From factor to vector, a systems engineering design perspective on safety

J.A. Stoop (a), R. van der Burg (b)
(a) Delft University of Technology, Delft, The Netherlands
(b) Ministry of Infrastructure and Environment, The Hague, The Netherlands

Abstract: In ultra safe and complex, dynamic systems, safety requires a new approach in which:
- safety is a strategic value in decision making and business modeling
- safety investigations focus on knowledge deficiencies and systems change as feedback of operational experience to the design phase
- safety is a system state, represented by a state/space vector.
In this perspective, safety is made explicit and designed into the system as an inherent property before it manifests itself as an emergent property in practice. The approach emphasizes the value of serendipity through safety investigations. Through investigating systems in their operational context, relations between design and operation, and between socio-technical and socio-organizational approaches, become transparent and provide feedback to the system ‘by accident’. To this purpose, new scientific notions are mobilized, such as value and knowledge based engineering during design, and forensic engineering and resilience management during operations. The design of safer systems should apply a non-linear design methodology, including prototyping, simulation and serious gaming techniques. Such design should focus on the functional level, inherent system properties and synchronization of event and system state vectors. The safety added value of such a design can be expressed as a synchronization between these two vectors.
Keywords: safety investigations, system state vector
1. INTRODUCTION

Safety as a societal as well as a scientific notion has seen gradual developments over the past decades. In assessing these developments, three relatively independent approaches have emerged, each originating from different domains and characterized by their specific contexts and transitions. Three areas can be discriminated and are discussed consecutively on their usefulness:
- safety as a strategic value in decision making, discriminating public and private values across various levels of decision making in the system, adding the notion of four ‘dimensions’ to the modeling
- modern safety investigations are to provide timely transparency in the factual functioning of complex systems, emphasizing independency, scope, investigative qualifications and methodology, and to introduce forensic engineering principles to support diagnosis of complex systems
- dealing with safety enhancement and providing transparency in the complexity in dynamic systems, based on multiple engineering design methodologies applying prototyping, simulation and serious gaming techniques.
These three areas provide building blocks for an engineering design perspective on safety. Finally, safety solution spaces are represented as a synchronization of the vectors that can be identified as the Eigen Value and Safety Added Value of the system state vector and the safety occurrence vector.

1.1 Safety as a strategic value

It is recognized more and more that safety is a strategic notion, similar to economy, environment and other social values [1]. Safety can be discriminated in public values and private values, each with their own attributes, performance indicators and metrics. A change of focus on safety emerged due to a series of major events such as major transport and industrial accidents and natural disasters. First, safety is considered a societal challenge. Safety as a social value has seen an incremental development over the past 25 years.
Starting as an academic interest in quantitative risk analysis, safety management and safety culture in process industry and energy supply, safety evolved into a limited set of applicable methods and theories with a gradual dissemination of their practical applications across many domains and disciplines. Generic methods seemed to satisfy existing needs for safety and risk assessment. However, due to a series of major events, public risk awareness eroded established standards and methods for risk perception and acceptance. Simultaneously, an already existing industrial need for a First Time Right and Zero Defect strategy in technological innovation in aviation, railways and infrastructure merged with a need
for business continuity and system integration. International market developments and new economy demands transformed hierarchical business structures and transport systems, such as aviation and railways, into multi-actor network configurations. Such configuration changes require new institutional and governmental arrangements, clarifying a need for system integration and a role for an independent safety assessor. At the same time, these new configurations face the challenge of societal demands with respect to environment, noise, land use and sustainability. Consequently, it has been recognized that safety cannot be reduced to single stakeholder interests and fragmented across business components into quantifiable performance indicators. On one hand safety has become an integral value at a societal level as a part of strategic policy decision making, to be balanced against other values such as environment, economy and sustainability. On the other hand, the level of complexity, sophistication and knowledge intensive development in aviation and railways requires more dedicated, specific knowledge based and evidence based methods and diagnostic abilities to assess their safety and risk implications in design and operations. Second, safety is becoming a scientific challenge. Designing complex systems becomes more and more problematic. Due to mutually exclusive design decisions, outcomes all have their own stakeholder driven benefits while the collective results are often irrational and suboptimal. A considerable loss of value occurs, removing all flexibility in potential design spaces. Even where components meet their quantitative requirements, the overall result falls short and performance erosion occurs [2]. In order to improve the performance, a value driven design and resilient operational performance is required.
Present risk and safety notions do not comply with demands of reduction of costs and lead time and take no part as a performance lever in added value and utility function methodologies [3]. Safety and risk assessment and management methods fall short in their ability to take part in an integrated design and operation value assessment. For designing modern complicated systems, methodologies for value engineering and knowledge based engineering are developing, providing tools for lead system integrators and indicators to enable them to avoid cyclic redesign in overcoming emergent shortcomings during development and implementation. At the moment this value function is defined for cost, while safety has not yet been incorporated in such a value engineering approach, particularly in dealing with conceptual change and technological innovation [4, 5]. In designing organizations, the concept of resilience engineering aims at overcoming efficiency-thoroughness trade-off considerations during operations. This reliance on knowledge and evidence based interventions in the design and development of modern transport systems creates an urge to reconsider the role of safety in providing expertise and operational experience to such design processes [6]. Safety boards have a role as problem providers for knowledge development [7, 8, 9]. Expansion of this role is under debate. A proactive and encompassing approach is favored: instead of preventing recurrence of accidents as undesirable outcomes, the focus shifts towards identification of systemic and knowledge deficiencies in design and operations of the systems themselves. A shift occurs from elimination of deviations from an optimized control perspective towards oversight over primary business processes and decision making processes. In order to provide a timely transparency in the factual functioning of systems, new diagnostic methods, systems modeling, simulation and decision support methods are developing.
In such a perspective, safety is the ability to succeed under varying conditions, given the inherent properties of a system, controlling the navigation through its safety envelope and value landscape.

1.2 Safety in complex and dynamic systems

Systems with a very high level of technological complexity in general also require a very high level of safety performance, such as in aviation, maritime, railways, process industry and (nuclear) power supply. This class of systems is frequently referred to as beyond 10*e-7 systems or Non-Plus Ultra Safe systems. Current safety enhancement strategies have aimed at a complete elimination of technical breakdowns and human error. Such strategies however, separating technological design engineering from human and social intervention, seem to have reached their limits. Addition of new strategies to the existing arsenal seems to lead to over-extensive linear extrapolation of protective measures [11]. On one hand, more sophisticated mathematical modeling and knowledge based engineering principles are developed to cope with the complex socio-technical interrelations between system functionalities and embedded subsystem architecture, based on neural networking, Bayesian Belief and Semantic networks. On the other hand, from a socio-organizational perspective, a more encompassing, integral approach seems to become inevitable by introducing concepts such as resilience engineering and informed decision making [6, 11, 12]. These developments have demonstrated a gradual shift in systems modeling, which can be expressed as a transition from accident investigation models, via static systems modeling, towards dynamic systems modeling.
In this modeling, the safety focus has shifted from thinking along lines of causal and contributing factors, via managing deviations from normative performance indicator standards, towards control of the system dynamic behavior, perceptions and culture. A gradual shift has occurred towards controlling systems dynamics at various systems levels, beyond the operational control over performance and output control, towards system properties, primary business processes, culture and leadership. Such a transition defines five primary dimensions of a system: structure, culture, content, context and time. Each of these dimensions has its own attributes, performance parameters, metrics and standards which enable assessment of the integral systems performance [7].
[Fig 1 (image not reproduced). The figure contrasts three approaches, one per systems dimension: Accident investigation (first dimension), Static Systems approach (second dimension) and Dynamic Systems approach (third dimension). Labels appearing in the figure: Established causes; Deviations / Normative performance; Drift into failure / Performance envelope; Accident process: Causes, Consequences, Scenarios; System characteristics: Performance indicators, Linear behavior, Single system state; System behavior: Emergent properties, Non-linear behavior, Multiple system states; Casuistics/QRA; Damping/prevention/elimination; HRO; NAT; Feedback/extrapolation; Chaos-/complexity theory; Feedforward/anticipation; Shift towards systems; Shift towards processes.]
Fig 1: System modeling: transition towards a third systems dimension
2. TOWARDS A NEW CONCEPT IN SAFETY INVESTIGATION

2.1 Independent accident investigations

Over the past two decades, accident investigations have evolved from allocating blame and liability to independent safety investigations, identifying systems deficiencies and knowledge deficiencies [7]. In conducting independent and blame free investigations, a conceptual shift is made in the investigation process itself from finding the truth towards achieving or regaining trust in the safety performance of a system. Instead of identifying the causal factors in order to establish the involvement of actors and their motives during the event, the operational performance of the system as such becomes relevant in the potential change towards a safer performance and the ability to learn from undesirable disruptions. Instead of the event and the causal relation to the mishap of any factor, actor or aspect, systemic deficiencies and knowledge deficiencies become the critical issue in system change and knowledge development. Consequently, an increasing number of mixed accident causation and systemic models have been developed [6]. In order to enable such a change from event to system, two transitions in the investigation process are critical:
- a transition from descriptive variables and their causal relations, as the answer to what and how necessary and sufficient conditions were present for the event to occur, towards explanatory variables which provide an answer to why the event could occur. This is the domain of forensic sciences, evidence based and case based learning.
- a transition from explanatory variables towards control, change and design variables. Such a transition shifts the focus from influencing safety dimensions towards systemic dimensions and knowledge development. It adds a systems engineering perspective in order to identify the available solution space for safety enhancements.
This is the domain of knowledge based engineering, model driven engineering, dynamic modeling, serious gaming and simulation.
Such a shift in modeling should coincide with a shift in safety thinking in order to facilitate the integration of safety into such new systems modeling perspectives. In safety thinking three consecutive paradigms have been developed which concurrently are applied in practice [7]:
- a technical paradigm, based on the load concept, dealing with failure, cause and design envelopes. This load concept has evolved from mechanical loads towards mental loads and from a deterministic, analytical approach towards probabilistic and availability modeling. The concept deals primarily with engineering design of technical system components in establishing a design and performance envelope, dealing with reliability, redundancy and robustness
- a medical paradigm, based on the transfer of hazards as a specific type of ‘disease’ and the consequences of an exposure to this ‘disease’. This exposure concept focuses on (re-)gaining control over the exposure, minimizing losses and reducing deviations from standards in performance indicators. The concept primarily deals with control over operational performance from a managerial perspective by preventing deviations from a normative performance level.
- a biological paradigm, based on a mutual and dynamic adaptation of an agent and its systemic environment. This adaptation is based on feedback and achieving transparency over the primary processes of an organization by responding to emergent properties during operation by monitoring, anticipation and learning. The concept focuses on recovery from disturbances outside the operating envelope by adhering to a systems engineering approach in designing ‘r’ properties into the system, such as recovery, resilience, reliance, rescue and emergency, reintegration and rehabilitation.
In investigating systems, the full information paradigm is applied, providing feedback and feed forward information to the investigations, facilitating a combined retrospective and prospective analysis.
This combined approach provides transparency over past performance and operating behavior as input for understanding the actual behavior of the system under scrutiny. Such a reality check provides serendipity: revealing systemic deficiencies and knowledge deficiencies that were or could not be known at the time of design and previous operational conditions. Safety investigations take place in complex, dynamic and adaptive systems, such as aviation and railways, where reliance upon prediction and modeling only is not an option. It is necessary also to make capital out of experience, to build on what by accident can be learned from the field, because prevention cannot replace correction. Safety investigations are an attempt to structure serendipity through an open-minded, systematic and in-depth examination of unpredicted events [10].

2.2 Forensic engineering

Historically, designers needed a technical investigator, capable of recomposing the actual and factual sequence of events, the operating conditions and context, and the factual technical functioning of the designs in practice. Such re-composition facilitated the drafting of redesign requirements. However, a re-composition ability should not only reproduce the physical reality, but should also encompass the knowledge, assumptions, decisions and safety critical issues which have been taken into account and assessed with respect to their acceptability. Such ability should also incorporate the ability to recompose the sociotechnical context and operating environment. From an investigator perspective, three kinds of systems designers should be supplied with a counterpart, each qualified with diagnostic and analytical skills from a technological/engineering design, organizational/managerial or governance/control perspective in order to cover the architecture of the overall socio-technical system. These three design-counterpart roles for investigators have been developing gradually over the past decades.
Initially, with the development of technology, the technical investigator has matured, creating specialist approaches in many technological domains such as propulsion, structures, avionics, stability and control. Although the domain of human factors has seen major progress over the last two decades, the notions that have been developed in this domain are not yet readily applicable for investigation purposes. Translating theories on human factors into investigation tools is progressing, dealing with developing notions on bounded and local rationality, naturalistic decision making theories, a blame-free view on human error, high reliability organisations and resilience in organisational design. In the domain of governance and control the development is in an even earlier phase: this domain is developing classification schemes on failure, but is not yet in a phase of developing general concepts and notions of systems governance and control. Consequently, a framework and toolbox of investigation methods for conducting accident investigations at a systems level is not yet fully developed. Designers need counterparts for the assessment of their designs in
practice. Such a role is fulfilled by accident investigators by providing feedback from investigation findings. Investigations are problem providers for knowledge development. In accordance with such new conceptual thinking in complex and dynamic systems, safety can be considered a system state, either stable, quasi stable or unstable, inherently safe or unsafe. While safe and stable system states assess safety as a non-critical value, inherently unsafe and unstable system states identify safety as a critical design and operational value, which permanently has to be designed, managed and controlled carefully to avert disaster. Otherwise, the inherent properties of such systems and system states manifest themselves as emergent properties in practice. Providing transparency over the actual systems behavior becomes pivotal in such critical and unsafe system states. This appeals to the aforementioned transitions in safety investigations to provide a timely transparency in the factual functioning of the system. A combined transition in safety investigation and systems modeling has the potential to provide a generic basic methodology and investigation notions for all kinds of event investigations across industrial sectors and scientific domains. This transition serves the identification of safety critical knowledge deficiencies and establishes a working relation between forensic engineering, value engineering, knowledge based engineering and resilience engineering. This concept of safety investigations enables the transition from decomposing an event into isolated accident causation factors to a representation of the actual system state by identifying accident scenarios as the actual system state description.
In such a transition, two major changes have to be taken into account in order to establish the actual system state:
- a shift in focus from the practical level of analysis to a methodological level, mobilizing new scientific concepts and theories
- a merging between the socio-technological perspective and the socio-organizational perspective.
In order to distinguish between Non-Plus Ultra Safe systems and other, less critical systems with respect to their required change capability and adaptivity, safety enhancing interventions can be categorized in two main classes:
• Linear interventions and first order solutions. Simple problems allow restricting the design space. This is valid only if the number of solutions is small, the number of design variables is small, their values have limited ranges, and optimizing within these values deals with sacrificing aspects among the limited set of variables. Such interventions reinforce the design space in the detailed design phase by reallocation of factors, more stringent compliance with rules and regulations, and elimination of deviations; they are applicable to simple, stand alone systems.
• Complex interventions and second order solutions. Complex dynamic problems demand expansion of the design space. Such solutions focus on concepts and morphology, reallocation of functions to components, reconfiguration and synthesizing of sub-solutions, involvement of actors, aspects, teamwork, communication, testing and simulation. Such an expansion of the design space occurs in the functional design phase by developing conceptual alternatives and prototypes; it is applicable to complex and embedded systems.
When first order solutions have failed and do not prevent a critical event, a redesign of the system becomes necessary.

3. DESIGNING SAFER SOLUTIONS: A SYSTEMS APPROACH

Linear interventions produce first order solutions: the analysis is restricted to a decomposition into factors, actors and aspects as contributors to the causal process.
In contrast with linear interventions and first order solutions, in complex systems there is no direct and unique relation between a single contributing factor and its remedy. In redesigning safer solutions, there are three different focus groups for communication of the safety solutions: operators and actors within the system able to achieve a safe performance, knowledge providers for a better understanding of the system behavior, and change agents able to govern and control the system. Each of these parties has a specific set of communication means, applying respectively metaphors, models or prototypes [13, 14]. Each of these parties applies its own vocabulary and reference frameworks, but should share a common notion in the end by a common means of communication. Applying a ‘barrier’ notion (such as Reason’s Swiss Cheese model) is a powerful communication metaphor, but does not help in case of a scientific modeling of the issue or applying a prototype in testing a solution.
Synthesizing solutions is necessary in order to establish a shared solution, based on the credibility, feasibility, compatibility and selection of preferred alternatives, in order to create consensus among all parties involved in accepting the solution. Synthesizing is about recreating interdependencies into a new concept, network or configuration based on shared values. Complexity then can be defined as the interdependences of variables, choices and design assumptions. To deal with this complexity, it is not sufficient to decompose a system or event into its contributing variables and explanatory variables within its existing solution space. To identify and control change in the system and its dynamics, also the change variables must be identified in order to serve as input for the engineering design process. Across the various life cycle phases, stakeholders have a different safety perception, change potential and perspective on system change. While designers and engineers act from a socio-technical perspective during the design, management and governance will have their influence on socio-organizational issues from a control perspective. Operators and investigators derive their experience and expertise from operational practices, dealing with actual dilemmas and challenges from a naturalistic perspective [15].

© J.A. Stoop 1996
[Fig 2 (image not reproduced). Three axes span the design perspective: the life cycle axis (coordination), with the phases design, development, construction, operation and demolition; the design axis (innovation), with the levels goal, function and form; and the system level axis (integration), with the levels macro, meso and micro. The corners of the figure are labeled Design, Control and Practice.]
Fig 2: A multi-actor systems engineering design perspective
In addition, dealing with complexity and context is not adding more detail and levels to an event by increasing the decomposition, but providing transparency at higher systems levels with respect to its functioning and primary processes, clarification of the conceptual properties, its configuration and composition. Increasingly complex accident modeling such as Accimap does not make the full transition from the event towards systems characteristics, while STAMP applies a combined instrumental approach by simultaneous use of the bowtie model, Rasmussen’s system hierarchy and influence diagrams. If inherent properties of a system are not identified during design, they will manifest themselves as emergent properties during operations. Such properties are to be specified from a multi-actor perspective, leading to a shared vision on system goals. To assess the integral performance of the system, a synthesis should take place of all aspects in an encompassing Program of Requirements. Such a Program of Requirements becomes a consensus document, in which all actors involved have had the opportunity to express and incorporate their requirements, constraints and conditions during the assignment phase of the redesign. How do we substantiate an engineering design approach in accident investigation methodology? Two steps are to be taken into account: identification of the design solution space and the use of empirical evidence based on forensic engineering principles. A methodological question is how to establish the feedback loop between operational practices and engineering design from a socio-technological or socio-organizational perspective. Do systems engineering design methodologies such as simulation and prototyping provide an answer? Can we apply notions derived from systems state/space modeling and chaos and complexity theory?
4. CREATING A DESIGN SOLUTION SPACE

4.1 Value Operations Methodology

Value Driven Design (VDD) is a methodology which promotes the use of a more complete value function as the objective function to be solved through optimisation, rather than using a more limited formulation typically related to some performance metric or through managing the process of meeting requirements [3]. However, this principle can be extended to consider not only the value of today’s basic economic drivers but also to incorporate the ultimate value for the customer and even society, depending on who is implementing the Value Operations Methodology (VOM) that focuses on the ultimate value realised in through-life operation. Consequently, it is extremely well aligned to the problem of how to incorporate safety analysis into engineering and policy making decisions. This has been incorporated into the fundamental VOM hypothesis as follows: ‘the true value of an engineering solution is subjective, temporal and of an inherently transient nature, and therefore engineering value analysis and optimisation is more meaningful if formulated as the evaluator’s preference for one state over another as a function of the quantitative difference in a number of key value levers related to the operational realisation of the intrinsic value of the product, process or service being considered.’ Consequently, this principle is further expressed in equation 1:

(1)
where a change in value $\Delta V$ is caused by a change in a set of associated value levers $x_i$, when moving from some start-state to some new end-state. Each value lever of the set $i = 1 \ldots N$ has an associated scaling factor $\alpha_i$ and error $\varepsilon_i$, and is in turn defined by a subset of lower level value parameters $x_{ji}$ for $j = 1 \ldots M$ with associated scaling factor $\omega_j$, that describe the causal nature of each driver. Consequently we can conclude that certain events have a contextual, cultural, content and structural dimension, whether at a component, sub-system, system or system of systems level. Most importantly, rather than just stating safety factors we now have a concept of real safety related events having an impact magnitude and a directional bias relative to the four dimensions of the model. The model suggests multivectorial design solution spaces which have meaning relative to the four dimensions of safety in terms of the contribution or impact within each dimension and the overall resulting orientation or direction of the safety issue being considered. Consequently, safety is significantly elevated from the very basic consideration of factor, to a new level where it is being quantified as a multi-dimensional quantity with a resulting orientation that defines the choice of the designer or operator relative to their values regarding safety. With reference to the Value Operations Methodology [4] this leads us to the position where safety can be integrated into the general design approach of the air transport system according to an equation relating KPI to some delta value of the form in equation 2:

$$\Delta V = \alpha_C \frac{C_1}{C_0} + \alpha_U \frac{U_1}{U_0} + \alpha_M \frac{M_1}{M_0} + \alpha_E \frac{E_1}{E_0} + \alpha_P \frac{P_1}{P_0} + \alpha_S \frac{S_1}{S_0} + \varepsilon \qquad (2)$$
where Cost efficiency is represented by C (revenue/cost), Utilization by U, Maintainability by M, Environmental Quality by E, Passenger Satisfaction by P and Safety by S, and finally an error term ε is included. Consequently, safety as a function safety = fn(context, culture, content, structure) can be characterised with the individual drivers associated with each dimension, so that safety in its vectorial and most realistic form can be integrated into the overall integrated system of systems design solution space.

4.2 Simulation and prototyping

In making the transition from a linear safety intervention towards a dynamic safety intervention, the concept of critical load is applied. Accident scenarios can be considered critical loads on a system: once the critical load is applied, the system will fail if the load is increased, exceeding the load capacity under the given operational conditions.
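As an added worked example for equation (2) and the four-dimensional safety representation of section 4.1 (this is not code from the paper or from the VOM authors), the Python below evaluates ΔV for a start state and two candidate end states, shows that the preferred alternative depends on the evaluator's scaling factors, and represents a single safety related event as a vector over context, culture, content and structure with a magnitude and an orientation. All numerical values (the scaling factors α and ω, the lever values of the start state and the alternatives) are constructed for the illustration, and the weighted sum used to aggregate the four safety drivers into the lever S is an assumed aggregation, since the paper states the structure of the lower-level parameters but not the function.

```python
import math
from typing import Dict, Tuple

# Value levers of equation (2): Cost efficiency (C), Utilization (U),
# Maintainability (M), Environmental quality (E), Passenger satisfaction (P)
# and Safety (S).
LEVERS = ("C", "U", "M", "E", "P", "S")

# Scaling factors alpha_k for the levers. Constructed for this illustration;
# the paper gives no values.
ALPHA = {"C": 0.25, "U": 0.15, "M": 0.10, "E": 0.10, "P": 0.15, "S": 0.25}

# An alternative weighting for an evaluator who values safety highest
# (constructed, to show that the preferred alternative depends on the weights).
SAFETY_FIRST_ALPHA = {"C": 0.10, "U": 0.15, "M": 0.10, "E": 0.10, "P": 0.15, "S": 0.60}

# The four dimensions of the safety model; the lever S has a driver in each.
DIMENSIONS = ("context", "culture", "content", "structure")

# Scaling factors omega_j of the lower-level safety drivers (constructed).
OMEGA = {"context": 0.3, "culture": 0.3, "content": 0.2, "structure": 0.2}


def safety_lever(drivers: Dict[str, float], omega: Dict[str, float] = OMEGA) -> float:
    """Aggregate the four safety drivers x_j into the lever S.

    The paper says each lever is defined by lower-level parameters with scaling
    factors omega_j; the weighted sum used here is an assumed aggregation.
    """
    return sum(omega[d] * drivers[d] for d in DIMENSIONS)


def delta_value(start: Dict[str, float], end: Dict[str, float],
                alpha: Dict[str, float] = ALPHA, epsilon: float = 0.0) -> float:
    """Equation (2): dV = sum over levers of alpha_k * (X_k1 / X_k0), plus epsilon.

    start/end map each lever to its value in the start and end state. An end
    state identical to the start state gives dV = sum(alpha), which is the
    baseline against which alternatives are compared.
    """
    total = 0.0
    for lever in LEVERS:
        x0, x1 = start[lever], end[lever]
        if x0 <= 0:
            raise ValueError(f"lever {lever}: start-state value must be positive")
        total += alpha[lever] * (x1 / x0)
    return total + epsilon


def safety_vector(impact: Dict[str, float]) -> Tuple[float, Dict[str, float], str]:
    """Represent one safety related event as a vector over the four dimensions.

    Returns the impact magnitude (Euclidean norm), the orientation as a unit
    vector, and the dimension that dominates that orientation.
    """
    components = [impact.get(d, 0.0) for d in DIMENSIONS]
    magnitude = math.sqrt(sum(c * c for c in components))
    if magnitude == 0.0:
        return 0.0, {d: 0.0 for d in DIMENSIONS}, "none"
    orientation = {d: c / magnitude for d, c in zip(DIMENSIONS, components)}
    dominant = max(DIMENSIONS, key=lambda d: abs(orientation[d]))
    return magnitude, orientation, dominant


def best_alternative(start: Dict[str, float], alternatives: Dict[str, Dict[str, float]],
                     alpha: Dict[str, float] = ALPHA) -> str:
    """Name of the end state the evaluator prefers, i.e. the one with the largest dV."""
    return max(alternatives, key=lambda name: delta_value(start, alternatives[name], alpha))


# Constructed lever values for a baseline design (start state) and two redesigns.
START_STATE = {"C": 1.20, "U": 0.80, "M": 0.90, "E": 0.70, "P": 0.85, "S": 0.95}
ALTERNATIVES = {
    # A: safety improves, at some cost efficiency.
    "A": {**START_STATE, "C": 1.15, "S": 0.99},
    # B: cost efficiency improves, safety unchanged.
    "B": {**START_STATE, "C": 1.30},
}

if __name__ == "__main__":
    for name, end in ALTERNATIVES.items():
        print(name, round(delta_value(START_STATE, end), 4),
              round(delta_value(START_STATE, end, SAFETY_FIRST_ALPHA), 4))
    print("preferred (ALPHA):", best_alternative(START_STATE, ALTERNATIVES))
    print("preferred (safety first):", best_alternative(START_STATE, ALTERNATIVES, SAFETY_FIRST_ALPHA))
    magnitude, orientation, dominant = safety_vector({"context": 3.0, "culture": 4.0})
    print("event magnitude", magnitude, "dominant dimension", dominant)
```

With the constructed ALPHA the cost-efficient redesign B scores the higher ΔV, while under SAFETY_FIRST_ALPHA the safer redesign A is preferred: the same equation, applied with a different set of values, changes the choice, which is the point of treating safety as a lever with its own scaling factor rather than as a fixed factor. The safety vector returned for an event with impact 3 on context and 4 on culture has magnitude 5 and is oriented mostly along the culture dimension.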
In complex interventions, the focus is on safety critical events in a systems context rather than on isolated factors and generic aspects, as is the case with linear interventions. The re-composition of events takes place by identifying and synthesizing explanatory variables into scenarios in their specific operating environment and constraints. Such synthesizing is primarily evidence based. The redesign of the systems is conducted along the lines of engineering principles by generating design alternatives in the enlarged design space in the form of a limited set of prototypes. These prototypes contain a relocation and addition of functions, change the morphology and configuration, and incorporate additional actors and aspects. The testing of these prototypes is conducted by running scenario tests, definition of limit state loads and simulation of complex and dynamic systems in virtual reality. Analyzing system responses before they are put into practice is based on First Time Right and Zero Defect strategies. The responses of systems can be determined by a gradual enlargement of the disruptions which are inflicted upon the system, until oscillation and instability occur. Responses of systems may become visible by a gradual or sudden transition to another system state by passing a bifurcation point. After such a transition, the safety of the systems can be assessed according to the acceptability of the new safety integrity level, also in a technological sense. Technology in itself contains many forms, incorporating invisible knowledge, notions, principles and decisions from previous life cycle phases. The physical appearance of a product and process does not disclose inherent properties, principles or interactions to end-users in their operational environment. Design decisions are frequently made under conditions of high uncertainty.
Safety margins and design standards, identification of failure mechanisms, probability assessment, consequence analysis and identification of a design envelope should reduce the uncertainty again to an accepted level. Designers deal with optimizing performance and are not in a position to gain oversight of all uncertainties and unforeseen behavior of their designs. Such behavior, however, can be designed into their processes, as with the Japanese design philosophy of Limit State or Critical State Design methodologies. Designers need an intellectual counterpart in assessing the safety and operational performance of their designs. Such a role is historically provided by accident investigators and safety managers. To fulfill their role, their expertise should become available in the design process. Consequently, such a collaborative engineering design methodology may provide a perspective for improving the safety performance of complex systems at a socio-technical level.

The potential for systems engineering design in providing safer solutions requires one to:
• Identify inherent properties before they manifest themselves as emergent properties
• Deal with complexity and dynamics by focusing on functions rather than on factors
• Focus on design principles and properties rather than optimizing performance
• Introduce systems dynamics by synthesizing interrelations into accident scenarios
• Apply a proof of concept by testing solutions in a dynamic simulation environment

Therefore, it is necessary to:
• develop event scenarios separated from systems models
• develop prototypes of safer solutions
• create dedicated virtual systems models, representing their specific characteristics
• facilitate testing and validation in these virtual models, parallel to the real system.
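The critical-load idea of Section 4.2 (gradually enlarge the disruption inflicted on the system until it drifts out of its operating envelope) and the state/occurrence vector notion of Section 5 can be made concrete in a small simulation. The following is an added illustration, not code from the paper or its authors. It assumes four of the paper's dimensions (context, culture, contents, structure) each carry one KPI expressed as a deviation from nominal, that the operating envelope bounds that deviation per dimension, and that each dimension has a fixed per-step recovery capacity (its load capacity); that "deviation minus recovery" dynamics, the envelope limits, the occurrence direction and the redesign are all constructed values, not the authors' model.

```python
"""Toy model of a safety occurrence vector navigating a system state vector's
operating envelope. Constructed example, not from the paper."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

DIMENSIONS = ("context", "culture", "contents", "structure")


@dataclass
class SystemStateVector:
    deviation: Dict[str, float]   # current KPI deviation from nominal, per dimension
    envelope: Dict[str, float]    # max acceptable |deviation| (Target Safety Level)
    recovery: Dict[str, float]    # deviation absorbed per time step (load capacity)

    def margins(self) -> Dict[str, float]:
        """Proximity to the operating limits: remaining headroom per dimension."""
        return {d: self.envelope[d] - abs(self.deviation[d]) for d in DIMENSIONS}


@dataclass(frozen=True)
class SafetyOccurrenceVector:
    magnitude: float
    direction: Dict[str, float]   # per-dimension weight of the disruption

    def load(self, dim: str) -> float:
        return self.magnitude * self.direction.get(dim, 0.0)


def nominal_state() -> SystemStateVector:
    """Constructed sample system: all KPIs nominal, envelope 1.0 in every dimension."""
    return SystemStateVector(
        deviation={d: 0.0 for d in DIMENSIONS},
        envelope={d: 1.0 for d in DIMENSIONS},
        recovery={"context": 0.2, "culture": 0.1, "contents": 0.3, "structure": 0.2},
    )


def step(state: SystemStateVector, event: SafetyOccurrenceVector) -> None:
    """One time step: the occurrence pushes each KPI, then the system recovers
    towards nominal by at most its recovery capacity (assumed dynamics)."""
    for d in DIMENSIONS:
        x = state.deviation[d] + event.load(d)
        r = state.recovery[d]
        # recover towards 0 without overshooting
        x = max(0.0, x - r) if x > 0 else min(0.0, x + r)
        state.deviation[d] = x


def navigate(state: SystemStateVector, event: SafetyOccurrenceVector,
             horizon: int) -> Optional[Tuple[int, str]]:
    """Apply the same occurrence every step; return (step, dimension) of the
    first breach of the envelope, or None if the envelope holds for the horizon."""
    for t in range(1, horizon + 1):
        step(state, event)
        for d, m in state.margins().items():
            if m < 0:
                return (t, d)
    return None


def critical_load(make_state: Callable[[], SystemStateVector],
                  direction: Dict[str, float], increment: float = 0.1,
                  max_steps: int = 50, horizon: int = 100) -> Optional[float]:
    """Gradually enlarge the disruption until the system drifts out of its
    envelope; return the smallest magnitude that does so within the horizon."""
    for i in range(1, max_steps + 1):
        magnitude = i * increment
        event = SafetyOccurrenceVector(magnitude, direction)
        if navigate(make_state(), event, horizon) is not None:
            return magnitude
    return None


def redesigned_state() -> SystemStateVector:
    """Design intervention (constructed): raise the cultural recovery capacity,
    i.e. change a system property rather than suppress the event."""
    s = nominal_state()
    s.recovery["culture"] = 0.25
    return s


OCCURRENCE_DIRECTION = {"context": 0.4, "culture": 0.8}   # constructed scenario


if __name__ == "__main__":
    before = critical_load(nominal_state, OCCURRENCE_DIRECTION)
    after = critical_load(redesigned_state, OCCURRENCE_DIRECTION)
    print(f"critical load before redesign: {before}, after: {after}")
    print("first breach:", navigate(nominal_state(),
          SafetyOccurrenceVector(0.2, OCCURRENCE_DIRECTION), 100))
```

Two things the paragraph alone does not show fall out of running it: the critical load depends on the test horizon (a slow drift of a few hundredths per step breaches the envelope only after many steps, so a short virtual test can miss it), and the redesigned prototype is assessed by exposing it to the same occurrence vector and reading off the new critical load, which is the proof-of-concept step listed above.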
Instead of identifying causes in order to establish the involvement of factors, actors, their motives and interrelations during the event, the operational performance of the system as such becomes relevant in the potential change towards a safer performance and the ability to learn from undesirable disruptions. Historically, safety oriented interventions have been focusing on elimination or mitigation of factors, actors or aspects, breaking up the sequence of events in order to prevent its recurrence. Instead of the event and the causal relation to the mishap, identifying systemic deficiencies and knowledge deficiencies becomes the critical issue in changing system properties, function allocation, system configuration and knowledge development.

5. FROM FACTOR TO VECTOR

Synchronizing Eigen Values and Added Values

Design solution spaces can be discriminated as either linear and static (within the existing design envelope, with a focus on performance in the operational phase) or complex and dynamic (beyond the design envelope, focusing on changing system properties and configuration). The scope of such design interventions varies from an improved control over the event in case of a linear intervention to identification of multiple stable or unstable systems states and transition phases across these states.
Complex systems modeling takes the form of representation by system state vectors, expressed by five primary systems dimensions (culture, structure, contents, context and time), each with their own characteristic attributes, key performance indicators and metric values. Similar to such a system state vector, an event vector should be identified, expressed by its own characteristics such as hazards, actors, factors, aspects, causal relations, operating variance, interactions and operating conditions. Navigating such an event vector through the system's operating envelope indicates proximity to operating limits and a drift into failure. The challenge in optimizing safe solutions is the synchronization of these two vectors by transforming the event vector problem space into systems vector solution spaces within the boundaries of the available engineering design solution space. Such synchronization requires transparency over the various system state transitions, as well as a consequence assessment of the residual risk and side effects that remain after a transition.

[Figure 3. Multivectorial safety design solution spaces. Figure title: "Navigating through design solution spaces: synchronizing vectors" (© 2010 Johan van der Vorm, John Stoop). The figure plots the systems level (micro event, meso, macro) against the type of intervention (operational interventions, linear; design interventions, complex, concept). The systems state vector spans the contextual, contents, cultural and structural dimensions and is described by system states, state transitions, system stability, Target Safety Levels and KPIs; the safety occurrence vector is described by its magnitude and direction.]

In order to facilitate such synchronization, the Eigen Values of the event vector and system vector should be established to avoid oscillation and resonance. Analyzing the potential systems responses is supported by testing the solutions in a virtual design environment by simulation and serious gaming techniques before the changes are implemented in the real world. By exposing the redesigned systems to the original ultimate load (the event scenario), the support for safety enhancement, in terms of commitment for change, acceptance of the residual risk and feasibility of engineering design improvements, is tested and validated [16]. To this purpose, new scientific notions (such as Value Engineering, Knowledge Based Engineering and Resilience Engineering) focusing on system properties such as resilience, reliability, redundancy, recovery, reliance, reconfiguration, rescue and emergency handling can be assessed for their applicability during the (re-)design [17, 18, 19, 20].

6. CONCLUSIONS

This transition in safety investigations has the potential to provide a generic, basic methodology and investigation notions for event investigations across industrial sectors and scientific domains due to its systems orientation. This transition serves the identification of safety critical knowledge deficiencies by applying forensic engineering, establishing a working relation between value engineering and knowledge based engineering design from a socio-technical perspective and resilience engineering from a socio-organizational perspective. This concept of safety investigations enables the transition from accident causation factors to systems state vectors in order to identify systemic and knowledge deficiencies, to learn from mishap and to enhance the safety performance of complex, dynamic systems.
In shifting from factor towards vector, safety critical behavior of open and dynamic systems can be analyzed by identifying inherent properties during design before they manifest themselves as emergent properties during operations. By doing so, safety can be assessed and optimized as a critical strategic value against other system values in a dynamic and complex systems perspective. Although the notion of safety vectoring is still in its early phases of development, it contains challenges with respect to its operational validity and practical applicability. In dealing with safety of complex and dynamic systems, it provides a theoretical basis for establishing a working relation between design and operations by closing the feedback loop between the various phases of the life cycle, and bridges the gap between technological and organizational perspectives.

References

[1] WRR. Onzekere veiligheid. Verantwoordelijkheid rond fysieke veiligheid (Uncertain safety, responsibilities about physical safety). Wetenschappelijke Raad voor het Regeringsbeleid. Amsterdam University Press (in Dutch), 2008.
[2] Curran C., Verhagen W., Van Tooren M. and Van der Laan T. A multidisciplinary implementation methodology for knowledge based engineering: KNOMAD. Expert Systems with Applications 37 (2010) 7336-7350, 2010.
[3] Curran R. Value-driven design and operational value. Encyclopedia of Aerospace Engineering. Ed. R. Blockley and Wei Shyy. Wiley & Son, Ltd., 12 p., 2010.
[4] Curran R., Castange S., Early J., Price M., Raghunathan S., Butterfield J. and Gibson A. Aircraft cost modeling using the genetic causal technique within a systems engineering approach. The Aeronautical Journal, July 2007, pp 409-420, 2007.
[5] Curran C., Abu-Kias T., Repco M., Sprengers Y., Van der Zwet P. and Beelaerts W. A value operations methodology for value driven design: medium range passenger airliner validation. 48th AIAA Aerospace Sciences Meeting, 4-7 January 2010, Orlando, Florida, USA (accepted for the Journal of Aerospace Operations, 2011).
[6] Hollnagel E., Paries J., Woods C. and Wreathall J. Resilience engineering in practice. A guidebook. Ashgate Studies in Resilience Engineering, 2010.
[7] Stoop J. and Dekker S. Limitations of 'Swiss Cheese' models and the Need for a Systems Approach. Annual ISASI Seminar 2010, 6-9 September, Sapporo, Japan, 2010.
[8] Benner L. Five accident perceptions: their implications for accident investigators. Journal of System Safety, Sept-Oct 2009, pp 17-23, 2009.
[9] Johnson C. Failure in safety-critical systems: a handbook of accident and incident reporting. University of Glasgow Press, Glasgow, Scotland, October 2003.
[10] Arslanian P. (2011) ISASI Forum, October-December 2011, pp 12-13.
[11] Amalberti R. The paradoxes of almost totally safe transportation systems. Safety Science 37 (2001) 109-126, 2001.
[12] Holden R. People or systems. To blame is human. The fix is to engineer. Professional Safety, December 2009, www.asse.org, pp 34-41, 2009.
[13] Eckerson W. Performance dashboards. Measuring, monitoring, and managing your business. Second Edition, John Wiley & Son, Inc., 2010.
[14] Kent S. Model driven engineering. In: M. Butler, L. Petre and K. Sere (Eds): IFM 2002, LNCS 2335, pp 286-298, Springer Verlag, Berlin Heidelberg, 2002.
[15] Espejo R. The viable system model. A briefing about organizational structure. SYNCHO Limited, www.syncho.com, United Kingdom, pp 1-35, 2003.
[16] Van Meer Ph., Ghobbar A. and Stoop J. Systemic safety investigations for aerospace MRO's. 27th International Congress of the Aeronautical Sciences ICAS 2010, 19-24 Sept 2010, Nice, France.
[17] Ideler G. Learning more from occurrences at KLM E&M. MSc Thesis, Delft University of Technology, Faculty of Aerospace Engineering, 2009.
[18] De Zanna C., van Tooren M., Schut J., Stoop J. and Curran R. Safer by design: towards a conceptual assessment of safety. SAFE 2009, 1-3 July, Rome, Italy, 2009.
[19] Kinik Y. Improving the Safety Culture at KLM Engineering & Maintenance: a holistic approach. MSc Thesis, Delft University of Technology, 2010.
[20] Curran R., Raghunathan S. and Price M. (2004). Review of aerospace engineering cost modeling: The genetic causal approach. Progress in Aerospace Sciences, Volume 40, Issue 8, pp 487-534.