Abstract
Improvements in safety culture involve using various tools and taking a number of measures. Besides the development of techniques, there is also the aspect of management. On the management side, there are ways in which safety issues are to be handled, including the development of structures and motivating people to become part of the solution to safety problems. Tools for hazard analysis have also been improved over time, from the traditional methods to the modern alternative approaches. This essay discusses safety issues broadly in the context of management and tools. It begins with a list and explanation of the intent specification levels, together with a description of how each intent specification level is tied to specific components of the system. This is followed by a description of the benefits and limitations of employing traditional risk matrix techniques in hazard analysis, and a comparison between the approaches advanced by Leveson and the standard techniques. Next comes a discussion of the elements present in a typical Operations Safety Management Plan. Finally, there is a discussion of how blame and punishment are managed under Dekker’s model of Just Culture.
Question #1
List and explain the intent specifications levels, and describe how each specification is tied to specific components of the system.
The structure of an intent specification is based on the fundamental concept of hierarchy, which is derived from systems theory. In this hierarchical structure, complex systems are organized as a hierarchy of levels consistent with the levels in a typical organization. Each level in the hierarchy exerts constraints on the degrees of freedom of the components that appear below it. Intent specifications are structured along three dimensions: refinement, part-whole abstraction, and intent abstraction. Part-whole abstraction lies in the horizontal dimension, while refinement occurs within each level. Both allow users to shift their focus to more or less detailed views within each model or level. The vertical dimension, however, specifies the particular level of intent at which the problem to be solved is being considered. Each intent level holds information about the physical system components, functional system components, human operators/users, environment, and the requirements/results of verification and validation activities for that particular level (Leveson, 2011).
The vertical intent dimension is composed of seven levels, where each level represents a different model of the system from a different perspective and supports a different kind of reasoning about it. Both decomposition and refinement occur within each level of the specification rather than between levels. In addition to providing information about the what and the how, each level also provides information about the why (Leveson, 2011). The why explains the design rationale and the reasons behind each design decision, including the safety considerations.
Level 0 (the top level). This level represents the project management view and gives insight into the relationship between the plans and the project development status by using links to other parts of the intent specification. This level may also hold the safety plan, the project management plan, and status information, among other content. The top level assists system engineers as they reason about system-level goals, priorities, constraints, and tradeoffs.
Level 1: This is the customer’s view. It assists both system engineers and customers in reaching a consensus on what should be built, and later in agreeing on whether the task has been accomplished. The level includes hazard information, high-level requirements, system limitations, constraints, environmental assumptions, the definition of accidents, and goals. This level is tied to the environment (by assumptions and constraints), the operator (by responsibilities, requirements, and interface requirements), the system and components (by system goals, high-level requirements, design constraints, and limitations), and verification and validation (by the preliminary hazard analysis report).
Level 2: This is the system engineering view. It assists system engineers in recording and reasoning about the system in terms of system-level design and the physical principles upon which the system design is founded. This level is tied to the environment (by external interfaces), the operator (by task analysis, task allocation, controls, and displays), the system and components (by logic principles, control laws, functional decomposition, and allocation), and verification and validation (by the validation plan and results, and the system hazard analysis).
Level 3: This level specifies the system architecture. It also serves as an unambiguous interface connecting system engineers with contractors/component engineers. At this level, the system functions defined in the previous level (Level 2) are decomposed and allocated to components before being specified rigorously and completely. To specify and reason about the system’s logical design as a whole, and about the interactions among individual components, without being distracted by implementation details, black-box behavioral component models may be used. This level is tied to the environment (by environmental models), the operator (by operator task models and HCI models), the system and components (by black-box functional models and interface specifications), and verification and validation (by analysis plans and results, and the subsystem hazard analysis).
Level 4: Design representation. This level provides the information needed to reason about implementation aspects and individual component design. However, certain parts of Level 4 may not be required, especially when at least some portions of the physical design can be generated automatically from the models in Level 3. This level is tied to the operator (by HCI design), the system and components (by software and hardware design specifications), and verification and validation (by test plans and results).
Level 5: Physical representation. This level provides the information needed to reason about the physical implementation of the individual components. This level is tied to the operator (by GUI design and physical controls), the system and components (by software code and hardware assembly instructions), and verification and validation (by test plans and results).
Level 6: This is the operations level. It provides a view of the system’s operations and acts as a link between system operations and system development. This level helps in designing and performing system safety activities during system operation. It may contain the suggested or required audit procedures for operations, training materials, user manuals, error reports, maintenance requirements, historical usage information, and change requests, among others. This level is tied to the environment (by audit procedures), the operator (by operator manuals, maintenance, and training materials), the system and components (by error reports and change requests, among others), and verification and validation (by performance monitoring and audits).
References
Leveson, N.G. (2011). Engineering a Safer World: Systems Thinking Applied to Safety. Massachusetts: MIT Press.
Question #2
Describe the benefits and limitations of using traditional risk matrix designs for hazard analysis. Compare the benefits and limitations of the standard design against the alternative method presented by Leveson (2011).
There are both benefits and limitations to employing traditional risk matrix designs to analyze hazards. One of the traditional hazard analysis tools is the Systemic Occurrence Analysis Methodology (SOAM). Despite being an older method, SOAM is a very powerful communication device. However, the methodology is weak when employed to analyze emerging issues and nonlinear interactions. Traditional designs are useful in that they guide the investigator to consider the context in which the event occurred, the organizational factors involved, and the barriers that failed. The limitation, however, is that the methodology does not direct the investigator to the process that created those factors and failed barriers, nor does it help the investigator understand how the entire system can migrate outside the boundaries of safe operation. Traditional hazard analysis approaches also narrowly target the causes of hazards and the corresponding potential problems. They have no measures in place to correct the fundamental safety control structure. Failure to correct such underlying causes has been associated with inadequate or dysfunctional control actions, unenforced constraints, and increased inconsistencies (Leveson, 2011). Most traditional analysis tools only go as far as answering what happened and ignore why it happened. These limitations have been overcome by the alternative approaches.
Unlike the traditional methodologies, the alternative methods advanced by Leveson (2011) are more powerful. For example, STAMP, unlike SOAM, directs the investigator deeper into the mechanisms of interaction between the components of the system and how the system adapts over time. STAMP has been used successfully to identify the controls and constraints that are critical to preventing undesirable interactions between system components. Further, the alternative approaches guide the investigator through a structured analysis of the upper levels of the system’s control structure, which also helps in identifying higher-level countermeasures. The alternative approaches also accommodate the migration from centralized systems controlled by humans to semi-automated, distributed decision-making. They are very important for preventing undesirable interactions between normally functioning system components and for understanding the changes that take place over time in increasingly complex systems. Another strength of the alternative approaches is that they help identify additional causal factors, especially those concerning the higher levels of the safety control structure (Leveson, 2011).
References
Leveson, N.G. (2011). Engineering a Safer World: Systems Thinking Applied to Safety. Massachusetts: MIT Press.
Question #1
Discuss the elements inherent within an Operations Safety Management Plan.
An Operations Safety Management Plan (OSMP) is used to guide the operational control of safety. The OSMP not only describes the objectives of the operations safety program but also how those objectives will be achieved. Further, the OSMP provides a baseline for evaluating compliance and progress. An OSMP need not be presented as a single document, but there ought to be a central reference indicating where the information is found. The plan should also contain review procedures, not only for the plan itself but also for how the plan will be updated and improved through a combination of feedback and experience. The elements inherent in an OSMP include general considerations, safety organization (safety control structure), procedures, schedule, safety information system, operations hazard analysis, and evaluation and feedback (Leveson, 2011). These elements are discussed below.
General considerations are one of the elements inherent in an OSMP, and comprise several features. These include the scope and objectives: an OSMP ought to state the scope and objectives of what the plan aims to achieve. The plan should also identify the applicable standards, which ought to be those that apply to the company or the respective industry. Further, the plan ought to specify the documentation and reports, that is, the reports and documentation for incidents and for the results of analyses. The OSMP also states how the plan is to be reviewed and the procedures for progress reporting (Leveson, 2011).
Safety organization, also known as the safety control structure, is an element present in a typical OSMP. The safety organization covers items such as personnel qualifications and their respective duties. Qualifications include both academic background and the training the personnel have undergone. Staffing and manpower cover the number of staff and the categories of manpower working in the organization. Within the safety structure, a communication plan must be put in place, indicating the means by which people communicate within the organization. Authority, responsibility, and accountability are another feature of the safety plan and should be specific to the type of organization, be it a functional organization or any other organizational structure. The plan must also contain information requirements, including the process model, feedback requirements, and how requirements are updated. Further, an OSMP contains subcontractor responsibilities and coordination mechanisms. Working groups are another feature of the OSMP that must be included under safety organization. Finally, safety system interfaces need to be part of the overall elements of the OSMP. The safety interfaces show the relationship with other related groups and tasks, including occupational safety, maintenance and test, and quality assurance, among others (Leveson, 2011).
Procedures to be followed are another element of a safety plan. Problem reporting describes how processes and follow-ups are executed. It also covers how accidents and incidents are investigated. Incident and accident investigation comprises tasks such as procedures, staffing, and follow-up. Staffing refers to the actual participants involved in the investigation. Follow-up involves tracing the risk and hazard analyses and the communication involved in accident and incident investigation. The testing and audit program is also part of the procedures and spells out various issues, including the procedures to be followed, scheduling, review and follow-up, metrics and trend analysis, and operational assumptions from both the risk and hazard analyses. The procedures of the safety plan also comprise emergency and contingency planning and procedures. Other items in the procedures of a safety plan include management of change procedures, training, decision making, and conflict resolution (Leveson, 2011).
The OSMP also contains a schedule. The schedule comprises critical checkpoints and milestones. Further, it includes start and completion dates for the various activities, reviews, and tasks. Finally, it should contain the method for reviewing procedures and the participants involved in the review process. The safety information system is another inherent element of the OSMP and comprises several items. These include the hazard and risk analyses, and the hazard logs. Hazard logs cover items such as reviews, controls, and feedback procedures. The safety information system also consists of lessons learned, the safety data library (this involves documentation and filing), record retention policies, and the hazard tracking and reporting system (Leveson, 2011).
Other critical contents of an OSMP include the operations hazard analysis. It must also include evaluation and the planned use of feedback. In the operations hazard analysis, some of the important items considered are the identified hazards and the mitigation for those hazards. Evaluation and the planned use of feedback are included to keep the plan up to date and to improve it over time (Leveson, 2011).
References
Leveson, N.G. (2011). Engineering a Safer World: Systems Thinking Applied to Safety. Massachusetts: MIT Press.
Question #2
Discuss the way that blame and punishment are handled in Dekker's just culture model.
Avoiding instances of blame and punishment is one of the hallmarks of creating a safety culture. It has been pointed out that one of the enemies of safety is blame (Leveson, 2011). Instead of focusing on what or who to blame, the focus should be on understanding how the behavior of the whole system led to the loss. Where blame and punishment are common, people have been found to avoid reporting problems and mistakes, making it impossible to improve the system. Dekker’s Just Culture is about avoiding both the unsafe cultural values and the professional conduct that have been reported in many accidents.
Dekker argued that creating a safety culture has more to do with how incident reporting is handled. This view is consistent with that of Malle, Guglielmo, and Monroe (2014), who pointed out that blame is a strong and potentially devastating intervention. Dekker believes that organizations benefit more by learning from mistakes than by punishing the people who make them. In his view, avoiding blame and punishment so that organizations can learn from mistakes is achieved by ensuring that reporting incidents and errors and suggesting changes are seen as normal, anticipated, and without harm to anyone involved. Further, mistakes or incidents ought not to be seen as failures. Instead, mistakes should be treated as free lessons that offer opportunities not only to focus attention but also to learn. The organization should not make people fearful. Instead, it should nurture a culture of safety by encouraging people to play an active role in change and improvement. Further, when people voluntarily offer information in good faith, that information should not be used against them, even if they are the ones who made the mistake. Blaming or punishing them will make them afraid to report incidents in future, which will make it hard for the organization to learn and make improvements. Dekker pointed out that people should be empowered so that they can affect their working conditions. Further, those who choose to report problems they encounter in the workplace ought to be made part of the change process. This promotes their willingness to carry out their responsibilities and therefore to share information about the safety problems they encounter. Another approach to minimizing blame and punishment is to see mistakes as symptoms of educational, organizational, political, and operational problems (Leveson, 2011). All components involved in the safety issue should be held equally accountable for the mistakes that happen.
References
Leveson, N.G. (2011). Engineering a Safer World: Systems Thinking Applied to Safety. Massachusetts: MIT Press.
Malle, B. F., Guglielmo, S., & Monroe, A. E. (2014). A theory of blame. Psychological Inquiry, 25(2), 147-186.