[SystemSafety] Fwd: Measurement + Control

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Mon Dec 16 09:39:02 CET 2013


I lost the thread somewhat.

Let me first extend Nancy's statement of goal. Safety engineering is about designing, implementing,
operating, maintaining and decommissioning appropriately safe systems appropriately safely.

Operating and maintaining appropriately safe systems used to take vigilance as well as some depth of
understanding and experience. In many cases it still does. That's why we have driver's tests and
licences, and why driving is a privilege not a right and may be rescinded.

Operations. Commercial flights inbound to an airport were - still are - given the visual one-over
from the tower to make sure everything "looks right". Which usually has something to do with noting
that the gear is down. It has been a long time, I think, since a commercial flight landed at a tower
airport with gear up inadvertently (I am not speaking of gear malfunction). It used to be the case
that we could not "design in" gear-operating systems for final approach. Now we probably can,
although much is still up to trusting the operators (to follow procedure, including going around
when the warning systems trigger or the tower says so). Seems to have worked.

Maintenance. Anyone remember Air Transat's Azores glider a month before 9/11? Maintenance required
to change a fuel-supply joint some time before; maintenance staff couldn't find the precise
maintenance manual on-line (it was a Sunday and not everyone was available to fix IT glitches); took
a joint off the shelf for that engine type and installed it. Trouble is, it was the slightly wrong
joint for that serial number; it chafed through from vibration in about fifty hours of operation,
and led to the mid-Atlantic fuel leak. All the procedures were there; all the right documentation
and knowledge was there and written down; it just wasn't quite available at the right time and place.

Decommissioning. Sellafield is the world's largest toxic waste dump and still no one has any real
idea how to handle all that spent fuel from the last almost 60 years.

Safe operation, maintenance and decommissioning of many safety-critical systems still requires a lot
of hands and brains. A point about Buncefield and outsourcing is that, even under the circumstances
that your safety analysis is so complete that it specifies the precise operation of the safety
function of overfill protection under precise conditions, then in order to maintain the system you
still need people around (*) who know about and refer to that analysis, (**) who understand what it
entails, and (***) who realise that the new kit doesn't do what the old kit did the way the system
requires it. Otherwise a maintainer is maybe going to install the "newer, better" but still
"equivalent" kit, and an inspector/supervising engineer is going to sign off on it, without anyone
realising they have violated an essential constraint. As seems to have happened.

I won't rehearse the arguments that say that "outsourcing" any one of the operation, maintenance and
oversight functions leads to an increased chance that one to all of (*), (**) and (***) are not going
to be fulfilled. But I think that was the original point.

The same issue arises for any activity. I took Andrew's point to be that (*) and (**) suffer an
increased chance of not being fulfilled when the safety case or review is "outsourced".

I think the way to address these issues is to ensure explicitly that (*), (**) and (***) are
appropriately fulfilled for any of the activities involved in designing, implementing, maintaining
or decommissioning a safety-critical system. Quis custodiet ipsos custodes still applies.

I bet, though, that the "outsourcing" contract said something like that (the operator's insurance
company may well have insisted on it). Quis custodiet?

I think it cuts both ways. When you "outsource" review it is known as "independent safety review"
and thought to be a good thing. When you perform a HazOp for a process plant, the HazOp chair and
secretary are required to be from outside, that is, the leadership of the HazOp is "outsourced". And
if the owner of a process plant doesn't have any other plants, it surely makes some sense to
"outsource" maintenance and operations to an entity which maintains and operates many such plants
and which has the relevant experience.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de
