Inspections and Investigations & Safety Audits & Management Audits
Safety practitioners, on the one hand, have to learn to understand the organizational aspects and take them into account in constructing safety programs. On the other hand, it is important that they be aware of the fact that the view of organizations is moving further and further away from the machine concept and placing a clear emphasis on less tangible and measurable factors such as organizational culture, behaviour modification, responsibility-raising or commitment.
Today, safety policy is more and more distinctly being viewed as a way of achieving
the two aims of reducing losses and optimizing corporate policy. Safety policy is
therefore increasingly evolving into a reliable barometer of the soundness of the
corporation’s success with respect to these aims. In order to measure progress,
increased attention is being devoted to management and safety audits.
It is not only economic circumstances that have given company heads new insights.
New visions relating to management, organizational theory, total quality care and, in
the same vein, safety care, are resulting in significant changes.
Figure: The values, mission and organizational culture of a corporation according to McKinsey's 7-S Framework
The fundamental shifts can best be demonstrated on the basis of the model
presented by Scott (1978), which was also used by Peters and Waterman (1982). This
model uses two approaches:
1. The closed-system approaches deny the influence of developments from outside
the organization. With the mechanistic closed approaches, the objectives of an
organization are clearly defined and can be logically and rationally determined.
2. Open-system approaches take outside influences fully into account, and the
objectives are more the result of diverse processes, in which clearly irrational
factors contribute to decision making.
Organizational theories
There has been enormous development in management theory, moving from the
traditional rational and authoritarian machine model (Taylorism) to the human-
oriented organic model of human resources management (HRM).
Organizational effectiveness and efficiency are being more clearly linked to optimal
strategic management, a flat organizational structure and sound quality systems.
Furthermore, attention is now given to superordinate goals and significant values
that have a bonding effect within the organization, such as skills (on the basis of
which the organization stands out from its competitors) and a staff that is motivated
to maximum creativity and flexibility by placing the emphasis on commitment and
empowerment. With these open approaches, a management audit cannot limit itself
to a number of formal or structural characteristics of the organization. The audit
must also include a search for methods to map out less tangible and measurable
cultural aspects.
This fundamental change in the quality care system has taken place cumulatively in
the sense that each foregoing stage was integrated into the next. It is also clear that
while product control and safety inspection are facets more closely related to a
Tayloristic organizational concept, quality assurance is more associated with a
socio-technical system approach where the aim is not to betray the trust of the
(external) customer.
It is clear that there is also a very important difference in emphasis between quality assurance as described in the ISO standards and the TQM approach. ISO quality assurance is an extended and improved form of quality inspection, focusing not only on the products and internal customers, but also on the efficiency of the technical processes. The objective of the inspection is to investigate the conformity with the procedures set out in ISO. TQM, on the other hand, endeavours to meet the expectations of all internal and external customers as well as all processes within the organization, including the softer, more human-oriented ones. The involvement, the commitment and the creativity of the employees are clearly important aspects of TQM.
From Human Error to Integrated Safety
Safety policy has evolved in a similar manner to quality care. Attention has shifted
from post-factum incident analysis, with emphasis on the prevention of injuries, to a
more global approach. Safety is seen more in the context of “total loss control” - a
policy aimed at the avoidance of losses through management of safety involving the
interaction of people, processes, materials, equipment, installations and the
environment. Safety therefore focuses on the management of the processes that
could lead to losses. In the initial development period of safety policy the emphasis
was placed on a human error approach. Consequently, employees were given a
heavy responsibility for the prevention of industrial incidents.
Only recently, the emphasis in safety policy systems shifted into a social-system
approach, which is a logical step in the improvement of the prevention system. In
order to optimize the human/machine/environment system it is not sufficient to
ensure safe machines and tools by means of a well-developed prevention policy, but
there is also the need for a preventive maintenance system and the assurance of
security among all technical processes. Moreover, it is of crucial importance that
employees be sufficiently trained, skilled and motivated with regard to health and
safety objectives. Modern management entails an open, motivating corporate
culture, in which there is a common commitment to achieving key corporate
objectives in a participatory, team-based approach. In the safety-culture approach,
safety is an integral part of the objectives of the organizations and therefore an
essential part of everyone’s task, starting with top management and passing along
the entire hierarchical line down to employees on the shop floor.
Integrated safety
The concept of integrated safety immediately presents a number of central factors in
an integrated safety system, the most important of which can be summarized as
follows:
A clearly visible commitment from the top management. This commitment is not only
given on paper, but is translated right down to the shop floor in practical
achievements.
Active involvement of the hierarchical line and the central support departments.
Care for safety, health and welfare is not only an integral part of everyone’s task in
the production process, but is also integrated into the personnel policy, into
preventive maintenance, into the design stage and into working with third parties.
Full participation of the employees. Employees are full discussion partners with
whom open and constructive communication is possible, with their contribution
being given full weight. Indeed, participation is of crucial importance for carrying
through corporate and safety policy in an efficient and motivating way.
A suitable profile for a safety expert. The safety expert is no longer the technician or
jack of all trades, but is a qualified adviser to the top management, with particular
attention being devoted to optimizing the policy processes and the safety system. He
or she is therefore not someone who is only technically trained, but also a person
who, as a good organizer, can deal with people in an inspiring manner and
collaborate in a synergetic way with other prevention experts.
A pro-active safety culture. The key aspect of an integrated safety policy is a pro-active safety culture, which includes, among other things, the following:
- Safety, health and welfare are the key ingredients of an organization's value system and of the objectives it seeks to attain.
- An atmosphere of openness prevails, based on mutual trust and respect.
- There is a high level of cooperation with a smooth flow of information and an appropriate level of coordination.
- A pro-active policy is implemented with a dynamic system of constant improvement perfectly matching the prevention concept.
- The promotion of safety, health and welfare is a key component of all decision-making, consultations and teamwork.
- When industrial incidents occur, suitable preventive measures are sought, not a scapegoat.
- Members of staff are encouraged to act on their own initiative so that they possess the greatest possible authority, knowledge and experience, enabling them to intervene in an appropriate manner in unexpected situations.
- Processes are set in motion with a view to promoting individual and collective training to the maximum extent possible.
- Discussions concerning challenging and attainable health, safety and welfare objectives are held on a regular basis.
Safety and Management Audits
General description
Safety audits are a form of risk analysis and evaluation in which a systematic
investigation is carried out in order to determine the extent to which the conditions
are present that provide for the development and implementation of an effective and
efficient safety policy. Each audit therefore simultaneously envisions the objectives
that must be realized and the best organizational circumstances to put these into
practice.
Each audit system should, in principle, determine the following:
- What is management seeking to achieve, by what means and by what strategy?
- What are the necessary provisions in terms of resources, structures, processes, standards and procedures that are required to achieve the proposed objectives, and what has been provided? What minimum program can be put forward?
- What are the operational and measurable criteria that must be met by the chosen items to allow the system to function optimally?
The information is then thoroughly analysed to examine to what extent the current
situation and the degree of achievement meet the desired criteria, followed by a
report with positive feedback that emphasizes the strong points, and corrective
feedback that refers to aspects requiring further improvement.
Auditing and strategies for change
Each audit system explicitly or implicitly contains a vision both of an ideal
organization’s design and conceptualization, and of the best way of implementing
improvements.
Bennis, Benne and Chin distinguish three strategies for planned changes, each based on a different vision of people and of the means of influencing behaviour:
- Power-force strategies are based on the idea that the behaviour of employees can be changed by exercising sanctions.
- Rational-empirical strategies are based on the axiom that people make rational choices depending on maximizing their own benefits.
- Normative-re-educative strategies are based on the premise that people are irrational, emotional beings and in order to realize a real change, attention must also be devoted to their perception of values, culture, attitudes and social skills.
The famous model devised by Danish risk specialist Rasmussen distinguishes among the following three sorts of behaviour:
- Routine actions (skill-based behaviour) automatically follow the associated signal. Such actions are carried out without one's consciously devoting attention to them, for example, touch-typing or manually changing gears when driving.
- Actions in accordance with instructions (rule-based) require more conscious attention because no automatic response to the signal is present and a choice must be made between different possible instructions and rules. These are often actions which can be placed in an "if ... then" sequence, as in "If the meter rises to 50 then this valve must be closed".
- Actions based on knowledge and insight (knowledge-based) are carried out after a conscious interpretation and evaluation of the different problem signals and the possible alternative solutions. These actions therefore presuppose a fairly high degree of knowledge of and insight into the process concerned, and the ability to interpret unusual signals.
Strata in behavioural and cultural change
Based on the above, most audit systems (including those based on the ISO series of
standards) implicitly depart from power-force strategies or rational-empirical
strategies, with their emphasis on routine or procedural behaviour. This means that
insufficient attention is paid in these audit systems to “knowledge-based behaviour”
that can be influenced mainly via normative–re-educative strategies. Many audit
systems limit themselves to the question of whether a particular provision or
procedure is present. It is therefore implicitly assumed that the sheer existence of
this provision or procedure is a sufficient guarantee for the good functioning of the
system. Besides the existence of certain measures, there are always different other
“strata” (or levels of probable response) that must be addressed in an audit system
to provide sufficient information and guarantees for the optimum functioning of the
system.
In more concrete terms, the following example concerns response to a fire emergency:
- A given provision, instruction or procedure is present ("sound the alarm and use the extinguisher").
- A given instruction or procedure is also familiarly known to the parties concerned (workers know where alarms and extinguishers are located and how to activate and use them).
- The parties concerned also know as much as possible as to the "why and wherefore" of a particular measure (employees have been trained or educated in extinguisher use and typical types of fires).
- The employee is also motivated to apply needful measures (self-preservation, saving the job, etc.).
- There is sufficient motivation, competence and ability to act in unforeseen circumstances (employees know what to do in the event fire gets out of hand, requiring professional fire-fighting response).
- There are good human relations and an atmosphere of open communication (supervisors, managers and employees have discussed and agreed upon fire emergency response procedures).
- Spontaneous creative processes originate in a learning organization (changes in procedures are implemented following "lessons learned" in actual fire situations).
PAS safety audit elements and their correspondence with ISO 9001

PAS safety audit element                                   ISO 9001 clause
1. Management responsibility
   1.1. Safety policy                                      4.1.1.
   1.2. Organization
        1.2.1. Responsibility and authority                4.1.2.1.
        1.2.2. Verification resources and personnel        4.1.2.2.
        1.2.3. Health and safety service                   4.1.2.3.
   1.3. Safety management system review                    4.1.3.
2. Safety management system                                4.2.
3. Obligations                                             4.3.
4. Design control
   4.1. General                                            4.4.1.
   4.2. Design and development planning                    4.4.2.
   4.3. Design input                                       4.4.3.
   4.4. Design output                                      4.4.4.
   4.5. Design verification                                4.4.5.
   4.6. Design changes                                     4.4.6.
5. Document control
   5.1. Document approval and issue                        4.5.1.
   5.2. Document changes/modifications                     4.5.2.
6. Purchasing and contracting
   6.1. General                                            4.6.1.
   6.2. Assessment of suppliers and contractors            4.6.2.
   6.3. Purchasing data                                    4.6.3.
   6.4. Third party's products                             4.7.
7. Identification                                          4.8.
8. Process control
   8.1. General                                            4.9.1.
   8.2. Process safety control                             4.11.
9. Inspection
   9.1. Receiving and pre-start-up inspection              4.10.1., 4.10.3.
   9.2. Periodic inspections                               4.10.2.
   9.3. Inspection records                                 4.10.4.
   9.4. Inspection equipment                               4.11.
   9.5. Inspection status                                  4.12.
10. Accidents and incidents                                4.13.
11. Corrective and preventive action                       4.13., 4.14.
12. Safety records                                         4.16.
13. Internal safety audits                                 4.17.
14. Training                                               4.18.
15. Maintenance                                            4.19.
16. Statistical techniques                                 4.20.
Several other systems are integrated in the PAS system:
- At a strategic level, the insights and requirements of ISO are of particular importance.
- At a tactical level, the systematics of the "Management's Oversight and Risk Tree" encourages people to seek out what are the necessary and sufficient conditions in order to achieve the desired safety result.
- At an operational level a multitude of sources could be drawn upon, including existing legislation, regulations and other criteria such as the International Safety Rating System (ISRS), in which the emphasis is placed on certain concrete conditions that should guarantee the safety result.
The PAS constantly refers to the broader corporate policy within which the safety
policy is embedded. After all, an optimum safety policy is at the same time a product
and a producer of a pro-active company policy. Assuming that a safe company is at
the same time an effective and efficient organization and vice versa, special
attention is therefore devoted to the integration of safety policy in the overall policy.
Essential ingredients of a future-oriented corporate policy include a strong corporate
culture, a far-reaching commitment, the participation of the employees, a special
emphasis on the quality of the work, and a dynamic system of continual
improvement.
Formal procedures and directly identifiable results are indisputably important in
safety policy. However, it is not enough to base the safety system on this approach
alone. The future results of a safety policy are dependent on the present policy, on
the systematic efforts, on the constant search for improvements, and particularly on
the fundamental optimizing of processes that ensure durable results.
HAZARD ANALYSIS: THE INCIDENT CAUSATION MODEL
Human error is an important contributing cause in at least 90% of all industrial
incidents. While purely technical errors and uncontrollable physical circumstances
may also contribute to incident causation, human error is the paramount source of
failure. The increased sophistication and reliability of machinery means that the
proportion of causes of incidents attributed to human error increases as the absolute
number of incidents decreases. Human error is also the cause of many of those
incidents that, although not resulting in injury or death, nevertheless result in
considerable economic damage to a company. As such, it represents a major target
for prevention, and it will become increasingly important. For effective safety
management systems and risk identification programs it is important to be able to
identify the human component effectively through the use of general failure type
analysis.
The Nature of Human Error
Human error can be viewed as the failure to reach a goal in the way that was
planned, either from a local or wider perspective, due to unintentional or intentional
behaviour. Those planned actions may fail to achieve the desired outcomes for the
following four reasons:
1. Unintentional behaviour:
   - The actions did not go as planned (slips).
   - The action was not executed (lapses).
2. Intentional behaviour:
   - The plan itself was inadequate (mistakes).
   - There were deviations from the original plan (violations).
Deviations can be divided into three classes: skill-, rule- and knowledge-based errors.
1. At the skill-based level, behaviour is guided by pre-programmed action schemes. The tasks are routine and continuous, and feedback is usually lacking.
2. At the rule-based level, behaviour is guided by general rules. They are simple and can be applied many times in specific situations. The tasks consist of relatively frequent action sequences that start after a choice is made among rules or procedures. The user has a choice: the rules are not automatically activated, but are actively chosen.
3. Knowledge-based behaviour is shown in completely new situations where no rules are available and where creative and analytical thinking is required.
In some situations, the term human limitation would be more appropriate than
human error.
When the situation is completely unknown, knowledge-based rules are applied. The
symptoms are examined in the light of knowledge about the system and its
components. This analysis can lead to a possible solution the implementation of
which constitutes a case of knowledge-based behaviour. (It is also possible that the
problem cannot be solved in a given way and that further knowledge-based rules
have to be applied.) All errors on this level are mistakes. Violations are committed
when a certain rule is applied that is known to be inappropriate: the thinking of the
worker may be that application of an alternative rule will be less time-consuming or
is possibly more suitable for the present, probably exceptional, situation. The more
malevolent class of violations involves sabotage, a subject that is not within the
scope of this article.
A comment often made with regard to a particular incident is, “Maybe the person did
not realize it at the time, but if he or she had not acted in a certain way, the incident
would not have happened.” Much of incident prevention is aimed at influencing the
crucial bit of human behaviour alluded to in this remark. In many safety management
systems, the solutions and policies suggested are aimed at directly influencing
human behaviour.
Six ways to induce safe behaviour and assessment of their cost-effectiveness

No.  Way of influencing                                              Cost    Long-term effect  Assessment
1    Don't induce safe behaviour, but make the system "foolproof".   High    Low               Poor
2    Tell those involved what to do.                                 Low     Low               Medium
3    Reward and punish.                                              Medium  Medium            Medium
4    Increase motivation and awareness.                              Medium  Low               Poor
5    Select trained personnel.                                       High    Medium            Medium
6    Change the environment.                                         High    High              Good
Do not attempt to induce safe behaviour, but make the system “foolproof”
Tell those involved what to do
Another option is to instruct all workers about every single activity in order to bring their behaviour fully under the control of management. This will require an extensive and not very practical task inventory and instruction.
Reward and punish
Although reward and punishment schedules are powerful and very popular means for
controlling human behaviour, they are not without problems.
Increase motivation and awareness
Sometimes it is believed that people cause incidents because they lack motivation
or are unaware of danger. The effects of motivation enhancement programs are
positive only when coupled with behaviour modification techniques such as
employee involvement.
Select trained personnel
The first reaction to an incident is often that those involved must have been
incompetent.
Change the environment
Most behaviour occurs as a reaction to factors in the working environment: work
schedules, plans, and management expectations and demands.
The Incident Causation Model
In order to get more insight into the controllable parts of the incident causation
process, an understanding of the possible feedback loops in a safety information
system is necessary.
Figure: A safety information system
Incident investigation
When incidents are investigated, substantial reports are produced and decision-makers receive information about the human error component of the incident. Fortunately, this is becoming more and more obsolete in many companies. It is more effective to analyse the "operational disturbances" that precede the accidents and incidents. If an accident is described as an operational disturbance followed by its consequences, then sliding off the road is an operational disturbance and getting killed because the driver did not wear a safety belt is an accident. Barriers may have been placed between the operational disturbance and the accident, but they failed or were breached or circumvented.
Incident
An incident is a work-related event during which:
- injury, ill health, or fatality actually occurs, or
- injury, ill health, or fatality could have occurred.
An accident is a type of incident: a work-related event during which injury, ill health, or fatality actually occurs.
A close call, near miss, near hit, or dangerous occurrence is also a type of incident: a work-related event during which injury, ill health, or fatality could have occurred, but did not actually occur.
Nonconformity
Nonconformity is the non-fulfilment of a requirement or a deviation from a standard. When an organization fails to meet requirements or deviates from a standard, a nonconformity exists.
Preventive Action
Preventive actions are steps that are taken to remove the causes of potential nonconformities or other undesirable situations that have not yet occurred. Preventive actions address potential problems. In general, the preventive action process can be thought of as a risk analysis process.
Risk combines three elements: it starts with a potential event, and then combines its probability with its potential severity. In the context of OH&S, the concept of risk asks two future-oriented questions:
- What is the probability that a particular hazardous event or exposure will actually occur in the future?
- How severe would the impact on health and safety be if the hazardous event or exposure actually occurred?
A high-risk hazardous event or exposure would have both a high probability of occurring and a severe impact on OH&S if it actually occurred. A high-risk event or exposure is one that is likely to cause severe injury or ill health.
Unsafe act auditing
A wrong act committed by an employee is called a “substandard act” and not an
“unsafe act” in this article: the notion of “unsafe” seems to limit the applicability of
the term to safety, whereas it can also be applied, for example, to environmental
problems. Substandard acts are sometimes recorded, but detailed information as to
which slips, mistakes and violations were performed and why they were performed is
hardly ever fed back to higher management levels.
Investigating the employee’s state of mind
Before a substandard act is committed, the person involved was in a certain state of
mind. If these psychological precursors, like being in a state of haste or feeling sad,
could be adequately controlled, people would not find themselves in a state of mind
in which they would commit a substandard act.
General failure types and their definitions

General failure                    Definition
1. Design (DE)                     Failures due to poor design of a whole plant as well as individual items of equipment
2. Hardware (HW)                   Failures due to poor state or unavailability of equipment and tools
3. Procedures (PR)                 Failures due to poor quality of the operating procedures with respect to utility, availability and comprehensiveness
4. Error enforcing conditions (EC) Failures due to poor quality of the working environment, with respect to circumstances that increase the probability of mistakes
5. Housekeeping (HK)               Failures due to poor housekeeping
6. Training (TR)                   Failures due to inadequate training or insufficient experience
7. Incompatible goals (IG)         Failures due to the poor way safety and internal welfare are defended against a variety of other goals like time pressure and a limited budget
8. Communication (CO)              Failures due to poor quality or absence of lines of communication between the various divisions, departments or employees
9. Organization (OR)               Failures due to the way the project is managed and the company is operated
10. Maintenance management (MM)    Failures due to poor quality of the maintenance procedures regarding quality, utility, availability and comprehensiveness
11. Defences (DF)                  Failures due to the poor quality of the protection against hazardous situations
There are two GFTs that require some further explanation: maintenance
management and defences.
Maintenance management (MM)
Since maintenance management is a combination of factors that can be found in
other GFTs, it is not, strictly speaking, a separate GFT: this type of management is
not fundamentally different from other management functions. It may be treated as a
separate issue because maintenance plays an important role in so many incident
scenarios and because most organizations have a separate maintenance function.
Defences (DF)
The category of defences is also not a true GFT, as it is not related to the incident
causation process itself. This GFT is related to what happens after an operational
disturbance. It does not generate either psychological states of mind or substandard
acts by itself. It is a reaction that follows a failure due to the action of one or more
GFTs. While it is indeed true that a safety management system should focus on the
controllable parts of the incident causation chain before and not after the unwanted
incident, nevertheless the notion of defences can be used to describe the perceived
effectiveness of safety barriers after a disturbance has occurred and to show how
they failed to prevent the actual incident.
Managers need a structure that will enable them to relate identified problems to
preventive actions. Measures taken at the levels of safety barriers or substandard
acts are still necessary, although these measures can never be completely
successful. To trust “last line” barriers is to trust factors that are to a large extent
out of management control. Management should not attempt to manage such
uncontrollable external devices, but instead must try to make their organizations
inherently safer at every level.
Measuring the Level of Control over Human Error
Ascertaining the presence of the GFTs in an organization will enable incident
investigators to identify the weak and strong points in the organization. Given such
knowledge, one can analyse incidents and eliminate or mitigate their causes and
identify the structural weaknesses within a company and fix them before they in fact
contribute to an incident.
Incident investigation
The task of an incident analyst is to identify contributing factors and to categorize
them. The number of times a contributing factor is identified and categorized in
terms of a GFT indicates the extent to which this GFT is present. This is often done
by means of a checklist or computer analysis program.
Profile of an incident type
Some of the GFTs, design, procedures and incompatible goals, score consistently high in all four of the particular incidents profiled. This means that in each incident, factors have been identified that were related to these GFTs. With respect to the profile of incident 1, design is a problem. Housekeeping, although a major problem area in incident 1, is only a minor problem once more than the first incident is analysed. It is suggested that about ten similar types of incidents be investigated and combined in a profile before far-reaching and possibly expensive corrective measures are taken.
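As an added example (not code from the original article, and not any ILO or PAS tooling), the following Python script carries out the aggregation this section describes: it counts categorized contributing factors per GFT across a set of incident reports, builds the combined profile, and separates the GFTs that are present in every incident from a GFT that merely dominates a single report. The four incident records and the thresholds used to flag a single-incident outlier are constructed for illustration; the eleven GFT codes are those of the table above.

```python
"""Aggregate categorized contributing factors into a GFT profile.

Added example, not the original page's code. Incident records and
thresholds below are constructed for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# The eleven General Failure Types from the table above, in table order.
GFT_CODES = ("DE", "HW", "PR", "EC", "HK", "TR", "IG", "CO", "OR", "MM", "DF")

# Constructed sample: each incident is the list of GFT codes an investigator
# assigned to its contributing factors. A code repeats when several factors
# of one incident map to the same GFT.
SAMPLE_INCIDENTS: Dict[str, List[str]] = {
    "inc-1": ["DE", "DE", "PR", "IG", "HK", "HK", "HK", "DF"],
    "inc-2": ["DE", "PR", "IG", "TR", "CO"],
    "inc-3": ["DE", "PR", "PR", "IG", "EC", "DF"],
    "inc-4": ["DE", "PR", "IG", "OR", "HW"],
}


def validate(codes: Iterable[str]) -> List[str]:
    """Reject codes outside the GFT table so a typo does not silently
    become a twelfth category in the profile."""
    out = []
    for code in codes:
        if code not in GFT_CODES:
            raise ValueError(f"unknown GFT code: {code!r}")
        out.append(code)
    return out


def incident_profile(codes: Iterable[str]) -> Dict[str, int]:
    """Count of contributing factors per GFT for one incident; zero
    entries are kept so every profile has the same eleven columns."""
    counts = Counter(validate(codes))
    return {g: counts.get(g, 0) for g in GFT_CODES}


def combined_profile(incidents: Dict[str, Iterable[str]]) -> Dict[str, int]:
    """Sum of the per-incident counts: the extent to which each GFT is
    present across the whole set of investigated incidents."""
    total: Counter = Counter()
    for codes in incidents.values():
        total.update(incident_profile(codes))
    return {g: total.get(g, 0) for g in GFT_CODES}


def consistent_gfts(incidents: Dict[str, Iterable[str]]) -> List[str]:
    """GFTs identified in every incident of the set. These are the
    structural candidates for corrective action."""
    profiles = [incident_profile(c) for c in incidents.values()]
    return [g for g in GFT_CODES if all(p[g] > 0 for p in profiles)]


def single_incident_outliers(
    incidents: Dict[str, Iterable[str]],
    min_total: int = 3,      # constructed threshold: ignore rarely seen GFTs
    min_share: float = 0.6,  # constructed threshold: one report holds most of the count
) -> List[Tuple[str, str]]:
    """(incident, GFT) pairs where a single incident supplies most of a
    GFT's total count: the 'housekeeping in incident 1' situation, which
    looks major in one report but minor in the combined profile."""
    total = combined_profile(incidents)
    flagged = []
    for name, codes in incidents.items():
        profile = incident_profile(codes)
        for g in GFT_CODES:
            if total[g] >= min_total and profile[g] / total[g] >= min_share:
                flagged.append((name, g))
    return flagged


def ready_for_action(incidents: Dict[str, Iterable[str]], minimum: int = 10) -> bool:
    """The text suggests about ten similar incidents before expensive
    corrective measures; report whether the set is that large."""
    return len(incidents) >= minimum


if __name__ == "__main__":
    combined = combined_profile(SAMPLE_INCIDENTS)
    print("combined profile:", {g: n for g, n in combined.items() if n})
    print("present in every incident:", consistent_gfts(SAMPLE_INCIDENTS))
    print("single-incident outliers:", single_incident_outliers(SAMPLE_INCIDENTS))
    print("enough incidents for corrective action:", ready_for_action(SAMPLE_INCIDENTS))
```

With the constructed sample, design, procedures and incompatible goals are present in all four incidents, housekeeping is flagged as an outlier carried entirely by incident 1, and the set is still below the ten-incident count the text recommends before acting.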
HARDWARE HAZARDS
This article addresses "machine" hazards, those which are specific to the appurtenances and hardware used in the industrial processes associated with pressure vessels, processing equipment, powerful machines and other intrinsically risky operations. It does not address worker hazards, which implicate the actions and behaviour of individuals, such as slipping on working surfaces, falling from elevations and hazards from using ordinary tools. Since machine hazards threaten anyone present and may even be a threat to neighbours and the external environment, the analysis methods and the means for prevention and control are similar to the methods used to deal with risks to the environment from industrial activities.
Machine Hazards
Good quality hardware is very reliable, and most failures are caused by secondary
effects like fire, corrosion, misuse and so on. Nevertheless, hardware may be
highlighted in certain incidents, because a failing hardware component is often the
most conspicuous or visibly prominent link of the chain of events. Although the term
hardware is used in a broad sense, illustrative examples of hardware failures and
their immediate “surroundings” in incident causation have been taken from industrial
workplaces. Typical candidates for investigation of “machine” hazards include but
are not limited to the following:
• pressure vessels and pipes
• motors, engines, turbines and other rotating machines
• chemical and nuclear reactors
• scaffolding, bridges, etc.
• lasers and other energy radiators
• cutting and drilling machinery, etc.
• welding equipment.
Effects of Energy
Hardware hazards can include wrong use, construction errors or frequent overload,
and accordingly their analysis and mitigation or prevention can follow rather
different directions. However, physical and chemical energy forms that elude human
control often exist at the heart of hardware hazards. Therefore, one very general
method to identify hardware hazards is to look for the energies that are normally
controlled with the actual piece of equipment or machinery, such as a pressure
vessel containing ammonia or chlorine. Other methods use the purpose or intended
function of the actual hardware as a starting point and then look for the probable
effects of malfunctions and failures. For example, a bridge failing to fulfil its primary
function will expose subjects on the bridge to the risk of falling down; other effects
of the collapse of a bridge will be the secondary ones of falling items, either
structural parts of the bridge or objects situated on the bridge. Further down the
chain of consequences, there may be derived effects related to functions in other
parts of the system that were dependent on the bridge performing its function
properly, such as the interruption of emergency response vehicular traffic to another
incident.
Industrial Work Environment
Machine hazards also involve load or stress factors that may be dangerous in the
long run, such as the following:
• extreme working temperatures
• high intensities of light, noise or other stimuli
• inferior air quality
• extreme job demands or workloads.
These hazards can be recognized and precautions taken because the dangerous
conditions are already present; they do not depend on some structural change in the
hardware, or on some special event, to cause damage or injury. Long-term hazards also
have specific sources in the working environment, but they must be identified and
evaluated by observing workers and their jobs, rather than just by analysing hardware
construction and function.
Dangerous hardware or machine hazards are usually exceptional and rather seldom
found in a sound working environment, but cannot be avoided completely. Several
types of uncontrolled energy, such as the following risk agents, can be the
immediate consequence of hardware malfunction:
• harmful releases of dangerous gas, liquids, dusts or other substances
• fire and explosion
• high voltages
• falling objects, missiles, etc.
• electric and magnetic fields
• cutting, trapping, etc.
• displacement of oxygen
• nuclear radiation, x rays and laser light
• flooding or drowning
• jets of hot liquid or steam.
Risk Agents
Moving objects. Falling and flying objects, liquid flows and jets of liquid or steam,
as listed above, are often the first external consequences of hardware or equipment
failure, and they account for a large proportion of incidents.
Chemical substances. Chemical hazards also contribute to worker incidents, as well
as affecting the environment and the public. Traffic incidents involving gasoline or
chemical delivery trucks or other dangerous goods transports unite two risk agents -
moving objects and chemical substances.
Electromagnetic energy. Electric and magnetic fields, x rays and gamma rays are all
manifestations of electromagnetism, but are often treated separately as they are
encountered under rather different circumstances. However, the dangers of
electromagnetism have some general traits: fields and radiation penetrate human
bodies instead of just making contact on the application area, and they cannot be
sensed directly, although very large intensities cause heating of the affected body
parts.
Triggering the Hardware Hazards
Both sudden and gradual shifts from the controlled - or “safe” - condition to one with
increased danger can come about through the following circumstances, which can
be controlled through appropriate organizational means such as user experience,
education, skills, surveillance and equipment testing:
• wear and overloads
• external influences (e.g., fire or impact)
• ageing and failure
• wrong supply (energy, raw materials)
• insufficient maintenance and repair
• control or process error
• misuse or misapplication
• hardware breakdown
• barrier malfunction.
Since proper operations cannot reliably compensate for improper design and
installation, it is important to consider the entire process, from selection and design
through installation, use, maintenance and testing, in order to evaluate the actual
state and conditions of the hardware item.
Hazard Case: The Pressurized Gas Tank
Gas can be contained in suitable vessels for storage or transport, like the gas and
oxygen cylinders used by welders. Often, gas is handled at high pressure, which greatly
increases the storage capacity but brings a higher incident risk. The key event in a
pressurized gas storage incident is the sudden creation of a hole in the tank, with
these results:
• the confinement function of the tank ceases
• the confined gas gets immediate access to the surrounding atmosphere.
The development of such an incident depends on these factors:
• the type and amount of gas in the tank
• the position of the hole in relation to the tank’s contents
• the initial size and subsequent growth rate of the hole
• the temperature and pressure of the gas and the equipment
• the conditions in the immediate environment (sources of ignition, people, etc.).
The tank contents can be released almost immediately or over a period of time, and
result in different scenarios, from the burst of free gas from a ruptured tank, to
moderate and rather slow releases from small punctures.
The behaviour of various gases in the case of leakage
When developing release calculation models, it is most important to determine the
following conditions affecting the system’s potential behaviour:
• the gas phase behind the hole (gaseous or liquid?)
• temperature and wind conditions
• the possible entry of other substances into the system or their possible presence in
its surroundings
• barriers and other obstacles.
The exact calculations pertaining to a release process where liquefied gas escapes
from a hole as a jet and then evaporates (or alternatively, first becomes a mist of
droplets) are difficult. The specification of the later dispersion of the resultant
clouds is also a difficult problem. Consideration must be given to the movements and
dispersion of gas releases, whether the gas forms visible or invisible clouds and
whether the gas rises or stays at ground level.
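The following script is an added example, not part of the original document, showing how the factors listed above (type of gas, tank pressure and temperature, hole size, and the phase behind the hole) enter the simplest release calculation: the initial mass flow rate of gas through a hole, using the standard ideal-gas orifice model with its choked and subsonic branches. The gas property table, the discharge coefficient of 0.62 and the scenarios are assumptions of this example. The model deliberately refuses the liquid-behind-the-hole case, since flashing liquid release is the harder problem the text refers to and this formula does not cover it.

```python
"""Estimate the initial mass release rate of gas through a hole in a
pressurised tank. Added example, not part of the original document.

Model (an assumption of this example): ideal gas, isentropic flow through a
sharp-edged orifice, gas phase behind the hole. It does not cover liquefied
gas flashing through the hole, which the text notes is a different and harder
problem, so that case is rejected explicitly.
"""
import math

R = 8.314          # J/(mol K)
P_ATM = 101_325.0  # Pa, ambient pressure

# Constructed gas table: molar mass (kg/mol) and heat-capacity ratio gamma.
GASES = {
    "ammonia": (0.01703, 1.31),
    "chlorine": (0.07090, 1.33),
    "air": (0.02897, 1.40),
}


def critical_pressure_ratio(gamma):
    """Tank/ambient pressure ratio above which the flow through the hole is choked (sonic)."""
    return ((gamma + 1) / 2) ** (gamma / (gamma - 1))


def is_choked(p_tank, gamma, p_amb=P_ATM):
    return p_tank / p_amb >= critical_pressure_ratio(gamma)


def release_rate(gas, p_tank, t_tank, hole_diameter, cd=0.62, p_amb=P_ATM, phase="gas"):
    """Initial mass flow rate through the hole in kg/s.

    gas: key of GASES; p_tank: absolute pressure in Pa; t_tank: K;
    hole_diameter: m; cd: discharge coefficient (0.62 for a sharp-edged
    orifice is an assumption of this example); phase: what is behind the hole.
    """
    if phase != "gas":
        raise ValueError("liquid behind the hole: this gas-flow model does not apply")
    if p_tank <= p_amb:
        return 0.0  # no driving pressure difference, nothing escapes
    m, gamma = GASES[gas]
    area = math.pi * (hole_diameter / 2) ** 2
    if is_choked(p_tank, gamma, p_amb):
        # Choked flow: the rate no longer depends on ambient pressure.
        term = (2 / (gamma + 1)) ** ((gamma + 1) / (2 * (gamma - 1)))
        return cd * area * p_tank * math.sqrt(gamma * m / (R * t_tank)) * term
    # Subsonic flow: the rate depends on the ambient/tank pressure ratio.
    r = p_amb / p_tank
    bracket = r ** (2 / gamma) - r ** ((gamma + 1) / gamma)
    return cd * area * p_tank * math.sqrt(2 * gamma / (gamma - 1) * m / (R * t_tank) * bracket)


if __name__ == "__main__":
    # Constructed scenarios: vapour space at 10 bar(a) and 20 degrees C, various holes.
    for d in (0.005, 0.010, 0.020):
        rate = release_rate("ammonia", 10e5, 293.15, d)
        print(f"ammonia, 10 bar, {d * 1000:.0f} mm hole: {rate:.3f} kg/s (choked)")
    print(f"chlorine, 10 bar, 10 mm hole: {release_rate('chlorine', 10e5, 293.15, 0.010):.3f} kg/s")
    print(f"air, 1.5 bar, 10 mm hole: {release_rate('air', 1.5e5, 293.15, 0.010):.4f} kg/s (subsonic)")
```

Two points the numbers make plain: above the critical pressure ratio (about 1.84 for ammonia, 1.89 for air) the rate is fixed by tank conditions alone, so weather and surroundings affect only the later dispersion, not the source; and since the rate scales with hole area, doubling the hole diameter quadruples the release, which is why the growth rate of the hole matters as much as its initial size.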
Tank strength is affected by the history of tank use - first of all by the normal
wearing processes and the scratches and corrosion attacks typical of the particular
industry and of the application. Other historical parameters of particular interest
include:
• casual overpressure
• extreme heating or cooling (internal or external)
• mechanical impacts
• vibrations and stress
• substances that have been stored in or have passed through the tank
• substances used during cleansing, maintenance and repair.
The construction material - steel plate, aluminium plate, concrete for non-
pressurized applications, and so on - can undergo deterioration from these influences
in ways that are not always possible to check without overloading or destroying the
equipment during testing.
Hazard Analysis
The methods that have been developed to find the risks that may be relevant to a
piece of equipment, to a chemical process or to a certain operation are referred to
as “hazard analysis”. These methods ask questions such as: “What may possibly go
wrong?” “Could it be serious?” and “What can be done about it?” Different methods
of conducting the analyses are often combined to achieve a reasonable coverage,
but no such set can do more than guide or assist a clever team of analysts in their
determinations. The main difficulties with hazard analysis are as follows:
• availability of relevant data
• limitations of models and calculations
• new and unfamiliar materials, constructions and processes
• system complexity
• limitations on human imagination
• limitations on practical tests.
To produce usable risk evaluations under these circumstances it is important to
stringently define the scope and the level of “ambitiousness” appropriate to the
analysis at hand; for example, it is clear that one does not need the same sort of
information for insurance purposes as for design purposes, or for the planning of
protection schemes and the construction of emergency arrangements. Generally
speaking, the risk picture must be filled in by mixing empirical techniques (i.e.,
statistics) with deductive reasoning and a creative imagination.
Different risk evaluation tools - even computer programs for risk analysis - can be
very helpful. The hazard and operability study (HAZOP) and failure mode and
effect analysis (FMEA) are commonly used methods for investigating hazards,
especially in the chemical industry. The point of departure for the HAZOP method is
the tracing of possible risk scenarios based on a set of guide words; for each
scenario one has to identify probable causes and consequences. In the second
stage, one tries to find means of reducing the probabilities or mitigating the
consequences of those scenarios judged to be unacceptable. Fault trees and event
trees, and the modes of logical analysis proper to incident causation structures and
probability reasoning, are in no way specific to the analysis of hardware hazards, as
they are general tools for system risk evaluation.
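The following script is an added example, not part of the original document, of the fault-tree reasoning mentioned above applied to the pressurized gas tank case: a small tree for a toxic gas release is evaluated exactly from independent basic-event probabilities, its minimal cut sets (the smallest combinations of basic events that produce the top event) are enumerated, and the rare-event approximation is compared with the exact value. The tree structure and all probabilities are constructed for illustration, not measured data.

```python
"""Fault-tree evaluation for a hardware hazard. Added example, not part of
the original document; the tree and its basic-event probabilities are
constructed for illustration and are not measured data.

Top event: toxic gas release from an ammonia storage tank.
"""
from itertools import product

# Gate nodes: (gate type, children). Basic events carry the probability of
# occurring over the analysis period (constructed values).
TREE = {
    "gas release":  ("OR",  ["tank rupture", "transfer hose failure"]),
    "tank rupture": ("AND", ["overpressure", "relief valve fails"]),
    "overpressure": ("OR",  ["overfill", "external fire"]),
}
BASIC = {
    "overfill": 0.01,
    "external fire": 0.002,
    "relief valve fails": 0.05,
    "transfer hose failure": 0.005,
}


def probability(node, tree=TREE, basic=BASIC):
    """Exact probability of `node`, assuming independent basic events and no
    basic event shared between branches (true for this tree)."""
    if node in basic:
        return basic[node]
    gate, children = tree[node]
    ps = [probability(c, tree, basic) for c in children]
    if gate == "AND":          # all children must occur
        p = 1.0
        for q in ps:
            p *= q
        return p
    if gate == "OR":           # at least one child occurs
        q = 1.0
        for pi in ps:
            q *= 1.0 - pi
        return 1.0 - q
    raise ValueError(f"unknown gate {gate}")


def cut_sets(node, tree=TREE, basic=BASIC):
    """Minimal cut sets of `node`: smallest sets of basic events that cause it."""
    if node in basic:
        return [frozenset([node])]
    gate, children = tree[node]
    child_sets = [cut_sets(c, tree, basic) for c in children]
    if gate == "OR":
        sets = [s for cs in child_sets for s in cs]
    else:  # AND: take one cut set from every child and combine them
        sets = [frozenset().union(*combo) for combo in product(*child_sets)]
    # Drop any set that strictly contains another (not minimal).
    minimal = [s for s in sets if not any(o < s for o in sets)]
    return sorted(set(minimal), key=lambda s: (len(s), sorted(s)))


def rare_event_approx(sets, basic=BASIC):
    """Sum over cut sets of the product of their event probabilities; this
    slightly overestimates the exact value and is acceptable when all are small."""
    total = 0.0
    for s in sets:
        p = 1.0
        for e in s:
            p *= basic[e]
        total += p
    return total


if __name__ == "__main__":
    top = "gas release"
    print(f"P({top}) exact = {probability(top):.6f}")
    sets = cut_sets(top)
    for s in sets:
        print("  cut set:", " AND ".join(sorted(s)))
    print(f"P({top}) rare-event approximation = {rare_event_approx(sets):.6f}")
```

The cut sets are what a practitioner acts on: here the single-event set {transfer hose failure} dominates the result, so a hose inspection regime buys more than a second relief valve, which only shrinks the two-event sets. The exact and approximate figures agree to about one part in a hundred at these probabilities; the approximation drifts upward as basic-event probabilities grow.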
Tracing hardware hazards in an industrial plant
To identify possible hazards, information on construction and function can be sought
from:
• actual equipment and plant
• substitutes and models
• drawings, electrical diagrams, piping and instrumentation (P/I) diagrams, etc.
• process descriptions
• control schemes
• operation modes and phases
• work orders, change orders, maintenance reports, etc.
By selecting and digesting such information, analysts form a picture of the risk
object itself, its functions and its actual use. Where things are not yet constructed -
or unavailable for inspection - important observations cannot be made and the
evaluation must be based entirely on descriptions, intentions and plans. Such
evaluation might seem rather poor, but in fact, most practical risk evaluations are
made this way, either in order to seek authoritative approval for applications to
undertake new construction, or to compare the relative safety of alternative design
solutions. Real life processes will be consulted for the information not shown on the
formal diagrams or described verbally by interview, and to verify that the information
gathered from these sources is factual and represents actual conditions. These