Complex systems-of-systems are characterized by emergent behavior resulting from the interaction of behaviorally complex, distributed, autonomous sub-systems or agents. Although the individual sub-systems (e.g. Instrument Landing System, aircraft) are certified to high levels of reliability (e.g. 10^-7), the interactions between the sub-systems are typically not explicitly, exhaustively tested or certified. As a consequence, scenarios can emerge in which a sub-system finds itself commanded into unsafe operating regimes without a failure of any sub-system or agent. This paper describes a No Equipment Failed Malfunction (NEFM) analysis of the Singapore Airlines SQ-327 runway excursion that occurred on November 3, 2011 at Munich airport. In the sequence of events of the incident, all the equipment operated as designed (i.e. no equipment failed) and the operators each performed according to their approved Standard Operating Procedures. The analysis highlights: (1) the need for comprehensive testing of the interaction between agents that can lead to scenarios resulting in rare hazardous outcomes, and (2) the vulnerability of relying on human operators to monitor these complex system interactions and respond in a timely and appropriate manner. The need for comprehensive system-of-system sequential scenario testing, including exhaustive combinatorics using supercomputers, and the need for crowd-sourcing through voluntary reporting and safety management systems to address these issues are discussed.