
Checklists And their use in Hazard Identification

Matthew Squair, www.criticaluncertainties.com
Checklist version 1.2

06 July 2014

Abstract

Checklists are a means by which engineering organisations pass on their hard-earned engineering experience. They are most useful in the review of precedented designs and of aleatory risk; conversely, they are of less use for identifying the hazards of unprecedented designs and technologies, with their greater component of ontological risk. Checklists are also a useful knowledge governance technique for trapping and retaining corporate knowledge.

Contents

1 Introduction
1.1 Methodology
1.1.1 Standalone use
1.1.2 Creative checklist
1.2 Mission phases
2 The hazard checklists
2.1 Functional hazards
2.2 Electrical hazards
2.3 Mechanical hazards
2.4 Pneumatic/hydraulic hazards
2.5 Acceleration/gravity hazards
2.6 Temperature hazards
2.7 Fire and flammability hazards
2.8 Radiation hazards
2.9 Spaceflight hazards
2.10 Explosives
2.11 Leaks and spills
2.12 Contamination
2.13 Physiological
2.14 Human error
2.15 Ergonomics
2.16 Control systems
2.17 Un-annunciated utility outages
2.18 Operator emergency responses
2.19 Contingency operations
2.20 Common causes
3 Documenting the analysis
4 Advantages and disadvantages
5 Conclusions
6 References

1 Introduction

The primary purpose of a checklist is to identify hazards, normally during the early part of a systems development program. Checklists can be used as a standalone technique, or integrated into other more structured techniques such as the creative checklist. The checklist items included in section 2 are derived from the listed references.

1.1 Methodology

1.1.1 Standalone use

During the hazard identification activity (for example the PHL or PHA) an analyst compares the system design information to a set of hazard checklists in order to discover hazards. For example, if the design contains a high energy radar then, after comparing it to the hazard checklists, it would become apparent that this is a hazardous EMR emitting component and that exposure of personnel, fuel or ordnance may result in a potential accident.

1.1.2 Creative checklist

The methodology was developed to identify hazards in chemical process and storage facilities. A system specific checklist is created from generic checklists: system perturbations, hazards and events that might lead to an undesired damage state are brainstormed, while previously developed generic checklists are used to structure and assist the brainstorming. The checklists created for a specific system can contain human and environment related hazards as well as component and subsystem related hazards. Three matrices are then created in which the specific materials, equipment and process elements of the system are compared with each item on the checklist, respectively, to identify a possible association. If there is an association, then more work is done to investigate this hazard/element combination. The technique is intended to be used during the very early conceptual design phase, where only the material checklist matrix can be utilised; as the design subsequently evolves, the additional process and equipment matrices are in turn developed.

1.2 Mission phases

While not hazards per se, mission phases or operational modes may have specific hazards associated with them or increase the severity or likelihood of hazards:

• Transport
• Delivery
• Installation
• Calibration
• Checkout
• Shake down
• Activation
• Standard start
• Emergency start
• Normal operation
• Load change
• Coupling/uncoupling
• Stressed operation
• Standard shutdown
• Emergency shutdown
• Diagnosis/trouble shooting
• Maintenance
• Others

The list of mission phases can be used to identify what specific phase or operational mode an identified hazard is applicable to, and in the development of functional flow block diagrams during the PHL and PHA.

2 The hazard checklists

All hazard checklists are incomplete. The following lists, derived from the references, are simply a beginning and should be further developed by the using organisation. The lists also (deliberately) contain redundant entries.

2.1 Functional hazards

Functional failure modes (Simple):
• Service failure (omission)
  – total
  – partial
• Service failure (commission)
  – repetition
  – spurious
• Value (coarse, subtle)
• Timing (early, late)

Functional failure modes (Complex):
• Input (flow rate, sequence) violations
• Concurrent functions interactions

2.2 Electrical hazards

• Shock
• Burns
• Overheating
• Ignition of combustibles
• Inadvertent activation
• Power outage
• Distribution backfeed
• Unsafe failure to operate
• Explosion/electrical (electrostatic)
• Explosion/electrical (arc)
• Connector falls out
• Connector clocking
• Bent pin

2.3 Mechanical hazards

• Sharp edges/points
• Rotating equipment
• Slide limit stops
• Assembly sequence ambiguity
• Hinged access panels securing
• How is rated load enforced?
• Reciprocating equipment
• Pinch points
• Lifting
• Stability/toppling potential
• Ejected parts/fragments
• Crushing surfaces

2.4 Pneumatic/hydraulic hazards

• Overpressurisation
• Safe depressurisation
• Reverse installation
• Pipe/vessel/duct rupture
• Tank burst
• Pressurant leakage
• Implosion
• Mislocated relief device
• Dynamic pressure loading
• Relief pressure improperly set
• Backflow
• Accidental cross connection
• Crossflow
• Pumping oscillation (pogoing)
• Hydraulic ram
• Inadvertent release
• Miscalibrated relief device
• Blown objects
• Pipe/hose whipping
• Blast (e.g. from relief devices)

2.5 Acceleration/gravity hazards

• Loose object translation
• Impacts
• Falling objects
• Inadvertent motion
• Fragments/missiles
• Sloshing liquids/pogoing
• Slip/trip
• Falls

2.6 Temperature hazards

• Heat source/sink
• Hot/cold surface burns
• Elevation
• Confined gas/liquid
• Elevated flammability
• Elevated volatility
• Elevated reactivity
• Freezing humidity/moisture
• Reduced reliability
• Altered structural properties (e.g. embrittlement)

2.7 Fire and flammability hazards

• Fuel
• Ignition source
• Oxidizer
• Propellant
• Radiation (see Radiation/HERP)

2.8 Radiation hazards

Ionizing
• Alpha
• Beta
• Neutron
• Gamma
• X-Ray
• HERP

Non-Ionizing
• Laser
• Infrared
• Microwave
• High frequency (HF)
• Ultraviolet
• HERP/HERO/HERF effects
• High power/frequency

Components
• Laser designators
• Waveguide joints
• Klystrons
• Cavity resonators
• Antenna horns
• Antenna farms

2.9 Spaceflight hazards

• Structural integrity
• Control surface loss
• Thermal protection failure
• Propulsion explosion/failures
• Flight control actuators failures
• Flight control elex failures
• Parachute failures
• Stage separation failures
• Flight safety systems failure
• Pilot incapacitation
• Cabin atmosphere (O2, contam.)
• Cabin overpressure/loss
• Debris impact
• Deployables failure
• EVA
• Remote manipulator impact
• Cargo movement
• Rendezvous/docking collision

2.10 Explosives

Initiators
• Heat
• Friction
• Impact/shock
• Vibration
• Electrostatic discharge
• Radiation (see Radiation/HERO)
• Chemical contamination
• Lightning
• Welding (stray /sparks)

Effects
• Mass fire
• Blast overpressure
• Thrown fragments
• Seismic ground wave
• Meteorological reinforcement

Sensitizers
• Heat/cold
• Vibration
• Impact/shock
• Low humidity
• Chemical contamination

Conditions
• Explosive propellant present
• Explosive gas present
• Explosive liquid present
• Explosive vapor present
• Explosive dust present

2.11 Leaks and spills

• Liquids/cryogenic
• Gases/vapors
• Dust-irritating
• Radiation sources
• Flammable
• Toxic
• Reactive
• Slippery

2.12 Contamination

• System cross-connection
  – Leaks/spills
  – Odorous
  – Pathogenic
  – Asphyxiating
  – Flooding
  – Run off
  – Vapor propagation
  – Corrosive
• Vessel/pipe/conduit rupture
• Backflow/siphon effect

2.13 Physiological

• Temperature extremes
• Nuisance dusts/odors
• Baro-pressure extremes
• Fatigue
• Lifted weights
• Noise
• Vibration (Raynaud's Syndrome)
• Mutagens
• Asphyxiants
• Allergens
• Pathogens
• Radiation (see Radiation/HERP)
• Cryogenic
• Carcinogens
• Teratogens
• Toxins
• Irritants

2.14 Human error

Operator error
• Inadvertent operation
• Failure to operate
• Operation early/late
• Operation out-of-sequence
• Right operation/wrong control
• Operate too long
• Operate too briefly

2.15 Ergonomics

• Fatigue
• Inaccessibility
• Nonexistent/inadequate 'kill' switches
• Glare
• Inadequate control differentiation
• Inadequate readout differentiation
• Inappropriate control labeling
• Inappropriate readout labeling
• Faulty workstation design
• Inadequate/improper illumination
• Inappropriate control location
• Inappropriate readout location

2.16 Control systems

• Power outage
• Interference (EMI/ESI)
• Moisture
• Sneak circuit
• Sneak software
• Lightning strike
• Grounding failure
• Inadvertent activation

2.17 Un-annunciated utility outages

• Electricity
• Steam
• Heating/Cooling
• Ventilation
• Air Conditioning
• Chilled water
• Compressed air/gas
• Lubrication
• Drains/sumps
• Fuel
• Exhaust

2.18 Operator emergency responses

• "Hard" shutdowns/failures
• Freezing
• Fire

2.19 Contingency operations

• Windstorm
• Hailstorm
• Utility outages
• Flooding
• Earthquake
• Bushfire
• Snow/ice load

2.20 Common causes

• Shared zones/environment
• Shared equipment
• Process dependencies
• Human error (cognitive, procedural)
• Single-operator coupling
• Utility outages
• Moisture/humidity
• Temperature extremes
• Seismic disturbance/impact
• Vibration
• Flooding
• Dust/dirt
• Faulty calibration
• Fire
• Location
• Radiation
• Wear-out
• Maintenance error
• Vermin

3 Documenting the analysis
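The creative checklist procedure of section 1.1.2 (a system specific checklist drawn from the generic lists, compared with the materials, equipment and process elements of a design in three matrices) and the mission-phase tagging of section 1.2, as an added worked example. This is illustration code written for this page, not the paper's or its references' own method: the checklist subset, the "trigger" attributes that make an entry applicable to an element, and the sample system (the radar, fuel and ordnance of the section 1.1.1 example) are all constructed assumptions. Entries that associate with no element are kept as a "considered, none identified" list, which is the coverage record that section 3 asks for.

```python
"""Creative-checklist association matrices (added illustration, not the paper's
own code).  The checklist subset, trigger attributes and sample system below are
all constructed for the example."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class ChecklistItem:
    """One entry of a generic hazard checklist.  `triggers` is the (assumed) set of
    element attributes that make the entry worth investigating."""
    section: str
    entry: str
    triggers: frozenset


@dataclass(frozen=True)
class Element:
    """A system element for one of the three matrices: material, equipment or
    process.  `phases` are the mission phases in which the element is present."""
    kind: str
    name: str
    attributes: frozenset
    phases: frozenset


# Generic checklist: a handful of entries from the lists above, with constructed
# trigger attributes (the paper's lists carry no such attributes).
GENERIC_CHECKLIST = (
    ChecklistItem("2.2 Electrical hazards", "Shock", frozenset({"high_voltage"})),
    ChecklistItem("2.7 Fire and flammability hazards", "Fuel", frozenset({"fuel"})),
    ChecklistItem("2.7 Fire and flammability hazards", "Ignition source",
                  frozenset({"high_voltage", "emr_emitter"})),
    ChecklistItem("2.8 Radiation hazards", "HERP", frozenset({"emr_emitter"})),
    ChecklistItem("2.10 Explosives", "Radiation (see Radiation/HERO)", frozenset({"emr_emitter"})),
    ChecklistItem("2.10 Explosives", "Explosive propellant present", frozenset({"explosive"})),
    ChecklistItem("2.11 Leaks and spills", "Flammable", frozenset({"fuel"})),
    ChecklistItem("2.9 Spaceflight hazards", "EVA", frozenset({"spaceflight"})),
)

# Constructed sample system, after the radar example of section 1.1.1.
SYSTEM = (
    Element("equipment", "high energy radar", frozenset({"emr_emitter", "high_voltage"}),
            frozenset({"Normal operation", "Maintenance"})),
    Element("material", "aviation fuel", frozenset({"fuel"}),
            frozenset({"Normal operation", "Maintenance"})),
    Element("material", "ordnance", frozenset({"explosive"}), frozenset({"Normal operation"})),
    Element("process", "refuelling", frozenset({"fuel", "personnel_present"}),
            frozenset({"Maintenance"})),
)

KINDS = ("material", "equipment", "process")


def applies(item, element):
    """An association exists when any trigger attribute is present on the element."""
    return bool(item.triggers & element.attributes)


def build_matrices(elements=SYSTEM, checklist=GENERIC_CHECKLIST):
    """Three matrices (one per element kind), each element x checklist entry -> bool.
    A kind with no elements yet (early in design) simply yields an empty matrix."""
    return {
        kind: {
            e.name: {(i.section, i.entry): applies(i, e) for i in checklist}
            for e in elements if e.kind == kind
        }
        for kind in KINDS
    }


def associations(elements=SYSTEM, checklist=GENERIC_CHECKLIST):
    """Hazard/element combinations that need further investigation, each tagged
    with the mission phases in which the element is present (section 1.2)."""
    return [
        (e.kind, e.name, i.section, i.entry, tuple(sorted(e.phases)))
        for e, i in product(elements, checklist) if applies(i, e)
    ]


def coverage(elements=SYSTEM, checklist=GENERIC_CHECKLIST):
    """Checklist entries with no association.  Record these as 'considered, none
    identified' so the report shows what the analysis did and did not cover."""
    hit = {(s, en) for _, _, s, en, _ in associations(elements, checklist)}
    return [(i.section, i.entry) for i in checklist if (i.section, i.entry) not in hit]


def shared_entries(elements=SYSTEM, checklist=GENERIC_CHECKLIST):
    """Entries associated with more than one element: candidates for the common
    cause review of section 2.20."""
    names = {}
    for _, name, s, en, _ in associations(elements, checklist):
        names.setdefault((s, en), set()).add(name)
    return {k: sorted(v) for k, v in names.items() if len(v) > 1}


if __name__ == "__main__":
    for kind, rows in build_matrices().items():
        print(f"== {kind} matrix ==")
        for name, cells in rows.items():
            hits = [f"{s}: {en}" for (s, en), v in cells.items() if v]
            print(f"  {name}: {hits or 'none'}")
    print("Investigate:", *associations(), sep="\n  ")
    print("Considered, none identified:", *coverage(), sep="\n  ")
    print("Shared entries:", shared_entries())
```

Running the module prints the three matrices, the hazard/element combinations to take forward, the entries considered with no hazard identified, and the entries shared by several elements. The trigger-attribute matching stands in for the analyst's judgement in the brainstorming step; in practice the matrices are filled by hand and the code's value is in keeping the association, phase and coverage records consistent for the hazard log.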

Checklists lend themselves easily to form style documentation. Where a form is used to document a standalone analysis it should then be retained on file as objective evidence; this can actually be legally important, as it can be used to substantiate a claim of due diligence. If a project is using a hazard log, or formal safety analyses like a PHL or PHA, the results of the checklist analysis should be integrated into the log or report. In this case it is important to document in the log or report not just the hazards that were identified but also those that were not; this gives users of the report or hazard log an idea of the coverage of the analysis.

4 Advantages and disadvantages

The advantages of checklists are that:
• They can be used by non-system experts,
• They are useful for precedented technologies and standard designs,
• They capture a wide range of previous knowledge and experience, and
• They ensure that common or obvious problems are not overlooked.

Their disadvantages are that:
• They are of limited use for unprecedented technologies or unique designs,
• They can frame the process, leading to a failure to recognise that hazards also exist off the list and a failure to explore what is not on the checklist, and
• Definitionally, they will miss hazards that have not been previously seen.

5 Conclusions

As with all system safety techniques, checklists are not a magic bullet. However, if prepared carefully and used appropriately they are a good tool for ensuring that obvious issues are addressed and that there is a home for corporate knowledge.

6 References

NASA Reference Publication 1358, Systems Engineering 'Toolbox' for Design Oriented Engineers, 1994.

Mohr, R.R., Preliminary (Lecture Presentation), Fourth Edition, Sverdrup Technology, Inc., June 1993.