Page 77 - Electric Drives and Electromechanical Systems

of the undesired event, and their severity. Since data on the frequencies of these types of event are rarely available, the likelihoods are usually obtained either from historical data or by expert judgement, using specially selected teams of experts such as those convened in the process industries for HAZOP studies. As part of the process, the consequences of all significant undesired events also need to be assessed. The severity of the consequences can be expressed in financial terms for the physical damage that may occur, and in terms of injury or harm to people for the operational undesired events.
Risk assessment of software. Many engineering systems now incorporate computer-based control systems, which must be included in any risk assessment. It has been estimated that every million lines of code contain around 20,000 defects. Of these, 90% are found during testing; of the remaining 2000, about 200 are found in the first year of use, and the rest remain dormant until a particular set of trigger conditions occurs. The risk of using software in any system can be reduced by techniques such as protective redundancy or N-modular redundancy. N-modular redundancy relies on two assumptions: that the program can be completely, consistently and unambiguously specified, and that independently developed versions of it will fail independently. To implement it fully, several versions of the program must be developed by separate teams using different languages or compilers, and run on hardware supplied by different manufacturers; versions that share a team, a compiler or a library are liable to share the same defects, which defeats the voting.
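The voting on which N-modular redundancy rests can be made concrete with a small triple-modular-redundancy (TMR) voter. The Python below is an added example written for this page, not code from the book; the over-speed check, the three versions and the defect planted in one of them are constructed for illustration.

```python
from collections import Counter
from typing import Any, Callable, Sequence

# Fail-safe output used when the versions cannot form a strict majority.
SAFE_STATE = "STOP"


def nmr_vote(versions: Sequence[Callable[..., Any]], *args: Any,
             fail_safe: Any = SAFE_STATE) -> tuple[Any, list[int]]:
    """Run every independently developed version on the same input and
    return (majority_result, indices_of_versions_that_disagreed).

    A version that raises is treated as having produced no result, so a
    crash can never win the vote. If no strict majority exists the voter
    returns fail_safe: the drive is sent to a safe state rather than
    trusting any single version.
    """
    results: list[Any] = []
    for version in versions:
        try:
            results.append(version(*args))
        except Exception:          # constructed rule: any crash is "no vote"
            results.append(None)

    counts = Counter(r for r in results if r is not None)
    if not counts:
        return fail_safe, list(range(len(versions)))

    value, support = counts.most_common(1)[0]
    dissenters = [i for i, r in enumerate(results) if r != value]
    if support * 2 <= len(versions):   # tie or minority: no strict majority
        return fail_safe, dissenters
    return value, dissenters


# Three "independently developed" versions of the same over-speed check.
# Constructed specification: trip only when the measured speed EXCEEDS the limit.

def version_a(speed_rpm: float, limit_rpm: float) -> str:
    """Direct comparison against the limit."""
    return "TRIP" if speed_rpm > limit_rpm else "RUN"


def version_b(speed_rpm: float, limit_rpm: float) -> str:
    """Works in the margin domain instead, as a different team might."""
    margin = limit_rpm - speed_rpm
    return "RUN" if margin >= 0 else "TRIP"


def version_c(speed_rpm: float, limit_rpm: float) -> str:
    """Carries a planted latent defect: it trips AT the limit as well as
    above it. The defect stays dormant until the trigger condition
    speed_rpm == limit_rpm occurs, the 'dormant bug' case in the text."""
    return "TRIP" if speed_rpm >= limit_rpm else "RUN"


if __name__ == "__main__":
    tmr = [version_a, version_b, version_c]
    print(nmr_vote(tmr, 1500.0, 3000.0))   # ('RUN', [])   all versions agree
    print(nmr_vote(tmr, 3000.0, 3000.0))   # ('RUN', [2])  defect in C is outvoted
    # Common-mode failure: two versions share the defect, so the vote is wrong.
    print(nmr_vote([version_c, version_c, version_a], 3000.0, 3000.0))  # ('TRIP', [2])
```

Two things the example makes visible. At the trigger input, version_c is simply outvoted, which is the whole benefit of the scheme. But when two versions share the defect, as they might if they were built by the same team or on the same library, the correct version is outvoted instead; that is why the text insists on different languages, compilers and hardware. Note also that whether speed == limit should trip is a specification decision: if the specification leaves it open, the "disagreement" is not a defect in any version, which is why the specification must be complete and unambiguous before the versions are written.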
Preventative measures. When the most significant risks have been determined, the next stage of the methodology requires that their underlying causes be targeted for control, as shown in Fig. 2.16. In general, each possible triggering condition leading to an undesired event can be attributed to a stage of design, assembly or maintenance, and this indicates whether it is the manufacturer or the user of the system who is failing in their responsibilities. Remedial action should then be specified, indicating how the undesired events and their effects can be controlled. This involves a hierarchy of control measures, applied not only to the cause of the initiating event and the triggering conditions, but also to the hazards themselves and to the consequences of failure. For example, interlock systems and other safety features can be used to protect the operator, or to distance him or her from the hazard, thereby reducing exposure to the danger. Finally, if a hazard cannot be eliminated or further reduced, an appropriate set of warnings and instructions should be prepared so that the operator can take precautions to avoid the danger.
ALARP. Within the scope of preventative measures, the concept of As Low As Reasonably Practicable, or ALARP, needs to be discussed. The ALARP principle is fundamental to the regulation of health and safety in the UK. It requires that risks be weighed against the cost of the control measures that would reduce them, and that those measures be taken unless their cost is grossly disproportionate to the risk reduction they achieve. The principles are summarised in Fig. 2.17.