
The Safety Control Structure

Hazards related to the interaction among components, for example the interaction between attempts by air traffic control and by TCAS to prevent collisions, need to be handled in the safety control structure design, perhaps by mandating how the pilot is to select between conflicting advisories. There may be considerations in handling these hazards in the subsystem design that will impact the behavior of multiple subsystems and therefore must be resolved at a higher level and passed to them as constraints on their behavior. [Pg.195]

The safety requirements and constraints on the physical system design shown in section 7.3 act as input to the standard system engineering process and must be incorporated into the physical system design and safety control structure. An example of how they are used is provided in chapter 10. [Pg.195]

Additional system safety requirements and constraints, including those on operations and maintenance or upgrades, will be used in the design of the safety control structure at the organizational and social system levels above the physical system. There is no one correct safety control structure; what is practical and effective will depend greatly on cultural and other factors. Some general principles that apply to all safety control structures are described in chapter 13. These principles need to be combined with the specific system safety requirements and constraints for the particular system involved to design the control structure. [Pg.195]

An example from the world of space exploration is used in this section, but many of the same requirements and constraints could easily be adapted for other types of technical system development and operations. [Pg.195]

The requirements in this example were generated to perform a programmatic risk assessment of a new NASA management structure called Independent [Pg.195]

More generally, control structures always change over time, particularly those that include humans and organizational components. Physical devices also change with time, but usually much more slowly and in more predictable ways. If we are to handle social and human aspects of safety, then our accident causality models must include the concept of change. In addition, controls and assurance that the safety control structure remains effective in enforcing the constraints over time are required. [Pg.85]

In this conception of safety, there is no root cause. Instead, the accident cause consists of an inadequate safety control structure that under some circumstances leads to the violation of a behavioral safety constraint. Preventing future accidents requires reengineering or designing the safety control structure to be more effective. [Pg.100]

Because the safety control structure and the behavior of the individuals in it, like any physical or social system, changes over time, accidents must be viewed as dynamic processes. Looking only at the time of the proximal loss events distorts and omits from view the most important aspects of the larger accident process that are needed to prevent reoccurrences of losses from the same causes in the future. Without that view, we see and fix only the symptoms, that is, the results of the flawed processes and inadequate safety control structure without getting to the sources of those symptoms. [Pg.100]

Because those who had designed the control structure recognized the potential for some distance to develop between the training of the AWACS crew members and the continually evolving practice in the no-fly zone (another example of asynchronous evolution of the safety control structure), they had instituted a control by creating staff or instructor personnel permanently stationed in Turkey. Their job was to help provide continuity for U.S. AWACS crews who rotated through OPC on temporary duty status, usually for thirty-day rotations. This shadow crew flew with each new AWACS crew on their first mission in the TAOR to alert them as to how things were really done in OPC. Their job was to answer any questions the new crew... [Pg.115]

All the parts of the process described in the following chapters start from the same fundamental system engineering activities. These include defining, for the system involved, accidents or losses, hazards, safety requirements and constraints, and the safety control structure. [Pg.181]

For each component of the structure, information must be determined about its overall role, responsibilities, controls, process model requirements, coordination and communication requirements, contextual (environmental and behavior-shaping) factors that might bear on the component's ability to fulfill its responsibilities, and inputs and outputs to other components in the control structure. The responsibilities are shown in figure 7.5. A risk analysis on ITA and the safety control structure is described in chapter 8. [Pg.198]

Using STPA on Organizational Components of the Safety Control Structure... [Pg.231]

Two examples are used in this section: one was a demonstration for NASA of risk analysis using STPA on a new management structure proposed after the Columbia accident. The second is pharmaceutical safety. The fundamental activities of identifying system hazards, safety requirements and constraints, and of documenting the safety control structure were described for these two examples in chapter 7. This section starts from that point and illustrates the actual risk analysis process. [Pg.231]

In analyzing an existing organizational or social safety control structure, one of the first steps is to determine where the responsibility for implementing each requirement rests and to perform a gap analysis to identify holes in the current design, that is, requirements that are not being implemented (enforced) anywhere. Then the safety control structure needs to be evaluated to determine whether it is potentially effective in enforcing the system safety requirements and constraints. [Pg.232]

Using the responsibilities and control actions defined for the components of the safety control structure, the STAMP-based risk analysis applied the four general types of inadequate control actions, omitting those that did not make sense for the particular responsibility or did not impact risk. To accomplish this, the general responsibilities must be refined into more specific control actions. [Pg.236]

The analysis can be used to identify potential changes to the safety control structure (the ITA program) that could eliminate or mitigate identified risks. General design principles for safety are described in the next chapter. [Pg.238]

The traditional risk analysis performed by NASA on ITA identified about one hundred risks. The more rigorous, structured STAMP-based analysis, done independently and without any knowledge of the results of the NASA process, identified about 250 risks: all the risks identified by NASA plus additional ones. A small part of the difference was related to the consideration by the STAMP group of more components in the safety control structure, such as the NASA administrator, Congress, and the Executive Branch (White House). There is no way to determine whether the other additional risks identified by the STAMP-based process were simply missed in the NASA analysis or were discarded for some reason. [Pg.239]

The hazards, system safety requirements and constraints, and documentation of the safety control structure for pharmaceutical safety were shown in chapter 7. Using these, Couturier performed several types of analysis. [Pg.242]

He first traced the system requirements to the responsibilities assigned to each of the components in the safety control structure, that is, he performed a gap analysis as described above for the NASA ITA risk analysis. The goal was to check that at least one controller was responsible for enforcing each of the safety requirements, to identify when multiple controllers had the same responsibility, and to study each... [Pg.242]
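The gap analysis described above (tracing each safety requirement to the controllers responsible for enforcing it, flagging requirements enforced nowhere and requirements shared by several controllers) can be mechanised once the control structure is documented. The following is an added example, not code from the book or from the NASA ITA or pharmaceutical studies; the requirement IDs, their wording and the controller names are constructed for illustration.

```python
from collections import defaultdict

# Constructed safety requirements (hypothetical IDs and wording).
REQUIREMENTS = {
    "SR-1": "Hazardous design changes receive independent technical review",
    "SR-2": "Known safety-related flaws are tracked until fixed",
    "SR-3": "Operators are trained on the current operating procedures",
    "SR-4": "Safety constraints are re-verified after each design change",
}

# Constructed control structure: controller -> requirements it is responsible for enforcing.
CONTROL_STRUCTURE = {
    "Technical Authority": ["SR-1", "SR-4"],
    "Project Manager": ["SR-1", "SR-2"],
    "Training Office": [],
    "Quality Assurance": ["SR-2"],
}

def gap_analysis(requirements, control_structure):
    """Trace each requirement to the controllers responsible for it.

    Returns (unassigned, shared, dangling): requirements that no controller
    enforces (the holes in the design), requirements that more than one
    controller enforces (to be studied for conflict or diffused responsibility),
    and responsibilities that refer to a requirement that does not exist.
    """
    owners = defaultdict(list)
    dangling = {}
    for controller, assigned in control_structure.items():
        for req in assigned:
            if req in requirements:
                owners[req].append(controller)
            else:
                dangling.setdefault(controller, []).append(req)
    unassigned = sorted(r for r in requirements if r not in owners)
    shared = {r: sorted(c) for r, c in owners.items() if len(c) > 1}
    return unassigned, shared, dangling

def report(requirements, control_structure):
    """Render the gap analysis as one finding per line."""
    unassigned, shared, dangling = gap_analysis(requirements, control_structure)
    lines = [f"GAP: {r} ({requirements[r]}) is enforced by no controller" for r in unassigned]
    lines += [f"SHARED: {r} assigned to {', '.join(c)}; check for conflict" for r, c in sorted(shared.items())]
    lines += [f"DANGLING: {c} references unknown requirement(s) {', '.join(r)}" for c, r in sorted(dangling.items())]
    return lines

if __name__ == "__main__":
    print("\n".join(report(REQUIREMENTS, CONTROL_STRUCTURE)))
```

On the constructed input the report shows SR-3 as a hole (the Training Office has no enforcement responsibility) and SR-1 and SR-2 as shared, which is where the text says the analysis should look for conflicting or overlapping responsibilities.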

System dynamics modeling was used to show the relationship among the contextual factors and unsafe control actions and the reasons why the safety control structure migrated toward ineffectiveness over time. Most modeling techniques provide... [Pg.243]

STPA can be used to further refine these constraints and to evaluate the resulting designs. In the process, the safety control structure will be refined and perhaps changed. In this case, a controller must be identified for the stabilizer legs, which were previously not in the design. Let's assume that the legs are controlled by the TTPS movement controller (figure 9.3). [Pg.258]

Document the safety control structure in place to control the hazard and enforce the safety constraints. This structure includes the roles and responsi-... [Pg.350]

Determine the dynamics and changes in the system and the safety control structure relating to the loss and any weakening of the safety control structure over time. [Pg.351]

If STAMP has been used as the basis for previous safety activities, such as the original engineering process or the investigation and analysis of previous incidents and accidents, a model of the safety-control structure may already exist. If not, it must be created, although it can then be reused in the future. Chapters 12 and 13 provide information about the design of safety-control structures. [Pg.356]

Each relevant component of the safety control structure, starting with the lowest physical controls and progressing upward to the social and political controls, needs to be examined. How are the components to be examined determined? Considering everything is not practical or cost effective. By starting at the bottom, the relevant... [Pg.360]

Stopping after identifying inadequate control actions by the lower levels of the safety control structure is common in accident investigation. The result is that the cause is attributed to operator error, which does not provide enough information to prevent accidents in the future. It also does not overcome the problems of hindsight bias. In hindsight, it is always possible to see that a different behavior would have been safer. But the information necessary to identify that safer behavior is usually only available after the fact. To improve safety, we need to understand the reasons people acted the way they did. Then we can determine if and how to change conditions so that better decisions can be made in the future. [Pg.361]

Let's follow some of the physical plant inadequacies up the safety control structure at Citichem. Three examples of STAMP-based analyses of the inadequate control at Citichem are shown in figure 11.3: a maintenance worker, the maintenance manager, and the operations manager. [Pg.362]

The goal of understanding the dynamics is to redesign the system and the safety control structure to make them more conducive to system safety. For example, behavior is influenced by recent accidents or incidents. As safety efforts are successfully employed, the feeling grows that accidents cannot occur, leading to a reduction in the safety efforts, an accident, and then increased controls for a while until the system drifts back to an unsafe state and complacency again increases... [Pg.383]

This chapter describes the implications of STAMP on operations. Some topics that are relevant here are left to the next chapter on management: organizational design, safety culture and leadership, assignment of appropriate responsibilities throughout the safety control structure, the safety information system, and corporate safety policies. These topics span both development and operations and many of the same principles apply to each, so they have been put into a separate chapter. A final section of this chapter considers the application of STAMP and systems thinking principles to occupational safety. [Pg.392]

Organizational changes: change is a constant in most organizations, including changes in the safety control structure itself, or in the physical and social environment within which the system operates or with which it interacts. [Pg.394]

Detect safety-related flaws in the system design and in the safety control structure, hopefully before major losses, and fix them. [Pg.394]

To avoid losses, not only must the original design enforce the safety constraints on system behavior, but the safety control structure must continue to enforce them as changes to the designed system, including the safety control structure itself, occur over time. [Pg.396]
