Handbook of Safety Principles

Edited by
Niklas Möller, Sven Ove Hansson, Jan-Erik Holmberg, Carl Rollenhagen
CONTENTS
Preface xxv
List of Contributors xxvii
1 INTRODUCTION 1
Niklas Möller, Sven Ove Hansson, Jan-Erik Holmberg, and Carl Rollenhagen
1.1 Competition, Overlap, and Conflicts 1
1.2 A New Level in the Study of Safety Principles 2
1.3 Metaprinciples of Safety 3
1.4 Other Ways to Characterize Safety Principles 5
1.5 Conflicts Between Safety Principles 7
1.6 When Can Safety Principles Be Broken? 8
1.7 Safety in Context 9
References 10
2 PREVIEW 11
Niklas Möller, Sven Ove Hansson, Jan-Erik Holmberg, and Carl Rollenhagen
2.1 Part I: Safety Reserves 12
2.2 Part II: Information and Control 13
2.3 Part III: Demonstrability 16
2.4 Part IV: Optimization 17
2.5 Part V: Organizational Principles and Practices 20
Part I Safety Reserves 23
3 RESILIENCE ENGINEERING AND THE FUTURE OF SAFETY MANAGEMENT 25
Erik Hollnagel
3.1 On the Origins of Resilience 25
3.2 The Resilience Engineering Understanding of “Resilience” 27
3.3 The Four Potentials for Resilience Performance 29
3.4 Safety Management Systems 31
3.5 Developing Definitions of Resilience 33
3.6 Managing the Potentials for Resilient Performance 34
3.6.1 Organizations of the First Kind 35
3.6.2 Organizations of the Second Kind 36
3.6.3 Organizations of the Third Kind 36
3.6.4 Organizations of the Fourth Kind 37
3.7 Resilience Management: LP-HI OR HP-LI? 37
References 39
4 DEFENSE-IN-DEPTH 42
Jan-Erik Holmberg
4.1 Introduction 42
4.2 Underlying Theory and Theoretical Assumptions 43
4.2.1 Definitions and Terminology 43
4.3 Redundancy, Diversity, and Separation Principles 44
4.3.1 Principle of Successive Barriers and Reducing Consequences 46
4.3.2 Principle of Accident Prevention and Mitigation 47
4.3.3 Classification of Barriers 49
4.3.4 Safety Classification 50
4.3.5 Overall Safety Goals and Risk Acceptance Criteria vs. Defense-in-Depth 51
4.4 Use and Implementation 53
4.4.1 Nuclear Power Plant Safety 53
4.4.2 Chemical Industry 54
4.4.3 Information Technology Security 55
4.4.4 Railway Safety 56
4.4.5 Automobile Safety 57
4.5 Empirical Research on Use and Efficiency 57
4.6 Weaknesses, Limitations, and Criticism 57
4.7 Relations to Other Safety Principles 59
References 60
Further Reading 61
5 SAFETY BARRIERS 63
Lars Harms-Ringdahl and Carl Rollenhagen
5.1 Introduction 63
5.1.1 Classical and Radical Definitions of Barriers 64
5.1.2 Examples 64
5.2 Origin and Theoretical Background 65
5.2.1 Energy and Sequence Models 65
5.2.2 Extended Models 66
5.3 Definitions and Terminology 67
5.3.1 Examples of Barrier Definitions 67
5.3.2 Barriers and Barrier Systems 68
5.3.3 Alternatives to the Barrier Concept 69
5.3.4 Safety Functions 70
5.3.5 Conclusion 71
5.4 Classification of Barriers 71
5.4.1 General Considerations 71
5.4.2 System Level Classification 72
5.4.3 Classification Related to Accident Sequence 72
5.4.4 Physical and Non-physical Barriers 72
5.4.5 Administrative and Human Barriers 73
5.4.6 Passive and Active Barriers 73
5.4.7 Combined Models 74
5.4.8 Purpose of Barriers 75
5.5 Methods for Analysis of Safety Barriers 75
5.5.1 Energy Analysis 76
5.5.2 Event Tree Analysis 76
5.5.3 Fault Tree Analysis 77
5.5.4 Safety Barrier Diagrams 77
5.5.5 Management Oversight and Risk Tree 78
5.5.6 MTO Event Investigation 78
5.5.7 Safety Function Analysis 78
5.5.8 Reliability Techniques 78
5.6 Quality and Efficiency of Barriers 79
5.6.1 Design and Installation of Barriers 79
5.6.2 Management of Barrier Systems During Operation 80
5.6.3 Maintenance of Barriers 80
5.6.4 Summary of Barrier Management Principles 81
5.7 Discussion and Conclusions 82
5.7.1 The Classical and Radical Meaning 82
5.7.2 Empirical Research on Use and Efficiency 83
5.7.3 General Conclusions 83
5.7.4 Relations to the Other Chapters 84
References 84
6 FACTORS AND MARGINS OF SAFETY 87
Neelke Doorn and Sven Ove Hansson
6.1 Introduction 87
6.2 Origin and History 91
6.3 Definitions and Terminology 92
6.4 Underlying Theory and Theoretical Assumptions 94
6.4.1 Structural Engineering 95
6.4.2 Toxicology 97
6.5 Use and Implementation 98
6.5.1 Three Types of Numerical Safety Reserves 98
6.5.2 How Safety Factors are Determined 99
6.6 Empirical Research on Use and Efficiency 101
6.6.1 Engineering 101
6.6.2 Toxicology 102
6.7 Weaknesses, Limitations, and Criticism 103
6.8 Relations to Other Safety Principles 105
6.8.1 Probabilistic Analysis 105
6.8.2 Cost–Benefit Analysis 106
Acknowledgment 108
References 108
Further Reading 114
Part II Information and Control 115
7 EXPERIENCE FEEDBACK 117
Urban Kjellén
7.1 Introduction 117
7.1.1 Example 117
7.2 Origin and History 118
7.3 Definitions 121
7.4 Underlying Theories and Assumptions 122
7.4.1 Feedback Cycle for the Control of Anything 122
7.4.2 Safety Information Systems 124
7.4.3 The Diagnostic Process 125
7.4.4 Knowledge Management 126
7.5 Use and Implementation 127
7.5.1 Safety Practice in an Operational Setting 127
7.5.2 Risk Assessment 131
7.5.3 Transfer of Experience to New Construction Projects 132
7.5.4 Transfer of Experience from the Users to Design 133
7.6 Empirical Research on Use and Efficiency 135
7.7 Relations to Other Safety Principles 137
7.7.1 Safety Management 137
7.7.2 Resilience Engineering 138
7.7.3 Safety Indicators 138
7.7.4 Safety Culture 138
References 138
Further Reading 141
8 RISK AND SAFETY INDICATORS 142
Drew Rae
8.1 Introduction 142
8.2 Origin and History 143
8.3 Definitions and Terminology 145
8.4 Underlying Theory and Theoretical Assumptions 146
8.4.1 Past, Present, and Future Safety 146
8.4.2 Outcome Indicators 147
8.4.3 Risk Models and Precursor Events 148
8.4.4 Status of Physical and Procedural Controls 150
8.4.5 Safe Behaviors 150
8.4.6 Amount and Quality of Safety Activity 151
8.4.7 Organizational Drivers and Attributes 151
8.4.8 Variability 152
8.5 Use and Implementation 152
8.5.1 Metrics Collection 152
8.5.2 Incentives and Accountability 153
8.5.3 Benchmarking and Comparison 153
8.5.4 Safety Management System Performance Monitoring 154
8.6 Empirical Research on Use and Efficacy 154
8.6.1 Usage of Indicators 154
8.6.2 Efficacy of Indicators 155
8.7 Weaknesses, Limitations, and Criticism 155
8.7.1 Underreporting and Distortion 155
8.7.2 The Regulator Paradox and Estimation of Rare Events 156
8.7.3 Confusion Between Process Safety and Personal Safety Indicators 157
8.7.4 Unintended Consequences of Indirect Measurement 157
8.8 Relations to Other Safety Principles 158
8.8.1 Ensurance Principles 158
8.8.2 Assessment and Assurance Principles 159
References 159
9 PRINCIPLES OF HUMAN FACTORS ENGINEERING 164
Leena Norros and Paula Savioja
9.1 Introduction 164
9.2 Principle 1: HFE is Design Thinking 167
9.2.1 Description 167
9.2.2 Theoretical Foundation 168
9.2.3 Use and Implementation 170
9.2.4 Empirical Research on Use and Efficiency 170
9.3 Principle 2: HFE Studies Human as a Manifold Entity 172
9.3.1 Description 172
9.3.2 Theoretical Foundations 172
9.3.3 Use and Implementation 174
9.3.4 Empirical Research on Use and Efficiency 175
9.4 Principle 3: HFE Focuses on Technology in Use 177
9.4.1 Description 177
9.4.2 Theoretical Foundations 177
9.4.3 Use and Implementation 180
9.4.4 Empirical Research on Use and Efficiency 181
9.5 Principle 4: Safety is Achieved Through Continuous HFE 182
9.5.1 Description 182
9.5.2 Theoretical Foundation 182
9.5.3 Use and Implementation 183
9.5.4 Empirical Research on Use and Efficiency 185
9.6 Relation to Other Safety Principles 187
9.7 Limitations 188
9.8 Conclusions 189
References 190
Further Reading 195
10 SAFETY AUTOMATION 196
Björn Wahlström
10.1 Introduction 196
10.1.1 Purpose of Safety Automation 197
10.1.2 Functions of I&C Systems 199
10.1.3 Allocation of Functions between Humans and Automation 200
10.2 Origin and History 201
10.2.1 Roots of Safety Automation 201
10.2.2 Systems Design 202
10.2.3 Typical Design Projects 203
10.2.4 Analog and Digital I&C 204
10.3 Definitions and Terminology 205
10.3.1 System Life Cycles 205
10.3.2 Process and Product 206
10.3.3 Phases of Design 206
10.3.4 Operations 210
10.4 Underlying Theories and Assumptions 211
10.4.1 Systems of Systems 212
10.4.2 Building Reliability with Unreliable Parts 213
10.4.3 Reusability of Designs 213
10.4.4 Vendor Capability 213
10.4.5 Project Management 214
10.4.6 Regulatory Oversight 215
10.5 Use and Implementation 215
10.5.1 From Systems Design to I&C Design 215
10.5.2 Physical Realizations of I&C 216
10.5.3 Initial Considerations 216
10.5.4 I&C Design 217
10.5.5 Practices in Different Domains 220
10.6 Research on Use and Efficiency 220
10.6.1 Estimates of Project Cost and Duration 220
10.6.2 Support Systems for Design and Construction 221
10.6.3 Benefits of Using Safety Principles 221
10.7 Weaknesses, Limitations, and Criticism 222
10.7.1 What is Safe Enough? 222
10.7.2 Quality of Design 224
10.7.3 Field Programmable Gate Arrays 224
10.7.4 Cyber Security 224
10.7.5 Regulatory Acceptance 225
10.8 Relations to Other Safety Principles 225
10.8.1 Safety Reserves 226
10.8.2 Information and Control 226
10.8.3 Demonstrability 227
10.8.4 Optimization 227
10.8.5 Organizational Principles and Practices 228
10.9 Summary and Conclusions 228
References 229
11 RISK COMMUNICATION 235
Jan M. Gutteling
11.1 Introduction 235
11.1.1 Example 1 236
11.1.2 Risk Perception, Awareness, and Communication 236
11.1.3 This Chapter 238
11.2 The Origin and History of Risk Communication as Academic Field 238
11.2.1 Example 2 239
11.2.2 Changing Notions about Communication 239
11.2.3 Example 3 241
11.2.4 Conclusion 241
11.3 Underlying Assumptions, Concepts and Empirical Data on Risk Communication Models 241
11.3.1 Information versus Communication 241
11.3.2 Risk Communication Aims 243
11.3.3 Diagnostic Risk Communication Studies 244
11.3.4 Social Amplification of Risk 245
11.3.5 Trust in Risk Communication 246
11.3.6 Socio-Cognitive Models 247
11.3.7 Risk Information Seeking Models 247
11.3.8 Risk Communication and Social Media 249
11.3.9 Conclusion 250
11.4 Weaknesses, Limitations, and Criticism 250
11.5 Final Word 252
References 252
Further Reading 257
12 THE PRECAUTIONARY PRINCIPLE 258
Sven Ove Hansson
12.1 Introduction 258
12.2 History and Current Use 259
12.3 Definitions 263
12.4 Underlying Theory 267
12.5 Research on Use and Efficiency 271
12.6 Weaknesses, Limitations, and Criticism 271
12.6.1 Is the Principle Asymmetric? 271
12.6.2 Strawman Criticism 273
12.7 Relation to Expected Utility and Probabilistic Risk Assessment 273
12.8 Relations to Other Safety Principles 276
12.8.1 Maximin 276
12.8.2 A Reversed Burden of Proof 278
12.8.3 Sound Science 278
Acknowledgment 279
References 279
Further Reading 283
13 OPERATING PROCEDURE 284
Jinkyun Park
13.1 Introduction 284
13.2 Manual, Guideline, and Procedure 286
13.3 Existing Principles for Developing a Good Procedure 288
13.4 Additional Principle to Develop a Good Procedure 292
13.4.1 Tailoring the Level of Details 293
13.4.2 Tailoring the Complexity of Instructions 297
13.5 Concluding Remarks 299
References 301
Further Reading 304
14 HUMAN–MACHINE SYSTEM 305
Anna-Lisa Osvalder and Håkan Alm
14.1 Human–Machine System 306
14.2 Complex Systems 307
14.3 To Control a Complex System 307
14.4 Operator Demands 308
14.4.1 Mental Models 308
14.4.2 Situation Awareness 310
14.4.3 Decision-Making 310
14.4.4 Mental Workload 311
14.5 Performance-Shaping Factors 313
14.5.1 Stressors 314
14.6 User Interface Design 315
14.6.1 Information Design 315
14.6.2 Design for Attention 316
14.6.3 Design for Perception 317
14.6.4 Design for Memory Functions 319
14.6.5 Feedback 320
14.6.6 Alarms 321
14.7 Demands on the Environment 322
14.7.1 Organization 322
14.7.2 Communication 324
14.8 Handling Complexity 327
References 329
Part III Demonstrability 331
15 QUALITY PRINCIPLES AND THEIR APPLICATIONS TO SAFETY 333
Bo Bergman
15.1 Introduction 333
15.2 Improvement Knowledge and its Application to Safety 338
15.2.1 Understanding Variation 338
15.2.2 Knowledge Theory 345
15.2.3 Psychology 348
15.2.4 System Thinking 348
15.3 Health-Care Improvement and Patient Safety 349
15.4 Weaknesses, Limitations, and Criticism 351
15.5 Some Personal Experiences 352
15.6 Relations to Other Safety Principles 353
References 355
Further Reading 360
16 SAFETY CASES 361
Tim Kelly
16.1 Introduction 361
16.2 Origins and History 361
16.2.1 Windscale 362
16.2.2 Flixborough 362
16.2.3 Piper Alpha 363
16.2.4 Clapham 363
16.2.5 The Introduction of Safety Cases—A Shift in Emphasis 364
16.3 Definitions and Terminology 364
16.3.1 Safety Cases vs. Safety Case Reports 366
16.3.2 Other Terminology 367
16.4 Underlying Theory 367
16.4.1 Safety Case Argumentation 367
16.4.2 Types of Safety Case Argument 369
16.4.3 Safety Case Lifecycle 372
16.4.4 Incremental Safety Case Development 373
16.4.5 Safety Case Maintenance 374
16.4.6 Safety Case Evaluation 375
16.4.7 Safety Case Confidence 376
16.5 Empirical Research on Use and Efficiency 377
16.6 Weaknesses, Limitations, and Criticisms 377
16.6.1 Other Criticisms 381
16.7 Relationship to Other Principles 382
References 383
Further Reading 385
17 INHERENTLY SAFE DESIGN 386
Rajagopalan Srinivasan and Mohd Umair Iqbal
17.1 Introduction 386
17.2 Origin and History of the Principle 387
17.3 Definitions and Terminology 388
17.4 Use and Implementation 389
17.4.1 Examples of Minimization 390
17.4.2 Examples of Substitution 391
17.4.3 Examples of Simplification 391
17.4.4 Example of Moderation 391
17.5 Empirical Research on Use and Efficiency 392
17.6 Weaknesses, Limitation, and Criticism 393
17.7 Relation to Other Principles 394
References 394
18 MAINTENANCE, MAINTAINABILITY, AND INSPECTABILITY 397
Torbjörn Ylipää, Anders Skoogh, and Jon Bokrantz
18.1 Introduction 397
18.1.1 The Piper Alpha Disaster 398
18.2 Origin and History 399
18.3 Underlying Theory, Theoretical Assumptions, Definition, and Terminology 400
18.4 Use and Implementation 405
18.5 Empirical Research on Use and Efficiency 408
18.6 Weaknesses, Limitations, and Criticism 409
18.7 Relations to Other Safety Principles 410
References 410
Further Reading 413
Part IV Optimization 415
19 ON THE RISK-INFORMED REGULATION FOR THE SAFETY AGAINST EXTERNAL HAZARDS 417
Pieter van Gelder
19.1 Introduction 417
19.2 Risk-Regulation in Safety Against Environmental Risks 421
19.3 Dealing with Uncertainties in Risk-Informed Regulation 422
19.4 Limitations of the Current Risk Measures 424
19.5 Spatial Risk 426
19.6 Temporal Risk 429
19.7 Conclusions and Recommendations 431
Acknowledgment 432
References 432
20 QUANTITATIVE RISK ANALYSIS 434
Jan-Erik Holmberg
20.1 Introduction 434
20.2 Origin and History 435
20.3 Underlying Theory and Theoretical Assumptions 438
20.3.1 Risk 438
20.3.2 Probability 438
20.3.3 Uncertainty 439
20.3.4 Expected Value and Utility Principle 441
20.3.5 Risk Criteria 442
20.3.6 ALARP 442
20.3.7 Subsidiary Risk Criteria 443
20.3.8 Event Tree–Fault Tree Modeling 445
20.3.9 Bayesian Belief Network 448
20.3.10 Bow-Tie Method 449
20.3.11 Monte Carlo Simulation 449
20.4 Use and Implementation 449
20.4.1 National Risk Criteria 449
20.4.2 IEC 61508 and Safety Integrity Levels 450
20.4.3 Nuclear Power Plants 452
20.4.4 Oil and Gas Industry in Europe 453
20.4.5 Railway Safety in Europe 455
20.4.6 Other Industries 455
20.5 Empirical Research on Use and Efficiency 456
20.6 Weaknesses, Limitations, and Criticism 456
20.7 Relations to Other Safety Principles 458
References 458
Further Reading 460
21 QUALITATIVE RISK ANALYSIS 463
Risto Tiusanen
21.1 Introduction 463
21.2 Origin and History of the Principle 464
21.3 Definitions 465
21.4 Underlying Theory and Theoretical Assumptions 466
21.4.1 Brainstorming 467
21.4.2 Preliminary Hazard Analysis 468
21.4.3 Scenario Analysis 468
21.4.4 Operating Hazard Analysis 468
21.4.5 HAZOP Studies 469
21.4.6 Risk Matrixes 470
21.5 Use and Implementation 471
21.5.1 Systems Engineering Approach to Risk Assessment 472
21.5.2 System-Safety Engineering 473
21.5.3 Industrial Safety Engineering 476
21.5.4 Machinery-Safety Engineering 477
21.5.5 Functional Safety Engineering 478
21.6 Strengths, Weaknesses, Limitations and Criticism 480
21.7 Experiences of Preliminary Hazard Identification Methods 482
21.8 Experiences of Hazop Studies 482
21.9 Experiences of Risk Estimation Methods 483
21.10 Summary of Strengths and Limitations 484
21.11 Experiences from Complex Machinery Applications 484
21.11.1 Change from Machines to Automated Machine Systems 484
21.11.2 Case Studies on Qualitative Methods 489
21.11.3 Case Study Results 490
21.12 Relations to Other Safety Principles 491
References 491
22 PRINCIPLES AND LIMITATIONS OF COST–BENEFIT ANALYSIS FOR SAFETY INVESTMENTS 493
Genserik Reniers and Luca Talarico
22.1 Introduction 493
22.2 Principles of Cost–Benefit Analysis 495
22.3 CBA Methodologies 497
22.3.1 CBA for Type I Accidents 499
22.3.2 CBA for Type II Safety Investments 504
22.3.3 Disproportion Factor 505
22.4 Conclusions 511
References 512
23 RAMS OPTIMIZATION PRINCIPLES 514
Yan-Fu Li and Enrico Zio
List of Acronyms 514
23.1 Introduction to Reliability, Availability, Maintainability, and Safety (RAMS) Optimization 515
23.2 Multi-Objective Optimization 516
23.2.1 Problem Formulation 517
23.2.2 Pareto Optimality 518
23.3 Solution Methods 519
23.3.1 Weighted-Sum Approach 519
23.3.2 𝜀-Constraint Approach 520
23.3.3 Goal Programming 521
23.3.4 Evolutionary Algorithms 521
23.4 Performance Measures 523
23.5 Selection of Preferred Solutions 524
23.5.1 “Min–Max” Method 524
23.6 Guidelines for Implementation and Use 525
23.7 Numerical Case Study 527
23.8 Discussion 536
23.9 Relations to Other Principles 536
References 537
Further Reading 539
24 MAINTENANCE OPTIMIZATION AND ITS RELATION TO SAFETY 540
Roger Flage
24.1 Introduction 540
24.2 Related Principles and Terms 541
24.2.1 Key Terms 541
24.2.2 Maintenance Optimization Models as Special Types of Cost–Benefit Analysis 542
24.2.3 Risk Assessment and Risk Management 543
24.2.4 The ALARP Principle and Risk Acceptance Criteria 545
24.3 Maintenance Optimization 547
24.3.1 Theory 547
24.3.2 Use and Implementation 550
24.4 Discussion and Conclusions 556
Further Reading 559
References 561
25 HUMAN RELIABILITY ANALYSIS 565
Luca Podofillini
25.1 Introduction With Examples 565
25.2 Origin and History of the Principle 569
25.3 Underlying Theory and Theoretical Assumptions 572
25.4 Use and Implementation 576
25.5 Empirical Research on Use and Efficiency 578
25.6 Weaknesses, Limitations, and Criticism 583
25.7 Relationship with Other Principles 585
References 586
26 ALARA, BAT, AND THE SUBSTITUTION PRINCIPLE 593
Sven Ove Hansson
26.1 Introduction 593
26.2 Alara 594
26.2.1 History and Current Use 594
26.2.2 Definitions and Terminology 596
26.2.3 Theory and Interpretation 596
26.2.4 Effects of Applying the Principle 600
26.2.5 Weaknesses and Criticism 601
26.3 Best Available Technology 601
26.3.1 History and Current Use 601
26.3.2 Definitions and Terminology 603
26.3.3 Theory and Interpretation 603
26.3.4 Effects of Applying the Principle 605
26.3.5 Weaknesses and Criticism 605
26.4 The Substitution Principle 606
26.4.1 History and Current Use 606
26.4.2 Definitions and Terminology 609
26.4.3 Theory and Interpretation 612
26.4.4 Effects of Applying the Principle 613
26.4.5 Weaknesses and Criticism 614
26.5 Comparative Discussion 615
26.5.1 Comparisons Between the Three Principles 615
26.5.2 Comparisons with Other Principles 616
Acknowledgment 618
References 618
Further Reading 624
Part V Organizational Principles and Practices 625
27 SAFETY MANAGEMENT PRINCIPLES 627
Gudela Grote
27.1 Introduction 627
27.2 Origin and History of the Principle 629
27.3 Definitions 629
27.4 Underlying Theory and Theoretical Assumptions 630
27.5 Use and Implementation 633
27.6 Empirical Research on Use and Efficiency 634
27.6.1 Contextual factors 635
27.6.2 Examples for the effects of context on safety management 638
27.7 Weaknesses, Limitations, and Criticism 640
27.8 Relations to Other Safety Principles 642
References 642
Further Reading 646
28 SAFETY CULTURE 647
Teemu Reiman and Carl Rollenhagen
28.1 Introduction 647
28.2 Origin and History 652
28.2.1 The Chernobyl Accident 652
28.2.2 Organizational Culture and Organizational Climate: The Broader Context 653
28.2.3 Safety Climate 654
28.2.4 Organizational Culture and Safety Culture 655
28.3 Definitions and Terminology 656
28.4 Underlying Theory and Theoretical Assumptions 658
28.4.1 Some Common Features of Safety Culture Models 658
28.4.2 Theoretical Frameworks 659
28.5 Empirical Research 662
28.6 Use and Implementation 663
28.6.1 When and Where to Use the Concept? 663
28.6.2 Safety Culture as an Evaluation Framework 664
28.6.3 Developing Safety Culture 666
28.7 Weaknesses and Critique 667
28.8 Main Messages and What the Concept Tells About Safety 670
References 671
29 PRINCIPLES OF BEHAVIOR-BASED SAFETY 677
Steve Roberts and E. Scott Geller
29.1 Introduction 677
29.2 Origin and History of BBS 678
29.3 Leadership 680
29.4 Physical Environment/Conditions 683
29.5 Systems 683
29.6 Behaviors 689
29.7 Employee Involvement and Ownership 695
29.8 Person States 699
29.9 The Benefits of Behavior-Based Safety 701
29.10 Weaknesses, Limitations, and Criticisms 703
29.11 Relationship with Other Principles 705
References 707
Further Reading 710
30 PRINCIPLES OF EMERGENCY PLANS AND CRISIS MANAGEMENT 711
Ann Enander
30.1 Introduction 711
30.1.1 Components in an Emergency Plan 712
30.1.2 Emergency Planning as a Process 713
30.1.3 Crisis Management in Theory and Practice 714
30.1.4 Crisis Leadership 715
30.2 Origin and History 716
30.3 Definitions and Terminology 717
30.3.1 Classifications and Typologies 719
30.4 Underlying Theory and Theoretical Assumptions 720
30.4.1 The Emergency Response Cycle 720
30.5 Use and Implementation 721
30.6 Empirical Research on Use and Efficiency 722
30.7 Weaknesses, Limitations, and Criticism 723
30.7.1 Myths and Misconceptions 724
30.7.2 Success or Failure 725
30.8 Relations to Other Safety Principles 725
References 726
Further Reading 731
31 SAFETY STANDARDS: CHRONIC CHALLENGES AND EMERGING PRINCIPLES 732
Ibrahim Habli
31.1 Introduction 732
31.2 Definitions and Terminology 734
31.3 Organization of Safety Standards 734
31.3.1 Safety Lifecycle Models 735
31.4 Domain Specific Principles 736
31.4.1 Software Safety Assurance Principles 737
31.4.2 Automotive Functional Safety Principles 741
31.5 Development of Standards 742
31.6 Rationale in Standards 743
31.7 Chapter Summary 744
References 744
Further Reading 746
32 MANAGING THE UNEXPECTED 747
Jean-Christophe Le Coze
32.1 Introduction 747
32.2 Defining the Unexpected 750
32.2.1 The Unexpected, What Are We Dealing With? Three Examples 750
32.2.2 Were These Disasters Unexpected, Surprising? 751
32.2.3 The Unexpected, a Highly Relative Category 752
32.3 Thirty Years of Research on the Unexpected 754
32.3.1 Conceptualizing the Unexpected: Four Different Threads 754
32.3.2 Charles Perrow and Normal Accident 756
32.3.3 Barry Turner and Man-Made Disaster: A “Kuhnian” Thread 758
32.3.4 Jens Rasmussen and Complexity: An Ashbyan Thread 760
32.3.5 Four Threads, Four Sensitivities, But Not Exclusive: A Synthesis 764
32.4 Managing the Unexpected 766
32.4.1 Building Favorable Power Configurations (vs. Marxian Thread) 767
32.4.2 Confronting Our Fallible (Cultural) Constructs (vs. Kuhnian Thread) 769
32.4.3 Keeping Sight of the Relation Between Parts and Whole (vs. Ashbyan Thread) 770
32.4.4 Limitations and Opening 771
32.5 Relation to Other Principles: Further Reading 771
32.6 Conclusion 772
References 772
Index 777
Preface xxv
List of Contributors xxvii
1 INTRODUCTION 1
Niklas Moller, Sven Ove Hansson, Jan-Erik Holmberg, ¨
and Carl Rollenhagen
1.1 Competition, Overlap, and Conflicts 1
1.2 A New Level in the Study of Safety Principles 2
1.3 Metaprinciples of Safety 3
1.4 Other Ways to Characterize Safety Principles 5
1.5 Conflicts Between Safety Principles 7
1.6 When Can Safety Principles Be Broken? 8
1.7 Safety in Context 9
References 10
2 PREVIEW 11
Niklas Moller, Sven Ove Hansson, Jan-Erik Holmberg, ¨
and Carl Rollenhagen
2.1 Part I: Safety Reserves 12
2.2 Part II: Information and Control 13
2.3 Part III: Demonstrability 16
2.4 Part IV: Optimization 17
2.5 Part V: Organizational Principles and Practices 20
vvi CONTENTS
Part I Safety Reserves 23
3 RESILIENCE ENGINEERING AND THE FUTURE OF SAFETY
MANAGEMENT 25
Erik Hollnagel
3.1 On the Origins of Resilience 25
3.2 The Resilience Engineering Understanding of “Resilience” 27
3.3 The Four Potentials for Resilience Performance 29
3.4 Safety Management Systems 31
3.5 Developing Definitions of Resilience 33
3.6 Managing the Potentials for Resilient Performance 34
3.6.1 Organizations of the First Kind 35
3.6.2 Organizations of the Second Kind 36
3.6.3 Organizations of the Third Kind 36
3.6.4 Organizations of the Fourth Kind 37
3.7 Resilience Management: LP-HI OR HP-LI? 37
References 39
4 DEFENSE-IN-DEPTH 42
Jan-Erik Holmberg
4.1 Introduction 42
4.2 Underlying Theory and Theoretical Assumptions 43
4.2.1 Definitions and Terminology 43
4.3 Redundancy, Diversity, and Separation Principles 44
4.3.1 Principle of Successive Barriers and Reducing
Consequences 46
4.3.2 Principle of Accident Prevention and Mitigation 47
4.3.3 Classification of Barriers 49
4.3.4 Safety Classification 50
4.3.5 Overall Safety Goals and Risk Acceptance Criteria vs.
Defense-in-Depth 51
4.4 Use and Implementation 53
4.4.1 Nuclear Power Plant Safety 53
4.4.2 Chemical Industry 54
4.4.3 Information Technology Security 55
4.4.4 Railway Safety 56
4.4.5 Automobile Safety 57CONTENTS vii
4.5 Empirical Research on use and Efficiency 57
4.6 Weaknesses, Limitations, and Criticism 57
4.7 Relations to Other Safety Principles 59
References 60
Further Reading 61
5 SAFETY BARRIERS 63
Lars Harms-Ringdahl and Carl Rollenhagen
5.1 Introduction 63
5.1.1 Classical and Radical Definitions of Barriers 64
5.1.2 Examples 64
5.2 Origin and Theoretical Background 65
5.2.1 Energy and Sequence Models 65
5.2.2 Extended Models 66
5.3 Definitions and Terminology 67
5.3.1 Examples of Barrier Definitions 67
5.3.2 Barriers and Barrier Systems 68
5.3.3 Alternatives to the Barrier Concept 69
5.3.4 Safety Functions 70
5.3.5 Conclusion 71
5.4 Classification of Barriers 71
5.4.1 General Considerations 71
5.4.2 System Level Classification 72
5.4.3 Classification Related to Accident Sequence 72
5.4.4 Physical and Non-physical Barriers 72
5.4.5 Administrative and Human Barriers 73
5.4.6 Passive and Active Barriers 73
5.4.7 Combined Models 74
5.4.8 Purpose of Barriers 75
5.5 Methods for Analysis of Safety Barriers 75
5.5.1 Energy Analysis 76
5.5.2 Event Tree Analysis 76
5.5.3 Fault Tree Analysis 77
5.5.4 Safety Barrier Diagrams 77
5.5.5 Management Oversight and Risk Tree 78viii CONTENTS
5.5.6 MTO Event Investigation 78
5.5.7 Safety Function Analysis 78
5.5.8 Reliability Techniques 78
5.6 Quality and Efficiency of Barriers 79
5.6.1 Design and Installation of Barriers 79
5.6.2 Management of Barrier Systems During Operation 80
5.6.3 Maintenance of Barriers 80
5.6.4 Summary of Barrier Management Principles 81
5.7 Discussion and Conclusions 82
5.7.1 The Classical and Radical Meaning 82
5.7.2 Empirical Research on Use and Efficiency 83
5.7.3 General Conclusions 83
5.7.4 Relations to the Other Chapters 84
References 84
6 FACTORS AND MARGINS OF SAFETY 87
Neelke Doorn and Sven Ove Hansson
6.1 Introduction 87
6.2 Origin and History 91
6.3 Definitions and Terminology 92
6.4 Underlying Theory and Theoretical Assumptions 94
6.4.1 Structural Engineering 95
6.4.2 Toxicology 97
6.5 Use and Implementation 98
6.5.1 Three Types of Numerical Safety Reserves 98
6.5.2 How Safety Factors are Determined 99
6.6 Empirical Research on Use and Efficiency 101
6.6.1 Engineering 101
6.6.2 Toxicology 102
6.7 Weaknesses, Limitations, and Criticism 103
6.8 Relations to Other Safety Principles 105
6.8.1 Probabilistic Analysis 105
6.8.2 Cost–Benefit Analysis 106
Acknowledgment 108
References 108
Further Reading 114CONTENTS ix
Part II Information and Control 115
7 EXPERIENCE FEEDBACK 117
Urban Kjellen ´
7.1 Introduction 117
7.1.1 Example 117
7.2 Origin and History 118
7.3 Definitions 121
7.4 Underlying Theories and Assumptions 122
7.4.1 Feedback Cycle for the Control of Anything 122
7.4.2 Safety Information Systems 124
7.4.3 The Diagnostic Process 125
7.4.4 Knowledge Management 126
7.5 Use and Implementation 127
7.5.1 Safety Practice in an Operational Setting 127
7.5.2 Risk Assessment 131
7.5.3 Transfer of Experience to New Construction Projects 132
7.5.4 Transfer of Experience from the Users to Design 133
7.6 Empirical Research on Use and Efficiency 135
7.7 Relations to Other Safety Principles 137
7.7.1 Safety Management 137
7.7.2 Resilience Engineering 138
7.7.3 Safety Indicators 138
7.7.4 Safety Culture 138
References 138
Further Reading 141
8 RISK AND SAFETY INDICATORS 142
Drew Rae
8.1 Introduction 142
8.2 Origin and History 143
8.3 Definitions and Terminology 145
8.4 Underlying Theory and Theoretical Assumptions 146
8.4.1 Past, Present, and Future Safety 146
8.4.2 Outcome Indicators 147
8.4.3 Risk Models and Precursor Events 148x CONTENTS
8.4.4 Status of Physical and Procedural Controls 150
8.4.5 Safe Behaviors 150
8.4.6 Amount and Quality of Safety Activity 151
8.4.7 Organizational Drivers and Attributes 151
8.4.8 Variability 152
8.5 Use and Implementation 152
8.5.1 Metrics Collection 152
8.5.2 Incentives and Accountability 153
8.5.3 Benchmarking and Comparison 153
8.5.4 Safety Management System Performance Monitoring 154
8.6 Empirical Research on Use and Efficacy 154
8.6.1 Usage of Indicators 154
8.6.2 Efficacy of Indicators 155
8.7 Weaknesses, Limitations, and Criticism 155
8.7.1 Underreporting and Distortion 155
8.7.2 The Regulator Paradox and Estimation of Rare Events 156
8.7.3 Confusion Between Process Safety and Personal
Safety Indicators 157
8.7.4 Unintended Consequences of Indirect Measurement 157
8.8 Relations to Other Safety Principles 158
8.8.1 Ensurance Principles 158
8.8.2 Assessment and Assurance Principles 159
References 159
9 PRINCIPLES OF HUMAN FACTORS ENGINEERING 164
Leena Norros and Paula Savioja
9.1 Introduction 164
9.2 Principle 1: HFE is Design Thinking 167
9.2.1 Description 167
9.2.2 Theoretical Foundation 168
9.2.3 Use and Implementation 170
9.2.4 Empirical Research on Use and Efficiency 170
9.3 Principle 2: HFE Studies Human as a Manifold Entity 172
9.3.1 Description 172
9.3.2 Theoretical Foundations 172
9.3.3 Use and Implementation 174
9.3.4 Empirical Research on Use and Efficiency 175CONTENTS xi
9.4 Principle 3: HFE Focuses on Technology in Use 177
9.4.1 Description 177
9.4.2 Theoretical Foundations 177
9.4.3 Use and Implementation 180
9.4.4 Empirical Research on Use and Efficiency 181
9.5 Principle 4: Safety is Achieved Through Continuous HFE 182
9.5.1 Description 182
9.5.2 Theoretical Foundation 182
9.5.3 Use and Implementation 183
9.5.4 Empirical Research on Use and Efficiency 185
9.6 Relation to Other Safety Principles 187
9.7 Limitations 188
9.8 Conclusions 189
References 190
Further Reading 195
10 SAFETY AUTOMATION 196
Bjorn Wahlstr ¨ om ¨
10.1 Introduction 196
10.1.1 Purpose of Safety Automation 197
10.1.2 Functions of I&C Systems 199
10.1.3 Allocation of Functions between Humans
and Automation 200
10.2 Origin and History 201
10.2.1 Roots of Safety Automation 201
10.2.2 Systems Design 202
10.2.3 Typical Design Projects 203
10.2.4 Analog and Digital I&C 204
10.3 Definitions and Terminology 205
10.3.1 System Life Cycles 205
10.3.2 Process and Product 206
10.3.3 Phases of Design 206
10.3.4 Operations 210
10.4 Underlying Theories and Assumptions 211
10.4.1 Systems of Systems 212
10.4.2 Building Reliability with Unreliable Parts 213xii CONTENTS
10.4.3 Reusability of Designs 213
10.4.4 Vendor Capability 213
10.4.5 Project Management 214
10.4.6 Regulatory Oversight 215
10.5 Use and Implementation 215
10.5.1 From Systems Design to I&C Design 215
10.5.2 Physical Realizations of I&C 216
10.5.3 Initial Considerations 216
10.5.4 I&C Design 217
10.5.5 Practices in Different Domains 220
10.6 Research on Use and Efficiency 220
10.6.1 Estimates of Project Cost and Duration 220
10.6.2 Support Systems for Design and Construction 221
10.6.3 Benefits of Using Safety Principles 221
10.7 Weaknesses, Limitations, and Criticism 222
10.7.1 What is Safe Enough? 222
10.7.2 Quality of Design 224
10.7.3 Field Programmable Gate Arrays 224
10.7.4 Cyber Security 224
10.7.5 Regulatory Acceptance 225
10.8 Relations to Other Safety Principles 225
10.8.1 Safety Reserves 226
10.8.2 Information and Control 226
10.8.3 Demonstrability 227
10.8.4 Optimization 227
10.8.5 Organizational Principles and Practices 228
10.9 Summary and Conclusions 228
References 229
11 RISK COMMUNICATION 235
Jan M. Gutteling
11.1 Introduction 235
11.1.1 Example 1 236
11.1.2 Risk Perception, Awareness, and Communication 236
11.1.3 This Chapter 238
11.2 The Origin and History of Risk Communication as Academic
Field 238
11.2.1 Example 2 239
11.2.2 Changing Notions about Communication 239
11.2.3 Example 3 241
11.2.4 Conclusion 241
11.3 Underlying Assumptions, Concepts and Empirical Data on
Risk Communication Models 241
11.3.1 Information versus Communication 241
11.3.2 Risk Communication Aims 243
11.3.3 Diagnostic Risk Communication Studies 244
11.3.4 Social Amplification of Risk 245
11.3.5 Trust in Risk Communication 246
11.3.6 Socio-Cognitive Models 247
11.3.7 Risk Information Seeking Models 247
11.3.8 Risk Communication and Social Media 249
11.3.9 Conclusion 250
11.4 Weaknesses, Limitations, and Criticism 250
11.5 Final Word 252
References 252
Further Reading 257
12 THE PRECAUTIONARY PRINCIPLE 258
Sven Ove Hansson
12.1 Introduction 258
12.2 History and Current Use 259
12.3 Definitions 263
12.4 Underlying Theory 267
12.5 Research on Use and Efficiency 271
12.6 Weaknesses, Limitations, and Criticism 271
12.6.1 Is the Principle Asymmetric? 271
12.6.2 Strawman Criticism 273
12.7 Relation to Expected Utility and Probabilistic Risk Assessment 273
12.8 Relations to Other Safety Principles 276
12.8.1 Maximin 276
12.8.2 A Reversed Burden of Proof 278
12.8.3 Sound Science 278
Acknowledgment 279
References 279
Further Reading 283
13 OPERATING PROCEDURE 284
Jinkyun Park
13.1 Introduction 284
13.2 Manual, Guideline, and Procedure 286
13.3 Existing Principles for Developing a Good Procedure 288
13.4 Additional Principle to Develop a Good Procedure 292
13.4.1 Tailoring the Level of Details 293
13.4.2 Tailoring the Complexity of Instructions 297
13.5 Concluding Remarks 299
References 301
Further Reading 304
14 HUMAN–MACHINE SYSTEM 305
Anna-Lisa Osvalder and Håkan Alm
14.1 Human–Machine System 306
14.2 Complex Systems 307
14.3 To Control a Complex System 307
14.4 Operator Demands 308
14.4.1 Mental Models 308
14.4.2 Situation Awareness 310
14.4.3 Decision-Making 310
14.4.4 Mental Workload 311
14.5 Performance-Shaping Factors 313
14.5.1 Stressors 314
14.6 User Interface Design 315
14.6.1 Information Design 315
14.6.2 Design for Attention 316
14.6.3 Design for Perception 317
14.6.4 Design for Memory Functions 319
14.6.5 Feedback 320
14.6.6 Alarms 321
14.7 Demands on the Environment 322
14.7.1 Organization 322
14.7.2 Communication 324
14.8 Handling Complexity 327
References 329
Part III Demonstrability 331
15 QUALITY PRINCIPLES AND THEIR APPLICATIONS TO SAFETY 333
Bo Bergman
15.1 Introduction 333
15.2 Improvement Knowledge and its Application to Safety 338
15.2.1 Understanding Variation 338
15.2.2 Knowledge Theory 345
15.2.3 Psychology 348
15.2.4 System Thinking 348
15.3 Health-Care Improvement and Patient Safety 349
15.4 Weaknesses, Limitations, and Criticism 351
15.5 Some Personal Experiences 352
15.6 Relations to Other Safety Principles 353
References 355
Further Reading 360
16 SAFETY CASES 361
Tim Kelly
16.1 Introduction 361
16.2 Origins and History 361
16.2.1 Windscale 362
16.2.2 Flixborough 362
16.2.3 Piper Alpha 363
16.2.4 Clapham 363
16.2.5 The Introduction of Safety Cases—A Shift in
Emphasis 364
16.3 Definitions and Terminology 364
16.3.1 Safety Cases vs. Safety Case Reports 366
16.3.2 Other Terminology 367
16.4 Underlying Theory 367
16.4.1 Safety Case Argumentation 367
16.4.2 Types of Safety Case Argument 369
16.4.3 Safety Case Lifecycle 372
16.4.4 Incremental Safety Case Development 373
16.4.5 Safety Case Maintenance 374
16.4.6 Safety Case Evaluation 375
16.4.7 Safety Case Confidence 376
16.5 Empirical Research on Use and Efficiency 377
16.6 Weaknesses, Limitations, and Criticisms 377
16.6.1 Other Criticisms 381
16.7 Relationship to Other Principles 382
References 383
Further Reading 385
17 INHERENTLY SAFE DESIGN 386
Rajagopalan Srinivasan and Mohd Umair Iqbal
17.1 Introduction 386
17.2 Origin and History of the Principle 387
17.3 Definitions and Terminology 388
17.4 Use and Implementation 389
17.4.1 Examples of Minimization 390
17.4.2 Examples of Substitution 391
17.4.3 Examples of Simplification 391
17.4.4 Example of Moderation 391
17.5 Empirical Research on Use and Efficiency 392
17.6 Weaknesses, Limitation, and Criticism 393
17.7 Relation to Other Principles 394
References 394
18 MAINTENANCE, MAINTAINABILITY, AND INSPECTABILITY 397
Torbjörn Ylipää, Anders Skoogh, and Jon Bokrantz
18.1 Introduction 397
18.1.1 The Piper Alpha Disaster 398
18.2 Origin and History 399
18.3 Underlying Theory, Theoretical Assumptions, Definition, and
Terminology 400
18.4 Use and Implementation 405
18.5 Empirical Research on Use and Efficiency 408
18.6 Weaknesses, Limitations, and Criticism 409
18.7 Relations to Other Safety Principles 410
References 410
Further Reading 413
Part IV Optimization 415
19 ON THE RISK-INFORMED REGULATION FOR THE SAFETY
AGAINST EXTERNAL HAZARDS 417
Pieter van Gelder
19.1 Introduction 417
19.2 Risk-Regulation in Safety Against Environmental Risks 421
19.3 Dealing with Uncertainties in Risk-Informed Regulation 422
19.4 Limitations of the Current Risk Measures 424
19.5 Spatial Risk 426
19.6 Temporal Risk 429
19.7 Conclusions and Recommendations 431
Acknowledgment 432
References 432
20 QUANTITATIVE RISK ANALYSIS 434
Jan-Erik Holmberg
20.1 Introduction 434
20.2 Origin and History 435
20.3 Underlying Theory and Theoretical Assumptions 438
20.3.1 Risk 438
20.3.2 Probability 438
20.3.3 Uncertainty 439
20.3.4 Expected Value and Utility Principle 441
20.3.5 Risk Criteria 442
20.3.6 ALARP 442
20.3.7 Subsidiary Risk Criteria 443
20.3.8 Event Tree–Fault Tree Modeling 445
20.3.9 Bayesian Belief Network 448
20.3.10 Bow-Tie Method 449
20.3.11 Monte Carlo Simulation 449
20.4 Use and Implementation 449
20.4.1 National Risk Criteria 449
20.4.2 IEC 61508 and Safety Integrity Levels 450
20.4.3 Nuclear Power Plants 452
20.4.4 Oil and Gas Industry in Europe 453
20.4.5 Railway Safety in Europe 455
20.4.6 Other Industries 455
20.5 Empirical Research on Use and Efficiency 456
20.6 Weaknesses, Limitations, and Criticism 456
20.7 Relations to Other Safety Principles 458
References 458
Further Reading 460
21 QUALITATIVE RISK ANALYSIS 463
Risto Tiusanen
21.1 Introduction 463
21.2 Origin and History of the Principle 464
21.3 Definitions 465
21.4 Underlying Theory and Theoretical Assumptions 466
21.4.1 Brainstorming 467
21.4.2 Preliminary Hazard Analysis 468
21.4.3 Scenario Analysis 468
21.4.4 Operating Hazard Analysis 468
21.4.5 HAZOP Studies 469
21.4.6 Risk Matrixes 470
21.5 Use and Implementation 471
21.5.1 Systems Engineering Approach to Risk Assessment 472
21.5.2 System-Safety Engineering 473
21.5.3 Industrial Safety Engineering 476
21.5.4 Machinery-Safety Engineering 477
21.5.5 Functional Safety Engineering 478
21.6 Strengths, Weaknesses, Limitations and Criticism 480
21.7 Experiences of Preliminary Hazard Identification Methods 482
21.8 Experiences of Hazop Studies 482
21.9 Experiences of Risk Estimation Methods 483
21.10 Summary of Strengths and Limitations 484
21.11 Experiences from Complex Machinery Applications 484
21.11.1 Change from Machines to Automated
Machine Systems 484
21.11.2 Case Studies on Qualitative Methods 489
21.11.3 Case Study Results 490
21.12 Relations to Other Safety Principles 491
References 491
22 PRINCIPLES AND LIMITATIONS OF COST–BENEFIT ANALYSIS
FOR SAFETY INVESTMENTS 493
Genserik Reniers and Luca Talarico
22.1 Introduction 493
22.2 Principles of Cost–Benefit Analysis 495
22.3 CBA Methodologies 497
22.3.1 CBA for Type I Accidents 499
22.3.2 CBA for Type II Safety Investments 504
22.3.3 Disproportion Factor 505
22.4 Conclusions 511
References 512
23 RAMS OPTIMIZATION PRINCIPLES 514
Yan-Fu Li and Enrico Zio
List of Acronyms 514
23.1 Introduction to Reliability, Availability, Maintainability, and
Safety (RAMS) Optimization 515
23.2 Multi-Objective Optimization 516
23.2.1 Problem Formulation 517
23.2.2 Pareto Optimality 518
23.3 Solution Methods 519
23.3.1 Weighted-Sum Approach 519
23.3.2 𝜀-Constraint Approach 520
23.3.3 Goal Programming 521
23.3.4 Evolutionary Algorithms 521
23.4 Performance Measures 523
23.5 Selection of Preferred Solutions 524
23.5.1 “Min–Max” Method 524
23.6 Guidelines for Implementation and Use 525
23.7 Numerical Case Study 527
23.8 Discussion 536
23.9 Relations to Other Principles 536
References 537
Further Reading 539
24 MAINTENANCE OPTIMIZATION AND ITS RELATION
TO SAFETY 540
Roger Flage
24.1 Introduction 540
24.2 Related Principles and Terms 541
24.2.1 Key Terms 541
24.2.2 Maintenance Optimization Models as Special Types
of Cost–Benefit Analysis 542
24.2.3 Risk Assessment and Risk Management 543
24.2.4 The ALARP Principle and Risk Acceptance Criteria 545
24.3 Maintenance Optimization 547
24.3.1 Theory 547
24.3.2 Use and Implementation 550
24.4 Discussion and Conclusions 556
Further Reading 559
References 561
25 HUMAN RELIABILITY ANALYSIS 565
Luca Podofillini
25.1 Introduction With Examples 565
25.2 Origin and History of the Principle 569
25.3 Underlying Theory and Theoretical Assumptions 572
25.4 Use and Implementation 576
25.5 Empirical Research on Use and Efficiency 578
25.6 Weaknesses, Limitations, and Criticism 583
25.7 Relationship with Other Principles 585
References 586
26 ALARA, BAT, AND THE SUBSTITUTION PRINCIPLE 593
Sven Ove Hansson
26.1 Introduction 593
26.2 Alara 594
26.2.1 History and Current Use 594
26.2.2 Definitions and Terminology 596
26.2.3 Theory and Interpretation 596
26.2.4 Effects of Applying the Principle 600
26.2.5 Weaknesses and Criticism 601
26.3 Best Available Technology 601
26.3.1 History and Current Use 601
26.3.2 Definitions and Terminology 603
26.3.3 Theory and Interpretation 603
26.3.4 Effects of Applying the Principle 605
26.3.5 Weaknesses and Criticism 605
26.4 The Substitution Principle 606
26.4.1 History and Current Use 606
26.4.2 Definitions and Terminology 609
26.4.3 Theory and Interpretation 612
26.4.4 Effects of Applying the Principle 613
26.4.5 Weaknesses and Criticism 614
26.5 Comparative Discussion 615
26.5.1 Comparisons Between the Three Principles 615
26.5.2 Comparisons with Other Principles 616
Acknowledgment 618
References 618
Further Reading 624
Part V Organizational Principles and Practices 625
27 SAFETY MANAGEMENT PRINCIPLES 627
Gudela Grote
27.1 Introduction 627
27.2 Origin and History of the Principle 629
27.3 Definitions 629
27.4 Underlying Theory and Theoretical Assumptions 630
27.5 Use and Implementation 633
27.6 Empirical Research on Use and Efficiency 634
27.6.1 Contextual factors 635
27.6.2 Examples for the effects of context on safety
management 638
27.7 Weaknesses, Limitations, and Criticism 640
27.8 Relations to Other Safety Principles 642
References 642
Further Reading 646
28 SAFETY CULTURE 647
Teemu Reiman and Carl Rollenhagen
28.1 Introduction 647
28.2 Origin and History 652
28.2.1 The Chernobyl Accident 652
28.2.2 Organizational Culture and Organizational Climate:
The Broader Context 653
28.2.3 Safety Climate 654
28.2.4 Organizational Culture and Safety Culture 655
28.3 Definitions and Terminology 656
28.4 Underlying Theory and Theoretical Assumptions 658
28.4.1 Some Common Features of Safety Culture Models 658
28.4.2 Theoretical Frameworks 659
28.5 Empirical Research 662
28.6 Use and Implementation 663
28.6.1 When and Where to Use the Concept? 663
28.6.2 Safety Culture as an Evaluation Framework 664
28.6.3 Developing Safety Culture 666
28.7 Weaknesses and Critique 667
28.8 Main Messages and What the Concept Tells About Safety 670
References 671
29 PRINCIPLES OF BEHAVIOR-BASED SAFETY 677
Steve Roberts and E. Scott Geller
29.1 Introduction 677
29.2 Origin and History of BBS 678
29.3 Leadership 680
29.4 Physical Environment/Conditions 683
29.5 Systems 683
29.6 Behaviors 689
29.7 Employee Involvement and Ownership 695
29.8 Person States 699
29.9 The Benefits of Behavior-Based Safety 701
29.10 Weaknesses, Limitations, and Criticisms 703
29.11 Relationship with Other Principles 705
References 707
Further Reading 710
30 PRINCIPLES OF EMERGENCY PLANS AND
CRISIS MANAGEMENT 711
Ann Enander
30.1 Introduction 711
30.1.1 Components in an Emergency Plan 712
30.1.2 Emergency Planning as a Process 713
30.1.3 Crisis Management in Theory and Practice 714
30.1.4 Crisis Leadership 715
30.2 Origin and History 716
30.3 Definitions and Terminology 717
30.3.1 Classifications and Typologies 719
30.4 Underlying Theory and Theoretical Assumptions 720
30.4.1 The Emergency Response Cycle 720
30.5 Use and Implementation 721
30.6 Empirical Research on Use and Efficiency 722
30.7 Weaknesses, Limitations, and Criticism 723
30.7.1 Myths and Misconceptions 724
30.7.2 Success or Failure 725
30.8 Relations to Other Safety Principles 725
References 726
Further Reading 731
31 SAFETY STANDARDS: CHRONIC CHALLENGES AND
EMERGING PRINCIPLES 732
Ibrahim Habli
31.1 Introduction 732
31.2 Definitions and Terminology 734
31.3 Organization of Safety Standards 734
31.3.1 Safety Lifecycle Models 735
31.4 Domain Specific Principles 736
31.4.1 Software Safety Assurance Principles 737
31.4.2 Automotive Functional Safety Principles 741
31.5 Development of Standards 742
31.6 Rationale in Standards 743
31.7 Chapter Summary 744
References 744
Further Reading 746
32 MANAGING THE UNEXPECTED 747
Jean-Christophe Le Coze
32.1 Introduction 747
32.2 Defining the Unexpected 750
32.2.1 The Unexpected, What Are We Dealing With?
Three Examples 750
32.2.2 Were These Disasters Unexpected, Surprising? 751
32.2.3 The Unexpected, a Highly Relative Category 752
32.3 Thirty Years of Research on the Unexpected 754
32.3.1 Conceptualizing the Unexpected: Four
Different Threads 754
32.3.2 Charles Perrow and Normal Accident 756
32.3.3 Barry Turner and Man-Made Disaster:
A “Kuhnian” Thread 758
32.3.4 Jens Rasmussen and Complexity: An Ashbyan Thread 760
32.3.5 Four Threads, Four Sensitivities, But Not Exclusive:
A Synthesis 764
32.4 Managing the Unexpected 766
32.4.1 Building Favorable Power Configurations
(vs. Marxian Thread) 767
32.4.2 Confronting Our Fallible (Cultural)
Constructs (vs. Kuhnian Thread) 769
32.4.3 Keeping Sight of the Relation Between Parts and
Whole (vs. Ashbyan Thread) 770
32.4.4 Limitations and Opening 771
32.5 Relation to Other Principles: Further Reading 771
32.6 Conclusion 772
References 772
Index 777
INDEX
A(H1N1) influenza, 725
abstraction hierarchy complexity, 298
acceptable risk, 17, 435
criterion of, 441
level of, 457
acceptance criterion, 296
accident investigation, 117, 123–125,
129–130, 133
accidents
Challenger, Space Shuttle, 176, 647, 651,
655, 751, 757, 761, 765, 772
Chernobyl, xxviii, 20, 120, 394, 647, 649,
652–653, 656, 715, 717, 751, 757, 761
Clapham Junction, 763
Columbia, Space Shuttle, 647
explosion, in the port of Tianjin, 239
Exxon Valdez oil spill, 757
Fukushima, 572, 583, 647–649, 653,
758
Three Mile Island, 717, 756
Windscale, 361–362
Ackoff, Russell, 349
active failures, 69
actively caring for people, 680
age-based maintenance, 541
AHC, 298
Ahteensuu, Marko, 279, 594, 618
aircraft safety assessment, 736
air traffic management, 204, 364
ALAP, 595–596
ALARA, 2, 19–20, 451, 475, 491, 593–601,
615–618
alarm system, 58, 313, 321–322, 713, 715
ALARP, 19, 353, 436–437, 442–444, 451,
475, 477, 481, 483, 541, 543–547,
551–560, 596
algorithm
evolutionary, 515, 521, 526, 530, 532,
536
genetic, 521–522, 531
allowed best technology, 606
Alm, Håkan, xxvii, 15, 305
Alphen aan den Rijn, 430–431
anthrax, 722
arguments
deductive, 368
inductive, 368
layered model, 741
risk, 371
Ashby, Ross, 22, 754
Ashby’s Law of Requisite Variety, 123
as low as practicable, 595–596
as low as reasonably achievable, 2, 19–20,
451, 475, 491, 593–601, 615–618
as low as reasonably practicable, 19, 353,
436–437, 442–444, 451, 475, 477, 481,
483, 541, 543–547, 551–560, 596
assembly breakdown, 208
assessment of activity, 176
attention, divided, 317
auditory displays, 308, 317–320
automation, 328
automobile safety, 57
autonomy, 705
Handbook of Safety Principles, First Edition. Edited by Niklas Möller, Sven Ove Hansson,
Jan-Erik Holmberg, and Carl Rollenhagen.
© 2018 John Wiley & Sons, Inc. Published 2018 by John Wiley & Sons, Inc.
Bannon, Liam, 168
barrier, 63–71, 81
active and passive, 73
classical view of, 82
classification of, 71
design and installation of, 79
function, 66–69, 71, 74
functional, 150
human, 73
incorporeal, 150
maintenance of, 80
management, 69, 71, 79–82
non-physical, 73
physical, 72
primary, 74
purpose of, 75
quality and efficiency of, 79
radical interpretation of, 82
strategy, 69
system, 45–47, 57, 59, 68, 74, 78, 80, 82
Bayesian belief network, 448, 582
Bayesian paradigm, 432
Bayes’ theorem, 310
BBN, 448, 582
BBS, 21, 158–159, 300, 677–679, 686, 689,
691, 693, 695, 699, 701–706, 748
behavior
direct, 690
improvement, 691
modification programs, 704
spurious, 206
behavioral sampling, 119
behavior-based
coaching, 702
feedback, 678
goal-setting, 678
incentives and rewards, 678
incident analysis, 678
leadership development, 678
safety, 21, 119, 158–159, 300, 677–679,
686, 689, 691, 693, 695, 699, 701–706,
748
safety, benefits of, 701
safety, criticisms of, 703
safety-training, 678, 704–705
behaviorism, 150
Beninson, Dan J., 600
BEP, 603, 605
Bergman, Bo, xxvii, 16, 333
Beronius, Anna, 279
best available control technology, 603
best available technology, 593–594,
601–606, 615–618
concept of, 605
not entailing excessive costs, 603
methodology of, 605
reference documents, 602
regulations of, 606
strategies of, 606
best environmental practice, 603, 605
best practicable
control technology, 603–604
environmental option, 603
means, 603
Bhopal, 757, 761
Birnbaum metric, 447–448
Bisphenol A, 259
Blackwell’s theorem, 554
blowout preventer, 750
Bokrantz, Jon, xxvii, 17, 397
bow-tie
diagram, 449
method, 48, 449
brain cramp, 688
brainstorming, 467, 482, 485
branch probabilities, 446
breakdown
assembly, 208
organizational, 208
product, 208
broad perspectives, 720
Buchanan, Richard, 169–170
capability, 718
capacitation, 4
capacity, 718
causality credo, 27, 34
causal primacy, 173
Challenger Space Shuttle accident, 176, 647,
651, 655, 751, 757, 761, 765, 772
check-lists, 485
of critical behavior, 691, 693
chemistry, green, 394, 608
Chernobyl accident, xxviii, 20, 120, 394,
647, 649, 652–653, 656, 715, 717, 751,
757, 761
cholera, 259–260
Clapham Junction accident, 763
climate change, 251
close-call reporting, 685
cognitive resources, 16
Columbia Space Shuttle accident, 647
common cause
analysis, 736
failure, 45, 54, 80, 213, 222
hypothesis, 149
communicative function, 179
community of practice, 125–127, 132–133
completeness, 206, 219, 222–223, 225, 371,
440, 583
complex reliability models, 446
compliance, 372
computer aided
design, 220
manufacturing, 220
conceptual design, 208–209, 214, 219,
226–227, 343, 464, 468, 482, 489–490
confidentiality, 225
configuration management, 205, 207,
210–211, 218, 221
consequence categories, 443
consequence-probability matrix, 470, 487
consistency, 181, 209, 219, 222–223, 225,
582, 735, 763
construction safety, 133
contextual analysis of activity, 175–176
contingency plan, 711
control chart, 339, 341
control, digital, 204
control engineering, 202, 220
control, and instrumentation, 196–202,
204–206, 209–211, 216, 218, 220–222,
227, 229
analog and digital, 204, 227
application of, 226
architecture of, 216, 218, 222, 225–226
digital, 218, 220, 228
failures of, 226
functions of, 218
platforms, 205, 215–216, 222
systems of, 14, 199, 202, 204–205, 217,
220, 224
vendors of, 216
control, internal, 118, 120, 137
controller action reliability analysis,
571
control technology
best available, 603
best practicable, 603–604
maximum achievable, 603
reasonably achievable, 603
core-task
analysis, 469
design, 172, 178–179, 183–184, 188–189
correctness, 222, 225
cost-benefit analysis, 4, 18, 106–108, 266,
274, 421, 430, 432, 441, 443, 458, 493,
495–499, 503–505, 507–509, 511–512,
541–543, 545–547, 559–560, 594, 604,
616, 734
ex ante, 496
ex post, 496
methodology of, 497
quantitative, 496, 507
cost-benefit framework, 430
cost-benefit optimization, 2, 4–5, 19, 267,
541, 544, 547, 556, 558
cost-benefit ratio, 498–499, 503
cost-benefit rationale, 540, 559
cost-effectiveness, 661
countervailing risks, 107
CPS, 168, 178, 190
crisis management, 711–712, 714–715,
717–720, 722, 724–726, 747
critical behavior checklist, 691, 693
critical risk, 454
cultural framework, 661
cultural-historical activity theory, 178, 184
culture, 660, 669
delineation of, 661
interpretive approach to, 660
national, 648
organizational, 648–649, 652, 665–666
subcultures, 649
cyber-physical systems, 168, 178, 190
cyber security, 224–225, 229, 247
decision
criteria, 453
theory, 436
deductive argument, 368
default toxicity, 276
defense, 69
defense-in-depth, 12, 42–49, 51–60, 63,
68–69, 72, 78, 84, 158, 212, 222–223,
226, 228, 368, 410, 445, 458, 649, 747,
760–761, 763
fallacy, 763
Delphi technique, 467
demand, physical, 312
Deming, Edwards W., 701
design
core-task, 172, 178–179, 183–184,
188–189
detailed, 43, 209, 217, 219, 226,
374
fail-safe, 59, 388
industrial, 168, 185, 204
inherently safe, 6, 16, 355, 386–388, 390,
393–394, 478, 560
parameter, 344
pattern, 214, 228
safety in, 135, 137
of systems, xxxiv, 59, 132, 202, 215,
479
thinking, 14, 167–171, 190
development assurance level, 733–734
diagnostic process, 125–126
digital control, 204
digitalization, 408
direct behaviors, 690
disasters
Katrina, Hurricane, 722, 724–725
Piper Alpha, 32, 120, 145, 361, 363, 398,
410, 494, 647, 761
Texas City Refinery, 145, 157,
495
displays, 317
disproportion factor, 505–506, 511
distribution arbitrariness, 96
diverse redundancy, 45
diversity, 59
divided attention, 317
Doorn, Neelke, xxvii, 12, 87
double-loop learning, 122, 138
Downer, John, 760
Dynes, Russell, 717
economic
rate of return, 501
risk, 465
ecotoxicity, 274–275
ecotoxicology, 268
efficacy of indicators, 155
Ellul, Jacques, 22, 754, 756
embryonic theories, 720
emergency management, 718
emergency operations plan, 711
emergency plan, 711–713, 718, 721–722,
724
components of, 712
operations, 711
response, 711
emergency response cycle, 720
emergency response plan, 711
emission
limit values, 602
lowest achievable rate, 603
employee participation, 684
Enander, Ann, xxviii, 711
energy
analysis, 76
model, 119–130
engineering
decision complexity, 298
design, 92, 168, 201–202, 220
ensurance principles, 158
environmental safety culture, 669
epistemic primacy, 173
equipment under control, 479
error, human, 688
analysis of, 706
assessment and reduction technique, 567,
570–575, 578–580
European Treaty, 261
event tree analysis, 76, 445, 543
evolutionary algorithm, 515, 521, 526, 530,
532
multi-objective, 526, 530, 536
single-objective, 526–527
expected
consequence, 690
developer, 288
end user, 288
utility, 457
utility principle, 441
value-based calculations, 541
experience
carrier, 131–135
explicit, 131
feedback, 13, 117–138, 121–122, 124,
131, 747
explosion, in the port of Tianjin, 239
extended parallel process model, 247
external
hazard, 417
regulation, 637, 640, 642
Exxon Valdez oil spill, 757
factionalism, 2
fail-safe design, 59, 388
failure
active, 69
concept of, 669
failure mode
effect analysis, 79, 454, 477
effects and criticality analysis, 543
Falzon, Pierre, 168
fatality risk of groups, 442
fault hazard analysis, 475
fault-tolerant system, 688
fault tree analysis, 77, 446, 475, 543
Federal Aviation Administration, 736,
768
feedback
control, 122, 137, 201–202
cycle, 13, 122
field
instrument, 218
programmable gate arrays, 224
Findeli, A., 169–170
Flage, Roger, xxviii, 19, 540
floating point, 204, 216
focused attention, 316
formative intervention, 186
fractional contribution, 447
Fukushima accident, 572, 583, 647–649,
653, 758
function, instrumental, 179
functional
barriers, 150
block, 204, 218–219
hazard assessment, 736
safety engineering, 478
safety standard, 735
Geller, Scott E., xxviii, 677
general quality principles, 2
generational distance, 523, 532–533
genetic algorithm, 521–522, 531
vector evaluated, 522
Giddens, Anthony, 751
Gilbert, T. F., 700
goal structuring notation, xxx–xxxi,
368–369, 380, 740
good programming technique, 219
governance process, 752
graded approach to safety, 212, 215,
222–223
green chemistry, 394, 608
Grice, H. P., 327
Grote, Gudela, xxix, 20, 627
group fatality risk, 442
GSN, xxx–xxxi, 368–369, 380, 740
Gutteling, Jan, xxix, 15, 235
Habli, Ibrahim, xxix, 21, 732
Hansson, Sven Ove, xxx, 12, 15, 19, 87, 258,
593
hard defenses, 69
hardware, 204–205, 211, 216–219, 224–225,
229
harmonization, 222, 225, 458, 628
Harms-Ringdahl, Lars, xxx, 12, 63
hazard
identification, 121, 372, 454, 467, 470,
476–478, 482–483, 490, 683–684
marine, 454
operability, 18, 454, 467, 469–470, 475,
477, 480, 482–483, 486, 489–490, 543,
577
operating analysis, 467–469, 482–483,
489–490
preliminary analysis, 467–468, 475, 486,
489–490
preliminary list, 482
HAZOP, 18, 454, 467, 469–470, 475, 477,
480, 482–483, 486, 489–490, 543, 577
Heinrich, H. W., 65, 144
Heinrich model, 66
Heinrich’s Pyramid, 144
hierarchical task analysis, 469, 576
high reliability organization, 323–324, 658,
726
Holling, C. S., 26
Hollnagel, Erik, 12, 25, 174, 179, 182, 764,
772
Holmberg, Jan-Erik, xxxi, 12, 17, 42, 434,
618
Hughes, Thomas, 756
human error, 688
analysis, 706
assessment and reduction technique, 567,
570–575, 578–580
human factor, 14, 32, 747
engineering, xxxii, 4, 14, 84, 164–170,
172–173, 175–179, 181–183, 185–190,
226, 469, 560, 706
models, 752
resilience-oriented engineering, 182–183
human-machine system, 306–307
human performance, 78, 166, 284, 299, 313,
570–571, 573, 584, 586, 666
human reliability analysis, xxxiii, 19, 84,
159, 166, 300, 439, 453, 458, 565–586,
706
applications, 566
prospective, 566
retrospective, 566
human technology interaction, 469
ideal safety culture, 677
incident reporting and analysis, 683, 685
incremental safety case development, 373
indicators
efficacy of, 155
lagging, 146
individual risk, 429, 432
and fatality, 42
inductive argument, 368
industrial design, 168, 185, 204
influenza, A(H1N1), 725
information and control, 13
information technology security, 55
inherently safe design, 6, 16, 355, 386–388,
390, 393–394, 478, 560
inherent reliability, 410
inherent safety, 388, 607
sub-principles of, 16
injury
lost time frequency, 146–148
rate, recordable, 129, 146
Institute of Nuclear Power Operations, 664
instrumental function, 179
instrumentation and control, 196–202,
204–206, 209–211, 216, 218, 220–222,
227, 229
analog and digital, 204, 227
application of, 226
architecture of, 216, 218, 222, 225–226
digital, 218, 220, 228
failures of, 226
functions of, 218
platforms, 205, 215–216, 222
systems of, 14, 199, 202, 204–205, 217,
220, 224
vendors of, 216
integrated system validation, 166
integration, 209
integrity, 225, 383, 402, 450, 452–453, 717,
733–734, 740
interim safety case report, 373
internal control, 118, 120, 137
internal rate of return, 501–503
International Atomic Energy Agency, 664
interpretive work, 176–177, 183
intervention hierarchy, 694–695
Iqbal, Mohd Umair, xxxi, 16, 386
ISO 9000, 120, 333–335, 352
Katrina, Hurricane, 722, 724–725
Keinonen, Turkka, 185
Kelly, Tim, xxxi, 16, 361
Kjellén, Urban, xxxi, 13, 117
knowledge, 127, 132, 135
engineering, 752
improvement, 350
management, 13, 126
professional, 350
tacit, 127, 132
theory, 345
Kolmogorov axioms, 436
Kuhn, Thomas, 22, 754–755, 759–760
Kuutti, Kari, 168
lagging indicators, 146
latent conditions, 69
layered argument model, 741
leadership, 666
leading indicators, 146
learning
double-loop, 122, 138
spiral, 126, 132, 135
Le Coze, Jean-Christophe, xxxii, 22, 747,
772
Lewis, Clarence I., 345
lifecycle, 205, 207, 372–374, 376, 386, 389,
392–394, 486, 489, 734–736
Lindell, Bo, 600
Lisbon earthquake, 716
local circumstances, 69
logic, multi-valued, 445
Lord Cullen, 363
lost-time injury frequency rate, 146–148
lowest achievable emissions rate, 603
LTI-rate, 129–130
maintainability, 399–400, 404, 406, 514,
517, 542
field, 399
maintenance, 397–404, 516–517, 540–542,
548, 555–556, 559, 684, 747
age-based, 541
barriers, 80
clock-based, 541
condition-based, 401, 541
corrective, 210, 398, 400, 404, 409, 542,
549
efficiency of, 402
errors of, 398
failure-finding, 542
lean, 406–407
management of, 684
opportunistic, 542
optimization, 19, 540–541, 556, 559
planned, 401, 451
predictive, 210, 541
preventive, 541–543, 548
reactive, 401
risk-based, 401
supportability, 405
total productive, 17, 402
types, 402
value driven, 406
management
air-traffic, 204, 364
barrier, 69, 71, 79–82
configuration, 205, 207, 210–211, 218,
221
crisis, 711–712, 714–715, 717–720, 722,
724–726, 747
emergency, 718
industrial safety, 119
integrated risk, 2
maintenance, 684
oversight and risk tree, 78, 119, 749
predictive safety, 32–33
proactive safety, 32–33
project, 15, 133, 201, 203–204, 212, 214,
484
quality, xxvii, 13, 16, 117, 119–120,
125–126, 144, 333, 335, 349, 355, 560,
617, 629
resilience, 37–39
safety principles, 627, 648
scientific, 193, 333, 636
system factors, 78
systems engineering, 472
and systems of occupational health, 135
managing the unexpected, 22, 595, 747, 766
marine hazards, 454
Markov models, 447
Marx, Karl, 22, 754–755, 758
maximin, 276
maximum achievable control technology,
603
McRae, Carl, 770
mean time between failures, 403
mean time to failure, 403
mean time to repair, 404
mental demand, 312
mental workload, 312
metaprinciples, 5, 9
of safety, 3, 11
methodological pluralism, 5
microprocessor, 204, 224
micro theories, 720
minimum safety requirements, 475
min-max method, 524
modality, 317
spatial, 317
visual, 317
Möller, Niklas, xxxii, 279
Monte Carlo, 436
simulation, 449
MOO, 515–523, 525–527, 530, 536
motivation, extrinsic, 348
Motor Industry Reliability Association,
744
Motor Industry Software Reliability
Association, 741
Mount Etna, 277
multi-criteria analysis, 507–508
scheme, 508
multi-objective evolutionary algorithm, 516,
523, 526, 530, 536
multi-objective genetic algorithm, 522
multi-objective optimization, 515–523,
525–527, 536
classical methods of, 530
multi-state series-parallel system, 527, 530
multi-valued logic, 445
NASA, 6, 312, 572, 651–652, 655, 757–758,
771
national risk criteria, 449
National Transport Safety Board, 767
negative state, 63
net present value, 497–504, 507, 512, 559
niched Pareto genetic algorithm, 522
Nicolini, D., 178
non-probabilistic (deterministic) safety
management framework, 456
normative theories, 720
Norros, Leena, xxxii, 14, 164
nuclear
action reliability analysis, 571
domain, 67, 228
risk criteria, 449
risk indicator, 92
safety culture, 653
safety reserve, 93, 98
Obama, Barack, 753
object oriented programming, 219
occupational exposure limit, 103
occupational health and safety management
systems, 135
offshore domain, 204
O’Hara, J., 166
OHSAS (18001), 120, 126, 137
ontological diversity of the human being,
173
operating hazard analysis, 467–469,
482–483, 489–490
operating procedures, 15
operational
amplifier, 202
definition, 145
limiting conditions, 211
safety case report, 373
operationalization, 145
operations research, 436
optimization principles, 18
organizational
breakdown, 208
climate, 649
culture, 648–649, 652, 655–666
deficiencies, 663
principles and practices, 20
structures, 661
Osvalder, Anna-Lisa, xxxii, 15, 305
outcome indicators, 47
overall safety goals, 51
paradigm, 759
shifts, 749
parameter design, 344
Pareto
dominance, 518
efficiency, 443
efficiency principle, 443
optimality, 517–519
Park, Jinkyun, xxxiii, 15, 284
payback period, 503
people, actively caring for, 680
performance improvement potential, 700
personal
protective equipment, 691, 695
risks, 641
safety, 146, 638–639
physical demand, 312
PID-controller, 202
Peirce, Charles Sanders, 176
Piper Alpha disaster, 32, 120, 145, 361, 363,
398, 410, 494, 647, 761
Plan-Do-Check-Act cycle, 119
Podofillini, Luca, xxxiii, 19, 565
potential failure interval, 405
precautionary principle, 15, 258–266, 271,
273, 275–276, 544, 618
argumentative version, 263
prescriptive version, 263
precursor events, 148
preliminary
aircraft safety assessment, 736
hazard analysis, 467–468, 475, 486,
489–490
hazard list, 482
safety case report, 373
system safety assessment, 736
prescriptive safety cases, 379
principles
of accident prevention and mitigation, 47
of applying detailed step-by-step
instructions, 8
of assurance safety, 737
of automation, 8
of behavior-based safety, 21
of diversified safety systems, 8
of ensurance, 158
of expected utility, 274, 441
of expected value, 441
of experience feedback, 4
of general quality, 2
of human factors engineering, 14
metaprinciples, 3, 5, 9, 11
of optimization, 18
of Pareto efficiency, 443
precautionary, 15, 258–266, 271, 273,
275–276, 544, 617
of qualitative risk analysis, 464–465
of quality, 333–334
of rams optimization, 514
of reducing consequences, 47
of redundancy, 45
of safety, 7
of safety management, 627, 648
of simplicity in designs, 8
of simplification, 410
of striving for oversight and simplicity,
8
of substitution, 2, 19, 593–594, 609,
611–612, 614–618
of successive barriers, 46
prioritization, 4
proactive behavior, 320
proactive safety management, 32–33
probabilistic
risk analysis, 435, 452
risk assessment, 419, 453, 455, 543
safety assessment, 435, 452, 566,
568–569, 571–573, 580–583, 585
safety criteria, 436
probability
branch, 446
categories, 443
consequence matrix, 470, 487
estimates, 438
sequence, 446
subjective, 436
procedures
event-based (or event-oriented), 292
symptom-based (or symptom-oriented),
292
process safety, 146, 638–639, 668
culture of, 669
product
breakdown, 208
safety culture, 669
productive safety, 34
programming
good technique, 219
object oriented, 219
project management, 15, 133, 201, 203–204,
212, 214, 484
protection
layers, 70
motivation theory, 247
protective safety, 34
psychological function, 179
qualitative
analysis, 575
approach, 476
properties, 466
requirements, 452
risk analysis, 435, 463–467, 491, 706
risk analysis methods, 464
risk analysis principles, 464–465
risk assessment, 476, 489
risk identification, 491
quality
management, xxvii, 13, 16, 117, 119–120,
125–126, 144, 333, 335, 349, 355, 560,
617, 629
principles, 333–334
values, 334
quantitative analysis, 517
of risk, 17, 144, 151, 434–435, 438–441,
443, 445, 449, 452, 454, 456, 458,
464–466, 491, 543, 706
quantitative indicators, 142
quantitative risk assessment, 144, 543
Quarantelli, Henry, 717
Rae, Andrew, xxxiii, 13, 142
railway safety, 56
rams optimization principles, 514
randomness, 440
Rasmussen, Jens, 176, 179, 184, 760,
772
rate of return, economic, 501
reactive behavior, 320
real time, 218–219, 249, 771
reasonably achievable control technology,
603
Reason, James, 761
recordable injury rate, 146
redundancy, 44–45, 49, 58–59
diverse, 45
principle of, 45
regulatory oversight, 203, 212, 215, 222
Reiman, Teemu, xxxiii, 20, 647, 772
reliability, 514
centered maintenance, 17, 353, 355,
402
characteristics of, 552
complex models, 446
constraints of, 552
engineering, 211–213
optimization of, 515
techniques of, 78
theory of, 436
reliability engineering, 211–213
renewal theory, 436
Reniers, Genserik, xxxiv, 18, 493
requirements specification, 207, 214, 219,
221, 225, 373
requisite variety, 123, 223, 308, 670,
762
resilience, 25–29, 33–34, 60, 87–88, 355
analysis grid, 31
community, 719
concept of, 12, 28, 174, 182, 718
ecological, 26
engineering, xxx, 12, 25–29, 33–34,
38–39, 120, 130, 138, 158, 353–354,
632, 747, 772
management, 37–39
performance, 29, 35
resilience engineering, xxx, 12, 25–29,
33–34, 38–39, 120, 130, 138, 158,
353–354, 632, 747, 772
reusability, 213
rhize, 436
risk, 389, 465
acceptable, 17, 435
acceptable level, 457
acceptance criteria, 51, 441, 453
achievement worth, 447
analysis, 434, 436, 349, 441, 463–467,
489
analysis, principles, 435, 463–467, 491,
706
analysis, probabilistic, 435, 452
argument, 371
assessment, 17, 58, 99, 131, 434,
463–464, 466, 380–481, 540, 543, 618,
736, 747
assessment, probabilistic, 419, 453, 455,
543
business, 565
characterization, 434, 466
communication, xxix, 15, 159, 235,
237–252, 434, 456, 726, 748
countervailing, 107
criteria, 442, 453
criteria, nuclear, 449
criteria, subsidiary, 445
critical, 454
economic, 465
estimation, 477–478, 491
evaluation, 464, 466, 477–478
group fatality, 442
identification, 464, 466–467
increase factor, 447–448
indicators, 146
individual, 429, 432
influencing factors, 557
information, 237
investment, 465
management, 2, 17, 100, 235–238, 434,
483, 540, 543–544, 618, 630
matrix, 470, 487
military, 465
models of, 148–149
perception of, 15, 237
personal, 641
political, 465
probabilistic analysis, 435, 452
probabilistic assessment, 419, 453, 455,
543
process, of governance, 752
professional analysis, 436
programming, good technique, 219
qualitative analysis, 464
quantification of, 465–465
quantitative analysis, 17, 144, 151,
434–435, 438–441, 443, 445, 449, 452,
454, 456, 458, 464–466, 491, 543,
706
quantitative assessment, 144, 543
reduction of, 477, 540
safety assessment, 435, 452, 566,
568–569, 571–573, 580–583, 585
social, 465
spatial, 426
subsidiary criteria, 445
temporal, 429
treatment of, 466
types, 494
undesirable, 484
Risk Assessment Committee, 453
risk communication, xxix, 15, 159, 235,
237–252, 434, 456, 726, 748
democratic view of, 240
technical view of, 240
risk-informed regulation, 17, 417, 419
riskometer, 432
Roberts, Steve, xxxiv, 21, 677
robustness, 60
robust portfolio modeling, 550
Rollenhagen, Carl, xxxiv, 12, 20, 63, 108,
647, 772
Rousseau, Jean-Jacques, 716
Rossi, Harald H., 600
Rudén, Christina, 618
safety assessment, 60
of aircraft, 736
of systems, 736
probabilistic, 435, 452, 566, 568–569,
571–573, 580–583, 585
reports, 367
safety automation, 14, 196–197, 201, 206,
218, 225, 228–229
roots of, 201
safety barrier, 59, 63, 68, 74–75, 83–84, 158,
223, 226, 410, 536, 747
diagrams, 77
safety case, 205, 210–211, 217–218, 221,
225, 227, 361, 364, 366–367, 371–372,
375, 377–378, 380–383
confidence of, 376
evaluation of, 375
maintenance, 374
report, 366
shelf-ware, 380
safety classification, 50–51, 54
safety climate, 649, 652, 654, 656, 663
safety communication, 683
safety constraint, 551
safety criticality, 21
safety-critical systems, 21
safety culture, 2, 20–21, 120, 138, 158, 228,
323, 641–642, 647–650, 652, 654–660,
662–664, 666–671, 677, 683–686, 706,
736, 747, 772
environmental, 669
ideal, 677
occupational, 669
predictive validity of, 662
studies of, 662
safety engineering, 107
safety factor, 87–93, 97, 100, 102–104, 107,
536
margins, 87
safety first, 641
safety function, 70–71
analysis of, 78
safety in design, 135, 137
safety indicator, 138, 142, 146, 153, 156,
158–159
safety information systems, 124–125, 138
safety integrity level, 450, 453, 733–734
safety, intrinsic, 388
safety investments, 511–512
safety justification report, 367
safety lifecycle models, 735
safety management, 20, 32, 42, 74, 118–121,
123–124, 126–128, 130, 134–135,
137–138, 458, 617, 627–630, 634,
637–638, 641–642, 648, 665, 670, 736
commercial aviation, 628
framework, non-probabilistic
(deterministic), 456
mountaineering, 628
principles of, 627, 648
proactive, 32–33
system, 31, 34, 144, 685, 772
safety margin, 94, 103, 158, 226, 536
safety metrics, 156
safety, occupational, 668
safety, operational, 284
safety, passive, 389
safety performance monitoring, 642
safety, personal, 146, 638–639
safety philosophy, 53, 188, 218, 222
safety principles, conflicts between, 7
safety reserve, 12, 87–88, 91–92, 99, 105,
226
safety risk, 465
safety standards, 21, 732, 734
procedures, 638
safety strategy, 57
safety training, 639
SARS, 722
Savioja, Paula, xxxiv, 14, 164
scenario analysis, 487
scientific management, 119, 333, 636
Second World War, 119, 144, 274, 400, 405,
436, 595, 716
self-regulation, 629, 635, 637, 639–640, 642
semantic primacy, 173
sensitivity to environment, 286, 288
sequence probabilities, 446
Shewhart, Walter A., 338
Simon, Herbert, 169
single-loop learning, 122–123
single-objective evolutionary algorithm,
526–527
single-objective genetic algorithm, 521–522,
530, 532
site acceptance tests, 210
situation awareness, 8, 80, 173, 310, 313,
315, 328, 770
Skinner, B. F., 678
Skoogh, Anders, xxxv, 17, 397
social construct, 145
social constructivism, 655, 661
sociotechnical system, 663
soft defenses, 69
software, 201–202, 204–205, 214, 216–226,
228–229
software safety, 733, 737
assurance principles, 737
so far as is reasonably practicable, 596
spatial risk, 426
spiral, of learning, 126, 132, 135
spurious behavior, 206
Srinivasan, Rajagopalan, xxxv, 16, 386
stability, 26
step information complexity, 298
step logic complexity, 298
step size complexity, 298
stressors, 314
subcultures, 649
subjective probability, 436
subsidiary criterion, 443
subsidiary risk criteria, 445
substitution principle, 2, 19, 593–594, 609,
611–616, 618
surrogate criterion, 444
sustainability, 394
sustained attention, 317
systematic human error reduction and
prediction approach, 570
system, integrated validation, 166
system life cycles, 205
system safety, 540
assessments of, 736
systems design, xxxiv, 59, 132, 202, 215,
479
systems engineering approach, 472
systems engineering management, 472
systems of systems, xxxi, 211–212
systems usability, 180–183, 188–189
tacit experience, 132
Talarico, Luca, xxxv, 18, 493
task complexity, 298–301
task scope, 298
technical support organizations, 171
technique for human error rate prediction,
569, 572–575, 577, 579, 585
technological determinism, 756, 767, 772
technology
allowed best, 606
best available, 593–594, 601–606,
615–618
best available control, 603
best practicable control, 603–604
control, 603–604
of human interaction, 469
of information security, 55
temporal risk, 429
test-operate-test-exit unit, 632
Texas City Refinery disaster, 145, 157, 495,
647–648
theorem
Bayes’, 310
Blackwell’s, 554
theories
cultural-historical activity, 178, 184
decision, 436
embryonic, 720
micro, 720
normative, 720
protection motivation, 247
renewal, 436
Three Mile Island accident, 717, 756
Tiusanen, Risto, xxxv, 18, 463
tolerability criteria, 453
tolerable hazard rate, 444, 455
total productive maintenance, 17, 402
total quality management, 144, 333–334,
355
total recordable incident rate, 147
total recordable injury frequency rate,
129
toxicity, 611
default, 276
eco-, 274–275
toxicology, 97, 102, 268
eco-, 268
traffic management, 56
Treaty on the Functioning of the European
Union, 261
Treaty of Rome, 261
TRI-rate, 129
tsunami, 750, 752
Turing machine, 223
Turner, Barry, 772
types of risk, 494
ultra-resilient systems, 633
uncertainty, 95, 106, 422, 439, 445, 455,
458, 497, 499, 552, 618, 631–633
coping with, 635, 639–641
epistemic, 96
increases, 633
maintaining, 633
minimization of, 635, 639, 642
modeling of, 440
parametric, 440
reducing, 633
user experience, 176
validation, 209
value of preventing a fatality, 542, 547, 551,
554–555, 557
value of a statistical life, 509–511
van Gelder, Pieter, xxviii, 17, 417
Vaughan, Diane, 760
verification, 209
Vicente, Kim, 179
Virilio, Paul, 751
Vision Zero, 27, 616–617
visual displays, 317–320
Voltaire, 716
von Bertalanffy, Ludwig, 349
von Wright, G. H., 172
Wahlström, Björn, xxxvi, 14, 196
Orlikowski, Wanda J., 178
warning signals, 665
way of acting, 176–177, 180
Weber, Max, 758
Weick, Karl, 760, 766
Westrum, Ron, 759
Windscale accident, 361–362
workload, 312, 314
World Association of Nuclear Operators, 664
world class, 212, 214, 696
World Trade Center, 717
World War II, 119, 144, 274, 400, 405, 436,
595, 716
Ylipää, Torbjörn, xxxvi, 17, 397
zero accident vision, 27, 616–617
zero injuries, 705
Zio, Enrico, xxxvi, 18, 514