A few weeks ago I was fortunate enough to attend the International Cross-Industry Safety Conference at the University of Applied Sciences in Amsterdam. An engaging couple of days with speakers and guests from around the world. There was a range of particularly diverse topics covering safety process analytics, quantification and measurement of safety through to alternative approaches and attitudes to safety across different industries. Below are some of the key discussion points arising from the conference that got me thinking. Have a read and be sure to check out the three podcasts from Simon Whiteley on the STAMP method and approach to safety.

 
So safe it actually becomes dangerous?

 

A question that really stood out to me. This was stated by speaker Ray Master in reference to an incident during the decommissioning of a former Deutsche Bank building at Ground Zero in New York City, where protective measures were in place to stop contaminated materials escaping the site. All very safe for the working principle of the building site. However, the 'safe status' would change drastically in the event that the building caught fire, as the containment system in place actually fuelled the fire and caused it to behave in unexpected ways. Unfortunately this was not understood fully before a fire started.

 

As with many safety-related disasters there were multiple failings that resulted in the incident and one aspect of this has really stood out to me… the implementation of the safety measures imposed resulted in emergent properties and behaviours of the building on fire and these, in this instance, were not fully understood.

 

Coming from a defence/aerospace background I can see the relation to the functional safety solutions we put in place on aircraft and aviation equipment. We have many years of experience and many thousands of examples of systems with one or more safety functions, from which we have learned about the emergent behaviours of implementing safety-related functionality. It is not so simple in novel technologies and/or niche projects where the hazards are not so well defined to start with.

 

Nor is it so simple with a human at the centre. Another of the good questions raised: how do you quantify human reliability as part of your safety analysis? Actually it was explained that through human factors analysis we have a lot of data to support human reliability figures (phew!) but then this is just the non-malicious type of human. The type of human that likes to get to the end of the day knowing everyone they were responsible for on that day did too… What about the malicious type? The type, well, somewhat the opposite of the person just described.

 

Recently in Melbourne there were incidents of hoax callers causing aircraft to abort landings at Melbourne's international airport. Exactly the type of malicious activity that causes safety concerns. Not to mention the growing (and largely unregulated) use of drones and lasers aimed at aircraft.

 

So this brings us to a junction in the safety conference. A new age for safety?

 

More so, system safety now depends on technology that can be intentionally manipulated to become unsafe. Cue the role of system security (encompassing the more widely used term cyber security). As we implement security features in aerospace equipment (aircraft, support equipment, infrastructure etc.), some of it is retro-fitted and, in much the same way as with any new development, do we really understand the emergent properties of what we are developing, and their impacts on systems performance and safety? And, in similar consideration to the Deutsche Bank building in New York, are we in danger of developing systems so secure they actually become unsafe?

 

I guess it is difficult to answer this yet. It is early days and we can only address the known hazards for the known behaviours and operations of the system. Interestingly, speakers at the conference were pointing out the same issues. For aircraft, generally the sheer quantity of data available from 50 years of the aviation industry helps form a basis for safety mitigation and measurement. Still, the identification of this in design is currently dependent largely on the expertise of those involved and the mitigations implemented are built around linear models. Multiple speakers covered the advantages of dynamic models in responding to the emerging properties of systems. One of these is STAMP (Systems-Theoretic Accident Model and Processes). Listen here to Simon Whiteley as he discusses what STAMP is, how it can be applied and how it could be encompassed in new industries.

 

Interested in STAMP? There is more information from Simon available on YouTube. Including a 5 minute introduction:

 

Further information including on training courses can be accessed through the videos on YouTube.

 

As part of this new age should we also be approaching safety with a different attitude? As part of keynote speaker Johan Svenningsson's presentation it was raised that we could approach safety in a positive manner, i.e. rather than looking at what could go wrong, we look at what we can do. I guess this could be considered as saying we can prevent damage to someone's head through them wearing a helmet, rather than looking at the hazard of them hitting their head in all the different places and then determining that a suitable mitigation is to wear a helmet. Or, to use an aerospace example, that we can prevent landing gear being retracted by monitoring whether there is weight on the wheels.

 

Imagine a list of safety capabilities, rather than a list of hazards. A list of stuff we do because we can, rather than because we have to. Safety in the positive manner.

 

Finally, there was a message about what we can do. Whether designing aircraft, providing ground support, or interfacing with aviation infrastructure, there was a key message: speak up. Everyone has a role to play.


The presentations from the event can be found here:

 
Lee Murton 

Aerospace Network

Young Professionals Chairman