The Avengers Initiative – A System of Systems Safety Challenge

“And there came a day, a day unlike any other, when Earth’s mightiest heroes and heroines found themselves united against a common threat. On that day, the Avengers were born—to fight the foes no single super hero could withstand! Through the years, their roster has prospered, changing many times, but their glory has never been denied! Heed the call, then—for now, the Avengers Assemble!”

System Definition

“The Avengers” is a team of super-heroes from the Marvel Comics universe. As with any hazard identification, it is important to be precise about what is considered in and out of the system. This is complicated by the changing composition of the super-hero team, including multiple incarnations in parallel continuities. There are also interfaces with other organisations such as Shield and non-aligned super-heroes. In fact, it may be more useful to consider the Avengers as a “System of Systems” (SoS).

Hall-May describes SoS as “systems whose constituent components are sufficiently complex and autonomous to be considered as systems in their own right and which operate collectively with a shared purpose”[1]. This would certainly apply to the Avengers.

Held [2] says that a System of Systems has the characteristics:

  1. The system can be subdivided into independently operating systems. The independent systems must themselves be systems.
  2. The system does not depend on all elements for survival. For example, if the rudder on a 747 fails, the aircraft is very likely to crash destroying the rest of the nodes and ceasing to be a system as a whole. The 747 cannot be an SoS. The airport, however, will continue to operate. The airport can be an SoS.
  3. Systems in an SoS have some form of communication. Communication is any form of information passing, regardless of intent. For example a deer showing a white tail while running is passing the information of danger to any other observing deer. The intent of the deer was to run in fear, not to communicate the danger.
  4. Elements have a common mission. A mission can be described which encapsulates the behavior of the group.

This definition also applies to the Avengers. My own view [3] is that Systems of Systems is not an absolute definition, but should be applied when it is useful to do so. One case where it is definitely useful is when systems have a fluid configuration, with limited information about future configurations. Again, this suggests that System of Systems treatment of the Avengers is appropriate.


Each Avengers Ensemble will comprise of between four and six super-hero systems, selected from the following set. Each system may have multiple operating modes.

  • Ironman / Tony Stark  (Powered flying suit and operator | Genius Technologist)
  • Hulk / Bruce Banner (Enraged Green Monster | Gamma-Ray Scientist)
  • Thor (Norse God)
  • Henry Pym (Ant-Man | Giant Man | Wasp)
  • Captain America (Super Soldier)
  • Hawkeye (Archer)
  • Quicksilver (Fast Moving Mutant)
  • Scarlet Witch (Magic Wielding Mutant)
  • Black Widow (Spy)
  • Beast (Scientist)

Configurations may also include up to two other external super-hero systems. Modes and capabilities of these other systems cannot be fully anticipated. A stereotypical example is Spiderman. Spiderman will be used throughout this analysis as a test case for the ability of the System of Systems to incorporate an external super-hero system.

Each configuration will typically include one or more vehicles.


An important aspect of system-of-systems is that the lifecycle of the SoS does not neatly align with the lifecycles of the component systems. All of the initial component super-hero systems were specified, designed and implemented before the assembly of the Avengers system. As a consequence it was not possible to incorporate features into the design of each of them to support Avengers working. A key example of this is inter-operability of equipment and power sources. Thor’s main weapon system is incompatible with everyone but Thor. Iron Man’s entire weapons and propulsion platform uses bespoke technology.

Contrast this with a lifecycle where the Avenger’s concept was determined before the design of the superheroes. At the very least, dangerous fashion incompatibility could have been avoided.

Top Level Hazards(TLH)

With any system-of-systems there are a standard set of hazards that may be applicable. In fact, with the Avengers we find that all of them are applicable.

TLH1: Fratricide

Fratricide, also known as “friendly fire” or “blue on blue” incidents, typically results from misidentification of targets, incorrect aiming of direct or indirect fire, or failure to establish and enforce zones with clear rules of engagement. The mix of indirect-fire weapons (ants, lightning), direct fire weapons (shield, hammer, arrows, guns, magnetic repulsors) and melee suggests that Avenger fratricide is a risk which must be carefully managed.

The Avengers have rightly determined that procedural mitigations are insufficient here. It’s one thing to tell Iron Man, Thor or Hulk to carefully identify targets, it is another thing to actually expect them to do so. An alternate strategy is to mitigate the consequences of fratricide by designing defensive capability to be universally stronger than the offensive systems. The main mechanisms of these systems are:

  • Invulnerability  (Thor, Hulk)
  • Physical Protection (Iron Man, Captain America)
  • Agility (Beast, Quicksilver, Black Widow)

Fratricide risk applying to the other super-hero systems remains high-likelihood, high-consequence. Blind luck and comic-book physics are the only explanations for the continued survival of Henry Pym, Hawkeye and the Scarlet Witch.

 TLH2: Collision

Combat frequently requires fast-moving objects to co-ordinate their movements in close proximity. Whilst in many respects the speed and mass of the super-hero units makes collision a greater threat than fratricide, the mitigations are the same. Ideally zones of operation and movement would be determined and enforced through non-procedural means. In practice ambiguous verbal communication (“look out”, “gang way”, “duck”) seems to be the main strategy for collision avoidance. For units such as Hulk, Thor or Iron Man this level of mitigation is acceptable, because the consequences of collision are minor. In the case of Ant Man his small size not only magnifies the consequence, but reduces the effectiveness of the mitigation. Other units are unlikely to see Ant Man, and his own voice requires magnification to be heard.

TLH3: Resource Competition

Typical finite resources which must be considered in System of Systems are:

  • Communication channels
  • Logistic support channels
  • Fuel
  • Ammunition
  • Movement corridors
  • Shared support facilities

Fortunately, none of the super-hero units are heavily resource dependent. Units such as Hawkeye have ammunition restrictions, but these restrictions are typically plot-imposed rather than dependent on logistic organisation. In most respects the lack of weapon-system compatability is an advantage here, as no pair of units have common consumable supplies or parts.

TLH4: Mission Capability Shortfall

The fluid configuration of a system-of-systems presents a risk that a vital capability will be lacking in some configurations. To account for this hazard we must consider what the vital capabilities are, and how they may be provided.

For a super-hero team, plotlines typically require:

  • Investigative ability
  • Novel solutions to complex problems
  • Transport to and from the location of incidents
  • Combat capability

Full details are not provided here, but a simple table showing the capabilities of each hero-unit will show that not all combinations of hero-unit can deliver all of the required capabilities. For example, a team consisting of Thor, Henry Pym as Giant Man, Quicksilver and Bruce Banner in Enraged Green Monster mode would have considerable combat capability, but so little intellectual capability that they would present an enormous threat to the general public. On the other hand, a team consisting of Tony Stark in Genius mode, Bruce Banner in Gamma Scientist Mode, Black Widow and Henry Pym as ant-man would have insufficient firepower for most plot challenges, presenting serious risk to themselves and unprotected bystanders.



How Repeatable is Quantitative Risk Analysis – European Benchmark Studies

I was at PSAM11/ESREL12 this week, and I plan to write a few posts on topics I found interesting. First though there were some papers that I mentioned during my own talk that are not in the bibliography of the accompanying paper. Normally, this would cause me to start questioning just how  comprehensive my work was – after all, I was making claims about the lack of empirical evaluation of quantitative analysis, and here are three relevant papers that I hadn’t even seen. On the other hand, no one in my research group had heard of the studies either, and they aren’t well known in the whole Probabilistic Risk Assessment community. Important work, bypassing its key audience. Maybe the research councils have a point when they insist on an impact plan in grant applications.

These papers report three investigations into variation in risk assessment. In the first study, 11 teams were asked to quantify the risk presented by an ammonia plant. All teams had access to the same information, but the results were evenly spread over six orders of magnitude. In the second study they tried to pin down what was causing the variation. At several stages during this study they reduced the variation by standardising assumptions and methods, but the teams (using similar source information to the first study) still spread over four orders of magnitude. Once you take into accound the reductions in variation along the way, this was a good (but not completely independent) replication of the first study’s results.

The third study is to do with the ability of reviewers to interpret studies. Multiple reviewers were given the same study, and asked to draw conclusions from it.

Anyway, the three papers are:

S. Contini, A. Amendola, and I. Ziomas, ‘Benchmark Exercise on Major Hazard Analysis. Vol. 1. Description of the Project, Discussion of the Results and Conclusions’, 1991. [Online]. Available: [Accessed: 22-Jun-2012].
K. Lauridsen, I. Kozine, F. Markert, A. Amendola, M. Christou, and M. Fiori, ‘Assessment of Uncertainties in Risk Analysis of Chemical Establishments The ASSURANCE project’, Final Report, Risø, 2002.
L. Fabbri and S. Contini, ‘Benchmarking on the evaluation of major accident-related risk assessment’, Journal of Hazardous Materials, vol. 162, no. 2–3, pp. 1465–1476, Mar. 2009.