From Prescription to Performance-Based Regulation

One regulatory development that has stuck since the start of the new century is the idea that we need to transition from prescriptive requirements to performance-based requirements. It’s not too hard to understand where the motivation to change has come from, but there are several strands to the path. Here are three that come to mind.

For one, the intense dislike of overbearing governmental regulators who adopt an almost parental attitude towards industry. It’s true that safety regulatory bodies have a duty to serve the public interest. The difficulty arises in interpreting that brief. Not as police officers sometimes did, imagining everyone as a potential miscreant.

My experience as a regulator started at a time when the traditional institutional approach was quite common. There was a respectful distance between the airworthiness surveyor or operations inspector and the aviation industry that they oversaw. I think even the term “surveyor” was one inherited from the insurance industry at the birth of flying.

A wave of liberalisation swept into the 1980s. It was anathema to those who started their careers as men from the Ministry. The idea that regulators should be in a partnership with industry to meet common goals was not easily accepted. Undoubtedly a change was necessary and, naturally, easier for an up-and-coming generation.

The next move away from regulatory prescription came as its value declined. That is not to say there will not always be an element of prescription, as a matter of the written law. However, for detailed technical considerations it became less and less practical to say: this is the way it must be. The minute decision-makers were faced with the complexity of a microprocessor it became clear that it’s not effective simply to prescribe solutions.

Much of the change that took place can be traced to the evolution of system safety assessment and the use of probabilistic methods in aviation. In mechanics, prescribing a safety guard for a chain drive is straightforward. For complex electronics, saying when a flight system is safe enough requires a different approach. Regulators are now driven to set objectives rather than dictate solutions.

My third point is a forward-looking one. Whatever the history and heritage of aeronautical innovation, it’s true that a “conservative” but rapid adoption of new technology continues to be a source of success. Great safety success as well as commercial success.

Hidden amongst the successes are products, and ways of working, that don’t make the grade. The joke goes something like this: “How can I make a fortune in aviation?” Answer: “Just start with a big one.” Implicit in this observation is a willingness to innovate at risk. That means, amongst many things, having confidence and adaptability, and not being so constrained as to be assured of failure. An objective or performance-based approach to safety regulation opens the opportunity to innovate more freely whilst still protecting the public interest in safety.

There’s no fixed destination for regulatory development.

Dependency

It’s not unique. Charles Dickens wrote about it. We don’t like to admit it. We have a dependency on bureaucracy. Our complex society runs on it.

Whatever we do, when it comes to the meeting of an individual with an organisation, it’s inevitable. Irrational people deny this fact or say it’s only true of public bodies, like government departments. It’s as if the generally high performance of modern computer systems renders them completely invisible.

One apt illustration of a dependency on systematic bureaucracy and digitisation combined can be read in a carefully constructed e-mail from the CEO of Sainsbury’s this weekend.

“I’m writing to update you on the technical issue that has affected our Groceries Online deliveries and some services in our stores this weekend.”

This could have come from any large complex organisation that exists in today’s digital world. When outages happen, we all sit patiently for affected systems to come back online with the full services that we normally take for granted. A sudden reversion to traditional cash transactions was a shock to the average post-COVID consumer.

This weekend my experience of one major hotel chain was that they would not accept cash at all in their restaurant. My “paper” money was useless. It sat in my pocket.

What we have is the power of utility. Systems become so good that we build ever more dependency on them doing the right thing, every time. The problem is that systems are often programmed to do certain tasks exceptionally well, but as soon as there’s an unexpected deviation outside normal parameters the situation does not go well.

An illustration of that experience can be read in the public version of the interim report on UK NATS[1]. After that event, and similar unfortunate events, there’s a cavalcade of calls for more contingency, more resilience, more planning, more training, more checking and so on.

That list is perfectly sensible. But wouldn’t it have been better if those actions had been taken up-front? I often saw this discovery in my time doing systems certification audits. Companies that spent a lot of money upfront to build software that was well characterised and tested were not guaranteed success, but their chances were greatly improved. Those that hit the road with over-confidence, marketing hype and rigorous cost cutting had a high probability of negative outcomes. It’s not a simple cause and effect, but good system architecture, robust software and a management that understood the need to spend time and money judiciously do well.

Just think. If a runner ran a marathon without a strategy, training, basic fitness, planning and sound motivation, no one would expect them to win anything unless they were exceptionally lucky or unbelievably talented. Not many are in the latter category.

There’s a lesson here. It’s been repeated over and over. Sadly, the almost complete invisibility of complex systems that work well in everyday life means we soon take them for granted. And the result is?


[1] https://www.caa.co.uk/publication/download/21478

Adaptation

There was a time when AI was an esoteric subject that filled the minds of high-minded professors. They had real trouble trying to translate what they were doing into language that most of us would understand. Research in the subject area was the purview of national institutes and military facilities. Results flowed into academic journals and little-read folders in the corners of university libraries.

That has changed. What was expensive to build and test, because everything was unique or bespoke, no longer is. Enough is known about the algorithms that work, and the ones that don’t, to make practical experimentation much more viable. AI tools are turning up on our desktops, tablets, and phones without us even asking. Opting in is often assumed.

A massive number of applications are nothing more than fizz. They can be useful, but they are not game changers, and our lives carry on much as before. What is new, or at least pushing at the door, is applications that control things in our everyday environment.

If traffic lights start guessing what my age is before allocating a maximum time to cross the road, we are going to see a good amount of pavement rage when they get it wrong. When AI algorithms drive my car for me it’s going to be a bad day when accidents start to accumulate[1] (even if the total system of systems is far safer than us mere humans). Anyway, it’s easy to write scary stuff about AI. In this case I’d like to highlight some positive gains that might be realised.

A lot of what is designed, produced, and sold is pretty much fixed the day it leaves the shop or showroom. Yes, for example, cars are recalled for fixing known deficiencies, but the threshold for taking such action is extremely high. Even in a safe industry like civil aviation, dealing with an unsafe condition that has been discovered takes time and a great deal of resources.

AI has the potential to be adaptive[2]. So, that thing that you buy, car, washing machine, or whatever, will have the inbuilt ability to learn. To adapt to its situation. To be like others of its type but, over time, to customise itself to the needs of its user.

Just imagine a domestic appliance that can adapt to its pattern of use. Always staying within safe boundaries, producing maximum energy efficiency, and doing its job to the best of its specification. Let’s imagine a car that gets to know common routes and all the hazards on those routes, and even takes the weather and time of day into account when driving those routes.

In all that adaptive potential there’s great benefit. Unlike buying gloves that are made to specific standard sizes and don’t quite fit you, the adaptive glove would be that malleable leather that slowly gets a better and better fit with use. AI will be able to do that if it gathers the right kind of data.

Now naturally, this gets complicated if the adaptive element is also safety related. The control system in a car, truck, tram, train, or aircraft must get it right day after day in a wide range of conditions. Nevertheless, if systems are constrained within known safe boundaries there’s much to be gained by adaptation. This is not taking control away from the human in the loop but making it easier to do what humans do best. Just a thought.


[1] https://www.washingtonpost.com/technology/2023/09/28/tesla-trial-autopilot-crash/

[2] https://luffy.ai/pages/IS-DR.html

Safety in numbers. Part 2

Previously, we walked along a path through some simple statistics as they relate to aircraft systems. Not wishing to sound like the next episode of a popular drama, the only recap needed is this: by making a few assumptions we showed that, where P is the probability of failure of one system and n is the number of similar, concurrently operating, independent systems:

A total failure (all n systems failed) occurs with probability P^n

A single failure (any one of the n systems failed) occurs with probability n × P

It’s as well to distinguish between the total system and the sub-systems of which it is composed. For example, we can have one aircraft normally operating with four engines. Here we can call each individual engine a sub-system. The word “simple” is best applied to highly reliable sub-systems where there are only a few of them and n is a low number.

Aviation is going through a period of great change. A big part of that change is electrification. Today, there are numerous quadcopter designs. The name gives it away. Here we are dealing with 4 electric motors connected to rotors. Some new aircraft designs go much further, with as many as 18 electric motors. That’s 18 similar sub-systems all contributing to the safe flight and landing of an aircraft.

Superficially, it would be easy to say that if n equals 18 then the chance of all propulsion failing simultaneously is astronomically low. That’s true, but only if considering the reliability of the electric motors providing propulsion in isolation. Each electric motor makes only a partial contribution to the safe performance of the aircraft.

Just as with fuel systems in conventional aircraft, in an electric aircraft each of these sub-systems is dependent upon a source of power being provided. If that source of power disappears, the aircraft’s motor count becomes irrelevant. This is referred to as the consideration of common-mode failures. The electric motors may be independent in operation, but they are all dependent upon the reliable supply of electrical power.

Before a discussion of common-mode failures, let’s go back to the earlier maths. We can see that the loss of one electric motor amongst 18 occurs with a probability of 18 × P. Unfortunately, in these cases the number of possible combinations of multiple failures increases.

Given that this subject is so much easier to discuss when dealing with small numbers, let’s consider the quadcopter. Here there are 4 electric motors and 4 groups of distinct failure condition: 1 motor failed, 2 motors failed, 3 motors failed, and 4 motors failed. For the sake of argument let’s say they perform the same function and call them motors A, B, C and D.

Except for the case where all 4 motors fail, the other 3 cases produce an outcome with a reduced aircraft capability. We already have the way of calculating the probability of total failure and of a single failure, so it’s the double failure and triple failure cases that are of interest.

Let’s step through the combinations of double failures that can occur. Here they are: A and B, B and C, C and D, D and A, A and C, B and D. There are 6 unique combinations that make up double failures.

Let’s step through the combinations of triple failures that can occur. Here they are: A and B and C, B and C and D, C and D and A, D and A and B. There are 4 unique combinations that make up triple failures. We can tabulate these findings for our quadcopter motor failures thus:

Single   Double   Triple   Total
4P       6P^2     4P^3     P^4

There’s a nice pattern in this table of probabilities: the coefficient is the number of ways of picking the failed motors, and the power of P is the number of motors failed. The number of possible combinations of multiple failures grows as n grows.

Now we get more into the subject of combinations and permutations. The word “combination” is the one more often in common usage. When we use that word, it really doesn’t matter in what order the failures occur. Often one combination is like another, and so each may not be entirely unique in its impact on the flight of an aircraft. Hence the doubles and triples above.

With 4 electric motors there are 24 possible orderings (permutations) in which the motors could fail. This is calculated thus:

n! = n × (n – 1) × (n – 2) × (n – 3) × … × 1, so for n = 4 that is 4 × 3 × 2 × 1 = 24

This is pronounced “n factorial”. So, for n = 18 this gets big. In fact, it’s 6,402,373,705,728,000.

However, as we have seen from the quadcopter discussion, it’s the grouping of failure conditions that we are most often interested in. After all, for safe flight and landing of an aircraft we need to manage those failure conditions that can be managed, while at the same time reducing the probability of occurrence of the failure conditions that can’t be managed.

That’s a lot of work. It may explain the drive to develop autonomous aircraft systems. The case could be made that managing flight is impossible when subject to the vast array of potential combinations and permutations of failure conditions that can exist within a multi-rotor system where n is large.
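To make the counting above concrete, here is a small added example (my own code, not from the original article) that reproduces the quadcopter table from the binomial coefficient C(n, k), enumerates the distinct double and triple failure sets for motors A, B, C and D, contrasts the 24 orderings given by n! with the 6 unordered double-failure sets, and then adds the common-mode term discussed earlier: a single shared power supply whose own failure probability q is assumed. The per-motor failure probability P and the supply probability q are constructed sample values, not figures from the article.

```python
from fractions import Fraction
from itertools import combinations
from math import comb, factorial

# Constructed sample values (not from the article): per-motor failure
# probability P for one flight and a shared power supply failure probability q.
P_MOTOR = Fraction(1, 1000)
Q_SUPPLY = Fraction(1, 10**6)


def leading_term(n: int, k: int, p: Fraction) -> Fraction:
    """Probability that exactly k of n independent motors fail, keeping only the
    leading term C(n,k) * P^k. For n = 4 this gives 4P, 6P^2, 4P^3, P^4."""
    return comb(n, k) * p**k


def exact_k_failures(n: int, k: int, p: Fraction) -> Fraction:
    """Exact binomial probability that exactly k of n independent motors fail:
    C(n,k) * P^k * (1-P)^(n-k). The factor (1-P)^(n-k) is what the leading
    term drops; for small P the two agree closely."""
    return comb(n, k) * p**k * (1 - p) ** (n - k)


def failure_sets(motors: str, k: int) -> list[str]:
    """Distinct unordered sets of k failed motors, e.g. 'AB', 'AC', ..."""
    return ["".join(c) for c in combinations(motors, k)]


def failure_table(n: int, p: Fraction) -> dict[int, Fraction]:
    """Leading-term probability for every failure count 1..n (the article's table)."""
    return {k: leading_term(n, k, p) for k in range(1, n + 1)}


def orderings(n: int) -> int:
    """n! : the number of orders in which n motors could fail (permutations)."""
    return factorial(n)


def all_propulsion_lost(n: int, p: Fraction, q: Fraction) -> Fraction:
    """Loss of all propulsion when n independent motors share one power supply.
    Either the supply fails (q), or it survives and every motor fails (P^n).
    This is a constructed two-level model to show how the common-mode term
    dominates the astronomically small P^n for large n."""
    return q + (1 - q) * p**n


if __name__ == "__main__":
    motors = "ABCD"
    for k in (2, 3):
        sets = failure_sets(motors, k)
        print(f"{k}-motor failure sets ({len(sets)}): {', '.join(sets)}")
    print("Quadcopter table (leading terms):", failure_table(4, P_MOTOR))
    print("4! orderings =", orderings(4), "vs C(4,2) unordered doubles =", comb(4, 2))
    print("18! =", orderings(18))
    print("18 motors, all fail, independent: ", float(P_MOTOR**18))
    print("18 motors, all fail, shared supply:", float(all_propulsion_lost(18, P_MOTOR, Q_SUPPLY)))
```

Running it shows the six double and four triple sets exactly as listed in the article, the 24 versus 6 distinction between orderings and unordered combinations, and that once a shared power supply is modelled the probability of losing all propulsion is set by the supply, not by the motor count.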

[Do you agree?]

Tea or Coffee

I’ll grab a newspaper and flick through the pages. I can almost guarantee that in all the thousands of words used to describe the events of the week nowhere will you see the word “determinism”. Now, that shouldn’t surprise anyone. Or at least anyone who doesn’t spend their days in the systems engineering world. Yet the basic idea of determinism is ingrained in everyday thinking.

Yesterday, I bought a new kettle. It works well. I can take cold fresh water from my kitchen tap, fill it to the two-cup line and press the button with confidence that within a couple of minutes I’ll have boiling water. Cause and effect are truly well connected. I pay my electricity bill and expect current to flow when the switch is thrown. I’d be really annoyed if my new kettle didn’t do what it said it would do on the box it was packaged in. My cup of tea is assured.

Now, let’s step into an imaginary future. Well, a future that is not as imaginary as might first be thought. I’ll set aside my morning tea-drinking habit and brew a coffee instead. I haven’t got one, but they are certainly being advertised. That’s a coffee machine that’s connected to the INTERNET[1]. It can be given voice commands to make my favourite brew. It has an app where I can set up my preferences. It’s a whizzy way to get an espresso.

I don’t say this function exists, only that as soon as the connection is made to an external service, what happens next becomes just a little less predictable. A coffee machine with an integrated voice activation system will do as it’s told. At least we assume it will do as it’s told. Thus, cause and effect remain connected. Stand back. The door has now been opened. Let’s say, after I acquired the coffee maker, the anxious manufacturer changes the algorithm that runs the machine. They want me to drink the maximum number of their wonderful coffees but without going to the dark side.

Next time I go for a smart espresso the machine talks back: “Are you sure? You’ve had 5 coffees already this afternoon.” I have no knowledge of, or control over, the algorithm that’s coming up with this talk-back. The question might be fair, sensible, and looking after my health, but in that moment I have no ability to predict what the machine will do next. Will it let me carry on regardless? Or will it say: “No, you’ve had enough. Come back and talk to me in an hour.” The simple cause-and-effect relationship I have with my new kettle is no more. Without being warned, I’ve strayed into the world of non-determinism.

I think you can now appreciate the purpose of this short article. It’s to point out that our quaint classical deterministic world is going to go through a shakeup. Think of the scenario above for a car or an aeroplane. It’s not inevitably bad. In fact, non-deterministic systems offer huge potential benefits. My message is that we’d better be ready for all aspects of this transition.

I’ve made the contrast between either one or the other. In reality, there will be a fuzzy zone between what’s deterministic and what’s non-deterministic. The tea or coffee drinker may have a choice in different places at different times for different reasons.


[1] https://www.lavazza.co.uk/en/landing/voicy.html