STAMP in Workplace Safetypsas.scripts.mit.edu/home/wp-content/uploads/2017/04/2017-MIT... · •...

STAMP in Workplace SafetyEmily HowardSenior Technical FellowMarch 27, 2017

Disclaimer: The information in this presentation is not intended as direction or recommendations, but simply sharing how the Boeing Company is using STAMP to make our workplace safer.

Notwithstanding any assignment or transfer to the Publisher, or any other terms of this Agreement, the rights granted by Boeing to Publisher are limited as follows: (i) any rights granted by Boeing to the Publisher are limited to the work-made-for-hire rights Boeing enjoys in the Work; (ii) Boeing makes no representation or warranty of any kind to the Publisher or any other person or entity regarding the Work, the information contained therein, or any related copyright; and (iii) Boeing retains a non-exclusive, perpetual, worldwide, royalty-free right, without restriction or

limitation, to use, reproduce, publicly distribute, display, and perform and make derivative works from the Work, and to permit others to do so.

Copyright © 2017 Boeing. All rights reserved per conditions on title page.

BoeingDr. Emily Howard, Senior Technical Fellow, Human Factors, Defense, Space & SecurityKatherine Belvin, Liaison Engineer, Defense, Space & SecurityPaul Staszak, Systems Engineer, Defense, Space & SecurityShawna Murray, Health & Safety Specialist, Environment, Health & SafetyLiz Juhnke, User Experience Designer, Information Technology & Data Analytics

Liberty Mutual Research Institute for SafetyDr. Larry Hettinger, Principal Research Scientist, Human Factors Engineering

MITMegan France, Master’s Candidate, Aeronautics and Astronautics (Human Factors)

The Team


Outline

• Project Overview• Role of Human Factors• Overview of Workplace Safety • Exercise: Application of STPA

• Control Structure• Unsafe Control Actions• Causal Scenarios

• Summary and Conclusions


Recent challenge from our CEO: “Achieve step function improvement in workplace safety”

The engineering vice-president for Boeing Defense, Space and Security retained the services of Dr. Nancy Leveson in May 2015.

Guided by Dr. Leveson, a limited engineering study team has embarked on a 3 year journey to explore STAMP methodology and determine its feasibility for application to workplace safety.

Dr. Leveson recommended reaching out to Liberty Mutual Research Institute for Safety who have partnered with us.

How We Got Involved with STAMP


Our Safety Analyses Start with a Specific View of Human Factors

• Boeing’s human factors’ expertise derives from decades of commercial and military aviation research.

• Our mission success can only be assured through successful human performance.

• Our goal is to identify systemic influences on human judgment and behavior.

• Don’t stop with what people did wrong, but try to understand why it made sense to them to do what they did.

• Determine how to change the environment in order to change the human behavior.

Focus on changing the environment, process

and/or tools rather than trying to change

the person!

Copyright © 2017 Boeing. All rights reserved per conditions on title page.Action and Feedback Loops for All Controlled Processes

• Includes assigned role, action (decisions/behaviors) and feedback (information/metrics) loop

• Utilizes product safety practices applied to the workplace• Addresses hazards in both

development and operations

• Used for engineering analysis to reveals systemic causal conditions of incidents (safety and quality)

Building a Control Structure at Boeing


STPA: Hazard Analysis Based Upon Safety Control Structure

Controlled Process

ControlActions Feedback

Controller

• Systems Theoretic Process Analysis (STPA) provides a systematic way to identify or anticipate hazards, due to unsafe control actions

• STPA utilizes a control structure diagram, which represents system behavior as the interaction between a controller and a controlled process

• Four types of unsafe control actions:• Control actions are not executed when they are required for

safety• Control actions are executed when they should not have been• Potentially safe actions are executed too early, too late• An extended control action stops too soon or is applied too

long


Generic Exercise: Lock Out Tag Out Try Out (LOTO)

OSHA 29 CFR 1910.147: requires employers to establish a program and utilize procedures for affixing appropriate lockout devices or tagoutdevices to energy isolating devices, and to otherwise disable machines or equipment to prevent unexpected energization, start up or release of stored energy in order to prevent injury to employees.

1. What is the undesired accident or loss?2. What is the associated hazard?3. What is the primary safety constraint for

the system?4. What are the controllers and process(es)

that make up this system?


Generic Exercise: Lock Out Tag Out Try Out (LOTO)

Accident or Loss Hazard Safety Constraint

System or Component: Require work and be capable of isolating or releasing energy.

Lock or tag: Indicate LOTO and maintain LOTO status.

Enforce zero-energy state

A-1: Workers are killed or injured on the job.

H-1: Workers are exposed to hazardous energy.

SC-1: Workers shall not be exposed to hazardous energy.

Try your hand at creating a simple LOTO control model, adding an employee to the model below and showing the actions and feedback

OSHA 29 CFR 1910.147: requires employers to establish a program and utilize procedures for affixing appropriate lockout devices or tagoutdevices to energy isolating devices, and to otherwise disable machines or equipment to prevent unexpected energization, start up or release of stored energy in order to prevent injury to employees.


Possible Answer:Simple LOTO Control Model

Employee(s): Perform work and LOTO according to appropriate procedures


System statusEnergy status

Select LOTO procedureShut down system

Tryout/Release stored energyPerform work

Restore system


Lock/tag status

Apply lock or tagRemove lock/tag


LEGENDGreen content depicts Actions.Blue content depicts Feedback.


LOTO Complexities—what if you added another employee?

Primary Employee. A Primary Employee (PE) is appointed …when work on a job requires hazardous energy control and more than one employee working. The PE is responsible for establishing the LOTO and …installing the Lockout Devices and LOTO Tags. The PE is also responsible for removing the Lockout Devices and LOTO Tags, …and restoring the system as required after the completion of the work.

Secondary Employee. An employee(s) whose work requires lock out of aircraft/aircraft systems in order to perform work on the aircraft. A Secondary Employee (SE) can also be a Primary Employee when working in a group.


Assignment: Diagram and then discuss with a neighbor (handouts)

• How would the control model change to depict two Employees, a Primary Employee (who secures LOTO) and a Secondary Employee (who performs work under LOTO protection)?









Restore system


Lock/tag status


Possible Answer: LOTO with Two Employees Having Separate Responsibilities

Primary Employee: Performs LOTO according to appropriate procedures


Select LOTO procedureShut down

Tryout/Release stored energyRestore system



Enforce zero-energy stateWork status

Secondary Employee(s): Perform(s) work and follow(s) safety instructions.Perform work

Report work status and issues

Confirm LOTO protection



Lock/tag status


Next Step: Identify Unsafe Control Actions--Example of LOTO UCA’sStandard UCA Syntax:“Controller issues Action/Type when or while Context or Conditions are Present, leading to a Hazard

Sample Control Action

Applying causes hazard

Not applying causes hazard

Wrong Timing or Order (Too soon/ too late)

Applied too long/ Ended too soon

Perform work on system

UCA-1: Secondary Employee performs work on the system while the system is not locked out. [H1]

UCA-2: Secondary Employee performs work on the system too soon, before the system is locked out. [H1]

UCA-3: Secondary Employee continues to perform work on the system when lock-out protection is removed. [H1]

Remove Lock/tag UCA-4: Primary Employee removes lock/tag while the system is still being worked. [H1]

UCA-5: Primary Employee removes lock/tag before the work is complete. [H1]


Example Causal ScenariosFor each UCA, what are the plausible reasons or situations that could lead to that occurrence?Secondary Employee performs work on the system while the system is not locked out (UCA-1)

• Scenario 1.1: because the Primary Employee (in charge of LOTO) had not yet performed LOTO and the Secondary Employees was not notified of this delay.

• Scenario 1.2 because the Secondary Employee does not believe the energy level is hazardous.

• Scenario 1.3: because the system had been locked out previously, but was no longer, and the Secondary Employee assumed it was still locked out.

• Scenario 1.4: because the Secondary Employee had previously performed this work when the system was not energized and had not experienced LOTO for this job before.

• And so on…

What are some other possible situations that could lead to this?


What if We Examine Other Losses?Accidents or Losses HazardsA-1: Workers are killed or injured on the job. H-1: Workers are exposed to hazardous energy. A-2: Systems or equipment are damaged. H-2: Systems or equipment are exposed to excessive levels of hazardous energy. A-3: Scheduled work is not completed on time. H-3: Production, delivery and/or maintenance commitments are missed.

Control Action

Applying causes hazard

Not applying causes hazard

Wrong Timing or Order (Too soon/ too late) Applied too long/ Ended too soon

Perform work on system

UCA-1: Secondary Employee performs work on the system while the system is not locked out [H1, H2].

UCA-6: Secondary Employee does not perform work on the system while the system is locked out [H3].

UCA-2: Secondary Employee performs work on the system too soon, before the system is locked out [H1, H2].

UCA-7: Secondary Employee delays performing work on the system after the system is locked out [H3].

UCA-3: Secondary Employee continues to perform work on the system when lock-out protection is removed [H1, H2].

UCA-8: Secondary Employee stops performing work on the system too soon when lock-out protection is still in place [H3].

Remove Lock/tag

UCA-4: Primary Employee removes lock/tag while the system is still being worked [H1, H2]

UCA-9: Primary Employee does not remove lock/tag when the work is complete [H3].

UCA-5: Primary Employee removes lock/tag before the work is complete [H1, H2].

UCA-10: Primary Employee delays removing the lock/tag after the work is complete [H-3].

N/A (discrete)


Next Exercise: What happens when tasks that require LOTO have to be performed at the same time with tasks that don’t?

• Hint: assume two more new controllers, a Supervisor, who assigns work, and a Task Coordinator who checks for conflicts and signs off on LOTO

Primary Employee: Performs LOTO according to appropriate procedures






Lock/tag status








Primary Employee: Performs LOTO according to appropriate procedures.






Lock/tag status







Assign Primary EmployeeApprove LOTO

Task Coordinator: Checks for conflicts & signs off on LOTO.

Supervisor: Assigns work and appoints TC.

Assign TCSet Priorities

Report major issues

Assign work packages

Check in, discuss work packagesRequest LOTO approvalReport LOTO status and issues

Possible Answer: Addition of Supervisor and Task Coordinator

Check in with TCDiscuss work packages


Early LOTO Control Model


Many STPA Results Involved Hazards with the Logbook*For Example…• Controller: (Secondary) Authorized Employee

(AE)• Control Action: AE signs into LOTO Log Sheet• Unsafe Control Action: AE does not sign into the

Log Sheet when LOTO is active because…• Causal Scenarios:

• … AE can’t find the sheet• … AE forgot• … AE thought someone else filled it out

*See paper on The Human Element in STPA later in this conference (Juhnke).


Manager/Supervisor/Team LeadEnsures all necessary work is performed on the aircraft. Ensures a GC exists for each aircraft to oversee LOTO.

Group Coordinator (GC)Ensure that work tasks do not conflict or lead to hazards.

Primary Authorized Employee (PAE)Follows LOTO procedures and communicates with other workers to provide LOTO protection to all authorized employees, as well as supporting non-employees who require hazardous energy protection.

Authorized Employees (AE)Perform flight line work activities according to work package. Follow HECP and PAE safety instructions.

LogbookMaintains record of active LOTO activities.

Lockout device & tagsMaintain safe system status; Prevent hazardous exposures.

Aircraft circuit, system, or componentExist in a safe state for work.

30. Assess GC capability/knowledge

31. Assign GC

Status of current LOTO

21. Check in with GC

Report major LOTO issues

Energy statusWork status

2. Select HECP3. Develop discrete

LEGEND:

Green content depicts Actions; Blue content depicts Feedback

4. Shut down5. PAE Tryout/Release

stored energy6. Restore system

7. Verify LOTO is intact

8. Apply lock or tag9. Remove lock or tag

1. Enforce zero-energy state

32. Assess AE capability/knowledge33. Assign work package to AE

17. AE Tryout system18. Assigned work

22. Ensure PAE assigned23. Approve Apply LOTO

24. Approve Remove LOTO

25. GC Review/validate Logbook

26. GC Sign in* 27. GC Sign-out**

19. AE Sign in 20. AE Sign-out

10. PAE Create logsheet

11. Track AEs on log sheet

12. Insert HECP or discrete form

13. PAE Sign in* 14. PAE Sign-out**

Check in, discuss work packagesRequest LOTO approvalReport LOTO status and issues

Status of all active LOTO tasks

Lock statusTag status




Status of current LOTO

*Upon LOTO opening or new shift**Upon LOTO closure or end of shift

Hazardous Energy FocalSupports the oversight of LOTO process and safety.Supports LOTO shift changes and factory to field changes.

36. Assess PAE capability/knowledge

37. Assign PAE38. Assign work package to PAE

35. Provide safety resources LOTO

questions and

feedback

LOTO issues status

39. Provide LOTO support

and information

to GC

40. Provide LOTO

support and information

to PAE

LOTO questions and feedback

41. Validate lockout status accuracy

42. Provide LOTO support and information to AE43. Validate Logbook status accuracy

34. Management removal of LOTO (PAE absent)

Discuss work packages

28. Ensure concurrent work is compatible and does not create hazards

Affected EmployeeAccess Aircraft

45. Employee enters aircraft

16. Communicate status to Affected Employee

44. Affected Employee request aircraft access

46. Transmit energy information to next shift/

location (transfer/induct) GC

Review current LOTO status and aircraft

configuration

47. Transmit energy information to next shift/location (transfer/

induct) PAE


configuration

48. Transmit energy information to next shift/

location (transfer/induct) AE


configuration

Next Shift/Stall Group Coordinator (GC)Ensure that work tasks do not conflict or lead to hazards.

Next Shift/Stall Primary Authorized Employee (PAE)Follows LOTO procedures and communicates with other workers to provide LOTO protection to all authorized employees, as well as supporting non-employees who require hazardous energy protection.

Next Shift/Stall Authorized Employees (AE)Perform flight line work activities according to work package. Follow HECP and PAE safety instructions.

15. Obtain concurrence on discrete

Qualified PersonExamine discrete requestConcur with

discrete

29. Authorize Affected Employee aircraft access

Latest LOTO Control Mode


STPA Challenges*

• Analysis results in too much data for easy comprehension• Controllers: 13• Control actions: 48• Unsafe control actions: 200• Causal scenarios that could result in incidents or injury: 958

Challenges• How to put all of this data into context of the “bigger picture”?

• How to translate that knowledge into business decisions?

*See paper on Using STPA Trend Analysis later in this conference (Belvin)


Unique Aspects of STPA for Workplace Safety• Workplace STPA is similar to traditional product safety STPA, save that nearly every controller and

process is likely to be human.• A more challenging distinction is that these human controllers in the system often represent more

than one individual or possibly a team.• Can be hard to know what level of modeling detail needs to be captured• Causal scenarios may be specific to an individual or subset of individuals

• But even with single individuals representing unique components in the system, people also exhibit significant variability over time.

• Performance will be inconsistent and subject to many factors• Learning• Fatigue• Attentional distraction• Memory lapses• Decision biases and errors• Mood and arousal

• Can be hard to capture the range of possible expected behaviors completely• As with most analysis techniques, the value is doing just enough assessment to support system

changes that will mitigate the identified hazards.• Be mindful of the realistic opportunities for change in the system and focus on those.


In Summary

• STAMP & STPA are very well suited to the analysis of safety hazards in the workplace.• STPA process is highly modular and scalable to address targeted areas of interest

• But recommend modeling the whole system at a high level first, to capture all of the relevant influences

• STAMP provides a very comprehensive understanding of the problems, system-wide, and helps bring diverse stakeholders together in finding solutions.

• Can support a better business case for system-level changes• Unlike many classical safety methods, (RCCA, review boards, etc) STPA is highly

proactive, and does not require actual incidents/injuries to be effective.• Can result in more exhaustive list of hazards to be mitigated than business leaders

would like to hear• May need to offer a prioritization and recommended resource management approach toward

mitigation• Effective application requires key participation from human performance experts and a

solid user research approach with a pool of end users• These represent the most knowledgeable “system experts” to drive STPA results.


Handout









Restore system


Lock/tag status

STAMP in Workplace Safetypsas.scripts.mit.edu/home/wp-content/uploads/2017/04/2017-MIT... · •...

Documents

Transcript of STAMP in Workplace Safetypsas.scripts.mit.edu/home/wp-content/uploads/2017/04/2017-MIT... · •...