
    Introducing the STAMP method in road tunnel safety assessment

    After the tremendous accidents in European road tunnels over the past decade, many risk assessment methods have been proposed worldwide, most of them based on Quantitative Risk Assessment (QRA). Although QRAs are helpful to address physical aspects and facilities of tunnels, current approaches in the road tunnel field have limitations to model organizational aspects, software behavior and the adaptation of the tunnel system over time. This paper reviews the aforementioned limitations and highlights the need to enhance the safety assessment process of these critical infrastructures with a complementary approach that links the organizational factors to the operational and technical issues, analyzes software behavior and models the dynamics of the tunnel system. To achieve this objective, this paper examines the scope for introducing a safety assessment method which is based on the systems thinking paradigm and draws upon the STAMP model. The method proposed is demonstrated through a case study of a tunnel ventilation system and the results show that it has the potential to identify scenarios that encompass both the technical system and the organizational structure. However, since the method does not provide quantitative estimations of risk, it is recommended to be used as a complementary approach to the traditional risk assessments rather than as an alternative. (C) 2012 Elsevier Ltd. All rights reserved

    Environmental Audit improvements in industrial systems through FRAM

    Environmental risk management requires specific methodologies to focus audit activities on the most critical elements of production systems. Limited resources require a clear motivation to put attention on specific technological, human, organizational components, and often should address the monitoring of interactions among these elements. Recent research in environmental risk looks at methods to deal with complexity as interesting tools to reduce real impacts on pollution and consumption. In this paper, we provide evidence of the advantage in using the Functional Resonance Analysis Method (FRAM), not only to identify the criticalities of a complex production system but to provide a methodology to continuously improve the audit activities in parallel with the introduction of techniques to reduce environmental risk. The case study presents the evolution of environmental audit in a sinter plant, proving the need for a review of the criticality list and the successful application of FRAM to refocus the control activities

    FRAM for systemic accident analysis: a matrix representation of functional resonance

    Due to the inherent complexity of today's Air Traffic Management (ATM) system, standard methods looking at an event as a linear sequence of failures might become inappropriate. For this purpose, adopting a systemic perspective, the Functional Resonance Analysis Method (FRAM), originally developed by Hollnagel, helps identify non-linear combinations of events and interrelationships. This paper aims to enhance the strength of FRAM-based accident analyses, discussing the Resilience Analysis Matrix (RAM), a user-friendly tool that supports the analyst during the analysis, in order to reduce the complexity of representation of FRAM. The RAM offers a two-dimensional representation which systematically highlights connections among couplings, and thus even highly connected groups of couplings. As an illustrative case study, this paper develops a systemic accident analysis for the runway incursion that happened in February 1991 at LAX airport, involving SkyWest Flight 5569 and USAir Flight 1493. FRAM confirms itself a powerful method to characterize the variability of the operational scenario, identifying the dynamic couplings with a critical role during the event and helping discuss the systemic effects of variability at different levels of analysis

    An analytic framework to assess organizational resilience

    Background: Resilience Engineering is a paradigm for safety management that focuses on coping with complexity to achieve success, even considering several conflicting goals. Modern socio-technical systems have to be resilient to comply with the variability of everyday activities, the tight-coupled and underspecified nature of work and the nonlinear interactions among agents. At organizational level, resilience can be described as a combination of four cornerstones: monitoring, responding, learning and anticipating. Methods: Starting from these four categories, this paper aims at defining a semi-quantitative analytic framework to measure organizational resilience in complex socio-technical systems, combining the Resilience Analysis Grid (RAG) and the Analytic Hierarchy Process (AHP). Results: This paper presents an approach for defining resilience abilities of an organization, creating a structured domain-dependent framework to define a resilience profile at different levels of abstraction, to identify weaknesses and strengths of the system and thus potential actions to increase system’s adaptive capacity. An illustrative example in an anaesthesia department clarifies the outcomes of the approach. Conclusions: The outcome of the RAG, i.e. a weighted set of probing questions, can be used in different domains, as a support tool in a wider Safety-II oriented managerial action to bring safety management into the core business of the organization

    Human Error Management Paying Emphasis on Decision Making and Social Intelligence -Beyond the Framework of Man-Machine Interface Design-

    How latent error or violation induces a serious accident has been reviewed and a proper addressing measure of this has been proposed in the framework of decision making, emotional intelligence (EI) and social intelligence (SI) of organization and its members. It has been clarified that EI and SI play an important role in decision making. Violations frequently occur all over the world, although we definitely understand that we should not commit violations, and a secret to prevent this might exist in the enhancement of both social intelligence and reliability. The construction of social structure or system that supports organizational efforts to enhance both social intelligence and reliability would be essential. Traditional safety education emphasizes that it is possible to change attitudes or mind toward safety by means of education. In spite of this, accidents or scandals frequently occur and never decrease. These problems must be approached on the basis of the full understanding of social intelligence and limited reasonability in decision making. Social dilemma (We do not necessarily cooperate in spite of understanding its importance, and we sometimes make decision not to select cooperative behavior. Non-cooperation gives rise to a desirable result for an individual. However, if all take non-cooperative actions, undesirable results are finally induced to all.) must be solved in some ways and the transition from relief (closed) society to global (reliability) society must be realized as a whole. New social system, where cooperative relation can be easily and reliably obtained, must be constructed to support such an approach and prevent violation-based accidents

    Crowd Disasters as Systemic Failures: Analysis of the Love Parade Disaster

    Each year, crowd disasters happen in different areas of the world. How and why do such disasters happen? Are the fatalities caused by relentless behavior of people or a psychological state of panic that makes the crowd 'go mad'? Or are they a tragic consequence of a breakdown of coordination? These and other questions are addressed, based on a qualitative analysis of publicly available videos and materials, which document the planning and organization of the Love Parade in Duisburg, Germany, and the crowd disaster on July 24, 2010. Our analysis reveals a number of misunderstandings that have widely spread. We also provide a new perspective on concepts such as 'intentional pushing', 'mass panic', 'stampede', and 'crowd crushes'. The focus of our analysis is on the contributing causal factors and their mutual interdependencies, not on legal issues or the judgment of personal or institutional responsibilities. Video recordings show that, in Duisburg, people stumbled and piled up due to a 'domino effect', resulting from a phenomenon called 'crowd turbulence' or 'crowd quake'. Crowd quakes are a typical reason for crowd disasters, to be distinguished from crowd disasters resulting from 'panic stampedes' or 'crowd crushes'. In Duisburg, crowd turbulence was the consequence of amplifying feedback and cascading effects, which are typical for systemic instabilities. Accordingly, things can go terribly wrong in spite of no bad intentions from anyone. Comparing the incident in Duisburg with others, we give recommendations to help prevent future crowd disasters. In particular, we introduce a new scale to assess the criticality of conditions in the crowd. This may allow preventative measures to be taken earlier on. Furthermore, we discuss the merits and limitations of citizen science for public investigation, considering that today, almost every event is recorded and reflected in the World Wide Web. Comment: For a collection of links to complementary video materials see http://loveparadevideos.heroku.com/ For related work see http://www.soms.ethz.c

    The natural history of bugs: using formal methods to analyse software related failures in space missions

    Space missions force engineers to make complex trade-offs between many different constraints including cost, mass, power, functionality and reliability. These constraints create a continual need to innovate. Many advances rely upon software, for instance to control and monitor the next generation ‘electron cyclotron resonance’ ion-drives for deep space missions. Programmers face numerous challenges. It is extremely difficult to conduct valid ground-based tests for the code used in space missions. Abstract models and simulations of satellites can be misleading. These issues are compounded by the use of ‘band-aid’ software to fix design mistakes and compromises in other aspects of space systems engineering. Programmers must often re-code missions in flight. This introduces considerable risks. It should, therefore, not be a surprise that so many space missions fail to achieve their objectives. The costs of failure are considerable. Small launch vehicles, such as the U.S. Pegasus system, cost around $18 million. Payloads range from $4 million up to $1 billion for security related satellites. These costs do not include consequent business losses. In 2005, Intelsat wrote off $73 million from the failure of a single uninsured satellite. It is clearly important that we learn as much as possible from those failures that do occur. The following pages examine the roles that formal methods might play in the analysis of software failures in space missions

    Introduction Of Clusterization Principles In The Solution Of Problems Of Energy Efficiency And Ecological Safety Of The Existent Building Fund

    The aim of the work is to introduce clusterization principles in the solution of problems of energy efficiency and ecological safety of the existent building fund. The material of the research is the process of modeling of energetically effective architecture-building clusters. In this sense it is topical and expedient to elaborate technologies and schemes, able to support making decisions as to the formation of energetically effective architecture-building clusters. The main attention is paid to the solution of infrastructure problems of energy saving of the architecture-building branch, connected with the absence of universal models, distinct algorithms of the formation of energy efficiency clusters and reliable instruments of their activity optimization. But realization of advantages of energy efficiency clusters is possible only at introducing effective mechanisms of the formation of a structure, able to provide a result, optimal by an energy efficiency criterion. The work offers a scheme of the formation process of such structure. The synthesis of models of energetically effective architecture-building clusters is based on principles of the systemic construction of geometric models and provides the imitative modeling of different development scenarios of synthesized clusters. At this stage of the research a function of making decisions as to the real cluster formation is left for experts. But an algorithm of the synthesis of models provides the formation of a knowledge base that will be in further a base of an “internal model” of the intellectual system of supporting decisions making, elaborated for modeling cluster structures. The scientific novelty of the work is in the elaboration of theoretical bases of the technology of coordinating the structure with object properties