163 lines
10 KiB
Plaintext
163 lines
10 KiB
Plaintext
ENGINEERING A SAFER WORLD.
|
||
Systems Thinking Applied to Safety.
|
||
By Nancy G Leveson.
|
||
The MIT Press.
|
||
Cambridge, Massachusetts.
|
||
London, England.
|
||
|
||
We pretend that technology, our technology, is something of a life force, a will, and a thrust
|
||
of its own, on which we can blame all, with which we can explain all, and in the end by
|
||
means of which we can excuse ourselves.
|
||
—T Cuyler Young, Man in Nature.
|
||
|
||
Series Foreword.
|
||
|
||
Engineering Systems is an emerging field that is at the intersection of engineering,
|
||
management, and the social sciences. Designing complex technological systems
|
||
requires not only traditional engineering skills but also knowledge of public policy
|
||
issues and awareness of societal norms and preferences. In order to meet the
|
||
challenges of rapid technological change and of scaling systems in size, scope, and
|
||
complexity, Engineering Systems promotes the development of new approaches,
|
||
frameworks, and theories to analyze, design, deploy, and manage these systems.
|
||
This new academic field seeks to expand the set of problems addressed by engi-
|
||
neers, and draws on work in the following fields as well as others.
|
||
|
||
|
||
one.• Technology and Policy.
|
||
two.• Systems Engineering.
|
||
three.• System and Decision Analysis, Operations Research.
|
||
four.• Engineering Management, Innovation, Entrepreneurship.
|
||
five.• Manufacturing, Product Development, Industrial Engineering.
|
||
|
||
The Engineering Systems Series will reflect the dynamism of this emerging field
|
||
and is intended to provide a unique and effective venue for publication of textbooks
|
||
and scholarly works that push forward research and education in Engineering
|
||
Systems.
|
||
|
||
|
||
Preface.
|
||
I began my adventure in system safety after completing graduate studies in com-
|
||
puter science and joining the faculty of a computer science department. In the first
|
||
week at my new job, I received a phone call from Marion Moon, a system safety
|
||
engineer at what was then the Ground Systems Division of Hughes Aircraft
|
||
Company. Apparently he had been passed between several faculty members, and I
|
||
was his last hope. He told me about a new problem they were struggling with on a
|
||
torpedo project, something he called. “software safety.” I told him I didn ot know
|
||
anything about it and that I worked in a completely unrelated field. I added that I
|
||
was willing to look into the problem. That began what has been a thirty-year search
|
||
for a solution and to the more general question of how to build safer systems.
|
||
Around the year 2000, I became very discouraged. Although many bright people
|
||
had been working on the problem of safety for a long time, progress seemed to be
|
||
stalled. Engineers were diligently performing safety analyses that did not seem to
|
||
have much impact on accidents. The reason for the lack of progress, I decided, was
|
||
that the technical foundations and assumptions on which traditional safety engineer-
|
||
ing efforts are based are inadequate for the complex systems we are building today.
|
||
The world of engineering has experienced a technological revolution, while the
|
||
basic engineering techniques applied in safety and reliability engineering, such as
|
||
fault tree analysis (FTA) and failure modes and effects analysis (FMEA), have
|
||
changed very little. Few systems are built without digital components, which operate
|
||
very differently than the purely analog systems they replace. At the same time, the
|
||
complexity of our systems and the world in which they operate has also increased
|
||
enormously. The old safety engineering techniques, which were based on a much
|
||
simpler, analog world, are diminishing in their effectiveness as the cause of
|
||
accidents changes.
|
||
For twenty years I watched engineers in industry struggling to apply the old
|
||
techniques to new software-intensive systems — expending much energy and having
|
||
little success. At the same time, engineers can no longer focus only on technical
|
||
issues and ignore the social, managerial, and even political factors that impact safety
|
||
if we are to significantly reduce losses. I decided to search for something new. This
|
||
book describes the results of that search and the new model of accident causation
|
||
and system safety techniques that resulted.
|
||
The solution, I believe, lies in creating approaches to safety based on modern
|
||
systems thinking and systems theory. While these approaches may seem new or
|
||
paradigm changing, they are rooted in system engineering ideas developed after
|
||
World War 2. They also build on the unique approach to engineering for safety,
|
||
called System Safety, that was pioneered in the 1950s by aerospace engineers such
|
||
as C O Miller, Jerome Lederer, and Willie Hammer, among others. This systems
|
||
approach to safety was created originally to cope with the increased level of com-
|
||
plexity in aerospace systems, particularly military aircraft and ballistic missile
|
||
systems. Many of these ideas have been lost over the years or have been displaced
|
||
by the influence of more mainstream engineering practices, particularly reliability
|
||
engineering.
|
||
This book returns to these early ideas and updates them for todays technology.
|
||
It also builds on the pioneering work in Europe of Jens Rasmussen and his followers
|
||
in applying systems thinking to safety and human factors engineering.
|
||
Our experience to date is that the new approach described in this book is more
|
||
effective, less expensive, and easier to use than current techniques. I hope you find
|
||
it useful.
|
||
|
||
Relationship to Safeware.
|
||
My first book, Safeware, presents a broad overview of what is known and practiced
|
||
in System Safety today and provides a reference for understanding the state of the
|
||
art. To avoid redundancy, information about basic concepts in safety engineering
|
||
that appear in Safeware is not, in general, repeated. To make this book coherent
|
||
in itself, however, there is some repetition, particularly on topics for which my
|
||
understanding has advanced since writing Safeware.
|
||
|
||
Audience.
|
||
This book is written for the sophisticated practitioner rather than the academic
|
||
researcher or the general public. Therefore, although references are provided, an
|
||
attempt is not made to cite or describe everything ever written on the topics or to
|
||
provide a scholarly analysis of the state of research in this area. The goal is to provide
|
||
engineers and others concerned about safety with some tools they can use when
|
||
attempting to reduce accidents and make systems and sophisticated products safer.
|
||
It is also written for those who are not safety engineers and those who are
|
||
not even engineers. The approach described can be applied to any complex,
|
||
sociotechnical system such as health care and even finance. This book shows you
|
||
how to “reengineer” your system to improve safety and better manage risk. If pre-
|
||
venting potential losses in your field is important, then the answer to your problems
|
||
may lie in this book.
|
||
|
||
Contents.
|
||
The basic premise underlying this new approach to safety is that traditional models
|
||
of causality need to be extended to handle todays engineered systems. The most
|
||
common accident causality models assume that accidents are caused by component
|
||
failure and that making system components highly reliable or planning for their
|
||
failure will prevent accidents. While this assumption is true in the relatively simple
|
||
electromechanical systems of the past, it is no longer true for the types of complex
|
||
sociotechnical systems we are building today. A new, extended model of accident
|
||
causation is needed to underlie more effective engineering approaches to improving
|
||
safety and better managing risk.
|
||
The book is divided into three sections. The first part explains why a new approach
|
||
is needed, including the limitations of traditional accident models, the goals for a
|
||
new model, and the fundamental ideas in system theory upon which the new model
|
||
is based. The second part presents the new, extended causality model. The final part
|
||
shows how the new model can be used to create new techniques for system safety
|
||
engineering, including accident investigation and analysis, hazard analysis, design
|
||
for safety, operations, and management.
|
||
This book has been a long time in preparation because I wanted to try the new
|
||
techniques myself on real systems to make sure they work and are effective. In
|
||
order not to delay publication further, I will create exercises, more examples, and
|
||
other teaching and learning aids and provide them for download from a website in
|
||
the future.
|
||
|
||
Chapters 6 – 10, on system safety engineering and hazard analysis, are purposely
|
||
written to be stand-alone and therefore usable in undergraduate and graduate
|
||
system engineering classes where safety is just one part of the class contents and
|
||
the practical design aspects of safety are the most relevant.
|
||
|
||
Acknowledgments.
|
||
|
||
The research that resulted in this book was partially supported by numerous research
|
||
grants over many years from NSF and NASA. David Eckhardt at the NASA Langley
|
||
Research Center provided the early funding that got this work started.
|
||
I also am indebted to all my students and colleagues who have helped develop
|
||
these ideas over the years. There are too many to list, but I have tried to give them
|
||
credit throughout the book for the ideas they came up with or we worked on
|
||
together. I apologize in advance if I have inadvertently not given credit where it is
|
||
due. My students, colleagues, and I engage in frequent discussions and sharing of
|
||
ideas, and it is sometimes difficult to determine where the ideas originated. Usually
|
||
the creation involves a process where we each build on what the other has done.
|
||
Determining who is responsible for what becomes impossible. Needless to say, they
|
||
provided invaluable input and contributed greatly to my thinking.
|
||
I am particularly indebted to the students who were at MIT while I was writing
|
||
this book and played an important role in developing the ideas: Nicolas Dulac,
|
||
Margaret Stringfellow, Brandon Owens, Matthieu Couturier, and John Thomas.
|
||
Several of them assisted with the examples used in this book.
|
||
Other former students who provided important input to the ideas in this book
|
||
are Matt Jaffe, Elwin Ong, Natasha Neogi, Karen Marais, Kathryn Weiss, David
|
||
Zipkin, Stephen Friedenthal, Michael Moore, Mirna Daouk, John Stealey, Stephanie
|
||
Chiesi, Brian Wong, Mal Atherton, Shuichiro Daniel Ota, and Polly Allen.
|
||
Colleagues who provided assistance and input include Sidney Dekker, John
|
||
Carroll, Joel Cutcher-Gershenfeld, Joseph Sussman, Betty Barrett, Ed Bachelder,
|
||
Margaret-Anne Storey, Meghan Dierks, and Stan Finkelstein. |