Reliability Engineering and System Safety 93 (2008) 776–783

Principles of engineering safety: Risk and uncertainty reduction

Niklas Möller, Sven Ove Hansson
Department of Philosophy and the History of Technology, Royal Institute of Technology, Teknikringen 78B, 100 44 Stockholm, Sweden

Received 29 December 2005; received in revised form 11 January 2007; accepted 20 March 2007. Available online 30 March 2007.
doi:10.1016/j.ress.2007.03.031. Corresponding author: Tel. +46 8 790 80 20; fax +46 8 790 95 17; e-mail niklas.moller@infra.kth.se (N. Möller).

Abstract

This article provides a systematised account of safety engineering practices that clarifies their relation to the goal of safety engineering, namely to increase safety. We list 24 principles referred to in the literature of safety engineering, dividing them into four major categories: Inherently safe design, Safety reserves, Safe fail and Procedural safeguards. It emerges from this systematisation that important aspects of these methods can be better understood with the help of the distinction between risk and uncertainty.
© 2007 Elsevier Ltd. All rights reserved.

Keywords: Safety; Risk; Uncertainty; Probabilistic risk analysis; Safety engineering; Probabilistic safety analysis; Inherently safe design; Safety factors; Safe fail

1. Introduction

Safety is a concern in virtually all engineering processes and systems. In engineering practice there are many principles and methods recommended to the engineer as means to ensure safety. Even though these principles are of paramount importance in the field, there is a lack of general accounts of safety principles. The treatment in the literature is normally piecemeal, often focusing only on a specific field of engineering. In this article we aim to provide a general categorisation of safety principles. Based on a list of 24 principles referred to in the literature of safety engineering, we will construct four general principles under which they are categorised, representing different approaches to safety engineering. In addition, we will show how these principles can be understood against the background of decision-theoretical distinctions that are made in risk assessment and risk analysis. In Section 2 and Appendix A the 24 safety principles and the four overarching principles are introduced. After a brief presentation of risk assessment terminology in Section 3, the different classes of safety principles are discussed in some detail in Sections 4–6, and our general conclusions are summarised in Section 7.

2. Principles and methods for engineering safety

Although there are many specific treatments of safety considerations in the field of safety engineering, we are not aware of any fully general account. The most common approach in the literature is to list a number of different principles and practices on different levels, without the pretence of giving a general account, e.g. [1–3]. In the table in Appendix A we have identified a large number of such principles and methods recommended in the engineering literature, broadly construed. As can easily be seen, the principles are on different levels of abstraction, and many are very closely related.

Attempts at generalised accounts of safety measures are naturally abstract in their taxonomy. An example is Koivisto [4, p. 18], who divides safety considerations into three different types: (1) adherence to good practice, (2) safety analysis and (3) inherently safe design. Bahr [5], based on NASA [6], suggests a more substantial taxonomy and puts forward a stronger claim, categorising hazard reduction into the following ordering of importance:

1. Designing out the hazard
2. Safety devices
3. Warning devices
4. Special procedures and training

Firstly, Bahr writes, we should "design out the hazard from the system" (p. 14). If that is not possible, we should control the hazard using various fail-safe devices, e.g. pressure valves relieving the system of dangerous pressure build-up (p. 15). When designing out or controlling is not an option, warning devices (e.g. smoke alarm) and procedures (e.g. emergency shutdown) and training should be used (pp. 16–7) [7].

We have divided the principles listed in Appendix A into four categories, or covering principles:

(1) Inherently safe design. A recommended first step in safety engineering is to minimise the inherent dangers in the process as far as possible. This means that potential hazards are excluded rather than just enclosed or otherwise coped with. Hence, dangerous substances or reactions are replaced by less dangerous ones, and this is preferred to using the dangerous substances in an encapsulated process. Fireproof materials are used instead of inflammable ones, and this is considered superior to using inflammable materials but keeping temperatures low. For similar reasons, performing a reaction at low temperature and pressure is considered superior to performing it at high temperature and pressure in a vessel constructed for these conditions.

(2) Safety reserves. Constructions should be strong enough to resist loads and disturbances exceeding those that are intended. A common way to obtain such safety reserves is to employ explicitly chosen numerical safety factors. Hence, if a safety factor of 2 is employed when building a bridge, then the bridge is calculated to resist twice the maximal load for which it is intended.

(3) Safe fail. There are many ways a complex system may fail. The principle of safe fail means that the system should fail safely: either internal components may fail without the system as a whole failing, or the system fails without causing harm. One common example is fail-silence mechanisms: fail-silence (also called negative feedback) mechanisms are introduced to achieve self-shutdown in case of device failure or when the operator loses control. A classical example is the dead man's handle that stops the train when the driver falls asleep. One of the most important safety measures in the nuclear industry is to ensure that reactors close down automatically in critical situations.

(4) Procedural safeguards. There are several procedures and control mechanisms for enhancing safety, ranging from general safety standards and quality assurance to training and behaviour control of the staff. Procedural safeguards are especially important in identifying new potential harms (audits, job studies) and in controlling employee behaviour that cannot be designed out of the process (warnings, training). One example of such procedural safeguards is regulation requiring vehicle operators to have ample time between periods of actual driving in order to prevent fatigue. Frequent training and check-ups of staff is another. Procedural safeguards are important as a "soft" supplement to "hard" engineering methods.

The covering principles represent different ways of achieving safety. In practice, several of these covering principles are used simultaneously, and some of the principles listed in the Appendix may be categorised under more than one of the covering principles. Furthermore, there is a common denominator that we will focus on in the sections below: the aim of reducing not only the risk but also the epistemic uncertainty involved.

3. Probabilistic risk analysis and decision theory

Before discussing the above-mentioned principles in more detail, they should be put in a broader context. Safety engineering consists not only of principles for achieving safety but also of other practices, in particular evaluative practices with which risks are assessed and the effects of safety measures are evaluated. Safety engineering principles can only be understood against the background of these practices. Contemporary risk and safety assessment is dominated by quantitative probabilistic methodology. Methods such as probabilistic risk analysis (PRA) and probabilistic safety analysis (PSA) are frequently employed (cf. e.g. [7,8] and, for a recent overview, [9]). Quantitative risk and safety analysis aims at measuring the risk of a system in this sense of risk, and the aim of engineering safety is then to minimise it, thus reaching the best possible safety. Here, risk is interpreted in terms of the possible adverse consequences and their probabilities: the larger the probability of a hazardous event, and the more severe this event is, the larger the risk at hand. The expected value, i.e. the product of the probability and a measure of the severity of the consequences, is normally used as a measure of the risk (e.g. [10; 11, p. 3; 12]). Conceptualising safety as the inverse of risk is frequently found in the literature. Misumi and Sato [14, pp. 135–44] write: "[R]isks are defined as the combination of the probability of occurrence of hazardous event and the severity of the consequence. Safety is achieved by reducing a risk to a tolerable level" (cf. also [13, pp. 3–4; 5, p. I-5; 15, pp. 8–9]).

This probabilistic understanding of risk and safety has a substantial justification in the Bayesian framework [15]. In Bayesian decision theory, probability, in combination with a notion of utility, is conceived of as representing all aspects of a decision-maker's lack of knowledge [16–19]. On a Bayesian construal, all rational decisions are fully representable with precise probabilities, since the rational decision-maker always, at least implicitly, assigns a probability value to each potential outcome. Faced with new information, the agent may change her probability assessment in accordance with Bayes' theorem, but she always assigns determinable probabilities to all states of affairs. Thus, in the Bayesian view, all uncertainty about what will happen is codified in the probability assessment for the outcome in hand. A recent case for a basically Bayesian approach to risk analysis is found in Aven [20], who uses "probability and probability calculus as the sole means for expressing uncertainty" (p. xii).

In contrast to the Bayesian approach there is also what is called the classical view in decision theory, in which a basic distinction is made between situations with known probabilities and situations where probabilities are unknown or only partially known, a distinction going back to Knight [21, p. 20]. Proponents of the classical view have pointed out that there is a large difference between situations with well-determined probabilities, such as coin tossing, and less well-determined situations, such as assigning probabilities to whether a major accident will happen in a complex plant. In the latter case there is epistemic uncertainty that, according to these authors, may not be reducible to a unique probability value in a rational way. Although there is as yet no consensus as to what is the best measure, there has been a significant amount of work trying to specify the notion (cf. Möller et al. [22, Section 4] for an overview of the standard suggestions). Considerations such as these have led many contemporary theorists, also of Bayesian bent, to argue for the inclusion of non-probabilistic epistemic uncertainty in the analysis [23–28]. According to this view, the identification of safety with risk reduction may be simplistic, and safety should instead be seen as concerning the reduction of both risk and uncertainty.¹

¹ We refer here to standard procedures in risk analysis, in which the probability measures have not been extended to cover all the aspects that should be included according to a comprehensive Bayesian approach.

4. Inherently safe design

We will now discuss three of the four covering principles of safety engineering listed above: inherently safe design, safety reserves and safe fail. There are three main reasons for focusing on these three covering principles. First, they represent three different perspectives on safe design: removal of the hazards to prevent failure, overdimensioning of the structure to prevent failure, or designing for failure not to be total failure. Secondly, they are, if not necessarily so then at least in practice, "hard" principles, focusing on technical solutions to safety problems, and thus most relevant for an analysis in terms of engineering. The methods of category 4, procedural safeguards, focus primarily on human action, such as safeguards, training of staff, audits, behaviour control etc. Thirdly, most of the specific principles listed in the appendix may be categorised under these three covering principles. This is especially so in the case of safe fail: more than a third of the listed principles can be categorised as applications of this principle.

Inherently safe design is arguably the most basic way of achieving safety. If flammable substances are used in the system process, taking away such substances also takes away the potential for disaster. Inherently safe design thus refers to the practice of excluding the potential hazard entirely, instead of controlling it. In practice, there are many forces working against the realisation of inherently safe design. For reasons of efficiency and cost-effectiveness, production plants, transport systems and other human designs have strived to control hazards rather than excluding them altogether. Furthermore, the dangerous element is often a fundamental part of the system, either as the very substance motivating the system (e.g. nuclear power plants) or as in other ways necessary for the system (e.g. fuel in various transport systems). Focusing on the principle of inherently safe design, however, has been a way of questioning the necessity of many of these arrangements. For example, even if gaseous nitrogen is needed for a process step, the nitrogen bottles do not have to be located in the operators' work area but can be moved outside, thus reducing the risk of asphyxiation [5, pp. 14–5]. Often it is possible to replace a hazardous substance with another, less hazardous one that can do the job. Well-known examples include using helium instead of hydrogen in balloons, and reducing pesticide use by changing agricultural technologies.

In the context of processing plants, Kletz [29] has suggested five main principles, and several additional ones, for inherently safe(r) design: intensification, substitution, attenuation, limitation of effects and simplification. Above we have given examples of intensification (availability of nitrogen only in the necessary process step, not stored in the proximity of workers) as well as substitution (hydrogen replaced by helium) and limitation of effects (pesticide). Attenuation refers to the method of attenuating substances to make them less flammable or toxic. A more general principle includes avoidance of all types of hazardous concentrations, such as accumulation of energy and storage of large quantities of hazardous substances in one place [30, p. 174]. An example of simplification is the method of making incorrect assembly of a system part impossible, for example by making asymmetric parts [2, pp. 108–9]. Instead of training the staff to avoid incorrect assembly, failure is simply made practically impossible.

The principle of inherently safe design aims at eliminating the sources of harm. The natural interpretation of such a method is that we ensure that the harmful event will not take place: if we remove the flammable substance, fire will not occur. Naturally, we may say that the probability of a harmful consequence is reduced. However, in most cases of inherently safe design we are dealing with issues that are hard to give a probabilistic treatment. Arguably, in line with the Bayesian approach to probability, it is always possible to assign exact probability values. Still, the very kinds of situations referred to in Section 3, motivating the inclusion of an account of epistemic uncertainty, are present in applications of the principle of inherently safe design. Inherently safe design is best viewed as a method for protection against the unforeseen: it is not mainly the worker at the assembly line, putting together the same parts a hundred times a day, who is in need of asymmetric parts impossible to assemble incorrectly, but the passenger in a burning lower-deck compartment trying to assemble the fire extinguisher. Naturally, the worker at the assembly line also needs help not to make mistakes, primarily in the cases where she is tired, ill or absent-minded, i.e. the cases hardest to treat probabilistically. The principle of inherently safe design is a way to decrease the uncertainty about whether harmful events will take place. The soundness of the principle, even when meaningful probability estimates are difficult or impossible to obtain, can be seen as an application of the understanding of safety as uncertainty reduction as well as risk reduction.

5. Safety reserves

Humans have presumably made use of safety reserves since the origin of our species. They have added extra strength to their houses, tools and other constructions in order to be on the safe side. However, the use of numerical factors for dimensioning safety reserves seems to be of relatively recent origin, probably the latter half of the 19th century. The earliest usage of the term recorded in the Oxford English Dictionary is from W.J.M. Rankine's book A manual of applied mechanics from 1858. In the 1860s the German railroad engineer A. Wöhler recommended a factor of 2 for tension [31]. The use of safety factors has been well established for a long time in structural mechanics and its many applications in different engineering disciplines. Elaborate systems of safety factors have been developed and specified in norms and standards. A safety factor is typically specified to protect against a particular integrity-threatening mechanism, and different safety factors can be used against different such mechanisms. Hence, one safety factor may be required for resistance to plastic deformation and another for fatigue resistance. As already indicated, a safety factor is most commonly expressed as the ratio between a measure of the maximal load not leading to the specified type of failure and a corresponding measure of the applied load.
In some cases it may instead be expressed as the ratio betwee
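The safety-factor ratio of Sections 2 and 5 and the risk-versus-uncertainty distinction of Section 3, worked through as an added example that is not part of the paper: the design options, their probability intervals and severities are constructed numbers, and using the interval midpoint as the point estimate is an assumption of this example, not a convention the paper states.

```python
# Added example, not from the paper. It makes two of the paper's quantities concrete:
# the numerical safety factor (Sections 2 and 5) and the expected-value risk measure
# of Section 3 beside an interval of probabilities for the case where the probability
# is only partially known (the "classical" view). All numbers are constructed.
from dataclasses import dataclass
from typing import Optional


def safety_factor(capacity: float, applied_load: float) -> float:
    """Ratio between the maximal load not leading to failure and the applied load."""
    if applied_load <= 0:
        raise ValueError("applied load must be positive")
    return capacity / applied_load


def required_capacity(design_load: float, factor: float) -> float:
    """Load the construction is calculated to resist: factor 2 gives twice the design load."""
    return design_load * factor


@dataclass(frozen=True)
class Hazard:
    """Hazardous event whose probability is known only to lie in [p_low, p_high]."""
    name: str
    p_low: float
    p_high: float
    severity: float  # numeric measure of the consequences

    def expected_risk(self, p: Optional[float] = None) -> float:
        """Risk as expected value; the interval midpoint stands in for a point estimate."""
        if p is None:
            p = (self.p_low + self.p_high) / 2
        return p * self.severity

    def risk_interval(self) -> tuple:
        """Bounds on the risk when only an interval of probabilities is defensible."""
        return (self.p_low * self.severity, self.p_high * self.severity)

    def uncertainty(self) -> float:
        """Width of the risk interval, which removing the hazard drives to zero."""
        low, high = self.risk_interval()
        return high - low


def rank_by_expected_risk(hazards):
    """Ordering (lowest first) that a pure risk-reduction view gives."""
    return [h.name for h in sorted(hazards, key=lambda h: h.expected_risk())]


def rank_by_worst_case(hazards):
    """Ordering by upper risk bound, which also penalises epistemic uncertainty."""
    return [h.name for h in sorted(hazards, key=lambda h: h.risk_interval()[1])]


# Constructed options for the balloon example of Section 4, plus a component whose
# failure probability is well determined (narrow interval) from long test series.
DESIGNS = [
    Hazard("hydrogen, encapsulated", p_low=1e-6, p_high=8e-3, severity=10.0),
    Hazard("helium substituted", p_low=0.0, p_high=0.0, severity=10.0),
    Hazard("well-tested component", p_low=4.5e-3, p_high=5.5e-3, severity=10.0),
]
```

With these numbers the expected-value ranking prefers the encapsulated hydrogen option to the well-tested component, while the worst-case ranking reverses them; only the substitution scores zero on both, which is the sense in which inherently safe design reduces uncertainty and not just risk.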