A System's Approach to Safety. Prof. Nancy Leveson, Aeronautics and Astronautics, MIT
2 The Problem
3 Why do we need a new approach?
- New causes of accidents in complex, software-intensive systems
- Software does not fail; it usually issues unsafe commands
- Role of humans in systems is changing
- Traditional safety engineering approaches were developed for relatively simple electro-mechanical systems
- We need more effective techniques for these new systems and new causes
4 Accident with No Component Failures
5 Types of Accidents
- Component Failure Accidents: single or multiple component failures; usually assume random failure
- Component Interaction Accidents: arise in interactions among components; related to interactive complexity, coupling and use of computers
- Level of interactions has reached the point where they can no longer be thoroughly planned, understood, anticipated, or guarded against
6 So What Do We Need to Do? (Engineering a Safer World)
- Expand our accident causation models
- Create new hazard analysis techniques
- Use new system design techniques: safety-driven design; improved system engineering
- Improve accident analysis and learning from events
- Improve control of safety during operations
- Improve management decision-making and safety culture
7 An Expanded View of Accident Causes
8 Accident Causality Models
- Underlie all our efforts to engineer for safety
- Explain why accidents occur
- Determine the way we prevent and investigate accidents
"All models are wrong, some models are useful" (George Box)
9 Chain-of-Events (Domino) Causation Models
- Assumption: accidents are caused by chains of component failures
- Simple, direct relationship between events in the chain; ignores non-linear relationships, feedback, etc.
- Events almost always involve component failure, human error, or an energy-related event
- Forms the basis for most safety-engineering and reliability-engineering analysis (e.g., FTA, PRA, FMECA, event trees, etc.) and design (e.g., redundancy, over-design, safety margins, ...)
10 Chain-of-events example
11 Limitations of Chain-of-Events Causation Models
- Oversimplifies causality
- Excludes or does not handle: component interaction accidents (vs. component failure accidents); indirect or non-linear interactions among events; systemic factors in accidents; human errors; system design errors (including software errors); migration toward states of increasing risk
12 The Computer Revolution
- General Purpose Machine + Software = Special Purpose Machine
- Software is simply the design of a machine abstracted from its physical realization
- Machines that were physically impossible or impractical to build become feasible
- Design can be changed without retooling or manufacturing
- Can concentrate on the steps to be achieved without worrying about how the steps will be realized physically
13 Advantages = Disadvantages
- The computer is so powerful and useful because it has eliminated many of the physical constraints of previous technology
- Both its blessing and its curse: we no longer have to worry about the physical realization of our designs, but we no longer have physical laws that limit the complexity of our designs.
- What does failure of a design (a pure abstraction) mean?
14 Software-Related Accidents
- Are usually caused by flawed requirements: incomplete or wrong assumptions about the operation of the controlled system or the required operation of the computer; unhandled controlled-system states and environmental conditions
- Merely trying to get the software correct or to make it reliable will not make it safer under these conditions.
15 Software-Related Accidents (2)
Software may be highly reliable and correct and still be unsafe:
- Correctly implements requirements, but the specified behavior is unsafe from a system perspective.
- Requirements do not specify some particular behavior required for system safety (incomplete)
- Software has unintended (and unsafe) behavior beyond what is specified in the requirements.
16 Safety ≠ Reliability
- Safety and reliability are NOT the same; sometimes increasing one can even decrease the other.
- Making all the components highly reliable will have no impact on system accidents.
- For relatively simple, electro-mechanical systems with primarily component failure accidents, reliability engineering can increase safety. But this is untrue for complex, software-intensive sociotechnical systems.
17 "It's only a random failure, sir! It will never happen again."
18 Operator Error: Old View (Sidney Dekker, Jens Rasmussen)
- Operator error is the cause of incidents and accidents
- So do something about the operator involved (suspend, retrain, admonish)
- Or do something about operators in general: marginalize them by putting in more automation; rigidify their work by creating more rules and procedures
19 Operator Error: New View
- Operator error is a symptom, not a cause
- All behavior is affected by the context (system) in which it occurs
- To do something about error, must look at the system in which people work or operate machines: design of equipment; usefulness of procedures; existence of goal conflicts and production pressures
20 Hindsight Bias Sidney Dekker, 2009
21 Overcoming Hindsight Bias
- Assume nobody comes to work to do a bad job.
- Investigation reports should explain: why it made sense for people to do what they did; what changes will reduce the likelihood of it happening again
22 Adaptation
- Systems are continually changing: planned changes; unplanned changes
- Rasmussen: systems and organizations migrate toward accidents (states of high risk) under cost, productivity, and profit pressures in an aggressive, competitive environment
- During operations need to: control planned changes; control and/or detect unplanned changes
23 Simplified System Dynamics Model of Columbia Accident
24 STAMP A new accident causation model using Systems Theory (vs. Reliability Theory)
25 Applying Systems Thinking to Safety
- Losses are the result of complex processes, not simply chains of failure events
- Accidents can occur due to unsafe interactions among components (component failure accidents vs. component interaction accidents)
- Most major accidents arise from a slow migration of the entire system toward a state of high risk; need to control and detect this migration
26 STAMP (System-Theoretic Accident Model and Processes)
Treat safety as a dynamic control problem rather than a component failure problem:
- The O-ring did not control propellant gas release by sealing the gap in the field joint of the Challenger Space Shuttle
- Software did not adequately control the descent speed of the Mars Polar Lander
- The public health system did not adequately control contamination of the milk supply with melamine
- The financial system did not adequately control the use of financial instruments
- Deepwater Horizon design and operations did not adequately control the release of hydrocarbons from the well
- The Washington Metropolitan Area Transit Authority railway design and operations did not adequately control separation between trains
27 Safety is a Control Problem (2)
- Events are the result of inadequate control
- Result from lack of enforcement of safety constraints in system design and operations
- A change in emphasis: from "prevent failures" to "enforce safety constraints on system behavior"
28 STAMP (2)
- Systems can be viewed as hierarchical control structures
- Systems are treated as interrelated components kept in a state of dynamic equilibrium by feedback loops of information and control
- Controllers impose constraints upon the activity at a lower level of the hierarchy: safety constraints
29 Example Safety Control Structure
32 Safety Constraints
- Each component in the control structure has: assigned responsibilities, authority, accountability; controls that can be used to enforce safety constraints
- Each component's behavior is influenced by: the context (environment) in which it is operating; knowledge about the current state of the process
33 Control processes operate between levels of control
(Diagram: a Controller holding a Model of the Process sends Control Actions to the Controlled Process and receives Feedback from it)
- Accidents occur when the model of the process is inconsistent with the real state of the process and the controller provides inadequate control actions
- Feedback channels are critical, in design and in operation
34 Relationship Between Safety and Process Models
Accidents occur when models do not match the process and:
- Required control commands are not given
- Incorrect (unsafe) ones are given
- Correct commands are given at the wrong time (too early, too late)
- Control stops too soon
Explains software errors, human errors, component interaction accidents
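The following is an added illustration, not code from the slides or from Leveson's work: a toy STAMP control loop in which a controller's process model drifts from the real process because feedback is dropped or corrupted, and a checker that labels each resulting inadequate control action with one of the four types listed on slide 34. The train-separation setting, thresholds, trajectories and feedback-channel behaviour are all constructed for the example.

```python
"""Toy STAMP control loop (added example; not from the slides).

A controller chooses BRAKE / CRUISE / ACCELERATE for a following train from
its *process model* of the separation to the train ahead.  The model is
refreshed only by a feedback channel that may drop or corrupt messages.
classify() then compares what was commanded against the safety constraint
and labels violations with slide 34's four types of inadequate control."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

BRAKE_DISTANCE = 100.0  # constructed safety constraint: separation below 100 m requires BRAKE
ACCEL_DISTANCE = 200.0  # constructed: controller accelerates only if it believes separation > 200 m
MAX_LATENCY = 1         # ticks a BRAKE may lag the start of a violation before it is "too late"

NOT_GIVEN = "required BRAKE not given"
UNSAFE_GIVEN = "unsafe command (ACCELERATE) given"
TOO_LATE = "BRAKE given too late"
STOPPED_TOO_SOON = "BRAKE stopped too soon"


@dataclass
class Controller:
    """Decides from its process model, which changes only when feedback arrives."""
    model_separation: float = float("inf")

    def ingest(self, feedback: Optional[float]) -> None:
        if feedback is not None:          # a dropped message leaves the model stale
            self.model_separation = feedback

    def decide(self) -> str:
        if self.model_separation < BRAKE_DISTANCE:
            return "BRAKE"
        if self.model_separation > ACCEL_DISTANCE:
            return "ACCELERATE"
        return "CRUISE"


def run_loop(true_separation: List[float],
             feedback: List[Optional[float]]) -> List[Tuple[int, float, float, str]]:
    """One tick per sample: deliver feedback[t] (None = dropped), then act.
    Returns (tick, true separation, controller's model, action)."""
    ctrl = Controller()
    trace = []
    for t, sep in enumerate(true_separation):
        ctrl.ingest(feedback[t])
        trace.append((t, sep, ctrl.model_separation, ctrl.decide()))
    return trace


def classify(trace) -> List[Tuple[int, str]]:
    """Check every tick against the constraint and label inadequate control."""
    findings = []
    episode_start = None   # tick at which the current violation began
    braked = False         # whether BRAKE has been given in this episode
    for t, sep, _model, action in trace:
        if sep >= BRAKE_DISTANCE:          # constraint satisfied: episode over
            episode_start, braked = None, False
            continue
        if episode_start is None:
            episode_start = t
        overdue = t - episode_start > MAX_LATENCY
        if action == "BRAKE":
            if not braked and overdue:
                findings.append((t, TOO_LATE))
            braked = True
        elif action == "ACCELERATE":       # wrong command while in the hazard
            findings.append((t, UNSAFE_GIVEN))
        elif braked:                       # braking was given, then withdrawn
            findings.append((t, STOPPED_TOO_SOON))
        elif overdue:                      # still nothing after the grace window
            findings.append((t, NOT_GIVEN))
    return findings


def scenarios():
    """Three constructed feedback failures; each produces different types."""
    return {
        "dropped feedback":  # three readings lost while the gap closes slowly
            ([300, 250, 200, 150, 90, 80, 70, 60, 50, 120, 200],
             [300, 250, 200, 150, None, None, None, 60, 50, 120, 200]),
        "stale model":       # channel silent while the gap closes fast
            ([300, 80, 80, 80], [300, None, None, 80]),
        "corrupted feedback":  # garbled readings arrive mid-episode
            ([300, 90, 85, 80, 75, 150], [300, 90, 85, 150, 150, 150]),
    }


def analyse(name: str) -> List[Tuple[int, str]]:
    true_sep, fb = scenarios()[name]
    return classify(run_loop(true_sep, fb))


if __name__ == "__main__":
    for name, (true_sep, fb) in scenarios().items():
        print(name)
        trace = run_loop(true_sep, fb)
        for t, sep, model, action in trace:
            print(f"  t={t:2d} true={sep:5.0f} model={model:5.0f} -> {action}")
        for t, label in classify(trace):
            print(f"  tick {t}: {label}")
```

Every finding coincides with a tick where the model column differs from the true column, which is the slide's point: the unsafe command is a symptom, the mismatched process model and the failed feedback channel are the cause.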
35 A Broad View of Controls
Component failures and unsafe interactions may be controlled:
- through design (e.g., redundancy, interlocks, fail-safe design, other design techniques)
- or through process: manufacturing processes and procedures; maintenance processes; operations
- or through social controls (cultural, policy, regulation, individual self-interest)
37 Summary: Accident Causality
Accidents occur when:
- The control structure or control actions do not enforce safety constraints: unhandled environmental disturbances or conditions; unhandled or uncontrolled component failures; dysfunctional (unsafe) interactions among components
- The control structure degrades over time (e.g., asynchronous evolution)
- Control actions are inadequately coordinated among multiple controllers
39 A Third Source of Risk: control actions inadequately coordinated among multiple controllers
(Diagram: boundary areas, where Controller 1 controls Process 1 and Controller 2 controls Process 2; overlap areas, where Controller 1 and Controller 2 both act on one Process, with side effects of decisions and control actions)
Copyright Nancy Leveson, Aug. 2006
40 Uncoordinated Control Agents
(Diagram: SAFE STATE: either TCAS or ATC provides instructions to both planes. UNSAFE: both TCAS and ATC provide uncoordinated and independent instructions to the planes; Control Agent (TCAS) and Control Agent (ATC) each issue instructions with no coordination between them)
41 (From Rasmussen)
42 Uses for STAMP
- More comprehensive accident/incident investigation and root cause analysis
- Basis for new, more powerful hazard analysis techniques (STPA)
- Safety-driven design (physical, operational, organizational)
- Can integrate safety into the system engineering process
- Assists in design of human-system interaction and interfaces
- Organizational and cultural risk analysis: identifying physical and project risks; defining safety metrics and performance audits; designing and evaluating potential policy and structural improvements; identifying leading indicators of increasing risk ("canary in the coal mine")
- Improve operations and management control of safety
44 What is Safety Culture?
Schein: The Three Levels of Organizational Culture
Safety culture is set by the leaders who establish the values under which decisions will be made.
45 Safety Culture
- Safety culture is a subset of culture that reflects general attitudes and approaches to safety and risk management
- Trying to change culture without changing the environment in which it is embedded is doomed to failure
- Simply changing organizational structures may lower risk over the short term, but superficial fixes that do not address the set of shared values and social norms are likely to be undone over time.
- Culture of denial
46 Examples of Positive Cultural Values and Assumptions
- Incidents and accidents are valued as an important window into systems that are not functioning as they should, triggering causal analysis and improvement actions.
- Safety information is surfaced without fear
- Safety analysis is conducted without blame
- Safety commitment is valued
47 Example Cultural Values and Assumptions (2)
- There is a feeling of openness and honesty, where everyone's voice is valued. Employees feel managers are listening.
- Trust among all parties (hard to establish, easy to break).
- Employees feel psychologically safe about reporting concerns
- Employees believe that managers can be trusted to hear their concerns and will take appropriate action
- Managers believe employees are worth listening to and are worthy of respect.
48 Types of Flawed Safety Cultures
- Culture of Denial: risk assessment unrealistic; credible risks and warnings are dismissed without appropriate investigation (only want to hear good news); believe accidents are inevitable, the price of productivity
- Compliance Culture: focus on complying with government regulations; produce extensive safety case arguments
- Paperwork Culture: produce lots of paper analyses with little impact on design and operations
49 Safety Policy
- Reflects how the company or group values safety
- Should be easy to understand, easily operationalized
- States the way the company views safety: guiding principles
50 Example Operational Safety Philosophy (1) (Colonial Pipeline)
- All injuries and accidents are preventable.
- We will not compromise safety to achieve any business objective.
- Leaders are accountable for the safety of all employees, contractors, and the public.
- Each employee has primary responsibility for his/her safety and the safety of others.
- Effective communication and the sharing of information is essential to achieving an accident-free workplace.
- Employees and contractor personnel will be properly trained to perform their work safely.
51 Example Operational Safety Philosophy (2) (Colonial Pipeline)
- Exposure to workplace hazards shall be minimized and/or safeguarded.
- We will empower and encourage all employees and contractors to stop, correct and report any unsafe condition.
- Each employee will be evaluated on his/her performance and contribution to our safety efforts.
- We will design, construct, operate and maintain facilities and pipelines with safety in mind.
- We believe preventing accidents is good business.
52 Safety in Operations
53 Continuous Improvement and Learning
- Learning from events: accident/incident analysis; generating recommendations
- Continuous improvement: assigning responsibility; follow-up to ensure changes are implemented; feedback channels to determine whether changes are effective
54 Impediments to Learning
- Filtering and subjectivity in accident reports
- Root cause seduction: the idea of a singular cause is satisfying to our desire for certainty and control; leads to fixing symptoms (a sophisticated game of "whack-a-mole")
- Blame is the enemy of safety
- Oversimplification: focus on hardware component failure and operator error; tend to look for linear cause-effect relationships and proximal events (rather than systemic factors)
55 Blame is the Enemy of Safety
"My UK safety customers are incredibly spooked by [the Nimrod accident report] because of the way it singled out individuals in the safety assessment chain for criticism. It has made a very difficult process of assessing safety risk even more difficult."
- People stop reporting errors and problems
- Just Culture movement
56 Using STAMP in Accident Analysis
- Identify the system hazard violated and the system safety design constraints
- Construct the safety control structure as it was designed to work: component responsibilities (requirements); control actions and feedback loops
- For each component, determine if it fulfilled its responsibilities or provided inadequate control. If inadequate control, why? (including changes over time)
- Determine the changes that could eliminate the inadequate control (lack of enforcement of system safety constraints) in the future.
59 New Hazard Analysis Technique
- Starts from hazards
- Identifies safety constraints (system and component safety requirements)
- Identifies scenarios leading to violation of safety constraints: includes scenarios (cut sets) found by Fault Tree Analysis; finds additional scenarios not found by FTA and other failure-oriented analyses
- Can be used on technical design and organizational design
60 (Figure; only one label survives: "5 Missing or wrong communication with another controller")
61 Evaluation (1)
- Performed a non-advocate risk assessment for inadvertent launch on the new BMDS
- Deployment and testing of BMDS held up for 6 months because so many scenarios were identified for inadvertent launch.
- In many of these scenarios, all components were operating exactly as intended (e.g., missing cases in software, obscure timing interactions); these could not be found by fault trees or other standard techniques; the complexity of component interactions led to unanticipated system behavior
- STPA also identified component failures that could cause inadvertent launch (most analysis techniques consider only these failure events)
- Now being used proactively as changes are made to the system
62 Evaluation (2)
- Joint research project between MIT and JAXA to determine the feasibility and usefulness of STPA for JAXA projects
- Comparison between STPA and FTA for HTV: problems identified? resources required?
63 Comparison between STPA and FTA
(Flattened figure: causal factors were marked either "Identified by both (STPA and FTA)" or "Identified by STPA only"; the marking is not recoverable from the text.) Causal factors listed:
- ISS component failures
- Crew mistakes in operation
- Crew process model inconsistent
- Activation missing/inappropriate
- Activation delayed
- HTV component failures
- HTV state changes over time
- Out of range radio disturbance
- Physical disturbance
- t, x feedback missing/inadequate
- t, x feedback delayed
- t, x feedback incorrect
- Flight Mode feedback missing/inadequate
- Flight Mode feedback incorrect
- Visual monitoring missing/inadequate
- Wrong information/directive from JAXA/NASA GS
64 Does it work? Is it practical? Technical
- Safety analysis of new missile defense system (MDA)
- Safety-driven design of new JPL outer planets explorer
- Safety analysis of the JAXA HTV (unmanned cargo spacecraft to ISS)
- Incorporating risk into early trade studies (NASA Constellation)
- Orion (Space Shuttle replacement)
- Safety of maglev trains (Japan Central Railway)
- NextGen (for NASA, just starting)
- Accident/incident analysis (aircraft, petrochemical plants, air traffic control, railway accidents, ...)
65 Does it work? Is it practical? Social and Managerial
- Analysis of the management structure of the space shuttle program (post-Columbia)
- Risk management in the development of NASA's new manned space program (Constellation)
- NASA Mission Control: re-planning and changing mission control procedures safely
- Food safety
- Safety in pharmaceutical drug development
- Risk analysis of outpatient GI surgery at Beth Israel Deaconess Hospital
- Analysis and prevention of corporate fraud
66 Conclusions
- A new, more sophisticated causality model is needed to handle the new causes of accidents and the complexity in our modern systems
- Safety is a control problem, not just a failure problem
- Safety engineering and risk management need to consider operations and changes over time and not just the original engineering design
- Using STAMP, we can create much more powerful and effective safety engineering tools and techniques and operate safer systems
67 Nancy Leveson, Engineering a Safer World, MIT Press,
ACHIEVE CONTINUOUS SAFETY IMPROVEMENT Angela Summers, Ph.D., P.E., President, SIS-Tech Solutions, LP Achieve Continuous Safety Improvement, Chemical Processing, April 2007. Carolyn W. Merritt, Chairman
More informationModel-based Safety and Security Analysis in High Consequence System Development. John Colley Formal Verification Conference June 2016
Model-based Safety and Security Analysis in High Consequence System Development John Colley Formal Verification Conference June 2016 Humans are Slamming into Driverless Cars and Exposing a Key Flaw Bloomberg,
More informationSystems Theoretic Process Analysis Applied to Air Force Acquisition Technical Requirements Development
Systems Theoretic Process Analysis Applied to Air Force Acquisition Technical Requirements Development by Sarah E. Summers Major, United States Air Force B.S. Aerospace Engineering, Oklahoma State University,
More informationKey elements for a healthy safety culture
Key elements for a healthy safety culture Capt. Himanshu Chopra Ship Management Ltd. 20 th September 2018 Safety Culture We all aim for.. 2 Shipping is a truly globalized industry 3 What does an accident
More informationApplication of STAMP to Improve the Evaluation of Safety Management Systems
Application of STAMP to Improve the Evaluation of Safety Management Systems Robert J. de Boer, Raymon van der Maarel Aviation Academy Amsterdam University of Applied Science Weesperzijde 190, 1097DZ, Amsterdam
More informationCritical Thinking in Project Management. By: Matthew Holtan
1 Critical Thinking in Project Management By: Matthew Holtan PMGT 690, ERAU Prof. Dennis Sherman July 30, 2017 Abstract 2 This paper is to analyze and reflect on a scholarly, peer-reviewed article on if
More informationgetabstract compressed knowledge Motivation Management Overall Applicability Innovation Style
Motivation Management Fueling Performance by Discovering What People Believe About Themselves and Their Organizations by Thad Green Davies-Black, 2000 268 pages Focus Leadership Strategy Sales & Marketing
More informationApplying Force to Deliver Desired Safety Results
Applying Force to Deliver Desired Safety Results American Society of Safety Engineers Annual Conference San Antonio, Texas July 1, 2009 Scott Gaddis, Global Safety Leader Scott Gaddis was named Global
More informationRisk analysis of serious air traffic incident based on STAMP HFACS and fuzzy sets
Risk analysis of serious air traffic incident based on STAMP HFACS and fuzzy sets Michał LOWER, Jan MAGOTT Wroclaw University of Technology Jacek SKORUPSKI Warsaw University of Technology Plan 1. The goal
More informationARE YOU REALLY REDUCING YOUR HIGHEST RISK EXPOSURE? A Closer Look at Sustainable Serious Injuries & Fatality Prevention
ARE YOU REALLY REDUCING YOUR HIGHEST RISK EXPOSURE? A Closer Look at Sustainable Serious Injuries & Fatality Prevention ARE YOU REALLY REDUCING YOUR HIGHEST RISK EXPOSURE? DuPont and safety are intertwined
More informationThe BEST Framework EDF Group s Expectations for Managing Health and Safety. The EDF Group BEST Framework
Version 1 The BEST Framework EDF Group s Expectations for Managing Health and Safety The EDF Group BEST Framework 2 CONTENTS 1 2 3 4 5 6 7 8 Leadership in Health and Safety 07 Incident Management 09 Contractor
More informationHuman Performance Blueprint UK NUCLEAR HUMAN PERFORMANCE FORUM
UK NUCLEAR HUMAN PERFORMANCE FORUM Human Performance Blueprint This document provides a strategic approach to the implementation of a human performance programme within an organisation. Document History
More informationResilience Engineering and FRAM Today. (June 7, 2012)
Resilience Engineering and FRAM Today (June 7, 2012) The FRAM book (finally) published. www.functionalresonance.com has been established (and partly populated) Resilience Engineering basics: Safety-I and
More informationInjury Investigation Process. Using Root Cause Analysis
Injury Investigation Process Using Root Cause Analysis 1 Objectives Review why injury investigations & multiple root cause analysis are important. Discuss the elements of an effective injury investigation
More informationTOTAL SAFETY LEADERSHIP FROM ACCIDENTS TO ZERO
TOTAL SAFETY LEADERSHIP FROM ACCIDENTS TO ZERO SECTOR / HEALTH AND SAFETY NON-TECHNICAL & CERTIFIED TRAINING COURSE Striving for total safety excellence has to be every safety professional s endeavor and
More informationPresented by. John McGraw. San Juan, Puerto Rico. January 27, 2015
2015 SMS Presented by John McGraw San Juan, Puerto Rico January 27, 2015 1 Page 1 Brief Evolution of Safety What is SMS? Regulatory Update Core Components Company Safety Culture SMS Tools Your Questions
More informationCorporate Safety Policies and Procedures
Safety & Health Program Corporate Safety Policies and Procedures 10627 Midwest Industrial Boulevard, St. Louis, MO Phone: 314-785-6425 Fax: 314-785-6426 Many companies involved in construction have written
More informationService Operation. Scenario One
Service Operation Scenario One A large corporation completed implementing a new IT service management framework last month and has selected its new service management tools. The new processes of the framework
More informationSoftware Design Decision Vulnerability Analysis
Software Vulnerability Analysis P G Avery*, R D Hawkins *Thales UK, UK, email: phil.avery@uk.thalesgroup.com, The University of York, UK, email: richard.hawkins@york.ac.uk Keywords: software, safety, design,
More informationResilience of integrated operations
Resilience of integrated operations Erik Hollnagel ndustrial Safety Chair École des Mines de Paris, Pôle Cindyniques Sophia Antipolis, France E-mail: erik.hollnagel@cindy.ensmp.fr use of T Why integrated
More informationWINTER. Safety Culture High Reliability Strategies for High Consequence Professions. Who Else? Socio-Technical Systems. Template
WINTER Template Safety Culture High Reliability Strategies for High Consequence Professions Much of the information in this presentation is protected by copyrights and Standards of Use contracts with the
More informationUnderstanding Human Error and Risk Tolerance as Causes of Workplace Accidents
Understanding Human Error and Risk Tolerance as Causes of Workplace Accidents Glyn Jones, M.A.Sc, P.Eng, CIH, CRSP EHS Partnerships Ltd. 2 3 4 Schuylkill County (pronounced SKOO-kill) Alberta sees five
More informationValidation, Verification and MER Case Study
Validation, Verification and MER Case Study Prof. Chris Johnson, School of Computing Science, University of Glasgow. johnson@dcs.gla.ac.uk http://www.dcs.gla.ac.uk/~johnson Introduction. Definitions and
More informationDelivering Safety Through Design Using Early Analysis Methods. Mark A. Vernacchia, MSES, PE General Motors Company; Milford, Michigan, USA
Delivering Safety Through Design Using Early Analysis Methods Mark A. Vernacchia, MSES, PE General Motors Company; Milford, Michigan, USA Keywords: systems engineering, SEFA, STPA, interactions, safety,
More informationIs about changing the way we think about Risk, and how we manage it.
Preventing Fatal & Life Changing Injury Events Melanie Nykamp, CSHM Sr. Risk Management Consultant Greg Clone, CSP Risk Management Executive Page 1 Is about changing the way we think about Risk, and how
More informationOrganizational Introspection
Organizational Introspection Analysis / Sensemaking Presentation to: North American Electric Reliability Corporation Human Performance Conference W. Earl Carnes March 28, 2012 Its not about when the lights
More informationA systems-theoretic approach
A systems-theoretic approach to analyze humanautomation interactions Dr. John Thomas MIT Human Factors in Control April 2018 Halden, Norway Outline Safety Engineering Modern engineering challenges Modern
More informationCollaboration For Better Human Performance : Aviation Industry Success Story
Collaboration For Better Human Performance : Presentation to: NERC 2015 Human Performance Conference Name: Christopher A. Hart Date: March 18, 2015 Aviation Industry Success Story The Contrast - Conventional
More informationService Operation. Scenario One
Service Operation Scenario One A large corporation completed implementing a new IT service management framework last month and has selected its new service management tools. The new processes of the framework
More informationInvestigating and Analysing Human and Organizational Factors
Investigating and Analysing Human and Organizational Factors Heather Parker Transport Canada 2006-11-09 1 Outline Meaning of Human Factors Collecting Data Meaning of Human Error Investigating and Analysing
More informationLothar Winzer Head of Software Product Assurance Section ESA/ESTEC Product Assurance and Safety Department. Apr-17-09
Lothar Winzer Head of Software Product Assurance Section ESA/ESTEC Product Assurance and Safety Department Apr-17-09 List of past new challenges or new promises Which have been overcome Which are work
More informationInvestigating and Analysing Human and Organizational Factors
Investigating and Analysing Human and Organizational Factors Heather Parker Human Factors Specialist Transport Canada RDIMS 2124053 1 Outline Meaning of Human Factors Collecting Data Meaning of Human Error
More informationIT-systems and Human Factors Situation awareness Humans and automation
IT-systems and Human Factors Situation awareness Humans and automation Human-Computer Interaction Dept of Information Technology Uppsala University Bengt Sandblad http://www.it.uu.se/research/hci Agenda
More informationE & B Oilfield Services Inc.
Chapter 1 Company Safety Policy and Procedures E & B Oilfield Services Inc. 1798 W 3250 N. Roosevelt Utah 84066 Danny Abegglen is the designated Company Safety Coordinator. Safety & Health Policy Statement
More informationUsing Bayesian Networks to Model Accident Causation in the UK Railway Industry
Using Bayesian Networks to Model Accident Causation in the UK Railway Industry William Marsh, RADAR Group, Queen Mary, University of London, Mile End Road, E1 4NS, London, UK william@dcs.qmul.ac.uk George
More informationLeading and Lagging Indicators
Leading and Lagging Indicators Author: Mike Munsil, Senior Project Manager HS&E Interested in a Lunch & Learn Program for your HSE or PSM Team? Contact Della at dmullan@psrg.com to discuss topics! Office
More informationDEVELOPING SAFETY-CRITICAL SOFTWARE REQUIREMENTS FOR COMMERCIAL REUSABLE LAUNCH VEHICLES
DEVELOPING SAFETY-CRITICAL SOFTWARE REQUIREMENTS FOR COMMERCIAL REUSABLE LAUNCH VEHICLES Daniel P. Murray (1) and Terry L. Hardy (2) (1) Federal Aviation Administration, Office of Commercial Space Transportation,
More informationSpaceflight vs. Human Spaceflight
Spaceflight vs. Human Spaceflight The Aerospace Corporation 2013 Stephanie Barr The Aerospace Corporation Civil and Commercial Division stephanie.e.barr@aero.org 6 th Conference International Association
More informationProcess Safety Management (PSM)
Process Safety Management (PSM) General Awareness Training By Gary Whitmore 1 This book is intended to provide the reader with a basic general awareness of the Occupational Safety and Health Administration
More informationLeadership and the Normalization of Deviance: Step off the Ladder
Leadership and the Normalization of Deviance: Step off the Ladder Organizational Traps Theories-In-Use vs Espoused Theories The Ladder of Inference I will follow up questions to confirm
More information8 Critical Success Factors When Planning a CMS Data Migration
8 Critical Success Factors When Planning a CMS Data Migration Executive Summary The first step to success. This paper is loaded with critical information that will promote the likelihood of your success
More informationNANCY G. LEVESON JOHN P. THOMAS
NANCY G. LEVESON JOHN P. THOMAS MARCH 2018 This handbook is intended for those interested in using STPA on real systems. It is not meant to introduce the theoretical foundation, which is described elsewhere.
More informationConduct of Operations For the 21 st Century
Conduct of Operations For the 21 st Century Joyce L. Connery, Board Member Defense Nuclear Facilities Safety Board 2018 DOE Nuclear & Facility Safety Programs Workshop The views expressed herein are solely
More informationChapter 8. Systems Development. Ralph M. Stair George W. Reynolds
Ralph M. Stair George W. Reynolds Chapter 8 Systems Development An Overview of Systems Development Managers and employees in all functional areas work together and use business information systems Corporations
More informationRequirement Error Taxonomy
Requirement Error Taxonomy Loan arranger system (LA): The LA application supports the business of a loan consolidation organization. This type of organization makes money by purchasing loans from banks
More informationISO Understanding the new international standard for Occupational Health & Safety
ISO 45001 Understanding the new international standard for Occupational Health & Safety ISO 45001 - Understanding the new international standard for occupational health & safety The new international way
More information