The Hierarchical Safety Control Structure

In systems theory (see section 3.3), systems are viewed as hierarchical structures, where each level imposes constraints on the activity of the level beneath it—that is. 

Control processes operate between levels to control the processes at lower levels in the hierarchy. These control processes enforce the safety constraints for which the control process is responsible. Accidents occur when these processes provide inadequate control and the safety constraints are violated in the behavior of the lower-level components. 

By describing accidents in terms of a hierarchy of control based on adaptive feedback mechanisms, adaptation plays a central role in the understanding and prevention of accidents. 

At each level of the hierarchical structure, inadequate control may result from missing constraints (unassigned responsibility for safety), inadequate safety control commands, commands that were not executed correctly at a lower level, or inadequately communicated or processed feedback about constraint enforcement. For example, an operations manager may provide unsafe work instructions or procedures to the operators, or the manager may provide instructions that enforce the safety constraints, but the operators may ignore them. The operations manager may not have the feedback channels established to determine that unsafe instructions were provided or that his or her safety-related instructions are not being followed. 

Between the hierarchical levels of each safety control structure, effective communication channels are needed, both a downward reference channel providing the 

---

The third concept used in STAMP, along with safety constraints and hierarchical safety control structures, is process models. Process models are an important part of control theory. The four conditions required to control a process are described in chapter 3. The first is a goal, which in STAMP is the safety constraints that must be enforced by each controller in the hierarchical safety control structure. The action condition is implemented in the (downward) control channels and the observability condition is embodied in the (upward) feedback or measuring channels. The final condition is the model condition Any controller—human or automated-needs a model of the process being controlled to control it effectively (figure 4.6). 

Leplat has noted that many accidents relate to asynchronous evolution [112], where one part of a system (in this case the hierarchical safety control structure) changes without the related necessary changes in other parts. Changes to subsystems may be carefully designed, but consideration of their effects on other parts of the system, including the safety control aspects, may be neglected or inadequate. Asynchronous evolution may also occur when one part of a properly designed system deteriorates. 

The Hierarchical Safety Control Structure to Prevent Friendly Fire Accidents... 

In the following analysis, the basic failures and dysfunctional interactions leading to the loss at the physical level are identified first. Then each level of the hierarchical safety control structure is considered in turn, starting from the bottom. 

The STAMP (System-Theoretic Accident Model and Processes) accident model is based on these principles. Three basic constructs underlie STAMP safety constraints, hierarchical safety control structures, and process models. 

The STAMP (Systems-Theoretic Accident Model and Process) model of accident causation is built on these three basic concepts—safety constraints, a hierarchical safety control structure, and process models—along with basic systems theory concepts. All the pieces for a new causation model have been presented. It is now simply a matter of putting them together. 

The safety control structure must be carefully designed, monitored, and adapted to ensure that the controls are adequate to maintain the constraints on behavior necessary to control risk. Figure 14.1 shows a generic hierarchical safety control structure... 

The three main concepts in this model—safety constraints, hierarchical control structures, and process models—are introduced first in chapter 4. Then the STAMP causality model is described, along with a classification of accident causes implied by the new model. 

Accidents in STAMP are the result of a complex process that results in the system behavior violating the safety constraints. The safety constraints are enforced by the control loops between the various levels of the hierarchical control structure that are in place during design, development, manufacturing, and operations. 

As in the previous examples, the first step in creating a STAMP analysis is to identify the system hazards, the system safety constraints, and the hierarchical control structure in place to enforce the constraints. 

Hierarchical Approach is a simple but powerful methodology for the synthesis of process flowsheets. It consists of a top-down analysis organised as a clearly defined sequence of tasks grouped in levels. Each level solves a fundamental problem as, number of plants, input/output structure, reactor design and recycle structure, separation system, energy integration, environmental analysis, safety and hazard analysis, and plantwide control. At each level, systematic methods can be applied for the synthesis of subsystems, as chemical reaction, separations, or heat exchangers network. 

Platypus can import process equipment lists of a process plant or a site that houses several process plants. The equipment list is translated into a hierarchical model structure to represent the plant and represent individual safety barriers for process control. Currently, the barriers are grouped into 11 individual Equipment LoC template models (EqLoC s) but Platypus can be used to build any barrier-structure in a process plant. The templates provide quick references that contain estimates for global average leak rates for a predetermined set of leak scenario s. These templates function as a first estimate when assessing the leak rate of a site or a plant. Someone that is familiar with the program can make this first estimate within the time span of 15 minutes or less for any given chemical site or process plant. 

Life-cycle approach is required to manage the hazards that affect offshore installations. It should be noted that offshore saf ety study has to deal with the boundaries of other industries such as marine operations and aviation. In offshore safety study, it is desirable to obtain the optimum risk reduction solution for the total life cycle of the operation or installation, irrespective of the regulatory boundaries (UKOOA (1999)). The basic idea is to minimise/eliminate the source of hazard rather than place too high reliance on control and mitigatory measures. To reduce risks to an ALARP level, the following hierarchical structure of risk control measures should follow ... 

---