[SystemSafety] NYTimes: The Next Accident Awaits

Philip Koopman koopman at ece.cmu.edu
Sun Feb 2 18:08:24 CET 2014


Following up on a couple points in the discussion, my observations are:

I think a super-strong (or weak) safety culture can easily trump the 
technical approach.  One likely factor for the success of the SUBSAFE 
program Nancy mentioned earlier is that the folks who make sure the 
program is working either live in submarines or have spent time living 
in submarines. It gives a new perspective to plumbing safety when you 
spend your days hundreds of feet under water living in a big steel 
tank.  (I was in the Naval shipyard officer program for a while, and 
step #1 was to deploy as a submarine officer for a couple years with the 
same exact qualification and experience parameters as "regular" 
submarine officers, except I skipped nuclear power training. So I got to 
supervise SUBSAFE repairs and so on in an operational environment.) 
Also, all or almost all of the submarine officer core is 
nuclear-trained, which brings an exceptional level of rigor to how they 
do business, even when supervising non-nuclear portions of SUBSAFE 
activities. And there are related factors that also matter, ranging from 
operational safety to weapon safety. Based on the record, it seems that 
what they are doing is working.

On the other hand, I worry about what will happen to safety in some 
industries with older safety standards, such as rail, when all the 
gray-beards retire. It's unclear to me how it will go when the 
generation of engineers who lived through the 
electromechanical=>software transition and know who/why/what/where for 
the details of their design decisions aren't around any more. I guess 
we're getting our first hint of how that might work out by watching how 
it goes when companies in emerging markets try to make competing 
products to the same safety standards (but without the graybeards 
present) and have safety teething problems.

-- Phil




On 2/2/2014 3:35 AM, Nancy Leveson wrote:
> I don't think that anyone is implying that the safety case "replaces 
> some form of regulation". But it implies a particular form of 
> regulation, usually performance-based rather than prescriptive. Thus 
> ARP 4751 in aviation and MIL-STD-882 in defense, are not safety case 
> regimes because there are specific procedures that must be followed to 
> be certified. The applicant does not get to determine what type of 
> argument they make.
>
> Nancy
>
>
> On Sat, Feb 1, 2014 at 7:43 PM, Tracy White <tracyinoz at mac.com 
> <mailto:tracyinoz at mac.com>> wrote:
>
>     I am slightly confused and a little perturbed by an argument that
>     a 'safety case' in someway replaces any regulatory control (or
>     government interference). Even more that a safety case would not
>     include a subclaim to have conducted a 'rigorous hazard analysis'
>     program ... or to have applied appropriate 'procedures and
>     standards'.
>
>     Anybody who thinks that 'safety cases' in anyway replaces some
>     form of regulation is ignorant of its purpose. I work in a
>     regulatory environment and the 'safety case' is the primary
>     communications  medium with that regulator,  elements of which
>     will talk to hazard identification and compliance with standards
>     and codes considered representative of engineering 'good
>     practice'. I would agree that there are good and bad safety cases
>     and I think that 'industries that do not 'have a good historical
>     culture in terms of safety' are as ignorant of purpose of the
>     safety cases as they of the need for safety in general.
>
>     Regards, Tracy
>
>     On Feb 01, 2014, at 12:48 AM, Nancy Leveson
>     <leveson.nancy8 at gmail.com <mailto:leveson.nancy8 at gmail.com>> wrote:
>
>>     It is very difficult to characterize the U.S. In general, the
>>     country is so physically large that there are extreme differences
>>     in culture and politics (generally but not always physically
>>     bounded). Much of the central government in the US and European
>>     worlds seem to be moving toward libertarianism, but I am probably
>>     mischaracterizing Europe based on biased news reports. The
>>     individual U.S. states show extreme differences. At the extremes,
>>     Texas and California may as well be in different worlds, let
>>     alone countries when it comes to safety regulations (and lots of
>>     other things irrelevant to this list). There are also such
>>     different cultures in different industries that it is difficult
>>     to make general statements. Mining and civil aviation are
>>     examples of such extremes.
>>
>>     But I will make one general statement that is only my personal
>>     experience. Because of my paper arguing against safety cases, I
>>     am getting many calls from government employees and company
>>     lawyers as well as individual engineers. Some of the companies
>>     pushing the "safety case" in the U.S. are those who don't want
>>     any government interference and see the safety case as a way to
>>     get around the rigorous procedural standards that now exist here
>>     in many industries. They seem to feel that they will be able to
>>     get rid of the procedures and standards that exist now and can
>>     write anything they want in a safety case and therefore save
>>     money and time in the rigorous hazard analysis now widely
>>     required while using any design features they want. These are
>>     primarily in industries that do not have a good historical
>>     culture in terms of safety.
>>
>>     Nancy.
>>
>>
>>     On Fri, Jan 31, 2014 at 4:08 AM, RICQUE Bertrand (SAGEM DEFENSE
>>     SECURITE) <bertrand.ricque at sagem.com
>>     <mailto:bertrand.ricque at sagem.com>> wrote:
>>
>>         Hi Nancy,
>>
>>         Concerning France you are right, and in that case I think
>>         that the cultural aspect dominates. There is no safety
>>         culture in the population as in UK, as acknowledged after AZF
>>         accident. The risk stops at the fence of the plant and you
>>         can safely build your house on the other side ... The
>>         regulations have changed since but not the cultures. The
>>         safety engineers concerned by the new regulations live a
>>         nightmare as the choices are more or less, dismantle the
>>         plant versus dismantle the town ... I think that the safety
>>         cultures have more impact on the final result than the
>>         competence of the safety community.
>>
>>         Bertrand Ricque
>>
>>         Program Manager
>>
>>         Optronics and Defence Division
>>
>>         Sights Program
>>
>>         Mob : +33 6 87 47 84 64
>>
>>         Tel : +33 1 59 11 96 82
>>
>>         Bertrand.ricque at sagem.com <mailto:Bertrand.ricque at sagem.com>
>>
>>         *From:*systemsafety-bounces at lists.techfak.uni-bielefeld.de
>>         <mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de>
>>         [mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de
>>         <mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de>]
>>         *On Behalf Of *Nancy Leveson
>>         *Sent:* Thursday, January 30, 2014 8:59 PM
>>         *To:* systemsafety at lists.techfak.uni-bielefeld.de
>>         <mailto:systemsafety at lists.techfak.uni-bielefeld.de>
>>         *Subject:* Re: [SystemSafety] NYTimes: The Next Accident Awaits
>>
>>         It would be nice to actually introduce some data into the
>>         discussions on this list. First, although it is very true
>>         that the U.K. has excellent comparative occupational safety
>>         statistics, this exceptional performance predated safety
>>         cases by at least 100 years and is as much a cultural
>>         artifact of the U.K. as any current practices. While the rest
>>         of the world was suffering the results of steam engine
>>         explosions in the late 1800s, for example, Great Britain was
>>         the first to implement measures to reduce them. (I wrote a
>>         paper on this once if anyone is interested.) Although the
>>         British citizens on this list know more about the history of
>>         the UK HSE, I believe they were the first country to require
>>         companies to have safety policies, etc., after the
>>         Flixborough explosion. Safety cases, I believe, came into
>>         being only after the more recent Piper Alpha explosion.
>>
>>         Trying to tie accident rates in different countries to
>>         particular ways of regulating safety is dicey at best. First,
>>         there are significant differences between the engineering,
>>         agricultural, industry, and service rates of accidents in
>>         countries, often related to technical differences. Some have
>>         high agricultural accident rates but low service accident
>>         rates. For example, accident rates are going to be very
>>         different in a country with high tech agricultural techniques
>>         compared to those still plowing fields with a pair of oxen.
>>         Politics plays an even more important role. For example,
>>         western countries often put very dangerous processes and
>>         plants in third world countries or governments in these
>>         countries do not have laws that require manufacturers to use
>>         even minimal safety practices in manufacturing, for example,
>>         and they will not as long as they need the revenue and jobs.
>>         The safety culture in these countries will not change
>>         magically by using one type of regulatory regime.
>>
>>         Note also, that there are vast differences in industries.
>>         Those with the very safest records, such as the U.S. SUBSAFE
>>         program, do not use safety cases. (And they have managed to
>>         have an incredible safety record despite being in the U.S.
>>         :-)). If we want to compare the effectiveness of different
>>         regulatory regimes, then we need to provide scientific
>>         evaluations and not just misuse statistics (which may involve
>>         factors that have nothing to do with the actual regulatory
>>         regime used).
>>
>>         Also, as Michael Holloway noted, culture differences will
>>         make different types of regulation more or less different in
>>         different countries and industries.
>>
>>         Finally, I would like to point out to those who are making
>>         some national comparisons and putting down the U.S. in
>>         comparison with France, for example, that the fatal
>>         occupational accident rate in the U.S. is less than that of
>>         France. Perhaps we can avoid mixing politics and chauvinism
>>         with science on this list.
>>
>>         Nancy
>>
>>         On Thu, Jan 30, 2014 at 8:50 AM, Martyn Thomas
>>         <martyn at thomas-associates.co.uk
>>         <mailto:martyn at thomas-associates.co.uk>> wrote:
>>
>>         I'm a non-exec Director at the UK's Health and Safety
>>         Laboratory (www.hsl.gov.uk <http://www.hsl.gov.uk>). We carry
>>         out the basic research that underpins the UK's regulation of
>>         occupational health and safety, ranging from reducing
>>         accidents on construction sites and improving the tethering
>>         of loads on lorries, through to reproducing and analysing
>>         major explosions (such as Buncefield -
>>         http://www.buncefieldinvestigation.gov.uk/) and
>>         destruction-testing the physical integrity of tankers and
>>         rolling-stock.
>>
>>         We also undertake commercial work that uses our unusual
>>         experimental and analysis capabilities and very strong
>>         science base.
>>
>>         The UK is unusual in having a goal-based, safety-case
>>         regulatory regime and a regulator (HSE) with its own expert
>>         research establishment (HSL). We are getting an increasing
>>         number of approaches from Governments in the Far and Middle
>>         East who see the UK's good performance in occupational Health
>>         and Safety and who want to investigate setting up similar
>>         goal-based regulation.
>>
>>         Maybe there is something in the HSE/HSL approach that the US
>>         chemical industry could benefit from.
>>
>>         Regards
>>
>>         Martyn
>>         Martyn Thomas CBE FREng
>>
>>
>>
>>
>>         On 29/01/2014 22:05, Peter Bernard Ladkin wrote:
>>
>>             A worthy opinion piece from the Chair of the US Chemical Safety Board. Note his suggestion that identifying hazards and mitigation is just well-established best practice. I can say from experience that it is not yet in Europe in all industries with safety aspects, even though he holds Europe up as having a factor of three fewer chemical accidents as the US.
>>
>>
>>         _______________________________________________
>>         The System Safety Mailing List
>>         systemsafety at TechFak.Uni-Bielefeld.DE
>>         <mailto:systemsafety at TechFak.Uni-Bielefeld.DE>
>>
>>
>>
>>         -- 
>>         Prof. Nancy Leveson
>>         Aeronautics and Astronautics and Engineering Systems
>>         MIT, Room 33-334
>>         77 Massachusetts Ave.
>>         Cambridge, MA 02142
>>
>>         Telephone: 617-258-0505
>>         Email: leveson at mit.edu <mailto:leveson at mit.edu>
>>         URL: http://sunnyday.mit.edu
>>
>>         #
>>         " Ce courriel et les documents qui lui sont joints peuvent
>>         contenir des informations confidentielles, être soumis aux
>>         règlementations relatives au contrôle des exportations ou
>>         ayant un caractère privé. S'ils ne vous sont pas destinés,
>>         nous vous signalons qu'il est strictement interdit de les
>>         divulguer, de les reproduire ou d'en utiliser de quelque
>>         manière que ce soit le contenu. Toute exportation ou
>>         réexportation non autorisée est interdite.Si ce message vous
>>         a été transmis par erreur, merci d'en informer l'expéditeur
>>         et de supprimer immédiatement de votre système informatique
>>         ce courriel ainsi que tous les documents qui y sont attachés."
>>
>>
>>         ******
>>         " This e-mail and any attached documents may contain
>>         confidential or proprietary information and may be subject to
>>         export control laws and regulations. If you are not the
>>         intended recipient, you are notified that any dissemination,
>>         copying of this e-mail and any attachments thereto or use of
>>         their contents by any means whatsoever is strictly
>>         prohibited. Unauthorized export or re-export is prohibited.
>>         If you have received this e-mail in error, please advise the
>>         sender immediately and delete this e-mail and all attached
>>         documents from your computer system."
>>         #
>>
>>
>>
>>
>>
>>     -- 
>>     Prof. Nancy Leveson
>>     Aeronautics and Astronautics and Engineering Systems
>>     MIT, Room 33-334
>>     77 Massachusetts Ave.
>>     Cambridge, MA 02142
>>
>>     Telephone: 617-258-0505 <tel:617-258-0505>
>>     Email: leveson at mit.edu <mailto:leveson at mit.edu>
>>     URL: http://sunnyday.mit.edu
>>     _______________________________________________
>>     The System Safety Mailing List
>>     systemsafety at TechFak.Uni-Bielefeld.DE
>>     <mailto:systemsafety at TechFak.Uni-Bielefeld.DE>
>
>     _______________________________________________
>     The System Safety Mailing List
>     systemsafety at TechFak.Uni-Bielefeld.DE
>     <mailto:systemsafety at TechFak.Uni-Bielefeld.DE>
>
>
>
>
> -- 
> Prof. Nancy Leveson
> Aeronautics and Astronautics and Engineering Systems
> MIT, Room 33-334
> 77 Massachusetts Ave.
> Cambridge, MA 02142
>
> Telephone: 617-258-0505
> Email: leveson at mit.edu <mailto:leveson at mit.edu>
> URL: http://sunnyday.mit.edu
>
>
> _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE


-- 
Phil Koopman -- koopman at cmu.edu

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20140202/15521465/attachment-0001.html>


More information about the systemsafety mailing list