Question 1
With older electromechanical controls, the operator was typically located physically close to the process and therefore had direct sensory perception of its status (e.g., sound, vibration, light) (Leveson 2011). Under computerized and digitalized controls, the operator no longer has any sensory perception of the status other than what is viewed on the computer. This requires whoever designs the control system to determine what information is important to the controller, and to ensure that the information carried by the feedback loop from the process to what is reported on the screen is complete and accurate (Leveson 2011). Where it is not, the risk of an accident increases.
For example, in the Plains All American Pipeline spill in Santa Barbara County, California, the control room for the pipeline was located in Texas, while the pipeline itself ran through California. The operator was therefore at a disadvantage when the system failed to report a leak on the pipeline. According to an investigation by the U.S. Department of Transportation’s Pipeline and Hazardous Materials Safety Administration (PHMSA), the investigation “found that the system used to detect leaks did not alert control room staff to the release when it occurred. Also, the operator did not establish formal requirements for emergency shutdown and leak detection alarm training. PHMSA’s investigation found that a control room operator inhibited an alarm that could have assisted with the recognition of the rupture” (DOT 2016).
References
Leveson, N.G. (2011). Engineering a safer world: systems thinking applied to safety. Massachusetts Institute of Technology. The MIT Press, Cambridge, Massachusetts and London, England.
Question 2
Explain in detail the three basic constructs that underlie STAMP.
STAMP (Systems-Theoretic Accident Model and Processes) is an accident causality model designed to identify the causes of accidents and to help enforce behavioral safety constraints to prevent accidents from occurring (Leveson 2011). This is a paradigm shift from models that have previously been used to “determine the root cause” or to “prevent failures,” rather than enforce safety constraints (Leveson 2011).
STAMP was developed from the following three concepts:
Process models;
Safety constraints; and
Hierarchical control structures.
Process models are used as tools in STAMP to determine how the system works and, from that, how to control it. A process model describes “what” is being controlled, so that the operator (or automated controller) can control the process effectively (Leveson 2011). Specifically, these models contain the relevant variables involved in the process, the current state of those variables, and an indication of how the variables can change (Leveson 2011). In this way, the model can be monitored and adjusted as necessary. Process models also show the details of how components interact, enabling overall control at all levels of the process.
STAMP is used to determine which safety constraints are recommended and where in the process they belong, and, after an accident, which safety constraints were violated. The goal of applying safety constraints to a system is to “impose constraints on the behavior of, and interactions among, the components” of a system (Leveson 2011).
In systems theory, each level of a system is seen as controlling the level below it in a process (Leveson 2011). Hierarchical control structures are put into place to control the levels below in the process in order to enforce implementation of safety constraints. Adaptive feedback mechanisms are used to help guide this hierarchical control.
Accidents occur as a result of inadequate implementation or enforcement of safety-related constraints, either in the development, design, or operation of the system. STAMP is used to identify how this occurred.
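The following simulation is an added illustration, not from Leveson (2011) or the PHMSA report. It models the three constructs above on the pipeline case from Question 1: a controlled process (the pipeline), a feedback path (a leak detector whose alarm can be inhibited), a controller that acts only on its process model, and a safety constraint checked by a higher level of the control structure against the real state. All flow values, thresholds and class names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed values: flow in/out of the pipeline segment, in arbitrary units.
THRESHOLD = 5.0  # loss above this must trigger a shutdown (the safety constraint)


@dataclass
class Pipeline:
    """The controlled process: its true state, which the controller never sees directly."""
    flow_in: float = 100.0
    flow_out: float = 100.0

    def step(self, leak_rate: float = 0.0) -> None:
        self.flow_out = self.flow_in - leak_rate


@dataclass
class LeakDetector:
    """The feedback path: what reaches the control-room screen. An inhibited alarm
    silently removes the one signal the controller's process model depends on."""
    alarm_inhibited: bool = False

    def report(self, p: Pipeline) -> dict:
        loss = p.flow_in - p.flow_out
        alarm = loss > THRESHOLD and not self.alarm_inhibited
        return {"flow_in": p.flow_in, "flow_out": p.flow_out, "leak_alarm": alarm}


@dataclass
class Controller:
    """The operator's process model is whatever feedback last reported; decisions follow the model."""
    model: dict = field(default_factory=lambda: {"leak_alarm": False})
    actions: list = field(default_factory=list)

    def update(self, feedback: dict) -> str:
        self.model.update(feedback)
        action = "shutdown" if self.model["leak_alarm"] else "continue"
        self.actions.append(action)
        return action


def safety_constraint_violated(p: Pipeline, c: Controller) -> bool:
    """Higher-level check: compare the real process state with the controller's last action."""
    return (p.flow_in - p.flow_out) > THRESHOLD and c.actions[-1] != "shutdown"


def run(leak_rate: float, inhibited: bool, steps: int = 3) -> tuple:
    """Run the loop; returns (final controller action, whether the constraint was violated)."""
    p, d, c = Pipeline(), LeakDetector(alarm_inhibited=inhibited), Controller()
    action = "continue"
    for _ in range(steps):
        p.step(leak_rate)
        action = c.update(d.report(p))
    return action, safety_constraint_violated(p, c)
```

With the alarm inhibited, the controller's model and the real process diverge, and the constraint violation is visible only to the level that compares the two.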
References
Leveson, N.G. (2011). Engineering a safer world: systems thinking applied to safety. Massachusetts Institute of Technology. The MIT Press, Cambridge, Massachusetts and London, England.
Question 3
Consider that the analysis findings revealed that there were no explicit or written procedures regarding the control of helicopters with respect to AWACS operations. Describe and explain the reason for this flawed control.
In the friendly fire scenario analyzed using STAMP in Leveson (2011), the absence of explicit or written procedures regarding the control of helicopters by AWACS operations appears to have left AWACS with “all of the responsibility, but none of the control or necessary information” to respond appropriately to the Black Hawk situation. Because AWACS was supposedly not responsible for helicopter operations in the TAOR, it was not adequately aware of, or prepared to deal with, the Black Hawk situation. Nevertheless, according to the ROE, AWACS was directly responsible in the decision-making process for whether or not to engage the helicopters, and was in fact a critical member of that chain of command. In this situation, two main sets of rules and two main chains of command were operating concurrently and were applicable to the same scenario (i.e., helicopter traffic in the TAOR). Conflicting hierarchical control structures high in the system hierarchy were therefore a definite contributing factor to this accident.
In addition to the conflicting control structures, the adaptive management feedback loop also failed in this scenario, because AWACS staff did not recognize that two sets of rules and two chains of command were operating under the same scenario. Under a properly functioning adaptive management process, AWACS should at a minimum have questioned the scenario that was unfolding. AWACS knew and heard that the F-15s intended to engage, yet did not adequately perform its role under the ROE to advise on and control the situation.
In order for adaptive management to work, lower levels in the system must be capable of identifying and distinguishing between all of the different messages that are being sent from higher levels, and either correct for discrepancies, or stop operating until clarification is received. In this respect, the burden of responsibility can almost be considered greater, or at least equivalent to, the responsibility of the higher levels of command.
References
Leveson, N.G. (2011). Engineering a safer world: systems thinking applied to safety. Massachusetts Institute of Technology. The MIT Press, Cambridge, Massachusetts and London, England.