Transcript of "SYSTEM DESIGN AND OPERATION: THE IMPORTANCE OF DOCUMENTING WORKING ASSUMPTIONS" · 2019 (18 slides)

  • SYSTEM DESIGN AND OPERATION: THE IMPORTANCE OF DOCUMENTING WORKING ASSUMPTIONS

    Dr. Nektarios Karanikas, Lt Col (HAF, ret.), MSc, PMP, MIET, MRAeS, CEng, GradIOSH

    Associate Professor of Safety & Human Factors, Aviation Academy, Amsterdam University of Applied Sciences

    Hellenic Army University, 7 December 2017, Athens, Greece

  • ALASKA FLIGHT 261


  • DC-9 AIRCRAFT: LUBRICATION OF THE TRIM JACKSCREW ASSEMBLY

    • Mid 1960s: task every 300 to 350 FH
    • 1985: every other B-check (350 FH) -> task every 700 FH
    • 1987: B-check interval increased to 500 FH -> task every 1000 FH
    • 1988: B-checks cancelled and their tasks distributed across A- and C-checks -> task every 8th A-check (125 FH) -> task every 1000 FH
    • 1991: A-check interval increased to 150 FH -> task every 1200 FH
    • 1994: A-check interval increased to 200 FH -> task every 1600 FH
    • 1996: Alaska Airlines removed the task from the A-checks -> task every 8 months -> task every 2550 FH on average
    • What about missing a check at one of the aforementioned intervals?

  • MORE ABOUT THE FLIGHT 261 CASE

    • Jackscrew:
      • Was originally classified as a structural component, not as a sub-system component
      • But structural components do not undergo system safety analysis
    • Airworthiness requirements:
      • Can we predict components' wear? By engineering judgment? Argument? Best guess? Calculations?
    • Who is going to operate/maintain the system?
    • How will technological evolution be adopted by, and influence, older systems?
    • Are pressure, resources, uncertainties etc. anticipated in the system design?

  • WHY ASSUMPTIONS?

    • Assumptions are inextricable parts of problem-solving, because our knowledge, capacity and resources are too limited to:
      • completely comprehend system dynamics and complexity
      • exert full control over interactions and individual behaviours
      • ensure entirely that our solutions will withstand any external or internal disturbance
    • Assumptions mainly refer to:
      • the conceptual and analytical models used
      • the relationships and behaviours of system elements, considering also the surrounding conditions
      • the quality of the available data

  • ASSUMPTIONS AND SYSTEM PERFORMANCE

    • The more assumptions are made, the higher the dependency on agents and factors outside our direct control
    • The validity of assumptions is of paramount importance for maintaining the viability of any solution
    • Assumptions must be visibly documented so that they can be checked and revised
    • The more invalid assumptions there are, the more vulnerable the system
    • Monitoring the validity of assumptions can function as a leading performance indicator

  • OVERALL PICTURE (1/2)

    • Ten assumption groups have been identified
    • Assumptions might be generated at various stages of system/hazard analysis
    • Assumptions falling in six of the groups are deemed inevitable
    • The assumptions linked to the remaining groups depend on the scope of, and the resources for, the analysis and the utilisation of its products

  • SYSTEMS VIEW: AN “OPEN” CONTROL LOOP

    [Two figure slides, cited to Leveson, 2011]

  • OVERALL PICTURE (2/2)

    • The analysis stage and the system level at which assumptions are made are connected with their expected impact:
      • the higher the hierarchical level at which assumptions are invalid, the higher the vulnerability of the system
      • assumptions generated earlier in the analysis have larger effects on system performance than assumptions made at lower analysis levels
    • Monitoring the validity of assumptions is therefore suggested to be performed under a top-down, system-level priority

  • ASSUMPTIONS: SYSTEM DEFINITION

    The elements and interactions excluded from the analysis, where applicable:

    • have predictable effects on the system under study (Assumption group No 1 - Inevitable)
    • change at a pace that allows the system under study to adapt successfully and keep achieving its objectives (Assumption group No 2 - Inevitable)

  • ASSUMPTIONS: SYSTEM OBJECTIVES & CONSTRAINTS

    Assumption group No 3 (System Objectives): The system objectives included in the analysis do not conflict with the system objectives excluded from the analysis

    Assumption group No 4 (System Constraints): The agents outside the system under study maintain the system constraints assigned to them

  • ASSUMPTIONS: ANALYSIS DEPTH & SYSTEM REQUIREMENTS

    Assumption group No 5 (Inevitable): The behaviour of elements and/or subsystems belonging to system levels lower than the ones analysed can be confidently predicted

    Assumption group No 6 (Inevitable): External agents will fulfil the requirements assigned to them

    Assumption group No 7 (Inevitable): The system controllers will fulfil the requirements assigned to them, given that the external agents will have fulfilled their relevant requirements

  • ASSUMPTIONS: CAUSAL SCENARIOS (SAFETY CASES) TESTING

    Assumption group No 8: The occurrence of the causal scenarios that are not to be tested is practically improbable

    Assumption group No 9: The requirements excluded from scenario testing are always fulfilled

    Assumption group No 10 (Inevitable): The results from causal scenario tests are reliable and valid

  • REMARKS

    • Additional assumptions: the skills and knowledge of the analyst, in terms of analysis depth and quality.
    • Analysts must be aware of the possible and inevitable "imperfections" of any analysis.
    • Every analysis technique is subject to assumptions.
    • Document and trace assumptions consistently and transparently to increase the credibility of your analyses.
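    The slides on assumptions as a leading indicator, on top-down monitoring priority, on the ten assumption groups and the closing remark on documentation and traceability, as an added example that is not code from the talk: a small assumptions register in Python. Each entry records the group number (1-10 as numbered on the slides), the system level and analysis stage at which it was made, where it is documented, and a check that is re-run against current observations; invalid assumptions are reported highest system level first, then earliest stage. The register entries, the observation values, the stage ordering and the names effective_task_interval_fh, invalid_assumptions and validity_indicator are assumptions of this example, constructed around the jackscrew case and not taken from the talk or from the accident record. Entry A1 encodes the point of the DC-9 timeline slide: a task attached to every n-th host check has an interval of n times the check interval, so every revision of the check programme silently changes it (the same pattern appears when a security control such as credential rotation is tied to a release cadence instead of elapsed time).

```python
"""Assumptions register with validity monitoring.

Added example illustrating the slides above; it is not a tool from the talk.
Entries, observations and stage ordering are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable

# Group numbers flagged "Inevitable" on the slides.
INEVITABLE_GROUPS = frozenset({1, 2, 5, 6, 7, 10})

# Analysis stages in the order they occur (assumed); earlier = larger impact.
STAGE_ORDER = {"system definition": 0, "objectives and constraints": 1,
               "requirements": 2, "scenario testing": 3}


@dataclass(frozen=True)
class Assumption:
    ident: str
    statement: str
    group: int
    system_level: int               # 0 = top of the control hierarchy
    stage: str                      # key of STAGE_ORDER
    documented_in: str              # traceability: where it is written down
    check: Callable[[dict], bool]   # re-evaluated against observations

    @property
    def inevitable(self) -> bool:
        return self.group in INEVITABLE_GROUPS


def effective_task_interval_fh(host_check_interval_fh: float, every_nth: int) -> float:
    """A task done at every n-th host check is done every n * check interval FH.
    This is the hidden dependency behind the DC-9 lubrication timeline."""
    return host_check_interval_fh * every_nth


# Hypothetical register for the jackscrew lubrication task.
REGISTER = [
    Assumption("A1", "Maintenance-programme changes outside the jackscrew analysis "
                     "keep the lubrication interval within the design figure of 350 FH",
               group=1, system_level=0, stage="system definition",
               documented_in="hazard analysis, section 2 (hypothetical)",
               check=lambda o: effective_task_interval_fh(
                   o["host_check_interval_fh"], o["task_every_nth_check"]) <= 350),
    Assumption("A2", "The operator keeps the lubrication task on its task cards",
               group=6, system_level=1, stage="requirements",
               documented_in="requirements list, R-12 (hypothetical)",
               check=lambda o: o["task_on_card"]),
    Assumption("A3", "Thread wear at the assumed lubrication interval is predictable",
               group=5, system_level=2, stage="requirements",
               documented_in="wear calculation note (hypothetical)",
               check=lambda o: o["wear_within_prediction"]),
    Assumption("A4", "Prolonged operation without lubrication is practically "
                     "improbable, so it is not tested",
               group=8, system_level=2, stage="scenario testing",
               documented_in="test plan, excluded scenarios (hypothetical)",
               check=lambda o: not o["unlubricated_operation_observed"]),
    Assumption("A5", "Wear (end-play) measurement results are reliable",
               group=10, system_level=3, stage="scenario testing",
               documented_in="test plan, instrumentation (hypothetical)",
               check=lambda o: o["measurement_tool_calibrated"]),
]

# Constructed observations: the 1994 schedule state from the timeline slide.
OBSERVATIONS = {
    "host_check_interval_fh": 200,
    "task_every_nth_check": 8,
    "task_on_card": True,
    "wear_within_prediction": True,
    "unlubricated_operation_observed": True,
    "measurement_tool_calibrated": False,
}


def invalid_assumptions(register, observations):
    """Invalid assumptions in top-down priority: system level, then stage."""
    failed = [a for a in register if not a.check(observations)]
    return sorted(failed, key=lambda a: (a.system_level, STAGE_ORDER[a.stage]))


def validity_indicator(register, observations) -> float:
    """Leading indicator: fraction of documented assumptions that still hold."""
    return sum(a.check(observations) for a in register) / len(register)


if __name__ == "__main__":
    for a in invalid_assumptions(REGISTER, OBSERVATIONS):
        tag = "inevitable" if a.inevitable else "scope-dependent"
        print(f"{a.ident} level={a.system_level} stage={a.stage} group={a.group} "
              f"({tag}): {a.statement} [{a.documented_in}]")
    print(f"validity indicator: {validity_indicator(REGISTER, OBSERVATIONS):.2f}")
```

    Run as a script, the report lists A1 first: it is the top-level, earliest-stage assumption and, being in an "inevitable" group, cannot be removed by widening the analysis, only monitored. Re-running the same register with a different observation set (for example the 1985 schedule, 350 FH every other check) is how the validity indicator is tracked over time rather than read once.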

  • Contact: [email protected], [email protected]