Conclusion
To avoid confirmation bias and compliance-only exercises, assurance cases should focus not on showing that the system is safe, but on attempting to show that it is unsafe. It is the emphasis on identifying hazards and flaws in the system that provides the "value added" of system safety engineering. System engineers have already created arguments for why their design is safe. System safety engineers have usually been effective at finding safety flaws precisely because they apply the opposite mindset from that of the developers.
Whatever is included in the assurance case, the following characteristics are important:
- The process should be started early. The assurance case is only useful if it can influence design decisions. That means it should not be done after a design is completed or prepared in isolation from the system engineering effort. If safety cases are created only to argue that what already exists is safe, then the effort will not improve safety and becomes simply a paper exercise to get a system certified. One result might be unjustified complacency by those operating and using the systems.
- The assumptions underlying the assurance case should be continually monitored during operations, and procedures should be established to accomplish this goal. The system may be working, but not the way it was designed, or the assumptions may turn out to be wrong, because of poor prediction or because the environment has changed. Changes to the system and its environment may have been made for all the right reasons, but the drift between the system as designed and the system as enacted is rarely if ever analyzed or understood as a whole, even when each particular deviation appears sensible or even helpful to the individuals involved.
- To make maintaining the assurance case practical, the analysis needs to be integrated into system engineering and system documentation so that it can be maintained and updated. Safety assurance is not just a one-time activity; it must continue through the lifetime of the system, including checking during operations that the assumptions made in the assurance argument remain true for the system components and the system environment. The problems in updating and maintaining safety assurance do not arise from the form of the assurance documentation or in updating the argument once the need for it is established; rather, problems arise in relating the assurance case to the detailed design decisions so that when a design is changed, it is possible to determine what assumptions in the safety analysis are involved.
- The analysis should consider worst cases, not just likely or expected cases (the latter being what nuclear power plant regulation calls the "design basis accident").
- The analysis needs to include all factors, and be comprehensive. It should include not just hardware failures and operator errors, but also management structure and decision-making. It must also consider operations, and the updating process must not be limited to development and certification, but must continue through the operational part of the system lifecycle.
- To be most useful, the assurance case must draw on qualitative and verifiable quantitative information, not just probabilistic models of the system.
- The integrated system must be considered, rather than each hazard or component in isolation.
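The two characteristics above about monitoring assumptions during operations and relating the assurance case to detailed design decisions both come down to traceability: each claim should be tied to explicit assumptions, each assumption to the design elements it rests on, and, where possible, to a check that can be run against operational data. The following is an added illustration, not code from the paper or from any referenced project; the tank, relief valve, element identifiers (PRV-1, ALARM-LOGIC, OPS-PROCEDURE-7, INLET-PUMP), assumptions and snapshot values are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Set

# Hypothetical example: a pressurised storage tank whose overpressure hazard is
# controlled by a relief valve, a high-pressure alarm and an operator procedure.
# Every element id, assumption and measurement below is constructed for illustration.

Snapshot = Dict[str, float]  # operational measurements, e.g. from a plant historian


@dataclass(frozen=True)
class Assumption:
    id: str
    text: str
    depends_on: FrozenSet[str]          # design elements this assumption rests on
    check: Callable[[Snapshot], bool]   # True while the assumption holds in operation


@dataclass(frozen=True)
class Claim:
    id: str
    text: str
    assumptions: tuple                  # ids of the assumptions the claim relies on


class AssuranceCase:
    def __init__(self, assumptions: List[Assumption], claims: List[Claim]):
        self.assumptions = {a.id: a for a in assumptions}
        self.claims = {c.id: c for c in claims}
        # Refuse a case whose claims cite assumptions that were never written down.
        for c in claims:
            for aid in c.assumptions:
                if aid not in self.assumptions:
                    raise ValueError(f"claim {c.id} cites unknown assumption {aid}")

    def impacted_by_change(self, changed: Set[str]) -> Dict[str, List[str]]:
        """Which assumptions, and therefore which claims, a design change touches."""
        result: Dict[str, List[str]] = {}
        for a in self.assumptions.values():
            if a.depends_on & changed:
                result[a.id] = [c.id for c in self.claims.values()
                                if a.id in c.assumptions]
        return result

    def violated(self, snapshot: Snapshot) -> List[str]:
        """Assumptions that the operational data no longer supports."""
        return [a.id for a in self.assumptions.values() if not a.check(snapshot)]

    def claims_undermined(self, snapshot: Snapshot) -> List[str]:
        """Claims whose argument rests on at least one violated assumption."""
        bad = set(self.violated(snapshot))
        return [c.id for c in self.claims.values() if bad & set(c.assumptions)]


TANK_CASE = AssuranceCase(
    assumptions=[
        Assumption("A1", "PRV-1 opens within 2 s of reaching set pressure",
                   frozenset({"PRV-1"}),
                   lambda s: s["prv_response_s"] <= 2.0),
        Assumption("A2", "Operator acknowledges the high-pressure alarm within 30 s",
                   frozenset({"ALARM-LOGIC", "OPS-PROCEDURE-7"}),
                   lambda s: s["alarm_ack_s"] <= 30.0),
        Assumption("A3", "Inlet flow never exceeds the relief capacity of PRV-1",
                   frozenset({"PRV-1", "INLET-PUMP"}),
                   lambda s: s["max_inlet_flow"] <= s["prv_capacity"]),
    ],
    claims=[
        Claim("C1", "Tank overpressure hazard is controlled", ("A1", "A3")),
        Claim("C2", "Operator intervention on high pressure is effective", ("A2",)),
    ],
)

# Constructed operational snapshots: one as designed, one after procedural drift
# (operators now take 45 s to acknowledge the alarm, which the case assumed was 30 s).
SNAPSHOT_NOMINAL = {"prv_response_s": 1.4, "alarm_ack_s": 20.0,
                    "max_inlet_flow": 80.0, "prv_capacity": 100.0}
SNAPSHOT_DRIFTED = {"prv_response_s": 1.4, "alarm_ack_s": 45.0,
                    "max_inlet_flow": 80.0, "prv_capacity": 100.0}

if __name__ == "__main__":
    # A proposed pump replacement: which assumptions and claims must be revisited?
    print(TANK_CASE.impacted_by_change({"INLET-PUMP"}))   # {'A3': ['C1']}
    # Periodic check of the operating system against the case's assumptions.
    print(TANK_CASE.violated(SNAPSHOT_DRIFTED))           # ['A2']
    print(TANK_CASE.claims_undermined(SNAPSHOT_DRIFTED))  # ['C2']
```

The point of the structure is that a change request naming a design element, or a periodic run of the checks against operating data, answers the question the text says is usually unanswerable in practice: which parts of the safety argument this change or this drift actually affects. The checks encode the assumptions as written; the drift in the second snapshot is exactly the kind of "sensible to the individuals involved" deviation that would otherwise never be related back to the argument.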