STAMP-based analysis on the railway accident and accident spreading: Taking the China–Jiaoji railway accident for example

Each hazard analysis technique is based on a model of accident causation. Most accident models regard accidents as resulting from a chain or sequence of events, such models are fit for accidents caused by failures of physical components and for relatively simple systems, but suffer from serious deficiencies when they are applied to software-intensive, complex engineering systems. Recently, a new accident model called System-Theoretic Accident Models and Process (STAMP) for system safety has been proposed, it is based on control theory and enforces constraints on hazards and thereby prevent accidents. In this paper, taking the China–Jiaoji railway accident happened on April 28, 2008 as an example, the STAMP approach has been used to analyze the railway accident and some improvement measures have been proposed. As the occurrence of one accident can cause many other accidents happen, based on the STAMP-based analysis, the accident spreading processes have also been discussed and modeled, which will be helpful to analyze accidents spreading in a broad sense and establish effective emergent measures for accident response management.     

Coordinability and consistency: Application of systems theory to accident causation and prevention

Recent works in the safety literature report several fruitful attempts to introduce mathematically rigorous results from systems and control theory to bear upon accident prevention and system safety. Previously, we discussed the implications on safety of the systems theoretic principles of coordinability and consistency, and we identified the lack of coordinability and/or consistency as fundamental failure modes in hierarchical multilevel systems. In this work, we further develop system safety analysis techniques based on these principles. We demonstrate that these principles not only provide a domain-independent vocabulary for expressing the results of post-mortem accident analyses, but they can also be applied to guide design and operational choices for accident prevention and system safety. We develop these ideas with the help of an illustrative case study. This case study represents a broad class of systems where operational policies and procedures of individual stakeholders in the system interact with physical processes such that new system behaviors emerge, and unanticipated safety issues arise. We argue, and illustrate our arguments using this case study, that the coordinability and consistency principles can be developed to deliver a threefold impact on accident analysis and prevention: firstly, these principles provide domain-independent procedural templates and vocabulary for post-mortem accident analysis. Secondly, these principles provide theoretical safety specifications to be met during system design and operation. Finally, these safety specifications can precipitate the formulation of a series of questions directly related to safety-oriented choices in the design, operation, and control of systems.     

基于系统理论事故模型与过程的危险性分析方法

传统危险性分析方法将事故视为开始事件诱发的一连串事件所造成的不幸后果,适于处理相对简单或由物理组件构成的系统,但无法胜 任较为复杂的社会技术系统,有必要研究和探索推广性更好、更为有效的系统安全分析手段。系统理论事故模型与过程（STAMP）将安全视为系 统组件间交互的一种涌现特性,并认为事故起因除了组件失效,组件间交互失常而违背安全约束也是重要诱因。主张在系统开发、设计和运行 中通过加强控制和强化有关安全约束来预防事故。基于此,先引入了STAMP的基本概念,并介绍了其分析步骤,然后,以贴近真实的导弹拦截系 统危险性分析案例,阐述了基于STAMP的分析过程。该分析方法可为开发较高安全性水平的社会技术系统提供技术支持。     

突发事件下城市关键基础设施应急策略研究

城市关键基础设施系统由于相互之间存在的各种关联关系而形成了一个相互依存的网络化复杂系统,在突发事件下,一个单一系统功能的失效或部分功能丧失会导致与其相关联的系统产生级联失效现象。针对关键基础设施系统间相互耦合的特性,建立了突发事件下多层系统之间的供需关系网络数学模型,提出当某单一系统的节点失效后,通过分析事故链,利用与之耦合系统的供需关联关系,进行紧急状态下的备用资源调度应急策略。研究表明,基于城市关键基础设施系统之间的供需关联关系来进行资源调度的应急决策能够有效地突破传统方法中以调用备用资源为主的单系统内部优化应急策略的局限性,更有效地优化整个网络资源以降低系统总体损失。     

Availability organisational analysis: Is it a hazard for safety?

This main issue of this article analyses the possible way to use for availability improvement, the organisational analysis methodology initially developed for accident safety investigations. As the last decade examples in the industrial world prove that some organisational weaknesses could either impact safety or availability, we have for purpose to make some important clarifications, with the help of the organisational paradigm, and grounded on our knowledge of safety accidents or local inquiries in hazardous technical complex systems.We will first give our definition of an availability event, by comparison with a safety event and recall what is for us an organisational analysis. Then we will consider the safety organisational paradigm pathogenic factors in wondering if these factors could also be seen as pathogenic factors for availability; or if specific availability pathogenic factors can be inferred from these safety pathogenic factors.In the end we will try to assess the common points and the differences between an availability oriented organisational analysis and a safety oriented one, with a particular attention to possible negative follows-up on safety issues and to the methodology issue.     

Dynamic accident modeling for high-sulfur natural gas gathering station

Dynamic accident modeling for a gas gathering station is implemented to prevent high-sulfur natural gas leakage and develop equipment inspection strategy. The progress of abnormal event occurring in the gas gathering station is modeled by the combination of fault tree and event sequence diagram, based on accident causal chain theory, i.e. the progress is depicted as sequential failure of safety barriers, then, the occurrence probability of the consequence of abnormal event is predicted. Consequences of abnormal events are divided into accidents and accident precursors which include incidents, near misses and so on. The Bayesian theory updates failure probability of safety barrier when a new observation (i.e. accident precursors or accidents data) arrives. Bayesian network then correspondingly updates failure probabilities of basic events of the safety barriers with the ability of abductive reasoning. Consequence occurrence probability is also updated. The results show that occurrence probability trend of different consequences and failure probability trend of safety barriers and basic events of the safety barriers can be obtained using this method. In addition, the critical basic events which play an important role in accidents occurrence are also identified. All of these provide useful information for the maintenance and inspection of the gas gathering station.     

复杂社会技术系统安全事故的成因结构敏感性及预防对策研究

简要回顾现有复杂社会技术系统安全事故的成因理论存在的局限性,根据大量统计资料和经验总结构建事故成因理论的缺陷。该研究试图从分析和推理入手,根据复杂社会技术系统运行机制及事故成因结构敏感性特征,探索由于新技术快速普及应用而不断涌现的复杂社会技术系统的失效机制及事故的成因理论;解释复杂社会技术系统安全事故的严重程度差异性、时间方向性及情境依赖性;为任何因新技术普及应用而产生的人造系统的安全分析及事故预防提供理论和方法支撑。     

Systemic accident risk assessment in air traffic by Monte Carlo simulation

A systemic accident model considers accidents as emergent phenomena from variability and interactions in a complex system. Air traffic risk assessments have predominantly been done by sequential and epidemiological accident models. In this paper we demonstrate that Monte Carlo simulation of safety relevant air traffic scenarios is a viable approach for systemic accident assessment. The Monte Carlo simulations are based on dynamic multi-agent models, which represent the distributed and dynamic interactions of various human operators and technical systems in a safety relevant scenario. The approach is illustrated for a particular runway incursion scenario, which addresses an aircraft taxiing towards the crossing of an active runway while its crew has inappropriate situation awareness. An assessment of the risk of a collision between the aircraft taxiing with an aircraft taking-off is presented, which is based on dedicated Monte Carlo simulations in combination with a validation approach of the simulation results. The assessment particularly focuses on the effectiveness of a runway incursion alert system that warns an air traffic controller, in reducing the safety risk for good and reduced visibility conditions.     

Road transport in drift? Applying contemporary systems thinking to road safety

Despite the extent to which the proximal causes of road traffic injury are known, road trauma remains a substantial and growing component of the global health burden. Application of contemporary sociotechnical systems theory to the problem of traffic injury suggests that the lack of progress globally may be a consequence of “drift into failure”. This article considers the new systems perspective on safety, explores the utility of this approach for road safety efforts, and specifically examines the ‘drift into failure’ hypothesis. It is argued that road transport systems do currently display characteristics of complex systems in drift and that greater understanding of complexity theory-based models will support improved road safety efforts. However, the extent to which such models can support road safety practitioners appears to be limited by the lack of practical tools for translating theory to practice. The article concludes by drawing attention to similarities between complex systems theory and the contexts in which the discipline of Human Factors has been developed, and suggests that Human Factors methodologies could be usefully used to facilitate further research in this field.     

What-You-Look-For-Is-What-You-Find – The consequences of underlying accident models in eight accident investigation manuals

Accident investigation manuals are influential documents on various levels in a safety management system, and it is therefore important to appraise them in the light of what we currently know – or assume – about the nature of accidents. Investigation manuals necessarily embody or represent an accident model, i.e., a set of assumptions about how accidents happen and what the important factors are. In this paper we examine three aspects of accident investigation as described in a number of investigation manuals. Firstly, we focus on accident models and in particular the assumptions about how different factors interact to cause – or prevent – accidents, i.e., the accident “mechanisms”. Secondly, we focus on the scope in the sense of the factors (or factor domains) that are considered in the models – for instance (hu)man, technology, and organization (MTO). Thirdly, we focus on the system of investigation or the activities that together constitute an accident investigation project/process. We found that the manuals all used complex linear models. The factors considered were in general (hu)man, technology, organization, and information. The causes found during an investigation reflect the assumptions of the accident model, following the ‘What-You-Look-For-Is-What-You-Find’ or WYLFIWYF principle. The identified causes typically became specific problems to be fixed during an implementation of solutions. This follows what can be called ‘What-You-Find-Is-What-You-Fix’ or WYFIWYF principle.     

An urban pipeline accident model based on system engineering and game theory

Urban pipeline accidents are caused by complex social-technical factors, in which urban communities and pipeline systems are involved. Such accidents can thus be investigated from the viewpoint of system engineering. System-Theoretic Accident Model and Processes (STAMP) is a systemic method for safety assessment, which has been adopted in many domains. This approach can provide deep insights of accident causes by considering direct and indirect factors. Meanwhile, competition and cooperation between stakeholders in accidents are observed. Therefore, these parties can also be analyzed with the game theory. That is, stakeholders in STAMP can be regarded as players in game. The aim of this paper is to provide a new insight to analyze urban pipeline accidents by considering both STAMP and game theory. In this paper, we proposed an accident model for urban pipelines, with a case study of China-Qingdao pipeline accident occurred in 2013. We concluded that accident reasons can be investigated in-depth and lessons can be learned from analyzing causal factors by using STAMP. Based on results generated from STAMP, we applied the game theory to analyze roles that government and companies act in the China-Qingdao urban pipeline accident. The results show that current punishment and incentive systems are incomplete, lacking of the driving force and constraining force for the stakeholders involved in the accident.     

Overcoming the blame game to learn from major accidents: A systemic analysis of an Anhydrous Ammonia leakage accident

This article aims to demonstrate the need for changing the methods with which accidents are analyzed, if we truly wish to use what we uncover from them to learn and enrich our knowledge base of organizational management. The goal is to relinquish the broadly adopted and rather simplistic paradigm that accepts the search for human error and unsafe acts performed by workers, and produces “guilt diagnostics”. Instead, we use a systemic accident analysis methodology, based on the sociotechnical principle of understanding the real operating conditions in which accidents take place. In order to demonstrate the benefits of the theoretical framework, we compare the analyses of an Anhydrous Ammonia gas leakage accident in a fish processing plant using the traditional accident analysis model based on unsafe acts and the proposed systemic approach. The results favor the latter since it tends to be more reliable and offering useful recommendations to safety management processes, thus helping to prevent accidents, especially in complex systems.     

Modeling patterns of breakdown (or archetypes) of human and organizational processes in accidents using system dynamics

Systems approaches to safety have received growing attention in modern accident investigation techniques (e.g., STAMP, Accimap) with the emphasis shifted to the organizational dynamics (or archetypes) that may lead to an erosion of defenses and a drift out of the safety margins. Although the literature contains many applications of archetypes and system dynamics to safety, this richness comes at a cost of learning. It has become very difficult for safety practitioners to integrate the diverse studies of system dynamics with their diverging models. To provide a practical tool of system dynamics in accident investigation, this article reviews earlier studies and integrates them as a classification of patterns of breakdown (or archetypes) of both human and organizational processes on the basis of two control models, that is, the Extended Control Model (ECOM) and the Viable System Model (VSM). In this article, archetypes are represented as variants of two generic templates of performance which exploit many elements of complexity theory and system control. Apart from providing a practical tool to safety practitioners to access the literature on archetypes, the generic templates of ECOM and VSM can be used in building simulators of individual and organizational processes for risk analysis.     

Model-based hazard identification in multiphase chemical reactors

Chemical productions operated in extreme conditions (high pressure, high temperature) require a detailed analysis of all potentially dangerous situations that can lead to a major industrial accident and thus cause a loss of life and property. Many accidents in the near or distant history underline the need of a detailed safety analysis in process industries, not only in the phase of plant design but also during the operation of the plant. It would be shown that simulation of a chemical unit using an appropriate mathematical model and the nonlinear analysis theory can be a suitable tool for safety analysis. This approach is based on mathematical modeling of a process unit where both the steady-state analysis, including the analysis of the steady states multiplicity and stability, and the dynamic simulation are used. Principal objective of this paper is to summarize problems regarding the model-based hazard identification in processes. A case study, focused on phenomena of multiple steady states in ammonia synthesis reactor will be presented. The influence of the model complexity and model parameters uncertainly on the quality of safety analysis would be underline.     

复杂社会技术系统事故成因结构敏感性分析

讨论基于共同成因假设思想的事故成因理论的局限:①不考虑系统复杂性影响,认为复杂系统和简单系统都遵循同样的事故成因机理;②共同成因假设,即大小事故具有相同的成因,遵循共同成因路径;③因果律假设,即任何事故一定有清晰严格的因果链;④只注重比较重要因素,人为增加了系统的不和谐。系统地阐述复杂系统事故所具有的结构敏感性,给出了事故成因模型有效性的价值判断标准,并提出活跃元素的行为偏差及活跃元素间交互作用偏差的合成是决定复杂社会技术系统事故成因机理的学说,补充并完善了Reason的Swisscheese模型,同时构建了基于结构敏感性的事故成因模型。     

事故致因“2-4”模型及其事故原因因素编码研究

事故致因模型是用于事故原因分析和预防的重要理论依据,模型的可操作性是决定事故预防效果的重要影响因素。对目前国内研究较为持续和系统的事故致因"2-4"模型进行了深入研究,以增强其在事故分析时的可操作性。首先,研究了事故致因"2-4"模型中组织内、外部原因的各个阶段原因因素的划分情况;其次,根据得到的各阶段原因因素划分结果,对应用事故致因"2-4"模型分析事故原因的因素进行了编码;最后,以一起重大瓦斯爆炸事故为例,对事故致因"2-4"模型原因因素编码系统的有效性进行了实证研究。划分了事故致因"2-4"模型中的各原因模块中的原因因素,并得到了不安全动作和物态、习惯性不安全行为、安全管理体系、安全文化、外部因素等5个层级原因,确定了基于事故致因"2-4"模型的30个原因因素。对事故原因因素进行系统编码,提高了应用事故致因"2-4"模型进行事故原因分析和事故预防的可操作性,增强了其应用实践性。     

Intra‐individual variability in job complexity over time: Examining the effect of job complexity trajectory on employee job strain

Drawing on gestalt characteristics theory, we advance the literature on the effect of job complexity on employee well‐being by considering intra‐individual variability of job complexity over time. Specifically, we examine how the trend, or trajectory, of job complexity over time can explain unique variance of employee job strain. Across two longitudinal data sets, we consistently find that, with the average level of job complexity during a given period held constant, a positive job complexity trajectory (i.e., an increasing trend in complexity) is associated with higher employee job strain. Based on job‐demand‐control theory and the exposure‐reactivity model, we further establish that job autonomy and employee emotional stability jointly moderate the relationship between job complexity trajectory and employee job strain. Specifically, for employees with high emotional stability, job autonomy mitigates the job strain brought by positive job complexity trajectory, whereas for employees with low emotional stability, job autonomy does not help to reduce the adverse effect of the increasing trend. These findings not only contribute to extend the understanding of the job complexity – strain relationship, but also suggest a promising, dynamic avenue to study the effects of work characteristics on employee well‐being as well as other outcomes. Copyright © 2016 John Wiley & Sons, Ltd.     

Applicability of accident analysis methods to Chinese construction accidents

IntroductionIt is necessary to clearly understand construction accidents for preventing a rise in Chinese construction accidents and deaths. Better analysis methods are required for Chinese construction sector accidents.MethodsChoosing and analyzing a typical construction accident based on four popular contemporary accident causation models: STAMP, AcciMap, HFACS, and the 2-4 Model. Then we evaluated the models' applicability to construction accidents, including their usability, reliability, and validity.ResultsSTAMP addressed how complexity within the accident system influenced the accident development, and its output makes the responsibilities clearer for the accident. AcciMap described the entire system's failure, the entire accident's trajectory, and the relationship between them. AcciMap showed that the accident was a dynamic developing process, and this method has a high usability. The taxonomic nature of HFACS is an important feature that provides it with a high reliability. In the accident reviewed here, we found that poor management was a critical factor rather than the individual factor in the accident. The 2-4 Model provided detailed causes of the accident and established the relationship among the accident causes, the safety management system, and the safety culture. It also avoided capturing all of the complexity in the large sociotechnical system and revealed a dynamic analysis and developing process. We confirmed that it has a high usability and validity. Therefore, the 2-4Model is recommended for future Chinese construction accident analysis efforts.Practical ApplicationsThe study provides a useful, reliable, and effective analysis method for Chinese construction accidents.     

Assessing safety management systems

Traditionally, both academe and practitioners have tended to address fire safety by focusing on technical aspects and looking for the immediate causes of fire incidents or accidents after they have taken place. More recently, organisations have focused on assessing the consequences of the fire risk inherent in their operations pro-actively. However, fire safety still tends to be addressed in isolation, though fire loss is an emergent property. An organisation's emergent property results from the interrelated activities of people who design it, manage it and operate it. There is still a need for a systemic approach to understand the systemic nature of fire safety. This paper describes a fire safety management system (FSMS) model that aims to maintain fire risk within an acceptable range in an organisation's operations in a coherent way. This systemic approach can be used as a diagnostic tool to assess the effectiveness of existing safety management systems (SMS). It is hoped that this approach will lead not only to more effective management of fire safety, but also to more effective management of safety, health and the environment for any organisation.     

安全系统涌现性模型构建及核心问题研究

为促进安全科学基础理论发展,基于安全问题中蕴含的系统涌现思想,开展安全系统涌现性研究.首先,经辩证分析提取安全科学理论中蕴含的涌现思想,定义安全系统涌现性并建立概念模型;其次,降维分析安全系统复杂性,从多视角剖析涌现性概念;然后,提出安全系统涌现性研究的核心问题与研究方向,并总结其对安全科学研究的意义;最后,从涌现性角...