Barrier Analysis Analysed in MORT Perspective


John Kingston, Robert Nertney, Rudolf Frei and Philippe Schallier
Noordwijk Risk Initiative Foundation
Delft, Netherlands

Floor Koornneef
Safety Science Group, Delft University of Technology
Delft, Netherlands

Abstract

This paper discusses the incorporation into MORT of the Haddon energy-flow notion. It focuses on the relationships between MORT barrier analysis, Energy Trace and Barrier Analysis (ETBA), Control Change Cause Analysis (3CA) and the cybernetic conventions developed by Ashby. The implications for the next generation of MORT and the application of barrier analysis in domains outside of safety are discussed.

1 The barrier concept is intrinsic to MORT

The barrier concept is intrinsic to the Management Oversight and Risk Tree, in both MORT's manifestation as a description of a safety management programme (e.g. Johnson, 1973) and as a suite of analytical methods, of which the most visible is the MORT logic tree (Frei et al, 2002(a) and 2002(b)). For the most part, MORT analysis is concerned with the energy flows that get things done in a work/process system. A characteristic of MORT analysis is that it operates in the perspective of what people wished to achieve through the work process rather than being focussed solely on what could go wrong.

Within MORT, barrier analysis refers to the use of the MORT logic tree to analyse the interaction between a particular energy flow and a vulnerable target (meaning somebody or something), this event being referred to generally as an energy transfer (Trost and Nertney, 1995). There may be many such events within the one accident and Energy Trace and Barrier Analysis (ETBA) is used to identify them.

2 MORT's origins: the epidemiological model of barriers and the Haddon concept

The development of MORT (1969-1973) by Johnson and his team was a process of incorporating ideas that could prove helpful in the management of safety at nuclear facilities. Quite often the ideas for MORT came from outside of the nuclear industry and the field of safety. One of the present authors (Nertney) was a member of Johnson's team and recalls that the barrier concept was initially identified in epidemiology, where disease vectors occupy the same role as Haddon's energy flow.

The MORT developers adopted Haddon to make barrier analysis recognisable to and usable by the engineers who were their primary audience. This worked but had a downside too. The developers (Johnson and Nertney) could easily see energy as the basic currency that applies to everything, but sometimes others had problems with this. In this way, the expedient adoption of the Haddon energy barrier notion became a minor obstacle itself. As Nertney explains it: "Johnson and I had to re-explain the relevance of the idea to settings in which people wouldn't normally think in terms of energy transfers. That meant that we had to do quite a lot of tap-dancing around to show how the energy transfer idea could handle issues like starvation. But it's a problem - people think about food, not about cellular metabolism."

3 The role of ETBA in investigation

Most incidents contain more than one event that requires explanation; often there are several. Elsewhere (Frei et al, 2003) we have characterised ETBA as a way of identifying the norms, novelties and deviations - NNDs - that are of relevance to a particular incident or accident. As we say there: "When an incident occurs, it sometimes signals failures in the control of an activity or of protective systems. To provide the focus for subsequent [root] causal analysis, these failures can be characterised as deviations from norms. In many cases, identifying norms equates to identifying the standards that applied to a specific instance of control or protection." (Frei et al, 2003).

In the context of MORT root cause analysis, ETBA is used to decompose a sequence of events into discrete events or units, each of which can be the subject of the analysis. In effect, each row of an ETBA is a unit of MORT analysis and this makes the decomposition through ETBA a prerequisite for the investigative use of MORT. This prerequisite can be argued to apply to root cause methods generally. Without clear delineation of events, it is difficult for the analyst to settle on what it is that they are trying to explain through root cause analysis.

Within the one accident, the units of analysis may vary widely in the NNDs that are revealed for root cause analysis. Furthermore, each NND can reveal different patterns of causation; a root cause analysis specific to each NND allows a finely grained (and hopefully well-evidenced) picture to be established. Often MORT analysis of several rows from an ETBA [1] will reveal recurrent general themes (i.e. converging root causes). However, although the general themes may be interesting in themselves, the specific grounds from which they arise provide a firmer basis on which to make recommendations. Root cause analysis that is not focussed in this way can only produce very impressionistic causal themes, without a way of connecting the general to the specific: a recipe for management hand-wringing but not for definite, targeted remedial action.

[1] The practical relationship between ETBA and MORT analysis of barriers is fully explained in the MORT Users Manual (Frei et al, 2002).

ETBA can also be applied in investigations as a standalone method. Used this way, ETBA can produce a very concise summary of the significant events and the barriers and controls implicated in the accident.

4 Reconciling qualities of flexibility and reproducibility in Barrier Analysis

ETBA is a powerful idea, and a flexible tool, but as Johnson (1973) points out, a key to this potential is rigour of application. The rigorous use of ETBA has three aspects:

(1) the meticulous trace aspect requires the analyst to identify all the energy transfers occurring in the sequence of events (meaning within the accident, incident, and precursor events). Each unwanted energy transfer begs the question "where did this energy come from?", a question that Johnson tells us must be repeatedly asked and answered;

(2) barriers and controls need to be identified precisely and in context. Generic statements about barriers and controls cannot be analysed properly in terms of the standards, or the test of reasonableness, that apply to the context of the accident;

(3) the same level of system needs to be maintained when associating an energy transfer with the barriers and controls that correspond to it. For example, an electric shock suffered by an electrician from a live system could correspond to barriers and controls such as "isolate from electrical supply". Sometimes, novice analysts jump immediately to higher order controls such as "training" or "risk assessment" for zero-order energy transfers. Training will not stop the flow of current, but training may have a role in implementing the "isolation".

The points above are some of the grounds for a rigorous approach, but also worthy of note is the desire by the developers of MORT to combine rigorous analysis with a flexible approach, that is, one not limited to a literal view of energy flows. Their experience was that overly-rigid analyses can block valuable insights into problems. For example, if one adopts a form of barrier analysis that is not restricted to energy transfers, one can also think in terms of "how did bad things get into our system" and "why good things did not get into our system". For example, having purchase orders signed off by safety professionals provides a way of blocking bad things from entering your system - looking at a purchase order will often set off alarm bells in the safety professional's mind. One might even imagine extending barrier analytical thinking to the recommendation phase of accident investigation: to consider what barriers might exist to implementing recommendations.

If we are to apply ETBA thinking to forms of barrier analysis that use analogues of the energy transfer concept, rigorous analysis will require appropriate translation of the three aspects mentioned earlier: meticulous trace, specific to context, and operating at one level of system.

5 Two forms of barrier analysis: ETBA and 3CA

Our experience of designing a new form of barrier analysis (to serve as the basis of the 3CA method, Kingston, 2003) provides further insight into the general principles. We wanted the new form of barrier analysis to have a good degree of reproducibility and to enable analysts to capture issues without the need for forcing the analysis. In the event, we used "agent of change" instead of "energy flow".

We arrived at "agent of change" by using the cybernetics model devised by Ashby (1956). Ashby's scheme proposes four functions, related as follows: a disturbance (D) acts upon a transformational system (T) in a way that would adversely change the values of one or more essential variables (E) were it not for the action of a regulator (R). It needs to be recognised that these functions are not necessarily separate entities, and indeed will quite often be found in the one entity. Although disturbance is defined by the adverse effect on essential variables, it is best seen in a wider context.
What Ashby calls disturbance (D) is only one functional aspect of the entire input to the transformational system (T), most of which is beneficial to maintaining the essential variables (E) within their desired range of values. The analytical perspective is of a system achieving something useful rather than just as a convention for stating problems. This is highly congruent with the MORT viewpoint discussed earlier in section one. In terms of the Ashby model, this perspective reminds us of the need to ensure that R (by acting on T) does not unduly obstruct the generally beneficial flow of input of which D is a problematic subset. Seen this way, a desirable property in a regulator is that it should be highly selective about what it blocks. An undiscerning regulator, one that blocks too much beneficial input, might itself have an adverse impact on the essential variables.

Returning to the relationship between the Ashby model and 3CA, the headings we used in the new barrier analysis are:

(1) Change to person or thing;
(2) Agent of change;
(3) Adverse effect of change;
(4) Work controls or protective barriers implicated in (1)/(2).

The correspondence between these headings and Ashby's conventions is illustrated below in Figure 1.

D    Agent of change
T    Change to person or thing
E    Adverse effect of change
R    Controls or barriers

Figure 1: Correspondence of 3CA Headings and Ashby conventions (configured in a full-information paradigm)

In 3CA, instead of the meticulous energy trace of ETBA, the barrier analysis is performed on a robust, sequenced description of what happened and how (as could be obtained by using a method like ECFA+ (Kingston et al. 2004) or STEP (Hendrick and Benner, 1987)). With the sequenced description available, the 3CA process begins by identifying all events that create an adverse change in control or that increase risk - these terms often being the two sides of the same coin. Kingston (2002) provides a comparison of the barrier analytical terms used in ETBA and 3CA.

6 The next horizon of generalisation for MORT-based barrier analysis

Haddon's energy transfer model is a special instance of a more general concept. A great advantage of Haddon's model is the facility for rigorous application with the clarity of insight and confidence that this can bring to barrier analysis. However, these benefits are available at some cost to flexibility in what Energy Trace and Barrier Analysis can be applied to. Arguably anything can be stated in terms of energy flow, but this can sometimes lead to very forced analyses and tenuous arguments.

When Johnson and Nertney saw how an idea from epidemiology could apply in the context of the nuclear industry, and adopted Haddon's scheme to make it stick, they were using an analogy between those two worlds. We believe that the Ashby model, and the ideas to which it connects, provide the underlying set of concepts to these and other worlds of application. This has two outcomes: first, the ability to develop barrier analyses tailored to any domain of risk management, and second, the ability to make formal comparisons between barriers and controls in one domain and another, even if they are superficially very dissimilar.

One immediate conclusion of this line of thinking is that barrier analysis is essentially about understanding the selective blocking of information in a specific context, whether the analyst is concerned with physical blocking of an energy flow by a barrier, or blocking of terrorist actions using intelligence generated by a security agency. Both MORT and the Ashby models remind us of the need for selectivity in these arrangements: block the harm but not the work, obstruct the terrorist but not the citizen. We will be applying these insights in the next generation of MORT, making it usable in domains of risk management beyond health, safety and environmental protection.

References

Ashby, W.R. (1956). Introduction to Cybernetics. London, Chapman and Hall.

Frei, R., Kingston, J., Koornneef, F., and Schallier, P. (2002a), NRI MORT User's Manual. Ref. NRI-1 (2002), Pub. Noordwijk Risk Initiative Foundation, The Netherlands. www.nri.eu.com.

Frei, R., Kingston, J., Koornneef, F., and Schallier, P. (2002b), NRI MORT Chart. Ref. NRI-2 (2002), Pub. Noordwijk Risk Initiative Foundation, The Netherlands. www.nri.eu.com.

Frei, R., Kingston, J., Koornneef, F., and Schallier, P. (2003) Investigation Tools in Context. JRC/ESReDA Seminar on Safety Investigation of Accidents on 12-13 May 2003, Petten, The Netherlands.

Hendrick, K. and Benner, L. (1987), Investigating accidents with STEP. Marcel Dekker.

Johnson, W.G. (1973). MORT - The Management Oversight and Risk Tree. SAN 821-2. US Atomic Energy Commission.

Kingston, J. (2002) 3CA Control Change Cause Analysis Manual. NRI-3 (2002), Pub. Noordwijk Risk Initiative Foundation, The Netherlands. www.nri.eu.com.

Kingston, J., Jager, J., and Koornneef, F. (2004) ECFA+: Events and Conditional Factors Analysis. Ref. NRI-4 (2004), Pub. Noordwijk Risk Initiative Foundation, The Netherlands. www.nri.eu.com.

Trost, W.A. and Nertney, R.J. (1995), Barrier Analysis. US Department of Energy Ref. DOE 76-45/29, SSDC-29.