The safety culture 

by A. Autino 

The calendar of disasters, assembled through a rather random search on the internet and covering the period from the 1970s to date, is not complete, nor was it meant to be. I simply intended to give a picture of a certain number of defeats of our engineering and our technology: cases in which those who had custody of a number of human lives were unable, or unwilling, to honour the trust that those people placed in them. We are speaking of 11,355 verified victims in little more than 30 years, the sum of the dead in the listed catastrophes: aerial, naval, nuclear, railway and industrial accidents. 

The chapter on safety, if we aimed to deal with it completely, would obviously be very much wider: it would include occupational safety and deaths at work, which still occur in intolerable numbers even in our post-industrial electronic age. It would include industrial diseases, natural disasters, crime and road accidents. And even the holocausts of war would, to be honest, belong in a global discussion of safety. But I decided to focus this essay only on accidents caused by the lack, or the inadequacy, of technological systems (that is: on what we could do without requiring complex political programmes). 

Nor is it a goal of this article to analyse the social context in which the majority of these accidents occurred. The data required to perform such analyses will likely never be available: in the former real-socialist countries certain news was carefully hidden, except when it could not be hidden (Chernobyl), and even the so-called free societies do not always communicate every accident to the media. 

I have read a lot of criticism of the policy of privatising public services, particularly railways, of which the British government has been the pioneer. But I do not believe, as I have already had the opportunity to say about other problems, that a big difference exists between public and private management. In both systems two implacable enemies of culture and of respect for human life flourish: corruption and bureaucracy. Public and private (opponents in the comedy of electoral politics) mesh perfectly when it is time to do business at the citizens' expense. 

Nevertheless both the private profiteers and the bureaucrats (public and private) have to answer for their actions: not so much to judges, who are often complacent, but to the market, if they want to keep doing their business (more or less clean). The market is made up of the citizens, and the citizens are swayed by strong tides of opinion which in certain periods seem to take on a life of their own, so powerful do they appear. It is said that even the oil lobbies had to reckon, at the market level, with the powerful movements of opinion born after catastrophes such as that of the Exxon Valdez, which on March 24th 1989 spilt about 11 million gallons (some 42 million litres) of crude oil into the sea off Alaska. 

Surely, after the disaster of the Mont Blanc Tunnel, which in March 1999 caused the death of 39 people, horribly, among the flames, and after the more recent fire in the Gotthard tunnel, and after the aerial and railway disasters of the last ten years, the demand for safety may even be growing. It would be a demand that runs against the trend of the historical period we are living in. It would be, in fact, a demand for the safety of humans: something that today is worth, on the market, surely much less than the safety of nature or the environment. 

Nevertheless we have a legitimate hope that, given the high number of human sacrifices, someone will finally start to move away from the various philosophies of human sacrifice still so deeply rooted in our society (please see also the numerous articles on tdf on this topic), and to ask for greater safety for humans. Such a demand has ideological enemies in great quantity, and not only corruption and bureaucracy. To start with, anyone who woke up to the value of a human life would also have to stop considering technology a calamity. And this is not easy, in a society where technological development is held responsible for much of the evil and impending danger to humanity. Other enemies, less known to public opinion, are the huge underestimation of the testing culture, and the thoughtless, irresponsible lightness with which automation systems are designed. Tunnels, transport aeroplanes, maritime transport, railways, production facilities and any continuously operating plant: all of these, since the 1980s, have in fact been operated by means of automation systems. People perhaps imagine that, in the world of globalisation, designers always work at the frontier of technological possibility, and that, when a disaster happens, it is always attributable to human error or to unavoidable technological problems. This false picture is also fostered by the continuous development of communication technologies (mobile telephony, etc.). People get used to the frontier, and come to think that all design activity follows the rules of continuous experimentation. In other words, we have the illusion of living in a scientific society.

But, pay attention: our lives rarely depend directly on communication technologies, while they often depend, even if we do not know it, on automation systems. We have already analysed, on tdf, the computer science revolution riding the internet and telephony wave, and how such a single-minded revolution resulted in a dramatic decline of the real-time automation systems culture, with a corresponding detrimental effect on safety-critical systems. 

To that hypothetical demand for safety and reliability, which I hope continues to grow, we must therefore answer in a suitable way, and provide, in due course, some elements of suitable education. But for now we have nothing more than a generic attention to the problem of safety, which merely results in lengthier negotiations during the choice of suppliers, and rarely in a concrete budget for safety. 

In fact, continuing to list the enemies of safety and reliability, three are evident to whoever works in the sector: (i) the offloading of responsibility, (ii) the cost-planning culture, (iii) the management of subcontractors. 

As for responsibility, recent tragedies have further lowered the profile of those who should sign the projects and therefore assume responsibility for them. People like, above all, to earn, and much less to take on any responsibility. They therefore spend a large part of their time studying how to offload responsibility, rather than designing safe systems. The fact that nobody is willing to take responsibility is a huge obstacle to the strategy of testing and acceptance: nobody is better placed than the designer of the system, experienced in the physical processes to be controlled, to draw up the acceptance test procedures for the plant. But in many cases the designer/technologist simply... does not exist! Since he does not exist, the designer cannot bear responsibility for the project, or for the acceptance testing of the finished plant. And, notwithstanding all the claimed quality standards, the specification documents carry no title, no signature of whoever conceived and wrote them, no release number, no date, etc. 

Reasonable people probably think that, when high-safety plants are involved, researchers and university professors are called in to act as experts and project coordinators. It is true, after all, that getting professors to reason about budgets and time schedules is usually very difficult: it would end up multiplying the costs by a factor of at least 10. Besides (another commonplace), professors love Pindaric flights, and their reports often contain little pertinent scientific content with respect to the goals of the commission, with a consequent expansion of completion times. So, apart from a few cases of international importance (e.g. for the new Mont Blanc tunnel Prof. Rubbia was involved), universities and research institutes are excluded a priori. Who, then, does the design? The suppliers, of course, each for its own area of competence. Put like this, it almost seems a reasonable thing, but it is not at all! 

The design of any complex plant necessarily has to draw on different competences, at least: 

  1. one or more experts in the physical process (or processes) to be supervised and controlled, 
  2. an experienced supplier of automation systems (better if with some experience in the specific technological application),
  3. experienced suppliers of the different plant parts, instrumentation and devices. 

The type 1 experts must: 

  1. produce the functional specification (or user requirements document) and the acceptance test procedure; 
  2. answer all questions and comments about the user requirements; 
  3. act as project coordinator, validating the documents and the executive design; 
  4. check the progress of the different work packages; 
  5. witness the acceptance test of the plant when commissioning is completed, and put their own signature on the executed test procedures. 

Lacking such a figure, the main contractors (usually civil works enterprises, with little technical competence in matters of automation and plants) proceed as follows. First they issue the tender for the automation system: the big hardware manufacturers (PLCs, supervision software, etc.), in order to win the tender, present themselves as experts in whatever physical process is involved, on top of their specific expertise in automation hardware and systems. Sometimes this is almost true, if the supplier has seen a good number of cases in the same technological context. But more often it is as if a producer of classical music records claimed to be an orchestra conductor. The technical studio (director of works) is very happy: they will have the draft specification ready, and they can show that they are not its originators (meaning less responsibility)! With such a draft in hand, the director of works starts requesting proposals from the suppliers of the different plant parts, each of whom is very happy to show its great competence in its own particular physical process (measuring instruments, radar, controls, etc.). The enterprise has no difficulty in choosing the suppliers, having no specific competence of its own: it simply chooses the lowest price. At the end, the building enterprise and the director of works hold a complete specification in their hands. 

In reality, such a specification is a mess: a collage of different proposals that nobody took care to standardise and rework into an organic and coherent project document. But this is not a problem either: the more incomprehensible and contradictory the specification, the harder it will be to assign responsibility for the user requirements to the director of works or to the building enterprise. 

But then the reasonable person who has followed us this far will wonder, at this point, how these systems can work correctly despite everything. Dear friends, it is true: the systems usually work, and people lose their lives only sometimes, not continually, as we might suppose. Such a strange result depends on the ordinary ability of technicians to work miracles. The Italian technician (I speak mainly of the reality I know best) is used to getting by. If he sees that the project coordinator is missing and that the project is a very shaky affair, look at his face: you will see him clench his jaw, knit his brow, even curse, and then you will see him absorbed. In this way solutions are found daily, re-invented tens and hundreds of times: what is really extraordinary is that they almost always work. The test procedures too are, for good and for bad, invented by the technicians. Many, in spite of all the quality methodologies, are left to the goodwill of individual technicians and programmers. The whole supply chain above them is well aware of this way of working: they shamelessly take advantage of it, pocketing lavish profits and offloading responsibility. 

Now I have told you things as they are. The key to improvement lies, as often happens, in the handling of the process. A small but fundamental change of mentality is needed: to start considering that human life is the supreme value, that life depends on the reliability and safety of technology, and that safety therefore deserves a specific budget (nowadays mostly denied). If we begin with this priority we will also find methods to share the heavy load of responsibility that comes with high-reliability and safety-critical systems. 

On the availability and safety of software systems, please see also (in Italian):

[004.AA.TDF.1/2002 - 12.01.2002]
[English version was revised by Ben Croxford]