Safety, a system state or property?

John Stoop

Safety, a system state or property?

John StoopUniversity of Applied Sciences

Aviation Academy

Safer by design: an engineering perspective

Socio-technical systems:

• Specific category of high energy density systems

• Deliberate, disruptive, innovative interventions

• Proaction imperative to prevent unacceptable emergent behaviour

• Relative and absolute safety performance

Traditional safety indicators in aviation :

• Air services: fatality rate per pax km

• Airworthiness: accident rate per aircraft hour of flight

Relation between air services and airworthiness

Dimension analysis:Number of passengers km P

Aircraft flying hours U

Aircraft flying kilometres S

K passenger fatalities in R fatal accidents K

fatality rate per passenger km K/P

fatal accident rate per flight hour R/U

Combining the two dimensions introduces: K/P=R/U*k/p*1/VB

In which k = K/R = average number of fatalities per fatal accident

p = P/S = average number of passengers per aircraft

VB = S/U = average block speed

In words:Introduction of long haul flights, increased survivability rate per accident, increase in blockspeed and larger aircraft contributed to decrease of the fatality rate per passenger km

Selecting a rational approach

In aviation exposure rates are no longer viable proof

due to non-plus ultra-safe performance: beyond the 10-7

Towards an overall systems safety assessment:

• system safety approach for overall safety performance

• understanding of higher systems levels and life cycle phases

Three case studies identifying safety as:

• Emergent property: HSL multi-actor optimization

• Inherent property: SESAR business model

• Intrinsic value: Stall recovery

HSL South railway designAn innovative concept: 250 km/h, 25kV, ERTMS• Initiating a High Speed Trans European Network• Cooperation between Dutch and Belgain railways• Multiple partners and contracts: DC, DBMF consessions• Technology was assumed conventional engineering • Optimization on costs and lead time

Findings• Assumptions flawed: no self regulation by actors• A 17 year project, lasting only 40 days operational• Frequent interventions by Parliament om each of the

main components: infra, signalling and rolling stock

Emergent properties in practice• Unexpected couplings between processes• Temporal, legal and technological assumptions flawed• System oversight not organized• System architect, overall problem owner indispensable• Safe, but neither available nor reliable

Single European Sky

Inherent properties desinged into the system:

• Increase in air space capacity: accommodating growth

• Controlling traffic volume management rather than individual flights

• Changes in business models: flight costs in the value chain

• Shift from operators to Air Navigation Service Providers

• Intermediate solutions: Functional Airspace Blocks

• Software and design driven automation, no operator feedback

Safety : restricted to uncertainty and conflict handling

Courtesy Ben Pirard, CC BY-SA 3.0

Congestion and traffic flow density

Functional Airspace Blocks

Reality

Only 8% potential improvements applied by operators:

• Routes choices based on fuel economy/tariff reasons

• Five countries cover 54% of traffic

• Traffic density in congested areas

• Dominant role for tariffs in National State business model

• Optimization based on individual interests of operators

• Interferences with open architecture cockpits and UAS:

not yet incorporated

Safety: no safety targets, assessment based on PRA and SMS,

no performance indicators

Aerodynamic stall, an intrinsic hazard

Stall recovery

Stall: an intrinsic hazard

Recurrent phenomenon, due to intrinsic propertiesTurkish Airlines TK1951, Colgan Air 3407, Air France AF447, Air Asia 8501,

Air Algerie 5017

Many solutions on either man or machine level, but:• No systemic analysis• No redundancy in air data information• No redundancy in pitch control • No direct alpha indicator• Performance envelope protection not fail safe• Human performance models inadequate

Innovative design: the stall shield

Characteristics:

• New, correcting aerodynamic forces

• Uncorrupted air flow

• Small forces combined with long momentum arms

• Redundant control over the pitch moment

• In case of emergency and non-normal situations

• Involvement of operator experiences

Stalll recovery shield

Safety: value or property?

Identify system states:

• Stable or unstable, safe or unsafe

Safety as a critical design and operational value

• To be optimized in the value chain as an intrinsic value

Safety as a system inherent property

• To be assessed as a critical design load: the accident scenario

Safety as an emergent property in reality

• To be controlled and managed during operations

From causal factor to system vector

Value engineering:

• Realisation of the intrinsic value in operations

• In a multi-dimensional decision making environment

• Represented by event vectors and system state vectors

• To be optimized in preferential states

Balancing KPI’s:

ΔV = αC(C1/C0)+ αU(U1/U0) + αM(M1/M0) + αE(E1/E0) + αP(P1/P0) + αS(S1/S0) + ε

Regarding

Costs, Utilization, Maintenance, Environment, Passenger satisfaction and Safety

Navigating through design solution spaces:

synchronizing vectors

Event

micro

meso

macro

Systems level

Design interventions

Operational interventions

© 2010

Johan van der Vorm

John Stoop

Contentsdimension

Contextualdimension

Culturaldimension

Structuraldimension

Safety occurrence vector

Vector specific description:

- magnitude

- direction

Safety occurrence vector

linear

complex

concept

Systems state vector

System state vector- system states

- state transitions

- system stability

- Target Safety Levels

- KPI’s

Conclusions

Safety is:

An intrinsic system value• Defined by the technological hazard and system architecture

and may manifest itself as:

An inherent property by design• Throughout all system states

An emergent property in reality• To be controlled by operational constraints

Integration in the optimization process by safety vectoring• Closes the gap between design and operations

• Provides new perspectives for high energy density socio-technical systems

Questions, any questions?