1. Exercise 1.
According to Theo Leggett, the BBC's business correspondent (Leggett, 2019), the causes of the two fatal Boeing 737 MAX crashes, the Lion Air and Ethiopian Airlines accidents, can be grouped into three: design, operation and human limitation. In this answer I therefore categorise the causes of the accidents under the three headings Leggett suggests.
The first cause is a defect in the system design. Automated functions in any system are expected to behave correctly in every case; a flaw in one of them will show up as faulty behaviour when it executes. It is important to first understand how the MCAS was designed and what purpose it serves on the Boeing 737 MAX operated by Lion Air. The Manoeuvring Characteristics Augmentation System (MCAS) is a computerised function that receives the aircraft's angle of attack from a sensor mounted near the nose of the aircraft. When the angle of attack is too high, MCAS automatically commands the horizontal stabiliser trim to push the nose down, returning the aircraft to the intended pitch attitude so that it handles like earlier 737 models. It operates during manual flight, with the autopilot disengaged and the flaps retracted.
MCAS is inactive while the flaps are extended, as they are for take-off and landing, and the pilots can disable it by cutting out the electric stabiliser trim. This is where the problem originated: a faulty sensor sent false angle-of-attack readings, and each time the crew counter-trimmed, MCAS activated again and commanded further nose-down trim without any input from the flight crew. Granting the automation this authority on the strength of a single sensor effectively stripped the pilots of the ability to control the aircraft, and the resulting loss of control caused the two fatal crashes. This behaviour should have been adequately tested by the design team before the aircraft was certified as safe for passenger flight, and it should have been properly documented by the authorities certifying the aircraft.
The false signals appear not to have been anticipated, and the system was not calibrated to check them before acting on them. This adds to the design failure on the part of the engineers and the system programmers. The failure to build a system that properly accommodates human interaction and input was a major contributor, as the report notes. Together with the training of the flight crew, it must have contributed heavily to the two accidents and to the grounding of the aircraft.
The human-limitation factors cited in the two fatal accidents are the approach to intervention and the training of the flight crew in operating, or intervening in, the flight of the affected aircraft. In both accidents the flight crew were unable to override MCAS in time to avert the crash. This was probably because they either did not know at which points to intervene, or because the system did not accommodate their intervention.
Where the crew were unable to intervene, the likely origin is inadequate training in handling the new system. Everything rests on the training the crew receive before they are expected to operate a new system: failing to equip them with the right skills leaves them with very little knowledge of the remedial steps to apply when something goes wrong. The reports on both the Indonesian and Ethiopian crashes point this out clearly: in neither case was the crew able to intervene effectively in the failure.
One of the reports also suggests that the crew of the first aircraft were poorly trained. This lack of preparation in handling and managing the aircraft must have contributed to the fatal accident.
In summary, both accidents were caused in part by a system design that was not properly evaluated for safety before the newly developed system was released commercially. This was a failure on the part of the company, which worked on assumptions carried over from earlier, smaller projects that had succeeded. Given that an airliner carries human beings, that should never have been the case: management lacked due diligence in evaluating the new system, and the result was disaster. Equally, the crews should have been adequately trained on the new system, and on how to handle deviations from its expected behaviour, before being cleared for flight. That would have helped them detect and handle the problems before they became fatal.
2. Exercise 2.
The system is well designed and laid out in that each part of the working area is clearly defined and separated from the others. Separating the entrances and exits of the green and red regions matters because the doors are positioned and aligned so as to cut transit time significantly, which lets the automated system run without much trouble.
Proper precautions are taken at entry and exit and in the opening and closing of the doors. This regulated automation prevents the accidental flow of traffic and avoids straining or confusing the system. Such control is very important given the lethality of the decontamination carried out in the two laboratory rooms.
Human factors have been well integrated into the automated operation of the system. In the lethal decontamination corridor, the presence or absence of people is the sole criterion for deciding whether to close doors D0 and D1. Because the same criterion applies throughout, the system behaves consistently and operates without much trouble. The same applies to the human-friendly decontamination corridor. This makes the system not only smooth but also very safe to operate.
- Safety analysis and validation
Safety analysis and validation are built in through the infra-red cameras. The cameras detect people and relay that information to the mechanism that controls the closing and opening of the doors. The two corridors run in parallel, each analysing the presence of individuals, the state of the doors and the progress of the decontamination cycle.
Because this analysis is automated and does not depend on human intervention, it is critical to keeping the flow of activities consistent, which keeps the system running without problems.
- Safety argument (textual or in form of GSN) (15 marks)
The safety argument for working area AREA-42 is as follows:
b) Produce a safety case for AREA-42 when failures occur:
- System design and scope
Should the automated system fail, the design has clearly separated and demarcated the decontamination chambers of the lethal and human-friendly corridors. This separation makes both automated operation and manual fallback procedures easy to follow, and it safeguards the wellbeing of the people working in the laboratory.
The system should, however, have a systematically timed decontamination plan. An alert system should tell the workers when they may enter the corridors, in a regulated manner, before a cycle executes. The alert and monitoring system should be accessible from both the green and red regions.
- Safety requirement
In the event of a failure, personnel can be kept safe because separate entry and exit corridors allow people to enter and leave the green and red areas at the same time without crossing paths. Provided the instructions are clearly communicated, this avoids confusion. The flow of traffic will, however, have to be regulated and controlled from both regions. The main challenge is the execution of the lethal decontamination, in particular the timing of opening and closing doors D0 and D1 while individuals are passing through.
- Fault-tolerance techniques employed
An alert system that can be followed from within the rooms should be put in place. Safe rooms, or waiting rooms, should be provided to guide people entering and leaving the corridors, so that workers can follow the safety guidelines before they enter or leave.
- Hazard and risk identification and analysis
The timing and instructions for entering or leaving the left corridor should be clearly documented and posted in an accessible position, so that workers understand what happens in the corridors and what is expected of them at each moment. A time frame should be communicated so that no worker is left in ignorance, and the dos and don'ts should be stated clearly for everyone to see.
- Human factors
Human factors, including social and judgemental effects, are easier to handle because traffic flows in only one direction. This eliminates confusion and accidental collisions. Signs and posters should be clearly marked and communicated in both the green and red working areas to guide the workers.
Broadcasting equipment should be installed in the two rooms to tell each worker what is expected of them in the corridors and how long they may remain there. Safety markings in the languages used by the workers, together with pictorial signs, should be placed in strategic positions.
- Root cause analysis, hazard control and risk reduction measures
A major system failure could be attributed to an electrical, mechanical or technical fault in the decontamination chambers.
If the main problem is an electrical failure, the doors and the dispensing chambers will both be affected. The manual operator of the system will have to delay the decontamination clearance time to ensure that nobody is affected. This is especially critical for the lethal decontamination in the left chamber.
If there is a mechanical failure or fault in the dispensing chambers or at the exits, a safety handling and practice code should have been prepared and communicated in advance, with safety guidelines telling the workers what to do and what to avoid. This will help keep any dangerous incident from affecting the workers.
3. Exercise 3.
a. Produce a safety proof analysis, i.e., check whether the algorithm can reach unsafe state(s).
From the analysis and review of the algorithm as presented, it is very likely that it can reach an unsafe state. The hazard comes from letting the reservoir run down to complete exhaustion: the algorithm keeps computing and commanding doses until no insulin is left. A well-designed automated system is supposed to measure the extremes and act on them before a cut-off occurs. Leaving the algorithm open-ended at the maximum or minimum, with no point at which a person can intervene, is likely to produce a harmful outcome.
The insulin monitoring system is designed to monitor, compute and alert the user so that a decision can be made on the automated computation and dispensing of insulin. It is a critical system, able to compute and deliver more accurate results than manual dosing in the monitoring and dispensing of insulin.
The system is therefore very useful where it enables the user to take precautions when insulin exhaustion is likely to occur. It should be corrected to take this into account.
b. If you discovered that unsafe state(s) could be reached, describe an appropriate modification to the algorithm. (10 marks)
As presented, the algorithm only raises an alert once it detects that the pump has already run out of insulin. This is a problem for a patient relying on the system for insulin monitoring and dispensing: if it is not corrected and the patient suffers a shortage, the results are likely to be serious. The algorithm should therefore be modified so that the alert is raised before exhaustion, once the reservoir falls to a low level that still leaves time to refill, and so that a dose the pump cannot fully deliver is never commanded silently. The unsafe state then becomes unreachable, rather than merely being reported after the fact.
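To make the safety-proof analysis concrete, the following is an added illustration in Python; it is not part of the assignment material or of the algorithm set in the question. It treats "check whether the algorithm can reach unsafe state(s)" as an explicit-state reachability problem and applies one checker to two deliberately small models: the AREA-42 lethal corridor from Exercise 2 (doors D0 and D1, one presence camera) and the insulin pump reservoir from Exercise 3. Every number and rule in the models is an assumption made for the illustration: the reservoir capacity of 10 units, the doses 0, 1 and 3 implied by low, normal and high readings, the low-reserve threshold, the door and camera behaviour, and all function names. The alert-when-empty rule stands for the behaviour described above; the alert-when-low rule is the proposed modification.

```python
"""Explicit-state reachability check: can a controller reach an unsafe state?

Added illustration for Exercises 2 and 3, not code from the assignment.  Both
models are hypothetical simplifications; every capacity, dose, threshold and
rule below is an assumed value.
"""
from collections import deque
from typing import Callable, Hashable, Iterable, List, Optional

State = Hashable

def find_unsafe_path(init: State, step: Callable[[State], Iterable[State]],
                     unsafe: Callable[[State], bool]) -> Optional[List[State]]:
    """Breadth-first search of the reachable states.  Returns the shortest path from
    `init` to an unsafe state (a counterexample trace), or None when none is reachable.
    The state spaces below are finite, so an emptied queue is a proof of safety."""
    parent = {init: None}
    queue = deque([init])
    while queue:
        s = queue.popleft()
        if unsafe(s):
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for nxt in step(s):
            if nxt not in parent:
                parent[nxt] = s
                queue.append(nxt)
    return None

# --- Model 1: AREA-42 lethal decontamination corridor (Exercise 2) ----------
# State: (d0_open, d1_open, person_inside, cycle_running).
# Hazard: the lethal cycle runs while somebody is inside the corridor.
def corridor_step(presence_check: bool, camera_ok: bool):
    def step(s):
        d0, d1, inside, cycle = s
        if not cycle:                          # doors are locked while a cycle runs
            yield (not d0, d1, inside, cycle)  # toggle D0
            yield (d0, not d1, inside, cycle)  # toggle D1
        if d0 or d1:                           # someone walks in or out via an open door
            yield (d0, d1, not inside, cycle)
        if not cycle and not d0 and not d1:    # start request with both doors closed
            camera_clear = (not inside) if camera_ok else True  # failed camera sticks on "clear"
            if not presence_check or camera_clear:
                yield (d0, d1, inside, True)
        if cycle:                              # the cycle completes
            yield (d0, d1, inside, False)
    return step

def corridor_hazard(s) -> bool:
    _, _, inside, cycle = s
    return inside and cycle

def check_corridor(presence_check: bool, camera_ok: bool = True) -> Optional[List[State]]:
    return find_unsafe_path((False, False, False, False),
                            corridor_step(presence_check, camera_ok), corridor_hazard)

# --- Model 2: insulin pump reservoir (Exercise 3) ---------------------------
# State: (units_left, alert_raised, violated).  Readings are abstracted to the
# dose they imply, and each tick the pump may see any reading.  `violated` means
# a dose was owed, could not be fully delivered, and no alert preceded it.
CAPACITY = 10        # assumed reservoir size, in units
DOSES = (0, 1, 3)    # assumed doses for low / normal / high readings

def pump_step(alert_rule: Callable[[int], bool]):
    def step(s):
        units, alerted, _ = s
        for dose in DOSES:
            shortfall = dose > units
            left = units - min(dose, units)
            yield (left, alerted or alert_rule(left), shortfall and not alerted)
        if alerted:                            # once warned, the user may refill
            yield (CAPACITY, False, False)
    return step

def check_pump(alert_rule: Callable[[int], bool]) -> Optional[List[State]]:
    return find_unsafe_path((CAPACITY, False, False), pump_step(alert_rule), lambda s: s[2])

def alert_when_empty(left: int) -> bool:       # the behaviour described in the answer above
    return left == 0

LOW_RESERVE = max(DOSES)                       # assumed threshold: one full maximum dose

def alert_when_low(left: int) -> bool:         # the proposed modification
    return left <= LOW_RESERVE

if __name__ == "__main__":
    cases = [
        ("corridor, no presence check", check_corridor(presence_check=False)),
        ("corridor, presence check", check_corridor(presence_check=True)),
        ("corridor, presence check, camera failed", check_corridor(True, camera_ok=False)),
        ("pump, alert only when empty", check_pump(alert_when_empty)),
        ("pump, alert when reserve is low", check_pump(alert_when_low)),
    ]
    for name, trace in cases:
        print(f"{name}: {'SAFE' if trace is None else 'UNSAFE, trace ' + str(trace)}")
```

Running the file prints a counterexample trace for the unguarded corridor controller (open D0, a person enters, close D0, start the cycle), for the guarded controller when its single camera fails stuck on "clear", and for the alert-when-empty pump (reservoir 10, 7, 4, 1, then a 3-unit dose is owed with no warning having been given), and SAFE for the guarded corridor and the alert-when-low pump. Because the state spaces are finite, a queue that empties without finding an unsafe state is a proof, not a sample of test runs. The camera-failure case is the point of the fault-tolerance section above: a single trusted sensor turns the presence guard into a single point of failure, the same weakness Exercise 1 identifies in MCAS.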
References
ii. Martin, T., Ulich, E. and Warnecke, H.J. (1990). Appropriate Automation for Flexible Manufacturing. Automatica, 26, 611-616.
iii. Martin, T. (1990). The Need for Human Skills in Production: The Case of CIM. Computers in Industry, 14, 205-211.
iv. Final JATR Submittal to FAA (2019)