I must say I am puzzled by this discussion.
  A. To me, a safety case is some joined-up set of documents which purport to demonstrate that a system taken as an entity is adequately safe (whatever that is taken to be) when it's operating, and also when it's sitting around not operating (such as systems which involve radioactive and poisonous substances).
  B. The contrast is a regime in which Subsystem-X-supervisor Bill "signs off" that Subsystem X is, as far as Bill is concerned, OK, and the system is rendered operational by a hierarchical series of signatures, without necessarily any or much supporting documentation. That's the way things used to be done (Windscale, Piper Alpha).

As far as I know, Lord Cullen popularised the term "safety case" for the situation described in A, and contrasted it with the status quo, which was B, in his inquiries into major accidents.

So, for Nancy to praise aerospace certification as effective, and to denigrate safety cases as ineffective seems to me almost like a contradiction in terms. The FAA and the various European agencies are pioneers in requiring and collecting joined-up documentation that the bits all do what they should do, and the collections of bits also do what you expect of the collection, and so on.

I presume it's not that simple; that Nancy means by "safety case" something more subtle and detailed and constraining, and as far as I am concerned she is welcome, indeed encouraged, to reject subtle and constraining regimes as much as it is appropriate to do so. But to reject safety cases in the sense of A above as required by the FAA, EASA, IEC 61508, IEC 61511 and almost all the other standards promulgated by the IEC would seem to me to be nuts.

Being too subtle about safety cases, that is, more subtle than A, I would suggest is counterproductive. I am involved with two large industry segments that pay lip service to A but which in fact promulgate regime B at every available opportunity: "we don't need <material such as required by A> - we have our methods and our experience and we are good at what we do", except they are bringing in new technology and there is no such history as they wish to claim. The big political action here is still to try to prevail with "A, not B". Still. A quarter century after Piper Alpha and Kings Cross.

PBL
Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319