Next Article in Journal
A Novel Control Allocation Method for Yaw Control of Tailless Aircraft
Next Article in Special Issue
Analysis of Aircraft Maintenance Related Accidents and Serious Incidents in Nigeria
Previous Article in Journal
Quantifying the Environmental Design Trades for a State-of-the-Art Turbofan Engine
Previous Article in Special Issue
Airlift Maintenance and Sustainment: The Indirect Costs
 
 
Search for Articles:
Title / Keyword
Author / Affiliation / Email
Journal
Article Type
 
 
Advanced Search
 
Section
Special Issue
Volume
Issue
Number
Page
 
Journals
Aerospace
Volume 7
Issue 10
10.3390/aerospace7100149
aerospace-logo
Submit to this Journal Review for this Journal Propose a Special Issue
Article Menu

Article Menu

share Share announcement Help format_quote Cite question_answer Discuss in SciProfiles thumb_up
...
Endorse textsms
...
Comment
first_page
settings
Order Article Reprints
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Integration-In-Totality: The 7th System Safety Principle Based on Systems Thinking in Aerospace Safety

by
Johney Thomas
1,2,*,†,
Antonio Davis
2,† and
Mathews P. Samuel
3,†
1
Hindustan Aeronautics Limited, LCA-Tejas Division, Bengaluru 560037, India
2
International Institute for Aerospace Engineering & Management, Jain (Deemed-to-be University), Bengaluru, Karnataka 562112, India
3
Regional Centre for Military Airworthiness (Engines), CEMILAC, DRDO, Bengaluru 560093, India
*
Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Aerospace 2020, 7(10), 149; https://doi.org/10.3390/aerospace7100149
Submission received: 1 September 2020 / Revised: 8 October 2020 / Accepted: 9 October 2020 / Published: 14 October 2020
(This article belongs to the Special Issue Civil and Military Airworthiness: Recent Developments and Challenges (Volume II))
Browse Figures
Versions Notes

Abstract

:
Safety is of paramount concern in aerospace and aviation. Safety has evolved over the years, from the technical era to the human-factors era and organizational era, and finally to the present era of systems-thinking. Building upon three foundational concepts of systems-thinking, a new safety concept called “integration-in-totality principle” is propounded in this article as part of a “seven-principles-framework of system safety”, to act as an integrated framework to visualize and model system safety. The integration-in-totality principle concept addresses the need to have a holistic ‘vertical and horizontal integration’, which is a key tenet of systems thinking. The integration-in-totality principle is illustrated and elucidated with the help of a simple “Rubik’s cube model of integration-in-totality principle” with three orthogonal axes, the ‘axis of perspective’ of vertical integration, and the two ‘axes of perception and performance’ of horizontal integration. Safety analysis along the three axes with a ‘bidirectional synthesis’ and ‘continuum approach’ is further elaborated with relevant case studies, one among them related to the Boeing 737 MAX aircraft twin disasters. Safety is directly linked to quality, reliability and risk, through a self-reinforcing reflexive paradigm, and airworthiness assurance is the process through which safety concepts are embedded in a multidisciplinary aviation environment where the system of systems is seamlessly operating. The article explains how the system safety principle of integration-in-totality is related to reliability and airworthiness of an aerospace system with the help of the ‘V-model of systems engineering’. The article also establishes the linkage between integration-in-totality principle and strategic quality management, thus bridging the gap between two parallel fields of knowledge.

1. Introduction

Accidents and serious incidents continue to occur in the field of aviation and no further emphasis is required on the requirement to abate potential hazards in aviation systems. Though the probability of accidents has come down over the years, the severity of the consequences of an aviation accident can be catastrophic, as seen in the case of the two Boeing 737 MAX aircraft disasters at Indonesia and Ethiopia in October 2018 and March 2019, respectively, that resulted in the tragic deaths of 346 people. This has brought about a renewed focus on safety as the paramount cause of concern in both civil and military aviation, and an important knowledge field for study and action.
The concept of safety has evolved over the years, from the technical era to the human-factors era and the organizational era, and finally to the present era of systems-thinking [1,2,3,4,5,6,7,8,9]. In order to account for the nuances of safety concepts in the context of the modern complex aerospace systems, a “seven-principles-framework of system safety principles” has been developed by the authors. This proposed framework is built upon the five system safety principles (comprising of fail-safe, safety-margin, ungraduated-response, defence-in-depth and observability-in-depth principles) conceptualized by Saleh et al. [6], with the addition of the ‘human-factors principle’ as the 6th system safety principle, and a newly developed concept called “integration-in-totality principle” as the 7th system safety principle. Thus, in the remaining sections of this article, the authors will discuss the new safety concepts of the ‘integration-in-totality principle’, as well as the ‘seven-principles-framework of system safety principles’ to which it belongs. These new concepts are meant to enhance the understanding on safety-critical socio-technical systems in their entirety, incorporating the key tenets of systems thinking.
Before getting into the details of the ‘integration-in-totality principle’, it is worthwhile to present a brief background, and the need to have a fresh outlook and an augmentation of the existing concepts. It is a well-established fact that there exist multiple root causes and failure modes in real life complex systems that could complement each other. According to Latino [4], the three basic types of causes are: (i) Technical/physical: the actual physical mechanism of the failure; (ii) Human: the human practices that allowed the physical root causes to exist; and (iii) Latent: the way a facility is managed and/or designed that creates the human root causes. Often the physical roots lead to the multiple human and latent roots, and hence it is important to truly understand the physical roots of a failure to find the larger causes. This has been pointed out by the authors [1,2] among other researchers [3,4]. According to Hulme et al. [5], “there is a need to update our understanding of the different viewpoints of the systems-thinking approach, upgrade the accident analysis methodologies to a unified one, and further explore the opportunities towards development of a novel comprehensive accident analysis approach”. The development of the ‘integration-in-totality principle’ is a forward step in that direction.
Even though the five system safety principles suggested by Saleh et al. [6,7] are effective in illuminating the technical/technological/physical aspects of accident causation and understanding the preventive measures thereof, they are not addressing the human-factors and organizational aspects of system safety to capture the human and latent root causes. Hence the authors have included the ‘human-factors principle’ popularized by International Civil Aviation Organization (ICAO) [8,9] as the 6th system safety principle, in addition to the five basic/technical system safety principles of Saleh et al. The importance of the human factors principle as one of the cardinal principles of system safety needs no further emphasis, and especially in aviation activities one should adopt and train their personnel in the human factors principle. Furthermore, the authors felt the need to include one more system safety principle to suitably address the latent root causes based on systems thinking and systems engineering, in order to make the principles more comprehensive. Hence the new system safety principle of ‘integration-in-totality principle’ has been propounded as the 7th system safety principle, to take care of the systems-theoretic aspects of accident analysis and prevention. Before proceeding to the details of the new concepts, an overview of the organization of this paper is presented below to give a broader perspective of the discussions.
At the outset, in Section 2, an elaborate discussion on the proposed framework called the ‘Seven-Principles-Framework of System Safety Principles’ is provided. Having discussed the broad framework, the ‘Integration-in-Totality Principle’, the 7th system safety principle newly introduced by the authors, is explained in detail in Section 3. The ‘integration-in-totality principle’ is illustrated and elucidated in this Section with the help of the simile of a “Rubik’s cube model” having three orthogonal axes, viz. “axis of perspective”, “axis of perception”, and “axis of performance”. The two properties of this model called the “continuum approach” and the “bidirectional synthesis” along the three axes are also discussed in Section 3. Now it is required to discuss the connection and linkage of the integration-in-totality principle with the system thinking domain, and the same has been taken up in Section 4. The authors identified “five key tenets of systems-thinking” and mapped them against the present set of system safety principles, which revealed and amplified the need to add not only the ‘human-factors principle’ to take care of the human aspects, but also the ‘integration-in-totality principle’ to take care of the key systems thinking tenet of “vertical and horizontal integration”.
The ‘theoretical foundation’ of the ‘integration-in-totality principle’ is presented in Section 5. It is comprised of three foundational concepts of systems thinking, viz. the ‘abstraction hierarchy’ proposed by Rasmussen [10,11,12,13,14], the ‘design-control-practice (DCP) diagram’ of Stoop [15,16,17,18], and the ‘mental models in systems-theoretic framework’ described by Leveson [19,20,21], which are related to the ‘axis of perspective’, ‘axis of performance’ and ‘axis of perception’, respectively.
Having elaborated the integration-in-totality principle from a theoretical angle, it is pertinent to present a few case studies chosen to demonstrate how it could be implemented, and the same has been taken up in subsequent sections. Section 6 further elaborates on the “macro-meso-micro levels of vertical integration” along the ‘axis of perspective’ and provides a case study on the application of the concept in defect investigation and failure analysis of an aero-engine component. Section 7 is devoted to elucidating the significance of perception and mental models in aviation safety, which has not been explored in the safety literature to the fullest extent. Analysis and understanding of an accident or a safety event along the ‘axis of perception’ of the ‘integration-in-totality principle’ can remove the distortions in perceptions, and thus help find the truth in any given situation. The recent aviation twin disasters of Boeing 737 MAX aircraft have been analyzed as a case study to illustrate the application of the understanding along the path of “intent-execution-manifestation” in the ‘axis of perception’.
Section 8 is meant for explaining the usefulness of ‘bi-directional synthesis’ along the “design-manufacture-operation” life-cycle continuum. A case study based on the analysis of the test data of 200 aero-engines along the reverse path of test-assembly-manufacture helped improving the engine performance and safety, by working back on the assembly procedures of the compressor modules and manufacturing practices of the compressor blades.
A model on ‘quality-reliability-risk-safety paradigm’ is presented in Section 9 to highlight the relationship between these four aspects so fundamental to the aerospace and aviation field. Section 10 presents a very interesting analysis of the ‘V-model of systems engineering’ mapped with respect to the axes of perspective, perception and performance of the ‘integration-in-totality principle’, thus establishing the applicability of the ‘integration-in-totality principle’ in the field of reliability analysis and airworthiness certification. Section 11 narrates the suitability of the ‘integration-in-totality principle’ in risk management.
Finally, Section 12 establishes the linkage between two emerging and parallel fields of knowledge, viz. ‘systems thinking and system safety principles’, and ‘strategic quality management’. It is diagrammatically shown how the ‘integration-in-totality principle’, developed by the authors as the 7th system safety principle based on ‘systems thinking in safety’, can be used as a pivotal concept in ‘strategic quality management’. The technical discussion is concluded in Section 13.

2. System Safety Principles and the Seven-Principles-Framework

System safety principles are general, high-level, domain-independent and technologically-agnostic principles, adoptable as detailed safety measures for dealing with various safety hazards. Once incorporated, the system safety principles are expected to vastly improve the safety of socio-technical systems. The five basic/technical system safety principles, originally formalized by Saleh et al., and built upon the notion of the level of hazard and its escalation along the path of accident causation [6,7], are described below:
(1)
The fail-safe principle [22] mandates that the system design should prevent or mitigate the unsafe consequences of the failure of a system;
(2)
The safety margin principle [23] requires that features be put in place to maintain the operational conditions and the associated hazard level at some “distance” away from the estimated critical hazard threshold or accident-triggering threshold;
(3)
The ungraduated response principle [24] posits that the first course of action to explore for accident prevention and mitigation is the possibility of eliminating a hazard altogether, regardless of the extent of its belligerence, using creativity and technical ingenuity
(4)
The defence-in-depth principle [25,26,27] calls for safety protection by means of multiple lines of defences or safety barriers along the potential accident sequences.
(5)
The observability-in-depth principle [26,27] requires that various features be put in place to observe and monitor for the system state and breaches of any safety barrier, and reliably provide this feedback to the operators, so that all safety-degrading events or states (that the safety barriers are meant to protect against) are observable.
In order to have a comprehensive set of safety principles, a “seven-principles-framework of system safety principles” has been developed by the authors, which is shown in Figure 1.
Here, two additional system safety principles have been added over and above the aforementioned “basic/technical five”, covering the human and systemic aspects of system safety. These “additional two” included in the ‘seven-principles-framework of system safety principles’ are:
(1)
The human factors principle [8,9,28] which calls for due consideration of the pivotal resource of human personnel in a production system, and their interaction with the other resources or factors of production including the other human beings, for smooth and effective functioning of the system.
(2)
The integration-in-totality principle, which the authors expound in this article, requires that every aspect in a socio-technical system be integrated vertically and horizontally. Furthermore, it views, analyzes and understands the system bi-directionally along the continuum of three axes of perspective, perception, and performance, to have necessary cohesiveness in operations with convergence of purpose in safety.
There are different ways to comprehend and appreciate integration as a systems requirement. In general, one can select any one of the three basic approaches or their combinations towards achieving integration in a system. The first approach is the “interface approach” in accordance with the ‘SHELL model’ [8], which endeavors perfect interface and smooth interaction between the ‘liveware’ (meaning human-beings) and the remaining workplace elements/components of software, hardware, environment, and other liveware. The second approach is the “resource approach” as per the ‘5M model’ [9], based on the interplay between various resources viz. man, machine, medium, mission and management. These two approaches form part of the ‘human factors principle’, which is propounded by the International Civil Aviation Organization (ICAO) as part of the safety management system, as elaborated in the ICAO Safety Management Manual [8].
However, in the current context, the authors are focusing on a third and perhaps the most important approach, which can be called the “continuum approach”, which has not been adequately captured in the safety literature. The details of the ‘integration-in-totality principle’, developed based on the continuum approach of systems thinking in aerospace Safety, is further elaborated in the next section.

3. Integration-In-Totality Principle and the Rubik’s Cube Model

The “integration-in-totality principle” proposed by the authors calls for viewing, analyzing and understanding socio-technical systems bi-directionally along three axes, viz. (i) the axis of performance, (ii) the axis of perception, and (iii) the axis of perspective. Though conceptually appealing, the integration of these diverse dimensions needs further illustration and elucidation.
In order to illustrate and illuminate the ‘integration-in-totality principle’ wherein three dimensions of organizational continuum along three axes have been integrated together, the authors have developed a “Rubik’s cube model of integration-in-totality principle”, as shown in Figure 2.
The first dimension of continuum, the “axis of perspective”, represent the “macro-meso-micro” levels of systems thinking in the conventional ‘vertical integration’ approach, which can have many different interpretations depending upon the context. They could include the continuum permeating the echelons of regulatory command to management control to operator compliance (command-control-compliance), the purpose-function-equipment comprehension, or a system-subsystems-components level understanding. It allows one to migrate from, and bi-directionally navigate between, a bird’s eye-view of wider and general understanding to a worm’s eye-view of closer and detailed look.
The second dimension of continuum, the “axis of perception”, consists of the “intent-execution-manifestation” pathway which the authors propose here in this article as a novel concept of “horizontal integration” in systems thinking, in addition to the ‘vertical integration’. The axis of perception reflects the perceptions and mental models being maintained by different participants in the system.
Finally, the third dimension of continuum, the “axis of performance”, comprises of the major stages in the product life cycle, viz. design, manufacture and operation. This can further be telescopically expanded, as the need arises, into a design-development-manufacture-assembly-testing-operation-modification continuum. The ‘axis of performance’ provides an additional orthogonal element of “horizontal integration” in systems thinking.
Thus, the ‘integration-in-totality principle’ captures the essence of an integrated “continuum approach” along the three axes of perspective (macro-meso-micro), perception (intent-execution-manifestation), and performance (design-manufacture-operation). The integration-in-totality principle is proposed as a stand-alone principle, along with the five basic/technical system safety principles proposed by Saleh et al. [6], and the human factors principle popularized by ICAO [8], within the ‘seven-principles-framework of system safety principles’.
The traversal from the highest level to the lowest level and then back to the highest level, like that from the bird’s eye-view to the worm’s eye-view and vice-versa, can be called “bi-directional synthesis”, which is in fact applicable along each of the three axes, viz. ‘axes of perspective, perception, and performance’. This property reinforces the dynamics of the ‘continuum approach’. The ‘bi-directional synthesis’ is represented by the bi-directional arrows shown along each of the continuum axes in the ‘Rubik’s cube model of integration-in-totality principle’.
The bidirectional interplay between the three axes of continuum, viz. the ‘axis of perspective’ providing the vertical integration, and the two orthogonal ‘axes of perception and performance’ giving the horizontal integration, is at the core of the dynamics of the ‘integration-in-totality principle’. ‘Integration-in-totality principle’ can be particularly useful in the realm of safety investigations, since the analysis along the ‘axis of perspective’ of vertical integration can take care of the factors that are typically found at the higher echelons of a socio-technical system, like the command and policies of the regulatory agencies, and the control and practices of the company management, which are not fully captured by the present set of accident analysis models. Furthermore, the analysis along the ‘axis of perception’ and ‘axis of performance’, the two orthogonal axes of horizontal integration, can provide a more comprehensive and insightful analysis with a lot of flexibility, for understanding and analyzing a safety-critical socio-technical system in its entirety and instituting necessary preventive interventions early on.

4. Vertical and Horizontal Integration—A Key Tenet of Systems-Thinking

4.1. The Five Key Tenets of Systems Thinking

Grant et al. [29] tried to capture the spirit of systems thinking by synthesizing the core features of contemporary accident causation models, as a basis to develop a formal methodology for anticipating and preventing accident causation and occurrence. They identified a set of 15 basic systems thinking tenets across the different accident causation models. It was found that, despite considerable variation in the different philosophical approaches towards accident causation, these tenets are universally supported. The authors analyzed the 15 basic systems thinking tenets suggested by Grant et al. It was found that the 15 tenets can further be consolidated into the “five key tenets of systems thinking”, in order to have a simplified and focused understanding. This effort in consolidation helped in correlating the ‘systems thinking tenets’ to the ‘system safety principles’. It also revealed the inadequacy of the present set of the five basic/technical system safety principles in covering the complete set of systems thinking tenets. A comparative matrix prepared by the authors showing the ‘five key tenets of systems thinking’ mapped against the relevant ‘system safety principles’ is presented in Table 1.
It was found from the analysis that the ‘human factors principle’ should be added as a 6th system safety principle to the set of five basic/technical system safety principles, since all the key tenets (except probably for the ‘complex and unruly technologies’ tenet) are directly influenced by human factors. The analysis also revealed that the ‘integration-in-totality principle’ is required to be introduced as the 7th system safety principle to completely take care of the need for embracing the conventional systems thinking tenet of ‘vertical integration’, which in fact requires further integration with the two dimensions of ‘horizontal integration’ presented in this article.

4.2. Need for Both Vertical and Horizontal Integration—The Case for Integration-In-Totality

“Systems thinking is all about relationships and integration”, said Sydney Dekker in his seminal works on Systems thinking concepts and tenets [30,31]. ‘Vertical integration’ is only one part of the totality of integration. Even though Grant et al. listed ‘vertical integration’ as one among the fifteen basic systems thinking tenets, the authors felt that ‘integration-in-totality’ is achieved only through a holistic “vertical and horizontal integration”. Hence the authors, in their compilation of the “five key tenets of systems thinking”, substituted the tenet of ‘vertical integration’ with ‘vertical and horizontal integration’ to reflect the need of complete integration in the true spirit of systems thinking. The next section is devoted to narrate how a combination of vertical integration and horizontal integration is created to generate the “integration-in-totality principle”, with strong theoretical foundation from three important foundational concepts from the field of “systems thinking”.

5. Integration-In-Totality Principle—Three Concepts Constituting the Theoretical Foundation

5.1. The Axis of Perspective—Abstraction Hierarchy and the Macro-Meso-Micro Levels of Vertical Integration

In his pioneering Systems thinking concept of “abstraction hierarchy”, Rasmussen [10,11,12,13,14] proposed five top-down hierarchical levels of abstraction, viz. functional purpose, abstract function, generalized functions, physical functions, and physical form, shown in Figure 3.
The concept of abstraction hierarchy can nevertheless be simplified into the three levels of purpose, function, and physical-form. These levels of abstraction hierarchy are the basis for the “macro-meso-micro” levels of ‘vertical integration’ in the integration-in-totality principle. In the systems analogy, these three levels could be related to the system (having a purpose), sub-systems (having their own functions), and components/equipment (having the physical-form). This understanding calls for a vertical integration of the system, the sub-systems and the equipment so as to capture the entirety of the system. However, the macro-meso-micro levels have different connotations in different system contexts, as explained in subsequent sections. The ‘bidirectional synthesis’ with ‘continuum approach’ along the different levels of vertical integration is ingrained in the abstraction hierarchy, as evidenced by the bi-directional arrows shown in the diagram.

5.2. The Axis of Performance—The Design-Control-Practice (DCP) Diagram

The “design-control-practice (DCP) diagram”, shown in Figure 4, was proposed by Stoop [15,16,17,18]. The DCP diagram is constructed of three sets of bi-directional arrows representing three axes. The macro-meso-micro levels of the vertical axis here represent the control levels of governance-oversight, management-control and operator-compliance respectively. The diagonal axis indicates the engineering design cycle of goal-function-form. It can be seen that both the vertical and diagonal axes of the DCP diagram have a one-to-one correspondence with the macro-meso-micro levels of ‘vertical integration’ derived from the concept of abstraction hierarchy (which in fact have different connotations in different system contexts), and represented by the ‘axis of perspective’ in the ‘Rubik’s cube model of integration-in-totality Principle’.
The horizontal axis of the DCP diagram represents a ‘design-develop-construct-operate-adapt’ bi-directional continuum which additionally provides ‘horizontal integration’, which has been taken as the basis for the ‘axis of performance’ of ‘design-manufacture-operation’ continuum in the ‘Rubik’s cube model of integration-in-totality principle’. The need for adopting the concepts of ‘continuum approach’ and the ‘bidirectional synthesis’ in safety-related analyses is evident from the three bi-directional arrows used in the construction of the DCP diagram.

5.3. The Axis of Perception—The Role of Mental Models in Systems-Theoretic

The ‘horizontal integration’ cannot be limited to the life-cycle continuum of design-manufacture-operation. Perception and mental models play an important role in understanding a socio-technical system in its entirety. That is the reason why one more horizontal axis orthogonal to the other two axes is provided in the form of ‘axis of perception’ in the ‘Rubik’s cube model of integration-in-totality principle’, having an ‘intent-execution-manifestation’ pathway along its length. The ‘axis of perception’ is meant to capture the possible variances in the realms of design-manufacture-operation in the life-cycle continuum, and also between the macro-meso-micro levels.
The ‘axis of perception’ has been conceived in accordance with the ‘role of mental models in systems-theoretic framework’, suggested by Leveson [19,20,21] who opined that the human behavior within a system-theoretic framework is based on the three elements of (i) the designer’s model, (ii) the actual system model, and (iii) the operator’s mental model, as shown in Figure 5. The bi-hexagonal arrows in the figure have been added by the authors to indicate the need and scope for the ‘bi-hexagonal synthesis’ with the ‘continuum approach’ along the path.
The designer deals with idealized description which is generally known as the “intent”. The actual system is a result of the “execution” as per the specifications. The operators continually test their mental model of the process against the reality, which results in the “manifestation”. Thus, the authors have defined the “axis of perception” of the integration-in-totality principle as an ‘intent-execution-manifestation’ continuum, deriving from the aforementioned concept of ‘mental models of system-theoretic framework’ from Leveson [19,20,21].
The ‘axis of perception’ of the integration-in-totality principle, with its horizontal integration along the orthogonal axis of ‘intent-execution-manifestation’, takes care of the perceptive mental models involved in understanding and analyzing a socio-technical system. This is adding up to the horizontal integration provided by the ‘axis of performance’ along the ‘design-manufacture-operation’ continuum. Hence it can be seen that the systems safety principle of ‘integration-in-totality’ is perfectly in alignment with the key systems thinking tenet of ‘vertical and horizontal integration’, with the three axes of performance, perception and perspective providing the pathways for analyzing any socio-technical system by applying the concepts of the ‘continuum approach’ to ensure the necessary system integration, and the ‘bidirectional synthesis’ for comprehensive analysis along the integrated pathways.
Thus we can see that three important concepts of “systems thinking” by three prominent thinkers in the field of safety have been combined by the authors in this article to conceptualize the ‘Rubik’s cube model’ having the ‘continuum approach’ and the ‘bi-directional synthesis’, in order to develop the ‘integration-in-totality principle’ as the “7th system safety principle”.

6. The Axis of Perspective in Integration-In-Totality Principle, and the Macro-Meso-Micro Levels

6.1. Skill-Rule-Knowledge Framework and Macro-Meso-Micro Perspective Levels

The “skill-rule-knowledge (SRK) framework” developed by Rasmussen in 1983 has been a pioneering work on systems thinking, along with the abstraction hierarchy proposed by him the same year [10,11,12]. The SRK framework posits that the human behavior is a reflection of complexity of the environment; and is basically ‘teleological’, i.e., driven by purposive goals; and is shaped by signals, signs and symbols in the environment. It gives a description of the abstraction hierarchy, explaining the operational aspect of the functional properties of a system, relating it to the various levels of the operator’s cognitive processing at three levels based on skills, rules and knowledge. It provides an integrated approach to the design of human-machine systems, combining the concepts of control engineering and psychology [13,14].
The authors further innovated and reframed the ‘SRK framework’ in the form of a “FRAMED-IN-FRAM® diagram” to bring in better clarity on how it is a reflection of the ‘axis of perspective’ of ‘vertical integration’ which is fundamental to the ‘integration-in-totality principle’. The FRAMED-IN-FRAM® diagram is an improved version of the functional resonance analysis method (FRAM) diagram [32], developed by the authors. Interested readers are referred to Thomas, et al. [1,2] for further information on the FRAMED-IN-FRAM® diagram. The FRAMED-IN-FRAM® diagram for the SRK framework, presented in Figure 6, shows how the behaviour and control, based on the three levels of skill, rule and knowledge, works through signals, signs and symbols of perceptual, conceptual and explicit nature respectively. It also illuminates how they work at the three organizational levels, viz. strategic, tactical, and operational levels, which correspond to the ‘macro-meso-macro’ levels respectively of the ‘Rubik’s cube model of integration-in-totality principle’.

6.2. Macro-Meso-Micro Perspectives in Different Contexts

The macro-meso-micro levels of vertical integration in the axis of perspective of the integration-in-totality principle can be understood/interpreted in many different ways depending upon the context in which they exist. From a systems-theoretic point of view, it could be the system-subsystem-component levels of understanding and analyzing the entity being examined. The vertical integration achieved along the axis of perspective in integration-in-totality principle at the macro-meso-micro levels in different contexts is presented in Figure 7.
In terms of the abstraction hierarchy, the macro-meso-micro levels correspond to the purpose-function-equipment levels, as explained in the previous section. In an organizational situation, the macro-meso-micro levels could be the echelons of regulatory agency, company management and operating personnel, with the corresponding restraint actions of command, control, and compliance & care, respectively, as envisaged by Stoop in the DCP diagram [15,16,17,18].
As per the SRK framework proposed by Rasmussen, explained earlier with the help of a FRAMED-IN-FRAM® diagram, the macro-meso-micro levels have knowledge, rule and skill as the basis of behavior, with corresponding actions being strategic, tactical and operational, respectively.

6.3. The Micro-Meso-Macro Levels of the Axis of Perspective in a Typical Case Study

The case study presented in an earlier technical article by the authors [1] can be shown as an example of the application of the concept of macro-meso-micro levels for detailed analysis. The case study pertains to the crack developed at the shear neck of the drive shaft of the oil cooling system (OCS shaft) of a turbo-shaft engine. Three major influencing sources were identified for occurrence of the crack (which happened because of excitation of ‘backward whirl’ phenomenon in the OCS shaft as shown alongside). Interestingly, the three influencing sources were at the three macro-meso-micro levels from the systemic viewpoint, viz. the aircraft (system), aero engine (sub-system) and the OCS shaft (component), as shown in Figure 8.

7. Axis of Perception—The Intent-Execution-Manifestation Pathway

7.1. The World of Perspectives and Perceptions

A good starting point for further discussions on the need for integration-in-totality could be the illustrations by the authors on the different facets of perspective, based on the ideas from a Deloitte pamphlet [33], given in Figure 9. The illustrations show that perceptions vary depending upon the perspective or the viewpoint.
The ‘big picture’, shifting from a worm’s eye-view to a man’s eye-view to a bird’s eye-view and vice versa, is in fact the ‘macro-meso-micro’ level viewpoints along the ‘axis of perspective’ of the ‘vertical integration’ concept of integration-in-totality principle. As we go higher up in the ladder, things become smaller, but the field of vision become larger and wider to have a totally different perspective. The ‘flip side’ calls for looking from the exactly opposite direction to get a totally different understanding of the same thing, just as the rotation of an object understood to be clockwise when looking from above is perceived as an anti-clockwise rotation when looked from below, as illustrated. This is in fact the property of ‘bi-directional synthesis’ ingrained in the integration-in-totality principle. ‘Looking through others eyes’ and ‘view from the future’ provide entirely new perspectives and perceptions. The ‘analogous angle’ and the ‘unexpected answer’ provide new options to be considered and selected from in any given situation. Other than the facet of ‘big picture’ which belong to the ‘axis of perspective’, all the other facets are captured by the ‘axis of perception’ of integration-in-totality principle.

7.2. The Axis of Perception—Perceptions Vary

The role of perception in understanding the truth and reality is best exemplified by the story of “The Blind Men and the Elephant” from Indian folklore, wherein the same elephant was variedly interpreted to be a snake, spear, fan, tree, wall, and rope by the six blind men who touched the trunk, tusk, ear, leg, side and tail respectively. “Our perception of truth depends on our point of view”, writes Losmilzo [34] as a caption to the illustration shown in Figure 10, wherein “truth” is shown as a three-dimensional object which has shadows of square, circular and triangular shapes when projected in the three orthogonal directions, all of which are perceived as “true”.
The ‘axis of perception’ in the integration-in-totality principle captures the variance in perception due to the difference in viewpoint by different stakeholders at different levels depending upon their own field of endeavour like design, manufacture, or operation. This variance can be clarified through the ‘bi-directional synthesis’ with ‘continuum approach’ along the ‘axis of perception’ of ‘intent-execution-manifestation’ in the integration-in-totality principle.

7.3. The Intent-Execution-Manifestation Continuum of the Axis of Perception in a Typical Case Study

The inadequacy of the five basic/technical system safety principles [6] in facilitating complete understanding, analysis and interpretation of aviation accidents and safety events was earlier highlighted by the authors. The human factors principle, and the human-factor-focused accident analysis methods like human factors analysis and classification system (HFACS) also fail to fully achieve this objective, due to a disconnect with the technical aspects of the present-day aerospace systems which are basically complex, software-driven and automated. In such a situation, integration-in-totality principle with its ability to provide multi-dimensional interpretations can provide multifarious insights into the specific problem.
It would be interesting to see how the integration-in-totality principle could be applied to analyze the twin disasters of Boeing 737 MAX aircraft [35,36] mentioned in the Introduction. During the upgrade to Boeing 737 MAX aircraft with bigger engines, the engines were moved up the wing to get sufficient ground clearance, causing the aircraft nose to lift up higher during take-off. This increased the possibility of aircraft stall due to a higher angle of attack (AoA). The maneuvering characteristics augmentation system (MCAS) was introduced by the designers as a software solution to overcome the problem. The ‘design intent’ was to achieve an automatic “aircraft nose down (AND)” by means of a stabilizer trim input actuated by the MCAS when the ‘critical angle of attack’ is reached or exceeded.
However, in both the disaster cases, one of the two AoA sensors installed on the aircraft became faulty, indicating an AoA value higher than the actual value. The feedback from the sensor on the higher angle of attack (~20° in the Indonesian aircraft case, and ~57° in the Ethiopian aircraft one) resulted in the stabilizer trim input actuation by the MCAS, making the aircraft automatically and uncontrollably pitch down. The pilot applied the manual “aircraft nose up (ANU)” electric trim to counter the ‘AND’ as and when it was encountered, but the faulty AoA sensor kept sending the wrong signal triggering the MCAS to cause automatic aircraft nose down repeatedly. The erroneous reading by the faulty AoA sensor threw up multiple and confusing signals to the aircrew in the cockpit, and the pilots were not trained to handle such an automation surprise.
This vicious cycle of the automatic ‘AND’ by the MCAS and the manual ‘ANU’ by the pilot continued many times, and finally the pilot had to give up the control to the MCAS automation under duress, causing the aircraft to plunge downwards and crash in both the disaster cases, as shown in the “FRAMED-IN-FRAM® diagram” (Thomas et al. [1,2]), given in Figure 11.
The case study shows the disconnect between the ‘intent’ of the designers, the ‘execution’ by the MCAS and the pilot, and finally the ‘manifestation’ of the disasters due to the disconnect. Had such possibilities been anticipated as a mental model, necessary checks and controls could have been instituted in the design stage itself so as to obviate the fatal disasters.
The traditional accident analysis methods like AcciMap [13] would have tried to understand the event along the macro-meso-micro levels of vertical integration, which can be captured by the “axis of perspective’ of the integration-in-totality principle. The design-related aspects of the MCAS and its integration into the aircraft system and its testing and certification could be captured by the ‘axis of performance’. However, the ‘axis of perception’ provides a powerful tool for understanding and analysis in the form of an intuitional mental model along the ‘intent-execution-manifestation’ continuum as shown in the case study, highlighting the applicability of integration-in-totality principle in general and the axis of perception in particular in safety investigations.

8. Axis of Performance—The Design-Manufacture-Operation Continuum

8.1. The Axis of Performance—The Pathway for Improvement Processes

The continuum of design-development-manufacturing-assembly-test-operation along the axis of performance in the integration-in-totality principle is the real pathway for improvement processes in a system, applying the intent-execution-manifestation mental models of the axis of perception, and the macro-meso-micro levels of the axis of perspective simultaneously, and hence the Rubik’s cube simile for the integration-in-totality principle.
The analysis along the continuum of the ‘axis of performance’ has to happen bi-directionally. Normally, the flow of information and the consequent action, if any, happen uni-directionally along the forward direction only. But there is a need to have a bi-directional flow of information and action in the value chain of production/overhaul of an aircraft or aero engine between all the stages and sub-stages. For example, the expected acceptance test parameters of an aero-engine are made available with the assembly personnel and the expected assembly acceptance criteria of the manufactured components are taken care by the people involved in manufacture/overhaul of the aero-engine, as shown in Figure 12.

8.2. The Design-Manufacure-Operation Continuum of the Axis of Performance—A Case Study

Quantitative and qualitative analysis bi-directionally along the life-cycle continuum of design-manufacture-operation of an airborne system can help improving performance and safety of the system. As a case study, the authors would like to present a glimpse into a research done by them on performance enhancement of a turbofan aero-engine. The engine type used to have pre-mature withdrawals before completion of the specified time between overhaul (TBO) due to performance deterioration, manifesting in the form of higher turbine entry temperature (TET), consequent upon the higher fuel burning requirement to get the required engine thrust. An analysis of the engine test data of 200 engines for various engine performance parameters revealed very interesting results. Two of the typical trend graphs (for the TET and the compressor pressure ratio, with respect to the compressor mass flow rate) are shown in Figure 13.
The graphs show that the more the compressor mass flow rate, the lesser is the turbine entry temperature, and the higher is the compressor pressure ratio. Working backward along the axis of performance, the analysis of the assembly procedures revealed the various reasons for a reduction in the compressor pressure ratio, and in turn the compressor mass flow rate, leading to higher turbine entry temperature, thus making the engine susceptible to early withdrawal due to performance deterioration, like a higher blade tip run-out.
Working further backward along the axis of performance, the contributing factors at the component manufacturing stage which eventually led to the higher blade tip run-out could be found out. Improvement actions taken in the manufacturing stage on the blade realization processes and in the assembly stage on the assembly procedures, and establishing the best practice rules accordingly, helped in getting a lower turbine entry temperature and thus higher thrust at the testing stage. This could substantially reduce the susceptibility of the aero-engine for pre-mature withdrawals from the operating unit due to performance deterioration, since sufficient margin of safety was provided in the engine pass-out stage itself by aiming for an engine with lesser TET.

9. The Quality-Reliability-Risk-Safety Paradigm

The concepts of quality, reliability, risk and safety are correlated, as shown in the FRAMED-IN-FRAM® diagram of quality-reliability-risk-safety paradigm (Thomas et al. [2]) in Figure 14.

10. Integration-In-Totality Principle—Linkages to Systems Engineering and Airworthiness

In this section, the ‘integration-in-totality principle’ is explained in the context of systems engineering concepts applicable to reliability and airworthiness, and the linkage between the integration-in-totality principle and the “V-model of systems engineering” is established.
Systems engineering is the structured approach towards definition, implementation, integration and operation of a system to meet its functional, physical and operational performance requirements, in the given environment over the planned life cycle. The V-model captures the essence of the systems engineering process [37].

10.1. The Integration-In-Totality Principle Represented in the V-Model of Systems Engineering

It is interesting to note that the system safety principle of integration-in-totality, with its axes of perspective, perception and performance, can be depicted in the V-model of systems engineering, as shown in Figure 15.

10.2. The Systems Engineering Process and the Macro-Meso-Micro Levels of ‘Axis of Perspective’

The “axis of perspective”, comprising of the macro-meso-micro levels of vertical integration in the integration-in-totality principle, can be viewed in two different ways in the V-model of systems engineering. The creation of a “system” in systems engineering is meant to meet the mission objective or the “purpose” [37]. This is achieved by means of various design teams (applying concurrent engineering concepts) working on multiple “subsystems” having their own “function”. At a lower level, specialized design groups (applying the engineering design process) design the “components”, forming part of the “equipment”. Thus it can be seen that systems engineering follows the macro-meso-micro levels of system-subsystem-component bi-directionally, which in turn corresponds to the abstraction hierarchy levels of purpose-function-equipment, fundamental to the axis of perspective of the integration-in-totality principle.
The left leg of the systems engineering V-model represents the ‘Formulation phases of decomposition and definition’, wherein ‘tearing down’ of the system is done to reveal the complete system architectural design. The right leg of the V-model, on the other hand, represents the ‘Implementation phases of integration and verification’ that are effectively ‘building up’ the system from the component level to the functional sub-systems to the complete system. This traversal from the highest level to the lowest level and then back to the highest level, like the traversal from the bird’s eye-view to the worm’s eye-view and back, is in accordance with the “bi-directional synthesis” with “continuum approach” along the ‘axis of perspective’ of the integration-in-totality principle, as shown alongside the figure of V-model by bi-directional arrows. The same ‘bi-directional synthesis’ and ‘continuum approach’ are applicable along the ‘axis of perception’ and the ‘axis of performance’ as well.

10.3. The Systems Engineering Process and the Intent-Execution-Manifestation of ‘Axis of Perception’

The V-model of systems engineering, which is basically a process model, calls for moving down along the left leg by completing each phase sequentially and then moving up the right leg, applying the ‘eleven systems engineering functions’ at each stage to achieve the objectives [37]. This process traverses along the mental model path of intent-execution-manifestation of the “axis of perception” of the integration-in-totality principle. It can be seen that there is a one-to-one correspondence between the Intent and the manifestation at each level of execution (viz. the operational need of the system and the delivered capability; the functional requirement of the subsystem and the validated solution; and the detailed design of the equipment and the verified parts).

10.4. The Systems Engineering Process and the Design-Manufacture-Operation Path of ‘Axis of Performance’

The engineering design process (EDP) in the V-model follows the “axis of performance” of design-manufacture-operation. As illustrated in the representative V-model of systems engineering in Figure 15 linking it to the integration-in-totality principle, the axis of performance can also be shown perpendicular to the plane of the page bi-directionally, since the same V-model having the axes of perspective and perception is applicable not only for design in the plane of the diagram, but also for the parallel planes for manufacture and operation as well.

10.5. Integration-In-Totality Principle in Airworthiness Certification

The operational requirements of an aircraft or an aero engine are specified by the customer and designed, manufactured and maintained by the contractor firm having the ‘system design responsibility (SDR)’. The design organization holds the ‘type approval’ which is obtained through an elaborate type certification process undertaken by a dedicated airworthiness certification agency. The ‘military type qualification process’ regulates the procedures concerning the military aircraft ‘type qualification’ for performance and ‘certification’ for airworthiness, and the qualification and suitability for installation of pertinent systems.
Typically, the verification process of a ‘type design’ for airworthiness is done in a three-stage process, viz. (i) definition of the type in accordance with approved documentation or design standard, (ii) definition of the ‘means of compliance’ to demonstrate each requirement as per the qualification programme plan, and (iii) demonstration of compliance with the safety requirements. It can be seen from the foregoing discussions that the integration-in-totality principle, with its three axes of perspective, perception and performance, can be used as a valuable theoretical foundation for airworthiness certification, including for continuing and continued airworthiness, since it takes care of all the related aspects of reliability, risk, safety and quality.

11. Integration-In-Totality Principle—Linkage to Risk Management

11.1. Risk Management and System Safety

“Safety is the state in which risk (of personal harm or property damage) is reduced to and maintained at or below an acceptable level, through a continuing process of hazard identification and risk management”, according to the ICAO definition [8]. Quantitative risk management is done based on the assessment of ‘probability’ of occurrence of safety hazards/events and ‘severity’ of their consequences. The integration-in-totality principle, being the system safety principle based on systems thinking in safety, has got major relevance in the process of identifying the hazards and managing the associated risks. This is done by way of mitigating the risk through necessary corrective actions in the short term and eliminating the risk altogether through effective preventive actions for the long term.

11.2. Risk Management along the Axes of Perspective, Perception and Performance

Risk management in an organization is carried out at different levels. ‘Organizational risk management’ is concerned with the threats and opportunities external to the organization, and hence is ‘strategic’ in nature. ‘Operational risk management’, on the other hand, deals with the weaknesses and strengths within the organization and are therefore ‘tactical’ and ‘operational’ in practice. Hence it can be seen that risk management has a strategic-tactical-operational continuum of vertical integration as shown in Figure 7, along the ‘axis of perspective’ of the integration-in-totality principle.
Risk management also works along the ‘axis of perception’. The disconnect between the design intent, manufacturing execution and the operational manifestation are to be captured by applying forward-looking and backward-looking logics respectively between the safety event and the cause/consequence using the various inductive and deductive techniques of system safety analysis. This requires ‘bidirectional synthesis’ along the intent-execution-manifestation continuum in the axis of perception of integration-in-totality principle.
Analyzing the system along the ‘axis of performance’ of the design-development-manufacturing-testing-operation continuum also is equally important for risk management, to understand the system deficiencies and vulnerabilities along the path. Bi-directional synthesis along the chain of adjacent operations, treating the personnel dealing with the next phase or process or operation as the external/internal customer is very important for achieving risk mitigation at each stage, bringing down the probability of occurrence of safety events and severity of their consequences. In order to mitigate risk, and enhance quality, reliability and safety, it is necessary to act upon the accident precursors, pathogens and latent defects in a near-miss management framework early on along the axis of performance of the integration-in-totality principle.

12. Integration-In-Totality Principle—Linkage to Strategic Quality Management

12.1. Strategic Quality Management—A Convergence Concept

Quality as an organizational function has evolved over the years, from inspection to quality-control to quality-assurance to company-wide-quality-control to total-quality-management to strategic-quality-management. In the process, the tenets of quality also got enlarged with a snowballing effect, encompassing and subsuming the product, process, system, people, improvement-cycle and risk [38]. Strategic quality management (SQM) is a convergent concept, combining the basic concepts of total quality management and corporate strategy management [39].

12.2. Integration-In-Totality Principle and Strategic Quality Management

The integration-in-totality principle is the pivotal concept which can bridge the gap between the two parallel knowledge fields of safety and quality, by integrating the concepts of systems thinking in aerospace safety and strategic quality management, as shown in Figure 16.
Strategic quality management and system safety principles represent the latest developments in the fields of quality and safety, respectively. Quality and safety are linked through the quality-reliability-risk-safety paradigm presented in an earlier section [2], and strategic quality management has risk-based thinking as one of the cornerstones [39]. Hence application of strategic quality management and integration-in-totality principle together in the systems thinking framework can help understand aerospace systems like aircraft, aero engines, etc. better and achieve performance enhancement of the system, applying quantitative analysis using predictive analytics, and also employing qualitative analysis techniques like functional resonance analysis method (FRAM).

13. Conclusions

A new safety concept called “integration-in-totality principle” has been introduced in this article as the 7th system safety principle. A “seven-principles-framework of system safety principles” is proposed, adding two more principles to the five basic/technical system safety principles conceptualized by Saleh et al. The “integration-in-totality principle” is illustrated with the simile of a “Rubik’s cube model of integration-in-totality principle” having three axes, viz. the axis of performance, the axis of perception, and the axis of perspective, reinforcing the key systems thinking tenet of “vertical and horizontal integration”. The relevance of ‘bidirectional synthesis’ of a socio-technical system with a ‘continuum approach’ along these three axes to facilitate systems thinking is articulated, drawing upon the ‘abstraction hierarchy’ and the ‘SRK framework’ by Rasmussen, ‘DCP diagram’ by Stoop and ‘mental models in systems-theoretic framework’ by Leveson. The article also explores the linkage of integration-in-totality principle to strategic quality management and risk management, bridging the gap between two parallel fields of knowledge. The integration-in-totality principle is interpreted in terms of the ‘V-model of systems engineering’, to establish its linkage to reliability and airworthiness of an aerospace system. It is expected that the new safety concepts shall augment the existing body of knowledge and trigger further research in the field of systems thinking and strategic quality management.

Author Contributions

All the authors contributed equally to this work. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Acknowledgments

This research has been a part of the academic programme at International Institute for Aerospace Engineering & Management, Jain (Deemed-to-be University), Bengaluru, India. The theme discussed herein is independently developed by the authors for the academic work. The authors would like to express their deep sense of gratitude to all the colleagues who have associated directly or indirectly towards creation of knowledge in the field, and thank the managements of their organizations for providing all support for the study and the permission to publish this technical article.

Conflicts of Interest

There is no conflict of interest whatsoever.

References

  1. Thomas, J.; Davis, A.; Samuel, M.P. Strategic Quality Management of Aero Gas Turbine Engines, Applying Functional Resonance Analysis Method. In Proceedings of the National Aerospace Propulsion Conference; Mistry, C.S., Kumar, S.K., Raghunandan, B.N., Sivaramakrishna, G., Eds.; Lecture Notes in Mechanical Engineering; Springer: Singapore, 2021; pp. 65–91. Available online: https://doi.org/10.1007/978-981-15-5039-3_4 (accessed on 31 August 2020).
  2. Thomas, J.; Davis, A.; Samuel, M.P. Quality–Reliability–Risk–Safety Paradigm—Analyzing Fatigue Failure of Aeronautical Components in Light of System Safety Principles. In Fatigue, Durability, and Fracture Mechanics; Seetharamu, S., Jagadish, T., Malagi, R.R., Eds.; Lecture Notes in Mechanical Engineering; Springer: Singapore, 2021; pp. 267–304. Available online: https://doi.org/10.1007/978-981-15-4779-9_18 (accessed on 8 October 2020).
  3. Sachs, N.W.; Beckman, M. Figuring out why Things Breakdown. In Tribology & Lubrication Technology; STLE, Society of Tribologists and Lubrication Engineers: Park Ridge, IL, USA, 2019; pp. 38–45. [Google Scholar]
  4. Latino, M.A.; Latino, R.J.; Latino, K. Root Cause Analysis: Improving Performance for Bottom-Line Results, 4th ed.; CRC Press: Boca Raton, FL, USA, 2011; ISBN 978143950923. [Google Scholar]
  5. Hulme, A.; Stanton, N.A.; Walker, G.H.; Waterson, P.; Salmon, P.M. What do applications of systems thinking accident analysis methods tell us about accident causation? A systematic review of applications between 1990 and 2018. Saf. Sci. 2019, 117, 164–183. [Google Scholar] [CrossRef]
  6. Saleh, J.H.; Marais, K.B.; Favarò, F.M. System safety principles: A multidisciplinary engineering perspective. J. Loss Prev. Process. Ind. 2014, 29, 283–294. [Google Scholar] [CrossRef] [Green Version]
  7. Gnoni, M.G.; Saleh, J.H. Near-Miss Management Systems and Observabiliy-in-Depth: Handling Safety Incidents and Accident Precursors in Light of Safety Principles. Saf. Sci. 2017, 91, 154–167. [Google Scholar] [CrossRef]
  8. International Civil Aviation Organisation (ICAO). Safety Management Manual (SMM), Doc. 9859, 4th ed.; ICAO Headquarters: Montreal, QC, Canada, 2018. [Google Scholar]
  9. FAA Air Traffic Organisation. Safety Management System Manual April 2019; Federal Aviation Administration: Richmond, VA, USA, 2019.
  10. Waterson, P.; le Coze, J.-C.; Andersen, H.B. Recurring themes in the legacy of Jens Rasmussen. Appl. Ergon. 2017, 59, 471–482. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  11. Rasmussen, J. Skills, rules, and knowledge; signals, signs, and symbols, and other distinctions in human performance models. IEEE Trans. Syst. Man Cybern. 1983, 257–266. [Google Scholar] [CrossRef]
  12. Rasmussen, J.; Vicente, K.J. Coping with human errors through system design: Implications for ecological interface design. Int. J. Man-Mach. Stud. 1989, 31, 517–534. [Google Scholar] [CrossRef]
  13. Rasmussen, J.; Svedung, I. Proactive Risk Management in a Dynamic Society; Swedish Rescue Services Agency: Karlstad, Sweden, 2000; ISBN 91-7253-084-7.
  14. Le Coze, J.C. Reflecting on Jens Rasmussen’s legacy. A strong program for a hard problem. Saf. Sci. 2015, 71, 123–141. [Google Scholar] [CrossRef]
  15. Stoop, J.; de Kroes, J.; Hale, A. Safety science, a founding fathers’ retrospection. Saf. Sci. 2017, 94, 103–115. [Google Scholar] [CrossRef]
  16. Stoop, J.A. Safety: A system state or property? J. Saf. Stud. 2016, 2. [Google Scholar] [CrossRef] [Green Version]
  17. Stoop, J.A.; Dechy, N.; Dien, Y.; Tulonen, T. Past and Future in Accident Prevention and Learning: Single Case or Big Data? In Proceedings of the ESReDA 50th Seminar, Sevilla, Spain, 18–19 May 2016. [Google Scholar]
  18. Stoop, J.A.; van der Burg, R. From Factor to Vector, a System Engineering Design Perspective on Safety. Ph.D. Thesis, Delft University of Technology, Delft, The Netherlands, January 2014. [Google Scholar]
  19. Leveson, N.G. Applyng systems thinking to analyze and learn from events. Saf. Sci. 2011, 49, 55–64. [Google Scholar] [CrossRef]
  20. Leveson, N.G. Engineering a Safer World: Systems Thinking Applied to Safety; MIT Press: Cambridge, MA, USA, 2011; ISBN 978-0-262-01662–9. [Google Scholar]
  21. Leveson, N.G.; Stephanopoulos, G. A system-theoretic, control-inspired view and approach to process safety. AIChE J. 2013, 60, 2–14. [Google Scholar] [CrossRef] [Green Version]
  22. Saleh, J.; Marais, K.; Bakolas, E.; Cowlagi, R. Highlights from the literature on accident causation and system safety: Review of major ideas, recent contributions, and challenges. Reliab. Eng. Syst. Saf. 2010, 95, 1105–1116. [Google Scholar] [CrossRef]
  23. Favarò, F.M.; Saleh, J.H. Toward risk assessment 2.0: Safety supervisory control and model-based hazard monitoring for risk-informed safety interventions. Reliab. Eng. Syst. Saf. 2016, 152, 316–330. [Google Scholar] [CrossRef] [Green Version]
  24. Saleh, J.H.; Geng, F.; Ku, M.; Walker, M.L. Electric propulsion reliability: Statistical analysis of on-orbit anomalies and comparative analysis of electric versus chemical propulsion failure rates. Acta Astronaut. 2017, 139, 141–156. [Google Scholar] [CrossRef] [Green Version]
  25. Cowlagi, R.V.; Saleh, J.H. Co-Ordinability and Consistency in Accident Causation and Prevention: Formal System Theoretic Concepts for Safety in Multilevel Systems. Risk Anal. 2013, 33, 420–433. [Google Scholar] [CrossRef]
  26. Bakolas, E.; Saleh, J.H. Augmenting defense-in-depth with the concepts of observability and diagnosability from Control Theory and Discrete Event Systems. Reliab. Eng. Syst. Saf. 2011, 96, 184–193. [Google Scholar] [CrossRef]
  27. Favaro, F.M.; Saleh, J.H. Observabilit-in-Depth: An Essential Complement to the Defence-in-Depth Safety Strategy in the Nuclear Industry. Nuclear Eng. Technol. 2014, 46, 1–14. [Google Scholar] [CrossRef] [Green Version]
  28. Shanmugam, A.; Robert, T.P. Human factors engineering in aircraft maintenance: A review. J. Qual. Maint. Eng. 2015, 21, 478–505. [Google Scholar] [CrossRef]
  29. Grant, E.; Salmon, P.M.; Stevens, N.J.; Goode, N.; Read, G.J. Back to the future: What do accident causation models tell us about accident prediction? Saf. Sci. 2018, 104, 99–109. [Google Scholar] [CrossRef]
  30. Dekker, S.W.A. Why We Need New Accident Models; Technical Report 2005-02; Lund University School of Aviation: Lund, Sweden, 2015. [Google Scholar]
  31. Dekker, S.W.; Pruchnicki, S. Drifting into failure: Theorising the dynamics of disaster incubation. Theor. Issues Ergon. Sci. 2013, 15, 534–544. [Google Scholar] [CrossRef]
  32. Hollnagel, E. FRAM: The Functional Resonance Analysis Method: Modelling Complex. Socio-Technical Systems; Ashgate Publishing Limited: Surrey, UK, 2012; ISBN 978-1-4094-4551-7. [Google Scholar]
  33. Deloitte. 10 Moves to Make Moments Matter; Deloitte Development LLC: London, UK, 2017. [Google Scholar]
  34. Our Perception of Truth Depends on Our Viewpoint 2.0. 2016. Available online: https://imgur.com/gallery/obWzGjY (accessed on 31 August 2020).
  35. Comittee on Transportation and Infrastructure. The Design, Development & Certification of the Boeing 737 MAX; Final Committee Report; Comittee on Transportation and Infrastructure: Washington, DC, USA, September 2020.
  36. National Transportation Safety Board. Assumptions Used in the Safety Assessment Process and the Effects of Multiple Alerts and Indications on Pilot Performance; Safety Commission Report; National Transportation Safety Board: Washington, DC, USA, 2019.
  37. NASA. Chapter 2: The Systems Engineering (SE) Process. National Aeronautics and Space Administration. Available online: https://www.nasa.gov/pdf/598887main_Auburn_PowerPoints_SE.pdf (accessed on 31 August 2020).
  38. Thomas, J.; Davis, A.; Samuel, M.P. Aerospace Organizational Excellence: Quality System Standards and Global Best Practices. In Proceedings of the CSDO Golden Jubilee Seminar on Excellence through Maintainability in Aviation, Bengaluru, India, 13–14 December 2018. [Google Scholar]
  39. Thomas, J.; Davis, A.; Samuel, M.P. Strategic Quality Management and Risk-Based Thinking. J. Aerospace Qual. Reliabil. 2019, 7, 1–6. [Google Scholar]
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Aerospace 07 00149 g001 550
Figure 1. The Seven-Principles-Framework of System Safety Principles.
Figure 1. The Seven-Principles-Framework of System Safety Principles.
Aerospace 07 00149 g001
Aerospace 07 00149 g002 550
Figure 2. The Rubik’s Cube Model of Integration-in-Totality Principle.
Figure 2. The Rubik’s Cube Model of Integration-in-Totality Principle.
Aerospace 07 00149 g002
Aerospace 07 00149 g003 550
Figure 3. The Levels of Abstraction Hierarchy by Rasmussen (source: [10]).
Figure 3. The Levels of Abstraction Hierarchy by Rasmussen (source: [10]).
Aerospace 07 00149 g003
Aerospace 07 00149 g004 550
Figure 4. The Design-Control-Practice (DCP) Diagram by Stoop (Source: [16]).
Figure 4. The Design-Control-Practice (DCP) Diagram by Stoop (Source: [16]).
Aerospace 07 00149 g004
Aerospace 07 00149 g005 550
Figure 5. The Role of Mental Models in Systems-theoretic Framework (Adapted from [19]).
Figure 5. The Role of Mental Models in Systems-theoretic Framework (Adapted from [19]).
Aerospace 07 00149 g005
Aerospace 07 00149 g006 550
Figure 6. Skill-Rule-Knowledge Framework of Rasmussen, Interpreted using the FRAMED-IN-FRAM® Diagram.
Figure 6. Skill-Rule-Knowledge Framework of Rasmussen, Interpreted using the FRAMED-IN-FRAM® Diagram.
Aerospace 07 00149 g006
Aerospace 07 00149 g007 550
Figure 7. Macro, Meso and Micro Levels of Vertical Integration in Different Contexts.
Figure 7. Macro, Meso and Micro Levels of Vertical Integration in Different Contexts.
Aerospace 07 00149 g007
Aerospace 07 00149 g008 550
Figure 8. The Micro-Meso-Macro Levels of Component, Aero-engine and Aircraft; (a) Progression of Events Leading to Crack and Rupture, and (b) the Influencing Sources of Crack and Rupture. (Source: Thomas, Davis & Samuel [1]).
Figure 8. The Micro-Meso-Macro Levels of Component, Aero-engine and Aircraft; (a) Progression of Events Leading to Crack and Rupture, and (b) the Influencing Sources of Crack and Rupture. (Source: Thomas, Davis & Samuel [1]).
Aerospace 07 00149 g008
Aerospace 07 00149 g009 550
Figure 9. The Different Facets of Perspective, Illustrated.
Figure 9. The Different Facets of Perspective, Illustrated.
Aerospace 07 00149 g009
Aerospace 07 00149 g010 550
Figure 10. “Our perception of Truth depends on our viewpoint” (Adapted from [34]).
Figure 10. “Our perception of Truth depends on our viewpoint” (Adapted from [34]).
Aerospace 07 00149 g010
Aerospace 07 00149 g011 550
Figure 11. Intent-Execution-Manifestation Continuum—Case Study on Boeing 737 MAX Disasters.
Figure 11. Intent-Execution-Manifestation Continuum—Case Study on Boeing 737 MAX Disasters.
Aerospace 07 00149 g011
Aerospace 07 00149 g012 550
Figure 12. Bi-directional Synthesis along the Axis of Performance.
Figure 12. Bi-directional Synthesis along the Axis of Performance.
Aerospace 07 00149 g012
Aerospace 07 00149 g013 550
Figure 13. The Case study on Bi-directional Synthesis along the Axis of Performance.
Figure 13. The Case study on Bi-directional Synthesis along the Axis of Performance.
Aerospace 07 00149 g013
Aerospace 07 00149 g014 550
Figure 14. The Quality-Reliability-Risk-Safety Paradigm.
Figure 14. The Quality-Reliability-Risk-Safety Paradigm.
Aerospace 07 00149 g014
Aerospace 07 00149 g015 550
Figure 15. Integration-in-Totality Principle, Depicted in the V-Model of Systems Engineering.
Figure 15. Integration-in-Totality Principle, Depicted in the V-Model of Systems Engineering.
Aerospace 07 00149 g015
Aerospace 07 00149 g016 550
Figure 16. Theoretical Foundation of Applying Integration-in-Totality Principle in Strategic Quality Management.
Figure 16. Theoretical Foundation of Applying Integration-in-Totality Principle in Strategic Quality Management.
Aerospace 07 00149 g016
Table
Table 1. The Five Key Tenets of Systems Thinking and the Correlated System Safety Principles.
Table 1. The Five Key Tenets of Systems Thinking and the Correlated System Safety Principles.
S/NThe Fifteen Basic Systems-Thinking Tenets Identified by Grant et al. (2018), with their DescriptionConsolidated Set of “Five Key Tenets of Systems-Thinking”“System Safety Principles”
Corresponding to the Key Systems Thinking Tenets
1Unruly TechnologiesUnforeseen and unpredictable behaviours of new technologies that are introduced into the systemComplex and Unruly TechnologiesFail-Safe Principle Margin-of-Safety Principle Ungraduated-Response Principle Defence-in-Depth Principle Observability-in-Depth Principle
ConstraintsSystem elements that impose limits on, or influence, the behaviour of other system elements to ensure safe operation
2Non-linear InteractionsComplex interactions that produce dynamic unpredictable sequences and outcomesNon-linear Interactions and EmergenceFail-Safe Principle Margin-of-Safety Principle Ungraduated-Response Principle Defence-in-Depth Principle Observability-in-Depth Principle Human-Factors Principle
Dependence on Initial conditionsCharacteristics of the original state of the system that are amplified throughout and alters the way the system operates at a later point in time
EmergenceOutcomes that result from the interactions between elements in the system that cannot be fully explained by examining the elements alone
Linear InteractionsDirect and predictable cause and effect relationships between system elements and production sequences
3Performance VariabilitySystem elements change performance and behaviour to meet the conditions in the world and environment in which the system worksPerformance Variability and Functional ResonanceFail-Safe Principle Margin-of-Safety Principle Ungraduated-Response Principle Defence-in-Depth Principle Observability-in-Depth Principle Human-Factors Principle
Contribution of the Protective StructureThe formal and organized structure intended to protect and optimize system safety, but instead competes for resources with negative effects [ETTO Principle]
DecrementalismMinor modifications to system elements and/or normal performances that gradually create a significant change with safety risks [Normalization of Deviance]
Normal PerformanceThe way that activities are actually performed within a system [Work-as-Done], regardless of formal rules and procedures [Work-as-Imagined]
4Functional DependenciesNecessary relationships and path dependence between tightly coupled system elements (i.e., components that serve a functional purpose)Functional Dependencies and Control-FeedbackFail-Safe Principle Margin-of-Safety Principle Ungraduated-Response Principle Defence-in-Depth Principle Observability-in-Depth Principle Human-Factors Principle
CouplingThe degree or ‘tightness’ and interconnectivity of the interactions that exist between system elements
ModularitySub-systems and elements that interact but are designed and operated independently of each other
Feedback loopsCommunication structure and information flow to evaluate control requirements of hazardous processes
5Vertical IntegrationInteraction between elements across levels of the system hierarchyVertical and Horizontal IntegrationIntegration-in-Totality Principle (Newly introduced)

Share and Cite

MDPI and ACS Style

Thomas, J.; Davis, A.; Samuel, M.P. Integration-In-Totality: The 7th System Safety Principle Based on Systems Thinking in Aerospace Safety. Aerospace 2020, 7, 149. https://doi.org/10.3390/aerospace7100149

AMA Style

Thomas J, Davis A, Samuel MP. Integration-In-Totality: The 7th System Safety Principle Based on Systems Thinking in Aerospace Safety. Aerospace. 2020; 7(10):149. https://doi.org/10.3390/aerospace7100149

Chicago/Turabian Style

Thomas, Johney, Antonio Davis, and Mathews P. Samuel. 2020. "Integration-In-Totality: The 7th System Safety Principle Based on Systems Thinking in Aerospace Safety" Aerospace 7, no. 10: 149. https://doi.org/10.3390/aerospace7100149

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop