System Safety Engineering A Brief Overview for Product Liability ...

Text-only Preview

System Safety Engineering
A Brief Overview for Product Liability Attorneys
Keith Colombo, PE, CSP
While most everyone has an understanding of the term "safety," few outside the
aerospace and government contracting industries are familiar with System Safety
Engineering. This engineering function has been referred to as "accident
investigation before the accident" and "troubleshooting before the trouble." It is a
macroscopic as well as microscopic approach to the application of engineering
principles and social sciences for the purpose of identifying hazards and
determining accident prevention requirements.
The attorney specializing in product liability will find a great deal in common
between the objectives of any product safety program and those of System
Safety Engineering. This engineering discipline specializes in the methodology
and application of the techniques employed to produce a reasonably safe system
or product.
Safety efforts toward reducing the risks of accident and injury through design
have existed to some degree since the Industrial Revolution. There were no
organized or concentrated efforts to develop any methodologies or standardize
accident risk identification techniques until the formation of the System Safety
Society in 1962. The members of the organization were primarily representatives
and employees of the U.S. Government and U.S. Government contractors.
The United States Department of Defense (DoD) has long recognized the safety
responsibilities of manufacturers and suppliers of DoD systems. They developed
MIL-STD-8821, System Safety Program Requirements. First approved by the
DoD on July 15, 1969, the standard "provides uniform requirements for
developing and implementing a systems safety program of sufficient
comprehensiveness to identify the hazards of a system and to ensure that
adequate measures are taken to eliminate or control the hazards." The standard
outlines the features of a well developed system (product) safety program
regardless of the application. It also is an authoritative document that describes
the "Design Precedence: design for minimum hazard, apply safety devices
(guarding), and warn of residual hazard risk."
The military standard describes what the DoD believes is appropriate for safety
efforts associated with the design and production of military systems in order to
receive a system free of unreasonable risk. It provides for differences in the
complexity of various types of systems and products by requiring the government

contractor to provide a plan on compliance for approval by the DoD. For many,
the standard is considered the bible of System Safety.
Just as Industrial (or Occupational) Safety focuses on the control of hazards in
the workplace, System Safety focuses on the control of hazards associated with
a system or product. With this approach to safety, hazards are identified relative
to the system's entire life cycle, including operation, human interfaces,
maintenance, transportation, disposal, etc. System Safety Engineers, through
hazard analyses, attempt to identify and predict accident causes, assess
potential accident severity, evaluate accident probability and, in conjunction with
detailed design engineering, determine appropriate accident prevention
System Safety Engineering can also be defined through its objectives:
1. safety, consistent with the system's function;
2. safety, incorporated into the system as opposed to "patched" on; and,
3. safety, or assumed residual hazard risk is minimum, reasonable and
Obviously, this engineering function is intended to be, and is, most affective
when conducted concurrently with the system design process. The System
Safety Engineer is dedicated to eliminating unnecessary risk of damage and
injury while minimizing residual accident risk.
Some may suggest that the above begs for the definition of a system. MIL-STD-
882A defines "system" as the following:
"A composite, at any level of complexity, of personnel, materials, tools,
equipment, facilities, and software. The elements of this composite entity
are used together in the intended operational or support environment to
perform a given task or achieve a specific production, sup port, or mission

From the above definition, an experienced System Safety Engineer wil have
experience analyzing a wide variety of products and systems.
In analyzing systems there are essentially two primary and concurrent efforts.
The first is the identification of applicable safety requirements including those
generated by standards organizations such as the American National Standards
Institute (ANSI), the National Fire Protection Association (NFPA), and the
Occupational Safety & Health Administration (OSHA). Often, these requirements
are put in the form of checklists for dissemination to those responsible for design

incorporation. The checklists general y require a description of how each safety
requirement is satisfied by the design.
The second primary effort is the identification of hazards or potential accident
causes unique to the system that are not otherwise addressed in safety
standards. From this process additional hazard controls or safety requirements
are determined and evaluated to minimize the risks of damage and injury. A key
tool for predicting potential accident causes is hazard analysis.
System Safety Engineering is responsible for the development of many analysis
techniques, such as the Fault Tree. Failure Modes and Effects Analysis (FMEA),
Job Hazard Analysis (JHA), System and Subsystem Hazard Analyses (SHA,
SSHA), and the Operating and Support Hazard Analysis (O&SHA) are also a few
types of analyses. Checklists are also often used as well to assist in the hazard
identification process.
Of significance, common to many hazard identification techniques is the
recognition of energy sources and the evaluation of the means employed to
store, access, use, and dissipate energy within a system. Degreed engineers,
skil ed in the tools of System Safety, readily recognize energy sources. Many
serious injuries result from operator exposure to these energy sources. For
example, rotating shafts and pulleys are an example of kinetic energy; a high
voltage electrical circuit and the energy stored in a compressed spring are
different forms of potential energy. Significant accident risk can be minimized
with the appropriate control of these energy sources.
Although assessing potential accident severity is subjective in nature, the system
safety engineer is cautioned to consider the worst case. This is some times
difficult when, given the same hazard, there are multiple accident scenarios.
Confusing the issue is the probability of a specific resulting scenario with respect
to the probability of an accident occurring at al . However, various methodologies
have been developed to prioritize and quantify accident risk factors. Accident risk
factors are
1. the likelihood of the accident occurring; and,
2. the severity of the injury (or damage) should the accident occur. The
objective is reducing accident risk through affecting either or both of the
accident risk factors.
The probability of accident occurrence can be statistical y determined. If there is
any possibility of a hazard resulting in an accident, there is a probability. If there
is no possibility of an accident occurring, there is no hazard. Probabilities can be
either quantitative or qualitative and the selection is dependent on need and
available resources. Some hazard analyses incorporate quantification
techniques. The Fault Tree is the most common.

Additional specific activities of this engineering discipline include the fol owing:
• Evaluation of materials, design features, procedures, operational
concepts, and environments that wil affect safety.
• Identification of limitations and mar gins of safety.
• Reviews of similar system data for consideration in alternative designs.
• Participation in design tradeoff studies for evaluation of additional safety
• Assessment of training plans and programs.
• Reviews of engineering designs and specifications for hazard identification
and hazard control verification.
• Providing appropriate warnings in test procedures, manuals, and delivered
• Assessing procedures for storage, packaging, handling, and transportation
of the system.
• Evaluation of failures and accident investigations for corrective action
• Analyzing design changes or upgrades to identify new hazards and
ensure integrity of inherent safety.
In section 5.4 of the "A" revision of the DoD standard, the fol owing general
requirements for consideration in designs and operational procedures are listed:
• Review pertinent standards, specifications, regulations, design
handbooks, and other sources of design guidance for applicability to the
design of the system.
• Eliminate or control hazards identified by analyses or related engineering
efforts through design solution, material selection, or substitution.
Potential y hazardous materials (e.g., propel ants, explosives, hydraulic
fluids, solvents, lubricants or fuels) shal be selected to provide optimum
safety characteristics.
• Isolate hazardous substances, components, and operations from other
activities, areas, personnel, and incompatible materials.
• Locate equipment so that access during operation, maintenance, repair, or
adjustment minimizes personnel exposure to hazards (e.g., hazardous
chemicals, high voltage, electromagnetic radiation, cutting edges, or sharp
• Minimize hazards resulting from excessive environmental conditions (e.g.,
temperature, pressure, noise, toxicity, acceleration, and vibration).
• Design to minimize human error in the operation and support of the
• Consider alternate approaches to minimize hazards that cannot be
eliminated. Such approaches include interlocks, redundancy, fail safe
design, system protection, fire suppression, protective clothing,
equipment, and devices.

• Protect the power sources, controls, and critical components for redundant
subsystems by physical separation or shielding.
• Provide suitable warnings and caution notes in assembly, operations,
maintenance, and repair instructions, and distinctive markings on
hazardous components, equipment, or facilities to ensure personnel and
equipment protection. These shal be standardized in accordance with the
requirements of the managing activity.
• Minimize the severity of personnel injury or damage to equipment in the
event of a mishap (e.g., by incorporating crash worthy design features in
all man rated systems).
• Review design criteria for inadequate or overly restrictive requirements
regarding safety. Recommendations should be made for new design
criteria supported by study, analyses, or test data.
System Safety Engineering is a discipline whose focus is on the identification and
reduction of accident risk. It is responsible for the development of many hazard
identification methodologies and techniques. Application of these methodologies
is not restricted to any specific system. It is most effective in accomplishing its
objectives when employed concurrently with the design and development of a
system or product. The discipline combines the application of engineering
principles with social sciences and human factors. System Safety Engineers
apply their discipline to a wide variety of systems, products, facilities, operations,
and equipment. Engineers versed in this discipline may be a valuable source of
If professional certification in System Safety is indicative of qualification, few
individuals are qualified in System Safety and far fewer are experienced in
testifying as an expert. The 1993-1994 Directory from the Board of Certified
Safety Professionals (BCSP) lists approximately 200 individuals certified in
System Safety. Less than 50 are certified in Product Safety. Interestingly, the
CSP certification in System Safety as well as a State Professional Registration
specifical y in Safety Engineering are the only professional designations
recognized by MIL-STD-882A as pre-qualified for managing a DoD contractors'
system safety program.
MIL-STD-882 is currently in Revision "C." It can be obtained from the Defense
Printing Service Office, 700 Robbins Avenue, Building 4D, Philadelphia, PA
19111-5094, Phone 215-697-2667. For information on certification requirements
or on the BCSP contact them at 208 Burwash Avenue, Savoy, IL, 61874-9571.
Phone 217-359-9263.