Re: [SystemSafety] NYTimes: The Next Accident Awaits

Date: Mon, 3 Feb 2014 17:10:44 +0100

I think there is a lot of fuzziness with the vocabulary and according to the different industry sectors. Words, like performance, prescription, certification, qualification, regulation have not the same meaning in aerospace, railway, medical device, food and drugs, defence, process industries. They have also not the same meaning in different countries. They also have different applicability according to the industrial culture. Some examples. In the context of machinery, a certification is for a type of product or machine. It can be made by an independent (institutional) third party or by the manufacturer as self certification. A prescription is close from a predefined list of components associated with a predefined list of architectures that shall be blindly applied. This has nothing to see with prescription of methods, or prescription of results.

Sometimes the prescribed method is to realise a safety case among other things !

Some rules whatever issued by regulatory agencies, or relevant of a safety case constitution might well suit a simple industrial culture (close a pipe with a single effect valve and a single feedback) and be meaningless for other culture (use a motorised valve with 7 feedbacks, 3 commands and 8 interlocks).

In addition the safety culture is very heterogeneous across industry standards. You still have whole industries not understanding what is the point with analysing the failure modes of a safety system ...

As Nancy pointed out, comparison is very difficult.

My opinion is that all the pitfalls pointed by Nancy are pretty true but that this should not hold us from having both safety cases (as a part of a methodology, and I don't' discuss if it is the best, it has the merit of existing) and regulation as a mean of enforcement.

No driver starts driving with intention to kill, however nobody imagine living without traffic police.

No industrial company starts a plant with the intention to kill, and I don't imagine living without industry police.

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 59 11 96 82

-----Original Message-----
Sent: Monday, February 03, 2014 4:49 PM
To: systemsafety_at_xxxxxx Subject: Re: [SystemSafety] NYTimes: The Next Accident Awaits

I must say I am puzzled by this discussion.

  1. To me, a safety case is some joined-up set of documents which purport to demonstrate that a system taken as an entity is adequately safe (whatever that is taken to be) when it's operating, and also when it's sitting around not operating (such as systems which involve radioactive and poisonous substances).
  2. The contrast is a regime in which Subsystem-X-supervisor Bill "signs off" that Subsystem X is, as far as Bill is concerned, OK, and the system is rendered operational by a hierarchical series of signatures, without necessarily any or much supporting documentation. That's the way things used to be done (Windscale, Piper Alpha).

As far as I know, Lord Cullen popularised the term "safety case" for the situation described in A, and contrasted it with the status quo, which was B, in his inquiries into major accidents.

So, for Nancy to praise aerospace certification as effective, and to denigrate safety cases as ineffective seems to me almost like a contradiction in terms. The FAA and the various European agencies are pioneers in requiring and collecting joined-up documentation that the bits all do what they should do, and the collections of bits also do what you expect of the collection, and so on.

I presume it's not that simple; that Nancy means by "safety case" something more subtle and detailed and constraining, and as far as I am concerned she is welcome, indeed encouraged, to reject subtle and constraining regimes as much as it is appropriate to do so. But to reject safety cases in the sense of A above as required by the FAA, EASA, IEC 61508, IEC 61511 and almost all the other standards promulgated by the IEC would seem to me to be nuts.

Being too subtle about safety cases, that is, more subtle than A, I would suggest is counterproductive. I am involved with two large industry segments that pay lip service to A but which in fact promulgate regime B at every available opportunity: "we don't need <material such as required by A> - we have our methods and our experience and we are good at what we do", except they are bringing in new technology and there is no such history as they wish to claim. The big political action here is still to try to prevail with "A, not B". Still. A quarter century after Piper Alpha and Kings Cross.

PBL Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany Tel+msg +49 (0)521 880 7319

The System Safety Mailing List

" Ce courriel et les documents qui lui sont joints peuvent contenir des informations confidentielles, être soumis aux règlementations relatives au contrôle des exportations ou ayant un caractère privé. S'ils ne vous sont pas destinés, nous vous signalons qu'il est strictement interdit de les divulguer, de les reproduire ou d'en utiliser de quelque manière que ce soit le contenu. Toute exportation ou réexportation non autorisée est interdite Si ce message vous a été transmis par erreur, merci d'en informer l'expéditeur et de supprimer immédiatement de votre système informatique ce courriel ainsi que tous les documents qui y sont attachés."

" This e-mail and any attached documents may contain confidential or proprietary information and may be subject to export control laws and regulations. If you are not the intended recipient, you are notified that any dissemination, copying of this e-mail and any attachments thereto or use of their contents by any means whatsoever is strictly prohibited. Unauthorized export or re-export is prohibited. If you have received this e-mail in error, please advise the sender immediately and delete this e-mail and all attached documents from your computer system."

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Mon Feb 03 2014 - 17:10:57 CET

This archive was generated by hypermail 2.3.0 : Sun Feb 17 2019 - 17:17:06 CET