[Figure: control loop. The Human Supervisor (Controller) holds a Model of the Process and a Model of the Automation; the Automation (Automated Display and Decision Aiding) holds a Model of the Process and a Model of the Interfaces; Process Interfaces connect it, via Actuators and Sensors, to the Controlled Process, with controlled variables going in, measured variables coming back, process inputs and outputs, and disturbances acting on the process.]

Safety and the Process Models

Accidents occur when the models do not match the process:
- the model was wrong from the beginning, or
- feedback was missing or incorrect, so the model was never updated.
Must also account for time lags between the process changing and the model being updated.

This explains human/machine interaction problems: pilots and other operators do not understand the automation.
- What did it just do?
- Why did it do that?
- Why won't it let us do that?
- What caused the failure?
- What will it do next?
- How did it get us into this state?
- How do I get it to do what I want?
- What can we do so it does not happen again?

Operators do not get the feedback needed to update their mental models, or they disbelieve it.
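The slide's claim that accidents follow from a controller's process model diverging from the real process (feedback missing, feedback delayed) can be made concrete with a small simulation. The code below is an added example; it is not from the original slides and not any real flight software. The lander-like process, the constants GRAVITY, TARGET_V and MAX_SAFE_V, and the names Process, Controller, Sample and simulate are all constructed for illustration. It runs the same control loop with prompt feedback, with feedback that stops arriving, and with feedback delayed by several steps, and reports when the safety constraint (descent velocity never above MAX_SAFE_V) is violated. A max_feedback_age check shows one way a controller can refuse to act on a model it has no current basis for.

```python
"""Toy control loop showing how a controller's process model can diverge
from the controlled process when feedback is missing or delayed.

Added example for illustration; not from the original slides. The
lander-like process, all constants and all names are constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional, Tuple

GRAVITY = 2       # growth in descent velocity per step with no thrust (constructed)
TARGET_V = 5      # descent velocity the controller tries to hold (constructed)
MAX_SAFE_V = 10   # safety constraint: velocity must never exceed this (constructed)


@dataclass(frozen=True)
class Sample:
    """A sensor measurement together with the time it was taken."""
    time: int
    value: int


@dataclass
class Process:
    """The controlled process: descent velocity driven by gravity minus thrust."""
    velocity: int = 0

    def step(self, thrust: int) -> int:
        self.velocity += GRAVITY - thrust
        return self.velocity


@dataclass
class Controller:
    """Automation whose decisions rest on model_v, its model of the process.

    max_feedback_age=None means the controller trusts its model no matter
    how old the feedback behind it is (the failure mode on the slide).
    """
    max_feedback_age: Optional[int] = None
    model_v: int = 0            # the controller's belief about the velocity
    last_sample_time: int = 0
    feedback_age: int = 0

    def update_model(self, sample: Optional[Sample], now: int) -> None:
        if sample is not None:
            self.model_v = sample.value       # feedback arrived: model updated
            self.last_sample_time = sample.time
        # Missing feedback leaves model_v as it was; only its age grows.
        self.feedback_age = now - self.last_sample_time

    def decide(self) -> int:
        if self.max_feedback_age is not None and self.feedback_age > self.max_feedback_age:
            return GRAVITY                    # stale model: hold velocity (fail safe)
        if self.model_v > TARGET_V:
            return 2 * GRAVITY                # believed too fast: decelerate
        if self.model_v < TARGET_V:
            return 0                          # believed too slow: accelerate
        return GRAVITY                        # believed on target: hold


def simulate(lag: int = 0, drop_after: Optional[int] = None,
             max_feedback_age: Optional[int] = None,
             steps: int = 20) -> Tuple[int, Optional[int]]:
    """Run the loop for `steps` steps.

    lag:        steps a measurement takes to reach the controller (time lag)
    drop_after: step after which the sensor delivers nothing (missing feedback)
    Returns (maximum velocity reached, step of first constraint violation or None).
    """
    process = Process()
    controller = Controller(max_feedback_age=max_feedback_age)
    # Sensor channel: a sample appended at step t is read at step t + lag + 1.
    channel = deque([Sample(0, 0)] * (lag + 1), maxlen=lag + 1)
    max_v, first_violation = 0, None
    for t in range(1, steps + 1):
        now = t - 1                           # time of the newest possible sample
        sample = channel[0] if drop_after is None or t <= drop_after else None
        controller.update_model(sample, now)
        v = process.step(controller.decide())
        channel.append(Sample(t, v))
        max_v = max(max_v, v)
        if v > MAX_SAFE_V and first_violation is None:
            first_violation = t
    return max_v, first_violation


if __name__ == "__main__":
    for label, kwargs in [
        ("prompt feedback", {}),
        ("sensor lost after step 2", {"drop_after": 2}),
        ("feedback delayed 4 steps", {"lag": 4}),
        ("sensor lost, stale model rejected", {"drop_after": 2, "max_feedback_age": 1}),
        ("delayed 4, stale model rejected", {"lag": 4, "max_feedback_age": 1}),
    ]:
        max_v, violation = simulate(**kwargs)
        print(f"{label}: max_v={max_v}, first violation at step {violation}")
```

The controller logic is identical in every run; which runs violate the constraint is decided entirely by the gap between model_v and the real velocity, not by any component failing outright. The max_feedback_age check is a blunt fail-safe (with a 4-step lag it never trusts the model and simply holds), so in practice the model itself has to account for the known lag, which is the slide's point; what the check does show is that a controller should know the age of the feedback its model rests on.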
Accident Models

A Systems Theory Model of Accidents

- Accidents arise from interactions among humans, machines and the environment.
- They are not simply chains of events or linear causality, but more complex types of causal connections.
- Safety is an emergent property that arises when the components of a system interact with each other within a larger environment.
- A set of constraints on the behavior of the components in the system enforces that property.
- Accidents occur when interactions violate those constraints (that is, when appropriate constraints on the interactions are lacking).
- Software acting as a controller embodies or enforces those constraints.

A Systems Theory Model of Accidents (2)

Safety can be viewed as a control problem, e.g.:
- the O-rings did not adequately control propellant gas release (Challenger);
- the software did not adequately control the descent speed of MPL (Mars Polar Lander).

- Safety management is a control structure embedded in an adaptive system.
- Events indirectly reflect the effects of dysfunctional interactions and inadequate control.
- We need to examine the control structure itself to understand accidents.
- Accidents result from inadequate enforcement of constraints at each level of the socio-technical system controlling development and operations.