Hazards, Mishap, and Risk

2.1 INTRODUCTION

In order to design in safety, hazards must be designed out (eliminated) or mitigated (reduced in risk). Hazard identification is a critical system safety function, and thus the correct understanding and appreciation of hazard theory is critical. This chapter focuses on what constitutes a hazard in order that hazards can be recognized and understood during the hazard identification, evaluation, and mitigation processes.

Hazard analysis provides the basic foundation for system safety. Hazard analysis is performed to identify hazards, hazard effects, and hazard causal factors. Hazard analysis is used to determine system risk, to determine the significance of hazards, and to establish design measures that will eliminate or mitigate the identified hazards. Hazard analysis is used to systematically examine systems, subsystems, facilities, components, software, personnel, and their interrelationships, with consideration given to logistics, training, maintenance, test, modification, and operational environments.

To effectively perform hazard analyses, it is necessary to understand what comprises a hazard, how to recognize a hazard, and how to define a hazard. To develop the skills needed to identify hazards and hazard causal factors, it is necessary to understand the nature of hazards, their relationship to mishaps, and their effect upon system design.

Many important hazard-related concepts will be presented in this chapter, which will serve as building blocks for hazard analysis and risk evaluation. In sum and substance, humans inherently create the potential for mishaps. Potential mishaps exist as hazards, and hazards exist in system designs. Hazards are actually designed into the systems we design, build, and operate. In order to perform hazard analysis, the analyst must first understand the nature of hazards. Hazards are predictable, and what can be predicted can also be eliminated or controlled.


Hazard Analysis Techniques for System Safety, by Clifton A. Ericson, II. Copyright © 2005 John Wiley & Sons, Inc.

2.2 HAZARD-RELATED DEFINITIONS

The overall system safety process is one of mishap risk management, whereby safety is achieved through the identification of hazards, the assessment of hazard mishap risk, and the control of hazards presenting unacceptable risk. This is a closed-loop process, where hazards are identified, mitigated, and tracked until acceptable closure action is implemented and verified. System safety should be performed in conjunction with actual system development in order that the design can be influenced by safety during the design development process, rather than trying to enforce more costly design changes after the system is developed.

In theory this sounds simple, but in actual practice a common stumbling block is the basic concept of what comprises a hazard, a hazard causal factor (HCF), and a mishap. It is important to clearly understand the relationship between a hazard and an HCF when identifying, describing, and evaluating hazards. To better understand hazard theory, let us start by looking at some common safety-related definitions.

Accident

1. An undesirable and unexpected event; a mishap; an unfortunate chance or event (dictionary).

2. Any unplanned act or event that results in damage to property, material, equipment, or cargo, or personnel injury or death when not the result of enemy action (Navy OP4 & OP5).

Mishap

1. An unfortunate accident (dictionary).

2. An unplanned event or series of events resulting in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment (MIL-STD-882D).

3. An unplanned event or series of events resulting in death, injury, occupational illness, or damage to or loss of equipment or property, or damage to the environment. Accident. (MIL-STD-882C). [Note the last word “accident” in the definition.]

Hazard

1. To risk; to put in danger of loss or injury (dictionary).

2. Any real or potential condition that can cause injury, illness, or death to personnel; damage to or loss of a system, equipment or property; or damage to the environment (MIL-STD-882D).

3. A condition that is a prerequisite for an accident (Army AR 385-16).


Risk

1. Hazard; peril; jeopardy (dictionary).

2. An expression of the impact and possibility of a mishap in terms of potential mishap severity and probability of occurrence (MIL-STD-882D).

Note both the differences and similarities between the above definitions. It should be apparent from these definitions that there is no significant differentiation between a mishap and an accident, and these terms can be used interchangeably. To be consistent with MIL-STD-882D terminology, the term mishap will be preferred over the term accident.

The dictionary definition states that an accident or mishap is a random chance event, which gives a sense of futility by implying that hazards are unpredictable and unavoidable. System safety, on the other hand, is built upon the premise that mishaps are not random events; instead they are deterministic and controllable events. Mishaps and accidents do not just happen; they are the result of a unique set of conditions (i.e., hazards), which are predictable when properly analyzed. A hazard is a potential condition that can result in a mishap or accident, given that the hazard occurs. This means that mishaps can be predicted via hazard identification. And, mishaps can be prevented or controlled via hazard elimination, control, or mitigation measures. This viewpoint provides a sense of control over the systems we develop and utilize.

2.3 HAZARD THEORY

Per the system safety definitions, a mishap is an actual event that has occurred and resulted in death, injury, and/or loss; and a hazard is a potential condition that can potentially result in death, injury, and/or loss. These definitions lead to the principle that a hazard is the precursor to a mishap; a hazard defines a potential event (i.e., mishap), while a mishap is the occurred event. This means that there is a direct relationship between a hazard and a mishap, as depicted in Figure 2.1.

The concept conveyed by Figure 2.1 is that a hazard and a mishap are two separate states of the same phenomenon, linked by a state transition that must occur.

[Figure 2.1 Hazard–mishap relationship. “Before” state: the hazard (potential conditions), whose elements are the hazard components and the risk factors. A state transition leads to the “after” state: the mishap (actual consequences).]


You can think of these states as the before and after states. A hazard is a “potential event” at one end of the spectrum that may be transformed into an “actual event” (the mishap) at the other end of the spectrum based upon the state transition. An analogy might be water, where water is one entity, but it can be in a liquid state or a frozen state, and temperature is the transitional factor.

Figure 2.2 illustrates the hazard–mishap relationship from a different perspective. In this viewpoint, a hazard and a mishap are at opposite ends of the same entity. Again, some transitional event causes the change from the conditional hazard state to the actualized mishap state. Note that both states look almost the same, the difference being that the verb tense has changed from referring to a future potential event to referring to the present actualized event, where some loss or injury has been experienced. A hazard and a mishap are the same entity, only the state has changed, from a hypothesis to a reality.

Mishaps are the immediate result of actualized hazards. The state transition from a hazard to a mishap is based on two factors: (1) the unique set of hazard components involved and (2) the mishap risk presented by the hazard components. The hazard components are the items comprising a hazard, and the mishap risk is the probability of the mishap occurring and the severity of the resulting mishap loss.

Mishap risk is a fairly straightforward concept, where risk is defined as:

$$\text{Risk} = \text{probability} \times \text{severity}$$

The mishap probability factor is the probability of the hazard components occurring and transforming into the mishap. The mishap severity factor is the overall consequence of the mishap, usually in terms of loss resulting from the mishap (i.e., the undesired outcome). Both probability and severity can be defined and assessed in either qualitative terms or quantitative terms. Time is factored into the risk concept through the probability calculation of a fault event, for example, $P_{\text{FAILURE}} = 1.0 - e^{-\lambda T}$, where $T$ = exposure time and $\lambda$ = failure rate.

The hazard component concept is a little more complex in definition. A hazard is an entity that contains only the elements necessary and sufficient to result in a mishap. The components of a hazard define the necessary conditions for a mishap and the end outcome or effect of the mishap.

A hazard is comprised of the following three basic components:

1. Hazardous Element (HE). This is the basic hazardous resource creating the impetus for the hazard, for example a hazardous energy source, such as explosives, being used in the system.

2. Initiating Mechanism (IM). This is the trigger or initiator event(s) causing the hazard to occur. The IM causes actualization or transformation of the hazard from a dormant state to an active mishap state.

3. Target and Threat (T/T). This is the person or thing that is vulnerable to injury and/or damage, and it describes the severity of the mishap event. This is the mishap outcome and the expected consequential damage and loss.

The three components of a hazard form what is known in system safety as the hazard triangle, as illustrated in Figure 2.3.

The hazard triangle illustrates that a hazard consists of three necessary and coupled components, each of which forms the side of a triangle. All three sides of the triangle are essential and required in order for a hazard to exist. Remove any one of the triangle sides and the hazard is eliminated because it is no longer able to produce a mishap (i.e., the triangle is incomplete). Reduce the probability of the IM triangle side and the mishap probability is reduced. Reduce an element in the HE or the T/T side of the triangle and the mishap severity is reduced. This aspect of a hazard is useful when determining where to mitigate a hazard.

[Figure 2.3 Hazard triangle. The hazard is the triangle formed by three sides: the Initiating Mechanism, the Hazardous Element, and the Target/Threat.]


Table 2.1 provides some example items and conditions for each of the three hazard components. To demonstrate the hazard component concept, consider a detailed breakdown of the following example hazard: “Worker is electrocuted by touching exposed contacts in electrical panel containing high voltage.” Figure 2.4 shows how this hazard is divided into the three necessary hazard components.

Note in this example that all three hazard components are present and can be clearly identified. In this particular example there are actually two IMs involved. The T/T defines the mishap outcome, while the combined HE and T/T define the mishap severity. The HE and IM are the HCFs and define the mishap probability. If the high-voltage component can be removed from the system, the hazard is eliminated. If the voltage can be reduced to a lower, less harmful level, then the mishap severity is reduced.
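The risk formula and the electrocution hazard just decomposed, as an added example that is not from the book: a small Python model of the hazard triangle (HE, IMs, T/T) that derives each IM's probability from $P = 1 - e^{-\lambda T}$, takes the mishap probability as the product of the IM probabilities (assuming the IMs are independent), and shows the three mitigation routes of the hazard triangle: removing a side eliminates the hazard, cutting an IM rate lowers the mishap probability, and lowering the HE amount lowers the severity. All failure rates, exposure times and severity scores are constructed values.

```python
import math
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class InitiatingMechanism:
    """One IM side of the hazard triangle; rate and exposure are constructed values."""
    name: str
    failure_rate: float    # lambda, occurrences per hour (constructed)
    exposure_time: float   # T, hours of exposure (constructed)

    def probability(self) -> float:
        # Fault-event probability used in the chapter: P_FAILURE = 1 - e^(-lambda*T)
        return 1.0 - math.exp(-self.failure_rate * self.exposure_time)


@dataclass
class Hazard:
    """HE + IMs + T/T, plus a constructed ordinal severity score for the T/T outcome."""
    hazardous_element: Optional[str]
    initiating_mechanisms: List[InitiatingMechanism]
    target_threat: Optional[str]
    severity: float   # 4 = catastrophic ... 1 = negligible (constructed scale)

    def exists(self) -> bool:
        # A hazard exists (P = 1) only with all three triangle sides present; else P = 0
        return bool(self.hazardous_element and self.initiating_mechanisms
                    and self.target_threat)

    def mishap_probability(self) -> float:
        # All IMs must occur for the hazard to transition to a mishap (Figure 2.5);
        # the IMs are assumed independent, so P(mishap) is the product of IM probabilities
        if not self.exists():
            return 0.0
        p = 1.0
        for im in self.initiating_mechanisms:
            p *= im.probability()
        return p

    def risk(self) -> float:
        # Risk = probability x severity
        return self.mishap_probability() * self.severity


def electrocution_hazard() -> Hazard:
    """The chapter's panel hazard split into HE, two IMs and T/T (numbers constructed)."""
    return Hazard(
        hazardous_element="high voltage in electrical panel",
        initiating_mechanisms=[
            InitiatingMechanism("contacts left exposed", 1e-3, 1000.0),
            InitiatingMechanism("worker touches contact", 1e-4, 1000.0),
        ],
        target_threat="worker electrocuted",
        severity=4.0,
    )


def remove_hazardous_element(h: Hazard) -> Hazard:
    # Remove one triangle side (design the high voltage out): the hazard is eliminated
    return replace(h, hazardous_element=None)


def reduce_initiating_mechanism(h: Hazard, name: str, factor: float) -> Hazard:
    # Cut one IM's rate (e.g. an interlocked panel cover): mishap probability drops
    ims = [replace(im, failure_rate=im.failure_rate / factor) if im.name == name else im
           for im in h.initiating_mechanisms]
    return replace(h, initiating_mechanisms=ims)


def reduce_severity(h: Hazard, severity: float) -> Hazard:
    # Lower the HE amount (reduce the voltage): probability unchanged, severity reduced
    return replace(h, severity=severity)
```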

Key hazard theory concepts to remember are:

• Hazards result in (i.e., cause) mishaps.

• Hazards are (inadvertently) built into a system.

• Hazards are recognizable by their components.

• A design flaw can be a mishap waiting to happen.

• A hazard will occur according to the hazard components involved.

• A hazard is a deterministic entity and not a random event.

• Hazards (and mishaps) are predictable and, therefore, are preventable or controllable.

TABLE 2.1 Example Hazard Components

Hazardous Element     Initiating Mechanism                              Target/Threat
Ordnance              Inadvertent signal; radio frequency (RF) energy   Explosion; death/injury
High-pressure tank    Tank rupture                                      Explosion; death/injury
Fuel                  Fuel leak and ignition source                     Fire; loss of system; death/injury
High voltage          Touching an exposed contact                       Electrocution; death/injury

[Figure 2.4 Example of hazard components. Hazard: “Worker could be electrocuted by touching exposed contacts in electrical panel containing high voltage.” Hazard components: “Worker could be electrocuted” is the T/T (outcome); “by touching” is an IM and “exposed contacts in electrical panel” is an IM; “containing high voltage” is the HE (the IMs and HE are the causal factors).]


2.4 HAZARD ACTUATION

Mishaps are the immediate result of actualized hazards. The state transition from a hazard to a mishap is based on two factors: (1) the unique set of hazard components involved and (2) the mishap risk presented by the hazard components. The hazard components are the items comprising a hazard, and the mishap risk is the probability of the mishap occurring and the severity of the resulting mishap loss.

Figure 2.5 depicts a hazard using the analogy of a molecule, which is comprised of one or more atoms. The molecule represents a hazard, while the atoms represent the three types of components that make up the molecule. The concept is that a hazard is a unique entity, comprised of a unique set of components, similar to a molecule. This set of components consists of three specific required elements: an HE, IM, and T/T. All three specific elements are required, but each element can be one, or more, in quantity. The molecule model indicates that there is no particular order between the hazard components; they all merely exist within the hazard.

When the components within the hazard are in a specific alignment, the hazard transitions from a conditional state to a mishap state. This viewpoint shows that all of the randomly oriented hazard components must line up (or occur) in the correct sequence before the mishap actually occurs. The cause of this sequence of events determines the mishap probability, while the T/T determines the mishap severity. The HE is always present, and the mishap occurs only when the IMs force the transition.

Figure 2.6 presents another way of viewing the hazard–mishap relationship. The spinning wheels represent all of the components forming a particular hazard. Only when the timing is right, and all of the holes in the wheels line up perfectly, does the hazard move from a potential to an actual mishap.

[Figure 2.5 Hazard–mishap actuation (view 1). Hazard: the HE, IM1, IM2, IM3 and T/T sit randomly oriented within the hazard. Hazard actuation: the hazard IMs must all occur, with unique timing. Mishap: HE, IM1, IM2, IM3 and T/T aligned.]


There are two key points to remember about the hazard–mishap transition process. One, there is generally some sort of energy buildup in the transition phase, which ultimately causes the mishap damage. Two, there is usually a point of no return for the mishap, where there is no possibility of it being reversed. Each individual hazard is unique, and therefore this time period is unique to every hazard.

Figure 2.7 illustrates the hazard–mishap state transition. During the transition phase, the energy buildup occurs as the IMs are occurring. This could also be viewed as the elements of a function being completed, or a functional buildup occurring in a rapid or slow process. It is during this time period that the levels of safety are degrading and the transition process reaches a point of no return, where the hazard becomes irreversible.

A system is designed and built to a specification for the purpose of performing an intended function or functions. But, a system can also contain an inherent design flaw that is capable of performing an unintended and undesirable function. It is this design flaw that provides the necessary events and conditions that comprise a hazard. Quite often this design flaw (hazard) is hidden from the designers because it is not always obvious. These hazards can only be discovered and identified through hazard analysis.

Mishaps do not just happen, they are the result of design flaws inadvertently built into the system design. Thus, in a sense mishaps are predictable events. If a hazard is eliminated or mitigated, the corresponding mishap is also eliminated or controlled. Therefore, hazard identification and control, via hazard analysis, is the key to mishap prevention.

[Figure 2.6 Hazard–mishap actuation (view 2). The hazard condition (HE, IM1, T/T) passes through actuation, governed by timing, to become the mishap event (HE, IM1, T/T).]

[Figure 2.7 Hazard–mishap actuation transition. Hazard state (condition); transition phase (time; energy or function buildup; point of no return is reached; levels of safety degraded); mishap state (event).]

2.5 HAZARD CAUSAL FACTORS

There is a difference between why hazards exist and how they exist. The basic reasons why hazards exist are: (1) they are unavoidable because hazardous elements must be used in the system, and/or (2) they are the result of inadequate design safety consideration. Inadequate design safety consideration results from poor or insufficient design or the incorrect implementation of a good design. This includes inadequate consideration given to the potential effect of hardware failures, sneak paths, software glitches, human error, and the like. HCFs are the specific items responsible for how a unique hazard exists in a system.

Figure 2.8 depicts the overall HCF model. This model correlates all of the factors involved in hazard–mishap theory. The model illustrates that hazards create the potential for mishaps, and mishaps occur based on the level of risk involved (i.e., hazards and mishaps are linked by risk). The three basic hazard components define both the hazard and the mishap. The three basic hazard components can be further broken into major hazard causal factor categories, which are: (1) hardware, (2) software, (3) humans, (4) interfaces, (5) functions, and (6) the environment. Finally, the causal factor categories are refined even further into the actual specific detailed causes, such as a hardware component failure mode.

[Figure 2.8 Hazard causal factor model. The hazard (HE, IM, T/T) is linked by risk to the mishap. Level 1: hazard components. Level 2: causal factor categories (hardware, software, human, interface, function, environment; the HE side also lists material, chemical, and energy) and T/T or outcome categories (human, hardware, environment, system; proximity, exposure, protection, etc.). Level 3: specific causes (failure mode, software error, timing error, human error, design error, etc.).]

Figure 2.8 illustrates how hazard HCFs can be viewed at three different levels:

Level 1: Top Layer. The three hazard components (HE, IM, T/T).

Level 2: Midlevel. The HCF categories [hardware, software, human system integration (HSI), environment, functions, interfaces].

Level 3: Bottom Level. The detailed specific causes (failure modes, errors, etc.).

The top-level hazard HCF categories define the basic root cause sources for all hazards. The first step in HCF identification is to identify the category and then identify the detailed specifics in each category, such as specific hardware component failures, operator errors, software error, and the like. High-level hazards in a preliminary hazard analysis (PHA) might identify root causes at the HCF category level, while a more detailed analysis, such as the subsystem hazard analysis (SSHA), would identify the specific detailed causes at the component level, such as specific component failure modes. A hazard can be initially identified from the causal sources without knowing the specific detailed root causes. However, in order to determine the mishap risk and the hazard mitigation measures required, the specific detailed root causes must eventually be known.

In summary, the basic principles of hazard–mishap theory are as follows:

1. Hazards cause mishaps; a hazard is a condition that defines a possible future event (i.e., mishap).

2. A hazard and a mishap are two different states of the same phenomenon (before and after).

3. Each hazard/mishap has its own inherent and unique risk (probability and severity).

4. A hazard is an entity comprised of three components (HE, IM, T/T).

5. The HE and IM are the HCFs and they establish the mishap probability risk factor.

6. The T/T along with parts of the HE and IM establish the mishap severity risk factor.

7. HCFs can be characterized on three different levels.

8. The probability of a hazard existing is either 1 or 0; however, the probability of a mishap is a function of the specific HCFs.

A hazard is like a minisystem; it is a unique and discrete entity comprised of a unique set of HCFs and outcomes. A hazard defines the terms and conditions of a potential mishap; it is the wrapper containing the entire potential mishap description. The mishap that results is the product of the hazard components.


2.6 HAZARD–MISHAP PROBABILITY

A hazard has a probability of either 1 or 0 of existing (either it exists or it does not; the three components are present or they are not present). A mishap, on the other hand, has a probability somewhere between 1 and 0 of occurring, based on the HCFs. The HE component has a probability of 1.0 of occurring, since it must be present in order for the hazard to exist. It is therefore the IM component that drives the mishap probability, that is, when the IMs occur, the mishap occurs. The IMs are factors such as human error, component failures, timing errors, and the like. This concept is illustrated in Figure 2.9.

The HCFs are the root cause of the hazard. The HCFs are in fact the hazard components that provide a threat and a mechanism for transitioning from a hazard to a mishap. The HE and the IM components of a hazard are the HCFs. These two HCFs establish the probability of the hazard becoming a mishap. The combined effect of the T/T and parts of the HE and IM components determines the severity of the hazard. For mishap severity, the amount of HE is usually of concern, as is the IM factor that places the target in proximity to the HE.

2.7 RECOGNIZING HAZARDS

Hazard identification is one of the major tasks of system safety, and hazard identification involves hazard recognition. Hazard recognition is the cognitive process of visualizing a hazard from an assorted package of design information. In order to recognize or identify hazards four things are necessary:

1. An understanding of hazard theory

2. A hazard analysis technique to provide a consistent and methodical process

3. An understanding of hazard recognition methods

4. An understanding of the system design and operation