dent Models A Systems Theory Model of Accidents Accidents arise from interactions among humans, machines and the environment Not simply chains of events or linear causality but more complex types of causal connections Safety is an emergent property that arises when components of system interact with each other within a larger environment a set of constraints related to behavior of components in system enforces that property Accidents when interactions violate those constraints (a lack of appropriate constraints on the interactions) Software as a controller embodies or enforces those constraints A Systems Theory Model of Accidents(2) Safety can be viewed as a control problem e.g. o-rings did not adequately control propellant gas release Software did not adequately control descent speed of MPl Safety management is a control structure embedded in an adaptive syster Events indirectly reflect the effects of dysfunctional interactions and inadequate control Need to examine control structure itself to understand accidents Result from Inadequate enforcement of constraints At each level of socio-technical system controlling development and operations✎✞✝✞✏✄✝✞✍✄☛✞✟☞✑③❏❑▲✞✒ ￾✂✁✄✁✄☎✆⑤✝✞✟✞✠✞✡✵☛✞✆⑤✝✞✌✍ c A Systems Theory Model of Accidents Accidents arise from interactions among humans, machines, and the environment. Not simply chains of events or linear causality, but more complex types of causal connections. Safety is an emergent property that arises when components of system interact with each other within a larger environment. A set of constraints related to behavior of components in system enforces that property. Accidents when interactions violate those constraints (a lack of appropriate constraints on the interactions). Software as a controller embodies or enforces those constraints. c ✎✞✝✞✏✄✝✞✍✄☛✞✟☞✑③❏✞❏❑▲ ￾✂✁✄✁✄☎✆✞✝✞✟✞✠✞✡☞☛✞✆✞✝✞✌✍ A Systems Theory Model of Accidents (2) Safety can be viewed as a control problem e.g. O−rings did not adequately control propellant gas release Software did not adequately control descent speed of MPL Safety management is a control structure embedded in an adaptive system. Events indirectly reflect the effects of dysfunctional interactions and inadequate control Need to examine control structure itself to understand accidents Result from: Inadequate enforcement of constraints At each level of socio−technical system controlling development and operations