Hazard description models are important because they help system safety practitioners identify hazards and describe them in a way that is readily understood by others, which facilitates identifying effective mitigation measures. Without going into specific examples, hazard models historically have suffered from two shortfalls. First, they can be too complex, either in the way the components of a particular model are described or in the terminology used. Second, they are structured so that they cannot be applied to all classes of hazard. However, there is a model that is not overly complex and is flexible enough to describe most hazards: the source-mechanism-outcome model (S-M-O or SMO).
The first component of the model is simply the "source." A source is an activity, condition or circumstance that has the potential to do harm to an asset. An asset is defined as "something of value that must be protected." Assets include, but are not limited to, personnel, facilities, equipment, operations, data, the public and the environment, as well as the system itself. So when one begins to describe the hazard, one identifies what it is that has the potential to cause harm. Things that cause harm could be electrical power exposure, sharp edges, hydraulic pressure, height above the ground, temperature extremes, fire, radiation, explosives, hazardous material leaks or spills, operator error, fatigue, utility outage, potholes, ad infinitum.
The next component of the model is the "mechanism," that process or sequence of events that allows or enables the source to cause the harm. The mechanism might be described in simple terms, or it may require a complex multi-linear diagram to understand it.
Finally, there is the "outcome," that harm which the source brings about through the mechanism to the asset.
In a simple example, one may define a hazard as "being burned." Using the SMO model, heat is the source, the mechanism is the asset's (a person's) contact with the heat source, and the outcome is the burned skin. Bear in mind that in this example, there may be a range of injuries or damages with one outcome. The outcome of a burn could be skin redness and pain, blistering, extensive skin damage or even death. The structure of the model will become clearer as we look at its history and some more detailed examples.
History of the SMO Model
The first mention of the SMO model in the literature of system safety is in a compilation of one-page "tutorials," called the System Safety Scrapbook. These were authored by Pat Clemens, a long-time system safety practitioner and a past president of the Board of Certified Safety Professionals, who has developed and implemented many system safety programs in both government contracting and in the private sector. During the 1980s, under Pat's leadership, the safety office of Sverdrup Technology, Inc. produced a series of System Safety Scrapbook sheets. These sheets were published on an as-needed basis, and each dealt with a single aspect of system safety practice. Their purpose was to reinforce concepts presented in formal system safety classroom training, to foster improved communication in matters of system safety analysis and to sharpen basic "system savvy" and analytical skills. One of these sheets, number 84-3 (the third sheet issued in 1984), contains the first recorded mention of the SMO model. This sheet pointed out that when listing hazards, we often name a hazard according to the severity component of its risk, and we describe the consequence of the hazard rather than the hazard itself. The SMO model was created to counteract this tendency. The example given in this sheet is the hazard identified as "Fatal Highway Crash." In fact, this "hazard" is the consequence of many real hazards, such as excessive speed, worn tires, etc. To avoid this, the sheet encourages the practitioner to make the description of each hazard tell a story, a "little scenario that addresses the Source, the Mechanism and the Outcome (i.e., Consequences) that characterize the harm that is threatened by the hazard." In the Sheet 84-3 example, the scenario is, "Worn tires leading to blowout at high speed resulting in loss-of-control crash and driver fatality" [Ref. 1].
SMO next appeared in NASA Reference Publication 1358, System Engineering "Toolbox" for Design-Oriented Engineers, in 1994. This publication, authored by B.E. Goldberg, Pat Clemens and others, was produced by the Marshall Space Flight Center in Huntsville, Alabama. SMO was included in the section on preliminary hazard analysis authored by Clemens. It stated,
"(4) Detect and confirm hazards to the system. Identify the targets threatened by each hazard. A hazard is defined as an activity or circumstance posing 'a potential of loss or harm' to a target and is a condition required for an 'undesired loss event.' Hazards should be distinguished from consequences and considered in terms of a source (hazard), mechanism (process), and outcome (consequence). A team approach to identifying hazards, such as brainstorming (sec. 7.7), is recommended over a single analyst. If schedule and resource restraints are considerations, then a proficient engineer with knowledge of the system should identify the hazards, but that assessment should be reviewed by a peer." [Ref. 2]
The SMO concept was published again in 1998 by the National Institute for Occupational Safety and Health in a publication called "System Safety and Risk Management: A Guide for Engineering Educators" [Ref. 3]. This publication, co-authored by Clemens and Dr. Rodney Simmons, was an instructional module included in Project SHAPE (Safety and Health Awareness for Preventive Engineering), a collaborative project between NIOSH, professional engineering societies and engineering schools to enhance the education of engineering students in occupational safety and health. Page III-3 of this publication defined a hazard as "a threat of potential harm" and described the SMO model in a similar fashion to the System Engineering Toolbox.
In 1998, Clemens included Sheet 98-1 in the System Safety Scrapbook titled: "Describing Hazards? Think Source / Mechanism / Outcome." In it, he gave a more detailed definition of these three elements of a hazard description. It reads:
"A hazard description contains three elements that express a threat:
- a source: an activity and/or a condition that serves as the root
- a mechanism: a means by which the source can bring about the harm
- an outcome: the harm itself that might be suffered." [Ref. 4]
He goes on to say:
"An open-topped container of naphtha may be a source, but without a mechanism and an outcome, is it a hazard? Suppose it's in the middle of a desert: no ignition sources and no personnel within several miles? Not much of a hazard. Relocate it to the basement of an occupied pre-school facility near a gas-fired furnace. Source, mechanism and outcome now become clear, and it's a hazard." [Ref. 4]
And one last time to make the point, in 2003, Clemens highlighted the SMO model again in Scrapbook Sheet 03-01. He finished that sheet with this "bottom line" insight:
"If the reviewer/interpreter can't understand the hazard description, there's a good chance the analyst didn't understand the hazard! Describe hazards using a simple paradigm as a model.
Make it simple, but make it complete!
Source / Mechanism / Outcome will do the job most every time!" [Ref. 5]
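To make the model concrete, the following is an added worked example (the editor's own construction, not code from the article or from the Scrapbook sheets). It records each hazard as a source, mechanism and outcome, renders the "little scenario" form from Sheet 84-3, applies the completeness test from Sheet 98-1 (a source alone is not yet a hazard), and reviews a small constructed hazard register to flag consequence-only entries such as "Fatal Highway Crash". The `asset` and `severities` fields, and the wording given to the naphtha mechanism and outcome, are assumptions for illustration; only the example phrases come from the article.

```python
"""Hazard descriptions expressed with the source-mechanism-outcome (SMO) model.

Added illustration: the Hazard record, the completeness check and the register
review are the editor's own construction, not the article's or Clemens' code.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

ELEMENTS = ("source", "mechanism", "outcome")


@dataclass(frozen=True)
class Hazard:
    """One hazard in SMO form. Blank strings mean the element was not described."""
    name: str
    source: str = ""       # activity, condition or circumstance that can do harm
    mechanism: str = ""    # process or event sequence that lets the source reach the asset
    outcome: str = ""      # the harm the asset suffers
    asset: str = ""        # what is threatened (assumed field; the article names assets in prose)
    severities: Tuple[str, ...] = ()  # range of harms one outcome may span (see the burn example)


def missing_elements(h: Hazard) -> List[str]:
    """Return the SMO elements left blank; an empty list means the description is complete."""
    return [e for e in ELEMENTS if not getattr(h, e).strip()]


def is_hazard(h: Hazard) -> bool:
    """Sheet 98-1's test: without a mechanism and an outcome, a source is not yet a hazard."""
    return not missing_elements(h)


def scenario(h: Hazard) -> str:
    """Render the 'little scenario' form used in Sheet 84-3."""
    if not is_hazard(h):
        raise ValueError(f"{h.name!r} is missing: {', '.join(missing_elements(h))}")
    return f"{h.source} leading to {h.mechanism} resulting in {h.outcome}"


def review_register(entries: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Review a hazard register; returns name -> missing elements for every incomplete row.

    A row that names only its consequence (the 'Fatal Highway Crash' pattern) shows up
    here as lacking both a source and a mechanism.
    """
    report: Dict[str, List[str]] = {}
    for row in entries:
        h = Hazard(
            name=row["name"],
            source=row.get("source", ""),
            mechanism=row.get("mechanism", ""),
            outcome=row.get("outcome", ""),
        )
        gaps = missing_elements(h)
        if gaps:
            report[h.name] = gaps
    return report


# Constructed sample register. The first row is the consequence-only entry the article
# warns about; the naphtha rows restate Sheet 98-1's desert/basement contrast, with the
# basement mechanism and outcome worded by the editor.
SAMPLE_REGISTER: List[Dict[str, str]] = [
    {"name": "Fatal Highway Crash", "outcome": "driver fatality"},
    {"name": "Worn tires", "source": "Worn tires", "mechanism": "blowout at high speed",
     "outcome": "loss-of-control crash and driver fatality"},
    {"name": "Naphtha in desert", "source": "An open-topped container of naphtha"},
    {"name": "Naphtha in pre-school basement", "source": "An open-topped container of naphtha",
     "mechanism": "vapour reaching a gas-fired furnace", "outcome": "fire in an occupied building"},
]

# The article's burn example, with the range of harms one outcome may cover.
BURN = Hazard(
    name="Thermal burn", source="Heat", mechanism="a person's contact with the heat source",
    outcome="burned skin", asset="personnel",
    severities=("skin redness and pain", "blistering", "extensive skin damage", "death"),
)


if __name__ == "__main__":
    for name, gaps in review_register(SAMPLE_REGISTER).items():
        print(f"incomplete: {name} (missing {', '.join(gaps)})")
    for row in SAMPLE_REGISTER:
        h = Hazard(**row)
        if is_hazard(h):
            print("scenario:", scenario(h))
    print("burn outcome ranges up to:", BURN.severities[-1])
```

Run as a script, the review lists "Fatal Highway Crash" and "Naphtha in desert" as incomplete, and the worn-tires row renders exactly the Sheet 84-3 scenario sentence; the same check is a useful gate on any hazard or threat register before risk ranking, since a row without a source or mechanism cannot be tied to a mitigation.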