In aviation safety engineering, it’s easy to talk as if “safety” is something that gets fully built into a system during design.
It isn’t.
Safety is split across two very different environments:
Safety in design defines how a system should behave.
Safety in operation determines how it actually behaves.
Confusing the two is one of the most common—and costly—failure modes in safety thinking.
1. Safety in design: controlled assumptions
Safety in design exists in a structured, modelled world.
Engineers assume:
- Defined operating conditions
- Known failure modes
- Controlled environments
- Predictable human interaction
- Stable system configuration
This is where we use tools like:
- Functional Hazard Analysis (FHA)
- Fault Tree Analysis (FTA)
- Failure Modes and Effects Analysis (FMEA)
- System Safety Assessments (SSA)
Design safety answers questions like:
- What happens if this function fails?
- How bad is the effect?
- What mitigations can we build in?
- What redundancy is required?
But fundamentally:
Design safety is based on assumptions about reality, not reality itself.
2. Safety in operation: uncontrolled reality
Operational safety is where assumptions are tested.
In the real world:
- Systems degrade over time
- Procedures drift from original intent
- Maintenance varies in quality and timing
- Environmental conditions exceed expectations
- Human performance fluctuates
- Software and configuration changes accumulate
This is where safety stops being theoretical and becomes behavioural.
Operators are dealing with:
- Time pressure
- Ambiguity
- Competing priorities
- Partial information
- Real consequences
Operational safety is not about ideal system behaviour—it is about actual system behaviour under real constraints.
3. The gap between design and operation is where risk lives
Most serious safety issues do not come from design alone or operations alone.
They emerge in the gap between them:
- Assumptions made in design that no longer hold in operation
- Operational workarounds not reflected in design intent
- Maintenance realities not captured in safety cases
- Human adaptations that improve efficiency but degrade margins
This gap is often invisible in documentation—but very visible in incidents.
4. Design is static. Operation is dynamic.
A key structural difference:
Design environment:
- Frozen snapshot of system intent
- Stable configuration
- Documented assumptions
- Certification basis
Operational environment:
- Continuously changing system state
- Accumulating modifications and deviations
- Evolving procedures and interpretations
- Real-time decision-making
This means:
A system can be “safe by design” and still become unsafe in operation.
Not because the design was wrong, but because the world changed faster than the assumptions did.
5. Feedback is what connects the two worlds
Safety only works when there is a functioning feedback loop between operation and design.
That feedback comes from:
- Incident reporting systems
- Flight data monitoring
- Maintenance findings
- Safety occurrence reporting
- Operational experience
- Human factors observations
Without feedback:
- Design assumptions stagnate
- Risks accumulate silently
- Workarounds become normalised
- System drift goes unnoticed
With feedback:
- Design evolves
- Procedures improve
- Hidden hazards are exposed early
6. Why operators are not just “users”
In many industries, operators are incorrectly treated as end-users of a finished system.
In reality, they are:
- Real-time safety controllers
- System boundary managers
- De facto risk mitigators
- Adaptive decision-makers under uncertainty
They continuously:
- Compensate for design limitations
- Detect degraded conditions
- Manage unexpected interactions
- Maintain safety margins in real time
Operational safety is not passive—it is active risk management under pressure.
7. Why design cannot “solve” safety alone
A persistent misconception is that better design will eliminate operational risk.
But no design can fully account for:
- Human variability
- Organisational drift
- Environmental extremes
- Unintended interactions between systems
- Long-term degradation and change
Design can reduce risk. It cannot eliminate it.
This is why aviation safety is built on multiple layers:
- Engineering controls
- Operational procedures
- Training and competence
- Regulatory oversight
- Continuous monitoring
Closing thought
Safety in design defines the boundaries of expected behaviour.
Safety in operation determines whether those boundaries hold under real-world pressure.
The system is not safe because it was designed safely.
It is safe because it continues to behave safely when design meets reality.
Related Posts
