Archives of Personal Papers ex libris Ludwig Benner, Jr.
Last updated on Saturday, July 12, 2012

Seventh International 
System Safety Conference

"Principles and Applications for Safer Systems"
San Jose, California, July 25, 1985
Volume II


Leslie M White and Ludwig Benner Jr.
Events Analysis Inc., Oakton, Virginia 22124


This paper describes a set of procedures designed to assess the relative safety effectiveness of candidate controls for identified hazards. The procedure was developed in response to an objective to develop a systematic process to assess the relative safety effectiveness of alternative corrective actions, one which considers both the type of hazard to be controlled and the degree of risk involved. Development of the process involved integrating: the existing DOD risk assessment scheme; the corrective action precedence process prescribed by Military Standard 882-B; and a prioritized “MORT” type energy control assessment. The decision parameters are displayed in a matrix format called a Control Rating Code (CRC), with supporting instructions, to assist in understanding the decision process and to ensure a consistent approach between competing projects. While developed primarily for the U.S. Corps of Engineers Facility System Safety Program (FASS), this corrective action evaluation process can also be used in other system safety programs, or to assist in the selection of controls for industrial safety/occupational health hazards in more traditional safety and health programs.


Given the objective of developing a systematic process for evaluating candidate corrective actions which considers both the type of hazard and the degree of risk, the authors explored the analytical tools available in existing system safety programs. Military Standard 882B offers system safety engineers several methods to help assess the priority for, and potential effectiveness of, corrective actions. The first of these methods involves the assessment of hazard severity and probability to assist in the establishment of priorities for corrective action and the resolution of identified hazards. The second method, System Safety Precedence 1/, provides an order of precedence for applying corrective actions to identified hazards. Beyond the scope of MIL-STND 882B, several other methodologies also appeared to be useful in assisting in the selection of corrective actions. The first of these additional methodologies is the DOD Risk Assessment Code (RAC) 2/. This process, an offshoot of the MIL-STND 882B Risk Assessment process, provides a relative assessment of risk by assigning a RAC rating to an identified hazard based on a qualitative or quantitative assessment of the probability and severity of potential mishaps. The second additional methodology considered was the Energy Barrier concept of hazard control used by the Department of Energy and the Naval Facilities Engineering Command. We would also like to acknowledge the work of the late Dr. William Haddon Jr. for his pioneering work in the barrier concept. As each of these methods has value, individually, in helping to select effective corrective actions, the authors attempted to incorporate the best features of each method for the Facility System Safety Program. Accordingly, CRC links the Energy Barrier Concept to the System Safety Precedence, and links this combination in turn to the DOD Risk Assessment Code.
We believe that the CRC is an improvement on existing methodologies in that it directs the analyst's thinking towards an understanding of what hazard type is being controlled, how it is being controlled, and the relation of the relative effectiveness to the original risk level. Further, the results are couched in measurable, management-oriented terms, to encourage action on the recommended solutions. The result of this marriage of methodologies is described in the following paragraphs.


The Control Rating Code hazard control concept combines elements of the DOD Risk Assessment Code (RAC), the Energy Barrier Concept and the MIL-STD-882B Control Precedence Concept to achieve a systematic method of assessing candidate hazard controls in facility design. The primary requirements for successful application of this hazard control concept involve:
  1. Identifying the energy type, source and magnitude;
  2. Understanding the flow of each energy type into, through, and out of the facility or system;
  3. Identifying the potential targets and damage mechanism for any undesired releases of energy;
  4. Then, based on the degree of risk involved, selecting the appropriate control type.
Application of this process requires the following three steps:

STEP 1. As illustrated in Table 1, energy flows are examined to identify the most effective means of preventing or limiting an energy source from doing unwanted work (e.g., injury or damage), and a control or group of controls is selected to achieve this. The controls may include one or more of the following:

  1. Eliminating the energy source;
  2. Limiting the energy accumulated;
  3. Preventing the harmful release of energy;
  4. Placing a barrier(s) between the energy and the target(s);
  5. Channeling harmful flows of energy away from the target(s);
  6. Treating harm caused by unintended energy releases.

STEP 2 involves evaluating the potential effectiveness of the candidate controls. Table 2 illustrates the Hazard Control Precedence List, adapted from MIL-STD-882B, which is used to evaluate candidate controls for implementation. The control precedence list displays control types in decreasing order of effectiveness, and every effort should be made to apply controls by the indicated precedence. If in actual practice it proves impractical to apply the first level of control because of operational or cost considerations, attempt, in precedence order, to apply the second level of control. If that type of control cannot be effectively implemented, attempt to apply the third level of control, etc. 1/

STEP 3 involves selecting and evaluating the specific control(s) to be used, using the Control Rating Code (CRC) illustrated in Table 3.

  1. The vertical axis of the matrix is composed of candidate energy controls in descending order of control priority, e.g., it is generally more effective to eliminate an energy source, if possible, than to issue individual personal protective equipment to prevent that energy flow from doing harm.
  2. The horizontal axis of the matrix is composed of the modified MIL-STD-882B Control Precedence rank ordered from A to E.
  3. The boxes within the matrix indicate the control rating code (CRC) for the proposed corrective action.
  4. The CRC for the primary corrective action should correspond to the RAC numbers within the matrix and should never be greater than one digit higher, e.g., controlling a RAC 1 hazard by preventing the accumulation of energy with a safety device (CRC 1) is a preferred control, controlling a RAC 1 hazard by preventing the accumulation of energy with an active safety device (CRC 2) is acceptable, and selecting a warning device for the same control (CRC 3) is unacceptable. The following criteria were also recommended for the FASS program: (1) No single point failure shall be permitted to result in a severity level I or II mishap; (2) No warning, caution, or other form of written advisory shall be used as the only control for a RAC 1 or 2 hazard; and (3) The use of PPE as the only control for a RAC 1 or 2 hazard also requires specific written authorization.
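The Step 3 decision rule and the three FASS criteria, as an added example that is not part of the original paper. The CRC and RAC matrices (Tables 3 and 4) are not reproduced on this page, so the RAC and each candidate's CRC are taken as inputs already read from those tables; the control-kind labels, the "single point failure" flag and the "written authorization" flag are this example's own assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class ControlKind(Enum):
    """Control types from the Table 2 precedence list (labels are this example's)."""
    DESIGN = "design for minimum risk"
    PASSIVE_DEVICE = "passive safety device"
    ACTIVE_DEVICE = "active safety device"
    WARNING = "warning device"
    PROCEDURE = "procedure or training"
    PPE = "personal protective equipment"  # a procedure, not a safety device


@dataclass
class Candidate:
    kind: ControlKind
    crc: int                             # read from the CRC matrix (Table 3, not reproduced here)
    single_point_failure: bool = False   # assumed flag: control leaves a single point of failure
    written_authorization: bool = False  # assumed flag: PPE-only use has been authorized in writing


def rate_crc(rac: int, crc: int) -> str:
    """Step 3 rule: a CRC matching the RAC (or lower) is preferred, one digit
    higher is acceptable, anything beyond that is unacceptable."""
    if crc <= rac:
        return "preferred"
    if crc == rac + 1:
        return "acceptable"
    return "unacceptable"


def fass_violations(rac: int, severity: str, controls: list) -> list:
    """The three additional FASS criteria, checked over the whole set of controls."""
    problems = []
    if severity in ("I", "II") and any(c.single_point_failure for c in controls):
        problems.append("single point failure may result in a severity I or II mishap")
    if len(controls) == 1 and rac <= 2:
        only = controls[0]
        if only.kind is ControlKind.WARNING:
            problems.append("warning/advisory used as the only control for a RAC 1 or 2 hazard")
        if only.kind is ControlKind.PPE and not only.written_authorization:
            problems.append("PPE as the only control for a RAC 1 or 2 hazard lacks written authorization")
    return problems


def evaluate(rac: int, severity: str, controls: list) -> tuple:
    """Rating of the primary (first-listed) control plus any FASS criteria violations."""
    return rate_crc(rac, controls[0].crc), fass_violations(rac, severity, controls)


if __name__ == "__main__":
    # The paper's own illustration: a RAC 1 hazard controlled by limiting energy accumulation
    # (the CRC 1 device is assumed to be the passive one).
    for crc, kind in ((1, ControlKind.PASSIVE_DEVICE), (2, ControlKind.ACTIVE_DEVICE), (3, ControlKind.WARNING)):
        print(kind.value, "->", evaluate(1, "I", [Candidate(kind, crc)]))
```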


1. DESIGN FOR MINIMUM RISK. From the first stages of design, attempt to eliminate hazards. If an identified hazard cannot be eliminated by design, attempt to minimize the associated risk to an acceptable level in the design process by decreasing the probability of a mishap occurring or reducing the severity of a mishap type should it occur.

2. INCORPORATE PASSIVE OR ACTIVE SAFETY DEVICES. If identified hazards cannot be eliminated or their associated risk reduced to an acceptable level through design selection, the risk shall be reduced through the use of passive or active fixed, automatic, or other protective safety design features or devices.
  1. A passive safety device is a device which operates in an automatic fashion without the need for human intervention or action.
  2. An active safety device requires human action to set or activate.
(Examples of each type include, in an automotive context, the airbag (passive) and seatbelts (active), and in a fire suppression context, sprinklers (passive) and a fire hose (active).) As indicated in Table 1, a passive safety device takes precedence over an active safety device. When these control types are selected, provisions must be made for periodic functional checks of the safety devices, if applicable.

3. PROVIDE WARNING DEVICES. When neither design nor safety devices can effectively eliminate identified hazards or adequately reduce associated risks, devices shall be used to detect the condition and produce an adequate warning signal to alert personnel of the hazard.
  1. Warning signals and their application shall be designed to minimize the probability of incorrect personnel reaction to the signals.
  2. Warning devices for a particular hazard shall be standardized within the same facility or group of facilities.
  3. The use of warning devices may generate a requirement for training personnel to respond properly.

4. DEVELOP PROCEDURES AND TRAINING. As a last resort, where it is impractical to eliminate hazards through design selection or adequately reduce the associated risk with safety and warning devices, procedures and training may be used. The use of personal protective equipment (PPE) as a hazard control is considered a procedure and not a safety device.

  • 1/ Table 2 was reproduced essentially intact from MIL-STND 882B with one significant exception. The Safety Device selection was sub-divided into “Active” and “Passive” Safety Devices, with the passive device selection awarded a higher precedence for effectiveness.

  • 2/ The Risk Assessment Code (RAC) was developed initially in 1976 for the hazard abatement process set forth in DOD Instruction 6055.1, “Occupational Safety and Health”. Since that time its use has been expanded to include use as a relative risk assessment tool for system safety programs.
The RAC is a quantified expression of the risk associated with the hazard, obtained by combining the elements of hazard severity and mishap probability. There are several variants of RAC codes in existence (seven by the authors' count) with the severity terms tailored to the type of program involved. The RAC described below has been tailored for the FASS program. The RAC is derived by:

a. Estimating or quantifying the Hazard Severity. The hazard severity rating is an assessment of the probable consequence of a mishap, defined by the degree of injury, occupational illness, property damage, or loss of mission capability which can result from the hazard. Hazard severity categories are assigned a Roman numeral according to the following criteria:

  1. Category I—Catastrophic: May cause death, loss of a facility or mission capability.

  2. Category II—Critical: May cause severe injury, severe occupational illness, major property damage, or serious disruption in mission capability. Severe injury/severe occupational illness is defined as a permanent total or partial disability; major property damage is a value which classifies it as a DOD Category A Mishap and serious disruption in mission capability is loss of that capability for 48 or more hours.

  3. Category III—Marginal: May cause minor injury, minor occupational illness, minor property damage or minor disruption in mission capability. Minor injury/minor occupational illness is defined as one which can result in one or more days away from work; major property damage is a value which classifies it as a DOD Category B Mishap and; minor disruption in mission capability is loss of that capability for less than 48 hours.

  4. Category IV—Negligible: Probably would not affect personnel safety or health, but is nevertheless in violation of applicable standards.

b. Estimating or quantifying the mishap probability. The mishap probability rating is an assessment of the probability of a mishap occurring based on an assessment of such factors as location, exposure in terms of cycles or hours of operation, and affected population. Mishap probability sub-categories are assigned a letter according to the following criteria:
  1. Subcategory A—Frequent: Likely to occur frequently.

  2. Subcategory B—Reasonably Probable: Will occur several times in life of facility.

  3. Subcategory C—Occasional: Likely to occur sometime in the life of the facility.

  4. Subcategory D—Remote: So unlikely, can be assumed that this mishap will not be experienced.

  5. Subcategory E—Extremely Improbable: Probability of occurrence cannot be distinguished from zero.

c. Combining the elements of Mishap Severity and Mishap Probability using the RAC Matrix illustrated in Table 4. The RAC is expressed as a single Arabic number which, in turn, is used to establish priorities for the elimination, control or acceptance of the hazard. For example: a Hazard Severity Level of II and a Hazard Probability of C would yield a RAC of 2. The lower the RAC number, the higher the risk.


Leslie M. White, President
Events Analysis Inc
12101 Toreador Lane Oakton, Virginia 22124

Mr. White, a retired Air Force pilot, has been involved in safety analysis, safety management and accident investigation on a full-time basis for more than 18 years. While serving as the Assistant for Safety Policy in the Office of the Secretary of Defense he was the principal author of several current DOD safety-related Directives and Instructions including DODI 5000.36, “System Safety Engineering and Management.” As President of EVA he is currently Project Director on projects to develop system safety programs for the U.S. Corps of Engineers and the Naval Surface Weapons Center. He also serves as the Managing Editor of the International Society of Air Safety Investigators “Forum” magazine.

Ludwig Benner Jr., Vice President
Events Analysis Inc
12101 Toreador Lane Oakton, Virginia 22124

Mr. Benner, a Fellow of the System Safety Society, has long been active in developing, documenting and teaching advanced techniques for safety analysis and accident investigation. The former Director of the Hazardous Materials Division of the NTSB, he currently serves as the Chairman of the Accident Investigation Sub-committee, Hazardous Materials Committee, Transportation Research Board. He also serves as the Program Director for the Washington, DC Chapter of the Society. As Vice President and senior researcher for EVA, he is project director for a program to develop a risk analysis/decision process for general aviation pilots for the FAA under sub-contract to the Aircraft Owners and Pilots Association.