Home | Site Map |

Safety engineering


Safety engineering is used to assure that a life-critical system behaves as needed even when pieces fail. Safety engineering is stronglyrelated to systems engineering .

Safety engineers distinguish different extents of defective operation: A "fault" is said to occur when some piece of equipmentdoes not operate as designed. A "failure" only occurs if a human being (other than arepair person) has to cope with the situation. A "critical" failure endangers one or a few people. A "catastrophic" failureendangers, harms or kills a significant number of people.

Safety engineers also identify different modes of safe operation: A " probabilistically safe" system has no single point of failure, and enough redundant sensors, computers and effectors so that it is very unlikely to cause harm (usually "very unlikely"means less than one human life lost in a billion hours of operation). An "inherentlysafe" system is a clever mechanical arrangement that cannot be made to cause harm- obviously the best arrangement, but this isnot always possible. For example, "inherently safe" airplanes are not possible. A "fail-safe" system is one that cannot causeharm when it fails. A "fault-tolerant" system can continue to operate with faults, though its operation may be degraded in somefashion.

These terms combine to describe the safety needed by systems: For example, most biomedical equipment is only "critical," andoften another identical piece of equipment is nearby, so it can be merely "probabilistically fail-safe". Train signals can cause"catastrophic" accidents (imagine chemical releases from tank-cars) and are usually "inherently safe". Aircraft "failures" are "catastrophic" (at least for their passengers and crew,) so aircraft are usually"probabilistically fault-tolerant". Without any safety features, nuclearreactors might have "catastrophic failures", so real nuclear reactors are required to be at least "probabilisticallyfail-safe", and some pebble bed reactors are "inherentlyfault-tolerant".


4.1 Probabilistic Fault Tolerance: AddingRedundancy to Equipment and Systems
4.2 Inherent Fail-Safe Design

The Process

Ideally, safety-engineers take an early design of a system, analyze it to find what faults can occur, and then propose changesto make the system more safe. In an early design stage, often a fail-safe system can be made acceptably safe with a few sensors and some software to read them.Probabilitically fault-tolerant systems can often be made by using more, but smaller and less-expensive pieces of equipment.

Historically, many organizations viewed "safety engineering" as a process to produce documentation to gain regulatoryapproval, rather than a real asset to the engineering process. These same organizations have often made their views into a self-fulfilling prophecy by assigning less-ablepersonnel to safety engineering.

Far too often, rather than actually helping with the design, safety engineers are assigned to prove that an existing,completed design is safe. If a competent safety engineer then discovers significant safety problems late in the design process,correcting them can be very expensive. This project management error has wasted large sums of money in the development ofcommercial nuclear reactors .

Analysis Techniques

The two most common fault modeling techniques are called "failure modes and effects analysis" and "fault tree analysis." Thesetechniques are just ways of finding problems and of making plans to cope with failures.

Failure Modes and Effects Analysis

In the technique known as "failure modes and effects analysis", an engineer starts with a block diagram of a system. Theengineer then considers what happens if each block of the diagram fails. The engineer than draws up a table in which failures arepaired with their effects and an evaluation of the effects. The design of the system is then corrected, and the table adjusteduntil the system is not known to have unacceptable problems. Of course, the engineers may make mistakes. It's very helpful tohave several engineers review the failure modes and effects analysis.

Fault Tree Analysis

In the technique known as "fault tree analysis", an undesired effect is taken as the root of a tree of logic. Then, eachsituation that could cause that effect is added to the tree as a series of logic expressions. When fault trees have real numbers about failureprobabilities (often unavailable because of testing expense), computerprograms can calculate failure probabilities from fault trees. The classic computer program is the Idaho National Engineeringand Environmental Laboratory's SAPHIRE , which is used by the U.S. government toevaluate the safety and reliability of nuclear reactors , the space shuttle , and the International Space Station .

Unified Modeling Language (UML) activity diagrams have been usedas graphical components in a fault tree analysis.

Safety Certification

Usually a failure in safety- certified systems is acceptable if lessthan one life per 30 years of operation (109 seconds) is lost to mechanical failure. Most Western nuclear reactors,medical equipment, and commercial aircraft are certified to this level.

Preventing Failure

Probabilistic Fault Tolerance: Adding Redundancy to Equipment and Systems

Once a failure mode is identified, it can usually be prevented entirely by adding extra equipment to the system. For example,nuclear reactors emit dangerous radiation and contain nasty poisons , and nuclear reactions can cause so much heat that no substance can contain them. Therefore reactors have emergency core cooling systems to keep the temperature down,shielding to contain the radiation, and containments (usually several, nested) to prevent leakage.

Most biological organisms have extreme amounts of redundancy: multiple organs,multiple limbs, etc.

For any given failure, a fail-over, or redundancy can almost always be designed and incorporated into a system.

Inherent Fail-Safe Design

When adding equipment is impractical (usually because of expense), then the least expensive form of design is often"inherently fail-safe ". The typical approach is to arrange the system so thatordinary single failures cause the mechanism to shut down in a safe way.

One of the most common fail-safe systems is the overflow tube in baths and kitchen sinks . If the valve sticks open,rather than causing an overflow and damage, the tank spills into an overflow

Another common example is that in an elevator the cable supporting the car keeps spring-loaded brakes open. If the cablebreaks, the brakes grab rails, and the car does not fall.

Another common inherently fail-safe system is the pilot-light sensor in most gas furnaces. When the pilot light is off, thesensor cools down and a mechanical arrangement such as a bimetal switch disengagesthe gas valve, so that the house cannot fill with unburned gas.

Inherent fail-safes are common in medical equipment, traffic and railway signals, communications equipment, and safetyequipment.

The safety engineer

Personality and role

Oddly enough, personality issues can be paramount in a safety engineer. They must be personally pleasant, intelligent, andruthless with themselves and their organization. In particular, they have to be able to "sell" the failures that they discover,as well as the attendant expense and time needed to correct them. They can be the messengers of bad news.

Safety engineers have to be ruthless about getting facts from other engineers. It is common for a safety engineer to considersoftware, chemical, electronic, eletrical, mechanical, procedural, and training problems in the same day. Often the facts can bevery uncomfortable.


It is important to make the safety engineers part of a team, so that safety problems cannot be discounted as due to the safetyengineers' personality problems or ignored by firing a single engineer.

It is a severe safety problem if an engineering team or management discredits a safety engineer: either the manager appointeda poor engineer to the position, indicating that there may be numerous undiscovered safety issues, or the team has inverteddevelopment priorities and considers safety to be less important than upper management or government does.

See also

safety engieering, system, safeyt engineering, fault, safety engineerin, fail, safety engienering, engineer, safety engineerig, design, safey engineering, nuclear, safetye ngineering, effects, safety enginering, tree, saety engineering, problems, safety engineeirng, modes, safety enineering, process, safety egineering, operation, safety engineerng, personality, safety engnieering, mechanical, safety engineeing, life, safety negineering, tolerant, safet yengineering, catastrophic, safety ngineering, gas, afety engineering, expense, safety engineernig, down, , inherent, safety engineering, known, saftey engineering, team, safety engineerign, needed, safety engneering, management, safety egnineering, redundancy, safeti engineering, single, safety enigneering, certified, saefty engineering, early, sfaety engineering, saphire, asfety engineering, tank, safetyengineering, effect, safety enginereing, few, safet engineering, operate, sfety engineering, pieces, safty engineering, probabilistic...

This article is completely or partly from Wikipedia - The Free Online Encyclopedia. Original Article. The text on this site is made available under the terms of the GNU Free Documentation Licence. We take no responsibility for the content, accuracy and use of this article.

Anoca.org Encyclopedia