Accident Models

Accident models provide the basis for:
- Investigating and analyzing accidents
- Preventing accidents
- Hazard analysis
- Design for safety
- Assessing risk (determining whether systems are suitable for use)
- Performance modeling and defining safety metrics

Basic Energy Model

Assumes accidents are the result of an uncontrolled and undesired release of energy. Use barriers or control energy flows to prevent them.

[Figure: energy source, energy flow through a barrier, object]

Variations:
- Both (1) application of energy and (2) interference in the normal exchange of energy
- Energy transformation vs. energy deficiency
- Action systems (systems that produce energy) vs. nonaction systems (systems that constrain energy)
Heinrich's Domino Model of Accidents

[Figure: five dominoes in sequence: Ancestry and social environment; Fault of person; Unsafe act or condition; Accident; Injury]

- People, not things, are the cause of accidents.
- Removing any of the dominoes will break the sequence, but Heinrich said the third (the unsafe act or condition) was easiest to remove.
- Focus on single causes.

Chain-of-Events Models

- Explain accidents in terms of multiple events, sequenced as a forward chain over time.
- Events almost always involve component failure, human error, or an energy-related event.
- Form the basis of most safety-engineering and reliability-engineering analysis (e.g., Fault Tree Analysis, Probabilistic Risk Assessment, FMEA, Event Trees) and design (e.g., redundancy, overdesign, safety margins, ...).

[Figure: chain-of-events example for a pressurized tank: Moisture -> Corrosion -> Weakened metal -> Tank rupture (at operating pressure) -> Fragments projected -> Equipment damaged, personnel injured. Countermeasures shown under each link: use desiccant to keep moisture out of tank; use stainless steel or coat to prevent contact with moisture; overdesign metal thickness; use burst diaphragm to rupture before tank, preventing more extensive fragmentation; provide mesh screen to contain possible fragments; keep personnel from vicinity of tank while it is pressurized.]
Chain-of-Events Example: Bhopal

E1: Worker washes pipes without inserting slip blind
E2: Water leaks into MIC tank
E3: Explosion occurs
E4: Relief valve opens
E5: MIC vented into air
E6: Wind carries MIC into populated area around plant

Limitations of Event Chain Models: Social and organizational factors in accidents

"Underlying every technology is at least one basic science, although the technology may be well developed long before the science emerges. Overlying every technical or civil system is a social system that provides purpose, goals, and decision criteria." (Ralph Miles Jr.)

- Models need to include the social system as well as the technology and its underlying science.
- System accidents
- Software error
Limitations of Event Chain Models (2)

Human error
- Deviation from normative procedure vs. established practice
- Cannot effectively model human behavior by decomposing it into individual decisions and actions and studying it in isolation from the physical and social context, value system, and dynamic work process in which it takes place

Adaptation
- Major accidents involve systematic migration of organizational behavior under pressure toward cost effectiveness in an aggressive, competitive environment.

[Figure: multi-level map of the Zeebrugge capsizing. Design level: vessel design, shipyard, equipment load added, harbor design, berth design (Calais, Zeebrugge). Management level: cargo management, passenger management, traffic scheduling, vessel management, operations management, standing orders, stability analysis, truck companies. Operation level: captain's planning, transfer of Herald to Zeebrugge, docking procedure, crew working routines, change of docking. Outcomes: unsafe heuristics and patterns, time pressure, excess load, excess numbers, impaired stability, capsizing.]

Operational decision making: decision makers from separate departments in an operational context very likely will not see the forest for the trees.
Accident analysis: the combinatorial structure of possible accidents can easily be identified.
STAMP (Systems Theory Accident Modeling and Processes)

To effect control over a system requires four conditions:
- Goal Condition: The controller must have a goal or goals (e.g., to maintain a setpoint).
- Action Condition: The controller must be able to affect the system state.
- Model Condition: The controller must be (or contain) a model of the system.
- Observability Condition: The controller must be able to ascertain the state of the system.

Process models must contain:
- Required relationships among system variables
- Current state (values of system variables)
- The ways the process can change state

[Figure: hierarchical control loop. Human Supervisor (Controller) with a Model of Process and a Model of Automation, connected through Displays and Controls to an Automated Controller with a Model of Process and a Model of Interfaces; the Automated Controller drives the Controlled Process through Actuators (controlled variables) and observes it through Sensors (measured variables); the Controlled Process has process inputs, process outputs, and disturbances.]