SAFETY: A STRATEGIC ASPECT IN TRANSPORT SYSTEMS DESIGN

John A. Stoop, Wim R. Beukenkamp

Delft University of Technology, The Netherlands
Abstract: Fundamental changes have occurred in transport system design and their relation to assessing a safe operating performance. Such changes should facilitate technological innovation and conceptual change. Integrating safety in fundamental changes requires a ‘conceptual leap’ in safety thinking. New actors and safety aspects put additional demands on engineering design concepts and consecutive schools of safety thinking. Changes in the design environment and in the engineering design process put demands on design assessment with respect to a system safety integrator role, failure mode identification, the role of the human factor, rescue and emergency throughout the various phases of the design process. Copyright © IFAC
Keywords: safety analysis, transport, systems design
1. INTRODUCTION

Over the past decade, several major transport projects have been initiated in all modes of transportation, covering railway infrastructure, expansion of airports and ports, public transport networks, multiple land use and underground structures.

Over the past decade a major transition in transport policy-making has been argued, based on internal and external conditions. Internal factors are focusing on performance pressure within a system in order to control required growth, modal shift demands, intelligent operation and expansion of transport services. External factors should be integrated in a future systems development, dealing with land use, detrimental environmental effects, sustainability and safety.

Technological innovation and conceptual change

Recently, a more fundamental approach is favored. In reconsidering transport policy and system modification, a more strategic approach has been emerging, dealing with technological innovation, conceptual change and rearrangement of institutional conditions. Major issues in several modes of transportation have led to such a system pressure that major changes should be introduced. Such changes are so fundamental that only conceptual modifications may be satisfactory. A ‘system leap’ forwards may be inevitable (Connekt, 2001). The most recent examples of such a system leap are provided by the implementation of ICT applications and telematics in all modes of transportation or the introduction of new hybrid construction materials in aviation such as Glare composites.
© 11th IFAC Symposium on Control in Transportation Systems Delft, The Netherlands, August 29-30-31, 2006
Integrating safety

Historically, safety has been submitted to a fragmented approach. In the past, every Department has had its own responsibility towards safety, focusing either on working conditions, or internal safety, external safety, rescue and emergency, public order or security. They each issued policy documents, which in their time were leading statements for elaboration and regulation such as Sustainable Safety, Integral Safety or quantitative risk assessment standards. Experiences over the past decade have demonstrated however, that safety has not been integrated successfully in a series of major transport projects. The implementation of safety has shown a diverse and scattered picture, depending on accidental circumstances or project-specific conditions (Stoop and Beukenkamp, 2003; Leeuwendaal, 2001).

With the stated necessity of technological innovation and a ‘system leap’ in mind for all modes of transportation to fulfill internal and external demands, a ‘conceptual leap’ in safety notion may be required to fit in with these demands. It may become necessary to transform safety from an operational cost into a strategic policy making issue. In particular during the development, design, construction and operation of innovative systems facilitating a ‘systems leap’, safety should be integrated in each phase during the life cycle of such systems (McIntyre, 2000; Rasmussen and Svedung, 2000).

2. CHANGES IN THE DESIGN ENVIRONMENT

Several changes in the operating environment of railways have created a necessity to broaden the safety engineering design scope to other risk and safety issues. During the design, development and construction of a series of major infrastructure projects in the Netherlands it became clear that the safety aspect lacked transparency and consistency across the major projects under design and construction (Leeuwendaal, 2001).

Three principal issues for a safety integrated engineering design of major infrastructure projects emerged from these projects.

First, adequate terms of reference were lacking, causing a lack of uniformity in risk and safety assessment across projects and state boundaries. In its turn, this revealed inconsistencies in licensing and consequence management during the operational phase.

Second, a consistent procedure was lacking to organize the risk decision making process among public and private partners during the various phases of the project. This deficiency in structuring collaboration and communication caused ad-hoc approaches and frustration of the continuity of projects under critical time and budget constraints.

Thirdly, a systematic acquisition of expertise and experience within the rescue and emergency sector was lacking. This not only caused vulnerabilities regarding a dependence on tacit knowledge within the rescue and emergency community but also created differences across stakeholders with respect to their negotiating and collaboration capabilities. This change triggered a fourth issue: designing the decision making process among public and private stakeholders in the project management.

A new role for rescue and emergency

Over the past decade, several major accidents within the railway system have occurred, including a serious accident with an ICE high speed train in Germany due to a fractured wheel tire. Several major fires have occurred in road and rail tunnels, fuelling debates on rescue and emergency capabilities in dealing with the aftermath of such major accidents. A European Guideline for tunnel safety incorporates design and construction requirements for fire fighting, rescue and emergency handling.

Changes in safety policy making

A change in the role of the national administration has taken place, privatizing the national railway company, creating private partners and admitting new entrants in the railway market. Since safety is an interfacing issue across systems, new boundaries within the former national railway company create a necessity to define new responsibilities among parties involved and to assess safety in a multi-actor decision making environment. Additional safety principles have been introduced, dealing with:
- maintaining a standstill principle, despite increases in traffic volume and transport services diversity, in order to assure the safety of passengers, by-standers and staff
- reduction of the number of accidents with injuries to generally acceptable societal risk levels
- reduction of the risk and nuisance by application of the ‘as low as reasonably achievable’ principle.

A new role for accident investigations

Due to a series of major accidents and disasters, the focus of attention in public safety perception is shifting from complying with quantitative risk standards towards independent accident investigation of major events. In the Netherlands, the recognition of the importance of independent investigations has led to an expansion of this philosophy from the transport sector to other industrial and high-risk sectors. At a European level, mandatory investigation agencies are recognized as indispensable safety instruments for all modes of transportation, for which draft EU Directives are in progress (ETSC, 2001). Feedback to the design phase of accident analysis findings is required in order to comply with demands from a Zero Defect and First Time Right design strategy.

Safety Schools of Thought in transportation

Safety in modern transportation systems has been an issue for about 150 years. It evolved as a discipline from several different domains and disciplines and has a strong practical bias. Consequently, various ‘schools of thought’ have been merging. Each of these schools represents a different pattern of thinking and can be considered as consecutive, representing the societal and scientific safety concepts of their times.

Tort Law

The ‘Tort Law School’ as defined by McIntyre, has a long history and roots in the U.S. railway industry since the end of the 19th century. It goes back to the introduction of safety engineering design in the railway industry to cope with the carnage among railway workers. Lorenzo Coffin is stated to be the first railroad safety advocate and champion of safety legislation in the USA. He was the first in line of a series of safety advocates, followed by people such as Ralph Nader in the automobile industry or Mary Schiavo in the aviation sector. He had a pioneering voice for the merging of two streams of safety technology and government policy control. Out of this development, an engineering design approach emerged, focusing on certification and standardisation of technical designs and products. The concept of failure is central to understand engineering, for engineering design has as its first and foremost objective the obviation of failure (Petroski, 1992). Lessons learned from disaster can do more to advance engineering knowledge than successful machines or technical designs.

Reliability Engineering

Reliability Engineering became a new engineering school based on the problems of maintenance, repairs and field failures during the Second World War. In communication and transportation, the rapid growth in complexity and automation fuelled the development of sophisticated techniques in probabilistic risk assessment (PRA). Cognitive aspects of human error came to maturity by the work of James Reason, defining and operationalizing the concept of human failure. Most recently, the reliability concept is expanded from the technical aspects into organisational aspects of systems. The concept of High Reliability Organisations by Laporte and Normal Accidents by Perrow examined the complex relation between organisational culture and safety.

Systems Engineering

The modern Systems Engineering School developed with the dawn of space transportation. This approach focused on accident prevention and was heavily supported by the development of safety standards, specifications and operating instructions. The Systems Safety concept calls for a systems life cycle safety analysis and hazard control actions from the conceptual phase of a system on into the design, development, manufacturing, construction, operation until modification and finally demolition.

Based on the analysis of a series of disasters, the sociologist Turner defined disaster not by its physical impact, but by its social impact: a significant disruption of existing cultural beliefs and norms about hazards and their impacts. He expanded the technical systems approach into socio-technical systems. As a consequence of expanding scopes, attention should also be paid to higher order systems levels and post-event consequences dealing with rescue, emergency and crisis management or administrative responsibilities, institutional constraints and policy decision making and policy management issues.

System deficiency and change

In addition to these three ‘schools of thought’ a fourth school has emerged during the last decade. Based on the operational experience of Transportation Safety Boards throughout the world, a school of ‘safety deficiency and system change’ is developing. In this school the concept of independence is crucial, separating the investigative mission and efforts from allocation of blame and vested interests of major stakeholders. This school also separates the investigations from scientific preferences or biases of a technical, behavioural, organisational or cultural nature. A fundamental issue is how to achieve a neutral and objective analytic result as a basis for safety enhancements. Consequently, this school no longer focuses on ‘deviation’ from a normative performance, but refers to ‘system deficiencies’. It emphasises the need to implement sustainable safety changes in the system rather than issuing recommendations without monitoring their lasting effects.

The focus is on safety critical characteristics in its structure, culture, contents and context with respect to safety critical performance throughout the life cycle of the systems. These characteristics can be identified and analysed along the lines of:
- an analysis of the primary processes and relevant actors during design and operation including their safety critical strategic decision making issues.

However, such a preventive encompassing analysis is not always feasible in practice due to the complexity and dynamic nature of transportation systems. Therefore, a second reactive approach is indispensable:
- an in-depth and independent investigation into systemic incidents, accidents and disasters. Such independent investigations may provide a temporary transparency as a starting point for removing inherent deficiencies in such systems.

3. NEW NOTIONS IN TRANSPORT SYSTEMS ENGINEERING DESIGN

In order to integrate safety in the design and construct of major projects, a new notion of systems engineering design and system architecture should be defined. This notion consists of three principal elements, being Design, Control and Practice (DCP). They can be interrelated along three dimensions, being a systems approach, a life cycle approach and a design approach. Together they constitute an integrated systems architecture prototype: the DCP diagram.

Challenges in safety engineering design

To manage consequences of new technology and innovation in transport systems engineering design, two principal lines are available:
- the Design-Control line. Along this line, decision making and safety assessment methods and standards should be elaborated, to facilitate coordination among stakeholders and actors participating in major infrastructure and transportation project developments. Several initiatives have already been taken such as safety impact assessment techniques, harmonization of standards by draft EU Guidelines and national legislation regarding tunnel safety.
- the Design-Practice line. Engineering design methods for integration of safety in technological innovation are in their earliest phases of development. Historically, an impressive variety of design techniques is available. However, these instruments focus on the detailing level of engineering design and are not fully generically applicable across modes, disciplines or sectors.

In order to design a coherent system and to maintain oversight over the system functioning, a system safety integrator role should be defined.

During the design of complex transport systems, a dedicated responsibility should be allocated to assure continuous monitoring of the safety aspects along both lines during its design. A safety expert should be a permanent member of the design team and should serve as system safety integrator (Stoop and Beukenkamp, 2003; Leeuwendaal, 2001; Combi-Road, 1996).

Lessons learned in the development of major infrastructure projects can be put in a wider perspective. Common concerns and similarities in other infrastructure projects and technological innovation can be identified. Such concerns could be expected in view of theoretical considerations regarding a systems approach, the decision making process and substantive aspects. Innovative solutions in aviation, railways and underground infrastructures have contributed to a significant increase in safety levels. Integrating safety into the technical design and construct process could be realized, but required a different notion of safety. Also a relation could be established with the control and management processes of the project. A proof of success is difficult, especially since safety performance parameters and supporting instruments are still under development (Stoop and Beukenkamp, 2003).

A systems architecture

A systems dimension defines three levels: the micro level of the user/operator, the meso level of organization and operational control and the macro level of institutional conditions. At this level the issue of integration of administrative and emergency organization across the various levels is crucial.

The life cycle dimension defines a series of subsequent phases, being design, development, construction, operation and modification. At this dimension, the coordination of decision making among actors across the phases is crucial.

The design dimension identifies three principal phases in design, being goal (expressed by a program of requirements, concepts and principles), function (expressed by design alternatives) and form (expressed by detailed design complying with standards and norms). At this dimension, the potential of technical innovation for new safety solutions is crucial.

Eventually, only in practice safety is visible and actual consequences of accidents occur. At each of the other levels and phases however, separated in time or space, safety critical decisions have been made by different actors. The diagram demonstrates who, how and at which moment can contribute to safety and risk assessment.
Fig 1. Systems architecture model: the DCP diagram (© J.A. Stoop 1996). Axes: Design, Control, Practice. Life-cycle (coordination): design, development, construct, operation, modification. Systems-level (integration): micro, meso, macro. Design (innovation): goal, function, form.
4. ASSESSING SAFETY IN THE DESIGN OF TRANSPORT SYSTEMS

Assessing safety in a design has traditionally been emphasizing type certification as the most common approach of the first engineering design school. Over the past decades, probabilistic risk standards have been introduced, migrating from stationary plant design in the process industry and energy sector. The influence of social risk perception is reflected in introducing rescue and emergency aspects. Such issues are in their first phases of implementation in the certification process such as with tunnel fire design requirements. This issue is represented by the introduction of the Safety Case, which may take the form of a mandatory element in certification processes in almost any area of technological industrial activity.
The Safety Case concept

Legal procedures such as Safety Cases have their practical origin in major disasters encountered in the UK with Windscale (nuclear power supply), Piper Alpha (offshore), Flixborough (process industry) and Ladbroke Grove (railways). Independent investigation in each of these disasters drafted recommendations for dealing with structural deficiencies in the systems. The first time a safety case was used in a major project was during the construction of the Channel Tunnel.

A Safety Case provides an independent assessment of the structure, transparency and maintenance of the evidence of a safe performance of the system throughout its life cycle, provided by the designer. The Safety Case identifies and defines the operating envelope and environment of a specific system and provides physical, procedural and process evidence of a safe use of the system. The Safety Case Report serves as the documented certification of a design to protect the designer, supplier and user from legal liability. Safety Cases provide transparency over the life cycle of a design and specify the operating envelope. By applying an integral safety concept, containing multiple performance indicators, an encompassing oversight is provided of the overall safety performance of a design. Safety Case Reports provide a relation between the design phase and other system life phases with similar instruments, such as Accident Reports after a system failure in practice and Audit Reports on the quality of performance of the safety management system. This type of reporting has common characteristics such as independence, a documented nature, provides legal protection, is evidence based and comprises top-level commitment. By these reports, feedback and feed forward learning loops are established, transferring evidence of actual and intended performance between design, control and operational practice. They provide input for identification of deficiencies and implementing changes in the systems across its life cycle phases.
The Roselawn incident

If such safety critical decisions are not explicitly encountered in the conceptual design phase, systemic deficiencies may occur in practice with catastrophic consequences. The crash of an ATR-72 airplane may serve as an example of how the operating envelope may be stretched beyond its limits by gradual expansion of the operating conditions without appropriate assessment of the criticality of the situation.

American Eagle flight 4184 departed from Indianapolis to Chicago anticipating bad weather at arrival. At 10,000 feet the de-icing was activated during descent and the airplane was put on holding. During descent to 8,000 feet, de-icing was initiated again and power was reduced. After a ‘flap overspeed’ warning, a roll maneuver was encountered and the plane crashed at Roselawn, nose down after a steep descent. The accident type was established as a ‘rudder hardover’ issue during holding of the aircraft in severe weather conditions.

The aircraft was put in extended holding, waiting for a delayed preferential landing of a connecting international flight. The ‘rudder hardover’ of the controls was caused by extended exposure to icing conditions in the holding pattern. The de-icing capacity of the aircraft equipment was insufficient to deal with the rate of icing, while the crew was not able to identify the extent of the icing at the control surfaces. In addition, the air traffic management did not realize that the airplane encountered critical operational conditions and consequently did not reconfigure its holding pattern. During a debriefing of the investigations, a senior captain in the meeting clearly indicated the systemic deficiency by stating: “What do you want if they put us on ice”.

5. CONCLUSIONS

In order to assess the safety impact of conceptual change and technological innovation in systems design, safety should be transformed from an operational and tactical issue in decision making into a pro-active and strategic issue. To this purpose, a transformation of the safety notion is required. A fourth school of safety thinking is emerging, focusing on system deficiency and system change. In order to operationalize such a new school of thinking, new system architectures, tools and assessment procedures have to be developed.

REFERENCES

Combi Road (1996). Combi-Road. Veiligheidsaspecten. CTT Publikatiereeks no. CTT Centrum Transport Technologie, Rotterdam.

McIntyre G. (2000). Patterns in safety thinking. Ashgate, 2000.

Rasmussen J. and Svedung I. (2000). Proactive Risk Management in a Dynamic Society. Swedish Rescue Service Agency, Karlstad, Sweden.

ETSC (2001). Transport accident and incident investigation in the European Union. European Transport Safety Council, Brussels.

Leeuwendaal (2001). De bochtige weg naar beheerst risico. Naar een evenwichtige besluitvorming bij grote infrastructurele projecten. Leeuwendaal Advies, the Netherlands.

Petroski (1992). To engineer is human. The role of Failure in Successful Design. Vintage Books, New York.

Stoop J.A. and Beukenkamp W. (2003). Monitoring safety in design and construct; the HSL-South case study. ITA World Tunneling Congress 2002, (Re)Claiming the underground space, 12-17 April 2003, Amsterdam, the Netherlands.

Stoop J.A. (2003). Critical size events: a new tool for crisis management resource allocation? Safety Science Vol no, pp 465-480.