1
Introduction – On Resilience

The world suffered vicariously as firefighters entered the towers and never returned. We imagined ourselves as passengers on United 93 as it plunged toward a field in Pennsylvania. We felt the temperatures rise as the Columbia space shuttle’s tiles peeled away. In New Orleans we saw waters break through the levees and flood our houses and waited in vain for help to come.

And yet, the persistent question remains: could all these calamities have been prevented; or worse would it have been possible to survive and recover from them and continue functioning? And furthermore, whose fault was it? Was it bad design, or a cultural problem, or management, or politics, or something else? The answer is “yes” to all these questions. And the approach to disaster avoidance, survival, and recovery from such disruptions requires that expertise from a multitude of disciplines be executed to an unprecedented degree. Hence, these three elements, accident avoidance, survival, and recovery, constitute what has come to be called resilience. These three elements will be discussed later.

The opposite of resilience is called brittleness. One of the challenges of research is to determine ways to find out when a system is “drifting” toward brittleness. What can be measured? What can be observed? And, most importantly, what can be done to stop the drift toward brittleness?

The purpose of this book is to answer these questions within an integrated framework. To create this integrated framework many factors are brought together: management and technical functions should be considered a single interconnected discipline. Other disciplines, such as organizational psychology, are brought into the mix. The distinctions among human, software, and hardware systems are erased. In this chapter, infrastructure defines an infrastructure system that encompasses all relevant organizations. Finally, to create systems that are resilient to and survive major disruptions requires considerations far beyond current-day practices that might be considered just good engineering. This framework extends beyond the breadth currently envisioned in most academic, government, and industrial institutions. However, the expectation is that these practices will be incorporated into all aspects of system development wherever it may be needed.

1.1 The Multidisciplinary Challenge

We live in a world of specialists. Even the family doctor has a limited understanding of what the cardiologist does. There are very few Renaissance men like Leonardo. But even more to the point, the gulf between artists, psychologists, managers, and scientists is enormous. Resilience demands Renaissance men and women who are at once practitioners of multidisciplinarity and transdisciplinarity. The multidisciplinary nature of system resilience makes it clear that system resilience is not another specialty, but rather a collaborative effort among many specialties, both technical and non-technical.

Nicolescu (2005), (Chapter 1 On Resilience: The War of Disciplines) describes multidisciplinarity as using several disciplines to enhance the topic in question. The bringing together of management and technical capabilities satisfies this definition. Transdisciplinarity, on the other hand, according to Nicolescu, “concerns that which is at once between the disciplines, across the different disciplines, and beyond all disciplines.” Performing the risk management process and addressing the psychological paradigm of risk aversion appear to fall in this category. Jackson (2007) focuses on the multidisciplinary aspects of system resilience.

Researchers all over the world, such as the Resilience Engineering Network, are studying system resilience. Hollnagel et al. (2006) is an example of the products of the Resilience Engineering Network. They are a unique group. There are engineers, psychologists, sociologists, physicians, and other specialists. They all have one thing in common: an interest in solving the mysteries of resilience and a new discipline of resilience engineering. Could Chernobyl have been prevented? If not, how could anyone survive such an event? These experts all agree on one point: that the answer to this question does not lie solely in engineering expertise, but rather in a broad range of interconnected disciplines, both technical and human. In addition, the study of resilience has attracted the attention of the legal profession. The George Mason School of Law has instituted the critical infrastructure protection (CIP) Program. The CIP report (2007) provides an in-depth study of the benefits of a resilience approach versus the traditional protection approach.

These researchers come with many ideas, and there is not yet a consensus among them on many points. This book will summarize many of those ideas and the ideas among the specialists.

The one principle that they all agree on is that resilience to disaster and survival of disruptions are not purely technical subjects. In the early days of space flight many failures could be traced to technical causes. That is, a system would fail due to unreliable components. Today such failures are largely under control. However, systems continue to fail due to causes beyond the technical. The Caltech physicist Richard Feynman (1988) had asked National Aeronautics and Space Administration (NASA) management what they thought the probability of failure was for a space shuttle. They replied, relying on reliability analysis, that it was about 1 in 100,000. Working engineers put the number at about 1 in 100. Range safety experts estimated the number to be 1 in 25. History has shown that the latter numbers were closer to the truth. In short, the disparity in these estimates demonstrates that Feynman appeared to understand that the causes of catastrophe were far beyond technical considerations, at least as presently understood in the engineering community.

1.2 The Concept of the System

Whenever two or more things act together to achieve a common purpose, you have a system. A mousetrap is a system; the government is a system; a troop of Girl Scouts is a system; a chemical power plant is a system. If all the parts of the system do not work properly, the whole system may fail. The concept of the system is discussed in Chapter 1, On Resilience.

1.3 The Paradox of Humans in the System

To understand and design for resilience the role of the human needs to be understood. Humans are not simply operators of the system, like pilots. Nor are they simply maintainers of the system, like aircraft mechanics. They are not only producers of the system, like factory workers. They are not simply designers of the system, like engineers. All of the above are parts of the system. Sometimes, humans constitute the entire system itself, such as a troop of soldiers. These are called human systems. Some human systems, such as hospitals, have hardware and software components, such as X-ray machines and other test equipment. However, the predominant elements are human, such as doctors, nurses, and other staff members. For these types of systems, the term human-intensive systems applies.

Many researchershave studied humans within an organizational context. However, the design rules of human systems can best be determined by the attributes, laws, and techniques discussed in Chapter 6. Techniques are the design rules of systems architecting, as described by Rechtin (1991), rather than verifiable requirements as in the traditional systems approach. Nor is there a way to test the humans in all possible scenarios to determine if they perform correctly. There are ways to reduce human error, such as training. Nevertheless, human actions may be highly unpredictable leading to unpredictable outcomes. These outcomes are a result of Type A disruptions – that is, disruptions due to degradation of function, capability, or capacity, to be discussed later in Chapter 1.6 Disruptions. The saving grace of humans is that they are adaptable and can sometimes create solutions not even imagined by the designers. An example is the restoration of electrical power in New York after the attack on the twin towers as described in Chapter 7, Case Studies.

In any discussion of humans the question of human error always arises. This is a subject about which there is abundant misunderstanding. This issue is particularly important in the health care domain. That is to say, human errors are systemic in nature and cannot wholly be blamed on individuals. As an example, Reason (1990, p. 173) makes the following statement with regard to human error:

“Rather than being the main instigators of an accident, operators tend to be the inheritors of system defects created by poor design, incorrect installation, faulty maintenance, and bad management decisions. Their part is usually that of adding the final garnish to a lethal brew whose ingredients have already been long in the cooking.”

Later under Chapter 1.6 Disruptions, this chapter describes human error as a source of disruptions, that is, events that can lead to disaster. Hence, the inevitable conclusion is that the pilot of the aircraft in the Nagoya incident described in Chapter 7, Case Histories, might not have made the fatal mistake if the appropriate features had been designed into his aircraft. Chapter 6, Techniques, describes these features as adaptable and agile. Nevertheless, Rooney et al. conclude that...