Introduction
Over the previous sessions we have looked at how legislation was developed in the UK, who is responsible for ensuring that legislation is correctly applied and followed, and the purpose of safety cases in that context.
In this session we will be looking at safety systems: what they are, how they are applied and what their relevance is to how we work.
By the end of this section you will be able to evaluate the following:
- Occam’s razor
- The hierarchy of control measures
- Inherently safer design
- Active safety systems
- Passive safety systems
Occam’s Razor
Occam’s razor is a problem-solving principle that applies not just to safety but can sensibly be applied in almost all walks of life.
It is often misunderstood, misquoted and misapplied, however, so before examining safety systems in more detail it makes sense to look briefly at what Occam’s Razor actually is.
The video below will give a brief overview of Occam’s razor – primarily from a philosophical point of view but it serves as an effective starting point:
Despite the implication of this graphic, Occam's razor is not a literal razor; rather, it refers to cutting through to the core of a matter. Occam is a misspelling of Ockham, after William of Ockham, the first person to propound the concept, but it has become the accepted spelling.
Whilst the philosophical basis of Occam’s razor is not really relevant to this course, the core idea holds true in science and engineering, as it does in most walks of life.
The most common misconception regarding Occam’s Razor, however, is that it says the simplest solution is the best one – this is not the case. The idea is that if there are two competing theories, or two competing solutions to the same problem, then in the absence of any other data it is usually best to go for the simplest option, which is not the same thing. If one solution can be demonstrated to be better, then that is the solution that should be taken.
A good example of this is the famous Gordian Knot of Greek mythology. Here, a cart was tied to a post with a knot so complex no-one could untie it. Alexander the Great solved the problem by simply cutting through the knot with his sword.
This is clearly a very simple solution to the problem, but it is not necessarily the correct one. If the aim is simply to be able to move the cart, then as a solution it is acceptable, and applying the principles of Occam’s Razor it would be the way to go. However, what if the rope needed to be used again in the future? If that were the case then another solution would need to be found.
The Hierarchy of Control Measures
At the heart of all safety systems, no matter how advanced, is a method of managing risk. Managing risk goes hand in hand with accepting some risk: all human activity carries some element of risk, and this cannot be changed. The aim of safety management systems in the workplace is – as already discussed – to reduce risk to a level that is as low as reasonably practicable (ALARP).
However, when managing risk, there can be more than one way in which risk can be reduced. Here we could apply Occam’s Razor, and indeed there are situations where this will happen, but before this there is another process to be applied that is more apposite.
This is the hierarchy of control measures. This basic outline, shown below, was developed by NIOSH (the National Institute for Occupational Safety and Health) in the USA and shows the effectiveness of the various control methods that can be applied in the workplace, in decreasing order of effectiveness.
Wikimedia - The NIOSH hierarchy of controls, demonstrating the effectiveness of various types of control
Hierarchy of controls from most effective to least:
- Elimination - physically remove the hazard
- Substitution - replace the hazard
- Engineering controls - isolate people from the hazard
- Administrative controls - change the way people work
- PPE - protect the worker with Personal Protective Equipment
As can be seen, elimination is always the most effective method. Generally, when the hierarchy is discussed, elimination is taken to mean removal of parts of the task or removal of the hazard; however, the first question that we should always ask is whether the job needs to be done at all. It is surprising how many tasks carried out in the workplace relate to work or procedures that are no longer needed or have been superseded in some way. Apart from being a waste of resources, since all tasks carry inherent risk, carrying out work that is not necessary increases the risk of injury or work-related ill-health, particularly stress.
The application of the hierarchy and examples of each level are nicely described in the following video:
The HSE also provides the following document, taken from the leader and worker involvement toolkit, which shows the levels and also explains them in more detail in an easy reference chart. The document can be found here:
Inherently Safer Design
Of course, the best place to introduce control of risk in any system is during the design stage, and indeed this is done without thinking – no designer will create a design for a boat that would sink at launch, for example. Inherently safer design, however, is a specific methodology that was first postulated in the 1970s following the explosion at the Nypro Flixborough plant in 1974, which was mentioned in the first session. An in-depth knowledge of this incident is not vital, but for the sake of completeness we will include a brief explanation.
Just before 5PM, on Saturday 1st June 1974, an enormous explosion destroyed the Nypro chemical plant located near the village of Flixborough. In the explosion 28 people were killed and 36 were injured. Had it been a weekday this number would probably have been much higher.
Following the court of inquiry investigation into the disaster, it was established that the probable cause of the explosion was an uncontained leak of cyclohexane, which found a source of ignition. The leak was caused by the failure of an unapproved temporary repair, following loading in a mode that had not been predicted.
The report of the court of inquiry is available in physical form from the National Archives, but the matter that is of interest to us is the effect it had on the chemical industry, which was the first area to begin looking into inherently safer design (IHD).
Following the disaster, Trevor Kletz, a chemist working for another chemical company (ICI) at the time, began to consider the causes of accidents in the chemical industry. Whilst most accidents could be attributed to human error, Kletz felt that saying most accidents were caused by human error was
“…no more useful than saying most falls are caused by gravity” (Kletz 2001)
This led to the appearance of his article “What you don’t have can’t leak” (Kletz 1978) which, upon his retirement, he further developed into the book “Process Plants: A Handbook for Inherently Safer Design” (Kletz & Amyotte 2010).
Inherently safer design is briefly explained in the following video:
In this second video, Inherently Safer Processes (ISP, essentially a synonym for IHD specific to the chemical industry) are promoted following an accident in America in the early 21st century, showing that what may seem an obvious idea has not yet been adopted as widely as might be expected. It also includes a rather shocking revelation about what was once a practice in the electrical generation industry:
As was discussed in both videos, inherently safer design can be complex in application, but at its core are four simple ideas:
- Minimise
- Substitute
- Moderate
- Simplify
Passive Safety Systems
The terms passive safety and passive safety systems can be used in two rather different ways within engineering, depending on the specific field.
In the automotive industry, which is where the term is most often encountered, passive safety systems are those systems that do not operate until an accident or incident has occurred.
Examples would be things such as seatbelts, airbags or crumple zones. They are explained further in the following short video:
In this video, General Electric discuss the passive safety systems of their new Economic Simplified Boiling Water Reactor (ESBWR) nuclear reactor:
As can be seen, in both cases passive safety systems and passive safety devices are a line of defence that is intended to operate in abnormal situations. The key difference is in how they operate.
Automotive passive safety systems, such as airbags, require the input of a sensor to make them operate. This sensor could be a human or could be mechanical, but the fact that a sensor is required means that, in the nuclear industry, such a system would tend to be classed as an active safety system (more on those later). In the nuclear industry, passive safety systems generally refers only to those systems that will operate without an external input, due to natural laws – a prime example being the locating of control rods such that they will fall into the reactor under gravity if all else fails (although, as was seen at Chernobyl, even this system can fail; for interest, here is a research paper on Control Rod Drop Failure). This latter definition is better in many ways, but it should be remembered that either type can be encountered.
An example of the latter definition is covered in this video that explains some of the physics of nuclear fission:
An example of a passive safety system can be found in something as simple as a well-organised refrigerator, where cooked food should always be stored above uncooked food. The logic here is simple – any bacteria or other pathogens falling from the uncooked food will not fall onto the cooked food, and any bacteria falling onto the uncooked food is not of concern, as this food is going to be cooked anyway.
From engineering, the simplest examples of passive safety systems likely to be encountered – in almost any field – are containment devices. These range from the massive containment buildings found at the majority of nuclear generation plants, designed to contain the fallout from a nuclear breakdown, to the much simpler bunded standings on which oil tanks are placed, intended to prevent spillage and run-off from reaching local water courses and the natural environment.
Gravity is the most commonly used final safeguard in passive safety systems, and it is gravity that provides the motive force for most of the passive safety systems mentioned above.
Passive Safety Failure – Fukushima Accident
In 2011, following a massive earthquake and tsunami, the nuclear power plant at Fukushima in Japan suffered a partial meltdown, making it one of only two nuclear accidents to be graded at 7 on the International Nuclear Event Scale, the other being Chernobyl.
The following animation from the Institut de Radioprotection et de Sûreté Nucléaire (IRSN) - the French equivalent of the Office for Nuclear Regulation (ONR) - explains what happened:
As can be seen from the video, the majority of the safety features of the plant were not truly passive systems. To remove the residual decay heat there needed to be a circulation of coolant, which was provided by an electrically powered system, with diesel generators as the final backup. In the case of the GE ESBWR reactor we encountered earlier, natural processes are used to maintain cooling – namely gravity making water fall and steam rise.
Even in the case of the ESBWR, however, the system is designed to operate for a maximum of 72 hours, which ties in nicely with what was discussed in the previous section, namely that nothing is inherently safe, but rather inherently safer. No matter what, there will always be a risk.
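The contrast between active and passive safety functions under a loss of power can be made concrete with a small dependency model. The following is an added teaching example, not code from the course or from any plant's safety case: the plant model is a constructed, simplified sketch (node names such as "offsite_grid", "gravity_pool_cooling" and the gate structure are assumptions), and the only figure taken from the text above is the 72-hour limit on gravity-driven cooling. Each safety function is a gate over the support systems it needs; active functions sit behind "ac_power", passive ones depend only on mechanical parts and gravity. Evaluating the model for a station blackout shows which functions survive, and for how long.

```python
"""Dependency model contrasting active and passive safety functions.

Constructed teaching example: the plant model below is a simplified, made-up
sketch, not a real safety case. All node names are assumptions for illustration.
"""
from typing import Dict, List, Optional, Set, Tuple

# Gate model: each named node is either a basic component (absent from GATES,
# available unless it appears in the failed set) or a gate over child nodes.
# "all" = every child is needed (AND); "any" = one child suffices (OR).
GATES: Dict[str, Tuple[str, List[str]]] = {
    "ac_power":              ("any", ["offsite_grid", "diesel_generators"]),
    # Active functions: need electrical power plus a sensing/actuating chain.
    "forced_cooling":        ("all", ["ac_power", "coolant_pumps", "level_sensor"]),
    "powered_rod_insertion": ("all", ["ac_power", "rod_drive_motors", "trip_logic"]),
    # Passive functions: only mechanical parts and natural laws (gravity).
    "gravity_rod_drop":      ("all", ["rod_latch_release"]),
    "gravity_pool_cooling":  ("all", ["elevated_pool_inventory", "natural_circulation_path"]),
}

# Safety functions of interest: their kind and how long (hours) they keep working
# with no external input. None means no built-in time limit in this model.
# The 72 h figure mirrors the ESBWR limit quoted in the text (an assumption here).
FUNCTIONS: Dict[str, Tuple[str, Optional[float]]] = {
    "forced_cooling":        ("active",  None),
    "powered_rod_insertion": ("active",  None),
    "gravity_rod_drop":      ("passive", None),
    "gravity_pool_cooling":  ("passive", 72.0),
}


def available(node: str, failed: Set[str]) -> bool:
    """Recursively evaluate whether `node` can operate given the failed components."""
    if node in failed:
        return False
    if node not in GATES:
        return True  # basic component: intact unless listed as failed
    gate, children = GATES[node]
    results = [available(child, failed) for child in children]
    return any(results) if gate == "any" else all(results)


def surviving_functions(failed: Set[str], elapsed_h: float) -> Set[str]:
    """Safety functions still operable `elapsed_h` hours into an event."""
    alive: Set[str] = set()
    for name, (_kind, duration) in FUNCTIONS.items():
        if duration is not None and elapsed_h > duration:
            continue  # passive inventory (e.g. elevated pool water) exhausted
        if available(name, failed):
            alive.add(name)
    return alive


def report(scenario: str, failed: Set[str], elapsed_h: float) -> str:
    """Human-readable status of every safety function for a scenario."""
    alive = surviving_functions(failed, elapsed_h)
    lines = [f"{scenario} at {elapsed_h:g} h (failed: {sorted(failed) or 'none'}):"]
    for name, (kind, _duration) in FUNCTIONS.items():
        state = "OK  " if name in alive else "LOST"
        lines.append(f"  {state} {name} ({kind})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Station blackout: grid and diesel backup both lost, as at Fukushima.
    station_blackout = {"offsite_grid", "diesel_generators"}
    print(report("Normal operation", set(), 1))
    print(report("Station blackout", station_blackout, 10))
    print(report("Station blackout", station_blackout, 80))
```

Running the script prints that, ten hours into a station blackout, both active functions are lost while the two gravity-driven functions remain; at 80 hours the pool cooling has also gone, leaving only the rod drop. The model makes the course's point directly: a passive system removes a dependency (power, sensors, operators) rather than adding another layer that itself needs support, but it still has a finite inventory and so is only safer, not safe.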
Active Safety Systems
As with passive safety, active safety can again be used in two ways. Here the two meanings differ even more.
In the automotive industry, particularly in the US, active safety refers to systems that are intended to prevent an accident or incident from occurring in the first place. This could be something as traditional as the service brake (or if taken to an extreme, the rear-view mirror) or could be something as advanced as the lane assist and automatic braking systems found on modern vehicles.
This more modern group is discussed in the following short video:
In most industries however, active safety systems mean those systems that require an input to operate. This does not necessarily mean they must be activated by an operator, but it does mean that some form of sensing system is required. Most safety systems in all industries are active safety systems.
Sticking with the nuclear theme, the control rods in normal operation are an active safety system, as they require an operator or computer input for them to be driven into the reactor. Even in the extreme instance of a SCRAM (where the reactor is shut down completely in an emergency) the initial input is from an operator, and hence this is an active safety control.
The SCRAM button on the EBR-1 reactor in Idaho. SCRAMs are more common than might be expected and are usually automatic. Greenpeace – who, it must be noted, have a conflict of interest – report at least 10 in the USA from 2004 to 2014 (Riccio 2016). Of these, at least 2 were manually initiated. Chernobyl remains the only known case of a failed manual SCRAM.
The differences between active and passive nuclear power plant safety systems are discussed in the video below, which although a little childish, does describe things in a straightforward way. Whilst the video directly relates to the nuclear industry the information it provides can be extrapolated into other industries:
From the aviation industry, an interesting example of an active safety system is the Traffic Collision Avoidance System, known as TCAS. This system is interesting because, despite increasing automation in the aviation industry and the fact that the original systems began appearing in the 1980s, it is not a fully automatic system, and in many cases it is not capable of automatic operation at all. Generally, the purpose of TCAS is purely to alert the pilot to a potential collision risk in the area and offer a possible way of avoiding the collision, but it will not automatically manoeuvre the aircraft out of danger. Some aircraft are capable of doing this – such as the A380 (Airbus, 2009) – but even here the system must be set to a specific mode by the pilot to be able to operate in this way.
Summary
As we have seen, no human action can ever be considered totally safe but there are a variety of methodologies and systems that we can use to improve the safety of a system, plant or process.
Inherently safer design is the best method of improving safety, as it seeks to create a system in which as much danger as possible is designed out. Following this, active and passive safety systems should be designed into the system, as appropriate, to ensure that any residual risk meets the intention of ALARP.
Finally, the question that must always be asked first is – does this need to be done at all?
References
Airbus, 2009. EASA certifies new “Autopilot/Flight Director” TCAS mode for A380. [online] Available from: <https://www.airbus.com/newsroom/press-releases/en/2009/08/easa-certifies-new-autopilot-flight-director-tcas-mode-for-a380.html> (accessed 19th February 2020)
Crowl, D. A., 2009. Inherently Safer Chemical Processes: A Lifecycle Approach, 2nd Edition. Hoboken: Wiley
Kletz, T. A., 1978. “What you don’t have can’t leak”, Chemistry and Industry, pp. 287-292
Kletz, T. A., 2001. Learning from Accidents, 3rd Edition. London: Gulf Professional
Kletz, T. A. and Amyotte, P., 2010. Process Plants: A Handbook for Inherently Safer Design. Boca Raton: CRC Press
Pring, A. and Verne, J., 2018. Statistical Commentary: End of Life Care Profiles, February 2018 update. [online] Available from: <https://www.gov.uk/government/publications/end-of-life-care-profiles-february-2018-update/statistical-commentary-end-of-life-care-profiles-february-2018-update> (accessed 19th February 2020)
Riccio, J., 2016. Nuclear Near Misses: A Decade of Accident Precursors at U.S. Nuclear Power Plants. [online] Available from: <https://www.greenpeace.org/usa/wp-content/uploads/2016/05/nuclear-near-misses-a-decade-of-accidents-at-us-nuclear-energy-power-plants-may-2016-3mb.pdf?f3025c> (accessed 19th February 2020)