
Page 1: Using the System Safety Methodology for ESOH in Acquisitionproceedings.ndia.org/jsem2007/Asiello.pdf · purposes of this presentation, the term mishap includes negative ESOH impacts

Using the System Safety Methodology for ESOH in Acquisition

JSEM Conference Tutorial, May 24, 2007

Patricia Huheey, ODUSD(I&E), 703-604-1846, [email protected]
David Asiello, ODUSD(I&E), 703-571-9068, [email protected]

Sherman Forbes, Karen Gill, Amanda Stokes, and Mike Parulis


Outline

• Overview of ESOH in Acquisition
• ESOH Terminology
• Eight Mandatory Steps of the System Safety Process (MIL-STD-882D)
• Risk Assessment
• System Safety Order of Precedence
• Typical ESOH Efforts
• Summary


Environment, Safety, and Occupational Health (ESOH)
The term ESOH refers to all of the individual, but interrelated, disciplines that encompass environment, safety, and occupational health.

System Safety
System safety is the application of engineering and management principles, criteria, and techniques to achieve acceptable risk, within the constraints of operational effectiveness and suitability, schedule, and cost, throughout the system life cycle.

DoD policy requires that the system safety methodology (defined in MIL-STD-882D) be used across the ESOH disciplines to identify hazards and mitigate risks through the systems engineering process. Note that a mitigation measure optimized for only one of the disciplines can create hazards in the others. Therefore, hazard assessments should cover all three ESOH disciplines as well as the other systems engineering disciplines.


DoD is committed to protecting private and public personnel from death, injury, or occupational illness; defense systems and infrastructure from accidental destruction or damage and environmental impacts; and public property while executing its mission.

DoD policy requires the PM to eliminate ESOH hazards where possible, and minimize ESOH risks throughout the system’s life cycle to an acceptable level.

In order to provide a standardized approach for ESOH risk management, DoD policy requires the use of MIL-STD-882D. This approach supports the warfighter by enabling safe and sustainable training, operations, and combat readiness.


Why Implement ESOH Risk Management?

• Protects military and civilian personnel by reducing hazards/risk to personnel and equipment
• Reduces accidents proactively
• Improves warfighting capability and combat readiness
• Reduces total ownership cost
• Lowers the risk of environmental damage and liabilities
• Prioritizes hazards for corrective action
• Reduces need for system retrofits


Acquisition ESOH Policy

DoDI 5000.2, Operation of the Defense Acquisition System, May 2003, requires Program Managers (PMs) to:

E.3.T1/E.7.1.6:
• Document hazardous materials used in the system and plan for the system’s demilitarization and disposal
• Provide a Programmatic Environment, Safety, and Occupational Health Evaluation (PESHE):
  o Required at Program Initiation for Ships, Milestones B & C, and Full-Rate Production Decision Review
  o Includes: ESOH risks, the strategy for integrating ESOH into SE, ESOH roles and responsibilities, the method for tracking hazard progress, and the NEPA/EO 12114 Compliance Schedule
• Summarize the PESHE in the Acquisition Strategy

E5:
• Ensure the T&E Strategy assesses and ensures safety
• Provide safety releases to developmental and operational testers prior to any test using personnel
• Ensure T&E planning considers environmental impacts/NEPA implications


Acquisition ESOH Policy, Cont.

USD (AT&L) Defense Acquisition System Safety memorandum of 23 Sep 04
• PMs must integrate system safety risk management into their overall systems engineering and risk management processes
• PMs use MIL-STD-882D in all developmental and sustaining engineering activities
• PMs ensure the DoD 5000.2 requirement to integrate the ESOH risk management strategy into the systems engineering process is incorporated into the Systems Engineering Plan (SEP)
• PMs identify ESOH hazards, assess the risks, mitigate the risks to acceptable levels, and then report on the status of residual risk acceptance decisions at technical reviews and at the appropriate management levels in the Program Review Process

USD (AT&L) Reducing Preventable Accidents memorandum of 21 Nov 06
• All Acquisition Program Reviews and fielding decisions shall address the status of each High and Serious risk using the MIL-STD-882D system safety methodology
• All Acquisition Program Reviews and fielding decisions shall address compliance with applicable safety technology requirements, e.g., insensitive munitions


Acquisition ESOH Policy, Cont.

USD (AT&L) Defense Acquisition System Safety – Environment, Safety, and Occupational Health (ESOH) Risk Acceptance memorandum of 7 Mar 07
• Prior to exposing people, equipment, or the environment to known system-related ESOH hazards, the associated risk levels, as defined in MIL-STD-882D, must be accepted by the authorities identified in DoDI 5000.2
• The user representative must be part of this process throughout the life cycle and must provide formal concurrence prior to all High and Serious risk acceptance decisions


Outline

• Overview of ESOH in Acquisition
• Terminology
• Eight Mandatory Steps of the System Safety Process (MIL-STD-882D)
• Risk Assessment
• System Safety Order of Precedence
• Typical ESOH Efforts
• Summary


System Life Cycle
The system life cycle extends from the initial Concept Refinement “pre-systems acquisition” phase through the ultimate disposal of the system. Throughout the life cycle, the Program Office team is responsible for providing and sustaining effective, affordable, safe, and timely systems to the users.

System
An integrated composite of people, products (hardware, software, firmware), and processes that provide a capability to satisfy a stated need or objective.

[Figure: Defense Acquisition Management Framework chart. Pre-Systems Acquisition: User Needs & Technology Opportunities, Concept Decision, Concept Refinement, Milestone A, Technology Development. Systems Acquisition: Milestone B, System Development & Demonstration (Critical Design Review), Milestone C, Production & Deployment (LRIP/IOT&E, FRP Decision Review, IOC). Sustainment: Operations & Support, FOC. Notes on the chart: process entry at Milestone A, B, or C; entrance criteria met before entering phase; Evolutionary Acquisition or Single Step to Full Capability.]


Systems Engineering

The overarching process that a program team applies to transition from a stated capability to an operationally effective and suitable system. SE encompasses the application of SE processes across the acquisition life cycle and is intended to be the integrating mechanism for balanced solutions addressing capability needs, design considerations and constraints, as well as limitations imposed by technology, budget, and schedule. The SE processes are applied early in concept definition, and then continuously throughout the life cycle.

Risk
A measure of the potential loss from a given hazard. Risk is a combined expression of loss severity and probability.


Hazard
Any real or potential condition that can cause injury, illness, or death; damage to or loss of a system, equipment or property; or damage to the environment.

Causal Factor
One or several mechanisms that create that hazard.

Hazard Description
A brief narrative description of a potential mishap attributable to the hazard. A hazard description contains three elements that express the threat: a source, an activity or a condition that serves as the root; the mechanism(s) (causal factor(s)), the means by which the source can bring about the harm; and an outcome (mishap), the harm itself that might be suffered. NOTE: A combination of a source and mechanism(s) may have more than one outcome, with each outcome requiring a separate hazard description and risk assessment.


Mishap
An unplanned event or series of events resulting in death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment. For the purposes of this presentation, the term mishap includes negative ESOH impacts.

Mitigation Measure
Mitigation measure refers to changes/controls made to a system to reduce ESOH risk to an acceptable level.


Environmental Aspect
A feature or characteristic of an activity, product, or service that affects or can affect the environment.

Environmental Impact
Any change to the environment wholly or partially resulting from an organization’s activities, products or services. An impact can be thought of as an “effect” or “outcome” of an environmental aspect. Environmental impacts can have a direct and decisive impact on the environment or contribute only partially or indirectly to a larger environmental change.


Terminology

System Safety (MIL-STD-882D) | Environmental (ISO 14001) | Occupational Health (OHSAS 18001)
Hazard | Aspect | Hazard
Mishap | Impact | Accident
Risk | Significance | Risk

*Adapted from NDIA SE Conference 27 Oct 05, “ISO 14001, OHSAS 18001, and MIL-STD-882D and SE” by Ken Dormer for SAF/AQRE


Outline

• Overview of ESOH in Acquisition
• ESOH Terminology
• Eight Mandatory Steps of the System Safety Process (MIL-STD-882D)
• Risk Assessment
• System Safety Order of Precedence
• Typical ESOH Efforts
• Summary


Eight System Safety Steps

MIL-STD-882D identifies the following eight mandatory steps, each of which is essential to achieve acceptable risk through a systematic engineering approach.

1. Document the system safety approach – The Program Office team documents the Government and contractors’ system safety engineering approach at the beginning of concept refinement, then updates the approach periodically throughout the system's life cycle.

2. Identify hazards – The team conducts systematic, periodic hazard analysis of ever-increasing fidelity as the system design matures.

3. Assess the risk – For each identified hazard, the team determines the associated level of risk.

4. Identify risk mitigation measures – For each identified hazard, the team proposes alternatives/controls to eliminate the hazard or reduce the risk of the hazard to an acceptable level.


Eight System Safety Steps, Cont.

5. Reduce risk to an acceptable level – For each identified hazard, the team selects the risk mitigation measure(s) that will be used to eliminate the hazard or reduce the risk to an acceptable level.

6. Verify risk reduction – For each identified hazard, the team verifies that the hazard has been eliminated or that the risk mitigation measure(s) have reduced the risk of the hazard to an acceptable level.

7. Review hazards and accept risk by appropriate authority – Once each identified hazard has been mitigated, the Program Office formally documents the acceptance of the risk by the designated management authority.

8. Track hazards, their closures, and residual risk – The team maintains a tracking system to document hazards, mitigation measures, and hazard status throughout the life cycle.


Step 1: Document the System Safety Approach

It is essential to document and integrate the Government’s and contractor’s engineering approach, to include:

• Strategy for managing ESOH risks in accordance with the system safety methodology, and for integrating it into the systems engineering process and overall program
• Defined organizational structure and lines of communication, roles and responsibilities, and ESOH tasks
• Risk Assessment and Acceptance Matrix, including definitions of severity categories and probability levels
• Closed-loop hazard tracking system throughout the system’s life cycle
• Process for communicating hazards, risk, and formal acceptance


Step 2: Identify Hazards

When identifying hazards, it is essential to use a systematic hazard analysis process throughout the system’s life cycle.

The hazard analysis process increases in fidelity as the system evolves from evaluation of various concepts to detailed subsystem designs. Hazard analysis should include use of historical hazard and mishap data and lessons learned from other systems.

To identify hazards, the Program Office team considers the following system elements:

• Hardware and software
• Operational environment/location in which the system will be used
• Intended use of the system
• Interfaces, including ancillary/support equipment and infrastructure


Step 3: Assess Risk

Once a hazard has been identified, the Program Office team defines the potential mishap that may result, and determines the risk level of each identified hazard.

The Program Office team applies the systematic risk assessment procedure to determine each identified hazard’s:

• Severity of consequence
• Probability of occurrence

The risk level reflects the hazard’s potential negative impact on personnel, facilities, equipment, operations, the public, and the environment, as well as on the system itself.


Step 4: Identify Risk Mitigation Measures

After a hazard’s risk level has been defined, the next step is to determine the alternatives/controls available to eliminate the hazard or to reduce the risk to an acceptable level.

If the hazard cannot be eliminated, the Program Office team explores and evaluates potential alternatives for reducing one or both of the following:

• Probability of the mishap occurring
• Severity of the consequences resulting from the mishap

The system safety order of precedence defines risk mitigation strategies, in order from most to least preferred.


Step 5: Reduce Risk to Acceptable Level

The Program Office team selects the mitigation approach for each hazard. The objective is to lower the risk of each hazard to a level that is acceptable.

ESOH hazard mitigation options are evaluated with other trade options throughout the system’s life cycle.

The final design optimizes system capabilities within program cost, schedule, and performance requirements, including sustainability.


Step 6: Verify Risk Reduction

Up to this point, hazards have been identified, risks assessed, and mitigation measures selected. Now, the Program Office team must:

1. Verify, validate, and document the effectiveness of the mitigation measures through one or more of the following:
• Testing
• Analysis
• Inspection

2. Mitigation measures are considered to be effective if they adequately reduce the risk to an acceptable level. If the measures are determined ineffective or do not adequately reduce the risk, identify additional mitigation measures.

3. Identify and document any new hazards that result from testing.


Step 7: Review Hazards and Accept Risk by Appropriate Authority

The PM must ensure that remaining hazards are reviewed and risks are accepted in accordance with DoD policy. Hazards remain open until mitigation measures are implemented, verified, and validated, and the risk is formally accepted.

The user representative must be part of this process throughout the life cycle and must provide formal concurrence prior to all Serious and High risk acceptance decisions. It is imperative that the Program Office and the user representative actively coordinate throughout the process, from hazard identification through risk acceptance.

Formal risk acceptance decision documentation must be maintained throughout the system’s life cycle.


Step 8: Track Hazards, Their Closures, and Residual Risk

Tracking of hazards, their closure, and residual risk is essential to the program’s success. After the system is fielded, the hazard tracking system must be maintained throughout the system’s life cycle.

All hazards that are identified remain in the hazard tracking system for the system’s life. This life cycle effort must consider any changes to the hardware/software, mishap data, changes to mission, system health data, and similar concerns.

The Program Office and user representative must maintain effective communication to identify new hazards and update risk assessments, as needed.


Outline

• Overview of ESOH in Acquisition
• ESOH Terminology
• Eight Mandatory Steps of the System Safety Process (MIL-STD-882D)
• Risk Assessment
• System Safety Order of Precedence
• Typical ESOH Efforts
• Summary


Overview of Risk Assessment

There are four steps to assess the risk of each identified hazard.

1. Severity Category: Assess the severity of the consequences of the mishap that could be caused by a specific hazard. Assign the associated severity category from the Severity Categories table in MIL-STD-882D.

2. Probability Level: Determine the likelihood (probability) of the hazard resulting in a mishap. Assign the associated probability level from the Probability Levels table in MIL-STD-882D.

3. Risk Value: Use the severity category and the probability level to assign the associated risk value from the MIL-STD-882D Risk Assessment Matrix.

4. Risk Category: Use the risk assessment value to assign the risk category.


Once a hazard has been identified, the Program Office team defines the potential mishap that may result. The criteria defined in the Severity Category table are used to assign the severity category.

Potential negative impacts on personnel, facilities, equipment, operations, the public, the environment, and the system itself are included as part of the risk assessment.

Severity Categories (MIL-STD-882D)

Category: Criteria

I, Catastrophic: Could result in death, permanent total disability, loss exceeding $1M, or irreversible severe environmental damage that violates law or regulation.

II, Critical: Could result in permanent partial disability, injuries or occupational illness that may result in hospitalization of at least three personnel, loss exceeding $200K but less than $1M, or reversible environmental damage causing a violation of law or regulation.

III, Marginal: Could result in injury or occupational illness resulting in one or more lost work day(s), loss exceeding $20K but less than $200K, or mitigatible environmental damage without violation of law or regulation where restoration activities can be accomplished.

IV, Negligible: Could result in injury or illness not resulting in a lost work day, loss exceeding $2K but less than $20K, or minimal environmental damage not violating law or regulation.


The likelihood of the occurrence of the potential mishap is determined. The Program Office team assigns the probability level based upon the causal factor of the hazard and the criteria defined in the Probability Levels table.

It is imperative to clearly define the categories of probability (including the interval or rate) to ensure consistent assessment of probability over the life of the system, for example a 12-month interval or 100,000 flight/operating hours, as appropriate to the platform.

Probability Levels (MIL-STD-882D)

Level: Criteria

A, Frequent: Likely to occur often in the life of an item, with a probability of occurrence greater than 10^-1 in that life.

B, Probable: Will occur several times in the life of an item, with a probability of occurrence less than 10^-1 but greater than 10^-2 in that life.

C, Occasional: Likely to occur some time in the life of an item, with a probability of occurrence less than 10^-2 but greater than 10^-3 in that life.

D, Remote: Unlikely but possible to occur in the life of an item, with a probability of occurrence less than 10^-3 but greater than 10^-6 in that life.

E, Improbable: So unlikely that it can be assumed occurrence may not be experienced, with a probability of occurrence less than 10^-6 in that life.


Risk Assessment and Acceptance

Once the severity category and probability level of the hazard have been assigned, the risk assessment matrix is used to determine the risk value. The risk value determines the risk category and acceptance authority.

Once the mitigation measures have been implemented and the risk verified and validated, the hazard is ready for closure. In order to close the hazard, the appropriate management level must formally accept the risk.

The risk acceptance authority for each category is defined in DoDI 5000.2, and is also included here.


Example Hazard Analysis Worksheet

Worksheet columns:

Hazard: Describe any real or potential condition that can cause injury, illness, or death to personnel; damage to or loss of a system, equipment or property; damage to the environment; or violation of law or regulation.

Hazardous Effects: Describe the unplanned event or series of events resulting in death, injury, occupational illness, damage to or loss of equipment or property, damage to the environment, or violation of law or regulation.

Causal Factors: The conditions that must occur to create the hazard.

IS (Initial Risk Severity Category): An assessment of the hazardous effects as defined in the Hazard Severity Table.

IP (Initial Risk Probability Level): The likelihood of the causal factor/mishap occurring as designed (without any risk mitigation measures).

IRV (Initial Risk Value), IRC (Initial Risk Category)

Risk Mitigation: The action or measure taken to alleviate or reduce risk. Mitigating actions can be in the form of design features, safety features, warning devices, written procedures, or training.

FS (Final Risk Severity Category): An assessment of the hazardous effects (with mitigation measures) as defined in the Hazard Severity Table.

FP (Final Risk Probability Level): The likelihood of the causal factor occurring (with risk mitigation measures).

FRV (Final Risk Value), FRC (Final Risk Category)

Status: Open/Closed


Example – Contaminated Wash Water from Nickel-Cadmium Plated Compressor Blades on T-56 Turboprop Engine

Hazard: Contaminated wash water from Ni-Cd plated compressor blades

Hazardous Effects: Cd-contaminated wash water effluent is an NPS water pollutant in violation of State law (regulation of stormwater discharge/NPDES), with potential for citations with fines, and civil and/or criminal liability for improper disposal of hazardous waste. Cd-contaminated drinking water can result in acute and chronic health effects.

Causal Factors: Leaching of Cd into the wash water/detergent effluent during engine flush operations. The compressor blades are plated with Ni-Cd as a sacrificial anode to control corrosion.

Initial risk (same for both mitigation alternatives): IS II, IP B, IRV 5, IRC High

Risk Mitigation, alternative 1: 100 percent capture mandate for engine wash water requiring all DoD facilities to capture, contain, and properly treat or dispose of wash water effluent.
Final risk: FS III, FP C, FRV 11, FRC Med
Status: Closed. This Program implemented this risk mitigation measure, verified its effectiveness in reducing the risk, and the PM accepted the FRC. However, the PM directed that during subsequent rework/upgrade of the T-56 turboprop engine an alternative risk mitigation measure must eliminate the hazard.

Risk Mitigation, alternative 2: Develop new compressor blades made of aluminum to replace the Ni-Cd plated blades. The new blade design will eliminate the possibility of Cd leaching into the wash water effluent by eliminating the use of a hazardous material.
Final risk: FS None, FP None, FRV None, FRC None (hazard eliminated)
Status: Closed. The Program verified that the new Al blade design eliminated the hazard. Thus, the PM had no residual risk to accept.
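The four risk assessment steps (severity category, probability level, risk value, risk category), the probability bands from the Probability Levels table, the worksheet columns, and the T-56 wash water rows above can be exercised end to end. The Python below is an added example written for this page; it is not code from the presentation or from any DoD program. The severity categories and probability bands are taken from the slides. The numeric risk matrix and the High/Serious/Medium/Low bands are the example tables in MIL-STD-882D Appendix A (Tables A-III and A-IV), which the slides do not reproduce and confirm only at the two cells the T-56 example uses (II/B gives 5, High; III/C gives 11, Medium). The constant-rate conversion from a mishap rate to a probability over the defined interval, the `HazardRecord` class, `close_hazard`, and the sample row values are this example's own assumptions.

```python
"""MIL-STD-882D risk assessment and a closed-loop hazard record. Added example for
this tutorial, not the presentation's code. Severity/probability bands follow slides
29-30; the risk matrix and category bands are MIL-STD-882D App. A Tables A-III/A-IV."""
import math
from dataclasses import dataclass
from enum import Enum, IntEnum
from typing import Optional

class Severity(IntEnum):
    I_CATASTROPHIC = 1
    II_CRITICAL = 2
    III_MARGINAL = 3
    IV_NEGLIGIBLE = 4

class Probability(str, Enum):
    A_FREQUENT = "A"
    B_PROBABLE = "B"
    C_OCCASIONAL = "C"
    D_REMOTE = "D"
    E_IMPROBABLE = "E"

# Lower bound of each level's band (slide 30); a value exactly on a bound takes the lower level.
_LEVEL_FLOORS = [(1e-1, Probability.A_FREQUENT), (1e-2, Probability.B_PROBABLE),
                 (1e-3, Probability.C_OCCASIONAL), (1e-6, Probability.D_REMOTE)]

def probability_level(p_in_life: float) -> Probability:
    """Probability of occurrence over the item's defined life -> level A..E."""
    if not 0.0 <= p_in_life <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for floor, level in _LEVEL_FLOORS:
        if p_in_life > floor:
            return level
    return Probability.E_IMPROBABLE

def probability_in_life(rate_per_hour: float, life_hours: float) -> float:
    # Constant-rate (Poisson) model over the chosen interval: this example's assumption.
    return 1.0 - math.exp(-rate_per_hour * life_hours)

# Risk values indexed [probability][severity] (Table A-III); slides confirm only II/B=5, III/C=11.
_RISK_MATRIX = {
    Probability.A_FREQUENT: (1, 3, 7, 13),
    Probability.B_PROBABLE: (2, 5, 9, 16),
    Probability.C_OCCASIONAL: (4, 6, 11, 18),
    Probability.D_REMOTE: (8, 10, 14, 19),
    Probability.E_IMPROBABLE: (12, 15, 17, 20),
}

def risk_value(severity: Severity, probability: Probability) -> int:
    return _RISK_MATRIX[probability][severity - 1]

def risk_category(value: int) -> str:
    """Risk value -> category band (MIL-STD-882D Table A-IV)."""
    for upper, name in ((5, "High"), (9, "Serious"), (17, "Medium"), (20, "Low")):
        if 1 <= value <= upper:
            return name
    raise ValueError(f"risk value out of range: {value}")

@dataclass
class HazardRecord:
    """One row of the hazard analysis worksheet (slide 32)."""
    hazard: str
    initial_severity: Severity
    initial_probability: Probability
    mitigation: str = ""
    final_severity: Optional[Severity] = None  # both None: hazard eliminated
    final_probability: Optional[Probability] = None
    verified: bool = False  # step 6 (verify risk reduction) complete?
    status: str = "Open"
    def initial_risk(self):
        v = risk_value(self.initial_severity, self.initial_probability)
        return v, risk_category(v)

    def final_risk(self):
        if self.final_severity is None or self.final_probability is None:
            return None, "None"  # eliminated: no residual risk to accept
        v = risk_value(self.final_severity, self.final_probability)
        return v, risk_category(v)

def close_hazard(rec: HazardRecord, user_rep_concurs: bool) -> HazardRecord:
    """Step 7: verified mitigation and formal acceptance; High/Serious need user concurrence."""
    if not rec.verified:
        raise ValueError("mitigation not verified (step 6); hazard stays open")
    _, category = rec.final_risk()
    if category in ("High", "Serious") and not user_rep_concurs:
        raise ValueError("user representative concurrence required")
    rec.status = "Closed"
    return rec

def t56_wash_water_example() -> HazardRecord:
    """Slide 33, capture-mandate row, as constructed sample data."""
    rec = HazardRecord(
        hazard="Cd-contaminated wash water from Ni-Cd plated compressor blades",
        initial_severity=Severity.II_CRITICAL,
        initial_probability=Probability.B_PROBABLE,
        mitigation="100 percent capture and treatment of engine wash water",
        final_severity=Severity.III_MARGINAL,
        final_probability=Probability.C_OCCASIONAL,
        verified=True,
    )
    return close_hazard(rec, user_rep_concurs=True)
```

`close_hazard` enforces the two gates the tutorial describes: Step 6 verification before closure, and user representative concurrence before a High or Serious residual risk is accepted. A record whose final severity and probability are both unset is treated as eliminated, as in the aluminum-blade row, so there is no residual risk to accept and closure needs no concurrence.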


Mike Parulis, General Dynamics Electric Boat


SSGN ESOHHAZARD / IMPACT

IDENTIFICATION - CLOSURE -TRACKING PROCESS

WITH DATABASEIDENTIFY ESOH

HAZARD / IMPACT & RECOMMEND

RESOLUTION OR ACCEPTANCE

RECORD ESOH HAZARD / IMPACT AS

“OPEN”

MODIFY THE DESIGN TO RESOLVE THE ESOH HAZARD /

IMPACT

TEST TO VERIFY ESOH HAZARD /

IMPACT LEVEL OF RISK ACCEPTABILITY

PREPARE / MODIFY PROCEDURES /

TRAINING TO RESOLVE ESOH

HAZARD / IMPACT

ATTEST THAT THE MODIFIED DESIGN

RESOLVES THE ESOH HAZARD / IMPACT

ATTEST THAT THE TEST VERIFIES

DESIGN AND LEVEL OF RISK

ACCEPTABILITY

ATTEST THAT PROCEDURES /

TRAINING RESOLVE ESOH HAZARD /

IMPACT

IF PROCEDURE / TRAINING

MITIGATION, RECORD DETAILS IN “PAIL”

PERFORM ESOH HAZARD ANALYSIS

(Analyzing Activity)

ACCEPT ESOH HAZARD / IMPACT

WITHOUT MITIGATION

RECORD ESOH HAZARD / IMPACT AS

“CLOSED”

ESOH HAZARD / IMPACT IDENTIFICATION FORM

(Prepared by Analyzing Activity as part of ESOH Hazard Analysis or as hazards/impacts are otherwise

identified by other activities. Form is submitted to PMS398 for concurrence)

ESOH HAZARD / IMPACT CLOSURE FORM

ESOH HAZARD ANALYSIS REPORT

(Prepared by Analyzing Activity and submitted to PMS398)

ESOH HAZARD / IMPACT TRACKING DATABASE

(Maintained by each Analyzing Activity; reports can be accessed by

any program participant)

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

ESOH PROGRAM STATUS REPORT FOR

THE PESHEPESHE

CONCUR WITH RECOMMENDED RESOLUTION OR

ACCEPTANCE(PMS398)

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

ESOH PROGRAM STATUS REPORT TO SUPPORT WSESRBWSESRB

REVIEWS

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

INPUT ESOH PROGRAM STATUS INTO THE

PESHEPESHE

ESOH PROGRAM STATUS REPORT TO SUPPORT SSSTRPSSSTRP

REVIEWS

(Prepared by Analyzing Activity ; submitted to PMS398 for approval)

(Performed by system cognizant

activity or their agent)

Page 36

SSGN ESOH HAZARD / IMPACT TRACKING DATABASE

DATABASE OPENING SCREEN (MENU)

Page 37

HAZARD / IMPACT IDENTIFICATION FORM

1) Initial Risk Severity Category
2) Initial Risk Probability Level
3) Initial Risk Value
4) Initial Risk Category

Page 38

HAZARD / IMPACT CLOSURE FORM

5) Final Risk Severity Category
6) Final Risk Probability Level
7) Final Risk Value
8) Final Risk Category

Page 39

Example: Oil Spill

HAZARD / IMPACT IDENTIFICATION FORM

Page 40

Example: Oil Spill

1) Initial Risk Severity Category
2) Initial Risk Probability Level
3) Initial Risk Value
4) Initial Risk Category
5) Final Risk Severity Category
6) Final Risk Probability Level
7) Final Risk Value
8) Final Risk Category

Page 41

Example: Exposure to/Disposal of Asbestos - System Hazard Analysis Worksheet

Hazard: Components to be removed are identified in the parts list of various Rip Out (RO) drawings. Based on the part number description provided in the RO drawing's parts list, it has been determined that the component drawing issued to support the original design specified piece parts containing asbestos. Definitive documentation of the presence of asbestos is unavailable - the health hazard described is not certain, but it is possible.

Hazardous Effects: Asbestos is a known human carcinogen and requires special handling/disposal considerations. Violation of environmental laws or regulations may result from the improper handling/disposal of asbestos.

Causal Factors: Shipyards responsible for RO activities must be alert to the potential hazard of parts/piece parts containing asbestos. If asbestos is verified, special work procedures must be invoked for handling and disposing of the component or piece parts, and workers in contact with the asbestos must use appropriate personal protective equipment.

Initial Risk (IS / IP / IRV / IRC): II / D / 10 / Med

Risk Mitigation: Electric Boat completed an ESOH review of RO drawings as part of the life cycle hazard analysis process identified in MIL-STD-882D and the Program ESOH Master Plan. ESOH hazards/impacts encountered in the RO drawing review process have been documented in the ESOH RO Hazard Database, as discussed in the Electric Boat ESOH Program Plan, maintained by Electric Boat D411 Life Cycle Engineering. This database was forwarded on a periodic basis to cognizant personnel at the Construction shipyards. Construction shipyards have confirmed that procedures to protect workers from exposure to asbestos, including handling and disposal, are in place to ensure the proper handling/disposal of the component or piece part should the presence of asbestos be confirmed. Specific procedures to protect workers from exposure to asbestos, including handling and disposal, have been documented.

Final Risk (FS / FP / FRV / FRC): II / E / 15 / Med

Status: COMPLETE – NAVSEA Program Office has approved the Hazard Closure Form submitted by Electric Boat.

Page 42

Example: Oil Spill - System Hazard Analysis Worksheet

Hazard: Environmental damage from leak/rupture of external hydraulics system piping.

Hazardous Effects: Reversible environmental damage causing a violation of law or regulation.

Causal Factors: It is unlikely, but possible, that piping will be subjected to potential operational instances where it would be severed / ruptured, causing a release of oil to the environment.

Initial Risk (IS / IP / IRV / IRC): I / E / 15 / Med

Risk Mitigation: Proper response to the hydraulic fluid discharge will minimize environmental damage and Navy liability. The appropriate Ship System Manual (SSM) is to be updated per Manual Change Request (MCR) to include notification of the appropriate authorities and other spill response requirements (or reference to the applicable document), in the unlikely event of a casualty that results in the release of hydraulic fluid to the environment. The MCR added a paragraph in two sections (Hydraulic Ruptures subsections): "immediate action to mitigate the effects of a hydraulic rupture that results in discharge to the surrounding water (an oil spill) shall be taken IAW OPNAVINST 5090.1B and NSTM Ch 593, P2."

Final Risk (FS / FP / FRV / FRC): I / E / 15 / Med

Status: OPEN - The MCR was submitted to NAVSEA Program Office for approval via Electric Boat letter. NAVSEA Program Office review in progress. Hazard Closure Form to be submitted by Electric Boat to NAVSEA Program Office following MCR approval.

Page 43

Example: Plastics Waste Fire Risk - System Hazard Analysis Worksheet

Hazard: Stowage of plastics waste on submarines creates the potential for increased risk of a damage-causing fire due to the concentration of the plastics waste becoming fire-sustaining fuel.

Hazardous Effects: A fire involving plastics waste in the environmental space could rapidly produce temperatures that could damage cabling and electrical cabinets, both vital for ship operations. Therefore, the severity of the damage would be considered "critical". If the fire were initiated in the environmental space, it is credible in some scenarios that this critical damage would occur before the fire was detected and suppressed.

Causal Factors: The Act to Prevent Pollution from Ships (APPS) prohibits Navy submarines from disposing of plastics at sea after December 31, 2008. Compacted plastics waste will result in a concentrated stowage of combustible materials, with a high fuel load. Forced air ventilation and exhaust of the unmanned environmental space where plastics waste will be stowed will aid rapid detection and early suppression of a plastics waste fire, but will increase the potential severity of such a fire.

Initial Risk (IS / IP / IRV / IRC): II / D / 10 / Med

Risk Mitigation: No ignition source in the environmental space exists that reasonably could be considered an initiator of a stowed compressed plastics waste fire to the degree of probability that would warrant a design change. Only conservatively is it conceived that there is even a remote likelihood of fire being initiated in the stowed plastics waste. Design changes required to mitigate the severity of a plastics waste fire, such as installing closable metal lockers, installing vent dampers and detection equipment, or sprinkling systems, would have a significant design and cost impact to the Program. Depending on the design change selected, the change would reduce the probability of fire occurrence to improbable and/or the mishap severity to marginal, but the overall Hazard Risk Index (HRI) would remain in the Medium category.

Final Risk (FS / FP / FRV / FRC): II / D / 10 / Med

Status: CLOSED – A fire risk assessment report, providing the analysis of the subject potential hazard, was prepared by Electric Boat and submitted to the Program Office. No additional design changes are recommended in the stowage arrangement in the environmental space. The risk is considered acceptable by the Fire Fighting System Design/Build Team and the NAVSEA Program Office. NAVSEA Program Office has approved the Hazard Closure Form submitted by Electric Boat.

Page 44

Outline

Page 45

Risk Mitigation Measures Terminology

System Safety Order of Precedence
• Eliminate Through Design Selection/Reduction Through Design Selection
• Incorporate Safety Devices
• Provide Warning Devices
• Develop Procedures and Training

Pollution Prevention Hierarchy
• Eliminate at the Source/Prevention and Reduction
• Reuse and Recycle
• Treatment
• Disposal

Page 46

Order of Precedence

When comparing potential alternatives for eliminating the hazard or reducing the risk, the system developer should apply the MIL-STD-882D system safety order of precedence. The following are listed in order from the most to the least preferred risk mitigation measures:

Most to Least Preferred Risk Mitigation Measures

1. Eliminate hazards through design selection. If unable to eliminate an identified hazard, reduce the associated risk through design selection.

2. Incorporate safety devices. If unable to eliminate the hazard through design selection, reduce the risk using protective safety features or devices.

3. Provide warning devices. If safety devices do not adequately lower the risk of the hazard, include a detection and warning system to alert personnel to the particular hazard.

4. Develop procedures and training. Where it is impractical to eliminate hazards through design selection or to reduce associated risk to an acceptable level with safety and warning devices, incorporate special procedures and training. Procedures may include the use of personal protective equipment.

Note: For catastrophic or critical severity categories, avoid using warning, caution, or other written advisory as the only risk reduction method.
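Added example, not from the tutorial or any of the programs it describes: a small Python model of one hazard-tracking worksheet row that computes initial and final risk value/category with the MIL-STD-882D example matrix (Table A-III, whose values agree with the IRV/FRV entries on the worksheets above), applies the order-of-precedence note that a warning alone is not enough for a catastrophic or critical hazard, and reports whether the record can be closed. The field names, the Mitigation enum and the review rules are this example's own constructions; the sample records are built from the Cd wash water and plastics waste worksheets, plus one constructed counter-example.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional, Tuple

# MIL-STD-882D example mishap risk assessment values (Table A-III): severity
# row I..IV, probability column A..E; 1 is the worst risk. The worksheet
# values above (II/B=5, III/C=11, II/D=10, II/E=15) agree with this table.
RISK_VALUE = {
    "I":   {"A": 1,  "B": 2,  "C": 4,  "D": 8,  "E": 12},
    "II":  {"A": 3,  "B": 5,  "C": 6,  "D": 10, "E": 15},
    "III": {"A": 7,  "B": 9,  "C": 11, "D": 14, "E": 17},
    "IV":  {"A": 13, "B": 16, "C": 18, "D": 19, "E": 20},
}
# 882D example risk categories: 1-5 High, 6-9 Serious, 10-17 Medium, 18-20 Low.
CATEGORY_BANDS = [(5, "High"), (9, "Serious"), (17, "Medium"), (20, "Low")]


def assess(severity: str, probability: str) -> Tuple[int, str]:
    """Return (risk value, risk category) for a severity/probability pair."""
    value = RISK_VALUE[severity][probability]
    category = next(name for limit, name in CATEGORY_BANDS if value <= limit)
    return value, category


class Mitigation(IntEnum):
    """System safety order of precedence, most (1) to least (4) preferred."""
    DESIGN_SELECTION = 1
    SAFETY_DEVICE = 2
    WARNING_DEVICE = 3
    PROCEDURES_TRAINING = 4


@dataclass
class HazardRecord:
    """One worksheet row (hypothetical field names chosen for this example)."""
    hazard: str
    initial_severity: str
    initial_probability: str
    mitigations: List[Mitigation] = field(default_factory=list)
    hazard_eliminated: bool = False      # design change removed the hazard
    final_severity: Optional[str] = None
    final_probability: Optional[str] = None
    mitigation_verified: bool = False    # effectiveness verified by test/review
    accepted_by: Optional[str] = None    # e.g. "PM"; None = residual risk not accepted


def review(rec: HazardRecord) -> List[str]:
    """Return the findings that keep a record OPEN; an empty list means CLOSED."""
    findings = []
    irv, _ = assess(rec.initial_severity, rec.initial_probability)

    # Order-of-precedence note: for catastrophic (I) or critical (II) hazards,
    # a warning or written advisory must not be the only risk reduction method.
    if (rec.initial_severity in ("I", "II") and rec.mitigations
            and all(m == Mitigation.WARNING_DEVICE for m in rec.mitigations)):
        findings.append("warning/advisory is the only mitigation for a "
                        f"severity {rec.initial_severity} hazard")

    if rec.hazard_eliminated:
        # Eliminated through design selection: no residual risk to accept,
        # but the elimination itself still has to be verified.
        if not rec.mitigation_verified:
            findings.append("elimination of the hazard not verified")
        if rec.final_severity or rec.final_probability:
            findings.append("eliminated hazard must not carry a final risk")
        return findings

    # Accepting the hazard without mitigation: final risk equals initial risk.
    fs = rec.final_severity or rec.initial_severity
    fp = rec.final_probability or rec.initial_probability
    frv, frc = assess(fs, fp)
    if frv < irv:
        findings.append(f"final risk value {frv} is worse than initial {irv}")
    if rec.mitigations and not rec.mitigation_verified:
        findings.append("mitigation effectiveness not verified")
    if rec.accepted_by is None:
        findings.append(f"residual {frc} risk (value {frv}) has no recorded acceptance")
    return findings


def status(rec: HazardRecord) -> str:
    return "CLOSED" if not review(rec) else "OPEN"


# Sample records built from the worksheets above (constructed for this example).
CD_WASH_INTERIM = HazardRecord(
    "Cd-contaminated engine wash water", "II", "B",
    [Mitigation.PROCEDURES_TRAINING],      # 100 percent capture mandate
    final_severity="III", final_probability="C",
    mitigation_verified=True, accepted_by="PM")
CD_WASH_AL_BLADES = HazardRecord(
    "Cd-contaminated engine wash water", "II", "B",
    [Mitigation.DESIGN_SELECTION],         # aluminum blades replace Ni-Cd plating
    hazard_eliminated=True, mitigation_verified=True)
PLASTICS_FIRE = HazardRecord(
    "Plastics waste fire in environmental space", "II", "D",
    accepted_by="NAVSEA Program Office")   # accepted without a design change
# Constructed counter-example (not on the slides): a critical hazard with a
# placard as the only mitigation, not yet verified and not yet accepted.
PLACARD_ONLY = HazardRecord("Hypothetical critical hazard", "II", "C",
                            [Mitigation.WARNING_DEVICE],
                            final_severity="II", final_probability="D")
```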

Page 47

Eliminate hazards and reduce risk through design selection

Examples of mitigation measures to eliminate hazards/reduce the risk through design selection include:

• Eliminate:
– Selecting a non-flammable hydraulic fluid rather than a flammable one
– Replacing a hazardous material with a non-hazardous material
– Asbestos-free brake pads

• Reduce:
– Use less hazardous materials and/or hazardous processes, such as:
• IVD coating systems replacing traditional cadmium coating systems
• Use of HFC-125 vice Halon 1301 for fire suppression
• ODSs replaced with EPA substitutes
– Design of ventilation systems to evacuate toxic and/or explosive fumes and vapors (e.g., lead acid batteries, welding)
– Design system to minimize pollutants/particulate matter/emissions/noise
– Use environmentally-preferred products such as items that are recyclable or are composed of reused or recycled products
– Front and rear vehicle brakes with separate brake fluid reservoirs

Page 48

Incorporate safety/environmental devices

Examples of safety/environmental devices include:
• Automatic power shut down
• Physical separation/containment
• Water sprinkler systems activated by heat and smoke detectors
• Air pollutant emission control technologies, such as filters/scrubbers/buffers
• Industrial wastewater treatment systems
• Safety relief valve
• Automatic ground collision avoidance system for aircraft
• Vehicle air bags

Page 49

Provide warning devices

Warning devices require a user to take an action.

Examples of warning devices include:
• Fire, smoke, proximity alarms
• Carbon monoxide or heat detectors
• Annunciator panels
• High-powered laser operation warning lights
• DoT hazardous material warning placards
• NFPA hazard rating label
• Compressed gas cylinder labeling and coloring
• Leakage detection alarms
• System specific warning signs and placards

Page 50

Develop procedures and training

Examples of training and procedures used to reduce risk include:
• System training and operations manuals
• System maintenance, handling, and disposal manuals
• Hazardous materials and waste training
• Explosive Ordnance Disposal (EOD) procedures
• Hazardous communication training
• Required use of personal protective equipment, such as:
- Respirators (air purifying and supplied air)
- Gloves
- Aprons
- Hard hats
- Chemical suits
- Goggles
- Ear plugs

Page 51

Outline

Page 52

Programmatic Environment, Safety, and Occupational Health Evaluation (PESHE)

The PESHE documents the PM’s ESOH planning and effort as part of the overall systems engineering and risk management processes; summarizes the overall status of ESOH hazards and associated risks to the program/government over the life cycle of the system; and supports decision-making and program oversight processes.

The PESHE starts as a planning document. As the program matures, the PESHE documents ongoing program ESOH efforts and ESOH risks.

The PESHE includes the following:
• Strategy for integrating ESOH considerations into the systems engineering process
• Identification of ESOH responsibilities
• Identification of ESOH risks
• Method for tracking progress in the management/mitigation of ESOH hazards and associated risks in accordance with MIL-STD-882D
• NEPA/EO 12114 Compliance Schedule

Page 53

System Safety Program Plan (SSPP)

The SSPP describes in detail the tasks and activities of system safety management and system safety engineering required to support MIL-STD-882D.

The approved plan provides a formal basis of understanding between the Government and contractor on how the system safety program will be executed to meet contractual requirements, including general and specific provisions.

Elements of a SSPP include the system description, system safety organization and interfaces with systems engineering and other program elements, system safety methodology, hazard tracking, system safety tasks and associated milestones, system safety requirements and criteria, testing, and mishap investigation and reporting.

Page 54

Hazardous Materials Management Plan (HMMP)

A HMMP describes how the PM and contractor will coordinate activities required to eliminate or reduce HM in the system, system components, associated support items, and required operations and support processes.

The HMMP identifies the HM prohibited and restricted, and requires documentation of the HM used in or associated with the system (including quantities and locations of the HM).

Where HM cannot be eliminated, the HMMP requires documenting the processes to properly identify, control, and track the HM to protect human health, environment, and support end user needs. The HM management effort should be integrated with the system’s hazard tracking system and demilitarization and disposal planning.

The HMMP should meet the requirements of the National Aerospace Standard (NAS) 411.

Page 55

Regulatory Compliance Review

Regulatory compliance review includes:
• HM use and HW generation
• Safety (including explosives safety, ionizing and non-ionizing radiation)
• Human health (associated with exposure to chemical, physical, biological, and/or ergonomic hazards, etc.)
• Environmental and occupational noise
• Permits and pollutant/emissions limits
• Impacts to the natural environment (e.g., air, water, endangered species)
• Energy efficiency, electronic waste, and Green Procurement opportunities

The regulatory compliance review covers identifying and tracking regulatory compliance requirements that will or may impact the ability of the government to operate, maintain and train with the system as intended throughout the life cycle.

The regulatory compliance review is updated and tracked throughout the system’s life cycle.

The regulatory compliance review includes an evaluation of Federal, State, and local laws/statutes/regulations, Executive Orders, international agreements, and treaties.

Page 56

Regulatory Compliance Review, Cont.

Potential Laws and Regulations Applicable to an Acquisition System

• Federal Facilities Compliance Act
• National Environmental Policy Act
• Endangered Species Act
• Marine Mammal Protection Act
• Essential Fish Habitat
• Resource Conservation & Recovery Act
• National Emissions Standards for Hazardous Air Pollutants
• Superfund Amendments and Reauthorization Act
• Executive Orders (e.g., 12114, 13423)
• Clean Air Act
• Clean Water Act
• Safe Drinking Water Act
• Occupational Safety and Health Act
• International Convention for the Prevention of Marine Pollution from Ships
• Noise Abatement Act
• Federal Coastal Zone Management Act
• National Historic Preservation
• DOT regulations/requirements
• Local area-specific regulations/requirements (e.g., Air Installation Compatible Use Zone)

Page 57

System Requirements/Criteria Analysis (SRCA)

The SRCA documents the ESOH design requirements and criteria for a system during development.

The Program should initiate the SRCA during Concept Refinement and update it as each hazard analysis is conducted.

Requirements identified as a result of the hazard analyses feed back into the SRCA. The hazard analyses may validate the system’s established or derived requirements.

The SRCA provides the following:
• Centralized repository of ESOH design requirements and criteria
• Input for the systems engineering derived requirements development and allocation process

Page 58

NEPA/EO 12114 Analysis and Documentation

NEPA and EO 12114 apply to acquisition programs, and as such, the PM must:
• Conduct and document NEPA/EO 12114 analyses for which the PM is the action proponent
• Provide system-specific analyses and data to support other organizations’ NEPA and EO 12114 analyses
• Develop and maintain a compliance schedule covering all system related activities for NEPA and EO 12114

Examples of actions during the life cycle of a system that might require analysis in accordance with NEPA/EO 12114 include:
• Developmental Testing and Evaluation
• Operational Testing and Evaluation
• Live Fire Test and Evaluation
• Training
• Military Construction for an acquisition program
• System Deployment (e.g., materiel fielding, beddown, homeporting, basing)
• Relocations or Realignments
• Major System Modifications
• Demilitarization and Disposal

Page 59

Preliminary Hazard List (PHL)

The PHL reports the results of the initial identification of hazards in a system.

The PHL is initiated during Concept Refinement and continues through Technology Development.

The PHL:
• Identifies where to focus engineering resources to develop more detailed hazard analyses
• Identifies top-level mishaps
• Provides initial ESOH criteria for trade studies

Examples of the initial PHL output include:
• Inadvertent rocket motor ignition
• Loss of flight control
• Inadvertent pyrotechnic activation
• Inadvertent warhead detonation
• Loss of flight tracking system
• Personnel exposed to:
- Hazardous materials
- Electrical power
- Radio frequency emissions
- Blast overpressure
- High pressure air
- Toxic chemicals
- Hot surfaces
• Equipment exposed to:
- High humidity
- Mechanical shock
- Excessive heat

Page 60

Preliminary Hazard Analysis (PHA)

The PHA is an expansion of the PHL into a line-item listing of identified system hazards with subjective evaluations of each hazard’s severity, probability, and risk.

Programs should initiate the PHA early during SDD.

The PHA provides an early, comprehensive initial evaluation of the system’s hazards and associated risks. The PHA will help prioritize the program’s focus for more detailed, follow-on evaluations.

Page 61

Subsystem and System Hazard Analyses (SSHA and SHA)

The SSHA builds on the PHA during SDD, and provides a detailed listing of hazards unique to each subsystem.

The SHA is initiated after the PHA and SSHA during SDD. The SHA consolidates the SSHAs and PHA.

The SSHA and SHA:
• Validate system requirements
• Recommend new/modified system requirements
• Provide baseline hazard assessments for subsequent design changes

Page 62

Health Hazard Assessment (HHA)

The HHA identifies and evaluates health hazards associated with the system, to include during operations and maintenance, and recommends mitigation measures to eliminate or reduce the associated risk to an acceptable level.

Safety factors consist of those system design characteristics that serve to minimize the potential for mishaps causing death or injury to operators and maintainers or threaten the survival and/or operation of the system.

Occupational health factors are those system design features that serve to minimize the risk of injury, acute or chronic illness, or disability; and/or reduce job performance of personnel who operate, maintain, or support the system.

Typical health hazard issues addressed in the HHA include:
• Acoustical energy
• Biological substances
• Chemical substances
• Oxygen deficiency
• Radiation energy
– Ionizing/Non-ionizing
• Shock
• Temperature extremes and humidity
• Trauma
– Physical
– Musculoskeletal
• Vibration

Page 63

Operating and Support Hazard Analysis (O&SHA)

The O&SHA identifies hazards resulting from tasks and activities involving system operations and maintenance/sustainment.

This assessment includes identification of hazards associated with the operation, maintenance, and training with the system during Operations and Support, and is initiated during SDD.

Mitigation measures may incorporate control technologies in facilities (e.g., paint booth, ventilation systems), revisions to processes/procedures to operate/maintain the system (e.g., physical barriers), and use of support equipment (e.g., bomb hoists, safety harness systems).

The O&SHA provides the basis for development of:
• Warning systems
• Safeguards
• Procedures (normal and emergency)
• Personnel protection equipment
• Warnings and caution labeling
• Training needs

Page 64

Safety Assessment Report (SAR)

The SAR provides a comprehensive evaluation of the risk at a point in time. It includes the following:
• Summary of the system safety program
• Safety risk assessment methodology and acceptance criteria
• Safety features of the hardware, software, and system design
• Listing of all significant hazards and associated recommendations or precautions required
• HM associated with the system

The SAR can be prepared at various phases in a program’s life cycle and is typically first prepared/updated during SDD for safety board reviews and system-level testing, and updated to support system fielding.

Page 65

Management/Planning, Requirements, Analysis, and Assessments

[Timeline figure; only its labels are recoverable and are listed here.]

Acquisition phases: Concept Refinement, Technology Development, System Development & Demonstration, Production & Deployment, Operations & Support (grouped as Pre-Systems Acquisition, Systems Acquisition, Sustainment). Milestones and decision points shown: Concept Decision, Milestone A, Milestone B, Milestone C, Program Initiation, Critical Design Review, LRIP/OT&E, FRP Decision Review.

ESOH management, requirements, analysis and assessment products placed along the timeline:
• System Safety Management Plan; System Safety Program Plan (PESHE/SSPP/HMMP)
• PHL and PHA
• SR/CA (Regulatory Compliance/SRCA)
• SSHA, SHA, O&SHA, HHA
• Design Change Reviews & Analyses
• Hazard Tracking Database / Hazard Tracking System
• MIL-STD-2105B / MIL-S-901
• Safety Assessment Reports
• NEPA/EO 12114 Analysis and Documentation

Page 66

Outline

Page 67

Summary

Learning Goals:
• Use the prescribed eight mandatory steps in MIL-STD-882D to eliminate ESOH hazards where possible, and minimize ESOH risks.
– Process occurs continuously throughout the life of the system
– Recognize the application of the risk assessment matrix and the role of the risk acceptance authority
• Use the system safety order of precedence in developing mitigating measures to either eliminate ESOH hazards or minimize ESOH risks.
• Recognize typical ESOH tasks.

Applying the system safety methodology early and throughout the design process enables safe, sustainable training and operations.

Page 68

Points of Contact

Patricia Huheey, ODUSD(I&E), 703-604-1846, [email protected]
David Asiello, ODUSD(I&E), 703-571-9068, [email protected]
Sherman Forbes, SAF/AQRE, 703-588-7839, [email protected]
Karen Gill, Booz Allen Hamilton, 703-412-7436, [email protected]
Amanda Stokes, Booz Allen Hamilton, 703-412-7835, [email protected]
Mike Parulis, General Dynamics Electric Boat, 860-443-6261, [email protected]