Karim Hardy
© 2026 The author. This article is published by IIETA and is licensed under the CC BY 4.0 license (http://creativecommons.org/licenses/by/4.0/).
OPEN ACCESS
Safety management systems (SMS) serve as the principal governance architecture for managing operational risk in high-reliability domains. Yet most implementations remain compliance-driven, lacking explicit treatment of feedback, delay, and learning dynamics. This paper develops a system-control framework grounded in engineering principles to model the adaptive behavior of SMS using cybernetic feedback loops and system dynamics formalization. The model conceptualizes the SMS as a multi-loop control network comprising four interacting subsystems: Policy (P), Risk Management (R), Assurance (A), and Promotion (M). Each subsystem is expressed as a state-transition function with defined inputs, outputs, and internal variables. Three dominant control loops regulate system performance: (i) R₁-Learning Amplification, a reinforcing loop linking Promotion and Risk Management; (ii) B₁-Stability Control, balancing feedback between Assurance and Policy; and (iii) R₂-Organizational Learning, reinforcing knowledge retention between Policy and Promotion. System evolution is governed by two measurable parameters, learning velocity (Lᵥ) and feedback latency (Fₗ), whose ratio (Ψ = Lᵥ / Fₗ) defines an adaptive stability index. When Ψ > 1, learning outpaces delay, yielding anticipatory regulation; when Ψ < 1, delay dominates, producing oscillatory or reactive performance. Integrating control theory, human-in-the-loop feedback, and reliability engineering, the framework enables quantifiable analysis of SMS responsiveness and stability. It extends the system-theoretic lineage by formalizing the influence of feedback delay, control gain, and information coupling, establishing a scalable basis for simulation-based validation and predictive reliability modeling.
safety management system, system dynamics, adaptive governance, complexity, reliability, resilience engineering, symbiotic risk model
Over the past two decades, safety management systems (SMS) have evolved into the dominant framework for regulating safety performance in high-reliability engineering domains, including aviation, nuclear energy, and transportation. Originating in the International Civil Aviation Organization’s (ICAO) Annex 19 and the Safety Management Manual (Doc 9859, 4th ed.) [1, 2], the U.S. Federal Aviation Administration later institutionalized the SMS concept through Advisory Circular AC 120-92D [3]. These frameworks define a four-pillar architecture—Policy, Risk Management, Assurance, and Promotion—intended to maintain hazard control and enable continuous improvement through structured organizational processes [4]. While this model has achieved global harmonization and demonstrable oversight improvements [5], it remains rooted in a static paradigm of hierarchical control. Such design assumptions fit the operational environment of the 1990s—linear, deterministic, and largely human-supervised—but are increasingly inadequate for the nonlinear and tightly coupled architectures characterizing modern socio-technical systems [6, 7]. Under these new operating conditions, even fully compliant SMS may exhibit instability: small signal delays or misalignments in feedback can cascade into major performance drift or accidents. The persistence of critical incidents despite regulatory compliance suggests that the limitation lies not in SMS execution, but in its control-system architecture [8, 9].
1.1 The methodological gap
Within reliability engineering, accident causation and safety performance have increasingly been examined through systemic and control-theoretic perspectives. Rather than treating accidents as isolated component failures, recent approaches emphasize dynamic feedback failures, simulation-based systemic risk assessment, and safety as an emergent property of complex socio-technical systems [10-12]. This view has been further extended by studies on organizational resilience and system dynamics modeling, which frame safety performance as a dynamic and adaptive process shaped by feedback, learning, and system-level interactions [13, 14].
Despite these advances, few models have explicitly captured the coupled feedback behavior among the four SMS pillars themselves, nor have they incorporated measurable delay and learning terms, such as feedback latency (Fₗ) and learning velocity (Lᵥ), that define system stability boundaries. This lack of quantitative representation creates a methodological gap between the conceptual intent of SMS frameworks and their dynamic realization in real operational contexts. Addressing this gap motivates the present research.
1.2 Research question and objective
The central research question guiding this study is:
How can the complexity and dynamic behavior of SMS be modeled as a closed-loop control system without oversimplifying their adaptive properties?
To answer this, the paper develops a system dynamics and control framework that models the SMS as a complex adaptive control system, in which safety performance emerges from feedback interactions among cognitive subsystems rather than from top-down procedural control. Building on foundational theories of system safety and resilience engineering [8, 12, 15] and on prior work on hormetic adaptive governance [16], the framework integrates prior contributions on resilience quantification [13], dynamic system modeling [14], and system-of-systems reliability analysis [17]. The specific objectives are:
1.3 Contribution of the study
This study advances the system-theoretic lineage of reliability engineering by introducing a formal control-based representation of SMS dynamics. It reframes the SMS as a governance feedback system whose reliability depends on control gain, phase delay, and learning efficiency—parameters that can be analyzed and simulated using system dynamics methods. The proposed model provides:
(i) a quantitative architecture linking compliance, cognition, and control;
(ii) a set of measurable parameters to evaluate SMS responsiveness and stability; and
(iii) a conceptual foundation for the forthcoming cognitive safety management system (C-SMS), where adaptive reliability emerges from feedback coherence, controlled stress exposure, and continuous learning [16].
By formalizing the feedback structure and latency effects within SMS operations, this work bridges conceptual governance models with engineering analysis, creating a pathway toward simulation-driven evaluation of safety performance.
2.1 Regulatory foundations of safety management systems
The contemporary SMS is the regulatory standard for structured safety governance in high-reliability engineering domains. Its foundations were formalized by ICAO through Annex 19—Safety Management and the Safety Management Manual (Doc 9859, 4th ed.) [1, 2]. ICAO defines SMS as a systematic approach to managing safety, including the necessary organizational structures, accountabilities, policies, and procedures [2]. This model establishes four interdependent control domains—Safety Policy, Safety Risk Management, Safety Assurance, and Safety Promotion—which together form a recursive feedback architecture for hazard identification, performance monitoring, and knowledge transfer. In the United States, the Federal Aviation Administration (FAA) codified the same framework under Advisory Circular AC 120-92D, emphasizing data-driven assurance, documentation traceability, and management accountability [3]. Both the ICAO and FAA architectures follow the Plan-Do-Check-Act (PDCA) logic derived from industrial quality management and management system standards [4, 18]. This sequence implicitly defines a control cycle, where each stage acts as a discrete processing layer within a larger dynamic system. However, these documents specify what organizations must implement, not how their internal feedback mechanisms operate dynamically. The ICAO Manual explicitly acknowledges that the SMS should be commensurate with the complexity of the organization [2], but offers little operational guidance for managing nonlinear feedback, latency, and cross-pillar coupling. This limitation has motivated the development of dynamic and control-theoretic models in reliability and safety engineering, seeking to formalize the SMS as a governance control system with measurable stability parameters [10, 11, 13, 14].
2.2 From linear control to dynamic interaction
Traditional safety management often treated risk control as a linear transfer function, assuming proportional relationships between hazards and outcomes. However, socio-technical systems are characterized by nonlinear interactions, delays, and tight coupling, which make linear control assumptions insufficient [6]. Later systemic safety theories reframed risk regulation as a hierarchical and dynamic control process, in which operational pressures may gradually shift systems toward unsafe boundaries [8]. This perspective was further developed by defining safety as an emergent property of interactions among control structures rather than as the result of component reliability alone [12]. Resilience engineering and Safety-II extended this view by emphasizing adaptive capacity and the ability of systems to adjust before failure occurs [15, 19]. Within this development, reliability and safety engineering have increasingly operationalized systemic safety concepts through models of feedback, control, and functional variability. Prior studies have examined dynamic feedback coupling in accident models, simulation-based systemic risk assessment in air traffic systems, measurable indicators of organizational resilience, system-dynamics representations of safety management processes, and FRAM-based analysis of variability in complex systems [10, 11, 13, 14, 20].
Together, these studies suggest that reliability depends not only on procedural compliance but also on feedback coherence and learning velocity. Building on this foundation, the present work combines the SRM [16] with system dynamics modeling [14] to represent SMS as a complex adaptive control system, namely, a network of interdependent cognitive subsystems governed by feedback, delay, and control gain.
2.3 The symbiotic risk model
The SRM, as developed in the present article and supported by prior work on hormetic adaptive governance [16], conceptualizes safety as the emergent outcome of co-evolutionary feedback among technical, human, and organizational subsystems. Instead of treating hazards as exogenous perturbations, SRM models them as endogenous stressors that drive learning and adaptation, analogous to hormetic dynamics observed in biological systems. This view aligns with resilience engineering and adaptive governance perspectives, which identify resilience as a property of systems capable of absorbing, interpreting, and transforming information under stress [19, 21]. When applied to SMS, SRM interprets the four pillars as cognitive subsystems:
Reliability, therefore, depends not only on each subsystem’s internal performance but on the density (Id) and timeliness (Fₗ) of the feedback signals exchanged between them. High interaction density and low latency enhance system observability and control gain, whereas delayed or fragmented feedback undermines adaptation.
2.4 Integrating complexity and resilience within safety management systems
Complexity theory provides the mathematical bridge between procedural compliance and adaptive governance. In open socio-technical systems, multiple feedback loops operate simultaneously, generating resonance effects that can amplify or dampen safety performance [15]. Studies on organizational resilience and system-of-systems reliability have shown that nonlinear dependencies between subsystems can be analyzed through structured modeling approaches [13, 17]. From a control-theoretic perspective, the SMS can thus be expressed as a multi-loop feedback system whose stability depends on three interacting parameters. Table 1 summarizes these parameters and specifies their control-theoretic roles.
Table 1. Core control-theoretic parameters of adaptive safety management systems (SMS)
|
Parameter |
Symbol |
Definition |
Control-Theoretic Role |
|
Feedback latency |
Fl |
Time delay between deviation detection and corrective control |
Phase lag determining stability margin |
|
Learning velocity |
Lv |
Rate at which new information is assimilated and operationalized |
Positive gain governing adaptive response |
|
Interaction density |
Id |
Degree of interconnection and signal exchange among subsystems |
Coupling coefficient influencing system sensitivity |
From a control-theoretic perspective, the SMS can thus be expressed as a multi-loop feedback system, whose stability depends on three interacting parameters:
Adaptive equilibrium is achieved when the learning gain compensates for delay-induced instability, i.e., when the adaptive stability index Ψ exceeds unity. This provides a measurable boundary condition for governance stability and organizational adaptability, linking cognitive behavior to control performance.
2.5 Methodological approach
To operationalize these theoretical principles, the study employs a system dynamic modeling approach, which is particularly suited for representing feedback loops, accumulation processes, nonlinearities, and delays in complex systems [22]. Each SMS pillar is represented as a subsystem defined by three functions: Input, corresponding to signal sensing; Processing, corresponding to control decision; and Output, corresponding to feedback action. These subsystems are connected through reinforcing and balancing loops, consistent with prior system dynamics applications to safety management [14].
The model incorporates the three control variables—feedback latency (Fₗ), learning velocity (Lᵥ), and interaction density (Id)—to govern information propagation and delay effects across subsystems. A qualitative causal-loop diagram is used to map interactions, while FRAM mapping identifies variability in human and procedural performance [15, 20]. To strengthen validity, parameter relationships were refined through expert elicitation involving three senior safety management professionals from the aviation and energy sectors. Two baseline configurations were then simulated qualitatively, as shown in Table 2.
Table 2. Baseline configurations for procedural and adaptive safety management systems (SMS)
|
Scenario |
Description |
Dynamic Characteristics |
Expected Stability Behavior |
|
Scenario A-Procedural SMS |
Long feedback delays (high Fl), low learning velocity (low Lv) |
Reactive, compliance-based control |
Oscillatory, brittle response (Ψ < 1) |
|
Scenario B-Adaptive SMS |
Short feedback delays (low Fl), high learning velocity (high Lv) |
Proactive, learning-based control |
Stable adaptive regulation (Ψ > 1) |
This dual-scenario analysis enables a qualitative sensitivity assessment of the SMS as a nonlinear control system, illustrating how adaptive stability depends on the balance between feedback delay and learning gain. The results presented in Section 4 demonstrate how $\Psi=L_v / F_l$ provides an interpretable index linking reliability performance to cognitive adaptability.
3.1 System architecture and feedback structure
The SMS can be represented as a multi-loop control network composed of four interacting subsystems: Safety Policy (P), Safety Risk Management (R), Safety Assurance (A), and Safety Promotion (M). Each subsystem functions as a cognitive control node, exchanging signals with the others through reciprocal feedback.
Rather than operating in sequence, these components interact continuously, forming a nonlinear control structure that balances reinforcing and balancing mechanisms. The architecture follows the control logic $\dot{x}(t)=f(x, u, t)+g(x, \tau)$, where $x$ represents state variables (safety performance indicators), $u$ denotes control inputs (policy decisions), and $\tau$ corresponds to feedback delay.
The causal-loop diagram was iteratively refined through expert review (three senior safety managers from the aviation and energy sectors). Modifications included directional adjustments and latency corrections to ensure representational fidelity and functional closure.
These interactions create a dynamic control topology in which safety performance depends on delay times and control gains. High feedback coherence produces stable adaptation, whereas delayed or weak coupling yields oscillatory drift, consistent with dynamic risk regulation and system dynamics perspectives [8, 14].
3.2 Dynamic parameters of the model
Following prior system dynamics applications to safety management, the behavior of the SMS was parameterized through three control variables that determine adaptive equilibrium: feedback latency (Fₗ), learning velocity (Lᵥ), and interaction density (Id) [14].
Table 3 operationalizes these variables by linking each parameter to its observable interpretation and control-theoretic function.
Table 3. Operationalization of dynamic model parameters
|
Parameter |
Symbol |
Description |
Operational Interpretation |
Control-Theoretic Role |
|
Feedback latency |
Fl |
Time delay between detection and managerial response |
Measures reporting and decision delay |
Phase-lag factor; affects stability margin |
|
Learning velocity |
Lv |
Rate of procedural or cognitive adaptation after a lesson learned |
Measures responsiveness of internal learning |
Positive feedback gain; accelerates adaptation |
|
Interaction density |
Id |
Frequency and intensity of cross-pillar information exchange |
Measures organizational connectivity |
Coupling coefficient; modulates sensitivity |
System behavior was simulated qualitatively through delay-differential logic:
$\dot{S}(t)=L_v S\left(t-F_l\right)-\alpha S(t)$
where, S(t) represents aggregate safety performance and α a damping coefficient capturing resource saturation.
When Ψ > 1, adaptive correction occurs before instability develops; when Ψ < 1, oscillations dominate. This interpretation is consistent with prior resilience and system-of-systems approaches, which show that reliability depends on the timing, strength, and coupling of adaptive responses across interconnected subsystems [13, 17].
3.3 Scenario A: Procedural safety management systems (long delays, low learning velocity)
In this configuration, the SMS behaves as a compliance-driven control system characterized by long decision delays and weak cross-pillar connectivity.
Table 4 summarizes the variable conditions, system behaviors, and reliability outcomes associated with this procedural SMS configuration.
This state exhibits limit-cycle oscillations in performance: safety events generate short-term responses but insufficient reinforcement, leading to recurrence. Such systems remain formally compliant yet cognitively inert, consistent with the post-event learning pattern identified in organizational resilience studies [13].
Table 4. Dynamic behavior of procedural safety management systems (SMS) under long-latency conditions
|
Variable Condition |
Symbolic State |
System Behavior |
Reliability Outcome |
|
Fl ↑(long delay) |
Phase lag increases |
Reactive response, oscillatory cycles |
Instability under perturbation |
|
Lv ↓(slow learning) |
Reduced adaptation gain |
Lessons poorly reintegrated |
“After-action learning” regime |
|
Id↓ (low coupling) |
Fragmented information flow |
Delayed coordination |
Structural brittleness |
3.4 Scenario B: Adaptive safety management systems (short delays, high learning velocity)
This configuration represents a C-SMS. Short latency (Fl↓) enables near-real-time detection, and high learning velocity (Lv↑) ensures rapid assimilation of lessons. Table 5 presents the corresponding dynamic behavior of an adaptive SMS under short-latency and high-learning-velocity conditions.
Table 5. Dynamic behavior of adaptive safety management systems (SMS) under short-latency conditions
|
Variable Condition |
Symbolic State |
System Behavior |
Reliability Outcome |
|
Fl ↓ |
Minimal delay |
Early deviation detection |
Rapid corrective control |
|
Lv ↑ |
High learning gain |
Anticipatory adjustment |
Stable equilibrium |
|
Id↑ |
Dense coupling |
Enhanced signal coherence |
Homeostatic reliability |
The resulting dynamic is anticipatory rather than reactive: disturbances are absorbed through coordinated adaptation. The system converges to a stable fixed point, consistent with homeostatic control behavior and adaptive resilience theory [15, 21].
3.5 Sensitivity analysis and stability domain
A sensitivity analysis was performed by varying the adaptive stability ratio Ψ, revealing three behavioral regimes. Table 6 classifies these regimes according to their system behavior, reliability interpretation, and stability condition.
The critical boundary Ψ = 1 marks the bifurcation between reactive brittleness and adaptive resilience. This aligns with stability thresholds observed in system dynamics safety modeling and supports the hypothesis that learning velocity is the principal stabilizing gain in socio-technical control systems [14].
Table 6. Stability regimes associated with the adaptive stability index Ψ
|
Ratio Ψ |
System Behavior |
Reliability Interpretation |
Stability Classification |
|
<1.0 |
Oscillatory, reactive feedback |
Compliance without cognition |
Unstable regime |
|
≈1.0 |
Transitional mixed control |
Partial adaptation |
Marginal stability |
|
>1.0 |
Stable, anticipatory learning |
Cognitive reliability domain |
Asymptotic stability |
4.1 Linking dynamic feedback to reliability performance
The analysis demonstrates that SMS performance cannot be captured through static compliance indicators alone. Reliability depends on temporal synchronization among sensing, decision, and learning subsystems.
When learning cycles outpace feedback delays (Lv > Fl), the system exhibits anticipatory control, absorbing deviations before escalation. Conversely, when Lv < Fl, delayed corrective actions cause oscillations, reflecting reactive governance.
These results align with prior studies that have modeled safety as a dynamic equilibrium driven by feedback coherence, adaptive learning, and cross-system coupling [13, 14, 17]. The present work extends this foundation by quantifying the cognitive control dimension, specifically how processing velocity and cross-functional coupling determine system-wide reliability.
4.2 Integrating cognition into system-theoretic safety models
Within the system-theoretic lineage of reliability and safety engineering, accidents are typically viewed as the result of inadequate control, signal distortion, or delayed feedback in hierarchical systems [10-12]. However, as socio-technical systems evolve toward higher levels of interconnectivity and automation, the control failure paradigm must incorporate cognitive mechanisms, those governing how organizations perceive, interpret, and learn from anomalies and early warning signals.
Recent work on the cognitive basis of human reliability analysis shows that cognitive processing delays can substantially affect human–system performance [23]. By analogy, an SMS operates as a distributed cognitive control system, subject to similar temporal constraints. The parameters introduced in this study, feedback latency (Fₗ) and learning velocity (Lᵥ), represent macroscopic analogs of cognitive processing time and information assimilation rate at the organizational level.
Thus, the proposed C-SMS bridges the conceptual gap between individual cognition and organizational reliability. Distributed sensemaking [24], adaptive feedback loops [15], and systemic co-evolution [16, 21] interact to produce resilient system behavior. In formal terms, cognition acts as a dynamic control function regulating the system’s phase lag through Fₗ and control gain through Lᵥ, thereby influencing its overall stability margin.
4.3 Reliability as an emergent function of learning
From a reliability-engineering perspective, this study reframes reliability as an emergent and rate-dependent property rather than a static probability measure. Traditional models treat reliability as a scalar function of component failure rates or mean time to failure [25]. However, system-theoretic safety perspectives show that, in complex adaptive systems, overall reliability also depends on how efficiently feedback mechanisms detect, transmit, and correct deviations over time [12].
Table 7 maps the proposed system parameters to their cognitive functions, control-system equivalents, observable indicators, and reliability implications.
Table 7. Mapping of system parameters to cognitive and reliability functions
|
Parameter |
Cognitive Function |
Control-System Equivalent |
Observable Indicator |
Reliability Implication |
|
Feedback Latency (Fₗ) |
Cognitive delay, sensemaking lag |
Phase lag, response time constant |
Mean reporting time, decision latency |
Determines oscillation risk; lower Fₗ improves control stability |
|
Learning Velocity (Lᵥ) |
Knowledge assimilation speed |
Positive feedback gain |
Rate of lesson implementation, procedural update time |
Higher Lᵥ increases adaptive reliability |
|
Interaction Density (Id) |
Distributed attention and communication |
Coupling coefficient, signal density |
Network connectivity, cross-functional exchanges |
Higher Id improves information coherence and fault observability |
|
Ψ = Lᵥ/Fₗ |
Adaptive stability ratio |
Control gain–delay ratio |
Composite indicator of learning vs delay |
Ψ > 1 → stable adaptive regime; Ψ < 1 → reactive instability |
The present model proposes that adaptive reliability Ra (t) can be expressed conceptually as:
$R_a(t)=f\left(L_v(t), F_l(t), I_d(t)\right)$
where, $L_v$ defines the system's learning gain, $F_l$ is temporal delay, and $I_d$ is coupling density. This formulation highlights reliability as a derivative of learning performance, that is, the faster a system learns and reintegrates feedback (high $L_v$, low $F_l$ ), the higher its sustained reliability. The adaptive reliability index $\Psi=L_v / F_l$ therefore serves as a leading indicator of system stability.
This interpretation parallels resilience quantification studies, where performance recovery speed defines resilience [13]. Here, resilience and reliability are shown to co-evolve: reliability provides structural stability, expressed through low variance and consistent control, while resilience provides dynamic stability, expressed through rapid adaptation and drift correction. Increasing Lᵥ relative to Fₗ thus expands both domains simultaneously, improving system robustness under uncertainty.
4.4 Policy and governance implications
The results have direct implications for regulators, system designers, and safety managers in high-reliability organizations:
Interaction density as a structural design parameter. Governance frameworks should promote high-frequency, bidirectional information exchanges across the four pillars, enabling collective sensemaking and adaptive coordination [7, 21]. Regulators should also shift from prescriptive compliance to performance-based oversight, assessing how effectively organizations learn and self-correct under changing operational conditions [8, 26]. These findings reinforce that safety governance is a dynamic control problem: effectiveness depends less on procedural uniformity than on the speed, density, and coherence of feedback processes.
4.5 Methodological contribution and future integration
Methodologically, this work extends prior resilience engineering contributions along three main axes, summarized in Table 8.
This dual-method framework offers a pathway for empirical extension through digital twin simulation of operational environments, scenario-based stress testing of system delay and coupling sensitivity, and machine-learning analysis of time-series safety data to infer feedback latency in real operations. These extensions are consistent with system dynamics modeling, organizational resilience assessment, and system-of-systems reliability approaches [13, 14, 17].
Ultimately, the SMS evolves from a compliance architecture to an adaptive control system, a cognitive safety engine capable of sustaining reliability through continuous feedback, learning, and foresight.
Table 8. Methodological contributions of the proposed SD-FRAM framework
|
Contribution |
Description |
Reference |
|
Formalization of dynamic control structure |
Provides a system dynamics representation of SMS behavior as a closed-loop network, enabling explicit analysis of delay and gain effects. |
Builds on system dynamics foundations [14, 22] |
|
Quantifiable governance parameters |
Introduces measurable control variables (Fₗ, Lᵥ, Id) linking management processes to adaptive reliability outcomes. |
Extends organizational resilience and system-of-systems reliability approaches [13, 17] |
|
Hybrid SD-FRAM integration |
Combines causal-loop modeling with functional resonance mapping to capture both structural and emergent dynamics. |
Builds on Safety-II and FRAM foundations [15, 20] |
Note: Safety management systems (SMS); System Dynamics- Functional Resonance Analysis Method (SD-FRAM)
While this study provides a qualitative model, the next step involves quantitative calibration and simulation validation. Future research will use parameter estimation and time-series data from high-reliability sectors to test the sensitivity of Fₗ, Lᵥ and Id under varying disturbance conditions, thus operationalizing the proposed adaptive reliability Index (Ψ) as a measurable engineering metric.
This study proposed a system dynamics Framework for modeling and managing the complex adaptive behavior of SMS in high-reliability organizations.
Building on system safety theory, resilience engineering, and prior work on hormetic adaptive governance, the research formalized the four SMS pillars—Policy (P), Risk Management (R), Assurance (A), and Promotion (M)—as interconnected feedback control functions within a cognitive system architecture..Using qualitative system dynamics modeling complemented by Functional Resonance Analysis Method (FRAM) principles, two distinct dynamic regimes were identified: a Procedural SMS, characterized by long feedback delays and low learning velocity, resulting in oscillatory, compliance-driven behavior; and an Adaptive SMS, where short latency and dense cross-pillar interaction generate stable, anticipatory regulation. The results demonstrate that organizational reliability is a rate-dependent property, determined by the balance between feedback latency (Fₗ) and learning velocity (Lᵥ).
When Lv > Fl, the system learns faster than perturbations propagate, producing adaptive equilibrium.
When Lv < Fl, delays dominate, producing oscillatory drift and reactive control.
This behavior aligns with previous work on resilience quantification, system dynamics modeling, and system-of-systems reliability, but extends it by introducing a cognitive-control dimension at the system-governance level, thereby connecting human cognition with organizational control theory. From a methodological standpoint, this framework advances the Reliability Engineering tradition by bridging resilience engineering, control theory, and organizational cognition.
It formalizes how feedback structure, signal latency, and learning velocity govern adaptive reliability, transforming SMS from a procedural compliance framework into a governance control system capable of learning in real time.
For researchers, the model provides a foundation for quantitative validation through simulation, digital-twin environments, and learning analytics.
For practitioners and regulators, it introduces diagnostic variables that can be monitored empirically to assess an organization’s adaptive capacity and cognitive maturity.
Ultimately, the transition from Compliance to Cognition represents the next evolution in safety governance. The proposed C-SMS extends SMS beyond documentation and oversight into an intelligent feedback architecture, one that perceives, interprets, and adapts dynamically to emerging risks.
In such systems, reliability becomes an emergent property of continuous learning: a measure not of how strictly procedures are followed, but of how rapidly an organization can learn from complexity.
While the framework offers a structured and theoretically grounded representation of SMS dynamics, it remains a qualitative model that requires empirical calibration.
Future work will focus on parameter estimation, time-series simulation, and cross-industry validation, enabling quantitative evaluation of sensitivity and stability domains for Fl, Lv and Id.
Integrating these elements into digital twin architectures will enable the predictive assessment of adaptive reliability under real-world operating conditions.
[1] International Civil Aviation Organization. (2016). Annex 19 to the Convention on International Civil Aviation: Safety Management, 2nd ed. Montreal: ICAO.
[2] International Civil Aviation Organization. (2018). Safety Management Manual (SMM), Doc 9859, 4th ed. Montreal: ICAO.
[3] Federal Aviation Administration. (2024). Advisory Circular AC 120-92D: Safety Management Systems for Aviation Service Providers. Washington, DC: U.S. Department of Transportation, Federal Aviation Administration.
[4] International Organization for Standardization. (2018). ISO 45001:2018—Occupational Health and Safety Management Systems—Requirements with Guidance for Use. Geneva: ISO.
[5] Hardy, K., Comfort, L.K. (2015). Dynamic decision processes in complex, high-risk operations: The Yarnell Hill Fire, June 30, 2013. Safety Science, 71: 39-47. https://doi.org/10.1016/j.ssci.2014.04.019
[6] Perrow, C. (1999). Normal Accidents: Living with High-Risk Technologies. Princeton, NJ: Princeton University Press. https://doi.org/10.1515/9781400828494
[7] Woods, D.D., Branlat, M. (2011). Basic patterns in how adaptive systems fail. In Resilience Engineering in Practice: A Guidebook, pp. 127-143. Farnham: Ashgate. https://doi.org/10.1201/9781317065265-10
[8] Rasmussen, J. (1997). Risk management in a dynamic society: A modelling problem. Safety Science, 27(2-3): 183-213. https://doi.org/10.1016/S0925-7535(97)00052-0
[9] Dekker, S. (2016). Drift into Failure: From Hunting Broken Components to Understanding Complex Systems. Boca Raton, FL: CRC Press. https://doi.org/10.1201/978131525739
[10] Qureshi, Z.H. (2007). A review of accident modelling approaches for complex socio-technical systems In SCS '07: Proceedings of the twelfth Australian workshop on Safety critical systems and software and safety-related programmable systems - Volume 86, pp. 47-59.
[11] Stroeve, S.H., Blom, H.A.P., Bakker, G.J. (2009). Systemic accident risk assessment in air traffic by Monte Carlo simulation. Safety Science, 47(2): 238-249. https://doi.org/10.1016/j.ssci.2008.04.003
[12] Leveson, N.G. (2012). Engineering a Safer World: Systems Thinking Applied to Safety. Cambridge, MA: MIT Press. https://doi.org/10.7551/mitpress/8179.001.0001
[13] Patriarca, R., Di Gravio, G., Costantino, F., Falegnami, A., Bilotta, F. (2018). An analytic framework to assess organisational resilience. Safety and Health at Work, 9(3): 265-276. https://doi.org/10.1016/j.shaw.2017.10.005
[14] Di Nardo, M., Madonna, M., Murino, T., Castagna, F. (2020). Modelling a safety management system using system dynamics at the Bhopal incident. Applied Sciences, 10(3): 903. https://doi.org/10.3390/app10030903
[15] Hollnagel, E. (2014). Safety-I and Safety-II: The Past and Future of Safety Management. Boca Raton, FL: CRC Press. https://doi.org/10.1201/9781315607511
[16] Hardy, K. (2025). Harnessing hormesis for strengthening disaster resilience and adaptive governance in remote and island communities. In IDRiM2025 Conference: Advancing Disaster Risk Reduction in Islands and Remote Areas, Samos, Greece, pp. 143-144.
[17] Eusgeld, I., Nan, C., Dietz, S. (2011). “System-of-systems” approach for interdependent critical infrastructures. Reliability Engineering & System Safety, 96(6): 679-686. https://doi.org/10.1016/j.ress.2010.12.010
[18] Deming, W.E. (2018). Out of the Crisis. Cambridge, MA: MIT Press. https://doi.org/10.7551/mitpress/11457.001.0001
[19] Hollnagel, E., Woods, D.D., Leveson, N. (2006). Resilience Engineering: Concepts and Precepts. Aldershot: Ashgate. https://doi.org/10.1201/9781315605685
[20] Patriarca, R., Di Gravio, G., Woltjer, R., Costantino, F., Praetorius, G., Ferreira, P., Hollnagel, E. (2020). Framing the FRAM: A literature review on the functional resonance analysis method. Safety Science, 129: 104827. https://doi.org/10.1016/j.ssci.2020.104827
[21] Comfort, L.K. (2016). Building community resilience to hazards. Safety Science, 90: 1-4. https://doi.org/10.1016/j.ssci.2015.09.031
[22] Sterman, J.D. (2000). Business Dynamics: Systems Thinking and Modeling for a Complex World. Boston, MA: Irwin/McGraw-Hill.
[23] Alvarenga, M.A.B., Frutuoso e Melo, P.F. (2019). A review of the cognitive basis for human reliability analysis. Progress in Nuclear Energy, 117: 103050. https://doi.org/10.1016/j.pnucene.2019.103050
[24] Weick, K.E. (1995). Sensemaking in Organizations. Thousand Oaks, CA: Sage Publications.
[25] Aven, T. (2016). Risk assessment and risk management: Review of recent advances on their foundation. European Journal of Operational Research, 253(1): 1-13. https://doi.org/10.1016/j.ejor.2015.12.023
[26] Reason, J. (2016). Managing the Risks of Organizational Accidents. London/New York: Routledge. https://doi.org/10.4324/9781315543543