[SystemSafety] NYTimes: The Next Accident Awaits

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Mon Feb 3 16:49:19 CET 2014


I must say I am puzzled by this discussion.

A. To me, a safety case is some joined-up set of documents which purport to demonstrate that a
system taken as an entity is adequately safe (whatever that is taken to be) when it's operating, and
also when it's sitting around not operating (such as systems which involve radioactive and poisonous
substances).

B. The contrast is a regime in which Subsystem-X-supervisor Bill "signs off" that Subsystem X is, as
far as Bill is concerned, OK, and the system is rendered operational by a hierarchical series of
signatures, without necessarily any or much supporting documentation. That's the way things used to
be done (Windscale, Piper Alpha).

As far as I know, Lord Cullen popularised the term "safety case" for the situation described in A,
and contrasted it with the status quo, which was B, in his inquiries into major accidents.

So, for Nancy to praise aerospace certification as effective, and to denigrate safety cases as
ineffective seems to me almost like a contradiction in terms. The FAA and the various European
agencies are pioneers in requiring and collecting joined-up documentation that the bits all do what
they should do, and the collections of bits also do what you expect of the collection, and so on.

I presume it's not that simple; that Nancy means by "safety case" something more subtle and detailed
and constraining, and as far as I am concerned she is welcome, indeed encouraged, to reject subtle
and constraining regimes as much as it is appropriate to do so. But to reject safety cases in the
sense of A above as required by the FAA, EASA, IEC 61508, IEC 61511 and almost all the other
standards promulgated by the IEC would seem to me to be nuts.

Being too subtle about safety cases, that is, more subtle than A, I would suggest is
counterproductive. I am involved with two large industry segments that pay lip service to A but
which in fact promulgate regime B at every available opportunity: "we don't need <material such as
required by A> - we have our methods and our experience and we are good at what we do", except they
are bringing in new technology and there is no such history as they wish to claim. The big political
action here is still to try to prevail with "A, not B". Still. A quarter century after Piper Alpha
and Kings Cross.

PBL

Prof. Peter Bernard Ladkin, Faculty of Technology, University of Bielefeld, 33594 Bielefeld, Germany
Tel+msg +49 (0)521 880 7319  www.rvs.uni-bielefeld.de






More information about the systemsafety mailing list