Resilience Engineering: Concepts and Precepts

Edited by Erik Hollnagel, David D. Woods and Nancy Leveson

Hollnagel, Erik (Editor); Woods, David D. (Editor); Leveson, Nancy (Editor). Resilience Engineering: Concepts and Precepts. Abingdon, Oxon, GBR: Ashgate Publishing Group, 2006.

Chapter 19

How to Design a Safety Organization: Test Case for Resilience Engineering

David D. Woods

In the aftermath of the Columbia Space Shuttle accident (STS-107), the investigation board found evidence of an organizational accident as NASA failed to balance safety risks with intense production pressure (Gehman, 2003). Ironically, a previous investigation examining a series of failures in Mars exploration missions also focused on breakdowns in organizational decision-making in their recommendations (Stephenson et al., 2000). Both reports diagnosed a process where the pressure for production to be 'faster, better, cheaper', combined with poor feedback about eroding safety margins, led management inadvertently to accept riskier and riskier decisions. Woods (2005a) links these accident analyses to patterns derived from previous results and argues that organizational accidents represent breakdowns in the processes that produce resilience.

Balancing the competing demands for very high safety with real-time pressures for efficiency and production is very difficult. As pressure on acute efficiency and production goals intensifies, first, people working hard to cope with these pressures make decisions that consume or 'sacrifice' tasks related to chronic goals such as safety. As a result, safety margins begin to erode over time - buffering capacity decreases, system rigidity increases, the positioning of system performance relative to boundary conditions becomes more precarious (cf., Chapter 2). Second, when margins begin to erode as a natural response to production pressure, it is very difficult to see evidence of increasing or new risks. Processes that fragment information over organizational boundaries and that reduce cross-checks across diverse teams leave decision makers unable to recognize the big picture, that is, unable to reframe their situation assessment as evidence of a drift toward safety boundaries accumulates (until a failure occurs and with the benefit of hindsight the evidence of new dangers seems strong and unambiguous).

How do people detect that problems are emerging or changing when information is subtle, fragmented, incomplete or distributed across the different groups involved in production processes and in safety management? Many studies have shown how decision makers in evolving situations can get stuck in a single problem frame and miss or mis-interpret new information that should force re-evaluation and revision of the situation assessment (e.g., Johnson et al., 2001; Patterson et al., 2001). A recent synthesis of research on problem detection by professional decision makers (Klein et al., 2005) found that reframing is a critical but difficult skill. Reframing starts with noticing initial signs that call into question ongoing models, plans and routines. How do these discrepancies lead people to question the current frame? When do they become suspicious that the current interpretation of events is incomplete and perhaps incorrect? The initial signs are always uncertain and open to other interpretations. These indicators can easily be missed or rationalized away rather than lead to questioning and revision of the current frame.
For example, studies have shown that a skilled weather forecaster comes in to work searching for the problems of the day, which comprise the unsettled parts of the scene that will need to be closely monitored (Pliske et al., 2004). In other words, the expert adopts a highly suspicious stance to notice and pursue small discrepancies despite the workload pressures and attentional demands. Less-skilled forecasters are much more reactive given other demands and do not reserve time to pursue these small (usually unimportant) discrepancies. As this example indicates, factors related to expertise, workload, and attentional focus can all contribute to a tendency to become stuck in a single view or frame, even as evidence is accumulating that suggests alternate situation assessments (Klein et al., 2005).

A resilience perspective on accidents such as Columbia allows one to step away from linear causal analyses that become stuck on the proximal events in themselves, on red herrings such as human error, or vague 'root causes' such as communication. Major accidents, like Columbia, are late indicators of a system that became brittle over time, of a safety management process that could not see the increasing brittleness, and of safety management that was in no position to help line management respond to increasing brittleness. As a result, failures of safety management in the face of pressure to be 'faster, better, cheaper' reveal that more effective techniques should provide the ability:
• to detect when safety margins are eroding over time (monitor operating points relative to boundaries as noted in Cook & Rasmussen, 2003), in particular, to monitor the organization's model of itself - the risk that the organization is choosing to operate nearer to safety boundaries than it realizes.
• to monitor risk continuously throughout the life-cycle of a system, so as to maintain a dynamic balance between safety and the often considerable pressures to meet production and efficiency goals.
• to revise and reframe the organization's assessment of the risks it faced and the effectiveness of its countermeasures against those risks as new evidence accumulates.

The organizational reforms proposed by the Columbia Accident Investigation Board try to meet these criteria, which makes this accident report the first to recommend a resilience strategy as a fundamental mechanism to prevent future failures.

Dilemmas of Safety Organizations

Using a resilience approach to safety, I provided some input to the Columbia Accident Investigation Board (CAIB) which seemed consistent with the Board's own analysis and recommendation directions. Later Congress, as NASA's supervisor, wanted to check on NASA's plans to implement the CAIB's recommendations, especially the modifications to NASA's safety office. Congressional staffers asked several people to comment on the changes. As background I circulated a draft of my input to the board (what later evolved into Woods, 2005a).
The staffers were very interested in this perspective, but to my surprise asked a simple and challenging question - how does one design a safety organization to meet these criteria? I was caught completely off guard, but immediately recognized the centrality of the question. Resilience engineering, if it is a meaningful and practical advance in safety management, should be able to specify the design of safety organizations as a work-a-day part of the organization's activities.

The staffers' question put me on the spot. As always when confronted with a conceptual surprise my mind shifted to a diagnostic search mode: why is the job of a safety organization hard? The resilience paradigm suggested organizations needed a mechanism that questions the organization's own model of the risks it faces and the countermeasures deployed. Such a 'fresh' or outside perspective is necessary for reframing in cognitive systems in general. A review and reassessment was necessary to help the organization find places where it has underestimated the potential for trouble and revise its approach to create safety. A quasi-independent group is needed to do this - independent enough to question the normal organizational decision making but involved enough to have a finger on the pulse of the organization (keeping statistics from afar is not enough to accomplish this).

Why is developing and maintaining this questioning role difficult and unstable? Because organizations are always under production pressure (though sometimes the pressure on these acute goals can be stronger or weaker), the dilemma for safety organizations is the problem of 'cold water and an empty gun.'
Safety organizations, if they assess the organization's own models of how it is achieving safety, raise questions which stop progress on production goals - the 'cold water.' Yet when line organizations ask for help on how to address the factors that are eroding or reducing resilience, while still being realistic and responsive to the ever-present production constraints, the safety organization has little to contribute - the 'empty gun.' As a result, the safety organization fails to better balance the safety/production tradeoff in the long run and tends to be shunted aside. In the short run and following a failure, the safety organization is emboldened to raise safety issues (sacrifice production goals), but as time flows on, the memory of the previous failure fades, production pressures dominate, and the drift processes operate unchecked (as has happened in NASA before Challenger and before Columbia, and can happen again).

From the point of view of managing resilience, a safety organization should monitor and dynamically re-balance the trade-off of production pressure and risk. The safety organization should see 'holes' in the organization's decision processes, reframe assessments of how risky the organization has been acting, to question the organization's assumptions about how it creates safety. How could a safety organization be designed to meet these ambitious goals since these are rather difficult cognitive functions to support in any distributed systems?

Even worse, in order to avoid the trap of 'cold water and empty guns,' I was in effect asking the leadership of an organization to authorize and independently fund a separate group whose role was to question those leaders' decisions and priorities.
And then, if the safety organization was authorized and provided with an independent set of significant resources, it was committed to offer positive action plans sensitive to the limited resources and larger pressures imposed from outside.

To accomplish this requires a means for safety management to escape the fundamental paradox of production/safety conflicts: safety investments are most important when least affordable. It is precisely at points of intensifying production pressure and higher organizational tempo that extra investments are required in sources of resilience to keep production/safety trade-offs from sliding out-of-balance. What does Resilience Engineering offer as guidance to better balance this trade-off?

The 4 'I's of Safety Organizations: Independent, Involved, Informed, and Informative

At this point I had used a resilience perspective to provide common ground for an exchange on the dilemmas of safety organizations. But I was still on the spot and the staffers were insistent, how can safety organizations be designed to cope with these dilemmas? How did successful organizations confront these dilemmas?

To help organizations balance safety/production trade-offs, a safety organization needs the resources and authority to achieve independence, to be involved, informed and informative. My response was that safety organizations are successful when they:

• provide an independent voice that challenges conventional assumptions about safety risks within senior management,
• have constructive involvement in targeted but everyday organizational decision-making (for example, ownership of technical standards, waiver granting, readiness reviews, and anomaly definition),
• actively generate information about how the organization is actually operating and the vectors of change that influence how it will operate (informed),
• use information about weaknesses in the organization and the gap between work as imagined and work as practised in the organization to reframe and direct interventions (informative).

These four 'I's provide a simple mnemonic that concisely captures the difficulty in designing a safety organization: these four requirements are in conflict! At best, the relationship between the safety organization and senior/line management will be one of constructive tension.

Safety organizations must achieve independence enough to question the normal organizational decision-making, provide a 'fresh' point of view, and help the parent organization discover its own blind spots. Challenging conventional assumptions of senior management limits the voice as fresh views bring unwelcome information and seem to distract from making definitive decisions or building support for current management plans. Inevitably, there will be periods where senior management tries to dominate the safety organization. The design of the organizational dynamics needs to provide the safety organization with the tools to resist these predictable episodes by providing funding directly and independent from headquarters. Similarly, to achieve independence, the safety leadership team needs to be chosen and accountable outside of the normal chain of command.

Safety organizations must be involved in enough everyday organizational activities to have a finger on the pulse of the organization and to be seen as a constructive participant in the organization's activities and decisions that affect the balance across safety and production goals. In general, safety organizations are at great risk of becoming information-limited as they can be shunted aside from real organizational decisions, kept at a distance from the actual work processes, and kept busy tabulating irrelevant counts when their activities are seen as a threat by line or by upper management (for example, the 'cold water' problem). Simply by being positioned to have a voice at the top can leave the safety organization quite disconnected from operations and exacerbate information limits.

By being informed, the safety organization can be informative, and the strongest test of this criterion is the ability to identify targets for investments to enhance aspects of resilience and to prioritize across these targets of opportunity. To be constructive, a safety organization needs to control a significant set of resources and have the authority to decide how to invest these resources to help line organizations increase resilience and enhance safety while accommodating production goals. For example, the safety organization could decide to invest and develop new anomaly response training and rehearsal programs when it detects holes in organizational decision-making processes.

Involvement, balanced with independence, allows the safety organization to provide technical expertise and enhance coordination across the normal chain of command.
In other words, the involvement focuses on creating effective overlap across different organizational units (even though such overlap can be seen as inefficient when the organization is under severe cost pressure).

Balancing the four 'I's means that a safety organization is more than an arm's length tabulator, does more than compile a trail of paperwork showing the organization meets requirements of 'safety' as defined by regulators or accreditors, is more than a cheerleader for past safety records, and more than a cost center that occasionally slows down normal production processes. Being involved and informed requires connections to the character and difficulties of operations (the evolving nature of technical work as captured e.g., in the studies in Nemeth, Cook & Woods, 2004). Being independent and informative requires a voice that is relevant and heard at the senior management level. By achieving each pair and making them mutually reinforcing, safety management becomes a proactive part of the normal conduct of the organization.

The safety organization's mission then is to monitor the organization's resilience including the ability to make targeted investments to restore resilience and reduce brittleness. In reaching for the four 'I's, the safety organization functions as a critical monitor of the gap between work as imagined and work as practised and generates tactics to reduce that gap. As a result, the safety organization becomes a contributor to all of the organization's goals - by enhancing resilience both safety and production are balanced and advance together as new capabilities arise and as the organization faces new pressures.

Safety as Analogous to Polycentric Management of Common Pool Resources

The analysis above and the four 'I's as a potential solution to the challenge case parallels analyses of how complex systems avoid the tragedy of the commons (Ostrom, 1990; 1999). The tragedy of the commons concerns shared physical resources (among the most studied examples of common pools are fisheries management and water resources for irrigation). The tragedy of the commons is a name for a baseline adaptive dynamic whereby the actors, by acting rationally in the short term to generate a return in a competitive environment, deplete or destroy the common resource on which they depend in the long run. In the usual description of the dynamic, participants are trapped in an adaptive cycle that inexorably overuses the common resource; thus, from a larger systems view the local actions of groups are counterproductive and lead them to destroy their livelihood or way of life in the long run.

Organizational analyses of accidents like Columbia seem to put production/safety trade-offs in a parallel position to tragedies of the commons. Despite organizations' attempts to design operations for high safety and the large costs of failures in money and in lives, line managers under production pressures make decisions that gradually eat away at safety margins, undermining the larger common goal of safety. In other words, maybe safety can be thought of as an abstract common pool resource analogous to a fishery.
Or, alternatively, dilemmas that arise in managing physical common pool resources are a specific example of a general type of goal conflict where different groups are differentially responsible and affected by different sub-goals, even though there is one or only a couple of commonly held over-arching goals (Woods et al., 1994, Chapter 4).

Developing the analogy further, the standard view of how to manage common pool resources is to create a higher level of organization responsible for the resource over its entire range and over longer periods of time. This organization then needs authority to compel individuals or local groups to modify their behavior sacrificing short term return and autonomy in order for the higher level organization to analyze and plan behaviors that sustain or grow the resource over the long term - a command organization. Safety management theory often seems to make similar assumptions and propose similar responses, i.e., a command structure is needed from regulators to companies or from management to line operations that takes a broader view and compels workers and line managers to modify behavior for a long term common good.

Ostrom (1999) reviews the empirical results on how people actually manage common pool resources and finds the standard view unsupported by the evidence. Basically, she found that overuse by local actors is not inevitable and that command style relationships across levels of organizations do not work well. Instead, she finds from research on co-adaptive systems that common pool resources can be effectively managed through polycentric governance systems.
Polycentric systems provide for multiple levels of governance with overlapping authority in a dynamic balance but where there is no single governance center which directs or 'commands' unilaterally. Her synthesis of research identifies a variety of conditions and properties for polycentric management of common resources (such as cross-communication, shared norms, trust, and reciprocity; Ostrom, 2003).

The proposed four 'I's of safety organization design can then be seen as additional policy guidance for how to build effective polycentric management to balance multiple interacting goals. Achieving a dynamic balance across multiple centers of governance - some closer to the basic processes but with narrower field of view and scope of action and others farther removed but with larger fields of view and scopes of action, would seem to require a quasi-independent, intersecting organization that can cross connect these different levels of organization to be both informed and informative. By being outside a nominal chain of command, such groups can question and help revise assessments as evidence and situations change, as well as intervene with targeted investments to help resolve short term dilemmas (independent and involved).

Recent research on distributed cooperative systems made possible by new computer technology also seems to support the analogy, for example studies of the change to 'free flight' in managing the national air transport system support and extend Ostrom's findings (see Smith et al., 2004). The tools that have proved necessary to make collaboration work between air carriers and FAA authorities given new capabilities for communication at a distance and given the demands for adaptive behavior as congestion and weather change also provide other ideas for the design of polycentric management systems. Similarly, studies of how military organizations delegate authority to adapt plans to surprising situations provide lessons that also can be applied to guide polycentric management (e.g., Woods & Shattuck, 2000).

The analogy suggests that findings from managing physical common pool resources and findings from how goal conflicts between safety versus production are resolved (Woods et al., 1994, chapter 4) may converge and mutually reinforce or stimulate each other. For example common pool research may benefit from examining the reframing processes which are central to the resilience approach to safety under different management structures.

Summary

Organizations in the future will balance the goals of both high productivity and ultra-high safety given the uncertainty of changing risks and certainty of continued pressure for efficient and high performance. This organization will be able to (a) find places where the organization itself has missed or underestimated the potential for trouble and revise its approach to create safety, (b) recognize when the side effects of production pressure may be increasing safety risks and, (c) develop the means to make targeted investments at the very time when the organization is most squeezed on resources and time.

To carry out this dynamic balancing act, a new safety organization will emerge - designed and empowered to be independent, involved, informed, and informative.
The safety organization will use the tools of Resilience Engineering to monitor for 'holes' in organizational decision-making and to detect when the organization is moving closer to failure boundaries than it is aware. Together, these processes will create foresight about the changing patterns of risk before failure and harm occur.

Acknowledgements

This work was supported in part by grant NNA04CK45A from NASA Ames Research Center to develop resilience engineering concepts for managing organizational risk. I particularly thank the congressional staffers who provided an opportunity to review NASA's post-Columbia reform plans and who challenged the concepts for achieving resilience. The ideas here benefited greatly from the inputs, reviews, and suggestions of my colleagues Geoff Mumford and Emily Patterson. The remaining gaps are my own.