system safety program (ssp-task 100) establishing the foundation of a systematic process
TRANSCRIPT
System Safety ProgramSystem Safety Program(SSP-Task 100) (SSP-Task 100)
Establishing the foundation of a Establishing the foundation of a systematic process systematic process
Managements ResponsibilityManagements Responsibility
Plan, Organize, and Implement an effective System Plan, Organize, and Implement an effective System Safety Program Safety Program Integrate System Safety into all phases of the life cycleIntegrate System Safety into all phases of the life cycle Planned approach to task accomplishmentPlanned approach to task accomplishment
Responsibilities and Functions clearly definedResponsibilities and Functions clearly defined Establish a safety organization and provide qualified safety Establish a safety organization and provide qualified safety
personnelpersonnel Assurances (Accountability) that safety recommendations Assurances (Accountability) that safety recommendations
will be reconciledwill be reconciled Compliance insured by a System Safety Program Plan Compliance insured by a System Safety Program Plan
(SSPP) – A contractual requirement (SSPP) – A contractual requirement
System Safety Program PlanSystem Safety Program Plan(SSPP – Task 101)(SSPP – Task 101)
““Fail to plan and you plan to fail”Fail to plan and you plan to fail”
SSPP ObjectivesSSPP Objectives
Brief description of the proposed systemBrief description of the proposed system May be speculative during initial program plan May be speculative during initial program plan
preparationpreparation Defines systematic approach that will insure:Defines systematic approach that will insure:
Safe design consistent with system requirementsSafe design consistent with system requirements Timely deliveryTimely delivery Cost-effective mannerCost-effective manner
SSPP Objective (cont)SSPP Objective (cont)
Hazards are identified, evaluated, eliminated or Hazards are identified, evaluated, eliminated or controlled to an acceptable level throughout LCcontrolled to an acceptable level throughout LC
Minimum risk is involved in design, testing, Minimum risk is involved in design, testing, productionproduction
Supporting safety data from other systems are Supporting safety data from other systems are consideredconsidered
Retrofit/Change to improve safety minimizedRetrofit/Change to improve safety minimized Operational safety and maintainability Operational safety and maintainability
demonstrateddemonstrated System termination established with clear methods System termination established with clear methods
and procedures and procedures
System Safety Working GroupSystem Safety Working Group(SSWG – Task 104)(SSWG – Task 104)
Multi-disciplinary teamMulti-disciplinary team Normally comprised of:Normally comprised of:
Project ManagersProject Managers Design EngineersDesign Engineers Safety EngineersSafety Engineers End Users (customer)End Users (customer)
Project Management provides overall direction and Project Management provides overall direction and decision-making authoritydecision-making authority
Project Manager is chairman of the SSWG and Project Manager is chairman of the SSWG and provides liaison with higher levels of managementprovides liaison with higher levels of management
Excellent Example of SSPPExcellent Example of SSPP
MIL-STD 882DMIL-STD 882D
Hazard Tracking and Risk Hazard Tracking and Risk Resolution (Task 105)Resolution (Task 105)
Establish and maintain a single closed-loop Establish and maintain a single closed-loop tracking systemtracking system
Define methods to identify, document , and Define methods to identify, document , and track hazards – establish an audit trailtrack hazards – establish an audit trail
Deliver a “Hazard Log” as part of Deliver a “Hazard Log” as part of engineering reportsengineering reports
Hazard IdentificationHazard Identification
Systematic ProcessesSystematic Processes
1. HazardIdentification
2. RiskAssessment
3. Analyze Risk Control
Measures
4. Risk Controls
5. ImplementRisk Controls
6. Follow Through &
Review
1. HazardIdentification
2. RiskAssessment
3. Analyze Risk Control
Measures
4. Risk Controls
5. ImplementRisk Controls
6. Follow Through &
Review
What Constitutes a Hazard?What Constitutes a Hazard?
A real or potential condition that, when A real or potential condition that, when activated, can transform into a series of activated, can transform into a series of
interrelated events that result in damage to interrelated events that result in damage to equipment or property and or injury to equipment or property and or injury to
people. people.
Find the HazardsFind the Hazards
Safety Managers ViewSafety Managers View HazardHazard
An implied threat or danger, a potential An implied threat or danger, a potential condition waiting to become a losscondition waiting to become a loss
StimulusStimulus Required to initiate action from potential to Required to initiate action from potential to
kinetickinetic May be a:May be a:
Component out of toleranceComponent out of tolerance Maintenance failureMaintenance failure Operator failureOperator failure Any combination of other events and conditionsAny combination of other events and conditions
When Do We Look for When Do We Look for Hazards?Hazards?
The 5 Common Phases of a Systems Life The 5 Common Phases of a Systems Life CycleCycle Conceptual - ResearchConceptual - Research Design (Validation & Verification)Design (Validation & Verification) Development (Full-scale engineering & Development (Full-scale engineering &
production)production) Operational DeploymentOperational Deployment Termination & DisposalTermination & Disposal
Primary ObjectivePrimary Objective
The first major undertakings of a systematic The first major undertakings of a systematic safety effort must be to identify, analyze and safety effort must be to identify, analyze and control hazardscontrol hazards
Review operational goals, objectives & constraints Review operational goals, objectives & constraints – “Before the fact” process– “Before the fact” process Resources (people, time & money) must be consideredResources (people, time & money) must be considered
Preliminary Hazard List (PHL) developed by Preliminary Hazard List (PHL) developed by experts from multiple areas of expertise experts from multiple areas of expertise
PHL PurposePHL Purpose
The SSPP will seek this inputThe SSPP will seek this input List of hazards prepared and analyzed List of hazards prepared and analyzed
during the concept/definition phase (PHA)during the concept/definition phase (PHA) Handoff to System Safety Hazard Analysis Handoff to System Safety Hazard Analysis
(SSHA) effort(SSHA) effort Update list as the system matures and Update list as the system matures and
changeschanges
PHA PurposePHA Purpose
Identify and evaluate hazardsIdentify and evaluate hazards EliminateEliminate MitigateMitigate
Identify need to control those which can’t Identify need to control those which can’t be eliminatedbe eliminated Determine & Establish severityDetermine & Establish severity
System Safety personnel should be prepared System Safety personnel should be prepared to compete with other prioritiesto compete with other priorities Cost, Performance, Schedule, etc.Cost, Performance, Schedule, etc.
Hazard SeverityHazard Severity
A key factor in establishing a common A key factor in establishing a common understanding of a safety programs goalunderstanding of a safety programs goal
MIL-STD 882 suggests four categoriesMIL-STD 882 suggests four categories Cat 1: CatastrophicCat 1: Catastrophic Cat 2: CriticalCat 2: Critical Cat 3: MarginalCat 3: Marginal Cat 4: Negligible Cat 4: Negligible
Category DefinitionsCategory Definitions
CatastrophicCatastrophic Death or total system lossDeath or total system loss
CriticalCritical Severe injury, illness or major system damageSevere injury, illness or major system damage
MarginalMarginal Minor Injury or system damageMinor Injury or system damage
NegligibleNegligible Less than minor injury or system damageLess than minor injury or system damage
Analysis of the System TaskingAnalysis of the System Tasking
SSWG efforts would focus on the most SSWG efforts would focus on the most critical components of the mission critical components of the mission
Expert review of:Expert review of: Mission statementMission statement Previous accident/incident reportsPrevious accident/incident reports Operator reportsOperator reports All available historical dataAll available historical data
3 Basic Sources of Historical 3 Basic Sources of Historical Information Information
Expert Opinion (published & peer Expert Opinion (published & peer reviewed) reviewed)
Traditional Techniques (Inspections, Traditional Techniques (Inspections, Mishap Reports, Interviews, Audits)Mishap Reports, Interviews, Audits)
Previously developed Hazard Analysis Previously developed Hazard Analysis Tools (PHL’s and PHA’s)Tools (PHL’s and PHA’s)
Other Available SourcesOther Available Sources
Operational “Front Line” personnelOperational “Front Line” personnel An existing data base of “lessons learned”An existing data base of “lessons learned” An accident/incident (mishap) report fileAn accident/incident (mishap) report file An outside agency reviewAn outside agency review A previous self critical safety reviewA previous self critical safety review OSHA reportsOSHA reports EPA (HAZMAT) reportsEPA (HAZMAT) reports
List the HazardsList the Hazards
PHL reviewed & developedPHL reviewed & developed Preliminary Hazard Analysis (PHA) is the Preliminary Hazard Analysis (PHA) is the
initial look at the entire system initial look at the entire system PHA may be used in lieu of a PHLPHA may be used in lieu of a PHL As systems and sub-systems are developed As systems and sub-systems are developed
a more detailed Systems Hazard Analysis a more detailed Systems Hazard Analysis (SHA or SSHA) will provide more detailed (SHA or SSHA) will provide more detailed risk assessment informationrisk assessment information
Hazard Analysis MethodsHazard Analysis Methods
Failure Modes & Effects Analysis (FMEA)Failure Modes & Effects Analysis (FMEA) Systematic look at hardware piece by pieceSystematic look at hardware piece by piece Review of how each component could failReview of how each component could fail Considers how a failure effects other Considers how a failure effects other
components, sub-systems and systems as a components, sub-systems and systems as a whole whole
Risk assessment accomplished (severity & Risk assessment accomplished (severity & probability)probability)
Risk Assessment Code (RAC) assigned Risk Assessment Code (RAC) assigned
Hazard Analysis Methods Hazard Analysis Methods
Fault Tree Analysis (FTA)Fault Tree Analysis (FTA) Detailed review of a specific undesirable eventDetailed review of a specific undesirable event Deductive in natureDeductive in nature Top-down effortTop-down effort Normally reserved for critical failures or Normally reserved for critical failures or
mishapsmishaps
May be qualitative or quantitativeMay be qualitative or quantitative
Risk Assessment Code’sRisk Assessment Code’s The effort in System Safety is to provide The effort in System Safety is to provide
accurate, meaningful analysis of hazardsaccurate, meaningful analysis of hazards Objective review of useful data should promote Objective review of useful data should promote
enlightened choices by decision makers enlightened choices by decision makers Data – Information – KnowledgeData – Information – Knowledge
The RAC is used to prioritize hazards and The RAC is used to prioritize hazards and determine acceptabilitydetermine acceptability
The quality of the RAC determines the The quality of the RAC determines the credibility of the system safety effortcredibility of the system safety effort
MIL-STD 882 Risk MIL-STD 882 Risk Acceptance CriteriaAcceptance Criteria
RAC –1 UnacceptableRAC –1 Unacceptable RAC - 2 UndesirableRAC - 2 Undesirable RAC – 3 Acceptable with controlsRAC – 3 Acceptable with controls RAC – 4 AcceptableRAC – 4 Acceptable
Hazard Analysis MethodsHazard Analysis Methods
Operating Hazard Analysis (OHA)Operating Hazard Analysis (OHA) Also known as Operating & Support Hazard Analysis Also known as Operating & Support Hazard Analysis
(O&SHA)(O&SHA) ““What if” tool brings user into the loop What if” tool brings user into the loop
Integrates people and procedures into the systemIntegrates people and procedures into the system Diagrams the flow or sequence of eventsDiagrams the flow or sequence of events
Project Evaluation Tree (PET) may be used for Project Evaluation Tree (PET) may be used for OHA accomplishmentOHA accomplishment Systematic evaluation of man, machine, & proceduresSystematic evaluation of man, machine, & procedures
Hazard Analysis LogicHazard Analysis Logic
Inductive ReasoningInductive Reasoning Bottom Up Review --Asks “What if?”Bottom Up Review --Asks “What if?” PHA, SSHA, FMEAPHA, SSHA, FMEA
Deductive ReasoningDeductive Reasoning Top Down Review Asks “How can?”Top Down Review Asks “How can?” SHA, FTASHA, FTA
Intuitive-ExperientialIntuitive-Experiential Based on historical experience Based on historical experience Lessons Learned and/or Change Analysis Lessons Learned and/or Change Analysis
Composite Composite Combination of all (systems approach)Combination of all (systems approach)
The Tool BoxThe Tool Box
Preliminary Hazard Analysis (PHA)Preliminary Hazard Analysis (PHA) Concept PhaseConcept Phase
Sub-System Hazard Analysis (SHA)Sub-System Hazard Analysis (SHA) Design and Development Phase Design and Development Phase
System Hazard Analysis (SSHA)System Hazard Analysis (SSHA) Design, Development and early Operations PhaseDesign, Development and early Operations Phase
Operating & Support Hazard Analysis Operating & Support Hazard Analysis (O&SHA)(O&SHA) Operations and DisposalOperations and Disposal
More Hazard Identification More Hazard Identification ToolsTools
The 5 M model helps the SSWG to The 5 M model helps the SSWG to systematically review the interrelationships systematically review the interrelationships of the various composites in a system and of the various composites in a system and their interacting mishap causal factorstheir interacting mishap causal factors
Brainstorming or “what if” session with Brainstorming or “what if” session with operational personnel provides valuable operational personnel provides valuable insight and lessons learned that may or may insight and lessons learned that may or may not be part of the historical datanot be part of the historical data
MachineMachine MediumMedium
ManMan
MissionMission
ManagementManagement
5 M model5 M model
Man Man
Man as a Root CauseMan as a Root Cause
Generally accepted to be causal in 70-80% Generally accepted to be causal in 70-80% of mishapsof mishaps Incident review should question: “Is he Incident review should question: “Is he
involved or did he induce?”involved or did he induce?”
Areas to considerAreas to consider Selection: Is he capable?Selection: Is he capable? Training: Does he understand?Training: Does he understand? Motivation: Does he care?Motivation: Does he care?
HFAC’s HFAC’s
Efforts to integrate human factors into Efforts to integrate human factors into safety designs focus on 4 specific areas:safety designs focus on 4 specific areas: Behavioral StereotypesBehavioral Stereotypes Human EngineeringHuman Engineering Man-Machine Interface (& Tradeoffs)Man-Machine Interface (& Tradeoffs) Misuse AnalysisMisuse Analysis
Behavioral StereotypesBehavioral Stereotypes
Habit patterns compel us to act in a Habit patterns compel us to act in a predictable mannerpredictable manner
Learned behavior varies by groupsLearned behavior varies by groups Law of PrimacyLaw of Primacy Designs that do not consider the users Designs that do not consider the users
behavior patterns may be behavior patterns may be ERROR-ERROR-INDUCINGINDUCING
Error-Inducing ExemplarError-Inducing Exemplar(Have you driven a Ford lately?)(Have you driven a Ford lately?)
First vehicle you drove most likely had the First vehicle you drove most likely had the horn activated by pushing in the middle of horn activated by pushing in the middle of the steering wheelthe steering wheel
Ford Motor Company design co-located Ford Motor Company design co-located horn switch on the turn signal leverhorn switch on the turn signal lever
In a time compressed situation most In a time compressed situation most operators push the center of the wheel operators push the center of the wheel looking for a horn if neededlooking for a horn if needed
QUESTION ???QUESTION ???
Would an accident that occurred as a result of Would an accident that occurred as a result of a GM owner/driver failing to alert someone a GM owner/driver failing to alert someone
to an upcoming conflict because they to an upcoming conflict because they fumbled unsuccessfully to activate a horn on fumbled unsuccessfully to activate a horn on
a Ford they were using be an operator a Ford they were using be an operator involvedinvolved or or inducedinduced error? error?
Human EngineeringHuman Engineering
Ergonomics are the most developed human Ergonomics are the most developed human performance disciplineperformance discipline
Range and motion of equipment designed Range and motion of equipment designed for “average man”for “average man” A compromise for majority of operators A compromise for majority of operators
MIL-STD-1472DMIL-STD-1472D Basic human design criteria standardsBasic human design criteria standards
Man-Machine InterfaceMan-Machine Interface
Not to be confused with physical interfaceNot to be confused with physical interface Functional control – “whose got it?”Functional control – “whose got it?”
Human (manual) control with automated Human (manual) control with automated response should certain conditions be presentresponse should certain conditions be present
Automated controls with human monitors Automated controls with human monitors
Optimizing the system to do what each does Optimizing the system to do what each does best is the challenge in designbest is the challenge in design
Who Does What Best ???Who Does What Best ???
Misuse Analysis:Misuse Analysis:AKA Corollaries to Murphy’s LawAKA Corollaries to Murphy’s Law
““What can be used will be misused”What can be used will be misused” Future Darwin Award winners epitaphFuture Darwin Award winners epitaph
““New systems generate new problems” New systems generate new problems” SSWG should systematically review “what-why” SSWG should systematically review “what-why”
relationships to ID potential hazardsrelationships to ID potential hazards
Proper analysis of information and Proper analysis of information and implementation of controls demonstrate implementation of controls demonstrate Due DiligenceDue Diligence on behalf of managementon behalf of management
Are Humans a Hazard?Are Humans a Hazard? Human life support requirements are fairly Human life support requirements are fairly
intolerant of variation: intolerant of variation: Environmental factors must be maintained within a Environmental factors must be maintained within a
fairly narrow set of parametersfairly narrow set of parameters Lack of a temperate climate, light, soundproofing and Lack of a temperate climate, light, soundproofing and
other “creature comforts”can induce psychological and other “creature comforts”can induce psychological and physiological stress thus causing errorsphysiological stress thus causing errors
Human capabilities are relatively static compared Human capabilities are relatively static compared to machinesto machines
Machine capabilities continue to expand at high Machine capabilities continue to expand at high ratesrates
Compensating for Human ErrorCompensating for Human Error
Error-TolerantError-Tolerant designs are necessary to designs are necessary to mitigate known human deficienciesmitigate known human deficiencies Frequency of errors generally known by Frequency of errors generally known by
situationsituation Consider how your design comparesConsider how your design compares
Rates expressed in events per number of Rates expressed in events per number of exposures or task accomplishmentsexposures or task accomplishments
Upper limit of unaided human performance is Upper limit of unaided human performance is one error for every 100,000 attemptsone error for every 100,000 attempts
MachinesMachines
Machine as a Root CauseMachine as a Root Cause
System safety process analyzes each System safety process analyzes each component and operational procedure for it’s component and operational procedure for it’s hazard contributionhazard contribution Poor designPoor design Inadequate operating proceduresInadequate operating procedures Ill defined limitationsIll defined limitations Improper MaintenanceImproper Maintenance
Known component hazards as well as Design-Known component hazards as well as Design-Induced maintenance and personnel errors are Induced maintenance and personnel errors are part of the hazard identification processpart of the hazard identification process
Hierarchy of Hardware Terms Hierarchy of Hardware Terms SystemSystem
Sub-SystemSub-System AssembliesAssemblies Sub-assembliesSub-assemblies ComponentComponent
Interconnected to perform a specific Interconnected to perform a specific functionfunction
Interaction creates a series of logical and Interaction creates a series of logical and sequential outputssequential outputs
MediumMedium
Medium as a Root causeMedium as a Root cause System safety processes should analyze each System safety processes should analyze each
component and their intended or potential component and their intended or potential interrelation with their operating environment for interrelation with their operating environment for hazardshazards
Natural “acts of God” -- A phenomena?Natural “acts of God” -- A phenomena? Temperature variationsTemperature variations Earth QuakeEarth Quake VolcanoVolcano HurricaneHurricane
Known environmental hazards as well as Design-Known environmental hazards as well as Design-Induced limitations should be part of the Hazard Induced limitations should be part of the Hazard ID processID process
Even with properly identified hazards someone Even with properly identified hazards someone may chose to operation outside design may chose to operation outside design limitations – That is a limitations – That is a gamblegamble at best at best
Managing Threats Managing Threats
Management as a Root CauseManagement as a Root Cause
Lack of genuine commitment to safetyLack of genuine commitment to safety Example: Failure to adequately resource a SSPExample: Failure to adequately resource a SSP
Failure to act on safety recommendationsFailure to act on safety recommendations Severity & Probability quibbling or gambling – Severity & Probability quibbling or gambling –
“Playing the Numbers game” “Playing the Numbers game” Inadequate SOP’sInadequate SOP’s
Poorly developed PHA through O&SHAPoorly developed PHA through O&SHA Poor standards and controlsPoor standards and controls
Inadequate design “wished” into operationInadequate design “wished” into operation
Murphy’s Law for Murphy’s Law for Management Management
Technology is dominated by Technology is dominated by those who manage what they those who manage what they
don’t understanddon’t understand
The lowest temperature the system had previously experienced The lowest temperature the system had previously experienced was 53 degrees F and both the primary and secondary was 53 degrees F and both the primary and secondary
component had failed to function as designed. The predicted component had failed to function as designed. The predicted temperature for operation was approximately 26 degrees F. “…temperature for operation was approximately 26 degrees F. “…
data below 53 degree’s F was not available and [my] data below 53 degree’s F was not available and [my]
department could not prove it was unsafe to launch.”department could not prove it was unsafe to launch.”
Morton-Thiokol VP of Morton-Thiokol VP of Engineering, STS-51L Accident Engineering, STS-51L Accident
InvestigationInvestigation
1986 1986
MissionMission
Mission as a Root CauseMission as a Root Cause Some missions are higher in riskSome missions are higher in risk
Combat RescueCombat Rescue Poorly developed or ill-conceived Poorly developed or ill-conceived
Operation Eagle ClawOperation Eagle Claw IncompatibilitiesIncompatibilities
Unfamiliar organizations combined to operate Unfamiliar organizations combined to operate in new and complex role with erroneous in new and complex role with erroneous assumptionsassumptions
Poorly defined Poorly defined Desert One (Now what?)Desert One (Now what?)
Predictable & Preventable Predictable & Preventable Mission ResultsMission Results
Senate TestimonySenate Testimony
The Commander of the operation blamed the helicopter The Commander of the operation blamed the helicopter pilots immediately after the mission. However, in his pilots immediately after the mission. However, in his
critique to the Senate Armed Services Committee, he later critique to the Senate Armed Services Committee, he later attributed the failure to Murphy's Law and the use of an ad attributed the failure to Murphy's Law and the use of an ad
hoc organization for such a difficult mission. hoc organization for such a difficult mission.
“We went out and found bits and pieces, people and We went out and found bits and pieces, people and equipment, brought them together occasionally, and equipment, brought them together occasionally, and
then asked them to perform a highly complex then asked them to perform a highly complex mission," he said. "The parts all performed, but mission," he said. "The parts all performed, but
they didn't necessarily perform as a teamthey didn't necessarily perform as a team."
Hazard ID -- First, Last and Always! Hazard ID -- First, Last and Always! (Because what you don’t know can hurt you)(Because what you don’t know can hurt you)
1. HazardIdentification
2. RiskAssessment
3. Analyze Risk Control
Measures
4. Risk Controls
5. ImplementRisk Controls
6. Follow Through &
Review
Pitts’ Premise (PP) #1 Pitts’ Premise (PP) #1 “No matter how good it might look -- Sometimes it “No matter how good it might look -- Sometimes it just doesn’t pay to be on the ground floor of a new just doesn’t pay to be on the ground floor of a new
design”design”
Murphy’s New & Murphy’s New & Improved Two Story Improved Two Story
OuthouseOuthouse