                                „Technical Safety”

                            an Attribute of Quality

                                    – A Memorandum
             of the Association of German Engineers –

„Technical Safety”, an Attribute of Quality – A Memorandum of the Association of German Engineers –

                                                                                            Seite 1 von 133
„Technical Safety”, an Attribute of Quality – A Memorandum of the Association of German Engineers –






                                       – CONTENTS –

 1 DEMAND FOR A SAFETY ENGINEERING METHODOLOGY                                       6
   1.1 The Need for Safety Engineering                                               6
   1.2 An Introduction to the Area of Safety Engineering                             8
   1.3 Reasons for this Memorandum                                                  10
   1.4 General Framework for Technical Safety                                       12
   1.5 Legislative and Administrative Basis of Technical Safety                     14
   1.6 Ethical Fundamentals                                                         16
 2 GENERATING SAFETY                                                                19
   2.1 Safety Engineering Principles                                                19
       2.1.1 Safety – an Interdisciplinary Task                                     19
       2.1.2 Implementation of the Phase Approach in Systems Engineering            24
       2.1.3 The Role of Man on Safety of Complex Socio-technical Systems           26
   2.2 Proceeding for an Interdisciplinary Safety-methodical Approach               29
       2.2.1 Basic Principles                                                       29
       2.2.2 Modules of a Safety-methodical Approach                                32
       2.2.3 Human Factors Engineering                                              33
       2.2.4 Appraisal of Failure Prevention from the Interdisciplinary Viewpoint   37
       2.2.5 Criteria for an Interdisciplinary Holistic Safety Approach             42
       2.2.6 Passive and Active Safety Measures                                     49
       2.2.7 Control on Failure Mechanisms                                          49
       2.2.8 Generating Safety according to the Phase Approach                      51
   2.3 Conclusions from the Safety-methodical Approach                              54
       2.3.1 Transfer of Safety Standards to Products Comparable in Technology      56
       2.3.2 Transfer of Safety Standards to Products Enhanced in Technology        57
       2.3.3 Transfer of Safety Standards to Innovative Products                    58
 3 LIMITS OF SAFETY                                                                 60
   3.1 Societal Accepted and State-run Defined Constraints                          61
   3.2 Unattainability of Absolute Safety                                           63
   3.3 Risk Comprehension                                                           65
   3.4 Relations between Risk, Safety Engineering and Technical Safety              66
   3.5 Safety-related Feasibility                                                   67
       3.5.1 Generally Accepted Technical Standards                                 68
       3.5.2 State-of-the-Art                                                       70
       3.5.3 State of the Scientific and Technical Knowledge                        70
       3.5.4 Methodology for Determining the Limits of Safety                       72
 4 ASSESSABILITY OF SAFETY                                                          74
   4.1 Constraints of the Assessability                                             74
       4.1.1 Status of Knowledge                                                    74
       4.1.2 Responsibility                                                         75
   4.2 Learning as a Continual Task                                                 78
       4.2.1 Feed forward-Control of Safety and Reliability                         79
       4.2.2 Feed back-Control of Safety and Reliability                            79
       4.2.3 System of Organisational Learning                                      80
       4.2.4 Determination of the State-of-the-Art as Learning Scheme               80
   4.3 Controlling of the Technical Safety within the Product Lifecycle             84
       4.3.1 Phase-related Tracing of the Technical Safety                          85
       4.3.2 Organisation of the Verification                                       86
       4.3.3 The Module Approach of the European Union                              87
       4.3.4 Guideline of the European Union for Conformity Assessment              89
       4.3.5 Planning Process                                                       90
       4.3.6 Realisation Process                                                    95
       4.3.7 Operation Process                                                     103
       4.3.8 Quality Management in Safety Engineering                              107
 5 SOCIETAL CONSIDERATIONS                                                         111
   5.1 Prevention of Safety-critical Failures                                      111
       5.1.1 National and International Achievements                               111
       5.1.2 Safety and Legislature                                                112
       5.1.3 Safety and Deregulation                                               112
       5.1.4 Safety and Economy                                                    113
       5.1.5 Safety and Assignment of Responsibilities                             114
       5.1.6 Safety as Prior-ranking Property of Quality                           114
       5.1.7 Quality Management as Approach for the Safety Management              115
       5.1.8 Configuration Management and Change Procedures                        116
       5.1.9 Man as Criterion for the Safety Management                            116
   5.2 Communication of Technical Safety with the General Public                   116
 6 RECOMMENDATIONS                                                                 121
   6.1 Research Scenery                                                            122
   6.2 Educational and Training Options of Universities and Academies              124
   6.3 Focus Themes                                                                125
       6.3.1 General Public                                                        125
       6.3.2 Technology Council                                                    126
       6.3.3 Information Management                                                127
   6.4 Emergency Planning                                                          130
   6.5 Internationalisation                                                        130
 7 CONCLUDING REMARK                                                               132
 Information about the terms and definitions utilised in this memorandum:          133




                                   Translation: Dipl.-Ing. Wolf-Dieter Pilz VDI






 1        DEMAND FOR A SAFETY ENGINEERING METHODOLOGY

 1.1      The Need for Safety Engineering

 The last century was marked by exceptional technical progress. The two World
 Wars, which resulted in a devastating level of destruction, also greatly
 accelerated the rate of technological advancement. This was best demonstrated
 during the rebuilding after the Second World War. New types of technology were
 and are still being developed. Worldwide air travel has become a reality, space
 technology has become a viable economic branch, and microelectronics and
 computer technology are now commonly found in the household. With these
 technological advancements also came an increase in the number of different
 engineering fields, so that technical universities and colleges now offer a large
 variety of engineering courses, many of which were not even imagined about
 50 years ago. Not surprisingly, Safety Engineering had to develop alongside the
 other technical advances being made, often specifically within one particular
 engineering field. A major cause for this applied development of Safety
 Engineering in conjunction with a specific field of engineering can be found in
 the legal system. The German legal basis of Safety Engineering is very much
 structured by engineering field, to name just a few examples: building laws,
 air traffic regulations, the nuclear energy act, and even a test facility act
 (for track-guided transportation systems).

 The number of technical disciplines has increased to such a degree that the
 entire field of technical knowledge would have become very difficult to manage
 if new interdisciplinary management methods and systems engineering methods had
 not been implemented at the same time, in order to take an integrated approach
 to the planning, monitoring and documentation of the different disciplines.
 Interdisciplinary management methods and systems engineering methods (referred
 to as interdisciplinary teamwork) have now been applied continuously for four
 decades. No major project, which may stretch over several years, is
 implemented nowadays without the input of a central project management body.
 Globalisation also increases the necessity for international, multilingual
 project management. Although the world of technology appears to have no more
 boundaries, they do exist, and can be found in the area of Safety Engineering.
 Apart from some existing European Directives, which are mainly intended to
 facilitate the free movement of goods, in most cases diverging national
 legislation has to be applied. Frequently the only thing such legislation has
 in common is that it is structured according to application-related fields of
 engineering.

 At the beginning of the 1970s a new socio-political paradigm was conceived,
 which appeared to make a “risk-free” life possible. A major point in the
 discussions that followed concerned large-scale and innovative technological
 facilities, whose safety or safety capability was branded as doubtful and
 questionable. Particularly when dealing with technological innovations, more
 emphasis was placed on potential risks or alleged undesirable side effects than
 on the possible benefits for the population and the social and economic
 opportunities. Consequently a legal, and not a technical, body had the final
 say in relation to the safety of such technical facilities. The disadvantageous
 position of present-day Safety Engineering, which provides various practised
 concepts according to the area of application, was revealed by the testimonies
 of consulted technical experts. For example, the library of standards of the
 German Institute for Standardisation [German: Deutsches Institut für Normung –
 DIN] shows a noteworthy multiplicity of definitions for the terms “Safety” and
 “Technical Safety”.

 Two decades ago the European Union began to undertake efforts designed to
 enable the free movement of consumer and producer goods. How the safety of the
 potential users of these goods could be ensured had to be taken into
 consideration. At this time the predominantly national instruments for
 technical surveillance and approval tended to build up barriers to trade rather
 than reduce them. Therefore, the European Commission proposed a catalogue of
 measures, known as the New and the Global Approach, which should allow for
 significant independence from nationally run bodies at the operational level.
 The instrument chosen was the Declaration of Conformity, which can be issued
 either by the manufacturer himself or by a so-called “Notified Body”, according
 to the resolution of the European Council on a modular concept. The level of
 safety is established by European Directives and detailed by mandated European
 standards. It is still a matter of debate how effective this catalogue of
 measures is. It is, however, recognised that the New and the Global Approach is
 not without its weaknesses, and is in part far less effective than the old
 system it set aside. The experts dealing with safety issues during its
 introduction already knew these weaknesses, which are diverse and are currently
 being tackled by the European Commission. The “General Product Safety
 Directive”, 2001/95/EC, of 03.12.2001 (published in the Official Journal
 No. L 011 of 15.01.2002) acts as an umbrella to product-specific Directives. It
 stipulates that all consumer products being put on the market within the
 European Economic Area must be safe. Further regulations need to be enacted as
 to how exactly this is assured.

 In both aeronautical engineering and space technology the New Approach
 system is still supplemented by mandatory European and International
 airworthiness certification schemes or final system tests. Likewise, the
 European Interoperability Directives introduced for high-speed trains require
 that the New Approach system be supplemented by a final system test in order to
 gain authorisation from a national authority for placing in service.

 There is sufficient need for an integrated safety concept, in which the hidden
 commonalities of already existing (admittedly application-specific) safety
 concepts are brought together into an interdisciplinarily applicable concept.
 The Association of German Engineers [German: Verein Deutscher Ingenieure – VDI]
 has the interdisciplinary professional competence to prepare and present such a
 holistic Safety Engineering methodology.



 1.2      An Introduction to the Area of Safety Engineering

 The carrying out of sovereign services by governmental agencies and
 institutions, and thereby taking an active part in the control of technological
 risks, was – at least in Germany – seen as a public duty. The pertinent
 Directives of the European Community (EC) see to it that safety-related
 verification is increasingly run by the open market and only monitored by the
 State authorities. To these ends the necessary professional competence for
 Safety Engineering, which was predominantly the concern of sovereign acting
 bodies, has to be provided through market mechanisms. These reflections by the
 Association of German Engineers [German: Verein Deutscher Ingenieure – VDI] are
 intended to stimulate a Safety Engineering methodology, which is built on
 commonly acknowledged standards of technology as well as defined objectives, in
 order to preserve and redistribute this competence as a basis for a sound
 Safety Engineering practice. The Safety Engineering methodology should be
 equally applicable to the status quo and further development of existing
 engineering fields (for example: civil engineering, transportation systems,
 chemical process engineering, power engineering, aeronautical engineering,
 plant engineering, mechanical engineering, electrical engineering), as well as
 to the conception and safety-governed development of novel technologies.

 Under the term “Technical Safety” it is understood that a technical system,
 facility or product will possess the required functionality for a predetermined
 time period (in some cases its planned lifetime), and that damage is caused
 neither to property nor to persons (i.e. any object of legal protection) by the
 technical system, facility or product during the foreseen utilisation. However the
 reliability during the lifetime is not a necessary requirement for safety, as long
 as the loss of functionality does not lead to an unsafe status.

 Within the framework of discussion on technology, the word “Safety” means
 more than just “Technical Safety”. Considering general language usage, people
 feel much safer when they do not think that they are being threatened. The
 threat does not necessarily have to be of an existential nature. An imminent
 loss in quality of life can cause biases. The lack of self-determination over
 one’s own lifestyle, and the consequent feeling of dependence on “unchosen
 conditions”, can lead to aversive reactions in a liberal and prospering society
 when the topic of exceeding a safety limit is raised.

 Here, on the one hand, the basis for decisions is less well developed in the
 engineering and bio-sciences; on the other hand, the perceptions of safety in
 the general public are so all-encompassing that the acceptable level can only
 be achieved on the basis of a risk-minimisation imperative, i.e. the reduction
 to the acceptable limit of the “Maximum Acceptable Risk”. This consumer
 expectation is expressed in the “purity requirements”, which apply to the
 immediate living necessities like food, drinking water and air. Despite their
 obvious benefits, technologies improving preservation and processability that
 violate the “purity requirements” are only tolerated as long as they comply
 with legally fixed contamination levels, achieved through good professional
 practice (e.g. “Good Farming Practice”). The distance of these limiting
 contamination levels from the health tolerance threshold can amount to several
 orders of magnitude. As a rule the limits are set as high as necessary, but as
 low as possible.

 From this point of view Technical Safety considerations must, in the
 figurative sense, also refer to the securing of the users’ expectations.
 Incidents resulting in these limits being broken are seen by the public as a
 direct threat to physical inviolability. Experience shows that the reactions of
 the State-run surveillance system strengthen this impression, particularly when
 insufficient elbowroom is given for considering reasonable means of countering
 various dangers.

 With the features of a general Safety Engineering methodology, the specific
 characteristics of exposure to “residual uncertainty” (a standing term in the
 bio-sciences) are not excluded from the discussion regarding the use and abuse
 of risk management, but they also cannot be examined in greater detail. It
 must be made clear that what is at issue here is an interdisciplinary,
 science-based safety guideline. In the interest of exact statements, the lines
 of argument and terms in this VDI Memorandum are borrowed from the engineering
 sciences.



 1.3      Reasons for this Memorandum

 Spectacular accidents and hazardous incidents, with high visibility to the
 public, raise again and again questions about the adequate safety of technical
 facilities. In such cases the media can tend to address the event independently
 through news, broadcasts etc., and end up carrying out premature finger
 pointing. This satisfies a very frequently encountered human compulsion to
 quickly place the blame on someone in the event of a breakdown or malfunction.
 To that end, from time to time technical experts are also presented who support
 the relevant assumptions. The next step is to immediately question whether the
 laws, statutory orders, supervision regulations and standards are sufficient to
 guarantee the expected safety.

 This typical approach disregards that

 •       Even when the regulations are always followed, 100% safety does not
         exist,

 •       Safety must be generated, designed-in and produced-in before it can be
         maintained and supervised during utilisation,

 •       The circumstances surrounding hazardous incidents and accidents do not
         unveil mono-causal evidence, and are normally interconnected with
         several unforeseeable incidents and unknown influences, or larger
         interconnected chains of such events eventually resulting in damage.

 Safety is generally generated through the application of appropriate standards
 and sets of rules and existing legal regulations. Safety concepts are developed
 with mathematical models and analytical methods, as well as by incorporating
 empirical data collected over a long time and from a variety of different
 application areas (such as civil engineering, transportation systems, process
 engineering, energy technology, aeronautics, plant construction, mechanical
 engineering, electrical engineering etc.). This can be seen as one of the
 reasons why, up to now, there is still no unified safety concept which can be
 applied so as to span all application areas.

 Thus different safety concepts determine the development, design, engineering
 and production in the various technical fields. For operational purposes detailed
 operation directives and instructions along with maintenance and retrofitting
 instructions are developed. The monitoring of operation is also clearly regulated.

 The concept, development, production, operation, supervision and
 decommissioning of technical facilities require in particular the competence of
 engineers. As such the Association of German Engineers [German: Verein
 Deutscher Ingenieure – VDI] intends by this Memorandum to tackle the topic of
 introducing the current level of safety regarding technical facilities to the
 professional public. In addition, problem areas are indicated, for example:

 •       Legal assessments, judgements and appraisals that have a bearing on
         safety,

 •       Unforeseeable occurrences and chaining problems leading to annoyances
         and failing of technical facilities,

 •       The human being as developer, producer, user, operator and monitor,
         who is subject to human error but decisively influences the level of
         safety.

 Recommendations for an interdisciplinary safety concept are derived from this,
 such as how different safety concepts must be arranged for and further
 developed in the future and how the interplay of all participants should be
 organised.






 1.4      General Framework for Technical Safety

 Understanding and comprehending the limits of Technical Safety makes use of
 data, such as for example the probability of occurrence, damage expectation,
 failure, perception and risk, which have to be examined at a very basic level
 to be given any significance. Technical Safety is limited by the probability of
 damage or possibly failure of a technical facility. Such circumstances are
 usually understood under the term “Risk”. Nevertheless, it is a complex concept
 (refer to para. 3.3), as it is modified by very different and steadily changing
 perceptions.

 Handling risks that are insufficiently known or not controllable represents a
 particular problem; difficulties occur when very different perceptions about the
 assessment of a risk prevail. In these cases, the required prevention is essentially
 a socio-political decision. Above all, hazards from nature, the natural and
 technical environments, and human insufficiency and shortcomings are taken
 into consideration:

 •       Hazards from natural environment may result from, for example:

         – Climatic influences in all possible forms at the site
           (wind, snow, ice, temperatures, etc.),

         – Physical influences (e.g. lightning, earthquake),

         – Degrading of the resistance of electrical piece parts due to corrosion,
           fatigue and ageing.

 •       Hazards from technical environment can occur due to:

         – Exceeding the specified dead weight and payload,

         – Influences from technical environment (nearby buildings, vehicle
           impact, physical exposure, chemical exposure),

         – Degrading of the resistance of electrical piece parts due to corrosion,
           fatigue and ageing,

         – Manufacturing-conditional shortfall of calculated requirements for
           component parts and framework structures,

         – Detrimental effects due to usage (fire, explosions).

 Human insufficiency and shortcomings can be the causative source of a hazard
 or impede the successful prevention of hazards. This includes all decisions,
 actions and failures for planning, execution and utilisation that are based on a
 number of factors, e.g.

 •       Subjectively unrecognised or objectively unknown hazards,

 •       Insufficient standard of knowledge,

 •       Gaps of information, misunderstandings,

 •       Wrong decisions due to political coercion or misunderstood thriftiness,

 •       Negligence.

 Furthermore, hazards can result from intentional, but inconceivable human
 actions.

 In view of the possible consequences, the frequency and duration of hazards as
 well as the type of actions required for prevention can be differentiated between:

 •       Permanent situations, whose duration is of the same magnitude as the
         useful life of the technical system or facility concerned (intended course
         of operations),

 •       Temporary situations with a short duration and large probability of
         occurrence (such as a rectifiable disturbance to the specified operation),

 •       Exceptional situations due to exceptional influences or in the case of local
         failure, either with a short duration and low probability of occurrence, or
         with long repeat times and a high potential for danger (refer to Table 1:
         Hazard Categories).







 1.5      Legislative and Administrative Basis of Technical Safety

 Technical Safety is based to a great extent on the engineering and natural
 sciences and is administered through the corresponding regulatory laws. The
 safety of technical facilities is ensured with methods which arrange for
 systematically graduated safety preventions (refer to Table 1: Hazard
 Categories). These are made up of engineering measures as well as
 administrative preventions. Detailed regulations often exist for engineering
 measures, governing requirements such as safety margins, degree of redundancy,
 diversity and the testing to be provided. Limits, test regulations and
 management systems in the form of laws and, often, non-legislative statutory
 regulations are stipulated and applied to the technical and organisational
 measures. Public-Technical Safety thus generally requires that the utilisation
 of technology and engineering does not

 •       unacceptably militate against man’s right to life and bodily integrity,

 •       unacceptably or inadmissibly (e.g. through hazardous materials) or
         irreversibly damage the environment, and

 •       damage other legally protected interests (third-party property).

 The guarantee of Public-Technical Safety therefore belongs to the
 responsibility of the individual national State, although in some areas it is
 increasingly becoming a concern of the European Union, and when appropriate
 even of the United Nations. Public-Technical Safety is that area of safety
 which is characterised by the individual and collective risks resulting from
 the active and especially the passive utilisation of technical products,
 facilities and systems as well as the associated processes, for whose
 regulation the State bears responsibility. The State’s responsibility for the
 safety of its citizens against risks resulting from scientific research and
 engineering, especially the application and technical implementation of newly
 attained knowledge, is a given, and is referred to here as Public-Technical
 Safety.

 Guaranteeing Public-Technical Safety in today’s ever-changing technical and
 industrial landscape is no less complicated or meaningful than the preventions
 taken by the State to ensure internal and external security. As such all
 technical facilities must be in compliance with the objective legal system,
 consisting of law-making in the field of technology and engineering, e.g.
 special legal regulations, statutory ordinances, directives and technical
 standards. A danger to public safety or law and order exists when
 circumstances or an event, in the unhindered progression of what is
 objectively to be expected, would presumably violate legally protected
 interests (2nd Senate of the Federal Constitutional Court in its adjudication
 of 08.08.78, File no.: 2 BvL 8/77, the so-called Kalkar-Adjudgement).

 As a basic principle, a distinction has to be made between a concrete, i.e. a
 comprehensible, hazard and an abstract, i.e. a merely imaginable, hazard. With
 regard to the occurrence of harm, both hazard terms call for the same probability.
 The difference between concrete and abstract hazard lies in how they are viewed.
 Concrete hazards relate to the individual case, in which the time of occurrence
 of the possible harm doesn’t have to be immediately imminent. However, this
 point in time is not so far off that it is out of reach.

 A hazard has to be considered realistic if the examination of certain kinds of
 functional behaviour shows that, in the individual case, a hazard usually occurs
 with sufficient probability. This is the motivation to prevent such hazards
 through general-abstract means, e.g. through technology law itself or technical
 standards. The verification of the probability of occurrence can then be waived
 in the individual case. Hazards that are identified because generally recognised
 threshold values are exceeded are clearly realistic in nature.

 The necessarily indefinitely formulated legal demands on the Technical Safety of
 technical systems and facilities must be substantiated by technical standards,
 which are not specified by legally competent institutions but rather by experts
 from the relevant technical fields.

 The necessary State-run measures are addressed primarily towards the inherent
 damage potential of the respective technical products, processes, facilities and
 systems, including their consequential implications. They extend from the
 legislative framework through approval and supervision functions to direct
 interventions by the State.





 The State is obliged, in the interest of public welfare, to prevent where possible
 or at the very least to restrict damage, not only to society as a whole but also to
 the individual. Nevertheless, it is not only the safety needs of the legal interests
 considered (e.g. the health of persons or the environment) that are decisive; what
 is required is rather a balancing of the usefulness or necessity for society
 against the risks related to technology and engineering, which results in risk control.



 1.6      Ethical Fundamentals

 Primarily engineers and scientists develop Technical Safety, although
 disciplines in the human sciences play an increasing role. In tackling such issues
 they don’t only rely on the regulations of the relevant legal system, but above all
 also on the ethical and moral principles that have been developed over thousands
 of years of occidental history. Thus, the engineer's responsibility is tied to
 basic ethical standards and the moral obligations derived from them.

 In recognition of the engineer’s responsibility, the Association of German
 Engineers [German: Verein Deutscher Ingenieure – VDI] committed itself
 to the following ethical fundamentals for the profession of engineer
 (Düsseldorf, March 2002):

 “The engineers

 •       take responsibility alone or jointly for the consequences of their work, as
         well as remaining attentively aware of their specific obligations,

 •       acknowledge their responsibility to deliver reasonable technical
         inventions and sustainable solutions,

 •       are aware of the interrelationship of technical, social, economical and
         ecological systems and their implications in the future,

 •       avoid deeds resulting in inherent necessities of self-dependent acting,

 •       align themselves with the fundamentals of general moral responsibility and
         pay attention to the law of labour, environment and technology and
         engineering,



 •       discuss conflicting ideals in an interdisciplinary and intercultural manner,

 •       seek institutional support when profession-related moral conflicts arise,

 •       take part in the formulating and updating of legal and political objectives,

 •       commit permanently to advanced vocational training, and

 •       get involved with technological mentoring at schools, universities,
         enterprises and associations.”

 In everyday life, ethics and morals are not so strictly distinguished. In
 philosophy, however, it has become common practice to clearly differentiate
 ethics and morality from each other. Ethics refers to the scientific
 treatment of the various aspects of morals; morals are the subject matter of
 ethics. Ethics deals both with the basic questions concerning the nature of morals
 and the possible justifications of moral standards (“meta-ethics”), as well as
 with the questions of the consistency of moral values and standards (“normative
 ethics”), in other words with the good and the bad. One of the most important
 questions of normative ethics is how much weight the consideration of
 consequences should carry in the moral judgement of human action.
 In any case, moral standards alone do not suffice to justify certain
 activities and strategies. To avoid harm and produce benefit, good will always
 needs to be supplemented by appropriate competence and forecasting capability.

 The term moral encompasses both objective and subjective components. The
 objective component includes the standards, principles and ideals which
 society provides to the individual and which are partly reflected in the legal
 system. This also includes the institutions which set these standards (e.g. Report 31
 “Ethical Responsibility of Engineers – Options and Perspectives of the
 Codification”, VDI-Main Group People and Technics, Düsseldorf, 2000 and
 “Ethics and Nuclear Energy – Expertise for the Technical Committee for
 Nuclear Technology [FA-KT] of the VDI-Society for Energy Technology [VDI-
 GET]”, Düsseldorf, May 2006), and those which corroborate or sanction them (family,
 media, politics, courts of justice). The objectively provided standards
 correspond on the subjective side, on the one hand, to the personal maxims, guiding
 principles and ideals, and on the other hand to the moral attitudes, motives, feelings
 and willingness to act of the individual. In practice the borderline between ethics and morals is




 blurred. People who behave in a moral manner normally have a good
 understanding of the purpose and function of the moral standards by which
 they abide, and also of how these standards are justified. It should be made clear
 that this more or less also applies to the responsibility of engineers in their
 everyday work, and to the confidence placed in their work.

 Long-term planning has to result from extended consultation processes about
 values and the strategies for their implementation; it cannot simply be dictated
 “top-down”. Such a strategy is recommended from pragmatic points of view (risk
 management). Dictation leads almost inescapably to problems of credibility and
 confidence, to legitimisation crises of industry, politics and bureaucracy, and
 contributes decisively to the polarisation of viewpoints. Instead of stealthy
 implementation of new technologies by administrative means, with acceptance
 secured belatedly through suitable public relations measures, acceptance should
 be secured a priori through a logical, albeit professionally oriented approach to
 Safety Engineering. This marks an essential, maybe even a compulsory requirement
 for the acceptability of a democratically legitimised industrial policy. Many
 discussions in industrial societies are unsatisfactory because they are based on
 preconceived opinions and one-sided statements resting on a fragmentary account
 of the facts, and depend on indifferent ethical perceptions.






 2        Generating Safety

 2.1      Safety Engineering Principles

 2.1.1 Safety – an Interdisciplinary Task

 With the help of the technical aids he has created, man strives for a continuous
 extension and perfection of his possibilities. This factor, which is evidenced in
 our cultural history, in itself presents a challenge to every engineer to regard it as
 one of his primary tasks, in the realisation of future engineering solutions, to cope
 with the striving of human society for a continuing perfection of the
 safety of technical products. In doing so, the actual task for man consists of
 adopting technology and engineering in a supportive role, by handling it in so-
 called man-machine systems or socio-technical systems. This challenge is all the
 more important as engineers must recognise an increasing lack of knowledge in the
 general public regarding the natural sciences and technology, which often results
 in an alarming level of suspicion towards technology and engineering. For
 this reason, engineers are concerned to demonstrate their professional abilities in
 the field of safety in a way understandable to lay people, in order to eliminate or
 at the very least minimise the discomfort of the general public relating to
 technical equipment and thereby prevent any unjustified cases of technophobia.

 Accidents and incidents prompt us to seek out and eliminate their causes. In this
 process, the effectiveness of the established and generally accepted Safety
 Engineering precautions must be scrutinised. The Association of German
 Engineers [German: Verein Deutscher Ingenieure – VDI] again clearly stresses
 the obligation of engineers to continuously and regularly further enhance the
 field of Technical Safety, to simplify its usability, and to make it comprehensible
 to non-engineers.

 In this context the following questions need to be addressed:

 •       Do we today no longer attach sufficient importance to the safety of modern
         complex socio-technical systems?

 •       Do we increasingly give priority to economic efficiency rather than
         safety?




 •       Are the relevant technical standards no longer adequately observed?

 •       Are the relevant technical standards no longer fit for purpose?

 •       Are laws and statutory regulations being flouted?

 •       Is there a lack of surveillance by the supervising authorities and bodies?

 •       What standing does personal action have at the different levels?

 •       Are the comprehension and the assessment of technical phenomena
         underdeveloped (e.g. due to a lack of imparted academic knowledge)?

 With respect to the possible consequences of hazards, it is convenient within the
 normal range of experience (refer to Table 1) to distinguish between three
 “Hazard Categories” for technical systems or facilities. For this purpose the
 public’s demand for safety (threat to life and limb, as well as damage to the
 environment; importance of the system or facility) is to be taken into account as
 well as commercial criteria (possible commercial consequences, usage
 requirements), whereby priority is given to the former criterion. Depending on the
 Hazard Category, a different overall effort is required for the
 definition of the counter-actions needed to avert the possible consequences of the
 different hazards.

 As a matter of principle, the constituent system components have to be
 categorised according to their significance for the properties and usability of a
 technical facility and/or product. In a simplified approach it is possible, within
 the scope of individual measures, to assign all essential components of a system
 or technical facility to one of these hazard categories. Every safety concept should
 orient its safety measures on these hazard categories.







 Possible consequences of hazards, affecting primarily ...

 The properties                                  The usability                              Hazard
                                                                                            Category
 ---------------------------------------------   -----------------------------------------  --------
 Large importance of the technical system        Large commercial consequences, large          3
 or facility for the general public; manifold    detriment to use; cascade effects
 threat to life and limb

 Threat to life and limb and/or considerable     Extensive commercial consequences,            2
 commercial consequences                         considerable detriment to use

 No jeopardy for life and limb and marginal      Marginal commercial consequences,             1
 commercial consequences                         marginal detriment to use

 If the loss of usability entails a threat to life and limb (e.g. leakage of containers and tubing
 with hazardous substances), this loss is treated as a loss of the required properties.

                                  Table 1: Hazard Categories

 The achievements in Safety Engineering have until now always kept pace with
 the underlying achievements in technical innovation. That said, it appears that
 both Safety Engineering and safety law are gradually escaping orderly applicability.
 Nowadays, the following circumstances particularly hamper the most efficient
 Safety Engineering solutions for modern, technologically innovative and
 complex systems:

 •       The multitude of technical standards, which often feature technical and
         application-specific discrepancies,

 •       The strictly application-specific legal requirements and responsibilities of
         supervising bodies,

 •       The technical and application-specific diversity of experts’ opinions, and

 •       The special terminology cultivated in the different technical disciplines.

 Even within the perimeter of classical, until now well-controlled engineering,
 there are signs of adverse effects, because



 •       Experienced specialist personnel are either no longer available or have not
         had sufficient opportunity to transfer their own background of
         profound engineering know-how to the succeeding generations of
         engineers,

 •       The knowledge about safety-methodical references in technical standards
         is gradually drowning in the ever increasing volume of engineering
         knowledge,

 •       In the course of rationalisation programmes, changes of technical
         concepts are implemented, however often without methodically adapting
         the associated Safety Engineering precautions.

 Although our legal system has established legal requirements for Safety
 Engineering, there is no uniform concept covering the different types of
 application. This makes it harder for engineers to pursue
 interdisciplinary cooperation in the field of Safety Engineering. The political
 opponents of further expansion and modernisation of the technical-industrially
 characterised infrastructure tend to ask the courts of justice rather than engineers
 who are specialists in their subject to scrutinise Technical Safety concepts. This
 often leads to compromises whose politically motivated results accept even
 safety-related shortcomings.

 Is it still possible to avert the impending excess of regulations and bureaucracy
 in Safety Engineering and in safety law and direct them onto more appropriate
 grounds? Does the State not even have the duty, when deregulation takes place, to
 compensate for the absence of regulations by establishing other safety
 principles, such as e.g. monitoring the market with equally far-reaching tools
 and powers?

 The Association of German Engineers [German: Verein Deutscher Ingenieure –
 VDI] attempts to give answers to these questions. In doing so, the following
 points are to be focused on:

 •       Increasing pressure for interdisciplinary cooperation of all affected
         disciplines and fields of engineering,






 •       Technologically embracing generalisation of the different safety-related
         concepts by finding the “hidden commonalities”,

 •       Subsequent retention and application of the revealed technological
         generalisation to the different fields of engineering,

 •       Consideration of the whole lifecycle of a product – from the first idea to
         the final disposal (refer to para. 2.1.2),

 •       Interdependence between safety and the boundaries of feasibility on the
         one hand and the commercial viability on the other hand.

 In the course of developing innovative technologies, the associated Safety
 Engineering concepts are to be developed as a matter of course. For this purpose,
 any existing safety concepts are to be examined for hidden commonalities and
 merged into one single safety-methodical concept. Such a concept should include
 the proven knowledge of Safety Engineering, which ranges from the
 primarily empirically grown application area, e.g. railroad engineering,
 to the analytically based application area, for instance aerospace
 engineering. This span covers the deterministic approach (this approach is based
 on the classical “if – then” relationship with the directly comprehensible causation
 of the occurrence of events; refer to para. 2.2.4) as well as the probabilistic
 approach (this approach is based on the consideration of the probability of
 occurrence of possible events; refer to para. 2.2.4) of reliability engineering. This
 span also takes into account both the approach of comprehensive safety-related
 standardisation and the failure-analytically based Safety Engineering in the area of
 aerospace engineering.

 The task here is to determine how the approaches to Safety Engineering and safety
 law, which have historically evolved and been practised differently in the various
 application fields, can be converged into one single interdisciplinary safety-
 methodical approach. Recourse to the methodology for an interdisciplinary
 approach in Safety Engineering presented here (refer to para. 2.3) facilitates
 communication and interdisciplinary cooperation between the different
 engineering disciplines, as well as between engineers, representatives of
 commerce, politics and the judiciary, and fellow citizens. This is, in turn, not only of
 advantage for technical innovation projects but also promotes a better
 understanding of Safety Engineering approaches. As a result, it prevents
 Safety Engineering concerns, which were still respected in an appropriate manner
 during development and manufacturing, from being displaced from the
 consciousness of engineers whenever improvements or other changes are carried
 out on technical equipment, facilities or systems.

 The highly complex technologies which have been developed to a high degree
 of sophistication in the 2nd half of the last century and which have high potential
 usability, have demonstrated for the first time that it is possible to successfully
 cope with wide-ranging engineering tasks while using working methods based
 on systems engineering. The method of using systems engineering as a working
 method is presented in this Memorandum (refer to para. 2.3). When this
 approach is pursued with systematic rigour, it is possible to implement cost-
 efficiently the often conflicting objectives of safety, reliability and availability in
 a system. This is an engineering task covering the optimisation of a generally
 applicable solution for safety and cost-effectiveness through interdisciplinary
 cooperation, both in the creation of safety concepts as well as engineering
 practice.



 2.1.2 Implementation of the Phase Approach in Systems
       Engineering

 To always ensure sufficient transparency of the technological and organisational
 circumstances of complex, technologically innovative or
 ambitiously safety-engineered systems, facilities or products, the complete
 lifecycle is subdivided into time segments, which are subsequently called
 phases. Such a subdivision into time segments facilitates the determination of
 clear targets, boundary conditions to be observed, other prerequisites and procedural
 instructions at the start of each of these clearly defined phases. At the end of
 each individual phase, the achieved results are checked for compliance with the
 set targets and specifications. On the basis of the achieved results, the targets, boundary
 conditions to be observed, prerequisites, and the procedural instructions are
 specified for each subsequent phase. Such a phase approach not only eases the
 technical management, it also ensures the necessary organisational management
 measures and enables the proper pursuit and monitoring of the specified targets.






 The phases of a product lifecycle can be shown as follows:

                            Figure 1: Phases of a Product Lifecycle

        Planning Process:      Conception  ->  Definition
        Realisation Process:   Development & Engineering  ->  Manufacture
        Operation Process:     Operation & Utilisation  ->  Retreat, Disposal & Recycling

 Due to the indispensable transparency of these interrelations, the statements in
 this Memorandum are aligned to this phase approach. The
 perimeter of Technical Safety is embedded in this phase approach. That doesn’t
 just apply to the generating of safety in every individual phase of the lifecycle,
 but also to its verifiability.

 Technical Safety belongs to the outstanding attributes of a technical system,
 facility or product. Generating Technical Safety represents a task for engineers
 and, where applicable, scientists that cannot be accomplished incidentally or just
 along the way. More than in any other engineering discipline, the generating and
 verifying of Technical Safety not only requires special qualification of the
 engineers and scientists involved, but also particular care and attention by
 technical-industrial management. This means that throughout the whole lifecycle of
 a technical system, facility or product – including retrofitting and other measures
 to increase the useful life – the Safety Engineering process requires the same
 care and attention as the rest of the project. For this reason, all aspects and
 attributes of Technical Safety require in each phase of this lifecycle appropriate
 and competent planning, proper tracing and unbroken verification. Such a
 process of planning, tracing and verifying, which extends along the complete
 lifecycle of a technical system, facility or product, is commonly referred to as




 “controlling”. As the controlling in this case is performed within the field of
 “Technical Safety”, the appropriate designation here is “safety controlling”.



 2.1.3 The Role of Man on Safety of Complex Socio-
       technical Systems

 Incidents and accidents in recent years have made one thing ever clearer in some
 areas: the possible benefit of additional improvements to technical system
 components in highly complex systems with large hazard potential is steadily
 decreasing, given the decades of effort already invested in this field. In
 relation to this fact, the relative importance of human actions in causing
 incidents and accidents increases. However, it would be an unacceptable
 simplification always to keep in view only the operator acting at the man-
 machine interface. It is a logical consequence of the principle of deeply
 hierarchised system protection, which is always implemented in technically
 complex systems, that an individual single failure must not lead to a serious
 incident or accident; this has to be prevented by diverse technical or
 organisational barriers. Only where weaknesses slumber unrecognised in the
 system and an unfortunate constellation of adverse conditions occurs (often of a
 random nature) can the interaction of individual persons and the technical system
 trigger and advance an incident or accident path through an individual single
 failure at the man-machine interface (MMI). This will then lead to negatively
 stated and assessed events.

 By the so-called phase concept (refer to para. 2.1.2), the entire “product
 lifecycle” of technical equipment can be considered as a whole as well as in
 detail – from conception through definition, development and engineering,
 manufacture, operation and utilisation to retreat, disposal and recycling. In all
 phases of this chain, human action contributes significantly to the (un-)
 reliability and (un-)safety of technical systems. The point is to take
 appropriate quality assurance into account in all phases of the lifecycle of a
 product or service. In addition, the analysis of serious events reveals that the
 control potential of human action is of eminent importance for the reduction
 of any possible adverse or devastating consequences of accidents. The domain
 of “Human Factors” (HF) turns out to be an ever more imposing complex of
 problems, which requires well-directed answers. As such the human




 contribution to safety and reliability of complex socio-technical systems is of
 high-ranking importance.

 “Human factors” are thus to be understood as all factors, ranging over the
 whole product lifecycle, which affect people in their interaction with a technical
 system or are affected by people. To that extent the unreflecting and often
 synonymous use of the term “human factor” for “human error” or even
 “human failure” is not permissible, nor is the traditional restriction to the
 ergonomic MMI aspect. Organisational factors, division of work, previous
 management decisions and even inter-organisational relations are relevant here
 in terms of a comprehensive holistic understanding of “human factors”.

 The human contribution to the reliability and safety of socio-technical systems
 occurs under boundary conditions which offer indispensable potentials on the one
 hand and unalterable restraints on the other. Both are to be considered in system
 design, because “man with his natural abilities and disabilities must take centre
 stage of all systems built up by men for men” (“Declaration of Saarbrücken” on
 the occasion of the World Congress on Safety of Modern Technical Systems,
 Saarbrücken, 2001). The ability to learn fundamentally distinguishes man from the
 machine; it compensates for his susceptibility to making mistakes and
 forms a crucial component of safety-directed action.

 Mistakes in acting are defined as the non-achievement of the target of this
 acting. It would therefore be a contradiction in terms (oxymoron) to assume that
 someone would consciously make a mistake. The judgement as to whether a
 mistake in acting exists can therefore only be made with hindsight and after
 clarification of the possibility of a “correct”, target-oriented acting. In so far, the
 widespread reflex of putting the blame for a mistake on the personnel in charge
 (“human error”) is in conflict with the “human right to err” that safety
 scientists call for. An appropriate error culture recognises a mistake as a chance
 to learn and does not ask: “How could you do this?”, but instead: “How could this
 happen?”

 Mistakes in acting arise from many conditions, in particular from overstrained
 mental capacity for information processing, from inappropriate demands on
 attention, from monotonous work, from innate or acquired behaviour patterns
 (inadequate to the tasks at hand), and from limitations in knowledge. All these
 items are stresses and strains that may exceed the human capacity for acting.




 In the interest of avoiding damages to people and environment, both the
 naturally given human ability as well as human disability must be taken into
 account for the respective system design. This can be done by e.g. failure
 tolerant engineering and configuration.

 Particular significance attaches here to the automation of socio-technical
 systems, which – from an engineering point of view – often aims for a
 maximum in order to eliminate error-prone man. However, the contribution
 of man may indeed become more necessary as systems become more
 complex. In this context, Bainbridge speaks of the “ironies of automation”
 (Ironies of automation in J. Rasmussen, K. Duncan, J. Leplat (Eds), New
 technology and human error, Chichester: Wiley, p. 281…283, 1987). On the one
 hand, systems are generally developed by a person who is also prone to making
 mistakes and who may thus negatively affect the correct utilisation of the
 engineered system because – following his strategy of maximum automation – he leaves
 to the operator only those functions that cannot be automated. What
 emerges is comparable to what psychologists have called in this context
 “acquired helplessness”: the lack of use of motoric or cognitive abilities becomes
 a problem when an unforeseen event occurs and new behaviour patterns are
 required. Similarly, the pure supervisory function of a technical facility, which is
 what remains after all-embracing automation, is affected by the evident
 human weakness in remaining attentive in the long run.

 Furthermore, situations requiring complex decisions can become a problem. Insofar
 as all necessary elements of a decision in the production process can be
 specified, an automated, computer-aided decision can be made faster and in more
 dimensions than by the operator. What may remain for the operator, however, is to
 assess on a meta-level the result of a decision whose algorithm he does not
 understand at all, or only insufficiently. What should be called for is therefore
 not maximum but adequate automation, which preserves man's ability to learn and
 to function, in order to create optimal engineered safety functions.






 2.2      Procedure for an Interdisciplinary Safety-methodical Approach

 2.2.1 Basic Principles

 The following statements give a general overview of the basic procedure for the
 systems approach that technical engineering requires, in particular where public
 safety is concerned. The interdisciplinary “Safety-methodical Approach” addressed
 here will be substantiated in due course in a separate document. Its preparation
 will take the following principles into consideration:



 2.2.1.1 General Convention on Safety Engineering

 As a basic rule, the safety-related design of technical systems has to be carried
 out in such a way that it satisfies the current state of public safety. This
 axiomatic requirement does not apply to testing at system and assembly level when
 safety is temporarily assured through specific measures, according to the needs
 of experimental operation.

 The following safety-related design criteria are to be agreed for the Safety
 Engineering of technical systems:

 •       Man, with his natural abilities and limitations, must take centre stage.
         Among other things, this demands a user-friendly design of technical systems.

 •       A single failure must not induce a safety-critical failure within the overall
         system.

 If a technical design meeting this requirement is not possible, the following applies:

 •       Chains of failure events in assemblies (failure mechanisms, causal chains),
         including human operating errors, which can lead to a safety-critical
         failure within the overall system must be made identifiable by active or
         passive introspection.






 If a technical design meeting this requirement is not possible either (e.g.
 because reliability would then be impaired), the following applies in addition:

 •       The probability of multiple failure events (e.g. the simultaneous failure
         of different assemblies) which can lead to a safety-critical failure within
         the overall system must not exceed a certain threshold value that is
         specific to the respective operation.

         The definition of such threshold values depends on the stochastic
         characteristics of the failure behaviour of the affected assembly and on
         the specified threshold value that is considered appropriate for the
         overall system.

 A safety-methodical approach to the Safety Engineering of products and technical
 equipment implies that all activities required for safety also take the following
 axioms into consideration:

 •       For each piece of equipment, the “safe status” and/or the “safe functional
         behaviour” must be clearly defined and stipulated in the respective
         specifications. This may imply that the operating activities are accurately
         analysed with respect to functions and operating instructions, taking their
         feasibility into consideration.

 •       The technical engineering is to be carried out in such a way that, in the
         event of multiple failures, interactions within the failure mechanism that
         could lead to a loss of function in a subsystem or in the overall system
         are eliminated.

 •       The threshold values of failure probabilities required for each assembly
         must be specified in such a way that fulfilment of the safety requirements
         for the overall system is not called into question.

 With regard to the time dependence of the failure rates of safety-critical failure
 events, the useful-life requirements stipulated in the specifications of the
 relevant assembly apply.
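 The three-step hierarchy above (exclude single points of failure; otherwise make
 the failure chains identifiable; otherwise bound their probability) can be checked
 mechanically once the minimal failure combinations of a design are known. The
 following is an added example and not part of the memorandum; it assumes constant
 failure rates, independent assembly failures, a first-order sum over the undetected
 chains, and the constructed rates, cut sets and threshold shown in the code.

```python
"""Checking a design against the criteria hierarchy of section 2.2.1.1.

Added example; it is not part of the VDI memorandum. Assumptions not taken from
the text: constant failure rates (exponential model), mutually independent
assembly failures, a first-order (rare-event) sum over the failure chains, and
the constructed sample data at the bottom.
"""
from math import exp, prod


def unreliability(rate_per_hour: float, hours: float) -> float:
    """Probability that an item with constant failure rate fails within `hours`."""
    return 1.0 - exp(-rate_per_hour * hours)


def assess_design(rates, cut_sets, monitored, useful_life_h, threshold):
    """Apply the three-step criteria hierarchy to one system design.

    rates:      {assembly name: failure rate per hour}
    cut_sets:   minimal combinations of assembly failures that together cause a
                safety-critical failure of the overall system
    monitored:  assemblies whose failure is revealed by active or passive
                introspection (self-test, plausibility check, ...)
    Returns a findings dict; 'accepted' is False if any criterion is violated.
    """
    findings = {"single_points": [], "detectable_chains": [],
                "undetected_chains": {}, "residual_probability": 0.0,
                "accepted": True}
    for chain in cut_sets:
        chain = tuple(sorted(chain))
        if len(chain) == 1:
            # Criterion 1: a single failure must not induce a safety-critical
            # failure of the overall system. No probability argument repairs this.
            findings["single_points"].append(chain[0])
            findings["accepted"] = False
        elif all(a in monitored for a in chain):
            # Criterion 2: the chain can be made identifiable by introspection,
            # so it is treated here as controlled without a probability argument
            # (this reading of the criterion is an assumption of the example).
            findings["detectable_chains"].append(chain)
        else:
            # Criterion 3: a chain that is neither excluded nor detectable must
            # stay below the operation-related threshold. Independent failures
            # over the useful life -> product of the individual unreliabilities.
            p = prod(unreliability(rates[a], useful_life_h) for a in chain)
            findings["undetected_chains"][chain] = p
    # First-order approximation of P(at least one undetected chain occurs).
    findings["residual_probability"] = sum(findings["undetected_chains"].values())
    if findings["residual_probability"] > threshold:
        findings["accepted"] = False
    return findings


# Constructed sample data (not from the memorandum): rates in failures per hour.
RATES = {"pump_A": 1e-5, "pump_B": 1e-5, "controller": 2e-6,
         "controller_1": 2e-6, "controller_2": 2e-6,
         "sensor_1": 4e-6, "sensor_2": 4e-6}
USEFUL_LIFE_H = 1000.0    # useful life stipulated in the assembly specification
THRESHOLD = 1e-4          # operation-related threshold for the overall system

# Design A: a single controller is a single point of failure.
DESIGN_A = [("controller",), ("pump_A", "pump_B"), ("sensor_1", "sensor_2")]
# Design B: controller duplicated; the pump pair is still not monitored.
DESIGN_B = [("controller_1", "controller_2"), ("pump_A", "pump_B"),
            ("sensor_1", "sensor_2")]
SELF_TESTED = {"sensor_1", "sensor_2"}   # assemblies with built-in self-test


def evaluate(design, monitored=SELF_TESTED):
    return assess_design(RATES, design, monitored, USEFUL_LIFE_H, THRESHOLD)


if __name__ == "__main__":
    for name, design, monitored in (("A", DESIGN_A, SELF_TESTED),
                                    ("B", DESIGN_B, SELF_TESTED),
                                    ("B + pump monitoring", DESIGN_B,
                                     SELF_TESTED | {"pump_A", "pump_B"})):
        res = evaluate(design, monitored)
        print(f"design {name}: accepted={res['accepted']}, single points="
              f"{res['single_points']}, residual={res['residual_probability']:.2e}")
```

 Removing the single point of failure (design B) is not sufficient on its own here: the summed probability of the two undetected pairs slightly exceeds the threshold, and only making the pump pair detectable brings the design within the criteria.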






 2.2.1.2 Requirements for the Procedure in Safety-related Design

 For all safety-relevant activities, including the corresponding verifications, the
 following sequence of methodically suitable measures applies with regard to
 conceivable hazards (refer to Table 1):

 •       Exclusion of safety-critical failure events (failure exclusion due to natural
         or technical integrity),

 •       Exclusion of the implications of safety-critical failure events (failure
         implication exclusion),

 •       Limitation of the probability of safety-critical failure events and/or
         defects by applying reliability engineering.

         This sequence reflects the Safety Engineering procedure and does not
         rank these measures for a safety rating.

 The methodical approach defined by this sequence implies that all assemblies of
 the system have been proven faultless and undisturbed at the beginning of each
 use, and that mistakes which can arise during manufacture, operation and
 maintenance are avoided by appropriate preventive measures.



 2.2.1.3 Safety-methodical Work Steps in Project Management

 The safety-methodical approach must be used in project management; the following
 work steps must always be executed:

 •       Carrying the methodically compiled “Safety-relevant Requirements
         Catalogue” forward into the project and/or system specifications, which
         cover the entire “product lifecycle”;

 •       Stipulation of the safety-related requirements for the engineering of the
         system and its assemblies, which require the different safety-relevant
         disciplines to be involved;



 •       Scheduling of the implementation steps in terms of Human Factors
         Engineering;

 •       Stipulation of the safety requirements, subject to verification (public
         safety);

 •       Stipulation of the safety requirements, which are necessary for obtaining
         the approval for operation;

 •       Compilation of the safety-critical failure modes and issuing the plan for
         safety controlling (goal: “Lessons Learned” for experience retention).



 2.2.2 Modules of a Safety-methodical Approach

 The basic principles of safety-compatible engineering are to be coordinated
 systematically so as to establish an interdisciplinary approach that is uniformly
 applicable both to the project concerned, with the technologies it newly creates
 and the existing technologies it puts to use, and to the assessment by the
 responsible supervising body. A further general field of application is failure
 investigation on technical equipment.

 This establishes a valid working and evaluation methodology for the entire
 project, which brings the safety-related design criteria indispensable for
 obtaining approval into a quantitatively assessable relationship with those design
 criteria that matter for cost-effective utilisation and hence for technical
 reliability.

 Failure-induced disturbances usually originate in piece parts or in assemblies of
 low integration level; their safety-critical implications, however, often become
 observable only through the functional interactions that result from the technical
 design of the overall system. The necessary effectiveness can only be achieved
 here with suitable information management.

 In this context, one fundamental deficit is the ambiguity of differently defined
 technical terms. Since creating new technologies always requires integrating
 knowledge from several disciplines, terms should be systematically avoided which
 are not defined unequivocally or in a generally applicable way in the technical
 standards, either because they can be interpreted differently by the various
 technical disciplines (e.g. the term “fail safe”) or because they are dedicated to
 an intentionally limited field of application (e.g. the term “signal security” in
 DIN VDE 0831). This applies in particular where general language usage already
 contains unequivocal terms (e.g. the term “safety”). Moreover, attributes such as
 “safe” or “safety” should on principle not be used in the designation of
 assemblies, not even when a safety case already exists for that assembly.

 The term maintenance is used here to refer to all measures for preserving and
 restoring the nominal status of a construction, unless a modification is involved.
 It therefore covers maintenance in the narrower sense, inspection and repair,
 although a distinction can be made between maintenance in the narrower sense and
 repair: in habitual usage, the former comprises the upkeep and upgrading work
 which, according to generally accepted opinion, is required to preserve the
 nominal status, while repair refers to the measures necessary to restore the
 nominal status of a construction after it has been lost through unforeseen events,
 such as a fire, or through a lack of proper maintenance work. Maintenance must be
 carried out properly. This concerns not only the frequency and the correct aim of
 the measures but especially also the manner in which they are carried out. Where
 engineering knowledge or specific technical equipment is needed, maintenance can
 possibly only be done properly if a craftsman, a technical expert or a
 specialised/certified contractor carries out the work.

 Suitable information management is an indispensable prerequisite for the
 interdisciplinary approaches of a holistic safety-methodical concept.



 2.2.3 Human Factors Engineering

 The discussion about the design and the engineering of new technical facilities
 focuses almost exclusively on engineering problems, whilst Human Factors
 Engineering (HFE) perspectives play only a minor role, if they are considered at
 all. Certainly, in the very first phases of drafting a technological concept it is
 necessary to give priority to the basic technological design criteria; this is
 strongly supported by the need to keep costs within the required limits.

 All technical systems, and complex facilities in particular, comprise without
 exception technical and human components, i.e. they are socio-technical systems.
 HFE principles for the engineering of socio-technical systems require design and
 engineering processes in which the trade-off for the man-machine interfaces starts
 at the earliest stage, when the combined optimisation of the technical and the
 human components is laid down in a concept-determining way.

 There are different areas that are to be tackled on an interdisciplinary basis:

 (1)     Developing an overall HFE plan

         The plan shall make clear how, and in which phases of the overall design
         and engineering process of future facilities, HFE considerations are to
         be systematically applied.

 (2)     Evaluation of experience gained from operation

         As a first step it makes sense to evaluate, from an HFE perspective, the
         experience already gained with comparable systems in operation, in order
         to avoid the problems that occurred there and to incorporate positive
         experience in future designs.

 (3)     Functional analysis of requirements and assignment of tasks

         The objective here is to analyse the system requirements in their various
         functional areas, to identify the performance requirements, and to explore
         the limits and possibilities of the design with respect to options for
         dividing tasks between man and machine. Particular emphasis should be
         placed on the principle of the “active operator”, which has been derived
         from HFE experience. Other questions in this category concern possible new
         requirements on the operating team, any resulting requirements concerning
         the qualification mix and the functional reassignment of tasks within the
         team, the design of appropriate criteria for the workplaces, and the
         planning of how to divide the tasks between man and machine, including the
         arrangements for automation measures.




 (4)     Centralisation/decentralisation of operating and control stations

         Closely tied to the analysis of the functional requirements is the question
         of the extent to which decentralised operating and control stations should
         be established, whose personnel in turn have to meet the respective
         qualification requirements.

 (5)     Organisational aspects

         The mutual assignment and the interaction conditions of the different
         categories of required personnel, as well as the dynamic changes in
         responsibility for tasks between regular operation, incidents and
         accidents, should also be analysed. Another question is, for example, how
         the European directives on health and safety at work and on environmental
         protection require ergonomics to be taken into account and how they bear
         on the work organisation of the systems.

 (6)     Determination of the qualification needs

         Depending on the division of functions, plans for the qualification needs
         should be established and proposals for their implementation worked out.

 (7)     Decision support systems (DSS)

         Computer-aided DSS could be used for examining task fulfilment by the
         personnel and for identifying appropriate procedures when needed. In this
         context one should investigate to what extent the use of computer-aided
         DSS would entail changes in the interaction modes of the personnel.

 (8)     Configuration of control equipment (e.g. look-out and control stations)

         This concerns, inter alia, the role of analogue and digital signalling
         systems, their redundancy, the use of adaptable displays, the transparency
         of indications, and feedback on the effects of operator actions. Another
         point of investigation would be how to consistently reflect the team
         character of the work.





 (9)     Participative ergonomics

         Forms and options for involving experienced operators in the engineering
         process are to be investigated. In the interest of an iterative trade-off
         strategy, the options and the outcome of the implementation of the
         principle “Simulation before Operation” are to be analysed. Likewise, the
         options for applying “Rapid Prototyping” should be studied.

         Here the term “Rapid Prototyping” refers to the fast manufacture of
         prototypes derived from design data. Rapid prototyping processes are thus
         manufacturing processes whose purpose is to convert existing CAD data
         (computer-aided design data) directly and quickly into workpieces, if
         possible without manual detours. As has become generally known since the
         1980s, the term “Rapid Processing” refers to primary shaping processes in
         which the workpiece is built up layer by layer from formless material
         using physical and/or chemical effects.

 (10)    In-house emergency measures

         Implementation of HFE principles while establishing technically correct,
         comprehensive, explicit and easy-to-handle procedures for the event of
         disturbances and emergencies.

 (11) Prevention of operating errors

         – By instructions and prohibitions as well as appropriate training;

         – By built-in interlock devices which, after a faulty operation,
           automatically switch into a safe status and/or a safe functional sequence.

 In total, three models can be distinguished for how HFE experts can be involved in
 the design and engineering process of complex socio-technical installations; they
 are to be used differently depending on the respective need:

 (a)     Integrated model:

         In this model, the HFE expert (work scientist, psychologist, medical
         scientist) is integrated into the engineering team right from the beginning
         in order to play his part in configuring the planned workplaces, and the
         functions of the personnel working at them, with respect to safety and
         reliability, occupational safety and health, and people-friendly design.

 (b)     Model for intermittent involvement:

         In this model, the HFE expert is called in for critical design phases, e.g.
         to evaluate a prototype. This also allows experienced operators (pilots,
         personnel from operating and control stations and the like) to be
         involved.

 (c)     Model for post hoc involvement:

         Only in rare cases will all engineering faults be detected before the
         system is placed into operation. It is then necessary to install technical
         and organisational barriers in order to prevent potentially dangerous
         system conditions or dysfunctional use of the system. However, it is
         imperative to avoid the post hoc involvement of HFE experts being
         misinterpreted as the standard form of involvement, in the manner of a
         repair shop.

 If an event cannot be kept under control within the system and the system
 boundaries are exceeded, measures have to be taken to handle the interface. Here
 too, HFE knowledge is to be applied so that the HFE elements are necessarily
 included in emergency management planning.



 2.2.4 Appraisal of Failure Prevention from the Interdisciplinary Viewpoint

 Proven systems-engineering approaches make it possible to analyse technical
 products, complex systems and simple equipment alike for their potential failure
 behaviour. In this context, one must always proceed on the assumption that
 failures of technical products can no more be excluded than the people who handle
 this technology can be assumed to be infallible. The findings of such failure
 analyses, which belong to the standard tools of every design and project engineer,
 make it possible to detect the crucial failure modes of the subassemblies
 systematically at the design and planning stage. This in turn is the prerequisite
 for preventive actions to avoid undesirable or unacceptable failures.

 For a better understanding of the following statements, the two terms
 “deterministic approach” and “probabilistic approach” are explained here:

 •       Deterministic approach:

         The deterministic approach in the engineering sciences corresponds to the
         historically grown, mono-causal scheme of action. It is based on
         unequivocal if-then relationships and on the condition that a definite
         event occurs at a predetermined time. Even in today's technology, this
         represents the classic engineering approach to drafting, designing,
         engineering and testing technical equipment.

         This approach has also been adopted in Safety Engineering for taking
         preventive action against safety-critical failures. In this case the “if”
         represents the safety-critical failure event and the “then” the
         safety-related prevention. In classical engineering, both conditions form a
         logically unambiguous (forward-directed) relation, or even a logical
         one-to-one (forward- and backward-directed) relation, and refer to a
         mono-causal structure of cause and effect.

         This deterministic approach in engineering is in line with the equally
         classical modes of thinking and decision-making of the judiciary.

 •       Probabilistic Approach:

         The probabilistic approach is based on probability-theoretical or
         statistical principles. Unlike the deterministic approach, it is based not
         on certainty but on the possibility that a certain event occurs with a
         certain probability. The time of occurrence of the event is neither
         predetermined nor determinable beforehand.

         Meanwhile, modern engineering (plant engineering, civil engineering,
         power engineering, information and communications technology, automotive
         engineering, aerospace engineering) involves highly networked functions
         and computer-aided devices, and is increasingly used in aggressive
         environments as well (such as outer space, the open and deep seas, desert
         and jungle). This inevitably leads to complex and highly integrated
         structures which, from the point of view of Safety Engineering, can no
         longer be kept under control by the deterministic approach alone but have
         to be supplemented (or completed) by probabilistic approaches (such as
         reliability engineering).

         For the concept layout, design, engineering and testing of such complex
         technical equipment, the application of reliability engineering has proven
         itself for decades. Without the application of reliability engineering,
         the achievements of today's global civil aviation, of scientific and
         commercial space technology, and of modern automotive engineering would
         not have been possible.

         In aviation and (manned) spaceflight, the application of reliability
         engineering has long proven its worth, also for the safety-related concept
         layout and design configuration of highly integrated, complex technical
         equipment. Nevertheless, its adoption in other fields of engineering
         progresses only very hesitantly, owing to established traditions.

 From a systematic viewpoint, the failure behaviour of technical products can be
 exhaustively detected and made useful for targeted, engineered preventive measures
 only if its stochastic manifestation is taken into account on the basis of a
 probabilistic approach. Furthermore, it should be borne in mind that the failure
 behaviour of systems with still straightforwardly transparent attributes,
 predominantly “captive (unlosable)” ones (“passive” safety attributes such as
 structural framework, supporting and holding devices, mechanical locking, fire
 protection damping), can be exhaustively detected even under deterministic
 consideration, whilst complex systems featuring “losable” attributes (“active”
 safety attributes such as energy supplies, drive systems, control systems, cooling
 units, extinguishing devices) are largely distinguished by their stochastic
 manifestations.

 If engineers are to work systematically with probabilistic approaches under these
 circumstances, limiting probability values must be available in any case. Since
 the release of the safety standard DIN VDE 31000-2:1987-12 “General Principles for
 the Safety Design of Technical Products – Terms of Safety Engineering – Basic
 Terms” [German: Allgemeine Leitsätze für das sicherheitsgerechte Gestalten
 technischer Erzeugnisse – Begriffe der Sicherheitstechnik – Grundbegriffe], the
 consideration of risk as a probabilistic consideration of stochastic failure
 events of technical products has been generally accepted as the state of the art.

 The consideration of threshold values for a risk implies that they are also
 accepted by the general public (refer to para. 3). Each value so considered has to
 be oriented to acceptance by the unprejudiced “public” (public safety). Attempts
 to determine the degree of acceptance by public-opinion polls are doomed to fail.
 At best they will reveal the public's ubiquitous polarisation between admiration
 for engineering achievements and scepticism owing to justified doubts about
 technology and engineering, usually based on a lack of knowledge, but also on the
 inevitable occurrence of demonstrable failings of man and machine. It cannot then
 be ruled out that this polarisation is politically misconstrued when the outcome
 of such polls is brought to the attention of the general public.

 Instead, another path that has already been taken should be followed
 systematically. It is expedient to quantify the degree of public acceptance by
 means of the stochastic attributes of technologies that are already accepted by
 the general public, such as maritime navigation, civil engineering, rail traffic,
 aviation, road traffic, power engineering, chemical engineering, plant engineering
 or conventional power stations. This can also be done with reference to natural
 risks, as reflected in human life expectancy. However, a successful outcome of
 this venture depends on the institutions concerned being prepared to make the
 relevant statistical material collected in their databases accessible for general
 use.

 Taking such threshold values as fixed constants would, however, not yet provide a
 definitive solution. Ultimately it is indispensable to integrate the necessary
 level of safety into the technical system. Consistently, evidence has to be
 provided to the supervising institution as to the extent to which this has
 actually succeeded. However, tools for really providing such evidence are not yet
 available and would have to be developed further.

 In conjunction with the necessary probabilistic approach, this gives rise to a
 quantitative problem. The numeric values (data) with which safety is to be
 calculated have to be very small, since safety-critical events may only very
 rarely become possible. If such numeric values are to be demonstrated by
 stochastic methods, limits are soon reached which cannot be crossed because of the
 effort necessarily involved. Therefore, reference is made in this context to the
 well-proven database-related approaches, as summed up, for example, in the (once)
 internationally used U.S. American standards MIL-HDBK-217F, Notice 2, “Reliability
 Prediction of Electronic Equipment” and NPRD 95, “Nonelectronic Parts Reliability
 Data”.

 The probabilistic consideration of stochastic failure events was developed as a
 complement to the deterministic approach of classic Safety Engineering, in order
 to keep rationally under control even those complex systems which, in Safety
 Engineering terms, are primarily distinguished by their “losable” attributes. Now
 and then, attempts can be observed to replace the classic, well-proven
 deterministic Safety Engineering approach completely by a probabilistic one. Such
 attempts fail all too often for lack of suitable and reliable data.

 Owing to the nature of the subject matter, a lack of knowledge in this boundary
 region between the deterministic and the probabilistic approach cannot be
 completely excluded. Deterministic safety measures are motivated by the
 consideration that, when a safety-critical failure occurs, technical products are
 to be transferred immediately into a safe status, which often consists in blocking
 the function (e.g. by an intentionally initiated cut-off of a technical
 apparatus), i.e. in a “failure on command” (this term is defined along the lines
 of DIN 25424, 3.8, c). With complex technical systems and their many components,
 however, the safety-driven cut-off of individual system components leads to a
 reliability dilemma which can hardly be solved once the engineering and
 construction of a technical facility are complete.

 This line of reasoning leads to the realisation that safety engineering and
 reliability engineering have to remain tied together in an inseparable logic. Both
 areas deal, as sub-disciplines, with failure modes that are stochastic in nature;
 the failure behaviour can therefore be considered completely only by stochastic
 methods. For this reason, proposed deterministic back-up measures are also to be
 examined for their implications on reliability.
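 The reliability dilemma just described (a safety-driven cut-off lowers the
 probability of a dangerous failure but raises the probability of a spurious
 shutdown) can be made quantitative for redundant channels voted M-out-of-N. The
 following is an added example and not part of the memorandum; it assumes N
 identical, independent channels, per-channel probabilities q_d (dangerous failure,
 safety function lost) and q_s (safe failure that demands a cut-off) over the
 interval considered, and counts the two failure modes separately.

```python
"""Safety versus reliability for M-out-of-N voted safety functions.

Added example; it is not part of the VDI memorandum. Assumptions not taken from
the text: N identical, independent channels; each channel has a probability
q_d of a dangerous failure (its share of the safety function is lost) and q_s
of a safe failure (it demands a cut-off although nothing is wrong) over the
interval considered; mixed states are counted per failure mode separately.
"""
from math import comb, exp


def at_least(k: int, n: int, q: float) -> float:
    """P(at least k of n independent channels are in a state of probability q)."""
    return sum(comb(n, i) * q**i * (1.0 - q) ** (n - i) for i in range(k, n + 1))


def voted_function(m: int, n: int, q_d: float, q_s: float) -> dict:
    """Outcome probabilities of an MooN scheme: M of N channels must demand a
    cut-off for the cut-off to happen."""
    return {
        # The safety function is lost once more than N-M channels have failed
        # dangerously, because the remaining ones can no longer carry the vote.
        "dangerous": at_least(n - m + 1, n, q_d),
        # A spurious trip (a "failure on command" without cause, i.e. the
        # reliability side of the dilemma) needs M channels failed safe.
        "spurious_trip": at_least(m, n, q_s),
    }


def from_rates(lambda_d: float, lambda_s: float, hours: float):
    """Per-channel probabilities from constant failure rates over `hours`
    (exponential model, an assumption of this example)."""
    return 1.0 - exp(-lambda_d * hours), 1.0 - exp(-lambda_s * hours)


def compare(q_d: float, q_s: float, schemes=((1, 1), (1, 2), (2, 2), (2, 3))):
    """Tabulate the common voting schemes for one pair of channel probabilities."""
    return {f"{m}oo{n}": voted_function(m, n, q_d, q_s) for m, n in schemes}


if __name__ == "__main__":
    # Constructed sample values (not from the memorandum): rates per hour over
    # a one-year interval.
    q_d, q_s = from_rates(lambda_d=1e-6, lambda_s=5e-6, hours=8760)
    for name, r in compare(q_d, q_s).items():
        print(f"{name}: P(dangerous)={r['dangerous']:.3e}  "
              f"P(spurious trip)={r['spurious_trip']:.3e}")
```

 Going from 1oo1 to 1oo2 buys safety at the price of roughly doubled spurious trips, 2oo2 does the opposite, and 2oo3 improves on 1oo1 in both respects, which is why the two disciplines have to be traded off together rather than optimised separately.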






 2.2.5 Criteria for an Interdisciplinary Holistic Safety Approach

 In deriving criteria for an interdisciplinary usable approach (on the occasion
 of a technological innovation project), care was taken not to establish yet
 another safety approach relevant only to one particular field of application.
 The criteria established here are therefore universally applicable and can be
 applied in the same way to every field of application and every technology.
 The same holds for the basic principles of the interdisciplinary
 safety-methodical approach presented below (refer to para. 2.3), in which these
 individual criteria and their logical conjunction are illustrated. Their
 general validity offers many advantages in application:

 •       Institutions that carry the State's responsibility for public technical
         safety in the overall process, performing tests, granting
         authorisations, declarations of conformity and tolerations, and taking
         charge of control and surveillance, can act on the same approach under
         identical criteria. They thus use the same elements from the
         perspective of State responsibility, whether it is exercised directly,
         by designated institutions or, where appropriate, by accredited
         private bodies.

 •       A uniform introduction of the safety approach enables clear
         communication across the disciplines involved, independent of the
         type of application, which is one of the essential principles of the
         holistic and interdisciplinary approach of systems engineering,
         generalised here to all technical fields.

 •       A prerequisite for a purposeful safety-oriented approach, however, is
         that suitable and effective measures are taken

         – during planning, engineering and manufacturing (generating safety,
           safety management, quality management, safety-related
           verification) and

         – over the course of the operation phase as well as during disposal
           and decommissioning (safety management, safety-related
           verification),

         and that these measures are adequate to ensure that the manufactured
         product actually possesses the safety-compatible technical
         configuration.


 •       Like any other interdisciplinary working method, the safety-oriented
         approach requires appropriate organisational conditions for its
         effective application. The following aspects are to be considered:

         – Only a central control point that is responsible for the system as a
           whole and has sufficient authority is in a position to give
           system-wide criteria their due weight within the safety-related
           activities. The precondition, however, is that safety can be
           demonstrated for each component of the system under consideration.

         – Since this safety-oriented approach is to guarantee economic
           usability as well as an appropriate safety-compatible design, the
           overall responsibility can, in view of the overall aim, only be
           assigned to the designing engineer, who is most familiar with the
           safety attributes because he designed them into the system himself
           (a typical case for a matrix organisation).

         – The engineer engaged as expert assessor has to assess nothing other
           than the safety-related appropriateness of the technical design in
           question. Depending on the complexity and scope of the approach
           concerned, this requires a cascaded intervention of expert
           assessment at the levels of principle, dimensioning and execution.
           The depth of this cascade must take into account the limits of the
           consequences, their transparency, the controllability of negative
           implications and their reversibility.

         – Compliance with applicable "technical standards" and/or statutory
           regulations is by itself a necessary, though not necessarily
           sufficient, precondition for a conclusive proof of safety.

         – Furthermore, the state of the art, and where necessary the state of
           scientific and technical knowledge, must as a matter of course also
           be taken into consideration (refer to para. 3.5).

 The conceptual layout, dimensioning and engineering of technical facilities,
 with regard to their nature and usability, are based on certain assumed
 qualities of the materials, components, systems, facilities, products and
 workmanship.

 It is crucial to check the planning specifications themselves, their
 computational and experimental verifications and the design plans, as to
 whether the product can be realised in accordance with these specifications,
 together with the verification and release measures intended for the
 execution of the construction work (verification and release of the planning
 specifications).

 To ensure that the execution of work does not deviate inadmissibly from the
 underlying specifications (e.g. owing to variability of material and
 component properties, uncertainties in installation and assembly, or faults
 and errors in the individual production steps), suitable test and inspection
 measures must be provided for all significant phases of work execution
 (tracing and verification of work execution).

 It is to be expected that the attributes of quality deteriorate during the
 utilisation phase; recurrent inspection as well as special maintenance
 measures may therefore become necessary (final inspection and verification
 prior to start of operation).

 •       Organisational requirements for the verification

         Only appropriate coordination of the intended tests ensures that the
         test actions complement one another sensibly, that unintentional gaps
         in verification are avoided and that the necessary information is
         passed on.

         In appraising test actions, their direct purpose of disclosing adverse
         nonconformances is relevant, but so are their indirect implications,
         namely their positive or negative influence on performance and
         quality.

         Responsibilities for all test actions, in particular for enforcing
         corrective actions in the case of inadequate test results
         (nonconformances), must be regulated comprehensibly and
         unequivocally.

         All test results are to be recorded.

         A test plan is obligatory when many contractors and subcontractors are
         involved in a construction project and where wrong decisions or gaps
         in verification can have considerable consequences.


 •       Elements of Verification

         With respect to nature and extent of the verification, the following
         distinction can be made between

         – Manufacturer verification, arranged for either on an exclusively
           internal or an external basis,

         – Third-party verification by an independent third party, either
           independent of the manufacturer verification or exclusively
           controlling the manufacturer verification for correct execution,

         – Acceptance by the ordering body/customer provided for the
           assessment and quality verification of goods or services at the
           changeover of responsibility or ownership.

         Manufacturer verifications are generally carried out in-house at the office
         or at the company and can, depending on the importance of the
         verification, take the form of self-inspection or be done by persons not
         directly involved in the manufacturing process.

         The in-house manufacturer verification at the office or at the company
         remains, just like other measures for controlling production, in the sole
         responsibility of the manufacturer.

         The planning of verification procedures involves the unequivocal
         determination of rules for the assessment of quality or services, as
         well as of the actions to be taken in the case of negative results
         (nonconformances).

         The importance of the different elements of verification varies, depending
         on whether the verification concerns design approval, carrying out of
         construction or verifications prior to placing into operation.

 •       Grading of verifications

         The grading of inspection and test measures for safety-related
         verification depends on the following:

         – the intensity of the verification (frequency and extent of the
           tests/inspections),

         – the evaluation criteria and the actions to be taken on negative
           results (nonconformances),

         – the degree of independence of the verifications from the process
           concerned,

         – the use of multiple independent verifications, for which the
           following gradation can be adopted, depending on the quality
           assurance requirements:

             - only manufacturers' inspections/tests,

             - manufacturers' inspections/tests carried out by an external
               institution, together with third-party testing or acceptance
               testing,

             - manufacturers' inspections/tests carried out by an external
               institution, together with third-party testing and acceptance
               testing or a second independent third-party testing.

         From this, grades of quality assurance and their classification
         according to the Hazard Categories (refer to Table 1) can be derived.
         Individual subsystems or assemblies can be subject to different grades
         of quality assurance.

 •       Verification and release of the design specifications (as designed)

         – Assessment of design, dimensioning and the engineered configuration

             It has to be assessed whether all relevant hazards have been
             identified and appropriate measures provided for. In particular,
             this concerns the appropriate choice of the system, the materials
             and the manufacturing method, the processes and construction
             means, as well as the configuration of the technical system or
             facility (functional testing, accessibility). It is also to be
             assessed, amongst other things, whether all essential
             organisational preconditions, e.g. special manual and industrial
             qualifications, can be met, and whether all terms of use and
             necessary maintenance measures have been stipulated.

             The assessment of the design specification (as designed) can be
             carried out in different ways and with varying effort, e.g. by
             tests, computation or analogous reasoning. Amongst other things,
             it has to be verified whether the computations cover the relevant
             requirements, the actual influences and the boundary conditions,
             whether verifications are made for all constituents, whether
             appropriate mathematical models are used, whether the computation
             is self-consistent, and whether the system can withstand all
             loads and influences. In addition, it is to be assessed whether
             alterations to assemblies will cause undue malfunctions.

             With respect to the nature of the verification, one can
             distinguish between

             - complete recalculation by an independent third party,

             - model testing,

             - prototype testing.

         – Verification and release of the design specification (as to be built)

             It has to be assessed whether the design specifications (as to be
             built) contain all the information required for the construction
             work, such as tolerance limits or instructions regarding the
             manufacturing process. Amongst other things, it matters whether
             dimensioning results have been transferred correctly, whether the
             instructions and/or drawings comply with the stipulated
             requirements, and whether other boundary conditions have been
             considered.

             Since all information and specification details for
             manufacturing, assembly and/or integration are to a large extent
             transmitted by means of the design specification (as to be
             built), its assessment for clarity and completeness is of
             particular importance.

 •       Verification of the construction work (acceptance as built)


         – Series manufacturing – single-item manufacturing

             With regard to the nature and importance of the verification, a
             distinction is made between

             - series manufacturing, aiming at consistently appropriate
               quality,

             - single-item manufacturing, aiming at meeting the specification
               requirements.

             For single-item manufacturing, preventive actions take priority.

             The construction of complex technical systems or large-scale
             technical facilities is generally a matter of single-item
             manufacturing; only some individual assemblies or materials are
             subject to series manufacturing. Quality assurance systems
             oriented towards series manufacturing, such as that of
             DIN 55350:1995-08, „Concepts in quality and statistics”
             [German: Begriffe zu Qualitätsmanagement und Statistik], can
             therefore not be transferred directly to all phases of
             construction work.

         – Evaluation procedures and criteria

             With 100 % verification every manufactured item is verified and
             either accepted as "GO" or rejected as "NO GO". Where the
             verification is carried out according to quantitative criteria,
             these generally correspond to specified tolerances.

         – Recurring verification

             Recurring verification at staggered intervals serves to ascertain
             over the whole utilisation time that a technical product still
             conforms to the configuration to which it was designed,
             engineered, manufactured, put into operation and is being
             operated.




 2.2.6 Passive and Active Safety Measures

 The following classification can be made:

 A technical assembly, a component of a facility or a complete facility is
 designed and engineered to fulfil different functions. A distinction is to be
 made between active and passive functions.

 •       As a basic principle, passive functions rest on "captive" or inherent
         attributes. In the normal case, i.e. in normal operation, these
         functions cannot be "lost"; no actuator needs to be activated.
         Examples of passive functions are clamping, shoring and locking
         functions; particular instances are the floor slab of a storey or the
         static properties of a complete structure. Maintaining these
         functions requires attention to the attributes of the hardware and
         the requirements placed on the structural parts; tests, care and
         maintenance form part of this.

 •       Active functions, however, can be "lost". They are characterised by
         the use of an active assembly function; lighting equipment or a
         control device are particular instances. For the loss of such
         functions, backup and/or protection devices are needed, designed in
         accordance with the possible failure events.

 •       Wherever possible, passive safety measures are given first priority.
         Where active safety measures are applied instead, they have to be at
         least equally effective for the particular Hazard Category (refer to
         Table 1).



 2.2.7 Control on Failure Mechanisms

 If a component supporting a passive function fails, the cause is, to a first
 approximation, to be sought in a design fault or a construction defect. If an
 active function fails, the constituent assemblies may all be in order:
 individual attributes of the equipment may have failed because it became
 faulty, or the control of, or the interaction between, functional elements may
 have failed, for example as a result of an instruction and/or operating error.

 Failure mechanisms can be categorised. In total, seven failure modes can be
 distinguished, grouped into three areas:

 •       Failure when the intended functional element is started:

         – The functional element does not start.

         – The functional element starts only partially.

         – The functional element starts at the wrong time.

 •       Failure while the functional element is running:

         – The running functional element fails totally.

         – The functional element degrades, i.e. it can only partially fulfil
           its function.

 •       Failure when the functional element is terminated:

         – The functional element is terminated improperly.

         – The functional element is terminated at the wrong time.

 For generating Technical Safety, the failure of functions must be assessed. To
 reduce the risk arising from failures to an acceptable level, different
 strategies can be adopted:

 •       A function fails and the technical state of the system or facility
         remains safe. The intended function is indeed given up, but no harm or
         damage is caused. This kind of "fall-back" state is called "fail
         safe": a component of the system is switched off into a safe state,
         care having been taken in the design that the final state reached by
         the fall-back is safe. No harm is done to persons or property, but the
         function is no longer available, not even with restrictions. In other
         words, the system has come to a "halt".




         An example of the "fail safe" approach is the initiation of emergency
         braking on a railway train.

 •       If, however, the function of a technical system or facility is to be
         kept up despite the failure of an assembly supporting it, or is to be
         maintained at least at a reduced level, this state is called "fail
         operational". Restricted functions are then provided by emergency
         programmes (automatic, or called up by the operator) that maintain
         the particularly important functions. With this strategy catastrophic
         behaviour can hardly occur; a systematic approach to specifying
         appropriate strategies is of particular importance here.

         An example of the "fail operational" approach are the engineering and
         organisational preventive provisions made for aircraft in flight.

 •       If neither the "fail safe" nor the "fail operational" strategy can be
         applied, the application of "reliability engineering" still lends
         itself to reducing the risk, however only for Hazard Category 1
         (refer to Table 1). This term comprises the application of probability
         considerations, which analyse the possibility of a failure on the
         basis of empirical data, expert opinions, theoretical investigations,
         analysis of failure cases and other processes. If the probability of
         harm is sufficiently small, the technical system or facility can go
         into operation.

         As examples, reference is made to the safety-related reliability
         approach used for the attitude control systems of vertical take-off
         aircraft (VTOL) or for the Apollo Guidance Computer (AGC) used to land
         the Lunar Module (LM) of the Apollo 11 mission.
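 The three fall-back strategies of this section, and the "failure on command"
 into a state that needs no action, can be shown as a degradation ladder in
 code. The following Python script is an added example and is not part of the
 memorandum: it is a hypothetical train speed-control function fed by three
 redundant speed sensors, in which all limits, tolerances, the sensor model and
 the watchdog are assumptions made for the example. A majority of agreeing
 sensors gives full function, a single surviving or disagreeing set of sensors
 gives the "fail operational" emergency programme (crawl speed), and no usable
 sensor or a stopped control programme gives the "fail safe" emergency brake.

```python
"""Added example (not from the VDI memorandum): a degradation ladder that
implements the fall-back strategies of para. 2.2.7 for a hypothetical train
speed-control function fed by three redundant speed sensors.

  NORMAL            at least two valid sensors agree: full function
  FAIL_OPERATIONAL  one valid sensor, or valid sensors disagree: reduced
                    function (crawl speed), emergency programme
  FAIL_SAFE         no usable sensor, or the control programme itself has
                    stopped (watchdog not kicked): emergency brake, halt

All limits, tolerances and the sensor model are assumptions for the example.
"""
from dataclasses import dataclass
from enum import Enum
from statistics import median
from typing import Optional, Sequence


class Mode(Enum):
    NORMAL = "normal"                      # full function
    FAIL_OPERATIONAL = "fail-operational"  # reduced function kept alive
    FAIL_SAFE = "fail-safe"                # function halted in a safe state


# Tuning constants of the hypothetical loop (assumed values).
MAX_AGE_MS = 100                # a reading older than this counts as lost
PLAUSIBLE_RANGE = (0.0, 400.0)  # km/h; outside means the sensor is faulty
AGREE_TOLERANCE = 5.0           # km/h spread within which sensors "agree"
FULL_LIMIT = 300.0              # km/h permitted in NORMAL
CRAWL_LIMIT = 40.0              # km/h permitted in FAIL_OPERATIONAL


@dataclass(frozen=True)
class Reading:
    value: Optional[float]  # None: the sensor delivers nothing at all
    age_ms: int             # time since the value was last refreshed


@dataclass(frozen=True)
class Command:
    mode: Mode
    speed: Optional[float]        # speed the controller relies on; None if unknown
    speed_limit: Optional[float]  # permitted speed; None once halted
    brake: bool                   # True = emergency brake demanded


def is_valid(r: Reading) -> bool:
    """A reading is usable only if present, fresh and physically plausible."""
    lo, hi = PLAUSIBLE_RANGE
    return r.value is not None and r.age_ms <= MAX_AGE_MS and lo <= r.value <= hi


def largest_agreeing_cluster(values: Sequence[float]) -> list:
    """Largest group of readings lying within AGREE_TOLERANCE of one member."""
    best: list = []
    for v in values:
        cluster = [w for w in values if abs(w - v) <= AGREE_TOLERANCE]
        if len(cluster) > len(best):
            best = cluster
    return best


def decide(readings: Sequence[Reading], watchdog_kicked: bool = True) -> Command:
    """Walk down the ladder NORMAL -> FAIL_OPERATIONAL -> FAIL_SAFE."""
    if not watchdog_kicked:
        # The control programme itself was terminated improperly or at the
        # wrong time (failure modes of the 'termination' group): only the
        # fail-safe halt remains.
        return Command(Mode.FAIL_SAFE, None, None, brake=True)
    good = [r.value for r in readings if is_valid(r)]
    cluster = largest_agreeing_cluster(good)
    if len(cluster) >= 2:
        # A majority agrees; an outvoted channel is simply ignored.
        return Command(Mode.NORMAL, median(cluster), FULL_LIMIT, brake=False)
    if good:
        # Emergency programme: keep moving on the remaining channel(s), but
        # assume the highest reported speed (the conservative case) and crawl.
        return Command(Mode.FAIL_OPERATIONAL, max(good), CRAWL_LIMIT, brake=False)
    # Nothing trustworthy left: 'failure on command', the train stops.
    return Command(Mode.FAIL_SAFE, None, None, brake=True)


def brake_release_energised(cmd: Optional[Command]) -> bool:
    """Output stage modelled 'de-energise to trip': the brake stays released
    only while a live controller actively holds the release line energised.
    If the controller output is lost altogether (cmd is None) the line drops
    and the brake applies, so the safe state is the one that needs no action."""
    return cmd is not None and not cmd.brake


if __name__ == "__main__":
    fresh = lambda v: Reading(v, age_ms=10)
    print(decide([fresh(100.0), fresh(102.0), fresh(250.0)]))              # NORMAL
    print(decide([fresh(100.0), Reading(None, 0), Reading(99.0, 5000)]))   # FAIL_OPERATIONAL
    print(decide([Reading(None, 0), Reading(999.0, 0), Reading(50.0, 5000)]))  # FAIL_SAFE
    print(brake_release_energised(None))                                   # False
```

 Two design choices carry the section's point. The brake output is modelled so
 that the safe state is reached when nothing acts at all, which is why loss of
 the controller, of its power or of its output line all end in the halt rather
 than in an undefined state; and the watchdog branch covers the failure modes
 of the "termination" group, where the function itself is stopped improperly
 or at the wrong time and no sensor reading could reveal it.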



 2.2.8 Generating Safety according to the Phase Approach

 To achieve appropriate safety states, different provisions and steps are
 required of the persons involved in the different phases of the lifecycle of a
 technical system, facility or product (refer to para. 2.1.2).




 Therefore, hardware and software designers and engineers, suppliers,
 operators, personnel for assembly, operation, maintenance, repair and
 disposal, as well as the supervising institutions (authorities) have to
 develop and discuss appropriate and realistic measures and procedures that
 largely prevent the failure of functions or the alteration of attributes.
 International solutions are worth pursuing, since many products are not
 engineered and used only at national level. Worldwide acceptance of good
 safety solutions is helpful, even where they differ considerably.

 For the development of safety-relevant systems and functions it makes sense to
 establish appropriate, adapted processes in order to meet the different
 requirements on safety-related attributes. Such processes can cover the
 following topics, which can and/or must be adapted to the function and purpose
 of the systems:

 •       System definition,

 •       Hazard analysis,

 •       Risk consideration,

 •       Derivation of safety requirements,

 •       Realisation phase,

 •       Documentation,

 •       Management tasks,

 •       Cross sectional processes,

 •       Supporting processes,

 •       Supplier relationship.

 Owing to the rapid advancement and innovation of technologies, work must be
 carried out in parallel to examine whether existing regulations and standards
 need to be extended, specialised or modified, and to implement such changes.
 Innovations open up technical fields that the existing concepts often could
 not take into account. The use of electronics to realise innovative functions,
 in particular, needs new basic conditions that cannot always be carried over
 from the past. The use of such functions depends vitally on legal certainty
 for the manufacturer, which is established, among other things, by the state
 of the art.

 For complex systems and plants, or where Public Technical Safety is concerned,
 a so-called "Safety Case" (safety report) is to be required. In all other
 cases it should be a selectable option, but for the area just named it must
 form part of the practised safety culture. Following the approaches of
 aerospace engineering, chemical process engineering and similarly complex
 facilities of the power industry, it must be demanded that a factually
 appropriate safety management is elaborated, submitted and implemented, and
 that the documentation of a "Safety-related requirements catalogue" is started
 from the very first moment, i.e. from the first ideas and thoughts about the
 design layout. It must be updated continuously, and all changes and
 modifications are to be documented in revisions. For all technical fields, a
 system description forms part of the Safety Case; it further covers the
 safety management and/or safety plan, a risk assessment, an emergency plan
 and the documentation instructions. Where work is strongly divided, further
 assembly- and phase-related parts can be added depending on the specific
 situation, so-called manufacturing and inspection sequence schedules. The
 Safety Case starts with the product idea and grows through all phases of the
 product lifecycle.

 Essentially similar requirements apply to all phases of the lifecycle of a
 technical system (facility or product). For utilisation, servicing, repair,
 decommissioning and disposal, appropriate practices, processes and
 instructions are worked out that generate and maintain safety. Careful
 elaboration of such processes guarantees optimum results and high safety
 standards in this area, too. Adherence to the established methods and
 processes by operator and user is, however, a prerequisite for achieving a
 high level of safety guaranteed in the long term. Understanding and awareness
 must here, too, be promoted by suitable communication. The human being
 occupies the key position in the process of generating safety.

 Technical Safety is one of those attributes of a technical system, facility or
 product that must not only be generated systematically by means of a
 controlled process but also always be verified, whether by checks under the
 manufacturer's own responsibility (1st party), by the orderer/customer
 (2nd party) or by independent bodies (3rd party). Which parties are involved
 plays a decisive role for the significance of the verifications.

 The consideration of the lifecycle phases in para. 4, "Assessability of
 Safety", therefore shows what role verifications play. In this context it
 must be critically assessed whether the assessments can be left to the
 partners in the market and/or whether they have to be performed by independent
 bodies (3rd party) because the market provides no appropriate regulating
 factor. With respect to 3rd-party bodies, it is to be examined to what extent
 the verification function can be privatised (e.g. in the form of audit
 systems run as private ventures) and which responsibility is better held as a
 State mandate. Here it must be taken into account that the higher the Hazard
 Category (refer to Table 1), the more the responsibility must be understood
 as a mandatory task of a national authority. This reflects the view that an
 absolute guarantee responsibility of the State (refer to para. 4.3.3) should
 be admitted only for Hazard Category 1.



 2.3      Conclusions from the Safety-methodical Approach

 Ethical and moral reasons as well as legal objectives give rise to the
 obligation to design technical facilities in a safety-compatible manner. The
 working method still practised today is based to a significant extent on the
 wealth of experience that emerged in the course of the general progress of
 engineering, primarily, of course, under the pressure of damaging events.

 Engineers who conceive, design and build technical equipment attend, as part
 of their overall responsibility, to their duty to design these facilities in a
 safety-compatible manner. Nevertheless, owing to the factual circumstances,
 the safety risk, which can never be completely excluded in handling technical
 facilities, always remains with the operator or user. From this situation,
 characterised by a polarisation rooted in the facts, the problem inevitably
 arises: "What, and how much, is safe enough?" To bring this problem to a
 holistic solution, even when new technologies are applied, the technical
 design and the necessary verification are to be carried out methodically in
 such a way that the loss-avoiding and risk-reducing character of the
 safety-related preventive measures is taken into account, by adopting an
 appropriately targeted, predominantly analytical-preventive approach.

 A prerequisite for effective Safety Engineering is a thoroughly correct
 engineered design which guarantees that no damaging event is to be expected
 from the technical facility when it is operated or used as intended under the
 environmental conditions actually prevailing. In this context, the design
 principles applied particularly in aerospace engineering are to be mentioned.
 Despite their not always uniformly interpreted terminology and their partially
 overlapping effect, the safe-life, redundant, fail-proof and damage-tolerant
 design approaches have contributed significantly to correctly engineered
 design in terms of safety, and not only in aircraft engineering. A further
 precondition is a defect-free constructive realisation of the technical
 equipment. "Fail-proof design" means "fail-safe engineering", i.e. the
 conscious application of design principles that make Technical Safety an
 integral constituent of the properties and functional behaviour of a product.

 Defects, malfunctions and failure events can in general not be excluded in
 technical facilities, whether because they occur at random over time, because
 unpredictable events are not adequately controllable (e.g. a lightning
 strike), or because unintentional operating errors cannot be avoided
 completely. Besides a correctly engineered design, a safety-compatible
 technical design must therefore also comprise preventive measures by which
 such mistakes can be countered, for example safety-related interlocking
 devices that reliably prevent every kind of operating error. This failure
 potential, which for new technologies certainly cannot be presumed known, has
 to be analysed systematically in order to determine, as far as possible,
 cause and effect of the failure events.

 The complexity of technologically innovative systems makes it necessary to also
 analyse the stochastic failure behaviour, in order to be able to prove and verify
 the effectiveness of the safety-related provisions. Well-proven methods of
 reliability engineering are available for this purpose. It complies with today's
 "state of the scientific and technical knowledge" (§ 7 para. 2 no. 3 of the
 Atomic Energy Act [German: Atomgesetz]) if a proof of a reliability that is
 adequate and sufficient in terms of safety is preferred where the feasible effort
 can yield statistically firm results and no other safety-oriented verification
 promises a self-consistent result. Those findings of reliability engineering
 which do not refer exclusively to its numerical methods can also be applied
 reasonably in Safety Engineering, in order to determine the boundary conditions
 under which redundant equipment is necessary for safety-related purposes.
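 The reliability calculation this paragraph alludes to, as an added example that is not part of the memorandum: the average probability of failure on demand (PFD) of one proof-tested channel and of 1oo1, 1oo2 and 2oo3 voting architectures, with a beta-factor split between independent and common-cause (simultaneous) failures. The function names, the failure rate, the proof-test interval and the beta value are assumed sample values chosen for illustration, not data from the memorandum.

```python
"""Average probability of failure on demand (PFD) of redundant safety channels.

Added example, not part of the VDI memorandum. One dangerous failure rate per
channel, periodic proof testing, k-out-of-n voting, and a beta-factor split
between independent and common-cause (simultaneous) failures. All rates and
intervals used below are assumed sample values.
"""
import math


def channel_pfd(lambda_d: float, proof_test_interval_h: float) -> float:
    """Time-averaged PFD of one channel with dangerous failure rate lambda_d
    (per hour) that is proof-tested and restored every T hours.
    Exact average of 1 - exp(-lambda*t) over one interval:
        PFD_avg = 1 - (1 - exp(-lambda*T)) / (lambda*T)   (about lambda*T/2 for small lambda*T)
    """
    x = lambda_d * proof_test_interval_h
    if x <= 0.0:
        return 0.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def koon_pfd(k: int, n: int, p: float) -> float:
    """PFD of a k-out-of-n architecture of n identical, independent channels,
    each with PFD p: the function is lost when fewer than k channels survive,
    i.e. when at least n-k+1 channels have failed."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    return sum(math.comb(n, j) * p ** j * (1.0 - p) ** (n - j)
               for j in range(n - k + 1, n + 1))


def koon_pfd_with_ccf(k: int, n: int, lambda_d: float,
                      proof_test_interval_h: float, beta: float) -> float:
    """Beta-factor model: the fraction beta of the dangerous failure rate hits
    all channels at once (common cause); the rest fails channels independently.
    The architecture fails if the common-cause event occurs OR the independent
    failures exceed what the voting tolerates."""
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    p_ind = channel_pfd((1.0 - beta) * lambda_d, proof_test_interval_h)
    p_ccf = channel_pfd(beta * lambda_d, proof_test_interval_h)
    return 1.0 - (1.0 - p_ccf) * (1.0 - koon_pfd(k, n, p_ind))


def risk_reduction_factor(pfd: float) -> float:
    """RRF = 1/PFD: by how much the protection layer reduces the frequency of
    demands that turn into harm."""
    return math.inf if pfd == 0.0 else 1.0 / pfd


def compare_architectures(lambda_d: float, proof_test_interval_h: float,
                          beta: float) -> dict:
    """PFD of 1oo1, 1oo2 and 2oo3 for the same channel data, once assuming
    independent channels and once with the beta-factor common-cause share."""
    p = channel_pfd(lambda_d, proof_test_interval_h)
    result = {}
    for name, (k, n) in {"1oo1": (1, 1), "1oo2": (1, 2), "2oo3": (2, 3)}.items():
        result[name] = {
            "independent": koon_pfd(k, n, p),
            "with_ccf": koon_pfd_with_ccf(k, n, lambda_d, proof_test_interval_h, beta),
        }
    return result


if __name__ == "__main__":
    # Assumed sample data: dangerous failure rate 1e-6/h, yearly proof test, beta = 10 %.
    for arch, v in compare_architectures(1e-6, 8760.0, 0.10).items():
        print(f"{arch}: independent PFD {v['independent']:.2e} "
              f"(RRF {risk_reduction_factor(v['independent']):.0f}), "
              f"with CCF {v['with_ccf']:.2e} "
              f"(RRF {risk_reduction_factor(v['with_ccf']):.0f})")
```

With the sample data, 1oo2 cuts the PFD by roughly two orders of magnitude if the channels fail independently, but only by about one order once 10 % of the failure rate is common-cause. That is the kind of boundary condition the paragraph speaks of: beyond it, a further identical channel adds little, and provisions against simultaneous multiple failures (diversity, physical separation) pay off more than additional redundancy.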

 Traditionally, the status of Safety Engineering has been shaped by learning from
 experience (refer to para. 4.2, "Learning as a Continual Task"): "feedback of
 experience" or "feedback control". This means that safety-relevant experience
 can be transferred relatively easily to products and technical equipment that
 are technologically comparable to former and present products and equipment.
 Problems always arise, however, when "safety through past experience" is to be
 transferred to products and equipment that are technologically enhanced or
 entirely new. Here, foresighted approaches to risk estimation are necessary,
 which identify the potential failure modes by means of probabilistic methods and
 help to implement the appropriate provisions in the design ("feed-forward
 control"). A combination of both approaches will frequently be necessary. This
 is described in more detail below.



 2.3.1 Transfer of Safety Standards to Products Comparable in Technology

 If the engineering and manufacture of a product or other technical equipment is
 restricted to the established state of technology, i.e. the product concerned
 neither comprises nor represents any significant technological innovation, then
 the existing legal and technical regulations are sufficient to guarantee the
 safety of this product. Either

 •       the applicable statutory regulations contain a general reference to the
         technical standards and/or an indeterminate reference to the
         state-of-the-art, or

 •       the construction and operating regulations already contain a direct
         reference to the relevant technical standards.

 •       Within engineering, the alternatives used are characterised by two focal
         points:

         – on the one hand, safety through comprehensive standardisation (as in
           electrical and structural engineering),

         – on the other hand, Safety Engineering based on a failure-analytical
           procedure (as in aerospace engineering).

         A combination of both focal points is increasingly implemented as well.

 •       Different allocations of the safety responsibility are also usual in the
         legal implementation:

         – manufacturer, owner (registered keeper), operator, public authority.

 •       The scope for modifications is primarily confined to the technical
         standards and/or, in effect, to the state-of-the-art.



 2.3.2 Transfer of Safety Standards to Products Enhanced in Technology

 With products enhanced in technology, Safety Engineering is characterised as
 follows:

 •       The legal basis can be allocated unequivocally.

 •       Likewise, the supervising authorities and bodies are appointed for the
         relevant case of application.

 •       The application of the so-called state-of-the-art turns out to be
         somewhat problematic here:

         – statutory regulations (referring to the state-of-the-art) remain
           applicable;

         – the safety-relevant applicability of the standards is, however,
           questionable and requires in every case a clarification through
           failure-analytically based Safety Engineering, which is always
           possible;

         – there is no legal obligation to clarify the safety-relevant
           applicability of the standards;

         – there is the problem of an ever-present diversity of opinion when
           supervision is exercised.

 •       Different allocations of the safety responsibility are usual in the
         legal implementation:

         – manufacturer, owner, registered keeper, operator, public authority.



 2.3.3 Transfer of Safety Standards to Innovative Products

 With technological innovation projects, new frontiers have to be crossed in
 Safety Engineering as well (as e.g. with the development of the Maglev
 technology), because the existing state-of-the-art cannot cover the new, as yet
 unknown technology. Here, the implementation of foresighted probabilistic
 methods of risk assessment is necessary:

 •       The legal basis cannot be allocated offhand:

         – stopgap solutions arise, e.g. the "Law on the Construction and
           Operation of Test Facilities for Trials with Track-guided
           Transportation Techniques" [German: Gesetz über den Bau und den
           Betrieb von Versuchsanlagen zur Erprobung von Techniken für den
           spurgeführten Verkehr], without which a test facility for the
           practical trial of the new technology would not have been legally
           permitted;

         – there are no supervising authorities and/or bodies yet; they have to
           be assigned for each individual case of application; for the Maglev
           venture, the Lower Saxony Ministry for Economics and Transport was in
           charge.

 •       The state-of-the-art cannot be applied here:

         – there are neither exhaustive legal regulations (a sole reference to
           the state-of-the-art is, from the Safety Engineering point of view,
           questionable here) nor

         – engineering standards from which an obligation to failure-analytical
           Safety Engineering would result;

         – the problem is that experts engaged as alternatives may, if at all,
           produce a plurality of opinions, since there are no rules for a
           controlled, interdisciplinary coordinated approach (refer to
           para. 6.3.2).

 •       The safety responsibility here remains almost solely with the designing
         or manufacturing body, because the legal system normally does not
         provide for any other body that would assume or share such liability
         for safety.




 3        Limits of Safety

 The limits of safety are blurred. On the one hand, they are determined by the
 boundary conditions of the engineering, manufacturing and utilisation processes
 as well as by the costs; on the other hand, they arise from the progress of the
 state of scientific and technical knowledge. Drawing the borderline is
 necessary, and it brings gains. As an ethical task, a reasonable renunciation is
 neither a weakness nor a deficit or deficiency. In parallel, a tendency towards
 an extreme relocation of the limits is noticed. The following threat scenarios
 result:

 •       endangerment of the food basis ("cleanliness" of food and animal feed
         as well as tap water),

 •       deliberate disruptions by criminal conduct (sabotage, assaults, acts of
         terrorism),

 •       effects of warfare and force majeure, as well as forces of nature,

 •       endangerment from medicines (warnings of unexpected side effects) as
         well as from consumer goods, household chemicals and cosmetics,

 •       hazards from new technologies, e.g. pest control, application of
         genetic engineering, nuclear power engineering.

 For ethical reasons (refer to para. 1.6) it must be added that mankind is not
 only responsible for the conservation of its own basic life resources and those
 of subsequent generations, but is also the keeper and guardian of life of every
 kind (animal welfare, preservation of the diversity of species, protection of
 the biosphere). By contrast, a population at subsistence level will and must
 struggle solely for its self-preservation. A heightened sensitivity to the
 implications of technology might be interpreted as a characteristic of a
 saturated society. This means that opinions about the detriment and benefit
 resulting from technology and engineering, and about safety standards, are
 inhomogeneous.




 If the limits of safety are, conversely, to be understood as the extent of the
 threat to individual freedom, only a rational weighing between the standpoints
 of the individual and the community can fix the limit of safety, through a
 democratic process. It must always be made clear that this is a matter of
 weighing legal interests between the benefit intended and the risk undeniably
 created. In any case, the community as a whole is the beneficiary that draws the
 profit at large.

 In each case the following keynotes apply for laying down a safety approach:

 •       Absolute safety in terms of zero risk cannot be postulated by the
         legislator or the regulator (risk prohibition), because it is
         fundamentally not feasible.

 •       However, every opportunity should be seized, under this viewpoint, so
         that for the various technical products, processes, facilities and
         systems the relationship between the risk of conceivable harm and the
         benefit created for the objects of legal protection is well balanced
         (risk equivalence).

 •       The benchmark for the largest still justifiable damage is determined
         not only by the need to protect the legal objects in view, but also by
         the intention to meet societal needs (benefit), whereby a trade-off
         within a societal consensus (risk control) is generally crucial.



 3.1      Societally Accepted and State-defined Constraints

 In a constitutional State founded on the rule of law, citizens may reliably
 expect that decisions concerning life and health are publicly legitimised. That
 cannot be achieved without communication. Its purpose is not to convince the
 other party that a "Maximum Acceptable Risk" [German: "Grenzrisiko", i.e. risk
 threshold] is reasonable or unbearable. Rather, citizens shall be enabled to
 exercise their entitlement to co-decision and thereby attain a kind of "risk
 maturity". What is addressed here is the capability to form a personal
 judgement on residual uncertainties and other risk-relevant factors, based on
 knowledge of the actually verifiable consequences of harm-causing events or
 activities. This capability shall or will accord with personal moral concepts
 for shaping one's own life as well as with personal criteria for judging the
 acceptability of those risks for society as a whole.

 In recognising the citizen's co-decision, it is the task of the political
 institutions to establish and cultivate the necessary basis for communication.
 Within the framework of risk communication, all forms of communication are
 called for, from a simple documentation of results, through targeted offers of
 information, up to dialogue and involvement in decision-making.

 In a society in which a pluralism of ethical values dominates and political
 action is always under pressure of justification, the determination of
 thresholds and risk evaluations often raises scepticism or mistrust. Statements
 on risks depend on plausibility and on confidence in the so-called regulatory
 bodies.

 The more groups and individuals have the opportunity to take an active part in
 dealing with risks, the greater the chance that they develop confidence in the
 political institutions and also take on responsibilities themselves.

 However, this involvement cannot and must not be taken as a substitute for
 efficient risk management; it serves only as a decision-making aid. Above all,
 the responsibility of the legal decision-maker should not be obscured or
 softened thereby. Involvement is to be understood as

 •       mutual information (an indispensable prerequisite for proper
         decision-making),

 •       early participation of the persons concerned and the relevant societal
         groups (with the concession of a veto power, if applicable) and

 •       co-decision.

 The postulate of "practical rationality" as the constraint for the
 decision-maker requires that a harmful event can indeed be "practically"
 excluded according to the state of scientific and technical knowledge. In
 contrast to "theoretical rationality", "practical rationality" does not aim at
 the mere cognition of ideas but at the same time provides achievable
 orientations for action, based on the knowledge that a residual risk always
 remains.

 In view of the theoretically unlimited variety of harm prevention, a corrective
 in the form of "factual" or "reasonable" constraints and limits is seen here. As
 regards content, the absolute exclusion of harm is not required; it is rather
 sufficient that the occurrence of damage appears practically impossible
 according to the state of knowledge of natural scientists and engineers,
 including human prudence. Transferred to technical safety law, the demand for
 safety systems with reduced failure probability represents, for example, such
 an orientation for action. This also comprises all design and engineering
 provisions against multiple failure events, in particular those occurring
 simultaneously.

 What natural scientists and engineers often consider incomprehensible is
 nonetheless rational in the view of other societal groups. The rationality of
 societal decisions in a highly complex system is a severe challenge, because all
 democracies secure their legitimacy by close correspondence with public opinion.
 Where, on particular issues, the will for factual rationality is lacking because
 socio-political requirements come first, the tools of factual rationality are
 either not used at all or not used in accordance with their inherent potential.

 In general, the "Maximum Acceptable Risk" [risk threshold] cannot be determined
 quantitatively. As a rule, it is delineated indirectly by Safety Engineering
 stipulations. Putting the "Maximum Acceptable Risk" in concrete terms implies
 that the probability of occurrence and the extent of the detrimental events
 inherent to the technical products, processes, facilities and systems concerned
 are well known and can be delineated at least qualitatively. Therefore, the
 delineation and assessment of technical risks likewise belongs to the duties of
 the regulatory bodies and/or the State, which implement the contributions of the
 circles concerned while assessing them (refer to para. 3.5.4).



 3.2      Unattainability of Absolute Safety

 Absolute safety is unattainable for multiple reasons, because

 •       technical processes never run with 100 % reliability, i.e. without any
         disturbance, and the technical equipment concerned can a priori never
         be immune to every failure event
         (hence safety-related provisions such as "fail-safe" and
         "fail-operational" designs),

 •       material properties are not 100 % detectable and, therefore, cannot be
         absolutely reliable
         (in engineering this knowledge is accounted for by e.g. "worst case"
         considerations and so-called safety factors),

 •       the state of knowledge is never completely and exhaustively
         comprehensible,

 •       economic feasibility sets limits to the efforts that can be made for
         maximum safety,

 •       human action always carries the possibility of error and fault.
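 The "fail-safe" and "fail-operational" provisions named in the first bullet, and the fail-safe design principle introduced in para. 2.3, as an added example that is not part of the memorandum: a 2-out-of-3 voter over three redundant sensor channels that tolerates one faulty channel and keeps the function running (fail-operational), and commands the safe state whenever no trustworthy majority remains or the voted value exceeds the trip limit (fail-safe: the voter never guesses). The readings, the tolerance, the trip limit and the names SAFE_STATE and RUN_STATE are assumed for illustration.

```python
"""2-out-of-3 voting with fail-operational and fail-safe behaviour.

Added example, not part of the VDI memorandum. Three redundant channels
measure the same quantity; the voter masks one faulty channel and drives the
actuator to the safe state as soon as no trustworthy majority remains.
Thresholds and readings are assumed sample values.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional, Sequence

SAFE_STATE = "TRIP"   # assumed: de-energised / shut-down position is the safe one
RUN_STATE = "RUN"


@dataclass(frozen=True)
class VoterResult:
    output: str              # RUN or TRIP command to the actuator
    value: Optional[float]   # voted process value, None when no value could be trusted
    excluded: tuple          # indices of channels the voter rejected
    degraded: bool           # True while running on only two agreeing channels


def vote_2oo3(readings: Sequence[Optional[float]], tolerance: float,
              trip_limit: float) -> VoterResult:
    """readings: three channel values; None means the channel has self-diagnosed
    a fault. Two channels agree when |a - b| <= tolerance.
      - three healthy channels forming a consistent majority -> RUN with the median
      - exactly one channel faulty or discrepant -> RUN with the mean of the
        agreeing pair (fail-operational, flagged as degraded)
      - fewer than two healthy channels, or no agreeing pair -> TRIP (fail-safe)
    In every RUN case the voted value is still compared with trip_limit.
    """
    if len(readings) != 3:
        raise ValueError("2oo3 voter needs exactly three channels")
    healthy = {i: v for i, v in enumerate(readings) if v is not None}
    failed = tuple(i for i in range(3) if i not in healthy)
    if len(healthy) < 2:
        # Two self-diagnosed faults: no majority possible, go to the safe state.
        return VoterResult(SAFE_STATE, None, failed, False)
    pairs = [(i, j) for i, j in combinations(sorted(healthy), 2)
             if abs(healthy[i] - healthy[j]) <= tolerance]
    if len(healthy) == 3 and len(pairs) >= 2:
        # Consistent majority: use the median, which a single outlier cannot pull.
        value, excluded, degraded = sorted(healthy.values())[1], (), False
    elif len(pairs) == 1:
        # One channel failed or disagrees: keep operating on the agreeing pair.
        i, j = pairs[0]
        value = (healthy[i] + healthy[j]) / 2.0
        excluded = tuple(c for c in range(3) if c not in (i, j))
        degraded = True
    else:
        # Healthy channels contradict each other: do not guess, fail safe.
        return VoterResult(SAFE_STATE, None, tuple(range(3)), False)
    output = SAFE_STATE if value > trip_limit else RUN_STATE
    return VoterResult(output, value, excluded, degraded)


if __name__ == "__main__":
    # Constructed sample scans: pressure in bar, tolerance 0.5 bar, trip above 50 bar.
    for scan in ([10.0, 10.2, 9.9], [10.0, 10.2, 47.0], [10.0, None, 10.4],
                 [10.0, None, 12.0], [None, None, 10.0], [55.0, 55.1, 54.9]):
        print(scan, "->", vote_2oo3(scan, tolerance=0.5, trip_limit=50.0))
```

The two provisions are visible in the branches: the middle branch keeps the function available with a flagged, degraded redundancy (fail-operational), while every path on which the voter cannot establish a trustworthy value ends in the safe state rather than in a best guess (fail-safe).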

 Ignorance and imperfection in Safety Engineering can indeed be limited.
 Compared with absolute safety, however, the effectiveness of safety-oriented
 measures can only be described as an asymptotic convergence. An occurring harm
 can therefore only be excluded with absolute certainty if such an event is
 impossible by the laws of nature. Consequently, a failure potential is inherent
 in every technical safety system. Absolute safety cannot be realised by any
 technical equipment. A residual risk always remains; however, it must be lower
 than an appointed "Maximum Acceptable Risk" [risk threshold]. A demand for
 absolute safety or fault-free solutions for complex technical systems therefore
 leads in the wrong direction.

 The classical question in Safety Engineering, "How safe is safe enough?", covers
 the conflicts of objectives between Technical Safety and practicability on the
 one hand, and financial feasibility as well as societal notions about safety on
 the other. A Technical Safety oriented solely towards the maximum may, in cases
 of doubt, even be harmful to the user. An exaggerated measure of Technical
 Safety sometimes leads to a loss of practical manageability. Thus, increased
 complexity of safety systems implies the danger of elevating risks.

 As a result, from the safety-related, environmental, economic and legal points
 of view the aim is to generate an optimised, i.e. a relative, safety. For this,
 the remaining threshold risks of technical facilities, products and operational
 modes are to be determined and compared with proven Safety Engineering, with
 alternative products and with other impacts of civilisation on the environment
 as well as with the natural risks of life, and opened up through communication
 management for far-ranging acceptance.

 Only such comparative risk estimations allow one to perceive the
 natural-scientific, technical and legal significance inherent in the optimum
 safety of a technical facility, product or operational mode. The protection of
 man and his environment can and must be optimised through Technical Safety, but
 will always remain relative.



 3.3      Risk Comprehension

 The term "risk" is understood and used in different ways; nowadays it is a word
 used in many contexts. Therefore, a clarification and definition is given here
 within the framework of this Memorandum on Technical Safety:

 Risk is the quantitative as well as the qualitative characterisation of harm
 with regard to the probability of its occurrence and the extent of its
 consequences.

 According to W. Bons (journal "Kunst und Technik" [Art and Technology] of the
 Deutsches Museum [German Museum], Munich, Vol. 4, p. 18, 1999), "risks are a
 typically modern form of handling uncertainties". A glance at the history of the
 risk concept shows that it emerged from the context of the long-distance trade
 of the medieval Italian cities. Long-distance trade was a business as systematic
 as it was uncertain. These uncertainties were not called dangers, i.e. regarded
 as a threat against which nothing could be done, but denominated as risks
 (Italian: rischiare = to dare). The merchant did not submit to the
 uncertainties; rather, he calculated their challenge and speculated on success.
 The uncertainties he encountered he no longer conceived as a fateful threat but
 as a calculable venture, i.e. as problems which made themselves felt negatively
 if he erred in his calculations and did not take precautionary measures.

 The complementary terms risk – opportunity describe the venture that an
 operation, an activity or an event entails: damage – benefit, loss – profit,
 disadvantage – advantage. In conjunction with the "Act on the Peaceful
 Utilisation of Atomic Energy and the Protection against its Hazards" (Atomic
 Energy Act), the term risk has been discussed in more detail, whereby the Atomic
 Energy Act, in referring to the "state of the scientific and technical
 knowledge", presumes a separation between hazards to be averted and
 probabilities of harm. The probability of occurrence, the extent of the related
 harm and the resulting valuation have a decisive influence on the categorisation
 into hazard averting, risk precaution and "Maximum Acceptable Risk" [risk
 threshold]. Beyond hazard averting and risk precaution lies the area of the
 so-called "Maximum Acceptable Risk" [risk threshold], which all citizens have to
 bear as a "socially adequate burden". Implicitly, the "Maximum Acceptable Risk"
 [risk threshold] derives from the totality of technical standards and from
 responsible action in accordance with these standards while applying the
 accumulated knowledge.

 Accountability for the limits of safety comprises the willingness of the people
 concerned to deal with risks appropriately, to assess and evaluate them, and to
 accept or reject them only once the overall result is available. Safety, stated
 more precisely here as Technical Safety and defined by a "Maximum Acceptable
 Risk" [risk threshold], must be considered in a chain of interdependencies
 extending from the objectives via realisation and usefulness to the control and
 cognition of risks.

 Scientifically substantiated risk analyses are helpful and necessary instruments
 for a rational approach. Only by means of them can risks be understood and the
 options with the lowest expected harm be chosen. However, citizens conceive risk
 less scientifically than emotionally. If one wished to accommodate their
 emotions then, under purely rational consideration, the scientifically logical
 risk analyses would have to be customised for those emotions, and the risk
 analysis could no longer be characterised as scientifically consistent. Thus,
 the analysis remains within the professionally qualified perimeter. The general
 public, however, can be involved in risk communication, by which the results of
 the analysis are brought closer to the interested circles of society.



 3.4      Relations between Risk, Safety Engineering and Technical Safety

 The global events in our world, which as a rule are randomly and multi-causally
 interrelated, are neither predictable with mathematical accuracy nor
 predeterminable. The complexity of these natural events gives man, if at all,
 only a very marginal opportunity to exert influence. Locally limited
 intervention in nature is possible to a very restricted extent; the resulting
 outcome often cannot be estimated at all, or only insufficiently. Man remains
 largely exposed to the natural events, which involves for him a natural risk of
 life. Natural risks appear as fateful.

 Man has learned to provide himself with technical equipment ranging from the
 prehistoric hand axe to the contemporary industrial complex, from the simple
 fireplace to the modern power plant. Unlike the natural risks, man can keep the
 risks inherent in the technical equipment created as provision for his own
 existence largely under control. For the control of these technical risks,
 mankind is equipped with the entirety of Safety Engineering methods. With
 professionally competent and proper application, an extraordinarily high level
 of technical safety can be achieved. Technical equipment is regarded as
 "technically safe" if the risk inherent in the existence and utilisation of this
 equipment is demonstrably kept under control so that the related "Maximum
 Acceptable Risk" [risk threshold] is not exceeded (refer to para. 3). The term
 Technical Safety denotes those attributes of technical equipment for which it is
 proven that they are technically safe.

 These relations can be summarised as follows:

 •       Natural risks are controllable only to a restricted degree; technical
         risks, however, can be kept under control to the same degree as
         technology and engineering themselves.

 •       Safety Engineering is the methodical instrument for keeping technical
         risks under control.

 •       Technical Safety is generated and verified through the application of
         Safety Engineering.



 3.5      Safety-related Feasibility

 Technical Safety is generated and cultivated. The State must react
 administratively to possible threats and technical risks in order to avoid harm
 to its citizens. The respective provision for this purpose is technical safety
 law, which at large responds to the distinctive features of technology and
 engineering by exhibiting the following attributes:

 •       The inevitable time span between the completed engineering of a new
         technology and the legal regulation that follows only afterwards has
         led to application-oriented bodies of law; the "law of technology and
         engineering" is fragmented and applies only to dedicated technical
         domains (engineering fields).

 •       The substantiation of the intentionally undefined demand for Technical
         Safety is shifted from the lawmaker to the level of law application by
         experts, authorities and courts of justice.

 •       Legal demands for Technical Safety are paraphrased by "non-substantiated
         legal terms" (indeterminate legal terms) such as "generally accepted
         technical standards", "state-of-the-art" or "state of the scientific
         and technical knowledge", in order to express the requirements for
         safety-related attributes and functional behaviour.

 Technical products may only be put on the market if the technical facilities
 they are built from meet, with orderly maintenance, the protection objectives of
 all relevant legal regulations over a suitable and adequate duration. And they
 must be serviceable. In addition to the relevant knowledge of the acting
 personnel and of those institutions involved in the subject field of safety,
 Technical Safety is largely based on technical standards, legal regulations and
 limit loads, which, due to their application reference, differ historically and
 are often distinguished by different terminology.



 3.5.1 Generally Accepted Technical Standards

 The term "generally accepted technical standards" is a legal term that has been
 used in criminal law for some time. For example, according to § 319 StGB
 "Endangerment in Construction" [German: Baugefährdung] (formerly § 323 StGB) of
 the German "Criminal Code" [German: Strafgesetzbuch], anyone who offends against
 the "generally accepted technical standards" and thus endangers life and limb of
 third persons in planning, supervising or executing construction work or the
 demolition of a building will be penalised. The "generally accepted technical
 standards" are not fulfilled merely by a rule being proven as realistic
 according to scientific knowledge; it must also be generally accepted, i.e. be
 consistently applied by the engineers concerned and recognised in practice as
 appropriate.

 This means, therefore, that it does not depend on whether science recognises and
 teaches a rule, or whether this rule is recognised in the relevant specialist
 literature; rather, practising architecture as well as engineering and the
 building trade, i.e. the practical exercise of realising the technical system
 (facility, product, process), must also exhibit the conviction of the need for
 such rules. This conviction must have been consolidated in such a manner that it
 can be referred to as generally accepted in the sense of the law.

 According to prevailing opinion, there is a factual presumption that a standard
 [i.e. a Technical Standard] reflects at the date of its issue the applicable
 state-of-the-art. At the date of issue, however, practical exercise is very
 often still lacking, in particular when the implementation of a new technology
 is concerned. Moreover, with very lengthy standardisation procedures for complex
 matters, it is not impossible that the standard [i.e. a Technical Standard] no
 longer corresponds to the general outlook at the date of publication and,
 therefore, that the rules stipulated therein no longer correspond to the
 state-of-the-art. Nevertheless, there is an actual but at any time refutable
 presumption that relevant standards [i.e. Technical Standards] reflect
 "engineering rules" which are generally accepted.

 "Generally accepted technical standards" have been compiled by experts in
 consensus. They may be written or unwritten, but as a general rule they are
 codified. A standard [i.e. a Technical Standard] can be a "generally accepted
 technical standard", but not necessarily. According to the prevalent opinion,
 there is merely a factual presumption that a standard is, at the date of its
 issue, a generally accepted [engineering] rule, in particular when it has passed
 the standardisation procedure according to (the German) DIN 820:2007-11
 "Standardization" [German: Normungsarbeit]. The law of technology and
 engineering forms its requirements using non-substantiated legal terms in order
 to shape technical design and development efficiently within the scope of law.
 For substantiation, it therefore relies on generally accepted technical
 standards, which are also summarised under the term "sub-legislative
 regulations". Relevant law-making expresses the quite refutable fiction that all
 technical standards which are generally legitimated and communicated by law
 count as generally accepted technical standards.



 3.5.2 State-of-the-Art

 The state-of-the-art is a non-substantiated (indeterminate) legal term; it
 describes the technological potential at a given date, based on the assured state
 of scientific and technical knowledge. The term is found in many regulations and
 contracts and is given its precise content through its legal application. It
 denotes measures whose level of requirements lies between the generally accepted
 technical standards and the state of scientific and technical knowledge.

 The state-of-the-art is the stage of development of advanced processes, equipment
 or operating methods at which the practical suitability of a measure for the goal
 pursued (e.g. occupational health and safety, environmental protection, safety of
 third parties, economic efficiency; in general, the achievement of a high level
 with respect to the relevant aspects) appears assured overall. It has, however,
 not yet been sufficiently tried out over time and is mostly known only to
 specialists; this is why, in civil engineering for example, compliance with the
 generally accepted technical standards is usually what is contractually required.



 3.5.3 State of the Scientific and Technical Knowledge

 In contrast to the “state-of-the-art”, the “state of the scientific and technical
 knowledge” denotes a stage of technical development in which processes and
 equipment have been tried out on test and pilot installations, but their
 implementation in practice is still outstanding (refer to Figure 2).

 Linking legal requirements to the term “state of the scientific and technical
 knowledge” relieves the law-maker of providing detailed Safety Engineering
 regulation, for which he is empowered neither by the tasks allocated to him within
 the separation of powers nor by his expert knowledge. By referring to the “state
 of the scientific and technical knowledge” (e.g. in §7 II no. 3 of the Atomic
 Energy Act [German: Atomgesetz]), the law-maker therefore requires that scientific
 and technical progress be taken into account against the background of the legal
 provision: that precaution against technical risks must be taken to the extent
 deemed necessary according to the most recent scientific knowledge.

 The determination and evaluation of the state of the scientific and technical
 knowledge must be carried out on a scientific-technical basis, both for hazard
 assessment and for hazard control, in compliance with the basic principle of
 “balance”: a risk may be disregarded if, viewed in isolation, it is assessed as
 minor, if it does not add up with other similar risks to a noteworthy overall
 risk, and if taking it into account would necessarily induce other, possibly
 larger risks.

 The state of the scientific and technical knowledge is expressed to a large extent
 in sets of rules issued by different [standardisation] committees. It is understood
 as the current status of research and development within a scientific discipline.
 It must rest on conclusive evidence that withstands assessment by third parties.
 Specialists first agree on the “state of the scientific and technical knowledge”
 in a scientific discourse and then make it available to the specialist public.




 [Figure 2 (diagram): Technics / Safety Level plotted against Time; labels: “State
 of Science and Technics / Research”, “State of the Art / Safety Engineering”,
 “Set of Rules – Legal Requirements and Technical Standards”.]

                                 Figure 2: State-of-the-Art – Set of Rules






 3.5.4 Methodology for Determining the Limits of Safety

 Shifting threshold values for large-scale industrial facilities into sub-
 legislative sets of rules [technical standards] raises several problems. First,
 there is the question of the legitimacy of the work of the relevant committee, of
 its membership and of the procedure by which its knowledge is gained. Second, the
 complete body of rules is – owing to the multitude of such committees and
 regulations – frequently hard to survey as a whole; it exhibits overlaps and in
 some cases even conflicts, is inconsistent in structure, systematics and wording,
 and thus makes orientation difficult for those applying the law. This is
 particularly precarious in domains where, on the one hand, high investments are
 concerned and, on the other hand, considerable risks for third parties are at
 stake, including the burden of lawsuits.

 An additional problem arises from the merging of objective knowledge, i.e. the
 search for truth, with its valuation. The committees mentioned above are regularly
 competent and legitimised for the process of gaining knowledge and for the
 consequences deduced from it, but not for the socio-political assessment of risks
 (refer to para. 3.3).

 In its stepwise implementation, the safety-related feasibility passes more or less
 distinctly through the phases of the product lifecycle described in para. 1.5
 (refer also to Figure 2). This phased approach not only facilitates technical
 management, but also notably secures the necessary organisational measures and
 finally results in risk management.

 The Planning Process comprises the following two phases of the product
 lifecycle:

 •       Conception phase,

 •       Definition phase.

 These two phases of the product lifecycle are assigned to the Realisation
 Process:

 •       Development and engineering phase,

 •       Realisation phase.

 The Operation Process is finally composed of these two phases:

 •       Operation and utilisation phase,

 •       Retreat, disposal and recycling phase.

 When new laws and stricter ordinances are called for in order to tighten threshold
 values for safety and environmental protection, applause is assured in many
 countries of the world. In reality, noticeable improvements are achieved only in
 the medium to long term, if only because of the duration of the legislative
 procedure and the transition periods. What goes entirely unnoticed is that every
 additional complication of the already intricate legal and regulatory system
 impairs the application of the law through overload and lack of knowledge. It
 would be preferable to make today’s applicable laws and ordinances on safety and
 environmental protection significantly more transparent; this would noticeably
 raise the level of safety and environmental protection without having to issue a
 new law.

 Reducing the complexity of technical equipment, and the associated uncertainties
 and risks, is the continual aim in technical, economic or ecological problem
 cases. Compromises are inevitable here because the resources for realisation are
 limited and the available information is always incomplete. A compromise cannot in
 itself represent an optimum, but only the best feasible option under the given
 circumstances, and therefore lays no claim to absolute validity.

 Risks must be minimised in a socially compatible way; this requires a permanent
 balancing between individual and societal benefit. Compromises are unavoidable
 here, but they are ethically justifiable. It can be observed that the
 determination of the limits of safety within the framework of safety-related
 feasibility depends on responsibility, acceptance, compromises, the criterion of
 practical rationality, political enforceability and, finally, on ethical norms.
 Stipulating Technical Safety requires practicability and cost awareness, and is
 tied to progress in research and engineering. It is governed by the status of
 knowledge and by societal acceptance.





 4        Assessability of Safety

 Safety can only be assured insofar as it can be assessed. This chapter shows where
 the constraints on this assessability lie, which methodical approaches exist for
 improving it, and which instruments have proved themselves for assessing the
 Technical Safety of a technical product or system over the different phases of its
 lifecycle.



 4.1      Constraints of the Assessability

 4.1.1 Status of Knowledge

 The status of knowledge is laid down in different categories that may be applied
 in the German legal system. Technical products may only be used when the technical
 equipment they are built from meets, given orderly maintenance, the protection
 objectives of all relevant legal regulations over a suitable, adequate period. The
 categories are distinguished according to their binding force: Generally accepted
 technical standards, State-of-the-art and State of the scientific and technical
 knowledge (refer to para. 3.5):

 •       The “Generally accepted technical standards” result from the consensus
         of the experts; they are normally codified and applied as binding. A
         technical norm can also be a generally accepted technical standard, but
         it does not have to be.

 •       The “State-of-the-art” refers to the dynamic status of evaluated
         experience and knowledge. It delineates the technical possibilities at a
         given date and also defines their economic boundary conditions.

 •       The “State of the scientific and technical knowledge” is a status that
         cannot be regarded as common knowledge. It puts results from research
         and development up for discussion with regard to their application. The
         “State of the scientific and technical knowledge” may be useful for
         fulfilling the requirement to keep a residual risk as small as possible.






 4.1.2 Responsibility

 4.1.2.1 Kinds of Responsibility

 Engineering processes, and in particular the verification of safety, proceed under
 the responsibility of people. An individual can take responsibility for the
 verification of safety if he is able to oversee it. In technology, more complex
 kinds of responsibility often occur, in which designated institutions or bodies
 have to accomplish a particular task for their members, for stakeholders or for
 the community as a whole.

 The responsibility of the individual arises from the role he plays, as a duty to
 fulfil the assigned tasks optimally. First of all, everybody is responsible for
 the result and the direct consequences of his own actions. This also includes the
 results and consequences of omitted or neglected actions. A special case of role
 responsibility is responsibility for prevention, which, for example, obliges an
 inspection engineer to look systematically for weak points in a technical facility
 in order to prevent accidents and incidents as a precaution. Secondly, everybody
 has, beyond the obligations assigned to him, the quite general obligation to
 respect and uphold basic rights (such as the right to life, the right to personal
 property, etc.).

 As “legal persons” [juridical bodies], institutions [or other administrative
 bodies] cannot bear accountability; it is the persons acting within them who bear
 the responsibility. The responsibility must therefore be assigned to the relevant
 persons representing these institutions. The complexity of the tasks calls for a
 clear apportionment of the overall responsibility and its allocation to areas
 whose extent is arranged according to the abilities and competences of the
 individual persons.



 4.1.2.2 Conflict between Economic Restraints and Technical
         Needs

 A frequent conflict exists between the responsibility of the institution for the
 invested funds and the general responsibility for safety. The starting point is
 the consideration that the quantity and quality of goods and services are
 evidently better regulated by the control mechanism of the market than by State
 planning in a State-directed economy. The inherent principle of competition
 promotes optimisation processes; whoever fails to implement them is displaced from
 the market. For ordinary goods and services, the self-regulating effect of the
 market provides a balance between the quantity and quality of a product and
 customer satisfaction. So long as the customer is in a position to appreciate,
 examine and grasp the quality, he can intervene in the market.

 When the market is disturbed by external effects (such as environmental
 influences) or by an unequal distribution of knowledge among the market
 participants, the State must intervene in the open market by defining target
 values for the quality attributes of products. In this way, higher quality levels
 may (though not always) be stipulated than would result from the free interplay
 of the market. The State thereby makes provision for the public benefit. For
 Technical Safety, this enforces the constitutional principle of physical
 inviolability. In parallel, it averts the high follow-up costs for the public
 authorities that would be expected in the absence of regulation.

 In the domain of Public-Technical Safety, the market principle can, for a number
 of reasons, be applied only to a limited extent. The key criteria of interest here
 must therefore be examined individually by experts.

 In the goods sector, only a limited number of products have exclusively safety
 functions (e.g. fire extinguishers, safety relief valves and safety belts). The
 customer cannot always assess their attributes. What matters is how often, or in
 which situations, the relevant products have to prove their function: in routine
 operation, in normal use including ordinary incidents, in accident situations or
 in the case of a catastrophe.

 The customer cannot appraise the quality of a fire extinguisher that, in the ideal
 case, is never used. If, however, the quality of a safety-relevant product cannot
 be appraised, the self-regulating influence of the market is lost. Unsuitable
 products threaten to survive on the market or, where they offer price advantages,
 even to dominate it.

 Considerably more frequently, goods have a safety function in addition to their
 utility (e.g. process or transport containers, pipelines, car brakes). In these
 cases, the interest in sales is overlaid by the safety function. If the interest
 in sales and public safety move in the same direction, the market supports the
 enforcement of safe goods.

 Experience shows that this principle fails in the case of shared or blurred
 responsibilities. Negative customer experience then has no impact on the
 producers of the goods. Typically, safety deficits also occur when the economic
 benefit of a product or service declines in relation to the duties and
 requirements imposed. The transportation of hazardous materials as high-value
 goods is controlled quite differently from waste transportation.



 4.1.2.3 Priorities for the Decision on Conflicts of
         Responsibility

 There can be an optimum between economic effort and achieved safety, which must,
 however, lie within the moral reservation of adequate safety. For the decision on
 responsibility and role conflicts, the following priorities arise according to
 H. Lenk and M. Maring („Technology between Competence and Must-do – Who Accounts
 for Technology?”, in TÜV Saarland Foundation [ed.], Congress Documentation
 Saarbrücken 2001: World Congress on Safety of Modern Technical Systems,
 [pp. 725-738], Cologne: TÜV Publishing House [German: Technical Supervisory
 Association]):

 (1)     „Balancing the moral rights of each individual concerned” (refer to
         para. 1.6).

 (2)     „Searching for a compromise, which equally regards each one” in the case
         of an insolvable conflict „between equivalent basic rights”.

 (3)     „Only after balancing the moral rights of each party, one might and should
         vote for the solution, which involves the least detriment for all parties.”

 (4)     Only after applying (1) through (3), balancing benefit against detriment.

 (5)     In practically insolvable conflicts between the parties involved, one
         should search for fair compromises with regard to detriment and benefit
         for the different parties (“fair compromises” are, for example, a nearly
         uniform distribution or a fairly proportioned sharing of burden and/or
         benefit).

 (6)     Universal-moral responsibility overrides as a rule the responsibility for
         task and/or role.

 (7)     The greater public good, the public interest shall override all other
         specific and particular non-moral interests.

 (8)     In technical standards, too, priority principles are specified. In
         accordance with DIN VDE 31000-2 „General Principles for the Safety Design
         of Technical Products – Terms of Safety Engineering – Basic Terms”
         [German: Allgemeine Leitsätze für das sicherheitsgerechte Gestalten
         technischer Erzeugnisse – Begriffe der Sicherheitstechnik –
         Grundbegriffe], the following rule, for example, can be set up: “For
         safety-compatible engineering, that solution is to be preferred by which
         the protection target is achieved in the technically and economically
         most reasonable manner. In case of doubt it is to be assumed, in the first
         instance, that safety-related needs take priority over economic
         considerations.” On the other hand, it has become apparent, particularly
         in civil aeronautical engineering, that safety-related solutions which do
         not conflict with economic solutions are normally quite possible.

 (9)     In the case of „urgency”, the ecological compatibility overrides the
         economic application.

 (10) Definite humanity overrides abstract requirements and universal
      principles (definite human- and social-compatible choice between
      conflicting rights).



 4.2      Learning as a Continual Task

 Disturbances, accidents and near-accidents (including deviations from defined
 normal operation) are unintended, unexpected system states. Because they are
 unexpected, there is no opportunity to verify them in advance. Many event analyses
 have demonstrated that the operator’s action may have triggered the disturbance,
 but that this alone does not suffice as an “explanation”. Design, engineering,
 maintenance and management errors, which lie far ahead of the triggering action in
 time, are also to be regarded as contributing conditions. These errors must be
 avoided or eliminated by systematic retention of experience. In principle, there
 are three strategies for this:



 4.2.1 Feed forward-Control of Safety and Reliability

 Probabilistic approaches to risk estimation, which also cover personnel actions
 in the form of a Human Reliability Analysis (HRA), have long been applied in
 various fields of industry (nuclear industry, civil aviation and civil
 engineering). However, these approaches leave a lot to be desired. The required
 statistical data on failures of technical components are indeed relatively good,
 but this is not the case for the underlying statistical information on human
 action and for the quality of the chosen models of it. It must be taken into
 account that these approaches yield only biased results and thus have certain weak
 points: statistically sound databases are missing, so the approaches rest largely
 on informed guesses. This need not curtail the potential of probabilistic
 approaches, however. These methods are helpful for generating hypotheses and for
 raising awareness of Human Factors (HF) aspects in the design and engineering of
 technical facilities, and should be developed further. Applied alone, however,
 they do not suffice for a robust statement about safety.



 4.2.2 Feed back-Control of Safety and Reliability

 Humans learn from experience, mainly from mistakes; organisations learn from
 occurrences, including incidental ones, which have to be analysed systematically.
 Alongside systematic cause analysis, an occurrence-related reporting system must
 be installed. Very few industries with high hazard potential have an efficient
 reporting system for incidents and accidents. Where supervisory authorities
 prescribe such a system and enforce it on the basis of reporting-obligation
 criteria, this is often perceived as onerous. Even more rarely are occurrence
 reports below a given reporting threshold gathered, kept on record and analysed,
 although precisely these reports should enable particularly instructive learning.
 Consideration should be given to how such reporting systems, below and above the
 reporting obligation, are to be conceived and implemented in order to achieve the
 maximum gain in knowledge deemed necessary. For this purpose, a reorientation of
 the error-management culture is needed in Germany, which ultimately amounts to
 communicating a mistake the first time it occurs and sanctioning only its
 recurrence.



 4.2.3 System of Organisational Learning

 The learning process must be institutionalised as organisational learning. Both
 forms of safety control (“feed forward” and “feed back”) can enrich each other
 when they are systematically correlated. Such a correlation must be established
 by setting up analysis and record databases. In doing so, the following points
 are to be considered:

 •       Standardised category systems,

 •       Periodic analyses of a number of events,

 •       The derivation of appropriate prevention concepts, as well as

 •       Assurance of real-time feedback about events to persons affected.
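 As an added illustration of paras. 4.2.1 to 4.2.3 (not part of the memorandum), the following Python sketch correlates the two control loops over one standardised category system: feed-forward prior rate estimates per category are corrected by the feed-back occurrence record, once with and once without the reports below the formal reporting threshold, and the result is ranked to show where prevention concepts are needed. The categories, severity scale, threshold, priors and occurrence log are constructed assumptions, and the Gamma-Poisson update is an assumed method rather than one the memorandum prescribes.

```python
# Added example, not from the VDI memorandum: correlates feed-forward control
# (prior failure-rate estimates per event category, e.g. from a PRA/HRA) with
# feed-back control (an occurrence record) over one standardised category system.
# Categories, severity scale, threshold, priors and events are constructed for
# this example; the Gamma-Poisson update is an assumed method, not the memorandum's.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

CATEGORIES = ("component_failure", "human_action", "maintenance_error", "design_error")
# Severity 1 (deviation from normal operation) .. 5 (accident). Events at or above
# the threshold fall under the formal reporting obligation; the rest are logged too.
REPORTING_THRESHOLD = 3


@dataclass(frozen=True)
class Occurrence:
    day: int          # operating day of the observation
    category: str
    severity: int
    note: str


@dataclass(frozen=True)
class RateEstimate:
    """Gamma(shape, rate) belief about events per operating day. 'rate' counts
    pseudo operating days of evidence, so a large value means a firm prior."""
    shape: float
    rate: float

    @property
    def mean_per_day(self) -> float:
        return self.shape / self.rate


class OccurrenceRecord:
    """Feed-back side: every occurrence is logged, also those below the threshold."""

    def __init__(self) -> None:
        self.events: list[Occurrence] = []

    def report(self, occ: Occurrence) -> None:
        if occ.category not in CATEGORIES:
            raise ValueError(f"unknown category {occ.category!r}: use the standardised set")
        if not 1 <= occ.severity <= 5:
            raise ValueError("severity must lie between 1 and 5")
        self.events.append(occ)

    def reportable(self) -> list[Occurrence]:
        """Events that fall under the formal reporting obligation."""
        return [e for e in self.events if e.severity >= REPORTING_THRESHOLD]

    def periodic_analysis(self, first_day: int, last_day: int) -> dict[str, int]:
        """Events per category in an analysis window (both ends inclusive)."""
        counts = Counter(e.category for e in self.events if first_day <= e.day <= last_day)
        return {c: counts.get(c, 0) for c in CATEGORIES}


def update(prior: RateEstimate, observed: int, exposure_days: float) -> RateEstimate:
    """Conjugate Gamma-Poisson update: shape += observed events, rate += exposure."""
    if observed < 0 or exposure_days <= 0:
        raise ValueError("observed must be >= 0 and exposure positive")
    return RateEstimate(prior.shape + observed, prior.rate + exposure_days)


def correlate(priors: dict[str, RateEstimate], record: OccurrenceRecord,
              exposure_days: float, include_below_threshold: bool) -> dict[str, RateEstimate]:
    """Feed the occurrence record back into the feed-forward estimates."""
    events = record.events if include_below_threshold else record.reportable()
    counts = Counter(e.category for e in events)
    return {c: update(priors[c], counts.get(c, 0), exposure_days) for c in priors}


def prevention_priorities(estimates: dict[str, RateEstimate]) -> list[str]:
    """Categories by estimated rate, highest first: where prevention concepts belong."""
    return sorted(estimates, key=lambda c: estimates[c].mean_per_day, reverse=True)


# Feed-forward priors (constructed): component failure data are comparatively firm;
# the human-action figure is an informed guess and therefore gets a weak prior.
PRIORS = {
    "component_failure": RateEstimate(shape=20.0, rate=1000.0),  # 0.020 / day
    "human_action": RateEstimate(shape=1.0, rate=200.0),         # 0.005 / day
    "maintenance_error": RateEstimate(shape=2.0, rate=1000.0),   # 0.002 / day
    "design_error": RateEstimate(shape=1.0, rate=2000.0),        # 0.0005 / day
}


def sample_record() -> OccurrenceRecord:
    """Constructed occurrence log for one year of operation of a fictitious facility."""
    rec = OccurrenceRecord()
    for day, cat, sev, note in [
        (12, "human_action", 1, "valve left in manual after test"),
        (40, "component_failure", 2, "level sensor drift"),
        (77, "human_action", 2, "wrong recipe selected, caught by interlock"),
        (95, "human_action", 4, "interlock bypassed, release into bund"),
        (130, "component_failure", 3, "pump seal leak"),
        (160, "maintenance_error", 2, "torque values not recorded"),
        (260, "human_action", 3, "transfer started with line open"),
        (350, "component_failure", 4, "relief valve failed to reseat"),
    ]:
        rec.report(Occurrence(day, cat, sev, note))
    return rec
```

 Running `correlate(PRIORS, sample_record(), 365.0, include_below_threshold=True)` roughly doubles the human-action estimate, whereas restricting the feed-back to the four reportable events leaves it almost at its prior value, which is the learning that the sub-threshold reports carry.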



 4.2.4 Determination of the State-of-the-Art as Learning
       Scheme

 The determination of the state-of-the-art is often a precondition for acting in
 conformity with the law. Because of its outstanding importance, numerous attempts
 have been made to systematise this (learning) process of determining the
 requirements. It starts by defining what the state-of-the-art is to be determined
 for, for what reasons and by whom. In the particular case this means:

 •       For what? (for which object):

         This can be a certain type of technical facility, a specific facility, a sub-
         system or an important safety-related system component.

 •       To what (for what purpose/from what motive):

         The reason (context, background) is asked for here, e.g. conducting an
         authorisation procedure for a new system, a modification (enlargement,
         capacity increase, reduction of harmful substances, …) or the retrofitting
         of an existing technical facility.

 •       By whom (person/institution):

         The type of business is asked for here (e.g. small and medium-sized
         enterprise or large concern), which internal organisational units and
         external bodies are involved, and who in particular is in charge of the
         overall control.

 In order to assess whether a technical facility meets the state-of-the-art, the
 following findings can be consulted:

 •       Comparable procedures, installations and operating methods,

 •       Combination or conjunction of different safety measures,

 •       Safety precautions in other types of technical facilities that are
         comparable to the considered technical facility with respect to their
         technology and the materials in use.

 The duty of safety should be implemented in three stages. The stages make clear
 that particular safety-related measures can be used for determining the
 state-of-the-art without an obligation having to be derived from them. The
 particular measures do not have to be realised in the facility to be assessed,
 since only the analogy to the reference parameter matters.

 •       At the first stage, the state-of-the-art is to be determined for the particular
         safety-related assignment of tasks (e.g. in the framework of a technical
         pilot or demonstrations facility) in order to serve as reference parameter
         for the technical facility precisely to be assessed.

 •       At the second stage, the judgmental consideration takes place whether the
         particular technical facility is compliant with the determined state-of-the-
         art. A check is made whether the protection goals are attained by the
         measures provided for on the particular technical facility (analogy check).

 •       At the third stage, the decision is made – based on the results of the
         above-mentioned stages – about the approval or supervision procedure
         (legal consequence).



 4.2.4.1 Conditions for the Determination Process

 When determining the state-of-the-art, consideration is to be given to what has
 proved itself in other comparable technical facilities in operation or in test
 operation, or what the general state of engineering suggests is suitable in
 practice. If none of these three criteria applies, a determination process must be
 initiated, in which the following five conditions must be fulfilled:

 •       All steps of the determination process must be run through, individual
         steps, where appropriate, several times (iteration loops),

 •       The persons involved must be capable,

 •       The knowledge bases applied must thoroughly cover the subject topics,

 •       The methods/examinations utilised must be appropriate and sufficient,

 •       The decisions must comply with the legal standard of the state-of-the-art.

 Compliance with the state-of-the-art is a duty of the operator of a technical
 facility. If the duty is not fulfilled or not complied with, there may be serious
 consequences. Therefore, the determination process must be structured in a
 methodically traceable manner and carried out carefully.

 In certain cases, it is possible to determine the state-of-the-art for a technical
 facility on the basis of technical rules, administrative regulations or guidelines.
 Such cases can exist when the boundaries of the technical facility, the materials
 used and the purpose of operation correspond to a large extent to a facility
 described in a technical standard etc. The standards, guidelines or administrative
 regulations applied must be up-to-date and the necessary safety-related measures
 must be adequately described. Special facility-related or environment-related
 sources of danger must be excluded.




 In general, the state-of-the-art is based on the technical standards and the result
 of the discourse of the experts.



 4.2.4.2 Steps of the Determination Process

 To determine the state-of-the-art, the following seven process steps should be
 run through (corresponding to the first stage in para. 4.2.4):

 (1)     Definition of the assignment of tasks,

 (2)     Collecting the safety-relevant documents and data of the technical
         facility/of the process,

 (3)     Determining the safety-relevant fields (process steps and components of
         the technical facility),

 (4)     Analysing the potential sources of danger,

 (5)     Determining and selecting the knowledge bases,

 (6)     Evaluating the collected knowledge bases,

 (7)     Decision making,

 where the order of process steps (2) to (6) can vary according to the application
 case.

 The process steps should be run in iteration loops until an adequate confidence
 level about the state-of-the-art is assured. The iteration loops can range over an
 individual process step or over multiple process steps.

 The determination of the state-of-the-art is only to be viewed as one of the steps
 for compiling a safety-related consideration. This is associated with:

 •       The implementation of the state-of-the-art with regard to the assignment
         of tasks,




 •       Documentation of this implementation,

 •       Examination and description of the residual risks,

 •       Emergency planning.



 4.2.4.3 Decision Making

 Normally, several options arise for how the state-of-the-art can be implemented
 in a particular technical facility. The design option finally selected must be
 justified and comprehensibly explained.

 By definition, processes, equipment and operating modes comply with the
 state-of-the-art only if they

 •       have been proven in operation,

 •       have been successfully tested, or

 •       have otherwise demonstrated their practical suitability.

 Furthermore, the processes, equipment and operating modes must correspond to
 the advanced state of development. A careful assessment of the effectiveness
 and reliability of a measure against the specific source of danger is a basic
 prerequisite here, in order to avoid errors that increase the probability of
 incidents.



 4.3      Controlling of the Technical Safety within the
          Product Lifecycle

 It is known from quality management that the later a fault is revealed in the
 planning or production process, the greater the expense of eliminating it. This
 certainly applies to safety-related mistakes as well. Cost efficiency therefore
 requires that safety-related considerations be carried along from the very first
 phase of design and development. This evaluation capacity can be integrated
 into the project engineering team, or it can be exercised as an external control
 when defined milestones are reached, for instance by a central department
 (safety / quality) and, where appropriate, by a third party.

 The collected safety-relevant information and the decisions taken should be kept
 available throughout the following phases of the product lifecycle for
 nominal/actual comparisons, i.e. for a safety-related controlling. This
 controlling information lends itself to the continual build-up of the "Safety
 Case", structured as a hierarchy of safety objectives.



 4.3.1 Phase-related Tracing of the Technical Safety

 An all-embracing hazard analysis must be carried out for the entire object
 (technical system, facility, product) in interdisciplinary cooperation (refer to
 para. 2.1 and 2.2). Facility-related and environment-conditioned sources of
 hazard must be accounted for, including natural conditions and events as well
 as unauthorised interventions.

 The hazards and their causes should be analysed using an accepted and proven
 evaluation method, which ensures an adequate degree of thoroughness and
 evaluation depth. The object to be examined must be divided into areas that are
 easy to survey.

 The break-off criteria for the hazard analysis must be disclosed. Break-off
 criteria can concern, for example, the evaluation depth, the exclusion of
 particular individual sources of hazard, material properties and process
 parameters.

 The documents and data referred to, as well as the information from facility and
 site inspections, serve as the working basis. If the hazard analysis discloses
 one or more sources of hazard, the measures to be taken according to the
 state-of-the-art must be determined. Independently of this, the potential
 consequences of faults that remain conceivable despite these measures must be
 determined, assessed as to their risks, and the safety measures applied.






 4.3.2 Organisation of the Verification

 In organising the verification, internal and external evaluation must be
 distinguished. External evaluations can be organised under private law or
 performed ex officio on a legal basis (by State or State-authorised bodies).

 Only through coordination by a body endowed with sufficient authority can it be
 ensured that evaluation measures complement one another sensibly, that
 unintentional gaps in verification are avoided and that the necessary
 information is passed on. In addition to their direct task of identifying
 nonconformances, evaluation measures also have an indirect effect, exerting a
 positive or negative influence on performance and quality; this, too, is
 important when assessing them.



 4.3.2.1 Elements of the Verification

 With respect to the nature and extent of the verification, the following
 distinction can be made between

 •       Manufacturer verification, which is carried out in-house or commissioned
         externally,

 •       External verification by an independent third party, which is carried out
         either independently of the manufacturer verification or is restricted to
         assessing whether the manufacturer verification was carried out properly,

 •       Acceptance verification by the (receiving) customer, which serves to
         assess and prove the quality of goods or services at the point where
         responsibility or ownership is transferred.

 Manufacturer verification is generally carried out in-house. Depending on the
 importance of the verification, it can be performed as self-inspection or by
 persons not directly involved in the manufacturing process.

 In-house manufacturer verification lies – like the specific measures for
 controlling production – within the sole competence of the manufacturer.




 Planning the verification includes the unambiguous definition of the rules for
 the assessment as well as of the corrective and preventive actions for negative
 verification results. The importance of the individual verification elements
 requires proper documentation.



 4.3.2.2 Grading of the Verification

 The effectiveness of verification measures depends on the following factors:

 •       The degree of independence of the verification from the process being
         verified,

 •       The qualification of the inspection personnel,

 •       The intensity of the inspections (frequency and extent),

 •       The evaluation criteria and the actions to be taken in case of negative
         inspection results,

 •       The use of multiple, mutually independent inspections.

 On the basis of these relations, stages of quality assurance and their
 allocation to hazard categories can be defined. Individual items can be subject
 to different quality assurance stages.



 4.3.3 The Module Approach of the European Union

 There is strong pressure to privatise the verification and surveillance functions
 performed up to now by the State. This is often justified by potential gains in
 efficiency or by a broadened personal accountability of the manufacturers.
 Another reason lies in the European integration process: the member states of
 the European Union assumed that the removal of trade barriers in the Single
 European Market would succeed more quickly under a private approval regime. In
 the early 1990s, these tendencies to shift risks (together with accountability)
 to the private sector triggered a veritable explosion of formal quality
 management systems and associated auditing. The cost and benefit of quality
 management systems and their audits have therefore become a central point of
 discussion in the verification of Technical Safety.

 The New Approach 1 and the Global Approach of the European Community (EC) to
 conformity assessment 2 – including the subsequent module decisions 3 – are the
 prime example of the privatisation and grading of control procedures in
 technical safety law. The Global Approach and the module decisions of the EC
 describe control procedures for use in the EC's legislative projects for the
 free movement of goods. The modules form a graded system ranging from the
 manufacturer's declaration (Module A) through individual acceptance of the
 product by an independent third party (Module G) to comprehensive quality
 assurance (Module H). The EC directives and the national law derived from them
 contain a selection of modules that reflects the risk of the regulated product.
 To qualify a product for the EC internal market, the manufacturer can choose
 whichever of these modules suits the product best, unless a product-specific
 directive stipulates otherwise.

 With the creation of the EC internal market, the former borders of the national
 safety structures were shifted to the external borders of Europe. For worldwide
 activities, the different safety structures must be reconciled with one another
 (compatibility clauses or matching).

 Whereas the Federal Republic of Germany has until now taken an explicitly active
 role in risk minimisation, in that State or State-authorised bodies performed
 the safety-related verification processes as a sovereign function and/or took
 part in them (performing responsibility of the State), the corresponding
 directives of the European Community (EC) imply that these sovereign
 verification activities, too, are to be left to the open market and merely
 supervised by the State (pure guaranteeing responsibility of the State).
 Whereas safety-related professional competence could hitherto be concentrated
 in the sovereignly acting bodies, this competence must now be procured on the
 open market. This VDI Memorandum [VDI: Association of German Engineers]
 announces a safety-methodical approach which makes it possible, independently
 of the technological field of application, to systematically generate, verify
 and maintain Technical Safety for technical systems, facilities, processes and
 products. In doing so, the risk-controlling function of the State is to be
 respected: the necessary contribution to the performing responsibility and/or
 the possible share of the guaranteeing responsibility is to be stipulated.


 1
      Council Resolution of 7 May 1985 on a new approach to technical harmonization and standards
      (85/C136/01), Official Journal of the European Communities No. C 136 of 04.06.1985, pp. 1–9
 2
      Council Resolution of 21 December 1989 on a global approach to conformity assessment
      (90/C010/01), Official Journal of the European Communities No. C 010 of 16.01.1990, pp. 1–2
 3
      Council Decision of 13 December 1990 concerning the modules for the various phases of the
      conformity assessment procedures which are intended to be used in the technical harmonization
      directives (90/683/EEC), Official Journal of the European Communities No. L 380 of 31.12.1990,
      pp. 13–26, and
      Council Decision of 22 July 1993 concerning the modules for the various phases of the
      conformity assessment procedures and the rules for the affixing and use of the CE conformity
      marking, which are intended to be used in the technical harmonization directives
      (93/465/EEC), Official Journal of the European Communities No. L 220 of 30.08.1993, pp. 23–39



 4.3.4 Guideline of the European Union for Conformity
       Assessment

 The European Community aims to promote an open market on its territory through
 the free movement of goods, capital, services and persons. On the one hand, it
 has defined requirements for the properties and condition of products with
 safety- and health-relevant attributes that are placed on the market – and to
 that extent has intervened in the market. On the other hand, it has opened the
 market for services connected with the evidence of conformity. Evaluation,
 certification and surveillance, including the accreditation of bodies for these
 activities, are in principle – subject to national restrictions – open to
 everyone and thus to free competition.

 To implement the aims of the European Community, instruments in the form of
 independent evidence of conformity were created. By means of the "New
 Approach", the European Community replaces the previously responsible
 authorities and officially recognised experts with "Notified Bodies" having
 evaluation and certification rights and duties. This "New Approach" presumes
 that the services of these Notified Bodies are subject to the open market
 (liberalisation).






 4.3.5 Planning Process

 The Planning Process comprises the Conception and Definition Phases (refer to
 para. 3.5.4). During both of these phases the following objectives and purposes
 are pursued.



 4.3.5.1 Objective and Purpose

 Objectives are characterised by being explicitly qualified and quantified in
 content, time and extent. In an agreement of objectives, individual targets are
 gradually derived and developed for the responsible employees. Depending on the
 scope of accountability, these can be targets for profit contribution, cost or
 performance. By combining them, consistent systems of targets can be developed
 that are suitable both for assigning responsibility and for decision-making.
 Management by agreement of objectives is clearly preferable to management by
 objectives, because the employees are involved in deriving the objectives.

 The safety-relevant share of the Conception Phase is the collection and
 evaluation of the available safety-relevant information. From the external
 requirements (markets, society, law), the development of technology, the
 supplier and raw-material markets, as well as the in-house potential of the
 company such as workforce and personnel qualification, existing product range
 and workshop facilities, the programme is defined that makes the safety-oriented
 development of new products (as well as technical systems and facilities)
 possible in principle.

 As a result, the product lifecycle must reflect an agreed quality requirement.
 It consists of the entirety of the individual requirements on the properties
 and condition of the product. The most important attribute of quality-determining
 requirements is that they can be measurably integrated into test plans and
 given tolerances (refer to para. 3.5.3).

 Within the scope of safety, the main focus of the Conception Phase involves the
 following activities:






 •       Organisation of the safety-relevant work in consideration of the state of
         the scientific and technical knowledge,

 •       Determination of the responsibilities within the safety scope of topics,

 •       Compilation of all safety-relevant requirements, e.g. from technical
         standards, relevant legal ordinances and other sets of rules,

 •       Evaluation of the “Lessons Learned” from previous events,

 •       Determination of the hazard potentials,

 •       Definition of the superordinate “Safety-related Requirements Catalogue”
         for the over-all system or technical facility,

 •       Statement of the safety requirements,

 •       Definition of a rough structure for the completion of the safety-related
         assignment of tasks,

 •       Verification that this superordinate "Safety-related Requirements
         Catalogue" is conclusive and complies with the relevant regulations, and
         that the safety requirements stipulated in it are traceable and
         verifiable throughout.

 In the Definition Phase, the same activities are in principle provided for the
 safety scope of topics as in the Conception Phase, in many cases, however, more
 precisely and broadened by traceable filing:

 •       Assessment of the organisation of the safety-relevant work and, if
         necessary, its adaptation to any changes in the Definition Phase,

 •       Affirmation or re-assignment of the responsibilities within the safety
         scope of topics, provided that changes of responsibilities arose for the
         Definition Phase,

 •       Continuation of the compilation of all safety-relevant requirements, e.g.
         from technical standards, relevant legal ordinances and other sets of rules,




 •       Continuation of the “Lessons Learned” for each technical component to
         be defined here,

 •       Hazard analysis, determination of the “Maximum Acceptable Risk”
         [German: “Grenzrisiko”, i.e. risk threshold] and of “Risk Equivalents”,

 •       Defining and releasing the "Safety-related Requirements Catalogue" and
         the appropriate safety-relevant threshold values,

 •       Definition of the subordinated “Safety-related Requirements Catalogue”
         for each technical component to be defined here in a logical continuation
         of the superordinate “Safety-related Requirements Catalogue” for the
         over-all system or technical facility,

 •       Application of the safety-methodical approach for each technical
         component to be defined here,

 •       Traceable filing of the compiled documentation,

 •       Verification that the "Safety-related Requirements Catalogues" defined
         here for the technical components are conclusive, do not conflict with
         the superordinate "Safety-related Requirements Catalogue" and comply
         with the corresponding regulations. The safety-related requirements in
         these catalogues must also be demonstrably verifiable.
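 The checks demanded of the catalogues in both phases (conclusive, not in
 conflict with the superordinate catalogue, traceable, verifiable) can be carried
 out mechanically once every requirement is recorded with a measurable quantity,
 a threshold, a tolerance and a reference into the test plan. The following
 Python program is an added example and not part of the memorandum; the
 requirement records, quantity names, limits and test plan identifiers are
 constructed for illustration, and the rule that a subordinate requirement may
 only be as strict as or stricter than the requirement it refines is the
 editor's reading of "not in conflict".

```python
"""Consistency and verifiability check over a hierarchy of "Safety-related
Requirements Catalogues": a superordinate catalogue for the overall facility and
subordinate catalogues for its technical components.

Added example, not part of the VDI memorandum. All requirement records, quantity
names, limits, tolerances and test plan references are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Requirement:
    req_id: str                    # unique identifier
    quantity: str                  # measurable quantity the requirement constrains
    bound: str                     # "max": must not exceed limit; "min": must not fall below
    limit: float                   # safety-relevant threshold value
    tolerance: float               # permitted tolerance around the limit (>= 0)
    test_ref: Optional[str]        # reference into the test plan; None = not verifiable
    parent: Optional[str] = None   # superordinate requirement this one refines


def worst_case(req: Requirement) -> float:
    """Least favourable value the requirement still accepts, tolerance included."""
    return req.limit + req.tolerance if req.bound == "max" else req.limit - req.tolerance


def check_catalogues(requirements: list) -> list:
    """Return (requirement id, finding) pairs; an empty list means the catalogues
    are conclusive, free of conflicts, traceable and verifiable."""
    by_id = {r.req_id: r for r in requirements}
    findings = []
    if len(by_id) != len(requirements):
        findings.append(("*", "duplicate requirement identifiers"))

    refined = set()   # superordinate requirements that some component carries down
    for r in requirements:
        # Verifiability: needs a test plan entry and a usable tolerance.
        if r.test_ref is None:
            findings.append((r.req_id, "not verifiable: no test plan reference"))
        if r.tolerance < 0:
            findings.append((r.req_id, "invalid tolerance"))
        if r.bound not in ("max", "min"):
            findings.append((r.req_id, "bound must be 'max' or 'min'"))
            continue
        if r.parent is None:
            continue
        # Traceability: every subordinate requirement must point at an existing parent.
        parent = by_id.get(r.parent)
        if parent is None:
            findings.append((r.req_id, f"not traceable: parent {r.parent} missing"))
            continue
        refined.add(parent.req_id)
        # No conflict: same quantity and direction, and at least as strict as the parent.
        if (parent.quantity, parent.bound) != (r.quantity, r.bound):
            findings.append((r.req_id, f"conflict: refines {parent.req_id} on a different quantity or bound"))
        elif r.bound == "max" and worst_case(r) > worst_case(parent):
            findings.append((r.req_id, f"conflict: looser than {parent.req_id}"))
        elif r.bound == "min" and worst_case(r) < worst_case(parent):
            findings.append((r.req_id, f"conflict: looser than {parent.req_id}"))

    # Conclusiveness: every top-level requirement must be carried down to at least one component.
    for r in requirements:
        if r.parent is None and r.req_id not in refined:
            findings.append((r.req_id, "not conclusive: no subordinate requirement implements it"))
    return findings


# Constructed sample: overall-system requirements carried down to components,
# plus deliberately defective entries that exercise each check.
SAMPLE = [
    Requirement("SYS-TEMP-01", "surface_temperature_C", "max", 60.0, 2.0, "TP-01"),
    Requirement("SYS-PRESS-01", "relief_pressure_bar", "min", 8.0, 0.2, "TP-02"),
    Requirement("SYS-NOISE-01", "sound_pressure_dBA", "max", 85.0, 1.0, "TP-03"),  # never refined
    Requirement("CMP-HEATER-01", "surface_temperature_C", "max", 55.0, 1.0, "TP-11", parent="SYS-TEMP-01"),
    Requirement("CMP-HOUSING-01", "surface_temperature_C", "max", 60.0, 3.0, "TP-12", parent="SYS-TEMP-01"),  # 63 > 62
    Requirement("CMP-VALVE-01", "relief_pressure_bar", "min", 8.5, 0.1, None, parent="SYS-PRESS-01"),        # no test
    Requirement("CMP-PUMP-01", "flow_rate_lpm", "min", 20.0, 1.0, "TP-14", parent="SYS-FLOW-01"),            # dangling
]

if __name__ == "__main__":
    for req_id, finding in check_catalogues(SAMPLE):
        print(f"{req_id}: {finding}")
```

 The comparison deliberately includes the tolerance: the tolerance is what the
 test plan will actually accept, so a component whose accepted worst case exceeds
 the overall limit conflicts with the superordinate catalogue even when its
 nominal limit is identical.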



 4.3.5.2 Materials, Sampling Procedure

 In order to evaluate the homogeneity of the materials to be used, the
 manufacturer must draw a statistically random sample from a population that is
 homogeneous in itself (e.g. a production batch). The sample must originate from
 the batch of reference material under consideration. The assessment procedure
 follows acknowledged uniform sampling plans, i.e. it is carried out and
 documented according to DIN ISO 2859-1:2004-01 "Sampling procedures for
 inspection by attributes – Part 1: Sampling schemes indexed by acceptance
 quality limit (AQL) for lot-by-lot inspection".






 For the manufacture of single items, the suitability of the material must be
 established by an analogous procedure with a specific method of verification.
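 As an added example (not from the memorandum and not from ISO 2859-1), the
 following Python code carries out a lot-by-lot single sampling plan of the kind
 the standard indexes by AQL: a random sample is drawn from the batch, the
 nonconforming items are counted, and the lot is accepted or rejected against an
 acceptance number. It goes one step beyond the text by also computing the
 operating characteristic, i.e. the probability that the plan accepts a lot of a
 given quality, which is what such a plan actually guarantees. The sample size
 and acceptance number used are assumptions, not values from the standard's
 tables (which are not reproduced here); the lot of castings and its defective
 serial numbers are constructed.

```python
"""Lot-by-lot acceptance sampling by attributes in the manner of a single
sampling plan: draw a statistically random sample from the batch, count the
nonconforming items, accept the lot if the count does not exceed the acceptance
number c. The operating-characteristic functions show what a plan (n, c)
guarantees for a given lot quality.

Added example, not from the VDI memorandum or from ISO 2859-1. Plan parameters
are assumptions; in practice n and c are read from the ISO 2859-1 tables for the
lot size, inspection level and AQL. The lot contents are constructed.
"""
from math import comb
from secrets import SystemRandom   # unpredictable source, so the sample cannot be steered


def draw_sample(lot: list, n: int, rng=None) -> list:
    """Simple random sample of n distinct items from the lot (without replacement)."""
    if n > len(lot):
        raise ValueError("sample size exceeds lot size")
    rng = rng or SystemRandom()
    return rng.sample(lot, n)


def decide(sample: list, nonconforming, c: int) -> tuple:
    """Single sampling plan: accept iff the number of nonconforming items is <= c.
    `nonconforming` is a predicate applied to each sampled item.
    Returns (accepted, count_of_nonconforming)."""
    d = sum(1 for item in sample if nonconforming(item))
    return d <= c, d


def p_accept_binomial(n: int, c: int, p: float) -> float:
    """Probability that plan (n, c) accepts output from a process running at
    fraction nonconforming p (the large-lot view used for OC curves)."""
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(c + 1))


def p_accept_hypergeometric(N: int, D: int, n: int, c: int) -> float:
    """Exact acceptance probability for a finite lot of N items of which D are
    nonconforming, sampled without replacement."""
    total = comb(N, n)
    return sum(comb(D, k) * comb(N - D, n - k) for k in range(min(c, D, n) + 1)) / total


def oc_curve(n: int, c: int, fractions) -> list:
    """(p, P_accept) pairs. Producer's risk is 1 - P_accept at the AQL,
    consumer's risk is P_accept at the limiting quality."""
    return [(p, p_accept_binomial(n, c, p)) for p in fractions]


# Constructed lot: 200 castings identified by serial number. Items whose serial
# is in BAD fail the attribute check (e.g. wall thickness below the drawing minimum).
LOT = [f"CAST-{i:04d}" for i in range(1, 201)]
BAD = {"CAST-0017", "CAST-0088", "CAST-0143"}
PLAN_N, PLAN_C = 32, 1   # assumed plan, not an ISO 2859-1 table value

if __name__ == "__main__":
    sample = draw_sample(LOT, PLAN_N)
    accepted, d = decide(sample, lambda s: s in BAD, PLAN_C)
    print(f"sample of {PLAN_N}: {d} nonconforming -> {'accept' if accepted else 'reject'} lot")
    for p, pa in oc_curve(PLAN_N, PLAN_C, (0.005, 0.01, 0.025, 0.05, 0.10)):
        print(f"fraction nonconforming {p:.3f}: P(accept) = {pa:.3f}")
    exact = p_accept_hypergeometric(len(LOT), len(BAD), PLAN_N, PLAN_C)
    print(f"exact P(accept) for this lot: {exact:.3f}")
```

 Drawing the sample with `secrets.SystemRandom` matters in practice: a sample
 selected by a predictable generator, or by hand, can be steered towards
 known-good items and is then no longer the statistically random sample the
 procedure requires, and the OC curve no longer describes what the inspection
 guarantees.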



 4.3.5.3 Verifiability of the Requirements

 It must be ensured that only suitable products and services that comply with the
 requirements are procured. For this reason, all sub-contractors and suppliers
 must be evaluated as to whether they have the necessary competence in quality;
 the procurement file must contain all significant data completely and in
 verifiable form. Traceability shall make it possible to trace the history of
 manufacture, use and location of a product by means of its likewise recorded
 marking. Traceability refers in particular to

 •       The source of the materials and component parts,

 •       The processing history of the product,

 •       The distribution and the whereabouts of the product after its delivery.



 4.3.5.4 Resolution of the Conflict Potential between Cost-
         effectiveness / Technical Safety

 The profit-oriented market principle does not represent an adequately suitable
 safety instrument for the field of "Public Technical Safety" and, for a number
 of reasons, can find only restricted application in this field. The main
 factors of interest are therefore to be assessed and considered in detail:

 •       The product "Safety"

         Besides other factors that influence Technical Safety, such as
         vocational education/professional knowledge and general safety
         culture/degree of observance of regulations, safety is here assigned as
         an attribute to goods and services.






 •       The user

         In evaluating the offered products and services, the user makes
         decisions primarily for himself; the interests of the general public are
         usually not taken into consideration. Such decisions can therefore not
         serve as a reference for safety considerations.

         The consideration of third-party and public interests must therefore be
         enforced or attained by positive incentives.

 •       The general public interest

         To protect the general public and the environment, the State intervenes
         in the market. It makes provisions for the general welfare and for
         public safety and order.

         For their implementation, requirements on attributes and operation are
         laid down, as well as a graduated control system with instruments for an
         independent proof of conformity.

 •       Sovereign supervision by the State (market surveillance)

         In a liberalised verification and certification market in Europe
         – possibly the intended future of the majority of the States joined in
         the European Community –, in which it cannot simply be assumed that
         goods and services with safety-relevant functions are provided for the
         public benefit, the instrument of market surveillance is an
         indispensable element for implementing the public safety interest.
         Market surveillance is a necessary, but not by itself sufficient,
         instrument in the field of Technical Safety. Safety is both an
         individual and a collective necessity. It cannot be continuously
         satisfied through market forces; this applies particularly to
         forward-looking collective necessities. For these reasons, the Federal
         Republic of Germany must intervene in the market by regulation, even
         where this runs counter to the possibly intended future of the majority
         of the European nations.






 4.3.5.5 Responsibilities

 The responsibilities for all verification and inspection procedures, in
 particular for the implementation of actions in case of inadequate verification
 and inspection results, must be clearly and unequivocally regulated. All
 essential verification and inspection results must be recorded. When more than
 one contractor or sub-contractor participates in the manufacturing and/or
 production process, and wrong decisions or gaps in the verification may have
 significant consequences, a verification or inspection plan is necessary.



 4.3.6 Realisation Process

 The Realisation Process consists of the Development & Engineering Phase and the
 Manufacture Phase. The fundamental objective of the Realisation Process
 coincides substantially with that of the Planning Process (refer to para. 3.5.4).
 In the Manufacture Phase, however, the instrument of agreement of objectives can
 only be used under fairly particular constraints; management by objectives is
 more often used there.



 4.3.6.1 Objective and Purpose

 Within the scope of safety, the main focus of the Development & Engineering
 Phase (refer to para. 3.5.4) involves the following activities:

 •       Assessment of the organisation of the safety-relevant work and, if
         necessary, its adaptation to any changes in the Development &
         Engineering Phase,

 •       Establishment of quality and safety management with a new assignment of
         the responsibilities for the field of Technical Safety, if changes of
         responsibilities have been made for the Development & Engineering
         Phase,

 •       Continuation of the compilation of all safety-relevant requirements, e.g.
         from technical standards, relevant legal ordinances and other sets of rules,

 •       Evaluation of the probability of occurrence and the extent of the related
         harm for each failure mode,

 •       Continuation of the "Lessons Learned" for each technical component to
         be defined here,

 •       Involvement of the appropriate supervising institutions (authorities,
         public agencies [German: Träger öffentlicher Belange], Notified Bodies,
         technical experts or the like) in generating and evaluating safety, as
         far as this is legally and factually necessary,

 •       Application of the "Safety-related Requirements" and their
         implementation for each component to be developed and/or engineered
         here, so that the safety-methodical approach is applied to each such
         technical component,

 •       Verification that the "Technical Safety Requirements" applied and
         implemented here are

         – effective for the subordinated technical components,

         – not in conflict with the superordinate "Technical Safety Requirements
           Catalogue",

         – in accordance with the relevant regulations, as well as

         – compliant with the "Technical Safety Requirements" defined in detail,

 •       Optimisation of the safety-related application,

 •       Assessment and verification of the safety requirements defined for the
         individual concepts concerned, carried out in the course of the
         qualification (type testing etc.),

 •       Submission of a safety report (as formal completion of the safety-related
         verification), if necessary as a module of the Safety Case (refer to
         para. 2.2.8).





 For the Manufacture Phase (refer to para. 3.5.4), the following activities
 result for the scope of safety; to some extent they further detail the
 activities of the Development & Engineering Phase, but for the larger part they
 are specific to the Realisation Process:

 •       Assessment of the organisation of the safety-relevant work and, if
         necessary, its adaptation to any changes in the Manufacture Phase,

 •       Re-assignment of the responsibilities for quality management in the
         field of Technical Safety, if changes of responsibilities have been made
         for the Manufacture Phase,

 •       Contacting the quality assurance organisation in charge (internal and
         external evaluation) for the manufacture process, with focus on the
         safety-relevant specifications and attributes,

 •       Ensuring that the applied production processes are not only
         cost-efficient but always reproducible, in particular with regard to
         safety,

 •       Involvement of the appropriate supervising institutions (authorities,
         public agencies [German: Träger öffentlicher Belange], Notified Bodies,
         technical experts or the like) in generating and evaluating safety, as
         far as this is legally and factually necessary,

 •       Implementing the pertinent state-of-the-art and/or applying the
         generally accepted rules of engineering in production, in any case
         making use of all safety-relevant technical requirements, e.g. from
         technical standards, manufacturing and quality assurance procedures,

 •       Verification that the "Technical Safety Requirements" applied and
         implemented here are effective for the subordinated technical
         components, do not conflict with the superordinate "Technical Safety
         Requirements Catalogue" and comply with the appropriate regulations,
         and that the "Safety-related Requirements" defined in detail are met
         and are evaluated, verified and traceably documented in the course of
         the technical acceptance (acceptance testing or the like),






 •       At the technical acceptance, the conformity of the manufactured products
         (or of the system or technical facility) with the "Safety-related
         Requirements" established and stipulated in the preceding phases must
         be verified.



 4.3.6.2 Hazard Analysis

 The hazards and their sources must be analysed using a proven evaluation
 method, so that a sufficient degree of thoroughness and evaluation depth can be
 assured. For that purpose, the technical component to be examined must be
 divided into areas that are easy to grasp.

 For the complete technical component, an all-embracing hazard analysis is to be
 carried out. System-related and environment-conditioned sources of hazard are to
 be considered, including natural conditions and events as well as unauthorised
 interventions.

 The compiled documents and data, as well as the information from system and site
 inspections, serve as the working basis.

 If the hazard analysis reveals one or more sources of danger, the measures to be
 taken are to be determined according to the state-of-the-art. Independently of
 this, the potential consequences of disturbances that remain conceivable despite
 these measures must be evaluated with regard to the risk of harm occurring and
 its extent, and – taking the normative specification of the "Maximum Acceptable
 Risk" [German: "Grenzrisiko", i.e. risk threshold] into account – protective
 safety measures are to be applied.
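 To make the comparison against the Grenzrisiko concrete, the following Python
 program (an added example, not from the memorandum) takes the risk of each
 conceivable disturbance as frequency of occurrence times extent of harm, as the
 Development & Engineering Phase activity above asks for per failure mode,
 applies protective measures until the residual risk no longer exceeds the
 threshold, and records the residual risk that remains, so that anything still
 above the threshold is visible for further design changes or for emergency
 planning. The failure modes, the measures and their risk-reduction factors, the
 threshold value and the unit of harm are all constructed assumptions.

```python
"""Evaluation of conceivable disturbances against a "Maximum Acceptable Risk"
(Grenzrisiko). For each failure mode the risk is frequency of occurrence times
extent of harm; protective measures are applied, most effective first, until the
residual risk is at or below the threshold, and the residual risk is documented.

Added example, not from the VDI memorandum. Failure modes, measures, reduction
factors and the threshold are constructed; risk is in the assumed unit
"harm units per year".
"""
from dataclasses import dataclass, field


@dataclass
class Measure:
    name: str
    frequency_factor: float = 1.0   # multiplies the occurrence frequency (0 < f <= 1)
    harm_factor: float = 1.0        # multiplies the extent of harm (0 < f <= 1)


@dataclass
class FailureMode:
    name: str
    frequency_per_year: float       # estimated occurrence frequency without measures
    harm: float                     # extent of harm per occurrence (assumed unit)
    candidate_measures: list = field(default_factory=list)


@dataclass
class Assessment:
    name: str
    initial_risk: float
    applied: list                   # names of the measures actually applied
    residual_risk: float
    acceptable: bool                # residual risk <= Grenzrisiko


def risk(frequency: float, harm: float) -> float:
    return frequency * harm


def assess(mode: FailureMode, grenzrisiko: float) -> Assessment:
    """Apply candidate measures until the residual risk no longer exceeds the
    Grenzrisiko. Whatever remains is the documented residual risk; an
    unacceptable residual risk is flagged for further design changes."""
    freq, harm = mode.frequency_per_year, mode.harm
    initial = risk(freq, harm)
    applied = []
    # Most effective first: smallest combined reduction factor.
    for m in sorted(mode.candidate_measures, key=lambda m: m.frequency_factor * m.harm_factor):
        if risk(freq, harm) <= grenzrisiko:
            break
        if not (0 < m.frequency_factor <= 1 and 0 < m.harm_factor <= 1):
            raise ValueError(f"{m.name}: reduction factors must lie in (0, 1]")
        freq *= m.frequency_factor
        harm *= m.harm_factor
        applied.append(m.name)
    residual = risk(freq, harm)
    return Assessment(mode.name, initial, applied, residual, residual <= grenzrisiko)


def assess_all(modes: list, grenzrisiko: float) -> list:
    return [assess(m, grenzrisiko) for m in modes]


GRENZRISIKO = 1.0e-3   # assumed threshold, harm units per year

# Constructed failure modes for a pressurised vessel component.
MODES = [
    FailureMode("overpressure due to control failure", 2.0e-2, 10.0, [
        Measure("independent relief valve", frequency_factor=0.01),
        Measure("pressure alarm with operator action", frequency_factor=0.1),
    ]),
    FailureMode("leak at flange", 5.0e-2, 0.05, [
        Measure("drip tray and containment", harm_factor=0.1),
    ]),
    FailureMode("external impact by vehicle", 1.0e-3, 100.0, [
        Measure("crash barrier", frequency_factor=0.1),
    ]),
]

if __name__ == "__main__":
    for a in assess_all(MODES, GRENZRISIKO):
        status = "acceptable" if a.acceptable else "NOT acceptable: further measures required"
        print(f"{a.name}: {a.initial_risk:.2e} -> {a.residual_risk:.2e} "
              f"via {a.applied or ['none']} ({status})")
```

 Ordering the measures by effectiveness is only a simple heuristic. In a real
 assessment the order also follows the state-of-the-art (inherently safe design
 before protective devices before organisational measures), which this data does
 not model; the point of the loop is that the residual risk is evaluated again
 after every measure and documented, rather than assumed away once a measure is
 listed.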



 4.3.6.3 Verifiability of the Requirements

 Verification of the specifications stipulated in the preceding phases:

 •       With regard to the type and significance of the evaluations, a
         distinction must be made between series production, where the aim is
         consistent quality, and single-item production, where the aim is
         compliance with the design specifications.




 •       Detected deviations are to be controlled by corrective measures. For
         control of the production process, attention must be paid to its
         reproducibility (nonconformances); in the case of single-item
         production, preventive measures have priority.



 4.3.6.4 Verification and Release of the Design Specifications

 •       Evaluation of design, dimensioning and correct engineering

         It is necessary to assess whether all decisive hazards have been identified
         and appropriate actions have been provided for their prevention. This
         particularly concerns the appropriate choice of the system, the materials
         and types, the processes and tools/utilities as well as the layout
         (accessibility). Amongst others, it must further be assessed whether

         – all essential organisational prerequisites, e.g. particular
           qualifications for workmanship and operation, can be fulfilled,

         – all evaluations necessary for the engineering have been provided,

         – all terms of use and necessary maintenance measures have been
           specified before commissioning.

 •       The evaluation of the design specifications can be made in different
         ways, with varying effort. Amongst others, it is to be assessed whether

         – the calculation covers the decisive requirements and the actual
           impacts (loads), boundary conditions and terms of use,

         – evidence is provided for all essential components,

         – practice-proven calculation methods are used,

         – the calculation is self-consistent,

         – all design assumptions have been carried through consistently
           across the whole system,




         – no damage will be caused to technical components or the system by
           modifications.

         With respect to the evaluation method, a distinction can be made
         between

         – a complete comparative calculation, which is conducted
           independently of the existing calculation, after which the
           relevant dimensioning results are compared,

         – a partial counter-calculation, where only the essential parts of
           the calculation are cross-checked in detail by recalculation or
           comparative calculation,

         – evaluation of the manufacturing and production documentation
           (reference documents).

 •       The manufacturing or production documents must contain all information
         required for execution, such as tolerance limits or modifications, as
         well as instructions regarding the production flow. Here it is
         important to check, amongst others, whether the dimensioning results
         have been transferred correctly, whether the drawings comply with the
         given requirements, whether other boundary conditions are taken into
         account and whether the design specifications are unambiguous and
         comprehensible.



 4.3.6.5 Traceability of the Documentation

 The manufacturer must have at its disposal a quality management system that,
 as a rule, covers the following:

 •       Documentation and traceable filing of the design specifications,

 •       Regulations guaranteeing the suitable selection (e.g. sample matrix,
         particle size, concentration range) of the reference materials in question,

 •       Procedure for production engineering,






 •       Evaluation and quantification of the needed degree of material
         homogeneity,

 •       Evaluation of the material stability, including ongoing stability
         monitoring, if necessary,

 •       Procedures for characterising the required (e.g. material)
         properties,

 •       Practical realisation of the traceability of measurements in legal
         units to national or international standards,

 •       Assignment of property values, including preparation of the certificates or
         declarations in compliance with ISO Guide 31:2000 “Reference materials
         – Contents of certificates and labels”, if appropriate,

 •       Provision of suitable production facilities,

 •       Regulations for suitable means of identification, labelling and
         packaging, for packing and shipping procedures, and for after-sales
         service.

 The documentation and filing system must make it possible to retrieve which
 activities the manufacturer has performed and which its co-operation partners
 have performed. It must also comprise the regulations and procedures
 implemented by the manufacturer.



 4.3.6.6 Approval Procedure

 The manufacture of particular products of safety-related importance can in
 itself be subject to official approval or authorisation. The corresponding
 obligations (release procedures) must be integrated into the quality
 management system and observed.

 Safety management must be regarded as a constituent part of the quality
 management system. Authorisation requirements are often motivated by
 protection against unauthorised access (“security”).




 The quality management system itself is subject to a periodic certification
 process by third parties, so-called accredited certification bodies.



 4.3.6.7 Utilisation of Materials

 •       Quality assurance system (in-house or external surveillance with
         documentation for traceability):

         – There are factors which can cause the actual performance to deviate
           unacceptably from the nominal design specification. These factors
           include e.g. altered material and component properties, uncertainties
           in assembly and construction, or faults and errors at the different
           steps of manufacturing. To prevent this, control measures are to be
           provided at all essential phases of execution (precautionary
           surveillance of the construction).

         – If there is a danger that the properties alter inadmissibly and/or
           contrary to expectation during utilisation, special maintenance
           measures may become necessary (accompanying surveillance prior to
           putting into operation).

 •       Compatibility of the Technical Components

         The manufacturer must perform in-house audits of its activities at
         routine intervals and in accordance with schedules and procedures fixed
         in advance. In doing so it provides evidence that its workflow continues
         to comply with the requirements of the quality management system.

         The programme for in-house auditing must address all elements of the
         quality management system presented in the quality management manual,
         including the technical and production activities that lead to the
         assignment of characteristic values to a reference material (material
         compatibility, “fit/form/function”). It is the responsibility of the
         quality management representative to plan and organise audits in
         accordance with the established programme and on demand of top
         management. Trained and qualified personnel must perform such audits.




         Auditing personnel must, wherever resources allow, be independent of
         the function to be audited.

         Personnel must not audit their own function, unless this is necessary
         and the audit has been shown to be performed effectively.



 4.3.6.8 Market Supervision / Sovereign Surveillance

 Market supervision is an indispensable instrument of sovereign action for
 implementing the legal concerns of public safety. The State can intervene in
 the market and correct undesirable developments. It does so in manifold ways,
 using its own surveillance personnel or so-called entrusted contractors.

 The manufacturer must provide the (traceable) transparency required for the
 (State-run) market supervision to act.



 4.3.7 Operation Process

 The Operation Process consists of the Operation & Utilisation Phase, into
 which, after termination of utilisation, the Retreat, Disposal & Recycling
 Phase can also be integrated (refer to para. 3.5.4).



 4.3.7.1 Objective and Purpose

 In this phase the objectives come to the fore, namely to achieve cost-efficient,
 reliable and safe operation.

 In the Operation & Utilisation Phase (refer to para. 3.5.4), a distinction is
 to be made between products (technical facilities, goods and services) that
 need no approval and those that require approval prior to being put into
 operation. In both cases, however, the following aspects are to be considered:

 •       Safety management,




 •       Safety-related surveillance,

 •       Safety in case of possible retrofitting.

 For the Retreat, Disposal & Recycling Phase (refer to para. 3.5.4), in
 principle the same procedures apply as described for the preceding phases, but
 with greater effort for evaluation and supervision because engineering rules
 are often lacking. A further complication is that the Retreat, Disposal &
 Recycling Phase does not involve routine, repeated procedures, which demands
 that personnel carry out this task with particular care and attention. Above
 all, management has to provide an appropriate and suitable quality management
 system that copes with the particular procedural steps of the Retreat,
 Disposal & Recycling Phase.

 The focus of the Retreat, Disposal & Recycling Phase in the field of safety lies
 in the following:

 •       Organisation of the safety-relevant tasks,

 •       Assignment of the responsibilities for the safety scope of topics,

 •       Review of the „Lessons Learned” from preceding events for determining
         preventive measures,

 •       Continued validity of former threshold values (right of continuance),

 •       Definition of the superordinate „Technical Safety Requirements
         Catalogue” for the complete Retreat, Disposal & Recycling Phase,

 •       Verification, that these superordinate „Technical Safety Requirements”
         are conclusive, compliant with the appropriate regulations and that the
         “Safety-related Requirements” defined in this catalogue are met and
         verifiable.






 4.3.7.2 Approval

 Industrial plants and manufacturing firms that pollute the environment or are
 of safety-related importance need a permit under the corresponding law. The
 permit procedure shall ensure that

 •       Employees, the neighbourhood where applicable and the general public
         are protected against harmful environmental effects and other hazards,

 •       The necessary precautions are taken against harmful environmental
         effects and other hazards as well as against considerable
         disadvantages or nuisances,

 •       Waste is avoided or recycled and, where neither is possible, properly
         disposed of,

 •       Energy is used efficiently and economically.

 The permit procedure moreover verifies whether further regulations under
 public law (e.g. nature conservation law, water law, building law) are
 observed and the necessary measures for occupational safety are applied.

 A permit can incorporate numerous other official decisions (concentration
 effect).

 The official procedures, e.g. building permits, approval of technical
 facilities requiring special supervision in accordance with the “Equipment and
 Product Safety Law”, and the declaration of suitability of technical plants
 for storing, filling, transferring, producing, treating or using substances
 hazardous to water, are bundled.



 4.3.7.3 Status Inspections

 All operational procedures must be systematically assessed at regular
 intervals. In this way, potential sources of nonconformities as well as
 opportunities for improvement can be identified, be they of a technical nature or within the quality



 management system. Action plans must be established, implemented and
 supervised to reduce the probability of nonconformities occurring and to
 realise the benefits of the improvements. The results of the preventive
 measures must be submitted for management review.



 4.3.7.4 Instructions for Use

 Instructions for use serve to maintain quality during operation; they must be
 prepared in writing and in detail in accordance with the quality agreements
 and be handed over by the manufacturer to the user. Instructions for use are
 part of quality planning on the basis of the quality management system. The
 “Equipment and Product Safety Law” and the relevant legal regulations are to
 be observed here.



 4.3.7.5 Maintenance

 Products can only remain compliant with the requirements on technical
 facilities to the extent that they are maintained properly.

 According to DIN 31051:2003-06 „Fundamentals of maintenance”, maintenance is
 understood as all measures for maintaining and restoring the nominal condition
 of technical systems and facilities, provided they are not modified. The term
 comprises servicing, inspection and repair.



 4.3.7.6 Retrofitting

 For complex systems and industrial goods with a long useful life (for example
 airliners, track-guided railway systems, large-scale chemical plants and power
 plants) an extension of the lifespan is often aimed for. Depending on the
 scope of the necessary retrofit, parts of the different lifecycle phases are
 run through again, so that on resumption of operation an operational and
 safety status equal to that prior to the retrofit is ensured.

 In particular fields, retrofitting to the state of the art or to the state of
 scientific and technical knowledge is legally regulated.






 4.3.8 Quality Management in Safety Engineering

 4.3.8.1 Role and Benefit of Quality Management Systems

 The systematic evaluation and implementation of technical requirements is the
 basis of every quality management system, e.g. as per DIN EN ISO
 9001:2000-12 „Quality management systems – Requirements”. These
 requirements refer to all phases. Their inclusion already in the planning
 process is a decisive step for quality management, because the cost of a
 mistake increases with each further step at which it is found.

 An assurable quality requirement calls for well-conceived quality planning,
 which consists of the following main elements:

 •       Planning for identification, classification and weighting of the quality
         attributes of the product, determination of the objectives and the quality
         requirements,

 •       Planning of the management and working activities such as preparation of
         the application of the quality management system with operating and time
         schedules.

 •       Establishing quality management plans and implementing a process for
         continual quality improvement.

 Through consistent application of the quality management system, the
 achievement of the required product quality is expected. This expectation must
 rest on a high reliability of the system concerned. The statement of
 conformity for the product is the outward sign that this expectation is met
 with regard to the requirements and the relevant documents.

 For laboratories analysing the attributes of substances, for example, an
 auditable management system exists in the form of the GLP standards (Good
 Laboratory Practice) of the Organisation for Economic Co-operation and
 Development (OECD). These have been made binding by directive for the member
 states of the European Community.






 4.3.8.2 Quality Management System and Qualified Personnel

 At predefined intervals, the product supplier must audit the quality
 management system. The intervals must be chosen so that the continued
 appropriateness and effectiveness of the system in complying with the
 requirements, the stipulated quality policy and its objectives can be assured.
 For the purpose of traceability, records of these audits are necessary and
 have to be filed traceably to the necessary extent.

 The manufacturer must establish, implement and maintain a quality management
 system – normally in accordance with DIN EN ISO 9001:2000-12 „Quality
 management systems – Requirements” –, which is appropriate to the scope of
 its business activities, including the type, extent and order of magnitude of
 production. The manufacturer must define and document its quality management
 policy, objectives and commitments.

 Quality management must further commit to producing reference materials that
 comply with the definitions given in ISO Guide 30:1992 „Terms and definitions
 used in connection with reference materials” and whose characteristic values
 are determined using approved statistical procedures. It has to commit itself
 to meeting the requirements set out in ISO Guide 31:2000 „Reference materials
 – Contents of certificates and labels” regarding material certificates and
 the provision of accompanying information to the user. Quality management
 must also specify the intended use of the supplied material and commit the
 manufacturer's organisation to ensuring that customers are thoroughly
 informed.

 The manufacturer must

 •       Have executive personnel at its disposal, supported by technical
         personnel, who in turn must have the necessary authority and resources
         available. In addition, the technical personnel must be able to
         identify deviations from the quality management system and/or from the
         procedures for the manufacture of the reference materials and to
         initiate measures to prevent or minimise such deviations,






 •       Have regulations in place which guarantee that its management and
         personnel are free from any commercial, financial or other internal or
         external pressure that could adversely affect the quality of their work,

 •       Have regulations and procedures in place which guarantee that
         confidential information and the proprietary rights of its customers
         are protected,

 •       Have regulations and procedures in place which avoid any involvement
         in activities that would reduce confidence in its expertise,
         impartiality, judgement or operational integrity,

 •       Define the organisation and management structure of the manufacturer
         by means of organisation charts, its position within a holding
         organisation and the relationships between management, technical
         processes, supporting services, cooperation partners and the quality
         management system,

 •       Describe the responsibilities, competences and relationships of all
         personnel who manage, perform or verify work that influences the
         quality of the manufacture of the reference materials,

 •       Have a technical management which bears overall responsibility for the
         technical processes and for the provision of the required means, in
         order to ensure the required quality of the production processes,

 •       Have an archiving system for traceable documentation

         – for the management of documents (specified requirements, release and
           change control system),

         – for the management of records (verification, inspection reports),

         – on internal audits (scheduled, ad hoc),

         – for the management of non-conforming products (nonconformance
           control and waiver system),

         – on corrective measures,




         – on preventive measures.

 The competencies and responsibilities for all verifications, in particular for
 enforcing measures in case of unsatisfactory inspection results, should be
 governed comprehensibly and unequivocally. A control plan for integrated
 verification makes sense when more than one contractor and sub-contractor take
 part in a construction project and when wrong decisions and gaps in project
 control may have serious consequences. All these individual measures must
 also serve the overall objective of integrated safety management.

 The operator must comply with the instructions for use stipulated by the
 manufacturer, first of all the safety-related instructions. For this purpose
 the operator has to establish, implement and maintain a quality management
 system appropriate to its range of business activity, including the type,
 extent and magnitude of the business. Manufacturer and operator must define
 their objectives and commitments and document them where necessary. In this
 way the quality of all production aspects can be ensured and maintained:
 material properties (e.g. strength, homogeneity and other attributes),
 measurement (e.g. calibration of instruments and validation of measurement
 methods), assignment of characteristic values (e.g. use of suitable
 statistical methods) and the procedures for handling, storing and
 transporting materials.

 The operator must provide sufficient personnel who have the required education,
 training, technical knowledge and experience for the tasks assigned to them.
 If in doubt, the operator must ensure that operating personnel receive
 additional training so that measurements, operation of equipment and other
 activities that influence quality are performed competently. Where possible,
 the level of competence achieved by training should be assessed against
 objective criteria.

 Where management systems are stipulated, they must correspond to the
 requirements. The quality management system may integrate other elements, such
 as safety management systems or safety-related prevention systems.






 5        Societal Considerations

 5.1      Prevention of Safety-critical Failures

 5.1.1 National and International Achievements

 On the national level, target values for public technical safety are laid down
 in regulations ranging from the Basic Law [German: Grundgesetz, i.e. the
 Constitution of the Federal Republic of Germany] through laws and ordinances
 to standards and codes of conduct. Internationally, differing social
 conditions lead to differences in structures in the various countries and
 regions. The ever more intense cooperation in economic areas crossing national
 and regional borders necessitates an alignment and opening of the hitherto
 primarily national regulations. The spectrum of appropriate actions ranges
 from the mutual recognition of differing regional structures to world-wide
 uniform, harmonised structures and regulations for containing hazards in
 certain sectors. The form and content of verifications in testing and Safety
 Engineering are subject to change, the implications of which are to be
 appraised.

 The transfer of national competencies to supra-national institutions goes hand
 in hand, in engineering and economics too, with a change in national practices
 that have grown up and are often well-established traditions. These changes
 are to be assessed for adverse effects on safety; if necessary, countermeasures
 are to be initiated.

 The consequence is this: given the European and ultimately global need to
 advance public technical safety further, not only the conventional German
 system but other systems too are to be evaluated on the basis of a
 comparative analysis. In determining an appropriate system for ensuring
 public technical safety, the respective legal background, the state of the
 art and the needs of the economy are to be considered. The activities of
 independent third parties, too, are to be included in the forward-looking
 problem analysis, against the background of the whole span ranging from
 [institutional] bodies entrusted with national verification tasks to service
 providers acting on the market (problem area: the State's executive and
 guarantor responsibility).

 In order to develop consensus-based solutions for indisputably safe systems,
 the technical risks should first be considered and analysed. In any case,




 engineering has to lead the discussion on consensual solutions and on the
 organisational forms of the safety landscape.



 5.1.2 Safety and Legislature

 The task of ensuring Technical Safety is to be valued no differently from the
 responsibility for internal and external security. It is one of the core tasks
 of the State to establish the appropriate general framework for this purpose.
 The State and the general public are called upon to answer the question of
 which risk (in the sense of risk versus opportunity) is admissible and which
 is inadmissible. The State implements this through appropriate laws, e.g. the
 Nuclear Act [German: Atomgesetz], the Chemicals Act [German:
 Chemikaliengesetz], the Act on the Transportation of Dangerous Goods [German:
 Gesetz zur Beförderung gefährlicher Güter] and the Law on Explosives [German:
 Sprengstoffgesetz]. Ordinances substantiate the necessary precautions; the
 standards and rules referred to complete this regulatory system.

 Within the regulatory system, direct State activities are being replaced by
 increasingly practised market surveillance; depending on the risk, a balanced
 allocation of roles between the State and private stakeholders must be found
 here.



 5.1.3 Safety and Deregulation

 In safety-relevant areas, the State must not confine itself to making rules
 and threatening punishment; in parallel it must ensure their implementation
 and compliance by actively setting standards and structures to the necessary
 extent. It is the political intention to place tasks hitherto performed by the
 State more and more in the hands of private institutions and/or the economy.
 In order to maintain the necessary balance, the State's tasks must be
 adequately oriented within the changing verification and approval systems.

 The structures within Safety Engineering must be balanced between State and
 economy, just as the balance between provision (for elementary needs),
 prevention (of hazards) and repression (punishment of harmful events) has


 to be maintained. This grading of the necessary requirement profile according
 to the hazard and damage potential refers not only to technical requirements
 but also to measures in the fields of approval and surveillance. The
 involvement of all interested parties (manufacturers and operators as well as
 the State and independent third parties) and their active interaction must be
 systematically organised. This means that the State must play its part in the
 duties of approval and surveillance in a well-balanced way. The State, too,
 has to place its activities in the overall perspective of the mechanisms
 which guarantee that the maximum still acceptable risks are not exceeded.



 5.1.4 Safety and Economy

 Of great economic importance is the establishment of standards and
 regulations that are as uniform as possible and apply to large economic
 areas. Harmonising differing objectives may lead to compromises among the
 parties involved that no longer adequately reflect the original national
 implementation of standards and regulations. The rules must therefore be
 carefully shaped so that the overall system of public technical safety
 suffers no losses.

 In the Anglo-American economic area, organisational aspects (behavioural
 requirements within companies and detailed job instructions) receive more
 emphasis than in Germany, where product-related safety (requirements on
 properties and on construction methods and finishing) is emphasised more. A
 weighted balance of these positions in comprehensive systems could be
 advantageous, whereas simply adopting more organisational and fewer
 constructional requirements would be disadvantageous. In either case, it will
 henceforth be necessary to verify the intended extent of public technical
 safety through institutionalised consideration of the interface between
 property and behavioural requirements.

 This is all the more so since, within the scope of the European harmonisation
 of safety law, the property requirements on technical products will
 increasingly be determined at European level, with the objective of assuring
 the free movement of goods.






 5.1.5 Safety and Assignment of Responsibilities

 Apart from a balanced involvement of manufacturer and operator interests, the
 involvement of technical authorities and independent technical experts is
 necessary. The risks of an occurring harm and its implications, as well as the
 differences in structure between products on the one hand and technical
 facilities on the other, have to be considered. For this reason, rules of
 behaviour clearly gain in importance within the European zone and in the
 American understanding, against the background that standards for component
 parts and products may represent compromises into which the hitherto existing
 German objectives could not be brought in full.

 Inasmuch as the stringent implementation of the provision requirement of the
 Basic Law [German: Grundgesetz] is no longer carried out by national institutions
 or by institutions acting directly under national charge, it becomes necessary –
 while preserving neutrality, objectivity and continuity on behalf of the State,
 with the consequence of legal unity and legal certainty – to entrust independent
 institutions with the tasks of coordination and of ensuring the sharing of
 experience among private institutions.



 5.1.6 Safety as Prior-ranking Property of Quality

 The quality management measures practised today in some fields of application
 are by themselves not sufficient for detecting and eliminating safety-critical
 quality deficiencies and potential failure sources in due time. Nevertheless,
 there seems to be insufficient awareness that a system may only be valued as
 safe once certainty has been achieved that the safety-relevant quality attributes
 are indeed present in their specified form. Here, the necessary awareness among
 engineers and scientists has still to be formed: quality management is the
 approach which describes the technical safety attributes with sufficient accuracy
 and thus gives the responsible personnel the opportunity to take the necessary
 action and rectification.






 5.1.7 Quality Management as Approach for the Safety
       Management

 Like any other quality attribute, safety needs to be planned, traced and verified.
 In this context it is possible to fall back on proven methods, namely on the
 standard DIN EN ISO 9000 “Quality Management Systems”. The quality management
 requirements of this standard describe the prerequisites of a trustworthy system
 that is necessary for successful quality management or, in conjunction with
 Technical Safety, for trustworthy safety management. A company management
 certified in accordance with the demands of this standard is regarded as
 quality-compliant. Consequently, a safety management oriented to the demands of
 this standard may be regarded as safety-compliant. Within the perimeter of
 European aerospace companies, the standard DIN EN ISO 9000 “Quality Management
 Systems” has been implemented. The question is to what extent this standard is
 also implemented and practised in the other application fields which bear
 relevance to public safety.

 In the field of civil engineering, this system has been embodied analogously in
 the building codes [German: Bauordnungen] and is to be applied to all important
 safety-relevant building products (refer to the Model Building Code [German:
 Musterbauordnung], §§ 20 et seq., and the examination, surveillance and
 certification ordinances of the Federal States [German: Bundesländer]). In
 other engineering fields, safety or quality management systems are stipulated
 (technical facilities covered by the Hazardous Incident Ordinance [German:
 Störfallverordnung], manufacturing of packagings for hazardous materials),
 whereas the choice of the quality management system remains with those
 responsible as long as the system is effective.

 Within the framework of safety management, by which safety methodologies and
 Safety Engineering are implemented for complex systems, it must be possible to
 address open questions regarding all organisational, methodical and
 safety-related problems – but also suggestions for improvements to specified
 stipulations – to one central point of contact.






 5.1.8 Configuration Management and Change Procedures

 A framework specification for safety must, like any other specification, be
 subject to a formal approval and change procedure, namely one based on proper
 configuration management, the principles and processes of which can be
 stipulated in a guideline for configuration management.



 5.1.9 Man as Criterion for the Safety Management

 Technically complex systems are generally counted among the man-machine
 systems, in which the operating personnel are entrusted with significant
 operating functions. Above all, these functions also comprise safety-related
 functions. In such man-machine systems, particular care and attention must be
 paid to the operational involvement of the personnel.

 Here too, the necessary awareness among engineers and scientists has still to be
 formed:

 Personnel who know the safety-relevant engineering facts, who have unimpeded
 access to the necessary safety-related equipment, who are permanently and fully
 informed about the current status of operations and of the safety-related
 peripherals, and who are evaluated anew with regard to their “operational
 function”, cannot become a weak link in the chain of operational and/or safety
 functions.

 In conjunction with man-machine systems, man, with his natural capabilities and
 limitations, embodies an essential criterion for safety management.



 5.2      Communication of Technical Safety with the General
          Public

 On difficult topics, particularly those that stoke fears within the general
 public, the sciences are called upon for clarification. This applies to medicine,
 the environment, urban planning, the employment market, tax policy, energy supply
 and the safety of technical facilities. Representatives of science often suddenly
 slip into the role of legitimising the various interests and lobbies. The ideal
 of a science free of conflicts, of consensus within the sciences, is lost in the
 dispute thus initiated among scientists. The image of scientific helplessness
 emerges within the general public. This conflict is rooted in the complexity of
 many of today's problems. “Evidence” then inevitably has a hypothetical
 character. Depending on the hypothesis chosen and on the stipulated constraints,
 different conclusions result.

 Due to the ambiguity and incomprehensibility of the terms used, the general
 public feels unsure rather than informed. Here, the term “safety” can be taken as
 an example. Strictly, the competent scientist would have to point out that there
 can never be 100% safety. Figures for a probability of occurrence of 10^-7
 (1 : 10 million) leave the layman with a certain lack of comprehension. The term
 “frequency”, understood here as “rareness”, has a different meaning for the
 competent engineer than for the general public. The general public qualitatively
 associates other meanings – hazard, catastrophic potential in the event of
 damage, supposed awfulness of the harm, personal dismay, impact on one's own
 children, helpless exposure and lack of controllability. The two different
 levels of discourse do not meet. Since science has the obligation to communicate
 risks comprehensibly, it must recognise and account for five important
 psychological factors of hazard perception:

 (1)     Voluntariness:
         Hazards to which one exposes oneself voluntarily are rather underestimated.
         This applies to smoking as well as to motoring.

 (2)     Controllability:
         Hazards which seem controllable by one's own capabilities are rather
         overestimated. An example is the practice of the roofer.

 (3)     Catastrophic Potential:
         Hazards with high catastrophic potential are rather overestimated, for
         instance the possibility of many fatalities due to an aircraft crash.

 (4)     Dismay:
         Hazards which affect oneself are rather overestimated, e.g. possible side
         effects while taking medicines.




 (5)     Awareness / Familiarity:
         Hazards which are familiar are rather underestimated. Smoking may
         exemplify this factor.

 Communication on risks requires constructive handling as well as topic-oriented
 argumentation for the evaluation of the risks. Risk communication that destroys
 the confidence of the addressee often results from downplaying risks, from
 suppressing sensitive incidents or accidents, or from acting in contradiction to
 one's own statements. Reacting belatedly to public allegations instead of
 informing proactively, or issuing incomprehensible or ambiguous information,
 appears equally negative.

 For this reason, risk communication must look for new paths. Appropriate
 strategies for risk communication are:

 •       Certain forms of representing low probabilities: the relevance and the
         derivation of numerically expressed probabilities must be explained in
         each case, including the boundary conditions.

 •       Risk comparisons, e.g. the comparison of the risk of a waste incineration
         plant with that of a railway accident: only when such dimensions as
         controllability, voluntariness or catastrophic potential are comparable
         do risk comparisons have a chance of being understood.

 •       Risk compensation: here, expected risks are compared with expected
         benefit (construction of a chemical plant and its effect on the local
         employment market).

 •       Confidence and probability: comprehensible and unambiguous
         information preparation, respectful treatment of the addressees of risk
         communication, no concealment of information.

 Since risk communication is gaining more and more importance in our society,
 risk concepts must be presented which are not oriented solely towards limiting
 the probability of occurrence of incidents and accidents. In traditional
 engineering language, these are generally difficult for the layman to understand.
 The point is to emphasise the mitigation of the extent of damage and to take
 into account the psychological findings on the perception of hazards and the
 conditions for successful communication.

 Communication between interest groups with opposing objectives is futile without
 an arbitrating body as long as the capacity for compromise within the groups is
 discredited as weakness in asserting one's own interests. This is no longer a
 matter of weighing values between risks and opportunities for the community –
 however defined – when the welfare of the individual is “the measure of all
 things”. In any case, the representatives of groups have a clear mandate. When
 they appear under the banner of their group, their task in the public discourse
 can generally be recognised.

 The position of the administration is more difficult to define. The role of
 mediator between the state of scientific and technical knowledge and the safety
 needs of the general public is generally assigned to it. In practice, however,
 the institutions advising political bodies are in a position of dependency –
 which may be only “presumed” – on a superior political entity. Then it is not
 necessarily their task to commit themselves to scientific objectivity. They are
 biased to a certain extent, and their task consists in the nearly unflinching
 implementation of prescribed protection targets (public safety/security, health
 protection, environmental protection). The pressure to succeed, under which they
 are or believe themselves to be, results in the worst case in a collision of
 conflicting maximum requirements, which are decided on according to the
 principle of expediency but politically detached from the real world. The
 balance of interests that is actually desirable, which would have to lead to a
 factual elaboration of political options at an interdisciplinary level of
 experts, is thereby missed.

 The trend towards overcoming this problem of representative democracy, wherever
 possible, is therefore to be welcomed. First of all, it is necessary to
 familiarise the general public with the facts and uncertainties in the run-up to
 safety-relevant decisions. The general public must be placed in a position to
 become aware of the scope of the options in all their facets, so that each
 interested person can decide against his personal background. One should thereby
 detach oneself from the perception that it is the individual's obligation to
 gather information and that the possibility of involvement always exists. The
 “silent majority” is to be motivated by a highly visible offer to take an active
 part in the consensus of the informed.




 In principle, we have this option. The public-service media could play the role
 of an educational institution and provide the forum for risk communication.
 Today's flattened discourse could be replaced by a fascinating transfer of
 knowledge within a discourse whose participants are bound to a culture of
 discussion (while utilising generally available information and communication
 techniques). If one succeeded in establishing this framework of disputation on
 the results of scientific and technical innovation as a routine, the pressure on
 the experts would rise to make their knowledge available to the general public
 and to measure themselves against the response of the audience.

 Risk communication within a discourse based on democratic understanding is a
 hard venture, and one with an uncertain outcome.






 6        Recommendations

 Even though a different impression may currently prevail among the broad
 public, we engineers state again and again that the advancement of Technical
 Safety has always kept pace with the advancement of engineering as a whole.
 However, it must also be stated that the interdisciplinary cooperation with which
 the growing specialisation in engineering is met is realised in Safety
 Engineering only in rudimentary form. While within general engineering the
 all-encompassing approaches and management methods from systems engineering, by
 means of which specialised work based on the division of labour can be
 reintegrated on an interdisciplinary basis, have proven themselves for a long
 time, Safety Engineering, technical safety law and the corresponding
 standardisation seem to have remained unaffected by them even today. There is a
 strong need to introduce the all-encompassing approaches and management methods
 from systems engineering into Safety Engineering, too, in the same manner as
 they have been common practice within general engineering for decades. The
 methodical safety approach dealt with in this Memorandum could serve as this
 all-encompassing approach for Safety Engineering; a suitable management method,
 as also practised in systems engineering, could be the standard DIN EN ISO 9000
 “Quality Management Systems”. The Association of German Engineers [German:
 Verein Deutscher Ingenieure] offers the interdisciplinary working platform to
 elaborate the main features presented here to the necessary extent and to keep
 them updated.

 In the preceding paragraphs, it was shown how Technical Safety is planned,
 generated and maintained on a long-term basis. It was also described how the
 different influences – of both technical and human origin – affect a production
 process. The persons responsible for a product must be aware of the safety level
 achieved during each planning and production step, as each successive step is
 based on the preceding step; errors which are not detected are otherwise
 perpetuated. Here, too, it holds that one only sees and respects what one is
 aware of.

 Society, which pays for learning and research and promotes technology, has a
 right to be kept informed. Therefore, there is an obligation to deliver
 information about the interrelations of





 The engineering and natural sciences are obliged to supply information on the
 correlations of Technical Safety. The significant areas are addressed below.



 6.1      Research Landscape

 The research landscape is subdivided into four areas, namely into

 •       Universities (university colleges, colleges of higher education as well as
         conservatories and colleges of art, predominantly under the legal and
         financial responsibility of the federal states),

 •       Research (promotion) organisations (“German Research Foundation”,
         “Helmholtz Association”, “Max Planck Society”, “Fraunhofer Society”
         and “Scientific Community Gottfried Wilhelm Leibniz”),

 •       Research centres of industry, including the small and medium-sized
         enterprises (SMEs),

 •       Research institutes of the Federation and the states.

 Research in the Federal Republic of Germany thus has a high potential, which is
 also shown by the ratio of gross domestic expenditure on research and
 development to gross domestic product of 2.55% (for the year 2003). There was
 again a large increase from 1998 to 2003, so that in 2003 a total of 54.3
 thousand million euros was made available. The share of industry amounted to
 around two thirds. The share of research that can be attributed to safety
 research cannot be continuously identified. If one assumes that the emphasis
 lies on economic research for products and that the other types contribute lower
 shares to safety research, then it can only be inferred that the share for
 research on safety problems is too low.

 Given that products from Germany are expected to feature, almost as a brand
 mark, a high level of safety in addition to a high level of quality, which
 expresses an expectation of the market, research must be increasingly devoted to
 safety matters.




 •       To begin with, an evaluation of safety research can help to clarify
         whether its quality is at the needed level.

 •       Based on that, a reorientation must be established. Thus, the Research
         Committee “Safety Engineering in Chemical Facilities” of the Society for
         Chemical Engineering and Biotechnology [German: Gesellschaft für
         Chemische Technik und Biotechnologie – Dechema] and the VDI-Society
         for Chemical and Process Engineering [German: VDI-Gesellschaft
         Verfahrenstechnik und Chemieingenieurwesen – GVC] complain, for example, of

         – The missing sponsoring of topics related to Safety Engineering by the
           public authorities,

         – The trend that chairs and institutes which were in the past primarily
           focussed on Safety Engineering are more and more directed at other
           fields of research,

         – The regression of the content and opportunities of vocational training
           which comes along with the cutbacks in research capacities at
           universities in the field of Safety Engineering,

         – The lack of adequate basic knowledge of Safety Engineering among
           academic graduates, which still has to be communicated additionally
           through external or company-internal seminars,

         – A notably decreased number of (academic) students in chemical and
           process engineering, which likewise reduces the propagation of
           safety-related knowledge, and

         – The increasingly confined freedom of action within German industry for
           research and development in Safety Engineering, too, amongst others in
           the wake of global competition, which is in part aggravated by
           non-uniform international frameworks.

 This also applies in general and underlines the recommendation made here for a
 reorientation of safety research.






 The complexity, the economic interdependence and the necessary depth of detail,
 as well as the new fields of dynamically proceeding innovation, require the
 integration of research in Germany into international networks, especially
 those of the European Union. Here, new organisations are constantly being
 constituted, such as the European Technology Platforms. The platform “Safety
 for Sustainable European Industry Growth” alone comprises several focus groups
 dealing with topics relating to risk and Human Factors Engineering.

 The international integration of German safety research is to be defined and
 managed; suitable structures are to be designated and established for it.

 Internationalisation is dealt with in more detail in para. 6.4.



 6.2      Educational and Training Options of Universities and
          Academies

 A range of teaching at the needed high level can only be maintained in
 connection with profound research, in order to provide the economy with
 sufficient qualified engineers. Safety Engineering must therefore be an integral
 constituent of the curriculum of all universities of applied sciences [German:
 Fachhochschulen], technical universities [German: Technische Universitäten]
 and universities, just as it must be a subject of further training measures at
 private educational institutions.

 The necessary training measures for offering a basic safety-related education
 must be borne by technical universities and universities within the framework of
 the engineering curriculum. The offers that have to be made available in tertiary
 education include first of all:

 •       Engineering results assessment and risk analysis,

 •       Risk communication,

 •       Influences of human behaviour on safety (Human Factors),

 •       Interdisciplinary cooperation competence,




 •       Emergency planning,

 •       The role of national and international regulation efforts,

 •       Vocational ethical principles of engineers’ activities.

 In view of the range and societal importance of the educational offers necessary
 for this, the currently observable cutback of qualified teaching capacities and
 the rededication of safety-related chairs to other fields at technical
 universities and universities is not appropriate. For the benefit of ensuring
 Technical Safety in the future, the authorities for education and cultural
 affairs responsible for universities and colleges are called upon to stop this
 cutback quickly. In order to counteract the resulting shortage of competent
 teaching staff, industry should consider setting up foundations for chairs
 dedicated to Safety Engineering.

 The long-term provision for preserving competence in Safety Engineering and
 adapting this competence to new technical and societal challenges has to be
 undertaken in particular by the private educational institutions of industry. It
 is appreciated that the establishment of training academies and teaching
 institutions (e.g. simulator centres for periodical examination and continuing
 renewal of necessary competencies) has been promoted in several branches of
 industry for many years. However, safety-related questions only play a
 subordinate role in the curriculum. This requires urgent correction. Therefore,
 industry is called upon to train and employ personnel qualified in Safety
 Engineering on a long-term basis, in order to guarantee that no bottlenecks in
 safety-related competencies result from the natural retirement of experienced
 specialists and a possible lack of growth among succeeding specialists. This
 calls for future-oriented knowledge and information management through
 exhaustive documentation of technical decisions and associated measures for
 passing on the accumulated knowledge (refer to para. 6.3.3).



 6.3      Focus Themes

 6.3.1 General Public

 Acceptance of technology within the general public depends largely on how far a
 comprehensive understanding of the conditions and limits of the safe engineering
 of technologies is achieved by the persons affected by technical reality. In the
 sense of an obligation to deliver, this obliges all experts and institutions
 dealing with safety questions (scientists, research institutions, engineers,
 courts of justice, industry and the public sector) to inform the general public,
 by means of comprehensible information and communication strategies, of the
 needs and opportunities of safe technology.

 Multipliers and opinion leaders have a particular value in providing objective
 information for the general public: media representatives, executive personnel
 of the political parties, teachers at schools and universities as well as at
 other private and public educational institutions, and representatives of
 engineers' and industrial associations.

 To enable the transfer of appropriate information from the “producers” of the
 technology to the “end users”, the organisation of networks for technical safety
 with topic-related contact offices (“nodes”) should be envisaged. These nodes
 would then have to be run by qualified experts to cover the information needs of
 the interested public or to act as an agency for the corresponding professional
 competence centres.



 6.3.2 Technology Council

 Safety Engineering must be treated holistically and considerably more
 systematically. The limits of engineering fields must be overcome, just as
 sectional fields of responsibility must be made permeable for safety-related
 matters. The historically evolved structuring of Safety Engineering according to
 application-oriented reference and professional fields leads today to countless
 committees, panels and boards. In interdisciplinary technology projects, their
 specialised regulations cause a multitude of interface problems that are
 difficult to handle.

 As a vision, a safety codex “Technology and Engineering” would be an ideal type
 of solution for increasing the efficiency of action in engineering, and here for
 the entirety of the economy, including the safety-related evaluation of the
 corresponding elements of engineering activities. The target parameter, that is
 to say the long-term generation of a safety codex “Technology and Engineering”,
 can be an outstanding task for a Technology Council, which would be created in
 analogy to a science council.

 This Technology Council would give advice to the Federal Government. An
 outstanding focus would be the development of the universities, science and
 research. It would give recommendations and comments on two core areas, namely
 on the scientific institutions and on questions spanning the scientific system.
 A Technology Council should not only inform and advise the Federal Government
 and, if necessary, the governments of the federal states, but as a matter of
 course, in any case, also the economy and the societal groups on questions of
 how to deal with technology and engineering.

 As one of its working focuses, the Technology Council could take responsibility
 for the above-mentioned safety codex “Technology and Engineering”, controlling
 it through appropriate structures and supporting it as regards content. Another
 working focus could then be Safety Engineering, which through this part of the
 Technology Council would have an optimum overall view of all engineering
 elements. Further focuses – such as ethics and science – are imaginable and
 should be defined and stipulated in consultation with the economy. Certainly,
 the innovation potential in engineering belongs to this area of further working
 focuses, as does the implementation of research results in marketable products
 in the field of technology and engineering.

 The State, represented by the Federal and Federal State Governments, which are
 here responsible also for the interests of the general public, as well as
 industry and other non-governmental organisations such as labour unions and
 environmental associations, would act as the sponsoring body for the Technology
 Council. Further details on the structures and working methods are reserved for
 the consultations of the VDI committee “Technical Safety”. For professional
 support, the secretariat of such a Technology Council would be placed at the
 Association of German Engineers [German: Verein Deutscher Ingenieure –
 VDI].



 6.3.3 Information Management

 Against the background that technical safety concepts and man-machine interfaces
 of complex systems are neither trivial to describe nor easy to control, the
 documentation and communication of the technical and organisational sub-concepts
 have become an important constituent of the integrated safety concept. The
 beneficial tools for effective documentation and communication are provided by
 the discipline of information or knowledge management. The term “information
 management” was launched in the mid-eighties in the United States in connection
 with considerations for an approach to a paper-free office. Today, the term
 “knowledge management” is used synonymously, although strictly speaking the
 knowledge in people's heads cannot be managed. What is referred to as knowledge
 management is ultimately information management and serves to establish the
 framework conditions for knowledge work. Due to the historical evolution, the
 term “knowledge management” became accepted. The discipline “information or
 knowledge management” is rooted in information technology, with the main focus
 on documentation and the electronic exchange of information. The instruments of
 information management have been strongly supplemented by contributions from
 the economic and social sciences; cybernetics and communication psychology have
 also contributed. It is certainly no accident that over the past 20 years safety
 and hazard prevention management was established in parallel to information and
 knowledge management, so that instruments of information management can
 likewise be utilised step by step for safety management. Without these, highly
 safety-sensitive systems such as air transport or nuclear and chemical
 facilities could not be kept at the high level of safety that is binding in an
 industrial society. In the field of Technical Safety, the instruments of
 information management must be utilised increasingly in those technical and
 economic fields in which – due to their structure (e.g. small and medium-sized
 enterprises) or their diversity and individuality regarding safety-relevant
 questions (e.g. process plants) – modern instruments of information management
 are only partially implemented.

 The objective of information management is sometimes strikingly summarised in
 the slogan “The right information at the right time at the right place”.
 Ultimately, only the efficiency aspect is still missing. The effort spent on
 information management must be proportionate to the safety-related question,
 both with regard to the risk in all the facets described and with regard to the
 economic framework conditions within which a company, a test organisation or an
 authority can or must act.





 The quoted slogan gives rise to a number of questions concerning the real
 challenges to be met by information management:

 •       Are all safety-relevant aspects taken into account for the respective task?
         Today it is not difficult to collect any information from libraries or the
         Internet.

 However, additional questions arise:

 •       How can the information relevant to my task be filtered out, and how
         can it be condensed in a task-related manner?

 •       Are all data – also those affecting peripheral issues – gathered?

 The increasing specialisation of the different disciplines makes it ever more
 necessary to look at adjacent disciplines when searching for safety solutions,
 and ultimately the age-old question still remains:

 •       Are the data and information, which have been gathered, correct?

 Specialised experts always have been, and will remain, the key to success in
 finding solutions to such questions. There is a broad consensus that suitable
 IT platforms such as intranets, the Internet, databases and retrieval systems
 are necessary prerequisites, just as paper, pencil and written documents were
 in former times. However, the success of information management depends on
 whether people are placed at the centre of attention. If one acts on this
 perception, current work in the field of information and knowledge management
 can be focused so that the interaction between the persons involved is
 supported, irrespective of whether these are individual experts or groups,
 whether they belong to open expert networks or closed communities, and whether
 they communicate within a company or authority or across institutions or
 interest groups. National networks thereby stand alongside European and
 international networks. For example, the European Union promotes the formation
 of European networks mainly with the aim of strengthening the economy, but also
 with the aim of ensuring the level of safety expected by society. Networks
 focusing mainly on safety-related topics have difficulties, as the funds for
 supporting networks flow mainly into projects that promise direct economic
 success. The bodies concerned in companies, in politics and in administrative
 authorities are therefore called upon to provide the necessary resources in
 keeping with the particular importance of Technical Safety in an ever more
 complex society, in order to ensure that the right safety-related information
 is made available at the right time in the right place.



 6.4      Emergency Planning

 The emergency planning for large-scale damaging events must also be organised
 on a more international basis. In Germany alone, it must be reckoned that
 numerous products and systems whose intrinsic safety is sufficiently proven and
 documented nevertheless display further risks in their Operation and
 Utilisation Phase. Such hazard sources can clearly overstep the inherent product
 and system limits and endanger a larger environmental domain that is not
 causally linked with the product or its operation. In such cases, the safety
 philosophy for keeping control over the product must also include emergency
 planning for the environmental domain potentially affected. Besides the
 facilities of companies and economic associations, this normally includes the
 national facilities of the executive branch (such as the district governments,
 the district administrators and mayors), but also the institutions directly
 responsible for disaster control (such as the fire brigades and the German
 Federal Agency for Technical Relief [German: Bundesanstalt Technisches
 Hilfswerk]). The structure and responsibilities of the entire network must be
 defined more clearly, and the interface to the planners and operators of
 products, systems and technical facilities is to be institutionalised.

 Transnational implications are not only possible but increasingly to be expected.
 The clearer structuring of the network recommended for the Federal Republic of
 Germany must be transferred analogously into a recommendation for the
 international structure of relief organisations.



 6.5      Internationalisation

 The globalisation of the markets also requires the internationalisation of Safety
 Engineering by the product and system manufacturers. More and more frequently,
 goods and their manufacture have to meet safety-related principles that ensure
 their unrestricted exchange and their safe utilisation in the consignee states.
 The forces of the market alone are not sufficient to adequately configure the
 safety attributes of products and systems, because economic considerations
 often conflict with that purpose. Therefore, a safety structure is necessary
 which establishes the minimum standards of Technical Safety on the market by
 means of state-run surveillance and effective sanctions.

 Thereto, transnational agreements on governmental level are essential.






 7        Concluding Remark

 Drawing on its interdisciplinary expert competence, the Association of German
 Engineers [German: Verein Deutscher Ingenieure] sees itself called upon to
 initiate and promote this process of awareness for Technical Safety. The
 Memorandum presented here forms the basis for the interdisciplinary
 safety-methodical approach to be derived from it.

 The presentation of this safety-methodical approach is intended to show a wider
 expert community how Technical Safety is generated and which methodical
 approaches are necessary. The paths shown are realistic and feasible through
 consistent, ethically reflective action by the experts involved across the
 disciplines. Mutual trust between society on the one hand and technology and
 engineering on the other is important, and it can only be achieved by an open
 and honestly held discourse.

 The discernible technophobia of a non-technical audience must be alleviated by
 briefings, comprehensible to laymen, about the risks of dealing with technical
 products. This in turn can only succeed if the terms and methods in the field
 of Safety Engineering are first harmonised among the experts across the
 disciplines and defined in a trusted manner. Just like technology and
 engineering in general, Safety Engineering also requires generalised approaches
 for interdisciplinary action as well as appropriate management procedures based
 on the perceptions of systems engineering. This still requires a great deal of
 effort in the fields of science and industry.

 The steps which the Commission and the Council of the European Union (EU)
 have taken with the implementation of the “New Approach” and the “General
 Approach” are definitely leading in the right direction. Because of their focus
 on the free movement of goods, however, they exhibit obvious weaknesses in
 certain sectors, particularly in those industrial domains in which the EU
 assessment of the respective products is not followed by a system verification
 by a national body, and which therefore lag far behind the effectiveness of the
 replaced systems that had grown historically in response to actual needs. These
 weaknesses, which the experts dealing with safety questions have recognised
 since the introduction of these approaches, are manifold, and the European
 Commission is currently revising them. Besides the product-related directives,
 the “General Product Safety Directive”, 2001/95/EC, of 03.12.2001 (published in
 the Official Journal No. L 011 of 15.01.2002) also applies; it stipulates that
 all products put on the market within the European Economic Area must be safe.
 How this is to be ensured requires further regulations, and not only in the
 field of safety law, but above all in the subject matter of Safety Engineering
 itself.

 All concerned and interested persons and institutions are therefore called upon
 to engage in the further shaping of an interdisciplinarily applicable
 safety-methodical approach and its implementation.



 INFORMATION ABOUT THE TERMS AND DEFINITIONS
 UTILISED IN THIS MEMORANDUM:

 The interdisciplinary purpose of this VDI Memorandum implies that the terms and
 definitions used here are to be understood in one and the same sense across the
 different technical and non-technical disciplines. For Safety Engineering,
 however, the terms and definitions used in the different fields of engineering
 are too divergent to meet this demand. For that reason, the VDI committee
 “Technical Safety” has established a database-aided glossary into which the
 necessary terms and definitions can be entered for better comprehension of this
 Memorandum 4 .




 4
      The respective database, which for the time being is not yet finalised, can be viewed at the following
      Internet address:
         URL:         www.tes.bam.de/vdi
      The following access data are applicable (note that they are case-sensitive):
         Login:    VDI
         Password: Positionspapier

