Integrated framework for safety control ...
WEBISO
Internet & Intranet workflow for quality, health, environment & safety

Copyright © 2019 Ockham B.V.B.A. All rights reserved. WEBISO is a registered trademark of Ockham B.V.B.A. in Europe, the USA and certain other countries. All other trademarks mentioned in this document are the property of their respective owners.

Interest in the automation of quality, environment, safety and health care is growing. This is logical, because creating a user-friendly manual and, even more, keeping it up to date is an unattainable dream for most managers. On the contrary, drowning in the paper mountain is the daily reality, a real nightmare. That is why different versions of a manual are incomplete or inconsistent, and why it is so cumbersome to keep the end-users informed about new or adapted procedures. For the end-user it is often hard to find relevant information in a big pile of paper, and the manual is often too complex, so the procedures are not strictly followed and thus ... the manual is not being used.

WEBISO is the intranet solution that automates both the easy look-up for the end-users (= the WEBISO viewers) and the daily workflow of the documents (= the WEBISO users). This methodology has the following advantages:
• A central point from where anyone can consult the latest version
• Accessibility of the procedures for everybody from everywhere
• Powerful automatic hyperlinks
• A simple concept for the users.

That is exactly why WEBISO has been developed. This intranet workflow solution is first of all a secure solution to manage the document flow of all types of documents. Not only a quality manual, but also a management system for safety, environment and health care can benefit from WEBISO. It offers a framework in which the manager creates and builds his/her manual. The manager determines how the manual will look. Moreover, WEBISO uses software you already know well: your browser and your e-mail server.

[Workflow diagram. Actions: Verify, Approve, Reject, Consult overviews, Publish, Notifications, Consult, Create, Modify, Save, Ask confirmation. Roles: Viewers, Doc. responsible, Approver, Administrator.]

FUNCTIONALITY: Integration of non-textual elements
Parts of graphical elements can be linked to background elements (which can be textual or graphical).
WEBISO supports all kinds of data types: pictures, images, video, sound, flowcharts, graphics, diagrams, ... The integration goes one step further with MS-Visio and iGrafx FlowCharter: elements in a drawing become sensitive for hyperlinking in WEBISO. This means that a user can click such an element and immediately navigate to other (textual) parts in the same document or to another document in the manual. In this way, a process can easily be linked to a background process and/or parts of texts.

FUNCTIONALITY: Automatic creation of hyperlinks
WEBISO automatically generates a hyperlink to the referred document if its name is mentioned in the manual.
WEBISO has the unique feature of automatically generating hyperlinks between different documents within a manual. If a document uses the name or title of another document within the same manual, WEBISO will automatically generate a hyperlink in this document to the referred document. Aliases can also be added to document titles so that these aliases are hyperlinked as well. Each publication recalculates all the links, so that you do not lose time maintaining manual links or dealing with inconvenient “dead” links.

FUNCTIONALITY: Version management
WEBISO stores the different versions of your documents in a very efficient way.
The “Revision Control System” automatically fills in a series of keywords: the status of a document, the proprietor, the version number, the modification date, … In this way it is possible to track who has changed what and when, and to get an overview of the history of a document or procedure. A strong and very useful consequence of this feature is that it is possible to rebuild a manual with all its documents and procedures. WEBISO manages this by recalculating the delta (differences) of the documents. In this way, the differences between the versions are stored very efficiently.

FUNCTIONALITY: Visualization of the changes between successive versions
Coloured text parts reflect the changes in documents (red for omissions, green for add-ons) in comparison with the former version.
Editors and approvers can see the changes between two successive versions of a document or procedure in colour (red and crossed out for what has been deleted, green for what is newly added). This visualisation applies both to texts (content and formatting) and to images. In this way editors and approvers can quickly verify what has changed compared with an older version. The same technology is used to let end-users see the difference between two consecutive published (thus approved) versions.

FUNCTIONALITY: Integration of your existing e-mail system
WEBISO automatically generates and sends an e-mail to the approvers concerned when confirmation of the modified document is asked for.
WEBISO automatically integrates with your corporate e-mail system. This means that standard e-mail is used to send requests for approval to the persons concerned and to notify end-users (viewers) about changes in the documents or the availability of new documents in a manual. WEBISO uses the existing SMTP gateway for this. The documents themselves are not sent; only the links to the TO DO list (for the requests for approval) and to the published documents (for the notifications) are sent.

FUNCTIONALITY: Links to (external) fill-in forms
Within documents, hyperlinks can be set up to fill-in forms, other files and/or applications.
WEBISO supports the uploading of (external) documents from your browser: e.g. fill-in forms or other additional information, from MS-Excel, … When uploaded into your browser, these external documents can be used within WEBISO and subsequently saved in a 'project directory' or mailed to their responsible. Hyperlinks to these external documents can be made manually; external programs can also be started from within WEBISO.

FUNCTIONALITY: Use of templates
WEBISO gives you the power to work with templates. On one hand there are the manual templates that define the look and feel of the HTML output. On the other hand, there are document templates. Through these templates, the same layout of the documents can be enforced. You can make these document templates yourself and they can always be created and/or modified. In this way, a template can generate the message "This printed document is an uncontrolled version" in the watermark of every printed document.
Document templates to fix the layout of your documents. Manual templates to influence the look & feel of the intranet output.

FUNCTIONALITY: Reports & Statistics
In WEBISO all kinds of reports can be requested, such as:
- Report of permissions by user
- Report of documents within a manual that are in a specified state
- Report of documents that have specific permissions attached to them
- Report of reminders
- Report of the notifications sent to the end users
- Statistics of who views what
- Statistics of who searches for what

FUNCTIONALITY: Search-engine
Thanks to the “full-text” search engine in WEBISO, your end-users will easily find very specific information in your manuals.
The built-in search engine of WEBISO is a Google-like full text search engine. You can search in one manual or through different manuals. The engine retrieves words, parts of words, clusters, … The search results are also secured from unauthorized access. If, however, you already have a free text search engine implemented in your intranet, WEBISO can integrate with it. This set-up is talked through before the start of the implementation.

FUNCTIONALITY: Automatic content and index
The content is a traditional view of the tree structure of the manual, with collapsible and expandable parts. The index automatically includes all words from your titles.

FUNCTIONALITY: Integration of LDAP and Active Directory
Same login and password as on the central IT system. The information the WEBISO system picks up from the Active Directory server or the LDAP server is:
• the logon
• the first name
• last name
• the e-mail address
WEBISO can be integrated with the info of your users stored in the LDAP or Active Directory system. This means that the administrator of the Quality Management system has to address the LDAP or Active Directory administrator to create or delete users, as opposed to the WEBISO solution without this integration. Once the LDAP or Active Directory is available for the WEBISO server, the administrator will take care of the user rights and the rights of the groups on document level or manual level within the WEBISO application itself. This is necessary to keep WEBISO’s functionality and functions of version control and history manageable and traceable.

FUNCTIONALITY: Security
The documents are encrypted by a digital MD5 signature. They are secured in such a way that every modification is stored into the WEBISO system in the most efficient way. In addition, all actions in WEBISO can be secured separately. This implies that you can set up as many user profiles as you like to protect the WEBISO functions from unauthorized access. If needed, encryption of the network traffic can be set up (through https).

FUNCTIONALITY: Multiple formats

FUNCTIONALITY: Reminders
Set a remind date to avoid certain documents staying unmodified through time.
By setting a reminder on a document, the document gets an age, so to speak. When this remind date arrives, certain people will be notified, so that the necessary actions can be taken regarding the update of the document.

FUNCTIONALITY: Integration of existing documents
Your existing documents need to be uploaded once in WEBISO. There are two ways of doing this:
- The customer takes care of the conversion of existing documents and uploads them into the database;
- Ockham takes care of the conversion and uploads them (if desired) into the database.

FUNCTIONALITY: Multilingual
Multilingual means that the menu of the user interface is in the language of its user. The language code is picked up for each WEBISO user (editor/approver/administrator) and the interface is shown in the correct language. WEBISO is delivered standard in one language (to be chosen by you) and add-on interfaces are delivered as an option: Dutch, English and French.

TECHNICAL SPECIFICATIONS
WEBISO is a platform independent solution. The solution uses your existing infrastructure as much as possible. Below you can find a survey of the supported platforms. You can choose between 2 ways of implementing WEBISO: an own license on your server within your network, or in the cloud on a secure server infrastructure.

Intranet server
The internet/intranet server is an Apache server; this is bundled into the WEBISO software.

Text editor
WEBISO includes an online HTML editor in which users can immediately make changes.

Browser
The "browsers" on the PCs, choice between:
- Microsoft Internet Explorer 10 or higher;
- Mozilla Firefox;
- Google Chrome.

Search engine
The search engine is HTDIG and is bundled for free into the WEBISO license. There are no add-on licenses or maintenance costs.

Basic system
The basic system can be installed on:
- a Linux server;
- a Windows server;
- ESX infrastructure.
Minimum requirements for the server are:
- Type of server: no specific requirements.
- Min. 8 GB RAM.
- 100 GB free disc space for WEBISO. The disc space for the procedures themselves will be defined by the growth of the procedures within your organisation.

Graphical elements
Non-textual objects can also be integrated (such as jpeg, gif, video animations, …). A further integration enabling hyperlinking between non-textual objects and documents is possible with:
- MS VISIO: supported versions are VISIO 2003, 2007, 2010, 2013, 2016;
- iGrafx FlowCharter of Micrografx from 2003 Professional onwards.
This graphical software is only necessary for those who create the non-textual objects, not for those viewing them in the browser.

Database
The database is PostgreSQL and is bundled for free into the WEBISO license. There are no add-on licenses or maintenance costs.

E-mail
To integrate your existing e-mail system the SMTP protocol is needed. So all e-mail systems supporting SMTP are valid; e.g. MS Exchange, Unix mail, Lotus Notes, …

REFERENCES
Ockham BVBA
Prins Boudewijnlaan 155 b2.2
B-2610 Antwerpen (Wilrijk)
BELGIE
+32 3 280 00 00
+32 3 280 01**************
www.webiso.be
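Research on a Coordinated Control Strategy for AFS and DYC in Distributed-Drive Electric Vehicles

Abstract

As awareness of environmental protection keeps growing, electric vehicles are being used more and more widely. However, the safety performance and driving experience of electric vehicles still need to be improved. This paper studies the adaptive front-lighting system (AFS) and the dynamic stability control system (DYC) of electric vehicles and proposes a coordinated AFS and DYC control strategy for distributed-drive electric vehicles.

First, by analysing the dynamics model of the electric vehicle and the AFS control principle, a distributed control model is established so that the AFS can adaptively adjust the headlight illumination range and reflect dynamic road conditions. Second, by studying the discrete control model of the electric vehicle and the DYC control principle, a DYC coordinated control strategy based on model predictive control is proposed. The strategy uses a hybrid control scheme based on short-term and long-term prediction, and effectively improves the stability and safety of electric vehicles.

Finally, the effectiveness of the coordinated control strategy is verified by simulation experiments. The experimental results show that the strategy achieves cooperative control between the AFS and DYC systems while maintaining a high vehicle speed and good driving comfort. These results offer a new approach to improving the safety performance and driving experience of electric vehicles.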
Keywords: electric vehicle; adaptive front-lighting system; dynamic stability control; coordinated control

Abstract

With the increasing awareness of environmental protection, electric vehicles have been widely used. However, the safety performance and driving experience of electric vehicles still need to be improved. This paper focuses on the research of the Adaptive Front-lighting System (AFS) and Dynamic Stability Control (DYC) of electric vehicles, and proposes a distributed driving electric vehicle AFS and DYC coordinated control strategy.

Firstly, by analyzing the dynamics model and AFS control principle of electric vehicles, a distributed control model was established, so that AFS could adaptively adjust the illumination range of headlights and reflect the dynamic road conditions. Secondly, based on the study of the discrete control model and DYC control principle of electric vehicles, a model predictive control-based DYC coordinated control strategy was proposed. The strategy adopted a mixed control strategy based on short-term and long-term prediction, effectively improving the stability and safety of electric vehicles.

Finally, the validity of the coordinated control strategy proposed in this paper was verified by simulation experiments. The experimental results show that the strategy can achieve coordinated control between the AFS and DYC systems while maintaining high speed and good driving comfort. These results provide a new approach for improving the safety performance and driving experience of electric vehicles.

Keywords: electric vehicle; adaptive front-lighting system; dynamic stability control; coordinated control

Electric vehicles have gained significant popularity in recent years due to their environmental friendliness and low operating costs. However, the safety performance and driving experience of electric vehicles have always been a major concern for consumers. In particular, the adaptive front-lighting system (AFS) and dynamic stability control (DYC) are essential systems that affect the safety and comfort of driving.
Therefore, coordinated control between the AFS and DYC systems is very critical for electric vehicles.

Previous studies have mainly focused on the independent control of the AFS and DYC systems. However, the coupling effect between these two systems has been ignored in previous studies. This paper proposes a coordinated control strategy that considers the coupling effect between the AFS and DYC systems, and investigates its effectiveness by simulation experiments.

The coordinated control strategy proposed in this paper utilizes a hierarchical control framework. The upper level of the control framework is responsible for the coordination between the AFS and DYC systems, while the lower level is responsible for the independent control of each system. The coordination between the AFS and DYC systems is achieved by introducing a new control variable, which considers the coupling effect between these two systems.

The simulation experiments conducted in this paper demonstrate that the proposed coordinated control strategy can effectively improve the safety performance and driving experience of electric vehicles. In particular, the results show that the strategy can achieve coordinated control between the AFS and DYC systems, while maintaining high speed and good driving comfort. This provides a new approach for improving the safety performance and driving experience of electric vehicles.

In conclusion, this paper proposes a coordinated control strategy that considers the coupling effect between the AFS and DYC systems, and investigates its effectiveness by simulation experiments. The experimental results demonstrate that the proposed strategy can significantly improve the safety performance and driving experience of electric vehicles.
Therefore, this paper provides a valuable contribution to the research on improving the safety performance and driving experience of electric vehicles.

In recent years, the usage of electric vehicles has been increasing due to concerns about environmental pollution and energy conservation. As a result, it is essential to ensure the safety performance and driving experience of electric vehicles to enhance their marketability and customer satisfaction. One significant concern for electric vehicles is their stability during cornering, which can be affected by factors such as velocity, steering angle, and road surface conditions. Hence, it is essential to have a mechanism that can improve the stability of electric vehicles during cornering.

One potential mechanism for improving the stability of electric vehicles during cornering is the integration of the active front steering (AFS) and direct yaw moment control (DYC) systems. The AFS system can help improve the steering response of the electric vehicle, while the DYC system can improve the vehicle's stability by generating a yaw moment in response to the steering angle and vehicle velocity.

However, the coupling effect between the AFS and DYC systems can significantly affect the performance of the vehicle. Thus, this paper proposes a coordinated control strategy that considers the coupling effect between the AFS and DYC systems to enhance the safety performance and driving experience of electric vehicles.

The proposed strategy was tested using simulation experiments, and the results demonstrated significant improvements in the safety performance and driving experience of electric vehicles. Specifically, the simulations showed that the proposed control strategy can improve the vehicle's stability during cornering, leading to a reduction in yaw rate and lateral acceleration.
Furthermore, the strategy can improve the responsiveness of the steering system by reducing the delay in the steering response, which can lead to a better driving experience for the driver.

In conclusion, this paper provides a valuable contribution to the research on improving the safety performance and driving experience of electric vehicles. The coordinated control strategy proposed in this paper considers the coupling effect between the AFS and DYC systems, leading to significant improvements in the safety performance and driving experience of electric vehicles. Future research can further investigate the proposed control strategy by conducting more experiments on different electric vehicles to verify its effectiveness.

In addition to the proposed coordinated control strategy, there are several other areas of research that can contribute to the improvement of the safety performance and driving experience of electric vehicles.

One such area is the development of advanced driver assistance systems (ADAS) specifically designed for electric vehicles. ADAS can include features such as collision avoidance, lane departure warnings, and automated parking, all of which can help increase the safety of electric vehicles on the road.

Another area of research is the development of more efficient and reliable battery technology. Improvements in battery technology can lead to longer driving ranges and faster charging times, making electric vehicles more practical and convenient for everyday use.

Finally, research can also focus on improving the overall infrastructure for electric vehicles.
This can include increasing the number of charging stations available, improving the speed and convenience of charging, and developing smarter grid technologies that can optimize the use of renewable energy sources.

Overall, continued research and development in these areas can help increase the safety, efficiency, and convenience of electric vehicles, paving the way for a more sustainable and environmentally friendly transportation system.

In conclusion, electric vehicles have the potential to significantly reduce greenhouse gas emissions from transportation, but there are still challenges that need to be addressed to fully realize their benefits. Improving battery technology, increasing the range of vehicles, and developing smart charging and grid technologies are all important areas for research and development. Additionally, infrastructure improvements such as increasing the number and convenience of charging stations can help support the growth of electric vehicles. By addressing these challenges and investing in the continued development of electric vehicle technology, we can create a more sustainable and environmentally friendly transportation system.
I. Technical vocabulary translation (English term: Chinese equivalent)

Accident Causation Models: 事故致因模型
Safety Policy and Planning: 安全方针和计划
Accident causation theory: 事故致因理论
Poor physical conditions: 物的不安全状况
Accident-proneness model: 事故倾向模型
Social security system: 社会保障体系
Accident reporting system: 意外呈报制度
Occupational illness: 职业病
System safety: 系统安全
Safety Engineering: 安全工程
System safety engineering: 系统安全工程
System safety program: 系统安全规划
Hazard analysis: 危害分析
Hazard identification: 危险源辨识
Hazard control: 危险源控制
Hazard evaluation: 危险源评价
Logical reasoning process: 逻辑推理过程
Warning device: 报警装置
Ergonomics process: 人机工程过程
Ergonomics committee: 人机工程委员会
Job site: 工作现场
Musculoskeletal disorder: 肌股失常
Chain of command: 行政管理系统
Hazard prevention and control: 灾害预防与控制
Hazard Identification: 危险源辨识
PPE (personal protective equipment): 个人防护设备
OSHA (Occupational Safety and Health Act): 职业安全与健康条例
planning and accountability: 计划与职责
planning and review: 计划与评审
budgetary constraint: 预算限制
Occupational Health and Safety Management System: 职业健康安全管理系统
Implementation method: 实施方法
System characteristic: 系统特性
systematic management: 系统化管理
Industrial Hygiene: 工业卫生
Cosmic ray: 宇宙射线
Terrestrial radiation: 地面辐射
Material Safety Data Sheet: 物质安全技术说明书
Hazard Communication Standard: 危害通识标准
Physical hazards: 物理危险源
safety culture: 安全文化
corporate culture: 企业文化
reciprocal relationship: 互反关系
organisational goals: 组织目标
Physiological needs: 生理需求
Safety needs: 安全需求
Social needs: 社会需求
Ego needs: 自我需求
Self-fulfillment: 自我满足,自我实现
Principle of motivation: 激励原则
Accident Investigation: 事故调查
After-the-fact approach to hazard identification: 事后事后危险源辨识方法
fact-finding process: 寻找事实过程
affixing blame: 追究责任
accident investigation procedure: 事故调查程序
Safety Electricity: 电气安全
Electrical shock: 电击
Groundfault Circuit interrupt: 接地故障断路器
First aid: 急救
Artificial ventilation (respiration): 人工呼吸
Cardio-pulmonary Resuscitation (CPR): 心肺复苏
Declaration of Conformity: 符合性声明
Insurance premium: 保险费
Safety device: 安全防护装置
HSE (health, safety, environment): 健康、安全和环境管理体系
ROPS (roll-over protective structure): 翻车安全保护装置
Manufacturing industry: 制造业
Transportation equipment: 运输设备
Excavation work: 开挖施工
Guard rail: 防护围栏
Confined space: 狭小空间
Rooflight sheet: 采光屋面板
Toe board: 趾板
mine fire: 矿井火灾

II. Sentence translation

1. Rasmussen and Jensen have presented a three-level skill-rule-knowledge model for describing the origins of the different types of human errors.
Rasmussen和Jensen提出了一种技能—规范—知识的三级模型,用来描述不同类型的人为失误的来源。
Internal Control — Integrated Framework

Executive Summary

Senior executives have long sought ways to better control the enterprises they run. Internal [...] company on course toward profitability goals and achievement of its mission, and to minimize surprises along the way. They enable management to deal with rapidly [...] competitive environments, shifting customer demands and priorities, and restructuring for future growth. Internal controls promote efficiency, reduce risk of asset loss [...] laws and regulations.

Because internal control serves many important purposes, there are increasing calls for better internal control systems and report cards on them. Internal control is looked upon more and more as a solution to a variety of potential problems.

What Internal Control Is

Internal control means different things to different people. This causes confusion among businesspeople, legislators, regulators and others. Resulting miscommunication and different [...] compounded when the term [...] law, regulation or rule.

This report deals with the needs and expectations of management and others. It defines and describes internal control to:
• [...] common definition serving the needs of different parties.
• Provide a standard against which business and other entities--large or small, in the public or private sector, for profit or not--can assess their control systems and determine how to improve them.

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations.
• Reliability of financial reporting.
• [...] laws and regulations.

The first category addresses an entity's basic business objectives, including performance and profitability goals and safeguarding of resources. The second relates to the preparation of reliable published financial statements, including interim and condensed financial statements and
selected financial data derived from such statements, such as earnings releases, reported publicly [...] laws and regulations to which the entity is subject. These distinct but overlapping categories address different needs and allow a directed focus to meet the separate needs.

Internal control systems operate at different levels of effectiveness. Internal control can be judged effective in each of the three categories, respectively, if the board of directors and management have reasonable assurance that:
• They understand the extent to which the entity's operations objectives are being achieved.
• Published financial statements are being prepared reliably.
• [...] complied with.

While internal control is a process, its effectiveness is a state or condition of the process at one or more points in time.

[...] components. These are derived from the way management [...] companies may implement them differently than [...] company can still have effective [...] components are:

Control Environment [...] organization, influencing the control consciousness [...] components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors.

Risk Assessment--Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, linked at different levels and internally consistent. Risk assessment is the identification and analysis of relevant risks to achievement of the objectives, forming a basis for determining how the risks should be managed. Because economic, industry, regulatory and operating conditions will continue to change, mechanisms are
needed to identify and deal with the special risks associated with change.

Control Activities--Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's [...] organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication [...] communicated in a form and timeframe [...] information systems produce reports, [...] information, that make it possible to [...] information [...] informed business decision-making [...] communication also must occur in a broader sense, flowing [...] organization. All personnel must receive a clear message from top management that control responsibilities must be taken seriously. They must understand their own role in the internal control system, as well as how individual activities relate to the work of others. They [...] information upstream. There also needs to be [...] communication with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring--Internal control systems need to be monitored--a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities, separate [...] combination of the two. Ongoing monitoring occurs in the course of operations. It includes regular management and supervisory activities, and other actions personnel take in performing their duties. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Internal control deficiencies should be reported upstream, with serious matters reported to top management and the board.

[...] components, forming an integrated system that reacts dynamically to changing conditions. The internal control system is intertwined with the entity's operating activities and exists for fundamental business reasons. Internal control is most effective when controls are built into the entity's infrastructure and are a part of the essence of the enterprise. "Built in" controls support quality and empowerment initiatives, avoid unnecessary costs and
enable quick response to changing conditions.

There is a direct relationship between the three categories of objectives, which are what an entity [...] components, which represent what is needed to achieve the objectives. All components are relevant to each objectives category. When looking at any one category--the effectiveness [...] components must be present and functioning effectively to conclude that internal control over operations is effective.

The internal control definition--with its underlying fundamental concepts of a process, effected by people, providing reasonable assurance--together with the categorization of objectives and the components and criteria for effectiveness, and the associated discussions, constitute this internal control framework.

What Internal Control Can Do

Internal control can help an entity achieve its performance and profitability targets, and prevent loss of resources. It can help ensure reliable financial reporting. And it can help ensure that the en[...] laws and regulations, avoiding damage to its reputation and other consequences. In sum, it can help an entity get to where it wants to go, and avoid pitfalls and surprises along the way.

What Internal Control Cannot Do

Unfortunately, some people have greater, and unrealistic, expectations. They look for absolutes, believing that:
• Internal control can ensure an entity's success--that is, it will ensure achievement of basic business objectives or will, at the least, ensure survival.

Even effective internal control can only help an entity achieve these objectives. It can provide [...] information about the entity's [...] of it, toward their achievement. [...] competitors' actions or economic conditions can be beyond management's control. Internal control cannot ensure success, or even survival.
• [...] laws and regulations.

This belief is also unwarranted. An internal control system, no matter how well conceived and operated, can provide only reasonable--not absolute--assurance to management and the board regarding achievement of an entity's objectives. The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the realities that judgments in decision-making can be faulty, and that breakdowns can occur because of simple error or mistake.
Additionally, controls can be circumvented by the collusion of two or more people, and management has the ability to override the system. Another limiting factor is that the design of an internal control system must reflect the fact that there are resource constraints, and the benefits of controls must be considered relative to their costs.

Thus, while internal control can help an entity achieve its objectives, it is not a panacea.

Roles and Responsibilities

Everyone in an organization has responsibility for internal control.

Management--The chief executive officer is ultimately responsible and should assume "ownership" of the system. More than any other individual, the chief executive sets the "tone at the top" that affects integrity [...] company, the chief executive fulfills this duty by providing leadership and direction to senior managers and reviewing the way they're controlling the business. Senior managers, in turn, assign responsibility for establishment of more specific internal control policies and procedures to personnel responsible for the unit's functions. In a smaller entity, the influence of the chief executive, often an owner-manager, is usually more direct. In any event, in a cascading responsibility, a manager is effectively a chief executive of his or her sphere of responsibility. Of particular significance are financial officers and their staffs, whose control activities cut across, as well as up and down, the operating and other units of an enterprise.

Board of Directors [...] governance, guidance and oversight. Effective board members are objective, capable and inquisitive. They also have
a knowledge of the entity's […] commit the time necessary to fulfill their board responsibilities. Management may be in a position to override controls and ignore or stifle communications from subordinates, enabling a dishonest management which intentionally misrepresents results to cover its tracks. A strong, active board, particularly when coupled with effective […] communication channels and capable financial, legal and internal audit functions, is often best able to identify and correct such a problem.

Internal Auditors--Internal auditors play an important role in evaluating the effectiveness of control systems […] organizational position and authority in an entity, an internal audit function often plays a significant monitoring role.

Other Personnel--[…] organization and therefore should be an explicit or implicit part of everyone's job description. Virtually all employees […] in the internal control system or take other actions needed to effect control […] communicating upward problems in operations, noncompliance with the code of conduct, or other policy violations or illegal actions.

A number of external parties often contribute to achievement of an entity's objectives. External auditors, bringing an independent and objective view, contribute directly through the financial […] useful to management and the board […] useful in effecting internal control are legislators and regulators, customers and others transacting business with the enterprise, financial analysts, bond raters and the news media. External parties, however, are not responsible for, nor are they a part of, the entity's internal control system.

Organization of this Report

This report is in four volumes. The first is this Executive Summary, a high-level overview of the internal control framework directed to the chief executive and other senior executives, board members, legislators and regulators.

[…] components and provides criteria against which managements, boards or others can assess their control systems. The Executive Summary is included.

The third volume, Reporting to External Parties, is a supplemental document providing guidance to those entities that report publicly on internal control over preparation of their published financial statements, or are contemplating doing so.

The fourth volume, Evaluation Tools,
provides materials that may be useful in conducting an evaluation of an internal control system.

What to Do

Actions that might be taken as a result of this report depend on the position and role of the parties involved:

Senior Management--Most senior executives who contributed to this study believe they are basically "in control" of […] company--a division, a de[…] component that cuts across activities--where controls are in early stages of development or otherwise need to be strengthened. They do not like surprises. This study suggests […] this framework, a CEO, together with key operating and financial executives, can focus attention where needed. Under one approach, the chief executive could proceed by bringing together business unit heads and key functional staff to discuss an initial assessment of control. Directives would be provided for those individuals to discuss this report's concepts with their lead personnel, provide oversight of the initial assessment process in their areas of responsibility and report back findings. Another approach might involve an initial review of corporate and business unit policies and internal audit programs. Whatever its form, an initial self-assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation. It should also ensure that ongoing
monitoring processes are in place. Time spent in evaluating internal control represents an investment, but one with a high return.

Board Members--Members of the board of directors should discuss with senior management the state of the entity's internal control system and provide oversight as needed. They should seek input from the internal and external auditors.

Other Personnel--Managers and other personnel should consider how their control responsibilities are being conducted in light of this framework, and discuss with more senior personnel ideas for strengthening control. Internal auditors should consider the breadth of their focus on the internal control […] compare their evaluation materials to the evaluation tools.

Legislators and Regulators--[…] laws recognize that there can be misconceptions and different expectations about virtually any issue. Expectations for internal control vary widely in two respects. First, they differ regarding what control systems can accomplish. As noted, some observers believe internal control systems will, or should, prevent economic loss, or at least […] companies from going out of business. Second, even when there is agreement about what internal control systems can and can't do, and about the validity of the "reasonable assurance" concept, there can be disparate views of what that concept means and how it will be applied. Corporate executives have expressed concern regarding how regulators might construe public reports asserting "reasonable assurance" in hindsight after an alleged control failure has occurred. Before legislation or regulation dealing with management reporting on internal control is acted upon, t[…] common internal control framework, including limitations of internal control. This framework should be helpful in reaching such agreement.

Professional Organizations--[…] organizations providing guidance on financial management, auditing and related topics should consider their standards and guidance in light of this framework. To the extent diversity in concept and terminology is eliminated, all parties will benefit.

Educators--This framework should be the subject of academic research and analysis, to see where future e[…] common
ground for understanding, its concepts and terms should find their way into university curricula.

We believe this report offers a number of benefits. With this foundation for mutual understanding, […] communicate more effectively. Business executives will be positioned to assess control systems against a standard, and strengthen the systems and move their enterprises toward established goals. Future research can be leveraged off an established base. Legislators and regulators will be able to gain an increased understanding of […] common internal control framework, these benefits will be realized.
Developing A Risk Communication Model to Encourage Community Safety from Natural Hazards

JUNE 2004

Peter O’Neill

The author acknowledges the contributions of Joan Young and Les Robinson in the development of this model.

Com Safety Program 4 04.doc 27/04/04

“THE PURPOSE OF (RISK) COMMUNICATION IS TO ASSIST PEOPLE TO OBTAIN THE INFORMATION THEY NEED TO MAKE INFORMED CHOICES ABOUT THE POSSIBLE RISK THEY FACE.”
(Wade, C R, Molony, S T, Durbin, M E, Klein S H, and Wahl L E, (1992), P1)

“HUMAN BEINGS DO NOT HAVE THE TIME OR THE ABILITY TO BE CONCERNED ABOUT EVERY PROBLEM IN THE WORLD. THEY DEVOTE THEIR TIME AND ENERGY TO PROBLEMS THAT INVOLVE THEM AND FOR WHICH THEY CAN MAKE A DIFFERENCE.”
J E Grunig quoted in Leffler (1998)

TABLE OF CONTENTS

1) INTRODUCTION
2) TRADITIONAL APPROACHES TO COMMUNITY SAFETY
3) FINDING BETTER RISK COMMUNICATION APPROACHES FOR COMMUNITY SAFETY
4) FACTORS THAT INFLUENCE COMMUNITY SAFETY
   A. THE NATURE OF THE HAZARD AND ASSOCIATED RISK
   B. RISK PERCEPTION
   C. STAGES OF RISK COMMUNICATION
   D. IDENTIFYING AUDIENCES AND ASSOCIATED MESSAGES
      i. Demographic factors
      ii. Psychological traits
      iii. Experience of the hazard
   E) RESILIENCE
5) AN INTEGRATED COMMUNICATION FRAMEWORK
6) FOSTERING BEHAVIOURAL CHANGE
7) SUMMARY: THE PROPOSED MODEL
8) DETAILS OF THE INTEGRATED PROGRAM
   A) COMMUNITY DEVELOPMENT
   B) COMMUNITY EDUCATION
   C) SOCIAL MARKETING AND PUBLIC AWARENESS - ONE-WAY PERSUASION
   D) EDUCATION ABOUT MANDATORY DIRECTIONS (EMERGENCY WARNINGS)
9) CONCLUSION
REFERENCES

1) INTRODUCTION

This discussion paper will outline issues relating to developing a risk communication model in the context of a severe but infrequent hazard such as a significant flood or storm.
It will also investigate the concept of risk perception and the elements that contribute to an integrated community safety campaign. The paper will review traditional approaches to community education used by emergency agencies. It will suggest a need for a more integrated risk communication model that acknowledges community perceptions about the risks they face, and while encouraging self-reliance acknowledges the limitations of this approach. It will then present a coherent conceptual framework for communicating and involving the public, focusing on adopting protective behaviour for the pre-disaster phase. Hopefully, this paper will generate vigorous debate over future directions for community safety within the SES and lead to the development of rigorous and effective safety programs for flood and storm education.

Emergency managers are in the midst of historic changes. The focus of expectations has changed dramatically, from a pure emergency response to a proactive 'risk management' approach involving disaster mitigation, prevention, and risk communication (Keys 1999a, Buckle 1998, Granger 1999).

These shifts involve:
- a whole-of-government approach that sees community safety as a total system;
- locally focused and integrated planning;
- the need for greater community participation;
- community-centric, rather than agency-centric approaches;
- risk management and multi-disciplinary approaches;
- improved use of technology;
- the need for greater cost effectiveness and public accountability;
- the need to form and enhance partnerships and to reduce organisations’ isolation;
- the need for sophisticated skills in risk management and communication (EMA 1999a, Hodges 1999).

A changing public

At the same time as expectations of emergency services are changing, so too is the nature of the public:
- the changing nature of 'community', from communities-of-place to dispersed communities-of-interest;
- the demand for greater community participation (EMA 1999a);
- increasingly low tolerance of risk and increasing expectation of emergency services;
- a declining level of trust in government and authorities;
- a community that is shifting its concerns from the public to the private and personal (Quantum Market Research 2002);
- an increasingly complex and competitive communication environment;
- an increasing urbanisation and an increase in communities of older people living along the coast (Salt 2003); and
- a community that is sophisticated in reading and interpreting communications.

These factors reinforce the need for innovation, rigorous planning and an evidence-based culture in the design of community safety programs.

However, while there have been extensive education resources developed in Australia, there has been little research to substantiate a link to an appropriate risk communication model: one that explains the relationship between vulnerable communities and their willingness to become involved with community safety programs (Boura, 1998).

2) Traditional approaches to community safety

Traditional education approaches, often called public awareness programs, are increasingly being questioned. In the flood and storm safety arena, there remains a lack of clarity about what approaches are appropriate in different situations. As Keys (1999b) noted, "It has been apparent for some time that creating community awareness of floods and storms is not easy, and that our various pamphlets and guides do not 'move' in large numbers. Most of the time, people are not particularly interested in them.”

From a national multi-hazard perspective, the outlook is just as bleak. "…there is currently no nationally accepted theory which provides the basis for determining 'good practice' and programs and activities have been developed from a basis of intuition, past experience or adoption and adaption of activities from other areas…."
(AMEC 2002 p7).

Historically, when emergency services have undertaken community education, they have informed the community about hazards and their risks, through distribution of prepared material emphasising actions residents can undertake to protect themselves and their property during emergencies. The communication process was often one-off and one-way, and assumed that the audience was an indistinguishable group of individuals who had the same needs and values.

The effectiveness of this traditional approach and the extent to which individuals implemented safety messages was often measured by the number of resources distributed, or the public recalling the message. The indicators used to determine a successful campaign focussed on the ability of the individual to demonstrate an awareness of the safety messages presented (eg. Mountford and Davidson 1999, storm safety evaluation).

This traditional model is one where the emergency professional is the ‘active agent’ and the community member is the passive recipient of appropriate messages (Macdonald, 1998). The deficits of this model are at last being recognised and research has questioned the effectiveness of these education strategies in changing people’s behaviour. "One of the most puzzling findings … was that many people did not implement strategies that would improve their safety, despite understanding the issues associated with safety and acknowledging that safety was their own responsibility" (Esmund et al. 2000, p5).

Implicit in this traditional approach was the assumption that there was a direct correlation between awareness raising and behavioural change. "It is frequently assumed that providing the public with information on hazards and their mitigation will encourage preparation. This assumption is unfounded." (Paton et al., undated).
The failing of the traditional Information-Action model is the belief that merely informing the individual or community about a hazard will lead to risk awareness, awareness to actions, and then to sustained behavioural change. Boura (1998) identifies the weakness in the belief that there is a strong and direct causal link between receiving information and appropriate actions.

The literature on risk communication indicates that distribution of information on the hazard and associated risk will not by itself make a significant difference in attitude, perception or behaviour (Boura, 1998). Keys (1996, p3) noted, “…public awareness strategies have had a low profile in the emergency management field. Their potential as tools for reducing the costs which floods impose has also been little developed, despite the fact that a flood-aware community is recognised in the floodplain management literature as being important in this regard.”

Health Promotion and Injury Prevention Campaigns

Although emergency education programs are customarily under-funded, additional resources alone will not improve residents’ ability to prepare and cope with a major disaster. It is instructive to review other behavioural change campaigns that have received greater funding and have a more empirically rigorous model to support their strategies. In spite of health promotion campaigns making some advancement in lessening dangerous behaviours, these measures are still the subject of constant revisions, as more effective strategies are discovered.

Researchers are still investigating why so many people continue to maintain unhealthy and potentially dangerous lifestyles. Even well funded programs in related areas, such as road safety campaigns, have been criticised for a lack of success.
According to the 2002 Safety Strategy Report, “It is likely that millions of dollars have been wasted each year on road safety advertising in Victoria since 1989” (Sinclair, 2003).

The 1997/98 NSW Sun Protection Campaign (the Seymour Snowman campaign) is an example of this in a related health area (NSW Cancer Council, 1998). The campaign focussed on encouraging appropriate sun protection behaviour through a social marketing campaign and information distribution. The campaign used radio, TV, billboards, posters and leaflets to give positive information about appropriate sun protection to children and their carers. The campaign generated significant increase in awareness of the main character (Seymour Snowman) used in the campaign, with 73% recalling they had seen the commercial on TV. However, over the same time there was only a 3% increase in children engaging in the desired sun protection behaviour, while adults reported a 2% fall in appropriate sun protection behaviour.

The success and possible new directions for the smoking cessation campaigns were recently reviewed in the Sydney Morning Herald. The campaigns use a system-based intervention approach consisting of macro and micro projects such as pricing increases, mass-media projects, restricting cigarettes availability, restricting advertising, targeting vulnerable groups, bans in public areas and work places, commercial cessation programs, pack warnings, the Quitline and GP guidelines.

The multiple players in these campaigns, such as state and federal health departments, commercial companies and various independent agencies (eg. Cancer Councils) make it difficult to evaluate individual programs. However, as these various programs employ common strategies, their success is ultimately measured by the reduction in smoking and the number of new smokers.
While the smoking cessation campaigns had been successful in lowering the rate of smoking, in the last few years the cessation rate has stalled at just below 20 per cent. Professor Simon Chapman of the Cancer Council believes that while mass-media campaigns can be effective in reducing smoking rates, there will always be smokers and that the messages won’t reach everybody. To further reduce the smoking rate in NSW, Dr Penman, CEO of the Cancer Council, believes a $15 million a year anti-smoking campaign could significantly decrease the smoking rate within 10 years (SMH, 16 Oct, 2003).

Clearly current disaster education programs are not as sophisticated or as well resourced as health promotion and injury prevention campaigns. Yet these campaigns are now struggling to have a significant impact on their target audiences. What approach should emergency managers take in encouraging safety preparation for disasters?

3) FINDING BETTER RISK COMMUNICATION APPROACHES FOR COMMUNITY SAFETY

It is apparent that new approaches are needed to create desirable behavioural changes. The focus in the current methodology on individual behavioural change through conveying information needs to be broadened. The Institute of Medicine (2002) has identified three major determinants of intention to undertake behavioural change. They are:
• attitudes of a person;
• community norms; and
• the degree of self-efficacy of a person.

Macdonald (1998) also includes the social setting in which people make decisions about their risks.

In response to these challenges, alternative approaches are emerging. Fortunately, rather than re-inventing the wheel, we are able to learn and adapt approaches and models which have been proven in other jurisdictions -- notably health promotion, social marketing, community safety and adult education -- to present a community safety model that identifies and addresses the concerns of all affected groups.
The report of a national flood warning workshop (Proudley and Handmer, 2003) identified many of the issues that need to be addressed in developing effective warning systems, including:
• The necessity for community engagement through increased awareness and engagement;
• The need to improve the communication of risk;
• The importance of recognising the target audience of flood warnings; and
• The need for policy improvements in the area of flash flood warnings.

Other approaches that have proved useful in improving health and safety outcomes include:

• Comprehensive systems-based intervention. This approach recognises community behaviour is the outcome of interaction between legislation, organisational policy and practice, social networks, engineering solutions, and community norms. System-based intervention approaches have been widely applied in health promotion, notably in community safety and injury prevention work (Lindquist et al 2002, Cohen and Swift 2003, Jensen 1999, Esmund et al 2000). An example of this is the smoking cessation campaign. The programs are supported by federal and state governments and by community health groups. Strategies include legislation to ban smoking in workplaces, individual Quit packs, powerful advertisements to alert smokers to the danger of smoking and measures to protect non-smokers (SMH, 16 Oct, 2003).

• Greater use of "bottom-up" (participative) strategies. These focus on empowering and resourcing local groups and networks, to identify problems, define solutions and initiate action plans. Examples in the emergency management field include: Community Fire Guard (Vic CFA), Community Fire Units (NSW FB), AWARE (WA FESA) and the American Red Cross's Disaster Resistant Neighbourhood program.

• Greater use of social marketing methods. Mass persuasion methods originally developed in the commercial marketing field are now widely used to foster positive behaviours.
These are being applied to improve community resilience to natural hazards, e.g. FloodSafe (NSW SES). The National Flood Warning Centre (UK) ran a social marketing and health promotion campaign that is credited with raising flood awareness from 48% to 79% over the past five years (Proudley and Handmer, 2003).

• Greater use of evidence-based approaches. Social research is replacing gut feeling in emergency risk communication. The last few years have seen a dramatic increase in the commissioning of quantitative and qualitative social research: for instance, FESA's Community Safety Survey 2000, the Queensland Department of Emergency Services' focus group research (AC Neilsen 2003), and NSW SES research into flood knowledge and perceptions.

The shift from a public awareness approach to one of community safety alters the traditional top-down, 'command and control' relationship with the community. In this new model, the community is seen as an active participant in its own safety, rather than a passive recipient of services. This requires emergency agencies to become specialists, facilitators and supporters of the community, while maintaining their traditional disaster response functions. These are challenging roles which require flexibility, new skills and new approaches (AMEC 2002).

The behavioural models that have influenced the development of community safety programs are summarised in Speaking of Health (Institute of Medicine 2002). The first of these health promotion models is the Health Belief Model. According to this model, two main factors contribute to a person’s willingness to adopt appropriate health behaviours. First, the person must believe that there is a significant risk to them and the suggested benefits will compensate for the cost of undertaking the appropriate behaviours.
The second is the Social Cognitive Theory, which emphasises the importance of individual self-efficacy, or self-confidence that they can exercise some degree of control over their behaviour and the outcomes they want to achieve. The Theory of Reasoned Action asserts that the extent of behaviour change can be viewed as a function of a person’s attitude towards performing the action and a person’s perception of what his/her peers’ attitude is towards performing the task. The identification of community norms as an incentive or hindrance to change is an important factor, especially in low perceived/high actual risk environments, and highlights the need to work closely with community expectations.

4) FACTORS THAT INFLUENCE COMMUNITY SAFETY

One of the most contentious issues in the risk communication area is the identification of factors that contribute to a successful community safety program. Previous programs had centred on the Information/Action model; however, research carried out by the NSW SES in Kempsey and by Pfister (2001) at Grafton has demonstrated that hazard and risk information, when distributed in isolation from the social setting, will have little significant impact on awareness or behavioural change.

The principal factors that contribute to an effective community safety program include:
a) The nature of the hazard and associated risk;
b) The perception of the risk and people’s willingness to act;
c) Identifying the stages of risk communication;
d) Identifying audiences and associated messages; and
e) Community resilience.

a. The nature of the hazard and associated risk

Emergency managers frequently express frustration with the public when they demonstrate a lack of concern when experts identify an extreme risk that threatens a community. This is particularly so when managers need to communicate the risk resulting from an infrequent but severe hazard.
"Arguably, the flood threat is neither frequent enough in its impact nor severe enough in its usual consequences for experience of it to generate deliberate protective behaviour in most people" (Keys 1999b).

Severe floods are an example of a risk that most non-experts would see as unlikely to have an impact on their lives. However, floods are one of the most costly natural disasters in Australia. In NSW from 1967-99 (in 1998 $A), floods cost $128,000,000 per annum; about 26.5% of the total cost of all disasters. For Australia as a whole, the cost was $314,000,000 per annum or 28% of all disaster costs (Bureau of Transport Economics, 2001).

So while severe floods are a real problem for many communities, there is evidence that the public does not agree with this assessment. A recent survey of Queenslanders showed that floods are generally perceived as less risky than other hazards such as cyclones.

Flooding:
• It is low risk unless you live near a river;
• You can do little to prepare until you receive a flood warning; and
• A lot of clean-up is needed, but little damage (AC Neilsen 2003).

For risk managers, one of the greatest dilemmas in flood and storm communication is how to alert the public to the risk of low-probability, high-consequence disasters such as severe floods. The conventional wisdom is that people need to be convinced of the risks. It is therefore our role as risk managers to give them sufficient details of the hazard, so that they will be prepared to protect themselves from the consequences.

However, conventional wisdom runs into a wall of public indifference – an indifference with its own logic. “Why should I concern myself with risks that -- while they may be severe -- are rare and usually low-intensity, and which the government and emergency agencies are practiced at managing?”

The fact is, we may be asking the public to act on someone else's problem – in this case, the risk communication manager’s problem.
The issue then becomes one of not only identifying the actual risk from a severe hazard, but also understanding how people will perceive the risk and be willing to adopt protective behaviours.

b. Risk Perception

Integral to the community safety approach is the belief that people do not categorise all risks as the same. In other words, they will underestimate or overestimate the risk according to their perception or understanding of the impact of the risk on their own lives. In situations such as an infrequent but severe hazard, the decision-making process is made harder by the complex variables that influence an individual’s perception of the risk.

Research suggests that when people feel threatened when confronted with health and safety messages, they become defensive and believe that it won’t affect them. Sandman (1994) found that people were often hostile to the idea that they are at risk. People judged themselves less at risk than the ‘average’ person to a variety of natural and technological hazards. This psychological bias is well known: people believe that they are impervious to events that affect the average person. It is referred to as Optimism Bias (Amber, 2003). This view dominates most responses to risk, and people support it by devising a rationale for the conviction that the hazard will pass them by, or that it will only inflict minor damage to their property.

Carney (1993) hypothesised that when communicating about risk there is a need to develop a contingency model that takes into consideration both the actual risk of the situation (Factor 1) and the perceived risk (Factor 2). This determines the best communication strategies to use in the situation it represents.

Risk Contingency Factors
1. Low actual risk/ low perceived risk (e.g., volcanic eruption in Sydney)
2. Low actual risk/ high perceived risk (e.g., attack by bees)
3. High actual risk/ high perceived risk (e.g., motor vehicle accident)
4. High actual risk/ low perceived risk (e.g., severe flood).

In essence, people usually underestimate risks because they would rather believe they are safe, free to live their lives without the responsibility of feeling vulnerable and obliged to make difficult or unpopular decisions that would affect their lifestyle. Festinger (1964) identified this conflict in his Theory of Cognitive Dissonance. Festinger examined situations where there are often mutually incompatible alternatives that ensure conflict in the decision-making process. The greater the conflict before the decision, the greater the dissonance. To reduce this dissonance, a person may try to justify the decision by increasing the attractiveness of the chosen alternative and decreasing the attractiveness of the rejected alternative. For example, people who are confronted with the devastating news of a future severe flood may deny that this level of flooding could occur and reject the information as well as assistance to reduce the risk. This is because they may consider there is a low risk from a severe flood, coupled with low benefits from becoming flood prepared and a high cost in terms of their time and effort. Thus, they would consider their vulnerability as being low and would make a decision not to become involved in any risk-management programs. When a severe flood occurs, these people would be ill prepared and require the assistance of emergency agencies to evacuate.

How then, do people determine the degree of risk that they are willing to accept when going about their lives? While there are many empirical studies that attempt to establish an objective comparison between risks that communities are exposed to, people’s attitude towards risk and their willingness to act to reduce the risk are more subjective. Wade et al. (1992) identified several of the variables that a person will use to determine their reaction to a specific risk (see Table 1).
Thus, a person may have a high vulnerability to a specific risk because of their belief that the risk will not affect their life, which in turn will influence their willingness to adopt safety messages.

Table 1. Variables That Influence Risk Perception Model (adapted by O’Neill from Wade et al. [1992])

HIGH BENEFITS: People will accept a risk if they can identify corresponding benefits (e.g., car travel).
v. LITTLE BENEFITS: People are less accepting if they see no benefits or high costs from accepting the risk (e.g., industrial pollution).

FAMILIAR: If a risk is an everyday occurrence, it may be accepted into a person’s schema (e.g., smoking).
v. UNKNOWN: If the risk is unknown or rare, there is likely to be resistance in accepting it (e.g., GM foods).

TRUSTED: The risk is more likely to be accepted if people know and trust the organisation helping to manage the risk (e.g., SES).
v. NOT TRUSTED: If the organisation is not trusted, the message about the risk may not be accepted (e.g., a bank).

NATURAL: People are more likely to accept what is regarded as a natural hazard (this perception gives a sense of inevitability about the risk).
v. TECHNOLOGICAL: People have a higher expectation that technological or industrial risks will be managed.

VOLUNTARY: People are more willing to accept a risk when they make the decision about their own exposure to it (e.g., smoking).
v. IMPOSED: People may react negatively if they feel they have little choice in accepting the risk (e.g., pollution).

MEMORABLE: People are less willing to accept a risk concerning a hazard that will attract wide public and media attention.
v. FORGETTABLE: People may accept a risk concerning an event not likely to create community or media interest.

CATASTROPHIC POTENTIAL: People are more concerned about risks from hazards that are capable of causing dread because of the significant impact on a community.
v. CHRONIC POTENTIAL: People may be unconcerned about the risk from hazards that seem to have little potential to significantly affect a community.

FOCUSED THREAT: An event that occurs over a brief period concentrates media and community interest.
v. DISPERSED THREAT: There is less media and community attention if an event occurs over a long period (e.g., drought).

UNCERTAIN TIME AND SEVERITY: A vague or undefined threat can make people reject safety messages as too hard to implement.
v. CERTAIN TIME AND SEVERITY: People feel more comfortable and willing to listen to safety messages if a threat can be defined and prepared for.

MANAGED: People are more willing to accept
v. HAPHAZARD: People are unwilling to accept risks
OHSMS and Safety Culture

What is an occupational health and safety management system (OHSMS)?

One difficulty in evaluating the effectiveness of OHSMS lies in the different meanings given to the term. Finding agreement upon criteria for effectiveness, or methods of measurement and evaluation, is especially hard where basic disagreement exists upon what an OHSMS is.

1. The General Characteristics of an OHSMS

All OHSMS owe something to the legacy of general system theory. Systems theory suggests that there should be four general requirements for an OHSMS, although how these requirements are met in practice allows for considerable diversity. The four general requirements are as follows.
1) System objectives.
2) Specification of system elements and their inter-relationship; not all systems need have the same elements.
3) Determining the relationship of the OHSMS to other systems (including the general management system and the regulatory system, but also technology and work organization).
4) Requirements for system maintenance (which may be internal, linked to a review phase, or external, linked for example to industry policies that support OHS best practice; system maintenance may vary between systems).

Several Australian authorities upon OHSMS have given definitions broadly consistent with these general system requirements. Thus Bottomley notes what makes an OHSMS a system “is the deliberate linking and sequencing of processes to achieve specific objectives and to create a repeatable and identifiable way of managing OHS. Corrective actions … (are also) central to a systematic approach.” Warwick Pearse also emphasises systemic linkages, defining an OHSMS as “distinct elements which cover the key range of activities required to manage occupational health and safety.
These are inter-linked, and the whole thing is driven by feedback loops.” Similarly, Gallagher defines an OHSMS as “…a combination of the planning and review, the management organization arrangements, the consultative arrangements, and the specific program elements that work together in an integrated way to improve health and safety performance.”

2. Voluntary or Mandatory Implementation Methods

One way that OHSMS differ arises from the various methods of implementation. Frick and Wren distinguish three types: voluntary, mandatory and hybrid. Voluntary systems exist where enterprises adopt OHSMS on their own volition. Often this is to implement strategic objectives relating to employee welfare or good corporate citizenship, although there may be other motives such as reducing insurance costs. In contrast, mandatory systems have evolved in a number of European countries where legislation requires adoption of a risk assessment system. Quasi-mandatory methods may also exist where external commercial pressures take the place of legislative requirements. Thus many businesses adopt OHSMS to comply with the requirements of customers and suppliers, principal contractors and other commercial bodies. Hybrid methods are said to entail a mixture of voluntary motives and legislative requirements.

3. Management Systems or Systematic Management

Following from their distinction between voluntary and mandatory OHSMS, Frick and Wren also separate occupational health and safety “management systems” and the “systematic management” of occupational health and safety. Specifically, the former have been characterized as: market-based, promoted typically by consulting firms, and with usually highly formalized prescriptions on how to integrate OHSM within large and complex organizations and also comprehensive demands on documentation. This “management systems” form must meet stringent criteria. Where these requirements of a “system” are not met, then the term is said to be inapplicable.
On the other hand, “systematic management” is described as “… a limited number of mandated principles for a systematic management of OHS, applicable to all types of employers including the small ones”.

This approach stems from methods of regulation found in Europe as well as Australia, where businesses, including smaller ones, are encouraged or required to comply with a less demanding framework than “management systems”. One example of this simpler regulatory framework might be the risk assessment principles within the 1989/391 European Union Framework Directive.

Support for such a loose approach to OHSM also exists in Australia. One employer expert on OHS defined systems simply as “just a word for what you do to manage safety”. Consistent with this is Bottomley’s all-encompassing approach which allows that “…an OHSMS can be simple or complex, it can be highly documented or sparingly described, and it can be home grown or based on an available model”. An example of a relatively simple “systematic” approach to the management of occupational health and safety is to be found in “Small Business Safety Solutions”, a booklet for small business published by the Australian Chamber of Commerce and Industry. This advocates a four step process as follows:
Step 1: Commitment to a Safe Workplace (framing a policy based on consultation).
Step 2: Recognising and Removing Dangers (using a danger identification list).
Step 3: Maintaining a Safe Workplace (including safety checks, maintenance, reporting dangers, information and training, supervision, accident investigation, and emergency planning).
Step 4: Safety Records and Information (including records and standards required to be kept by law).

It is debatable whether such a framework for “systematic management” in a small business can include all the elements of planning and accountability that are essential to a “management system” in a large business.

4. System Characteristics: Managerialist and Participative Models

Within “management systems” two different models can be found. The first variant stems from what Nielsen terms “rational organisation theory” (Taylorist and bureaucratic models of organisation). Rational organisation theory is associated with top down managerialist models of OHSMS such as Du Pont. Some authorities now consider most voluntary systems to be managerialist. Thus Frick et al. observe that “... most voluntary OHSM systems define top management as the (one and only) actor”. Conversely, an alternative participative model of “management systems” can be traced to socio-technical systems theory, which emphasises organisational interventions based on analysis of the inter-relationships of technology, the orientation of participants, and organisational structure.

The strengths of this typology are two-fold. First, it is grounded in the literature that discusses alternative approaches to managing OHS and different control strategies, and it reflects the principal debates in that literature. Second, it can be operationalised through empirical tests to see which type of OHSMS performs best.

The typology also faces a difficulty in the fact that the “safe place control strategy” is mandatory in Australia and should be found in all workplaces. There is not, therefore, a clear choice between two mutually exclusive control strategies; the workplace with dominant safe person characteristics should also be implementing safe place characteristics.

5. Degree of Implementation: Quality Levels

Frick and Wren expand upon their distinction between mandatory and voluntary OHSMS to further identify three levels of systems objectives, drawn from the literature on product quality control, that represent different levels of achievement and measures of OHSM performance.

6. Degree of Implementation: Introductory and Advanced Systems

The idea that there may be different levels of OHSM has been interpreted another way in Australia, where performance levels in some programs are explicitly developmental (the business graduating up an ascending ladder as it demonstrates compliance with the requirements of each successive level).

One example of an Australian program with developmental steps is the South Australian Safety Achiever Business System (SABS) (formerly known as the Safety Achiever Bonus Scheme). The program specifies five standards (commitment and policy, planning implementation, measurement and management systems review and implementation) linked in a continuous improvement cycle. Three “levels” of implementation are then prescribed, cumulatively introducing all five standards from a basic or introductory program to a continuous improvement system. Different evaluation standards are prescribed for each level.

7. OHSMS Diversity and Evaluation: A Summary

While, in general, this Report advocates care in defining OHSMS with respect to the problems outlined above, for the purpose of this project an inclusive approach to the phenomena is to be adopted. In particular, the term OHSMS will be used broadly to encompass both the highly complex formal systems adopted voluntarily by some businesses as well as the more rudimentary mandatory or advisory frameworks offered to and implemented by small business.

So far, we have shown that OHSMS can vary upon a number of dimensions relating to method of implementation, system characteristics, and degree of implementation. Such variance is important because it affects evaluation and measurement of OHSMS performance. Measures appropriate for one dimension of a system will be irrelevant to another. Evaluation of OHSMS effectiveness may need to take account of what systems are expected to do. Are they to meet complex system or simple design standards?
Are they implemented at the behest of management or external OHS authorities? Are objectives the simple ones such as reducing direct lost-time injuries or do they include satisfying multiple stakeholders? Are they at an early or established stage of development; and which of several different configurations of control strategy and management structure/style is adopted? Drawing upon the review above, the diagram below sets out five key dimensions on which OHSMS vary that need to be considered in evaluation and measurement.

8. OHSMS Diversity: 5 Key Dimensions for Evaluation

While all systems must meet the general requirements for an OHSMS, diversity may occur along five key dimensions as follows:
Implementation method (voluntary, mandatory or hybrid);
Control strategy (safe person/safe place);
Management structure and style (innovative or traditional);
Degree of implementation (from meeting basic specifications to meeting stakeholder needs);
Degree of implementation (from introductory stage to fully operational).

OHSMS is a process of continuous development and innovation, and a process of continuous improvement. In the process, the enterprise culture constantly adjusts the original management idea and realizes a re-engineering of the enterprise safety culture.

1. What Is Safety Culture?

The UK Health and Safety Executive defines safety culture as “... the product of the individual and group values, attitudes, competencies and patterns of behavior that determine the commitment to, and the style and proficiency of, an organization's health and safety programs.” A more succinct definition has been suggested: “Safety culture is how the organization behaves when no one is watching.”

Every organization has a safety culture, operating at one level or another. The challenges to the leadership of an organization are to: 1) determine the level at which the safety culture currently functions; 2) decide where they wish to take the culture; and 3) chart and navigate a path from here to there.

2. Why Is Safety Culture Important?

Management systems and their associated policies and procedures depend upon the actions of individuals and groups for their successful implementation. For example, a procedure may properly reflect the desired intent and be adequately detailed in its instructions. However, the successful execution of the procedure requires the actions of properly trained individuals who understand the importance of the underlying intent, who accept their responsibility for the task, and who appreciate that taking an obviously simplifying but potentially unsafe shortcut would be, quite simply, wrong.

The values of the group (e.g., corporation, plant, shift team) help shape the beliefs and attitudes of the individual, which in turn play a significant role in determining individual behaviors. A weak safety culture can be (and likely will be) evidenced by the actions and inactions of personnel at all levels of the organization. For example, the failure of a critical interlock might have been caused by the mechanic who failed to calibrate the pressure switch and falsified the maintenance records. Alternatively, it might have been caused by the plant manager who denied the funding requested to address staffing shortages in the instrument department.

Audits too frequently reveal ostensibly complete, sometimes sophisticated, management systems within which one or more elements are falling well short of achieving their desired intent. Previously, we might have attributed such failures to a general concept of “lack of operating discipline.” Certainly, the failure to maintain high standards of performance might be a contributor to the problem.
However, deficiencies in other safety culture features likely contributed to the situation.

Industry has gradually accepted the importance of identifying the management system failures that lead to incidents and near misses (i.e., identifying root causes). For example, let us suppose that an incident occurred because a control room operator, leaving at the end of the shift, failed to alert the oncoming operator of a serious, off-standard condition in the process. This problem might be diagnosed generally as a communications problem, with a specific root cause identified as “Communication between shifts less than adequate.” Perhaps, however, perfunctory shift turnovers are the rule rather than the exception, and this circumstance is generally known to supervision. In this circumstance, another root cause related to supervisory practices, “Improper performance not corrected,” might be identified.

This analysis so far leaves a number of questions unanswered, such as “Why do operators shortcut the turnover process and why do they feel comfortable in doing so?” or “Why do supervisors tolerate a practice that jeopardizes the safety of the facility?” We can attempt to answer these questions by seeking to understand the values, beliefs and attitudes that shape individual actions and inactions (i.e., by seeking to understand the safety culture).
By identifying and addressing the pathologies within the safety culture (or, more appropriately, by proactively seeking to maintain a culture free of such weaknesses), we are effectively addressing the root causes of what we typically regard to be the root causes of safety performance problems.

Regardless of whether one is seeking to establish a new safety management system, repair an existing underperforming system, or fine-tune a basically sound system to achieve higher performance, it is the actions or inactions of the individual working within the system that can ultimately be the limiting performance factor. Creating and sustaining a sound safety culture can be a decisive factor in determining the performance of the individual and the system.

3. Who Is Responsible for Safety Culture?

It has been suggested that “…the only thing of real importance that leaders do is to create and manage culture…” The leadership of an organization has the primary responsibility for identifying the need for, and fostering, cultural change and for sustaining a sound safety culture once it is established.

However, not unlike the concept of “safety as a line responsibility,” the responsibility for fostering and maintaining a sound safety culture cascades down through the organization.
Every individual in the organization has a role to play.

Cultures are based upon shared values, beliefs, and perceptions that determine what comes to be regarded as the norms for the organization; i.e., cultures develop from societal agreements about what constitutes appropriate attitudes and behaviors. If the organization feels strongly about a particular behavior, there will be little tolerance for deviation, and there will be strong societal pressures for conformance. Each individual in the organization has a role in reinforcing the behavioral norms.

Thus, in the broadest sense for a sound safety culture, “The organization and each individual” is the most appropriate answer to the question “Who is responsible?” In a sound safety culture, an individual would be expected to intercede if they saw a co-worker about to commit an unsafe act. In a sound safety culture, leadership would be expected to monitor the health of the safety culture and reinforce and nurture it when required. In a sound safety culture, individuals and groups would be expected to speak out if they perceived management acting in a fashion inconsistent with the organization’s values.

4. What Are the Key Attributes of a Sound Safety Culture?

A review of the literature on the topics of organizational effectiveness and safety culture, reinforced by learning from numerous chemical facility audits and incident investigations, has led to the identification of 11 key attributes for a sound safety culture. These attributes are described in further detail in Table 1.

Table 1. Key Attributes of a Sound Safety Culture
• Espouse safety as a core value
• Provide strong leadership
• Establish and enforce high standards of performance
• Maintain a sense of vulnerability
• Empower individuals to successfully fulfill their safety responsibilities
• Provide deference to expertise
• Ensure open and effective communications
• Establish a questioning/learning environment
• Foster mutual trust
• Provide timely response to safety issues and concerns
• Provide continuous monitoring of performance

The six cultural themes distilled from the Columbia investigation can be mapped to these eleven key attributes. It is important to keep in mind that the organizational themes distilled from the Columbia incident do not cover all of the cultural pathologies that could exist within an organization. Your organization may have safety culture weaknesses that did not play a part in the three case studies described in this communications package.

5. What Should Be Done?

While it is not feasible to provide an explicit road map here, there are some basic steps that you should consider to address the safety culture issues within your organization.

Create Awareness. Presumably, that is why you are reading this communications package. Corporate and/or site leadership need an awareness of the importance of safety culture to safety performance. The case histories included in this package should allow you to demonstrate the potential consequences that can result from a weak safety culture. The exercises or workshops that you may choose to conduct, based upon the tools and guidance in this communications package, should help identify any of the more obvious issues and set the stage for further, more detailed evaluations of your safety culture.

Identify a Champion. While every member of the organization should be a supporter of a sound safety culture, your organization may require a Champion if the scope of the cultural transformation is large. Perhaps that is you.
Whoever fulfils this role must understand the dynamics of safety cultures and the process for, and obstacles to, implementing cultural change.

Perform a gap analysis. Learn/evaluate how your culture is performing in contrast with the 11 key attributes. Identify where the gaps are and prioritize a risk-based response to closing these gaps. This is simply stated and difficult to do. Gaining a full understanding of the dynamics of your culture and determining the root causes of any problems is likely not an overnight exercise. However, there are likely to be some readily apparent first steps that could be taken to start the process.

Steward cultural change. When we talk of “managing culture,” it is important that we recognize that leadership’s potency in this matter is limited to inspiring, enabling, and nurturing cultural change. Since leaders cannot change an organization’s values and beliefs through edict, it is not possible to mandate cultural change.

Keep the organization focused. Many organizations have already established sound safety cultures. Not uncommonly, these cultures have been developed in response to, and are reinforced by frequent reference to, significant loss events in the company’s past. Those organizations fortunate enough not to have experienced such a seminal event may find it helpful to draw upon the experience of others in their, or similar, industries. This communications package provides one process industry case study. You may have case studies from your own organization that can be used to emphasize the importance of safety culture. However you do it, it is important to keep the organization, at all levels, focused on “What Is At Stake.”
Advisory Circular
Flight Standard Department of Civil Aviation Administration of China
Reference No. AC-121/135-FS-2008-26
Issue Date: April 29, 2008

Requirements about Safety Management System for Air Operators

1. Basis and Purposes

This Advisory Circular (AC) is formulated pursuant to “Rules on operation certification on large aircraft commercial transport operation” (CCAR 121) and “Rules on operation certification on small aircraft commercial transport operation” (CCAR 135), for the purpose of providing guidance for commercial air transport carriers of large aircraft and commercial air transport operators of small aircraft to establish their own qualified safety management system.

2. Applicability

This AC applies to operators who operate under CCAR-121 and CCAR-135.

3. Reference

This AC is in accordance with the following documents:
(1) <Convention On International Civil Aviation> Annex 6 Operation of Aircraft
(2) International Civil Aviation Organization Doc 9859 Safety Management Manual
(3) FAA AC 120-92 Introduction to Safety Management System for Air Operator
(4) FAA AC 120-59A Air Carrier Internal Evaluation Programs

4. Cancellation

(Standby).

5. Definition

Process – A set of interrelated and interacting activities that transform inputs to outputs.

Procedures – A method for accomplishing a process, or for performing an activity.

Hazard – Any existing or potential condition that can lead to injury, illness, or death to people; damage to or loss of a system, equipment, or property; or damage to the environment.

Risk – The composite of predicted severity and likelihood of the potential effect of a hazard.

Substitute risk – Risk unintentionally created as a consequence of safety risk control(s).

Safety risk management (SRM) – A formal process within the SMS composed of describing the system, identifying the hazards, assessing the risk, analyzing the risk, and controlling the risk.
The SRM process is embedded in the processes used to provide the product/service; it is not a separate/distinct process.

Audit – Scheduled, formal reviews and verifications to evaluate compliance with policy, standards, and contractual requirements. The starting point for an audit is the management and operations of the organization, and it moves outward to the organization's activities and products/services.

Internal audit – An audit conducted by, or on behalf of, the organization being audited.

External audit – An audit conducted by an entity outside of the organization being audited.

Evaluation – A functionally independent review of company policies, procedures, and systems. If accomplished by the company itself, a department of the company other than the one performing the function being evaluated should do the evaluation. The evaluation process builds on the concepts of auditing and inspection. An evaluation is synonymous with the term systems audit.

Auditor – An individual who has satisfied defined experience prerequisites and is successfully qualified under a defined training program to conduct audits.

Safety assurance – Process management functions that systematically provide confidence that organizational products/services meet or exceed safety requirements.

Safety Management System (SMS) – The formal, top-down business-like approach to managing safety risk. It includes systematic procedures, practices, and policies for the management of safety (as described in this document it includes safety risk management, safety policy, safety assurance, and safety promotion).

6. Background and Illustration

The ICAO council adopted in March 2006 the 30th amendment to Annex 6 – Operation of Aircraft. This amendment added that states should make the implementation of a safety management system a mandate for their air operators.
According to Annex 6, all member countries should ask their air operators to implement a Safety Management System which is acceptable to the local authority from January 1, 2009.

Though China's civil aviation industry keeps a high safety management record, the total number of accidents would be unacceptable to the public if we do not adopt effective measures in view of the rapid growth of traffic. Safety focus has moved from hardware problems like aircraft, ATC and airport facility and infrastructure to human factors in transitional phases. Now the focus is on how system and organization influence safety.

A systematic approach to safety management enables operators to clearly identify safety responsibility through policies and goals, encourage everyone to participate, allocate resources effectively and improve operations by adopting risk management, safety assurance and safety promotion, in addition to complying with regulations.

7. SMS composition

7.1 Safety Management.

Modern management and safety oversight practices are moving increasingly toward a systems approach that concentrates more on control of processes rather than efforts targeted toward extensive inspection and remedial actions on end products. One way of breaking down SMS concepts is to discuss briefly the three words that make it up: safety, management, and systems. Then we’ll touch on another essential aspect of safety management: safety culture.

(1) Safety: Requirements Based on Risk Management.

The objective of an SMS is to provide a structured management system to control risk in operations. Effective safety management must be based on characteristics of an operator’s processes that affect safety. Safety is defined in dictionaries in terms of absence of potential harm, an obviously impractical goal. However, risk, being described in terms of severity of consequences and likelihood, is a more tangible object of management.
We can identify and analyze the factors that make us more or less likely to be involved in accidents as well as the relative severity of the outcomes. From here, we can use this knowledge to set system requirements and take steps to ensure that they are met. Effective safety management is, therefore, risk management.

(2) Management: Safety Assurance Using Quality Management

The safety management process described in this AC starts with design and implementation of organizational processes and procedures to control risk in aviation operations. Once these controls are in place, quality management techniques can be used to provide a structured process for ensuring that they achieve their intended objectives and, where they fall short, to improve them. Safety management can, therefore, be thought of as quality management of safety related operational and support processes to achieve safety goals.

(3) Systems: Focusing on a Systems Approach

Systems can be described in terms of integrated networks of people and other resources performing activities that accomplish some mission or goal in a prescribed environment. Management of the system’s activities involves planning, organizing, directing, and controlling toward the organization’s goals. Several important characteristics of systems and their underlying process are known as “process attributes” or “safety attributes” when they are applied to safety related operational and support processes. These process attributes must have safety requirements built in to their design if they are to result in desired safety outcomes.
The attributes include:
(a) Responsibility and authority for accomplishment of required activities;
(b) Procedures to provide clear instructions for the members of the organization to follow;
(c) Measures that provide organizational and supervisory controls on the activities involved in processes to ensure they produce the correct outputs;
(d) Measures of both the processes and their products.
(e) An important aspect of systems management also is recognizing the important interrelationships or interfaces between individuals and organizations within the company as well as with contractors, vendors, customers, and other organizations with which the company does business.

7.2 Safety Culture

An organization’s culture consists of its values, beliefs, legends, rituals, mission goals, performance measures, and sense of responsibility to its employees, customers, and the community. The principles discussed above that make up the SMS functions will not achieve their goals unless the people that make up the organization function together in a manner that promotes safe operations. The safety culture consists of psychological (how people think), behavioral (how people act), and organizational elements. The organizational elements are the things that are most under management control, the other two elements being outcomes of those efforts. For this reason, the SMS standard for air operators (hereinafter the standards) that is contained in the Appendix of this AC includes requirements for policies that will provide the framework for the SMS and requirements for organizational functions (i.e., an effective employee safety reporting system and clear lines of communications both up and down the organizational chain regarding safety matters).

8. The relationship between operator’s operation and protection and authority oversight management of safety

Figure 1 depicts the relationship between the systems that are related to safety.
The Figure depicts the relationships between the technical and management functions in the company (that are related to providing customers with products or services) and the functions that are related to controlling risk.

NOTE: The depiction in Figure 1 refers to functional roles and not organizational structures. It is not meant to suggest that safety management is the sole responsibility of a “safety department” or “safety manager.” In fact, the SMS standard stresses the role of those who manage the productive “line operational” processes in safety management.

[FIGURE 1. Relationships between protection and production. Protection (objective: control safety risk); Production (Operations) (objective: serve customer requirements; outputs = products/services).]

8.1.1 Production

The production process usually involves aircraft operation, operation control, maintenance, cabin safety, ground service and freight. Since the operator’s mission of providing transportation service is fulfilled during the production process, one of the first tasks in effective risk management and safety assurance is to have a thorough understanding of the configuration and structure of this system and its processes. A significant number of hazards and risk factors exist from improper design of these processes or a poor fit between the system and its operational environment. In these cases, hazards to operational safety may be poorly understood and, therefore, inadequately controlled.

8.1.2 Protection

Safety risk is a byproduct of activities related to production. The aviation service provider’s customers and employees are, therefore, the potential direct victims of the consequences of failures in the safety system. It is a primary responsibility of the aviation service provider to identify hazards and to control risk in the processes they manage and their operational environment. The aviation service provider is primarily responsible for safety management.
The aviation service provider’s SMS provides a formal management system for the operator’s management to fulfill this obligation, achieve safe operation and protect the interests of customers and employees.

8.2 Relationships between the production and prevention of operator and oversight management of authority.
Figure 2 depicts the functional relationships between the productive processes in operator’s organizations, their safety management functions, and the functions of authority’s oversight activities. Authority’s oversight activities don’t only apply to operational process of operators, but also apply to operator’s SMS, which provides another layer of protection.

Traditional oversight of aviation authority consists of activities such as certification, continuous airworthiness, investigation, and enforcement of regulations. While traditional oversight functions will continue to exist in future safety oversight systems, the primary means of safety oversight will shift more toward system safety methods and an emphasis on operator safety management to oversee the operator’s safety status as a whole.

FIGURE 2. Relationships between the production and prevention of operator and oversight management of authority.
[Figure labels: Objective: Public safety; Objective: Control safety risk; Outputs = Products/Services.]

9. Introduction About Requirements On SMS of Air Operator

9.1 The Need for Safety Management Standards.

9.1.1 Standardization.
In order to harmonize with other management systems, requirements are formulated according to standard international term structure, which is similar to the format of quality management system ISO 9001-2000.

9.1.2 Auditability.
The REQUIREMENTS is designed to provide definitive functional requirements in a manner that can be audited by the organization’s own personnel, regulators, or other third parties.
To the maximum extent possible, each indexed statement defines a single requirement so that it can easily be used in audits of the system.

9.2 Structure and composition

9.2.1 Functional Orientation.
The REQUIREMENTS is written as a functional requirements document. It stresses “what” the organization must do rather than “how” it will be accomplished in order to provide flexibility of implementation for operators. It is designed to allow operators to integrate safety management practices into their unique business models. Operators are not expected to create a brand new and independent system. Instead they should integrate all the functional requirements into their existing management system. Though every requirement in the REQUIREMENTS is indispensable, operators don’t have to duplicate the existing program that accomplishes the same function.

9.2.2 Composition of Safety Management.
SMS consists of four basic building blocks including policy, risk management, safety assurance and safety promotion. The REQUIREMENTS is organized in four parts to provide functional descriptions for each element.

(1) Policy.
All management systems must define policies, procedures, and organizational structures to accomplish their goals. Requirements for these elements are outlined in part 4 of this document.

(2) Safety risk management.
Risk management is designed to control risk to or below acceptable levels and the requirement for every element is depicted in part 5 of this document.

(3) Safety assurance.
Once these controls are identified, the operator must ensure they are continuously practiced and continue to be effective in a changing environment. The requirement for every element of safety assurance is depicted in part 6 of this document.

(4) Safety promotion.
Finally, the operator must promote safety as a core value with practices that support a sound safety culture.
Part 7 provides depiction of the requirement for every element.

9.2.3 Relationship between Risk Management and Safety Assurance
Figure 3 shows how the safety risk management relates to safety assurance processes. Figure 3 is a functional chart of relationship, not the organization chart. The safety risk management process provides for initial identification of hazards and assessment of risk. Organizational risk controls are developed and, once they are determined to be capable of bringing the risk to an acceptable level, they are employed operationally. The safety assurance function takes over at this point to ensure that the risk controls are being practiced and they continue to achieve their intended objectives. This system also provides for assessment of the need for new controls because of changes in the operational environment.

FIGURE 3. SAFETY RISK MANAGEMENT AND SAFETY ASSURANCE FUNCTION

10. Introduction of Requirements of Safety Management system of Air Operator

10.1 Policy

10.1.1 Safety policy
Safety policy reflects operator’s concept of safety management and its commitment to safety. As the foundation to establish SMS, safety policy provides clear guidance to set up proactive safety culture. Safety policy must be in compliance with relevant states regulations, approved by the top management and promulgated among employees. During the formulation, top management should consult with key personnel in relevant fields, making sure employees are related to these safety policies.

10.1.2 Safety design
Being one part of safety management, safety design works on developing safety objectives and specifying necessary operation procedure and relevant resources, which are used to accomplish safety objectives.
Note: the safety objectives outlined by operator shall not be less restrictive than those of authority in a type, scale and safety level which are proper for operator’s company.
It also has to be auditable.

10.1.3 Organization and Responsibility
Operator should clearly delineate safety responsibilities throughout the organization, especially the direct responsibility of top management. Top management is primarily responsible for safety management and also is the one who will take responsibility eventually. Management must plan, organize, direct, and control employees’ activities, allocate resources to make safety controls effective and assess management of SMS regularly within the organization. While it is true that top management must take overall responsibility for safe operations, it also is true that all members of the organization must know their responsibilities and be both empowered and involved with respect to safety.

10.1.4 Compliance with regulations and other rules
Since information in regulations and other rules would affect operator’s SMS directly or indirectly, operator should establish formal channels to acquire information in order to be aware of the current regulations and other requirements in effect. After noticing the impact on its own SMS by those regulations and other requirements, operator should find out ways to be compliant.

10.1.5 Procedures and Controls
Two key attributes of systems are procedures and controls. Policies must be translated into procedures in order for them to be applied and organizational controls must be in place to ensure that critical steps are accomplished as designed. Organizations must develop, document, and maintain procedures to carry out their safety policies and objectives. The REQUIREMENTS also requires organizations to ensure that employees understand their roles.
Moreover, supervisory controls must be used to monitor the accomplishment of the procedures.

10.1.6 Contingency plan and response
An effective contingency plan would alleviate consequences caused by events and accidents, enabling an orderly and effective switch from normal operation to emergency operation and finally a return to normal operation. The written contingency plan would identify for operator what to do and who shall be responsible in case an unsafe event occurs. In order to ensure the effectiveness of contingency plan, operator shall conduct practices and exercises regularly, checking the effectiveness and finding out what falls short and corresponding corrective actions.

10.1.7. Documentation and Records Management
The value of documentation lies in communicating intentions for unified action. Therefore, the approval, assessment and update, identification, distribution and invalidation for the documentation shall be controlled to ensure the adaptability, adequacy and efficiency of the documentation. A great number of records will be generated in course of operation and safety management and these records can provide the evidence of meeting the requirements and of the effective operation of SMS.

The Safety Management Manual (SMM) includes: safety policies; safety objectives; SMS requirements; procedures and processes of SMS; responsibilities and authorities for procedures and processes of SMS; interaction/interfaces between procedures and processes of SMS. It is documentation that reflects the current status of SMS, is continuously updated, and can deliver the safety management actions of the operator to the entire organization.

10.2. Safety Risk Management
The safety risk management process is used to analyze the operational functions of the organization and their operational environment to identify hazards and to analyze associated risk.
The course of risk management is under the course of the organization’s providing with transport service, and is not an independent or special course.

10.2.1. Systems and Task Analysis
Safety risk management begins with system design. These systems consist of the organizational structures, processes, and procedures, as well as the people, equipment, and facilities used to accomplish the organization’s mission. The system and task descriptions should completely explain the interactions among the hardware, software, people, and environment that make up the system in sufficient detail to identify hazards and perform risk analyses. While systems should be documented, no particular format is required. System documentation would normally include the operator’s manual system, checklists, organizational charts, and personnel position descriptions, etc. A suggested breakdown of operational and support processes for air operators includes:
(1) Flight operations;
(2) Operation control;
(3) Maintenance;
(4) Cabin safety;
(5) Ground servicing;
(6) Cargo handling;
(7) Training, etc.
Long and excessively detailed system and task descriptions are not necessary as long as they are sufficiently detailed to perform hazard and risk analyses. While sophisticated process development tools and methods are available, simple brainstorming sessions with managers, supervisors, and other employees are often most effective.

10.2.2. Hazard Identification
Hazards in the system and its operating environment must be identified, documented, and controlled. It also requires that the analysis process used to define hazards consider all components of the system, based on the system description described above. The key question to ask during analysis of the system and its operation is “what if?” As with system and task descriptions, judgment is required to determine the adequate level of detail.
While identification of every conceivable hazard would be impractical, aviation service providers are expected to exercise due diligence in identifying significant and reasonably foreseeable hazards related to their operations. See Table 1 for the samples of dangerous sources.

Table 1 The samples of dangerous sources

10.2.3. Risk Analysis and Assessment
The standard’s risk analysis and risk assessment clauses use a conventional breakdown of risk by its two components: likelihood of occurrence of an injurious mishap and severity of the mishap. A common tool is a risk matrix. Figure 4 shows an example of one such matrix. Operators should develop a matrix that best represents their operational environment. Separate matrices with different risk acceptance criteria may also be developed for long-term versus short-term operations.

The definitions and final construction of the matrix is left to the aviation service provider’s organization to design. The definitions of each level of severity and likelihood will be defined in terms that are realistic for the operational environment. This ensures each organization’s decision tools are relevant to their operations and operational environment, recognizing the extensive diversity in this area. An example of severity and likelihood definitions is shown in Table 2 below. Each operator’s specific definitions for severity and likelihood may be qualitative but quantitative measures are preferable, where possible.

TABLE 2. SAMPLE SEVERITY AND LIKELIHOOD CRITERIA

Aviation service providers should develop risk acceptance procedures, including acceptance criteria and designation of authority and responsibility for risk management decision making. The acceptability of risk can be evaluated using a risk matrix such as the one illustrated in Figure 4.
The example matrix shows three areas of acceptability: unacceptable (black), acceptable (white), and acceptable with mitigation (gray).

(1) Unacceptable (Black)
If the risk falls into the black area, the risk would be assessed as unacceptable and further work would be required to design an intervention to eliminate that associated hazard or to control the factors that lead to higher risk likelihood or severity.

(2) Acceptable (White)
If the risk falls into the white area, it may be accepted without further action. The objective in risk management should be always to reduce risk to as low as practicable regardless of whether or not the assessment shows that it can be accepted as is. This is a fundamental principle of continuous improvement.

(3) Acceptable with Mitigation (Gray)
If the risk falls into the gray area, the risk may be accepted under defined conditions of mitigation. An example of this situation would be an assessment of the impact of a non-operational aircraft component for inclusion on a Minimum Equipment List. Defining an Operational (“O”) or Maintenance (“M”) procedure in the MEL would constitute a mitigating action that could make an otherwise unacceptable risk acceptable, as long as the defined procedure was implemented. These situations may also require continued special emphasis in the safety assurance function.

FIGURE 4. SAFETY RISK MATRIX

Other tools can also be used for flight or operational risk assessment such as flight operation, operational control, and ground operations risk assessment tools developed by some professional organizations.

10.2.4. Causal Analysis
Risk analyses should concentrate not only on assigning levels of severity and likelihood but on determining why these particular levels were selected. This is often called “root cause analysis,” and is the first step in developing effective controls to reduce risk to lower levels. Several structured software systems are available to perform root cause analysis.
However, in many cases, simple brainstorming sessions among the company’s pilots, mechanics, or dispatchers and other experienced subject matter experts are the most effective and affordable method of finding ways to reduce risk. This also has the advantage of involving employees who will ultimately be required to implement the controls developed.

10.2.5. Controlling Risk
After hazards and risk are fully understood through the preceding steps, risk controls must be designed and implemented. These may be additional or changed procedures, new supervisory controls, addition of organizational, hardware, and software aids, changes to training, additional or modified equipment, changes to staffing arrangements, or any of a number of other system changes.

The process of selecting and designing controls should be approached in a structured manner. System safety technology and practice has provided a hierarchy of control actions that range from most to least effective. Depending on the hazard under scrutiny and its complexity there may be more than one action or strategy that may be applied. Further, the controls may be applied at different times depending on the immediacy of the required action and the complexity of developing more effective controls. For example, it may be appropriate to post warnings while a more effective elimination of the hazard is developed. The hierarchy of control actions is:
(1) Design the hazard out – modify the system (this includes hardware/software systems involving physical hazards as well as organizational systems);
(2) Physical guards or barriers – reduce exposure to the hazard or reduce the severity of consequences;
(3) Warnings, advisories, or signals of the hazard;
(4) Procedural changes to avoid the hazard or reduce likelihood or severity of associated risk;
(5) Training to avoid the hazard or reduce the likelihood of an associated risk.
It is seldom possible to entirely eliminate risk, even when highly effective controls are used.
After these controls are designed but before the system is placed back on line, an assessment must be made of whether the controls are likely to be effective and/or if they introduce new hazards to the system. (The latter condition
Nuclear Safety Law (English version)

Law of Nuclear Safety

Chapter 1 General Provisions

Article 1
This Law is enacted for the purpose of ensuring the safety of nuclear facilities and activities, preventing and mitigating nuclear accidents, protecting the environment and human health, and promoting the peaceful uses of nuclear energy.

Article 2
The term "nuclear safety" as mentioned in this Law refers to the state in which nuclear facilities and activities are operated under normal conditions, and any potential radiation hazard is controlled to a level that does not harm human health or the environment.

Article 3
The State shall implement a regime for nuclear safety and establish a system for the prevention, control, and emergency response of nuclear accidents.

Article 4
The State shall strengthen the organization and management of nuclear safety, and establish a nuclear safety regulatory authority to supervise and administer nuclear safety.

Article 5
The State shall develop a national policy and long-term plan for nuclear safety, and implement safety measures and technical standards applicable to the design, construction, operation, and decommissioning of nuclear facilities.

Chapter 2 Nuclear Safety Regulation and Supervision

Article 6
The nuclear safety regulatory authority is responsible for regulating and supervising nuclear safety, granting operation licenses, conducting inspections and evaluations, and imposing administrative penalties for violations of nuclear safety regulations.
Article 7
The nuclear safety regulatory authority shall establish a nuclear safety regulatory system, formulate nuclear safety regulations, and regularly update and improve them in accordance with scientific and technological advances.

Article 8
Nuclear facility operators shall establish a nuclear safety management system, and bear the primary responsibility for ensuring nuclear safety.

Article 9
Nuclear facility operators shall submit a safety assessment report and other relevant documents to the nuclear safety regulatory authority for review and approval before the construction and operation of a nuclear facility.

Article 10
The nuclear safety regulatory authority shall conduct inspections and evaluations of nuclear facilities on a regular basis, and have the right to order the suspension of operations or impose other necessary measures if any safety issues are found.

Chapter 3 Nuclear Accident Prevention and Emergency Response

Article 11
Nuclear facility operators shall establish an emergency response plan and hold regular drills to enhance their capabilities in preventing and responding to nuclear accidents.
Article 12
In the event of a nuclear accident, the nuclear safety regulatory authority shall promptly initiate emergency response measures, mitigate the consequences, and investigate the causes of the accident.

Article 13
The State shall establish a nuclear accident compensation system, and provide compensation for personal injury, property damage, and environmental pollution caused by a nuclear accident.

Chapter 4 Legal Liability and Penalties

Article 14
Any individual or organization that violates the provisions of this Law and endangers nuclear safety shall bear legal liability according to the law.

Article 15
Any individual or organization found responsible for a nuclear accident due to negligence, violation of regulations, or other wrongful acts shall be liable for compensation and may face criminal charges.

Chapter 5 Supplementary Provisions

Article 16
This Law shall come into force on the date of promulgation.
Nuclear Engineering and Design 240 (2010) 3550–3558
Journal homepage: www.elsevier.com/locate/nucengdes

Integrated framework for safety control design of nuclear power plants

Hossam A. Gabbar
Faculty of Energy and Nuclear Science, University of Ontario Institute of Technology, 2000 Simcoe St. North, Oshawa, Ontario, Canada L1H 7K4

Article history: Received 11 November 2009; Received in revised form 30 June 2010; Accepted 14 July 2010

Abstract
This paper presents an integrated framework for safety control analysis and design for nuclear power plants. It shows the use of process object-oriented modeling methodology (POOM) and fault models to integrate safety requirements, identified hazards, and fault propagation scenarios. Safety control design framework is proposed to show the integration between control systems and safety control design. Hierarchical control charts (HCC) are proposed to integrate process, control, and safety models along with the associated fault models in systematic manner. Process and the associated process and control variables that are involved in safety control systems. The proposed safety control design framework will support the control design and operation of nuclear power plants, as well as the integration with cogeneration facilities such as hydrogen production.
© 2010 Elsevier B.V.
All rights reserved.
E-mail address: hossam.gabbar@uoit.ca

1. Introduction
Process controllers are responsible for executing operating procedures of the underlying system to produce the target product or service in steady, safe, and optimum manner. This means that process control systems should include aspects of process safety. On the other hand, safety systems are designed to ensure overall safety of the underlying system against any possible hazard scenario. In nuclear power plant (NPP), safety systems are represented in the form of independent layers of protections, or barriers. These layers could provide prevention or mitigation means to all possible hazards. Elements of safety systems are represented within process control systems such as alarms, process limits, or control rules/constraints which are translated into control actions. Some of these control actions are dedicated for process control stability or dynamics, while other actions are for safety purposes, such as limiting temperature in a steam generator to be controlled within safety margins. From these two views, i.e. process control design and safety design, the overlap between them represents safety control design. There is a lack of structured framework to support safety control design, which is important for nuclear power industries. Currently, control and safety design practices are fragmented and the gaps between them cause increased risks, cost, and production interruption in terms of frequent installation or upgrade of control or safety systems.

Traditionally, safety system design is implemented completely separate from control design (Davey, 2002). Control systems as explained by many control and simulation experts show distributed control systems to deal with single output controllers for nuclear power plants, such as the case of CANDU (Bereznai, 2001a). In all nuclear power stations, control systems are specified and implemented separately from safety systems (Erickson and Hedrick, 1999). In particular, CANDU control
design is specified separately from safety systems (Harber et al., 2010). Nuclear safety commissioning agencies are requiring strict compliance with safety regulations and verifications in all adopted safety systems. Control design is mainly based on specifying main processes and identifying and analyzing control variables as manipulated, disturbance, and output control variables (Pérez et al., 1997). However, this should include possible deviations in each control variable and possible propagation time, speed, and escalation factors as well as the associated safety controls. In case of safety systems, such as shutdown systems, it is required to identify safety limits and identify adequate safety margins before activating the appropriate shutdown system. Simulation practices are used to adequately calculate safety margins such as steam level/pressure, moderator temperature, etc. (Futao et al., 2000). In fact, effective safety control design can optimize operating cost, by optimizing safety margins to reduce unnecessary shutdown cases (O’Hara, 1994). This includes human factors involved in plant operation to ensure that safety margins are appropriately matched with required operator actions (Moray and Huey, 1988; Lee and Seong, 2004). From engineering and operating companies’ views, it might not be the case when adopting new safety system or upgrade existing system where systematic safety control design framework is required to reduce time and efforts in specifying the target safety system and to reduce the cost and improve the accuracy by developing appropriate integration with existing safety and control systems.

doi:10.1016/j.nucengdes.2010.07.024

Safety design is usually performed during process design where safety limits are identified and appropriate safety protection systems are considered. Also, safety design is considered during plant operation where plant modifications or expansion might require amending safety design. This will include different aspects of safety design as explained by IEC-61508 as well as typical defence-in-depth concepts. In case of safety control design, safety requirements are mapped into safety functions that are categorized into safety instrumented systems (or SIS) and non-safety instrumented systems (or non-SIS). Safety instrumented systems include input elements (sensors), logic solvers (controllers) and final elements (actuators/valves). SIS is commonly referred to as shutdown system or safety control system. Current practices to design advanced safety control systems are focused on treating quantitative or deterministic safety analysis data. In addition, probabilistic safety data are used to estimate risks for identified hazard scenarios. There are limited efforts to integrate these two views in safety control design, and in particular to map safety control instructions.

Fig. 1. Integrated safety control system.

One more challenge in current practices is to systematically formulate safety requirements, which are typically initiated from safety analysis of process safety margins. In addition, there are major limitations to link safety requirement with safety specification and implementation of shutdown systems. IEC 61508 and IEC 61511 are widely used to specify safety protection layers and detailed design of shutdown systems (SIS).

In view of current practices, safety design is conducted by engineering group who dictates the safety requirements to vendors who implement the target safety system while confirming all safety requirements with nuclear safety commissioning agencies. These processes are not well described for operating companies and for researchers. On the other hand, safety systems require high attention in
terms of verification and relatively long compliance validation from nuclear safety commissioning. The systematization and automation of safety control system design will support the validation and verification process which will optimize design and implementation costs and time.

This paper describes a practical framework for safety control design as a smooth integration between process control design and safety control design. The following section describes the integrated control and safety framework, followed by description of modeling framework that integrates process design models with control and safety models. Section 4 describes control recipe design based on safety verification using a case study from nuclear power plant.

2. Safety control analysis

2.1. Proposed integrated system architecture
Typically, safety control systems are implemented as safety programmable logic controller (or SPLC) or as shutdown systems (or SDS). These systems run completely independent from other control systems. The proposed approach is to develop set of smart safety controllers that are dynamic and adaptive to any possible hazard situation that might arise during the operation of nuclear power plants. This includes situations like degradation in plant equipment, operator error, environmental hazards, etc. The identification of risk scenario will trigger appropriate safety control actions that will be executed in the form of safety control instructions. In order to achieve the proposed target, an overview of the proposed safety control system is illustrated, as shown in Fig. 1.

Fig. 2. Integrated process control and safety.

Fig. 3. Integrated safety control design framework.

In the proposed system, real time and simulation data are used as inputs via distributed control systems (DCS), programmable logic controller (PLC), or equipment controllers to analyze process/equipment/environment/human conditions and predict possible hazard scenarios. Risk
levels are estimated for each possible scenario based on fault/failure propagation models and process models. Accordingly, appropriate safety control programs are activated to optimally shutdown the power plant fully or partially and/or to move the plant to a safe state. To facilitate the modeling of fault propagation scenarios, POOM or plant process object-oriented modeling methodology is proposed to associate fault and safety models along with control and behavioral models. Fault semantic network or FSN is used to structure fault models along with the associated process variables. Trends of related process variables are analyzed using trend fusion algorithm or TFA to extract features from all trends related to each fault scenario. Independent protection layers (or IPL) and layers of protection analysis (or LOPA) are used to analyze safety requirements and map to safety systems. And finally safety instructions are mapped to control programs that are implemented using international standards of control programming like IEC 61131. To facilitate the systematic mapping from safety requirements into control programs, engineering formal language or EFL is proposed (Gabbar, 2007).

Fig. 4. Mapping defence in depth to independent protection layers.

Table 1. Defence-in-depth levels.
Level 1   Prevention of abnormal operation and of malfunctions
Level 2   Control of abnormal operation and detection of malfunctions
Level 3   Control of accidents included in the design basis
Level 4   Control of severe accident conditions of the plant, including the prevention of accident progression and mitigation of consequences
Level 5   Mitigation of the environmental/radiological consequences of significant releases of harmful products

2.2. Integrated safety and control design
Based on the proposed system architecture for typical integrated safety control system, it is required to explain practical framework to integrate safety and control design. Typically, process control
design goes through different stages starting from process design. Based on control block diagram, control functions are defined. Control recipes are defined that are mapped to control systems (ISA S-88 Standard, 1995; ISA, 1995, 1996; Lamb et al., 2000). On the other hand, safety design starts with hazard identification that is followed by risk assessment and treatment. This is followed by safety requirement specifications. First layer of safety systems is the inherent safety where opportunities are considered to change process design for safety purposes. Other safety functions are developed based on IPL or independent protection layers. This usually follows the concept of defence in depth, which is typically followed in nuclear power plants. Safety instrumented systems (SIS) or non-SIS are designed accordingly, and linked with control function design stage. The proposed framework is illustrated in Fig. 2.

IEC 61508 proposed high level process safety management framework that describes basic steps to perform safety life cycle activities. The first step is to identify hazards using qualitative and quantitative methods, such as HAZOP, FTA, and FMEA. This step will identify set of possible hazard scenarios along with risks of worst case scenarios. Risk acceptance and treatment/mitigation analysis will be performed to suggest ways to reduce or mitigate risks for cases where risks are unacceptable.

2.3. Proposed safety control design framework
Safety control design framework shows the mapping between process design, control, and safety design. Fig. 3 shows the proposed framework where safety requirements are mapped to process design and linked with fault models. On the other side, safety requirements are mapped to control system design to identify the specific needs for shutdown systems.

2.4. Safety control design and protection layers
The safety control design process is performed in iterative manner via risk assessment and reduction practices using qualitative and quantitative risk assessment
techniques. Some of the safety requirements are implemented as a set of safety designs, e.g. inherent safety. Safety specifications will be examined in view of the independent protection layers (IPL), which include: IPL1: safety design; IPL2: basic process control/alarm; IPL3: critical alarm; IPL4: safety instrumented systems (SIS); IPL5: relief devices; IPL6: physical protection; IPL7: plant/site emergency procedures; and IPL8: community protection. These are developed based on the general framework of defence in depth, which is described in Table 1. The proposed mapping between IPL and defence in depth is shown in Fig. 4. Fig. 4 shows the mapping between defence in depth and safety protection layers. It shows that defence-in-depth levels are mapped to all safety protection layers, which is logical because each defence-in-depth level should be covered by more than one protection layer.

3. POOM-based safety control design

In this section, safety control recipe design is presented based on the process object-oriented modeling methodology (POOM) and the hierarchical control chart (HCC) support tool.

Fig. 5. POOM-based process design, control design, and safety design.

Fig. 6. Activity modeling for safety verification and control recipe design.

3.1. POOM and process design

POOM, or plant/process object-oriented modeling methodology, was developed to facilitate the formulation and verification of process design (Gabbar, 2007). In this research, POOM is enhanced to cover process control and safety design, where process variables are linked with manipulated and disturbance variables within each structural model element and associated with safety requirements and procedures. POOM covers all process dimensions: static, dynamic, functional/operation, safety, and control. The static dimension includes facility, materials/products, topology, and human (Bereznai, 2001a). In other words, it includes the static elements of the underlying process. The dynamic dimension includes behavior models, which are
represented as states, transitions, and messages. The operation dimension includes purposes and methods to be executed and evaluated in response to an incoming message (Erickson and Hedrick, 1999; Futao et al., 2000). These three main views are the basis of the traditional object-oriented modeling approach and can be used to model both the process (i.e. controlled) and the control system (i.e. controller), as shown in Fig. 5. The complete model can be formalized as building blocks of structural static model elements, each associated with operation, behavior, control, and safety model elements.

Fig. 7. Safety requirement hierarchy of NPP.

3.2. Activity modeling for safety verification and control recipe design

As part of control design, safety recovery actions, shutdown recovery actions and process control recovery actions are specified using ISA S88 standards (Davey, 2002; Moray and Huey, 1988; Lee and Seong, 2004; ISA S-88 Standard, 1995; ISA, 1995), where general recipe, master recipe, and control recipe are synthesized for each safety and control action (O’Hara, 1994). Activity models are developed for the proposed safety control practice, as shown in Fig. 6. Process design modeling activities are developed on the basis of POOM, or process object-oriented modeling methodology, which is used to express the nuclear power plant process as building blocks in a hierarchical manner on the basis of ISA-S88: site, cell, unit, and equipment (Davey, 2002). Each process block includes structural information such as input/output ports, materials, and other physical properties. In addition, each process block includes dynamic information such as process variables, states and the corresponding behavioral equations, and function and operational models. In order to systematically design the target control and safety systems, fault models are structured and specified within each process and control block. Such fault models are expressed in qualitative and quantitative forms and tuned using real-time operational data, simulation data, as well as
human experience (Bereznai, 2001a). This is tuned using computational intelligence algorithms that are used to estimate risks at all levels dynamically with each design step, taking into consideration all possible fault propagation scenarios.

3.3. Safety requirements analysis

The fundamental safety requirements are governed by the Canadian Nuclear Safety Commission (CNSC) and are based on the following Golden Rules: control of the reactivity; removal of heat from the core; and containment of the radioactivity. The removal of heat from the core is correlated with the processes that occur in the Primary Heat Transport System (PHT). In this system, the coolant is the working medium for the removal of heat from the core. The coolant travels from the inlet of the reactor, through the fuel, and comes out with higher energy at the reactor outlet. The coolant is cooled in the steam generator by the working medium called the feedwater. The coolant comes out with lower energy from the steam generator outlet, and the cycle begins again. In all these stages, safety requirements are concerned with monitoring the coolant inventory, ensuring the removal of residual heat from the core, maintaining acceptable temperatures in the containing structures, and lastly ensuring that a heat sink is provided at high reliability. This safety requirement has been translated into control steps of maintaining the steam generator level at appropriate levels, as shown in Fig. 7. The maintenance of steam generator level, among other factors, will ensure that a heat sink is provided at high reliability. The case study will model the example of steam generator level maintenance throughout the rest of these processes.

Fig. 8. Simulation based safety control recipe synthesis framework.

4. Safety control recipe design framework

Safety procedures are synthesized in the form of safety control recipes, which are converted into control
programs. The proposed framework for safety control program development is shown in Fig. 8. The process starts with safety requirements specification in generic and plant-specific form, where safety requirements are structured within a knowledgebase. The safety requirement validation process will provide possible symptoms of failure and the corresponding general recipe for recovery. A control recipe will be generated based on failure analysis and the general recipe. The control recipe will be validated and accumulated in the knowledgebase. Based on the IEC 61131-3 standard languages, the corresponding control programs will be developed and translated into DCS/SIS systems.

Fig. 9. HCC for nuclear power plant.

Fig. 10. Shutdown systems SDS1 and SDS2 (Bereznai, 2001b).

4.1. Safety control design within HCC

The design of modern control systems starts with the analysis of control goals and control hierarchy, which requires knowledge of all measured and control variables as well as determination of all of the components, processes and their relations. Control design is systematized using the hierarchical control chart (HCC), which supports control designers in building control functions and block diagrams in a hierarchical manner, integrated with process design. HCC links process design models with the corresponding control models in a hierarchical manner using POOM and in view of ISA-S88 standards. The proposed automated hierarchical control chart is integrated with an interactive knowledge database that enables access to processes and parameters across the underlying process domain. Process and control information is stored in the database and captured at different levels of the process and control hierarchy. A standard legend for HCC is presented, where blocks are marked with “P” for process blocks and “C” for control blocks. A numbering mechanism is proposed in which hierarchical numbering is used, such as “P1.1”, “C1.2”, etc. HCC enables the control designer to construct the target
control system as integrated with the underlying process, so that lines between control and process blocks will identify the process–process, process–control, control–process, and control–control integration. This is essential to specify and validate the relationships between process variables, control variables, manipulated variables, and disturbance variables within each process and control block. The control blocks will be expanded hierarchically down to the lowest level, where control programs are specified in the form of function block diagrams (FBD) on the basis of IEC 61131 standards (Morris, 2000; Toon, 2002). Fig. 9 shows an example of HCC representing a nuclear power plant connected within the electricity grid. HCC will provide detailed mapping between process variables, control variables and their relationships with safety requirements.

Fig. 11. HCC for steam generator process and control.

Fig. 12. Safety control program represented using FBD.

The lowest-level control programs are mainly the control recipe.
For safety control design, safety control programs are designed based on hazard scenarios and possible prevention, control, and mitigation scenarios. The next section describes the process of safety control recipe synthesis using safety requirements and process simulation.

5. Case study

Safety control design of a shutdown system is selected as a case study. A safety control recipe is the set of procedures required to execute safety actions, such as a shutdown operation. The Canadian National Safety Commissioning (CNSC) requires well-defined and verified safety procedures that are known and documented. The difficulty with this approach is the limited ability to completely identify all possible fault propagation scenarios and design the corresponding safety control recipes. The proposed safety control recipe synthesis is based on automatic, real-time identification of new fault propagation scenarios, which are simulated and for which the corresponding safety control recipe is synthesized.

5.1. CANDU shutdown systems

To understand the proposed system, shutdown systems for CANDU reactors are considered. Shutdown system-1, or SDS1, utilizes neutron-absorbing cadmium rods, which are inserted vertically into the reactor core. The rods are dropped by gravity after the release of an electro-magnetic clutch to trigger the shutdown state.
There are mechanical requirements, such as that full insertion should be within 2 s, to be able to control the excess reactivity as a fail-safe design. Shutdown system-2, or SDS2, has six nozzles placed at the side of the Calandria, which are horizontally mounted across the moderator. Each nozzle is connected to a liquid tank filled with gadolinium nitrate (GdNO3), which acts as a poison that is injected into the moderator by opening the valve between the high-pressure helium tank and the poison tanks. Fig. 10 shows both shutdown 1 and 2 as connected to the Calandria.

Trip parameters that trigger the shutdown actions include: high neutron power, high rate of rise of neutron power, high coolant pressure, low coolant pressure, high building pressure, low steam generator level, low pressurizer level, high moderator temperature, low coolant flow, low, and steam generator pressure. The shutdown control system is triggered once parameter thresholds are exceeded. Typically, independent channels are used independently for each shutdown system, where a trip of any two of the three channels will trip the reactor by triggering the shutdown system.

Table 2
Safety control logic.
If Neutron-Power Is High (>SDS1-UL) Then Trigger SDS1
If Neutron-Power Is High (>SDS2-UL) Then Trigger SDS2
If Neutron-Rise-Rate Is High (>SDS1-UL) Then Trigger SDS1
If Neutron-Rise-Rate Is High (>SDS2-UL) Then Trigger SDS2
If HEX-Flow Is Low (<SDS1-UL) Then Trigger SDS1
If HEX-Flow Is Low (<SDS2-UL) Then Trigger SDS2
If two-channels are tripped Then Trigger SDS1
[Delay 2 seconds to monitor the action]
If Dropped-Rods < n Then Trigger SDS2 with %-Parameter [as SDS1 is not adequate, SDS2 should run with amount of poison]
UL means upper limit, HEX means heat exchanger.
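The two-out-of-three voting and the SDS2 backup rule of Table 2 can be exercised as follows; this is an added Python example, not code from the paper. The numeric limits, the rod count of 28, all names, and the fail-safe treatment of an invalid sensor reading are assumptions made here, and the %-Parameter poison amount is not modelled.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    neutron_power_max: float      # trip when reading is above (% full power)
    neutron_rise_rate_max: float  # trip when reading is above (%/s)
    hex_flow_min: float           # trip when reading is below (% nominal flow)


# Constructed numbers: Table 2 names SDS1-UL and SDS2-UL but gives no values.
SDS1_LIMITS = Limits(110.0, 10.0, 70.0)
SDS2_LIMITS = Limits(115.0, 15.0, 60.0)


@dataclass(frozen=True)
class Reading:
    neutron_power: float
    neutron_rise_rate: float
    hex_flow: float


def channel_tripped(r, lim):
    """One channel trips when any monitored parameter crosses its limit."""
    values = (r.neutron_power, r.neutron_rise_rate, r.hex_flow)
    if any(math.isnan(v) for v in values):
        return True  # assumption added here: an invalid reading fails safe
    return (r.neutron_power > lim.neutron_power_max
            or r.neutron_rise_rate > lim.neutron_rise_rate_max
            or r.hex_flow < lim.hex_flow_min)


def vote_2oo3(channels, lim):
    """Two-out-of-three voting across the independent channels of one system."""
    if len(channels) != 3:
        raise ValueError("expected exactly three channels")
    return sum(channel_tripped(r, lim) for r in channels) >= 2


def shutdown_actions(sds1_channels, sds2_channels, dropped_rods, required_rods):
    """Return the shutdown systems to trigger, in order.

    dropped_rods is the rod count confirmed inserted after the 2-second
    monitoring delay; it only matters when SDS1 has been triggered.
    """
    actions = []
    sds1 = vote_2oo3(sds1_channels, SDS1_LIMITS)
    sds2 = vote_2oo3(sds2_channels, SDS2_LIMITS)
    if sds1:
        actions.append("SDS1")
        if dropped_rods < required_rods:
            sds2 = True  # SDS1 not adequate, so back it up with poison injection
    if sds2:
        actions.append("SDS2")
    return actions


# Constructed sample readings
NORMAL = Reading(100.0, 0.5, 100.0)
OVERPOWER = Reading(112.0, 0.5, 100.0)   # above the SDS1 limit, below the SDS2 limit
LOW_FLOW = Reading(100.0, 0.5, 55.0)     # below both flow limits
BAD_SENSOR = Reading(float("nan"), 0.5, 100.0)

if __name__ == "__main__":
    ok = [NORMAL] * 3
    print(shutdown_actions([OVERPOWER, NORMAL, NORMAL], ok, 28, 28))     # one vote only
    print(shutdown_actions([OVERPOWER, OVERPOWER, NORMAL], ok, 28, 28))  # SDS1 trips
    print(shutdown_actions([OVERPOWER, OVERPOWER, NORMAL], ok, 20, 28))  # rods short
```

A single tripped or invalid channel does not shut the reactor down, while SDS2 fires as a backup whenever fewer rods than required are confirmed after the monitoring delay.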
Table 2 shows the safety control parameters used to synthesize safety control programs.

5.2. Developed safety control programs

IEC 61131-3 is the international standard for control programming. Control programs should be structured on the basis of IEC 61131-3 so that they can be easily implemented within safety and control systems. IEC 61131-3 offers a set of standard programming languages: Ladder Diagram (LD); Sequential Function Charts (SFC); Function Block Diagram (FBD); Structured Text (ST); and Instruction List (IL). Safety control programs can be implemented using IEC 61131-3 for both recovery and shutdown scenarios. One safety recovery operation scenario is selected from the steam generator. Fig. 11 shows the high-level process and control diagram for the case study of the steam generator and the corresponding controllers. Each line is identified by a number that is used to link it with the detailed control chart. Fig. 12 shows the input/output lines from the steam generator or boiler controller, while Fig. 10 shows the corresponding Function Block Diagram (FBD) of the safety control program to maintain the steam generator level. It shows that once a steam generator level high signal is detected in the controller, it will trigger the standby valve LCV to be opened and the isolation manual valve to be closed. In addition, it will transfer control to the secondary steam generator level controller.

Fig. 13. Control design for nuclear–hydrogen cogeneration.

5.3. Case study-2, nuclear–hydrogen cogeneration

In this example the safety control design is studied for cogeneration of nuclear and hydrogen. This is applied to CANDU (CANada
Deuterium Uranium) power stations as integrated with hydrogen (Rosen et al., 2008). Fig. 13 shows the control hierarchy of the proposed CANDU–hydrogen power station. The practice of safety control design is essential to ensure safe cogeneration. For example, a hazard of high steam pressure might be interpreted within the CANDU power station as a shutdown scenario. Such a scenario can be eliminated through integration with hydrogen cogeneration, by supplying more steam to the hydrogen process for more hydrogen production. The safety control program will be modified within CANDU to increase the opening angle of the steam valve V1 to allow more steam to the hydrogen process.

6. Conclusions

Nuclear power plants and other production and manufacturing industries are seeking practical integrated safety control design to ensure safety across all control activities in an automatic and accurate manner. This can be achieved by integrating process design models with process control and safety models. In this research, POOM is proposed to provide such a modeling framework, where plant static models, dynamic behaviors, operational models, control, and safety models are integrated to enable the systematic design of safety control systems. HCC, or hierarchical control chart, is proposed to automate such integration, enabling the identification of control and safety models as integrated with process design. The activity models to conduct safety control design are proposed using IDEF0. The proposed safety control design framework is integrated within control design, and safety control programs are synthesized on the basis of IEC 61131-3 standards to ensure smooth and unified implementation in different plant technologies.
Safety requirements are identified from different hazard scenarios and mapped to safety control recipe recovery operations and shutdown scenarios. Examples are selected for safety control design from CANDU power station and CANDU-hydrogen cogeneration facilities.

Acknowledgements

Thanks to IEEE NPSS and CNSC for the valuable information regarding nuclear reactor safety and control design. Also, thanks to students who helped in this research work.

References

Bereznai, G., 2001a. Nuclear Power Plant Operations. UOIT.
Davey, E., 2002. Design principles for CANDU control centres in response to evolving utility business needs. In: Proceedings of Canadian Nuclear Society Conference, Toronto, Ontario, pp. 1–7.
Erickson, K.T., Hedrick, J.L., 1999. Plant Process Control.
Zhao, F., Ou, J., Du, W., 2000. Simulation modeling of nuclear steam generator water level process: a case study. ISA Transactions 39, 143–151.
Gabbar, H., 2007. Formal representation of meta-operation of chemical plants. In: IEEE Transactions on Systems, Man, and Cybernetics – Part C: Applications and Reviews, vol. 37, 4, July 2007.
Bereznai, G., 2001b. Nuclear power plant systems and operation, simulator user manual. Faculty of Energy Systems and Nuclear Science, University of Ontario Institute of Technology (UOIT), Oshawa, Ontario.
Harber, J., Borairi, M., Tikku, S., Josefowicz, A., 2010. Documenting Control System Functionality for Digital Control Implementations. Atomic Energy of Canada Limited, Mississauga, Ontario.
ISA, 1995. Batch Control: Batch Control Part 1: Models and Terminology. ANSI/ISA-88.01-1995.
ISA, 1996. Possible Recipe Procedure Presentation Formats. ISA-TR88.0.03-1996.
ISA S-88 Standard, 1995. ISA-88 Batch Standards and User Resources, 2nd Edition, 1995 (R2006), Copyright 2007 by ISA - The Instrumentation, Systems and Automation Society.
Lamb, L., et al., 2000. Basic Concepts of ISA-S88.01-1995 Batch Control. ISA Encyclopedia of Measurement and Control.
Lee, S.J., Seong, P.H., 2004. Development of automated operating procedure system using fuzzy colored petri nets for nuclear power plants. Journal of Annals of Nuclear Energy 31 (8), 849–869.
Moray, N.P., Huey, B.M., 1988. Human factors research and human safety. In: Proceedings of Panel on human factors research needs in nuclear regulatory research, Committee on Human Factors, Commission on Behavioral and Social Sciences. National Research Council, Washington, DC, pp. 13–19.
Morris, A., 2000. IEC 61131 – A User’s Perspective From Innogy. INIS: International Nuclear Information System.
O’Hara, K., 1994. Cost of Operations Affects Planfulness of Problem-Solving Behaviour. In: Proceedings of CHI’94, Conference on Human Factors in Computing Systems, Boston, MA, USA, pp. 105–106.
Pérez, A., Strietzel, R., Mort, N., 1997. Control Engineering Solutions. Institution of Electrical Engineers.
Rosen, M.A., Naterer, G.F., Chukwu, C.C., Sadhankar, R., Suppiah, S., 2008. Nuclear-based hydrogen production with a thermochemical copper–chlorine cycle and supercritical water reactor: equipment scale-up and process simulation. International Journal of Energy Research.
Toon, K., 2002. Open Automation and Control IEC 61131 in Safety Applications. INIS: International Nuclear.

Hossam A. Gabbar is Associate Professor and Director of Energy Safety & Control Lab, in the Faculty of Energy Systems and Nuclear Science, University of Ontario Institute of Technology (UOIT). He obtained his Ph.D. degree (Safety Engineering) from Okayama University (Japan). He obtained his BSc (First Class of Honors) in the area of Computer and Automatic Control, Alexandria University. He is specialized in process control and safety engineering where he initiated several research and industrial projects, which are applied on different
disciplines such as oil & gas, energy, nuclear power, and manufacturing and production systems. Prior to moving to Canada, he was Associate Professor in Okayama University (Japan), where he established his research lab in the area of safety and green energy and production systems. He worked with Tokyo Institute of Technology and Japan Chemical Innovative Institute (JCII), where he participated in national projects related to process control and safety engineering for green production systems, batch process operation, oil & gas operation design & verification, biomass production systems, and plastic production chain with recycling. He developed new methods for control recipe synthesis and verification, safety design, and quantitative and qualitative fault diagnosis and simulation. He proposed new process modeling and simulation techniques for green hybrid energy supply chain planning and operation, which facilitate the smooth and optimum implementation of renewable and clean energy technologies. He is a Senior Member of SMCS IEEE, the founding chair of SMC Chapter – Hiroshima Section, the founding chair of the technical committee on Intelligent Green Production Systems (IGPS), and a member of the technical committee on System of Systems and Soft Computing (IEEE SMCS). He is an invited speaker in several universities and international events, and PC/chair/co-chair of several international conferences. He is the author of more than 90 publications including books, book chapters, patent, and papers in the area of process control and safety engineering and green hybrid energy systems.