Chapter 1

Why Do We Need Something Different?

This book presents a new approach to building safer systems that departs in important ways from traditional safety engineering. While the traditional approaches worked well for the simpler systems of the past for which they were devised, significant changes have occurred in the types of systems we are attempting to build today and the context in which they are being built. These changes are stretching the limits of safety engineering.
• Fast pace of technological change. Although learning from past accidents is still an important part of safety engineering, lessons learned over centuries about designing to prevent accidents may be lost or become ineffective when older technologies are replaced with new ones. Technology is changing much faster than our engineering techniques are responding to these changes. New technology introduces unknowns into our systems and creates new paths to losses.
• Reduced ability to learn from experience. At the same time that the development of new technology has sprinted forward, the time to market for new products has greatly decreased, and strong pressures exist to decrease this time even further. The average time to translate a basic technical discovery into a commercial product in the early part of this century was thirty years. Today our technologies get to market in two to three years and may be obsolete in five. We no longer have the luxury of carefully testing systems and designs to understand all the potential behaviors and risks before commercial or scientific use.
• Changing nature of accidents. As our technology and society change, so do the causes of accidents. System engineering and system safety engineering techniques have not kept up with the rapid pace of technological innovation. Digital technology, in particular, has created a quiet revolution in most fields of engineering. Many of the approaches to prevent accidents that worked on electromechanical components—such as replication of components to protect against individual component failure—are ineffective in controlling accidents that arise from the use of digital systems and software.
• New types of hazards. Advances in science and societal changes have created new hazards. For example, the public is increasingly being exposed to new man-made chemicals or toxins in our food and our environment. Large numbers of people may be harmed by unknown side effects of pharmaceutical products. Misuse or overuse of antibiotics has given rise to resistant microbes. The most common safety engineering strategies have limited impact on many of these new hazards.
• Increasing complexity and coupling. Complexity comes in many forms, most of which are increasing in the systems we are building. Examples include interactive complexity (related to interaction among system components), dynamic complexity (related to changes over time), decompositional complexity (where the structural decomposition is not consistent with the functional decomposition), and nonlinear complexity (where cause and effect are not related in a direct or obvious way). The operation of some systems is so complex that it defies the understanding of all but a few experts, and sometimes even they have incomplete information about the system’s potential behavior. The problem is that we are attempting to build systems that are beyond our ability to intellectually manage; increased complexity of all types makes it difficult for the designers to consider all the potential system states or for operators to handle all normal and abnormal situations and disturbances safely and effectively. In fact, complexity can be defined as intellectual unmanageability.

This situation is not new. Throughout history, inventions and new technology have often gotten ahead of their scientific underpinnings and engineering knowledge, but the result has always been increased risk and accidents until science and engineering caught up.[1] We are now in the position of having to catch up with our technological advances by greatly increasing the power of current approaches to controlling risk and creating new improved risk management strategies.
[1] As an example, consider the introduction of high-pressure steam engines in the first half of the nineteenth century, which transformed industry and transportation but resulted in frequent and disastrous explosions. While engineers quickly amassed scientific information about thermodynamics, the action of steam in the cylinder, the strength of materials in the engine, and many other aspects of steam engine operation, there was little scientific understanding about the buildup of steam pressure in the boiler, the effect of corrosion and decay, and the causes of boiler explosions. High-pressure steam had made the current boiler design obsolete by producing excessive strain on the boilers and exposing weaknesses in the materials and construction. Attempts to add technological safety devices were unsuccessful because engineers did not fully understand what went on in steam boilers. It was not until well after the middle of the century that the dynamics of steam generation was understood.
• Decreasing tolerance for single accidents. The losses stemming from accidents are increasing with the cost and potential destructiveness of the systems we build. New scientific and technological discoveries have not only created new or increased hazards (such as radiation exposure and chemical pollution) but have also provided the means to harm increasing numbers of people as the scale of our systems increases and to impact future generations through environmental pollution and genetic damage. Financial losses and lost potential for scientific advances are also increasing in an age where, for example, a spacecraft may take ten years and up to a billion dollars to build, but only a few minutes to lose. Financial system meltdowns can affect the world’s economy in our increasingly connected and interdependent global economy. Learning from accidents or major losses (the fly-fix-fly approach to safety) needs to be supplemented with increasing emphasis on preventing the first one.
• Difficulty in selecting priorities and making tradeoffs. At the same time that potential losses from single accidents are increasing, companies are coping with aggressive and competitive environments in which cost and productivity play a major role in short-term decision making. Government agencies must cope with budget limitations in an age of increasingly expensive technology. Pressures are great to take shortcuts and to place higher priority on cost and schedule risks than on safety. Decision makers need the information required to make these tough decisions.
• More complex relationships between humans and automation. Humans are increasingly sharing control of systems with automation and moving into positions of higher-level decision making with automation implementing the decisions. These changes are leading to new types of human error—such as various types of mode confusion—and a new distribution of human errors, for example, increasing errors of omission versus commission. Inadequate communication between humans and machines is becoming an increasingly important factor in accidents. Current approaches to safety engineering are unable to deal with these new types of errors.

All human behavior is influenced by the context in which it occurs, and operators in high-tech systems are often at the mercy of the design of the automation they use or the social and organizational environment in which they work. Many recent accidents that have been blamed on operator error could more accurately be labeled as resulting from flaws in the environment in which they operate. New approaches to reducing accidents through improved design of the workplace and of automation are long overdue.
• Changing regulatory and public views of safety. In today’s complex and interrelated societal structure, responsibility for safety is shifting from the individual to government. Individuals no longer have the ability to control the risks around them and are demanding that government assume greater responsibility for ensuring public safety through laws and various forms of oversight and regulation, as companies struggle to balance safety risks against time-to-market and budgetary pressures. Ways to design more effective regulatory strategies without impeding economic goals are needed. The alternative is for individuals and groups to turn to the courts for protection, which has many potential downsides, such as stifling innovation through fear of lawsuits as well as unnecessarily increasing costs and decreasing access to products and services.
Incremental improvements in traditional safety engineering approaches over time have not resulted in significant improvement in our ability to engineer safer systems. A paradigm change is needed in the way we engineer and operate the types of systems and hazards we are dealing with today. This book shows how systems theory and systems thinking can be used to extend our understanding of accident causation and provide more powerful (and surprisingly less costly) new accident analysis and prevention techniques. It also allows a broader definition of safety and accidents that goes beyond human death and injury and includes all types of major losses, including equipment, mission, financial, and information.

Part I of this book presents the foundation for the new approach. The first step is to question the current assumptions and oversimplifications about the cause of accidents that no longer fit today’s systems (if they ever did) and create new assumptions to guide future progress. The new, more realistic assumptions are used to create goals to reach for and criteria against which new approaches can be judged. Finally, the scientific and engineering foundations for a new approach are outlined.

Part II presents a new, more inclusive model of causality, followed by part III, which describes how to take advantage of the expanded accident causality model to better manage safety in the twenty-first century.