Capturing an Uncertain Future: The Functional Resonance Accident Model

Similar documents
Resilience Engineering: The changing nature of safety

How to be safe by looking at what goes right instead of what goes wrong

Hazard Identification

Safety Critical Systems

Safety models & accident models

Reliability Risk Management. August 2012 g Earl Shockley, Senior Director of Reliability Risk Management

Safety-critical systems: Basic definitions

The Safety Case. Structure of Safety Cases Safety Argument Notation

D-Case Modeling Guide for Target System

Reliability of Safety-Critical Systems Chapter 10. Common-Cause Failures - part 1

BASIC AIRCRAFT STRUCTURES

Understanding safety life cycles

Safety-Critical Systems

The Safety Case. The safety case

Go around manoeuvre How to make it safer? Capt. Bertrand de Courville

Using what we have. Sherman Eagles SoftwareCPR.

ADVISORY MATERIAL JOINT AMJ

Review and Assessment of Engineering Factors

Marine Risk Assessment

Safety Engineering - Hazard Identification Techniques - M. Jahoda

Transformer fault diagnosis using Dissolved Gas Analysis technology and Bayesian networks

FLIGHT TEST RISK ASSESSMENT THREE FLAGS METHOD

PI MODERN RELIABILITY TECHNIQUES OBJECTIVES. 5.1 Describe each of the following reliability assessment techniques by:

A systematic hazard analysis and management process for the concept design phase of an autonomous vessel.

Lecture 04 ( ) Hazard Analysis. Systeme hoher Qualität und Sicherheit Universität Bremen WS 2015/2016

Lesson: Pitch Trim. Materials / Equipment Publications o Flight Training Manual for Gliders (Holtz) Lesson 4.4 Using the Trim Control.

1309 Hazard Assessment Fundamentals

ENS-200 Energy saving trainer

Fail Operational Controls for an Independent Metering Valve

II.E. Airplane Flight Controls

Selecting Maintenance Tactics Section 4

CONTROL SOLUTIONS DESIGNED TO FIT RIGHT IN. Energy Control Technologies

Chapter 3: Aircraft Construction

(DD/MMM/YYYY): 10/01/2013 IP

Adaptability and Fault Tolerance

1.0 PURPOSE 2.0 REFERENCES

PROCEDURE. April 20, TOP dated 11/1/88

ITTC Recommended Procedures and Guidelines

Reliability of Safety-Critical Systems Chapter 3. Failures and Failure Analysis

Three Approaches to Safety Engineering. Civil Aviation Nuclear Power Defense

DEVELOPING YOUR PREVENTIVE MAINTENANCE PROGRAM

THE CANDU 9 DISTRffiUTED CONTROL SYSTEM DESIGN PROCESS

Software Reliability 1

Reliability engineering is the study of the causes, distribution and prediction of failure.

Hazard Operability Analysis

2600T Series Pressure Transmitters Plugged Impulse Line Detection Diagnostic. Pressure Measurement Engineered solutions for all applications

THE SAFE ZONE FOR PAIRED CLOSELY SPACED PARALLEL APPROACHES: IMPLICATIONS FOR PROCEDURES AND AUTOMATION

1 General. 1.1 Introduction

A study on the relation between safety analysis process and system engineering process of train control system

PC-21 A Damage Tolerant Aircraft. Paper presented at the ICAF 2009 Symposium by Lukas Schmid

SAFETY APPROACHES. The practical elimination approach of accident situations for water-cooled nuclear power reactors

THE UN-QUANTIFIED RISKS IN AIRCRAFT MAINTENANCE

AIRCRAFT PRIMARY CONTROLS A I R C R A F T G E N E R A L K N O W L E D G E

A study evaluating if targeted training for startle effect can improve pilot reactions in handling unexpected situations. DR. MICHAEL GILLEN, PH.D.

Gas Network Craftsperson

Name Phone Logo

DETERMINATION OF SAFETY REQUIREMENTS FOR SAFETY- RELATED PROTECTION AND CONTROL SYSTEMS - IEC 61508

C. Mokkapati 1 A PRACTICAL RISK AND SAFETY ASSESSMENT METHODOLOGY FOR SAFETY- CRITICAL SYSTEMS

Safety Manual VEGAVIB series 60

Distributed Control Systems

Reliability of Safety-Critical Systems Chapter 4. Testing and Maintenance

Basic STPA Tutorial. John Thomas

VIII.A. Straight and Level Flight

Performance Characterization of the ABI Cryocooler

LECTURE 3 MAINTENANCE DECISION MAKING STRATEGIES (RELIABILITY CENTERED MAINTENANCE)

(C) Anton Setzer 2003 (except for pictures) A2. Hazard Analysis

VIII.A. Straight and Level Flight

Calspan Loss-of-Control Studies Using In-flight Simulation. Lou Knotts, President November 20, 2012

Release: 1. UEPOPL002A Licence to operate a reciprocating steam engine

Functional safety. Functional safety of Programmable systems, devices & components: Requirements from global & national standards

FMEA- FA I L U R E M O D E & E F F E C T A N A LY S I S. PRESENTED BY: AJITH FRANCIS

Translation of 109 high speed trials. Spring Plane: 109 F with G wings W.Nr Original german text is included.

Performance Monitoring Examples Monitor, Analyze, Optimize

The benefits of the extended diagnostics feature. Compact, well-proven, and flexible

Safety Manual VEGAVIB series 60

PERFORMANCE MANEUVERS

Hydraulic (Subsea) Shuttle Valves

Introduction Definition of decision-making: the capacity of the player to execute an action following some conscious tactical or strategical choice.

KAYAKING REGISTRATION LEVELS AND ASSESSMENT REQUIREMENTS

V mca (and the conditions that affect it)

CHAP Summary 8 TER 155

SIL Safety Manual. ULTRAMAT 6 Gas Analyzer for the Determination of IR-Absorbing Gases. Supplement to instruction manual ULTRAMAT 6 and OXYMAT 6

Risk Management. Definitions. Principles of Risk Management. Types of Risk

1. Lean, Agile, and Scrum Values and Principles 1.1. describe Scrum s relationship to the Agile Manifesto.

PL estimation acc. to EN ISO

GREENDOT AVIATION LTD. UPRT. GreenDot Aviation Ltd. EASA SI.ATO &

Achieving Compliance in Hardware Fault Tolerance

RESOLUTION MSC.94(72) (adopted on 22 May 2000) PERFORMANCE STANDARDS FOR NIGHT VISION EQUIPMENT FOR HIGH-SPEED CRAFT (HSC)

VI.A-E. Basic Attitude Instrument Flight

USING HAZOP TO IDENTIFY AND MINIMISE HUMAN ERRORS IN OPERATING PROCESS PLANT

XVII Congreso de Confiabilidad

Advanced LOPA Topics

A quantitative software testing method for hardware and software integrated systems in safety critical applications

STRIP EDGE SHAPE CONTROL

From Bombe stops to Enigma keys

5 Function Indicator. Outside Air Temperature (C) Outside Air Temperature (F) Pressure Altitude Density Altitude Aircraft Voltage STD TEMP SL 15000

SIL explained. Understanding the use of valve actuators in SIL rated safety instrumented systems ACTUATION

RELIABILITY-CENTERED MAINTENANCE (RCM) EVALUATION IN THE INDUSTRY APPLICATION, CASE STUDY: FERTILIZER COMPANY, INDONESIA

Safety Manual. Process pressure transmitter IPT-1* 4 20 ma/hart. Process pressure transmitter IPT-1*

CAVING REGISTRATION LEVELS AND ASSESSMENT REQUIREMENTS

Transcription:

apturing an Uncertain Future: he Functional esonance Accident Model Erik Hollnagel ndustrial Safety hair ENSM ôle indyniques, Sophia Antipolis, France E-mail: erik.hollnagel@cindy.ensmp.fr

he future is uncertain isk assessment requires an adequate representation or model of the possible future events. Accident model / risk model he representation must be powerful enough to capture the functional complexity of the system being analysed. What may happen? How should we respond?

High workload Mechanics High workload Equipment Expertise Expertise rocedures Excessive end-play rocedures Grease Lubrication nterval approvals nterval approvals Allowable end-play FAA Aircraft design knowledge ontrolled stabilizer movement Aircraft edundant design Limited stabilizer movement Developments in accident models Sequential accident model Decomposable, simple linear robability of component failures Epidemiological accident model Decomposable, complex linear Likelihood of weakened defenses, combinations End-play checking Maintenance oversight Aircraft design ertification Limiting stabilizer movement Jackscrew up-down movement Horizontal stabilizer movement Aircraft pitch control Lubrication Jackscrew replacement Systemic accident model Non-decomposable, non-linear oincidences, links, resonance HEE HAS BEEN N SMLA DEVELMENS N SK MDELS!

What is the nature of accidents? he purpose of risk assessment is to identify in a systematic manner how unwanted outcomes can obtain (= severe accidents). raditional view: Accidents are due to failures or malfunctions of humans or machines. Example: Event ree isks can be represented by linear combinations of failures or malfunctions. Example: Fault ree raditional risk assessment is constrained by two assumptions. Events develop in a pre-defined sequence. he major source of risk is component malfunctions. Systemic view: Accidents are due to unexpected combinations of actions rather than action failures. Example: E. isks can be represented by non-linear combinations of performance variability. Example: FAM.

Nature of technical systems Many identical systems hey can be described bottom-up in terms of components and subsystems. Decomposition works for technical systems, because they have been designed. isks and failures can therefore be analysed relative to individual components and events. utput (effects) are proportional to input (causes) and predictable from knowledge of the components. echnical systems are linear.

isk assessment: sequential models Decomposable, simple linear Sequential accident model robability of component failures urpose: find the probability that something breaks, either at the component level or in simple, logical and fixed combinations. Human failure is treated at the component level. Decomposable, complex linear Epidemiological accident model Likelihood of weakened defenses, combinations Single failures combined with latent conditions, leading to degradation of barriers and defences.

Nature of socio-technical systems All systems unique Must be described topdown in terms of functions and objectives. Decomposition does not work for socio-technical systems, because they are emergent. isks and failures must therefore be described relative to functional wholes. omplex relations between input (causes) and output (effects) give rise to unexpected and disproportionate consequences. Socio-technical systems are non-linear.

isk assessment: Systemic model Nondecomposable non-linear Systemic accident model oincidences, links, resonance isk assessment goes beyond component failures to look at system dynamics and must consider issues of non-linear risk assessment. he emergence of failures from normal performance variability can be explained by the concept of functional resonance, derived from the theory of stochastic resonance.

Stochastic resonance Stochastic resonance Mixed signal + random noise Signal andom noise Detection threshold ime Detection threshold Stochastic resonance is the enhanced sensitivity of a device to a weak signal that occurs when random noise is added to the mix.

Functional resonance erformance variability For each function, the others constitute the environment. Every function has a normal weak, variability. Functional resonance is the detectable signal that emerges from the unintended interaction of the weak variability of many signals. ime he pooled variability of the environment may lead to resonance, hence to a noticeable signal

Normal behaviour is variable Human failures cannot be modelled as deviations from designed and required performance: - humans are not designed. - conditions of work are usually underspecified - humans are multifunctional, and can do many different things erformance variability is natural in socio-technical systems, and a valuable part of normal performance. he many small adjustments enable humans to cope with the complexity and uncertainty of work. he adjustments allow the system to achieve its functional goals more efficiently by sacrificing details that under normal conditions are unnecessary. Humans are adept at developing working methods that allow them to take shortcuts, thereby often saving valuable time.

Airprox As the analysis shows there is no root cause. Deeper investigation would most probably bring up further contributing factors. A set of working methods that have been developed over many years, suddenly turn out as insufficient for this specific combination of circumstances. ime - and environmental- constraints created a demand resource mismatch in the attempt to adapt to the developing situation. his also included coordination breakdowns and automation surprises (AS).

rinciple of bimodal functioning echnical components usually function until they fail. E.g., light bulbs or engines are designed to deliver a uniform performance until, for some reason, they fail. erformance norm Failure echnical systems work in the same way, but some failures may be intermittent (SW). erformance is bimodal: the system either works or doesn t. Humans and social systems are not bimodal. Normal performance is variable and this rather than failures or errors is why accidents happen. Since performance shortfalls are not a simple (additive or proportional) result of the variability, more powerful, non-linear models are needed. erformance norm

Functional resonance analysis 1 2 3 4 dentify essential system functions; characterise each function by six basic parameters. haracterise the (context dependent) potential variability using a checklist. Define functional resonance based on possible dependencies (couplings) among functions. dentify barriers for variability (damping factors) and specify required performance monitoring.

he MD-80 Airplane, horizontal stabilizer he stabilizer of the MD-83 has small pivoting wings and is mounted on the top of the vertical tail fin of the aircraft. he horizontal stabilizers help control the pitch of the plane s nose during flight. Stabilizer trim tabs located on the horizontal stabilizer help adjust the wing s air flow. he pilot trims the stabilizer via a wheel in the cockpit. Example prepared by ogier Woltjer, LU

Stabilizer Jackscrew Assembly NSB, 2003

FAM functional unit (module) ime available: his can be a constraint but can also be considered as a special kind of resource. ime ontrol hat which supervises or adjusts a function. an be plans, procedures, guidelines or other functions. hat which is used or transformed to produce the output. onstitutes the link to previous functions. nput Activity / function utput hat which is produced by function. onstitute links to subsequent functions. System conditions that must be fulfilled before a function can be carried out. recondition esource hat which is needed or consumed by function to process input (e.g., matter, energy, hardware, software, manpower).

Horizontal stabilizer movement

Aircraft design for redundancy

Design and maintenance certification

Jackscrew assembly maintenance

High workload Maintenance versight End-play checking rocedures nterval approvals nspections Mechanics Equipment Expertise High workload rocedures Maintenance oversight Lubrication nterval approvals nspections Grease Expertise

FAM modules synthesis Maintenance oversight FAA Aircraft design knowledge ertification Aircraft High workload Mechanics High workload Equipment End-play checking Expertise rocedures rocedures Excessive end-play nterval approvals nterval approvals Allowable end-play Jackscrew up-down movement Aircraft design ontrolled stabilizer movement edundant design Horizontal stabilizer movement Limiting stabilizer movement Failsafe limited stabilizer movement Lubrication Lubrication Aircraft pitch control Jackscrew replacement Expertise Grease

onclusions isk assessment must comprise a model of the system and its behaviour, which is as complex as the system itself. onventional risk assessment is based on linear models (e.g., event tree) and on calculating failure probabilities. Socio-technical systems are non-linear. isk is an emergent rather than a resultant phenomenon. isk assessment should address how irregularities can arise from performance variability, rather than on how individual functions fail. erformance variability reflects the nature of the work environment, including social and organisational factors. erformance variability is predictable for identified conditions. he principle of functional resonance can be used to identify possible combinations of performance variability which may lead to the occurrence of undesirable outcomes.

hank you for your attention

2024 © sportdocbox.com Privacy Policy | Terms of Service | Feedback