Resilience engineering has since 2004 attracted widespread interest from industry as well as academia. Practitioners from various fields, such as aviation and air traffic management, patient safety, off-shore exploration and production, have quickly realised the potential of resilience engineering and have became early adopters. The continued development of resilience engineering has focused on four abilities that are essential for resilience. These are the ability a) to respond to what happens, b) to monitor critical developments, c) to anticipate future threats and opportunities, and d) to learn from past experience - successes as well as failures. Working with the four abilities provides a structured way of analysing problems and issues, as well as of proposing practical solutions (concepts, tools, and methods). This book is divided into four main sections which describe issues relating to each of the four abilities. The chapters in each section emphasise practical ways of engineering resilience and feature case studies and real applications. The text is written to be easily accessible for readers who are more interested in solutions than in research, but will also be of interest to the latter group.

Frequently asked questions

Simply head over to the account section in settings and click on “Cancel Subscription” - it’s as simple as that. After you cancel, your membership will stay active for the remainder of the time you’ve paid for. Learn more here.

At the moment all of our mobile-responsive ePub books are available to download via the app. Most of our PDFs are also available to download and we're working on making the final remaining ones downloadable now. Learn more here.

Both plans give you full access to the library and all of Perlego’s features. The only differences are the price and subscription period: With the annual plan you’ll save around 30% compared to 12 months on the monthly plan.

We are an online textbook subscription service, where you can get access to an entire online library for less than the price of a single book per month. With over 1 million books across 1000+ topics, we’ve got you covered! Learn more here.

Look out for the read-aloud symbol on your next book to see if you can listen to it. The read-aloud tool reads text aloud for you, highlighting the text as it is being read. You can pause it, speed it up and slow it down. Learn more here.

Yes, you can access Resilience Engineering in Practice by Jean Pariès, John Wreathall, Erik Hollnagel in PDF and/or ePUB format, as well as other popular books in Technology & Engineering & Industrial Health & Safety. We have over one million books available in our catalogue for you to explore.

Information

Publisher

CRC Press

Year

2017

ISBN

9781317065258

Edition

Topic

Technology & Engineering

Subtopic

Industrial Health & Safety

Index

Technology & Engineering

PART 1

Dealing with the Actual

Chapter 1

Resilience and the Ability to Respond

Jean Pariès

Resilience in ‘Real Time’

In this first section, the emphasis is on the ability of an organisation or a system to ‘deal with the actual,’ that is, to respond to the demands of the current situation—a disrupting situation. At the ‘sharp end’ of the system, ‘responding to the situation’ includes assessing the situation, knowing what to respond to, finding or deciding what to do, and when to do it. The readiness to respond mainly relies on two strategies. The first—and proactive one—is to anticipate the potential disruptive situations and predefine ready-for-use solutions (e.g., abnormal or emergency procedures, specific reaction skills, crisis response plans, and so on). The second—and reactive one—is to generate, create, invent, or derive ad hoc solutions.

To put it differently, this section is about ‘real time’ resilience, but from a synchronic as well as diachronic perspective. Indeed, at the ‘blunt end’ of the system (i.e., the domain of designers, managers or trainers), issues related to ‘real time resilience’ include how to ensure that the required resources (people, competence, equipment) are available or can be established in time. Hence a more complete question would be how to establish (now) and maintain (tomorrow) a readiness to respond (at any time in the future). While the three chapters in this section focus on the ‘readiness to respond,’ they also tackle some issues related to establishing and maintaining that readiness. Each of them presents a practical case taken from a specific domain: commercial aviation, anaesthesia, and rescue services. Beyond their obvious difference of perspective and domain, they share similar underlying theoretical questions. The first of these is the relationship between resilience and anticipation, which also runs throughout other chapters of this book.

Readiness and Anticipation

At first glance, the role of anticipation is both obvious and simple: things go better when they have been anticipated. In Lessons from the Hudson (Chapter 2 this volume), the author revisits the successful ditching of US Airways Flight 1549 into the Hudson River in 2009. He describes a ‘defence in depth’ strategy against the anticipated bird hazard, engineered into the aviation system: the first line of defense is to minimise the frequency of bird strikes, the second is to assure the ability of the aircraft and its engines to withstand hitting some birds without damage, and so on. The last line of defense is the ability of the crew-aircraft system to land on unprepared terrain or ditch with minimum damage after a total loss of power, and to evacuate passengers safely. Clearly, the fact that the aviation system had anticipated a total engine failure greatly contributed to survivability in the Hudson River event. The aircraft design allowed the crew to keep some control of the flight path, dual engine failure and ditching procedures were available, and the crew had been trained in emergency evacuation. However, while fully anticipated at the aviation system level, a dual engine failure is an extremely remote event at the scale of a pilot’s professional life, and its occurrence came as a total surprise for the crew. This highlights that anticipation is not something that is uniformly distributed throughout a large system. The global system may anticipate occurrences that are too rare to be even thought of at local scales, while local operators will anticipate situations that are much too detailed to be tackled at a larger scale. This raises the issue of the coupling between the different levels of organisation within a system, what Woods (2006a) calls ‘cross-scale interactions.’ We will come back to this later.

In Chapter 3, Cuvelier and Falzon discuss how anaesthetists manage critical situations. They show that practitioners anticipate a specific range of ‘potential variability’ before each operation, prepare the necessary responses and resources, and feel that they are in control as long as the ‘unexpected’ events stay within the boundaries of this area. When an event falls outside this area (mostly because of equipment failures or cooperation problems with the surgical team), the first challenge is to recognise it as such and anaesthetists found themselves with problems in most cases either having to identify and understand the situation or implement appropriate responses under very tight time constraints. Consequently, the authors differentiate ‘unexpected’ events according to the nature of the related surprise. They classify events as ‘potential situations’ when they had been envisaged by the anaesthetists before the operation (while of course not expected to happen at this time and place), and as ‘unthought-of situations’ when they had not been envisaged at all, similar to the ‘unprecedented events’ of Westrum’s (2006) classification. In nine of the thirteen so-called unthought-of situations, the anaesthetists called on colleagues for help. The authors see these decisions to call on additional resources (particularly to call on colleagues) as the observable sign of a shift from controlled to crisis situations. They argue that resilience lies in the operator’s ability, not only to detect, but also to accept—and literally ‘decide’—that the system has breached the boundaries of potential variability. This is a key point; a crucial condition for maintaining and/or recovering control is indeed the ability to detect, recognise and accept that the situation is beyond what had been imagined by the operators on the basis of their experience envelope. Many accidents can be understood as the result of a failure to recognise/accept an excursion of the real situation outside the range of anticipated variations, leading to a continuation of the current (and then de-adapted) strategies.

This also suggests a more complex relationship between resilience and anticipation. It links resilience not only to the anticipation of what may happen, but also to the anticipation of coping capacities. This implies the monitoring of the current degree of control of the situation, and the prediction of the future level of control. As Woods puts it in Chapter 9 ‘To be resilient, a system always keeps an eye on whether its adaptive capacity, as it currently is configured and performs, is adequate to meet the demands it will or could encounter in the future.’ And because the adaptive capacity includes anticipation, we have a recursive relation, namely that resilience also implies anticipation of future anticipation capacities. This is illustrated by the US Airways Flight 1549 captain’s decision not to attempt to return to an airport, because such a decision would have engaged an irreversible course of action, with a total loss of control and inescapable catastrophic consequences if wrongly taken. This idea of constantly monitoring the future marges de manoeuvre and adapting the current state of affairs to protect these margins is also present in the background of what Bergström and his colleagues (Chapter 4 this volume) address in their experiment for ‘Training organisational resilience in escalating situations.’ They outline a theoretical framework of ‘Generic Competencies in Management of Escalating Situations,’ which includes the ability to constantly monitor whether the organisation is suited to manage the situation at hand, and the ability to constantly monitor and update the process by which the escalating situation is managed.

Being Prepared to Be Unprepared

However, the conditions for resilience cannot be reduced to anticipation. While things that happen are controllable only if they have been anticipated to some extent, they will never have been anticipated in every detail. Hence, resilience implies a combination of readiness and creativity, and of anticipation and serendipity. Or, to put it differently, a resilient system must be both prepared, and be prepared to be unprepared. There is an explicit double bind in this last sentence that goes beyond a play on words. In the Hudson case study, the author shows that anticipating strategies at the system level in aviation can lead to a paradoxical result of generating unprepared operators. Building on Mintzberg’s (1996) idea of ‘predetermination fallacy,’ he suggests that there may be an ‘irony of resilience’ in the fact that the real time competences needed to cope with unanticipated or extreme events are exactly those that are lost in the continuous attempt to anticipate all events and to pre-determine corresponding responses. This raises at least two issues.

The first one is the relationship between training and ‘fundamental surprise’ situations (Lanir, 1986). At first glance, it seems paradoxical to want to train people for something unimagined. How can one possibly train for such situations? In ‘Lessons from the Hudson’ (see also Pariès and Amalberti, 2000), the author argues that it is possible indeed. However, the efficiency conditions (Dekker et al., 2008), including emotional and cognitive fidelity simulation of ‘real surprise’ are not met by the current aviation training system. One reason may be the dominant aviation safety paradigm which assumes that flight operations can be entirely specified by procedures that consequently must be fully adhered to by crews (cf., Chapter 18). Bergström and his colleagues also believe it is possible (Chapter 4); they designed scenarios aiming at training generic team competencies, rather than domain-specific skills representing pre-defined responses. They experimentally show the potential benefits of such training programs in a class of trainees to become incident commanders in rescue services.

The second issue is the relationships between resilience features engineered into the system as a whole, and resilience features of the local components or agents of the system (e.g., front line operators). Resilience at the global system level can be seen as a property emerging from the interactions of individual agents’ behaviors, while at the same time, resilience at the individual behavior level at least partially is an outcome of the global system design. So, ‘real time resilience’ is generated through both a bottom-up and a top-down process. Woods (2006) refers to ‘downward and upward resilience’ to describe these interrelated and complex processes. Here we will only discuss the risk that anticipating strategies at the system level may generate unprepared operators. One way to help overcome this apparent double-bind is to adapt the level of functional abstraction of the prepared responses to match the level of uncertainty associated with the anticipated situation. In the Hudson River ditching case, every time the next line of the ‘defence in depth’ is breached, the uncertainty increases: the situation gets more improbable and less controllable. At each stage, the prepared responses shift from concrete and detailed to abstract and generic, the procedures shift from accurate and detailed action oriented protocols to a generic, goal-oriented response framework.

Adapted or Adaptive?

However, it would be naïve to pretend that merely adapting the level of functional abstraction of the prepared responses can solve the potential contradiction between anticipation and serendipity. In his theory of cognitive adaptation, Piaget (1967) argued that it included the two processes of assimilation and accommodation. Assimilation ‘filters’ the world to make it fit to individual mental structures. Accommodation works in the opposite direction: it modifies the filter (one’s mental structures) to fit to the demands of the environment. Assimilation is mainly supported by homeostatic routines, while accommodation requires self-modification of existing schemes triggered, for instance, by cognitive dissonance. Similarly, the adaptive capacity of a system derives from its permanent under-adaptation (dissonance), which creates the tension for adaptation. Indeed, a complex system is necessarily partially ‘out of tune’ regarding its environment. Implementing its adaptation capacities to fit internal and external changes increases its spectrum of potential behavior, which momentarily provides the solutions to match the new needs (adaptation), while it increases the adaptation repertoire, and generates new exploration capacities, which will eventually expose the system to face new situations, and new challenges (de-adaptation). Finally, all this boils down to the optimality/brittleness trade-off constraining the behavior of any complex adaptive system (Doyle, 2000). Such a system cannot be at the same time totally adapted to its environment (optimally performing) and able to cope with disruptive changes in that environment (resilient). Adapted or adaptive, an inescapable choice has to be made.

Chapter 2

Lessons from the Hudson

Jean Pariès

Things that have never happened before happen all the time.

Scott D. Sagan (The Limits of Safety)

The successful ditching of US Airways Flight 1549 into the Hudson River (15th January 2009) shows an implementation of the ‘strategic resilience’ engineered into the aviation system – in this case, the multiple layers of ‘defence in depth’ set up by to manage a total engine failure in the context of bird ingestion. Each move through one line of defence to the next is like a tactical retreat, in which sights are lowered and sacrificing decisions are made, in order to save what can be saved. At each stage, the situation gets more improbable, more variable and less controllable; the probability and potential magnitude of damage are increasing; the response options are more restricted, harder to anticipate, more constrained by time, and less reversible. So the ‘tactical retreat’ is also a shift from adaptation to de-adaptation. Hence resilience implies a combination of anticipation and serendipity: a resilient system must be both prepared and prepared to be unprepared. But there may be a negative interference between anticipation and serendipity, leading to an ‘irony of resilience’: the ‘real time’ competences needed to cope with unanticipated or extreme events at the ‘sharp end’ are exactly those which are lost in the continuous attempt to anticipate all events and to pre-determine corresponding responses at the system level. So there is a tradeoff between efficiency (linked to the degree of adaptation of a system) and flexibility (linked to the adaptation bandwidth of a system).

Miracle on the Hudson River?

Many readers will probably remember the breathtaking images of the US Airways Flight 1549 ditched into the Hudson River, in New York, on 15th January 2009, with the passengers standing on the wings of the floating airliner. The entire crew was awarded, among other honours, the Master’s Medal of the Guild of Air Pilots and Air Navigators (GAPAN). The GAPAN citation read: ‘This emergency ditching and evacuation, with the loss of no lives, is a heroic and unique aviation achievement.’ Statistically, the event was indeed rare. There have been only very few documented occurrences of controlled ditching by commercial public transport aircraft. And it appears that prior to our recent US Flight 1549, only one known ditching of a passenger jet had been managed without fatalities (in St Petersburg, Russia, in 1963, an Aeroflot Tu124 jet ran out of fuel during an emergency and landed on the Neva River. All 52 people aboard survived and the jet was towed to shore).

So was the Hudson River successful ditching a miracle, a h...

Cover
Half Title
Title Page
Copyright Page
Table of Contents
List of Figures
List of Tables
List of Contributors
PART I DEALING WITH THE ACTUAL
PART II DEALING WITH THE CRITICAL
PART III DEALING WITH THE POTENTIAL
PART IV DEALING WITH THE FACTUAL
Epilogue: RAG – The Resilience Analysis Grid by Erik Hollnagel
Bibliography
Author Index
Subject Index