Accid. Anal. & Prev. Vol. 20, No. 1, pp. 67-85, 1988. Printed in Great Britain. 0001-4575/88 $3.00 + .00. © 1988 Pergamon Journals Ltd.
THE ROLE OF SAFETY ANALYSIS IN ACCIDENT PREVENTION
JOUKO SUOKAS
Technical Research Centre of Finland, Occupational Safety Engineering Laboratory, Box 656, SF-33101 Tampere, Finland
(Received 9 April 1986; in revised form 15 February 1987)
Abstract. The need for safety analysis has grown in the fields of nuclear industry, civil and military aviation and space technology, where the potential for accidents with far-reaching consequences for employees, the public and the environment is most apparent. Later the use of safety analysis has spread widely to other industrial branches. General systems theory, accident theories and scientific management represent domains that have influenced the development of safety analysis. These relations are briefly presented, and the common methods employed in safety analysis are described and structured according to the aim of the search and to the search strategy. A framework for the evaluation of the coverage of the search procedures employed in different methods of safety analysis is presented. The framework is then used in an heuristic and in an empiric evaluation of hazard and operability study (HAZOP), work safety analysis (WSA), action error analysis (AEA) and management oversight and risk tree (MORT). Finally, some recommendations on the use of safety analysis for preventing accidents are presented.
INTRODUCTION
In the evaluation of the safety level of a production system, injury frequency and severity rates and other information based on accidents are not sensitive or representative enough to serve as criteria for directing and planning measures to achieve safety improvements. This has been argued in the field of occupational safety [Tarrants, 1963], but it is also particularly valid in the field of major hazards, i.e., activities involving the rare possibility of accidents leading to multiple deaths and extensive material and environmental damage. There has, for some decades now, been a marked tendency for the size of plants to increase [Lees, 1980]. This tendency has been concomitant with the growing potential for accidents with even more far-reaching consequences for employees, the public and the environment, as well as the potential for costly production disturbances [Farmer, 1981; Advisory Committee on Major Hazards, 1979]. On the other hand, the complexity of systems has made it more difficult for the designer to consider carefully even the most important hazards in the planning of a system, or for the operator to handle all normal situations and disturbances in a safe manner at the operational stage.
The aim of the paper is to present the development of safety analysis and the relationship between safety analysis, accident investigation and safety management. Moreover, the aim is to present some possibilities for evaluating the limitations of safety analysis in order to promote the proper use of the methods of safety analysis and the results obtained by them. In the beginning the concepts and theoretical background of safety analysis and the connections to accident investigation are viewed. Then, after structuring the methods used for hazard identification, a framework for evaluating the coverage of safety analysis is presented. The framework is applied in an heuristic and empiric evaluation of four different methods of safety analysis.
Finally, some proposals on the use of safety analysis for preventing accidents are presented.
THE USE OF SAFETY ANALYSIS
Safety analyses have been applied to a variety of targets, such as:
- Design. The examination of a new system in order to identify and assess potential hazards and to eliminate or control them
- Licensing. The examination of a planned or an existing system for demonstrating the safety level in order to gain acceptance for its operation from the authorities or the public
- Operation. The examination of an existing system for the identification and assessment of hidden hazards in order to achieve an improvement in the safety level and to formulate a risk management policy.
There has in recent years been a clear increase in interest among the authorities of a number of countries to create legislation concerning the use of safety analysis in sectors outside the nuclear industry, too. The legislation enables the authorities in, e.g., six European Community countries to require a safety analysis or, according to the terms used in the national laws, a safety survey, safety report, safety analysis or safety study [Kafka, 1984]. EEC directive 82/501, also known as the Seveso directive, is a recent effort at presenting common guidelines and recommendations on situations where national authorities should require the use of safety analysis [EEC, 1982; Oyez, 1983 and Ryder, 1984]. In the United States a bill on safety analysis, the "Risk Assessment Research and Demonstration Act of 1983", was introduced in the House of Representatives in 1983 [Miller, 1984 and The House of Representatives, 1983]. Norway was the first of the Nordic countries to refer explicitly to safety analysis when it required the use of quantitative safety analysis in the off-shore industry [Norwegian Petroleum Directorate, 1981]. Recently bills have been presented on the revision of the occupational safety legislation [Labour Protection 1983 Committee, 1984] and the chemical legislation in Finland [Chemical Legislation Committee, 1986]. These committee reports also include a reference to safety analysis. While the early applications of safety analysis have mainly been voluntary and based on the motivation and benefit perceived by individual enterprises, the trends in legislation are probably increasing the number of safety analyses which are likely to be carried out on an authority's initiative. The objective of safety analysis may then easily be to demonstrate the safety level in order to achieve a licence for operation.
This trend also creates an increasing need for more precise knowledge of the limitations of different methods of safety analysis and for explicit definitions of the acceptable level of detail of an analysis and the documentation required.
DEVELOPMENT OF SAFETY ANALYSIS
The development of safety analysis began in the fields of nuclear industry, civil and military aviation and space technology, where the possibility of accidents with far-reaching consequences and problems in the design of complicated systems were most apparent. It then spread to other sectors, such as the chemical industry, offshore technology, the transportation of hazardous materials, the mining and paper industries, to mention just a few examples [Vinje, 1984].
Several domains of science have contributed to the evolution of the structured thinking and systematic methods of safety analysis. The basic approach of safety analysis relies on the principles and rules for the diagnosis and control of systems developed in general systems theory. At the outset of an analysis a model describing the structure and function of a system is constructed. Then, in the diagnostic phase, the acceptable and unacceptable system states are defined and the contributors with a capacity to result in unacceptable states are traced. Finally, measures are planned to control the identified contributors.
Accident research represents another important domain that has influenced the development of safety analysis. Accident theories and models aim to explain factors affecting the occurrence of accidents and concentrate investigation and data collection on the factors considered relevant. Correspondingly, safety analysis aims to obtain information on potential accident contributors and, hence, relies on accident theories and models in the search procedures. The development of system theory and process models in the field of accident research have in particular influenced safety analysis. Accident theories represent an important domain trying to explain the occurrence of accidents and the factors affecting them. Hence, the theories are a link with safety analysis, expressing the families of factors relevant to safety and to be covered in the analysis (cf. Figs. 1, 9 and 11). However, the educational background in engineering of several of the persons involved in the development of safety analysis has emphasized the role of technical systems [Hovden, Sten & Tinmansvik, 1982].
Scientific management represents a third domain with principles and methods that have influenced safety analysis. Problem analysis, potential problem analysis and decision trees are examples of methods developed for general planning and management purposes. These methods have also contributed to the thinking applied in safety analysis. For example, potential problem analysis can be considered as the predecessor of hazard and operability study [Knowlton, 1976]. Correspondingly, decision trees and event trees have similar rules for branching and using probabilities; from each node there are always two branches which are mutually exclusive and represent the set of all alternative courses of events. Figure 2 shows an example of an event tree and the use of probabilities in the tree. Work study and ergonomics are examples of other activities which have contributed to the development of safety analysis, particularly in the field of occupational accidents.
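The event tree quantification described above, as an added example in Python that is not part of the original paper: each node has exactly two mutually exclusive branches (the safety function works or fails), every end-state frequency is the initiating-event frequency times the branch probabilities along the path, and a branch that cannot be asked after an earlier failure is skipped. The initiating event, safety functions, consequence classes and all numbers are constructed and are not those of Fig. 2.

```python
"""Event tree quantification (forward analysis).

Added example, not code from the paper; the initiating event, the safety
functions and every number below are constructed and are not those of Fig. 2.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    p_fail: float  # probability that the function fails when demanded
    # If this predicate holds for the outcomes so far, the function is not
    # asked at all (e.g. isolation cannot act when detection already failed).
    skip_if: Optional[Callable[[Dict[str, str]], bool]] = None


@dataclass(frozen=True)
class Sequence:
    path: Tuple[Tuple[str, str], ...]  # (function, "yes" | "no" | "-") in order
    frequency: float                   # per year
    consequence: str


def build_sequences(init_freq: float, functions: List[SafetyFunction],
                    classify: Callable[[Dict[str, str]], str]) -> List[Sequence]:
    """Walk every path of the tree from the initiating event.

    At each node the two branches (works / fails) are mutually exclusive and
    exhaustive, so the frequencies of all end states sum to init_freq.
    """
    sequences: List[Sequence] = []

    def walk(i: int, freq: float, path: List[Tuple[str, str]]) -> None:
        if i == len(functions):
            sequences.append(Sequence(tuple(path), freq, classify(dict(path))))
            return
        f = functions[i]
        if f.skip_if is not None and f.skip_if(dict(path)):
            walk(i + 1, freq, path + [(f.name, "-")])
            return
        walk(i + 1, freq * (1.0 - f.p_fail), path + [(f.name, "yes")])
        walk(i + 1, freq * f.p_fail, path + [(f.name, "no")])

    walk(0, init_freq, [])
    return sequences


def frequency_by_consequence(sequences: List[Sequence]) -> Dict[str, float]:
    """Aggregate end-state frequencies per consequence class (the input to an f/N curve)."""
    out: Dict[str, float] = {}
    for s in sequences:
        out[s.consequence] = out.get(s.consequence, 0.0) + s.frequency
    return out


# Constructed sample: a flammable-gas leak from a pipe, 1e-2 per year.
LEAK_FREQUENCY = 1e-2
LEAK_FUNCTIONS = [
    SafetyFunction("gas detection", p_fail=0.1),
    SafetyFunction("automatic isolation", p_fail=0.05,
                   skip_if=lambda o: o.get("gas detection") == "no"),
    SafetyFunction("ignition avoided", p_fail=0.3,
                   skip_if=lambda o: o.get("automatic isolation") == "yes"),
]


def classify_leak(outcomes: Dict[str, str]) -> str:
    """Consequence class of one end state (constructed rules)."""
    if outcomes["automatic isolation"] == "yes":
        return "minor release"
    if outcomes["ignition avoided"] == "yes":
        return "unignited release"
    return "fire"


def leak_sequences() -> List[Sequence]:
    return build_sequences(LEAK_FREQUENCY, LEAK_FUNCTIONS, classify_leak)


if __name__ == "__main__":
    seqs = leak_sequences()
    for s in seqs:
        branches = " / ".join(f"{name}: {res}" for name, res in s.path)
        print(f"{s.frequency:.2e} per year  {s.consequence:<18} {branches}")
    print(frequency_by_consequence(seqs))
```

The sum of the five end-state frequencies equals the initiating frequency, which is the check that the branches at every node were mutually exclusive and exhaustive.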
WHAT IS SAFETY ANALYSIS?
Two main terms, safety analysis and risk analysis, are used in publications, often with the same meaning, describing the whole process in Fig. 3. Different methods of analysis are then employed at different stages in an examination. Safety analysis is here defined as a systematic examination of the structure and functions of a system aiming at identifying accident contributors, modelling potential accidents, and finding risk-reducing measures. The modelling phase in safety analysis may also include the application of component failure and human error data in order to calculate the frequencies of potential accidents. In this case the process may also be called probabilistic safety analysis. Safety analysis may then be continued with a risk assessment phase including the application of consequence assessment and calculation of the size of the risk. In the field of chemical accidents this usually means the use of gas dispersion models, fire and explosion models, toxicity data, meteorological data and population data. This procedure, resulting in a numerical figure for the size of the risk, is usually called risk analysis (sometimes also probabilistic risk analysis, PRA). The assessed risk is typically described as risk contours giving the probability that an individual will die in a given time period as a consequence of the identified hazards, or as societal risk in the form of f/N-curves expressing the frequencies of accidents with at least N fatalities. Figure 4 shows an example of the use of f/N-curves in defining the limits of acceptable and unacceptable risk as defined by the authorities of Groningen in the Netherlands for installations handling dangerous materials [Province of Groningen, 1979]. This paper concentrates on describing and evaluating the safety analysis methods.
Fig. 1. A three-phase hierarchical model describing the relationships between safety analysis and accident investigation. (Figure not reproduced; its levels are: theories (accident prone theory, energy flow theory, system theory, etc.); models (system models: factors describing the relevant structure and functions of a system; accident models: factors contributing to the occurrence of accidents); and methods, the operationalization of the models, for safety analysis and for accident investigation.)
Fig. 2. An example of an event tree. The basic structure and the way of using the probabilities in different branches are similar in event trees and decision trees. (Figure not reproduced.)
Fig. 3. The main steps in a safety/risk analysis. The decision on the level at which the analysis is stopped is made on the basis of the complexity of the object for analysis and the risk potential. (Figure not reproduced; the steps shown include quantification of risks and documentation of results.)
Fig. 4. Diagram for the evaluation of societal risks suggested by the provincial authorities of Groningen, Netherlands. (Province of Groningen, 1979). (Figure not reproduced.)
RELATIONSHIPS BETWEEN SAFETY ANALYSIS AND SAFETY MANAGEMENT
Information on accidents is used as a basis for feedback control in an organization. Such information enables the difference between the goal and the actual output of a system to be derived, which is then used as a variable to move the system back in the direction of this goal [Kjellen, 1984]. Figure 5 shows how the knowledge of accident contributors obtained by safety analysis is employed for feedforward control. The knowledge obtained by safety analysis is used as a variable to change the system or to control the variable in order to increase the probability of meeting the defined goal. According to Ashby's law of requisite variety [Ashby, 1956], full control over a system requires that the controller is capable of taking at least as many different measures or countermeasures as the system that he seeks to control may exhibit [Court van, 1967 and Gigh van, 1978]. Although the full control of accidents is an unattainable goal [Kjellen, 1983], Ashby's law clearly expresses the importance of a thorough identification of accident contributors. In maintaining a good standard of safety, getting a set of hazards identified and assessed with relevant risk-reducing measures is not the only constituent of great significance. It is also important to have full knowledge of the boundaries of a safety analysis and the assumptions employed in it. The assumptions made on the construction and function of a system can serve as references for safety management at the operating stage when striving to keep the system in agreement with these references by means of training, instructions, inspections, tests, etc.
Fig. 5. A simplified feedforward control model describing how the information obtained by safety analysis assists safety management in keeping a production system inside the safety limits. (Figure not reproduced; its elements are: plan or description of a production system, safety analysis, knowledge on accident contributors, corrective actions, and operation of a production system.)
STRUCTURING THE METHODS AND SEARCH PROCESSES OF SAFETY ANALYSIS
Because of the large variations in system structures, the nature of risks, and the needs of and resources available for safety analysis, different types of methods and search procedures have been developed to meet the requirements. Often the methods are grouped into two classes, qualitative or quantitative, or described as inductive or deductive, or characterized as methods of identification or quantification [Concawe, 1982; Haasl, Roberts, Vesely & Goldberg, 1981 and Taylor, 1979]. The practice in grouping and characterizing the methods varies in the literature. To structure the situation, a new proposal is presented in Table 1 and described below. The proposal is based on the idea of describing the methods according to the aim of the use (identification of accident contributors or modelling of accidents) presented by Salo, Fieandt, Himanen & Mankamo [1983] and Suokas [1985], and on the idea of characterizing the methods according to the search strategy (forward, backward or morphological analysis) presented by Rasmussen [1982]. The aim of this proposal is to rely more on the theories behind the methods and on the practical aims relating to the phases of safety analysis described in Fig. 3.
Table 1. Characterization of some main methods of safety analysis according to the search strategy and aim of the search (failure mode and effect analysis, FMEA; action error analysis, AEA; event tree analysis, ETA; fault tree analysis, FTA; cause-consequence analysis, CCA; hazard and operability study, HAZOP; work safety analysis, WSA; and management oversight and risk tree, MORT) (Suokas, 1985)
Aim of the search | Search strategy: Forward | Backward | Morphological
Identification of accident contributors | FMEA, AEA | | HAZOP, WSA, MORT
Modelling of accidents | ETA | FTA |
(CCA spans the Forward and Backward columns of the modelling row.)
A forward analysis is based on the structure of a system. The system is divided into a set of elements, after which potential changes are searched for by applying postulated error/failure modes to each of the elements, and the effects of potential changes are then propagated through the system. Examples of clear forward analyses are failure mode and effect analysis (FMEA), action error analysis (AEA) and event tree analysis (ETA) (see Table 1). These methods are described in greater detail in, for example, [Hickman, et al., 1981; IEC, 1982; MIL, 1980 and Taylor, 1979].
A backward analysis begins by selecting a certain type of hazard or accident. Then the different paths leading to this specific hazard/accident are sought on the basis of the system structure and functions. The aim is to get a complete set of elements (possible and necessary) which can constitute the selected hazard/accident and to describe their interrelationships with a graphical model. Fault tree analysis (FTA) represents a typical backward search procedure. Figure 6 shows an example of a fault tree. The manual construction and evaluation of fault trees are described by, for example, Haasl, et al. [1981] and Hickman et al. [1981], and automatic construction by, for example, Apostolakis, Garribba & Volta [1980], Lapp & Powers [1977], Poucet [1983] and Taylor [1982].
The third search strategy, morphological analysis, represents a "bird's-eye" search focusing directly on potentially hazardous elements. The analysis does not have as clear a structure as, e.g., the forward search strategy. The morphological search is directed more by the structure and forms of the system being studied. The aim is to try to concentrate on the factors having the most significant influence on safety. The analysis begins with a search for hazard sources (energy concentrations and hazardous materials) and potential targets, such as people and vulnerable equipment. Then the possible and necessary paths which can lead to an accident are determined and their constituents are looked for among the normal and hazardous acts and functions (Rasmussen, 1982). Hazard and operability study (HAZOP), management oversight and risk tree (MORT) and work safety analysis (WSA) are examples of methods applying this search strategy.
Fig. 6. An example of a fault tree. The tree is built from top to bottom. The basic events of the tree may have frequencies or probabilities allowing the calculation of the frequency of an accident. (Figure not reproduced; the legible labels are: NH3 release corresponding to the rupture of a pipeline; pipeline; loading arms; compressors; refrigerated storage; transfer; valve V 209 remains open; relief valve does not get closed; refrigerated storage is full; OR and AND gates.)
Descriptions of these methods can be found in [Chemical Industries Association, 1977; Directorate-General of Labour, 1979; Johnson, 1980; Kletz, 1983 and Suokas & Rouhiainen, 1984]. Lihou [1980] has also described a computer program to support the documentation of HAZOP and to draw fault trees from the results.
Not all methods of safety analysis fall into only one of the groups presented earlier. For example, cause-consequence analysis represents a combination of the forward and backward search strategies. The examination begins by selecting a critical event. It is then followed by a search for factors which can constitute the critical event and by a propagation of the potential effects of the event [Nielsen, 1971 and Rasmussen & Pedersen, 1984]. Finally, the interrelationships of the factors are described by a graphical model, a cause-consequence diagram. Figure 7 shows an example of a cause-consequence diagram. Correspondingly, the MORT method is not applied to only one of the aims of the search. The MORT method has a dual nature: it can be applied to the investigation of an accident that has occurred or a potential accident, or to a more general examination of the safety pitfalls in an organization. When the method is employed in accident investigation, the aim is to construct a model of the accident to be investigated. In the latter application, the examination of an organization, the object of the analysis is often wider and more obscure, containing different types of accident potentials. In this case the aim of the search is to identify accident contributors at a higher level and to direct the use of other methods of safety analysis to examine more closely the problems identified.
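The backward search that a fault tree formalizes, as an added Python example that is not part of the original paper: the minimal cut sets are the "possible and necessary" combinations of basic events for the top event, and the top-event probability follows from the basic-event probabilities. The tree, its event names and all probabilities are constructed for illustration and are not read from Fig. 6.

```python
"""Fault tree evaluation: minimal cut sets and top-event probability.

Added example, not code from the paper. The tree, its event names and
probabilities are constructed for illustration; they are not those of Fig. 6.
"""
from dataclasses import dataclass
from itertools import combinations, product
from math import prod
from typing import Dict, FrozenSet, List, Tuple, Union


@dataclass(frozen=True)
class Event:
    """Basic event with a probability per demand (basic events assumed independent)."""
    name: str
    p: float


@dataclass(frozen=True)
class Gate:
    kind: str                       # "AND" or "OR"
    name: str                       # intermediate event the gate produces
    inputs: Tuple["Node", ...]


Node = Union[Event, Gate]
CutSet = FrozenSet[str]


def cut_sets(node: Node) -> List[CutSet]:
    """Minimal cut sets: the smallest sets of basic events whose joint occurrence
    is sufficient for the node's event (the 'possible and necessary' elements)."""
    if isinstance(node, Event):
        return [frozenset([node.name])]
    child_sets = [cut_sets(child) for child in node.inputs]
    if node.kind == "OR":            # any input suffices: union of the lists
        sets = [s for child in child_sets for s in child]
    elif node.kind == "AND":         # all inputs needed: one set from each child
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate kind {node.kind!r}")
    return _minimize(sets)


def _minimize(sets: List[CutSet]) -> List[CutSet]:
    """Drop duplicates and any set that contains another set (non-minimal)."""
    unique = set(sets)
    minimal = [s for s in unique if not any(o < s for o in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def basic_probabilities(node: Node, out: Dict[str, float] = None) -> Dict[str, float]:
    """Collect the probability of every basic event in the tree."""
    out = {} if out is None else out
    if isinstance(node, Event):
        out[node.name] = node.p
    else:
        for child in node.inputs:
            basic_probabilities(child, out)
    return out


def probability(node: Node) -> float:
    """Exact top-event probability by inclusion-exclusion over the minimal cut sets.
    Correct even when one basic event appears in several cut sets, which a naive
    gate-by-gate calculation would treat as independent."""
    probs = basic_probabilities(node)
    sets = cut_sets(node)
    total = 0.0
    for k in range(1, len(sets) + 1):
        for combo in combinations(sets, k):
            term = prod(probs[e] for e in frozenset().union(*combo))
            total += term if k % 2 else -term
    return total


def rare_event_bound(node: Node) -> float:
    """Upper bound commonly used in practice: the sum of cut-set probabilities."""
    probs = basic_probabilities(node)
    return sum(prod(probs[e] for e in s) for s in cut_sets(node))


# Constructed tree. Backward analysis starts at the top event and asks which
# lower-level events are necessary and sufficient to produce it.
RUPTURE = Event("pipeline rupture", 0.001)
TRANSFER = Event("transfer is not stopped at high level", 0.1)
SENSOR = Event("level sensor fails", 0.01)
OPERATOR = Event("operator ignores high-level alarm", 0.05)
VALVE = Event("relief valve does not get closed", 0.02)

TOP = Gate("OR", "uncontrolled NH3 release", (
    RUPTURE,
    Gate("AND", "storage overfill", (
        TRANSFER,
        Gate("OR", "high level not detected", (SENSOR, OPERATOR)),
    )),
    Gate("AND", "release through open relief valve", (VALVE, TRANSFER)),
))

if __name__ == "__main__":
    for s in cut_sets(TOP):
        print(" AND ".join(sorted(s)))
    print(f"P(top) = {probability(TOP):.6e}, bound = {rare_event_bound(TOP):.6e}")
```

Because the basic event TRANSFER feeds two branches of the top OR gate, the cut-set route gives the exact value while the rare-event sum only bounds it from above.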
A FRAMEWORK FOR THE EVALUATION OF THE SEARCH PROCEDURES
Earlier the main methods of safety analysis were structured in general terms according to the aim of the search and the search strategy. However, a more detailed knowledge of the scope of the procedures employed in different methods is required for selecting suitable methods and for recognising the limitations of the methods. Therefore, a framework is presented for a more thorough evaluation of the procedures. The framework is based on the grouping of accident contributors into hazards, deviations and determining factors. These are defined here in the following way: A hazard represents the potential for an uncontrolled transfer of energy having the capacity to result in such undesired effects as death and injury. A deviation is an event or a condition in the production process conflicting with the norm for the faultless and planned process. The determining factors are relatively stable properties of the production system affecting the occurrence or existence of a hazard. The determining factors vary only little in time and they were mainly born when the system was established [cf. Kjellen, 1983]. The operationalization of the concepts is based on several studies on accident contributors and taxonomies for their classification as well as on the author's own experience [ANSI, 1962; Johnson, 1980; Kjellen, 1983; Rasmussen, et al., 1981]. When operationalizing the concepts, the author did not strive towards a taxonomy. Instead, the aim of the operationalization was to obtain a logical framework for the evaluation of safety analysis, to be further developed after complementary experiences.
The definition of a hazard was operationalized as follows:
- the potential for striking against;
- the potential for getting struck by;
- the potential for falling (on the same level);
- the potential for falling (to a lower level);
- the potential for getting caught in, under or between;
- the potential for overexertion;
- the potential for contact with excessive temperature;
- the potential for contact with chemicals;
- the potential for contact with excessive pressure;
- the potential for contact with electricity.
The classification is closely related to that presented in, for example, the American standard ANSI Z16.2 for types of accident [ANSI, 1962]. The main difference is in the expression of terms. Hazards are here expressed as potentials for an event, while ANSI presents accident types as events that have occurred.
Fig. 7. An example of a cause-consequence tree. It represents a combination of the approaches employed in event trees and fault trees. (Figure not reproduced; the legible labels are: blockage in the injector; the blockage is observed; the feeding of hot gas is stopped in time; yes/no branches.)
The operational descriptions of the concepts of deviation and determining factor are presented in Table 2. The operationalization was made by describing production systems as consisting of four subsystems: physical, human, information and management. The operationalization is described in greater detail by Suokas [1985].
ON THE SCOPE OF THE SEARCH PROCEDURES
The aim of the evaluation is first to carry out an heuristic analysis of the search procedures with the criteria presented earlier and then to evaluate the scope of the methods in a practical case. In the following, four methods (AEA, WSA, HAZOP and MORT) are selected for the evaluation.
AEA represents the analysis of human procedures. AEA employs a forward search strategy for identifying potential deviations in human performance. The analysis is based on a step-by-step description of operation, test, and maintenance procedures. In each step potentials for a deviating performance are investigated. Typical outcomes of a deviating performance included in the scope of AEA are: forgetting a step, wrong order of steps, a step takes too long, etc. Different phases of human data processing, like information retrieval, analysis of obtained information, comparison of information with goals and decision making, are usually excluded from the scope of AEA. Only the external outcomes of the error modes in different steps are studied. Figure 8 shows an example of the documentation of AEA. AEA also produces some information on the physical subsystem. The procedure employed in AEA treats deviations in the human subsystem as contributors to potential malfunctions in the physical subsystem. The treatment is close to that employed in FMEA when propagating the effect of component failures.
Table 2. Operationalization of the concepts: deviation and determining factor. The terms describe factors in a subsystem which are considered as relevant accident contributors. (cf. Suokas, 1985)
Subsystem | Examples of possible determining factors | Examples of possible deviations
Physical | Pipelines and valves; control and alarm system; platforms and stairs; safety devices; auxiliary equipment; environment | Material flow; components; platforms and stairs; safety devices; auxiliary equipment; environment
Human | Equipment design; procedure design; operating/working procedures; training | Installation; inspection; operation; test and calibration; maintenance; coordination between activities
Information | Operating and working instructions; storing and updating of drawings; condition monitoring; work scheduling and prioritization system; information gathering and processing | Information flow; drawings; authorization of an activity; work scheduling and prioritization
Management | Definition and integration of safety goals; definition of responsibility; definition of task contents and boundaries; allocation of resources | Definition of responsibility
Fig. 8. An example of the form used in action error analysis (AEA). (Figure not reproduced; the form, headed Occupational Safety Engineering Laboratory, has columns for work step, action, error, primary consequences, secondary consequences, detection and measures, and is filled in for the maintenance of a flue gas blower.)
WSA is a systematic investigation of working methods, machines and working environment in order to find out direct accident potentials [Suokas & Rouhiainen, 1984]. A list of hazards and examples of their contributors is also presented to support the hazard identification. The aim is to identify hazards and their contributors connected with the system to be studied as comprehensively as possible. Because of the nature of the search pattern, certain limitations are, however, pointed out by Suokas & Rouhiainen [1984]. WSA will cover only occasionally common hazards which are only indirectly connected with the work steps under study. The potential for contact with chemicals or excessive pressure caused by a release or an explosion in the proximity of the process part under study, but not operated in the task under analysis, is an example of the hazards not systematically included in WSA. The search for accident contributors is based on breaking a task down into a sequence of steps. At each of the steps the search begins with a heuristic consideration of relevant hazard types (cf. Fig. 9). Relevant contributors to the hazards and the contributors necessary (and relevant) to expose a worker to the hazards are then sought. The main emphasis is, however, on the search for hazard contributors. The factors contributing to exposure to a hazard, in particular, are studied in greater detail by the methods employed in accident modelling. All types of system functions and states, also the "normal", are critically considered. The obvious result is that deviations and determining factors are both equally included in the analysis. The main search for deviations and determining factors focuses on the physical and human subsystems. The information subsystem is partly reviewed and the management subsystem completely excluded. An example illustrating WSA is presented in Fig. 10.
The purpose of HAZOP is to identify all possible deviations from the way the design is expected to operate and all hazards associated with these deviations [Chemical Industries Association, 1977]. In the search for deviations, a list of guide words (cf. Table 3) is applied to the process units, such as pipelines, tanks and reactors. The aim is to identify potential deviations in parameters such as flow, temperature, pressure, viscosity, etc. having both causes that are conceivable and consequences that are potentially hazardous. For example, [Chemical Industries Association, 1977; Kletz, 1983 and Wells, 1980] give lists of process parameters and other factors to be considered in a HAZOP study.
Fig. 9. A simplified description of the search procedure of work safety analysis (WSA). (Figure not reproduced; the steps shown are: work step; what are relevant hazards? (hazard types, effects); what are relevant contributors to the hazards?; what are necessary and relevant contributors to expose man to the hazards?)
Fig. 10. An example of the form used in work safety analysis (WSA). (The letters used in the classification correspond to: P probability, C consequence and R risk, which is determined by multiplying P and C.) P and C are typically assigned values from 1 to 5 describing the magnitude of the probability or the consequence of an accident. Classification "before" corresponds to the analysis situation and "after" to the level achievable by implementing the proposed measures. (Figure not reproduced; the form is filled in for a stoker's task, the start-up of a black liquor recovery boiler.)
The pattern on which the search strategy is based includes the concept of a deviation which may lead to the occurrence of a hazard, and it limits the application of the concept to the process units, such as pipelines, tanks and reactors (cf. Fig. 11). This approach is based on the hypothesis that component failures, human errors and threats from the operating environment can be reflected in the process units as a change from the normal state or accepted values of the operating parameters. The aim is to include factors outside the process units in the examination when the contributors of the deviations in the process units (subsequently called primary deviations for convenience) are traced. While the search is based on primary deviations, hazards having more stable determining factors as the only contributors are excluded. Determining factors are included when the contributors to primary deviations or to hazards generated by primary deviations are sought. The information usually available in a HAZOP study and the examples of the contributing factors direct the examination mainly at the physical subsystem and partly also at the human subsystem (particularly operator activities). It is therefore unusual to obtain deviations or determining factors from the information or management subsystems. An example of HAZOP analysis is presented in Fig. 12.
MORT represents an investigation of the structure and functioning of an organization. The investigation is based on the description of an organization and a list of questions to be put to the members of the organization. In the following, the evaluation of the search procedure mainly concerns the use of MORT for the purpose of identifying accident contributors and only partly the modelling of an accident that has occurred. The purpose of MORT is in this case to identify potential defects in the structure or in the functions of an organization that may allow the occurrence of accident potentials or may prevent their early identification. The questions employed in the search do not focus on specific hazards but more on the general way of planning, performing and
Table 3. Examples of guide words used in HAZOP to support the identification of potential deviations in a process unit. (Wells, 1980)
Guide word | Examples of deviations
NONE | No flow, reverse flow
MORE | More flow, higher temperature
LESS | Lower flow, lower temperature
PART OF | Change in composition
OTHER | Activities other than normal operation (start up, shut down, testing, maintenance etc.)
19
The role of safety analysis 1
Process unit 4
What are relevant deviations ? Effects
Can a deviation lead to a hazard ?
What are relevant contributors to deviations ?
What are the necessary contributon ?
Fig. 11. A simplified description of the search procedure of hazard and operability study (HAZOP)
controlling different tasks to be done at different levels in an organization. The questions mainly focus on factors which may contribute to the occurrence of hazards. Some sets of questions do, however, also focus on situations where people may get exposed to hazards and on factors influencing the consequences of an accident. Most of the questions deal with the information and management subsystems. The physical and human subsystems are not systematically included in the scope of the search procedure. Because MORT focuses generally on an organization it tends to emphasize the identification of more stable determining factors. The identification of deviations concerns more a detailed investigation of activities or procedures performed by the organization. This kind of factor can be included in the scope of MORT when the method is applied to identify and model the constituents of an accident. I OCCUPATIONALSAFETY HAZARD
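The guide-word search described above can be carried out mechanically: every guide word of Table 3 is applied to every parameter of every process unit, and a cell is kept only when it has both a conceivable cause and a hazardous consequence. The following Python is an added example illustrating that sweep; it is not code from the paper or from the analysis it reports. The process units, their parameters and the cause/consequence table are constructed for illustration, and the "cells examined versus deviations kept" figure it returns is the kind of coverage record the paper argues should be documented.

```python
"""HAZOP guide-word sweep (added example; units, parameters and the
cause/consequence table are constructed, not taken from the paper)."""
from dataclasses import dataclass
from itertools import product

# Guide words from Table 3 (Wells, 1980).
GUIDE_WORDS = ("NONE", "MORE", "LESS", "PART OF", "OTHER")

# Constructed process units and the parameters examined for each.
UNITS = {
    "liquor pipeline": ("flow", "pressure", "temperature", "composition"),
    "liquor tank": ("level", "temperature", "composition"),
    "heat exchanger": ("flow", "pressure", "temperature"),
}

# Constructed knowledge: (parameter, guide word) -> (conceivable causes,
# hazardous consequences). Causes are contributors outside the process
# unit (component failure, human error, operating environment) that show
# up in the unit as a primary deviation. A pair missing here, or one with
# an empty side, has no conceivable cause or no hazardous consequence.
KNOWLEDGE = {
    ("flow", "NONE"): (("pump failure", "valve left closed", "pipeline blockage"),
                       ("overheating of downstream unit",)),
    ("flow", "MORE"): (("control valve failed open",),
                       ("overflow, contact with chemicals",)),
    ("flow", "LESS"): (("partial blockage", "leaking valve"),
                       ("loss of cooling, excessive temperature",)),
    ("flow", "OTHER"): (("start-up", "washing with injectors left in boiler"),
                        ("contact with chemicals during maintenance",)),
    ("pressure", "MORE"): (("blocked outlet", "safety valve not refitted after maintenance"),
                           ("rupture, excessive pressure",)),
    ("temperature", "MORE"): (("steam control failure",),
                              ("contact with excessive temperature",)),
    ("temperature", "LESS"): (("cold weather",), ()),  # cause but no hazard: dropped
    ("level", "MORE"): (("inlet valve left open",),
                        ("overflow, contact with chemicals",)),
    ("composition", "PART OF"): (("wrong material connected",),
                                 ("uncontrolled reaction",)),
}


@dataclass(frozen=True)
class Deviation:
    unit: str
    parameter: str
    guide_word: str
    causes: tuple
    consequences: tuple

    @property
    def label(self) -> str:
        return f"{self.guide_word} {self.parameter} in {self.unit}"


def candidate_cells(units=UNITS):
    """Every (unit, parameter, guide word) cell the sweep has to visit."""
    for unit, params in units.items():
        for param, gw in product(params, GUIDE_WORDS):
            yield unit, param, gw


def hazop_sweep(units=UNITS, knowledge=KNOWLEDGE):
    """Keep the cells that have a conceivable cause AND a hazardous
    consequence; the rest are examined and discarded, as in HAZOP."""
    kept = []
    for unit, param, gw in candidate_cells(units):
        causes, consequences = knowledge.get((param, gw), ((), ()))
        if causes and consequences:
            kept.append(Deviation(unit, param, gw, causes, consequences))
    return kept


def coverage(units=UNITS, knowledge=KNOWLEDGE):
    """(cells examined, deviations kept): the documented scope of the sweep."""
    examined = sum(len(params) * len(GUIDE_WORDS) for params in units.values())
    return examined, len(hazop_sweep(units, knowledge))


if __name__ == "__main__":
    examined, kept = coverage()
    print(f"{examined} cells examined, {kept} deviations with cause and hazard")
    for d in hazop_sweep():
        print(f"{d.label}: {'; '.join(d.causes)} -> {'; '.join(d.consequences)}")
```

Note that the "examined" count is what distinguishes a documented search from a list of findings: a reviewer can see which unit/parameter/guide-word cells were visited, not only which deviations survived, and a hazard whose only contributors are stable determining factors (the cold-weather cell above) is visibly outside the scope rather than silently absent.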
Fig. 12. An example of the form used in hazard and operability study (HAZOP). (The form shown covers the system "black liquor recovery plant", subsystem "evaporation plant", unit "evaporation unit 1, strong liquor tank"; its columns are deviation, potential causes, consequences and action required, with fields for the HAZOP team, page, date and drafted by.)

EVALUATION OF THE SCOPE OF SOME METHODS WITH A PRACTICAL CASE
The four methods evaluated above on the basis of their search procedures are evaluated in the following with a practical case. As a basis for the empirical evaluation a black liquor recovery boiler plant was selected, including the hazards induced by process maloperations, the appliances, human errors etc. The methods were applied in the order HAZOP, AEA, WSA and MORT. At the beginning of the safety analysis a more general method, a combination of brainstorming and potential problem analysis (PPA), was used in order to train the participants from the plant in the thinking of safety analysis and to evaluate the information obtainable with a general and quick charting of hazards. All five methods were used by teams of representatives from the recovery boiler plant and the research institute. The size and composition of the team varied according to the method employed. The objects of the methods also varied to some extent: PPA was used to obtain a general view of the plant rapidly, HAZOP reviewed the process system in greater detail, AEA focused on two maintenance tasks, WSA studied three operator tasks and MORT the maintenance organization. Therefore the numbers of hazards, deviations and determining factors identified by the different methods should not be compared; the figures in the following tables represent rather the type of information obtainable by a method. The performance of the analyses is described in greater detail by Reunanen & Suokas [1986].

The distribution of the identified hazards is shown in Table 4. According to the table, HAZOP and PPA concentrate on three types of hazards: the potential for contact with chemicals, excessive pressure or excessive temperature. The potential for falling (to a lower level) is the most common hazard identified by WSA.
In addition, the potential for striking against, the potential for falling (on the same level) and the potential for contact with chemicals or excessive temperature are well represented in the set of observations made with WSA. The hazards identified by AEA are rather evenly distributed amongst the different hazard types. MORT, focusing on safety pitfalls at a higher level (mainly from the point of view of organizing and performing safety-related activities), did not identify any of the hazards. Several hazards belonging to the categories "potential for contact with excessive temperature" and "potential for contact with chemicals" were identified by PPA, HAZOP and WSA. There are, however, distinct differences between the characteristics of the hazards. The most significant difference concerns the consequences: hazards identified by PPA and HAZOP nearly always resulted in several persons being exposed, while usually only one person was exposed to the hazards identified by WSA.

Table 4. Hazards identified by potential problem analysis (PPA), hazard and operability study (HAZOP), action error analysis (AEA), work safety analysis (WSA) or by management oversight and risk tree (MORT) in a black liquor recovery boiler plant. The figures in parentheses represent hazards also identified by a method/methods applied earlier, i.e., the overlap between the methods. (Suokas, 1985)
Columns: Hazard, PPA, HAZOP, AEA, WSA, MORT, Total. Rows: potential for striking against; potential for getting struck by; potential for falling (on the same level); potential for falling (to a lower level); potential for getting caught in, under or between; potential for overexertion; potential for contact with excessive temperature; potential for contact with chemicals; potential for contact with excessive pressure; total. [The cell values are not legible in this copy; the MORT column is empty throughout.]

The distribution of the deviations and determining factors identified by the different methods is shown in Table 5. According to the table, HAZOP concentrates mainly on deviations in the physical subsystem. Almost half the deviations identified by HAZOP in the physical subsystem (46 percent) related to components in the process system, such as pumps, valves, pipelines, tanks and heat exchangers. Failures of components in the control and alarm system represented 13 percent. Deviations in the material flow represented 25 percent; these included changes in the composition of material or wrong material, a change in the flow direction (opposite flow or flow to a wrong pipeline or tank) and pipeline blockages. Deviations in the environment included cold weather, abnormal icing, air impurities and a tank car leak in the plant area. Hazards not identified by HAZOP included, for example, some of the component failures in building structures identified only by PPA. The deviations identified by HAZOP in the human subsystem related to operating and maintenance activities, with four exceptions concerning the installation of safety valves and the testing and calibration of instruments. An erroneous opening/closing or forgetting to open/close a valve during operation or maintenance was the most typical deviation (80 percent). Forgetting to fill the economizer with water after maintenance and forgetting liquor injectors in the boiler during washing are examples of deviations identified from the borderline zone between maintenance and operation. WSA concentrates on the physical subsystem and has a tendency to identify more determining factors than deviations. Most of the deviations in the physical subsystem related to the material flow (47 percent) or to the environment (29 percent).
Examples of these deviations are pipeline and pump blockages (which have to be opened with steam), overflows from evaporation units and disturbances in liquor injection into the boiler. Leaking valves are an example of the few component failures identified by WSA. The most typical determining factors identified by WSA in the physical subsystem related to pipelines and valves (32 percent), platforms and stairs (27 percent) and the environment (30 percent). Examples are manual valves which cannot be operated without climbing on pipelines, pipelines and valves in walkways, and slippery floors. Only a few determining factors concerning safety devices and auxiliary equipment were identified by WSA. Only a few factors were identified by WSA in the human subsystem; they related to deviations in inspection and operation and represented careless action rather than an erroneous act.

MORT is almost the only method that produced accident contributors relating to the information and management subsystems: about 90 percent of the deviations and determining factors identified in these two subsystems were yielded by MORT alone. AEA brought out the rest of the deviations identified in the information subsystem. The observations made by MORT in the information and management subsystems were of a similar magnitude. In the information subsystem, determining factors were rather equally distributed among the different types. In the management subsystem most determining factors concerned the definition of responsibilities and the definition of task contents and boundaries. The number of deviations identified in the information subsystem was greater than might have been expected on the basis of the evaluation of the search procedure. These deviations exemplified situations and activities which were analysed more closely with the questions of MORT; more than half of them related to information flow and coordination between activities. Only occasional observations were made in the physical and human subsystems.

AEA concentrated on the identification of deviations in the human subsystem. Most of the deviations represented the omission of a step belonging to the task; the other types were a step made too early or too late. Only one deviation in the human subsystem concerned a false interpretation of information. Some deviations were also identified in the information subsystem; these concerned coordination between parallel activities and the information flow. The observations made in the physical subsystem mainly concerned the effects of deviating human performance. However, a few factors affecting the occurrence of deviations in the human subsystem were also identified by AEA in the physical subsystem.

Table 5. Deviations and determining factors identified by potential problem analysis (PPA), hazard and operability study (HAZOP), action error analysis (AEA), work safety analysis (WSA) or by management oversight and risk tree (MORT) in a black liquor recovery boiler plant. The figures in parentheses represent factors also identified by a method/methods applied earlier, i.e., the overlap between the methods. (Suokas, 1985)

           Physical            Human               Information         Management          Total
Method     Deviation  Det.f.   Deviation  Det.f.   Deviation  Det.f.   Deviation  Det.f.   Deviation  Det.f.
PPA        66         7        11         -        -          -        -          -        77         7
HAZOP      130(41)    3(1)     87(9)      3        -          -        -          -        217(50)    6(1)
AEA        7(1)       1        16         -        7          -        -          -        30(1)      1
WSA        34(5)      66       9          2        -          -        -          -        43(5)      68
MORT       2          4        3          2        17         20       -          23       22         49
Total      192        81       117        7        24         20       -          23       333        131

(Det.f. = determining factor.)

On the basis of the results of this study, no quantitative conclusions may be drawn about the number of hazards, deviations and determining factors which can be identified by the different methods.
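The overlap figures in parentheses in Tables 4 and 5 (factors also found by a method applied earlier) and the "yielded by one method alone" share quoted above follow mechanically once every identified factor is recorded with its method, subsystem and type, and the methods are processed in the order they were applied. The following Python is an added example of that bookkeeping, not code from the paper or from the study; the observation records are constructed, and the method order is the one used in the study. The same function serves Table 4 if the (subsystem, kind) pair is replaced by a hazard type.

```python
"""Overlap bookkeeping for a multi-method safety analysis (added example;
the observation records below are constructed, not the study's data)."""
from collections import defaultdict

# Order in which the methods were applied in the study.
METHOD_ORDER = ("PPA", "HAZOP", "AEA", "WSA", "MORT")
SUBSYSTEMS = ("physical", "human", "information", "management")
KINDS = ("deviation", "determining factor")

# Constructed observations: (method, subsystem, kind, factor). The same
# factor reported by two methods counts as overlap for the later one.
OBSERVATIONS = [
    ("PPA", "physical", "deviation", "tank car leak in plant area"),
    ("PPA", "physical", "determining factor", "crack in building structure"),
    ("HAZOP", "physical", "deviation", "Tank car leak in plant area"),
    ("HAZOP", "physical", "deviation", "reverse flow in liquor line"),
    ("HAZOP", "human", "deviation", "valve left closed after maintenance"),
    ("AEA", "human", "deviation", "valve left closed after maintenance"),
    ("AEA", "human", "deviation", "economizer not filled after maintenance"),
    ("AEA", "information", "deviation", "shift handover omits open work order"),
    ("WSA", "physical", "determining factor", "manual valve reachable only from pipeline"),
    ("WSA", "physical", "deviation", "pump blockage opened with steam"),
    ("MORT", "management", "determining factor", "maintenance responsibility undefined"),
    ("MORT", "information", "deviation", "shift handover omits open work order"),
    ("MORT", "information", "determining factor", "no feedback of incident reports to design"),
]


def normalize(factor):
    """Canonical key so that the same factor written twice is one factor."""
    return " ".join(factor.lower().split())


def group(observations):
    """method -> (subsystem, kind) -> set of factor keys."""
    grouped = defaultdict(lambda: defaultdict(set))
    for method, subsystem, kind, factor in observations:
        grouped[method][(subsystem, kind)].add(normalize(factor))
    return grouped


def overlap_table(observations, order=METHOD_ORDER):
    """(method, subsystem, kind) -> (count, overlap with earlier methods)."""
    grouped = group(observations)
    seen = defaultdict(set)  # (subsystem, kind) -> factors from earlier methods
    table = {}
    for method in order:
        cells = grouped.get(method, {})
        for key, factors in cells.items():
            table[(method,) + key] = (len(factors), len(factors & seen[key]))
        for key, factors in cells.items():  # update only after the whole method
            seen[key] |= factors
    return table


def cell_text(table, method, subsystem, kind):
    """Render a cell the way the tables do: 130(41), 3, or - when empty."""
    count, overlap = table.get((method, subsystem, kind), (0, 0))
    if count == 0:
        return "-"
    return f"{count}({overlap})" if overlap else str(count)


def render(table, order=METHOD_ORDER):
    """Plain-text table in the layout of Table 5."""
    header = "method   " + " ".join(f"{s[:5]}/{k[:3]}" for s in SUBSYSTEMS for k in KINDS)
    rows = [header]
    for method in order:
        cells = [cell_text(table, method, s, k) for s in SUBSYSTEMS for k in KINDS]
        rows.append(f"{method:<8} " + " ".join(f"{c:<9}" for c in cells))
    return "\n".join(rows)


def exclusive_share(observations, method, subsystems):
    """Share of distinct factors in the given subsystems reported by
    `method` and by no other method (the '90 percent' kind of figure)."""
    by_factor = defaultdict(set)
    for m, subsystem, kind, factor in observations:
        if subsystem in subsystems:
            by_factor[(subsystem, kind, normalize(factor))].add(m)
    if not by_factor:
        return 0.0
    only = sum(1 for methods in by_factor.values() if methods == {method})
    return only / len(by_factor)


if __name__ == "__main__":
    print(render(overlap_table(OBSERVATIONS)))
    share = exclusive_share(OBSERVATIONS, "MORT", ("information", "management"))
    print(f"information/management factors found by MORT alone: {share:.0%}")
```

The design point is that `seen` is updated only after a whole method has been processed, so two teams using the same method never count as overlapping each other, and that the key for "same factor" is the normalized text; in a real analysis the key would be whatever identifier the analysis forms assign to a finding, since the overlap counts are only as good as that matching.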
Different resources were used with each of the methods (from 20 man-days in both PPA and AEA to 167 man-days in HAZOP). The size of the object also varied from one method to another. The sequence in which the methods are used may also be a source of biased results: since some persons were common to all analysis teams, they may have carried over results obtained with earlier methods. The influence of this phenomenon could be evaluated with similar analyses of other objects and by employing the methods in a different order. For these reasons it is not possible to give any absolute preferences among the methods studied. Nevertheless the results support the evaluations made earlier on the search procedures. HAZOP concentrates mainly on deviations in the physical subsystem but also extracts information on deviations in the human subsystem. This is perhaps a consequence of the search procedure and of HAZOP being performed on the basis of piping and instrumentation diagrams (PID). Factors connected with the information or management subsystem are not described in an explicit form in this context, and this may partly explain the complete absence of this type of factor from the HAZOP results. Another consequence of the use of PIDs is probably the absence of the failures connected with building structures that were identified only by PPA. Determining factors are also quite difficult to identify with HAZOP, probably because of the nature of the search process (cf. On the Scope of the Search Procedures). However, the problem is not always having the information available in an analysis but rather asking different types of questions [cf. Kletz, 1981]. In this study a version of MORT developed for the analysis of maintenance [Nertney, 1978] was used by a team in which several persons were the same as in HAZOP and had the same knowledge and experience of the system as during HAZOP.
Since MORT focuses on the planning, organizing and steering of different activities, most of the factors extracted concerned the information and management subsystems. Several of these aspects also contributed to the hazards and deviations already identified by HAZOP.

CONCLUSIONS

Safety analysis is used more and more commonly for assuring the safety of new and existing production systems. This has mainly been done on a voluntary basis, but the trends in legislation are probably increasing the number of analyses carried out on an authority's initiative. Whatever the purpose of the analysis, the restrictions of safety analysis should be known. One of the most difficult phases in safety analysis is the identification of accident contributors [cf. Amendola, 1985; Dinsmore, 1985 and Waite, 1985]. Reliability, coverage and validity are parameters which can be used to describe the quality of the identification phase. Their evaluation must be based on the search procedures employed in the methods of safety analysis. This paper has presented a framework for determining the intended content of different methods. The framework was then applied in a heuristic and an empirical evaluation. The framework should be seen as a first step in developing a basis for the qualitative evaluation of the methods, and it will probably evolve as complementary experience of its use is obtained. Already in its present form it gives a clear basis for evaluating the coverage of the search procedures employed in different methods for identifying accident contributors. The same framework and principles can also be used in other evaluations, such as comparisons between the results obtained by different methods or by different analysis groups, and comparisons of the results of a safety analysis with accidents occurring in similar systems. An example of the use of the framework for evaluating the inter-analyst reliability and content validity of safety analysis has been reported by Suokas [1985].

Safety analysis and accident investigation represent complementary approaches, both aiming at identifying accident potentials related to a system or an activity. The analysis of accidents or, more generally, the analysis of operational experience (accidents, critical incidents, component failures, human errors, etc.) can provide criteria for developing the theories, models and practices employed in safety analysis. The analysis of operational experience can also provide criteria for evaluating whether the abnormalities observed fall within the accepted hazards or whether they indicate circumstances overlooked in the safety analysis or flaws in safety management requiring adjustments to practice [cf. Advisory Committee on Major Hazards, 1984; Lees, 1982 and Suokas, 1986]. The use of safety analysis as a reference for safety management obviously requires explicit and user-oriented documentation of the analysis, including its preconditions, models and data sources (if quantitative risk calculations have been made) [Cremer and Warner, 1980; von Herman et al., 1984 and Hickman et al., 1981]. In particular, knowledge and documentation of the coverage of the analysis and search methods, i.e. of what has been included in the search for hazards and other contributors to potential accidents, is important when operating experience is evaluated as a basis for safety management decisions in feedback control. In this respect, knowledge and documentation of coverage is considered more important than attempts to reach high degrees of completeness [cf. Rasmussen and Pedersen, 1984]. Whatever the aim of safety analysis, the limitations of the methods should always be known, so that the correct choice can be made between the different methods and a realistic basis is provided for decisions on risk-reducing measures and other risk-controlling activities relying on safety analysis.
REFERENCES

Advisory Committee on Major Hazards, Second report. Her Majesty's Stationery Office. London, 1979.
Advisory Committee on Major Hazards, The control of major hazards. Third report. Her Majesty's Stationery Office. London, 1984.
Amendola A., Results of the reliability benchmark exercise and the future CEC-JRC programme. Int. ANS/ENS Topical Meeting on Probabilistic Safety Methods & Applications, San Francisco, California, 24-28 Febr. 1985. Preprints, 1985.
ANSI, Method of recording basic facts relating to the nature and occurrence of work injuries. ANSI Z16.2. American National Standards Institute, 1962.
Apostolakis G., Garribba S. and Volta G. (eds.), Synthesis and analysis methods for safety and reliability studies. Plenum Press. New York, 1980.
Ashby W. R., An Introduction to Cybernetics. Chapman & Hall. London, 1956.
Chemical Industries Association, A guide to hazard and operability studies. Chemical Industries Association Ltd. and Tonbridge Printers Ltd. Tonbridge, 1977.
Chemical Legislation Committee, Asetus vaarallisista teollisuuskemikaaleista (The decree on hazardous industrial chemicals). A proposal. Helsinki, 1986. (In Finnish).
Concawe, Methodologies for hazard analysis and risk assessment in the petroleum refining and storage industry. The oil companies' study group for conservation of clean air and water - Europe, Concawe report 10/82. Den Haag, 1982.
Court van H., Systems Analysis: A Diagnostic Approach. Harcourt Brace Jovanovich. New York, 1967.
Cremer and Warner, An analysis of the Canvey report. Oyez Intelligence Reports. London, 1980.
Dinsmore S. (ed.), PRA uses and techniques. A Nordic perspective. Nordic Liaison Committee for Atomic Energy. Oslo, 1985.
Directorate-General of Labour, Hazard and operability study. Why? When? How? Directorate-General of Labour of the Ministry of Social Affairs, Report no. 3 E. Voorburg, 1979.
EEC, Council directive on the major-accident hazards of certain industrial activities 82/501/EEC. Off. J. of the European Communities, L 230/1-230/18, August 1982.
Farmer F. R., Recent advances in risk assessment. Ann. of Occup. Hyg. 24: 297-301, 1981.
Gigch van, J. P., Applied General Systems Theory. Harper & Row. New York, 1978.
Haasl D. F., Roberts N. H., Vesely W. E. and Goldberg F. F., Fault tree handbook. U.S. Nuclear Regulatory Commission, NUREG-0492. Springfield, 1981.
Herman von, J. L., Parkinson W. J., Land R. E. and Leaver D. E., Documentation design for probabilistic risk assessment. Electric Power Research Institute, EPRI NP-3470. San Jose, California, 1984.
Hickman J. W. et al., PRA procedures guide. A guide to the performance of probabilistic risk assessments for nuclear power plants. U.S. Nuclear Regulatory Commission, NUREG/CR-2300. Springfield, 1981.
The House of Representatives, Risk assessment research and demonstration act of 1983. Bill H. R. 4192. The House of Representatives. Washington, 1983.
Hovden J., Sten T. and Tinmansvik R. K., Ulykker og risikoatferd i arbeidslivet (Accidents and risk behaviour in working life). Yrkeslitteratur. Oslo, 1982. (In Norwegian).
IEC, Analysis techniques for system reliability. Part 2. Procedure for failure mode and effect analysis (FMEA). International Electrotechnical Commission, Technical Committee No 56: Reliability and Maintainability. Draft. April 1982.
Johnson W. G., MORT safety assurance systems. National Safety Council and Marcel Dekker Inc. New York, 1980.
Kafka F. L., The European chemical industry's view of major hazards legislation. The 1984 European Major Hazards Conf., London 22-23 May 1984. Oyez Scientific and Technical Services Ltd. London, 1984.
Kjellen U., Analysis and development of corporate practices for accident control. Royal Institute of Technology, TRITA-AVE. Stockholm, 1983.
Kjellen U., The deviation concept in occupational accident control. Part I. Definition and classification. Accid. Anal. & Prev. 16: 289-306, 1984.
Kletz T. A., Hazard analysis - the manager and the expert. Rel. Eng. 2: 35-43, 1981.
Kletz T. A., HAZOP & HAZAN. Notes on the identification and assessment of hazards. The Institution of Chemical Engineers, Hazard Workshop Modules. Rugby, 1983.
Knowlton R. E., Hazard and operability studies and their initial applications in R & D. R & D Management 7: 1-8, 1976.
Labour Protection 1983 Committee, Vuoden 1983 työsuojelukomitean mietintö (Report of the labour protection 1983 committee). Komiteanmietintö 1984: 65. Helsinki, 1984. (In Finnish).
Lapp S. A. and Powers G. J., Computer aided synthesis of fault trees. IEEE Trans. on Rel. R-26 (1): 2-13, 1977.
Lees F. P., Loss Prevention in the Process Industries. Butterworth & Co Ltd. London, 1980.
Lees F. P., The hazard warning structure of major hazards. Trans. of Inst. Chem. Eng. 60: 211-221, 1982.
Lihou D. A., Computer-aided operability studies for loss control. 3rd Int. Symp. on Loss Prevention and Safety Promotion in Process Industries, Basle 15-19 Sept. 1980. Preprints. Swiss Society of Chemical Engineers. Basle, 1980.
MIL, Procedures for performing a failure mode, effects and criticality analysis. MIL-STD-1629A. Department of Defense. Washington, 1980.
Miller C. O., A new cause of legal action. Hazard Prevention 20: 4-12, 1984.
Nertney R. J., Safety considerations in evaluation of maintenance programs. EG & G Idaho Inc., SSDC-12. Idaho Falls, Idaho, 1978.
Nielsen D. S., The cause/consequence diagram method as a basis for quantitative accident analysis. Risø National Laboratory, Risø-M-1374. Roskilde, 1971.
Norwegian Petroleum Directorate, Guidelines for safety evaluation of platform conceptual design. Norwegian Petroleum Directorate. Oslo, 1981.
Oyez, Implementing the Seveso Directive. Conference Transcript. Oyez Scientific & Technical Services Ltd. 1983.
Poucet A., Computer aided fault tree synthesis. Joint Research Centre, Report EUR 8707 EN. Ispra, 1983.
Province of Groningen, Pollution control and use of norms in Groningen - criteria for risks related to dangerous goods. Groningen, 1979.
Rasmussen J., Human factors in high risk technology. In: Green A. E. (ed.), High Risk Safety Technology. John Wiley & Sons. New York, 1982.
Rasmussen J., Carnino A., Griffon M., Mancini G. and Gagnolet P., Classification system for reporting events involving human malfunctions. Risø National Laboratory, Risø-M-2240. Roskilde, 1981.
Rasmussen J. and Pedersen O. M., Human factors in probabilistic risk analysis and in risk management. In: Operational safety of nuclear power plants. Int. Atomic Energy Agency. Vienna, 1984.
Reunanen M. and Suokas J., Safety analysis of a black liquor recovery boiler plant. Technical Research Centre of Finland, Research Notes 551. Espoo, 1986.
Ryder E. A., Regulatory practices implementing the Seveso directive in Great Britain. Ann. des Mines de Belgique 191: 17-24, 1984.
Salo R., Fieandt J., Himanen R. and Mankamo T., Prosessijärjestelmien riskianalyysi (Risk analysis of process systems). Technical Research Centre of Finland, Research Reports 171. Espoo, 1983. (In Finnish).
Suokas J. and Rouhiainen V., Work safety analysis. Method description and user's guide. Technical Research Centre of Finland, Research Reports 314. Espoo, 1984.
Suokas J., On the reliability and validity of safety analysis. Technical Research Centre of Finland, Publications 25. Espoo, 1985.
Suokas J., The use of operational experience in safety analysis. SRE Symp. 1986, Otaniemi 14-16 Oct. 1986. Technical Research Centre of Finland, Preprints. Otaniemi, 1986.
Tarrants W. E., An evaluation of the critical incident technique as a method for identifying industrial accident causal factors. New York University (A dissertation). New York, 1963.
Taylor J. R., A background to risk analysis. Vol. I-IV. Risø National Laboratory, an unnumbered report. Roskilde, 1979.
Taylor J. R., An algorithm for fault-tree construction. IEEE Trans. on Rel. R-31 (2): 137-146, 1982.
Vinje E. A. (ed.), Sikkerhetsanalyse som beslutningsunderlag (Safety analysis as a basis for decisions). Yrkeslitteratur. Oslo, 1984. (In Norwegian).
Waite P. J., Risk assessment - prediction and reality. An Int. Symp. on the Chem. Ind. after Bhopal, London 7-8 Nov. 1985. IBC Technical Services. London, 1985.
Wells G. L., Safety in Process Plant Design. George Goodwin Limited. London, 1980.