Building Resilience


INFORMATION PAPER

Resilience engineering and the built environment

Erik Hollnagel¹,²

¹Institute of Regional Health Research, University of Southern Denmark, J.B. Winsløwsparken 19, DK-5000 Odense, Denmark

E-mail: [email protected]

²Centre for Quality, Region of Southern Denmark, P.V. Tuxensvej 3–5, DK-5500 Middelfart, Denmark

The possible relations between resilience engineering and built environments are explored. Resilience engineering has been concerned with the safe and efficient functioning of large and small industrial systems. These may be described as built systems or artefacts. The resilience engineering approach argues that if the performance of systems is to be resilient, then they must be able to respond, monitor, learn and anticipate. The last ability in particular means that they must be able to consider themselves vis-à-vis their environment, i.e. be sentient and reflective systems. In practice, this means people individually or collectively can adjust what they do to match conditions, identify and overcome flaws and function glitches, recognize actual demands and make appropriate adjustments, detect when something goes wrong and intervene before the situation becomes serious. It is particularly important to understand the range of conditions about why and how the system functions in the ‘desired’ mode as well as ‘unwanted’ modes. Resilience is the capacity to sustain operations under both expected and unexpected conditions. The unexpected conditions are not only threats but also opportunities.

Keywords: anticipate, built environment, cognitive systems engineering, outcomes, proactive, resilience, resilience engineering, system performance

Introduction

‘Resilience’ is a term that has been used for a long time and in several different ways. According to McAslan (2010), the term was first used by Tredgold (1818) to describe a property of timber, and to explain why some types of wood were able to accommodate sudden and severe loads without breaking. Almost four decades later, Mallet, in a report to the Admiralty, referred to a measure called the modulus of resilience as a means of assessing the ability of materials to withstand severe conditions (Mallet, 1856).

Many years later, Holling (1973) referred to the resilience of an ecosystem as the measure of its ability to absorb changes and still exist. He further contrasted resilience with stability, defined as the ability of a system to return to its equilibrium state after a temporary disturbance, but also argued that resilience and stability were two important properties of ecological systems. This later led to a distinction between engineering resilience and ecological resilience (Gunderson, Holling, Pritchard, & Peterson, 2002). Engineering resilience considers ecological systems to exist close to a stable steady-state. Resilience is here the ability to return to the steady-state following a perturbation. Ecological resilience emphasizes conditions far from any stable steady-state, where instabilities can flip a system from one regime of behaviour into another. Resilience is here the system’s ability to absorb disturbances before it changes the variables and processes that control behaviour.

BUILDING RESEARCH & INFORMATION 2014

Vol. 42, No. 2, 221–228, http://dx.doi.org/10.1080/09613218.2014.862607

© 2013 Taylor & Francis

In the early 1970s, the term ‘resilience’ began to be used as a synonym for stress resistance in psychological studies of children. It soon became a frequently used term in psychology, and many years later Tisseron defined resilience as: ‘The capacity to withstand traumatic situations and the ability to use a trauma as the start of something new’ (Tisseron, 2007, p. 7).¹ At the beginning of the 21st century, it was picked up by the business community. Hamel & Valikangas (2003) referred to resilience as the ability dynamically to reinvent business models and strategies as circumstances change, and went on to explain:

Strategic resilience is not about responding to a onetime crisis. It’s not about rebounding from a setback. It’s about continuously anticipating and adjusting to deep, secular trends that can permanently impair the earning power of a core business. It’s about having the capacity to change before the case for change becomes desperately obvious.

(p. 53)

Last but not least, around the turn of the century safety specialists started to use resilience engineering to describe an alternative approach dealing with safety issues, accidents as well as risks (Woods, 2000). Resilience engineering quickly became accepted as a viable approach to safety management, and was defined as:

the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions.

(Hollnagel, Paries, Woods, & Wreathall, 2011, p. xxxvi)

The various ways in which the term has been used clearly demonstrate a practical need in several domains of practice, if not in several sciences, of a way to characterize a certain type of system performance. The practical needs may vary and the different definitions show that there are at least four different meanings of resilience:

• Resilience as a property of materials. This was the original meaning. Here resilience is used to characterize an inherent quality of a material, hence of a static system.

• Resilience as a property of ecological systems. This introduces the concept of living – or dynamic – systems. Ecological systems are reactive in the sense that they may be able to respond and even change their mode of operation (cf. the notion of ecological resilience), but can neither anticipate nor have any intentions.

• Resilience as a property of psychological systems. Here the system can in principle reflect on its experience and use that to shape how it responds, and can also anticipate.

• Resilience as a property of dynamic and intentional systems. This usage is found both in the case of business systems (and organizations in general) and in the case of resilience engineering. In both cases the ability to anticipate plays an important role. The situations where resilience is needed are usually ones that develop rapidly, sometimes even abruptly.

The focus of this paper is on the fourth meaning of resilience. While business survival and safety management may seem to be different, the similarities are more important than the differences (Sundstrom & Hollnagel, 2011). ‘Risk management’, for instance, is a term used in both domains. For business as well as for safety it is also important for the system to survive and to sustain its operations – although not necessarily exactly as before (cf. ecological resilience). It is also essential to be prepared to respond, to be able to respond quickly and effectively, and even in some cases to respond pre-emptively.

The question is how well this fourth meaning of resilience is suited to the problems of built environments (BEs). In order to determine that, it is necessary to consider whether a ‘built environment’ is a unique concept, or whether it can have several interpretations.

What is a built environment?

One definition of the BE is that it ‘includes man-made buildings, infrastructures and cultural landscapes that constitute the physical, natural, economic, social and cultural capital of a society’.² In other words, the physical structures and artefacts that enable and facilitate certain kinds of activity. The Built Environment Professions Bill put forward by the Parliament of the Republic of South Africa in 2008 defined the BE as ‘The physical world that has been intentionally created through science and technology for the benefit of mankind’. Further clarification can be found in Wikipedia, which helpfully notices that the BE is ‘The man-made surroundings that provide the setting for human activity, ranging from the large-scale civic surroundings to personal places.’

There is, however, a problem with these definitions. The problem is not with the term ‘built’, which clearly refers to something that is created or man-made, i.e. artefacts usually of considerable size. The problem is with the term ‘environment’. The reason is that resilience refers to a property of a system (except, perhaps, in the original interpretation), but a system cannot be considered without including its relation to its environment (or to a general environment) (cf. Mumford, 2006). Indeed, resilience can be described as ‘a central unifying concept in disaster risk management and sustainability science’. However, if the ‘built environment’ constitutes the ‘system’ (which constitutes resilience as an aspect of safety, risk management and sustainability), then what is the ‘environment’ of this system, i.e. the environment of the ‘built environment’?

Systems have traditionally been defined with reference to their structure in terms of their parts and how they are connected or put together. Thus, Hall & Fagen (1968, p. 81) defined a system as ‘a set of objects together with relationships between the objects and between their attributes’, while Beer (1959, p. 9) declared that a system simply is ‘anything that consists of parts connected together’. The parts that are ‘connected together’ must, however, exist within some kind of boundary beyond which lies the system’s environment. This follows from the basic definitions of open and closed systems, as systems that allow interactions between their internal elements and the environment and systems that are isolated from their environment, respectively (von Bertalanffy, 1969). The boundary has more precisely been defined as:

the area within which the decision-taking process of the system has power to make things happen, or prevent them from happening. More generally, a boundary is a distinction made by an observer which marks the difference between an entity he takes to be a system and its environment.

(Checkland, 1999, p. 312)

Given this definition, the ‘BE’ must clearly be considered as a system. Below, the resilience of this system will be considered relative to its environment, the external conditions that affect how the system performs but which it is unable to control. In order to avoid cumbersome linguistic constructions such as ‘the built environment’s environment’, the term ‘built system’ will be used instead of BE. Any reference to an environment is therefore to the environment of a system, rather than to the environment that is the system in the traditional meaning of BE.³

A multitude of built systems

The sample definitions of BEs have in common that they refer to something that is of large scale, often with long duration, and meant to facilitate or enable human activities or endeavours in one way or another. From the perspective of resilience engineering, this might be interpreted to suggest that a built system is a setting created for human activity. To be even more precise, in this paper a built system is interpreted as something that has been designed and constructed in order to enable a specific function (or set of functions) to be carried out in a specific manner – efficient, safe, durable, economical, etc. Resilience is similarly defined to denote the ability of the built system to sustain its functioning under expected and unexpected conditions alike.

There are, of course, many systems that match this definition, including the various definitions of BE given above. As with all definitions, it is worthwhile not only to look at the typical exemplars, but also to consider the borderline cases. The main concern of resilience engineering is with industrial systems, which means systems that have the purpose of producing or transforming something. Rather than the usual types of BEs such as buildings, parks, neighbourhoods and cities, this means built systems that are smaller and intended to serve a specific rather than a general purpose. Resilience engineering is also more concerned with the functioning of systems than with their structure.

• A refugee camp is an example of a built system. It is a system not only in the sense that it consists of ‘parts connected together’, but also in the sense that the parts are organized to serve a general purpose. It is deliberately constructed and intended to exist for a limited time only – although that intention often is unfulfilled. There is clearly an environment outside the refugee camp that may be considered a risk to the sustainability or even survival of the people in the camp.

• A nuclear power plant is also an example of a built system. Although it is a place of work rather than for living, it is of considerable scale and is usually intended to exist for many decades. It is clearly also a built system where the possibility of disasters is very real. Nuclear installations at Three Mile Island, Chernobyl and Fukushima all illustrate that. And it is a built system that must be resilient to both internal and external challenges.

• A hospital is also a built system, but one where the structure (i.e. the buildings and the service networks) as well as the organization must be very flexible. The reason is that patient care and patient treatment change over time, so much that hospitals, unlike nuclear power plants, usually are being rebuilt (physically and organizationally) more or less continually.

• A large international airport, such as Heathrow (UK), Incheon (Korea), Los Angeles International (US) or Narita (Japan), must also be considered as a built system in every meaning of the term. They are large, structurally heterogeneous, long-lived, and built to provide a specific main service, in addition to several subsidiary services. They are also more or less continuously being changed. (This inevitably leads to the question of whether it is possible for an airport to be so small that it no longer is a built system?)

• Could a large aeroplane, such as an A380, be a built system? This is clearly something that is built, and it provides space for up to 853 passengers for a period up to 14–16 hours. It serves a definite purpose and is in addition a place of work for 20 or so people. It is undoubtedly a ‘man-made surrounding that provides the setting for human activity’, even though both the passengers and the crew will be different from flight to flight. And there are unquestionably issues of disasters and sustainability.

• If a large aeroplane is not deemed acceptable as a built system because it is too small and only ‘exists’ for a limited period of time, although repeatedly, then would a cruise liner (such as the Carnival Triumph) be acceptable? This is certainly a built system; it can take about 4400 people (passengers and crew) for a cruise of 14 days or more; and it certainly serves a purpose, leisure for the passengers and work for the crew. (It is not even the largest cruise ship, but currently only the 24th largest.) And it is, as recent events have shown, a built system where a disaster is waiting to happen either from within the system’s boundary or from the environment.

Resilience engineering is relevant for all these built systems, in the sense that their performance must be resilient as per the resilience engineering definition given above. Because resilience refers to the performance or functioning of a built system, the concept can be applied regardless of the scale or size of the system. If it is relevant for a hospital, it is also relevant for a clinic, and for a single general practitioner. If it is relevant for a nuclear power plant, it is also relevant for an offshore oil field comprising multiple installations, for a windmill farm and for a local power generating plant. In general, resilience is a quality of the performance of a built system regardless of its size, nature and longevity.

Built systems as joint systems

While the original meaning of resilience referred to materials and structures, the later uses of the term – in ecology, psychology, finance and the safety sciences – refer to the functioning or performance of the built system. Resilience is, in other words, something that is associated with the dynamics of a built system, hence with what it does rather than what it is. And so far, built systems have only been able to behave or do something because they are socio-technical systems or joint systems. Socio-technical systems can be defined as systems that involve a complex interaction between humans, technology and workplaces (Emery & Trist, 1960), whereas joint cognitive systems can be defined as two or more systems considered together, where at least one is able locally to modify its behaviour so as to achieve specific anti-entropic ends (Hollnagel & Woods, 2005).

In less elevated language this means that a built system must include or embody some form of sentience – intelligence or cognition – in order to be resilient. Despite more than 50 years of hopes and promises from artificial intelligence, this still requires the presence of humans. The physical parts of a built system may possibly be able to resist the decay of time, but they cannot be resilient. Technology can possibly respond and monitor on its own, at least to some degree, but cannot yet learn and anticipate. Built systems may be able to withstand the onslaught of forces, but cannot overcome them. Until Kurzweil’s (2005) prophecies become fact, the only sentience of a built system is therefore that provided by people.

What makes a built system resilient?

Resilience engineering defines resilience as:

the intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions.

(Hollnagel et al., 2011, p. xxxvi)

In this definition, it is the emphasis on the ability to adjust performance prior to something happening that excludes non-sentient systems. The definition also makes clear that resilience is a characteristic of the system’s performance or behaviour, rather than a quality or feature of the system as such. This definition of resilience can be made more operational by noticing that it implies four main abilities, namely:

• Knowing what to do: how to respond to regular and irregular disruptions and disturbances either by implementing a prepared set of responses or by adjusting normal functioning. This is the ability to address the actual.

• Knowing what to look for: how to monitor that which is or can become a threat in the near term. The monitoring must cover both events in the environment and the performance of the system itself. This is the ability to address the critical.

• Knowing what has happened: how to learn from experience, in particular how to learn the right lessons from the right experience – successes as well as failures. This is the ability to address the factual.

• Knowing what to expect: how to anticipate developments, threats, and opportunities further into the future, such as potential changes, disruptions, pressures and their consequences. This is the ability to address the potential.

A resilient system is not just an active or responding system, but also a proactive system. It must, of course, be a reactive system but if it only responds to what has happened it cannot be considered as resilient. (It may, however, be seen as robust.) A built system that is reactive only will sooner or later succumb. That even goes for the traditional BEs such as cities or communities – and even empires. The importance of the ability to anticipate can be summarized:⁴

Potential threats appear both as disruptions (over short time horizons) and slow moving, diffuse threats (over longer time horizons). An effective response may need to include a combination of anticipation (precaution) and resilience. However the evolution and interaction of multiple and largely unknown threats makes it extremely difficult to develop proactive interventions with regard to exposure, sensitivity and adaptive capacity.

Anticipation – and its close cousin, planning – is necessary for several reasons as a part of resilience rather than in addition to it. Anticipation is needed to develop new responses over and above learning from the past. Anticipation is needed to develop foci for monitoring. And anticipation is finally needed as a basis for the long-term, proactive strategies that are indispensable for any system to sustain its existence.

Safety of built systems

The common, and intuitive, understanding of safety is that it represents a condition where the number of things that go wrong, or can go wrong, is acceptably small. The American National Standards Institute (ANSI) (2012, p. 12), for instance, defines safety as the ‘freedom from unacceptable risk’. As a consequence of this definition, safety is measured indirectly, not by the presence of safety or as a quality in itself, but by the consequences of the absence of safety. The number of adverse outcomes (i.e. cases where safety somehow failed or was missing) is always highlighted and emphasized. However, the regular outcomes are often ignored, although these represent the presence of safety. Safety concerns were at the beginning directed at risks related to passive technology and structures such as buildings, bridges, ships, etc. This focus was reinforced by the needs of the second industrial revolution and the rapid mechanization of work that followed. The belief that a focus on technology was sufficient to explain problems and generate solutions was successfully maintained until 1979, when the accident at the Three Mile Island nuclear power plant demonstrated that safeguarding technology was not enough. The accident brought to the fore the role of human factors and made it necessary to consider human failure and malfunctioning as potential risks. Seven years later, in 1986, the Challenger space shuttle and Chernobyl accidents led to another extension, this time by introducing the influences of organizational failures and safety culture.

Throughout the ages, the starting point for safety concerns has been the potential or actual occurrence of adverse outcomes. New forms of accidents have been accounted for by introducing new types of causes. This has fostered a causality credo, which is the belief that adverse outcomes happen because something has gone wrong; adverse outcomes therefore have causes, which can be found and treated. The logic underpinning this states that because the causes can be identified and treated, all accidents are preventable. This approach has also led to the bias that civil society only pays attention to something that goes wrong. In relation to built systems it makes sense to focus on situations where things go wrong, both because such situations by definition are unexpected and because they may lead to harm or loss of life and property. But it does not make sense to limit attention to adverse outcomes. That this nevertheless is so is illustrated by the conventional risk matrix, used in many different domains. This matrix describes or represents adverse outcomes in terms of their probability and severity. Yet when possible outcomes of an activity or a function are considered, it is clear that things can go right as well as wrong. Furthermore, it is reasonable to expect that things will go right most of the time, because that is the purpose of designing, constructing and operating built systems. In view of this, it seems reasonable to propose that a description of possible outcomes should include positive (wanted) as well as negative (unwanted) outcomes. If outcomes continue to be described in terms of their probability and value, then the following four characteristic subsets are observed:

• Positive outcomes that have a high probability. This subset represents the successes or ‘normal’ actions, i.e. the things that not only go right, but also that are expected to go right. In other words, everyday work or everyday functioning. These are essential for resilience, but rarely if ever considered by safety.

• Positive outcomes that have a low probability. This subset represents the ‘good’ things that happen unexpectedly. There is no commonly recognized terminology for these; when they happen they are simply accepted with gratitude.

• Negative or unwanted outcomes that have a low probability, i.e. things that go wrong and which are unexpected – although not unimaginable. This is the subset of outcomes that traditionally is associated with safety (or rather, the lack of safety), particularly outcomes that cause significant losses and are hard to predict.

• Negative or unwanted outcomes that have a high probability. This basically means adverse outcomes that realistically must be expected to happen frequently or even regularly. The purpose of risk assessment and risk management is to identify how such outcomes can arise and prevent them from happening. This is usually done successfully; cf. the ANSI definition of safety as ‘the freedom from unacceptable risks’. In practice this subset is therefore very small.

The common understanding is that a system is safe if accidents, incidents (and mishaps) (1) can be prevented so that their number or frequency can be reduced or (2) people – or the built system itself – can be protected against the negative outcomes. The traditional approaches to safety thus disregard the things that go right. This is due to the unspoken assumption that learning about failure is only accomplished by studying only things that go wrong. It is nice when things go right, but it is often assumed that there is no need to pay much attention to these occurrences precisely because they go right.

However, the concept of resilience engineering posits that the ‘things that go wrong’ are the inverse of the ‘things that go right’, and therefore assumes that both are a result of the same underlying processes. A consequence is that both can be explained in basically the same way. In resilience engineering it makes as much sense to try to understand why things go right as to understand why they go wrong. In fact, it makes more sense because there are very many more things that go right than things that go wrong. Resilience engineering argues that a system’s performance should be understood in general, rather than be limited to cases when something goes wrong, i.e. to understand all the outcomes rather than only the negative ones.

Traditional safety and resilience engineering

The traditional safety view can be contrasted with resilience engineering. According to the traditional safety view, safety is defined as a condition where the number of adverse outcomes (accidents/incidents/near misses) is as low as possible. The purpose of system design and safety management is consequently to achieve and maintain that state. A traditional safety view promotes a binary view of functioning, according to which something either succeeds or fails. When everything works as it should (‘normal’ functioning), the outcomes will be acceptable: things go right, in the sense that the number of adverse outcomes is acceptably small. But when something goes wrong, when there is some kind of malfunctioning, this will lead to a failure (an unacceptable outcome). The issue is therefore how the transition from normal to abnormal (or malfunction) takes place, e.g. whether it happens through an abrupt or sudden transition or through a gradual ‘drift into failure’. According to the traditional safety logic, safety and efficiency can be achieved if this transition can be blocked.

The background for the traditional safety view is foundin well-understood, well-tested and well-behavedsystems. It is therefore tacitly assumed that systemswork because they are well designed and scrupulouslymaintained, because procedures are complete andcorrect, because designers can foresee and anticipateeven minor contingencies, and because people behaveas they are expected to – and more importantly asthey have been taught or trained to do. This unavoid-ably leads to an emphasis on compliance as a way ofensuring that the system functions as intended by thedesign.

As technical and socio-technical systems have continued to develop, systems and work environments have gradually become more intractable (Hollnagel, 2010). Since the models and methods of the traditional safety view assume that systems are well-understood and well-behaved, they are increasingly unable to bring about the required ‘state of safety’. This problem can be alleviated by focusing on what goes right in addition to what goes wrong and by changing the definition of safety from ‘avoiding that something goes wrong’ to ‘ensuring that everything goes right’. More precisely, this is the ability to succeed under varying conditions, so that the number of intended and acceptable outcomes is as high as possible. The consequence of this definition is that the basis for safety and resilience now becomes an understanding why things go right, which means an understanding of everyday activities (Hollnagel, Leonhardt, Licu, & Shorrock, 2013).

Resilience engineering explicitly assumes that built systems work because people, individually or collectively, are able to adjust what they do to match the conditions of work. They learn to identify and overcome design flaws and functional glitches, they can recognize actual demands and adjust their performance accordingly, they can interpret and apply procedures to match the conditions. They can also detect when something goes wrong, or is about to go wrong, and intervene before the situation becomes serious. The result of that is performance variability, not in the negative sense where variability is seen as a deviation from some norm or standard, but in the positive sense that variability represents the adjustments that are the indispensable basis for safety and productivity. One consequence is that it is impossible to ensure safe and efficient performance by insisting on compliance with design assumptions or work-as-imagined, since the actual conditions never completely match the intended conditions. This is demonstrated by the simple fact that working-to-rule is a recognized way of creating disruptions.

Conclusions

Built systems are artefacts or socio-technical habitats designed to enable and facilitate a particular kind of activity (regardless of whether it is a hospital, an airport or a nuclear power plant). The ability of a built system to be resilient, to survive, requires that it is able to respond, to monitor, to learn and to anticipate. Considering each of the four abilities from a more operational perspective will quickly point to a number of issues that can become the starting point for more concrete measures for how to think about resilience engineering in a practical manner. Starting from the level of a built system as a whole, resilience engineering can be used to propose specific steps for improvement, depending, of course, on the characteristics of the specific domain or field of activity. For any given domain or organization it will be necessary to determine the relative weight or importance of the four main abilities, i.e. how much of each is needed. The right proportion cannot be determined analytically, but must be based on expert knowledge of the system under consideration and with due consideration of the characteristics of the core business. Yet the minimum requirement is that none of the four can be left out if a system wants to call itself resilient.

The practical use of resilience engineering also requires an understanding of how the four abilities are coupled and therefore depend upon each other. This underlines the importance of thinking of the built system as a whole, and to provide effective concepts and methods for managing overall performance. Without going into details, the dependencies can be illustrated as shown in Figure 1, where the arrows connecting the four abilities suggest how each depends on one or more of the others (Hollnagel, 2011).

Figure 1 Dependencies among resilience abilities

All four abilities must be able to address both what happens in the system itself and what happens in the environment – what happens outside the system’s boundary. A built system can – or should be able to – control itself, but by definition it is not able to control the environment. As there are few cases where environments can be assumed to be benign and stable, the ability to anticipate what may happen in the environment, now and in the future, is essential for the system’s survival. This highlights the importance of understanding how the systems function, rather than how they are structured or what they are made of, and to focus on their ability to use opportunities as well as withstand threats.

For resilience engineering, the understanding of the everyday acceptable functioning of a built system is the necessary and sufficient basis for understanding how something can go wrong. It is argued that it is both easier and more effective to manage risks and sustain existence by improving the number of things that go right, than by reducing the number of things that go wrong.

For built systems, which in this paper means socio-technical systems that have been built in order to provide a certain service or functionality, resilience is therefore not just an issue of disaster risk management and sustainability. Resilience is an issue of being able to sustain required operations under both expected and unexpected conditions. But the unexpected conditions are not only threats, but also opportunities. A built system that is unable to recognize and utilize opportunities will in the long run be no better off than a system that cannot respond to threats and disruptions.

References

American National Standards Institute. (2012). Prevention through design: Guidelines for addressing occupational hazards and risks in design and redesign processes. Des Plaines, IL: American Society of Safety Engineers.

Beer, S. (1959). Cybernetics and management. New York: Science Editions.

von Bertalanffy, L. (1969). General system theory. New York: G. Braziller.

Checkland, P. (1999). Systems thinking, systems practice. New York: Wiley.

Emery, F. E., & Trist, E. L. (1960). Socio-technical systems. In C. W. Churchman & M. Verhulst (Eds.), Management science models and techniques (Vol. 2, pp. 83–97). Oxford, UK: Pergamon.

Gunderson, L., Holling, C. S., Pritchard, L., & Peterson, G. D. (2002). Resilience. In H. A. Mooney & J. G. Canadell (Eds.), Encyclopedia of global environmental change; Volume 2, The earth system: Biological and ecological dimensions of global environmental change (pp. 530–531). Paris: UNESCO/SCOPE.

Hall, A. D., & Fagen, R. E. (1968). Definition of system. In W. Buckley (Ed.), Modern systems research for the behavioural scientist. Chicago: Aldine Publishing Company.

Hamel, G., & Välikangas, L. (2003). The quest for resilience. Harvard Business Review, 81(9), 52–65.

Holling, C. S. (1973). Resilience and stability of ecological systems. Annual Review of Ecology and Systematics, 4, 1–23.

Hollnagel, E. (Ed.) (2010). Safer complex industrial environments. Boca Raton, FL: CRC Press.

Hollnagel, E. (2011). Epilogue: RAG – The resilience analysis grid. In E. Hollnagel, J. Pariès, D. D. Woods, & J. Wreathall (Eds.), Resilience engineering in practice: A guidebook. Farnham, UK: Ashgate.

Hollnagel, E., Leonhardt, J., Licu, T., & Shorrock, S. (2013). From safety-I to safety-II: A white paper. Brussels: Eurocontrol. (http://www.skybrary.aero/bookshelf/books/2437.pdf)

Hollnagel, E., Pariès, J., Woods, D. D., & Wreathall, J. (Eds.) (2011). Resilience engineering in practice: A guidebook. Farnham, UK: Ashgate.

Hollnagel, E., & Woods, D. D. (2005). Joint cognitive systems: Foundations of cognitive systems engineering. Boca Raton, FL: CRC Press.

Kurzweil, R. (2005). The singularity is near. New York: Viking Press.

Mallet, M. (1856). On the physical conditions involved in the construction of artillery: An investigation of the relative and absolute values of the materials principally employed and of some hitherto unexplained causes of the destruction of the canon in service. London: Longman, Brown, Green, Longmans and Roberts.

McAslan, A. (2010). The concept of resilience. Understanding its origins, meaning and utility. Adelaide, Australia: The Torrens Resilience Institute.

Mumford, E. (2006). The story of socio-technical design: Reflections on its successes, failures and potential. Journal of Information Systems, 16, 317–342.

Sundström, G., & Hollnagel, E. (Eds.) (2011). Governance and control of financial systems: A resilience engineering approach. Farnham, UK: Ashgate.

Tisseron, S. (2007). La Résilience. Paris: PUF.

Tredgold, T. (1818). On the transverse strength of timber. Philosophical Magazine: A Journal of Theoretical, Experimental and Applied Science, Chapter XXXXVII. London: Taylor and Francis.

Woods, D. D. (2000). Designing for resilience in the face of change and surprise: Creating safety under pressure. Plenary Talk, Design for Safety Workshop, NASA Ames Research Center, October 10.

Endnotes

1 ‘The capacity to withstand traumatic situations and the possibility of transforming a trauma into a new start.’

2 A workshop held at ETH Zurich in January 2013 on Built Environment Resilience provided this definition in its invitation to workshop participants.

3 This may clash with the established terminology, so apologies are offered to readers for any agony this may cause.

4 The invitation to a workshop held at ETH Zurich in January 2013 on Built Environment Resilience provided this statement.
