Vol. 47, No. 6 • November-December 2011

In the Spotlight
The Use of Safety Cases in Certification and Regulation
by Nancy Leveson, Aeronautics and Astronautics/Engineering Systems, MIT
Experience with Safety Cases
The use of performance-based regulation has not necessarily proven to be better than the other approaches in use. One of the most effective safety programs ever established, SUBSAFE [Ref. 12], which has had no losses in the past 48 years despite operating under dangerous conditions, is almost the total opposite of the goal-based orientation of the British form of the safety case. The spectacular SUBSAFE record contrasts with the U.S. experience prior to the initiation of SUBSAFE, when a submarine loss occurred on average every two to three years. SUBSAFE uses a prescriptive approach, as does the civil aviation community, which has also been able to reduce accident rates to extremely low levels and keep them there.
Unfortunately, careful evaluation and comparison between approaches has not been done. Most papers about safety cases express personal opinions or deal with how to prepare a safety case, but not whether it is effective. As a result, there is no real evidence that one type of regulation is better than another.
The use, or at least the poor use, of safety cases has been implicated in accident reports. The best known of these is the Nimrod aircraft crash in Afghanistan in 2006. A safety case had been prepared for the Nimrod, but the accident report concluded that the quality of that safety case was gravely inadequate [Ref. 5]:
"...the Nimrod safety case was a lamentable job from start to finish. It was riddled with errors... Its production is a story of incompetence, complacency, and cynicism... The Nimrod Safety Case process was fatally undermined by a general malaise: a widespread assumption by those involved that the Nimrod was 'safe anyway' (because it had successfully flown for 30 years) and the task of drawing up the Safety Case became essentially a paperwork and 'tickbox' exercise."
The criticisms of safety cases contained in the Nimrod report include:
- The Safety Case regime has lost its way. It has led to a culture of "paper safety" at the expense of real safety. It currently does not represent value for money.
- The current shortcomings of safety cases in the military environment include bureaucratic length, obscure language, a "failure to see the wood for the trees," archaeological documentary exercises, routine outsourcing to industry, lack of vital operator input, disproportionality, ignoring of age issues, compliance-only exercises, audits of process only and prior assumptions of safety and "shelf-ware".
- Safety cases were intended to be an aid to thinking about risk, but they have become an end in themselves.
- Safety cases for "legacy" aircraft are drawn up on an "as designed" basis, ignoring the real safety, deterioration, maintenance and other issues inherent in their age.
- Safety cases are compliance-driven, i.e., written in a manner driven by the need to comply with the requirements of the regulations, rather than being created as working documents to improve safety controls. Compliance becomes the overriding objective, and argumentation tends to follow the same, repetitive, mechanical format that amounts to no more than a secretarial exercise (and, in some cases, safety cases have actually been prepared by secretaries in outside consultant firms). Such safety cases also tend to give the answer that the customer or designer wants, i.e., that the platform is safe.
- Large amounts of money are spent on things that do not improve the safety of the system.
Haddon-Cave, the author of the Nimrod accident report, concluded that safety cases should be renamed "risk cases," and made the following recommendations (among others):
- Care should be taken when utilizing techniques such as Goal Structured Notation or "Claims-Arguments-Evidence" to avoid falling into the trap of assuming the conclusion ("the platform is safe"), or looking for supporting evidence for the conclusion instead of carrying out a proper analysis of risk. (Note the similarity to the concerns expressed earlier about mindset and confirmation bias.)
- Care should be taken when using quantitative probabilities, i.e., numerical probabilities such as 1 x 10^-6 equating to "remote." Such figures and their associated nomenclature give the illusion and comfort of accuracy and a well-honed scientific approach. Outside the world of structures, numbers are far from exact.
- Care should be taken when using historical or past statistical data. The fact that something has not happened in the past is no guarantee that it will not happen in the future. Piper Alpha was ostensibly "safe" on the day before the explosion. The better approach is to analyze the particular details of a hazard and make a decision on whether it represents a risk that needs to be addressed.
- Care needs to be taken to define the process in which new hazards can be added to the Risk Case, incorporated in the Hazard Log and dealt with in due course, as well as how original assumptions about hazards or zones are to be re-examined in light of new events.
- Once written, the safety case should be used as an ongoing operational and training tool. There are all too many situations where a comprehensive safety case is written, and then sits on a shelf, gathering dust, with no one paying attention to it. In such situations, there is a danger that operations personnel may take the attitude, "We know we are safe because we have a safety case."
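The second and third recommendations above (numerical probabilities and reliance on an accident-free past) can be put side by side with a small calculation. The following Python is an added illustration, not part of Leveson's article or the Haddon-Cave report: it asks how much failure-free operating history a record would have to contain before it alone supported a per-hour hazard probability such as 1 x 10^-6 ("remote"). Reading that figure as a probability per operating hour, the 95% confidence level, and the fleet hours in the demonstration are all constructed assumptions; no Nimrod fleet data are used.

```python
import math

# The text equates 1 x 10^-6 with "remote". Treating it as a per-operating-hour
# hazard probability is an assumption made for this illustration.
REMOTE_PER_HOUR = 1e-6


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu), summed term by term to avoid factorials."""
    term = math.exp(-mu)
    total = term
    for i in range(1, k + 1):
        term *= mu / i
        total += term
    return total


def upper_bound_rate(hours, events=0, confidence=0.95):
    """One-sided upper confidence bound on a constant per-hour event rate.

    Given `events` observed in `hours` of operation, returns the largest rate
    lam still consistent with that record at the given confidence, i.e. the
    lam for which P(X <= events | lam * hours) == 1 - confidence.
    With zero events this reduces to -ln(1 - confidence) / hours, so a clean
    record bounds the rate only as tightly as roughly 3 / hours.
    """
    if hours <= 0:
        raise ValueError("hours must be positive")
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0 / hours
    # The Poisson CDF falls as lam grows, so widen hi until it is past the root,
    # then bisect; hi is returned so the bound errs on the conservative side.
    while poisson_cdf(events, hi * hours) > alpha:
        hi *= 2.0
    for _ in range(200):
        mid = (lo + hi) / 2.0
        if poisson_cdf(events, mid * hours) > alpha:
            lo = mid
        else:
            hi = mid
    return hi


def hours_needed(target_rate, events=0, confidence=0.95):
    """Operating hours (with `events` occurrences) before the record alone
    supports a claimed rate of `target_rate` per hour at the given confidence."""
    # upper_bound_rate with hours=1 yields the Poisson mean that solves the
    # bound; scaling it by the target rate gives the required exposure.
    return upper_bound_rate(1.0, events, confidence) / target_rate


def supports_claim(hours, events, target_rate, confidence=0.95):
    """True only if the observed record is strong enough to back the claim."""
    return upper_bound_rate(hours, events, confidence) <= target_rate


if __name__ == "__main__":
    # Constructed scenario (not Nimrod fleet data): one airframe flying
    # 500 hours a year for 30 years with no loss.
    history = 30 * 500
    ub = upper_bound_rate(history)
    print(f"{history} loss-free hours -> 95% upper bound {ub:.2e}/hour "
          f"({ub / REMOTE_PER_HOUR:.0f}x the 'remote' band)")
    print(f"record supports 'remote' claim: "
          f"{supports_claim(history, 0, REMOTE_PER_HOUR)}")
    print(f"loss-free hours needed to support 'remote' at 95%: "
          f"{hours_needed(REMOTE_PER_HOUR):,.0f}")
```

Thirty loss-free years on one airframe in this scenario bound the per-hour loss rate at about 2 x 10^-4, some two hundred times worse than "remote"; roughly three million failure-free hours would be needed before the history alone justified the 10^-6 figure. A safety case that cites such a number therefore has to rest on analysis of the specific hazards, which is the point the recommendations make.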