PPRuNe Forums - View Single Post - Heathrow separation
21st Mar 2008, 08:25
PBL
Join Date: Sep 2000
Location: Bielefeld, Germany
Some input from someone who analyses the safety of critical systems for a living.

slip and turn has made a crucial intervention, early on, by pointing to a paper of Peter Brooker of Cranfield on how to assess the safety of very safe sociotechnical systems. This is implicitly what most correspondents here are debating ("we're the safest"; "yes, but you're getting closer to some limit", and so on).

So has anybody else here read the paper?

Let me quote:

Originally Posted by Brooker on safety measures:
"Is the system safe?" ... getting a good answer to this simple-formed question is not easy.
Debating that, rather than the morals of individual actors, would be worthwhile. I would add something else. There is no "safe/not safe" dichotomy which it makes sense to employ. Safety can be better thought of as a continuum and the question is better phrased as assessing the level of safety.

What has happened here is fairly straightforward. A controller apparently was concerned that the level of safety in certain operations had been reduced, and that this reduction did not necessarily show up in the statistics on currently-sampled events (airproxes, MORs and so on). He expressed his concern in a report which looked at those events and others. The report was apparently well-written. NATS management apparently wanted to keep the report internal. The author and the BBC obviously thought it was worthwhile to put the information in the public domain.

Now, I don't see anything wrong with any of that, and I certainly don't see any reason for anyone to be upset at any aspect of it. If I were working in NATS management, I would likely want to keep it internal, for the usual political reasons; and if I were not working in NATS management, I would want to know the information anyway because this is a public system with a public level of safety. So there is an obvious conflict there, but it is not clear that anyone can judge which side is "right".

I work with a group of colleagues who are prominent in system safety. Many of us feel that safety information should generally be public domain. There are a number of reasons for it. One is that one major applicable standard, for functional safety of electrical/electronic/programmable electronic (E/E/PE) systems, IEC 61508, requires one explicitly to assess the publicly-acceptable level of safe operations in order to determine the so-called "Safety Integrity Level" to which a system or subsystem must be demonstrated to conform. Now, obviously you cannot determine the publicly-acceptable level of safe operations unless the public has the details. Which are often kept out of the public domain by those who have them. So there is a political problem there which hinders the application of an international standard. The easiest solution is to put that info in the public domain.

A second reason is this. The so-called safety case is a written argument that a system achieves a certain level of safety. The UK pioneered the use of safety cases, and the requirement for safety cases is now spreading throughout the world. Most of the safety cases which I have seen, however, have included very poor arguments which do not necessarily establish the conclusion (that the required level of safety has been reached). One set of exceptions to that general observation on poor safety cases is, I believe, the safety cases for U.K. nuclear plants, which are exemplary in their arguments for a given level of safety and on which my colleague Bev Littlewood is a principal consultant. Many of us feel that an obvious way to improve the quality of safety cases, and thereby to assure that the level of safety achieved by a system is well-established, is to require safety cases to be public, and thus potentially subject to open peer review by anyone who cares to do so.

It does seem clear that, if the trend is for the public to be required to determine a level of acceptable safety for systems which involve public safety, then that information must be made publicly available.

PBL