Journal of Loss Prevention in the Process Industries
Journal homepage: www.elsevier.com/locate/jlp

System safety principles: A multidisciplinary engineering perspective

Joseph H. Saleh a, *, Karen B. Marais b, Francesca M. Favaró a
a School of Aerospace Engineering, Georgia Institute of Technology, USA
b School of Aeronautics and Astronautics, Purdue University, USA

Article info

Article history:
Received 30 January 2014
Received in revised form 3 April 2014
Accepted 4 April 2014

Keywords:
Safety principles
Fail-safe
Safety margins
Defense-in-depth
Observability-in-depth
System safety

Abstract

System safety is of particular importance for many industries. Broadly speaking, it refers to the state or objective of striving to sustainably ensure accident prevention through actions on multiple safety levers (technical, organizational, and regulatory). While complementary to risk analysis, it is distinct in one important way: risk analysis is anticipatory rationality examining the possibility of adverse events (or accident scenarios), and the tools of risk analysis support and in some cases quantify various aspects of this analysis effort. The end objective of risk analysis is to help identify and prioritize risks, inform risk management, and support risk communication. These tools however do not provide design or operational guidelines and principles for eliminating or mitigating risks. Such considerations fall within the purview of system safety.

In this work, we propose a set of five safety principles, which are domain independent, technologically agnostic, and broadly applicable across industries. While there is a proliferation of detailed safety measures (tactics) in specific areas and industries, a synthesis of high-level safety principles or strategies that are independent of any particular instantiation, and from which specific safety measures can be derived or related to, has pedagogical value and fulfills an important role in safety training and education. Such a synthesis effort also supports creativity and technical ingenuity in the workforce for deriving specific safety measures, and for implementing these principles and handling specific local or new risks. Our set of safety principles includes: (1) the fail-safe principle; (2) the safety margins principle; (3) the un-graduated response principle (under which we subsume the traditional “inherently safe design” principle); (4) the defense-in-depth principle; and (5) the observability-in-depth principle. We carefully examine each principle and provide examples that illustrate their use and implementation. We relate these principles to the notions of hazard level, accident sequence, and conditional probabilities of further hazard escalation or advancement of an accident sequence. These principles are a useful addition to the intellectual toolkit of engineers, decision makers, and anyone interested in safety issues, and they provide helpful guidelines during system design and risk management efforts.

© 2014 Elsevier Ltd. All rights reserved.

1. Introduction

In this work, we provide a synthesis of system safety principles, and we examine their use and implementation in different settings. These high-level principles are domain independent, technologically agnostic, and broadly applicable across various industries. The objective of this synthesis is mainly educational, and it is meant to serve a useful role in safety training and education. It can also support creativity and technical ingenuity in the workforce to conceive and implement these principles in new or different ways to handle specific local hazards, or new and emerging ones.

* Corresponding author. Tel.: +1 404 385 6711; fax: +1 404 894 2760.
E-mail address: jsaleh@gatech.edu (J.H. Saleh).

http://dx.doi.org/10.1016/j.jlp.2014.04.001
0950-4230/© 2014 Elsevier Ltd. All rights reserved.

J.H. Saleh et al. / Journal of Loss Prevention in the Process Industries 29 (2014) 283–294

System safety is particularly important for many industries, such as the nuclear and the airline industries, and broadly speaking, it refers to the state or objective of striving to sustainably ensure accident prevention through actions on multiple safety levers, be they technical, organizational, or regulatory.

Detailed safety measures abound for dealing with particular hazards, such as electrocution and fire, for example. But the proliferation of safety measures in domain-specific areas is not conducive to adapting or devising safety measures to handle new or emerging hazards, and more importantly it is not well suited for general safety education and training of engineers and decision makers. What is more useful for such audiences are general safety principles and strategies, from which specific safety measures can be derived or related to. The distinction between specific safety measures and general safety principles is somewhat similar to that between tactics and strategy in a military context: the former relates to specific moves and dispositions to achieve a local objective (e.g., moving soldiers and equipment, engaging in a skirmish or a battle), whereas the latter, strategy, relates to broader considerations for planning and organizing to succeed in a general conflict (e.g., war) with an opponent. More details on this distinction along with several examples follow in the subsequent sections.
Considerations of system safety, and the related safety principles, while complementary to risk analysis, are distinct in one important way: risk analysis is anticipatory rationality examining the possibility of adverse events or accident scenarios, and the tools of risk analysis support, and in some cases help quantify, various aspects of this analysis effort. Risk analysis has been described as addressing three main questions (Apostolakis, 2004; Kaplan & Garrick, 1981):

(1) What can go wrong?
(2) How likely is it?
(3) What would be the consequences?

The end objective of risk analysis is to help identify and prioritize risks, inform risk management, and support risk communication. These tools however do not provide design or operational guidelines or principles for eliminating or mitigating risks, and they are mainly concerned with process.1 Such considerations fall within the purview of system safety. The safety principles examined in this work provide guidelines and conceptual support during system design and operation for addressing the most important follow-up question, namely:

(4) What are you going to do about it [what can go wrong]? Or how are you going to defend against it?

Previous efforts at synthesizing safety principles include the works by Haddon (1980a, 1980b), Möller and Hansson (2008), Kletz (1978, 1998, and subsequent works), and Khan and Amyotte (2003). The present article follows in the spirit of these works, and in some cases it builds and expands on them. These works are briefly reviewed in Section 2. Section 3 presents and examines the proposed set of safety principles. Section 4 concludes this work.

2. Brief literature review of safety principles

2.1. Haddon’s safety principles and their energy-centric underpinning

Haddon’s work (1980a, 1980b) is a landmark in the study of the epidemiology of injury and accident prevention.2 It is grounded in the public health realm and conceptualizes injury as an epidemiologic problem with agent(s), hosts, vectors (for the transmission of injury-producing elements), and the environment (physical and social). Haddon’s contributions build on previous work by Gibson (1964, first presented in 1961) in which the agents of injury were first identified as various forms of energy; this idea is referred to nowadays as the energy model of accidents (Saleh, Marais, Bakolas, & Cowlagi, 2010):

“Man [...] responds to the flux of energies which surround him [...] mechanical, thermal, and chemical. Some limited fields and ranges of energy produce stimuli for the sense organs; others induce physiological adjustments; still others produce injuries. [...] Injuries to a living organism can be produced only by some energy interchange.” (Gibson, 1964)

Haddon expanded on this energy basis of injuries, and the safety strategies he devised are fundamentally tied to this perspective:

“A major class of [adverse] phenomena involves the transfer of energy in such ways and amounts, and at such rapid rates that inanimate and animate structures are damaged. The harmful interactions with people and properties of [...] projectiles, moving vehicles, ionizing radiation, conflagrations [...] illustrate this class of phenomena.” (Haddon, 1980a; quote from earlier work by Haddon)

Haddon’s development of the energy model led him to propose a set of safety strategies to guide the development of injury control mechanisms and safety interventions. The distinction between a safety strategy and a safety tactic/measure, previously noted, is important to keep in mind, and to be able to appreciate the distinctive contribution of Haddon. A safety strategy can be implemented in a variety of ways and measures, and domain-specific knowledge is required, e.g., design and operation of a splitter tower at a refinery, as well as creativity and technical ingenuity to translate a safety principle into a specific safety measure (examples are provided hereafter and further discussed in Section 3). Haddon’s safety strategies include the following:

i. Reduce the amount of hazard/energy brought into being in the first place (e.g., reduce speed of vehicles in the context of traffic safety);
ii. Modify or reduce the rate of release of hazard/energy from its source (e.g., shutoff valves, nuclear reactor control rod);
iii. Separate in time and space the energy source (hazard) from that which is to be protected; eliminate the intersections of hazard/energy and susceptible structure or individuals (Haddon argues that the use of sidewalks and phasing of pedestrian and vehicle traffic is one example of the implementation of this strategy; other examples include the more common use of physical barriers to separate hazard sources from individuals). This principle was described as preventing the etiological agent, the energy source, from reaching the susceptible host;
iv. Make what is to be protected more resistant to damage from the hazard/energy (e.g., make structures more fire and earthquake resistant3; Runyan (2003), in discussing Haddon’s principles, provides the example of a bullet-proof garment as an example of the implementation of this principle for dealing with injuries from handguns).

A detailed discussion of these principles can be found in Haddon (1980a, 1980b). These principles remain, according to Runyan (2003), “an excellent brainstorming tool for developing ideas about a range” of possible safety interventions. Haddon’s principles can be found in Section 3, subsumed in part under the un-graduated response and the defense-in-depth principles, although expressed differently and tailored toward system accidents.

1 They can help assess the effectiveness of a particular implementation of a safety principle once it has been devised. The literature on risk analysis is extensive (the topic is not the focus of the present work). The reader interested in a good introduction to risk analysis and management may consult the excellent works by Kaplan and Garrick (1981), Pate-Cornell (1996), Rasmussen (1997) and the ISO 31000 (2009) and ISO 31010 (2009) standards.
2 Rivara, Cummings, Koepsell, Grossman, and Maier (2001) consider an earlier work by Haddon et al. published in 1964 and entitled Accident Research: Methods and Approaches as “one of the most important milestones in the development of injury research” worldwide.
3 How to do this would be an example of a specific safety measure.

2.2. Möller and Hansson synthesis of safety principles and the reduction of risk and uncertainty

Möller and Hansson (2008) provided a much needed recent synthesis of engineering safety principles. The authors recognized that despite the importance of the topic, “there is a lack of general accounts of safety principles [in] the literature. The treatment is normally piecemeal, focusing only on specific [safety measures]” or methodological issues in probabilistic risk analysis (these topics are important, but they are downstream of the concerns with safety principles, as mentioned previously).

The authors provided a list of 24 safety principles and subsumed them under four broad categories: (1) inherently safe design; (2) safety reserves; (3) safe fail; and (4) procedural safeguards. Although the authors did not acknowledge an energy basis of accidents, they related their safety principles to an important aspect, namely the probabilistic consequences of the implementation of said principles. To this effect, the authors argued, and provided ample examples, that the end objective of any safety principle is “not only to reduce the probabilities of negative events that have been foreseen and for which probability estimates have been provided, but also [to reduce] epistemic uncertainty.”

The distinction between Möller and Hansson’s view and Haddon’s is worth highlighting: in recognizing the energy basis of accidents, Haddon identified safety principles that are meant to limit or contain uncontrolled releases of energy, and to segregate in time and space energy sources from that which is to be protected. Möller and Hansson (2008) synthesized their safety principles under the various means by which they reduce risk and/or uncertainty. Both views are important and complementary, and while the former is content-centric and allows some creativity in deriving novel safety measures (safety principles relate to the handling of energy sources and releases), the latter highlights process-centric issues and ways for evaluating safety measures (safety principles relate to ways for reducing risks and/or uncertainties about accident occurrence).

One limitation in Möller and Hansson’s work is that several themes described as safety principles are not principles, but specific safety measures in some cases, and categories too vague to be meaningful principles in other cases. For example, the authors list timed replacement, procedural safeguards, and redundancy as safety principles. They are not: timed replacement for instance is one maintenance technique (among many others); procedural safeguards is a broad descriptive term that is difficult to translate into an actual safety principle; and redundancy4 is more akin to a specific reliability improvement tactic, but it can backfire through common cause failure (Hoepfer, Saleh, & Marais, 2009). As such, redundancy, while an important consideration for engineers, cannot be taken as an unquestionable or always dependable safety measure. We revisit some of these considerations in more detail in Section 3.

2.3. Kletz’s inherent safety design principle and its pillars

Kletz first outlined the basis of the inherent safety design principle in 1978 in an article titled, “What you don’t have, can’t leak”. The work was based on the author’s experience with the chemical industry, and the principle was later further extended by the author (Kletz, 1998), as well as by others, for example Kletz and Amyotte (2010) and Khan and Amyotte (2003). The motivation for this principle came from a simple observation:

“If we could design our plants so that they use safer raw materials and intermediates, or not so much hazardous ones, or use hazardous ones at lower temperatures and pressures, then we would avoid, rather [than have to] solve our [safety] problems. Such plants can be described as [inherently] safe.” (Kletz, 1978)

Kletz later formulated the inherent safety principle succinctly as one that guides the development of inherently safer designs:

“An inherently safer design is one that avoids hazards instead of controlling them, particularly by removing or reducing the amount of hazardous material in the plant or the number of hazardous operations. [...] The words “inherently safer” imply that the plant or operation is safer because of its very nature, and not because [protective] equipment has been added on to make it safer.” (Kletz, 1998)

The initial formulation (1978) referred to “intrinsically” safe plants, in contrast to “extrinsically” safe plants in which hazards were controlled by “extrinsic” protective equipment and safety features, instead of “intrinsically” safer processes. This distinction however was not maintained in other works by the author and others, and Kletz later replaced “intrinsically” with the now more common expression “inherently” safe.

Note that the inherent safety design principle is also discussed in Möller and Hansson (2008) as a broad category under which several safety principles are subsumed. The authors explain that this principle entails “that potential hazards are excluded, not just enclosed or otherwise coped with. [For example] fireproof material are used instead of inflammable ones [...] and this is superior to using inflammable material but keeping temperatures low.”

Kletz further developed the inherent safety design principle and identified several pillars for ways of achieving it. These pillars include what the author refers to as intensification, substitution, and attenuation. Table 1 provides a brief description of these and other pillars of the inherent safety principle. The reader interested in more details is referred to Kletz and Amyotte (2010), Goraya, Amyotte, and Khan (2004), Khan and Amyotte (2003), and Bollinger and Crowl (1997).

A careful examination of the entries in Table 1 shows similarities between the pillars of the inherent safety principle and Haddon’s safety strategies. For example, the reduction of the amount of energy contained in the process closely resembles Intensification, and the reduction of the rate of release of energy is similar to Attenuation. The difference in framing various (overlapping) safety principles by different authors is unsurprising, and it reflects to some extent their particular background and interests. Kletz’s work, for example, as noted previously, is grounded in the chemical industry, and is best understood and readily applicable in that industry. It remains nonetheless relevant for other hazardous industries. The inherent safety design principle and its pillars will be subsumed in part under the un-graduated response principle in Section 3.

Table 1
Pillars of the inherent safety design principle. Adapted from Kletz and Amyotte (2010) and Khan and Amyotte (2003).

Principle: Description
Process Intensification (PI) and minimization: Use smaller quantities of hazardous material and/or perform a hazardous procedure as few times as possible
Substitution: Replace hazardous materials/processes with safer ones
Attenuation: Use hazardous materials in their least hazardous forms and/or operate the system at comparably safer operating conditions
Limitation of effects: Opt for changes in the process design with less severe effects
Simplification: Avoid complexities in the process design and eliminate excessive use of add-on safety features and protective devices

2.4. Managerial and organizational safety principles or guidelines

Although beyond the scope of the present work (with its engineering focus on safety principles), it is worth noting that an important literature exists and addresses organizational safety principles or guidelines. The literature covers what is known as High Reliability Organizations (HRO), and it empirically examines what successful organizations do—how they organize and manage hazardous systems and processes—to promote and ensure system safety. The reader interested in this line of inquiry is referred to the excellent work by Weick and Sutcliffe (2007) for a synthesis of the HRO literature.

3. System safety principles

Our proposed set of safety principles follows in the spirit of the works discussed in Section 2, and in some cases it builds and expands on them. The principles are first presented at some level of abstraction, which leaves them domain independent and broadly applicable across industries. Then some of their practical aspects are highlighted and examples are provided to illustrate their implementation in specific contexts.

We relate our safety principles to the notions of hazard level, accident sequence, and conditional probabilities (of further hazard escalation or advancement of an accident sequence). Note that while we provide some simple formal representations of these safety principles and their consequences using probability notation and the Discrete Event Systems (DESs) formalism,5 these representations are not necessary for the comprehension of the principles. The reader not familiar with such formalisms may skip the equations, and this will not compromise in any way his or her understanding of the safety principles.

The notions of accident sequence and hazard level, which are briefly reviewed next, can help further illuminate the purpose and consequences of these principles, as will be seen shortly.

3.1. Background information: accident sequence and hazard level

An accident sequence can be represented in the form of an event tree, starting with an off-nominal initiating event and terminating in the accident state—the uncontrolled release of energy and its consequences. For example, Fig. 1 shows a simplified version of an Event Tree Analysis for a generic nuclear reactor. The initiating event here considered is the break of the main coolant pipe.

The event tree reads from left to right. For example, in the path leading to the fourth consequence from the top (explosion), we have the following events: the main coolant pipe breaks; electric power is available upon demand to support the activation of the flow detector and emergency pumps; the flow detector operates properly and detects loss of main coolant; information is conveyed to activate redundant emergency pumps; pump 1 fails to activate; pump 2 also fails to activate, and this sequence of events leads to the explosion. The event tree can be further expanded to examine more possibilities and add further resolution to the consequences of the explosion and other branches (Saleh, Saltmarsh, Favaro, & Brevault, 2013).

Fig. 1. Simplified Event Tree Analysis for a reactor following the break of main coolant pipe (the initiating event). P: probability of success; Q = 1 − P: probability of failure. Adapted from Billington and Allan (1992). [Figure: event tree with headings Electric power (EP), Flow detector (D) and the emergency pumps, and consequences, from top to bottom, successful prevention, degradation, degradation, explosion, explosion.]

4 “Redundancy in design is the duplication (or more) of particular components of a system for the purpose of increasing the overall system reliability. Redundancy in effect seeks to: (1) limit the impact of a single component with low reliability on the overall system reliability; (2) improve the reliability of a critical component in the system; and it does so by creating a virtual equivalent component of greater reliability than the single component in question.” (Hoepfer et al., 2009).
5 Formal representation can provide additional precision in defining the safety principles and their consequences (beyond a textual description).

Fig. 2. Illustrative example of the concept of accident sequence, with propagation of initiating events to accident states (Saleh et al., 2013). [Figure: initiating event IE_1 in the off-nominal operations region, branching through intermediate system states to accident state A_1 and further accident states, with nominal operations shown separately.]

For our purposes, we will note more generally that an accident sequence can be represented by the concatenation of a series of events (denoted by the letter “e”), starting from an off-nominal initiating event (denoted by “IE”) and leading to an accident (denoted by “A”), as shown in Eq. (1) and Fig. 2. Each event “e” carries two subscripts: the first one identifies its position inside the string s, while the second one identifies the initiating event. Event e_{2,1} therefore denotes an event that appears as the second link in a string s and that follows the initiating event IE_1. Notice that several accidents can correspond to each initiating event, and that different initiating events can lead to the same accident unfolding. For simplicity, in Fig. 2 we numbered the accidents starting from the top one as A_1. The string s also has two subscripts: the first corresponds to the initiating event, and the second to the final accident state. For example, Eq. (1) shows the accident sequence represented by the string s_{1,k}, which starts with the initiating event IE_1 and terminates in the accident state A_k:

$$s_{1,k} = IE_1\, e_{2,1}\, e_{3,1} \ldots e_{n,1}\, A_k \qquad (1)$$

For simplicity, we will occasionally drop the second subscript of an event e and only index it with respect to its position in a given string as e_i (the ith event in an accident sequence).

Eq. (1) is based on the mathematical framework of Discrete Event Systems (DES). The specifics are not relevant for our purposes (for details, see for example Cassandras & Lafortune, 2008). The important point is the way in which an accident sequence can be represented, namely as a string (denoted by the letter “s”) of events and with multiple possible paths between different initiating events and accident states.

The conditional probability of accident A_k occurring given the occurrence of the initiating event IE_i can be written as follows:

$$P(A_k \mid IE_i) \qquad (2)$$

This conditional probability is the sum over all paths starting from IE_i and leading to A_k. At a local level, given that an accident sequence has been initiated, the conditional probability that it will further advance or escalate is expressed as follows:

$$P(e_{i+1} \mid e_i) \qquad (3a)$$

Or more generally:

$$P(e_k \mid e_i) \quad \text{for } k > i \qquad (3b)$$

The idea of an accident sequence and the conditional probabilities associated with its escalation can help define or intuitively convey the notion of hazard level (H). Intuitively, the hazard level can be conceived of as the closeness of an accident to being released (Saleh, Haga, Favaró, & Bakolas, 2014). It is thus related to the extent an accident sequence has advanced: the further the sequence has escalated, the more hazardous the situation is. For example, using Eq. (1) and Fig. 2, we can note:

$$H(IE_1\, e_{2,1}\, e_{3,1}\, e_{4,1}) > H(IE_1\, e_{2,1}) \qquad (4)$$

For the situation in the left-hand side of Eq. (4), more adverse conditions are aligned and more events in the accident sequence have occurred than in the situation in the right-hand side. The left-hand hazard level in the system or plant is thus higher and the accident is closer to being released. Fig. 3 shows a typical example of a relation between an accident sequence and the dynamics of hazard escalation. In this case, only one string and one outcome are shown (a generic accident A).

Fig. 3. Illustrative example of an accident sequence and hazard level escalation over time. [Figure: hazard level plotted against time.]

The operation of a hazardous process or system involves the management and handling of the dynamics of its hazard level. The dynamics of hazard escalation can be both time-driven and event-driven, and all else being equal, the hazard level scales with the extent of potential adverse consequences (PAC). We indicate this functional dependency as follows:

$$H = H(t, e, \mathrm{PAC}) \qquad (5)$$

The conditional probabilities previously mentioned can also be added to the expression in Eq. (5). They are, in its current form, implicit in the string of events (e) of an accident sequence. Note that the potential adverse consequences are a function of both the amount of energy involved or being handled, and the extent of vulnerable resources in its neighborhood (people and structures). For example, a chemical plant in the middle of a densely populated city has a higher potential for adverse consequences than if it were sited in a remote industrial zone.

These concepts, accident sequence, conditional probabilities of sequence escalation, and hazard level, will be referred to next when discussing the safety principles. They will help us illustrate for example the effects of these principles on the advancement of an accident sequence and on the dynamics of hazard escalation, as we will see shortly.

Fig. 4. Illustrative comparison of system behavior over time following a local failure, both with the implementation of the fail-safe principle and without it (t_f is the time of occurrence of the failure of the component/function of interest). [Figure: two panels, “With fail-safe” and “Without fail-safe”, each plotting hazard level against time from the nominal level toward the accident-triggering threshold condition; a local failure or disruption (failure of component i or termination/disruption of its function) occurs at t_f and is followed by the system response (propagation and potential consequences at the system level).]

3.2. The fail-safe safety principle

Consider a function performed or implemented by a particular item in a system. The failure of this item or disruption/termination of its function can propagate and affect the system in different ways. For example it can lead to a cascading failure (domino effect), which would result in a complete system failure or accident (e.g., nodes in an electric power grid operating at maximum capacity). It can also remain confined to the neighborhood of the failed item and have a limited impact at the system level.

The fail-safe principle imposes, or is defined by, one particular solution to the problem of how a local failure affects the system-level hazard. Specifically, the fail-safe principle requires that the failure of an item in a system or disruption/termination of its function should result in operational conditions that (i) block an accident sequence from further advancing, and/or (ii) freeze the dynamics of hazard escalation in the system, thus preventing potential harm or damage.

In light of the concepts introduced in subsection 3.1, the effects of the fail-safe principle can be expressed as follows:

$$e_f:\ \text{failure of the item/function of interest at time } t_{e_f}$$

$$\frac{\partial H}{\partial t} = 0 \quad \text{for } t > t_{e_f}, \qquad \text{and} \qquad P(e_{f+k} \mid e_f) = 0 \quad \forall\, e_{f+k} \in s \text{ following } e_f \qquad (6)$$

Eq. (6) expresses the fact that the dynamics of hazard escalation are frozen after the failure of the item/function, and the accident sequence is blocked (see Fig. 4).
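The event-tree arithmetic of Section 3.1 (Eqs. (2) and (3)) and the fail-safe condition of Eq. (6) can be made concrete in a few lines. The following Python is an added example written for this edition, not code from the paper or its authors: the tree follows the headings named in the discussion of Fig. 1 (electric power, flow detector, two emergency pumps), but its branch probabilities and the names `coolant_loss_tree`, `consequence_probabilities` and `escalation_probability` are constructed here for illustration. It goes slightly beyond the text by computing Eq. (3b) for an arbitrary observed prefix of a sequence, not only for adjacent events.

```python
# Added example (editor's code, not from the paper): event-tree arithmetic for
# P(A_k | IE) of Eq. (2), the escalation probability of Eq. (3b), and the effect
# of a fail-safe item, Eq. (6). Tree shape follows the headings named for Fig. 1;
# all branch probabilities below are constructed values, not taken from the paper.
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, Iterator, Tuple, Union

Path = Tuple[Tuple[str, str], ...]   # e.g. (("electric power", "ok"), ("flow detector", "fail"))


@dataclass(frozen=True)
class Node:
    """One heading of an event tree: the item demanded and P(it succeeds on demand)."""
    name: str
    p_success: float
    success: Branch   # deeper heading, or terminal consequence, if the item works
    failure: Branch   # deeper heading, or terminal consequence, if it fails


Branch = Union[Node, str]   # a further heading, or a consequence label (accident state)


def enumerate_paths(branch: Branch, prefix: Path = (), prob: float = 1.0) -> Iterator[Tuple[Path, float, str]]:
    """Yield (events along the path, P(path | IE), consequence) for every root-to-leaf path."""
    if isinstance(branch, str):
        yield prefix, prob, branch
        return
    yield from enumerate_paths(branch.success, prefix + ((branch.name, "ok"),), prob * branch.p_success)
    yield from enumerate_paths(branch.failure, prefix + ((branch.name, "fail"),), prob * (1.0 - branch.p_success))


def consequence_probabilities(tree: Branch) -> Dict[str, float]:
    """Eq. (2): P(A_k | IE) is the sum over all paths from the initiating event to A_k."""
    totals: Dict[str, float] = {}
    for _, prob, consequence in enumerate_paths(tree):
        totals[consequence] = totals.get(consequence, 0.0) + prob
    return totals


def escalation_probability(tree: Branch, observed: Path, accident: str) -> float:
    """Eq. (3b): P(accident | events observed so far), i.e. the conditional probability
    that the sequence advances all the way to the accident state from this point."""
    reached = total = 0.0
    for path, prob, consequence in enumerate_paths(tree):
        if path[: len(observed)] == observed:
            total += prob
            if consequence == accident:
                reached += prob
    return reached / total if total else 0.0


# Constructed success probabilities (hypothetical, for illustration only).
P_EP, P_DETECTOR, P_PUMP = 0.99, 0.98, 0.95


def coolant_loss_tree(detector_fail_safe: bool) -> Node:
    """Event tree for the initiating event 'main coolant pipe breaks'.

    Headings in demand order: electric power -> flow detector -> pump 1 -> pump 2.
    With detector_fail_safe=True the detector is built so that its own failure still
    raises the 'loss of coolant' demand on the pumps: the failed state does not let
    the sequence advance on its own (the P(e_{f+k} | e_f) = 0 condition of Eq. 6).
    Without it a silent detector leaves the pumps idle and the sequence escalates.
    """
    pumps = Node("pump 1", P_PUMP,
                 success="successful prevention",
                 failure=Node("pump 2", P_PUMP, success="degradation", failure="explosion"))
    detector = Node("flow detector", P_DETECTOR,
                    success=pumps,
                    failure=pumps if detector_fail_safe else "explosion")
    return Node("electric power", P_EP, success=detector, failure="explosion")


if __name__ == "__main__":
    for fail_safe in (False, True):
        tree = coolant_loss_tree(fail_safe)
        print(f"detector fail-safe = {fail_safe}")
        for consequence, p in sorted(consequence_probabilities(tree).items()):
            print(f"  P({consequence} | pipe break) = {p:.6f}")
    # Eq. (3b)/(4): the further the sequence has advanced, the closer the accident.
    plain = coolant_loss_tree(False)
    after_pump1_fail: Path = (("electric power", "ok"), ("flow detector", "ok"), ("pump 1", "fail"))
    print("P(explosion | pipe break)            =", round(escalation_probability(plain, (), "explosion"), 6))
    print("P(explosion | ..., pump 1 failed)    =", round(escalation_probability(plain, after_pump1_fail, "explosion"), 6))
    # Eq. (6): after the detector's failure e_f, does the sequence still escalate?
    after_detector_fail: Path = (("electric power", "ok"), ("flow detector", "fail"))
    for fail_safe in (False, True):
        p = escalation_probability(coolant_loss_tree(fail_safe), after_detector_fail, "explosion")
        print(f"P(explosion | detector failed), fail-safe={fail_safe}: {p:.6f}")
```

The only difference between the two trees is where the detector's failure branch leads; that is the whole content of the fail-safe principle as stated in Eq. (6). Without it, observing the detector failure makes the explosion certain in this model (the sequence advances by itself); with it, the residual probability of the accident after that failure comes entirely from the downstream pumps, and the detector failure itself no longer escalates the hazard level.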
Conversely, if the fail-safe principle is not implemented, the item’s failure, or termination of the function it performs, would aggravate a situation by further escalating its level of hazard, thus initiating an accident sequence or leading to an accident, as shown in Fig. 4. For example, air brakes on trains and trucks are maintained in the open position by pressure in the lines; should the pressure drop because of leakage or any other failure mechanism, the brakes will be applied. A similar mechanism exists in elevators: a spring force activated electrically holds the brakes in the open position. In the event of a power failure, the brakes automatically engage. The difference between the brakes failing in the open position and leading to the free fall of the elevator, and the brakes failing in the engaged position thus preventing a hazardous situation from unfolding, is the result of a creative implementation of the fail-safe principle in this particular situation. Popular legend notwithstanding, the only accidents involving elevators falling have occurred when the building itself has been catastrophically damaged (Paumgarten, 2008).

Another example of the implementation of the fail-safe principle is the “dead man’s switch” for train operators: should they fall asleep or become unconscious, the device is no longer held down, and as a result the brakes are applied. A similar device is used in chainsaws, snowmobiles, jet skis, and during aircraft refueling (the activity is stopped). More complex implementations of the fail-safe principle can be found in nuclear react