SYSTEMS-THEORETIC ACCIDENT MODEL AND PROCESSES (STAMP) APPLIED TO DESIGN A SAFETY-DRIVEN CONCEPT OF AN AIR NAVIGATION SERVICE PROVIDER (ANSP)

A bit of the History of Accident Prevention in Complex Systems
  NAT – Normal Accident Theory
  HRO – High Reliability Organizations
  NAT + HRO – Mixed

NAT
  Interactive complexity and tight coupling in some technological systems, such as nuclear power plants, lead to unpredictable interactions and hence to system accidents that are inevitable or "normal". [Perrow 1999]

HRO
  Preoccupation with failure, reluctance to simplify interpretations, sensitivity to operations, commitment to resilience, and deference to expertise. [Weick 1999]

  Does a plane crash mean that NAT is right, or does the reduction in plane crashes over time mean that HRO is right? [Leveson 2008]

NAT + HRO
  Complexity and tight coupling + redundancy and decentralized decisions.
  Both groups assume accidents are caused by component failures. This confusion of component reliability with system safety leads to a focus on redundancy as a way to enhance reliability, without considering other ways to enhance safety. [Leveson 2008]

Common assumptions (myths) about "safety"
  If each person and component in the system operates reliably, there will be no accidents.
  Increasing protection will increase safety.
  Human error is the largest single cause of accidents and incidents.
  The system will be safe if people comply with the procedures they have been given.
  Accident analysis can identify the root causes (the "truth") of why the accident happened.
  Accident investigation is the logical and rational identification of causes based on facts.
  Retrospective analysis of adverse events is required and is perhaps the best way to improve safety.

Detected procedures in accident investigation

Contemporary theories concerning Accident Prevention in Complex Systems
  http://skybrary.aero/index.php/Toolkit:Systems_Thinking_for_Safety/Systems_Thinking_Methods

Resilience Engineering (RE)
  SAFETY I (e.g. SMS): focus on what went wrong (Icarus)
  SAFETY II (e.g. RE): focus on what goes right (Daedalus)
  ETTO – FRAM

Accident Analysis

STAMP – Systems-Theoretic Accident Model and Processes
  STAMP is expected to allow managers to detect hazards within the organization more effectively, starting from the early design stage.

STAMP/CAST – Causal Analysis based on STAMP

STAMP/STPA – Systems-Theoretic Process Analysis

Example of a Safety Control Structure

ANSP Safety Control Structure
  ANSP Safety Control Structure (CBO analysis)
  ANSP Safety Control Structure (CBO and TBO analysis)

Successful cases of using STAMP/STPA in industry
  http://psas.scripts.mit.edu/home/2013-workshop-presentations/
  FAA

Thank You!!!