CORRECTIVE ACTION EVALUATION
M. White and Ludwig Benner Jr.
Events Analysis Inc., Oakton, Virginia 22124
This paper describes a set of procedures designed to assess the relative safety
effectiveness of candidate controls for identified hazards. The procedure was
developed in response to an objective to develop a systematic process to assess
the relative safety effectiveness of alternative corrective actions, one which
considers both the type of hazard to be controlled and the degree of risk
involved. Development of the process involved integrating the existing DOD risk
assessment scheme, the corrective action precedence process prescribed by
Military Standard 882B, and a prioritized "MORT" type energy control
assessment. The decision parameters are displayed in a matrix format called a
Control Rating Code (CRC), with supporting instructions, to assist in
understanding the decision process and to ensure a consistent approach between
competing projects. While developed primarily for the U.S. Corps of Engineers
Facility System Safety Program (FASS), this corrective action evaluation
process can also be used in other system safety programs, or to assist in the
selection of controls for industrial safety/occupational health hazards in more
traditional safety and health programs.
To meet the objective of developing a systematic process for evaluating
candidate corrective actions which considers both the type of hazard and the
degree of risk, the authors explored the analytical tools available in existing
system safety programs. Military Standard 882B offers system safety engineers
several methods to help assess the priority for, and potential effectiveness
of, corrective actions. The first of these methods involves the assessment of
hazard severity and probability to assist in the establishment of priorities
for corrective action and the resolution of identified hazards. The second
method, System Safety Precedence 1/, provides an order of precedence for
applying corrective actions to identified hazards. Beyond the scope of MIL-STD
882B, several other methodologies also appeared to be useful in assisting in
the selection of corrective actions. The first of these additional
methodologies is the DOD Risk Assessment Code (RAC) 2/. This process, an
offshoot of the MIL-STD 882B risk assessment process, provides a relative
assessment of risk by assigning a RAC rating to an identified hazard based on a
quantitative assessment of the probability and severity of potential mishaps.
The second additional methodology considered was the Energy Barrier concept of
hazard control used by the Department of Energy and the Naval Facilities
Engineering Command. We would also like to acknowledge the pioneering work of
the late Dr. William Haddon Jr. on the barrier concept. As each of these
methods has value, individually, in helping to select effective corrective
actions, the authors attempted to incorporate the best features of each method
for the Facility System Safety Program. Accordingly, the CRC links the Energy
Barrier Concept to the System Safety Precedence, and links this combination in
turn to the DOD Risk Assessment Code. We believe that the CRC is an improvement
on existing methodologies in that it directs the analyst's thinking towards an
understanding of what hazard type is being controlled, how it is being
controlled, and the relation of the relative effectiveness to the original risk
level. Further, the results are couched in measurable, management oriented
terms, to encourage action on the recommended solutions. The result of this
marriage of methodologies is described in the following paragraphs.
CONTROL RATING CODE PROCEDURES
The Control Rating Code hazard control concept combines elements of the DOD
Risk Assessment Code (RAC), the Energy Barrier Concept and the MIL-STD-882B
Control Precedence Concept to achieve a systematic method of assessing
candidate hazard controls in facility design. The primary requirements for
successful application of this hazard control concept involve:
- identifying the energy type, source and magnitude;
- tracing the flow of each energy type into, through, and out of the facility
or system;
- identifying the potential targets and damage mechanism for any undesired
releases of energy; and
- based on the degree of risk involved, selecting the appropriate control type.
Application of this process requires the following three steps:
1. As illustrated in Table 1, energy flows are examined to identify the most
effective means of preventing or limiting an energy source from doing unwanted
work (e.g., injury or damage), and a control or group of controls is selected
to achieve this. The controls may include one or more of the following:
- eliminate the energy source;
- prevent the accumulation of energy;
- prevent the harmful release of energy;
- provide a barrier (or barriers) between the energy and the target(s);
- divert harmful flows of energy away from the target(s);
- reduce the harm caused by unintended energy releases.
2. The second step involves evaluating the potential effectiveness of the
candidate controls. Table 2 illustrates the Hazard Control Precedence List,
adapted from MIL-STD-882B 1/, which is used to evaluate candidate controls for
implementation. The control precedence list displays control types in
decreasing order of effectiveness, and every effort should be made to apply
controls in the indicated precedence. If in actual practice it proves
impractical to apply the first level of control because of operational or cost
considerations, attempt, in precedence order, to apply the second level of
control. If that type of control cannot be effectively implemented, attempt to
apply the third level of control, and so on down the list.
3. The third step involves selection and evaluation of the specific control(s)
to be used, by means of the Control Rating Code (CRC) matrix illustrated in
Table 3.
The vertical axis of the matrix is composed of candidate energy controls in
descending order of control priority; e.g., it is generally more effective to
eliminate an energy source, if possible, than to issue individual personal
protective equipment to prevent that energy flow from doing harm. The
horizontal axis of the matrix is composed of the modified MIL-STD-882B Control
Precedence, rank ordered from A to E. The boxes within the matrix indicate the
Control Rating Code (CRC) for the proposed control.
The CRC for the primary corrective action should correspond to the RAC number
within the matrix and should never be greater than one digit higher. For
example, controlling a RAC 1 hazard by preventing the accumulation of energy
with a passive safety device (CRC 1) is a preferred control; controlling a RAC
1 hazard by preventing the accumulation of energy with an active safety device
(CRC 2) is acceptable; and selecting a warning device for the same control
(CRC 3) is unacceptable. The following criteria were also recommended for the
FASS program:
(1) No single point failure shall be permitted to result in a severity level I
or II mishap;
(2) No warning, caution, or other form of written advisory shall be used as the
only control for a RAC 1 or 2 hazard; and
(3) The use of PPE as the only control for a RAC 1 or 2 hazard also requires
specific written authorization.
The control precedence levels of Table 2 are defined as follows.
DESIGN FOR MINIMUM RISK. From the first stages of design, attempt to eliminate
hazards. If an identified hazard cannot be eliminated by design, attempt to
minimize the associated risk to an acceptable level in the design process by
decreasing the probability of a mishap occurring or reducing the severity of
the mishap should it occur.
PASSIVE OR ACTIVE SAFETY DEVICES. If identified hazards cannot be eliminated or
their associated risk reduced to an acceptable level through design selection,
the risk shall be reduced through the use of passive or active fixed,
automatic, or other protective safety design features or devices. A passive
safety device is a device which operates in an automatic fashion without the
need for human intervention or action; an active safety device requires human
action to set or activate. Examples of each type include, in an automotive
context, the airbag (passive) and seatbelts (active), and, in a fire
suppression context, sprinklers (passive) and a fire hose (active). As
indicated in Table 2, a passive safety device takes precedence over an active
safety device. When these control types are selected, provisions must be made
for periodic functional checks of the safety devices.
PROVIDE WARNING DEVICES. When neither design nor safety devices can effectively
eliminate identified hazards or adequately reduce associated risks, devices
shall be used to detect the condition and produce an adequate warning signal to
alert personnel of the hazard. Warning signals and their application shall be
designed to minimize the probability of incorrect personnel reaction to the
signals. Warning devices for a particular hazard shall be standardized within
the same facility or group of facilities. The use of warning devices may
generate a requirement for training personnel to react correctly to the
signals.
DEVELOP PROCEDURES AND TRAINING. As a last resort, where it is impractical to
eliminate hazards through design selection or to adequately reduce the
associated risk with safety and warning devices, procedures and training may be
used. The use of personal protective equipment (PPE) as a hazard control is
considered a procedure and not a safety device.
1/ Table 2 was reproduced essentially intact from MIL-STD 882B with one
significant exception: the Safety Device selection was sub-divided into
"Active" and "Passive" Safety Devices, with the passive device selection
awarded a higher precedence for effectiveness.
RISK ASSESSMENT CODE
The Risk Assessment Code (RAC) was developed initially in 1976 for the hazard
abatement process set forth in DOD Instruction 6055.1, "Occupational Safety
and Health". Since that time its use has been expanded to include use as a
relative risk assessment tool for system safety programs. The RAC is a
quantified expression of the risk associated with a hazard, obtained by
combining the elements of hazard severity and mishap probability. There are
several variants of RAC codes in existence (seven by the authors' count), with
the severity terms tailored to the type of program involved. The RAC described
below has been tailored for the FASS program. The RAC is derived by:
Assessing or quantifying the Hazard Severity. The hazard severity rating is an
assessment of the probable consequence of a mishap, defined by the degree of
injury, occupational illness, property damage, or loss of mission capability
which can result from the hazard. Hazard severity categories are assigned a
Roman numeral according to the following criteria:
- I—Catastrophic: May cause death, loss of a facility or loss of mission
capability.
- II—Critical: May cause severe injury, severe occupational illness, major
property damage, or serious disruption in mission capability. Severe
injury/severe occupational illness is defined as a permanent total or partial
disability; major property damage is a value which classifies it as a DOD
Category A Mishap; and serious disruption in mission capability is loss of that
capability for 48 or more hours.
- III—Marginal: May cause minor injury, minor occupational illness, minor
property damage or minor disruption in mission capability. Minor injury/minor
occupational illness is defined as one which can result in one or more days
away from work; minor property damage is a value which classifies it as a DOD
Category B Mishap; and minor disruption in mission capability is loss of that
capability for less than 48 hours.
- IV—Negligible: Probably would not affect personnel safety or health, but is
nevertheless in violation of applicable standards.
Assessing or quantifying the Mishap Probability. The mishap probability rating
is an assessment of the probability of a mishap occurring based on an
assessment of such factors as location, exposure in terms of cycles or hours of
operation, and affected population. Mishap probability sub-categories are
assigned a letter according to the following criteria:
- A—Frequent: Likely to occur frequently.
- B—Reasonably Probable: Will occur several times in the life of the facility.
- C—Occasional: Likely to occur sometime in the life of the facility.
- D—Remote: So unlikely that it can be assumed this mishap will not be
experienced.
- E—Extremely Improbable: Probability of occurrence cannot be distinguished
from zero.
Combining the elements of Mishap Severity and Mishap Probability using the RAC
Matrix illustrated in Table 4. The RAC is expressed as a single Arabic number
which, in turn, is used to establish priorities for the elimination, control or
acceptance of the hazard. For example, a Hazard Severity Level of II and a
Hazard Probability of C would yield a RAC of 2. The lower the RAC number, the
higher the risk.
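As an added worked example (not code from the paper or the FASS program), the following Python encodes the acceptance rule for the primary control, namely that its CRC should correspond to the hazard's RAC and never exceed it by more than one, together with the three FASS criteria (no single point failure leading to a severity I or II mishap; no warning or written advisory as the only control for a RAC 1 or 2 hazard; PPE as the only control for a RAC 1 or 2 hazard only with specific written authorization). The RAC_TABLE and CRC_TABLE values are hypothetical stand-ins for the paper's Tables 4 and 3, which are not reproduced here; they agree with the data points the text gives (severity II and probability C yield RAC 2; for a control on accumulated energy a passive device rates CRC 1, an active device CRC 2, a warning device CRC 3) but must be replaced with the project's own matrices. The Control and Verdict types and the evaluate function are this example's own constructions.

```python
# Added example: checkable form of the CRC-versus-RAC acceptance rule and the
# three FASS criteria described in the text. Not code from the paper.
# RAC_TABLE and CRC_TABLE are HYPOTHETICAL stand-ins for the paper's Tables 4
# and 3; replace them with the project's own matrices before use.
from dataclasses import dataclass, field

SEVERITIES = ("I", "II", "III", "IV")       # I Catastrophic .. IV Negligible
PROBABILITIES = ("A", "B", "C", "D", "E")   # A Frequent .. E Extremely Improbable
PRECEDENCE = ("A", "B", "C", "D", "E")      # A design, B passive device, C active device,
                                            # D warning device, E procedures/training (PPE included)
ENERGY_CONTROLS = ("source", "accumulated", "release", "barrier", "divert", "mitigate")

# Hypothetical RAC matrix: rows = severity, columns = probability A..E.
# Consistent with the page's example (II, C) -> 2; lower RAC = higher risk.
RAC_TABLE = {
    "I":   (1, 1, 1, 2, 3),
    "II":  (1, 1, 2, 3, 4),
    "III": (2, 2, 3, 4, 5),
    "IV":  (3, 4, 4, 5, 5),
}

# Hypothetical CRC matrix: rows = energy control in descending priority,
# columns = control precedence A..E. Consistent with the page's example for
# the "accumulated" row: passive device 1, active device 2, warning device 3.
CRC_TABLE = {
    "source":      (1, 1, 2, 3, 4),
    "accumulated": (1, 1, 2, 3, 4),
    "release":     (1, 2, 3, 4, 5),
    "barrier":     (2, 2, 3, 4, 5),
    "divert":      (2, 3, 4, 5, 5),
    "mitigate":    (3, 4, 5, 5, 5),
}


def rac(severity: str, probability: str) -> int:
    """Risk Assessment Code for a hazard; lower number = higher risk."""
    return RAC_TABLE[severity][PROBABILITIES.index(probability)]


def crc(energy_control: str, precedence: str) -> int:
    """Control Rating Code for one candidate control."""
    return CRC_TABLE[energy_control][PRECEDENCE.index(precedence)]


@dataclass
class Control:
    energy_control: str   # link in the energy flow the control acts on
    precedence: str       # precedence level A..E of the control type
    ppe: bool = False     # PPE is a procedure (precedence E), not a safety device


@dataclass
class Verdict:
    rac: int
    crc: int
    rating: str                           # "preferred", "acceptable" or "unacceptable"
    reasons: list = field(default_factory=list)


def evaluate(severity: str, probability: str, controls: list,
             single_point_failure: bool = False,
             written_authorization: bool = False) -> Verdict:
    """Rate the primary (first listed) control against the hazard's RAC and
    apply the three FASS criteria to the control set as a whole."""
    if not controls:
        raise ValueError("at least one control is required")
    primary = controls[0]
    r = rac(severity, probability)
    c = crc(primary.energy_control, primary.precedence)
    reasons = []

    # Core rule: the CRC should correspond to the RAC and never exceed it by more than one.
    if c <= r:
        rating = "preferred"
    elif c == r + 1:
        rating = "acceptable"
    else:
        rating = "unacceptable"
        reasons.append(f"CRC {c} exceeds RAC {r} by more than one")

    # Criterion 1: no single point failure may result in a severity I or II mishap.
    if single_point_failure and severity in ("I", "II"):
        rating = "unacceptable"
        reasons.append(f"single point failure leads to a severity {severity} mishap")

    # Criteria 2 and 3 concern a RAC 1 or 2 hazard guarded by a single control.
    if len(controls) == 1 and r in (1, 2):
        if primary.precedence == "D":        # warning, caution or other written advisory
            rating = "unacceptable"
            reasons.append(f"a warning is the only control for a RAC {r} hazard")
        if primary.ppe and not written_authorization:
            rating = "unacceptable"
            reasons.append(f"PPE is the only control for a RAC {r} hazard "
                           "and lacks specific written authorization")
    return Verdict(r, c, rating, reasons)


if __name__ == "__main__":
    hazard = ("I", "A")                      # RAC 1 under the hypothetical table
    for ctl in (Control("accumulated", "B"), Control("accumulated", "C"),
                Control("accumulated", "D")):
        v = evaluate(*hazard, [ctl])
        print(ctl.precedence, v.rac, v.crc, v.rating, v.reasons)
```

The three criteria are applied after the core rule and can only lower a rating, never raise it, so a control that is "preferred" on the matrix alone still fails if it is a single point of failure for a severity I or II mishap. Listing the primary control first and any supplementary controls after it lets the single-control checks (criteria 2 and 3) distinguish a warning or PPE used alone from one used to back up a higher-precedence control.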
M. White, President
Events Analysis Inc., Toreador Lane, Oakton, Virginia 22124
Mr. White, a retired Air Force pilot, has been involved in safety analysis,
safety management and accident investigation on a full-time basis for more than
18 years. While serving as the Assistant for Safety Policy in the Office of the
Secretary of Defense he was the principal author of several current DOD safety
related Directives and Instructions, including DODI 5000.36, "System Safety
Engineering and Management." As President of EVA he is currently Project
Director on projects to develop system safety programs for the U.S. Corps of
Engineers and the Naval Surface Weapons Center. He also serves as the Managing
Editor of the International Society of Air Safety Investigators.
Ludwig Benner Jr., Vice President
Events Analysis Inc., Toreador Lane, Oakton, Virginia 22124
Mr. Benner, a Fellow of the System Safety Society, has long been active in
developing, documenting and teaching advanced techniques for safety analysis
and accident investigation. The former Director of the Hazardous Materials
Division of the NTSB, he currently serves as the Chairman of the Accident
Investigation Sub-committee, Hazardous Materials Committee, Transportation
Research Board. He also serves as the Program Director for the Washington, DC
Chapter of the Society. As Vice President and senior researcher for EVA, he is
project director for a program to develop a risk analysis/decision process for
general aviation pilots for the FAA under sub-contract to the Aircraft Owners
and Pilots Association.