May 19, 2012


Professor Salvador Raza's foreword for the Losses Prevention and Investigation Manual: APICE Methodology


Professor Salvador, member of the team hired by the Obama administration to propose a comprehensive reform to the policy and the methods used by the United States, presents his analysis of the APICE Methodology.

Professor Salvador Raza honored us with the preface of the “Loss Prevention and Investigation Manual: APICE Methodology”, where he makes a very interesting and thorough analysis of this methodology. Having the endorsement of a professional of his stature fills us with pride and even more confidence in our products.

Preface



As technology expands, systems and systems of systems are built or (re)potentiated, increasing the risk to operators, maintainers, and even to pedestrians and people at their homes, work or leisure. Some of these risks project only a few occurrences of property damage, almost inconsequential, while others have potential for catastrophe, threatening to reap hundreds of lives at once. The more we understand the structure of the causes of these risks, the more we can act to reduce the probability of their effects, as well as the possibility of their spread.

On the one hand this statement summarizes and explains the purpose of Loss Prevention and Investigation, on the other it reveals the existence of three critical uncertainties underlying the scope of this operational area competence: uncertainty about cutting criteria, about the correlations, and about scalability.

The order of presentation of these three critical uncertainties generates no priority of one over the others, since in reality the prevention and investigation of damage will always face a combined manifestation of the three, although with varying degrees of contribution from each one of them.

The first uncertainty, on the cutting criteria, lies in the correlation between the increase curve of systems technological complexities and risk curve, which is neither direct nor simple, greatly hindering the development of metrics capable of instructing design decisions about the need for more and better safety devices, or recommend changes in regulatory standards and operational protocols. It is related to the possibilities of routes of failure interaction due to the system architecture. If we can map these routes, we can understand why accidents tend to occur in these systems, which technologies should be abandoned, which cannot, and which should be modified. When routes are linear, the model (IPS) “fault indication, problem-type, standardized solution” works well. The loss prevention aims at ensuring that all the many critical routes are properly verified and validated as for their logical functioning.

Aeronautical systems, for instance, have a huge amount of these routes, all of them associated with operational protocols that seek to ensure timely correction or compensation of failures within the limits of minimum safety requirements. But in terms of very short work response time of the current aeronautical systems and the degree of interaction among these systems, the modern accident investigation should go beyond, ensuring also that potential capillary routes are identified, verified, and then qualified.

Other complex systems, in addition to the aircraft, also have capillary routes. The investigation of the accident in the U.S. nuclear power plant at Three Mile Island was traced to breakdowns in capillary routes, which caused the interaction of multiple failures with alarms (the “symptoms”) lagged standardized operational sequences. A safety valve of the reactor cooling system locked open – when it should be closed, with its operation indicator in a secondary panel away from the control system main panel – and the condenser circulation pumps disconnection, by a temperature sensor in drainage system, led to the brink of nuclear catastrophe. The pump stopped because the sensors indicated correctly the possibility of flooding the condenser; without movement, the pressure in the reactor core increased, causing the output to go through the exhaust system to try to reduce this pressure.

The indicators showed just the opposite of what actually occurred, causing the performance of operators, even being according to the operational protocols, to aggravate the problem in a positive feedback that led to the emergency automatic shutdown of the plant. But then the damage to the primary system was already irreversible. With the control systems of the nuclear reaction stopped, the nucleus continued to produce energy, without cooling. The process was getting worse, creating a huge “bubble” of hydrogen that could explode at risk of contaminating millions of people on the American East Coast.

With the turn-taking, new entrants, without a picture of the situation induced by the initial symptoms, which had enabled the previous team to interpret and respond, created new hypotheses, identified the fault and activated two circulation pumps for secondary systems, that had not been designed for that, to cool the reactor core, trying to lower the pressure in the core. One of the pumps failed immediately due to the intense reaction; the other, luckily, managed to cool the core, preventing the catastrophe.

In systems with capillaries, the failure cannot be isolated in a single chain of effects, causing an attempt to recover an initial loss of safety conditions, by the operator, not to be feasible or desirable, since the action by the operator may aggravate the resulting loss, because, in the short time available to respond, he is not able to know what the real problem is.

As a consequence, the prevention and investigation of damage hold much greater sophistication to account for the complexity of systemic failures. Prevention and investigation complement each other, creating their own terms of effectiveness.

Whereas the loss prevention increases the capacity of the system (including the operator) to prevent the spread of damage by stopping the effect linear chains, before its impact gain unanticipated capillaries in critical systems; the loss investigation tries to understand the structure of the causes of accident, searching for the effects to identify where and how prevention failed in order to, thereafter, improve its procedures, processes and techniques.

The second uncertainty determines the correlation between the increase or decrease of the severity of damage designed in potential accidents, and increase or decrease of intensity of the likely causes, creating considerable difficulties for the construction of early warning systems, and within them, for the determination of cutting parameters, the safety limit achievement indicators.

Risks are inherent in the definition of complex systems, such as a modern aircraft, imposing a structural premise in the prevention and investigation of accidents: there will always be risk of loss in systems and systems of aeronautical systems, its complete and precise elimination is not possible.

It does not mean that modern aircraft are unsafe, but with the complexity increase of the aerial platforms and their embedded systems (civil and military), the prevention effort must increase exponentially to continue to ensure smaller and smaller incident and accident rates, even when the aircraft systems are being increasingly routinely operated on limits.

In order to get a historical perspective on the importance of the loss prevention mechanisms in the reduction of these rates, just call to mind that the life expectancy of pilots, of the U.S. Air Mail Service in the 1920s, did not exceed four years. Thirty-one out of the first forty pilots died trying to meet deadlines in adverse weather conditions, with a forced landing every twenty hours of flight. Currently, the pilots pay basically the same amount of life insurance as any other citizen.

The acceleration of these advances in the 1950s can be easily referenced to the initial effort of Jerome Lederer – “Mr. Safety” – considered the “father” of civil aviation safety. Thereafter, the practices of damage prevention and investigation gained institutionalism and rooted in, virtually, all areas of instrumental technology application, such as the defense industry, petrochemical, pharmaceutical, aerospace, and mechatronics. This boundary in continuous expansion now moves to the area of intersection of the technology fields, international relations and security, enlightening the elaboration of criteria to evaluate public policies with a high degree of scope and importance.

This progress is driven by the continuous generation of new knowledge through recurring practices of collecting, analyzing, processing, storing, and retrieving systematic and consistent information of the prevention and investigation practices, aiming at achieving two mutually complementary purposes: (1) to understand the way the new aeronautical systems work, in order to identify which points of the processes and their interfaces should be monitored and what the cutoff point is to activate the warning signs, alert or alarm, and (2) to increase the time of accidents or incidents recovery beyond the critical limits by means of easily achievable standardized operational protocols.

It implies that the elaboration of these protocols has to combine the lessons of the past failures in demonstrated technologies, with the possibility of future failures, still unrealized, but being likely to emerge during the application of innovative technologies, and the transition between past and future is always mediated by the human factor.

This condition carries the activity of Loss Prevention and Investigation from the field of simple technical “checklist” developed for application in systems taken separately, to the metric field of complex systems of systems, where the human interface remains essential in the integration of their features.

The third uncertainty is related to the capacity limits of loss measurement scales to monitor the progression of the system scope, creating undesirable plasticity in the construction of the criteria for applying the findings of the investigations. It occurs in all complex systems, as we expand the system under investigation. A fuel injection module and its safety devices are measured with specific criteria of tightness and pressure; they are part of a set of power that is measured in units of torque and mean time between faults, which is part of a platform of combat that is inspected by the criteria of maintained maximum speed, which contributes to a specific tactical intended effect rated by operational protocols. And so on, until we reach the policy implications and level of social impact on systems that integrate consequence chains oriented to produce public assets or considerations on profitability, public image and social responsibility in the private consequence chains.

If we maximize performance requirements in a specific link in the chain, we may be compromising the performance of others. A power system that optimizes vibration, impact resistance, tightness, maintainability, determines the form and function of the platform structure, with an impact on its operating performance. Or vice versa, when the project tactic functions command technical performance requirements. These three uncertainties, also respectively called the uncertainties on indicators, correlations, and scales, are studied under the dominion of the metrics in an extremely important subject, of extensive practical application, but very difficult theorizing.

This Loss Prevention and Investigation Manual works on APICE methodology in the field of complex metrics, facing the practical challenges of this area of knowledge with responsibility and competence. Alberto and Marcia are responsible for that. They are experts on the topic! So, when Alberto asked me to write this introduction, I was not worried. I have known, for a long time, that he is brilliant, along with Marcia; and that they both could only have developed an excellent product. His accomplishments, beyond empty words, attest to his actual capabilities to transform reality.

In late 1992, during the final war game of the Brazilian Naval War College Command and Staff Course, whose outcome would impact on our course classification and, consequently, on our careers, Alberto was the Chief-of-Staff of the Brazil Team. We played against a stronger naval force in conditions of disadvantage. Historically, Brazil always lost, although the judges of the game never confirmed it, saying the game had a didactic character.

Again, that year, Brazil was losing. No matter how much we did, our escort ships were being gradually destroyed, the enemy was advancing to the southeastern coast where we knew they could block the flow of oil that supplies the economy. Our scarce resources for scouting were scattered and worn, our submarines neutralized, our aircraft carrier damaged and navigating at low speed to a safe haven with the few escorts available, and the worst was that we did not know where the enemy aircraft carrier was.

On the eve of the last day of the game, Alberto called me and proposed an ambitious plan, generally repeating what had been executed in a battle of World War II in the Pacific. It would be very risky, but it could work! We redesigned our strategy, concentrating and releasing all reconnaissance aircraft we had in an extended range search to the limit of their endurance. After about 12 hours we found out where the enemy was and sent such an intense air strike that the judges of the game had to recognize that in 1992 Brazil had won the War Game.

Only a person with profound professional knowledge about the capabilities of aircraft, with highly sophisticated analytical skills, and courage to break doctrinal standards, could have done what Alberto did. To him I owe the last grade for the course classification, which led me to the academic career.

After studying the manual I saw that its value far surpassed my most ambitious expectations. The APICE method gives theoretical support for the practice of Loss Prevention and Investigation, providing, in an innovative way, the solution for the three uncertainties that bring complexity to the instrumental metrics of this area and, furthermore, translating this mechanics into simple and objective steps, presented in a straightforward way.

It occurs just because the APICE manual is able to develop in the cycles of Anticipation, Prevention, Investigation, Correction and Evolution – that defines the logical steps that lead to critical analysis of technical and human performance of systems of complex systems – while guiding the user to accommodate the results found in pre-defined categories of findings that respond to a consistent taxonomy.

In support of this dual and simultaneous process of analyzing and cataloging the results, the Manual also offers an extensive and detailed operational definition of the terms that the practice of Loss Prevention and Investigation needs. Thus, it integrates the conceptual basis with methodological rules that instruct consistent practical actions, allowing the APICE to win the recognition it deserves as one of the best instrumental methodologies of safety metrics in the world.

Salvador Ghelfi Raza

According to the magazine “Isto É”, “Salvador Ghelfi Raza is the only Brazilian working on the team hired by the Obama administration to propose a major reform in politics and also in the methods used by the United States worldwide. There are 30 Ph.Ds, the best brains in the world in security, defense and diplomacy analysis. Raza has a doctorate in strategic studies from UFRJ with postdoctoral in defense studies at the National Defense University in Washington, where he teaches.

“He is Director General of CeTRIS – Technology, International Relations and Security Center, Coordinator of the International Relations FACAMP and Associate Professor of National Security Affairs at the Center for Hemispheric Defense Studies at the United States National Defense University (CHDS / NDU) in Washington, DC.”
