“The love of a dog is a pure thing. He gives you a trust which is total. You must not betray it.” — Michel Houellebecq
A week ago, Vader, a police dog in the Arnold Police Department (APD), died from heat exhaustion after his handler found him in a hot patrol vehicle. Arnold is a town south of Saint Louis and the public outrage there and throughout the region was immediate. The APD promised an investigation but refused to release the name of Vader’s handler, perhaps fearing the hate that would be directed at the handler.
The public outrage was misdirected.
Systems Were In Place
His handler left Vader in his patrol vehicle as he attended to other matters that did not require the K-9’s active engagement. According to common practice, the cruiser was running with the air-conditioner on while the handler was away. So, the outrage that someone would leave a dog in a hot vehicle during a blistering heat wave is misdirected. It was supposed to be cool. But when the handler returned, the handler discovered that the air conditioning system had malfunctioned.
I don’t know what that means, that the A/C had “malfunctioned.” I can speculate, but I do know that everything fails, including air conditioning systems in automobiles. Nonetheless, we can assume that the handler meant to keep Vader comfortably out of the heat.
Multiple Layers of Protection?
The APD also stated there was a back-up. Knowing that an air conditioning system could fail and that the life of a valuable asset like a police dog depended on staying cool, the cruiser was equipped with an emergency system. The APD explained that, on high temperature in the car, the system was supposed to call the handler’s cell phone, activate the emergency lights and siren, sound the vehicle horn, activate cooling fans, and roll down the vehicle windows.
To a lay person, it probably sounds like there were six separate layers of protection: phone call, emergency lights, siren, vehicle horn, cooling fans, and windows. But four of these—cell phone, emergency lights, siren, and vehicle horn—all depended on the handler responding, a point of common cause failure. However, two of them—the cooling fan and the windows—didn’t depend on the handler. They did, however, both depend on the vehicle running. Another point of common cause failure. Instead of six layers of protection, at most there were two.
In fact, there weren’t even two layers of protection. All six responses depended on the temperature sensor and safety logic solver working correctly. A single failure to detect the high temperature condition or for the safety logic solver to activate the final control elements would render all six responses inoperable, even if they were all in perfect working order. So really, at most, there was only one layer of protection for Vader in the event of an air conditioning system failure.
Common Cause Failures?
Why did the air conditioning system fail? We don’t know what the APD’s investigation will find and many are uncertain that we will ever know, because organizations hate to be embarrassed. But one reason that an automobile’s air conditioning system will stop working is because the vehicle itself has stopped running. And if the vehicle has stopped running, the emergency responses that depend on the vehicle running will also fail. It’s entirely possible that the air conditioning system failure and the failure of the emergency system all resulted from a single cause: the failure of the cruiser to continue running. And that failure could have resulted from something as simple as running out of fuel.
Is that what happened? I don’t know. But it is a simpler explanation than that of multiple simultaneous failures.
What About Proof Tests?
Those of us who work with safety systems know that periodic proof tests are just as important to the reliability of the safety system as the architecture of the safety system. Did the APD periodically test the emergency system to demonstrate that it continued to work as designed? Did it ever work as designed? Did the handler, or anyone else in the APD for that matter, really understand how the emergency system was supposed to work? Maybe it didn’t malfunction, but functioned exactly as it was designed to function; maybe the APD simply didn’t understand what the limitations of the emergency system were.
Lessons for All of Us
I don’t believe that the handler acted with malice or neglect. There is no reason to believe that the department or the handler deliberately behaved in a way to endanger a valuable and beloved police dog like Vader. If their investigation points to errors, I hope they will share them so that other police departments can learn and benefit from their learnings, especially if the investigation uncovers misunderstandings about how the system works, its capabilities, its limitations, or its need for periodic proof tests. Sometimes it takes a terrible tragedy to prompt a course of action
We can all learn from this tragedy in our own world. Do we have emergency systems where we believe there are multiple layers of protection, but in fact those safeguards are vulnerable to common cause failures? Can everyone that depends on an emergency system actually describe how the system works? Do they know what that big red button does when they push it? It’s not enough for the system designer to understand the system; everyone that is depending on the system needs to understand how it works.
Please make sure that everyone understands how your emergency systems are supposed to work. Please make sure those systems are proof tested periodically to confirm that they continue to work. And don’t wait for a tragedy to happen before you do.