Leveson对系统安全的7种新认识

   系统安全工程自上世纪五六十年代在美国被创立以来，就已经在全世界得到广泛的应用。但从那之后，国际上有关系统安全工程方面的理论研究进展并不是很多，比较典型的理论研究新进展可能要算美国MIT的Nancy G. Leveson教授所著的Engineering a Safer World: Systems Thinking Applied to Safety，该书于2012年在The MITPress出版，中文版书名为《基于系统思维构筑安全系统》，由唐涛和牛儒翻译，于2015年在国防工业出版社出版。

   国内自上世纪70年代末开始引进系统安全工程，之后也得到了广泛的推广应用。但由于大多数安全科技工作者习惯应用国外的有关理论和方法，忽略了从理论和方法层面的创新研究，因此这么多年过去了，安全系统工程教科书里仍然是一些几十年国外发明的安全分析和安全评价方法。

   以下是吴超学习NancyG. Leveson一书的一点摘录，其中对过去系统安全的7种认识的质疑和新的认识内容感觉还比较新颖和不错，故用双语摘录出来分享给大家。

   ——注：南希. 莱文森，美国麻省理工学院航空与宇航学专业教授，也是美国国家工程院院士，她在美国加州大学洛杉矶分校学习数学、管理和计算机三个专业，1980年获博士学位。Nancy G. Leveson, professor of Aeronautics and Astronautics at MIT.She received all her degrees, in math, management, and computer science, fromUCLA (Ph.D. 1980).

第1章为什么需要不同的方法Why do we need something different?

主要原因如下：

（1）技术进步加快Fast pace of technological change

（2）以往经验的作用降低Reduced ability to learn from experience

（3）事故本质发生变化Changing nature of accidents

（4）新的危险类型New types of hazards

（5）复杂性和耦合性增加Increasing complexity and coupling

（6）对单个事故的容忍度下降Decreasing tolerance for single accidents

（7）难以选择优先级及折中Difficulty in selecting priorities and making tradeoffs

（8）人与自动化系统之间的关系更加复杂More complex relationships between humans and automation

（9）法规及公众对安全认识的变化Changing regulatory and public views of safety

第2章对传统安全工程基础的质疑Questioning the foundations of traditional safetyengineering

“人们的苦恼不在于他们不懂，而在于他们懂得太多似是而非的东西！”

“It's never what we don't know that stop us. It's what we do knowthat just ain't so.”

2.1混淆安全性和可靠性Confusingsafety with reliability

出现以下现象：

1.可靠但不安全Reliablebut unsafe

2.安全但不可靠Safebut unreliable

3.安全性与可靠性之间的矛盾Conflictsbetween safety and reliability

4.组织层的安全性与可靠性Safetyversus reliability at the organizational level

老的认识1：安全性随系统或组件可靠性提高而增强。如果组件或系统没有故障，事故就不会发生。Safety is increased by increasing system or component reliability.If components or systems do not fail, then accidents will not occur.

新的认识1：高可靠性对安全性来说既不是必要条件也不是充分条件Highreliability is neither necessary nor sufficient for safety.

2.2将事故致因描述为事件链Modelingaccident causation as event chains

老的认识2：事故是由直接相关的一连串事件造成的，可通过分析导致损失的事件链来弄清事故和评估风险。Accidents are caused by chains of directly related events. We canunderstand accidents and assess risk by looking at the chain of events leadingto the loss.

新的认识2：事故是涉及整个社会技术系统的复杂过程，传统的事件链模型不能充分描述这一过程。Accidents are complex processes involving the entiresocio-technical system. Traditional event-chains cannot describe this processadequately.

理由是：

2.2.1直接原因 Directcausality

事件链模型中事件之间致因要求是直接的和线性的，这表示前置事件必须发生且相应的条件必须具备以后，后置事件才能发生：如果事件A还没有发生，那么，其后置事件也不会发生。这很难或者不可能描述非线性关系。The causal relationships between the events in event chain modelsare required to be direct and linear, representing the notion that thepreceding event must have occurred and the linking conditions must have presentfor the subsequent event to occur: if event A had not occurred then thefollowing event B would not have occurred. It is difficult or impossible toincorporate nonlinear relationships.

2.2.2 选择事件的主观性Subjectivityof selecting events

2.2.3 选择事件链条件的主观性Subjectivityof selecting the chaining conditions

2.2.4 忽视系统因素Discountingsystemic factors

2.2.5 在事故模型中包括系统因素Includingsystems factors in the accident models

2.3 概率风险评估的局限性Limitationsof probabilistic risk assessment

老的认识3：基于事件链的概率风险分析是评估和表达安全与风险信息的最佳途径。Assumption 3: Probabilistic risk analysis based on event chain isthe best way to assess and communicate safety and risk information.

新的认识3：除了概率风险分析，还可以其他方式更好弄清并交流风险和安全。Risk and safety may be best understood and communicated inways rather than probabilistic risk analysis.

2.4 事故中操作员的作用

老的认识4：大多数事故是由操作员的错误引起的，奖励安全行为和处罚不安全行为将消除或减少事故。Most accidents are causedby operator error. Rewarding safe behavior and punishing unsafe behavior willeliminate or reduce accidents significantly.

新的认识4：操作员的行为是其发生环境的产物。为了减少操作员的“错误”，我们必须改变操作员的工作环境。Operator behavior is a product of environment inwhich it occurs. To reduce operator "error" we must change the environmentin which the operator works.

2.5 事故中软件的作用The role of software in accidents

老的认识：高可靠性软件是安全的。High reliable software issafe.

新的认识：高可靠的软件不一定安全，增强软件可靠性或减少实现错误对于安全性影响较小。High reliable software is not necessarily safe.Increasing software reliability or reducing implementation errors will havelittle impact on safety.

2.6 系统的静态观和动态观

老的认识6：重大事故源自随机事件碰巧同时出现。Major accidents from thechance simultaneous occurrence of random events.

新的认识6：系统趋于向高风险迁移，这种迁移是可以预见的，并且能够通过适当的系统设计来防止或通过运行中风险增加的先兆指标来检测。Systems will tend to migrate toward stage ofhigher risk. Such migration is predictable and can be prevented by appropriatesystem design or detected during operations using leading indicators ofincreasing risk.

2.7 关注追究责任The focus on determining blame

老的认知7：划分责任对从事故或未遂事故中吸取教训及防止事故或未遂事故是必须的。Assigning blame isnecessary to learn from and prevent accidents or incidents.

新的认知7：处罚是安全的敌人。应该将重点放在了解整体的系统行为是如何导致损失的，而不是把事故归咎于谁或什么方面。Blame is the enemy of safety. Focus should be onunderstanding how the system behavior as a whole contributed to the loss andnot on who or what to blame for it.

更多内容有兴趣可自己找书学习。