SAFETY AND THE DESIGN PROCESS

This dissertation has been approved by the supervisors Prof. Dr. A.R. Hale and Prof. Ir. J.L. de Kroes.

This publication has been sponsored by the Netherlands Institute for Fishery Investigations (RIVO) at IJmuiden.

Copyright © 1990 by J. Stoop. Printed by Universiteitsdrukkerij Technische Universiteit Delft. Layout: Bureau F3. ISBN 90-9003301-7. CIP data: Koninklijke Bibliotheek, Den Haag.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the written permission of the publisher.

CONTENTS

Chapter 1 INTRODUCTION

Chapter 2 A NEW APPROACH TO SAFETY PROBLEMS
1. Scientific attention
2. Systems approach
2.1 Relevant characteristics
2.2 Application
3. Interdisciplinarity
3.1 Man-machine interface
3.2 Need for education
4. Problem orientation
4.1 Problem definition
4.2 Implicit normative concepts
4.2.1 Human failure
4.2.2 Linkage to the question of blame

Chapter 3 TOWARDS A SCIENTIFIC APPROACH TO SAFETY PROBLEMS
1. Object of research
2. Structure of the process of approach to the problem
2.1 Verbal description of the process
2.1.1 The process of approach to the problem
A. Requirements
B. The steps in the process
2.1.2 Interdisciplinarity
2.1.2.1 In the analysis
2.1.2.2 In requirements to solutions
2.1.2.3 In the development of solutions
2.1.3 Problem orientation
2.1.3.1 In the problem analysis
2.1.3.2 In the generation of solutions
2.1.3.3 In the choice of subsolutions
2.1.3.4 In the development of solutions
2.2 The diagram
2.3 The structure model
2.4 Epilogue

Chapter 6 SAFETY AND THE DESIGN PROCESS
1. Summary
2. The role of safety in design
2.1 A historically based engineering approach
2.1.1 The material phase
2.1.2 The energy phase
2.1.3 The information phase
2.2 A safety integrated approach
3. Design methodology
3.1 A craftsmanship approach
3.2 Towards an engineering design process
4. Safety integrated design methodology
4.1 Process characteristics
4.2 Structure of the processes
4.3 Contents of the process
5. Towards a safety integrated beam trawler design
5.1 Safety analysis
5.2 Program of Requirements
5.3 Conceptual solutions; a Beamer 2000
5.4 Detailing; the goodness of solutions
5.5 Residual risks
6. Epilogue

REFERENCES

APPENDICES

SAMENVATTING (summary in Dutch)

SUMMARY

CURRICULUM VITAE

ACKNOWLEDGEMENTS

Chapter 1 INTRODUCTION

Compared to the damage and injuries sustained, Dutch society has not paid much attention to safety problems from the industrialization in the middle of the nineteenth century onwards. Scientifically speaking, safety was, until recently, not an independent object of research. A different perception of risk between stakeholders, the post hoc nature of the accident phenomenon and a high social acceptance of risk have until recently characterised the attention in society to safety in the home, work and transport. In addition to social attention, changes in these factors have cleared the way for a scientific attention to safety problems. This dissertation describes the resulting scientific attention, which will be worked out in detail in the following chapters. The objective of such a scientific approach is analysis, modelling and solution of problems and learning lessons from accidents. This objective is therefore disconnected from the question of blame: who is liable for the consequences. For the benefit of prevention, safety has to be included as an explicit constraint in the technical design process from the beginning, based on previous experiences, including accidents. Increased emancipation of risk bearers and a changing concept of man through the application of information technology have led to a renewed appreciation of the risk bearer. In this dissertation scientific attention is distinguished from social attention. As starting point the formulation of a scientific approach was chosen, as stated during the foundation symposium of the Safety Science Group in 1978 at the Delft University of Technology.
The methodology to develop a scientific approach is based on a systems approach and is characterised by an interdisciplinary problem orientation. The use of a systems approach makes it possible to consider the areas of home, work and transport in a similar way. These areas appear to be very different. However, they can all three be interpreted as sociotechnical systems. With the help of a systems approach a complex modelling on the level of sociotechnical systems comes within reach through the description of the characteristics of the system, distinguishing the life cycle and the dynamic character of systems. However, the systems approach in itself is not sufficient to produce a scientific approach, because normative aspects play a role and the dividing line between the methodologies of science and of design cannot be crossed without problems. Besides the systems approach the notions of interdisciplinarity and problem orientation are important. These focus on 'point of view' and 'method' in the approach. Interdisciplinarity makes possible an exchange between and direction of the several needs for knowledge; it structures the decision making process and clarifies the objectives to which this


- Recent developments in the methodology of engineering and design are described in the dissertation (chapter 6), to give a brief historical perspective as a starting point for a discussion about safety in the engineering design process. Safety, however, is only one aspect in the design process. A study of how it is incorporated into designs could benefit from comparing it with experience with other design aspects such as costs, quality, maintenance and reliability. A better understanding of the engineering design process in its several aspects may lead to generalizable knowledge and a better control of the engineering design process, particularly with respect to the predictability of the consequences and future use of designs.
- Rapid developments in the application of the systems approach and of information technology, particularly in the fields of CAD/CAM and transport and logistics, have led to a greater awareness of the importance of the total system life cycle. Optimization of management control in the use phase can only be achieved by developing better feed-forward prediction in the design phase to foresee the consequences of design choices and the way in which designs will be used. Such developments parallel the discussion in this dissertation about the way safety needs to be incorporated into the design, not only in relation to its technical components. Non-technical approaches and the role of non-technical disciplines each demand further studies in order to be able to incorporate safety explicitly, and in a goal directed and integrated way, in the overall problem approach.

In this dissertation a number of subjects are discussed only superficially, although they deserve a more thorough treatment in the future.
- The concept of scenarios is shown to be somewhat ambiguous. It can be defined in a number of different ways, dependent on the system level at which a scenario is applied, on the objective of the research project and on the disciplines involved (Gelderblom 1988). In this dissertation, therefore, scenarios are defined in a specific and limited context.
- The notion of causality has a long and problematic history in safety problem analysis and is fundamental both to the classic theories such as the accident proneness theory, domino theory, multicausal probability theory (Winsemius 1958) and the application of epidemiological concepts to safety problems (Gordon 1949, Haddon, Suchman & Klein 1964), and to modern concepts like systems theory and human failure. If the assumed causal relations are not made explicit in research they will influence the results and the recommendations resulting from this research in an unknown way and thereby limit its predictive potential.
- A more thorough historical analysis than is given here is also required of the social and scientific attention paid to safety at the level of social systems. Such research should include analysis of the background, objectives and values of the various stakeholders in order to understand the present and future needs for a scientific approach to safety problems.

to a number of research reports and papers in which the author participated and which may serve as more detailed references for specific aspects for the interested reader. Finally reference is made to a number of graduate student projects which formed part of the research and which supplied detailed material on a number of items. The dissertation focusses on the following subjects. The introductory chapter discusses the scope and limitations of the dissertation and indicates some lines which could be developed further. Chapter 2 discusses a number of factors in society which have encouraged the development of scientific attention to safety problems. It also sets out and explains the concepts 'systems approach', 'interdisciplinarity' and 'problem orientation'. Chapter 3 formulates an object of research for the scientific approach to safety and describes in detail the proposed process of approach to safety problems. In the process the concepts 'interdisciplinarity' and 'problem orientation' are placed in the context of the approach and the instruments of 'dimensions', use-scenarios, hazard patterns and solution matrix are defined. The structure of the process is pictured by the application of the systems approach and the relationship between the parts of the structure is given in a diagram. Chapter 4 is in press as an article for the journal Applied Ergonomics (Stoop 1989.1). It demonstrates the formulation of a problem model by the use of the 'dimensions' technique. Use-scenarios are applied to divide a problem into manageable sub-problems and to facilitate more specific designs. Research on power chain saws laid the basis for this use-scenario concept.
A study of the possibilities and restrictions in the modification of a pruning shear laid the basis for a description of the hazard pattern concept and for exploration of the relations between the safety problem solving process and the engineering design process. Consideration of design modification at the detailing level clarified the need for adequate residual risk strategies. The possibilities for safety redesign on the functional level in the engineering design process are demonstrated by the development of a power-take-off device which eliminates accidents and injuries with conventional power-take-off shafts. Chapter 5 is in press as an article for the Journal of Navigation (Stoop 1989.2). It is based on a study in the fishing industry. After structuring the problem area into sub-problems which are open to scientific research, mental load as a major cause of accidents with fishing vessels on the North Sea is selected for in-depth analysis. Such in-depth analysis proves to be necessary to describe in detail and to explain satisfactorily the accidents which have occurred. To structure the task on the bridge a Normative Task Analysis is performed. The GEMS model of Reason is applied to this task analysis as a predictor of human error. This application gives good results with respect to the explanation of accidents, seems to have promising predictive potential and allows the formulation


the derivation of design recommendations are described by Hale, Stoop and Hommels (1989). Initiatives for safety-integrated vessel design of beam trawlers for the coming decennium are described by Veenstra and Stoop (1990). The graduate student projects are to be found in the following references, respectively published by Bos (1988), Draijer et al (1988), Eijkelenboom (1985), Gelderblom (1988), Heinrich (1988), Herlé et al (1989), Hoefnagels (1986 and 1987), Van Belois (1987) and Van der Sloot (1987 and 1988).

With the formulation of its own object of scientific research and of a scientific method of approach to safety problems, it is possible to speculate that a new discipline might develop from this scientific attention. It is tempting to attach a name to this new twig on the tree of science. Giving a name creates an object for discussion. In Greek 'kindunos' means 'hazard'. The scientific study of hazards could therefore conceivably be called 'hazard science': kindunology.

Chapter 2 A NEW APPROACH TO SAFETY PROBLEMS

1. Scientific attention

A symposium in 1978 at the Delft University of Technology, entitled 'University Education and Research in Safety', argued for an integrated scientific attention to safety problems by means of an interdisciplinary problem orientation on the basis of a systems approach. How can one start to fill this description in further? The definition of the term 'safety' depends on one's scientific discipline and social point of view. Safety can be defined along legal, technical, medical and behavioral science lines and the 'right to safety' of risk bearers can be contrasted with the 'management strategy' of the decision makers. The different attempts to define the concept safety unambiguously have led to controversy and to an approach which is hardly workable. 'Safety' is poorly distinguished from protection against natural disasters, war and crime or from social security (De Kroes 1978). If one tries to sum up which disciplines should occupy themselves with safety, large individual differences in the list can be expected. Posing this question collectively results in an all but endless list of potentially involved disciplines and is not practicable either (Beck 1983). Indicating the relationship between the problem areas and the procedure for solving safety problems appears to offer a practical way out, but poses a number of essential questions: Can an object of research be formulated? Can a process of a scientific approach to safety problems be described, and how can the co-operation between disciplines and stakeholders be modelled (Derks 1977)? Do the references to an interdisciplinary problem orientation on the basis of a systems approach offer a way out, or are they only empty phrases?
We shall therefore pose the question: in what way can 'the systems approach', 'interdisciplinarity' and 'problem orientation' be defined as separate characteristics and fitted into a methodological approach? When considering the areas home, work and transport in their different concrete manifestations there seems at first sight to be little coherence and resemblance in the development in them of attention to safety. They are separate areas of attention, each with their own historical development, also in a scientific sense. The areas of attention are in different phases of development, technology plays its role in different ways, each has its own structure of safety management and regulation and the level of organization of the stakeholders differs. Looked upon at a higher level of abstraction, as part of society in a certain era, they have however been subject to background factors that have defined their course of development in interaction with each

fig. 1 Systems hierarchy by Boulding. Levels, from the most to the least complex: 9 transcendental systems; 8 social systems; 7 human beings (abstract thinking, self-awareness); 6 fauna (mobility, awareness of environment); 5 flora (blueprinted growth); 4 self-reliant cell; 3 cybernetic (thermostat); 2 dynamic (clockwork); 1 static (map). The figure marks the upper levels for which adequate scientific models of reality exist.

In order to describe safety problems in the context of social systems a number of characteristics of these systems have been identified:
- context; the system boundary within which a problem is defined and the interactions with the environment.
- culture; the collective concepts, perceptions, notions and manners of stakeholders within the system.
- structure; the sum of elements and relations, the different system levels at which this interrelation manifests itself.
- content; the different processes that take place within the defined system, both the deviations and/or disruptions and the 'normal' processes.

It is of importance for the problem approach to differentiate the levels at which the stakeholders concerned are involved in the problem. Three levels can be distinguished:
- the micro level, the individual human being as the risk bearer in his direct interaction with the technological system. This is the level of the workplace, the participant in traffic, the consumer. In terms of the


Each on its own level generates functional requirements and specifications and makes a weighing of possible conflicting interests necessary. The design, development and control of technological systems is pre-eminently a feed-forward process. The lack of evaluation and feedback loops from practical experiences to the design stage, related to theoretical insights and to other previous phases, causes a serious bottleneck when safety has to be taken into account in a preventive manner (Brown 1986, Stoop 1987.1, 1987.2, 1988.2). There is therefore a great need to make safety explicit and to incorporate it in feed-forward coupling from the design and development phases of systems onwards.

2.2 Application

Although the systems approach is widespread and often applied, a critical consideration of the limits of applicability of this type of modelling is necessary.
a. The practical development of models at higher system levels is still insufficient (Koornneef 1982). As a rule safety problems are to be found at the level of social systems. Up to now models have been adequately described up to the level of the cell. 'Adequately' here implies completeness and (qualitative) predictability. This gap in modelling capacity brings with it the risk of systematic disregard of important safety aspects at higher levels. Systems theory in a narrower sense does not do justice to state-space changes in the different variables. Modelling of the entire socio-technical system within which a problem is defined proves to be difficult in practice and is therefore usually not attempted.
People limit themselves to a simplified model in which the restrictions may or may not be explicitly formulated, or restrict themselves to an aspect of the system which seems to lend itself best to modelling. The systems approach has proved to be of especial importance for the technological component. The technological part of a system can often be modelled well, but the human factor poses more problems. This applies to man both as an element within existing or future designs and as controller of the system. Criticism can partly be removed by developing aids to better modelling. Making distinctions between system levels, characteristics, life cycle and couplings aims to make more adequate modelling possible.
b. Systems theory lacks operational models at higher system levels, and descriptions in terms of metamodels do not lead simply to insight and control, as far as can be seen up to now (Gill 1980). The problem of operationalizing insight into action is a fundamental problem that does not exclusively occur in tackling safety problems. Each problem approach that crosses the line between knowledge (science) and action (design) is confronted with this problem. The solution to this problem cannot be reached via the systems approach. It can only be found through the concept of interdisciplinarity which


Management and designers have developed an interest in the knowledge and thought processes of users. Risk bearers are no longer unquestioningly and wherever possible excluded from technological systems through elimination in the design phase or through selection in the use phase. The tasks of operators in automated production processes are essentially different from the tasks in craft and mechanised labour processes. People turn out to be better able to evaluate, recognise and intervene in emergencies than machines (Hale 1985). They have mental models of their control and monitoring tasks and of the production processes themselves that cannot be done without in the design and control phase. Therefore there is a growing interest in the knowledge and insights which operators possess and, more generally, in the control capacities of risk bearers (Van der Schaaf 1986, Suokas & Pyy 1988, Wilson 1989). It is no longer man the rule follower that is central, but man the actor (Hommels & Hale 1989). In the technical sciences there is a great need to design and control processes on a scientific basis, as those (new) technological processes become more complex. The idea that the risk bearer in these processes can be eliminated by means of mechanization or automation can no longer be sustained. There is a need for adequate models that lend themselves to implementation in the design and control processes.

3.2 Need for education

The sixties demonstrated a rapid development in the need for scientific attention to safety. Government and industry had an increased need to determine the acceptability of risks and acceptable risk levels. Social acceptability of technological consequences must increasingly be backed up by scientific argumentation.
In complex systems and production processes the need arises for strategies and methods for risk control. Social and political involvement of individual scientists in the needs of risk bearers and the growing need for scientific (counter-)expertise and support for the risk bearers' point of view led to the foundation of 'science shops' at universities in the seventies (Pennings & Weerdenburg 1987). Safety in working conditions, transport and consumer affairs received increasing attention in the academic world. Interdisciplinarity should be seen in the framework of a leap forward in the quality of functioning, in which the problem orientation of the disciplines involved is placed centrally to focus them on a practical problem (Leijdesdorff 1977). The focus on the practical problem is essential. A monodisciplinary orientation is replaced by a problem orientation, driven from the practical situation. Interdisciplinarity does not relate to a definable set of sciences that together form a new specialism, but refers to a guiding principle which aims to make all knowledge relevant to the problem and thereby to utilise


4. it concerns the introduction of research objectives into the process of problem solving which give expression to the involvement of the stakeholders in the decision making process.

4. Problem orientation

4.1 Problem definition

The notion 'problem' is not unambiguous, but can be interpreted in two ways. A problem can be defined as:
- an apparent difficulty in an existing system that requires a solution. This can be characterised as an a-posteriori, solution oriented point of view.
- a difficulty in existing or future systems predicted before it becomes tangible. This can be characterised as an a-priori, problem oriented point of view.

The approach to safety problems, as it developed up to the middle of the sixties, was directed at three separate areas: engineering, education and enforcement. Engineering is directed at designing and making technical provisions; education is directed at adaptation of the user to the training and behavioral requirements that are set by technology; enforcement is meant to punish those who nevertheless deviate in their behaviour. The enforcement is directed at deviations from desired behaviour and at human failure and is strongly normative in character. In these solution oriented approaches there is a strong tendency to design man out of the system. Elimination of man as an 'unpredictable machine' and as 'main cause' of accidents is seen as a lucrative approach because it increases safety and reliability. In the workplace the elimination of man also serves another important aim: the factor labour is an important cost factor. Mechanization and automation are inherent to the permanent striving of management to reach a reduction of costs and to control the production process. Therefore wherever possible workers are eliminated from the production process. If elimination is not possible, as in transport and consumer affairs, this approach relies upon the development of a supervisory and repressive apparatus (Quist 1981, Van Zwam 1978).
From this monodisciplinary approach there has been a shift towards the problem oriented approach, caused by a number of developments.

4.2 Implicit normative concepts

A solution oriented approach is particularly sensitive to misdirection from the incorporation of normative concepts which are not made explicit. The problem oriented approach forces these to be spelt out because the input from disciplines and stakeholders requires precision at the points where interaction takes place.


adequate design of tasks is as yet unanswered (Hale & Stoop 1988). Defining 'deviations' as undesired failures to comply with once-for-all defined norms does insufficient justice to the long term dynamics of a system. It is inherent in the existence of human beings, products and production processes that they continuously undergo changes in the course of time. Each system has a longer or shorter life cycle during which its normative rules also adapt. In order to function, it lays down a number of control strategies in the form of rules and structures. The continuous adaptation of these strategies to changes in the environment or in system objectives is a natural survival process. When a structure or set of rules is no longer suitable for the overall control strategy this structure must be adapted. There is a continuous and mutual adaptation between human beings and their surrounding reality (Venda 1989).

4.2.2 Linkage to the question of blame

Accidents manifest themselves at the micro-system level in concrete practice; they become visible during the execution of tasks and processes. The rules and procedures that have been laid down for carrying out those tasks and processes cannot be directly perceived, but they are nevertheless present. Human beings interact with their entire surroundings within its cultural, social and procedural framework and not just with a machine. The machine is only a material representation of that environment, in which many presuppositions, decisions, rules and procedures are contained. When posing the question of blame or liability for an accident, the machine is often seen as no more than a technical artefact which can therefore not bear responsibility, in contrast with a human being.
In addition, other stakeholders at the meso- and macro-system level have a number of regulating mechanisms at their disposal, as a result of which they can safeguard themselves against liability. In the case of an accident as a result of inadequate, inaccurate or impracticable instructions and procedures and shortcomings in design, the user lacks such mechanisms and is assigned the blame, although he cannot be expected to do anything about these constraints. The popular assertion that 80% of accidents are due to the victim's or operator's failure cannot be sustained:
- posing the question of liability solely at the level of the risk bearer exempts the other stakeholders from their liability. The role of all stakeholders, on the different system levels, is of importance.
- posing the question of guilt per se indicates a tendency to monocausal thinking. Safety problems are, however, always multicausal.

Up to now, in researching accidents, insufficient explicit distinction has been made between research into the question of guilt, who is responsible for the consequences, and research into the causes of accidents, what


registration and classification of accidents that is suitable for scientific analysis (Hale et al 1989, Stoop 1989.3). Accidents have to be selected for in-depth analysis on the basis of their superficial characteristics such as severity, nature or extent, when ideally the selection criteria should be the potential to learn lessons from them and to prevent repetition. Such in-depth analysis should then be performed by a team of experts and should be independent of research into the question of guilt. This method of research has for a long time been customary in aviation and is gaining wider recognition and practice in other fields of application. The concept of problem orientation relates to the prediction of problems in prospective or existing systems and the introduction of the aspect of safety into the life cycle of a system as a feed-forward constraint. The problem can thereby be defined in the context of a socio-technical system and refers to the integration of solutions within this dynamic system (Robinson 1982). The integration of solutions does not operate at the level of a procedural integration of disciplines by means of a formal method, but at the theoretical level via a conceptual framework. Such a theoretical integration is not a technical or procedural, but a normative problem on a cognitive level. Problem orientation demands a systematic reflection about normative questions that otherwise would remain unnoticed and might thereby result in unintended misdirection of the research (Koningsveld 1989).


Chapter 3 TOWARDS A SCIENTIFIC APPROACH TO SAFETY PROBLEMS

1. Object of research

With the establishment of the chair of General Safety Science in 1984 a consensus was reached on the formulation of its object of research:
a. the study of the interactions that threaten man and the environment in systems with technological components.
b. the development of assessment methods, criteria and norms, related to the acceptability of risks that emanate from the functioning of those systems.
c. operationalization and application of this knowledge and these insights in the design, construction, use (regulation) and organization of those systems and products, with a view to the protection of man and environment, also in the longer term.
Besides having its own object of research, is it possible to define a scientific approach for studying safety problems which is particular to those problems? Since safety science aims both at the study, the development and the operationalization of knowledge and applications, the development of a scientific approach to safety seems to come up against the problems inherent in the distinction between a methodology of science and a methodology of design. The methodology of science is problem-oriented and aims to produce generalizable knowledge. It aims at the understanding of reality by means of observation, measurement and the formulation and testing of theory. For this it makes use of mathematical notations, written language and deductive or inductive methods. The methodology of design is solution-oriented and aims at the realization and application of specific, practical solutions. It aims at the evaluation and adaptation of reality in the light of the material and mental needs of man. For this it makes use of modelling by means of drawings, diagrams, physical models and abductive methods (Archer 1979, Cross 1989).
The methodology of science and the methodology of design both describe the structure of reasoning and decision-making processes (Eekels 1973). The purpose of describing a methodology for both of these scientific pursuits is to differentiate them from non-scientific approaches to the problems. A scientific approach lays down in its methodology the structure of the approach to the problem and its relation with logical reasoning. Thereby this scientific reasoning and decision-making process distinguishes itself from the non-scientific process, which is based on tradition, authority and intuition, through its susceptibility to repetition, verification and objectivity. The structure of the scientific approach to safety problems can be represented in three forms. It can be represented through language, which verbalizes the structure, in a diagram, which pictures the relations between


discrete steps. This description is applicable to many problem areas and is not specific to safety problems. This description reflects the decision-making process within and between each of the steps. The decision-making process is structured by the fact that a conscious assessment of the subsequent steps is made after each specific step is taken. In this structuring process both the procedures for and the contents of the decision making are explicitly discussed. The process is iterative; it must be gone through several times, until a result is reached that is satisfactory to all stakeholders. The approach develops through these iterations from an overall descriptive phase to a more detailed explanatory phase with respect to the expected consequences and effects of the choices that are made in each of the steps.

B. The steps in the process

In the process of approach to the problem nine steps can be distinguished, derived from the basic cycle of problem solving (Hale 1985).
1. problem recognition and problem definition
2. problem analysis
3. requirements to solutions
4. setting priorities
5. inventory and generation of solutions
6. choice of solutions
7. development and implementation
8. evaluation
9. planning for contingencies
The process has some six principal decision points at which the choices are made with respect to the progress of the process. Feedback to the problem definition formulated at the beginning of the process takes place at these principal decision points.

1. Problem recognition and problem definition

Problem recognition. Recognition that there is a problem and what form that problem has, may happen in different ways which are dependent on the position of the different stakeholders.
It is not only affected by differences in perception between stakeholders, but also by the way in which the undesired result is defined, the cause is hypothesized and the desired solution is defined. Problem recognition is therefore subjective and subject to alteration through feedback. The recognition by all stakeholders that a problem experienced by one of them is so serious that a joint approach is called for, has often proved in practice to be a long and difficult process. Differences between stakeholders exist in their perceptions, their authority to make decisions, their 'ownership' of the problem, the problem


from or prevent these undesired states as 'deviations'. When a problem involves the monitoring of existing policies, or of trends in accidents over a period in order to make small adaptations, use can usually be made in the analysis of existing retrospective knowledge about deviations to be expected on the basis of past experience. These can be cast in the form of standard problem models. For new problems, especially when related to new technologies and energy forms, it is essential to have prospective techniques available, because predictions have to be made about foreseeable future functioning. These may have to be cast in the form of (partially) new problem models.
A mere description of a problem does not necessarily guarantee an effective approach to its solution. The detailed description of the problem within its wider context may give a picture of all the relevant elements and relations within the system - human, machine and environmental aspects - but it too often fails to give a sufficient picture of how all these factors interrelate dynamically to produce the process that leads to damage and injury (Oude Egberink et al 1988, Greyson & Hakkert 1987). Without a sufficient problem explanation the basis for intervention in the problem situation is lacking, because no decisive prediction can be made of the consequences and durability of the proposed solutions. In order to tackle this problem there is a need for in-depth and detailed analysis, for which the information is often lacking. This information is available as expert knowledge within one or more of the scientific disciplines, for instance in the field of human behaviour models, crack propagation, or (metal) fatigue.
The second principal decision point in the process of approach relates to the decision to call in this specialist knowledge to meet the objectives of the problem definition. When insufficient or insufficiently careful decision-making takes place here, the problem will be only partly solved and not to the satisfaction of all stakeholders. Supporting the problem analysis with scientific knowledge and arguments may greatly influence the further steps in the approach to the problem. The scientific discipline that furnishes an explanation which the stronger party considers 'desirable' can considerably influence the way in which the 'cause' of the problem is finally defined. It has been shown that scientific knowledge is not value-free and hence the possibility exists that scientific influence can be used to reformulate a socially defined problem in terms of existing power relations (Albury & Schwartz 1983).

3. Requirements to solutions

Requirements to solutions can be developed from different viewpoints, depending on who specifies them. From a management viewpoint requirements may be specified in terms of quality control, from a design viewpoint as functional requirements for a design, from a risk control viewpoint as requirements for acceptable exposure and from the standpoint


problems the application of available solutions from related problem areas offers a possibility, if necessary supported by a databank from which available solutions can be selected (Else 1986). Application of such solutions or solution principles demands a proper problem definition and insight into the functioning of the system. In addition it is possible to generate entirely new solutions for existing problems with the help of association techniques, brainstorming and expert opinions. For entirely new problems the generation of new solutions is necessary. It is important to distinguish between an a-priori and an a-posteriori problem. Both types of problems require the help of a databank that has been developed by means of feedback about known problems, but an a-priori problem will be approached from a different direction - what are the possible consequences of a design - than an a-posteriori problem - what are the causes of the perceived problem and what control strategies will produce the required change. During the process of generating and making an inventory of potential solutions it must be clarified which stakeholders are concerned by which solution strategies at which decision level. The 'solution matrix' is available to structure the inventory by relating the various system levels to intervention strategies. This matrix will be dealt with in detail when discussing the concept of problem orientation.

6. Choice of solutions

An essential feature of the scientific approach to safety problems is the search for solutions. This implies that there is a transition from analysis to solutions in the course of the approach to the problem.
This transition is a fundamental one which crosses the methodological divide between scientific (knowledge) and design (action) approaches. The fourth principal decision point in the process is in the choice of solutions. A number of factors should be taken into account here. In practice there will be no monocausal and deterministic relation between causes and effects. Choices of solutions should therefore take into account a certain degree of uncertainty and multiple causes. A number of other issues arise at this stage:
- because in the course of studying complex problems a subdivision into subproblems will have taken place, solutions will have to be allocated to subproblems and some subproblems will remain unresolved.
- in a social, dynamic system change will lead to a response from other system elements that may influence the effectiveness of the solution. Such an effect is seen for instance in risk compensation (Wilde 1982).
- the modelling that has taken place is always a reduction of reality. Intervention planned on the basis of that model is then applied in that reality and hence may lead to unexpected relations and feedback and may generate new problems, especially when that intervention takes place in a complex system.


[fig. 3: The process of approach to the problem. Labels in the figure: principal decision points 1, 2, 3; steps recognition, definition, analysis, requirements (Analysis); inventory and generation (Synthesis); development and implementation; planning for contingencies (Evaluation).]


discipline. The decision making among those who are involved in the phase of problem definition determines whether this contribution will indeed be made possible. The difference between an a-priori and an a-posteriori problem is again relevant. The introduction and organization of an interdisciplinary approach may be more difficult in an a-priori problem because of a dominant technological orientation, the absence as yet of risk bearers as direct stakeholders and the lack of measures of the short- and long-term consequences of the design at that stage.

2.1.2.2 In requirements to solutions

The differences in underlying objectives of different stakeholders are expressed in the formulation of design requirements as the third step in the process. This gives direction to the process. Each stakeholder will have to formulate his own objectives, make safety into an explicit requirement and provide it with a weighting, if safety as a requirement is to be discussed and weighted by the other stakeholders. Not just the safety objectives are at issue. For each stakeholder safety as a requirement is one aspect in the entirety of objectives and is only one part of weighing the total costs against the benefits.

2.1.2.3 In the development of solutions

Interdisciplinarity is important in this seventh step of the process in two respects.
Residual risks and side effects. Scientific mono- and multidisciplines play a role in determining the residual risks and the side effects of solutions. They can predict the probability of certain developments, assess the effectiveness of the solutions and lay the ground for the decision making in respect of the social acceptability of the effects.
Predictive methods play an important role in making statements about the expected effects, especially when no experience is available, as in the case of entirely new technologies. In these methods the probability of the effects stands first, rather than the question of the link between causes and possible effects. Discussion is still going on among both experts and stakeholders as to the advantages and disadvantages of the methods used (Hale 1987.1, Hale 1987.2).
Change strategies. Interdisciplinarity is important in yet another way. Scientific mono- and multidisciplines play a central role in the development and implementation of solutions. The problem of the distinction between the methodologies of science and design is bound up with the transition from analysis to solutions. Whereas safety can be central in the analysis phase of the process, safety will now have to be introduced into solutions as one aspect among many, that will


[fig. 4: Interdisciplinarity. Labels in the figure: in-depth research; decision points 1, 2, 5; criteria; objectives; hazard patterns; per safety + health / other; per stakeholder.]


and controllable subproblems. For this process of sub-division the concept of scenario is applied (Stoop 1987.3, Heimplaetzer 1988, Stoop 1989.1). Use-scenarios are defined which describe the circumstances and constraints within which problems may occur. Subsequently hazard patterns must be described which specify the hazards within use-scenarios and the way in which they can manifest themselves (Drury & Brill 1983). Hazard patterns and use-scenarios together form the concept 'accident scenarios' (Gelderblom 1988). The distinction between use-scenarios and hazard patterns makes it possible to develop these concepts independent of each other. In the eventual formulation of accident scenarios the different types of accidents can be allocated to specific situations with defined users, use circumstances, products and processes. Use-scenarios divide the problem up and permit a transition from an inventory of factors to a causal analysis. Depending on the availability of data on disturbances and on the undisturbed system functioning, use-scenarios can be derived from:
- an analysis of aggregated data about the severity, nature and extent of known problems and broad notions developed from these analyses;
- an analysis of tasks and functions as found in the normal functioning of a system (Hoefnagels & Bouwman 1989).
The development of valid use-scenarios is a step-wise iterative process (Goossens et al 1987). Eventually it must be possible to prove a causal relation between factors in the analysis. After establishing broad notions of the hazard patterns in the specific use-scenarios, the next step is to establish detailed hazard patterns.
Through in-depth analysis of accidents the technological hazards and the way they manifest themselves must be described in detail and explained sufficiently in terms of causal relations. To do that it is necessary to classify accidents in a typology (Stoop 1989.2, Stoop 1989.3). The process of selection of problems for further investigation and the transition to the process of drawing up hazard patterns is the subject of the second principal decision point. The step from broadly descriptive to detailed explanatory is guided by the need for a satisfactory explanation of accidents and the expertise and insight necessary for interventions. In-depth understanding of the phenomena studied is necessary to draw up hazard patterns. The researcher is not only dependent on a retrospective approach based on studying phenomena that have already occurred. It is also possible to start the research from a prospective approach in which the technological system and its threats to man and environment form the object of research. Such a study can provide direct evidence of the properties of the hazards in the system. Technological hazards such as radiation, noise or vibrations can be unambiguously expressed as doses which can be measured beforehand in an unequivocal way. For many hazards it is possible to define the relation between dose and effect so as to determine the transfer function. The way in which the dose can manifest itself and eventually result in damage and injury is determined


described. The intervention strategies axis is based on the life cycle and process dimensions, which indicate in which phase of the system life cycle and in what process phase intervention is the most effective. The solution matrix has been found to be satisfactory for relatively simple problems, starting from a clear definition of danger sources and if intervention is limited to a consideration of preventive strategies (Stoop 1989.1).

2.1.3.3 In the choice of subsolutions

Allocation of possible solutions to subproblems per use-scenario and hazard pattern is dealt with in the sixth step of the process. Desirability, feasibility and cost-effectiveness are central to this question. The contribution of the various stakeholder groups is of equal importance to the contributions from academic and practical experts. The various coherent packages of preventive measures that have been selected as real solutions from the repertoire of potential solutions may have different consequences. A distinction must be made between residual risks - the harmful consequences that have not or not entirely been provided for by the chosen solution - and side effects - the consequences of introducing new risks, emerging from new use-scenarios, hazards and hazard patterns. Residual risks and side effects must be researched in different ways (Hale 1987.1). To do this the solution matrix can be used in two ways. For both, the first step is to consider the matrices, in principle one per hazard pattern, as transparent sheets where, per sheet, some squares have been filled in, indicating that a solution in that square is relevant to that hazard pattern.
If all the sheets for the whole problem are laid on top of each other some filled-in squares fall on top of others, while some squares are blank on all sheets. Two lines of reasoning are then possible:
- choosing solutions that occur frequently; filled-in squares falling on top of each other. These are likely, a priori, to have a great effect as they are valid for many hazard patterns. However, further research into interference of solutions and the introduction of new use-scenarios is necessary. 'Transparent' squares indicate where there are few solutions; there is a large residual risk because of 'un-safeguarded' hazard patterns as a result of the lack of solutions or the availability of solutions with only a low estimated effect.
- application of an inverse reasoning, in which the matrices are looked at from the point of view of the possible negative effects of the proposed solutions; this view uncovers side effects.
A distinction must also be made as to which disciplines must be involved in working out each solution, which objectives are relevant from the problem solving process and whether the solution has a technical.
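The two lines of reasoning over stacked solution matrices, written out as an added illustration that is not part of the thesis: the system-level and strategy labels, the four hazard patterns with their filled squares, and the table of side effects are all constructed assumptions, not data from the original.

```python
"""Overlaying per-hazard-pattern solution matrices (constructed example).

One 'sheet' per hazard pattern: rows are system levels, columns are
intervention strategies. A filled square means that a solution of that
kind is relevant to that hazard pattern. Stacking the sheets shows
(a) squares filled for many patterns, (b) squares blank on every sheet
and (c) patterns with no filled square at all ('un-safeguarded').
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Square = Tuple[str, str]          # (system level, intervention strategy)
Sheets = Dict[str, Set[Square]]   # hazard pattern -> filled squares

# Constructed axis labels; the thesis fixes the two axes only conceptually.
SYSTEM_LEVELS = ("micro", "meso", "macro")
STRATEGIES = ("design", "construction", "use/regulation", "organization")

# Constructed sample: four hazard patterns within one use-scenario.
SAMPLE_SHEETS: Sheets = {
    "entanglement in winch": {("micro", "design"), ("micro", "use/regulation"),
                              ("meso", "organization")},
    "fall on wet deck": {("micro", "design"), ("micro", "use/regulation"),
                         ("macro", "use/regulation")},
    "noise exposure": {("micro", "design"), ("meso", "organization")},
    "crack in hull plating": set(),   # nothing filled in: pure residual risk
}

# Constructed: new use-scenarios or hazard patterns a solution would introduce.
SAMPLE_SIDE_EFFECTS: Dict[Square, Set[str]] = {
    ("micro", "design"): {"guard removed for maintenance"},
    ("micro", "use/regulation"): {"risk compensation by the crew"},
}


def overlay(sheets: Sheets) -> Counter:
    """Lay all sheets on top of each other: on how many sheets is each square filled?"""
    counts: Counter = Counter()
    for squares in sheets.values():
        counts.update(squares)
    return counts


def frequent_squares(sheets: Sheets, min_patterns: int) -> List[Square]:
    """First line of reasoning: squares filled on at least min_patterns sheets."""
    return sorted(sq for sq, n in overlay(sheets).items() if n >= min_patterns)


def transparent_squares(sheets: Sheets) -> List[Square]:
    """Squares blank on every sheet: no solution of that kind is available at all."""
    counts = overlay(sheets)
    return [(lvl, strat) for lvl in SYSTEM_LEVELS for strat in STRATEGIES
            if counts[(lvl, strat)] == 0]


def unsafeguarded_patterns(sheets: Sheets) -> List[str]:
    """Hazard patterns whose own sheet has no filled square: unmitigated residual risk."""
    return sorted(name for name, squares in sheets.items() if not squares)


def side_effects(chosen: List[Square],
                 introduces: Dict[Square, Set[str]]) -> Dict[Square, Set[str]]:
    """Inverse reasoning: which new risks do the chosen solutions themselves bring in?"""
    return {sq: introduces[sq] for sq in chosen if introduces.get(sq)}


if __name__ == "__main__":
    chosen = frequent_squares(SAMPLE_SHEETS, min_patterns=2)
    print("frequent squares:", chosen)
    print("blank on all sheets:", len(transparent_squares(SAMPLE_SHEETS)), "of",
          len(SYSTEM_LEVELS) * len(STRATEGIES))
    print("un-safeguarded patterns:", unsafeguarded_patterns(SAMPLE_SHEETS))
    print("side effects of chosen solutions:", side_effects(chosen, SAMPLE_SIDE_EFFECTS))
```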


[fig. 5: Problem orientation. Labels in the figure: decision points 3 and 9; per use-scenario, set of measures per hazard pattern; existing technology: solution strategies; new technology: adaptation strategies.]


2.3 The structure model

Structure of the process of approach to the problem

In describing the processes that are involved in the technical, organizational and social change strategies no specification is made of the structure of the communication process and the level at which interaction should take place. It is therefore necessary to formulate the different processes in some form of structure, to see whether comparison of structures is possible and whether relations between these processes can be established. The role of safety in the design process will be further elaborated in chapter 6 on the basis of the relations that can be established in this way between the process of approach to safety problems and the engineering design process. The structure of the problem solving process can be represented by means of a scheme, derived from the systems approach. Formulated in general terms, the process can be represented in a structure (Hanken & Reuver 1976) (fig. 7).

[fig. 7: Systems approach of problem development (general scheme). Three levels: meta system, i.e. black box (generalized model); abstract systems, i.e. specific model of reality; (sub)system in reality, including problem situation. Transitions between the levels: specification/classification, generalisation, abstraction, realisation of solution.]


theories and insights with their normal scientific processes for hypothesis formulation and testing. This general structure can therefore be filled in using the terminology of the safety problem solving process, with the following results as shown in fig. 8.

[fig. 8: meta system ...]