Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Aerospace Engineering

CAST Analysis 1

advertisement 
CAST Analysis
1
© 2013 John Thomas and Nancy Leveson. All rights reserved.
CAST Process
•
•
•
•
•
•
Identify the Accident (Loss)
Identify the Hazards
Identify the Safety Constraints
Identify the Proximal Events
Draw the Safety Control Structure
Analyze each component
2
© 2013 John Thomas and Nancy Leveson. All rights reserved.
CAST Process
•
•
•
•
•
•
Identify the Accident (Loss)
Identify the Hazards
Identify the Safety Constraints
Identify the Proximal Events
Draw the Safety Control Structure
Analyze each component
3
© 2013 John Thomas and Nancy Leveson. All rights reserved.
CAST Process
•
•
•
•
•
•
Identify the Accident (Loss)
Identify the Hazards
Identify the Safety Constraints
Identify the Proximal Events
Draw the Safety Control Structure
Analyze each component
4
© 2013 John Thomas and Nancy Leveson. All rights reserved.
Basic Control Loop
Controller
Process
Model
Control
Actions
Feedback
Controlled Process
5
© 2013 John Thomas and Nancy Leveson. All rights reserved.
Safety Control Structure
ESW p354
From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to
Safety. MIT Press, © Massachusetts Institute of Technology. Used with permission.
© 2013 John Thomas and Nancy Leveson. All rights reserved.
6
From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to
Safety. MIT Press, © Massachusetts Institute of Technology. Used with permission.
ESW p206: U.S. pharmaceutical safety control structure
© 2013 John Thomas and Nancy Leveson. All rights reserved.
7
Example High-level control structure
Congress
Directives, funding
Reports
FAA
Regulations, procedures
Reports
ATC
Instructions
Acknowledgement, requests
Pilots
Execute maneuvers
Aircraft status, position, etc
Aircraft
8
© 2013 John Thomas and Nancy Leveson. All rights reserved.
Air Traffic Control (ATC)
ATC Front Line Manager (FLM)
Instructions
Status
Updates
Instructions
ATC Ground
Controller
Company
Dispatch
Instructions
Status
Updates
Status
Updates
Instructions
Instructions
Query
Status
Status
Updates
Other Ground
Controllers
Updates and
acknowledgements
ATC Radio
Pilots
Execute
maneuvers
Pilots
Execute
maneuvers
Aircraft
Pilots
Execute
maneuvers
Aircraft
Pilots
Execute
maneuvers
Aircraft
Aircraft
ACARS Text Messages
© 2013 John Thomas and Nancy Leveson. All rights reserved.
9
From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to
Safety. MIT Press, © Massachusetts Institute of Technology. Used with permission.
ESW p216: Ballistic Missile Defense System
© 2013 John Thomas and Nancy Leveson. All rights reserved.
10
CAST Process
•
•
•
•
•
•
Identify the Accident (Loss)
Identify the Hazards
Identify the Safety Constraints
Identify the Proximal Events
Draw the Safety Control Structure
Analyze each component
– Physical System
– Controllers
11
© 2013 John Thomas and Nancy Leveson. All rights reserved.
Analyze physical system
• Responsibilities (safety constraints)
– ?
• Emergency and Safety Equipment
(controls)
– ?
• Failures and inadequate controls
– ?
• Contextual Factors
– ?
Physical
System
From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to
Safety. MIT Press, © Massachusetts Institute of Technology. Used with permission.
© 2013 John Thomas and Nancy Leveson. All rights reserved.
12
Analyze physical system
• Responsibilities (safety constraints)
– Prevent runaway reactions
– Prevent inadvertent release of toxic chemicals or explosion
– Convert released chemicals into a nonhazardous of less
hazardous form
– Provide indicators (alarms) of the existence of hazardous
conditions
• Emergency and Safety Equipment (controls)
–
–
–
–
–
Air monitors
Windsock
Pressure relief system
Process sensors, gauges and indicators
Spare tank
13
© 2013 John Thomas and Nancy Leveson. All rights reserved.
Analyze physical system (cont)
• Failures and Inadequate Controls
– Inadequate protection against water getting into tanks
– Inadequate monitoring of chemical process: Gauges were missing
or inoperable
– Inadequate emergency relief system (jammed, valves too small,
lines too small)
• Contextual Factors
– The plant was built in a remote location 30 years ago so it would
have a buffer area around it,
– but the city grew closer over the years
– Approximately 24 different chemical products are manufactured at
Oakbridge, most of which are toxic to humans and some very toxic
– At the time of the start of the accident proximal events, Unit 7 was
shut down and was not being used. It was restarted to provide extra
K34
– The plant already was operating at capacity before the decision to
increase production of K34
14
© 2013 John Thomas and Nancy Leveson. All rights reserved.
•
•
•
•
•
•
Operations Manager
Software systems
Maintenance Manager/Worker
Plant Manager
Corporate Management
Etc.
Controllers
Analyze controllers
From Leveson, Nancy (2012). Engineering a Safer World: Systems Thinking Applied to
Safety. MIT Press, © Massachusetts Institute of Technology. Used with permission.
© 2013 John Thomas and Nancy Leveson. All rights reserved.
15
Analyze Controller:
Operations Manager
• Safety-related responsibilities
– ?
• Unsafe Decisions and Control actions
– ?
• Process model flaws
– ?
• Context
– ?
16
© 2013 John Thomas and Nancy Leveson. All rights reserved.
Analyze Controller:
Operations Manager
• Safety-related responsibilities
– Develop operating procedures that adequately control hazards
– Provide operator training on plant hazards and safe operating
procedures. Audit to ensure training is effective
– Oversee operations to ensure that policies and procedures are
being followed
• Unsafe Decisions and Control actions
– Decides to take level gauge from tank 702 and put it on 701;
runs unit 7 without a level gauge on 702. Ignores concerns by
operators about operating a tank with no gauge
– Agrees to or makes changes without thoroughly analyzing
hazards involved
– Agrees to start unit 7 in ten days knowing he does not have the
personnel to do a thorough inspection and adequate startup
activities
17
© 2013 John Thomas and Nancy Leveson. All rights reserved.
Analyze Controller:
Operations Manager (cont)
• Process model flaws
– Thinks tank 702 is empty. Does not know that water was
found by maintenance in tank 701.
– Inaccurate assessment of likelihood of having to use Tank
702
– Like the others, most likely does not understand the
limitations of the design of the safety equipment
• Context
– Under same performance pressures as everyone else
– No organization responsible for safety analyses and risk
assessments
– Understaffed
18
© 2013 John Thomas and Nancy Leveson. All rights reserved.
A note about
Unsafe Control Actions vs. Hazards
• Hazards
– Generally should not name a specific component
– Should describe general behavior of the system (aircraft,
train, space vehicle, chemical plant, etc.)
• Unsafe Control Actions (UCAs)
– Describe behavior of a specific component (pilot, manager,
software automation, etc.)
– Cause system-level hazards
19
© 2013 John Thomas and Nancy Leveson. All rights reserved.
MIT OpenCourseWare
http://ocw.mit.edu
16.63J / ESD.03J System Safety
Fall 2012
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms.
Related documents
Nancy Leveson is Professor of Aeronautics and Astronautics and
Nancy Leveson is Professor of Aeronautics and Astronautics and
the three questions - Priceless Literacy
the three questions - Priceless Literacy
Copyright Nancy Leveson, Sept
Copyright Nancy Leveson, Sept
System Safety Engineering Nancy Leveson John Thomas
System Safety Engineering Nancy Leveson John Thomas
CAST Analysis Accidents and Hazards 1
CAST Analysis Accidents and Hazards 1
Title: Come To The Table: A Guide For Families To Restore... Interesting Conversations
Title: Come To The Table: A Guide For Families To Restore... Interesting Conversations
Copyright Nancy Leveson, Sept
Copyright Nancy Leveson, Sept
Download
advertisement