3.1 Need for a Safety Methodically Concept

3.1.1 The Need for Action in Safety Engineering

The last century was marked by epoch-making technological achievements. The two world wars caused devastating destruction, but reconstruction also accelerated the technical progress which, above all, characterized the years of rebuilding after the Second World War. New technologies were developed and are being constantly further developed. Worldwide air travel has long become a reality; space technology has become a productive branch of the economy, and microelectronics and computer technology are now an indispensable part of private life. However, as a result of this technological progress, the number of engineering fields has grown—technical subjects are now taught in the technical universities and colleges whose existence half a century ago was not even imaginable. Of course, safety technology has also kept developing continuously parallel to technological progress although specifically for the individual fields of engineering. One of the key reasons for this application-oriented safety technology structured according to individual fields of engineering is to be found in the German legal system since the legal basis for safety technology is also structured according to engineering fields: construction law, railways legislation, air traffic legislation, atomic energy legislation and test facilities legislation, to name just a few.

To date, the number of technical specialist fields has already increased to such an extent that the total field of technical knowledge would have become immense and poorly manageable had not interdisciplinary management methods and system-technical working procedures been introduced. Planning, tracking (monitoring) and verification are carried out with these methods in the various technical specialist fields by following a holistic procedural concept. Over the last forty years, these interdisciplinary management methods and system-technical working procedures, grouped together under the term “interdisciplinary teamwork”, have found ever greater application. No major project, which today could cover many years, is now undertaken without the input of a central project management system. With increasing globalization, there is also a greater necessity for internationalized project management with a multilingual capability and operating over national borders. The world of technology does not seem to recognize borders any more. However, these borders do exist, namely in the field of safety engineering. Apart from already existing European regulations (which are, however, principally supposed to ensure the free movement of goods), the provisions of different national legislation still apply here. What they all have in common is their assumption that safety technology is structured on the basis of application-specific fields of engineering.

As has already been mentioned, new sociopolitical ideas arose at the beginning of the 1970s which appeared to make a “risk-free” life possible for citizens (see Sect. 3.1). Thus, public debate was increasingly more concerned with conceivably possible side effects than with the technical facility whose implementation process needed to be managed in the best possible way. Ultimately, it was no longer a technical but increasingly a legal body which had the final say on the safety of the affected facilities. It is problematic that the very exemplary standards issued by DIN show a remarkable variety of different term definitions for “safety” and “technical safety”.

Around twenty years ago, the European Union (EU) commenced its efforts aimed at implementing the free movement of consumer and capital goods. Bound up with this was the question as to how safety could be ensured for the people using the goods. The instruments for safety monitoring and approval, whose character at this time was mostly nationally oriented, tended to place obstacles in the way of trade rather than removing them. Therefore, the European Commission created with its New Approach and Global Approach a catalogue of measures by which a high degree of independence from national bodies was supposed to be achieved on the operative level. The instrument for this was the Declaration of Conformity which, according to the resolution of the European Union Council, could be issued by either the manufacturer itself or a so-called Notified Body. The level of safety itself is laid down in the European directives and generally partly specified in detail in mandated technical standards. Opinions vary as to the ultimate effectiveness of this catalogue of measures. It has clearly already been recognized that both the New Approach and the Global Approach have considerable weaknesses and to some extent are a long way behind the effectiveness of the system they replaced. These weaknesses, which at the time of introduction were already known to the experts dealing with safety issues, are diverse, and improvements are currently being made by the European Commission. The “General Product Safety Directive” 2001/95/EG applies over and above the product-related directives. This regulates that all products being put on the market within the European Economic Area have to be safe. Precisely how this is to be ensured does, however, call for further regulation.

In both aeronautical engineering and space technology, the New Approach system is still supplemented, as before, by mandatory international or European airworthiness tests or final system tests. The European Interoperability Directives introduced in the railways sector also stipulate in this way that, when the national safety authority grants authorization for putting into service, the New Approach system be supplemented by a final system test.

There is, therefore, sufficient need for a safety methodically holistic concept in which the hidden commonalities of existing safety concepts (admittedly limited by being application-specific) are joined together into an interdisciplinarily applicable overall concept. The VDI has the interdisciplinary technical expertise to elaborate and present such a safety methodically holistic concept.

3.1.2 Introduction to the Application Area Safety Engineering

In their performance of public services, state bodies and institutions—in Germany at least—had up to this point carried out safety-related verification analyses and, in this way, actively participated in the control of technical risks. The relevant EU directives in the meantime envisage these safety-related verifications being increasingly left to the free market and only monitored by the state. The expertise required for this in the field of technical safety, which was previously mostly the concern of governmental agencies, must now be obtained on the free market. The approach outlined in this VDI publication is intended to maintain and spread this safety-related expertise by encouraging a safety methodically concept which, by extensively referring to generally accepted technical regulations and defined objectives, offers a firm basis for engineering practice in the field of safety engineering. This safety methodically concept is equally applicable to the maintenance and further development of existing fields of technology (e.g. civil engineering, transportation systems, chemical process engineering, energy technology, aviation, plant engineering and construction, mechanical engineering or electrical engineering) as to the conceptual design of innovative technologies and their controlled safety-related development.

The term “technical safety” is understood as meaning that a technical system, technical facility or product will fulfil its intended functions over a planned period of time (if applicable, its planned lifetime) and, provided it is operated according to regulations, will not injure or damage any objects of legal protection. This means that neither persons nor property is injured or damaged in as far as the system, the technical facility or the product can be responsible for this. Reliability of function over the envisaged lifetime is not a necessary component of safety, provided loss of function does not lead to an unsafe state.

In the context of discussing technology, safety means more than just technical safety. In everyday speech, a person feels “safe” when he/she does not feel threatened. This threat need not be existential in nature in any way. An impending loss in the quality of life can already trigger a prejudice against technology. In a liberal and affluent society, a situation in which one’s own way of living is determined by others and the associated feeling of being dependent on conditions not freely chosen (loss of autonomy) can result in aversive reactions in individual groups when the subject of the limits of safety is raised.

On the one hand, the bases for decisions are more weakly developed here in some of the engineering sciences, but also in the life sciences. On the other hand, the public’s notions of safety are so broad that adequate acceptance can only be achieved on the basis of a risk-minimization imperative—a limitation with an accepted limiting risk. The expectations of the consumer are manifestly expressed in the idea behind the purity regulations, which at least cover the immediate necessities of life such as food, drinking water and air. Technologies, such as those concerning preservation and processability, which infringe the purity regulations while still offering clear benefits, are only tolerated for as long as they do not infringe legally stipulated contamination levels, provided these technologies are being correctly employed (one example is “good farming practice”). The gap between these levels and the higher health tolerance threshold can however be several orders of magnitude. The rule is to set permissible limit values as low as necessary but as high as possible.

From this point of view, safety-related technical considerations must, in the broader sense, also apply to the safeguarding of consumer expectations. Incidents which result in threshold values being violated are perceived by the public in most cases as an imminent threat to their physical integrity. Experience shows that the reaction of state supervisory bodies strengthens this impression, especially when there is insufficient latitude for assessing the proportionality of the means for hazard prevention.

In the main features of a general safety methodically concept, the particular form of dealing with “residual uncertainty” (which is a standard concept or special characteristic of the life sciences) cannot be ignored in discussions about the uses and harms in risk management, but it is not examined in greater detail. Clarification is needed that this is an interdisciplinary, scientifically based safety guideline. In the interests of precise statements, the lines of argument and the terms used in this publication have been borrowed from the engineering sciences.

3.1.3 Reasons for this Publication

Spectacular incidents and accidents with a great public impact repeatedly raise the question of adequate safety in technical facilities. In such cases, there is a tendency for some of the media not only to respond to the event itself in their news reports but also, at the same time, to rush to assign blame. There is a very common attitude of quickly pointing the finger at a culprit responsible for the failure. Accordingly, there will always be technical experts who support these assumptions as far as possible. In the next step, the question is then immediately asked as to whether the laws, statutory orders, monitoring requirements and sets of regulations are adequate to ensure the expected level of safety.

This typical approach disregards the fact that

  • there is no such thing as 100% safety, even though the limits of safety are always to be observed,

  • safety must be generated—in other words, developed and produced—before it can be maintained and monitored during utilization, and

  • complex circumstances do not in most cases allow the identification of a monocausal connection in incidents and accidents. Instead, damage often results from events during implementation which were not taken into consideration, from unknown influences or from previously unidentified chains of multiple influences.

Safety is, in most cases, created by applying relevant standards and codes of practice and existing legal provisions. Safety concepts are developed with mathematical models and analytical methods. Years of empirical experience gained specifically in the most diverse application areas (civil engineering, transportation systems, chemical process engineering, energy technology, aviation, plant construction, mechanical engineering, electrical engineering, etc.) are also integrated in these concepts. This is one of the reasons why no uniform safety concept as yet exists which spans all application areas.

The development, construction, design and manufacture of a particular technical facility are thus determined by different safety concepts. Detailed operating instructions, operating regulations and maintenance instructions are drawn up for its operation and requirements formulated for retrofitting. Monitoring of operations by the owner and the other bodies entrusted with monitoring is clearly regulated.

The conceptual design, development, manufacture, operation, decommissioning and monitoring of technical facilities require in a particular way the skills of engineers. The VDI addresses these issues with this publication firstly by presenting to the specialist community the current situation regarding the safety of technical facilities. In addition, problem areas are identified such as:

  • legal appraisals, assessments and judgments which have a bearing on safety,

  • unforeseeable events and chains of events leading to disturbances and failures of technical facilities and

  • the individual person as a developer, manufacturer, user, operator and monitoring agent who, although not working free of error himself/herself, nevertheless has a decisive influence on safety.

Recommendations for an interdisciplinary safety concept are derived from this as to how the most diverse safety concepts must be designed and further developed in the future and how the cooperation of all participants must be organized for this purpose.

3.1.4 The General Framework for Technical Safety

Insight into and understanding of the limits of technical safety derive from a number of aspects, e.g. the probability of occurrence and expectation of damage, failure, perception and risk, whose importance requires fundamental and binding clarification. Technical safety is limited by the probability of damage occurring or, depending on the case, the failure of a technical facility. The circumstances are usually subsumed under the term “risk”. This is, however, a complex concept (see Sect. 3.3.3) because it is modified by a very different and constantly changing perception.

Dealing with risks which are insufficiently known or are not manageable poses a problem, and difficulties also arise when markedly diverse opinions prevail regarding the assessment of a risk. In such cases, the necessary precautions are essentially a sociopolitical decision. Primarily taken into consideration are dangers emerging from nature, the natural environment, the technical environment, human inadequacy and mistakes:

  • hazards from the natural environment may arise, for example, due to:

    • climatic influences in all possible forms at the location (wind, snow, ice, temperatures, etc.),

    • physical influences (e.g. lightning strikes, earthquakes) and

    • reduction in the resistances of construction components due to corrosion, fatigue and ageing;

  • hazards from the technical environment may arise, for example, due to:

    • exceeding specified unladen weights and actual loads,

    • influences from the technical environment (nearby buildings, vehicle collisions, physical exposure, chemical exposure),

    • reduction in electrical resistance due to corrosion, fatigue and ageing,

    • production-related failure to reach the calculated requirements for construction components and supporting structures and

    • exceptional influences arising from use (fire, explosions).

Human inadequacies and mistakes can be the causative source of a hazard or impede a successful prevention of hazards. This includes all decisions, actions and omissions in planning, execution and utilization which may be based on a series of factors, e.g.

  • subjectively unrecognized or objectively unknown hazards,

  • insufficient knowledge,

  • information gaps, misunderstandings,

  • incorrect decisions due to political pressure or misconceived thriftiness and

  • negligence.

Hazards may also arise through intentional but unfathomable human actions.

With regard to the possible consequences, the frequency and duration of hazards and the type of preventive measures necessary, a distinction can be drawn between:

  • permanent situations whose duration is of the same order of magnitude as the useful life of the system or facility concerned (intended course of operation),

  • temporary situations of short duration and with a high probability of occurrence (possibly a rectifiable disturbance of intended operation) and

  • exceptional situations arising from exceptional influences or, in the case of local failures, of short duration and with a low probability of occurrence, with long recurrence intervals and a great potential for danger (see also Table 3.1 in Sect. 3.2.1.1).

    Table 3.1 Hazard categories

3.1.5 Legal Basis of Technical Safety

Technical safety is very largely based on the engineering and natural sciences and is administrated by the relevant regulatory legislation. The safety of technical facilities is created by methods which provide systematically hierarchized safety precautions (see Table 3.1). These are formed by both technical measures and organizational arrangements. Detailed regulations often exist for technical measures and regulate the requirements for measures such as safety margins, the degree of redundancy, the diversity to be provided and testing. Limiting values, test specifications and management systems are required and implemented in the form of laws and often as sub-statutory regulations as regards technical and organizational measures. Public technical safety for the citizen thus generally requires that the utilization of technology does not

  • unacceptably affect the individual in his/her right to life and physical integrity,

  • unacceptably, impermissibly—due to hazardous substances, for example—or irreversibly damage the environment or

  • damage other objects of legal protection (property of third parties).

The guarantee of public technical safety thus falls within the responsibility of the individual nation state and, in some fields increasingly, within the responsibility of the EU and even, if applicable, of the United Nations. Public-technical safety is the part of safety which is characterized by the systematic individual risk and the collective risk emerging from the active and, in particular, the passive utilization of technical products, facilities and systems as well as the associated processes for whose regulation the state is responsible. All in all, the state has responsibility for ensuring the safety of its citizens against risks arising from scientific and engineering research and development especially as regards application of the results obtained and forms of technical implementation. It is referred to here as “public-technical safety” and also so understood in general.

Guaranteeing public-technical safety in a constantly changing technological and industrial environment can in its current significance and complexity only be regarded as the state’s provision for its internal and external safety. Technical facilities must therefore comply with the objective legal system. It is implemented by legislation in the field of technology, for example, by means of special legal regulations, provisions, guidelines and technical rules. A danger to public safety or order exists when circumstances or an event will probably damage an asset under legal protection if the occurrence objectively expected is permitted to continue unobstructed (Second Senate of the Federal Constitutional Court in its decision of 08.08.78, File no.: 2 BvL 8/77, the so-called Kalkar judgement).

In principle, a distinction is to be drawn between a concrete, tangible hazard and an abstract hazard, which is only conceivable. As to the expected occurrence of damage, the two types of hazard have the same requirements regarding probability. The distinction between “concrete” and “abstract” hazards lies in the point of view. Concrete hazards relate to the individual case, whereby the time at which damage possibly occurs need not be imminent. This time is, however, not so far off that it is no longer manageable.

A hazard is deemed to exist when observation of certain types of behaviour or conditions leads to the conclusion that there is sufficient probability that damage will occur in an individual case. There must therefore be grounds for preventing such hazards even with general-abstract means, e.g. in technology law itself or by technical rules. Verification of the probability of occurrence can then be dispensed with in the individual case. Hazards which are detected when generally accepted threshold values are exceeded are clearly of a concrete nature.

The necessarily vaguely formulated legal requirements regarding the technical safety of technical systems and facilities must be made concrete with technical rules drawn up, not by legally competent committees, but by experts from the relevant technical fields.

The necessary governmental measures are determined primarily by the inherent potential for damage of the respective technical products, processes, facilities and systems, including their subsequent effects. They range from legislative frameworks covering approval and supervisory functions to direct state intervention.

In its duty of care, the state has an obligation to do its utmost to prevent or, by all means, limit injury not only to society as a whole but also to individual humans. In this matter, however, it is not only the safety requirements of the objects of legal protection under consideration—humanity and the environment, for example—which can be determined. It requires, rather, a balancing of their usefulness and/or necessity for society on the one hand and the risks of technology on the other. This results in a risk management system.

3.1.6 Ethical Principles

Technical safety is essentially developed by engineers and natural scientists even though the humanities are becoming increasingly influential. In their responsibility for this, they not only comply with the provisions of the applicable legal system but also, above all, follow the ethical and moral principles which have evolved over the millennia of Western history. The engineer’s responsibility is thus anchored in basic ethical standards and the moral obligations developing from them.

In recognizing the engineer’s responsibility, the VDI has committed itself to the following ethical principles for the profession of engineer (Düsseldorf, March 2002):

“Engineers

  • are individually or jointly responsible for the consequences of their professional work as well as for the diligent discharge of their specific duties,

  • acknowledge their obligation to deliver sensible technical inventions and sustainable solutions,

  • are aware of the interrelationships of technical, social, economic and ecological systems and their effects in the future,

  • avoid deeds which result in constraints on and restriction of independent action,

  • orientate themselves on the basic principles of general moral responsibility and respect labour, environmental and technology legislation,

  • discuss conflicting values on an interdisciplinary and cross-cultural basis,

  • seek institutional support when profession-related moral conflicts arise,

  • participate in the formulation and updating of legal and political guidelines,

  • commit themselves to constant further training and

  • involve themselves in technological mentoring in basic and further education programmes in schools, universities, companies and associations”.

In everyday life, however, the distinction between ethics and morality is blurred, whereas in philosophy a clear line is drawn between ethics and morality. Ethics is accordingly the scientific examination of the various aspects of morality, and the subject of ethics is morality. Ethics deals not only with basic questions relating to the nature of morality and the possible rationale for moral standards (“meta-ethics”) but also with questions relating to the content of moral values and standards (“normative ethics”)—in other words, with good and bad. Among the most important questions in normative ethics is the question to which extent consideration of consequences may or must play a role in the moral evaluation of human actions. There is no case when moral standards alone suffice to justify certain actions and strategies. If damage is to be prevented and benefits created, goodwill must always be supplemented by expertise and a prognosis capability.

The concept of morality includes both objective and subjective components. Objective components include the standards, principles and moral concepts which society lays down for the individual and are partly reflected in the legal system. Included in this are the institutions (family, media, politics, courts) which set, endorse or enforce these standards (see also [3; 4]). Corresponding on the subjective side to objectively prescribed standards are personal principles, guiding principles and ideals on the one hand and the moral attitudes, motives, feelings and willingness to act of the individual on the other. In practice, the borderline between ethics and morality is blurred. A person who acts morally usually also has an idea of the sense and function of the moral standards he/she follows and advocates and how these standards are justified. Consciously expressed to a greater or lesser extent, this also of course applies to the responsibility of engineers in their daily work and the confidence placed in their work.

Longer-term planning must arise from communication processes dealing with values and strategies for implementing them—they must not be dictated “from the top down”. One such strategy is already advisable for pragmatic reasons (risk management). A diktat almost inevitably leads to credibility, trust and legitimacy crises in industry, politics and bureaucracy and contributes significantly to the polarization of positions. A stealthy introduction of new technologies by administration with a later assurance of acceptance through suitable public relations measures does not make sense here.

Rather, acceptance should be secured right from the start by means of a discursively conducted yet technically and strictly orientated approach in safety-engineering procedure. This is an essential, maybe even mandatory, requirement for the acceptability of a democratically legitimized industrial policy. Many discussions in industrial societies are unsatisfactory since they are based on preconceived notions and one-sided presentations of the incompleteness of the current situation and assume indifferent ethical values.

3.2 Generating Safety

3.2.1 Principles of Safety Engineering

3.2.1.1 Safety—An Interdisciplinary Task

With the aid of the technical resources they have created, human beings seek to expand and perfect continuously their possibilities. This fact, which is verifiable in our cultural history, represents a well-grounded challenge in itself for every engineer. It consists of regarding it as one of his/her primary tasks, when implementing future engineering tasks, to do justice to the constant striving of human society to perfect the safety of technical products. The actual task here is for the human to adopt technology as a supportive function by creating the connection in the so-called human–machine systems or socio-technical systems. This challenge becomes all the more important when engineers are forced to watch an increasing lack of knowledge in the general public as regards scientific and technological correlations, which has resulted in an often frightening distrust of technology. Engineers should therefore strive to make their technical skills in the safety field generally comprehensible and understandable even for non-technicians and the layperson. In this way, the unease felt by the public towards technical facilities will be removed or at least limited to the point where no unthinking technophobia arises.

Accidents and incidents repeatedly give reason to investigate and eliminate their causes. In this matter, the effectiveness of proven and generally accepted safety-engineering precautionary measures needs to be examined. The VDI once again clearly stresses the engineers’ duty of constantly developing further the field of “technical safety”, simplifying its applicability and making it comprehensible to non-technicians.

In this context, however, questions do arise such as:

  • Is insufficient importance being attributed today to the safety of modern, complex socio-technical systems?

  • Is profitability increasingly being given priority over safety?

  • Are the relevant technical standards no longer being sufficiently observed?

  • Are the relevant technical standards no longer sufficiently productive?

  • Are laws and statutory orders being flouted?

  • Is there a lack of surveillance by governmental agencies and supervisory bodies?

  • What importance does the human being have on the various operating levels?

  • Are the understanding and assessment of technical laws underdeveloped (e.g. due to deficiencies in imparting knowledge in schools)?

With regard to the possible consequences of hazards, it seems appropriate to distinguish three hazard categories in technical systems or facilities within the normal range of experience (see Table 3.1). In this respect, both the public’s need for safety (danger to life and limb as well as environmental hazards and the importance of the system or facility) and the commercial aspects (possible economic consequences, utilization requirements) must be provided for, whereby priority is given to the first criterion. The overall effort required in the individual hazard categories to determine countermeasures varies depending on the possible consequences of the hazards.

As a basic rule, plant components and assembly parts must be classified differently according to their importance for the nature and serviceability of a technical facility or product. In a simplified form, all important components of a system or technical facility within the scope of individual measures can be assigned to one of these hazard categories. Every safety concept should be orientated with its measures towards these hazard categories.

Achievements in safety engineering have up until now always been adequate for the underlying technological innovation achievements. However, it does seem that safety engineering and safety legislation are gradually being deprived of an ordered applicability. Particularly in modern, technologically innovative and complex systems, the following aspects are currently making it more difficult to find the most effective solution in safety engineering:

  • the plethora of technical rules and standards, which often exhibit technical- and application-specific differences,

  • legal regulations which apply in a purely application-specific way and the spheres of responsibility of supervisory institutions,

  • the wide diversity of opinions among experts in technical and application-specific matters and

  • the specialist terminology cultivated in every technical discipline.

Even in the sphere of classical engineering, which has been manageable until now, signs of adverse effects are now emerging because

  • experienced specialist personnel are either no longer available themselves or have not had sufficient opportunity to pass on their own knowledge of basic principles and contexts to subsequent generations of engineers,

  • knowledge concerning aspects of safety-engineering methodology in technical rules and standards is gradually becoming swamped by the ever-increasing volume of engineering knowledge, and

  • in the course of rationalizing projects, changes in technical concepts may have been implemented without any methodological adaptation of the corresponding safety-engineering precautionary measures.

Although our legal system lays down legal requirements for safety engineering, there is no uniform concept covering all applications. This makes it more difficult for operating engineers to pursue interdisciplinary cooperation in the field of safety engineering. Political opponents of the expansion and modernization of the technical–industrial infrastructure now tend to have technical safety concepts checked by the courts rather than, as before, by expert engineers. This often leads to compromises in which, for politically motivated reasons, even safety-engineering shortcomings are accepted.

Can the looming over-regulation and bureaucratization of safety engineering and safety legislation still be averted and steered down more appropriate paths? Does the state not even have the duty, in the course of deregulation and liberalization, to compensate for the disappearance of regulations by establishing other safety principles, for example rigorous market surveillance?

The VDI also seeks to give answers to these questions. In doing so, the following central aspects are examined:

  • increasing pressure towards interdisciplinary cooperation of all concerned fields and in all fields of technology,

  • generalization across all technical fields of the various safety-engineering concepts by finding the “hidden commonalities ”,

  • subsequent feedback and application of the discovered generalization across all technical fields to individual technical fields,

  • consideration of the entire life cycle of a product —from the initial idea to final disposal (see Sect. 3.2.1.2) and

  • interplay between safety and the limits of feasibility on the one hand and commercial viability on the other.

As innovative technologies are developed, the corresponding safety-engineering concepts must also be worked out. For this purpose, already existing safety concepts should be investigated for hidden commonalities and merged into a safety methodically concept. A concept of this kind should include the tried and tested findings of safety engineering, which extend from fields of application that have developed primarily empirically, e.g. railway technology, to analytically shaped fields of application such as aviation and space technology. The spectrum ranges from the deterministic concept, which is based on classic if-then relationships with directly verifiable causality in the occurrence of events, to the probabilistic concept of reliability, which is based on probability assessments of possible events and consideration of their possible occurrence (both approaches are explained in Sect. 3.2.2.4). The comprehensive safety-engineering standardization in the fields of construction and electrical engineering should be taken into consideration here just as much as the failure-analysis-based safety engineering of aviation and space technology.

It is a matter here of how concepts in safety engineering and legislation which are practised in different application-specific ways and have developed differently over time can be merged into a single, interdisciplinary safety methodically concept. Recourse to the methodology presented here for an interdisciplinary concept in the field of safety engineering (see Sect. 3.2.3) facilitates not only communication but also interdisciplinary cooperation between the different technical specialist fields as well as between engineers, representatives of business, politics and the judiciary, and fellow citizens. This in turn benefits technological innovation projects and the understanding of safety-engineering concepts. In this way, safety-engineering concerns which are already properly respected are prevented from being pushed out of the engineer’s consciousness as soon as improvements or other changes are made to technical equipment, facilities or systems.

The highly complex technologies with a great potential for utilization, which were brought to a respectable level of maturity in the latter half of the twentieth century, proved for the first time that even wide-ranging engineering tasks can be reliably mastered with working methods on a system-technical basis. The methodology of working system technically is presented in this publication (see Sect. 3.2.3). Consistently applied, this concept enables the objectives of safety, reliability and availability, which frequently cannot simply be superimposed on one another, to be implemented cost-effectively in one system. This is an engineering task whose universally applicable solution has to be found in interdisciplinary cooperation, as an optimization between safety and cost-effectiveness, not only in the creation of safety concepts but also in engineering practice.

3.2.1.2 Application of the System-Technical Phase Concept

In order always to maintain sufficient transparency of the technological and organizational content of complexly structured, technologically innovative and/or high-standard safety-engineering systems, facilities or products, their complete life cycle is subdivided into time segments, hereinafter referred to as “phases”. Such a subdivision into content and time segments makes it possible to set, at the beginning of each clearly delimited phase, clear objectives, the basic conditions to be observed, and other requirements and procedural instructions. At the end of each phase, the results obtained can be checked against the set objectives and requirements. On the basis of the results determined, the objectives, basic conditions, other requirements and procedural instructions are then set for the following phase. A phase concept of this kind not only facilitates technical management but also notably secures the required organizational management measures and, ultimately, makes it possible for the first time to track and monitor the specified objectives properly.

The phases in the product life cycle as shown below will run in chronological order although it does remain possible, in the event of possible inconsistencies, that individual phases run recursively (as indicated by the blue recursion arrows in Fig. 3.1).

Fig. 3.1 Phases of the product life cycle

Due to the indispensable transparency of these specialist interrelations, the analysis in this publication is geared towards the phase approach presented previously. The topic of “technical safety” should be integrated into this phase concept. This applies not only to the generation of safety in every single phase of the life cycle but also to its verifiability.

Technical safety is one of the outstanding attributes of a technical system, facility or product. Creating technical safety is a task for engineers and, where necessary, scientists; it is not accomplished by itself or incidentally. Even more than any other technical specialist field, the generation and verification of technical safety requires not only the specialist knowledge of the engineers and scientists involved but also special attention and care on the part of technical–industrial management. Therefore, the safety-engineering process requires the same care and attention as the rest of the project over the entire life cycle of a system, facility or product, including any refitting or measures to extend its service life. Thus, all aspects and features of technical safety in every single phase of this life cycle require proper and competent planning, proper tracking and complete verification. Such a process of planning, tracking and verification extending over the entire life cycle of a system, facility or product is commonly referred to as “controlling”. Since this case is concerned with controlling in the field of “technical safety”, the appropriate term here is “safety controlling”.

3.2.1.3 The Role of the Individual in the Safety of Complex Socio-technical Systems

Incidents and accidents in recent years have made one thing ever clearer in some fields: after decades of improvements, the possible beneficial effect of further improvements to technical system components in highly complex facilities with a high hazard potential is constantly decreasing. In connection with this, the relative importance of human actions in triggering accidents and incidents is increasing. However, it would be an unacceptable simplification always to focus solely on the operator acting directly at the human–machine interface (MMI). It follows from the principle of deeply hierarchized system protection, which is always implemented in complex technical systems, that an individual single error must not lead to a serious incident or accident; various technical or organizational barriers should prevent this. Only where weaknesses lie dormant and unrecognized in the system and an unfortunate, often stochastically caused constellation of adverse conditions arises can an incident or accident path be opened up and followed as a result of individual single errors at the MMI. This leads to the events assessed as negative.

The so-called phase concept (see Sect. 3.2.1.2) makes it possible to consider the entire product life cycle of technical facilities comprehensively and in detail, from conception through definition, development and construction, manufacture, operation and use up to dismantling, including disposal and recycling. In all phases of this chain, human action makes a significant contribution to the reliability (or lack of it) and the safety (or lack of it) of technical systems. Therefore, it is important to provide quality assurance in all phases of the life cycle of a product or service. Furthermore, analysis of serious events indicates that the control potential of human activity is also extremely important in reducing the possibly adverse or devastating consequences of accidents. The field of “human factors” (HF) is becoming an ever more pressing complex of problems which requires specific answers. The human contribution to the safety and reliability of socio-technical systems thus has a high relative importance.

“Human factors” are therefore to be understood as all those factors over the entire product life cycle which affect individuals in their interaction with a technical system or are caused by individuals. In this respect, the unconsidered and frequently encountered synonymous use of “human factors” and “human error” or even “human failure” is impermissible, just as is the traditional restriction of human factors to the ergonomic aspects of the MMI. Organizational factors, division of labour, prior management decisions and even inter-organizational relations are relevant here in terms of a comprehensive, holistic understanding of “human factors”.

The human contribution to the reliability and safety of socio-technical systems is made under general conditions which provide both indispensable potential and unalterable limitations. Both must be taken into account in the design of the system since “the human with his/her natural abilities and limitations must take centre stage in all systems built up by humans for humans” (“Declaration of Saarbrücken” on the occasion of the “World Congress on the Safety of Modern Technical Systems”, Saarbrücken, 2001). One ability in particular makes the human superior to the machine: the ability to learn, which compensates for the susceptibility to error and is an important component in safety-oriented action.

Operating mistakes are defined as the failure to achieve an intended action. It would therefore be a contradiction in terms to assume that someone could deliberately make a mistake. Whether an operating mistake was made can therefore only be determined with hindsight, after clarifying whether a “correct”, target-oriented act was possible. Seen in this way, the very common kneejerk reaction of assigning blame (“human error”) for a mistake contradicts the “human right to err” which safety researchers call for. A reasonable error culture treats a mistake as a learning opportunity and does not ask “How could you have done such a thing?”, but rather “How could it have come to this?”

Operating mistakes originate from many conditions, especially from

  • an overtaxed mental capacity for processing information,

  • unreasonable attentiveness demands, monotonous work,

  • inherent or learnt (inappropriate for the tasks on hand) behaviour stereotypes or

  • limited knowledge.

All of these are potential stresses and strains which exceed the human capacity for action. In the interest of preventing injury to people and the environment, system design should take into account both the natural human potential and human limitations, for example by fault-tolerant construction and design.

The automation of socio-technical systems has particular significance here. From a technical point of view, it often seeks to exclude the “error-prone” human to the maximum extent possible. In fact, the more complex systems become, the more necessary the human contribution becomes. Bainbridge speaks here of the “ironies of automation” (in [5]). In the first place, the developer of a system is, as a rule, a human, who is also susceptible to making mistakes and can thus have a negative effect on the correct use of the developed system. In the end, after pursuing a strategy of maximum automation, the developer leaves the operator only those tasks which could not be automated. The result is comparable with what psychologists have called “learned helplessness”: the lack of use of motor or cognitive skills becomes a problem when an unforeseen event occurs and new behaviour patterns are required of the inexperienced operator. Similarly, the purely supervisory function that remains for the operator after comprehensive automation is negatively affected by the proven human weakness in remaining attentive for long periods.

Furthermore, complex situations requiring a decision can become a problem. Provided all necessary elements of a decision in the production process can be specified, an automated, computer-aided decision can be made faster and over more dimensions than a decision by the operator. However, the operator is then possibly left with judging, on a meta-level, the result of a decision whose algorithm he/she does not understand, or understands only insufficiently. Automation can thus mask system failure and obstruct correct diagnosis and rectification. What is required is therefore not maximum but appropriate automation, which preserves the human’s learning and operational capability so that optimally designed safety measures result.

3.2.2 Procedures for an Interdisciplinary Safety Methodically Concept

3.2.2.1 General Outline

In what follows, a general overview is given of the basically valid procedure for the required system-related work on safety engineering, especially with regard to public safety. The interdisciplinary “safety methodically concept” referred to here is presented in Sect. 3.4. The basic principles listed below form the basis for its composition.

3.2.2.1.1 General Agreements on Safety Engineering

As a fundamental rule, technical systems must be designed in compliance with safety requirements such that they meet the current state of public safety. This fundamental requirement is suspended only when, during testing of the system and its components, safety is temporarily assured by specific measures appropriate to the needs of the test operation.

In designing a technical system which complies with safety requirements, the following safety-engineering design criteria are to be agreed on:

  • The human with his/her natural abilities and limitations must be the focus. Among other considerations, this requires the user-friendly design of technical systems.

  • A single failure must not cause or encourage a safety-critical failure in the complete system.

Should a technical design meeting these criteria not be possible:

  • combinations of failure cases in structural units (failure mechanisms , causal chains )—including human operating errors—which could lead to a safety-critical failure within the entire system must be made recognisable by active or passive self-inspection.

If a technical design which satisfies this requirement is not possible here either (e.g. because this would impair reliability), the following also applies:

  • The probability of multiple failures (e.g. a simultaneous single failure of different structural units) which could lead to a safety-critical failure within the complete system must not exceed a specific limiting value relating to the particular type of operation in each case.

  • The definition of such limiting values is dependent on stochastic conditions of the failure behaviour of the structural units concerned in each case and the specified limiting value considered appropriate for the complete system.

A safety methodically procedural concept for the safety-engineering design of products and technical facilities assumes that the following basic principles are also observed in all activities required for safety-engineering reasons:

  • The “safe state” or “safe functional behaviour” must be clearly defined and recorded in the relevant specification for every structural unit. This may require exact functional and requirement analyses to be carried out for operating activities, with due consideration of their feasibility.

  • The technical design should be such that, in the event of multiple failure interactions in the failure mechanism, the possibility of the function loss of a sub-system or the entire system is ruled out.

  • Limiting values of failure probabilities, which are required for the respective structural units, must be set so that fulfilling the safety requirements applicable to the entire system is not put into question.

As regards the time response of the failure rates applying to safety-critical failure events, the requirements relating to service life as laid down in the specifications of the particular structural unit will apply.

3.2.2.1.2 Requirements of the Procedure for Safety-Compliant Design

For all safety-engineering activities—including the appropriate verification —the following sequence of methodically appropriate measures applies with respect to conceivable hazards (see Table 3.1):

  1. exclusion of safety-critical failure events (failure exclusion due to natural or technical integrity),

  2. exclusion of the consequences of safety-critical failure events (exclusion of failure consequences) and

  3. limitation of the probability of safety-critical failure events or mistakes by application of reliability engineering.

This sequence applies to the safety-engineering process and does not represent a priority ranking for a safety-engineering quality rating of the measures referred to.

The methodical approach, which is determined by the defined sequence above, assumes that all structural units in the system are verifiably in flawless and trouble-free condition at the beginning of every stage of use and that mistakes, which can arise not only during the production process and operation but also during maintenance work, are prevented by the appropriate precautions.
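The third measure in the sequence above, and the corresponding design criteria in Sect. 3.2.2.1.1 (no single failure may cause a safety-critical system failure; the probability of multiple failures must stay below a limiting value; unit-level limits are derived from the system-level limit), can be made concrete with a small reliability calculation. The following Python block is an added example and is not part of the original text: it assumes constant failure rates (the exponential law), independent structural units, a “stage of use” that starts from a verified flawless state, and illustrative failure rates, mission time and system limit chosen for demonstration. It also shows the reverse direction, apportioning a system-level limit down to a per-unit limit, which is the step the text describes as setting limiting values so that the system requirement is not put into question.

```python
import math

# Constructed illustrative values (assumptions for this example, not from the text)
MISSION_HOURS = 1000.0   # length of one stage of use, starting from a verified flawless state
SYSTEM_LIMIT = 1e-6      # admissible probability of a safety-critical system failure per stage


def unit_failure_probability(rate_per_hour: float, hours: float) -> float:
    """Exponential law: P(unit fails within t) = 1 - exp(-lambda * t)."""
    return 1.0 - math.exp(-rate_per_hour * hours)


def group_failure_probability(rates_per_hour, hours: float) -> float:
    """A 1-out-of-n group of independent units carries a function as long as one unit works.
    The group fails only if every unit fails, i.e. on a multiple failure."""
    p = 1.0
    for rate in rates_per_hour:
        p *= unit_failure_probability(rate, hours)
    return p


def system_failure_probability(group_probs) -> float:
    """Groups in series: the system suffers a safety-critical failure if any group fails."""
    p_survive = 1.0
    for p in group_probs:
        p_survive *= 1.0 - p
    return 1.0 - p_survive


def single_failure_rule_holds(groups) -> bool:
    """'A single failure must not cause a safety-critical failure': every safety-critical
    function must be carried by at least two independent units. This is a structural check
    and is independent of how small the failure rate of a lone unit may be."""
    return all(len(g) >= 2 for g in groups)


def allocate_unit_limit(system_limit: float, n_groups: int, units_per_group: int) -> float:
    """Equal apportionment of a system-level limit down to one per-unit limit.
    Series of n identical groups:  1 - (1 - p_g)^n <= P_sys  =>  p_g <= 1 - (1 - P_sys)^(1/n)
    1-out-of-k group of identical units:  p_u^k = p_g         =>  p_u  = p_g^(1/k)"""
    p_group = 1.0 - (1.0 - system_limit) ** (1.0 / n_groups)
    return p_group ** (1.0 / units_per_group)


def assess(groups, hours: float = MISSION_HOURS, system_limit: float = SYSTEM_LIMIT) -> dict:
    """groups: list of 1-out-of-n groups, each a list of per-unit failure rates in 1/h.
    Returns the structural single-failure verdict and the probabilistic limit verdict."""
    group_probs = [group_failure_probability(g, hours) for g in groups]
    p_sys = system_failure_probability(group_probs)
    return {
        "single_failure_rule": single_failure_rule_holds(groups),
        "group_probs": group_probs,
        "system_prob": p_sys,
        "within_limit": p_sys <= system_limit,
    }


if __name__ == "__main__":
    # Constructed design: two safety-critical functions, each on a redundant pair of units.
    # Redundancy satisfies the single-failure rule, yet the multiple-failure probability
    # over the stage of use still exceeds the assumed system limit.
    print(assess([[1e-5, 1e-5], [2e-5, 5e-6]]))
    # A lone unit fails the structural rule no matter how reliable it is.
    print(assess([[1e-7]]))
    # Per-unit failure probability each of the 2 x 2 units may have to meet the system limit.
    print(allocate_unit_limit(SYSTEM_LIMIT, 2, 2))
```

The two verdicts are deliberately separate: the single-failure criterion is a structural requirement that cannot be bought back with a lower failure rate, whereas the limiting-value criterion is the probabilistic fallback the text allows only where the structural criteria cannot be met.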

3.2.2.1.3 Safety Methodically Work Steps in Project Management

The safety methodically concept must be applied in project management . In this matter, the following work steps must always be carried out:

  • transfer of the methodically prepared “safety-engineering catalogue of requirements” into project or system specifications covering the entire “product life cycle”,

  • safety-related requirements of the design of the system and its structural units, which requires the involvement of various safety-engineering-relevant specialist fields,

  • planned setting of the implementation steps in terms of human factor engineering,

  • determination of the safety requirements which are subject to verification (public safety),

  • determination of the safety requirements necessary to obtain the operation permit and

  • compilation of safety-critical failure modes and preparation of the plan for safety controlling (goal: “lessons learned ” for experience feedback).

3.2.2.2 Modules of the Safety Methodically Concept

The basic principles of safety-engineering design are to be systematically coordinated so as to establish an interdisciplinary procedure. This should be uniformly applicable not only to the project in question, the new technology thereby created and the conventional technology employed in practice, but also to the assessment by the responsible supervisory body. A further general application is the investigation of damage to technical facilities.

A valid work and evaluation methodology is thus established for the entire scope of a project. This brings the safety-engineering design criteria essential for getting authorization into a quantitatively assessable relationship with those design criteria which are important for cost-effective utilization and, thus, technical reliability.

Disturbances caused by failures originate mostly in the individual component or in structural units with a low level of integration. However, the safety-critical effects often become evident only on the basis of the functional interaction, which arises from the technical design of the overall complete system. The access required here can only be obtained by means of a suitable information management system.

One basic deficiency is, for example, the ambiguity of technical terms as defined in different technical fields. Since creating new technologies always requires an integration of knowledge from several specialized fields, terms which are not clearly defined in the technical standards in a universally applicable form should be systematically avoided. This is because they either can be interpreted differently depending on the specialist field (such as the term “fail-safe”) or are intended only for use in deliberately restricted areas of application (e.g. the term “signal-technical safety” in DIN VDE 0831). This is especially true when common language use already has unambiguous terms in this regard (such as the term “safety”). As a basic principle, however, words such as “safe” or “safety” should not be used in the designations of structural units, not even when safety verification supposedly already exists for the structural unit.

The term “maintenance” is used here specifically for all measures to preserve and restore the nominal state of constructions, unless a modification is involved. It therefore includes preventive maintenance, inspection and repair, although a distinction can certainly be made between maintenance and repair in terms of content. In everyday speech, “maintenance” covers the upkeep and modernization work which, in the prevailing public understanding, is necessary to preserve the nominal condition. “Repair”, on the other hand, means the measures required to restore the nominal condition of a construction after it has been lost due to unforeseen events, e.g. a fire, or due to a lack of correct maintenance work. Maintenance must be carried out correctly. This applies not only to the frequency and accuracy of the measures but also, especially, to the form of their implementation. If special expertise or specific technical equipment is required, maintenance can, under certain circumstances, only be correct if the work is carried out by a tradesman, expert or specialist company.

An appropriate information management system is an indispensable requirement for the interdisciplinary procedures of a safety methodically holistic concept.

3.2.2.3 Human Factors Engineering

Discussion of the design and engineering of new technical facilities focuses almost exclusively on technical problems, while aspects of human factors engineering (HFE) play only a subordinate role, if any. Of course, basic technical design criteria must be given priority in the first stages of a technical concept. This is advisable if only because of the cost commitments thereby triggered.

However, all technical systems and, in particular, complex facilities consist, without exception, of technical and human components—in other words, they are socio-technical systems. HFE principles for designing socio-technical systems require development and design processes in which optimization of human–machine interfaces as a common optimization of both technical and human components starts determining the concept at the earliest opportunity.

Different areas are addressed here which are to be tackled on an interdisciplinary basis:

  (a) Draft of an overall HFE plan

    The plan should clarify how and in which phases of the overall design and construction process of future facilities HFE aspects should be systematically taken into consideration.

  (b) Evaluation of operational experience

    As a first step, it makes sense from the HFE point of view to carry out an evaluation of the experiences identified in already installed, comparable systems in order to avoid problems encountered there and to incorporate positive experiences into future drafts.

  (c) Functional requirement analysis and task assignment

    The objective is to analyse the requirements of the system in its different functional areas, identify performance requirements and explore the limits and possibilities of the design for options in the task sharing of the human and machine. In this matter, particular attention should be paid to the important principle of the “active operator” gained from HFE experience. Questions also fall into this category concerning possible new requirements of the operating team and the resulting requirements of the qualification mix and functional reallocation of tasks within the team, as well as the development of appropriate criteria for the design of workplaces. Furthermore, this planning covers the assignment of tasks between the human and machine, including planning for automation measures.

  (d) Centralization/decentralization of monitoring and control stations

    Closely bound up with the problem of functional requirement analyses is the question of the extent to which decentralized monitoring and control stations are established, whose personnel in turn require appropriate qualifications.

  (e) Organizational aspects

    The mutual assignment and interaction conditions of different required personnel categories should be analysed together with the dynamic changes in responsibility for tasks in regular operation, incidents and accidents. There is also the question of how, for example, the European directives on work and environment protection require consideration of ergonomics and are relevant to the work organization of facilities.

  (f) Determination of qualification requirements

    Depending on the division of functions, qualification requirements plans would need to be developed and proposals for their implementation worked out.

  (g) Decision support systems (DSS)

    Computer-aided DSSs could be used for checking task fulfilment on the part of the personnel and for identifying appropriate procedures in case of need. In this context, the extent to which the use of computer-aided DSSs would entail changes in the interaction modes of personnel should be investigated.

  (h) Design of control equipment (e.g. control rooms, control centres)

    This includes, among other things, questions regarding the role of analogue and digital signal systems, their redundancy, the use of adaptive displays, transparency of reports and feedback loops for the effects of operator actions. Another point of investigation would be to examine how the team character of the work can be consistently taken into account.

  (i) Participatory ergonomics

    Ways and possibilities of involving experienced operators in the design process should be investigated. In the interests of an iterative optimization strategy, an analysis should be made of the possibilities and consequences of implementing the principle of “first the simulator, then the facility”. Likewise, possibilities of using “rapid prototyping” should be investigated.

    The term “rapid prototyping” in this context denotes the rapid creation of prototypes on the basis of design data. Rapid prototyping processes are thus manufacturing processes whose aim is to convert existing CAD data directly and rapidly into work pieces, if possible without manual detours. These procedures, known as “rapid prototyping” since the 1980s, are usually moulding processes which build up the work piece layer by layer from shapeless or shape-neutral material by using physical and/or chemical effects.

  (j) Internal facility incident and emergency measures

    This concerns the implementation of HFE principles when developing technically correct, comprehensive, explicit and easy-to-handle procedures in the event of disturbances, incidents and emergencies.

  (k) Prevention of operating errors by

    • instructions and prohibitions as well as appropriate training and

    • built-in interlock devices which, following an operating error, automatically switch to a safe state or safe functional sequence.
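The last item, together with the principle in Sect. 3.2.2.1.1 that the “safe state” must be clearly defined and recorded, is illustrated by the following Python model. It is an added example and not code from the original text: it assumes a hypothetical press with a lockable guard door, defines the safe state explicitly as “drive de-energised”, validates every operator command against both the recorded transition table and the guard state, and on any operating error forces the safe state rather than silently ignoring the command. An unknown guard-sensor reading is treated as unsafe, which is the fail-safe default a practitioner would expect. The equipment, states and command names are assumptions for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class DriveState(Enum):
    DEENERGISED = "de-energised"   # the recorded safe state: no stored energy reaches the tool
    ARMED = "armed"
    RUNNING = "running"


class GuardState(Enum):
    CLOSED_LOCKED = "closed+locked"
    OPEN = "open"
    UNKNOWN = "unknown"            # sensor fault or not yet read: treated as unsafe


SAFE_STATE = DriveState.DEENERGISED

# Permitted transitions (current drive state, command) -> next drive state.
# Any (state, command) pair not listed is an operating error.
TRANSITIONS = {
    (DriveState.DEENERGISED, "arm"): DriveState.ARMED,
    (DriveState.ARMED, "start"): DriveState.RUNNING,
    (DriveState.RUNNING, "stop"): DriveState.ARMED,
    (DriveState.ARMED, "disarm"): DriveState.DEENERGISED,
}

# Commands that may only be executed while the guard is closed and locked.
GUARDED_COMMANDS = {"arm", "start"}


@dataclass
class Interlock:
    drive: DriveState = SAFE_STATE
    guard: GuardState = GuardState.UNKNOWN
    log: list = field(default_factory=list)

    def guard_changed(self, state: GuardState) -> DriveState:
        """Guard sensor update. Opening or losing the guard while energised trips to the safe state."""
        self.guard = state
        if state is not GuardState.CLOSED_LOCKED and self.drive is not SAFE_STATE:
            self._trip(f"guard {state.value} while drive {self.drive.value}")
        return self.drive

    def command(self, cmd: str) -> DriveState:
        """Operator command. Out-of-sequence or guard-violating commands trip to the safe state."""
        if cmd in GUARDED_COMMANDS and self.guard is not GuardState.CLOSED_LOCKED:
            self._trip(f"'{cmd}' with guard {self.guard.value}")
        elif (self.drive, cmd) not in TRANSITIONS:
            self._trip(f"'{cmd}' not permitted in state {self.drive.value}")
        else:
            self.drive = TRANSITIONS[(self.drive, cmd)]
            self.log.append(f"ok: {cmd} -> {self.drive.value}")
        return self.drive

    def _trip(self, reason: str) -> None:
        """Single place where the safe state is entered, so every trip is recorded for feedback."""
        self.drive = SAFE_STATE
        self.log.append(f"TRIP -> {SAFE_STATE.value}: {reason}")


def run_scenario(events) -> tuple:
    """Replay ("guard", GuardState) / ("cmd", str) events on a fresh interlock.
    Returns (final drive state, number of trips, log lines)."""
    il = Interlock()
    for kind, value in events:
        if kind == "guard":
            il.guard_changed(value)
        else:
            il.command(value)
    trips = sum(1 for line in il.log if line.startswith("TRIP"))
    return il.drive, trips, il.log


if __name__ == "__main__":
    # Constructed sequence: a correct cycle, then the guard is opened while running,
    # then the operator tries to restart with the guard still open.
    events = [
        ("guard", GuardState.CLOSED_LOCKED),
        ("cmd", "arm"), ("cmd", "start"),
        ("guard", GuardState.OPEN),   # operating error: trips to the safe state
        ("cmd", "start"),             # guard still open: refused, remains in the safe state
    ]
    for line in run_scenario(events)[2]:
        print(line)
```

Two design choices carry the safety argument: the safe state is named once and entered through a single routine, so the specification and the code agree on what “safe” means, and the default guard reading is UNKNOWN rather than CLOSED_LOCKED, so a missing or faulty sensor cannot be mistaken for a satisfied condition.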

All in all, three models can be distinguished of how HFE experts can be involved in the process of designing and constructing complex socio-technical installations. These models are applied differently depending on the need in question:

  (a) Integrated model

    In this case, the HFE expert (work scientist, psychologist, medical scientist) is integrated from the outset in the design team so as to participate in the design of planned workplaces and the functions of personnel working there with regard to safety and reliability, occupational safety, health aspects and humane design.

  (b) Intermittent involvement model

    In this case, the HFE expert is consulted in critical design phases to evaluate, for example, a prototype. In this way, experienced operators (pilots, control room staff, etc.) can also be involved.

  (c) Post hoc involvement model

    Only in rare cases will all design flaws be detected before the system goes into operation. It is then necessary to install technical or organizational barriers to prevent dysfunctional use of the system or hazardous system conditions. Under no circumstances, however, should post hoc involvement of HFE experts be chosen as the standard form of participation, in the sense of a repair service.

If an event cannot be controlled within the system and system limits are exceeded, steps must be implemented to deal with the interface. In this case too, the knowledge of HFE must be deployed in order to incorporate unconditionally the HFE elements into emergency management planning as well.

3.2.2.4 Evaluation of Failure Prevention from the Interdisciplinary Perspective

Proven concepts with a systems engineering orientation make it possible to examine the potential failure behaviour of technical products, of complex installations and simple devices alike. Here it must always be assumed that the failure of technical products can no more be excluded than the human working with this technology can be assumed to be infallible. The findings of such failure analyses, which count as standard tools of any project and development engineer, make it possible to detect the crucial failure possibilities of structural units systematically, already in the design or planning stage. This, in turn, establishes the requirement for preventive measures with which undesirable or unacceptable failures are to be prevented.

For a better understanding of further explanations, the two terms “deterministic approach” and “probabilistic approach” should first of all be clarified here:

  • Deterministic approach

    The deterministic approach in the engineering sciences corresponds to the historically developed, monocausal pattern of reasoning. It is based on unequivocal if-then relationships, in which a specific event occurs at a predetermined time. It still shapes the classic procedure for the conception, design and testing of technical facilities in modern technology.

    This approach was also adopted for safety engineering wherever it was (or is) a matter of devising precautionary measures against a safety-critical failure. Here the "if" stands for the safety-critical failure and the "then" for the safety-engineering precaution. In classical engineering, the two conditions form a logically unambiguous connection (in forward logic) or even a one-to-one connection (in forward and backward logic) and relate to monocausal cause-and-effect structures.

    The deterministic approach to engineering is in line with the equally classical conceptual and decision structures in the legal system.

  • Probabilistic approach

    The probabilistic approach is based on theoretical or statistical probability principles. In contrast to the deterministic approach, the probabilistic approach is based not on certainty but on the possibility that a specific event occurs with a certain probability. The time when the event occurs is not predetermined and cannot be determined in advance either.

    Modern technology (such as plant engineering, civil engineering, energy supply engineering, information and communication technology, automotive engineering, aerospace engineering) has come to involve highly networked functions and computer-aided facilities. It is also increasingly seeing service in aggressive environments (such as space, open and deep seas, deserts, jungle). This inevitably leads to complex and highly integrated structures which are, as far as safety engineering is concerned, no longer manageable solely by the deterministic approach. They must be supplemented or completed by probabilistic approaches (such as reliability engineering , for example).

    The use of reliability engineering has proven its value for decades in the conception, design and testing of such complex technical facilities. Without it, the achievements of modern global aviation, scientific and commercial space travel and even modern automotive engineering would not have been possible.

    In aviation and (manned) space travel, the application of reliability engineering has become indispensable for the safety-engineering design of highly integrated, complex technical facilities. Nevertheless, its adoption in other technical fields of application is proceeding only very slowly on account of established traditions.

The failure behaviour of technical products can only be fully determined from the systematics and made usable for engineering-related selective precautionary measures if its stochastic manifestations are also taken into account in a probabilistic approach. In addition, it must be taken into account here that the failure behaviour of systems (e.g. supporting structures, supporting devices, mechanical interlocks, fire insulation) which are still transparent and equipped mainly with “captive” attributes (“passive” safety attributes ) can usually still be fully determined even with an exclusively deterministic approach. On the other hand, the failure behaviour of complex systems equipped mainly with “losable” attributes (“active” safety attributes )—systems such as energy supply systems, power units, control systems, cooling equipment, extinguishers—is essentially characterized by its stochastic manifestations.

If engineers are to work purposefully with probabilistic approaches under these conditions as well, they must in every case have access to probabilistic limiting values. As already mentioned, since the first publication of the DIN 31004 safety standard (see Chap. 2), risk assessment as a probabilistic analysis of the stochastic failure modes of technical products has come to be regarded as the generally accepted state of the art.

Consideration of limiting values for a risk assumes that they are also accepted by the general public (see Sect. 3.3.1). Every limiting value so considered must orient itself to acceptance by the impartial “public” (public safety). Attempts to determine the degree of acceptance by public-opinion polls are doomed to failure. At best, they will reveal the polarization always present in the public between, on the one hand, admiration of technology and, on the other hand, a sceptical attitude to technology based in most cases on ignorance but also—due to the unavoidable occurrence of verifiable failings of humans and machines—on justifiable doubts. In this case, the danger cannot be ruled out of this polarization being politically misconstrued when the results of such surveys are presented to the public.

Instead, a different path, one already taken in practice, should be pursued deliberately: the degree of public acceptance should be measured by the stochastic attributes of technologies which the public has already accepted. These are the technological attributes found in shipping, civil engineering, rail traffic, aviation, road traffic, power engineering, chemical engineering, process plants or even power stations of conventional technology. Acceptance can also be measured against natural risks, which are characterized, for example, by human life expectancy. However, the success of this approach assumes that the relevant institutions make their databases available for general use.

However, defining limiting values of this kind would not lead to a definitive solution. It is ultimately essential that the requisite level of safety be integrated into the technical system. Consequently, it must be proven to the supervisory body to what extent this has actually succeeded. However, instruments with which this evidence can truly be supplied efficiently are only partially available at present and would need further development.

This fact, in conjunction with the probabilistic approach required, results in a quantitative problem. The numerical values (data) with which safety is to be calculated must be very small, since safety-critical events may only be possible very rarely. If numerical values of this kind are to be demonstrated by statistical methods, one quickly meets limits which cannot be crossed on account of the effort required. Reference is therefore made in this context to the well-proven database-based concepts as presented, for example, in the formerly internationally used US-American standards MIL-HDBK-217F, Notice 2, "Reliability Prediction of Electronic Equipment", and NPRD-95, "Nonelectronic Parts Reliability Data".
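As an added illustration of why the quantitative problem described above is real (example code written for this edition, not from the original text or from the cited handbooks), the following Python script carries out the three calculations a reliability engineer would run: a parts-count summation of constituent failure rates in the manner of MIL-HDBK-217F (the part failure rates are constructed placeholders, not values taken from the handbook), the mission reliability R(t) = exp(-λt) that follows from a constant failure rate, and the cumulative test time required to demonstrate a target failure rate with zero observed failures at a given confidence level. The last function makes the effort limit explicit: a rate of 10⁻⁹ per hour cannot be demonstrated by testing within any practical programme, which is exactly why database-based predictions are used instead.

```python
import math

# Constructed placeholder failure rates (failures per hour) for the parts of a
# hypothetical control channel. They are illustrative numbers only, not values
# taken from MIL-HDBK-217F or NPRD-95.
PART_FAILURE_RATES = {
    "microcontroller": 2.0e-7,
    "voltage_regulator": 5.0e-8,
    "relay_driver": 1.0e-7,
    "connector": 2.5e-8,
}


def series_failure_rate(rates):
    """Parts-count prediction: with constant failure rates and no redundancy,
    the failure rate of the assembly is the sum of the part failure rates."""
    return sum(rates)


def reliability(failure_rate, mission_hours):
    """Probability of surviving the mission without failure, R(t) = exp(-lambda t),
    the survival function of the exponential distribution."""
    return math.exp(-failure_rate * mission_hours)


def mtbf(failure_rate):
    """Mean time between failures for a constant failure rate."""
    return 1.0 / failure_rate


def zero_failure_test_hours(target_rate, confidence):
    """Cumulative test time needed to claim that the true failure rate is at
    most target_rate with the given confidence, when no failure is observed.

    With exponential failures the probability of seeing zero failures in
    T hours is exp(-lambda T). Requiring this to be at most (1 - confidence)
    for lambda = target_rate gives T >= -ln(1 - confidence) / target_rate.
    """
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must lie strictly between 0 and 1")
    return -math.log(1.0 - confidence) / target_rate


def demonstration_is_feasible(target_rate, confidence, units_on_test, test_years):
    """Whether a campaign of units_on_test samples running for test_years
    (8760 h per year) accumulates enough zero-failure hours for the claim."""
    available_hours = units_on_test * test_years * 8760.0
    return available_hours >= zero_failure_test_hours(target_rate, confidence)


if __name__ == "__main__":
    lam = series_failure_rate(PART_FAILURE_RATES.values())
    print(f"channel failure rate: {lam:.3e} /h, MTBF: {mtbf(lam):.3e} h")
    print(f"R(10 000 h) = {reliability(lam, 10_000):.5f}")
    # Demonstrating a rate of 1e-9 /h at 95 % confidence by testing alone:
    needed = zero_failure_test_hours(1e-9, 0.95)
    print(f"zero-failure test hours needed for 1e-9 /h at 95 %: {needed:.3e}")
    print("feasible with 100 units on test for 5 years:",
          demonstration_is_feasible(1e-9, 0.95, 100, 5))
```

The demonstration-time formula is the zero-failure special case of the usual chi-square confidence bound on an exponential failure rate; the required hours scale with 1/λ, so every order of magnitude in the safety target costs an order of magnitude in test effort, which is the limit the text refers to.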

The probabilistic consideration of stochastic failure modes as a complement to the deterministic concept of classical safety engineering was developed to make complex systems , which are predominantly characterized by their multiplicity of “losable” attributes , also meaningfully controllable by safety engineering. Attempts are constantly being made to replace the classical deterministic approach so comprehensively proven in safety-engineering practice with a probabilistic approach. This attempt frequently fails due to a lack of suitable, reliable data.

At the interface between deterministic and probabilistic approaches, a lack of relevant knowledge cannot be entirely ruled out. Deterministic safety measures are based on the idea that, when a safety-critical failure occurs, technical products must immediately be brought into a safe state. This often consists of blocking a function (e.g. the deliberately induced shutdown of an installation), in other words an unconditionally commanded failure (the definition of this term follows DIN 25424 "Fault Tree Analysis", 3.8, c). However, in complex technical systems with their many sub-components, the safety-driven "switching off" of individual sub-systems leads to reliability problems which, once a technical development is completed or a facility built, can hardly be solved any more.

This behaviour led to the realization that safety engineering and reliability engineering must remain inseparably linked. Both fields deal with failure modes of a stochastic nature, which is why failure behaviour can only be fully determined by stochastic methods. The protective measures proposed on deterministic grounds should therefore also have their effect on reliability assessed stochastically.

3.2.2.5 Criteria for an Interdisciplinary Holistic Safety Concept

In the derivation of criteria for a concept usable on an interdisciplinary basis (on the occasion of a technological innovation project), a deliberate attempt was made to avoid creating again only a safety concept which applied solely to one particular area of application. The criteria prepared are therefore universally valid and can accordingly be used in any field or technology. This also applies to the fundamental principles of the interdisciplinary safety methodically concept presented below (see Sect. 3.2.3), in which these individual criteria are recorded in their logical connections. Their universal validity offers the following advantages for application:

  • Institutions which in the overall process exercise the specific governmental responsibility for public technical safety and conduct tests, approvals, declarations of conformity and tolerances and also carry out surveillance and control can work according to the same criteria of the same concept. They thus use the same elements from the perspective of state responsibility, regardless whether they are practised directly, applied in public commissioning procedures or used on the basis of structural criteria by recognized (accredited) private bodies.

  • In a uniform introduction of the safety concept, application-independent and clear communication is made possible between the different specialist fields involved. This occurs since one of the essential basic principles of the holistic and interdisciplinary concept from systems engineering has been universalized for all technical fields.

  • A precondition for a purposive safety-oriented concept is, however, that

    • sufficiently suitable measures (generating safety , safety management, quality management , safety-related verification) are taken during planning, development and manufacturing, and

    • during the operational phase as well as disposal and dismantling, further measures (safety management , safety-related verification ) are taken which are appropriate and by means of which the manufactured product truly has a safety-compliant technical design.

  • As with any other interdisciplinary working method, the safety-oriented approach requires appropriate organizational conditions to make an effective application possible. In this matter, the following aspects should be taken into consideration:

    • Only a central control body, responsible for the entirety of the system in question and equipped with sufficient powers, is practically capable of taking system-wide criteria appropriately into account in safety-related activities. The precondition, however, is that safety can be verified for all components of the system under consideration.

    • This safety-oriented approach guarantees cost-effective usability just as a safety-compliant technical design does. Therefore, in view of this comprehensive objective, overall responsibility can only lie with the design engineer who is comprehensively familiar with the safety-related characteristic since he/she was the one who created it for the product in question (typical example of a matrix organization).

    • The engineer working as an expert only has to assess the safety-related appropriateness of this technical design. Depending on the complexity and scope of the concept, this requires a correspondingly cascaded expert assessment (principle, dimensioning, execution). The assessment of the principle must take into consideration the limited nature of consequences, manageability, accessibility of negative effects and reversibility.

    • Observance of the applicable "good engineering practice" and/or legally qualified regulations is by itself a necessary but not necessarily sufficient precondition for conclusive proof of safety.

    • In addition, of course, due regard must be paid to the state of the art and, if required, also to the state of scientific and technical knowledge. (For more detailed information, see Sect. 3.3.5).

    With regard to the nature and serviceability of technical facilities, certain qualities of the materials, components, systems, facilities, products and implementation form the basis for their design, dimensioning and construction.

It is crucial that the planning specifications themselves, their calculative and experimental verifications and construction plans be tested as to whether the product with these specifications—as well as with the testing and approval measures planned during implementation—can be put into execution in accordance with these requirements (testing and approval of the planning specifications).

Suitable testing and verification measures must be provided in all major phases of implementation (tracking and testing of the implementation) to prevent implementation deviating impermissibly from the underlying requirements. Deviations can occur, for example, due to the variability of material and component properties, uncertainties in installation and construction or mistakes and errors during the various production steps.

If qualities are expected to change adversely during service life, periodic inspections and special maintenance measures may be necessary (final inspection and verification before going into service).

  • Requirements relating to the organization of verification

It is only by an appropriate coordination of the designated tests that testing measures can rationally complement each other, unintended gaps in verification be avoided and the necessary information passed on.

In the appraisal of testing measures, it is important not only to record their immediate function but also adverse deviations and their indirect effect, namely their positive or negative impact on important aspects of performance and quality.

Responsibilities for all testing measures, especially for implementing measures in the event of insufficient test results, need to be regulated clearly and unambiguously.

All major test results must be recorded.

A test plan is necessary whenever a large number of contractors and subcontractors are involved in the project and incorrect decisions or gaps in verification can have serious consequences.

  • Elements of verification

With regard to the nature and scope of verification , a distinction can be drawn between:

  • manufacturer testing which is regulated only internally or externally,

  • third-party testing by an independent third party carried out either independently of manufacturer testing or relating exclusively to inspecting the correct performance of manufacturer testing and

  • acceptance tests on the part of the purchaser or customer which are used for assessing and verifying the quality of goods or services at the transfer of responsibility or ownership.

Manufacturer tests are, in principle, carried out in an office or in-house and can, depending on the importance of verification , occur in the form of self-testing or be conducted by persons not directly involved in the manufacturing process.

Manufacturer tests regulated only in-house, and special in-house measures for controlling production, fall within the sole responsibility of the manufacturer.

Test planning includes a clear definition of the rules for assessing the quality of a product or service and of the measures to be taken in the event of negative test results.

The importance of the individual elements of verification differs depending on whether it concerns tests on planning specifications, constructional execution or tests before the start of operation.

  • Grading of tests

The grading of test measures for safety-related verification depends on:

  • the intensity of testing (frequency and extent of tests or inspections),

  • the assessment criteria and measures in the event of negative test results,

  • the degree of independence of the testing from the process in question and

  • the use of multiple independent tests whereby, depending on quality assurance requirements, the following gradation is possible:

    • only manufacturer tests,

    • externally regulated manufacturer tests together with third-party tests or acceptance tests and

    • externally regulated manufacturer tests together with third-party tests and acceptance tests or a second independent third-party test.

On this basis, quality assurance levels can be defined and assigned to the hazard categories (see Table 3.1). Individual sub-systems or structural units can be subject to different quality assurance levels.

  • Inspection and approval of the planning specifications

  • Inspection of draft design, dimensioning and structural design

    It is important to test whether all decisive hazards have been identified and appropriate measures provided for their prevention. This concerns, in particular, the appropriate choice of the system, the materials and method of production, the processes and tools used in construction, and also the design of the system or facility (function testing, accessibility). Among other things, a check should be made whether all essential organizational requirements, e.g. special trade and operational qualifications, can be fulfilled, all tests required for implementation have been provided, and all conditions of use and necessary maintenance measures have been defined.

    The design inspection can be carried out in different ways with different degrees of effort, e.g. by tests, calculations or analogy observations. Among other things, it should be checked whether:

    • the calculation includes the relevant requirements and actual influences, basic conditions and conditions of use,

    • verifications are maintained for all major components,

    • the appropriate mathematical models are used,

    • the calculation in itself is consistent, and

    • all effects are borne correctly by the system.

    Whether modifications of components cause unacceptable malfunctions should also be checked.

    As regards the type of inspection, a distinction can be drawn between:

    • a complete recalculation by an independent third party,

    • simulation tests and

    • prototype tests.

  • Inspection and approval of final planning documents.

    A check must be made whether the final planning documents contain all the information required for implementation, such as, for example, tolerance limits or instructions regarding the manufacturing procedure. In this case, it is, among other things, important whether dimensioning results have been communicated correctly, instructions or drawings correspond to the specified requirements, and other basic conditions have been taken into consideration.

    Since all information and requirements on the part of planning are mostly conveyed via implementation plans for production, assembly and integration, special importance is granted to checking clarity and completeness.

  • Inspections of constructional implementation (acceptance inspection)

    • Series production—single-item production

      As regards the type and importance of tests, a distinction should be drawn between

      • series production with the objective of consistent quality and

      • single-item production with the objective of complying with planning specifications.

      Preventive measures have priority in single-item production.

      The construction of complex technical systems or large technical facilities is generally a matter of single-item production in which only individual components or materials are subject to series production. Therefore, quality assurance systems, e.g. according to DIN 55350 “Concepts in Quality-Management and Statistics”, which are oriented towards series production, are not directly applicable to all phases of the construction work.

    • Assessment procedures and criteria

      In a complete (100 %) inspection, every production unit is tested. A unit is either accepted as "good" or rejected as "bad". If the assessment is carried out according to quantitative criteria, these generally correspond to specified tolerances.

    • Periodic testing

      Time-staggered periodic tests serve to ascertain that a technical product conforms over its entire service life to the valid configuration according to which it was planned, developed, constructed, put into service and operated.

3.2.2.6 Passive and Active Safety Measures

The following basic classification can be made: when a component, part of a technical facility or an entire facility is developed to fulfil different functions, a distinction is drawn between active and passive functions.

  • Passive functions basically involve “captive or inherent attributes”. These functions cannot become “lost” in the normal case/operation. No actuator is operated. Passive functions can carry out holding, supporting and locking functions, for example. Specific examples include the floor of a building storey or the static properties of an entire structure. Consideration of both the properties of the hardware and the requirements of the construction components is necessary to maintain these functions. Tests, care and maintenance also play a part in this.

  • Active functions, on the other hand, can basically become "lost". They are characterized by the use of an actively operating construction component. Examples include lighting equipment or a regulator. In the event of loss of these functions, safeguards are necessary which must be matched to the possible failure behaviour.

  • Wherever possible, priority must be given to passive safety measures. Where active safety measures are used, they must be proven to be at least equally effective for the hazard category concerned (see Table 3.1).

3.2.2.7 Controlling Failure Mechanisms

If a construction component supporting a passive function fails, the failure is sought in the first approximation in the design or the constructional implementation. If an active function fails, the important construction components may be in order. In this case, individual characteristics of a device might have failed because it has been damaged. Alternatively, the control or the interaction of function elements may have failed—for example due to an instruction or operator error.

Failure mechanisms can be divided into categories. Seven types of failure can be distinguished in total, grouped into three fields:

  • Failure when establishing a function:

    • A system lacks the intended function.

    • The intended function only partially materializes.

    • The function materializes at the wrong point of time.

  • Failure in an already existing function:

    • There is a total failure of the existing function.

    • There is a degradation of a function element, and this element can fulfil its function only partially.

  • Failure when terminating a function:

    • The function is terminated in an unqualified way.

    • The function is terminated at the wrong time.

In order to generate technical safety, the failure of functions must be assessed and weighted. Different approaches can be taken to reduce the probability of occurrence of a possible failure to an acceptable level:

  • A function fails, and the technical state of the system or facility still remains safe. Despite the intended function becoming inoperative no damage results. This “fallback state” is called “fail-safe ”. In this case, the system is switched off towards a safe state despite the failure of a system component with care being taken that the final state arrived at in the fallback is safe. No injury to persons or damage to property occurs, but the function is no longer available—not even with limitations. The system “comes to a standstill”, so to speak.

    The triggering of emergency braking in a railway train is given here as an example of the “fail-safe” approach.

  • However, if a function of a system or technical facility should be maintained or must stay at least partially maintained despite the failure of a component supporting that function, this state is called “fail-operational ”. In this case, restrictions are applied by emergency programmes (automatically or selected by humans) which maintain particularly important functions. Catastrophic behaviour can hardly occur with implementation of this strategy. A systematic approach to establishing appropriate strategies is particularly important here.

    The technical and organizational precautionary concepts in a flying plane are given here as an example of the “fail-operational” approach.

  • If neither “fail-safe ” nor “fail-operational ” strategies can be applied, the application of reliability engineering offers the possibility of reducing the risk , although only for Hazard Category 1 (see Table 3.1). This term means the application of probability considerations which examine the possibility of a failure by using empirical values, expert reports, theoretical studies, failure observations and other methods. If the probability of damage is low enough, the system or technical facility can be put into operation.

    The safety-related reliability concept as used in attitude control systems for vertical take-off aircraft or in the landing computer for the lunar module is given here as an example.
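As an added example (written for this edition, not code from the original text or from any of the systems named above), the following Python script contrasts the two strategies on a redundant measurement channel. A two-out-of-two (2oo2) comparator is the fail-safe variant: any disagreement or channel loss commands the safe state, so the function is lost but nothing unsafe is passed on. A two-out-of-three (2oo3) majority voter is the fail-operational variant: a single faulty or dead channel is outvoted and the function continues. The k-out-of-n reliability formula then quantifies how often each architecture keeps the function available over a mission, given an assumed per-channel failure probability. The channel readings, the failure rate and the mission time are constructed inputs.

```python
import math
from typing import Hashable, Optional, Sequence

# The commanded fallback state; here taken to be a trip/shutdown (assumption).
SAFE_STATE = "SAFE_STATE"


def compare_2oo2(a: Optional[Hashable], b: Optional[Hashable]):
    """Fail-safe comparator: the value is only passed on when both channels are
    alive and agree. Any discrepancy or channel loss (None) commands the safe
    state, i.e. an unconditionally commanded failure of the function."""
    if a is None or b is None or a != b:
        return SAFE_STATE
    return a


def vote_2oo3(channels: Sequence[Optional[Hashable]]):
    """Fail-operational majority voter: returns the value held by at least two
    of the three channels, masking one faulty or dead (None) channel. Only when
    no majority exists does it fall back to the safe state."""
    if len(channels) != 3:
        raise ValueError("2oo3 voting needs exactly three channels")
    live = [c for c in channels if c is not None]
    for value in set(live):
        if live.count(value) >= 2:
            return value
    return SAFE_STATE


def koon_availability(k: int, n: int, p_channel_fail: float) -> float:
    """Probability that at least k of n independent identical channels are
    still working when each fails with probability p_channel_fail during the
    mission (binomial sum over the surviving-channel count j)."""
    q = 1.0 - p_channel_fail
    return sum(
        math.comb(n, j) * q ** j * p_channel_fail ** (n - j)
        for j in range(k, n + 1)
    )


def channel_failure_probability(failure_rate: float, mission_hours: float) -> float:
    """Probability of one channel failing during the mission for a constant
    failure rate (exponential distribution): 1 - exp(-lambda t)."""
    return 1.0 - math.exp(-failure_rate * mission_hours)


def compare_architectures(failure_rate: float, mission_hours: float) -> dict:
    """Probability that the function stays available for each architecture.
    Note that 2oo2 is *less* available than a single channel: it buys the
    guarantee of a safe output by tripping on any single fault."""
    p = channel_failure_probability(failure_rate, mission_hours)
    return {
        "1oo1": koon_availability(1, 1, p),
        "2oo2 (fail-safe)": koon_availability(2, 2, p),
        "1oo2 (fail-operational)": koon_availability(1, 2, p),
        "2oo3 (fail-operational, fault masking)": koon_availability(2, 3, p),
    }


if __name__ == "__main__":
    # Constructed valve-position readings: one channel drifts, one is dead.
    print("2oo2 with agreement:   ", compare_2oo2("OPEN", "OPEN"))
    print("2oo2 with discrepancy: ", compare_2oo2("OPEN", "CLOSED"))
    print("2oo3, one drifted:     ", vote_2oo3(["OPEN", "CLOSED", "OPEN"]))
    print("2oo3, one dead:        ", vote_2oo3(["OPEN", None, "OPEN"]))
    print("2oo3, two faults:      ", vote_2oo3(["OPEN", "CLOSED", None]))
    # Constructed failure rate of 1e-5 /h per channel over a 1000 h mission.
    for name, avail in compare_architectures(1e-5, 1000.0).items():
        print(f"{name}: P(function available) = {avail:.6f}")
```

The numbers make the trade-off in the text concrete: the fail-safe 2oo2 arrangement loses the function more often than a single channel would, because every single fault is converted into a commanded shutdown, while 2oo3 keeps the function available through any single fault and only commands the safe state when a second, independent fault removes the majority.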

3.2.2.8 Generating Safety According to the Phase Approach

Achieving appropriate safety conditions requires different provisions and steps in the various phases of the life cycle of a system, technical facility or product by the individuals involved (see Sect. 3.2.1.2).

Designers and developers of the hardware and software, suppliers, operators, personnel for installation, operation, maintenance, repair and disposal, and the competent supervisory institutions (authorities) must therefore develop and discuss appropriate and realistic measures and ways of preventing the failure of functions or changes in properties to the greatest possible extent. The development of international solutions is worth pursuing, since many products are developed and used not only on a national level. Worldwide acceptance of good safety solutions, which can differ quite considerably, is helpful.

It is wise to develop suitable and adapted processes for the development of safety-relevant systems and functions in order to achieve the different requirements of safety properties. Such processes may include the following topics, which can or must be adapted to the function and purpose of the systems:

  • system definition,

  • hazard analysis,

  • risk disclosure statement,

  • derivation of safety requirements,

  • implementation phase,

  • documentation,

  • management tasks,

  • interdisciplinary processes,

  • support processes and

  • supplier relations.

Due to the rapid further development and innovation of technologies, there must be parallel work which examines the need for extensions, specializations and changes to existing regulations and standards and implements them. Innovations lead into technical fields which, in many cases, could not be taken into account in previous concepts. The use of electronics, in particular, for putting innovative functions into practice needs new basic conditions of this kind, which cannot always be adopted from the past. The utilization of functions depends decisively on legal certainty for the manufacturer, and this is described by, among other things, the state of the art.

A so-called safety case (safety report) is required for complex systems and technical facilities. The same applies when public-technical safety is concerned. In addition, the safety case should be a selectable option for all cases but, in the fields listed above, must be part of the safety culture practised. Based on the procedures in aerospace engineering, chemical engineering or comparably complex installations in the energy sector, it must be demanded that a factually appropriate safety management system be devised, presented and applied. This means that the documentation for a "safety-engineering requirements catalogue" must be initiated from the very beginning, in other words with the ideas and first considerations of design. Updating must be continuous and all changes and modifications documented in revised editions. In all technical fields, a system description forms part of the safety case. It also contains the safety management and/or safety plan, a risk assessment, an emergency plan and documentation instructions. Depending on the specific case, further component- and phase-related parts can be added in production with a high division of labour, for example so-called production and test sequence plans. The safety case starts with the product idea and grows over time and with the phases of the life cycle.

In principle, similar requirements apply to the phases of the life cycle of a system (a technical facility or product). Suitable procedures, processes and instructions are worked out during operation, maintenance, repair, decommissioning and disposal which generate and maintain safety. Careful formulation of such procedures ensures optimal results and high safety standards in this field too. However, a guaranteed high level of safety in the long term depends on operators and users complying with the methods and processes established. Understanding and sensitivity are to be solicited here too by means of suitable communication. The human being stands here in a key position in the process for generating safety .

Technical safety is one of those attributes of a technical system, facility or product which is not only to be specifically generated by a controlled process but which also always requires verification . It is not important whether this occurs by testing or inspection at the manufacturer’s own responsibility (first party), by possible clients/customers (second party) or independent third parties. The nature of the parties involved here plays an important part in the validity of the tests or inspections.

When life phases are considered in Sect. 3.2.1.2, the role played by tests and inspections is therefore presented. A critical assessment should be made here whether the verifications can be regulated solely by market participants or to what extent testing and inspection must be carried out by independent third parties since the market does not offer a sufficiently suitable regulatory framework. As regards independent third parties, it must be examined to what extent the monitoring function can be privatized (e.g. in the form of private-sector auditing systems) and which responsibility is better assumed by the state itself. It should be taken into consideration here that the higher the hazard category according to Table 3.1, the more emphatically the responsibility must be observed by the state. It must be considered with this view that an absolute responsibility of guarantee on the part of the state should only be permitted with Hazard Category 1 (see Table 3.1).

3.2.3 Implications of a Safety Methodically Concept

The obligation to design technical facilities that are safe results from both ethical–moral reasons and legal requirements. This working method, which essentially is still practised today, is based on a wealth of experience that has built up in the course of technical development to a considerable extent. This happened, however, mainly under the pressure of damaging events that occurred.

Engineers who design, develop and build technical facilities also have the duty in the framework of their overall responsibility to design these technical facilities in a safety-compliant manner. However, the residual safety risk, which can never be completely ruled out when dealing with technical facilities, always remains for factual reasons with the operator and/or user. From this situation, which is characterized by a polarization arising from the factual circumstances, the problem inevitably emerges: “What and how much is safe enough?” Even in the application of new technologies, this problem ought to be made amenable to a holistic solution. Therefore, the technical design and required verification should be undertaken methodically so that the damage-preventing, risk-minimizing character of safety-related precautionary measures is taken into account by a correspondingly oriented approach which is predominantly analytical and preventative.

A precondition of effective safety-engineering activities is a correctly engineered structural design which offers a guarantee that the technical facility will not experience any damaging event if it is operated or used as intended under real-life environmental influences. In this context, special mention should be made of the design principles commonly applied in aerospace engineering in particular. Lifetime concepts on freedom from damage, redundant design, fail-safe design and damage-tolerant design have, despite their sometimes ambiguous word interpretation and partially overlapping modes of action, made a significant contribution to constructive design regarding safety not only in aircraft construction. A further precondition is the structural completion of a technical facility in faultless condition. “Fail-safe design” means fail-safe engineering—in other words, conscious dealing with design principles which make technical safety an integral component of the product composition and behaviour.

Mistakes, disturbances and failures in technical facilities cannot be ruled out in principle—whether because they occur at random times, unpredictable influences cannot be adequately controlled (e.g. lightning strikes) or unintentional operating errors cannot be unconditionally avoided. A safety-compliant technical design must therefore include not only the correct structural design but also precautionary measures by which such mistakes can be effectively dealt with. An example of this is safety interlock devices which can reliably prevent every kind of operating error. These fault possibilities, which can by no means be presupposed in new technologies, must be analysed systematically in order to be able to determine cause and effect of fault possibilities as far as possible.

The complexity of technologically innovative systems makes it necessary to determine analytically stochastic failure behaviour too so as to be able to test and verify the effectiveness of safety-oriented precautions. The tried and tested methods of reliability engineering are available for this purpose. It definitely conforms with the currently existing “State of Scientific and Technical Knowledge” (Atomic Energy Act Art. 7 II No. 3) when preference is given to the verification of appropriate and adequate reliability as regards safety; the possible effort here can yield statistically verified results, and no coherent result can be expected of an alternative safety-oriented verification. Even such findings of reliability engineering which are not exclusively based on its numerical methods can be usefully included in safety engineering. They are applicable to determine those basic conditions for redundant facilities required from the safety-engineering point of view.

The state of safety engineering was traditionally shaped by learning from experience (see Sect. 3.4.2.2). This means that it is comparably easy to transfer safety-engineering experience to products and technical facilities which are technologically comparable with previous and current products and facilities. However, it always proves to be problematic when “safety based on past experience” should be transferred to products and facilities which have been further developed technologically or are entirely new. In this case, forward-looking approaches in risk assessment become necessary which identify the possible failure modes with probabilistic methods and implement the appropriate precautionary measures in the design (“feed-forward control”). In many cases, a combination of both approaches will be necessary. This will be described in more detail below.

3.2.3.1 Transfer of the Safety Standard to Technologically Comparable Products

If the development and manufacture of a product or technical facility are limited to the existing state of the art, the product in question will neither contain any serious technological innovations nor constitute as a whole a technological innovation. The existing legal and technical regulations will then suffice to be able to guarantee safety for this product. Either

  • the relevant and valid statutory orders include a general reference to the technical rules and standards or an undefined reference to the state of the art, or

  • the building and executory ordinances already include a direct reference to the relevant applicable technical rules and standards.

In engineering, the possibilities used here are described by two focus points:

  • on the one hand, safety through full standardization (as in electrical and civil engineering) and

  • on the other hand, safety engineering based on failure analysis (as in aerospace engineering).

Hybrid forms of both focus points are also increasingly being used.

  • Different assignments of safety responsibility are also common in the application of law: manufacturer, owner (registered keeper), operator and government agency.

  • The potential for modification is primarily limited to the technical rules and standards or, depending on the circumstances, to the state of the art.

3.2.3.2 Transfer of the Safety Standard to Technologically Further Developed Products

In the case of technologically further developed products, safety engineering takes this form:

  • Legal bases can be assigned unambiguously here as well.

  • Supervisory bodies or institutions are also determined for the application in question.

  • Application of the state of the art turns out to be problematic here to a certain extent:

    • Statutory orders (with reference to the state of the art) remain valid.

    • The safety-engineering applicability of the standards is nevertheless questionable and requires in each individual case clarification by safety engineering based on failure analysis, which is always possible.

    • There is no legal obligation to clarify the safety-engineering applicability of the standards.

    • There is the problem of the always present diversity of opinion in the execution of supervision.

  • Different allocations of safety responsibility in the application of law: manufacturer, owner, registered keeper, operator and government agency.

3.2.3.3 Transfer of the Safety Standard to Technologically Innovative Products

With technological innovation projects, virgin territory must also be entered in connection with safety engineering (e.g. in the development of magnetic levitation train technology) since the existing state of the art cannot cover the new, previously unknown technology. The use of forward-looking probabilistic methods of risk assessment is required here:

  • Legal bases are not readily assignable:

    • Stopgap solutions arise, such as the German legislation on the construction and operation of test facilities testing the engineering for track-guided transportation systems (Test Facility Act), without which a test facility testing this innovative technology is not legally permitted.

    • Supervisory bodies or institutions do not exist as yet and are to be determined separately for the individual application. In the case of the magnetic levitation train, responsibility lay with the Ministry for Economics and Transportation of Lower Saxony.

  • Application of the state of the art is not possible here:

    • Neither exhaustive legal regulations exist (the sole reference to the state of the art is dubious here from the safety-engineering point of view),

    • nor does any standardization exist from which a necessity for safety engineering based on failure analysis arises.

    • The problem is that, when experts are brought in to provide assistance, a diversity of opinions arises since there are no rules for an orderly, interdisciplinarily coordinated approach (see Sect. 3.2.2.1.1).

  • The assignment of responsibility for safety here almost always remains with the developer or manufacturer since the legal system does not as a rule provide for other bodies which would assume or even only share such a safety responsibility.

3.3 Limits of Safety

The limits of safety are blurred. They are determined, on the one hand, by the basic conditions of development, production, and utilization processes and also by costs. On the other hand, they result from the progressive state of scientific and technical knowledge . Setting limits is necessary. This means profit. As an ethical obligation sensible renunciation is neither a weakness nor a deficiency. At the same time, tendencies towards extreme relocations of limits are observed. The following threatening scenarios emerge from this:

  • endangerment of the foundations of nutrition (“purity” of food, animal feed and drinking water),

  • specific disturbances caused by criminal activity (sabotage, assassinations, terrorist acts),

  • war damage, acts of God, natural disasters,

  • hazard from medicaments (deterrent warning of unexpected side effects) as well as consumer goods, household chemicals and cosmetics and

  • dangers of new technologies, e.g. pest control, use of genetic engineering and nuclear energy technology.

From the ethical point of view (see Sect. 3.1.6), we should also add the fact that humanity is not only responsible for preserving the foundations of its own existence and that of subsequent generations but also the preserver and protector of all forms of life (animal protection, preservation of biodiversity and protection of the biosphere). On the other hand, a people on the subsistence level will and must fight exclusively for its self-preservation. Therefore, a refined feeling for the effects of technology may be regarded as a characteristic of a satisfied society. Views on the drawbacks and benefits of technology and its safety standards are therefore inhomogeneous.

If the limits of safety are to be understood in the converse argument as a measure of the threat to individual freedom, only a rational balance of protection of the individual and protection of the community in a democratic process can define a limit of safety. It must always be made clear in the process that this is a balancing of interests between the intended and indisputably created benefits and the damage which is conceivable within the context of residual risk. Whatever the case, the beneficiary is the solidarity community, which profits as a whole.

In every case, the following basic ideas apply in defining a safety concept:

  • Absolute safety in the sense of zero risk cannot be demanded of the legislator or regulation provider (risk ban) because it is not possible in principle.

  • However, all possibilities should be used from this point of view so that there is a well-balanced relationship between the risk of conceivable damage and the benefits created for the legal interests to be protected with different technical products, processes, facilities and systems (risk equivalence).

  • The measure for the largest damage still acceptable is determined not only by the need for protection of the legal interests under consideration but also by the intention to satisfy social needs (benefits). In this process, a trade-off in the social consensus is generally needed (risk management).

3.3.1 Socially Accepted and State-Defined Limits

In a state governed by the rule of law the citizen may reliably expect that decisions affecting life and health are publicly legitimized. This is not possible without communication. The aim of this process cannot be to convince the other party that a borderline risk is acceptable or unacceptable. The citizen should much more be put in the position of implementing the right of co-determination in a “risk awareness” as it were. This addresses the ability to make a personal judgement on the basis of knowledge of the factually verifiable consequences of events or activities resulting in damage, the residual uncertainties and other factors relevant to risk. This ability should or will on the whole correspond to both the values for shaping the individual life and the personal criteria for judging the acceptability of these risks for society.

In recognizing the co-determination of the individual citizen, it is the duty of political institutions to set up and care for the communication basis required for this. Risk communication calls for all forms of communication, from the simple documentation of results to specific information offers followed by dialogue and participation in decision-making.

In a society in which pluralistic values prevail and political actions are always under high pressure to justify themselves, setting limits and risk assessment often meet with scepticism or suspicion. Statements about risks therefore rely on plausibility and confidence in the so-called regulatory bodies. The more individuals and groups have the opportunity of active participation in risk assessment, the greater the chance of them developing trust in political institutions and also taking on responsibility themselves.

Participation, however, cannot and may not be a substitute for effective risk management, and participation is solely a decision-making aid. Above all, the responsibility of the legal decision-makers should not be obscured or softened by this. Participation should be understood as

  • a two-way flow of information (as an indispensable precondition of proper decision-making),

  • early involvement of the parties involved and relevant social groups (if applicable with a—justifiable—veto right) and

  • co-decision.

The postulate “practical thinking” as a measure of the decision-makers requires that the occurrence of a damaging event can “practically” be ruled out in accordance with the state of scientific and technical knowledge. Unlike “theoretical thinking”, “practical thinking” does not, however, aim at a mere awareness of ideas but simultaneously provides feasible orientations for action which are based on the realization that there will always be a residual risk.

In view of the theoretically infinite number of possibilities of damage precaution, a corrective is seen in the form of “factual” and “rational” criteria and limits. In terms of content, absolute exclusion of damage is not required. Rather, it is sufficient that the damaging event seems to be ruled out in practice according to the state of knowledge of scientists and engineers including human discretion. Applied to technical safety law, the demand for safety systems, for example, with reduced failure probability presents such orientations for action. All design-engineering precautions against multiple failures, especially simultaneous ones, are part of this.

What scientists and engineers often regard as incomprehensible is nevertheless rational from the viewpoint of different social groups. The rationality of social decisions in a highly complex system means serious challenges because all democracies secure their legitimacy by close correspondence with public opinion. Where under special circumstances the will towards practical rationality is, for example, lacking because sociopolitical requirements are in the foreground, the instruments of practical rationality are either not being used at all or not in accordance with their inherent possibilities.

In general, the limiting risk cannot be determined quantitatively. It is usually described indirectly by safety-engineering stipulations. This specification or determination of the limiting risk assumes that the probability of a damaging event occurring and the extent of damage associated with particular technical products, processes, facilities and systems are adequately known and qualitatively describable. Describing and evaluating technical risks are thus also among the duties of regulatory bodies or the state, which evaluates and includes the contributions of affected parties (see Sect. 3.3.5.4).

3.3.2 Unattainability of Absolute Safety

Absolute safety cannot exist for several reasons:

  • Technical processes never run with 100% reliability, in other words without any incident, and therefore, the technical facilities concerned also cannot be immune in themselves to every failure (safety devices such as “fail-safe” and “fail-operational”).

  • Material properties cannot be comprehended 100% and are therefore not entirely reliable. (This awareness is taken into account in engineering by, for example, worst-case scenarios and so-called safety factors.)

  • The current state of knowledge is never completely and exhaustively comprehensible.

  • Economic feasibility sets limits to efforts for maximum safety.

  • Human action is always subject to the possibility of error and mistakes.

Ignorance and the imperfection of technical safety can, however, be restricted. However, the effects of safety-oriented measures compared to absolute safety can only be described as an asymptotic approach. A damaging event can then only be ruled out with absolute certainty if it is impossible by the laws of nature. Therefore, the possibility of failure is basically inherent in every technical safety system. Absolute safety can be achieved by no technical facility. There is always a residual risk, although this must be lower than a specific limiting risk. Thus, a demand for absolute safety or faultless solutions in complex technical systems leads in the wrong direction.

Behind the classic question in safety engineering—“How safe is safe enough?”—are hidden conflicting objectives: technical safety and practicability on the one hand and financial feasibility and social notions of safety on the other. Where there is orientation solely towards a maximum in technical safety, it can even be harmful to the user in cases of doubt. An excessively high level of technical safety sometimes leads to a loss in practical manageability. Thus, increased complexity in safety systems even brings with it the danger of an increase in risk.

Accordingly, from both the safety-engineering and the environmental, economic and legal point of view, it is essential to generate optimized (in other words, relative) safety. In this respect, the residual limiting risks of technical facilities, products and operating modes should be determined and compared with the risks of proven safety engineering, alternative products, other human environmental impacts and the natural risks in life. The result should be guided by communications management towards extensive acceptance.

It is only by such comparative risk assessments that it is possible to identify the scientific, technical and legal importance of the optimal safety of a technical facility, product or operating mode. Protection of humans and their environment by technical safety can and must be very well optimized but will always remain relative.

3.3.3 The Understanding of Risk

The term “risk” is understood and used in different ways and is a frequently used word nowadays. Therefore, it will be clarified and defined here in the context of this publication on technical safety.

Risk is both the quantitative and the qualitative characterizations of damage with regard to the possibility of its occurrence and the consequences of the damage effect.

According to W. Bons [6], “risks are a typical modern way of dealing with uncertainties”. A look at the historical origin of the risk concept shows that it originated in mediaeval Italian cities in the context of long-distance trading. Long-distance trading was just as much a tactical as an uncertain issue. These uncertainties were not called dangers but rather seen as threats against which nothing could be done but which were identified as risks (the Italian verb rischiare means to risk being challenged). The merchant did not bow down to the uncertainties but calculated on them and gambled on success. However, he no longer regarded the uncertainties he encountered as fate-dependent threats but rather as calculable risks—in other words, as problems which only manifested themselves negatively when he had erred in his calculations and taken no precautionary measures.

The complementary terms “risk—opportunity” describe the risk that an action, activity or event will result in harm or benefit, loss or gain, disadvantage or advantage. The concept of risk has been discussed in more detail in connection with the Atomic Energy Act, the legislation dealing with the peaceful use of atomic energy and protection against its hazards. In this matter, the Atomic Energy Act, with reference to the state of scientific and technical knowledge, assumes a separation between the dangers to be repelled and the probability of damage. The probability of occurrence, the extent of certain damage and the associated evaluation have a decisive influence on the classification in the category-based framework of hazard prevention, risk provisioning and limiting risk. Beyond hazard prevention and risk provisioning the field of so-called limiting risk begins, which can at best be reduced to a “residual risk” and is borne by all citizens as a reasonable social burden. The limiting risk implicitly derives from the sum of technical regulations and responsible action in accordance with these regulations while making use of the accumulated body of knowledge.

Accountability for the limits of safety lies in the readiness of the parties involved to deal appropriately with risks following consideration of the technical, economic, ecological and ethical aspects, to assess and evaluate the risks and to accept or reject them when there is an overall result. Safety, rendered precisely here as technical safety and defined by a limiting risk, must be seen in a series of interactions—from the aim and then over implementation and usefulness up to monitoring—and be taken into account in risk perception.

Scientifically based risk analyses are useful and necessary tools in a rational approach. Risks can only be understood with their help and options selected with the lowest damage expectancy values. The public, however, perceives risk much less scientifically than emotionally. If their feelings are to be listened to, it is entirely rational to open scientifically logical risk analyses to these feelings. However, in such a case, risk analysis could no longer be regarded as scientifically logical. Analysis therefore remains in the field of specialists. The general public should, however, be involved in risk communication by which the results of analysis can be made accessible to interested groups in society.

3.3.4 Factual Relationship Between Risk, Safety Engineering and Technical Safety

Global events in our world are usually linked randomly and multi-causally and therefore are neither foreseeable with mathematical accuracy nor determinable beforehand. The complexity of these natural events offers the human very few, if any, possibilities for influencing them. Locally limited interventions in nature are possible to a very restricted extent, but the consequences resulting from them can often not be estimated at all or only insufficiently. The human remains largely exposed to natural events whereby a nature-related life hazard occurs. Natural risks appear to be matters of fate.

The human has learnt to create technical devices ranging from the prehistoric hand axe to the modern industrial complex and from the simple hearth to modern energy supply. Unlike natural risks, the human can very well and even largely manage the risks involved with the technical equipment he/she has created for his/her own service. The whole arsenal of methods in safety engineering is at the disposal of the human to control these technical risks. When these methods are used competently and correctly, an extremely high level of technical safety can be achieved. Technical equipment is deemed “technically safe” when the risk associated with the presence and utilization of this technical equipment can be demonstrably controlled so that a specific limiting risk is not exceeded (see Sect. 3.3). The attributes of technical equipment which has been proven to be technically safe are meant by the term “technical safety”.

This factual relationship can be summarized as follows:

  • Natural risks can only be controlled to a limited extent, while technical risks can be controlled just as the technology itself can.

  • Safety engineering is the body of methods for controlling technical risks.

  • Technical safety is generated and verified by application of safety engineering.

3.3.5 Safety-Engineering Feasibility

Technical safety is generated and maintained. The state must respond administratively to the possibility of damage and technical risks in order to prevent harm to its citizens. Technical safety legislation is used for this which reacts as a whole to the special characteristics of technology and engineering in the form of the following attributes:

  • The time necessarily elapsing between the completed development of a new technology and its legal regulation, which is only subsequently implemented, has resulted in application-specific legal provisions. Technology legislation is fragmented and applies in every case only to specific technical fields of application (engineering fields).

  • Putting into concrete terms the demand for technical safety, which for good reasons is vaguely formulated, is shifted by the legislator to the legal users’ level of the experts, authorities and courts.

  • Legal demands for technical safety are defined by vague legal terms such as “generally accepted sound engineering practice”, “state of the art” or “state of scientific and technical knowledge”. In this way, safety-engineering conditions and behaviour requirements are formulated.

Technical products may only be put on the market if the technical facilities made of them and properly maintained satisfy the safety objective of all relevant legal regulations over an adequate, reasonable period. They must also be utilizable. Technical safety is based, on the one hand, on the relevant knowledge of the active individuals and those organizations directly involved in the field of safety. On the other hand, it is largely based on technical rules and standards, legal regulations and load limits which differ according to the application orientation for historical reasons and are often characterized by different technical languages.

3.3.5.1 Generally Accepted Sound Engineering Practice

The term “generally accepted sound engineering practice” is a legal term which has long been used in criminal law as well. For example, under Article 323 of the Criminal Code (Constructional Hazard), one is prosecuted who violates generally accepted sound engineering practice and thereby endangers life and limb of another person when planning, managing, executing or discontinuing construction work. Generally accepted sound engineering practice is not only achieved when a rule is regarded as correct according to scientific findings but must also be generally recognized—in other words, by being consistently applied by the engineers concerned and recognized in practice as correct.

This means that it is neither a question of whether science has recognized and taught a rule nor, in addition, whether it has been recognized in the relevant specialist literature. Rather, the architecture involved, engineering and building industry, system (facilities, products) and process design—in other words, practice—must be convinced of the necessity. This conviction must have established itself in such a way that for the purpose of the law it is possible to speak of general acceptance.

According to the prevailing view, there is a factual assumption that a standard reflects the “state of the art” at the time of its publication. Very frequently, however, there is still a lack of practical application at the time of publication, especially when the implementation of new technologies is concerned. In the case of very lengthy standardization procedures for complex matters, it can also not be ruled out that the standard at the time of publication no longer conforms with the general opinion and the rules it sets and, therefore, no longer corresponds to the state of the art. Nevertheless, there is a real presumption, which can be disproved at any time, that the relevant standards reflect the “good engineering practice”, which is generally recognized.

“Generally accepted sound engineering practice” has been developed by experts in consensus. It can be in written form or not but is, as a general rule, codified. A standard can be generally accepted sound engineering practice but does not have to. The prevailing opinion is that there is only a factual supposition that a standard is generally accepted sound engineering practice at the time of publication, especially when it was produced in the process according to DIN 820 “Standardization”. Technology legislation shapes its demands with vague legal terms in order to form technical developments efficiently within the legal framework. In order to make it more concrete, it is, therefore, based on generally accepted sound engineering practice, these rules also being grouped under the term “sub-statutory regulations”. The corresponding legislation expresses, for example, the entirely refutable fiction that all technical rules which are generally introduced and made known in legislation are regarded as generally accepted sound engineering practice.

3.3.5.2 State of the Art

The “state of the art” is a vague legal term and represents the technical possibilities at a certain point in time based on the established findings of science and technology. It is found in many regulations and contracts and is precisely defined by the regulations relating to legal formalization. The term is used to designate measures which fall between generally accepted sound engineering practice and the state of scientific and technical knowledge as regards their requirements of content.

The state of the art is the state of development of advanced processes, facilities or operating modes which demonstrates that the practical suitability of the measure for attaining a high standard in the desired objectives is safeguarded on the whole (e.g. occupational health and safety, environmental protection, safety for third parties, cost-effectiveness). It has, however, not yet been tested enough over a sufficient time period and is mostly only known to specialists. Therefore, in building and plant engineering, for example, compliance with generally accepted sound engineering practice is usually contractually required.

3.3.5.3 State of Scientific and Technical Knowledge

In contrast to the “state of the art”, the “state of scientific and technical knowledge” refers to a technical state of development in which processes and facilities are tested in test and pilot facilities but have not yet been put into service (see Fig. 3.2).

Fig. 3.2 State of the art - code of practice (figure not reproduced)

Linking legal terms to the concept of the “state of scientific and technical knowledge” relieves the legislator of detailed safety regulation for which it is competent neither in the allocation of duties in the separation of powers nor in its expertise. By making reference to the “state of scientific and technical knowledge” (e.g. in Article 7 Sect. 2.3 of the Atomic Energy Act), the legislator thus requires observance of scientific and technical development against the background of legal regulation. Precaution for the minimization of technical risk must be taken, which is regarded as essential according to the latest scientific findings.

In both fields of hazard assessment and hazard control, determination and evaluation of the “state of scientific and technical knowledge” must take into consideration the scientific and technical principle of “balance”. A risk can be ignored if it:

  • occurs in isolation,

  • is assessed as only minor,

  • does not add up with other similar risks to a noteworthy risk contribution and

  • would not, if it were taken into consideration, cause other greater risks under certain circumstances.

The state of scientific and technical knowledge is, however, used widely in technical regulations drawn up by different committees. The term “state of scientific and technical knowledge” denotes the current state of research and development within a specific scientific discipline. It must be based on conclusive evidence which will bear up against verification by third parties. Specialists first come to agreement in this matter in scientific discussions in order then to make it accessible to an expert public.

3.3.5.4 Methodology for Determining the Limits of Safety

The transfer of limiting values for large-scale industrial facilities into sub-statutory rules and regulations poses various problems. To begin with, there is the question of the legitimization of committee work, its membership and the procedure by which the knowledge is acquired. Following this, it is often difficult to get an overview of the entire set of rules due to the large number of such committees and regulations, and there are also overlaps and, in some cases, even contradictions. The body of rules is not uniform in structure, systematics and wording and thus makes orientation difficult when applying the law. This is dangerous in a field where there is heavy investment on the one hand and considerable risks for possibly affected third parties, including the burden of litigation, on the other hand.

An additional problem arises from the mixture of the objective findings of research into truth and their evaluation. The aforementioned committees are regularly qualified and legitimized for the truth-finding process and consequences derived from this but not for the sociopolitical assessment of risks (see Sect. 3.3.3).

Safety-engineering work, in its sequence of steps and its processing, passes more or less clearly through the phases of the product life cycle as described in Sect. 3.1.5 (see also Fig. 3.2). This phase-based approach not only facilitates technical management but also notably secures the necessary organizational measures and finally results in risk management.

The following two phases are assigned to the planning process in the product life cycle:

  • Conception phase

  • Definition phase

The following two phases of the product life cycle are assigned to the implementation process:

  • Development and engineering phase

  • Production phase

Finally, the operation process comprises these two phases:

  • Operation and utilization phase and

  • Dismantling, disposal and recycling phase.

If new legislation and stricter regulations are required to tighten limiting values in safety and environmental protection, this will not go unwelcomed in many countries throughout the world. In reality, noticeable improvements are achieved at best in the medium and long term due to the time needed for the legislative process and, consequently, transition periods. This process completely disregards the fact that every additional complication of the already confusing body of legislation and rules increases the risk of the law being applied poorly due to excessive demands and lack of knowledge. It would be preferable to make today's applicable laws and regulations relating to safety and environmental protection considerably more transparent. This alone would make for a significant improvement in the standard of safety and environmental protection without a new law needing to be passed.

Reducing the complexity of technical installations, uncertainties and risks is always pursued in technical, economic or environmental problem cases. Compromises are therefore already inevitable here since the resources for implementation are limited and available information incomplete. By its very nature, a compromise cannot represent an optimum but only what is feasible under the circumstances and, therefore, does not claim absolute truth.

Risks must be minimized in a socially acceptable way and a balance always found between individual and social benefits. Compromises are unavoidable here that are nevertheless ethically justifiable. It can be stated that determination of the limits of safety is based on responsibility, acceptance, compromises, the measure of practical thinking, political feasibility, economic opportunities and, ultimately, on ethical standards. The definition of technical safety calls for practical feasibility and cost awareness and is committed to progress in research and development. It is determined by the current state of knowledge and social acceptance.

3.4 Verifiability of Safety

Safety can only be assured to the extent that it can be verified. It is shown here how limits of verifiability are set, which methodical approaches exist for its improvement, and which instruments have proven their worth for verifying the technical safety of a technical product or system over the various phases of its life cycle.

3.4.1 Limits of Verifiability

3.4.1.1 Responsibility

3.4.1.1.1 Types of Responsibility

Technical processes, especially verification of their safety, take place under the responsibility of humans. The individual can take responsibility for verification of safety when it is manageable for him/her. However, more complex forms of responsibility often occur in technology. Institutions or corporations have a specific duty with respect to their customers, members, shareholders or society in comprehending this responsibility.

The responsibility of the individual arises, on the one hand, from the responsibility of his/her role as a duty to the optimal fulfilment of assigned tasks. Therefore, everyone is firstly responsible for the result and direct consequences of their own actions. This also includes the results and consequences of omitted acts. One special case of role responsibility is prevention responsibility, which obligates a test engineer, for example, to search a facility systematically for weaknesses and thus proactively prevent accidents and malfunctions. On the other hand, everyone has the quite general obligation, beyond assigned duties, to respect and comply with basic rights, such as the right to life and the right to private property.

Institutions themselves cannot bear responsibility in their legal function as juristic persons. Responsibility must therefore be transferred to the persons acting in each case who represent these institutions. The complexity of the tasks does, however, call for a clear division of overall responsibility into fields whose scope should be adapted to the possibilities of the individual.

3.4.1.1.2 Conflict Between Economic Constraints and Technical Necessity

A frequent case of conflict is between the responsibility of the institution management for invested funds and the responsibility for safety. The starting point is the idea that the quantity and quality of goods and services are obviously better controlled by the regulatory mechanisms of the market than by state control. Optimization processes are encouraged by the inherent principle of competition which, if not implemented, would lead to displacement from the market. In the case of the usual goods and services, the regulating effect of the market provides for a balance between the quantity and quality of a product and customer satisfaction. As long as the customer is in a position to assess, check or experience the quality, he/she can intervene in the market.

Should the market, however, be disrupted by external effects (outside influences) or an uneven distribution of knowledge on the part of market participants, the state must intervene in the free market by laying down target specifications for the quality of products. In most cases, higher levels of quality are stipulated than would arise in the free play of the market. The state thus takes precautions in the general public interest. It enforces the constitutional principle of physical integrity for technical safety. In addition, it fends off the high consequential costs for the public sector which would be expected in the case of non-regulation.

For a number of reasons, the market principle can only be applied to a limited extent to the field of public technical safety. In addition, the main factors of interest here should be checked individually by experts before a technical product is put on the market.

Only a limited number of products have solely a safety function (e.g. fire extinguishers, safety valves, safety belts). The purchaser cannot always assess their properties. It is important how frequently and in what situations the products in question must prove their function: in routine use, normal use including common incidents, accident situations or emergencies.

The customer cannot judge the quality of a fire extinguisher which, in the ideal case, never needs to be used. However, if the quality of a safety-relevant product cannot be assessed, the regulating influence on the market is lost. Unsuitable products threaten to survive on the market or, if there are price advantages, even to dominate it.

It is much more common for goods to have a safety function in addition to their utilitarian feature (e.g. process/transport containers, pipelines, truck brakes). In these cases, the selling interest is overlaid by the safety function. If the selling interest and the public safety interest move in the same direction, the market supports the implementation of safe goods.

As experience shows, however, this principle fails in the case of shared or unclear responsibilities. Negative customer experiences do not then make an impact on the manufacturer of the goods. Safety deficiencies typically also occur when the economic benefits of a product or service decline in relation to duties or obligations. Therefore, dangerous goods transports with high-quality products must definitely be regulated differently from waste transportation.

3.4.1.1.3 Priorities in Deciding Responsibility Conflicts

There can be an optimum balance between economic expenditure and the safety achieved, but this must be with the moral reservation of adequate safety. According to Lenk and Maring [7], the following priorities arise in deciding conflicts of responsibility and roles:

  (a) Weighing the moral rights of every affected individual (see Sect. 3.1.6).

  (b) Seeking a compromise which takes everyone equally into consideration in the event of an irresolvable conflict between basic rights of equal value.

  (c) Voting for a solution which results in the least harm to all parties may and should occur only after weighing up the moral rights of every party.

  (d) Only when points (a)–(c) have been applied are benefits weighed against drawbacks.

  (e) In the event of practically irresolvable conflicts between the parties involved, fair compromises should be sought for the various parties with regard to harm and benefits (“fair compromises” are, for example, an approximately evenly distributed or justifiably apportioned distribution of burdens and benefits).

  (f) Universal moral responsibility usually has priority over task and role responsibility.

  (g) The public greater good and common welfare should precede all other specific and minority non-ethical interests.

  (h) Priority principles are also formulated in technical rules and standards. According to DIN 31004-1:1982-11 (see Chap. 2), for example, in the case of the term “safety” the following rule can be formulated with the aid of the probabilistic parameter “risk”: “In safety-compliant design, preference should be given to the solution with which the safety objective is best achieved in a technically meaningful and cost-effective manner. In case of doubt, it should first be assumed that safety-related requirements take priority over economic considerations”. On the other hand, it has been demonstrated, particularly in civil aeronautical engineering, that safety-related solutions are usually possible which are not necessarily in conflict with economic solutions.

  (i) In the case of “urgency”, ecological compatibility overrides economic application.

  (j) Concrete humanity takes precedence over abstract requirements and universal principles (precise human and socially acceptable weighing of goods).

3.4.2 Learning as a Continuous Task

Disturbances or accidents, even near-accidents (including negligently caused deviations from intended operation), are unintentional, unexpected system states. Since they are unexpected, there is also no possibility of verifying them in advance. Many event analyses have shown that, although the action of the operator may have triggered the disturbance, this alone does not suffice as an “explanation”. Design, construction, maintenance and management errors frequently occur long before the single action which triggered the disturbance and are also to be regarded as necessary preconditions. These errors must be avoided or eliminated by systematic experience feedback. In principle, there are three strategies for this objective.

3.4.2.1 Feed-Forward Control of Safety and Reliability

Probabilistic approaches to risk assessment, which also cover the actions of personnel in terms of a human reliability analysis (HRA), have long been systematically applied in diverse industrial sectors (among others, in the nuclear industry, civil aviation and engineering). However, these methods leave something to be desired. Although the necessary statistical data about failures in technical components are comparatively good, the same is not true of the underlying statistical information and the quality of the selected model concepts of human action. It must be borne in mind that these methods only permit partial statements and thus have certain weaknesses. Statistically sound databases are lacking, and these methods thus largely work with expert opinions (“informed guesses”). However, this does not have to detract from the possibilities of probabilistic methods. During the design and engineering of technical facilities, these methods are useful in gaining hypotheses and increasing awareness of human factor aspects (HF aspects) and should be developed further. Nevertheless, they are not sufficient on their own for a resilient statement on safety.

3.4.2.2 Feedback Control of Safety and Reliability

People learn from experience, mainly from mistakes, and organizations learn from events, including near-occurrences, which need to be analysed systematically. An event-related reporting system with a direct relationship to systematic root-cause analysis must be installed. Only the very few industries with a high risk potential have an efficient reporting system for incidents and accidents. Wherever supervisory authorities prescribe a system of this kind and enforce a reporting obligation on the basis of criteria, it is often felt to be burdensome. Incident reports outside a prescribed reporting threshold are even more rarely gathered, documented and analysed, although exactly these reports would enable especially instructive learning. Thought should be given to how such reporting systems are to be designed and implemented below and beyond the reporting obligation so as to obtain the maximum yield of knowledge. This calls for a reorientation of the error culture in Germany, which ultimately amounts to reporting an error when it occurs for the first time and punishing only its recurrence.

3.4.2.3 System of Organizational Learning

The learning process must be institutionalized in the sense of organizational learning. Both forms of safety control (“feed-forward” and “feedback”) can be mutually enriching when brought into a systematic relationship. Such a relationship must be created by setting up analysis and reporting databases. The following should be taken into account here:

  • standardized category systems,

  • periodic analyses of several events,

  • derivation of appropriate prevention concepts and

  • prompt feedback of the ascertained results to the persons affected.

3.4.2.4 Determination of the State of the Art as Learning Scheme

Determining the state of the art is often the precondition for acting in conformity with the law. Due to this prominent importance, various attempts were made to systematize this (learning) process for determination of the requirements. It begins with specifying for what the state of the art is to be determined, why and by whom. In individual cases, this means the following:

  • For what (for what object):

    It can deal with a particular type of technical facility, specific facility, part of a facility or facility component of safety-related importance.

  • Why (for what purpose, from which cause):

    The reason (context, background) is enquired into here, e.g. the implementation of an approval procedure for a new facility, change (expansion, increase in capacity, reduction in pollution emissions) or upgrading of an existing facility.

  • By whom (person/institution):

    The type of business should be stated here (e.g. small-/medium-sized enterprise or large company), which internal organizational units and external bodies are involved and, in particular, with whom the decision-making rests.

To determine whether a technical facility is state of the art, the following insights can be used:

  • comparable procedures, installations and operating methods,

  • combination or linking of different safety measures and

  • safety precautions in other types of technical facility which, in regard to their technology and materials used, are comparable with the facility under consideration.

Discharge of the safety obligation should be implemented in three stages. These stages make it clear that certain safety-related measures can be applied in determining the state of the art without an obligation already being derived from this. These particular measures do not have to be implemented in the technical facility being assessed since it is only a question of correspondence with the reference parameter.

  • In the first stage, the state of the art is to be determined for a specific safety-related assignment of tasks (e.g. in the context of a pilot or demonstration installation) in order to serve as a reference parameter for the specific facility under assessment.

  • In the second stage, an evaluative consideration is carried out as to whether the specific technical facility corresponds to the state of the art as determined. A check is made to see whether the safety objectives are attained with the designated measures for the specific technical facility (correspondence check).

  • In the third stage, a decision is made—on the basis of the results of the aforementioned stages—regarding the approval or supervisory procedures (legal consequence).

3.4.2.4.1 Conditions for the Determination Process

Determination of the state of the art must take into account what has proved itself in other comparable technical facilities in normal or test operation, or what the general engineering stage of development demonstrates as practically suitable. If none of these three criteria applies, a determination process should be initiated. In this case, the following five conditions must be satisfied:

  • All of the steps in the determination process must be completed, some steps being repeated if necessary (iteration loops).

  • The persons involved must be suitable.

  • The sources of knowledge consulted must cover the subject area thoroughly.

  • The methods and investigations applied must be suitable and sufficient.

  • The decisions must meet the legal standard of the state of the art.

Compliance with the state of the art is an obligation of the technical facility operator. Failure to meet or comply with this obligation can have serious consequences. Therefore, it is necessary to design the determination process methodologically and transparently and perform it with due diligence.

In certain cases, it is possible to determine the state of the art for a technical facility on the basis of technical rules, administrative regulations or guidelines. Such cases can occur when the boundaries of the technical facility, the materials present and the purpose of operation largely correspond to a technical facility described in a technical rule, etc. The rules, guidelines or administrative regulations consulted must be up to date and the necessary safety measures sufficiently described. Special facility-related or environmental hazard sources must be excluded.

In general, the state of the art results from technical rules and the results of discussions among experts.

3.4.2.4.2 Steps in the Determination Process

To determine the state of the art, the following seven process steps must be completed (corresponding to the first stage in Sect. 3.4.2.4):

  (a) definition of the task,

  (b) gathering the safety-relevant documents and data of the technical facility/process,

  (c) determining the safety-relevant fields (process steps and technical facility components),

  (d) analysing possible hazard sources,

  (e) determining and selecting knowledge sources,

  (f) evaluating the knowledge sources collected and

  (g) decision-making.

In this matter, the order of process steps (b) to (f) can vary depending on the particular application case.

The process steps should be run in iteration loops until sufficient certainty about the state of the art is available. Iteration loops can comprise single or several process steps.

Determining the state of the art is only to be regarded as one step in developing a safety-engineering view. The following points are to be added:

  • implementation of the state of the art with regard to the particular task,

  • documentation of its implementation,

  • investigation into and description of the residual risks and

  • emergency planning.

3.4.2.4.3 Decision-Making

As a rule, different possibilities will arise as to how the state of the art can be implemented in a specific technical facility. The design option finally selected must be justified and explained in a comprehensible way.

By definition, processes, equipment and operating modes must

  • have proved themselves in operation,

  • have been successfully tested or

  • have provided proof of their practical suitability

so that they can comply with the state of the art. Furthermore, the processes, equipment and operating modes must correspond to the advanced state of development. In this matter, a careful balancing of the effectiveness and reliability of a safety measure with respect to the specific hazard source is a basic requirement for preventing errors which could increase the likelihood of hazardous incidents.

3.4.3 Controlling Technical Safety in the Product Life Cycle

It is known from quality management that the later a fault is discovered in the planning or production process, the more it costs to eliminate it. This is certainly also applicable to safety-related errors. To achieve optimum cost-effectiveness, safety-related monitoring must therefore be carried out from the very first phase of development. This evaluation function can be integrated into the development team or, whenever milestones are reached, take the form of an external check by, for example, a central department (safety/quality) and, if necessary, a third party.

The safety-related information collected and the decisions made should be kept available at all times in the subsequent phases of the product life cycle for target/performance comparisons in terms of technical safety controlling. There is an opportunity to structure this controlling information for the continuous build-up of the “safety case” in a hierarchy of safety objectives.

3.4.3.1 Phase-Based Pursuance of Technical Safety

A comprehensive hazard analysis should be performed for the entire object (system, technical facility, product) in interdisciplinary collaboration (see Sects. 3.2.1 and 3.2.2). This should take into account technical facility-based and environmental hazard sources, including natural conditions and events and interference by unauthorized persons.

The hazards and their causes should be analysed by means of a recognized, proven test method. In this way, a sufficient measure of thoroughness and depth of testing can be assured. The object under investigation should therefore be limited to manageable fields.

The criteria for terminating the hazard analysis should be recorded. Termination criteria can concern, for example, the depth of testing, exclusion of particular individual hazard sources, material properties and process parameters.

Both the collected documents and data and information from facility and site inspections serve as a basis for the work. Should hazard analysis cover one or more hazard sources, it should be determined which measures should be taken according to the state of the art. Independently of this, the possible consequences of nevertheless conceivable disturbances should be determined, their risk assessed and protective measures taken.

3.4.3.2 Organization of Verification

In the organization of verification, a distinction should be drawn between internal and external inspections. External inspections can be organized under private law or carried out on basic legal principles as required by the state (governmental agencies or bodies authorized by the state).

Only through coordination by a body endowed with adequate authority can inspection measures be sensibly supplemented, unintentional gaps in verification prevented and the required information passed on. Its immediate task is to identify not only adverse deviations important for the evaluation of inspection measures but also their indirect effect of exerting a positive or negative influence on performance and/or quality.

3.4.3.2.1 Elements of Verification

With regard to the nature and scope of verification, a distinction can be drawn between:

  • manufacturer inspection or testing, whether regulated only internally or also externally,

  • third-party inspections by an independent third party carried out either independently of manufacturer inspections or relating exclusively to verifying the correct performance of manufacturer inspections and

  • acceptance inspections by the purchaser which are used for assessing and verifying the quality of goods or services at the transfer of responsibility or ownership.

Manufacturer inspections are always carried out in-house. Depending on the importance of the verification, they can take the form of a self-check or be carried out by persons not directly involved in the manufacturing process.

Internally regulated manufacturer inspections—like special measures for checking production—fall within the sole responsibility of the manufacturer.

Planning verifications include both the clear definition of rules for the assessment and corrective and/or preventive measures in the case of negative inspection results. The importance of the individual elements of the verification requires documentation.

3.4.3.2.2 Grading of Verification

The effectiveness of verification measures depends on the following factors:

  • degree of independence of inspection from the process concerned,

  • qualification of the inspection personnel,

  • intensity of checks (frequency and scope of inspections),

  • evaluation criteria and action taken in the event of negative inspection results and

  • use of multiple independent inspections.

Quality assurance stages and their assignment to hazard categories can be defined based on these factors, and individual items can come under different quality assurance stages.

3.4.3.3 The Modular Concept of the European Union

There is strong pressure to privatize the inspection and monitoring functions performed up to now by the state. This is often justified by the potential to increase efficiency or the responsibility of the manufacturer. Another reason is to be found in the process of European integration: the EU member states are acting on the assumption that barriers to free trade in the internal market can be dismantled more quickly by a private approval body. In the early 1990s, in particular, these tendencies to shift risk to the private sector (in conjunction with the transference of responsibility) have resulted in a real explosion of formal quality management systems and the associated auditing. For this reason, the costs and benefits of quality management systems and their audits have become a central point of discussion in the verification of technical safety.

The EU’s New Approach (Footnote 1) and the Global Approach for conformity assessment (Footnote 2)—including subsequent module decisions (Footnote 3)—are a prime example of the privatization and grading of control procedures in technical safety law. The Global Approach and the module decisions of the EU describe control procedures to be used in the EU’s legislative proposals for the free movement of goods. The modules constitute a graded system which ranges from the manufacturer’s declaration (Module A) to the individual approval of the product by an independent third party (Module G) and comprehensive quality assurance (Module H). The EU directives and the national legislation derived from these contain a selection of modules which take into account the risk of the regulated product. To qualify their product for the EU internal market, the manufacturer can select from these modules the one which best meets their production needs unless otherwise specified by a product-specific directive.

With the creation of the EU internal market, the previous limits of national safety structures have been shifted to the borders of Europe itself. In the case of global activities, there must be mutual adjustment of the various safety structures (compatibility clauses or reconciliation).

Germany has, until now, actively participated in risk minimization by governmental agencies or bodies authorized by the state to carry out, in their sovereign function, safety verifications or participate in them (implementation responsibility of the state). The relevant EU directives, on the other hand, want even these state-conducted verifications to be left to the free market and only monitored by the state (pure guarantee responsibility of the state). Although it used to be possible for safety-related professional expertise to remain linked with state agencies, it must now be procured on the open market. A safety methodically concept is presented with this VDI publication (see Chap. 4) which makes it possible, in any technological field of application, to systematically generate, verify and maintain technical safety for technical systems, facilities, processes and products. In this matter, due regard is to be paid to the risk-controlling function of the state—in other words, the necessary contribution to implementation responsibility and the possible share of guarantee responsibility are to be specified.

3.4.3.4 Control Directive of the European Union

The European Union (EU) is committed to promoting within its territory the free market through the free movement of goods, capital, services and individuals. On the one hand, it has laid down quality requirements for the marketing of products with safety- or health-related attributes and has intervened in the market to this extent. On the other hand, it has opened up the market for services in connection with the conformity certificate. Testing, certification and monitoring are in principle—subject to national restrictions—open to anyone and are thus open to free competition.

To secure the aims of the EU, instruments have been created in the form of independent conformity certificates. With its New Approach, the EU is increasingly replacing existing responsible authorities and officially recognized experts with “notified bodies” with rights and obligations in testing and certification. This new concept assumes that the services of these notified bodies are subject to the free market (liberalization).

3.4.3.5 Planning Process

The planning process includes the conception phase and the definition phase (see Sect. 3.3.5.4). The following objectives and purposes are pursued in these two phases.

3.4.3.5.1 Objective and Purpose

Objectives are characterized by the fact that they are uniquely qualified and quantified by content, time and scope. Individual objectives for the responsible employees are derived and developed in a process of agreement about objectives and are appropriate for the level concerned. Depending on the employees’ fields of responsibility, these might be objectives relating to profit contribution, costs or performance. By combining them, consistent target systems can be developed which are suitable with regard to both responsibilities and decision-making. Guidance by agreement about objectives is clearly superior to simply specifying objectives since employees are included in the process of identifying objectives.

The safety-related part of the conception phase is the collection and analysis of available information about safety. The programme within which it is basically possible, from the safety-engineering point of view, to develop new products (and also systems and technical facilities) is defined by external requirements. These requirements derive from sales markets, society, legislation, technological development, supplier and raw materials markets as well as from the internal capabilities of the company, such as the workforce and their qualifications, the existing product range and production resources.

An agreed quality requirement must be reflected in the result of the product life cycle. It consists of the totality of relevant individual requirements relating to the quality of the product. The most important aspect for the requirements which determine quality is that they are measurably included in test plans and provided with tolerances (see Sect. Error! Reference source not found).

As regards safety, the focus of the conception phase is on the following activities:

  • organization of safety-related activities taking into account the state of scientific and technical knowledge,

  • definition of responsibilities and competences in the field of safety,

  • gathering together all technical requirements relevant to safety from, for example, technical standards, relevant legislation and other rules and regulations,

  • evaluation of the “lessons learned” from previous events,

  • determination of hazard potentials,

  • definition of the higher-level “safety requirements catalogue” for the entire system or entire technical facility,

  • statement of safety requirements,

  • definition of a rough structure for performing the safety task and

  • verification that this higher-level safety requirements catalogue is coherent in itself and satisfies the relevant regulations and that the safety requirements stipulated in this catalogue can always be tested and verified.

In the definition phase, the same activities are basically included for safety as in the conception phase—but, in many cases, in a more concrete form and with the addition of traceable archiving:

  • assessment of the organization of safety-relevant work and likewise, where appropriate, its adaptation to alterations in the definition phase,

  • confirmation or redefinition of responsibilities or competences in the field of safety where changes in responsibilities and competences emerged for the definition phase,

  • continuation in the collection of all technical requirements relevant to safety from, for example, technical standards, relevant legislation and other rules and regulations,

  • continuation of the “lessons learned” aspect and evaluation of every structural unit to be defined here,

  • hazard analysis, determination of limiting risks and risk equivalents,

  • definition and release of the safety requirements catalogue and the corresponding safety-related limiting values,

  • definition of the subordinate safety requirements catalogue for each structural unit to be defined here in a logical continuation of the higher-level safety requirements catalogue for the entire system or entire technical facility,

  • application of the safety methodically concept for every structural unit to be defined here,

  • traceable archiving of the documentation which has been created and

  • verification that the safety requirements catalogues defined here for the subordinate structural units are coherent in themselves, do not conflict with the higher-level safety requirements catalogue and satisfy the relevant regulations.

The safety requirements laid down in these catalogues must also be demonstrably verifiable.
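As an added illustration, not code from the VDI publication, the following Python sketch performs the verification step described for the definition phase on a constructed catalogue pair: each requirement must be measurably testable (limit, tolerance, named method), a subordinate catalogue must be coherent in itself, must not relax a higher-level limit, and must refine every higher-level requirement. The data model, the finding codes and all sample values are assumptions made for this example.

```python
"""Coherence check of a hierarchical safety requirements catalogue.

Added example, not part of the VDI publication.  The data model, the finding
codes and the sample catalogues are constructed for illustration; the checks
mirror the verification steps listed for the conception and definition
phases: each requirement must be testable (a measurable limit, a tolerance
and a named verification method), a subordinate catalogue must not conflict
with the higher-level catalogue, and each higher-level requirement must be
refined by at least one subordinate requirement.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    req_id: str
    quantity: str                  # measurable quantity, e.g. "surface_temperature"
    unit: str
    kind: str                      # "max" (upper limit) or "min" (lower limit)
    limit: float                   # safety-related limiting value
    tolerance: float               # measurement tolerance; must be > 0 to be testable
    method: str                    # verification method, e.g. "type test"; "" = none
    parent: Optional[str] = None   # id of the higher-level requirement being refined


def is_verifiable(r: Requirement) -> bool:
    """Testable means: a named method, a positive tolerance and a known limit kind."""
    return bool(r.method.strip()) and r.tolerance > 0 and r.kind in ("max", "min")


def _not_looser(sub: Requirement, parent: Requirement) -> bool:
    """A refinement may tighten a limit but never relax it."""
    if sub.kind == "max":
        return sub.limit <= parent.limit
    return sub.limit >= parent.limit


def check_internal(catalogue: list) -> list:
    """Checks one catalogue in itself: unique ids, testability, no contradictory limits."""
    findings, seen, by_quantity = [], set(), {}
    for r in catalogue:
        if r.req_id in seen:
            findings.append(("DUPLICATE_ID", r.req_id))
        seen.add(r.req_id)
        if not is_verifiable(r):
            findings.append(("NOT_VERIFIABLE", r.req_id))
        key = (r.quantity, r.unit, r.kind)
        # two limits for the same quantity inside one catalogue contradict each other
        if key in by_quantity and by_quantity[key].limit != r.limit:
            findings.append(("CONTRADICTORY_LIMIT", r.req_id))
        by_quantity.setdefault(key, r)
    return findings


def check_catalogue(higher: list, subordinate: list) -> list:
    """Returns (code, requirement id) findings; an empty list means coherent."""
    findings = check_internal(higher) + check_internal(subordinate)
    higher_by_id = {r.req_id: r for r in higher}
    covered = set()
    for s in subordinate:
        p = higher_by_id.get(s.parent or "")
        if p is None:
            findings.append(("UNKNOWN_PARENT", s.req_id))
            continue
        covered.add(p.req_id)
        if (s.quantity, s.unit, s.kind) != (p.quantity, p.unit, p.kind):
            findings.append(("QUANTITY_MISMATCH", s.req_id))
        elif not _not_looser(s, p):
            findings.append(("CONFLICTS_WITH_HIGHER_LEVEL", s.req_id))
    for h in higher:                       # every higher-level requirement must be refined
        if h.req_id not in covered:
            findings.append(("NOT_REFINED", h.req_id))
    return findings


# Constructed sample: higher-level catalogue for a whole facility and the
# subordinate catalogue for one structural unit (values are illustrative only).
HIGHER = [
    Requirement("SR-1", "surface_temperature", "degC", "max", 60.0, 1.0, "type test"),
    Requirement("SR-2", "emergency_stop_time", "s", "max", 0.5, 0.05, "functional test"),
    Requirement("SR-3", "insulation_resistance", "MOhm", "min", 1.0, 0.1, "routine test"),
    Requirement("SR-4", "sound_pressure_level", "dB(A)", "max", 80.0, 1.0, "type test"),
]
SUBORDINATE = [
    Requirement("SR-1.1", "surface_temperature", "degC", "max", 55.0, 1.0, "type test", "SR-1"),
    Requirement("SR-2.1", "emergency_stop_time", "s", "max", 0.8, 0.05, "functional test", "SR-2"),  # looser than SR-2
    Requirement("SR-3.1", "insulation_resistance", "MOhm", "min", 2.0, 0.1, "", "SR-3"),            # no method
    Requirement("SR-5.1", "guard_interlock_force", "N", "max", 150.0, 5.0, "functional test", "SR-9"),  # SR-9 missing
]

if __name__ == "__main__":
    for code, req_id in check_catalogue(HIGHER, SUBORDINATE):
        print(f"{code:28s} {req_id}")
```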

3.4.3.5.2 Materials and Sampling Procedures

In order to evaluate the homogeneity of the materials to be used, the manufacturer must make a statistically random selection from an internally homogeneous totality (from a production batch, for example)—in other words, a random sample. It must comprise a representative number of specimens from the batch of reference material in question. This evaluation procedure should be implemented and documented in compliance with recognized, uniform sampling plans (according to DIN ISO 2859-1 “Sampling procedures for inspection by attributes”).

In the case of production of single items (one-offs), the suitability of the material must be indicated on the basis of an analogous procedure with a specific method of verification.
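To show what a sampling plan for inspection by attributes does for the batch evaluation described above, here is an added Python example; it is not code from the VDI publication and the plan parameters (sample size n, acceptance number c) are constructed values, not taken from the tables of DIN ISO 2859-1. It draws a random sample from a batch, applies the accept/reject rule and computes the probability of acceptance for a given batch quality, from which the producer's and consumer's risks of the plan follow.

```python
"""Single sampling plan for inspection by attributes.

Added example, not part of the VDI publication and not a table from
DIN ISO 2859-1: the plan parameters n and c and the sample batches are
constructed for illustration.  True marks a non-conforming specimen.
"""
import random
from math import comb
from typing import List, Optional, Tuple


def decide(nonconforming_in_sample: int, c: int) -> str:
    """Single sampling plan rule: accept iff the number of non-conforming
    specimens in the sample does not exceed the acceptance number c."""
    return "accept" if nonconforming_in_sample <= c else "reject"


def draw_sample(batch: List[bool], n: int, seed: Optional[int] = None) -> List[bool]:
    """Statistically random selection of n specimens without replacement."""
    rng = random.Random(seed)
    return rng.sample(batch, n)


def inspect_batch(batch: List[bool], n: int, c: int, seed: Optional[int] = None) -> str:
    """Full procedure: random sample, count non-conforming specimens, decide."""
    return decide(sum(draw_sample(batch, n, seed)), c)


def prob_accept_hypergeometric(lot_size: int, lot_defectives: int, n: int, c: int) -> float:
    """Exact probability of acceptance for a finite batch (sampling without replacement)."""
    total = comb(lot_size, n)
    return sum(comb(lot_defectives, k) * comb(lot_size - lot_defectives, n - k)
               for k in range(min(c, lot_defectives) + 1)) / total


def prob_accept_binomial(p: float, n: int, c: int) -> float:
    """Operating characteristic for large batches: P(X <= c) with X ~ Bin(n, p),
    p being the fraction of non-conforming items in the batch."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(c + 1))


def producer_and_consumer_risk(n: int, c: int, aql: float, ltpd: float) -> Tuple[float, float]:
    """Producer's risk: probability of rejecting a batch at the acceptable
    quality level (aql).  Consumer's risk: probability of accepting a batch
    at the lot tolerance fraction defective (ltpd)."""
    return 1.0 - prob_accept_binomial(aql, n, c), prob_accept_binomial(ltpd, n, c)


if __name__ == "__main__":
    N, C = 50, 1                                  # constructed plan, not an ISO 2859-1 table entry
    batch = [False] * 490 + [True] * 10           # constructed batch: 500 items, 2 % non-conforming
    random.Random(7).shuffle(batch)
    print("decision:", inspect_batch(batch, N, C, seed=1))
    print("P(accept) exact  :", round(prob_accept_hypergeometric(500, 10, N, C), 4))
    print("P(accept) binomial:", round(prob_accept_binomial(0.02, N, C), 4))
    alpha, beta = producer_and_consumer_risk(N, C, aql=0.01, ltpd=0.10)
    print("producer's risk:", round(alpha, 4), " consumer's risk:", round(beta, 4))
```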

3.4.3.5.3 Verifiability of Requirements

It must be ensured that only suitable products and services are procured which can also comply with requirements. In this case, a check must be made of all subcontractors and suppliers to ascertain whether they have the necessary quality capability, and the procurement documents must contain all relevant data and be verifiable. Traceability should make it possible to track the creation process, utilization or location of a structural unit on the basis of its identification, which has also been recorded. Traceability relates in particular to

  • the origin of materials and structural units,

  • the processing history of the product and

  • the distribution and whereabouts of the product after delivery.

3.4.3.5.4 Consideration of the Potential Conflict Between Cost-Effectiveness and Technical Safety

The profit-oriented market principle is not a sufficiently suitable safety instrument for the field of public-technical safety and can, for a number of reasons, only be applied to a limited extent here. In this case, the main factors of interest should be individually examined and taken into consideration:

  • The product “safety”

    In addition to other factors affecting technical safety—such as training or expertise, the general safety culture and the degree to which regulations are observed—safety is here classified under goods and services.

  • The user

    In evaluating the products and services on offer, the user makes decisions primarily for himself/herself and normally does not take into consideration the interests of the common good. Therefore, this case cannot be included as a robust variable in safety-related analyses. Consideration of the interests of third parties or the general public must therefore be enforced or achieved through positive incentives.

  • The public interest

    The state intervenes in the market in order to protect the general public and the environment. It thus implements precautions for the common good and public safety and order. In order to enforce this, requirements are made regarding quality and operation and a graduated control system is also provided with instruments for independent proof of conformity.

  • Governmental supervision (market surveillance)

    In the liberalized testing and certification market in Europe—possibly the intended future of the majority of the countries participating in the EU—it cannot in some cases be assumed that goods and services with a safety function are provided for the public benefit. In such cases, the instrument of market surveillance is an indispensable element in safeguarding the public safety interest. Setting up a market surveillance body is a necessary though not sufficient instrument for the field of technical safety. Safety is both an individual and a collective need which cannot be consistently satisfied by market forces. This is especially true of forward-looking collective needs. Therefore, Germany as a state must intervene in the market by regulation—in other words, it must dissent from the change that may be the intended future of the majority of European countries.

3.4.3.5.5 Responsibilities

The responsibilities for all verification or inspection measures, especially as regards the implementation of measures when verification or inspection results are inadequate, must be clearly and unambiguously regulated. All verification or inspection results must be recorded. If several contractors and subcontractors are involved in the manufacturing or production process and wrong decisions or gaps in verification can cause significant consequences, a verification or inspection plan will be necessary.

3.4.3.6 Implementation Process

The implementation process consists of the development and engineering phase and the production phase . The basic objective of the implementation process essentially coincides with that of the planning process (see Sect. 3.3.5.4). In the production phase, however, it is only possible to work with the instrument of agreement on objectives under very specific constraints, and the instrument of definition of objectives will have to be applied more often.

3.4.3.6.1 Objective and Purpose

The main points of emphasis in the development and engineering phase (see Sect. 3.3.5.4) as regards safety are the following activities:

  • checking the organization of safety-relevant work and, if necessary, its adjustment to any possible changes during the development and engineering phase,

  • setting up quality and safety management with a redefinition of responsibilities and competences in the safety field if changes in responsibilities and competences have arisen for the development and engineering phase,

  • continuation in the collection of all technical requirements relevant to safety from, for example, technical standards, relevant legislation and other rules and regulations,

  • determination of probabilities of occurrence and the extent of damage for each type of failure,

  • continuation of “lessons learned” and evaluation for each technical component to be developed or engineered,

  • involvement of relevant institutions (authorities, public-interest bodies, notified bodies, experts, etc.) in the generation and verification of safety insofar as this is legally and factually necessary for effective supervision,

  • application of safety requirements and their implementation for every structural unit to be developed or engineered here by the safety methodically concept, which is applied precisely for this purpose,

  • verification that the safety requirements applied and implemented here

    • are effective for subordinate structural units,

    • are not in conflict with the higher-level safety requirements catalogue,

    • comply with the relevant regulations and

    • comply with the safety requirements as defined in detail,

  • optimization of specified safety precautions (e.g. inhibition of the utility function, fail-safe, fail-operational),

  • checking and verification of the specified safety requirements for the individual concepts concerned here, and doing so during the course of qualification (type test, etc.) and

  • submission of a safety report (as the formal conclusion of safety verification)—if necessary, as a component of the safety case (see Sect. 3.2.2.8).

As regards the main focus of the production phase (see Sect. 3.3.5.4), there are the following activities in the field of safety which, in part, represent a further detailing of activities from the development and engineering phase but are, for the most part, specific to the production process:

  • review of the organization of safety-relevant work and its adaptation to possible changes in the production phase where necessary,

  • within the framework of quality management, redefinition of responsibilities and competences for the field of safety should changes have arisen in responsibilities and competences for the production phase,

  • involvement of the appropriate quality assurance organization (either in-house or external) in the production process with emphasis laid on safety requirements and attributes,

  • ensuring that the manufacturing processes used are not only cost-effective but also always reproducible, and this with the emphasis on safety,

  • involvement of relevant institutions (authorities, public-interest bodies, notified bodies, experts, etc.) in the generation and verification of safety insofar as this is legally and factually necessary for effective supervision,

  • implementation in production of the relevant state of the art or application in production of generally accepted sound engineering practice and, in all cases, paying due regard to technical requirements relevant to safety: for example, in technical standards, production and quality regulations,

  • verification that the safety requirements applied and implemented here

    • are effective for subordinate structural units,

    • are not in conflict with the higher-level safety requirements catalogue,

    • comply with the relevant regulations,

    • meet the detailed safety requirements and

    • are checked, verified and traceably documented during the course of technical acceptance (acceptance testing or similar).

During acceptance testing, verification is required of the conformity of the manufactured products (or system or technical facility) with the safety requirements worked out and laid down in the preceding phases.

3.4.3.6.2 Hazard Analysis

Hazards and their causes must be analysed using a tried and tested method of investigation. In this way, sufficient thoroughness and depth of testing can be assured. The structural unit to be investigated may need to be divided into manageable sections.

A comprehensive hazard analysis should be carried out for the entire structural unit. This should take into account facility-specific and environmental hazard sources, including natural conditions and events and interference by unauthorized persons.

The documents and data which have been collected together with information from facility and, where applicable, site inspections will serve as a basis for the work.

If hazard analysis covers one or more hazard sources, it should be determined which measures should be taken according to the state of the art. Independently of this, the possible consequences of nonetheless conceivable disturbances should be determined and evaluated with regard to the risk of damage occurring and its effects. Safety measures should be taken while paying due regard to the normative requirements applicable to the limiting risk.

3.4.3.6.3 Verifiability of Requirements

The requirements emerging from the preceding phases are verified as follows:

  • As regards the type and importance of tests and inspections, a distinction should be drawn between serial production with the objective of consistent quality and single-item production with the objective of complying with planning specifications.

  • Deviations detected can be managed by corrective measures. With regard to control of the manufacturing process, attention should be paid to the reproducibility of the production process (non-conformities) in the case of series production while priority is given to preventive measures in single-item production.

3.4.3.6.4 Inspection and Approval of the Planning Documents

  • Examination of draft design, dimensioning and structural design

    It is important to check that all relevant hazards have been identified and appropriate measures provided for their prevention. This particularly concerns the appropriate choice of the system, materials and designs, processes and auxiliary resources for both the execution and the layout (accessibility). Among other things, a check should also be made whether

    • all essential organizational requirements, such as specific trade and operational qualifications, can be met,

    • all tests or inspections required for the execution are provided, and

    • all terms of use and, where applicable, necessary conservation measures are specified before commissioning.

  • Planning documents can be inspected in different ways with different amounts of effort. Among other things, a check will be made to see whether

    • the calculation includes the relevant requirements and actual influences, boundary conditions and conditions of use,

    • verifications are maintained for all major components,

    • suitable computational models are used,

    • there are no contradictions in the calculation,

    • all design assumptions are correctly tracked through the system, and

    • no damage is caused by modifications of either components or the system.

    As regards the type of inspection, a distinction may be drawn between:

    • a full comparative calculation carried out independently of the present calculation and in which important dimensioning results are compared,

    • a partial checking calculation in which only crucial parts of the calculation are checked in detail by recalculation or comparative calculation and

    • inspection of manufacturing/construction documentation.

  • The manufacturing/production documentation must contain all information necessary for the execution, such as tolerance limits or changes as well as instructions relating to the course of production. In addition, it is important here that the dimensioning results have been correctly transferred, that the drawings meet the given requirements, that any additional necessary constraints are observed, and that the plans are clear and unambiguous.

3.4.3.6.5 Traceability of Documentation

The manufacturer must have a quality management system which typically includes the following items:

  • documentation and traceable archiving of design documents,

  • provisions to ensure an appropriate selection (e.g. sample matrix, particle size, concentration range) of possible reference materials,

  • preparation methods,

  • assessment and quantification of the required degree of homogeneity of the material,

  • evaluation of the stability of the material, even continuously if necessary,

  • procedure for characterization of the required properties,

  • practical implementation of the traceability of legal units of measurement to national or international standards,

  • assignment of attribute values, including preparation of certificates or statements in accordance with ISO Guide 31 “Reference materials” if appropriate,

  • provision of suitable production facilities and

  • regulations regarding suitable possibilities for identification, labelling and packaging, packing and shipping procedures, as well as after-sales service.

The documentation and archiving system must clearly indicate which activities are to be carried out by the manufacturer and which by collaboration partners. It must also contain the regulations and procedures being used by the manufacturer.

3.4.3.6.6 Approval Procedure

The manufacture of certain important safety-related products may already be subject to mandatory official approval or authorization. These obligations (approval process) must be included in the quality management system and complied with.

The safety management system should, in all cases, be considered a constituent part of the quality management system. Approvals also often stipulate that consideration must be given to protection against unauthorized access (“security”).

The quality management system itself is subject to a periodic certification process by third parties, the so-called accredited certifiers.

3.4.3.6.7 Utilization of Materials

  • Quality assurance system (in-house and external monitoring with documentation for traceability):

    • Several factors can cause the actual performance to deviate unacceptably from nominal specifications. These factors include, for example, changes in material and component properties, uncertainties in installation or construction or faults and errors in the different manufacturing steps. To combat this, control measures should be included in all major phases of execution (precautionary monitoring of the execution of work).

    • If there is a risk of attributes changing impermissibly or contrary to expectations during the utilization phase, special conservation measures may be necessary (accompanying monitoring before commissioning).

  • Compatibility of the components

    The manufacturer must conduct internal audits of his/her activities at regular intervals and in accordance with a previously defined plan and procedure. By doing so, he/she demonstrates that the activities still comply with the requirements of the quality management system.

    The internal auditing programme must address all elements of the quality management system described in the quality management manual. This also includes the technical and production activities which result in attribute values being assigned to a reference material (material compatibility, “fit, form, function”). It is the responsibility of the quality assurance representative to schedule and organize audits in accordance with the established programme and at the request of management. Such audits must be performed by trained and qualified personnel. Where resources permit, the personnel must be independent of the activity being audited.

    Personnel may not audit their own activities unless this is necessary and its effective performance can be demonstrated.

3.4.3.6.8 Market Surveillance/State Supervision

The instrument of market supervision is an indispensable element of the state’s regulatory action for the legal enforcement of public safety interests. Availing itself of its legal options, the state can intervene in the market and eliminate undesirable developments. The state does this in a variety of ways, either by retaining suitable supervisory officials or by using “appointed contractors”.

The manufacturer must create transparency (traceability) for the action of (state) market surveillance.

3.4.3.7 Operation Process

The operation process includes the operation and utilization phases into which, at the completion of utilization, the dismantling, disposal and recycling phases can also normally be integrated (see Sect. 3.3.5.4).

3.4.3.7.1 Objective and Purpose

Among the instruments for achieving objectives, the definition of objectives, by which cost-effective, reliable and safe operation is to be achieved, comes to the fore.

In the operation and utilization phase (see Sect. 3.3.5.4), a distinction should be drawn between products (technical facilities, goods and services) not requiring and those requiring an approval before going into operation. In either case, the following aspects must be taken into consideration:

  • safety management,

  • safety monitoring and

  • safety during the course of retrofitting work.

The same procedures apply, in principle, to the dismantling, disposal and recycling phases (see Sect. 3.3.5.4) as described in the preceding phases but, due to a frequent lack of relevant sound engineering practice, with a greater testing or surveillance effort. Making matters more difficult is the fact that the processes involved in the dismantling, disposal and recycling phases are not standard processes and, therefore, the personnel concerned must perform their duties with special attention and responsibility. Above all, managerial staff must set up an appropriate and suitable quality management system oriented to the special process steps in the dismantling, disposal and recycling phases.

As regards safety, the focus in the dismantling, disposal and recycling phases is on the following activities:

  • organization of work relevant to safety,

  • definition of responsibilities and competences in the field of safety,

  • evaluation of the “lessons learned” from previous events in order to determine preventive measures,

  • grandfathering from earlier limiting values,

  • definition of the higher-level safety requirements catalogue for the entire dismantling, disposal and recycling phases and

  • verification that this higher-level safety requirements catalogue is coherent in itself and satisfies the relevant regulations and that the safety requirements stipulated in this catalogue can also always be tested and verified.

3.4.3.7.2 Approval

Industrial plants and business enterprises which are sources of environmental pollution or important as regards safety require an approval in accordance with the relevant legislation. The approval procedure should ensure that

  • employees and, where applicable, the neighbourhood and even general public are protected against injurious environmental influences and other hazards,

  • necessary precautions are taken against injurious environmental influences and other hazards as well as against significant disadvantages or annoyances,

  • waste is avoided, recycled or, if not avoidable or recyclable, properly disposed of, and

  • energy is used thriftily and efficiently.

A check is also made during the approval procedure to see whether other regulations under public law (such as nature conservation legislation, legislation relating to water and building code legislation) have been observed and measures for occupational health and safety implemented.

An approval can include numerous other official decisions (concentration effect).

The official procedures are bundled by, for example, building permits, permits for installations requiring monitoring as required in the Equipment and Product Safety Act and declarations of suitability for facilities used for storing, filling, trans-shipping, manufacturing, treating or using substances hazardous to water.

3.4.3.7.3 Status Checks

All operational procedures need to be systematically checked at regular intervals. In this way, it is possible to identify not only potential sources of non-conformities but also all possibilities for improvement, either of a technical nature or within the quality management system. Flow charts must be developed, implemented and monitored so as to reduce the probability of the occurrence of non-conformities and to observe the benefits arising from the improvements. The results of the preventive measures must be submitted for purposes of management review.

3.4.3.7.4 Instructions for Use

Instructions for use help in maintaining quality during operation and must be prepared in writing and in detail in the quality agreements and handed over to the user by the manufacturer. Instructions for use are a constituent part of quality planning on the basis of the quality management system. Due observance should be given here to the Equipment and Product Safety Act and relevant legal regulations.

3.4.3.7.5 Maintenance

Products can contribute to meeting the requirements applicable to technical facilities only to the extent that these facilities are also properly maintained.

According to standard DIN 31051:2012-09 (see Chap. 2), maintenance is understood as all the measures taken to maintain or restore the nominal condition of technical systems and facilities in as far as they are not modified. This includes terms such as routine maintenance, inspection and repair.

3.4.3.7.6 Retrofitting

For complex systems and industrial goods with a long service life (such as commercial aircraft, rail track networks, large-scale chemical plants and power stations), efforts are often made to secure an extension of their service life. Depending on the extent of the necessary retrofitting, subordinate measures undertaken during the various phases of the life cycle may need to be repeated so that the same operational and service condition is secured with a return to service as was present before retrofitting.

In certain areas, the law requires retrofitting in accordance with the state of the art or the state of scientific and technical knowledge.

3.4.3.8 Quality Management in Safety Engineering

3.4.3.8.1 Role and Benefits of Quality Management Systems

The systematic evaluation and realization of technical requirements is the basis of every quality management system, for example one according to DIN EN ISO 9000 “Quality management systems”. These requirements apply to all phases. Since they are already included in the planning process, this represents a decisive step for quality management, as the costs arising from mistakes increase with every subsequent step.

A quality requirement which can be fulfilled involves well thought-out quality planning consisting of the following main elements:

  • planning for the identification, classification and prioritizing of the quality characteristics of the product, specification of objectives and quality requirements,

  • planning management and implementation activities, such as preparing the application of the quality management system with flow charts and time schedules,

  • preparation of quality management plans with utilization of the non-conformities management system and

  • establishment of a process for continuous quality improvement (e.g. “lessons learned”).

Provided the quality management system is applied consistently, achievement of the required product quality may be expected. This expectation presupposes a high degree of reliability in the system used. The successful conformity of the product with the requirements and the relevant documents is an outward indication of this expectation.

For laboratories, for example, which determine the characteristic data of materials, there is an auditable management system in the form of the Good Laboratory Practice (GLP) standards of the Organization for Economic Cooperation and Development (OECD). A directive has made this mandatory for the members of the EU.

3.4.3.8.2 Quality Management System and Qualified Personnel

At predefined intervals, the product supplier must audit the quality management system. These intervals should be chosen in such a way that suitability and effectiveness can be ensured in complying with both requirements and the established quality policy and its objectives. For the purpose of traceability, the corresponding records must be kept and archived to a sufficient extent.

The manufacturer must set up, implement and maintain a quality management system—usually according to DIN EN ISO 9000 “Quality management systems”—appropriate to his field of activity and including the type, scope and scale of production. The manufacturer must define and document his/her quality management policy, objectives and commitments.

The quality management system must further engage in producing reference materials. These must comply with the definitions given in ISO Guide 30 “Reference materials—selected terms and definitions”, and their characteristic values must be evaluated using approved statistical methods. The quality management system must also commit itself to complying with the provisions of ISO Guide 31 “Reference materials” with regard to material certificates and the provision of the corresponding information to users. Furthermore, quality management must also specify the intended use of the supplied material and commit the manufacturer’s organization to ensuring that customers are fully informed.

The obligations of the manufacturer in detail:

  • The manufacturer must have at his/her disposal managerial staff supported by technical staff who, in turn, must have the powers and resources to perform their duties. The technical staff must also identify deviations from either the quality management system or the procedures for preparing the reference material and be able to initiate processes to prevent or minimize such deviations.

  • The manufacturer must have arrangements in place which ensure that his/her management and personnel are free from any commercial, financial or other internal or external pressures which could adversely affect the quality of their work.

  • The manufacturer must have regulations and procedures in place to ensure that confidential information and the ownership rights of customers are protected.

  • The manufacturer must have regulations and procedures in place which prevent any involvement in activities that lower confidence in his/her competence, impartiality, judgment or operational integrity.

  • With the aid of organizational charts, the manufacturer must define his/her organization and management structure, his/her position within a supporting organization and the relationships between management, technical processes, support services, collaborative partners and the quality management system.

  • The manufacturer must describe the responsibilities, powers and mutual relationships of all of the personnel who manage, carry out or check the work which influences the quality of the production of the reference materials.

  • The manufacturer must have a technical management team which has overall responsibility for technical operations and providing the necessary resources to ensure the required quality of production processes.

  • The manufacturer must have an archiving system for traceable documentation

    • for control of documents (specified requirements, release and change management),

    • for control of records (verification documentation, inspection reports),

    • for internal audits (scheduled, ad hoc),

    • for control of non-conforming products (non-conformities management system),

    • concerning corrective measures and

    • concerning preventive measures.

The competences and responsibilities for all verifications, especially for the enforcement of measures in the event of unsatisfactory inspection results, should be regulated clearly and unambiguously. If a large number of contractors and subcontractors are involved in a construction project and incorrect decisions could have serious consequences, it makes sense to prepare an inspection plan for integrated verification. All of these individual measures must also pursue the common goal of an integrated safety management system.

The operator must, as a minimum, comply with the manufacturer’s conditions of use, with safety requirements having absolute priority here. To this end, he/she must set up, implement and maintain a suitable quality management system appropriate to his/her field of activity and including the type, scope and scale of the business. Manufacturer and operator must define objectives and obligations and, where appropriate, document them. Quality management can thus ensure and maintain

  • all aspects of production,

  • material properties (e.g. strength, homogeneity and other characteristics),

  • characterization (e.g. equipment calibration and the validation of measurement methods),

  • assignment of attribute values (e.g. the use of suitable statistical methods) and

  • procedures for material handling, storage and transportation.

The operator must have sufficient personnel who have both the necessary education and training and the technical knowledge and experience for their assigned tasks. The operator must ensure that operating personnel are, in cases of doubt, given additional training to ensure competent performance of measurements, operation of equipment and other activities affecting quality. If possible, the achievement of competence should be assessed by training courses on the basis of objective standards.

If management systems are required, they must comply with the requirements. The quality management system may integrate other systems such as safety or safety management systems.

3.5 Social Considerations

3.5.1 Prevention of Safety-Critical Failures

3.5.1.1 National and International Developments

On the national level, target values for public technical safety are laid down in regulations ranging from the Basic (Constitutional) Law, laws and ordinances to standards and codes of conduct. Its society-dependent form on the international level implies differences in its structures in the various states and regions. Increasing interaction in economic areas crossing state and regional boundaries makes it necessary to adjust and open up regulations which previously have been predominantly national. The scale of the measures to be taken extends from the mutual recognition of structures which have further differences regionally to globally uniform, harmonized structures and regulations for hazard control in specific sectors. In both form and content, verifications in inspection and safety engineering are undergoing a radical change whose implications need to be assessed.

The transfer of national powers to supranational institutions is bound up with a change in national practices in matured and often well-proven traditions, even in technology and business. These changes should be reviewed with regard to negative effects on safety and countermeasures to be taken if necessary.

The conclusion to be drawn from this is that not only the established German system but also other systems should be comparatively analysed and evaluated in the European and, ultimately, global requirements for a further development of public-technical safety. The legal background, state of the art and needs of the economy must be taken into account when determining a suitable system for ensuring public-technical safety. This future-looking problem analysis must also include the activities of independent third parties against a background of the full span ranging from organizations authorized to conduct testing on behalf of the state to service providers acting in the market (problem area: the state’s guarantee and implementation responsibilities).

The technical risk should first be examined and analysed to develop approaches for solutions which can be agreed on for systems that are incontestably safe. Whatever the case, engineering must take the forefront in any discussion about consensual solutions and the forms taken by organizations in the safety landscape.

3.5.1.2 Safety and Legislature

Ensuring technical safety should not be regarded in its importance as anything other than the responsibility for internal and external safety. One of the core tasks of the state is to establish a suitable general framework for this. The state and the public are called on to answer the question as to which risk is acceptable and which not (where risk means opportunity). The state does this through the appropriate legislation, such as the Atomic Energy Act, Chemicals Act, Carriage of Dangerous Goods Act and Explosives Act. Ordinances express the necessary precautions in a concrete form, and this regulatory system is completed by the standards and rules to which reference is made.

Direct governmental activities within the regulatory system are being supplanted by market surveillance procedures which are being increasingly applied. In this case, a risk-dependent balance of role apportionment between the state and the private sector must be found in the future.

3.5.1.3 Safety and Deregulation

In fields of relevance to safety, the state should not limit itself to issuing regulations and punitive sanctions. It should, rather, concern itself with actively specifying standards and structures to the extent required and simultaneously ensuring they are implemented and complied with. The political will is for tasks previously performed by the state to be increasingly passed over into the hands of private bodies or the business sector. Maintaining the required balance calls for an appropriate orientation of state tasks within the changing testing and approval systems.

Structures in the field of safety engineering must be balanced between the state and business just as the balance is to be maintained between precautions, prevention (hazard prevention) and repression (punishment for damaging events). This grading of the necessary requirements profile by the potential for endangerment or damage does not relate solely to technical requirements but also to measures in the fields of approval and surveillance. The inclusion of all interested groups (manufacturers and operators as well as the state and independent third parties) and their active participation must be organized systematically. This means that the state must play its part in a level-headed manner in the duties of approval and supervision. It must also act within the overall context of the mechanisms which ensure that the maximum still acceptable risk is not exceeded.

3.5.1.4 Safety and the Economy

The establishment of standards and rules which are as uniform as possible and assigned to major economic fields is of great importance to the economy. In efforts to find a balanced compromise for the different aims of the groups involved, adjustments may need to be made which no longer adequately reflect the original national implementation of standards and regulations. The regulations must be formulated all the more carefully if public-technical safety within the overall system is not to suffer any impairments.

Organizational aspects (behavioural requirements in operation and detailed activity-related rules) are more strongly emphasized in the Anglo-American economic sector than in Germany, where more stress is laid on product-related safety (quality requirements concerning construction and fittings). A weighted balancing of these aspects in comprehensive systems could bring benefits, and simply adopting more organization and fewer constructional requirements would be disadvantageous. Whatever the case, in the future the desired level of public-technical safety will need to be verified by looking at the interfaces of quality and behaviour requirements. This is all the more so since, as part of the Europeanization of safety legislation, the requirements applicable to technical products are increasingly being laid down on the European level, this being done with the aim of ensuring the free movement of goods.

3.5.1.5 Safety and Assignment of Competences

Not only is a well-balanced inclusion of manufacturer and operator interests necessary but also the participation of specialized agencies and independent experts. Attention must be paid to the risks of damage occurring and its effects and also to differences in the structures for products on the one hand and technical facilities on the other. Codes of conduct are thus very visibly gaining great importance in the European area and in the American interpretation. This is happening against a background in which standards relating to components and products can represent compromises within which existing German objectives cannot be entirely accommodated.

Since the stringent enforcement of the Basic Law’s precautionary imperative is no longer implemented by state institutions or institutions acting directly on behalf of the state, another necessity arises: for the sake of neutrality and objectivity as well as continuity and its consequences (legal uniformity, legal certainty), the state must entrust independent bodies with the tasks of coordinating and ensuring the sharing of experiences among private bodies.

3.5.1.6 Safety as a Paramount Quality Characteristic

The quality management measures practised today in some areas of application are not sufficient by themselves to enable timely discovery and correction of safety-critical quality defects and potential causes of failure. Notwithstanding this, many people do not seem sufficiently aware of the fact that a system cannot be classed as safe unless there is certainty that the safety-related quality characteristics actually correspond to their required form. In this case, the necessary awareness must be created among engineers and scientists: quality management is the approach which adequately describes technical safety attributes and, thus, first provides those responsible with the possibility of making the necessary interventions, corrections and improvements.

3.5.1.7 Quality Management as a Concept for Safety Management

As with any other quality characteristic, safety must be planned, monitored and verified. In this regard, however, it is possible to fall back on the tried and tested—that is, the DIN EN ISO 9000 standard “Quality management systems”. In the demands this standard makes regarding quality management, a description is given of the requirements for a reliable safety system on which a potentially successful quality management system depends or, in connection with technical safety, a reliable safety management system. A corporate management system certified in accordance with the requirements of this standard is deemed to have quality capability, and a safety management system geared to the requirements of this standard may thus be regarded as having safety capability. DIN EN ISO 9000 was introduced in the European airlines sector. The question is to what extent this standard has also been introduced and practised in other fields of application with a connection to public safety.

In the field of civil engineering, this system has been anchored in a similar way in the building codes of the German federal states and must be applied to all building products with a major safety aspect (see Model Building Codes, Articles 20 ff. and the inspection, surveillance and certification regulations of the German federal states). Safety or quality management systems are mandatory in other fields of engineering as well, for example for technical facilities coming under the Hazardous Incident Ordinance and for the production of hazardous goods packaging. In this case, however, the choice of a quality management system is left to the individual in charge, provided the system is effective.

Safety methodology and engineering are implemented for complex systems with safety management. It must be possible within this context to direct to a central contact point not only unanswered questions regarding all organizational, methodological and safety-related problems but also suggestions for improvements to specified stipulations.

3.5.1.8 Configuration Control and Change Procedures

A general specification for “safety” must, like any other specification, be subject to a formal approval and change procedure. This must be on the basis of a proper configuration control system, whose principles and processes can be specified in a guideline on configuration control.

3.5.1.9 The Individual as a Criterion for Safety Management

Technically complex systems are usually included among human–machine systems in which the personnel employed are entrusted with crucial operational functions. These functions also include safety-related ones. In human–machine systems of this kind, particular attention should be paid to the involvement of the personnel in operations.

In this matter too, the requisite awareness must be created among engineers and scientists. Personnel who

  • know about the practical side of safety,

  • have unlimited access to the necessary safety-related facilities,

  • are kept constantly and comprehensively informed about the current operating status and safety environment and

  • are always being re-evaluated with regard to their “operational function”

should not become weak links in the chain of operational and safety functions.

With his/her natural abilities and shortcomings, the individual is an essential factor in safety management in the context of human–machine systems.

3.5.2 Communication with the Public About Technical Safety

The scientific world strives to provide enlightenment about difficult topics, especially those which could even produce fear in the general public. This is true of medicine, the environment, urban planning, the labour market, tax policy, energy supply and the safety of technical facilities. The representatives of science tackling these issues often slip unintendedly into a role in which they are supposed to legitimize various vested interests and lobbies. The ideal of scientific consistency, the consensus of science, is lost as a result of the conflict among scientists thus created, and this comes to be seen by the public as scientific helplessness. This conflict arises in most cases from the complexity of many current unresolved problems. “Proof” is then necessarily hypothetical in nature. Different conclusions can be drawn depending on the selected hypotheses and the boundary conditions in place.

The ambiguity and opaqueness of the terminology used means that the public becomes more unsettled than enlightened. Let us take the term “safety” as an example here. The competent scientist would have to correctly point out that there has never been 100% safety anywhere. Figures cited for the probability of occurrence of 10⁻⁷ (1 in 10 million) evoke only a blank response in the layperson. The term “frequency”, by which of course “rarity” is meant here, has a different meaning for the specialist engineer than it does for the general public. For the public, there is a qualitatively quite different content of associations: danger, the catastrophic potential of the damaging event, the presumed horrific nature of the damage, personal impacts, effects on one’s own children, being helplessly exposed and lack of controllability. In this respect, the two levels of discourse remain dissociated. Since science has the obligation of risk communication in an understandable way, it must recognize and take into account at least five important psychological factors of risk perception:

  (a) Voluntariness

    Hazards to which one exposes oneself voluntarily tend to be underestimated. This applies to smoking as well as driving a car.

  (b) Controllability

    Hazards which seem to be controllable by one’s own skills tend to be underestimated. One example is the work of the roofer.

  (c) Disaster potential

    Hazards with a high potential for disaster tend to be overestimated, such as the possibility of many fatalities in a plane crash.

  (d) Concern

    Hazards which affect oneself tend to be overestimated, such as the possible side effects of taking medicaments.

  (e) Awareness and familiarity

    Hazards of which one is aware tend to be underestimated. Smoking may serve as an example here.

Risk communication requires constructive handling as well as factually based argumentation in the assessment of risks. Playing down risks, glossing over susceptibility to disturbances, covering up accidents or acting contrary to one’s own statements are examples of risk communication which destroys the confidence of its audience. Similarly negative in effect is a delayed response to public allegations instead of proactive information, or the publication of misleading information.

Risk communication must therefore seek new paths. Appropriate strategies of risk communication include:

  • Certain forms of representing low probabilities: the significance and realization of probabilities in the form of numbers, including boundary conditions, must be explained in each case.

  • Risk comparisons such as, for example, comparing the risks inherent in a waste incineration plant and the risk of a railway accident: only when dimensions such as controllability, voluntariness or disaster potential can actually be compared can risk comparisons have a chance of being understood.

  • Risk compensation: in this case, expected risks and expected benefits are compared with each other (construction of a chemical plant and its impact on the local labour market).

  • Confidence and credibility only develop when there is an intelligible and consistent preparation of information, a respectful treatment of those whom risk communication addresses and an information policy in which nothing is withheld.

Since risk communication is becoming increasingly important in our society, risk concepts as a whole must be presented which are not entirely oriented towards limiting the probabilities of accidents and incidents occurring. Expressed in conventional engineering terminology, they are basically very hard for the layperson to understand. It is much more a matter of emphasizing the reduction in the extent of damage and taking into account both the psychological insights into risk perception and the conditions of successful communication.

Communication between interest groups with opposing objectives is futile without an arbitrating body when openness to compromise within these groups is interpreted as weakness in asserting one’s own interests. It is therefore no longer a balancing process between risks and opportunities for the community—however that is defined—when the welfare of the individual is “the measure of all things”. Representatives of interest groups have, nevertheless, a clear mandate. When they appear under the banner of their group, their role in public discourse will generally be recognized.

The position of the administration is more difficult to define. According to the general understanding, the administration is assigned the role of mediator between the accepted state of scientific and technical knowledge and the need of the public for safety. In practice, however, policy institutes are sometimes in a relationship of dependency on a higher-level political entity (which may be only a “perceived” one). In such a case, it is not necessarily their task to pledge themselves to scientific objectivity alone. They are in some measure biased, and their task is the almost unswerving pursuit of specific objectives (public safety, health and environmental protection). The drive to success to which they are or believe they are committed results, in the most unfavourable case, in a clash of opposing maximum requirements which will be decided on the expediency principle in a detached political arena. The essentially desirable balance of interests, which, on an interdisciplinary expert level, should result in a fact-based report for political options, will be missing in such a case.

We should therefore welcome the trend towards solving this problem of representative democracy wherever it is possible. The first thing to do is to inform the public in advance of a safety-related decision by giving it the facts about opportunities and risks. The public must be put into a position where it recognizes the consequences of the options in all their aspects so that any interested party can make a decision in the light of his/her personal background. In this matter, the idea should be discarded that a collectable debt of the individual is concerned and that there is always the possibility of involvement. The “silent majority” is to be animated by an offer which cannot be overlooked of taking an active part in the consensus of the informed.

This option does, in principle, exist. The public media could take on the role of an educational institution and be the forum for risk communication if they were not already also generally following the trend in journalism that only “bad” news is “good” news. Today’s partly trivialized talk shows could be replaced by a readily graspable transfer of knowledge within a discourse whose participants were committed to the culture of dialogue (if necessary, using generally accessible techniques of information and communication). If there were success in establishing as a routine this form of debate about the consequences of scientific and technological innovation, there would be increased pressure on the experts to make their specialist knowledge available to the public and be measured by the response of the audience.

Risk communication within a discourse regarded as democratic in nature is an arduous undertaking and, in addition, one with an uncertain outcome. Nevertheless, this is the only serious way of problem-solving.

3.6 Recommendations

Although a different impression may currently prevail among the general public, we engineers notice again and again that the development of technical safety has always kept in step with the overall development of engineering. It should, however, also be noted that interdisciplinary cooperation, with which increasing specialization in engineering is countered, is found in safety engineering only in a rudimentary form. In general engineering, generalistic approaches and systems engineering management procedures have long proven themselves and, with their help, specializations based on the division of labour can be brought together again in an interdisciplinary approach. On the other hand, safety engineering, safety legislation and the relevant standards seem to have remained unaffected by this today. There is an urgent need for action in bringing generalistic approaches and systems engineering management procedures into safety engineering in the same way as has been common practice in general engineering for decades. The safety methodically concept mentioned in this publication may serve as a generalistic concept for safety engineering, and DIN EN ISO 9000 “Quality management systems” might be used as a suitable systems management procedure. The VDI can offer the interdisciplinary working platform for both elaborating the outlines presented here to the extent necessary and keeping them up to date.

The preceding sections have shown how technical safety is planned, generated and permanently maintained. Descriptions were also given of how different influences, be they of technical or human origin, affect a production process. The persons responsible for the product must be aware of the level of safety achieved in every planning and production step since each successively builds on the previous step (and therefore progresses). Undetected errors would otherwise be carried forward. However, it is evident in this matter too that one only sees and attends to what one knows.

The society which pays for teaching and research and promotes technology has a right to information. There is, therefore, an obligation on the part of engineers and scientists to supply information about interrelationships in technical safety. The relevant areas are addressed below.

3.6.1 The Research Landscape

The research landscape can be divided into four fields:

  • tertiary education institutions (universities, colleges and music and art schools, predominantly under the legal and financial responsibility of the federal states),

  • research (and research funding) organizations (the German Research Foundation, the Helmholtz Association, the Max Planck Society, the Fraunhofer Society and the Gottfried Wilhelm Leibniz Scientific Association),

  • research centres in industry, including small- and medium-sized enterprises (SMEs), and

  • research centres and institutes of the federal and state governments.

Research in Germany thus has a high potential, which is evidenced by the share of gross domestic product taken by research and development. In a press release of December 2013, the Federal Ministry for Education and Research wrote: “In 2012 expenditure on research and development (R&D) in Germany rose to a record level of more than 79.5 thousand million euros. The R&D share of the gross domestic product (GDP) thus reached its highest value of 2.98% for the first time in Germany. […] Germany is investing in the future to a degree higher than ever before. Together with business and science we are reaching the 3% target for the first time. It is now a matter of securing this positive development in the long term. This cannot succeed unless business and the state together continue to invest strongly in research and development—in other words, in the future of our country”. The press release continues: “Germany has significantly strengthened overall its position as one of the world’s leading innovation hubs, also via the successful high-tech strategy. Its strong position in international competition is reflected in, for example, global trading in R&D-intensive goods, scientific publications and transnational patents”.

While taking account of both the isolated areas of focus in economic research on products and the small quotas devoted to safety research, it is still, however, necessary to point out the present deficit in research as regards the solution to obvious problems in the field of safety engineering. The VDI offers with this publication on technical safety an approach soundly based in professional knowledge and expertise by which these obvious problems can be properly solved.

If we assume that not only quality but also safety are expected of products from Germany—almost like a trademark—and that a market expectation is expressed thereby, research must again devote itself more strongly to questions of safety.

  • First of all, an evaluation of safety research can help to clarify whether quality is at the required level.

  • In response to this, a reorientation must begin. The Dechema/GVC research committee “Safety technology in chemical plants” accordingly complained, for example, about

    • the lack of public-sector sponsorship for issues in safety engineering,

    • the trend which has seen university departments and institutes that used to have primarily a safety orientation now increasingly turning to other research fields,

    • the restrictions in course content and possibilities linked with the decline in university research capacity in the field of safety technology,

    • the lack of an adequate fund of basic knowledge in the field of safety engineering on the part of graduates, who then have to acquire this from in-house or external technical seminars,

    • a marked drop in students studying process engineering and technical chemistry, which in turn also limits the propagation of safety-related knowledge, and

    • the increasingly more limited freedom of action of German industry in research and development, even in safety engineering, among other things as a result of global competition which is, in part, becoming more fierce due to a lack of uniformity in general conditions at the international level.

This is also the case in general and reinforces our recommendation for a reorientation of safety research.

Complexity, economic integration, the necessary depth of detail and the new fields in the dynamic progress of innovation call for research in Germany to be integrated into international networks, in particular those of the EU. New organizations are constantly coming into existence here, such as the European Technology Platforms (ETPs). The “Safety for Sustainable European Industry Growth” platform alone has several focus groups dealing with topics relating to risk and human factors engineering.

The international integration of German safety research must be defined and managed, and the appropriate structures must be designated and set up.

The subject of internationalization is dealt with in more detail in Sect. 3.6.5.

3.6.2 Education and Training Options of the Universities

If industry is to be supplied with sufficiently qualified engineers, courses can be kept at the required high level only in conjunction with sound research. Safety technology must therefore form an integral part of the curriculum at all polytechnics, technical colleges and universities, and equally be a subject of training and further training courses at private institutes.

The training measures necessary for offering a basic course in safety engineering must be the responsibility of technical colleges and universities within the framework of the engineering curriculum. The content of courses which must be offered by tertiary education will, above all, include:

  • technological impact assessment and risk analysis,

  • risk communication,

  • influences of human behaviour on safety (human factors),

  • interdisciplinary cooperation competence,

  • emergency planning,

  • the role of national and international regulatory efforts and

  • vocational ethics in engineering activities.

In view of the range and social significance of the courses required here, the currently observable cutback in qualified teaching capacities and the rededication of safety-oriented departments to other fields in technical colleges and universities are not acceptable. In the interests of ensuring technical safety in the future, the cultural administrations responsible for the universities are urged to halt this decline rapidly and reverse it. As an immediate measure to counteract the associated shortage of competent teaching staff, private business should consider setting up endowed chairs in safety engineering.

It is, in particular, up to the private educational institutions in the industrial sector to make long-term provisions for securing competence in safety engineering and adapting this competence to new technical and social challenges. It is a welcome fact that setting up academies and other training institutions (such as simulator centres for the periodic review and further development of the necessary competences) has already been promoted for a long time now in some branches of industry. However, questions relating to safety only play a subordinate role in the curricula, and this needs to be corrected urgently. Private business is therefore called on to train and employ personnel with safety-engineering qualifications and do so on a long-term basis in order to ensure that no shortages in safety competence arise due to the natural retirement of experienced personnel coupled with a possible lack of growth in the numbers of younger technical staff. This presupposes that a future-looking management of knowledge and information is effected via a thorough documentation of technical decisions and the corresponding measures for the further dissemination of accumulated knowledge (in this connection, see Sect. 0).

3.6.3 Thematic Focuses

3.6.3.1 The Public

Acceptance of technology by the general public depends largely on how the benefits for the individual and society are made clear and a preferably comprehensive understanding of the conditions and limits of safe technological development is achieved for the people affected by technical factors. In the sense of a debt to be discharged, all experts and institutions (scientists, research institutions, engineers, the courts, industry and the public sphere) are under an obligation to implement comprehensible information and communication strategies in order to inform the public of the demands and possibilities of safe technology.

Multipliers and opinion leaders have a special value in conveying factual information to the public: media representatives, senior members of political parties, teaching staff in schools, universities and other private and public-sector educational institutions and representatives of engineering and industrial associations.

To make it possible to transfer appropriate information from the “producers” of technology to the “end users”, consideration should be given to setting up networks for technical safety with topic-specific contact desks (“nodes”). These nodes should be staffed by not only media professionals but also qualified experts in their particular fields in order to meet the needs of an interested general public for information or handle referrals to the appropriate technically competent bodies.

3.6.3.2 Technology Council

Safety technology must be treated holistically and considerably more systematically. The boundaries of technical fields must be overcome, just as the fields of responsibility of organizational units must be open in the event of questions of safety. Today, the structure of safety engineering historically developed on the basis of application-oriented specialist and technical areas is leading to the emergence of countless committees. In the case of interdisciplinary technology projects, their field-specific regulations are bringing about a multitude of interfacing problems.

As a vision, a “safety engineering” code would be an ideal solution for increasing the efficiency of activities in engineering and, in this case, for all of the business sector, including the “safety” evaluation of the corresponding elements of engineering activities. The target—the long-term creation of a “safety engineering” code—could be a primary task of a Technology Council, which would be created analogously to the Science Council.

This Technology Council would advise the federal government and federal state governments. One main focus would be the development of universities, science and research. It would make recommendations and statements in two core areas: scientific institutions and questions spanning the scientific system. A Technology Council should, of course, inform and advise not only the federal government and, where applicable, the federal state governments but also trade, industry and social groups about questions relating to dealing with engineering and technology.

As one of its fields of operation, the Technology Council could take over responsibility for the “safety engineering” code mentioned above and, with the appropriate structures, guide and support it. Another field of operation could then be safety engineering itself, since this section of the Technology Council would have an optimal overall view of all elements of technology and engineering. Other fields, such as ethics and science, are conceivable and should be defined and set up in consultation with private business. Both the potential for innovation in engineering and the transformation of research findings into marketable products in the technical area certainly belong to this area of additional fields of operation [Lenhart: statement still to be checked].

The entities responsible for the Technology Council would be both the state, represented by the federal and federal state governments, which would look after the interests of their citizens, and private business and other non-governmental bodies such as trade unions and environmental organizations.

Since it is not a simple matter with more complex systems to describe and easily control technical safety concepts and human–machine interfaces, the documentation and communication of technical and organizational sub-concepts have become an important component of the holistic safety concept. The field of information or knowledge management provides useful tools for documentation and communication. The term “information management” was introduced in the mid-1980s in the USA in connection with the idea of the paperless office. Nowadays, “knowledge management” is used as a synonym although, strictly speaking, the knowledge in people’s minds cannot be managed. What is referred to as “knowledge management” is, in the final analysis, information management and serves to create the general conditions for knowledge work. For historical reasons, the term “knowledge management” has, however, prevailed. The discipline of information or knowledge management has its roots in information technology with a focus on documentation and the electronic exchange of information. Information management instruments have been heavily supplemented by contributions from economics and the social sciences as well as from cybernetics and behavioural and communication psychology. It is probably not coincidental that safety and hazard prevention management have been introduced in parallel with information and knowledge management over the last 30 years. This means that information management tools can gradually be used for safety management too. Highly sensitive safety systems, such as those in commercial aviation or nuclear and chemical plants, could not be kept at the high level of safety required in an industrial society without perfect management. In the field of technical safety, information management instruments must be used more intensively in those technical and economic sectors in which modern information management tools are so far only partially used, whether because of their structure (e.g. small and medium-sized enterprises) or because of the variety and individuality of their safety issues (e.g. in process plants). A new special focus must be placed on “technical safety” in the future-oriented Industry 4.0 project of the German federal government’s high-tech strategy.

The objective of information management is sometimes strikingly expressed by the slogan “the right information at the right time in the right place”. Ultimately, only the aspect of efficiency is missing here, since the outlay on information management must be commensurate with the safety-related question at hand. This follows not only from the risks and their various facets but also from the economic constraints within which a company, testing organization or public authority must operate.

Various questions can be derived from this slogan relating to the specific challenges to information management:

  • For the task in question, have all safety-relevant aspects been taken into account? Nowadays, it is not difficult to gather all of the necessary information from libraries or the Internet.

Nevertheless, more questions arise:

  • How can information relevant to the specific task be filtered out and condensed task-specifically?

  • Have all data, even those relating to peripheral fields, been collected?

In the search for safety solutions, increasing specialization of technical disciplines makes it necessary to look more and more frequently at neighbouring disciplines—ultimately, the age-old question remains:

  • Are the data and information collected correctly?

Technical experts have always been, and will remain in the future, the key to success in solving questions of this kind. Although there is broad consensus that suitable IT platforms, such as the intranet and Internet or databases and research systems, are necessary requirements here—as pen and paper and printed matter once were—the success of information management nevertheless depends on whether and how the individual is placed at the centre. If this realization is pursued, current work in the field of information and knowledge management can be focussed so that it supports the interactions between the individuals involved. In this regard, it no longer matters whether the people who belong to open expert networks or closed “communities” are experts or stakeholder groups, or whether they are communicating within a company or public authority or between different institutions or stakeholder groups. There are both national networks and European and international networks. For example, the EU encourages the creation of European networks especially with the aim not only of strengthening the economy but also of securing the level of safety which society expects. However, networks focussed predominantly on safety-related aspects are struggling, since the funds for supporting networks mainly flow into projects which promise immediate economic success. We therefore appeal to the competent bodies, companies, politicians and administrations to take into account the special importance of technical safety in an increasingly complex society and to provide the funds needed to bring the right safety-related information to the right place at the right time.

3.6.4 Emergency Planning

Emergency planning for large-scale damaging events must also be organized on a more international basis. Even within Germany alone, numerous products and systems, despite their inherent safety having been adequately demonstrated and documented, nevertheless reveal additional risks during their utilization phase. Hazard sources of this kind can extend well beyond the product’s or system’s own boundaries and endanger a wider environment which has no causal link to the product or its operation. In such cases, the safety philosophy behind product management must also include emergency planning for the potentially affected environment. In addition to bodies within companies and associations, this usually involves not only bodies in the government executive (such as district authorities, county council chairpersons and mayors) but also agencies directly responsible for disaster protection (such as the fire brigade and the technical relief agency). The structure and responsibilities of the entire network need to be defined more clearly, and the interface with the planners and operators of products, systems and technical facilities needs to be institutionalized more firmly.

Not only are cross-border effects possible—they are increasingly to be expected. The clearer structuring of the network recommended for Germany must analogously be transferred into a recommendation for the international structuring of relief organizations. Some good approaches to this are already in place in Germany, Poland and the Czech Republic and need to be strengthened from the institutional point of view and expanded.

3.6.5 Internationalization

Globalization of the markets also calls for the internationalization of safety engineering among product and system manufacturers. Goods and their production must increasingly conform to safety principles which ensure their free circulation and safe utilization in all recipient countries. Market forces on their own are not strong enough to secure the necessary safety attributes of products and systems adequately, since these are often outweighed by economic considerations. A safety structure is therefore required which establishes the minimum standard of technical safety in the market and also avails itself of state supervision and effective sanctions.

Cross-border agreements at governmental level are indispensable for this.