The Safety 'Staircase'
Simple principles can help when dealing with major challenges, like the safety and security of complex engineered systems.
Today’s post is perhaps a bit techy - but please bear with it, as it concerns important issues that many of us will have to get to grips with as transport technology continues to leap forward.
Gradual technological evolution
No one person fully understands how modern complex vehicle systems, like aeroplanes and rolling stock, work. However many people have to work together to build, operate and maintain them. To cope with this reality we build models and devise concepts to help us collaborate on them. But these models and concepts are imperfect.
The complexity of these vehicles is increasing incrementally and in real-time. Each technological advance compounds with the previous one, and we rarely have the opportunity to take a step back and take a fresh whole system view. But if we wish them to function safely the whole system has to be collectively understood.
Edging towards danger
This gradual creep in technological complexity can create unsafe conditions: a process that was tragically evident in the causation of the fatal crashes of the Boeing 737 Max aeroplanes in Indonesia and Ethiopia in 2018 and 2019. The immediate cause of those accidents was determined to relate to the plane’s Manoeuvring Characteristics Augmentation System (MCAS), which was designed to adjust the horizontal stabilizer trim of the plane to push its nose down so that the pilot would not inadvertently pull the aeroplane up too steeply and cause a stall. In both crashes it was determined that the MCAS was activated by erroneous indications from its sensors, which the design had not duplicated to protect against a single sensor failing. The investigation found that:
the MCAS was not evaluated as a complete and integrated function in the certification documents that were submitted to the [safety regulator].
The detailed design had been undertaken without effective consideration of either the total reliability of the plane or the challenges of actually piloting it when its key sensor had failed.
The ‘waterfall’ model
The current generation of vehicle system safety standards were originally developed in the 1980s and 1990s. They are based on the ‘waterfall’ model of system development. The elegant and simple concept is that key system requirements, including those that ensure safety, are set and then passed down to each lower-level system and its supplier. Then each component, or sub-system, is checked against the right level of requirements when it is delivered. This should ultimately lead to the whole system meeting the top-level requirements initially set - something that is also checked.
Just the name of this model indicates some of the flawed assumptions that underpin it. The concept of a ‘waterfall’ implies an elegant flow that will occur naturally of its own volition. But in reality the ‘waterfall’ process has to be carefully and actively managed at all times.
For modern complex systems, there is rarely a ‘god-like’ central design authority: modern planes and trains are ‘systems of systems’ with individual elements developed to their own plan at some other time. The ‘waterfall’ activities do not therefore happen in a fixed, logical and sequential order. The necessary evidence that the model has been correctly applied arises haphazardly at different times, making the check that requirements have ultimately been met difficult.
It is right that requirements should evolve through delivery. But often those specifying the delivery of complex systems do not have the competence to understand which requirements - particularly safety requirements - must be fixed and dealt with tightly in procurement and delivery. Errors in the setting or delivery of such requirements inevitably occur and it can be very costly to address them when they are eventually uncovered. This might in some cases lead to poor design or sub-optimal compromises with possible safety implications.
All of these problems are compounded by growing computerisation, deeper supply chains and increased network connectivity. And yet the same, flawed ‘waterfall’ model has been adopted for requirements management in newer Cyber Security standards as well.
A new model: the ‘Staircase’
This set of challenges was the driver for a recent paper I wrote with Professor Coen Van Gulijk - my colleague at the University of Huddersfield - and Dr Richard Thomas from Birmingham University. The premise was simple: Are the shared models that we have used for the last 30-40 years for assuring the safety and security of complex transport systems still valid? If we were developing such models today, what would they look like?
It is right to allow requirements to evolve through a long system delivery project. But safety and security requirements are much less flexible than other requirements, so a tighter process is needed. The answer that we have proposed is a new model: the ‘Safety Stair Case’, which is summarised in the diagram below. The boxes on the left-hand side show the different organisations responsible for determining the system and its requirements. Each has a different role to play, sequentially, in ensuring that robust safety (and security) requirements are identified and implemented.
This model subtly shifts the focus in undertaking complex safety assurance to the earliest phases of a project. This is possible as most complex safety issues are addressed when a particular vehicle type is first designed and built. For the majority of projects the key safety information should therefore be readily available from the outset. Reviewing this information upfront de-risks all subsequent activity. The revised model has some profound benefits. For example:
Greater clarity emerges about when and how early key technical expertise should be consulted to de-risk a project’s delivery.
Fixed safety and security requirements can be clearly embedded in supply chain contracts, and compliance with them managed throughout a delivery project.
Project delivery risk can be reduced as it will be less likely that errors are uncovered late, such as in the final testing stage.
The end result should be less cost, shorter timescales, a safer end product, and greater assurance. The model is just a ‘straw-man’ at this stage. But it indicates the strategic level at which we need to innovate to address the safety and security challenges ahead. With developments coming like fully autonomous vehicles and drone taxis such improved approaches will be needed to head off the risk of major accidents in the future.
The next issue - and a public lecture
Please expect another post in about two weeks’ time. A key date to put into your diaries is September 27th, when I will be giving a public lecture in the Bronte lecture theatre of the University of Huddersfield at 6:30pm. The lecture is titled ‘Railway Safety in a Period of Change’ and I’ll be discussing the safety culture, strategy and policy challenges and opportunities created by the organisational change that is underway in Britain’s railways. I’m preparing a paper to accompany the lecture, which I will release here when it is ready.
For those who can’t be there it will be available live online via the joint hosts, the Safety and Reliability Society.
I’m very keen to build the network for this newsletter. If you know anyone who is interested in the safety of modern transport technology, and who likes a thought provoking read every couple of weeks, please do share a link with them.
Thanks for reading
All views are my own: please feel free to feed back any thoughts or comments, particularly if they are a constructive challenge to anything I have said. The photo used on social media is "Half of the graceful double-sided marble staircase, City Hall (1801), Broad Street at Meeting, Charleston, SC" by Spencer Means and is licensed under CC BY-SA 2.0.
And finally, please do feel free to drop me an e-mail at george.bearfield@ntlworld.com: my particular area of professional and research interest is practical risk management and assurance of new technology. I’m always keen to engage on interesting projects in this area.