MTU Cork Library Catalogue

Engineering a safer world : systems thinking applied to safety / Nancy G. Leveson.

By: Leveson, Nancy [author].
Material type: Book
Series: Engineering systems
Publisher: Cambridge, MA ; London : MIT Press, 2017
Copyright date: ©2011
Description: xx, 534 pages : illustrations, tables ; 23 cm.
Content type: text
Media type: unmediated
Carrier type: volume
ISBN: 9780262533690 (paperback).
Subject(s): Industrial safety | System safety
DDC classification: 620.86
Contents:
I: Foundations -- Why do we need something different -- Questioning the foundations of traditional safety engineering -- Systems theory and its relationship to safety -- II: STAMP : an accident model based on systems theory -- A systems-theoretic view of causality -- A friendly fire accident -- III: Using STAMP -- Engineering and operating safer systems using STAMP -- Fundamentals -- STPA: a new hazard analysis technique -- Safety-guided design -- Integrating safety into system engineering -- Analyzing accidents and incidents (CAST) -- Controlling safety during operations -- Managing safety and the safety culture -- SUBSAFE: an example of a successful safety program.
Summary: Engineering has experienced a technological revolution, but the basic engineering techniques applied in safety and reliability engineering, created in a simpler, analog world, have changed very little over the years. In this groundbreaking book, Nancy Leveson proposes a new approach to safety--more suited to today's complex, sociotechnical, software-intensive world--based on modern systems thinking and systems theory. Revisiting and updating ideas pioneered by 1950s aerospace engineers in their System Safety concept, and testing her new model extensively on real-world examples, Leveson has created a new approach to safety that is more effective, less expensive, and easier to use than current techniques. Arguing that traditional models of causality are inadequate, Leveson presents a new, extended model of causation (Systems-Theoretic Accident Model and Processes, or STAMP), then shows how the new model can be used to create techniques for system safety engineering, including accident analysis, hazard analysis, system design, safety in operations, and management of safety-critical systems. She applies the new techniques to real-world events including the friendly-fire loss of a U.S. Blackhawk helicopter in the first Gulf War; the Vioxx recall; the U.S. Navy SUBSAFE program; and the bacterial contamination of a public water supply in a Canadian town. Leveson's approach is relevant even beyond safety engineering, offering techniques for "reengineering" any large sociotechnical system to improve safety and manage risk.
Holdings
Item type: General Lending
Current library: MTU Bishopstown Library, Lending
Call number: 620.86
Status: Available
Notes: I WISH Foundation Women's STEM Project
Barcode: 00218275
Total holds: 0

Enhanced descriptions from Syndetics:

A new approach to safety, based on systems thinking, that is more effective, less costly, and easier to use than current techniques.

Includes bibliographical references and index.

Print version record.

Knovel Library. ACADEMIC - General Engineering & Project Administration.

Table of contents provided by Syndetics

  • Series Foreword (p. xv)
  • Preface (p. xvii)
  • I Foundations (p. 1)
  • 1 Why Do We Need Something Different? (p. 3)
  • 2 Questioning the Foundations of Traditional Safety Engineering (p. 7)
  • 2.1 Confusing Safety with Reliability (p. 7)
  • 2.2 Modeling Accident Causation as Event Chains (p. 15)
  • 2.2.1 Direct Causality (p. 19)
  • 2.2.2 Subjectivity in Selecting Events (p. 20)
  • 2.2.3 Subjectivity in Selecting the Chaining Conditions (p. 22)
  • 2.2.4 Discounting Systemic Factors (p. 24)
  • 2.2.5 Including Systems Factors in Accident Models (p. 28)
  • 2.3 Limitations of Probabilistic Risk Assessment (p. 33)
  • 2.4 The Role of Operators in Accidents (p. 36)
  • 2.4.1 Do Operators Cause Most Accidents? (p. 37)
  • 2.4.2 Hindsight Bias (p. 38)
  • 2.4.3 The Impact of System Design on Human Error (p. 39)
  • 2.4.4 The Role of Mental Models (p. 41)
  • 2.4.5 An Alternative View of Human Error (p. 45)
  • 2.5 The Role of Software in Accidents (p. 47)
  • 2.6 Static versus Dynamic Views of Systems (p. 51)
  • 2.7 The Focus on Determining Blame (p. 53)
  • 2.8 Goals for a New Accident Model (p. 57)
  • 3 Systems Theory and Its Relationship to Safety (p. 61)
  • 3.1 An Introduction to Systems Theory (p. 61)
  • 3.2 Emergence and Hierarchy (p. 63)
  • 3.3 Communication and Control (p. 64)
  • 3.4 Using Systems Theory to Understand Accidents (p. 67)
  • 3.5 Systems Engineering and Safety (p. 69)
  • 3.6 Building Safety into the System Design (p. 70)
  • II STAMP: An Accident Model Based on Systems Theory (p. 73)
  • 4 A Systems-Theoretic View of Causality (p. 75)
  • 4.1 Safety Constraints (p. 76)
  • 4.2 The Hierarchical Safety Control Structure (p. 80)
  • 4.3 Process Models (p. 87)
  • 4.4 STAMP (p. 89)
  • 4.5 A General Classification of Accident Causes (p. 92)
  • 4.5.1 Controller Operation (p. 92)
  • 4.5.2 Actuators and Controlled Processes (p. 97)
  • 4.5.3 Coordination and Communication among Controllers and Decision Makers (p. 98)
  • 4.5.4 Context and Environment (p. 100)
  • 4.6 Applying the New Model (p. 100)
  • 5 A Friendly Fire Accident (p. 103)
  • 5.1 Background (p. 103)
  • 5.2 The Hierarchical Safety Control Structure to Prevent Friendly Fire Accidents (p. 105)
  • 5.3 The Accident Analysis Using STAMP (p. 119)
  • 5.3.1 Proximate Events (p. 119)
  • 5.3.2 Physical Process Failures and Dysfunctional Interactions (p. 123)
  • 5.3.3 The Controllers of the Aircraft and Weapons (p. 126)
  • 5.3.4 The ACE and Mission Director (p. 140)
  • 5.3.5 The AWACS Operators (p. 144)
  • 5.3.6 The Higher Levels of Control (p. 155)
  • 5.4 Conclusions from the Friendly Fire Example (p. 166)
  • III Using STAMP (p. 169)
  • 6 Engineering and Operating Safer Systems Using STAMP (p. 171)
  • 6.1 Why Are Safety Efforts Sometimes Not Cost-Effective? (p. 171)
  • 6.2 The Role of System Engineering in Safety (p. 176)
  • 6.3 A System Safety Engineering Process (p. 177)
  • 6.3.1 Management (p. 177)
  • 6.3.2 Engineering Development (p. 177)
  • 6.3.3 Operations (p. 179)
  • 7 Fundamentals (p. 181)
  • 7.1 Defining Accidents and Unacceptable Losses (p. 181)
  • 7.2 System Hazards (p. 184)
  • 7.2.1 Drawing the System Boundaries (p. 185)
  • 7.2.2 Identifying the High-Level System Hazards (p. 187)
  • 7.3 System Safety Requirements and Constraints (p. 191)
  • 7.4 The Safety Control Structure (p. 195)
  • 7.4.1 The Safety Control Structure for a Technical System (p. 195)
  • 7.4.2 Safety Control Structures in Social Systems (p. 198)
  • 8 STPA: A New Hazard Analysis Technique (p. 211)
  • 8.1 Goals for a New Hazard Analysis Technique (p. 211)
  • 8.2 The STPA Process (p. 212)
  • 8.3 Identifying Potentially Hazardous Control Actions (Step 1) (p. 217)
  • 8.4 Determining How Unsafe Control Actions Could Occur (Step 2) (p. 220)
  • 8.4.1 Identifying Causal Scenarios (p. 221)
  • 8.4.2 Considering the Degradation of Controls over Time (p. 226)
  • 8.5 Human Controllers (p. 227)
  • 8.6 Using STPA on Organizational Components of the Safety Control Structure (p. 231)
  • 8.6.1 Programmatic and Organizational Risk Analysis (p. 231)
  • 8.6.2 Gap Analysis (p. 232)
  • 8.6.3 Hazard Analysis to Identify Organizational and Programmatic Risks (p. 235)
  • 8.6.4 Use of the Analysis and Potential Extensions (p. 238)
  • 8.6.5 Comparisons with Traditional Programmatic Risk Analysis Techniques (p. 239)
  • 8.7 Reengineering a Sociotechnical System: Pharmaceutical Safety and the Vioxx Tragedy (p. 239)
  • 8.7.1 The Events Surrounding the Approval and Withdrawal of Vioxx (p. 240)
  • 8.7.2 Analysis of the Vioxx Case (p. 242)
  • 8.8 Comparison of STPA with Traditional Hazard Analysis Techniques (p. 248)
  • 8.9 Summary (p. 249)
  • 9 Safety-Guided Design (p. 251)
  • 9.1 The Safety-Guided Design Process (p. 251)
  • 9.2 An Example of Safety-Guided Design for an Industrial Robot (p. 252)
  • 9.3 Designing for Safety (p. 263)
  • 9.3.1 Controlled Process and Physical Component Design (p. 263)
  • 9.3.2 Functional Design of the Control Algorithm (p. 265)
  • 9.4 Special Considerations in Designing for Human Controllers (p. 273)
  • 9.4.1 Easy but Ineffective Approaches (p. 273)
  • 9.4.2 The Role of Humans in Control Systems (p. 275)
  • 9.4.3 Human Error Fundamentals (p. 278)
  • 9.4.4 Providing Control Options (p. 281)
  • 9.4.5 Matching Tasks to Human Characteristics (p. 283)
  • 9.4.6 Designing to Reduce Common Human Errors (p. 284)
  • 9.4.7 Support in Creating and Maintaining Accurate Process Models (p. 286)
  • 9.4.8 Providing Information and Feedback (p. 295)
  • 9.5 Summary (p. 306)
  • 10 Integrating Safety into System Engineering (p. 307)
  • 10.1 The Role of Specifications and the Safety Information System (p. 307)
  • 10.2 Intent Specifications (p. 309)
  • 10.3 An Integrated System and Safety Engineering Process (p. 314)
  • 10.3.1 Establishing the Goals for the System (p. 315)
  • 10.3.2 Defining Accidents (p. 317)
  • 10.3.3 Identifying the System Hazards (p. 317)
  • 10.3.4 Integrating Safety into Architecture Selection and System Trade Studies (p. 318)
  • 10.3.5 Documenting Environmental Assumptions (p. 327)
  • 10.3.6 System-Level Requirements Generation (p. 329)
  • 10.3.7 Identifying High-Level Design and Safety Constraints (p. 331)
  • 10.3.8 System Design and Analysis (p. 338)
  • 10.3.9 Documenting System Limitations (p. 345)
  • 10.3.10 System Certification, Maintenance, and Evolution (p. 347)
  • 11 Analyzing Accidents and Incidents (CAST) (p. 349)
  • 11.1 The General Process of Applying STAMP to Accident Analysis (p. 350)
  • 11.2 Creating the Proximal Event Chain (p. 352)
  • 11.3 Defining the System(s) and Hazards Involved in the Loss (p. 353)
  • 11.4 Documenting the Safety Control Structure (p. 356)
  • 11.5 Analyzing the Physical Process (p. 357)
  • 11.6 Analyzing the Higher Levels of the Safety Control Structure (p. 360)
  • 11.7 A Few Words about Hindsight Bias and Examples (p. 372)
  • 11.8 Coordination and Communication (p. 378)
  • 11.9 Dynamics and Migration to a High-Risk State (p. 382)
  • 11.10 Generating Recommendations from the CAST Analysis (p. 383)
  • 11.11 Experimental Comparisons of CAST with Traditional Accident Analysis (p. 388)
  • 11.12 Summary (p. 390)
  • 12 Controlling Safety during Operations (p. 391)
  • 12.1 Operations Based on STAMP (p. 392)
  • 12.2 Detecting Development Process Flaws during Operations (p. 394)
  • 12.3 Managing or Controlling Change (p. 396)
  • 12.3.1 Planned Changes (p. 397)
  • 12.3.2 Unplanned Changes (p. 398)
  • 12.4 Feedback Channels (p. 400)
  • 12.4.1 Audits and Performance Assessments (p. 401)
  • 12.4.2 Anomaly, Incident, and Accident Investigation (p. 403)
  • 12.4.3 Reporting Systems (p. 404)
  • 12.5 Using the Feedback (p. 409)
  • 12.6 Education and Training (p. 410)
  • 12.7 Creating an Operations Safety Management Plan (p. 412)
  • 12.8 Applying STAMP to Occupational Safety (p. 414)
  • 13 Managing Safety and the Safety Culture (p. 415)
  • 13.1 Why Should Managers Care about and Invest in Safety? (p. 415)
  • 13.2 General Requirements for Achieving Safety Goals (p. 420)
  • 13.2.1 Management Commitment and Leadership (p. 421)
  • 13.2.2 Corporate Safety Policy (p. 422)
  • 13.2.3 Communication and Risk Awareness (p. 423)
  • 13.2.4 Controls on System Migration toward Higher Risk (p. 425)
  • 13.2.5 Safety, Culture, and Blame (p. 426)
  • 13.2.6 Creating an Effective Safety Control Structure (p. 433)
  • 13.2.7 The Safety Information System (p. 440)
  • 13.2.8 Continual Improvement and Learning (p. 442)
  • 13.2.9 Education, Training, and Capability Development (p. 442)
  • 13.3 Final Thoughts (p. 443)
  • 14 SUBSAFE: An Example of a Successful Safety Program (p. 445)
  • 14.1 History (p. 445)
  • 14.2 SUBSAFE Goals and Requirements (p. 448)
  • 14.3 SUBSAFE Risk Management Fundamentals (p. 450)
  • 14.4 Separation of Powers (p. 451)
  • 14.5 Certification (p. 452)
  • 14.5.1 Initial Certification (p. 453)
  • 14.5.2 Maintaining Certification (p. 454)
  • 14.6 Audit Procedures and Approach (p. 455)
  • 14.7 Problem Reporting and Critiques (p. 458)
  • 14.8 Challenges (p. 458)
  • 14.9 Continual Training and Education (p. 459)
  • 14.10 Execution and Compliance over the Life of a Submarine (p. 459)
  • 14.11 Lessons to Be Learned from SUBSAFE (p. 460)
  • Epilogue (p. 463)
  • Appendixes (p. 465)
  • A Definitions (p. 467)
  • B The Loss of a Satellite (p. 469)
  • C A Bacterial Contamination of a Public Water Supply (p. 495)
  • D A Brief Introduction to System Dynamics Modeling (p. 517)
  • References (p. 521)
  • Index (p. 531)
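Chapter 8 in the table of contents above names the two STPA steps: enumerate each control action against the four categories of unsafe control action (UCA) in each system context, judge which candidates lead to a hazard, and derive safety constraints by inverting the hazardous ones. The following Python is an added illustration of that Step 1 procedure; it is not code from the book, from MIT Press, or from the catalogue. The four UCA categories are Leveson's; the gate controller, its control actions, contexts, hazards and the analyst's judgements are constructed for the example, and `run_example` is a hypothetical helper name.

```python
"""STPA Step 1 support: enumerate and check unsafe control action (UCA) candidates.

Added illustration of the Step 1 procedure that chapter 8 of the table of
contents names; not code from the book, MIT Press or the library. The four
UCA categories are Leveson's; the controller, actions, contexts, hazards and
analyst judgements below are constructed for this example (a hypothetical
robot-cell gate controller, in the spirit of the robot example in section 9.2).
"""
from dataclasses import dataclass
from itertools import product

# Leveson's four ways a control action can be unsafe (chapter 8, Step 1).
UCA_TYPES = (
    "not provided",
    "provided",
    "provided too early, too late, or out of order",
    "stopped too soon or applied too long",
)


@dataclass(frozen=True)
class UCA:
    controller: str
    action: str
    uca_type: str
    context: str

    def safety_constraint(self) -> str:
        """STPA derives a safety constraint by inverting the UCA into a
        requirement on the controller."""
        a, c, who = self.action, self.context, self.controller
        if self.uca_type == "not provided":
            return f"{who} must provide '{a}' when {c}"
        if self.uca_type == "provided":
            return f"{who} must not provide '{a}' when {c}"
        if self.uca_type.startswith("provided too early"):
            return f"{who} must provide '{a}' at the correct time and in order when {c}"
        return f"{who} must not stop '{a}' too soon or apply it too long when {c}"


def enumerate_candidates(controller, actions, contexts):
    """Step 1 cross product: every action x UCA type x context is a candidate
    the analyst must judge. The value of the step is in forcing that coverage."""
    return [UCA(controller, a, t, c) for a, t, c in product(actions, UCA_TYPES, contexts)]


def assess(candidates, judgements):
    """Keep the candidates the analyst linked to at least one hazard.
    `judgements` maps (action, uca_type, context) -> set of hazard ids."""
    linked = {}
    for uca in candidates:
        hazards = judgements.get((uca.action, uca.uca_type, uca.context), set())
        if hazards:
            linked[uca] = frozenset(hazards)
    return linked


def coverage_gaps(hazards, linked):
    """Hazards no UCA traces to: either this control structure cannot cause
    them (document why) or Step 1 is incomplete."""
    covered = set().union(*linked.values())
    return sorted(h for h in hazards if h not in covered)


# Constructed example system (hypothetical, not from the book).
CONTROLLER = "Gate controller"
ACTIONS = ("unlock gate", "enable robot motion")
CONTEXTS = ("robot moving", "gate unlocked", "operator inside cell")
HAZARDS = {
    "H1": "Operator inside cell while robot is moving",
    "H2": "Robot moves with gate unlocked",
    "H3": "Robot collides with fixture",
}
# The analyst's Step 1 judgements (constructed). Unjudged combinations are
# treated as not hazardous, which is exactly what a reviewer should challenge.
JUDGEMENTS = {
    ("unlock gate", "provided", "robot moving"): {"H2"},
    ("enable robot motion", "provided", "gate unlocked"): {"H2"},
    ("enable robot motion", "provided", "operator inside cell"): {"H1"},
    ("enable robot motion", "stopped too soon or applied too long", "operator inside cell"): {"H1"},
    ("unlock gate", "not provided", "robot moving"): set(),  # safe behaviour, not a hazard
}


def run_example():
    """Returns (number of candidates judged, derived constraints, untraced hazards)."""
    candidates = enumerate_candidates(CONTROLLER, ACTIONS, CONTEXTS)
    linked = assess(candidates, JUDGEMENTS)
    constraints = sorted(u.safety_constraint() for u in linked)
    return len(candidates), constraints, coverage_gaps(HAZARDS, linked)


if __name__ == "__main__":
    n, constraints, gaps = run_example()
    print(f"{n} candidates judged; {len(constraints)} safety constraints derived")
    for line in constraints:
        print(" -", line)
    print("Hazards with no traced UCA:", gaps)
```

The untraced hazard H3 is the point of the coverage check: in STPA a hazard that no UCA reaches means either the control structure under analysis cannot produce it, which must be recorded, or the candidate list was judged too quickly. Step 2 (section 8.4) then takes each surviving UCA and asks how a flawed process model, missing feedback or failed actuator could produce it; that part is analyst work and is not automated here.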

Reviews provided by Syndetics

CHOICE Review

Leveson (aeronautics/astronautics, MIT) states that she wrote this work for "the sophisticated practitioner," not researchers or laypersons. She says that her approach "can be applied to any complex, sociotechnical system such as health care and even finance." The author maintains that although most existing techniques were good for the "relatively simple electromechanical systems of the past, it is no longer true for the types of complex sociotechnical systems we are building today." One wonders what Leveson thinks about manned spacecraft and the Apollo lunar mission successes. The author also believes that blaming operators or pilots for accidents is very often incorrect. This reviewer does not accept this point of view; he believes that no matter how foolproof a system design, a "greater fool" will defeat it. The cockpit recordings from the plane of Air France's Flight 447 disaster in 2009 demonstrate this. The author emphasizes her "systems-theoretic accident model and processes" (STAMP) throughout the book, even though there is no entry for it in the index. She proposes a new approach to hazard analysis based on STAMP called "systems-theoretic process analysis" (STPA). She also describes an approach, "causal analysis based on STAMP," called CAST. A useful resource for the book's intended audience, sophisticated practitioners. Summing Up: Recommended. Professionals/practitioners. A. M. Strauss, Vanderbilt University

Author notes provided by Syndetics

Nancy G. Leveson is Professor of Aeronautics and Astronautics and Engineering Systems at MIT. An acknowledged leader in the field of safety engineering, she has worked to improve safety in nearly every industry over the past thirty years.