CHAPTER 8
Workplace and Systems Safety

KEY POINTS

- Accidents result from a sequence of events with multiple causes.
- Examine accidents by using job safety analysis.
- Detail the accident sequence or system failure by using the fault tree analysis.
- Increase system reliability by adding backups and increasing component reliability.
- Consider trade-offs of various corrective actions by using cost-benefit analysis.
- Be familiar with OSHA safety requirements.
- Control hazards by
  - Eliminating them completely, if possible
  - Limiting the energy levels involved
  - Using isolation, barriers, and interlocks
  - Designing fail-safe equipment and systems
  - Minimizing failures through increased reliability, safety factors, and monitoring

Workplace safety is an extension of the concept of providing a good, safe, comfortable working environment for the operator, as discussed in Chapter 7. The primary goal here is not to increase production through more efficient working conditions or improved worker morale, but specifically to decrease the number of accidents, which potentially lead to injuries and loss of property. Traditionally, of foremost concern to the employer have been compliance with existing state and federal safety regulations and avoidance of a safety inspection by federal compliance officers (such as OSHA) with commensurate citations, fines, and penalties. However, more recently, the bigger driving force for implementing safety has been the escalating medical costs. Therefore, it only makes sense to implement a thorough safety program to reduce overall costs. Key issues
of OSHA safety legislation and workers' compensation are introduced in this chapter, along with general theories for accident prevention and hazard control. However, details for correcting specific hazards are not addressed here, as there are numerous traditional textbooks on safety that cover these details (Asfahl, 2004; Banerjee, 2003; Goetsch, 2005; Hammer and Price, 2001; National Safety Council, 2000). These books will also address the setup and maintenance of safety management organizations and programs.

8.1 BASIC PHILOSOPHIES OF ACCIDENT CAUSATION AND PREVENTION

Accident prevention is the tactical, sometimes relatively short-term, approach to controlling workers, materials, tools and equipment, and the workplace for the purpose of reducing or preventing the occurrence of accidents. This is in contrast to safety management, which is a relatively long-term strategic approach for the overall planning, education, and training of such activities. A good accident prevention process (see Figure 8.1) is an orderly approach very similar to the methods engineering program introduced in Chapter 2. The first step in the accident prevention process is the identification of the problem in a clear and logical form. Once the problem is identified, the safety engineer then needs to collect data and analyze them so as to understand the causation of the accident and identify possible remedies to prevent it or, if not completely prevent it, at least to reduce the effects or severity of the accident. In many cases, there may be several solutions, and the safety engineer will need to select one of these solutions. Then the remedy will have to be implemented and monitored to ensure that it is truly effective. If it is not effective, the engineer may need to repeat this process and attempt another, perhaps better remedy. This monitoring effectively closes the feedback cycle and ensures a continuous improvement process for accident prevention.
Figure 8.1 Accident prevention process (a cycle of Identify Problem, Collect Data, Analyze Data, Select Remedy, Implement Remedy, Monitor Results). (Adapted from: Heinrich, Petersen, and Roos, 1980)

DOMINO THEORY

In identifying the problem, it is important to understand some of the theories of accident causation and the sequence of steps in an accident itself. One such
theory is the domino theory, developed by Heinrich, Petersen, and Roos (1980) based on a series of theorems developed in the 1920s which formed the individual dominos (see Figure 8.2):

1. Industrial injuries (or loss of damages) result from accidents, which involve contact with an energy source and the consequent release of that energy.
2. Accidents are the result of immediate causes such as
   a. Unsafe acts by people
   b. Unsafe conditions in the workplace
3. The immediate causes result from more basic causes:
   a. The unsafe acts from personal factors such as lack of knowledge, skill, or simply the lack of motivation or care
   b. The unsafe conditions due to job factors, such as inadequate work standards, wear and tear, poor working conditions, due to either the environment or lack of maintenance
4. The basic causes result from an overall lack of control or proper management. This domino (the first in the sequence) is essentially the lack of a properly implemented or maintained safety program, which should include elements to properly identify and measure job activities, establish proper standards for those jobs, measure worker performance on those jobs, and correct worker performance as needed.

Figure 8.2 The domino theory of an accident sequence (dominos in order: Lack of Control, Basic Causes, Immediate Causes, Accident, Injury). (Adapted from: Heinrich, Petersen, and Roos, 1980)

Heinrich, Petersen, and Roos (1980) further postulated that the injury is simply the natural consequence of the previous events having taken place, similar to dominos falling in a chain reaction. As a proactive preventive measure, one could simply remove one of the previous dominos, thereby preventing the rest from falling and stopping the sequence prior to injury. They also emphasized that it was important to try to remove a domino as far upstream as possible, that is, to implement the corrective procedure as early as possible, at the root causes.
The implication is that if effort is put into only preventing the injury, similar accidents will still occur in the future with potential for property damage and other types of injuries. As an adaptation of the domino theory, Heinrich, Petersen, and Roos (1980) also emphasized the concept of multiple causation; that is, behind each accident
or injury there may be numerous contributing factors, causes, and conditions. These combine in a rather random fashion, such that it might be difficult to identify which, if any, of the factors was the major cause. Therefore, rather than try to find just one major cause, it would be best to try to identify and control as many causes as possible, so as to get the biggest overall effect on controlling or preventing the accident sequence. As an example, among unsafe acts caused by the human, which Heinrich, Petersen, and Roos (1980) claim amount to 88% of all accidents, there could be (1) horseplay, (2) operating equipment improperly, (3) intoxication or drugs, (4) purposefully negating safety devices, or (5) not stopping a machine before cleaning or removing a stuck piece. Among unsafe conditions, which amount to 10% of all accidents (the remaining 2% are unpreventable "acts of God"), there could be (1) inadequate guards, (2) defective tools or equipment, (3) poorly designed machines or workplaces, (4) inadequate lighting, or (5) inadequate ventilation.

Figure 8.3 demonstrates the effects of various corrective actions taken along the domino sequence as well as multiple causation for a scenario in which sparks created by a grinder could ignite solvent fumes and cause an explosion and fire, with resulting burns to the operator. The injury is defined by burns to the operator. The accident leading to the injury is an explosion and fire. The sequence could be stopped by having the operator wear a fire-protective suit. The accident still happens, but a severe injury is avoided. Obviously, this is not the best control method as fire still could occur with other consequences to property.
Figure 8.3 A domino sequence for a grinder spark igniting a fire. Dominos: Lack of Control (1: Solvent stored at grinder, 2: Poor identification of work activities); Basic Causes (1: Less volatile solvent, 2: Grinder creates sparks); Immediate Causes (Sparks ignite fumes); Accident (Explosion/fire); Injury (Burns). Corrective actions shown: 1: Separate gas, grinder, 2: Better inspection; 1: Increase ventilation, 2: Grinder material; 1: Use spark arrester, 2: Less concentrated fumes; Fire protective suit.

Moving one domino backward, the fire was caused by sparks from the grinder igniting
volatile fumes in the grinding area. The sequence could be stopped at this stage by using a spark arrester or decreasing the concentration of the fumes through better ventilation. This still is a risky control measure as the spark arrester may not stop all sparks, and the ventilator may fail or slow during power brownouts. Moving backward another domino, more basic causes could include a couple of different factors (note the multiple causation) such as having such a volatile solvent and the fact that the grinder wheel acting on the casting creates sparks. The sequence could be stopped here by having a less volatile solvent or by installing a softer grinding wheel made of a different material that would not create sparks. Again these might not be the most effective control measures, with extremely hot weather increasing the vaporization of even a rather stable solvent and the grinding wheel perhaps creating sparks with harder castings. Furthermore they can have other, less positive consequences, such as a softer grinding wheel being less effective in smoothing the rough edges on the castings. The final domino of lack of control has probably a multitude of factors: poor identification of work activities that allowed the use of solvent in the grinding area, storage of a solvent in a work area, poor safety inspections, lack of awareness of the grinding operator, etc. At this stage, simply separating the dangerous elements, that is, removing the solvent from the grinding area, is the simplest, cheapest, and most effective solution.

Although, strictly speaking, the Heinrich, Petersen, and Roos (1980) accident ratio triangle, which establishes the foundation for a major injury (see Figure 8.4a), is not an accident causation model, it emphasizes the necessity of moving backward in the accident progression sequence.
For each major injury, most likely there were at least 29 minor injuries and 300 no-injury accidents, with untold hundreds or thousands of unsafe acts leading up to the base of the triangle. Therefore, rather than just reactively focus on the major injury or even the minor injuries, it makes sense for the safety engineer to look proactively, further back at the no-injury accidents and unsafe acts leading up to those accidents, as a field of opportunities to reduce potential injury and property damage costs and have a much more significant and effective total loss control program. This accident ratio triangle was later modified by Bird and Germain (1985) to include property damage and revised numbers (see Figure 8.4b). However, the basic philosophy remained the same.

BEHAVIOR-BASED SAFETY MODELS

More recent accident causation models have focused on behavioral aspects of the human operator. The basis for this approach lies in early crisis research of Hill (1949) followed by the quantification of these crises or more modest situational factors into life change units (LCUs) by Holmes and Rahe (1967) (see Table 8.1). The basic premise of the theory is that situational factors tax a person's capacity to cope with stress in the workplace (or life in general), leaving the person more likely to suffer an accident as the amount of stress increases. It was found that 37 percent of individuals who accumulated between 150 and 199 LCUs in 2 years had illnesses. As the LCUs increased from 200 to 299, 51 percent had illnesses,
and for those exceeding 300 LCUs, 79 percent had illnesses. This theory may help explain apparently accident-prone individuals and the need for having stressed workers avoid difficult or dangerous tasks.

Figure 8.4 (a) Heinrich accident ratio triangle (levels from top: Major injury, Minor injuries, Accidents), (b) Bird and Germain (1985) accident ratio triangle (levels from top: Major injury, Minor injuries, Property damage, Near misses). (Adapted from: Heinrich, Petersen, and Roos, 1980)

Another behavioral accident causation model is the motivation-reward-satisfaction model presented by Heinrich, Petersen, and Roos (1980). It expands on Skinnerian concepts (Skinner, 1947) of positive reinforcement to achieve certain goals. In terms of safety, worker performance is dependent on the worker's motivation as well as the worker's ability to perform. In the main positive feedback cycle (see Figure 8.5), the better the worker performs, the better the worker is rewarded, the more the worker is satisfied, and the greater the worker's motivation to perform better. This positive feedback could be applied both to safety performance and to worker productivity (which is the basis for wage incentive systems discussed in Chapter 17).

The most current and popular variation of behavior-based safety training is the ABC model. At the center of the model is behavior (the B part) of the worker, or what the worker does as part of the accident sequence. The C part is the consequence of the worker's behavior, or the events taking place after the behavior, leading to a potential accident and injury. The A part consists of antecedents (sometimes termed activators), or events that take place before the behavior occurs. Typically, this will start out as a negative process, in which the safety engineer tries to correct unpleasant consequences and determine what behaviors and antecedents lead to these consequences. For example, an operator takes a shortcut across a moving conveyor (a behavior).
The antecedent may be break time as the operator tries to beat the lunchtime rush to get into the cafeteria line first. The
consequences are typically positive for the operator with more time to eat lunch, but in this particular instance are negative with an injury as the operator slipped on the conveyor. One approach in changing the behavior would be to post warnings on the dangers of jumping across the conveyor and to issue fines for violations.

Table 8.1 Table of Life Change Units

Rank  Life Event                                   Mean Value
1     Death of spouse
2     Divorce                                      73
3     Marital separation                           65
4     Jail term                                    63
5     Death of close family member                 63
6     Personal injury or illness                   53
7     Marriage                                     50
8     Fired at work                                47
9     Marital reconciliation
10    Retirement
11    Changes in family member's health
12    Pregnancy
13    Sex difficulties
14    Gain of new family member
15    Business readjustment
16    Change in financial state
17    Death of close friend
18    Change to different line of work
19    Change in number of arguments with spouse
20    Mortgage over critical amount
21    Foreclosure of mortgage or loan
22    Change in work responsibilities
23    Son or daughter leaving home
24    Trouble with in-laws
25    Outstanding personal achievement
26    Wife beginning or stopping work
27    Begin or end school
28    Change in living conditions
29    Revision of personal habits
30    Trouble with boss
31    Change in work-hours, conditions
32    Change in residence
33    Change in schools
34    Change in recreation
35    Change in church activities
36    Change in social activities
37    Mortgage or loan under critical amount
38    Change in sleeping habits
39    Change in number of family get-togethers
40    Change in eating habits
41    Vacation
42    Christmas
43    Minor violations of the law                  11

Source: Heinrich, Petersen, and Roos,
However, this is a negative approach that would require major enforcement action. That is, changing antecedents can get behavior started, but in many cases is not sufficient to maintain that behavior, especially if the approach focuses on the negative. A better approach would be to use the motivation-reward-satisfaction model and focus on positive consequences. This could be achieved by staggering lunch breaks for employees so that all would enjoy a relaxing, unrushed lunch break. It is also important to realize that the most effective activators are correlated with the most effective consequences: those that are positive, immediate, and certain.

Figure 8.5 The motivation-reward-satisfaction model. Elements shown: job motivational factors (Can he or she achieve? Promotion? A sense of responsibility), job climate (boss, staff, management style, climate, relations), the job itself (Any fun?), self (personality, achievement), peer group(s) (norms, pressures), union (norms, pressures), selection (Can he or she do it?), training (Does he or she know how?), motivation, ability, performance, reward (boss, peer, union, self), satisfaction. Source: Heinrich, Petersen, and Roos, 1980

Generally, behavior-based approaches are quite popular and effective as an accident prevention method, especially considering that the large majority (up to 88 percent) of accidents are due to unsafe acts and behaviors on the part of workers. Unfortunately this approach focuses solely on people and not on physical hazards. So there should also be mechanisms and procedures in place for ensuring safe workplace conditions. Finally, one should be careful that such programs do not become convoluted from the original purpose of promoting safety.
From personal experience, a manufacturing company had implemented a positive reinforcement program of providing safety incentives for production workers: all workers in a department achieving a particular safety goal, for example, a month without a recordable injury, were provided a free lunch in the cafeteria. If this record was extended to six months, they received a steak dinner at a popular
restaurant; and if they reached one year, then they received a $200 gift certificate. Of course, if there was a recordable injury, they had to start over from scratch. As a result, once the stakes got high, injured workers were strongly encouraged by fellow workers not to report the injury to the plant nurse, circumventing the original intent!

8.2 ACCIDENT PREVENTION PROCESS

IDENTIFYING THE PROBLEM

In identifying the problem, the same quantitative exploratory tools (such as Pareto analysis, fish diagram, Gantt chart, job-worksite analysis guide) discussed in Chapter 2 for methods engineering can also be used in the first step in the accident prevention process. Another tool that is effective in identifying whether one department is significantly more hazardous than another is the chi-square analysis. This analysis is based on the chi-square goodness of fit test between a sample and a population distribution in the form of categorical data in a contingency table. Practically, this is expressed as a difference between m observed and expected cell counts of injuries (or accidents or dollars):

$$\chi^2 = \sum_{i=1}^{m} \frac{(E_i - O_i)^2}{E_i}$$

where
$E_i$ = expected value = $H_i \times O_T / H_T$
$O_i$ = observed value
$O_T$ = total of observed values
$H_i$ = hours worked
$H_T$ = total of hours worked
$m$ = number of areas compared

If the resulting $\chi^2$ is greater than $\chi^2_{\alpha,m-1}$, the critical $\chi^2$ at an error level of $\alpha$ and with $m - 1$ degrees of freedom, then there is a significant difference between the expected and observed values in injuries. Example 8.1 demonstrates an application for safety while more details on the statistical procedure can be found in Devore (2003).

EXAMPLE 8.1 Chi-Square Analysis of Injury Data

Dorben Co. has three main production departments: processing, assembly, and packing/shipping. It is concerned with the apparent high number of injuries in processing and would like to know if this is a significant deviation from the rest of the plant.
Chi-square analysis comparing the number of injuries in 2006 (shown in Table 8.2) with an expected number based on the number of exposure hours is the appropriate way to study the problem. The expected number of injuries in processing is found from

$E_i = H_i \times O_T / H_T$ = 900,000 × 36 / 2,900,
Table 8.2 Observed and Expected Injuries

Department         Injuries O_i   Exposure (h)   Expected Injuries E_i
Processing         22             900,000        11.2
Assembly           10             1,400,
Packing/Shipping   4              600,
Total              36             2,900,

The expected numbers of injuries for the other departments are found similarly. Note that the total number of expected injuries should add to the total number of observed injuries, 36.

$$\chi^2 = \sum_{i=1}^{m} \frac{(E_i - O_i)^2}{E_i}$$

The resultant value of 15.1 is greater than the critical value $\chi^2_{\alpha,m-1}$, found in Table A3-4 (Appendix 3). Therefore, the number of injuries in at least one department deviates significantly from the expected value based purely on exposure hours. This department, processing with 22 injuries instead of the expected 11.2, should then be studied in further detail to find the cause of this increase in injuries.

COLLECT AND ANALYZE DATA: JOB SAFETY ANALYSIS

The second and third steps of the accident prevention process are the collecting and analyzing of data. The most common and basic tool for this is job safety analysis (JSA), sometimes also termed job hazard analysis or methods safety analysis. In a JSA, the safety engineer (1) breaks down a job into its component elements in a sequential order, (2) examines each element critically for a potential hazard or the possibility of an accident occurrence, and (3) identifies ways of improving the safety of this element. While the safety engineer is performing a JSA, she or he should focus on four major factors:

1. Worker: the operator, the supervisor, or any other individual that may be associated with this element
2. Method: the work procedures being utilized in this particular process
3. Machine: the equipment and tools being utilized
4. Material: the raw material, parts, components, fasteners, etc., that are being used or assembled in the process.
Thus, any improvements could involve better training of or personal protective equipment for the operator, a new method, safer equipment and tools, and different and/or better materials and components. As an example, consider the process of machining a relatively large (40-lb) coupling, shown in Figure 8.6, with its associated JSA in Figure 8.7. The process involves (1) picking up the unfinished part from a crate, (2) setting it in the
machine fixture, (3) tightening the fixture with a wrench, (4) blowing out machining chips (loosening the fixture and removing the coupling are not shown, but are equivalent to elements 3 and 2, respectively), (5) smoothing any rough edges with a hand grinder, and (6) placing the finished part in a packing carton. Potential hazards and appropriate controls corresponding to each element are shown in Figure 8.7. Common problems include high compressive forces while one is retrieving and placing the coupling in crates or packing cartons. These forces could be reduced by tilting the boxes for easier entry. Another problem is shoulder flexion with large torques while one is placing and/or removing the coupling into the machining fixture and tightening or loosening the fixture. These could be alleviated by lowering the fixture and having the stand closer to the fixture so that the elbows are bent closer to the optimum 90° angle. Personal protective equipment such as a dust mask would help with dust and gel gloves with hand vibration.

Figure 8.6 Steps in the machining of a coupling. Courtesy of Andris Freivalds.

JSAs provide several useful features that cross over into methods engineering. They are a simple, quick, and objective means of mapping all the relevant details. They can compare existing and proposed methods with potential effects not just on safety but also on production, which is a very useful application in terms of selling increased safety to management. Although quite qualitative, the JSA approach can be made more quantitative by adding probabilities, which leads into the very quantitative fault tree analysis, discussed later in Section 8.5.
Figure 8.7 Job safety analysis.
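The chi-square comparison of Example 8.1, worked through in code as an added example (not part of the original chapter). It generalizes to any number of departments and reports a p-value instead of a table lookup. The exposure hours for Assembly and Packing/Shipping are truncated in the table above and are assumed here to be 1,400,000 and 600,000; with unrounded expected counts the statistic comes out near the 15.1 the example reports.

```python
import math

# Observed injuries and exposure hours per department (Example 8.1).
# Assumption: the Assembly and Packing/Shipping hours are truncated in the
# extracted table; 1,400,000 and 600,000 are assumed (2,900,000 h in total
# together with the 900,000 h stated for Processing).
DEPARTMENTS = {
    "Processing": (22, 900_000),
    "Assembly": (10, 1_400_000),
    "Packing/Shipping": (4, 600_000),
}


def chi_square_sf(x, df):
    """Upper-tail probability P(chi-square >= x) for df degrees of freedom."""
    if x <= 0:
        return 1.0
    half = x / 2.0
    if df % 2 == 0:
        # Even df: exp(-x/2) * sum_{j < df/2} (x/2)^j / j!
        term, total = 1.0, 1.0
        for j in range(1, df // 2):
            term *= half / j
            total += term
        return math.exp(-half) * total
    # Odd df: erfc term plus a finite series in half-integer powers of x/2.
    total = math.erfc(math.sqrt(half))
    for j in range(1, (df - 1) // 2 + 1):
        total += math.exp(-half) * half ** (j - 0.5) / math.gamma(j + 0.5)
    return total


def injury_chi_square(departments, alpha=0.05):
    """Compare observed injuries with counts expected from exposure hours."""
    if len(departments) < 2:
        raise ValueError("need at least two areas to compare")
    total_injuries = sum(obs for obs, _ in departments.values())
    total_hours = sum(hours for _, hours in departments.values())
    if total_injuries == 0:
        raise ValueError("no injuries recorded, nothing to test")
    rows, chi2 = [], 0.0
    for name, (observed, hours) in departments.items():
        if hours <= 0:
            raise ValueError(f"{name}: exposure hours must be positive")
        expected = hours * total_injuries / total_hours  # E_i = H_i * O_T / H_T
        term = (expected - observed) ** 2 / expected
        chi2 += term
        rows.append({"department": name, "observed": observed,
                     "expected": expected, "term": term})
    df = len(departments) - 1
    p_value = chi_square_sf(chi2, df)
    excess = [r for r in rows if r["observed"] > r["expected"]]
    return {
        "rows": rows,
        "chi2": chi2,
        "df": df,
        "p_value": p_value,
        # p < alpha is the same decision as chi2 > critical chi2(alpha, m - 1).
        "significant": p_value < alpha,
        # Department adding most to chi2 while having more injuries than expected.
        "largest_excess": (max(excess, key=lambda r: r["term"])["department"]
                           if excess else None),
        # Common rule of thumb: the test is unreliable if an expected count < 5.
        "small_expected": [r["department"] for r in rows if r["expected"] < 5],
    }


if __name__ == "__main__":
    result = injury_chi_square(DEPARTMENTS)
    for row in result["rows"]:
        print(f'{row["department"]:<18}{row["observed"]:>4}'
              f'{row["expected"]:>8.1f}{row["term"]:>8.2f}')
    print(f'chi2 = {result["chi2"]:.2f}, df = {result["df"]}, '
          f'p = {result["p_value"]:.5f}, study: {result["largest_excess"]}')
```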
SELECT A REMEDY: RISK ANALYSIS AND DECISION MAKING

Once JSAs have been completed and a variety of solutions have been suggested, the safety engineer will need to choose one for implementation. This can be done by using a variety of decision-making tools in the fourth step of the accident prevention process, select a remedy. Most of these tools are just as appropriate for selecting a new method for improved productivity and are presented in Chapter 9. However, one of these tools, risk analysis, is more suitable for safety because it calculates the potential risk for an accident or injury and the reduction of risk due to modifications. According to Heinrich, Petersen, and Roos (1980), the analysis is based on the premise that the risk for injury or loss cannot be completely eliminated; that only a reduction in risk or potential loss can be achieved. Furthermore, any modifications should consider maximum cost effectiveness.

According to the method (Heinrich, Petersen, and Roos, 1980), the potential loss increases with (1) increased likelihood or probability that the hazardous event will occur, (2) increased exposure to the hazardous conditions, and (3) increased possible consequences of the hazardous event. Numerical values are assigned to each of the above three factors (see Table 8.2), and then an overall risk score is computed as a product of these factors (see Table 8.3). Note that these numerical values are rather arbitrary, and consequently the final risk score is also rather arbitrary. This, however, doesn't negate the method; it still serves as a method to provide good relative comparison between different safety features or controls.
Table 8.3 Risk Analysis Factor Values

Likelihood       Value    Exposure      Value
Expected         10       Continuous    10
Possible         6        Daily         6
Unusual          3        Weekly        3
Remote           1        Monthly       2
~ Conceivable    0.5      Few/Year      1
~ Impossible     0.1      Yearly        0.5

Possible Consequences                              Value
Catastrophe (many fatalities, $10^8 damage)        100
Disaster (few fatalities, $10^7 damage)            40
Very serious (fatality?, $10^6 damage)             15
Serious (serious injuries, $10^5 damage)           7
Important (injuries, $10^4 damage)                 3
Noticeable (first aid, $10^3 damage)               1

Adapted from: Heinrich, Petersen, and Roos (1980).

As an example of risk analysis, consider an event that is conceivable but rather unlikely with a value of 0.5, with a weekly exposure and value of 3, and
very serious consequences with a value of 15. The resulting product yields a risk score of 22.5, which corresponds to a rather low risk, with possible attention needed, but not urgent attention. See Table 8.4. This same result can be achieved by using Figure 8.8 and a tie line to connect the two halves of the chart.

The cost-effectiveness of two different remedies for the above risky event can be compared by using Figure 8.9. Remedy A reduces the risk by 75 percent but costs $50,000 while remedy B reduces the risk by only 50 percent, but also costs only $500. In terms of cost-effectiveness, remedy A is of doubtful merit and may have difficulty receiving financial support, while remedy B may well be justified because of its lower cost.

Table 8.4 Risk Analysis and Cost-Effectiveness

Risk Situation                               Value
Very high risk, discontinue operations       400
High risk, immediate correction
Substantial risk, correction needed
Possible risk, attention needed
Risk?, perhaps acceptable                    20

Source: Heinrich, Petersen, and Roos (1980).

Figure 8.8 Risk analysis calculation. Source: Heinrich, Petersen, and Roos,
Figure 8.9 Risk analysis and cost-effectiveness (remedies A and B marked on the chart). Source: Heinrich, Petersen, and Roos,

After an appropriate cost-effective remedy has been selected, the remedy needs to be implemented in the fifth step of the accident prevention method. This should occur at several levels. The safety engineer with appropriate technicians will install the appropriate safety devices or equipment. However, for a completely successful implementation, the individual operators and supervisors must also buy into the new approach. If they don't follow the correct procedures with the new equipment, any potential safety benefits may be lost. As an aside, this also presents an opportunity to discuss the 3 E's approach: engineering, education, and enforcement. The best remedy almost always is an engineering redesign. This will ensure strict safety and doesn't rely strictly on operator compliance. The next-best remedy is education; however, this does rely on operator compliance and may not always succeed, especially if workers do not follow the correct procedures. Lastly, there is enforcement of strict rules and use of personal protective equipment. This presumes worker noncompliance, requires strict checkups, instills resentment with negative reinforcement, and should be used as a last resort.

MONITORING AND ACCIDENT STATISTICS

The sixth and final step in the accident prevention process is the monitoring of the situation to evaluate the effectiveness of the new method. This provides feedback on the process and closes the loop by restarting the cycle in case the
situation is not improving. Typically, numerical data provide a solid benchmark for monitoring any changes. These could be insurance costs, medical costs, or simply numbers of injuries and/or accidents. However, any of these numbers should be normalized to the worker exposure hours so that the numbers can be compared across locations and industries. Furthermore, OSHA recommends expressing injury statistics as incidence rate (IR) per 100 full-time employees per year:

$$IR = 200{,}000 \times I / H$$

where
$I$ = number of injuries in given time period
$H$ = employee hours worked in same time period

For OSHA record-keeping purposes, the injuries should be OSHA-recordable, or more than simple first-aid injuries. However, research has shown that there are considerable similarities between minor and major injuries (Laughery and Vaubel, 1993). Similarly, the severity rate (SR) monitors the number of lost-time (LT) days:

$$SR = 200{,}000 \times LT / H$$

Figure 8.10 Statistical control limits. Source: Heinrich, Petersen, and Roos, 1980.

In addition to simply recording and monitoring the incidence rates as they change from month to month, the safety engineer should apply statistical control charting principles and look for long-term trends. The control chart (see Figure 8.10) is based on a normal distribution of the data and establishing a lower control limit (LCL) and an upper control limit (UCL) as defined by

$$\text{LCL} = \bar{x} - ns$$
$$\text{UCL} = \bar{x} + ns$$

where
$\bar{x}$ = sample mean
$s$ = sample standard deviation
$n$ = level of control limits

For example, for the case in which we would expect $100(1 - \alpha)$ percent of the data to fall between the upper and lower control limits, $n$ would simply be the standard normal variable $z_{\alpha/2}$. For $\alpha = 0.05$, $n$ becomes However, for many
situations a higher level of control is needed with $n = 3$ or even $n = 6$ (the Motorola six-sigma control level).

For tracking accidents or injuries, the control chart is rotated sideways, and monthly data are plotted on the chart (see Figure 8.11). Obviously the lower control limit is of less concern (other than a nice pat on the back) than the upper control limit. Should several consecutive months fall above the upper control limit, this should be a red flag or signal to the safety engineer that there is a problem and a serious effort should be put into finding the cause. In addition to the red flagging, an alert safety engineer should have noticed the upward trend beginning several months previously and started a control action earlier. This trend analysis could be easily performed using a moving linear regression over varying multiple-month periods.

Figure 8.11 Red flagging with control chart (monthly data plotted against the UCL). Adapted from: Heinrich, Petersen, and Roos,

8.3 PROBABILITY METHODS

The accident causation models discussed previously, especially the domino theory, implied a very deterministic response. That is far from the case. Grinding without safety glasses or walking under an unsupported roof in a coal mine at a given moment does not ensure an automatic accident and injury. However, there is a chance that an accident will occur, and the likelihood of that happening can be defined with a numeric probability.

Probability is based on Boolean logic and algebra. Any event is defined by a binary approach; that is, at any given moment, there are only two states: the event either exists and is true (T), or it does not exist and is false (F). There are three operators that define interactions between events:

1. AND, the intersection between two events, with symbol ∩ or · (the dot sometimes is omitted)
2. OR, the union between events, with symbol ∪ or +
3. NOT, the negation of an event, with the symbol ¯ (an overbar).
The interaction of two events X and Y, using these operators, follows a specific pattern termed the truth tables (see Table 8.5). Interactions between more than
two events result in more complicated expressions, which necessitate an ordered processing to evaluate the resultant overall probability of the final accident or injury. The specific order or precedence that must be followed is as follows: ( ), NOT, AND, OR. Also, certain groupings of events tend to appear repeatedly, so that if one recognizes these patterns, simplification rules can be applied to quicken the evaluation procedure. The most common rules are given in Table 8.6.

Table 8.5 Boolean Truth Tables

$$\begin{array}{cccc} X & Y & X \cdot Y & X + Y \\ T & T & T & T \\ T & F & F & T \\ F & T & F & T \\ F & F & F & F \end{array} \qquad \text{(Not)} \quad \begin{array}{cc} X & \bar{X} \\ T & F \\ F & T \end{array}$$

Table 8.6 Boolean Algebra Simplifications

Basic laws: X X X XX 0 X X X X X 0 XT X XF 0

Distributive laws:

$$XY + XZ = X(Y + Z)$$
$$(X + Y)(X + Z) = X + YZ$$
$$XY + X\bar{Y} = X$$
$$X + Y\bar{X} = X + Y$$
$$X + XY = X$$
$$X(X + Y) = X$$
$$X(\bar{X} + Y) = XY$$
$$(X + Y)(X + \bar{Y}) = X$$

The probability of an event P(X) is defined as the number of times event X occurs out of the total number of occurrences:

$$P(X) = \#X/\#\text{Total}$$

and P(X) must necessarily lie between 0 and 1. The probability of ORed events $X + Y$ is defined as

$$P(X + Y) = P(X) + P(Y) - P(XY)$$

if the events are not mutually exclusive, and as

$$P(X + Y) = P(X) + P(Y)$$

if the events are mutually exclusive. Two events are defined as mutually exclusive if the two events do not intersect, that is, $X \cap Y = 0$. Thus necessarily $X$ and $\bar{X}$ are mutually exclusive. For the union of more than two events, an alternate expression, based on reverse logic, that is much easier to evaluate is more typically used:

$$P(X + Y + Z) = 1 - [1 - P(X)][1 - P(Y)][1 - P(Z)]$$

The probability of ANDed events is defined as

$$P(XY) = P(X)P(Y) \tag{2}$$

if the two events are independent, and as

$$P(XY) = P(X)P(Y/X) = P(Y)P(X/Y) \tag{3}$$
if the two events are not independent. Two events are defined as independent if the occurrence of one event doesn't affect the occurrence of another event. Mathematically this is determined by equating Equations (2) and (3) and removing P(X) from both sides, yielding

$$P(Y) = P(Y/X) \tag{4}$$

if the two events are independent. Rearrangement of Equation (3) also yields a commonly used expression that is termed Bayes' rule:

$$P(Y/X) = P(Y)P(X/Y)/P(X) \tag{5}$$

Note that two events cannot be both mutually exclusive and independent, because being mutually exclusive necessarily means that one event defines the other, that is, the events are dependent. Example 8.2 demonstrates these various calculations as well as independent and nonindependent events. More details on basic probability can be found in Brown (1976).

EXAMPLE 8.2 Independent and Not Independent Events

Consider the number of occurrences of A being true (or 1) out of the total number of occurrences in Table 8.7a. This determines the probability of A:

$P(X) = \#X/\#\text{Total} = 7/$

Note that the probability of $\bar{A}$ is the number of occurrences of A being false (or 0) out of the total number of occurrences:

$P(\bar{X}) = \#\bar{X}/\#\text{Total} = 3/$

Also $P(\bar{X})$ can be found from

$P(\bar{X}) = 1 - P(X)$

Similarly the probability of Y is

$P(Y) = \#Y/\#\text{Total} = 4/$

The probability of AB is the number of occurrences of both A and B being true out of the total number of occurrences:

$P(XY) = \#XY/\#\text{Total} = 3/$

Table 8.7 Independent or Not Independent Events. (a) X and Y are not independent. (b) X and Y are independent. Rows: Y = 0, 1, Total; columns: X = 0, 1, Total.
The conditional probability of X given that Y has occurred (or is true) is defined as the number of occurrences of X from the Y = 1 row:

$P(X/Y) = \#X/\#\text{Total } Y = 3/$

Similarly,

$P(Y/X) = \#Y/\#\text{Total } X = 3/$

Note also Bayes' rule:

$P(Y/X) = P(Y)P(X/Y)/P(X) = \ /\ = P(Y/X)$

Finally, for two events to be independent, Equation (4) must be true. But for Table 8.7a, we found that $P(Y) = 0.4$ while $P(Y/X)$ Therefore events X and Y are not independent. However in Table 8.7b, we find

$P(X) = \#X/\#\text{Total} = 9/$

$P(X/Y) = \#X/\#\text{Total } Y = 6/$

Since both expressions are equal, events X and Y are independent. The same equivalence is found for P(Y) and P(Y/X):

$P(Y) = \#Y/\#\text{Total} = 10/$

$P(Y/X) = \#Y/\#\text{Total } X = 6/$

RELIABILITY

The term reliability defines the probability of the success of a system, which necessarily must depend on the reliability or the success of its components. A system could be either a physical product with physical components or an operational procedure with a sequence of steps or suboperations that need to be completed correctly for the procedure to succeed. These components or steps can be arranged in combinations using two different basic relationships: series and parallel arrangements. In a series arrangement (see Figure 8.12a), every component must succeed for the total system T to succeed. This can be expressed as the intersection of all components

$$T = A \cap B \cap C = ABC$$

which if independent (in most cases), yields a probability of

$$P(T) = P(A)P(B)P(C)$$

or if not independent, yields

$$P(T) = P(A)P(B/A)P(C/AB)$$

In a parallel arrangement, the total system succeeds if any one component succeeds. This can be expressed as a union of the components

$$T = A \cup B \cup C = A + B + C$$
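The calculations of Example 8.2 and the series and parallel arrangements above, as an added Python example that is not part of the original text. The 2x2 counts and component reliabilities are constructed (they are not the values of Table 8.7), and the parallel case is evaluated with the reverse-logic union formula under the assumption that components are independent.

```python
from math import prod, isclose

def table_probs(n11, n10, n01, n00):
    """Probabilities from 2x2 counts; n10 means X true and Y false."""
    total = n11 + n10 + n01 + n00
    return {
        "X": (n11 + n10) / total,
        "Y": (n11 + n01) / total,
        "XY": n11 / total,
        "X/Y": n11 / (n11 + n01),   # X given Y
        "Y/X": n11 / (n11 + n10),   # Y given X
    }

def bayes_y_given_x(p):
    """Equation (5): P(Y/X) = P(Y)P(X/Y)/P(X)."""
    return p["Y"] * p["X/Y"] / p["X"]

def is_independent(p):
    """Equation (4): independent when P(Y) = P(Y/X)."""
    return isclose(p["Y"], p["Y/X"])

def p_or(p):
    """P(X + Y) = P(X) + P(Y) - P(XY); holds with or without independence."""
    return p["X"] + p["Y"] - p["XY"]

def p_union_independent(probs):
    """Reverse-logic union, 1 - product of (1 - P_i); assumes independence."""
    return 1 - prod(1 - q for q in probs)

def series_reliability(probs):
    """Every independent component must succeed: P(T) = P(A)P(B)P(C)."""
    return prod(probs)

# Constructed counts, chosen so one table is dependent and one independent.
DEPENDENT = table_probs(n11=2, n10=6, n01=4, n00=8)
INDEPENDENT = table_probs(n11=3, n10=9, n01=2, n00=6)

if __name__ == "__main__":
    for name, p in (("dependent", DEPENDENT), ("independent", INDEPENDENT)):
        print(name, is_independent(p), round(bayes_y_given_x(p), 4),
              round(p_or(p), 4),
              round(p_union_independent([p["X"], p["Y"]]), 4))
    parts = [0.90, 0.95, 0.99]      # constructed component reliabilities
    print("series:", series_reliability(parts))
    print("parallel:", p_union_independent(parts))
```

For the dependent table the reverse-logic formula gives 0.58 where the general OR formula gives 0.6, which shows that the shortcut is only valid for independent events.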