    Introducing the STAMP method in road tunnel safety assessment

    After the tremendous accidents in European road tunnels over the past decade, many risk assessment methods have been proposed worldwide, most of them based on Quantitative Risk Assessment (QRA). Although QRAs are helpful to address physical aspects and facilities of tunnels, current approaches in the road tunnel field have limitations in modelling organizational aspects, software behavior and the adaptation of the tunnel system over time. This paper reviews the aforementioned limitations and highlights the need to enhance the safety assessment process of these critical infrastructures with a complementary approach that links the organizational factors to the operational and technical issues, analyzes software behavior and models the dynamics of the tunnel system. To achieve this objective, this paper examines the scope for introducing a safety assessment method which is based on the systems thinking paradigm and draws upon the STAMP model. The method proposed is demonstrated through a case study of a tunnel ventilation system and the results show that it has the potential to identify scenarios that encompass both the technical system and the organizational structure. However, since the method does not provide quantitative estimations of risk, it is recommended to be used as a complementary approach to the traditional risk assessments rather than as an alternative. (C) 2012 Elsevier Ltd. All rights reserved

    A system-theoretic, control-inspired view and approach to process safety

    Accidents in the process industry continue to occur, and we do not seem to be making much progress in reducing them (Venkatasubramanian, 2011). Postmortem analysis has indicated that they were preventable and had similar systemic causes (Kletz, 2003). Why do we fail to learn from the past and make adequate changes to prevent their reappearance? A variety of explanations have been offered: operators' faults, component failures, lax supervision of operations, poor maintenance, etc. All of these explanations, and many others, have been exhaustively studied, analyzed, “systematized” into causal groups, and a variety of approaches have been developed to address them. Even so, they still occur with significant numbers of fatalities and injured people, with significant disruption of productive operations and frequently extensive destruction of the surrounding environment, both physical and social

    Management issues in systems engineering

    When applied to a system, the doctrine of successive refinement is a divide-and-conquer strategy. Complex systems are successively divided into pieces that are less complex, until they are simple enough to be conquered. This decomposition results in several structures for describing the product system and the producing system. These structures play important roles in systems engineering and project management. Many of the remaining sections in this chapter are devoted to describing some of these key structures. Structures that describe the product system include, but are not limited to, the requirements tree, system architecture and certain symbolic information such as system drawings, schematics, and databases. The structures that describe the producing system include the project's work breakdown, schedules, cost accounts and organization

    Assessment of accident investigation methods for wildland firefighting incidents by case study method

    Tree-Network Overrun Model Associated with Pilots’ Actions and Flight Operational Procedures

    Runway excursions are defined as the exit of an aircraft from the surface of the runway. These excursions can take place at takeoff or at landing and consist of two types of events: veer off and overrun. The latter, which occurs when the aircraft exceeds the limits at the end of the runway, is the event of interest in the current study. This chapter aims to present an accident model with a new approach in aeronautical systems, based on the tasks of the pilots related to the operational procedures necessary for the approach and landing, in order to obtain the chain of events that lead to this type of accident. Thus, the tree-network overrun model (TNO model) was proposed, unlike most traditional models, which consider only the hardware failures or which do not satisfactorily explain the interrelationship between the factors influencing the operator. The proposed model is developed in a fault tree and transformed into a Bayesian network up to the level of the basic elements. The results showed the qualitative model of the main tasks performed by the pilots and their relation to the accident. It has also been suggested how to find and estimate the probability of factors that can impact each of the tasks

    Propulsion system safety analysis methodology for commercial transport aircraft

    Airworthiness certification of commercial transport aircraft requires a safety analysis of the propulsion system to establish that the probability of a failure jeopardising the safety of the aeroplane is acceptably low. The needs and desired features of such a propulsion system safety analysis are discussed, and current techniques and assumptions employed in such analyses are evaluated. It is concluded that current assumptions and techniques are not well suited to predicting behaviour of the propulsion system in service. The propulsion accident history of the high bypass ratio commercial transport fleet is reviewed and an alternate approach to propulsion system safety analysis is developed, based on this accident history. Features of the alternate approach include quantified prediction of propulsion related crew error, engine-level reliability growth modelling to realistically predict engine failure rates, and quantified credit for design features which mitigate the effects of propulsion system failures. The alternate approach is validated by applying it to two existing propulsion systems. It is found to produce forecasts in good agreement with service experience. Use of the alternate approach to propulsion system safety analysis during design and development will enable accurate prediction of the expected propulsion related accident rate and identification of opportunities to reduce the accident rate by incorporating mitigating features into the propulsion system/ aeroplane design

    Comparative Analysis of Nuclear Event Investigation Methods, Tools and Techniques

    Feedback from operating experience is one of the key means of enhancing nuclear safety and operational risk management. The effectiveness of learning from experience at NPPs could be maximised, if the best event investigation practices available from a series of methodologies, methods and tools in the form of a ‘toolbox’ approach were promoted. Based on available sources of technical, scientific, normative and regulatory information, an inventory, review and brief comparative analysis of information concerning event investigation methods, tools and techniques, either indicated or already used in the nuclear industry (with some examples from other high risk industry areas), was performed in this study. Its results, including the advantages and drawbacks identified from the different instruments, preliminary recommendations and conclusions, are covered in this report. The results of comparative analysis of nuclear event investigation methods, tools and techniques, presented in this interim report, are of a preliminary character. It is assumed that, for the generation of more concrete recommendations concerning the selection of the most effective and appropriate methods and tools for event investigation, new data, from experienced practitioners in the nuclear industry and/or regulatory institutions are needed. It is planned to collect such data, using the questionnaire prepared and performing the survey currently underway. This is the second step in carrying out an inventory of, reviewing, comparing and evaluating the most recent data on developments and systematic approaches in event investigation, used by organisations (mainly utilities) in the EU Member States. Once the data from this survey are collected and analysed, the final recommendations and conclusions will be developed and presented in the final report on this topic. 
This should help current and prospective investigators to choose the most suitable and efficient event investigation methods and tools for their particular needs.
JRC.DDG.F.5-Safety of present nuclear reactor

    Systemic approaches to incident analysis in aviation: comparison of STAMP, Agent-Based Modelling and Institutions

    The rapid development and increasing complexity of modern socio-technical systems suggest an urgent need for systemic safety analysis approaches because traditional linear models cannot cope with this complexity. In the aviation safety literature, among systemic accident and incident analysis methods, Systems Theoretic Accident Modelling and Processes (STAMP) and Agent-based modelling (ABM) are the most cited ones. STAMP is a qualitative analysis approach known for its thoroughness and comprehensiveness. Computational ABM approach is a formal quantitative method which proved to be suitable for modelling complex flexible systems. In addition, from a legal point of view, formal systemic institutional modelling potentially provides an interesting contribution to accident and incident analysis. The current work compares three systemic modelling approaches: STAMP, ABM and institutional modelling applied to a case study in an aviation domain

    Bowtie models as preventive models in maritime safety

    This work arose from a proposal by Dr. Rodrigo de Larrucea, who has just published an ambitious book on Maritime Safety. As he himself says, the subject “far exceeds the author's capabilities”, so in my case this is even more true. One can aspire, however, to make a modest contribution to the study and dissemination of safety in maritime culture, which only appears in the news when very specific disasters occur. In any case, the professor proposed that I focus on Bowtie Models, which integrate the tree of causes and the tree of consequences (in English, Fault Tree Analysis, FTA, and Event Tree Analysis, ETA). Certainly, other methodologies and approaches exist (and in his book he presents several, in summary form), but because of their conceptual simplicity and the possibility of generalising and integrating the results, this was a good bet. Thus, after a phase of reflection and gathering of information, I decided to present a very general bowtie model that accommodates the main causes of accidents (environmental factors, human error and mechanical failure), also allowing that a combination of causes may exist. In any case, when it comes to exploiting this model there is the great difficulty of assigning a probability of occurrence, a number between 0 and 1, to each branch. Normally the probabilities of occurrence are small and therefore difficult to estimate. Every accident is different, there are few great catastrophes, and every accident is already studied exhaustively (the more serious it is, the more exhaustively). Another factor that makes it difficult to estimate the probability of failure is the constant evolution of the maritime world, from the technical, training and legal points of view and even the generational one, since each generation of seafarers is different. Efforts are therefore focused on increasing safety, though always with one eye on costs. 
Thus, I have presented a bowtie model for its didactic and graphic value but without going into numerical details, which, if appropriate, I will refine and internalise in the practice of the profession. In this work I have also tried not to remain entirely on the side of theory (it is well known that if everything is done well, everything turns out perfectly, etc.) but to present in some detail 2 well-known cases of maritime accidents: the tanker Exxon Valdez in 1989 and the ferry Estonia in 1994, among others mentioned. They are somewhat old cases, but they contributed to raising the safety culture to the level we enjoy today, at least in Western countries. For safety, as Rodrigo de Larrucea says, “is an attitude and is never fortuitous; it is always the result of a determined will, a sincere effort, intelligent direction and careful execution. Without any doubt, it is always the best alternative”. The work has been inspired in its initial aspects by the book of my tutor Jaime Rodrigo de Larrucea, which presents a state of the art of all the maritime aspects related to safety. Evidently, since it covers all the topics, it cannot go into depth on every topic. It was my opportunity to go into depth on the Bowtie Model, but finally I have also covered a wide variety of topics. Later, when I began to study the topics, I realized that the people in the maritime world usually do not understand statistics to a great extent. Everybody is concerned about safety but few nautical students take a probabilistic approach to the accidents. For this it is extremely important to study the population that is going to be studied: in our case the SOLAS ships. Also, during my time at Riga, I have been very concerned with the most diverse accidents, some of them studied during the courses at Barcelona. I have seen that it is difficult to model the accidents mathematically, since each one has different characteristics and angles, and surely no 2 are equal. 
Finally, it was agreed that I should concentrate on the Bowtie Model, which is not very complex from a statistical point of view. It is simply a fault tree of events model and a tree of effects. I present some examples in Chapter 2. The difficulty I point out is to try to estimate the probabilities of occurrence of events that are unusual. We concentrated on major accidents, those that may cause victims or heavy losses. Then, for the sake of generality, in Chapter 4, I have divided the causes into 4 great classes: natural hazards, human factor, mechanical failure and attacks (piracy and terrorism). The last one maybe should not be included beside the others, since terrorism and piracy acts are not accidents, but since there is an important code dedicated to preventing security threats, ISPS, it is an example of the design of barriers to prevent an undesired event (although it mainly gives guidelines to be followed by the States, Port Terminals and Shipping Companies). I have presented a detailed study of the tragedy of the Estonia, showing how a mechanical failure triggered the loss of the ferry, by its nature a delicate ship, but there were other factors such as poor maintenance and heavy seas. In the next Chapter, certain characteristics of error chains are analyzed. Finally, the conclusions are drawn, offering a pretty optimistic view of the safety (and security) culture in the Western World, but one that may not easily permeate the entire World, due to the associated costs