"Symposium on Analysis, Design, and Evaluation of Human-Machine Systems" - August 11-15 2013
Sociotechnical systems resilience: a dissonance engineering point of view
Jean-René Ruault, Frédéric Vanderhaegen, Christophe Kolski
Summary
• Running outside the specified domain
• About resilience
• About dissonance engineering
• Proposition: dissonance management for resilient systems design
• Railway case study
• Conclusion and perspectives
Context, train crashes
• Lac-Mégantic (Canada), 6 July 2013
  • 50 dead
• Brétigny sur Orge (France), 12 July 2013
  • 7 dead
  • 9 gravely injured
• Santiago de Compostela (Spain), 24 July 2013
  • 80 dead
  • 130 injured
• Granges-près-Marnand (Switzerland), 29 July
  • 1 dead
  • 25 injured
Running outside the specified domain
Dynamic representation of barriers bypassing
[Figure: diagram over a Time axis showing points A to E, markers 1 to 3 and X, and an "Accident" label. Legend: specified path; actual path; specified local variability; actual local variability; situation point; safety margin; barriers; barrier bypassing; deviation.]
Four main resilience functions (1)
1. Avoidance (capacity for anticipation)
2. Resistance (capacity for absorption)
3. Adaptation (capacity for reconfiguration)
4. Recovery (capacity for restoration)
This paper deals with:
1. Avoidance
2. Adaptation
1. D. Luzeaux: Engineering Large-scale Complex Systems in D. Luzeaux, J.-R. Ruault & J.-L. Wippler, Complex Systems and Systems of Systems Engineering, ISTE Ltd and John Wiley & Sons Inc, 2011
Dissonance engineering
• At least two conflicting beliefs and behaviours
  • Beliefs of designers, managers and evaluators
  • Beliefs of operators
• Task-oriented and activity-oriented points of view (Leplat 1985)
  • Task / work-as-designed: prescribed
  • Activity / work-as-done: actual, a function of the situation
• Two different meanings to understand situation and events
  • The gap between prescribed and done work is an error and must be resolved by applying the prescribed procedure (designer point of view)
  • Work is done as a function of the actual situation and the operators' interpretation of this situation
Modelling variability and the gap between work-as-designed and work-as-done
[Figure: FRAM hexagon for an "Activity / function" with aspects labelled T, C, I, O, P, R; a second diagram shows functions F1, F2, F3 and F4 with aspects C, I and O labelled.]
• Functional Resonance Analysis Method (1)
• Modelling variability: the first step in order to assess the gap between work-as-designed and work-as-done
Resilience function: Adaptation
1. Hollnagel, E. (2012). FRAM: The Functional Resonance Analysis Method. Ashgate, Hampshire, Great Britain.
Management of the dissonance
Hazardous management
• Silent migration
• Normalization of deviance
• Search for a scapegoat
Resilient management
• Clear and relevant shared situation awareness
• Simulation of possible or incredible accident scenarios
• System design update based upon evolutions assessment
• Not biased BCD analysis
Mistake-proving device for resilient management of dissonance
• Assess the variability and the gap between both paths
• Highlight this difference and show it to stakeholders, both operators and managers

Probability \ Severity | Catastrophic | Critical | Marginal | Negligible
Frequent               | High         | High     | Serious  | Medium
Probable               | High         | High     | Serious  | Medium
Occasional             | High         | Serious  | Medium   | Low
Remote                 | Serious      | Medium   | Medium   | Low
Improbable             | Medium       | Medium   | Medium   | Low
Eliminated             | Eliminated

Resilience function: Avoidance
Foreseeable possible or incredible accident
[Figure: block diagram with the following boxes]
• Accident cases base
• Actual field data, including trend drift
• Models of system as-designed
• Detect ‘out-of-range’ variability (FRAM)
• Generate possible / incredible accidental scenarios (inferential engine)
• Display possible / incredible accident scenarios
• Operators
• Managers

• Simulation scenarios of possible or incredible accident that may happen soon
• Enhancement of shared situation awareness
• Opportunity to foresee potential accident
Resilience function: Avoidance
Zoufftgen accident case study
• Context of the accident:
  • 2 trains collided head-on near Zoufftgen, on the boundary between Luxembourg and France
  • 6 deaths, 1 wounded
• Direct and indirect causes of the accident given in the report (1)
  • Mistake in issuing the pass-through order
  • Failure of attempts to rectify the situation
  • Insufficient knowledge of the central control post staff
  • Unrealistic division of tasks
  • Laissez-faire approach to monitoring staff
1. BEA TT (Land Transport Accident Investigation Bureau) (2009). Technical Investigation Report on the Train Collision that occurred on 11 October 2006 on the French/Luxembourg Border at Zoufftgen (Moselle).
Hazardous management of the dissonance contributing to the accident
• Barriers removal
  • Traffic Controller did not carry out all the prescribed preliminary checks before issuing a pass-through order
• Normalization of deviant behaviours
  • This omission seemed to occur fairly often at the Bettembourg CCP since the wrong-track working fixed equipment display is not in the Traffic Controller’s visual field when he is looking at the check lights for the tracks towards France
  • 107 written orders to pass through a Main Fixed Signal were issued over the three-month period before the accident
• Silent migration
  • Violation of staff handover procedure, due to poor procedure usability
  • At 11h30, the Morning Traffic Controller wanted to leave but the Evening Traffic Controller had not yet arrived
  • This quite common practice is contrary to the regulations
  • In addition to the oral handover, the Morning Traffic Controller gave a sheet of “scrap paper” to the Evening Train Announcer
Functional resonance model of the accident
[Figure: FRAM hexagon for the "Traffic control activity" function, with aspects labelled I, O, T, C, R, P. Labels on the diagram:]
• High frequency of signal faults
• Insufficient check
• Lateness of traffic controller / barrier removal
• Violation of staff procedure / barrier removal
• Poor usability of procedure and HCI
• Dual task reducing attention resources
• Pass-through order
Resilience function: Adaptation
Mistake-proving device
• Restoring the capability of visual piloting
• Trends such as issuing written orders have to be detected and expressed to all stakeholders in order to be fixed

Probability \ Severity | Catastrophic | Critical | Marginal | Negligible
Frequent               | High         | High     | Serious  | Medium
Probable               | High         | High     | Serious  | Medium
Occasional             | High         | Serious  | Medium   | Low
Remote                 | Serious      | Medium   | Medium   | Low
Improbable             | Medium       | Medium   | Medium   | Low
Eliminated             | Eliminated

[Figure overlay: markers placed on the matrix, one labelled "Accident".]
Resilience function: Avoidance
Expressing foreseeable or incredible accidents to operators
• Simulation complements the visual display, explicitly expressing the current migration
• Simulation expresses to operators the accident that should happen soon within the actual context
  • For instance, inlaid augmented reality
• Maintaining the capability to rectify the situation
  • Secure equipment reliability
  • Relevant and well-known skills to cut off traction power
  • Knowing the perimeter and the limits of the button (marshalling yard track), to phone the operators who are able to cut off the traction power
Resilience function: Avoidance
Conclusion and perspective
• Conclusion
  • Resilient management of dissonance: expressing this gap and enhancing shared situation awareness in order to restore visual piloting capacity
• Perspective
  • Enhance FRAM in order to model trend and express the two kinds of variability (normal and out-of-range)
  • Enhance visual piloting
  • Express foreseeable or incredible accidents to operators
  • Prepare an open-ended experiment
References
• Barrier bypassing / barrier removal:
  • VANDERHAEGEN F. (2010). Human-error-based design of barriers and analysis of their uses. Cognition, Technology and Work, 12(2), pp. 133-142.
• Resilience:
  • ZIEBA S., POLET P., VANDERHAEGEN F., DEBERNARD S. (2010). Principles of adjustable autonomy: a framework for resilient human machine cooperation. Cognition, Technology and Work, 12(3), pp. 193-203.
  • OUEDRAOGO K-A., ENJALBERT S., VANDERHAEGEN F. (2013). How to learn from the resilience of Human–Machine Systems? Engineering Applications of Artificial Intelligence, 26(1), pp. 24-34.
• Dissonance engineering:
  • VANDERHAEGEN F. (2012). Dissonance Engineering for Risk Analysis. Workshop: Risk Management in Life Critical Systems, Human-Centered Design Institute, Florida Institute of Technology, Melbourne, FL, USA, March.
  • VANDERHAEGEN F. (2013). Dissonance engineering for risk analysis: a theoretical framework. International Summer School on Risk Management in Life Critical Systems, Valenciennes, France, July 1-5 2013.
• Dominique Luzeaux & Jean-René Ruault. Systems of Systems. Wiley, 2010.
• Dominique Luzeaux, Jean-René Ruault & Jean-Luc Wippler. Complex Systems and Systems of Systems Engineering. Wiley, 2011.
Thank you very much for your attention