Safety analysis in design—Evaluation of a case study


Accid. Anal. & Prev. Vol. 19, No. 4, pp. 305-317, 1987. Printed in Great Britain.
0001-4575/87 $3.00 + .00 © 1987 Pergamon Journals Ltd.

LARS HARMS-RINGDAHL*
Occupational Accident Research Unit, Royal Institute of Technology, S-100 44 Stockholm, Sweden

(Received 18 December 1985; in revised form 13 August 1986)

Abstract: Safety analysis was applied in the design of a section at a paper mill. The case study involved analysis of layout, transport system, machines, and a number of different activities. The purpose of the analysis was to find measures to decrease occupational accidents. Three years after the installation was finished the occurrence of accidents was investigated. There was a 56% decrease in the number of accidents; the number of working days lost due to accidents was diminished by 75% as compared to 4 years preceding. The results of the safety analysis were also evaluated with respect to the accidents which had occurred. The methods for safety analysis seem to have been efficient in identifying hazards. The general conclusion of the study is that safety analysis can be an effective tool to decrease occupational accident risks.

BACKGROUND

The main efforts to prevent occupational accidents are made at existing workplaces, and utilize experiences from accidents which have already occurred. Accident countermeasures can however be difficult to implement for economic reasons and it could be simpler and cheaper to introduce them from the beginning. This is an argument for a better consideration of safety in the design stage.

A general impression from a number of discussions at different companies is that safety is not systematically attended to during the design process. Fang and Harms-Ringdahl [1983] have studied the design of three industrial installations from a safety point of view. The prevention of accidents received only little attention in the design phase and the approach was not systematic. The dominant safety activity was inspection at the site, when the installations were almost finished.

The intention of this study was to demonstrate the possibility of systematically incorporating safety in the design process. Another objective was to develop and test methods for safety analysis used in such activities. The author was actively involved in the design of a part of a paper mill during 1981 and the first quarter of 1982. A part of the factory was constructed with new machines, etc. The new installation was put into operation in May 1982.

A detailed description of the analyses of the different subsystems and of the methods used has been published earlier [Harms-Ringdahl, 1982]. Therefore this paper takes up these parts relatively briefly. The analyzed system has been in operation for more than two years. The occurrence of occupational accidents has been studied. This has given a base for evaluation of the analyses. Two somewhat different approaches for evaluation are discussed.

*Present address: Folksam Insurance Group, Division for Research and Development, Box 20 500, S-104 60 Stockholm.

SAFETY ANALYSIS METHODS

Choice of methods

A large number of safety analysis methods have been developed. For example, Clemens [1982] has reviewed 25 different methods. A choice of appropriate methods must be made. The basic criterion is their applicability for occupational accidents. Some other considerations in the choice of methods are:

1. The whole system (or subsystem) including activities of different kinds should be considered. A systematic way of "going through" the system is needed; the method should facilitate this.
2. A systematic way of identifying the risks.
3. A systematic way of finding improvements.
4. Different types of methods will reveal different types of hazards and system defects, and they also will have varying deficiencies. Thus a set of methods representing complementary principles will be valuable.

Based on these considerations, the following three methods were chosen as suitable for the present application:

(i) job safety analysis
(ii) energy analysis
(iii) deviation analysis.

Often more technically oriented methods for safety analysis are proposed [e.g., Ho, 1976; Health and Safety Executive, 1984]. In this study Fault Tree Analysis and Failure Mode and Effect Analysis were originally considered. But they were found unsuitable in this application and the broader methods mentioned above were preferred.

Job safety analysis

Job safety analysis is designed to analyze rather well-defined jobs in order to identify accident risks for people doing the tasks. The job is divided in subtasks, hazards in the subtasks are identified, and suitable corrective measures are proposed. The method can be used on the tasks of an individual or a group working on a limited part of a production system [McElroy, 1974; Pavlov, 1979; Harms-Ringdahl, 1982; Suokas and Rouhiainen, 1984].

Energy analysis

Energy analysis is based on the principle that injury of a person is caused by an uncontrolled flow of energy. Analysis and control of energy are discussed in many articles and handbooks [e.g., Hammer, 1972 and Johnson, 1980]. Energy analysis can be used both for complex and simple objects.

Deviation analysis

Deviation analysis [Harms-Ringdahl, 1982] is based on the assumption that accidents often are preceded by deviations from the normal and planned functions in a system. It is supposed that accident risks can be decreased, if the deviations can be eliminated or controlled. The concept of deviations is used in other safety analysis methods, such as Change Analysis [Bullock, 1981] and Hazard and Operability Studies [CISHC, 1977], as well as in accident investigations and theories [Kjellén, 1984].

In deviation analysis a comprehensive view of the production system is essential. Deviations are considered for technical, individual, and organizational functions. The object of the analysis is the functions of the system and activities involved. Deviation analysis can thus be said to represent a dynamic view of the man-machine system. In short, the steps of a deviation analysis are:

1. Structure the object to be analyzed, so that the important functions and activities are covered.
2. Divide into subsections.
3. Identify deviations, which might imply hazards. A check-list is used.
4. Propose countermeasures according to the strategy below:
   a) eliminate the possibility that the deviation can occur
   b) reduce the probability that it occurs
   c) reduce the consequences if it occurs
   d) develop procedures for early detection and suitable corrections.

ON EVALUATION OF SAFETY ANALYSIS

The safety analysis procedure

Safety analysis refers here to a systematic identification of hazards and systematic means of finding measures to reduce them. It is assumed that the goal of safety analysis is to obtain risk control. In this case that means that as few accidents as possible shall occur in the new installation. Figure 1 is a block diagram of a safety analysis procedure. It is divided into seven different parts which are discussed below.

1. The safety policy of the company is fundamental to the likelihood of a successful analysis. The policy and its interpretation will define the scope of the analysis, the available resources for analysis, implementation of improvements, etc. But policy is not only defined by decisions made by top management, it also has an informal side such as attitudes among the people involved in the project.
2. In the identification of hazards, sufficient information about the analyzed object must be available. Information on different kinds of problems, defects, and earlier accidents are useful inputs to the analysis.
3. Identification of hazards is made by the application of one or more safety analysis methods.
4. Evaluation of the identified hazards must be done. In this case study the question was whether or not the hazard was acceptable.
5. If a hazard is judged as unacceptable, improvements are developed and evaluated.
6. Decisions are made as to whether or not the proposed improvements shall be implemented.
7. In the implementation stage the improvements are made.

Figure 1 is a simplification of an analysis procedure that can, for example, involve several methods and is often iterative. More complex models are therefore quite common (see [SCRATCH, 1984]).

Also, the role of safety analyses in the design procedure should be considered. In the ideal application, proposals are made for the different subsystems. These proposals are analyzed and improvements are proposed. The results of these activities are a part of the basis for rational decisions. A decision can be an approval for direct implementation, or a demand for further development. In reality there are many activities in parallel and decisions are often made informally. Safety analysis will compete with many other activities in the design process; for economy, personnel, attention etc.

Problems in risk control and safety analyses

Identification of hazards and preventing them in the design stage is difficult, as many things can fail. There can be different reasons why an accident can occur despite the efforts invested in prevention. In this section an outline of a model for describing problems in safety analysis and risk control with special attention to the application at design is discussed.

In the literature various deficiencies in safety analysis have been discussed from different points of view. However, discussion is often limited to a part of the safety analysis procedure [Suokas, 1985].

Different approaches can be used in the evaluation. One is to take the procedure of a safety analysis (Fig. 1) as the starting point. Deficiencies of different kinds can occur in each block. An extensive list of hypothetical problems can be made, some examples of which are shown in Table 1.

Fig. 1. Safety analysis procedure for risk control. [Block diagram not reproduced.]

Table 1. Examples of problems related to a safety analysis procedure

Part of procedure: Examples of problems
Safety policy: Unclear goal, creating insufficient motivation. Part of the production system is excluded from analysis. Insufficient resources for analysis or implementation of improvements.
Information: The information about the system is not sufficiently detailed or is incorrect. The system is changed making the analysis invalid.
Identification of hazard: System is not analyzed. Incomplete analysis due to: part of object excluded; superficial analysis. Oversight in analysis due to: choice of unsuitable method(s); poor skill of analyst or team; random error.
Evaluation of hazard: Underestimation of hazard means that improvements are excluded.
Proposal of improvement: No proposal found. Insufficient or otherwise poor proposal is made.
Decision: Proposed improvement is not accepted meaning that the hazard remains.
Implementation: The proposed improvement is insufficiently implemented (distorted) compared to proposal, due to unclear specification.

Different kinds of deficiencies can arise with respect to the design procedure. Again a list of problems and deviations from the idealized procedure could be made. A major defect is that analysis is not made of a particular subsystem. There can be many reasons for this. Examples are that the hazards are regarded as negligible, that an analysis is regarded as too difficult, that time is lacking, etc.

An alternative approach is to begin with the assumption that an accident has occurred. Why has the accident occurred despite efforts to identify hazards and correct them? Reasons for failures in analysis and risk control are then traced backwards. Figure 2 shows a picture of problems based on that approach. Many of the points in the tree are equivalent to those mentioned above, but here they are structured differently. The tree should be regarded as a tentative model. In other situations different problems might occur (see [Suokas, 1985]). It should also be noted that the tree is not based on a strict taxonomy. Explanations for a specific accident can fall in more than one "box".

Figure 2a is drawn as a tree, where the starting point is an assumed accident. The first branch is whether or not the hazard was identified. If the hazard was not identified, the explanation could be either that the actual subsystem was not analyzed, or that the analysis was faulty. Problems after the identification of a hazard (Fig. 2b) can result from insufficient preventive actions, or that measures are not taken at all.

That a subsystem is not analyzed can result from a number of factors (Fig. 2c). An area or subsystem could be excluded by mistake, oversight, lack of time, or a number of other explanations. The exclusions could also be intentional for various reasons, some of which are shown in the tree. Failure in an analysis (Fig. 2d) can be caused by incorrect information, changes of the system, or erroneous or incomplete information. Failures in performing an analysis can also occur for a number of reasons.

THE CASE STUDY

The case study concerns the reconstruction of a section at a paper mill. About six people work simultaneously in the section, which is operated on a five-shift basis. This means that about thirty people were affected by the redesign.

In this section, paper rolls from the paper machine are cut into smaller rolls in rolling machines. The large rolls weighing about 10 tons are reduced to smaller rolls weighing between 100 kg and 3 tons. The rolls are then wrapped in paper in a wrapping machine. The rolls are transported through the stations with different kinds of equipment.

One of the main reasons for the reconstruction was that a number of severe accidents had occurred at one of the rolling machines. Another reason for the redesign was to increase quality and production capacity. The creation of a more rational transport system was another goal. The reconstruction involved:

1. Layout, placing of machines etc.
2. Design of a transport system
3. Purchase of a new rolling machine
4. Reconstruction and reinstallation of an old rolling machine
5. Reconstruction and reinstallation of an old wrapping machine.

Project organization

Studies for reconstruction had been made earlier, the first of which was carried out in 1976. In autumn 1980 a new proposal was made, and the project was granted funding in February 1981. The new installation was put into operation in May 1982, as planned.

A project group was established, consisting of the project leader, representatives for the employees, and different specialists at the company. A special group for safety and ergonomics was formed for the project. Seven persons were involved in this group, which consisted of the project engineer, three representatives for the employees, one foreman, one repairman, and the author. The author's role was to act as a consultant on safety matters, to plan the safety work, and to perform the analyses.

When a subsystem was analyzed, a special group was formed for that purpose. The size of the group varied between two and five people. The results were reported to the safety group, which made recommendations to the project group.

Fig. 2. Tree describing problems related to safety analysis and risk control. [Tree diagram, panels (a) to (d), not reproduced.]

Analysis of layout and transport system

The transport system and layout were considered to be important for safety. A lot of material was to be transported, including paper rolls weighing up to ten tons. A number of different types of transport equipment were to be used. The layout included the placing of machines, a power station, walls etc.

The layout and transport system were dealt with at six special meetings with a length of about two hours. Six persons with different professional background took part in the meetings. The object of the analysis was a layout proposal. The analysis was aimed at making improvements, which were marked directly on the drawings and used to make an improved proposal. Deviation and energy analysis were applied. The approach of the analysis was to systematically check:

1. The normal material flow.
2. Special transports, such as waste handling and packing material. Manual transports were also included here.
3. Pedestrians; on the job and passing the workplace.
4. Special attention was paid to industrial trucks, both in routine transport and special tasks.
5. Maintenance and repairs; important aspects were accessibility, transport, and lifting aids.

Several layout changes were made after each discussion. This meant that the analysis had to be repeated a number of times. If a problem could not be solved at a meeting, the project engineer took the question back to the drawing board to solve it later. This can be seen as an integration of the safety analysis in the design process.

Detailed checks of different subsystems or components in the transport system were not made. One reason for this was lack of time since equipment had to be ordered from manufacturers. Also the project engineer could be too busy at the appropriate time for analyses.

The project engineer had an important role in the analyses. A layout drawing does not give complete information, as many assumptions and much thinking lies behind a design. The project engineer could give a more complete picture of this. It is also important to know what changes can be easily made, and where difficulties exist.

Purchasing a paper-rolling machine

Different kinds of equipment had to be purchased, including a paper-rolling machine. The company had experienced many accidents with such machines, and a goal was set to get as safe a machine as possible.

In a rolling machine, the large rolls from the paper machine are transferred to smaller rolls. The roll is unwound and passes a number of steel-cylinders and rotating knives. It is finally wound on to a set of smaller rolls. This type of machine is known to be hazardous and is often connected with high accident frequencies. A description of hazards and principles of such machines has been published by Turc-Baron and Ulysse [1981].

The analyses were made by a team of four members, and about three days were used. Drawings and specifications from two competing manufacturers were examined. It was also possible to analyze two similar rolling machines in operation using energy and deviation analyses. The result of the analyses was a list of about 30 points specifying safety improvements. The list was accepted both by the company and the manufacturers of rolling machines. It became a part of the machine specifications.

Rebuilding existing machines

A twenty-five year old rolling machine was included in the new installation. A reconstruction was undertaken in order to achieve a higher safety level. The job safety analysis was made by a foreman and the author. In this case the information on the tasks and on the system was easily available as direct observations and interviews could be made. The list of job tasks contained 36 points, and a mean time of 6 minutes was spent on each point. Energy and deviation analysis were used to get more complete information.

After the hazard identification stage, safety improvements were discussed. About 50 ideas were proposed. The ideas were presented to the project group, and it was decided to implement most of the proposals. One important area was dangerous tasks in the neighborhood of rotating cylinders. These tasks could be changed, making them safer and at the same time more practical and convenient. The control system of the rolling machine had many defects from a safety point of view. Therefore a detailed proposal for a new control system was made.

A machine for packing rolls was also part of the system and was analyzed. Energy and job safety analyses were applied, although in this case the ambitions were lower. One reason for this was that the machine would be changed after installation, and it was not clear what would be changed.

RESULTS

Practical results and experiences

In this study the intention was to practically apply safety analysis in design of an industrial installation. This has also been done from the start of the project until the system was almost ready for operation.

A large amount of time was spent on planning analyses and implementation. The author found early in the project that an active planning of the various activities was necessary. Coordination with the project schedule was pertinent. It was essential to identify important decision situations and to have results ready from the analyses. Therefore design proposals had to be available in sufficiently good time to allow analyses to be made. The situation would otherwise be that the time would be too short to prepare proposals for improvements. Decisions made at special project meetings and informal decisions were both important.

The aim was to present the results from an analysis as lists of specific measures. This was normally done at the project meetings but also sometimes in other situations. The majority of the measures were technical and concerned mechanical changes or improvements of control systems. Also a number of organizational changes were proposed, mainly concerning work routines and maintenance.

Evaluation of whether or not the identified hazards were acceptable was done at the group meetings. In general, the decisions were made in agreement. The judgments were based on the participants' experiences, and formalized criteria were not used. To some extent official regulations could be used, but they were seldom precise enough.

There was a positive attitude in the company to the research project and the aim to improve safety. Most suggestions on the lists were accepted directly, and much effort was invested in implementation and follow-up. The lists of improvements were extensive and contained several points. Many of them were implemented directly, whereas others were rejected later in contradiction to earlier decisions.

There were some difficulties in completely realizing the goal of analyzing all parts of the system and making precise suggestions for improvements. These difficulties were related to changes in the design and time pressure in the project. Some problems were related to the design of the transport system and the general layout. A number of changes were made during the design, some of which were due to an analysis. As a result, some parts of the system were designed and implemented after the author had left the project. Another consequence was that the time became too short to study some parts of the equipment. Purchase orders had to be made directly.

Other implementation problems concerned hazards for which a general non-detailed solution had been proposed. The consequence was solutions that did not give a satisfactorily safe system.

It was possible to integrate safety analysis smoothly in the project, although some efforts in planning were required. The project was not delayed and the time schedule could be followed. There was a cost increase of a few percent, of which the main part was related to building construction.

The amount of work in connection with safety analysis, proposals etc has been about 80 man days. 50 days for employees at the company were used. In most projects at the company there were similar working groups, which means that about the same time would have been used anyway. The author spent about 30 days directly working with the design project.

Effect on accidents

The renovated section has been in operation since mid-1982. The accident frequency for the years 1978-1984 is shown in figure 3. As a comparison the frequency for the rest of the factory is shown. The frequency is the number of accidents causing one or more days of absence from work per one million working hours. Only employees working in production are included. The average frequency for the paper industry is about 50. In 1984 four accidents occurred in the new section and 21 in the rest of the factory.

The accident frequency in the new section has decreased. A comparison can be made between the period 1978 to 1981 and 1983 to 1984, excluding 1982 as the year of rebuilding. The ratio between the frequencies is 0.44 corresponding to a decrease of 56%. Assuming a binomial distribution the 95% confidence interval for the ratio is estimated at 0.26 to 0.62. Thus the decrease is statistically significant (p < 0.001). Corresponding calculations for the rest of the factory give a ratio of 0.79 with an estimated standard deviation of 0.15.

Another measure of accidents is severity-rate, which is calculated as the sum of days with absence from work due to accidents per one thousand working hours. The severity-rate for the actual section and for the rest of the factory is shown in figure 4. The average for the paper industry is estimated at about 1.0. The number of days absent in 1984 was 31 for the new section and 371 for the rest of the factory.

There is a pronounced reduction of days absent for the new section. Comparing the same years the ratio was 0.25 corresponding to a reduction of 75%. For the rest of the factory the ratio was 1.1, an increase of 10%.

The average number of days absent for injured workers was 11.8 days per accident during the first period and 6.4 for the last one. The difference is not significant (p > 0.05). Among the accidents in the first period there was one injury with permanent impairment. It was not included in the calculation of average days lost. In the severity rate calculation the officially reported number of days were used (about 30).

Evaluation of safety analysis and risk control

During 1983 and 1984 seven accidents with absence from work have occurred at the section. Eight minor accidents have also been recorded. These 15 cases have been related to the safety analysis procedure. The result is shown in Table 2. The table is based on a simplification of the tree (Fig. 2). A problem was that some of the accidents are related to more than one "box" in the tree. The principle of the classification was to choose the first categorization in the table which was relevant.

For six accidents the hazards had been identified. Measures to reduce them had also been proposed. In four of these the proposals were implemented. In two cases the solution was insufficient. In two other cases the implementation was poor. The first was a ladder, which was not resistant enough. The second concerned a lifting aid, which was not used. For the two remaining accidents proposals were made, but not implemented.

In nine of the accidents the hazard was classified as not identified. In five of these an analysis was not performed of the actual area or activity. Of these, two accidents happened at a purchased standard machine, which was regarded as impossible to change. Three accidents happened at workplaces, which were designed after safety analyses were completed.

There were four remaining accidents where hazards were not identified. Analyses were performed at the particular area, but the systems were changed later. The changes introduced new hazards, which were not foreseen. One of the changes caused two accidents. The purpose of that change was to solve a problem in handling heavy rolls. The solution was not successful, and the equipment was removed. However the floor was left uneven which contributed to two accidents.

No accident was classified as a failure in the identification stage of an analysis. Of the 9 cases a few might have been missed ("random error") or been judged as very unlikely to occur, if the actual area had been studied.

Fig. 3. Accident frequency before and after safety analysis and renovation of one section of a paper mill. (Number of accidents with absence from work per one million working hours.) [Chart not reproduced: frequency (acc./Mh) by year, 78 to 84, for the studied section and the rest of the factory, with the year of change marked.]

Fig. 4. Accident severity-rate before and after safety analysis and renovation of one section of a paper mill. (Number of days lost due to accidents per one thousand working hours.) [Chart not reproduced: severity-rate (days/kh) by year, 78 to 84, for the studied section and the rest of the factory, with the year of change marked.]

DISCUSSION

One experience from this case study is that safety analysis can be applied practically in the design of an industrial installation. Traditionally, safety analysis has often been seen as the identification and evaluation of risks. The scope here has been wider, including the development and implementation of measures.

At the studied section the occurrence of accidents can be compared before and after the reconstruction, since the production is mainly the same. Accidents still occur at the section with a frequency above the average for the paper industry. However, the accident frequency has decreased by 56% and the days lost due to accidents by 75%.

Besides safety analysis and preventive measures, the reconstruction itself might have contributed to the reduction. While the sole effect of reconstruction cannot be assessed, the effect is probably negligible since a large number of hazards were identified and corrected in the original proposals. A contributing reason for the reduction can be a higher safety awareness among employees at the company as an effect of the safety analyses.

Table 2. Accidents and near-accidents related to failures in risk control and safety analysis

Description: Number
Hazard identified: 6
  Measures taken, but distorted or insufficient: 4
  Measure not taken, but proposed: 2
Hazard not identified: 9
  Subsystem not analyzed: 5
  Information about system became wrong: 4
  Failure in performance of analysis: 0
Number of accidents: 15

A conclusion from the evaluation of the occurred accidents is that the methods used have been satisfactorily efficient in identifying hazards. They have also been useful in stimulating ideas for safety improvements. The evaluation of accidents following renovation showed that none of these were related to a failure in safety analysis of a particular subsystem. However, this does not necessarily imply that all hazards would have been identified if the complete system had been analyzed.

In this case study two or three different methods were used on each object. This has contributed to an increased completeness. It has not been evaluated how much the addition of more methods contributes to the completeness.

The evaluation of the accidents was done by the author, who also made the analyses. This might introduce some bias in the judgments. However, studying specific accidents might be less sensitive to subjectivity than a study of hypothetical hazards.

Thus the methods have been satisfactorily accurate in this application. The reverse question is whether they were too detailed or exacting. Comparatively little time was spent on directly analyzing: one to three days per subsystem. The author's judgement is that less ambitious or less systematic methods would diminish the results, but it is difficult to judge to what extent. The overall impression is that the approach has been a fairly good compromise between completeness and use of time.

Besides a safer system, other benefits were obtained. Some of these were a reduction of the total transport work and better possibilities for provisional transports in case of a failure.
To some extent safety analyses contributed to a reduced likelihood of damage to equipment and simplified reparations. Due to high production costs at a paper mill, a reduced probability of stoppage in the material flow can be important even if it is small.

Another experience from the case study was the importance of a careful planning of analyses and implementation. This was necessary despite the good support of the company and the positive attitude among those involved. The planning was careful but not completely successful. All subsystems were not analyzed and all improvements were not satisfactorily implemented. The evaluation also showed that such deficiencies were related to accidents which later occurred. Another problem area concerned changes which occurred after a subsystem had already been studied.

The general conclusion from this case study is that safety analysis in design can be an efficient tool in decreasing accident risks. While the methods can in themselves be fairly simple, it is important to consider organizational factors carefully in implementing them.

REFERENCES

Bullock M. G., Change Control and Analysis. System Safety Development Center, SSDC-21, Idaho, 1981.
CISHC (Chemical Industry Safety and Health Council of the Chemical Industries Association), A guide to hazard and operability studies. CISHC, London, 1977.
Clemens P. E., A compendium of hazard identification and evaluation techniques for system safety application. Hazard Prevention, 18, 11-18, 1982.
Fang G. and Harms-Ringdahl L., Safety considerations in the design of factories - a study of three cases. International seminar on occupational accident research, Stockholm, Sweden, 1983.
Hammer W., Handbook of system and product safety. Prentice-Hall, Englewood Cliffs, NJ, 1972.
Harms-Ringdahl L., Riskanalys vid projektering - Försöksverksamhet vid ett pappersbruk. Occupational Accident Research Unit, Royal Institute of Technology, Stockholm, Sweden, 1982.
Health and Safety Executive, Guidance on the safe use of programmable electronic systems; Part 1: General requirements. Health and Safety Executive, London, 1984.
Ho M.-T., Réflexions sur l'analyse de la sécurité des systèmes ses méthodes et ses problèmes. Cahier de notes documentaire, Institut national de recherche et de sécurité, 571-580, Paris, 1976.
Johnson W. G., MORT Safety assurance systems. Marcel Dekker, New York, 1980.
McElroy F. (Ed.), Accident Prevention manual for Industrial Operation. National Safety Council (Seventh Edition), Chicago, 1974.
Kjellén U., The deviation concept in occupational accident control-I. Accid. Anal. Prev. 16, 289-306, 1984.
Pavlov P. V., Job safety analyses. System Safety Development Center, DOE 76-45/19, Idaho, 1979.
SCRATCH (Scandinavian Risk Analysis Technology Co-operation), Sikkerhetsanalyse som beslutningsunderlag. Yrkeslitteratur, Oslo, Norway, 1984.
Suokas J., On the reliability and validity of some methods of safety analyses. Technical Research Centre of Finland, Espoo, Finland, 1985.
Suokas J. and Rouhiainen V., Work safety analysis: Method description and users guide. Technical Research Centre of Finland, Espoo, Finland, 1984.
Turc-Baron P. and Ulysse J., La sécurité dans les industries de la papeterie 2: Les enrouleuses. Institut national de recherche et de sécurité, Paris, 1981.
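The classification rule behind Table 2 (an accident that fits more than one "box" of the Fig. 2 tree is assigned to the first relevant category in the table) is sketched below as an added example; it is not part of the original paper. The record fields and the 15 case records are constructed from the narrative in the evaluation section, and all names in the code are assumptions of this example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Accident:
    """One accident record; the field names are assumptions of this example."""
    label: str
    hazard_identified: bool
    measure_proposed: bool = False
    measure_implemented: bool = False
    subsystem_analyzed: bool = True
    system_changed_after_analysis: bool = False


# Table 2 categories in table order. Order matters: an accident that fits
# several boxes is assigned to the first category that is relevant.
RULES = [
    ("Measures taken, but distorted or insufficient",
     lambda a: a.hazard_identified and a.measure_implemented),
    ("Measure not taken, but proposed",
     lambda a: a.hazard_identified and a.measure_proposed),
    ("Subsystem not analyzed",
     lambda a: not a.hazard_identified and not a.subsystem_analyzed),
    ("Information about system became wrong",
     lambda a: not a.hazard_identified and a.system_changed_after_analysis),
    ("Failure in performance of analysis",
     lambda a: not a.hazard_identified),
]
GROUPS = {
    "Hazard identified": [name for name, _ in RULES[:2]],
    "Hazard not identified": [name for name, _ in RULES[2:]],
}
UNCLASSIFIED = "Unclassified (no Table 2 category applies)"


def classify(accident):
    """Return the first Table 2 category whose condition holds."""
    for name, applies in RULES:
        if applies(accident):
            return name
    return UNCLASSIFIED


def tally(accidents):
    """Build the Table 2 layout: group totals, category counts, grand total."""
    counts = Counter(classify(a) for a in accidents)
    table = {}
    for group, members in GROUPS.items():
        table[group] = sum(counts[m] for m in members)
        for member in members:
            table[member] = counts[member]
    table["Number of accidents"] = len(accidents)
    return table


def build_cases():
    """Constructed records mirroring the 15 cases described in the text."""
    cases = []

    def add(n, label, **flags):
        cases.extend(Accident(f"{label} #{i + 1}", **flags) for i in range(n))

    add(2, "solution insufficient", hazard_identified=True,
        measure_proposed=True, measure_implemented=True)
    add(2, "implementation poor (ladder, lifting aid)", hazard_identified=True,
        measure_proposed=True, measure_implemented=True)
    add(2, "proposal not implemented", hazard_identified=True,
        measure_proposed=True)
    add(2, "purchased standard machine", hazard_identified=False,
        subsystem_analyzed=False)
    add(3, "workplace designed after the analyses", hazard_identified=False,
        subsystem_analyzed=False)
    add(4, "system changed after analysis", hazard_identified=False,
        system_changed_after_analysis=True)
    return cases


# A constructed record that fits two boxes, to show the first-match rule.
AMBIGUOUS = Accident("fits two boxes", hazard_identified=False,
                     subsystem_analyzed=False,
                     system_changed_after_analysis=True)

if __name__ == "__main__":
    for description, number in tally(build_cases()).items():
        print(f"{description}: {number}")
    print(AMBIGUOUS.label, "->", classify(AMBIGUOUS))
```

Because the rules are evaluated in table order, reordering `RULES` changes how multi-box accidents are counted, which is the sensitivity the paper notes when it says the tree is not a strict taxonomy.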