A General Theory of System Safety

Uploaded On 2019-12-13

Presentation Transcript

A General Theory of System Safety
David R. Sadler, MSSE, BSME
Department of the Navy, Naval Ordnance Safety and Security Activity, Indian Head, Maryland, USA

Energy is a Hazard: Some Examples
Heat - 22 known deaths due to hot springs in Yellowstone National Park since 1890
Radiant - 1 known death due to Therac-25 radiation overdose of patients
Nuclear - Sodium Reactor Experiment, 1959, complete loss of reactor
Chemical - 15 deaths at BP Texas City, TX, 2005 isomerization unit explosion
Mechanical - 55 known deaths due to falling into the Grand Canyon, AZ
Electrical - 82 electrocutions reported by USA Department of Labor for 2016
Loss of control of sufficient energy will produce a Catastrophic Mishap.

The Theory Energy is the universal hazard for catastrophic mishaps. This theory is limited to catastrophic mishaps.

What is a Hazard... It Depends
Canada's National Centre for Occupational Health and Safety, CSA Z1002 / Hazard: A hazard is any source of potential damage, harm or adverse health effects on something or someone.
USA Department of Defense, MIL-STD-882E / Hazard: A real or potential condition that could lead to an unplanned event or series of events (i.e. mishap) resulting in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.
USA Civilian, ANSI/ASSE Z10-2012 (2017) / Hazard: A condition, set of circumstances, or inherent property that can cause injury, illness, or death.

What is Catastrophic... It also Depends
The definition of catastrophic harm depends on history, social customs, politics, and/or a given legal system(s). So the paper defines it as: a Catastrophic Mishap is any event(s) that produces or results in harm that is beyond the available resources for recovery.

What We Know About Risks
RISK by Dr. John Adams, Routledge, 2001. Dr. Adams is a Professor at University College London and has been considering and writing about risk for decades.
[Figure: nested sets of chemical substances.] White oval - chemicals with a proven link to cancer. White square - chemicals tested for a link to cancer. Black space - the set of known chemical substances.

Energy is Conserved but Not Inert
Le Chatelier's principle: if a system in equilibrium is disturbed, the system will adjust itself to minimize the effect of the disturbance.

Risk Assessments
A typical risk assessment starts by collecting information / identifying hazards. Low frequency hazards are difficult to model because we have limited understanding. Common hazards produce lots of data. From data we can learn. Building codes are an example of this learning process.

Risk Assessments - Learning
[Figure: old code handrail versus new code handrail.] WHY? Lots of data, frequent events, forensic analysis.

Catastrophic Mishaps
The linkage between the hazard, causal event(s), and catastrophic mishap is obscured by:
1] Risk: difficult to rigorously or universally define harm.
2] Cognitive Dissonance: difficult to identify and control.
3] Low Probability: difficult to model and support the predictions.

Why are Catastrophic Hazards Hard?
Energy Trace and Barrier Analysis (Accident Investigation): focus on consequences versus causal factors. Not expected to identify ignition sources, explosive vapors, logical errors, or the effects of multiple component failures.
Failure Modes and Effects Analysis (Reliability Analysis): focus on single point failures. Not expected to identify multiple point failures.
Dr. William Haddon (Not Predictive): all car injuries are the result of energy delivery to the body. Forensically driven risk mitigations based on lots of data.
None were developed as a safety risk assessment tool. No gap analysis.

Energy Universal Hazard for Catastrophic Mishaps
Energy as the universal hazard for catastrophic mishaps changes the way one identifies risk.

Energy Universal Hazard for Catastrophic Mishaps
Boundary: defines what is within the system.
Environment: everything outside the boundary that interacts with the system or is influenced by the system.
[Figure: control volume with mass M entering at P1, T1 and leaving at P2, T2; work and loss cross the boundary.]

Energy Universal Hazard for Catastrophic Mishaps
Stepping Through the Risk Assessment
# 1 Define the system and boundaries
# 2 Define the amounts and types of energy, within the system boundary and crossing the system boundary
# 3 Define energy states and uses
# 4 Identify all targets that can be catastrophically harmed
# 5 Identify linkage between energy and catastrophic targets
# 6 Identify and assess risk(s)

Energy Universal Hazard for Catastrophic Mishaps: Boeing 747 Center Fuel Tank
# 1 Define the system and boundaries
System boundary: the tank. (Example does not consider the structure / grounding.)
Crossing the boundary: fuel lines in and out; instrumentation; power; controls; air ventilation.
Within the boundary: fuel and air.

# 2 Define the amounts and types of energy, within the system boundary and crossing the system boundary
1] AC Power
2] DC Power
3] Fuel/Air

# 3 Define energy states and uses
1] AC Power (Amps/Volts)
2] DC Power (Amps/Volts)
3] Fuel/Air (liquid/vapor mix)
Uses: fuel pumps, sensors (make plane go).

# 4 Identify all targets that can be catastrophically harmed
Targets: People

# 5 Identify linkage between energy and catastrophic targets
Linkage: Boeing 747

# 6 Identify and assess risk(s)
Catastrophic risks: fire, explosion.
Controls: electrical insulation; breakers and switches.

Recap of Catastrophic ID and Assessment
Searched for energy within and crossing the boundary of a B-747 center fuel tank.
Documented the amounts, energy states, and uses.
Identified the targets of energy release.
Identified the link between targets and energy release.
Assessed risk: fire or fuel/air explosion; low frequency event; loss of life, a catastrophic outcome.
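The six steps and the center-tank walk-through above, written out as a small Python model so the bookkeeping can be checked mechanically. This is an added example, not code from the talk or from the author: the data classes, the numeric harm/recovery scale, the assignment of AC power to the pumps and DC power to the sensors, and the wording of the ignition mechanisms are assumptions made for illustration. Its gap check reports the things the slides say the other methods do not look for: an energy source with no linkage to any target, a linkage to an undocumented source or target, and a catastrophic linkage with no control.

```python
from dataclasses import dataclass, field


@dataclass
class EnergySource:
    name: str
    kind: str        # step 2: type of energy (electrical, chemical, ...)
    amount: str      # step 2: amount as documented; the slides give none
    location: str    # step 2: "within", "crossing" or "both"
    state: str       # step 3: energy state (AC, DC, liquid/vapor mix, ...)
    use: str         # step 3: what the energy does for the system


@dataclass
class Target:
    name: str
    # Harm above this level is "beyond the available resources for recovery",
    # the paper's definition of catastrophic. Illustrative scale (assumption):
    # 1.0 = loss of life, 0.0 = nothing can be recovered.
    recovery_capacity: float


@dataclass
class Linkage:
    source: str              # EnergySource.name
    target: str              # Target.name
    mechanism: str           # how released energy reaches the target
    potential_harm: float    # same scale as Target.recovery_capacity
    controls: list[str] = field(default_factory=list)


@dataclass
class SystemModel:
    name: str
    boundary: str
    sources: list[EnergySource] = field(default_factory=list)
    targets: list[Target] = field(default_factory=list)
    linkages: list[Linkage] = field(default_factory=list)

    def catastrophic_risks(self) -> list[dict]:
        """Step 6. A linkage is catastrophic when the harm it can deliver
        exceeds what the target can recover from. No frequency is estimated
        from data; the method assumes low frequency for every such risk."""
        by_name = {t.name: t for t in self.targets}
        risks = []
        for ln in self.linkages:
            tgt = by_name.get(ln.target)
            if tgt is not None and ln.potential_harm > tgt.recovery_capacity:
                risks.append({
                    "source": ln.source, "target": ln.target,
                    "mechanism": ln.mechanism, "severity": "catastrophic",
                    "frequency": "low (assumed)", "controls": list(ln.controls),
                })
        return risks

    def gaps(self) -> list[str]:
        """Gap analysis: every energy source must be linked to a target,
        every linkage must name a known source and target, and every
        catastrophic linkage needs at least one control."""
        source_names = {s.name for s in self.sources}
        target_names = {t.name for t in self.targets}
        linked = {ln.source for ln in self.linkages}
        gaps = [f"step 5: energy source '{s.name}' is not linked to any target"
                for s in self.sources if s.name not in linked]
        for ln in self.linkages:
            if ln.source not in source_names:
                gaps.append(f"step 2: linkage names unknown energy source '{ln.source}'")
            if ln.target not in target_names:
                gaps.append(f"step 4: linkage names unknown target '{ln.target}'")
        for r in self.catastrophic_risks():
            if not r["controls"]:
                gaps.append(f"step 6: catastrophic risk '{r['source']}' -> "
                            f"'{r['target']}' ({r['mechanism']}) has no control")
        return gaps


def boeing_747_center_tank() -> SystemModel:
    """Steps 1 to 5 for the 747 center fuel tank as laid out on the slides.
    Supply-to-load assignment, harm values and mechanism wording are
    assumptions added for this example."""
    m = SystemModel(name="Boeing 747 center fuel tank",
                    boundary="tank; structure and grounding not considered")
    m.sources = [
        EnergySource("AC power", "electrical", "amps/volts (not quantified)",
                     "crossing", "AC", "fuel pumps (assumed)"),
        EnergySource("DC power", "electrical", "amps/volts (not quantified)",
                     "crossing", "DC", "sensors (assumed)"),
        EnergySource("Fuel/Air", "chemical", "tank contents (not quantified)",
                     "both", "liquid/vapor mix", "make plane go"),
    ]
    m.targets = [Target("People", recovery_capacity=0.0)]
    m.linkages = [
        Linkage("AC power", "People", "arc in tank wiring ignites fuel vapor",
                1.0, ["electrical insulation", "breakers and switches"]),
        Linkage("DC power", "People", "arc in tank wiring ignites fuel vapor",
                1.0, ["electrical insulation", "breakers and switches"]),
        # The slides list no control on the fuel/air mix itself.
        Linkage("Fuel/Air", "People", "fire or fuel/air explosion in the tank", 1.0),
    ]
    return m


if __name__ == "__main__":
    model = boeing_747_center_tank()
    for risk in model.catastrophic_risks():
        print(risk)
    for gap in model.gaps():
        print("GAP:", gap)
```

Run as a script it lists three catastrophic risks (one per energy source, each with the assumed low frequency) and one gap: the fuel/air linkage has no control listed. Dropping a linkage or naming a source or target that was never documented in steps 2 and 4 is reported as a gap against the step that should have caught it, which is the completeness check the slides say ETBA and FMEA do not provide.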

Energy Universal Hazard for Catastrophic Mishaps: Boeing 747 Center Fuel Tank
TWA Flight 800, New York, 17 July 1996: at about 4.5 km the plane exploded. All 230 people died. Fuel/air event in the center fuel tank.
[Diagram as on the preceding slides: tank system boundary; fuel lines in and out; instrumentation (fuel pumps, sensors); power; controls; fuel and air; air ventilation. Energy: AC power (amps/volts), DC power (amps/volts), fuel/air liquid/vapor mix. Targets: people. Linkage: Boeing 747.]

We Tend to Not Repeat the Same Catastrophe Twice... sort of
Problems with the aircraft's [Flight 800] wiring were found, including evidence of arcing in the Fuel Quantity Indication System (FQIS) wiring which enters the tank. The FQIS on Flight 800 is known to have been malfunctioning. As a result of the investigation, new requirements were developed for aircraft to prevent future fuel tank explosions.
Lowery, Joan (July 16, 2008). "Jet fuel-tank protection ordered". Seattle Post-Intelligencer. The Associated Press. Retrieved April 5, 2011.

Energy Universal Hazard for Catastrophic Mishaps
It is easy to embrace all the analysis we can do: PHA, SRHA, ETBA, O&SHA, Naked Man, Fault Tree... None of them are catastrophic-centric. There is software safety, system safety, regulation-based safety, and other types of safety professionals. Safety professionals of all kinds need to have energy as the hazard for catastrophic mishaps as part of their safety perspective. What theory and method do you use to identify low frequency catastrophic mishaps?

Energy Universal Hazard for Catastrophic Mishaps
Pros: not dependent on the sample size for risk assessment; hazard is defined by energy amounts and targets; frequency of occurrence is assumed to be low.
Challenges: defining the boundary; identifying all sources of energy; identifying all energy/target linkages.

Energy Universal Hazard for Catastrophic Mishaps
Questions / Comments: David R. Sadler, System Safety Engineer, 3817 Strauss Ave, Suite 108, Indian Head, MD 20640-5151, telephone (301) 744-6073, email David.R.Sadler@navy.mil.

David Sadler's Bio
David Sadler has over 25 years of safety experience in private industry and the Department of Defense; he is a Mechanical Engineer and Electronics Engineer and holds a master's in System Safety Engineering. He has received numerous awards recognizing his contributions, including the Secretary of the Navy Safety Excellence Award, Senate Productivity Award, and the Naval Sea Systems Command Star Award, as well as recognition for saving the life of a co-worker. His career includes deployment of safety critical software on United States Navy (USN) ships, development and testing of weapon systems aboard USN ships, published works in safety, a safety patent, Principal for Safety, Warfare System Engineer for CVN21, and Weapon System Explosives Safety Review Board member for the Naval Ordnance Safety and Security Activity. David is an expert in the identification and analysis of risk, risk management, and near miss