Big Chemical Encyclopedia


Safety control structure

The STAMP (System-Theoretic Accident Model and Processes) accident model is based on these principles. Three basic constructs underlie STAMP: safety constraints, hierarchical safety control structures, and process models. [Pg.76]

Between the hierarchical levels of each safety control structure, effective communication channels are needed, both a downward reference channel providing the... [Pg.81]

More generally, control structures always change over time, particularly those that include humans and organizational components. Physical devices also change with time, but usually much slower and in more predictable ways. If we are to handle social and human aspects of safety, then our accident causality models must include the concept of change. In addition, controls and assurance that the safety control structure remains effective in enforcing the constraints over time are required. [Pg.85]

Safety control structures may be very complex. Abstracting and concentrating on parts of the overall structure may be useful in understanding and communicating about the controls. In examining different hazards, only subsets of the overall structure may be relevant and need to be considered in detail; the rest can be treated as the inputs to or the environment of the substructure. The only critical part is that the hazards must first be identified at the system level and the process must then proceed top-down, not bottom-up, to identify the safety constraints for the parts of the overall control structure. [Pg.87]

The operation of sociotechnical safety control structures at all levels is facing the stresses noted in chapter 1, such as rapidly changing technology, competitive and time-to-market pressures, and changing public and regulatory views of responsibility for safety. These pressures can lead to a need for new procedures or new controls to ensure that required safety constraints are not ignored. [Pg.87]

The third concept used in STAMP, along with safety constraints and hierarchical safety control structures, is process models. Process models are an important part of control theory. The four conditions required to control a process are described in chapter 3. The first is a goal, which in STAMP is the safety constraints that must be enforced by each controller in the hierarchical safety control structure. The action condition is implemented in the (downward) control channels and the observability condition is embodied in the (upward) feedback or measuring channels. The final condition is the model condition: any controller, human or automated, needs a model of the process being controlled to control it effectively (figure 4.6). [Pg.87]

The STAMP (Systems-Theoretic Accident Model and Process) model of accident causation is built on these three basic concepts—safety constraints, a hierarchical safety control structure, and process models—along with basic systems theory concepts. All the pieces for a new causation model have been presented. It is now simply a matter of putting them together. [Pg.89]

Leplat has noted that many accidents relate to asynchronous evolution [112], where one part of a system (in this case the hierarchical safety control structure) changes without the related necessary changes in other parts. Changes to subsystems may be carefully designed, but consideration of their effects on other parts of the system, including the safety control aspects, may be neglected or inadequate. Asynchronous evolution may also occur when one part of a properly designed system deteriorates. [Pg.95]

In this conception of safety, there is no root cause. Instead, the accident cause consists of an inadequate safety control structure that under some circumstances leads to the violation of a behavioral safety constraint. Preventing future accidents requires reengineering or designing the safety control structure to be more effective. [Pg.100]

Because the safety control structure and the behavior of the individuals in it, like any physical or social system, changes over time, accidents must be viewed as dynamic processes. Looking only at the time of the proximal loss events distorts and omits from view the most important aspects of the larger accident process that are needed to prevent reoccurrences of losses from the same causes in the future. Without that view, we see and fix only the symptoms, that is, the results of the flawed processes and inadequate safety control structure without getting to the sources of those symptoms. [Pg.100]

The Hierarchical Safety Control Structure to Prevent Friendly Fire Accidents... [Pg.105]

Because those who had designed the control structure recognized the potential for some distance to develop between the training of the AWACS crew members and the continually evolving practice in the no-fly zone (another example of asynchronous evolution of the safety control structure), they had instituted a control by creating staff or instructor personnel permanently stationed in Turkey. Their job was to help provide continuity for U.S. AWACS crews who rotated through OPC on temporary duty status, usually for thirty-day rotations. This shadow crew flew with each new AWACS crew on their first mission in the TAOR to alert them as to how things were really done in OPC. Their job was to answer any questions the new crew... [Pg.115]

In the following analysis, the basic failures and dysfunctional interactions leading to the loss at the physical level are identified first. Then each level of the hierarchical safety control structure is considered in turn, starting from the bottom. [Pg.123]

Besides setting the culture through their own behavior, managers need to establish the organizational safety policy and create a safety control structure with appropriate responsibilities, accountability and authority, safety controls, and feedback channels. Management must also establish a safety management plan and ensure that a safety information system and continual learning and improvement processes are in place and effective. [Pg.177]

Because changes in the physical components, human behavior, and the organizational safety control structure are almost guaranteed to occur over the life of the system, operations must manage change in order to ensure that the safety constraints are not violated. The requirements for safe operations are discussed in chapter 12. [Pg.180]

All the parts of the process described in the following chapters start from the same fundamental system engineering activities. These include defining, for the system involved, accidents or losses, hazards, safety requirements and constraints, and the safety control structure. [Pg.181]

Hazards related to the interaction among components, for example the interaction between attempts by air traffic control and by TCAS to prevent collisions, need to be handled in the safety control structure design, perhaps by mandating how the pilot is to select between conflicting advisories. There may be considerations in handling these hazards in the subsystem design that will impact the behavior of multiple subsystems and therefore must be resolved at a higher level and passed to them as constraints on their behavior. [Pg.195]

The safety requirements and constraints on the physical system design shown in section 7.3 act as input to the standard system engineering process and must be incorporated into the physical system design and safety control structure. An example of how they are used is provided in chapter 10. [Pg.195]

Additional system safety requirements and constraints, including those on operations and maintenance or upgrades, will be used in the design of the safety control structure at the organizational and social system levels above the physical system. There is no one correct safety control structure; what is practical and effective will depend greatly on cultural and other factors. Some general principles that apply to all safety control structures are described in chapter 13. These principles need to be combined with specific system safety requirements and constraints for the particular system involved to design the control structure. [Pg.195]

The new safety control structure for the NASA manned space program was introduced to improve the flawed engineering and management decision making leading to the Columbia loss. The hazard to be eliminated or mitigated was ... [Pg.196]

There is unlikely to be a universal set of requirements that holds for every safety control structure beyond a small set of requirements too general to be very useful in a risk analysis. Each organization needs to determine what its particular safety goals are and the system requirements and constraints that are likely to ensure that it reaches them. [Pg.198]

For each component of the structure, information must be determined about its overall role, responsibilities, controls, process model requirements, coordination and communication requirements, contextual (environmental and behavior-shaping) factors that might bear on the component's ability to fulfill its responsibilities, and inputs and outputs to other components in the control structure. The responsibilities are shown in figure 7.5. A risk analysis on ITA and the safety control structure is described in chapter 8. [Pg.198]

Social system safety control structures often are not designed but evolve over time. They can, however, be analyzed for inherent risk and redesigned or reengineered to prevent accidents or to eliminate or control past causes of losses as determined in an accident analysis. [Pg.198]

The reengineering process starts with the definition of the hazards to be eliminated or mitigated, system requirements and constraints necessary to increase safety, and the design of the current safety-control structure. Analysis can then be used to drive the redesign of the safety controls. But once again, just like every system that has been described so far in this chapter, the process starts by identifying the hazards... [Pg.198]

The NASA safety control structure under the original ITA design. [Pg.199]

Dozens of books have been written about the problems in the pharmaceutical industry. Everyone appears to have good intentions and is simply striving to optimize their performance within the existing incentive structure. The result is that the system has evolved to the point where each group's individual best interests do not necessarily add up to, or are not aligned with, the best interests of society as a whole. A safety control structure exists, but it does not necessarily provide adequate satisfaction of the system-level goals, as opposed to the individual component goals. [Pg.199]

The responsibilities of the components in the NASA ITA safety control structure. [Pg.200]

Figure 7.6 shows the general pharmaceutical safety control structure in the United States. Each component's assigned responsibilities are those assumed in the design of the structure. In fact, at any time, they may not be living up to these responsibilities. [Pg.205]

As designed, this safety control structure looks strong and potentially effective. Unfortunately, it has not always worked the way it was supposed to work and the individual components have not always satisfied their responsibilities. Chapter 8 describes the use of the new hazard analysis technique, STPA, as well as other basic STAMP concepts in analyzing the potential risks in this structure. [Pg.209]

In addition to the factors shown in figure 8.6, the analysis must consider the impact of having two controllers of the same component whenever this occurs in the system safety control structure. In the friendly fire example in chapter 5, for example, confusion existed between the two AWACS operators responsible for tracking aircraft inside and outside of the no-fly-zone about who was responsible for aircraft in the boundary area between the two. The FMIS example below contains such a scenario. An analysis must be made to determine that no path to a hazard exists because of coordination problems. [Pg.225]

Using STPA on Organizational Components of the Safety Control Structure... [Pg.231]

The examples above focus on the lower levels of safety control structures, but STPA can also be used on the organizational and management components. Less experimentation has been done on applying it at these levels, and, once again, more needs to be done. [Pg.231]

Two examples are used in this section: one was a demonstration for NASA of risk analysis using STPA on a new management structure proposed after the Columbia accident. The second is pharmaceutical safety. The fundamental activities of identifying system hazards, safety requirements and constraints, and of documenting the safety control structure were described for these two examples in chapter 7. This section starts from that point and illustrates the actual risk analysis process. [Pg.231]
