Process Safety
Prof. Nancy Leveson
Engineering Systems
Aeronautics and Astronautics
MIT
Think Again
Topics
Lessons from Texas City
New factors in process accidents
Safety as a control problem
Conclusions
Leadership
Safety requires passionate and effective leadership
Tone is set at the top of the organization
Not just sloganeering but real commitment
Setting priorities
Adequate resources assigned
A designated, high-ranking leader
Factors in Complacency
Discounting risk
Over-relying on redundancy
Unrealistic risk assessment
Ignoring low-probability, high-consequence events
Assuming risk decreases over time
Ignoring warning signs
Topics
Lessons from Texas City
New factors in process accidents
New technology
System accidents
New types of human error
Types of Accidents
Component Failure Accidents
Single or multiple component failures
Usually assume random failure
System Accidents
Arise in interactions among components
Related to interactive complexity and tight coupling
Exacerbated by introduction of computers and software
Topics
Lessons from Texas City
New factors in process accidents
Safety as a control problem
New approaches to hazard analysis
Design for safety
Risk analysis and management
Conclusions
STAMP (2)
Safety is an emergent property that arises when system components interact with each other within a larger environment
A set of safety constraints related to behavior of system components enforces that property
Accidents occur when interactions among system components violate those constraints
Goal of process (system) safety engineering is to identify the safety constraints and enforce them in the system design
STAMP (3)
Systems are not static
A socio-technical system is a dynamic process continually adapting to achieve its ends and to react to changes in itself and its environment
Systems and organizations migrate toward accidents (states of high risk) under cost and productivity pressures in an aggressive, competitive environment
Preventing accidents requires designing a control structure to enforce constraints on system behavior and adaptation that ensures safety
Example Control Structure
[Figure: control structure diagram; labels visible in the figure are "Feedback" and "Controlled Process"]
Resulting in
Uncontrolled disturbances
Unhandled process states
Inadvertently commanding system into a hazardous state
Unhandled or incorrectly handled system component failures
STPA (2)
STPA process
Starts with identifying system requirements and design constraints necessary to maintain safety.
Then STPA assists in
Top-down refinement into requirements and safety constraints on individual components.
Identifying scenarios in which safety constraints can be violated.
Using results to eliminate or control hazards in design, operations, etc.
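To make the control-structure view of accidents and the STPA steps above concrete, the following is an added, constructed Python example; it is not from the slides and not Prof. Leveson's or MIT's code. It assumes a simple vessel-level control loop (a controller that opens a feed valve while it believes the level is below a setpoint, with a level sensor as the feedback path) and a single hazard, overfilling. The system-level constraint is refined into a constraint on the controller and one on the feedback path, and three constructed scenarios are run to find the ways the loop can command the process into the hazardous state: a stuck sensor (component failure), delayed feedback (unhandled process state), and an unsafe setpoint (inadvertently commanding a hazardous state). All numbers (levels, flows, setpoints) are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example (not from the slides): a vessel whose level is kept near a
# setpoint by a feed valve. The hazard is overfilling.
MAX_LEVEL = 100.0  # hazard boundary, constructed

# STPA step 1: system-level safety constraint derived from the hazard
SYSTEM_CONSTRAINT = "vessel level must never exceed MAX_LEVEL"

# STPA step 2: top-down refinement into constraints on individual components
COMPONENT_CONSTRAINTS = {
    "controller": "close the feed whenever the reported level reaches the setpoint; "
                  "the setpoint must lie below MAX_LEVEL",
    "feedback": "the level reading must reflect the actual level at every control step",
}


@dataclass
class Vessel:
    """Controlled process: level rises while the feed is open and drains steadily."""
    level: float = 50.0
    inflow: float = 10.0
    outflow: float = 5.0

    def step(self, feed_open: bool) -> None:
        inflow = self.inflow if feed_open else 0.0
        self.level = max(0.0, self.level + inflow - self.outflow)


@dataclass
class Sensor:
    """Feedback channel; stuck_at models a failed transmitter that keeps reporting one value."""
    stuck_at: Optional[float] = None

    def read(self, vessel: Vessel) -> float:
        return vessel.level if self.stuck_at is None else self.stuck_at


@dataclass
class Controller:
    """Acts on its own belief about the level, updated only when feedback arrives."""
    setpoint: float = 60.0
    believed_level: float = 50.0

    def decide(self, reading: Optional[float]) -> bool:
        if reading is not None:
            self.believed_level = reading
        return self.believed_level < self.setpoint  # True = open the feed


def run_scenario(steps: int = 40, sensor: Optional[Sensor] = None,
                 feedback_every: int = 1, setpoint: float = 60.0) -> dict:
    """STPA step 3: run one scenario and report whether the system constraint was
    violated and which component constraint the violation traces back to."""
    sensor = Sensor() if sensor is None else sensor
    vessel, controller = Vessel(), Controller(setpoint=setpoint)
    peak = vessel.level
    for t in range(steps):
        actual_before = vessel.level
        reading = sensor.read(vessel) if t % feedback_every == 0 else None
        vessel.step(controller.decide(reading))
        peak = max(peak, vessel.level)
        if vessel.level > MAX_LEVEL:
            # If the controller's belief matched reality when it commanded the unsafe
            # action, the control law itself is unsafe; otherwise the feedback path
            # (failed or delayed sensor) let it command the system into the hazard.
            violated = "controller" if controller.believed_level == actual_before else "feedback"
            return {"hazard_step": t, "peak_level": vessel.level, "violated": violated}
    return {"hazard_step": None, "peak_level": peak, "violated": None}


def scenarios() -> dict:
    """The scenario set a hazard analysis would walk through for this loop."""
    return {
        "nominal": run_scenario(),
        "stuck_sensor": run_scenario(sensor=Sensor(stuck_at=40.0)),  # component failure
        "delayed_feedback": run_scenario(feedback_every=12),          # unhandled process state
        "unsafe_setpoint": run_scenario(setpoint=120.0),              # inadvertent hazardous command
    }


if __name__ == "__main__":
    print(SYSTEM_CONSTRAINT)
    for name, result in scenarios().items():
        print(f"{name:17s} {result}")
```

The point the scenarios make is the one in the slides: no single component has to "fail" for the system constraint to be violated. In the unsafe-setpoint case every component works as built and the feedback is accurate, yet the loop commands the vessel past its limit, which is why the analysis has to be done on the control structure rather than on component failure rates alone.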
Comparisons (2)
Concrete model (not just in head)
Not physical structure (HAZOP) but control (functional) structure
General model of inadequate control (based on control theory)
HAZOP guidewords based on model of accidents being caused by deviations in system variables
Includes HAZOP model but more general
[Figure: two plots (1 and 2) of Risk Units and Incidents against Time (Month), from 100 to 1000 months, annotated with Schedule Pressure (Low to High) and Safety Priority]
Conclusions
Future needs for safety in the process industry:
Differentiation between process safety and personal (occupational) safety
Improved safety culture management
New approaches to handle
Advanced technology (particularly digital technology)
System accidents and complexity
New types of human error