AeroAstro Annual 2

Page 43

Design for safety

At the foundation of the current limitations in engineering for safety and mission assurance is the almost exclusive use of a model of accident causation that assumes such accidents arise from a chain of failure events and human errors. While satisfactory for the relatively simple electromechanical and industrial systems for which the model was developed, it does not explain system accidents, and it is inadequate for today’s complex, software-intensive, human-machine systems.

After much frustration in trying to adapt the old model to the new engineering environment, I created a new accident causation model based on systems and control theory rather than reliability theory that can serve as the foundation for new and improved approaches to accident investigation and analysis, hazard analysis and accident (loss) prevention, risk assessment and risk management, and performance monitoring. The model integrates organizational and management factors (the safety culture) with the technical aspects of accident causation in order to fully understand the origin of accidents and successfully prevent them. Our new hazard analysis methods based on this model are now starting to be applied to defense and aerospace system design.

Nancy G. Leveson is a professor in the MIT Department of Aeronautics and Astronautics, and in the Engineering Systems Division. She is a member of the National Academy of Engineering, and has received awards for her research including the AIAA Information Systems Award, the ACM Allen Newell Award, and the ACM Outstanding Software Research Award. Her research activities have focused on system safety engineering, software engineering, human-computer interaction, and system engineering for software-intensive systems. She may be reached at leveson@mit.edu.

Confidence in the Code

