fluid somewhere else than expected. part of means
that one of the components is missing or the streamis being preferentially pumped to only
part of the process. Other than applies to situations in which a material is substituted for
the expected material, words sooner than, later than, and where else are
applicableto batchprocessing.
An important part of the HAZOP procedure is the organization required to record and
use the results. There are many methods to accomplish this and most companies
customizetheir approachto fit their particular way of doingthings.
System Safety
Table 10-6 presents one type of basic HAZOP form. The first column, denoted Item,
is used to provide a unique identifier for each case considered. The numbering system
used is a number-letter combination. Thus the designation 1A would designate the first
study node and the first guide word. The second column list the study node considered.
The third column lists the process parameter, and the fourth column lists the deviations or
guide words. The next three columns are the most important results of the analysis. The
first column lists the possible causes. Three causes are determined by the committee and
are based on the specific deviation-guide word combination. The next column lists the
possible consequences of the deviation. The last column lists the action required to prevent
the hazard fromresulting in an accident. Notice that the items listed in these three columns
are numbered consecutively. The last several columns are used to track the work
responsibilityand completionof the work.
Fault Tree Analysis
Fault tree analysis is one systemsafety method often used for complex systems.
Fault tree analysis, which was originated by H.A. Watson at Bell Telephone
Laboratories is 1962, is a boolean logic concept that evaluates events. The procedure
relies on building a tree structureas shown in figure 36-3. At the top is the principal or
top undesired event, which is broken down into contributing factors that are further
subdivided into event causes. Fault tree analysis is a deductive process that moves
fromthe general to the specific. Combinations of events are considered in the causal
chain. Interactions between events and elements of the systemare a vital part of this
method.
Fault tree analysis as applied to system safety relies on preliminary hazard
analyses (PHA) or other analysis techniques to identify major undesirable events.
The tree is developed further from PHA and other analysis. After the tree is
constructed, qualitative, or quantitative analysis is performed. To performquantitative
analysis, a probability must be assigned to each event cause. Today, computer
systems make the procedure of consructing and analyzing fault trees quite easy.
Qualitativeanalysis provides insights into fault paths and critical event causes.
Fault Tree Analysis
Limitations of Fault Tree Analysis
Analysis of a fault tree can be no better than the events identified for it. A major
limitation of fault tree analysis is failure to identiy all the events that may lead to a top
event. Failure to include an event may simply be oversight, but it may be lack of
experience and knowledge of the systemand its behavior or potential behavior. When
a systemis being developed andanalyzed for failures and undesired events, one may
not have insight into the kinds of things that may lead to faults and failures in the
future or may not be experienced with materials and components used and their
potential failure modes.
Another significant difficulty is assigning valid probabilities to event causes.
Although considerable data on equipment performance are available from reliability
engineering and other sources, placing probabilities on human activities with precision
can be quite difficult. Humans may behave very differently under ideal conditions
compared with stressful, boring, or distracting conditions. In addition, different people
may act quite differently under the same conditions. Data banks on human errors
provide reasonable information on simple human errors, but there is little information
for estimatingmistakes on higher-level tasks involvingcognitive functions.
Another limitation on the use of fault tree analysis is cost. Compiling the
knowledge for, constructing the fault tree, and assigning probabilities to tree elements
canbe laborious and costly.
Fault tree analysis uses a particular set of symbols. Figure 36-4 illustrates commonly
usedsymbols. There are some variations insymbologyamongpractitioners.
Fault Tree Analysis
Fault Tree Symbols
Events
There are four kinds of events and symbols.
A fault event, which is represented by a rectangle, is a top or intermediate
event that must be described further in the tree. For quantitive
analysis, a probability for a fault event is computed from
elements below it in the tree.
A basic event is an event for which there will be no further analysis. It is
represented by a circle and it is the terminus of a branch in the fault tree.
Probabilities are assigned to basic events when quantitative analysis is
performed.
Events
An undeveloped event is represented by a diamond and is an event that an
analyst chooses not to analyze. Although it may merit further analysis, an
undeveloped event simply may be a curiosity or may not be critical to the problem
at hand. Probabilities may be assigned to undeveloped events. Sometimes an
undeveloped event of known cause is not developed further, but there is deeper
knowledge about that branch of the tree. In diagraming such undeveloped
events, some people use a double diamond.
A normal event is one that has two states: it occurs or doesnt occur. Normal
events are represented by a house shape and are sometimes called switch
events. In many cases, analysis of a tree should consider normal events in each
of their two states. Frequently, normal events have probabilities of 1.0 or 0.0;
sometimes other probabilities are assigned.
Fault Tree Analysis
Fault Tree Symbols..continued
Logic Gates
Because the elements in a fault tree are related by boolean algebra, symbols are
used to depict the kind of relationship among elements. Basic logic relationships
are OR and AND, and are represented by gate symbols. Both AND and OR gate
symbols have unique shapes.
An OR gate indicates that any one of the input events can cause an output event.
When quantitative analysis is conducted, probabilities for input events attached to
anOR gate are summedto computethe probabilityof the output event.
The other basic logic gates is an AND gate, which indicates that all of the input
events must occur to cause the output event. In quantitative analysis, the
probabilityof an output event is the product of all input events.
Fault Tree Analysis
Special Notations
There are other logical relationships that can occur in a fault tree. Various notations
to ANDand OR symbols indicate that special logical relationships or other symbols
are used. For example, two input events for an OR gate may be mutually
exclusive; that is, one excludes the other from occuring. An exclusive notation
attachedto the OR gate indicates this condition.
There may be a condition in which at least two of three input events are necessary
for an output event to occur at an AND gate. A notation A
i
2 attached to the
ANDgate would note this special condition.
In another situation, one or more input events may have to occur before a third one
has any consequence. This is called a priority modification. A notation C R
1
, R
2
would indicate that input event C is not significant unless input events R
1
and R
2
occur first.
Fault Tree Analysis
Special Notations
Another variation, called a summation gate, is the possibility of having input
events that must have certain levels before the output will occur. A summation
gate may apply to either an OR or AND gate. A summation sign or note with the
gate indicates this special condition.
Sometimes a complex array of conditions determines if an output event will occur
at a gate. An Mnotation on a gate indicates that a complex matrix of conditions
is processedby this gate.
For some events, certain conditions must be present for the input events to be
included in the tree. The input events may inhibit or enable the output event. A
hexagon symbol represents aninhibit gate.
Fault Tree Analysis
Special Notations
When there is not enough space to complete a fault tree, it must be broken into
parts. Discontinuities are represented by a transfer symbol that has the shape of a
triangle. Identifying numbers or letters on both segments of a drawing indicate
where they tie together functionally. A fault tree may have identical branches at
more than one location. A transfer symbol reduces the need to completely
represent the branches at eachlocationinthe tree.
Fault Tree Analysis
Fault Tree Analysis
Events
PrimaryFailures
Primary failures are internal problems with components that make them
inoperative. Repairing a primary failure returns a component to full operation. A
primary failure also is defined as a failure of a component within the design
envelope, such as an inherent characteristics of a component that causes the
component to fail. The primary failure of one component cannot contribute to
primaryfailure inanother component
An event describes any element of a fault tree that represents an
occurrence. Events may be normal events, failures or faults. Failures are attributes of
components that interrupt the function of the component. For example, an electronic
relaythat sticks openis a failure event.
Fault events are events that contribute to component or system faults. A
fault is a condition (not necessarily a failure) of a system, subsystem, or components
that contributes to the possible occurrence of an undesired event. For example, failing
to act in response to a fire alarmis a fault, but a deaf person not being able to hear an
alarmis a failure.
There are four classes of causal events that appear in fault trees. Primary
refers to internal attributes or conditions of components; secondary refers to
somethingoutside a component.
Fault Tree Analysis
Events..continued
SecondaryFailures
Secondary failures are external problems that make components inoperative.
Repairing a secondary failure does not return a component to operation. A
secondary failure is the failure of a component outside the design envelope, such
as environmental conditions that affect a component. A primary or secondary
failure of one component or a group of components can cause a secondary failure
inanother component.
PrimaryFaults
Primary faults are events that are abnormal within an operation. They can lead to
undesiredconditions in a system
SecondaryFaults
Secondary Faults are events causations that are external causations. One formof
secondary fault is a command fault: an inadvertent operation of a component
resulting from failure of a control element. An example is accidentally bumping a
control switchthat energizes a circuit.
Development of a fault tree begins by selecting the top event. Usually the top
event is selected as the most important, most severe or most undesired event. The
system to which the top event applies then is clearly defined and the state of the
systemmust also be specified. Thenone begins to construct the fault tree.
The first tier of events includes those are necessary and sufficient causes for the
top event. Other tiers are added, and then logical relationship among events are
added. It is better to include generic causes at upper levels in a fault tree. This makes
it easier to include detailedfaults and failures in the tree structure.
Constructing a Fault Tree
Fault Tree Analysis
There are several approaches to analyzing a fault tree. Methods involve
quantitativeand qualitative analysis.
QualitativeAnalysis of Fault Trees
Creating a fault tree gives analyst insight into the causes of an undesired event
andto systembehavior. This alone maymakethe exercise worthwhile.
Analyzing a Fault Tree
Fault Tree Analysis
QualitativeAnalysis of Fault Trees (..continued)
The elements of a fault tree can be evaluated to gain further insight into the
causes of a top event. Causes within the tree can be evaluated and judgments
can be made about the likelihood of faults or failures contributing to the top event.
Each event sequence can be looked at, and those that are most likely can be
consideredfirst.
Another approach is to find the most likely sequences by analyzing the gates
using products of input events for AND gates and sums of input events for OR
gates. Products of values less than one are smaller than their sums. With this in
mind, the most likely event sequence often can be identified quickly by tracing
each branch of the tree fromthe top event to the bottomevent. Branches linked
by OR gates typically have high probabilities of occurrence, whereas branches
linkedbyANDgates typicallyhave lowprobabilities of occurrence.
Analyzing a Fault Tree..continued
Fault Tree Analysis
QuantitativeAnalysis of Fault Trees
Quantitative analysis begins at each bottom end of a branch. To perform
quantitative analysis on fault trees, a probability must be assigned to each basis
and normal event. Probabilities of occurrence may also be assigned to each
undevelopedevent.
An algebra is applied to each logic gate to determine the probability of
each intermediate event. Ultimately, the analysis calculates the probability for the
top event. Example 36-1 illustrates the fundamentals of this process for the fault
tree.
Cut Sets
Cut sets are any sequence of events (reading from the bottom of the branch to
the top event) that leads to the occurrence of the top event. Each sequence that
leads to the top event can be analyzed separately and then compared to the
others. The comparison will help identify which sequence is most likely to cause
the top event.
Analyzing a Fault Tree..continued
Example 36-1
Event Probability for Events (Frequency in Days)
D 3.45 x 10
-7
J 6.89 x 10
-4
K 7.33 x 10
-3
L 6.05 x 10
-3
M 1.88 x 10
-4
Whatis the most likelycause for event B?
The probabilityfor event Dis given. The probabilityfor event E is
P(J) x P(K) =(6.89 x 10
-4
)(7.33 x 10
-3
)
=5.05 x 10
-6
The probabilityfor event F is
P(L) x P(M) =(6.05x10
-3
)(1.88x10
-4
)
=1.137 x 10
-6
Event E is the most likely cause. However, event F has a very similar
probability and should be given careful consideration in selecting controls.
System Safety
Failure Mode and Effects Analysis
Failure mode and effects analysis (FMEA) is an inductive procedure that moves from
the specific to the general. Examples of FMEA can be found in the formof diagnostic charts
for automobile or appliance repair. The emphasis is not on events, but on conditions. FMEA
analyzes equipment or components; it relates conditions of components to conditions of the
systemof which they are a part. Failures in components are traced to determine their effects
onthe system. Of greatestinterest are effects that impact safety.
FMEA uses special tables and charts to log data during the analysis. One element of a
typical worksheet is a component description. The worksheet identifies which individual or
combinations of components are analyzed. The worksheet has a column for failure mode.
Additional columns list effects on other components and effects on the system. The
worksheet also contains a column to identifythe hazard category or risk assessment code. It
may also estimate failure frequency and effects probabilities, which may be qualitative or
quantitative. Finally there is usually a column to identify control method, that is, to indicate,
howto preventthe failure or howto protect against its consequences.
In working across the data columns of a FMEA chart, it is important to recognize that
there are many more relationship among data elements than one failure mode for each item,
one cause for each failure, one effect for each cause, and so forth.
From a completed FMEA, a critical item list (CIL) can be developed. This list includes
failures that exceed the acceptable level of risk. The CIL may be used for more detailed
safety analysis. Figure 36-6 is an example of a FMEA worksheet

Session Sixteen

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Session Sixteen

Uploaded by

Copyright:

Available Formats

Safety and Health

You might also like