SAFETY I - Sitraer 2014

Report
SYSTEMS-THEORETIC ACCIDENT MODEL AND PROCESSES (STAMP) APPLIED TO DESIGN A SAFETY-DRIVEN CONCEPT OF AN AIR NAVIGATION SERVICE PROVIDER (ANSP)
A bit of the History of Accident Prevention in Complex Systems
NAT – Normal Accident Theory
HRO – High Reliability Organizations
NAT + HRO – Mixed
NAT
Interactive complexity and tight coupling in some technological systems, such as nuclear power plants, lead to unpredictability of interactions and hence to system accidents that are inevitable or “normal” [Perrow 1999].
HRO
Preoccupation with failure, reluctance to simplify interpretations, sensitivity to operations, commitment to resilience, and deference to experience [Weick 1999].
Does a plane crash mean that NAT is right, or does the reduction in plane crashes over time mean that HRO is right? [Leveson 2008]
NAT + HRO
Complexity and Tight Coupling + Redundancy and Decentralized Decisions
Both groups assume accidents are caused by component failures. This confusion of component reliability with system safety leads to a focus on redundancy as a way to enhance reliability, without considering other ways to enhance safety. [Leveson 2008]
Common assumptions (myths) about “safety”
- That if each person and component in the system operates reliably, there will be no accidents
- Increasing protection will increase safety
- Human error is the largest single cause of accidents and incidents
- The system will be safe if people comply with the procedures they have been given
- Accident analysis can identify the root causes (the ‘truth’) of why the accident happened
- Accident investigation is the logical and rational identification of causes based on facts
- Retrospective analysis of adverse events is required and is perhaps the best way to improve safety
Detected procedures in accident investigation
Contemporary theories concerning Accident Prevention in Complex Systems
http://skybrary.aero/index.php/Toolkit:Systems_Thinking_for_Safety/Systems_Thinking_Methods
Resilience Engineering (RE)
[Figure: Safety I vs. Safety II]
Safety I (e.g. SMS): focus on what went wrong (Icarus)
Safety II (e.g. RE): focus on what goes right (Daedalus)
ETTO – FRAM
Accident Analysis
STAMP – Systems-Theoretic Accident Model and Processes
STAMP (Systems-Theoretic Accident Modeling and Processes) is expected to allow managers to detect hazards within the organization more effectively, starting from the early design stage.
STAMP/CAST – Causal Analysis based on STAMP
STAMP/STPA – Systems-Theoretic Process Analysis
Example of a Safety Control Structure
ANSP
ANSP Safety Control Structure
ANSP Safety Control Structure (CBO analysis)
ANSP Safety Control Structure (CBO and TBO analysis)
Successful cases of using STAMP/STPA in industry
http://psas.scripts.mit.edu/home/2013-workshop-presentations/
FAA
Thank You!!!
