Complexity in the process industries requires a suite of tools to manage. Nancy Leveson realised that the tools available to her to investigate or prevent incidents did not adequately achieve robust long-term solutions. In response she developed a completely new framework she called STAMP (Systems-Theoretic Accident Model and Processes).
What Leveson realized is that as complexity increases within a system, this approach [RCA type problem solving] loses its effectiveness. Things can go catastrophically wrong even when every individual component is working precisely as its designers imagined. “It’s a matter of unsafe interactions among components,” she says. “We need stronger tools to keep up with the amount of complexity we want to build into our systems.” (Jeff Wise)
Understanding the conflicts between reliability and safety requires distinguishing between requirements and constraints. Requirements are derived from the mission or reason for the existence of the organization. The mission of the chemical plant is to produce chemicals. Constraints represent acceptable ways the system or organization can achieve the mission goals. Not exposing bystanders to toxins and not polluting the environment are constraints on the way the mission (producing chemicals) can be achieved.
There are always multiple goals and constraints for any system — the challenge in engineering design and risk management is to identify and analyze the conflicts, to make appropriate tradeoffs among the conflicting requirements and constraints, and to find ways to increase system safety without decreasing system reliability…
Bottom-up decentralized decision making can lead — and has led — to major accidents in complex sociotechnical systems. Each local decision may be “correct” in the limited context in which it was made but lead to an accident when the independent decisions and organizational behaviors interact in dysfunctional ways.
Safety is a system property, not a component property, and must be controlled at the system level, not the component level. (Leveson, pp. 33-35)
STAMP (Systems-Theoretic Accident Model and Processes) is an accident causality model based on systems theory and systems thinking …[it] integrates into engineering analysis causal factors such as software, human decision-making and human factors, new technology, social and organizational design, and safety culture, which are becoming ever more threatening in our increasingly complex systems.
STPA (Systems-Theoretic Process Analysis) is a powerful hazard analysis technique based on STAMP, while CAST (Causal Analysis based on STAMP) is the equivalent for accident and incident analysis. (Reykjavik University)
In STAMP, accidents are conceived as resulting not from component failures, but from inadequate control or enforcement of safety-related constraints on the design, development, and operation of the system. Safety is viewed as a control problem: accidents occur when component failures, external disturbances, and/or dysfunctional interactions among system components are not adequately handled…
Systems are viewed, in this approach, as interrelated components that are kept in a state of dynamic equilibrium by feedback loops of information and control. A system is not treated as a static design, but as a dynamic process that is continually adapting to achieve its ends and to react to changes in itself and its environment. The original design must not only enforce appropriate constraints on behavior to ensure safe operation, but it must continue to operate safely as changes and adaptations occur over time. Accidents then are viewed as the result of flawed processes involving interactions among system components, including people, societal and organizational structures, engineering activities, and physical system components. STAMP is constructed from three basic concepts: constraints, hierarchical levels of control, and process models. These concepts, in turn, give rise to a classification of control flaws that can lead to accidents.
The basic concept in STAMP is not an event, but a constraint. In systems theory and control theory, systems are viewed as hierarchical structures where each level imposes constraints on the activity of the level below it—that is, constraints or lack of constraints at a higher level allow or control lower-level behavior.
Instead of viewing accidents as the result of an initiating (root cause) event in a series of events leading to a loss, accidents are viewed as resulting from interaction among components that violate the system safety constraints. The control processes that enforce these constraints must limit system behavior to the safe changes and adaptations implied by the constraints. (Leveson et al.)
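As an added illustration of the control-loop view above (constructed here, not taken from the article or from Leveson's work), the toy below models a tank level controller whose process model is updated from delayed sensor feedback. Every component meets its own specification, yet the system-level constraint is violated through the interaction; a guard enforced above the local controller, using direct measurement, keeps the constraint. All tank figures, setpoints and the delay are assumed values for the scenario.

```python
from dataclasses import dataclass

# Constructed numbers for the toy scenario (assumptions, not from the article)
MAX_LEVEL = 100.0   # system-level safety constraint: level must never exceed this
SETPOINT = 80.0     # local goal of the level controller
INFLOW, OUTFLOW = 10.0, 4.0


@dataclass
class Tank:
    """The controlled process: fills while the valve is open, drains every step."""
    level: float = 50.0
    valve_open: bool = False

    def step(self) -> float:
        if self.valve_open:
            self.level += INFLOW
        self.level = max(0.0, self.level - OUTFLOW)
        return self.level


@dataclass
class LevelController:
    """Controller with a process model: its belief about the current tank level."""
    model_level: float = 50.0

    def decide(self, observed: float) -> bool:
        self.model_level = observed          # update the model from feedback
        return self.model_level < SETPOINT   # control action: open the valve?


def simulate(delay: int, steps: int = 20, interlock: bool = False):
    """Run the loop with sensor feedback delayed by `delay` steps.
    With `interlock`, a guard above the local controller enforces MAX_LEVEL
    from direct measurement. Returns (max level reached, step of first
    constraint violation or None)."""
    tank, ctrl = Tank(), LevelController()
    history = [tank.level]
    worst, violated_at = tank.level, None
    for t in range(steps):
        observed = history[max(0, len(history) - 1 - delay)]  # stale but correct
        command = ctrl.decide(observed)
        if interlock and tank.level + INFLOW - OUTFLOW > MAX_LEVEL:
            command = False  # constraint enforced at the system level
        tank.valve_open = command
        level = tank.step()
        history.append(level)
        worst = max(worst, level)
        if violated_at is None and level > MAX_LEVEL:
            violated_at = t
    return worst, violated_at


if __name__ == "__main__":
    print("no delay:        ", simulate(0))
    print("5-step delay:    ", simulate(5))
    print("delay + interlock", simulate(5, interlock=True))
```

With immediate feedback the local controller alone keeps the level near its setpoint; with a five-step delay the same controller, sensor and valve each still behave correctly, and the level still overshoots the constraint.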