Sociotechnical systems resilience:a dissonance engineering point of view

"Symposium on Analysis, Design, and Evaluation of H uman-Machine Systems " - August 11-15 2013

Sociotechnical systems resilience: a dissonance engineering point of view

Jean-René RuaultFrédéric Vanderhaegen

Christophe Kolski

[email protected]

"Symposium on Analysis, Design, and Evaluation of Human-Machine Systems " August 11-15 2013 2

Summary

� Running outside the specified domain

� About resilience

� About dissonance engineering

� Proposition : dissonance Management for resilient systems design

� Railway case study

� Conclusion and perspectives


Context, train crashes

� Lac-Mégantic (Canada), 6 July 2013

� 50 dead

� Brétigny sur Orge (France), 12 July 2013

� 7 dead

� 9 gravely injured

� Santiago de Compostela (Spain), 24 July 2013

� 80 dead

� 130 injured

� Granges-près-Marnand (Switzerland), 29 July

� 1 dead

� 25 injured


Road map

� Running outside the specified domai







Running outside the specified domainDynamic representation of barriers bypassing

A

B

C

D

1

Time

3

2

�

�

�

�

�

AccidentE

Legend:• Specified path: • Actual path: • Specified local variability:• Actual local variability:• Situation point:• Safety margin: • Barriers : • Barrier bypassing• Deviation

X

1


Road map








Four main resilience functions (1)

1. Avoidance (capacity for anticipation)

2. Resistance (capacity for absorption)

3. Adaptation (capacity for reconfiguration)

4. Recovery (capacity for restoration)

This paper deals with:

1. Avoidance

2. Adaptation

1. D. Luzeaux: Engineering Large-scale Complex Systems in D. Luzeaux, J.-R. Ruault & J.-L. Wippler, Complex Systems and Systems of Systems Engineering, ISTE Ltd and John Wiley & Sons Inc, 2011


Road map








Dissonance engineering

� At least, two conflicting beliefs and behaviours � Beliefs of designers, managers and evaluators

� Beliefs of operators

� Task oriented and activity oriented points of view (Leplat 1985)

� Task / work-as-designed: prescribed,

� Activity / work-as-done: actual, function of the situation

� Two different meanings to understand situation and events

� The gap between prescribed and done work is an error and must be resolved applying prescribed procedure (designer point of view)

� Work is done function of the actual situation and operators’ interpretation of this situation


Road map








Modelling variability and the gap between work-as-designed and work-as-done

Activity / function

T

I

P R

C

O

� Functional Resonance Analysis Method1

� Modelling variability ; the first step in order to assess the gap between work-as-designed and work-as-done

1. Hollnagel, E. (2012). FRAM: The Functional Resonance Analysis Method. Ashgate, Hampshire, Great Britain.

F1 F3

F2

F4

C

I O

Resilience function: Adaptation


Management of the dissonance

Hazardous management Resilient management

� Silent migration � Clear and relevant shared situation awareness

� Normalization of deviance

� Simulation of possible or incredible accident scenarios

� Search of scapegoat � System design update based upon evolutions assessment

� Not biased BCD analysis


Mistake-proving device for resilient management of dissonance

� Assess the variability and the gap between both paths

� Enlighten this difference and exhibit it to stakeholders, both operators and managers

Severity

Probability

Catastrophic Critical Marginal Negligible

Frequent High High Serious Medium Probable High High Serious Medium Occasional High Serious Medium Low Remote Serious Medium Medium Low Improbable Medium Medium Medium Low Eliminated Eliminated

Resilience function: Avoidance

�


Foreseeable possible or incredible accident

Accident cases base

Actual field data, including trend drift

Models of system as-designed

Display possible /incredible accident scenarios

Operators

Managers

Detect ‘out-of-range’ variability (FRAM)

Generate possible / incredible accidental scenarios (inferential engine)

� Simulation scenarios of possible or incredible accident that may happen soon

� Enhancement of shared situation awareness

� Opportunity to foresee potential accident



Road map








Zoufftgen accident case study

� Context of the accident:

� 2 trains collided head on near Zofftgen, on the boundary between Luxembourg and France

� 6 deaths, 1 wounded

1. BEA TT (Land Transport Accident Investigation Bureau) (2009). Technical Investigation Report on the Train Collision that occurred on 11 October 2006 on the French/Luxembourg Border at Zoufftgen (Moselle).

� Report direct and indirect causes of the accident1

� Mistake issuing the pass-through order

� Failure of attempts to rectify the situation

� Insufficient knowledge of the central control post staff

� Unrealistic division of tasks

� Laissez-faire approach to monitoring staff


Hazardous management of the dissonance contributing to the accident

� Barriers removal

� Traffic Controller did not carry out all the prescribed preliminary checks before issuing a pass-through order

� Normalization of deviant behaviours

� This omission seemed to occur fairly often at the Bettembourg CCP since the wrong-track working fixed equipment display is not in the Traffic Controller’s visual field when he is looking at the check lights for the tracks towards France

� 107 written orders to pass through a Main Fixed Signal were issued over the three-month period, before the accident

� Silent migration

� Violation of staff handover procedure, due to poor procedure usability

� At 11h30, the Morning Traffic Controller wanted to leave but theEvening Traffic Controller had not yet arrived

� This quite common practice is contrary to the regulations

� In addition to the oral handover, the Morning Traffic Controllergave a sheet of “scrap paper” to the Evening Train Announcer


Functional resonance model of the accident

High frequency of signal faults

Insufficient check

Lateness of traffic controller/ barrier removal

Violation of staff procedure / barrier removal

Poor usability of procedure and HCI

Traffic control activity

Pass-through order

Dual task reducing attention resources

O I

T C

R P

Resilience function: Adaptation


Mistake-proving device� Restoring the capability of visual piloting

� Such trends, as issuing written orders have to be detected, expressed to all stakeholders in order to be fixed

Severity

Probability

Catastrophic Critical Marginal Negligible

Frequent High High Serious Medium Probable High High Serious Medium Occasional High Serious Medium Low Remote Serious Medium Medium Low Improbable Medium Medium Medium Low Eliminated Eliminated


��

�

Accident


Expressing foreseeable or incredible accidents to operators� Simulation complements the visual display expressing

explicitly the current migration

� Simulation expresses to operators the accident that should happen soon within the actual context

� For instance, inlayed augmented reality

� Maintaining the capability to rectify the situation

� Secure equipment reliability

� Relevant and well known skills to cut off traction power,

� Knowing the perimeter and the limits of the button (marshalling yard track), to phone to the operators who are able to cut off the traction power



Road map








Conclusion and perspective

� Conclusion� Resilient management of dissonance: expressing this

gap and enhancing shared situation awareness in order to restore visual piloting capacity

� Perspective � Enhance FRAM in order to model trend and express

the two kinds of variability (normal and out-of-range)

� Enhance visual piloting

� Express foreseeable or incredible accidents to operators

� Prepare an open-ended experiment


References

� Barrier bypassing / barrier removal:� VANDERHAEGEN F. (2010). Human-error-based design of barriers

and analysis of their uses. Cognition, Technology and Work, 12(2), pp. 133-142.

� Resilience:� ZIEBA S., POLET P., VANDERHAEGEN F., DEBERNARD S. (2010).

Principles of adjustable autonomy: a framework for resilient human machine cooperation. Cognition, Technology and work, 12 (3), pp.193-203.

� OUEDRAOGO K-A., ENJALBERT S., VANDERHAEGEN F. (2013). How to learn from the resilience of Human–Machine Systems?. Engineering Applications of Artificial Intelligence, volume 26, issue 1, pp. 24-34.

� Dissonance engineering:� VANDERHAEGEN F. (2012). Dissonance Engineering for Risk Analysis.

Workshop: Risk Management in Life Critical Systems, Human-Centered Design Institute, Florida Institute Of Technology, Melbourne, FL, USA, mars.

� VANDERHAEGEN F. (2013). Dissonance engineering for risk analysis: a theoretical framework. International Summer School on Risk Management in Life Critical Systems, Valenciennes, France, July 1-5 2013.


References� Dominique Luzeaux & Jean-

René Ruault Systems of Systems ; Wiley, 2010

� Dominique Luzeaux, Jean-René Ruault & Jean-Luc Wippler Complex Systems and Systems of Systems Engineering ;Wiley, 2011


THANK YOU

VERY MUCH

FOR YOUR

ATTENTION

Sociotechnical systems resilience:a dissonance engineering point of view

Engineering

Transcript of Sociotechnical systems resilience:a dissonance engineering point of view