SAFETY I - Sitraer 2014


SYSTEMS-THEORETIC ACCIDENT MODEL AND PROCESSES (STAMP) APPLIED TO DESIGN A SAFETY DRIVEN CONCEPT OF AN AIR NAVIGATION SERVICE PROVIDER (ANSP)

A bit of the History of

Accident Prevention in Complex Systems

NAT – Normal Accident Theory
HRO – High Reliability Organizations
NAT+HRO – Mixed

NAT: Interactive complexity and tight coupling in some technological systems, such as nuclear power plants, lead to unpredictable interactions and hence to system accidents that are inevitable or “normal” [Perrow 1999]

HRO: Preoccupation with failure, reluctance to simplify interpretations, sensitivity to operations, commitment to resilience, and deference to experience [Weick, 1999]

Does a plane crash mean that NAT is right or does the reduction in plane crashes over time mean that HRO is right? [Leveson 2008]

NAT + HRO: Complexity and Tight Coupling + Redundancy and Decentralized Decisions

Both groups assume accidents are caused by component failures. This confusion of component reliability with system safety leads to a focus on redundancy as a way to enhance reliability, without considering other ways to enhance safety. [Leveson, 2008]

Common assumptions (myths) about “safety”

That if each person and component in the system operates reliably, there will be no accidents
Increasing protection will increase safety
Human error is the largest single cause of accidents and incidents
The system will be safe if people comply with the procedures they have been given
Accident analysis can identify root causes (the “truth”) of why the accident happened
Accident investigation is the logical and rational identification of causes based on facts
Retrospective analysis of adverse events is required and perhaps the best way to improve safety

Detected procedures in accident investigation

Contemporary theories concerning Accident Prevention in Complex Systems
http://skybrary.aero/index.php/Toolkit:Systems_Thinking_for_Safety/Systems_Thinking_Methods

Resilience Engineering (RE)

SAFETY I (e.g.: SMS): focus on what went wrong (Icarus)
SAFETY II (e.g.: RE): focus on what goes right (Daedalus)

ETTO – FRAM

Accident Analysis

STAMP

Systems-Theoretic Accident Model And Processes

STAMP (Systems-Theoretic Accident Modeling and Processes) is expected to allow managers to more effectively detect hazards within the organization from the early design stage.
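The slides above make two claims that a small simulation can make concrete: that reliable components do not by themselves give a safe system, and that STAMP treats safety as a control problem in which hazards are detected from the structure of the control loop rather than from component failures. The following Python model is an added illustration written for this transcript, not code from the Sitraer 2014 presentation or from the STAMP/STPA authors. It models a trailing aircraft closing on a leading one, a surveillance feed that never fails but refreshes the controller's picture only every few steps, and a controller that follows its rule exactly. All names, numbers, the separation constraint and the scenario are constructed for the example.

```python
"""Toy STAMP-style safety control loop (added illustration, not from the
Sitraer 2014 slides). Every component is perfectly reliable: the surveillance
feed never fails and the controller applies its rule exactly. The loss of
separation that can still occur comes from an inadequate control structure
(a stale process model in the controller), which is the STAMP view of
accident causation. All identifiers, numbers and the scenario are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SEPARATION_MIN_NM = 5.0    # constructed safety constraint: gap must stay >= 5 NM
ACTION_THRESHOLD_NM = 6.0  # constructed controller rule: act once the seen gap is <= 6 NM


@dataclass
class Aircraft:
    ident: str
    pos_nm: float
    speed_nm: float  # distance flown per time step


@dataclass
class Surveillance:
    """Reliable feed that refreshes the controller's picture every `period` steps."""
    period: int
    last_report: Dict[str, float] = field(default_factory=dict)

    def observe(self, t: int, aircraft: List[Aircraft]) -> Tuple[Dict[str, float], int]:
        """Return (positions as the controller sees them, age of that picture in steps)."""
        if t % self.period == 0:
            self.last_report = {a.ident: a.pos_nm for a in aircraft}
        return dict(self.last_report), t % self.period


@dataclass
class Controller:
    """Issues a speed-reduction instruction to the trailing aircraft.

    max_model_age=None trusts the process model however old it is; an integer
    makes the controller treat older feedback as unsafe and act conservatively."""
    lead: str
    trail: str
    max_model_age: Optional[int] = None

    def decide(self, model: Dict[str, float], age: int) -> str:
        if self.max_model_age is not None and age > self.max_model_age:
            return "REDUCE_SPEED"  # feedback too old: enforce the constraint anyway
        gap = model[self.lead] - model[self.trail]
        return "REDUCE_SPEED" if gap <= ACTION_THRESHOLD_NM else "NONE"


def run(period: int, max_model_age: Optional[int] = None, steps: int = 8) -> dict:
    """Simulate the loop; report the minimum true gap and the steps at which a
    needed control action was not provided (an STPA-style unsafe control
    action, judged by the analyst with full knowledge of the true state)."""
    lead = Aircraft("LEAD", pos_nm=10.0, speed_nm=1.0)
    trail = Aircraft("TRAIL", pos_nm=3.0, speed_nm=2.0)  # closing at 1 NM per step
    feed = Surveillance(period)
    ctl = Controller("LEAD", "TRAIL", max_model_age)
    min_gap = lead.pos_nm - trail.pos_nm
    not_provided: List[int] = []
    actions: List[str] = []
    for t in range(steps):
        true_gap = lead.pos_nm - trail.pos_nm
        model, age = feed.observe(t, [lead, trail])
        action = ctl.decide(model, age)
        actions.append(action)
        if true_gap <= ACTION_THRESHOLD_NM and action == "NONE":
            not_provided.append(t)  # hazard developing, control action not provided
        if action == "REDUCE_SPEED":
            trail.speed_nm = min(trail.speed_nm, lead.speed_nm)
        for a in (lead, trail):
            a.pos_nm += a.speed_nm
        min_gap = min(min_gap, lead.pos_nm - trail.pos_nm)
    return {"min_gap": min_gap, "violated": min_gap < SEPARATION_MIN_NM,
            "uca_not_provided": not_provided, "actions": actions}


if __name__ == "__main__":
    for label, kwargs in [("fresh feedback", dict(period=1)),
                          ("stale model trusted", dict(period=4)),
                          ("stale model treated as unsafe", dict(period=4, max_model_age=0))]:
        print(f"{label:32s} {run(**kwargs)}")
```

With fresh feedback the controller acts in time and the gap never drops below 6 NM. With a four-step refresh and a controller that trusts its process model, no component fails, yet the action is not provided at steps 1 to 3 and the gap falls to 3 NM, below the constraint. Adding a freshness requirement to the controller (a constraint on the control structure, not more redundancy) removes the violation, which is the kind of hazard a STAMP control-structure review is meant to surface at design time.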

STAMP/CAST

Causal Analysis based on STAMP

STAMP/STPA

Systems-Theoretic Process Analysis

Example of a Safety Control Structure

ANSP

ANSP Safety Control Structure

ANSP Safety Control Structure (CBO analysis)

ANSP Safety Control Structure (CBO and TBO analysis)

Successful cases of using STAMP/STPA in industry

http://psas.scripts.mit.edu/home/2013-workshop-presentations/

FAA

Thank You!!!