Resilience Engineering: Concepts and Precepts

Edited by Erik Hollnagel, David D. Woods and Nancy Leveson

Ashgate

Hollnagel, Erik (Editor); Woods, David D. (Editor); Leveson, Nancy (Editor). Resilience Engineering: Concepts and Precepts. Abingdon, Oxon, GBR: Ashgate Publishing Group, 2006. p iii.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise without the prior permission of the publisher.

Erik Hollnagel, David D. Woods and Nancy Leveson have asserted their right under the Copyright, Designs and Patents Act, 1988, to be identified as the editors of this work.

Published by
Ashgate Publishing Limited, Gower House, Croft Road, Aldershot, Hampshire GU11 3HR, England
Ashgate Publishing Company, Suite 420, 101 Cherry Street, Burlington, VT 05401-4405, USA
Ashgate website: http://www.ashgate.com

Chapter 19

How to Design a Safety Organization: Test Case for Resilience Engineering

David D. Woods

In the aftermath of the Columbia Space Shuttle accident (STS-107), the investigation board found evidence of an organizational accident as NASA failed to balance safety risks with intense production pressure (Gehman, 2003). Ironically, a previous investigation examining a series of failures in Mars exploration missions also focused on breakdowns in organizational decision-making in their recommendations (Stephenson et al., 2000). Both reports diagnosed a process where the pressure for production to be 'faster, better, cheaper', combined with poor feedback about eroding safety margins, led management inadvertently to accept riskier and riskier decisions.

Woods (2005a) links these accident analyses to patterns derived from previous results and argues that organizational accidents represent breakdowns in the processes that produce resilience. Balancing the competing demands for very high safety with real-time pressures for efficiency and production is very difficult. As pressure on acute efficiency and production goals intensifies, first, people working hard to cope with these pressures make decisions that consume or 'sacrifice' tasks related to chronic goals such as safety. As a result, safety margins begin to erode over time - buffering capacity decreases, system rigidity increases, the positioning of system performance relative to boundary conditions becomes more precarious (cf., Chapter 2). Second, when margins begin to erode as a natural response to production pressure, it is very difficult to see evidence of increasing or new risks. Processes that fragment information over organizational boundaries and that
reduce cross-checks across diverse teams leave decision makers unable to recognize the big picture, that is, unable to reframe their situation assessment as evidence of a drift toward safety boundaries accumulates (until a failure occurs and with the benefit of hindsight the evidence of new dangers seems strong and unambiguous).

How do people detect that problems are emerging or changing when information is subtle, fragmented, incomplete or distributed across the different groups involved in production processes and in safety management? Many studies have shown how decision makers in evolving situations can get stuck in a single problem frame and miss or mis-interpret new information that should force re-evaluation and revision of the situation assessment (e.g., Johnson et al., 2001; Patterson et al., 2001). A recent synthesis of research on problem detection by professional decision makers (Klein et al., 2005) found that reframing is a critical but difficult skill. Reframing starts with noticing initial signs that call into question ongoing models, plans and routines. How do these discrepancies lead people to question the current frame? When do they become suspicious that the current interpretation of events is incomplete and perhaps incorrect?

The initial signs are always uncertain and open to other interpretations. These indicators can easily be missed or rationalized away rather than lead to questioning and revision of the current frame. For example, studies have shown that a skilled weather forecaster comes in to work searching for the problems of the day, which comprise the unsettled parts of the scene that will need to be closely monitored (Pliske et al., 2004). In other words, the expert adopts a highly suspicious stance to notice and pursue small discrepancies despite the workload pressures and attentional demands. Less-skilled forecasters are much more reactive given other demands and do not reserve time to pursue these small (usually unimportant) discrepancies. As this example indicates, factors related to expertise, workload, and attentional focus can all contribute to a tendency to become stuck in a single view or frame, even as evidence is accumulating that suggests alternate situation assessments (Klein et al., 2005).

A resilience perspective on accidents such as Columbia allows one to step away from linear causal analyses that become stuck on the proximal events in themselves, on red herrings such as human error, or vague 'root causes' such as communication. Major accidents, like Columbia, are late indicators of a system that became brittle over time,
of a safety management process that could not see the increasing brittleness, and of safety management that was in no position to help line management respond to increasing brittleness. As a result, failures of safety management in the face of pressure to be 'faster, better, cheaper' reveal that more effective techniques should provide the ability:
• to detect when safety margins are eroding over time (monitor operating points relative to boundaries as noted in Cook & Rasmussen, 2003), in particular, to monitor the organization's model of itself - the risk that the organization is choosing to operate nearer to safety boundaries than it realizes.
• to monitor risk continuously throughout the life-cycle of a system, so as to maintain a dynamic balance between safety and the often considerable pressures to meet production and efficiency goals.
• to revise and reframe the organization's assessment of the risks it faced and the effectiveness of its countermeasures against those risks as new evidence accumulates.

The organizational reforms proposed by the Columbia Accident Investigation Board try to meet these criteria, which makes this accident report the first to recommend a resilience strategy as a fundamental mechanism to prevent future failures.

Dilemmas of Safety Organizations

Using a resilience approach to safety, I provided some input to the Columbia Accident Investigation Board (CAIB) which seemed consistent with the Board's own analysis and recommendation directions. Later Congress, as NASA's supervisor, wanted to check on NASA's plans to implement the CAIB's recommendations, especially the modifications to NASA's safety office. Congressional staffers asked several people to comment on the changes. As background I circulated a draft of my input to the board (what later evolved into Woods, 2005a). The staffers were very interested in this perspective, but to my surprise asked a simple and challenging question - how does one design a safety organization to meet these criteria? I was caught completely off guard, but immediately recognized the centrality of the question.
Resilience engineering, if it is a meaningful and practical advance in safety management, should be able to specify the design of safety organizations as a work-a-day part of the organization's activities.

The staffers' question put me on the spot. As always when confronted with a conceptual surprise my mind shifted to a diagnostic search mode: why is the job of a safety organization hard? The resilience paradigm suggested organizations needed a mechanism that questions the organization's own model of the risks it faces and the countermeasures deployed. Such a 'fresh' or outside perspective is necessary for reframing in cognitive systems in general. A review and reassessment was necessary to help the organization find places where it has underestimated the potential for trouble and revise its approach to create safety. A quasi-independent group is needed to do this - independent enough to question the normal organizational decision making but involved enough to have a finger on the pulse of the organization (keeping statistics from afar is not enough to accomplish this).

Why is developing and maintaining this questioning role difficult and unstable? Because organizations are always under production pressure (though sometimes the pressure on these acute goals can be stronger or weaker), the dilemma for safety organizations is the problem of 'cold water and an empty gun.' Safety organizations, if they assess the organization's own models of how it is achieving safety, raise questions which stop progress on production goals - the 'cold water.' Yet when line organizations ask for help on how to address the factors that are eroding or reducing resilience, while still being realistic and responsive to the ever-present production constraints, the safety organization has little to contribute - the 'empty gun.' As a result, the safety organization fails to better balance the safety/production trade-off in the long run and tends to be shunted aside. In the short run and following a failure, the safety organization is emboldened to raise safety issues (sacrifice production goals), but as time flows on, the memory of the previous failure fades, production pressures dominate, and the drift processes operate unchecked (as has happened in NASA before Challenger and before Columbia, and can happen again).

From the point of view of managing resilience, a safety organization should monitor and dynamically re-balance the trade-off of production pressure and risk. The safety organization should see 'holes' in the organization's decision processes, reframe assessments of
how risky the organization has been acting, to question the organization's assumptions about how it creates safety. How could a safety organization be designed to meet these ambitious goals since these are rather difficult cognitive functions to support in any distributed systems? Even worse, in order to avoid the trap of 'cold water and empty guns,' I was in effect asking the leadership of an organization to authorize and independently fund a separate group whose role was to question those leaders' decisions and priorities.

And then, if the safety organization was authorized and provided with an independent set of significant resources, it was committed to offer positive action plans sensitive to the limited resources and larger pressures imposed from outside. To accomplish this requires a means for safety management to escape the fundamental paradox of production/safety conflicts: safety investments are most important when least affordable. It is precisely at points of intensifying production pressure and higher organizational tempo that extra investments are required in sources of resilience to keep production/safety trade-offs from sliding out-of-balance. What does Resilience Engineering offer as guidance to better balance this trade-off?

The 4 'I's of Safety Organizations: Independent, Involved, Informed, and Informative

At this point I had used a resilience perspective to provide common ground for an exchange on the dilemmas of safety organizations. But I was still on the spot and the staffers were insistent, how can safety organizations be designed to cope with these dilemmas? How did successful organizations confront these dilemmas?

To help organizations balance safety/production trade-offs, a safety organization needs the resources and authority to achieve independence, to be involved, informed and informative. My response was that safety organizations are successful when they:
• provide an independent voice that challenges conventional assumptions about safety risks within senior management,
• have constructive involvement in targeted but everyday organizational decision-making (for example, ownership of technical standards, waiver granting, readiness reviews, and anomaly definition),
• actively generate information about how the organization is actually operating and the vectors of change that influence how it will operate (informed),
• use information about weaknesses in the organization and the gap between work as imagined and work as practised in the organization to reframe and direct interventions (informative).

These four 'I's provide a simple mnemonic that concisely captures the difficulty in designing a safety organization: these four requirements are in conflict! At best, the relationship between the safety organization and senior/line management will be one of constructive tension. Safety organizations must achieve independence enough to question the normal organizational decision-making, provide a 'fresh' point of view, and help the parent organization discover its own blind spots. Challenging conventional assumptions of senior management limits the voice as fresh views bring unwelcome information and seem to distract from making definitive decisions or building support for current management plans. Inevitably, there will be periods where senior management tries to dominate the safety organization. The design of the organizational dynamics needs to provide the safety organization with the tools to resist these predictable episodes by providing funding directly and independent from headquarters. Similarly, to achieve independence, the safety leadership team needs to be chosen and accountable outside of the normal chain of command.

Safety organizations must be involved in enough everyday organizational activities to have a finger on the pulse of the organization and to be seen as a constructive participant in the organization's activities and decisions that affect the balance across safety and production goals. In general, safety organizations are at great risk of becoming information-limited as they can be shunted aside from real organizational decisions, kept at a distance from the actual work processes, and kept busy tabulating irrelevant counts when their activities are seen as a threat by line or by upper management (for example, the 'cold water' problem). Simply by being positioned to have a voice at the top can leave the safety organization quite disconnected from operations and exacerbate information limits. By being informed, the safety organization can be informative, and the strongest test of this
criterion is the ability to identify targets for investments to enhance aspects of resilience and to prioritize across these targets of opportunity. To be constructive, a safety organization needs to control a significant set of resources and have the authority to decide how to invest these resources to help line organizations increase resilience and enhance safety while accommodating production goals. For example, the safety organization could decide to invest and develop new anomaly response training and rehearsal programs when it detects holes in organizational decision-making processes. Involvement, balanced with independence, allows the safety organization to provide technical expertise and enhance coordination across the normal chain of command. In other words, the involvement focuses on creating effective overlap across different organizational units (even though such overlap can be seen as inefficient when the organization is under severe cost pressure).

Balancing the four 'I's means that a safety organization is more than an arm's length tabulator, does more than compile a trail of paperwork showing the organization meets requirements of 'safety' as defined by regulators or accreditors, is more than a cheerleader for past safety records, and more than a cost center that occasionally slows down normal production processes. Being involved and informed requires connections to the character and difficulties of operations (the evolving nature of technical work as captured e.g., in the studies in Nemeth, Cook & Woods, 2004). Being independent and informative requires a voice that is relevant and heard at the senior management level. By achieving each pair and making them mutually reinforcing, safety management becomes a proactive part of the normal conduct of the organization.

The safety organization's mission then is to monitor the organization's resilience including the ability to make targeted investments to restore resilience and reduce brittleness. In reaching for the four 'I's, the safety organization functions as a critical monitor of the gap between work as imagined and work as practised and generates tactics to reduce that gap. As a result, the safety organization becomes a contributor to all of the organization's goals - by enhancing resilience both safety and production are balanced and advance together as new capabilities arise and as the organization faces new pressures.

Safety as Analogous to Polycentric Management of Common Pool Resources

The analysis above and the four 'I's as a potential solution to the challenge case parallels analyses of how complex systems avoid the tragedy of the commons (Ostrom, 1990; 1999). The tragedy of the commons concerns shared physical resources (among the most studied examples of common pools are fisheries management and water resources for irrigation). The tragedy of the commons is a name for a baseline adaptive dynamic whereby the actors, by acting rationally in the short term to generate a return in a competitive environment, deplete or destroy the common resource on which they depend in the long run. In the usual description of the dynamic, participants are trapped in an adaptive cycle that inexorably overuses the common resource; thus, from a larger systems view the local actions of groups are counterproductive and lead them to destroy their livelihood or way of life in the long run.

Organizational analyses of accidents like Columbia seem to put production/safety trade-offs in a parallel position to tragedies of the commons. Despite organizations' attempts to design operations for high safety and the large costs of failures in money and in lives, line managers under production pressures make decisions that gradually eat away at safety margins, undermining the larger common goal of safety. In other words, maybe safety can be thought of as an abstract common pool resource analogous to a fishery. Or, alternatively, dilemmas that arise in managing physical common pool resources are a specific example of a general type of goal conflict where different groups are differentially responsible and affected by different sub-goals, even though there is one or only a couple of commonly held over-arching goals (Woods et al., 1994, Chapter 4).

Developing the analogy further, the standard view of how to manage common pool resources is to create a higher level of organization responsible for the resource over its entire range and over longer periods of time. This organization then needs authority to compel individuals or local groups to modify their behavior sacrificing short term return and autonomy in order for the higher level organization to analyze and plan behaviors that sustain or grow the resource over the long term - a command organization. Safety management theory often seems to make similar assumptions and
propose similar responses, i.e., a command structure is needed from regulators to companies or from management to line operations that takes a broader view and compels workers and line managers to modify behavior for a long term common good.

Ostrom (1999) reviews the empirical results on how people actually manage common pool resources and finds the standard view unsupported by the evidence. Basically, she found that overuse by local actors is not inevitable and that command style relationships across levels of organizations do not work well. Instead, she finds from research on co-adaptive systems that common pool resources can be effectively managed through polycentric governance systems. Polycentric systems provide for multiple levels of governance with overlapping authority in a dynamic balance but where there is no single governance center which directs or 'commands' unilaterally. Her synthesis of research identifies a variety of conditions and properties for polycentric management of common resources (such as cross-communication, shared norms, trust, and reciprocity; Ostrom, 2003).

The proposed four 'I's of safety organization design can then be seen as additional policy guidance for how to build effective polycentric management to balance multiple interacting goals. Achieving a dynamic balance across multiple centers of governance - some closer to the basic processes but with narrower field of view and scope of action and others farther removed but with larger fields of view and scopes of action, would seem to require a quasi-independent, intersecting organization that can cross connect these different levels of organization to be both informed and informative. By being outside a nominal chain of command, such groups can question and help revise assessments as evidence and situations change, as well as intervene with targeted investments to help resolve short term dilemmas (independent and involved).

Recent research on distributed cooperative systems made possible by new computer technology also seems to support the analogy, for example studies of the change to 'free flight' in managing the national air transport system support and extend Ostrom's findings (see Smith et al., 2004). The tools that have proved necessary to make collaboration work between air carriers and FAA authorities given new capabilities for communication at a distance and given the demands for adaptive behavior as congestion and weather change also provide other ideas for the design of polycentric management systems. Similarly,
studies of how military organizations delegate authority to adapt plans to surprising situations provide lessons that also can be applied to guide polycentric management (e.g., Woods & Shattuck, 2000).

The analogy suggests that findings from managing physical common pool resources and findings from how goal conflicts between safety versus production are resolved (Woods et al., 1994, chapter 4) may converge and mutually reinforce or stimulate each other. For example common pool research may benefit from examining the reframing processes which are central to the resilience approach to safety under different management structures.

Summary

Organizations in the future will balance the goals of both high productivity and ultra-high safety given the uncertainty of changing risks and certainty of continued pressure for efficient and high performance. This organization will be able to (a) find places where the organization itself has missed or underestimated the potential for trouble and revise its approach to create safety, (b) recognize when the side effects of production pressure may be increasing safety risks and, (c) develop the means to make targeted investments at the very time when the organization is most squeezed on resources and time.

To carry out this dynamic balancing act, a new safety organization will emerge - designed and empowered to be independent, involved, informed, and informative. The safety organization will use the tools of Resilience Engineering to monitor for 'holes' in organizational decision-making and to detect when the organization is moving closer to failure boundaries than it is aware. Together, these processes will create foresight about the changing patterns of risk before failure and harm occur.

Acknowledgements

This work was supported in part by grant NNA04CK45A from NASA Ames Research Center to develop resilience engineering concepts for managing organizational risk. I particularly thank the congressional staffers who provided an opportunity to review NASA's post-Columbia
reform plans and who challenged the concepts for achieving resilience. The ideas here benefited greatly from the inputs, reviews, and suggestions of my colleagues Geoff Mumford and Emily Patterson. The remaining gaps are my own.