An Introduction to System Safety Engineering

by Leveson

ISBN: 9780262376754 | Copyright 2023


A comprehensive, up-to-date introduction to the foundations of classical safety engineering, with an emphasis on preparing for future challenges.

Systems today are orders of magnitude more complex than in the past, and their complexity is increasing exponentially. Preventing accidents and losses in such systems requires a holistic perspective that can accommodate unprecedented types of technology and design. This textbook teaches the foundations of classical safety engineering while incorporating the principles of systems thinking and systems theory. Beginning with the framing and lessons of her classic text, Safeware, Nancy Leveson builds on established knowledge and brings the field up to date, challenging old approaches and introducing new ones. This essential book provides the core information required to build safety-critical systems today and in the future, including coverage of the historical and legal frameworks in which the field operates as well as discussions of risk, ethics, and policy implications. 

• Presents cutting-edge concepts anticipating the safety challenges of the future alongside thorough treatment of historical practices and ideas
• Provides a comprehensive introduction to the foundations of safety engineering
• Covers accident analysis, hazard analysis, design for safety, human factors, management, and operations
• Incorporates extensive examples of real-world accidents and applications 
• Ideal for students new to safety engineering as well as professionals looking to keep pace with a rapidly changing field

Contents (pg. vii)
Preface (pg. xiii)
1. Historical and Industrial Perspectives on Safety Engineering (pg. 1)
1.1 Differences between Workplace Safety and Product/System Safety (pg. 2)
1.2 A Brief Legal View of the History of Safety (pg. 2)
1.3 A Technical View of the History of Safety (pg. 4)
1.4 Workplace Safety Today: An Engineer’s View (pg. 8)
1.5 Product/System Safety Today (pg. 10)
1.5.1 Commercial Aviation (pg. 12)
1.5.2 Nuclear Power (pg. 14)
1.5.3 The Chemical Industry (pg. 16)
1.5.4 Defense and “System Safety” (pg. 17)
1.5.5 SUBSAFE: The US Nuclear Submarine Safety Program (pg. 22)
1.5.6 Astronautics and Space (pg. 23)
1.5.7 Healthcare/Hospital Safety (pg. 23)
1.6 Summary (pg. 24)
Exercises (pg. 25)
2. Risk in Modern Society (pg. 27)
2.1 Changing Attitudes toward Risk (pg. 28)
2.2 Changing Risk Factors (pg. 30)
2.2.1 The Appearance of New Hazards (pg. 30)
2.2.2 Increasing Complexity (pg. 30)
2.2.3 Increasing Exposure (pg. 32)
2.2.4 Increasing Amounts of Energy (pg. 32)
2.2.5 Increasing Automation of Manual Operations (pg. 32)
2.2.6 Increasing Centralization and Scale (pg. 33)
2.2.7 Increasing Pace of Technological Change (pg. 34)
2.3 How Safe Is Safe Enough? (pg. 35)
2.3.1 Risk–Benefit Analysis and the Alternatives (pg. 36)
2.3.2 Trans-Scientific Questions (pg. 38)
Exercises (pg. 40)
3. Fundamental Concepts and Definitions (pg. 43)
3.1 Definitions of Safety and Risk (pg. 43)
3.2 Hazards and Hazard Analysis (pg. 45)
3.3 Defining Safety Requirements and Constraints (pg. 47)
3.4 Safety versus Reliability (pg. 49)
3.5 What Is a System? (pg. 51)
3.5.1 Assumptions Underlying the Concept of a System (pg. 52)
3.5.2 Sociotechnical Systems (pg. 54)
3.6 Defining Complexity (pg. 55)
3.7 Approaches to Dealing with Complexity (pg. 56)
3.7.1 Analytic Decomposition (pg. 56)
3.7.2 Statistics (pg. 59)
3.7.3 Systems Thinking and Systems Theory (pg. 59)
3.7.4 Systems Theory Fundamentals (pg. 61)
3.8 Summary (pg. 68)
Exercises (pg. 69)
4. Why Accidents Occur (pg. 73)
4.1 The Traditional Conception of Causality (pg. 73)
4.2 Subjectivity in Ascribing Causality (pg. 75)
4.3 Oversimplification in Determining Causality (pg. 76)
4.3.1 The Legal Approach to Causality (pg. 76)
4.3.2 Human Error as the Cause of Accidents (pg. 77)
4.3.3 Technical Failures as the Cause of Accidents (pg. 77)
4.3.4 Organizational Factors as the Cause of Accidents (pg. 78)
4.4 Multifactorial Explanations of Accidents (pg. 79)
4.5 Systemic Causes of Accidents (pg. 81)
4.5.1 Social Dynamics and Organizational Culture (pg. 82)
4.6 Summary (pg. 126)
Exercises (pg. 127)
5. The Role of Software in Safety (pg. 129)
5.1 The Use of Software in Systems Today (pg. 129)
5.2 Understanding the Problem (pg. 132)
5.3 Why Does Software Present Unique Difficulties? (pg. 134)
5.3.1 Software Myths (pg. 135)
5.3.2 Why Software Engineering Is Difficult (pg. 140)
5.3.3 The Reality We Face (pg. 145)
5.4 The Way Forward (pg. 145)
Exercises (pg. 146)
6. The Role of Humans in Safety (pg. 147)
6.1 Why Replace Humans with Machines? (pg. 148)
6.2 Do Human Operators Cause Most Accidents? (pg. 149)
6.3 The Need for Humans in Automated Systems (pg. 155)
6.4 Human Error as Human–Task Mismatch (pg. 157)
6.4.1 Skill-Based Behavior (pg. 158)
6.4.2 Rule-Based Behavior (pg. 159)
6.4.3 Knowledge-Based Behavior (pg. 159)
6.4.4 The Relationship between Experimentation and Error (pg. 160)
6.5 The Role of Mental Models in Safety (pg. 161)
6.6 What Is the Appropriate Role for Humans in Complex Systems? (pg. 163)
6.6.1 The Human as Monitor (pg. 164)
6.6.2 The Human as Backup (pg. 170)
6.6.3 The Human as Partner (pg. 173)
6.7 Conclusions (pg. 175)
Exercises (pg. 176)
7. Accident Causality Models (pg. 179)
7.1 Energy Models (pg. 180)
7.2 Linear Chain-of-Failure Events Models (pg. 181)
7.2.1 The Domino Model (pg. 184)
7.2.2 The Swiss Cheese Model (pg. 186)
7.2.3 The Functional Resonance Model (pg. 187)
7.2.4 Limitations of Linear Chain-of-Events Models (pg. 188)
7.3 Epidemiological Models (pg. 190)
7.4 More Sophisticated Models of Causality (pg. 191)
7.5 The STAMP Model of Causality (pg. 193)
7.6 Looking Ahead (pg. 199)
Exercises (pg. 199)
8. Accident Analysis and Learning from Events (pg. 201)
8.1 Why Are We Not Learning Enough from Accidents? (pg. 201)
8.1.1 Oversimplification and Root Cause Seduction (pg. 202)
8.1.2 Hindsight Bias (pg. 203)
8.1.3 Misunderstanding the Role of Humans in Accidents (pg. 205)
8.1.4 Focusing on Blame: Blame Is the Enemy of Safety (pg. 209)
8.2 Goals for Improved Accident Analysis (pg. 213)
8.3 Example: The Zeebrugge Ferry Accident (pg. 214)
8.4 Generating Recommendations (pg. 235)
8.5 Implementing Long-Term Learning (pg. 236)
8.6 The Cost of Thorough Accident Investigation (pg. 236)
8.7 Summary (pg. 237)
Exercises (pg. 237)
9. Hazard Analysis: Basic Concepts (pg. 241)
9.1 What Is Hazard Analysis? (pg. 241)
9.2 The Hazard Analysis Process (pg. 243)
9.2.1 The Overall Process (pg. 244)
9.2.2 Detailed Steps (pg. 245)
9.3 Types of System Models (pg. 253)
9.4 General Types of Analysis (pg. 253)
9.4.1 Forward and Backward Searches (pg. 254)
9.4.2 Top-Down and Bottom-Up Searches (pg. 255)
9.4.3 Combined Searches (pg. 256)
9.5 Who Should Do Hazard Analysis? (pg. 257)
9.6 Limitations and Criticisms of Hazard Analysis (pg. 257)
9.7 Analysis versus Assessment (pg. 259)
Exercises (pg. 260)
10. Hazard Analysis Techniques (pg. 261)
10.1 Energy Model Techniques: Hazard Indices (pg. 262)
10.2 Techniques Based on the Chain-of-Failure-Events Causality Model (pg. 263)
10.2.1 Failure Modes and Effects Criticality Analysis (pg. 263)
10.2.2 Fault Hazard Analysis (pg. 266)
10.2.3 Fault Tree Analysis (pg. 268)
10.2.4 Event Tree Analysis (pg. 277)
10.2.5 Combinations of Analysis Techniques (pg. 281)
10.2.6 Hazards and Operability Analysis (HAZOP) (pg. 284)
10.2.7 Miscellaneous Techniques (pg. 289)
10.3 STPA: A Technique Based on STAMP (pg. 292)
10.4 Task and Human Error Analysis Techniques (pg. 303)
10.4.1 Qualitative Techniques (pg. 303)
10.4.2 Quantitative Techniques (pg. 305)
10.5 Conclusions (pg. 311)
Exercises (pg. 312)
11. Design for Safety (pg. 315)
11.1 The Design Process (pg. 317)
11.1.1 Standards and Codes of Practice (pg. 317)
11.1.2 Design Guided by Hazard Analysis (pg. 318)
11.2 Types of Design Techniques and Precedence (pg. 320)
11.3 Hazard Elimination (pg. 323)
11.3.1 Substitution (pg. 323)
11.3.2 Simplification (pg. 325)
11.3.3 Decoupling (pg. 330)
11.3.4 Elimination of Specific Human Errors (pg. 331)
11.3.5 Reduction of Hazardous Materials or Conditions (pg. 332)
11.4 Hazard Occurrence Reduction (pg. 333)
11.4.1 Design for Controllability (pg. 334)
11.4.2 Barriers (pg. 335)
11.4.3 Monitoring (pg. 341)
11.4.4 Failure Minimization (pg. 343)
11.5 Hazard Control (pg. 350)
11.5.1 Limiting Exposure (pg. 351)
11.5.2 Isolation and Containment (pg. 351)
11.5.3 Protection Systems and Fail-Safe Design (pg. 352)
11.6 Damage Reduction (pg. 356)
11.7 Design Modification and Maintenance (pg. 357)
Exercises (pg. 357)
12. Human Factors in System Design (pg. 359)
12.1 Determining What Should Be Automated (pg. 360)
12.2 The Need for Wide Participation in Design Activities (pg. 361)
12.3 Safety versus Usability and Other Common Goals (pg. 362)
12.4 Reducing Safety-Critical Human Errors through System Design (pg. 363)
12.4.1 Safety in the Design of Operator Controls (pg. 366)
12.4.2 Designing Feedback for Safety (pg. 368)
12.4.3 Identifying and Designing the Activities and Functions Provided by Humans (pg. 376)
12.4.4 Design of Displays for Safety (pg. 384)
12.5 Training and Maintaining Skills (pg. 393)
12.5.1 Teaching about Safety Features (pg. 393)
12.5.2 Training for Emergencies (pg. 394)
Exercises (pg. 395)
13. Assurance, Assessment, and Certification (pg. 397)
13.1 Assurance of Safety (pg. 397)
13.1.1 Limitations of Traditional Assurance Activities When Used for Safety (pg. 399)
13.2 Hazard and Risk Assessment (pg. 404)
13.2.1 Qualitative and Quantitative Hazard and Risk Assessment (pg. 405)
13.2.2 Limitations of Hazard and Risk Assessment (pg. 408)
13.2.3 Probabilistic Risk Analysis (pg. 412)
13.3 Certification (pg. 415)
13.3.1 Types of Certification Approaches (pg. 416)
13.3.2 National and Industry Practices in Certification (pg. 418)
13.3.3 Providing Evidence in Performance-Based Regulation and Safety Cases (pg. 421)
13.3.4 Designing a Certification Program (pg. 423)
13.4 Some General Conclusions (pg. 427)
Exercises (pg. 427)
14. Designing a Safety Management System (pg. 429)
14.1 Social Dynamics and Organizational Culture (pg. 431)
14.1.1 Modeling Desired Behavior (pg. 433)
14.1.2 Documenting Values and Policies (pg. 434)
14.2 Organizational Structure (pg. 435)
14.2.1 Assigning Responsibility, Authority, and Accountability (pg. 436)
14.3 Management of Safety-Critical System Development (pg. 443)
14.4 Management of Operational Processes and Practices (pg. 445)
14.4.1 Providing a Shared and Accurate Perception of Risk (pg. 447)
14.4.2 Feedback and Learning from Events (pg. 448)
14.4.3 Creating and Updating Operating Procedures (pg. 453)
14.4.4 Training and Contingency Management (pg. 454)
14.4.5 Managing Change (pg. 457)
14.4.6 Maintenance (pg. 460)
14.5 Creating an Effective Safety Information System (pg. 461)
14.6 Summary (pg. 465)
Exercises (pg. 469)
Epilogue: Looking Forward (pg. 471)
Appendix A. Medical Devices: The Therac-25 (pg. 473)
A.1 Background (pg. 473)
A.2 Events (pg. 478)
A.3 Some Causal Factors (pg. 495)
Appendix B. Space: The Challenger and Columbia Space Shuttle Losses (pg. 503)
B.1 Background (pg. 504)
B.2 Events (pg. 506)
B.3 Causal Factors in the Challenger and Columbia Losses (pg. 513)
Appendix C. Petrochemicals: Seveso, Flixborough, Bhopal, Texas City, and Deepwater Horizon (pg. 529)
C.1 Safety in the Chemical Process Industry (pg. 529)
C.2 Seveso (pg. 531)
C.2.1 Background (pg. 532)
C.2.2 Safety Features (pg. 533)
C.2.3 Events (pg. 533)
C.2.4 Some Causal Factors (pg. 536)
C.3 Flixborough (pg. 537)
C.3.1 Background (pg. 537)
C.3.2 Events (pg. 538)
C.3.3 Some Causal Factors (pg. 541)
C.4 Bhopal (pg. 544)
C.4.1 Background (pg. 544)
C.4.2 Safety Features (pg. 544)
C.4.3 Events (pg. 545)
C.4.4 Some Causal Factors (pg. 550)
C.5 The Texas City Refinery Explosion (pg. 552)
C.5.1 Background (pg. 553)
C.5.2 Safety Features (pg. 554)
C.5.3 Proximate Events (pg. 555)
C.5.4 Causal Factors (pg. 560)
C.6 Macondo/Deepwater Horizon (pg. 578)
C.6.1 Background (pg. 579)
C.6.2 Safety Features (pg. 580)
C.6.3 Proximate Events (pg. 585)
C.6.4 Causal Factors (pg. 590)
Appendix D. Nuclear Power: Three Mile Island, Chernobyl, and Fukushima Daiichi (pg. 609)
D.1 Background (pg. 609)
D.1.1 How a Nuclear Power Plant Works (pg. 609)
D.1.2 Safety Features (pg. 612)
D.2 Three Mile Island (pg. 615)
D.2.1 Background (pg. 615)
D.2.2 Events (pg. 618)
D.2.3 Some Systemic Causal Factors (pg. 624)
D.3 Chernobyl (pg. 633)
D.3.1 Background (pg. 633)
D.3.2 Events (pg. 635)
D.4 The Fukushima Daiichi Nuclear Power Plant Accident (pg. 640)
References (pg. 659)
Index (pg. 675)

Nancy G. Leveson

Nancy G. Leveson is Professor of Aeronautics and Astronautics and Engineering Systems at MIT and author of Engineering a Safer World: Systems Thinking Applied to Safety (MIT Press). A leader in the field of system safety engineering, she has worked in almost every industry to improve analysis, design, management, and operation of safety-critical systems.
