CHAPTER 1
The History of System Safety

Prior to the 1940s, safety was generally achieved by attempting to control obvious hazards in the initial design and then correcting other problems as they appeared after a product was in use or at least in a testing phase. In other words, designers relied, at least in part, on a trial‐and‐error methodology. In the aviation field, this process became known as the fly‐fix‐fly approach. An aircraft would be designed using the best knowledge available, flown until problems were detected (or it crashed), and then the problems would be corrected and the aircraft would be flown again. This method obviously worked best with low, slow aircraft.

This approach was not acceptable for certain programs—such as nuclear weapons and space travel—soon became apparent, at least to some. The consequences of accidents were too great. Trial‐and‐error and fly‐fix‐fly approaches were not adequate for systems that had to be first‐time safe.

Thus, system safety was born or, more accurately, evolved. The history of system safety consists of

• Traditional trial‐and‐error or fly‐fix‐fly approach not adequate for aerospace and nuclear programs
• 1960s—MIL‐STD‐882 (DoD, NASA)
• 1970s—MORT (Department of Energy)
• 1980s—Other agencies
• 1990s—Risk‐based process safety
• 2000s—Quest for intrinsic safety
• 2010s—Risk management integration
• 2020s—Improvements and international approach to risk maturing

The roots of the system safety effort extend back at least to the 1940s and 1950s. Accurately tracing the early transition from the traditional trial‐and‐error approach to safety to the first‐time safe effort that lies at the heart of system safety is really impossible, but such a transition occurred as both aircraft and weapon systems became more complex and the consequences of accidents became less acceptable.

THE 1960s—MIL‐STD‐882, DOD, AND NASA

Even though the need for a more in‐depth, upstream safety effort was recognized relatively early in the aviation and nuclear weapons fields, not until the 1960s did system safety begin to evolve as a separate discipline. In the 1960s

• USAF publishes “System Safety Engineering for the Development of Air Force Ballistic Missiles” (1962)
• USAF publishes MIL‐S‐38130, “General Requirements for Safety Engineering of Systems and Associated Subsystems and Equipment” (1963)
• System Safety Society founded (1963)
• DoD adopts MIL‐S‐38130 as MIL‐S‐38l308A (1966)
• MIL‐S‐381308A revised and designated MIL‐STD‐882B, “System Safety Program Requirements” (1969)

Most agree that one of the first major formal system safety efforts involved the Minuteman intercontinental ballistic missile (ICBM) program. A series of pre‐Minuteman design‐related silo accidents probably provided at least part of the incentive (U.S. Air Force 1987).

Early system safety requirements were generated by the U.S. Air Force Ballistic System Division. Early air force documents provided the basis for MIL‐STD‐882 (July 1969), “System Safety Program for Systems and Associated Subsystems and Equipment: Requirements for.” This document (and revisions MIL‐STD‐882A and MIL‐STD‐882B) became, and remain, the bible for the Department of Defense (DoD) system safety effort (Moriarty and Roland 1983).

In addition to weapon systems, other early significant system safety efforts were associated with the aerospace industry, including civil and military aviation and the space program.

Even though the National Aeronautical and Space Administration (NASA) developed its own system safety program and requirements, the development closely paralleled the MIL‐STD‐882 approach and the DoD effort, primarily because the two agencies tend to share contractors, personnel, and, to a lesser degree, missions.

Also, through the early to mid‐1960s, the System Safety Society emerged. This professional organization was founded in the Los Angeles area by Roger Lockwood. Organizational meetings were held in 1962 and 1963. The organization was chartered as the Aerospace System Safety Society in California in 1964. The name was changed to System Safety Society in 1967 (Medford 1973). In 1973, the System Safety Society was incorporated as “an international, nonprofit, organization dedicated to the safety of systems, products, and services” (System Safety Society 1989).

THE 1970s—THE MANAGEMENT OVERSIGHT AND RISK TREE

In the late 1960s, the Atomic Energy Commission (AEC), aware of system safety efforts in the DoD and NASA communities, made the decision to hire William G. Johnson, retired manager of the National Safety Council, to develop a system safety program for the AEC.

In the mid‐1970s, AEC was reorganized into the Department of Energy (DOE). Even though the individual AEC programs and the AEC contractors had good (some better than others) safety programs in place, the programs and approaches varied widely. This lack of standardization or commonality made effective monitoring, evaluation, and control of safety efforts throughout the organization difficult, if not impossible.

Thus the goals of the AEC effort were to improve the overall safety effort by

Developing a new approach to system safety that incorporated the best features of existing system safety efforts

Providing a common approach to system safety and safety management to be used throughout the AEC and by AEC contractors

In 1973, revised management oversight and risk tree (MORT) manual was published by the AEC. Even though Johnson borrowed heavily from existing DoD and NASA programs, his MORT program bore little resemblance to programs based on MIL‐STD‐882 (Johnson 1973).

The work by Bill Johnson was expanded and supplemented throughout the 1970s by the System Safety Development Center (SSDC) in Idaho Falls, Idaho. The MORT program provides the direction for this second major branch of the system safety effort.

Progress in the 1970s included

• NASA publishes NHB 1700.1 (V3), “System Safety” (1970)
• AEC publishes “MORT—The Management Oversight and Risk Tree” (1973)
• System Safety Development Center founded (1974)
• MORT training initiated for AEC, ERDA, and DOE (1975)
• MIL‐STD‐882A replaces MIL‐STD‐882 (1977)

THE 1980s—FACILITY SYSTEM SAFETY

Throughout the 1980s, three factors have driven system safety tools and techniques in areas other than the traditional aerospace, weapons, and nuclear fields.

First, the complexity and high cost of many nonflight, nonnuclear projects have dictated a more sophisticated upstream safety approach. Second, product liability litigation has provided added incentive to produce safe products, and, third, system safety experience has begun to demonstrate that upstream safety efforts lead to better design. System safety tools and techniques originally considered to be expensive but necessary add‐ons have proven to be cost‐effective planning and review tools.

Significant programs initiated or developed in the 1980s include the facility system safety efforts of the Naval Facilities Command and the U.S. Army Corps of Engineers and initiatives in the petrochemical industry.

• MIL‐STD‐882B replaces MIL‐STD‐882A (1984)
• NAVFAC sponsors system safety courses (1984)
• AIChE publishes “Guidelines for Hazard Evaluation Procedures” (HazOps) (1985)
• MIL‐STD‐882B updated by Notice 1 (1987)
• USACE‐sponsored facility system safety workshops initiated (1988)

The need for a system safety effort for major military construction projects resulted in the development of draft guidelines and facility system safety workshops for the military safety and engineering communities. By the end of the decade, facility system safety training programs for government employees were established, and similar courses for contractors were available. Regulations outlining facility system safety efforts were pending, and facility system safety efforts were being required on selected military construction projects. In addition, NASA was initiating facility system safety efforts, especially for new space station support facilities.

In 1985, the American Institute of Chemical Engineers (AIChE) initiated a project to produce the “Guidelines for Hazard Evaluation Procedures.” This document, prepared by Battelle, includes many system safety analysis tools. Even though frequently identified as hazard and operability (HazOp) programs, the methods being developed by the petrochemical industry to use preliminary hazard analyses, fault trees, failure modes, effects, and criticality analyses, as well as similar techniques to identify, analyze, and control risks systematically, look very much like system safety efforts tailored for the petrochemical industry.

THE 1990s—RISK‐BASED PROCESS SYSTEM SAFETY

If the 1980s was designated as “facility safety,” then the 1990s should be identified as “process safety.” Prior to the 1990s,...