The Dreamliner and the Network
Big complicated technologies are rarely (perhaps never) developed by one organisation. Instead they’re a patchwork quilt of individual systems, each developed by domain experts, with the whole stitched together by a single authority or agency. This practice is nothing new; it’s been around since the earliest days of the cybernetic era, and it’s a classic tool that organisations and engineers use to deal with industrial-scale design tasks (1). What is different is that we no longer design systems, and systems of systems, as loose federations of entities. We now think of and design our systems as networks, and thus our systems of systems have become a ‘network of networks’ that exhibits a much greater degree of interdependence.
Unfortunately a property of interdependent networks is that the failure of nodes in one network can cause failures of dependent nodes in other networks. These failures can recurse and cascade between the two systems, resulting in what’s technically called a first-order percolation phase transition (2)(3). Or, putting it non-technically, instead of exhibiting graceful degradation into smaller but still useful chunks, at some critical point (in the worst case with only a few node failures) they can fragment abruptly and catastrophically; see for example the Italian power blackout of 2003 (Parandehgheibi, Modiano 2014).
Now traditionally we’ve dealt with system failure using a range of reductionist, quasi-static techniques such as FHA, FMEA, CCA, fault trees or Markov modelling, and given that for the most part our systems were neither too complex nor too interdependent we could get away with these approximations. In engineering you usually don’t need to be absolutely accurate, just accurate enough for your purposes. Unfortunately these traditional techniques tell us a lot about the failure modes of yesterday’s systems, but nothing about the failure modes that emerge from interdependent networks. To find these new failure modes you have to apply techniques that will expose them, e.g. dynamic modelling and simulation (Buldyrev et al. 2010).
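To make the cascade and the ‘abrupt fragmentation’ of the two preceding paragraphs concrete, here is a small simulation in the style of the Buldyrev et al. (2010) model. It is an added illustration, not code from the original post or from the cited papers: two constructed, seeded Erdős–Rényi networks A and B with one-to-one interdependence (node i in A depends on node i in B and vice versa), a random fraction 1−p of A’s nodes removed, and the failure allowed to bounce back and forth between the two networks until nothing further fails. The network size, mean degree and seed are assumptions chosen for a quick run; the comparison column shows what a single, uncoupled network does under the same initial damage.

```python
"""Cascading failure in two interdependent random networks.

Added illustration (not the post's own code): a Buldyrev-style model in which
node i of network A depends on node i of network B and vice versa. After a
random fraction 1-p of A's nodes is removed, nodes outside their own network's
largest connected component count as failed, their partners in the other
network fail in turn, and the cascade repeats until a fixed point is reached.
The graphs are constructed, seeded Erdős–Rényi graphs (assumed parameters)."""
import random
from collections import deque


def random_graph(n, avg_degree, rng):
    """Erdős–Rényi graph with expected mean degree avg_degree, as adjacency sets."""
    p_edge = avg_degree / (n - 1)
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for j in range(i + 1, n):
            if rng.random() < p_edge:
                adj[i].add(j)
                adj[j].add(i)
    return adj


def giant_component(adj, alive):
    """Largest connected component of the subgraph induced by the `alive` nodes."""
    seen, best = set(), set()
    for start in alive:
        if start in seen:
            continue
        comp, queue = set(), deque([start])
        seen.add(start)
        while queue:
            u = queue.popleft()
            comp.add(u)
            for v in adj[u]:
                if v in alive and v not in seen:
                    seen.add(v)
                    queue.append(v)
        if len(comp) > len(best):
            best = comp
    return best


def cascade(adj_a, adj_b, initial_failed):
    """Run the A<->B failure cascade to a fixed point.

    Returns (surviving node pairs, cascade rounds). Survivors form the
    mutually connected giant component: connected in A, connected in B,
    and every survivor's partner in the other network is still alive."""
    n = len(adj_a)
    alive_a = set(range(n)) - set(initial_failed)
    alive_b = set(range(n))
    rounds = 0
    while True:
        rounds += 1
        gc_a = giant_component(adj_a, alive_a)
        alive_b &= gc_a                      # B nodes whose A partner failed
        gc_b = giant_component(adj_b, alive_b)
        next_alive_a = alive_a & gc_b        # A nodes whose B partner failed
        if next_alive_a == alive_a:          # fixed point: nothing more fails
            return len(alive_a), rounds
        alive_a = next_alive_a


def compare(n=500, avg_degree=4.0, p_values=(0.9, 0.7, 0.5, 0.4), seed=7):
    """For each surviving fraction p, return {p: (fraction of nodes in A's
    giant component with A on its own, fraction in the mutually connected
    component when A is coupled to B, cascade rounds)}."""
    rng = random.Random(seed)
    adj_a = random_graph(n, avg_degree, rng)
    adj_b = random_graph(n, avg_degree, rng)
    results = {}
    for p in p_values:
        failed = rng.sample(range(n), int(round((1 - p) * n)))
        alone = len(giant_component(adj_a, set(range(n)) - set(failed))) / n
        coupled, rounds = cascade(adj_a, adj_b, failed)
        results[p] = (alone, coupled / n, rounds)
    return results


if __name__ == "__main__":
    for p, (alone, coupled, rounds) in compare().items():
        print(f"p={p:.2f}  A alone: {alone:.2f}  A+B coupled: {coupled:.2f}  rounds={rounds}")
```

Running it shows the point of the essay in numbers: the isolated network loses its giant component gradually as p falls (its threshold for a mean degree of 4 is around p = 0.25), whereas the coupled pair keeps a large mutually connected component at high p and then collapses to almost nothing once p drops below roughly 0.6, with the damage arriving in several rounds of back-and-forth failure rather than in the initial removal. A static failure-mode table of either network alone would not show this.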
The implications for modern network-style systems that are fielded right now are troubling. If we take the aerospace industry as an example, which has a mature set of safety assurance processes, we see that the state of practice still relies heavily upon the traditional reductionist techniques discussed above (3). This means that as the architecture of aviation systems continues to evolve, the widening gap between what we can design and what we can analyse allows risks of an ontological nature to slip through unannounced. Case in point: in the QF32 near disaster, redundant systems were significantly degraded not by the direct impact of the rotor burst but by the failure of other systems (4).
You see, the way of human inventiveness is to discover the potential of things and race ahead to realise them, even though our actual understanding of the deeper magic lags behind. This is understandable: to understand something you need to be able to observe it, which in turn dictates that we must first create ‘something’ before we can analyse that ‘something’. Analysis in the absence of an objective instance is, of course, unlikely to be terribly informative. The problem of our capability rushing ahead of our understanding is in turn compounded by what Woods (2003) calls the ‘can do/make do’ principle, where organisations will try to use the old ways of thinking and acting even though they may not actually do the new situation justice (5).
Which brings us to Boeing’s Dreamliner and a prediction. Boeing’s newest aircraft is ‘all electric’, with the aircraft’s internal systems powered by four different voltage buses served by six on-board generators. This is an unprecedented leap forward in terms of the size, complexity and criticality of the aircraft’s power system, and one that delivers significant economic advantages. More importantly for us, the Dreamliner is also a networked system with a high degree of integration between the various systems on board. Now for the prediction: while the Dreamliner will be safer than preceding generations of aircraft, its first catastrophic accident will not be due to a single component failure, or to human error, but to an unanticipated cascade of failures between the aircraft’s interdependent systems.
Our failure to identify new hazards stems, it seems, not from a lack of looking but from a failure to look in the right spot.
1. See SAGE as a quintessential example from the early days of systems engineering.
2. A phase transition is defined by a characteristic qualitative change in one or more system variables (called order variables) and usually involves an abrupt change in a symmetry property of the system. A first-order phase transition is one in which the average value of the order variable changes discontinuously.
3. Percolation theory describes the behaviour of connected clusters in a random graph.
4. For example, the loss of the fuel transfer network and hydraulic systems was as much due to cascades of failures in other service systems as to damage directly sustained.
5. Woods points out that we normally try to save effort by applying existing techniques and tools to a new problem; this ‘can do’ parsimony can, when the application is inadvertently inappropriate, degenerate into the ‘make do’ principle.
Parandehgheibi, M., Modiano, E., “Robustness of Interdependent Networks: The case of communication networks and the power grid”, IEEE Globecom, Next Generation Networking Symposium, Atlanta, GA (2013).
Woods, J., Paradox and Paraconsistency: Conflict Resolution in the Abstract Sciences, Cambridge University Press, Cambridge and New York (2003).