An architecture model for communication of safety in public transportation

Academic year: 2021


Proceedings of TMCE 2016, May 9-13, 2016, Aix-en-Provence, France, edited by I. Horváth, J.-P. Pernot, Z. Rusák.  Organizing Committee of TMCE 2016, ISBN 978-94-6186-635-6

AN ARCHITECTURE MODEL FOR COMMUNICATION OF SAFETY

IN PUBLIC TRANSPORTATION

Mohammad Rajabalinejad Laboratory of Design, Production and Management

University of Twente, the Netherlands m.rajabalinejad@utwente.nl

ABSTRACT

Safety in transportation is under the influence of the rising complexity, increasing demands for capacity and decreasing cost. Furthermore, the interdisciplinary environment of operation and altered safety regulations invite for a centralized (integrated) modelling/ communication approach. This study highlights the problem, uses the conducted interviews, and explains a solution to the stated problem. This paper explains the architecture of solution, the safety integration model, and customized A3 architecture for the interactive communication of information. The customized A3 views for communication have been used in earlier studies and briefly presented in this paper.

KEYWORDS

Safety, architecture, framework, model, system, transportation

1. INTRODUCTION

Safe transportation has always been one of the primary demands of human societies, and rail transport has provided safe and affordable services all over the world. Among other factors, safety is one of the key success factors for transportation services [1]. To reach its full potential for passengers and goods, rail transportation in Europe requires updates. The European Commission aims for a reliable and safe rail transport that meets EU standards. This requires transparent policies for safety regulation, economic regulation and infrastructure management. As current rail transportation in Europe is fragmented geographically, economically and politically, EU countries have been asked by the European Railway Agency to publish development strategies that meet the needs of future mobility in terms of safety, maintenance and so on. This rather complex development raises concerns about safety. The European Railway Agency (ERA) observes slowing progress in safety improvement: “Despite a positive long-term trend in the risk of fatal train collisions and derailments over the past two decades, the data suggests that the progress has been slowing down since 2004 [2].”

There are methods and tools for assessing or managing system risk, as listed in [3-5]. They aim to ensure the delivery of safe products, systems or services. Yet at the system level, safety tools are not up to date, as there are unresolved issues related to safety at the system or interface levels (see e.g. [6-8]). These safety concerns are systematically under the influence of several performance indicators. This paper discusses this influence in more detail and explains the main, but not all, challenges that influence system safety. Section 3 then summarizes the key requirements for addressing these challenges. As issues at the system level demand solutions at the same level, Section 4 presents the architecture of the solution in the form of a plural approach to tackling the issue. Section 5 refers to an application example presenting the successful use of the solution in a complex project. This paper uses the term stakeholder broadly, to include users, experts, managers and so on.

2. WHAT HARMS SAFETY?

2.1. Complexity

While high-end technology offers new capabilities for the transport system, the complexity it brings may result in unintended system performance or unpredicted system behavior and ultimately influence system safety [8]. This is summarized in Figure 1, which presents how complexity leads to uncertain behavior or performance. As a transportation system is large-scale, complex and technology-intensive, with intense human interaction [9], it is widely accepted that its complexity challenges its safety [6, 10].

complexity to the system. While some people may perceive that new technology offers a higher level of serviceability and safety, integrating new technology into the currently operating system may introduce risk. Experts should adopt technology only to the extent that the resulting complexity remains manageable.

2.2. Capacity

Increasing demand for capacity challenges safety. While the need for capacity is easily sensed, the perception of system safety may be influenced by new or advanced technology, reliability or maintenance. The Dutch Safety Board found that too much focus on maintenance may cause concerns that are relevant to safety rather than availability to be overlooked. Furthermore, the adoption of a new fleet has drawn more attention to the availability of services. In fact, the accumulation of several concerns has produced a peak in demand for capacity, which can push safety even further aside. These concerns are mainly:

• disposal of the old fleet
• delivery of the new fleet
• increasing demand for rail transportation
• maintaining the operation
• punctuality of the operation

In brief, focusing on preventing service disruption may cause less attention to be paid to other performance indicators such as safety. It is important for system managers to keep availability, punctuality and safety in balance.

2.3. Interdisciplinary

There are often many stakeholders involved in transportation systems. This results in a high number of views, skills, responsibilities and interests. It has been observed in practice that a set of common interests within the system may gradually put pressure on safety management, which ultimately may have a decisive effect on system safety.

From another perspective, a high number of viewpoints makes it hard to preserve the complete system picture. This may ultimately lead to a situation of perfectly working sub-systems that do not interact with each other. Various practitioners and researchers have suggested approaches and methods to stimulate an integral approach that brings together different skills and perspectives, insisting that risk management is indeed teamwork [6, 11].

2.4. Adaptive response

ERA projects a shift from quantitative to qualitative safety data. This suggests that organizations deal with descriptions instead of numbers and with observation instead of measurement. A qualitative approach may use subjective indexes along with logical reasoning from different experts. This stimulates a proactive approach to predicting risk and taking preventive measures to eliminate or moderate the risk.

The proactive approach to risk management may add extra complexity to the system, and experts and managers have to be careful about this. The influence of proactive measures on system complexity has been discussed, for example, in [12]. If a certain measure increases system complexity, it may also cause safety issues. Figure 2 shows that careless adoption of safety measures may create a loop that causes safety issues.

[Figure 1: diagram. Complexity includes uncertainty; uncertainty results in unpredicted behaviour and undefined performance; both result in safety issues.]

Figure 1. System complexity may negatively influence system safety.

[Figure 2: diagram. Safety issues require extra measures; extra measures may increase system complexity; system complexity results in uncertainty, which results in safety issues.]

Figure 2. Extra measures to deal with safety issues may add to system complexity.

While taking measures to manage safety issues is vital, these measures should come with clear descriptions, and it should be confirmed with the system stakeholders that the measures are understood. This is necessary to avoid further complexity.

2.5. Regulations

Safety regulations are increasing: a hundred-fold increase in regulations between 1947 and 2008 is shown in [13]. Some of the literature doubts whether extra rules provide a higher safety level, as discussed for example in [14]. From another perspective, extra regulations may add to system complexity, causing emergent system behavior that compromises safety. An example presented in [12] explains why extra regulations may create a loop in the error-elimination process for practitioners. It concludes that extra regulations may decrease the probability of anything going wrong, yet they increase the possibility of a negative event as a result of extra-tight coupling between the sub-systems of a system.

2.6. Cost/ performance

Like other industries, the transportation industry demands higher performance while reducing the cost of services. From the safety perspective, increasing paperwork, extra safety staff, time drain and other factors impose extra cost on the system, and budget cuts put more pressure on safety management [15]. This means that risks have to be well mapped and prioritized so that proper measures can be taken in an optimized way.

2.7. Toolbox

Shortcomings of commonly practiced engineering tools in covering the safety aspects of complex systems have been discussed, for example, in [6, 8]. For example, [8] explains that safety tools mainly support fragmented analysis of a system, and that the safety analysis of a system is often field-specific. A system is analyzed from a certain perspective for being robust, reliable, fault-tolerant and safe. The integration process is well developed in the field of reliability engineering. Yet the integration of two reliable components does not necessarily lead to a safe situation. This clarifies the need for a tool that can address safety issues and integrate system concerns, dynamism and complexity.

3. KEY REQUIREMENTS

To fulfil the safety requirements and to understand their main expectations of a solution, stakeholders were interviewed (see [16]). This aimed to clarify the problem and help find a better solution. Interviewing several stakeholders in rail transportation resulted in the following key requirements, concluding that any possible solution should be capable of:

• communicating with stakeholders
• presenting safety concerns
• calculating/informing risk
• considering costs
• modelling hazards
• offering mitigation (and contingency) plans

The next sections discuss these requirements in more detail.

3.1. Communication

As systems become complex, it becomes more and more difficult to keep consistency. Studies show how information about a system is perceived and understood differently at different organizations or at different levels of operation within one organization [17]. System complexity makes it more and more likely that stakeholders pay attention only to their own system view. This may cause inconsistency of information about system issues or concerns and carries the danger that some safety concerns are not effectively communicated to the stakeholders. Therefore, the communication of proper information about system safety to stakeholders requires considerable attention.

3.2. Safety information

Access to up-to-date safety information about a certain aspect of the system can be a time-consuming process for experts [18]. Furthermore, the use of this information can be domain-specific, which may hinder the communicability of the information in other domains. Therefore, safety information has to become transparently available to stakeholders. The safety information should meet the requirements of stakeholders, which include but are not limited to:

• risks
• hazards
• costs
• consequences

A central safety information model ensures the consistency and reusability of information, which are key aspects for system success [19].

3.3. Mitigation plans

Hazards have to be mitigated in order to reach a safer system. This requires plans agreed among all stakeholders. As unexpected events may happen, contingency plans are also considered, to improve crisis management. The motivation is that the preventive schemes might fail, yet the system should remain functional. This may raise expectations of a system fully prepared for all scenarios, which imposes burdens that are not economic. Studies suggest that the safety chain is more a parallel than a series system. From this it follows that one should invest heavily in the performance of one component rather than disperse the budget over all of them [20]. These plans have to be transparently developed and communicated to stakeholders.

3.4. Transparency

Safety information should be transparent internally and externally. It should be internally transparent and communicate updated information and mitigation plans to stakeholders. It should also be externally transparent, as the system has to present evidence to the public to prove that it delivers safe services. The literature observes a change of focus from technical to non-technical issues in system safety, suggests an interdisciplinary approach with the involvement of practitioners as part of the solution, and recommends transparency in order to improve safety performance in socio-technical systems [21]. Transparency implies that all processes are available for examination, and a great deal of rail systems may not be immediately transparent [22]. Transparency helps to discover safety problems that cannot easily be seen. This, however, demands a change in attitude which is not always easily achieved. Transparency has been considered one of the achievements of modern systems for safety [23]. Transparency is recommended as integral to long-term management [24] and to safe design [25].

4. SYSTEM ARCHITECTURE

A system has an architecture, which can be implicit or explicit. An explicit architecture helps to achieve a shared understanding of the system [26]. This facilitates communication by creating a consistent system picture and makes that picture less dependent on personal experience. Furthermore, it helps to capture knowledge and share it transparently. A graphical representation of the architecture helps to achieve this more effectively.

Safety should be explicitly embedded in the system architecture. Figure 3 shows that a Safety Information Model (SIM) is considered part of the architecture. The SIM includes safety concerns and communicates with stakeholders through customized views. The SIM, safety concerns and customized views are explained further in the next sections.

4.1. Safety Information Model (SIM)

The SIM includes domain-specific safety information in functional, physical and quantified views of system safety. These respectively present hazards, the chain of events (in case of an accident), and quantified values in terms of e.g. risk and cost. Figure 4 shows the main components of the SIM.

[Figure 3: diagram. The system architecture has a SIM; the SIM generates specific views for stakeholders; stakeholders have safety concerns, which the SIM includes; the specific views feed back into the SIM.]

Figure 3. System architecture and its relationship with SIM.

[Figure 4: diagram. The SIM includes domain-specific safety information: hazards (functions), chain of events (consequences) and quantification (cost); the SIM generates specific views, which feed back into it.]

Figure 4. Safety information model.

4.2. Safety concerns

The safety concerns of stakeholders cover many safety issues of the system. The SIM captures and processes this information in real time through an interface with system stakeholders. Thus it is capable of presenting the influence of any decision made by one stakeholder on other system elements or other stakeholders. Figure 5 shows a model for involving stakeholders' concerns about risk (hazards and cost) as part of a SIM that communicates with stakeholders.

4.3. Customized views

Stakeholders need a proper level of information about system safety. Too much information loses the focal points and too little information provides a vague description. In order to communicate effectively with stakeholders, the following items have to be considered.

• Stakeholder's interest: For each stakeholder (or expert) a specific view is to be designed. This view should be capable of producing the proper level of information that is demanded from the system.

• Preparation and validation: A proper view is to be prepared, tested and validated to make sure that the customized view is sufficient.

• Interactive communication: The view has to be able to provide information to the stakeholder and feed back into the system.

• Update: The view should be capable of updating the safety information model.

• Completeness check: It should be possible to update the view in order to meet the stakeholders' expectations and meet

Studies have been conducted on communicating the proper level of information to experts or stakeholders. Among others, Borches suggests the A3 Architecture Overview [27], which was found to be effectively communicative in different case studies [28].

Figure 5. A model for stakeholders’ concerns and its relationship with SIM.

4.4. Integral model

The structures presented in the previous sections are integrated through the model shown in Figure 6. This suggests forming a safety architecture that focuses on safety concerns in terms of physical, functional and quantified views and customizes information for stakeholders. Moreover, it communicates the mitigation and contingency plans and collects recommendations for system revisions. The model aims to communicate with stakeholders who may have different levels of knowledge or fields of expertise. Therefore, the model does not use domain-specific languages or symbols such as UML or SysML.


[Figure 6: diagram. The system has an architecture, which includes the safety model; the safety model includes safety concerns about stakeholders' concerns, which are about risks (hazards, costs, consequences); the model generates specific views, which feed back; it includes mitigation plans, contingency plans, unexpected/(mis)use cases and recommendations for system revisions.]

Figure 6. The Safety architecture for public transport.
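As an added illustration (not code from the paper or its authors), the following Python sketch models the SIM of Sections 4.1 to 4.4: hazards carry a functional view (the function threatened), a physical view (the chain of events) and a quantified view (probability and cost, hence risk); each stakeholder gets a customized view filtered to their functions at a chosen level of detail; and a stakeholder's decision feeds back into the single central model, which then reports whose views that decision changes. All hazard names, stakeholders, probabilities and costs are constructed placeholders, not figures from the paper.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Hazard:
    """One hazard: functional view (function), physical view (consequences)
    and quantified view (probability, cost, risk)."""
    hid: str
    function: str              # system function the hazard threatens
    consequences: List[str]    # chain of events if the hazard materialises
    probability: float         # expected occurrences per year (constructed)
    cost: float                # expected loss per occurrence, EUR (constructed)
    mitigations: List[str] = field(default_factory=list)

    def risk(self) -> float:
        """Quantified view: annual expected loss."""
        return self.probability * self.cost


class SIM:
    """Central Safety Information Model: one consistent store, many views."""

    def __init__(self) -> None:
        self.hazards: Dict[str, Hazard] = {}
        self.interest: Dict[str, List[str]] = {}   # stakeholder -> functions of interest
        self.revisions: List[str] = []              # recommendations fed back to the model

    def add_hazard(self, h: Hazard) -> None:
        self.hazards[h.hid] = h

    def register(self, stakeholder: str, functions: List[str]) -> None:
        self.interest[stakeholder] = functions

    def view(self, stakeholder: str, detail: str = "summary") -> Dict[str, dict]:
        """Customized view: only hazards touching the stakeholder's functions,
        at the requested level of detail, highest risk first (the focal points)."""
        relevant = [h for h in self.hazards.values()
                    if h.function in self.interest.get(stakeholder, [])]
        out: Dict[str, dict] = {}
        for h in sorted(relevant, key=lambda x: x.risk(), reverse=True):
            entry = {"function": h.function, "risk_eur_per_year": round(h.risk(), 2)}
            if detail == "full":   # full view adds the physical and quantified details
                entry.update(consequences=h.consequences, mitigations=h.mitigations,
                             probability=h.probability, cost=h.cost)
            out[h.hid] = entry
        return out

    def feedback(self, stakeholder: str, hid: str, mitigation: str,
                 new_probability: Optional[float] = None) -> List[str]:
        """Interactive feedback: a stakeholder's decision updates the central model;
        returns the other stakeholders whose views this decision changes."""
        h = self.hazards[hid]
        h.mitigations.append(mitigation)
        if new_probability is not None:
            h.probability = new_probability
        self.revisions.append(f"{stakeholder}: {hid} <- {mitigation}")
        return sorted(s for s, fns in self.interest.items()
                      if s != stakeholder and h.function in fns)


def build_demo_sim() -> SIM:
    """Constructed sample data (hypothetical hazards and stakeholders)."""
    sim = SIM()
    sim.add_hazard(Hazard("H1", "train separation",
                          ["signal passed at danger", "collision"], 0.05, 4e6))
    sim.add_hazard(Hazard("H2", "traction power",
                          ["catenary failure", "stranded train"], 0.5, 5e4))
    sim.add_hazard(Hazard("H3", "boarding",
                          ["door closes on passenger", "injury"], 2.0, 1e4))
    sim.register("infra_manager", ["train separation", "traction power"])
    sim.register("operator", ["train separation", "boarding"])
    sim.register("safety_board", ["train separation", "traction power", "boarding"])
    return sim
```

Calling `build_demo_sim().view("operator")` lists only H1 and H3, and after `feedback("operator", "H1", ...)` lowers H1's probability the same view re-ranks H3 above H1 while the infra manager and safety board are reported as affected.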

5. EXAMPLE APPLICATIONS

The A3 architecture has been used successfully for customized communication with stakeholders in different contexts (see e.g. [28, 29]). A3 views customized for safety communication have also been developed and used in the context of rail transportation; these are presented in [16]. An example view is shown here in Figure 7. This method has proved its efficiency in communicating a proper level of information to a specific stakeholder.

6. CONCLUSION

This paper proposes a safety architecture for dealing with system safety through a pluralistic approach where a central safety model captures and communicates the safety information. It promotes transparent communication of safety concerns, mitigation plans and system revisions.

The proposed architecture has been developed on the basis of a study in rail transportation, yet its principles overlap with those of other safety-critical systems and seem to be applicable to other complex systems.


Figure 7. An A3 Architecture Overview that represents hazards, physical effects, and quantified values for a certain scenario for High Speed Train Lines in the Netherlands (see [16]).

REFERENCES

1. Rajabalinejad, M., van Dongen, L. and Martinetti, A., Operation, Safety and Human: Critical Factors for the Success of Railway Transportation, in System of Systems, 2016, Kongsberg, Norway.

2. European Railway Agency (ERA), Intermediate report on the development of railway safety in the European Union, 2013.

3. ISO 12100:2010, Safety of machinery - General principles for design - Risk assessment and risk reduction, 2010.

4. ISO 31000:2009, Risk management - Principles and guidelines, 2009.

5. Rajabalinejad, M., Coping with System Hazards in Early Project Life Cycle: Identification and Prioritization, in The Sixth International Conference on Performance, Safety and Robustness in Complex Systems and Applications, 2016, Lisbon, Portugal.

6. Leveson, N., Engineering a Safer World, Massachusetts Institute of Technology, Cambridge, Massachusetts and London, England, 2012.

7. Parchment, A., Development of a Novel Method for Cross-Disciplinary Hazard Identification, Cranfield University, 2013.

8. Rajabali Nejad, M., Bonnema, G.M. and van Houten, F.J.A.M., An integral safety approach for design of high risk products and systems, in Safety and Reliability of Complex Engineered Systems, P. et al. (Eds.), Taylor & Francis Group, Zurich, Switzerland, 2015.

9. Ramos, A.L., Ferreira, J.V. and Barceló, J., Model-based systems engineering: An emerging approach for modern systems, IEEE Transactions on Systems, Man, and Cybernetics, Part C (Applications and Reviews), 2012, 42(1), pp. 101-111.

10. Harvey, C. and Stanton, N.A., Safety in System-of-Systems: Ten key challenges, Safety Science, 2014, 70, pp. 358-366.

11. Park, J.Y., Model-based Concurrent Systems Design for Safety, Concurrent Engineering, 2004, 12(4), pp. 287-294.

12. Bradley, J., Efatmaneshnik, M. and Rajabalinejad, M., Toward A Theory of Complexity Escalation and Collapse for System of Systems, in System of Systems Engineering, 2015, San Antonio, TX, USA.

13. Townsend, A.S., Safety Can't Be Measured, Gower Publishing, Farnham, UK, 2013.

14. Amalberti, R., The paradoxes of almost totally safe transportation systems, Safety Science, 2001, 37(2-3), pp. 109-126.

15. Hoj, N.P. and Kroger, W., Risk analyses of transportation on road and railway from a European Perspective, Safety Science, 2002, 40(1-4), pp. 337-357.

16. Schuitemaker, K., Rajabalinejad, M. and Braakhuis, J., A Model Based Safety Architecture Framework for Dutch High Speed Train Lines, in System of Systems Engineering, 2015, San Antonio, TX, USA.

17. Wold, T. and Laumann, K., Safety Management Systems as communication in an oil and gas producing company, Safety Science, 2015, 72, pp. 23-30.

18. Woestenenk, K., Consistency, Integration, and Reuse in Multi-Disciplinary Design Processes, University of Twente, Enschede, 2014.

19. Woestenenk, K., et al., Capturing Design Process Information in Complex Product Development, Proceedings of the ASME International Design Engineering Technical Conferences and Computers and Information in Engineering Conference, 2011, Vol. 2, Pts A and B, 2012, pp. 1351-1360.

20. Jongejan, R.B., Jonkman, S.N. and Vrijling, J.K., The safety chain: A delusive concept, Safety Science, 2012, 50(5), pp. 1299-1303.

21. Stoop, J. and Roed-Larsen, S., Public safety investigations - A new evolutionary step in safety enhancement?, Reliability Engineering & System Safety, 2009, 94(9), pp. 1471-1479.

22. Elms, D., Rail safety, Reliability Engineering & System Safety, 2001, 74(3), pp. 291-297.

23. Dekker, S.W.A., The bureaucratization of safety, Safety Science, 2014, 70, pp. 348-357.

24. Drew, C.H., Nyerges, T.L. and Leschine, T.M., Promoting transparency of long-term environmental decisions: The Hanford decision mapping system pilot project, Risk Analysis, 2004, 24(6), pp. 1641-1664.

25. Hale, A., Kirwan, B. and Kjellen, U., Safety by design, Safety Science, 2007, 45(1-2), pp. 3-9.

26. Bonnema, G.M., Insight, Innovation, and the Big Picture in System Design: Application of FunKey Architecting, Systems Engineering, 2011, 14(3), pp. 223-238.

27. Borches, P.D. and Bonnema, G.M., Coping with System Evolution - Experiences in Reverse Architecting as a Means to Ease the Evolution of Complex Systems, 2008.

28. Brussel, F.F. and Bonnema, G.M., Interactive A3 Architecture Overviews: Intuitive Functionalities for Effective Communication, Procedia Computer Science, 2015, 44, pp. 204-213.

29. Haveman, S.P. and Bonnema, G.M., Communication of Simulation and Modelling Activities in Early Systems Engineering, Procedia Computer Science, 2015, 44, pp. 305-314.
