SYSTEM SAFETY
ENGINEERING AND MANAGEMENT
Felix Redmill
Redmill Consultancy, London
Felix.Redmill@ncl.ac.uk
RISK
• Intolerability threshold:
– 1/10000 per year (for the public)
– 1/1000 per year (for employees)
[Diagram: a controller receiving an emergency signal; labels P, A, P Controller]
• What is safety?
• How can it be measured?
• What can give confidence that safety is high?
• Two components:
– Probability (likelihood) of occurrence
– Consequence (magnitude of outcome)
• R = f(P.C) or f(L.C)
• Avoid
• Eliminate
• Reduce
• Minimise - within defined constraints
• Transfer or share
– Financial risks may be insured
– Technical risks may be transferred to experts, maintainers
• Hedge
– Make a second investment, which is likely to succeed if the first fails
• Accept
– Must do this in the end, when risks are deemed tolerable
– Need contingency plans to reduce consequences
(c) Felix Redmill, 2011 CERN, May '11 38
RISK IS OPEN TO PERCEPTION
• Voluntary or involuntary
• Control in hands of self or another
• Statistical or personal
• Level of knowledge, uncertainty
• Level of dread or fear evoked
• Short-term or long-term view
• Severity of outcome
• Value of the prize
• Level of excitement
• Status quo bias
[Diagram: states Safe state → Failure or unsafe deviation (in any mode) → Danger → Accident → Disaster, with Restoration and Recovery transitions]
[Diagram: numbered safety lifecycle phases: 1 Concept; 2 Overall scope definition; 4 Overall safety requirements; 5 Safety requirements allocation; 12 Overall installation and commissioning; 13 Overall safety validation]
• Worst possible
• Worst credible
• Most likely
• “Average”
[Diagram: Threat to security, Safety hazard, Threat of damage, Potential for unreliability, Potential for unavailability; Causal analysis, Risk, Consequence analysis]
• Definition of scope
– Define the objectives and scope of the study
• Hazard identification
– Define hazards and hazardous events
• Hazard analysis
– Determine the sequences leading to hazardous events
– Determine likelihood and consequences of hazardous events
• Risk assessment
– Assess tolerability of risks associated with hazardous events
• Scope definition
– Influences the nature and direction of the analysis
– Is a predisposing factor on its results
Hazard identification,
Risk identification
Risk mitigation,
Risk reduction,
Risk management
AN APPROPRIATE CONVENTION?
Scope definition
Risk assessment
Emergency planning
• Checklists
• Brainstorming
• Expert judgement
• What-if analysis
• Audits and reports
• Site inspections
• Formal and informal staff interviews
• Interviews with others, such as customers, visitors
• Specialised techniques
[Diagram: HAZOP example plant: pumps P1 and P2, valves V1, V2 and V3, Fluid A and Fluid B feeding Vat R]
[Flowchart: Presentation of design representation → Examine design representation methodically → Possible deviation from design intent? Yes: Examine consequences and causes; No: continue → Document results → Define follow-up work → Time up, or completed study? No: continue the study; Yes: Agree documentation]
[Event tree 1: branches on Valve operates O.K.? → Valve monitor O.K.? → Alarm relay O.K.? → Claxon O.K.? → Operator responds?; Yes branches lead to a safe outcome, No branches to unsafe outcomes]
[Event tree 2: same sequence (valve operates, valve monitor functions, alarm relay operates, claxon sounds, operator responds); the labelled branches read: No (P=0.8) → Fire controlled; No (P=0.9) → Fire contained]
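The protection-layer sequence in the event trees above (valve, valve monitor, alarm relay, claxon, operator), worked as an added example that is not part of the original slides: it enumerates every path through a serial event tree and sums the probability of safe and unsafe outcomes. The per-barrier success probabilities are constructed assumptions, not values from the slides.

```python
# Constructed example: success probability of each layer (assumed values,
# not taken from the slides). Order matters: the valve is the first line of
# defence; if it fails, each later layer must succeed in turn.
BARRIERS = [
    ("valve operates", 0.99),
    ("valve monitor functions", 0.95),
    ("alarm relay operates", 0.98),
    ("claxon sounds", 0.97),
    ("operator responds", 0.90),
]


def enumerate_paths(barriers):
    """Walk the event tree and return (trace, probability, outcome) per path.

    Success of the first barrier ends the sequence safely. If it fails, the
    remaining layers are demanded one after another: the first layer to fail
    ends the path unsafely; all of them succeeding gives a safe outcome.
    """
    paths = []
    valve_name, p_valve = barriers[0]
    paths.append(({valve_name: True}, p_valve, "safe"))

    prob = 1.0 - p_valve            # probability mass reaching layer 2
    trace = {valve_name: False}
    for name, p in barriers[1:]:
        # This layer fails: the sequence ends in an unsafe outcome.
        paths.append((dict(trace, **{name: False}), prob * (1.0 - p), "unsafe"))
        # This layer succeeds: carry the remaining mass to the next layer.
        trace[name] = True
        prob *= p
    paths.append((dict(trace), prob, "safe"))
    return paths


def outcome_probabilities(barriers):
    """Sum path probabilities by outcome; the two totals add up to 1."""
    totals = {"safe": 0.0, "unsafe": 0.0}
    for _, p, outcome in enumerate_paths(barriers):
        totals[outcome] += p
    return totals


if __name__ == "__main__":
    for trace, p, outcome in enumerate_paths(BARRIERS):
        failed = [k for k, ok in trace.items() if not ok]
        print(f"{outcome:6s} P={p:.6f} failed layers: {failed or 'none'}")
    print(outcome_probabilities(BARRIERS))
```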
[Fault tree: top event with required frequency 10^-7 per hour, fed by an AND gate]
Risk matrix (Likelihood or Frequency against Consequence)

Likelihood/   Consequence
Frequency     Negligible  Moderate  High  Catastrophic
High
Medium
Low

Hazards placed in the risk matrix (row = likelihood; column positions are only partly recoverable from the extracted slide):
High:    H2
Medium:  H1, H5 | H6 | H4
Low:     H3

Risk class matrix

Likelihood/   Consequence
Frequency     Negligible  Moderate  High  Catastrophic
High          C           B         A     A
Medium        D           C         B     A
Low           D           D         C     B
• Refer the cell of each analysed hazard in the risk matrix to the equivalent cell in the risk class matrix to determine the class of the analysed risks
– So, Hazard 1 poses a D Class risk, Hazard 2 a B, etc.
• Risk class
– Defines the (relative) importance of risk reduction
– Provides a means of prioritising the handling of risks
– Can be equated to a defined type of action
• Risk class gives no indication of time criticality
– This must be derived from an understanding of the risk
• What is done to manage risks depends on circumstances
• We need to
– Extend risk analysis to include HRA
– Pay more attention to ergonomic considerations in design
– Consider human cognition in interface design
– Produce guidelines on human factors in safety
• Safety is multi-dimensional, so take an interdisciplinary approach
– Include ergonomists and psychologists in development and operational teams
• Low-demand mode:
'Frequency of demands ... no greater than one per year'
• Safety integrity:
Probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time
[Diagram: control system and protection system; event frequency 10^-7 fed by an AND gate]
[Diagram (risk reduction): risk 1 and risk 2, each shown against its tolerable level of risk and its residual risk, on an axis of increasing risk; the gap between risk 1 and its tolerable level is the necessary reduction of risk 1]
• Hazard identification
• Hazard analysis
• Risk assessment
– Resulting in requirements for risk reduction
• Safety requirements specification
– Functional requirements
– Safety integrity requirements
• Allocation of safety requirements to safety functions
– Safety functions to be performed
– Safety integrity requirements
• Allocation of safety functions to safety-related systems
– Safety functions to be performed
– Safety integrity requirements
[Table fragment (headers not recovered): Debilitating | Remote | 2; Distracting | Unlikely | 1]