Re: [SystemSafety] NYTimes: The Next Accident Awaits

From: Nancy Leveson < >
Date: Mon, 3 Feb 2014 18:27:12 -0500

I said I would withdraw but I am so amazed by this discussion that I thought I would at least try to bring some facts into it. The communication problems here seem to devolve from misunderstandings about:
  1. The definition of a safety case. Many people here seem to be using "safety case" as simply a synonym for any evidence generated that involves safety. This is not the standard definition of a safety case.
  2. The definition of a "safety case regime." Note that I tried to use this phrase in my messages, but sometimes I forgot. But this is a regulatory approach that started in the UK after the Piper Alpha accident. It also is widely used in Australia. Not so much in the U.S. There was a lot of controversy about the safety case regime in the U.S. after Deepwater Horizon. Much of the discussion involved lawyers and environmentalists, not engineers. I have included an abstract that will give you the idea at the end of this message.
  3. Safety cases and safety case regulatory regimes are mostly used in health and safety of workers, not in engineering development (although it is occasionally used that way). Note below that the work force must be involved in the safety case according to the U.K. standards -- they are talking about operations safety.

Here are some quotes I pulled from the web. Everything in italics was not written by me. The bold-faced, non-italicized sentences were written by me. Most of the quotes below refer to U.K. standards and practices because the U.S. and most other countries do not use a safety-case regime except in a very limited way:

*Safety cases are basically non-prescriptive and performance based - in the
same manner as for process safety management programs onshore. Instead of following detailed rules, the owner (duty holder) of the facility set his or her own standards. The duty-holder's performance is then assessed against that standard.*

*A safety case regime is an objective-based regime whereby legislation sets
broad safety objectives and the operator, who accepts direct responsibility for the ongoing management of safety, develops the most appropriate methods to achieve those objectives.*

*[Nancy: An example of a goal-based (performance-based) safety requirement
in aviation is that "The aircraft navigation system must be able to estimate its position to within a circle with a radius of 10 nautical miles with some specified probability." Another example comes from the international standard for new aircraft in-trail procedure (ITP) equipment "The likelihood that the ITP equipment provides undetected erroneous information about accuracy and integrity levels of own data shall be less than 1E-3 per flight hour" [RTCA, 2008]. While some safety requirements (like these examples) in the aviation industry are starting to be stated as goal-based, it is a rather recent phenomenon. The majority of certification in aviation is prescriptive. One big problem, of course, is how to prove that the probabilities will be satisfied, i.e., that the goal will be achieved.]*

*A definition by UK Defence Standard 00-56 Issue 4 states:[1]
<> ... an evidence-based approach [that] can be contrasted with a prescriptive approach to safety certification, which require safety to be justified using a prescribed process. Such standards typically do not explicitly require an explicit argument for safety and instead rest on the assumption that following the prescribed process will generate the required evidence for safety. Many UK standards are non-prescriptive and call for an argument-based approach to justify safety, hence why a safety case is required.*

*The Offshore Installations (Safety Case) Regulations 2005 aims to reduce
the risks from major accident hazards to the health and safety of the workforce employed on offshore installations, and in connected activities. The regulations implement the main recommendations of Lord Cullen's Report of the Public Inquiry into the Piper Alpha Disaster.*

 *Australia Offshore Petroleum and Greenhouse Gas Storage (Safety) Regulations:*

*Objective based (or goal setting) regimes, including the safety case
regime, are based on the principle that the legislation sets the broad safety goals to be attained and the operator of the facility develops the most appropriate methods of achieving those goals. A basic tenet is the premise that the ongoing management of safety is the responsibility of the operator and not the regulator.*

*Often used in environmental health and safety and the operation of a
facility, not the engineering development.*

*The important features of a safety case regime, are that it must have (1)
a risk/ hazard framework, (2) there must be workforce involvement, (3) you must be required to make the case to a regulator, (4) the regulator must be engaged, and (5) there must be a requirement of duty of care, he said.*

*First, the company that owns and operates a platform has "to assure
itself" that the facility is safe. At root, a safety case is developed for the facility personnel and company management - not for outside parties. A safety case is not fundamentally a regulatory tool - although it is often used by regulators. For example, operators of large and expensive deepwater facilities in the Gulf of Mexico (GoM) frequently develop analyses and reports which are very similar to safety cases. They do this - in spite of the lack of regulatory requirements - simply to assure themselves that they have identified the factors that could lead to the loss of their very expensive facilities. *

*A safety case regime is an objective-based regime whereby legislation sets
broad safety objectives and the operator, who accepts direct responsibility for the ongoing management of safety, develops the most appropriate methods to achieve those objectives.*

*[Nancy: Here is an example of a paper, actually just the abstract, by a
U.S. law professor that describes the controversy in the U.S. I can send her paper if you are interested although you should be able to find it on the web. I got pulled into this controversy because of my role in the Deepwater Horizon accident report and a DOE advisory committee I was on after the accident. Rena and I wrote a newspaper opinion piece about the safety case approach.]*

*Lessons from the North Sea January 6, 2011 Copyright 2010 by Rena Steinzor
**1 *

*By Rena Steinzor**

*ABSTRACT: The catastrophic oil spill in the Gulf of Mexico last spring and
summer has triggered a frantic search for more effective regulatory methods that would prevent such disasters. The new Bureau of Ocean Energy Management, Regulation, and Enforcement (BOEMRE) is under pressure to adopt the British "safety case" system, which requires the preparation of a facility-specific safety plan that is typically several hundred pages long. This regulatory scheme is described as a "goal oriented" approach that inculcates a "safety culture" within companies that operate offshore in the British portion of the North Sea because it overcomes a "box-ticking" mentality and constitutes "bottom up" implementation of safety measures. Safety cases are strictly confidential: only company officials, regulators and, in limited circumstances, worker representatives, are allowed to see the entire plan. This paper argues that the safety case approach should not come to America because this confidentiality and the risk levels tolerated by the British system conflict with the both the spirit and the letter of American law. *

*British regulations allow the plans to be no more protective than
preventing one in 1,000 worker deaths and require operators to spend no more than $1.5 million per life saved. These standards are far more lax than comparable American legal requirements. The use of quantitative risk assessment and cost benefit analysis within the plans means that they must be prepared by technical experts far removed from an oil rig, suggesting that safety cases are not "bottom up" vehicles for ensuring best operational practice. The U.S. now fields only 55-60 inspectors to cover 3,500 facilities in the Gulf. To be even minimally effective, a safety case regime would require increasing available overseers by orders of magnitude, a prospect that is unlikely given the political climate in Washington. Lastly, a British study of conditions in the North Sea suggest alarming neglect of the physical infrastructure that ensures safety, further undermining claims that the safety case system is as effective as its advocates claim. *

*This paper was presented at a symposium organized by the Boston College
Environmental Affairs Law Review and will be published in any upcoming issue of that publication. Comments should be addressed to rsteinzor_at_xxxxxx

The System Safety Mailing List
systemsafety_at_xxxxxx Received on Tue Feb 04 2014 - 00:27:24 CET

This archive was generated by hypermail 2.3.0 : Wed Feb 20 2019 - 01:17:06 CET