Imagine: An automobile that has only one window in the front. No side windows. The driver can see to steer the auto forward and turn, but cannot see completely from side to side. What happens when the driver reaches an intersection with no traffic lights? The driver cannot see out the sides, so how does he or she decide when to drive through the intersection?
The driver could take the same approach we use in the Safety Lifecycle. We establish a tolerable risk target. A number of one major accident per 120,000 intersection crossings is chosen. We do a risk assessment. Obviously the main hazardous event in the process of driving through the intersection is getting hit by another car. Risk is the consequence times the likelihood. What is the risk of this hazard? We can estimate consequences. On the country roads in the US where I live, autos travel 50 - 60 MPH. Therefore it seems likely that during a major accident that there is the possibility of injury, or death, as well as major equipment damage.
But how do you estimate the likelihood? We can use statistics like we do for process safety likelihood estimation! We watch the road in this case, and note when another auto passes in front of us. Assume we monitor for 24 hours and find that 24 autos passed through the intersection. The likelihood might be expressed as 1 events per hour or 1/60 events per minute. If it takes 30 seconds to accelerate through the intersection, every pass through the intersection has an inherent likelihood of 1/120. This is higher than our established tolerable risk criteria of 1/120,000 so we need some protection with a risk reduction factor of 500 ((1/240) / (1/120,000)=1000).
The hazard could be identified with motion detectors mounted on the two front corners of the auto. A logic solver could read the sensors and actuate a solenoid valve that would prevent the auto from moving if motion is detected. A design target risk reduction factor of 2000 is established for the safety function to account for unknowns and the design process. Unfortunately while testing the prototype we found that as soon as the auto passed an object while moving, the safety function activated - a false trip. It became clear that the auto has different modes of operation and the safety function should only be active during “stopped at intersection with stop sign” mode. OK, our designers chose to mount a camera on the right corner of the car (left corner for the UK) and program pattern recognition software to recognize a stop sign. But when we gather the failure data on the equipment and calculate achieved risk reduction factor, the design does not meet the target of 2000.
There are a number of problems with this approach. First, the likelihood data is severely limited. What if we picked a light day and there is really an average of 96 autos per day? We also have created a pretty complex design. Perhaps it would be much simpler to install side windows on all automobiles. When planning process safety, always look for the simple solutions first.