MORT Bill Johnson For AEC 1973 SAN8212

SAN 821-2
THE MANAGEMENT
OVERSIGHT AND
RISK TREE -MORT
INCLUDING SYSTEMS DEVELOPED BY THE
IDAHO OPERATIONS OFFICE A N D
AEROJET NUCLEAR COMPANY
by
W. G. JOHNSON
Grandjean
Lowman, Idaho 83637
(4566 River Street
Willoughby, Ohio 44094)
Prepared for the
U.S. A T O M I C ENERGY C O M M I S S I O N
Division of Operational Safety
Under Contract No. AT(o4-31-821
Submitted to AEC
February 12, 1973
T h i s r e p o r t was prepared a s an account of work
sponsored by t h e United S t a t e s Government, Neither
t h e United S t a t e s nor t h e United S t a t e s Atomic
Energy Commission, n o r any of t h e i r employees, nor
any of t h e i r c o n t r a c t o r s , s u b c o n t r a c t o r s , o r t h e i r
employees, makes any warranty, expressed o r implied,
o r assumes any l e g a l l i a b i l i t y o r r e s p o n s i b i l i t y
f o r t h e accuracy, completeness o r u s e f u l n e s s of any
information, a p p a r a t u s , product o r p r o c e s s d i s -
c l o s e d , o r r e p r e s e n t s t h a t its use would n o t
i n f r i n g e p r i v a t e l y owned r i g h t s .
For sale by the Superintendent of Documents, U.S. Government Printing Offiw, Washington, D.C.. 2M02
Abstract
A Iknagement Oversight and 2 i s k Tree (MORT) has provided a technique

f o r thorough, searching i n v e s t i g a t i o n of occupational a c c i d e n t s ard a n a l y s i s
of s a f e t y programs. MORT has been used t o improve s a f e t y i n s p e c i f i c a c t i v -
i t i e s and i n organizations. The announced goal is an order of magnitude
reduction i n a l r e a d y low accident rates o r p r o b a b i l i t i e s .
HORT is a formal, d i s c i p l i n e d l o g i c o r d e c i s i o n tree t o systemat-
i c a l l y relate and i n t e g r a t e a wide v a r i e t y of s a f e t y concepts:
Sequential r o l e s of energy, b a r r i e r s t o energy t r a n s f e r ,
e r r o r , change and r i s k . From these:
A new, f u n c t i o n a l d e f i n i t i o n of an accident.
Present b e s t s a f e t y p r a c t i c e s , system s a f e t y technology, and
behavioral, organizational and a n a l y t i c sciences. From these:
Methods of enhancing s a f e t y form a dynamic s a f e t y system
c o ~ o u with
s g e n e r a l systems f o r management of high
performance .
Safety program f e a t u r e s , some old and some new -- management
implementation, hazard and human f a c t o r s a n a l y s i s processes,
work processes, monitoring, information and organization
systems and services. From these:
A s t r u c t u r e and s p e c i f i c a n a l y t i c questions t o more
f u l l y u t i l i z e accident f a c t s t o improve t h e system.
Trials of XORT have shown an a b i l i t y t o assist persons from a d i s c i -
pline -- safety, management, engineering, s c i e n c e s o r o t h e r staff s p e c i a l -
t i e s and experienced craftsmen --t o quickly apply and broaden t h e i r
s k i l l s i n accident a n a l y s i s and s a f e t y review, and have provided a common
base f o r communication, cooperation, and planning f o r greater accident
control.
A t t h e same time, t h e d i s c i p l i n e d MO2T format h a s shoun f l e x i b i l i t y
i n rapid evaluation and a s s i m i l a t i o n of new experience, judgment, f i n d i n g s
o r technology.
Specific s a f e t y innovation and acceptance methods and p r o j e c t s have
been outlined f o r t r a n s i t i o n t o a comprehensive, s u p e r l a t i v e s a f e t y sys-
tem -- f o r t h e long term a "safer way of l i f e . "
D e t a i l s of program a p p l i c a t i o n a r e provided i n t e x t , figures, examples,
appendices and e x h i b i t s .
Contents
Abstract
Preface
Abbreviations
I. Introduction
The Study Plan
MORT
What Produces Hazards?

1. ~ c c i d etn/ ~ n c i d e n t
2. Energy and B a r r i e r s
3. Freqency-Severity Matrices as a Management Tool
4. Error as Accident Cause
5. The Role of Change i n Accidents
6. Sequences i n Accident Causation
7. The Role of Risk Management
111. How To Reduce Hazards
8. I n t e g r a t i n g System Safety with Present Best P r a c t i c e s
9. Method v s Content
10. Safety, Efficiency and Performance a r e Congruous
11. A s a f e t y System as a General Management System
12. General Safety Program Theses
I V . MORT
.
13 Development of "Accident Tree Analysis "
14. The MORT Diagrams - Introduction

15. Definition of Symbols
16, MORT C h a r t s
17. Fourth Generation of MORT
18. MORT Values, S t y l e s and Obstacles
V , Management Implementation of t h e Safety System

19. Management Policy and Direction
20. Management Implementation
21. Risk Assessment System
V I . Hazard Analysis Processes

22. System Safety and Hazard Analysis
23. Hazard Analysis Process Defined
24, Concepts and Requirement s--The Conceptual Phase
25. Design and Developlent Phase.
Contents, continued.
26. Human F a c t o r s Review
27. Design Organization, R e l i a b i l i t y and Q u a l i t y
28. Independent Review
V I I . Work Flow Processes

29. General Schematic of Work Flow Processes
30. supervision
31. Maintenance and Inspection
32. Procedures
33. Ehployee Selection and Tkairiing
34. Performance E r r o r s
35. Employee Motivation, P a r t i c i p a t i o n and Acceptance
VIII. Information Systems
36. Technical Information
37. Monitoring Systems
38. Accident I n v e s t i g a t i o n
39. The Organization's Information System
40. National Information Systems
41. Measurement Techniques
42. Management Assessment Methods
IX . Safety Promam Review

X. Transition
Appendices
Exhibits from Aerojet T r i a l s
Bibliographies :
General
Change Phenomena
Human Factors Engineering
Index
Preface
T h i s document was prepared under c o n t r a c t ~ ~ ( 0 4 - 3 ) - 8 2 w
1 i t h t h e United
S t a t e s Atomic Energy Commission as Phase V I I I of a s t u d y , "Development of
Systems C r i t e r i a f o r Accident Reporting and A n a l y s i s and f o r t h e Measurement
o f S a f e t y Performance."
The c o n t r a c t r e s u l t e d from an o r i g i n a l p r o p o s a l by t h e a u t h o r based on e a r l i e r

developmental work while on t h e s t a f f of t h e National S a f e t y Council (NSC),
c o n s u l t a t i o n work f o r government and p r i v a t e o r g a n i z a t i o n s , and seminars con-
ducted i n Europe. I n t h i s l a t t e r connection two t e x t s were p r e p a r e d , "New
Approaches t o I n d u s t r i a l S a f e t y " and "Product Safety" ( l 9 7 0 ) , and t h e s e
d e s c r i b e d much of t h e conceptual b a s i s f o r t h e study.
The g e n e r a l p r o p o s a l w a s as f o l l o w s :
"The U. S. Atomic Energy Commission h a s exemplary programs f o r t h e con-

t r o l of a c c i d e n t s and f i r e s , s i g n a l i z e d by numerous awards. Its work
i n such a r e a s as r e a c t o r s , r a d i a t i o n , weapons, and r e s e a r c h h a s developed
new methods of c o n t r o l l i n g unusual and e x o t i c problems, i n c l u d i n g s a f e
methods of u t i l i z i n g new m a t e r i a l s , energy s o u r c e s , and p r o c e s s e s .
"Despite p a s t accornplishements, human v a l u e s and o t h e r v a l u e s s t i m u l a t e

a c o n t i n u a l d e s i r e t o improve s a f e t y performance. Emerging concepts of
systems a n a l y s i s , a c c i d e n t c a u s a t i o n , human f a c t o r s , e r r o r r e d u c t i o n ,
and measurement of s a f e t y performance s t r o n g l y suggest t h e p r a c t i c a l i t y
of d e v e l o p i n g a h i g h e r o r d e r of c o n t r o l over ha7ards.
"This i s a p r o p o s a l t o f o r m u l a t e an i d e a l , comprehensive systems concept

of a c c i d e n t s and t h e i r c o n t r o l , and t o t e s t t h e u s e f u l n e s s of t h e con-
c e p t i n two ways:
1. D e s i m of improved a c c i d e n t r e p o r t and a n a l y s i s techniques.

2. Development of improved measurements of s a f e t y performance.
"The f o r m u l a t i o n of an i d e a l system a p p e a r s t o be a v a l u a b l e precondi-

t i o n f o r knowing what i n f o r m a t i o n t o seek a f t e r a n a c c i d e n t and what
a s p e c t s of performance t o seek t o measure.
"The judgments of 'improvement' i n r e p o r t s and measurements w i l l be

l a r g e l y s u b j e c t i v e , b u t w i l l be formulated by r e p r e s e n t a t i v e s of t h r e e
k i n d s of p u p s w i t h i n t h e Commission and i t s c o n t r a c t o r s :
1. P r o f e s s i o n a l s a f e t y staff,
2. F i r s t l i n e s u p e r v i s o r s ,
3. Management (government and c o n t r a c t o r ) .
"The c r i t e r i a suggested t o t h e s e groups w i l l i n c l u d e :
1. Improved u n d e r s t a n d i n g of accident-producing s i t u a t i o n s and

sequences.
2. Improved u n d e r s t a n d i n of c o n t r o l systems (and gaps).
3. P r a c t i c a l u s e f u l n e s s T i . e m, a c t i o n p o t e n t i a l ) of c e r t a i n ques-
t i o n s and measurements:
a. on a day-to-day o r o t h e r r o u t i n e b a s i s , o r
b. f o r o c c a s i o n a l review
"And f o r f i r s t l i n e supervisors, two a d d i t i o n a l c r i t e r i a :
4. Improved s e n s i t i v i t y t o changes and error-producing s i t u a t i o n s .
5. Improved c o n t r o l over non-safety aspects of work.
"Some objective measurement of accident reduction may be f e a s i b l e i n t h e
p i l o t phase.
"Although t h e formulation of an i d e a l systems concept seems a reasonable
g o a l today, there i s a s u b s t a n t i a l number of aspects warranting separate
i n v e s t i g a t i o n and experiment, which preclude a f u l l - s c a l e t e s t of a
comprehensive system. Thus, two short-range, a t t a i n a b l e goals --
reports
and measurements with a systems f l a v o r --
h x e been proposed above.
Nevertheless, it can be expected t h a t information and i n s i g h t would be
gained i n t h e following major areas:
1. Methods of balancing t h e amount of s a f e t y a n a l y s i s and r i s k manage-
ment a g a i n s t t h e s i z e of t h e r i s k . S p e c i f i c a l l y , i s a requirement
f o r formal systems s a f e t y a n a l y s i s economically j u s t i f i a b l e f o r
major r i s k s ?
2 . Methods of t r a i n i n g , e s p e c i a l l y f o r supervisors.
Specifically,
can t h e l o g i c and methodology of systems a n a l y s i s be applied prac-
t i c a l l y and economically t o r o u t i n e problems?
3. Role of change i n causing e r r o r , and t h e c l a s s i f i c a t i o n of changes.
4. Role of e r r o r s i n accidents, t h e c l a s s i f i c a t i o n of e r r o r s , and
the congruence of e r r o r s , accidents and other degradations i n
processes . I'
Phase I of the study produced a d r a f t t e x t combining t h e best occupational

s a f e t y p r a c t i c e s , system s a f e t y concepts of t h e aerospace and nuclear indus-
t r i e s , and other concepts advanced by behavioral and organizational s c i e n t i s t s .
Phase I1 produced a revised t e x t based on an extensive l i t e r a t u r e search and
c r i t i q u e by t h e NSC s t a f f , and review by t h e Division of Operational Safety
(DOS) of t h e United S t a t e s Atomic Energy Commission (AEc).
I n Phases 111 and I V of t h e study, emerging concepts were compared with

safetyprograms of c o n t r a c t o r s a t t h r e e AEC-supported research sites--Lawrence
Radiation Laboratory, now Lawrence Berkeley Laboratory, of t h e University of
California a t Berkeley (Lawrence); Sandia Laboratories, Albuquerque (sandia) ;
and Idaho Nuclear Corporation a t t h e National Reactor Testing S t a t i o n near
Idaho F a l l s (INC), Some concepts were t e s t e d p r e l i m i n a r i l y , a few concepts
were adopted by c o n t r a c t o r s , and considerable u s e f u l d a t a were compiled on
e f f e c t i v e operating s a f e t y programs as they might be compared with o r con-
t r i b u t e t o even higher i d e a l s of protection.
The most important r e s u l t of Phases 111 and I V was t h e evolution of a new

form of accident a n a l y s i s and program evaluation, The Management Oversight
and Risk Tree (MORT), This l o g i c t r e e began as an e f f o r t t o apply t h e Fault
Tree (a sys tem s a f e t y technique ) t o accident inves;tigation, but developed i n t o
a method of evaluating program f e a t u r e s , as well as t h e s p e c i f i c f a i l u r e s
which l e d t o accidents. MORT became t h e p r i n c i p a l b a s i s f o r organization and
preparation of a manual (Phase V) f o r t r i a l a p p l i c a t i o n of t h e system a t Aero-
' e t Nuclear Company ( ~ e r joe t ) on t h e National Reactor Test S t a t i o n , Idaho
?phase V I ) , and t h i s l a t t e r phase is continuing.
Phase V I I w i l l c o n s i s t of a s e r i e s of f o u r seminars o r workshops (one has been

held 1.
Phase V I I I of t h e s t u d y c o n s i s t s of p r e p a r a t i o n of t h i s t e x t which i n c o r p o r a t e s
r e s u l t s of an eighteen-month t e s t , p r i m a r i l y i n t h e Reactor Operations Division
of Aerojet (successor o r a n i z a t i o n t o INC), Also incorporated a r e r e s u l t s of
7
o t h e r c o n s u l t a t i o n work f o r example, f o r t h e National T r a n s p o r t a t i o n S a f e t y
Board (NTSB) and National Aeronautics and Space Administration (NASA),and f u r -
t h e r seminars a t f i v e European c i t i e s .
Purposes of This Manual.
The manual i s intended t o summarize t h e r e s u l t s of t h e s t u d y t o d a t e and form

t h e b a s i s f o r f u r t h e r a p p l i c a t i o n s of t h e concepts, e i t h e r i n whole o r a s
s e p a r a b l e concepts.
Accordingly, o n l y s o much of t h e d e t a i l e d f i n d i n g s and experience i n f i a s e s I

t o V I a s would c o n t r i b u t e t o understanding and a p p l i c a t i o n of t h e t e c h n Q e s h a s
been included. Additional d e t a i l w a s included i n i n t e r i m r e p o r t s t o AEC on
t h e e a r l i e r phases.
Credits .
Great c r e d i t i s due t h e AEC f o r i t s w i l l i n g n e s s t o undertake t h i s study. AEC's
occupational a c c i d e n t experience h a s been exemplary by comparison with g e n e r a l
i n d u s t r i a l experience, and e q u a l s t h e b e s t performance of l e a d i n g companies.
The d e s i r e t o f u r t h e r improve i s most commendable.
Assistance of t h e National S a f e t y Council staff i n t h e form of l i t e r a t u r e

s e a r c h e s and c r i t i q u e s h a s been invaluable. This manual i n c o r p o r a t e s many key
concepts c o l l e c t e d and developed by NSC s t a f f i n i t s t r a i n i n g and p u b l i c a t i o n
programs. Advance papers and d e l i b e r a t i o n s of t h e NSC Symposium on I n d u s t r i a l
S a f e t y Performance Measurement were a l s o valuable.
A s p e c i a l d e b t t o European f r i e n d s i s acknowledged. I n January 1970, I n d u s t r i a l

and Commercial Techniques Ltd. sponsored two-day seminars on "New Approaches t o
I n d u s t r i a l Safety" and "Product S a f e t y " and t h e comments and experience of
B r i t i s h s a f e t y p r o f e s s i o n a l s and management personnel were h e l p f u l . B r i t i s h
i n j u r y t r e n d s have p a r a l l e l e d our own and t h e y too seek improved methods. The
seminars were extended t o Switzerland and Germany i n mid-1971, and t o Amsterdam
and t h e Danish AEC i n l a t e 1972, and t h e MORT a n a l y s i s was u t i l i z e d . Leading
European b u s i n e s s and government agencies a r e moving away from a primary emphasis
on r e g u l a t i o n s toward a g r e a t e r emphasis on system s a f e t y . For example, Royal
Dutch S h e l l ' s new chemical complex i n England i s a v a l u a b l e f u l l - s c a l e a p p l i c a -
t i o n of hazard a n a l y s i s i n p r i v a t e non-governmental work.
The D i v i s i o n s of Operational S a f e t y a t AEC Headquarters and a t t h e San Francisco,

Albuquerque and Idaho Operations o f f i c e s have given i n d i s p e n s a b l e a s s i s t a n c e ,
n o t j u s t i n arrangements, but i n t e c h n i c a l advice and c r i t i q u e , and i n t r i a l s of
new approaches.
Most p a r t i c u l a r l y , t h e h i g h e s t t r i b u t e should be paid t o t h e s t a f f members,

both o p e r a t i o n a l and s a f e t y , of t h e t h r e e r e s e a r c h c o n t r a c t o r s ( ~ a r r r e n c e, Sandia
and A e r o j e t ) . These people a r e working a s s i d u o u s l y and i n t e l l i g e n t l y t o c o n t r o l
hazards i n d i f f i c u l t r e s e a r c h and development work. Their w i l l i n g n e s s t o h e l p
e v a l u a t e p r e s e n t s a f e t y programs a g a i n s t new, high s t a n d a r d s and i d e a l s was an
i n s p i r a t i o n and a major c o n t r i b u t i o n t o t h i s study.
Emphasis must be given t o t h e p o i n t t h a t t h e e a r l y work a t t h e t h r e e s i t e s was

intended t o t e s t new methods of measurement, not t o t e s t programs a t t h e s i t e s .
Could a measurement system be designed t o cope with t h e v a r i e d programs a t t h e
s i t e s ? Notwithstanding t h i s purpose, an impression of judgment was o f t e n
i n e v i t a b l e , and t h e temptation t o o f f e r recommendations w a s o f t e n p r e s e n t .
Therefore, an e x p l i c i t statement i s i n o r d e r , namely, t h e i r programs a r e out-
s t a n d i n g by conventional standards.
The t r i a l a t Aero j e t ( s t i l l c o n t i n u i n g ) h a s been extremely valuable. The

a u t h o r w a s f o r t u n a t e t h a t Aerojet was chosen f o r t h e t r i a l s because Aerojet
a l r e a d y had extremely low a c c i d e n t r a t e s and had i n p l a c e many of t h e program
elements which had been incorporated i n t o MORT, F u r t h e r , some f e a t u r e s of
A e r o j e t ' s program could be a s s i m i l a t e d i n t h e i r e n t i r e t y t o f i l l weak s p o t s
i n t h e p r i o r MORT a n a l y s i s ; independent review i s an example. Other concepts
i n MORT were g r e a t l y improved i n t h e process of a d a p t a t i o n t o Aerojet use.
Fred McMillan, Manager of t h e Reactor Operations Division (ROD),brought i n t e l -

l i g e n c e and d e t e r m i n a t i o n t o h i s e f f o r t t o "buy as much of t h e book as I can
a f f o r d , " Richard 0' Brien, Manager, Nuclear and Operational S a f e t y D i v i s i o n (NOS)
and h i s staff were always cooperative and h e l p f u l , D r . John M o r f i t t chaired an
a d v i s o r y committee which gave e x c e l l e n t counsel.
Dc. Robert J, Nertney and Jack Clark of NOS, and Jack Ford, McMillan's a s s i s -
t a n t , w i t h t h e a u t h o r , made up t h e MORT Team. Without t h e energy and s k i l l of
t h e s e t h r e e a s s o c i a t e s , p r o g r e s s i n developing MORT would have taken much
longer. Bob Nertney's p r i o r work on human f a c t o r s , as w e l l as h i s energy,
imagination and i n t e l l i g e n c e were invaluable.
Many of t h e c o n t r i b u t i o n s of Aerojet and i t s employees a r e s p e c i f i c a l l y acknow-

ledged i n t h e t e x t , but t h e r e a r e dozens of o t h e r s which helped p o l i s h and
develop MORT concepts. Warm f r i e n d s h i p s w i t h AEC and Aerojet personnel have
been an e x t r a bonus from t h e t r i a l s .
The a u t h o r h a s a l s o a p p r e c i a t e d t h e e f f o r t s of s a f e t y s t a f f s of NASA, NTSB, t h e

U.S. Geological Survey, and t h e National Bureau of Standards, whose c r i t i q u e ,
e x p l o r a t i o n and u s e of MORT helped both improve and v a l i d a t e concepts,
A g e n e r a l t r i b u t e should be paid t o t h e v a s t e f f o r t s of members of NSC and t h e

American S o c i e t y of S a f e t y Engineers (ASSE) whose p u b l i c a t i o n s and d i s c u s s i o n s
made numerous c o n t r i b u t i o n s which a r e acknowledged i n t h e t e x t .
The permissions of p u b l i s h e r s f o r use of copyrighted m a t e r i a l i s g r a t e f u l l y

acknowledged. Two management texts--J. M, J u r a n ' s Managerial Breakthrough and
Kepner-Tkegoe's The R a t i o n a l Manager, both published by McGraw-Hill Book Com-
pany--provided s u b s t a n t i a l a d d i t i o n s t o s & t y methodology, a s evidenced by
numerous c i t a t i o n s , t h e Juran f i g u r e s reproduced by permission.
Synthesis,
S y n t h e s i s of concepts i s a dangerous b u s i n e s s , p a r t i c u l a r l y when r e s e a r c h h a s

been s p a r s e and p o o r l y funded. However, a s y n t h e s i s of b e s t p r a c t i c e s may be
a h e l p f u l p r e c o n d i t i o n f o r f u r t h e r r e s e a r c h and f o r a s s i m i l a t i o n of new i d e a s ,
as r e l e v a n t v a r i a b l e s a r e more c l e a r l y perceived.
The r e s p o n s i b i l i t y f o r t h i s p a r t i c u l a r s y n t h e s i s r e s t s w i t h t h e a u t h o r , not with

t h o s e whose i d e a s and concepts have been so f r e e l y appropriated.
Abbreviations
Aero jet Aero j e t Nuclear Company
AEC U, S. Atomic Energy Commission
ANC Aero je t
ANPP Aerojet P o l i c i e s and Procedures
ANSI American National S t a n d a d s I n s t i t u t e
ASSE American Society of Safety Engineers
DOD Department of Defense
DOP Detailed Operating Procedure, Aerojet
DOS Division of Operational Safety, AEC
DOT Depastment of Transportation
FS&OC F i r e S a f e t y and Adequacy of Operating Conditions l i s t , AEC
HAP Hazard Analysis Process 223 )
HIP0 High P o t e n t i a l Incident (pa233 )
HP Health Pnysi c s
IP/V ~ n v e s t m e n t / ~ e n ei ft / ~ a l u e / T h r e a t (pa256)
INC Idaho Nuclear Company (predecessor t o ~ e rj oe t )
JIT Job I n s t r u c t i o n Training ( .317)
J SA
JSA-JIT-SO
Job Safety Analysis (p.317
Safety Observation plan (p.317)
7
Lawrence Lawrence Radiation Laboratory, University of C a l i f o r n i a , Berkeley
(now known as Lawrence Berkeley ~ a b o r a t o r ~ )
LC L i f e Cycle (p. 225,263 )
MORT Management Oversi&t and Risk Tree
NASA National Aeronautics and Space Administration
NFPA National F i r e Protection Association
NOS Nuclear and Operational Safety Division, Aerojet
NRTS National Reactor Testing S t a t i o n s , Idaho F a l l s , Idaho
NSC National Safety Council
NSIC Nuclear Safety Information Center, Oak Ridge, Tennessee
NTSB National Transportation S a f e t y Board
OSHA Occupational Health and Safety Act ( ~ d m i n i s t r a t i o n )
PJA Pre-Job Analysis (p.293)
PPL P r i o r i t y Problem L i s t (pa 435)
R&&A R e l i a b i l i t y and Q u a l i t y Assurance
ROD Reactor Operations Division ,
RSO Aeroi]et
Recorded S i g n i f i c a n t Observation a c r i t i c a l i n c i d e n t )
Sandia Sandia Laboratories, Albuquerque, N. M.
SAR Safety A n d y s i s Report, AEC
SOP Safe Operating Procedure ( ~ a n d i a )
SP Safe P r a c t i c e ( d i v i s i o n a l ) , Aero je t
SPIP Safety Propam Improvement P r o j e c t s ( ~ x h i b i t17)
SPS Safety Precedence Sequence (P.225)
SWP Safe Work Permit, Aero j e t (p.332)
T & Q Test and Q u a l i f i c a t i o n
I. INTRODUCTION
Many leading employers have a t t a i n e d low occupational i n j u r y r a t e s .
However, a f t e r some f o u r decades of accident r a t e decline, a plateau, followed
by a decade of upturn i n t h e r a t e s , has been a widespread experience both i n
t h e U. S. and abroad.
Occupational i n j u r i e s i n t h e U. S. had the following r e s u l t s i n 19711:
Death -- 14,200 persons
Permanent impairment -- 90,000 persons
Temporary t o t a l d i s a b i l i t i e s -- 2,200,000 persons
I n addition (with some discontinuity of d e f i n i t i o n s ) , occupational i n j u r i e s
which were "not bed disabling" had t h e following effect:
Activity r e s t r i c t i o n -- 2,635,000
Medically attended -- 3,912,000
Thus a t o t a l of some 8* million of 79 million people experienced pain and
s u f f e r i n g ranging from s l i g h t t o d i s a s t r o u s from occupational injury. First
a i d cases (not medically attended) would f u r t h e r swell the t o t a l s . And, if
we knew the f a c t s about occupational-related h e a l t h problems, the numbers would
f u r t h e r grow.
Tabulatable economic l o s s e s born by employers and employees t o t a l e d
$9,300,000,000. This is only an accumulation of selected c o s t s f o r which
d a t a a r e available. True c o s t s a r e c e r t a i n l y s u b s t a n t i a l l y higher.
Accident c o s t s axe only a f r a c t i o n of t o t a l e r r o r c o s t s , if we consider
together the e r r o r s which produce both accidents and o t h e r losses.
The d a t a include a g r i c u l t u r e and self-employed, l a r g e l y outside t h e pur-
view of employer-based programs. f i r t h e r , employer-based programs of t h e
h i s t o r i c types have had l i t t l e e f f e c t i n organizations (business and o t h e r )
with 5 o r 25, o r even 100 employees. The Occupational Health and Safety Act
(OSHA)is c u r r e n t l y having impacts i n t h i s type of establishment.
These shocking l o s s e s occur d e s p i t e t h e occupational s a f e t y progress i n
t h i s century. Indeed t h e l o s s e s have increased i n recent years.
Death r a t e s i n U. S. manufacturing hovered at 9, 10, o r 11 deaths per
100,000 workers f o r t h e years 1960-71. However, i n non-manuf acturing, death
r a t e s declined from 25 t o 20, perhaps because non-manufacturing organizations
only r e c e n t l y began use of preventive techniques e a r l i e r applied i n manufacturing.
NSC member r a t e s f o r f a t a l i t i e s and permanent d i s a b i l i t i e s continued t o
decline during t h e plateau period, but as temporary d i s a b i l i t y r a t e s increased
1. Accident Facts. National Safety Council, 1972 edition.

by 6% i n t e n years, t h e more serious i n j u r y r a t e s seemed t o move t o t h e i r
own plateau.
Large companies with the best programs have not found t h a t "more of t h e
same" renews progress. The s i t u a t i o n has been the cause of widespread concern
i n business and government'. (See, f o r example, "Has Safety Progress Ended, "
onal Safetv N e w s , October 1969, o r i n great d e t a i l , the hearings on OSHA. )
OSHA i t s e l f is r e a c t i o n t o t h e apparent i n a b i l i t y of t h e s a f e t y community t o
d e a l constructively with t h e plateau and upturn.
Thus, accidents (despite low r a t e s i n some organizations) produce signi-
f i c a n t numbers of i n j u r i e s t o people, r e s u l t i n s u b s t a n t i a l economic l o s s ,
and have been generally increasing.
Our concern f o r improved preventive methods, nevertheless, does not stem
from any s p e c i f i c , describable f a i l u r e of old methods as from a d e s i r e f o r
g r e a t e r success. Many employers a t t a i n a high degree of safety, but they
seek f u r t h e r improvement.
It is increasingly l e s s plausible t h a t t h e leading employers can make
f u r t h e r progress by simply doing more, o r b e t t e r , i n present program. Indeed,
it seems unlikely t h a t budget stringencies would permit simple program
strengthening. And some scaling down i n s a f e t y expenditures ( i n keeping with
o t h e r budgets) may be necessary.
Consequently, t h e development of new and b e t t e r approaches seems t h e only
course l i k e l y t o produce more s a f e t y f o r t h e same o r l e s s money.
Further, a properly executed s a f e t y system approach should make a major
contribution t o t h e organization's attainment of broader performance goals.
Figure 1-1. How Can We Climb Toward the Summit?
Residual r i s k s
We must g e t here
We are here
Controlled
Improved methods f o r a t t a i n i n g high i d e a l s of s a f e t y a r e available today.

They s e t a high and d i f f e r e n t goal: F i r s t Time Safe. The records of t h e
weapons, space and r e a c t o r programs a t t e s t t o the effectiveness of the methods.
We cannot e n t e r some new a r e a s of human a c t i v i t y on t h e basis of the
t r a d i t i o n a l s a f e t y approaches. You simply cannot g e t t o t h e moon by examining
t h e ashes of f a i l u r e s !
System safety concepts have been highly developed by M C and t h e Defense
and Space agencies and t h e i r contractors. Existing c o n t r a c t and l i c e n s i n g
s p e c i f i c a t i o n s r e q u i r e forms of r i s k a n a l y s i s and evaluation which grovide a
high degree of p r o t e c t i o n of both systems and personnel, where necessary, by
complex and sophisticated methods.
Some concepts more o r l e s s new t o s a f e t y can be borrowed from o t h e r f i e l d s
of c o n t r o l of work, such as r e l i a b i l i t y , q u a l i t y and e r r o r c o n t r o l , o r t h e
broader f i e l d of management science.
An improved order of occupational s a f e t y system seems possible i f t h e
b e s t of present p r a c t i c e s i s synthesized with t h e emerging system s a f e t x prac-
t i c e and t h e concepts a r t i c u l a t e d by behavioral s c i e n t i s t s , including those
studying organizational systems. B e t t e r understanding of technologic and
o r g a n i z a t i o n a l sciences, as w e l l as of t h e exponential e f f e c t s of change, i s
necessary.
If we s a y t h a t s a f e t y i s a s p e c i a l aspect of r e l i a b l e c o n t r o l of work, we
t a k e a g i a n t s t e p toward u s e f u l o r i e n t a t i o n toward management's o b j e c t i v e s i n
public o r p r i v a t e e n t e r p r i s e . When w e use a concept t h a t a c c i d e n t s a r e one
member of t h e broad family of e r r o r s and malfunctions, we take two a d d i t i o n a l
stepsr first, we show awareness of management's problem of c o n t r o l ; and
second, we open t h e l i t e r a t u r e on e r r o r c o n t r o l f o r s a f e t y adaptation. Errors
are e a s i e r t o study than accidents. On t h e o t h e r hand, observation of e r r o r s
r e q u i r e s a more a c t i v e , comprehensive and s o p h i s t i c a t e d recording system.
The new approaches hold g r e a t promise f o r renewing s a f e t y progress recorded
p r i o r t o t h e last f i f t e e n years. Some new approaches a r e more soundly based i n
the management process, as w e l l as t e c h n i c a l l y superior. They d e a l more
r e a l i s t i c a l l y with t h e most d i f f i c u l t v a r i a b l e , t h e human. 14ost important, t h e y
may give i n s i g h t i n t o a s a f e t y process which helps a l l of u s t o more r a p i d l y
evaluate our own experience and those of o t h e r s , and a s s i m i l a t e new ideas.
The concepts of an improved order of occupational s a f e t y system, an i d e a l ,
can help e s t a b l i s h c r i t e r i a and methods f o r measuring s a f e t y performance. The
concepts can a l s o guide accident i n v e s t i g a t i o n and a n a l y s i s t o obtain t h e f a c t s
needed t o renew s a f e t y progress.
I n d u s t r i a l a p p l i c a t i o n of system techniques, p a r t i c u l a r l y f o r new pro-

j e c t s , is needed even though we cannot redesign and r e b u i l d a l l plants. A
considerable number of e s s e n t i a l l y new concepts and procedures a r e a v a i l a b l e
today f o r use i n d i v i d u a l l y o r c o l l e c t i v e l y t o build g r e a t e r c o n t r o l over work
hazards, and thereby upgrade conventional s a f e t y programs. New plants, pro-
d u c t s , machines and materials provide a heavy flow of opportunities f o r use
of improved concepts.
The emphasis i n t h i s t e x t is on occupational s a f e t y , but a p p l i c a t i o n s of
system s a f e t y t o product, public, transportation and environmental accidents
a r e a l s o d e s i r a b l e and p r a c t i c a l .
Goals of t h e Studx.
For t h e study t i t l e , "Development of Systems C r i t e r i a f o r Accident Report-
i n g and Analysis and f o r the Measurement of Safety Performance," an extremely
high goal w a s conceptualized:
An order of magnitude reduction -- minus 90% --
For already low accident r a t e s and p r o b a b i l i t i e s -- by a
System congruous with management f o r high performance.
. Safety programming can be visualized a t f i v e levels:

1. Less than minimal compliance with regulations.
2 . Minimal compliance with enforced regulations.
3. Application of manuals and standards."
4. Advanced programming exemplified by AIZC and leading industries.**
5. System s a f e t y , o r as developed herein, a s a f e t y system (perhaps a s i x t h
level).
There a r e enough d a t a t o suggest t h a t t h e l e v e l s of programming may pro-
duce order of magnitude differences i n annual r a t e s f o r events d i s a s t r o u s t o
t h e e n t e r p r i s e , along t h e following l i n e s :
Program Level Disaster P r o b a b i l i t y

1. Sub-minimal 1x -3
2. Minimal 5x
lo,,
3. Manuals* 1 x 10
4. Advanced*"
5. Systems 1 x 10
The r e a c t o r s , f o r example, appear t o have a t t a i n e d the f i f t h l e v e l of
excellence.
On t h e o t h e r hand v a r i a b l e s of s i z e and d i f f i c u l t y cloud t h e data. Small
organizations have some advantages, as well as disadvantages. For example,
* For example, NSC ' s "Accident Prevention Manual f o r I n d u s t r i a l Operations, "
** For example, ASSE's Bibliographx (1967) may be a a i d e t o t h i s and t o systems,

but only as a reference list.
- 5 -
small s i z e f a v o r s personal communication about hazards, but almost precludes
p r o f e s s i o n a l o r s o p h i s t i c a t e d hazard analysis. A c t i v i t i e s which crowd tech-
nologic borders -- e.g., a round t r i p i n space -- may increase p r o b a b i l i t i e s
of major and d i s a s t r o u s events, even when f i f t h l e v e l techniques a r e used t o
achieve performance.
The r e l a t i o n of s a f e t y programming and performance r e q u i r e s f u r t h e r con-
c e p t u a l study, but a useful p i c t u r e seems t o emerge, as portrayed i n t h e
following f i g u r e r
Figure 1-2. Safety Program Levels.

Relation t o
Work Performance
Disastrous i n t e r r u p t i o n s
Some c o n f l i c t
Less c o n f l i c t
Some congruence
F u l l e r congruence
Accidents are congruent with e r r o r s , and s a f e t y can be congruent with

r e l i a b l e c o n t r o l of work, t h a t is, performance. Therefore, t h e s u p e r l a t i v e
s a f e t y program can be a means of a s s u r i n g attainment of general performance
objectives.
A schematic which l e a d s t o i n t e l l i g e n t and r a t i o n a l r i s k reduction' o r
acceptance begins t o show how g r e a t e r s a f e t y can support performance:
Figure 1-3. Safety Action Sequence.
Importance? Mechanism Analysis
lrom t h i s , some questions:

(1) Is t h e work important? How important? How c e r t a i n do you want t o be
t h a t t h i n g s won't go awry?
(2) Can you s t a t e performance and s a f e t y goals i n probability terms?
(3) Do you have a r a t i o n a l c l a s s i f i c a t i o n mechanism whereby t h e organiza-
t i o n knows what l e v e l of s a f e t y e f f o r t is desired?
(4) Have you defined t h e nature of hazard analysis?
(5) Do you have d e f i n i t i o n s as t o l e v e l of approval required f o r r e s i d u a l
r i s k reduction o r acceptance?
A s with so many system processes, t h e action sequence i n Figure 1-3 may
provide u s e f u l feedback t o t h e s a f e t y program l e v e l s shown i n Figure 1-2. The
most advanced organizations should show t h e congruence of s a f e t y and perfor-
mance, and lead t h e way i n methods. Then t h e organizations which l a g and show
t h e g r e a t e s t opposition t o OSHA's minimal regulations may gain i n s i g h t and
motivation f o r higher l e v e l s of performance planning. These can go well
beyond OSHA l e v e l s of protection, and can a i d and abet high performance.
Current pressure f o r a l l e v i a t i n g OSHA impact may be doubly misdirected.
It would weaken protection of people, and it would negate t h e desired r e l a t i o n
of s a f e t y t o high performance.
On t h e o t h e r hand, current emphasis on OSHA can impair t h e pursuit of

excellence -- and g r e a t e r excellence i n s a f e t y programs is unquestionably
t h e l o n g - t e n requirement f o r balanced emphasis on enforcement and voluntary
approaches. (A recent B r i t i s h study by a national Committee on Safety and
Health at iiork emphasises need f o r strong voluntary programs t o complement
and support enforcement.) The goal -- a more e f f e c t i v e s a f e t y system -- is
of major importance t o t h e proper r o l e of enforcement as well as t o volun-
t a r y leadership.
The Study Process. +

The study has consisted of a s e r i e s of cycles -- input-processing-output --
each output being used i n t h e succeeding phase. Briefly, the major phases
were as follows:
Sources ----+ Process ----+ Results
+--------------------------'
-----
I
Experience, Organize ,
Literature, Integrate,
NSC s t a f f review Develop concepts System description
AEC and Exploration at

contractor programs three s i t e s F i r s t MORT Tree
Continuing search, Tests i n l i t e r a t u r e

seminars and review
reviews Tests i n accidents
Aerojet programs Trials at Aero j e t This MOBT t e x t
Training
Applications
The type of work shown i n t h e i n i t i a l phase has continued throughout
t h e project .
Sources.
I n t h e mid-60's t h e accident r a t e plateau ( i n t r a f f i c and o t h e r f i e l d s ,

/ a s w e l l a s occupational) motivated the NSC s t a f f t o search f o r and endeavor
t o apply the system s a f e t y techniques which developed i n aerospace programs.
To t h i s e f f o r t was coupled trial use of systematic methods of changing
behavior i n l a r g e r groups, even t h e general public, by such techniques a s
human f a c t o r s study and "Innovation Diffusion," which l a t t e r seemed e f f e c t i v e
i n t h e e a r l i e s t e f f o r t s t o build acceptance of s e a t b e l t s (see Appendix H).
Simultaneous recognition of two r e l a t e d developments - the apparently
exponential e f f e c t s of changes over time, and a problem solving technique
based on change detection (~epner-TYegoe, 1965) - led t o a 1967 presentation
t o t h e NSC, " b f f e c t s of changeslTime However, t h e implied
needs f o r more e f f e c t i v e a c t i o n were vast and somewhat vague, and action
implications were not clear.
The NSC s t a f f did develop a "system safety" s h o r t course which covered
these diverse elements - aerospace techniques and behavior and change con-
trol - but p r a c t i c a l applications back on t h e job did not seem t o follow.
The author's B r i t i s h t e x t and seminars, "New Approaches t o I n d u s t r i a l Safety"
(1970) represented a f u r t h e r e f f o r t t o c r y s t a l i z e and apply these emerging
ideas, but again rapid application has not been evident.
Sfmultaneously t h e r e was increasing concern over the limited usefulness
of e x i s t i n g measurements of s a f e t y performance, as exemplified by t h e NSC -
symposium (1970). Most important f o r t h i s study, UC-DOS desired a searching
reexamination of AEZ's occupational accident r e p o r t and a n a l y s i s systems
which conformed with and a l s o exceeded national standards, but had been
l a r g e l y unreviewed f o r some time.
Thus, t h e f i v e f a c t o r s which p r i n c i p a l l y contributed t o both motivation
a,nd substance of t h i s study were:
1. A plateau, and an upturn i n r a t e s ,
2. D i s s a t i s f a c t i o n with t r a d i t i o n a l measures of performance,
3. Successes with system safety,
4. Change control as an increasing need,
5. Behavior and organizational science findings.
The l i t e r a t u r e of t h e National Safety Council (NSC) and the American
Society of Safety Engineers (ASSE) provided a wealth of material. The exten-
s i v e bibliography appended t o t h i s t e x t shows t h e wide range of o t h e r sources
utilized.
AEC b o w a m Findings i n this study a r e believed a p p l i c a b l e t o safety
generally; t h e i l l u s t r a t i o n s and conclusions are drawn s o l a r g e l y f r o m nuclear
energy research operations t h a t a general p i c t u r e of ;1EC occupational s a f e t y
programs is u s e f u l as a backdrop.
Contractor occupational s a f e t y programs a r e governed by AEC p o l i c i e s and
d i r e c t i v e s and monitored by AEX staff. Consequently, a general d e s c r i p t i o n of
AEC requirements s e r v e s as a framework f o r study of c o n t r a c t o r programs.
P a t t e r n s of h e a l t h and s a f e t y r e s p o n s i b i l i t i e s have g e n e r a l l y d i s t i n g u i s h e d
o r separated :
1. Weapons s a f e t y ,
2. Reactor s a f e t y (including c r i t i c a l i t y i n g e n e r a l ) ,
3 . Radiation s a f e t y and h e a l t h ,
4. Occupational s a f e t y , including f i r e , motor vehicle and damage accidents,
5. Environmental impact.
This study i s p r i m a r i l y concerned with t h e occupational s a f e t y category.
However, many f e a t u r e s of "system s a f e t y " are a l r e a d y u t i l i z e d i n t h e first
t h r e e c a t e g o r i e s and could be more f u l l y t r a n s f e r r e d t o t h e occupational f i e l d ;
conversely, an a n a l y s i s of system s a f e t y f o r general occupational purposes i s
seeming t o suggest improvements f o r t h e o t h e r f o u r programs.
One f o c a l point of MC program is t h e extensive list of standards provided
by AEC Manual Cliapter 0550, "Operational S a f e t y Standards." I n both i t s length
and i t s comprehensiveness, t h e list is equal o r s u p e r i o r t o t h a t of any o t h e r
organization. By including as recommended standards c e r t a i n comprehensive manuals,
t h e scope is extended well beyond t h e physical a s p e c t s and embraces management
p o l i c y and support, organization, staff, t r a i n i n g , communications, i n s p e c t i o n s
and measurement of performance.
r-rther, t h e AEC program r e q u i r e s p e r i o d i c a p p r a i s a l s of c o n t r a c t o r s a f e t y
programs. (chapter Ofjob. )
Accident i n v e s t i g a t i o n and r e p o r t i n g requirements ( ~ p p e n d i x0502) f u l f i l l
and exceed n a t i o n a l standards. Requirements f o r Boards of I n v e s t i g a t i o n and
in-depth i n v e s t i g a t i o n of s e r i o u s events are exemplary and unique, and provide
good examples of i n v e s t i g a t i o n . A "Serious Accident" newsletter, and many
t e c h n i c a l b u l l e t i n s disseminate s p e c i a l information.
v a r i e t y and number of U C Conference-training-stdards meetings (e .g. ,
conventional explosives, plutonium, o r pressure v e s s e l s ) is s o g r e a t as t o
suggest a c e n t r a l f o c a l point f o r c o n t r o l , coordination and f u r t h e r develop-
-9-
ment of such opportunities f o r professional growth and i n t e r n a l standards.
Not surprisingly, l i n e management r e s p o n s i b i l i t y from the first l e v e l of
c o n t r a c t o r ' s supervision t o the General Manager of AEC, and thence on t o the
Commission and t h e Congress, i s highly defined and responsive t o both needs
and opportunities. For example, t h e AEC's p r i o r i t y problem lists, called
"Fire Safety and Operating Conditions" lists have received heavy management
pressure t o i d e n t i f y and correct r i s k s (and do much of t h i s from current
operating budgets), an excellent example of management vigor i n pursuit of
safety!
The AEC program is an example of t h e best of present occupational s a f e t y
practice, and has been adequate t o earn f o r AEC many well-deserved awards.
*
But, it does not generally require f o r occupational s a f e t y t h e forms of
a n a l y s i s and a c t i o n u t i l i a e d i n "system safety" and exemplified i n major space,
weapons and r e a c t o r programs. Thus, f o r example, there are f e w non-nuclear
requirements f o r l i f e cycle analysis, documentation of analysis, hazard review
milestones, change review, o r trade-off a n a l y s i s of additional countermeasures.
I n addition, AEC and its contractors s u f f e r f r o m t h e same information
system d e f i c i e n c i e s i d e n t i f i e d i n t h e aerospace and national s a f e t y informa-
t i o n networks.
Three examples of system s a f e t y practice, two p o s i t i v e and one negative,
can be given.
The AEC r e a c t o r s a f e t y program embodies system s a f e t y c h a r a c t e r i s t i c s ,
although it has had its own s p e c i a l terminology r a t h e r than t h e jargon
of t h e aerospace industries. 3eactor s a f e t y uses Safety Analysis
Reports and supporting documentation, change review, l i f e cycle anal-
y s i s and independent review.
Another p s i t i v e example, "Safety Guidelines f o r High Energy Accel-
e r a t o r F a c i l i t i e s , " (1967) r e f l e c t s many system s a f e t y requirements --
trade-off c r i t e r i a , l i f e cycle analysis, periodic review, multiple
safeguards, procedure and personnel requirements, monitoring, emergency
plans, etc. This pamphlet provides p r i n c i p l e s which are not being
applied t o other a r e a s of AEC work.
A negative example, AEC has a requirement f o r an a p p r a i s a l of s a f e t y
i n t h e preliminary stages of new construction proposals. From a 1969
meeting of f i e l d s a f e t y d i r e c t o r s it could be gleaned t h a t the proce-
dure w a s not working well. However, probably of g r e a t e r significance
is the low conceptual l e v e l embodied i n t h e appraisals. For example,
a proposal f o r a c a f e t e r i a addition said, "No new harlards w i l l be
created." Obviously t h i s is almost t h e exact opposite of t h e l i f e cycle
a n a l y s i s which might be s t a r t e d by answering t h e question, "How many
accidents t o employees o r customers can be prevented during t h e l i f e of
t h i s f a c i l i t y if design f e a t u r e s a r e changed?"
Some research and development work undertaken by AEC contractors involves
high energy and is work close t o boundary conditions. Therefore, high orders of
system s a f e t y p r a c t i c e a r e , not only needed f o r s a f e t y , but may a l s o make
possible advanced research work.
AEC has more f u l l y integrated s t a f f organizations f o r t h e range of s a f e t y
problems encountered than do some of i t s contractors. Where weapons, r e a c t o r
o r o t h e r aspects of s a f e t y a r e organizationally divided, there is not always
f u l l exchange of information on a n a l y t i c techniques and competencies.
During t h i s study there has been much evidence of a p p l i c a b i l i t y and need
f o r f u l l e r exchange between reactor, weapons, r a d i a t i o n and o t h e r s a f e t y pro-
grams. Indeed a system approach t o occupational s a f e t y problems seems t o o f f e r
considerable p o t e n t i a l f o r improvement i n a l l f i e l d s , including t h e augmented
concern f o r proper waste management. A l l of t h e special kinds of accidents have
common features.
T r i a l s a t Aerojet. Aerojet Nuclear Company, whose AEC contract provides

f o r operation of experimental r e a c t o r s at t h e National Reactor Testing Station,
Idaho, was chosen as a s i t e f o r trial of MORT techniques. Lest there be any
impression t h a t Aerojet was l e s s than excellent p r i o r t o the 1971-72 year of
t h e trials, it is well t o c i t e some d a t a (including d a t a from predecessor
companies, P h i l l i p s Petroleum and Idaho ~ u c l e a rt)
Average employment, 1966-71 = 2,170.
Chemical
ANSI Injury Rates: 1951-70 1966-70 1971 Industry
Frequency r a t e 0.70 0.81 0.48 4.01
Severity rate 124 63 16 433
The organization has never had a f a t a l i t y .
A w a r d s t o t h e Phillips-INC-Aerojet succession (much the same s t a f f ) are
numerous, including:
The Idaho champions hi^! k 12-million man-hour no-lost-time i n j u r y awards,
December 4, 1962 t o January 14, 1966.
Idaho and AEC awards - 2 million man-hours, November 1966 t o March 1967.
NSC Award of Honor f o r 1970.
-
Idaho award million man-hours, ending October 1971.
The bus transportation system operated by Aerojet has earned d r i v i n g and
occupational i n j u r y awards.
Aerojet already had many f e a t u r e s of the system which was evolving
. .
--
hazard a n a l y s i s process, a n a l y t i c capacity, procedure, r e l i a b i l i t y and qual-
i t y assurance, monitoring, human f a c t o r s s t u d i e s and independent review.
NASA and NTSB, The publications and staff advice of t h e National Aero-
n a u t i c s and Space Administration, e s p e c i a l l y i n system s a f e t y , and of t h e
National Transportation Safety Board, i n i n v e s t i g a t i o n , had major significance.
Disciplines. I n a d d i t i o n t o various occupational s a f e t y s p e c i a l t i e s ,

including f i r e and i n d u s t r i a l hygiene, the work p r o f i t e d from publications
and d i s c u s s i o n s with a uide range of o t h e r groups --managers, u n i v e r s i t y and
o t h e r r e s e a r c h e r s , nuclear and system s a f e t y engineers, mathematicians, bio-
p h y s i c i s t s and h e a l t h p h y s i c i s t s , information s c i e n t i s t s , r e l i a b i l i t y and
q u a l i t y assurance engineers, and others.
Degree of Proof. By and l a r g e t h e system is an assemblage of i n d i v i d u a l

i d e a s with varying. degrees of proof. Many concepts a r e proposed s a f e t y a p p l i -
c a t i o n s of general theory developed by r e l a t e d sciences, e.g., behavior o r
organization.
An ordering of t h e degrees of support f o r a s p e c i f i c i d e a o r component
could be :
S c i e n t i f i c evidence:
a. Safety a p p l i c a t i o n , e.g., human f a c t o r s engineering.
b. General theory (not s p e c i f i c a l l y s a f e t y ) , e,g., acceptance of
innovations,
c. General s a f e t y theory generated from f i n d i n g s , e.g., Haddon's
energy b a r r i e r notion.
Intermediate proofs:
These could include widespread, s t r o n g convictions of values, e.g.,
Job Safety Analysis i n s t e e l and o t h e r i n d u s t r i e s ; l i t e r a t u r e search
as a standard p r a c t i c e i n science; o r codes, standiirds, and r e g u l a t i o n s
i n s a f e t y l a w and practice.
Minimal proofs :
This would include some, a f e w , o r a s i n g l e c l o s e l y r e l a t e d usage
with some proof of value, e.g., trend a n a l y s i s without c o n t r o l s o r
managerial opinion based on s t a t e d criteria, and includes some t r a d i -
t i o n a l approaches l a r g e l y untested.
Logic o r common sense.
Innovative hunch. 3 t o f i l l gaps.
MORT t h e emphasis has been t o u t i l i z e i d e a s as far up i n t h e hierarchy

as possible, but at t h e same time, f u l f i l l t h e l o g i c a l requirements where
necessary.
- 12 -
Processes and Results.
A foundation t e x t developed i n t h e first s i x months of t h e study endeavored
t o assemble and i n t e g r a t e t h e main f a c t o r s found i n t h e b e s t i n d u s t r i a l prac-
t i c e s and i n aerospace system safety. I n a d d i t i o n , literature and e x ~ e r d e n c ewith
concepts of energy, energy b a r r i e r s , e r r o r , change, sequence and r i s k were
examined and developed, p a r t i c u l a r l y a s they r e l a t e d t o a f u n c t i o n a l d e f i n i t i o n
of accidents. Behavioral and organizational sciences were screened f o r rele-
vant material. And t h e e f f o r t w a s t o create an integrated whole.
The e a r l i e s t focus w a s on accident i n v e s t i g a t i o n and reporting. It quickly
became apparent t h a t conventional, mass methods of r e p o r t and a n a l y s i s (ANSI
and o t h e r ) were s t e r i l e and unsuited t o any s u p e r l a t i v e system, t h a t a multi-
p l i c i t y of measurements were needed, and t h a t , if s a f e t y program standards were
only p a r t i c a l l y defined, t h e subsequent measurement of program f a i l u r e would be
vague and imprecise.
I n t h e first exploratory phases at three research sites it w a s clear t h a t
t r a d i t i o n a l methods of i n v e s t i g a t i n g and r e p o r t i n g accidents could not be
tinkered i n t o u s e f u l measurements of a comprehensive program. A shocking
absence of u s e f u l l i t e r a t u r e on methods of i n v e s t i g a t i o n had been noted e a r l i e r .
The r e s u l t w a s development of t h e Management Oversight and Risk Tree (MO~ZT).
I n a d d i t i o n t o present b e s t p r a c t i c e and system s a f e t y , MO3T endeavored t o
i n t e g r a t e s a f e t y concepts i n t o a coherent whole. Fundamental t o t h e l o g i c was
a s t a t e d concept:
"Since management ( s p e c i f i c a l l y t h e Chief Executive O f f i c e r ) has t h e l e g a l
and moral r e s p o n s i b i l i t y f o r s a f e t y , it follows t h a t s a f e t y information
and measurement programs should be primarily designed t o answer t h e
c r i t i c a l s a f e t y questions of management:
What a r e t h e nature and magnitude of t h e organization's accident
potentials?
What has been done t o reduce r i s k ?
What is t h e long-term l e v e l of r e s i d u a l r i s k ?
What a d d i t i o n a l measures t o reduce r i s k have been considered and
r e j e c t e d on " p r a c t i c a l " (investment/benefit/value grounds?
Are t h e s a f e t y programs and systems a c t u a l l y operating as described
i n manuals and procedures?"
The format and l o g i c of t h e Tree at t h a t point (i11onograph of April 27,
1971) were very much t h e product of t h e first t e x t plus t h e p a r t i c u l a r acci-
dent/incident events investigated o r reviewed. ( ~ a t e rAerojet s c i e n t i s t s were
t o push f o r t i g h t e n i n g and c l a r i f y i n g t h e logic. )
The exploratory phase a l s o revealed many a n a l y t i c methods of assuring
r e a c t o r and weapon s a f e t y which deserved a p p l i c a t i o n i n occupational safety.
MANAGEMENT OVERSIGHT & RISK TREE
MORT i s simply a l o g i c o r decision t r e e which s t r u c t u r e s causal
f a c t o r s and/or preventive measures - , i n an order which:
1. Makes e x p l i c i t :
a. The functions necessary

t o complete a process,
ih Functions
b. The s t e p s t o f u l f i l l a
function,
A Steps
c. Text references t o c r i t e r i a t o
judge when a s t e p is w e l l done. L'
2. Provides r e l a t i v e l y simple decision points, i n
a n a l y s i s o r review, a l b e i t a lengthy list.
3. Enables an a n a l y s t o r reviewer t o detectomissions

o r defects i n a process (or i n the t r e e i t s e l f ) .
MORT began a s an i n v e s t i g a t i v e
t o o l , but has shown value i n
program a p p r a i s a l and applica-
tion.
The s t r u c t u r e of MOBT organizes

t h e laxgely unstructured s a f e t y
l i t e r a t u r e and practice.
Causes of adverse consequences

a r e of t h r e e types:
Q
problems
b
(, 1 INJURIES, DAMAGE,
OTHER COSTS,
PERFORMANCE LOST,
DEGTED 1
SPECIFIC OVERSIGHTS MANAGEMENT
& OMISSIONS? ASSUMED SYSTEM LTA?
RISKS? ,
P
LTA = Less than adequate
( ~t ht i s point, a reader not f a m i l i a r with t h e t r e e
would probably be wise t o quickly review a t least t h e
first page of t h e d e t a i l e d diagrams i n Chapter 16. )
- 14 -
The trials a t Aerojet began with a s e r i e s of "Safety Program Improve-
ment P r o j e c t s " (SPIP), i n i t i a l l y 25, and l a t e r 29, separable NOIiT concepts
which were r e l e v a n t t o Aerojet problems.
The use of t h e SPIPs is discussed i n t h e chapter on Transition. How-
e v e r , here it should be noted t h a t t h e p r o j e c t s were p a r t s of MORT system,
but responsive t o k e r o j e t ' s expressed needs. I n t h a t sense t h e r e was no
o v e r a l l t r i a l of MORT as such, r a t h e r t h e r e w a s use of NO3T p a r t s t o see
how an e x c e l l e n t o r g a n i z a t i o n could f u r t h e r improve.
An i l l u s t r a t i o n of t h e symbiotic r e l a t i o n s h i p of A e r o j e t ' s systems and
MORT i s h i g h l y i n d i c a t i v e . A e r o j e t ' s independent review system i s super-
l a t i v e , and f i l l e d a gap i n MORT. MOiIT, on t h e o t h e r hand, shows t h a t
independent review i s no s u b s t i t u t e f o r a defined upstream hazard a n a l y s i s
process, and can only be a check on t h e process. Thus, both Aorojet sys-
tems and MOIiT improved through i n t e r a c t i o n .
Aerojet a l s o showed c l e a r l y t h e need f o r a m u l t i p l i c i t y of measures of
performance f o r d i f f e r e n t programs, and t h i s l e d t o t h e c o n s t r u c t i o n of t h e
first "War Room" t o d i s p l a y d a t a on s a f e t y plans, r e s u l t s and problems.
I n t h e long run, t h e most important c o n t r i b u t i o n of Aerojet may have
been t o provide a s i t u a t i o n i n which t h e model f o r a g e n e r a l and i d e a l i z e d
s a f e t y system, congruous with management methods, could develop from t h e
embryo systems o u t l i n e d i n v a r i o u s of t h e a u t h o r ' s p u b l i c a t i o n s from 1967
t o 1971.
Dmamic S a f e t y System. The model of t h i s system (described

i n Chapter 1 1 ) u s e s t h e elements of MORT t o c o n s t r u c t a
more p o s i t i v e , i n t e r a c t i n g , c y c l i c process a k i n t o good
management systems. I n a sense t h e dynamic s a f e t y system
i s a p o s i t i v e view of t h e negative, f a i l u r e - f i n d i n g MORT
process.
The trials have moved r a p i d l y i f one enumerates t h e s p e c i f i c develop-

ments, but slowly i n test of t h e whole MORT system. Each concept had t o be
c a r e f u l l y incorporated i n a r e a l - l i f e system and I'IOST is not j u s t a system,
but a "way of l i f e , " as one Aerojet s c i e n t i s t s a i d .
What was expected from t r i a l s of MORT a t Aerojet? -- very l i t t l e in
s c i e n t i f i c evidence, and intermediate proof, except t h i s : t h e t r i a l is a
s i n g l e case, but more v a r i a b l e s a r e controlled. Therefore, t h e s i n g l e case,
p r i o r evidence from other uses, might e s t a b l i s h an intermediate proof
o r conviction.
A s minimal proof, subjective opinion of managers o r s a f e t y o r technical
personnel are the primary basis. This can be subdivided i n t o several ques-
t ion t
1. Can the s a f e t y operation be performed, and how?
2. How c o s t l y is i t ?
3. Does it seem e f f e c t i v e ?
a. For s a f e t y ?
b. Does the place seem t o run b e t t e r , with b e t t e r performance, and
fewer troubles?
c. Are there any trend o r comparative d a t a ?
I n s h o r t then, t h e primary r e s u l t s t o be expected from the t r i a l were
minimal proof, but t h e differences from general s a f e t y development w i l l be
at l e a s t two:
1. P r a c t i c a l i t y :
a. Is it possible t o use Information Search, Job Safety Analysis,
Human Factors Review, NASA-structured a n a l y s i s o r review, review
with c r i t e r i a , etc., a l l i n the same context?
b. Do t o t a l c o s t s seem reasonable?
2. Effectiveness - i n an already highly developed system:
a. Do r e s u l t s seem good f o r safety?
b. Do r e s u l t s seem good f o r general performance?
This might mean, using a c t u a l quotes from AEC and Aerojet personnel, t h a t
"accident investigation r e p o r t s seem t o be considerably b e t t e r , " o r "the
craftsmen l a i d more requirements on themselves i n a job s a f e t y a n a l y s i s than
we would have dared t o prescribe, and they enjoyed the work." O r , with
respect t o general performance, a safety-related e f f o r t (emg. , functional
schematics , steps, and c r i t e r i a ) seems useful i n general management. O r ,
general management doctrines a r e useful i n s a f e t y ( ~ u r a n ' sControl Cycle and
Kepner-Tregoe ' s Problem ~ n a l y s i)s and i n t u r n these contribute t o overall
management.
Aerojet executives have been careful t o say t h a t the t r i a l s do not yet
provide a b a s i s f o r endorsement of MOBT, but have provided encouraging
r e s u l t s and they believe it is "the way t o go."
A four-day workshop f o r AEC headquarters and f i e l d s a f e t y personnel held
a t Aerojet helped improve organization, presentation, support and application
of MOIiT.
Any f i n a l proof of MOiT as a whole may be long-long-term, because i.t is a
"way of l i f e . "
Many, small tightly-controlled experiments, as well a s o v e r a l l
applications of the synthesis, would be needed.
On t h e o t h e r hand, MORT i s a synthesis of ideas and f a c t s , and t h e possi-
b i l i t y of another type of proof i s emerging, namely from use of t h e e n t i r e
system o r synthesis. This, taken with the support f o r individual components,
might l i f %MORT t o t h e s t a t u s of a t e n t a t i v e general theory and practice.
I n d i r e c t proof of usefulness of t h e o v e r a l l MOliT framework is frequently
provided by the easy assimilating of new findings reported i n current l i t e r a -
ture. This a l s o emphasizes f l e x i b l e and open-ended q u a l i t i e s predictive of
f u r t h e r development.
Developmental work has been l a r g e l y q u a l i t a t i v e . Quantification has
been f e a s i b l e i n only limited areas, f o r example, i n numbers of causal fac-
t o r s revealed by MORT, i n e r r o r and omission r a t e s , and i n exploring predic-
t i v e measures.
Certainly more d a t a a r e needed, p a r t i c u l a r l y f o r a wider
range of organizations. However, many omissions of s a f e t y measures, e.g.,
f a i l u r e t o make an information search, human f a c t o r s study, o r independent
review, c r e a t e "uncertainties" which w i l l l i k e l y remain d i f f i c u l t t o quantify*
Organization of t h e Text.
I n P a r t I1 of t h i s r e p o r t , What Produces Hazards? the concepts of energy
b a r r i e r s , e r r o r , change and sequence a r e developed. This leads t o a new,
more functional d e f i n i t i o n of accidents. The frequency-severity matrices
which develop from energy r e l a t i o n s h i p s a r e defined and explored a s manage-
ment t o o l s t o focus on t h e v i t a l sources. Basic r i s k management concepts
a r e introduced.
These concepts require r a t h e r more exposition than would be f e a s i b l e
i n presenting t h e MOZT l o g i c , and a l s o form background f o r some of the
s t r u c t u r e of MORT.
I n P a r t 111, How t o Reduce Hazards? methods of integrating. system s a f e t y
with present best practices, the value of v i s i b l e a n a l y t i c method t o handle
content o r subject matter, and t h e congruous r e l a t i o n s h i p of s a f e t y and per-
formance are discussed,
A model of a general s a f e t y management system is developed and shown t o
be congruous with a v a r i e t y of general management systems. This major propo-
s i t i o n has been only p a r t i a l l y t e s t e d , but stems from findings t h a t c e r t a i n
accidents are more nearly escapees from managerial controls than conven-
t i o n a l s a f e t y problems.
P a r t I and I1 r e s u l t s a r e t h e n used t o develop a s e t of g e n e r a l t h e s e s
as t o t h e n a t u r e of a s a f e t y program.
These concepts a l s o h e l p provide background f o r u n d e r s t a n d i n g t h e s t r u c -
t u r e of MORT.
P a r t I V , MORT, d e s c r i b e s t h e developanent of t h e Tree and t h e d e t a i l e d
a n a l y t i c l o g i c , as w e l l as a d i s c u s s i o n of v a l u e s and problems.
The MORT diagrams of management systems provide t h e o u t l i n e f o r t h e
-----
remainder of t h e t e x t .
In -
P-a r t V. management
- p o l i c y , implementation, and d e c i s i o n a r e d i s c u s s e d .
P a r t --
--- V -I , --
t h e Hazard Analysis Process, i n c l u d e s human f a c t o r s review and
and r i s k a n a l y s i s , a s p e c t s of s p e c i a l importance.
P a r t V I I c o v e r s ---------
Work Flow Processes and i n c l u d e s c o n t r o l o v e r t h e up-
stream p r o z e s s e s .by which work i n g r e d i e n t s -- t h i n g s , people, procedures and
supervision -- a r e developed. The important m a t t e r s of employee m o t i v a t i o n ,
p a r t i c i p a t i o n and feedback a r e d i s c u s s s d .
P a r t V I I I t a k e s up Information Systems, beginning w i t h d e s i g n of moni-
t o r i n g p l a n s which w i l l produce t h e needed d a t a (conventional a c c i d e n t r e p o r -
t i n g systems do n o t and cannot do t h i s ) . Data r e d u c t i o n and c o n t r o l o v e r
f i x e s provide t h e i n g r e d i e n t s f o r a management "War Room" which s e r v e s as
the control center f o r safety. Local and n a t i o n a l information network capa-
b i l i t i e s and d e f i c i e n c i e s a r e a l s o d i s c u s s e d .
P a r t VIII a l s o d i s c u s s e s some t e c h n i q u e s of measurement and assessment
-. .. ---
a c c i d e n t i n v e s t i g a t i o n , r a t e and incidence a n a l y s i s , group cause a n a l y s i s and
program and c o n t r o l e v a l u a t i o n . These a l s o provide e x h i b i t s f o r t h e War Room.
It i s common t o a s s e r t t h a t a c c i d e n t i n v e s t i g a t i o n i s "first and fundamental,"
which i s t r u e . We come t o t h e s u b j e c t r a t h e r l a t e , b u t we now know t h e k i n d s
o f information t o seek.
-
P a r-
t IX d i s c u s s e s s a f e t y pro- review and d e s c r i b e s t h e d e p l o r a b l e l a c k
of program d e f i n i t i o n and d a t a which n o t o n l y make measurement d i f f i c u l t , but
o p e r a t e t o s h i f t blame t o s u p e r v i s o r s and o p e r a t o r s r a t h e r t h a n management
and s a f e t y p r o f e s s i o n a l s .
P a r t X , T r a n s i t i o n , d i s c u s s e s some e x p e r i e n c e s , p a r t i c u l a r l y A e r o j e t ' s ,
i n a t t e m p t i n g t h e d i f f i c u l t t r a n s i t i o n t o new, h i g h l e v e l s of performance,
t h e s u p e r l a t i v e , and s u g g e s t s s t e p s t o be used.
Terms w i t h s p e c i a l meaning and d e f i n i t i o n , t h e seemingly i n e s c a p a b l e jar-
gon, a r e l i s t e d i n t h e Index w i t h r e f e r e n c e s t o t h e pages which d e f i n e t h e
terms. Some terms a r e a l s o i n c l u d e d i n t h e l i s t of Abbreviations up f r o n t ,
a g a i n w i t h page r e f e r e n c e s t o d e f i n i t i o n s .
Scope of Application.
A t t h e o u t s e t of t h i s study the scope was occupational s a f e t y , t h a t is,
employee i n j u r y , plant property damage and f i r e . It was suspected t h a t
improved methods would, however, be applicable t o other kinds of accidents --
nuclear, r a d i a t i o n , i n d u s t r i a l hygiene and waste management.
Since the author had no expertise i n t h e l a t t e r areas, a p r a c t i c e was
followed of awaiting views of others on MORT a p p l i c a b i l i t y i n t h e i r f i e l d s of
specialization.
One e a r l y MORT a n a l y s i s was "High Level S p i l l a t t h e Hilac" (see Appendix
A-1), a r a d i a t i o n event being chosen simply because it w a s s e r i o u s and there
was a good report.
Later, considerable methodology w a s absorbed from t h e s a f e t y programs
f o r nuclear weapons and nuclear reactors.
A s t h e study proceeded, t h e nature of waste management accidents suggested
t h a t MORT was c l e a r l y applicable t o t h e analysis of sudden system failures i n
waste control; t h a t is, l a r g e , unplanned discharges are accidents i n every
sense. One example was a clear-cut f a i l u r e t o consider human f a c t o r s and
e r r o r s , c e r t a i n t o occur i n time. Slaste management l i t e r a t u r e and practice
seem weak i n t h i s area.
MORT draws heavily on aerospace safety. On the other hand, those MORT
elements not present o r v i s i b l e i n aerospace s a f e t y almost c e r t a i n l y have
a p p l i c a b i l i t y there, examples being: independent review, monitoring, and
information systems.
During t h e past year, chemical and petroleum plants, pipelines, off-shore
d r i l l i n g , s t e e l producing and general manufacturing are a few f i e l d s i n which
MORT concepts have been thought t o be usable.
The findings and recommendations a r e based primarily upon s t u d i e s of
high enerpy research and development work, o f t e n approaching technological
boundary conditions.
This study should be f u l l y applicable t o production work, since t h e amount
and type of a n a l y s i s is more e a s i l y j u s t i f i e d f o r longer term production
cycles than f o r more r a p i d l y changing R & D cycles. Further, the number and
s i z e of controls necessary f o r r e l a t i v e l y s t a b l e production a r e l e s s than
f o r R & D, and thus more e a s i l y j u s t i f i a b l e .
Construction work, motor vehicle accidents and smaller p l a n t s a r e not now
covered i n MORT.
Over t h e years NSC's Construction Section has t r i e d a v a r i e t y of experi-
- 19 -
mental approaches -- one was d i r e c t l y t i e d t o b e t t e r planning (over and above
t h e usual management, supervision, t r a i n i n g , e t c . ) .
While t h e s e approaches
a r e used by t h e b e t t e r companies, and a r e r a t i o n a l and presumably b e n e f i c i a l
f o r both c o s t s and safety, t h e y simply have not caught on i n t h e industry.
Therefore, u n t i l a p i l o t p r o j e c t demonstrates t h a t MORT approaches can be
used, it would probably be wise t o r e l y heavily on codes, standards, and regu-
l a t i o n s f o r c e f u l l y and i n t e n s i v e l y applied, as i n U. S. Corps of Engineers'
experience which w a s extended i n t o the Manhattan P r o j e c t and c a r r i e d on by AEC.
Motor v e h i c l e accidents, t h e source of 18%of occupational fatalities,
a r e well handled by t h e present b e s t f l e e t s a f e t y p r a c t i c e s ( f o r example, NSC 's
Motor F l e e t Safety ~ a n u a l,) which i s much t h e present p r a c t i c e of AEC. However,
t h e MORT methodology -- c r a s h r e s i s t a n c e , and shock absorption, s e l e c t i o n ,
t r a i n i n g , e r r o r reduction and c o n t r o l -- a l s o r e f l e c t s major a s p e c t s of the
broad, n a t i o n a l t r a f f i c s a f e t y program. Every f l e e t can p r o f i t a b l y review
its p r a c t i c e s , e.g., i n vehicle selection, t o assure t h a t the best practice
followed. Transportation of hazardous materials is, however, an a c t i v i t y
c l e a r l y within t h e scope and methodology of MORT,
Smaller p l a n t s are u n l i k e l y t o be a b l e t o a f f o r d t h e e f f o r t of a c q u i r i n g
and using a complex technology. On t h e o t h e r hand, smallness g i v e s no immunity
from hazards! A Danish executive described one small chemical p l a n t as a "one
accident" p l a n t -- one accident and t h e r e is no plant! A chemical p l a n t employ-
i n g only seven people t o operate an exothermic process became a $750,000 l o s s ,
and t h i s is not small! From a p r a c t i c a l view a small p l a n t would have t o e n l i s t
o u t s i d e e x p e r t i s e i n proportion t o energy and l o s s potentials. Meanwhile,
f u r t h e r experience with,MORT may r e v e a l short-cuts f o r small p l a n t application.
Research 'dork.
It seems c l e a r t h a t system concepts can be applied t o l a r g e , high energy
facilities. Proportionate a p p l i c a t i o n t o smaller, lower energy facilities
should present no insuperable problems.
If t h e kinds of work and degree of hazard are g r o s s l y categorized, t h e
following broad c h a r a c t e r i z a t i o n s of present research s a f e t y program s t r e n g t h
and c o n t r o l seem d e f e n s i b l e $
Degree of Haeard
Catastrophic Critical P4arginal
Fixed, Major F a c i l i t i e s Good Control Good Control Weak Control
Other Sesearch Questionable Weak Weak
Support Functions Good Good Fair
For t h e f i x e d , major r e s e a r c h f a c i l i t i e s , it i s r e l a t i v e l y e a s y t o see a
model s a f e t y plan:
1. Safeguard t h e f a c i l i t y i t s e l f .
2a. Put p r e s s u r e on t h e experimenter t o conform t o s a f e p r a c t i c e s .
2b. Help t h e experimenters w i t h s a f e v a r i a n c e s when experimental needs
approach boundary conditions.
3. Have a system s a f e t y procedure ( a l a t h e Bevatron a t Lawrence, s e e
page 1
For l e s s permanent experimental set-ups, it i s l e s s e a s y t o conceive a
p l a n , but t h e e s s e n t i a l s seem t o r e s t on an i n i t i a l b a s i c review plan:
1. Basic experimenter ' s s a f e t y review. (A " p o s i t i v e t r e e " was developed
a t Sandia, s e e page .)
2a. S a f e t y staff a s s i s t experimenters.
2b. S a f e t y s t a f f monitor p o t e n t i a l s , changes, e r r o r s .
3. Documentation of review, of monitoring, of changes, e t c . , a n a u d i t a b l e
r e c o r d , both f o r s a f e t y and f o r r e s e a r c h e f f e c t i v e n e s s and v a l i d i t y .
There remain, how eve^, many unusual f a c e t s . For example, at a u n i v e r s i t y ,
a primary complication i s t h e d i v i s i o n of s u p e r v i s o r y a u t h o r i t y between f a c -
u l t y a d v i s o r s ( e s p e c i a l l y f o r graduate a s s i s t a n t s ) and t h e managers of more o r
l e s s permanent r e s e a r c h equipment. The f a c u l t y i s g e n e r a l l y weak i n s a f e t y
s u p e r v i s i o n ; t h e l a t t e r f o r c e t e n d s t o be s t r o n g e r , b u t h i g h l y v a r i a b l e .
There a r e s p e c i a l problems a r i s i n g from:
Research and development work
Involving high energies
A t o r n e a r baundary c o n d i t i o n s
With f r e q u e n t changes
And narrow e r r o r t o l e r a n c e l i m i t s .
It h a s been argued t h a t a c c i d e n t s a r e an a c c e p t a b l e by-product of r e s e a r c h
i n a r e a s of advanced technology. The r e v e r s e seems t r u e , w i t n e s s t h e aero-
space program. S a f e t y i s a necessary c o n d i t i o n f o r work n e a r boundary condi-
tions. The planning and f o r e s i g h t needed f o r s a f e t y a l s o give g r e a t e r assur-
ance of s u c c e s s f u l completion of v a l i d r e s e a r c h .
Much more needs t o be done i n r e s e a r c h o r g a n i z a t i o n s t o put s a f e t y i n a
context of long-term r e s u l t s , and t h e s t e p s taken t o a s s u r e experiment o r
t e s t v a l i d i t y , w i t h p r e s e r v a t i o n of t h e r e s e a r c h f a c i l i t y as a n added bonus!
During t h e s t u d y s e v e r a l a c c i d e n t s were reviewed wherein t h e changes and e r r o r s
which caused t h e a c c i d e n t s a l s o rendered t h e r e s e a r c h d a t a i n v a l i d !
Where Are We?
Assessment of MORT w i l l , of course, r e q u i r e a l e n g t h i e r period and inde-

pandent e v a l u a t i o n . An o b j e c t i v e , s c i e n t i f i c , o r modest a t t i t u d e would
suggest t h a t a p p r a i s a l wait. However, many of those who have used t h e sys-
tem as it was b e i n g developed have urged t h a t t h e p o s i t i v e c a s e be s t a t e d
now i n o r d e r t o begin t h e t a s k of persuading o t h e r s , p a r t i c u l a r l y management,
t o t a k e t h e time t o understand MORT and i n i t i a t e experimental trials.
The g o a l s and c r i t e r i a which guided t h e s t u d y provide a concise l i s t i n g
of some presumed advantages. I n a d d i t i o n , experience and comment t o d a t e
suggest o t h e r a t l e a s t t e n t a t i v e e v a l u a t i o n s .
MORT and a s s o c i a t e d systems seem t o provide, a t t h e l e a s t , a p l a c e t o
stand -- a foundation f o r planning f u r t h e r progress.
MORT Advantages and Disadvantages

G o a l - o r i e n t t -- emphasizes s a f e t y ' s r o l e i n b u i l d i n g high performance, and
c o n g r u i t y w i t h good management methods.
Comprehensive -- endeavors t o cover a l l a s p e c t s of s a f e t y i n a l l k i n d s of

work -- a g l o b a l scope !
But, t h i s c u r t a i l s d e p t h of t r e a t m e n t of any f a c e t , and a l s o t a x e s
experience and understanding.
Systematic -- i n t e g r a t e s , o r g a n i z e s , and s t r u c t u r e s s a f e t y i n t o f u n c t i o n a l l y
d e f i n e d r e l a t i o n s h i p s and measurements.
But, c r e a t e s a formidable amount of complex d e t a i l !
F l e x i b l e -- a s s i m i l a t e s new i d e a s and concepts, which i m p l i e s f u r t h e r devel-

opment and change, and r e q u i r e s a u s e r t o d e f i n e h i s premises and methods,
But, "cookbook" s o l u t i o n s a r e e a s i e r !
Innovative -- endeavors t o use new technology and concepts and f o s t e r e x p e r i -

ment, and t o o u t l i n e ways t o g a i n acceptance o f i n n o v a t i o n s ,
But, t h e r e a r e p a i n s i n innovation, and dangers of disappointment.
Humanistic -- a t t e m p t s t o cope w i t h t h e r i c h and e x a s p e r a t i n g human q u a l i t i e s

o f t h e people who o p e r a t e t h e system, exposes t h e i r problems, and guides t h e
s e r v i c e s t h e y need f o r e f f e c t i v e , s a t i s f y i n g work,
But, t h i s i s t h e a r e a about which we know t h e l e a s t , t h e o r i e s o f t e n
c o n f l i c t , and s u p e r - r a t i o n a l i t y may seem "unhuman."
Practical -- p i e c e s o f t h e system can be introduced f o r s e p a r a t e t e s t .

-- e f f o r t can be equated t o problem (but do n o t s k i p s t e p s ) .
-- p r o j e c t s can be adapted t o c o n s t r a i n t s and c o n d i t i o n s .
-- man-power used i n trials was n o t g r e a t .
-- concepts, s t a n d a r d s of judgment, information s e a r c h and a n a l y s i s
a r e cheap compared t o hardware and a c c i d e n t s .
-- a few good d a t a a r e cheaper t h a n s t e r i l e masses of information.
-- MORT a n a l y s e s a r e f a s t (with a l i t t l e p r a c t i c e ) and a r e always
. f a s t e r t h a n b l i n d searches.
-- MORT s o l u t i o n s a r e cheaper t h a n e n d l e s s b r u s h - f i r e f i x e s .
E f f e c t i v e -- t h e p r o o f s o r testimony f o r components a r e drawn from a wide

range of p r e s e n t p r a c t i c e s ,
But, t h e degree of proof i s l e s s than adequate, o f t e n s u b j e c t i v e , and
q u a l i t a t i v e , r a t h e r t h a n o b j e c t i v e and q u a n t i f i e d . And, much of t h e
l o g i c of t h e connecting system framework h a s had o n l y i n i t i a l ,
exploratory trial.
However, every a p p l i c a t i o n h a s improved i n v e s t i g a t i o n and a n a l y s i s . Nothing

g o t worse!
Unpleasant !
Rnphasis on management r e s p o n s i b i l i t y t e s t s understanding, p a t i e n c e ,
d e t e r m i n a t i o n , and maturity. The " j a c k a s s f a l l a c y " -- blaming people --
i s e a s i e r and more comfortable, even if l e s s productive.
But, management l e a d e r s h i p , v i g o r and competence a r e t h e r e a l determinants of

safety.
Risk a n a l y s i s (and u l t i m a t e acceptance of evaluated r i s k s ) can be

i m p o l i t i c , as w e l l a s harrowing.
But, t h e r e i s no r i s k l e s s place. Risk a n a l y s i s most o f t e n l e a d s t o r i s k

r e d u c t i o n and t h e r e a l l y dangerous s i t u a t i o n s a r e t h o s e unanalyzed!
When suggesting t h a t advantages be emphasized, a scientist-manager who

participated i n the study said:
I
"An inexperienced person can become p r o f i c i e n t i n a n a l y s i s simply
by c o n s c i e n t i o u s l y following a s e t p a t t e r n of i n s t r u c t i o n s . I b e l i e v e
t h a t t h i s i s perhaps t h e most v a l u a b l e f e a t u r e of t h e whole MORT con-
c e p t and should be emphasized. Opportunities t o upgrade t h e c a p a b i l i t i e s
of personnel i n a n e n t i r e component of a company without e x t e n s i v e
t r a i n i n g o r personnel replacement a r e a l l but nonexistent. Yet p r o p e r l y
used, t h i s i s e x a c t l y what MORT can do."
Unfinished Business
F u r t h e r s i m p l i f i c a t i o n and i n t e g r a t i o n a r e needed. For example, t h e MORT
Hazard Analysis Process ( c h a p t e r 23), t h e Framework f o r Analysis of Risk
( ~ i g - u r e21-3), and Aero j e t ' s Configuration Control Tree ( ~ x h i b i t3) are s i m -
ilar i n purpose and o v e r l a p i n degree. However, t h e t h r e e methods a r e mutu-
a l l y complementary, and f u r t h e r t r i a l i s needed t o develop a s y n t h e s i s .
Proof and q u a n t i f i c a t i o n a r e s o r e l y needed and should be f e a s i b l e , p a r t l y
a
because s o many v a r i a b l e s have now been defined.
Broader scope of a p p l i c a t i o n and more e x p e d i t i o u s t r a n s i t i o n t o new methods
can probably come o n l y from expanded t r a i n i n g and trials.
Most important, each a c c i d e n t , each f a i l u r e , must be used as a b a s i s f o r
improving t h e system.
0
I
I
I
I
I
Recipe Ingredients:
GETTING STARTED
One accident, problem o r program

One s e t of MORT diagrams
-
Red, green and blue pencils.
I
1. Color t h e bubbles ( c i r c l e s a r e b a s i c problems).
I
Red -- appears d e f i c i e n t .
Green --
appears oak.
Blue --
don't know.
2. For each blue bubble,

l i s t t h e questions needing answers.
3. Consult t h e cookbook i f d e f i n i t i o n s o r c r i t e r i a a r e needed.

4. Two-person dialogue greases the process.
5. Cooking time -- one houri f o r tough problems, u n t i l done.
6. Serves everyone.
This page intentionally blank
11. WHAT PRODUCES HAZARDS
This Part includes discussion of c e r t a i n
accident concepts which combine t o pro-
duce a new d e f i n i t i o n of an accident,
more functional f o r preventive purposes.
The accident d e f i n i t i o n which evolves is:
1. An unwanted t r a n s f e r of energy,
2. Because of lack of b a r r i e r s and/or controls,
3. Producing i n j u r y t o persons, property o r process,
4. Preceded by sequences of planning and operational e r r o r s , which:
a. Failed t o a d j u s t t o changes i n physical o r human f a c t o r s ,
b. And produced unsafe conditions and/or unsafe a c t s ,
5. Arising out of t h e r i s k i n an a c t i v i t y ,
6. And i n t e r r u p t i n g o r degrading t h e a c t i v i t y .
I.. ACCIDENT/INCIDENT.
An i n c i d e n t , a s we s h a l l d e f i n e the term, i s s i m i l a r t o an accident but
without i n j u r y o r damage (element number 3 i n the d e f i n i t i o n on page 25).
This ~ c c i d e n t / ~ n c i d e ndti s t i n c t i o n i s adopted from aerospace system
s a f e t y practice. It seems t o conform t o common usage. h he phrase "Acci-
d e n t / ~ n c i d e n t," however, is somewhat awkward, so the word accident i s gener-
a l l y used i n t h i s t e x t and construed a s including both kinds of events where
pertinent. )
It has been suggested t h a t the term accident be defined t o include a
"not n e c e s s a r i l y i n j u r i o u s o r damaging event. " ( ~ a r r a n t,s 1965. ) The
motivation behind t h e notion i s sound -- such events a r e within t h e scope
and concern of preventive e f f o r t . The "near miss" may have great import f o r
safety. Tarrants did not use the concept of "unwanted t r a n s f e r of energy,"
and thereby picked up some non-accident events. For example, an unwanted
r e l e a s e of energy may occur i n a non-injurious manner because of s a f e design.
It would i n t e r r u p t the a c t i v i t y a s was a n t i c i p a t e d , but hardly seems an
accident; r a t h e r , the opposite! The event i s an "incident."
Events of i n t e r e s t may be arranged i n order of increasing concern,
which i s a l s o the order of decreasing frequency:
Changes
1
Errors
1
unsafe Conditions and Unsafe Acts
i
Incidents
1
Injury Accidents Damage
Minimal Minimal
I
"Tabulatable"* I
t ( c l a s s e s defined
Temporary Total* on a logarithmic
1 ' scale)
Permanent**
1
Death
4
Multi -De a t h F a c i l i t y Destruction
* Definable i n a v a r i e t y of ways.
*+ May be broken i n t o subclasses by s e v e r i t y .
The b a s i c point t h a t an accident i s t h e u n i t event, and may produce multiple

i n j u r i e s and/or damage, would probably not need emphasis were it not t h a t so
much o c c u p a t i o n a l d a t a u s e s t h e " i n j u r y " as t h e u n i t event. Classification
of t h e s e r i o u s n e s s of e r r o r s and a c c i d e n t s may t h e r e b y be d i s t o r t e d , and t h e
magnitude of review and hazard r e d u c t i o n r e q u i r e d f o r changes may be unneces-
s a r i l y obscured. For example, i n a f r e q u e n c y - s e v e r i t y m a t r i x , t h e s e v e r i t y
s c a l e should r e f l e c t p o t e n t i a l s f o r m u l t i - i n j u r y and multi-death a c c i d e n t s ,
and a l l u n t o w a r d impacts should be included i n a s i n g l e r e s u l t .
I f we a r e s a t i s f i e d of t h e expedient need t o t a b u l a t e i n j u r i e s r a t h e r t h a n
a c c i d e n t s , t h e OSHA o r ANSI i n j u r y d e f i n i t i o n s may be simple and u s a b l e t o
d e r i v e a c o n t r o l f a c t , b u t non-functional f o r damage a c c i d e n t s and f o r preven-
t i o n purposes.
F u n c t i o n a l a s p e c t s of o u r d e f i n i t i o n of an a c c i d e n t can be suggested:
1. Energy p r e s e n t i n a t a s k i s a s s o c i a t e d w i t h performance of t h e t a s k
( t h a t i s , u s u a l 1y cannot be p r o h i b i t e d ) , b u t must be c o n t r o l l e d .
2. Excessive energy build-up i s a change, o r change r e l e a s e s t h e energy
i n a n unwanted manner.
3. If an a c t i v i t y h a s been proceding f r e e of a c c i d e n t s , change i n t h e
system i s "cause," o r an a n t e c e d e n t o f t h e problem.
4. If an a c t i v i t y i s new, t h e a c t i v i t y i t s e l f is change.
5. P l a n n i n g i s , by i n f e r e n c e , d e f i n e d as a n t i c i p a t i o n o f change, e r r o r ,
and p o t e n t i a l energy r e l e a s e , and a d v e r s e consequences of such.
6. Risk i s i n h e r e n t i n any a c t i v i t y .
I n p r a c t i c e t h e u s e f u l n e s s of t h i s d e f i n i t i o n w i l l depend i n p a r t on t h e
d e g r e e t o which people can be c o n s t r u c t i v e l y s e n s i t i z e d t o energy c o n t r o l , t o
changes and a p p r o p r i a t e counterchanges, and t o r i s k a n a l y s i s .
Hazard,
The s t a t e d d e f i n i t i o n of an a c c i d e n t s u g g e s t s a d e f i n i t i o n of hazard a s :
t h e p o t e n t i a l i n a n a c t i v i t y ( o r c o n d i t i o n o r circumstances) f o r an a c c i d e n t ,
particularly:
1. An unwanted t r a n s f e r of energy,
2. Which can occur i n random v a r i a t i o n s of normal o p e r a t i o n s o r from
changes i n p h y s i c a l o r human f a c t o r s .
Among t h e h a z a r d s t o be i d e n t i f i e d and c o n t r o l l e d are t h o s e which r e s u l t
from i n t e r a c t i o n of two o r more energy p o t e n t i a l s .
-
Risk.
The s t a t e d d e f i n i t i o n s of a c c i d e n t and h a z a r d , i n t u r n , suggest a d e f i n i -
t i o n of r i s k :
1. The p r o b a b i l i t y d u r i n g a period of a c t i v i t y ,
2. That a hazard,
.
3 W i l l r e s u l t i n accident,
4, With definable consequences.
The elements of definable p r o b a b i l i t y and consequences a r e p a r t i c u l a r l y
significant. This definable c h a r a c t e r i s t i c leads t o c l a s s i f i c a t i o n of r i s k s
as:
1. Assumed. ca.1~- -- before the accident. These a r e
u s u a l l y few i n number.
2. Uncertainties, e r r o r s . oversights. omissions -- and sometimes hunches
o r guesses, not well known u n t i l a f t e r an accident. These a r e u s u a l l y
l a r g e r i n number.
2. ENERGY AND BARRIERS
Energy i s t h e c a p a c i t y t o do work and i s t h e r e f o r e an e s s e n t i a l t o per-

formance. Energy use per c a p i t a has r i s e n on an exponential curve.
The energy forms which produce i n j u r y and damage a r e :
Kinetic, chemical, thermal, e l e c t r i c a l ,
ionizinq and non-ionizing r a d i a t i o n ,
acoustic, biologic,
and by i n t e r f e r i n g with normal energy exchange:
exclusion of oxygen and exposure t o elements.
A u s e f u l s e t of concepts of energy and b a r r i e r s was developed by Gibson
(1961) and Haddon (1966 and e a r l i e r ) . They made t h e point t h a t an accident
i s an abnormal o r unexpected r e l e a s e of energy. The concepts were u t i l i z e d
and improved by t h e U, S. Commission on Product Safety (1968-69).
The energy concept seems t o have s e v e r a l values:
Simplicity and o b j e c t i v i t y ,
Suggests common approaches t o a form of energy,
Suggests t h a t hazard modes f o r a kind of energy may be more e x p l i c i t
than t h e terms now used i n most accident s t a t i s t i c s analyses,
Suggests t h a t s c a l i n g of hazards (and preventive programs) may be
more e x p l i c i t f o r a given form of energy,
Provides a point of s i m i l a r i t y t o system a n a l y s i s of energy t r a n s f e r s ,
S e n s i t i z e s u s t o energy build-up, and t o r e l e a s e mechanisms,
Reminds u s t o consider a product o r s i t u a t i o n f o r a11 kinds of energy,
A l e r t s u s t o sequences of i n t e r a c t i o n of v a r i o u s forms of energy.
The human body (or any given o b j e c t ) has tolerance l e v e l s o r i n j u r y thresh-
o l d s f o r each form of energy, Energies, p a r t i c u l a r l y near o r above thresholds,
must b e ' q u a n t i f i e d t o determine t h e magnitude of c o n t r o l required. A summary
of t h e l i t e r a t u r e on energies and i n j u r y thresholds was prepared f o r t h e U. S.
National Commission on Product S a f e t y ( ~ e i n e r ,1969). Factors common i n
i n j u r y production, i n a d d i t i o n t o magnitude, were duration o r frequency of
exposure, and concentration of f o r c e s . The magnitudes of t o l e r a b l e f o r c e s ,
o f t e n expressed as exposure matrices, suggest g r e a t e r emphasis on generic
standards f o r energy t r a n s f e r , r a t h e r than standards f o r s p e c i f i c s i t u a t i o n s ,
which can be i n h i b i t i n g o r narrow s p e c i f i c a t i o n s .
...
McFarland (1967) s a i d :
" a l l a c c i d e n t a l i n j u r i e s (and damage) r e s u l t , (1) from t h e a p p l i -
c a t i o n of s p e c i f i c forms of energy i n amounts exceeding t h e r e s i s t a n c e
- 32 -
of t h e t i s s u e s ( o r s t r u c t u r e s ) upon which they impinge, o r (2) when
t h e r e i s interference i n t h e normal exchange of energy between t h e
..
organism and t h e environment (e g , a s i n suffocation by drowning) .
Thus, t h e various forms of energy ... c o n s t i t u t e t h e d i r e c t causes
of i n j u r i e s i n accidents. Also, prevention of ' i n j u r i e s can o f t e n be
achieved by controlling t h e source of the energy, o r t h e vehicles o r
c a r r i e r s through which t h e energy reaches t h e body.
"While t h e s p e c i f i c types of energy which give r i s e t o i n j u r i e s are
q u i t e l i m i t e d i n number, t h e forms i n which they abound and t h e
v a r i e t y of t h e vehicles o r c a r r i e r s of energy a r e innumerable. Man
himself i s constantly compounding t h i s s i t u a t i o n as he develops more
powerful sources of energy and p u t s t h e various kinds of energy to
new uses.''
The nuclear energy p r o j e c t s u t i l i z e energies i n g r e a t v a r i e t y and magni-

tude, This suggests t h a t energy-based accident concepts may have p a r t i c u l a r
value f o r AEC.
A weakness i n t h e "energy" concept i s that most accidents f a l l i n t h e
k i n e t i c category. This n e c e s s i t a t e s use of i n j u r y mode subclasses, such as:
f a l l (1 o r 2-level), nip, shear, c u t t i n g , and bodily motion. The concept
seems, a t t h i s time, l e a s t u s e f u l i n t h e s u b s t a n t i a l categories of s t r a i n s ,
s p r a i n s , and falls on one l e v e l , Nevertheless, advantages c i t e d seem increas-
ingly clear. Useful s t u d i e s i n k i n e t i c , chemical, e l e c t r i c a l , r a d i a t i o n and
biologic energies have been done.
Even f o r t h e broad grouping of accidents under k i n e t i c energy, t h e metic-
ulous t r a c i n g of energy flow has proven i n t h i s study t o be a u s e f u l a n a l y t i c
method t o make v i s i b l e t h e number of p r a c t i c a l p o t e n t i a l s f o r i n t e r r u p t i n g
energy flow, e i t h e r i n hazard a n a l y s i s o r i n accident investigation. Process
a u d i t can a l s o be guided by t h e meticulous energy t r a c e and c a r e f u l examina-
t i o n of p o t e n t i a l energy i n t e r a c t i o n s ,
We continuously use energy magnitudes i n everyday decisions, f o r example:
allowing g r e a t e r clearance f o r heavy, s w i f t l y moving o b j e c t s ; admitting a
c i g a r e t t e l i g h t e r but frowning on a can of gasoline; handling f l a s h l i g h t s , but
using 110 v o l t s only with controls, and avoiding "high" voltages; t o l e r a t i n g
i l l e g a l "lady f i n g e r " f i r e c r a c k e r s but avoiding a case of dynamite.
Three p r a c t i c a l requirements f o r c e us t o consider t h e f e a s i b i l i t y of
developing energy magnitude c r i t e r i a and energy-exposure matrices t o b e t t e r
express what we w i l l t o l e r a t e o r accept:
1. A t l e a s t order-of-magnitude energy d a t a a r e needed i n systems analysis.
2. The cost of c o n t r o l l i n g energy sources w i l l f o r c e u s t o choose between
c o n t r o l l i n g r e l a t i v e l y l a r g e numbers of small energies o r r e l a t i v e l y
s m a l l numbers of l a r g e energies .
3 . Delegation of decisions regarding p o t e n t i a l , harmful energy r e l e a s e s
i s a p r a c t i c a l necessity, and decisions o r feedbackcannot be system-
a t i c without standards of judgment.
Thus, whether we are e x p l i c i t o r not, we a r e using a decision standard
constructed somewhat as follows:
Figure 2-1. Risk Decision Standard.

Number of people involved
one few many
I 'I NO effects
Potential I1 No i n j u r y , i r r i t a t i n g
Energy I11 S l i g h t l y i n j u r i o u s
Effects IV Seriously i n j u r i ~ u s
V Fatal D
-
We do appear t o delegate decisions i n a r e a A t o the operator

l e v e l , i n B t o first l e v e l supervision, C t o middle o r senior
management, and D reserve f o r top management. Shall we dele-
g&e more s p e c i f i c a l l y , e.g., by specifying each l e v e l of each
energy and each source? Or s h a l l we attempt t o define (whether
i n general o r by s p e c i f i c a t i o n ) the permissible l i m i t s of
delegated a u t h o r i t y ? The s c a l i n g mechanisms suggested f o r t h e
Hazard Analysis Process and the development of improved energy
s c a l i n g mechanisms a r e more f u l l y discussed i n Chapter 24,
Barriers .
Haddon apparently originated t h e concept t h a t harmful e f f e c t s of energy
t r a n s f e r a r e commonly handled by one o r more of a succession of measures. As
expanded i n t h i s study, t h e " b a r r i e r s " are:
1. Limit t h e energy ( o r s u b s t i t u t e a s a f e r form),
2. Prevent t h e build up,
3. Prevent t h e release,
4. Provide f o r slow r e l e a s e ,
5. Channel the r e l e a s e away - that i s , separate i n time o r space,
6. Put a b a r r i e r on t h e energy source,
7. Put a b a r r i e r between t h e energy source and men o r objects,
8. Put a b a r r i e r on t h e man o r object - block o r attenuate the energy,
9. Raise t h e i n j u r y o r damage threshold,
10. Treat o r r e p a i r ,
ll. Rehabilitate.
These concepts hold a v a r i e t y of important implications f o r d a t a collec-
t i o n and a n a l y s i s , and f o r hazard reduction.
For ease of reference, t h e successive s t e p s (1 t o 9) have been called
"energy b a r r i e r s , " but t h i s connotes physical interventions. A procedure may
be t h e means of separating i n time o r space, f o r example, with a procedure of
f i r i n g explosives at t h e end of a s h i f t (but these have been called "paper
barriers"). S u b s t i t u t i n g a l e s s harmful energy may be a way t o " l i m i t t h e
energy" o r "prevent the build-up," and we see many of t h e s e b a r r i e r s i n s a f e t y
practice.
Haddon suggests t h a t t h e earrlier i n t h e b a r r i e r sequence the preventive
s t e p s can i n t e r r u p t t h e energy t r a n s f e r , t h e b e t t e r . He f u r t h e r suggests
t h a t t h e g r e a t e r t h e p o t e n t i a l damage, t h e e a r l i e r should be the i n t e r r u p t i o n
and multi-interrupti ons (redundancy) should be provided.
The portion of MORT a n a l y s i s dealing with f i n a l r e s u l t s of energies and
b a r r i e r s i s shown below.
Figure 2-2. Energy and B a r r i e r Tree
I "INCIDENT" I I ( 1 TEE: 1
I AFFECTED BY #1
ENERGY FLOW ENERGY FLOW
(LTA = l e s s than adequate )

One value i n t h e b a r r i e r concept seems t o be t h e way it provokes t h e
imagination t o see t h e varied p o s s i b i l i t i e s f o r safety. For example, grinding
wheel s a f e t y p r a c t i c e s r e f l e c t s e v e r a l of these sequential steps: prevent
excessive build-up, prevent r e l e a s e , put b a r r i e r s on t h e machine, and put a
b a r r i e r on t h e man.
A worksheet used i n a t r a i n i n g program i s shown i n Figure 2-3. The suc-
cessive protective f e a t u r e s f o r grinders a r e shown, plus a v a r i e t y of o t h e r
examples. The open space w a s used t o get other i l l u s t r a t i o n s from t h e c l a s s .
Figure 2-3. Examples of B a r r i e r s
Type Grinders Others

I
1. Limit . Speed . Low v o l t a g e instruments

energy l size 'Use s a f e r solvents
' Limit q u a n t i t i e s
1
, I Limit controls, fuses
2. Prevent I Use s h a r p t o o l s
build-up Gas d e t e c t o r s
, Floor loading
,Store Containment
3. Prevent ;Test : Insulation
release : ~ount ! Toe boards
;Tool Rest I Life l i n e
I Rupture
I
i disc
i
4. Provide r j S a f e t y valve
slow ( Seat b e l t s
release : , Shock a b s o r p t i o n
I
I
I Rope o f f a r e a
5. Channel / Exhaust A i s l e marking
away II
(separate )/
1
j E l e c t r i c a l grounding
Lock-outs, I n t e r - l o c k s
6. on
source
1 ~uard 1 Sprinklers
1 Filters
i I Acoustic treatment
I
1
7. Between /1 Glass
Shield
I Rail on a i s l e
F i r e doors
Welding s h i e l d s
I I
I
8. OnMan /Goggles Shoes, Hard h a t s
or Gloves, R e s p i r a t o r s
object
i! Heavy P r o t e c t o r s
9. Raise
Threshold
I Selection, calluses
Acclimatize t o h e a t o r cold
1 Damage r e s i s t a n t m a t e r i a l
I
/ Emergency showers
10. Ameliorate T r a n s f e r t o low r a d i a t i o n job
/
i
Rescue
i Emergency medical c a r e
11. Rehabili-
tate
- 36 -
Then t h e order of l i s t i n g can be used t o t e s t t h e r e l a t i v e e a l i n e s s i n t h e
sequence a g a i n s t e f f e c t i v e n e s s . The systematic use of successive b a r r i e r s
i s c l e a r l y apparent from examination of f i r e prevention p r o t e c t i o n f e a t u r e s .
A walk through t h e e x h i b i t a t t h e National Safety Congress w i l l give
c o l o r f u l evidence of t h e v a r i e t y and investment i n b a r r i e r s t o harmful energy.
If Haddon's b a r r i e r concept were j u s t a way of categorizing t h e many,
many p r o t e c t i v e f e a t u r e s i n present s a f e t y p r a c t i c e , t h e scheme might be only
an i n t e l l e c t u a l exercise. However, i n t h i s study, the meticulous a p p l i c a t i o n
of t h e b a r r i e r hierarchy t o s p e c i f i c energy t r a n s f e r p o i n t s has proven use-
f u l i n s t i m u l a t i n g i d e a s f o r use of t e s t e d methods and new, innovative methods
of i n t e r r u p t i n g t r a n s f e r . For example, i n t h e high-explosive p r e s s accident
( ~ ~ ~ e n A-3),
d i x t h e b a r r i e r d i s c i p l i n e applied t o a meticulous energy t r a c e
r a i s e d t h e question as t o why t h e press was given a f l u i d r e s e r v o i r l a r g e
enough t o push t h e ran t o an unwanted position. I n o t h e r accidents t h e use
of t h e method produced a "brainstorm" of i d e a s from young engineers, and some
proved p r a c t i c a l .
A l l t o o f r e q u e n t l y two energies i n t e r a c t -- f o r example, a l i f t truck
r u p t u r e s chemical apparatus. Such s i t u a t i o n s provide opportunity t o consider
two s e r i e s of energy b a r r i e r s , one s e t between t h e two energy sources, and
one s e t between t h e energy and t h e people.
The energy concept suggests t h a t s a f e t y i s pre-planned energy management
f o r high performance.
***
The energy source groups c u r r e n t l y i n use a t Aero j e t t o develop t h e next
generation of p r i o r i t y problem l i s t s a r e :
Potential 3.3 Toxic
1.1 E l e c t r i c a l 3.4 Flammable
1.2 Nuclear
1.3 G r a v i t a t i o n a l (m h ) 4. Thermal
1.4 Pressure v e s s e l $V)
1.5 Coiled Spring (kd 5. Radiant
Kinetic
5.1 Electromagnetic & P a r t i c u l a t e
2.1 Linear
1-2 X-Ray
2.2 Rotational
1-3 Light ( l a s e r )
Chemical and Biological 1-4 U l t r a v i o l e t
3.1 Corrosive 5.2 Acoustical
3.2 Explosive 5.3 Thermal ( r a d i a n t )
This grouping has seemed to be u s e f u l i n t h r e e ways: (1) s t i m u l a t i n g incident
o r s i t u a t i o n r e p o r t s , ( s ) s c a l i n g by magnitude, and (3) development of b a r r i e r
and t a r g e t i n f o n a t i o n which i n t u r n l e a d s t o p r o b a b i l i t y and consequence scaling.
3. FmQUENCY-SEVERITY MATRICES AS A MANAGEMENT TOOL
This chapter s u b - t i t l e could be : "What Produces What Amount o f Hazard?"

Harmful e f f e c t s of most energy forms operate through d i s t a n c e - i n t e n s i t y
matrices. These, i n t u r n , a r e t h e genesis of frequency-severity matrices
f o r harmful e f f e c t s . The frequency-severity matrices, i n t u r n , have impli-
c a t i o n s f o r d i r e c t i o n and a l l o c a t i o n of resources f o r reductions i n hazard,
and perhaps most important, provide t h e b a s i s f o r p r o j e c t i n g t h e inexorable
q u a l i t y of d i s a s t e r p o t e n t i a l s , and thereby generate f u l l e r understanding of
t h e precept:
WHAT CAN HAPPEN, WILL HAPPEN, t h e only u n c e r t a i n t y i s When! -

Energy matrices, coupled with d i s t r i b u t i o n of energy sources and people
i n space, produce matrices of i n j u r y frequency and s e v e r i t y by energy source
o r subtype, which a r e l i k e l y t o be u s e f u l i n a t l e a s t two ways:
1. Consideration of the unique i n j u r y production matrices of d i f f e r e n t
energy sources, and t h e r e f o r e , t h e i r unique negative e f f e c t on over-
a l l safety,
2. Longer term p r e d i c t i o n s of a spectrum of consequences, including
s e r i o u s outcomes, even though present experience may be s h o r t ,
v a r i a b l e and u n r e l i a b l e .
A matrix of major c a t e g o r i e s of work i n j u r i e s can be approximated from
National S a f e t y Council and U. S. Public Health Service d a t a on annual U.S.
t o t a l s as shown i n Figure 3-1. The estimate of medical and temporary par-
t i a l i n j u r i e s may not be accurate. The slope of t h e last two segments of
t h e l i n e approximates ' ~ 5 ' which i s t h e " l i n e of balance" on a log-log chart.
That i s , t h e more severe i n j u r i e s a r e decreasing i n frequency a t about t h e
same r a t e as t h e y i n c r e a s e i n seriousness. Thus t h e projected aggregate
impact of t h e last t h r e e groups is roughly equal, i f days charged a r e a
c o r r e c t measure.
Figure 3-2 shows t h e s i m i l a r i t i e s of broad i n d u s t r i a l groups. There a r e
differences, t o o -- note t h a t t h e chemical i n d u s t r y record is more l i k e con-
s t r u c t i o n than all i n d u s t r y i n slope toward deaths. Other d a t a (not pic-
tured) show g r e a t s i m i l a r i t y of AEC 10-year research d a t a and similar d a t a
from NSC chemical l a b s , f o r example, permanent p a r t i a l s were 7.2% and 6.7%
of d i s a b l i n g i n j u r i e s , respectively. Other examples a r e included i n Chapter 41.
Use of matrices t o a s s e s s t h e spectrum of s h o r t and long term i n j u r y and
Frequency-Severity Matrix-Type Chart f o r
All Industries, Chemical and Construction Industries
Standard Classes of Disabling Injuries
Average Time Charge

Temporary Totals Permanent P a r t i a l s Deaths
(+ permanent t o t a l s )
* per million man-hours
damage p o t e n t i a l s has advantages which seem t o include:
/
1. A format i s provided t o explore t h e degree t o which l e s s severe

c a t e g o r i e s a r e p r e d i c t i v e of more severe c a t e g o r i e s , p a r t i c u l a r l y
f o r a type of energy o r type of industry.
2 8 A continuum i s established t o which even more frequent e r r o r and
change d a t a , which a l s o may be p r e d i c t i v e , can be added,
3. The "sharp pencil" p r a c t i c e s t o lower i n j u r y c l a s s i f i c a t i o n of
c e r t a i n cases, which now plague standard occupational r a t e s , have
much l e s s e f f e c t on inferences.
4 A format i s provided whereby:
8
a. more severe temporaries and o t h e r events can be made v i s i b l e ,

b. multiple r e s u l t s of one accident ( i n j u r i e s and damage) can
be r e f l e c t e d ,
c. The u l t i m a t e long-term p o s s i b i l i t y (high o r low) of d i s a s t e r s
can be made v i s i b l e i f trend l i n e s a r e extended t o more s e r i o u s
results,
d. damage a c c i d e n t s and f i r e s can be s i m i l a r l y p l o t t e d using an
economic denominator t o equate damage t o i n j u r y , o r v i c e versa.
5 . ~nvestment/benefit implications of emphasizing minor v s . major
i n j u r i e s a r e more c l e a r l y implied.
The matrices have been explored i n some d e t a i l and a t a l l t h r e e s i t e s
during t h i s study. For a time it was f e l t they might be a primary manage-
ment t o o l . However, a t present t h e i r values seem t o l i e within t h e r i s k
assessment problem discussed i n Chapter 41, t h a t is, one of s e v e r a l t o o l s .
The matrix u s e s order-of-magnitude values of frequency and s e v e r i t y
p l o t t e d on log-log paper. The slope o r shape of t h e l i n e s gives an impor-
t a n t p i c t u r e , not t h e r e l a t i v e h e i g h t s of t h e l i n e s . The matrices can be
used f o r t h r e e purposes:
1. Visually p r o j e c t i n g r a r e event p o s s i b i l i t i e s , when organizational
exposure i s limited.
2. A l i n e sloping at l e s s than 45' i s a very dangerous l i n e - it may
signal a disaster.
3 . Management emphasis i n t e n s of t h e Pareto P r i n c i p l e , t h e " v i t a l
few" o r t h e " t r i v i a l many" can be assessed v i s u a l l y o r mathematically.
Thus f a r , no s u b s t a n t i a l l i t e r a t u r e on t h e matrix approach has been
l o c a t e d ; t h e quickest way t o f i n d it may be t o say it i s sparse! A paper
of F. R. Farmer, United Kingdom Atomic Energy Authority (1967), used such
matrices i n analyzing deployment of preventive e f f o r t . Occasionally a
log-log plot appears i n a technical safety paper, but the method has not been
given emphasis. (sumy, 1969, provides an example. )
The frequency-severity matrix when plotted on log-log paper commonly tends
toward a more o r l e s s s t r a i g h t l i n e , Fanner raised the question i n nuclear
radiation f i e l d s of whether preventive e f f o r t should be deployed:
1. Along the whole l i n e ,
2. On the high-frequency, low-severity portion,
3 . Or, on the low-frequency, high-severity portion?
I n t h i s study, f i r e data plotted by severity was predictive of a d i s a s t e r
because the l i n e w a s sloping at l e s s than 4.50, which is a "dangerous curve!"
For t h i s and other reasons (eag., managerial and public impact) the author
tends t o favor t h e t h i r d of Fsumer's alternatives.
Pareto's law and the high cost of the "vital few" a l s o favor t h e approach.
Pearson (1969) and Peterson (l9?l), both with Employers' Insurance of Wausau,
have urged such a t t e n t i o n , as has t h e i r company. A s a current example, the
Bureau of Mines has announced a special drive on cool mine haulage deaths, now
the leading cause.
The t r i c k y job of safety management is t o balance:
1. Review of every accident/- (and use incident r e c a l l t o gain
more reports) f o r individual preventive value,
2. Give special a t t e n t i o n t o the " v i t a l few."
Fire Matrices. During t h i s study a special report was provided t o AEC
indicating t h a t a "20-20 hindsight" analysis of events leading up t o a major
f i r e suggested t h a t r i s k of major l o s s might have been detected by a routine
form of analysis, namely, reporting of f i r e s by the order-of-magnitude l i m i t s
l i s t e d above. The matrix had an almost uncanny s t r a i g h t l i n e pointing at the
major f i r e . ( ~ i ~ u 3-3
re ) .
Later i n the study, at one s i t e , very sparse data (few f i r e s ) suggested
a s i m i l a r signal. ( ~ e p e a t e d l y ,this study has been handicapped by the f a c t
t h a t AEC s i t e s do not have enough accidents t o make r e l i a b l e projections -- a
good problem!) When the sparse data were examined at t h i s s i t e , it w a s discov-
ered t h a t the few f i r e s were a non-homogenous collection of events ranging from
f i r e s a s ordinarily understood, t o e l e c t r i c a l f a i l u r e s , t o a remote common-
c a r r i e r f i r e involving equipment, However, it didn't take long t o check out the
false alert.
There is enough d a t a t o warrant a strong recommendation that AEC o r any
other large organization i n s t i t u t e trial of an order-of-mmitude f i r e reporting
F i g u r e 3-3
Divergent Slopes of R a d i a t i o n and F i r e Data
Probability
Data
Actual
X
Fire
Radiat
Exposu
Severity
?Tote: Absolute v a l u e s f o r r a d i a t i o n and f i r e s a r e on d i f f e r e n t s c a l e s .
system, computerize the information, and ask the machine t o give s i g n a l s when
t h e d a t a warrant. AEC as a whole may be homogenous within t h e d e f i n i t i o n s
applicable t o predictive techniques. Individual s i t e s could p r o f i t a b l y watch
f i r e matrices, but if a proper system of reporting i s i n s t i t u t e d , a headquar-
t e r s computer could watch and a s s e s s t h e d a t a equally well o r b e t t e r , and could
send out s i g n a l s t o take a harder look at selected r i s k s . (A r e l a t e d f i r e -
predictive technique i s c i t e d i n Chapter 41 as "Extreme Value Technology." The
i n d i c a t i o n s a r e t h a t any l a r g e pool of f i r e information can p r o f i t a b l y be
organized t o send out warnings. )
The matrix can a l s o be executed as a t a b l e t o extend p r o b a b i l i t y and
consequences t o estimates which can then be a g g e g a t e d ; t h i s can be done f o r
days l o s t o r d o l l a r values, and f o r a year o r ten years. The t o t a l o r
aggregate then r e p r e s e n t s t h e exposure.
Average
Events Probability Consequences Extension
Total
When t h i s has been done f o r f i r e d a t a , the d o l l a r value of d i s a s t e r s with

low p r o b a b i l i t y may emerge as a s i g n i f i c a n t f i g u r e . The spectrum of conse-
quences i s useful i n r i s k analysis.
Comparisons of I n j u r y o r Damage Sources. AEC's r a d i a t i o n exposure d a t a

show sharp decreases i n exposure frequencies as exposures approach i n j u r y
thresholds, t h e contrary of t h e above c i t e d f i r e prediction. Thus, t h e d a t a
i n d i c a t e t h e e x i s t i n g r a d i a t i o n protection system i s not l i k e l y t o produce
h g e r numbers of s e r i o u s i n j u r i e s (except i f t h e system i s changed i n an un-
tow& manner).
The r e l a t i v e slopes of t h e f i r e and r a d i a t i o n l i n e s a r e shown i n Figure 3-3.
No s c a l e s a r e shown on t h e log-log c h a r t because t h e absolute d a t a a r e non-
comparable.
The h i s t o r i c s a f e t y precept, "prevent the minor i n j u r i e s and you prevent
t h e majors," seems, i n some p a r t , t r u e f o r a type of accident i n a given s i t u a -
tion. However, heavy emphasis on an o v e r a l l "frequency r a t e , " which i s essen-
t i a l l y a r a t e f o r temporary t o t a l d i s a b i l i t i e s , o r on r a t e s f o r even l e s s
serious i n j u r i e s , has perhaps done occupational s a f e t y a s much h a m a s good
since it f a i l s t o d i r e c t a t t e n t i o n t o t h e sources of t h e most severe accidents.
Heinrich (1959 and e a r l i e r ) had drawn a t t e n t i o n t o t h e high r a t i o of un-
s a f e a c t s and conditions t o i n j u r i e s , and t h e high r a t i o of minor t o major
i n j u r i e s , and c o r r e c t l y urged a t t e n t i o n t o t h e numerous events. However, t h e
p r i n c i p l e seems t o be misapplied i f a l l accident sources a r e lumped together,
because a t t e n t i o n w i l l be focussed on sources of minor i n j u r i e s r a t h e r than
major events.
A s e a r l y as 1940 Grieve of t h e NSC s t a f f r a i s e d the question of emphasis
on minor i n j u r i e s i n t h e e l e c t r i c u t i l i t y industry pointing out t h a t minor
i n j u r i e s (tending t o be bumps, bruises, minor c u t s and dust i n eyes) did not
focus on causes of e l e c t r i c shock f a t a l i t i e s .
Thus t h e minor t o major continuum has preventive values primarily within
a s p e c i f i c type of accident. I n t h i s study " c r i t i c a l incident" (near miss)
r e p o r t s w i l l be shown t o be predictive of more serious incidents i n ways i n
which t h e t y p i c a l first a i d cases a r e not.
The matrix i s an a i d t o management of the vital few; i t helps give v i s i -
b i l i t y t o t h e nature of problems, whereas t h e t y p i c a l i n j u r y r a t e s obscure
meanings.
The programming implications of t h e matrix a r e f u r t h e r displayed i n
Figure 3-4. m i l e we a r e a n t i c i p a t i n g l a t e r developments i n the t e x t , the
values f o r safety management a r e s u f f i c i e n t l y important t o warrant e a r l y display.
The consequences of accident/incidents a r e c l a s s i f i e d by magnitude. Inves-
t i g a t i o n of a l l of t h e s e has value f o r designing cures.
The l i m i t a t i o n on minor i n j u r i e s is t h a t they a r e l a r g e l y predictive of
minor i n j u r i e s .
The value i n incident r e p o r t s i s t h a t they may be predictive of major
events .
Two order-of-magnitude concepts were developed by DOD t o form a matrix use-
f u l i n decisions i n system s a f e t y . The categories were f i r s t :
4
"Probable (10 hours (or other u n i t s )
"Reasonably probable" (10 5 hours
"Remote " <lo7 hours
"Extremely remote" >lo7 hours
and second:
"Safe " = = failure r e s u l t s i n no major damage, not functional
damage, nor contributes t o i n j u r y o r damage.
"Marginal" = without major damage o r injury.
"Critical" = injury, damage s u b s t a n t i a l .
"Catastrophic" = l o s s of the system, death, o r multiple injury.
Consequences
Super-catastrophe
Catastrophe
Multi-death
- Figure 34..
Investigation
Preventive Implications of Matrix.
Cures
Q
4
- - - - - - Advanced Technology
- - - - - - - - - - - Incidents Do
Death Cumulate
Permanent in
Severe Disabling Sequences
A
Other Disabling I
I
Medical I
I
F i r s t Aid i
I
Big Incidents i
I
Small Incidents I
I
I
I
I
Critical
Incident
Studies .
(1) "Bodily Movement, NEc" (bumps, bruises, minor cuts, e t c .) I
may be largely predictive of minor i n j u r i e s , but they should Taps Operational Knowledge
a l l be screened individually; group study i f problem warrants.
(2) Big Incidents w i l l be known t o Management.
(3) Job Safety Analysis and C r i t i c a l Incident studies are t h e two best methods of finding small events
predictive of large events.
-46-
A matrix constructed with these terms, Figure 3-5. becomes a decision
aid.
Fiffure 3-5. ~ i k kTolerance Matrix

Safe Marginal Critical Catastrophic
Probable
I
Remotely Probable I
Remote
Extremely Remote
Tolerable? Tolerance Cannot

Level? Tolerate ?
Categories of situations t o be handled a t a given l e v e l of management

can be defined. I n system safety the direction and magnitude of preventive
e f f o r t can be guided.
A s t h i s study progressed, the notion of potential significance of a
s e r i e s of scalings of energy, preventive e f f o r t , and injury based on frequency-
s i z e matrices emerged. Such a s e r i e s presents some promise of unifying rather
divergent views of accident and safety problems. A present e f f o r t t o portray
such a s e r i e s of r e l a t i o n s i s i n Figure 3-6.
Figure 3-6 a* Energy, Prevention and Accident Matrices.
ENERGlES PREVENTIVE EFFORTS ACCIDENTS

- 1 -I
(by d i s c r e t e types)
I
I bontinuum = None, Minor e v e r i t y = a continuum
Regulations, from error-incident
High Standards, f i r s t aid
"Best Practice" medical
System Safety disabling
Analysis permanent
I
( ~ a z a r dAnaly- death
1' -I
s i s process) multi-death
catastrophic
Measurement f
The f i g u r e suggests:
-
Goals 4 P Values
i s controlled by
A spectrum simple a c t i o n s on remaining accidents,
of minor itemsj major s t i l l a spectrum,
energies a c t i o n on major ' \ trigger
problems feedback
----------
t o f u r t h e r improve
the effort
4. ERROR AS ACCIDENT CAUSE
Accidents have been characterized a s members of t h e broader family of

human e r r o r by Altman, Chapanis, Christensen, Rigby and Swain, and we s h a l l
l e a n heavily on them t o develop a concept of value i n e s t a b l i s h i n g mechanisms
of accident occurrence and explaining causation. E r r o r s a r e e a s i e r t o study
and l i t e r a t u r e on e r r o r reduction can be tapped.
P e t e r s (1966) defined e r r o r as:
"&ny s i g n i f i c a n t deviation from a previously established, required, o r
expected standard of human performance, t h a t r e s u l t s i n unwanted o r
undesirable time delay, d i f f i c u l t y , problem, trouble, incident, malfunc-
tion or failure ."
Rigby (1970) described e r r o r i n t h e following terms:
"Both people and what they do a r e very complex. I n t r e a t i n g complexity,
it has become customary t o presume that performance w i l l vary but t h a t
v a r i a b i l i t y i s not important s o long a s it i s within c e r t a i n limits.
When those limits a r e exceeded, we speak of d e f i c i e n c i e s -- of defects,
f a i l u r e s , accidents, and e r r o r s . Thus, i n t h e most general and most
p r a c t i c a l sense, a human e r r o r i s any member of a s e t of human a c t i o n s
t h a t exceeds some l i m i t of a c c e p t a b i l i t y . An e r r o r i s only an out-of-
tolerance action, and t h e most important ingredients i n any discussion
of e r r o r a r e g e f i n i t i o n s f o r both the s e t of a c t i o n s and t h e tolerance
l i m i t s t h a t define e r r o r s f o r those actions. (emphasis added)
"Every human a c t i o n i s an opportunity f o r e r r o r . An a c t i o n may be a
v i s i b l e a c t , such a s a c o n t r o l moveknt, an i n t e r n a l process, such a s
reading, o r even l a c k of a c t i v i t y , such a s waiting o r omitting a
procedural step."
Chapanis begins one paper with t h i s case h i s t o r y :
"... a shocked nation read t h a t s i x i n f a n t s had died
had been fed formulas prepared with salt instead of sugar. The e r r o r
...
because they
was traced t o a p r a c t i c a l nurse who had inadvertently f i l l e d a sugar

container with salt from one of two i d e n t i c a l , shiny, 20-gallon con-
t a i n e r s standing s i d e by s i d e under a low s h e l f , i n dim l i g h t , i n t h e
h o s p i t a l ' s main kitchen. A small paper t a g pasted t o t h e l i d of one
container bore t h e word 'Sugar' i n p l a i n handwriting. The t a g on t h e
o t h e r l i d was t o r n , but one could make out t h e l e t t e r s ' S . l t l on t h e
fragments t h a t remained. A s one h o s p i t a l board member put i t , 'Maybe
t h a t g i r l did mistake salt f o r sugar, but if so, we s e t her up f o r i t
j u s t a s s u r e l y as i f we'd s e t a trap."'
This t r a g i c case suggests many preventive s t e p s , but the one not acceptable
as "solution" i s t o t e l l nurses t o "read l a b e l s more carefully." Yet t h e solu-
t i o n s we see today on many accident r e p o r t s a r e equally s u p e r f i c i a l and inade-
quate. B e t t e r answers may l i e i n color o r shape coding cans, o r separation of
supplies, r a t h e r than simple solutions!
Further, Chapanis says:
"When a system f a i l s it does not f a i l f o r any one reason. It usually f a i l s
because the kinds of people who are trying t o operate the system, with the -
amount of t r a i n i n g they have had, a r e not able t o cope with t h e way the sys-
tem i s designed, following procedures thay a r e supposed t o follow, i n the
environment i n which the system has t o operate."
Some other examples of Chapannis ' s observations a r e :
1. "Many s i t u a t i o n s a r e e r r o r provocative."
2. "Given a population of human beings with known c h a r a c t e r i s t i c s , it i s
possible t o design t o o l s , appliances, and equipment t h a t best match t h e i r
capacities, l i m i t a t i o n s and weaknesses ."
3 . "The improvement i n system performance t h a t can be realized from the
redesign of equipment i s usually g r e a t e r than the gains t h a t can be r e a l -
ized from the selection and t r a i n i n g of personnel."
4. "For purposes of man-machine systems design there i s no e s s e n t i a l d i f -
ference between an e r r o r and an accident. The important thing i s t h a t both
an e r r o r and an accident i d e n t i f y a troublesome situation."
5. "The advantages of analyzing error-provocative s i t u a t i o n s are:
a. It i s e a s i e r t o c o l l e c t data on e r r o r s and near-misses than on
accidenks.
b. Errors occur much more frequently than do accidents. This means,
i n short, t h a t more d a t a a r e available.
c. Even more important than t h e f i r s t two points i s t h a t e r r o r -
provocative s i t u a t i o n s provide one with clues about what one can do
t o prevent e r r o r s , o r accidents, before they occur.
d. The study of e r r o r s and near-misses usually reveals a l l those s i t u -
a t i o n s t h a t r e s u l t i n accidents plus many s i t u a t i o n s t h a t could poten-
t i a l l y r e s u l t i n accidents but t h a t have not yet done so. I n short, by
studying error-provocative s i t u a t i o n s we can uncover dangerous o r unsafe
designs even before an accident has had a chance t o occur. This, i n
f a c t , i s one of the keys t o designing safety i n t o a system before i t i s
built.
e . I f we accept t h a t the e s s e n t i a l difference between an e r r o r and an
accident i s l a r g e l y a matter of chance, it follows t h a t any measure
based on accidents alone, such a s number of disabling i n j u r i e s , i n j u r y
frequency r a t e s , i n j u r y severity r a t e s , number of f i r s t a i d cases,
claim r a t e s , and so on, i s contaminated by a large proportion of pure
e r r o r v a r i a b i l i t y . I n s t a t i s t i c a l terms the r e l i a b i l i t y of any measure
i s inversely r e l a t e d t o the amount of random, o r pure e r r o r , variance
t h a t contributes t o it. It i s .likely t h a t t h e reason so many studies
of accident causation t u r n up with such marginally low relationships i s
the unstable, o r unreliable nature of the accident measure i t s e l f . "
6. "Design c h a r a c t e r i s t i c s t h a t increase the probability of e r r o r include a
job, s i t u a t i o n , o r system which:
a. Violates operator expectations,
b. Requires peformance beyond what an operator can d e l i v e r ,
c. Induces fatigue,
d. Provides inadequate f a c i l i t i e s o r information f o r the operator,
e . Is unnecessarily d i f f i c u l t o r unpleasant, o r
f . I s unnecessarily dangerous ."
To C h ~ p a n i swe a r e a l s o indebted f o r the following:
"To say t h a t an operator was i n a t t e n t i v e , c a r e l e s s , o r impulsive i s merely
t o say t h a t he i s human,
"The evidence i s c l e a r t h a t people make more h r r o r s with some devices
than they do with others. ..
A good systems engineer can usually build
a nearly i n f a l l i b l e system out of components t h a t individually may be no
more r e l i a b l e than a human being. The human f a c t o r s engineer believes t h a t
with s u f f i c i e n t ingenuity nearly i n f a l l i b l e systems can be b u i l t even i f
-
one of t h e components i s a human being."
A l t m m makes t h e following points:
1. Fragmentary e r r o r d a t a a r e more l i k e l y t o be u s e f u l than fragmentary
r e l i a b i l i t y or s a f e t y data.
2. Error analysis i s a f a c t o r i n t a s k analysis.
3. Value i n e r r o r analysis comes i n design and evaluation of e r r o r -
reducing techniques.
4. Errors can be classed according t o d e t e c t a b i l i t y , revocability, and
consequences - with obvious implications f o r kinds of preventive action.
5. E r r o r a n a l y s i s l e a d s o f t e n t o re-design, automation, and use of human
f a c t o r s engineering.
6. Error analysis a l s o leads t o monitoring, (a) t o i n t e r c e p t and ameliorate,
and ( b ) t o provide feedback t o operator.
I n routine i n d u s t r i a l and product s i t u a t i o n s , q u a n t i t a t i v e d a t a may not be
immediately a v a i l a b l e , but q u a l i t a t i v e use can be made of t h e l o g i c and p r a c t i c e
of e r r o r reduction, even while d a t a c o l l e c t i o n i s being implemented.
Accident s t u d i e s a r e , more and more, u t i l i z i n g concepts of e r r o r and e r r o r -
reduction (~rnericanI n s t i t u t e s of Reseazch, 1965). One occupational study
reported unsafe a c t s as due t o human e r r o r , and r e f e r r e d t o them as "microscale
Swain (1969) argues persuasively t h a t :

"... a means of increasing occupational s a f e t y i s one which recognizes
t h a t most human i n i t i a t e d accidents a r e due t o the f e a t u r e s i n a work
s i t u a t i o n which define what the worker must do and how he must do it
.. ...
t h e s i t u a t i o n approach, emphasizes s t r u c t u r i n g o r r e s t r u c t u r i n g t h e
work s i t u a t i o n t o prevent accidents from occurring. Use of t h i s approach
r e q u i r e s t h a t management recognize i t s r e s p o n s i b i l i t y (1) t o provide t h e
worker with a safety-prone work s i t u a t i o n and (2) t o forego t h e temptation
t o place the burden of accident prevention on t h e individual worker."
It is worth noting t h a t Swain's observation a p p l i e s equally t o general
performance, and supports a s a f e t y r e l a t i o n ,
An e r r o r reduction program i n NSC service shipments i n l9b8 provided t h e a
author-with i n t e r e s t i n g i n s i g h t on error-accident comparability.
The e r r o r r e p o r t form contained propaganda: "Errors a r e l i k e accidents.
They must be investigated t o be prevented." A l l preventive s t e p s were
p a r a l l e l t o NSC s a f e t y procedures. Investigations showed a close p a r a l l e l
between e r r o r s and accidents. The same kinds of improvements equipment,--
t r a i n i n g , procedure, supervision -- g r e a t l y reduced e r r o r s .
One s i g n i f i c a n t value i n human e r r o r a n a l y s i s i s t h e p o s s i b i l i t y of o b j e c - .
t i v e l y d e s c r i b i n g t h e behavior involved (by c o n t r a s t with t h e terms "unsafe
conditions" and "unsafe a c t s " commonly used i n s a f e t y ) .
The a n a l y t i c and c l a s s i f i c a t i o n schemes u t i l i z e d by Altman, Chapanis and
Rigby a l s o suggest t h e o b j e c t i v e nature of e r r o r study.
It i s u s e f u l t o remind ourselves of t h e e s s e n t i a l i t y of standards of judg-
ment i n any e r r o r - f r e e , r e l i a b l e c o n t r o l process. An e r r o r c o n s i s t s of an
improper a c t i o n o r omission where a standard of judgnent e x i s t s . For example,
i n a volume on d r i v e r behavior ( ~ n s u r a n c eI n s t i t u t e f o r Highway Safety, 1968)
two models of d r i v e r f u n c t i o n s a r e given i n more o r l e s s d e t a i l -- one n e g l e c t s
c r i t e r i a f o r judgment, t h e o t h e r suggests i t by a word, but is t h e r e a f t e r
s i l e n t on such implications a s ignorance of defensive d r i v i n g c r i t e r i a .
Rigby (1970) s a i d t h a t "tolerance l i m i t s " d e f i n e e r r o r s , as follows :
1. " B a r r i e r l i m i t s p h y s i c a l l y prevent o r l i m i t unacceptable performance

( e .g., r e t a i n e r s , s t o p s , o r highway d i v i d e r s ) ."
2. "Fixed l i m i t s a r e c l e a r l y and permanently e s t a b l i s h e d ( e .g., l i n e s on
a target or street d e t e n t s on switchs) .I1
3. "Empirical l i m i t s can be checked by measurement o r sampling during o r
a f t e r performance (e .g., hole diameters) ."
4. "Reference l i m i t s can be compared with t h e output i n time of doubt
( e .g., samples of good and bad s o l d e r j o i n t s ) ."
5 . "Caution l i m i t s a r e reinforced by warnings, signs, o r o t h e r i n d i c a t i o n s
(not always a v a i l a b l e a t t h e time of t h e a c t i o n ) ."
6. "Conventional l i m i t s a r e i n s t i l l e d by t r a i n i n g o r custom, but may not
be otherwise reinforced i n t h e work s i t u a t i o n . "
7. "Forensic limits are. subject t o debate and a r e o f t e n defined only
a f t e r the f a c t by a hearing o r other consensus."
"The above a r e i n o r d e r of decreasing e f f e c t i v e n e s s . Unfortunately, t h i s
order i s the inverse of -frequency. There a r e seldom well-defined l i m i t s
on human performance, and where one aspect of performance i s defined
o t h e r s a r e not. Yet, e r r o r s a r e fewer t o t h e degree t h a t workers under-
stand and can work within relevant tolerance' l i m i t s . "
Note t h a t h i s f i r s t tolerance limit pruvides a point of connection with
t h e B a r r i e r i d e a discussed e a r l i e r !
Note a l s o t&t h i s last two l i m i t s a r e t h e weakest -- custom, and debate
a f t e r t h e accident. Yet t h e s e i n e f f e c t i v e l i m i t s a r e very often seen i n a c c i -
dent investigations. If i n v e s t i g a t i o n s d e f i n e t h e t o l e r a n c e l i m i t s i n f o r c e
at t h e time of t h e a c c i d e n t s , we w i l l g e t such s t a t i s t i c s as:
% of t h e e r r o r l i m i t s were i n custom,
4of t h e e r r o r limits were i n debate!
The asking of questions about e r r o r d e f i n i t i o n s i n a c c i d e n t s would be
amusing, if it were not so serious. Further, when these same e r r o r tolerance
l i m i t s a r e applied t o examination of managerial f a c t o r s -- design, r i s k analysis,
s a f e t y s e r v i c e s and implementation -- t h e answers a r e even more alarming. Major
elements of t h e s a f e t y p r o w have weak and inadequate d e f i n i t i o n , and managerial
e r r o r s and omissions r e s u l t .
A note of optimism can be i n j e c t e d from t h e observation t h a t people --
managerial, t e c h n i c a l o r c r a f t -- often a r e doing b e t t e r jobs than a r e specified
when following t h e i r t r a i n i n g , custom o r innate i n t e l l i g e n c e . Therefore, any
move t o decrease vague o r unspecified e r r o r tolerance l i m i t s must not f a i l t o g e t
and incorporate the b e s t of present practice,
Surry (1968) conceptualized twelve points i n information processing and
r e a c t i o n which, as i n a c t u a l accident sequences, show numerous opportunities f o r
intervention o r improvement, and suggest system a n a l y s i s needs ( ~ i ~ u 4-1).
re
Her model may be a key t o a n a l y s i s of employee, supervisor, o r management deci-
s i o n s i n those kinds of emergency s i t u a t i o n s which emerge more slowly, and i f
not r e d i r e c t e d , develop i n t o major accident s/incidents . Even i n accidents
which develop with g r e a t speed, Surry's sequences provide u s e f u l guides f o r
d a t a t o be sought i n accident investigation. The nature of warning information
(eeg. ,a proposed change i n a hazardous material package) may be f a i r l y subtle.
From a management view, we could expand the term "physiological response" t o -
include "managerial response."
We s h a l l be t r a c i n g management e r r o r s as well as operator e r r o r s , There-
f o r e we have t h e i n t e r e s t i n g p o s s i b i l i t y t h a t more f a c t s on r a t i o n a l i z a t i o n
p r i o r t o management e r r o r may be available and may give g r e a t e r insight. We
s h a l l a l s o examine s u p e d i s o r actions i n emergencies and s h a l l f i n d almost no
l i t e r a t u r e on emergency problem solving standards a t t h e point of need.
Surry' s concept may s t r u c t u r e t h i s d i f f i c u l t ' aspect of supervision.
Among t h e apparently usable i d e a s from e r r o r a n a l y s i s i s the "false hypo-
t h e s i s " ( ~ a v i,s 1958) o r "unwarranted inference. " Davis used "preoccupation"
and "emergency mechanisms" as other concepts t o explain e r r o r s .
I n considering t h e unwarranted inference, a t l e a s t f o r management and
planners, we can make at l e a s t a few d i s t i n c t i o n s i n processes a s i l l u s t r a t e d
i n Figure 4-2, top of page 55.
Personal r i s k acceptance and avoidance have had l i t t l e study i n work s i t u -
ations. We can consider and measme f a i l u r e s i n perception and reaction i n
terms of t h e i r objective p r o b a b i l i t i e s . Human f a c t o r s design and t r a i n i n g can
a d j u s t t h e t a s k load and improve both s k i l l s and t h e i r assessment. But t h e
decision t o a c t o r not a c t i s based on a subjective estimate of task require-
I Man and Environment
Warning of
T
danger b u i l d u p 7
0
Perception f Perception of
warning?
Recognition of
warning?
Cognitive Danger
Processes
Decision to
attempt to avoid?
Physiological
Response
o Hazar Hazard - - Imminent Danger

Warning of
danger release?
/
I Perception of
Perception 1 warning?
I Recognition of Danger
Cognitive
II warning?
Recognition of
Release
Emergency
Period
--
Processes avoidance mode?
Decision to
attempt to avoid'?
t
Injury and/or Damage
Surry, 1968.
Figure 4-2. Decision F'remises i n Unwarranted Inferences .
Signal not
perceived
1 Lack of Know-
I ledge, e-ri-
I ence, standards
Lack of a
Hazard Ana-
l y s i s Process
Lack of
Time
Oversight
Undue Risk
Accept a c e
V
v
v TJnwarranted Inference
ments, s k i l l c a p a b i l i t y , and values of success, f a i l u r e , o r inaction. These

remaining value f a c t o r s a r e dependent on a t t i t u d e s , l i f e experience, social-
management pressures, psychological f a c t o r s , and biographical aspects, according
t o Rockwell (1968) who found t h e "high r i s k e r " underestimates t h e r i s k require-
ments and overestimates h i s c a p a b i l i t i e s . Rockwell a l s o found t h a t t h e "high
r i s k e r " tends t o seek l e s s information i n an experiment involving a psychomotor
task. (1f t h i s be t r u e f o r management tasks, and experience suggests it probably
i s , s a f e t y has an a d d i t i o n a l obstacle. )
Rockwell has counseled t h e design of systems which maintain a l e r t n e s s with-
out danger. Jones (1970) has urged t h a t s u f f i c i e n t s a f e t y decisions remain i n
a task t o heighten s k i l l and decision c a p a b i l i t i e s . These a r e d i f f i c u l t goals
and i n p a r t i a l c o n f l i c t with e r r o r reduction.
The laboratory s t u d i e s of non-industrial r i s k s i t u a t i o n s may provide some
help, but a r e not e a s i l y t r a n s f e r r e d t o p r a c t i c a l i n d u s t r i a l use. Consequently,
they have been held over t o Chapter 7, The Role of Risk Management, where the
more structured managerial s i t u a t i o n may provide a b e t t e r background f o r assessing
t h e i r usefulness.
Most l i t e r a t u r e on human e r r o r , as well as r i s k , i s concerned with personal
errors. I n t h i s study'we s h a l l a l s o examine managerial, supervisory and staff
e r r o r s , d e f i n e d a s omissions o r oversights i n a specified hazard reduction method
o r process. We have seen i n t h i s study t h a t some designers a r e more error-prone
than others (for example, i n f a i l u r e t o check f i e l d conditions u n t i l too l a t e ) .
When standards f o r performing such work a r e vague (as they usually a r e ) , t h e
designer's e r r o r p o t e n t i a l i s obviously greater than t h a t of the individual
operator since the designer's work a f f e c t s many people and situations.
The emotional overtones of the term "error" are a matter of some concern.
Perhaps a v a r i e t y of terms should be explored. For example, Webster says
"mistake implies misconception or inadvertence and i s seldom a harsh term."
Rigby counseled as follows:
"We can d e a l more effectively with human e r r o r i f we d e a l with it openly
and objectively a s a natural and inevitable f'unction of human v a r i a b i l i t y .
The term 'human e r r o r ' should connote no more sense of blame o r other
emotion than the term 'component failure.' It i s merely a way of describ-
ing probable events. Emotion only obscures understanding, and it i s as
wasteful t o spend one's time blaming and finger-pointing i n human a f f a i r s
as it i s t o curse a broken part."
I n any event, each e r r o r a t an operational l e v e l must be viewed a s stem-
ming from one or more planning or design e r r o r s a t higher levels. And a t
whatever l e v e l i n the organization, human factors review i s intended t o in-
crease the success r a t e of a l l the people who operate the system.
Although human factors review sometimes seems mechanistic i n i t s approach,
i t s purpose i s intensely humanistic. Reduction of the causes of f a i l u r e s a t
any l e v e l i n the system i s not only a contribution t o safety, but also a moral
obligation t o serve associates with the information and methods needed f o r
success.
We s h a l l return t o discussion of e r r o r reduction i n Human Factors Review,
and s h a l l a l s o draw on Swain's observations on e r r o r data collection i n
attempting t o design an improved accident data system. (chapter 26. )
However, the l a t t e r e f f o r t has not produced a general safety data system since
meaningful e r r o r data has come largely from e r r o r r a t e samples with task
specific definitions.
Unsafe Conditions and Unsafe Acts.

These categories of e r r o r s are extensively used i n accident data collec-
tion. However, the f a c t remains t h a t concepts of unsafe conditions and unsafe
a c t s a r e usually simplistic and definitions a r e variable from place t o place.
A decision a s t o what i s "unsafe" i s subjective and dependent on the
sophistication of the c l a s s i f i e r . For example, many "unsafe acts" have been
cured by human f a c t o r s engineers, and were probably, i n retrospect, "unsafe
conditions." Seemingly, the greater the lack of knowledge by the c l a s s i f i e r ,
the l a r g e r the "unsafe a c t " category, and the smaller the "unsafe condition"
category.
One study (source w i l l not be cited!) concluded:
"A t o t a l of 80% of a l l the o f f i c e accidents were caused by unsafe
a c t s and n e a r l y 75% were judged t o be s o l e l y the f a u l t of t h e
employee t o whom t h e accident occurred."
Christensen (1972) r e f e r r e d t o c a r e f u l l y compiled A i r Force d a t a showing
60% pure o r p a r t i a l e r r o r a s dubious d a t a since the r o l e of design e r r o r i n
causing p i l o t e r r o r remains unknown u n t i l studied intensively.
During t h e OSHA hearings, testimony w a s presented t o t h e e f f e c t t h a t 85%
of work accidents were due t o human f a c t o r s , only 1%due t o physical f a c t o r s .
Such numbers axe nonsense! A t one research s i t e the author encountered great
reluctance t o produce such data stored i n a computer because t h e d a t a were
known t o be so highly colored by t h e c l a s s i f i e r .
Tarrants (1963) did f i n d t h a t two i n v e s t i g a t o r s of comparable backgxund
obtained comparable r e s u l t s i n a " c r i t i c a l incident" study. And he gives
suggestions of making such c l a s s i f i c a t i o n s more useful. Tarrants properly
argues t h a t r e l i a b l e e r r o r d a t a a r e needed t o judge performance, but a t t a i n i n g
comparability is d i f f i c u l t and l e s s subjective use of c r i t i c a l incident d a t a
i s possible and valuable.
The terms "unsafe condition" and "unsafe a c t " may be with u s f o r some
t i m e , and may be u s e f u l if properly defined.
We can define an "unsafe a c t " a s an operational (employee) e r r o r . Most
accidents appear t o have one such e r r o r , and may have two o r more, t h e first
i n t h e sequence often being an operational e r r o r which c r e a t e s a'n "unsafe
condition. "
A l l work accidents have a sequence of planning (management) e r r o r s (or
assumed r i s k s ) which allowed t h e "unsafe condition" and t h e "unsafe a c t " t o
develop. The number of such planning e r r o r s detected w i l l depend on t h e
thoroughness and sophistication of t h e analyst. But, i f we u t i l i z e a defined
Hazard Analysis Process, e s p e c i a l l y a process with human f a c t o r s review, we a r e
more l i k e l y t o d e t e c t a l a r g e number of sequential e r r o r s .
5 THE ROLE OF CHANGE I N ACCIDENTS
The r o l e of change i n accidents, and more important, the significance and

usefulness of change-based preventive and a n a l y t i c methods, has emerged with
increasing c l a r i t y during th past t e n years.
H i s t o r i c a l l y , the change o r r e v i s i o n record on engineering drawings has
been both a basis f o r review and a f e r t i l e source of clues a s t o causal f a c t o r s
i n t h e event of trouble. But accident h i s t o r i e s show c l e a z l y t h a t a more
thorough ard searching review method i s needed if changes, p a r t i c u l a r l y unwanted
s i d e - e f f e c t s , a r e t o be controlled.
P r i o r t o WorZWar I1 the r o l e of "change work," such a s maintenance, con-
s t r u c t i o n and research, was recognized f o r i t s e f f e c t s on plant accident experi-
ence. Moves i n t o new, i n h e r e n t l y s a f e r f a c i l i t i e s were u s u a l l y accompanied by
temporarily increased accident r a t e s . However, p r a c t i c a l use of such observations
i n terms of preventive counterchange was f a r from c l e a r .
A s p e c i f i c change-based a n a l y t i c technique has been c i t e d i n system s a f e t y
analysis.
I n system s a f e t y parlance, a change i n "form, f i t o r function" of a p a r t
has s i g n a l l e d review of components and subsystems (including i n t e r f a c e s ) up-
wards i n the design review channel u n t i l no change i s demonstrated. Interest-
i n g l y , i n discussing organizational behavior i n general, and the hierarchy of
subsystems, S e i l e r (1967) observes t h a t change i n a p a r t has a v a s t l y g r e a t e r
e f f e c t on a sub-unit, and counsels a n a l y s i s of e f f e c t s on the sub-unit before
considering t h e t o t a l i t y .
So, whether hardware o r people a r e changed, any
change should be reviewed on up t h e system u n t i l no change can be demonstrated.
I n any organization there a r e r e a d i l y a v a i l a b l e d a t a on c e r t a i n c l a s s e s
of changes : new employees, t r a n s f e r s , work orders (classed by s i z e ) , and new
p r o j e c t s (classed by s i z e ) . A 1 1 such sources should be systematically canvassed
and then current d a t a can be h e l p f u l i n guiding s a f e t y a t t e n t i o n . Accident
r a t e s can be r e l a t e d t o these i n d i c e s of increased hazard.
An i l l u s t r a t i o n of change, and sequence of change may be helpful. Here i s
a case h i s t o r y and a puzzle:

Before Changes -- a l a r g e chemical plant had operated uneventfully
f o r years.
Change 1 -- The plant was replaced by a l a r g e r , more e f f i c i e n t plant.
Change 2 -- The first plant was decommissioned and p a r t i a l l y d i s a s -
sembled.
Change 3 -- The new plant d i d n ' t produce a s well a s expected ( a t f i r s t ) .
Change 4 -- Demand f o r product grew more than expected.
Change 5 -- Put t h e old plant back i n production.
Can you w r i t e t h e scenario a s t o what happened? ( ! The answer is i n a foot-
note on page & 2 , but t r y before you peek! )
I n another episode on a l e s s e r l e v e l , involving a three-stage compressor
developing 3,000 p s i f o r a research experiment, a lower pressure was drawn off
t o a c t u a t e a house c i r c u i t f o r pressure-actuated t o o l s . A l l went well.
Change 1 -- The 3,000 p s i compressor was no longer needed and w a s not
active .
Error 1 -- The equipment w a s seen by an outside pressure v e s s e l
expert who made some recommendations if t h e equipment w a s
ever used. The equipment w a s not tagged, marked o r made
inoperative.
Shange 2 -- After 1$years of non-use and non-maintenance,
Change 3 -- A mechanic decided t o a c t i v a t e t h e compressor t o use a
wrench t o remove a few b o l t s - a r a t h e r massive case of
overuse of energy!
Error 2 -- The p r o j e c t engineer i n charge of t h e work conducted no
perceptible pre-job s a f e t y a n a l y s i s .
Change 4 -- The mechanic s t a r t e d t h e compressor and it s h o r t l y blew up,
narrowly missing a one o r two f a t a l i t y accident.
Levens (1970) alluded t o change a s s t r e s s on a system previously i n a

s t a t e of dynamic equilibrium, and spoke of s t r e s s a s anything which d i s t u r b s
t h e normal (planned) functioning. Thus change i s an element i n hazard \
-'.
identification.
Regarding t h e r o l e of change, Altman (1970) said:
"We explored b r i e f l y before t h e need i n e r r o r a n a l y s i s t o allow f o r chang-
ing conditions. The r a p i d l y changing requirements and conditions of
modern industry have implications f o r l e a r n i n g and accidents. Indeed,
t r a i n i n g f o r s a f e t y might sometimes be almost easy were it not f o r contin-
gencie s and change " .
I n a broader sense, changes i n employment o r economic conditions may have
similar effects. Tuz and DeGrazia (1967) found:
" .,,,, t h e r e seems t o e x i s t a r a t h e r s i g n i f i c a n t r e l a t i o n s h i p between
c y c l i c a l f l u c t u a t i o n s i n economic v a r i a b l e s and changes i n accident f r e -
quency of manufacturing concerns when these accident r a t e s a r e suppressed
t o low l e v e l s . I r
An a n a l y s i s of r o u t i n e accident r e p o r t s from a number of corporations t o
d e t e c t t h e r o l e of change yielded two types of r e s u l t s :
1. Most r e p o r t s were g r o s s l y d e f i c i e n t i n i d e n t i f y i n g changes t h a t c o n t r i -
buted t o t h e s e r i e s of events t h a t r e s u l t e d i n t h e accident -- r e p o r t
forms did not ask t h e p e r t i n e n t questions.
2. Where r e p o r t s were, by chance, complete i n t h e n a r r a t i v e section, the
number of changes was so g r e a t it was amazing they d i d n ' t k i l l everybody!
A s i m i l a r finding f o r routine r e p o r t s was made i n the AEC study.
An i n t e r e s t i n g commentary on t h e r e l a t i o n of change and danger i s made by

McKie i n "The Company of ~nimals"(1966):
"... ,..
jungle man has an acute awareness of surroundings, t h a t i s , a sense
he has not l o s t o r has resurrected, atrophied o r dormant i n most of
u s , which warns him not only of d i r e c t danger, but a l s o of changes i n the
p a t t e r n s of jungle l i f e - changes which could be a prelude t o danger."
The s e n s i t i v i t y t o impending o r probable change may be a key component i n

t h e work of a good, experienced manager o r s a f e t y professional, which has some-
times been described a s having an "almost i n t u i t i v e " quality.
I n an accident
i n experimental equipment operating neas: technological boundaries ( ~ i g u r e5-l) ,
which the f i e l d s a f e t y engineer would have d i f f i c u l t y understanding o r analyzing
f o r hazard, there were numerous changes, performance problems and f a i l u r e s , and
a lengthy period of overtime work associated with "high energy" heaters, The
l a t t e r s i g n a l s of s t r e s s e s and energy could probably have been detected by an
observer a l e r t e d t o t h e i r significance.
Thus, one aspect of the work of a f i e l d
s a f e t y engineer seems susceptible t o more precise and u s e f u l d e f i n i t i o n . (see
Figure IX-2, page 453 f o r an application.)
I n discussing s e n s i t i v i t y t o change with a manager, he argued t h a t h i s
people were s e n s i t i v e a s t h e r e s u l t of s e v e r a l incidents, but t h i s i s an expen-
s i v e method of t r a i n i n g and w i l l atrophy with time. So t r a i n i n g o r other
s e n s i t i z i n g methods a r e needed.
An exploration i n supervisor t r a i n i n g f o r s e n s i t i v i t y t o change employing
some simple forms and questions was undertaken i n t h i s study, but the t r i a l was
l a r g e l y unsuccessf'ul.
A t Lawrence, a group of maintenance and job shop foremen were given a
"Change Docket" with two blank columns headed "Change sf' and "~ounterchange s ".
This was a l s o given t o t h e i r supervisor. The i n s t r u c t i o n s were t o e n t e r i n
t h e f i r s t column any " s i g n i f i c a n t changes which probably need thought and
attention" and i n t h e second column the preventive counterchanges needed.
Two examples were provided. The f i r s t , f o r a foreman, l i s t e d such things
a s a new press, a new material, a new employee, a rush order requiring over-
time, a person who was angry, an outbreak of f i r s t a i d cases, a q u a l i t y
( r e j e c t ) problem, and t h e supervisort s planned absence f o r personal reasons.
The second sheet, f o r the organization president, l i s t e d an increase i n
product l i a b i l i t y s u i t s , a marketing V. P. k i l l e d i n an off-the-job t r a f f i c
accident, "competent, responsible people a r e not available i n needed numbers,
and turnover i s high," "supervision i s d e t e r i o r a t i n g and here, too, turnover
i s rising." On both sheets some possible preventive counterchanges were
shown. Whether because changes were too numerous i n t h e i r work, or because
a new approach not w e l l understood i n management l e v e l s could not be
e a s i l y used, t h e men involved produced l i t t l e t h a t was h e l p f u l t o them.
I n t h e c l o s i n g interviews it was apparent t h a t t h e four-week t r i a l had
contributed l i t t l e , i f anything, t o change s e n s i t i v i t y . One foreman r e -
ported t h a t h i s absence due t o sickness had s t r u c k him a s a p o t e n t i a l l y
harmf'ul change. A l l a r e strongly oriented t o t h e p r a c t i c a l content of t h e i r
work, r a t h e r than a b s t r a c t concepts. And t h i s i s probably a s it should be.
Since l i n e supervision i n much of Lawrence's research operations i s
divided between t h e Division s t a f f s and t h e f a c u l t y who d i r e c t t h e graduate
a s s i s t a n t s , t r i a l s i n a normal l i n e production organization were not possible.
Another t r i a l and perhaps other approaches seem warranted when t h e change
concept i s more f u l l y developed i n managerial and s a f e t y s t a f f s .
Lawrence d i d , however, have two s a f e t y operations keyed t o t h e r o l e of

change :
I n a l a r g e building containing numerous chemical l a b o r a t o r i e s , a corps of
h e a l t h physics technicians, constantly moving about monitoring f o r radia-
t i o n hazards, had been t r a i n e d and s e n s i t i z e d t o note changes and d i f f e r e n c e s
and t o promptly r e p o r t them t o a chemical s a f e t y engineer f o r f i e l d review,
Five members of a chemical d i v i s i o n a l s a f e t y committee ( a s c i e n t i s t , business
manager, two l a b supervisors, and a maintenance machinist), a f t e r f o u r weeks'
t r i a l , f e l t t h e y were a l r e a d y s e n s i t i v e t o change and t h a t i t was, indeed,
t h e i r primary concern!
I n n e i t h e r group did t h e change concept appear t o enhance s e n s i t i v i t y t o
p o t e n t i a l hazards. Both groups, t h e h e a l t h physics monitors p a r t i c u l a r l y ,
f e l t t h a t t h e y were already s e n s i t i v e t o and a c t i n g on changes,
What i s t h e p r a c t i c a l significance of t h i s Change idea? The answers

seem t o be:
1. Systems fraught with changes u s u a l l y generate a d d i t i o n a l hazards (e .g.,

research, construction and maintenance, o r t r a n s f e r s t o new jobs), We
can be s e n s i t i v e t o t h e nature of "change work."
2 . We can be s e n s i t i v e t o change s i t u a t i o n s -- t r a n s f e r s , new machines, new
m a t e r i a l s , new operations, modifications, shut-down, s t a r t up, e t c .
3 . We can s t r i v e t o augment t h e e s s e n t i a l feedback t o d e t e c t those changes
that could contribute t o accident sequences.
4 a S e n s i t i v i t y t o change (and t h e possible need f o r an o f f s e t t i n g counter-
change) i s a mark of excellence f o r a manager, supervisor, o r s a f e t y
Answer t o episode, page 60.
m -- Put t h e old plant back i n production,

-- Restore necessary operating c o n t r o l s t o g e t back i n production a s
quickly as possible.
-- Lack of formal review f o r hazard a n a l y s i s and/or operational
Error
readiness .
-- Some redundant s a f e t y c o n t r o l s were not reactivated.
-- The p l a n t exploded, k i l l i n g s i x men,
professional. We can explore t r a i n i n g methods t o s e n s i t i z e supervisors
t o d e t e c t and r e a c t t o s i g n i f i c a n t change.
5. I n systems theory, review and counterchange t h e o r e t i c a l l y follow every
" s i g n i f i c a n t " change.
6. We have some new i d e a s as t o what t o seek i n accident i n v e s t i g a t i o n .
7. If a major problem has obscure cause, o r i f we want t o d i g out underlying
causes, we have a v a i l a b l e a r e l a t i v e l y s o p h i s t i c a t e d method t o search
f o r t h a t change which i s cause.
8. On t h e negative s i d e , change i s continuous and many changes apparent i n
accident r e p o r t s simply amount t o truisms. We have much t o l e a r n t o
s o r t wheat and chaff i n our perception of changes, and our subsequent
preventive counterchanges.
The point has been made t h a t an accident i s a f t e r t h e f a c t , post-mortem
o r "tombstone," and that e r r o r (unsafe condition and unsafe a c t ) i s before-
t h e - f a c t of an accident. It seems f u r t h e r t r u e t h a t "change" i s before-the-
f a c t of e r r o r . Therefore, a managerial system should be based on change i d e n t i -
-
f i e d and counterchanm.
Changes a r e myriad. If change i s t o be a u s e f u l c r i t e r i o n f o r systematic
s a f e t y a c t i o n , we shall be forced t o construct standards of judgment a s t o
kinds of changes t o be handled a t various l e v e l s according t o whether energy
management standards a r e a v a i l a b l e , o r new information i s needed.
Change-Based Analytic Methods

In 1967 t h e author s a i d :
"A b a s i c theory and a bcdy of experience i n d i c a t e Change t o be Cause of
a Problem, Some case h i s t o r i e s and sporadic experiences i n d i c a t e t h e
b a s i c theory may be a major contribution t o concepts of accident causa-
t i o n and may provide a foundation f o r improved methods of accident
invest i g a t i o n and prevention, "
Findings i n t h i s study confirm and expard on t h e e a r l i e r b e l i e f . The
b a s i c t h e s i s is:
For any system i n operation which has been going on s a t i s f a c -
t o r i l y (i.e., up t o some standard), Chawes associated with
energies and e r r o r s a r e Causal Factors of a Problem.
This provocative t h e s i s , which has considerable p o t e n t i a l f o r s a f e t y ,
was developed i n Rand s t u d i e s f o r the A i r Force. The concepts were made
e x p l i c i t i n a t e x t book, "The Rational Manager" ( ~ e ~ n e r - T r e g o e ,1965) and
a one-week t r a i n i n g course* which has been widely used i n business f o r c o n t r o l
of q u a l i t y and other aspects of work. I n t e r e s t i n g l y , a l a r g e proportion of
t h e examples used i n t h e t r a i n i n g course were accidents.
An example was c i t e d by a s a f e t y engineer who was a member of NSC:
A c a r manufacturer had serious q u a l i t y c o n t r o l problems on an assembly
l i n e . The Kepner-Tregoe cause analysis method traced cause t o weekly
t r a n s f e r s of employees on a s e n i o r i t y b a s i s t o f i l l vacancies, and the
proof was s u f f i c i e n t t o persuade t h e union t o accept monthly t r a n s f e r s .
The improvement i n q u a l i t y was a s expected. A n unanticipated dividend
was a decrease i n accidents. That i s , change was the cause of both
problems, poor q u a l i t y and accidents.
This case is e s p e c i a l l y valuable because of i t s implications about the congruous

character of c o n t r o l of work f o r q u a l i t y and accident prevention.
The above case a l s o i l l u s t r a t e s a common contrast between Kepner-Tregoe
methods and those a p p r e n t l y needed f o r accident a n a l y s i s and control--the
c o n t r a s t of single cause a n a l y s i s with multi-factoral analysis. Single cause
a n a l y s i s has g r e a t e f f i c i e n c y where it i s adequate. Experience before and during
t h i s study shows t h a t numerous changes, coupled with f a i l u r e s of successions of
energy control f e a t u r e s i n t e r a c t with l a t e n t , more o r l e s s continuous e r r o r s .
Thus t h e change-based a n a l y s i s and control m e t h d s used i n s a f e t y should r e f l e c t
t h e multiple, sequential r e a l i t i e s r a t h e r than r e l y on possibly s i m p l i s t i c
detection-correction of a s i n g l e causative change.
I n 1966 .the Kepner-Tregoe problem a n a l y s i s method cane t o the a t t e n t i o n
of t h e author. Several of u s on t h e NSC staff enrolled i n t h e t r a i n i n g classes.
The t r a i n i n g has been applied i n NSC systems a n a l y s i s courses, and has played
an important p a r t i n t h i s study. I n t h e Aerojet t r i a l s t h e Kepner-Tregoe t e x t
had s u b s t a n t i a l usage and was beneficial. But t h e best advice f o r any l a r g e
organization is t o e n r o l l a t l e a s t two staff members i n t h e t r a i n i n g course, and
then, a f t e r trials, consider organizationwide usage on a l l manner of problems.
Grizzly Bears. The author's first e f f o r t t o use Kepner-Tregoe a n a l y s i s

was i n a s s i s t i n g t h e National Park Service t o analyze t h e two g r i z z l y bear
f a t a l i t i e s i n Glacier Park i n 1967. Some of t h e experiences i n t h a t work
seemed unique a t t h e time, but they have been confirmed i n subsequent analyses
of occupational accidents and therefore t h e accidents and a n a l y t i c methods a r e
worth summarizing b r i e f l y :
From p r e s s r e p o r t s it seemed that cause was obscure,
A standard with 57 years experience t o v a l i d a t e it was: "Grizzly
bears do not seriously chew on people i n sleeping bags a t night."
The Deviation -two g i r l s i n sleeping bags were k i l l e d by two bears
i n a s i n g l e night. Chance? One i n a t r i l l i o n . The Kepner-Tregoe
method says, "Something i n t h e park has changed."
'4.Upon a r r i v a l a t Glacier Park t h e author was briefed f o r hours and1s
then read t r a n s c r i p t s of witness statements. I n about f i v e hours a l l
t h e f a c t s o r probable f a c t s of t h e two accidents were concisely d i s -
played i n an orderly way and showed t h e changes which were l i k e l y
causes. (NOexperimental v e r i f i c a t i o n i s possible i n such episodes,
so i f we a r e t o do something, our preventive a c t i o n must be based on
circumstanti a 1 evidence. )
5. The a n a l y t i c method was not f u l l y s a t i s f i e d , i n t h a t i t should d i s p l a y
a reportable change i n one bear (the other had grown old). When a
research b i o l o g i s t saw t h e information needed, he i n s t a n t l y supplied it --
a f r e s h f i v e inch cut on a f o o t of t h e bear. (1f you know what i n f o r -
mation t o seek, it is o f t e n r e a d i l y available. )
6. The basic cause -- a steady increase i n h i k e r s on t h e trails and t h e i r
garbage by l a t e summer of 1967 l i k e l y was producing exponential adverse
e f f e c t s on t h e bears' h a b i t of avoiding man. There were o t h e r f a c t o r s
(e.g., menstrual cycles), and t h e method was a l s o he1 f u l i n disposing
of possible causes not having circumstantial support e.g., a dog with
one party).
t:
7. The elements of a solution:
a. Revised doctrine on garbage (take it out).
b. Concise d o c t r i n e f o r v i s i t o r behavior (leaf l e t ) .
c. Better monitoring systems f o r bears and people. Ranger p a t r o l s and
employee r e p o r t s of bear sightings.
d. A t r i g g e r mechanism -- close t h e t r a i l a t t h e first r e p o r t of a
bear which i s not avoiding man.
Many of these e a r l y ideas w i l l be seen i n more f i l l y developed form i n
MORT, e s p e c i a l l y t h e multi-factoral aspect. A f u r t h e r example of m u l t i p l i c i t y
of f a c t o r s i s r e f l e c t e d i n another example developed during t h i s study.
I n an experimental h e a t e r accident ( ~ i g u r e5-1) t h e "IS" was a semi-scale
heater. The "IS NOT" most c l o s e l y resembling t h e "IS" was a predecessor quarter-
s c a l e heater. The d i s t i n c t i o n s and changes could then be l i s t e d , and they were
t h e technologic r o o t s of the accident. I n charting t h i s accident, t h e Figure
shows a l e f t hand t a b was added f o r "managerial controls" and i t was then evi-
dent t h a t d i s t i n c t i o n s and changes i n these had occurred which allowed t h e
technical problems t o cumulate and escalate. Other s t r e s s e s , such as lengthy
overtime, and t h e t r i g g e r event (closing a c i r c u i t breaker without checking f o r
cause) could a l s o be n e a t l y displayed.
The Change-Based Accident Analysis ( ~ i g u r e5-2) provides f o r examination
of 25 p o t e n t i a l f a c t o r s , but even t h a t number i s not f u l l y d e f i n i t i v e , and t h e
analyst should not h e s i t a t e t o add t o t h e l i s t a s t h e actual event d i c t a t e s .
I n the columnar spaces t h e c h a r a c t e r i s t i c s of accident s i t u a t i o n are speci-
f i e d as p r e c i s e l y as possible:
1. Present s i t u a t i o n
2. Prior s i t u a t i o n (or most nearly comparable s i t u a t i o n )
Figure 5-1
Heater element f a i l s , an6 o t h e r elements f a i l i n rapid sequence.
IS I i s SOT I . DISTI?r'CTIVE .
hYAT? emiscale Quarterscale Larger
Project Handling, p r o t e c t i o n more
difficult
Harder t o f i l l and construct
65 kw load 1 0 kw Closer t o t e c h n i c a l boundaries
Protracted f a i l u r e s i n develop-
ment. :hennocouple welds f a i l e d )
Lower r e l i a b i l i t y element l i k e l y t o f a i l
Elements brased i n place i n I n s e r t method used i n k Xore handling, 1-s r n n t r n l
San Diego scale? Not e a s i l y replaceable.
Reused o l d power c i r c u i t r y Designed f o r t a s k Less c o s t l y , quicker i g h t e r budget and schedule?
32 elements on a c i r c u i t 120 I f 1 f a i l s , load r i s e s 3%
r a t h e r than .8X
If 2 f a i l . 62, not 1.6%
I f 3 f a i l , 95, not 2.42
Etc., e t c . i n
escalation. i m e d i a t e l y . nny e l e n e n t s l i k e l y t o f a i l .
-
Protection Iingle-failure Double-failure Cheaper; l e s s s a i e i y
lanual c o n t r o l s Automated FI can e s c a l a t e wlin r e a c t i o n
t :me.
WHEN? ,fter protracted f a i h r e s Going well Protracted s t r e s s on people

Nearing deadline ny change i n schedule?
~ f t e rdays of 1 7 hours I~ormal l ~ c u t es t r e s s and f a t i g u e nor-provocative situation.
I I
Trigger: . element f a i l s
;UW. t o l d t e c h n i c i a n t o ailures escalate rapidly
r.e s e t breaker
- II II
Yanagerial rd hoc engr. 6 devel. group Established engr. div. Not s t r u c t u r e d , audited, wlo
Controla i n t e r n a l review, e t c .
hange from k s c a l e ?
I
"Faster ,cheaper ,more convenient"
'reject wlo independent review Present review system ( i n s t a l l e d w/o c r i t i q u e , by t e c h n i c a l l y
later) competent peers
II
'roccdurc wl?iOS personnel s a f e t y Review of hardware envelope 1.10 envelope. c a n ' t d e t e c t
review
h e n t i a l i t y I11 I o r I1 does not monitor auto-
matically.
! Special Reviews of R6E Review of a n a l y t i c s nor a u d i t
operations d l n detect against c r i t e r i a annot d e t e c t impending
iOS s u r v e i l l a n c e d l n d e t e c t ,Survs:::ance plan w l c r i t e r i a deviations.
rEC s u r v e i l l a n c e and a p p r a i s a l lSurveillance plan w l c r i t e r i a
dln detect
r f t e r repeated r e p o r t s t o manage- wlo r e p o r t s Management could a s s i s t , ~ u i d e , lanagement c h a i n impaired
ment correct
l i s k s assumed a t intermediate wlformal a n a l y s i s Decisions might have been :s t h i s a change o r normal?
1eve.l different
XB: Prepared t o show a n a l y t i c technique and a possible way of displaying f a c t o r s . NOS = S a f e t y

Facts represent t h c c o n s u l t n n t ' s undrsrotanding of the Board's Eindlngs. The concluslocs a r e h l s own. R & &' A = R e l i a b i l i t y
It is p r e c i s e l y b e c a u s e . AEC systems a r e highly s t r u c t u r e d t h a t gaps can be detected. and E s s e n t i a l i t y
3. Differences between 1 and 2
4. Changes i n t h e differences, o r r e s u l t i n g from the differences.
I n a complex, protracted event, the author found a time-ordered arrange-

ment helped d i s p l a y t h e sequences. One of t h e Glacier Park g r i z z l y bear fatal-
i t i e s i n 1967 was of t h i s nature.
I n an a n a l y s i s of two dropped loads by one crane, the number of columns
w a s doubled t o d i s t i n g u i s h events 1 and 2 , and then look f o r common f e a t u r e s
o r distinctions.
I n seeking relevant d i s t i n c t i o n s it i s productive t o compare the present

problemin terms of t h e same object t h e day before, t h e week before, t h e month
before, t h e year before. ( ~ fti r s t , t h e questions: How i s t h i s changed from
t h e hour before, e t c . , seem a l i t t l e s i l l y . But, when t h e changes and d i s t i n c -
t i o n s emerge they o f t e n prove t o be serious.) I n most cases t h e r e has been
change(s) which i s cause.
Change-Based a n a l y s i s i s usef'ul i n three stages of a problem:
1. Knowing what a d d i t i o n a l f a c t s a r e needed. Very o f t e n t h e relevant f a c t s
a r e quickly available i f t h e i r need i s pin-pointed, and t h i s i s much
more e f f i c i e n t than a half-blind search f o r "more information."
2. Finding obscure cause. A t t h e i n i t i a l stages who knows what t h e

causal f a c t o r s a r e ? Therefore, t h e use of t h e format as a convenient
way of summarizing f i n d i n g s and information needs as investigation
progresses i s recommended. For t h i s purpose it i s usually well t o
r u l e up a 17"x23" sheet on which t o organize c r y p t i c notes.
3 . Presenting findings i n a concise, precise and well-organized way.

Consequently, t h e use of t h e format, a t l e a s t as a worksheet, f o r any
s e r i o u s accident o r problem i s wise.
Aerojet has had extremely high standards f o r formal change review, espe-
c i a l l y f o r modifications and experiment i n s e r t i o n s i n reactors. A s c r i t e r i a
were upgraded, a s p e c i f i c requirement t o "define differences from previous
t e s t s " w a s added, p a r t l y as t h e r e s u l t of a change-induced accident probably
d e t e c t a b l e by the a n a l y t i c s i n Figure 5-1. This can be done i n a meaningful
way by simply changing t h e r i g h t hand column heading on t h e Change-Based
Accident Analysis Worksheet ( ~ i g u r e5-2) t o "Preventive Counterchanges" and
thus produce a " p o t e n t i a l problem a n a l y s i s workshed r e l a t e d t o changes" with
a capacity f o r d e t e c t i n g unwanted side e f f e c t s of improvement o r unplanned
change s .
Figure 5-3. P o t e n t i a l Problem Analysis Worksheet f o r Changes
Specify the change(s) i n t h i s pro.ject as com-
f
Present
.
pared with the most recent. and most comparable
past p r o j e c t s
PREVENTIVE
1 What ?
1-
Proposal
Prior Differences
COUNTERCHANGE .
Project?
Technology?
-
Who?
0
Extended list
Where ? as p e r t i n e n t
f r o m Fig. 5-2
-
When? --
Managerial
Controls?
Extent ?
b.
A NTSB (1971) r e p o r t on r i s k concepts s t r e s s e d the increased l e v e l s of r i s k

which r e s u l t e d from inadequate a n a l y s i s of changes i n methods of t r a n s p o r t i n g
hazardous m a t e r i a l s .
Reference t o t h e r o l e of change w i l l be found throughout the t e x t , often
taking t h e form of questions about s p e c i f i c changes.
I n s a f e t y program planning, a s e r i e s of schematics has been developed t o
show a c t i o n implications of change.
Figure 5-4. Action Implications of Change
Observed
Look f g r Cause 4b
- Look f o r Results
&
Take Action
Observed
A- +
Look f o r Change
I
- 4
Look f o r Cause
I
C
Take a c t i o n
Classification of Changes.
I n a presentation developed some time before the NSC s t a f f began t o give
study t o the phenomena of change, Roy Benson, Manager of NSCts I n d u s t r i a l
Department, had produced a display of "thought s t a r t e r s " on preventive changes.
Figure 5-5. Some Kinds of Counterchange

MODIFY
Color
RJURRANGE
Sequence
REXERSE
Oder
-
IiEDUCE
Omit
shape Pace Direction Shorten
Sound Components Split
Odor Schedule Condense
Motion Pattern
Meaning
Light
SUBSTITUTE COMBINE
Ingredients Blend
Related Power Unit s
Process Assortments
. Approach Ensembles
It seems likely t h a t t h i s a l s o i s one f i r s t approximation of a taxonomy

of changes which cause accidents. That i s , t o take the f i r s t i l l u s t r a t i o n i n
the Figure:.a new object i s introduced and superficially i s the same as i t s
predecessor; safety characteristics are different, but both are the same color;
an accident r e s u l t s ; solution - change color. I n a powder-powered t o o l acci-
dent, a tube extension was l e f t i n from a previous use and not detected. If
it had been colored red, the change might have been-detected. (Interlocking
with the shield would be b e t t e r , but more expensive.)
No complete taxonomy of changes has been discovered thus f a r i n the AEC
study, but some facets 'emerge with increasing c l a r i t y . For example:
Planned vs. Unplanned.
a. Planned - require scaled Hazard Analysis Process (HAP), and
affirmative safety action.
b. Unplanned - first, detect by monitoring. When detected, (2) make

immediate correction when necessary, and (3) require scaled HAP.
Actual vs. Potential o r Possible
a. Actual change i s detected by reports and observations.
b. Potential o r possible change requires analysis.
Time - deterioration of
- a process over time, interaction with other
changes .
4. Technological - the new projects and processes, p a r t i c u l a r l y near
technological boundaries.
-
5. Personal the many variables which a f f e c t performance capability.
-
6. Sociological closely related t o personal changes, but of broader
significance.
7. Organizational - s h i f t s i n u n i t r e s p o n s i b i l i t i e s may leave interface
gaps, p a r t i c u l a r l y when HAP was ill-defined, but done by austom by
some people.
8. Operational - changes i n procedures without safety review.
9. MACRO vs. MICRO
a. MACRO - overall organization data, e.g., new employees, t r a n s f e r s
and other operating data suggesting needs f o r preventive counter-
measures.
b. MICRO - p a r t i c u l a r events, a s c l a s s i f i e d by such a system as MORT,
but then through MORT leading back t o MACRO changes needed, such
a s management implementation.
A useful subdivision of micro-events might be e a r l y detection and
counteraction, e.g., a plan t o promote a supervisor and then
promote h i s a s s i s t a n t . What does t h i s change imply?
The use of MORT analysis, thus f a r , has been largely on a c l i n i c a l , case-

by-case basis. A moderate number of case h i s t o r i e s have been accumulated. But
a review of the cases t o develop a t i g h t c l a s s i f i c a t i o n o r taxonorqy of changes
u s e f u l i n preventive work has not been done and remains a project for
the future. On the other hand, findings have been incorporated i n Mm analysis
O
a s rapidly a s they appeared, so we are not wholly without answers t o such
questions a s :
1. Do types of change relevant t o accidents give c h a r a c t e r i s t i c advance
signals? Many of them d e f i n i t e l y do give signals.
2. Do types of changes point t o types of countermeasures? Here the indi-
cations a r e t h a t regulations may be a f i r s t l e v e l answer, but hazard
analysis, including human f a c t o r s review, i s usually needed.
Research needs would seem t o include study of c l u s t e r s of accidents by
type of change.
Some Awesome Changes. Beginning a s f a r back as the 5th century B.C. with
Heraclitus and Parmenides, and extending through such men a s Disraeli, the
r o l e of change i n society has been debated and discussed. However, the current
l i t e r a t u r e increasingly r e f e r s t o the d i r e c t i o n a l and exponential nature of
change i n modern society. For example, Gregory (1967) describes the exponential
increase i n the tempo of change and describes problems a s "children of change."
Another commentator used the acronym ROCOROC t o describe increases i n "the r a t e
of change of the r a t e of change." Wood (1967) begins a discussion with t h e
phrase, " A s we r i d e the t i g e r of exponential change ... I' Very apt f o r safety,
and we can c a l l the t i g e r ROCOROC! (see special bibliography a t end of book.
Directional means t h a t change most often keeps on going, and doesn't change
back. If you are hoping f o r a r e t u r n t o some "good old days," forget it! In
safety, t h i s means more technological challenges, not fewer.
Exponential means t h a t changes i n t e r a c t t o compound the e f f e c t s on accident
exposure. Larger r a i l r o a d cars o r trucks are f i l l e d with more exotic material
and go f a s t e r on roads with more t r a f f i c . New materials and advanced technolog-
i c a l equipment must often be operated with l e s s s k i l l e d and l e s s motivated
personnel. Thus exposure t o accidents tends t o move a s E?, E ~ , or E
8
&, .
The implications f o r the kind and amount of control which w i l l be needed are
c l e a r i n Figure 5-7 which takes a r a t h e r pessimistic view of our current r a t e
of s a f e t y progress.
Time
Figure 5-7. EFFECTS OF CHANGES
/
v C OUNTERCHANGES
FOR SAFETY
L
TIME
It i s not d i f f i c u l t t o see plant s i t i n g c r i t e r i a a s involving
(1) potential growth i n plant s i z e (and i n any of i t s adverse e f f e c t s )
(2) probable growth i n nearby plants,
(3) growth i n t r a f f i c and r e s i d e n t i a l density, and
(4) growth i n public concern.
4
Thus future impact i s a function of E , and should be reflected i n current
precautions and adjustments.
Toffler (1970) has described acceleration of change as an "elemental
force" and said we must control the r a t e of change o r suffer an adaptational
breakdown -- "future shock." Without choosing sides on t h i s issue, the e f f o r t
i n t h i s t e x t w i l l be t o outline some techniques whereby we might avoid the .
impending breakdown by effective adaptation.
The view t h a t ecologic t h r e a t s t o man a r e serious, and becoming more so,
i s pervasive i n the press and on the a i r . Any injury r a t e upturn may be just
one more evidence of systemic troubles poorly understood and inadequately aoped
with. There a r e reasons f o r believing t h a t more cogent and successful methods
of coping with t h r e a t s i n the r e l a t i v e l y controlled environment of employment
may have the added value of suggesting rationale, method, scale and pace
needed i n broader spheres.
The Change-Based methods (plus t h e grizzly bear episode) greatly aided
t h e author's e a r l y work on models of general s a f e t y systems. For t h e NSC
Boards and Conferences meeting i n October 1967 a presentation e n t i t l e d
b f f e c t s of changesItime showed the r o l e of exponential change. Figures 5-8
and 5-9, taken from t h a t presentation, show the sequential r o l e of change-error-
accident, and the general system shows the e d y seeds of t h e general system
evolved i n t h i s study -- t h a t is, information and analytic processes feeding
i n t o a dynamic performance-oriented system.
Interestingly, when the above presentation was given t o the 7th National
Park Service Management Safety Planning Conference, coupled with the r e s u l t s
of the grizzly bear cases, several senior executives said the system appeared
t o be a good way t o manage the parks i n general. So f a r a s we know, t h i s was
the f i r s t time any safety system was seen by management people as a general
management method f o r accomplishing anything. (1967. )
Ecosystem? A portion of the change l i t e r a t u r e l i s t e d i n the special
bibliography i s concerned with the r o l e of change i n ecosystems. In t h i s
sense Glacier Park, the Chicago Metropolitan Area, or an i n d u s t r i a l establish-
ment can all be managed a s ecosystems. A working f a m i l i a r i t y with the change
l i t e r a t u r e would supply insights helpful t o the safety professional.
I n the presentation t o NSC the author said t h i s :
-
Wnfortunately from the study of natural ecology, we have t i m e i n an exponen-
t i a l position i n our equation. And t h a t i s an awesome place t o put time.
5 -8. Sequential Role of Change-Error-Accident
Change
Figure 5-9. General System
- THE SYSTEM
MANAGEMENT^-^^+
PROCESS I
ALL
SAFETY
TECHNOLOGY
IS-'
COMPLEX TIME
SAFE
I I ELSE /
SAFETY
ROOM HUNCH I
It means t h a t between two periods of time, one decade versus the next decade,
t h a t when you put a "2" i n an equation, the problems of change get four times
as big, and t h i s , I am sorry t o say, i s what I think i s happening t o the
world r i g h t now. We are dealing with the exponential change i n our problems.
"Fortunately, I think we are also dealing with an exponential change i n our
capacities t o d e a l with problems. This i s what a l l of the hardware and
software i s about. So it would seem t o me we have t o see ourselves faced
with a sharply r i s i n g s e t of problems, such a s h i t us i n motor vehicle
safety the l a s t few years. If we expect t o stay a l i v e i n the world, e i t h e r
as users or as the National Safety Council, we must t a p exploding problem-
solving technology, and use it t o our own advantage.
@@Theforces of change are sweeping across the world. We must mount counter-
-
changes f o r safety and scale them with equivalent force. Man has proven
capacity t o adapt t o many aspects of past change, including safe handling
of growing energy resources. But the pace of change clearly indicates
the urgency of finding b e t t e r methods of dealing with accelerating e f f e c t s
of change.
V h i s i s a general safety method, but looks preliminarily as i f it may also

be a general method f o r accomplishing anything a t a l l . "
We are here concerned with the r o l e of change i n accidents. However, we
should not be unperceptive a s t o the r o l e of change i n the organization as a
whole. Congruence between general management and safety management may, indeed,
begin with t h i s perception of relevant, significant change, and the need f o r
preventive counterchange.
The organizational manager i s or should be concerned with changes and
p o t e n t i a l changes i n (1) economic, p o l i t i c a l , and s o c i a l factors which a f f e c t
h i s organization; (2) technology, h i s and t h a t of others; (3) physical, human,
and ultimately f i n a n c i a l resources of h i s organization; and then, of course,
(4) markets f o r raw materials and products; and (5) alternative developmental
potentials, e.g., h i s competitors o r obsolescence.
It i s not d i f f i c u l t t o perceive how the general manager's concerns f o r
items ( l ) , ( 2 ) , ( 3 ) and (5) above can and w i l l be reflected i n specific con-
cerns of the safety manager.
It would be nice i f the safety manager had an e x p l i c i t method, philosophy
o r practice whereby the general manager could e a s i l y see the safety manager
as a potent source of analytic and planning capability attuned t o the organi-
zation's problems and d i f f i c u l t i e s i n coping with change.
What remains t o be demonstrated is t h e degree t o which a safety e f f o r t
oriented t o change could assist t h e general manager i n solving organization
problems. We have had some encouraging experiences at Aerojet: f o r example,
we have used change a n a l y s i s techniques which seem simple and e f f e c t i v e on
s p e c i f i c projects. Broader safety-related changes o r p o t e n t i a l changes i n
t h e organization a s a whole remain t o be examined.
Systems a n a l y s i s methods provide t h e c a p a b i l i t y f o r an exponential
increase i n preventive power attuned t o t h e r a t e of change, provided t h a t
a n a l y s i s and research a r e proportionate t o changes and problems. A major
t h e s i s of t h i s t e x t i s t h a t a synthesis of s a f e t y p r a c t i c e i s needed t o "ride
t h e t i g e r of exponential change."
6. SEQUENCES I N ACCIDENT CAUSATION
Accidents a r e usually multi-factoral and develop through r e l a t i v e l y

lengthy sequences of changes and e r r o r s . There a r e strong indications t h a t
f o r t h e most serious events i n a r e l a t i v e l y well controlled work environment,
t h e sequences a r e often themselves numerous, and i n s e r i e s and p a r a l l e l .
This complexity a l s o means t h e r e were many opportunities t o intervene o r
i n t e m p t t h e sequences.
Schulzinger (1956) a f t e r a twenty-year study of 35,000 accidents
offered two provocative descriptions of sequences:
1. "a dynamic, variable constellation of signs, symptoms and circum-
stances which together determine o r influence the occurrence of an
accident."
2. "a synthesis of environmental, psychological, physiological,
characterological , and temporal f a c t o r s . "
MORT analysis of serious accidents t y p i c a l l y shows on the order of 25
s p e c i f i c f a c t o r s and 15 systemic f a i l u r e s , many of them linked i n causal o r
temporal sequences.
Levens (1970), i n Search I, pointed out t h a t , while not a s desirable as
preventive design, t h e hazard sequence o f f e r s multiple opportunities f o r
i n t e r r u p t i o n s by corrective o r protective action.
One accident r e p o r t showed cross-linked sequences of e r r o r s and changes
which could be diagrammed a s follows:
Figure 6-2. Sequences of Errors and Changes
Managerial
and
Planning
----
Supervisory
.r - r r
Employee Accident
Safety t e x t s have used a row of f a l l i n g dominoes as a model i l l u s t r a t i n g

t h e accident sequence. This may be such a gross simplification a s t o l i m i t
understanding.
A recent pipeline accident report by the National Transportation Safety
Board (NTSB) provides the basis f o r another sequential analysis (1972):
Figure 6-3. Gas P l ~ e l i n eAccident Seauence
I Faulty Weld ( Error
Leak i n Station E
J-L.-
LD Station Stops C
1 [ 1
rnptr JE opg:;nOt,
Crash Button
Not Used
m SlowStop
Upstream
WE Crew Slaw
Reading the reports of major investigations of NTSB i s very illuminating.

Substantial numbers of recommendations f o r interrupting sequences are normal.
Similarly, the major investigation reports prepared under AEC procedures
commonly show lengthy sequences of causal factors, an average of sixteen per
case f o r one sample.
Review of individual reports shows surprisingly frequent two and three
,7
person (or two department) involvements i n serious accidents. This could
a r i s e from the f a c t t h a t good organizations have successfilly handled the
simpler potentials. I n any event, it seems e s s e n t i a l t h a t accident investi-
gation methods and summaries give appropriate v i s i b i l i t y t o the complex
r e a l i t i e s , r a t h e r than s i m p l i s t i c , one-at-a-time, categorical l a b e l s of
conditions and a c t s .
Among t h e apparent sources of complexity revealed i n accidents, i s t h e
non-routine operating mode. Trials and t e s t s , maintenance and inspection,
change over o r r e p a i r , s t a r t i n g o r stopping, s p e c i a l jobs, trouble shooting
and i n c i p i e n t problems ( r a t h e r than normal r o u t i n e operations), appear with
s t a r t l i n g frequency i n thorough investigations. From t h e preventive view,
t h i s suggests t h a t t h e Hazard Analysis Process consider non-routine opera- ,
t i o n s and s p e c i f y needed controls. F a i l u r e t o see o r heed s i g n s of impending
trouble, and f a i l u r e t o pause o r s t o p f o r diagnosis/correction a r e frequent.
Thus HAP should give c a r e f u l thought t o s i g n a l s and appropriate action.
The use of conditional p r o b a b i l i t i e s (a measurement technique f i n d i n g
value i n medicine) has been suggested by Edwards (NSC Symposium, 1970) as a
method of hazard a n a l y s i s f o r lengthy sequences.
Since t h i s study has focussed on organiaations which have suppressed
accidents t o extremely low l e v e l s , the p o s s i b i l i t y t h a t simpler f a i l u r e s
have been most a f f e c t e d must be considered. I n organizations with higher
incidence r a t e s , simpler f a i l u r e s (and simple preventive measures) may be
more common. This p o s s i b i l i t y can be assessed against t h e following l o g i c :
1. Simple f a i l u r e s most a f f e c t e d (?)
Even simple f a i l u r e s have some sequences.
2. Complex f a i l u r e s l e a s t a f f e c t e d ?
a. Minor consequences -- c o s t s may limit investigation/correction.
b. Major consequences -- seazching study and redundant preventive
measures warranted.
One of t h e most u s e f u l attempts t o show t h e multi-factoral background of
an accident was t h e "Dynamics of Home Accidents" developed by NSC's Home
Safety Conference i n t h e mid-50 's. ( ~ i g u r e6-3. ) Unfortunately, no p a r a l l e l
occupational diagram has been developed. However, t h e model would be appro-
p r i a t e f o r a self-employed person, except t h a t it f a i l s t o recognize t h e r o l e
of purpose, goal and performance, which should be s t r e s s e d i n a l l models of
s a f e t y systems. The t y p i c a l i n d u s t r i a l s i t u a t i o n a l s o emphasizes managerial
planning and supervisory control and intervention.
Examination of occupational accident case h i s t o r i e s suggests that t h e
accident's antecedents o f t e n develop i n a number of sequences involving
physical, procedural and personal elements. Because t h e occupational s e t t i n g
i s more highly s t r u c t u r e d and controlled, we can look f o r t h e sequences of
Figure 6-3.
1. 11. 111. IV. V. MEASURABLE
F
BACKGROUND FACTORS
A ,-,
INITIATING FACTORS INTERMEDIATE FACTORS
A ,
-
IMMEDIATE FACTORS
\
(RECOGNIZABLE) RESULTS
* \
FACTORS
Littla KncmIdg* laud N o h
tittla Attention Machin* Breakdown -,
Itc. Baby CI*l kational
T*I.photu h g 1
"Get By" Atlitude
No S u w n i d o n
Distraction
ac. 3Shd
uc. T a k e a Chance"
Lo*
\I
P h p d 'cal and
hutOlxdor8:
I UNsWE
IateUigenw, INCREaBE IN ACT CPRIOOER
Sight. Hearing, MECIUWIW
Health, (BMAVIOR)
Coordination,
h p a h e n b , Etc. WITHIN GIVEN HAZARD
ENYlRoNldEWT ACTIVITY INCREASE IN
Hqh pmm'MN~
I
HOME
G r e a r on &or
DWEIlMG, tlammablm )li.hu*
YARD. ETC. Cluled up P--
H d Liquid
MaponSta
Aulomalic Control., MITIOATINO No INJURY

Guard., Etc. FACTOR OR M O E
I
I I M O n m s m AUTOMARC I Catch
(OR WWLloIBZP,
I 1
PWSON AW- CUT-0118, ETC.
I Handrail,
bother
I nerrrm
llor
R.daru
c a n t r d 1-
I Pmrron,
SUPP~~
Btc.
I RETURN TO N O W PR-URE, ETC. I
I I I
ACCIDENT PREVENTION (SAFETY) EFFORTS U P TO THIS POINT,-^
1 w ACCIDENT SEQUENCE
I
tt---------.
I
TOTAL ACCIDENT SITUATION
I
events which affected o r changed t h e separate elements:
Management
Planning and design
Work environment (including arrangement and s i g n a l s )
Machine (including t o o l s , and equipment and signals)
Material
Supervision
Task procedure
Worker
Fellow worker ( o r other t h i r d party)
Frequently we f i n d t h a t a number of sequences were developing over a
period of time before t h e culminating i n t e r a c t i o n . Events i n retrospect were
on a " c o l l i s i o n course."
Thus i f we superimpose the home accident model on t h e above f a c t o r s , we
begin t o have a t r u e r p i c t u r e of t h e complexity.
We have seen cases where
t h e personal background f a c t o r s of t h e designer and planner, t h e supervisor,
and h i s supervisor a l l contributed. For example, commenting on a s e r i o u s
incident generated i n p a r t by an anomaly i n hardware, i.e., a failure t o
match up, the d i v i s i o n manager s a i d , "The plan was w r i t t e n by my worst
project engineer and t h e job was being done on the graveyard s h i f t by
my worst maintenance foreman u i t h my weakest building supervisor. Four
other persons were involved, and three of them made mistakes."
Having spoken of lengthy sequences, a word of caution may be i n order.
I n e i t h e r a n a l y s i s o r prevention we aze wise t o order our thinking I n
terms of "closeness" t o the point of accident, That is, we begin uith t h e
accident and work back. Although background s i t u a t i o n s , if improved, may
a f f e c t hosts of accidents, t h e r e a r e grave dangers i n working on "problems
i n general." P a r t i c u l a r l y i n t r y i n g t o d e a l with t h e exasperating human
f a c t o r , we must begin with behavior, r a t h e r than beginning with t h e often
vague antecedent concepts of a t t i t u d e , r e s p o n s i b i l i t y , education, o r
motivation.
An NTSB representative has said:
"Our basic c r i t e r i o n f o r determining cause-effect
r e l a t i o n s h i p s of a p r a c t i c a l nature vis-a-vis
'problems i n general' i s t o i d e n t i f y them with real-
world remedial action, Safety-wise, it becomes
useless t o c i t e broad conclusions, and you o f t e n do
not r e a l i z e t h i s u n t i l you t r y t o write construc-
t i v e recommendations."
7, THE ROLF, OF RISK MANAGEMENT
Risk i s an inescapable f a c t o r i n any human a c t i v i t y .

The management of r i s k ( e i t h e r f o r an organization, an individual, o r
t h e public a t l a r g e ) should be assessed q u a n t i t a t i v e l y i n s o f a r as knowledge
permits. There i s nothing wrong with t h e notion of "calculated r i s k , "
except t h e common f i n d i n g t h a t it wasn't r e a l l y calculated! Efforts t o
c a l c u l a t e r i s k seem t o have a b e n e f i c i a l r e s u l t i n added e f f o r t t o improve
planning, design and controls--in short, l e s s r i s k ,
Statements t h a t there should be "zero r i s k , " i.e., no accidents, seem
laudable and i n s p i r i n g on t h e surface, They may work harm i n d i r e c t l y by
warping understanding of r i s k , hazard review and r i s k reduction techniques
(as well as causing cover up). Evaluation of r i s k i s almost impossible if
"zero accidents" (or "zero defects") i s t h e announced goal.
Y **
Risk taking behavior has had a modest amount of study, but t h i s has
been l a r g e l y on individual o r small group behavior and i n a b s t r a c t , labora-
tory situations. This has meant, vis-a-vis r e a l l i f e work, simplification
and i s o l a t i o n of v a r i a b l e s , weak incentives, use of students r a t h e r than
managers, supervisors and craftsmen, and lack of t h e r i c h information,
a n a l y t i c and s o c i a l context of occupational s a f e t y decisions. Experiments
allow l i t t l e room t o change t h e s i t u a t i o n (eag., by hazard removal). Risk
research choices a r e u s u a l l y presented as simple Yes-No a l t e r n a t i v e s .
Both t h e number of choices and t h e lack of modified o r combination s t r a t e g i e s
i s l i k e l y t o be a r t i f i c i a l ,
Further, as i n most behavioral sciences, there is s u b s t a n t i a l difference
of opinions and findings.
The occupational r i s k taking s i t u a t i o n i s s u b s t a n t i a l l y more complex,
but a l s o more structured, more a n a l y t i c and r a t i o n a l , more keyed t o longer-
term experience, and probably more e a s i l y improved. Consequently, it seems
most p r a c t i c a l t o proceed i n t h r e e steps:
1. Define t h e general format of t h e occupational r i s k taking s i t u a t i o n .
2 . Examine a s e l e c t i o n of behavioral science findings f o r possible use-
fulness in:
a, Managerial r i s k assessment
b. Personal r i s k assessment (remembering t h a t managers a r e people too!)
3 . Then define t h e basic elements of suggested organieational r i s k
assessment plans,
The Occupational S i t u a t i o n . The key elements of occupational r i s k
assessment ( a s contrasted with personal o r l a b o r a t o r y d e c i s i o n s ) seem t o be:
1. The nature of accident r e l a t e d f a c t o r s i s l i k e l y t o be b e t t e r under-
stood--the r o l e s of safeguarding, engineering, t r a i n i n g , supervision,
energy, e r r o r and change.
2. Information i s , o r can be, b e t t e r i n a number of a s p e c t s , fewer
uncertainties :
a. r i s k i d e n t i f i c a t i o n ,
b. r i s k a n a l y s i s , including p r o b a b i l i t i e s and consequences.
c. longer-term, broader experience, and reference t o experience
of o t h e r s ,
d. p i l o t t e s t s where needed.
3. Decision methods can be b e t t e r :
a. C r i t e r i a , including long-term and s o c i a l o r public concerns,
can be more e x p l i c i t .
b e Review i s b e t t e r .
c. Responsibility and a c c o u n t a b i l i t y a r e more c l e a r l y defined.
4. The nature of t h e d e c i s i o n i s u s u a l l y d i f f e r e n t :
a. The s i t u a t i o n and outcome a r e always modifiable by hazard
removal.
b e The choice of a l t e r n a t i v e s w i l l most f r e q u e n t l y enhance s a f e t y ,
parrticularly i f t h e a l t e r n a t i v e s a r e at l e a s t t h r e e :
(1) Continue unchanged ( i n some cases t h e s a f e a l t e r n a t i v e ) ,
(2) Modify moderately (including single-f a i l u r e f i x e s ; f a i l -
s a f e and cut-off p o i n t s ) ,
(3) Make major improvements (redesign, system study, redundant
protection).
I n some places, t h e s e key elements may be goals, r a t h e r than present
practices! If s o , t h e immediate work should be toward t h e s e goals.
It i s not necessary t o d i s c u s s each of t h e above elements i n d e t a i l - - t h e
remainder of t h e t e x t i s l a r g e l y i n these areas. However, a few s e l e c t e d
observations may h e l p t o v i s u a l i z e r i s k assessment i n ways which w i l l make
t h e behavioral science f i n d i n g s more meaningful:
Much of system s a f e t y a n a l y s i s i s intended t o reduce r i s k of f a i l u r e ,
but it w i l l a l s o increase information on t h e objective p r o b a b i l i t y of
failure.
Management r i s k decisions should consider t h e number of accidents e s t i -
mated a s l i k e l y over the l i f e cycle of an operation. For example, t e n
machines may be l i k e l y t o produce f o u r s e r i o u s i n j u r i e s over t h e i r l i f e
cycle i f not b e t t e r guarded. Qr,a design goal, such as, i n j u r y proba-
b i l i t y per man hour of 1 x 10- , can be s t a t e d . Thus, it may be e a s i e r
t o convince management of an inexorable q u a l i t y i n f u t u r e outcomes,
given time. Objective p r o b a b i l i t i e s from a n a l y s i s w i l l l i k e l y be given
g r e a t e r weight than i n an unstructured personal s i t u a t i o n . However,
Carter (1972) r e p o r t s some of t h e problems, a s well a s successes, i n
corporate attempts t o use. p r o b a b i l i s t i c methods i n r i s k a n a l y s i s .
An A i r Force study (1968) was summarized a s follows: "Arguments f o r an
acceptable individual r i s k c r i t e r i o n , t o be applied against any p a r t i c -
n12r hazardous operation, a r e developed. A 'one-in-a-million ' (0.000,001)
f a t a l i t y p r o b a b i l i t y is selected a s one which is consonant with those
normal hazards experienced i n r o u t i n e , day t o day l i v i n g , t h e recommenda-
t i o n i s made f o r A i r Force adaptation of a 0.000,001 individual r i s k
c r i t e r i o n f o r guidance i n t h e application of s a f e t y programs."
Outside experts i n r i s k evaluation (e.g., f o r f i r e r i s k o r i n d u s t r i a l
hygiene) may be used, both f o r t h e i r competence and because they may
have more p r e c i s e notions of p r o b a b i l i t i e s f o r l o n g - t e n exposures.
Senior executives commonly have t h e s k i l l of asking a s e r i e s of questions
t o determine t h e amount and q u a l i t y of a n a l y s i s behind a proposal and
thereby measure r e s i d u a l r i s k .
A declined r i s k by management may not be "inaction producing degrada-
tion;" t h e p r o j e c t may be sent back f o r more r i s k reduction. .However,
supercaution always has the p o t e n t i a l f o r degrading t a s k performance.
"A man sits as many r i s k s as he runs. " ( ~ h o r e a u ).
Risk Taking Behavior.

General r i s k research, e s s e n t i a l l y non-industrial, shows scholarly
views i n two groups represented by reviews e n t i t l e d :
1. "Emerging Technologies f o r Making Decisionsff--Edwards, Lindeman and
P h i l l i p s (1965).
Models (usually mathematical) represent decisions i n terms of
expected p r o b a b i l i t i e s and values, both r a t i o n a l and subjective.
Edward's models seem r e l e v a n t t o t h e type of hazard and r i s k an&-
l y s i s methods seen as necessary i n t h i s t e x t .
2. "Risk Taking as a F'unction of t h e Situation, t h e Person, and t h e
Groupw--Kogan and Wallach (1967).
Decisions show d i f f e r e n c e s i n various s i t u a t i o n s and individuals,
not explainable by t h e models of t h e f i r s t group. Most of u s
have seen considerable d i f f e r e n c e s i n r i s k a t t i t u d e s among individ-
u a l s , groups, and organizations.
Since both schools of thoughtseem t o o f f e r usable ideas f o r safety,
perhaps we need not choose s i d e s i n the argument.
Ward Edwards was a member of t h e group at t h e NSC Symposium whose
r e s u l t s are included as Appendix M. The group's views a r e consistent with
Edwardsf--indeed he contributed major points, p a r t i c u l a r l y t h e sections,
"Diagnosis" and "Effectiveness of Program. "
Kogan and Wallach r e p o r t f i n d i n g s which should be helpful.
S i t u a t i o n a l influences include:
1. When s k i l l ( r a t h e r than chance) a f f e c t s outcome, r i s k i e r a l t e r n a t i v e s
a r e selected.
2. More information i s sought when consequences a r e severe, and l e s s when
i n f o n a t i o n i s consistent o r costly. Seeking moderate., r a t h e r than
maximum, i n f o n a t i o n , a r e a l i s t i c choice, is indicated. ( ~ n d i v i d u a l
d i f f e r e n c e s i n information seeking a r e more heavily determined by
personal traits, d i s p o s i t i o n s toward r i s k o r conservatism.)
Deterrent values of c o s t s of f a i l u r e exceed values of success i n
decisions.
Personal v a r i a b l e s include:
Consistent d i f f e r e n c e s of individual i n c l i n a t i o n toward high, mod-
e r a t e and low r i s k a l t e r n a t i v e s .
No provable male-female d i f f e r e n c e s across t h e l i f e span, but a
tendency toward conservatism with aging.
Higher s o c i a l s t a t u s seems t o produce conservatism i n decisions, but
more p a r t i c i p a t i o n i n risk-involved decisions.
Highly motivated achievers i n d i c a t e preferences f o r calculated,
moderate r i s k s .
B e l i e f s t h a t individuals control t h e i r environment f o s t e r r i s k i e r
choices.
I n t e l l i g e n c e understandably a f f e c t s correctness of decisions, but
shows no s t a b l e connection with r i s k tendencies.
Maximal motivational disturbance seems associated with g r e a t e r consis-
tency of choice, r i s k y o r conservative, and l e s s adaptation t o environ-
ment o r f a i l u r e . Minimal motivational disturbance w a s r e l a t e d t o
r a t i o n a l i t y of choices and a d a p t a b i l i t y t o environment, r a t h e r than
consistent r i s k postures. ( ~ o t ethese are extreme f r a c t i o n s of a
general population. )
Group influences on risk-taking may be of two types with r a t h e r s u b t l e
distinction:
1. The correctness (freedom from e r r o r ) of a decision, e. g., from g r e a t e r
i n f o n a t i o n a l o r i n t e r d i s c i p l i n a r y a t t r i b u t e s , o r judiciousness.
2. The risk-taking aspect, and p a r t i c u l a r l y t h e group's influence on
s h i f t toward conservatism o r r i s k .
The first aspect, not t r u l y risk-taking, seems primary i n t h e common use
of groups i n organizations, and a l s o tends t o i n i t i a t e acceptance of decisions.
Certainly i n s a f e t y a review agency not inclusive of r e l e v a n t d i s c i p l i n e s w i l l
r e s u l t i n oversight o r error--that is, poor analysis.
For t h e risk-taking aspect, t h e r e i s some simple evidence f o r averaging
toward a c e n t r a l r i s k value, and f o r conservatism. However, these may only
operate against extreme individual positions and a g a i n s t extreme r i s k s . Kogan
and Wallach r e p o r t t h e "risky s h i f t phenomenon."
"The e f f e c t of group discussion t o a consensus on t h e dilemmas-of-choice
procedure i s t o increase t h e l e v e l of r i s k t h a t persons a r e disposed t o
take. "
A "risky s h i f t " phenomenon i s not necessarily bad--undue conservatism may
be equally dangerous. Thus, t h e n e t e f f e c t of group influences could be con-
strued t o give g r e a t e r wisdom, fewer extremes, and a s e l e c t i v e d i s p o s i t i o n
toward r i s k (progress?).
Since t h i s t e x t places considerable emphasis on groups and p a r t i c i p a t i o n ,
it seems worthwhile t o suggest t h e influences which a r e l i k e l y t o work t o
produce g r e a t e r s a f e t y , f o r example, i n a Job Safety Analysis t a s k involving
senior craftsmen:
1. Safety becomes a f o c a l goal.
2. S k i l l and knowledge of p a r t i c i p a n t s become s o c i a l l y important.
3. Information on r i s k s i s augmented.
4. Analysis r e v e a l s causal f a c t o r s , contingencies and control techniques.
5. Modification of t h e situation--hardware, procedure, arrangement, o r
personnel--is f e a s i b l e ,
6. Acceptance of higher standards i f fostered by peer development.
7. Performance (other than safety) may be sought, perhaps unconsciously.
I f SO, a "risky s h i f t " with compensating safeguards o r c o n t r o l s may
enhance s a f e t y and performance.
There remain some anomalies between r i s k y personal behavior and expressed
demands f o r s a f e t y which a r e frequently noted, and a f f e c t public and i n d u s t r i a l
relations. Risk acceptance i s s u b s t a n t i a l l y higher - f o r a c t i v i t i e s under our
c o n t r o l than f o r a c t i v i t i e s not under our control, according t o S t a r r (1969).
This suggests t h e p o s s i b i l i t y t h a t t h e employer-employee r e l a t i o n s h i p can
temper unduly r i s k y tendencies of both employer and employee,
There a l s o remains an ambivalent q u a l i t y i n r i s k , d i f f i c u l t t o define,
but impossible t o ignore, That is, achievement, growing s k i l l and pride, invex-
t i o n and innovation, and fun and creativity--perhaps "progress" however defined--
often l i e on t h e "no" o r r i s k y side. If r i s k were as simple as matching capa-
b i l i t i e s with requirements, we would have a Yes-No decision. But high capabil-
i t i e s with low requirements = boredom, j u s t as low c a p a b i l i t i e s with high
requirements = d i s a s t e r . Consider s k i i n g as an example i n a pictogram r e f l e c -
t i n g l e v e l s of s k i l l and t a s k challenge!
Figure 7-1. Risk in General

'Boredom
Skill
3 RISK
Fun
Achievement
Profit
Creativity
Accidents
Organizational Risk Assessment Plans
Risk evaluation provisions of NASA's manual (1970) express b a s i c manage-
ment and a n a l y t i c r e s p o n s i b i l i t i e s :
IT
The program manager ...
must assume c e r t a i n r i s k s t h a t a r e attendant
t o t h e design, manufacture, t e s t , and operation of t h e hardware
system t o e f f e c t i v e l y accomplish t h e mission f o r which t h e system
was developed. The acceptance of t h e s e r i s k s should be based on
thorough v i s i b i l i t y a s t o t h e nature of hazards and r i s k s t h a t a r e
i n e x i s t e n c e and t h e options and a l t e r n a t i v e s t o t h e acceptance of
the risks.
' h e d e c i s i o n on whether t o assume a r i s k i s c l e a r l y a program manage-
ment r e s p o n s i b i l i t y . This decision i s no b e t t e r than t h e q u a l i t y of
t h e r i s k d a t a t h a t serves a s a b a s i s f o r t h e decision. Accordingly,
t h e development of hazard and r i s k d a t a should be assigned a s a respon-
s i b i l i t y t o p r o f e s s i o n a l s whose t r a i n i n g and o r i e n t a t i o n cause them
manifest themselves ...

t o search out and f i n d t h e hazards i n t h e system before t h e s e hazards
" i n terms of i n j u r y , damage o r deskmction.
The b a s i c elements of sound r i s k assessment a r e :

1. A choice of a l t e r n a t i v e s ,
2. I d e n t i f i c a t i o n of hazards, and t h e p r o b a b i l i t y and consequences of
accidents,
3. Comparison of t h e l i k e l y outcomes a g a i n s t c r i t e r i a .
Figure 7-2. Basic Elements of Risk Assessment

Alternatives Identification Evaluation
F]
1 =
Combined
Rating
I Criteria I
C r i t e r i a o r values include not only t h e organization's s a f e t y g o a l s , but
a l s o c o s t , schedule, r e l i a b i l i t y and q u a l i t y and o t h e r i n t e r n a l c r i t e r i a , plus
employee and public concerns and c o n s t r a i n t s .
Progress has been made i n r i s k q u a n t i f i c a t i o n f o r systems s a f e t y , and it
i s believed t h a t q u a n t i f i e d r i s k reduction goals can i n c r e a s i n g l y be used as
c r i t e r i a i n designs and plans.
A Xisk Assessment System and a Framework f o r Analysis of Risks a r e described
i n Chapter 21 as a major aspect of management's implementation of safety.
Residual Risks.
Residual r i s k s can be c l a s s i f i e d a s follows:
I. Assumed risks-specific, named events, analyzed, and where possible,
calculated, and accepted by management a f t e r evaluation.
11. Other
A. Unevaluated--hazard known, not analyzed.
B. Unrecomized--hazard not known t o management.
1. Known and accepted a t lower levels.
2. Not known.
C. Uncertainties--omissions of major f a c e t s of the Hazard
Analysis Process, such a s information search, human f a c t o r s
review, t e s t and q u a l i f i c a t i o n , o r Job Safety Analysis.
I n MORT analysis, t h e t h r e e "other" groups a r e t r e a t e d as oversights,
omissions and e r r o r s . Data c o l l e c t i o n i s needed, but events t h u s far
examined i n d i c a t e :
Unevaluated and unrecognized hazards, and u n c e r t a i n t i e s
i n the analytic-decision process a r e frequent and conspic-
uous i n serious events--more so than assumed r i s k s .

-
93 -
111. HOW TO REDUCE HAZARDS
The major elements of t h e best occupational s a f e t y p r a c t i c e
and system s a f e t y a r e b r i e f l y described and compared t o show how
they may be integrated with mutual improvement. ( ~ e t a i l saxe
combined i n t o the MORT system of a n a l y s i s and evaluation.)
The new approaches a r e :
1. Separately usable p a r t s of a complex system,
2. Simple, when separated,
3. Cheap, i f scaled t o t h e s i z e of a problem.

The new approaches give g r e a t e r emphasis t o :
1. Method, r a t h e r than content,
2. V i s i b i l i t y f o r the a n a l y t i c process, r a t h e r than
j u s t conclusions.
Most important, i n t h i s P a r t we develop a model of a s a f e t g
system congruous with a goal-oriented high performance system,
and show t h e new model t o a l s o be c o ~ o u with

s a v a r i e t y of
general management methods.
The concepts i n P m t s I1 and I11 l e a d t o a statement of
general s a f e t y program theses.

8. INTEGRATING SYSTEM SAFETY WITH
PRFSENT BEST PRACTICES
A c l e a r l y a r t i c u l a t e d concept and method f o r reducing hazards i s essen-

t i a l i n knowing what t o look f o r i n accident investigation or i n evaluating
safety programs. Very high l e v e l ideals f o r hazard reduction procedures help
measure program performance i n good organizations and help establish future
program goals --f o r example, i s new plant construction preceded by thorough
l i f e cycle analysis i n early, conceptual stages?
We could categorize three concepts of high-level hazard reduction pro-
cesses:
Level N - the best occupational practice ( f a r above I, Sub-minimal; and
11, Regulations; or 111, Voluntary standards).
Level V - A "practical" combination of two concepts, IV and V I , above and
below.
LevelVI - the best of nuclear and aerospace system safety practice, a so-
called " gold-plated" e f f o r t .
Five significant characteristics of the highest degree of safety e f f o r t
(nuclear or aerospace) seem t o be:
1. Modern analytic methods, beginning a t conceptual stages.
2. Directed research programs t o f i l l information gaps.
3. Substantial investment i n hardware ( p r i o r i t y over software) .
4. Considerable investment i n software (personnel selection, training,
simulation).
5. Monitoring (observation, feedback) .
These programs were expensive, government-funded, and the objective was
" F i r s t Time Safe."
However, only a change i n amount, or degree, o r cost (based on what we
a r e willing t o invest according t o economic and s o c i a l c r i t e r i a ) would be
necessary t o apply these effective techniques t o any a c t i v i t y .
The type o r kind of safety work should not change, simply the amount.
I n system design we see the operation of two aspects of safety:
1. Standards - f o r example, f o r d a i l y exposure t o radiation, controls,
redundancy, limitation of e f f e c t s of severe accidents.
2. Non-standard design and planning - t o control other contingencies.
Also, we see the r o l e of these two aspects:
1. Minimum allowable performance,
2. Maximum desired performance.
I n s t e e l and o t h e r i n d u s t r i e s , a s an example of best business p r a c t i c e ,
we see a high degree of control a t the work s i t e :
Job Safety Analysis
Job I n s t r u c t i o n Training
Safety Observation Plan.
Also, somewhat apart, but f i r s t i n t h e i r hierarchy: a strong program of engi-
neering and environment control. These a r e strong and praiseworthy, but even
t h e i r cost might be f e l t t o be "uneconomic" by other companies.
Having praised t h e leading industry programs, we can proceed t o f i n d out
where even they f a l l short. The difference from system approaches may be i n
some measure degree o r quantity. There i s something more, however, a l l along
the line. There is a l s o a q u a l i t a t i v e difference i n s o p h i s t i c a t i o n , scope,
innovation, and most c e r t a i n l y i n t h e s c i e n t i f i c o r resexcch orientation.
System s a f e t y , on t h e other hand, s u f f e r s from t h e d i s c o n t i n u i t i e s of
p r o j e c t o r i e n t a t i o n and, when seen as c o s t l y , may be eliminated r a t h e r than
using t h e on-going i n d u s t r i a l approach.
A synthesis seems t o be an ultimate r e q u i r e m n t i f we a r e t o adequately
examine accidents and performance against a u n i f i e d standard. of comparison,
r a t h e r than two yardsticks. But before attempting i n MORT analysis what i s
seemingly t h e f i r s t synthesis, it i s probably well t o a t l e a s t roughly compare
t h e two l e v e l s of p r a c t i c e , and thereby e s t a b l i s h some o u t l i n e f o r i n t e g r a t i n g
t h e two. The notations a r e obviously c r y p t i c , r a t h e r than rully descriptive.
Present Best Practice System Safety
General Orienta-tion Continuous Project o r mission
Operational Pre-operational
System given System designed
-
Who?
Management Role "Vigorous" Not d i f f e r e n t
Policy and administration Contractual requirements
w e l l established Budget a l l o c a t i o n s f o r analysis
Supervi sion Accountable Not d i f f e r e n t
Trained
Special s t a f f Safety r e s p o n s i b i l i t y- Accountable f o r q u a l i t y of
(non- saf e t y ) sometimes unclear, o r a n a l y s i s f o r delegated
none flmctions
Safety s t a f f Consultant Same
Information r e s p o n s i b i l i t y
and s p e c i f i c a n a l y t i c
d u t i e s w e l l defined
Much "program administra- Probably l e s s
tive detail"
How? Present Best Practice System Safety
Process design Standards emphasized Analysis emphasized
(Standards inadequate)
Re search Neglected Emphasized t o answer questions
Data Collection Stereotyped, simplistic, Emphasized t o answer questions
and Analysis and not very u s e f u l
Review Before plans a r e used A t inception, a t prescribed
review points, and a t change.
Design Scope Not c l e a r Life cycle emphasis
Much reliance on Inputs assume llfitl' -
criteria
"retrofit" established.
Techniques Primarily "content1' Primarily "methods"
e.g., manuals System Safety Analysis
Human Factors Engineering
Procedures General r u l e s promulgated Prepared i n Design and Develop-
JSA, often designed on ment stages, more emphasis on
job, a f t e r work begins e a r l y preparation
Selection Medical exams and some Strongly oriented t o require-
selection ments and human f a c t o r s
Training JIT Methods and a i d s created i n
Development stage
Motivation Meetings, colmnittees, More personal, professional
propaganda, human
r e l a t i o n s emphasized
P a r t i c i p a t i o n usually Not d i f f e r e n t
sought
Discipline Where necessary Probably no d i f f e r e n t
Maintenance Preventive Maintainability designed
Monitoring Inspections Methods and schedules
developed i n design
Safety observation plans More emphasis on monitoring
Occupational practice tends t o be operational f o r a system a s given, and

may therefore be only expedient. System safety i s pre-operational f o r the
l i f e cycle of a system t o be created.
J e r r y Lederer, NASA safety d i r e c t o r , has c a l l e d the old approaches "tomb-
stone safety." (NASA, 1971.)
Mackenzie (1968) has said t h a t :
"Stripped t o the naked bones, system s a f e t y i s oriented t o 'hardware
systemst while i n d u s t r i a l s a f e t y i s more i n the d i r e c t i o n of a people-
."
directed a c t i v i t y
Miller (NASA, 1971) used t h e m i l i t a r y standard d e f i n i t i o n of system s a f e t y a s :
"The optimum degree of hazard elimination and/or c o n t r o l within t h e con-
s t r a i n t s of operational effectiveness, time and cost, attained through,
t h e s p e c i f i c application of management, s c i e n t i f i c and engineering
principles throughout a l l phases of a system l i f e cycle."
This brief comparison does not do justice t o e i t h e r process, but will be
qualified and expanded i n the d e t a i l s of MORT.
The early t e x t a l s o included the following brief summary of the synthesis:
I n both t h e best occupational safety practice and the best system safety prac-
t i c e , the Who? of hazard reduction i s identical:
1. Management i s vigorous i n pursuit of safety through managerial excellence,
because of humane and economic concern, and because hazard reduction i s
congruous with r e l i a b l e control of work and performance.
2. Line supervision i s accountable f o r performance with safety, i s trained
and motivated, and assisted a s necessary.
3. S t a f f . A specialized safety s t a f f serves a s consultant, advisor, expe-
d i t o r , designer of hazard reduction programs, and monitor and evaluator
of the effectiveness of the programs.
Other staff units have assigned safety functions consistent with t h e i r
objectives.
4. Employees are trained and motivated.
System safety i s project oriented, whereas the t y p i c a l occupational program
i s properly continuous. The sequential order of hazard reduction steps i n
occupational practice and systems practice are not so different t h a t they
cannot be integrated, i f hazard reduction i s viewed a s a Hazard Analysis
process or cycle triggered by planned changes or deviations. This concept
f a c i l i t a t e s the progressive adoption of the superior system safety analytic
techniques i n change projects which upgrade the effectiveness of present
business practice.
A primary focus of t h i s study has been how t o apply project-oriented,
system safety techniques t o on-going work, such a s business o r AEC. There
a r e indications t h a t aerospace, the originator of system safety techniques,
may a l s o need t o examine haw i t s agencies can u t i l i z e the "best practices" of
business and AEC t o handle i t s on-going, non-project a c t i v i t i e s .
Elements of an Ideal Hazard Reduction Program
1. Ssstem Safets Plan
2. Life Cycle scope f o r review, analysis and reduction.
3. Hazard Identification
by A. Preliminary analysis START EARLY
B. Detailed analysis
C. Operational analysis
u t i l i z i n g information from
D. Known precedents and experience
E. Engineering, including manuals, standards, e t c .
F . Hazard analysis techniques (system Safety Analysis)
G. Research
4. A Safety Precedence Sequence - which gives preference t o the p r i o r measures,
especially t o hardware.
A. Design
B. Safety devices
C . Warning devices
with concern for human factors through:
D. Full use of Human Factors Engineering
-
E. Procedures including anticipation of changes and emergencies, as in
Job Safety Analysis
F. Personnel selection
G. Personnel training, for example, Job Instruction Training
H. Motivation
1. "Innovation Diffusion" processes to produce wanted changes
2. Participation, group and social influences to build acceptance and
morale.
3. Human relations programs to help the individual
4. Communications to support the program.
-
Residual Risks estimated at three points in the Sequence:
A. After Hardware (A-D)
B. After Procedures (E)
C. At the end of the Sequence
Re-cycle Sequence if Risk is unacceptable.
Monitoring
A. Supervision, inspection, sampling, measurement, appraisal
B. To detect Deviations: Changes, Errors, Incidents, Accidents
C. Thus providing Hazard Analysis Triggers to reactivate the whole reduc-
tion cycle.
The Life Cycle phases of concern in any system are:
Conception +Safety starts here,
~efinition , RequirementS
Design, Development (including
procedures, training plans)
Construction, or Manufacture,
and Installation
Operation
Maintenance
Disposal -continues to here.
Hardware -- technical factors represented by adequate engineering have
historically and correctly been the preferred solutions. Although investment-
benefit calculations could raise questions about this strategy, the physical
and technical factors can be dealt with in greater certainty than the less
stable and less understood human factors. Further, a visibly good record on
hardware improvement is felt to be a precondition for motivating the people in
the system. Thus, hardware has precedence in the reduction sequence.
Brief History of System Safety.
The U. S. Air Force pioneered many concepts and techniques of system safety
analysis. One landmark was the work done on the Minuteman inter-continental
ballistic missile. The probability of an inadvertent launch of a missile was a
very small number. But when you multiplied the small probability per day by
twenty years and a thousand missiles you got a probability of an entirely dif-
- 100 -
ferent magnitude -- an unsatisfactory magnitude f o r the " l i f e cycle of the
system."
Bell Telephone Laboratories developed i n 1962, and Boeing then applied,
the "Fault Tree" analysis technique, which measures probabilities of various
undesired events, and thus t e l l s where preventive measures would yield the
greatest additional safety.
Two important principles were involved - first, calculate or estimate
f a i l u r e probabilities, and second, do t h i s f o r the " l i f e cycle" of the operation.
A t the same time systems i n weaponry were becoming too complex and expen-
sive t o permit continuing the older reliance on t e s t and retroactive improvement.
Analytic detection of f a i l u r e potentials i n advance became a necessity.
The man-in-space program has employed many system safety techniques from
i t s inception. A high degree of protection f o r astronauts (and others) was
attained.
The Apollo V f i r e which took the l i v e s of three astronauts showed t h a t a l l
human e f f o r t s are f a l l i b l e and led to, not only a reexamination and improvement
of the particular situation involved, but a l s o brought about a reorganization
and strengthening of the space agency's safety organization f o r manned space
f l i g h t programs.
Apollo X I 1 1 a l s o showed f a l l i b i l i t y , but also i n a positive manner, drama-
t i c a l l y showed the emergency values i n redundancy, procedures, training and
decision mechanisms.
The nuclear and manned space f l i g h t programs involve an essentially new
idea: F i r s t Time Safe. The missions a r e simply not ones which can be accom-
plished on the "old fashioned" premise t h a t things are "pretty good" o r "very
good," and w e ' l l investigate the ashes of our f a i l u r e s (a Fly-Fix-Fly routine) .
The job i s simply Zmpossible i f done by conventional methods.
M C has employed systematic analysis of the "maximum credible catastrophe"
t o assay the design of atomic reactors, and emphasizes a control principle of
independent review. Also, the AEC program f o r control of routine radiation
hazards exemplifies not only design and procedures, but a l s o the important
principle of monitoring.
Today system safety requirements i n military procurement are spelled out
i n d e t a i l . Increasingly, companies with aerospace experience are applying the
techniques t o no=-military projects; however, transfer i s f a r from automatic
unless the purchasers specif'y t h a t system safety i s a requirement.
Systems safety analysis has not only improved our technological capacities,
but a l s o has begun t o r a i s e public expectations a s t o what i s possible i n pro-
duct, transportation and occupational safety. Therefore, any corporate future
holds both the t h r e a t and the promise t h a t system safety procedures must be
applied (see, f o r example, Hayes 1971).
System safety analysis i s as much a l o g i c a l process a s a mathematical
process. Therefore, there can be no excuse f o r f a i l u r e t o begin using t h e
concepts, even though the research necessary f o r exact numbers and the time
and professional t a l e n t available f o r the analysis may both be inadequate.
Currie (1968) has provided a useful general discussion of system safety,
a more detailed hfstory of i t s evolution, and an extensive bibliography.
The term "system safety" a s used i n the aerospace industries was an aspect
of system engineering, which was usually a separable project or contract
approach, and system safety w a s sometimes a separate contract. This gives
r i s e t o some semantic problems, i n t h a t system safety, a s thus applied, i s an
e a r l y , f i n i t e phase i n a project, r a t h e r than the on-going management e f f o r t
c h a r a c t e r i s t i c of occupational safety. A system safety e f f o r t , despite i t s
considerable v i r t u e s , was seemingly somewhat s e t apart from the ultimate on-
going operat ions.
Safety professionals have had d i f f i c u l t y i n seeing how and where they
could use system s a f e t y techniques. Further, the contract organizational form
seem& t o divorce system s a f e t y from the ultimate operational a c t i v i t i e s , even
though the system safety tasks included operational requirements.
. F u r t h e r complicating understanding of system s a f e t y by safety professionals
w a s the substantial expense and new, sometimes complex, analytic technicques
developed by system safety. Neither of these i s a requirement f o r using a
systems approach, 3ut the difference between the simple logic of t h e e f f o r t ,
and the quantity of the e f f o r t was not clear.
We use the terms "system safety" and "system safety analysis" t o r e f e r
specifically t o the kinds of developments which took place i n the aerospace
industries (and i n reactor development, but not by the same name) We use the .
term "safety system" t o describe the kind of on-going development which now
appears needed i n occupational safety. This has several important implications
f o r safety systems:
1. Improved safety systems assimilate past programs ( i f they are effective).
2. Improved safety systems can be b u i l t by successive additions of prac-
t i c a l , e f f e c t i v e system elements (rather than leaping full-blown from a
large expense appropriation and a f i n i t e contract format ) ,
3 . Improved safety systems can be b u i l t from ideas which are no more than
moderately d i f f i c u l t or complex. (system safety analytic techniques,
e.g., the f a u l t t r e e , a r e covered i n t e x t s even now being published.)
4. Congruity with on-going management methods can be shown.
Adopting New Methods.
Whether viewed as system safety or the MORT system, the apparent complex.
new methods stimulates "instant objections" a s t o imagined d i f f i c u l t y
o r cost. Therefore a number of suggestions a r e i n order.
Separability. Evaluate and t r y the methods one a t a time. They a r e usable
separately. A t Aerojet two safety professionals began using a t o t a l of f i v e
concepts a f t e r j u s t a one-hour familiarization briefing on MORT.
A n o v e r a l l safety program could probably not be r e o r g a n i w o r upgraded t o
MORT standards i n one f e l l swoop. Rather, a program can be gradually
strengthened aver time.
Simplicity? The MORT process i s an attempt t o define a safety system i n
a s much d e t a i l a s possible. Big hazards o r big accidents deserve big review.
However, i f the simple e s s e n t i a l s of any method a r e t o be used i n scaled
down form, these e s s e n t i a l s must be v i s i b l e .
I n addition, the basic hazard
review logic i n big and little matters should not vary, only the amount of
study, and amount spent on hazard reduction.
The positive l o g i c t r e e developed by some 'chemists a f t e r a gold powder
explosion i n 1966 (F'igure 9-1) i s a good i l l u s t r a t i o n .
There is a great deal
more we can say about "hazards evaluation, " o r review of changes, and indepen-
dent review. Never%heless, the diagram i s a good p o r t r a i t of a basic process
f o r self-analysis by chemists.
l n i t i d l y we can focus on building a f u l l e r understanding of t h e safety
process a t management and supervisor l e v e l s , and among s c i e n t i f i c and technical
staffs. A s we progress we can, hopefully, make the process simple and usable
at c r a f t , operator and other employee l e v e l s , both t o pre-plan f o r saifety and
t o know when help is needed.
Costs? With some frequency, the concepts of system s a f e t y have been
rejected as expensive and j u s t i f i a b l e only when "gold plating" is warranted.
This is unjustified. Ideas and logic a r e not expensive. I f quantity of e f f o r t
is scaled t o s i z e of problem, and method of logic retained, cost i s manageable
and flexible.
The biggest cost i s i n the mental e f f o r t and i n i t i a t i v e of trying new
techniques.
I n the long run, the cost of any s a f e t y program, whether conventional o r
system safety, is small compared t o t o t a l investment and s m a l l compared t o
the cost of one big accident. Further, system methods w i l l enhance the whole
management process and can pay big dividends i n general performance.
9. METBOD vs . CONTENT
An examination of occupational safety l i t e r a t u r e reveals that descrip-
t i o n of methods of analyzing r i s k s , or reviewing f o r hazards, o r investiga-
t i n g accidents i s sparse. The bulk of the material describes specific,
t o p i c a l treatment of particular hazards, and takes the form of standards or
recommendations f o r given situations--this we s h a l l c a l l content.
System safety, on the other hand, stresses analytic methods and processes.
A more balanced emphasis on method vs. content offers a redundant examina-
t i o n of hazard:
1. The specific technology of a hazard's control can be reviewed,
2. The process of analysis can be reviewed.
This kind of redundant examination i s an articulated and well-developed
facet of the independent review system f o r nuclear weapons, and i s a l s o evolving
i n the nuclear c r i t i c a l i t y review system a t the National Reactor Testing Station.
The i d e a l of d u a l i t y i n method vs. content i s carried over i n t o the s t a f f
organization of the nuclear weapons safety group which has two small, highly
competent s t a f f s f o r the two aspects, namely, analysts and weapons experts.
Since method i s valuable precisely because it produces specific recom-
mendations f o r situations, some perhaps not found i n content, it i s worth
examining the two processes:
Recommendations
The redundancy of using both method and content (or technology) reviews
i s believed t o be a major avenue t o attainment of higher safety goals.
When a project comes before a review panel, the designer can be asked,
"Did you perform the analysis?" If the answer i s , "No," the review meeting
i s over!
Some of the distinctions are:
Method Content
Information Processing Technology
Process of Analysis Standads and Codes
Research Recommendations
System Components and specifics
Search Finite
Sometimes t h e d i s t i n c t i o n seems t o be:
Theory Practice
Sometimes t h i s And t h i s
works does not work
very well, well enough.
An exploration of t h i s view of a n a l y t i c method with supervisors of
chemical l a b o r a t o r i e s , f o r example, e l i c i t e d i n s t a n t understanding; t h a t i s ,
they saw t h e p o t e n t i a l s f o r improved control i f they could, not only monitor
a chemist's technical plans, but a l s o have agreed upon c r i t e r i a f o r evalu-
a t i n g t h e chemist f s s e l f -review process ( ~ i g u r e9-1). The methodology out-
l i n e d i n t h i s "Positive Tree" is a shortened hazard a n a l y s i s process.
"Brains" a r e an ingredient i n a successful organization, but not as an
a l t e r n a t i v e t o method. Method i s a means of enhancing t h e brain-power t h e
organization possesses, hopefully a l a r g e supply. Accidents i n "brainy"
organizations not having v i s i b l e s a f e t y method, f o r example i n some R & D
organizations, argue against r e l i a n c e on b r a i n s alone.
A g r e a t amount of u s e f u l methodology i s seemingly already i n existence
i n a l a r g e complex organization, but i s obscured by subject matter. A
conscious search-out i s required t o bring t h e experience and wisdom t o l i g h t .
Sometimes it needs b e t t e r a r t i c u l a t i o n , but then it i s available t o add t o
a synthesis of good practice.
Method, when i d e n t i f i e d , i s not infrequently t h e seemingly i n t u i t i v e
p r a c t i c e of good managers o r good engineers. &A a u d i t
For example, an R
of Aerojet's Engineering Division found that a v a r i e t y of sound methods were
being used by t h e staff even though not specified i n d i v i s i o n a l procedures.
The weakness i n t h e i n t u i t i v e , unspecified approach i s , of course, its varia-
b i l i t y over time and among people.
Method i s a l s o an e f f i c i e n t guide t o w h a t information t o seek. Needed
information i s very o f t e n r e a d i l y a v a i l a b l e i f t h e proper question i s pin-
pointed.
Safety professionals t y p i c a l l y put more emphasis on r u l e s and procedures,
and l e s s on a n a l y t i c method, than do managers and s c i e n t i s t s . Thus a f a c e t
of professional growth i n s a f e t y probably l i e s i n g r e a t e r use of method--
a n a l y t i c o r managerial.
Once a review o r a n a l y s i s method i s a r t i c u l a t e d as a standard p r a c t i c e ,
two key questions a r e f a i r , and often revealing:
WHERE SHOULD YOU BE ?

Figure 9-1.
POSITIVE THEE
Recommendations after
GOI~ Powtier Explosion, 1966
I
supervisor s 1
I L metals) I
Literature
Search
& Review
Hazards
Evaluation
rElEquipment
Order,
liness
Proper
Disposal
Where Necessary, Or Analyze

Small Pilot Runs
Changes
\ '
\ - - - ---
4 - - - - - ----' 1
* Safe Operating Procedure

These questions a r e featured on w a l l c h a r t s prepared f o r t h e Aerojet trials--
p o s t e r s f o r s a f e t y engineers!
From asking these questions, a dictum evolved:
FOLLOW THE PROCESS
Following an a n a l y t i c process has s e a t e f f i c i e n c y and f l e x i b i l i t y . If

you know where you a r e i n a process, you can take o f f on excursions and s i d e
trips :
Seek s p e c i a l information,
Use opportunities t o l e a p ahead,
Try a s o l u t i o n ,
Go back and v e r i f y an e a r l y s t e p ,
O r , even t r y another method.
When you have f i n i s h e d t h e excursion you can always r e t u r n t o t h e process,
and know where you are.
.lo . SAFETY i EFFICIENCY AND PERFORMANCE ARE CONGRUOUS
A s e a r l y a s 1922, a study (American Engineering Council, 1928) showed t h a t

r i s i n g productivity was accompanied by decreasing accident r a t e s , and vice
versa. However, there i s no way of knowing whether t h i s was cause-and e f f e c t ,
o r arose from common causes.
More recently studies have associated low accident r a t e s with such perfor-
mance c r i t e r i a a s p r o f i t a b i l i t y or low scrap and rework costs, labor and shop
costs, etc., but t h e v a l i d i t y of the studies has been i n doubt.
A past president of the American Society of Safety Engineers, John V.
G r i m a l d i , has given considerable study t o the r o l e of management i n safety.
A paper which drew i n p a r t on B r i t i s h experience i s p a r t i c u l a r l y helpful (1965).
This includes the view:
"There i s good evidence t h a t a close relationship e x i s t s between manage-
ment effectiveness and safety performance. We find t h a t when management
operates i t s enterprise with t a u t controls, t h e measurable elements t h a t
contribute t o business success may be noticeably improved."
However, Rockwell (1959) reported t h a t high productivity was associated
with high unsafe a c t r a t i o s i n one study of a small number of workers.
Notwithstanding some proof, belief i n the congruity of safety and e f f i c i -
ency r e s t s primarily on inferences from management views, from considera-
t i o n of what hazard review reveals about other, non-safety causes of disruption,
o r malfunction, o r e r r o r , and from personal experiences and case histories.
The author's convictions go back t o wartime experiences on the atomic bomb
project, f o r which it was reported:
"The project's d i r e c t o r s were aware of the close relationship
between s a f e t y and efficiency, and there are many project s t o r i e s
graphically i l l u s t r a t i n g the f a c t t h a t a job s a f e l y done i s more
quickly and c e r t a i n l y done, " (~ohnson,1945. )
Successful business managers, i n policy and personal statements, have
s a i d , "Safety and e f f i c i e n t operation a r e one and the same thing."
Logical r e l a t i o n s between e r r o r s and accidents, as well as planning and

performance, support the idea t h a t safety and performance are two f a c e t s of
the same management process.
The hypothesis t h a t accidents a r e congruent with errors, and safety with
good management, may be key t o f'urther progress i n two ways: (1)shaping
development of safety procedures and methods, and (2) justifying additional
safety investments a t the design and development phase of the system. Safety
programs i n the best organizations may be approaching a point of diminishing
returns, unless the proof or conviction of c o l l a t e r a l performance benefits
i s usable.
The overall r o l e of larger energies i n building higher performance indi-
cates t h a t control i s needed t o a t t a i n performance. I f p a r a l l e l progressions
are shown:
Low Energy,
High Energy,
Loose Control,
i
Tight Control,
+
Lower Performance,
Higher Performance,
then an equivalent progression of amount of safety controls can be shown:
"No v i s i b l e analysis"
"Pre-Job Analysis" Review
"Job Safety Analysis" and
"Safe Operating Procedure" Independent
"Hazard Analysis Process" Review
Safety Analysis Report (AEC standards) f
Thus, the quantity and quality of analysis and safety control increases pro-
portionate t o the energy control and management needed f o r high performance.
(see Figure 10-12.
_
Three cases analyzed i n t h i s study are interesting:
---
A safety coordinator's review of a proposed experiment produced the
ke,-; suggestion t h a t an alternate, easier-to-control source of radiation be
used. 'Phis made possible the more rapid, trouble-free completion of
the research.
.. A piece of experimental equipment yielded invalid t e s t r e s u l t s f o r a
', long period because of an error-provocative design which f i n a l l y pro-
duced a serious accident.
Exprimental equipment destroyed by e l e c t r i c i t y showed, i n the opinion
, c
of the investigating board, a likelihood t h a t the research data which might
+
have been produced would have been invalid f o r reasons related t o the
accident.
Special e f f o r t s should be made t o compile extensive f i l e s of such cases t o
counteract the negative views of safety a l l too common i n s c i e n t i f i c c i r c l e s ,
and sometimes i n managerial c i r c l e s .
The Right W a x .
Injury and damage accidents can be viewed a s special classes i n the larger
family of mistakes.
Some years ago a staff group within NSC undertook t o define the steps i n
an accident prevention methodology i n a document which was ultimately captioned
-109 -
Figure 10-1. Performance Depends on Controlled Energy
Performance
-
"The Right. Way i s the Safe Way ." (~ohnson, 1962) .
A s the s t a f f document emerged, General George Stewart, who was then serv-
ing a s Executive Vice President of NSC, said, "That's it! That i s precisely
how we completed a winter exercise involving transportation of 20,000 m i l i t a r y
personnel t o the Arctic and s a f e l y returned them a t the end of maneuvers with-
out k i l l i n g anybody. "
A
The steps i n The R i & t Wav can be quickly enumerated (more d e t a i l i s avail-
able i n the reference o r from the National Safety Council):
1. Define your objective - s t a t e what you want t o do.
2. I d e n t i f y hazards - f o r example, read the instructions!
-
3 . Prepare a sound plan what can happen w i l l happen!
4. F i -
x who i s i n charge of planning, inspections,
t r a i n i n g , supervision?
- plants, roads, parks, e t c .
5 . Seek good f a c i l i t i e s
6. Use proper equipment - easy t o use safely and minimizing i n j u r y p o t e n t i a l .
7. Build knowledge and s k i l l - use training!
8. Supervise performance - firmly, s k i l l f i l l y , create adequate checks.
9. Learn from experience - study accident causes.
10. Evaluate progress - results count.
This methodology i s not simply an accident prevention methodology.: It i s
a systematic approach t o accomplishing anything! It should not then surprise
you t h a t accident prevention can be a very revealing measure of people,
(A duPont president, Lammott Copeland, s a i d a speech t o t h i s point wah the
,-"first a d u l t speech on safety" he 'd heard !)
One plant manager (also d u ~ o n t )has said t h a t accident prevention is h i s
shazpest and keenest t o o l i n developing an organization which can a t t a i n the
corporate objective and t h a t , aside from humanitarian o r cost considerations
d i r e c t l y associated with accidents, it i s impossible t o conceive of an e f f i c i e n t
p l a n t which is operated unsafely.
"Safety i n Action," the National Safety Council's basic policy statement
(1949) sums the matter very nicely:
Snfety in pori~ive. It is doing tl~ingrthe right, way.

It is intemt in the welfare of othera.
It i s a contribution to g o d living, to t00d gm.
ernment and respect for law nnd order, to efficient
prodnction, and to the well-being of em- individual.
ll, A SAFETY SYSTEM AS A GENERAt MANAGEMENT SYS'IXM
During t h e Aerojet t r i a l s , there have been several major conceptual
developments:
1. A basic model of a "Safety System Congruous with a High Performance
System" was substantially improved,
2. The basic model of the safety system was developed t o show congruity
with t y p i c a l general management methods.
3 . The general management methods of J u a n ( 1 g 4 ) and Kepner-Tregoe (1965 )
were shown t o be very helpful, not only i n accident investigation and
monitoring, but a l s o i n various other phases of the safety process,
such a s hazard analysis or implementation.
4. Certain incidents a t Aerojet were a s much escapes from management con-
t r o l a s safety engineering problems.
5. It seemed t h a t clearer, articulated concepts of tested management
methods, and more frequent common use of such methods, might have
beneficial r e s u l t s i n the organization a s a whole, a s well a s f o r safety.
Thus, the model f o r the general safety system and i t s supporting models
of general management practices seem t o hold great promise f o r upgrading safety
7
work i n a manner congruous with genera1 management, and the p r i o r lack of such
models seems f'undamental t o insight and understanding of safety and other prob-
lems. The r e l a t i o n s of the safety organization t o the remainder of the organi-
zation could be much improved by common understanding and use of good management
methods.
The e a r l y stages of t h i s study included a modest search f o r models of pro-
ductive processes t o which safety models might be affixed. The sear&-m-s
largely unsuccessful - there a r e seemingly few such models. An exception was
,
Thurston' s "Concept of a Production System" ( 1963 a three-dimensional model
of a flow process; however, t h i s promising model did not appear as a general
model of a safety process - i t e r a t i v e cycles based on feedback were absent.
It i s t o be hoped t h a t a search f o r general models of production systems w i l l
be continued and t h a t safety can be shown a s an aspect of such a system models.
The approach which evolved was primarily based on aerospace system and
safety concepts, modified so a s t o be relatable t o an on-going organization,
r a t h e r than, o r i n addition to, a specific project.
System Concepts.
"A system i s an orderly arrangement of components which are
interrelated and which a c t and i n t e r a c t t o perform some task
or function i n a particular environment ." (Recht, 1965.)
Systems have purpose -
they are mission, task or performance oriented. But
there are always constraints of budget, schedule, performance, and l e g a l and
s o c i a l pressures o r values.
Systems are kept i n a dynamic s t a t e of equilibrium by means of feedback
loops of information and control - devices as old a s the earth, but re-invented
by man f o r modern technological purposes.Methods of managerial control of
enterprises are predicated on design and use of feedback loops f o r a l l essen-
t i a l aspects of the organization.
( ~ u r a n ,1964) Thus, systems are t i e d to-
gether with communications networks.
Safety is, then, a management subsystem i n an organization and can be
visualized and described a s (1) a hazard analysis process, (2) with feedback
loops i n organization operations t o provide managemnt with information on
hazard reduction, and (3) feedback loops t o inform managemnt a s t o deviations
from performance goals.
(1f a reader has d i f f i c u l t y using system ideas, he may wish
t o review Appendix B, "A Few Useful System Concepts" before
proceeding. )
Accidents occur when systems deviate from plans. Failures, errors, and
degradations i n performance are similar unwanted deviations. When a part of
a system i s altered or f a i l s , the system changes, and may then produce an
accident.
Why a r e we interested i n systems notions about occupational safety?
Because, i f safety i s a subsystem f n a larger system, it behooves us t o under-
stand t h e larger system, and t o construct a safety subsystem which i s a t l e a s t
consistent, hopefully i s congruous* and mutually reinforcing, and ideally,
helps the l a r g e r system accomplish i t s goals.
A good safety process holds great potential f o r helping an organization
reduce a l l manner of errors, malfunctions, deviations and failures. If t h i s
potential i s t o be seen, and used t o support t h e safety process, t h a t process
must be v i s i b l y presented a s a program congruous with management f o r high
performance.
Safety professionals commonly complain t h a t management or supervision or
employees are not "sold on safety." This may reveal more about safety profes-
sionals and t h e i r program ideas than it does about the others! Top managers,
on the other hand, complain t h a t safety professionals do not understand organi-
zational goals, and typically are not promotable upward i n the organization.
If a safety professional operates without useful concepts of how h i s
safety system correlates with a larger system, h i s effectiveness i s greatly
inhibited, h i s many opportunities for developing h i s management s k i l l s may be
largely wasted, h i s diagnostic s k i l l s may not be used t o solve general problems,
* Congruous: "being i n agreement, harmony o r correspondence; suitable,

appropriate .I1 ( ~ e b s t e)r
and h i s u l t i m a t e promotability has been found t o be impaired.
Further, t h e r e a r e ample reasons f o r believing t h a t systems approaches
hold many answers t o t h e problems of improving s a f e t y programs and t h e r e l a -
t i o n s between s a f e t y and t h e o t h e r functions i n an organization.
A S a f e t y System as a Management System.

A t its simplest l e v e l , a s a f e t y system (perhaps S a f e t y Management System
i s . a b e t t e r term) can be shown t o have but s i x elements:
SAFETY SYSTEM
Congruous with Gool-Oriented, High- Performance System
-
=
-1
Managemant
Decisions
-------
A
Participation 8
Work Flow Performance
0
0
Information
>' .'> fi ' Low
,4+.cu, - -.iLr- C L - t c
Such a s i m p l i f i c a t i o n has possible advantages i n summarizing a l l t h e com-

plex d e t a i l of MORT, as well as emphasizing s a f e t y support f o r management goals.
( ~ o t et h a t t h e above items are t h e t i t l e s of P a r t s i n t h i s MORT t e x t , and there-
f o r e t h e model shows how t h e p a r t s i n t e r r e l a t e . )
The general schematic ( ~ i g u r e11-2) presents i n more d e t a i l t h e major e l e -
ments i n t h i s same s a f e t y system c o ~ o u with
s a goal-oriented, high perfor-
mance system :
A MANAGEMENT DECISION PROCESS
Utilizes: Objectives, Requirements, Resources, and Constraints
t o establish: Goals
and develop: P o l i c i e s , Organization, Plans, and Implementation
a repertory of: Management Methods
requires: Evaluation of Planned Changes
WORK FLOW PROCESSES (many)
U t i l i z e : Supervision, Things, People and Procedures
.
Derived from "Upstream Processes" (e g. , design, construction, t r a i n i n g )
Figure l l - 2
DYNAMIC SAFETY SYSTEM

Congruous with Goal- Oriented, High Performance System
MANAGEMENT DECISION PROCESSES
GOALS
-\
--.
Reduced
Risk
04-\
/ \ \-----
a- I---
Participation
Feedback
Reward RISK
- 115 -
-
p%RFQRMANCE i s the output, but with Risk.
Deviations (accidents, errors, malfunctions) degrade performance, produce
Waste
-9
because the System Fails.

-
Goals are used t o measure Performance.
On t h i s basic work system, we superimpose the subsystem components which
we need for safety and for general performance:
Monitoring detects deviations from plans;
The Information component has three principal outputs:
measure Goal Attainment (level of excellence)
indicate Fix Needs (which become Planned Changes)
indicate Methods for fixes.
Planned Chanms
are put through a Hazard Analysis Process.
Results receive Evaluation,
-
and revised Plans are Implemented.
The ultimate results should be Reduced Risk.
Participation, Feedback, Rewards (and Penalties? )
are necessary t o Build Performance.
- -
The safety subsystem i s thus a dynamic feedback control modification
sequence, and an i t e r a t i v e process which can improve, improve, improve!
Naturally, the model i s l e s s complex than real-life activities. For
example, there are many fix cycles not shown: the employee receives a signal
and corrects a deviation, the supervisor does t h i s hour by hour continuously,
and the "upstream processes" are continuously observing t h e i r output (we hope)
and making adjustments and improvements.
-
A practical application of the Safety System schematic t o recent overhead
crane safety a c t i v i t i e s a t Aerojet i s represented by E h i b i t 1.
The exhibit shows how some real-life a c t i v i t i e s a t Aerojet follow a pattern
similar t o the model schematic.
Ageneral safety system operates through i t e r a t i v e cycles t o produce higher
and higher degrees of safety. The past system operations are projected i n t o a
likely need for a high-level, national study and follow-up t o secure the perfor-
mance characteristics desired - for example,
overhead cranes have acute need for
highly skilled, professional human factors review.
Management Methods are the l a t e s t added ingredient i n the schematic, Figure 11L2.
I t i s the purpose of a subsequent discussion i n t h i s chapter t o show that typi-
c a l good management methods are also i t e r a t i v e cycles u s e m i n safety analysis
and planning, as well as i n general management.
Examples of the operation of the "dynamic s a f e t y system" may be helpful.
I n another i l l u s t r a t i o n (~ig'ure11-3):
(1) A c r i t i c a l incident study* was made, one 'of the many monitoring plans.
The analyst then processed the information i n three ways (numbers keyed t o Figure below)
(2) He grouped r e l a t e d cases which, from h i s experience, might c u d a t e
i n more serious sequences and forwarded them t o management a s indicated
needs f o r f i x e s o r Planned Changes.
(3) He reproduced a l l cases i n bound books f o r branch management review.
(6) He made a key word index so, f o r example, a project engineer could c a l l
out the things and features of a new project and f i n d out what previous
troubles suggested f i x methods.
Fix needs (4) go through Hazard Analysis (5) with information search (6).
Results a r e evaluated and implemented (7) i n the work process (8).
Figure llm.3. Operation of the Safety System f o r a Study
I Implementation 1 (7)
.I
Fix Needs (4)
1' ( 5 ) (new
I
Hazard
Analysis
project)
1
L C r i t i c a l Incident Study
I
J
1
! I
4 f
I t
Analyst screens f o r
groups most serious
1
I 1
Entire case book t o
Branch Manager
I
Similar handling i s i n e f f e c t f o r a l l formal and informal incident reporting

plans.
A Repertory of General Management Methods.
Good management methods a r e ways of a t t a i n i n g goals and, a s such, can be
used a t a l l l e v e l s of an organization, and i n personal a s well a s organization
* called RSO, f o r "Recorded Significant Observation" a t Aerojet because i n

r e a c t o r terminology they a r e neither " c r i t i c a l " nor. "incidents." They a r e
just what the name implies, observations collected f o r formal study, .
activities. Greater proficiency i n managing human a f f a i r s is sorely needed
i n our society, and a proper c o l l a t e r a l objective of the s a f e t y system can be
t o increase s k i l l s i n a t t a i n i n g goals.
A repertory of tested management practices, r a t h e r than a simplistic
approach, seems best calculated t o meet the complex and varied needs of safety,
judging from experience before and during t h i s study. The safety professional
can use good management methods t o improve h i s s k i l l s and work, and h i s manage-
ment can help him t o grow.
A t the same time, and because accidents are a harsh and certain t e s t of
management systems, a s a f e t y system e f f o r t may help management people t o grow.
A recent serious accident was an escape from management controls, a s well as
an engineering fiasco. (see Figure 5-1)
From among the r a t h e r vast array of management protocols and d i c t a avail-
able f o r possible use, s i x were chosen f o r (1) t h e i r apparent relevance t o the
s a f e t y problem, and/or ( 2 ) present use by Aerojet, These s i x , by t h e i r nature
embrace several other theories o r practices. Also, these s i x seem t o be
adequate f o r a more detailed exposition of management methods, c r i t e r i a and
analysis i n the MORT approach t o cause analysis.
The six general management approaches, with b r i e f reasons f o r selection, are:
For reasons of excellence and apparent usefulness f o r safety:
1. Juran
a. Control t o existing standards,
b. Breakthrough t o new higher standards,
c. H i s disposition of t r a d i t i o n a l or conventional approaches.
2. Kepner-Tregoe
a. Problem Analysis Worksheet as:
(1) Accident investigation t o o l
(2) P o t e n t i a l problem analysis t o o l
b. Action Sequence r e l a t e d t o problems; t h i s because it w e l l repre-
sents what a hazard analysis process ought t o be. If read i n
an accident context, it sounds l i k e the outline of a Safety
Analysis Report!
3. Error Reduction (~mprovingHuman ~erformance):
a. Concepts described i n MORT
b. Concepts used by Sandia, and presumably r e f l e c t i n g AEC policy i n the
weapons area (e.g., Swain, 1972).
c. Setting the stage f o r several u s e f u l concepts including:
(1)Correcting error-provocative situations
(2) Management e r r o r s mirror higher management service
deficiencies.
. --- -
For reasons of l o c a l use:
4. Aeroj e t t s Management by Objectives Program
The reference l i t e r a t u r e supplied supervisors comprehends Drucker ' s
Managemnt by Objectives (1964) ; however, there are changes, semantic
and other, which may d i f f e r from Drucker. Also, the Aerojet l i t e r a -
t u r e supplied includes ;
5 . G. E. ' s Approach (incorporated i n Aerojet s material under the t i t l e ,
"The Professional Manager a t Aerojet Nuclear company.")
6. A "Traditional Approach" - delegate, hold accountable, and reward o r
penalize. This approach includes the very usef'ul concept t h a t "the
mark of a good manager i s f a s t action a t the trouble spots."
It i s probably not a s important which p a r t i c u l a r s e t of management concepts
i s a r t i c u l a t e d and used, a s t h a t some good s e t be c l e a r l y and e x p l i c i t l y chosen
and used. Only i f some reasonably firm platform of doctrine i s well known i n an
organization does it seem possible : (1)t o hold personnel t o any standard of
analysis, o r (2) t o judge t h e value of any standard of judgment and practice.
The purpose of the following material i s not a t a l l a f u l l exposition ( f o r
t h i s see the relevant t e x t s ) . Rather, what i s intended i s a platform from which
t o launch a study and subsequent use of a selection of management methods p a r t i -
c u l a r l y relevant t o safety.
1. Juran
a. J u r a n t s control cycle i s succintly pictured i n t h i s figure:
Figure ll- . J u r a n t s Feedback f o r Control of Anything
SUBJECT
IT MEASURES I T RECORDS
PERFORMANCE PERFORMANCE
II
VARIABLES
AFFECTING
PERFORMANCE THE EFFECTORS
\ I
-
C-
c
I T COMPARES
A C T l r A i WITH
DLSIRLD
PERFORMANCE
- -
(~eproducedby permission)
This simple schematic on control, a function considered important i n
every organization, i s l a r g e l y unknown t o the personnel (except R & a),
nor do personnel a r t i c u l a t e a useful s u b s t i t u t e concept. It has been d i f f i -
c u l t t o understand how people can effectively cooperate and communicate on
a day-to-day basis and on a basic subject without a common frame of reference.
It may be t h a t some aspects of the cooperative relationship, as well as the
underlying control imperfections, stem i n part from vague, unarticulated
concepts o f the process of control.
Juran (1964) provides a wealth of experience i n the design of each element
i n the control cycle.
b. Juran goes on t o a r t i c u l a t e the differences between Control and Break-
through t o new, higher l e v e l s of performance:
Figure 11-5. Juranss Managerial Breakthrough
Policy Making
S e t t i n g Objectives
OBJECTNES FOR CONTROL OBJE%TIVESFOR BHEAKTHROUGH

Unit of measure Breakthrough i n . a t t i t u d e s
Standard Use of Pareto principle
Sensor Organizing f o r breakthrough
Measuring performance i n knowledge
Interpretation of r e s u l t s Creation of "steering arm('

Decision making Creation of "diagnostic arm"
Action Diagnosis
Breakthrough i n c u l t u r a l pattern
Transition t o the new l e v e l
"The d r a s t i c differences exhibited by these two sequences make it
evident t h a t when we t a l k of a single sequence f o r managerial action,
we a r e s t r a i n i n g our c l a s s i f i c a t i o n beyond the e l a s t i c l i m i t . To be
sure, whether we a r e creating o r preventing change, we must organize,
select, t r a i n , motivate, etc. But the organization forms are d r a s t i -
c a l l y d i f f e r e n t . The motivations a r e d r a s t i c a l l y d i f f e r e n t . And so
on. Such differences should be brought out i n the open, r a t h e r than
be obscured by a common label.'' (~eproducedby permission)
We have endeavored t o consciously u t i l i z e J u r a n f s notions of "Breakthrough"
i n t h e MORT T r i a l s a t Aerojet, and they seem t o work.
To i n t e r - r e l a t e h i s two processes, we used the following figure:
Figure U-6.
JURAN
Breakthrough
F
Subject* Sensor Attitudes
r' 1 Steering
Correct- Compare
\ Transition-
I
I +
Breakthrough
I .
I
I Cultural
---
L ~ atern
t
I n order t o see the r e l a t i o n of the preceding figures t o the Safety System

(as postulated i n Figures 11-1and ll-2) it i s merely necessary t o visualize the
MORT Hazard Analysis Process as an adjunct process a t the following points:
- i n actions of Comparator and Effectors
1. J u a n ' s Control cycle
2. Jurants Breakthrough cycle - i n Diagnosis
Juran's t e x t contains useful materials on e r r o r reduction and training.
Since he has an extremely complete base i n general management experience and
s c i e n t i f i c study, his findings and observations w e extremely helpful i n
r e l a t i n g important f a c e t s of the safety problem t o common marrtgenent b e l i e f s
and practices.
2. Kepner-Tregoe ' s "Rational Manager"
A managerial system useful f o r safety purposes has been developed by Kepner

and Tregoe (1965) . The system, originally developed by R a n d Corporation f o r the
Air Force, but now widely used i n U. S. corporations, i s particularly appropri-
a t e f o r a safety system i n both language and logic - e.g., probable cause, mini-
urum t h r e a t , problem probability and seriousness, preventive action, t r i g g e r
contingent action.
The K-T Action Sequence (shown i n d e t a i l i n t h e i r t e x t ) can, a s with Juran,
a l s o be seen a s a simplified i t e r a t i v e cycle. Simplified, it can be superimposed
on the basic s a f e t y system schematic ( ~ i 11-2)
~ e f o r comparison purposes.
Figure ll-7.
KEPNER - TREGOE
Decision -Choose
I
Analysis
1
Problem
Analysis
Potential
Problem
Analysis
L\
Problems
C
Execute
Measure
A s with the Juran o r other methods, t h e beauty of such a simple connection

with the s a f e t y system is i n ease of a s s i m i l a t i o n and growth. One p i c t u r e of
a s a f e t y process can be seen, f i r s t , i n t h e simple functional flow of Figure 11-71
a second l e v e l of understanding can be gleaned from the Action Sequence and
o t h e r elements of t h e i r book; a t h i r d l e v e l of proficiency can be a t t a i n e d by
taking t h e K-T course (preferably t h e l a t t e r ) ; and ultimate gmwth can come
from use of the system, e s p e c i a l l y i n an organization which a l s o uses it widely
f o r general management.
The s a f e t y professional, whose problems of professional growth a r e so
widely discussed, would indeed be f o r t u n a t e i f his organization i s one of
those making intensive use of K-T methods. Many such organizations already
have excellent safety programs, and t h e s a f e t y professional would have a golden
opportunity t o e n l i s t h i s a s s o c i a t e s i n an organizational e f f o r t t o improve s a f e t y
by more f u l l y u t i l i z i n g modern management methods. Opportunities f o r dialogue
are always extremely valuable i n a s s i m i l a t i n g new methods.
Examples of t h e relevance of K-T methods f o r accident a n a l y s i s were given
i n Chapter 5, The Role of Change i n Accidents.
Kepner-Tregoe p a r t i c u l a r l y s t r e s s t h e quantified a n a l y s i s of a l t e r n a t i v e
s o l u t i o n s t o problems. (understandably they do not d e a l i n s p e c i f i c s of
p r o b a b i l i t i e s and consequences of energy r e l e a s e , as must be done i n safety. )
or broader problems o r f o r value aspects of problems, t h e i r methods
prove very useful. Consequently, an example i s shown as Appendix C , using
-122 -
t h e problem: How Can We S u b s t a n t i a l l y Improve Excellent S a f e t y bograms i n t h e
next Five Years?
***
I n general, t h e Juran and Kepner-Tregoe techniques seem t o have more
value f o r s a f e t y than any other management packages.
Since both management approaches have been used extensively i n t h e
trials a t Aerojet, as well as elsewhere, t o gain i n s i g h t i n t o methods
of improving s a f e t y , it may be f a i r t o o f f e r some comparative observations,
The i n t e n t of t h e cornprisons i s t o s t r e s s the point t h a t a r e p e r t o r y of
management methods i s needed i n safety.
Figure 11-8
Comparisons of Three Management Methods
Aspect S a f e t y System Juran Kepner-Tre~oe

Direct relevance Primary Good, but Excellent on Manage-
t o safety Objective Indi r e c t ment methods
Emphasis on Primary, but Good Excellent on methods
analysis covers numerous
details
Ehphasis on Complexity Primary Good
control r e q u i s~ complex (leading t e x t )
monitoring
Emphasis on High Intended t o be a Special Break- Selection of b e s t
Perfo rmanc e continuous through Goals alternatives
process
Emphasis on Strong Good as t o Weak
participation Breakthrough
& acceptance
Direct relevance Remains t o be Primary Primary, a t i g h t
t o general proven Broad base i n system
management management l i t e r -
ature
3 . " I m ~ r o v i zHuman Performance"

MORT a r t i c u l a t e s many error-reduction concepts a s evident i n t h e l i t e r a t u r e ,
but perhaps imperfectly s t a t e s o r synthesizes t h e concepts. (see ~ndex.)
S a n d i a t s a p p l i c a t i o n of such concepts t o t h e weapon s a f e t y program would
seem t o be t h e h i g h e s t development of t h e " s t a t e of t h e a r t , " and by t h e i r
p r a c t i c e and existence seem t o represent an AEC policy, but not p r e s e n t l y s t a t e d
a s applicable t o r e a c t o r s and o t h e r work.
E r r o r reduction concepts do an e x c e l l e n t job of s t a g e - s e t t i n g f o r f u r t h e r
s p e c i f i c a t i o n of t h e management c r i t e r i a and a n a l y s i s seemingly most usef'ul f o r
- 123 -
greater safety achievement. Specifically, these are a t l e a s t six:
1. Errors are an inevitable (rate-measurable) concomaitant of doing work
or anything.
2. Situations may be error-provocative - changing the s i t u a t i o n w i l l l i k e l y
do more than elocution o r discipline.
3. Many e r r o r definitions are "forensic" (which i s debatable, imprecise, and
ineffective) rather than precise.
4. Errors a t one l e v e l mirror service deficiencies a t a higher Level.
5 People mirror t h e i r bosses - i f managenent problems are solved i n t u i t i v e l y ,
or i f chance i s r e l i e d on f o r non-accident records, long-term success i s
unlikely.
6 . Conventional methods of documenting organizational procedures ( e i t h e r AEC
o r ~ e r o j e t )seem t o be somewhat e r r o r provocative.
I n the e a r l i e r stages of the MORT T r i a l s a t Aerojet, a memorandum, "Accep-
tance of Proceduralized Systems," was created. The material i s incorporated i n
t h i s text.
The Aerojet management material (MBO) contains the McGregorfs Theory X and 'Y
assumptions about people - Traditional and Potential.But t h e relationship of
these assumptions t o personnel, acceptance and e r r o r reduction practices i s f a r
from clear, and the f a c t t h a t the pendulum i s apparently swinging toward a mid-
point i n general managemnt practice i s not noted.
Figure ll-9 .
lM PROVING HUMAN PERFORMANCE

( Error Reduction)
~ r r o ; Rate
/ Reductions
Measure
[ ~ a s e don Swain IAEC - Sandia )and others]
More recently a monograph by Alan Swain of the Sandia human r e l i a b i l i t y
s t a f f was received: "Improving Human Performance .I1 (1972) This l a t t e r i s a
b e t t e r statement of the case than MORT. Additional copies were obtained f o r
study and possible policy revision i n the AEC-Aerojet context.
What i s suggested i s t h a t any organization review such l i t e r a t u r e , modify
suggested precepts a s may be warranted, and i s s u e more u s e f u l guidelines a s t o
t h e p o l i c i e s and practices which top management believes could improve human
~ e rormance
f .
Such policy must, of course, be supported by at l e a s t minimal s t a f f com-
petencies i n human f a c t o r s work, preferably so u t i l i z e d a s t o have organiza-
tTon-wide impact.
It i s believed t h a t such an action would l i k e l y have important e f f e c t s on
performance, and r e l a t e d aspects a s well as:
1. A negative philosophy and practice: "Who i s t o blame?" and "What should
the penalties be?" These tendencies have adverse e f f e c t s on morale and
performance, and i n h i b i t study of t h e underlying causes of malfunctions.
2. A negative, unrewazding method - that is, a suspension o r f i r i n g ,
usually r e s u l t s i n picking another apple out of the same barrel. The
hope f o r b e t t e r r e s u l t s i s probably forlorn, unless the s i t u a t i o n i s
changed.
3. The sometimes poor cooperative relationship between various l e v e l s of
an organization i n a t t a i n i n g common goals.
The need t o r a i s e such questions a r i s e s out of the study of safety, and
how safety may be improved, but the general management implications a r e d i f f i -
c u l t t o sidestep.
Special aspects of improving human performance a r e discussed i n Chapter 26,

Human Factors Review; Chapter 32, Procedures; Chapter 35, Motivation; and
elsewhere. The intention a t t h i s juncture i s t o emphasize the policy issue.
4. Professional Manager
This process, widely used and highly successful i n General E l e c t r i c and other
organizations, and used a t Aerojet, can be succinctly shown i n a simple schematic
i n Figure 11-10.
The method i s described i n nine pages of u s e f u l d e t a i l i n Aerojetts

"Managing by Objectives - Data f o r Supervisors and Foremen," August 13, 1971.
This method, while good and useful, i s be1ieve.d t o be l e s s e x p l i c i t and
u s e f u l f o r safety than t h e three foregoing methods.
F i m r e 11-10,
THE PROFESSIONAL MANAGER
Tarrants (1972) discussed t h i s approach. He presents a schematic, "An

I n d u s t r i a l Accident Prevention Communications and Control System," which shows
u s e f u l d e t a i l on constraints &nd pressures, but r e l a t e s safety t o d i r e c t finan-
c i a l l o s s r a t h e r than general performance.
5 . A e r o j e t t s "Management by Objectives"
The reference on MBO immediately above contains much u s e f u l material. The
p r i n c i p a l suggestion f o r increasing the usqf'ulness of t h i s program i s t o augment
it with one o r more of the Fully-rounded, problem-solving and i t e r a t i v e processes
previously described.
Figure ll-11.
MANAGEMENT BY OBJECTIVES
Mission ----t Goal -Objectives
I
6.- "Traditional Approaches"

These approaches, with i n c i s i v e action by an aggressive manager, were
used by e a r l i e r contractors a t NRTS, and a r e often mentioned by long-service
personnel who found t h a t the aggressive, safety-minded manager d i d , i n f a c t ,
take f a s t action at t h e trouble spots.
I n general, t h e t r a d i t i o n a l delegation of r e s p o n s i b i l i t y , a u t h o r i t y and
resources i s t h e main stem of AEC-contractor r e l a t i o n s h i p s , and should remain
so. However, wea;knesses, a s w e l l a s strengths, should be recognized. A f u l l
r e p e r t o r y of management methods should o f f s e t such weaknesses as:
1. L i t t l e guidance, analysis and f u t u r e correction, OR
2. Overly s p e c i f i c guidance on d e t a i l s , which i n t u r n i n h i b i t s broad, funda-
mental corrective changes and i n i t i a t i v e .
3. I n a period of limited rewards (due t o c o n s t r a i n t s ) , t h e penalty option
of t r a d i t i o n a l approaches may be over-used and be unproductive.
4. There a r e unfortunate tendencies t o "cover up" and "cover your number",
n e i t h e r of which does much f o r longer-term progress.
Two common t r a d i t i o n a l approaches a r e shown i n t h e f i g u r e below:
Figure U-12.
Policy Ma king I
Setting Objectives I Delegate
Planning to Meet Objectives Reward
I
Organizing to Execute the Plan
Selection and Training for
Manning the Organization
Motivation of the People
I
II
I
)-#.A Accountable
Appraising the Results I Penalize
A finding of t h i s study (discussed pages 193-95) t h a t Aerojet's well-

intended procedural documentation (and perhaps t h a t of AEC) produces signi-
f i c a n t functional inadequacies must probably be considered i n weighing the
ways i n which t r a d i t i o n a l approaches should be modified o r augmented. There
c e r t a i n l y i s no b a s i s f o r believing t h e t r a d i t i o n a l approaches could produce
an order-of-magnitude improvement, e i t h e r f o r s a f e t y o r f o r other goals. The
essence of an improved d i r e c t i v e format i s presented i n Figure 11-13.
Relating Management Methods t o t h e Safety System.
The elements of t h e various management approaches discussed can be por-
trayed as a generalized c y c l i c p r o c e s s , . a performance cycle, comparable with
t h e basic schematics of t h e s a f e t y system.
I n i t i a t i o n of an i t e r a t i v e cycle of improvement i s portrayed i n Figure 11-14.
This figure has already shown i t s e l f t o be a useful p i c t u r e f o r professionals
Figure 11-13.-
-I
GOOD PROCEDURES
,I. Functions :
s D 0
2. Steps to fulfill each Function
3. Criteria to Know When the Job is Well Donel
planning a s a f e t y program improvement.
Figure ll-14.
PERFORMANCE CYCLE
A REPERTORY OF MANAGEMENT METHODS USEFUL FOR SAFETY
I n order t o show the congruence of t h e general management methods

described and t h e general s a f e t y system, t h e models thereof have been con-
densed i n t o Figure 11-15, The c y c l i c , i t e r a t i v e character of a l l t h e methods
should be c l e a r , as should t h e i r general correspondence. The elements i n
Figure ll-15 a r e used i n w a l l c h a r t s a t Aerojet, a s reminders of t h e
relevance of management methods i n both problem solving and accident
investigation.
A d i f f e r e n t approach t o i n t e r r e l a t i n g management and s a f e t y systems i s
suggested by Peterson (1972). He uses a "managerial grid" t o diagnose and
describe management s t y l e s , and counsels adjustment of t h e s a f e t y system t o
t h e e x i s t i n g management s t y l e . This may be wise as an adjustment, but does
Figure 11-16. A Repertory of MANAGEMENT METHODS relevant t o the Safety System
SAFETY SYSTEM --- Congruous with Goal-Oriented, High- Performance System 7
A Repertory of Management
Participotion 8
I "I'
Performance
Methods Useful in the Sofety System
I
I
PERFORMANCE CYCLE
Decision
IMPROVING HUMAN PERFORMANCE

-
JURAN KEPNER - TREGOE (Error Reduction)
Breakthrough Decision -Choose Ph~losophy,
Analysis Assistance
7-
~ubject&ensor
i srry
Aiitudes
Proctice
I Si tuotion
THE PROFESSIONAL MANAGER
Problem
Correct- Compare Anolysis
I Dioqnosir
t I I
Transition-
i t
Weakthrough
Problems
I
Execute
I ~ r r o rRote
'
1 Cultural /
' /Reductions
1 Pattern Measure Measure
MANAGEMENT BY OBJECTIVES GOOD PROCEDURES
Mission- Gwl-Objectives Policy Moking Delegote

I Setting Objectives Reword
t
Comittment
Planning to Meet Objectives
Organizing to Execute the Plan
I
Selection and Training for H
-)!o. Accountable
Manning the Organization
2. Steps .to fulfill each Function
Motivation of the People
Penalize
Meosure Appraising the Results 3. Criteria to Know When the Jobis Well Done.
not seem t o be a route whereby s a f e t y can enhance and supplement managerial
methods improvement.
Uses of Safety Systems.

The presumed value of the Safety System Figures (11-1and 11-2) l i e s i n
provision of a conceptual framework f o r s a f e t y performance measurement and
accident a n a l y s i s i n order t o answer questions, such as,
1. What axe t h e e f f e c t s of c o n s t r a i n t s on (a) t h e adequacy of knowledge,
(b) t h e q u a l i t y of t h e hazard a n a l y s i s process, and ( c ) p r a c t i c a l i t y
of a l t e r n a t i v e countermeasures?
2 . Were planned changes subjected t o a hazard a n a l y s i s process? If so,
was t h e process inadequate? Or, w a s t h e f a i l u r e i n execution of t h e
hazard reduction measures? Or, were a d d i t i o n a l countermeasures r e -
jected on p r a c t i c a l grounds? O r , was there pure oversight?
3 . Do monitoring systems give management adequate assurance t h a t t h e sys-
tem i s operating according t o plan? And that plans a r e adequate?
Four key f a c t o r s a f f e c t i n g s a f e t y and other functions i n an organization
a r e : technological, human, organizational and s o c i a l inputs ( ~ e i l e,r 1967).
Accidents a r e systemic r e s u l t s of t h e f o u r f a c t o r s . I n t h e Safety System t h e
first t h r e e f a c t o r s can be seen - t h e f o u r t h , s o c i a l f a c t o r s within t h e sys-
tem, has been t r e a t e d as an aspect of t h e human f a c t o r , t o be affected by, and
a l s o a f f e c t i n g t h e p a r t i c i p a t i v e aspect of t h e system.
The system approach t o safety is, first a method of thinking which f o r c e s
one t o understand and describe a process; such descriptions help g u d against
oversights and weaknesses, and a l s o s e t t h e stage f o r monitoring t h e process.
The system approach provides a l o g i c a l way t o determine where a s a f e t y problem
i s i n t h e hazard reduction process, o r where a problem slipped through t h e
p r i o r hazard reduction process.
The system approach requires q u a n t i f i c a t i o n of information on t h e feedback
loops. Fortunate t o our present purpose of q u a n t i f i c a t i o n (given t h e dearth of
s a f e t y research), i s t h e view of system s a f e t y engineers t h a t "order of magni-
tude" estimates (of f o r c e s o r f a i l u r e s ) w i l l s u f f i c e i n t h e i n i t i a l stages of
analysis. And we s h a l l be hard put t o come up with even "order of magnitude"
estimates f o r some elements of t h e system.
The system approach i s e s s e n t i a l l y a performance-oriented synthesis of
"what i s known o r believed, forced upon us a t a p a r t i c u l a r s t a t e of knowledge.
A s such it then becomes a method of i d e n t i f y i n g gaps o r r a i s i n g questions f o r
study, p a r t i c u l a r l y i n t e r f a c e s o r i n t e r a c t i o n s a t a point i n time. Further, by
providing a context within which a m u l t i p l i c i t y of v a r i a b l e s can be considered
simultaneously, t h e system concept a i d s i n research.
However, Churchman (1970) constructed a hierarchy of measurements which he
thought was relevant t o safety with suggestive measures" (i.e., accident r a t e s )
a t one end of a spectrum which included "predictive, decisive and systemic
measures." With regard t o decisive measures., he said:
1. "Decisive information systems ... model the user within a bounded system.
2. "They recognize t h a t safety by i t s e l f i s only p a r t of the picture; reducing
...
accidents or accident p o t e n t i a l must be coupled with other objectives,
e.g., production ... The coupling consists of finding a common dimension.
3 . "Rarely expressed a s an index ( o r r a t e o r percentage),
4. " I n t h e decisive mode one cannot r e a l l y speak of safety a s such a s a sep-
a r a t e and i d e n t i f i a b l e aspect of a system. Instead we have t o think of
safety a s an inseparable element of a more comprehensive measure."
This seems t o imply t h a t non-safety measurements (e .g ., production) would
be used with safety measurements i n evaluating a feature of a safety program.
O f course such a measurement principle i s f u l l y consistent with the earlier-quoted
policy statements of corporations - e.g., "production with safety" and "safety
and production a r e one and t h e same thing. They cannot be separated."
Churchman says the concept of systemic measures, a s applied t o safety, may
be more than a decade away, but some of h i s points are valuable:
1. "The systemic information system i s interested i n the next higher level."
2. An example might be: "reduction i n accidents i n the factory i s the t h i r d
most important project of the system."
3 . The ambition i s "information about the whole system."
4. "The aim ... i s t o keep controversy alive, t o use action a s experiment, t o
create problems whose study w i l l increase scope of understanding."
5. It c o l l e c t s "rudiments of information ... but it never regards these
rudiments a s givens .I1
6. I f the rudiments d i f f e r significantly, "the system t r i e s t o a l t e r o r
enrich i t s model of reality." "Part of the control strategy of the
system i s t h e selection of those 'aspects of r e a l i t y t which provide it
with the best measure of i t s progress."
7. The system i s "eternally restless."
12. GENERAL SAFETY PROGRAM THESES
The general theses of a s a f e t y program based on t h e concepts thus far d i s -

cussed can be s t a t e d as follows:
I. A superlative s a f e t y system must e s t a b l i s h control over the r i s k s of
a c t u a l and p o t e n t i a l sequences of change, e r r o r and energy t r a n s f e r
which can cause i n j u r y , damage o r l o s s .
A. The control of energy with b a r r i e r s t o harmful, unwanted energy
t r a n s f e r i s t h e basic aim of t h e s a f e t y system.
B. Safe t a s k performance by employees -- managerial, t e c h n i c a l and
professional, c r a f t and operative -- r e q u i r e s correction of e r r o r -
provocative work s i t u a t i o n s . Safety-prone s i t u a t i o n s assist each
employee t o avoid hazardous e r r o r by adequate t a s k d e f i n i t i o n and
design of work t o f i t t h e people.
C, Monitoring t o d e t e c t unplanned change, and a n a l y s i s and counter-
change f o r a l l s i g n i f i c a n t changes a r e needed f o r timely protection.
D. Impending o r a c t u a l emergencies r e q u i r e expeditious i n t e r r u p t i o n
of harmful sequences t o prevent accidents, and r a p i d , e f f e c t i v e
atnelioration of accident r e s u l t s when they do occur.
11. The s a f e t y system draws on t h e b e s t knowledge and p r a c t i c e t o c r e a t e

v i s i b l e , d i s c i p l i n e d methods t o i d e n t i f y hazards and design adequate
c o n t r o l s , and thus minimizes e r r o r and oversights which can impair
performance as well as safety.
A. The b e s t p r a c t i c e s of l e a d e r s i n occupational s a f e t y a r e augmented
by, and integrated with emerging system s a f e t y procedures and
s c i e n t i f i c f i n d i n g s -- technical, behavioral and organizational.
B. The use of v i s i b l e , d i s c i p l i n e d a n a l y t i c method i s e f f i c i e n t and
e f f e c t i v e i n applying a wealth of s p e c i f i c standards and recommen-
d a t i o n s and a l s o d e t e c t i n g and correcting those situa-bns f o r which
progressively higher degrees of protection a r e f e a s i b l e .
C. A dynamic s&ety system has simple elements working together t o
achieve a high degree of s a f e t y i n a manner congruous with manage-
ment t o a t t a i n high performance goals.
111. The s p e c i f i c objective of t h e s a f e t y system i s t o compare adequately

analyzed a l t e r n a t i v e measures and s e l e c t the measures which provide
t h e lowest practicable l e v e l of r i s k i n a manner consistent with per-
formance and s o c i a l goals.
IV. The basic elements of a s a f e t y system a r e :

A. Management implementation of a sound s a f e t y policy.
B. A defined hazard a n a l y s i s process t o minimize e r r o r s and oversights.
C. Work s i t u a t i o n s which provide t h e environment and d i r e c t i o n t o enable
people t o perform capably and safely.
D. An information system which provides:
1. Monitoring t o promptly d e t e c t r i s k s and deviations from s a f e t y
plans.
2. Knowledge of hazards and corrective measures.
3 . Prompt, adequate feedback on s a f e t y performance.
E. Opportunities t o p a r t i c i p a t e f o r a l l members of t h e organization,
s e r v i c e s and a s s i s t a n c e t o help them f u l l y use t h e i r c a p a b i l i t i e s
f o r developing and implementing s a f e t y measures, and recognition
f o r good work on behalf of safety.
V. Transition t o a new, high order of s a f e t y i s possible if s a f e t y

a c t i v i t i e s a r e systematically defined, measured, assessed and improved
t o form a strong, comprehensive unified e f f o r t .
- 133 -
IV. MORT
The Management O v e r s i ~ h tand Risk Tree
MORT is a l o g i c t r e e which provides a disciplined method
of analyzing an accident. The Tree can, then, a l s o be a guide
as t o what f a c t s t o seek i n an investigation.
Since MORT is predicated on high-level i d e a l s as t o what
a s a f e t y program should be, it a l s o provides a format f o r s a f e t y
program evaluation,
MORT is s u f f i c i e n t l y searching and revealing t h a t f u l l s c a l e
a n a l y s i s of only a few s e r i o u s accidents/incidents w i l l r e v e a l
many needed program improvements. A few MORT analyses provide
more u s e f u l information than l e s s rigorous a n a l y s i s of l a r g e num-
b e r s of accidents. Therefore MORT a n a l y s i s i s cheap.
MORT i s too complex and time-consuming f o r use i n minor
accidents. However, it can guide t h e c o l l e c t i o n of objective
d a t a f o r portions of t h e t r e e i n an ongoing program of accumu-
l a t i n g u s e f u l facts about minor accident causation and t h e hazard
c o n t r o l program.
MORT i d e n t i f i e s 222 "basic problemsw--causative problems,
o r preventive measures. These, i n t u r n , underlie 98 generic
problems composing successively broader a r e a s i n management and
prevention. Yet t h e specified b a s i c problems, i f studied i n a
continuously more a n a l y t i c d i r e c t i o n , may be only a good beginning
i n a n a l y s i s , t h e r e may be other subproblems, and t h e r e c e r t a i n l y
a r e thousands of c r i t e r i a . Among the above concepts a r e about 70
new ideas" and t h i s i s highly subjective , depending on a -personfs

I1
background.
- 135 -
1 . DEVELOPMENT OF ACCIDENT "TRFE ANALYSIS"
I n e a r l i e r phases of t h i s study a number of questions were raised about

accident investigation and analysis, specifically, the shocking lack of a
methods l i t e r a t u r e was c r i t i c i z e d . The question was asked, "Is accident inves-
t i g a t i o n an i n t e l l e c t u a l l y disciplined procedure?" A n e s s e n t i a l l y negative
answer was given. Consequently, an exploratory method of accident analysis
was developed t o embody some energy transfer, change, and systems concepts
which b , d been discussed i n the background paper.
From data supplied during familiarization v i s i t s t o two AEC research
s i t e s , two major accidents were analyzed: "High Level S p i l l a t the Hilac1'
and "Environmental Chamber. " (~ppendicesA-1 and A-2. )
The e a r l y analytic 1
formats provided useful ways of exploring the voids i n systems approaches

p r i o r t o these two accidents. Several major impressions emerged from t h i s
work, namely:
1. Use of the forms (as then conceived) was dependent on a rather f u l l
understanding of the systems control procedures from which the forms
had been derived.
2. Therefore, the forms would not provide a p r a c t i c a l t e s t o r discipline
f o r accident investigators and analysts who might not be f u l l y
familiar with the premises.
3 . The logic of the analysis was not f u l l y c l e a r , j u s t the r e s u l t s .
Consequently, the use of a "Fault Tree," probably the most rigorous (and
expensive) systems analysis technique, was attempted.
A f i r s t t r i a l of a general, abstract "Tree" method was developed and
applied experimentally t o the "High Level S p i l l a t the Hilac," based primarily
on a report (9/24/59) published by Lawrence. (The r e s u l t s are shown i n Appendix
A-1. )
The f i r s t t r i a l led t o an impraved general Tree method, which was then
applied t o an environmental chamber accident. (see Appendix A-2. )
The second t r i a l led, i n turn, t o a t h i r d e f f o r t t o develop a general
method .
A t t h i s stage, major events were u t i l i z e d as examples f o r two reasons :
1. Only major events have reports with sufficiently detailed f a c t u a l find-
-
ings t o support any rigorous analysis against high standards of control.
2. Only major events would warrant the high standards of control hypothe-
sized i n the Tree.
The r e s u l t s of the f i r s t two applications of a logic t r e e t o two major
accidents were encouraging and s t a r t l i n g . The method was seemingly exposing
s i g n i f i c a n t numbers of basic problems not e x p l i c i t l y i d e n t i f i e d i n the orig-
i n a l reports, and was showing indications of the rigorous, disciplined mode
of analysis which had been sought. Further, once completed, the t r e e s provided
an all-important v i s i b i l i t y t o a n a l y t i c process which enabled a reviewer t o
review, ask searching questions, and a l t e r the analysis a s additional relevant
f a c t s o r h i s judgment might warrant.
As these analyses proceeded, the method was constantly being a l t e r e d and
expanded t o provide appropriate c r i t i c a l questions s p e c i f i c t o the two events.
However, a t the same time, using memories of other s i g n i f i c a n t accidents, a
general format of a more rigorous and universal logic t r e e was emerging.
The consequence k s developnent of a generalized analytic method,
Management Oversight and Risk Tree" (MORT),and t h i s Tree i n i t s t h i r d
generation was used i n the t r i a l s a t Aerojet. From the t r i a l s a fourth
generation t r e e i s emerging.
The term " f a u l t " was discarded because it implied blame; a l s o because
the method uses generalized f a i l u r e s (e.g., management f a i l u r e s ) on tracks
p a r a l l e l t o s p e c i f i c content f a i l u r e s , which i s not consistent with the
Fault Tree.
The generalized t r e e i s much more complex than any s p e c i f i c accident
-
t r e e because the former must indicate a l l the avenues which should be explored.
A s p e c i f i c accident analysis shows only the findings which were contributive
o r causal, o r negative even though not causal. However, i f analysis of a
s p e c i f i c accident showed graphically a l l of the aspects checked and found
e i t h e r i r r e l e v a n t o r s a t i s f a c t o r y , it would be equally complex (and t h i s has
usually been done on blank MORT worksheets leading up t o a f i n a l a n a l y s i s ) .
A l l through analysis of t h e two serious accidents and subsequent develop-
ment of MORT, management's r o l e was shown with increasing c l a r i t y . The data
needed were shown t o be f a c t s on management's c o n t r o l process, a s mch as the
f a c t s about a s p e c i f i c event.
I n t e r e s t i n g l y , and helpfully, MORT quickly displayed a capacity t o gain
management confidence despite the f a c t t h a t MORT puts the accidents on manage-
ment's doorstep. Two senior vice-presidents of a large research and develop-
ment organization said such things as: " i n t e r e s t i n g , valuable, very provocative,
and c e r t a i n l y opened my eyes t o a l o t of things," and "the f i r s t scholarly, i n
depth approach t o s a f e t y I've ever heard i n industry o r research." On the
technological side, Paul Hernandez of Lawrence, the "mother" of the hydrogen
bubble chamber, s a i d the analytic format would have saved t h e Board i n v e s t i -
gating the Cambridge explosion and f i r e many expensive meetings needed t o s e t t l e
- 137 -
on investigative and analytic approaches.
MORT, a t t h i s time, i s a complex analytic procedure. However, it can
guide analysis of t r u l y serious events, and a l s o guide d a t a collection by
sampling methods whereby a t r e e can be compiled f o r groups of l e s s serious
events. Also, as f u r t h e r experience i s gained, the key questions may emerge
i n an every more simplified format. Even today, t h e complex t r e e i s com-
posed of r e l a t i v e l y simple questions i n a l o g i c a l sequence.
Field sketches of MORT analysis of f i v e additional accidents are a l s o
reproduced i n Appendices A-3 t o 6. The purpose of using the o r i g i n a l sketches
i s t o show how the techniques can be employed flexibly t o meet the r e a l i t i e s
of situations.
I n addition, the cases (1through 6) show t h a t the technique i s evolving,
and suggest t h a t f u r t h e r evolvement w i l l be i n order. A s a m t t e r of f a c t ,
f u r t h e r experience may indicate t h a t some of the approaches used i n the e a r l y
work are superior, g ~ ad r e t u r n t o those forms of analysis may be i n order.
The r e s u l t s attained by e a r l y t r i a l s of MOKT analysis w i l l indicate why
the technique seems 'so promising. The basic investigation reports were good
reports, witness an average of 18 problems (and recommendations) i n f i v e
serious accidents. However, MOW analysis exposed an a d d i t i o n a l 2 0 problems
average per case f o r review and action. The t o t a l r e s u l t s f o r five serious
accidents were 197 problems o r 38 per case, a commentary on the complexity of
causal information. The average r e s u l t s f o r the f i v e cases were a s follows:
Nature of Identified Prior t o MORT Additional
Problem I n Report I n Follow Up ST - From MORT -
Tot a 1
Specific Content 15 2 17 7* 24
Systemic
+may include a few which w i l l be shown t o be impractical a f t e r review, e.g.,

by a Board.
x++ several of these a r e omissions of d i f f e r e n t steps i n the hazard review
process, but such an oversight is the equivalent t o overall gross f a i l u r e i n
such review.
It should be e x p l i c i t l y noted t h a t MORT analysis i s s e l f - f u l f i l l i n g . For
example, MORT pcstulates an information search a s an e s s e n t i a l step i n the
Hazard Analysis Process. The information search was not made; ergo we have a
potential.causa1 factor. That the information search would have produced useful
information i n any p a r t i c u l a r case must be evaluated. However, the assumption
can be tested against a retrospective review of what information was available,
If pertinent information was available, but not e a s i l y retrievable, we have
an additional defect i n the information system i t s e l f . Actually, the lack of
information search creates what has been termed e a r l i e r "uncertainty" r a t h e r
- 130 -
t h h "assumed r i s k . "
A s t h e general t r e e , MORT w a s u t i l i z e d , an extremely important conclu-
s i o n emerged: Since MORT was a method of analyzing a s i n g l e accident f o r
t h e f a i l u r e s which caused t h a t accident, it a l s o was a format f o r appraisal
and assessment of t h e s a f e t y promams which were intended t o control acci-
d e n t s i n generdl. Thus, i n the closing days of t h e work a t t h e t h r e e
research s i t e s , and i n t h e year-long trials a t Aerojet, the MORT format
was used t o show t h e strengths ard weaknesses of programs. MORT appeared
t o have t h e capacity t o ask searching ard relevant questions, seemed t o
show why conventional (ANSI) "cause analysis" d a t a w a s l i t t l e used i n deci-
sion making, and seemed t o provide a r a t i o n a l context wherein unusual,
varied, and sometimes divergent programs could be described and assessed.
14. 'ED73 MORT DIAGRAMS - INTRODUCTION
The t h i r d generation Tree (as developed by l a t e March 1 9 n ) i s presented

i n eight pages of diagrams. Page 1 presents the overview. The other pages
continue the analysis t o more specific subproblems.
Probably the best way t o get i n t o the use of a logic t r e e i s t o b r i e f l y
discuss some of the concepts on Page 1 of MORT. The the various symbols can
be explained.
A next s t e p would then be simply following through the diagrams visu&ly,
step-by-step, preferably applying them t o a program, problem or accidents. The
diagrams are, i n large part, self-explanatory, and each fork i n the Tree pre-
sents a r e l a t i v e l y simple question.
Then a review of the fourth generation MORT outline i s i n order. It repre-
s e n t s a somewhat tightened l o g i c f o r e s s e n t i a l l y the same concepts. The detailed
discussion of concepts constitutes the main body of t h i s t e x t and i s keyed t o
the t h i r d and fourth generations of MORT by reference and page numbers."
F i r s t , the f i n a l consequences of an adverse event are stated a t the head
of the page. They include not only a l l i n j u r i e s , and d i r e c t and indirect costs,
but a l s o the e f f e c t s of l o s s of current production and the adverse e f f e c t s on
q u a l i t y and quantity of output which frequently were occuring p r i o r t o the acci-
dent.
Second, a symbolic reference t o "Future Undesired Events" which w i l l be
affected by the Management System i s noted.
-
S. A l l contributing f a c t o r s i n the accident a r e seen a s Specific Oversights
and Omissions, u n t i l such t i m e a s they may be transferred t o Assumed Risks.
Assumed Risks a r e cumulated from specific decisions t h a t a solution t o a
problem i s not available, i s impractical, o r i s t o be delayed f o r stated reasons.
Assumed Risks are normal, expected aspects of any a c t i v i t y - even getting
up i n the morning, o r staying i n bed! Risks are inescapable.
Most important, the specific expression of assumed r i s k s very often provokes
additional study and e f f o r t t o reduce r i s k s . -
Unanalyzed r i s k s a r e not assumed
r i s k s , nor are "uncertainties" a s e a r l i e r defined.
G. Management System LTA. A judgment t h a t management i s " l e s s than adequate"

would not usually be expected from a single event, but it i s remarkable how
frequently in-depth reports of serious accidents do make such judgments, e.g.,
* I n e a r l y stages of familiarization with the process, it doesn't seem t o make

a great difference whether the t h i r d generation diagrams o r the fourth genera-
t i o n outline i s used. Either one w i l l produce a more searching, disciplined
analysis.
- 140 -
"lack of firm policy" i n the Hilac report.
I n t h i s version of the Tree, Management Systems are shown separate from the
process which produced the s p e c i f i c adverse event. Two purposes seem furthered:
1. A depiction of Management Systems w i l l suggest aspects of the back-
ground of the s p e c i f i c accident which should be closely examined.
2. The s p e c i f i c event may, i n turn, suggest which aspects of Managenat
Systems may t r u l y be "LTA" , t h a t i s , " l e s s than adequate . I 1
This consideration of. general management i s a conspicuous difference from
the Fault Tree technique - that i s , a generalized condition i s r e l a t e d , a t
l e a s t p ~ s u m p t i v e l yo r i n d i r e c t l y , t o the s p e c i f i c f a i l u r e s .
The system f a u l t s can be seen a s "planned foresight l e s s than adequate."
The s p e c i f i c f a u l t s use 20-20 hindsight t o detect omissions, oversights and
errors. Each of the l a t t e r may a l s o be t r a n s l a t a b l e i n t o system improvements
answering the question, "Why could it go wrong?"
The analysis proceeds primarily from the f a u l t s o r f a i l u r e s shown a s
"Specific Oversights and Omissions" with t r a n s f e r s t o Management or Assumed
Risks only a s the f a c t s demand. This i s the f i r s t of the "gatest' i n analysis
and perhaps the most rigorous and p o t e n t i a l l y unpleasant.
The continuation of the l o g i c working backward from the adverse event i s
shown a s follows:
SA.1 "Accident" - occurs when an unwanted t r a n s f e r of energy reaches persons

and/or objects .
SA2 Amelioration LTA - occurs a f t e r the i n i t i a l accident event. There a r e a
number of programs which,;should reduce the ultimate adverse e f f e c t s - preven-
t i o n of $ second event, f i r e fighting, rescue, medical service, and r e h a b i l i t a t i o n .
These may be LTA ( l e s s than adequate). A t r a n s f e r symbol shows t h a t
analysis of these programs i s d e t a i l e d on page 4 of the MORT diagrams. For example;
31 Prevent the Second Accident, The analytic process seems self-evident,
except perhaps t h a t t h i s phase i s distinguished from Emergency Shut eff (page 7).
The process f o r both phases i s s i m i l a r . A question t o be asked i s whether prac-
t i c e has occurred under emergency conditions, e.g., an e l e c t r i c a l f a i l u r e i n
the dark?
a4 Emergency Medical Service LTA. Check transportation times, Verify t h a t
the hospital meets the Emergency Room standards of the American College of
Surgeons.
SB1 "Incident" - an unwanted energy t r a n s f e r not necessarily r e s u l t i n g i n

i n j u r y o r damage. However, any "near miss" could be considered an incident
worthy of analysis, regardless of energy t r a n s f e r .
al. A d i s t i n c t i v e symbol c a l l s a t t e n t i o n t o the possible Failure t o Moni-
t o r and Review incidents. F ~ & could
R mean f a i l u r e t o d e t e c t p r i o r r e l a t e d
i n c i d e n t s and f a i l u r e t o e a r l i e r c o r r e c t causal f a c t o r s . Thus F ~ & becomes
R
a causal f a c t o r i n t h e current event.
SB2 B a r r i e r s LTA - t h e concept of successive b a r r i e r s t o t r a n s f e r of energy

seems very constructive, t h a t i s , suggests a v a r i e t y of p r a c t i c a l actions.
E a r l y and multiple b a r r i e r s should be associated with l a r g e r energies. (See
Chapter 2. )
The first f o u r b a r r i e r s should have been taken care of i n Concept and
Design. What about t h e next f o u r shown i n t h e diagram? ( A l l e i g h t are i n
t h e f o u r t h generation Tree.) Consider each kind of b a r r i e r separately f o r
p o t e n t i a l use.
Note t h e HE Press Explosion i n Appendix A. It shows a check of B a r r i e r s
f o r d i f f e r e n t c l a s s e s of persons and objects. Don't overlook questions of
shock absorption and how shock could be cushioned o r redirected.
The notion of Barriers, both t o separate energies and t o p r o t e c t people
and o b j e c t s should be most c a r e f u l l y considered f o r each energy t r a n s f e r .
This a n a l y s i s t e s t s t h e s k i l l and imagination, and has already been shown t o
be a provocative and c r i t i c a l s e r i e s of questions i n accident investigation.
SB3 Persons, Objects - t h e analysis ( a l s o d e t a i l e d on page 4) i s usually,

but not always, perfunctory. Questions of evasive action and functional
presence a r e examined.
SC1 Unwanted Energy Flow #I. This i s the energy which has t h e f i n a l , primary
r o l e i n t h e Incident. A small t r a n s f e r symbol calls attention t o the fact
t h a t t h e same a n a l y t i c process i s used elsewhere.
SC3 Unwanted Energy Flow 2, 3, ... n - a s i g n i f i c a n t , perhaps large, number

of serious accidents involve successive i n t e r a c t i o n s of d i f f e r e n t sources of
energy. This complexity suggests t h e importance of intermediate B a r r i e r s ( s c ~ ) ,
and thus gives f u r t h e r opportunities t o i n t e r r u p t the sequence. It a l s o sug-
g e s t s a d a t a c o l l e c t i o n goal: How many accidents involve i n t e r a c t i o n of two
o r more energies? I n 12 serious accidents, four had two forms of energy and
four had three forms.
Again note t h e HE Press diagram f o r a c a r e f u l breakdown of energy flow,
and note t h e number of b a r r i e r s t o energy flow. Also note t h a t t h e Hilac,
MAPP, and I n i a t o r s cases ( i n Appendix A) had two kinds of energy t o be
analyzed.
What triggered the first energy t r a n s f e-r ?
F i r e spread gives an i n t e r e s t i n g exerciee i n energy potentials, t r a n s f e r s
and barriers.
I n t h i s study there have been an interesting number of cases where analysts
untrained i n the technology were able t o suggest potential b a r r i e r s which had
been missed by the technologists who made the investigation!
.,
For Unwanted Energy Transfer #2, e t c a f a u l t t r e e t r a n s f e r symbol i s
used t o show t h a t the analysis used f o r "Unwanted Energy Flow #I1'i s poten-
t i a l l y useful f o r successive energy potentials (plus the requirement t o con-
s i d e r and foresee the potential interaction of energy forms, and provide needed
safeguards o r b a r r i e r s between energies).
Having introduced t h i s much of the logic and symbolism used i n MORT, it
would be well t o pause and show the definitions of symbols used i n subsequent
analyses .
-143 -
15. DEFINITION OF SYMBOLS
The symbolism was altered from t h a t of the Fault Tree f o r two reasons:
1. Efforts a t c l a r i t y -
f o r example, the AM) and OR gates should have
clearer symbolic distinctions.
-
2.. Efforts t o explain 'for example:
a. Failures t o monitor are judgmental as t o where i n the process
they occur, and could be shown a s specialized gates (rather than
independent f a i l u r e s ) ,
b. A v a r i e t y of contingent, fail-safe, and expected events should be
provided for, and distinguished from one another.
Faul Tree symbols are the subject of an ANSI code (~32.14-1962) so varia-
tions may be questioned. However, a human factors s p e c i a l i s t found the stan-
dard symbols error-provocative,
Figure 15-1. Tree Symbols

Events
. Anevent (usually a f a u l t or malcondition) expressed i n

functional terms.
.An event described by a basic component o r part f a i l u r e

(these are the "independent" events) .
An event a t which f a u l t sequence i s terminated f o r lack
of information o r consequences, o r f o r lack of solutions,
i n which case the event i s usually transferred t o
assumed r i s k s .
An event which i s satisfactory, s u a l l y used t o show

completion of l o g i c a l analysis.
An event t h a t i s nor-
mally expected t o
occur.
A contingency event
which alleviated o r
corrected.
-
/ /
-I-
A contingency event
which aggravated
problem.
A basic problem revealed i n
A
an investigation, and deser-
ving recording and correc-
tion, but not a factor i n
the a c t u a l event which
occurred.
Gates
A AND Gate - Requires coexistence of -

a l l gate inputs f o r output.
OR Gate -
Requires any one gate input f o r output, i f more
than one input e x i s t s , output w i l l s t i l l occur.
PRIORITY AND Gate -

Same as AND gate with the stipulation
t h a t one event must precede the other. Description i s
written i n oval.
INHIBIT Gate - I f input event occurs and the condition i s

s a t i s f i e d , an output event w i l l be generated; i f the con-
d i t i o n i s not satisfied, no output w i l l occur. Descrip-
t i o n of condition i s written i n figure.
Transfers
A Transfer symbol used t o transfer an e n t i r e sequence of

analytic operations from another part of the t r e e (essen-
t i a l l y a d i t t o mark), but the elemsnts may have different
numerical values o r d i f f e r e n t and appropriate nomenclature.
Transfer t o assumed r i s k s f o r problems f o r which there i s

no countermeasure, o r no practical countermeasure.
'3 Transfers t o another page f o r completion of process.
Abbreviations
LTA = Less Than Adequate
DIN = Did Not
D/NP = Did Not Provide
F/ = Failed, or Failure t o
F/M = Failed t o Monitor o r Measure
F/M&R Failed t o Monitor and Review
=
I n general the schematic layout of the diagrams was as follows:
1. horizontally - l e f t t o right, from e a r l i e r t o l a t e r i n the Safety Precedence
Sequence, and i n the concept of successive barriers t o energy transfers.
2. v e r t i c a l l y - frombottom toward top a s the causal sequences progressed.
- 145 -
Both of these rough dimensions a r e keyed t o time a s w e l l a s process.
Thus the rough order of arrangements can be seen as:
I EARLY
later
e LATER
Early)
(Early
t
early
The value i n t h i s arrangement seems t o be t h a t e a r l y interruption of acci-

dent sequences i s t o be preferred.
16. MORT CHARTS
A t t h i s point the eight pages of the charts should be reviewed b r i e f l y ,
but i n t h e i r e n t i r e t y ,
Many concepts, and the analytic process envisaged, should be l a r g e l y
self-explanatory.
Then, a second review of the charts should be made, t h i s time using t h e
cross references (code numbers and page numbers) t o consult t h e detailed
t e x t regasding items not c l e a r from the diagrams, A complete reading of the
t e x t i s necessary t o f u l l y develop the process,
Finally, practice and experience with the technique is needed t o develop
d e x t e r i t y and s k i l l ,
A l e s s studied, but p r a c t i c a l approach is described on page 23--a
t e s t e d recipe f o r GETI'ING S'l'WTED.
From experience with the diagrams the following suggestions can be givens
1. The analytic diagrams work best if they are used as work sheets and
pertinent f a c t s about an accident o r problem are noted i n margins at
appropriate places, Informality is a key--the diagran~w i l l take care
of the discipline, MORT is a screening guide, helps avoid personal
hobbies o r bias.
2. It has been common t o f i n d on a first reading of a report t h a t the
report of what happened seems complete. &It on second reading, and
continuing t o make notes on the MORT form, the gaps i n information
about what happened begin t o be revealed. Questions about why it could
h a ~ m nbegin t o emerge* If a "problemH shown i n MORT was s a t i s f a c t o r y
o r irrelevant, it helps t o write o.k., o r X out aspects not needed.
Red (bad) and green (good) can a l s o be used, with blue f o r "don't know."
3. A t h i r d , slower, more disciplined t r i p through the diagrams is then i n
order. It is usually necessary t o t r a c e energy flow meticulously on
a separate sheet, and then examine t h e nature of possible barriers,
step-by-step. Also, i f the diagrams do not c l e a r l y r e f l e c t adequate
l o g i c t o get t o t h e roots, draw special l i t t l e trees.
4, A t t h i s point you are probably ready t o mark up o r draw a tree. Do
not overlook the outline form shown f o r the Hilac case. However, the
outline i s only f o r easy reproduction of final r e s u l t s , not f o r analysis.
Cover Sheet -
It has proven useful t o have a place t o note c e r t a i n basic
f a c t s about each analysis. (see Figure on next page. )
MANAGEMENT OVERSIGHT
81 RISK TREE
MORT
Page 1
Typed Numbers Refer to
INJURIES, DAMAGE,
OTHER COSTS,
PERFORMANCE LOST,
DEGRADED
I FUTURE
UNDESIRED
EVENTS
I
1
~ e k Page.
t
114 SPECIFIC OVERSIGHTS

& OMISSIONS? 94,114 MANAGEMENT
SYSTEM LTA?
s
GAl
!
I
23 'INCIDENT"
AFFECTED BY #1
I "TRIGGERSr
LTA
II TECHNICAL
INF. LTA II PROCESS NOT
DEFINED
ENERGY FLOW ENERGY FLOW
Scl. A Sc3
MAINTENANCE INSPECTION SUPERVISION

LTA
Much 31, 1871

W.G. JDhnron
USAEC C o n m
AT 104-3)821
MORT
Page 2 1 I
MANAGEMENT
IMPLEMENTATION
LTA
341, 150 1
DATA ~ ~ ~ L Y S I S
321
d
I
L
I EXAMPLE
TIVES
DENTS
a6
" 189,3038312
I55 DELAYS STAFF FEED-
INFORMATION
GC2 A
KNOWLEDGE COMMUNICATIONS
SAFETY PROGRAM
REVIEW LTA
394
084 A
NO KNOWN KNOWN
I PRECEDENT PRECEDENT TERNAL
ORGANIZATION
LTA
A
01
CODES,
MANUALS
SCOPE
SERVICES COMMIT. & INTE- MONITOR
GRATION AUDIT.
bl
WGJ
3.31-71
HAZARD REVIEW
189 PROCESS NOT
DEFINED
GrJ
SAFETY D I N PRESCRIBE SAFETY

ANALYSIS LIFE CYCLE 216 ANALYSIS
SCOPE & NOS LTA
1 r4
193
I I
PRlORlTY
LEFT T O RIGHT
TlVES
r I
D I N DEFINE DESIGN &
CONCEPTS. DEVELOWENT
REQUIREMENTS
SD2
. .
Appendix F
MORT
page 4
I 2 I I -I I
PREVENT FIRE FIGHTING RESCUE EMERGENCY MEDICAL REHABILITATION
SECOND ACCIDENT LTA LTA SERVICE LTA LTA
.4
I PERSONS, OBJECTS I N
ENERGY CHANNEL
I
ON ENERGY ON PERSONS, SEPARATE
SOURCE OBJECTS TIME, SPACE
NO EVASIVE
ACTION FUNCTIONAL NON-FUNCTIONAL
MORT
page 5
I
D I N CONTROL ENERGY D I N SAFELY PROCEDURES
RELEASE CRITERIA LTA INDE-
PENDENT
U A
218 REVIEW
A 233
CHANGE REVIEW
192 ( CONCEPTS
REWIREMENTS LTA I STRUCTURE AUTOMATIC
L
b6
WARNINGS
219 MANUAL HUMAN
FACTORS
REVIEW
D I N SPECIFY DYNAMIC STATIC

TOLERABLE DISPLAYS DISPLAYS
RISK EXPOSED
OPERATE
SAFETY
m
COLORS,
UNDER-
'0
DESIGNED
MEDIATE
LINES
PER-
FORM-
JIGS,
ANCE
O
(maintenance)
MANIPU-
SAFETY
REDUN-
LIMIT
MORT
Page 6 r
HUMAN FACTORS
REVIEW LTA
223
DIN ESTABLISH DIN PREDICT

MAN-TASK REQUIREMENTS ERRORS
ISO2 a4 A
MEET CRITERIA
I 4 I
1 I
PLAN LTA EXECUTION LTA
a1 A rZ A
factors)
r-l
DIN SPECIFY
(task error)
OM
CAUSED
WGJ
351.71
MORT
Page 7
DIN DETECT, UNSAFE ACTS,

CORRECT. DESCRIPTIVE
HAZARDS
Lr-'
NON-TASK
PERI-
PHERAL HIBITED
COORD'T'N. PROGRAM
RELATED
M
EMERGENCY SHUT-OFF
A
I 258
DIN SUPERVISE
MORT
Page 8
1SDB
DIN USE JOB SI :ETY ANALYSIS 1 287
MOTIVATION
DEVIATIONS
-----------
.3
OUTSIDE
A
DEPARTMENT
VARIABILITY
h a
0
b7
CONTENT
The concepts of causation o r prevention postulated i n MORT have been
derived i n a number of ways:
1. I n analysis of events, specific accident slincident s , and i n analyzing
problems and programs:
a . The absence of measures has seemed t o be causative,
b. The presence of measures has seemed t o be preventive;
2. A similar opinion consensus of safety professionals a s revealed i n liter-
a t u r e and discussion.
3. Opinion consensus of non-safety professionals, most especially managers,
was similar, but had important additional impact:
a. The a r t i c u l a t i o n of a methodology made sense of safety (some said,
"For the f i r s t time ,)
"
b. Techniques were seen whereby the s k i l l s of the e n t i r e organization

might be b e t t e r u t i l i z e d i n the s a f e t y program.
17. F O GETEWLTIOI?
~ ~ OF ~ KOiiT
~
The t r i a l s a t Aerojet r e m a l e d a nunber of developmental needs, and a l s o

s u g ~ e z t e dnuzerous p o i n t s a t which l o g i c might be t i g b t e m d , d e t a i l e d , r e f i n e d
and izproved .
Consequently, i n r e c e n t months a somewhat improved o u t l i n e , p a r t i c u l a r l y
f o r t h e General Management System, was developed but has not been t e s t e d .
Experience has shown t h a t i n almost every category of the diagram o r o u t -
l i n e a f i n a l item "Other" o r "I:%at Else?" could be sho~m. Analysts should
not h e s i t a t e t o add items omitted from t h e a n a l y s i s .
Figure 17-1. Fourth Generatio3 XORT
Numbers refgr>o t e x t page:

G. General Management Systems Less Than Adequate (LTA) 114, 173
P o l i c y LTA 175
Goals LTA 206
Implementa Lion LTA 173 *
A. Methods, c r i t e r i a and a n a l y s i s LTA 185

B. Line r e s p o n s i b i l i t y LTA 190
C. S t a f f r e s p o n s i b i l i t y LTA 192
D. Organization and d i r e c t i v e s 193
1. Organization LTA
2. D i r e c t i v e s LTA
E. Management t r a i n i n g and a s s i s t a n c e LTA 195
F . Budgets LTA 189
G. Delays (= Assumed Risks) 189
H. Accountability LTA 198
I. Vigor and example LTA 200
Risk Assessment System LTA 205, 90
A. Information System LTA 343
1. Technical Informztion LTA 349
a . Knowledge LTA
( 1 ) Knolm Precedent
-(a) Codes, manuals, recommendations LTA* 260
(b) Precedent LTAG
( c ) L i s t s of e x p e r t i s e LTA 347 .
(d) S o l u t i o n r e s e a r c h LTA 97, 265
(2) No Known Precedent
(a) Accident i n v e s t i g a t i o n & a n a l y s i s LTA 375
(b) Research LTA 97
b. Comunicatlons LTA
-(I) I n t e r n a l 391
(a)ork not defined
(b) Operations LTA**
( 2 ) E x t e r n a l 411
( v o( r k not defined
( b ) Operations LTAH
*This d e c e p t i v e l y simple item i s t h e e n t r y i n t o the v a s t body of content catalogued

by t h e Nuclear Safety Information Center, NASA, and National Safety Council.
*Weak i n a l l of above systems, e s p e c i a l l y. r-e t r i e v a l .
. - Syfterna LTA 351
Monitoring
-
a . Kanagemnt routine supervision
b. Search-out
.
c ~ c c i - d e n t / ~ n c i d e nsys
d. RSO Studies L'I'kX-
t tetns LTA
e . Error sampling systems LTA

f . Routine - HP, inspection, e t c .
g . Upstrezm process audit LTA
h. General h e a l t h monitoring LTA
3. Data Reduction LTA 234
a. "Uors% Potential'' l i s t LTA 435 --
b. Surnmries, r a t e s , projections, trend analysis LTA 415
c. Diagnostic s t a t i s t i c a l analysis LTA 391
d. Depth analysis of s p e c i a l problems LTA
4. -
"Fix1' Controls (HAP Triggers LTA! 443
a . One-on-one f i x e s
.
b "Worst Potential" f i x e s
c . Planned change controls LTA
d. Unplanned change f i x e s LTA
e . New information use LTA
5. Managerial assessment LTA 435
B. Hazard Analysis Process C r i t e r i a LTA 223
1. Concepts and. Requirements LTA 237
D I N Specify Tolerable Risks 237
(1) Safety
(2) Performance
Safety Analysis Cri.teria LTA 238
(I) Plan LTA
(2) Scaling Xechanism LTA 238
(3) Analysis methods LTA 248
(4) D/N require a l t e r n a t i v e s 259, 90
(5) D/N specify s a f e t y precedence sequence ( e .g.,
p r i o r i t y f o r design) 225
( 6 ) D/N analyze environmental impact 259
D N Specify Requirements C r i t e r i a 260
&mc
(2) OHSA
(3) Other Federal
(4) S t a t e and Local
( 5 ) Other National Codes, Standards, and Recommendations
(6) I n t e r n a l Standards
D/N Specify Information Search 262
(1)Nature
( 2 j scope
Life Cycle Analysis LTA 225, 263
(1) D/N Specify Life Cycle Scope
(2) D/N require l i f e cycle use, and f a i l u r e estimates
(3) D/N require s a f e t y f a c t o r s f o r extended use
* The well-known " c r i t i c a l incident" technique,

- . i n AEC c a l l e d "Recorded
S i g n i f i c a n t Observations" f o r semantic reasons.
General design and plan c r i t e r i a LTA* 281
(1) Design planning techniques LTA
(2) Organizational and functional r e s p o n s i b i l i t i e s LTA
(3) Interfaces with operations, maintenance, t e s t
organizations LTA
(4) Definition of safety-related c r i t e r i a LTA.
(operating considerations and a v a i l a b i l i t y , mate-
r i a l s , fabrication, construction, t e s t , operation,
maintenance, and q u a l i t y assurance requirements.)
( 5 ) I n t e r n a l review
l!Jo hazard review
(1) D/M Require
(2)DIN Monitor
2. Design and Develo~mentProcedures LTA 267
Enernv -
-. control ~ r o c e d u r e sLTA
(1) Unnecessary exposed hazards
(2) Underdesign
(3) Automatic controls LTA 267
(4) Warnings LTA 268
(5) Manual controls LTA
(6) Safe energy release LTA
(7) Barriers LTA 33
Human Factors Eeview LTA 273
Maintenance plan IiTA 311
Inspection plan LTA 311
Arrangement LTA 269
Environment LTA 269
Operability Specifications LTA ** 269
(1) Test and q u a l i f i c a t i o n 269
(2) Supervision 297
(3) Procedure c r i t e r i a 315
(4) Personnel selection 325
(5) Personnel t r a i n i n g & qualification 325
(6) Personnel motivation 337
(7) Monitor points 351
(8) Emergency plans (including ameflorat ion) 306
Change review procedxres LTA 270
Disposal plan 271
General Design process LTA* Z81
(1) Procedures f o r code compliance
(2 Procedures f o r use af new codes
(3) Procedures f o r use of information
(4) Engineering studies t o assure compliance of c r i t e r i a
(5) I d e n t i f i c a t i o n of weaknesses and analysis of "trade offs"
(6) Provision f o r preventive design features
( 7 ) Standardization of p a r t s
(8) Qualification of non-standard p a r t s
( 9 ) Design descriptions
(10) Classification of items - e s s e n t i a l i t y and safety
(11) Identificatior, of i t e m s
* Based on RDT Standard 32-2T, USAF:C.

* This section, which has major importance, can be f'urther elaborated from
material i n Specific Oversights o r a new major section could be inserted a f t e r
Safety Program Review.
(12) Acceptance c r i t e r i a
(13) Interface c o n t r o l within design process
(14 ) Development planning
(15 ) Development and Q u a l i f i c a t i o n t e s t i n g
(16) Test c o n t r o l
(17) Development review
(18) F a i l u r e reporting
k. Independent review' 283
(1) Internal
(2) External
1. Configuration c o n t r o l 270
m. Documentation 271
n. F a s t Action, Expedient Cycle LTA 271
Safety Program Review LTA 445
1. D/N define i d e a l s
2. D/N describe and/or schematics LTA
3 . D/N monitor, a u d i t , compare 446
4. Organization LTA 4169
a. Scope LTA 4-48
b. I n t e g r a t i o n ( o r coordination) LTA
c. Management peer committees LTA 453
5 . s t a f f LTA 450, 454
6. Services LTA 455
R. Results - Injuries, Other Costs, Performance Lost or Degraded.
S. Specific Oversi@ts and Omissions

--
I. -Amelioration
--- -- - - . LTA 140
11. The Accident 25
111. Persons, Ob.je: c t s i n Energy Path
N. ~ a r r i e r sLTA 33
A, L i m i t t h e Energy (or s u b s t i t u t e a s a f e r form)
B, Prevent t h e Build-Up
C, Prevent t h e Release
D, Provide f o r Slow Release
E. On Energy Source
1. D/N provide (Assumed ~ i s k ? )
2, Barrier F/
3. D/N Use (rnsert by t r a n s f e r , analysis of D/N Use JSA)
4. None possible (~ssumed~ i s k ? )
F, Between Source & Person/Object )
G, On ~ e r s o n s / ~
j ebc t s ( ~ e ~ e 1-4
at
H, Separate i n Time o r Space ]above )
V, The Incident
VI, Unwanted Enerm Flows #1. 2, 3, ... n. 31
A . Barriers between energies LTA
(repeat Barrier analysis above f o r each energy i n t e r f a c e )
.
B rnf ormat ion LTA (repeat analysis G-FJ-A above)
.
C Hazard Review Process LTA ( r e p a t analysis G-AT-B above)
.D. Maintenance LTA 311
E. I n s p e c t i o n LTA 311
I?. Supervision LTA ( i n c l u d e s JSA & personnel) 297
su ask e r r o r s should r e q u i r e use of Rigby's " e r r o r t o l e r a n c e
l i n i t st' ( X ~ B T P, O52,155) s i n c e accident a r e v e a l all-too-common
r e l i a n c e on custom, h a b i t , arid f o r e n s i c l i m i t s . )
( ~ e t a i l sof above t h r e e items remain t h e same a s t h e preceding MORT

diagrams. )
AR. Assumed Risk 91
To be i n s e r t e d by name when i d e n t i f i e d , analyzed and accepted.
I n s e r t "Worst P o t e n t i a l " L i s t i n d i c a t i n g s t a t u s of study o r
planned c o r r e c t i o n s .
The f o u r t h generation of MORT w i l l be t e s t e d i n seminars and workshops,
and i n t h e continuing t r i a l s a t Aerojet. It can be expected t h a t a r e v i s e d
f o u r t h generation t r e e w i l l be a v a i l a b l e by July 1973.
Value s i.n MCHT .
The p r i n c i p a l values i n MORT seem t o be three :
1. Prcwide a d i s c i p l i n e d method of i n v e s t i g a t i n g , analyzing and recording
findings.
2. Provide a comprehensive framework f o r assessment of s a f e t y program.
3. Provide an orderly p a t t e r n f o r a s s i m i l a t i o n of new information on s a f e t y
programing, i . e . , f a c i l i t a t e professional growth.
The t h i r d of these i s proving very useful. New information frequently
drops i n t o place i n t h e diagrams. I f it f i t s , it narrows gaps and uncertain-
t i e s , and o f t e n strengthens concepts i n g r e a t e r degree than would be expected
from an i s o l a t e d finding.
These and other values a r e embraced i n Figures 18-1 and 18-2, v i s u a l s used
i n presenting the scheme.
A r e l a t e d aspect, research, seems f a c i l i t a t e d by improved concepts of
f a c t o r s needing t o be held constant f o r an experiment o r comparison.
F i n a l l y , t h e open-ended, experimental approach t o problems and s o l u t i o n s
h a s seemed t o be aided, provided t h a t a willingness t o modify t h e MORT a n a l y s i s
i s retained. R i g i d i t y i s s t i l l t o be avoided.
A l l i n a l l , it appears t h a t t h e MORT system i s a b a s i s f o r managing t h e
higher energies we u t i l i z e , and reducing t h e s t r e s s e s , accidents, and o t h e r
t r o u b l e s inherent i n our technology.
S t y l e s of MORT.
There could be a t l e a s t t h r e e a l t e r n a t e s t y l e s of MORT:
1. The present, f a i l y e type of t r e e ,
2. A p o s i t i v e t r e e , which organizes what should be done,
3. A question t r e e which asks what was needed.
The present, f a i l u r e t r e e seems t o provide a l o g i c , focus, and motivation
f o r searching a n a l y s i s . The motivation f a c t o r may be, i n part, a f e a r of being
shown wrong i n an i n v e s t i g a t i o n or analysis.
The p o s i t i v e t r e e tends t o be preachy and pious, a l o n g - l i s t of "you shoulds."
However, an experimental use of a p o s i t i v e t r e e i s embodied i n some 17"x23" w a l l
c h a r t s developed t o show t h a t t h e basic s a f e t y schematic (chapter 11) i s con-
s i s t e n t with t h e f o u r t h generation t r e e (chapter 1 7 ) , and t h a t t h e t r e e i s , i n
turn, an elaboration of the schematic. This c h a r t w i l l be used i n workshops
and i n t r i a l s a t Aerojet t o examine i t s value.
Inherently a p o s i t i v e t r e e has one possible advantage, namely an OR gate
-
f o r an aspect such a s B a r r i e r s says any b a r r i e r w i l l i n t e r r u p t t h e sequence.
MORT = A NEW SAFETY SYSTEM
CONTAINS : BEST ORGANIZATION PRACT ICES +
SYSTEMS SAFETY +
OTHER IDEAS - NOT WIDELY USED +
SOME THAT ARE NEW!
METHOD - ORIENTED (TO HANDLE CONTENT)
COMPREHENDS: I,E ,I S COHERENT & WHOLE

(NOT PARTIAL & FRAGMENTED)
FRAMEWORK - (A) FOR INVESTIGATION

(B) FOR PROGRAM
(C) FOR ASSIMILATION OF IDEAS & GROWTH
OP,' VIABLE - (A) CAN EXAMINE ITS FAILURES 8 CORRECT ITSELF
(B) I S THE LOW COST APPROACH!
GENERAL - (A) OCCUPATIONAL, FIRE
(B) RADIATION, TOXIC MATERIAL
NUCLEAR + WASTE
Figure 18-2
CRITICISM - "MORT I S TOO EXPENSIVE"

MORT I S PROBABLY THE LOW COST APPROACH
CONCEPTS
STANDARDS OF JUDGUVlENT
INFORMATION SEARCH
ANALYSIS
I) CHEAP COMPARED TO
HARDWARE
ACCIDENTS
MORT INVESTIGATIONS - CHEAP COMPARED TO:

A "TYPE AN BOARDS
B, STERILE MASS DATA FOR LOOO'S
MORT SOLUTIONS ARE CHEAPER THAN ENDLESS BRUSH FIRE FIXES THAT DON'T
STAY F IXED
SCALE MORT TO SIZE OF PROBLEM OR BUDGET
BUT, DON'T SKIP STEPS

This i s good i n showing t h e many roads t o i n j u r y prevention. I n a negative
-
t r e e an AND gate i s needed, t h a t i s , a l l b a r r i e r s t o energy t r a n s f e r were
absent o r f a i l e d .
A question form of t h e t r e e could be i d e a l i n some r e s p e c t s - provocative
and open ended. For example, "What c r i t e r i a and a n a l y s i s d i d management use
t o a s s e s s t h e s i t u a t i o n p r i o r t o t h e accident? O r , t o take a more d i f f i c u l t
question, "Are s a f e t y engineers present on a big, complex construction p r o j e c t
t o continue t h e study of s a f e o p e r a b i l i t y (not j u s t construction s a f e t y ) ? "
A t an English seminar t h e answer t o t h i s question f o r Royal Dutch S h e l l was
revealed t o be, "Yes."
One disadvantage of t h e questions seems t o be wordiness added t o an already
complex scheme. Also, t h e r e i s t h e l a c k of p r e c i s i o n , which seems t o deny
t h e existence of c r i t e r i a .
Another type of question about MORT i s : Should it represent t h e i d e a l s ,
o r should it r e p r e s e n t t h e a c t u a l standards e f f e c t i v e a t a given t i m e . This
question i s e a s i e r t o answer, because t h e answer i s , "Both." A t l e a s t two
s e t s of c r i t e r i a should be used i n any given environment:
1. The standards of program and prevention i n e f f e c t a t a given time,
but organize? i n t h e MORT format, An example might be, "Was Job
Safety Analysis required by management?"
2. The higher i d e a l s of MORT. For example, "Should management r e q u i r e
Job S a f e t y Analysis?" (if t h e answer above w a s "No). "Should manage-
ment r e q u i r e a v i s i b l e , recorded information search as a p a r t of a
Hazard Analysis Process?" o r "Should management r e q u i r e change
a n a l y s i s as p a r t of HAP?"
Further, t h e r e i s t h e a l t e r n a t i v e of having at l e a s t two i d e a l s :
1. t h e MORT i d e a l .
2. The i d e a l a r t i c u l a t e d by any s a f e t y professional i n s i m i l a r o u t l i n e
o r t r e e form. The l a t t e r may, of course, be t h e " p r a c t i c a l i d e a l "
f o r a given organization.
I n a sense it i s perhaps not so important which i d e a l be used a s t h a t t h e
a c t u a l and an i d e a l be a r t i c u l a t e d . If you d o n ' t agree with a MORT concept,
j u s t s e t down i n a c l e a r , a n a l y t i c format what you believe t o be t h e i d e a l s .
Any l o g i c t r e e becomes a method of s t r u c t u r i n g a problem. A s such it con-
t a i n s c e r t a i n " r u l e s of thumb:"or " h u e r i s t i c s " a s they a r e c a l l e d i n present-
day problem-solving techniques. An example would be a f a c t o r of s a f e t y
of seven i n a s t r u c t u r a l problem, o r a requirement f o r information search i n a
.- -
- -
hazard analysis process. These devices a r e necessary short-cuts t o a s a t i s -
factory solution, but not always the optimum solution. Thus, the t r e e anyone
may construct, using MORT a s a point of departure, i s an orderly way f o r
s t a t i n g the assumptions and devices which a given organization w i l l use t o
solve i t s s a f e t y problems.
The term " l e s s than adequate" could be varied i n several ways.
The term
derives from a finding by a management research organization -tihat people were
apparently more objective about scoring and accepting scoring i f a f i v e c l a s s
grouping was used:
1. Excellent
2. More than adequate
3. Adeqxate
4. Less than adequate
5. Poor.
The "poor" category i s often under-used. The " l e s s than adequate" term seemed
t o create fewer emotional problems.
Obviously we could score a l l the program features used i n MORT across
t h i s f i v e stage scoring system.
Another possible a l t e r n a t e form of MORT i s represented i n Figure 18-1.
The question i s : Should the analysis be presented as two p a r a l l e l , primary
t r e e s o r a s a s p e c i f i c t r e e stemming from an inverse management t r e e .
Figure 18-3. Some Alternative Forms of MORT

-
Usual Possible
Event This Event
A/aA A
X77
Systern
Top management Future
responsibility Events
I n many respects the portrayal on the r i g h t above seems the most accurate
and correct picture of the r o l e of the system i n a p a r t i c u l a r event.
Another question of format i s the choice of the f a u l t - t r e e type diagram
versus the outline format used i n Chapter 17 and i n Appendix A - 1 a s an a l t e r n a t e
format. The diagram has seemed t o be more provocative of thought and considera-
tion. On the other hand, the diagram i s more laborious, p a r t i c u l a r l y i f well
drawn artwork i s a requirement. The p r a c t i c a l s o l u t i o n s seem t o be (1) use t h e
diagram f o r a n a l y t i c work o r f i e l d sketches, and (2) use t h e o u t l i n e form f o r
formal reporting.
A l l of t h e s e a l t e r n a t e formats w i l l continue t o be examined, and deserve
t r i a l i n various organizations.
Obstacles.
Apparent c o s t and d i f f i c u l t y of MORT a n a l y s i s a r e s e r i o u s obstacles.
The c o s t i s , however, low compared with t h e o v e r a l l expenditure i n i n v e s t i -
gating s e r i o u s accidents. The c o s t i s low, f o r r e s u l t s obtained, compared with
t h e aggregate e f f o r t required f o r s u p e r f i c i a l i n v e s t i g a t i o n s of l a r g e r
numbers of events .
One o b s t a c l e i s t h e need f o r advance study of t h e method, w e l l before
t h e event t o be analyzed. However, one a n a l y s t used t h e method to good e f f e c t
without p r i o r study.
A s with any problem-solving technique, it i s d e s i r a b l e t h a t two o r more
persons be familiar with t h e method so t h a t dialogue i s possible. The
o b s t a c l e s a r e summarized i n - F i g u r e s 18-3 and 18-4, and o t h e r v i s u a l s used i n
presenting o r discussing MORT.
The g r e a t e s t o b s t a c l e i s seemingly an i n a b i l i t y t o g e t started--a
p a r a l y s i s of t h e w r i t i n g mechanism. For t h i s t h e cure seemed t o be i n t h e
r e c i p e f o r GETTING STARTED (page 23). This approach seems t o move an inexperi-
enced a n a l y s t t o a c t i o n . Thereafter, t h e process i s one of c o l l e c t i n g more
information and gradually f ormalieing and d i s c i p l i n i n g t h e analysis. me
f i n a l s t e p i s a meticulous a p p l i c a t i o n of t h e a n a l y t i c l o g i c t o t h e f i n a l
assembalage of f a c t s .
I n review of complex, highly t e c h n i c a l events, t h e a n a l y s i s commonly t a k e s
f o u r hours. For l e s s s e r i o u s and complex events, a s l i t t l e a s twenty minutes
has produced usef'ul r e s u l t s .
A s a p r a c t i c a l matter it i s w e l l t o keep i n mind t h a t t h e r e a r e simple
s o l u t i o n s t o many accident problems. On t h e " f a s t track" f o r known hazards
with known s o l u t i o n s , apply t h e s o l u t i o n . The problem i s a p p l i c a t i o n .
On t h e "slow track," t h a t i s f o r boundary problems o r known hazards with
-
imperfect s o l u t i o n s , t h e problem i s f i n d i n g b e t t e r s o l u t i o n s .
- 173 -
V. MANAGEMENT IMPLEMENTATION OF THE SAFETY SYSTEM
I n Chapter 11 a s a f e t y system congruous with management methods
and management f o r high performance was described. I n t h i s P a r t we
s h a l l examine some aspects of management implementation of such a
system--policies, c r i t e r i a and goals, budgets, delays, l i n e and staff
r e s p o n s i b i l i t y , d i r e c t i v e s and organization, t r a i n i n g and other assis-
tance, feedback, and t h e vigor and example of higher management.
We s h a l l begin t o examine management e r r o r s according t o t h e
methods and c r i t e r i a u s u a l l y applied only t o operator e r r o r s ,
Mainly, we s h a l l t r y t o make t h e point t h a t when an accident
occurs it is t h e system t h a t f a i l s , more than persons.
The r i s k assessment system i s discussed i n terms of methods and
goals. Some elements of t h e r i s k assessment system--the Hazard
Analysis Process, t h e information system, and s a f e t y prcrgcan review--
a r e obviously a p a r t of management implementation, but a r e discussed
i n subsequent sections as a matter of convenience i n breaking up a
l a r g e , complex subject.
The MORT a n a l y s i s has already served a u s e f u l purpose i n t h e
opinion of some Aerojet and other personnel by simply placing manwe-
ment implementation of s a f e t y out on t h e t a b l e as a proper t o p i c f o r
i n v e s t i g a t i o n , a n a l y s i s , and recommendation. Management i s wldely
recognized a s t h e most b a s i c and fundamental aspect of safety. It i s
a l s o t h e most d i f f i c u l t t o measure, A general s i l e n c e i n the s a f e t y
f i e l d on t h e s p e c i f i c c h a r a c t e r i s t i c s of e f f e c t i v e and i n e f f e c t i v e
management i s ending, and well it should.
To be unmistakably c l e a r and avoid s u r p r i s e s , i t must be empha-
sized t h a t when MORT i s operating properly, t h e r e s p o n s i b i l i t y f o r
accidents is traced t o top management f a i l u r e s and deficiences--
operating. technical, supervisory. and middle-management e r r o r s a r e

subsidiary t o t h e top management oversights and omissions which allowed
the f a i l u r e s t o occur.
The correction of an organizational weakness i s usually more
significant than the correction of a physical condition.
The Management System f a i l u r e s ( r i g h t hand of MORT diagram)
w i l l be discussed f i r s t , because such material gives broader, more
comprehensive guidance t o investigative questions than the specific
f a i l u r e s i n the accidents thus f a r analyzed. The systemic f a i l u r e s
suggest the kinds of specific data which should be sought f o r
individual accidents, or groups of accidents.
The revised MORT c r i t e r i a follow:
MANAGEMENT IMPLEMENTATION
1. Methods, c r i t e r i a and analysis
2. Line responsibility
3. Staff responsibility
4. Organization
5. Directives
6. Management training and assistance
7. Budgets
8. Delays (= Assumed Risks)
9. Accountability
10. Vigor and example
1 9 MANAGEMENT POLICY AM) DIXECTION
There i s broad agreement t h a t vigorous top management leadership i s an

e s s e n t i a l and conspicuous feature of the best corporate and government employee
s a f e t y programs.
Recent National Safety Congresses have featured presentations of just
such corporate programs, and it has been common f o r the president o r executive
vice-president t o lead off the presentation. Both words and a t t i t u d e displayed
leadership, and the management position was almost invariably crystallized i n
a policy statement or statement of corporate objectives which ranked safety
side-by-side with the other principal corporate objectives.
The report of a B r i t i s h chemical industry working party (1969) on U. S.
safety practices (an excellent and concise reference) provides an objective ,
independent appraisal:
"Safety policy i s based on the absolute conviction t h a t f o r maximum
p r o f i t a b i l i t y and e f f i c i e n t operation it i s necessary t o reduce damage
t o people and property, whether through accident o r f i r e , t o the
minimum. Supporting t h i s view i s the belief t h a t management has a
responsibility t o i t s employees t o provide a safe place t o work."
This summary statement touches on three motivations o r values of top
management, and review of policy statements and actions of corporations adds
others :
1. Welfare of the employee.
2. Cost of accidents and i n j u r i e s .
3 . Efficiency and effectiveness of the organization as a system.
4. Legal requirements.
5. Be a "good citizen" i n the c o m i t y .
Although a l l of these motivational forces are commonly found, the policy
statement of a p a r t i c u l a r organization i s not l i k e l y t o contain all, but i s
more l i k e l y t o emphasize one or the other. The NSC's I n d u s t r i a l Conference
collected a substantial group of such policy statements some years ago t o
attempt t o derive a general consensus. However, a consensus was not then
apparent and the out come was publication of many examples. (NSC , 1966).
If any given combination of the motivational forces has i n f a c t i n a par-
t i c u l a r organization produced the r e q u i s i t e top leadership, a l l well and good.
However, i f we a r e concerned with developing and building even greater leader-
ship, or creating such top leadership i n other organizations, we mst examine
the nature and force of the motivations.
The a t t i t u d e of concern f o r the welfare of the employee i s a f i n e and
wonderful thing. I t s history began i n 1906 when Judge Elbert Gary, president
of the United States S t e e l Corporation wrote:
"The United S t a t e s S t e e l Corporation expects i t s subsidiary companies t o
make every e f f o r t practicable t o prevent injury t o i t s employees. Expen-
d i t u r e s necessary f o r such purposes w i l l be authorized. Nothing which
will add t o the protection of the workmen should be neglected."
And a strong t r a d i t i o n has been b u i l t up i n U. S. S t e e l which has one of our
country's best programs. Certainly duPont, AT&T, Kodak, and General Motors,
j u s t t o c i t e a few other prominent examples, have powerful concern f o r employee
welfare .
The welfare motivation cannot be disparaged where it i s strong, but what
i f it i s weak? W i l l it be easy t o change such an a t t i t u d e ? It seems more d i f -
f i c u l t t o change than a l e s s emotional, more r a t i o n a l motivational basis.
An i n t e r e s t i n g insight i n t o motivation was given by Crawford Greenewalt,
while president of duPont. He said t h a t h i s company had had a safety program
f o r 150 years. The program was i n s t i t u t e d as the r e s u l t of a French law requir-
ing an explosives manufacturer t o l i v e on the premises with h i s family!
Some change i n management a t t i t u d e might be brought about by peers i n
other companies, a s f o r example i n safety a c t i v i t i e s of a trade association.
But i s the safety professional i n a favorable position t o change a welfare-
based a t t i t u d e ? Probably not.
***
The costs of accidents and i n j u r i e s and the motivation t o reduce them are
powerful, as f a r as they go. But there a r e problems i n getting complete data
on a l l d i r e c t costs, including damage, and even greater problems i n measuring
i n d i r e c t costs.
Costs are highly variable by industry (e .g., high i n lumbering, mining and
construction) .
Costs uiay be overwheldng i f catastrophic (e .g , a chemical .
plant o r refinery explosion, or major f i r e s i n general) .
Costs may be high i f
public or product l i a b i l i t y i s involved. I n a l l such organizations, cost
reduction: motivation may be useful.
The cost reduction motivation may not be strong enough t o do more than
g e t a program,started. Consequently, cost data and even insurance savings must
be used cautiously, t h a t is, they may boomerang t o place safety well down on
management's l i s t of concerns.
I f a safety program has reduced the cost of a compensation-medical insur-
ance program from $100,000 t o $60,000, the reported r e s u l t s w i l l never be
greeted with other than acclaim by a top manager. However, i f just before
and just a f t e r the acclamation, the top manager i s concerned about such
problems a s a multi-million d o l l a r plant expansion, q u a l i t y programs on a
million d o l l a r product l i n e , o r resignation of a s a l e s executive who pro-
duced a doubling of s a l e s i n f o u r years, you can guess where safety w i l l
wind up i n h i s prigrities--well down the l i s t !
Projection of worst p o t e n t i a l losses may be powerful.
One seemingly e f f e c t i v e technique has been t o equate accident losses t o
the amount of s a l e s needed t o recoup the losses.
A v a r i e t y of methods of cost calculation and cost motivation have been
urged. Heinrich found a four t o one r a t i o f o r i n d i r e c t and d i r e c t costs, a
useful number, but neither precise nor very persuasive. More recently Tuz and
DeGracia (1967) found a r a t i o of 7.2 t o 1. (Also see Brenner and Mathewson,
1969, and Simonds and G r i m a l d i , a l s o 1969.) Bird (1966) has given great v i s i -
b i l i t y t o the values i n property damage reporting and analysis, which i s a
valuable prevention tool, but i s not the same as relying on cost motivation of
management f o r the f'undamental t h r u s t supporting the safety program.
A primary t e n e t of t h i s t e x t i s t h a t a wide v a r i e t y of apparently non-
accident events a r e i n f a c t a l s o associated with safety v i a common cause. From
t h i s it must follow t h a t tabulatable costs of accidents, even i f i n d i r e c t
costs a r e put i n by a r a t i o or other method, w i l l inevitably understate the
t r u e value of eliminating accident factors.
The eff-iciency motivation, which seems t o be the primary and most f o r c e f u l

motivation, i s more d i f f i c u l t t o define and describe, even though studies as
-
e a r l y a s 1922 showed productivity and safety j o i n t l y varying: accidents down
- .
-and productivity up, and vice versa. Certainly what i s meant here i s something
more than just cost reduction. Perhaps it i s b e t t e r stated as the correct,
e f f i c i e n t , and error-free way t o operate and control. Hopefully, the safety
system schematics (chapter 11) w i l l advance t h i s e f f o r t .
A Canadian wood products company says, "Safety and e f f i c i e n t operation are
one and the same thing. They cannot be separated." Other significant quota-
t i o n s from management policy statements a r e available i n NSCts Data Sheet 585.
Certainly the companies c i t e d a s examples of strong welfare motivations
also recognize t h i s aspect. For example, the General Motors policy a l s o empha-
s i z e s t h a t a good safety record i s c l e a r evidence of good management. And the
duPont philosophy c l e a r l y r e f l e c t s a belief t h a t the safe way i s the only
proper way t o manage.
A duPont manager spoke of safety as h i s "sharpest t o o l t o measure super-
visory performance." The objective of s a f e t y was "essentially unquali-
f i e d i n h i s company. (cost and quality objectives are mutually qualify-
ing .) Therefore, i f a supervisor couldnt t manage t o get safety, he
probably couldnt t manage anything e l s e . Moser (1964) gives persuasive
arguments f o r "safety first." H i s own performance record, and t h a t of h i s
company i n the stock market, a t t e s t t o t h e i r credentials.
And i n another large company:
A highly illuminating story was t o l d by a Shreveport, Louisiana, plant
manager a t the time he was receiving a safety award. Some f i v e years
previous t h e p l a n t had been a t t h e poor end of the corporation's r a t i n g s
of a l l of i t s p l a n t s i n p r o f i t a b i l i t y , quality, waste control, employee
turnover - and safety. The plant had a f a t a l accident. The manager
received a wire from t h e president which asked, "Cantt Shreveport do any-
thing right?" The manager decided t o have the best s a f e t y program he could
mount. By t h e time Shreveport got t h e s a f e t y award, the plant had moved
near the t o p i n the r a t i n g s on p r o f i t a b i l i t y and efficiency. It could do
things the r i g h t way.
Among the production hindrances reported t o have the same causes a s acci-
dents are: reduced output, scrap and re-work, materials handling, man-hours
per u n i t , manchine-hours per u n i t , morale and turnover.
Somehow s a f e t y professionals a r e s t i l l weak i n the language and conceptual
development t o s t a t e the t r u e significance of accidents i n the o v e r a l l perfor-
mance of a company. The f a c t t h a t accidents i n t e r r u p t work, o r have human and
economic costs, i s not the f u l l measure of t h e i r r e l a t i o n t o efficiency. If
the accident i s seen a s a symptom of managerial f a i l u r e t o e s t a b l i s h r e l i a b l e
control of work, a s an e r r o r r e s u l t i n g from poor management or managerial omis-
sion, which a l s o produced i n e f f i c i e n c i e s , we s h a l l be c l o s e r t o the mark.
The principle t h a t "The Safe Way i s the Right Way" i s n o t based i n morality,
e t h i c s o r a welfare a t t i t u d e . It i s a principle of good management.
Pope and Nicolai (1968) had t h i s t o say:
"Management must be educated t o t h e f a c t t h a t the function of safety i s
t o l o c a t e and define operational e r r o r s involving incomplete decision-
making, f a u l t y judgments, administrative miscalculations, and j u s t plain
stupidity. These expressions a r e well understood up and down the ranks.
Success with t h i s approach i s possible, but it w i l l require considerable
study, discussion, and change of viewpoint before being accepted.''
General Motors has described safety a s "planned order," which i s r e a m
a system approach. When examining the r o l e of change i n accidents, we a l s o
saw i n change phenomena some i n t e r e s t i n g r e l a t i o n s t o e f f i c i e n t production
(e .g., the c a r assembly case) .
It would seem t h a t t h e efficiency-safety r e l a t i o n s h i p i s even more d i f f i -
c u l t t o measure i n government o r non-profit agencies which cannot use a s back-
ground, the r e l a t i v e l y simple p r o f i t yardstick.
***
The l e g i s l a t e d motivation f o r increased s a f e t y i s , of course, a primary
force i n t h e U. S. today due t o the passage of the Occupational Health and
Safety Act (OSHA). Considering t h a t OSHA standards represent a consensus of
past wisdom and recommendations, but hearing the screams about OSHA, one can
only conclude t h a t there were a l o t of hazards t o be corrected and t h a t many
are being corrected.
I n a t e x t f o r a B r i t i s h seminar prepared i n mid-1969 the author said:
Governmental regulation and inspection of working conditions i s primarily
a s t a t e responsibility i n the U. S., and a l l too many of our s t a t e s have
weak laws and regulations and inadequate inspection forces. The Federal
government i s rapidly moving i n t o t h i s area. Certainly adequate govern-
mental controls over minimal conditions a r e a must. But, the higher goals
of safety a r e not attainable by regulations, a t l e a s t not by the conven-
t i o n a l regulatory methods. Some new and potentially b e t t e r regulatory
methods have been proposed, but have hardly had serious thought i n most
circles.
It has frequently been said t h a t guarding i s superior i n England and
several European countries. For example, the chemical industry working
party said:
"Finally, the lack of guarding on machines i s p a r t i c u l a r l y noticeable,
and i s almost certainly due t o lack of l e g i s l a t i v e requirements.
Although the U. S. worker i s indoctrinated i n the need t o avoid con-
t a c t with machines, we believe t h a t the U. K. system of physical
protection i s better."
It i s d i f f i c u l t t o reconcile t h i s comparative condition with the generally
lower U. S. r a t e s . It i s said i n the U. S. t h a t European managements tend
t o comply with physical standards supplied by government inspectors, but
stop with t h a t action. Whereas U. S. companies have stronger management
-
and supervisory programs. Obviously our goal should be both, but it may
be t h a t the compensating e f f e c t s between government and private i n i t i a t i v e
prevent both being maximized.
It i s unfortunate t h a t a t precisely the time t h a t we should be aggressively
seeking improved methods, the U. S. i s primarily concerned with meeting minimal
conditions l a r g e l y attained i n Europe a decade o r more past.
***
It seems correct t o suggest that simple compliance with such regulations
a s OSHA w i l l e n t a i l a good past of the costs of a higher grade, performance-
oriented, hazard analysis process, but w i l l produce fewer benefits. Compliance
with regulations may become a c e i l i n g r a t h e r than a floor.
Optimum long-term relationships between OSHA and voluntary approaches a r e
extraordinarily d i f f i c u l t t o perceive a t t h i s time. However, B r i t i s h experi-
ence with national regulations may provide insight. Some British views of
U, S. management leadership a r e cited (page l 7 j ) , and the superiority of
B r i t i s h physical protection is cited above.
Some possible insight i n t o our U. S. s i t u a t i o n may be provided by Lord
Robens ' Committee Report t o Parliament ( ~ u l 1972) ~ , :
"We need a more s e l f -regulating system of provision f o r safety and
health a t work. The t r a d i t i o n a l approach based on ever-increasing,
detailed s t a t u t o r y regulation i s outdated, overcomplex and inadequate.
Reform should be aimed a t creating conditions f o r more effective s e l f -
regulation by employers and workpeople jointly.
"The e f f o r t s of industry and commerce t o tackle t h e i r own s a f e t y and
health problems should be encouraged, supported and supplemented by
up-to-date provisions unified within a s i n g l e , comprehensive framework
of l e g i s l a t i o n . Much g r e a t e r use should be made of agreed voluntary
standards and codes of p r a c t i c e t o promote progressively b e t t e r conditions.
"This broader and more f l e x i b l e framework would enable t h e s t a t u t o r y
inspection s e r v i c e s t o be used more c o n s t r u c t i v e l y i n a d v i s i n g and
a s s i s t i n g employers and workpeople. A t t h e same time i t would enable
them t o be concentrated more e f f e c t i v e l y on s e r i o u s problems where
t i g h t e r monitoring and c o n t r o l might be needed.
"There i s a l a c k of balance between t h e r e g u l a t o r y and voluntary elements
of t h e o v e r a l l 'system' of provision f o r s a f e t y and h e a l t h a t work. The
primary r e s p o n s i b i l i t y f o r doing something about present l e v e l s of occu-
p a t i o n a l a c c i d e n t s and d i s e a s e s l i e s with those who c r e a t e t h e r i s k s and
those who work with them. The s t a t u t o r y arrangements should be reformed
with t h i s i n mind. The present approach tends t o encourage people t o
t h i n k and behave as i f s a f e t y and h e a l t h at work were p r i m a r i l y a matter
of d e t a i l e d r e g u l a t i o n by e x t e r n a l agencies."
These B r i t i s h views suggest t h a t management, while d e a l i n g with t h e
requirements of OSHA, not f a i l t o work toward higher g o a l s , i n t h e i n t e r e s t s
of t o t a l performance a s well as safety.
It i s of f u r t h e r i n t e r e s t t h a t some of t h e b e s t current r e p o r t s of sys-
tem approaches t o occupat;onal s a f e t y a r e coming from European companies.
For example, a s e n i o r executive i n England ( ~ e p o l d s ,1970) o&lines a
s u c c e s s f u l program l a r g e l y consistent with t h i s t e x t .
The i n t e r r e l a t i o n s of public and employee p r o t e c t i o n p o l i c i e s i s highly

v a r i a b l e , depending on t h e nature of t h e industry. I n nuclear i n d u s t r i e s
p u b l i c p r o t e c t i o n i s t h e f i r s t consideration, and occupational s a f e t y program
has t h e c o l l a t e r a l value of helping t o ensure public p r o t e c t i o n by r e l i a b l e
c o n t r o l of work. But i n i n d u s t r y generally t h e occupational program, f r e c sntly
placed i n a personnel fuhction, has not commonly been r e l a t e d t o product sc.Pety
problems, nor always t o environmental problems. However, management concern
i n these a r e a s i s growing. Some product and waste management problems stem
from t h e same r o o t causes as occupational accidents, and a r e amenable t o simi-
l a r controls. Consequently, i t i s appropriate t o i n q u i r e whether and how
public p r o t e c t i o n p o l i c i e s a r e a r t i c u l a t e d and implemnted.
Public and environmental concerns w i l l undoubtedly have increasing i n f l u -
ence on a l l s a f e t y policy, including occupational safety.* It i s d i f f i c u l t t o
perceive t h e u l t i m a t e e f f e c t s on occupational s a f e t y of these broader concerns,
because they range f a r beyond t h e domain of employee s a f e t y . The increasing
concern f o r public s a f e t y may have a t l e a s t t h e following f o u r implications f o r
* "Public Safety: A Growing Factor i n Modern Design" ( ~ a t i o n a lAcademy of

~ n ~ i n e e r i ins~ an
) example.
employee safety:
1. Occupational safety i s increasingly a public concern, as i n OSHA, o r
a specific hazard such as "black lung" disease i n miners.
2. Occupational safety i s an aspect of r e l i a b l e control of work, thus
affecting a broad category of accidents i n waste management.
3 . Occupational safety i s a f a c t o r i n product safety, not only i n control
of work and workmanship, but a l s o i n prcduct design. The higher the
employee safety standards, the more d i f f i c u l t i s non-regard f o r protec-
t i v e principles i n products.
4. Occupational s a f e t y analysis, where well done, may provide analytic
techniques helpful i n the more d i f f i c u l t areas of environmental
impact.
Without knowing t h e r e l a t i v e force of these policy concerns, nor what
government-private methods may eventuate, it seems impossible t o predict the
ultimate impact of e s s e n t i a l l y public concerns, except t o say t h a t t h e i r force
w i l l ultimately increase i n policy areas normally considered the largely i n t e r -
nal organizational problem of employee safety.
Other motivational forces which appear t o hme been potent with top manage-
ment a r e personal pride i n safety accomplishments and pride i n a corporate image
of safety. It follows from t h i s t h a t opportunities should be sought f o r manage-
ment t o speak of i t s successes a t trade group meetings and i n the business
press. Trade association programs have been seen primarily f o r t h e i r values
i n reaching smaller employers, but t h e i r e f f e c t on leaders from l a r g e r organi-
zations has probably a l s o been great.
It has been said t h a t no aspect of management projects a b e t t e r image of
an organization than a sincere concern f o r safety.
Further, it i s common f o r management t o take an active part i n community
safety a f f a i r s as c i v i c leaders. And it appears t h a t such participation has
reinforced in-plant safety by supplying a strong, comprehensive philosophy.
A f a c t o r not widely discussed i s management's concern f o r employee r e l a -
-
t i o n s i n a time when so many aspects a r e union dominated and when such d e l i c a t e
matters a s productivity a r e involved. Safety i s an area of c l e a r mutual concern
and has been said t o be the topic on which i t i s e a s i e s t t o "get along," not t h a t
safety grievances and issues may not a t times a l s o be sore points. Strong
employee participation i n safety programs, a s f o r example i n Job Safety Analysis,
are required f o r effectiveness and acceptance of the safety program, and can
certainly make an important contribution t o i'mproved employee relations. A s
on-the-job programs have been extended t o off-the-job concerns, safety has been
the basis f o r a bond of mutual concern of manager and employee (provided the
work place has been made s a f e ) .
We commonly say t h a t s a f e t y begins with t o p management. But it may w e l l
be t h a t t h e concepts and p r a c t i c e s of leading U. S. managers a r e t h e end of -
s e v e r a l decades of evolvement and mutual influence, r a t h e r than t h e beginning.
And i f we wish t o take another management group from a more p r i m i t i v e t o a
more enlightened s t a t e , we may need a most c a r e f u l l y drawn, long-term plan f o r
b u i l d i n g understanding and acceptance.
* ++ *
The foregoing discussion suggests t h a t management b e l i e f s about
s a f e t y be concisely and f o r c e f u l l y a r t i c u l a t e d i n t h e a r e a s of employee
welfare, c o s t reduction, e f f i c i e n c y and performance, s o c i a l concern (laws,
environmental impact, product, and community), employee r e l a t i o n s , and
pride o r image. Each top management group must do t h i s f o r i t s e l f .
One p o l i c y aspect--practicality--remains t o be considered. There is
nothing wrong with a r t i c u l a t i n g p r a c t i c a l i t y . It has been w r i t t e n i n t o
many f e d e r a l laws as a proper c r i t e r i o n . (compliance with consensus
standards is, however, always p r a c t i c a b l e by d e f i n i t i o n ! )
To e s t a b l i s h a platform, Currie (1968) examined a wide v a r i e t y of
d e f i n i t i o n s and concluded t h a t t h e e s s e n t i a l s were b e s t captured i n t h i s
wording :
"Safety i s t h e objective conservation of men and equipment i n a timely
manner, and within t h e operational and economic requirements necessary
i n a progressive i n d u s t r i a l community."
A sampling of management p o l i c y statements (NSC, 1966) r e f l e c t s t h e
d i f f i c u l t i e s and range of i d e a s i n d e f i n i n g degrees of safety. Arranged i n
roughly descending order, they a r e :
"...operate our p l a n t s and o f f i c e s without accidents"

" ..
.work without danger" These a r e f i n e ,
" ...first importance" but probably
impractical
'I...maximum safety"
"...providing t h e s a f e s t conditions f o r our employees."
"Accident c o n t r o l i s thus e s s e n t i a l "
"Taking any a c t i o n necessary t o improve s a f e t y conditions."
" . . . c o n t r o l unnecessary l o s s . "
" ...everything within reason"
" ...every reasonable precautionr1
" ..
.every reasonable e f f o r t "
"...all p r a c t i c a l steps"
"...take time t o perform our work safely"
" ...an e f f e c t i v e s a f e t y program"
"...discharge our moral and l e g a l responsibility f o r safety" ! These may
.
'I. .meet accepted standards"
"...conform t o basic s a f e t y principles and sound management
practices. "
"Adequate :
not be
good
enough. I
"Production with safety" represents a somewhat d i f f e r e n t approach.
Moser (1964) gave sound reasons, subtly involved i n t h e organization ' s
and individual's performance goals, f o r putting safety first. Further, he
would appear t o discount the relevance of cost/effectiveness measures a s
applied d i r e c t l y t o safety program.
In MORT analysis:
GA1 Policy. Gharacteristics t o be examined include: Written? When updated?
Comprehensive f o r a l l major problems (e g . ., employee, transportation, public) ?
Comprehensive f o r a l l . major motivations (e .g., humane, cost, efficiency,
l e g a l compliance, work near boundary conditions)?
During the t r i a l s a t Aerojet, the corporate policy was revised. Excerpts
are : "It i s the policy of the Aerojet Nuclear Company:
a. To provide f o r employee safety, t o assure safe operation of govern-
ment f a c i l i t i e s , and t o comply with applicable government and
industry health and safety regulations.
b. To provide f o r a l l employees a safe place t o work, f r e e from recog-
nized hazards t h a t are l i k e l y t o cause death, serious injury, o r
illness.
c. To develop, operate and maintain the Atomic Energy Commissionfs
f a c i l i t i e s and i n s t a l l a t i o n s , f o r which it i s contractually respon-
sible, i n a manner calculated t o protect the health and safety of
the public, prevent damage t o govemunent o r private property,
minimize adverse e f f e c t s upon the environment, and preserve effec-
t i v e community relations, regarding health and safety matters.
d. To comply with a l l applicable health and safety rules and regula-
t i o n s of the Atomic Energy Connnission, including any special require-
ments formally imposed by the AEC Contracting Officer, t o comply with
the safety and health standards promulgated under the Occupational
Safety and Health Act (OSHA) of 1970, and t o adhere t o generally
recognized and accepted high standards of performance i n the areas of
occupational health, and nuclear, radiological, industrial. and f i r e
safety ."
"The goals of health and safety a r e congruous with, and inseperable from,
the goals of e f f i c i e n t and effective operation; i.e., t o achieve high
q u a l i t y performance without interruption due t o mishap, f a i l u r e or acci-
dent. Therefore, nuclear and operational safety i s primarily a l i n e
management responsibility."
I n an interim report, the author suggested the following format t o prop-
e r l y express what i s , . i n r e a l i t y , already AEC1s policy:
"Protection of the health and safety of employees and the public i s the
f i r s t consideration
. .
i n AEC programs. Associated e f f o r t s w i l l be directed
a t t h e prudent conservation and protection of government and private
property and the environment.
Safety i s congruous with, and inseparable from, management f o r e f f i c i e n t
attainment of goals, and i s supported by the r e l i a b i l i t y and quality
assurance programs which are a l s o required t o assure performance without
mishap, f a i l u r e , o r accident.
AEC pioneered the concept t h a t advanced technological development and
research near boundary conditions require prior analysis and planning t o
assure t h a t a c t i v i t i e s a t t a i n t h e goal, ' F i r s t Time Safe,' r a t h e r than
relying on t h e t r a d i t i o n a l sequences of t r i a l , accident, and correction.
Thus AEC expects t h a t adequate analysis and protective measures w i l l be
pruvided f o r a l l a c t i v i t i e s . Naturally the best u t i l i z a t i o n of resources
d i c t a t e s t h a t major hazards receive major attention and a proportionate
depth of preplanning, proceduralization, independent review, supervision,
and monitoring t o detect deviation from plans, prompt corrective measures
and appraisal of r e s u l t s .
AEC holds top management of every AEC contractor responsible f o r adequate
managerial systems t o f ' u l f i l l policy requirements and a t t a i n progres-
sively higher goals i n health and.safety."
20. MANAGEMENT IMPLEMENTATION
I n t h i s chapter we use the MORT diagrams, and code numbers therein.
GA2 Implementation,
a 1 C r i t e r i a and Analysis. Concept of r e l a t i n g overall methods t o the
s a f e t y program has been discussed i n Chapter 11. Any lack of use of an
adequate repertory of management methods suggests an organization may have
d i f f i c u l t y a t t a i n i n g high performance goals, as well a s high safety goals.
Sound p r a c t i c e s f o r acceptance of procedurhlized systems and improving
human performance begin here. A small beginning i n use of rewards i n a manner
suggested by the s c i e n t i f i c l i t e r a t u r e has been i n i t i a t e d a t Aerojet, by
attaching a routine commendation cycle t o one surveillance schematic. Also,
i n i t i a l Job Safety Analysis and " c r i t i c a l incident" studies seemed t o have
favorable e f f e c t s on morale and performance, as well as on safety. However,
a major policy study of methods of improving human performance and,subse-
quent implementation s t i l l seensto be i n order, l i k e l y i n most organizations.
It i s common t o assume t h a t safety i s compromised by value c o n f l i c t s i n
which safety motivations a r e of insufficient strength. However, we lack case
h i s t o r i e s which would pinpoint managerial factors i n terms of values. It
-
appears a t l e a s t as Likely, i n t h e best companies, that weaknesses i n safety
analysis, f a i l u r e s t o p r w i d e successive and a l t e r n a t i v e countermeasures, a r e
major factors.
A concept of a t t i t u d e s a s information processing structures has p o t e n t i a l
value i n designing programs t o change management b e l i e f s a s w e l l a s attempting
t o create some masuremnt of values and a t t i t u d e s . Schroeder (1970)has said:
"It i s not simply a question of the value of safety
question of the nature of t h i s belief ...
...
It i s rather a
'Immaturityf... i s the l e v e l
o r complexity of conceptual structure f o r processing information. The
i n i t i a l question i s t o determine the number of independent classes (or
...
scales) of information the person s e l e c t s as being relevant
weighting should a l s o be assessed ." , ...
If then we can define the c r i t e r i a of system safety which management ought
t o use i n assessing safety, we may a l s o have c r i t e r i a f o r measuring the strength
and nature of b e l i e f s i n p r a c t i c a l and useful ways. Such a method would a l s o
t e s t the limits of values by examining a larger l i s t of alternatives t o see
whether they might have changed a t t i t u d e s and decisions.
Examine the number and compexity of c r i t e r i a and constraints used i n
safety decisions i n order t o evaluate maturity of judgment. Faulty c r i t e r i a
o r analysis may l i e behind program imbalance. O r , conflicting c r i t e r i a (e . g . ,
hazard control versus freedom of researchers) may be unresolved. Is adequate
analysis demanded by management? Are alternative countermeasures examined?
What questions are used t o t e s t proposals?
A l l too often weak c r i t e r i a and analysis are reflected i n management
safety action ( a t whatever l e v e l ) , which i s frequently:
Re-Action rather than Pre-Action
1. Proportionate t o recency of 11
" 1. Proportionate t o catastrophe
l a t e s t catastrophes. potentials i n the future.
11
2. Topical i n terms of most " 2. Designed t o correct systemic
recent catastrophes failures .
3. I s perceived by some a s 11 " 3 . Balanced action proportionate
" over-reaction." t o t r u e potentials.
4. Sporadic. 1t " 4. Continuous
When safety clashes with budget and schedule constraints, the tr&e off
c r i t e r i a and mechanisms are weak ( t h i s may be a f a i l i n g of the safety profession,
r a t h e r than management). Wilmotte (NASA, 1971) has argued t h a t benefit compari-
sons tend t o the short run - costs, schedules, etc., - and suggests t h a t the
longer term uncertainties, even though d i f f i c u l t t o quantify, must be somehow
made known t o management. This seems a very useful point. For example, a
f a i l u r e t o require Information Search i n a Hazard Analysis Process creates great
uncertainty as t o performance - almost creat,es certainty t h a t previous e r r o r s
w i l l be repeated and performance degraded.
Wilmotte further suggests t h a t management require more confrontation
between alternative solutions i n i t s bases f o r choices and decisions.
Decision makers receive from proponents proposals which tend t o s t a t e a
strong, positive case f o r a project. The negative aspects are not emphasized
or w e l l presented. Consequently the requirement f o r alternatives and/or stan-
dard analytic requirements which will expose problems and obstacles are necessary.
Safety (or accidents) seem t o be a harsher, long term measure of performance
than any other yardstick except the long range p r o f i t a b i l i t y yardstick i n a
business. The d i f f i c u l t y with the budget-schedule-performance goals represented
i n a development or construction project i s t h a t short term accomplishment may
be a t expense of operational accidents, and ultimate performance degradation.
An example of inadequate c r i t e r i a could seemingly be seen i n a recent

accident which implied t h a t the project was expected to turn out well even
though :
1. Difficult research near technologic boundaries experienced repeated
failures ,
- 187 -
Budgets were cut,
Changes and delays occurred,
Work was transferred from a well-organized engineering group t o an
ad hoc group without off-setting counterchange,
Surveillance and review plans were inoperative,
Stated objectives omitted a major program,
Reorganization plans were held i n abeyance.
Thus, functions of management (above the f i r s t l e v e l of supervision) pro-
vide the following kinds of c r i t e r i a :
1. Planning and control adequacy
2. Trouble-shooting
-
3 . P r i o r i t y problem solving depth analysis, research and study, e t c .
4. Adequate work s i t e observation, inspection, review and analysis.
An example of simplistic, inadequate c r i t e r i a would be an assumption t h a t
safety i s attained by compliance with codes, standards, and regulations.
Legal inhibitions and ill-founded cost criticisms a r e two common obstacles
t o safety program improvement. The management handling of these obstacles
w i l l t e s t the adequacy and maturity of management's c r i t e r i a and analysis.
Frequently the lawyers who protect organizations a r e quick t o r a i s e poten-
t i a l L i a b i l i t y f e a r s a r i s i n g fmm information o r analysis intended t o improve
safety. The objections of lawyers, i f n o t circumvented i n ways which protect
both individuals and organizations, can s e t the stage f o r longer-range serious
accident and l i a b i l i t y problems. Any inhibition on program improvement i s , of
course, contrary t o wise public policy; i f not corrected voluntarily, the heavy
and often awkward hand of regulation w i l l be used by government.
Standards of judgment as t o what constitutes "reasonable care" by an
organization are r i s i n g rapidly. I n the near future MORT and/or other forms
of systems safety analysis w i l l almost certainly constitute yardsticks a s t o
the adequacy of safety programs a ayes i n NASA, 1971). Therefore, some lawyers
a r e saying t h a t the most careful search-out and analytic techniques are a
best answer t o "reasonable care .'I
A specific example of non-use of one MORT requirement i s i l l u s t r a t i v e .
MORT postulates use of the " C r i t i c a l Incident Technique" t o obtain otherwise
unavailable but valuable data on near-misses and similar incidents. Use of the
technique i n aviation safety has an i l l u s t r i o u s history. Nevertheless, an
e f f o r t t o systematically c o l l e c t such reports from scheduled a i r l i n e p i l o t s
foundered on l e g a l objections. Yet techniques f o r protecting individual p i l o t s
and organizations are available. Thus long-range safety i s sacrificed f o r
short-range protection. Management's f a i l u r e t o circumvent the bbstacles
suggests inadequate c r i t e r i a and immaturity. (A current inquiry i n t o an
English crash has identified t h i s same deficiency. )
Systems safety techniques i n general, and MORT during i t s short l i f e , have
often prompted quick, unstudied criticisms, such as, "too expensive," These
may be convenient l a b e l s f o r those who find it i n t e l l e c t u a l l y o r administra-
t i v e l y inconvenient t o change past methods.
Cost criticisms can be dealt. with i n four ways:
1. Many costs, as f o r example, f o r C r i t i c a l Incident studies, are marginal
and negligible - the people involved continue t o f u l f i l l t h e i r regular
task assignments.
2. Some improved methods are cheaper than old, sloppy methods, without even
considering the injury and damage which s l i p s through old loopholes.
3. Many systems methods are being developed i n low-cost forms. (see, f o r
example, Veselyrs i l l u s t r a t i o n s below, o r see the Section, "Accident
Investigation" which reports costs of MORT analyses.
4. Many MORT processes provide f o r scaling e f f o r t s t o size of problem, and
have low thresholds f o r minimum examination of any accident problem.
Again we see c r i t e r i a by which management can analyze i t s safety program
development.
The Fault Tree has been the most rigorous analytic method, but has been
vulnerable t o cost criticisms. Recht has provided simple i l l u s t r a t i o n s which
suggest t h a t the f i r s t requirement i s i n t e l l e c t u a l , namely, the willingness
t o develop improved s k i l l s . Further, an Aerojet s c i e n t i s t , Veseley (NASA,1971)
has cited uses of Fault Trees t o examine a l t e r n a t i v e approaches t o reactor
safety, which typically involved two man-weeks of engineering time and a few
minutes on a large computer. More or l e s s simultaneously, representatives
of the regulatory function of AEC a r e s t i l l saying, i n e f f e c t , "We've found
the Fault Tree too expensive." Hardly a tolerable position i n reactor safety.
Analysis. Recent events i n NASA, as well a s AFC-Aerojet, suggest need

f o r specific analytic devices t o discover where or how management implemen-
t a t i o n processes may f a i l .
The Life Cycle concept i s required i n the Hazard Analysis Process
( ~ i g u r e20-1) . I n addition, events suggest i t s continuing use as a manage-
ment device (a long wall chart, i f you please) i n the hope t h a t problems,
especially those with long leadtime f o r solution, be b e t t e r anticipated.
- 189 -
Figure 20-1.
Accidents
a2 Budgets. I n general, the budgets f o r v i s i b l e safety functions have not

been amenable t o simple yardstick measurements of any great value. Too much
depends on what specific functions a r e c l a s s i f i e d as "safety" i n a p a r t i c u l a r
accounting system. So, without most caref'ul definition of function, i n t e r -
organization comparisons should be treated with great caution. O f even greater
significance would be the very substantial budgets f o r design and construction
of safety features throughout the organization.
The l e v e l of budget support might be tested by l i s t i n g recent major
authorizations f o r substantial safety improvements, and l i s t i n g additional
protective measures not authorized. Budget records f o r the study or allevia-
t i o n of the worst problems can be reviewed. Particularly where high-level
peers constitute a safety committee, the quality and quantity of management
support could be assessed by examining decisions i n issues presented by such
a committee.
As with other aspects of management actions shown i n the MORT diagram,
the measurements are i n p a r t anecdotes o r case h i s t o r i e s .
a3 Delays. These 'become Assumed Risks. Frequently these are routine,

normal and acceptable management decisions. However, i n recent months, a
"Problem Postpaement Syndrome" has emerged as a concept.
The organizational syndrome whereby solutions t o safety problems are
postponed o r avoided i n e a r l y l i f e cycle phases of a project has been a recur-
r e n t concern within AEC and NASA, and the l a t t e r i s studying possible controls.
I n Figure 20-2, the f i r s t four phases of the l i f e cycle of a project are
shown. Needed steps i n the f i r s t two phases are l i s t e d i n the Hazard Analysis
Process.
Under constraints of budget, schedule and intermediate mission f u l f i l l -
ment (e.g., construction), steps tend t o be omitted o r s t i n t e d , and trade o f f
decisions tend t o avoid o r compromise safety. For example, f i r e protection
of instrumentation and computers may be minimal, r a t h e r than "improved r i s k "
which AEC requires.
I n l a t e r phases, some of these may be remedied by retro-fixes, but typi-
c a l l y with higher c o s t s and fewer safety benefits.
This process continues down t o and i n t o the operational phase during
which operation may be delayed o r degraded because of deficiencies, r e t r o -
f i x e s and expedients, which may have higher costlbenefit r a t i o s , o r contin-
uing deficiencies may be manifest i n accidents (with f u r t h e r degradation of
performance) . Ultimate c o s t s multiply. F i n a l mission fulfillment may be
impaired.
To control i n some degree the Hazard Analysis Process i t s e l f , a project
check l i s t f o r e n t r y of l e v e l of e f f o r t may be useful.
To control t h e omission of a known hazard simply because the planner's
constraints prevent appropriate solution work, NASA i s considering a Hazard
Inventory, a catalogue showing disposition of hazards and trade of's, thus
making r i s k s v i s i b l e . A,, NASA safety engineer suggested a long-hand docket,
maintained d a i l y , be u t i l i z e d f o r audit o r surveillance t o minimize the
doctored l i s t s which may t u r n up i n f i n a l reports.
A s with a given disease, e .g., measles, it i s probably useful t o have
a name of the common disease, i n t h i s case "Problem Postponement Syndrome,"
r a t h e r than j u s t l i s t the symptoms a s i f they were unique. Management's
detection and cure f o r t h i s desease i s a l s o a t e s t of maturity of c r i t e r i a .
a4 Line Responsibility. The safety r e s p o n s i b i l i t y of the l i n e organiza-

t i o n from the Chairman of the Board down through the f i r s t l i n e foreman t o
the individual employee i s made amply c l e a r i n the outstandingsafety pro-
grams. Written terms of reference, consistent with the safety policy, are
almost universal. And it follows t h a t safety performance i s a consideration
i n promoting an individual t o a b e t t e r position.
Figure 20-2.
PROBLEM POSTPONEMENT SYNDROME
INTERMEDIATE CONSTRAINT FINAL CONSTRAINTS
MISSION FULFILLMENT, BUDGET, SCHEDULE MISSION FULFILLMENT
J.
CoNFEPTS R
REQMTS 7 DESIGN R OPERATIONS
PREL. f LATER I
PROP. I WORK I CHANGES1
AECCUT-POINT'---- - INDEPENDENT REVIEW------L----------A
HAZARD ANALYSIS PROCESS

STEPS LEVEL OF COSTS
EFFORT
1.
2.
3.
1
1
1 1.
NAME 1
HAZARD INVENTORY
DISPOSITION RESULT
OK
SUBSEQUENT-^
4. Info. Search 2 FIXES
5.
6. 1
1
OK
8#
f. 1 Minimal
1 OK
OK
Inacceptable
OK
OK
v
-
Aerojet places primary r e s p o n s i b i l i t y f o r s a f e t y analysis on l i n e
management.
I n seeking full p a r t i c i p a t i o n i n the safety program by the e n t i r e manage-
ment organization, there a r e three mutually reinforcing approaches:
1. The basic l i n e responsibility.
2. Clear assignment of functional r e s p o n s i b i l i t i e s f o r appropriate e l e -
ments of the s a f e t y program t o various departments, e.g., engineering,
maintenance, research, t r a i n i n g , finance, transportation, e t c .
3. Management s a f e t y committees o r review boards, chaired by senior execu-
t i v e s , with revolving representation from various l e v e l s of supervision.
These three kinds of arrangements, with top leadership, can c r e a t e a team
approach.
The use of management committees could be seen a s interference with the
l i n e process. However, they seem t o have had considerable influence on peers,
and probably should be retained a s a c r i t e r i o n of program u n t i l other c r i t e r i a
emerge a s more s i g n i f i c a n t .
Considering the importance of l i n e responsibility, accident reports are
remarkably s i l e n t on the relevant actions o r f a i l u r e s t o a c t by upper and middle
management. Pertinent questions might. be:
1. When d i d higher supervision l a s t review plans applicable t o t h i s area?
What was found?
2. Have requirements, time o r budget f o r hazard review processes changed?
When? How?
3 . When d i d higher supervision l a s t inspect t h i s area? What was found?
4. When did higher supervision l a s t review the supervisor's inspection
reports? What was found as t o basic causes of unsafe conditions?
What was done?
5 . Describe the monitoring o r work sampling plans used by higher super-
vision t o audit performance.
6. When d i d higher supervision l a s t discuss s a f e t y with the supervisor?
Describe what happened.
7. Give instances of help given the supervisor by higher supervision.
a5 Staff. Examine provisions f o r assigning and implementing s p e c i f i c
safety m c t i o n s t o s t a f f departments, such as: engineering, maintenance,
purchasing, transportation, personnel, t r a i n i n g , health, security, q u a l i t y
control, e t c .
Firenze (1972) has recently organized the e s s e n t i a l s of a hazard control
management e f f o r t i n a system much similar t o the general s a f e t y system (~i@;-
ures 11-1 and 11-2). He uses h i s concept t o e f f e c t i v e l y argue tha- effort
cannot be c a r r i e d out by t h e s a f e t y staff, but r e q u i r e s cooperation of a l l
management subsystems--including manufacturing engineering, q u a l i t y control,
purchasing, maintenance, i n d u s t r i a l r e l a t i o n s , finance, and medical, More
important, he provides lists of t y p i c a l functions f o r each i n a n a l y s i s and
i n v e s t i g a t i o n ; improvement plans and implementation; a u d i t ; research develop-
ment and t e s t i n g ; provision and maintenance of adequate materials, equipment,
personnel and environment; information procurement and processing; and finan-
c i a l p r a c t i c a l i t y and performance.
a6 Directives and Organization. Implementation of s a f e t y policy i n de-

t a i l e d d i r e c t i v e s can be examined. C l a r i t y and use of schematics and flow
c h a r t s can be c r i t e r i a . Observation suggests t h a t d i r e c t i v e s may be overly
concerned with s p e c i f i c r u l e s f o r kinds of hazards, r a t h e r than t h e functions
of hazard review, monitoring, e t c . , again t h e d i s t i n c t i o n between method and
content. Also, d i r e c t i v e s tend t o over-react t o p a s t events and under-react
t o f'uture p o t e n t i a l s .
The MORT T r i a l s have made an unexpected contribution, very l i k e l y of consider-
a b l e significance, t o t h e concept of how e r r o r - f r e e procedures can be developed
and published. I n t h e e a r l i e s t stages of monitoring upstream processes, Clark
and Alvord of Aerojet detected s i g n i f i c a n t process gaps and f a i l u r e s i n the
i n i t i a l walks through various processes, d e s p i t e the extensive proceduraliza-
t i o n documentation of Aerojet. I n t e r e s t i n g l y , the s c i e n t i f i c l i t e r a t u r e ,
.
e g. , Berelson & S t e i n e r (1964), shows t h a t step-by-step procedures a r e b e t t e r
understood than t e x t paragraphs. The episode above l e d t h e Reactor Operations
Division Manager t o rework and r e v i s e h i s administrative methods, Figure 20-3
shows t h e method which evolved from t h e trials: block functional diagrams,
s t e p s t o f u l f i l l each function, and c r i t e r i a f o r knowing when t h e s t e p is
well done.
One strongly recommended s t e p i n studying t h e usefulness of t h e MORT
approach i s a simple walk-through of t h e process f o r producing t h e design and
plan f o r a project--almost universally a need f o r b e t t e r c r i t e r i a and arrange-
ments, and a b e t t e r statement of such, i s quickly detected. The work s i t u a -
t i o n i s o f t e n error-provocative.
I n p r e p k i n g d i r e c t i v e s f o r work processes i n t h e function-step-criteria
form it i s important t o note and include those things which a r e being done i n
ways b e t t e r than previously specified. The process gaps which a r e f i l l e d by
informal communications a r e a l i t t l e more d i f f i c u l t t o handle. On one hand,
it seems almost impossible t o specify t h e i n t r i c a t e web of useful communica-
tions. On the o t h e r hand, accident r e p o r t s reveal what happens when such
F i m ~
20-3.
BETTER PLANS AND PROCEDURES
REDUCE
SCHEMATICS
CONFUSION
FUNCTIONS 8r RELAT IONS CLARIFY
OVERLAPS
GAPS
MISSUNDERSTANDING INTER-RELATE
OMISSIONS STEPS IN A FUNCTION

COORDINATE
OBSCURITY
ASSIST
COMPLEXITY
CRITERIA FOR EVALUATION
MINIMIZE
LEGALISTIC
JARGON
* FOOTNOTES =
DETAIL, CASES,
MEASUREMENTS
LEGALISTIC
EXCEPTIONS, 81
INCLUSIONS
networks a r e damaged by a change i n t h e personnel. The question--is it
necessary and important t o safety?--will probably give the best guidance,
While t h e s u p e r i o r i t y of some organization forms over others can hardly
be denied, there i s a safety-related requirement t o make almost any organi-
zation work, Thus t h e a r t of management may make use of such s p e c i f i c ad
hoc devices as project teams, s p e c i a l assignments, matrix forms of organi-
zing, and complex webs of sociometric r e l a t i o n s t o achieve performance.
I n s h o r t , an organizational deficiency should not be seen as a causal fac-
t o r c o r r e c t i b l e only by reorganization. The schematics described i n Fig-
ure 20-3 r e f l e c t i n g informal a s well a s formal arrangements can adequately
handle processes which a r e interdepartmental and complex.
Additional examples of schematics used at Aerojet, such a s development
of procedures and OSHA variances a r e provided i n P a s t V I I , Work Flow
Processes i n a discussion of t h e upstream processes which govern q u a l i t y
of work s i t e i n t r e d i e n t s .
a 7 Training and Assistance. Although we t a l k of t h e r o l e of t h e supervisor

a s t h e "Key Man" and discuss supervisor t r a i n i n g , we should be aware t h a t t h e
chain of r e s p o n s i b i l i t y should be unbroken a t a l l l e v e l s of supervision. In
p r i n c i p l e , t h e supervisor t r a i n i n g program has reached a l l l e v e l s because t h e
higher ranking executives came up through t h e ranks, o r were affected by peers
i n s a f e t y committees o r decision making. Therefore, "management training"
might be more appropriate.
Formal t r a i n i n g programs a r e u n i v e r s a l i n t h e most successful companies.
The programs can be seen i n f o u r types:
1. General programs i n management and supervision,
2. Specific technology,
3. Human r e l a t i o n s and communications,
4. Safe-ty.
Most of t h e l a r g e r companies have t h e i r own s a f e t y t r a i n i n g programs. The
National Safety Council has produced a v a r i e t y of programs which have been
widely used: i n s t r u c t i o n a l methods include films and t e x t , c l a s s and home
study, and programmed learning. Some NSC courses combine human r e l a t i o n s and
safety, which has been a "two f o r one" d e a l .
Managentent associations, vocational schools, community colleges and s t a t e
labor departments make available a wide v a r i e t y of courses. Recently, commu-
n i t y s a f e t y councils have i n t e n s i f i e d t h e i r supervisor t r a i n i n g offerings.
Considering t h e c r i t i c a l importance of t h e t r a i n i n g needs of smaller e s t a b l i s h -
ments, there i s no s u b s t i t u t e f o r a comprehensive network of t r a i n i n g
opportunities .
DuPont makes the major point t h a t on-job experience i s the primary source
of training, p a r t i c u l a r l y the boss's example. I f then the management process
f o r hazard control conforms with sound principles f o r managemnt of any prob-
lem, the efficacy of on- job experience can be enhanced.
Relations (including some f r i c t i o n ) between successive echelons of an
organization, a s w e l l a s between s a f e t y and operating personnel, suggest t h a t
the r o l e of service be increased vis-a-vis the r o l e of policing. A useful
concept holds t h a t a deficiency a t one l e v e l i s mirrored by a service deficiency
a t the higher l e v e l . Thus, an accident or the finding of a hazard should
prompt three kinds of action:
1; Correction,
2. Reexamination of t h e prevention process,
3. Reexamination of higher-level services t o increase effectiveness of
the prevention process.
A method of appraising s a f e t y services provided from one l e v e l t o another
i n a multi-layer organization, o r from s t a f f t o l i n e a t a location, c o n s i s t s
of l i s t i n g the major technical operations of the organization, and then f o r
each l i s t i n g and evaluating service under the following categories (~ohnson,
e t a l , 1957):
1. Research and fact-finding.
2. Exchange of information - periodicals, b u l l e t i n s , meetings.
3. Standards and recommendations.
4. Training opportunities .
5. Technical assistance on problems.
6. Program aids.
7. Measurement of performance.
A t Lawrence the safety function i s very heavily oriented toward a service
r o l e , and t h i s seemed especially u s e f u l under university research conditions.
Figure 20-4 attempts t o show t h e service deficiency process a s it occurs
i n organizations, and accidents which r e f l e c t the deficiencies a r e not hard
t o find.
A discussion of low c o s t , e f f i c i e n t production of services using produc-
tion-line approaches i s included i n Part I X , Safety Program review.
If management allows a project form of organization ( a s contrasted with

use of the on-going, presumably well organized s t a f f departments), there i s a
FAILURE MIRRORS FAILURE:
* IN SERVICES AND ASSISTANCE
I_..._ r
.*:-*a#-
:* *'.
.a*-.. , FAILED 1 1 ) RESEARCH AND FACT FINDING
I
WHAT SERVICES ? 2) EXCHANGE OF INFORMATION
WHAT SERVICES
I L3. STANDARDS OF JUDGEMENT
- -
b4. TRAINING
k5. TECHNICAL ASSISTANCE
k6. PROGRAM AIDS
WHAT RESOURCES ? k 7 . MEASUREMENT OF
PERFORMANCE
FAILED I 8. COORDINATION
I I *IN PLANNING EVALUATION
I
-
I I
INVESTIGATE
I
I
CORRECT II
I I t
REQUIREMENTS
RESOURCES
CONSTRAINTS '
I
GOALS
CAN DO!
CAN'T DO!
special management responsibility t o see t h a t the various safety and review
functions are adequate and w e l l run.
a8 Accountability. Although a policy of holding supervisors accountable

f o r safety function i s commonly reported, the method of measuring such perfor-
mance i s f a r from clear. For example: What c r i t e r i a are used t o evaluate high
r a t e exposures, such a s maintenance, versus low r a t e functions, such a s office
work? How a t t a i n s t a t i s t i c a l r e l i a b i l i t y i n comparisons? How i n t e r p r e t
"bodily movement" accidents, such a s walking o r ordinary l i f t i n g , i n the absence
of c l e a r cut, effective, and managemnt-approved prevention programs?
Accountability without an appropriate control standard may have a negative
e f f e c t on supervisor attitudes.
Peterson (1969) provides a usef'ul checklist of f a c e t s i n developing
accountability: accounting f o r costs, appraisals, and measures of program,
including sampling. Unless the supervisor i s provided w i t h information,
training and aids, accountability may be capricious and unfair.
a9 Feedback. Accident investigations r e f l e c t p r i o r lack of feedback t o

management on a c t u a l operating conditions. Lack of feedback may allow hazards
t o go uncorrected, o r may i n h i b i t supervisory attainment of safety goals by
routine, good administration. Much evidence e x i s t s that lack of feedback i s
a l s o a cause of performance problems. Therefore, the development of a defined
feedback system i s a c r i t e r i o n of management implementation. (A more exten-
sive discussion of Monitoring i s i n a l a t e r section.)
The reporting upward of budget r e s t r i c t i o n s and delays (which create
assumed r i s k s ) should be particularly examined and a formal plan f o r reporting
worst potentials o r p r i o r i t y problems appears t o be a need. Otherwise only
good news f l o a t s up.
I n many organizations, non-safety, general operating control data and
monitoring systems have become well-developed (but probably not so f o r R & D
work). I n any organization, managementts c r i t e r i a f o r masuring generalperfor-
mance should be systematically and carefully reviewed f o r safety implications;
t h a t is, do we& points i n general operations r e f l e c t adverse situations which
a l s o a f f e c t safety?
During the t r i a l s a t Aerojet, it became c l e a r t h a t some incidents were
due t o deficiency i n ordinary channels of reporting. This led t o an e f f o r t
t o specify the needed redundancy i n managerial control systems.
The executive a t a higher l e v e l requires redundant sensing systems i f he
i s t o have assurance t h a t h i s systems are operating properly and are not f a i l i n g .
The f i r s t l e v e l of redundancy consists of the normal l i n e management
channel and the p a r a l l e l information channels from independent agencies such as
Safety, R & QA, , and management control o r audit, ( ~ h e s el a t t e r may a l l be
operating, but without unnecessary duplication of functions.)
On the f i r s t of these two, the l i n e channel, four types of information
should be required:
1. The normal l i n e channel of authority, requirements, resources, goals
and progress.
2. The system was operating properly. (This may be determined by audit,
i n which case the report may say "with the following exceptions which
a r e being corrected.")
3. The system i s not f a i l i n g .(This may be determined by one o r more of
-.
a v a r i e t y of monitoring devices -
RSO studies, surveillance, search
out, accidentlincident data, e t c ) .
4. Higher l e v e l verification, particuxarly when the above signals are not
received, o r are impaired.
On the redundant channels, information of types 2 and 3 i s required.
A t the higher management l e v e l the red signal l i g h t should glow whenever
any report (of six) has f a i l e d t o arrive, o r a negative report i s received.
If an intermediate l e v e l of management has been impaired by extended
absence on other assignments (as i n a recent accident), the higher l e v e l of
management must secure the needed information.
The types of information flow are then:
Figure 2 0 - 5 ~ Management Safety Information Flow
Vital feedback is a l s o provided by the R i s k Assessment Sys-

tem and i t s Information subsystem. This analytic format should show t h a t
management's c r i t e r i a and analysis must ensure t h a t bad news about r i s k s and
u n c e r t a i n t i e s flows upward e a r l y f o r corrective action, r a t h e r than a f t e r the
failure .
Bad news may be withheld i f higher management responses are adverse - e.g.,
"Why d i d n ' t you clean it up a long time ago?" Problems a r e d i f f i c u l t , o r they
would have been cured long ago. A proper management reception, a view t h a t a
problem report i s an opportunity t o give help, may be e s s e n t i a l t o the f r e e ,
upward flow of needed information.
a10 Vigor and Example. Vigor and example a r e d i f f i c u l t t o measure.

Leading corporate s a f e t y programs commonly have anecdotes of d i r e c t ,
personal a c t i o n (above and beyond t h e routine) by top executives. This i s
obviously an imperfect and unscaled yardstick, but nevertheless a v i t a l and
revealing c r i t e r i o n .
A t Lawrence, a l i t t l e inquiry produced an appropriate example: D r . John
Lawrence was known t o check employees f o r f i l m badges (radiation monitoring
devices). I f the employee did not have the badge, D r . Lawrence i s said t o
have explained the purpose and promise t o personally e s c o r t the v i o l a t o r off
the project i n the event of a second v i o l a t i o n .
I n t e r e s t i n g l y , a repeated use of i l l u s t r a t i v e anecdotes a t another research
-
s i t e produced no t a l e s of management vigor, and t h i s was a s i t e l a t e r c r i t i z e d
by AEC a s the worst of i t s type (although s t i l l good by conventional standards) .
A t a t h i r d s i t e , the anecdotes frequently t o l d involved a manager long
gone from the project, and the program seemed t o lack strong drive.
A small number of such examples of management concern may do a s much f o r
s a f e t y a s p o l i c i e s and specified standards. Therefore, an e f f o r t t o unearth
such t a l e s seemed t o produce p o s i t i v e or negative indications of the depth of
management conviction.
A few of the anecdotes used i n the exploration of vigor w i l l probably
be useful.
The Chairman of the Board of AT&T stopped h i s c a r t o c a l l a lineman off
a pole t o explain a s a f e t y procedure, and t o reemphasize.why s a f e t y proce-
dures a r e important t o both employees and the company. The news of t h i s
event crossed the country a t the speed of light!
Another example demonstrates the r o l e of t h e manager and the safety profes-
sional, a s well a s vigor,
A senior executive of one of the l a r g e s t o i l companies described h i s a t t i -
tude and action when he managed one of the world's l a r g e s t r e f i n e r i e s i n
the following terms:
"When I was shaving i n the morning, I asked myself, 'What can go wrong?'
"When I stopped a t a t r a f f i c l i g h t , I asked myself, 'What can go wrong?'
"When I got t o the refinery gate, I phoned my office t o say where I ' d be,
and then I went t o the place where something might go wrong.
"I usually found t h a t matters were properly controlled, but i f not, prompt
action on p o t e n t i a l trouble not only stopped the trouble, but also pro-
jected a management concern throughout the refinery. Even i f there wasn't
trouble, I found t h a t my concern was known, respected, and mirrored a t a l l
management and employee levels.
"If the refinery burns, the President c a l l s the manager, he doesn't c a l l
the safety d i r e c t o r .I1
The Reactor Operations Division Manager a t Aerojet provided confirmation
of the importance MORT attached t o t h i s f a c t o r of vigor.
If management vigor i s such an important factor, it would be nice t o have
a definition, as well as i l l u s t r a t i v e anecdotes. Webster uses the folowing
phrases :
1. "Active strength o r force of body o r mind."
2. "Intensity of: action o r effect."
O u r d e f i n i t i o n of managemnt vigor i n safety w i l l have t o specify some
additional aspects, such as:
3. Directed force - a high sense of safety values.
4. Hazard recognition
5. Search-out
6. Certainty t h a t what can go wrong, w i l l go wrong.
7. Fast action a t potential trouble spots.
I n short, the vigorous manager w i l l display a " k i l l e r instinct" f o r hazards.
It i s increasingly possible t o frame objective questions about manage-
ment vigor, coupled with management maturity:
Does management have a l i s t of residual r i s k s o r worst potential
problems? Are good studies available f o r these? What's being done?
When was safety policy l a s t reviewed? When last enunciated by top
management?
What safety actions have recently been taken? Were any of these taken
despite some i n t e r n a l opposition? L i s t the l a s t s i x major safety pro-
posals and shaw whether they were approved o r disapproved, Do the same
f o r c o l l a t e r a l areas - training, maintenance, engineering, e t c .
When did management l a s t formally assess the trend of accident r a t e s
and other indices of safety performance? What action was taken when
trends were unsatisfactory?
Has management assessed i t s feedback systems i n terms of the l a s t four
serious accidents/incidents?
The System F a i l s . Early i n the MORT t e x t , the view of the human f a c t o r s
specialists - accidents occur when the system f a i l s - was articulated. However, * ?
repeatedly i n accident o r e r r o r investigation, the question of blame i s a r i s i n g .

Therefore, the point - i s being repeated i n a number of schematics management -
methods, management assistance, a s well a s i n accident investigation - the sys-
tem f a i l s .
Any system should be designed t o be operated by reasonably competent people
of the types available, not super-men. To the degree a system r e l i e s on excel-
lence above the l e v e l s of reasonably available competence, the system w i l l f a i l .
The job of management i s thus presented a s making good people b e t t e r , helping
people grow i n competence and performance.
Views t h a t it i s systems t h a t f a i l and t h a t people require help and
assistance need not be weak nor f a i l t o challenge people. Rather the desired
vigor of management can display concern, but a l s o be directed i n t o counsel
and assistance t o develop the people.
A u s e f u l overview of management's r o l e i n general occupational s a f e t y prac-

t i c e i s provided by the r a t i n g s of aspects by 100 leading experts.
( ~ l a n e k ,1967.)
Rank Order of Major Safety Program Area
1. Supervisory P a r t i c i p a t i o n
2. Top Managemnt P a r t i c i p a t i o n
3. Engineering, Inspection, Maintenance
4. Middle Management P a r t i c i p a t i o n
5. Screening and Training of Employees
6. Records
7. Coordination by Safety Personnel
8. Motivational and Educational Techniques
Top Ten A c t i v i t i e s
1. Enforcing safe job procedures (implies written d e f i n i t i o n )
2. S e t t i n g an example by safe behavior
3. Middle management s e t t i n g an example by behavior i n accord with safety
requirements.
4. Training new o r transferred employees i n safe job procedures
5. Making safety a p a r t of every new employee's orientation
6. Top management s e t t i n g an example by behavior i n accorhnce with s a f e t y
regulations
7. Top management assigning someone t o coordinate s a f e t y on a f u l l or p a r t
time b a s i s .
8. Including s a f e t y i n supervisory t r a i n i n g courses
9. Top management publishing a policy expressing management's a t t i t u d e on s a f e t y .
10. Advising management i n the formulation of s a f e t y policy.
It i s i n t e r e s t i n g t h a t "motivational and educational techniques" was
ranked l a s t among major a r e a s , but t h a t " s e t t i n g an example" (perhaps the
strongest motivational force) accounted f o r t h r e e of the top t e n a c t i v i t i e s .
A study ( ~ l l e n ,1965) concluded:
" e f f e c t i v e management a c t i o n i s t h e key t o c o n t r o l l i n g and reducing indus-
t r i a l accidents. The q u a l i t y and quantity of management e f f o r t s i n the
promotion of s a f e t y a r e decisive i n motivating employees t o accept t h e i r
personal r e s p o-- n s i-b i l i t y f o r the prevention of i n d u s t r i a l i n j u r i e s . "
I n 1964 t h e author reported on c r i t e r i a used i n judging a s a f e t y compe-
t i t i o n among Federal agencies a s follows:
10. Are program objectives and performance
reviewed and analyzed at regular periodic
Management leadership
intervals?
1. Did a published policy issued by the 11. Has top management given adequate ex-
agency head exist throughout the contest pression of its interest and support of
year? aggressive accident prevention throughout
2. Is the agency policy clear, concise, direct, the year?
and all-inclusive in scope? 12. How often are regular and special reports
3. Is the ogency policy broadly publicized to on the agency accident record prepared
assure that it is known and understood by for and reviewed by top management?
oll concerned? 13. Does top management follow up on depart-
4. Is basic policy suported by guidance and ments or units with poor or unacceptable
instructions concerning organization, scope, accident records?
responsibilities, functions, personnel, stan-
dards, and awards? Assignmant of responsibiliies
5. Is the agency adequately staffed with 1. Do organization charts e%
rc
l a cleartul
safety personnel to assure o continuing line of organizational authority and re-
safety effort? Headquarters? Subordinate sponsibility?
echelons, activities, and units? 2. Do program directives relate the line of
6. Has ogency provided adequate funds for normal organizational responsibility. to the
aggressive and continuous safety program- agency program to prevent accidents?
ming? 3. Do agency instructions identify responsibility
7. Does the agency hove operating safety for funding, assignment of personnel, or-
rules and regulations? ganizational placement, functions, reviews,
8. Does the ogency support the Federal Safe- councils, programming, and coordination?
ty Council in holding offices, attendance at 4. Are duty requirements (responsibilities) of
meetings, and committee in project actvi- safety personnel at all levels spelled out in
ties? details?
9. Are program objectives established and 5. Are safety responsibilities of all headquar-
areas of special emphasis identified an an t e n staff elements clearly delineated?
annual basis? 6. Are the safety responsibilities of first-line
superiors and employees emphasized?
Further c r i t e r i a used i n t h e competition may be u s e f u 1 , i n considering t h e

depth and q u a l i t y of t h e Federal government's i n t e r n a l s a f e t y e f f o r t , a s
well a s i n developing c r i t e r i a f o r a general examination of s a f e t y progTam
measurement. These a r e l i s t e d i n P a r t IX, Safety Program Review.
- 205 -
21. RISK ASSESSMENT SYSTEM
Ga3 Risk Assessment System. The MORT c h a r t s postulate a r i s k assessment system

with t h e following elements :
1. Comparison with Goals.
2. Experience Data
a . Rates
b. Causes and circumstances.
3 . A Hazard Review Process with three f a c t o r s :
1
a . Triggers t o a c t i v a t e hazard analysis,
b. Knowledge and information on hazard reduction,
c . An adequate Hazard Analysis P r o c e s s d e f i n i t i o n showing a n a l y t i c
operations t o be performed.
4. Safety Program Review.
Before examing s p e c i f i c c r i t e r i a under t h e four headings, t h e purposes and
processes of a general r i s k assessment system should be examined. Background
discussion from Phase I1 follows.
The primary objectives of a r i s k assessment system should be t o provide a
manager ( a t any l e v e l ) with the information he needs t o :
1. Assess r e s i d u a l r i s k , and
2. Take appropriate action, i f he f i n d s r e s i d u a l r i s k unacceptable.
Important, but secondary objectives would include :
3. Comparative evaluation of two o r more u n i t s ,
4. Research evaluation of two o r more hazard reduction schemes t o add t o
t h e " s t a t e of t h e a r t . "
Discussion of measurement of occupational s a f e t y performazice has been
focused on questions 3 and 4, and not enough on t h e first two, primary
questions.
Repeating a basic view expressed e a r l i e r :
"Since mana ement ( s p e c i f i c a l l y t h e Chief Executive Officer of the
-Y-
organization has l e g a l and moral r e s p o n s i b i l i t y f o r s a f e t y , it seems
t o follow t h a t s a f e t y information and measurement programs should be
primarily designed t o answer the c r i t i c a l s a f e t y questions of management:
1. What a r e t h e nature and magnitude of t h e organization's acci-
dent p o t e n t i a l s ?
2. What has been done t o reduce r i s k ?
3. What is t h e long-term l e v e l of r e s i d u a l r i s k ?
4. What a d d i t i o n a l measures t o reduce r i s k have been considered and
r e j e c t e d on "practical" (~nvestment/benefit/value ) grounds?
5. Are.the s a f e t y programs a c t u a l l y operating a s described i n
manuals and procedures?"
It has been argued t h a t "safety performance" meansl~erforminga job
without undergoing o r causing i n j u r y , damage, o r loss." This may be satis-
f a c t o r y , as f a r a s i t goes, but if we specify that t h e p a s t must a l s o be PI
d i c t i v e . we broaden t h e requirements i n terms consonent with management's-
r e s p o n s i b i l i t i e s and information needs. But it i s p r e c i s e l y t h e predictive
value t h a t i s hard t o develop.
A viewpoint of s a f e t y measurement of p o t e n t i a l significance to managers
has been a r t i c u l a t e d f o r a i r l i n e accidents i n terms of t h e adverse e f f e c t s of
, )
number of catastrophes (not r a t e s ) on public confidence ( ~ u n d b e r ~1966 .
Translated i n t o occupational terms, t h i s implies t h a t t h e number of major
events (death, multi-death , major f i r e , explosion o r o t h e r d i s a s t e r ) w i l l
govern confidence i n t h e manager by h i s superiors o r o t h e r s outside the organi-
zation. This view seems consistent with t h e managerial trauma which appears
t o follow serious accidents. Consequently, t h e strong emphasis i n t r i a l pro-
cedures has been placed on l i m i t i n g severe consequences, and l e s s e r emphasis
on t h e l e s s severe i n j u r i e s which make up t h e conventional frequency r a t e s .
A concept of needed long-term measures ( f o r an organization o r a person)
i n terms of system e f f e c t s i s :
I. "Non- survivable " events
11. Degradation of performance
A . 'lNon-survivablett i n ma j o r p a r t s of
t h e system " C r i ticalt1
B. Major degradation i n p a r t s "Major"
C. Systemic degradation of t h e whole,
symptomized by frequent degradation "Minor"
of p a r t s (but frequent)
Such a concept should be c a r r i e d over i n t o t h e r i s k assessment system i n
both r a t e s and predictions.
The remainder of t h i s Chapter covers t h r e e topics:
1. Goals--policies and c r i t e r i a used t o assess r i s k .
2 . General System f o r Assessing Organizational Risks--a model f o r
periodic review of an organization as a whole.
3. Analysis of Project o r System Risk--two models f o r evaluation of
a specific activity,
Goals
The development and a r t i c u l a t i o n of goals i n occupational s a f e t y has not
been c o n s i s t e n t l y and s u f f i c i p n t l y well done t o provide strong, viable c r i -
t e r i a at times of r i s k assesdment . Consequently, occupational s a f e t y s u f f e r s
i n trade-offs with more s p e c i f i c , quantified, short-range, "practical" goals .
Goals a r e of two types having increasing s p e c i f i c i t y f o r r i s k decisions:
1. Policy and Implementation criteria--management approaches, broad
goals, and r i s k assessment methodology.
2. Project s p e c i f i c data.
Despite t h e supposed f o r c e of p o l i c y and management c r i t e r i a , t h e p r o j e c t
s p e c i f i c d a t a a r e l i k e l y t o p r e v a i l i n p r a c t i c a l decisions under pressures,
and s a f e t y f r e q u e n t l y comes out second b e s t i n these trade-offs. This i n d i -
c a t e s two kinds of developmental needs: (1) more usable statements of policy,
c r i t e r i a and r i s k assessment methods, the context f o r r i s k decisions, and
(2) b e t t e r hazard a n a l y s i s t o compete with quantified d a t a on non-safety
trade-offs.
Policy and Implementation C r i t e r i a . These can probably by c r y s t a l i z e d
i n t h r e e c a t e g o r i e s t o c l a r i f y relevance t o s p e c i f i c r i s k assessment:
1. Context of work--Are management policy, methods, d i r e c t i v e s , e r r o r -
reduction policy and s e r v i c e s , consistency and s t r e n g t h of support
f o r s a f e t y and r e l i a b l e control of work such a s t o define t h e envi-
ronment i n which a p r o j e c t w i l l be c a r r i e d out? (HOW a r e questions
r a i s e d i n Chapters 1 9 and 20 seen by p r o j e c t r i s k assessors?)
2. Broad goals :
a, Is t h e organization's goal l i m i t e d t o l e g a l compliance? O r , does
it seek higher degrees of s a f e t y ? Are investments i n s a f e t y going
well beyond t h e minima of codes, standards and r e g u l a t i o n s
commonly authorized ?
b. Is t h e organization's goal seen a s control of accidents a t past
levels? O r i s it working toward a breakthrough? Are goals
quantified i n p r o b a b i l i t y terms?
c. Risk assessment excellence and methodology, a s specified by manage-
ment, may be such a s t o f o r c e searching and thorough examination
of f a c t o r s i n r i s k , o r a l a c k of s p e c i f i c a t i o n s may permit super-
f i c i a l , poorly considered decisions. Affecting q u a l i t y of study
a r e the d e f i n i t i o n s of hazard a n a l y s i s process, l i f e cycle con-
cern, and the requirement f o r a n a l y s i s of a l t e r n a t i v e s and t h e i r
trade-offs, and the q u a l i t y of independent review agencies and
their criteria.
3. Project Specific Criteria--the c r i t e r i a immediately before those who
must a s s e s s r i s k and make decisions.
a. These involve t h e sometimes c o n f l i c t i n g c r i t e r i a of c o s t , schedule,
r e l i a b i l i t y and q u a l i t y assurance (usually, not a1ways, favorable
f o r s a f e t y ) , maintainability, and marketability--and saf e t y--and
long-term p r o f i t a b i l i t y .
b. It i s u s u a l l y l e s s d i f f i c u l t t o resolve trade-offs within one of
these competing a r e a s than between t h e areas.
c. Safety d a t a f o r a v a r i e t y of a l t e r n a t i v e s i s more l i k e l y t o be of
high q u a l i t y and t o provide a d e s i r a b l e f l e x i b i l i t y i n trade-off
considerations.
d, A d i f f i c u l t y occurs when s a f e t y d a t a a r e l e s s than conclusive.
Information may be i n broad categories, such as:
(1) Codes, standards and regulations,
(2) Recommendations--a partial consensus (eeg., i n t h e NSC),
(3) Limited study and known precedents,
(4) No known precedent o r study, but presumed hazard,
The first two w l l l o r d i n a r i l y be followed and very frequently, t h e
third. Both t h e t h i r d and t h e f o u r t h c l a s s e s w i l l be jeopardized
and e a s i l y put a s i d e if trade-offs of any s t r e n g t h appear.
e. General phrases, such as OSHA's "free of recognieed hazards ...
generally recognized i n t h e industry," and "potential f o r causing
death o r s e r i o u s i n jury" are relevant and binding, but s u f f e r
from t h e same l a c k of s p e c i f i c i t y as t h e term "practical."
The problem of d e f i n i n g s a f e t y l e v e l s is obv3ously d i f f i c u l t . One
method of d e f i n i n g goals might be conceptualized a s follows:
A l e v e l of "all p r a c t i c a l steps" t o reduce hazards i s a t t a i n e d when
r e s i d u a l r i s k s have a s e r i e s of a l t e r n a t i v e reduction measures which had
t o be r e j e c t e d a f t e r an InvestmentDenef i t / ~ a l u e / T h r e a t a n a l y s i s ,
This requirement would enable management t o follow t h e sound p r a c t i c e of
t e s t i n g t h e extremes and p u l l i n g back.
f . Some c r i t e r i a axe i n a r e a s d i f f i c u l t t o quantify--an
example i s
t h e trade-offs between " r e l i a b l e control of work" and "freedom of
researchers. " Researchers indulge i n a c e r t a i n amount of flag-
waving on t h i s issue--"reliable control of work" can a l s o mean
good research! But, e x t e r n a l r u l e s and procedures a r e r e s i s t e d by
some researchers, o f t e n by those who s h o r t l y destroy t h e equipment
o r k i l l someone. Management (perhaps t h e l a b d i r e c t o r ) does,
however, by word o r deed, have t o put h i s weight on goal and direc-
t i o n i n this kind of area.
Contml vs. Breakthrough? Goal d e f i n i t i o n i n terms of an order-of-

magnitude improvement i s relevant primarily t o the general assessment of
o r g a n i m t i o n a l r i s k s , r a t h e r than a s p e c i f i c o r p r o j e c t r i s k . However, even
i n t h e l a t t e r , it can be asked whether a p r o j e c t is designed t o meet t h e
higher goal.
The system approach c l e a r l y implies that short and long range goals
have been established f o r safety. The s e t t i n g of defined goals, qualified
by numbers where a t a l l possible, has a number of advantages:
1. It makes v i s i b l e t h e r i s k s we a r e w i l l i n g t o accept.
2. It helps measure progress.
3. The degree of challenge i n t h e goals helps determine t h e kind and
amount of resources we w i l l need.
If a goal i s t o h a l t accident increases, o r t o g e t a 10% reduction i n
accidents i n t e n years, we can make plans. If the goal i s a 50% reduction
i n f i v e years we s h a l l make a r a t h e r d i f f e r e n t plan. The l a t t e r goal i s
l i k e l y t o involve major changes and w i l l therefore demand major study and
plans.
There a r e said t o be S-shaped "Growth Curves" which tend t o describe
product and s e r v i c e cycles i n any organization. A slow r a t e of progress
characterizes introduction of an innovation, then a longer period of s t r a i g h t
l i n e growth i s terminated by a progressively decelerating r a t e of improvement.
If t h e occupational accident r a t e i s t h e inverse of t h e growth i n acceptance
of occupational s a f e t y ideas, t h e r a t e p a t t e r n s of t h e past 10-15 years would
f i t an S-curve assumption.
The "Growth Curve" notion holds t h a t a breakthrough t o a new cycle of
progress i s j u s t that--a breakthrough, something new has been added--and is
not a t t a i n a b l e by a simple increase i n e f f o r t .
I n Chapter 11J u r a n t s concept t h a t a breakthrough goal i s a t t a i n e d i n a
d i s t i n c t i v e manner was outlined. J u a n has defined Control a s change
. '
preven-
-.
t i o n and Breakthrough a s change production, o r a s we would say, "counterchange
production."
I n t h e Aerojet t r i a l s a breakthrough i s s u e emerged, namely, pace of -
improvement. Aerojet has an excellent program, but wants t o have t h e "best
safety system i n t h e world." Under budget and general mission c o n s t r a i n t s ,
what proportion of resources (including management a t t e n t i o n ) can be given t o
s a f e t y program improvement? A d i f f i c u l t , very p r a c t i c a l question. Endeavoring
t o formulate t h e i s s u e i n objective terms, two questions emerge:
- - What degree
1. Goal of excellence should be a t t a i n e d when?
2. Practice - What a d d i t i o n a l management a t t e n t i o n ,
budget and other
resources a r e being d i r e c t e d t o s a f e t y program improvement? What i s
being done t o involve and a c t i v a t e a l l personnel i n an upgraded s a f e t y
effort?
Goal d e f i n i t i o n i s a f a c e t of measurement as well a s r i s k assessment.
The magnitude of e f f o r t can be assessed i n terms of goals. It has been s a i d
t h a t many small gains can be made by "tinkering" (not a very good word f o r
safety) and i n general t h i s can be done by l i n e organization. Major gains
usually involve more sweeping changes, and require in-depth s t a f f study.
During the NSC Measurement Symposium, one group said:
"In order t o design e f f e c t i v e measurement programs it i s necessary t h a t :
-
" F i r s t , Goals must be c l e a r l y defined, including conflicting o r poten-
t i a l l y conflicting goals of the system o r organization. We need
these statements i n order t o judge trade-offs.
"Second, the information required f o r a decision must be known, o r
a t l e a s t defined. It i s a t l e a s t helpful, and perhaps necessary, t o
know what information decision-makers are l i k e l y t o use when decisions
are made I'.
Attaining Major Goals. I n a complex organizational situation, many steps
i n p a r a l l e l and sequence w i l l have t o be taken t o reach a major goal. The
charting of such steps, t h e i r relationships and t h e i r time requirements by
PERT Charts a r e an aid i n planning and assessing progress o r r i s k .
Milestones, points a t which progress i s assessed, are commonly lacking i n
occupational safety. The safety e f f o r t moves along on the basis of trying t o
"do better." O r , short-range program goals, such as s t a r t i n g a contest, o r
developing an inspection schedule, become the f o c a l points of e f f o r t s . Mile-
stones - f o r example, annual o r phase review of a five-year plan - can provide
the e s s e n t i a l measuring points.
The actions taken a f t e r disastrous events often constitute the s e t t i n g
of major impruvement goals. Goal formulation before d i s a s t e r s seems the more
rewarding approach.
Thus we have yet another aspect of measurement - the development and
s t a t u s of plans f o r a t t a i n i n g major goals. When were they l a s t assessed by
top management?
Probability Goals. The willingness and a b i l i t y t o quantify safety goals

seems e s s e n t i a l t o r i s k assessment f o r major progress i n r i s k reduction. During
t h i s study, probability values were found t o be used on several major projects.
A possible conceptualization of goals i n terms of three levels i s emerging:
1. The general l e v e l s of a l l U. S. work.
2. The l e v e l of "present best practice," a s i n AEC operations.
3. Future design goals or t a r g e t s .
Such goals, stated as probabilities i n injury per man-year, could be
expressed a s follows:
U. S. Work "Best Practice" Design Goal
Death 2 3- 10-5 1x lo-6
Disabling I njury 3 x lo-* 1 lo-3 1
Converted t o a guideline, such values would permit management t o say:
I n designing process o r work, endeavor t o lower r i s k t o 1 i n a million (deaths
per man-year), thus we can improve on present "best practice." If the nature
of work i s especially hazardous (e.g., some research work) and cannot be
improved, t h e general work r i s k i n the U. S., 2 deaths i n 10,000 man-years
should be considered a c e i l i n g we s h a l l not knowingly exceed.latter his
statement may not be acceptable, but i s given t o demonstrate a method.)
Other examples of probability goals w i l l be found on page 4 and i n the
project models l a t e r i n t h i s chapter. Such goal quantification is increas-
ingly p r a c t i c a l and e f f o r t s tow& t h i s end should be pressed.
General System f o r Assessina Ormnieation Risks

A model o r plan f o r the periodic ( ~ r e f e r a b monthly
l~ or
assessment of an organization's r i s k s is needed t o design an information sys-
tem which w i l l f i l l management's needs, Use of conventional frequency and
s e v e r i t y r a t e s , grossly inadequate and frequently misleading, has been so
pervasive t h a t an improved model i s needed t o define the other kinds of d a t a
which a r e more significant.
A manager (at any l e v e l ) appears t o need f i v e general categories of
information t o assess residual r i s k :
1. High Potential Situations--audit of the degree of control.
2. Planned Chanaes (new plant, equipment, employees, o r procedures )--
the q u a l i t y of the Hazard Analysis given t o changes.
3. Current HIP0 Deviations--changes , e r r o r s and accidents, and preven-
t i v e countermeasures taken.
4. Long-term and Short-term Assessment of Accident and k o r Rates--
numbers, costs.
5. The I j a f e t ~?roaram--what i s i t , i s it operating a s intended, and
wherein does it f a l l short of ideals?
A model f o r providing these kinds of information and indicating decision
points i s diagrammed i n Figure 21-1. In the t r i a l s a t Aerojet, the construc-
t i o n of the r i s k assessment system has generally followed t h e model.
The collection of d a t a on deviations--changes, e r r o r s , and accidents--
i s described i n great d e t a i l i n Part V I I I , Infomation System, p a r t i c u l a r l y
Chapter 37, Monitoring, and 41, Measurement Techniques. These cover both
(1) High Potential Events--managed by the name of the event, and (2) pro jec-
t i o n of general group numbers.
Figure 21-1. GENERAL SYSTEM F O R ASSESSING O R G A N I Z A T I O N RISK
PROGRAM --b -
RISK DEVIATIONS a
PERFORr
OPERATING General HIP0 Acci- MANCE
Program HIP0 SYSTEM Changes Ekrors dents
----
valuation
B
Audit
e* 1
--7-
I
Numbers Events
I
T T
DERADED
I- I 1
1 OPERATIONS
I
A I I
1 I I
,.-
I
- - - - t - .- -& Changes
Made
Measure
-) 1 Changes
I Made I I I I
- I I
t--
I
I
) Changes--~++
I
Project I
I 1-------- 7Future
I
I 1 ) System Changes
I
- - - 1- - - - - - - - - - - 1.t - ------
Not Made
I
!+ Program Changes
Not Made I I
I-----
Rescind Changes 4 1
---1 I
-her Changes RESIDUAL RISKS , I
I ProJect
el,AI
Further I I
4al"ti3- ---- t - 4 - I
I ----.
A 4 t--
I
OPERATIONS i
L
I 1
T )I Measure
chew? I measure I
I I
I I I
The events of i n t e r e s t (both HIP0 and general) should have a l s o been t h e
b a s i s f o r hazard a n a l y s i s . The manager needs t o know what changes were then
-
made i n t h e operating system t o lower r i s k , and what p o t e n t i a l changes were
not made (and i f any changes a r e s t i l l under study). He needs t h i s informa-
t i o n on individualEUP0 events and i n summary f o r general events i n order t o
a s s e s s t h e probable e f f e c t on f u t u r e r i s k p r o j e c t i o n s .
The events of i n t e r e s t a l s o monitor t h e hazard reduction program i t s e l f .
Why d i d t h e d e v i a t i o n s s l i p through the preventive network? Taken i n conjunc-
t i o n with e v a l u a t i v e s t u d i e s of t h e program, t h e events become the b a s i s f o r
changes i n the hazard reduction program, and t h e s e a r e a n t i c i p a t e d t o produce
l i k e l y f u t u r e changes i n t h e operating system t o f u r t h e r lower r i s k . Together
with p o t e n t i a l changes not made i n t h e program, t h e manager has a f u r t h e r b a s i s
f o r modifying t h e p r o j e c t i o n s of f'uture r i s k .
Audits of high p o t e n t i a l s i t u a t i o n s , such as high energy departments and
a c t i v i t i e s a r e a l s o shown, and would have e f f e c t s on t h e operating system.
Accident experience during t h e t r i a l s r e f l e c t s t h i s need,
Four kinds of d a t a then form t h e b a s i s f o r t h e assessment of r e s i d u a l
r i s k f o r f u t u r e operations :
Projections of past events.
Audits of high p o t e n t i a l s i t u a t i o n s .
Modifications i n t h e operating system.
Modifications i n t h e hazard reduction program, l i k e l y t o produce
f u r t h e r changes i n t h e operating system.
t h e manager f i n d s t h e r e s i d u a l r i s k unacceptable, he can take t h r e e
kinds of action:
1.' Rescind changes already made,
2. Order f u r t h e r changes,
3 . Order f u r t h e r evaluation.
After such a c t i o n , o r when forced by time, he accepts the r e s i d u a l r i s k
and proJects t h e probable performance i n f u t u r e operations.
Subsequently t h i s managerial cycle i s repeated.
The scheme implies t h a t a l l p o t e n t i a l changes have been evaluated t o the
p o i n t t h a t some a l t e r n a t i v e s a r e recommended and o t h e r s r e j e c t e d .
It i s understood t h a t a t each point i n t h e cycle, some standards of judg-
ment will be used f o r c l a s s i f y i n g and evaluating information, and standards
w i l l a l s o be used f o r evaluating c o r r e c t i v e a c t i o n s under consideration. A t
t h e inception t h e judgmental standards may be v a r i a b l e and highly personal -
t h e y become b e t t e r defined as t h e plan i s operated.
The model was developed from two kinds of considerations:
1. It seemed t o represent, a l b e i t laborously, the way good managers appear
t o manage.
2. It represents an extension of an i d e a l hazard reduction system, showing
how good managers ought t o manage.
The scheme appears capable of r e f l e c t i n g the way good managers take " f a s t
action a t the trouble spots i f the assumption i s made t h a t subordinates make
immediate reports of c e r t a i n kinds of HIP0 events .,(They don't wait f o r "Time
Period 2" i f t h a t period be construed a s a month or a year away. )
The model a l s o seems t o r e f l e c t a usable system f o r f i r s t l i n e managers,
intermediate managers, and top managers. A t each successive l e v e l , a s reports
a r e cumulated f o r higher management, the threshold l e v e l of EIFO events of i n t e r -
e s t i s automatically raised, and consequently more events are handled a s groups.
A t the top, management wants an assessmnt regarding d i s a s t e r p o t e n t i a l s
and big energies, major changes, c r i t i c a l e r r o r s , major accidents, (and wants
t o know what process was used t o assess them) and a l s o wants a continuing assess-
ment of general e r r o r and accident r a t e s , and programs t o control them. More
sophisticated analytic t o o l s can be used t o provide the data top managment needs.
The model has been exercised on a wide v a r i e t y of hypothetical and a c t u a l
cases (from available information on the l a t t e r ) and appears t o be v a l i d and
useful.
The model presents a necessarily multi-faceted view of s a f e t y performance:
1. What do deviation data (changes, e r r o r s , accidents) say a s to:
a. the past?
b. system c o r ~ c t i o n sneeded?
c . program improvements needed?
2. What do audit d a t a say?
3. What does the future hold:

a. judging from the past?
b. a f t e r changes i n the system?
c . and a f t e r changes i n program?
4. What more should be done t o make r i s k tolerable?
A s indicated i n the model, deviations a r e believed t o have degraded good
performance. Can t h i s be measured? After r e s i d u a l r i s k i s accepted, can
probable general performance i n terms of non-safety measure be projected?
W i l l performance measure up?
The model,then, may be u s e f u l i n exploring ways of assessing non-safety
sources of performance degradation.
Some aspects of r i s k assessment t o be t e s t e d a r e r e f l e c t e d i n t h e
following kinds of questions which might be asked by t o p management of
middle management :
1. What do you f e e l a r e our worst p o t e n t i a l s f o r catastrophe ( o r major
investment l o s s ) i n your area of r e s p o n s i b i l i t y ?
a. What has been done t o reduce these major p o t e n t i a l s ?
b. What more could be done,and what would it cost?
2. What are t h e provisions o r standing i n s t r u c t i o n s i n your organiza-
t i o n f o r hazard review of new o r revised operations?
3. P a r t i c i p a t i o n and high-level influence seem t o be fundamental t o
acceptance of s a f e t y procedures. What arrangements do you have f o r
involvement of high-level personnel i n t h e development and use of
basic s a f e t y guidelines? Active committees might be an example.
4. What a r e you doing t o a u d i t the s a e t y a s p e c t of your operations?
5. Give examples of help given f i r s t - l i n e supervisors s o t h a t they may
f u l f i l l t h e i r key r o l e s .
6. Do you r e c a l l any recent incidents wherein you personally intervened
t o upgrade s a f e t y conditions?
Analysis of Project o r System Risk
I n t h i s s e c t i o n we a r e concerned with evaluation and decision f o r a
s p e c i f i c p r o j e c t , a c t i v i t y , machine, o r system. Analytic methods can be
more s p e c i f i c , l e s s generalized. The broader goals of management policy
and implementation do not have as g r e a t f o r c e (perhaps they should).
Specific d a t a seem t o be more relevant. Cause-effect r e l a t i o n s a r e more
c l e a r , and decision a l t e r n a t i v e s b e t t e r defined.
Rhetoric s t i l l plays a part. "Let's be p r a c t i c a l , " i s usually t h e
slogan. Rhetorically induced " p r a c t i c a l i t y " may have such e f f e c t s as l o s s
of l i f e o r p l a n t , and may y i e l d a maximum OSHA penalty, o r may mean l e t ' s
do it t h e loose, error-prone way.
. It must be admitted t h a t t h e i n t u i t i v e approaches t o s a f e t y assessment
a r e u s u a l l y e a r l y c a s u a l t i e s i n t h e b a t t l e , and deservedly so. The problem
i s t o make a q u a l i f i e d protaganist of t h e s a f e t y proponent.
A well-defined and well-executed Hazard Analysis Process i s t h e sound
way t o strengthen s & t y ' s r o l e i n decision-making.
The r e l a t i o n s h i p s
between defined r i s k assessment models and the Hazard Analysis Process
described i n t h e next P a r t a r e three:
1. The r i s k assessment models form a s t r u c t u r e i n which HAP'S system
a n a l y s i s techniques operate.
2. The models a r e a l s o t h e arena i n which r e s u l t s of HAP w i l l be assessed.
3. On t h e o t h e r hand, t h e r i s k models do not f u l l y r e f l e c t t h e e a r l y ,
conceptual phases, which can do so much f o r s a f e t y , and they a r e weak
i n human aspect, and organizational contingencies and r e l a t i o n s which
too o f t e n r e s u l t i n unanticipated trouble.
The presentation of r i s k models does, however, seem t o provide a helpful
point of focus f o r t h e Hazard Analysis Process.
Tnree models a r e germane:
1. Simple--the elements shown i n Figure 7-2 (page 90).
2. Expedient--a model developed and used with s u b s t a n t i a l benefit when
more comprehensive techniques were not within resources.
3. A more ~omprehensivemodel.
There is no need t o comment f u r t h e r on t h e simple model, except t o say
t h a t i t s e s s e n t i a l s c a r r y over i n t o t h e succeeding two. The Expedient model
w i l l be described first. It i s a l s o quite simple, but some l i m i t a t i o n s
should be apparent when t h e Comprehensive model is discussed.
Expedient Model. This can be called t h e Browning model--its use by

Monsanto f o r analyzing petrochemical plant r i s k s was reported by Browning
(1969-70) a s having g r e a t p r a c t i c a l value when simplified, non-computerized
techniques and t h e normal complement of engineering time must be used. (The
term "expedient" i s intended as d e s c r i p t i v e , not derogatory. "Practical"
would be a good connotation, although t h e comprehensive model i s a l s o prac-
tical. I n any event, Browning's model i s an order-of-magnitude improvement
over t h e r a t h e r common i n t u i t i v e approaches.)
The model, c a l l e d Loss Analysis Diagram, uses some s p e c i a l terminology--
p a r t i a l l y t r a n s l a t e d i n t o MORT language. The model can be seen as shown i n
Figure 21-2.
F i m r e 21-2. Expedient Analysis of Pro.ject o r System Risks
* a
Probabilities
The failure-modes-and-effects and system-critical paths a r e derived
from p r o j e c t staff ( l i n e management f o r e x i s t i n g p r o j e c t s ) and employ a f a u l t -
t r e e format, except it i s described as l e s s detailed.
P r o b a b i l i t i e s a r e entered on t h e f a u l t t r e e only by order-of-magnitude
(exponents as used i n t h e t a b l e below). Short-cut r u l e s f o r developing t h e
t r e e a r e employed.
The Probable Maximum Loss i s derived by insurance underwriting estimate
procedures, r e a d i l y a v a i l a b l e , and includes business interruption.
The Trade-off P r o b a b i l i t i e s a r e t h e c r i t i c a l (only s t a t e d ) c r i t e r i a ,
as follows:
Size of Loss. $ -
TOP
Under 25,000 ............................... 10-I
25,000-100,000 ..................... . . .. lo-'
A s indicated i n t h e model, i f t h e probable maximum l o s s exceeds t h e

trade-off value, t h e r i s k is unacceptable and i s returned f o r improvement.
The references provide p r a c t i c a l examples, l o s s estimating procedures,
and t y p i c a l f a i l u r e r a t e s .
The short-cut, expedient and p r a c t i c a l aspects of t h i s r i s k assessment
method, validated i n p r a c t i c e , seem substantial. Aerojet s a f e t y and r e l i a -
b i l i t y personnel a r e t e s t i n g t h e technique f o r use on r i s k s below those
which employ Aero j e t ' s d e t a i l e d , computerized techniques r e f e r r e d t o e l s e -
where ( e e g . , Vesely, 19'71).
For those s a f e t y professionals who have had d i f f i c u l t y venturing i n t o
t h e f i e l d of system s a f e t y , t h i s technique appeass t o be a "best b e t ."
Com~rehensiveAnalysis of Pro-iect o r System Risk. This model was
derived from one prepared by t h e National Transportation Board e n t i t l e d
l?
Framework f o r Analysis of Risks Created by Dangerous Goods Movement" (1971).
The model has been modified t o f i t t h e occupational s i t u a t i o n , and a few
aspects found t o be s u b s t a n t i a l i n occupational accidents have been added.
(The term "comprehensive" i s used only t o d i s t i n g u i s h f r o m Browning's "expedi-
ent" version. Note t h a t NTSB a p t l y called t h e model a "framework," which
term c o r r e c t l y implies t h a t t h e r e i s more t o be said!)
I n publishing its document on r i s k concepts t h e NTSB said t h a t t h e lack
of a framework f o r a n a l y z i n g r i s k s g i v e s r i s e t o s e v e r a l d e f i c i e n c i e s i n
solutions:
1. Lack of c l a r i t y and u n i f o r m i t y of s t a t e d purpose,
2. Unrecognized v a r i a t i o n s i n r i s k and c o s t s of p r e c a u t i o n a r y measures,
3. Vagueness i n s t a t e m e n t s of hazards, r i s k s and consequences,
4. U n c e r t a i n t y a s t o weights given v a r i o u s a s p e c t s of r i s k and r i s k
r e d u c t i o n , and
5. U n c e r t a i n t y a s t o i d e n t i t y and n a t u r e of t r a d e - o f f s between a l t e r n a t e
solutions.
The comprehensive model (Figure 21-3 ) seems l a r g e l y s e l f -explanatory.
A few comments may h e l p understand t h e concepts, t h e elements added and t h e
e x t e n s i o n s of Browning's model. Also NTSB's t e x t i s v e r y h e l p f u l t o t h o s e
who u s e t h e model,
System d e f i n i t i o n i s made more e x p l i c i t . Conceptual g r a s p and b e n e f i t s ,
and r e s e a r c h and measurement may be enhanced.
This model ( ~ i g u r e21-3) i n s e r t s f o u r e x p l i c i t f a c t o r s :
1. I n i t i a l development of performance and r i s k c r i t e r i a .
2. Some c o n s i d e r a t i o n of possible/probable changes--a major source of
trouble.
3. E x p l i c i t p r o v i s i o n f o r l i f e c y c l e and numbers--a powerful support
f o r p r e v e n t i v e measures.
4. A r o l e f o r standards--necessary by l a w , and important. (NTSB t a k e s
an understandably jaundiced view of ad hoc, consensus standards.
They can be good, and a r e p r e s e n t c o n s t r a i n t s . )
P r o b a b i l i t y a n a l y s i s elements a r e s p e c i f i e d i n some d e t a i l ,
"Unconventional events" --qon-routine modes, continnencies and emerpencies--
have been s p e c i f i c a l l y c a l l e d o u t i n t h e model. Types of chronic problems were
described on page 81, and c o n t r i b u t e t o t h e e x a s p e r a t i n g d i f f i c u l t y of d e t e c t i n g
and d e f i n i n g t h e s e t of e v e n t s which w i l l confound t h e r o u t i n e c a l c u l a t i o n s .
Browning d e a l t i n order-of-magnitude p r o b a b i l i t i e s - - t h e h i s t o r i e s of unconven-
t i o n a l modes suggest t h a t normal f a i l u r e p r o b a b i l i t i e s have a f a c t o r of s a f e t y
(xl0 o r 1 o r d e r ) t o compensate f o r u n a n t i c i p a t e d sequences, p a r t i c u l a r l y when
a n a l y s i s i s expedient. A taxonomy of unconventional e v e n t s might be h e l p f u l
i n developing a p r o j e c t - s p e c i f i c i n v e n t o r y of p o s s i b l e (even probable) events.
C e r t a i n l y i n t e r a c t i o n ( p a r t i c u l a r l y damage t o t h e system being considered)
from a d j a c e n t f a c i l i t i e s , and t h e p o s s i b l e r o l e of malevolence could be examined.
F a i l u r e of B a r r i e r s i s shown i n a s p e c i a l r o l e because of t h e frequency
w i t h which e v e n t s i n t h e p r o b a b i l i t y chain i n t e r a c t w i t h t h e consequence chain.
Figure 21-3. Commehensive Analysis of Project o r System Risk
evelop
ctions
1
rl
Define eeded
C r i t e r i a of
Performance
and Risk
Delineate
Probable and 0Components
Potential
Changes
0Controls
Life Cycle
Plan and
H Properties
a t Risk
,Energy Release
Life 6r System
Support Degradation
Consumptive Reaction
Process is i t e r a t i v e and requires
control and reanalysis of changes,
and feedback from audit, monitoring
of system operations, and measurement
0Emergency
Responses
Other , --
of r i s k e f f e c t s not diagrammed,,
- 220 -
Elements A t Risk and Loss Modes a r e intended t o be comprehensive, and
would s u b s t a n t i a l l y expand Browning's model.
Criteria. NTSB did not i n s e r t a r o l e f o r goals a t t h e d e c i s i o n point.
The r o l e of g o a l s analyzed a t t h e o u t s e t of t h i s chapter warrants t h e i r s p e c i f i c
inclusion. C e r t a i n l y Browning's goal, while p r a c t i c a l and valuable f o r physical
l o s s p o t e n t i a l s , f a i l s t o consider o t h e r major goals. A subproblem i n a n a l y s i s
o r g o a l s i s suggested by t h e comprehensive model's reference t o a spectrum of
consequences--an i n t e g r a t i o n of minor-major r e s u l t s (a format f o r $ l o s s e s
w a s suggested on page 43). Thus, both a n a l y s i s and c r i t e r i a can be expanded
i n coverage and d e t a i l t o estimate the spectrum (or as an expedient, t h e value
of any probable maximum l o s s perhaps should be increased by an order-of-magni-
tude t o account f o r t h e proportionate number of l e s s e r events l i k e l y t o occur
from subsidiary sequences ) .
Wilmotte (NASA,1971) provides a r e v e a l i n g a n a l y s i s of t h e f a c t o r s i n
r i s k assessment, p a r t i c u l a r l y t h e a t t r i t i o n of s a f e t y values under c o n f l i c t i n g
pressures.
***
It would be extremely valuable t o have d a t a on t h e r e l a t i v e r o l e s of t h e
various types of r i s k s i n the h i s t o r i e s of s e r i o u s accidents. The i n d i v i d u a l
cases analyzed i n t h i s study strongly support t h e proposition t h a t :
It i s u n c e r t a i n t i e s i n t h e analvtic-decision mocesses which ~ r o d u c e
t h e s e r i o u s events, r a t h e r than named c a l c u l a t e d r i s k s .
Thus, t h e S p e c i f i c ( l e f t hand s i d e ) of t h e MORT diagrams can be used t o
d e t e c t t h e r i s k s t h a t management assumed, knowingly o r unknowingly. If know-
i n g l y , and r i s k assumption i s a proper and necessary f i n c t i o n , t h e accident
can be s a i d t o be due t o c a l c u l a t e d r i s k . However, t h e risk more frequently
was unalayzed and perhaps unknown, o r an "uncertainty" due t o a d e f e c t i n
a n a l y t i c o r preventive process.
A l l of t h e r i s k assessment system i s a p a r t of management implementation.
However, f o r convenience, discussion of t n e remaining portions of t h e system
i s i n t h e following sections:
Part V I - The Hazard Analysis Process
Part V I I - Work Flow Process
Part V I I I - Information System
Part M - Safety Program Review
The Hazard Analysis Process i s l a r g e l y unstated i n most organizations,
DOD, AEC and NASA being t h e exceptions, and we s h a l l borrow l i b e r a l l y from them.
Information and measurement systems are mostly primitive, and even where
well developed, seem t o f a i l t o provide types of data c r i t i c a l for decisions.
The meaning of the standard accident r a t e s i s ambiguous and misleading,
and present data on circumstances and causes i s questionable and has l i t t l e
decision value. Much accident data now stored i n computers i s so l i t t l e used
it could a s well be stored i n 18th century ledgers.
Some ideas f o r improved use of data f o r predictive o r decision purposes
are emerging. Ideas f o r b e t t e r computer-based use of data are being tested.
However, many t e s t s w i l l be needed before even present accident data are used
filly and properly; development of new, more useful data i s even more d i f f i c u l t .
Safety prcgram review i s sporadic and unorganized i n most organizations
(until after disasters) . A p a r t i a l exception i s audit and appraisal of subsid-
i a r y plants, but even here c r i t e r i a are weak. Most organizations lack a
simple outline or l i s t of what the safety program i s . Where a safety manual
e x i s t s , major e l e m n t s of actual program are often omitted.
Juran has an i n t e r e s t i n g c l a s s exercise: Design an "Executive Instrument
Panel" f o r a major problem. This i s a statement of the safety program measure-
ment problem.
VI. HAZARD ANALYSIS PROCESSES
The Hazard Analysis Process must be conceptualized and
defined. The f a i l u r e t o do s o i s probably t h e most g l a r i n g
s i n g l e weakness i n present-day p r o f e s s i o n a l s a f e t y work.
Cookbook recommentations, while u s e f u l and needed, f a i l
t o c l a r i f y t h e a n a l y t i c p r o c e s s o r method and t h e r e f o r e may
u n n e c e s s a r i l y i n h i b i t performance o r f a i l t o c o n t r o l
p o t e n t i a l l y hazardous innovations.
The l a c k of concept d e f i n i t i o n r e s u l t s i n a f a i l u r e t o
educate management, s c i e n t i s t s , and e n g i n e e r s i n t h e
i n t e l l e c t u a l d i s c i p l i n e s of t h e s a f e t y process.
A hazard a n a l y s i s should be r e q u i r e d f o r e v e r y a c t i v i t y .
The scope w i l l encompass t h e f u l l range o f p o t e n t i a l i n j u r y -
producing e n e r g i e s . The d e p t h of t h e a n a l y s i s should be
s c a l e d t o t h e magnitude of e n e r g i e s and o t h e r concerns, such
as program impact.
- 225 -
22, SYSTEM SAFETY AND HAZARD ANALYSIS
Two complementary system s a f e t y processes a r e i m p l i c i t and intertwined

i n the MORT diagrams of the Hazard Analysis Process (HAP), They a r e Life
Cycle phases and Safety Precedence Seauence (SPS). These processes have
been d e t a i l e d i n many ways i n the l i t e r a t u r e and a r e frequently alluded t o
i n t h i s t e x t , but a s p e c i f i c enumeration of the two processes a s r e f l e c t e d
i n MORT analysis i s warranted.
Life Cycle Phases a r e considered t o be:
1. Conception (including d e f i n i t i o n and requirements)
2. ~esi~n/Development
3. ~ a n uacture/~onstruction/Ins
f t a l l a t i o n of system components
4. Operation--procedures, personnel, maintenance, etc.
5. Disposal.
Recognition of the phases i n the l i f e cycle is frequent i n t h e l i t e r a -
t u r e , including AEC guidelines, but implementation of the concept is "LTA".
Even a f t e r the l i f e cycle phases a r e recognized, there i s a tendency t o do
s a f e t y analysis too l a t e . Consequently, some NASA requirements (1970) a r e
pertinent:
"Preliminary hazard analysis involves a comprehensive q u a l i t a t i v e
study of planned systems and equipments i n the intended operating
environment. Energy sources and inadvertent release of materials
should be areas of emphasis.. . provide the b a s i s f o r establishing
s a f e t y c r i t e r i a f o r inclusion i n the performance and design speci-
fications. -
"Detailed hazard analyses employing suitable a n a l y t i c a l techniques
must be employed i n the d e f i n i t i o n and design phases t o f u r t h e r iden-
t i f y p o t e n t i a l hazards and t o determine methods f o r the elimination
o r control. These analyses must cover the planned systems and sub-
systems with emphasis on the interfaces between these systems and
subsystems. The r e s u l t s of r e l i a b i l i t y , timeline, human e r r o r , ...
analyses must be used and extended wherever appropriate ..
"Operating hazard analyses must be conducted t o determine safety
requirements f o r personnel, procedures, and equipment used i n i n s t a l -
l a t i o n s , maintenance, support, t e s t i n g , operations, emergency escape,
egress, rescue and t r a i n i n g . The r e s u l t s ... w i l l provide the b a s i s
f o r design changes t o eliminate hazards o r provide s a f e t y devices.
They a l s o w i l l i d e n t i f y p o t e n t i a l hazardous operation time spans and
determine the need f o r s p e c i a l procedures t o be used i n servicing,
handling, storage and transportation.''
Safety Precedence Sequence i s here defined as:
1. Design
2. Safety Devices
3 . Warning Devices
4. H m n Factors review (recycling through previous three phases)
5. Procedures , including emergency procedures
6. Personnel
a. Supervision
b. Selection
c. Training
d. Motivation
7. Residual Risks.
Also from NASA, we have the following l i s t i n g of f i v e elements i n the
Safety Precedence Sequence :
1. "Design f o r Minimum Hazard. The major e f f o r t throughout the design
phases must be t o insure inherent s a f e t y through t h e selection of
appropriate design features such a s f a i l - s a f e devices, redundancy,
and increased ultimate s a f e t y f a c t o r .
2. "Safety Devices. Known hazards which cannot be eliminated through
design s e l e c t i o n should then be reduced t o the acceptable l e v e l
through the use of appropriate s a f e t y devices a s p a r t of the system,
subsystem, o r equipment.
3 . "Warning devices. Where it i s not possible t o preclude the existence
o r occurrence of a known hazard, devices should be employed f o r the
timely detection of the condition and the generation of an adequate
warning signal. Warning signals and t h e i r application must be de-
signed t o minimize the probability of wrong signals o r of improper
personnel reaction t o the signals.
4. "Special Procedures. If the possible e f f e c t s of an e x i s t i n g o r poten-
t i a l hazard cannot be reduced through design, o r the use of safety
and warning devices, s p e c i a l procedures must be developed t o enable
crews t o perform c r i t i c a l f'unctions once an emergency has developed.
It w i l l be seen t h a t NASA items 1-4 a r e included i n the SPS sequence and

NASA's item 5 i s last i n the MORT SPS sequence. Actually, NASA, i n other
documents, covers SPS items 4 and 6.
Review of the l i t e r a t u r e on the broad range of human f a c t o r s and r o l e s i n
accidents reveals a dearth of research, often c o n f l i c t i n g findings, and r e a l
d i f f i c u l t y i n developing any system&tic views useful i n arranging program p r i -
o r i t i e s o r measuring program and program effectiveness. However, there are
t o p i c a l areas which seem t o proceed roughly i n descending order of degree of
c e r t a i n t y i n knowledge, and t h i s a l s o seems t o be, i n p a r t , a descending order
of closeness t o the operational e r r o r s and behavior which immediately precede
t h e accident. Zhus, a u s e f u l extension of the Safety Precedence Sequence
was postulated :
4. Human Factors Engineering Review
5. fiocedures, p a r t i c u l a r l y Job Safety Analysis ( l e s s sophisticated
than HFE)
6. a. Supervision
6. b. Selection
6. c. Training, p a r t i c u l a r l y J e 1. T.
6. d. Motivation
a . Innovation Diffusion - a t t a i n i n g desired changes
b. Group and S o c i a l influences
c . Influencing individuals
(1)Human r e l a t i o n s , mental h e a l t h , alcohol programs
(2) A t t i t u d e s and p e r s o n a l i t y
d. Safety Communication Programs
( 1 ) Planning models
( 2 ) Communication guides
( 3 ) Program a n a l y s i s .
The d e t a i l s of these sequences of t h e human ele~llentsa r e worked i n t o the
MORT a n a l y s i s .
It seems u s e f u l t o express the two p r i n c i p a l concepts of the scope and
nature of Hazard reduction as a matrix with a succession aspect, l e f t t o right:
Figure 22-1. Sequential Relation of SPS and L i f e Cycle
SPS I. 11.
nception I relopment ICnstallation Operation Disposal
1. Design 4
2. S a f e t y Devices
3 . Warning Devices
4. H. F. Review
5. Procedures
6. a. Supervision
Selection
Training z
Motivation z
7. Residual Risk 1
The f i g u r e suggests t h a t s a f e t y e n t e r t h e process very e a r l y and i n f'unda-
mental ways (AM) r a t h e r than very l a t e and i n i n f e r i o r ways (zz).
I n general, t h e MORT diagram proceeds from l e f t t o r i g h t f o r both the
-
l i f e cycle and t h e Safety Precedence Sequence.
The p r i n c i p l e s of review a t various l i f e cycle phases a r e s u f f i c i e n t l y
important t o provide a quotation from an e a r l i e r r e p o r t on t h e Bevatron a t
Lawrence, which a l s o exemplifies o t h e r d o c t r i n e outlined i n t h i s t e x t : -.
During t h e v i s i t s t o Lawrence, considerable i n t e r e s t centered on t h e Beva-

t r o n because it' provides a p r a c t i c a l example of use of system s a f e t y p r i n -
c i p l e s . and thereby may o f f e r i n s i g h t a s t o how g e n e r a l laboratory o r
general occupational procedures may be upgraded.
Lawrence gave important a s s i s t a n c e i n t h e development of t h e "Safety Guide-
l i n e s f o r High Energy Accelerator F a c i l i t i e s " ( ~ . ~ , 1 9 6 7
prepared
) by t h e
National Accelerator S a f e t y Committee. The Guidelines have been d e t a i l e d ,
expanded, and s p e c i f i e d i n "Rules and Procedures f o r t h e Design and Opera-
t i o n of Hazardous Re search Equipment a t t h e Bevatron and 184-inch Cyclo-
tron," A p r i l 9, 1968, a s u b s t a n t i a l looseleaf manual.
The management of t h e Bevatron exemplifies i t s personal concern and a c t i v i t y
on behalf of s a f e t y , even a s t h e looseleaf manual v i s i b l y d i s p l a y s concern.
Lawrence personnel a r e a l s o p r o f e s s i o n a l l y a c t i v e i n laboratory s a f e t y .
probably most s i g n i f i c a n t i s t h e o r a l expression of p o l i c y and p r a c t i c e
by Bevatron management.
Manual provisions worthy of a t l e a s t b r i e f comment include statements f i x -
i n g p o l i c y and r e s p o n s i b i l i t i e s , a u t h o r i t y t o s t o p hazardous operations,
and d i s c i p l i n e ; a l a b s a f e t y organization which includes Hazardous Equip-
ment Safety Review, Engineering Safety and E l e c t r i c a l Safety Committees;
provisions f o r review e a r l y i n t h e l i f e cycle, design review and continu-
i n g review, and emphasis on procedures and c h e c k l i s t s , a s w e l l a s physi-
c a l standards.
An engineer i s assigned t o work with an experimenter a s soon a s a p r o j e c t
i s approved. He and t h e operating group as a whole provide s u b s t a n t i a l
s e r v i c e s and equipment t o h e l p t h e experimenter do what he wants t o do--
m. And t h e engineer monitors t h e experiment continuously, p w t i c u -
l a r l y f o r changes.
It seems almost superfluous t o add t h a t t h e Bevatron i t s e l f d i s p l a y s many
b u i l t i n safeguards. The experimental f l o o r i s , however, an a r e a of con-
tinuous change which poses g r e a t hazard p o t e n t i a l s of a l e s s e x o t i c nature,
e.g., crane operation and t r i p p i n g hazards. There was evidence of a t t e n -
t i o n t o high hazard p o t e n t i a l s , such a s t h e crane, and t h e r e was seemingly
l i t t l e s t a t i s t i c a l evidence t h a t t h e minor hazards, such a s t r i p p i n g , were
i n f a c t causing t r o u b l e .
I n Lawrence a s a whole t h e r e i s a system of "Building S a f e t y Supervisors"
appointed from among t h e s c i e n t i f i c o r t e c h n i c a l personnel of the building.
Thus, a s w e l l a s i n t h e t h r e e major committees, t h e r e i s heavy r e l i a n c e
on "peers" t o influence and guide research personnel.
The broad p o l i c y questions seemingly posed by t h e Guidelines and t h e Beva-
t r o n manual a r e :
1. I s research i n t h e l a b o r a t o r y as a whole d i f f e r e n t only i n l e v e l of
energy and value of f a c i l i t y ?
2. If t h e d i f f e r e n c e s a r e r e l a t i v e only t o t h e two above c r i t e r i a , can t h e
Bevatron plan and l o g i c be applied i n t h e l a b a s a whole?
3. How would t h e above c r i t e r i a determine change i n t h e degree of c o n t r o l
over hazards?
4. What a d d i t i o n a l c r i t e r i a a r e r e l e v a n t , e.g., cost?
A more s p e c i f i c comparison of Bevatron plans with t h e MOHT t r e e may
s e r v e a s a two-way t e s t .
Responsibility fixed .
The experimenter i s responsible. However, t h e
b u i l d i n g supervisor has a u t h o r i t y t o shut down o p e ~ a t i o n so r r e q u i r e
h i g h e r standards of p r o t e c t i o n .
Triffners. The major t r i g g e r is a newly-approved experiment, f o r which
a formal hazard review process i s e s t a b l i s h e d . Engineering s u r v e i l l a n c e
on t h e experimental f l o o r provides change review. I n a d d i t i o n , p e r i o d i c
review i s required.
Knowled e. Both knowledge and t e c h n i c a l a s s i s t a n c e (such a s an assigned
& a r e provided t o experimenters. L i s t s of a p p l i c a b l e codes and
c r i t e r i a a r e augmented by lists of resource persons f o r s p e c i a l problems.
Some equipment, e.g., hydrogen bubble chambers, is furnished.
HAP -- defined.
E a r l y review i s required. I n t h e conceptual stage a Lawrence physi-
c f s t reviews t h e experimenter's s t a t e d requirements t o h e l p screen
and l i m i t energy a s f e a s i b l e , and thereby reduce subsequent c o n t r o l
problems and emergency procedures .
Independent review of experimenter plans i s provided f o r conception,
design, pre-operation, and operation.
Procedures, c h e c k l i s t s , schematics, l o g s , maintenance plans, and
emergency procedures a r e required.
Training i s required where necessary.
Monitoring i s provided by engineers.
Documentation i s required ( a s i t i s on design and t e s t of pressure
vessels i n general).
Some forms of s a f e t y a n a l y s i s - e.g., f a i l s a f e , redundancy, and t e s t
and q u a l i f i c a t i o n s a r e s p e c i f i e d .
Other Aspects:
Goals f o r a c c e l e r a t o r s have been conceptualized ( ~ e r n a n d e z ,1969).
Maintenance of t h e a c c e l e r a t o r i t s e l f i s planned and schedules compu- -
t e r i z e d . The maintenance schedule i s adjusted by experience. A 90%
o p e r a t i n g e f f i c i e n c y h a s been a t t a i n e d , and t h e preventive program has
caught p o t e n t i a l generator f a i l u r e s of c r i t i c a l s i g n i f i c a n c e . The
s k i l l s required f o r maintenance ("heads not hands") have been defined.
Redundancy and F a i l Safe p r i n c i p l e s a r e evident i n t h e design of the
machine i t s e l f .
Audit Plans by a Lawrence i n t e r n a l group r e p r e s e n t i n g a l l a c c e l e r a -
t o r s were r e c e n t l y i n s t i t u t e d and provide an i n t e r e s t i n g confirmation
of some i n d u s t r y f i n d i n g s , namely,-the most rigorous i n s p e c t i o n s a r e
those of p e e r s e x p e r t i n t h e operations.
Catastrophe P o t e n t i a l . The explosion (and f i r e ) p o t e n t i a l f o r chemical
p l a n t s r e f x e c t s t h e same kinds of considerations which l e d t o system s a f e t y i n
aerospace work - new e x o t i c processes i n l a r g e r and l a r g e r magnitudes. The
precautions a l r e a d y taken and t h e causes of a c c i d e n t s which do occur r e f l e c t i n
some degree t h e same g e n e r a l p r i n c i p l e s and approaches used i n system s a f e t y ,
- 230 -
f o r example: provision of successive layers of defenses; automatic monitoring;
shut-off, and deluge systems; research on material c h a r a c t e r i s t i c s with p a r t i -
c u l a r need t o simulate operating conditions f o r such concerns a s pressure,
temperature, corrosion, etc.; automatic metering; consideration of r e l i e f and
venting coupled with safe disposition of vented materials; b e t t e r design of
emergency procedures; e t c . The h i s t o r i e s of some chemical plant explosions
reveals inadequate a t t e n t i o n t o the "What happens i f ... ? I 1 question. Also,
the l i t e r a t u r e is s i l e n t on such aspects a s design &otocols, information
search, and independent review.
One B r i t i s h chemical company has reported use of the Fault Tree method
and a quantified l e v e l of r i s k as a c r i t e r i o n i n chemical plant design.
Browning's expedient f a u l t - t r e e method was reported i n Chapter 21.
Some highly regarded s a f e t y engineers i n the chemical industry have
reportedly said t h a t system s a f e t y is not needed, and is j u s t a new name f o r
w h a t i s already being done (santos, 1967) . Neither view i s believed t o be
correct.
Certain catastrophe p o t e n t i a l s (e.g., i n chemical p l a n t s ) appear t o be
r e l a t i v e l y discontinuous with the incidence of minor events. F i r e s , on the
other hand, appear t o be more continuous. This frequency-severity relationship
f o r f i r e should be explored with matrices, because i f such analyses a r e v a l i d ,
they o f f e r a new way of showing management the long-term p o t e n t i a l s .
The transportation of hazardous materials i s an area of increasing national
concern, and it seems correct t o say t h a t the pace of improvement i n U. S.
Department of Transportation (DOT) programs i s too slow - the problems a r e grow-
ing more rapidly than controls. (NTSB, 1971)
Four aspects of the transportation problem can be i d e n t i f i e d f o r appro-
p r i a t e study and action:
1. Package design c r i t e r i a should be improved and modernized. Crash
resistance i s a c r i t e r i o n hardly recognized.
2. Emergency procedures a r e not e f f e c t i v e l y transmitted t o a s i t e of an
emergency. Talk of educating small town f i r e d e p a r t w n t s i s l a r g e l y non-
sense. A rapid information system f o r i d e n t i f i c a t i o n and recommendations
on a 24-hour b a s i s i s required, a s well a s placards and instructions
accompanying the vehicle.
3 . Transportation hazards sometimes sky-rocket when incompatible materials
a r e transported together and i n t e r a c t i n a crash. Subdivision of mag-
nitudes can be employed, a s w e l l as separation.
4. Plants a r e exposed t o two types of hazards:
a . Materials being delivered.
b. Exposure t o
(1) Ad jacent plant p o t e n t i a l s
(2) Materials i n t r a n s i t on adjacent t r a f f i c ways.
The National Transportation Safety Board has emphasized system s a f e t y i n
i t s work from i t s inception. For example, i n a r e p o r t (1971) of a l i q u e f i e d
oxygen tank t r u c k explosion, NTSB concluded a l i s t i n g of numerous f a c t o r s with:
" t h e absence of a requirement f o r a systematic search f o r hazards during
t h e development of t h e v e h i c l e ;
"gaps i n t h e scope of t h e d i f f e r e n t kinds of hazards addressed i n e x i s t i n g
codes and standards."
The system s a f e t y approach would imply t h a t management a t each l e v e l has
"most s e r i o u s r e s i d u a l r i s k " l i s t s i n order of s e v e r i t y and c r i t i c a l i t y a v a i l -
a b l e a t a l l times.
During t h e MORT T r i a l s a t Aerojet, a problem on t h e " p r i o r i t y problem
l i s t , " namely, overhead crane operation a t r e a c t o r s , was chosen as a c l a s s
e x e r c i s e i n a p p l i c a t i o n of t h e MORT hazard a n a l y s i s process. Various a s p e c t s
were i n v e s t i g a t e d by c l a s s members. Although t h e cranes a r e a l r e a d y high-
r e l i a b i l i t y cranes, p a r t i c i p a n t s and managers f e l t t h e study quickly revealed,
and i n an o ~ d e r l yway, t h e s e r i o u s gaps i n crane technology and operation.
Many of t h e f a c t o r s , e.g., human f a c t o r s engineering, a r e d i f f i c u l t t o r e c t i f y
at a local level. A need f o r n a t i o n a l study along s i m i l a r l i n e s w a s indicated.
General design l i t e r a t u r e shows i n c r e a s i n g concern f o r devices and methods
which h e l p prevent oversight and optimize s o l u t i o n s . Many such methods p a r a l l e l
s a f e t y - r e l a t e d techniques, e.g., c r i t e r i a - s o l u t i o n matrices, c y c l i c o r i t e r a -
t i v e processes, f a i l u r e modes, and provision f o r feedback. Some design con-
c e p t s o r methods a r e , however, l e s s formally s t r u c t u r e d , and a r e intended -to
develop open-mindedness a s w e l l a s t h e search f o r oversight, e.g., the use-of
t h e s i x fundamentalquestions: What? When? Where? Who? How? and Why? And
t h e s e h i s t o r i c search questions can be used i n a three-dimensional examination
of Media (information channels), Meaning (purposes and a c t i o n values) and Matter
( t h e p h y s i c a l f a c t o r s ) t o produce a s t r u c t u r e d search (Turner, 1968). From
t h e l i t e r a t u r e it appears t h a t t h e more open-ended forms of inquiry have gained
favor i n England, and the more d i s c i p l i n e d , but narrower, a n a l y t i c forms have
been used i n t h e U. S. Each approach has i t s merits and disadvantages, both
should probably be used.
whether design i s done i n t e r n a l l y o r by outside c o n t r a c t , it is increas-
i n g l y - c l e a r t h a t t h e customer, t h e u s e r of designs, w i l l be d i s s a t i s f i e d with
t h e products he r e c e i v e s , u n l e s s he has s p e c i f i e d t h e H a a d Analysis Process
he wants. F a i l i n g t h i s , t h e q u a l i t y of what he buys i s highly v a r i a b l e and
produces l a t e r troubles.
Since the c o s t s of a thorough, complete hazards a n a l y s i s a r e a r e c u r r e n t
problem, it i s w e l l t o place system s a f e t y a n a l y s i s c o s t s i n perspective - as
a general matter, successive c o s t l a y e r s may approach a 1 t o 20 r a t i o i n terms
of long-term operations, a s suggested by Figure 22-2.
The d i f f i c u l t y of optimizing long-term operating c o s t s and b e n e f i t s without
thorough system s a f e t y a n a l y s i s i s comparable i n d i f f i c u l t y t o balancing one
of t h e Great Pyramids of Egypt on i t s apex!
Figure 22-2. Costs of Svstem Safetv i n P e r s ~ e c t i v e
The r e s u l t s of a p r a c t i c e of s t i n t i n g t h e design phase and making l a t e r

c o r r e c t i o n s a r e shown below:
Figure 22-3, High Costs of R e t r o f i t and Recall
Present P r a c t i c e
Design Operations
23. A HAZARD ANALYSIS PROCESS DEFINED
I n the t h i r d generation MORT diagrams, the "Hazard Review Process" was

defined t o include the "Triggers" f o r use of hazard analysis. The fourth
generation MORT l i s t postulates the t r i g g e r s coming from the Monitoring and
Information Systems discussed i n Past VIII. However, the o r i g i n a l discussion
of t r i g g e r s , a s such, i s helpful i n seeing how the Hazard Analysis Process works.
Gc1 Triggers. Stimuli f o r the Hazard Analysis Proeess are needed.
a 1 Planned Changes. Historically, planned changes, such a s new construction,
a l t e r a t i o n s , new processes or machines, new materials, and new employees have
triggered accident prevention processes. %e l o g i c and accident experience suggest
an expansion of these opportunities f o r safety improvement, and increased formali-
zation and d e t a i l i n g of such t r i g g e r s i n approval channels.
Clearly the r a t h e r common s a f e t y review of plans and designs ( a f t e r comple-
t i o n ) should be preceded by the v a s t l y more p r o f i t a b l e review and input a t ,
conceptual stages. (strangely, not a l l s a f e t y engineers are eager t o get i n
a t the conceptual stage.)
Management should a l s o be aware of t h e common complaint t h a t the s a f e t y
group i s not t o l d of plansunti1 too l a t e . Management can e a s i l y correct t h i s
by withholding project approvals.
There a r e r e a l problems i n upgrading s a f e t y programs. But there seems t o
be l i t t l e or no excuse f o r f a i l i n g t o a t l e a s t t r y t o apply HAP i n f u l l t o the
next few l a r g e r planned changes . These are opportunities .
Accident investigations should always cover the hazard analysis procedures
i n effect when f a c i l i t i e s o r equipment were installed. If documents relevant t o
hazard analysis a r e lacking (as they often a r e ) , the lack should be noted.
a2 Unplanned Changes. Unplanned changes (normally unreviewed) i n people,

machines, work and environment commonly show up a s f a c t o r s i n accidents.
Better change detection techniques, especially f o r supervisors, and monitoring
f o r change i s e s s e n t i a l .
Periodic review requirements can detect unplanned, unreviewed changes.
a3 HIPO1s. High p o t e n t i a l s i t u a t i o n s , whether a c t u a l o r p o t e n t i a l incidents,

should be screened and collected from a l l possible sources. I n l i n e with t h e
"Pareto Principle" a small number of incidents will prove t o have the large
p o t e n t i a l f o r l o s s . A search-out plan f o r such incidents should be i n e f f e c t .
Allison (1965) has written extensively on experiences with HIP0 reporting
and analysis systems. However, the point t h a t a l l available data sources be
screened f o r HIFQ c h a r a c t e r i s t i c s seems more valuable than any specific method
of reporting o r analysis. Small numbers of HIFOfs a r e reported i n a c t u a l sys-
tems, f o r example, 3 HIPO's werereported a s compared t o 1,000 first aid cases
a t Sandia .
a4 C r i t i c a l Incidents. C r i t i c a l incident reporting has y e t t o be proven
p r a c t i c a l f o r trend analysis. However, the r e p o r t s collected have proven t o be
extremely helpful raw material f o r the hazard reduction m i l l , and a ~ . p r o b a b l y
second only t o serious accidents a s an information source. (see Chapter 37 and
Appendix D. )
a6 New Information. Results of research, i n c i d e n t r e p o r t s , new standards,
a l l provide t r i g g e r s f o r t h e review process. A t e s t , r e t r o s p e c t i v e i n a c c i -
dent i n v e s t i g a t i o n , i s whether a l i t e r a t u r e search would r e v e a l t h a t new
information was published but was not detected o r not used.
a 7 P r i o r i t y Problem L i s t s . Management should, a t a l l times, know what i t s

most s i g n i f i c a n t assumed r i s k s o r worst p o t e n t i a l s a r e thought t o be. The u s u a l
second order e f f e c t of such a l i s t i s a c t i o n t o reduce r i s k .
The recent " F i r e Safety and Adequacy of Operating Conditions" r e p o r t s
prepared a t AEC s i t e s a r e good i l l u s t r a t i o n s of t h e value of "worst p o t e n t i a l
l i s t s , " and much i s being accomplished i n eliminating the hazards revealed.
This study contemplates t h e preparation of PPL1s on a continuing b a s i s ,
and a s a two channel process through t h e l i n e organization a s w e l l a s the s a f e t y
d e p a r t w n t . (such a process avoids some of t h e problems associated with a
crash project."
The PPL's obtained informally from s a f e t y engineers a t two AEC s i t e s d i d ,
i n f a c t , c o n s i s t of matters deserving of management a t t e n t i o n , and subsequent
e x e r c i s e s a t Aerojet and i n a seminar confirm t h e i r value.
The hbsence of PPL's r e s u l t s i n major problems going without formal review,
u n t i l an accident occurs. (PPL i s not t h e same a s "worst c r e d i b l e catastrophe1'
used i n AEC nuclear s a f e t y plans f o r advance planning and review. PPL i s t h e
r e s i d u a l a f t e r review and reduction. )
The f o u r t h generation of MORT l i s t s t h e Hazard Analysis Process (HAP) a s
shown i n Figure 23-1.
The m a t e r i a l explaining t h e Hazard Analysis Process is organized as

follows :
Chapter 24
Conceptual Phase
Chapter 25 I Chapter 26
Human
particularly: Factors
Analysis Plan ---b
Information ------b -
Phase Review
I Chapter 27
a good, b a s i c Desim Organization
1
including R e l i a b i l i t y and Quality
Chapter 28, Independent Review

I
Introducing Improved Hazard Analysis Processes.
Even i n an e f f e c t i v e organization t h e introduction of a higher l e v e l Hazards
Analysis Process i s l i k e l y t o c o n s i s t of a moderately l a r g e number (5-10) changes
i n t h e HAP. I f t o o many changes a r e made a t t h e same time, t h e r e may be r i s k
of d i s r u p t i n g t h e e x i s t i n g system which has been working w e l l .
Figure 23-1.
HAZARD ANALYSIS PROCESS
1. Concepts and Requirements 2. Design and Development Procedures

a . Specify Goals 6 T o l e r a b l e R i s k s a . Energy C o n t r o l Procedures
(1) S a f e t y (1) Unnecessary Exposed Hazards
(2) Performance (2) Under Design
b. S a f e t y A n a l y s i s C r i t e r i a (3) Automatic C o n t r o l s
(1) P l a n ' (4) Warnings
(2) s c a l i n g Mechanism (5) Manual C o n t r o l s
(3) A n a l y s i s Methods (6) S a f e Energy Release
(4) Require A l t e r n a t i v e s (7) Barriers
(5) S p e c i f y s a f e t y precedence sequence b. Human F a c t o r s Review
(e.g., p r i o r i t y f o r d e s i g n ) c. Maintenance P l a n
'(6) Analyze Environmental Impact d. I n s p e c t i o n P l a n
c. S p e c i f y Requirements C r i t e r i a e. Arrangement
(1) AEC f . Environment
(2) OSHA g. O p e r a b i l i t y S p e c i f i c a t i o n s
(3) Other F e d e r a l (1) T e s t and Q u a l i f i c a t i o n
(4) S t a t e and Local (2) S u p e r v i s i o n
(5) Other National Codes, Standards, (3) Procedures C r i t e r i a
and Recornmendat i o n s (4) Personnel S e l e c t i o n
(6) I n t e r n a l Standards (5) Personnel T r a i n i n g & Q u a l i f i c a t i o n
d. s p e c i f y Information Search (6) Personnel Motivation
(1) Nature (7) Monitor P o i n t s
(2) Scope (8) Emergency P l a n s ( i n c l u d i n g
e. L i f e Cycle Analysis amelioration)
(1) S p e c i f y L i f e Cycle Scope h. Change Review Procedures
(2) Require L i f e Cycle Use, and i. D i s p o s a l P l a n
F a i l u r e Estimates j. 1ndependent &view
(3) Require S a f e t y F a c t o r s f o r (1) T e c h n i c a l l y Competent
Extended Use (2) Method & Content
k. Configuration C o n t r o l
N.B. The b a s i c d e s i g n process 1. Documentat i o n
must meet such c r i t e r i a as RDT n. F a s t Action, Expedient Cycle
Standard F2-2T, USAEC.
WHAT ELSE ? . WHEN ANALYSIS ENDS, ALL ELSE IS HUNCH !

The approach used has been t o perform an evaluation of present p r a c t i c e s
and list the improvements needed t o a t t a i n t h e higher standards. Then t h e
improvements a r e ranked i n an estimated order of importance. The most impor-
t a n t one o r two a r e introduced. When these a r e running smoothly, and have
j u s t i f i e d themselves, one o r two more can be considered.
An o u t l i n e f o r innovation follows:
1. Select a p o t e n t i a l l y important f a c e t .
2. Develop a protocol a s t o how the impravetcent might be made.
3. Try out the protocol on one o r two p r o j e c t s i n each area.
4. Assess r e s u l t s and values a s necessary, and revise.
5 . Try again, now including t h e protocol a s an independent review c r i t e r i o n .
6. Based on experience, prepare appropriate d i r e c t i v e s .
An a l t e r n a t i v e is t o apply i n d e t a i l a high-grade Hazard Analysis Process
t o one major new project.
24. CONCEPTSAND mQUIFZMENTS - THE CONCEPTUALPHASE
The importance of introducing s a f e t y i n t h e i n i t i a l stages of concept
and d e f i n i t i o n of requirements simply cannot be overemphasized. A l l too
often energies t o be used a r e not limited o r a l t e r e d , and s u b s t i t u t e processes
a r e not u t i l i z e d . Further, the common p r a c t i c e of s a f e t y review of completed
plans g e t s too l i t t l e s a f e t y because it i s too l a t e i n t h e design process.
Case h i s t o r i e s of p o s i t i v e contributions of s a f e t y i n the conceptual stages
should be systematically collected ( a few a r e reported from Lawrence).
MORT analysis of serious accidents confirms the values i n t h e conceptual
functions :
1. Unspecified " t o l e r a b l e risks" turned out t o be i n t o l e r a b l y large!
2. Safety input was often n i l .
3. Energies used were g r e a t e r than were needed f o r performance, and the
e x t r a , unneeded energy r a i s e d both c o s t s and trouble p o t e n t i a l .
4. S u b s t i t u t e s a f e r processes were not used.
"Openmindedness," a c r i t e r i o n once suggested by C. 0, Miller of the
National Transportation Safety Board, is often not evident. Rather t h e oppo-
s i t e , "We've always done it t h a t way."
I n t h e conceptual stage it i s h e l p f u l t o look a t the widest possible range
of considerations. For example :
1. Does " r e l i a b l e c o n t r o l of workf' assure t h a t energy i s controlled and
d i r e c t e d t o maximize performance? Are work controls a l s o s a f e t y controls?
2 . Would s u b s t i t u t e processes ( e .g., material handling equipment) help
performance a s w e l l a s safety?
3. Do s a f e t y c r i t e r i a play a proper p a r t i n decision information, f o r
example, would a p l a n t s i t e s e l e c t i o n c r e a t e commuting hazards? Would
people d r i v e i n t o t h e sun coming and going? Is terrai.n h i l l y ?
Are roads poor?
The conceptual phase o f f e r s t h e g r e a t e s t opportunity f o r most s a f e t y a t
l e a s t cost.
('The numbering system i n the following section conforms

t o the revised MORT, Figure 23-1.)
la. Specify Tolerable Risks and Goals

1 1 ) Safety (see previous discussion of Goals)
(2) Performance--what output over w h a t time, with w h a t r e l i a b i l i t y and
quality?
The s e t of values, e.g., minimizing adverse public o r employee r e a c t i o n s ,

concern f o r public o r customer protection, minimi~ingsystem disruption o r
f a i l u r e , long-term e f f e c t s (rather than short-term) may be given desired
emphasis i n the goal statement.
lb. Safety Analysis C r i t e r i a

1 1 ) Plan. The primary system s&ty requirements a r e defined as:
1. A system safety plan,
2. Hazard Analysis (defined ) ,
3. Safety Precedence Sequence.
The system safety plan i s e s s e n t i a l l y "who does what and when" i n analysis,
study and development. A detailed l i s t i n g of specific safety tasks t o be per-
formed and scheduled milestones t o measure performance are provided. Specifi-
c a l l y , there i s provision f o r safety assessment i n a l l program review.
An excellent overview of analysis plans i s provided by three figures from
the NASA System Safety Manual (1970) :
Figure 24-1. Safety Interfaces and Ty-pical Data Flow
Figure 24-2. System Safety Activities Functional Flow
Figure 24-3. Safety Analysis - Program Activity Relationship.
It i s c l e a r from figures 1 and 3 t h a t system safety, a s with design gener-
a l l y , i s an i t e r a t i v e process.
Despite the thoroughness of system safety work, the cost of system safety
i s reported t o be only 2% t o 4% of engineering costs in DOD.
(2) Scaling Mechanism. We do i n practice scale the seriousness of events

and possible events. And indeed we must scale events by some c r i t e r i a i n order
t o put a major portion of, available resources i n t o major problems.
From a humane view, we w o a l i k e t o prevent a l l accidents. But it simply
i s not p r a c t i c a l t o put a "gold-plated" e f f o r t i n t o each of the numerous acci-
dent problems which frequently r e s u l t i n minor i n j u r i e s . By some indefinite,
but very r e a l , yardsticks, we t r y t o put major e f f o r t s i n t o prevention of deaths,
crippling i n j u r i e s , and catastrophes.
Methods of scaling the amount of e f f o r t , analysis, or r i s k are presently
quite imperfect. Were it not t h a t we do and must scale magnitudes mentally,
and largely without reference standards, a's an everyday requirement, the
problem of improving scaling mechanisms could be cast aside as too d i f f i c u l t
and troublesome.
practice there appear t o be a t l e a s t f i v e types of scaling mechanisms:
Scaling by frequency (probabilities) and severity of e f f e c t s on people
or things (essentially a matrix).
Word descriptions of severity (e .g., the DOD c l a s s i f i c a t i o n of system
effects).
Fimre 24-1
SAFETY INTERFACES AND TYPICAL DATA FLOW
DRAWINGS, TfST REQUIREMENTS, OPERATIONS

& RED LINES
-- I ENGINEERING
I SYSTEM DESIGNED FOR MISSION
h
SAFETY CRITERIA, DESIGN 6 PROCEDURE ANALYSES, V
HARDWARE CHANGES, RECOMMENDATIONS
-
E
TBF-FMEA DATA, CRITICALITY LISTS
SAFETY ANALYSES,' SAFETY INSPECTION

REQUIREMENTS
R-SYSTEM HAS CERTAIN PROB-
ABILITY OF SUCCESS
QA-SYSTEM MANUFACTURED d TESTED

PER ENGINEERING REQUIREMENTS
'
r/
PROPOSED HARDWARE CHANGE
CONFIGURATION AS DESIGNED
MANAGEMENT CONFIGURATION
J
SYSTEM MANUFACTURED AS DESIGN

1
INPUT TO MANUFACTURING PLANNING
E
SYSTEMS TEST SYSTEM OPERATION VALIDATED

\
J
PERATIONS PROCEDURES
.
SYSTEM OPERATED WITHIN DESIGN
OPERATIONS
d MISSION PARAMETERS
OPERATIONS PROCEDURES ANALYSES
\
RISK EVALUATION DATA FOR RISK MANAGEMENT DECISIONS \
s/
_
Figure 24-2
SYSTW SAFETX ACTIVITIES FUNCTIONAL FLOW
IDEALIZED FUNCTIONS FOR NEW PROJECTS

To other
programs
Perform safety
analysis of
caaponents
Identify energy
sources, and the
design features ,
Identify areas
having inadequate
f;on~;i.of energy
Recom~end
corrective
t
Prepare SAR
subsystems and safety devices and

$? the system; procedure constraints management the rationale
the t e s t and established t o control decision f o r each major I
3 operations
procedures.
these energy sources
during the Life Cycle
levels. engineering
review and 8
of the system. Develop new o r mission. I
improved safety
c r i t e r i a and
requirements.
Obtain engineering
Review of Safety Revise existing or management approval
data and experience create new safety f o r release. Participate i n
from other programs. requirements and design and
c r i t e r i a that w i l l program reviews.
support the changing
needs of the Evaluate the effective-
evolving system. ness and adequacy of a l l
s a f e t y requirements and
criteria.
SAFETY ANALYSIS - PROGRAM ACTIVITY RELATIONSHIP
Preliminary System Definition System Design Manufacture, Test and
Analysis Operations
Feasibility
Studiee
crA
+ 4
General Safety m
Studies 4
*
Preliminary
I
Fault Hazard
Analysis
Logic Diagram Analysis

. With or Without Quantification
(Test Operations)
I ,
3. Categories of hazards (e .g. , explosives, flammable , high voltages,
pressure vessels) get major study i n contrast with l e s s e r study f o r
non-enumerated hazards. New construction o r a l t e r a t i o n s , new
chemicals, o r welding are examples of other a c t i v i t y scaling.
4. Some special hazards can be catagorized numerically by the amount of
energy (e g.. , voltages, temperatures, pressures or amounts of toxic
material).
5 . Experience, o r i n t e l l i g e n t hunch, may be used t o scale seriousness, and
therefore, amount of preventive e f f o r t .
Certainly none of these kinds of c r i t e r i a has been an e n t i r e l y s a t i s f a c t o r y
scaling mechanism. S h a l l we use one or another, or examine the f e a s i b i l i t y of
a r t i c u l a t i n g and then correlating.or combining the various bases? The l a t t e r
seems preferable, i f it can be made practical, and i f it expresses some consensus.
A s examples of scaling of preventive e f f o r t , we have a t one extreme the
almost unbounded Safety Analysis Plans f o r thermonuclear weapons and reactors;
a t an intermediate l e v e l , Sandia's requirement of written SOP1s f o r special
named hazards; and e s s e n t i a l l y no defined requirement f o r non-repetitive, "low
potential" operations.
These scalings, i n turn, are the basis f o r requirements f o r review, proce-
dures, etc., which are scaled as t o amount. However, inquiry has shown t h a t the
thresholds above which safety program features are invoked are often vague,
and the program application i s proportionately vague, sporadic, and inexact.
The consequence i s , of course, t h a t accidents occur i n part because of d i f f e r -
ences i n views as t o the c r i t e r i a t o be used t o judge amount of study o r review.
Another consequence i s f r i c t i o n over who (e g . ., professionals vs operators) i s
e n t i t l e d t o proceed with work without independent review, or f r i c t i o n over "too
much red tape." Other consequences may be excessive cost f o r study of minor
injury sources, or an organizational headache from the p r a c t i c a l need t o violate
management directives, such as a requirement f o r analysis of "any hazard ."
The absence of c r i t e r i a i s untenable - that i s , it leads t o loose or impro-
per scaling of e f f o r t s and a t the worst, t o a vagueness which tends t o de-
energize the t h r u s t of the hazard reduction process itse3-f.
Only order-of-magnitude classes are needed t o scale requirements f o r
preventive e f f o r t , and probably four t o s i x classes w i l l ultimately be ade-
quate. However, i n attempting t o categorize presently used thresholds, sub-
classes A and B w i l l be employed. A s an opening e f f o r t f o r discussions and
- 243 -
development we have, by accident results:
Category Typical Potential
Safe" Scratches $10
"Marginal" Medical $100
"Hazardous" Lost Time l e s s than 10 days $1,000
"Critical" or More than 10 days, or
"Dangerous" Permanent
"Catastrophic" Deaths, or 5 injuries
"Super Catastro-
phic" Multi -death
This table i s intended only as a f i r s t approximation t o categorize the

thresholds i n use.
The DOD definitions (preceded by a code from the above scale) are:
I-B -
"Safe : Failure will not result i n major system degradation, and w i l l
not produce system f h c t i o n a l damage or contribute t o system hazard or
personnel injury."
11-B "Marginal: Failure w i l l degrade the system t o some extent without major
system damage or personnel injury, but can be adequately counteracted
or controlled, "
I11 "Critical: Failure will degrade the system causing personnel injury,
& substantial system damage, or r e s u l t i n an unacceptable hazard necessita-
IV ting immediate corrective action f o r personnel and system survival."
V "Catastrophic: Failure w i l l produce severe degradation of the system
which will r e s u l t i n loss of the system or death, or multiple deaths, or
injuries " .
However, it i s reported that such types of word definitions are not
discriminating i n actual practice.
The AEC scale f o r accident/incident reporting uses the following thresholds :
I11 T Y P C Disabling injury (ANSI z16 .l)
XI-A Damage -
f i r e , explosion, over $50 )
111-A Damage -
other -
over $500 1 under $25,000
11-A (or I-B) Any motor vehicle accident
-
Radiation 3 r e m t o whole body
IV -I3 $25,000 t o $99,999
radiation - 5 rem
V TVPA Fatal, 5 injuries
$100,000
radiation 25 rem -
The radiation energy levels, as well as some other AEX reporting thresholds,
r e f l e c t public reaction and sensitivity as well as non-trauma concerns (pro-
t e c t genetic material) - another variable i n evaluating hazard and preventive
e f f o r t , and one which can be worked into a system of categories.
Sandia's guidelines f o r underground nuclear t e s t s employ t h e following
c l a s s i f i c a t i o n of hazardous conditions:
Class 1 - Safe A c t i v i t i e s , conditions, e t c . , such t h a t t h e physi-
c a l p r o p e r t i e s o r f u n c t i o n a l c h a r a c t e r i s t i c s do
not present any hazards t o personnel o r experiments.
Class 2 - Marginal A c t i v i t i e s , conditions, e t c . , such t h a t t h e physi-
c a l p r o p e r t i e s o r f u n c t i o n a l c h a r a c t e r i s t i c s do
present hazards t o personnel o r adjacent experi-
ments which can be c o n t r o l l e d by containment
f i x t u r e s , s p e c i a l handling and/or by a minimum
amount of p r o t e c t i v e clothing.
Class 3 - Dangerous A c t i v i t i e s , conditions, e t c . , such t h a t the physi-
c a l p r o p e r t i e s o r f u n c t i o n a l c h a r a c t e r i s t i c s could
r e s u l t i n i n j u r y t o personnel o r extensive damage
t o other experiments u n l e s s c o n t r o l l e d by l i m i t i n g
personnel access, providing s p e c i a l s a f e t y devices,
using s p e c i a l equipment such a s p r o t e c t i v e c l o t h i n g
and equipment (face s h i e l d s , r e s p i r a t o r s , e t c ) and/ .
o r using remote handling devices.
Class 4 - C r i t i ' c a l l y A c t i v i t i e s , conditions, e t c . , such t h a t t h e physi-
Dangerous c z l p r o p e r t i e s o r f u n c t i o n a l c h a r a c t e r i s t i c s a r e so
uazardous t o personnel, experiments, and/or o t h e r
test-event operations t h a t no preventative measures
can be taken t o reduce t h e hazards t o a Class 3
l e v e l o r l e s s . ( s t o p t h e operation!)
Examples of thresholds described by subject matter include:
AEC r e a c t o r safeguards, e s s e n t i a l l y unbounded.
Sandia's requirement f o r Safe Operating Procedures with independent s a f e t y
review f o r "operations and t e s t s involving explosives, pyrophoric mater' L s ,
compressed gases, mechanical o r p h y s i c a l h a z a r d s . "
Aerojet uses a threshold " p o t e n t i a l hazard" (11) t o r e q u i r e d e t a i l e d
Operating Procedures o r Safe Work Permits. But such a low threshold seems
unenforceable and impractical. This suggests need f o r a more f l e x i b l e h i e r -
archy of preventive measures:
I & I1 Pre-Job Analysis by operator
I11 Pre-Job Analysis by supervisor o r engineer
Iv Job Safety Analysis (from t h e operating department )
V Safe Operating Procedures with review.
VI Safety Analysis Reports and other r e a c t o r safeguards, unbounded.
The AEC guidelines f o r e l e c t r i c a l s a f e t y i n research employ s e v e r a l
t h r e shold s :
I joule
I11 15 joules, 300 v o l t s
Iv 50 joules
Lasers (no power s p e c i f i c a t i o n ) .
Nuclear c r i t i c a l i t y safeguards use weights of fissionable material a s
criteria.
Allison's HIP0 analysis method uses AF,C reporting c r i t e r i a , i n p a r t , and
has i n t e r e s t i n g differences and additions:
Type D --
Not High P o t e n t i a l
I n jury l e s s than 2 weeks
Damage $500-$1,000
N Type C - Injury g r e a t e r than 2 weeks
I11 $1,000 damage
Type B- 2 o r more i n j u r i e s
N permanent i njury
N damage g r e a t e r than $25,000, plus
Pressure -150,000 pounds t o t a l
IV Ty-pe A - comparable with AEC Type A, plus
200 gallons flammable
N pyrophoric, explosive, toxic
300,000 pounds pressure
Aerojet uses pressure-temperature c r i t e r i a t o guide types of protection i n
working on reactor loops.
A report prepared f o r the National Commission on Product Safety provides
discussion and d a t a on "biological tolerance t o various environmental
challenges .I1 ( ~ e i n e r ,1969.)
The models and data a r e too complex f o r simple,
yardstick use (but valuable t o designers and s a f e t y engineers working on a
s p e c i f i c product). However, the material can be h e l p f u l i n visualizing gross
yardsticks.
Fine (1971) has scaling methods a s a portion of h i s analytic method. His
formula and scoring ranges are: Risk = Consequences (1t o 100) x Exposure
(frequency) ( .1 t o 10) and Probability (of sequence completion) ( .1 t o 10) .
Expansion of the p r o b a b i l i t i e s shown i n the e a r l i e r section on Goals w i l l
l i k e l y be a f a c t o r i n scaling, a s dl1 l i f e cycle estimates of i n j u r i e s o r
deaths. Certainly one object used f o r one year i s d i f f e r e n t from 1000 of the
same object used 10 years, a t l e a s t a s f a r a s p r a c t i c a l supportable safety
analysis and precautions are concerned.
During the p i l o t phase of t h i s study it was proposed t h a t the wide v a r i e t y
of present scalings be studied and a "simple" scaling device be t e s t e d i n
organizational practice. The foregoing material permits a t l e a s t a schematic
model of a proposed mechanism, Figure 24-4.
I n any organization many more pertinent examples of kinds of a c t i v i t y
should be compared with accident data, which should permit f i l l i n g i n large
numbers of a c t i v i t y t i t l e s . Further, a p a r t i c u l a r supervisor (and h i s u n i t )
would only have t o know pertinent p a r t s of the array. A " f a i l safe" require-
ment could provide: If i n doubt, move t h e c l a s s i f i c a t i o n up.
Figure 24-4. Possible General Scheme

For Scaling P o t e n t i a l s and Preventive Action
Words Results (P values) Kinds of Energy Preventive

'lass
Defined Persons f Property Activity (by type) Action
Safe Walking
I scratches I $lo S i t t i n g
Lifting
I1 Marginal medical ,
1
$100 5' PJA
Height
l o s t time I 5-20 ' JSA
I11 Hazardous $1000 Height To be or
10 days I
Welding SWP
IV critical lodays
permanent
'
I
Vehicles
$10,000 201+
Height
detailed JSA
or
SOP
V Catastrophic
Death
5 injuries
Mult i -
' Explosives
$100~000 Flammables SOP
SAR
VI Super ($1,000,000 Reactors
death unbounded
The s c a l i n g mechanisms provide both a l e v e l of e f f o r t i n design and

development, and a l e v e l of approval. For example, f o r r e a c t o r s t h e Safety
Analysis Report, Operating Limits, and Technical S p e c i f i c a t i o n s a r e essen-
t i a l l y unbounded, and must be approved by AFK! Washington, and then only a f t e r
independent review.
A t Aerojet, a f i v e - t i e r documentation system, w i t h successively higher
approval requirements, i s used t o implement scaling. The f i r s t t i e r i s cor-
porate-wide P o l i c i e s and Procedures (ANPP) . Under t h i s t i e r , t h e Reactor
Operations Division has a "Standard Practice" (SP) (second t i e r ) which speci-
f i e s c r i t e r i a f o r r e q u i r i n g a "Detailed Operating Procedures" (DOP ( t h i r d
t i e r ) o r u s i n g an "Operating Manual" ( f o u r t h t i e r ) . For example, a DOP i s
required f o r "moving f u e l t h a t could cause c r i t i c a l i t y hazards and which i s
not covered by an SP o r ANPP," and t h i s means obtaining approval of an indepen-
dent Procedures Review Board, which has published and enforced i t s c r i t e r i a .
"Work I n s t r u c t i o n s and Information" ( f i f t h t i e r and uncontrolled) may be used
only when c r i t e r i a f o r use of t h e higher t i e r s do not apply. This type of
s c a l i n g seems t o work w e l l f o r highly proceduralized r e a c t o r work with i t s own
definitions. However, it operates with l e s s p r e c i s i o n i n non-reactor work.
Consequently, Aerojet personnel have conducted a number of i n t e r e s t i n g
explorations during t h e t r i a l . The s t a t u s of t h e work i s about a s follows:
1. A Frequency-Severity Matrix i s used.
a . Frequency v a r i e s from common ( 6 months) t o r a r e ( 1,000 years
of f a c i l i t y l i f e )
b. Consequences follow c l a s s i f i c a t i o n s above.
2. Scoring has been preliminarily validated by having various persons
r a t e named occurrences.
3 . LRvels of e f f o r t have been defined i n terms of:
a. Line management approval level,
b. l e v e l of analysis - formal SAR, checklist, or no formal requirement,
c . Independent review - scaled from a multi-discipline board review
t o f i e l d approval by safety engineer,
d. R e l i a b i l i t y and Quality Assurance level,
e . Safety Department l e v e l of e f f o r t ,
f . Subsequent monitoring, l e v e l of e f f o r t .
The mechanism was then exercised on a specific problem - which of a long
l i s t of operations and aspects should have p r i o r i t y i n an intensified monitoring
program. Ratings again showed an adequate degree of consistency. ( ~ x h i b i t2 )
The present s t a t u s suggests t h a t two kinds of mechanisms w i l l be needed:
1. Subject matter o r t o p i c a l r u l e s (flammable, explosives , fissionable
materials, ladders)
2. Matrices f o r use by scientists-engineers i n more probing studies of
r e l a t i v e importance.
And, each of these must be t i e d t o a l e v e l of e f f o r t system.
The dilemma of AEC i s probably typical.
1. A requirement f o r formal, intensive Safety Analysis Reports i s being
extended from reactors t o other kinds of f a c i l i t i e s ,
2. It i s desirablq; t h a t any a c t i v i t y be analyzed.
How can we broaden the coverage of a l l . a n a l y s i s without lowering the
requirements f o r the most serious hazards? Certainly every a c t i v i t y cannot have
a Safety Analysis Report of the depth t h a t AEX term implies. On %haother hand,
there are significant indications t h a t i n j u r i e s of minor consequence - bumps,
bruises, and scratches - may be overanalyzed a t the expense of study of c r i t i c a l
and catastrophic potentials.
I n summary, the explorations t o date suggest t h a t each organization
develop i t s own scaling mechanism. The e f f o r t w i l l be worthwhile because
proper analysis w i l l prevent accidents which may otherwise be shown t o r e s u l t
from vague scalings. The essence of a usable scaling mechanism seemsto be:
1. About s i x categories of events t o be defined i n several ways:
a. By~words, such a s " c r i t i c a l " ,
b. By examples of most common r e s u l t s , such a s "medical care (w/o
l o s t time)",
c. By a c t i v i t y , especially those hazardous a c t i v i t i e s i n the organi-
- 24.8-
zation, such as welding, explosives, flammables, etc.
d. By energy types and levels, as appropriate, such as pressure,
or temperature.
2 . Level of effort and approval.
Although the problem of developing such a scale is troublesome, to say
the least, the absence of such a mechanism is seemingly causing greater trouble
in the form of accidentslincidents, and subsequent recriminations.
(3) Analysis Methods

This criterion has at least two dimensions: (a) were the appropriate
analytic skills available in the organization (or from a consultant), and
(b) were they used?
Hazard Identification has been said to be "Number One ."The task can
be seen as having three elements:
1. Practical experience in the operation, and in search-out.
2 . Information on "known precedents," references.
3. Systematic analysis.
There is no substitute for practical experience in the operation. No
amount of library information or systems analysis can substitute for the know-
ledgeable man who analyzes and inspects and observes carefully. Levens (1969)
described the present day safety man as "almost intuitive" in detecting hazards,
and this is both a compliment and a limitation. The compliment is justified
because the skilled professional is so highly effective. But the limitations
pointed out by Levens are:
1. Analytic process is not monitorable, cannot be documented.
2. Analytic process usually cannot quantify the relative merits of
alternatives, no cost/benef it data.
3. Process breaks down in complex situations (some interfaces are omitted.
4. Graphic analytic forms are unavailable; teaching and persuasion are weak.
5. Thousands of combinations of potentials must be learned.
Krikorian gave an eight point summary of ASSEts Search I (1970) :
"1.The term 'hazard recognition1 ... a more-correct term would be
'identification and evaluation of accident-potential1 ...
''2: ...concerned with the man/machine/environment interactions resulting
from changeldeviation stress as they
lacis~-c~
harm to persons, but also functional damage, and system degraaation.
"3. 'Things1 are not hazards, or potential hazards. Events or a sequence
of events are hazards. They interact within a system and are caused by
the stress effects or the characteristics of people
-- ...
Events have both
a probability of occurrence and a time-sequence.
"4. When i d e n t i f y i n g accident-potential ...
look a t t h e big p i c t u r e , a t
t h e i n t e r a c t i o n s i n a system and i t s input/output, c o n s t r a i n t s , and con-
t r o l s . (Then small sections one a t a time) and look f o r selected events
t h a t might produce an undesirable outcome... ' t h e v i t a l few' instead of
the ' t r i v i a l many.'
"5. We a r e looking f o r events and p a t t e r n s (including behavior) i n order
t o d e t e c t changes beyond t h e normal -
such a s changes during s t a r t up
o r shut down, o r when a process goes wrong. ...
Processes usually move
along i n a s t a t e of dynamic equilibrium; but when something does go
wrong, t h e hazard increases - due t o the i n t e r a c t i o n of people t o cor-
r e c t the hazard.
"6. The use of ' check l i s t s ' i s valuable, ...
a s ' t o p i c a l guides. '
"7. ...
a machine i s merely an extension of t h e b i o l o g i c a l u n i t (man)
and various human c h a r a c t e r i s t i c s must be considered ...
"8. The safety-professional must use h i s n a t u r a l sense-organs f o r recog-
nizing accident-potential. ..
The safety-professional should always
remember ( a ) t h a t he can ask questions concerning problems o r s i t u a t i o n s
t h a t he doesn't understand, and ( b ) t h a t those problems most l i k e l y t o
occur w i l l not be present when he i s present."
A statement of Preliminary Safety Tasks from NASA (1970) i s h e l p f u l :

"a. A review of p e r t i n e n t h i s t o r i c a l s a f e t y d a t a from s i m i l a r systems.
b. A continuing review of t h e gross hardware requirements and concepts,
t o maintain an understanding of t h e evolving system.
C. A review of t h e proposed mission objectives.
d. Completion of t h e planning f o r follow-on s a f e t y a c t i v i t i e s .
e . The completion of preliminary hazard analyses t o i d e n t i f y p o t e n t i a l l y
hazardous systems and t o develop i n i t i a l s a f e t y requirements and
criteria.
f . P a r t i c i p a t i o n i n t r a d e s t u d i e s with t h e r e s u l t of the preliminary
hazard analyses i d e n t i f y i n g highly hazardous areas, with recommenda-
g - t i o n s a s t o t h e alternatives/.
I d e n t i f i c a t i o n of t h e requirement f o r s p e c i a l contractor s a f e t y s t u d i e s
t h a t may be required during system d e f i n i t i o n o r design.
h. Estimation of gross resource requirements f o r t h e system s a f e t y pro-
gram during t h e complete system l i f e cycle.
i. Preparation of an index document t h a t i d e n t i f i e s a l l p e r t i n e n t s a f e t y
d a t a developed during t h e l i f e cycle of t h e system ... updated a t t h e
conclusion of each major increment of the system development ..."
I n attempting t o describe a n a l y t i c methods, a d i f f i c u l t y i s t h a t many
forms of analysis have been given d i f f e r e n t l ' t r a d e names" and it i s somewhat
d i f f i c u l t t o perceive t h e generic forms.
P e t e r s (1968) (as well a s MacKenzie, 1968) l i s t e d some principal a n a l y t i c
techniques as:
1. "Gross-Hazard Analysis. Performed e a r l y i n design. Considers over-
a l l system a s w e l l a s individual components. Called 'grosst because it
i s the i n i t i a l s a f e t y study undertaken." ( s t e i n and Cochren (1967) suggest
a "Hazard Manifestations" - c l a s s i f i c a t i o n t o be used i n a matrix with hard-
ware ( o r other) system components .)
2. " C l a s s i f i c a t i o n of Hazards.I d e n t i f i e s types of hazards disclosed i n
s t e p 1 and c l a s s i f i e s them according t o p o t e n t i a l s e v e r i t y (would d e f e c t
o r f a i l u r e be c a t a s t r o p h i c ? ) I n d i c a t e s a c t i o n s and/or precautions neces-
s a r y t o reduce hazards. May involve preparation of manuals and t r a i n i n g
procedures .If
3. " F a i l u r e Modes and Effect%. Considers kinds of f a i l u r e s t h a t might
occur and t h e i r e f f e c t on t h e o v e r - a l l product o r system. Example: e f f e c t
on system t h a t w i l l r e s u l t from f a i l u r e of a s i n g l e component ( a r e s i s t o r
o r hydraulic valve, f o r example)." (sometimes c a l l e d "Hazard Modes and
Effects." See Figure 24-5 f o r Recht form and l i s t s of Aerojet captions.
FME Analysis is probably t h e most b a s i c system s a f e t y technique a d a good
point of departure i n venturing i n t o d e t a i l e d system a n a l y s i s .
4. "Hazard-Criticality Rankinq. Determines s t a t i s t i c a l , o r q u a n t i t a t i v e ,
p r o b a b i l i t y of hazard occurrence. Ranking of hazards i n t h e order of
'most c r i t i c a l 1 t o ' l e a s t c r i t i c a l . " '
5. "Fault-Tree Analysis. Traces probable hazard progression. Example:
If f a i l u r e occurs i n one component o r p a r t of t h e system, w i l l f i r e
result?" ( ~ l s o Recht , Hixenbaugh, &icson, Browning, Drie sen. )
6. '!Enerns-Transfer Analvsis .
Determines interchange of energy t h a t
occurs during a c a t a s t r o p h i c accident o r f a i l u r e . Analysis i s based
on t h e various energy i n p u t s t o t h e product o r system, and how these
i n p u t s w i l l r e a c t i n event of f a i l u r e o r c a t a s t r o p h i c accident."
7. "Catastrophe Analysis. I d e n t i f i e s f a i l u r e modes t h a t would c r e a t e a
c a t a s t r o p h i c accident."
8. " ~ ~ s t e m / ~ u b s ~ sI nt et emg r a t i o n .
Involves d e t a i l e d a n a l y s i s of i n t e r -
faces, p r i m a r i l y between systems." ( ~ i l l e rsays by. mock ups, simu-
l a t o r s , and t e s t s ...not w e l l defined and a challenge! I n t h i s study
such f a c t o r s a s l a c k of interdepartmental coordination repeatedly show
a s c a u s a l f a c t o r s . Other i n t e r f a c e problems a r e a l s o common.) .
9. "Maintenance-Hazard Analysis. Evaluates performance of t h e system from

a maintenance standpoint. W i l l i t be hazardous t o service and main-
t a i n ? W i l l maintenance procedures be a p t t o c r e a t e new hazards i n
t h e system?
10. "Human-Error Analysis. Defines s k i l l s required f o r operation and main-
tenance. Considers f a i l u r e modes i n i t i a t e d by human e r r o r and how
they would a f f e c t t h e system. Should be a major consideration i n
each step." (see Chapter 26.)
11. "Transportation-Hazard Analysis. Determines hazards t o shippers,
handlers and bystanders. Also considers what hazards may be ' c r e a t e d t
i n t h e system during shipping and handling."
M i l l e r ( 1968) used nomenclature d i f f e r i n g from t h e above : preliminary
hazards a n a l y s i s r a t h e r than gross hazard a n a l y s i s , and a grouping of " t r a d e
name" techniques under Hazard Modes and E f f e c t s , but a l s o introduced more
consideration of procedures, personnel, and job s a f e t y a n a l y s i s .
Trees. The uses of Fault-Trees and adaptations thereof i s increasing

rapidly. Even when modified forms axe used, a s i n Browning's expedient form
o r i n MORT, t h e assumptions and l o g i c a r e s t i l l made e x p l i c i t and v i s i b l e f o r
review. These q u a l i t i e s seem t o give considerable f l e x i b i l i t y without destroying
F a i l u r e Modes and E f f e c t s Analysis
Formats Used a t Aero j e t
For R e l i a b i l i t y :
Design C h a r a c t e r i s t i c
F a i l u r e Mode
Failure Probability
E f f e c t on System
E s s e n t i a l i t y Code
Control t o minimize :
Frequency
Effect
For P r i o r i t y Problem L i s t s :
Energy Sources :
Kinds
Amounts
Potential Targets
B a r r i e r s , Controls
Residual Risk
F a i l u r e Mode
F a i l u r e Mechanism
Consequence P o t e n t i a l
Frequency, Consequence Matrix Class
Action-Decision C l a s s e s
Authorit y l e v e l
Type a d d a t e Action Due
(For samples of t h e last two approache s
,
s e e F i g u r e 42-3 on page 4-42,)

t h e d i s c i p l i n e d c h a r a c t e r of t h e a n a l y s i s , when t h e dictum i s observed t h a t
causal f a c t o r s must be both " s u f f i c i e n t and necessary" f o r t h e chain of events.
(The b a s i c l o g i c and t h e symbols used i n MORT a r e given i n P a r t I V . )
The d e t e c t i o n of complex f a u l t paths, while always d i f f i c u l t , i s aided by
Fault-Tree l o g i c . A common a n a l y t i c device is:
Functional
0 0
Primary Secondary
Primary f a i l u r e s a r e those occurring under normal operations under

designed s t r e s s e s .
Secondary f a i l u r e s include n a t u r a l c a t a s t r o p h i c exposures (emg., wind)
and a termination symbol i s used. But, t h e s u b s t a n t i a l number of damaging
impacts from nearby exposures--other processes, m i s s i l e s , o r even male-
volence, suggests t h a t a f a i r proportion of t h e complex events r e q u i r e
c a r e f u l a t t e n t i o n t o neighboring p o t e n t i a l .
The so-called command f a i l u r e s occur when c o n t r o l s , r e l i e f devices, and
s i g n a l s (including human) d i r e c t t h e s t r e s s which r e s u l t s i n f a i l u r e .
NTSB1s (1972) "A Systematic Approach t o Pipeline Safety" provides an
example of Fault-Tree Analysis.
Hammer (NASA, 1971) suggested a Safety Consideration Tree (and provided
an example) t o be issued by the procuring agency f o r guidance of design
work.
The General Services Administration (1972) has developed a comprehensive
F i r e Fault Tree t o analyze f i r e safety. This t r e e becomes a format f o r
performance standards in
new building- construction.
Nielsen (1971) used two t r e e s t o show t h e l o g i c a l connections of causes
and consequences :
Causes Consequences
Nielson a l s o gives p a r t i c u l a r a t t e n t i o n t o r e p a i r o r o t h e r s p e c i a l s i t u a -
t i o n s and t o r o l e of delays i n operation of p r o t e c t i v e systems.
I n accident a n a l y s i s , t h e prevention of second accidents i s viewed a s an
ameliorative s t e p , But i n preplanning and design, such events a r e b e s t
t r e a t e d a s p a r t s of t h e energy sequence. An example was t h e introduction
of a hydrogen-using experiment i n t o a r e a c t o r building. Nielsen's t r e e i s
u s e f u l i n t h i s regard.
The P o s i t i v e Tree ( ~ i g u r e9-1) has seemed t o have more f o r c e i n a t t r a c t i n g
i n t e r e s t and i n persuasion than d i d t h e same recommendations i n t e x t f o m .
The b a s i c b u i l d i n g blocks of system s a f e t y a n a l y s i s a r e F a i l u r e Modes
and t h e Fault-Tree. The suggestion i s t h a t these with Schematics-Steps-
C r i t e r i a (Figure 20-3), which i s a l s o a t r e e , be f r e q u e n t l y and c o n s i s t e n t l y
used a s they have i n t h i s t e x t .
Other Analytic Methods. Appraisal of t h e more common a n a l y t i c methods
suggests needs f o r a d d i t i o n a l devices.
Change A n a l ~ s i s . Kepner-Tregoe (1965) suggest a n a l y t i c forms t o search
f o r cause, and p o t e n t i a l problem and d e c i s i o n a n a l y s i s warksheets. I n
t h e Role of Change (chapter 5 ) Change-Based forms f o r use i n accident
i n v e s t i g a t i o n were described. Developments i n Aerojet trials make i t pos-
s i b l e t o s p e c i f y i n more d e t a i l what might be required i n simple Change-
Counterchange d i s p l a y s i n a n a l y s i s . Two recent s e r i o u s i n c i d e n t s r e s u l t e d
from uncontlblled change. Thus, i n both conceptual and design s t a g e s , a
d i s p l a y should be required along t h e l i n e s of Figure 5-3.
Nertney Wheel. D r . R. J. Nertney of Aerojet developed t h e wheel concept
shown i n Figure 24-6--a provocative method of examining t h e successive
phases i n hardware-procedure-personnel development, and a l s o examining
t h e all-important i n t e r f a c e s between those t h r e e elements.
Without deprecating t h e s o p h i s t i c a t e d forms of system s a f e t y a n a l y s i s
(as b r i e f l y described by P e t e r s , e t a l ) t h e r e a r e s t r o n g i n d i c a t i o n s i n
t h e Aerojet t r i a l s t h a t very simple change a n a l y s i s of the type described
i n Figure 5-4, o r D r . Nertney's Wheel, w i l l catch l a r g e numbers of common
oversights.
Hazard Type. There i s an emerging concept t h a t types of hazards, cross-
c l a s s i f i e d by subsystems and components i s a d e s i r a b l e approach, p r i o r t o
t h e use of t h e various a n a l y t i c methods. Miller (summarizing Adams and
~ammer) (NASA,1971) and S t e i n and Cochran (1967) provide various l i s t s
which could be combined as follows:
Acceleration Moisture
Chemical d i s a s s o c i a t i o n Noise
Chemical replacement Oxidat ion
Contamination ,, Fre ssure
Control anomaly Radiation
Corrosion Shock & impact
Electrical Signal d a t a anomaly
Environment (physiological e f f e c t s ) S t r e s s concentrations
~xplosion/imp~osion Stress reversals
Falling objects Structural aberration
~ire/smoke Toxic
Heat & temperature Vibration
Leakage Weather
Human Error
Such a l i s t , when reviewed against each subsystem o r component, and
a g a i n s t a l i f e cycle diagram, i s reported t o be provocative and searching
i n e a r l y hazard i d e n t i f i c a t i o n .
Greene and Cinibulk (1971) developed a " c r i t i c a l i t y matrix" f o r personnel
s a f e t y based on a failure-mode a n a l y s i s of personnel hazards and using
p r o b a b i l i t y and a "hazard index" as t h e two dimensions. The hazard index
considers time a v a i l a b l e t o c o r r e c t conditions, a s well as long-term time
of exposure.
F'ailure Analysis. Currie (1968) l i s t s t y p i c a l elements t o be examined
i n a scope broader than t h e usual FMEA ( ~ i g u r e24-5).
"Operating Condition
F a i l u r e most l i k e l y
F a i l u r e most c r i t i c a l *
Impending F a i l u r e
~~m~toms/~eco~nition*
How t o i n s p e c t f o r it*
Actual F a i l u r e Mode
symptoms/~ecognit ion*
Troubleshooting t o i s o l a t e f a i l u r e source
Action by ~ p e r a t o r ( s ) .
Recommended Procedure
Possible A l t e r n a t i v e s
Possible E r r o r s *
Effects
On immediate conditions ( c o r r e c t a c t i o n and i n c o r r e c t a c t i o n by o p e r a t o r ( s ) ) *
On continued operations ( c o r r e c t a c t i o n & i n c o r r e c t a c t i o n by operator( s ) )*
O f subsequent a d d i t i o n a l f a i l u r e s within same system+
~ n t e r f a c e s / p o t e n t i a le f f e c t s on o t h e r systems*"
*items emphasize preventive viewpoint.
H a z d Vector. Canale (1966) proposed a new t e c h n i c a l d e f i n i t i o n of s a f e t y :

"The s a f e t y l e v e l of a system i s t h e p r o b a b i l i t y t h a t human and m a t e r i a l
resources a r e conserved by t h e c o n t r o l of a l l p o t e n t i a l l y hazardous
system i n p u t , output, and i n t e r n a l energies."
H i s model r e q u i r e s estimation of f a i l u r e r a t e s f o r various types of con-
t r o l s f o r each source of p o t e n t i a l l y hazardous energy. Through a "hazard
~ magnitude) a c o s t b a s i s f o r examining a d d i t i o n a l
vector" ( ~ r o b a b i l i tand
c o n t r o l s is established.
Time Line, Analysis of system inteGactions i n t h e operating period, and
on an extended time s c a l e f o r wear-out, r e p a i r , change, e t c . , i s h e l p f u l
i n d e t e c t i n g s p e c i f i c hazards of a "worn-on-worn" r e l a t i o n s h i p of compo-
nents, a s well as t h e abnormal and non-routine operating modes so produc-
t i v e of trouble.
Double-failure Analysis. Single f a i l u r e a n a l y s i s i s t h e primary t a s k ,
followed by double f a i l u r e a n a l y s i s f o r severe consequences. These a r e
q u a n t i f i e d i n t h e Fault-Tkee if detected, Special review f o r double
f a i l u r e p o t e n t i a l s i s a s p e c i f i c aspect of any good analysis.
Hazard Inventory. The l i s t of hazards i d e n t i f i e d , but perhaps not a l l
countered, i s e s s e n t i a l .
Human Factors Review--see Chapter 26.
Perhaps t h e most d i f f i c u l t aspect of a n a l y s i s i s i d e n t i f y i n g t h e sequences
o r combinations of f a i l u r e s i n advance. Accident i n v e s t i g a t i o n s o f t e n show
lengthy sequences, but a n a l y t i c methods tend toward "single f a i l u r e analysis."
A good d e a l of human ingenuity and a good h i s t o r i c a l information system a r e
required, i n a d d i t i o n t o a n a l y t i c method.
Throughout a l l of t h e forms of a n a l y s i s , it i s important t o r e t a i n v i s i b l e
record of a s p e c t s examined and found non-hazardous, a t l e a s t i n the working
papers used f o r review. I n a f a i l u r e mode a n a l y s i s , f o r example, when s e v e r i t y
o r frequency approach zero, show the numbers. I n a MORT a n a l y s i s , leave t h e
s a t i s f a c t o r y a s p e c t s i n the diagram colored green. Otherwise a review agent
must p l a y a guessing game as t o what has been studied.
~nvestment/~enefit/~alue/Threat.The c o s t s of a hazard countermeasure
a r e e a s i e r t o estimate than t h e b e n e f i t s . But t e c h n i c a l d i f f i c u l t i e s i n c o s t
estimation a r e numerous. A f t e r d e t a i l e d examination of t h e Planned Program
Budgeting System of t h e Department of Defense, t h e National S a f e t y Council recom-
mended (1968) a Ifbreak-even method." This would provide management with a judg-
ment of t h e percent reduction i n a c l a s s of accidents which would be necessary
t o ccxer countermeasure c o s t s .
"This simple technique i s seen a s an i n t e r i m approach t o evaluation of
alternative ... countermeasures ...Using t h i s simplified method w i l l
expose t h e a n a l y s t t o many of the basic problems ...
and w i l l y i e l d
q u a n t i t a t i v e information f o r the decision-maker."
Most occupational accident c o s t d a t a a r e so conceptually weak a s t o provide
law, inadequate estimates of p o t e n t i a l b e n e f i t s t o be derived.
An exploratory
study ( s t a n f o r d , 1964) f o r public accidents provided some usef'ul concepts, but
l i t t l e follow up research has ensued due t o l a c k of funds.
There i s g r e a t need f o r a usable " s t a t e of t h e a r t " summary, i n p a s t i c u l a r
f o r r e s u l t s of numerous s t u d i e s financed by t h e Department of Transportation.
The term "Investment" seems i n some ways preferable t o "cost" s i n c e c o s t s
of a countermeasure become confused with accident c o s t s , t h e reduction of t h e
l a t t e r being a "benefit."
Unless t h e non-monetary Values , p o s i t i v e o r negative, ( e g . ., p a r t i c i p a -
t i o n o r repression) associated with a measure a r e made e x p l i c i t , cost/benefit
s t u d i e s may be misleading. Also, i f t h e r e a r e t h r e a t s t o t h e use of t h e
countermeasure, t h e y should be noted.
A l l of t h e s e a s p e c t s should be required by a format so they w i l l r o u t i n e l y
be handled, and t h e "break-even" percent i n accident reduction b e n e f i t s can
be shown.
The Stanford Research I n s t i t u t e study (1964) used a f i g u r e (24-6)
t o show t h e t h e o r e t i c a l optimum of s a f e t y i n terms of aggregate c o s t s of acci-
d e n t s and prevention.
This curve shows t h a t an optimum i s a t t h e lowest point on t h e T o t a l
Cost curve. SRI, however, went on t o make t h e important p o i n t s t h a t ( 1 ) some
c o s t s of accidents a r e born outside t h e organization ( i n t h i s case by employees
o r the public), whereas (2) most c o s t s of prevention w i l l be within the orga-
nization, and (3) the point of optimization of t o t a l c o s t s f o r the community
w i l l therefore be a t a s u b s t a n t i a l l y higher l e v e l of s a f e t y than f o r the
organization only.
TOTAL DIRECT
INDIRECT
iL
SAFETY PROGRAM EFFORT
Regulation i s p a r t i a l , but far from complete, route t o minimize costs t o the

community. Therefore, the e n t i r e cost concept seems l i k e l y t o f a i l t o j u s t i f y
our i d e a l s , unless t h e i n t e r a c t i o n of s a f e t y with performance and e f f i c i e n c y
i s used t o strengthen management motivations.
I n short, cost/effectiveness measures may do more harm than good i f effec-
tiveness i s measured only by tabulatable costs.
Fine (1971) developed a costlbenefit weighting formula based on scaling
f i v e factors: consequences, exposure, probability, cost of measure, and degree
of correction. However, data needed f o r the calculations are often not avail-
able, and the method omits some of the considerations immediately above.
References t o the growing l i t e r a t u r e on system safety analysis techniques

(e .g., Miller, Gates and Scarpa, Kanda and Anello, plus others previously
c i t e d ) suggest t h a t it may perhaps not be so important which brand name of
analysis i s used, a s t h a t appropriate new forms of analysis be used. A l l of
them can greatly upgrade analytic processes.
Training i n the new analytic techniques i s increasingly available, f o r
, George Washington University
example, a t University of California (UCLA)
(washington, D . C .) , and University of Washington ( ~ e a t t l)e and National Safety
Council.
The above short discussion of analytic methods extends beyond the concep-
t u a l phase and through design and development phase i n t o the operational phase,
However, it seems important t o introduce these analytic techniques early i n
the conceptual phase so t h a t the f u l l scope of the analytic work t o be under-
taken w i l l be understood and planned.
Gnawing through a l l the touting of system safety analysis techniques i s the
question, "Why do things s t i l l go wrong?" The answers seem t o be somewhat varied:
1. System safety i s a special (potentially discontinuous) aspect of the
project-oriented aerospace e f f o r t . I f the system safety analysis e f f o r t
i s not funded, it w i l l not be done. Industry i s more continuous than
project oriented, and therefore well-organized design and other func-
tions hold a greater p o t e n t i a l f o r continuous action.
2. Allocation of resources may be too small o r too l a t e .
3. Project constraints may put hazards not solved i n the discard p i l e ,
since project managers are so heavily measured on budget-schedule per-
formance. The docket o r inventory of hazards and disposition being
considered by NASA i s an e f f o r t t o control t h i s phenomenon.
The probability of system f a i l u r e probably varies a s the square of the
delay i n i n j e c t i n g safety i n t o concepts and design.
Notwithstanding the obvious f a i l u r e s , the analytic techniques have
demonstrable value.
The g r e a t e s t s t r e n g t h of modern a n a l y t i c techniques i s complemented by
t h e i d e a t h a t a l l a n a l y s i s should y i e l d a choice of a l t e r n a t i v e s , with an
a n a l y s i s of trade-off c o s t / b e n e f i t s . A s i m p l i s t i c s i n g l e s o l u t i o n may be
a t r a p which e l i m i n a t e s b e t t e r o r cheaper a l t e r n a t i v e s . Therefore, a h a l l -
mark of good a n a l y s i s i s t h e d i s p l a y of a l t e r n a t i v e s o l u t i o n s , p a r t i c u l a r l y
those which give t h e manager t h e option of buying g r e a t e r p r o t e c t i o n .
1. b. (6) Analysis of Environmental Impact

The scope of t h e hazard a n a l y s i s should include environmental impact,
and p e r t i n e n t requirements must be i n s e r t e d i n the Safety Analysis Plan, and
f u l f i l l e d i n subsequent s t a g e s of Conception, Design, Operation, Disposal,
etc. Hayes (1971) reported as follows (abbreviated) :
The National Environmental Policy Act r e q u i r e s Government agencies t o
administer t h e i r a f f a i r s i n accordance with i t s p o l i c i e s r e l a t i n g t o con-
s e r v a t i o n and use of t h e environment, and assuring s a f e , healthy, produc-
t i v e , e s t h e t i c and c u l t u r a l l y pleasing surroundings, and other purposes.
These requirements w i l l f a l l on industry t o an increasing degree.
To accomplish these purposes agencies s h a l l -
" u t i l i z e a systematic, i n t e r d i s c i p l i n a r y approach which w i l l insure
t h e i n t e g r a t e d use of the n a t u r a l and s o c i a l sciences and t h e environ-
mental design a r t s i n planning and i n d e c i s i o n making which may have
an impact on man's environment;
"identif'y and develop methods and procedures ...
which w i l l i n s u r e t h a t
p r e s e n t l y unquantified environmental amenities and values may be given
appropriate consideration ...
along with economic and t e c h n i c a l consi-
derations;
"include i n every recommendation o r r e p o r t on proposals f o r l e g i s l a -
t i o n and o t h e r major Federal a c t i o n s s i g n i f i c a n t l y a f f e c t i n g t h e q u a l i t y
t h e human environment, a d e t a i l e d statement ...
on
(i) t h e environmental impact of t h e proposed a c t i o n ,
( i i ) any adverse environmental e f f e c t s which cannot be avoided should
t h e proposal be implemented,
( i i i ) a l t e r n a t i v e s t o t h e proposed a c t i o n ,
(iv) t h e r e l a t i o n s h i p between l o c a l short-term uses of man's environ-
ment, and t h e maintenance and enhancement of long-term productivity , and
(v) any i r r e v e r s i b l e and i r r e t r i e v a b l e commitments of resources.
"As w r i t t e n , those requirements paraphrase q u i t e s u i t a b l y t h e b a s i s f o r a
systems a n a l y s i s . The objective of a systems s a f e t y a n a l y s i s i s t o avoid
an undesired event, i n t h i s case one which w i l l p o l l u t e t h e environment.
I n a systems a n a l y s i s of a piece of hardware t h i s event i s equivalent t o
a f a i l u r e r e s u l t i n g i n damage or l o s s of a mission.
"The methods a v a i l a b l e such a s F a u l t Tree, FM & E f f e c t s , Gross Hazards
Analysis could be used t o i d e n t i f y the events which w i l l bring t h e pollu-
t i o n about.
"The s e l e c t i o n of a v a i l a b l e a l t e r n a t i v e s t o t h e proposed a c t i o n a s required
i n t h i s law w i l l become possible when, i n t h e a n a l y s i s , they a r e p i n pointed.
"The u s u a l hard requirement i n a system analysis i s t h a t each s t e p i s docu-
mented, and t h a t t h e whole analysis provides f o r sound management decisions."
Aerojet Nuclear Company does, of course, include a requirement f o r an
environmental impact statement i n i t s review c r i t e r i a .
1. c. Specify Requirements C r i t e r i a
It i s sound p r a c t i c e t o s p e c i f i c a l l y c a l l out t h e codes, standards,
manuals, recommendations, e t c . , deemed applicable t o a p r o j e c t . Accident
h i s t o r i e s not infrequently show f a i l u r e t o use such material, and p r i o r
documentation f a i l s t o show whether the f a i l u r e w a s oversight o r a considered
decision.
OSHA and other f e d e r a l , s t a t e , l o c a l regulations a r e primary. Regula-
t i o n s a r e normally d e f i n i t i o n s of e r r o r i n s p e c i f i c , pre-analyzed s i t u a t i o n s
where (a) a consensus process has defined needed precautions, o r (b) research
has defined harmful limits.
Since t h e a v a i l a b l e l i t e r a t u r e covers a l a r g e proportion of accident
f a c t o r s i t is unfortunate t h a t there a r e seldom d a t a on t h e documents actu-
a l l y used i n a n a l y s i s p r i o r t o accidents. For example:
1. What documentation was relevant?
2. Was it known a t t h e points of design andoperation? If not, why not?
3. Was it adequate? If not, why not?
Also, t h e question of need f o r a higher degree of protection than standards
i s warranted (and i s alluded t o i n AEC Manual 0550-034~).
Complicating t h e reliance on standards i s the generic standard - i.e.,
"improved r i s k " i n f i r e protection - not amenable t o easy code d e f i n i t i o n .
A major problem i n some standards and manuals i s t h e f a i l u r e t o make
v i s i b l e method of a n a l y s i s (AEc guidelines f o r a c c e l e r a t o r s and e l e c t r i c a l
s a f e t y i n research, a r e p o s i t i v e and constructive examples of good p r a c t i c e ) ,
A code defining t h e Hazard Analysis Process could be a proposed p o s i t i v e
f o r c e by r e q u i r i n g l i s t i n g of documents deemed pertinent.
There i s widespread c r i t i c i s m of the consensus process f o r developing codes,
manuals, and recommendations, but no d a t a on accidents r e s u l t i n g therefrom.
The p r i o r questions on codes, e t c . , would make it f e a s i b l e t o analyze t h e pos-
sible fail^ of t h e consensus process, p a r t i c u l a r l y f o r very serious accidents.
"Drawbacks t o Standards" has been a t o p i c of concern. ( ~ o u r n a lof American
Insurance, 1969. )
To some extent consensus standards a r e " p o l i t i c a l " r a t h e r than " s c i e n t i f i c . "
Consequently, any organization with the capacity should examine t h e b a s i s f o r
standards, r a t h e r than follow them slavishly.
The pace of development of standards has been too slow under t h e voluntary
system, and t h e r e a r e s t r o n g governmental pressures f o r improvement, e s p e c i a l l y
OSHA, A t the same time, t h e leading corporations, whose personnel perforce do
most of t h e work on t h e standards, meet many of t h e i r own needs with i n t e r n a l
standards capable of more r a p i d development and modification. Further, they
use t h e i r i n t e r n a l standards nationwide and a r e l i t t l e concerned over low
minimum public standards i n a g r e a t number of s t a t e s , because t h e i r i n t e r n a l
~ h ~ d a r da rse so much higher.
U, S. S t e e l ' s plans (1964) f o r a t t a i n i n g physical s a f e t y a r e t y p i c a l of
t h e past best practice. They say:
"Safe physical conditions can be e s t a b l i s h e d and maintained only i f three
b a s i c requirements a r e met:
(1) Safety standards a r e e s t a b l i s h e d and enforced i n t h e design
s p e c i f i c a t i o n s of equipment and f a c i l i t i e s ;
(2) Newly i n s t a l l e d o r changed f a c i l i t i e s a r e inspected and
approved f o r s a f e t y before they a r e released f o r operation
o r use; and
(3) s p e c i f i c r e s p o n s i b i l i t i e s a r e e s t a b l i s h e d f o r periodic inspec-
t i o n , and f o r prompt c o r r e c t i o n of d e f i c i e n c i e s o r immediate
shutdown of equipment i f a serious hazard i s found."
Then follows a lengthy l i s t i n g of standards relevant t o corporate opera-
t i o n s and covering such a r e a s a s v e n t i l a t i o n , s a n i t a t i o n , l i g h t i n g , explosion
and f i r e , and t o x i c m a t e r i a l s .
Some organizations, such as AEC, have adopted a l l a p p l i c a b l e public stan-
dards, published i n t e r n a l standards, and have gone so far a s t o promulgate NSC's
comprehensive Manual as an i n t e r n a l guide (although it i s not w r i t t e n i n stan-
dards fashion). Larger organizations f r e q u e n t l y publish i n t e r n a l guides c l o s e l y
r e l a t e d t o t h e i r operations, e.g., Sandia's Laboratory Guide.
Provision i s customarily e s t a b l i s h e d f o r s a f e t y engineering review of all
plans, but such review of completed plans i s too l a t e t o have maximum b e n e f i t .
/
The previous "best p r a c t i c e " should be augmented with t h e a n a l y t i c process

emerging.
The long-term r o l e of standards i s c a l l e d i n t o question by system s a f e t y
analysis. The goal i s a desired degree of s a f e t y , r a t h e r than simple confor-
mance with some standard. The day is not near when standards w i l l not be
needed, but t h e day i s here when they can be s e e n ' a s minimal.
It may a l s o be wise t o conceive of l e v e l s of standards--provide u l t r a -
high r e l i a b i l i t y standards f o r s p e c i a l needs, as f o r example f o r cranes around
such l o c a t i o n s as r e a c t o r s , space equipment o r s t e e l f'urnaces.
I n general, performance s t a n d d s a r e t o be preferred over specification
standards, because the former a r e l e s s l i k e l y t o i n h i b i t improvement. Perfor-
mance standards of certain types, such as AEC's radiation standards and OSHA's
c e i l i n g and exposure values f o r hazardous materials, a r e capable of being
s t e a d i l y raised as evidence warrants, and thus can be i n the nature of ggals,
s t e a d i l y r i s i n g minima. Thus, an organization's i n t e r n a l s t a n d d s should
specify values higher than l e g a l minima.
It would be i n t e r e s t i n g t o see w h a t would happen if a buyer asked a
machine manufacturer t o not only conform t o l e g a l codes but also supply a
Failure Mode and Effects analysis f o r h i s product!
1. d. Specify Information Search

The f a i l u r e t o require an information search i s probably the most glaring
single weakness i n a typical hazard analysis process.
During t h e Aerojet trials, a v a r i e t y of i n f o n a t i o n search methods were
t r i e d , some with considerable success, others handicapped by weaknesses i n
both national and l o c a l systems (as discussed i n Part ~ 1 1 1 ) .
Developments by May 1972 made it f e a s i b l e f o r the Aero j e t ' s ROD Manager
t o specify t o engineering divisions t h a t future proposals must contain the
f ollouing presentat ions on information search :
Incidents - a search of, and use of:
a. RDT Incidents
b. RSO Incidents t already key-word coded)
RSO #15 i s now key-word coded)
Codes. Standards. and Recommendations: L i s t those found applicable
and applied.
Change and Counterchange Display.
The l a s t item derived from the proofs i n two accident/incidents which c l e a r l y
resulted from uncontrolled and/or uncompensated changes.
The work thus f a r suggests the following d r a f t protocol f o r information
search :
1. The design u n i t originates an information search doulment which includes:
a. Description of the project i n sufficient d e t a i l t o include l i k e l y key-
words t o r e t r i e v e p r i o r experience. Where appropriate, t h i s includes
l i f e cycle use estimates and accident and e r r o r projections.
b. L i s t of known controlling documents:
(1)AEC, including Operating Limits and Tech ,Specs.
(2) Corporate documents , policies and procedures.
(3) ANSI, OSHA, ASME, ASTM and other codes and standards.
c. Preliminary Gross Hazards Analysis
(1) L i s t problems and p r i o r experience i n solutions.
(2) L i s t recognized information gaps f o r search a t NSIC , NASA, NSC,
i n t e r n a l sources, customers o r other sources.
Safety u t i l i z e s the above document t o produce:
a . Copies of relevant accident/incident and e r r o r reports of any nature.
Analysis there of.
b. Notations of additional relevant codes, standards, and other docu-
mentation.
c. L i s t of JSA controls available t o supplement the procedures.
d. Other comments and suggestions, including i n t e r n a l sources of exper-
t i s e , where pertinent.
Where necessary, conducts information search on non-nuclear, non-reactor
task components, as well as nuclear aspects.
R & QA performs similar review, i n particular providing l i s t s of
relevant incidents.
Line Management review supplies three needs:
a. Incident reports not elsewhere available,
b. Safety operation anomalies, requirements, and needs from use of
similar equipment,
c. Liaison designees f o r the l i f e of the project.
Upon completion of project, the information search record i s forwarded
a s an appendix f o r managemnt and independent review.
I n order t o maximize the scope a d value of the information search, a s much
a s p r a c t i c a l of the Conceptual phase should be included above, f o r example:
Specification of tolerable r i s k s :
a . Safety -
probability goals.
b. Performance -
e s s e n t i a l i t y classes, f a i l u r e s and e r r o r r a t e s and goals.
Energy reductions and limitations, where practical.
Substitute processes and energies.
Problems t o be l i s t e d include those of:
a. I n s t a l l e r s , constructors, fabricators,
.
b Adjacent employees ,
c . Downstream users, including t r a n s i t i o n t o new methods,
d. Environmental impacts, including r e s u l t s of abnormal operations.
Quantification of sglected variables i n f a i l u r e analysis i s useful, but
a l s o fraught with danger when variables omitted a r e of substantial s i g n i f i -
cance. I f the e f f e c t s of "no information search" and "no c r i t i c a l incident
studies" a r e taken together, the r i s k from unrecognized causes approaches
c e r t a i n t y of f a i l u r e .
1. e. Life Cycle Analysis

The l i f e cycle concept has t o be used f o r a time t o f u l l y appreciate its
tremendous potential f o r changing action. Essentially it b a r d s against two
weaknesses:
1. Failure t o see subsequent events as a design and plan responsTbility,
e.g., r e l i a b i l i t y of components, maintainability, and safe disposal.
2. Failure t o see the t r u e s i z e of a hazard over time.
We have a l l met designers who say, " I t ' s not my f a u l t , i t ' s the damn fools
who use them." But the new concept (and it i s finding i t s way i n t o law) says
. . -, - - - . "----
the designer o r the decision-maker can do something about hazards throughout
the l i f e cycle.
The l i f e cycle a l s o produces numbers of p o t e n t i a l accidents which a r e an
order of magnitude l a r g e r than the so-called normal expectation, o r the "hunch,"
o r t h e uncalculated r i s k . And, i f we equate action t o magnitude, a s we t r y t o
do, w e ' l l get a l o t more action out of l i f e cycle estimates.
I n t e r e s t i n g l y , one of the management p o l i c i e s o r i g i n a l l y assembled by NSC
includes the following:
"... Safety s t a r t s with planning and continues through design, purchasing,
fabrication, construction, operation and maintenance ... "
Besides l i f e cycle phases, the scope of l i f e cycle would include, not
only the prime mission equipment, but a l s o check out and t e s t equipment and
procedures,facilities f o r operations, procedures f o r operation, selection of
personnel, t r a i n i n g equipment and procedures, maintenance f a c i l i t i e s , equip-
ment and procedures, and product support.
The power of l i f e cycle numbers can be i l l u s t r a t e d i n two ways:
Probability of trouble,
t h i s machine, today - P (a small number)
100 machines - loop
f o r a year - 25,OOOP
f o r the l i f e cycle - 100, OOOP
200,000P
500, OOOP
Estimates of uses form a basis f o r e r r o r r a t e s .
The " l i f e cycle par" f o r 1,000 employees f o r 20 years f o r c e r t a i n i n d u s t r i e s
would amount t o :
"LIFE CYCLE PAR" All Manu- Electric Construc-
Industries f acturing Utility tion
Dead 4 1 8 15
Permanent I n j u r i e s 31 25 23 62
Disabling I n j u r i e s 575 1,300 500 500
Other medical I n j u r i e s 2,500 1,800 2,000 4,500
Direct Costs $900, 000 $~OO,OOO $~O,OOO $~,~OO,OOO
Total Costs $2,050,000 $~,~OO,OOO $2,000,000 $4,500,000
And f o r high r a t e companies, the t o t a l s would be two or three times a s great.
It i s not uncommon f o r large f a c i l i t i e s t o be used longer than o r i g i n a l l y
planned, o r t o maintain good performance with stretched out maintenance schedules
avidso son, 1970) . Therefore, c a r e f u l a t t e n t i o n t o p o t e n t i a l or l i k e l y extremes
i n uses w i l l . d
. i c t a t e augmented safety f a c t o r s .
- 265 -
1. f . General Desim and Pla,n C r i t e r i a - see Chapter 27
The conceptual phase terminates i n i n t e r n a l and/or independent review
t o ensure t h a t t h e project is ready t o move t o the design and development
phase.
Some future standaxds and information needs a r e d i f f i c u l t t o f i l l within

short-term constraints of a project. Long-term R D i s needed, as has been
recognized i n r e a c t o r development.
Two examples r e c e n t l y supplied by a B r i t i s h petroleum engineer are
illustrative:
Blanketing tanks with i n e r t gas w a s experimentally applied t o small
tankers and t e s t e d methods were then available f o r super-tankers.
Off-shore o i l d r i l l i n g should a n t i c i p a t e t h e p r o b a b i l i t y of deep
water wells and i n i t i a t e developmental research.
These i l l u s t r a t i o n s suggest thad an organization formally i n i t i a t e t h e
c o n c e ~ t u a lDhase of long-term pro.iects NOW so t h a t needed R & D g e t s s t a r t e d ,
I
The conceptual phase provides major s a f e t y inputs--analysis plan and .
methods, requirements and information. Design and development a r e the pro-

cesses of using t h e s e inputs.
When t h i n g s go wrong, we can be protected by redundancy, f a i l - s a f e
devices, and monitors which s i g n a l , but was t h e r e f u l l - s c a l e a p p l i c a t i o n of
such p r i n c i p l e s ? B a s i c a l l y , r i s k reduction p r i n c i p l e s a r e i d e n t i c a l with
present occupational s a f e t y content, but were techniques and p r i n c i p l e s f u l l y
applied? If t h e a n a l y t i c s a r e properly executed a t l e a s t p a r t i a l answers
w i l l be supplied i n the d e t a i l e d l o g i c and q u a n t i f i c a t i o n ,
Analytic l o g i c f o r evaluating Design i s shown i n MORT--page 3 ( G C ~ )
f o r design system and page 5 ( s D ~f)o r a c c i d e n t s , as well a s i n t h e revised
l i s t form i n Chapter 23, Note t h a t b a r r i e r s and amelioration, analyzed
s e p a r a t e l y i n accident i n v e s t i g a t i o n , a r e p a r t of t h e design process.
2.a. Enerm Control Procedures *

(1) Unnecessary exposed hazards.
(2) Design.
Analysis of "Structure Failed" u s u a l l y involves t h r e e elements of s t r e s s :
( a ) Energy Supply (which may be l i m i t e d i n t h e conceptual s t a g e o r by c e r t a i n
c l a s s e s of automatic c o n t r o l s ) , Energy Control (which i s diagrammed), o r (c)
Safe Release and B a r r i e r s and Amelioration (which a r e shown a s separate opera-
tions i n t h i s analysis).
Note t h a t stress i s produced when supply changes, and c o n t r o l and r e l i e f
a r e inadequate. Were t h e r e changes i n energy o r s t r u c t u r e ?
(3) Automatic Controls. (Also see MORT, page 5 .)
Note t h a t c o n t r o l s must be checked a s t o concept and design. A point f r e -
quently made by t h e system a n a l y s t s can be i l l u s t r a t e d here:
If a safeguard has a f a i l u r e p r o b a b i l i t y 1/1,000
and a redundancy i s added with 11500
we a t t a i n a Pf of 1/500,000.
Then, i f another redundancy i s added with 11800
we a t t a i n a Pf of 1/400,000,000.
They make t h e point t h a t more can probably be gained by skipping t h e second
redundancy and going t o another p a r t of t h e system., where pure oversight
may be t h e problem,
* See ASSE, Bibliography (1967) f o r extensive references on c o n t r o l techniques.

Since good accident a n a l y s i s w i l l o f t e n show a number of possible safe-
guards a t s e v e r a l points, t h e above concept i s h e l p f u l i n bringing f i n a l
recommendations down t o an optimum course of action.
(4) Warnings. ( ~ l s osee MORT, page 5. )
I n t h e hierarchy of t h e Safety Precedence Sequence, t h e t h i r d item,
"Warnings" seems r e l a t i v e l y weak. However, t h e frequency with which a c c i -
d e n t s a r e followed by recommendations concerning signs, l a b e l s , e t c . , sug-
g e s t s t h a t t h e presence o r absence of warnings a t t h e point of operations be
a consideration i n hazard a n a l y s i s and JSA, and be systematized and q u a n t i f i e d
i n accident i n v e s t i g a t i o n s . Warnings can be categorized a s p h y s i c a l o r human,
and dynamic o r s t a t i c .
Dynamic warnings include :
1. s i g n a l s , l i g h t s , b e l l s ,
2. gauges with red l i n e s ,
3. lock out o r t a g outs,
4. change s h e e t s .
S t a t i c warnings include:
1. Labels, c o l o r s ,
2. Data on magnitudes, c a p a c i t i e s o r operating l i m i t s , energies,
3; Procedural s t e p s ,
4. Requirements, such a s goggles.
Accident h i s t o r i e s suggest t h a t red l i n e s be more l i b e r a l l y used, a s simple
sometimes a s a s t r i p e of red f i n g e r n a i l polish.
J i g s , e t c . , may be classed a s warnings because they prevent e r r o r a s w e l l
a s f a c i l i t a t e performance.
(5) Manual Controls ( ~ l s osee MORT, page 5 ) .
(6) Safe Energy Release.

(7) B a r r i e r s .
Review Chapter 2 on t h e b a r r i e r idea. The f i r s t f o u r b a r r i e r s a r e d e f i n i t e
p a r t s of Concept and Design. What about t h e next four? They, too, can be
handled i n Design. Consider each kind of b a r r i e r s e p a r a t e l y f o r p o t e n t i a l use,
and consider b a r r i e r s between energies a s w e l l a s f o r people and objects.
Note t h e HE Press Explosion i n Appendix A. It shows a check of B a r r i e r s
f o r d i f f e r e n t c l a s s e s of persons and objects. Don't overlook questions of
shock absorption and how shock could be cushioned.
The notion of B a r r i e r s , both t o separate energies and t o p r o t e c t people
and o b j e c t s should be most c a r e f u l l y considered f o r each point i n the energy
sequence. This a n a l y s i s t e s t s t h e s k i l l and imagination, and has already been
shown t o be a provocative and c r i t i c a l s e r i e s of questions i n accident i n v e s t i -
gation.
'What might be called the "valve comedy" i l l u s t r a t e s a number of ideas.
A valve i s , of course, one example of possible b a r r i e r s . However, from a
design standpoint t h e standard symbol f o r valves should have a t a g attached:
Labeling, s i g n a l l i n g , shape as well as color coding, operating mode f l a g s ,

locks and i n t e r l o c k s , and automation a r e a l l examples of possible outputs of
processes above and below t o counteract frequent and seemingly i n e v i t a b l e e r r o r .
b. Human Factors Review (see Chapter 26).
c. Maintenance Plan (see MORT, page 6, SD3 ; a l s o see Chapter 31. )

Design f o r maintainability and i n s p e c t a b i l i t y should be given careful
consideration, as should t h e s p e c i f i c a t i o n of maintenance and inspection
methods, schedules and competencies.
d. Inspection Plan (see MORT, page 6, 3 ; a l s o see Chapter 31)
e . Arrangement. This possible deficiency i s l i k e Human Factors Engineering.

If there i s no study, the f a i l u r e s may not be apparent. Here we consider
space, proximity, crowding, convenience, order, freedom from interruption,
enclosures, work flow, storage, e t c .
f . Environment. Here we consider p a r t i c u l a r l y t h e physical s t r e s s e s (such

as those c i t e d i n human f a c t o r s reference material) as they may a f f e c t people
o r things.
g. Operability Specifications i n t h e seven a r e a s specified i n the MORT dia-

gram, and emergency plans. A few of these items need comment:
(1) Test and Qualification. The "dry run" o r demonstration proves out,
not only a l l associated hardware, but a l s o procedures - checks f o r oversights,
a d j u s t s t o f i n a l arrangement, and should provide some p a r t i c i p a t i o n .
(3) Procedures C r i t e r i a . I n general, engineers and designers are not
aware of t h e i r l i m i t a t i o n s i n w r i t i n g procedures f o r operating personnel, nor
of the need f o r selectionand t r a i n i n g c r i t e r i a f o r operators (not the same a s
t h e engineers), nor of supervisory problems. Therefore, l i a i s o n with operators
and independent review (and inputs) a r e needed. (see Chapter 32. )
(8) Emergency Plans a r e shown on pages 4 and 6 of t h e MORT diagrams and
discussed i n Part V I I .
h. Change Review hocedures. The a u t h o r i t y f o r changes and t h e review pro-

cedure t o be followed should be specified. Accident r e p o r t s give shocking
evidence of t h e important r o l e of unauthorized and undetected changes i n equip-
ment (see f o r example Appendices A-1, 2 and 4). It seems j u s t p l a i n nonsense
t o w a i t f o r a s e r i o u s accident before specifying change review requirements.
Aerojet has extensive a n a l y t i c and review requirements f o r modifications o r
changes i n i t s r e a c t o r s , and extends t h e same o r similar requirements t o non-
r e a c t o r work. The l a t t e r i s e f f e c t i v e on p r o j e c t s costing $2,000 o r more,
and many below t h a t l e v e l .
Change dockets on engineering drawing's a r e a routine requirement. A
consulting engineer r e p o r t s t h e docket i s h i s first s t e p i n trouble shooting.
There i s considerable indication t h a t change dockets at t h e point of operation
would be a redundant safeguard and an aid i n inspecting and trouble-shooting.
I n system parlance, change review should cover "f o m , f i t and function"
on up t h e part-component-subsystem chain t o a point where no change i s demon-
strated. Figure 5-3 w i l l help i n change review.
i. Disposal Plan. Disposal plans can include c r i t e r i a f o r aged, obsolete

equipment, as well as s a f e disposal.
.
j . Independent Review (see Chapter 28). -
k. Confipzlration Control. A s normally understood, configuration control i s
expressed by Aerojet i n t h e following terms:
"Establish uniform procedures which w i l l assure:
a. The proper review and documentation of modifications t o t h e
r e a c t o r s and associated f a c i l i t i e s .
b. The review of t h e procedures used i n t h e operation of t h e
plants .
"Use a controlled r e l e a s e design drawing and s p e c i f i c a t i o n system t o docu-
ment design changes t o the r e a c t o r s and associated f a c i l i t i e s .
"Accept, f o r use with t h e reactors, sponsor furnished systems and equip-
ment on t h e b a s i s of s p e c i f i c a t i o n s and design drawings provided by the
sponsor and approt'ed by t h e Manager, Test Reactor Operations Division."
The broader problem of maintaining a c t u a l control over plant configura-
t i o n s a t a l l times extends across a l l problems of design implementation of
requirements, through manufacture, transportation, i n s t a l l a t i o n , maintenance,
changes and f i e l d operations. A Configuration Control Analytical Tree
( ~ x h i b i t3) w a s developed by Rw J. Nertney. This type of t r e e i s , i n e f f e c t ,
a double-check on the adequacy of the e n t i r e system f o r controlling hardware.
Exhibit 3 can a l s o be useful i n accident investigation t o pin-point f a i l u r e
modes. Manufacture and transportation (covered by Aero j e t i n design specif ica-
t i o n s f o r manufacturing control, t r a c e a b i l i t y of p a r t s , pre-installation
inspection, e t c . ) are not shown. I f needed, the a n a l y t i c processes f o r manu-
f a c t u r i n g and transportation a r e t h e same as is shown f o r i n i t i a l i n s t a l l a t i o n .
1. Documentation. W e f i n d i n NASA plans t h i s statement:

"Effective application of System Safety requires c a r e f u l planning and
the preparation of appropriate documentation."
I s t h i s d i f f e r e n t than the emphasis on written i n s t r u c t i o n s which we have
seen i n outstanding s a f e t y programs? Yes, it is. The documentation of safety
c r i t e r i a and decisions by stages (preliminary analysis, d e f i n i t i o n , design and
preliminary development, and development and operations) i s more l i k e l y t o
expose assumptions (or hunches) which g e t l o s t i n the f i n a l document o r plan.
Additionally, there i s greater emphasis on the importance of d e t a i l e d
documentation.
During t h i s study, serious accidents have often shown very weak documenta-
t i o n on design and t e s t of the equipment involved. Investigators must then
guess a s t o what went wrong i n the design and t e s t process.
m. General Design Process (see Chapter 27) .

n. Fast Action, Fxpedient Cycle. Seemingly the more t h a t i s pre-scribed,
regarding hazard analysis, the more i s the compulsion t o emphasize the need f o r
the kind of quick, expedient hazard removal which has characterized the effec-
t i v e safety engineer. This extends t o the "stop operation" authority which
safety s t a f f s should have, acting through l i n e authority, but c u t t i n g across
channels a s hazard warrants. However, f a s t action expedients a r e f a r from a
s u b s t i t u t e f o r the improvements which r e s u l t from a we11 planned haeard
analysis cycle.
"Fast Action a t the trouble spots" has been said t o be the mark of a good
manager. Certainly it i s a l s o the mark of a good safety professional. Prompt
and aggressive pursuit of an important hazard reduction i s a necessary ingredi-
ent. "Before the f a c t " action i s cheapest i n the long run, even i f organizational
procedures a r e short cut.
Time delay between hazard detection and reduction i s a quantifiable item
f o r safety program measurement.
Questions on Planning and Hazard Review. From the preceding material the
following kinds of specific questions develop:
Date of last thorough hazard review? By whom? Review and approval,
by whom? Documentation?
1. With respect t o physical design:
a. Was the hazard identified?
b. What methods of control were u t i l i z e d ?
c. What methods of control were studied but found impractical?
d. Was any research f e l t necessary? Had it been i n i t i a t e d ?
e. What public o r private standards were applicable? Were they followed?
I f not, describe the process of approval u t i l i z e d f o r exceptions?
f. If process was hazardous, was remote operation possible?
g. Could manual handling be replaced by mechanical handling?
h. Could the task (or steps i n the task) be eliminated? How?
i. I f equipment o r components we* purchased, describe hazard review
procedure requixed of, o r u t i l i z e d by, t h e manufacturer.
2. With respect t o safety devices (fail-safe, redundant, guards, etc.) :
a. What safety devices were provided?
What safety devices were studied and found impractical?
b. What standards were applicable? Followed? Exceptions, how
approved?
3 . With respect t o warnings (gauges, instruments, audible and v i s i b l e
signals, operating l i m i t s , etc.):
a. What dynamic signal devices were provided? Were red l i n e s clear?
b. Were c r i t i c a l operating l i m i t s c l e a r l y posted? Were operating
l i m i t s controlled automatically or manually?
4. With respect t o human factors evaluation:
a. Were the t a s k and controls analyzed f o r e r r o r p o s s i b i l i t i e s ? When?
By Whom? Describe experience o r training i n human factors engineering.
b. Were controls, instruments and procedures the same f o r a l l similar
equipment? I f not, had differences resulted i n errors?
5. With respect t o procedures:
a. Were the procedures written, or oral?
b. Were they adequate and complete? Were they correct?
6. were emergency procedures:
a . Written o r oral?
b. Adequate and complete?
WHAT ELSE ?
WHEN ANALYSIS ENDS, ALL ELSE IS HUNCH !

26, HUMAN FACTORS REVIEW
Error w a s s t a t e d t o be a major causal f a c t o r i n accidents i n Chapter 4,

The f u r t h e r purpose of t h e e a r l y material was t o suggest by discussion o r
examples some s p e c i f i c approaches t o e r r o r reduction--for example, Rlgby's
categories of e r r o r tolerance limits (page 52) and Swain's work s i t u a t i o n
approach (page 51).
The organiz,ationts policy posture regarding e r r o r and human performance
was discussed i n Chapter 11, pages 122-24. Extending t h e policy discussion:
The reduction of e r r o r s i n the design, manufacture, t r a n s p o r t a t i o n ,
storage and use of thermo-nuclear weapons i s a matter of such over-
whelming importance t h a t the Sandia Laboratories of AEC have a "human
f a c t o r s " group which i s i n t h e Human Factors and Q u a l i t y Control Division
of t h e R e l i a b i l i t y Department. They make q u a n t i t a t i v e estimates of t h e
influence of human performance on t h e r e l i a b i l i t y and s a f e t y of nuclear
weapon systems. The philosophy and p r a c t i c e of t h i s group, sometimes
c a l l e d t h e "work s i t u a t i o n approach," a s contrasted with a "motivational
approach," i s consistent with findings of human f a c t o r s s p e c i a l i s t s i n
o t h e r a r e a s of work. Yet, the approach, which i s more o r l e s s a policy
aspect of weapons work, i s not widely, e x p l i c i t e l y , o r c o n s i s t e n t l y
used i n AEC programs. Some major s a f e t y gains could, therefore, be
anticipated from a conscious application of Sandia-AEC p r a c t i c e s t o
work i n general.
I n t h i s chapter we consider possible expedient ways i n which human fac-
t o r s c r i t e r i a can be applied t o planning and investigation i n t h e absence of
a corps of experts and s p e c i a l i s t s .
I d e n t i f i c a t i o n of s i t u a t i o n s which might have been improved by Human Fac-
t o r s Engineering o r Review i s one of t h e most d i f f i c u l t a n a l y t i c problems,
given the l a c k of professional HFE review i n most s i t u a t i o n s . Experience
i n d i c a t e s t h a t accidents previously a t t r i b u t e d t o "unsafe a c t s " a r e often
reduced a f t e r human f a c t o r s review and correction. This implies t h a t the
previous d e s c r i p t i o n of "unsafe a c t s " was l a r g e l y i n c o r r e c t , and t h a t we r e a l l y
had an "error-provocative" s i t u a t i o n , and therefore an "unsafe condition."
However, i n the absence of HFE professional review, how can the r e a l s i t u a t i o n
be appraised?
The obstacles t o simple approaches t o human f a c t o r s (ergonomics a s i t
is known i n ~ n k l a n d )were r e c e n t l y shown graphically by Dukes-hbes (1972).
He charted an ergonomic process whereby:
1. Fou'r basic s c i e n t i f i c f i e l d s
2, Break down i n t o e i g h t relevant major f i e l d s , which i n t u r n feed
3. Twenty-two s c i e n t i f i c s p e c i a l t i e s , which i n t u r n a r e synthesized i n t o
1% \ 4. Six major a r e a s , and i n t u r n
i
5. Create a science of ergonomics o r human f a c t o r s
6. Applicable i n t h i r t e e n i n d u s t r i a l areas and eleven non-industrial areas.
. .. . - - - +----
Quite a "ball of worms" f o r threshold o r minimal entry i n t o the f i e l d .
On the other hand, large numbers of specific applications a r e extremely
simple, f o r example:
1. Design of connectors i n e r r o r proof ways,
2. Shape coding of controls,
3. Numerical r e g i s t e r s r a t h e r than d i a l s ,
4. Controls convenient t o the small, f i f t h percentile users.
Some other recent examples of human factors f a u l t s may be helpf'Ul:
A small d i a l was cheaper than one with a larger face, so the small one
was chosen.
A new d i a l i n an old location was i n s t a l l e d without any red f l a g t o
signal the change.
Instrument and control were separated by 20 f e e t , ard around a corner.
Spurious signals f o s t e r disregard f o r alarms.
Unnecessarily t i g h t control l i m i t s create undue s t r e s s .
The HE Press accident i n Appendix A poses some human f a c t o r and e r r o r

r a t e questions.
Are there any simple questions which can be asked about an accident (or
a work s i t u a t i o n ) which would t r i g g e r an i n i t i a l grasp of the r o l e of human
factors? There i s a major task i n reducing HFE t o some simple key concepts
which managers, s c i e n t i s t s and supervisors can use a s they analyze work
situations. The material i n Chapter 4 provides some insight and guidance.
Garrick (1967) reports some general guidelines and c r i t e r i a :
"1. Human e r r o r r a t e increases a s a function of the constraints and demands
imposed on the operator.
"2. Human e r r o r r a t e i s d i r e c t l y proportional t o the length of tasks and
procedures; the number of controls and displays t o be operated; and the
number of communications, decisions, and calculations required by a system.
"3. The f a i l u r e of system elements, both human and equipment, should be
evaluated by f a i l u r e mode and effect analyses. Such analyses not only
evaluate the e f f e c t of human e r r o r but point out how it may be eliminated
or reduced i n e f f e c t .
"4. Although the trend i s t o automated systems t o remove the human factor
(the l e s s predictable element), it i s generally desirable t o incorporate
human backup and consider it i n r e l i a b i l i t y evaluations.
"5. The greatest source of human e r r o r i s generally found t o be i n the
design, fabrication, and inspection of equipment (up t o 80$) . Subsequent
t o s t a r t of normal operation, human e r r o r r a t e can be expected t o be
r e l a t i v e l y low as a d i r e c t cause of equipment or system f a i l u r e . Experi-
ence indicates t h i s t o be the case i n view of many design modifications,
repairs, and adjustments made during pre- and post-acceptance testing.
"6. Experience indicates t h a t human i n i t i a t e d f a i l u r e s should decrease
with completion of acceptance t e s t i n g and became completely random with
onset of normal operation.
"7. Human e r r o r s of a given type do tend t o repeat themselves i f the
f a c t o r s responsible f o r them a r e not corrected. These e r r o r s are symp-
tomatic of underlying defects i n design, procedures, o r personnel policies."
Garrick's t h i r d point is of critical'importance i n system safety analysis,

p a r t i c u l a r l y since so many analysts f a i l t o study the human role.
I n c r e a s i n ~Human Factors Capabilities. W e can conceive of three l e v e l s
of s k i l l which ought t o be equated t o s i z e of the problem:
1. Human f a c t o r s d e n t i s t s - - f o r example, those working i n the weapons
and some reactor programs.
2. Engineers and psychologists with HFE training--e.g., the short courses
a t University of Michigan or a t Sandia. ( ~ a n d i aa l s o has a one semes-
t e r , college l e v e l course, once. a year. )
3 . Other professionals without special training, but using checklists, etc.
Aerojet has one s c i e n t i s t i n the first category, and has begun a program
of t r a i n i n g i n t h e second category. The s c i e n t i s t has, over the years, given
l i t e r a t u r e and information, and some t r a i n i n g t o many personnel.
Swain (1970) has also spoken of the need f o r a team i n human f a c t o r s analysis
of systems o r tasks -
human factors s p e c i a l i s t s , engineers, operations research-
e r s , and others. !Be a c t u a l use of such a team would depend on the importance
of the t a s k and mission, but the competencies involved can be brought t o bear
a t a l o w l e v e l of hazard t o support longer-term mission fulfillment.
The c r i t e r i o n f o r minimum good practice seems t o l i e i n the compilation
and improvement i n use of design notebooks relevant t o the particular o r g a n i a -
tion. The costs should quickly be returned i n reduced error.
For present purposes some references l i k e l y t o be available t o safety
professionals seem t o f i l l that need : Brody, Currie, McFarland, Tamants, Surry,
Vilardo , plus two NSC manuals--f o r Industrial Operations and f o r Industrial
Hygiene. A longer, more general bibliography is provided as Appendix F, a s
well a s i n ASSE Bibliography (1967).
Within the AEC complex, a v a r i e t y of studies have been produced by Swain
and associates a t Sandia and Nertney a t Aerojet. See, f o r example, Description
of Human Factors Reports, Sandia Laboratories, 1970. I n the past year, Swain
produced a new t e x t , Design for Improving Human Performance i n Production, a
most useful summary of h i s "work situation" approach (but the t e x t i s unfortu-
nately only available from ond don) .
It is hard t o conceive t h a t any r e p e t i t i v e task of even moderate impor-
tance should not have a t l e a s t minimal. checklist review--this should be an
analytic criterion. How could even an amateur use of checklists do harm?
During t h e t r i a l s an i n c i d e n t demonstrated t h a t preventive a c t i o n i s
o f t e n q u i t e simple. An instrument technician put a repaired instrument pack-
age i n t o place i n a panel, but plugged t h e package i n t o t h e wrong socket,
t h u s s h u t t i n g down t h e process. Corrective a c t i o n : shorten the cord. Many
s i t u a t i o n s seem t o be of t h i s common sense type, r a t h e r than needing an in-
depth study. Therefore, a simple s e n s i t i v i t y t o t h e r o l e of human f a c t o r s
may be h e l p f u l .
The a n a l y t i c process shown i n t h e MORT diagram, page 6 (and reproduced
a s Figure 26-l) , confirms t o some key elements described i n HFE l i t e r a t u r e .
Its value i n i n v e s t i g a t i o n s by o t h e r than HFE s p e c i a l i s t s has been only
p a r t i a l l y tested.
What is c e r t a i n i s t h a t s p e c i f i c t a s k a n a l y s i s (as contrasted with more
general a n a l y s i s ) , estimation of e r r o r r a t e s and diagnosis of e r r o r causes,
can be constructive and successful i n reducing e r r o r s .
a1 Professional S k i l l s LTA. From the above defined l e v e l s of s k i l l s ,

determine whether t h e minircm l e v e l of c a p a b i l i t y i s present and has been used.
a2 D/N Describe Tasks. Step-by-step a n a l y s i s is a f e a t u r e of even Job

Safety Analysis a t t h e c r a f t l e v e l . But, of t h e designer, we can ask such
questions as:
For s t e p 1: How does operator know when t o a c t ? What t o do? When h e ' s
finished? What t o do next?
For s t e p 2: Repeat.
By t h i s a n a l y s i s we begin t o d e a l with t h e g r e a t range of v a r i a b i l i t y I
t a s k s , and the concept t h a t e r r o r s a r e t a s k s p e c i f i c .
a3 Allocation man-machine t a s k s LTA. Man excels a t some t a s k s , and i s

f l e x i b l e ; machines e x c e l a t o t h e r t a s k s . Checklists and a n a l y t i c processes
exist t o help allocation. Was anything done a t t h i s stage?
Juran (1964)~ speaking of business functions generally, provides a u s e f u l
s e t of c r i t e r i a (broader than t h e u s u a l man-machine c h e c k l i s t s ) a s t o where
various kinds of t a s k s can b e s t be assigned i n v i s u a l i z i n g a job a n a l y s i s .
As modified, h i s l i s t i s shown a s Figure 26-2.
Swain (1970) presents a number of man-machine a n a l y t i c formats t o be used
i n conjunction with a t a b l e of c r i t e r i a f o r man-machine trade-off consideration.
a 4 D/N E s t a b l i s h Man-Task Requirements. (see Rigby's d e f i n i t i o n s , page 2 ) .

The l a c k of usable t a s k d e f i n i t i ~ ~has
s been n o s t r e v e a l i n g when Rigby's
c r i t e r i a a r e applied.
- 278 -
Figure 26-2. Allocating Work Functions.
MACHINE, Etc. SUPERVISOR

Repetitive No standards
Standardized Changes
No judgment Human r e l a t i o n s
Hardware r e l i a b l e Coordination
Rapid, c e r t a i n actions Cooperation w i t h others
Violations
OPERATOR Failures
Work s t a b l e not correctable
Problems foreseen m aj o r
Procedures established Responsible agent ( l e s s bounded)
C r i t e r i a simple
Training p r a c t i c a l MANAGEMENT
"Self containeii" Process under control?
P a il u r es Budgets
correctable Risk decisions
minor Re sponsible agent (unbounded)
P a t t e r n recognition
Responsible agent (bounded)
Much human f a c t o r s study has been concerned with r e l a t i v e l y simple

tasks. The t a s k s of a highly s k i l l e d professional o r technician when opera-
t i n g complex process equipment present some unusual problems reported by
Rasmussen (1969). From a n a l y s i s of accidents i n nuclear i n d u s t r i e s and a i r
t r a n s p o r t , he offered t h e following o b s e k a t i o n s :
.
"Most of t h e accidents a r e i n i t i a t e d during periods with non-routine
operations (e g. , i n i t i a l operation, experiments, maintenance). Only
a few a r e r e l a t e d t o operational conditions t h a t have developed i n t o
routine, and they a r e a l l i n i t i a t e d by technical f a i l u r e s .
"Accidents i n i t i a t e d by human maloperation amount t o roughly three
q u a r t e r s of t h e t o t a l number of reported cases, and only i n a few cases
do simple accidental operations o r manipulations seem t o be of e s s e n t i a l
consequence, presumably because such simple maloperations have been fore-
seen and taken i n t o account during system design.
"In nearly a l l cases the operators would have been a b l e t o make an appro-
p r i a t e decision and c a r r y through t h e a c t i o n if t h e a c t u a l s t a t e of t h e
system had been known t o them.
I'T
...
~n approximately one t h i r d of t h e cases
not been followed.
...
a prescribed procedure has
A s such procedures a r e not operationallv optimal
i n normal circumstances, they a r e very l i k e l y t o be 'improved' by t h e
operator during h i s normal work a t t h e expense of s a f e t y margin.
"The majority of t h e f a i l u r e s can be a t t r i b u t e d t o t h e human operator
i n complex, non-routine s i t u a t i o n s when he has t o a d j u s t h i s procedures
while taking many parameters i n t o consideration.
"..the c r i t i c a l t a s k of t h e d i s p l a y system w i l l be t o support t h e oper-
a t o r i n t h e i d e n t i f i c a t i o n of h i s working conditions during abnormal
periods. " ( ~ m ~ h a s added is )
During t h i s study, i n c i d e n t s involving complex equipment i n non-operating
modes (i.e., no organieed d a t a display) showed that supervisors f a i l e d t o
c o l l e c t , organize and use a v a i l a b l e d a t a , and f u r t h e r had had l i t t l e guidance
on such tasks.
Personnel s e l e c t i o n c r i t e r i a , where v a l i d , w i l l emerge from t h i s function.
Few e r r o r s were found t o be emotionally cued i n a laboratory exercise,
(~mmons, 1957) suggesting t h a t objective a n a l y s i s of t a s k s and b e t t e r d e f i n i -
t i o n s may have strong bases.
bl ~hDefine Users. There i s a g r e a t range of human v a r i a b i l i t y . Was

w h a t was known about t h e employees who would be users, o r what could e a s i l y
be found out, defined and used i n design?
b2 Use of S t e r e o t m e s LTA. Here we begin use of t h e c h e c k l i s t s i n l i t e r a -

t u r e already cited. Were t h e c h e c k l i s t s used? Do any of t h e conditions i n
t h e accident v i o l a t e t h e stereotypes? For example, do we t u r n a control l e f t
t o move t h e device r i g h t ? Were controls coded by s i z e , c o l o r , o r shape?
b3. M. b5 Display. Mediation. Control r e q u i r e s t h e d i s t i n c t i o n of t h r e e

components of errors. This helps i d e n t i f y t h e s p e c i f i c remedy.
a 5 D/N & e d i c t Errors. A l l t a s k s seem t o have a basic human e r r o r r a t e

which i s r e l a t i v e l y consistent between t a s k s requiring s i m i l a s behavior e l e -
ments. The e r r o r rates have components of t h e types shown i n the MORT' dia-
gram, and the types help determine corrective action. Some t y p i c a l e r r o r
r a t e s from Garrick (1967) a r e a l s o provided i n Appendix E t o i l l u s t r a t e t h e i r
nature and range. Sandia has urged increased government support f o r c e n t r a l
error data stores.
The general dimensions of t h e e r r o r problem may be seen from (1) e r r o r
r a t e s from 1/100 t o 1/10,000 per t a s k , (2) 80-90% detected and corrected,
(3) 20-30% of remainder s i g n i f i c a n t , thus yielding (4) thousands of s i g n i f i -
cant e r r o r s per day i n l a r g e r establishments.
a4 b6 D/N Use Matrix is a c r y p t i c a l l u s i o n t o t h e T'HERP method, o r i g i n a l l y

developed by L. W. Rook (and reported i n ~ e c h t ) . The matrix as f u r t h e r
developed i s shown i n Figure 26-3.
The nature of t h e e r r o r , a s c l a s s i f i e d i n t h e matrix, becomes a guide
t o t h e nature of corrective action.
And, i f input and mediation a.re seen a s
information and information processing, and c o n t r o l as energy t r a n s f e r opera-
t i o n s , t h e a n a l y s i s becomes provocative f o r preventive measures.
Figure 26-3. System of Human Error Categories
I Behavior Com~onent
s of :
&
Due t o a c t s : Input Output

Mediation
(~is~lays) , (controls)
Intentional - incorrect
Intentional - out of sequence
Unintentional - a c t not
required
Omitted
Malevolent
Rigby f u r t h e r suggests a c l a s s i f i c a t i o n of e r r o r s with preventive implications:

1. Random - personnel selection, training, or supervision may help.
2. Systematic - one-sided l i m i t s , o r inadequate feedback, may be factors.
3 . Sporadic - our most d i f f i c u l t type, infrequent, not seemingly related
t o variables i n the work situation, not correctable by training or
indoctrination. Relations t o controllable conditions nnzst be found.
Hopefully, an organization's human f a c t o r s s k i l l s w i l l rapidly be up-

graded. However, i n the interim the above analysis should produce useful
ideas f o r plan review and accident analysis.
I n Part V I I , the Work Flow Process, we examine procedures, and how
they may be l e s s error-prone, and also the r o l e of supervision i n e r r o r
reduction.
Part VIII t r i e s t o integrate tabulatable aspects i n data collection.
27. DESIGN ORGANIZATION, FBLIABILITY AND QUALITY
Much of the safety analysis described i n the preceding three chapters
i s usually carried out by the basic design and engineering s t a f f . I n aero-
space, system safety i s sometimes a separate contract, subordinate t o the
primary design contract. In any organization, the s a f e t y group may have
s p e c i f i c defined functions, p a r t i c u l a r l y i n information search and always
i n independent review.
During the T r i a l s a t Aerojet safety was powerfully aided by competent,
well-organized design and engineering functions, and by the strong r e l i a -
b i l i t y and q u a l i t y assurance program. A s a matter of f a c t , it i s d i f f i c u l t
t o conceive t h a t Aerojet could have attained its present l e v e l of excellence
without well managed functions.
The engineering general c r i t e r i a i n the revised MORT are based d i r e c t l y
on an audit of the Engineering Division performed by R & QA according t o the
c r i t e r i a contained i n AECts RDT Standard 3'2-2T:
Concepts and Requirements .
General design and plan c r i t e r i a
(1) Design planning techniques
(2) Organizational and functional responsibilities
(3) Interfaces with operations, maintenance, t e s t organizations
(4) Definition of safety-related c r i t e r i a . (operating considerations and
a v a i l a b i l i t y , materials, fabrication, construction, t e s t , operation,
maintenance, and quality assurance requirements. )
(5) I n t e r n a l review.
De sian and D e v e l o ~ ~ n t
Procedures :
General design proqess
(1) Procedures f o r code compliance
(2) Procedures f o r use of new codes
(3) Procedures f o r use of information
(4) Engineering studies t o assure compliance of c r i t e r i a
(5) Identification of weaknesses and analysis of "trade offst'
( 6 ) Provision f o r preventive design features
(7) Standardization of p a r t s
(8) Qualification of non-standard p a r t s
( 9 ) Design descriptions
(10) Classification of items -
e s s e n t i a l i t y and safety
(ll)Acceptance c r i t e r i a
(12) Identification of items
(13) Interface control within design process
(14) Development planning
(15) Developmnt and qualification t e s t i n g
(16) Test control
( 17) Development review
(18) Failure reporting
It Is not uncommon, i n auditing o r reviewing a design process ( o r a manage-
ment o r work process) t o f i n d t h a t those doing t h e work a r e using some good
p r a c t i c e s not s p e c i f i c a l l y provided f o r i n t h e i r documentation. However,
l i t t l e permanent reliance can be placed on unstated, informal p r a c t i c e s .
They w i l l be highly variable with d i f f e r e n t persons and over time. Therefore,
s p e c i f i c c r i t e r i a and audited performance a r e indicated.
The basic l i n e r e s p o n s i b i l i t y f o r s a f e t y i s carried out i n t h e design
stage by staff groups, l a r g e l y engineering, but a l s o R & D groups. Since t h e
engineering groups do so much of t h e s a f e t y job and u s u a l l y do i t so well,
t h e r o l e of an independent s a f e t y function i s sometimes i n question.
It is argued t h a t design engineers can understand o r l e a r n t h e tech-
niques of s a f e t y , and t h i s is i n considerable p a r t t r u e .
Nevertheless, t h e independent s a f e t y function is believed necessary f o r
management assurance:
1. Benefits of design solutions should not be permitted t o obscure r i s k
and uncertainty. The l a t t e r commonly have weaker d a t a , and i f t h e
voice i s a l s o l o s t , unintended l a r g e r i s k s w i l l be assumed.
2. Designs and plans involve physical and human f a c t o r s . The r o l e of
human, s o c i a l and behavioral f a c t o r s i s u s u a l l y b e t t e r handled by
specialists.
The close r e l a t i o n s h i p of good design work and r e l i a b i l i t y i s appazent
i n an excellent s e t of p r o j e c t review c r i t e r i a prepared by an Aerojet r e l i -
ability engineer f o r use i n t h e independent review function. (see Exhibit 4.)
It must always be remembered t h a t there a r e p o t e n t i a l hazards i n r e l i e
a b i l i t y - s a f e t y trade-offs. For example, upgrading r e l i a b i l i t y t o continue t o
operate a process can impair protective systems. The goal must be protective
systems which do not f a i l , and which always work when called.
The R e l i a b i l i t y and Q u a l i t y Assurance function i s a strong complement t o
t h e s a f e t y program, and close mutual support i s evident a t Aerojet.
R & QA i s a l s o a preventive discipline--and uses problem reporting,
modern a n a l y t i c techniques f o r f a i l u r e and hazard i d e n t i f i c a t i o n and is con-
cerned with both engineered and human-based safeguards.
Safety and R & QA can mutually b e n e f i t from non-duplicative cooperation
i n design review, procedural control, construction/installation , operation/
maintenance, and t e s t (or t e s t supervision) f o r c r i t i c a l equipment, e .g. ,
cranes, pressure v e s s e l s , t e s t equipment, e t c . Recent AEC standards f o r R & &A
include material handling (#6) and shipping (#7 i n draft form). These have
already stimulated problem a n a l y s i s b e n e f i c i a l from a s a f e t y viewpoint.
Although design and production people perform major s a f e t y functions,
t h e r e i s ample evidence t h a t s a f e t y w i l l not g e t the a t t e n t i o n it r e q u i r e s
unless t h e r e i s independent s a f e t y review a t pre-established p o i n t s , "mile-
stones," i n t h e l i f e cycle process.
The independent review groups f i n d t h a t design and operations planners
do a b e t t e r job of s a f e t y when they know t h a t t h e r e w i l l be review, and t h a t
it w i l l examine two f a c e t s - analytic method and technology.
Plans which a r e s e n t forward should document r i s k reduction t r a d e - o f f s ,
and primary r e s i d u a l r i s k s , and should s t a t e what happens i n case of various
failures.
One head of a nuclear c r i t i c a l i t y review group emphasized:
The review group's r e s p o n s i b i l i t y t o search out, develop and s p e c i f y
a n a l y t i c technologies, and c i t e d examples.
Conventional s a f e t y approaches a r e negative, a s compared with t h e
p o s i t i v e approaches of providing a n a l y t i c technology and r e q u i r i n g
independent review.
Thus, t h e independent review (which i s a redundancy) should have i t s
i n t e r n a l redundancy - technology plus a n a l y t i c method - and method i s a safe-
guard of t h e t r u e independence of t h e review.
AEC has placed g r e a t emphasis on independent review beginning with
a u t h o r i z a t i o n of t h e r e a c t o r s themselves, and extending i n the f i e l d t o oper-
a t i o n s , modifications, procedures and personnel. Extremely high standards
a r e e s t a b l i s h e d f o r independence, o b j e c t i v i t y and t e c h n i c a l competence of
t h e members of multi-discipline review boards and agencies.
The composition of such Boards may present a trade-off question i f
advanced technology i s involved - t h a t i s , those who know t h e most may be
t h e designers/operators of the process under review. Thus knowledge and objec-
t i v i t y may be c o n f l i c t i n g c r i t e r i a . (Again, prescribed a n a l y t i c method i s
some safeguard.) Review Board membership of peers has a l s o had g r e a t i n f l u -
ence on t h e general s a f e t y climate a t two s i t e s , a c o l l a t e r a l advantage.
Group meetings a r e required, and unanimity i s a requirement; one "No" vote
produces a negative recommendation t o management f o r a proposal. The r o l e of
t h e Safety Department i s u s u a l l y f u l f i l l e d by Board representation.
Aerojet p o l i c i e s require l i n e m a n a g e ~ n tt o show p o s i t i v e evidence of
independent review, and a "water cooler" chat w i l l not s u f f i c e . Aerojet has
an extremely w e l l developed independent review system. I n Aerojet review
t h e d e f i n i t i o n of "independent" has been r a i s e d from t h e o r i g i n a l and u s u a l
concept of redundant s a f e t y a n a l y s i s . The f u r t h e r e f f o r t i s not t o have t h e
person who supplied t h e s a f e t y inputs involved i n t h e review, and i d e a l l y
not h i s a s s o c i a t e s . ('This avoids "incest!") Such a procedure i s d i f f i c u l t
f o r a small s t a f f . I n f a c t , t h e question can be asked a s t o whether an
independent review function can be overemphasized a s compared with o t h e r
e s s e n t i a l f'unctions i n t h e Hazard Analysis Process - i f HAP i s not w e l l done, e.g.,
i f t h e r e i s no information search, t h e r e may be t o o m c h t o c a t c h i n review.
Aerojet has a s h o r t c u t procedure - many changes which a r e improvements
i n s a f e t y can be reviewed and quickly approved o r a l l y , and documented l a t e r .
At, Aerojet t h e Nuclear and Operational Safety Division r e p o r t s d i r e c t l y
t o t h e Chief Executive O f f i c e r - it i s independent.
An NOS s e c t i o n head a t Aerojet had a u s e f u l overview of h i s independent
review function:
Figure 28-1. Independent Safety Functions
PRIMARY LINE Safet~
"E.'"".l
SAFETY REQUrnI'TTS
II IDENTIFY HAZARDS (I Independent

Identification
IT - 7 EVALUATE HA!ZAFDS
c- - - - - - - - -
I
Insependent
Review,
I
/
I n e a r l y work a t Aerojet (successor t o Idaho ~ u c l e a r )the r e l a t i o n s h i p
of various independent review plans t o the l i f e cycle w a s conceptualized i n
Figure 28-2. The abbreviations a r e :
T& & Training and Qualification

NOS Nuclear and Operational Safety
R & QA R e l i a b i l i t y and Quality Assurance
SWP Safe Work Permits
RDT A reportable incident
FS & OC F i r e Safety and Adequacy of Operating Conditions l i s t
The m u l t i p l i c i t y of review points and mechanisms, including a t r i e n n i a l
board t o review t h e review system, i s a t r u l y impressive e f f o r t t o create
safeguards against oversight.
The Aerojet review system has elements much broader than simple, indepen-
dent review of the Hazard Analysis Process. While some of these elements can
a l s o be seen a s f i e l d safety engineering, annual audit, monitoring o r accident
investigation, it seems best t o describe the Aerojet review system a s Aerojet
conceives it (see Figure 28-3) . The Figure i s explained a s follows :
A. The Process
A s indicated by the heavy blocks i n the top row, the process t o be
audited and reviewed may be broken down i n t o f i v e subprocesses:
(1) The personnel process which i s designed t o produce "reactor grade"
personnel a t the various work s i t e s .
(2) The procedural process which i s designed t o produce "reactor gradett
procedures a t the work s i t e s .
(3) The hardware process which i s designed t o produce "reactor gradeff
hardware a t the work s i t e s .
(4) A r e a c t o r modification and experiment process which functions on an
i n t e r m i t t e n t basis t o r e s u l t i n modification of the reactor-experiment
complex. This i s not a separate process but represents a functional,
coherent application of (I), (2) and (3) above.
(5) Other a c t i v i t i e s which a r e r e l a t e d peripherally t o nuclear o r reactor
safety and/or involve safety considerations other than nuclear and
r e a c t o r safety.
B. The System "Gates"
m e middle s e t of blocks indicate the independent review agencies which
are interposed a s "gated'between defined processes and f i e l d application
of the processes or process products.
These review agencies consist of multidisciplined groups selected accor-
ding t o the nature of the subject under review.
They conduct independent review of the process and/or the process product
and/or proposed a c t i v i t i e s p r i o r t o f i e l d implementation. Approval a c t ion
may be associated with these a c t i v i t i e s a s delegated by l i n e management.
The System Audit Processes
These a r e on the l e f t and consist of two basic s o r t s of audit processes:
(1) Audit processes which audit preparatory work being performed upstream
of the f i e l d a c t i v i t i e s .
(2) Audit processes which audit a c t u a l f i e l d a c t i v i t i e s .
D. Process Oriented Review A c t i v i t i e s 8
These are review a c t i v i t i e s on the f a r l e f t . They a r e designed t o review'

o v e r a l l process design, process function and c e r t a i n types of malf'unction
(accidents and incidents).
These review agencies consist of ad hoc multidisciplined groups selected
according t o the nature of the subject under review.
There a r e four classes of process oriented review agencies:
(1)v e t ? system review boards which perform management review of
t h e safety review system i t s e l f .
(2) The annual review boards which conduct annual reviews of the major
company projects and a c t i v i t i e s .
(3) The accident and incident review boards which conduct reviews of
c e r t a i n types of accidents and incidents.
(4) The special subject review boards which perform reviews of selected
subjects relevant t o nuclear and operational safety, e.g., shipping
of radioactive materials, e l e c t r i c a l safety, monitoring systems, e t c .
Most of the review agencies have published the c r i t e r i a which they w i l l
use i n review. Such publication has important e f f e c t s on improving the p r i o r
hazard analysis. (see MERl3 Board c r i t e r i a , Exhibit 5, ) The c r i t e r i a used
by one review board member a r e shown i n Exhibit 6 , It w i l l be noted t h a t
t h e form provides f o r scoring a proposal. This has had a marked e f f e c t on
D r . Nertney prepared Exhibit 7 t o display some of the f a c t o r s which

a f f e c t redundancy and independence. h.Nertney a l s o developed a
d e t a i l e d Fault Tree t o f a c i l i t a t e analysis o r developnrent of a review sys-
tem (Exhibit 8).
The s a f e t y department's "receiving office" i s the f o c a l point f o r review
of projects other than r e a c t o r s and c r i t i c a l f a c i l i t i e s . Coverage of projects
over $2,000 i s comprehensive due t o i n t e r n a l controls, and m c h i s reviewed
below t h a t l e v e l . The proposal routing sheet ( Exhibit 9 ) w i l l indicate
the scope and depth of coverage. Each reviewer has c r i t e r i a specific f o r h i s
role. By way of example, the f i r e reviewer's c r i t e r i a a r e shown i n Exhihits 10
and .11.
The annual reviews and accident reviews are thorough and exemplify good
audit and investigation procedures ( p a r t of what the author c l a s s i f i e s a s
The l i s t of review topics f o r which s p e c i a l boards a r e appointed i s

interesting:
Frequency
Transportation of Radioactive and Fissionable Materials 1yew
S i t e E l e c t r i c a l Systems 2 years
Training and Qualification 1 year
Topic Freauency
Overall Safety Review Program
Waste Management
Radiation Monitoring and Detection System 3 years
Definition and application of AEC Codes, Standards and Regulations 2 years
Reliability and &/A Activities 2 years
Internal Procedural Control Systems (including Surveillance and
Audit )
. 3years
Handling of Fissionable Materials (out of reactor) 3 years
Aerojet's superlative review system i s the product of several years
building and development. The system has a high degree of objectivity and
independence. Despite i t s apparent complexity, it i s economical; the work
i s spread widely among board member pools. The system i s simple t o use;
r e f e r a proposal t o an appropriate Board or t o NOS, the r e s t i s automatic.
I n 1972, as c r i t e r i a were developed and were scored, it was most i n t e r -
esting t o see high c r i t e r i a a d searching analysis increase spontaneously
from those participating i n the review process.
The major factors which can a f f e c t the quality of an independent review
' system can be expressed i n a schematic, as shown i n the Figure below:
Figure 28- . . Factors i n Independent Review

Independent Review System
I I
Input
GO&
which
Charter
-+Independence
meet -Technical
criteriad-
a
------ - - -,Competence
I Functions
I
'2)
I
I
I
Steps Y Situation-
'--,,,--,,-,--,,--- Related
Criteria Output
& Methods
Plans That
Work Well
Costs
Time - Budget - Bother
I WORK FLOW PROCESSES
A schematic or model of a work flow process is

used to analyze and suggest improvements and measures of
supervision, maintenance and inspection, procedures,
employee selection and training, and task performance.
A sequential approach to these factors in a work

process permits an increasingly probing examination.
Thus an incomplete hazard analysis process, or a faulty

supervisory or procedural process m s t be examined before
the roles of employee factors can be correctly assessed.
The discussion of supervision examines common failures

in terms of the services and assistance provided by higher
supervision, and thus reasserts management responsibility.
Last, employee motivation, participation and feed-
back systems are examined.

29. GENERAL S C ~ T I COF WORK FLOW PI?OCX~,SL~
During t h e Aerojet t r i a l s of MORT, a s an offshoot of t h e mz.jor i n i t i a l
t a s k of developing an adequate monitoring system, a need was seen f o r an over-
a l l concept of a work flow process, stemming *om a management decision process
and a hazard analysis process. S p e c i f i c a l l y , major monitoring resources had been
focused almost exclusively on t h e work s i t e , r a t h e r than t h e f u l l scope of
r e l e v a n t events. It quickly became c l e a r t h a t the "upstream processes" (design,
t r a i n i n g , e t c . ) which produced the ingredients of work--hardward, procedures,
and people--should be s c r u t i n i z e d , as well a s a c t u a l work s i t e operations.
Also, some major ingredients of s a f e t y at t h e work s i t e could be shown.
The schematic which evolved i s shown i n Figure 29-1. The hardware used
a t t h e work s i t e proceeds from two major processes--(l) t h e o r i g i n a l design
(covered by a Safety Analysis Report, construction, and Test and Qualification,
followed by documents on Operating Limits and Technical s p e c i f i c a t i o n s ) and (2 )
Modifications and P r o j e c t s (proceeding through a hazards analysis process,
through a Configuration and Document Control u n i t , and then through one o r
more of s e v e r a l independent review gates, such a s a Modification and Experi-
ment Review Board, Procedures Review Board, o r the Nuclear and Operating Safety
Unit). Technical Support ( s c i e n t i f i c and engineering) i s needed i n both hard-
ware processes. The hardware requires t h e kind of Maintenance and Inspection
discussed below.
Procedures, f o r a highly t e c h n i c a l operation, emanate from operations
management, but a r e supplemented by c r a f t manuals, job s a f e t y analysis involving
work s i t e people, and a Safe Work Permit issued by the s a f e t y u n i t f o r jobs
which involve any hazard. The procedures become a b a s i s f o r t r a i n i n g of various
c l a s s e s of personnel.
The Personnel subsystem shows r o l e s of higher supervision and c e r t a i n cate-
gories of personnel. The aspects abbreviated a r e :
S = Selection
T = Training
T/Q = Test and q u a l i f i c a t i o n
CS = Continuous suvreillance, e.g., f o r e r r o r s , personal changes, o r medical
factors.
A Pre-Job Briefing (PJB) i s shown a s an e s s e n t i a l f a c t o r i n acquainting
personnel with t h e p a r t i c u l a r job, changes from p r i o r work, emergency plans,
and operational readiness review a t the point of operation.
Errors, accidents and incidents a r e shown a s unwanted by-products or devi-
ations.
- 295 -
Work f i l e s are shown simply as an audit point f o r monitoring procedures,
review and sign o f f .
This basic, safety-related work schematic has proven t o be a useful t o o l
i n designing monitoring programs, a s well a s up-stream and work s i t e safety
programs. The discussion i n t h i s Part follows the organization of the sche-
matic, except t h a t hardware processes are considered t o have been f u l l y d i s -
cussed i n the p r i o r Part on the hazard analysis process.
A l l "upstream processe sy including the Hazard Analysis Process, are sus-
ceptible t o constructive analysis a s "work processest' i n themselves. That i s ,
design, o r t r a i n i n g can be analyzed as t o the hardware, procedures and person-
n e l they u t i l i z e . Thus "work process" may be l i k e a succession of mirrors
extending back t o an o r i g i n a l idea o r concept.
The remainder of t h i s Part i s organized a s Chapters:
30. Supervision
31. Maintenance and Inspection
32. Procedures
33. Employee Selection and Training
34. Performance Errors.
35. Employee Motivation and Feedback.
Among the kinds of upstream processes f o r hardware analyzed during the
T r i a l s a t Aerojet were such aspects a s a t o o l room controlling inspection and'
maintenance of tools, and the plans and operations whereby such equipment a s
anti-contamination clothing and health physics instruments were delivered t o
the work s i t e . I n a l l of these kinds of supplementary operations, the finding
i n major operations was repeated - namely, t h a t an initial walk-through audit
of operations produced a schematic, steps, and c r i t e r i a which immediately
highlighted gross deficiencies. This was t r u e even though processes were
under d i r e c t management of the safety division i t s e l f . Plans and specifications
were unreviewed, l e s s than precise, and s o m t i m s unknown t o those i n the
process, and a c t u a l operations differed widely from the theory and the adver-
tising. The need f o r auditing of upstream hardware processes was thus shown
f o r both major and minor hardwaze, and f o r hardware under operations and
safety management.
The general conclusion was:
Ade~uatework s i t e control and s a f e t y cannot be achieved
unless high q u a l i t y of "upstream processes" which produce
work s i t e ingredients i s audited and assured.
30. SUPERVISION
The function of supervision has been so much examined, and from these
examinations has come such a flood af l i t e r a t u r e , t h a t one more disserta-
t i o n might seem unnecessary and f r u i t l e s s . Certainly supervisors have an
adequate supply of advice on how they should do t h e i r jobs. What i s not -
apparent i n review of the l i t e r a t u r e i s t h a t factors beyond the control of
the supervisor, namely under contol of higher supervision and management, have
had the attention they deserve.
The r o l e of the f i r s t l i n e supervisor i n safety has been characterized
-
a s "the key man." While t h i s may be good propaganda f o r supervisors, it i s
akin t o the fallacious data which so often assign 85$ of the responsibility
f o r accidents t o the "human factor."
-
There can be no doubt t h a t the supervisor i s a key man i n safety.
The emphasis on supervisor t r a i n i n g i s appropriate and seemingly effec-
tive.* Large organizations have developed many such programs. Members of NSC
u s e a tremendous amount of the Council's training materials. Recently, NSC
has expanded i t s t r a i n i n g function t o make i t s "Key Man" course widely avail-
able through l o c a l safety councils. Other training programs are widely used;
f o r example, Lateiner (1969) has been active i n the f i e l d since a t l e a s t 1947
when he and the author were a s s i s t i n g the New York Transit Authority.
The emphasis on the r o l e of the supervisor i s , however, probably just a
s t e p on the road t o a superlative program. The supportive f'unctions which
emerge from t h i s study (as well a s the emphasis on management oversight and
e r r o r ) amount t o a r a t h e r d r a s t i c change i n the advertised r o l e of the super-
visor. If the supervisor i s t o f u l f i l l h i s responsibilities, he must have the
following kinds of supportive services, over and above general t r a i n i n g and
t r a i n i n g i n such subjects a s Job Safety Analysis.
1. Top and middle management support and assistance a s evidenced by
-
specific actions p r i o r t o serious accidents,
2. Monitoring services which t e l l how h i s operation i s functioning,
3 . Data i n usable form, such a s Shewhart control charts f o r accidents and
e r r o r s , diagnostic cause data, and access t o national data or cases a s
r e levant.
4. Finally (or f i r s t ) equipment and work situations which have the highest
possible degree of safety and r e l i a b i l i t y , including s t a f f study of
human factors. This impl2esupger management planning and audit of
the "upstream process" which produce w-k s i t e ingredients.
*See pages 195-97.
This l i s t i s suggestive r a t h e r than exhaustive, but seems t o make the
point.
An i l l u s t r a t i o n may be helpful. AEC, NASA, and such industries as s t e e l -
making have need f o r ultra-high r e l i a b i l i t y i n overhead and mobile crane
operations. Yet when Clark of Aerojet examined crane operations and national
data against MORT standards, he found gross deficiencies, including lack of
human factors analysis. Now suppose a very serious accident occurs i n a crane
operation - is it due t o an operator deficiency or a supervisory deficiency,
or i s it due t o deficiencies a t the national level, including crane manufac-
t u r e r s and purchasers?
There i s a d i f f i c u l t duality i n assessing supervisor responsibility a f t e r
a serious accident. No one can argue against a searching and hard-nosed
assessment, but the assessment of management's role i n support and service
t o the supervisor should be a t l e a s t a s searching and hard-nosed!
The general framework of t h i s chapter is, then, an examination of super-
visor f a i l u r e s i n a broader context, r a t h e r than a basic essay on supervision
as such. The general framework a l s o presumes t h a t a competent hazard analysis
process lightens the load on supervision, and t h a t he has competent and useful
advice and support on such matters a s procedures, job safety analysis, and
employee participation and support f o r the safety program. In b r i e f , MORT
traces supervisory f a i l u r e s t o deficiencies i n higher supervision, a seemingly
unique way of viewing aspects of safety supervision.
The function of Supervision (not the individual supervisor) must be exam-
ined a s one of the organization's primary methods of controlling Error, so-
called "Unsafe Conditions" and "Unsafe Acts." The focus i s on the organiza-
t i o n f o r control, r a t h e r than the individual employee's unsafe actions.
. The f'unctions of supervisors are s u f f i c i e n t l y numerous, time-consuming
and divergent t o deserve l i s t i n g and study:
1. Basic ~ a n a g e G n tfunctions :
a. Production
b. With safety
.
c Accountable f o r performance.
2. Special safety functions :
a. Planning
b. Procedure
c. Employee selection, training, motivation
d. Monitoring, inspecting and observing t o detect deviations
e. Hazard review and reduction.
Quite a load! And, a s we begin t o measure more precisely where t h i s ele-
ment i n the system f a i l s , the questions of adequacy of compensating assistance
t o t h e supervisor functions w i l l grow.
Most important, we must t r y t o discover what i n the management system
failed - not -
who.
Roethlesberger (1968) described the many c o n s t r a i n t s and d u t i e s under the
t i t l e , "The Foreman: Master and Victim of Double Talk." He said the super-
v i s o r y p o s i t i o n o f t e n embraced fourteen knowledge areas, many of which had a
s t a f f department t o which the supervisor must r e l a t e . He found t h a t , d e s p i t e
o f f i c i a l doctrin?, the supervisor commonly gave up and concentrated on perfor-
mance - getting t h e work out on schedule. Thus, management assistance and
t h e usable outputs of a s a f e t y program from the supervisor's viewpoint consti-
t u t e the f i r s t dimensions t o be examined.
The MORT analysis postulates an extremely high degree of supervisory con-
trol. Some might say it could be a t t a i n e d , f o r example, i n s t e e l making o r a t
r e a c t o r s , but not i n other types of work such a s maintenance. If t h i s be t r u e ,
t h e a n a l y t i c method need not be changed; r a t h e r c o l l e c t objective d a t a on t h e
deviations from high standards, and then make judgmental allowances i n reviewing
t h e d a t a on degree of control.
I n any organization, investigations should r e f l e c t the supervisory con-
t r o l c r i t e r i a a c t u a l l y i n e f f e c t i n t h e organization, a s well a s MORT c r i t e r i a .
Thus, two kinds of measurements a r e made: against organization norms, and
against MORT standards.
The f i r s t three basic problems (top l e f t of page 7 of the MORT diagrams)
a r e , i n e f f e c t , questions about the i n s t i t u t i o n of supervision. It i s well,
f i r s t , t o ask some general background questions:
1. Were t h e supervisor's r e s p o n s i b i l i t i e s c l e a r ? Were there any gaps o r
overlaps i n t h e supervisory assignments r e l a t e d t o the event? Was
inter-departmental coordination a f a c t o r ?
2. Describe the measures of general performance available f o r t h i s work
area (waste, q u a l i t y , rework, e t c . ) .
a . What was t h e most recent trend of such indices?
b. Have there been recent incidents i n general performance which were
l e s s than s a t i s f a c t o r y ? Satisfactory? More than s a t i s f a c t o r y ?
Using the MORT diagram system of c l a s s i f i c a t i o n and notation:
a 1 Help, Training LTA. The help and assistance given t o super-
v i s o r s t o enable them t o f u l f i l l t h e i r r o l e s may be grossly
-
deficient.
Feedback i s an a l l important need ( c i t e d i n t h e l i t e r a t u r e and i n MORT
analyses). However, d e f i c i e n c i e s i n feedback systems seem t o be frequent i n
three areas:
1. General feedback on a supervisor's performance seem LTA, judging from
the l i t e r a t u r e .
2.. S p e c i f i c feedback on s a f e t y performance i s LTA.
3. The organization's t r i g g e r s f o r HAP, o r i t s monitoring and s u r v e i l l a n c e
are frequently deficient. This p u t s a g r e a t e r burden of hazard detec-
t i o n on t h e supervisor.
Examples of d e f i c i e n c i e s i n feedback service t o supervisors a r e not h a r d
t o discover. If monthly c h a r t s of f i r s t a i d or o t h e r i n j u r i e s a r e supplied
without assessment of s t a t i s t i c a l significance (e . g. , quality control
c h a r t s with judgement l i m i t s ) , t h e r e s u l t s a r e capricious and u n f a i r , and put
an undeserved burden on t h e supervisor t o be h i s own s t a t i s t i c i a n . A t one
s i t e such c h a r t s were used, were e f f e c t i v e , and y e t were dropped f o r "budget
reasons.'' Today such c h a r t s can be printed out by t h e computer,.usually from
d a t a a l r e a d y stored i n t h e computer.
A t Aerojet, such c o n t r o l c h a r t s showed t h a t supervisors were apparently
\ able t o c o n t r o l e r r o r s near t h e lowest l i m i t of previous wide f l u c t u a t i o n s by
i
simply applying normal administrative controls; but t h e process took a year
t o implement. (This f a c e t i s f u r t h e r discussed i n Monitoring Systems, Chapter
37. )
It i s perhaps not so important what supervisor a s s i s t a n c e program be
used, a s t h a t r e s u l t s be assessed. For example, Lateiner (1969) discusses
Modern Techniques of Supervision and claims reductions of i n j u r y incidence
on t h e order of one-half i n many organizations using h i s program.
Leverage f o r s a f e t y unquestionably can be focussed a t t h e supervisory
level. The p r i n c i p a l question i s t h e form of the program, and t h e a s s i s t a n c e
given t h e supervisor i n implementing t h e program.
Hannaford (1965) o u t l i n e s a "Supervisory Factor Analysis" wherein t h e
s u p e r v i s o r ' s supervisor reviews, not only a Job Safety Analysis, but a l s o t h e
s u p e r v i s o r l s general e f f e c t i v e n e s s i n d i r e c t i n g work operations.
Aids, forms and materials can h e l p t h e supervisor. Some might see t h e
recording procedures of U. S. S t e e l ' s Job Safety Analysis - Job I n s t r u c t i o n
Training - S a f e t y Observation Plan (JSA-JIT-SO) a s onerous, but no one could
h e l p but f e e l t h a t t h e company had gone t o g r e a t ends t o h e l p the supervisor
c a r r y out h i s r e s p o n s i b i l i t i e s a s outlined i n Figure 30-1 on t h e next page.
Training. What t r a i n i n g had t h e supervisor been given? I n general super-
vision? I n safety? Has t h e t r a i n i n g program been evaluated? Row does it
measure up?
Since s a f e t y programs generally have emphasized subject matter r a t h e r than
hazard a n a l y s i s methods, we must ask whether s a f e t y t r a i n i n g provided a n a l y s i s
methods, including p r a c t i c a l handling o f emergencies.
BASIC ESSENTIALS JOB SAFETY
ANALYSIS
PROCEDURE
Safety Observations EXPERIENCE
CORPORATION
REPORT I N S P EC T l O N
We could expect the supervisor should have had t r a i n i n g i n JSA-JIT-SO (by
any l o c a l nomenclature). Had he?
Many supervisor t r a i n i n g programs a r e understandably long-term - that i s ,
a t o p i c o r a s e r i e s of t r a i n i n g meetings may be repeated only infrequently,
o r not a t a l l . Therefore, it i s important t o ask the what and when of super-
v i s o r t r a i n i n g a s they r e l a t e t o specific accidents. The immediacy of super-
v i s o r t r a i n i n g needs i s exemplified by Aerojet's provisions:
"Great s t r e s s i s l a i d on the supervisor's r e s p o n s i b i l i t y f o r the s a f e t y
of h i s employees and management helps the supervisor l e a r n how t o discharge
these r e s p o n s i b i l i t i e s .
"Each new supervisor (foremen included), whether promoted o r hired i n ,
must attend a s a f e t y indoctrination conducted by the Safety Section.
This indoctrination covers r e s p o n s i b i l i t i e s and procedures peculiar t o
the Company. I n addition, t h i s new supervisor i s loaned a copy of the
National Safety Council's Supervisors Safety Manual. Within four weeks,
the supervisor must return the manual and pass a written t e s t on the
material i n the manual.
"For a number of years, we have used successfully a Supervisors Safety
Program patterned similar t o the regular employee safety m e t i n g program.
It works i n t h i s manner.
"The Safety Supervisor s e l e c t s several suitable subjects and discusses
them with Management u n t i l four are selected f o r a years schedule. One
subject i s presented each quarter i n a s e r i e s of 30 t o 45 minute meetings
arranged t o accomodate a l l Supervisors a t a l l plants. A schedule of
subjects, m e t i n g times, dates and places i s prepared by Safety and given
t o a l l Supervisors p r i o r t o the f i r s t m e t i n g each year. The subjects
are assigned t o members of Health Physics and Safety t o prepare, or i f
on a technical subject t o a s p e c i a l i s t i n t h a t subject f i e l d . A typed
copy of the presentation i s given each Supervisor who attends. A com-
p l e t e numerical analysis of attendance a t each s e r i e s i s given Manage-
ment with a l i s t of names of Supervisors who f a i l e d t o attend. Action
by Management keeps attendance very high. Some subjects we have used
included :
Psychological Needs and Importance of Safety i n Supervision
ASA-216. Recording and Measuring Work Injury Experience
Hazardous Chemicals
Idaho Workmens Compensation Law
Selling a Safety Program and Conducting Safety Meetings
Movement or Handling of Radioactive Materials
Correct Use of Tools
F i r e Prevention and Protection
Accident Follow-up
Enforcement of Safety
Ridden Accident Expense and Risks"
On the Job Help may be d e f i c i e n t . Since accident reports on relevant
s a f e t y work of middle management are few, t h i s remains t o be assessed.
If d i r e c t i v e s f o r procedure development a r e LTA, ynenforceably high,
the supervisor's r o l e may be unclear.
Thus, a t l e a s t four general areas of supervisor preparation a r e presented
f o r iavestigation and measurement.
The vigor and example of the supervisor w i l l have important e f f e c t s on
employee bahavior. People mirror the behavior of t h e i r bosses. Equally, the
e f f e c t s of the behavior of t h e supervisor's boss on the supervisor w i l l be
great. Therefore, obJective questions should be directed t o t h i s point. What
was the nature and frequency of middle management display of sgfety concern
p r i o r t o the accident?
Continuing with the MORT analysis, we have:
A2 Time LTA. Accidents analyzed i n t h i s study suggest supervisors
-
may have n e i t h e r % h e help nor the time they need.
Objective d a t a on the supervisor's degree of control w i l l enable manage-
ment t o judge whether it has provided the basis f o r t h e degree of hazard control
which it desires. How frequently can t h e supervisor thoroughly examine each job?
a3 Transfer Plan LTA. When experience i n present or previous jobs
was analyzed i n some accidents, recent t r a n s f e r s of supervisors were
indicated t o be a common problem.
The t r a n s f e r protocol was examined and found t o be l a r g e l y non-existent !
I n c e r t a i n kinds of work, the safety documentation e x i s t s i n the department;
others, not so. . I n no case was there any requirement f o r orderly t r a n s f e r of
s a f e t y information, including information on personnel, from the old t o t h e
new supervisor. When one plan was described by the author as, apparently,
"A s l a p on t h e back, and 'good luck' !'I, no contrary evidence came forth.
Where reactor supervisors must pass a T & Q Board exam, on t h e other
hand, t h e i r supervisors take steps t o see t h a t they are qualified. This i s
an exception. What was the supervisor's experience i n t h i s department? In
t h i s type of work?How was he trained? Aerojet has a practice of maintaining
hazard catalogues f o r various areas -
t h i s f a c i l i t a t e s orderly t r a n s f e r of
r e s p o n s i b i l i t i e s f o r both supervision and safety personnel.
A t t h i s point it may be well t o repeat a portion of the MORT diagram
\
i n Figure 30-2.
To a considerable degree knowledge of hazards reposes i n the work force,
and must be e l i c i t e d i n suggestions o r i n formal " c r i t i c a l incidentf' studies.
The s k i l l s of a supervisor i n developing suggestions and innovative ideas
a r e discussed i n the Chap on Motivation. Certainly the.supervisor must be
receptive and accessible, and. must display vigor i n acting on suggestions i f
he wishes t o have access t o the knowledge which i s a l l around him.
b l DJN Detect Hazards.
Some questions which may be u s e f u l are: When did the supervisor l a s t
make an inspection of the area? Was a checklist used? Did it cover the fac-
t o r s i n t h i s accident? Was the checklist complete, correct, c l e a r , up t o date
Figure 30-2. Supervisor DIN
Detect, Correct Hazards
D/N DETECT.
CORRECT
HAZARDS I
1
DIN DETECT
bl A
DETECTION
PLAN LTA
COORD'T'N. PROGRAM
I II 1 ' I '
ar,d tailor-made f o r h i s department?

a. Was any unsafe condition present i n t h i s accident, present a t the
time of inspection? Was the condition detected?
b. When and why had conditions changed?
c. When was the next inspection scheduled?
If Appendix A i s consulted t o see how many physical defects occurred i n
the environmental chamber case, or how many e r r o r s were made i n the MAPP and
I n i t i a t o r accidents (and similar cases are i n the f i l e ) , the question of super-
v i s o r detection of hazards takes on new significance. These cases showed
gross deficiencies i n detection mechanisms, such a s t o warrant searching
inquiry. The number of deficiencies was n o t such a s could l i k e l y a r i s e spon-
taneously, just before the accident. These findings a l s o show c l e a r l y why
"single cause" data may be harmful.
c l Knowledge (Checklists) LTA .
This simple item opens a large area embracing the f u l l content of a l l jobs
i n the organization. ASSE1s Search I thoroughly examined the strengths and
weaknesses of checklists, and concluded t h a t a checklist specific t o the opera-
t i o n was valuable provided it concluded with open-ended, general questions.
So, i n an investigation, we can ask about the a v a i l a b i l i t y and use of such
l i s t s , a s well a s the general competence of the supervisor i n h i s area of work.
c2 Detection Plan LTA
d l Logs, Schematics LTA. Significant numbers of accident reports recom-
mend point-of-operation posting of schematics, procedures, warnings, emergency
procedures, continuous t e s t permits, change, maintenance and inspection logs,
and lock-outs o r t a g outs. This finding i s so frequent a s t o probably warrant
a generalized requirement :
Documentation should be conspicuously posted a t point-of-
operation f o r the kinds of events l i s t e d above.
Exceptions should be variances from thegeneral requirement only a f t e r a finding
of no need.
Accidents indicate a "change tagtt should be attached t o equipment when it
i s changed. Changes made f o r one job create surprises f o r the next user.
Not only will such a requirement be very helpful t o employees, but t h e i r
.
r e s p o n s i b i l i t i e s f o r maintaining and reviewing documentation can be increased.
Note how the supervisor's job changes. Instead of relying e n t i r e l y on
detective s k i l l s t o find out what's maving.out of control, he i s aided by on- -
the-spot, v i s i b l e records! And monitors, too, can do a quicker, b e t t e r job
of monitoring.
d2 Monitor Plan LTA. What guidance was given the supervisor i n
inspecting and monitoring? Did he use the guidance? Was he required t o have
any given frequency of personal contact with employees? And, i f so, was he
given guidance on detection of such growing problems a s alcoholism, drug use,
o r personal problems? The medical s t a f f can a s s i s t t h e supervisor i n four
ways : (1)by giving t r a i n i n g and advice on detection, (2) by its own a l e r t -
ness t o symptoms, (3) as a r e f e r r a l resource, and (4) a s the source of conclu-
sions from general health monitoring.
d3 D/N Review Changes. What guidance was given on review methods and
change- detection? Did he use the guidance? Questions are:
a. Were the changes Tnvolved known t o the supervisor? If so, describe
the hazard review given each known change.
b. What counterchanges were made f o r the known changes?
d4 D/N Correlate Errors. Were 'there any chronic e r r o r s a f f l i c t i n g
the process? Had the supervisor been t o l d they might correlate with safety
errors? Had he made the e f f o r t t o correlate?
Were there. any other signs, signals or warnings t h a t the process was
moving out of control?
c3 ?line LTA. Objective data may be collected by the following kinds
- *
of questions: Where was the supervisor a t the time of the accident? How f a r
. away? Was there an a s s i s t a n t supervisor i n d i r e c t charge?. Where was he?
b2 D/N Correct Hazards. Some f a c t s about non-correction were d e a l t with
i n detection. But some basic factors remain t o be examined.
c4 Inter-Department Coordination LTA. A seemingly significant number
of accidents are "two-department" accidents. How many? Since t h i s kind of
coordination i s a key responsibility of supervisors (rather than operators) we
should measure the factor.
c5 Delayed. These are r i s k s supervisors may have t o assume on behalf of
management due t o limited authority, budget or t i m e . How frequently do they
occur?
-
c6 On-Going Program (e .g., Housekeeping) LTA. Housekeeping i n some
laboratories i s about a s poor a s can be imagined or tolerated. The Hilac
report pointed out losses due t o poor storage plans. The AEC1s "Electrical
Safety Guides f o r Research" (Paragraph l b (5)) points out e l e c t r i c a l hazards
i n poor housekeeping. On the other hand, the t r u e r o l e of housekeeping i n the
accident experience i s unclear. Laboratory personnel may have developed a com-
pensatory adjustment t o gross housekeeping deficiencies. The s i t u a t i o n suggests
need f o r an evaluation of present practices, potential gains from improvements
(e .g., salvage and reuse of equipment, research quality improvement from
elimination of sloppiness, e t c . ) and enunciation and enforcement of r e a l i s t i c
and appropriate policies and plans.
When asked f o r an estimate of how much material disappeared from labora-
t o r i e s during a clean up campaign, one safety engineer said, "About half!"
Parts stored i n small laboratories become obsolete or deteriorate and
create hidden losses.
W r g e n c y Preparedness Plans.
As would be expected, the National Reactor Testing Station has well deveE
oped emergency plans. One feature i s worthy of note -a computerized photo-
graph r e t r i v a l system. This i s used not just i n emergencies, but t o describe
planned changes and t o give instructions t o designers or craftsmen. It helps
avoid embarrassing m i stakes .
Emergencies and Problems.
~ c c i d e n t s / i n c i d e n t sinvestigated during t h i s study reveal a significant
frequency of emerging events or sequences which were mishandled by supervisors.
Such reviews are, of course, retrospective -
t h a t i s , 20/20 hindsight! How-
ever, these events prompted a l i t e r a t u r e search on emergency problem handling,
which produced almost nothing on the supervisor's r o l e and conduct i n emer-
gencies (other than named events f o r which a solution was structured). The
analytic and decision mechanisms t o be used by supervisors i n handling unnamed
o r unstructured emergencies and problems are not described, other than broad
injunctions t o "maintain control, not panic, and a c t wisely." Such advice t o
a man i n trouble seems t o have s l i g h t value.
An examination of a variety of training outlines f o r supervisors showed
a vast range of t o p i c a l concerns, but nothing on the unstructured events which
seem t o g e t supervisors i n t o trouble, and often with serious repercussions f o r
the organization as well a s the man.
Emergency Preparedness Plans a s conventionally conceived are a valuable
and necessary p a r t of safety planning. Examination of such plans reveals
t h a t the emergencies conceived are on a "MACROff scale, and highly structured,
e.g., f o r tornado, flood, major f i r e or explosion, e t c . Such plans are ob-
viously good, but seemingly give l i t t l e guidance as t o what a supervisor should
do i n l e s s e r , unnamed emergencies - especially when these occur on the grave-
yard s h i f t , a s they frequently do.
I n consequence, Aerojet personnel and the author endeavored t o construct
a problem-solving routine which could be a basis f o r training, and hopefully
subsequent, p r a c t i c a l action.
I n studying emergency action, one can distinguish "MACRO and MICRO"
events - the former being large-scale problems of a defined nature and with pre-
defined solutions. However t h i s d i s t i n c t i o n blurs when procedures are highly
defined and c a l l out such emergencies as can be conceived and handled by pre-
planned actions. A great d e a l of sweat should go i n t o these definitions of
pre-planned action. Simulation of conceivable emergencies i s a valuable
training approach.
Hawever, a f t e r a l l MACRO and defined MICRO events are handled i n t h i s
manner, there remains a substantial number of emergencies o r problems t o be
handled by d i r e c t supervision.
The m d e l of decision processes i n an accident sequence (sumy,
Figure p- 9 9
4-1) may be usefUl i n stpdying emergency action, especially a s it develops
over a time period of a t l e a s t several minutes, o r perhaps a h a l f hour o r
more.
About two-fifths of the c r i t i c a l incidents (RSO' s) reported a t Aeroj e t
were case h i s t o r i e s of good solutions of incipient or emerging problems, but
study of these t o detect emergency problem handling mechanisms, other than
frequent references t o close monitoring and quick action, has not been carried
out, and might not be feasible f o r cryptic RSO reports.
I n discussion, it seemed t h a t the Kepner-Tregoe method outlined i n Chap-
t e r 11was an i d e a l problem solving technique, but f a r too complicated f o r
extemporaneous f i e l d use i n emergencies. If these conclusions be correct, the
problem i s one of defining e s s e n t i a l s of the K-T method i n such brevity a s
might be woven i n t o a s e t of guidelines f o r emergency action.
Emergency actions a r e analyzed i n two p a r t s of the MOTiT diagrams - on
page 7 as t o "emergency shut offff and on page 4, "Preventing Second Accident ."
The f i r s t r e l i e s on t h e second f o r a n a l y t i c method, and both r e l y on Task
E r r o r Analysis ( t r a n s f e r reference t o process B3, ~ ~ 5 Figure
1 , 11-3 .. However,
t h e Analytic format suggests some s i g n i f i c a n t aspects.
Figure 11-3. Prevent the Second Accident
PREVENT
SECOND ACCIDENT
a1 A
I
EXECUTION
bl
PERSONNEL. EQUIPMENT
Task
~rror)
CHANGE
The g u i d e l i n e s which wrre developed a t Aerojet and supplemental comments

follow :
Emergency Problem Guidelines
NOTE: There i s u s u a l l y some p r i o r i n d i c a t i o n of an approaching prob-
lem. Timely follow-up on i n d i c a t i o n s of changirx conditions
can prevent o r reduce t h e likelihood o r s e v e r i t y of many emergencies.
Alarms and Signals.
a . Believe alarms and s i g n a l s u n t i l proven f a l s e . DO NOT ASSUME signal^
are false.
b . Remember alarm s e t p o i n t values and t h e l o g i c of t h e s e t p o i n t s .
c . Take e x t r a measures t o monitor while t h e alarm condition e x i s t s , u n t - 1
t h e alarm i s proven f a l s e , o r when alarms a r e out of s e r v i c e .
Secure equipment and t a k e a c t i o n t o prevent t h e s i t u a t i o n from expanding:
a . Deenergize e l e c t r i c a l power o r other energy sources.
b. I s o l a t e system o r p a r t s of system.
c. Isolate affected area -
e s t a b l i s h a ~ e r i m e t e r , mark it, and place a
monitor t o watch it.
Avoid unnecessary h a s t e .
If there i s immediate s e r i o u s danger, take proplpt a c t i o n t o reduce
the danger o r c o r r e c t conditions, e.g., c a l l ambulance, c a l l F i r e
Department, evacuate t h e scene o r a r e a , c a r r y out s p e c i f i c applicable
Emergency Action Procedures.
Go slow o r STOP.
I n t h e circumstances confronting a performance-oriented supervisor,
t h e emergency i n j u n c t i o n t o "go slow" o r STOP seems strange. However,
examination of many accidents/incidents r e v e a l s t h i s t o be a c r i t i c a l ,
judgmental aspect of t h e process of handling problems.
One experienced s a f e t y engineer (Kling, 1969) s a i d : "Newton's laws
of motion, e s p e c i a l l y t h e one about a body continuing i n a s t r a i g h t
l i n e unless acted upon by an outside f o r c e , seem t o apply t o t h e
thought processes a s w e l l as t o m a t e r i a l masses."
The very human tendencies t o "push on" and " b u l l through" a r e commen-
dable, but fraught with p o s s i b i l i t i e s f o r escalating trouble.
Whenever possible --
STOP.
I n an'emergency, i t ' s not very u s e f u l t o say, "don't panic." But
s t r e s s (and incorrect decisions) can be alleviated by a stop-to-
think i n t e r v a l , almost regardless of need f o r f a s t action.
If there i s no immediate serious danger STOP
TEINK OUT and ANALYZE --
AND THEN ACT.
- -- COLLECT INFORMATION,
(1)Remember t h a t the problem i s due t o some change i n plant, equip-
ment, personnel o r procedure.
(2) Correction depends on a correct diagnosis of the relevant change,
i t s nature and location.
(3) Then neutralize o r counteract the troublesome change, o r take
action t o counter t h e change.
Above a l l , remember the "no hero" r u l e - heroes -
a r e too often dead
-
and wrong.
A p o t e n t i a l l y confusing finding i s t h a t i n marine d i s a s t e r s there was a
apparent f a i l u r e t o a c t i n time. But these p a r t i c u l a r kinds of acci-
dents, examined more closely, suggest t h a t f a i l u r e t o slow down, o r t o
change course, o r t o c a l l f o r help was a c t u a l l y involved--nothing i n
these i s inconsistent with the general notion of slowing down o r
stopping whenever possible.
4. Establish a command post, usually YOU.
a. Be sure a l l know the location.
-
b. Don't inadvertently allow others t o take over.
c. Keep the command post manned.
d. Check out communications with a l l manned s t a t i o n s .
5 . Seek and disseminate information.
a. Use a l l expertise available -
use c a l l out i f time permits. ( ~ r e v i -
ously indoctrinate personnel as t o the importance of information i n
decision processes -
which mans, f o r them, volunteer information
which i s relevant.)
b. When possible, v e r i f y a l l reports of conditions.
c. Log a l l information received, i f time permits. A t l e a s t c o l l e c t a l l
information i n one place, even i f i t ' s i n your head.
6. Notify appropriate people of problem.
a. Branch Manager o r higher management if Branch Manager i s not available.
b. Warning ~om&micationsc e n t e r - i f scale requires. i f not, do not h e s i -
t a t e t o use WCC a s a communication medium, e.g., t o contact other
plants, request assistance o r expertise.
c. Project Engineer, i f an experiment i s involved.
d. Get help - i n terms of people and equipment.
7. Apply the concept t h a t no decision can be made and implemented unless a t
l e a s t one a l t e r n a t i v e has been considered.
8. Take corrective action:
a. Clearly communicate decisions and v e r i f y t h a t personnel understand.
Require "action understood" and "action complete" reports.
b. Monitor indications which could show action giving expected r e s u l t s -
a l s o those t h a t could show the opposite.
-
c. Log a l l action ard r e s u l t s i n sequence.
d. Plan and i n i t i a t e f'urther corrective action based on i n i t i a l action
.
and r e s u l t s
e . If s i t u a t i o n expands t o Emergency Action Procedure l e v e l , declare so
and implement appropriate Emergency Action Procedure.
9. Do no r e - s t a r t or resume o r i g i n a l process u n t i l cause i s found, v e r i f i e d
and corrected.
Even i n the above cryptic form, the thought and command processes, while
perhaps u s e f u l i n training, become too lengthy t o structure practice i n actual
emergencies. Therefore, a short version, possibly retrievable i n emergencies,
should probably be used:
1. Hear ALARMS and SIGNALS
2. SECURE
3. -
STOP when possible
4. Establish C O W
5. Collect INFOIiMATION
6. -
G e t HEW
7. DIAGNOSE - consider ALTERNATIVES
8. -
ACT
9. Close out process when emergency has ended.
SD3 Maintenance LTA.
bl
b2
bl
D/N Specify.
F+
31.
of t h e Hazard Analysis Process.
o r poor maintenance.
b3
I - \
DIN SPECIFY
LTA
MAINTENANCE AM) INSPECTION
The MORT diagrams postulate a method of examining maintenance:
Figure 31-1.
LTA
Analysis of Maintenance
MAINTENANCE LTA
FAILURES
TENCE
CAUSE
!X
MAIN-
The same a n a l y t i c process i s postulated f o r inspection.

,
EXECUTION LTA
(task error)
The a n a l y t i c diagram i s l a r g e l y s e l f explanatory.

Requirements should emanate from t h e Development stage
operations as r a p i d l y a s possible.
Otherwise plans should be produced i n
Standards may apply, f o r example:
" A l l s a f e t y and warning devices including i n t e r l o c k s s h a l l be serviced
and checked f o r proper f'unctioning a t i n t e r v a l s not t o exceed s i x
months." (American National Standards ~ 4 3 . 1 )
D/N Analyze F a i l u r e s f o r Cause, e.g., worn out through use, misuse,
D/N Maintain P/O Log r e f e r s t o needs f o r logs, l a b e l s , o r color coding

a t t h e point of operation t o show maintenance s t a t u s , l i k e t h e tags on f i r e
extinguishers o r color coded q u a r t e r l y inspection tags on crane s l i n g s . Acci-
dent r e p o r t s indicate t h a t operators o r supervisors need such warnings.
b4 ~ a u s e d ~ r/e f e r s t o f a i l u r e s caused by maintenance mistakes and
e r r o r s i n t h e work. Some t y p i c a l questions a r e :
1. Describe t h e maintenance procedures and standards established f o r t h e
equipment involved.
a . Were maintenance r e s p o n s i b i l i t i e s allocated?
b. Was a c t u a l maintenance i n accordance with standards?
c. Was t h e unsafe condition ( i f any) covered by maintenance procedures?
d. When did t h e equipment l a s t have periodic maintenance o r r e p a i r ?
When was it next scheduled?
2. Were lock-out o r tag-out procedures applicable? Were work permits
required?
3. Are work orders reviewed for:
a . Maintenance employee safety?
b. Other employee safety?
c. Subsequent safety i n use?
If so, describe findings and actions.
S D ~ Inspections. Inspections are a routine method of hazard detection, a
basic monitoring process, and the type and nature of prescribed inspections
constitutes a major f a c e t of a safety program. Essentially an inspection
system i s a method of detecting (1) oversights, and (2) changes occuring
over time.
The common inspection systems can be categorized as follows:
1. Operational, by employee, a t s t a r t up, during, and a t change or shut
down.
2. Supervisory, same c h a r a c t e r i s t i c s .
3. Special - frequency and competence of personnel are usually specified
f o r pressure vessels, elevators, cranes, f i r e , i n d u s t r i a l hygiene, e t c .
4. Periodic
a. by supervisor - i n t e r n a l t o department,
b. by safety department, committee, e t c . , - externa1,to department.
To these should probably be added:
1. New, changed o r r e s t a r t e d equipment.
2. Sampling techniques t o audit the inspection systems.
3. Detailed, in-depth thorough inspections - 'less frequent than (4)
above, but more searching, and comprehensive. Accident reports sug-
gest t h a t routine inspections too often become superficial.
Checklists are generally considered desirable, but there are important
qualifications:
1. The checklist should be specific f o r the department or operation.
2. Checklists should be, a t l e a s t i n part, "topical" t o suggest explora-
t i o n of content and such topics as maintenance procedures, frequency
of process review, etc., as well.
3. Checklists should be made c l e a r (by any needed explanations) and
equated t o competence of inspectors.
The checklist i s , then, a written retention of the wisdom of past experi-
ence, and w i l l be no b e t t e r than t h a t wisdom. It i s a reminder. It must also
ask, "What Else?" I
Perhaps the biggest weakness i n inspections i s t o see them solely as

methods f o r detecting (and correcting) hazards. These they most certainly
are. But always the "cause behind the cause" i s the v i t a l thing. Why did
- 313 -
--
the change o r unsafe condition come i n t o being? What should be done about
the "why?" A common weakness i s f a i l u r e t o analyze inspection reports f o r
causes of d e f e c t s , t h a t i s , corrective action stops with item f i x e s r a t h e r than
system fixes. Thus we have a number of c r i t e r i a useful i n measuring the inspec-
t i o n aspect of a safety program.
The Environmental Chamber Case i n Appendix A
shows problems of both maintenance and inspection.
Two generalizations seem supportable:
1. Any piece of equipment or process should, upon acquisition, have an
established period and method of inspection (and maintenance).
2. The schedule should be shown and monitored i n two ways:
a. By a record on t h e equipment or a t the process, e.g., color t a g s on
b. On a master schedule.
slings.
Some u s e f u l questions are:

1. Describe the ins-pection plans (other than by supervision) applicable
t o t h i s area.
2. When was the area l a s t inspected? By whom? Attach report.
3 . Was the equipment, e t c . , involved i n t h i s accident inspected? What
was found?
4. If there was an unsafe condition i n the accident, did it apparently
e x i s t a t the time of the inspection. Why did the inspection miss the
change o r condition?
5. When was the next inspection scheduled?
6. Was an inspection docket maintained on the equipment? I n the work area?
Very recently, an analytic t r e e f o r thorough examination of the inspection
function was developed by D r . R. J. Nertney of Aerojet (see Exhibit 12).
- 315 -
32. PROCEDURFIS
Procedures c r i t e r i a a r e shown i n the MORT diagrams ( ~ i g ~ 32-1)

re a s an
aspect of t h e Hazard Analysis Process. Procedures recur i n the diagrams a s
an aspect of performance - what were the procedures i n r e p e t i t i v e and non-
r e p e t i t i v e t a s k s ( ~ i g u r e32-2) and were procedures followed (MORT,page 817
The l o g i c a l format of procedures a n a l y s i s i n MORT seems c l e a r i n t h e two
diagrams - the f i r s t (F'igure 32-1) applies t h e concepts of procedures c r i t e r i a ,
and the second ( ~ i g u r e32-2) provides an a c t i o n l o g i c whereby (1) work assign-
ment and s p e c i a l s a f e t y review a r e questioned, (2) t h e handling of r e p e t i t i v e
and non-repetitive t a s k s i s examined, (3) the r o l e of employee suggestions, i n
addition t o procedures c r i t e r i a , i s exposed f o r i n v e s t i g a t i o n and study.
Figure 32-1. Procedures C r i t e r i a
MEET CRITERIA
PERSONNEL
WIHDW. (human FACES SlONS
factors)
bl
ADEQUACY
Procedures can w e l l be scrutinized a s t o t h e i r sources - those which

emanate from a management process (reviewed a t the work l e v e l ) and those
which o r i g i n a t e a t the work l e v e l , such a s Job Safety Analysis (reviewed by
s a f e t y and management). This d i s t i n c t i o n i s important i n accident a n a l y s i s
t o see where and why procedures may have f a i l e d , but poses no problems i n
concept. That i s , a procedure from e i t h e r source may be adequate t o t h e
need, o r may be d e f i c i e n t .
The work c o n t r o l process a s visualized assigns procedures or Job Safety
Analysis a c r i t i c a l r o l e . I n many mass prcduction business organizations we
have seen a policy requiring w r i t t e n procedures f o r every t a s k . But non-
r e p e t i t i v e work, such a s research o r construction, f i n d s u n i v e r s a l coverage
more d i f f i c u l t .
Standardized, r e p e t i t i v e t a s k s can be covered by w r i t t e n procedures.
Figure 32-2. Action Aspects of Procedures
NON-REPETITIVE
DIN SUPERVISE
13
INCIDENT
STUDY
So we can inquire i n t o the frequency of r e p e t i t i o n and t h e magnitude of energy.
Theoretically, non-repetitive t a s k s involving s i g n i f i c a n t energy l e v e l s
should be personally supervised a s t o procedure.
Procedures a r e t h e f i f t h s t e p i n the Safety Precedence Sequence--after
design, s a f e t y devices, warning devices, and human f a c t o r s . Procedures a r e a
p a t of t h e i t e r a t i v e nature of t h e whole process i n t w o ways:
1. Their preparation may provide feedback and recycling t o design, devices,
o r HFE i n SPS .
2. Their preparation involves t h e same conceptual, design-development,
t e s t , and operational phases. If writing a good procedure i s d i f f i -
c u l t , t h e whole concept of t h e t a s k may be wrong, and the p r o j e c t may
recycle through HAP.
Procedures may vary from highly formalized and reviewed Safe Operating
Procedures t o Pre-Job Analysis. A Phase I1 statement of U. S. p r a c t i c e w i l l
be h e l p f u l :
The leading U. S. corporations develop a high degree of c o n t r o l over work
p r a c t i c e s by a three faceted program:
1. Every job should be subjected t o s a f e t y analysis.
2. Every employee should receive i n s t r u c t i o n i n performing each t a s k
i n accordance with the w r i t t e n analysis.
3 . The supervisor should not only see the man do the t a s k s a f e l y , but
have a planned observation program t o continuously monitor performance.
For convenience we r e f e r t o t h i s a s JSA-JIT-SO, t h a t i s , Job Safety Analysis,
Job I n s t r u c t i o n Training, Safety Observation.
Despite t h e manifold t a s k s t o be studied and controlled, s o w of the companies
have, over time, a t t a i n e d a remarkably high degree of coverage and control.
Thus, General Motors i s able t o d i r e c t :
"Develop s a f e t y i n s t r u c t i o n s f o r every job. Put these i n s t r u c t i o n s i n
w r i t i n g f o r every job i n t h e p l a n t . The supervisor should review t h e
s a f e t y m a s u r e s f o r each job before the employee s t a r t s t o work and then
follow up t o make sure he understands."
U. S. S t e e l said:
" L i s t a l l t h e occupations i n t h e department, and t h e jobs performed by
employees on those occupations. Then single out t h e jobs which repre-
sent t h e g r e a t e s t i n j u r y p o t e n t i a l s . These a r e t o be analyzed f i r s t . "
.Importantly, U. S. S t e e l says t h a t JSA-JIT-SO (with other f e a t u r e s of t h e i r
-
program) a r e applicable t o a l l the diverse operations of t h e company. It i s
not a program f o r j u s t high hazard operations o r big operations.
The advantages of the JSA-JIT-SO plan a r e numerous, but c e r t a i n l y include:
1. The p o t e n t i a l t o g e t s t a r t e d , and build a s you go.
2. The p o t e n t i a l t o measure performance i n three ways:
a . By accidents - was t h e job covered by JSA? O r , where did the
system f a i l ?
b. By inspections -if an unsafe p r a c t i c e i s observed, was it
covered by JSA? O r where did t h e system f a i l ?
c. supervisory reports indicating degree of coverage with JSA.
It i s axiomatic t h a t complex systems such a s organizations a r e operating i n
ways somewhat d i f f e r e n t than t h e d i r e c t i v e s , manuals, plans and procedures
which were presumed t o govern t h e i r operation. Some of these d e v i a t i o n s
may be very good, and may be compensation f o r l i m i t e d o r poor o r i m p r a c t i c a l
procedures .
There a r e two dangers i n the "operating procedure" apprwch:
1. Accident causes may be seen primarily a s d e v i a t i o n s from the proce-
dures, but c o r r e c t i o n may l i e elsewhere!
2. The procedure may be seen a s t h e "one best way" without much examina-
t i o n of a l t e r n a t i v e s !
Despite t h e emphasis on procedures i n U. S. s a f e t y p r a c t i c e , and t h e tremen-
dous number being w r i t t e n , few c r i t e r i a a r e seemingly used t o guide t h e prep-
a r a t i o n process. The c r i t e r i a needed a r e of two types:
1. Management process of preparation.
2. Review of t h e procedures themselves.
These kinds of c r i t e r i a make it abundantly c l e a r why procedures cannot be
informal, o r a l and unreviewed i n other than the lowest energy s i t u a t i o n s . If
t h e r e a r e poor c r i t e r i a - procedures can be f a t a l !
C r i t e r i a f o r t h e Procedure Development Process. A good example of some p a r t s
of t h e procedure process i s i n S a n d i a r s guidelines f o r underground t e s t s . The
context of t h e operation i s w e l l e s t a b l i s h e d , t o p i c s t o be included a r e defined,
and a format (including step-by-step) i s e s t a b l i s h e d . Sandia a l s o has a gen-
e r a l format f o r procedures. Rowever, these a r e hardly d e f i n i t i v e a s t o methods
of preparation.
Typical methods d o c t r i n e includes: "The f o u r basic s t e p s i n making a job
safety analysis are:
1. S e l e c t t h e job t o be analyzed.
2. Break t h e job down i n t o successive s t e p s .
3. I d e n t i f y t h e hazards and p o t e n t i a l accidents.
4. Develop ways t o eliminate t h e h a z a d s and prevent t h e p o t e n t i a l
."
accidents (NSCManual o r Supervisor Safety Manual. )
The U. S. S t e e l a n a l y s i s form f o r i d e n t i f y i n g t h e hazards i n each s t e p o r
operation uses a t h r e e - p a r t c l a s s i f i c a t i o n of hazards - Caught-Between,
Strike-Against, and Struck-By - t o prompt enumeration of a l l p o s s i b i l i t i e s f o r
i n j u r i o u s contact. The energy r e l e a s e concept could a l s o be explored f o r
analytic potential.
The Job Safety Analysis and t h e Safe Job Procedures a r e developed by t h e
foreman working with a small group of h i s most s k i l l e d craftsmen, and t h e i r
work i s reviewed by a management committee.
Obviously JSA may r e v e a l needs f o r guarding, d i s p l a y s , or s i g n a l s , b e t t e r
equipment, o r physical arrangements. And it i s understood t h a t , where a p p l i -
cable, physical r e v i s i o n s a r e preferred solutions. O r , t h e human t a s k may
be eliminated by assigning it t o the machine -
improved c o n t r o l s o r equipment.
The i t e r a t i v e nature of procedure development was suggested, and an opportu-
n i t y t o e x e r c i s e MORT a n a l y s i s , was provided by the following incident:
NSC's Research Department was doing a study of occupational s a f e t v of
urban p o l i c e . High speed p u r s u i t d r i v i n g i s a c o n t r o v e r s i a l source of
s e r i o u s accidents. When t h e MORT discussions moved t o Job Safety Analysis
requirements f o r r e p e t i t i v e t a s k s , e s p e c i a l l y those with high p o t e n t i a l ,
a not uncommon confusion was evident: (1) Was t h e t a s k r e p e t i t i v e ?
(2) Should any t r a i n i n g be given? O r , (3) should high speed p u r s u i t be
discontinued?
After some discussion, it became c l e a r t h a t r a t i o n a l a n a l y s i s would be
aided by following the sequential steps i n analysis. These i n order
would be :
1. Conception and requirements: What c r i t e r i a are t o be used i n the
decision t o pursue or not pursue? ( ~ . g . , seriousness of the apparent
crime.) What alternatives are available? What a r e I/B/V/T c r i t e r i a ?
2. Equipment: What design, maintenance and inspection requirements
should be established f o r equipment suitable f o r high speed pursuit?
3 . Job Safety Analysis: What hazards and countermeasures can be described
from data o r police experience? What i s the step-by-step procedure?
4. Training: What training (or p r i o r selection), and what practice are
needed t o minimize hazards of pursuit?
5. Supervision and Review: What data should be accumulated a s the basis
f o r management of t h i s a c t i v i t y , and possible subsequent modification of
policy o r practice?
This type of sequential analysis seems well calculated t o maximize safety
within operational requirements, and minimize conf'usion and controversy.
A key issue which might then be framed i n the l i g h t of the above kinds of
analysis might be :
Are the c r i t e r i a t o be used i n high speed pursuit decisions the same, or
d i f f e r e n t f o r : (a) A young o f f i c e r with specialized training and well-
maintained equipmnt? (b) A n older o f f i c e r without specialized t r a i n i n g
and with poorly maintained equipment?
Procedure preparation i s inherently the same as the Hazard Analysis Process
i t s e l f . I n particular, the knowledge input must be c l e a r . Known precedents
(including previous mistakes i n using similar procedures) are one basis f o r
present procedures. Therefore, a procedure can be examined f o r adequacy of
the knowledge input process.
There w i l l often be expertise not available t o the group doing a JSA, f o r
example, the biomechanics of l i f t i n g . Consequently, a JSA e f f o r t should be
supported by providing pertinent general l i t e r a t u r e .
The f i n a l step i n HAP i s independent review and t h i s i s a l s o a c r i t e r i o n f o r
the procedure process i t s e l f . (See Figure 28-3, Aerojetf s Review System.)
Three questions could prof i t a b l y be examined :
1. Should the documentation, especially f o r high energy procedures, be
extended t o provide management with cleas cut statements o f failure-modes,
consequences, trade-offs represented by the procedures, and summaries of
a l t e r n a t i v e countermeasures for higher protection which are not recommended
on p r a c t i c a l grounds?
2. What i s the threshold a t which procedures are required? Should the
threshold be progressively lowered t o cover a larger percentage of the
work?
3. If the threshold i s t o be lowered, what p r a c t i c a l short-cuts are
available t o develop procedures for lower energy operations?
The discussion of scaling mechanisms touched i n passing on a scaling of proce-
dures e f f o r t t o f i t magnitude of problem. Examination of procedures require-
ments and practice a t two research s i t e s suggested need f o r a more flexible
hierarchy of procedures, coupled with an e a s i e r , more nearly self-generating
method of working up from the operating l e v e l t o f i l l i n gaps l e f t in, or a t
the end of, highly formal Safe Operating Procedures. Job Safety Analysis
(as used i n many industries) and a l s o Pre-Job Analysis (step-by-step, but
extemporaneous, o r a l , unreviewed) would seem t o complete a spectrum of needed,
but f l e x i b l e controls. I n a d i f f e r e n t , l a t e r a l aspect, Safe Work Permits
(welding, radiation control, e t c . ) seem t o cover more acute aspects of a
s p e c i f i c t a s k a t a p a r t i c u l a r time and place, but not an adequate s u b s t i t u t e f o r JS*.
D i f f i c u l t aspects of work control are the routine mafntenance and c r a f t jobs.
These a r e said by the s k i l l e d craftsmen t o be covered by the manuals of the
trade. On the other hand, accidents i n t h i s work are-numerous, so t h e coverage
i s patently inadequate. It would seem t h a t a u s e f u l concept could be:
1. Manuals, e t c . , may be s u f f i c i e n t i f they include step-by-step proce-
dures and are i n writing, available, and used. I n other words, references
can be specific, and not "custom."
2. Job Safety Analysis i s needed f o r other r e p e t i t i v e tasks with more
than low p o t e n t i a l .
3 . Pre-Job Analysis i s needed (and i s step-by-step) f o r every task, even
those covered by 1. o r 2., and i s needed f o r t h e frequent breaks and
modifications i n routine which occur so frequently i n maintenance and
repair.
F're-job b r i e f i n g may a l s o constitute the "operational readiness" review

whereby the net e f f e c t s of a l l changes, maintenance, e t c . , since the l a s t
operation a r e analyzed f o r completeness, new h a z d s , e t c .
Thus, the needed, f l e x i b l e hierarchy may be:
1. Standard operating Procedures -
major documentation,
and one o r two independent reviews. I special
2. Manuals - with step-by-step procedures, and reviewed. Situations
3 . Job Safety Analysis (producing " safe job" procedures)

originating a t work l e v e l , and with o r without review.
4. --Job Analysis - a t the work l e v e l , step-by-step.
I covered by
Safe Work
Permits
I n a l l of these, the l o g i c of HAP-SPS-LC i s unvaried, just the amount of study
and review i s varied. Given these o r similar d e f i n i t i o n s , accident d a t a can
be collected a s t o coverage i n the above ways, or "out of bounds."
Sandia has computerized i t s extensive system of 250 o r more Safe Operating
Procedures f o r ease of up-date control and review, subject matter r e t r i e v a l ,
and cross-referencing .
C r i t e r i a f o r Review of Procedures.
The l i t e r a t u r e search, f i e l d work, and
.
accident analyses have accumulated c r i t e r i a which should be valuable i n pre-
paring o r reviewing procedures f o r oversight.
The best document t o date i s from NMA. D r . Preston T. F a r i s h ' s , "System
Safety C r i t e r i a f o r use i n Preparation o r Review of Procedures." I t s main
body was used i n MORT T r i a l s a t Aerojet. F a r i s h ' s introduction says:
"Poorly w r i t t e n or unclear procedures are one of the major causes of
accidents and incidents i n space vehicle operation. Investigations of
numerous incidents show t h a t j u s t such procedures were being used. I n
other cases, procedures did not e x i s t a t a l l .
"Inadequate procedures represent a s great a t h r e a t t o space vehicle
s a f e t y a s do f a u l t y hardware and careless work. A well-prepared proce-
dure leaves no doubt i n the mind of the person following it. Nothing
i s l e f t t o imagination o r guess. Values and u n i t s a r e spelled out, and
no step i s omitted because it. i s 'obvious. ' Instructions are c l e a r and
concise and the use of special t e s t equipment i s specified when required.
A proper procedure i s one t h a t has been authenticated by a responsible
individual and checked out against the hardware f o r which it i s intended."
The MORT diagram (Figure 32-1) generally follows Farish' s categories.
However, he adds a s e t of general requirements, as does the l i s t i n Appendix F.
I n three serious accidents, a t o t a l of 71, an average of 24, of Farish' s
c r i t e r i a were applicable t o the procedural deficiencies, and might have drawn
a t t e n t i o n t o those defects and prevented o r ameliorated consequences, i f
c r i t e r i a were used i n advance. Farish's c r i t e r i a are properly redundant -
t h a t i s , several c r i t e r i a might have brought out a given causal factor.
Another useful s e t of c r i t e r i a was prepared by D r . R. J. Nertney (1967).
D r . Nertney's studies employing the " c r i t i c a l incident" technique have sup-
ported a conclusion t h a t procedures developed from the top down a s a system
evolves will be lacking i n coverage of human misinterpretation and misunder-
standing, and may be somewhat divorced from job r e a l i t i e s , unless a special
e f f o r t i s made t o get employee feedback.
Engineers find it d i f f i c u l t t o
understand why the procedures they write are sometimes misunderstood on the
job, and engineers may have similar blind spots i n reviewing - therefore,
the c r i t e r i o n of on-job checking i s important.
I n the MORT T r i a l s a t Aerojet, Farish's c r i t e r i a were reworked by a
Procedures Review Board. The PRB l i s t , with additionalmodifications, is
provided as Appendix F.
Job Safety Analysis. The r e s u l t s of a job safety analysis can be evalu-
I n the MORT T r i a l s a t Aerojet, the U. S.
ated against the above c r i t e r i a .
S t e e l manual chapter on the subject was reproduced and used. The mnction was
a l s o summarized i n outline form a s follows:
Goal: (1) Determine p o t e n t i a l accident causes.
(2) Eliminate p o t e n t i a l accident causes.
I. Determine jobs t o be analyzed.
11. Establish p r i o r i t y i n which jobs are t o be analyzed.
A.
B.
C.
D.
E.
111. Method
A.
B.
. ~ r e q u e n c ~ 4 oassociated
f
Regularity (High Exposure Rate)

accidents)
Severity ( ~ c c i d e n tpotential)
Supervisory judgment
Job Changes ( ~ a z a r d snot clear)
Group discussion method

Direct observation method
I Five steps t o
decide proper
priority
N. Break down individual job i n t o steps or elements

V . Determine the contact p o s s i b i l i t i e s (environment)
A. Can the workman be struck by anything while doing the job step?
NOTE: A t t h i s point -
unless time prohibits - do not consider ways
of preventing contact - only i d e n t i f y the contact p o s s i b i l i t i e s .
B. Can the workman s t r i k e against anything doing the job step? (It i s
important, not only t o i d e n t i f y what the workman can s t r i k e against,
but a l s o how the contact could come about.)
C. Can the workman be caught between any objects doing the job step?
.
(e .g , look f o r "pinch" points. )
D. Can t h e workman be caught on o r i n anything doing the job step? (e.g.,
clothing i n machinery).
E. Can t h e workman f a l l doing the job step?
F. Miscellaneous accident p o s s i b i l i t i e s .
VI. Eliminate o r reduce contact p o s s i b i l i t i e s .
A. Establish a safe work procedure t h a t w i l l eliminate or reduce the
p o t e n t i a l contacts.
B. Change the condition of the environment which contributes t o the
C.
p o s s i b i l i t y of a contact ( t o o l s , equipment, machines, e t c .)
Wearing personal protective apparel.
.
V I I . Develop safe procedure
VIII.Safe job procedure appraisal
A. On-the - j ob review
B. Conference reviewT-} Participation
C. M a n a g e ~ n treview
The present Aerojet approach t o procedures has several supplementary

elements, a s follows:
1. The Detailed Operating Procedure i s reviewed by a Board and meets c r i t e r i a .
a. The DOP has been subjected t o JSA, o r a t l e a s t reviewed with the work force.
b. JSA's a r e created f o r standard tasks (e.g., crane operations) and a r e
plugged i n t o DOP ' s .
c. Engineering review of radiological o r toxic hazards i s performed, limits
a r e quantified, and corrective actions are specified i n advance.
d . A "Safe Work Permit" i s issued by s a f e t y personnel t o cover f i e l d condi-
t i o n s and requirements.
. 2. Standard Aerojet p o l i c i e s and procedures provide a frameof reference and context.
Thus, an integrated, comprehensive procedural system i s created.
Collecting Accident Data on Procedures. C a t l i n (1969) provides an example

of the key r o l e of procedures i n analyzing planning and operational f a i l u r e s .
Several s e t s of q u a l i t i e s can be visualized t o describe procedures:
1. Source
a. Higher l e v e l - from manuals, or from experts i n complex processes.
.
b Supervision
(1) Instructions
(2) Personal supervision
(3) Employee Participation (both t o pick up on-the-job experience
and f o r motivational reasons).
-
2. Form
a. Written
b. Oral
3. Hazard Review
a. Visible - thorough
b. Visible - slight
c . Not v i s i b l e .
4. F e a s i b i l i t y ( i n terms of task frequency)
a. Task r e p e t i t i v e (quantify as "daily, weekly, monthly, annually" )
b. Non-repetitive.
- - energy l e v e l .
5 . Need
Thus, i n an accident where a supervisor t o l d an employee, "Hey Joe, close
t h a t valve." The employee closed the wrong valve, r e s u l t i n g i n serious injury
when a flange was opened, and shutting down a major process. We can c l a s s i f y
the procedure a s follows:
1. Source - Supervision - personal
2. Form - Oral
3 . Hazafl Review - not v i s i b l e
4. F e a s i b i l i t y - task approximately monthly
5. Need - high energy.
An objective description of a "planning e r r o r (management)" i s emerging.
Results from numbers of accidents when so tabulated should give a useful assess-
ment of the s t a t u s of procedures and the major needs f o r the future.
Data on procedures may a l s o be compiled using Rigby's "error tolerance
l i m i t s " cited on page 52. "Custom and debate" axe a l l too common and lead
t o sloppy, unsafe performance.
A t Aerojet the use of Detailed Operating Procedures and Job Safety
Analysis a r e being worked i n t o a complementary and s t r u c t u r a l system
suitable f o r c l e a r and e f f i c i e n t guidance and good management. The simi-
l a r i t i e s , a s well a s some few differences, a r e shown i n Figure 32-3.
Figure 32-3. Similarities & Distinctions - Procedures & Job Safety Analysis
Procedures -
JSA
1. Originate a t : Higher l e v e l s 1 Working l e v e l s
2. Strengths: High p o t e n t i a l s , Use of c r a f t
Technical d i f f i c u l t y ,/ knowledge and
Control requirements,' experience
I n t e r - u n i t scope
'
i
3, C r i t e r i a i n p u t : Detailed, Simpler
Searching i
1
4. Information i n p u t ,
acc/inc . reports
Formal search
I
Inquiry t o safety
5. Draft Show f ailure-modes, Same scope,

consequences, l e s s formal
corrections I
f o r each s t e p
t
6. Specify "plug-ins": 1 Use JSA's
.
Standard t a s k s
(e g. , craine operation)
. ,
Components (e g. l i f t i n g )
2 Back up d a t a - e.g., engineering c a l c u l a t i o n s
3 On-site work permit requirements
7. Reviews: Informal \J Get work s i t e
I < !
experience
Formal Board Line & staff
8. Pre-job t r a i n i n g If needed I J I T routine
9. Pre-job b r i e f i n g both
10. F i e l d change procedure Formal I supervisor
11. Monitoring both
12. Post-use c r i t i q u e both
13. Revisions Formal procedure Less formal,
but i n w r i t i n g
I
14. Accident Analysis
a. C l a s s i f y e r r o r by Rigby's tolerance l i m i t s (page 52).
b. Describe d e v i a t i o n s ( ~ l u r a l )i n terms of s t e p s 1-13.
c. If e r r o r was i n s e l e c t i o n o r use of procedures o r JSA,
c l a s s i f y as follows:
(1) Re uirements ,LTA
(a) Scaling Mechanism LTA
( b ) Other d e f i n i t i o n s of use LTA
(2) Error by management .or supervision,
(3 ) Performance e r r o r .
33. EMPLOYEE SELECTION AND TRAINING
The MORT l o g i c f o r employee s e l e c t i o n and t r a i n i n g ( ~ i g u r e34-1, a portion
of Page 8 of t h e MORT diagrams) i s a p a r t of a general l o g i c of successive
elimination of p e r c e p t i b l e accident f a c t o r s i n i n v e s t i g a t i o n s o r s a f e t y program
reviews. I n t h i s context, t h e MORT l o g i c presumes a competent Hazard Analysis
Process, and e x c e l l e n t ( o r a t l e a s t adequate) Supervision and Procedures .
Employee s e l e c t i o n and t r a i n i n g , h e l p f u l a s they a r e , a r e not postulated a s
e f f e c t i v e ways of countering d e f e c t s i n t h e p r i o r processes.
Training c a p a c i t y t o r e f l e c t accumulated wisdom and r e c e n t experience i s ,
on t h e o t h e r hand, very o f t e n a "one best answer" t o problems, and t h e MORT
l o g i c i s not intended t o i n any way deprecate t h e values i n t r a i n i n g .
The MORT l o g i c p r e s e n t s an objective t e s t of s e l e c t i o n and t r a i n i n g - D/N
-
-
See o r Saw Correct Performance.
The idea of personnel a s output of a system of s e l e c t i o n , t r a i n i n g , proce-
dures and supervision i s t h e b a s i s f o r an "upstream a u d i t " of processes, a s
can be i n f e r r e d from t h e general s a f e t y system, and i t s monitoring subsystem.
The f i r s t "walk-through" of t h e Aerojet personnel subsystem showed gaps
which could be r e l a t e d t o a c t u a l i n c i d e n t s . For example, an experienced crane
operator s a i d of t r a i n i n g , "Who'll t r a i n me?" He l a t e r had a crane episode
which suggested t h a t t h e c r i t e r i a f o r s e l e c t i o n and t r a i n i n g of r e a c t o r grade
crane operators were "LTA." Upon examination t h e c r i t e r i a were found t o be,
i n f a c t , "much l e s s than adequate," o r "Poor."
The upstream a u d i t process produced an o u t l i n e of personnel subsystem
requirements , as follows :
I. S e l e c t i o n 2. New Reactor modifications
A. C r i t e r i a 3. New Reactor experiments
B. Testing 4. S p e c i a l c r a f t
11. Training 111. Test & Q u a l i f i c a t i o n
iP. Basic A. Basic
1. Doctrine 1. I n i t i a l
a. I n i t i a l 2. Continuous
b. Continuous 3. Periodic
c . Periodic B. S p e c i a l
2. Conduct 1. C r a f t q u a l i f i c a t i o n
' a. I n i t i a l 2 . New programs
.
b Continuous 3. Physical exam
c . Periodic IV. Current S t a t u s
B. S p e c i a l A. Medical
1. P l a n t f a m i l i a r i z a t i o n B. Supervisor Observations
The Test and Q u a l i f i c a t i o n f o r r e a c t o r personnel i s one of t h e "gates"

i n t h e Aerojet Review System (Figure 28-3) . The "current s t a t u s " i s assessed
by supervisory, medical, o r other observation.
Figure 34-1. Employee' Selection and Training
QI
cm
PREPARATION EMPLOYEE
MOTIVATION
LTA
SELECTION
ma
Selection. I n selection (SDS-a1 i n the MORT diagram) the twin factors of
c r i t e r i a and methods are exposed f o r study.
There i s a limited amount of information on safety-related physical capa-
c i t i e s f o r specific kinds of r i s k s ; substantially more f o r the driving task
than other tasks. Where performance can be c r i t i c a l , as f o r crane operators,
and objective requirements can be established, selection of personnel can play
a r o l e i n the human f a c t o r s chain. Selection i s widely practiced i n motor
vehicle f l e e t safety, but biographical data seem t o have greater r e l i a b i l i t y
than r e s u l t s of various types of psychological t e s t s . I n general, t e s t s have
not e f f e c t i v e l y discriminated those who w i l l have accidents from those who
w i l l not.
Crawford (1965) recommends:
"The h i r i n g procedure should be designed to-fit-the-man-to-the-job. Job
requirements should be analyzed t o identify job demands so an individual
with desired c h a r a c t e r i s t i c s be selected.
"Moreover, a review should be made of an individual's personal work h i s -
tory, which contains some of the best predictors of accidents: a previous
record of accidents. If an individual has had several accidents, he may
have other accidents. Accident predictors include: excessive or chronic
absences, frequent gripes or complaints, low productivity, i n e f f i c i e n t
work performance."
Crawford's suggestion should not reverse e a r l i e r emphasis on f i r s t doing a l l
possible t o f i t the job7 to the people t y p i c a l l y available.
I n any investigation, some questions on selection of personnel should be
answered, f o r example:
Describe applicable personnel standards, and review procedures established
..
(e g , medical exam) .
Did personnel meet the standards established f o r the work? When examined?
When reexamined?
Training. MORT analysis presumes that training i s auditable i n t e r n s of

the steps on page 325and f o r each of the relevant categories of personnel.
The MORT analysis uses the widely-accepted, simple yardstick of Job In-
struction Training (JIT) t o evaluate training:
1. Prepare the worker t o receive the instruction.
2. Present the operation - perform and describe.
3. T r y out h i s performance .
4. Follow-up.
( ~ d d e dd e t a i l s are i n the NSC manual and other publications. Interestingly,
Juran (1964) c i t e s JIT a s a "management universal.")
Again we see not only the elements i n upgrading a supervisor's a b i l i t y t o
t r a i n , but also the anatomy which enables us t o measure and t o trace a break-
down i n the system.
. - -
smith (1967) provides c r i t e r i a f o r judging t h e s t r e n g t h s and weaknesses
i n a six-phase t r a i n i n g propam developed by an NSC t r a i n i n g committee. The
phases a r e :
1. I d e n t i f y i n g Training Needs
2. Formulating Training Objectives
3 . Gathering Materials and Developing Course Outlines
4. S e l e c t i n g Training Methods and Techniques
5. Conducting Training Programs
6. Evaluating Training Programs
Altman (1970) analyzes t h r e e key f a c t o r s :
1. Monitoring and feedback
2. The r o l e of reinforcement schedules i n l e a r n i n g t o have accidents
3 . Transfer of t r a i n i n g and s a f e behavior.
Reinforcement mechanisms inherent i n t h e r o l e of t h e person d i f f e r
widely f o r f o u r c l a s s e s of r o l e s :
1. The c r i t i c a l worker whose performance i s always rewarded,
2. The s e r i e s worker who r e c e i v e s feedback only on t o t a l performance
of t h e s e r i e s ,
3. The p a r a l l e l worker who may receive p o s i t i v e feedback even though
he has e r r e d ,
4. The redundant worker whose feedback i s unrelated t o h i s performance
(and so he performs poorly! )
Learning curves a r e favorable-unfavorable i n terms of t h e 1-2-3-4 sequence above.
Transfer of t r a i n i n g may be p o s i t i v e o r negative depending on t h e s i m i l a r i t y
of s t i m u l i and responses. No assumption of t r a n s f e r could be r e l i e d upon without
examination of t h e elements of two t a s k s and a decision whether p o s i t i v e o r
negative c o r r e l a t i o n with e r r o r i s l i k e l y . Among techniques Altman urges i s :
"Being assured t h a t change does not f a l l a c i o u s l y depend upon p r o f i c i e n c i e s
which w i l l not r e a d i l y t r a n s f e r o r permit negative t r a n s f e r t o occur i n
c r i t i c a l operational situations."
Reinforcement of s a f e behavior based on Skinner's f i n d i n g s i s discussed
by Bird and Schlesinger ( 1 9 7 0 ) . The discussion ranges across t h r e e a r e a s i n
t h i s text:
1. Training - values i n reinforcement,
2. Enforcement - some negative s i d e e f f e c t s ,
3. Role of rewards - which extends i n t o our t o p i c of motivation.
Operations simulation i s highly e f f e c t i v e a s a t r a i n i n g device, and
a l s o c o n t r i b u t e s t o a hazard a n a l y s i s . I n i t i a l l y , r e a l i s t i c simulation
seems expensive, but should be examined a g a i n s t t h e c o s t s of emergency
a c t i o n s (good and bad) . Evaluated i n long-term r e s u l t s , simulation w i l l
often shaw up a s a low-cost approach. Simulation i s e a s i l y scaled from
class-room, i n t e l l e c t u a l problems through manual exercises t o electronic
and mechanical exercises which approach operational conditions. Given
t h i s range of simulation, a t e s t question i n an investigation could be:
Did training include any simulation related t o the event which occurred?
Programmed self-instruction i s being increasingly used. Low cost
and demonstrated learning potentials commend it. W o n t , a s an example,
has programmed instruction i n general subjects, such a s "Safety Principles"
and "Planning f o r Safety," as prerequisites f o r a wide v a r i e t y of specific
hazard t r a i n i n g topics.
Surry (1969) c i t e s studies showing effectiveness of i n i t i a l training i n
shortening a new employee's e a r l y period of accident susceptibility, but
l i t t l e or no long-term e f f e c t of i n i t i a l training.
Retraining and Requalification2 Accident reports often show a
recommendation f o r retraining or requalification t e s t i n g but such-
reports seem t o r e f l e c t a blind reliance on training or qualification,
r a t h e r than a reasoned finding t h a t such programs would i n f a c t have pre-
vented o r alleviated the event. If the roots of the accident are i n non-
acceptance o r weak motivation, training and tests may not correct the
deficiencies. One explosives accident involved the person who gave explo-
sive safety instruction -
and he deviated f r o m preachments and procedures
i n twelve ways! (~ppendix~6 .)
Training i s hardly an answer, nor i s
participation i n safety programming. Adequate monitoring and supervisory
follow-up seem closer t o the mark.
On the other hand, if new materials o r processes a r e involved, retraining
and requalification may well be useful measures.
The adoption of systemsafety methods can be seen a s a training
challenge. The need f o r safety training f o r new employees i s well recog-
nized. For example, AEC1s "Electrical Safety Guides f o r Research" says:
"A course i n e l e c t r i c a l safety should be provided f o r new laboratory
employees, commensurate i n coverage with each employee's work
assignment. "
Just what does t h i s niean? A cuurse i n e l e c t r i c a l safety, but not
pressure vessels, l i f t i n g , f i r e , etc? Commensurate "with each employee's
work assignment" -
how i s t h i s t o be done i n a course regularly available ?
Lawrence has a safety training course f o r new employees, but a s with
most such courses, the question can be asked a s t o whether it reaches new
employees when they are r e a l l y new and need it most, or whether it reaches
them l a t e r , when a c l a s s is f'ull, and need i s lessened. Effectiveness i s
not assessed .
A d i f f e r e n t kind of problem a t Lawrence, namely, general non-attendance
of graduate students, suggests some other questions about such training.
I s it t o be forced on these people, and with what r e s u l t s ? O r , i s t h e
challenge t o make t h e course so i n t e r e s t i n g and valuable t h a t graduate
students raise t h e course?
Perhaps t h e whole challenge t o systematic s a f e t y can be expressed
i n t h e challenge t o c r e a t e a t r a i n i n g experience which grad students see
a s an opportunity t o l e a r n about c r e a t i v e problem solving t o a t t a i n an
objective.
The challenge l i e s , then, i n t h e c o n t r a s t of Method and Content.
Can employees of whatever type be taught how t o analyze jobs and hazards,
o r must they be given lengthy "laundry l i s t s " of hazards?
34. PERFORMANCE ERRORS
MORT l o g i c f o r examining performance e r r o r s r e s t s on p r i o r processes of

hazard analysis, management o r supervisory detection of e r r o r provocative
s i t u a t i o n s , and procedures. Also, t h e r o l e of employee s e l e c t i o n and t r a i n i n g
( f o r example, a supervisor's use of a JSA-JIT-SO routine) a r e considered t o be
a p a r t of management and supervision. Thus, performance e r r o r s become a
r e s i d u a l of systemic strengths o r weaknesses.
Notwithstanding t h e major importance assigned t o p r i o r f a c t o r s i n t h e
work s i t u a t i o n , one t r a i n e r saw the end r e s u l t of NORT a s "blaming the oper-
a t o r f o r performance errors." The s a t i s f a c t o r y answer seemed t o l i e i n re-
emphasizing t h a t a t y p i c a l MORT a n a s i s shows 30 causal f a c t o r s before
considering employee performance e r r o r s .
The f i r s t t a s k i n analyzing performance e r r o r s i s d e s c r i p t i v e , t h a t i s ,
t h e e r r o r s could be tabulated a s "unsafe acts," using t h e ANSI recommended
method. However, t h i s has been shown t o be s o highly subjective a s t o be of
only marginal value, and a tabulation of e r r o r s i n terms of Rigbyts tolerance
l i m i t s i s l i k e l y t o have more value i n designing corrective measures. (see
Chapter 4 on Errors. )
The kinds of questions r a i s e d by MORT analysis a r e not the types commonly
asked on accident r e p o r t s , not answered by mass data, and q u i t e d i f f e r e n t
from t h e usual "unsafe act" taxonomies. The c l e a r implication i s t h a t there
could be few "unsafe a c t s " i n t h e sense of blameful employee f a i l u r e s unless
o r u n t i l t h e preventive s t e p s ( i n p r i o r i t y order from f r o n t t o back and l e f t
t o r i g h t on the MORT c h a r t s ) have been shown t o be adequate.
I n serious accidents analyzed with MORT, the numbers of systemic and
procedural d e f i c i e n c i e s were so g r e a t as t o warrant an impression t h a t "unsafe
acts" (not correctable by HFE and good planning, supervision, t r a i n i n g , e t c . )
a r e considerably fewer than implied by t h e s a f e t y l i t e r a t u r e . Further, if
t h e r e be a r e s p o n s i b i l i t y connotation t o "unsafe acts," t h e number of such
a c t s i s probably q u i t e small - motivational programs and forces, p o s i t i v e and
negative, being what they a r e .
The MORT analysis separates t a s k and non-task e r r o r s , and analysis pro-
ceeds more e a s i l y i f t h e l a t t e r a r e s e t aside f o r separate consideration.
Fringe a c t i v i t i e s , such a s going t o lunch, r e c r e a t i o n a l programs, e t c . , a s w e l l
a s horseplay, a r e separated from Task Performance whose c o n t r o l i s a prime
objective of t h e supervisory process and Job Safety Analysis.
Before moving i n t o t h e analysis of Task Performance Errors, two other
preliminary questions must be cleared away: ---
c 7 D/N Get Work Permit. There a r e s p e c i a l s i t u a t i o n s commonly covered
by work permits (sometimes a s extensions of procedures otherwise prescribed) .
These include such s u b j e c t s a s :
1. Welding permits
2. Continuous t e s t permits
3. Work orders
4. Other, o r general permits (such a s Aerojet's Safe Work Permit system).
The general Safe Work Permit system (including, a t Aerojet, r a d i a t i o n
l i m i t s and monitoring requirements) seems t o have advantages over s e v e r a l
separate systems.
A problem i n any system i s t h a t the permit may give a f a l s e sense of
security. For example, a permit f o r welding may have only been checked f o r
f i r e , o r a permit covering r a d i a t i o n may not have been checked f o r other haz-
ards. Both t h e form design and s i g n e r ' s t r a i n i n g should consider these forms
of oversight.
I n one accident a permit f o r hot work, which meant only t h a t a tank space
was f r e e of explosive vapors, w a s construed as a general approval. The worker
entered t h e space and w a s k i l l e d by an oxygen d e f i c i e n t atmosphere. Permit
format should a c t i v e l y work a g a i n s t t h i s type of e r r o r .
Continuous Test Permits. These appear d e s i r a b l e , but i n p r a c t i c e they
appear t o be issued f o r such long periods a s t o make questionable t h e i r ade-
quacy f o r conditions a t t h e time of t h e accident.
Work Orders. These should be reviewed from t h r e e s a f e t y viewpoints :
1. Employees doing t h e work,
2. Employees exposed during work,
3. Persons using t h e f a c i l i t y a f t e r change.
Both t h e a r e a supervisor and t h e maintenance supervisor should consider
a l l t h r e e views. Accident r e p o r t s suggest t h a t d u a l approvals on a l l t h r e e
p o i n t s should be required. But, examination of f i e l d procedures i n i s s u i n g
work permits suggest t h a t job 1. i s done well, job 2. i s done i n p a r t , and
job 3 . i s seldom done, o r p a r t i a l l y done, e.g., f o r code v i o l a t i o n s .
c l l Task Assignment LTA. Was t h e t a s k assignment one the supervisor
should make? Was t h e t a s k one an employee should assume within an approved
project?
I n a revised MORT format, these two aspects may be subjects t h a t should
be questioned e a r l i e r (e.g., c l l before c7, and both c l e a r l y review t o p i c s
before a p p l i c a t i o n of the JSA-JIT-SO r o u t i n e ) .
The subsequent MORT a n a l y s i s (pages 7 and 8 of t h e diagrams) stems d i r e c t l y
- 333 -
: 4 t h e JSA-JIT-SO sequence. Therefore, the i n i t i a l questions a r e d i r e c t e d
t o the existence of a Procedure o r Job Safety Analysis which meets any give^
s e t of c r i t e r i a .
c8 No Job Safety Analysis. This a n a l y s i s proceeds from a determina-

t i o n of t h e r e p e t i t i v e character of the task, Objective information is needed,
e.g., i s t h i s t a s k done continuously, hourly, d a i l y , weekly, monthly, e t c ?
d8 Repetitive. E i t h e r JSA w a s not required, o r was not made. I n the
l a t t e r case t h e r e could be F a i l u r e t o Monitor t h e coverage of t h e JSA program.
d9 Non-Repetitive r e q u i r e s a determination of low p o t e n t i a l o r high
p o t e n t i a l ( a s c a l i n g mechanism).
e3 Low P o t e n t i a l becomes an Assumed Risk.
e4 High P o t e a t i a l . (perhaps b e t t e r described a s "other than low
potential), A Pre-Job Analysis (an extemporaneous, but step-by-step review
comparable with JSA) should be made by the supervisor o r employee. s he
" p o s i t i v e t r e e " based on the Gold Powder explosion i s an example of Pre-Job
Analysis by a professional employee.) I f the t a s k is t r u l y high p o t e n t i a l ,
the supervisor should supervise d i r e c t l y and c o r r e c t l y . (cases i l l u s t r a t e
both needs. )
Perhaps one of the t r i c k i e s t aspects of MORT Analysis i s i n t h e t a s k
performance area--that i s , a high standard f o r JSA i s postulated. What i f
t h e JSA c r i t e r i a a r e not met? Does a n a l y s i s terminate with no JSA o r JSA-LTA?
The answer is, "No ! "
The a n a l y s i s i s continued with the a n a l y s i s using whatever c r i t e r i a a r e
available--custom, o r debatable, t o use Rigby's terms.
Thus t h e d i s t i n c t i o n s i n c8 No Job Safety Analysis may be t o f i r s t see
whether procedure c r i t e r i a were m e t , and second, if not met, how w e l l did
subsequent d e f i n i t i o n s , even i f o r a l , meet c r i t e r i a .
For example, were such o r a l c r i t e r i a f i t t i n g :
c9 t h a t i s , l e s s than adequate; o r were they more nearly ~ 1 0 1
c10 D/N use.
Without deprecating the values i n holding procedures and 3SA t o high
standards, t h e a n a l y s i s of a p a r t i c u l a r event seems t o proceed best by
(1) analyzing procedures against t h e highest c r i t e r i a , and
(2) i f procedures f a i l t o meet these high c r i t e r i a , continuing t h e
a n a l y s i s i n terms of c r i t e r i a then i n e f f e c t .
For example, i f c r i t e r i a t o be used by a supervisor were "forensic," i .e.,
debatable, analyze use of such c r i t e r i a a s were a v a i l a b l e t o t h e man, but
allow f o r t h e f a c t t h a t c r i t e r i a had not been w e l l defined by management.
Going through the MORT process of elimination f o r r o l e s of procedures
( o r JSA), r o l e s of s e l e c t i o n and t r a i n i n g , and t h e r o l e s a c t u a l l y played by
deviations from procedures, brings us f i n a l l y t o the r o l e s played by
normal v a r i a b i l i t y .
a3 Deviations. I n p r a c t i c e , Deviations have been analyzed even i f the

standards f o r job performance were vague--such limits a s "custom" o r
"forensic" (per ~ i ~ b y ) .
The chart shows contributions t o Deviations from both Normal V a r i a b i l i t y
and Changes. A t present the proportionate contribution of t h e two f a c t o r s i s
not known. Normal V a r i a b i l i t y i s visualized a s manageable i n degree through
Human Factors Review (and appropriate de signs and plans) whereas Change i s
more the purview of Supervision (detection and counterchange) -- such charac-
t e r i s t i c s a s ill, fatigued, personal problems, o r temporary handicaps.
Sources of changes and d a t a c o l l e c t i o n a r e discussed i n Appendix D.
bg DIN Observe. There a r e a wide v a r i e t y of corporate plans f o r s a f e t y
observations. By d e f i n i t i o n , we a r e t a l k i n g about s a f e t y observations by t h e
f i r s t l i n e supervisor (not inspections, a u d i t s , o r sampling by observers).
The plans can be seen i n the following elements:
1. The common sense, hour-by-hour observation of a department t o know
what i s happening.
2. The s p e c i a l follow-up t o observe new employees, o r new o r changed t a s k s .
3. A required number of recorded s a f e t y observations per time period, e.g.,
a . Two per employee per month, o r
b. Two employees per day.
Again we see the opportunities, not only f o r management guidance and d i r e c -
t i o n of supervisors, but a l s o the opportunities f o r analysis of system break-
downs and the measurement of performance.
I f we hypothesize the highest degree of c o n t r o l of work by a JSA-JIT-SO
plan, and a c t u a l l y s e t out t o measure and document a departmental s i t u a t i o n ,
we have t o face a very r e a l problem - the supervisor's time. An e n t r y of
N.D.T. (no damn time) should be a legitimate answer f o r a harassed super-
v i s o r , a t l e a s t u n t i l management gives supervisors more a i d s and helps, o r
has developed new experience and standards a s t o spans of c o n t r o l and s a f e t y
and other performance r e s u l t s t o be gained from authorizing higher degrees
of c o n t r o l (more time and budget).
One important point t h a t i s i m p l i c i t i n the JSA-JIT-SO system i s t h a t
t r a n s f e r s t o new jobs a r e "new employeestt t o t h a t job. W e s t i l l see accident
r e p o r t s which provide f o r t o t a l experience with t h e company, but not experi-
ence on the task. And t r a n s f e r s o r changed jobs appear t o be a more p r o l i f i c
source of e r r o r s than new employees.
c2 D/N Enforce. We come f i n a l l y t o t h e matter of r u l e observation and
discipline. A l l companies with strong programs have some d i s c i p l i n a r y system
f o r repeated o r major v i o l a t i o n s of r u l e s . Obviously t h e JSA-JIT-SO plan e l i m i -
n a t e s much need f o r d i s c i p l i n e by affirmative p r i o r a c t i o n . But, when d i s c i -
p l i n e i s weighed, the plan provides a background of c l e a r r u l e s , c l e a r under-
standing, and a l i m i t e d tolerance f o r v a r i a t i o n s .
Enforcement i s , i n theory, d i r e c t e d a t t h e small minority who w i l f u l l y
r e f u s e t o obey r u l e s , o r r e b e l a t conformance. I f a permissive a t t i t u d e pre-
v a i l s regarding adherence t o procedures, and rule-breaking is widespread,
enforcement i s probably not i n order--neiJ;her f a i r nor e f f e c t i v e . The general
s i t u a t i o n must be improved.
Bird and Schlesinger (1970) l i s t e d some s i d e e f f e c t s of punishment:
"1. The employee may continue t o behave t h e same way, but t r y harder t o
avoid being observed by t h e supervisor.
2. When t h e same behavior can lead t o both reward and punishment, t h e
employee w i l l be i n a s t a t e of c o n f l i c t .
3. Conflict l e a d s t o f r u s t r a t i o n and aggression: t h e employee i s l % k e l y
t o t r y t o take out h i s f r u s t r a t i o n by reduced output, substandard
q u a l i t y , damage, waste, o r f i g h t i n g with o t h e r workers."
A s a footnote he adds: "Of course, d i s c i p l i n e may be necessary, hut i t i s a
last resort--never a s o l u t i o n t o t h e motivational problem."
This s e c t i o n on supervision suggests such questions as:

Was t h e t a s k assigned by t h e supervisor?
a. What i n s t r u c t i o n s were given?
b. Was the t a s k assignment one which the supervisor should make?
c. Was t h e t a s k r e p e t i t i v e ? How frequently?
d. If t h e t a s k was non-repetitive, was t h e supervisor d i r e c t l y super-
vising? Do organization procedures require d i r e c t supervision of
non-repetitive t a s k s involving p o t e n t i a l injury?
e . If t h e t a s k was not assigned by t h e supervisor,
(1) Was it an employee-designed t a s k within the scope of an
approved p r o j e c t ?
(2) Was it a p e r i p h e r a l a c t i v i t y , not i n c o n f l i c t with r u l e s
( e .g. , going t o o r from work on premises, authorized work
breaks, e t c . ) ?
(3) O r , was it an a c t i v i t y unrelated o r prohibited?
2. Were t h e e r r o r s involved known t o the supervisor?
a. What a c t i o n had he taken?
b. Was c o r r e c t i o n delayed? How long? Why?
c. Had t h e r e been any employee r e p o r t s o r suggestions involving any
of t h e e r r o r s ? If so, what was the d i s p o s i t i o n ?
3. When d i d t h e supervisor l a s t see the man? Was he working according t o
procedure a t t h a t time?
a . When d i d t h e supervisor l a s t see the person do t h i s t a s k c o r r e c t l y ?
b. When d i d t h e supervisor l a s t d i s c u s s s a f e t y with t h e person?
What was discussed?
c. When did the supervisor l a s t make a safety observation (moni-
toring) on t h i s man's work?
4. Describe training methods, aids, o r procedures, which were specified.
5. Describe employee participation i n hazard review and procedure devel-
opment, i f any.
a. Was t h i s employee involved i n Job safety analysis?
6. Had emergency provisions been tested by simulation? How and when
tested?
Some of the complexity of interactions of changes, training and motiva-
t i o n are revealed i n the following incident:
A new employee was t o r e p a i r a leaking flange i n company with an experi-
enced employee. The senior man went f o r some material. The new employee,
motivated t o show h i s eagerness (the eager beaver again) checked a gauge
f o r pressure, saw eero pressure, forgot about the acid i n a r i s e r , and
opened the flange.
35. EMPLOYEE MOTIVATION, PARTICIPATION & ACCEPTANCE
The t i t l e of t h e Chapter begins t o expand considerations t o t h e needed dimen-

sions. Safety motivational programs, e,g., such common f e a t u r e s as p o s t e r s ,
c o n t e s t s , campaigns, interest-maintaining gimmicks, e t c . , a r e d i f f i c u l t t o
evaluate unless t h e r e i s some s t a t e d context of motivational p r i n c i p l e , i n c l u -
d i n g all-important opportunities t o p a r t i c i p a t e and t o b e n e f i t from necessary
feedback.
The organization of m a t e r i a l i n t h i s a r e a i s d i f f i c u l t because of t h e
l a c k of a framework of commonly accepted concepts.
MORT diagrams f o r a n a l y s i s d e a l with a small, f i n i t e l i s t of motivational
programs, t h e emphasis being on i d e a s with some firmness i n research support.
a4 Motivation. The a n a l y s i s d i s t i n g u i s h e s d i r e c t i n g the employee and moti-

v a t i o n , and w i l l examine i n t e r r e l a t i o n s .
-
Motivation i s t h e l a s t aspect of the Safety Precedence Sequence - partly
because we know t h e l e a s t about it, and p r t l y because t h e p r i o r a c t i o n s i n
SPS would seem t o be a p r e r e q u i s i t e f o r e f f e c t i v e motivation.
The MORT a n a l y s i s proceeds by f i r s t evaluating some s p e c i f i c aspects of
motivation f o r which t h e r e i s some f a c t u a l o r s c i e n t i f i c information. These
include, f o r example, schedule pressures, avoiding discomfort o r e f f o r t , and
t h e r o l e of management concern, v i g o r and example.
bl4 Job I n t e r e s t Building. Herzberg (1968) says :
"The psychology of motivation i s tremendously complex, and what has
been unraveled with any degree of assurance i s small indeed. But t h e
dismal r a t i o of knowledge t o speculation has not dampened t h e enthu-
siasm f o r new forms ,,of'snake o i l ' t h a t a r e constantly coming on t h e
market ... "
Herzberg then r e p o r t s on experiments i n job i n t e r e s t building and v e r t i c a l

loading. Reasons, research r e s u l t s , and p r i n c i p l e s a r e o f f e r e d . However, t h e
t h r u s t i s t o improve general performance. A s a f e t y problem w i l l be t h e degree
of freedom permitted i n high p o t e n t i a l s i t u a t i o n s , a problem which was e a r l i e r
seen i n t h e suggestions of Jones and Rockwell t h a t s a f e t y decisions be l e f t i n
jobs.
More r e c e n t l y , Walton (1972) r e p o r t s t h a t job i n t e r e s t building and o t h e r
sEngle phase motivationa2 approaches have not l i v e d up t o expectations. Nothing
l e s s d r a s t i c than comprehensive redesign of t h e workplace and work r e l a t i o n s
can g e t at t h e r o o t s of worker a l i e n a t i o n , i n Walton's view. I n r e p o r t i n g on
one experimental p l a n t , he says, "The s a f e t y record w a s one of t h e b e s t i n t h e
company...", but cautions t h a t new equipment and other v a r i a b l e s were p a r t i a l l y
responsible.
b15 Group Norms Conflict and small group norms can e f f e c t i v e l y f r u s t r a t e
t h e goals of t h e l a r g e r organization. Two p r a c t i c a l approaches a r e l i s t e d .
(Also see Appendix G. )
c3 JSA P a r t i c i p a t i o n . This second reference t o JSA i s only intended t o
show t h a t analysis, t r a i n i n g o r monitoring systems which provide opportunities
f o r p a r t i c i p a t i o n have double value because of t h e i n d i r e c t b e n e f i t s i n p a r t i -
cipation i t s e l f .
c4 Innovation Diffusion. This research-based concept of developing
desired behavior changes i s discussed a t length i n Appendix
It seemed apparent a t a l l t h r e e research s i t e s t h a t motivational programs
were not formulated o r judged and assessed from any clear-cut, a r t i c u l a t e d
concepts. Consequently, f o r new methods o r processes, obvious i n i t i a l s t u d i e s
appear t o be observations and t a b u l a t i o n s based on t h e step-by-step progres-
s i o n s i n innovation d i f f u s i o n and acceptance.
The development of increased s e a t b e l t use would be a p r a c t i c a l case f o r
use of innovation d i f f u s i o n techniques. While t h e start of an innovation
d i f f u s i o n program seems slow, t h a t is, taking time f o r i d e n t i f i c a t i o n and
personal work with key, i n f l u e n t i a l innovators, i t is o f t e n the short road
t o t h e goal. One-way messages won't work.
b16 Personal Conflict. Problems of interpersonal r e l a t i o n s a r e a l s o

discussed i n Appendix G. For t h e Deviant, t h e a v a i l a b l e answers seem t o be,
(1) t r e a t , (2) t r a n s f e r from a high p o t e n t i a l s i t u a t i o n , (3) terminate, o r
(4) tolerate--charge off t o Assumed Risks.
b17 General - ~ o t i v a t i o nProgram LTA. Swain (1965) argues a s follows :
"Aside from t h e ...d i f f i c u l t i e s and inconsistencies inherent i n t h e
slogan-and-sign approach t o safety, have s a f e t y motivation campaigns
been e f f e c t i v e i n modifying human behavior? What i s the record?
"A search i n t h e l i t e r a t u r e of i n d u s t r i a l psychology has f a i l e d t o show
-
a s i n g l e controlled experiment on t h e r e a l effectiveness of s a f e t y
motivation campaigns. A quotation from a USAF r e p o r t may be revealing:
Over t h e p a s t f i f t y years there have been innumerable campaigns
of s a f e t y education, using a l l t h e varied media of advertising
and propaganda. That the campaigns have i n some measure been
f r u i t f u l i s suggested by t h e general diminution of i n d u s t r i a l
accidents over t h e years... Much of t h i s reduction must, of
course, be a t t r i b u t e d t o s a f e t y engineering, i . e . , t o reducing
t h e hazards of t h e work s i t u a t i o n . I n f a c t , it i s very d i f f i c u l t (
t o i s o l a t e any p a r t of t h e improvement i n accident r a t e s and say:
'This i s due t o our s a f e t y education program.' The p o s s i b i l i t y i s [
not completely excluded t h a t changes i n t h e conditions of work
together with changes i n procedures f o r s e l e c t i n g and t r a i n i n g
personnel may account for a l l the gain. Controlled studies of the
e f f e c t s of safety education procedures appear t o be largely non-
existent. Many a r t i c l e s s t a t e the value of the safety education
program i n a particular industry, but most of these are promotional
a r t i c l e s offering l i t t l e data on the r e l a t i v e effectiveness of a
specific type of safety program."
A t a l l three s i t e s safety meetings seemed t o be a "necessary evil." They
are held, but t h e i r effectiveness i s questioned. However evaluations are not
carried out, nor are programs tested.
This study brought t o l i g h t three anomalous cases, a l l involving people
thought t o be well-motivated :
Meeting topic : Accident Shortly After:
1. F a l l s F a t a l f a l l from roof.
2. Hand tools Permanent t o t a l d i s a b i l i t y from powder-
pawered t o o l ,
3 . An accident was discussed
p a r t i a l amputation of finger
- Same kind of accident
same result.
-
moving heavy object.
These kinds of cases suggest the need f o r evaluating meetings. The
meetings are alleged t o be tiresome. If they are a l s o ineffective, why not
t r y something e l s e - and measure?
In other accidents the motivation f o r general performance seemed e x c e p
t i o n a l l y high--"eager beavers. " Can these people be changed, e,g, taught ,
hazard analysis, without slowing up t h e i r commendable drive?
Even i n the proceedings of otherwise excellent Accident Review Boards,
there are conclusions t h a t people should:
THIMC
Be ALERT
BE AWAHE
The mechanisms t o a t t a i n these s t a t e s are not defined.
-
what? Haw? Be Alert? f o r what? What are the signals?
--
Think about
The r o l e of supervisors can be examined against the guidelines suggested

by Bird and Schlesinger (1970)8
3. He w i l l spend more time recognizing and rewarding safe perfomance,
compared t o time spent i n disciplining employees f o r unsafe performance,
2, He w i l l strengthen and enhance the importance of management-standards
f o r safe performance.
3. He w i l l focus attention on the importance of safe performance.
4, He w i l l remind employees of the techniques of safe performance,
"5. He w i l l be seen by t h e men who work f o r him a s a c o l l e a
i n t h e i r welfare--rather than a s a d i s c i p l i n a r i a n ( o r 'nag' * e interested
The r o l e of p a r t i c i p a t i o n i n s a f e t y can be assessed i n a program o r i n an

accident by counting t h e s p e c i f i c opportunities. The form of p a r t i c i p a t i o n
seems l e s s important than t h e substance. The c r i t i c a l incident technique has
enough s t r e n g t h t o suggest i t s u n i v e r s a l value. On t h e o t h e r hand, most forms
of cooperation, including some advocated by unions (eag., labor-management
j o i n t committees) do not have records of proven value s u f f i c i e n t t o p r e f e r one
form over another.
Obviously i s s u e s of equity, u n d e r - u t i l i z a t i o n o r o u t r i g h t a l i e n a t i o n i n
t h e p l a n t w i l l play a r o l e i n t h e background leading up t o a c c i d e n t s , but
a s s e s s i n g t h e i r influence i n so-called s a f e t y s t u d i e s may be impractical.
I n Appendix G , Planek's Program Planning Model i s presented f o r use i n
any program, but it i s s p e c i f i c a l l y aimed a t motivational programs. The model
r e q u i r e s hard work, but may be l e s s p a i n f u l than t h e d i s i l l u s i o n of gimmicks
and slogans. The model suggests examination of premises and information about
a problem, d i r e c t . a n d d i f f .se methods of reaching t a r g e t groups, perceived
relevance of message by audience, modes of presentation (e. g. , humor vs.
shock) and e s p e c i a l l y audience c h a r a c t e r i s t i c s .
***
The s p i r i t of an organization, o r a s a f e t y program, cannot be ignored
o r underestimated. Lengthy periods without a d i s a b l i n g i n j u r y do not j u s t
happen. What is i n doubt i s whether propaganda did t h e t r i c k .
"The i n t a n g i b l e element of e s p r i t de corp i s one t h i n g t h a t s e p a r a t e s
healthy companies from candidates f o r t h e marble f o r e s t , " says a veteran
business analyst.
Lawrencets s a f e t y program i s not systems o r procedure oriented (with excep-
tions f o r certain areas). Yet Lawrence has a good record. Could it be t h a t
the high motivation f o r general performance, both i n t h e s a f e t y group and t h e
Lab a s a whole, i s a f a c t o r ?
Behavioral Science Findings.

During t h e MORT T r i a l s a t Aerojet four documents were used i n t h e design,
introduction and implementation of s p e c i f i c s a f e t y program improvement
projects:
1. Innovation Diffusion ( ~ ~ ~ e n H)
dix
2. Appendix G (from t h e e a r l y e d i t i o n of MORT) covered such t o p i c s a s :
a . p a r t i c i p a t i o n and s o c i a l f o r c e s
b. Supportive programs f o r t h e i n d i v i d u a l
c . The individual i n a sociotechnical context
d. The individual
e . Attitude
f . Changes i n people
g. Motivation.
3 . "Acceptance of Proceduralized Systems," (included a s Appendix I ) , a
summary paper produced because such acceptance can be seen a s the
Number One problem a t Aerojet. The paper covered such t o p i c s a s :
a . Defined system goals,
b. Present Aerojet systems,
c. Personal v a r i a b l e s i n behavior,
d. Sociology and psychology of acceptance,
e. Deviant p e r s o n a l i t i e s ,
f . A s o c i a l science framework f o r acceptance,
g. Local f a c t o r s ,
h . Suggested Aeroj e t approaches .
4. "Improving Human Performance ," Swain (1972), a new t e x t already d i s -
cussed a s a "management method . I '
To t h e degree possible those working on various MORT p r o j e c t s endeavored
t o use the four documents a s a frame of reference, and they seemed applicable
and u s e f u l . However, two executive reviews of t h e materials showed broad agree
ment with the findings, but p r d u c e d no consensus t h a t they would be u s e f u l a s
a published organizational reference o r guideline f o r management of the organi -
zation. The objections seemed t o c e n t e r on a "motherhood" tone of pious prin-
c i p l e s , and lack of clear-cut a c t i o n plans.
The l a c k of a c t i o n plans seems explainable by t h e view t h a t p r i n c i p l e s of
the type described a r e only a framework f o r handling serious current problems.
They a r e not a program, but r a t h e r a philosophy. They can, however, be t r a n s -
l a t e d i n t o a p r a c t i c e i n day-to-day work.
Something of a stalemate i n doctrine can probably be resolved only a f t e r
f u r t h e r t r i a l s and study. I n presenting t h i s problem area t o a seminar f o r
MC f i e l d s a f e t y d i r e c t o r s i n September, 1972, the m a t e r i a l was handled about
a s follows:
1. You w i l l spend a c a r e e r t r y i n g t o change human behavior.
2 . Review appropriate materials and s e t down, a t l e a s t i n outline form,
the group of findings, concepts and b e l i e f s you w i l l attempt t o use.
3 . Try out conscious applications of principle and measure e f f e c t s .
4. Modify your p r a c t i c e s based on experience.
No b e t t e r advice seems possible a t t h i s time. Consequently a r a t h e r sub-
s t a n t i a l body of reference m a t e r i a l i s presented i n t h e t h r e e Appendices H,
I and J.
Despite t h e problems, t h e r o l e of people i n MORT a n a l y s i s and t h e s a f e t y
program improvment p r o j e c t s a t Aerojet has seemed t o be c l a r i f i e d and s t e a d i l y
improved.
Role of People
As t h e l o g i c of the MORT system has been made more nearly whole and
t i g h t , and a s a n a l y t i c and o t h e r technology has been assembled, t h e emerging
system could impress one a s a dehumanized o r excessively technologic plan.
Fortunately, numbers of ways t o h e l p t h e people of t h e organization t o
do well a t t h e i r jobs, p a r t i c i p a t e i n standards s e t t i n g , and enhance job
i n t e r e s t a r e a l s o emerging. For example:
1. Improved concepts f o r management's r e s p o n s i b i l i t y and methods of
meeting t h e challenges.
2. Improved supervisory concepts f o r both problem solving and handling
people .
3. Improved s e r v i c e s by and from one l e v e l of management t o h e l p
subordinates .
4. B e t t e rmethods f o r s a f e t y professionals, most p a r t i c u l a r l y i n manage-
ment a r e a s .
5 . Greater a t t e n t i o n t o human f a c t o r s , and reducing e r r o r s by improving
t h e work s i t u a t i o n .
6. Higher standards f o r designers and planners t o h e l p them f u l f i l l t h e i r
r e s p o n s i b i l i t i e s , and t h e information and a n a l y t i c s e r v i c e s t o back
them up i n t h e i r work.
7. Increased p a r t i c 5 p a t i o n by t h e e n t i r e work force, a s i n RSO s t u d i e s o r
Job Safety Analysis.
These mutually r e i n f o r c i n g approaches t o helping t h e people c o n t r o l energy
and changes a r e seeming t o add up t o a f r i e n d l y , morale building, unifying
approach t o both safey and general performance goals. The techniques are kinder
t o t h e people i n t h e system i n t h a t they recognize peoples' shortcomings,
s u i t a b l y o f f s e t o r p r o t e c t t h e s e , and then build on t h e i r s t r e n g t h s .
Running through t h i s t e x t i s a seeming de-emphasis on personal, i n d i v i d u a l
responsibility. This impression probably stems from t h e strong emphasis on
helpinq people perform. The f i n a l r e l i a n c e w i l l , of course, be on i n d i v i d u a l
managers, supervisors and employees. But it i s t o be hoped and expected t h a t
t h e y w i l l be given t h e help they need, and t h a t personal r e s p o n s i b i l i t y w i l l
not be used t o excuse man-traps l e f t i n the system, unwittingly and unneccessarily.
VIII. INFORMATION SYSTEMS
provides c r i t e r i a f o r determining purposes, requirements and methods of con-

structing information sytems. Details o f h a s a d analysis were i n Part V I .
I n t h i s Part we consider the working d e t a i l s of an information system
which can implement the general r i s k reduction model, including hazard anal-
y s i s and control of a c t u a l work.
The present, revised MORT concept of the elements of an information sys-
tem i s a s foll0ws:
INFORMATION SYSTEM 1. Technical Information
a. Knowledge
(1) Known Precedent
(a) Codes, Manuals,
Reconmend a t i o n s
(b) Precedent
(c) L i s t s of E x p e r t i s e
(dl S o l u t i o n Research
(2) No Known Precedent
(a) Accident I n v e s t i g a t i o n
and Analysis
(b) Research
b. Communications
(1) I n t e r n a l
( a ) Network Defined
(b) Operat i o n s Adequate
(2) External
(a) Network Defined
(b) Operations Adequate
2. Monitoring Systems
a. Management Routine Supervision
b. Search-out
c. A c c i d e n t h c i d e n t Systems
d. RSO Studies
e. E r r o r Sampling Systems
f . Routine - HP, I n s p e c t i o n , e t c .
g. Upstream Process Audit
h. General Health Monitoring
Data Reduction
a. P r i o r i t y Problem L i s t
b . Summaries, Rates, P r o j e c t i o n s ,
Trend Analysis
c. Diagnostic St a t i s t i c a l Analysis
d. Depth Analysis of S p e c i a l Problems
4. "Fix" Controls (HRP T r i g g e r s )
a. One-on-one Fixes
b. " P r i o r i t y Problem" Fixes
c. Planned change Controls
MANAGEMENT ASSESSMENT d. Unplanned Change Fixes
e. New Information Use
5. Independent Audit & Appraisal
As organized in this text, perhaps the "revised list" should be revised!
-
Chapter 36 discusses some of the substance of technical information.
-
Chapter 37 Monitoring discusses ~rifw~iples and the specific system developed
at Aerojet.
-
Chapter 38 treats the major subject of accrQent investigation.
These two processes were developed before *t concepts of information net-
works finally responded to analysis and the concepts-in these three chapters
become primary inputs into:
-
Chapter 39 Internal information networks.
-
Chapter 40 Ekternal information networks.
The internal network at Aerojet is a low cost, simple system, but is al-
ready producing more useful information than much more expensive, computerized
systems used in many organizations.
The national information network has serious deficiencies.
Data reduction for management use, a most important need, took shape as
two primary functions:
-
Chapter 41 ~easurementmethods, some new and different concepts.
-
Chapter 42 The "War Room" or safety control room with visible displays on
measurement, error/accident reports, priority problem lists, upstream audit,
and other problems leads into a brief, more definitive report to management.
Purposes and Requirements.
The primary objectives of measurement systems for the manager were stated:
1. Assess residual risk;
2. Take action, if risk is unacceptable.
Much of the occupational accident statistical material is of dubious or
slight value for these two primary objectives. Standard injury rates are too
often focussed on awards and comparisons, not germane to the objectives, and
oversimplified and inadequate for any purposes. Group cause data compiled
according to standard methods has little demonstrable decision value.
In consequence, it seems desirable to carefilly separate ty-pes of data and
their uses. Without clear definitions we may find ourselves back in the jungle
of unrewarding arguments over standard rates which have confused and obscured
measurement problems.
If past accidents were a stable, reliable measure of risk, the problem
would be more simple. But accidents are statistically rare events. Therefore,
the more severe the accident potentially, and the smaller the size or exposure
of the unit, the less we can know from history about those potentials which
concern us most. At the extreme, we need to know risk of "non-survivable" events.
While minor accidentlincident reporting and e r r o r reporting have important
uses, p a r t i c u l a r l y i n preventive work, such data must be used very carefully
i n predicting severe events (see, f o r example, Figures3- 1, 3-3, pages 38 and 42).
Therefore, we need data on major, individual r i s k s by name (the "Priority
Problem List") and on safety program, as well as properly analyzed accident data.
The requirements t o s a t i s f y the objectives are l i s t e d i n a t a b l e below and
flow diagram ( ~ i g u r eVIII-1) on the following page. As indicated i n the chart
(by underlining) and i n the flow chart (by heavy boxes) the functions given
d e t a i l e d a t t e n t i o n w i l l be: Investigation, Group Cause Analysis, Incidence
Analysis, Program Evaluation, and Control Evaluation.
,
Primary Data Requirements and Uses i n Risk Reduction System
Input Operation Data Type Output
1. ~ c c i d e n t /
Incident
I Investigation IBasic (many
systems) Incidence
l6, 7, 9
Supplemental Preventive
--- --- - - - - -
In-Depth
- - - -
Preventive
- -
6, -
9
2. Potential ~ a z a r dMonitoring
l Search Out Preventive
3 . Deviations I Systematic 1 Preventive
16
I -I
4. Operational Systematic Rate bases
Systematic Evaluative
. --
I I
Cause Analysis Group ( Preventive 1 10, ll
I 4
I' Incidence !
Preventive 12
Analysis
- - - . - . -
1
-- I Predictive
Comparative
L -
1E
i - -
(Program Evaluation Program Design (17

17 1 Safety Programing ' Program
I
Preventive 1 18
Design '19
I -
- - - -.- - --
13, 19, 20 Control Evaluation
21. Future Plans
The following brief explanation i s key t o the chart and diagram:

I. ~ c c i d e n t / ~ n c i d e nreports
t f o r the Investigative process a r e of three types.
For prevention maxirmun numbers of reports are desired. For incidence, compara-
b i l i t y i s a criterion.
2. P o t e n t i a l Hazard -
a l l possible reports are needed, from operational,
safety o r general monitoring and surveillance.
3 . Deviations -
changes, e r r o r s , and incidents, systematically monitored a r e
needed f o r preventive and evaluative purposes.
4. Operational d a t a are needed a s r a t e bases.
5. Safety program should be systematically monitored, both f o r the safety super-
v i s o r ' s control of program, a s well a s f o r evaluation.
Figure V I I I - 1 .
DATA FLOW - RlSK REDUCTION SYSTEM

I
3 FUTURE
PAST
ACCIDENTAL * POTENTIAL @ POTENTIAL
POTENTIAL
1
LC INVESTIGATIONS
-
7
GROUP
CAUSE
ANA LYSlS
COMPARISONS
AWARDS
v
CONTROL
EVALUATION
A A
23
RESIDUAL
RISK
W
&
I
8 I
ANALYSIS
MONITORING < 18 I
15 4 1 L&l9J
-
SAFETY PROGRAMMING
16 PROGRAM EVALUATION
b
6. Investigation r e p o r t s (as well a s 7-10, Group Cause Analysis d a t a ) often
r e s u l t i n d i r e c t l i n e action t o reduce hazards.
8. Reports f o r Incidence Analysis (coupled with 4. Operational data) produce
r a t e s and predictions used t o (12) guide preventive e f f o r t s , (13) t o predict
r i s k , and (14) t o make i n t e r - u n i t comparisons, oftentimes f o r awards.
g., ll., U., and 15. a r e primary inputs f o r safety programming, r e s u l t i n g i n
18. s p e c i f i c preventive actions.
9., ll., U., and 16. a r e used t o evaluate safety programming.
17. Evaluations, with above program data, a r e used t o develop improved program
design.
19. Improved program designs, with estimated e f f e c t s , a r e reported f o r control
evaluation (which may include approvals).
20. " P r i o r i t y Problem l i s t s ," e f f e c t s of preventive actions (18), and additional
countermeasure p o s s i b i l i t i e s a r e put i n t o control evaluation.
l3., l9., and 20. a r e the basis f o r Control Evaluation, and (22) f u r t h e r actions
t o reduce r i s k and (23) estimates of r e s i d u a l r i s k .
The concepts of measurement and control generally used attempt t o follow

those of Juran (1964). However, much remains t o be done t o precisely describe
c o n t r o l e l e m n t s before Juran ' s high standards would be attained. (see pagell8. )
Planekts program planning model ( ~ p p e n d i x '9
-
d
i s usef'ul i n developing the
requirements f o r a planning process, f o r evaluation, and f o r prediction of
results .
During t h i s study, the author had the privilege of serving a s "Chairman
of Group III" a t the National Safety Council's Symposium on Measurement of
I n d u s t r i a l Safety Performance held i n Chicago, September 15-17, 1970. The
conclusions af the Group bear a strong resemblance t o those of the author.
Whether the group affected the chairman, or the chairman affected the group,
and i n what proportions, i s indeterminate. But the group's report i s so highly
germane t o the purpose of t h i s study, excerpts a r e reproduced a s A p p e n d i x 5
-
36. TECHNICAL IWOWTION
An information o r l i t e r a t u r e search has been s t a t e d t o be a key element
i n a Hazard Analysis Process. The pieces of information t o be handled by
i n t e r n a l and e x t e r n a l communications networks may range from research o r a
single precedent of accident o r f a i l u r e i n an advanced technological process
t o the v a s t bulk of codes, standards and recommendations, which a r e r e a l l y
action consensus based on many "known precedents."
From common observation t h e bookshelf l i b r a r i e s of safety professionals
a r e highly variable and somewhat spotty collections and dependent on the
memory and personality of the man.
One t e s t question used i n t h i s study was based on "ElectricaL Safety
Guide f o r Research," an item i n AEC1s Manual Chapter l i s t i n g recommended
standards. Among both AEC and contractor s a f e t y personnel there were many
individuals unfamiliar with the pamphlet, others who recalled but did not
use the pamphlet, and only one laboratory where it was i n common use. Not
unexpectedly, i n one serious property damage accident, t h e pamphlet was found
t o have been unknown t o the designers and safety personnel involved. The
pamphlet would have provided guidance and assistance.
Safety personnel commonly r e l y on t h e i r background of experience, and
make a l i t e r a t u r e search only when baffled by a problem. Thus assurance t h a t
a l l relevant material, including new information, i s applied i s lacking.
From the MORT T r i a l s a t Aerojet the content t o be handled, and minimal
access methods by a low cost i n t e r n a l information network, appear t o be
d i v i s i b l e i n t o threebroad groups, with d e t a i l e d d e f i n i t i o n of items t o be
included i n each group a s " a s p e c i f i c task f o r the l o c a l professionals.
I. Major Sources- t h i s would be a limited l i s t including such items a s
OSHA regulations, NSC's Manual and Data Sheets, ASSE1s bibliography,
and perhaps cumulative indices t o National Safety News and the Journal
of ASSE. For t h i s group, the information search protocol requires
consulting the individual index of each publication. The Department
of Labor has produced such an alphabetized index f o r OSHA.
11. Other Published Sources- t h i s would include pertinent l i s t s of
standards, reports, books, journal reports, e t c . These would have
a t l e a s t minimal key word coding of t i t l e s , and would be inserted i n
a combined index using the key word plan described i n Chapter 39.
111. Technical Expertise- a l i s t of t o p i c a l experts (primarily l o c a l ) , e.g.,
cranes, chemicals, i n d u s t r i a l hygiene o r f i r e , provides a u s e f u l
access t o specialized l i t e r a t u r e a s well a s consultation. The same
. - 350 -
key word system can i n t e r f i l e the names of experts with the material
i n Group 11.
Existing technical information can be comprehended and managed by such a method.
Research a s a means of providing needed technical information i s a posi-
t i v e , a r t i c u l a t e d channel i n aerospace and nuclear energy f i e l d s , but i s not
often used i n general occupational safety.
Research should be seen a s a way of answering the many, many questions
i n occupational safety. Yet business and industry have been singularly dere-
l i c t i n support; however, t h i s may be i n p a r t because proposals have not been
r e l a t e d t o adequate concepts of p r a c t i c a l system operations. Since research
has an important place i n system-safety approaches, it would seem appropriate
t o measure performance on t h i s f a c e t of programming. The sequence of Research-
Demonstration-Test-Evaluation-Application should be planned f o r . Support f o r
more basic research i s , however, a l s o a need.
A review of developmental problems i n safety research ( ~ l a n e k ,1969) sug-
g e s t s t h a t f a c t o r s include:
".. f a i l u r e t o view the accident phenomenon.comprehensively a s it
r e l a t e s t o other sciences"
"Very often, the i n a b i l i t y t o find suitable 'measures1 r e l a t e d t o the
accident s i t u a t i o n r e s t s on the inadequacies stemming from the s t a t e
of the a r t i n other behavioral and engineering d i s c i p l i n e s r a t h e r than
on a deficiency i n safety research."
"Without two-way communication between 'program' people and researchers,
the 'action1 people do not obtain the advantage of research thinking
and research findings, and researchers do not obtain the advantage of
d i r e c t knowledge of 'actionf people i n regard t o the s e t t i n g i n which
accidents happen and i n which research i s needed."
A statement of research needs i n occupational safety made i n 1963 ( ~ o c k -
well) remains l a r g e l y u n f u l f i l l e d i n 1972.
The much heralded information explosion (technical information doubling
every f i v e years) again presents the recurrent safety question of emphasis on
Method vs. Content. Although most accidents do not involve new technology, the
information system must f u l f i l l the needs of the organization. I n considering
technical information it i s obvious t h a t it i s the Content t h a t saves l i v e s .
Yet, i f t h e safety professional does not have Method of processing, retrieving,
and searching f o r relevant information, h e ' l l e i t h e r drown i n content, o r be
unaware of relevant content, o r both.
The information science people t a l k i n terms of establishing information
networks a s a r e a l i s t i c way of coping with the unending flood and continuum of
information. The construction of i n t e r n a l and external networks of informa-
t i o n i s thus a necessity t o make sense or system.
37. SAE3TY MONITORING SYSTEMS
S h o r t l y before t h e t r i a l of the MORT system began a t Aerojet, an incident
a t one of t h e r e a c t o r s l e d t o an AEC recommendation t h a t " a u d i t and surveil-
lance" be increased and improved. Thus major i n t e r e s t and study was and i s
focussed on t h e monitoring aspect of s a f e t y programming.
A wide v a r i e t y of monitoring plans had been used, o r were i n use by Aero-
jet. Thus a very f e r t i l e f i e l d f o r comparison, a n a l y s i s and planning was
presented. Aerojet and predecessor organizations hilli ips Petroleum Company
and Idaho Nuclear Company) had pioneered i n many forms of monitoring, and
could show persuasive evidence of values i n c e r t a i n plans and c o n t r o l s . Unfor-
t u n a t e l y , some of t h e b e t t e r plans, a s t h e r e s u l t of a succession of organiza-
t i o n a l changes, had lapsed.
The Aerojet goal, a s would be expected f o r materials t e s t i n g r e a c t o r s , i s
t h e very highest degree of s a f e t y and c o n t r o l . However, materials t e s t i n g
r e a c t o r s present t h e problems which stem from a constant succession of changes,
modifications, and experiment i n s e r t i o n s - a much more d i f f i c u l t s i t u a t i o n
than t h a t presented by r e l a t i v e l y s t a b l e and unchanging power r e a c t o r s . Con-
t r o l r e q u i r e s planning, engineering and development, and proceduralized opera-
t i o n of t h e h i g h e s t order of excellence. The monitoring systems should be of
an equally high order of e f f e c t i v e n e s s .
The Need f o r Monitoring.

It i s axiomatic t h a t complex systems depart from plans and procedures i n
some degree. Therefore, information systems a r e needed t o d e t e c t deviations,
i n i t i a t e c o r r e c t i o n s , determine d e v i a t i o n r a t e s and t r e n d s , and i n general
assure t h a t goals a r e a t t a i n e d .
The Nature of Monitoring.

MORT p r e s e n t s monitoring a s a f i n a l s t e p i n an i d e a l hazard reduction
program. The p r i n c i p a l elements of monitoring were l i s t e d a s follows:
A. Supervision, inspection, sampling, measurement, and a p p r a i s a l .
B. To d e t e c t changes, E r r o r s , Incidents, Accidents (we could add Devia-
tions i n general).
C. This providing Hazard Analysis Triggers t o r e a c t i v a t e the whole reduc-
t i o n cycle.
%.is d e f i n i t i o n c l e a r l y i n d i c a t e s t h a t fundamental, searching a n a l y s i s
should follow d e t e c t i o n of deviations. This d e f i n i t i o n should not obscure t h e
need f o r f a s t a c t i o n f i x e s t o immediately r e s t o r e t h e system t o operational
balance.
AEC' s Standard f o r Quality Assurance (1969) provides t h a t the scope of
q u a l i t y assurance includes the "means of control and v e r i f i c a t i o n whereby ..
safe, r e l i a b l e , economical operation w i l l be achieved." The nature of the
v e r i f i c a t i o n i s elaborated: "Quality achievement s h a l l be v e r i f i e d by indi-
viduals and organizations not d i r e c t l y responsible f o r performing the work
but who are responsible f o r checking, inspecting, auditing, o r otherwise v e r i -
fying t h a t the work has been performed s a t i s f a c t o r i l y . "
I n i t s report on the J-10 incident (previously alluded t o ) an AEC Investi-
gating Committee defined two aspects of monitoring as follows:
1. Surveillance: "An overview o r observation of an operation which may
include t o u r of a f a c i l i t y , review of logs, instrument calibration, etc."
2. Audit: "A detailed, in-depth review of any operation a s it i s being
performed by comparison of the operation with the approved procedure
t o determine the degree of procedural compliance."
Several aspects of monitoring which have emerged during the current study
a t Aerojet should be b r i e f l y enumerated (and w i l l be discussed i n more d e t a i l
later):
'
1. The so-called " c r i t i c a l incidentt' technique taps the information s t o r e
of operational personnel, and produces reports of large numbers of
valuable, predictive events which a r e d i f f i c u l t t o d e t e c t and r e l a t i v e l y
scarce i n the usual audit, inspection, arfi surveillance programs.
2. The raw d a t a from monitoring systems requires analysis and interpreta-
t i o n f o r managerial use. If voluminous reports of specific observations
a r e handled on a one-at-a-time, c r i s i s basis, operational continuity
may be impaired, and fundamental, more permanent solutions a r e unlikely.
3 . Those systems with b u i l t - i n feedback t o lower l e v e l s of supervision
appear t o stimulate the kind of immediate administrative action which
can build higher degrees of control.
4. The monitoring system should follow information through t o the deter-
mination of immediate, interim, and long-term action. However, long-
term action may require s u b s t a n t i a l study and t h i s may occur only a s
evidence builds up t o show a chronic problem's importance.
5. The monitoring system should a l s o follow the "upstreamtt processes by
which hardware, procedures, and personnel a r e developed and delivered
t o the work s i t e . The improvement of upstream processes may be more
important than the correction of a specific work s i t e e r r o r .
Thus, t h e concept of monitoring which i s being constructed has the
following elements :
A. Detection of changes, e r r o r s , incidents, accidents and other devia-
t i o n s from system plans;
B. By an optirmim mix of observation plans of the following kinds:
1. Normal, good supervision,
2. ~ c c i d e n t l ~ n c i d e n
reporting
t systems,
3. Audit, surveillance, checking, and inspection,
4. Worlr sampling,
5. OpeYational experience of personnel (prompted t o r e p o r t f u l l y and
accurately by appropriate study plans;
C. Work a t e observation and upstream process observations;
D. I n t e v n a l operational, a s w e l l a s independent, e x t e r n a l sources of
observations;
E. ~ 3 - k hd a t a analyzed and i n t e r p r e t e d t o provide :
1. The feedback bases f o r rapid a c t i o n a t appropriate l e v e l s of
supervision,
2. Longer-term assessment of r a t e s and trends t o i d e n t i f y p r i o r i t y
problems ;
F. Measurement of the f i x e s a t t a i n e d by t h e system.
This concept of monitoring i s intended t o have t h e broadest u s e f u l scope,
r a t h e r than t h e narrow scope of individual, s p e c i f i c observational plans o r
methods.
Development Work.
The purpose of developmental work a t Aerojet was suggested t o be: Develop
monitoring systems adequate t o a s s e s s the degree t o which t h e operating systems
conform t o prescribed requirements and procedures, provide a b a s i s f o r asses-
s i n g d e f i c i e n c i e s i n present c o n t r o l programs, and provide one element f o r
r e s i d u a l r i s k assessment.
I n a proposed s a f e t y project description t h e following observations were
made: There i s l i t t l e l i t e r a t u r e on monitoring systems. Therefore, Aerojet
has both the need, and t h e g r e a t opportunity, t o develop a documented system
of monitoring and surveillance. Such documentation can not only provide Aerojet
with a b e t t e r b a s i s f o r i t s monitoring systems, but a l s o make a major c o n t r i -
bution t o s a f e t y engineering p r i n c i p l e s .
Juran (1964), i n t h e second h a l f of h i s book, discusses c o n t r o l systems,
and was considered t o have f'urnished d e f i n i t i o n s and a frame of reference f o r
the study.
Basic t o c o n t r o l a r e standards of performance, and these a r e seen a s having
two major dimensions:
1. A safety program schematic and/or description which adequately describes
the safety and work systems t o be monitored.
2 . Error and deviation definitions which adequately describe the e r r o r
standards or l i m i t s encountered i n practice.
The inputs required f o r the design of a monitoring system(s) include:
1. Schematics and descriptions of operations and safety programs t o be
monitored.
a. Gwernmnt and other standards.
b. What programs (as described) should do,
c. What programs could do - against higher standards (e.g., MORT).
2. Error and deficiency definitions as established by (a) precise c r i t e r i a ,
(b) examples, (c) custom, habit or practice, o r (d) debatable.
Unfortunately, these are i n ascending order of frequency and descending
order of value.
3. Methods of sensing - f o r example, accident/incident reports, eyeballing
work, qualification t e s t s , c r i t i c a l incident studies, paper audit,
process audit.
4. Direction of attention - f o r example, "hot spots," a s well a s time,
place and other controls. I n t u i t i v e as well as defined controls seem
useful.
5. Assessment of apparent strengths and weakness of various methods.
6. Manpower and other budgets .
Unless elements 1. and 2. above are stated i n adequate d e t a i l , observa-
t i o n s w i l l be vague and debatable, and the efficiency of observation schemes
w i l l be low. Deviations w i l l be more d i f f i c u l t t o detect and w i l l , i n many
cases, represent the subjective opinion of the observer. Results can hardly
be reproducible measuremnts.
Although Aerojet i s highly proceduralized, incidents and accidents r e f l e c t
gaps i n the procedural system. For example, i n the J-10 incident the detailed
procedure f o r the work of removing an in-pile tube reflected an assumption
t h a t routine task components such as welding or use of a crane would be per-
formed i n accordance with a s e t of predetermined safe practices. But the prac-
t i c e s had not been reduced t o writing f o r incorporation by reference. Job
safety analysis, i f performed, had not been recorded.
Similarly, requirements f o r pre-job briefing of crews were not c l e a r l y
defined, nor was responsibility f o r stopping work when d i f f i c u l t y was encoun-
tered c l e a r and fixed. Thus "forensic" standards were used i n the incident
analysis. Such stardards are i n e f f i c i e n t i n the basic safety program and
-355 -
p a r t i c u l a r l y i n the monitoring of t h e program.
Inspection f o r compliance with codes, standards, manuals and w r i t t e n pro-
cedures can be highly objective. But there i s considerable s u b j e c t i v i t y a s
w e l l a s v a r i a b l e t e c h n i c a l competence i n other observations of so-called
"unsafe a c t s and unsafe conditions."
An anamoly i n monitoring i s t h a t t h e b e t t e r the d e f i n i t i o n of e r r o r , t h e
more t h e p o s s i b i l i t y of e r r o r detection and outwardly high e r r o r r a t e s .
A u s e f u l guide t o t h e scope of monitoring i s found i n the AEC Quality
Assurance Standard: "Operation, maintenance, and modification e f f o r t s include
q u a l i t y assurance through systematic planning of work; application of work
i n s t r u c t i o n s o r operating procedures f o r c o n t r o l l i n g operation, maintenance,
and modification; preparation of records and r e p o r t s of o p r a t i o n experience;
and performance of scheduled, periodic inspection and testing."
Early i n t h e developmental work it seemed c l e a r t h a t possible gaps i n t h e
program would have t o be defined i f monitoring was t o provide a b a s i s f o r a
t i g h t system of control. Thus, monttoring could y i e l d two types of observa-
tions: (1) deviations from the system a s promulgated, and (2) deviattons of
t h e promulgated system from a higher order system.
Ordinarily it would be expected t h a t a s a f e t y system would be f i r s t i m -
proved, and r e s u l t s then monitored. I n t h i s case, it became necessary t o a t
l e a s t postulate c e r t a i n s a f e t y program improvements f o r assessment i f moni-
t o r i n g was t o make a maximum contribution t o a high degree of control.
The e r r o r l i t e r a t u r e contributes, not only the notion of values i n precise
d e f i n i t i o n s of e r r o r , but a l s o t h e need t o c o l l e c t " e r r o r opportunity" d a t a
t o make possible t h e c a l c u l a t i o n of e r r o r r a t e s , o r conversely, r e l i a b i l i t y .
Few p a s t monitoring schemes had collected r a t e base data. Yet, i n i t i a l i n q u i r i e s
i n t o a v a i l a b i l i t y of such d a t a showed it w a s often r e a d i l y available - for
example, t o t a l warning t a g s checked a s compared with tags i n e r r o r , t o t a l t e s t s
required a s compared w i t h t e s t s not made o r not recorded. Thus, a valuable
c r i t e r i o n f o r evaluating any monitoring scheme emerged.
Not a l l monitoring schemes can r o u t i n e l y c o l l e c t error/opportunity data.
However, wherever p r a c t i c a l , an i n i t i a l r e p o r t of e r r o r should be followed up
t o g e t a r a t e assessment, preferably i n terms common t o e a r l i e r observations.
A basic concern i n developing monitoring systems i s t h e a c c e s s i b i l i t y of
i n f ormat ion :
a. Many actions o r conditions can be detected by observation a t t h e scene
by supervisors o r auditors.
b. Certain a c t i o n s "leave tracks" which can be detected i n records, condi-
t i o n s o r subsequent actions.
c . Some a c t i o n s a r e known only t o the persons who d i d them.
Only a few monitoring systems obtain the t h i r d c l a s s of d a t a .
The program p o s i t i o n and function of monitoring (and independent review,
a s w e l l ) should be a s downstream assurances t h a t the s a f e t y process i s operating
a s intended. The primary r e l i a n c e i s on upstream processes of hazard a n a l y s i s ,
hardware-procedure-personnel development, and work supervision. A desirable
s t r a t e g y would be t o optimize upstream processes. The a l l o c a t i o n of e f f o r t t o
downstream review and monitoring should be minimized a s possible and p r a c t i c a b l e
i n order t o a l l o c a t e maximum resources t o upstream preventive work.
Evaluation of S ~ e c i f i cMonitorinn Schemes.
The work of evaluation of various plans was performed i n l a r g e p a r t by
R. J. Nertney, Ph.D., Nuclear and Operational Safety Division, Aerojet. Dr.
Nertney was a b l e t o draw on h i s extensive experience i n supervising o r conduc-
t i n g e a r l i e r t r i a l s of many monitoring plans. Aerojet t h u s provided unique and
valuable experience, a s w e l l a s professional competence, f o r the in-depth assess-
ment of a wide v a r i e t y of monitoring plans.
The method employed was t o list some 23 d e s c r i p t o r s and c r i t e r i a of moni-
t o r i n g plans, and then s e t down a judgment of s t r e n g t h o r weakness of a plan
f o r each of t h e c r i t e r i a . Also, i f a program was design s e n s i t i v e , t h a t i s ,
could e a s i l y be swung from strong t o weak dependent on program design, such a
judgment was s e t down.
Later, the d e t a i l e d c r i t e r i a were combined i n t o a s i n g l e evaluation f o r
each of four broader c r i t e r i a : (1) lar c o s t , (2) r e l i a b i l i t y , (3) p e r c e p t i v i t y ,
and (4) a c t i o n propensity. A f i f t h broad c r i t e r i o n was then added, namely,
c a p a b i l i t y f o r upstream process a u d i t ( a s contrasted with work s i t e a u d i t ) .
As f i n a l l y u t i l i z e d the broad groups and d e t a i l e d c r i t e r i a were:
I. Low Cost
1. D i r e c t , a d d i t i o n a l expense
2. Negative impact of sampling mechanism on normal, organizational
activities.
3. Negative impact on other work from diversion of e f f o r t t o monitoring.
11. R e l i a b i l i t y
4. O b j e c t i v i t y
5. Ability to v a l i d a t e raw findings
6. Ability to s e t up monitoring and c o n t r o l systems
7. Ability to c l a s s i f y , s c a l e , and generalize conclusions
8. Ability to maintain observational e f f e c t i v e n e s s -
that is, relid
ability in a t t e n t i o n and seeing.
111. P e r c e p t i v i t y
9. Relevance t o operational s a f e t y problems.
10. Ability to reveal different safety-related infklrriiationth7n that.
already known to line management and superl:ision (qualit. t iiv
11. Tendency of auditors to direct effort into "proving" preestsb-
'\.
lished conclusions.
12. Scope--ability to monitor a wide varlety of organization work.
IV. Process Capability--ability to audit upstream processes which produce
hardware, procedures, and personnel.
Action Propensity
14. Ability to set up corrective feedback loops (mechanical)
15. Tendency for line organization to set up corrective feedback loops
without stimulation.
16. Ability to convert findings to specific operational response
(based on quantity and quality of data).
17. General acceptance by line organization.
18. Tendency for line organization to rationalize findings.
19. Visibility.
Results of the Evaluation are shown in Figure 37-1 on the next Page.
The 28 monitoring mechanisms evaluated according to the above criteria are
generally reported as follows: (a) Brief description, (b) Evaluation,
(c) Recommendation, (d) Subsequent Action.
I. The Operating Organization.
1. Management routine supervision -
the normal surveillance, trouble-shooting,
change and problem detection, with aggressive and vigorous search-out as
a characteristic to be desired and cultivated.
Evaluation: The marginal additional cost for safety functions is low.
Reliability and perceptivity are poor, and if this evaluation seems sur-
prising, the detailed criteria given above should be reviewed. Process
audit capability is good. Action Potential very high.
Recommendation: Continue to emphasize authority, control and prompt
action, and seasftivity to the role of changes.
At Aerojet certain incidents have in degree sensitized personnel to change,
but this is a costly route. One reactor has a system of daily reporting
of "anything of possible significance" not provided for in logs. The logs
record a variety of changes. The problem is in selecting significant
items from the mass of continuous changes.
-
Management audit time budgets internal to the operating unit time
requirements for the audit function outside the normal scope of responsi-
biiity, or allocated to back shifts or other functions not-normally-
organization . -
receiving necessary attention. Also, the Sam, from higher levels of the
Evaluation: A relatively costly program which it is suggested be redirec-

ted from the work site to process audit for which it probably has unique
capability.
Error sampling.
a. In-house staff sample errors. The operating manager's staff systemati-
cally sample operating errors using checklists or definitions. Aerojet's
predecessor organization utilized such a plan with Shewhart control
charts fed back to supervisors. There is need to standardize the denomina-
Figure 37-1. Results of Evaluation
Numbers from 0 to 1 = "Poor" to 4 = "Good or Strong" were used.
Low Relia- Percep- Process Action
Cost bility tivity Capability Propensity
I. The Operating Organization
1. Management routine super-
vision
--
2.a.Audit time internal
b.Audit time higher
3.a.In-House error sample
b .Project engineers
c.Supervisor checklist
--
4.a .Redundant training
b .Redundant operations
11. Safety
1.a.Field engineer
---
b.Health Physics
2.a.Sunreillance work
b .Surveillance paper
c.Surveillance review
b.Hq
--
3.a .Eq review
audit time
-
~.~.Rso C.I. Studies
b.Specia1 studies
5. Reporting Systems
a .~ccident/~ncident
b.RDT Incidents
.
c Control Charts
111. Other
1. Technical support
2. Conventional audit
3. Quality Assurance
4. Miscellaneous
-
5. Outside technology
-
Outside method
IV. AEC
1. Review
2. Audit time
tor, which is an hour of structured observation by the same or comparable

persons employing a relatively simple (14 class) definition of kinds of
errors to be observed.
-
Evaluation: The apparent results .were spectacular in a response time
of 5-6 months it appeared that normal administrative controls reduced
operating errors to relatively stable levels at the lower limit of pre-
p
viously wide fluctuations. Thus a substantially lower average rate was

produced. (Mgure 37-2. )
Recommendation: reinstate.
Action: This is the only recommended work site monitoring plan not yet
implemented.
Project engineers evaluate operating s h i f t s . This type of study proved
useful i n detecting i n t e r - s h i f t differences (or lack thereof) i n two
plants. ( ~ e r t n e ~ , - 1 9 6 5) . Repeat occasionally.
Supervisor checklist f o r reactor operators. The checklist was developed
by American I n s t i t u t e s f o r Research (1968) based on a " c r i t i c a l incident"
study of reactor operations. The l i s t provides task-specific definitions
of good and bad practice. or those not familiar with nuclear reactors,
it i s probably well t o say t h a t the errors do not permit a major nuclear
reaction, since the reactor "scrams" i t s e l f automatically f o r any kind of
instrument anomaly. Rowever, the e r r o r s do r e l a t e t o performance, experi-
ment handling, and more routine accident/incident types involving
personnel. ) (other
, . supervisor safety observation plans, such as U. S.
Steel' s plan shown i n Figure 30-1, &re not evaluated a t t h i s time,
although one or more will be suggested f o r other than reactor operations .)
Recommended, and carried out, May, 1972.
4. Redundant employee audits -
two examples of providing a redundant, extra
employee w l t h only a u a i t functions were evaluated:
a. Training representative audits procedural compliance,
b. Operations employee audits f o r a single type of f a u l t .
These expensive forms of audit have a limited usefulness because human
f a c t o r s studies have shown t h e i r u n r e l i a b i l i t y . I n the J-10 incident the
training representative f a i l e d t o function i n time of need.
The evaluations suggest the e f f o r t be discontinued, or redirected i n t o other
more effective programs.
Safety Division.
Field safety engineer -
inspection and search out. Routine inspection
reports (largely housekeeping) a r e valuable, but may not detect major
hazards. The independent search-out of hazards i s v i t a l , but i s highly
dependent on personal c h a r a c t e r i s t i c s and was d i f f i c u l t t o scale and
measure.
There was no doubt t h a t the work of the f i e l d safety professional was
highly valued, so Gcaling o r measurement was abandoned f o r the time being. .
Later, a schematic and audit plan was developed. See Part I X and Exhibit 16.
SGUJ
Health physics f i e l d monitoring -
a necessary, valuable, and routine
program
- -
i n reactor operations. The merits and values of fixed monitors
versus personal monitoring f o r radiation were not examined. Obviously
a mix of the two types i s needed. A computerized radiation badge
record system i s maintained.
2. Surveillance Branch - a unique organizational u n i t f o r independent monitor-
ing of both operations and the safety program i t s e l f . It includes:
a . Work audits and spot checks f o r procedural compliance,
b. Paper audits - e.g., review of work documents, such a s procedures, f o r
compliance with sign off and other requirements, and
-
c . Review f a i l u r e s detection and analysis of f a i l u r e s i n u t i l i z i n g Aero-
j e t ' s highly developed independent review processes.
Evaluation: a basic question has proven t o be the cost of specialized
safety observations as compared with general observation plans which include
safety. Thus, responsibility f o r f i e l d audit of procedural compliance has
now been concentrated i n the Quality Assurance program. Paper audits are
r e l a t i v e l y inexpensive, but produce the l e a s t significant information. The . .
recommendation was made t h a t major partions of time be shifted t o audit of
"upstream processes" and such interdepartmental processes as shipment of
radioactive materials. This has been done, a d -a list of 39 such special
audits prepared and rank-ordered by a scaling mechanism. The work pro-
ceeds well with schematics, steps and criteria for each such study.
3. Safety Division headquarters
-
Annual Reviews field reviews of overall program used as an input to
work of Review Boards. h he annual and special
- Boards are described
on page 238.) 1
-VC-/t4
These programs (at whatever level conducted) seem weak. They are highly
affected by the reviewer. They often concentrate on one program aspect
in order to attain depth (which implies that comprehensive review will
take five or ten years).
Restructuring in two respects is suggested: (1)adopt a comprehensive
framework for review, and (2) adopt a plan for internal ongoing pro-
gram measurement so that a comprehensive annual review is possible.
-
Audit Time Budget field review and audit of safety division f'unctions.
Audit of Safety Division furictions has value, but produces little in-
put for a manager's overall risk assessment. Results should be trans-
lated into operational inputs to management.
Also, a later recommendation was made that this time budget be syste-
matically directed to high energy units and locations, and utilize
.
the more intensive audit plan developed for field engineers. (part IX )
5yqz-
4. Special studies.
a. Reported Significant Observations (a substitute term for the tradi-
-
tional title Critical Incident studies. since the events are neither
"critical" nor "incidents" as.those t e k are used in nuclear opera-
tions). Such studies, whether by interview or questionnaire have
proven capacity to generate a greater quantity of relevant reports
than other monitoring techniques, so much so as to suggest their pres-
ence is an indispensable criterion of an excellent safety program.
RSO-CI a@ other special studies have excellent capabilities for direc-
tion at primary problems. Although Aerojet's predecessor organization
pioneered in the RSO-CI studies, a present review of their organiza-
tional impact suggests several weaknesses to be corrected. The raw
material was distributed, rather than classified and assessed in forms
suited for managerial action. The reports were not indexed and other-
wise made accessible to designers and planners. The principle reservoir
of information on potential troubles appears to be in the heads of the
people doing the work and their immediate supervisors and associates.
A limitation is, of course, their lack of knowledge of underlying fac-
tors. The so-called "critical incident" technique has produced more
information on the seemingly minor errors or deficiencies than other
forms of monitoring. And we now have persuasive case histories to show
the preexisting errors and deficiencies do, ultimately, occur sequen-
tially and create major incidents.
Several major, recent incidents have been shown to have occured by
sequential linkage of lesser events reported two or three years earlier
in RSO-CI studies. Thus, two major points are underscored:
(1) The RSO-CI studies do provide the necessary reports for the safety
process.
(2) The relevance of so-called minor deviations in causing major inci-
dents supports appropriate management attention to the minor events
a s they a r e currently reported.
Further discussion of incident r e c a l l i s i n AppendixD and a sample of
Aerojet's forms a r e provided i n Exhibit 13,
One RSO study has already been completed, and others a r e scheduled. Three
f i x cycles a r e set-up:
(1) Quick p u l l s of c l u s t e r s of reports showing high liklihood of cumulating
i n t o major sequences a r e furnished t o Branch managers.
(2) A l l reports i n an indexed binder a r e furnished t o l i n e management and
upstream processes, such as engineering or t r a i n i n g .
(3) Project engineers a r e required t o use the key word index and produce
an information display and analysis.
b. Other studies -
s p e c i a l questionnaires and a d y s e s t o detect problems
and causes. These task-oriented studies are a l s o an indispensable supple-
ment t o on-going, continuous monitoring systems.
5. Reporting Systems.
a. ~ c c i d e n t l ~ n c i d e n
reports
t of the basic AEC reporting system.
b. RDT Incidents - the a u x i l i a r y reporting system operated under RDT standards.
c. Control Charts -
Shewhart control charts were formerly used t o provide
supervisors with assessed feedback, with experience similar t o t h a t f o r
e r r o r charts .
Reporting systems a r e t h e most fundamental and valuable of independent
monitoring programs. However, they require v e r i f i c a t i o n of completeness
of reporting. Also, the records of follow-up action -
immediate, interim
and long-term -
should be complete and a c t i v e l y reviewed, a s i s the case
with the RDT system.
Reporting systems can be brought t o f u l l u t i l i t y only i f a f l e x i b l e , sup-
plemental reporting system i s inaugurated. An example of such a report,
one of a s e r i e s used f o r short periods t o get sample data, i s shown i n
Figure 37-3). , Further, the usefulness of reporting systems (as with RSO-
CI r e p o r t s ) w i l l depend on t h e i r a c c e s s i b i l i t y and r e t r i e v a l f o r future
engineering, development and planning.
The basic accidentlincident reporting systems of AEC are b r i e f l y l i s t e d
on page $ 9 : Also, a computerized process i s operated, including f i r s t
aid cases, by AEC-Idaho.
It i s e s s e n t i a l t h a t f i x cycles be established f o r accidentlincident reports
i n the manner required f o r AEC-RDT incident reporting: ( 1 ) Immediate ac-
t i o n , (2) interim action, and (3)long-term action.
Aerojet has placed the control charts i n operation. An e a r l y example i s
shown i n Figure 37-4.. The current charts are being printed out from a
standard computer program. They don't look p r e t t y , but a r e cheap and quick.
The calculations used t o derive control limits a r e standard:
I. A Poisson d i s t r i b u t i o n of accident r a t e s i s assumed.
2. Upper control l i m i t = + 1.64JTe
a . I = R x man hours i n period (expected i n j u r i e s a t r a t e R of previous
t8o years)
b. The l i m i t gives a 95% confidence l i m i t , t h a t i s , there i s only one
chance i n 20 t h a t an observed r a t e above the l i m i t could occur due
t o chance.
The i n t e r p r e t a t i o n of the charts can cause trouble, t h a t i s , the r a t e i s
Supplemental ~ccident/~ncident
Report
Proceduralization
1. Was task under a Detailed Operating Procedure? Yes - I

No.
2. Was task under a Safe Work Permit? -Yes -No.
Did either cover the specific safety aspects the task? -No.
Yes
4. Was there any other written safety procedure cwering the task? -Yes No.
If yes, specify.
5. Was the task repetitive? -Yes -No. About how frequently?
6. Describe the hazard review given the task prior to the accident. (Who?
When? What was decided?)
7. When did the supervisor last see the person do the task correctly?
8. When were the physical elements (area, tools, etc .) last inspected?
EFA OCCUPATIONAL INJURY CONTROL CHART
Previous -- '-Current
TOTAL AREA
-20
-40
GENERAL MAINTENANCE
OTHER
I 1 1 1 I t I I I I I I 1
JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC
Points obove zero cndicotes injuries obove n o r m a l

not "out of control." There i s l i k e l y an assignable cause f o r t h e varia-
t i o n , but t h i s ' could be added emphasis on reporting, o r a new, p r e t t y
nurse! The c h a r t s could be c a l l e d Change Control Charts. a'
/
One other reporting system, "High P o t e n t i a l Incidents" not meeting any
other c r i t e r i a , was not analyzed. (comment on HIP0 reporting w i l l be
found on page m.) A t no s i t e has a.HIP0 plan been found t o produce
more than a few valuable r e p o r t s , and Aerojet has such a plan, a s should
o t h e r s . However, t h e c r i t i c a l incident technique produces v a s t l y more
u s e f i l information.
111. Other.
1. Technical Support -monitoring functions. Operations supervisors can be
sensitized t o r e p o r t aberrations and deviations f o r t e c h n i c a l a n a l y s i s ,
and t h i s has been and i s being emphasized. I n such instances tech&.cal
assistance i s requested. However, t h e r e a r e p a s t i n c i d e n t s t o suggest
t h a t f i e l d monitoring and inquiry by t e c h n i c a l personnel w i l l l i k e l y pro-
duce e a r l i e r and more comprehensive detection of operating problems.
2. Conventional auditors -
t h e managerial s t a f f s who r e g u l a r l y a u d i t f i e l d
compliance can include some aspects of safety. Where p e r t i n e n t records
a r e available, large numbers of observations can be made a t low c o s t .
However, t h e forms of deviations of g r e a t e s t significance may not be
detected. .
3 . Q u a l i t y Assurance - t h i s major program, l a r g e l y hardware and procedure
oriented was evaluated t o only a s u p e r f i c i a l degree, p a r t l y because it i s
apparently very w e l l organized and operated. When t h e o v e r a l l monitoring
schemes were developed (and t h e current e f f o r t i s more concerned with
human e r r o r c o n t r o l ) it was suggested t h a t three p o t e n t i a l l y valuable
s t e p s be taken:
( 1 ) The present Quality Assurance programs be p l a c d i n perspective on t h e
s a f e t y program schematics,
(2) QA d a t a be integrated i n t o t h e managerial r i s k assessment plan,
(3) Dependent p a r t l y on r e s u l t s i n ( 1 ) and (2) above, a s a f e t y a u d i t and
evaluation of QA similar t o t h i s e f f o r t be considered.
To avoid duplication of e f f o r t , the p r i n c i p a l independent surveillance
r o l e was assigned t o R & &A. Valuable reports a r e being produced t o show
t h e procedure audited, number of steps, compliance (with nature of non-
compliance, v a r i a t i o n s , and revisions adequacy. A periodic r e p o r t showed
t h e following kinds of data:
Procedures audited 25
Total steps 1,497
Steps audited 1,390
Compliance v a r i a t i o n s 6, or 0.4%
(99.6% compliance )
Revisions needed 19, o r 1.4$.
Such d a t a can become a r e l i a b l e basis f o r trend analysis.
Confirming an e a r l y hope, the r e l i a b i l i t y and low e r r o r r a t e s produced
by t h i s plan produced a recommendation t h a t the surveillance e f f o r t could
be lightened and y e t maintain control, thus saving money a s well a s
benefiting employee a t t i t u d e and acceptance.
4. Miscellaneous "Look and Run" - the v a r i e t y of people who make casual,
c o l l a t e r a l observations.
5 . Outside experts
a. Technological
b. Methods or process of analysis o r program review.
AEC Surveillance
Periodic review and appraisal.
Audit time budgets.
( ~ e r o j e tdid not participate i n analysis o r evaluation of AEC programs. )
Comments above on annual review procedures seem relevant t o AEC programs,
but require first implementation by Aerojet . The * c r i t e r i a employed t o
evaluate Aerojet monitoring should be considered f o r use by AEC a s a pos-
s i b l e means of enhancing the values of i t s monitoring work. The values
i n independent observations seem clear. However, as possible and practi-
c a l , AEC should extend i t s e l f , for example, i n classifying a d scaling
significance of observations, collecting r a t e base data, o r giving atten-
t i o n t o upstream audit potentials.
Preliminary plans have been developed with MC-DOS t o perform i t s next
audit and review of Idaho operations by a system appraisal, because Aero-
j e t w i l l have most o r all of the basic data needed.
Inspections. A variety of these programs ranging through departmental or

divisional checks, f i e l d safety engineer monthly inspections, and R & QA audits
of cranes, slings and such equipment. The topic has already been discussed i n
Chapter 31.
I n the monitoring study, two recommendations were made regarding Aerojetts
many inspection programs:
(1) A detailed l i s t i n g of inspectional responsibilities so t h a t effective-
ness can be systematically audited and measured (Q,A may have t h i s i n
part ) .. ---
(2) Fuller use of point-of-operation maintenance and inspection logs t o

f a c i l i t a t e f i e l d monitoring.
Summarv of Monitor Plans.

I n order t o provide a fYamework f o r summary or analysis of overall plans
f o r monitoring, the general work process schematic ( ~ i g u r e29-1) was used.
This distinguishes primarily:
1. Work S i t e plans,
2. Upstream plans.
The Work S i t e plan f o r e r r o r reports was summarized and i s shown on the
next page.
From the study, it was argued t h a t improved control could be achieved by
a well-designed e f f o r t , a t l e s s cost, and with l e s s work s i t e impact. The
suggestions f o r e r r o r monitoring a t the work s i t e reduced levels of e f f o r t ,
but are s t i l l extensive. Several ineffective systems were dropped. The audit
time budgets could be transferred t o upstream work. Theoretically, it had been
Summary of Work S i t e Plans f o r Error Reports
Methods Internal Independent -
Who?
1. Management routine supervision x
2. In-house staff sample w/ control
charts. x
3. Injury control charts NOS
4. Check-list used by supervisors x
5.
6.
NOS f i e l d engineers*
HP monit orin@
NOS
NOS
7- Procedural surveillance &A
8. Spot checks* NOS
9. F i l e audits ?
10. RSO studies NOS
ll. Technical support
12. Miscellaneous x x
*subject t o NOS headquarters audit.
**internal input; external analysis.
possible t o have 16 people observing an operator, i f a l l monitors arrived

a t once - the a c t u a l record was seven!
With a l l plans, except number 2., implemented, the prediction seems
correct, fewermonitors and the f a c t o r of participation i n RSO studies have
had favorable morale effects.
Audit of Upstream Processes.

Upstream audit emerged a s a v i t a l and underemphasized aspect of moni-
toring. However, it i s probably best understood i n terms of some of the
specific schematics of Aerojetfs reactor operations.
I n the organizations studied t o date, there i s a notable absence of work
flow or safety program schematics and descriptions. Consequently, it i s
unnecessarily d i f f i c u l t t o examine the adequacy of monitoring programs and the
deviation or e r r o r definitions which monitoring requires. I n accident investi-
gations it i s d i f f i c u l t t o trace the upstream processes which should have
prevented the accident.
Even though the diagrams which have been developed f o r Aerojet are specific
t o t h a t organization, and are based on i t s procedures and organizational ele-
ments and responsibilities, it should be generally usef'ul t o examine Aerojet
schematics as instructional examples of values, problems detected, and methods
of analysis:
- 368 -
A basic safety-related work schematic was developed and subschematics
were developed for elements of the process.
The basic Work Flow schematic (~igure29-1,already discussed) can be
examined from the top down, or one can begin at the work site and proceed up-
stream to examine the process by which ingredients of work were delivered to
the work site. The latter approach has seemed to be of greater value in
producing potential audit points likely to be significant.
Within the time available in the study, only preliminary "walk through"
analysis of upstream processes was possible. But even a crude analysis re-
vealed a number of kinds of deficiencies:
1. Gaps in responsibility (particularly at interfaces).
2. Sequential operations in which each believes the other performs a
necessary task (the usual interface slippage).
3. Incomplete analyses.
4. Vague or nonexistent criteria for judging adequacy of an operation.
5. Specific hazard reduction operations of a higher order (MORT) which
are largely unfulfilled (e.g., literature search and human factors
engineering).
The impression was clear that Aerojetts fine, extensive effort at proce-
duralization results in lengthy documentation which needs simple schematics
and detailed audit to reveal the kinds of deficiencies suggested above.
A few details of the subschematics, in their original incomplete form,
are furnished in Exhibit 14 simply to illustrate the value of even a simple,
exploratory effort. Incomplete as they are, they show many possible audit
points. They led to the following specific recommendations:
1. List the processes requiring audit:
a. Major-ongoing processes, such as
(1)Engineering modifications,
(2) Projects
(3) Configuration and Document Control
-
(4)Hardware construction, installation, test, etc.
(5) Personnel Systems
(6) Procedure Systems
(7) Review agencies.
b. Safety functions.
(1)Anti-C Clothing
(2) Health Physics Instruments.
c. Inter-department functions
(1)Shipment of radioactive materials
(2) C r i t i c a l f a c i l i t i e s
(3) Preventive maintenance
( ~ a t e ra l i s t of 39 such topics was developed.)
2. Develop schematics, steps and c r i t e r i a .
The acceptance of the monitoring study was followed by major work t o
develop the needed schematics, steps and c r i t e r i a (pages 193-5). A wall chart
on the program showed the need:
-
MANY BLOCK FUNCTION WORK SCHEMATICS.
STEPS TO FULFILL EACH FUNCTION
CRITERIA TO KNOW WHEN THE JOB'S WELL DONE
A s rapidly a s these are completed, major portions of time a r e being

assigned t o audit and correction.
The analysis of upstream processes can be seen a s proceeding through
f i v e major phases:
1. Broad Function
2. Who Does What?
C r i t e r i a f o r measuring performance f o r each function
4. Measurement
a . Data Collection
.
b Assessment
Change -< 5. Action
N
-o Change
It i s possible t o use MOliT charts t o chart audit points and plans i n

operation, and f u r t h e r needs. Also, t h e Nertney Wheel, Figure 24-6, i s a
useful schematic t o design audit points and methods.
A step-by-step plan f o r design of a safety monitoring f'unction, a l s o
prepared by D r . Nertney, w i l l be found i n Exhibit 15.
MORT diagrams touch on dozens of monitoring systems. However, t h e l i s t
i s f a r from complete.
T t is useful t o make a separate l i s t of monitoring systems i n an accident,
using these kinds of questions:
Describe the monitoring (work sampling) procedures used t o measure the
s a f e t y l e v e l of t h i s work area.
a. When was the area l a s t monitored?
b. What were the findings? Was the l e v e l of safety improving or
retrogressing?
A s a general study, a s e t of d i a g r m s can be used t o note a l l t h e r;ionitorir.r;
systems present i n an or@ni.zation. F i l l i n g t h e gaps revealed i s a mcjor asyect
of program improvement.
. "
~ ~t s kiighly
~ developed
j ~ Independent
t Iieview System includes within it; i.uc;e~i.
a d Cperational Safety Division a smell u n i t , Cperations &rW?iilc;:ice i;rcicch, x i t h
t h e primary objective of observing, reviewing, e v a i u a t i r i , x - d r e p o r t i n cr> - > 1-L.* .I:
L C -
compliance with established s a f e t y r u l e s and stzndards.

I n addition, from i t s experience, t h e 3ranch r e p o r t s on r ; p a r e i x r i e ~ j ?i'!.r
a d d i t i o n a l controls, improved t r a i n i n g , and other possible impovezczts. it re-
views operating incicierii.~?rid near misses. The i3ranch a l ~ a~t mar.r;p;e:;t
, ? ; !-+
a u d i t s non-safety aspects of performance. Through s i'onnzl rcpcjrti:;.~::,rcfuern

f o r f a i l u r e s i n t h e review process, a s well a s by observztion, ti-:,?
"':-:1.;-1: Lr-l:."
a l s o audit t h e s a f e t y operations i n t e r n a l l y . The 3 r a ~ c hfzllcr;: ;.> to !,..
52.: .'- ::..L
'
recommendations a r e c a r r i e d out arid needed s t u d i e s s r e performed. A l l t;ir: 5:s in

addition t o t h e normal surveillance and sezrch out of f i e l d szi'ei; L:l;;;5.ilt?.~i'i;
. .
z?~~Is-
t r i a l hygieksts , and h e z l t h physicists.

Nonitoring can be seen a s of two types:
-
General i n conjunction with n o m a i a c t i v i t i e s ,
-
Specialized time o r personnel a l l o t e d s p e c i f i c a l l y r c t n c ::;cr.ltoring
function.
Sources of observations i n both categories can be seen as:
1. Field Observations,
-2. Creation of, o r review of, "paper" i n f o m ~ t i o n;;j-ct OP.:, e K ~ - x k
orders, o r departmental r e p o r t s of JSA coverage, or exert; o p e z t ing
. .,
reports .
A t one s i t e , preventive maintenance was computerized, but no one r o u t k e q a;cnitored
o v e r a l l attainment.
The four-way c l a s s i f i c a t i o n c w , i n t u r n , be divided ilito " p o t e c t l a - tro.;blel'
o r i e n t a t i o n and "work smpling" o r i e n t a t ion.
Correctly t h e bulk of a monitoring f o r c e should go t o t h e mots (tin?,ploce,
process) estimzted t o have t h e highest accident potential. The safety ea@neer ' s
s t u d i e s and i n t u i t i v e sensing combine t o help him f e r r e t out causes before tne acci-
dents occur. However, he may develop his comfortable k b l t s o i obzervilt1o:l;. 'ihere-
f o r e , a non-directed c o n t r o l i s needed.
Some portion of time, however small, should be azsigneci t o re:)roa~cLsie,ranciom-
ized observations. The long term value of n&ing comp~risonc, ~ n 9, d k ; l t ~ r ; gt h e ran-
domized system send observers t o "out-of-the-way," normal, supposed^,^ non-hazar-
dous operations i s believed t o be substantial.
The work sampling schemes can be of a wide variet, o l t j + s - c r i t i c ~ i::cident
i
. .
studies, observation t o u r s , etc. Pnotogrzphic methods zrc TeiEg ~t-2-iic:.
A l l of t h i s is i n addition t o the normal feedback given t o people t o
help them do a b e t t e r job,
Need f o r rapid feedback (monitoring) t o correct e r r o r s is axiomatic--and
increasingly recognized at the operator l e v e l of man-machine systems. But the
principle is not f u l l y implemented at the managerial l e v e l of occupational
systems,
Feedback devices should be b u i l t i n t o systems. Just as maintainability
and preventive maintenance plans a r e f a c e t s of the development process, so
plans f o r monitoring performance f o r conformance with plans a r e an essential
f o r management.
The need f o r monitoring systems a r i s e s from the principles of control
and "management by exception. " The s k i l l e d manager concentrates h i s attention
on the deviations from plan o r standard. To do t h i s , adequate monitor- sys-
tems must be i n place and operating t o give signals when deviations occur.
General Program Audits. Audits of the safety program of a plant o r of a

typical o r a high r a t e department of a plant, are a common feature of large
compaq and government programs. One company reports two t o four man-weeks
a s a normal requirement for a biennial audit. (windsor, 1969.) Most audits
use corporate headquarters personnel, but som a l s o use operating personnel
from similar plants ( ~ i l s o n ,1969). Naturally, e i t h e r type of personnel would
bring t o the audit a thorough knuwledge of organization practices and expec-
tations.
However, both a s t e e l company and the accelerator groups a t Lawrence
report that audits ream get tough when operating executives from comparable
i n s t a l l a t i o n s made the appraisals!
AEC has a comprehensive safety staff appraisal system. Greater use of
advanced technology groups from representative locations might be valuable.
Neither AEC nor its contractors ncrw have data systems which provide the
raw material t o "monitor, audit, compare" nor does any other organization.
The design of such systems should be a major program improvement objective.
The concepts discussed i n t h i s t e x t suggest an a l t e r e d o r additional
approach t o audit of an organization o r plant:
1, Adequacy of safety system design as compared with stated c r i t e r i a .
2. Results of system operations:
a, Data
b. Fixes
3. When was the monitoring system i t s e l f audited by the organization o r
plant? (~indin~ s action?)
and
4. How does the organization o r plant know the system is not failing?
5. Field spot checks t o v e r i f y above.
Auditing experiences on large-high-energy machines suggests, however,
t h a t system considerations, e.g., the need f o r s t r i c t change control, w i l l not
be seen by managers a s major needs unless incident data from a group of similas
machines i s available t o provide i l l u s t r a t i o n s .
Accident investigation i s , of course, one obvious way t o check t h e s a f e t y
program. The following questions are indicative:
1. Was the safety department's technical information adequate i n t h i s
case? Describe how relevant information had been transmitted and
disseminated .
Who? When?
2. When did the s a f e t y department l a s t inspect t h i s area? What r e s u l t s ?
3. Describe work sampling techniques applicable t o t h i s area by safety
department.
4. I s t h e safety program description and d a t a up t o date? What f e a t u r e s
should have prevented t h i s accident? Why d i d n ' t they work? Had t h e i r
effectiveness been t e s t e d o r v e r i f i e d ?
5. When was the safety 'ldget l a s t altered? Direction and percentage?
What i s growth i n t, d a t a b l e safety expenditures i n the l a s t f i v e years?
How does s a f e t y budget compare with the growth of organimtion?
Safety program a u d i t s could e a s i l y be discussed i n Part I X , Safety Program
Review, but it seems b e t t e r t o d e a l with t h i s aspect while monitoring concepts
a r e f r e s h i n our minds.
Data Reduction and Analysis.
Early i n the study it became very apparent t h a t data reduction, and anal- r;is
and i n t e r p r e t a t i o n were neglected f'unctions. Managers were deluged with raw
data. If each report was t o generate an individual fix, the top manager wou- .
have no time t o manage. There a r e s i t u a t i o n s where action i s based on a single

report (serious cases or t o s e t an example), but the kinds of f'undamental f i x e s
needed a r e more l i k e l y t o r e s u l t from numbers of cases, c a r e f u l diagnosis and
study, and a plan which enhances system operation, r a t h e r than producing continu-
ous perturbations of the system by rapidly changing emphases.
Past data were largely unclassified f o r diagnostic purposes, and lacked
adequate trend and r a t e measures.
Two positive examples of asskssment can be cited:
1. The e r r o r reported was 7 missed readings of a pressure gauge. The base
was 24 required readings (3 per day f o r 8 days). Therefore, the e r r o r
r a t e was 32$, o r r e l i a b i l i t y could be s t a t e d a s .68, a sharp contrast
t o the several 9's r e l i a b i l i t y of many reactor components.
2. Two checks of Warning Tags a t ROD showed:
lhmber checked Nwaber Deficient Error Rate
8-u-70 108 34 31%
3-19- 71 231 38 16%
A significant drop i n e r r o r r a t e i s shown.
Further, t h e 1971 data showed locations a s follows:
a t ATR 1%
a t ETR 27%
other 33%
!The IiMl Standard f o r Quality Assurance s e t s an impossibly high standard
f o r common deviations, t h a t is, "preclude repetition." However, the standard
goes on t o say, "Quality trends s h a l l be analyzed t o furnish a basis f o r
improvement i n work performance," and t h i s i s an eminently sound guideline.
An analytic function i s needed i n the Safety Division (so t h a t i t s pro-
ducts a r e processed f o r management use) and i n the operation manager's office
t o digest and i n t e r p r e t i n t e r n a l a s well a s external data.
A related need i s the kind of information center which could make relevant
past e r r o r data available t o planners i n usable form.
Health Monitoring.
The need f o r surveillance of general health of employees i n order t o
detect possibly job-related developments was discussed i n Congressional Com-
mittees during passage of the Occupational Health and Safety Act. The need
f o r such monitoring was a l s o voiced by a group of British safety directors
during a seminar on MORT techniques.
Potential general health problems a r e not readily related t o the types
of trauma-producing events diagrammed i n the MORT analyses. However, since
t h e need f o r surveillance of health seems clear, an analysis can be a r b i t r a r i l y
inserted a t an appropriate point i n MOICP.
F i r s t , l e t it be said t h a t certain types of health problems a r e already
covered :
1. Exposure t o radiation and toxic substances i s already susceptible t o
MORC analysis.
2. General environmental conditions (noise, heat, cold, o r any others)
which have been shown t o be related t o injury o r disease can be handled
as "Environment LTA" i n the MORT analysis .
Therefore, general health r e s u l t s of an unsuspected nature can be treated
a s an information problem i n which there i s "no known precedent."
No Known Precedent
/\
-
Analysis Past Accidents LTA

I
I F/T Monitor General Health I F/T Relate Effects t o Causes
- .- . - . . . .- . ... :,- .. I.. .. _. . i

. ..- I...
. .? ...... -- --
38. ACCIDENT INVESTIGATION
I n t h i s chapter we shall deal with the investigation, ana3ysis and
reporting of the single event, o r occasionally, a group of related events.
(cause analysis i n a s t a t i s t i c a l sense i s treated under information systems.)
The purpose of investigation i s t o guide and stimulate preventive actions
by the l i n e and staff organization. The emphasis should be on discovering all
cause-effect relationships from which p r a c t i c d corrective remedial action can
be derived.
The i n t e n t i s not t o place blame--all people err--but t o determine how
responsibilitf e s may be c l a r i f ied and supported and e r r o r s reduced. Pride,
s e n s i t i v i t y and protective actions aze nevertheless i n h i b i t i n g forces. An
analytic format which requires objective review of appropriate topics has
proven valuable i n counteracting such forces.
Collateral purposes of investigation may be f o r l a w enforcement o r f o r
evaluating l e g a l l i a b i l i t i e s . However, investigation s o l e l y f o r such purposes
i s seldom adequate f o r preventive purposes.
Also, investigation can be looked upon as answering public and profes-
sional c u r i o s i t y i n a "need t o know1' sense.
Although safety l i t e r a t u r e is r e p l e t e n i t h references t o the value and
importance of accident investigation and a n d y s i s , there i s an alarming and
s t a r t l i n g lack of t e x t material on methodology. One t e x t placed great empha-
sis on "getting the important f a c t s , " and then discussed tabulations n i t h an
introductory phrase, "Now that you have the important facts." The A N S I Method,
Z 16.2 (1962) is so weak i n causal concepts as t o provide l i t t l e of p r a c t i c a l
value, and much t h a t may be misleading, even bad guidance i n investigation.
Even a focus on mass data at a time when the "state of the a t " is so ill-
defined may lead t o a f a l s e conclusion that valid and useful data (i.e., ade-
quate t o design countermeasures) have been collected.
The analytic format of MORT, o r a t l e a s t the s t y l e of analysis, provides
one point of departure. To the extent MORT concepts permeate the preventive
program, understanding w i l l permit a t l e a s t modified MORT approaches t o
investigation of l e s s serious events.
AEC reports of in-depth, board investigations provide a standard of
excellence. The extensions of analysis of these events by MORT has been
possible only because the i n i t i a l investigations were very good.
Other examples of detailed analysis w i l l be found i n National Transpor-
t a t i o n Safety Board Reports (see p a r t i c u l a r l y the Waterloo, Nebraska school
bus accident report and "A Systematic Approach t o Pipeline Safety" f o r Tree
types of analysis).
The NTSB has s e v e r a l a t t r i b u t e s which should be understood:
1. Independence. The man who makes t h e regulations o r manages t h e f a c i l i -
t i e s should not i n v e s t i g a t e what may be "his" accident (i.e. , his error).
2. Good procedures.
3. Competent, trained staff.
A Board representative said:
"A prime a t t r i b u t e of t h e Board i s i t s typifying t h e check and balance
system needed t o review r e p o r t s , determine causes, make recommendations,
e t c . with an absence o r minimum of b i a s (except perhaps towards safety).
Should i n v e s t i g a t i o n r e s u l t s fundamentally funnel up t o one man, t h e out-
come might well be weighted i n one direction--actually favorable o r un-
favorable t o h i s o f f i c e . Some people have been observed t o be too
c r i t i c a l of themselves as well a s not c r i t i c a l enough. "
The Board's r e p o r t s provide excellent examples of i n v e s t i g a t i v e and
a n a l y t i c techniques, but these a r e , q u i t e understandably, obscured i n t h e
s p e c i f i c content of t h e event t h e Board i s a n a l y ~ i n g ;thus p r i n c i p l e o r
method of a n a l y s i s a r e not always apparent. The B o d has been urged t o
develop p r i n c i p l e s and methods f o r wider application i n transportation f i e l d s
and f o r t r a i n i n g , and has these i n t e n t i o n s , but budget inadequacies have
l a r g e l y s t i f l e d progress i n t h i s respect. The l e g i s l a t i v e h i s t o r y of t h e
Board and i t s predecessor show strong Congressional recognition of t h e
e s s e n t i a l i t y of independence.
A i r accident i n v e s t i g a t i o n s a r e t h e only available examples of mass pro-
cedures keyed t o adequate concepts. However, even these have weaknesses
stemming i n p a r t from legal requirements (cog., f i n d probable cause), and
have major , p o s i t i v e (but l a r g e l y unstated) premises--that i s , intensive and
exhaustive system safety a n a l y s i s p r i o r t o accidents and research a s needed
a f t e r accidents--which could mislead t h e casual observer as t o t h e nature of
i n v e s t i g a t i o n and a n a l y s i s requirements f o r t o p i c s other than a i r , particu-
l a r l y t h e r o l e of a high i d e a l of system s a f e t y might not be v i s i b l e .
Disaster r e p o r t s available from other f i e l d s of a c t i v i t y a r e highly
variable. Even those which a s e generally good (such as NFPA) have a tendency
t o become s i l e n t as they approach t h e b x d e r s of managerial responsibility--
planning e r r o r s , mostly omissions, and decision c r i t e r i a and mechanisms.
Various accident reporting forms provide, i n e f f e c t , a n a l y t i c a l frame-
works. However, t h e s e a r e , i n general, so s i m p l i s t i c a s t o give no g r e a t
guidance t o a n a l y s i s of serious events. I n general, forms may be b a r e l y ade-
quate i n t h e "What Happened" phase i f t h e n a r r a t i v e is well done, but l e s s
than adequate f o r other phases such as "Why It Happened" and successive
causal layers.
The possible exception i s t h e Department of t h e I n t e r i o r reporting sys-
tem (Pope, 1970) which provides f o r examination of successive l a y e r s of
causation i n terms of a c t i o n s needed by higher supervision, management, per-
sonnel, finance, and other support services. This form begins t o examine t h e
"Why" aspect. If it i s possible f o r a s i n g l e , simple form t o c o l l e c t adequate
f a c t s , t h e I n t e r i o r form is unquestionably a s t e p i n t h e r i g h t a n a l y t i c d i r e c -
tion. However, it i s unlikely t h a t t h e successive endorsements a s t o causal
f a c t o r s w i l l be seasching unless an a n a l y t i c method i s prescribed, and systems
a n a l y s i s is l i k e l y t o be weak o r absent.
The NSC and Federal occupational accident forms a r e intended t o provoke
analysis, but i n f a c t tend t o produce barely adequate information on what
happened, and s i m p l i s t i c , inadequate information on why t h e system f a i l e d .
For example, although t h e r o l e of management and supervision a r e said t o be
primary, a reading of thousands of such r e p o r t s shows only rare a n a l y s i s of
supervisory e r r o r s o r a c t i o n s , and complete silence on management system
deficiencies o r errors.
There is need f o r manuals f o r i n v e s t i g a t i n g occupational accidents.
Bradley (1967) discussed t h e deficiency i n t h e A i r Force (but used t r a f f i c
accidents t o develop a d r a f t approach).
Braunstein and Coleman (1967) said :
m~ccidentinvestigation may be considered a member of a large c l a s s
o f problem-solving tasks which require extensive experience f o r the
developent of e x p r t i s e . A charscteristic of t h i a class of tasks
is a marked d i f f i c u l t y in oonveying the f r u i t s of such expertise t o
the novice and thus avoiding the need for a duplication o f this experi-
ence. In addition t o the practical problem of trainirg new 'experts, 1
the inability o f persona t o describe the manner in whioh they perform
such tasks m a k e s it d i f f i c u l t t o develop a general understandhg o f
."
this type o f behavior and t o augment the human performer with artificial
intelligence devices
On many occasions, when pressed f o r description of accident in-pestiga-
t i o n technique, very competent s a f e t y engineers have ended by saying, "I
guess you j u s t follow your nose."
Causal Factors.
This discussion is predicated on the presence of a number of causal fac-
t o r s , r a t h e r than t h e f i n d i n g of "probable cause" (singular) which i s t h e
s t a t e d objective of s e v e r a l Federal s a f e t y laws and tends t o be an obstacle
t o proper a n a l y s i s (~ohnson, 1967 ) .
A good i n v e s t i g a t i o n of an accident/incident i n a complex system w i l l
commonly r e v e a l on t h e order of 25 s p e c i f i c e r r o r s and omissions and 15 sys-
temic failures--a t r u l y shocking s i t u a t i o n . If adequate medical o r psycho-
l o g i c a l expertise were used, t h e numbers would be even l a r g e r .
But a f t e r t h e i n i t i a l shock, pain, anger, f r u s t r a t i o n and humiliation
occasioned by such findings have abated somewhat, i t i s helpful and useful
t o remember:
1. Well-run systems f o s t e r precise i d e n t i f i c a t i o n of more e r r o r s
because d e f i n i t i o n s and tolerances a r e s t a t e d .
2. Complex systems (including working people themselves ) have many e r r o r
opportunities, and even low e r r o r r a t e s produce many deviations.
3. The l a r g e number of causal f a c t o r s revealed a r e correction omor-
t u n i t i e s - - f i x i n g any one w i l l usually i n t e r r u p t t h e sequence and
prevent the accident.
4. Fixing systemic f a i l u r e s w i l l prevent many f u t u r e e r r o r s and accidents.
Investigation, Analysis and Expertise.
The process of investigation can be seen as a mutually supporting
t r i a n g l e of competencies:
Investigation--definition, description, detection--fact collection.
Analysis--fact i n t e r p r e t a t i o n and arrangement based on accident concepts,
e s s e n t i a l l y s a f e t y analysis. But, most important, what kinds of f a c t s t o seek.
Expertise--the technology involved i n t h e event--what f a c t s may be,
energy and operating p a t t e r n s , and technical a c t i o n possible o r f e a s i b l e .
A l l t h r e e of these competencies a r e present i n an individual, but
u s u a l l y t h e higher l e v e l s of each competence a r e found i n d i f f e r e n t people.
Only t h e combination of t h e competencies can c r e a t e a disciplined investiga-
tion--the g r e a t e r t h e j o i n t competencies, t h e g r e a t e r t h e d i s c i p l i n e .
I n a time sequence1 i n v e s t i g a t i o n w i l l precede analysis; but t h e pro-
cess is iterative. Analysis requirements, i f known t o t h e i n v e s t i g a t o r ,
w i l l help him i n knowing which f a c t s may be relevant and needed, so a n a l y s i s
w i l l be discussed first. Analysis is a form of "independent review" of t h e
investigator,
The three f a c e t s a r e depicted ( ~ i g u r e38-1) along with t h e v a r i a b l e s
i n who i n v e s t i g a t e s o r analyzes, h i s competence and independence, and t h e
f a c t o r of organizational expectations. AEC, f o r example, has high standards
a s t o t h e q u a l i t y of investigation it expects, and t h i s prompts thoroughness,
searching inquiry, depth analysis, and v e r i f i c a t i o n of hypotheses where pos-
sible. A manual f o r i n v e s t i g a t i o n s would f u r t h e r enhance t h e process.
Costs of Investigation.
The c o s t s of high q u a l i t y investigations can be considerable, particu-
l a r l y if multi-disciplinary teams o r boards a r e used, o r i f research i s
Figure 38-1. Investi~ation-Analysis-ReportProcess
mdingl3
) +Conclusions
t 3.
1 Eiecomnendations
1
Organizational Expectations?
I
needed t o f i n d cause, but t h e e f f o r t s seem warranted f o r s e r i o u s e v e n t s ,
e s p e c i a l l y when systemic f a i l u r e s a r e revealed.
The c o s t s of u s i n g well-designed a n a l y t i c techniques a r e not g r e a t , and
i n p a r t o f f s e t any l a c k of m u l t i - d i s c i p l i n e resources.
The time r e q u i r e d f o r a n a l y t i c review of a c c i d e n t s by MORT ( o r by t h e
Kepner-Tregoe p r o c e s s ) g i v e s inexperienced people concern. I n one s e r i o u s
c a s e , MORT a n a l y s i s took 1$hours preliminary, 1 hour d i s c u s s i o n and review,
and 1%hours meticulous, a t o t a l of 4 hours. The Kepner-Tregoe process f o r
t h e two g r i z z l y bear a c c i d e n t s took about f i v e hours. I n less severe a c c i d e n t s
a quick MORT a n a l y s i s was completed i n 20 minutes per case f o r s i x cases.
These c o s t s a r e small compared with o t h e r investments i n t h e i n v e s t i g a t i o n .
MORT a n a l y s i s c o s t s l e s s than a mass d a t a program, and o n l y a few MORT
c a s e s a r e needed t o c l a r i f y s u b s t a n t i a l program improvement needs, d a t a not
a v a i l a b l e from mass t a b u l a t i o n s .
S c a l i n g of i n v e s t i g a t i v e e f f o r t i s a requirement, and w i l l g e n e r a l l y be
on "seriousness," but t h i s i n t u r n has s e v e r a l c o n s i d e r a t i o n s o t h e r than
s e v e r i t y (damages t o people and p r o p e r t y ) , such a s mission impact, p u b l i c
o r o t h e r s e n s i t i v i t y , p u b l i c involvement, and who i s involved, o r n o v e l t y
(new problem) o r recurrence (old problem needs thorough "look-see" ) .
Discussion of i n v e s t i g a t i o n w i l l be premised on s e r i o u s events, with f u l l
understanding t h a t minor e v e n t s use l e s s e f f o r t , and f u l l d a t a needs w i l l be
met by sampling with s h o r t , supplementary r e p o r t s , c r i t i c a l i n c i d e n t s t u d i e s ,
Examination of the v a l u e s from good AEC i n v e s t i g a t i o n s o r MORT a n a l y s e s
s u g g e s t s t h a t more u s e f u l information, p a r t i c u l a r l y systemic needs, w i l l be
obtained from a few good i n v e s t i g a t i o n s than from l a r g e numbers of marginal
o r superficial investigations. Thus t h e c o s t q u e s t i o n i s more n e a r l y a
q u e s t i o n of t h e manner of d i s t r i b u t i n g a v a i l a b l e resources. C e r t a i n l y some
in-depth i n v e s t i g a t i o n s should be conducted i n any o r g a n i z a t i o n of more than
moderate size.
What Should be Investigated?
-
Every accident o r incident should be investigated. I n practice, t h i s
means every i n j u r y , f i r e and motor vehicle accident, no matter how sli@,
property damage above $50, and any "high p o t e n t i a l " incident.
A t y p i c a l injury-scaling mechanism is:
Investigated by r Redemd byt

Mrst a i d and Supervisor Safety
medical Middle management
Disabling Supervision &
Safety
More serious Middle management, Plant laanagemnent
Safety, and/or Top management
a Board
For incidents, dependent on t h e p o t e n t i a l , t h e same scaling t a k e s place.
Some extremely valuable r e s u l t s have come from f u l l - s c a l e board i n v e s t i g a t i o n s
of i n c i d e n t s i n which there w a s no damage o r injury.
The Analysis Process.

I n order t o provide help t o an AEC Board whose members had g r e a t exper-
t i s e i n the technology involved, but l i t t l e experience (as is normal) i n
accident a n a l y s i s , a schematic ( ~ i g u r e38-2) was developed t o provide an ex-
p l i c i t l o g i c and technique f o r reducing a l a r g e volume of material t o a
concise and precise report i n t h e AEC format: Findings, Conclusions, Recom-
mendations.
1. The frame of reference f o r t h e investigation and t h e system which
f a i l e d should be established (manuals, d i r e c t i v e s , a u t h o r i t y ,
organization, e t c ) .
2. The event i s b r i e f l y described i n a preliminary way.
3. Then sources of f a c t s a r e depicted i n a general way.
4. The f a c t s from various sources a r e constantly being organiced by
a t l e a s t three a n a l y t i c methods:
a. MORT (shown inverted t o place f i n a l events near bottoms of sequences),
b. Change-Bawd Accgdent Analysis Wqrksheeet ( ~ i p u ~5e- 2 ) ,
c. Sequences--most e s p e c i a l l y t h e meticulous energy trace.
5. Note u a r t i c u l a r l x t h a t t h e a n a l y t i c methods i n t u r n generate hypo-
theses and thus provide ideas as t o what information is needed--an
i t e r a t i v e process.
F i m e . 78-2, Accident halyoir S o k m t L
Frames of Reference A n a l y t i c Methods Integration Or anization
The I n v e s t i g a t i o n
The System
What
--
What Should
Happened? lave Happened
r-- System and t h e Goal
MORT \ Relevance are Procedures People
The Event 4 di.nits
Immediacy
2
Sequence Y
Fact C o l l e c t i o n Managerial Cont r o i s
4 Patterns
Detective S k i l l s
Change-
I Adverse Consequences
Technical E x p e r t i s e
Standards o f Judgement
Based
Accident
Documents --)Finding - i f c l e a r , established
Testimony Q&A - Analysis
(Figure
e x i s - t i n g system requirement
Recorded Data
Physical Evidence 5-2)
Photographs
Observation
Sequences
-
Tests --rcConc l u s i o n - I
Other s t a n d a r d s of judgement
Operational
Trace (Should have done)
Theoretical
Reconstruction I
el at ed' Events
Hypotheses?
What Information is Needed?

I The System Failed!
- 382 -
The a n a l y t i c methods then provide raw m a t e r i a l f o r i n t e g r a t i o n i n t o
sequences and p a t t e r n s as t o What Happened? and What Should Have
Happened ?
The conversion of t h e above two sequences t o f i n d i n g s and conclu-
s i o n s i s handled i n t h e following manner:
a. What Happened = Findings
b. What Should Have Happened :
(1) Can be a Finding if t h e r e was a c l e a r , established e x i s t i n g
system requirement, i n which case a t y p i c a l format would be
D/N do . ( ~ Aerojet
t a f a i l u r e t o obtain t h e
required independent review would ba an example. )
(2) A l l e l s e i s Conclusion--that i s , standards of judgment as t o
what should have happened a r e not " c l e a r , e s t a b l i s h e d e x i s t i n g
system requirements."
A d i f f i c u l t s i t u a t i o n i s posed by accidents i n which causal sequences a r e
obscure. I f a board of i n v e s t i g a t o r s i s s c i e n t i f i c a l l y o r i e n t e d , and evidence
supports a f a c t "beyond a reasonable doubt," t h e board members should probably
have t h e l a t i t u d e t o submit a "finding." On t h e o t h e r hand, i f doubt e x i s t s ,
o r if a f i n d i n g i s more n e a r l y a group conclusion, such should probably be
reported as a conclusion. I n any event, t h e a r t i c u l a t i o n , use and r e p o r t i n g
of g u i d e l i n e s w i l l c o n t r i b u t e t o searching a n a l y s i s and avoid any r e a l confu-
s i o n as t o standards of judgment used i n preparing a report.
8. Drp-anization of t h e m a t e r i a l can be developed from t h e schematic i n
t h e upper r i g h t corner of Figure 38-2, and w i l l t y p i c a l l y c o n s i s t o f :
A statement of t h e system ( o r subsystem) and i t s goal.
One o r more sequences showing t h e development of t h e hardware involved.
The sequence by which procedures were developed and applied.
The sequences involving people--operators and supervisors--and organi-
zational units.
The managerial controls--those applicable, t h e sequences of l o s s of
c o n t r o l , and the improvements needed. This would include f a i l u r e s
of monitoring processes t o d e t e c t evolving changes, e r r o r s , o r
hazards.
F i n a l l y , t h e adverse consequence--injury, damage, performance
degradation, and program impact.
9. Report. The f i n d i n g s must support t h e conclusions, and t h e conclusions
support t h e recommendations, This may be a 1-1-1r e l a t i o n s h i p , o r
)1-1-1 b a s i s , o r general conclusions may stem from p r i o r conclusions,
and i n t u r n support one o r more recommendations. It seems d e s i r a b l e
t o assure t h i s tracking on a s i n g l e l a r g e worksheet (even though AEC's
f i n a l r e p o r t format provides t h a t Findings a r e i n Volume I and Conclu-
s i o n s and Recommendations i n Volume 11).
10. Note t h e schematic shows a general conclusion--The System Failed!
The immediate purpose i s t o a l l a y t h e concern of i n v e s t i g a t o r s t h a t
t h e i r r e s u l t s w i l l be used t o place blame o r a s a b a s i s f o r d i s c i p l i n e .
The note a l s o helps t o p management's awareness t h a t it was t h e i r sys-
tem, not people, who f a i l e d ( i n most cases).
MORT Analysis.
Although MORT has shown i t s e l f t o be a powerful a n a l y t i c t o o l i n t h e
hands of a few a n a l y s t s , it has not "caught on l i k e wildfire. " This has
r a i s e d questions as t o how it can be introduced and assimilated, and how
t r a i n i n g could be conducted. If not widely usable, MORT would not be of
g r e a t p r a c t i c a l significance.
The MORT diagrams, while intended t o guide rigorous f i n a l a n a l y s i s , a r e
q u i t e usable as "scratch pads" f o r notes of relevant f a c t o r s . I n t u r n , they
suggest many questions t o be asked. Naturally, t h e more one knows about t h e
a n a l y s i s , t h e b e t t e r t h e questions.
One technique which'has been used i n s e v e r a l cases i s described i n
"Getting Started" on page 23. I n one serious and complex accident, a b r i g h t ,
young f i r e prevention engineer used t h i s technique. A t t h e end of t h r e e
working days, he had t h e following r e s u l t s (over and above other Board and
regulas tasks) :
44 l i k e l y problems
_28 "don't knows"
82 t o t a l
The number i s l a r g e because of redundancy i n l i n e s of inquiry and redundancy
i n s p e c i f i c and system f a u l t s . The number o f problems w i l l l i k e l y reduce t o
on t h e order o f 2 5 s p e c i f i c and 15 systemic f a u l t s , a t y p i c a l "par" f o r a good
MORT analysis. The engineer a l s o had a good grasp of t h e information needed
t o resolve questions, and already had collected much of it. This work was
performed a f t e r only 30 minutes b r i e f i n g , and a s h o r t , l a t e r meeting t o supply
d e f i n i t i o n s not c l e a r i n t h e t e x t .
Paul Hernandez, t h e head of t h e Mechanical Engineering Department a t
Lawren~e~expressed
t h e view t h a t t h e MORT diagrams would have g r e a t l y reduced
t h e c o s t of t h e n a t i o n a l board which investigated the Cambridge bubble chamber
explosion and f i r e by guiding t h e board's work and reducing confusion over
a n a l y t i c processes.
A t present t h e two w a l l c h a r t s developed f o r use at Aerojet a r e excel-
l e n t " a n a l y t i c s c r a t c h pads" f o r use during an analysis. Analysts i n i t i a l l y
seem t o s u f f e r from p a r a l y s i s of t h e wrist, so we urge them t o start marking
up a sheet.
The question of whether o r not t o draw a s p e c i a l MORT Tree t o p o r t r a y an
accident (as i n MORT Appendix A ) , o r t o simply a t t a c h a marked up copy as an
e x h i b i t f o r t h e review agency, o r do both, i s judgmental. The value i n
drawing a s p e c i a l t r e e i s an e x p l i c i t p o r t r a y a l of r e l e v a n t causal f a c t o r s .
The value i n t h e marked up general t r e e i s t h a t t h e review agency can review
a v i s i b l e record of t h e a n a l y t i c process, including t h e f a c t o r s found satis-
f a c t o r y o r deemed not applicable.
One major e f f e c t of t h e MORT a n a l y s i s , widely noted a t Aerojet, i s t o
open t h e management system t o authorized, even required, analysis. Prior to
MORT, t h e a n a l y t i c process stopped s h o r t , a s it p r e s e n t l y does most places.
I n i n v e s t i g a t i o n s , it is q u i t e common t o f i n d e r r o r s o r f a u l t s which
a r e s e r i o u s , and should be recorded and corrected, but were not p a r t of t h e
c a u s a l sequences. For example, a procedure may have been adequate, although
it d i d not have t h e prescribed review. For t h e s e , a s p e c i a l symbol is
-
shown i n t h e t r e e :
6
It has been s a i d t h a t t h e q u a l i t y of a f a u l t t r e e hazard a n a l y s i s can
be judged by t h e number of l a y e r s i n t h e t r e e . The same can be s a i d of MORT
analyses of accidents. An experienced NASA i n v e s t i g a t o r described t h e a n a l y t i c
process as "peeling o f f l a y e r s a s i n an onion." I f t h i s metaphor i s used f o r
t h e MORT t r e e t h e process would look l i k e t h i s :
Figure 38-3. MORT Causal Layer Schematic
Specifics Management System
specific factors Many system deficiencies
MORT a n a l y s i s a l s o destroys t h e f a l s e l o g i c whereby t h e apparent absence

of system o r hardware d e f i c i e n c i e s i n a s u p e r f i c i a l i n v e s t i g a t i o n so o f t e n
l e a d s t o a conclusion of human f a i l u r e . I f t h e system has not been properly
analyzed according t o high standards, who can say.anything t r u t h f u l about
t h e r e l a t i v e r o l e s of system f a i l u r e s and personnel e r r o r s ?
Sea uences.
The MORT analyses i n Appendix A (1t o 6) show that meticulous t r a c i n g
of energy t r a n s f e r s and changes i s very o f t e n u s e f u l , even necessary. At
Aerojet, a number of accidents/incidents were of t h i s character. The sequences
u s u a l l y do not emerge i n sequential order. This suggests that t h e sequential
notes may have t o be redrafted i n extended o r corrected order during t h e
investigation.
Two s p e c i a l v i r t u e s of themeticulousenergy t r a c e a r e :
1, F a c i l i t a t e questioning and t e s t i n g of hypotheses,
2. F a c i l i t a t e use of t h e MORT b a r r i e r a n a l y s i s t o examine possible i n t e r -
ruptions. B a r r i e r a n a l y s i s has produced t e s t e d methods of interrup-
t i n g energy t r a n s f e r as well i n innovative and e f f e c t i v e ways.
Although t h e l i s t i n g of sequences is first an a n a l y t i c t o o l , t h e r e may
often be s u b s t a n t i a l value i n putting a time-sequenced event diagram i n t h e
f i n a l report. I n NTSB1s Systematic Approach t o Pipeline Safety (1972) such a
c h a r t of "events and causal f a c t o r s " was used t o show how system a n a l y s i s
could have i d e n t i f i e d hazards p r i o r t o t h e accident. Thirty-seven events and
f a c t o r s a r e concisely displayed.
Change-Based Analysis.
This methodology w a s discussed i n t h e chapter, "Role of Change i n Acci-
dents ," ard a worksheet ( ~ i g u r e5-2) was suggested ..
I n i t i a l l y i t was thought t h e change-based a n a l y s i s need be used only when
cause i s obscure. But, i n t h e e a r l y stages of investigation, who knows whether
cause i s obscure? Further, it i s q u i t e easy t o r u l e up a 17"x23" sheet of
paper a d keep interim, c r y p t i c note of f a c t s i n a p o t e n t i a l l y revealing pat-
t e r n , and as a guide t o what information t o seek. I n one a n a l y s i s of two
r e l a t e d accidents the technique revealed- several p o t e n t i a l f a c t o r s which had
not been checked out because t h e a n a l y t i c worksheet had not been maintained
as a current, working t o o l during t h e investigation.
F i n a l l y , i n another accident, the change-based format proved to be a very con-
c i s e method of displayirg t h e causal f a c t o r s and created a u s e f u l exhibit (Figure
5 1 ) The best advice is t o use worksheet (Figure 5-2) on every s e r i o u s accident.
Investigation Process.
This can be examined i n terms of should i n v e s t i g a t e , and.&I
-
Who involves questions of i n v e s t i g a t i v e s k i l l and t r a i n i n g , and degree
of competence i n t h e technological process involved.
It seems axiomatic that since l i n e management i s responsible, i t s basic
r i g h t , as well as duty, t o i n v e s t i g a t e cannot be abkogated. However, an
- 386 -
e s s e n t i a l element i n l i n e i n v e s t i g a t i v e r e s p o n s i b i l i t y i s a more searching
review and endorsement at each l e v e l of higher supervision, on up a s f a r as
seriousness warrants carrying t h e case. This can go on t o "mat Else?" i s
seen as necessary by higher supervision.
The question outside l i n e r e s p o n s i b i l i t y then becomes one of involving
a d d i t i o n a l expertise (from s a f e t y o r process people) and developing indepen-
dent review by s a f e t y o r others. I n p r a c t i c e these two ingredients begin t o
be added at a low threshold--that i s , t h e s a f e t y engineer usually screens
first a i d and o t h e r minor accident r e p o r t s f o r HIPO's and begins t o a s s i s t
and review supervisory investigations.
A s events progress toward t h e more serious, t h e AEC requirement f o r
Boards of Investigation represents a present "best practice. " The question
of independence deserves f u r t h e r consideration. A s events become more
serious, representation from a f i e l d operations staff may be added, and i f
even more serious, from headquarters s t a f f . But a r e these representatives
independent, o r a r e they p a r t of t h e d i r e c t i n g process? There i s no simple,
p r a c t i c a l r e s o l u t i o n of such a question. However, consideration (within
budget) could be given t o using more s u b s t a n t i a l representation from t h e
physical, managerial and a n a l y t i c technologies not involved i n t h e process;
i n major events, t h e use of independent s c i e n t i s t s and i n v e s t i g a t o r s should
be considered. The problems of independent review were a l s o discussed i n
terms of the MORT Hazard Analysis Process.
I n one serious AEC accident, t h e Board included t h e supervisor of the
man involved, t h e c o n t r a c t o r ' s s a f e t y engineer, and t h e f i e l d o f f i c e s a f e t y
engineer. The f i e l d o f f i c e engineer, himself, raised t h e question of "incest."
Such a s i t u a t i o n should probably be improved by added, more independent repre-
sentation. However, another safeguard i s t o i n s t r u c t t h e Board t o , at l e a s t ,
use t h e MORT format. This precludes t h e avoidance of questions simply because
they a r e s e n s i t i v e o r d i f f i c u l t . This again is t h e M e t h o d . ~ sContent redun-
dant safeguard on a process.
The A i r Force has Board Members' manuals and guides which seems a valu-
a b l e practice.
The great educational values of Board service suggest t h a t ' Boards be
used as frequently as budget and circumstances permit. Board members f r e -
quently express a recognition and determination t o do things d i f f e r e n t l y
when they r e t u r n t o t h e i r jobs.
The use of i n t e r d i s c i p l i n a r y teams has usually been limited t o research.
However, t h e A i r Force ( ~ c o t tA i r Force Base, 1967) developed in-house teams
drawing on competencies a v a i l a b l e t o a l a r g e i n s t a l l a t i o n . Such a procedure
should be examined f o r p r a c t i c a l i t y a t AEC s i t e s , e s p e c i a l l y f o r serious
accidents.
An obstacle t o good a n a l y s i s (or investigation) i s t h e tendency t o see
v i o l a t i o n s of procedures, standamis o r l a w s as "cause." Such v i o l a t i o n s may
be p a r t cause, but t h e standard may be wrong o r inadequate and other f a c t o r s
may be more important and a c t u a l l y more "causal." A standard i s j u s t t h a t ,
a standasd of judgment, but there w i l l be other, perhaps more important,
standards of judgment.
The persons who i n v e s t i g a t e o r review need o b j e c t i v i t y and open minds.
They should not just v e r i f y a given hypothesis o r theory, and should avoid
premature conclusions. The t r i c k i s t o g e t these a t t i t u d e s !
-
How t o i n v e s t i g a t e follows out t h e s k i l l s involved:
1. Advance plans
2. Detective work
3. Technical work
4. Analytic work.
Advance plans should be i n s t a t e of readiness f o r catastrophic events.
The a c t of planning w i l l a l s o e s t a b l i s h scaled down requirements f o r l e s s e r
events. Rescue and prevention of a d d i t i o n a l trouble a r e first order require-
ments. A l l necessary support and communication f a c i l i t i e s should be quickly
available. The management of the process should be c l e a r l y established and
exercised.
Detective s k i l l s include preservation of evidence, physically and by
photography, and by l o g s , sketches, and maps. The search-out of clues and
witnesses. Go-Look-Listen-Ask. S e n s i t i v i t y t o change i s helpful. "Don't
/
be surprised. "
Analytic t a l e n t s i n c h d e using concepts of sequences, l a y e r s , a n a l y t i c
formats, as well as scope--man, machine, environment, management, and pre-
vention--engineering, education and enforcement.
The technical team s k i l l s may be more d i f f i c u l t t o acquire (particu-
l a r l y medical o r psychological s k i l l s ) . A i r c r a f t i n v e s t i g a t i o n s use special-
ists i n subsystems--power, s t r u c t u r e , controls, human f a c t o r s , etc., and a r e
working within a highly defined system. However t h i s could not be seen as
d i f f e r e n t from other accident investigations, only more advanced--better!
The meticulous t r a c i n g of energy flow and control i s a f a c e t of air-
c r a f t i n v e s t i g a t i o n t o be emulated.
A note on motor vehicle cause a n a l y s i s w a s made i n an e a r l i e r section,
t h a t is, c l a s s i f i c a t i o n of defensive d r i v i n g p r a c t i c e s by a review board.
Material on commercial vehicle accident i n v e s t i g a t i o n is available (NSC Manu-
a l , 1970). Northwestern University T r a f f i c I n s t i t u t e has published extensive
material on police and research i n v e s t i g a t i o n methods.
Accident i n v e s t i g a t i o n r e p o r t s can be audited f o r i n t e r n a l consistency,
t h a t is, do any assignments of cause follow from t h e f a c t s as stated. Also,
i f r e p o r t s a r e poor, d i d higher supervision not recogniee d e f i c i e n c i e s , o r
not r e t u r n r e p o r t s f o r f u r t h e r work? Did higher supervision p a r t i c i p a t e i n
i n v e s t i g a t i o n i n any way? Other major a u d i t s of investigations are f o r
anal-vtic method--and assumptions v e r i f i e d , evidence.
Plans and b e r a t i o n a l Readiness.

It i s e s s e n t i a l t h a t plans f o r i n v e s t i g a t i n g serious accidents be i n a
s t a t e of operational readiness. There i s l i t t l e time t o study i n v e s t i g a t i v e
and a n a l y t i c techniques when a serious accident occurs. This suggests t h a t
plans and procedures be c a r e f u l l y designed, and t h a t p r a c t i c e on l e s s e r
events is needed t o develop s k i l l s . I n a l a r g e organization,
.. a cadre of
...,
trained, experienced i n v e s t i g a t o r s should be available t o assist f i e l d staff
and l o c a l staff.
The i n v e s t i g a t i o n manual (whether a formal, s p e c i a l document o r a l e s s
formal, loose l e a f assemblage of pertinent d i r e c t i v e s , plans, procedures
and c h e c k l i s t s ) should be immediately available.
Duties of b r i e f i n g Board
o r staff members on methodology, f o r example technical experts, should be
assigned. Guidelines f o r t h e assemblage of appropriate competencies should
be provided t h e group's appointing authority.
Channels of a u t h o r i t y and communications should be established. If
public accidents o r public o f f i c i a l s a r e involved, these should be specified
with a c t i o n s t o be taken.
Each s a f e t y professional should have a well equipped k i t of investiga-
t i v e t o o l s at h i s desk (or i n h i s cas) (and one additional k i t i n h i s personal
c a r i f circumstances make it possible t h a t he should respond quickly a t a site
o t h e r than h i s o f f i c e ) . The k i t includes such items as tape, f l a s h l i g h t ,
danger, warning and marking t a g s , s t a k e s and sample b o t t l e s , camera (if no
photographer i s a p a r t of t h e team), d i s t i n c t i v e tape t o mark o f f t h e inves-
t i g a t i v e a r e a , measuring devices appropriate t o h i s s p e c i a l t y , sketch pad
and c l i p b o d , forms f o r witness statements, various supplemental r e p o r t s
and checklists.
This type of i n v e s t i g a t i v e equipment i s not r e l a t e d t o t h e ameliorative
services--fire, rescue, emergency medical service--although under some c i r -
cunstances t h e respondent has some d u t i e s i n these areas. If appropriate,
f o r example, h i s car may be equipped with f i r e extinguisher and/or first a i d k i t .
General Checklist f o r Investigations.

A generalized c h e c k l i s t was developed by Thune (1969) and included t h e
following items (much abbreviated) :
1. Remember--accidents axe multi-factoral.
2. &-clean up destroys evidence.
--take photos
--make notes of conditions
--gather pieces, record l o c a t i o n s , rubbings, scratches, p i l e s of
d i r t may t e l l what w a s moving, which way, p o i n t s of impact, and
order i n coming t o r e s t .
3 . Listen--for clues t o sequence,
--causes.
4. Study--the evidence,
--ask Why?
--seek p r o m a t e and d i s t a l f a c t o r s .
5. Encourage--people who knew t h e process t o volunteer ideas.
6. Confer--with experts.
He concludes with write up of r e p o r t , and follow up.
A more d e t a i l e d checklist can be developed from one of t h e A i r Force
Manuals ( A i r Force M i l i t a r y A i r l i f t Command, 1966) . With some adaptation
t o occupational systems and much d e l e t i o n o f a i r c r a f t d e t a i l , t h e list i s
provided as Appendix J. Appropriate d e t a i l should be i n s e r t e d by any using
organization ( f o r example, a s p e c i f i c chemical plant would have very
d e t a i l e d c h e c k l i s t s on i t s p a r t i c u l a r chemic a1 p o s s i b i l i t i e s 1. However,
carrylng out t h e i n t e n t of t h i s c h e c k l i s t , d e s p i t e some remaining a i r c r a f t
f l a v o r , would unquestionably produce an excellent investigation.
39. TILF, ORGANIZATION'S I N F O W I O N SYSTEM
The MORT information system (page 343) and d a t a flow model (Figure
VIII-1) describe t h r e e kinds of inputs:
1. Technical Information,
2. Monitoring r e p o r t s (those flow, use and f i x cycles described w i l l not
be repeated i n t h e system below),
3 . Accident I n v e s t i g a t i o n s .
Considerable study has been given t o d a t a purposes and uses a t research s i t e s
and elsewhere. I n p a r t i c u l a r , uses of EDP coded information from r o u t i n e accident
r e p o r t s i n a v a r i e t y o f organizations was found t o have few u s e s and those of m a r -
g i n a l value, not warranting s u b s t a n t i a l investment without depth study and care-
f u l l y planned usages. Consequently t h e primary focus pointswhich developed were:
1. Simple key word coding of accident/incident r e p o r t s and o t h e r docu-
ments, i n d i c e s being e a s i l y merged by computer.
2. Action cycles t o g e t d a t a a p p l i c a t i o n .
3. Data reduction and a n a l y s i s f o r f u n c t i o n a l purposes.
4. Management assessment of d a t a .
Many key pieces of a comprehensive i n f o ~ n a t i o nsystem w e r e placed i n opera-
t i o n on a t l e a s t a p i l o t b a s i s , and a t low c o s t . The system showed g r e a t
promise of f u l f i l l i n g c r i t e r i a of relevance, t i m e l i n e s s , econow, accuracy,
f and f l e x i b i l i t y .
Concepts.
A t t h e conceptual stage, conc;lusions from e a r l i e r work were s e t down a s
follows :
The MORT diagram suggests t h a t t h e information a v a i l a b l e t o a decision-
maker a t t h e time of risk-acceptance i s a c r i t i c a l aspect of a r i s k reduc-
t i o n system. Therefore, a c c i d e n t s l i n c i d e n t s should be analyzed a s t o t h e
a v a i l a b i l i t y of known precedents and recommendations, and t h e reasons
f o r non-communicat ion and/or non-use .
It seems c l e a r t h a t conventional accident d a t a f i l e s , a s now c o n s t i t u t e d ,
provide very l i t t l e information of d e c i s i o n value.
It seems e q u a l l y c l e a r t h a t n a t i o n a l and l o c a l d a t a f i l e s a r e not u t i -
l i z i n g a T ~ a i l a b lcomputer
e techniques t o transmit a v a i l a b l e information t o
t h e point of need.
Although t h e f i r s t element i n design of an improved information system
i s primarily conceptual, and can be exercised on a hand-tabulation l e v e l ,
t h e focus should be on n a t i o n a l - l o c a l development of a computerized
information system. There a r e important d e f i c i e n c i e s i n t h e n a t i o n a l
information eystem.
The broad p r o j e c t here conceived r e q u i r e s execution of a v a r i e t y of
l o c a l and n a t i o n a l subprojects.
The safety professional must establish internal and external information
networks adequate to his needs, and should test and exercise the networks
systematically.
The network can be conceived in terms of kinds of information needed and
internal and external sources.
Figure 39-1 indicates the obvious, direct responsibility for managing
major internal sources:
1. The organization's accident-incident files.
2. The organization's direct research on significant questions.
3. Analytic studies of major problems.
4. The organization's methods and program
a. Standard operating plans
b. Committee, inspection and other inputs.
5. Standards, manuals, etc., used as internal guides.
The organizationtsscientific, technical and f'unctional staff are seen as
intermediate processors of the vast amount of literature relevant to the organi-
zation's work. The degree of formalization of these roles needed in the network
can be determined by (a) the criticality of the problems, and (b) deliberately
exercising the network on current problems, or retrospectively for accidents
which occur.
Figure 39-1
Professional
Internal External
~ccident
s/~ncident
s
Analytic studies I
I Methods, Manuals,
Safety Methods I
I
I
.
I Scientific, technical
I
Science and Technology

in General -
The external sources needed include (1) rapid, effective channel(s ) for
information or known precedents in other organizations, and (2) general sources
for safety research and technical information.
Conceptual Aspects of an Ideal ~ccident/~nformation System (~igure39-2)
has a central focus on operational responses. The genesis of this focus was
the observed, widespread collection of data of dubious value, indicating the
need to refocus on preventive value.
m e second focus was on diagnostic leads for search out or follow up and
-
response an important use, but one which also contains the premise that
statistical tables are seldom more than diagnostic, and that a requirement of
easy retrieval of original reports is an essential sequel to diagnosis, if
operational response is to be expected.
In the upper left section of Figure 39-2, the essentials of information
on department, area or geography, function, activity, occupation, source
(or agency of injury), and accident type are suggested to be individually
useful, but more importantly, are useful insofar as they produce, in com-
bination, "task specific" descriptions of error concentrations.
Identity of persons involved is also potentially relatable to personnel
data already stored in computers from other files, but such inter-relation-
ships are almost never explored or used in present EDP systems.
- --
Proceeding counter-clockwise in the diagram, the matter of rates that
is, consequences and denominators to get frequency and severity rates
(incidence and impact) is identified.
Nature of injuries and part of body injured are objective data and valu-
able as diagnostic aids.
"Subjective Data" include particularly the ANSI code classifications of
-
Hazardous Conditions and Unsafe Actsand such datahave not been shown to
be bases for operational responses. In the absence of MORT analysis, or
-
its equivalent, many of the data on causes are most certainly WRONG, and
dangerously misleading. (~irstdiscussed on page 56. )
"Keyword Retrieval," that is, retrieval by subject matter, is shown as a
need for codes, standards, etc., as w e l l as accidents/incidents and error
data. Later this was stated to be the primary, first requirement, since
EDP-coiled data of the ANSI type have little value, and practical, useful
studies almost always return to original reports for "task specific" Ian-
guage and classifications.
Moving to the upper right quad.rant, the MORT concept of analysis is shown
a primary aspect with four classes of outputs:
MORT analyses of a few serious accidents/incidents,
Supplemntal reports on short-term samples of accidents which collect
data on segments of Mom,
-
Program specification and measurement in sufficient detail as to
relate accidents to a program deficiency.
- -
Routine reports not a likely source of MORT type data but worthy
of experiment as sources of data on the quality of the Hazafi Analysis
CONCEPTUAL ASPECTS OF AN IDEAL ACCIDENT/ INCIDENT INFORMATION SYSTEM
Figure 39-2.
1-MPLETEFEW, SERIOUS
OTHER ,
[ ACCIDENTS
MORT
FILES CONCEPTUAL,
AREA
'IFUNCTION"
TASK SPECIFICS
I
- SUPPLEMENTAL
PARTIAL OVERALL CODE
-
OPEN -
REPORTS
ACTIVITY
OCCUPATION L
ENDED ?
SOURCE PROGRAM
SPECIFICATION
.. J
1
'1
ROUTINE REPORTS
CONSEQUENCES INFORMATION USEFUL FOR :
I
1. OPERATIONAL RESPONSES w
DENOMINATORS 'p
2. DIAGNOSTIC LEADS FOR
-
4
SEARCH-OUT OR FOLLOW-UP
NATURE OF INJURIES AND RESPONSE.
3. RESEARCH FOR RESPONSE ERROR
AND INFORMATION.
a
TOLERANCE '
L * LIMITS
COST/EFFECTlVENESS MONITORING REPORTS

COST OF OBSERVATION (SIMILARLY PROCESSED)
(1 ON 1 RESPONSE)
-
COST OF INDEXING
(X ON 1 RESPONSE) "INFORMATION AVAILABLE^^ BASIS =
l1NOT LESS THAN" INTERPRETATION
CODES KEYWORD RETRIEVAL USE VALUE
STANDARDS (NOT ELSEWHERE FREQUENCY OF USE CODE EACH SUB-INCIDENT IN REVERSE
PRECEDENTS PROVIDED ) TEMPORAL ORDER
i
EXTERNALS
I
CONSIDERATIONS OF REALISM:
SEQUENCES
I' 2- PERSON" EVENTS
Process (e .g., "not perceptible,I1 "extemporaneous," or "oral"
rather than documented), the presence and quality of procedures,
and in the same vein, the error tolerance limits (~igby).
Monitoring Reports are shown conceptually as being processed in the same
way as accident/incident reports, and this introduces a major innovation,
a major difference from present systems.
A variety of conceptual aspects are shown at the bottom of the schematic:
1. "Information available" basis. A major defect in some kinds of data
(e.g., Hazardous Conditions or Performance Errors) is lack of suffi-
cient investigation and/or analysis to render the data f'ull and com-
plete. Therefore, some potentially valuable data can be collected
-
on an "as available" and "at least" basis e.g., human factors review,
proceduralization, etc.
2. Complexity of the accident is a real analytic and preventive problem.
The possibility of EDP-coding of serious events as a series of inci-
dents is here suggested for exploration.
cost/~enefitaspects are then suggested.. First, the cost of an observa-
tion can be assessed against the immediate preventive action, "one on one"
response value. Costs of indexing, coding, and retrieval can, however,
be assessed only against longer-term operational responses. If long-term
responses are nil or do not use data and report retrieval, expenditures
for coding and retrival are wasted. Conversely, if data are not retriev-
able, long-term, effective responses (except for very serious accidents)
are less practical.
A Basic System.
Key aspects of the basic system are expressed in Figure 39-3, which began
to translate the foregoing considerations into operational terms.
A variety of Inputs was shown. A phaseof Processing, Distribution, and
Application in Fast Action Cycles is diagrammed.
In practice the Fast Action Cycles should be at least two:
1. Immediate oral transmission to the supervisor.
,
2. Rapid, written analysis to four addresses: Line manager, plus his
.
technical staff, safety headquarters, and fi e M
The second phase, Retrieval by Keyword List, is shown as the next major
consideration, ranking ahead of purely statistical tabulations. Examples of
specific information retrieval needs at Aerojet are easy to supply:
1. Cranes handling casks
2. Personnel working adjacent to canals
3. Removing in-pile tubes
4. Removing flux wires
5. Casks improperly labeled
6. Electrical lock outs (for complex systems)
These kinds of tasks and problems are not accurately or well identified in
F i ~ r e39-3.
SAFETY INFORM'ATION SYSTEM
STANDARDS
INPUTS
MONITOR REPORTS
ACC/ I.NC
FAST ACT ION
SEARCH
-t
METHODS OF IKORMATION
APPLI CAT1ON
TECH, STAFF
KNOWN PRECEDENTS KEY WORD RETRIEVAL
TECH, EXPERTS PRE-USE CODING ,
SAFETY
EXAMPLE MORT CODE I
-
7 INDEPENDENT REV IEW
PROGRAM DATA d
I
I
t s Is
ANALY
USE OF A f
DISTRIBUTION
TOP MGT,-
NAT IONAL
COMPUTERIZED
NETWORK
\
statistical types of categories. Also, retrieval of original reports is almost
always needed for efficient and effective analysis.
Pre-use codlng for statistical analysis is shown as a third requirement
and is discussed below in some detail.
The Figure postulates an anslytic process prior to distribution of data.
Two reasons can be inferred from present experience at several locations:
1. Analysis is necessary if misinterpretation is to be minimized. In the
same vein, interpretation and predictive values can be enhanced by
competent analysis.
2. Raw data, undigested, is unlikely to be used by busy designers and
managers, judging from past experience,
Distribution is shown as resulting from two processes:
1. User requests in terms of their projects and problems.
2. Automatic distributions originating in the information unit.
Application reflects the primary role of line management, but shows safeguards
in the independent NOS and Review processes. Thus top management has redun-
dant assurances of adequate application of information.
Uses of Operational Data.
Figure 39-4 cross-tabulates the principal Aerojet information inputs
(accident/incident systems and monitoring systems) against the major kinds of
uses of information. The inputs are defined in some detail in Chapter 37.
The principle kinds of uses are:
-
1. Summary Data aggregates and rates, and trends thereof, plus presen-
tations of such data as Shewhart control charts, and projective models
.
(extreme value, matrices, and perhaps reliability models)
-
2. Statistical Diagnostic Data circumstantial (rather than causal) to
identify clusters of accidents or errors warranting further study and
analysis. The most usef'ul tables are likely to be two to four vari-
able cross-classifications, e.g., by Occupation, Part of Body, Type of
Accident, and Nature of Injury as a diagnostic aid.
3. One-on-one Preventive Action (immediate and subsequent) is shown as a
use of every input. This use is so important as to warrant visible
display in the table as a universal requirement and a planned, audit-
able use.
4. Mass Data for Design or Intensive Study. Substantial data to be called
out when a process or design is being developed or changed, and data
for intensive study of problems identified by cases or diagnostic data
are believed to be the second most important kind of use. These have
Figure 39-4-
Information T.mes and Uses
gindr of Uses -
S w Om-on-on, ,Mae8 Data
Data, atatiatiocrl Prsventiva f orl*Deeign Saf ow
Projeotion M a g ~ o a t i o Aotion o r a t e n a i v e System
InPuts & Control Date (M S U ~ ) StuW Status
Ao &ocident/~naidentData
1. Wurs
a, OSHA
b. 216.2
o. F i r e t aid
2, Property Dauwp
3. Pire
4. Radiation Exposure
5. Vehicle
60 gI#)
7. Other U C defined
8. RDT Incidents
9. Supplemental
10, MXtT (eerious)
11. Other
B, Monitorin&
vo* Site
1 0 Ha!m@Bltlent x x
2. In-house eample x possible x poseible X
3, Supervisor obsen. x ? x ? X
4. l'U)S f i e l d e-o x poseible x
5. H.P.monitom x poerribla possible
6, Radiation badgse It X
7. Prooedural surveil. X x x x
8. Spot o h s o b x poaeible
9. P i l o audits x pooeible
10. BSO Inoidenta x X
11. Teohnioal Support x
17. QA x x
lei aos x x
19, - m a t Control X x
20. Annual Review x x
21. LLEC X X
22. Other and miace x x
v
almost invariably used original, detailed reports, r a t h e r than
summarized data.
5. Safety System Status. The safety system, as defined i n MORT o r tor-
porate schematics, must be audited and measured. Such data w i l l be
a summation of information fragments, r a t h e r than comprehensive f o r
a l l events.
Some inputs can give temporary o r continuous data on segments of
MORT - e.g., supplewntal reports on proceduralization o r hazard
review, or inhouse s t a f f samples of e r r o r r a t e s . MORT, f o r a few
serious accidents, may be complete. The larger number of inputs do,
however, provide observations or evaluations of p a r t i c u l a r aspects
or elements of MORT. The diverse character and coverage of inputs
should not be permitted t o obscure the need f o r a continuous and up-
to-day assessment of the safety system status.
Figure 39-4 was prepared a s a simplified analysis of inputs and kinds of
uses. It will be immediately apparent t h a t some inputs supply information,,
f o r two kinds of uses, some f o r three uses, and some f o r four. No single
source supplies data f o r a l l uses ( ~ u a l i t yAssurance seems t o be an exception,
but i s probably a substantial list of separable inputs, no one of which f i l l s
a l l needs).
The patterns which emerge i n the Figure a r e interesting, and appear t o
provide insights f o r the organization and operation of the information system:
1. Control data sources t o t a l 12.
Shewhart control charts a r e t o be prepared f o r organizationalunits. .
These should be based on t o t a l i n j u r i e s , but a s OSHA data accumu-
l a t e , t h e i r value can be assessed. I n order t o accumulate data by
organization ( ~ i vsion i and Branch) present EDP coding must be adequate.
2 . Only 5 sources seemed t o present important mass s t a t i s t i c a l p o s s i b i l i t i e s .
(EDP coding i s discussed below. )
3. Every source i s used i n one-on-one action.
Review of a l l . i n j u r y reports by the safety engineer and supervisor
i s required ; However, such action is not usually reviewed 'up t o
the l e v e l of Division Manager, and such routing i s suggested.
Further, some record of "fixes" i s required f o r summarization
the Division office. Similarly, the routing and action on each other
kind of input should be carefully reviewed f o r adequacy.
4. Mass data study (which may be f o r only a few relevant cases) came from
13 sources, and possibly 5 others, supporting need f o r key-word r e t r i e v a l .
5. Safety system s t a t u s by 20 data sources, underscoring need f o r system
schematics and other assessment methods.
Key Word Coding.
Several key-word coding systems of national centers were reviewed, but
provided no simple plan f o r use by a smaller, l o c a l system. Several experi-
ments i n coding sample batches of reports of various types, and r e s u l t s helped
provide simple coding protocols.
The system design which evolved was a s f o l l m s :
1. Every report must be reviewed by a cognizant professional - but he
cannot underline key words as he reviews, inconsistency and cost being
primary obstacles.
2. Key-word coding must be done i n the information unit, a t f i r s t by a
professional, l a t e r by a supervised, trained clerk.
3. User needs a r e likely t o center on an a c t i v i t y , one o r more sources,
-
who i s involved, and where.
4. Code only terms f o r which r e t r i e v a l i s l i k e l y f o r special study. (Add
t o vocabulary as deficiencies appear .)
5. -Establish protocols f o r information search on selected topics, f o r example:
a . "Fire" o r "Housekeeping" should u t i l i z e safety engineer's periodic
reports, not coded i n d e t a i l .
b..For a topic, e.g., "reactor top work,!' construct a l i s t of sources
l i k e l y t o be involved.
6. Among "sensitive" categories ( i n addition t o three examples l i s t e d
above) the category of "reactor instruments1' i s t o be coded by specific
major systems ( l i s t them) and a sub-item, maintenance and repair.
7. Indexing must be done by a person (or a group) operating from a defined,
consistent base .
8. Later, terms i n "the evolving vocabulary can be cross-indexed t o the
ANSI detailed source code (231 items) t o produce a cross-reference t o
information items i n EDP injury codes which might have been missed i n
key-word coding.
The system was i n i t i a l l y applied t o an RSO study ( c r i t i c a l incidents) .
Coding time was not burdensome f o r an experienced analyst, because he was thor-
oughly reviewing reports f o r c l u s t e r s o r potential sequences. Data t o be
punched i n t o cards was only: key word, major plant, location i n plant, and
an identifying report number. The computer print-out revealed clusters, and
was immediately put t o use i n project design. A similar report, preexisting,
f o r RDT incidents was a l s o used. Thus two valuable data sources were put t o
increased use a t low costs.
The p o t e n t i a l . f o r an incremental system whereby each data source i s consi-
dered separately a s a possible addition was analyzed f o r mobile and overhead
- 401 '
cranes. Twenty four sources were identified none of which could be overlooked
i n a comprehensive review of these accident sources.
The National Product Safety Commission had a procedure f o r routine d a i l y
indexing of incoming material which should be examined f o r interim applica-
bility. This was a temporary study commission, yet a computerized system was
operated with only a key punch i n the commission and access t o a GSA computer.
Daily indexing of a minimal character was accomplished a t lower cost than the
customary typed cards, logs and endless document routing. A weekly print-out
keeps everyone informed and should stimulate f i e l d office reports of relevant
projects.
The excellent experience of the NCPS with a "dump print" index of i t s
reports and communications strongly suggests t h a t the safety system be expanded,
increment by increment, continuously t e s t i n g values i n each increment.
The possible increments f o r addition t o the system include:
Codes, standards, regulations and technical l i t e r a t u r e (as discussed
i n Chapter 3 6 ) ,
I n t e r n a l policies and procedures (already indexed f o r one Division),
A l l accident-injury reports (supplementing EDP Codes),
Error and Hazard reports from whatever source,
Detailed Operating Procedures and Job Safety Analysis,
The source of the report, a s s i m e n t f o r studx (organization and person )'
and the location of problem need be coded i n addition t o the key word
and document number.
Methods l i t e r a t u r e using MORT terms
Group Cause Analysis and EDP Coding.
The flow chart f o r the r i s k reduction system postulates t h a t Investigation
reports are, or should be, adequate, and t h a t they are being fully exploited
f o r preventive changes a s individual reports, particularly those showing high
potential.
Our present concern i s the cause analysis of groups of reports f o r preven-
t i o n purposes; The r e s u l t s of such analyses w i l l have t h e i r decision value
as a primary c r i t e r i o n of worth. They should lead t o specific preventive
action, provide program guidance or point t o the need f o r f i r t h e r studies. If
one accident provokes some action, proper analysis of groups of reports should
provoke greater action.
Cause analysis i s , however, interlocked with questions of EDP coding.
The small, special studies usually employ categories and methods appropriate
t o the problems under study. I n any event, studies must be evaluated individually.
Cause analysis by EDP methods, usually standardized and simplistic, s p i t s
The small, special studies usually employ tailor-made categories and methods
appropriate t o the problems under study. ( ~ a t l i ,n Patterson and P h i l l i p s )
. .- . . --- -
o u t numbers of impressive s i z e . With standards (such a s ANSI) and l a r g e num-
b e r s , what could be more plausible? And l e s s useful? Unlikely as it may
seem t h e q u a l i t y of t h e d a t a i s o f t e n i n inverse r a t i o t o i t s quantity.
For some reasons we s h a l l s h o r t l y show, we must d i s t i n g u i s h two phases
of use :
1. Preliminary Diagnosis - notions of where trouble, p a s t , present and
f u t u r e , may l i e ; i n other words, clues. From t h i s phase (which includes
much presently published d a t a on causes) no published statements shculd
i s s u e - no statements implying, "Because ..... , so ...."
-
2. F i n a l Diagnosis - using s p e c i a l s t u d i e s and tabulations, r a t e bases,
on-the-spot surveys, t a s k s p e c i f i c analysis, e t c .
Given t h e d i s t i n c t i o n of these two phases it i s possible t o salvage much
u s e f u l information f'rom present EDP systems.
We can d i s t i n g u i s h four major c h a r a c t e r i s t i c s of various types of present
data :
1. Objective - data on name, department, length of servlce, occupation,
p a r t of b d y injured and nature of injury. Also type of accident and
source of i n j u r y a r e i n considerable degree objective and u s e f u l .
2. Subjective - unsafe conditions, agencies producing them, and unsafe a c t s .
3. "Messed up" - using the i n j u r y a s t h e u n i t event, and c o l l e c t i n g d a t a
on t h e injured person r a t h e r than t h e error-committing persons o r
departments.
4. Misleading - using a single-cause concept, o r a s i n g l e condition plus
s i n g l e a c t concept.
Data on t h e first, "objective," category should be compiled by a l l orga-
n i z a t i o n s as s t a t i s t i c a l , diagnostic data. The A N S I method (216.2) i s an
excellent method, although some i n d u s t r i e s seem t o have found t h a t a l t e r a -
t i o n s increase usefulness f o r them.
The second c l a s s of d a t a , "subjective," sometimes called cause codes,
have a l l t h e last t h r e e f a u l t s l i s t e d above. Therefore a moratorium on f u r -
t h e r publication outside t h e using organization i s strongly urged. Enough
hasm has been done, and w i l l take years t o correct.
The development trends which can be visualized, and should be encouraged,
a r e shown i n Figure 39-5 on t h e next page.
Some general suggestions on r o u t i n e l y t a b u l a t i n g d a t a by subproblems,
r a t h e r than " a l l accidents" can then be given.
Also, problems in conducting s t u d i e s f o r f i n a l diagnosis can be explored.
The use of computers can be valuable within the necessary q g a l i f i c a t i o n
Figure 39-5
Develop methods
which display
layers & sequences
b
General Management
process failures
a s t o type of information computerized. Modern quick-access f a c i l i t i e s can pro-

-
duce considerable data useful t o f i e l d personnel p r a c t i c a l service t o the
f i e l d i s a t e s t of any computer s e t up. Valuable studies can be made by
r e l a t i n g accident incidence data t o other data stored i n a large computer,
especially personnel data.
All three research s i t e s involved i n the study have computerized accident
data systems which follow, more o r less, the ANSI method. Sandiats system
-
could probably be called "best" of the three occupation coding i s excellent,
a c t i v i t y coding i s attempted, and research data ( e .g., environmental weather
data) are added t o codes. A quick-access method i s u t i l i z e d . However, cross-
tabulations usef'ul i n headquarters and f i e l d are only s t a r t i n g t o be used. With
a few s l i g h t reservations the Sandia system i s a s good as all but a f e w and far
superior t o most systems.
Fundamentally, the systems a t any of the three s i t e s produce l i t t l e infor-
mation of decision value, and the machine capacity a t two of the s i t e s i s
almost unused.
These problems stem from conceptual deficiencies a t the national level,
rather than from l o c a l d e f i c i e n c i e s .
Examples of (1) the need t o supplement coded cause data with additional
observations, measurements, and experience, and (2) the type of study needed
f o r low severity-high frequency topics are found i n National Saf et?t News,
September 1972, f o r s l i p s and falls.
Greenberg (1972 ) provides examples of useful diagnostic t a b l e s with
simple computer routines t o assess significance of minor/major injury ratios.
** jC
Present Objective Codings. The ANSI method i s t y p i c a l of some aspects of

these data. The suggested cause-related codes include: Nature of Injury,
Part of Body, Source of Injury - object, substance, exposure, or bodily motion
which produced injury, and Accident Type - event which d i r e c t l y resulted in
injury. (This l a t t e r c l a s s i f i c a t i o n may be improvable through use of energy
concepts and hazard c l a s s i f i c a t i o n ( s t e i n and Cochrane, 1967)). Source, a s
deflned, i s useful (but "Agency" requires a showing of unsafe condition which
i s subjective).
To these four objective ANSI codes are typically added, l o c a l l y defined
identification data such as name, department, occupation, length of service,
area, e t c . Such codes as occupation must be locally defined t o be compatible
with l o c a l records.
Activity (task) codes %re sometimes used, and are useful i f they are task-
specific t o the o r g a n i z a t l ~ n .
Severity, days l o s t , and cost data (with limited scope) are useful i n
evaluation and diagnosis.
Present Subjective Coding. Presumably e a r l i e r discussions i n t h i s paper
have adequately explained deficiencies believed t o e x i s t i n ANSI-type cause
data. (see particularly page 56 and Chapters on Change, Sequences, and MOF€C
Analysis. )
The incorrect information and fallacious concepts are perpetuated a l l
around us.* Thus, the plea t o Stop Now i n propagandizing nonsense.
I n fairness t o the ANSI method, i t s preamble alludes t o "general pstterns
of injury" and "guides t o areas, conditions, and circumstances t o which acci-
dent prevention e f f o r t s may be most profitably directed," which imply prelim-
inary diagnosis. Further, among i t s purposes i s a b i l i t y t o handle "mass data
and take i n t o account the wide variations i n completeness and accuracy." But
the sins committed i n the name of the method remain - how can valid data be
obtained from incomplete and inaccurate reports by using a conceptually weak
and misleading method? Yet tables reporting compilations of xx,000 reports by
an o f f i c i a l agency have a surface plausibility, and are widely quoted by those
with l i t t l e understanding of the problem (or from i n e r t i a ) .
Among the best, i f not the best, of the ada-ptations of the AI'?SI method,
i s the method used by Bethlehem S t e e l Company, especially a s it i s based on
* For a current example, see National Safety News, January 1971, p. 10.
- 405 -
a JSA-JIT-SO concept (see Appendix L) .
The c l a s s i f i c a t i o n s are as follows:
Category Items Code Capacity
1. Man Cause 17
2. Man cause background 15
3. Environmental cause 17
4. Environmental cause background 17
5. Actions t o prevent recurrence -
21
Totals i n -
5 Dimensions 87
This i s an admirable e f f o r t t o r e f l e c t m l t i f a c t o r i a l concepts. Coupled
with the use of intra-organization definitions and system, and a coding of J S A
number and step, the method i s proving most useful.
For comparison, the ANSI method would yield:

Category Items Code Capacity
1. Hazardous condition 47 1
2. Unsafe Act
-
Totals i n 2 Dimensions
The number of dimensions used provides a check on i n t e r n a l consistency
and v a l i d i t y , a point stressed by Bethlehem.
If any organization were t o seek a method f o r use tomorrow, the Bethle-
hem code (or t h a t of the U. S . Department of I n t e r i o r ) might be a good point
of departure. And certainly no one should discard present coding u n t i l a
b e t t e r a l t e r n a t e i s found. (~ethlehemforms and codes are i n Appendix L. )
Originally it was hoped t h a t a useful, valid cause coding applicable t o
all (or almost a l l ) accidents could be developed from such sources as: (1)MORT,
(2) Bethlehem S t e e l Company codes, (3) Sandia and Lawrence codes, and (4) ANSI
methods. The attempts have, thus f a r , been unsuccessf'ul. In n m r o u s trials,
coding c l a r i t y and definitions broke down due t o lack of a stated Hazard Anal-
ysis,F'rocess i n the o r i g i n a l reports. Despite the f a c t t h a t d i s c r e t e , mutually
exclusive categories may not be needed f o r preliminary analysis, so many
compromises were made a s t o v i t i a t e meaning and use.
Therefore, the primary needs seem t o be development along l i n e s indicated
e a r l y i n t h i s section before anything l i k e a uniform practice could be consid-
ered. It may be useful t o have data on the characteristics of s i x major sys-
tems compiled during the study. See Figure 39-6.
Error Classification. Those who have studied e r r o r s find t h a t the meaning-
f u l data usually involve numerous task-specific descriptions of acts.
The broad classes and types of e r r o r s described i n the l i t e r a t u r e are seen
- 406 -
inure 39-6. Characteristies of EDP Codes
.
l?sC
OSHA
ID Sandia ARSI A'ST Beth.St.
Number
x
Birthdw
X
Ocoupation X
Oocupation Class x
-- -
Semioe Total
Occupation
Job
Employer X
Area Promisee 3 x
Bature of Location 10
Department name Org* #
~ocidenthncident
Class x
Medioal Disposition
Extent
Days Out x
W e Charges
Cost8 X
Date X
Day of Week
Tino
Time elapsed
Objectire Data
Bat- of Injury 12 2x27
P a r t of Body 11 2x40
Aoc 10 2x44
Inj 18 425 Veh
15 2x21 12
Task 11 2x36 JW4d i g i t P
Aotivity 14 +16 Veh & step# 2 d i g i t
Koura on Duty %
Weather a& Solunar X
Subiective Data
Hazardow Condition
Unsafe Aot
Preventive Action 3x21
*ANSI codes source, and "Agencyw i f a hazardous oondition i s reported f o r the source.
Others sometimes use term *agencyn f o r source.
NB. Sandia and A%T s l a o provide additional motor vehicle oodes.
++Assign# i f g JSA and i f one needed.
primarily as taxonomies f o r use i n task-specific studies.
Despite these worcZs of warning, several attempts were made during t h i s
study t o use e r r o r c l a s s i f i c a t i o n , e i t h e r alone or i n combination with the COB
cepts of unsafe a c t . IIFne e f f o r t s thus f a r produced so= i n t e r e s t i n g ideas, but

nothing u s e f u l f o r "export."
For example, the e r r o r matrix a s adapted from
Rook was applied t o management errors -
the r e s u l t s were provocative but mostly
speculative. Error classifications, as well as unsafe act c l a s s i f i c a t i o n ,
founder on present ignorance of the underlying work situation. If a s i t u a t i o n
hasn't had good hazard analysis, the data seem e i t h e r inaccurate or meaningless.
However, the e f f o r t t o produce usef'ul e r r o r c l a s s i f i c a t i o n methods seems
worth pursuing. If a useable method can be found, it o f f e r s the hope of repor-
t i n g safety conditions, from a l l kinds of reports, i n common terms useful i n
other management problem areas.
A positive example of task-specific e r r o r l i s t s usef'ul i n accident/inci-
dent reporting i s the Reactor Operator Performance Checklist developed by
American I n s t i t u t e s of Research (1968).
Based on t h i s type of concept, other
task-specific studies of reactors have been made ( ~ e r t n e y ,1965).
A s e a r l y a s 1943, Grieve reported t h a t ANSI cause code t i t l e s were useful
only if each category w a s broken down i n t o task-specif;ic categories f o r a
specific source of accident. A t the same time such language eliminates much of t h
the subjective judgment from which ANSI data suffer.
Swain (1970) has defined e r r o r r a t e data needs i n terms which, i n large
part, preclude mass, standardized data systems. Rather he seeks uniform methods
of reporting task-specific studies. For e r r o r studies h i s report suggests:
I. "A procedure f o r establishing a non-computerized, manual entry, interim
human performance data bank,"
2. "Error r a t e as the basic c r i t e r i o n variable," and
3 . "Questions whether the gains realized from automatic high speed d a t a
r e t r i e v a l would be worth the added complexity ..'I and other associated
problems.
Examining Causal Layers. This objective would presume t o inquire i n t o the
management systems which produce accidents and errors. R. J. Nertney, human
factors s p e c i a l i s t a t Aerojet, has the belief t h a t minor e r r o r and accident data,
while having maxginalvalue as predictors of serious events, do have value i n
detecting the kinds of system deficiencies which can produce major events, and
has shown case h i s t o r i e s of minor events which cumulate i n t o sequences.
Management System Failures. The U. S. Department of I n t e r i o r ' s accident
record system i s predicated on successive review of accident reports t o deter-
mine f a i l u r e s and problems by functional responsibility: supervision, higher
supeniision, personnel, supply and l o g i s t i c s , engineering, finance, and legal.
(pope and Cresswell, 1965.) The Department has numerous i l l u s t r a t i o n s of the
value of i t s system. However, it i s believed t h a t t h i s i s only a f i r s t step
i n designing a system t o apprmch system safety objectives, and t h a t , without
depth review, reports of human e r r o r and condition defects w i l l tend t o be sub-
jective. It i s noteworthy and commendable t h a t the I n t e r i o r forms attempt t o
i d e n t i f y a v a r i e t y of manamment problems.
System Safety Failures. This paper i s replete with i l l u s t r a t i o n s of the
kinds of data believed necessary. However, f o r any broad, standardized system,
the information needs would center around a few key concepts:
1. Risk Assessment System,
2. Hazard Analysis Process, and a subclass, Life Cycle,
3 . Safety Precedence Sequence.
This approach would lead, f o r example, t o attempts t o get objective data on
the "Triggers" and "Information" available before and a f t e r an accident.
Since the system approaches t o be used as measurement standards are gen-
e r a l l y under-developed, it has seemed t h a t i n i t i a l analysis mightbe focused on
Procedures - a c e n t r a l point i n the Hazard Analysis Process, and an aspect f o r

which standardized and p r a c t i c a l c l a s s i f i c a t i o n s are attainable. The t e x t sug-
gests how the quantity and quality of Procedures might be assessed. (Also,
Catlin, 1969, provides a useful example. ) If Procedures are a useful base point,
analysis can then proceed i n two directions:
1. Backward i n the process t o attempt t o measure the elements of Hazard
Analysis.
2. Forward i n the process t o attempt t o measure supervisory coverage by
the JSA-JIT-SO concept.
I n t h i s approach, the f i r s t step would be a transfer code or statement of
equivalence between MORT concepts and the organization's operating safety pro-
gram. The data are then tabulated by the organization's c r i t e r i a .
An i l l u s t r a t i o n could be found i n Aerojetts Independent Review Program.
I n t h i s case Aerojet exceeds MORT s t a n d a d s . Aerojet could e a s i l y tabulate
a t what phase accident situations slipped through i t s Independent Review process.
Routine studies. A t one s i t e a f i e l d safety engineer was preparing, by
hand t a l l y of f i r s t a i d reports i n h i s f a c i l i t y , a cross-classification of
Occupation, Part of Body, and Nature of Injury. Such data were stored, unused,
i n the computer.
-
A drive t o help and service 'people w i t h presently usable data i s warranted.
Many cross-tabulations of f'unction-related and cause-related data can be
found by exploratory studies. (probably nothing of value w i l l be found i n one-
variable tabulations. And voluminous print-outs without summaries are waste-
f u l of time.)
Other Major Categories. Motor vehicle and f i r e accidents are other exam-
ples of ty-pes deserving special study. Their presence i n other f'unctional
tables may provide more confusion than l i g h t . That i s , cause-oriented data
could s e t aside motor vehicle accidents f o r separate study.
Computers. "Garbage i n , Garbage out" i s a common phrase. But much data
i n computers i s not garbage. A quick-access method, and a service-to-people,
decision-oriented, imaginative analyst can develop considerable useful data.
Accident data are not being correlated with other data i n the computer.
Therefore, much potentially useful data i s going unused. Two ty-pes of i l l u s -
t r a t i o n s are i n order:
1. Accident and occupation exposure data can.be used t o produce r a t e s by
occupation by simply using two separate computer tabulations.
2. ~ i c i d e n t sand such data a s t r a n s f e r s t o new jobs can be tabulated i n
research-type programs t o diagnose high accident r a t e situations.
This may require special programs, probably on a one-time basis.
Then accident type and circumstance data can be obtained by quick-
access methods.
The NSC Symposium1s Group 111 report ( ~ ~ ~ e n K)

d i has
x short sections on
Diagnosis and Decision-Making Potential, plus other usef'ul suggestions.
***
The organizationts information system does, of course, need an adequate
national system (chapter 40), good measurement techniques (chapter 41) and
management assessment methods (chapter 42).
- 411 -
40. NATIONAL INFOMTION SYSTEMS
The basic purposes and functions of a national system do not seem t o

d i f f e r from those of a l o c a l system, except i n a few respects:
Fast action cycles are l e s s important, but s t i l l necessary - f o r example,
a f l a s h b u l l e t i n on an emerging problem,
Information f o r operational decisions and application are s t i l l purposes,
Application a t a l o c a l l e v e l i s s t i l l primary, and t h i s r a i s e s the ques-
t i o n of speed, accuracy and relevance t o l o c a l u s e r s ,
Collation, translation, analysis and " s t a t e of the art" summaries should
emerge from national centers (rather than long, long bibliographies ) ,
Assessment f o r various types of national leadership or management i s a
function.
There a r e seemingly deficiencies i n these services a t a l l of the national
information centers, i n p a r t because the centers are underused.
Information Networks. S c i e n t i f i c information i s so broad and interrelated
t h a t the idea of networks of computerized systems has evolved.
The Highway Research Board of the National Academy of Sciences, and the
National Safety Council have a two-element system now. Several contractors t o
the National Highway Safety Bureau have recommended expansion t o three o r more
elements of concentration with f u l l exchange.
The NSC, Highway Research Board, and selected u n i v e r s i t i e s are primary
nodes i n the t r a f f i c system.
NSC has the function of screening (1) behavioral, social, mathematical,
engineering, and biomedical sciences ; (2) academic, professional, i n d u s t r i a l
and government sources ; (3) b u l l e t i n s , proceedings, journals , books, and tech-
n i c a l reports; (4) completed and in-progress research projects ; f o r safety
information, which also yields o c c u ~ a t i o n a linformation.
Thus it i s not d i f f i c u l t t o envisage a computerized occupational safety
information network ( ~ i g u r e40-1). Under such a concept, each center assumes
primary responsibility f o r coverage of i t s area and u t i l i z e s other centers i n
t h e i r specia1 areas s h n c t i o n s most ready and relevant f o r network t r i a l s axe:
1. General occupational safety NSC-
2. Nuclear safety - NSIC
3. Aerospace - NASA
I n i t i a l l y , these three major centers should be organized i n t o an e f f i c i e n t net-
-
work giving f a s t and complete service i n useful forms.
Other centers or nodes t o be added a r e not hard t o envisage:
4. Human f a c t o r s and aerospace - Harvard
Figure 40-1.
A Possible Computerized Information Net
NSC
General Safety Besearch *--+ Translators
General Safety Information
S e c t i o n a l Safety Information
Behavioral Journals
--- Periodicals
--??
f- "\ \- USERS
Harvard I
?J.
Human Factors
Q +-
UN1VE;RSITIES
Aerospace I HWYBB
Rgineering
TWE
ASSNS . Operat i o n s
Systems
5. F i r e - I l l i n o i s I n s t i t u t e of Technology
-
6. Aerospace and other m i l i t a r y centers, for
A major, chronic weakness i s i n the t r a n s l a t i o n of f i n d i n g s i n t o usable
form. I n a multi-layer organization, t h e headquarters has an intermediate s e r -
v i c e r e l a t i o n s h i p t o i t s branches. I n general, t h e broad spectrum of s c i e n t i f i c
and t e c h n i c a l information relevant t o s a f e t y r e q u i r e s " s t a t e of t h e art" t r a n s -
l a t i o n i n t o usable form, and t h i s i s a function of both i n t e r n a l s c i e n t i s t s who
know t h e organization's problems and/or e x t e r n a l agencies familiar with safety.
S t a t e of t h e a r t papers have t h e important c o l l a t e r a l function of reducing sub-
sequent needs f o r reference t o unwieldy, l a r g e numbers of references.
A growing number of pleas f o r b e t t e r s e r v i c e and r e p o r t s of progress a r e
being published, f o r example:
1. Nuclear Safety, a journal.
2. M i l l e r - The Safety Information Challenge. (1966)
3. System Safety - Progress Report on National Technical Information Center.
4. Montgomery - System Safety Information Exchange.
5. Pinkel - Data Requirements Analysis i n Support of System Safety (1971)
6. McIntyre, e t a 1 - A Technique f o r t h e Acquisition, Storage and R e t r i e v a l
- 413 '
of System Safety Information ( ~ i Force,

r 1970)
7. American Nuclear Society - Information Center on Nuclear Standards.
Both AEC and NASA have reported additional studies of information systems
underway.
Measurement of effectiveness of e x i s t i n g networks, i n t e r n a l and external,
should be determined by both study and conscious exercises. Initial trials
of remote terminals linked with major information centers seem t o be i n order.
I n the near future, on-line access t o remote information banks w i l l
become routine. Ekperiments t o develop safety-related experience a r e d e s i r -
able. An experiment between an AEC s i t e , NSC , and NSIC could provide u s e f u l ,
guidelines. (NSC does not now have on-line capacity, but should have it ,
I n t h e interim, telephone o r teletype could be used f o r regular
dialogue.) Such an arrangement between NSIC and NSC should be explored.
( w u c U ~ R SAJ?ETY, Vol. 7, contained some opinion on t r a i n i n g procedures f i l t e r e d
t o d i f f e r e n t audiences, s a f e t y organizations and other items which should be
of general application.)
I n MORT T r i a l s a t Aerojet, several t r i a l s of national centers produced
mixed r e s u l t s - good and poor. Telephone exchanges were necessary t o c l a r i f y
needs. Undigested volumes of information were received. Despite these prob-
lems, much good information was produced.
Local organizations sorely need improved national services.
Thus, if an accident investigation brings t o l i g h t accident information
i n the national network which would have been relevant t o the accident, the
f a c t and the causes of non-communication should be recorded.
Measurement techniques, specifically, Incidence Analysis brings us t o the
thicket i n the jungle where the opponents and proponents of standard injury
frequency r a t e s and severity r a t e s lurk. To avoid being jumped by the t i g e r s ,
we s h a l l approach very, very cautiously! However, a f t e r considerable hacking
around i n the jungle, it r e a l l y doesn't seem t h a t we can get where we must go
from there. New roads a r e more promising.
Proceeding carefully, it seems wise t o begin with where we want t o go,
and work backward.
I n the opening section we stated purposes of measurement, one of which
was t o help managers assess residual r i s k . Incidence Analysis was shown t o
have three functions. Using the flow chart numbers ( ~ i g u r eV I I I - 1 ) they are :
12. Preventive -
supply helpful information f o r program design and pro-
gram evaluation.
13. Predictive - provide s t a t i s t i c a l information useful i n assessing r i s k .
-
14. Comparative provide information f o r inter-unit rankings o r awards.
Preventive, the f i r s t of these, i s r a t h e r e a s i l y disposed of f o r the
moment. 1 t . c o n s i s t s of providing r a t e s plural, generally moving toward the
~ r r o r / ~ ~ ~ o r t type
u n i of .
t ~ comparison, e g ,, accident r a t e s of personnel trans-
ferred t o new jobs.
One of the f a c e t s of human f a c t o r s review which s p e c i a l i s t s have empha-
sized i s the i d e n t i f i c a t i o n of "error opportunities." I n t r a d i t i o n a l safety
effort, a new employee has been seen a s an accident prone situation, or i n the
language of human factors, an "error opportunity."
I n non-safety operating records, there should be a t l e a s t a modest number
of rate-base data, f o r example, new employees, transfers, changes i n occupation
o r s t a t u s (e .g., supervision), work orders i n production or maintenance, e t c .
A s rapidly a s such rate-base data are located and defined, the.tabulation
of comparable accident data should be i n s t i t u t e d t o derive r a t e numerators.
Pending explorations of e a s i l y obtained r a t e s , it does not appear worth-
while t o consider special, new rate-base data. But, i f the f i r s t t r i a l s are
encouraging, it may be worthwhile t o consider other, and perhaps new rate-bases,
e.g., new models of vehicles, machines, or other equipment. I n such cases it
would, of course, be necessary t o c o l l e c t data on former equipmnt as control
data.
These r a t e s or other indices a r e an aspect of Program Evaluation.
Comparison, the t h i r d of the purposes, i s or should be of minor signifib

came. Rankings are' useful f o r only gross c o ~ p a r i s o n s . (NSC Symposium Appen-
- 416 -
d i x M. Also see Journal of Safety Research f o r symposium papers. ) Awards
a r e nice, but even good plans such as those of NSC and AEC do not qualify a s
relevant t o r i s k of the major specific d i s a s t e r s and accident problems of an
organization. Too often, award ceremonies a r e clouded by shortly subsequent
d i s a s t e r s , and the award may have done a disservice.
The Predictive value of s t a t i s t i c a l data i s our primary present concern.
(~ame-of-the-hazard, p r i o r i t y problem information comes from another source
(flow items 19 and 20) ) .
During t h i s study, and prior thereto, a wide variety of approaches and
proposals f o r making standard and non-standard frequency and severity r a t e s
more meaningful t o management have been examined, and some new approaches t r i e d .
But, f o r reasons which w i l l be developed, the standard frequency and severity
r a t e s seem largely useless i n predicting r i s k and should, f o r the moment, be
forgotten. However, the ANSI injury definitions seem useful f o r predictive
purposes when supplemented with other data and processes i n ways d i f f e r e n t from
the standard r a t e s .
The f i v e basic s t a t i s t i c a l m e t h c d s of r i s k measurement and projection
recommended are :
1. Aggrega;te Long-Term Totals , \
2. Frequency-Severity Matrices,
3 . Extreme Value Projections,
4. Rates and Probabilities,
5 . Control Charts f o r Short-Term Fluctuations.
The f i r s t four methods constitute an approach t o informing management of
the seriousness and likelihood of long-term losses, including the worst l i k e l y
The f i f t h method i s t o t e s t significance of short-term fluctuations, and

has already been discussed i n Chapter 37. Naturally, the control charts can be
used f o r monthly, quarterly or annual data, and f o r plants a s well as departments.
Aggregate Long-Term Totals.

The size of aggregate long-term losses and potentials, past and f'uture,
determine the need f o r and size of the safety e f f o r t . I l l u s t r a t i o n s i n the
form of l i f e cycle estimates were shown i n a t a b l e on page 264, but only f o r
injuries.
The general goals of r i s k projection can be stated i n terms of a summary
table, Figure 41-1.
The general t a b l e constitutes a framework f o r collection of data i n
supporting tables and rates. The problems of estimation are not easy, but
neither are they unduly d i f f i c u l t .
Figure 41-1.
The Past Record The Risks?
Adverse JI
10 Years. Last Yea. 'Next Year
10Years
Likely Worst
Occupational Injury
Deaths
Disabling
Total
$ Costs
Motor Vehicle
Number of Accidents
$ Costs t
-
Fire
Number of F i r e s
$ Costs
-1
I
t
t
Other Damage I
Number of Accidents i
$ Costs 1
l
Total $ Costs
i I I
Adverse Events. The l i s t can be expanded t o include insurance costs (non-
duplicative), off-the-job i n j u r i e s , tornadoes, earthquakes, o r other d i s a s t e r s ,
customer or public injury o r l i a b i l i t y , o r any other events s i g n i f i c a n t t o the
organization. The l i s t e d items are simply key items from supporting t a b l e s
which w i l l display other d e t a i l behind the estimates. Cost figures, particu-
larly, require good footnotes, and two kinds of notes i l l u s t r a t e the problem,
f o r example:
1. The f i r s t note on injury costs might say t h a t Sandia's method of compu-
t i n g standard costs ( d i r e c t and i n d i r e c t ) was used.
2. A second note might say ( i f management believes i t ) t h a t t h e non-safety
losses from oversights and e r r o r s similar t o those i n accidents are
l i k e l y many times the l o s s figures shown.
The Past Record. This presumably i s a straightforward l i s t i n g , but i f
circumstances a l t e r e d during the last t e n years, the d a t a may require defini-
t i o n or modification t o make them a valid base f o r predicting r i s k . Past and
future periods of twenty years should a l s o be explored - the longer the period
the l e s s the s t a t i s t i c a l v a r i a b i l i t y . The purpose i s t o combat the human ten-
dency t o remember the good years (awards) and forget the bad ones ( d i s a s t e r s ) .
Some i l l u s t r a t i o n s of needed supporting data follow.
Detailed Occupational Injury Data. The supporting table should i d e a l l y
show i n g r e a t e s t d e t a i l the relevant categories i n a continuum:
Death - multi-death
single death
- 418 '
Permanent Total D i s a b i l i t y
Permanent P a r t i a l Disability:
Over 1,000 days charged )
100-1,000 days charged ) data needed*
Under 100 days charged )
Temporary Total Disability:
Over 100 days )
10-100 days ) data needed*
1-10 days 1
Less severe :
Medical
F i r s t Aid
* The ortiter-of-magnitude d a t a on days charged are u s e f u l i n constructing a
matrix. However, i f obtaining such past d a t a i s too laboriouk, the worst
value (days charged t o an accident, not an injury, can be e a s i l y determined
f o r the last 20 years i n order t o make e x t r e m value projections). (This same
comment applies t o motor vehicle, f i r e , and damage data discussed below. )
-
Cost. Conceptual weaknesses i n i n j u r y cost data have been .alluded t o i n
t h i s paper (see f o r example, page 176 and 256) . However, the Sandia (1971)
u n i t cost method has much t o commend i t , p a r t i c u l a r l y ease of application t o

current reports. It includes standard c o s t s , d i r e c t and i n d i r e c t , revised
annually. A method of making a gross adjustment f o r s a l a r y l e v e l and exact
adjustment f o r length of d i s a b i l i t y i s available.
With d a t a of the above types it i s believed possible t h a t usef'ulprojec-

t i o n s can be made by the estimating techniques presently available.
Detailed Motor Vehicle Data. There apparently a r e no data available on
a f l e e t operator's l o s s e s by s i z e , including h i s damages, and PD and PL losses
( l e s s recoveries). Data needed a r e believed t o be:
Over $100,000 $100-1,000
$10-100
Under $10
F i r e Losses. Both matrices and extreme value s t a t i s t i c s show promising
p o s s i b i l i t i e s , and national background d a t a may emerge when needs a r e known.
Some findings are discussed l a t e r . The size categories f o r which numbers are
needed are:
Over $100,000,000 (theoretical, so far!) $10,000-100,000
$100-1,000
$10-100
Under $10
This type of order-of-magnitude c l a s s i f i c a t i o n should become standard f o r a l l
summaries or computerized data. Obviously the l a s t , minor category of f i r e
o r damage may not be r e l i a b l y tabulatable, although a t closely controlled s i t e s
such a s those of AEC it may be indicative.
The use of national f i r e experience t o explore the predictive value of
small f i r e s f o r major f i r e s should be a major exploration.
Other damage. Data and c l a s s l i m i t s similar t o those shown f o r f i r e s
a r e needed.
One company, Lukens Steel, has made outstanding use of damage accident
reports. However, the primary emphasis i s on the preventive use of individual
damage reports, rather than l o s s r a t e s . On the premise t h a t a l l accident
reportsprovide important grist f o r the m i l l , the damage accident system i s
a considerable improvement when added t o injury data. On a premise t h a t manage-
ment i s cost-oriented, the measure i s a valuable addition t o management
incentives.
A technique t o be explored i s the plotting of motor vehicle, f i r e and
damage r a t e s on the personal injury matrix. A common denominator f o r i n j u r i e s
and damage i s needed, but seems t o be no great problem f o r t h i s type of
exploration of the slopes of curves.
The Risks? Some ways and means of making predictions ( r a t e s , matrices,
extreme value s t a t i s t i c s , quality control charts, etc.) will be described, and
others w i l l undoubtedly come i n t o being as the format i s used. Both data and
technology f o r r i s k prediction are now only f a i r , but knowing what i s needed
i s usually a good half of the b a t t l e of acquisition.
The "worst" prospect column i s intended t o show management what the worst
might be a t a "95$ l e v e l of confidence," a s the s t a t i s t i c i a n s say. This i s some-
times defined a s the "probable worst event."
Although "next yearf1 projections may be mathematically the same as ten
or twenty year projections, the next year data may be more r e l i a b l e i f derived
a s a 1/10 or 1/20 fraction of a long-term projection of serious events.
Exposures. The table might be augmented by three l i n e s :
Employment
Property Value
Motor Vehicles ( i n use)
If these exposures undergo r a d i c a l change from past t o future, suitable adjust-
ments or added footnotes would be needed. Presumably cost assumptions, e.g.,
" current year dollarsf1'should be stated.
Reference Values. If an organization has proven incidence of adverse events
a t r a t e s well below comparable organizations, it may be well t o i n s e r t some
reference values i n the form of aggregate losses which would be incurred i f
nmd r a t e s prevailed. The differences between predicted r i s k s and general
r i s k r a t e s are the benefit which helps j u s t i f y the safety expenditure.
Reference values can include three columns of projected aggregates based
on :
1. U. S. average r a t e s or probabilities,
.- -
2. "Good practice" r a t e s o r probabilities,
3. Organization goals.
The national "good practice," AEC experience, and the organization's
data should approach one another.
The reference values could be shown a s r a t e s or probabilities, but it
would be b e t t e r t o compute aggregates f o r exposures l i k e those of the organi-
zation.
Frequency-Severity Matrices.
This management t o o l was i n i t i a l l y described i n Chapter 3 ,
Figure 41- 2 shows the parallelism of Sandia a& NSC chemical laboratories.
Sandia had but one death i n the period, but by chance (bad) shows a s i m i l a r i t y
t o the broader experience. What i s Sandiars long-term potential? Not d i f f e r -
ent from NSC members generally? Thus, the background l i n e seems t o be a help-
f u l aid t o interpretation of r a r e event data. That i s , it seems unlikely t h a t
an organization would have a long-term death p o t e n t i a l s u f f i c i e n t l y d i f f e r e n t
t o change the general shape of the curves.
Figure 41-3 shows the parallelism of AEC research and production contrac-
t o r experience i n successive f i v e year periods.
Figure 41-4 shows some recently compiled data from AEC headquarters.
Lab A had a five-year f a t a l i t y experience similar t o t h a t of a l l AEC research
f o r t e n years. What i s Lab B1s apparent long-term p o t e n t i a l with no five-
year deaths? Likely t o be similar? O r l i k e l y t o be radically different?
Limits i n the usefulness of matrices also appear i n Figure 41-4 - that
i s , l i t e r a l extrapolations may not be i n order. Small differences i n slope
-
may give 2x o r 3x differences i n r a t e (but + lox not l i k e l y ) . Thus the advan-
tages seem t o be a visual, plausible projection of the order-of-magnitude of
long-term r i s k and a t o o l i n r i s k management emphasis.
What i s the point? To keep management from being surprised, t o be aware
of r i s k . The exact time and place of a major accident w i l l always be a sur-
prise. But the probabilistic certainty of i t s occurrence should not be a
surprise. As aforesaid, the impression i s e a s i l y formed t h a t management i n
plants with "good" r a t e s f o r temporary t o t a l s are quite taken aback when the
serious accidents occur. The background data were there, but the interpreta-
Nunbers of Injurf e s by Severity
Sandia and U S . Chemical Labratories
10 100
Average Tine Charge

Fi- 41-1
Ifumbers of Injuries by Severity
AEC Research and Production~Contrrictors
- 423 -
Figure 41-4.
Two Laboratories
One with Death, Other Not
compared with AEC Research
Temporary
Tota1
Disabilities
Severity ( ~ a y sCharged per case)

tions do not seemingly f i t what may very well happen next year, the year a f t e r ,
or perhaps tomorrow.
If we go back now t o our purpose, it was t o help management assess future
-
r i s k , p a r t i c u l a r l y of the "Vital Few." The matrix i s then an aid i n two ways:
1. Inferring " t r u t h from uncertainty"
2. Keeping strongly aware of the r e a l potentials f o r serious events.
Inferring i s always a risky business. But a t l e a s t we can display, r a t h e r
than obscure, the p o t e n t i a l f o r serious i n j u r i e s . If our own data i s unreliable,
b e t t e r t o remain s i l e n t than misinform management. The industry background pic-
ture, properly used, can be helpful.
Current awareness of serious potentials ( i n the absence of system safety)
i s a d i f f i c u l t thing t o assess. Past emphasis on injury frequency r a t e has
been pervasive. But i f , f o r serious accidents, the prime purpose of the f r e -
quency r a t e i s t o predict, th'e matrix exposes the questionable nature of t h i s
assumption. Further, the industry average, visually, "points" i n the general
direction of "truth." Management i s l e s s l i k e l y t o be l u l l e d . If there are
l i m i t s and qualifications t o the predictive value of the r a t e f o r temporary
t o t a l s (as there most certainly a r e ) , these can more readily be discussed than
when the potentials are obscured i n the standard types of r a t e s .
If it i s agreed t h a t the matrix has potential value, we can explore some
additional dimensions of the concept.
We can extend the matrix t o enter r a t e s f o r temporary p a r t i a l s , or
doctor cases, and examine the degree t o which they help predict the l e s s
stable r a t e f o r temporary t o t a l s . (somewhat i r r a t i o n a l l y we may create incen-
t i v e f o r f u l l reporting ,of f i r s t aid cases, t o get a ."good" slope f o r estima-
t i n g temporaries ) .
We can ask what the shape of the l i n e would be i f r a t e s f o r temporary
t o t a l s were plotted separately f o r 1-9, 10-99, and 100 plus days d i s a b i l i t y .
Would the predictive value of temporaries f o r more serious cases be increased?
Very l i k e l y . And the " v i t a l few'' temporaries with over 100 days d i s a b i l i t y
would be exposed f o r evaluation.
Error r a t e samples (unsafe a c t s and unsafe conditions) can be plotted, i f
converted t o a comparable man-hour or per-man r a t e base. Predictive value of
e r r o r r a t e s could be assessed and used.
And, i n a more pessimistic direction, given background data on multi-death
accidents, there i s no reason why a matrix could not have some predictive value
for the r e a l d i s a s t e r s , a t l e a s t create awareness.
The value of finely-scaled injury plottings cannot be f i l l y examined
because of lack of data. Where f i n e r plottings a r e available, the l i n e s appear
t o be more useful. Consequently, the following possible combination of the
c l a s s i n t e r v a l s suggested e a r l i e r i s s e t out f o r t r i a l :
Category Sub-classes
Multi -death
Deaths + Permanent Totals (single)
Permanent P a r t i a l s - over 1,000 days
PP - 100-1,000 days + TT over 100 days
PP - under 100 days + TT 10-100 days
Temporary Totals - 1-10 days
VII 'combine f o r plotting as .l-1 day
VIII F i r s t Aid )
During t h i s study a wide v a r i e t y of data have been tabulated t o examine

the proposition t h a t trends i n minor i n j u r i e s are predictive of trends i n
major i n j u r i e s . A s much negative data as positive data have appeared.
Greenberg (1972 ) used the wide s c a t t e r , great v a r i a b i l i t y of minor-ma jor

r a t i o s t o support a statement:
"one can therefore not propose any fixed r a t i o between one type of non-
disabling i n j u r y and disabling injury, f o r such a number would be meaning-
l e s s and valueless. "
If no fixed r a t i o , poor predictability,
Presently unexplained trends i n minor i n j u r i e s (intelligent guesses a r e
available) leave a t best moderate predictive value. Finer c l a s s i f i c a t i o n s of
scale and b e t t e r national data may be helpful. For the present, the impression
i s t h a t minor-major trends should be viewed i n the context of a matrix before
being taken a s significant. An exception is, of course, a hi&ly specific
type of accident--e.g., minor motor vehicle accidents a r e believed t o be pre-
d i c t i v e of major accidents, but only i n a context. That i s , urban bus acci-
dents may predict urban bus accidents, but not rural night-time drunk-driving
accidents.
The following specific recommenaations have been made f o r matrices:
1. Use a long-term matrix of frequency r a t e s f o r various severities,
extending a s low i n severity a s possible.
2. Add an even broader c r i t e r i o n from the long-term record of your most
nearly comparable industry.
3. Add the shorter-term experience of your organization.
4. I n s t i t u t e some sampling lpethod f o r assessing the l e v e l of general r i s k
(unsafe a c t s and unsafe conditions). I n s e r t (by dot) data from inten-
sive studies of e r r o r s or unsafe a c t s and conditions.
5. Get professional s t a t i s t i c a l help i n inferring s t a t u s and estimating or
guessing future probabilities and p o s s i b i l i t i e s .
6. You w i l l probably then want t o i n s t i t u t e a special study of d i s a s t e r
and serious accident potentials.
7. You w i l l a l s o very l i k e l y want matrices f o r the classes of energy and
kinds of operations which produce the bulk of the serious i n j u r i e s .
Extreme Value Projections.

The t h e o r e t i c a l basis f o r t h i s predictive technique seems t o be well
established umbel, 1954) .
The technique i s being used a t the National Reactor Testing Station t o
judge the significance and implications of weekly "worst value" radiation
readings. The technique was f i r s t used by Phillips Petroleum Company's Atomic
Energy Division i n 1964, and similar reports were compiled i n 1968 and 1970.
Figure 41-5 i s representative of the technique.
The figure represents "worst value" weekly radiation exposures arranged
from l o w t o high and plotted on cumulative probability paper. The "return
period" across the top indicates how frequently a value could be expected t o
recur.
I n Figure 41- 5, f o r example, an exposure of 1720 mrem would not be l i k e l y
t o occur i n l e s s than 220 weeks, presuming the control system continues t o
operate a s it did i n the past.
The l a r g e s t value plotted (arrow) indicates an event out of the "95% confi-
dence" l i m i t s , t h a t i s , one very much worth looking into!
Such an "outlier" presumably has .assignable cause(s) lying outside the
system. It can l i k e l y be corrected only as an individual event. Then look f o r
similar situations.
On the other hand, i f the s t r a i g h t l i n e projection (1720 @ 220 weeks) i s
unsatisfactory, the system must be changed.
For r i s k prediction the chart indicates the likelihood i n given time
periods f o r small and large values. This can be a basis f o r t e l l i n g manage-
ment what the "worst potential" i s f o r the next year, or the next long-term
period. Also, i n r i s k management, the technique provides triggers f o r hazard
analysis of extreme values.
The method i s quick and easy t o apply. D r . Nertney plotted worst value
figures f o r f i r e s and property damage reports i n a matter of a few hours. The
f i r e data (blessedly) were sparse, but showed a pattern. The property damage
data had more numbers and gave b e t t e r indications of the potential value of the
method. ( ~ i g u r e41-6) Only t r u e "outliers" could produce a $40,000 accident
i n l e s s than 5 years. The search i s then f o r big l o s s potentials, i f the sys-
tem i s acceptable as it stands.
A similar method was used i n a national f i r e study ( ~ i v i n g s t o n ,19679, but
the indications have apparently not been exploited i n f i r e - r e l a t e d industries.
The extreme value technique i s being experimentally applied i n England t o
predict occurrences and help assess "cost/benefit f i g u r e s f o r expenditures on
f i r e protection. " e en nett & Schoeters, 1973)
The f i r s t product of the method, the basic projection, i s very simple t o
use, because the cumulative r e l i a b i l i t y paper automatically does most of the
calculations. Proceed a s follows:
1. Select a period (e .g., weeks f o r a year, 2 weeks f o r 2 years, months
f o r two t o f i v e years, or years f o r 20 years) such as t o produce an
adequate number of plotting points (N).
2. Rank order the warst values f o r each of the above periods.
3. Select a left-hand scale which w i l l allow f o r values two t o three times

your worst value.
4. Divide 1.000 by ( ~ + 1 t) o get a plotting interval.
5. Begin plotting the lowest value a t 4 i n t e r v a l on the bottom scale ; and
plot remaining values a t 1 interval.
6. F i t a s t r a i g h t l i n e . Gumbel's formulae and tables give the i d e a l
method, but an eyeball l i n e usually suffices.
If the data f a i l t o follow a l i n e , o r i f there a r e clusters at the low o r
mid points, look f o r cause. In a plot of AEC property damage data (~ig-ure41-7,
a l s o prepared by D r . Nertney f o r the September seminar) it was necessary t o
convert the worst values t o r a t i o s , because the exposure (AEC t o t a l property
value) increased greatly during the period, i .e .g, raw data on t o t a l d o l l a r
losses were not homogeneous.
The matter of adding the 95$ confidence l i m i t s t o the chart can be approx-
imated by locating points 0.32T and 3.13T, where T i s the return period of
the l a r g e s t value plotted, and draw p a r a l l e l s t o the extrapolated s t r a i g h t l i n e .
(AS with many s t a t i s t i c a l techniques, consultation with mathematicians
o r s t a t i s t i c i a n s i n the organization i s desirable f o r e a r l y applications i)
Rates and Probabilities.

These seem t o require l i t t l e comment, except t o say t h a t a number of pro-
jections may be made from i n t e r n a l and external bases and from various refer-
;;.
i . .
ence values. Also, there may be merit i n separately projecting dissimilar
parts of an organization. Projections may themselves be fractional, t h a t i s ,
1/100 of a death, or 1/1000 of a million d o l l a r f i r e . Fractional projections
can, of course, be priced out as r i s k s .
Certainly great emphasis should be placed on getting useful bases f o r a
v a r i e t y of probability or r a t e calculations - not over-use of man-hours.
Significance Tests.
The injunction t o apply common t e s t s of s t a t i s t i c a l significance t o acci-
dent data which are distributed a s the basis f o r action has been voiced e a r l y
( ~ o o d e ,Mathewson, Littauer, ~ a r r a n t s )and l a t e (NSC Symposium, Appendix M ) ,
but seemingly with l i t t l e e f f e c t .
Much of the data now distributed, i n e f f e c t , suggests t h a t managers and
supervisors become s t a t i s t i c i a n s and make the necessary t e s t s .
The control charts (chapter 37) and the foregoing extreme value projections
a r e , hopefully, positive examples.
P h i l l i p s Petroleum Company a t NETS ( ~ d a h o )used "quality control" type
charts of e r r o r s and i n j u r i e s f o r supervisors and they were reported effec-
t i v e ( ~ e r t n e ~1965
, ) . Rapid, i n t e l l i g i b l e feedback on minor i n jury incidence
seemed t o stimulate supervisors t o use the normal devices of good administra-
t i o n (non-specific t o s a f e t y ) t o bring current r a t e s down t o a t l e a s t the
l e v e l of the best or lowest values recorded i n an uncontrolled situation,
Similar r e s u l t s are reported elsewhere.
This service t o supervisors was based on tabulations prepared by engineers
and was discontinued under conditions of budget s t r e s s i n a successor prganiza-
tion. If basic accident reports are computerized (as they should be, and are
e t ) , the machines can cheaply produce the necessary charts using
a t ~ e rj o
monthly, three-month and twelve-month-values a s moving averages, and thus give
supervisors good signals as t o when situations may be mving out of control.
Aerojet has reinstated the service ( ~ x h i b i t18), and Sandia recently i n s t i t u t e d
such procedures i n i t s r o u t h e reports.
One major c r i t i c i s m of the "standard" r a t e s centers around t h e i r s t a t i s -
t i c a l i n s t a b i l i t y i n measuring past performance a d assessing the future,
particularly f o r small u n i t s , The r a t e s have been accused of being "vague,
unstable, insensitive and of limited r e l i a b i l i t y . " I n the typical r a t e com-
parisons, the small u n i t looks l i k e a "hero" one period and a "dog1' the next.
Which i s correct? Probably neither. Is t h i s the kind of d a t a we want t o
give managemnt t o assess performance?
- 432 -
Periodic data have a tendency, well k n m i n s t a t i s t i c a l circles, t o
regress toward the mean. !l!his i s t o say that a "bad" year i s most often fol-
lowed by a "better" year, and a "goodf1 year, i s most often followed by a
"worse" year, i f short-term data are s t a t i s t i c a l l y variable. This phenomenon
has probably produced many heartaches for managers, and safety professionals
as w e l l .
All the t i m e these aberrations were occuring, the mean r a t e f o r recent
years was probably the best measure of progress or f'uture risk.
-
The computation of trend data can be quite flexible that is, a longer
term reliable trend can be established with 10 year t o 10 year comparisons, or
5 year t o 5 year, or i n a large organization, 2 year t o 2 year. Then both
long term and shorter term (annual, quarterly or monthly) trends can be assessed
with "quality control" methods.
Standard Injury Frequency and Severity Rates.
It should now be clear why present standard (ANSI)rates are deemed t o '
have very limited value. Can anything of use be salvaged? O f course. For
a starter, several principles ccnild be cited:
In l i s t i n g rates show the severity r a t e first, because it i s an index
reflecting management concern, namely, greater concern for most serious
accidents. (This i s a reversal of present general practice. )
Footnote the frequency r a t e as being essentially (95s) a r a t e f o r tem-
porary t o t a l d i s a b i l i t i e s .
Use very long-term, cumulative experience as primary, and l i s t current
experience as indicative.
Avoid detailed, rank-order listings. A t most use four broad groups, as:
"Good" Well below average
"Better than average" Below average
"Worse than average" Above average
"Poor" Well above average
Within those groups, l i s t units i n alphabetical or any non-ranked order.
Be wary of small differences i n rates - they probably have no meaning.
interim recommendations t o AEC the following additional thoughts were
offered:
* Tf current assessments of excellence are needed, tabulations should
-+g the relatively superior award qualification procedures of NSC
a? . -
(NB: NSC procedures referred t o are not those of the Sec-
ti- contests .)
2. Arrsnge operational data i n functional order, rather than rankings
by r a t e s .
Deemphasize cross-context comparisons unless operations are
reviewed f o r comparability. Discontinue a l l rankings based on small,
unreliable r a t e differences.
I n support of a l l the above recommendations, the following rationale was
stated:
Severity Rates. Management i s believed t o have the common-sense concept
t h a t it i s more important t o prevent the more serious events, than the
minor events. The Pareto principle of the "VitalFewl' i s relevant. Be-
tween the two standard ANSI r a t e s , the severity r a t e i s an easy choice.
Concepts of using separate r a t e s or matrices f o r d i f f e r e n t s e v e r i t i e s
remain t o be tested. Cost data a s a method of combining events i s not
widely available on a uniform basis. I n use of severity r a t e s , undue em-
phasis has been placed on "making sense" out of man-day time charges with
a man-hour denominator; the r a t e could be presented as a weighted index.
Lcng-Term Data. Perhaps the most serious criticism of commonly used
monthly or annual tabulations i s the high degree of uncertainty which would
surround management actions based on the data. It simply does not make
sense t o give management a table of numbers i n which random variations
obscure the meaning. Longer term data, up t o the l i m i t s of comparability,
are an obvious, e a s i l y used alternative.
Functional Arrangement. A s an alternative t o l i s t i n g s by r a t e rankings,
which have highly limited significance.and are subject t o gross misinter-
pretation, a l i s t i n g by process o r function i s preferred. Since standard
r a t e s a r e useful f o r only gross comparisons, f i n e comparisons should be
actively dismuraged.
However, subsequent tabulation by AEC headquarters indicated t h a t not even
five-year and ten-year severity r a t e s were s u f f i c i e n t l y s t a b l e measures
t o have broad usefulness, (see, f o r example, Figure 41-4 f o r Labs A and B. )
Consequently and from other t e s t s of long-term s e v e r i t y r a t e s , the over-
riding recommendation i s t o focus on future r i s k prediction and deempha-
-s i z e both standard r a t e s .
Further thoughts along the same l i n e w i l l be found i n Appendix M, which
gives the SymposPum's Group 111 closing points on the frequency r a t e ,
Presumably the foregoing discussions are s u f f i c i e n t t o a l s o suggest the
limited r i s k prediction value of r a t e s f o r minor i n j u r i e s , such as the Serious
Injury Index o r the new OSHA r a t e .
The following citation's of discussions of injury frequency r a t e s are
exhausting, but not exhaustive:
.,
Magyar, stephen Jr "Accident - s t a t i s t i c s , Their Meaning and Communication, "
National Safety News, September 1970.
"Do the figures Lie?11 Report No. 216.1, Occu~ationalHazards, September 1969
"Safety Performance Indicator Fills a Management Weed, " ASSE Journal, March 1969
Miller, Gene, "Going Off the Record?" National Safety News, April1968.
,
Van Zandt G. H. Perry and Blanchard, R. G., "A Debate, Resolved: That Injury
Frequency i s an Accurate Measure of Safety Pei-fonnance," NSC Transactions,
Vole 19, 1967.
Attaway, C, D., "Computing a True Accident Frequency Rate,ll ASSE Journal, Oct 1966. .
Cater, Bernard, "An Argument for the Revision of ASA Code 216.1 Part 1.2.4.-Tern-
porary Total Disability," ASSE Journal, January 1963.
huner, A. W., "The ASA Disabling Frequency Rate i s Not a Good Measure of Safety
,
Perf omance '' ASSE Journal, January 1963.
***
Essentially, the matrix says t h a t r a t e s can be useful i f they f i r s t are
broken down t o expose the data t o scrutiny, before hiding the nature of the
numbers i n the present standard r a t e s . A p r i o r report on Phase 111 included
f o r one s i t e :
The conventional occupational injury and accident r a t e s and cause coding
a r e largely irrelevant t o the rna.ior s a f e t y concerns of the Lab. The
data collected a r e not predictive of major trouble and have l i t t l e appar-
ent value i n decision making.
*+*
It i s r a t h e r well known t h a t the =re a c t of observing sometimes affects
what i s being observed. The f a c t s of observation and use, or misuse, of f r e -
quency r a t e s have certainly had e f f e c t s on tabulatable temporary t o t a l d i s a b i l -
ities -
so much so as t o impair the usef'ulness of the data and d i s c r e d i t safety
professionals. The adverse e f f e c t s of award-oriented data collection on the
quality of medical treatment are not always recognized, but some i n d u s t r i a l physi-
cians urgently wish t h a t adequate, proper medical treatment were a f i r s t concern,
and awards e f f e c t s second i n importance.
42. MANAGEMENT ASSESSMENT METHODS
Aside from routine assessments, and improved assessment hasurements and

predictions i n the ways outlined i n e a r l i e r chapters, the formal management
assessment focussed on two principal methods:
1. Preparation of " P r i o r i t y Problem L i s t s ,"
2. Construction of a "War Room" t o v i s i b l y display a l l indications of
adequate o r l e s s than adequate operation of the safety systems.
P r i o r i t y Problem L i s t s .
Managment should, a t a l l times, know what i t s most significant assumed
r i s k s are thought t o be. The usual second order e f f e c t of such a l i s t i s action
t o reduce r i s k .
The "Fire Safety and Adequacy of Operating Conditions" l i s t s prepared i n
e a r l y 1971 a t a l l AEC s i t e s provide an excellent i l l u s t r a t i o n of t h e need and
value i n PPLts. The needs revealed were significant and deserved correction.
Appropriations as well a s allocation of one-half of regular, budgeted plant
project f'unds were directed t o the needs, and great progress i s being shown i n
periodic reports. Rank-ordered p r i o r i t i e s a r e being applied t o corrections a t
an encouraging r a t e . Any delay f o r budget reasons becomes an assumed r i s k f o r
the present, but possibly adverse public reactions of "assuming risks" a r e more
than balanced by the record of steady reduction i n r i s k . This project had more
limited scope than the full range of safety. While i n general well executed,
the compilations suffered some from the crash nature of the project.
The MORT T r i a l contemplated the preparation of PPLfs on a continuing basis,
and a s a two-channel process through the l i n e organization as well a s the safety
department. (such a process avoids some of the poblems associated with a
5 ZSf
crash project. ) Use the FMEA form (~igure24-5) t o list and rank PPL's.
The PPLts obtained e a r l i e r and informally from safety engineers a t two AEC
s i t e s did, i n f a c t , consist of matters deserving of management attention.
The absence of PPL's r e s u l t s i n major problems going without formal review,
u n t i l an accident occurs. PPL i s not the same as the "worst credible catas-
trophe" used i n AF,C nuclear safety plans f o r advance planning and review. PPL
i s the residual a f t e r review and reduction, and i n on-going operations.
PPL1s give a f i n a l t h r u s t and force t o a monitoring program. The need f o r
PPL stems from repeated instances of management surprise a f t e r d i s a s t e r s , a l -
though underlying causes were more o r l e s s well known i n the organization.
Further, it i s easy i n any organization t o find serious problems which are
being lived with on a day-to-day basis. Finally, management i s e n t i t l e d t o know
i t s assumed r i s k s e x p l i c i t l y , and have i t s opportunity t o develop b e t t e r fixes.
An exercise i n a MORT c l a s s a t Aerojet was quite revealing, Despite Aero-
j e t ' s good safety program and i t s low accident r a t e s , a c l a s s assignment produced
f i r s t d r a f t , individual l i s t s of problems, most of which unquestionably deserved
top management review. I n addition, discussion revealed t h a t only about one-
t h i r d of the problems had a "5-10 page or other document which was the kind of
thoughtful study you'd be glad t o hand t o top management," and t h a t top manage-
ment probably had inadequate, marginal o r no information on one-half t o two-
t h i r d s of the problems. Experience a t other s i t e s suggests such a situation
i s a l l too t y p i c a l of even good safety programs. (~ndeed,a c l a s s exercise with
AEC Field Office safety directors produced almost i d e n t i c a l r e s u l t s i n propor-
tions of studies and top management awareness.)
An experimental procedure f o r developing PPLfs through redundant l i n e and
safety channels with cross-checking a t successive levels was i n i t i a t e d a t Aero-
j e t , as i l l u s t r a t e d i n the following figure:
Figure 42-1. P r i o r i t y Problem L i s t s
(Worst Potentials)
C = Coordination: -
But independent l i s t s may d i f f e r .
Thus f a r the l i s t s have been unstructured. They may consist of broad,
generic problems or highly specific problems. One man's t r i a l e f f o r t organized
specific problems under broad categories of l e v e l from d i s a s t e r s - t o serious.
It i s intended t h a t a f i n a l l i s t be rank ordered by estimated consequences
(probability x severity = r i s k ) rather than by severity alone.
Obviously, such l i s t s are "dynamiteff - why wasn't it corrected? who i s
t o blame? e t c . But the problems on the l i s t s are "cases of dynamite" - many
will explode, given time.
AEC's llFSW" already provided a f i n e example. Nevertheless the a c t u a l
development of the PPL lists has been a d e l i c a t e operation, and has not been a
hurried exercise. Much study went i n t o the l i s t s , and ample opportunity was
given t o managers t o correct subproblems or aspects a s possible.
The author's summary of early phases probably indicates the kinds of
problems which w i l l be typical, and a useful processing method:
The Division requested 37 management people i n d i r e c t operations and t h e i r
i n t e r n a l support groups t o provide t h e i r views of the p r i o r i t y problems.
The raw materials were not forwarded through successive layers of manage-
ment a s raw material f o r t h e i r estimates. The time constraints and the
d e l i c a t e nature of t h i s i n i t i a l sub-project suggested t h a t i n i t i a l c l a s s i -
f i c a t i o n and analysis, coordination and consensus r e s u l t s should be handled
a t a l e v e l which was aware of the f i n a l impact ( i .e., a report t o the very
top l e v e l s of AEC on i t s assumed r i s k s ) and the process whereby t h i s might
-
be feasible and p r a c t i c a l without k i l l i n g antbody l i t e r a l l y or figuratively.
Consequently the responses were first analyzed and c l a s s i f i e d by (1) a
management advisor, (2) the project consultant, and (3) the safety repre-
sentative on the project.
I
The raw material received was depressing reading; many sub-problems were
r e i t e r a t . ed i n various ways.
The i n i t i a l c l a s s i f i c a t i o n of raw material by management s t a f f showed the
following tabulations of items:
Manpower 26
I n d u s t r i a l Safety 10
Morale 23
Aged Plant Equipment 9
-Fuel Handling 13
Audit & Surveillance 8
Scheduling 12 Management Attitudes 6
Procedures ll Fiscal 4
Training 10 Support Performance 4
This analysis and grouping suggested a format f o r analysis and f i n a l out-
put. From subsequent t r i a l s and discussions, the following protocols emer-
ged a s an embryo method:
1. The raw material should be tabulated by knowledgeable s t a f f under p r i -
m a r - headings which emerged from the material. A t t h i s stage, no idea
-
should be omitted, but cryptic notations can be used. ( ~ o t et h a t such a
process i s reviewable and auditable)
2. The above analysis was then taken as i n i t i a l material f o r step 2 -
development of an analytic framework. This amounted t o the following
format :
Col. 1: One or twa. word l a b e l s of major problems (as c i t e d above)
Col. 2: "Sub-problems o r manifestations" -
the l a t t e r being a few-won3
report of the raw material. This was not, and need not be a rigor-
ously defined l i s t i n g -
a s a matter of opinion, much could be l o s t
i f t h i s s t e p was "hard" o r rigorous. The flavor should be retained.
Col. 3: Considerations. This seemed t o consist of several kinds of material:
a . It was a place t o s e t down salutions suggested by responders.
b. Facts of l i f e (e.g., nuclear matters need, first, s c i e n t i s t -
engineer bases, not operators)
c. Sub-sub-problems revealed i n raw material.
d. The analyst's relevant observations or questions t o be answered.
Col. 4: Possible actions: This i n t u r n seemed t o consist of several kinds
of material:
a . Specific, relevant actions
i ) i n being, or
i i ) planned, or
i i i ) possible
but generally not known t o the responders.
b. Management actions or plans not known t o lower levels (inclu-
ding immediate associates)
c. Interim actions t o "fix" aspects, but not related t o a general
study of a major problem. The question then being raised as t o
need, f e a s i b i l i t y , and resources f o r a major study (defined here
as a MORT-formatted study.)
d. A t t h i s point it became apparent t h a t there were i t e r a t i v e
cyclic aspects: e.g., problem = "dontt know where t o make knuw-
ledge and s k i l l availablett; response - "make suggestions" ;
response - "no one pays attentiontt; response = acknowledge and
commend e f f o r t , and report disposition o\f a l l . A graphic or
representative (footn0te)method f o r disposing of successive
extensions of problems was needed, but a t t h i s stage the purpose
could be served by simple arrows and symbols.
Col. 5: Trade-offs - 1 s t l e v e l above. The trade-offs made a t the next
highest l e v e l of management then needed t o be identified, not only
a s p r i o r l e v e l constraints, but as t o the assumed r i s k s implicit
i n constraints or decisions.
a . The constraints can be time, budget, r i s k or performance.
b. The trade-offs may be d i s t a n t i n time or causal r e l a t i o n .
c. A t the time of an accident/incident the general tone of reports
i s t h a t immediate management should have "done it better."
With t h i s , the role of p r i o r constraints on "doing it better"
seem t o be "ex~uses"and w i l l be (1) not proffered, or (2) not
accepted. A l l the time, the "impact statementstt prepared a f t e r
budget-schedule-performance changes probably provided the superior
Col. 6:
managers with assessment of the probabilities.
Trade-offs -
/
levels above 1 s t . Many constraints are impos
decisions two or more levels higher i n the organizati
are successively more immune t o conscious evalu
often imposed by s t a f f r a t h e r than line+w
/
n of r i s k , are
a r e largely unmen-
tioned when an incident occurs. !fhusthe topmost l e v e l of manage-
ment says, "I was uninformed.," - h e new system i s designed t o do
two things:
a . Provide a frame of reference whereby lower management reminds
upper managemfit of " impact statement st' which assessed r i s k .
b. Provide upper management with an assessment of the r i s k s it i s ,
i n f a c t , currently assuming.
I n the course of the above analysis, several generalities emerged:
i ) "Major" problems were often associated with a variety of
minor studies and f i x e s . Thus raising, i n a prominent way,
the question of need f o r a "major study." The general experi-
ence ( i n analysis) suggests t h a t (1) there are kinds of solu-
t i o n s not frequently conceived o r studied i n a s e r i e s of minor
fixes, and (2) these may be more l i k e l y t o be solved i n a
"major study," e.g., a major study warrants more extensive in-
formation search, more in-depth analysis of human factors, and
greater investments i n cures. On the other hand, a general
problem such as morale i s amenable t o many specific f i x e s .
i i ) Not unexpectedly, the problems identified by responders
are inter-related, t h a t i s , manpower o r morale are affected by
procedures, training, surveillance, e t a l . Thus, a second
l e v e l of analysis was indicated, namely t h a t responses be
r e c l a s s i f i e d closer t o the point of action, e.g., morale aspects
of procedures, training, or audit be handled under the l a t t e r
primary headings (where other aspects of procedures, training
or audit could be controlled).
i i i ) Responses affirmed not only need of p r i o r i t y problem analysis
t o s o r t , arrange and respond, but also the need t o communicate
past, present and future actions downward
morale, or other, similar diffuse problems,
-
particuhrly for
3 . Step 3 - Insertion of informal management views of top problems and

i n i t i a l responses t o f i r s t d r a f t analysis above.
4. Step 4 - Analyst reworking of raw material i n terms of above principles.
Specifically t h i s includes regrouping of o r i g i n a l responses under primary
work-oriented headings, t h a t is, under "morale" there are only cross
references t o procedures, audit, training, support division performance,
e t c . On t h i s basis, morale could continue ( i f responders thought so)
i n the number one position, even though solutions were cross-referenced
t o specific aspects.
After the i n i t i a l summary a t Division l e v e l , a number of months were
needed whereby Division managemnt did as much as was w i t h i n ' i t s power t o cor-
r e c t problems. The l i s t with study was then forwarded t o the President f o r
review. Meanwhile, the Safety Division has conducted i t s studies and analysis
and produced i t s l i s t . A s might be expected, the safety l i s t i s more oriented
t o specific major problems i n safety engineerin@;. The project is, of course,
m.
' T i
c o n t i n u i x and many improvernenta have been mde. ( ~ u r t h e rdiscussion, page 444. ) f
... - I,
The War Room.
From the number of Safety Program Improvement Projects ( SPIPS) described
thus f a r , it should not be surprising t h a t it became increasingly d i f f i c u l t t o
maintain an overview and assessment of the work. I n order t o maintain v i s i b i l i t y
f o r the analysis and r e s u l t s , not only f o r management, but t o brief others on
the plans and progress, a "Division War Room" display of the working papers was
organized on a blank w a l l some 20 f e e t i n length. (The display might have been
called " Safety Room" or "Safety Control ~oom.'I)
Although the "War Room" was a working room and not a polished display, it
served i t s purposes:(1) management information, (2) a working focus f o r the
MOKC team, and (3) a briefing room.
The general organization of the material i s shown i n Figure 42-2.
Basic Schematic - The Work Process Schematic, Figure 29-1, p. 294.
Data Assessment f o r Management was the focal panel. This meant (1) data
reduction by Safety and R & QA (fewer isolated, random reports) and then (2)
reduction by Division s t a f f(following techniques i n Chapter 41).
~ccident/Incident Reports used the control charts, matrices, r a t e s and
extreme value projections described i n Chapter 41.
Work S i t e Monitoring - the general plans developed i n Chapter 37, plus
i
reports of a c t u a l monitoring as they came i n - control charts, surveillance
reports, e t c .
Upstream Monitoring - a l s o from the plan developed i n Chapter 37. This
' 441 '
took over half the display because each process and subprocess f o r personnel,
procedures and hardware had t o be separately displayed.
1. I n the upper section, the audit r e s u l t s were shown (good and bad) i n
the format - schematics, steps, c r i t e r i a .
2. An intermediate section showed the s t a t u s of c r i t e r i a and implementa-
t i o n f o r each pertinent review agency.
3 . Three audit schedules and completion were shown: (a) self-audit,
(b) independent audit, and (c) customer upstream audit, e.g., where
a Division uses outputs of Engineering and audits its supplier.
4. I n the lower section each report of a specific oversight and omission
was posted on a 3x5 card, and remained posted u n t i l it had an item f i x
and a system fix - the l a t t e r being a correction of the "reason why
something went wrong. "
PPL and FS&OC s t a t u s were posted.
Fix Control (based on feedback and schematics, f o r each information input)
and special analyses and in-depth studies had a panel.
Information System - t h a t i s governing policies,
1
procedures, manuals,
l i t e r a t u r e , monitoring studies, case records, e t c . , were assembled.
I n addition, on other walls, were displays of model processes (e .g., MORT)
on which projects were plotted, SPIP progress charts, and MORT Team assignments
and projects.
A prototype display f o r the whole corporation was prepared t o show summary
progress along the same l i n e s i n each division of the company and i n each
branch of the safety division. I n addition, schematics, e t c . , were displayed
f o r specific safety division functions.
The next steps w i l l be t o reconstruct simpler division and corporate d i s -
plays, m c h condensed, but supported by f i l e data i n the room.
Ultimately, the display may be condensed t o an "Executive Instrument
Panel" f o r the safety function.
The exercise f u l f i l l e d its original purposes, and w a s helpful i n organi-
zing and d i r e c t i n g the work.
X * *
Gausch (1972) contrasted the subjective nature of many safety decisions

with science-oriented, quantified management decision methods coming i n t o
use. The Decision Table i s a simple method of beginning t o bridge the gap
between safety and management. After postulating a company-wide evaluation
(comparable with the PPL), Gausch i l l u s t r a t e d the condition table and action
table a s shown i n Figure 42-3. The upper condition table i s comparable with
scaling mechanisms shown i n Chapter 2.
5 k
d 4 . Figure 42-3. Hazard - Action-Table
This type of d e c i s i o n a i d should reduce t h e i n e r t i a o f t e n encountered

i n d e a l i n g w i t h numbers of major problems, s i n c e t h e t a b l e provides a simple
focus f o r action decisions.
The Decision-Action t a b l e should be a n e a t way t o move e r r o r r e p o r t s
through a f i x process, Action d a t e s can be e a r l i e r o r l a t e r dependent on
manpower. The r e s u l t s should be an o r d e r l y record of work i n p r o g r e s s and
action.
A method of o r g a n i z i n g a b r i e f r e p o r t t o t h e p r e s i d e n t o r c h i e f execu-
t i v e o f f i c e r i s i l l u s t r a t e d i n Figure 42-4. The MORT diagrams are marked up
t o r e f l e c t program s t r e n g t h s and weaknesses, which can a l s o be shown i n b r i e f
on t h e S a f e t y System ( ~ i g u r e11-1 o r 11-2). From t h e s e p r o j e c t s some are
s e l e c t e d t o f o m t h e S a f e t y Program Improvement P r o j e c t s .
The o r g a n i z a t i o n c h a r t can be marked up t o show t h e "hot s p o t s w - - u n i t s
o r p l a c e s w i t h high-energy and/or poor a c c i d e n t r a t e s . We can draw on a u d i t s
t o show system s t a t u s f o r each h o t s p o t , monitoring r e p o r t s f o r c u r r e n t s t a t u s ,
and a c t i o n planned.
The P r i o r i t y Problem L i s t and t h e F i x Control (grouped d a t a on t h e
l a t t e r ) a r e presented .
Such a format i s f l e x i b l e - - i t can be b r i e f e d down t o e s s e n t i a l s o r
expanded a s d e s i r e d .
The d a t a handling model presently under t r i a l use a t Aerojet employs t h e
following a n a l y t i c elements previously described:
1. The frame of reference f o r management assessment i s established i n
t h r e e ways :
a. P o l i c i e s , goals, c o n s t r a i n t s , commit merits (e. g. , to customers),
scope (damage, i n jury, public impact, program impact )
b. Program i d e a l s (such a s t h e three t r e e s shown i n Exhibits 3, 8, and
12, o r MORT i t s e l f )
c. Specific Aerojet d i r e c t i v e s (see Figure 20-3, page l 9 b f o r a model),
2. Information inputs f r o m Safety and R e l i a b i l i t y i n t h e following
principal areas :
a. Standards, codes and regulations,
b. Incident r e p o r t s ,
c, Audit and monitoring r e p o r t s (see Chapter 37).
3. The "hot spot" lists may be organizations, places, o r processes (such
as shipment of radioactive material).
4. Analysis on a non-duplicative b a s i s by Safety and Reliability--see energy
c l a s s e s (page 36 ) , analysis methods ( ~ i ~ u 24-5,
re page 251, and e i t h e r
Figure 21-2, page 216 o r Fi- a - 3 , page 219).
5. Data reduction following Figure 42-4 t o provide f o r each l e v e l of
authority:
a. Audit a d monitoring r e s u l t s , i n t e n s of
(1) System s a t i s f a c t o r y ,
(2) System improved,
(3 ) Errors, ,,oversights and omissions.
b. P r i o r i t y problems (residual r i s k s )
(1) Action s t a t u s (by suspense d a t e s ) ,
(2) Specific r i s k s t o be assumed o r returned f o r f u r t h e r improvement.
I n t h i s manner t h e o r i g i n a l exercises i n preparing P r i o r i t y Problem Lists
and building a War Room a r e s t e a d i l y moving toward quantified and analyzed bases
f o r management of s a f e t y and r i s k .
IX. SAFETY PROGRAM REVIEW 5, -
S a f e t y Program Review i s postulated as a major f a c e t of management assess-

ment of r i s k i n both t h e general r i s k assessment model ( ~ i g u r e21-1, page 212)
and i n t h e process of d a t a flow f o r r i s k reduction ( ~ i g - u r eV I I I - 1 , page 346).
The general scheme whereby such review can be conducted i s outlined i n
r e v i s e d MORT, as follows:
SAFETY PROGRAM REVIEW
1. Define I d e a l s
2. Descriptions and/or Schematics
3. Monitor, Audit, Compare
4. Organization
a. Scope
b. I n t e g r a t i o n (or Coordination)
c . Management
- Peer Committees
5. Staff
6. Services
Safety program a u d i t has already been p r e l i m i n a r i l y discussed as an
a s p e c t of Monitoring, Chapter 37.
Ideals.
The i d e a l s toward which a s a f e t y program is t o be developed, and a g a i n s t
which a procam can be measured, should be a r t i c u l a t e d . MORT c o n s t i t u t e s one
such i d e d It i s not so much important that MORT i d e a l s be accepted, a s t h a t
an organization's o r s a f e t y p r o f e s s i o n a l ' s i d e a l s be s t a t e d and described with
comparable s p e c i f i c i t y . If a MORT i d e a l i s not a t t a i n a b l e o r i n c o r r e c t , simply
s t a t e t h e a l t e r n a t e provisions which a r e tenable.
What should management know about (and r e q u i r e ) of a s a f e t y process?
1. E s s e n t i a l l y t h e management s i d e of MORT:
a. e s p e c i a l l y higher ranked m a t e r i a l ?
b. e s p e c i a l l y a r i s k assessment system?
c. e s p e c i a l l y a hazard a n a l y s i s process?
2, Plus?
a. a ' s a f e t y precedence sequence?
b. energy, b a r r i e r , change and e r r o r ?
c. e r r o r tolerance l i m i t s ?
d. e f f e c t i v e supervisor approaches?
I d e a l s a r e t h e working platform from which improvements a r e projected.
Descriptions and/or Schematics.

It seems fundamental t h a t the s a f e t y program i d e a l s and a c t u a l perfor-
mance be documented i n f a i r l y complete, even i f informal, operating manuals and
schematics and t h a t program operating d a t a be a v a i l a b l e and evaluated. But
such i s not very o f t e n t h e case. Thus management has l i t t l e assurance that
t h e program has a plan, i s operating according t o the plan, o r how any pro-
gram plan compares with a higher-level scheme of protection.
The suggestions : "Build an Executive Instrument Panel" o r "Build a W a r
Room" f o r any problem, seem well founded, A s matters stand, we don't have
t h e beginnings of a wiring diagram f o r most s a f e t y programs, L i t t l e wonder
they a r e poorly understood and t h a t management i s accused o f f k i l i n g i n support.
What i s needed i s not a l i t e r a r y masterpiece, but a conceptual picture of t h e
s a f e t y system (and l a t e r some numbers).
Almost universally i n t h i s and other s t u d i e s t h e r e has been a major l a c k
of o u t l i n e s and schematics which s u b s t a n t i a l l y describe a program. ( ~ e n ~ t h ~
procedural documents have the same index of confusion, gaps, and overlaps
found i n general i n t h i s study.)
The substance of t h i s t e x t r a i s e s many questions of s a f e t y program d e f i -
n i t i o n and substance. ( ~ a r examples
l ~ of simple program schematics a r e shown
by t h r e e f i g u r e s i n Chapter 28, Independent Review. )
The development of schematics, s t e p s , and c r i t e r i a i n operating d i v i -
s i o n s revealed many s a f e t y program gaps and deficiencies. But, when these
same a n a l y t i c techniques were applied t o s a f e t y d i v i s i o n operations, s i m i l a x
d e f e c t s were quickly apparent. It would seem t h a t program d e f i n i t i o n and
measurement i n s a f e t y should be a prime condition f o r proper working r e l a -
t i o n s with t h e operating organization and f o r s a f e t y budgets.
Fundamental t o understanding of hazard control processes i s a c l e a r under-
standing of major d i f f e r e n c e s i n project forms of organization (e.g., much of
NASA)and on-going functions (eWg., much of AEC and industry). What s a f e t y
d i s c i p l i n e and schematie is a given u n i t using? Universally, t h i s major
d i s t i n c t i o n is i l l - d e f i n e d , both i n system s a f e t y and occupational safety.
And, when a p r o j e c t form of organization i s used without appropriate s a f e t y
provisions, as an exception i n an on-going program, trouble a r i s e s . (see, f o r
example, page 66, Figure 5-1. )
~onitor/~udit/~ompare.
Measuring, as with i d e a l s , i s a concern of almost t h i s e n t i r e t e x t . Note,
f o r example, on page 369, how an accident can r a i s e questions about s a f e t y pro-
gram, as well as about management. See t h e section on program a u d i t s i n Chap-
t e r 37 and a l s o t h e r e examine the s a f e t y r o l e i n monitoring. Are these
functions f u l f i l l e d ?
Other measurement systems have been suggested (~ohnson,1964; Planek, 1967;
Attaway, 1969; Diekemper and Spartz, 1970). A l l express concepts and philos-
ophies of measuring, as well a s educating management.
F u r t h e r , from an e a r l i e r r e p o r t :
Program e v a l u a t i o n should not be divorced from program design. Measure-
ment d e v i c e s should be b u i l t i n t o program, r a t h e r t h a n r e t r o s p e c t i v e l y
developed. Thus t h e y a l s o become a p a r t of r e c y c l i n g program improve-
ment. P l a n e k l s Programming Planning Model ( ~ ~ ~ e n Gd) i and x t h e NSC
Measurement Symposium ( ~ ~ ~ e n Kd) i sxt r e s s t h e p o i n t and o f f e r guidance.
E v a l u a t i v e r e s e a r c h on programs can be of g r e a t p r a c t i c a l value. Summar-
i z i n g t h e l i t e r a t u r e , Caro (1969) enumerated some views on key a s p e c t s :
O b j e c t i v e s of e v a l u a t i o n :
1. Extent t o which t h e program achieves i t s g o a l ,
2. R e l a t i v e impact of program v a r i a b l e s ,
3. Role of program a s c o n t r a s t e d t o e x t e r n a l v a r i a b l e s .
Categories of e v a l u a t i o n :
1. E f f o r t - amount of a c t i o n
2. E f f e c t - r e s u l t s of e f f o r t
3. Process - how e f f e c t was achieved
4. E f f i c i e n c y - e f f e c t s i n r e l a t i o n t o c o s t .
Funding of e x t e r n a l measurement, a s w e l l a s i n t e r n a l s c i e n t i f i c r e s o u r c e s ,
should be u t i l i z e d i n conducting e v a l u a t i v e s t u d i e s . Frequently inexpen-
s i v e program e v a l u a t i o n schemes can be i n t e g r a t e d i n t o program p l a n s , and
t h i s should always be an o b j e c t i v e .
There i s nothing wrong, and a l o t t h a t i s good, i n measuring e f f o r t s ,
first o r d e r e f f e c t s , and program processes and e f f i c i e n c y , provided no
one l o s e s s i g h t of t h e u l t i m a t e measure--accident r e d u c t i o n s . A variety
of such measures i s diagrammed by Planek (Appendix H ) ,
T a r r a n t s (1965 and 1967) h a s urged e v a l u a t i o n and o f f e r e d numerous sugges-
t i o n s , p a r t i c u l a r l y on t h e need f o r e r r o r d a t a a s measures. A good example
of use of work sampling and o t h e r measures t o e v a l u a t e a S a f e t y Observation
t r a i n i n g program ( ~ a t t e r w h i t e ,1966) showed t h a t t h e program under s t u d y
w a s n o t e f f e c t i v e ; however, t h e c o l l a t e r a l recommendations which emerged
from t h e s t u d y repayed t h e c a r e f u l measurement e f f o r t . Other examples
have been given.
I n any measurement scheme t h e g e n e r a l o r g a n i z a t i o n g o a l s , v a l u e s and per-
formance must be evaluated. From an e a r l i e r r e p o r t :
Perhaps t h e b e s t example of Lawrence's problems i s t h e Nobel-prize-winning
f e a t of developing t h e hydrogen bubble chamger. This type of p r o j e c t n o t
o n l y probes boundaries of e x i s t i n g knowledge i n physics, b u t a l s o crowds
boundaries of s a f e t y technology (exceeded previous technology), and o n l y
a p p r o p r i a t e s a f e t y p r e c a u t i o n s could make f e a s i b l e t h e r e s e a r c h process
itself.
The major emphasis of Lawrence's s a f e t y program i s on support and assis-
t a n c e t o s c i e n t i s t s s o t h e y may f u l f i l l experimental requirements with
s a f e t y . E x o t i c hazards t o be c o n t r o l l e d a r e a f a r c r y from t h e more con-
v e n t i o n a l hazards of a production process. The philosophy i s not r e a l l y
d i f f e r e n t from t h e i n d u s t r i a l concept--production with s a f e t y . A t t h e
extremes of r i s k management f o r h i g h energy physics r e s e a r c h it i s even
more c l e a r than i n i n d u s t r y t h a t t h e work simply cannot be done without
s a f e t y - - c r e a t i v e , imaginative s a f e t y .
Management l e a d e r s h i p and r e s p o n s i b i l i t y c r i t e r i a used i n judging a Fed-
e r a l agency s a f e t y competition were l i s t e d e a r l i e r . The a d d i t i o n a l c r i t e r i a
used i n t h i s competition, while not considered t o be up t o MORT standards, do
present a v a r i e t y of u s e f u l questions ohso son, 1964).
7. Is special career training given to agency
Maintenance of safe safety personnel designed to improve their
working conditions performance as safety advisers?
1. Do program documenis provide for o regu- &Are safety contests and award programs
lar and orderly procedure of safety inspec- utilized to promote safety education?
tions? 9. Are accident reports used to identify train-
2. Does each echelon from units to agency ing needs?
headquarters utilize inspection schedules? Accident record system
3. Are deficiencies noted and official recom-
mendations submitted? 1. Daes the agency possess a firm policy and
4. Are inspection reports given appropriate definitive procedures and instructions for
and timely follow-up reviews? reporting accidents?
5. Are inspection procedures implemented ob- 2. Are reporting procedures compatible with
jectively and qualitotively as well as quan- the Bureau of Employees' Compensation
titatively? laws and administrative directives for re-
6. Are accident reports used to identify and porting injuries?
correct unsafe conditions? 3. Does the reporting system prescribe in-
7. Are provisions made for the supply and use ternal checks to insure eftlcient praceaing
of adequate and approved protective cloth- of reports prescribed by law?
ing and equipment? 4. Does the reporting system prescribe that
8. Is a safe and healthy place to work pro- accident reports be reviewed at and ap-
vided including safe equipment, safe tools, proved by higher levels of supervision?
and guarded machinery; physical conditions 5. Does the reporting system require thorough
such as ventilation, light, and noise? and complete investigation of accidents?
9. Are operations and process ~ l a n n e dand 6. Are accident reports combined for analyses
arranged with careful attention to safety? and identificotion of common factors of
causation, accident agency, and activities?
Establishing safety training and education 7. Does the accident reporting system pre-
1. Has the agency provided broad guidelines scribe for the periodic review of accident
and instructions for general and specific data and causation analysis?
safety training of personnel? 8. Does the agency disseminrrte accident data
2. Does the agency provide a systematic quali- and causation analysis to subordinate
ty program designed to keep caution alive echelons?
in the minds of personnel? 9. Does the reporting system provide for ac-
3. Is safety training integrated ,into broad cident analysis at installation and regional
agency training of supervisors? levels?
4. Is safety training included in orientation of 10.Are BEC and agency injury reports re-
new employees? Is safety stressed as an in- viewed for comparability of information?
tegral part of on-the-job instructions? Medico1 and first-aid systems
5. Are special safety training programs de-
1. Daes the agency provide adequote and
veloped and disseminated throughout the
timely first aid and medical treotment of
agency?
injured personnel?
6. 1s a systematic and energetic follow-up made
2. Daes the agency conduct health and sani-
of safety training programs to evaluate
tation surveys?
training effectiveness?
3. Does the agency conduct a preventive
medicine program for its personnel?
Scope and I n t e g r a t i o n .
Evidence of t h e wisdom of several organizational p r i n c i p l e s i s mounting:
1. The scope of t h e s a f e t y program should include a l l forms of hazards.
2. The s t a f f support f o r s a f e t y should be integrated i n one major u n i t ,
r a t h e r than s c a t t e r e d i n severa? places.
3. The s t a f f s a f e t y u n i t , i n order t o be capable of incependent review,
should r e p o r t t o t o p management without unnecessarily impeding l a y e r s
of organization.
The AEC p a t t e r n of Divisions of Operational Safety f u l f i l l s these c r i t e r i a .
A s s a f e t y programs take on a g r e a t e r systems and operational f l a v o r , the
l o c a t i o n of s a f e t y u n i t s should not characterize s a f e t y a s an " i n d u s t r i a l r e l a -
t i o n s , personnel, h e a l t h , medical, o r insurance" problem.
Where some s a f e t y functions a r e s p l i t off (e. g., nuclear c r i t i c a l i t y a t
some s i t e s ) and/or where relevant technologies such a s system s a f e t y a n a l y s i s
o r human f a c t o r s c a p a c i t i e s a r e organizationally remote, s p e c i f i c a c t i o n (e. g.,
a " s a f e t y council" o r study and improvement of day-to-day working arrangements)
should be used t o i n s u r e t h a t t h e organization uses its competencies.
The common i n d u s t r i a l separation of s a f e t y i n t o "personnel" and "product"
functions is probably a major obstacle t o a proper view of "operational" safe-
t y , and has seemingly put professional b l i n d e r s on the separated groups. Cer-
t a i n l y occupational s a f e t y i s not a "personnel" function, and simultaneous
placement of product s a f e t y i n design groups f r e q u e n t l y denies management t h e
values of independent, professional review of operational safety.
Organizational Placement.
From s t u d i e s , the common placement of t h e s a f e t y function i s two or
t h r e e organizational l a y e r s down from t h e Chief Executive Officer, seldom one.
And f u r t h e r , occupational s a f e t y i s l a r g e l y seen a s a "personnel" function.
During t h i s study an i n t e r e s t i n g conversation occurred with two vice-
presidents of a l a r g e R & D laboratory.
By way of i n d i c a t i n g t h e i r q u a l i f i c a t i o n s , each V. P. was d i r e c t i n g an
advanced technology d i v i s i o n with some 1,000 employees. One was t h e
"senior v.p." and had managed r e f i n e r i e s f o r a major petroleum company.
I n t h i s informal discussion, a p r i n c i p l e emerged i n t h e i r minds, namely,
t h e s a f e t y function should r e p o r t d i r e c t l y t o t h e President. However, a s
t h e discussion proceeded, they s a i d , i n e f f e c t , "The trouble with such a
proposition i s t h a t t h e s a f e t y d i r e c t o r s we see, probably t y p i c a l of the
group, have not gone through t h e usual succession of expanding managerial
assignments which develops t h e managerial c a p a c i t i e s required of a person
who r e p o r t s d i r e c t l y t o a president, A president gives l i t t l e guidance.
He's too busy d i r e c t i n g t h e company a s a whole. Consequently the s a f e t y
function should r e p o r t t o t h e president through a senior executive who
(hopefully) avoids t h e improper s t e r o t y p e s you have described. "
I n NASA's Manned Space F l i g h t Program, s a f e t y and r e l i a b i l i t y and q u a l i t y
assurance were l a s t reported a s grouped ( t h e i r functions and methods a r e s i m i l a r ) ,
r e p o r t i n g t o one d i r e c t o r .
One multi-plant company has common managerial supervision over s a f e t y and
human f a c t o r s , with a strong program i n the l a t t e r area.
If organizational arrangements have significance, and they probably do, t h e
following format seems t o convey t h e operational nature of the functions, t o
group f i v e c l o s e l y r e l a t e d functions, and t o emphasize the service and indepen-
dent review s t a t u s of t h e functions vis-a-vis l i n e management.
I n consequence of all of t h e above observations and organizational
approaches, a possible form t o be examined seems t o emerge:
Chief Executive
1
Executive f o r Improving Human Performance

1
1
f
*
1
an t 1
Industrial
1
Reliability
Saf e t 9 Factors Medicine Quality Personnel
Assurance
Occupational
I n d u s t r i a l Hygiene
F i r e Prevention
Transportation
Product
Nuclear
*The s p e c i a l t i e s may sometimes be separate u n i t s , but r e t e n t i o n within t h e
above framework seems t o have advantages.
While the above guidelines f o r s a f e t y organizations seem well supparted

i n t h e a u t h o r ' s experience, a more f l e x i b l e and studied approach may well
supplement, r e i n f o r c e o r contradict t h e guidelines, p a r t i c u l a r l y i n varied
i n d u s t r i e s and corporate types. Gausch (1972) draws on organizational s c i -
ences as well as experience t o suggest studied approaches which r e f l e c t t h e
a c t u a l i n t e r - r e l a t i o n s of functions and u n i t s , both formal and informal.
Certainly, Gauschfs s t a t e d goal of achieving an e f f e c t i v e synergy of unique
interpendent u n i t s is excellent.
Gausch c o r r e c t l y emphasizes t h a t e f f e c t i v e day-to-day working arrange-
ments may be q u i t e d i f f e r e n t from t h e formal, advertised relationships. How-
ever, a u d i t s of such r e l a t i o n s almost invariably show serious d e f i c i e n c i e s as
well as some s u b s t a n t i a l advantages. So a u d i t o r study would be a common
ground f o r developing program o r organization improvements.
-
Safety S t a f f Organization.
The matrix has been frequently used a s an organizational tool--discipline
v s function, The concept i s shown i n Figure IX-1. The d i s c i p l i n e s w i l l vary
widely, dependent on the organiatlon.
The functions of Research ( i n a d i s c i p l i n e ) , L i t e r a t u r e Search and
Analysis a r e u s u a l l y best organized by t h e d i s c i p l i n e s .
Field Service i n a geographically centralized u n i t may be s i m i l a r l y orga-
nized; i f geography-distance i s s i g n i f i c a n t , it can be organized as a geo-
graphically decentralized function representing the e n t i r e organization.
Information and Program Development a r e seemingly seldom well done if
Figure M - 1
SAFEZY ORGANIZATION MATRIX
Disciplines Functions
!
I Research i Analysis* : Field Training ,~nformation*f Program
I and
! Literature j
Service 1 I Development :
i Search I
I I
1
General 1 I
I
I
I
I
i
* Includes Standards and Recommendations

** Data c o l l e c t i o n , reduction, retrieval.
l e f t as c o l l a t e r a l functions of t h e d i s c i p l i n e s . D i s t i n c t s t a f f u n i t s and
assignments a r e needed. Pinkel (NASA) goes so f a r as t o suggest t h a t the
s a f e t y information function be established outside t h e s a f e t y off i c e t o
i n s u r e independence, and c l e a r measurenients of high q u a l i t y information
services.
The Prograq Development function may a l s o be the f o c a l point of t h e
research orientalkm, as well as having t h e basic system design and improve-
ment role.
I n addition, i f t h e Safety Review function i s emphasized (as at ~ e r o j e t )
a u n i t t o coordinate the work i s valuable.
Search-out and application of new technology i s handled as a c o l l a t e r a l
function i n most s a f e t y departments (other than some nuclear c r i t i c a l i t y
staffs). Handled i n t h i s manner, the function is grossly under-staffed and
under-emphasized. There is l i t t l e enough time f o r search-out and p r a c t i c a l l y
no time f o r application. Thus many technologies, p a r t i c u l a r l y a n a l y t i c a l and
behavioral, remain undiscovered and/or unused by s a f e t y s t a f f s . Two s o l u t i o n s
a r e suggested f o r management action and evaluations
1. Require s a f e t y professionals t o budget time f o r professional growth,
and t o expose themselves t o non-safety technology (5-16 of time),
2. I n a s a f e t y staff of any s i z e (eeg., f i v e o r more professionals),
require a l l o c a t i o n of one man t o t h e function of technology acquisi-
t i o n and application.
These approaches may r e s u l t i n more hazards undetected o r uncorrected i n
t h e s h o r t run, but should produce g r e a t l y improved s a f e t y performance i n t h e
very near future.
I n thoraugh accident investigation, p a r t i c u l a r a t t e n t i o n should be given
t o non-use by s a f e t y personnel of available technologies, and t h i s suggests
some independent accident i n v e s t i g a t i o n s by non-safety professionals.
Yardstick c r i t e r i a as t o numbers of professionals on a s a f e t y staff seem
t o have s l i g h t value, a s do yardstick budgets. Too much depends on functions
included and management expectations.
The c o l l e c t i o n of d a t a on program holds the p o s s i b i l i t y of providing
management with objective measurements of a c t i v i t i e s and gaps i n programs
whereby manpower requirements can be assessed.
Such d a t a can a l s o help i n measuring t h e coverage of key functions.
SpecSfically, under conditions of a u s t e r i t y , t h e proportionate emphasis on
key functions can be judged, and s h i f t s from lower p r i o r i t y functions can
be planned. For example, i n one budget-reduction case, "quality control"
type feedback of s a f e t y information t o supervisors was discontinued even
though it had been highly e f f e c t i v e . I n s e v e r a l o t h e r c ? c p s , nothing was
being spent on work sampling o r c r i t i c a l i n c i d e n t s t u d i e s . ?lore balanced
emphasis i n manpower a l l o c a t i o n s should be given t o functions I-rhich not only
provide s t r e n g t h i n t h e program, but a l s o simultaneously n o n i t c r s:crstenatically.
I n discussing monitoring, a d i f f i c u l t y i n s c a l i n g , measuring o r describing
t h e r o l e of a f i e l d s a f e t y engineer was reported, Later, a c a r e f u l a n a s i s of
a c t u a l and possible r o l e s not only c l a r i f i e d h i s present d u t i e s , but suggested
key r o l e s b a s i c t o planned a u d i t of high energy f u n c t i o n s , using a new, four-
way viewpoint f o r a u d i t : Is t h e u n i t (1) i n t h e system? (2 j complying with
codes and p r a c t i c e s ? (3) impacted by s a f e t y program? (4)impacted by changes,
d e l a y s , performance t r o u b l e s , e t c . ? (see Figure 5-1 and Exhibit 16.) Subse-
quent t r i a l s supported t h e usefulness of t h e concept. Reports organized by
t h e method were perceptive and f o r c e f u l ,
Figure IX-2
The a u d i t schematic i n d i c a t e s t h a t t h e f i e l d s a f e t y engineer w i l l endeavor t o
a s s u r e t h e d i r e c t o r and l i n e management t h a t a s p e c i f i c organizational u n i t
h a s an adequate system and i s not f a i l i n g from f o u r viewpoints.
Corporate System
Directives. a u d i t s , review by o t h e r s
High Energy
Regulations
Changes
Codes, standard.S
Safe P r a c t i c e s
Expertise
A Place
o r Unit
< Performance t r o u b l e s
Technical t r o u b l e s
Goal-budget-schedule
( t i g h t n e s s , changes)
hoeam
Manatzement Work Hazard
~mplementation Flow Information Participation
Supervision Availability JSA
Things Accessibility RSO
People Analysis Meetings
-------------
Procedures
Upstream Input from
Processes Computer
Peer Committees, Special-purpose and on-going committees and boards a r e

having g r e a t value at t h e t h r e e AEC research s i t e s , as well as elsewhere.
Not only i s advanced technological s k i l l u t i l i z e d , but involvement has i m -
proved s a f e t y a t t i t u d e s within s c i e n t i f i c and engineering groups. Seemingly
i m p l i c i t i n case h i s t o r i e s of e f f e c t i v e boards and committees is a p o s i t i v e ,
a c t i o n o r i e n t a t i o n towasd r e a l - l i f e problems, On-going groups sometimes bog
down i n l e s s e r problems and many have h i s t o r i e s of ineffectiveness. One
measure of a s a f e t y program i s t h e amount, q u a l i t y and e f f e c t i v e n e s s of peer
committees at various levels.
Professional S t a f f .
The best d e s c r i p t i o n of t h e scope and functions of t h e professional
s a f e t y p o s i t i o n is contained i n a statement adopted by t h e Board of Directors,
American Society of Safety Engineers, October 22, 1966. It describes many
a s p e c t s of t h e kind of s a f e t y system envisaged i n t h i s monograph.
Useful analyses of t h e organizational r o l e of t h e professional a r e
a l s o provided by t h e observers from t h e B r i t i s h Chemical Industry and by
Currie i n h i s Safety Task Checklist.
The a t t i t u d e s and concepts of e f f e c t i v e s a f e t y d i r e c t o r s about organi-
r a t i o n a l , technical and behavioral concepts were shown t o be d i f f e r e n t than
those of l e s s e f f e c t i v e s a f e t y d i r e c t o r s (&acey, 1970). The study examined
t h e strength and conviction of s a f e t y d i r e c t o r s on organizational factors--
position, management support and power--and technical (engineering) and
behavioral variables. Effectiveness w a s associated u i t h stronger convic-
t i o n s on both t e c h n i c a l and behavioral v a r i a b l e s , as well as p o s i t i o n and
power. However, management support scored low f o r a l l groups.
There a r e deep-seated problems i n these and similar findings. For some
years various t o p management men have commented p r i v a t e l y on t h e seemingly
mediocre (even poor) promotability of s a f e t y ~ r o f e s s i o n a l s(and even previ-
ously promising management t r a i n e e s r o t a t e d through t h e s a f e t y function).
Greenberg (1972) has commented f o r t h r i g h t l y on t h e often low educational
experience, promotability and organizational s t a t u s of s a f e t y professionals.
Given t h e congruence of safety and general performance, and t h e excel-
l e n t ASSE statement of scope and functions, such a s i t u a t i o n seems strange.
Safety engineers ought t o be highly s k i l l e d and very promotable "trouble
shooters" f o r t h e performance process.
Could t h e common mode of s a f e t y p r a c t i c e ("management by objection" ) be
a factor?
Is a staff r o l e i n personnel too g r e a t a divorce from operational manage-
ment ?
Could t h e search-out and application of organizational techniques more
congruent u i t h management methods be a helpful f a c t o r i n moving toward
both lower accident r a t e s and g r e a t e r personal progress?
Does t h e basic t a s k of simply applying codes, standards and regulations
s t i f l e and atrophy c r e a t i v e a b i l i t i e s ?
Are unevaluated promotional gimmicks and s t u n t s a d i s q u a l i f i c a t i o n f o r
r e a l - l i f e performance measurement?
Safety personnel should be judged according t o t h e usual management c r i -
t e r i a , as well as s a f e t y c r i t e r i a . Use of t r a i n i n g opportunities, and crea-
t i o n of t r a i n i n g opportunities i s a l s o a useful c r i t e r i o n .
- 455 --
Aspects of P r a c t i c a b i l i t y .
T r i a l s a t Acrojet produced encouraging c a s e s of p r o f e s s i o n a l a s s i m i l a -
t i o n of inprove? ne+,l-iods--in accident/incident i n v e s t i g a t i o n s , i n production
of f a u l t - d e t e c t i n g schematics, i n monitoring, i n s t u d i e s of major problems,
and i n b u i l d i n g acceptance and management understanding.
There i s a b e l i e f i n some elements of NASA and AEC t h a t a h i g h e r g o a l
-
also requires "new k i n d s of people." These a r e n o t " i n p l a c e of ," b u t " i n
a d d i t i o n t o " present. s a f e t y s t a f f s .
An exminat2.m oT t h e s a f e t y staffs of NASA and AEC r e v e a l s t h a t t h e
p r o f e s s i c n a l s t a f f s a r e a l r e a d y u t i l i z i n g many r e l a t i v e l y new s p e c i a l i z e d
p r o f e s s i o n a l s drawn from:
1. Nuclear s a f e t y !or aerospace o r system s a f e t y ) ,
2. Health physics,
3. I n d n s t r i a l hygiene,
4. F i r e s a f e t y engineering,
5. h i a n f a c t o r s engineering and psychology,
6 . Nathematics and system a n a l y s i s ,
7. &%ability and q u a l l t y assurance,
8. Management (of many d i s c i p l i n e s ) .
A s an i ~ t e r e s t i n gf a c t , t h e r e i s a s i g n i f i c a n t number of b i o p h y s i c i s t s
i n the field. Thus, t h e o b s e r v a t i o n t h a t t h e work may need "new k i n d s o f
people'' seems t o be a l r e a d y e v i d e n t i n p r a c t i c e . I n s a f e t y research areas,
t h o s e a c t i v e show a v e r y wide spread i n t h e sciences.
S t a f f Servi 2es.
'The s e r v i c e concept and t h e p r o p o s i t i o n t h a t " f a i l u r e m i r r o r s f a i l u r e , "
a r t i c u l a t e d i n Chapter 20, Management Implementation--specifically i n Figure
20-4, page 197--are probably a s powerful a s any i d e a s i n planned upgrading
of t h e s a f e t y prograin and t h e s a f e t y p r o f e s s i o n a l .
The h i e r a r c h y of s e r v i c e s o u t l i n e d i n Chapter 20 i s a conceptual p o i n t
of departure f o r s a f e t y program review. I n i t i a l l y , t h e concept of s a f e t y
s e r v i c e s can be a p p l i e d i n i n t e n s i v e i n v e s t i g a t i o n s of major a c c i d e n t s .
By
way of example, t h e f o l l o w i n g q u e s t i o n s can be used f o r t h e problems (imrne-
d i a t e and d l s t a l ) r e v e a l e d by t h e i n v e s t i g a t i o n :
Research
--
1. dhat r e l e v a n t r e s e a r c h had been conducted o r w a s i n process i n t h e
s a f e t y unl t ? Elsewhere i n t h e company? Outside t h e company?
Exchange of Information
2. What r e l e v a n t e x p l o r a t o r y o r s t a n d a r d s - s e t t i n g meetings had been
he1d""Y;'ere any state-oflthe-art s t u d i e s completed o r under way?
3. Was r e l e v a n t information on design c r i t e r i a ( e e g . , p a s t a c c i d e n t s )
proffered during design? Would such information i n digested o r
analyzed form have been quickly a v a i l a b l e i f requested?
Standards and Recommendations
4. What codes, standards and recommendations were r e l e v a n t ? Were they
known t o process designers and planners? To operations personnel?
Training
5. What r e l e v a n t s a f e t y t r a i n i n g had been given t o designers? Managers?
Operators ? --.
-. . .
Technical Assistance
6. Same a s 5.
Measurement of Performance
7. Had t h e planning process been audited? Deficiencies corrected?
8. Had t h e managerial process been audited and corrected?
9. What feedback on e r r o r had been provided t o operators? Supervisors?
Looking forward, t h e question i s how e f f i c i e n t l y i s t h e s a f e t y u n i t orga-
nized t o economically produce such s e r v i c e s a t p o i n t s of need? Levitt (1972)
has argued e f f e c t i v e l y f o r a "production-line approach t o service. " Examples
of such an approach would seem t o be evident i n s e v e r a l Aerojet arrangements;
1. The independent review system i s i n t e n s i v e and s o p h i s t i c a t e d , but cheap
and easy f o r customer use.
2. A s p e c i f i c i l l u s t r a t i o n of t h e above i s found i n Exhibit 9 whereby
review by t h e s a f e t y o f f i c e i s made more n e a r l y comprehensive, predic-
t a b l e and producible at low r o u t i n i z e d c o s t .
3. The provisions f o r low cost s e r v i c e , e.g, , information search (page 262).
4. The f i e l d s a f e t y engineer's a u d i t specified i n Figure I X Z i s more n e a r l y
measurable and reproducible on a mass b a s i s than t h e unstructured,
v a r i a b l e search-out t y p i c a l of t h e profession.
I n s h o r t , a view of s a f e t y s e r v i c e s as t h e e s s e n t i a l output of t h e s a f e t y
u n i t w i l l allow u s t o replace high c o s t , v a r i a b l e and e r r a t i c elegance with
lower c o s t , predictabld: products more n e a r l y attuned t o customer needs i n t h e
f i e l d , and more l i k e l y t o deserve budget support.
***
I n summary, a superior s a f e t y program w i l l be moving away from c r i s i s ,
"brush-f i r e " approaches toward :
1. Planned and measured programs,
2, Low c o s t , high volume s a f e t y s e r v i c e s ,
3. Professional growth evidenced by a c q u i s i t i o n of management s k i l l s
and modern methods.
The smaller t h e s a f e t y s t a f f t h e more method i s needed.
X. TRANSITION
A t r a n s i t i o n from "present best practice'' i n occupational s a f e t y t o a
higher l e v e l of practice having the p o s s i b i l i t y of an order-of-magnitude 9
reduction i n r i s k is a process of many changes--perhaps 50 o r more concepts,

if MORT is any measure, Such a change (or changes) is impossible and imprac-
t i c a l i f undertaken as a massive, directed e f f o r t , The t r a n s i t i o n could
occur only if dozens of innovations were tackled on a "bite size" scale,
found promising, and were persuasive and e f f e c t i v e i n an organization,
Why Bother? Because present "good" may not be "good enough, " The pace
of change may overwhelm us, with r i s i n g accident r a t e s , and even d i s a s t e r s ,
The pace of s a f e t y improvement must keep up with s o c i a l and technological
change o r the troubles most l i k e l y w i l l mt worse,
On the positive s i d e , t h e r e ' s the potential of b e t t e r manaaement of
s a f e t y and anything e l s e ,
How Much Transition? The process of t r a n s i t i o n t o b e t t e r programs
can be visualized i n a t l e a s t f o u r l e v e l s of effort8
1, Full-scale application t o an organization,
2, Full-scale application t o a major project,
3, Expedient application t o current problems,
4. Personal use by t h e s a f e t y professional,
Each of these l e v e l s of e f f o r t w i l l be discussed, but first some problem a r e a s
should be mentioned.
Some Problems, There are major problems which should be made e x p l i c i t .
They include, at t h e l e a s t r
1. The systems and technologies still need development and f u r t h e r
technolorn acquisition,
The answer seems t o be willingness t o t r y out ideas, enlis.ting
the broadest p m s i b l e cross-section of t h e organization i n the
developmental e f f o r t t o M e f u l l advantage of a l l competencies,
and willingness t o modify ideas based on actual trial experience.
2, The technology a t t h i s point seems complex,
One answer is simplification, of course t thus far t h e study e f f o s t
has been encyclopedic i n scope. I n i t i a l trials d i s t i l l e d and
digested some concepts and principles, But the main answer is:
k e e ~s p e c i f i c mo-iects s i m ~ l eand small,
3. Time and budwt a r e r e s t r i c t e d ,
The e f f o r t must be i n small, controllable increments, and the over-
a l l e f f o r t must be manageable, on a back out b a s i s i f necessary.
4. Keep t h e s t o r e open! The AEC s i t e s have missions which demand good,
continuous management f o r performance as well as safety.
The e f f o r t w i l l have t o involve small amounts of time of numbers of
key people, and not d i s r u p t t h e present, on-going and e f f e c t i v e
programs. However, t h e programs which have given AEC and i t s con-
t r a c t o r s , o r similar i n d u s t r i e s , good records a r e not p r e c i s e l y
defined nor a r e t h e y "proven" (inasmuch as they have not been defined
o r evaluated i n t h e d e t a i l suggestive of s c i e n t i f i c proof 1. For
example, t h e values of s a f e t y meetings were i n question at a l l t h r e e
MORT t r i a l s i t e s , but a r e continued without evaluation and with some
i n d i c a t i o n s of ineffectiveness. Trial of new approaches should not
be very dangerous--what i s dangerous i s i n e r t i a .
A t t h e same time, it i s not wise t o s u b s t i t u t e new programs f o r
old without temporary double-tracking. But, undue caution on inno-
vation i s probably as accident-producing as experimental f a i l u r e s ,
if i n c i d e n t s and l a c k of proof of present programs a r e considered.
Time taken from present program f o r innovation i s always a poten-
t i a l problem. However, if innovation i s t o be rapid and e f f e c t i v e ,
what i s suggested i s more small, clear-cut, i n c i s i v e and quick trials,
r a t h e r than p o t e n t i a l l y s t i f l i n g adherence t o t r a d i t i o n a l method.
A s a matter of f a c t , t h e dynamic impetus f o r innovation may more than
compensate f o r program t r a n s i t i o n , e.g., again, Job Safety Analysis
which o f t e n s t i m u l a t e s t h e enthusiasm of employees.
5. S e l l i n g i s always a problem.
The "innovation d i f f u s i o n " techniques believed applicable t o s e l l i n g
s a f e r behavior can be used. S t a r t with i n f l u e n t i a l innovators and
and help them evaluate and t e s t . No d i r e c t i v e s . Acceptance i s
e a s i e r i n a s t a b l e environment. If t h e organization is i n a s t a t e
of change, e.g., a reorganization o r a new l o c a t i o n , w a i t f o r s t a b l e
r e l a t i o n s before working f o r more changes.
6 . The concept of e r r o r a t management l e v e l s w i l l take some e x t r a s e l l i n g !
"Pacify" may be t h e complement t o "simplify." People make mistakes--
i f they do anything. Maybe information o r technology wasn't passed
on--an oversight. Or perhaps time o r o t h e r reasons prevent use--an
assumed r i s k . Maybe t h e technology doesn't e x i s t , o r i s j u s t emerging;
maybe imagination wasn't good enough by 20-20 hindsight. Live and
l e a r n , but l e t ' s learn. Objectivity about oversights and omissions
i s d e l i c a t e and d i f f i c u l t , but t h e a l t e r n a t i v e i s t h e present s i l e n c e
i n accident r e p o r t s regarding possible management improvements,
and consequently some misplaced s a f e t y e f f o r t s .
7. Competition with Safety Staff. Some objection t o MORT p r o j e c t s has
been encountered among s a f e t y professionals because, "When t h e con-
cepts a r e implemented l i n e management and technology groups w i l l have
a major share of t h e s a f e t y job." This seems as intended, a t l e a s t by
t h e author, but t h e possible objection should be noted.
8. Reading a book o r t r a i n i n g a few people w i l l not bring about t r a n s i -
tion.
Dialogue, leadership, a c a t a l y t i c agent and t e c h n i c a l a s s i s t a n c e
a r e needed.
Full-scale Application t o Organization

The following general approaches seem worthwhile:
1. Many, small exploratory, permissive, self-adapting projects.
2. A small amount of time (say 4 o r $1 of numbers of people t o d e v e l o ~
b e t t e r managers, b e t t e r problem s o l v e r s with s a f e t y as content.
3. Maintain an experimental o r i e n t a t i o n (but not had-nosed research at
t h i s time--too c o s t l y and too many years f o r r i g i d proofs). This i s
a t r i a l of a possible synthesis. Move t o research evaluation when
e a r l i e r trials suggest value.
4. Breaktbougk i s sought--use J u a n ' s management guidelines f o r t h i s
process.
Some requirements f o r a t r i a l application seem t o be:
1. A t a s i t e - -
a. A management team t h a t wants t o t r y out new approaches.
b. A f o c a l point f o r stimulation and any needed coordination i n a close
a s s o c i a t e of t h e t o p manager.
c. A f o c a l point f o r technology a c q u i s i t i o n and trial c l o s e t o t h e
safety director. Transition cannot be s t a f f e d by a l r e a d y busy
s a f e t y people. I n e f f e c t , a New Promam Development Unit must be
created, and s t a f f e d f u l l o r part-time with innovation-minded,
c r e a t i v e people.
2. A t the AEC Operations Office--a management innovator.
3. A t AEC Headquarters--
a. Bright, young, technology a c q u i s i t i o n people--technical assistance
from t h e n a t i o n a l l e v e l w i l l be needed,
b. Budget and staff f o r national problems (emg., information systems),
Given these approaches and requirements, a g r e a t d e a l of progress should
be apparent i n twelve months.
A 1 1 good plans w i l l be l o c a l plans. But an o u t l i n e based on Aerojet
t r i a l s may be h e l p f u l i n preparing a good l o c a l plan.
A preliminary evaluation of needs and i n t e r e s t s . Perhaps a b r i e f i n g
of key people.
Management endorsement of a study--plus assignment of a study team,
a t l e a s t one from management and one f o r safety.
Study and Plan
Review and compare present program a g a i n s t MORT standards,
P l o t major, apparent o r l i k e l y needs a g a i n s t some broad headings (e ,
t h e Safety Program Improvement P r o j e c t list i n Exhibit 17 o r use t h e
Table of Contents of t h i s t e x t ) , Rank order possible p r o j e c t s under
each major heading.
Select a l i m i t e d number of p r i o r i t y p r o j e c t s , such as:
Hazard Analysis Process. Try comprehensive information search on
s e v e r a l new projects.
Work Flow Process. Try Job Safety Analysis.
Monitoring Systems. Try a " c r i t i c a l incident" study i n one major
high energy area. B y an a u d i t of an upstream process (e.g.,
engineering ) .
Accident Investigation, Try MORT a n a l y s i s on t h e next few s e r i o u s
i n c i d e n t s o r accidents.
Probably a few more such p r o j e c t s w i l l suggest themselves.
Prepaze a b r i e f d e s c r i p t i o n of each p r o j e c t .
Plan t o spread t h e work--i.e., t h e safety engineers assigned t o t r y
MORT may not be t h e ones who h e l p start JSA.
Consider whethe* p r o j e c t s a r e t o be spread through t h e e n t i r e organi-
zation, o r t r i e d i n t h e a r e a of one, very i n t e r e s t e d manager. (The
l a t t e r w a s Aero j e t ' s approach. )
Prepare a plan. Include a Steering Committee and a Technical Committee.
A s possible, l e t timing be f l e x i b l e . It's good t o start a p r o j e c t a f t e r
an incident shows need.
Obtain management approval, including the appointment of a MORT Team--at
l e a s t one c l o s e a s s o c i a t e of t h e manager of t h e a r e a of study, and a t
l e a s t one from t h e New Program Development Unit.
Go t o work.
Full-scale Application t o a Pro.iect

S e l e c t a major project--such as a new p l a n t o r process.
Compare t h e p r o j e c t plan with MORT t o see what needs t o be done.
- 461 -
Provide staff f o r t h e MORT a n a l y s i s , i f p r o j e c t staff cannot do t h e work.
Keep a docket on work, c o s t s and perceived b e n e f i t s ,
Keep records on deviations from plans--cost o r schedule over-runs, rework,
d e l a y s due t o poor plans, accidents, etc.
Compare t h e record with scheduled and a c t u a l performance f o r two o r t h r e e
previous, comparable projects.
Expedient Trials
Compile a list of major problems i n t h e organization.
Try MORT a n a l y s i s on some of t h e most d i f f i c u l t problems.
However, be warned t h a t conclusions based on MORT may not be accepted by
managers of even a high energy process o r machine, unless t h e r e ' s been trouble,
If a s t a b l e system has been operating well, incident r e p o r t s from a broader
experience base w i l l be needed t o convince managers of t h e nature of t r o u b l e s
and t h e need f o r controls.
O r , as an a l t e r n a t i v e :
I d e n t i f y t h e managers who a r e Innovators.
Among t h e s e which have problems?
Other managers with s e r i o u s problems ?
Roughly grade t h e whole-organization on MORT diagrams.
Select a l i m i t e d number of SPIP's.
Perhaps: 1. Analyze one s e r i o u s accident with MORT
2 . Step up one H a ~ a r dAnalysis Process (follow t h e book! )
3. Do a small c r i t i c a l incident study i n one place
4, S t a r t o r extend JSA
5. Make a monitor plan f o r a hot spot
6. S t a r t t h e PPL
Personal. Professional Use
organizational t r i a l s of MORT a r e not f e a s i b l e , use MORT as one guide
t o growth:
1. Review MORT t o see how much you accept. Where you disagree, j o t down
your contrary views.
2. Use MORT t o analyze a problem o r an accident (use GEXTING STARTED
r e c i p e on page 231,
3. Use MORT t o c l a s s i f y new methods i d e a s i n t h e c u r r e n t l i t e r a t u r e .
Appendices
A. Early MORT Analyses

1. H I L A C
2. Environmental Chamber
3 . HE Press
4. W P Gas
5. F a l l s
6. I n i t i a t o r s
B. A Few U s e m System Concepts
C. Example of Analysis of Value Aspects of ~ l t e r n a t i v e s '
D, Discussion of C r i t i c a l Incident o r Incident Recall Techniques
E. Sample data on e r r o r r a t e s
F , Procedure Review C r i t e r i a
G , Paxticipat ion and Motivation
H. Innovation Diffusion
I. Acceptance of Proceduraliaed Systems a t Aerojet
J. Modified A i r Force Accident Investigation Checklist
K, NSC Symposium on Measurement of I n d u s t r i a l Safety Performance
A1 -1
-HILAC*
The "High Level S p i l l a t the HILAC" was extremely useful as an i n i t i a l

t r i a l of the MORT method because an excellent and detailed report had been
prepared and published by Lawrence ( ~ a r d e n ,Dailey, 1959). Further, the case
i l l u s t r a t e d the i n t e r a c t i o n of two d i f f e r e n t kirds of energy, and the concept
of successive barriers.
For necessary background, excerpts from the report a r e provided:
"ABSTRACT. On July 3, 1959, an incident occurred i n t h e Hilac Building

when t h e turning of t h e wrong valve resulted i n pressurizing a helium
cooling box, with a r e s u l t a n t 'blowout' of a t h i n fo
gas disintegrated experimental f o i l s made up with 10'
. The burs of IIe
dpm o f Cm2r4. The
r e s u l t a n t a c t i v i t y w a s quickly dispersed as airborne p a r t i c u l a t e s through-
out t h e building. The 27 people i n t h e building were evacuated within 10
minutes under surveillance of t h e Health Chemistry personnel; wherever
clothing proved t o be contaminated it was removed, and i n cases where nose
swipes were pertinent they were taken.
"Although an assumption of a combins;tion o f t h e worst conditions could

conceivably have r e s u l t e d i n 1 manf s inhaling between 2 and 4 times t h e
calculated allowable inhalation f o r short b u r s t s , eveluation from a i r anal-
y s i s and medical, t e s t s indicate t h a t it i s unlikely t h a t anyone a c t u a l l y
d i d receive t h i s emaunt.
"The building was cloeed duriag decontamination procedures, which required

about 30 people f o r 3 weeks i n d i r e c t decontamination work and 30 people
f o r 3 weeks i n i n d i r e c t work.
he cost of labor, material and other charges r e l a t e d t o t h e s p i l l amounted

t o about $30,500 without overhead; equipnent l o s s was held t o l e s s than
$2000. The l o s t time o f operation of t h e hilac has been evaluated a t
$26,000, so t h a t t h e t o t a l l o s s from t h e incident amounts to roughly $58,500.
'Vhe primary cause of t h e accident has been determined t o be an e r r o r by

t h e experimenter, ,Steps hgve been taken t o help insure against any recur- .
rence o f an uncontained r a d i a t i o n s p i l l a t t h e hilac, and t o decrease t h e
."
danger of exposure t o personnel i n t h e event t h a t a s p i l l should occur i n
t h e future
"CONCLUSIONS, It is c l e a r t h a t the primary cause o f t h e h i l a c curium s p i l l

was an e r r o r by an experimenter a t t h e hilac. Failure t o operate c e r t a i n
valves properly caused an overpressure on a O.l-mil nickel f o i l 'window' of
of a helium cooling chamber, so t h a t it ruptured; t h e r e s u l t a n t outrush of
.
helium shattered and dispersed t h e curium t a r g e t t h a t was j u s t outside t h e
chamber
"It should be pointed out, however, t h a t t h e chamber t h a t blew out contained

t m f o i l windows of i d e n t i c a l type -
one separating t h e atmosphere from t h e
helium and t h e other separating t h e helium from t h e accelerator tank vacuum.
I n a l l previous ruptures, t h e f o i l on t h e vacuum s i d e was involved, since
*HILAC = Heavy Ion Linear Accelerator

it i s always under one atmosphere higher presure than t h e other f o i l . The
r e s u l t i n such a case i s a small explosion into the tank, so t h a t t h e t a r g e t
i s not affected. That t h e f o i l a t t h e much lower pressure d i f f e r e n t i a l f a i l e d
i n t h i s s p i l l i n d i c a t e s a very unusual s i t u a t i o n .
"he cost, f o r which an upper l i m i t of $58,500 has been given, i s r e g r e t t a b l e

end serves t o i n d i c a t e the f i n a n c i a l j u s t i f i c a t i o n f o r c a r e f u l l y implemented
operating procedures and, where possible, design of experimental equipment
research --
i n such a way t h a t mistakes cannot r e s u l t i n s p i l l s . The time l o s t t o
three weeks --
i s a l s o an important consideration.
"Although t h e f i e l d of research i s one f o r which it i s admittedly v e ~ g

d i f f i c u l t t o s e t down routine-type safety procedures, t h e foregoing informa-
t i o n makes it c l e a r t h a t it i s incumbent on t h e Atonic Energy Commission,
t h e Lawrence Radiation Laboratory, and t h e researcher himself t o insure t h a t
everything possible is done t o prevent en occurrence of t h i s nature. This
means t h a t t h e research programs should be reviewed c a r e f u l l y f o r possible
improvements i n health and s a f e t y measures, and t h a t all possible e f f o r t s
should be made t o carry out suggestions made by t h e appropriate groups.
"The investigating committee commends t h e personnel of t h e h i l a c f o r prompt

and e f f e c t i v e a c t i o n following t h e s p i l l , and t h e members of t h e Health
Chtpistry department f o r t h e efficiency and thoroughness with which t h e
r a d i a t i o n problems were handled. I n p a r t i c u l a r , t h e Decontamination T e a n
i s t o be commended f o r s u b s t a n t i a l l y reducing both t h e l o s s i n research time
and t h e c o s t o f unusable e q u i p e n t by painstaking e f f o r t s and by application
of advanced decontamination techniques " .
%ECOMMENDATIONS.
1. A more c l e a r l y defined and forceful a t t i t u d e regarding health and s a f e t y
measures should be evidenced. The magnitude of contamination from t h i s
s p i l l can probably be a t t r i b u t e d , a t l e a s t i n p a r t , t o lack of firm policy.
2. Arrangements f o r obtaining t h e services of a physician quickly i n case
of a r a d i a t i o n incident should be made more workable. Although procedures
have been s e t up f o r such an emergency, about an hour and a half elapsed
before an M O D . could be reached f o r advice.
3. There should b& more storage space f o r apparatus not being currently
used. The presence of l a r g e a m u n t s of extraneous e q u i p e n t i n t h e experi-
ment a1 areas g r e a t l y complicated the t a s k of decontamination. Gocd house-
keeping p r a c t i c e s should be conscientiously enforced.
4 . A shower with catch basin should be provided near an e x t e r i o r door of t h e
building f o r removing surface radioactive contamination from personnel
involved i n s p i l l s . The existing shower i s designed f o r removal of chemicals
and w a s i n t h e a r e a of g r e a t e s t contamination. Hilac personnel found it
necessary i n t h i s aase t o t r a v e l more than a quarter of a mile t o shower.
5. An automatic alarm system actuated by an alpha a i r monitor should be
installed.
.
6. Primary enclosures, i .e , enclosures around individual pieces of experi-
mental equipment containing radioactive materials, should be provided.
7. Secondary enclosures should be provided t o i s o l a t e reasonable work
areas. These a r e a s should be individually ventilated."
I n the Hilac Tree Figure the RECOMMENDATIONS of Lawrence were keyed by *.

Additional a c t i o n s l a t e r taken by Lawrence were keyed **.
Notes for Tree on High Level S p i l l at the HILAC
(1)The consequences, a s estimated, did not include medical treatment Costs
and overhead which would be substantial. The p o s s i b i l i t y of long-term r a d i a t i o n
damage t o personnel could not be excluded. And, t h e research consequences were
not fully measured by down time.
The event could occur only because ( 2 ) General Management was "less than
adequate," (3) there were Omissions and Oversights, and/OR ( 4 ) t h e r e were Assumed
Risks,
7
( 2 ) General Management w a s " ~ e s sThan Adequate" (LTA) because t h e r e were
t h r e e problem areas:
( a ) " ~ a c kof Firm Policy" a s noted i n report

( b ) Action -- i.e., d i d not specify a hazard review procedure.
(c) D/N Monitor:

( i ) General operations t o detect e r r o r o r problem sources
( i i ) The s a f e t y program i t s e l f .
These a r e OR events -- any one can l e a d t o trouble.
( 4 ) The Assumed Risks are t r a n s f e r r e d from Onissions and Oversights when-

ever a decision i s made t h a t a solution to a problem is not available o r i s
impractical. Normally such decisions a r e management decisions, but i n t h i s case
t h e experimenter was allowed t o assume r i s k s f o r management.
( 3 ) The f i r s t l e v e l of a n a l y s i s o f events which determined outcane covers

an ameliorative stage a f t e r the accident occurrence (4 ) . Most events were 0 .k.,
but a few problems were identified.
( 4 ) The could r e s u l t i n exposure because a U t h r e e (AND g a t e ) events
occurred;
( 5 ) Persons/Objects were present (persons functional; some objects not
functional) and nr, evasive action was possible.
( 6 ) Barriers were LTA because:

( a ) The primary enclosure w a s made impractical by a C h w e , and no new
A1 - 5.
hood was constructed, because (al) t h e experimenter did not
communicate and ( a 2 ) t h e Health Chemistry group d i d not monitor
continuously.
(b) A separate exhaust f o r t h i s cave's a i r was postponed due t o
"end of t h e f i s c a l year" reasons -- an assumed r i s k .

(7) The t a r g e t disintegrated (reasons not c l e a r ) when it was struck by
pressurized helium. A temporary b a r r i e r w a s t h e o r e t i c a l l y possible since t h e
t a r g e t was not t o be bombarded.
(8) The highly radioactive t a r g e t was l e f t i n place a s a so-called s a f e t y
measure (which could be questioned) -- another assumed r i s k .

(9)The pressurized helium could be released toward t h e t a r g e t because
t h e r e was ( a ) no known precedent f o r such an event, and ( b ) t h e r e was no s a f e
release, e.g., a rupture d i s c a t < g p s i , and pointed away from t a r g e t . Since
such r e l e a s e may not be p r a c t i c a l , i t s absence becomes another assumed r i s k .
A general F a i l u r e to Monitor and Review experiments (F/EI&R)~S

noted.
(10) The equipment did not contain t h e energy because there wis undue
s t r e s s (11) and because t h e t a r g e t b a r r i e r f a i l e d a t 9 p s i while t h e vacuum-
s i d e b a r r i e r did not f a i l a t 25 p s i . If t h i s sequential f a i l u r e of b a r r i e r s
was t o have worked, t h e range of v a r i a b i l i t y of t h e f o i l s would have t o be
tested. t h e r e may have been p r i o r damage t o t h e f o i l which f a i l e d ( a Lack
of information). Knowledge LTA occurred because o f no known precedent. There
may have been an additional f a i l u r e i n t h e knowledge a r e a -- namely, t o conmuni-
c a t e o r specify t h e p r i n c i p l e s represented by pressure vessel codes; i n view of
potentials, t h e p r i n c i p l e s were applicable, even though t h e pressures were nominal.
(11) Undue s t r e s s occurred a s t h e r e s u l t of a combination of four f a i l u r e s
(an AM) g a t e )
(12) Did not l i m i t t h e pressure a v a i l a b l e , presumably because of f a i l -
ure t o define t h e maximum pressure needed; t h e r e f o r e no control of

supply o r no regulator, o r both.
(13) The apparatus had no sensor and automatic shut o f f -- presumably

another assumed r i s k .
(14) There was no audible and v i s i b l e signal.
Note -- (13) and ( 1 4 ) should be shown a t t h e l e f t of Ekperimenter Error

since t h e Hazard Reduction Precedence Sequence places these devices ahead of
human error.
(15) The experimenter e r r o r (opened supply and purge valves; then closed
purge valve and D/N open r e t u r n valve) could occur because the valves were not
interlocked, and t h e r e had apparently been no human f a c t o r s review which might
minimize error. I n addition, t h e r e had been previous similar experimenter
e r r o r s , without analysis and correction.
(16) The human e r r o r would occur because t h e r e was expectable human
variance OR expectable change i n persons o r interruptions, AND l a c k of' super-
vision o r adequate monitoring.
(17) The "lack of evident supervision" seems apparent from:
( a ) The l a c k of s e l e c t i o n c r i t e r i a f o r functions -- i.e., experimenters
selected f o r s c i e n t i f i c capability, r a t h e r than mechanical r e a l i a b i l i t y ,
and no o f f s e t t i n g provision of operators o r a "second man," -- a r i s k

i s assumed i n t h e process.
( b ) A l a c k of s a f e t y motivation i n t h e experimenter seems apparent.
( c ) Prior e r r o r s of t h e same t y p e were not detected and theref ore not
reviewed.
(18) Monitoring by Health Chemistry was l a t e r stepped up t o a more o r less
continuous basis.
The HILAC Tree i l l u s t r a t e s how two o r more sources of energy can be analyzed
f o r b a r r i e r s between.
Any problem not marked * or W* i s a problem made e x p l i c i t by t h e tree
analysis -- t h e r e a r e sixteen such problems. Some might be impractical t o
solve, i n which case they become assumed r i s k s .

Outline Form of B e e for H i ~ hLevel S p i l l a t HILAC
Certain costs, $58,500; others substantial.
Long-term injury? Research time lost.
9. Oversights and Qnissions
AR. Assumed Risks
G. General Management LTA
S. Oversights and Omissions
SA1. C m W widely dispersed; ~ s / o b j e c t sexposed
SA2. Amelioration
.
a. Shut-down oak, (NO 2nd)
b Evacuattrm 'largely o k
Z. Itad automatic alpha alarm*
..
c. Emergency equipment largely 0.k.
1. Add exterior showefl
d. Decontamination good
e. Medical Service LTA
1. 1st service delayed*
2. Follow-up o.k.3 Apparent research needs.
SA1.
-
Cm24.4 widely dispersed; persons/ob ject s exposed
SB1. Cm2U t a r g e t disintegrated Reason not c l e a r
S E . Barriers LTA
a, No primary enclosure
1. Was close-capture hood
2. Change made it impractical
I1
a D/N communicate change
b No new hood*
b. No secondary enclosure
1. Delay f o r budnet reason*
SB3. Persons/objects i n energy channel
- - - - - - - - - - - Assumed Wsk I11
a. Persons functional
b. No evasive action possible
c. Store unused equipment elsewhere*
SB1. Cm244 target disintegrated
SC1. Pressurized He released
SC2. No Temporary Barrier
SC3. Cm24f+ t a r g e t present
a. Safer not t o move?*
-- - - - - - - - - - - - - -
D/N bombard
Assumed Risk I1
SC1. Pressurized He released

a. ~ailure/monihor
SD1. Knowledge LTA
a. No known precedent
, .SD2. D/N contain energy
SD3. D/N Safely release ------------- Asswned Risk I
SD2. D/N contain energy
SEl. Undue s t r e s s
SE2. target barrier: F/W psi; vacuum b a r r i e r D/N l@ 25 p s i
a, D/N t e s t variance
b. Prior damue?
AR.
G.
Assumed Risks
I.
SE1. Undue Stress
D/N safely release He pressure

11. Safer not t o move C W t a r g e t
--
SF1. D/N limit pressure
a. D/N define reauirements
SF40 NO warninn si-1

SF2.
c. DIN
- - - - - - - - Assumed Risk I V
SF2. m e r i m e n t e r e r r o r
SF3; NO- automatic shut-off
m e r i m e n t e r error
SGl. D N interlock
SG2. D N review human factor
SG3. F T follow rocedure
a. Normal variance?
b. Changes?
monitor enough#
d. No evident supervision
111. Secondary enclosure delay f o r budget reason

IV. No automatic shut off He pressure
V. D/N select experimenter f o r operational r e l i a b i l i t y .
General Management LTA
G A L "Lack of firm policy"+
GA2. Action LTA
Assumed Risk V
a. D/N specify review procedure

GA3. D/N Monitor
a. Operations
b. Safety program
* Basic problems i n report

Other subsequent actions
Environmental Chamber
The explosion of an a l t i t u d e chamber resulted i n temporary t o t a l disabil-

i t i e s t o two employees and $1,000 damage. The accident could e a s i l y have
produced f a t a l i n j u r i e s .
Excerpts from two standard Fom 92 reports on t h e inJuries and a Form
AEC-283 report on t h e damage show as follows:
1. "Requirements c a l l e d f o r t e s t i n g electronic e q u i p e n t a t pressure

corresponding t o sea l e v e l and 250,000 f e e t a l t i t u d e .
2. "Ibployee was observing t e s t of electronic receiving u n i t i n a pressure-

, a l t i t u d e chamber t o provide sea l e v e l pressure. Operator erroneously
overpressurized chamber beyond its rating and 38" x 38" x l 1/4" tem-
pered g l a s s f r o n t blew out of chamber, and pieces of it struck employee.
3. "A pressure of 14.7 p s i gage was being applied instead of 14.7 p s i

absolute (2.5 p s i gage). The chamber was designed t o hold 4.2 p s i gage
a t t h i s altitude.
4. h he pressure was being increased gradually from 12.2 p s i absolute t o

14.7 p s i absolute. When approximately 14.0 p s i gage pressure was
reached, t h e door frame and g l a s s ruptured.
5. "Lack of proper instructions. Personnel were not aware of t h e difference
."
between gage and absolute pressure. Safety pressure r e l i e f valve had
been sealed shut
6. preventive a c t ion: , 3
(1) "A manometer indicating pressure i n terms of f e e t and mm w i l l be

i n s t a l l e d on each chamber.
(2) "Pressure switches w i l l be i n s t a l l e d which w i l l shut off air supply

at a predetermined pressure.
(3) "Factory s e t and sealed pressure r e l i e f valves will be i n s t a l l e d .

(4) "Vacuum/pressure rupture discs w i l l be installed.
( 5 ) "Consideration w i l l be given t o replacing pressure regulator valves

with an improved type."
7. Additional action:
(1) " A l l t e s t s involving a l t i t u d e chambers w i l l be reviewed and evalu-
ated by a responsible engineer i n charge of t h e equipment.
( 2 ) " A l l operators of a l t i t u d e chaaibers w i l l be retrained i n gage pressure,

absolute pressure, and a l t i t u d e concepts.
(3) "Personnel will be directed not t o place themselves i n front of

&or6 o r viewing ports of a l t i t u d e chambers.
8. "New pressure monitors a r e being obtained, pressure r e l i e f devices a r e
being i n s t a l l e d , and each setup w i l l be reviewed by t h e project leader.
It
Meetings with responsible organizations a r e being held t o determine
appropriate Laboratories-wide system f o r RLD pressure v e s s e l safety.
A l e t t e r i s being issued by t h e Safety Engineering Department t o a l l
technical organizations, reviewing incident and making safety recommen-
dations t h a t are applicable t o hazardous t e s t s . "
A d e t a i l e d i n t e r n a l report provided additional information; such a s :
1. D i f f i c u l t y i n g e t t i n g equalized pressure on clamps around door.
2. Ten years of operation may have overstressed and fatigued glass.
3. Switched gauge about e i g h t years ago from absolute pressure t o gauge

pressure.
4 . Two years ago t h e pressure r e l i e f valve was changed. A spring type

r e f r i g e r a t o r valve s e t a t 14.6 p s i w a s modified t o r e l i e v e at 5.0.
5. The equipment was v i s u a l l y checked.about f i v e months e a r l i e r .

6. No one knows when o r how r e l i e f valve was capped.
7. I n a subsequent t e s t t h e valve did not open u n t i l 240 p s i was reached,
and l a t e r opened a t 57-60.
8. I n t h e future r e l i e f s and sensors should be checked a t t h r e e month

intervals.
9. Gauges should be checked and calibrated "frequently and periodically. "

10. Viewing p o r t s should be of minimum s i z e .
A t a l a t e r date a three-day t r a i n i n g session i n pressure vessel s a f e t y was
conducted f o r 180 people.
The accident i s graphically analyzed i n t h e Exhibit attached.
Any basic problem ( c i r c l e ) marked * i s a problem i d e n t i f i e d i n t h e reports.
Any c i r c l e not so marked i s a problem r a i s e d by t h i s analysis.
The analysis on page 1 seems t o require l i t t l e comment.
On page 2 t h e l e f t hand section, Methods Less than Adequate, r e f l e c t s t h e
apparent l a c k of system s a f e t y programs which could control events of t h i s
nature on all types of equipment.
I n t h e Methods Section i s noted t h e school subsequently conducted. In the
absence ofa.prescribed hazard review procedure, a s e r i e s of schools on all major
hazards i s an approach of questionable effectiveness. The solution t o t h i s type

A2 -5
of problem seems t o l i e i n review procedures which bring events o f i n t e r e s t t o
t h e a t t e n t i o n of a small groue of competent people. Mass education i s l i k e l y t o
have only limited value and e f f e c t , and f o r only one special problem.
I n t h e section on "Content Control" on page 2 it w i l l be noted t h a t almost
a l l of t h e deficiencies noted were r e f l e c t e d i n the reports.
On page 3 we again see systemic deficiencies of which t h e s p e c i f i c accident
w a s only symptomatic. Specifically, a general lack of e f f e c t i v e maintenance and
inspection plans, and point-of-operation logs i s suggested by t h i s accident.
The r o l e of t h e supervisor is inadequately examined i n t h e reports -- t h i s
means t h e i n s t i t u t i o n of s u ~ e r v i s i o n ,not t h e man. To w i t , it i s suggested t h a t
t r a i n i n g and time may be inadequate f o r assigned functions.
Most important --. i n t h e absence of a JSAJIT-SO sequence implemented organ-
i z a t i o n wide, t h e e f f e c t o f such p l a t i t u d e s a s "reinstruct operator and give
c l o s e r supervision" w i l l have minimal, short term e f f e c t f o r t h i s operation -

and no effect whatsoever a t t h e locus of t h e next serious accident.
Basically, t h e a n a l y s i s suggests t h a t t h e safety system i s i n need of
improvement, whereas t h e conventional reports are so constructed a s t o focus on
t h e s p e c i f i c s of t h e event.
The site complied with AD2 reporting procedures. The reporting procedures
are inadequate because they do not suggest or imply t h a t t h e general safety
system may be i n question o r doubt. The next f a i l u r e of similar severity may
be i n an e n t i r e l y d i f f e r e n t content o r subject matter f i e l d .

Brief Summaries of Four Cases
A3 HEPress Press was used t o compress high explosives. The mushroom

p l a t e s e a l w a s omitted by e r r o r by a previously r e l i a b l e
operator, Fluids extruded through threads and a hole, then
the sac enclosure, extruded, t h Q t h e HE extruded, w a s heated
and exploded. The operator was i n a remote, shielded m a ;
other employees were not. Despite lack of control of adjacent
t r a f f i c , no h a r m w a s done t o t r a f f i c . The operator had a
personal. problem--wife se-dously ill. The report shows a
recommendation t o r e i n s t r u c t without any reasoning o r analysis
a s t o why such r e t r a i n i n g might have effect. A common recom-
mendation--enforce--is made even though f a i l u r e was not detected!
A4 MAPP Gas Liquid gas was being transferred from a supply t o a cylinder
by two experimenters.
A5 Falls Two almost i d e n t i c a l falls from slopirg roofs.
A6 Initiators Explosives i n i t a t o r s were being modified. Employee was t h e

one who gave s a f e t y instruction f o r t h i s kind of work. The
s t a t i c - f r e e room had other use intermittently, and had been
modified . -
A3 -4
Footnotes t o Case A1
#- not a push-button cheoklist for catastrophic potentials which has themlag

interlocklr t o not permit further operations t o be perfarned? (1n other words,
the computer won't l e t you proceed, so you have nothing t o do while waiting
exoept perform required etep! ) Then, f o r redundsrrcy, interlock hardwere end
compater! We need more "black boxesn f o r really high potential failures.
6 D/N r e s t r i c t press to one operation
Poor c r i t e r i a f o r roof need
D/N estimate l i f e oyale exposure
D/H estimate l i f e cycle error rates
D/N estimate l i f e cycle risk acceptance
100 Failure-Mode-and-Eff ect Amslysis
100 -0-Failure Analysis
:. Inadequate alternatives of oontrols and redundancy.
(on-the-right) 100 Human Facton, Review of Error Potential.
Appendix B. A Few Usef'ul System Concepts
People often complain t h a t they don't have a "feel" f o r what i s meant by
systems. On occasion, insight has seemed t o come f'rom thinking a l i t t l e about
various kinds of systems:
*A toaster w i t h bread and a housewife-operator i s a system.
*An unmanned s a t e l l i t e and a ground controller i s a system.
These first two are rather limited, o r "bounded ."

W r a f f i c i s a system, of which t r a f f i c l i g h t s and controls are a subsystem.
*A corporation (or a government department) is a system - perhaps imperfect
and very likely imperfectly understood, but nevertheless a system.
U.S. Congress, o r the Boy Scouts are systems.
Examine these systems against the definition a t the beginning of Chapter ll.
Can you name the components of these systems? Can you s t a t e how they interact?
*a*
This i s not 1 keztise on system cbvelopnant as si~ch, but t h e m am a fen
cizncepts fwuiamental t o underskmding and application of the text.
System Nomenclature. The usual auWiui8ion of systems i s r
The S y s t e m as a who16
Subyrtems
The d1ffj.cuLty begins r s h a the carbure+r &sS.gner sees the carburetor as a

system, while the automotive engineer mes the car as the system. . The National
Highway Safety Administratim in turn sees t h e car as a subsystem i n an ovc-rall
transportation sysfcm.
If we were more s t r i c t in .our terninology (and we probably uhauld be), we'd
have the follouixag arrangemnt:
Componsnts
Progrtm elements such as:
Iniannation
mtor3mg
Haaazd Analysis
up8treaUl Process
Work Flow Processes
Parts+ such a t
Accident Reports
BSO Shtdiee
Worst Rotential L i s t s
Informatson Search
Design
Supervlaion
Operating R u cedurea
Operating Personnel
Inpuboutput Models. It i s customary to develop system models i n terms of:

b
ZnPut )
__Function +Output
Variation on tbe term m c t i o n m a y include: processing, mediaklon, operation.
Naturw, *re may be one or more inplts and outpltso Ln general the rectangle
is uaed far a ilurtion, a ~ input
d or output i s shown cause or
Feedback. Systems are dynamic and employ feedback t o control the3aselvcrs and
reatore brlmum (homeortatis). A system model must then, show feedbockr.
System Models. Actual systens are f a r more cogplex than the simple models
which can be dram o r the more canplex mallhematical models which are increasing*
used. The test of a model is whetht r it u s e f i l l y explains speciflc aspects of how
system operates, a d whether data can, therefore, be collected and used to
impmve -tern operations, Or, when data collection i s not possible, the system
e l e m s t o r h c t l o n may be redesigned t o operate according to a plan, and thereby

b e o m susceptible t o laeasurement.
Iterative Cycles. Most systems employ euccessive i t e r a t i v e cycles to improve
a function. Such cycles were shown f o r the general management syrrtema dirrcuseed
above. Design i s i n i t s e l f an i t e r a t i v e Aurction. I n safety, a aeries of uses of
a Hasard M y u i s Process can be seen as follows:
I In conventional
r1
I t e r a t i v e HAP Cycles safety, accidents may
be the basis f o r successive improvements.
=l
T3m
I For nFirst Time Safen analyeis, inrsati-
I gatlon, research, mthod and thorougbneaa
I
4f
are used t o at-
o r with fewer failures.
8afety without failms,
System Elanents. One concept which has seemed to be useful in rnalysing

q&ea problem has been t h a t r e deal w i t h only tbree h c t i o n a l thiagst
Energy is here seen as the energy forms whic': produce work o r accidents, energy
stored in machines o r devices t o produce work o r contain and d i r e c t other energy, Or
stored i n money, o r a s exemplified by persons doing thingso

Information processing (collection, analysis, s toraf-e, r e t r i e v a l , analysis ) %I
a function of machine o r man.
Time has aspects of change and p r o b a b i l i s t i c deviations over time, and time f o r
energpinfornation processes t o develop.
People a r e seen as information processing and enera- devices. (Somewhat
inhuman, but we can compensate with humanistic philosophies of e r r o r reduction,
help and assistance, and Iruild5ng acceptance. )
-
Viability of a System. The v i a b i l i t y o f a system seems to be dependent on
three characteristics:
1. Its a h i l i t y t o examine i t s o m faj-lures and make both s p e c i f i c and syst.smic

corrections, but e s p e c i r d l y the l a t t e r .
2. Its abilitg to analyze and compare i t s e l f with otlwr ,systems (perhaps
Fecmse of indications of e f f i c a c y i n other systems), and as appropriate,
i n i t i a t e corrective changes.
3* Its abili t.y to deal. wi t.h new infonna t.ion and changes.
A conscious e f f o r t has been made t o use these three c r i t e r t a i n developing ?iORT,
and r e s u l t s t o d a t e have seemed t o be s a l ~ t a r y .

Appendix C. Example of Analysis of Value Aspects of Alternatives
-Most of MORT analysis i s quantified i n t e r n s of energies, b a r r i e r s ,
t w e t s , and p r o b a b i l i t i e s and consequences thereof. Quantification of
values is a l s o desirable.
The Kepner-Tregoe analysis of a l t e r n a t i v e s requires t h a t you s e t down
- -
MUSTS c r i t e r i a which must be met. Then desired c r i t e r i a a r e l i s t e d and
given weights a s t o importance. The author has inserted a column t o cate-
f s / ~ a l u s/Threats
gori ee 1nvestment s / ~ e n e it e (as outlined on 256) *
I n the example, four a l t e r n a t e plans, plus a supplementary plan t o
s u b s t a n t i a l l y improve safety are scored, The first number i n each column
is i t s score, and the second number i s the product of 'weight times score.
The programs evaluated are:
Present, same = continue present r a t e of improvement ( a standard of
comparison, but not usually a winner) .
Present, more = increase r a t e of imprwement with present type safety
programs.
Consensus, composite = an assembly of present best contractor programs.
-
M Om = inclusion of general management techniques and human f a c t o r s and
e r r o r reduction programs.
Supplemental - plus a funded s a f e t y research program.
To familiarize yourself with t h i s technique:
1. Examine, modify and add t o t h e author's c r i t e r i a ,
2. Examine and modify the weights assigned by the author,
3. Review scores assigned,
4. Re-compute aggregate scores.
Perhaps you have a candidate program which you want t o enter and score.
Notes f o r figure:
*except f o r items proven on I/B/v/T evaluation.
**occupational plus nuclear, radiation, etc.
k -
Appendix D i
C 2 ,
Discussion of C r i t i c a l Incident o r Incident Recall Techniaues

C r i t i c a l incident r e p o r t i n g has y e t t o be proven p r a c t i c a l as a trend
measurement technique. However, the r e p o r t s collected have proven t o be
extremely h e l p f u l raw m a t e r i a l f o r t h e hazard reduction m i l l . CIT was
developed by John C. Flanagan (1954); a l s o see Tarrant s (1965) f o r a s a f e t y
application.
The " c r i t i c a l incident technique" was summarized by OrShell and Bird (1969)
as follows (they used t h e term Incident ~ e c a l l ) :
,
"The Critical Incident Technique (CIT) i s one significant method of
identifying errors and unsafe conditions that contribute t o both
potential and actual injurious accidents. A s t r a t i f i e d random sample of
participant-observers i s asked t o report a l l c r i t i c a l incidents recalled
that produced or might have produced injury or property damage.
C I T grew out of the aviation psychology program of the Air Force. Many
cases were discovered of p i l o t s misreading i n s t m e n t s , failing t o detect
signals, and misunderstanding instructions. Analysis of these errors
suggested some logical remedies, such as the improvement i n readability
of some instnunents.
Several t e s t s of the Critical Incident Technique in industry have been
made. The results of a recent study a t a Baltimore industrial s i t e with
participation by the Division of Accident Research of the Bureau of Labor
S t a t i s t i c s revealed that :
1 ) The Critical Incident Technique dependably reveals causal factors i n
terms of error and unsafe conditions that lead t o industrial accidents;
2) The technique i s able t o identify causal factors associated. w i t h both
injurious and no-hjurious accidents.
3) The technique provides more information about accident causes and a
more sensitive measure of t o t a l accident performance than other available
methods of accident study.
4) Causes of nowinjurious accidents identified by CIT can be used t o
identify sources of potentially injurious accidents.
5) Use of C I T t o identify accident causes i s feasible.
Similar conclusions have come from other recent industrial studies using
the technique. I n addition, there are numerous modifications of CIT
currently being applied i n the aerospace and electronic industries, where
. i t has been developed into a highly successful and sophisticated e r r o r
removal t o o l i n quality control.
I n spite of a l l this positive evidence of i t s value when applied under
controlled circumstances, the Critical Incident Technique has not been
widely applied i n industry.
There are very practical reasons f o r this lag i n moving t o before-the-fact
methodology via the Critical Incident route. The major studies t h a t have
been reported on CIT were organized by researchers and academicians, who
"apparently did not have a fill appreciation f o r the everyday problems
and behavioral factors that influence the practical application and
success of a safety technique with supervision i n general industry."
O % h e l l and Bird also provide suggested fonns and procedures.
The emphasis which has been placed on CIT a s a measurement tool, ie, for
comparisons of units or periods, has probably misdirected attention away from
the tremendous value of individual recall reports a s triggers for the hazard
analysis and reduction process.
Since large numbers of valuable reports can be obtained, a criterion f o r
program evaluation i s the use of C n on a t l e a s t a minimal basis a s a method
of collecting incident data individually u s e m (but not necessarily valid
f o r camparing units).
A point could be made: No matter hw small the safety budget, some allo-
cated fraction of time should go i n t o c r i t i c a l incident studies. Experience
would then lead t o a consensus as t o optimal fractions of t i m e .
Appendix E
Excerpts from Tables of Human Error Rates
HUMAN RELIABILITY IN OPERATION O F
CONTROLS A N D DlSPLAYS
DEVICE AND PARAMETER RELIABILITY *

Circular Sc alc
Scalc Diamctcr, Inches:
0.9996
I). 9997
0.9993
Scalc Stylc:
Moving scalc
Moving pointer
Color -c o d d
Pointer Stylc:
Horizontal bar, 0 at base
Trianglc or vertical bar at base
Distancc Bctween Marks, Inches:

Less than 1/20
More than 1/20 to 114
Proportion of Scale ,Marks Numbered:
Nunlbcr of Units on Scalc:
* RcliaLility
is probability thht device with given paramcler w i l l be read or
operated correctly.
Source: Gq-rick (1967), which continues for two more pages.

Appendix E-2
-
HUMAN RELIABILITY IN THE P E R F O 3 M A N G E
OF VARIOUS TASKS
ERROR RATINGa% ESTIMATED

TASK ELEMENT MEAN STD. DEV. RELIABILITY
Read Technical Instructions

Read Time (Brush Recorder)
Read Electrical o r Flow lMeter
Inspect for Loose .Bolts and
Clamps
Position Multiple Position .
Electrical Switch
M a r k Position of Component
Inst all Lockwir e
Inspect for Bellows Distortion
lnstall M a r m o n Clamp
Install Gasket
Inspect f o r Rust and Corrosion
Install "0"Ring
Record Reading
Inspect for Dents, Cracks,
and Scratches
Read P r e s s u r e Gauge
Inspect for Frayed Shielding
Inspect for QC Seals
* E r r o r rating is a numerical assigned value indicating d e g r e e of difficulty

of task performance. The e r r o r rating is a m e a s u r e of the e r r o r potential
for the task accomplishment. The rating range is normally one t o t e n with
the digit 1 corresponding to least error poicntial aild the valcc 10 for m o s t
. e r r o r potential.
Source: Garrick (1967), which continues for eleven additional pages.

Appendix F
Criteria f o r Preparation or Review of Procedures
Source: Originally based on Fasish (1967), modified by an Aemjet hocedure
Review B o d , and mther modified by the author f o r t h i s text.
A. -lation between Procedure and.-H

1. Does the procedure contain a statement as t o the hardware configura-
tion against which it i s written?
2. Does the procedure contain background descriptive o r explanatory
information where needed?
3.,Does the procedure r e f l e c t or reference the l a t e s t revision t o drawings,
manuals or other procedures?
B. Adequacy of the Procedure.
1. I s t h i s the best way t o do the job?
2, I s the procedure clear, concise and free from ambiguity which could
lead t o wrong decisions?
3 Have calibration requirements been clearly defined?
4. Have c r i t i c a l red-line parameters been identified and clearly defined,
and have required values been specified?
5 Have corrective controls of these paranreters been clearly defined?
6. AE all values, switches and other controlling components identi-
f i e d and defined?
7. Are such items a s pressure limits, caution notes, safety distances, or
hazards peculiar t o t h i s operation clearly defined?
8. Is the procedure easy t o understand?
9 Are hard-to-locate components adequately defined and located?
10. Are job safety requirements defined
and tools checked f o r sufficiency?
-e .g., power off, pressure dawn,
ll. Is system operqtive a t end of job?

12. Is d e t a i l appropriate - not too much,
not too l i t t l e ?
13 Has the hardware involved i n the procedure been evaluated f o r human
factors and behavioral stereotype probkms? If not corrected, are
any such clearly identified?
14. Are monitoring points and methods of verifying adherence specified?
15 Is maintenance and/or inspection t o be verified? If so, i s a log
provided?
16. Is safe placement of other process personnel o r of equipment specified?
17 Were e r r o r s i n previous, similar processes studied f o r cause? Does
t h i s procedure correct such causes?
18. Have jigs and arrangements been provided t o minimize error?
C. Accuracy of the Procedure
1. Has the capacity of t h i s procedure t o accomplish i t s speqified purpose
been verified by internal review?
2. Are a l l gauges, controls, valves, etc., which are called out i n t h i s
procedure, described and labeled exactly a s they are actually?
3. A r e a l l setpoints o r other c r i t i c a l controls, e t c . , compatible with
values given i n control documents and stated i n the procedure?
4. Are the safety limitations i n t h i s procedure adequate f o r the job t o
be performed?
5. Are a l l steps i n the proper sequence?
D. Adequacy and Accuracy of the Supporting Documentation
1. Are a l l adequate supporting drawings, manuals, data sheets, sketches,
e t c . , e i t h e r l i s t e d i n t h i s procedure o r attached?
2. A r e a l l interfacing procedures l i s t e d i n t h i s procedure?
E. Securing Provisions
1. Does the procedure contain adequate instructions t o return the f a c i l i t y
o r hardware t o a safe operating o r standby condition?
2. Do these securing instructions contain step-by-step operations?
F. Backout Provisions
1. Can t h i s procedure put any component o r system i n a condition which
could be dangerous?
2. If so, does t h i s procedure contain emergency shutdown o r backout proce-
dures e i t h e r i n an appendix t o the procedure or a s an i n t e g r a l p a r t of
t h e procedure?
3 . I s the backout procedure o r instructions f o r i t s use included a t t h e
proper place i n the basic procedure?
G . Emergency Measures
1. Are there procedures f o r action i n case of enaergency conditions?
2. Does the procedure involve c r i t i c a l actions such t h a t pre-performance
briefing on possible hazards i s required?
3. Are adequate instructions e i t h e r included o r available f o r action : o
be taken under emrgency conditions? Are they i n the r i g h t place?
4. Are adequate shutdown p r o c e d m s available<anddo they cover a l l sys-
tems involved and are they available f o r emergency re-entry teams?
5. Does the procedure specify the requirenaents f o r an emergency team f o r
accident recovery, troubleshooting, o r investigative purposes where
necessary, and-describe the conditions under which the emergency team
w i l l be used and the hazards they may encounter or must avoid?
6. Does the procedure consider interfaces i n shutdawn procedures?
7. How w i l l changes be handled? What a r e thresholds f o r changes requiring
review?
8. Have emergency procedures been t e s t e d under the range of conditions
which may be encountered - e.g., a t night during power f a i l u r e ?
H. Caution and Warning Notes
1. Have caution and warning notes been included where appropriate?
2. Do caution and warning notes precede the operational steps containing
p o t e n t i a l hazards?
3 . A r e they adequate t o describe the p o t e n t i a l hazard?
4. Are they separate e n t r i e s with d i s t i n c t i v e bold type or other emphatic
display?
5. Do they include supporting s a f e t y control (health physics, safety
engineer, e t c . ) i f needed a t specific required steps i n the procedure?
6 . Are human-induced hazards identified and described by cautions and
warnings?
I. Reauirements f o r C c
1. H a s an adequate means of commwnication been provided?
2. W i l l l o s s of communications create a hazard?
3. I s the course of action c l e a r l y defined i n t h e event of l o s s of required
communications?
4. Has v e r i f i c a t i o n of c r i t i c a l communication been included where required?
5. W i l l l o s s of control o r monitoring capability of c r i t i c a l functions
create a hazard t o people o r hardware?
6. Have a l t e r n a t e means o r a course of action been c l e a r l y defined t o re-
gain control of monitoring functions?
7. Are the above s i t u a t i o n s flagged by cautions and warnings?
J. Sequence-of-Events Considerations
1. Can any operation i n the procedure i n i t i a t e an unscheduled or out-of-
sequence event?
2. Could it induce a hazardous condstion?
3. Is it i d e n t i f i e d by warnings or cautions?
4. Is it covered by emergency shutdown and backout procedures?
5. Are a l l sequence steps prescribed i n the procedure sequenced properly
and such t h a t they w i l l not contribute t o o r create a hazard t o the
hardware?
6. Have a l l steps which, i f performed out-of-sequence, could cause a
hazard been i d e n t i f i e d alld flagged?
7. Have a l l non-compatible simultaneous operations been i d e n t i f i e d and
suitably r e s t r i c t e d ?
8. Have these been prohibited by positive callout or separatton i n step-
by-step inclusion within tb t e x t of the procedure?
K, Environmental Considerations (Nqtural or ~nduced)
1. Have environmental requireprents been specified which constrain the i n i t i -
a t i v e of the procedure o r which would require shutdown of the action
or evacuation, once i n prggress?
2. Have the induced e n v i r o d n t s (radioactive, toxic or explosive atmos-
.
pheres, e t c ) been consigered?
3 . Have a l l l a t e n t hazards '(pessure, height, voltage, e t c .) i n adjacent
environments been considered?
4. Are there induced h a z a d s from simultaneous performance of more than
one procedure by personde1 within a given space?
L. Personnel Qualification ~ t a t k m e n t s
1. Has a requirement f o r c e r t i f i e d personnel been considered?
2. Is required frequency q'f re-check of personnel qualifications specified?
M. Interfacing Hardware and Procedures Noted
1. Have a l l interfaces been described by detailed callout?
2. Have interfacing operating procedures been identified o r written t o
ready equipment?
3 . Where more than one organizational element i s involved i n an operation,
have proper l i a i s o n and areas of responsibility been established?
N. Procedure Sign-Off
I. Is procedure t o be used a s an in-hand, l i t e r a l checklist?
2. Have step sign-off requirements been considered and identified and
appropriate spaces i n the procedure provided?
3 . Have procedure completion sign-off requirements been indicated (signa-
ture, authority, date, e t c ) ? .
4. I s supervisor v e r i f i c a t i o n of correct performance required?
0. General Requiremnts
Are the procedures s e t up such a s t o discourage a s h i f t change during
performance o r i n such a manner a s t o accomodate a s h i f t change?
Where s h i f t changes a r e necessary, does the procedure include o r refer-
ence s h i f t overlap and b r i e f i n g requirements?
I s there mandatory inspection, v e r i f i c a t i o n and system validation r e -
quired whenever the procedure requires breaking i n t o and reconnecting
a system?
Are safety prerequisites defined? Have a l l safety instructions been
spelled out i n d e t a i l t o a l l personnel?
Do the procedures require pre-checks of supporting equipment t o ensure
i t s compatibility and availability?
Has consideration f o r unique operations been written i n t o the procedures?
Do the procedures require walk-through or talk-through dry runs?
General supervision requirements - e.g., what i s t h e protocol f o r
t r a n s f e r of supervisor r e s p o n s i b i l i t i e s t o a successor?
Are r e s p o n s i b i l i t i e s of higher supervision specified?
P. Reference C o n s i k z & b u i
1. Have applicable quality assurance and r e l i a b i l i t y standards been con-
sidered?
2. Have applicable codes, standards and regulations been considered?
3 . Does the procedure comply with control documents?
4. Have hazards and system safety degradations been identified and con-
sidered against specific control standards and procedures?
5 . Have specific prerequisite administrative and other management approvals
been complied with?
6. Have comments been received from the people who w i l l do t h e work?
Q. Special Considerations
1. Has a documented safety analysis been considered f o r safety-related
deviations from normal practices or f o r unusual o r unpracticed
maneuvers?
2. Eave new r e s t r i c t i o n s or controls become effective t h a t a f f e c t the
-*-nnJl,-a in w ~ R h manner that new safety analyses may be required?
Appendix G
Participation and Motivation

( ~ x c e r p tfrom earlier report)
Participation and Social Forces

We have seen in innovation d i f f u s i o 8 the possibility of substanfive effects
from participation and inter-personal influences in acceptance of changes.
The management style of the organization, and its use of behavioral science
principles, aside from hm we design safety projects, will obviously have 8 pre-
dominant, o r a t 3e a s t underlying, effect on safety. High morale has been shown t o
be associated with acceptance of personal responsibility for safety. fan promotion
possibility has been sbwn t o b e associated with accidents.
* Appendix H
Seiler describes the strong influence of the social f a c t o r o r s o c i a l inputs
on behavior in terms of establishment a d maintenance of group norms. Obviously
such norms can be favorable o r unfavorable f o r safety, especially so i f a construc-

t i v e change i s desired. Therefore, planned programs f o r safety should include
identifiable elements which endeavor t o e n l i s t support from the social structure.

Perfolrnance of s c i e n t i s t s in a research organization was shown t o be related
t o group rasiah2ea i n v a r i e t y of values and experience, and nhen supenisor8 pro-

vide stimulation and sutomllpr. Thus a few possible guides f o r laboratoxy safety
can ?m perceived.
Partidpaidon in developpent of safety msasares can iamlve group leaders in
such ways a s t o promote, first, individual and then, group acceptance.

Participation, especially by a group, may supply valuable on-the-job know-how,
but has a limiting value where professional expertize i s required.
We now see more c l e a r l y why participative a c t i v i t i e s are not just a s option -
they are necessary to success. The case h i s t o r i e s of successful programs are
replete w i t h references t o need f o r participationo
ParticipatLon can, obviously, take many forms. -Committees a r e one of the
.. " --
f o r m very common
" <' t
- management committees t o build acceptance and team s p i r i t ,

-'
and committees w i t h employee participation ( i n some cases union-selected and in

others otherwise selected). I n those low-accident-rate companies which frown on
stress on 0- f o m a of p v t i c i p t i a n .
There are four common forms of safety committees:
1. Corporate, o r plant-wide - usually a management conunittee.
2. hepartmental - usually a connnittee of foremen.
3. Area - a committee of workmen.
G-3
However, there are wide variations f r o m this pattern, including plant labor-
management committees.
The functions of committees include:
1. Arouse and maintain interest.
2. Promote personal responsibility (management and employees )
3. Help integrate safety in operations
4. Provide f o r discussion
5. Help management evaluate suggestions
6. Develop team s p i r i t .
Written terms of reference f o r c d t t e e s are essential. Meetings should be
w e l l planned. Follow up t o secure action o r disposition on recornendations should

be unfailing. record of accomplishment shod d be built.
Specialized committees o r special functions of existing committees may
include inspection and accident investigation - however, committee work here is
d e f i n i t e l y no substitute for the pr3ma~gline responsibility. &cause committee
inspection and investigation may impair l i n e responsibilitg, such functions are
f-ed on many.
In planning the participation aspect of a safety program, the safety direc-

t o r will want t o take account of other pertinent a c t i v i t i e s - e.g., the presence
of a suggestion system.
The duPont company s t r e s s e s the value of discussion in problem solving
(safety o r other). They have an interesting pictogram, which says t h a t a
full discussion is the b e s t way t o get there first.
hFbnt Discussion Execution
Others Disc. Execution

1
fir& phced these aspects in a context of clear goah, Jab satlafaction, a d mutual
.-
Supportive Programs
Human r e l a t i o n s programs, a& mental health and alcoholism programs, are

\
additional examples of basic programs t o support and a s s i s t the individual, which
can have an important r e l a t i o n t o safety. Body concluded they could contribute

much and could profitably be expanded.
Presumably the role of safety i s t o provide data pertinent t o support of such
broad programs, ard t o u t i l i z e them t o the f u l l e s t .
The Individual i n a Sociotechnical Context
We s h a l l shortly come t o the f u z z i e s t areas of human factors - attitudes,

emotions, and personality - so we can profitably recapitulate t h e elements in h i s
environment which the Hazard Reduction mcedence 'Sequence has i d e a l l y provided.
The organization has now maximized i t s contributions i n the following areas:
1. Proven management concern - sincere and vigorous,

2. P. safeguarded environment,
3. Tasks and equipment integrated and e r r o r preventive - t o l e r a n t of human

limitations,
4. Good job safety procedures, job t r a i n i n g and superpision,
5. Safety improvement programs which provide f o r participation and group

refnforcement and support, ard
6. Fdgh morale and productivity through sound human relations, backed up ky

mental health resources where needed.
Sounds l i k e heaven8 However, i n a n i d e a l system it makes sense t o put prefer-
e n t i a l emphasis to those programs which have demonstrated some efficacy before
trying t o "change human natureon
The Individual
The individual person has been d e a l t with in terms of selection, adequate

training, good supervision, opportunities f o r participatAon, group influences,
morale and supportive services - a l l of which should be i n f l u e n t i a l i n producing
safe behavior. It remains t o ccnsider whether some additional problem variables -
negative attitudes, emotions, and so c i a 1 maladjustment can be constructively
affected.
EhPdg reports that tha mvidenco for relationships of attitudes to 8afet.y i r in

some conflict, and t h a t personality and psychological t e s t s have n o t been s u f f i -
c i e n t l y predictive to be of g r e a t use. Safety-related a t t i t u d e s may be the r e s u l t
of the broader morale building situation.
Emotions, emotional cycles, and p a r t i c u l a r l y emotions which disrupt tasks
requiring thought and decision have been shown t o be accident related.
The s o c i a l l y maladjusted, the deviates, and those in c o n f l i c t w i t h organiza-

t i o n and authority produce more than t h e i r share of accidents, perhaps because
group norms a r e l e s s effective*
McGlade says :
Y'he l i s t of psychological constructs i n accident causation is long. Safety

s p e c i a l i s t s are dog-eared from hearing the hacknejred phrases bandied about
concerning the &lationships of accidents and such psychological traits a s
"aggressiveness, " "hostility, " Itinsecurity, " nemotional i n s t a b i l i t y , n and
"resentment of authority.
"Safety s p e c i a l i s t s a r e disillusioned a s well a s dog-eared. Unfortmately,
none of these c h a r a c t e r i s t i c s has been i s o l a t e d i n r e l a t i o n to accident
incidence t o a degree necessary t o demonstrate i t s causative influence. It
i s more l i k e l y a configuration of these characteristics, as y e t unidentified,
which gives the c l e a r e s t picture of the accidentsusceptible individual.
Even i f such an i d e n t i f i c a t i o n were available, it might be meaningless in the
long run. Most individuals possess these c h a r a c t e r i s t i c s in varying degrees,
and it i s highly improbable t h a t diagnostic o r corrective measures could
ever be developed which would be v a l i d o r p r a c t i c a l i n a p p l i ~ a i d o n . ~
The action potentials a r e far f r o m clear. Certainly mass programs t o change
a t t i t u d e s and improve s o c i a l adjustment have not been forthcoming.
The person has a personality which gives him c e r t a i n needs (worth, achievement,
acceptability, etc.) and these in turn give him goals. Between needs and goals, we
ffnd emotions and frustrations. Our t a s k then i s t o build i n motivational programs

which attempt t o satis* needs, and provide supervision t o attempt t o control
adverse e f f e c t s of emotions.
Stikrd.. There has been a lot of apparent nanssnse on attitudes in aafety work,
e.g., "Oood attitah

d l important.'
i8 Actually, a man could have a Wrderfbl
attitude," and if he had poor standards of judgment o r poor habits, kill
someone i n the next few hours.
We can use pictograms t o t r a c e two divergent sequences:
A. Training -
, Better Standards Behavior
\Habit begins A i m s can intervene
B. No Training -* I l l - d e f h e d standards Behavior

\e stionable habits t i o n s may supervene
This conceptualization, if the s c i e n t i s t s can bear with the simplifications,

would provide u s with some framework f o r planning and investigation, and obviously w i l l
place a heavy load on close personal supervision t o d e t e c t relevant changes, and to
avoid creating e m t i o n a l problems.
Changes i n People. Discussion with experienced accident investigators suggests
t h a t information on personal problems and changes, sometimes highly personal, i s

quite often revealed o r hinted. Certainly personal privacy is a value t o be pro-
tected. B u t i f records are to remain s i l e n t on lmown variables, how s h a l l we improw

our work? How s h a l l we assess the need f o r additional supportive programs f o r t h e
individual? How s h a l l we diagnose our accident problems? A real dilemma.
Motivation
I n swmning up motivation f o r safety, McGlade and Campbell have touched on
s p e c i f i c aspects relevant to supervision, participation, s o c i a l f a c t o r s and human
relations: opportunity t o express oneself, job s a t i s f a c t i o n s which meet personal
needs, understanding, acceptance, security, reasonable autonomg, and freedom t o
be skillful. Morale e f f e c t s productivity and safety; and i f a t t i t u d e s are mutable

it i s though job-related satisfactions, r a t h e r than through propaganda.
Moaer provides a leas disaectim, tat equally persuasive philaem* uhieh

relates motivation f o r all aapects of perfonnanco t o mmgemmt's attifads on
safety.
Mass Communication.
Propaganda such a s s l o g k s , postsrs, l e a f l e t s and magazines, and p m g r a

devices such a s contests, constitute a highly v i s i b l e p a r t of many safety programs.
McGlade observes :
psychological research has demonstrated t h a t reliance on t-ypical publicity

campaigns of an informational o r admonitory nature which a r e intended t o
d i s p e l ignorance, a l t e r a t t i t u d e s , create o r change motives and consequent
behavior, o r make the population more Safety-minded, are of dubious value,
For they a r e based on such dubious assumptions as: individuals themselves a r e
l a r g e l y responsible f o r t h e i r own f a t e ; knowledge alone w i l l automatically lead
t o appropriate and safe s o c i a l behavior; propaganda will make unscrupulous men
moral o r unsafe men safe; and campaigns w i l l confer foresight on those who
lack it."
However, McGladels guidelines f o r communication can be helpful in designing
and evaluating programs.
nPsychological theory and research have evolved some general principles t o

guide us in developing s a f e t y mass comunications: the l i n e s of communication
should be a s d i r e c t and short a s possible; communication should be complete
and continuous; and communication must be based on confidence.
"There a r e a l s o some s p e c i f i c principles r e l a t i n g to mass communications:

(1) a person hears what he expects t o hear; ( 2 ) a person w i l l ignore infor-
mation which c o n f l i c t s with what he already hows; ( 3 ) the source of a message
is a determinant of the individual's acceptance of it; (4) the p a r t s of a
message are usually linked together i n a 'halo effect,' - i f the individual
r e j e c t s t h e first part of a message he w i l l tend t o r e j e c t a l l of it;
(5) people i n t e r p r e t a given stimulus i n d i f f e r e n t ways, and t h i s interpreta-
t i o n i s dependent to a l a r g e extent on t h e i r previous experiences; ( 6 ) words
mean d i f f e r e n t things to d i f f e r e n t people; and ( 7 ) vague messages often a c t
a s emotional stimulants, prompting feelings of insecurity and consequent
rejection.
"These principles a r e interwoven, arrl there are some basic lessons t o be learned
t h a t a r e relevant to t h e development and implementatLon of s a f e t y communicatiot~
The most obvious statement t h a t can be made i s that successful pmmunication
.
does not take place automatically when a message i s imparted. l h i s statement
appears self-wident and mundane, and y e t it i s an axiom a s often ignored a s not.
OThere are several guidelines which can serve t o place safety communications
in the proper perspective r e l a t i v e t o other safety management functions:
(1) mass communications a r e most e f f e c t i v e i n a supporting role, when used
to enhance and support operational aspects of the safety program; ( 2 ) safety
mass communications should be presented i n a planned sequence to support
specific aspects of the s e e t y program and specific safety promotional cam-
paigns, r a t h e r than haphazardly presented i n a "shot-gunn fashion; ( 3 ) repeti-
t i o n leads t o retention, therefore s a f e t y mass communications should be
repeated on a planned periodic basis in support of specific s a f e t y pmgram
features; (4) immediate benefits a t t r a c t more attention and positive reaction
than remote o r long-range ones, therefore safety mass communications should
be activated concurrently with safety program procedures and a c t i v i t i e s ;
( 5 ) the familiar i s grasped and supported more readily than the unfamiliar,
therefore, s a f e t y mass communications should l i n k new ideas t o accepted s a f e t y
procedures o r a c t i v i t i e s ; and ( 6 ) t h e objectives of a safety mass comics-
t i o n o r s e r i e s of colrrmunications should be limited in number so t h a t the
r e c i p i e n t can r e a d i l y absorb them."
Planekts promam planning model i s valuable f o r any ppgram plan, but
particularly f o r mass communications. (See figure next page. )
Some forms of one-way communication ( e .g., supervisor materials o r general
rule books) would be evaluated a s p a r t of the supervisor o r job analysis programs.
The injunction t o consider propaganda a s supportive f o r the basic program,
rather than a primary influence, i s wise advice.
A limited number of studies have indicated t h a t posters, i f relevant and
placed a t an action point, produce changes i n behavior. Psychologists have urged
t h a t posters not be amdety-producing.
Certainly recognition of achievements, such as award ceremonies, are a praper
and merited recognition of e f f o r t s and help build morale.
C r i t e r i a f o r designing programs t o maintain i n t e r e s t and obtain helpful
publicity a r e provided in the NSC manual and other references.
In recent years, off-the-job safety has been promoted by many organizations
because of the mmpany's concern f o r costs as well a s employee welfare. Initially

such campaigns appeared highly productive - bter evidence of effectiveness i s n o t
persuasive.
Family involvement, f o r example by material i n off-the-job safety sent t o
homes, has seemed helpful in stimulating personal discussion and involvement.

It does n o t seem a t dl l i k e l y t h a t llass communications rill have identifi-
able a f f e c t s on mass behavior. Therefore, the intermediate evaluations of message,
target, etc., eruggested by Planek should be emphasizeds w h i l e the rafbQ propam
ar a w b b i r maluafed trJr behavior aad accident indi-6.

I
a
DEFINITION DIAGNOSIS AND DECISION t EXECUTION :
m :
;
Operation: Define the current traffic Operation: List priority accident p r o b Operation: List activities under each Operation: Study effect of program ac.
safety situation. lems. program element including speci. tivities.
Basis: Highway safety program analysis. Basis: Frequency, severity, cost, public fic target groups and defined o b Basis: Reaching objectives within cost/
opinion. jectives. benefit exoectations.
Basis: Cost/benefit, judgment. pilot
Operation: Select countermeasures for tests. R & D information. Operation: Investigate final results of each
each problem. element i n traffic safety program.
Basis: Cost/benefit, composite calcula. Operation: Map out the chain of ac. Basis: Achieving final results within cost/
tion, R & D information. tivities in terms of groups and ob- benefit expectattons using selectii sta-
jectives to produce final results. tist*$ analysis.
Operation: Select elements in traffic Basis: Systems analysis, CPT, etc.
safety program.
Basir Resources, breakeven. payoff.
public opinion.
Appendix H . OVATION DIFFUSION
Acceptance of safety-related changes i s a goal of the safety program.

Indeed, it could be argued t h a t a primary a c t i v i t y of the safety professional
i s changing behavior.
i
The existence of a s e t of research-based concepts on methods of behavior

i
change, plus strong indications of proven effectiveness i n the f i e l d of

safety, seems reason enough t o select t h i s topic f o r special treatment as an
example of a v a i l a b i l i t y and use of guiding principles from the behavioral
sciences.
The concepts of the process of diff'usion and acceptance of innovations
provides a very usef'ul framework f o r program design and measurement. The
concepts a l s o help define and inter-relate the functions of group or i n t e r -
personal influence and mass communications, and thereby provide some guides
f o r separate evaluation of s o c i a l and propaganda forces.
The process was described i n NSC's Community Support Report (1968) a s
follows :
nResearch 'studies i n the agriculture community have produced findings which

can be usef'ul t o safety program planners faced with the pmblam of diffusing
new ideas and practices. Known aa innovatian diffusion the process is based
on tm generalil;ations revealed by the research. The -st is that the process
by which people accept new ideas is not a u n i t a c t but rather a series of compler
unit acts. This mental process consists of a t l e a s t fim stages. The second
generalhatdon i s that individuals can distinguish one stage from the other and
can designate points i n time when they went through each stage. The f i v e stages
are :
Awareness. A t t h i s stage the individual becomes aware of the proposed pragram.

Re knows about it but doesn't have the details concerning it. He may know
what it i s called but not how it w i l l work.
Interest. Here the individual wants more information a b u t the program. He

i r
m how what it is, how it w i l l work and nhat results are expected.
Also he may want to know how the program w i l l effect him personally .or h i s
group*
Ekaluation. A t t h i s stage the individual begins to make a manta1 trial of
the program. He applies the knowledge obtained f'rm the previous stages
and begins ta ask questions as to w hat the e f f e c t s of the program will be on
himself, his family and associates. He mighs the plus and minus factors.
Test. I f he decides the program + i l l work, has value and appears t o be the
m g t o do, he w i l l test it, maybe on a small scale a t f i r s t . He may discwe
it with colleagues o r others who have t r i e d it. He sees t h a t it has worked
elsenhere and learns t h a t the idea o r concept of the program works.
Acceptance. T h i s i s the final stage i n the mental process, the program i s
accepted and the individual i s satisfied with the program and will a c t i n
support of it*
"If the program planner knows the process he can use it to better identify nhat
stage the target person or group has reached.
"The r a t e of this process may be different f o r each target depending upon the
complexity of the program and the quality of the information obtained and
evaluated a t the various stageso For certain targets the process f o r a given
program and time may be shortened by h i s previous experience. He may a r e a *
be aware o r past the evaluation stage and need only to go thmugh the t e s t and
acceptance stages.
*lhe program planner can design the material f o r use by various targets and
community groups t o help them through the above process. Publicity f o r mass
communication can be purposely made t o start the target through this process.
The f i r s t two stages especially are adaptable t o one-way communications.
However, two-ww communication, questions and answers, i s needed i n the last
Chree stages. T h i s can be done by i n t e r p e r s o d techniquee, correspondence,
meetings, personal. contact, e tc.
.Wp to the present the average safety program plaplner has not consciously used
step bg step techniques such a s innovation diffusion i n program development and
executiono Gonerally speaking, he has made people aware of their programs and
haa created same interest, but most targets are l e f t a t this point t o go through
the *-way comamication stages on their om i n i t i a t i v e and a t t h e i r own paceow
One-way communications include posters, l e a f l e t s , written instructions,

magazines, newspapers, radio, television and meetings exclusively with speeches
o r films.
Two-way communications include committees, m e t i n g s with participation,
job analysis with participation, job training ( i f the supervisor uses two-way
discussion, a s he should), day-to-day contacts with managemen* and fellow-
workers, family l i f e (a value i n off -the- job safety a c t i v i t i e s ) , b u l l sessions
and gripe sessions.
"Innovators" (perhaps 3%
Acceptance i s defined a s a change i n behavior.
of a general population) and "Early Accepters" (perhaps 15%) can usually be
i d e n t i f i e d by name f o r personal attention.
These, and related concepts, provide the safety professional with a
sequential framework f o r building acceptance - both i n management and i n the
work force. If somewhat mechanistic and perhaps over-simplified, the procedure
more than makes up f o r i t s shortcomings by providing a unifying plan.
I f we use the 5-step yardstick of the Innovation Diffusion process, we
have a way of measuring where a person or group i s i n the process.
More important, we have a way of planning subsequent a c t i v i t i e s so t h a t
the nature of the material and the form of communication w i l l be effective i n
a t t a i n i n g the next stage toward acceptance. I n short, a planned program f o r
behavior change, without c a r e f i l planning f o r two-way communications, i s l i k e l y
to fail. A v i s u a l used i n presenting the program i s shown a s Figure H-1,
The studies have a l s o shown the need f o r expediters -
the process i s
l i k e l y t o slow o r s t a l l unless someone, usually the safety professional, finds
Figure H-1
'INNOVATION DIFFUSION'
I, AWARE
2, INTERESTED I 1 -
CAN DO
WAY
NEEDS
EXPEDITERS
2 - WAY
3, EVALUATE
4, TEST 1 NEEDED
5, ACCEPT = CHANGE I N BEHAVIOR
PERSONS HAVE INFLUENCE

PERSONS HAVE NAMES!
JDENTIFY TARGETS
USE S-CURVE TO KNOW WHERE YOU ARE!
E , ~ G I .LOOKING FOR INNOVATORS

out where the hang-up occurs and gets t h i s moving.
Additional reference material includes Juran (1964) (who has chapters on
"Breakthrough i n Attitudes" and "Resistance t o Change Cultural patterns" ) and
Currie (1968) (Thirteen Steps f o r ~nnovation) .
A report on worker acceptance of occupational safety measures reflected
f a c t o r s associated with innovation diffusion (suchman and Munoz) .
The innovation diffusion process has been shown t o follow a cumulative
S-curve , and there i s evidence t h a t the program which gets an idea t o the 15%
breakpoint, i f continued, can over time move acceptance t o 85%.
As we come closer and closer t o rull acceptance we begin t o see a logical,
proper and useful role f o r enforcement. (see Figure H-2, which presents the
cumulative S-curve a s a normal distribution. ) The c l e a r implication i s t h a t
enforcement i s a l a s t s t e p i n programming r a t h e r than an introductory or
primary step.
During the Aerojet t r i a l s , a number of program innovadonshave been intro-
duced i n a manner consistent with the above principles. These include: project
engineers' use of national information sources , the same engineers' use of
l o c a l information and change analysis, job safety analysis, a f i e l d safety
engineerst audit plan, c r i t e r i a f o r procedures review and other review boards,
and MORT analysis of accidents. I n a l l of these kinds of programs, acceptance
of a new idea (and perhaps some adjustment of the idea) preceded the issuance
of directives establishing the process. Handled i n t h i s fashion, the common
resistance t o directives and procedures can be largely overcome.
DEALING WITH DEVIANTS
CAN
ACCEPT I ACCEPT ACCEPT
I EDUCATE AND TRAIN IcOwn\oL*TR~
Appendix I..
ACCEPTANCE OF PROCEDURALIZED SYSTEMS AT AEROJET

The Problem
1. The acceptance of proceduralized systems can be seen a s a candidate f o r the
"number one present problem" of Aerojet, despite current audit records of
99.4$ compliance, a very high compliance r a t e .
"Hardware1' was, and always can be, the basic problem; but, hardware prob-
lems seem t o be generally well handled (with the exception of some human-
related o r human f a c t o r s hardware problems) .
2. Acceptance of procedures often means acceptance of change change i n a task- -
method, or the broad problem of Aerojet's change t o a proceduralized system.
There are relevant s o c i a l science findings.
3 . Acceptance involves a l l the complexities of human variables, and i s , there-
fore, a d i f f i c u l t problem.
4. Unplanned v a r i a b i l i t y , over-simplification, and spottiness, a s well a s
questionable effectiveness, characterize many programs and approaches t o
human variables.
5 . There i s no considered, e x p l i c i t and p r a c t i c a l basis f o r planning behavioral
programs -
no firm basis f o r designing a program modification-test-evalua-
tion-application cycle of behavior change.
6. I n consequence, a " s t a t e of t h e a r t " paper (modifiable always) seems t o be
a f i r s t requirement, and i s the objective of t h i s memorandum.
The Approach
This discussion t r e a t s the following aspects of acceptance:
1. Defined systems goals -
i . e . , systems t h a t work!
2 . Present Aerojet systems -
not working well enough.
-
3. Personal variables other than 4 and 5 below.
4. The "psychology and sociology of acceptance" -
participation, group
norms, and the s p i r i t of the group.
5. ~ e v i a n tpersonalities, and a possible r o l e f o r enforcement.
6. A framework based on the s o c i a l sciences i s outlined.
The consideration thus s t a t e d lead i n t o specific problems :
7. Training requirements.
8. Supervisory requirements.
9 . Monitoring requirements.
10. Participatory and other humanizing requirements.
These i n turn, suggest two requirements:
11. An experimental approach t o specific methods of gaining acceptance,
and suggestions of areas t o be explored.
12. Need f o r an i n t e r n a l group with the broadest available competence t o
maintain an advisory overview of programs t o gain acceptance.
Defined Systems Goals
The hardware should be adequate t o the t a s k before we can expect acceptance.
MORT suggests a sequence of aspects and procedures. The Hazard Analysis %ocess
should be w e l l defined and operative. A Safety Precedence Sequence which
places f i r s t emphasis on hardware and operability should be c l e a r l y stated-and
carried over i n t o practice. This SPS sequence includes human f a c t o r s engineer-
ing t o reduce error-provocative aspects of tasks.
Procedures t h a t work well can then be developed by use of adequate c r i t e r i a ,
including checks with the people who do the work, adequate Job Safety Analysis
f o r r e p e t i t i v e c r a f t assignments, corrections f o r f a u l t s revealed. by p a s t i n c i -
dent data, and provisions f o r prompt f i x e s of deficiencies i n hardware, proce-
dures or personnel.
Supervision based on the Job Safety Analysis-Job Instruction Training-Safety
Observation- sequence can then be e f f e c t i v e . Direct "Safety Observation" moni-
t o r i n g by supervisors can be augmnted by other, adequate monitoring schemes
which provide usable feedback on work well done, a s well a s f a i l u r e s .
Such a monitoring system provides indispensable bases f o r design of motiva-
t i o n a l programs l i k e l y t o be effective, including rewarding experiences f o r
work well done. The monitoring system should provide larger numbers of experi-
ences deserving reward, as contrasted with smaller numbers of experiences
meriting penalties. It seems t h a t a monitoring system producing only penalties
i s l i k e l y t o be ineffective, capricious, and variable.
Present Aeroj e t Systems.

The present Aerojet systems, while excellent by comparison with general indus-
t r i a l norms, do not f u l l y meet systems safety goals. The present ROD and NOS
e f f o r t s t o develop schematics and auditable c r i t e r i a are f i r s t steps i n improve-
ment. This, of course, must be followed by substantive corrections based on
audit findings.
Aerojet attempts t o document i n ANPP's-SP's-DOP's the systems by which the
company operates. This documentation seems well conceived, but has c e r t a i n
limitations which should be understood:
1. The l e g a l i s t i c language i s d i f f i c u l t t o understand and subject t o v a r i -
able interpretation. This suggests several s u p p l e ~ n t a r yapproaches:
a. Simple schematics and plain language flow diagrams which expose
basic systems. (plain language e d i t i n g of basic documents might
a l s o pay o f f . )
b. Appropriate interface and i n t e r n a l discussions t o develop under-
standing and implementation.
2. Complex systems always operate i n ways d i f f e r e n t from manuals, proce-
dures, e t c . This axiom has several significant implications:
a . Monitoring t o determine actuals i s needed.
b. An organizational imperative t o know t h a t the problems are not
solved by issuing d i r e c t i v e s must be a basis, conscious and expli-
c i t , f o r aggressive implementation of the substance behind the
d i r e c t i v e s . Failure t o observe t h i s imperative leads t o a t l e a s t
two problems :
(1) The f a l l a c y of believing t h a t things are changd or cured
- by issuing d i r e c t i v e s ,
(2) _ "Covering your number" t o show outward compliance with d i r e c -
t i v e s , but perhaps without substance.
c. Management and supervisors, technical personnel, and employees a r e
commonly using many sound practices (as well a s some p o t e n t i a l l y
unsound practices) not e x p l i c i t e l y covered i n manuals, e t c . Thus
t h e sound practices should be i d e n t i f i e d , and must be considered
f o r t r a n s l a t i o n i n t o directives, training, e t c . However, the ab-
sence of items i n directives, e t ~,. i s not a l l bad; it may provide
good practices and freedom f o r the humans t o use t h e i r c a p a b i l i t i e s .
It could be well argued t h a t Aerojet does not, today, have t h e basis f o r f u l l
acceptance of proceduralized systems. I n addition t o the comments above, there
seems .to be a deficiency i n the purely human and personal aspects of acceptance,
and as a corollary, perhaps some assumption that acceptance w i l l come about
because AEC (the customer) demands it. A l l of these aspects, i f present and
important, need examination, a guiding doctrine, and a program f o r progress.
Personal Variables i n Behavior.
Individual behavior w i l l be affected by psychological-sociological variables,
and f o r a few persons w i l l s t e m from deviant personalities (both discussed be-
.
low) Here we are first concerned with those system aspects of the problem
which f o s t e r or i n h i b i t safe behavior i n the individual.
The individual is a rational, goal-seeking, thinking element i n the Full system.
He i s also emotional, and h i s emotions may contribute strong motivation toward
making the system work, or may d e r a i l the system.
Perhaps the most useful place t o launch dissection of human variables i s from
a focus on safe habit formation. This gives us a t i e t o the training and
supervising functions i n the so-called t i g h t system. Safe habits i n thinking
and action are probably the keystone i n acceptable behavior. This suggests
needs for, not just step-by-step training i n actual tasks, but also training
i n haw t o analyze situations f o r r i s k , r i s k standariis, and an environment which
i s controlled (or disciplined) -
t h a t is, an environment i n which deviations
are promptly detected and corrected. Rewards and penalties w i l l reinforce o r
extinguish safe habits.
Within a general population which has safe habits, and f o r an individual within
such a population, there w i l l be variances i n behavior which are t o be expected
and therefore can be said t o be "normal." From this, e r r o r r a t e s (rather- than
perfect performance) w i l l be expected. A lowering of normal human e r r o r r a t e s
i s possible, but modifiable situational factors (error provocative aspects)
are more l i k e l y t o be productive than purely motivational factors.
Temporary emotional or physical factors can affect performance, and should,
where possible, be detected and corrected by supervisors, fellow employees,
and medical and counseling s t a f f s .
Sociology and Psychology of Acceptance.
More than a l i t t l e i s known about the sociology slad related psychology of behav-
i o r formation. %e roles of group norms and of participation i n fostering
acceptance are defined with usable, practical precision. Some protocols f o r
behavior change, such as "innovation diffusion" are relatively simple and have
been tested i n practice.
Thus, the f o m of safe procedure development (e .g., Job Safety and
.
checking with people who do the work) , and monitoring (e .g , RSO studies) have
sociologic virtues w e r and above the tangible products of such programs.
A l l programs should be examined f o r c o l l a t e r a l qualities which enhance or
inhibit safe behavior development.
There seems t o be such a thing a s "spirit" evidenced by hard work seeming easy,
d i f f i c u l t tasks well done, and potential hazards safely circumvented. S p i r i t
would seem t o have a t l e a s t the following aspects o r dimensions:
1. Performance goals - e i t h e r of the person or the organization.
If it be true that long-term s t a b i l i t y and growth i n Aerojet's role
i s contingent on i t s reputation f o r precise, error-free operation of
advanced systems, the articulation of such goals t o the work force
may be most helpful i n both of,these first two dimensions.
2. From these, benefits t o the person o r group.
3. Teamwork, and group identification.
-
4. Morale wbich may have many non-safety aspects, some of which may not
be modifiable within the safety program.
5. Leadership -
especially of management and supervision, but not exclu-
ding formal and informal leadership r o l e s among operating employees.
Deviant Personalities.
There i s limited evidence t h a t persons not well adjusted t o groups o r t o society,
a s measured by on-job r e l a t i o n s o r a biography showing evidences of c r e d i t ,
family, court and other c o n f l i c t s , o r alcoholism, have more than t h e i r share
of accidents.
However, the group i s not usually found t o have such significance t h a t i t s
complete removal would materially a l t e r o v e r a l l accident r a t e s .
However, t h e h i s t o r i c , common-law r o l e of enforcement i s directed a t a deviant
minority who do not voluntarily accept a code of conduct. This seems t o pro-
vide a basis f o r the r o l e of safety enforcement - namely penalties f o r w i l l f u l
o r repeated violations of c l e a r and workable procedures accepted by the major-
i t y . However, acceptance does not begin with enforcement penalties -
rather,
i s a terminal aspect.
This i s not t o say t h a t enforcement does not a f f e c t the general population.
It does. However, voluntary acceptance of change o r r u l e s s t i l l seems t o be
basic t o high l e v e l s of acceptance (or public support f o r enforcement).
The S-shaped innovation acceptance curve (alluded t o i n Chapter 36) a l s o c a r r i e s
the implication t h a t a f r a c t i o n of the population, perhaps one t o three percent
cannot be brought t o acceptance.
Menninger and Dunbar have written of the f r a c t i o n of accidents seemingly a t t r i -
butable t o purposive accident-producing behavior. Their findings are d i f f i c u l t
t o digest i n t o a positive preventive process. A recent review of the l i t e r a t u r e
, concluded ( ~ ~ g r e n1971)
, :
"Two p r a c t i c a l suggestions are advanced by Hirschfeld and Behan: (1) plant
medical personnel should watch f o r a sudden increase i n the number of sick
c a l l s an individual makes, and (2) l i n e supervisors should l i s t e n closely
t o t h e worker who may, i n h i s own fashion, be pleading f o r help."
A Social Science Framework f o r Acceptance
-
MORT.
I n MORT w i l l be found an analytic method r e f l e c t i n g some s o c i a l science findings
i n Motivation. Also provided i s an Appendix (taken from e a r l i e r Phase I1 work).
These should be reviewed.
The MORT T r i a l a t Aerojet has, i n some degree, endeavored t o use innovation
diffusion techniques. An i l l u s t r a t i o n may be helpful:
1. A project engineer, a f t e r hearing an explanation of the resources,
used the Nuclear Safety Information Center and received helpful infor-
mation. Two other engineers then sought information on where and how
NSIC services could be obtained.
2. This should s e t the stage f o r broader acceptance i n the project engi-
neering group f o r information search protocols t o be tested and evaluated.
3 . Based on such experience, a d i r e c t i v e w i l l l i k e l y be developed based
on t r i a l and acceptance.
Such an evolvement i s not the usual organizational approach t o d i r e c t i v e s and
procedures.
Note f u r t h e r i n t h i s case t h a t , i f a work s i t e e r r o r occurred f o r lack of
information search, the problem's causes could be seen i n successive e r r o r
layers: 1 s t layer, a work s i t e error; 2nd layer, a l e s s than i d e a l hardware
situation; 3rd layer, a project engineerfs oversight; 4th layer, deficiency
i n information search requirements; and 5th layer, a deficiency i n promoting
(or requiring) use of NSIC. Acceptance of procedures a t any l e v e l may, there-
fore, be contingent on a highel! order of-procedure acceptance and use.
Thus t h e proced&ralization and improvement of "upstream processes" the -
engineering and s c i e n t i f i c development of elements of a work s i t u a t i o n w i l l -
l i k e l y have e f f e c t s on operator acceptance of procedures. If e r r o r s i n hard-
ware o r procedures are seen by operators a s proceeding from vague, unproce-
duralized requiremnts i n t h e development process, operators w i l l probably be
l e s s l i k e l y t o accept t h e i r obligations.
The a l a c r i t y with which technical and professional personnel have accepted
improved hazard analysis procedures has been encouraging. When a review board
described c r i t e r i a f o r an information search and the presentation thereof a s
p a r t of supporting analytics, an engineer was able t o produce an excellent
exhibit t o support a modification within 24 hours -
a short ti= f o r t u r n
around from work open t o c r i t i c i s m t o work deserving praise.
The above two cases suggest t h a t engineering personnel may be eager t o accept
proceduralization of t h e i r work i f values are c l e a r .
"Human Behavior - An Inventory of S c i e n t i f i c Findings"
This i s the t i t l e of a t e x t ( ~ e r e l s o nand Steiner, 1964) believed t o be u s e f u l
i n constructing a cogent and coherent basis f o r programs intended t o develop
acceptance. Topics covered include :
1. Habit formation ( r o l e s of rewards and punishments, v a r i e t i e s of rewards,
and instrumental conditioning by a c t s a s simple a s a nod, a smile o r
expressed agreement, o r programmed learning, reinforcement schedules,
learning r a t e s , t r a n s f e r of training).
2. Thinking (concept formation, problem solving and creative thinking,
individual differences) .
3. Motivation (goal formation, s t r i v i n g f o r stimulation o r knowledge, a t -
tention g e t t i n g stimuli, s t r i v i n g f o r v a r i a b i l i t y , i n t e r e s t i n problems,
- a f f i l i a t i o n needs, s o c i a l hierarchies.
4. Face-to-Face Relations, i n Small Groups. These were believed t o be so
important t o safe or unsafe behavior t h a t examples of findings were
c i t e d i n the memo.
5 . Organizations (again specific examples of findings were c i t e d ) .
The Human Behavior Inventory, a s well as Altman (1970)~present observations
on transfer of training, for example:
" I f the new s k i l l presents stimuli t h a t are similar o r i d e n t i c a l t o those
i n a previous learning s i t u a t i o n , and the stimuli demand similar o r iden-
t i c a l responses, high positive t r a n s f e r usually r e s u l t s : i . e . , learning
of the new s k i l l progresses more rapidly than it would i f the s i t u a t i o n
were t o t a l l y new (e .g., learning motorcycling a f t e r bicycling)
if the new stimuli are i d e n t i c a l with the old but require similar but not
.
However,
i d e n t i c a l responses, then there i s only s l i g h t positive transfer: the

learning s i t u a t i o n i s so close t o the old one t h a t the previous response
tends t o persist."
" I f the new s i t u a t i o n presents stimuli t h a t are similar o r i d e n t i c a l t o
those i n a previous learning s i t u a t i o n but demands dissimilar o r opposite
responses, negative t r a n s f e r r e s u l t s : the previous response p e r s i s t s
and r e t a r d s acquisition of. the new one."
A s Aerojet procedures r e f l e c t successive changes i n a t a s k o r succession of
tasks, these principles have obvious relevance t o acceptance o r e r r o r .
Local Data.
D r . R. J. Nertney of Aerojet analyzed problems inherent i n developing accep-
tance of a formal, r i g i d management system on a population which has essen-
t i a l l y r u r a l and small town background. Many excellent suggestions f o r
improving communications were developed. What i s here proposed i s t h a t the
recommendations be reexamined i n the context of t h i s paper, and t h a t atten-
t i o n be given t o improved communications a s they w i l l p a r t i c u l a r l y r e l a t e t o
acceptance of t h e formal system.
Further, Nertney a l s o used l o c a l data t o i l l u s t r a t e the a p p l i c a b i l i t y of
generals For example : Human Factors Note #8,-November 18, 1966,
d e a l t with non-acce s s i b i l i t y of supervisors ; Note #g , November 22, 1966, d e a l t
with changing behavior; and Note #13, January 17, 1967, d e a l t with t a i l o r i n g
instructions t o the receiverst c h a r a c t e r i s t i c s .
A l l of t h i s type of material should be incorporated i n a general guideline
o r s e r i e s of references. The amount of time necessary t o assemble and apply
such guidelines i s l i k e l y t o be l e s s than t h e time spent straightening out
problems r e s u l t i n g from unguided o r unstructured acceptance e f f o r t s .
Suggested Aerojet Approaches.
The f i n d i n g s ' c i t e d above suggest t h a t maximum acceptance of a proceduralized
system i s more l i k e l y t o be attained i f programs and day-to-day r e l a t i o n s are
based on a well-considered, cogent and coherent statement of organizational
b e l i e f s and principles. Without such a statement o r guideline, management
actions a t various l e v e l s are more l i k e l y t o be variable, ineffective, or even
counter-productive. For example, the r o l e of penalties m a y be capricious,
emotionally biased, and even unfair. O r the recognition of rewards, i n t r a -
group r e l a t i o n s , p a r t i c i p a t i o n and discussion may be inadequate.
Aerojet should consider the formation of a qualified i n t e r n a l task force t o
develop an appropriate guideline.
Relation t o Aero-iet Proenrams.
Monitoring. Several new monitoring programs have been i n s t a l l e d . If these a r e
seen as "too much" surveillance, the programs could even be counter-productive.
To what extent can the monitoring programs be c a s t a s "a good thing because
they help t e l l us how we a r e doing?"
Adequate monitoring i s a f a c t o r i n h a b i t formation. Are good reports typi-
c a l l y followed by commendation o r favorable recognition t o reinforce safe
habits. Also, the monitoring system i t s e l f , by reinforcement of observing
tasks, becomes s e l f -reinf orcing .
Monitoring reports which provide rapid, usef'ul feedback (e.g., Shewhart Con-
t r o l Charts f o r supervisors) enable a l l normal sdministrative techniques t o
be used, and these can be based on sound concepts, f o r example, a s t o the
r o l e of informal groups i n building acceptance.
Monitoring schemes thus f a r i n s t a l l e d tend t o emphasize participation o r
discussion. Such f a c t o r s should f o s t e r acceptance.
,rocedure Development.
Improved c r i t e r i a , including a requirement f o r review w i t h those who w i l l do
-
the work should help build acceptance. ( ~ o t e Aeroj e t has done a superlative
job i n t h i s area.)
Job Safety Analysis., now being t r i e d experimentally, should be especially
h e l p f u l since discussion, involvement of leaders, and use of past experience
.
w i l l f o s t e r acceptance
Safety meeting plans should be revised. The MORT t e x t c i t e s clues a s t o
questionable effectiveness of meetings o f t h e usual type. Perhaps the group
which d r a f t s the guidelines could recommend b e t t e r use of meetings t o work
on p r i o r i t y problems u t i l i z i n g group participatory methods.
Neither a MORT format f o r the hazard analysis process, nor a DOP f o r work
performance need be seen a s i n f l e x i b l e o r immutable. If both are presented
a s bases f o r development and improvement by t h e personnel involved and r e a l
opportunities f o r participation i n improvement are provided, the procedural
programs themselves can help f u l f i l l the psychological needs f o r growth.
Appendix J
Modified A i r Force Accident Investigation Checklist
it contains elements of both ...

'Accident investigation is spoken of as both a science and an art. Certainly,
a controlled method/system is e s s e n t i a l , and
a cleas understanding of t h e techniques t o be used allows investigators t o
...
develop a 'feel' f o r what needs t o be done and how far t o pursue each course
of action.
Be knowledgeable a b u t board conduc* p r i o r t o pexforming board duties.
Decide what organization and procedures t o be used a& follow plan unless
you see a d e f i n i t e need f o r rearrasgement. Have s p e c i f i c tasks assigned
t o individuals ard insure t h a t each i s accomplished.
Explore every possible cause of t h e accident u n t i l i t is proved t o be an
a c t u a l cause or ruled out.
Recognize both the extent and l i n i t a t i o n s on your own knowledge about
technical subjects and c a l l on s p e c i a l i s t s i f necessary. ,
Not be discouraged if t h e cause is not immediately apparent and avoid

jumping t o what appears to be an obvious conclusion.
Record a l l evidence accurately; corroborate when possible @ evaluate
a l l statements and testimony.
Base your conclusions only on f a c t u a l evidence, Be familiar with reportzng
requirements t o e f f e c t i v e l y communicate f a c t s , findings and recommendations
t o people who must tkke corrective action."
A section on functional r e s p o n s i b i l i t i e s follows. The essence i s t h a t each
member of the team works, a d d i l i g e n t l y , (a) as a s p e c i a l t y o r d i s c i p l i n e , and
(b) a s a group member. Also included are r e s p o n s i b i l i t i e s f o r Board Chairman,
Recorder, Technical Advisor, Bead Member, e t c .
"How is an Accident Investigation Conducted" is described as follows ( s l i g h t l y
modified ) :
I n i t i a l Actions--getting s t a r t e d properly, Evidence can be l o s t while the
board is t r y i n g t o organize i t s e l f . Assemble and assign s p e c i f i c i n i t i a l
tasks to board members while enroute t o the scene. (1f board members t r a v e l
by d i f f e r e n t means, do t h i s as soon as possible).
Get a sbrt briefing from the man who controlled the scene.
Assign additional t a s k s or r e v i s e i n s t r u c t i o n s based on the briefing.
Go t o the accident scene.
Perform a general survey of the scene t o get a "feel" f o r the accident.
Bevent unnecessaxy handling o r moving of wreckage.
L i s t witnesses f o r questioning. Conduct a brief interview t o f i n d out
what each witness might contribute. Alert him t o a follow-up v i s i t .
Photograph wreckage and t h e wreckage area.
Then follows a description o f d u t i e s of various Board personnel i n language
appropriate t o the A i r Force. Pertinent excerpts seem t o be:
1. Release of information: "Reports...are used only within the organiza-
t i o n f o r the sole purpose of accident prevention. Reports axe considered
rivileffed documents and d i s t r i b u t i o n is limited. News releases should
f
Pe made only by t h e l o c a l ) infomation officer. "
2. Daily Meetingsr "Should hold meetings of the entire investigating
board at the close of every working day. These meetings should include
individual board members a d specialized group leader reports, instruc-
tions f o r the following day, administrative announcements, decisions
about requirement s f o r additional personnel/equipment. "
3. Board Proceedingst "Before questioning a witness, the b o d must
advise him of t h e parpose of t h e investigation and t h a t the evidence
may not be used i n disciplinasy actions, establishing pecuniary
l i a b i l i t y or l i n e of duty status, etc.
asked. ..
It is important that the Chairman exercise control over the questions
Collect a list of questions t o be asked each witness i n
advance so that needless repetition and non-pertinent questions can be
avoided. Once pre-axranged questions a r e answered, the board can follow
up with additional questions raised a s a r e s u l t of t h e testimony, but
caution must be exercised t o prevent wandering." (The NTSB has a pre-
hearing conference t o a r r q e orderly, relevant, non-duplicative t e s t i -
mony. Nothing i n t h i s pocedure should i n h i b i t a witness, but it could! )
%ye witness testimony should be corroborated. . Try t o find witnesses
that were located at different points so that observations can be
verified o r eliminated as inaccurate.
Be cautious about accepting nonexpert witness statements a t face
value. For example, most people w i l l describe an i n f l i g h t s t r u c t u r a l
f a i l u r e when p a r t s f a l l off the a i r c r a f t as an 'explosion.'
Witnesses should not be interrupted while e v i n g evidence except t o
prevent discussion of irrelevant topics."
Specific Checklists.
What follows is the "General Check L i s t f o r Investigations" (AF-MAC, 1966)
heavily edited t o delete air-related items, k r t retaining general headings of
a checklist whi& another type of a c t i v i t y sh& develops
1. a. Was there an alarm system?

b. Did it function?
c. Is it adequate?
d. Pre-accident planning functional i n use?
2. Guards posted, cognizant of t h e i r duties?
3. a. Rescue and f i r e procedures functional f o r t h i s
specific accident?
b. Haeards and dangers of cargo (or other factors)
e s t a b l i shed?
4; Medical a i d and evacuations rendered promptly and
efficiently?
5. A l l personnel concerned fully aware of responsi-
b i l i t i e s a d joint purpose?
6. Official photographer arrived promptly and began
- photographic responsibilities without delay?
7. a. Newsmen handled e f f i c i e n t l y , courteously?
b. Premature news releases avoided?
OW SCENE I DETAIIJZD SPECIFICSI
8. a. Witnesses p r e s e n t on the scene? 30. Instruments I a. Photographed?
b. A l l questioned f u l l y (names, addresses) ? b. Sketched?
c. Check made f o r missing witnesses? c. Readings recorded and compared?
9. Master sketch begun?
10. Search crew r e q u i r e d ?
,
.
d. Analysis given, if s i g n i f i c a n t ?
e Damage described?
f . Other?
11. Special a s s i s t a n c e obviously necessary? 31. Operator: a. Photographed?
12. Any. obvious s i g n s of s t r u c t u r a l f a i l u r e ? b. Condition described?
c. Safety device use noted?
13. Diagnostic d i s t a n c e s (between obstacles, pieces, d. Condition of items i n noted?
e t c . ) measured and recorded? e. Causes of i n j u r i e s described?
14. Occupants i d e n t i f i e d , evacuated promptly, posses- f . Special equipment noted?
s i o n s preserved? I
g. Operational records, etc., checked?
h. Condition of f l o o r , w a l l s , c e i l i n g , f i r e e x i t s ,
15. Claims o f f i c e r n o t i f i e d of e x t e r n a l damage? e t c . , checked?
16, R e s p o n s i b i l i t i e s defined i n i n t e r o r g a n i z a t i o n i. Lighting equipnent checked?
involvements? j. Other?
17. C i v i l a u t h o r i t i e s n o t i f i e d ? 32. Operator c o n t r o l s and s e t t i n g : 4
INITIAL SPECIFICS: a. Control p o s i t i o n s noted, r e l a t e d , e t c ? I
W
b. Radio s e t t i n g s , conditions, use, e t c . ?
18. A l l p a r t s , pieces, , equipment accounted f o r ? c. Automatic c o n t r o l s used?
d. P o s i t i o n of c o n t r o l s noted?
19. Any obvious o d d i t i e s o r anomalies? e. Other?
20. Means of energy t r a n s f e r determined i n meticulous 33. S t r u c t u r a l f a i l u r e :
t r a c e of evidence as t o path, speed o r f o r c e , e t c ? a. Determined operational (not impact ) ?
21. Secordary impacts, i f any, determined i n r e l a t i o n b e Causes of s t r u c t u r a l f a i l u r e ?
t o force? Effects? c. Impact f a i l u r e s excessive i n terms of occupant
safety?
22. Distance of t r a v e l (of energy involved) and s t r u c -
t u r a l displacement from i n i t i a l impact measured? 34. Other s a f e t y f e a t u r e s and equipment:
a. S t r u c t u r e s allowed reasonable s a f e t y f o r person-
23. Gouge marks measured (length, width, depth, shape, n e l without excessive breakage? With reasonable
e t c . ) and. d i s t a n c e between marks? absorption of impact f o r c e s ?
24. Manner of t r a v e l a f t e r impact taken i n t o considera- b. Redesign of f e a t u r e o r equipment f o r s a f e t y
t i o n and v e r i f i e d ? considered e s s e n t i a l ?
.i.
c. Operator v i s i o n clearance adequate?
25. Any o b j e c t s h i t d u r i n g post-impact t r a v e l ? ..- d. Respiratory equipment s a t i s f a c t o r y ?
26. Added a l l necessary d a t a t o master sketch? <, e. Safety design of s e a t s , h e i g h t , cushions,
i n jury p o t e n t i a l s thereon, e t c . ?
27. Checked c o n t r o l p o s i t i o n a s necessary? f . Safety design of instrument c o n t r o l s f o r ease of
28. Recorded dl p e r t i n e n t environmental conditions? use and d e l e t h a l i z a t i o n : appropriateness of
l o c a t i o n s , m a t e r i a l s used, s t r e n g t h , e l a s t i c i t y ,
29. Photo coverage checked with photographer? and absorption q u a l i t i e s , e t c . ?
35. Malfunctioning o r f a i l u r e of equipment:
a. Determined a s preimpact? 44.. Witness information r
b, Cause discovered? a, Complete?
c.
d
e.
. Maintenance record and h i s t o r y checked?
Maintenance personnel questioned?
System f a i l u r e checked throughout? Relation t o
b. Testimony r e l a t e d t o e v e n t s and evidence?
c. Useless testimony omitted?
d. Other?
f a i l u r e i n o t h e r systems?
f. Help of s p e c i a l i s t ( s ) needed? Obtained? 45, Operations :
g. Tech r e p s c a l l e d on (chemist, m e t a l l u r ~ i s t , e t c ) ? a, Personnel questioned, if appropriate?
h. Cause f a c t o r s of malfunctioning and/or f a i l u r e of be Planning checked?
equipment a s c e r t a i n e d ? c. Operator a t t i t u d e , conduct, e t c . ?
i, Other? d. Messages s e n t , received, attempted?
36, S t r u c t u r a l damage :
a. Preimpact and impact d i s t i n c t i o n s ?
.
e. Communications i n d i c a t i o n s , technique?
f Other?
be Any p a x t s o r p i e c e s missing? 46. Other supervision :

c. Extraneous a r t i c l e s involved? a. Medical supervision adequate?
d. Examined metal, wood, j o i n t s , e t c , ? be Management supervision adequate ?
\
e m Other? c. Other?
37. Energy Source : 47. Photography :
a. Damage checked, s t r u c t u r a l and operational? , ,
a. Wholly adequate clearr orderly, captioned?
b. F a u l t s checked, s t r u c t u r a l and o p e r a t i o n a l ? be Emphasis techniques used as e s s e n t i a l t o c l a r i t y ?
c. Evidence i n r e l a t i o n t o statements considered? c. Other?
d. Linkage, connections, breakage, e t c . ? ?
48. Samples : k
e. Energy t r a n s f e r mechanisms described?
f. Other? a. Suspense-date time, person o r agency handling?
b, S a q l e r e p o r t s included?
38, Communication system checked? c. Other?
39. Lighting system(s) involvement? 49. Charts and sketches:
40. Sequence of accident events: a. Adequate?
a. Determined? b. Appropriate ? ( ~ e s media t choice )
b e Exhibited (photography, sketch, e t c . ) ? c. Master sketch d e t a i l s completed?
c , Proved? d m Nonstadrd f a c i l i t i e s , i l l u s i o n producing condi-
t i o n s defined?
41. Damage ( r e p a i r o r replacement c o s t ) noted? e. Other?
42. Injury: 50. Wreckage released t o salvage crew?
a. Medical r e p o r t s completed ?
b. Causes of each i n j u r y determined? .
51 Finalized r e p o r t :
a. Well organized?
c. Autopsy r e p o r t f o r deceased?
b. Excess wordage, statements, photographs d e l e t e d ?
d. Preaccident human f a c t o r s checked?
e , Other? c. Supplementary d e t a i l s f i l e d ?
Minutes. )
orexample, Board
43. Operators, Supervisors, and a l l o t h e r personnel : d. Report complete, o r explanation and data addi-
a, Experience record? This type of operation? t i o n a l d a t a w i l l be submitted?
Last month? Last 24. hours? Etc.? ' e. Medical r e p o r t s , every person i n j u r e d ? ~ u t o p s ~
b e Mission c a p a b i l i t y analyzed?
c. Training h i s t o r y checked?
d. Mentd a p t i t u d e , a t t i t u d e , emotional tone, and
.
f o r deceased?
f A l l required s i g n a t u r e s ?
g. Other?
o t h e r human f a c t o r s checked? (personal, family)
e. Other?
The AF-MAC (1966) document a l s o contains appendices on processin tapes,
,
responsible person, d r a f t , apgroved reproduced),
t
recommending reading assignmsats, and a report s t a t u s schematic item,
I n response t o requests, the following qtartions were prepared as a possibki

improvement i n routine reportst
Sup~lementalQuestions f o r Accident Investiaations
1, Does a written procedure or job safety analysis exist f o r t h i s job?
Is it complete and correct?
2, Did the injured (and others i n the work crew) have job instntction
training f o r t h i s job?
3 was there a p-
job briefing?
4, What were the changes i n the material, equipment, job procedure o r people?
5 , When did tb changes (above) occur?

6, When did the supervisor last see the employee doing t h e task correctly?
7. When did the supervisor last see the employee before the accident?
Any special contact o r observation a t that t h e ?
8. Where was the supervisor at the time of t h e accident?
9, If there was unsafe equipment involved, when was it last inspected?
. . What was its condition then?
10. When was the next inspection scheduled?
11, What countermeasures should be introduced i n t o t h e system t o counter the
undesired change that occurred?
Supewieor Accident Report
Occupation -
Deeeription of Accident
( T binformation b for uw in pmvmtirrg M a r accidanb. h w e r questiom specifically, aa indicated by example.)
% How Wu Enrplgee InjudO (w:

Tb. JlCpd hbir m p a d 1.11 OE hir toea)
-- --- --
..-
Tok- to Prevent Similar Injurid

6. What Stap WCVB ( h d d : b e t e d men to sniot a& other in liftin8 b~,
locldr)
h ~ s 13
? 1.4- .REP.3hI76601 Stock NO.129.21
- 5-8 -
For Offies Urn Only
- - J-9
ACCIDENT REPORT
W3(Rw.Gll.M) MnndlrUSA.
I I I
8. Don i n i y was n& 9. M e of occidmt 19-2a lo. Time of -.dm1 11. Poaition Nth d Nme of d d W ZaJ1
Monh Dor yw - IUu 2 4 h o . r d ~ d l
13. L.nolh of m i c a in pori 14. k o g I h d 0 ~ 1 ~ 4 ~

iniY
ACCIDENT DESCRIPTION (20-221

20. Whor k b rsthe ~ n #
doing? J. S. A. No. a6-W
21. What bmk lob step wor b. doing) 1. S. A. Step No. 40-41
22. Whd bappmdt Dacrik in ordr (1) I)u mods aroa phpiwl p m i M (2) br b. wor doing the iob (3) rhghoppenad Hol cowed the md (4' the type a d agent of co(on.
G i n odditionol focn if mu-. (For example1 TL. *i& wan rcodlii I?'
rk way up a 12' ladder, ;prHiawd m the Imp rug mhd og0i.r) o v w k d pipe. He had Us left
aaroudthe-pipefarwppa(. h r u d o s k d g a h a r u h * h r ) ~ L o d ) o b a g m I ) u f r o u r d r l i m . A.b.didmI)uL.drpiro(.dorI)u*rHcolpip.CM(~Ym10tdl
todnfbarb.br. ~ L . l o d d r x o l l o ( H d m . n o r w m i l W d u a * . h b . b r , d l L o u g L a M p r r o p n . r c . hdamhquy.lrfnabqwadbubcwwd~*rUI.
tnuiwJ
14. C h d r h items [halo*) Ihot h yaw a p h k w.nmpanibIefaruhewmdcr*orno( d c n a d d k h 10~the d d n * . k~than om l k l may opply. Wfim in Inbmatbn
whm m c e s q . Omit lt No. 23 d m n d .CCh. 8842.80.14 11-84
wvna, oa omEn pERXmsl
~~idnot~maefhazard 08 0 Was WAOtiaml 14 [ZI Was n0, main0 pwran~lprohclh rquipmnt
~~idnorknowrofrwa~ 09 0 Was f a f i g 4 IS O l k undrlying caaa ,-,--,-,,--,.----- --------
03 nod la iewl lob &ill 10 0 W ~ ill
I d tin.
O4 to gain or ro*. tinn
~ried 11 Had tamp. i n l q handicap ...........................................................
0s E
l1,'~ a dto ovoid effort 12 Had perm. physical handicap
O6 Tried to -d diifarf 13 nod paar virion, h w i i ...........................................................
07 Fdkd to pwplan lob 16 Unabk to fom opWa, d udulying caaa
-
Man Cause Code: . .
01 "Operating o r using without authority.

02 F a i l u r e t o secure against unexpected movement.
03 Operating or working at unsafe speed
08 Failure t o warn o r signal a s required
05 Removing o r making sqfety devices inoperative
06 Using unsafe t o o l s and e q u i p e n t
07 Using s a f e t o o l s and e q u i p e n t unsafely
08 Assuming an unsafe position o r unsafe posture
09 Repairing, servicing o r r i d i n g hazardous equipment
1 0 Enga&.ng i n horseplay, d i s t r a c t i n g , teasing, etc.
11F a i l u r e t o wear prescribed personal protective equipment
12 Wearing unsafe personal a t t i r e
1 3 Use o f hands and f e e t instead of t o o l s
14 Deviation from recommended job procedure of J. S. A.
15 Failure t o keep out af danger zones
16 Manually l i f t i n g or handling materials improperly
17 Creating dangerous combinations of objects o r materials"
Environmental Cause Code:
Olt'Lack of s q e t y devices; inadequate safety devices

02 Lack of warning system; inadequate warning system
03 Flammability o r e x p l o s i b i l i t y
04 Susceptibility t o unexpected movement
05 Poor housekeeping
06 Protruding objects
7 Congestion and i n s q f f i c i e n t clearance
0
'
08 Hazardous atmospheric conditions
09 Poor arrangement, placement o r storage
1 0 Defect of t o o l s , equipment, e t c
3.l Inadequate illumination; excessive noise
12 Hazardous personal clothing
14 Lack of proper t o o l s and equipment f o r job
1 5 Weather conditions
16 Animals, i n s e c t s and poisonous p l a n t s
17 Heat o r cold exposurett
It w i l l be noted t h a t there are many items i n t h e Bethlehem codes which
can be keyed t o systems analysis. For example:
Deviation from recammended job procedure of JSA

Worn out through normal use
Abuse o r misuse by u s e r ( s )
Required inspection not c a r r i e d out
No inspection heretofore required
Unsafe basic design
Unsafe construct ion
Job Safety Analysis ordered
Revision qf SSA ordered
Written pre-job plan required
F're-job s a f e t y i n s t r u c t i o n required
Substitute t o o l , equipment, material required
Appendix K
National Safety Council Symposim on Measurement of I n d u s t r i a l Safety Performance

Excerpts from Rewrt of Group I11 September 17. 1970-
I n order t o design e f f e c t i v e measurement programs it i s necessary t h a t :
F i r s t , Goals must be c l e a r l y defined, including c o n f l i c t i n g o r p o t e n t i a l l y

c o n f l i c t i n g goals of the system o r organization. We need t h e s e statements
i n order t o judge trade-offs.
Second, t h e information required f o r a decision must be known, o r a t l e a s t

defined. It i s a t l e a s t helpful, and perhaps necessary, t o know what
information decision-slakers a r e l i k e l y t o use when decisions a r e made.
Measures of effectiveness should not be separated from program. We probably

cannot e f f e c t i v e l y measure program independent of program design. That is, t h e
s p e c i f i c f e a t u r e s of what it i s we a r e trying t o measure must be defined with
precision, o r t h e measures will be lacking i n relevant precision.
This implies, o r even Prges, t h a t measures o f effectiveness be b u i l t i n t o pro-

grams, ao t h a t d a t a relevant t o assessing effectiveness a r e collected before,
during and a f t e r t h e program.
We a l s o s a i d t h a t , when we c o l l e c t data, we should c o l l e c t d a t a t o improve

proRram -- t h a t is, i f measurement becomes controversial, it i s a t l e a s t a s
l i k e l y t h a t program i s suspect a s t h a t measurement techniques a r e suspect.
We found, o r thought we found, t h a t t h e s a f e t y professionals as a group are

apparently not aware o f , o r not s u f f i c i e n t l y aware t o explore, t h e measurement
technologies which e r e emerging and seeming t o be useful i n other, not dissim-
ilar f i e l d s--
f o r exemple , r e l i a b i l i t y , medic ine, o r aerospace accidents.
W e f e l t t h a t , f o r t h e purposes of these few days, measures had several objec-

t i v e s , such as:
1. Comparisons
a. Cross-context
departmenta.
-- i .e., compare industries, companies, p l a n t s o r
b, Trend
2. Diagnosis (what is happening and what should we do?)
3. Effectiveness o f program (Did what we did work? )
4. Parenthetically, a f u r t h e r purpose, t h a t is, t o describe t h e mwnitude

of a problem, national, s t a t e , o r l o c a l , i s important but --
d e f i n i t i o n e , r a t h e r than uniform, universally used standards w i l l suf-
f i c e f o r t h i s , and gross measures a r e probably adequate.
Current Measures.
For current measures i n widespread, general use -- t h i s is, t h e frequency and

s e v e r i t y rates defined i n ANSI 2.16.1 (and two s p e c i a l kinds of frequency r a t e s
a l s o t h e r e i n dq ined) we said:
1. The ANSI stsndard r e f l e c t s many assumptions which a r e (a) s t a t e d and

open t o serioue questions, and ( b ) unstated (and so f a r a s t h e t e x t o f
t h e standard reveals, unexamined ) but probably important.
2. These assumptions qualify and l i m i t the usefulness of the ANSI standard.
3. I f t h e assumptions a r e imperfectly understood, o r imperfect, t h e useful-

ness of t h e standard r a t e s w i l l be proportionally imperfect .
4. The s t a t e d assumptions, f o r example, man-hours a s t h e denominator of
t h e r a t i o , can be analyzed: Is a man-hour an adequate d e f i n i t i o n o f
an "error opportunity" f o r t h e puspose of comparing two situations?
Probably not.
5. The unstated assumptions r e f l e c t e d i n the standard would have t o be,

f i r s t , i d e n t i f i e d , before they can be analyzed, and before the analysis
could be examined. A standard which i s s i l e n t on i t s major trade-off
assumptions i s not l i k e l y t o be a good measurement t o o l .
6. The r a t e s based on expmded d e f i n i t i o n s of "serious" o r "disabling"

i n j u r i e s a r e e s s e n t i a l l y minor improvements on a measure t h a t is only
useful f o r gross comparisons.
7 . When discussion turned t o t h e current considerations of a measure

based on two v i s i t s t o a doctor (and which "double doctor v i s i t s "
would not have t o be counted) we can only report t h a t t h e s c i e n t i s t s
were unimpressed and even amused. This should not be construed a s
meaning t h a t t h e "double-doctor" r a t e i s worse than the ANSI standard
r a t e s -- they were r e f l e c t i n g t h e inadequacy of both measurement concepts.
8. Rates or r a t i o s a r e j u s t t h a t -- they have numerators and denominators.

Much time and thought has been given t o discussion of t h e numerator i n
ANSI and other rates. "EqubJ. time" should be given t o consideration
o f t h e denominator. The hman f a c t o r s people t o l d us they saw t h e i r
f i r s t t a s k i n useful r a t e construction a s a c a r e f u l i d e n t i f i c a t i o n of
"error opportunities. " Without such caxeful consideration, r a t e s may
have limited usefUness and may be misleading.
9. Safety performance should be reported both with and without a weighting

f o r hazardousness i n t h e denominator. The value of such weighting
could then be ascertained.
10. The widely used r a t e s a r e useful f o r only gross ( t h a t is, "routgh" o r

" f i r s t t r y " ) comparisons. They probably cannot be "tinkered" i n t o
substantially greater usefulness.
Cross-Context Com~arisons.
We s t r o w l y challenged t h e v a l i d i t y o f oresent r a t e s f o r cross-context compari-

-
sons -- t h a t i s comparisons of companies o r other organizations, comparisons
of plants within organizations, departments within establishments, o r indeed
functions within groups.
Having said, i n using r a t e s , give equal a t t e n t i o n t o t h e numerator and denomi-

nator, we then said, give equel a t t e n t i o n t o context before interpreting,
ascribing meaning, t o such r a t e s .
When we t o l d t h e s c i e n t i s t s t h a t present widely used r a t e s resulted i n a plant

with a r a t e of 2.43 being designated a s " f i r s t " o r % e t t e r Wthan a plant with
a r a t e of 2.58, we can again only report that they were amused.
Having said, "Give equal thought to numerator and denominator," they said,
"Give equal thought t o context. " The usefulness of measures f o r comparisons
w i l l depend on t h e adequacy of d e f i n i t i o n s and d a t a on events, on exposure,
and on canparability of context: low comparability of context, l i t t l e use-
fblness; no knowledge of comparability, l i t t l e meaning t o comparisons.
Present r a t e s *areuseful f o r only gross comparisons.
Trend.
When r a t e s ere used t o measure trend i n a u n i t , we do not completely escape
t h e need t o consider context we simply, and perhaps q u i t e usefully, l i m i t
I
context t o changes i n t h a t u n i t , which a r e e a s i e r t o judge o r measure.
S t a t i s t i c a l S i ~ n iicance.
f
A major question was raised: "Are any s t a t i s t i c a l t e s t s of significance o m -

monly applied i n t h e reportiqg and i n t e r p r e t a t i o n of present measures of
performance?" Unfortunately t h e answer had t o be, "Largely, no. " (such t e s t s
a r e a routine p a r t of t h e NSC and some other award plans, but not t h e usual
contests o r ratings. )
Thus r a t e s as presently uaed often c a s t improper doubt on a performance, o r

p r a i s e a performance which was o f dubious significance. Does it make sense t o
continuously provide management with t a b l e s of r a t e s whose significance i s
unessessed and dubious?
When t h e r e a r e stochastic o r random v a r i a t i o n s i n t h e time, place o r circum-

stances of accidents, t h i s type of v a r i a t i o n does not mean accidents a r e not
-
caused. It means, i n a s i t u a t i o n where multiple causal f a c t o r s a r e present,
random variations w i l l p l w a p a r t i n determining t h e timing of i n t e r a c t i o n of
t h e underlying variables.
A "rash" of accidents may be e s s e n t i a l l y a random interaction of underlying

f a c t o r s , o r it may have a special, new factor. Which i s it?
We were asked whether t h e r e had been many special studies of inter-accident

i n t e r v a l s and had t o answer t h e r e had seemingly been extremely few.
Diagnosis.
There are technologies of measurement f o r d i w n o s i s which a r e emerging and
safety .
being found useful i n comparable f i e l d s . They should be t r i e d i n occupational
Exa;lapkhs were :
Human Factors Engineering*

R e l i a b i l i t y Engineering -
f o r example, t h e methods of t h e Fault Tree,
perhaps simplified, can be applied t o analysis of p o t e n t i a l s o r t o
accidents.
Medical Science -- f o r example, a matrix of conditional probabilities.
(We were asked whether such matrices had been used experimentally i n
occupational safety and had t o say we thought not.)
It w a s emphasized t h a t sound diagnostic measurement requires, not only data on

t h e accident cases, but a l s o d a t a on t h e non-accident cases ( t h e population a t
r i s k and t h e control groups).
Effectiveness of program. The techniques f o r measures of program effectiveness

a l s o c o n s t i t u t e an emerging, nascent technology.
* A ~emOrWdm"Description of Human Factors Reports by Sandia ~ a b o r a t o r i e s "

was Sulmritted by our member, Alan Ewain.
We s a w a few examples of such techniques being experimentally applied i n other
f i e l d s . It was urged t h a t i n i t i a l t r i a l s of advanced techniques f o r occupational
s a f e t y be made by those who know t h e techniaues.
The requirements f o r application of modern measurement techmxlogy were s a i d t o

be two -- trials and education. T r i a l s require ( 1 ) guts, and ( 2 ) willingness
t o pay t h e r t l a t i v e l y high cost of innovation,
If trials a r e successful, education is required f o r dissemination of t h e tech-

nology. It i s not reasonable t o expect to be able t o "read a n i a r t i c l e w on
advanced technology and then apply it.
Measures Plural. A v a r i e t y of measures will be useful t o decision-rmakera i n
knowing t h e dimensions of accident propensity, predicting t h e future, and
lowering r i s k .
Useful measures a r e numerous, changing and dynamic, and should be self-renewing,
t h a t is, they should c o l l e c t the d a t a t o improve t h e measures themselves.
Most of t h e measures need not be uniform nationally. A s with medical data,
many of t h e variables are local. Therefore c o l l e c t l o c a l d a t a on l o c a l (i.e.
plant, department o r Amction) problems -- they a r e l i k e l y t o be more r e l i a b l e ,
more variables w i l l be known.
Our challenge i s not t o develop o r reform some simple, nationally applicable

measurement, with simple numerical indices. It i s r a t h e r t o develop promising
measurements which can be used i n specific s i t u a t i o n s and f o r relevant time
periods f o r purposes of accident study and reduction.
Measures should include records on (1) accident experience, (2) e r r o r s which

indicate unsafe behavior conditions, and ( 3 ) changes which could be prediative
of unsafe behavior o r conditions.
Performance measures should enable judgment of (1) t h e individual operator o r

user, ( 2 ) t h e manager o r maintainer of t h e accident context, and ( 3 ) t h e
conceiver and designer of the accident context; and should go t o behavior, t o
t h e t o o l , vehicle o r machine, and t o t h e system which controls t h e interactions.
We should measure and compare specific, a l t e r n a t e machines, personal protective
e q u i p e n t , methods and processes, using brand names and highly specific models
and types as necessary.
Decision-Makituz Potential. The decision-making p o t e n t i a l s of d a t a and measure-
ments should be ~nphasized. Current, commonly used r a t e s a r e weak i n decision
potential. Such r a t e s may indicate a performance i s excellent when, i f context
were known, it i o mediocre. Random v a r i a t i o n s a r e largely unassessed.
Measures will have g r e a t e r value i f they a r e s u f f i c i e n t l y descriptive t o
suggest what should be done.
During t h e discussions a v a r i e t y of suggestions were offered as t o how decision-
making p o t e n t i a l might be enhanced.
1. The apparent general lack of cross-tabulation of data was noted many
times, It was said t h a t one-variable d a t a tabulations indicate 9 r a t h e r
s i m p l i s t i c notion o r the events we a r e t r y i n g t o measure and control.
.
a. Industry plus "function"
m i n t enance
- .
Among t h e variables suggested f o r tabulation and cross-tabulat ion were:
e.g , transportation, material handling,
b. Energy type and energy b a r r i e r s (Gibson-Won concept )

c. Types of management intervention potential
d. Part of body a s r e l a t e d t o the above, and adequacy o f medical care.
e. More use of cost data. Cost d a t a holds a potential f o r showing
r e l a t i o n s with non-injury events and with non-accident c r i t e r i a
o f performance. Its use i s t o be construed, ipso facto, as
.
r e f l e c t i n g unconcern with human values.
f Data which w u l d show how t h e accident control system failed.
It w a s pointed out t h a t many of these types of data are ccomnonly sought and
found i n accident investigation, but t h a t they a r e not commonly seen i n pub-
l i s h e d suunnaries of data.
formance, was reemphasized --

The e a r l i e r injunction t o break program into p a r t s t o e f f e c t i v e l y measure per-
t h a t is, deci sion-making potential w i l l r e f l e c t
t h e program s p e c i f i c i t y of data.
Bi-Level R e w r t i q , A concept of a minimum routine report plus temporary sample

reports of a l a r g e number of t o p i c a l concerns w a s explained. The human f a c t o r s
s p e c i a l i s t s say, f o r t h e i r d i s c i p l i n e , it i s possible t o design questionnaires
f o r use by non-specialists t o obtain objective data. They would, however, set
up two requirements f o r a u s e f u l supplemental report
subject matter area, plus knowledge of questionnaire technology.
-- expert knowledge o f t h e
Seriousness Sequence. Early i n t h e discussions, a concept of sequence i n

seriousness of events was established and proved useful during t h e meeting.
The sequence used was:
Disaster
Mult i-death
Death
Permanent Injury (can be scaled)
Temporary T o t a l D i s a b i l i t y (can be scaled)
Lesser Injury
Temporary P a r t i a l (variously defined)
Medical Attention
First-aid Attention
No Ia$uq Accidents
Unsafe Conditions and Unsafe Acts
Err ore
Planning
Operational
Some of t h e points made apropos of such a sequence were:
1. Disasters, aad f a t a l i t y and permanent i n j u r i e s a r e not proper topics
f o r " s t a t i s t i c a l management,: but f o r very broad samples t h e r e may be
relevant s t a t i s t i c a l data.
2. The more serious events a r e even more r a r e than t h e l e s s serious events.
We therefore may need t o go t o t h e l e s s serious events t o g e t s u f f i -
e n t l y l a r g e nunbers f o r more r e l i a b l e s t a t i r t i c s .
3, The non-acc i d e n t s a r e constructively "before-the-f a c t , "

4. However, i f t h e l e s s serious events a r e used t o predict t h e more serious
events, t h e l i m i t a t i o n s and v a l i d i t y of t h e i r predictive value must be
arulyzed and tested.
The obvious point was made -- when an event r w e a l s hazard, don't wait f o r
nmtbers o r measures to t a k e action. On t h e other hand, don't go forever with-
out numbers and measures.
Alternate S t r a t e ~ i e s . There was considerable discussion of a l t e r n a t e s a f e t y

xmmgement s t r a t e g i e s :
1. Bnphaeize t h e prevention of t h e '%it& few" which account f o r the bulk

of human and economic costs, OR
h p h a s i z e t h e prevention of t h e "lesser many" which may a l s o reduce t h e

" v i t a l few;"
and a set of a l t e r n a t i v e s of a d i f f e r e n t sort:
2. Rnphasize that t h e g r e a t e s t reductions can be achieved by correcting
"accident prone work s i t u a t i o n s , " OR
Rnphaeize "accident prone behavior."
It was probably not t h e function of t h i s group t o reconmend a l t e r n a t e s t r a t e -

gies, but it c e r t a i n l y was our function t o point out t h a t the s t r a t e g i e s
selected (your assumptions) may very well color t h e data collected.
Although t h e discussion seemed t o favor t h e " v i t a l few" approach, coupled with

t h e "accident prone work s i t u a t i o n approach" a s management techniques, we
backed o f f from t h i s type of recommendation t o a strong recanmendation that t h e
data c o l l e c t i o n methods and measures be such a s t o give a v a l i d b a i i s f o r choos-
ing enphases and s t r a t e g i e s .
A Few S ~ e c iifc S u ~ ~ e s t i o n s .
One member suggested t h a t measurement of individual reactions t o r i s k i n

varioua s i t u a t i o n s , t h a t i e , accident propensity, be not measured by verbal
symbols, but by behavior measurement. However, others did not agree t h a t we
should, a t t h i s time, preclude any types of measurement.
Amther member suggested t h a t deviant behavior which was accident-producing
(dysfunctional r i s k taking) be r e l a t e d t o other forms of deviant behavior.
Also t h a t t h e aspect of out-of-plant accidents a s an aspect of deviant behavior
behavior in-plant .
not be neglected, p a r t i c u l a r l y where strong in-plant programs l i m i t deviant
There was no apparent disagreement.
Mechanisms f o r Progress. I n a short meeting such a s a symposium there i s t h e
opportunity t o glimpse t h e p o t e n t i a l s of a few new technologies and t o i n f e r '
t h a t t h e r e a r e l i k e l y many more p o t e n t i a l l y usef'ul technologies. Therefore,
t h e need f o r ongoing mechanisms i s evident to:
1. Help launch t r i a l 6 of promising technologies.
2. Identify other p o t e n t i a l l y useful technologies. (1f you don't know a
thing e x i s t s , it i s hard t o ask f o r i t . )
Three types of mechanisms were suggested:
1. Safety i n s t i t u t e s i n universities.
2. Special purpose committees within safety organizations (e.g .,
and ASSE) f u l l y representative of relevant d i s c i p l i n e s ( a s was
NSC
NSC's alcohol committee).

3. Safety coxmuittees within relevant professional and s c i e n t i f i c
societies.
Without such mechanisms t h e r e i s not l i k e l y t o be adequate t r a n s f e r of tech-

nology. Nor can t r a n s f e r be expected without both courage and funding of a
research-demonstrat ion-t rial-evaluat ion-application cycle.
P r a c t i c a l i t y . The f i r s t consideration of a measurement of safety performance

must be t o define and t e s t i t s useful limits and validity. Then t h e measure
must be made p r a c t i c a l , administratively feasible. This l a t t e r process may
involve simplified methods a s well a s t r a n s l a t i o n i n t o user language.
Ik Somethi%. I n our closing discussions, t h e advice was tendered, % n t t j u s t

do research, do something!" A s e t o f specifics was discussed and i s offered:
1. We should as rapidly as possible minimize t h e misuse of t h e disabling

injury frequency r a t e because it has t h e following limitations:
a. It does not c o r r e l a t e with professional judgement o f plant s a f e t y
program.
b. It does not c o r r e l a t e with accident costs.
c. It d e t e r s management safety action if r a t e s a r e "average" o r b e t t e r .
Management has been oversold on t h e significance of frequency r a t e s .
d. It degrades safety when awards a r e given despite the above facts.
e. It degrades safety when so many people know t h a t t h e c l a s s i f i c a t i o n
of accidents i s d i s t o r t e d by award motivations.
f . The r a t e is not understandable.
2. We should immediately begin t o t e s t modifications of r a t e s t o correct

apparent f a u l t s :
a. Change t h e events t o be counted (expand t h e d e f i n i t i o n s ) .
b. Change the measures of exposure.
c. Where man-hours a r e used, t r a n s l a t e i n t o meaningful terms, e.g.,
man-years, r a t h e r than an abstraction.
d. Test differences f o r s t a t i s t i c a l significance.
e. Explore methods of analysis of r a t e s t o increase t h e i r predictive
value.
3. I n recognition of t h e problems, we should define what ve eventually

want measures t o accomplish.
S w e e p i ~ ;Change. If major improvement i s t o be sought, it cannot be 'achieved

s o l e l y by "tinkering" changes, helpful a s they may be. Msjor changes usually
require more knowledge, extensive s t a f f study, and demonstrations and
evaluation.
Exhibits from the MORT Trials a t Aerojet
Recent Crane Safety A c t i v i t i e s a t Aero j e t Show t h e General Safety System
i n Operation.
Experimental Scaling Method.
Configuration Control Analytic Tree.

Review C r i t e r i a Used by a R e l i a b i l i t y and Quality Assurance Representative.
Modification and Experiment Review Board C r i t e r i a
Review C r i t e r i a of Nuclear and Operational Safety Representative.
Safety Review--Redundancy and Independence Scale.
Saf e t y Review--Analytic Tree.

NOS Division Review Routing Sheet.
10. F i r e Rating Sheet.
11. Fire Reviewer's Criteria.

12. Inspection C h a t .
13. "Systems Analysisn--the RSO Forms Used at Aerojet.

14. Sample Schematics f o r Upstream Audit.
15. The Safety Monitoring F'unction--A Step-By-Step Guide.
16, Field Safety Engineer 's Role.
17. Safety Program Improvement Projects.
18. Injury Control Chart p r e p r e d by computer.
Exhibit 1. . Recent Crane Safety A c t i v i t i e s a t Aerojet Show the General Safety System i n Operation
Planned
Changes
Hazard
Analysis
Evaluation
& Implementation
Up Stream
Processes
Work
-
Site
Operations
Monitor
* Acc/Inc -Information
System
I
\
1
This cycle
-
repeated. many
-- -- -- -
t variable
f i x needed * process specific f i x e s Operate c
Cranes a
RSo Studies problemll
~e{uire Clarkt s Specific f i x e s needed:

major ---c MORT Upgrade maintenance, --o
Study Study t r a i n i n g and t e s t s
C
d
upgrade
30 Ton Cranes lay On-
study reactor grade crane operation a
t o 50 T
Info
Future- Study
Search
Crane s
Required Retrieval
I
l a y on
study 4 I
'I
t o AEC
(and NASA)
major study store f o r
needed ---r t o develop ultra-high r e l i a b i l i t y crane operations ----------, application
Exhibit 2.
Experimental Scaling Method
An experiment i n s c a l i n g was conducted by two s a f e t y professionals
and a manager. Each independently r a t e d 36 t a s k s on a matrix of
p r o b a b i l i t y and consequences, shown on the next page. The
r a t i n g s were then combined a s shown by t h e i n i t i a l s i n t h e f i g u r e .
There was close correspondence between r a t e r s .
The f a r t h e r the trend l i n e i s t o t h e l e f t , and t h e s t e e p e r t h e
l i n e , the more urgent i s t h e process a u d i t and review. From t h e
r a t i n g s , t h e 36 p o t e n t i a l pmblem areas were arranged i n rank order
f o r in-depth review by t h e surveillance u n i t i n t h e s a f e t y division.

Exhibit 2, Crane transfer of heavy cask (> 1 ~ ) . Highly radioactivd material i~,ivolved.
Very
Anticipated Likely Unlikely Unlikely . Incredible
Day
\ Month
\1
Year
\ 5 year
\ 20 Yr. = Hypothetical PLant Lifetime
Exhibit 4.
Design Review C r i t e r i a Used by a R e l i a b i l i t y and Q u a l i t y Assurance Representative
Conceptual Review
1. Have the operational performance c r i t e r i a been established and docu-
mented?
2. Have the operational environmental c r i t e r i a been established and
documented?
3. Do t h e established performance and environmental c r i t e r i a meet customer
requirements?
4. Have the operational r e l i a b i l i t y requirements been established?
5. ~ o e ' sthe predicted r e l i a b i l i t y meet the r e l i a b i l i t y requirements?
6. Have a l t e r n a t e designs been investigated and an optimum selection
made ?
Preliminary Design Review
1. Have the check l i s t items f o r the conceptual review been answered
satisfactorily?
2. Has a f a i l u r e modes and e f f e c t s analysis been completed?
.
3 Have a l l preventive/correct ive actions been i n i t i a t e d t o eliminate
o r minimize a l l modes of f a i l u r e ?
4. Does the current r e l i a b i l i t y assessment and prediction indicate
t h a t the r e l i a b i l i t y requirements w i l l be met?
5. Have r e l i a b i l i t y analyses been made f o r alternate, designs?
6. Have trade-off relationships of r e l i a b i l i t y vs. weight, volume, main-
t a i n a b i l i t y , cost, schedule and producibility been maximized?
7. Are safety margjns f o r t h e design adequate t o compensate f o r uncer-
t a i n t i e s i n matepial properties, loads, environments and a n a l y t i c a l
methods?
8. Do the design spe\cification performance limits represent values which
can be attained wbthin the development -program?
.-
9. W i l l t h e d e v e l o p d n t t e s t program a s planned evaluate the performance

capability of the ,assembly o r component i n a l l c r i t i c a l modes of opera-
t i o n t o be met i n q u a l i f i c a t i o n testing?
10. W i l l development t sts permit evaluation of c r i t i c a l modes-of-failure
and t h e a b i l i t y of assembly o r component t o meet specified perfor-
mance Limits?
11. Has a t e s t progra includes peripheral t e s t i n g been planned t o
investigate the of specified c h a r a c t e r i s t i c s and pertinent
modes of f a i l u r e ?
12. Have a l l doubtful areas of material applications i n the assembly o r
component r e l a t i v e t o fatigue, creep, corrosion, e t c . , been investi-
gated by the Materials Engineering Division?
13. Has a f i n a l s t r e s s analysis of the assembly or component been corn-
ple ted?
14. Has a complete dynamic analysis been accomplished?
15. Does t h e assehbly o r component design provide f o r efficiency i n inspec-
t i o n and r e p p a b i l i t y f o r restoration t o operational effectiveness?
16. w i l l manufacturing and inspection v a r i a b i l i t y i n dimensions and proces-
sing degrade r e l i a b i l i t y below an acceptable level?
17. Have process control procedures and inspection procedures been prepared
f o r a l l assembly o r component fabrication operations requiring high
accuracy of adjustment, s p e c i a l equipment, s p e c i a l t o o l s , and techniques;
o r where inaccessability creates special problems?
18. Does the design incorporate positive features t h a t prohibit incorrect
installations?
19. Have adequate protective equipment and procedures been provided t o
prevent damage t o the assembly o r component during fabrication hand-
l i n g , t e s t , cleaning and shipping t o prevent degradation of r e l i a b i l i t y ?
20. Is the design conductive t o the maintenance of cleanliness and corro-
sion resistance?
21. Have a l l items requiring i d e n t i f i c a t i o n and t r a c e a b i l i t y been identified?
22. Have a l l r e l i a b i l i t y sensitive components been identified?
23. Has a p a r t s application review beenconducted f o r a l l purchased p a r t s ?
F i n a l Design Review
1. Have the check l i s t items f o r the preliminary design review been answered
satisfactorily?
2. Do the design specifications conform t o customer requirements?
3 . Have the drawings met a l l checking requirements?
4. Are the process and material specifications released?
5. Do the design specifications, drawings and process and material speci-
f i c a t i o n s contain a l l necessary r e l i a b i l i t y assurance provisions?
6 . Does t h e current r e l i a b i l i t y assessment and prediction indicate t h a t
the r e l i a b i l i t y requirements w i l l be met?
7. Has a r e l i a b i l i t y demonstration plan been established?
8. Have a l l action items from previous reviews been completed?
9. Have a l l r e l i a b i l i t y problems been resolved?
10. Has an integrated t e s t program been defined including incorporation of
s t a t i s t i c a l techniques and r e l i a b i l i t y t e s t i n g provisions?
11. If the design contains subcontractor or vendor supplied p a r t s , have
subcontractor and vendor r e l i a b i l i t y assurance provisions been required?
Exhibit 5.
Modification and Experiment Review Board C r i t e r i a

1. For Reactor Operations discipline:
&:Design i s such t h a t the reactor and experiment systems can be safely
and e f f i c i e n t l y operated.
b. Design permits operation within applicable specific reactor Operating
Limits document.
c. Design i s compatible with other operating features of the plant and
experiments.
d. Sufficient operational information i s included t o develop operating
procedures and designate experiment setpoints.
e. Maintenance and service provisions have been defined and s e t forth.
2. For Nuclear Engineering discipline :

a. Design work i s adequate and meets necessary safety considerations.
b. Complies with requirements of applicable specific reactor Technical
Specifications and other applicable codes and standards.
c. Sufficient i n s t a l l a t i o n instructions are provided t o assure a proper
and correct i n s t a l l a t i o n .
d. % a l i t y Control an& inspection requirements are defined.
e . Complies with the requirements of R & Q,A and configuration control.
f . Effects on the ... characteristics of the reactor are such t h a t the
plant i n t e g r i t y i.s not jeapard.ized o r the operational safety margin
i s not reduced below t h a t evaluated i n the safety analysis assoc2-
ated with the particular reactor.
g . Conformance wi%h existing instrumentation and control capabilities.
3. For Nuclear a d Operational Safety discipline:

a. Ituclear c r i t i c a l i t y hazards are minimized.
b. Safety evaluation has been performed and i s commensurate i n scope and
depth with pro--osed modification or experiment.
c. Safety evaluation shows t h a t the r i s k l e v e l of reactor operations
i s not increased beyond t h a t evaluated i n the safety analysis associ-
ated with the particular reactor.
d. Conforms t o health physics standards practices and other nuclear and
operational safety requirements.
e. Conforms with i n d u s t r i a l safety standards and practices.
4. For Nuclear Physics a d Technology discipline:
a. Corifoms t o the appropriate specific reactor Technical Specifications
and Operational Control documents.
b. !There 3s no adverse e f f e c t from the standpoint of reactor physics.
c. Consistent with existing, instrumentation and control capabilities.
d. Required reactor physics data have been obtained and evaluated,
including c r i t i c a l i t y calculations a s needed.
5. F o r - R e l i a b i l i t y and Quality Assurance d i s c i p l i n e :
a. Quality control. and inspection requirements a r e defined.
b. Complies with t h e requirements f o r R & QA and configuration control.
6. For a l l Board Members :

a . Conclusions s t a t e d i n proposal package a r e c l e a r l y supported by
appropria-t;e analyses.
b. Risks and system degradations are c l e a r l y i d e n t i f i e d .
Exhibit 6. Review Criteria of Nuclear and Operational S a f e t y Representative
Proposal :
Basic Request L e t t e r Reference:
Date :
I
Score I Item
I
I That nuclear c r i t i c a l i t y hazards a r e minimized.
A s a f e t y evaluation has been performed and i s commensurate i n scope and depth with t h e
proposed modification o r experiment.
The s a f e t y evaluation shows t h a t t h e r i s k l e v e l of r e a c t o r operations i s not increased

beyond t h a t evaluated i n t h e s a f e t y a n a l y s i s associated with t h e p a r t i c u l a r r e a c t o r .
Conformance t o Health Physics S t a n d w d P r a c t i c e s and t h e requirements contained i n

Reference 4.4.
-
Conformance with I n d u s t r i a l Safety Standards and P r a c t i c e s .
Conclusions s t a t e d i n t h e proposal package a r e c l e a r l y supported by a p p r o p r i a t e
analyses.
Risks and system degradations a r e c l e a r l y i d e n t i f i e d .
I Scoring System:
3. Criterion exceptionally w e l l s a t i s f i e d
2. Criterion well s a t i s f i e d
1. Criterion adequately s a t i s f i e d
0. Criterion inadequateljr satisfied (negative v o t e )
E x h i b i t 7, S a f e t y Review
Redundancy and Independence S c a l e
Minimal redundancy Camp? e t e Redundancy
and Independence and Independence
Role of S a f e t y Review Agent

1- -
Performs primary s a f e t y Not involved i n perform-

analysis t o operational m c e of primary s a f e t y
proposals sn:tlyr,j s
S p e c i f i e s proper codes, V a l i d a t e s codes, stand-

standards and regula- a r d s and r e g u l a t i o n s
tions O+ s e l e c t e d by o t h e r s
*o&@
High degree of p e r s o n a l *a. No p e r s o n a l i n t e r e s t i n
i n t e r e s t i n operatdonal +,* o p e r a t i o n a l impact of
impact of review deci- to % review d e c i s i o n s
sions "OQ,
QQ
Dependent on o p e r a t i n g &
",
, F i n a n c i a l l y independent
group f o r funding of o p e r a t i n g group
t
Common management o r Organizationally indepen-8
s u p e r v i s i o n w i t h opera- dent of o p e r a t i n g group
t i n g groups o r groups and groups performin?
performing primary primary snf e t y analyses
s a f e t y analyses
Rewrites proposals t o Rejects proposals with

meet review c r i t e r i a o r cause. Does not p a r t i c -
participates directly ipate i n rewrite
i n rewrite
Automatically u t i - Utilizes different

li zes same a n a l y t i c a l a n a l y t i c a l methodology
methodology as group and/or challenges ana-
performing primary l y t i c a l methodology used
s a f e t y analysis by group performing
primary s a f e t y a n a l y s i a
Exhibit 8,
Independent Safety Review System A n d y t i c a l Tree
This a n a l y t i c a l t r e e is designed f o r evaluation of independent s a f e t y review

systems. It is desimed t o indicate those f a c t o r s which m u s t be considered
i n evaluating an independent s a f e t y review system and its i r d i v i d u a l subsys-
tems a d elements.
The t r e e does not i t s e l f r e s u l t i n value jMgements i n t h e areas defined. For
example, the t r e e leads t o a conclusion t h a t "objectivity and independence"
must be considered i n system evaluation and goes on t o define those things
t h a t must be considered i n evaluating degree of o b j e c t i v i t y and independence,
It does not define t h e degree of o b j e c t i v i t y required, This must be detennined
on a case b a s i s depending on the nature of t h e material being reviewed and
s p e c i f i c c o n s t r a i n t s imposed on t h e system (AECM, i n t e r n a l ANC requirements,
etc.).
The t r e e i s designed t o be used as a part of an evaluative process which i n
its e n t i r e t y consists of t h e following steps: I
Analyze t h e work being conducted and i d e n t i f y and s c a l e the job hazards

on a probability-consequence basis,
I d e n t i f y the independent s a f e t y review agencies and elements.
Relate the s a f e t y review agencies t o t h e job ha&s i,e., what revlew
agency reviews each ha-dous job m c l a s s of jobs?
Use the a n a l y t i c a l t r e e as an outline i n establishing t h e system require-
ments f o r each job o r c l a s s of jobs, e.g., how much o b j e c t i v i t y and
independence i s required, what technical s k i l l s a r e required, e t c r
Etraluate t h e r e l a t e d review agency against a l l requirements so defined.
Key t o Symbols :
"and" gate, A l l subordinate items must be considemd,
"or" gate. One o r t h e other of the subordinate items may be

considered. Note t h a t i n system evaluation, t h e b a s i s f o r making
t h e "or" choice must be c l e a r l y defined unless t h e option is of no
concern. For example, i n the case of operating r e a c t o r s t h e "or"
.
choice f o r type of review w n c y must be a review board (AECM 8401
requirement )
"ditto." If one reaches a d i t t o terminal, he must t r a n s f e r t o

t h e t r i a n g l e with t h e same number i n another branch of t h e tree
t o continue downward.
C r i t e r i a t o be considered.
Terminal c r i t e r i a .
E ~ h . 8- 2
Independent Safety Review System Analytical Tree
Begin a t t h e t o p of c h a r t :
1.0 The o b j e c t i v e of the process under a n a l y s i s is t o perform independent
s a f e t y review i n an e f f e c t i v e manner.
1st "and " g a t e
2.0 The independent s a f e t y review process must provide f o r :
2.1 Review of P r o j e c t s and Proposals
2.2 Review of accidents and i n c i d e n t s i n t h e broad sense (evidences
of t h e systemk own f a i l u r e ) .
2.3 Review of t h e s a f e t y review system i t s e l f (against general
organizational and customer requirements and s p e c i f i c a t i o n s ) .
1st "or" e;ate
3.0 Independent review may be provided by:
3.1 An independent review agency
3.2 An i n t e r n a l working group review process which has, i t s e l f , been
reviewed by an independent review agency.
2nd "or" g a t e
4.0 The review agency (3.1 or 3.2) may c o n s i s t o f :
4.1 A review board
4.2 Individual review by one o r more review agents functioning indepen-
d e n t l y of one another.
\
2nd "and" g a t e
5.0 The review agency (4.1 o r 4.2) must be evaluated i n terms of t h e
following c h a r a c t e r i s t i c s :
5.1 Technical, Managerial and Analytical c a p a b i l i t y of t h e review agents.
5.2 The l e v e l of review e f f o r t applied.
5.3 The o b j e c t i v i t y and independence b u i l t i n t o the system.
5.4 The review and reporting c r i t e r i a u t i l i z e d .
5.5 The c o n t r o l ( a c t i o n ) e f f e c t i v e n e s s of the Review Agency,
5.6 The q u a l i t y of information input t o t h e Review Agency.
Each of the b a s i c c h a r a c t e r i s t i c s l i s t e d above (5.1 through 5.6) w i l l be
discussed i n turn. It should be noted t h a t s p e c i f i c requirements which m l r s t
be met by t h e various s a f e t y review system elements a r e determined by considera-
t i o n s external t o t h e t r e e i t s e l f . These considerations involve t h e nature of
t h e m t e r i a l t o be reviewed and i t s associated review requirements.
Re uirements axe of two types:
9s) Those requirements s e t e x t e r n a l t o t h e company, e. g. , AE(91-8401 require-
ments a s c l a r i f i e d a d i n t e r p r e t e d by AEC sources.
(b) Those requirements which a r e determined i n t e r n a l l y t o ANC and which are
generally based on probability-consequence considerations.
Branch 5.1 The review a e n t s must possess:

5.1.1 Engineering and s c i e n t i f i c c a p a b i l i t y appropriate t o t h e review task.
5.1.2 Managerial c a p a b i l i t y appropriate t o t h e review t a s k ,
5.1.3 Analytical review c a p a b i l i t y r e l a t i v e t o t h e review task.
This, i n t u r n , r e q u i r e s t h a t one consider t h e following c h a r a c t e r f s t i c s o f
t h e review agents as r e l a t e d t o 5.1.1, 5.1.2 and 5.1.3 above.
5.1.x.1 mutational background
5.1. x.2 Special Training
5.1.x.3 Present work assignment
5.1.x.4 Total experience
5.1.x.5 Continuing processes which e x i s t and a r e u t i l i z e d t o upgrade
t h e review agent's techniques and s k i l l s .
Branch 5.2 The l e v e l of e f f o r t must be appropriate t o the review tasks. This
includes two system c h a r a c t e r i s t i c s :
5.2.1 Appropriate funding and a l l o c a t i o n of resources t o each review task.
5.2.2 bogram and schedule arrangements which permit application of
resources t o the review tasks i n an appropriate manner.
Branch 5.3 The system must provide a l e v e l of independence and o b j e c t i v i t y
appropriate t o each review task. This includes three types of personnel
objectivity and independence:
5.3.1 The manager who has r e s p o n s i b i l i t y f o r converting the review agency's
a c t i v i t i e s t o control action must be s u f f i c i e n t l y independent and
objective.
5.3.2 The parent manager(s) t o whom t h e individual review agents report
must provide a climate which permits the review agents t o function
i n a s u f f i c i e n t l y independent and objective manner.
NOTE: The parent manager t o an individual review agent i s not neces-
s a r i l y the individual t o whom t h e review agency reports.
5.3.3 The review agents themselves must function i n an objective and
independent manner.
I n t h e case of each of t h e above (5.3.1 through 5.3.3) t h e individuals
involved must have:
5.3.x.1 The proper personal t r a i t s t o permit functioning i n an
e f f e c t i v e , objective and independent manner.
5.3.x.2 An appropriate v e r t i c a l organizational position i n t h e
working, supervision, managerial hierarchy.
5.3.x.3 An appropriate functional organizational position and
assignments.
Branch 5.4 The review c r i t e r i a used by the review agency (and individual agents)
must be properly defined i n such a manner a s t o r e s u l t i n appropriate review
action. This requires t h a t :
5.4.1 The c r i t e r i a a r e defined i n appropriate d e t a i l .
5.4.2 The c r i t e r i a a r e available and known.
5.4.3 The c r i t e r i a a r e appropriate t o the subject under review.
There a r e three aspects t o t h i s d e f i n i t i o n of c r i t e r i a f o r 5.4.1, 5.4,2
and 5.4.3 above:
5.4.x.1 The c r i t e r i a must be communicated t o the review agency by
t h e i r parent manager i n appropriate management control
language.
5.4.x.2 The 5.4.x.1 c r i t e r i a must be converted t o a proper working
language a t the i n t e r f a c e between the review agency and
the reviewee groups.
5.4.x.3 The 5.4.x.l and 5.4.x.2 c r i t e r i a must be converted t o an
appropriate working language f o r use by the review agents
tency i n the review agents day-to-day a c t i v i t i e s )

These expressions of review c r i t e r i a (5.4.x.1, 5.4,x.2 and 5.4.x.3)
.
themselves ( f o r handoff t o a l t e r n a t e s and t o provide consis-
may not be i d e n t i c a l statements and must, t h e ~ f o r ,e be validated

against one another f o r consistency i n basic content.
Branch 5.5 The system must possess a s u f f i c i e n t l y high degree of action effec-
tiveness. The review a c t i v i t y must r e s u l t i n appropriate organizational response.
Implementation of review agency action depends basically on three f a c t o r s ;
5.5.1 The c h a r a c t e r i s t i c s of the review agency's parent manager already
defined i n 5.3.x.1, 5.3.x.2 and 5.3.x.3.
5.5.2 The nature of t h e review agency's action which includes:
5.5.2.1 Go-no-go opinions based on the agencies ' assigned review
c r i t e r i a (approval-disapproval )-,
5.5.2.2 Conclusions and/or recommenda7ions based on the agency' s
assigned review c r i t e r i a .
I n t h e case of both 5.5.2.1 and 5.5.2.2 a c t i o n is dependent on:
j.5.2.x.l Existence of review and reporting c r i t e r i a
which a r e relevant, s u f f i c i e n t and a r e properly '
interpreted and applied.
5.5.2 .x.2 A responsive reykewee l i n e managerial p o s i t i o
3
having a p p r o d a t e c h m a c t e r i s t i c s (5.3.x.1,
5.3.x.2 and 5.3.x.3).
5.5.2.x.3 A manwment control system which defines
a p w p r i a t e d i r e c t control and which provides
stppropriate system performance information
through individual item audit and followup.
5.5.3 A protocol which r e s u l t s i n appropriate submission of items t o
proper review agencies f o r review, Effectiveness of t h i s portion
of the systan i s dependent on three f a c t o r s :
5.5.3.1 Characteristics of the l i n e (reviewee) managerial position
which i s responsible f o r subnitting items f o r review
(5.3.x.1, 5.3.2.2 and 5.3.x.3).
5.5.3.2 The c r i t e r i a which define those items which must be submitted
f o r review. These c r i t e r i a a r e subject t o t h e sam branch of
t h e a n a l y t i c a l t r e e a s the review c r i t e r i a themselves, t r a n s f e r
point 8 i n Branch 5.4,
5.5.3.3 Existense of audit information which i n d i c a t e s performance
and provides a b a s i s f o r remedial action i n the event of
misinterpretations or other d e f i n i t i v e or action inadequacies.
Branch 5.6 The review agency must have appropriate information inputs. These
consist of f i v e b a s i c s o r t s of information:
6 Proposals presented t o the review agency must contain complete infor-
mation relevant t o t h e review c r i t e r i a u t i l i z e d by the agency.
5.6.2 The review agency must possess appropriate systems information r e l e -
vant t o personnel, plant and hardware, and procedural and management
control subsystems.
5.6.3 The review agency must possess appropriate information r e g d i n g
, p o l i c i e s , procedures, codes, standards and regulations,
restraip
This i n udes such material generated by ANC, by AEC and by other
sources. r ' - .,
5.6.4 The review agency must have information r e l a t i n g t o appropriate

a n a l y t i c a l methodology (both technical methodology and review
methodology). This includes both:
5.6.4.1 S t a t e of t h e a&
5.6.4.2 Requirements r e l a t i v e ' t o prescribed methodology (e .g.
requirements f o r f orma1 single f a i l u r e analysis, e t c ) .
Exhibit 8 - 5
INDEPENDENT SAFETY REVIEW SYSTEM

ANALYTICAL TREE
Exhibit 9.
NGS DIV1::ION REVIEW EGUTING SmET Date G u t -

TITU: Gate D ~ l e
- 4
aa
Comments 0 n l a ~ p p r o v e n Letter & Date
Division Repres .
Exhibit 10.
Reivewer
Fire Rating Sheet ( ~ e f :REC-21-72, for criteria details)
Review Subject -..
Date
Rating Of
Propos a 1
I General Criterion
l ~ a t i nof~ depth of
Review
I
F i r e hazards a r e adequately described
(qualitative) .
I Fire hazards are adequately analyzed

(quantitative).
Adequate steps have been taken t o minimize and

control F i r e hazards (design, monitoring emergency
action, protective equipment, e t c . )
I Proposed actions and f a c i l i t i e s a r e i n compliance

with a l l applicable c d e s , standards and regulations
I
Scoring System:
3. Criterion exceptionally 3. Reviewed carefully

well s a t i s f i e d and conclusion is
highly valid.
2. Criterion well s a t i s f i e d
2. Reviewed i n ade-
1. Criterion adequately quate depth t o f e e l
satisfied comfortable with
0. Criterion inadequately conclusion.
satisfied.
1. Review marginal,
but adequate .
Detailed explanation f o r "1"ratings.
Exhibit 11. F i r e Reviewer's C r i t e r i a
NOS Representative :
A. Construct.ion and Occupancy Review 3. Heat Transfer (exposures )

1.
2.
Unifor-m Building Code compliance
Ehposure hazards C . Operational S u i t a b i l i t y
3. Build e x i t s requirements 1. Try t o determine i f t h e operation
4. Process hazards i s s u i t a b l e f o r t h e proposed
5. Alarm and s p e c i a l extinguishing l o c a t i o n from a f i r e hazard and
system requirements exposure standpoint.
6. C o q l i a n c e with AEC ID0 Manual
12044 " ~ e s i g nC r i t e r i a Manual" D. OSHA Requirements
7. General AEC "improve r i s k "
req~irements 1. Review proposal f o r compliance w i t h
OSHA requirements only f o r t h e
following s e c t i o n s of OSHA,
1. Special Process Hazards a. Subpart E - means of e g r e s s

a. Flammable l i q u i d use and . b. S u b ~ a r tH - hazardous m a t e r i a l s
storage c. Subpart L - Fire protection
b . Pyrophoric metals d. Subpart N - Materials handling
and s t o r a g e
c. E l e c t r i c a l i g n i t i o n sources
d. Heat i g n i t i o n sources e. Subpart S - electrical
e. What i s being exposed and
what i s exposing t h e process E. SAR
from a f i r e r i s k 1. Try t o determine i f p o t e n t i a l f i r e
f . Use of approved equipment hazards have been evaluated f o r r i s k
(UL and/or FM approved) and i f any f i r e p o t e n t i a l s i t u a t i o n s
g. Gases have been overlooked.
h. Ventilation
i. Special r i s k reduction F. Training Programs
equipment a v a i l a b l e (example :
extinguishing and d e t e c t i o n 1. The f i r e brigade i s t h e only t r a i n i n g
system) program I review.
2. Trade Offs on t h e F i r e Risk

a. Example: c o s t versus l o s s
potential
b. Automatic extinguishing system
a v a i l a b l e and i n s e r v i c e
c. A v a i l a b i l i t y of t h e f i r e
department and t r a i n e d f i r e
brigade
INSPECTION CHART
Exhibit 13.
"Systems Analysis'' - the RSO Forms Used at Aerojet
SYSTEMS ANALYSIS
Operational Safety
1. I em i n : Branch, at Area.
2. job t i t l e i s :
3. Date: .
Exhibit 13.
A s part of our continuing e f f o r t t o upgrade operational s a f e t y , we would

Uke t o obtain scme information fran each of you.
On t h e following peges we will ask you f o r examples of jobs performed by
your branch arhich you personally observed and i n which you f e e l exceptionally
high operational safety standards were maintained.
We vill, a l s o , ask f o r examples of jobs and operating s i t u a t i b n s i n which
operatianal safety standards were not s o high.
Each of your examples should be a brief, f a c t u a l account of somethinc t h a t :
1. Happened on a particular job at a specific time t h a t you personally
observed.
2. Involved handling of a job (or s i t u a t i o n ) t h a t you fudeed t o be especially
good frat t h e point of view of operational safety standards ( o r expecially
bad f ram t h e point of view of operational s a f e t y standards).
The examples needn't be spectacular o r dramatic. Rather, they should apply t o
day-to-day haadling' of jobs and operating situations.
There need nat have been an "incident" associated with your example. We're
e s p e c i a l l y interested i n s i t u a t i o n s which might have had serious consequences
o r whlch w h t result i n f u t u r e s a f e t y problems (under d i f f e r e n t conditions).
We, also, have a s p e c i a l i n t e r e s t i n deficiencies i n plant equipment and i n
-
basic plant design.
-
The examples should not include t h e names of t h e people involved. These reports
-
are t o be used only f o r research i n methods a d f a c i l i t i e s improvement. We a r e ,
theref ore, only interested i n what happened (or might have happened) ; not who
d i d it!
-
We've t r i e d t o a n t i c i p a t e some of t h e questions you might have regarding t h i s
study :
Why a r e you asking us?
The answer t o t h a t i s very simple. You're t h e experts. You're professional
are doing the work. I t ' s been demonstrated time and again
t h a t the people who a r e doing t h e job a r e t h e ones who know what's going on.
Does t h i s have anything t o do with checking up on individual people i n t h e
Pmch?
Absolutely not: You'll note t l n t ' w e don't ask yo11 t o put your names on tile
reporto :L&'= -
ask you not t o put mybody e l s e s n:Me i n your examples. We're
i n t e r m ~ t c do n l y in how the system works ;md whnt Branch and Division Mamt:emm.-~1
c:ul do t o h e l p
op@X?tti~~ll*
- i n your pruf essionnl g a l of conductilx t h e s a f e s t possiblcn
I've never seen anything l i k e t h i s before. Is t h i s something new and

experimenta l l
T h i s is not 811 experimental method. I t ' s been used a great deal both l o c a l l y
and i n other places.
Exhibit 13. (2)
Applications range from aircraft piloting t o teaching methods a t Colleges

aad Universities.
Ths m o d haa been used i n other R & D establishments including Oak Ridge
engineering design shops.
I've noticed t h a t two of the questionnaire sheets are white and twoare
colared. Why 16 that?
-
We're asking you f o r four examples.
(1) Most recent example of a job o r operating situation i n which you Peel
F c m h i g h standards of operational safety were maintained.
(2) Another example of a Job or operating situation i n which you f e e l

especially high standards of operational safety were maintained.
(3) Moat recent example of a job o r operating situation i n which you f e e l

higher standards of operational safety should have been maintained.
(4) Another example of a job o r operating situation i n which you f e e l

'-standards of operational safety should have been maintained.
-
If you look at t h e t o p of t h e sheets you'll see t h a t the white sheets aye f o r
good jobs ( j u s t l i k e "white hats" are f o r "good guys"). The c o l o ~ dsheets apply
t o jobs o r operating situations i n which highest standards of operational safety
-re not maintained.
A r e you interested i n any special s o r t s of things?
A s we s t a t e d e a r l i e r , we're especially interested i n design and equipment

problems i n the basic plants and supporting f a c i l i t i e s .
We, also, have a special i n t e r e s t i n things which are l i k e l y t o cause
operating incidents, especially i n the older plants.
What do I do when I've completed t h e sheets?
Give them t o your supervisor. The results w l l l be studied by an analyst

who is not a member of' your Branch.
Then what?
Recanm~ndntionswill be d e t o Branch and Division Management regarding
-- objective of doing your job i n t h e
changes designed t o assist --you i n your
m o s t safe and ePPe~%ivemanner.
Exhibit 13. (3)
-
From your experience, think of the most recent s i t u a t i o n where a Job o r
operating s i t u a t i o n involving your branch went e s p e c i a l l y well from t h e
point of viev of operational s a f e t y standards.
Ytren am3 where did t h i s happen? (~pproximatedate and place)
W k t equipnent and/or what type of job was involved?
Briefly describe t h e s i t u a t i o n at t h e time (process or reuctor running,

process or r e a c t o r shut down, abnormal operating conditions ,' e t c ) ..
2
N.B. A s indicated op the previous page, four

forms a r e used. The paragraph a t t h e top
i s moaified appropriately. Good incidents
are on white, and bad incidents on blue paper.
Exactly what happenedl( (use other side, i f necessary).
5. Why do you c l a s s i f y t h i s a s an example of p a r t i c u l a r l y high safety

standards?
6. What miglrt have been expected from conducting t h e job l e s s s a f e l y i n t h i s

situation (e.g.. personnel exposure, plant cont3mina%ion, gaseous o r liquid
.
e f f l u e n t release, e t c ) ?
Exhibit 14
Prod ect Engineering Flow Sheet
- ---I -- ---CS_
Maintenance
9 10
10
kt 14 -2 sheet )
Froject Engineering (~ardware?l~-,?
1 r
Reactor I Reactcr Canal Cispcsal
Sponsor Mockup )- Area
C -
Sponsor ships h e f i n r e t o mockup area along with radiographs.
Program Sontrcl representative. opens shiment.
PE inspects the shi-pent (verification of r i g h t materials only).
PE has QA, inspect the radiographs - if they a r e unsatisfactory, new ones a r e taken by QA.
PE writes' GWh's t o have equipment installed.
Maintenance people perf.0- a CL. u a l inspection when i n s t a l l i n g equipment.
There is no real codes, ktandards inspection.
PE verifies t h a t the installations are correct (process not formally auditable).
GWA 's written f o r equipment rewval.
GWA's written for e q u i p n t disposal ( b u r i a l ground, etc. ).
S&.fe.Ly co~:~iacrctlonsare &iscussed and QA standards.
PI3 c ~ n d c c t sliaison with other group specio.lists.
PE fcnis'ces S p x s o r wi-bh dzaTrings, Engineering requirerfients, e t c .
2. Sponsol: ou5:fits proposal t o I D f o r slpproval.
PE sends letter(Fl24 l e t t e r ) t o I D s t a t i n g whether t h e job ctzn be done o r

what chwdes a r c necessary.
PE assures coxripliance with engineering standards.

PE assures t h a t Sponsor has conpl.ied with $A, etc.
ID approval returned t o PE.
4, Sponsor and PE collaborate on formal design of project - by t h i s time most

of design i s already completed.
PE obtains assistence from other Tech. Specialists.

PE has no method f o r recall of previous experience.
Very l l t t l e contact with safety people.
5. PE. generates drafts of the following documents and sends t h e n t o GDC:

1) Preinsertion procedure
2) Insertion DOP
3) Removal DOP (this must be an approved document before insertion i s made).
4) Handling and shipping DOP (procedure t o dispose of the experiment m y
already be i n existence).
PE receives approved docwsents back from .CDC ( S ~ ~ D R flow

R sheet) but does
not sign f i n a l documents (sponsor does, however).
6. PE asks training branch t o s e t up session for operation personnel.
PE has no training input t o maintenance.
PE conducts t r s i n i n g session f o r operations.

7. PE sub~atspcka,oe t o l.EU3 ( ~ u s have
t cmpleted a hazards analysis).
Pi3 generates GWAVs t o Program Control Branch.
8. Work is scheduled.
9. Operations and Maintenance receive assignments
10. PE foll~ows3 ob t o coiqletion.

Exhibit 1 4 -5 =A REACTOR MODIFICATION CYCLE
r
-
D
-
a a A I 9 3 b
Need f o r
Change
Request f o r
Design and
safety
Proposed
Change Kith
%sis f o r
Safety
- Procedures Ir
Hardware
Acquisition
Installation - Testing Training - Operation
Analysis
L - - -- rl i I J r l r
1. Operations determines need f o r change.
2. Operations requests design and safety analysis from Engineering.

Operat ions not receiving adequate &
S a l l of t h e time.
Engineering-NOS interface unclear.
No evidence of l i t e r a t u r e search.
Responsibility f o r codes, standards, e t c . , r e s t s with Engineering.
3. Completed package submitted f o r necessary approvals (MERB, e t c ) ..

Operations u s u a l l y must v'btain additional support work from NOS-NT o r others.
4. Operations writes draft of necessary procedures and submits t o CDC.

Procedures routed through CDC chain .including PRB.
Operations accepts responsibility f o r s a f e t y of procedures and compatibility with other documentation - How they
assure t h i s is not clear.
No formal "Basis f o r Safety" submitted f o r PRB review.
Formal procedures returned f o r Operations signatures and publication.
5. Engineering i n i t i a t e s hardware acquisition

Engineering assures compliance with both &A and Safety CS&R.
Not c l e a r har t h i s is done.
Operations and Engineering collaborate on establishing e s s e n t i a l i t y levels.
Operations and Engineering eanetimes e s t a b l i s h f a c t o r y t e s t i n g requirements.
Receiving inspections a r e performed by QA t o Engineering established standards.
5. Zon't. Exhibit 1 4 -6
Operations r e U e s on Qflo r record retention.
No evidence of l i t e r a t u r e search f o r precedent hardware problems.
-
6. Instructions f o r i n s t a l l a t i o n originated by Engineering reviewed by Operatione.
Planning and Scheduling transforms Engineering package i n t o a smooth Maintenance package.
SWP may be required -
no other s a f e t y review of a c t u a l i n s t a l l a t i a n .
No evidence of c r a f t t r a i n i n g ( s p e c i f i c t o job).
- -
7. Operations originates "In Place Testing" requirements and Engineering writes the a c t u a l t e s t proceduree.
No v i s i b l e s a f e t y review of t e s t procedures.
Amount of t e s t i n g done often limited t o available "Shutdown Time" -
Operations does f e e l t h a t if they Jnsieted
shutdam could be extended.
-
8. Operations determines which modif ications w i l l require additional crew t r a i n i n g .

Training requests then coordinated through Training Branch.
9, Reactor i s operated.
---
.-
Exhibit 15. W"El'Y rJrgNITORING FUNCTXON
A Step-by-step Guide
Who Does
A. study Bas1c plant s a f ey analysis Assemble and catalogue basic safety analysis mat e r i s l .
material This includes Technical Specifications, Operating Limits,
SAR material, C o n t r ~ ldocuments, Procedural n a t e r i a l , e t c
Key plant s G e t y processes Extract t h e key processes from t h e material assembled i n
A. This wlll always include as a minimum:
(I) The b a ~ i cpersonnel t r a i n i n g & qualtfication
process.
(2) The 5asic hardware control processes.
(3) The basic methodology f o r generation and contl ti
of grocedwal systems.
These will be a.,igmented by t h e specific: processes
which p t e c t seetj! e z d p i n t s .
I----------- ------------ ---- ............................
Key plant safety processes Processes selected i n B vlll be charted according t o a
t w l~e v e l charting system:
( a ) A b a s i c ~ b l o c kdiagram which indicates t h e
e s s e n t i a l functions which must be performed i n
reaching the required end-pcint or product
( ~ i g u r eI).
( b ) A two dimensional chart ass.ociated wlth each
block w!~ich indAcates i n simple basic language
"who" does "what" t o implement t h e block
------.---------------------------------------------------.
( ~ i g u r e11).
D. Analyze P r ~ c e s s e sf c r oversights, omissic The process of p r f o m i n g ': w i l l automaticallj z a k e
and lack of d e f i n i t i o n oarisslons, oversights and lack cf d e f i n i t i c n clear%
Process oversights, omissions and Oversights and aanfssions a r e catalogued f o r followup end
---------- -- ----------
----------------------------------.
lack of definition ---L
reported t o aeproeriate m ~ n q--------_------------------.
emnt.
Processes f a r f a i l u r e points The processes 'selected and charted a r e analyzed f o r step1
having serious p o t e n t i a l conaeque which have serious f a i l u r e consequences.
ces of f a i l u r e
I--------------------&------------.
Monitoring checkpoints based on Monitoring checkpoints are established based on consequa

consequences of f a i l u r e ces of f a i l u r e .
----------------------------------------------------------<
Monitoring system Monitoring systcma sre designed aud estabushed using

s t a t e of t h e art technology regarding:
Sampling t o c h l o g y
Reduction ar?d normalization technology
Validation technology
Exhibit 15 - 2. THE SAFETY MONI(P0RING liC'NZIG!i
How Who Does

-- -----
I. Coordinate Monitcring &~gramwlth: Programs a r e cocrdinated'through l i a i s o n with other

( a ) Ctner z c r - i t ~ r i r r gcapability i n corporate groilpe:
ot'ner ccrporate groups. ( a ) Perfcrming mmitoring functions
(b) Technical experts. ( b ) Having special s k i l l s r e l a t e d t o state-of -the-&
monitoring technology.
( c ) Having general r e s p o n s i b i l i t y f o r management
information system
---------------- ---------------------------------------
Sample specified data a t the ,aonitor checkpoints.
J , . Observe System P e r f o m a x e
~ b s e n r e&her ccncwrent a c t i v i t i e s .
---------------I .................................... -------------------------------------------------------.--------------.
K. Interrogate Perso.me1 ir. geseral terms Input i s obtained from f i e l d personnel r e l a t i v e to:
Acute current safety problems
[ 3hronic safety prcblems
---------------
M. Validate
---------------
N. Report
Negative findings (unsafe conditions and s i t u a t i o n s )
[ Positive findings (system adequate and functioning
1
a s advert I sed)
--
0. Develop "Fix" recanmetidat tone
Exhibit 16
53Sa
Field Safety Engineer's Role
When the monitoring plan was being developed, the r o l e of the s a f e t y

engineer was of t h e greatest importance i n everyone's mind, but we could
not scale o r describe th function i n the way we could other monitoring
functions.
The judgements of the f i e l d engineer function a t t h a t time, and using
S 3 5 6 - ;bO
c r i t e r i a l i s t e d i n Chapter 37, were:
Desired Qualities Evaluation
Low cost High cost
Reliability F a i r l y good
Perceptivity Excellent
Process Audit Capability Moderate
Action Propensity Moderate
With proper counseling and assistance, it should be possible t o
increase r e l i a b i l i t y , process audit capability and action propensity.
A t tb same time, the f i e l d engineer function should be made scalable i n
various ways and i t s precise r o l e i n the o v e r a l l mission of assuring
corporate s a f e t y should be i d e n t i f i e d and measured.
The c r i t e r i a f o r
(I) i d e n t i f i c a t i o n of work, and
(2) evaluation on measurement
follow :
E x h i b i t 16 - 2.
A , Training a d Qualifications.
30 C o n s n l t a C i . w i t h line management to a s s i s t in developing a comprehensive,
effoctiv;' ~3ff3typrOQ?.73r .-
r
I C. Present I'rimnry Preventive Outputs
,
'
1. Seaxth out, general
2. Accidcnt Investigation and Review
3. ~ c c i d m t / ~ n c i d e nData
t Analysis (diagnostio)
i h. PeriocXc Inspctione
j 5. Approval of SMP1 s
I
1 D. Prouosed Preventive Outuuts
i I1 1. &sic Planned Audits (see note)

2. Somplin~Operations (scalable)
> !
: le AI-mud Reviews follow up --

!
i
2. Topical Roviens follow up as pertinent
3. woucz roports or referrals
w
Do Hx Schematic System Operations
Data (mrRates)
r~azardaDetected I
*
Short-term
I
Docmentatioa
Immediate or Schematics
Criteria
7
Safety +------] b-' line ~ ~ ~ n a g ~ m e n t*by management.

E, Other Functions
Design review
Procedure review
Training
a. Employee s a f e t y meeting packets
b. Supervisor s a f e t y program
c. F i r s t a i d t r a i n i n g
d. Campaigns
Role i n emergency planning.
Supervise p l a n t nurse,
Process M. V. operator applications.
Fire duties
Aid evaluation of medical r e s t r u c t i o n s .
I s s u e personal p r o t e c t i v e equipment,
Other assignments (specif Y).
Exhibit 16 - 3.
A. T r ~ d n i n q-
and Qualificztions. -
howledgc~required, t ~ importance c
Bocause of t h e tremendous range of detailed
o f h e l p and assistarice from supervision
and from expert specialists is emphasized, both for adequate s a f e t y coverage
and f o r j ~ r o f e s s i o n a lgronth* A personal growth program developed with
suaervisf on and carried out with field assistance of supervision seems
indicated.
B. Program development s k i l l w i l l depend on t h e supervision, t r a i n i n g and
a s s i s t a n c e provided by headquarters. For example, today only a few s a f e t y
personnel can design a comprehensive monitoring program. The c r i t e r i a a s
.
t o xhat c o n s t i t u t e s a "comprehensive, e f f e c t i v e s a f e t y program" a r e l e s s
than adequate
C.1. Search out. This is a most valuable function when a good engineer uses
h i s experience t o f e r r e t out hazards. The process, at i t s b e s t , h a s been
dexcribed as almost i n t u i t i v e . A s an adjunct of t h i s f u n c t i o n , t h e engineer
develops and maintains a catalogue o r inventory of h a ~ a r d su s e f u l i n planning
h i s work, and very u s e f u l a t any time of t r a n s i t i o n .
D.1. Basic Planned Audit. An a u d i t program should be developed with advice
and counsel of supervision t o cover agreed-upon topics.
a. Program Elements. A l o n g l i s t of t o p i c a l concerns such as chemicals,
personal p r o t e c t i v e equipment, l a d d e r s , e t c . For each of t h e s e , c r i t e r i a
on t h e scope and nature of an a u d i t should be e s t a b l i s h e d , p a r t i c u l a r l y
i n t h e i n i t i a l e f f o r t . Each engineer's plan would be tailor-made as t o
t o p i c s ard schedule t o f i t h i s area.
b. Organization Elements. A planned a u d i t of each organizational element
scaled t o t h e nature of t h e energy and work. I n a d d i t i o n t o t h e normal
search o u t , a s p e c i f i c purpose is t o d e t e c t an operation which i s
escaping t h e managerial c o n t r o l system (or
The purpose of t h i s basic program is t o provide t h e s a f e t y d i r e c t o r with
p o s i t i v e assurance t h a t , i n conjunction with other programs, a measurable
degree of c o n t r o l i s e s t a b l i s h e d corporate-wide.
The d i s p l a y f o r t h i s a u d i t d u t y would be along the following l i n e s :
Place or Unit
D.2. Samplbir:e Operatton3. No matter how small the time budget available for
sampling.. sono time s h u l d be allocated tot
a. Work sainpling i n hich hazard a r e a s
be Uncontxolled, random sampling of all operations or personnel.
Both of t h e s e should be designed t o produce e r r o r r a t e s and be defensible
fmm a sampling viewpoint. This program w i l l a l s o require t r a i n i n g and
a s s i s t a n c e i n i t s e a r l y stages.
Exhibit 16 - 4.
System Operations Data. A t l e a s t t h r e e programs should produce e r r o r r a t e
d a t a and other d a t a f o r trend analysis and system assessment.
-
Fixes. The schematic f o r f i x e s ard reporting should be made d e f i n i t e i n order
t o provide the engineer with a m i d e l i n e a s t o the action expected of him.
Management is, of course, responsible f o r a c t u a l f i x e s . Again, i n i n i t i a l
phases, t r a i n i n g a d assistance w i l l be required t o equip him t o u t i l i z e
f u n c t i o m l schematics, s t e p s a d c r i t e r i a i n t h e manner developed by the
operating divisions.
E. Other Functions. These are numerous and time consuming. Both the engineer
and s a f e t y management must know t h e approximate time d i s t r i b u t i o n between
these and the primary preventive detection and f i x work.
Establishment of C r i t e r i a
I n describing the abave schematic, some c r i t e r i a (comprehensive program ) have
been alluded to.
It now seems f e a s i b l e t o begin t o specify what c r i t e r i a might be applicable t o
t h e a u d i t function (see Figure IX-2 provided e a r l i e r ) . The a u d i t schematic
i n d i c a t e s t h a t t h e f i e l d s a f e t y engineer w i l l endeavor t o assure t h e d i r e c t o r
and linemanagement t h a t a s p e c i f i c organizational u n i t has an adequate system
and i s not f a i l i n g from four viewpoints.
The corporate system includes such strong f e a t u r e s a s independent review, etc.
Are they being applied?
The application of regulations, codes and standards, s a f e practices, and exper-
t i s e is the principal t h r u s t of t h e present work.
The r o l e of changes, performance o r technical troubles or problems, goal-budget-
schedule tightness, changes or trade-offs inimical t o szety, o r high energy i s
f o r c e f u l l y c l e a r i n t h e semi-scale heater accident and other accidents. The
f i e l d engineer may not be technically equipped t o analyze work close t o techno-
l o g i c a l boundaries, but properly trained and a s s i s t e d , he can detect t h e s i g n s
and s i g n a l s of impending trouble.
The program elements tk f i e l d engineer is t o monitor seem clear. Note t h a t two
inputs a r e shown from Safety headquarters. Note a l s o t h a t the somewhat nebulous
c h a r a c t e r i s t i c s of the important function of search-out (previously described a s
i n t u i t i v e ) a r e now beginn'hg t o be defined by the nature of the audit.
Services by Safety Headquarters

The schematic s e t s t h e stage, not just f o r planning and measurement of the
f i e l d engineer's work, but f o r measuremef~tof t h e s a f e t y headquarters service
r o l e . Take any s p e c i f i c aspect of the f i e l d engineer's work, or one i n which
he is weak, and list the assistance su-pervision recently provided.
Exhibit 17
. S a f e t y Program Improvement P r o - i e c t s
r l o n i t o r i n , ~S v s t e n s
1. General.
2. C r i t i c a l
f o r Supervisors
24. Logs, etc.
Reporting
AEC H e a d q u a r t e r s )
Improve Hazard A n a l v s i s P r o c e s s
10. S c a l i n g Xechanisms
11. C r i t e r i a f o r Procedure Development
12. Hazard A n a l y s i s P r o c e s s ( i n c l u d i n g Human F a c t o r s and Independent
Review)
13. J o b S a f e t y A n a l y s i s
14. S e l f - D i s c i p l i n e Method f o r S c i e n t i s t s s t a r t ?
26. S p e c i a l Hazard A n a l y s i s -
Handling Casks w i t h Cranes
R i s k Assessment Svstem
15. S a f e t y program Schematics ) Combined a s ( 1 ) F u n c t i o n a l Schematics,
16. S a f e t y Program ~ e s c r i p t i o n s ) ( 2 ) S t e p s , (3) C r i t e r i a , (4) Monitor
Points
25. S a f e t y Program Review
1 7 . R i s k P r o j e c t i o n Methods
18. R i s k E v a l u a t i o n Feedback t o S u p e r v i s i o n ( t r a n s f e r r e d t o M o n i t o r i n g )
19. Management R e p o r t s
a . ; P r i o r i t y Problem L i s t s
b. War Rooms
Mana~ement P r i n c i p l e s
20. P o l i c y R e v i s i o n
21. Goals
22. Breakthrough O r g a n i z a t i o n
23. I n n o v a t i o n D i f f u s i o n
27. Acceptance of P r o c e d u r a l i z e d Systems
28. E r r o r Reduction Philosophy and P r a c t i c e
29. S a f e t y System a s Management System.
Exhibit 18. Computer-Prepared Feedback
INJURY CONTROL CHRRTS-OTHERS

I 1972 - FEB :
1
References
Aerojet Nuclear. Managing by 0bjectives. 1971
- '
Policies and Procedures, Standard Practices (divisional) Detailed Opera-
ting Procedures.
Air Force. Team Approach to Motor Vehicle Collision Investigation. Scott Air
Force Base. 1967.
- Study Guide for Investigation of Aircraft Accidents. Military Airlift
M
-An Acceptable Individual Risk Criterion. Norton A .F . Base. 1968.
m e n , C. H. Effect of Management Attitude on Prevention and Control of
IBds?XtrialAccidents. 1965. Univ, of California, Los Angeles,
Allison, W. W. "Hi& Potential Accident Analysis ." ASSE Journal. July 1965.
Altman, James W. "Behavior and Accidents." Journal of Safety Research. Sep 1970,
American Institutes for Research. Experimental Study of Home Accident Behavior. 1965.
-
I
Performance of Nuclear Reactor Operators. 1968.
American Engineering Council. Safety Production. Harper & ROW, 1928.
American National Standards. Radiological Safety in Design and Operations of
Particle Accelerators. Dept. of Commerce. 199.
American National Standsrds Inst. Method of Recoding and Measuring Work
Injury Experience, ~6.1.
- Method of Recoding Basic Facts Relating to Nature and Occurrence of Work
Injuries, 216.2.
American Society of Safety Engineers. "Scope and Functions of the Professional
Safety Position." ASSE Journal. Dec. 1966.
- "search I:' ASSE Journal, Jan. through June 1970,
------Selected Bibliography of Reference Materials in Safety Engineering. 1967.
Ammons, C. H. Laboratory Study of Accidents. Montana State Univ. 1957.
hello, C. On Maximum-Likelihood Estimation of Failure Probabilities in Pres-
ence of Competing Risks. Research Analysis Corp. I%&-
Armed Services Explosives Safety Board. E2cplosives ~ccident/IncidentAbstracts.
Atomic Energy Commission. Electrical Safety Guides for Research. 1967.
-
-Quali
"Operational Safety Standards." At-c
- .
ty-Assurance Program Requirements 1969.
-
Energy Cmmission Manual.
- Safety Guidelines for High Energy Accelerator Facilities. 1967.
-
Attaway, C. D. "Safety Performance Indicator Fills Management Need." ASSE
Journal. Mar 1969.
Bennett, Arthur & Schoeters, Tec. Financial Times. London, Jan.2, 1973..
Berelson, Bernard and Steiner, Gary A. Human Behavior,fnventory of Scientific
Findinas. Harcourt, Brace and World. 1964.
Bird, Frank 5. & ~ernain, .~eorgeL. Damage Control. American Management ~ s s~966.
n
Bird, Frank E. & Schlesinger, Lawrence E. "Safe Behavior Reinforcement,"
ASSE Journal. ~une-1970,
Bracey, H. J. "Investigation into Effectiveness of Safety Directors as Influ-
enced by Selected Variables." Dissertation Abstracts Inti. Jan 1970.
Bradley,.Joseph H. We Are Reporting Ground not Investiga-
ting Tbem. USC. Inst of Aerospace. 1967.
Braunstein, Myron L.& Coleman, Ore1 F. "Information-Processing Model of Air-
craft Accident Investigator." Journal, Human Factors Society. ~ e .bl967.
Brenner, Robert & Mathewson, J.H. "Principle of Accident Effect Reporting."
ASSE Journal. Jan 1963
British Chemical Industry Safety Council. Safe and Sound. Summary National
Safety News. N w 1969.
Brody, Leon. Human Factors Research in Occupational Accident Prevention.
ASSE & Enter for Safety Education, New York Univ.
References, PaRe 2.
Browning, R. L. "Analyzing I n d u s t r i a l Risks. " Chemical Engineering. 0ct. 20,1969
-
- "Calculating Loss Exposures. " Nov. 17, 1969.
"EstimatLng Loss Probabilities. " Dec. 15, 1969
"Finding t h e C r i t i c a l Path t o Loss. " an .26,1970.
Canale, S. "System Safety Measurement and Control. " Annals of R e l i a b i l i t y and
Maintainability. July 1966.
Caro, Francis G. "Approaches t o Evaluative Research: A Review." Human Organi-
zation. Summer 1969.
Carter, Eugene E. "What a r e the Risks i n Risk Analysis ." Harvard Business
Review. July-Aug 1972.
Catlin, R. J. Radiation Accident Experience - Causes and Lessons Learned. AEC.5/69.
Chapanis, Alphonse. "The Error-Provocative Situation." Symposium on Measure-
ment of Safety Performance. NSC. 1970.
Christensen, Julien. "Overview of Human Factors Consideration i n Design."
National Saf e t Congress. ~ 1972.
Churchman, C. West. "Suggestive, Predictive, Decisive and Systemic Measure-
. .
ment s " Symposium NSC 1970. .
Committee on Safety & Health at Work. Report t o Parliament. Her Majesty's
Stationery Off ice. 1972
Crawford, Paul L. "Psychological Aspects of Accidents." Safety. Autumn 1965.
Currie, Robert. "Human Factors Engineering i s Optimizing Safety and System
Effectiveness." National Safety News. Aug. 1968.
- System Safety and I n d u s t r i a l Management. NSC. 1968.
Davis, D. R. "Human Errors and Transport Accidents." Ergonomics. Nov 1958.
Diekemper, Roman F. & Spartz, Donald A. "Quantitative and Qualitative Measure-
ment of I n d u s t r i a l Safety Activities." ASSE Journal. Dec 1970.
Driessen, Gerald J. Cause Tree Analysis: Measuring How Accidents Happen and
P r o b a b i l i t i e s of Their Causes. American Psychological Assoc. 1970.
Drucker, Peter F. The Practice of Manament. Harper & Row. 1964.
Dukes-Dubos, Francis N, M.D. "The Place of Ergonomics i n Science and Industry."
ASSE Journal. Oct. 1972. (Originally i n AIHA Journal)
Edwards, W., Lirximan, H,, P h i l l i p s , L.D. "Emerging Technologies f o r Making
Decisions." New Directions i n Psychology 11, Holt, Rinehart & Winston.1965.
Ericson, D . System Safety Analytical Technology - .
Fault !Tree Analysf s Boeing .l97O.
Farish, Preston T. System Safety C r i t e r i a f o r Use i n Preparation or Review of
Procedures. Marshall Space F l i g h t Center. 1967.
-
Farmer, F. R. S i t i n g C r i t e r i a New Approach. United Kingdom Atomic Energy Aut
9967
Fine, William T. "Mathematical Evaluations f o r Controlling Hazards." Journal
of Safety Research. 1971
Flanagan, John C. Psychological Bulletin. Psychological Assoc. July 1954.
Foundation f o r Research i n Human Behavior. The Obstinate Audience. 1965.
Garden, Nelson B. & Dailey, Carroll. High-Level S p i l l a t the Hilac. Univ. of
\ Calif. Lawrence Radiation Laboratom. 1959.
Garrick, B .J. Effect of Human Error and s t a t i c - component Failure on Engineered
System Safety R e l i a b i l i t y . Holmes and Narver. 1967.
Gates, Marvin & Scarpa,
-- Amerigo. "Risk Optimization." ASSE Journal. J u l y 1970.
Gausch, John P. "Safety and Decision-Making Tables. " ASSE Journal. Nov. 1972.
- "Loss Control -- and the Orenized Safety Effort." National Safety News.Oct.1972
General 'Services Administration. Building F i r e Safety C r i t e r i a . 1 9 ' p .
Gibson, James J. "Contribution of Experimental Psychology t o Formulation of Prob-
iem of Safety ."Behavioral proac aches t o Accident Research. Assn f o r
the Aid of Crippled Children. 1961.
Goode, H. P. "New Evaluation of Accident Frequency Figures ."
Natl .Safety News Jan. 1949.
References. p-.
Greenberg, Leo. "Planning and Organizing a Graduate Program i n Occupational
'Safety and Health. " ASSE Journal. October 1972.
- "Analyzing Work Injury Data with an Electronic Digital Computer."
- -
ASSE ~ o u r n a l . D&. 1972.
Greene, Kurt & Cinibulk, Walter. Quantitative Safety Analysis. &RC (Silver
Spring, ~ d . ) 1971.
Grieve, G. G. "Finding the Facts," National Safety News. July 1943.
.
Grimaldi , John V "Management and I n d u s t r i a l Achievement. " ASSE Journal. Nov 1965 .
Gumbel, Emil J. " S t a t i s t i c a l Theory of Extreme Values and Some P r a c t i c a l Applica-
tions ."Natl.Bureau of Standards Applied Mathematics Series. 1954.
.
Haddon, William Jr I' T h e P r e v e n t i o n i c i n e L i t t l e , .
Brown.
Hammer, Willie:9%iiy System Safety Program Can Fail."ment-Industqy ,
System Safety Conference. NASA. May 1971.
Hannaford, Earle S. "New Concept of Job Safety Analysis Includes Worker and
.
Supervisor " National Safety News. Nov 1965.
Hayes, Daniel F. "Reflections on System Safety and the Law." Government-Indus-
t r y Safety Conference. NASA. 1971.
Heinrich, H. W. I n d u s t r i a l Accident Prevention. McGraw-Hill. 1959.
Hernandez, H. Paul. Safety Guidelines f o r Accelerators. Lawrence Radiatn Lab. 1969.
Herzberg, Frederick. "One More Time: How t o Motivate Employees." Harvard
Busine s s Review. Jan-Fe b 1968.
Hixenbaugh, A. F. Fault Tree f o r Safety. Boeing. 1968.
Hughes, Charles L. "Safety ~otivation." National Safety Congress Trans. 1969.
Insurance I n s t i t u t e f o r Highway Safety. Driver Behavior. 1968:
Johnson, W. G. a f f e c t s of changed Time Exponential. NSC. 1967.
- New Approaches t o I n d u s t r i a l Safety. I n d u s t r i a l & Commercial Techniques
(London) 1970.
- "Overview of Accident Prevention." Journal of I n d u s t r i a l Medicine. 1962.
- .
"Park Management f o r Safety " Management Planning Conference. National
- Park Service. 1967.

Product Safety. I n d u s t r i a l & Commercial Techniques. 1970.
-"Safety and Accident Investigation." Federal Regulation of Product and
I n d u s t r i a l Safety. Federal Bar Association. 1967.
-"Report on ~ e d e r a lSafety Competition ."~ a to in k Safety News. Aug 1964.
- '
with Ashworth, Ray, Economos, James, Kreml, Franklin M. and Stewart,

'
George C. Time f o r Decision. Amr.Bar Assn, NSC, Northwestern U. 1957.

-"Super Secret and Super Safe. " National Safety News. Oct .l945 ,Feb,& June 19G,
Jones, D. F. Human Factors -
Occupational Safety. Ontario Dept of Labor. 1970.
Journal of American Insurance. A Brief History of Standards. Nov-Dec 1969.
.
Juran, J M. Managerial Breakthrough. McGraw H i l l . 1964.
Kanda, K. The Expansion of the System Safety Analysis i n the Realm of Proba-
b i l i t y . Boeing. 1967.
Kepner, Charles H. & Tregoe, Benjamin B. The Rational Manager. McGraw H i l l . 1965.
Kling, Alan L. "Meeting t h e Challenge of Emergency Planning." Natl Safety News Novt67
Kogan, Nathan & Walloch, Michael A. "Risk Taking a s a Function
tion, the Person and the Group." New Directions i n Psychology, 111.
Holt, Rinehart and Winston, 1967.
- Krikorian, M, See Search I. ASSE

Lateiner, Alfred Management and Controlling Employee Performance Lateiner 1969.
Levens, Ernest. "Hazard Recognition." National Safety Congress Trans. 1969.
. .
-"Processes, Search I."ASSE
L e v i t t , Theodore. "Production-line Approach t o Service." Harvard Business Review,
Sep-Oct 1972.
References, page 4.
Littauer, S. B. "Analytical and Mathematical Studies of Accident Causation."

T r a f f i c Safety. June 1957.
Livingston, William L. How Economics Guide Applied Research on F i r e Protection
Systems. Factory Mutual Research. 1967.
~undbe-The .
Allott~nt-of-Probability-Share Aeronautical Research I n s t .
of Sweden. 1966.
Mackenzie, E. Duncan. "On Stage - f o r System Safety." ASSE Journal. Oct 1968.
Mathewson, J .B. & Brenner, R. "Analysis of Accident SS ~-SE ~ o u r n a 1 . A 1956
~~.
McFarland, Ross A. "Application of Human Factors Engineering t o Safety Engi-
neering Problems." National Safety Congress Transactions. 1967.
- "Human Factors Engineering. " ASSE Journal. Feb 1964.
,
McGlade Francis. "Psychology i n Safety Management ."
ASSE Journal. Nov 1967.
McIntyre, G.B. e t a l . A Technique f o r Acquisition, Storage, and Retrieval of
System Safety Information (Air Force FWDS System). Martin-Marietta. 1970.
McKie, Ronald. The Company of Animals. Brace and World. 1966.
Miller, C. 0. Aerospace Safety, Selected References. I n s t . of Aerospace Safety
and Management, USC. June 1968.
- "Hazard Analysis and Identification i n System Safety Engineering." UME/AIAA/
SAE. R e l i a b i l i t y and Maintainability Conference. 1968.
- "The Safety " Information Challenm .
- " ASSE Journal. Seu - 1966.
-
Montgomery, L. C. System Safety Information Ecchange. J e t Propulsion Laboratory.
. -
Moser. W. C "Whv S a f e t s i n an I n d u s t r i a l Organization." -
National S a f e t s Conmess
.
' ~ r a n s a c t i o n s 1964.
National Academy of Engineering. Public Safety: A Growing actor i n Modern Desim.
National Aeronautics and Space Administration. Government-Industry s a f e t y Conf 19-71. .
-System Safety. NASA Safety Manual, Volume 3 . 1970.
National F i r e Protection Assn. General Management Responsibilities f o r Effects
of F-lre on Operations.
National Safety Council. Accident Facts. 1977.
- ~ c c i d e nPrevention
t Manual f o r 1ndus trial
Operations. 1969.
"Has Safety Progress Ended?" National Safety News. Oct. 1969.
-Fundamentals of I n d u s t r i a l Hygiene. 1971.
-Motor F l e e t Safety Manual. 1970.
-Report on S t a t e of the Art of Community Support and Models. 1968.
-"Safety Performance Measurement i n Industry." Journal of Safety Research.
- 1970.
-Seu - ( f u l l r e p o r t of Symposium p a r t i a l l y covered i n Appendix M)
~ u ~ e r v i s o sr a~f e
s t y Manual. l$7.
National ~ a f e - t y d e l i n e For Lockouts and Tags. Nov 1970.
Davenport, T. R e) .
Sept 1972 .
"Slip Study ~ u ~ ~ e z o l u t i o and
n s ""Outdoor F a l l s " (the l a t t e r by
National Technical Safety Information Center. Progress Report. 1969.

National Transportation Safety Board. Special Study of Risk Concepts i n Danger-
-
--
& -
ous Goods Transnortation Remlations. 1971- <.
Pipeline Accident Report, P h i l l i p s Pipe Line Company Propane Gas Explosion.1971.
-A Systematic Approach t o Pipeline Safety. 1972.
-Waterloo, Nebraska School Bus Train Accident. Sep 1968. This and many
other reports, p a r t i c u l a r l y i n occupational-related areas such a s r a i l -
roads and pipelines are quite valuable. A safety professional should ha
a sample of such reports, and probably should be on the l i s t f o r future.
Nertney, R. J. Effectiveness of Project Engineering Performance a t MTR, A
C r i t i c a l Incident Study. Idaho Nuclear. 1965.
- Field Evaluation and Control of Personnel Behavior. P h i l l i p s Petroleum.
-----Guidelines f o r Analysis of Step-by-step Procedures. Idaho Mzclear. 1967
-S h i f t Crew Performance Evaluation a t Nuclear Test Reactors. AEC. 1965.
..erences, page 5.
-elson, Dan S. The ~ause/~onsequence Diagram Method a s a Basis f o r Quantitative
Accident Analysis. Danish Atomic Energy Commission. May 1971.
O'Shell, H.E. & B i d , F.E. "Incident Recall." National Safety News. Oct 1969.
Patterson, D. E. and DeFatta, V. P. A Summary of Incidents Involving USAEC -
Shipments of Radioactive Materials, 1957-61. AEC. Kv. 1962.
Pearson, Marion W. "Pareto's Law and ~ d . e r nInjury Control." Journal of Safety
Research. June 1969.
Peters, George A. "Product Liability." Machine Design. Mar 28, 1968.
- "Human Error: Analysis and Control." ASSE Journal. Jan 1966.
Petersen, Daniel. "Accauntability
- - An O v e r l o o k e d ~ ~ ~Journal
Techniques of Safety Management. McGraw-Hill. 1971
SE Feb 1969
P h i l l i p s , C. Briggs. Causal Factors i n Microbiological Laboratory ~ c c i d e n t s

and Infections. U.S.Army. 1965.
Pinkel, I. Irving. 7 ' ~ a t aRequirements Analysis i n Support of System Safety."
~ o v e r k n t - I n d u s t r ySafety Conference. 1971
Planek, Thomas. "Developmental Problems i n Safety Research. " National Safety
Congress Transactions. 1969,
-
- e t a l . " I n d u s t r i a l Safety Study. 'I National Safety News. Aug 1967.
i n S t a t e of the A r t Community Support and Models. NSC. Mar.1968.
- .
Pope, W.C " ~ o m p u t e r ~ ~ aNews.f Maey 1970.
& Cresswell, T. J. "New Approach t o Safety Programs Management." ASSE
t
-
~
Journal. Aug 1965.

- ?
. .
Nicolae, E. R. Safety Aids Decision-Making Dept of I n t e r i o r . 1968.
Ramussen, Jens. Man-Machine Communication i n the Light of Accident Records.
Danish Atomic Energy Commission, July - 1969.
-
Recht, J. L. "System s a f e i y Analysis," National Safety News, Dec. 1965.
Reynolds, P. W. "What Managers Need. " I n d u s t r i a l Protection o on don )
Rigby, Lynn V. Nature of Error. Sandia. 1970 (previously by &er.Soc.for Quality
. Jan. 1970.
Control )
Rockwell, T. H.-~=es-ch Needs i n Occupational Safety. ASSE Journal. Jan 1963.
- "Safety Performance Measurement." Journal, I n d u s t r i a l Engineering. Jan-Feb 19.59.
- & Bunner, L. R."Information Seeking i n Risk Acceptance. ASSE Journal Feb 1968.
.
Roethlesberger, F. J Man-In-Organization. Harvard. 1968.
Rook, L. W. Reduction of Human h r i n I n d u s t r i a l Production. Sandia Lab. June 1962
Sandia Laboratories. Description of Human Factors Reports. Nov. 1972.*
- Recommended Safety Guides f o r I n d u s t r i a l Laboratories and Shops
-
Santos, Frank "Chemical Industry What i s i t s Future?" National Safety News Aug 1967.
Satterwhite, H. G. & LaJ?orge, R. M. "A Comparison of Thr-safety
.
Performance 'I ASSE Journal. Mar 1.966.
Schroeder,H. M. "Safety Performance Measuremnt ." .
Symposium. NSC 1970.
Schulzinger, M. S. M.D. The Accident Syndrome. Thomas. 1956.
Seiler, J.A. Systems Analysis i n Organizational Behavior. Irwin. 1967.
Simonds, R. H. & Grimaldi, J. V. Safety Management. Irwin. 1963.
.
Smith, L. C "Ingredients of an Organized Training Program. " National Safety
-
News. Jan 1967.
Stanford Research I n s t i t u t e . General Framework f o r Analysis of Costs of Waf-
f i c , Home and Public Accidents. 1964.
.
S t a r r , Chauncey .
"Social Benefit vs Technological Risk." Science. Sep. 19,1969.
Stein, R . J . & Cochran, J.L. Method f o r Hazards Identification. NASA 1967.
Suchman, E.A. & Munoz, R.A. "Accident Occurence and Control Among Sugar-Cane
Workers. " Journal, Occupational Medicine. Auge1967.
Surry, J, I n d u s t r i a l Accident Research
Toronto Univ. 1968.
-A Human Engineering Appraisal.
Swain, Alan D. Design Techniques f o r Improving Human Performance. I n d u s t r i a l

and Commercial Techniques (London). 1972.
.
References ~ag!&..
Swain, Alan D. Development of a Human Error Rate Data Bank. Sandia. 1970.
(Freviously by Department of the Navy
- Human Element i n System Development. 'Sandia. 1970. ( ~ r e v i o u s l yby
I n s t i t u t e of E l e c t r i c a l and Electronic ~ n g i n e e r s )
- Safety as a Design Feature i n Systems. ~ a n d i a . 1965.
Work Situation Approach t o Improving Job Safety. Sandia. 1969. ( b e v i -
OUSIY by ASSE)
Tarrants, W. E. "Application of I n f e r e n t i a l S t a t i s t i c s t o t h e Appraisal of
Safety Performance. " ASSE Journal. Mar 1967.
- "Applying Measurement Concepts t o t h e Appraisal of Safety Performance."
- -
- ASSE Journal. May 1965.

"Role of Human Factors Engineering i n Control of I n d u s t r i a l Accidents."
As23 Journal. Feb 1963.
- "Management of Accident Control. " ASSE Journal. Feb. 1972.
Thune, H. P. "How t o Investigate Accidents ."
I n d u s t r i a l S u p r v i s o r . 1969.
Thurston, P h i l l i p H. "The Concept of a Production System." Harvard Bus.Review
Turner, B. T. Management of Design. I n d u s t r i a l & Conrmerical Techniques. 1968.
U. S. S t e e l . Safety Program. 1964.
Vesely, W. E. "Fault Tree Applications within the Safety Program of Idaho
Nuclear Corporation." Government-Industry Safety Conference. NASA 1971.
Vilardo, Frank "Human Factors Engineering." National Safety News. Aug 1968.
Walton, Richard E. "How t o Counter Alienation i n t h e Plant." Harvard Business
Review. Nov-Dec.1972.
Weiner Associates. An Evaluation of Some Self-Regulatory Standards with
Respect t o Consumer Product Safety.
Wiest, Jerome D. "Hueristic Programs i n Decision Making." Harvard Bus.Rev.Sep-Oc 1966.
Wilson, C. E. "Making a Performance Audit." National Safety Congress Trans. 1969.
Windsor, Donald G. "A Survey Team's Evaluation." National Safety Congress
Transactions. 1969.
Wood, Robert C. i n Governing Urban Society. Academy of P o l i t i c a l and Social
.
Sciences 1967.
References on Change Phenomena -.
( ~ e f e r e n c e st o Juran on control of unwanted change and achievement of wanted

change, Kepner-Tregoe, Berelson and Steiner, and t h e author, are i n the gen-
e r a l l i s t of references because they r e l a t e d i r e c t l y t o safety. Adaptation
t o change and innovation i s included iniChapter 35 , "Motivation, Participa-
t i o n and Acceptance" and references therein a r e a l s o i n t h e general reference
list. )
Henry Adams. Education of Henry Adams. Houghton Mifflin, 1918.
Robert Ardrey. The T e r r i t o r i a l Imperative. Atheneum, New York, 1966.
H. G. Barnett. Innovation: t h e Basis of Cultural Change. McGraw-Hill, 1953.
Edward Bellamy. Looking Backward: 2000-1887. Dolphin Paperback, 1951.
Peter F. Drucker. Landmarks of Tomorrow. Harper & Row, 1959.
-
Enterprise Publications. Adjusting t o Change Ground Rule f o r Successful
Living. Chicago. 1963. An employee d i s t r i b u t i o n publication.
Fabun, Don. The Dynamics of Change. Prentice-Hall, 1967. This has an
excellent bibliography on the phenomena of change.
Fabun, Don. Dimensions of Change. Glencoe Press, 1971.
Fortune. The Changing American Market. Hanover House, 1955.
Fortune. U.S.A. The Permanent Revolution. Prentice-Hall, 1951.
John K. Galbraith. The Affluent Society. Mentor Book, 1958.

Carl
Olaf
.
E Gregory. ~azageuientof Intelligence. McGraw-Hill, 1967.
Helmer and Ted Gordon. Social Technology. Basic Books, 1967.
Eric Hoffer. The Ordeal of Change. Harper & Row, 1963,
Eric Hoffer. The True Believer. Harper & Bros., 1951.
Aldous Huxley. Brave New World Revisited. Harper & Bros., 1958.
Herman Kahn and Anthonlv J. Wiener. The Year - 2000: A Framework
- -- f o- r S ~ e c u l a -
-
Z - -
t i o n on the Next Thirty-three years. ~ a c m i G a n ,1967.

Konrad Z. Lorenz. King Solomon's Ring. Apollo Editions, 1952.
Marshall McLuhan. Understanding Media. McGraw-Hill.
.
Emmanuel G. Mesthene How ~ e c h n o l o ~Wyi l l Shape t h e Future. Processed paper,
Harvard University, September 1967.
Lewis Mumford. The Story of Utopias. Compass Books, 1962.

Gunnar Mvrdal. Beyond the Welfare S t & e .
Yale. 1960.
Claire k s s e l l and"^.^- Behavior: L i t t l e , Brown & Co., 1961.
Richard R. Salzrnan. The Impact of ~ m h t e of America, 1964.
c Institu
.
Donald A. Schon Technology and Change. Seymour Lawrence Book, 1967.
William L. Thomas, Jr. Man's Role i n Changing the Face of t h e Earth. Univer-
s i t s of Chicago Press, 1956.
..
? --
Alvin ~ o f f l e r The Fut.we a s a Way of Life. Horizon. Summer.. 1964. *
Alvin Tof f l e r Future Shock. ~ a n i o mHouse, 1970.

Arnold J. Toynbee. A Study of History. Oxford University Press, 1947.
h o l d J. Toynbee. C i v i l i z a t i o n on T r i a l . Oxford University Press, 1948.
U. S. Cabinet Secretaries. Communities of Tomorrow Conference. December, 1967.

Norbert Wiener. Cybernetics. John Wiley & Sons, Inc., 1948.
Norbert Wiener. The Human Use of Human Beings. Doubleday & Co , 1954. .
Robert C. Wood i n Governing Urban Society: New S c i e n t i f i c Approaches. The
American Academ~yof P o l i t i c a l and Social Sciences, May, 1967.
REFERENCES ON HUMAN FACTORS ENGINEERING
An Index of Electronic Equipment O o e r a t i l i t y valuation ~ o o k l e)t,

P i t t s b u r g h , Penn: American I n s t i t u t e s f o r Research.
An Index of Electronic Equipment Operability (Report of Develo~ment),

An Index of Electronic Equipment Operability ( ~ a t sa t o r e ) ,

An Index of Electronic Eauipment Operability ( ~ n s t r u c t i o nManual ) ,

Mil-STD 1412, Human Factors Design C r i t e r i a f o r M i l i t a r y Systems

Equipment and F a c i l i t i e s .
Bennet, E.; Degan, J.; & Spiegel, J. ( ~ d s . ) ,Human Factors i n Technology,

New York: McGraw-Hill, 1963.
.
Chapanis, A. ; Garner, W. R. ; & Morgan, C T. , Applied Experimental
Psycholorn , New York: John Wiley and Sons, Inc , 1947. .
DeGreen, K. (Ed.), Systems Psycholow, New York: McGraw-Hill, 1970.
Damon, A.; Stoudt, H. W.; & McFarland, R . A., The Human Body i n Equipment
Design, Cambridge, Mass. : Harvard University Press , 1966.
F i t t s , P. M., Engineering psychology and equipment design, Chap. 35 i n

S. S. Stevens ( ~ d)., Handbook of Ekperimental P s y c h o l o a , New York :
John Wiley and Sons, I n c . , 1951.
Fogel, L. J . , Biotechnolo : Concepts and Applications, New York:

Prentice
.
Gagne , R M. (Ed. ) , Psycholoaical P r i n c i p l e s i n System Development , ~ e w
York: Holt, Rinehart, & Winston, 1962.
Gagne, R. M.; E. A. Fleishman, P s y c h o l o ~ yand Human Performance, New York:

Holt , Rinehart , & Winston, 1959.
Harris, D. H.; Chaney, F. B., Human Factors i n Q u a l i t y Assurance,

New York : John Wiley and Sons, Inc , 1969. .
Howel, W. C.; and Goldstein, I. L., E n ~ i n e e r i nPsychology,
~ New York:
Appleton-Century Crofts, 1971.
Lindson, P. H.; and Norman, D. A . , Human Information Processinq: &

~ n t i o d u tion
c t o Psychology, New York : Academic P r e s s , 1972.
McCormick, E. J. , Human Factors Engineering, 3rd Edition, New York:

McGraw-Hill, 1970.
McFarland, R. E . , Human Factors i n Air Transport Desian,New York:

McGraw-Hill, 1946.
Meister, D., Human Factors: Theory and P r a c t i c e , New York: Wiley-
I n t e r s c i e n c e , 1971.
Meister, D; & Rabideau, G. F., Human Factors Evaluation i n System

Development, New York: Wiley, 1965.
Morgan, C. T. ; Cook, J. S. ; Chapanis, A . ; & Lund, M. W., Human

E n ~ i n e e r i nGuide
~ t o Equiment Design, New York : McGraw-Hill , 1963.
Murrel, K. F. H., Ruman Performance i n Industry, New York: Reinhold
Publishing Co., 1965.
Parsons, H. M., Man-Machine System Experiments, Baltimore, Md. : The

Johns Hopkins University P r e s s , 1972.
.
Singleton, W. T. ; Easterby , R. S. ; & Whitfield, D ( E d s ) , The Human .
Operator i n Complex Systems, London, England : Taylor & Francis Ltd. ,
1969
-
Singleton, W. T.; Fox, J. G . ; & Whitfield, D. ( ~ d s . ) , Measurement of Man
at work: An Appraisal of P h y s i o l o ~ i c a land Psycho1og;ical C r i t e r i a i n
Man-Machine Systems, London, England: Taylor & Francis Ltd., 1971.
Stok, T. L., The Worker and Q u a l i t y Control: Bureau of I n d u s t r i a l

Relations, University of Michigan, 1965.
'Swain, A. D., D e s i m Techniques f o r Improving Human Performance i n

Production: I n d u s t r i a l and Commercial Techniques Ltd., 30-32 F l e e t
S t r e e t , London E. C. 4, January 1972.
Woodson, W. E.; & Conover, D. W., Human Engineering Guide f o r Equipment

2nd E d i t i o n , Berkely, C a l i f . : University of C a l i f o r n i a P r e s s ,
-
INDEX
The underlined references below index the principal discussions of a topic.
The parenthetical references index the MORT diagrams and outline. Note t h a t
t h e MORT diagrams (pages 149-156) and the f o u r t h genera%ion MORT l i s t ages
159-163) a r e a l s o indexed t o the pertinent text.
Acceptance 337, Appendix I Employee r e l a ti om 181
Accident 25-26, 140, (149, 162 )
Accident Rates
(see Incidence analysis)
Enforcement [156 ) ,
Environment
4
Energy 31-36, 141, (149, 153, 161-2)
153, 161 , &

Accountability (150 ,l59), 198 Environmental Chamber case 135,
AEC i, 8, (160), 412, 422, numerous Appendix A2
others Environmental Impact (160), 259, Appen-
Aerojet ii, 10, 14, 118, Exhibits dix E
1-18, numerous others Error 27, 49-57, 117, 123, (154-5,
Alternatives 90, (151, 160), 186, 160) 250, 273-280, 331, 357
-
208, 219, Appendix B
Amelioration 14.0, (149, 1 5 2 , l 3,162)
tolerance l i m i t s 52 .
g('-Ui -4' 3 ~ 4 3 ~
Failure-Mode & Effect 216, 250
Analysis methods (lb9-lX,l60q, 188 Fault Tree 143, 250-53
248-2 59, 380
Arrangement (153, 161) 269
Audit 212-3, 361, a, (also see Monitoring ?-
Feedback 113, (1501, 1 8 , 299, 337
F i r e 41, (152), Exhibits 10-11

Barriers 33-36, 141, (149, 152-3, Fix Controls (160), 343
161-21, 218, 268 Goals 4, 113, (149, 1591, 206, 237
Breakthrough 119, 208
Budgets (150, 155, 1591, 189 Hazard 28, 93, 253
Hazard analysis process 5, 105, 114,
Catastrophe 206, 229, 343, 250 (149, 151, 160, 1621, 223-289
Change 27 9 - 7 2 , 114, 121, (150-1, Hazard i d e n t i f i c a t i o n 98,
155, 161J, 211, 233, 253, 262, Health (160), 222
270, 385 HE Press case Apperdix A3
Cause Analysis 137, (1501, 398, 401
Codes (see standards)
High potential (150 211, 233
Hilac case 135, Appendix A 1
-
Conceptual phase (151, 153, 160), Human Fact or s Engtneering (153-4, 161)
237-26 5 273-280
Configuration control (162), 270,
Exhibit 3 Incidence analy s i s 415-434
Consequences 219 Incident 2,140, (149, 162)
Construction 18 Incident Recall (see C r i t i c a l ~ n c i d e n t s )
Control 118, 208 Independent Review (151, 153, 1621, 282-
Exhibit 1 8
a,
c o n t r o l s T 5 3 , 161), 362, 289, Exhibits 5-11
Information systems 114, (149, 150, 159,
Costs 176, 232 (also see Investment) 160), 262, 343-402
,&.I
C r i t e r i a (150, 159, 160) 207, Innovation Diffusion (1561, 338, Appen-
220, 238 dix H
CriticaJ. incidents 116, (150, 155, Inspection (149, 1%.19, 161, 163).
1601, 187, 233, 262, 361, 269,,2.13 Exhibit 12
Appendix D, Exhibit 13 Investigation (150, l 5 9 ) , 375-89,
Append i x J
~nvestment /Benef it/value/'Rweat 256-8
Job Instruction Training 301
Job Safety Analysis (1551, 301, 317,
321, 333
Key word index 116, 400
Known precedent (150, 1591, 343
Efficiency 107-110, 122 Lawrence ii, 62, 135, 228 and others
Emergencies 140, (152, 155, 161), Life cycle 98, 148, (151, 160), 225,263
270, 306 Line r e s p o n s i b i l i t y (150,1591, 190
,
Index. page 2.
Logs (15.5)~ 304 R e l i a b i l i t y 263, 281-2: Exhibit 4
Rescue (152)
Maintenance (149, 151, 19, 161, Research 97, (150, 159)
1631, 250, 269, Research Work 1 8 , 19
Management needs 205 Review (see Hazard Analysis Process,
systems 114-130, 139, (149, Independent ~ e v i e w )
1-59), 173-221; 199 Risk 28, 33, 46, 85-91, 114, (149,
r o l e , 96, 175-184
1601, 237
Management Oversight and Risk r e s i d u a l , 91, 99, 139, 220
Tree 6, 12, 21, 133-171, 383 Risk Assessment System 90, (149, 159,
Matrix 37-47, 420 1 6 0 ) ~205-2219 346, 4.21
Measurement 129, 415-434,
Appendix K S a f e t y Precedence Sequence 98, (160) 225
Medical s e r v i c e 140, (152 ) ,373 S a f e t y Program review 131, (150,1621,
Method v s Content 103-106 211, 371, 4-45-456
Monitoring 5, 99 114, (150-1, Sandia ii, 275, 318, 421, and o t h e r s
153, 155, 160-11, 343, 51,
395, S m l i n g 5, 44, (151, 1601, 238-248,
446, E x h i b i t 15 Exhibit 2
MORT, examples Appendix A Schematics 193-5, 304, 369, 44.6, Exh.14
Motivation (151, 156, 1611, x- S e l e c t i o n , personnel (151, 156, 161) ,325
34-2, Appendix G Sequences
Motbr v e h i c l e 19
National S a f e t y Council ii, 7, staff (150, 1591, 192
81, 110, 422, o t h e r s S t a f f , s a f e t y 96, (150, 1621, 4-45-456,
National Aeronautics & Space Adm E x h i b i t 16
11, 225-6, 239-41, 412 Standards (150, 159, 1-60), 260, 262,281,
National Transportation Saf et y Suggestion systems (155)
Bead 11, 80, 83, 217 , 231 Supervision 96, (149, 13, 155, 161, 1653)
O p e r a b i l i t y (151, 1611, &
Organization, s a f e t y 193 systems-14, 75, 111-130, Appendix B,
OSHA 6 , (160), 178-180, 260 Exhibit 1
P a r t i c i p a t i o n 114, Apperdix G System S a f e t y 3, 95-102, 225-232
Peers (i50), Tasks (154,
1
7
Performance 10 -110, 114, l 2 7 , m
Personal c o n f l i c t 156). 338
p o l i c y 113, (149, 1591, 175-184,
Test (151. 153,
Training (150-1,
P r a c t i c a l i t y 15, 182
300, 327
T r a n s f e r s (15-5)~ 303
Pre-Job Analysis (155)~ 293 T r a n s i t i o n 23, 102, 170, 457-61, Exh.17
P r i o r i t v Problem L i s t s (150, 1601, Transportation 19, 230, 250
234, b35-9 Triggers (149, 1-50),
P r o b a b i l i t i e s 4, 210, 216, 218
Procedures 127, (151, 153, 154, Unsafe Acts and Conditions 27, 56, (155),
161), a,
Appendix F
315-3249 408, -
404
Upstream processes 113, (1601, 367
Program, s a f e t y 202,
Values 175, 207
measurement, (149, 150, 162) 159), 2QQ
Vigor (150, 156,
P r o j e c t i o n s 415-434
Public p r o t e c t i o n 18,O , Warnings (153)~ 268
Welfare 175
Q u a l i t y assurance 281-2, 365, Work Flow Process 113, 291-342
Exhibit 4 Work Permit (1551, 332
Radia&n 42, 421 Worst P o t e n t i a l L i s t s ( s e e P r i o r i t y
Rates (150, 160 , 211, 432 Problem L i s t s )
Recorded S i g n i f i c a n t Observations
(see C r i t i c a l ~ n c i d e nst )
Regulations 5, ( 60) 178-180
Rehabilitation ti52 7
U.S. GOVERNMENT PRINTING OFFICE: 1974- 5-749:70

MORT Bill Johnson For AEC 1973 SAN8212

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MORT Bill Johnson For AEC 1973 SAN8212

Uploaded by

Copyright:

Available Formats

SAN 821-2

Prepared for the

sponsored by t h e United S t a t e s Government, Neither

t h e United S t a t e s nor t h e United S t a t e s Atomic

Energy Commission, n o r any of t h e i r employees, nor

employees, makes any warranty, expressed o r implied,

f o r t h e accuracy, completeness o r u s e f u l n e s s of any

c l o s e d , o r r e p r e s e n t s t h a t its use would n o t

A Iknagement Oversight and 2 i s k Tree (MORT) has provided a technique

What Produces Hazards?

14. The MORT Diagrams - Introduction

V , Management Implementation of t h e Safety System

V I . Hazard Analysis Processes

V I I . Work Flow Processes

IX . Safety Promam Review

The c o n t r a c t r e s u l t e d from an o r i g i n a l p r o p o s a l by t h e a u t h o r based on e a r l i e r

"The U. S. Atomic Energy Commission h a s exemplary programs f o r t h e con-

"Despite p a s t accornplishements, human v a l u e s and o t h e r v a l u e s s t i m u l a t e

"This i s a p r o p o s a l t o f o r m u l a t e an i d e a l , comprehensive systems concept

1. D e s i m of improved a c c i d e n t r e p o r t and a n a l y s i s techniques.

"The f o r m u l a t i o n of an i d e a l system a p p e a r s t o be a v a l u a b l e precondi-

"The judgments of 'improvement' i n r e p o r t s and measurements w i l l be

1. Improved u n d e r s t a n d i n g of accident-producing s i t u a t i o n s and

Phase I of the study produced a d r a f t t e x t combining t h e best occupational

I n Phases 111 and I V of t h e study, emerging concepts were compared with

The most important r e s u l t of Phases 111 and I V was t h e evolution of a new

Phase V I I w i l l c o n s i s t of a s e r i e s of f o u r seminars o r workshops (one has been

Purposes of This Manual.

The manual i s intended t o summarize t h e r e s u l t s of t h e s t u d y t o d a t e and form

Accordingly, o n l y s o much of t h e d e t a i l e d f i n d i n g s and experience i n f i a s e s I

Assistance of t h e National S a f e t y Council staff i n t h e form of l i t e r a t u r e

A s p e c i a l d e b t t o European f r i e n d s i s acknowledged. I n January 1970, I n d u s t r i a l

The D i v i s i o n s of Operational S a f e t y a t AEC Headquarters and a t t h e San Francisco,

Most p a r t i c u l a r l y , t h e h i g h e s t t r i b u t e should be paid t o t h e s t a f f members,

Emphasis must be given t o t h e p o i n t t h a t t h e e a r l y work a t t h e t h r e e s i t e s was

The t r i a l a t Aero j e t ( s t i l l c o n t i n u i n g ) h a s been extremely valuable. The

Fred McMillan, Manager of t h e Reactor Operations Division (ROD),brought i n t e l -

Many of t h e c o n t r i b u t i o n s of Aerojet and i t s employees a r e s p e c i f i c a l l y acknow-

The a u t h o r h a s a l s o a p p r e c i a t e d t h e e f f o r t s of s a f e t y s t a f f s of NASA, NTSB, t h e

A g e n e r a l t r i b u t e should be paid t o t h e v a s t e f f o r t s of members of NSC and t h e

The permissions of p u b l i s h e r s f o r use of copyrighted m a t e r i a l i s g r a t e f u l l y

S y n t h e s i s of concepts i s a dangerous b u s i n e s s , p a r t i c u l a r l y when r e s e a r c h h a s

The r e s p o n s i b i l i t y f o r t h i s p a r t i c u l a r s y n t h e s i s r e s t s w i t h t h e a u t h o r , not with

1. Accident Facts. National Safety Council, 1972 edition.

Figure 1-1. How Can We Climb Toward the Summit?

Improved methods f o r a t t a i n i n g high i d e a l s of s a f e t y a r e available today.

I n d u s t r i a l a p p l i c a t i o n of system techniques, p a r t i c u l a r l y f o r new pro-

. Safety programming can be visualized a t f i v e levels:

Program Level Disaster P r o b a b i l i t y

* For example, NSC ' s "Accident Prevention Manual f o r I n d u s t r i a l Operations, "

** For example, ASSE's Bibliographx (1967) may be a a i d e t o t h i s and t o systems,

Figure 1-2. Safety Program Levels.

Accidents are congruent with e r r o r s , and s a f e t y can be congruent with

Importance? Mechanism Analysis

lrom t h i s , some questions:

On t h e o t h e r hand, current emphasis on OSHA can impair t h e pursuit of

The Study Process. +

AEC and Exploration at

Continuing search, Tests i n l i t e r a t u r e

I n t h e mid-60's t h e accident r a t e plateau ( i n t r a f f i c and o t h e r f i e l d s ,

T r i a l s a t Aerojet. Aerojet Nuclear Company, whose AEC contract provides

Disciplines. I n a d d i t i o n t o various occupational s a f e t y s p e c i a l t i e s ,

Degree of Proof. By and l a r g e t h e system is an assemblage of i n d i v i d u a l