Re: [SystemSafety] NYTimes: The Next Accident Awaits

From: RICQUE Bertrand (SAGEM DEFENSE SECURITE) < >
Date: Tue, 4 Feb 2014 09:51:59 +0100


Thank you for this clarification Nancy. This was not my understanding of the safety case regime.

I outlined the following sentence:
Safe operations are achieved by setting and achieving goals rather than by following prescriptive rules

IMHO it is wrong to oppose both. One needs both. If you want to drive safely you need to stick to prescriptive rules (stop at red lights) AND have the objective of reaching your goal safely (permanently look at other cars)…

Bertrand Ricque
Program Manager
Optronics and Defence Division
Sights Program
Mob : +33 6 87 47 84 64
Tel : +33 1 59 11 96 82
Bertrand.ricque_at_xxxxxx

From: systemsafety-bounces_at_xxxxxx
Sent: Tuesday, February 04, 2014 12:27 AM
Cc: systemsafety_at_xxxxxx
Subject: Re: [SystemSafety] NYTimes: The Next Accident Awaits

I said I would withdraw but I am so amazed by this discussion that I thought I would at least try to bring some facts into it. The communication problems here seem to devolve from misunderstandings about:

  1. The definition of a safety case. Many people here seem to be using "safety case" as simply a synonym for any evidence generated that involves safety. This is not the standard definition of a safety case.
  2. The definition of a "safety case regime." Note that I tried to use this phrase in my messages, but sometimes I forgot. But this is a regulatory approach that started in the UK after the Piper Alpha accident. It also is widely used in Australia. Not so much in the U.S. There was a lot of controversy about the safety case regime in the U.S. after Deepwater Horizon. Much of the discussion involved lawyers and environmentalists, not engineers. I have included an abstract that will give you the idea at the end of this message.
  3. Safety cases and safety case regulatory regimes are mostly used in health and safety of workers, not in engineering development (although it is occasionally used that way). Note below that the work force must be involved in the safety case according to the U.K. standards -- they are talking about operations safety.

Here are some quotes I pulled from the web. Everything in italics was not written by me. The bold-faced, non-italicized sentences were written by me. Most of the quotes below refer to U.K. standards and practices because the U.S. and most other countries do not use a safety-case regime except in a very limited way:

Safety cases are basically non-prescriptive and performance based - in the same manner as for process safety management programs onshore. Instead of following detailed rules, the owner (duty holder) of the facility sets his or her own standards. The duty-holder's performance is then assessed against that standard.

A safety case regime is an objective-based regime whereby legislation sets broad safety objectives and the operator, who accepts direct responsibility for the ongoing management of safety, develops the most appropriate methods to achieve those objectives.

[Nancy: An example of a goal-based (performance-based) safety requirement in aviation is that "The aircraft navigation system must be able to estimate its position to within a circle with a radius of 10 nautical miles with some specified probability." Another example comes from the international standard for new aircraft in-trail procedure (ITP) equipment “The likelihood that the ITP equipment provides undetected erroneous information about accuracy and integrity levels of own data shall be less than 1E-3 per flight hour” [RTCA, 2008]. While some safety requirements (like these examples) in the aviation industry are starting to be stated as goal-based, it is a rather recent phenomenon. The majority of certification in aviation is prescriptive. One big problem, of course, is how to prove that the probabilities will be satisfied, i.e., that the goal will be achieved.]

A definition by UK Defence Standard 00-56 Issue 4 states: … an evidence-based approach [that] can be contrasted with a prescriptive approach to safety certification, which requires safety to be justified using a prescribed process. Such standards typically do not explicitly require an explicit argument for safety and instead rest on the assumption that following the prescribed process will generate the required evidence for safety. Many UK standards are non-prescriptive and call for an argument-based approach to justify safety, hence why a safety case is required.

The Offshore Installations (Safety Case) Regulations 2005 aims to reduce the risks from major accident hazards to the health and safety of the workforce employed on offshore installations, and in connected activities. The regulations implement the main recommendations of Lord Cullen's Report of the Public Inquiry into the Piper Alpha Disaster.

Australia Offshore Petroleum and Greenhouse Gas Storage (Safety) Regulations: Objective based (or goal setting) regimes, including the safety case regime, are based on the principle that the legislation sets the broad safety goals to be attained and the operator of the facility develops the most appropriate methods of achieving those goals. A basic tenet is the premise that the ongoing management of safety is the responsibility of the operator and not the regulator.

Often used in environmental health and safety and the operation of a facility, not the engineering development.

The important features of a safety case regime are that it must have (1) a risk/hazard framework, (2) there must be workforce involvement, (3) you must be required to make the case to a regulator, (4) the regulator must be engaged, and (5) there must be a requirement of duty of care, he said.

A safety case is built upon the following three principles.

  1. Those who create risks are responsible for controlling those risks.
  2. Safe operations are achieved by setting and achieving goals rather than by following prescriptive rules.
  3. All risks must be reduced such that they are below a threshold of acceptability.

First, the company that owns and operates a platform has "to assure itself" that the facility is safe. At root, a safety case is developed for the facility personnel and company management - not for outside parties. A safety case is not fundamentally a regulatory tool - although it is often used by regulators. For example, operators of large and expensive deepwater facilities in the Gulf of Mexico (GoM) frequently develop analyses and reports which are very similar to safety cases. They do this - in spite of the lack of regulatory requirements - simply to assure themselves that they have identified the factors that could lead to the loss of their very expensive facilities.

[Nancy: Here is an example of a paper, actually just the abstract, by a U.S. law professor that describes the controversy in the U.S. I can send her paper if you are interested although you should be able to find it on the web. I got pulled into this controversy because of my role in the Deepwater Horizon accident report and a DOE advisory committee I was on after the accident. Rena and I wrote a newspaper opinion piece about the safety case approach.]
Lessons from the North Sea: Should “Safety Cases” Come to America? By Rena Steinzor (January 6, 2011; copyright 2010 by Rena Steinzor)
ABSTRACT: The catastrophic oil spill in the Gulf of Mexico last spring and summer has triggered a frantic search for more effective regulatory methods that would prevent such disasters. The new Bureau of Ocean Energy Management, Regulation, and Enforcement (BOEMRE) is under pressure to adopt the British “safety case” system, which requires the preparation of a facility-specific safety plan that is typically several hundred pages long. This regulatory scheme is described as a “goal oriented” approach that inculcates a “safety culture” within companies that operate offshore in the British portion of the North Sea because it overcomes a “box-ticking” mentality and constitutes “bottom up” implementation of safety measures. Safety cases are strictly confidential: only company officials, regulators and, in limited circumstances, worker representatives, are allowed to see the entire plan. This paper argues that the safety case approach should not come to America because this confidentiality and the risk levels tolerated by the British system conflict with both the spirit and the letter of American law. British regulations allow the plans to be no more protective than preventing one in 1,000 worker deaths and require operators to spend no more than $1.5 million per life saved. These standards are far more lax than comparable American legal requirements. The use of quantitative risk assessment and cost benefit analysis within the plans means that they must be prepared by technical experts far removed from an oil rig, suggesting that safety cases are not “bottom up” vehicles for ensuring best operational practice. The U.S. now fields only 55-60 inspectors to cover 3,500 facilities in the Gulf. To be even minimally effective, a safety case regime would require increasing available overseers by orders of magnitude, a prospect that is unlikely given the political climate in Washington. Lastly, a British study of conditions in the North Sea suggests alarming neglect of the physical infrastructure that ensures safety, further undermining claims that the safety case system is as effective as its advocates claim.



The System Safety Mailing List
systemsafety_at_xxxxxx Received on Tue Feb 04 2014 - 09:52:15 CET