This author strongly recommends that safety professionals obtain a copy of this Standard for informative purposes.
MIL‐STD‐882E extends the previous issue – 882D – considerably. For example, the 882D version, including addenda, had 26 numbered pages: the 882E version has 98 numbered pages. It replaces some of what was in 882C that was not included in 882D. In 882E:
Achieving and maintaining acceptable risk levels dominates.
Revisions were made in the system safety process that give additional emphasis to hazard analysis and risk assessment.
The use of a risk assessment matrix is required.
Noteworthy revisions are made in the design order of preference.
Appropriate emphasis is given to managing High and Serious risk levels.
A major section is devoted to software and software assessments.
Excerpts follow, some of which are modified to avoid governmental terminology. Section 4 in 882E is titled General Requirements. It sets forth the “requirements for an acceptable system safety effort.” Section 4.3 outlines the eight elements in the system safety process, as follows:
Element 1: Document the System Safety Approach.
Element 2: Identify and Document the Hazards.
Element 3: Assess and Document Risk.
Element 4: Identify and Document Risk Mitigation Measures.
Element 5: Reduce Risk.
Element 6: Verify, Validate and Document Risk Reduction.
Element 7: Accept Risk and Document.
Element 8: Manage Life‐Cycle Risk.
Because of its significance, the concept outlined in 4.3.4 – Identify and document risk mitigation measures – is reproduced here.
Potential risk mitigation(s) shall be identified, and the expected risk reduction(s) of the alternative(s) shall be estimated and documented in the HTS. The goal should always be to eliminate the hazard if possible. (Emphasis added). When a hazard cannot be eliminated, the associated risk should be reduced to the lowest acceptable level within the constraints of cost, schedule, and performance by applying the system safety design order of precedence. The system safety design order of precedence identifies alternative mitigation approaches and lists them in order of decreasing effectiveness.
1 Eliminate hazards through design selection. Ideally, the hazard should be eliminated by selecting a design or material alternative that removes the hazard altogether.
2 Reduce risk through design alteration. If adopting an alternative design change or material to eliminate the hazard is not feasible, consider design changes that reduce the severity and/or the probability of the mishap potential caused by the hazard(s).
3 Incorporate engineered features or devices. If mitigation of the risk through design alteration is not feasible, reduce the severity or the probability of the mishap potential caused by the hazard(s) using engineered features or devices. In general, engineered features actively interrupt the mishap sequence and devices reduce the risk of a mishap.
4 Provide warning devices. If engineered features and devices are not feasible or do not adequately lower the severity or probability of the mishap potential caused by the hazard, include detection and warning systems to alert personnel to the presence of a hazardous condition or occurrence of a hazardous event.
5 Incorporate signage, procedures, training, and PPE. Where design alternatives, design changes, and engineered features and devices are not feasible and warning devices cannot adequately mitigate the severity or probability of the mishap potential caused by the hazard, incorporate signage, procedures, training, and PPE. Signage includes placards, labels, signs, and other visual graphics. Procedures and training should include appropriate warnings and cautions. Procedures may prescribe the use of PPE. For hazards assigned Catastrophic or Critical mishap severity categories, the use of signage, procedures, training, and PPE as the only risk reduction method should be avoided.
4.3.5 Reduce risk. Mitigation measures are selected.
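One way to apply the design order of precedence in a hazard tracking record, as an added example that is not text or code from the standard or from this book: each hazard carries its mishap severity category and a set of candidate mitigations tagged with their precedence level (1 to 5 as listed above), the most effective feasible candidate is selected, and a flag is raised when a Catastrophic or Critical hazard would rely on level-5 controls (signage, procedures, training, PPE) alone. The hazard records are constructed for illustration; the Marginal severity label comes from the standard's own category set rather than from the excerpt above, and names such as `review_hazard` and the record layout are assumptions.

```python
"""Selecting a mitigation per the MIL-STD-882E design order of precedence.

Added illustration, not the standard's own text or code. Precedence levels
1-5 follow 4.3.4 as excerpted above; the hazard records below are constructed.
"""
from dataclasses import dataclass

# Design order of precedence, most to least effective (from 4.3.4).
PRECEDENCE = {
    1: "Eliminate hazards through design selection",
    2: "Reduce risk through design alteration",
    3: "Incorporate engineered features or devices",
    4: "Provide warning devices",
    5: "Incorporate signage, procedures, training, and PPE",
}

# Severity categories for which level 5 alone should be avoided (4.3.4, item 5).
HIGH_SEVERITY = {"Catastrophic", "Critical"}


@dataclass
class Mitigation:
    level: int          # precedence level, 1 (best) to 5
    description: str
    feasible: bool      # whether cost/schedule/performance constraints allow it


@dataclass
class Hazard:
    hazard_id: str
    severity: str       # mishap severity category, e.g. Catastrophic, Critical
    candidates: list    # list of Mitigation


def select_mitigation(hazard):
    """Return the feasible candidate at the most effective precedence level,
    or None when no candidate is feasible."""
    feasible = [m for m in hazard.candidates if m.feasible]
    if not feasible:
        return None
    return min(feasible, key=lambda m: m.level)


def review_hazard(hazard):
    """Build a hazard-tracking-style record (assumed layout) with the chosen
    mitigation and any flag the order of precedence raises."""
    chosen = select_mitigation(hazard)
    flags = []
    if chosen is None:
        flags.append("no feasible mitigation identified")
    elif chosen.level == 5 and hazard.severity in HIGH_SEVERITY:
        # Only level-5 controls are feasible for a high-severity hazard.
        flags.append(f"level-5 controls as sole mitigation for a "
                     f"{hazard.severity} hazard; revisit levels 1-4")
    return {
        "hazard": hazard.hazard_id,
        "severity": hazard.severity,
        "level": None if chosen is None else chosen.level,
        "mitigation": None if chosen is None else chosen.description,
        "flags": flags,
    }


# Constructed sample hazards (not from the standard or the book).
SAMPLE_HAZARDS = [
    Hazard("H-001", "Catastrophic", [
        Mitigation(1, "substitute a non-flammable solvent", feasible=False),
        Mitigation(3, "interlock that removes power when the guard opens", feasible=True),
        Mitigation(5, "warning label and lockout procedure", feasible=True),
    ]),
    Hazard("H-002", "Critical", [
        Mitigation(4, "audible high-pressure alarm", feasible=False),
        Mitigation(5, "operator training and face shield", feasible=True),
    ]),
    Hazard("H-003", "Marginal", [
        Mitigation(2, "round the sharp edges on the housing", feasible=True),
        Mitigation(5, "cut-resistant gloves", feasible=True),
    ]),
]


def review_all(hazards=SAMPLE_HAZARDS):
    """Review every hazard and return the list of records."""
    return [review_hazard(h) for h in hazards]


if __name__ == "__main__":
    for record in review_all():
        print(record)
```

Running the module prints one record per hazard: H-001 resolves to the level-3 interlock with no flag, H-003 to the level-2 design change, and H-002 is flagged because a Critical hazard is left with training and PPE as its only feasible control, which is exactly the case item 5 above says to avoid.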
For emphasis, it is said again that MIL‐STD 882E is an excellent educational and resource document. Its base is hazard identification and analysis and risk assessment.
1.8 OSHA Requirements
OSHA’s Rule For Process Safety Management Of Highly Hazardous Chemicals, 1910.119, issued in 1992, applies to employers at about 50 000 locations, many of which are not considered chemical companies. With respect to requirements for hazards analyses being included in standards, this OSHA standard merits a review by safety practitioners. The standard requires that:
The employer shall perform an initial hazard analysis (hazard evaluation) on processes covered by this standard. The process hazard analysis shall be appropriate to the complexity of the process and shall identify, evaluate, and control the hazards involved in the process. The employer shall use one or more of the following methodologies that are appropriate to determine and evaluate the hazards of the process being analyzed:
What‐If;
Checklist;
What‐If/Checklist;
Hazard and Operability Study (HAZOP);
Failure Modes and Effect Analysis (FMEA);
Fault Tree Analysis; or
An appropriate equivalent methodology.
Although affected employers are to make hazards analyses, the methodologies previously listed are risk assessment techniques. This author’s recollection is that commenters on the standard prior to its promulgation expressed concern over having to use probability data – of which there is little that is statistically sound. OSHA responded favorably. This appears in the preamble to the standard.
OSHA has modified the paragraph (editorial note – paragraph on consequence analysis) to indicate that it did not intend employers to conduct probabilistic risk assessments to satisfy the requirement to perform a consequence analysis.
However, all risks are not equal. Some require attention prior to others. And managements do assess and prioritize risks in their decision‐making when determining which resources are to be allocated for individual projects.
1.9 EPA Requirements
The Environmental Protection Agency (EPA) and OSHA have different legal authority with respect to accidental releases of harmful substances. The concerns at EPA center on offsite consequences: that is, harm to the public and the environment. At OSHA, the legal authority pertains to on‐site consequences.
On 19 August 1996, EPA issued rule 40 CFR Part 68, Risk Management Programs for Chemical Accidental Release Prevention. Risk Management Plans required of location managements by the rule were due by 21 June 1999. Although the provisions of the rule are extensive, only the specifications for hazards analyses will be addressed here.
Processes subject to this rule are divided into three groups, labeled by EPA as Programs 1, 2, and 3. Program levels relate to the quantities and extent of exposure to toxic and flammable chemicals. For locations qualifying for Program levels 1 and 2, those with lesser exposure, EPA will accept hazard reviews done by qualified personnel using suitable checklists.
Hazard reviews must be documented and show that problems have been addressed. In its literature, EPA comments on the desirability of using the “What If” hazard identification and analysis process. EPA also proposes the use of more involved analytical techniques if findings suggest that to be desirable.
Hazard