Safety Trade-Off Study Example and Process
Table 2 illustrates an example of a safety-related trade-off analysis. There are three similar complex systems representing options A, B and C, which are to be evaluated (for proprietary reasons an actual study is not discussed). Trade-off tables or worksheets can be constructed to suit a particular analysis. In this example, the options are listed in the left-hand column, and the risk attributes are designated along the top row. Choices are to be made between complex system design options using appropriate risk attributes.
Table 2 — An Example of a Safety Trade-off Analysis.
As with other safety analyses, experienced analysts can also apply various techniques in decision making. In this situation, the concept of utility analysis has been applied. As discussed above, a utility is a numerical rating assigned to possible outcomes a decision maker may consider. In a choice between alternatives, the one with the highest utility is preferred. Utility is an intrinsic value, a subjective judgment of relative worth, which is different for different people and for the same people under different circumstances.
A cell index factor and a weight are used to calculate a product score for each attribute. The product scores for all attributes are then summed into a total product score. The highest total product score designates the selected option. See Table 2 for the evaluation factor key: the cell index factor runs from 1 (unfavorable) through 5 (very favorable), and the weights range from 1 (low) through 10 (high).
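The scoring arithmetic described above, as an added example that is not part of the article: each cell index factor is multiplied by its attribute weight, the products are summed per option, and the highest total selects the option. Table 2 itself is not reproduced on the page, so the weights and index factors below are constructed, hypothetical values; the attribute names are the ones discussed in the text. The example goes one step beyond the text by adding a weight-sensitivity check, since weights are subjective judgments and a selection that flips on a one-step change in a single weight deserves a second look before it is accepted.

```python
"""Utility-analysis scoring for a safety trade-off worksheet (constructed data)."""

INDEX_RANGE = (1, 5)    # cell index factor: 1 = unfavorable ... 5 = very favorable
WEIGHT_RANGE = (1, 10)  # attribute weight: 1 = low ... 10 = high

# Risk attributes along the top row of the worksheet (names taken from the text).
ATTRIBUTES = [
    "Estimated high risks to mitigate",
    "Estimated complexity to mitigate risks",
    "Estimated cost of mitigation",
    "Estimated benefits gained in safety",
    "Estimated complexity of recovery",
]

# CONSTRUCTED weights and cell index factors: Table 2 is not on the page, so these
# hypothetical values only exercise the arithmetic.
WEIGHTS = [9, 7, 5, 8, 6]
OPTIONS = {
    "A": [3, 4, 5, 2, 3],
    "B": [4, 2, 3, 5, 4],
    "C": [2, 5, 4, 3, 5],
}


def _check_range(values, lo_hi, label):
    """Reject any entry outside the worksheet's evaluation factor key."""
    lo, hi = lo_hi
    for v in values:
        if not (isinstance(v, int) and lo <= v <= hi):
            raise ValueError(f"{label} {v!r} outside {lo}..{hi}")


def product_scores(weights, index_factors):
    """Per-attribute product score = cell index factor x attribute weight."""
    if len(weights) != len(index_factors):
        raise ValueError("one index factor is required per attribute")
    _check_range(weights, WEIGHT_RANGE, "weight")
    _check_range(index_factors, INDEX_RANGE, "cell index factor")
    return [w * f for w, f in zip(weights, index_factors)]


def total_product_score(weights, index_factors):
    """Sum of the product scores across all attributes."""
    return sum(product_scores(weights, index_factors))


def rank_options(weights, options):
    """Options ordered from highest to lowest total product score."""
    totals = {name: total_product_score(weights, factors) for name, factors in options.items()}
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)


def select_option(weights, options):
    """Option(s) with the highest total; more than one name means a tie the analyst must break."""
    ranking = rank_options(weights, options)
    best = ranking[0][1]
    return [name for name, total in ranking if total == best]


def weight_sensitivity(attributes, weights, options):
    """Nudge each weight by one step (inside WEIGHT_RANGE) and report nudges that change the selection."""
    baseline = select_option(weights, options)
    flips = []
    for i, w in enumerate(weights):
        for candidate in (w - 1, w + 1):
            if not WEIGHT_RANGE[0] <= candidate <= WEIGHT_RANGE[1]:
                continue
            perturbed = weights[:i] + [candidate] + weights[i + 1:]
            winner = select_option(perturbed, options)
            if winner != baseline:
                flips.append((attributes[i], candidate, winner))
    return flips


if __name__ == "__main__":
    for name, total in rank_options(WEIGHTS, OPTIONS):
        print(f"Option {name}: product scores {product_scores(WEIGHTS, OPTIONS[name])} -> total {total}")
    print("Selected:", select_option(WEIGHTS, OPTIONS))
    for attribute, new_weight, winner in weight_sensitivity(ATTRIBUTES, WEIGHTS, OPTIONS):
        print(f"Weight of '{attribute}' set to {new_weight}: selection becomes {winner}")
```

With the constructed values, option B (129) edges out option C (127); the sensitivity check shows that a one-step change in three of the five weights either ties the two or hands the selection to C, which is exactly the kind of result that should send the analyst back to the weight justifications before the option is accepted.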
Defining Risk Attributes
The risk attributes that are indicated along the top row are to be developed to suit the particular study and options to be evaluated. A risk attribute is a particular trait, quality or characteristic that defines a system risk. Within this example, many risk attributes have been indicated; they have been chosen to illustrate the extensiveness and difficulty when comparing complex systems and system risks. Care should be taken when attributes are being defined. Depending on criteria developed, there can be overlap in the attributes' definitions. Attributes should be defined so that they can be somewhat independent considerations. Example definitions of the risk attributes are discussed below.
Estimated High Risks to Mitigate
A preliminary hazard analysis (PHA) should be conducted prior to the trade study to identify initial risks associated with the concept or option. This is done to identify initial high risks. Here, enough detail is needed to identify hazards, which are initiators, contributors and primary hazards that are within the estimated adverse sequence(s) of events that can comprise a system risk.
Initial risk is identified by the application of the naked man principle. Minimal controls are to be baselined so that initial risk can be estimated. The analyst approximates the initial controls in the basic system that are needed for the concept functions, operations or architecture.
Another important aspect includes the PHA assumptions and methods applied; they should be consistent among the options under study.
Risk scales that are appropriate for the system also need to be developed. The scales are to include consistent severity, likelihood and exposure definitions. Criteria are also needed to establish low, mid-level and high initial system risk. As an end result, high and mid-level risks can be compared between options, keeping in mind the complexity issue.
Estimated Complexity to Mitigate Risks (Reaching successful mitigation)
Further approximations can be made concerning the complexity of mitigation. The analyst can estimate what controls are needed to ensure acceptable risk. The PHA is to be extended to track along with the potential progression of the system, and eventually develops into a system or sub-system analysis (SHA or SSHA) as the design progresses. Depending on the system under evaluation, it may be possible to estimate complexities associated with risk elimination or risk control (mitigation). For example, it may be expected that a highly automated system may have automated controls that can be very complex. There may be consideration for the use of administrative controls, keeping the human in the loop, or maintaining situational awareness of the state of a particular complicated process. These controls may require extensive analyses, studies, situations and testing. All of these factors add to the complexity of mitigation. Such recommendations can be made as an output of the system-level or sub-system level PHA. Judgment can then be applied as to the complexity of mitigation.
Estimated Cost of Mitigation (Cost is expected to be reasonable)
The cost associated with mitigation can be estimated, given the identification of risks and controls defined within the PHA. Various cost factors (weights) can be estimated associated with fixed and variable costs for each control identified. Further consideration should be given to present and future worth, the value of money given interest rates, inflation, etc.
Consider that there are many types of costs [Ref. 2]: Operating costs, product costs, direct and indirect costs, and actual and standard costs. The appropriate definition of cost depends on the purpose for which the cost is to be used. From a high-level and safety management point of view, consideration should be given to variable and non-variable costs, controllable and non-controllable costs, engineered, discretionary and committed costs. Ultimately, the end goal is to develop criteria for estimating high and mid-level control costs.
Estimated Benefits Gained in Safety
It may be apparent that a particular option will further enhance system safety and that additional benefits can be gained as a result of developing that specific option. For example, within particular Option X, a hazardous exposure to humans will be eliminated. Humans were normally exposed to a hazardous task, and now the task is to be automated. However, there may be software-related hazards and other complex system risks to address, which are associated with an automated process. Robots are to be used, and there may be a complicated set of tasks to set up and teach the robots to conduct specific actions. Technicians may be exposed to additional hazards while setting up the system or conducting maintenance actions.
Further consider, for example, that a highly hazardous process may be moved to a remote location, thereby eliminating the exposure to a particular population. The move will present additional risks that must be addressed.
A particular pharmaceutical process may be hazardous but controlled, and it is expected that the pharmaceutical will benefit a high percentage of a population suffering from a particular illness.
All assumptions and justifications for such risk-based decisions must be well documented, and all risks must be eliminated or controlled to an acceptable level. There is always a trade-off on risks when options are applied or when there are changes to a system. Any change to a system, no matter how seemingly unimportant, must also be evaluated from a system safety view.
Estimated Complexity of Recovery
When accidents or incidents occur, the system must be stabilized and brought back to its normal state. This is the consideration of the concept of the system accident, in that accidents are an adverse process and they progress within a life-cycle sequence.
The degree to which recovery can occur is an important element of risk. The analyst estimates the degree of recovery that would be needed should the identified system risks materialize as a system accident. It is possible to control the degree of harm by controlling the degree of abnormal energy release. It is also possible to have secondary occurrences that can increase the degree of harm and intensify the causality. These secondary occurrences present additional risks, which have to be eliminated or controlled. Recovery considers contingency during causality, first aid, firefighting, damage containment, damage control, emergency operations and securing the situation to ensure that no further harm occurs.