SYSTEM SAFETY FOR THE 21ST CENTURY SYSTEM SAFETY FOR THE 21ST CENTURY THE UPDATED AND REVISED EDITION OF SYSTEM SAFETY 2000 Richard A. Stephans, PE, CSP ARES Corporation A JOHN WILEY & SONS, INC., PUBLICATION Copyright © 2004 by John Wiley & Sons,Inc.All rights reserved. Published by John Wiley & Sons,Inc.,Hoboken,New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced,stored in a retrieval system,or transmitted in any form or by any means,electronic,mechanical,photocopying,recording,scanning,or otherwise,except as permitted under Section 107 or 108 of the 1976 United States Copyright Act,without either the prior written permission of the Publisher,or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center,Inc.,222 Rosewood Drive,Danvers,MA 01923,978-750-8400,fax 978-646-8600,or on the web at www.copyright.com.Requests to the Publisher for permission should be addressed to the Permissions Department,John Wiley & Sons,Inc.,111 River Street,Hoboken,NJ 07030, (201) 748-6011,fax (201) 748-6008. Limit of Liability/Disclaimer of Warranty:While the publisher and author have used their best efforts in preparing this book,they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages,including but not limited to special,incidental,consequential,or other damages. For general information on our other products and services please contact our Customer Care Department within the U.S.at 877-762-2974,outside the U.S.at 317-572-3993 or fax 317-572-4002. Wiley also publishes its books in a variety of electronic formats.Some content that appears in print,however,may not be available in electronic format. Library of Congress Cataloging-in-Publication Data is available. ISBN 0-471-44454-5 Printed in the United States of America. 10 9 8 7 6 5 4 3 2 1 CONTENTS FOREWORD TO SYSTEM SAFETY FOR THE 21ST CENTURY xi FOREWORD TO SYSTEM SAFETY 2000 xiii PREFACE xv ACKNOWLEDGMENTS FOR SYSTEM SAFETY FOR THE 21ST CENTURY xvii ACKNOWLEDGMENTS FOR SYSTEM SAFETY 2000 xix PART I INTRODUCTION TO SYSTEM SAFETY 1 1. The History of System Safety 3 The 1960s—MIL-STD-882,DOD,and NASA 4 The 1970s—The Management Oversight and Risk Tree 5 The 1980s—Facility System Safety 5 The 1990s—Risk-Based Process System Safety 6 The 2000s—Quest for Intrinsic Safety 7 2. Fundamentals of System Safety 11 Basic Definitions 11 Fundamental Safety Concepts 11 System Safety Fundamentals 15 System Safety Tenets 22 3. Current Approaches to System Safety 25 Department of Defense 25 NASA 31 Facility System Safety 34 The Chemical Industry 37 Department of Energy 39 4. Problem Areas 43 Standardization 44 Risk Assessment Codes 46 Data 47 Communications 47 v vi CONTENTS Life Cycle 48 Education and Training 48 Human Factors 49 Software 49 5. The Future of System Safety 51 More First-Time Safe Systems 51 Cost-Effective Management Tools 51 The New Face of System Safety 52 Proactive or Reactive? 55 PART II SYSTEM SAFETY PROGRAM PLANNING AND MANAGEMENT 57 6. Establishing the Groundwork 59 Generic Model 59 Product Safety 60 Dual Programs 60 Planning and Development Methodology 60 7. Tasks 63 Hazard Identification 64 Hazard Analysis and Control 66 System Safety Support Tasks 69 8. System Safety Products 71 System Safety Program Plan 71 Preliminary Hazard List 73 Preliminary Hazard Analysis 74 Hazard Tracking Log 76 Subsystem Hazard Analysis 77 System Hazard Analysis 80 Operating Hazard Analysis 82 Change Analysis Report 83 Accident Analysis Report 84 9. Program Implementation 87 PART III ANALYTICAL AIDS 103 10. Analytical Trees 105 Purposes 107 Tree Construction 107 Fault Trees Versus Fault Tree Analysis 114 CONTENTS vii 11. Risk Assessment and Risk Acceptance 121 Risk Management Concepts 121 Risk Assessment Shortcomings 129 Total Risk Exposure Codes 130 12. Human Factors 135 Human Reliability 135 Human Error Rates 137 Improving Human Reliability 139 Human Factors for Engineering Design 142 PART IV SYSTEM SAFETY ANALYSIS TECHNIQUES 147 13. Energy Trace and Barrier Analysis 149 Purpose of ETBA 149 Input Requirements 149 General Approach 150 Instructions 150 14. Failure Mode and Effects Analysis 155 Purpose of FMEA 156 Input Requirements 156 General Approach 157 Instructions 157 Appendix:Sample FMEA 160 15. Fault Tree Analysis 169 Purpose of FTA 170 Input Requirements 170 General Approach 171 Instructions 172 Appendix:Sample FTA 181 16. Project Evaluation Tree 189 Purpose of PET 190 Input Requirements 190 General Approach 191 Instructions 192 Appendix:PET User’s Guide 197 viii CONTENTS 17. Change Analysis 211 Purpose 211 Input Requirements 212 General Approach 212 Instructions 213 18. Management Oversight and Risk Tree 217 Purpose of MORT and Mini-MORT 221 Input Requirements 221 General Approach 221 Instructions 229 19. Event and Causal Factors Charts 253 Purpose 253 Input Requirements 254 General Approach 254 Instructions 254 20. Other Analytical Techniques 261 Software Hazard Analysis 261 Common Cause Failure Analysis 262 Sneak Circuit Analysis 262 Extreme Value Projection 264 Time-Loss Analysis 267 Additional Techniques 270 PART V PROCESS SAFETY 275 21. Process Safety Management 277 Introduction 277 Background 277 Future 284 Summary 284 Appendix:List of Highly Hazardous Chemicals,Toxics and Reactives 287 22. EPA’s Equivalent Process Safety Requirements— Risk Management Program (RMP) 291 Background 291 Overall Risk Management Program 292 CONTENTS ix Summary 296 Appendix:Seventy-six Substances Listed Under 40 CFR 68 299 23. Process Safety Implementation 303 Introduction 303 PSM Implementation 303 RMP Implementation 312 Implementation Lessons 314 Summary 315 24. Process Safety Reviews 317 Introduction 317 Mechanics of an Individual Audit 320 Lessons 322 Summary 324 PART VI PROFESSIONALISM AND PROFESSIONAL DEVELOPMENT 327 25. Professionalism and Professional Development 329 Introduction 329 What is Professionalism? 329 Professional Development 332 Accreditation of Certifications 332 Why Become Certified? 334 Summary 337 APPENDICES 339 Appendix I: The Scope and Functions of the Professional Safety Position 339 Appendix II: System Safety Society Fundamental Principles and Canons 345 Appendix III:Professional System Safety and Related Societies and Organizations 351 GLOSSARY 357 REFERENCES 369 INDEX 373 FOREWORD TO SYSTEM SAFETY FOR THE 21ST CENTURY I just heard it again.A colleague of mine said that he has always taken the “systems view” with regard to system safety. I was once again surprised, shocked is probably a better word, that not everyone had that view. It reminded me that there remain varying views of the scope of system safety. The scope of the system safety discipline is broad,just like the industries that use the discipline.The system safety discipline has expanded well beyond the U.S.Department of Defense community and U.S.borders and,as such,its rec- ognized discipline approach and broad scope are becoming better define. The System Safety Society and most system safety professionals take a broad view of the scope of system safety, a “system view.” It considers the system safety discipline as analyzing all safety aspects for any size system (with a product being just a small system) throughout its entire life cycle.It uses a disciplined systems approach to manage safety risk by tapping into the known knowledge bases and using specific tools and techniques for analysis where knowledge bases do not exist or are insufficient for the technologies used in the system.Known knowledge bases include existing safety codes,safety stan- dards,and lessons learned that have been developed in all technology areas. The system safety professional focuses more attention,however,where there are nonexistent or insufficient knowledge bases from which to draw upon.In this case,the system safety professional uses the specific tools and techniques available in the system safety profession to augment the lack of information in existing knowledge bases.The top-level analyses identify where new safety requirements are necessary and where existing safety codes and standards can be used.The system safety discipline bridges the gap when existing knowledge bases are lacking and manages safety risks by identifying hazards from the known knowledge bases and the tools and techniques of this profession. Because the system safety professional focuses more attention where there are no or insufficient knowledge bases, some in industry perceive that the scope of the system safety discipline is just in those areas,where little or no knowledge bases exist.However,the scope of the system safety discipline is much broader and the system safety professional must have a complete under- standing of how to use and apply the existing safety resources,in addition to when to use other system safety analyses to evaluate the entire system throughout its entire life cycle.Some colleagues refer to system safety as the “umbrella”safety,since you must draw upon all safety resources for the tech- xi xii FOREWORD TO SYSTEM SAFETYFOR THE 21ST CENTURY nologies involved in the design.The system safety discipline has an established methodology and unique tools for analysis.It establishes acceptable levels of risk as part of the process and does not necessarily seek zero risk or rely only on checklists or standards. It considers rare events and life-cycle operations and analyzes both normal and abnormal circumstances. The discipline manages for success using training, independent assessments, management commitment, and lessons learned and it plans for failure by establishing emergency response procedures, graceful degradation, surveillance, and maintenance. This system safety discipline is unique because it addresses the safety of an entire system and its operations using existing knowledge bases and, where knowledge bases are insufficient, the tools of this profession. I am of the opinion that the methodology and tools of the system safety discipline should be applied to every system. I believe every company should develop and implement a system safety program that addresses the hazards in its organi- zation,the products it purchases,and the systems that it designs and operates. Only the degree and depth of the system safety program will vary from system to system.As one colleague stated, I wouldn’t spend too much time on the analysis of a paper clip.Using the system safety discipline,I am convinced that a company will apply its resources more effectively and achieve success in its ability to effectively manage safety risks. The second edition of this book not only updates the text with the current information on standards such as MIL-STD-882D,it also adds another impor- tant tool and approach for the system safety engineer:a discussion on process safety in the chemical industry.Dick Stephans provides in-depth information of how to apply the system safety process to this specialized discipline: the users,distributors,or manufacturers of hazardous chemicals and related mate- rials such as flammables and explosives. Historical accidents have demon- strated the need for legislation and specific legislative requirements from the Occupational Safety and Health Administration (OSHA) and the Environ- mental Protection Agency (EPA) are presented along with examples to rein- force understanding.Dick Stephans highlights the value of the system safety philosophy,in this case,to the chemical process standards and the application of methodologies to satisfy those requirements. It is common now to see the application of the system safety approach, tools, and techniques in more and more industries without using the words system safety.This is evident by the more than 100 techniques described in the System Safety Analysis Handbook.While I am thrilled that the philosophy con- tinues to expand,it is important to understand the basis for which most of the techniques are derived to ensure that they are applied appropriately. Past President,System Safety Society (1999–2001) PaigeV.Ripani