Preventing technological disasters

Safety critical systems

Jean-Christophe Le Coze is a doctor of MINES ParisTech since the 5th of May 2011

Certainly one of the most challenging tasks in safety science today is to develop ways of assessing safety-critical systems in order to capture the patterns identified by social sciences following major accidents, to prevent them from causing disasters. In other words, the challenge is to develop  ways to better grasp in foresight what is being interpreted in hindsight, or in other words, to move from a study of past failures to an anticipation of future ones.

 
Figure 1: Moving from hindsight (accident investigation) to foresight (safety assessment) 
Figure 2: Four research traditions classified according to three dimensions (purpose, scope, empirical posture).

So far, the models of safety critical systems have been strongly dominated by technologically and quantitatively oriented rationales. Now, the current and next generation of technological developments require enhanced abilities, both from states and private companies, to better anticipate technological, human, organisational and socio-cultural types of failures, and calls for a better interface between technology and social sciences and their translation into safety assessment practices.

A safety assessment must rely on some form of indications about where to look and what to derive from observations. As a consequence, one has to specify key dimensions indicating relevant areas to be considered and investigated for safety assessment during empirical phases.

For this thesis, a design rationale has been established, based on four requirements:
- a model that is generic enough to sensitise without destroying the distinctiveness ofreal cases (a ‘sensitising model’);
- a descriptive and neutral approach (balance between a descriptive and a normative posture) ;
- to grasp several nested layers of analysis to capture the patterns identified retrospectively in accidents by social scientists, introduction of the micro-meso-macro  systemic and dynamic link; 
- a model stresses that some key features are linked in a circular and dynamic relationship to produce safety.

Under the fourth requirement, i.e. producing a trade-off between simplicity and complexity for practical purposes, this is what the systemic safety model now proposes :
- strategy adaptations (by leaders) in the organisation’s environment (economical, political, social and technological), 
- a number of technological and organisational changes at different levels, which may positively or negatively affect the design and/or implementation of (technical and procedural) safety barriers by those at the operational level (in teams and departments),
- a situation monitored and controlled by an ability to treat signals (possibly conveyed by ‘whistle blowers’) about specific safety-related problems or negative impacts of developments on design or implementation of (technical and procedural) safety barriers, relying on an influential safety department which can challenge the organisation about the impacts of changes on design and implementation of safety barriers and/or about the status of treatment of (weak or strong) signals. This department is backed up by safety (external or internal) reviews which can play a role of ‘organisational redundancy’ for the internal safety department (or department) on these very same issues.

                                                          
                                      Figure 3: A systemic and dynamic safety model

It aims to be generic and relatively, simple. Its level of generality allows it to be relevant in sensitising a very wide range of high-risk systems. But, as case studies always reveal, one needs to consider how specific each investigated situation is.  When applied, it indeed produces a specific case study, showing the unique interplay of the key dynamical features in a specific real-life context. This is why this model is defined as a ‘sensitising’ one.

It is therefore important here to recall that no model can pretend to be at the same time general, accurate and simple. The virtue of a general and simple model like this one is to identify key features in real-life situations with relevance across domains, whereas the virtue of a case study is to be simple and accurate for one particular example. One can however very well imagine the need for and relevance of feedback between these two positions, as the model must apply to the differents situations met in reality. Several empirical studies in safety critical systems have been carried out in order to demonstrate the relevance of the approach.

                                                          
                                            Jean-Christophe Le Coze at INERIS

Jean-Christophe Le Coze is now a research and consulting scientist at INERIS (National Institute of environment and risks), he is in charge of research programs for the improvement of safety assessment by combining engineering and social sciences. The collaboration with the Crisis and Risk and Research Centre (MINES ParisTech-CRC) has proved extremely useful to promote this type of research and development, as there is no other academic environment in France to support this type of highly hybrid scientific approach.