
System Safety Engineering and Risk Assessment

A Practical Approach

Second Edition

Nicholas J. Bahr

Foreword

The engineering field is now so broad that we can become an expert in only a small part of it. Nevertheless, it is a mistake to restrict our reading to a specialized branch. We can learn much by reading widely and learning how others approach their problems. Safety engineers, in particular, can learn from each other. I have learned much from reading reports of railway and aircraft accidents and risk assessments in the nuclear industry.

Unfortunately, the books on other branches of engineering are often difficult to understand as we lack the specialized knowledge that the authors take for granted. Nicholas Bahr writes with such readers in mind. Even if you do not work in the process industry you can learn from this book how process safety experts identify and assess hazards. Their techniques may be useful elsewhere or they may suggest ways you can improve your own techniques. Similarly, process engineers can learn from others.

The emphasis of the book is on a systems approach, illustrated by case histories. Plants are so complex today that we cannot identify the hazards and operating problems just by looking at a drawing. A structured, systematic approach is essential. However, as the author points out, all a system can do is make sure that the knowledge and experience of the people involved are fully utilized. If they lack knowledge and experience, the system is just an empty shell. Knowledge and experience without a system achieve less than their potential; a system without knowledge and experience achieves nothing. This should be obvious, but is sometimes overlooked in the enthusiasm for downsizing.

The book makes it abundantly clear that safety is not a coat of paint added by a safety expert at the end of design, but an integral part of design. The safety expert can advise, monitor, and assist, but full involvement by the design team is essential. I hope, therefore, that this book will be widely read, not just by safety engineers but by all involved in the design and operation of complex systems. It is well written and easy to read.

Preface to the Second Edition

Among the many objects to which a wise and free people find it necessary to direct their attention, that of providing for their safety seems to be the first. The safety of the people doubtless has relation to a great variety of circumstances and considerations, and consequently affords great latitude to those who wish to define it precisely and comprehensively.

John Jay, Federalist #2, "Concerning Dangers from Foreign Force and Influence," The Federalist Papers, 1787

We all know that safety should be an integral part of the systems that we build and operate. The public demands that it be protected from accidents, yet the two constituencies—industry and government—do not always know how to reach this common goal. The reason I wrote this updated edition is that engineers and managers in companies need a succinct and practical way to effectively design safety into their systems and products within ever-increasing cost and time constraints. Government regulators need to better understand how to oversee those industries in a way that protects the public, spurs innovation, and yet does not negatively impact the economy or competitiveness. This balance is not easy. This book will give both industry and government the practical insight and concrete success stories to make this happen. The purpose of this book is to give engineers and managers, working in companies and governments around the world, a pragmatic and reasonable approach to system safety and risk assessment techniques and to designing viable safety management systems. It is written in easy-to-understand language that gives you the tools to implement tested solutions immediately. You can pick it up and use it at once by following the numerous worked examples taken from real-life engineering problems. There are practical tips and best practices that tell you not only how to prevent accidents but also how to put safety into your systems at a sensible price. There are numerous case studies from real disasters that describe in detail what went wrong and the lessons learned. And there are case studies where safety was done correctly and which serve as best practices.

Because our work is becoming increasingly global, examples and lessons learned are taken from around the world to explain how they are used in industries such as manufacturing, consumer products, chemical process, oil and gas, aviation, mass transit, military and space, and commercial nuclear power. No one country or industry has got it all figured out and there is much to learn from each other. Each chapter also includes Notes from Nick’s File, actual experiences that I’ve lived through in applying the techniques discussed—successes and also my own failures.

Like the first edition, the book is aimed at working engineers who know that they need to build safe systems, but aren’t sure where to start. They don’t want to waste a lot of time sorting through the mountain of safety books that are more theoretical than practical or too narrowly focused. This book is for those looking for a single, comprehensive, but pragmatic reference, not a shelf full. It also makes a good companion text to university engineering design courses and can be the basis of a system safety course.

The first three chapters lay the necessary foundation for understanding the concepts of system safety engineering, risk assessment, and safety management systems and their applications in many different industries. They discuss important definitions and concepts, illustrate their application, and help you understand the system safety process, what constitutes a best-in-class safety management system, and how to actually apply the concepts in reducing real hazards, which will be demonstrated through the tools discussed later in the book. A safety maturity model helps you determine where your company fits on the safety continuum, and lagging and leading safety performance indicators help you measure success and progress. Practical suggestions of where to find good national and international safety standards will make your search for the best standards worldwide easier.

Many books describe safety management systems almost as a laundry list of safety activities, but Chapter 4 gives an easy-to-understand and realistic approach that fits logically together for designing, implementing, and auditing safety management systems. Numerous examples and best practices illustrate what you should and shouldn’t do in designing your safety management system. Safety culture must be embedded into your safety management system and this chapter gives you practical ways to do it.

Chapters 5 through 9 describe the different safety analysis tools available. Hazard Analysis, HAZOP, What-If, Fault Tree Analysis, Failure Modes and Effects Analysis, Human Factors, Software Safety, and other safety tools are described with realistic worked examples. The chapters detail how to use them, give examples, describe common mistakes in using them, and also provide best practices and tips on how to apply them judiciously.

Chapter 10 discusses practical ways to find safety data and gives suggestions for creating your own safety knowledge management system to help you link all this information together. It also explains how to set up a safety training program and gives a sample safety training course outline used in a microprocessor production plant.

Unfortunately, accidents do happen. Chapter 11 helps you understand what to do when you must investigate an accident at your facility. It details how to set up the investigation team, investigate the accident, and document the results, lessons learned, and corrective actions. Companies and governments are learning the hard way the importance of how to communicate an accident to the public. This chapter tells you how to develop a crisis communication plan, common mistakes, and the dos and don’ts of communicating with the public during an accident.

Not enough has been written about how to develop balanced government safety oversight bodies and regulations. Chapter 12 focuses on how to set up a safety regulatory oversight body, its functions, and its governance structure, and how to implement them. Numerous examples from around the world are discussed, and a case study describes how one country developed its first-ever safety oversight body. Another case study covers the U.S. Federal Aviation Administration and explains how it has taken a strong and mature safety oversight program and made it even better by incorporating more advanced system safety techniques.

Chapter 13 describes the power of risk assessments. It discusses how risk is defined and how it is perceived differently. It takes these concepts and details a quantitative risk assessment methodology and explains how to use it appropriately. But results need to be communicated to the public and others the right way. Suggestions for effectively communicating complicated risk information are also given.

Chapter 14 gives a detailed example of conducting a probabilistic risk assessment of launching a payload into space. Accident scenario generation, event trees, consequence determination, and uncertainty are described and worked through. It also discusses how this information can be used to determine safety costs.

The book includes appendices of useful lists to help you apply the system safety engineering and risk assessment tools and safety management system program described in the book. Typical energy sources, generic hazard checklists, and facility safety checklists are included. The final appendix gives you some useful website addresses for more information.

Accident rates are dropping worldwide; companies are more proactive in preventing accidents and disasters; governments seem to be using a more effective safety oversight process. Despite the overall statistics, we are still seeing shocking accidents worldwide. Why?

In the last few decades, we have seen a significant increase in operational complexity—rapid implementation of new and advanced technologies, just-in-time operations, increased complexity of quality assurance, and organizations themselves becoming more complex and global. At the same time, we are seeing much greater interdependencies in our systems, between systems and their operational environments, and these interdependencies are dynamic, not static.

Our companies and governments are creating more international alliances and unfortunately accidents are more transnational than before. Supply chain networks are very complex and business interruptions are less tolerable than earlier. Our global markets seem to be more unstable and very fluid. Corporations are facing not just increased competition from around the world and at home but also tougher internal financial constraints, controls, and oversight. Insurance costs continue to rise and labor movement now happens on a global scale. Natural disasters are a more significant threat than ever before.

On top of all these complexities, companies and governments are also facing a public that is much less tolerant to risk. The public perception of risk to a company’s brand and a government’s reputation has increased significantly in the last 20 years, and many have lost it overnight. It takes a long time to build a strong brand but it can be lost very quickly. It doesn’t take much for the public to quickly lose confidence in a company or government.

We still need to improve how we assess risks and manage their impacts. But we also have to do it in a cost-conscious way, balancing risk management with cost efficiencies—they are not mutually exclusive. Governments must also play a more proactive role in the safety oversight process, but still allow the free market to find their own solutions. Industry and government must work collaboratively to find the best solutions. Hopefully, this book will help take us closer to that goal. And, I also hope that this book demystifies safety from risk, shows its power, and proves that it can even be fun.

Preface to the First Edition

This book came about when I tried to find a comprehensive but inexpensive book that really shows an engineer how to design and build equipment that is safe. I was looking for something that I could give to working engineers who know nothing about safety, but who are asked to build their products safely. I couldn’t find anything that succinctly demonstrates the most important aspects of safety analysis and risk assessment. I wanted something written by an engineer, for engineers. Most books on the market describe what system safety is—not how to apply it.

The purpose of this book is to give engineers a comprehensive, practical guide on how to build safety into their products and industrial processes. It is for those who are concerned about safety but who have no idea where to start, nor wish to spend a lot of precious time trying to find out. This is a book for any engineer who has been told to build safe products and who wants one reference book, not a shelf full, that will show how to apply the concepts immediately, without wasting time on unnecessary things.

This book is very pragmatic—you can pick it up and use it at once by following the numerous worked examples of real-life engineering problems. There are practical tips that tell you how to avoid common mistakes engineers make. Many suggestions explain not only how to prevent disasters, but also how to put safety into your system for a reasonable price.

Most of all, key safety and risk methods are clearly discussed, with useful examples that show an engineer how to apply them to a job. Real-life examples are worked through, explaining why one system is safe and another is not.

Many features of system safety and risk assessment are common to various industrial situations, and one industry can learn from the experience of another. This book crosses various industries so that you can learn the best techniques from the chemical, nuclear, aerospace and military, manufacturing, and mass transit industries.

Though occupational safety has long been taught at universities, system safety is still not an integral part of the college engineering program. This book makes a very good companion text for engineering design courses.

The first three chapters describe why safety is important, what it is, and how different industries use it. Safety and risk concepts are briefly discussed so that the reader has the necessary foundation to understand, and use appropriately, the safety and risk techniques in later chapters.

Chapter 4 illustrates how to implement a cost-effective safety management organization quickly and efficiently. Examples demonstrate what not to do in a safety management program, including how others have failed and the mistakes that engineers typically make. Actual, successful system safety program and audit plans are included. Ideas are given to help you sell safety to your management.

The heart of the book is Chapters 6 through 9, where the best system safety techniques from different industries are presented. Various kinds of hazard analyses are detailed, with actual engineering examples of a laser and a hazardous waste storage facility, demonstrating how to do the analysis.

HAZOP and what-if/safety checklists, two of the most common safety methods in the chemical industry, are explained. Sample process problems, which engineers face every day at work, are shown. Other safety tools, such as fault tree analysis, failure modes and effects analysis, human factors safety analysis, and software safety, are explained. Examples of the use of these tools are also presented.

Chapter 10 provides useful information about how to create and maintain the necessary data management system to keep a system safety program running smoothly. The chapter also shows practical examples and suggests how to set up a safety awareness and training program.

No one likes to deal with accidents, yet they are inevitable. Chapter 11 provides useful information about how to set up your own investigation board, create a closed-loop reporting system, and learn from the accident.

Many engineers are unaware of the power of risk assessment. This is a very cost-effective technique that can not only help you make your system safer, but also help you decide how to allocate resources to do so in the most efficient way possible. Chapter 12 explains what risk assessment is. It discusses how the public perceives risk and offers suggestions about how best to communicate engineering risks to the public.

Chapter 13 details how to conduct a risk evaluation. The necessary models are developed and explained. A risk assessment example of launching a payload into space, describing how to decide which design or operational changes will make the system safe, and which will increase the risk, is given.

At the end of the book, appendices give the reader useful checklists to help in identifying hazards. Typical energy sources, hazard checklists, and facility safety checklists are included. Several Internet sources are listed so that you can get the best, most up-to-date safety and risk information available.

As technological systems become more and more complex, it becomes increasingly difficult to identify safety hazards and control their impact. The cost is measured not only in dollars lost due to accidents, but also in lawsuits by employees injured on the job, degradation of the environment, loss of market share, and even ruined reputations. Engineers are finding that safety and risk touch upon every aspect of the engineering system design, operation, and disposal life cycle.

It is obvious that many of our current system safety techniques have come about as the result of horrendous accidents. A lot of pain, suffering, and economic loss have been endured before we, as a society, decided to take safety more seriously. At the same time, however, through this difficult learning process we have found that making systems safer is not just something we should do because it is ethical and moral, but also because it makes very good business sense.

Engineers are making an honest effort to design, build, and operate their systems safely. Many engineers, however, just don’t have the necessary tools to do the job right. This book demonstrates that the way engineers produce safety in one industry can be used in another with few changes.

It is very important that safety is designed into the system or process. Failure to do so will eventually result in an accident, with the accompanying downtime, lost production, injuries, lawsuits, and possible loss of business.

System safety and risk assessment does not have to be an expensive part of designing and building technological products. If it is done early and efficiently, it will more than pay for itself.

The important point to remember is to take the various system safety tools discussed in this book and apply them as you see fit. The system safety analyses and programs are described and demonstrated in detail so that you can take these well-established methods and tailor them to your needs. What is critical is that the system safety process be comprehensive. It is much better to use a shortened safety analysis than none at all.

This book is intended to be used as a tool by practicing engineers in all disciplines, to help identify, control, and mitigate safety issues before they become serious problems. I also hope it demonstrates that there is absolutely no reason that safety has to be difficult, a problem, or mysterious. In fact, it can even be fun.

Acknowledgments

I thank Bill Crittenden and John Rauscher for their incisive comments and support in developing the HAZOP example. Albert Powell contributed significantly with his ideas for the facility hazard analysis section. Special thanks to Adrian Rad for supplying information for the laser example. Because their examples are so useful, I’ve reproduced them for this edition.

I also thank Mark Davis, Khalil Allen, and Jason Sergent for our numerous discussions and debates about how to best apply system safety. Special thanks to Len Neist for his insights and thoughts on how best to regulate system safety.

And of course a very special thanks to my children, David and Julian, for keeping me on task.

Thanks also to Phillip Johnson for help with graphics and Colin Holmes for the Waterfall Rail Accident photographs.

It is also a pleasure to express gratitude to the fine people at Taylor & Francis Group, for their support and enthusiasm in developing this book.

Author

Nicholas J. Bahr is an internationally recognized expert in system safety, risk assessment, and enterprise risk management systems and has over 25 years of professional experience working around the world. He has set up safety management systems for companies and helped governments improve their safety oversight programs. Over his career, Mr. Bahr has conducted programs for commercial and government clients, detailed technical risk assessments, implemented enterprise risk management business processes, and developed regulatory oversight programs throughout the United States, United Kingdom, Europe, South America, Australia, the Middle East, and North Africa. His diverse experience and background cover many industries including aerospace, utilities, oil and gas, manufacturing, and transportation.

After a high-profile rail accident in Australia, Mr. Bahr was asked to lead an international team conducting a safety management systems audit of both the regulator and the railway. The audit methodology is now considered the new international gold standard for safety management systems. His client engagements range from risk strategy for senior government and commercial executives to detailed risk assessments for front-line management. He has helped CEOs, senior VPs, and senior government officials realize tangible and sustainable benefits from their safety and risk management programs. Mr. Bahr is a past U.S. delegate to various standards-writing bodies. Currently, Mr. Bahr is a principal at Booz Allen Hamilton and is the regional manager for the Middle East and North Africa.

1 Introduction

Better safe than sorry.

Nineteenth-century proverb

The way to be safe is never to be secure.

Thomas Fuller, Gnomologia, 1732

Appearances often are deceiving.

Aesop, The Wolf in Sheep’s Clothing, c. 550 BCE

1.1 WHY DO WE NEED SAFETY ENGINEERING?

It is difficult to go on the Internet, open a newspaper, or turn on the television and not be reminded of how dangerous our world is. Both large-scale natural and man-made disasters seem to occur on an almost daily basis and seemingly never end. An accident at a plant in Bhopal, India, in 1984, killed over 2500 people. A magnitude 9.0 earthquake and resulting tsunami in 2011 triggered a series of fires and explosions at a commercial nuclear power plant in Japan, resulting in three of the six reactors melting down and over 100,000 residents being permanently evacuated.

Though there is a downward trend in fatal accidents in the United States and many other countries, recent high-profile accidents still command headlines worldwide. In 2011, a Chinese high-speed train collided with another, killing 38 people. In the Gulf of Mexico, the oil company at the center of the worst oil spill in history put aside $41 billion in 2010 to pay for damages from the spill. An automobile airbag manufacturing plant exploded, killing one worker, after it had had over 21 fire emergencies in 1 year. Swarms of helicopters with television cameras were drawn to the plant after every call, creating a public relations nightmare and forcing the government to shut down the plant temporarily.

An airliner crashed into an apartment building in downtown São Paulo, Brazil, killing all on board and many in the apartment building. The Air France Concorde went from a 27-year record of zero crashes to a single crash in July 2000, killing 100 passengers and 9 crew members, giving it one of the worst safety records of any aircraft type (due to the low frequency of flights). In June 2009, the new Airbus A330 flying from South America to Europe experienced an aerodynamic stall, caused by inconsistent sensor readings and inadequate pilot response, and crashed into the Atlantic Ocean, killing all 228 on board and resulting in the highest death toll of any aircraft type worldwide. Although it was the first crash while in commercial passenger flight, it was the second fatal accident of the new design. After hitting a flock of geese, a commercial airliner miraculously landed safely, without loss of life, in the Hudson River right off of Manhattan in New York City. The April 2010 crash of the Polish Air Force Tu-154, likely due to human error, killed the sitting president and his wife, the president of the national Polish bank, the chief of the Polish general staff, the deputy foreign minister, 15 members of parliament, and other political notables.

In 1995, the Air Route Traffic Control Center, Fremont, California, lost power, causing radar screens covering Northern California, Western Nevada, and 18 million square miles of Pacific Ocean to go dark for 34 min while 70 planes were in the air, almost resulting in two separate midair collisions. In another incident, a worker in downtown Chicago cut into a cable and brought down the entire Air Route Traffic Control System for thousands of square miles.

But it is not just builders, manufacturers, and operators that significantly impact accident rates—governments do too. An independent U.S. government panel (U.S. Department of Labor, 2012) found that government mine safety regulators and their leadership failed to heed warning signs or to implement and enforce their own safety regulations, which allowed a coal mine to operate unsafely, resulting in 29 deaths from an explosion and fire. A 2005 Special Commission of Inquiry (McInerney, 2005) in Australia found that both the railway operator and the regulator failed to carry out their safety duties adequately. The rail accident that killed seven followed on the heels of a previous rail accident after which government oversight had not been sufficiently strengthened, leading the special commissioner to request the stand-up of an oversight board to ensure that both the rail regulator and the operator implemented safety improvements and strengthened oversight programs.

The commercial nuclear accident in Japan in 2011 followed a much more devastating nuclear power plant accident in Ukraine in 1986; the reactor explosion burned out of control, sending a radioactive cloud over more than 20 countries and severely affecting its immediate neighbors’ livestock and farming. The Ukrainian disaster forced countries to rethink reactor safety. Government regulators worldwide instituted changes to their oversight regimes. But, just as many were starting to feel comfortable with commercial nuclear energy again, in 2011, 2 months after the Fukushima nuclear accident in Japan, Germany announced that it was shutting down all of its nuclear power plants by 2022. Germany gets 25% of its energy from commercial nuclear power plants.

Some of these accidents occurred many years ago. Some of them occurred recently. Many of the accidents crossed international borders and affected millions of people in other countries. Many more did not extend beyond national borders but still affected a great number of people. And some of the accidents did not kill anyone.

We all know how quickly technology is changing; as engineers, it is difficult just to keep up. As technology advances by leaps and bounds, and business competition heats up with the globalization of the economy, turnaround time from product design to market launch is shrinking dramatically. The problem quickly becomes evident: How do we build products with high quality, cheaply, quickly, and still safely? But also, we have to ask, how do governments protect the public and regulate industry without negatively impacting competitiveness or the national economy?
