organisational model of safety

A contemporary view of organizational safety: Variability and interactions of organizational processes

Tom Kontogiannis*

Abstract

Studies of qualitative assessment of organizational processes (e.g., safety audits and performance indicators) and their incorporation into risk models have been based on a ‘normative view’ that decomposes organizations into separate processes that are likely to fail and lead to accidents. This paper discusses a control theoretic framework of organizational safety that views accidents as a result of performance variability of human behaviors and organizational processes whose complex interactions and coincidences lead to adverse events. Safety-related tasks managed by organizational processes are examined from the perspective of complexity and coupling. This allows safety analysts to look deeper into the complex interactions of organizational processes and how these may remain hidden or migrate towards unsafe boundaries. A taxonomy of variability of organizational processes is proposed and challenges in managing adaptability are discussed. The proposed framework can be used for studying interactions between organizational processes, changes of priorities over time, delays in effects, reinforcing influences, and long-term changes of processes. These dynamic organizational interactions are visualized with the use of System Dynamics. The framework can provide a new basis for modeling organizational factors in risk analysis, analyzing accidents and designing safety reporting systems.

Keywords: Organizational safety, systems theory, variability, complexity and coupling, safety management, system dynamics

* Technical University of Technology, Dept. of Production Engineering and Management
Address for correspondence to Tom Kontogiannis, Technical University of Technology, Dept. of Production Engineering and Management, University campus, Chania, Crete, GR 73100, Greece; [email protected]

1. Introduction

The importance of management and organizational factors in high risk industries has been emphasized by both industrial practitioners (Dien et al., 2004) and researchers (Reason, 1997; Rasmussen and Svendung, 2000). This field of research grew out of the root cause analysis of major accidents and the realization that technical failures and human errors could be traced to ‘latent’ failures in the organization. Safety management can break the accident trajectory by providing ‘defenses-in-depth’ such as training, ergonomic design and procedures, supervision and leadership, communication networks, and a safety culture to govern the interactions of multiple actors.

A prevailing line of thinking in industrial safety claims that it is not necessary to predict the entire sequence of events to prevent an accident; any type of ‘defenses in depth’, if it works, will terminate the trajectory of a potential accident (Reason, 1997). This line of research has been retrospective and the impact of organizational factors has been based on major accident analysis.

The need to arrive at assessments and predictions of organizational safety has taken two directions: (i) assessing the quality of organizational factors in terms of ‘safety audits’ (Hudson et al., 1994) and ‘organizational indicators’ (Marcus et al., 1990; Wreathall et al., 1992) and (ii) incorporating the impact of organizational factors into a risk model of the system (Davoudian et al., 1994; Embrey, 1992; Pate-Cornell & Murphy, 1996; Papazoglou et al., 2003). This impact has been established through a process of rating the quality of organizational factors and weighting their relative effects on human performance. The rating and weighting of factors have been based on expert judgment and their total influence was obtained by aggregating the effects through all levels using ‘simple sum of products’ or ‘influence diagrams’; the final effect is fed to a risk model of the technical system and the risk estimate is recalculated.

These studies have taken a normative approach that decomposes the organization in terms of a formal hierarchy of ‘separate’ factors or processes (Le Coze, 2005). This ‘de-compositional approach’ forces safety analysts to examine potential deficiencies in each organizational factor as a source of threat to safety.

The aim of this paper is to review this normative approach to organizational safety and discuss a framework for studying the complex interactions of organizational factors that could give rise to risks. This would provide a more comprehensible basis for understanding the impact of organizational factors on accidents and for supporting the development of organizational risk models.

The framework draws upon a contemporary view of accidents as a result of performance variability of human behaviors and organizational processes whose complex interactions and coincidences may lead to adverse events (Rasmussen and Svendung, 2000; Hollnagel, 2004; Leveson, 2004). In particular, human variability can be seen as a source of adaptability and human error. Studies in naturalistic decision making (Klein et al., 1993) have shown that the same ‘heuristics’ used by experts to adapt performance to job constraints (e.g., time pressure) can be seen as ‘biases’ that impede a change of direction in decision-making when the situation takes an unexpected turn. The management of performance variability accepts that accidents are not always individual failures of components and organizational functions but that, instead, they are the result of function variability and complex interactions between functions (Hollnagel, 2004). Of course, actual failures may be seen as an extreme form of performance variability (i.e., the tail end of a distribution) but the main point is that accidents may sometimes happen even though nothing seems to have failed as such.

In this paper, variability and interactions of organizational processes are studied from a control theoretic viewpoint that addresses aspects of complexity and coupling (Perrow, 1999).

The paper presents an integrated framework for studying interactions of organizational processes, changes of priorities over time, delays in effects, reinforcing influences, and long-term changes of processes. These dynamic organizational interactions are visualized with the use of System Dynamics. The framework explains how well-intended efforts to improve safety may generate side-effects and how local decisions can become uncoordinated in the long term. It can also be used to understand coupling effects and asynchronous changes of different organizational processes that impact safety. When applied proactively, the framework can contribute to dynamic models of organizational factors that can be incorporated into risk models – a good example of how System Dynamics can be used in risk analysis has been provided by Mohaghege et al. (2009). In accident analysis, the framework can be used to describe uncontrolled organizational interactions that contributed to undesired events.

2. Variability and interactions of organizational factors in safety

Organizations operate in an open environment and their exchanges can be rich and dense. Increasing competition, societal pressures and de-regulation are cases in point that can inflict changes in technology, reforms of organizational structure and adaptation of means of control (e.g., work schemes and procedures). Organizations must adapt their structure and transform their processes to manage these demands over time. This is a challenge to organizations as it is difficult to anticipate suitable forms of adaptation that match contextual demands.

Studies of high reliability organizations (Roberts, 1990; Weick et al., 1999) have shown that variability in their operating modes was selectively used to adapt to the situations encountered. Variability of operations ranged from a formal centralized organization to a high tempo and an emergency one. The high tempo organization was characterized by having a decentralized authority and high degree of functional redundancy to protect against errors. Effective control of authority variability and adaptability, however, comes at a cost of increased training and coordination needs. A study of authority structures in the cockpit found that captains who could adopt a flexible style of centralized and decentralized authority caused some confusion as the rest of the crew were unable to predict what style the captain would adopt next (Helmreich et al., 1998); additional training was required so that the flight crews could improve their anticipatory and coordination skills.

The control theoretic framework provides a basis for examining aspects of organizational variability and adaptation to contextual demands. The dimensions of complexity and coupling (Perrow, 1999) can be used to examine how organizational processes interact in ways that are difficult to predict and sometimes prone to failure.

Complexity refers to the connections between sub-processes, their information requirements, and their degree of differentiation or fragmentation. One source of complexity, for instance, regards the coordination of organizational reforms and technological changes. One part of a system may undergo a technological improvement which necessitates a synchronous change in the authority structure and means of control (e.g., new control systems and procedures); asynchronous coordination and fragmentation of work processes has led to many accidents related to the management of change (Leveson, 2004; Kletz, 2001).

Coupling refers to potential means for absorbing disturbances, redundancies to recover failures, dependencies between barriers, and available degrees of freedom to achieve system functions. In particular, the dependence of organizational factors is very important since improvements in one factor may erode another factor, or a third factor may influence their functioning. A case in point is the Uberlingen mid-air collision in which a contributory factor was the informal practice of keeping only one of the two air traffic controllers on the radar, while the other would get some rest out of sight of the other. As a result, the single controller had to perform many tasks sequentially and give each task limited attention (Busby and Bennett, 2007). Here, coupling between tasks and competences was not due to the original job design but rather arose from the informal organization of work.

The proposed control theoretic framework starts out with the ‘safety gap’ to be investigated, that is, the discrepancy between the actual and goal states as perceived by the organization. Safety gaps can be created either internally by inadequate responses to established goals or externally by changes in the organizational environment (e.g., new task demands, time pressure, unexpected events). In both cases, the organization has to reduce the safety gap by changing the operating modes of organizational processes (e.g., shift to a decentralized authority structure) and by managing the interactions between different processes. In this respect, the aim of the proposed framework is twofold: (i) identify alternative operating modes of processes that can adapt better to the current situation (i.e., process variability) and (ii) examine the dynamics of interaction of organizational processes.

On the one hand, process variability raises two issues: (i) mapping of alternative operating modes (e.g., centralization – decentralization) to different environmental demands (e.g., low tempo – high tempo situations) and (ii) controlling or adapting variability (e.g., being able to work at both modes, switching between modes, synthesizing modes). On the other hand, changes in the operating modes of a process are likely to impact on other organizational processes. This requires a systematic framework for studying aspects of complexity and coupling involved in the interaction of processes in order to reduce the initial safety gap. Finally, a formal representation of the variability and interactions of organizational processes is proposed in terms of system dynamics that address several elements of control theory (e.g., conflicting goals, perceptions of the safety gap, feedback and feedforward control modes, constraints on action and degrees of freedom, time delays and non-linear interactions).

The control theoretic framework is presented in section 3 together with a set of organizational factors that have been used in many risk models. The first aspect of control regards the alternative operating modes of organizational processes and section 4 reviews four main challenges that organizations encounter in controlling variability. The second aspect of control regards the interaction of organizational processes. In this respect, section 5 looks at a general control framework that addresses aspects of goal or target discrepancies, different perceptions and mental models of the problem as well as modes of authority and control. The dimensions of complexity and coupling are used in sections 6 and 7 in order to examine how organizations can control process interactions that are complex and dynamic. Finally, section 8 concludes with a scheme for applying the proposed framework in the context of risk analysis and accident investigation.

3. A control theoretic framework of organizational safety

Although a systems view of organizational safety has been adopted by several researchers (Rasmussen and Svendung, 2000; Hollnagel, 2004; Leveson, 2004), the variability and interactions of organizational processes have not been put into a practical framework. Most approaches in systems theory conceive of organizations as hierarchical structures with communication and control processes that operate at the interfaces between organizational levels and entail an upper level imposing constraints upon a lower one. Top-down channels provide information to lower levels about safety goals and standards that are transformed into specific plans for action and assigned to different personnel. Operational practices adapt the safety plans to the local situations and provide feedback to higher levels about the degree of fulfillment of safety standards and plans. Managers and operators must have adequate knowledge of potential hazards and organizational processes to accomplish several safety-related tasks. Finally, control may be enforced either in a prescriptive mode or in a feedback mode with many degrees of freedom to be satisfied according to the local context (Hollnagel, 1993).

This control theoretic framework has been used to structure several organizational factors, examine sources of variability and study interactions and couplings that may be prone to failure. A well established list of organizational factors, developed by Jacobs and Haber (1994), has been adapted and condensed into a list of ten factors as defined in Table 1. Although the original list of organizational factors was proposed for modeling risk in nuclear power plants, an adaptation of it can be used for several high-risk industries. All factors referring to administrative knowledge and decision-making have been retained while communication factors and human resources factors were collapsed into two items in Table 1. Organizational knowledge and culture have been grouped as one factor that pervades many organizational processes and constitutes a common source of influence on processes such as formalization of work, authority structure and communication.

Insert Table 1 here

Figure 1 shows a control theoretic framework of organizational safety at the management and operational levels. Interactions of the organization with the wider environment are modeled either at the level of goals and policies of safety management systems or at the level of safety information that can be audited directly by regulatory authorities; the framework can be further extended in this direction on the basis of earlier work (Rasmussen and Svendung, 2000; Leveson, 2004). Organizations that operate complex systems have to make tradeoffs between conflicting goals such as safety, production, delivery times, and utilization of capacity. The manner in which managers and supervisors handle goal conflicts and prioritize goals is important for safety management. This brings to the fore the role of organizational knowledge and culture that constitute the deepest set of beliefs about how the world works, about potential hazards and about perceptions of organizational capabilities. This mindset, or paradigm out of which the control system arises, can remain resistant to change or adaptation because social beliefs and assumptions remain largely unstated (Meadows, 1999). This is shown in Figure 1 as an upper control loop that is similar to the ‘double loop learning’ or ‘double control loop’ of organizational learning (Argyris and Schon, 1996).

The focus of this paper has been mainly on the primary or bottom control loop that includes organizational goals, policies, safety plans and feedback reporting systems. In this sense, safety goals are passed onto the supervisory level and are transformed into specific plans for action (i.e., formalization of work) that are assigned to different personnel (i.e., division of work). At the shop-floor level, operational practices (i.e., competence) adapt the safety plans to variations in the environment, making use of available resources and safety barriers and exploiting several means of redundancy (i.e., resource allocation). To assess the adequacy of safety plans and update the mental models, a feedback loop is established to the higher levels of supervision and management. Safety Management Systems have placed particular emphasis on the processes of plan formalization, division of work, and operational feedback that challenge senior management. Specific safety tasks are portrayed in Figure 1 for the organizational processes as indicated by an earlier review (Bellamy et al., 2006).

Insert Figure 1

Finally, control of authority and coordination at each level may be enforced either in a prescriptive mode (i.e., feedforward control or coordination by rules) or in a loosely implemented mode as ‘performance objectives’ with many degrees of freedom to match the local context (feedback control or coordination by mutual adjustment).

Two-way communication channels are utilized to exchange formal and informal information between operators or between different organizational levels. External communication of the organization with regulatory institutions and public interest groups could also be considered in order to examine the organizational interface with the environment. In addition, coordination can be viewed at the management and supervisory levels required to synchronize management of change and organizational reforms.

The proposed framework integrates a structural theory of organizational processes (Jacobs and Haber, 1994) with aspects of complexity and coupling (Perrow, 1999) to examine complex interactions of processes that can lead to adverse events. In general, the more complex and tightly coupled the safety tasks, the more complex the interactions of the organizational processes. The framework also examines how organizational processes vary their capabilities to adapt to changes in contextual demands.

To apply the proposed framework to case studies and examine possible organizational interactions, a formal representation has been selected according to system dynamics. Several studies have shown that system dynamics is a powerful method for modeling organizational interactions (Marais et al., 2006) and organizational learning (Tucker and Endmonson, 2003; Cooke and Rohleder, 2006) in the context of system safety. Several studies have used system dynamics in the analysis of incidents such as Chernobyl (Salge and Milling, 2006), Westray mine (Cooke, 2003) and Challenger (Dulac et al., 2005), while relatively fewer have applied it to prospective risk analysis, mainly in the nuclear power domain (Yu et al., 2004; Mohaghege et al., 2009). System dynamics has been very useful for the examination of reporting systems, particularly in health care organizations (Tucker and Endmonson, 2003; Andersona et al., 2006). The framework uses mainly the representation of causal loop diagrams to consider multiple balancing and reinforcing loops that interact in dynamic ways and produce complex effects that are difficult to foresee in the first place.

A balancing loop (or a negative loop) is a structure that bridges the gap between an actual and desired state through some action. Figure 2 models how safety programs or interventions can reduce the gap between actual safety and target safety. The delay mark (i.e., the double line) models the time that elapses between causes and effects on a loop. The choice of states to be modeled depends on the purpose of the analysis. ‘Visibility of results’, for instance, may be useful to examine how the complexity of the situation and the detection capability of practitioners affect the perception of the safety problem. In the same way, ‘pressure to set up a safety policy’ may be affected by other external pressures and, hence, reduce the effort to be invested in safety programs.

A reinforcing loop (or positive loop) is basically a self-loop that changes the initial state variable and can generate growth, amplify deviations or reinforce changes (Sterman, 2000). Figure 3 shows how a safety improvement plan may produce unintended side-effects or reactions that exacerbate the safety problem reported in the first case. Side-effects may not have an immediate impact and the system reaction may remain latent for a long time (see delay mark in Figure 3) until an action or event triggers the reaction. External influences on the action effects may also be modeled in order to examine the resulting changes in the rate at which growth/decline is produced. The proposed framework provides a theoretical basis for postulated interactions of organizational processes that can be further elaborated in terms of causal loop diagrams.

Insert Figures 2 and 3
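The balancing and reinforcing loop structures described above can be tried out numerically. The following Python sketch is an added illustration, not part of the original paper: the update rule, the parameter names (gain, delay, visibility, side_gain, side_delay) and all numeric values are assumptions, since the paper gives only the causal structure of the loops.

```python
"""Discrete-time sketch of a balancing loop with delay and a reinforcing
side-effect loop. Every name and number here is an assumption made for
illustration; the paper describes the loop structure only.
"""


def simulate(steps, target=100.0, start=60.0, gain=0.3, delay=0,
             visibility=1.0, side_gain=0.0, side_delay=0):
    """Return the safety index at each step (arbitrary units, floor at 0).

    gain        effect of one unit of intervention effort on safety
    delay       steps between an intervention and its effect (delay mark)
    visibility  fraction of the real safety gap that is perceived
    side_gain   strength of unintended side-effects of interventions
    side_delay  steps during which side-effects stay latent
    """
    safety = [start]
    effort = []  # intervention effort decided at each step
    for t in range(steps):
        gap = target - safety[-1]            # the 'safety gap'
        effort.append(visibility * gap)      # effort follows the perceived gap
        level = safety[-1]
        if t >= delay:                       # balancing loop: delayed benefit
            level += gain * effort[t - delay]
        if side_gain and t >= side_delay:    # reinforcing loop: latent harm
            level -= side_gain * effort[t - side_delay]
        safety.append(max(0.0, level))
    return safety


def overshoot(safety, target=100.0):
    """How far the safety index rose above the target (0 if it never did)."""
    return max(0.0, max(safety) - target)


def final_gap(safety, target=100.0):
    """Remaining gap between target and actual safety at the last step."""
    return target - safety[-1]


if __name__ == "__main__":
    scenarios = {
        "balancing, no delay": simulate(40),
        "balancing, delay of 3 steps": simulate(40, delay=3),
        "balancing, low visibility": simulate(10, visibility=0.5),
        "with latent side-effects": simulate(150, side_gain=0.4, side_delay=6),
    }
    for name, run in scenarios.items():
        print(f"{name:30s} peak={max(run):7.2f} "
              f"overshoot={overshoot(run):6.2f} final gap={final_gap(run):7.2f}")
```

With these assumed values, the delayed balancing loop overshoots the target and oscillates before settling, and the side-effect run improves for six steps before the latent reaction reverses the gain and the gap starts to widen.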

4. Challenges to the control of variability of organizational processes

There is increasing evidence that organizations manage to adapt to changes in task demands by controlling their authority structure, division of work, coordination and degrees of operator freedom (Hollnagel, 2004; Klein, 2003; Grote, 2007). Controlling the variability of organizational processes is a challenging task that is associated with increased training and coordination needs. Many major incidents can be seen as failures to change operating modes or match contextual demands to modes. To understand the challenges in controlling variability, a control theoretic view has been adopted that examines how variety in contextual demands is matched by variety in the organization.

Control of variability usually takes the form of adaptation of organizational processes to a continuum between two poles. Table 2 shows how organizational processes can adapt between two sets of operating modes in order to respond to contextual demands. In general, the spectrum can be defined as ‘optimization’ versus ‘agility’ (Alberts and Hayes, 2007) since one set of operating modes focuses on hierarchical organizations that opt for efficiency, optimized planning and economical use of resources whilst agile organizations opt for thoroughness in assessing problems and utilizing resources; this is akin to the ‘efficiency’ and ‘thoroughness’ distinction (Hollnagel, 2009; Marais & Saleh, 2007). The two poles can also be described as ‘minimizing uncertainty’ versus ‘handling uncertainty’ (Grote, 2007) since one set of modes focuses on how to predict uncertainties and minimize their effects while the other focuses on how to enable organizational actors to cope with the uncertainty locally.

Insert Table 2

In familiar situations, organizational hierarchies may be very effective since information needs are likely to be well known, appropriate means may be available at the right place and optimization can be the most suitable strategy. For situations that call for many work groups with different backgrounds and degrees of expertise, organizational hierarchies can also provide formal means for coordination and procedural support for areas where expertise is lacking.

All of this changes when organizations are faced with unfamiliar situations that are likely to change course over time. Organizations dealing with complex and dynamic situations must seek agility, that is, models, goals and responses that are flexible, innovative, adaptive and resilient. Agility requires that a variety of perspectives are brought to bear (i.e., multiple mental models) and that human resources can be employed in a flexible manner to meet the needs of a variety of situations. While agile organizations are not optimized to perform familiar tasks, they may be able to develop innovative solutions to familiar problems over time. This is because they allow front-end operators significant freedom of action and greater decision latitude.

Agility provides for adaptation by requiring organizations to decentralize decision making to front-line units who have first-hand information about the situation and exploit better any opportunities that may arise; coordination by mutual adjustment can also contribute to greater adaptation. Finally, agility requires a state of mindfulness (i.e., a critiquing stance) to operational feedback so that inappropriate actions are detected and recovered, which enhances resilience. To achieve these aspects of agility, organizations need to provide rigorous training to their practitioners (i.e., to increase competence and willingness to accept responsibility) and establish a just and trusting culture (Reason, 1997) to promote coordination between units.

A study of organizational coordination and collaborative planning (Windischer et al., 2009) suggested that it is unlikely that practitioners will rely entirely upon one type of organization; a synthesis of operating modes across the spectrum is required to match the context of work. For instance, increases in the complexity and coupling of the technical system would shift the preferred operating modes towards thoroughness, provided that competence of organizational actors was high. Necessary conditions for the control of organizational flexibility would include a reporting and just culture (Reason, 1997) as well as a mindful culture (Weick and Sutcliffe, 2001) that would be vigilant to failure and sensitive to the front-end operations. However, these conditions are not sufficient to develop knowledge of how to operate at both modes as well as abilities to switch between modes. This section reviews a number of challenges to the control of variability.

4.1 Developing competence to operate at both sides of the spectrum

Effective control of variability implies that organizations can operate at both sides of the spectrum and change operating modes to match the demands of a variety of situations. Developing this capability, however, comes at a cost of increased training needs so that practitioners acquire redundant skills for a variety of domains. Broadening the bandwidth, or degrees of freedom, may be a good strategy to increase flexibility, for instance, but it also leads to increased demands for training. In a study of coordination mechanisms in railway organizations (Grote et al., 2008), a high degree of decision latitude was found in shunting operations since they must be carried out in so many different contexts (e.g., within stations, on shunting yards with varying degrees of automation, etc.). However, shunters were reluctant to exploit the degrees of freedom offered in the operating procedures, probably because of their low level of qualification. So the issue becomes that increased flexibility should be accompanied by higher investments in personnel qualifications and training. This emphasis on flexibility, however, may have implications for the education of managers and supervisors to become willing to accept greater uncertainty with regard to the actions of their subordinates as they are able to operate at different modes of the spectrum.

4.2 Switching between modes and evaluating the cost of change

Switching between operating modes in the spectrum is an essential capability for controlling organizational variability. Because it is unlikely that the same operating mode will be suitable for different situations, practitioners should be able to predict when to switch modes and how to coordinate this transfer. Changing authority structures in the cockpit, for instance, has often caused some coordination problems in anticipating what leadership style the captain would adopt in the next phase (Helmreich et al., 1998). Switching modes requires extensive communication to avoid confusion and minimize risks resulting from the new operating mode; this is very hard to achieve under time pressure. In some cases, a more efficient operating mode may be found but teams could be reluctant to change because of the time-consuming communications required. Klein and Pierce (2001) presented the case of a battalion commander who realized that his plan was running into trouble and knew how the plan should be altered. However, he considered how many different groups would have to be notified and how unreliable the communications were, so he decided to continue with the plan. The process of changing to a new mode may be complicated by the complexity of the precautions and safeguards required to bring technological systems to stable states before aborting the existing mode.

4.3 Bridging the gap between different operating modes

An alternative to switching modes could be creating a synthesis between modes to maintain a balance. Self-organizing behaviors, for instance, require decentralized planning so that operators are able to make rapid decisions without the need to notify and get agreement from their supervisors. However, an authority structure that is too decentralized may have trouble in synthesizing data from different sources to develop an accurate picture of the situation (Klein et al., 2005). Is the team appropriately structured to permit self-organizing behavior and, at the same time, synthesis of different inputs (centralization)? Unfortunately, there are very few concrete suggestions on how to bridge the gap between different modes of the spectrum.

An ethnographic study of scheduled outages of nuclear power plants (Bourrier, 1998) provided some useful indications of how to balance ‘compliance with rules’ and ‘initiative at the front line’. In two plants, operators were observed to make modifications of maintenance procedures to respond to situation variances, time pressure, and problems of equipment availability. In one of the plants, operators were not allowed officially to modify procedures and were reluctant to provide any operational feedback to the management. In the other plant, operators were involved in the design and update of procedures and supervisors devoted time to this recurrent modification task.

Although the final decisions were made by upper management, a clear delegation of autonomy was left to the front-line operators when field issues were concerned. This ‘higher-order autonomy’ allowed operators to decide upon the restrictions of their own autonomy through their involvement in the design of procedures.

4.4 Developing a mindset for adaptation and change

An adaptive organization is one that expects to find problems with the current assessment of the situation and therefore expects to make changes in operating modes in the course of problem solving. In the context of military organizations, Klein and Pierce (2001) have raised several questions regarding this mindset for adaptation – e.g., Does the team try to preserve or challenge the current understanding of the situation? Does the team expect to find weaknesses in the current plans? Is the team orientation to dismiss weaknesses or take them seriously?

This mindset for adaptation can be expressed as sustaining an ambivalent and critiquing stance towards the problem. In complex systems, operators are faced with situations that are partly familiar and partly novel. For these cases, Weick and Sutcliffe (2001) have argued that ‘people should retain a model of situation created by their past experience but also watch for unfamiliar and novel cues in the interest of building a comprehensive story or account of events’. Maintaining ambivalence requires practitioners, on the one hand, to retain well-tried and proven operating modes but, on the other hand, to remain vigilant to the possibility of changing to a different mode as the situation takes an unexpected turn. Engaging in simultaneous belief and doubt is admittedly a difficult exercise but this stance of ambivalence may be required in order to exploit the valuable experience of practitioners and, at the same time, leave more opportunities for improvisation and error recovery.

Effective control of variability also requires that practitioners accept greater job responsibilities that are manifested as ‘seeing old things in new ways’, ‘critiquing well-tried and proven plans’ and ‘accepting greater uncertainty by granting autonomy to subordinates’. Critiquing goals and plans requires that practitioners forgo standard procedures in favor of what amounts to ‘reinventing the wheel’ every time that a plan of action is called for. Seeing old things in new ways, staying ahead of the situation, and setting milestones for revisions are the last things people want to do every time they have to develop a course of action. ‘Reinventing the wheel’ may involve all these cognitive strategies in planning, yet new experiences are gained that may enable people to develop a new understanding of the situation and detect problems at an early stage.


5. Aspects of control and organizational interactions

A control theoretic framework accepts that organizational structures and control modes are affected by the goals and safety standards set by the controllers (e.g., the managers, supervisors and operators). The implementation of goals and the coordination of actions, in turn, depend on the mental models and knowledge of controllers about potential hazards, accident causes, affiliations to receive support, and strategies to reduce risk. Safety goals and mental models are likely to affect the way that organizations adapt their authority structures and control modes to the context of work. These aspects of mental models, organizational structures and control are considered in this section in order to understand interactions between the safety and production systems, lagging effects of safety programs and side-effects caused by well intended adaptations. Dynamic organizational interactions can be visualized with the use of causal loop diagrams and system archetypes (Braun, 2002; Marais et al., 2006).

5.1 Goal prioritization and conflict resolution

The analysis of human performance in safety-critical systems requires a thorough identification of strategic factors including the multiplicity of goals, the tradeoffs being made, and the pressures present that affect the final decisions. Although the practitioner’s highest goal may be related to safety, there are also other goals to consider that may be less explicitly articulated (e.g., reducing costs, maintaining production levels, responding to external pressures). Goal variety is difficult to manage because priority criteria may change over time and long-term effects of decisions are difficult to understand.

The ‘eroding/drifting goals’ archetype (Marais et al., 2006) can be used to model interactions between safety and production goals and lagging effects of safety programs that may be difficult to understand. Figure 4 shows that when the gap between actual safety and target goal exceeds a limit, pressures to improve safety increase, hence leading to safety programs that eventually increase safety (Bsafety_program). The safety gap, however, can also be reduced by adjusting safety priorities downwards (Bsafety_priority) which reduces the requirements for balancing the gap with more safety actions (Bsafety_program). Vaughan (1996) proposed the term ‘normalization of deviance’ to refer to this situation where teams repeatedly accept a lower standard of performance until that lower standard becomes a norm.

Safety gaps in the form of near misses, injuries, and incidents can also lead to loss of productive capacity, creating links between the safety and the production system. Such productivity losses will lead to pressures for increasing performance that may erode or subvert safety priorities over time. Safety programs often do not show immediate results (delay mark in Figure 4) which creates a perception of programs as being ineffective, at least in the short term (Bsafety_perception); this makes it likely for managers to lose sight of the program value that will ultimately reduce accidents in the long term (Marais et al., 2006). Time delays, dependencies and long term effects are factors that are likely to influence how managers perceive the effectiveness of safety programs which ultimately lead to adjustments of safety priorities.
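The two balancing loops and the delay described in this section can be run as a small stock-and-flow simulation. The following Python sketch is an added illustration, not part of the paper; the 0-100 safety scale and every parameter value (gains, delay, gap limit, erosion rate) are assumptions chosen only to make the dynamics visible.

```python
"""Discrete-time sketch of the 'eroding/drifting goals' archetype.

Added illustration; all parameter values are assumptions, not data from the paper.
"""
from collections import deque
from dataclasses import dataclass


@dataclass
class Params:
    target: float = 90.0        # initial safety goal (arbitrary 0-100 scale)
    safety: float = 60.0        # initial actual safety level
    gap_limit: float = 5.0      # gap tolerated before pressure to improve builds
    program_gain: float = 0.05  # share of the excess gap turned into program effort per step
    delay: int = 6              # steps before a safety program shows results
    erosion_rate: float = 0.0   # share of the gap removed per step by lowering the goal
    steps: int = 120


def simulate(p: Params):
    """Return a list of (step, safety, target, gap) tuples, one per step plus the end state."""
    safety, target = p.safety, p.target
    # Programs that have been started but have not yet produced results.
    in_progress = deque([0.0] * p.delay)
    history = []
    for t in range(p.steps):
        gap = target - safety
        history.append((t, safety, target, gap))
        # Balancing loop "safety program": pressure builds only beyond the tolerated gap.
        pressure = max(gap - p.gap_limit, 0.0)
        in_progress.append(p.program_gain * pressure)
        # Results of the program started `delay` steps ago arrive now.
        safety = min(100.0, safety + in_progress.popleft())
        # Balancing loop "safety priority": the goal is adjusted downwards to shrink the gap.
        target -= p.erosion_rate * max(gap, 0.0)
    history.append((p.steps, safety, target, target - safety))
    return history


def closure_breakdown(history):
    """Split the gap closure into (safety actually gained, goal lowered)."""
    _, s0, g0, _ = history[0]
    _, s1, g1, _ = history[-1]
    return s1 - s0, g0 - g1


if __name__ == "__main__":
    for label, rate in (("goal held firm", 0.0), ("goal allowed to drift", 0.05)):
        hist = simulate(Params(erosion_rate=rate))
        gained, lowered = closure_breakdown(hist)
        _, safety, target, gap = hist[-1]
        print(f"{label:22s} safety={safety:6.2f} target={target:6.2f} "
              f"gap={gap:5.2f} gained={gained:5.2f} goal_lowered={lowered:5.2f}")
```

In both runs the reported gap shrinks to roughly the tolerated limit or below, so the gap alone does not reveal that the drifting organization settled at a much lower level of actual safety.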

Many managers, for instance, would improve safety in terms of redundant systems but fail to anticipate possible forms of system dependencies (Sagan, 1993). Because the perception is that safety will be improved with higher redundancy, managers tend to compensate by increasing performance pressure or by making the system perform at higher tempos (Bsafety_perception). This ‘overcompensation’ problem may have been a contributory factor in the Challenger accident. When safety engineers feared that the critical O-ring would fail because of the extremely cold temperature at launch time, they were comforted by the (false) belief that the redundant O-ring would work, if the primary did not. This difficulty in understanding the effects of safety interventions led decision makers to increase production pressures and expedite the launch decision.

Insert Figure 4

5.2 Organizational safety models

All managerial and operator interventions on safety are associated with a ‘mental model’ of what safety means to them. Practitioners tend to construct their own ‘theory’ of potential hazards, accident causes, affiliations to receive support, and strategies to reduce risk. The bits of knowledge in the ‘mental models’ come from personal experience, perceptions, shared beliefs and problem-solving strategies in daily operations.

Practitioners’ internal models are vehicles for elaboration (i.e., understanding of the situation) and for directing attention to critical signs of risk. When combined with a mindset for adaptation, mental models can help managers and operators challenge their understanding and remain vigilant to the possibility of failure (Weick and Sutcliffe, 2001). In this sense, mental models can motivate managers to persevere with the programs despite an initial lack of results and become wary of problems of delay and dependency (see Figure 4).

Mental models that are shared in an organization can create a multiplicity of views that provides the requisite variety necessary to cope with a spectrum of safety critical situations. Organizational culture plays an important role in imbuing people with common approaches that reconcile conflicting mental models and improve coordination in the organization. Convergent mental models, however, bring with them a danger of collective fixation (i.e., a danger that some vital factors may be left outside the bounds of organizational perception). The Aberfan inquiry (Turner, 1978) made it clear that the pervasive set of beliefs and perceptions within the coal industry was oriented towards the problems of underground mining for coal, and away from tips as being a source of hazard in the mining industry. Institutional and organizational efforts were directed towards hazards arising from explosions and roof falls in mines. This mindset of possible hazards prevented the industry from revising their mental models and considering other less likely risks arising from tips on the surface of mines. The interaction between culture and mental models is difficult to manage because the change from a ‘collective view’ to a ‘collective fixation’ tends to happen slowly and often becomes imperceptible. In addition, it is difficult for an organization to realize that it is becoming fixated until an accident occurs that makes people aware of their complacency.

5.3 Delegation of authority and control

Safety management of complex organizations requires the integration of large quantities of data that are rarely available to the persons who make the decisions at the right time. A centralized authority structure increases the amount of information passed at higher levels and hence, the risk of information distortion and delay. A predictive approach is often taken (i.e., risks are identified in advance) in combination with a feed-forward mode of control where rules and procedures are specified in detail to minimize uncertainty and cope with the situation (i.e., procedural control). By contrast, a decentralized structure that empowers initiative and uses feedback control can enable front-line operators to handle uncertainty locally, without authorization from higher command levels. Local adaptation can handle many unfamiliar situations but, in a distributed system, could become disconnected from global constraints.

Figure 5 shows how decentralization enhances organizational performance (e.g., by reducing the amount of communication) and expedites decision-making in high tempo situations (Bdecentralisation). In a distributed system, however, local practice may drift to become disconnected from global constraints. An analysis of the destruction of two US Army Black Hawk helicopters over Northern Iraq by two USAF fighter aircraft (Snook, 2000) indicated that local pressures of operational practice induced a shift to locally efficient but globally inconsistent procedures. This ‘practical drift’ can create coordination problems which reinforce the initial performance gap (Runintended_effects).

Another cause of coordination problems relates to the tendency of decentralized teams to resolve obstacles by themselves without bringing them to the attention of supervisors, or without searching for underlying organizational causes; hence teams are less likely to engage in this type of second-order problem solving. Tucker and Edmondson (2003) asserted that the flip side of empowerment and decentralization is the removal of supervisors from daily work activities, leaving the local teams on their own to resolve problems that may stem from other parts of the organization with which they have limited interaction. Figure 5 demonstrates how well-intended efforts to create empowerment and adaptation can generate side-effects in the long term.

A change of the organizational structure to respond to one goal (e.g., privatization of business or introduction of new technologies) may generate side-effects to other goals or safety-related programs. Organizational reforms entail the movement of personnel to new posts, the creation of new work teams, and possibly new patterns of departmental interaction. In this sense, changing the structure is a critical process that may induce risks in a safety program. For instance, the restructuring of railways in the UK led several managers to suspect that whatever conclusions they drew from their experience of signals passed at danger (SPADs) could easily be played down by new job responsibilities; this has undermined their determination to carry their finding through (see the analysis of the Ladbroke Grove train crash in Busby, 2006). Variations of the authority structure should be carefully controlled, especially in large scale organizations.

Insert Figure 5

6. Aspects of complexity of safety tasks and organizational interactions

Organizational processes coordinate the management of many safety-related tasks but sometimes interact in ways that are difficult to predict and prone to failure. To understand the interactions among organizational processes, it is better to look into the complexity of the safety tasks that they are supposed to manage. Complexity refers to the number of tasks, their connections and their feedback loops that create a task network. High complexity implies a system with many branching points and feedback loops which makes interactions difficult to trace. Likewise, tasks may consist of many subtasks that impose an overload of information, have unintended feedback loops and entail unfamiliar or hidden interactions. Perrow (1999) also refers to complexity that stems from components that are close to each other (or interwoven) and organizations that employ specialized material that is difficult to substitute.

Hence, managing complexity may be achieved by chunking tasks (i.e., attenuating task variety) and allocating them to different operators with a range of skills (i.e., amplifying operator variety). Mapping tasks and roles to the organizational structure (i.e., differentiation and integration of roles) has practical implications for managing task complexity. The complexity dimensions of technological systems (Perrow, 1999) can provide valuable input in studying how task complexity affects the management of safety. The complex interactions between safety tasks can point to important interactions between processes that manage safety.

6.1 Scope of safety-related tasks

One source of complexity in safety management is the scope of safety-related tasks, which is a function of the number of subtasks, the potential outcomes, and the measures of success (e.g., speed, accuracy, cost, and flexibility of modification). This requires ‘extensive safety programs’ capable of coping with these aspects of complexity. Figure 6 shows a balancing loop (Bsafety_program) where a safety program is initiated to respond to a perceived problem; however, issues of cost, delayed outcomes and time pressure may encourage other types of safety interventions that seem to cure the symptoms of the problem in the short term. Some management groups, for instance, tend to diminish complexity by means of formalization of safety plans – e.g., issuing high level and abstract plans that at first seem to cope with all eventualities but often are not well tested and contain many hidden assumptions. This can be seen as a sort of ‘quick fix’ (Bfix) that may temporarily decrease the symptoms of the problem. As the complexity of the system increases, however, abstract plans may become more difficult to translate into concrete practices, or may remain untested, which decreases the effectiveness of the safety improvement program (R1, Figure 6). The causal loop diagram in Figure 6 corresponds to the ‘shifting burden’ archetype (Braun, 2002) or the ‘safety fixes’ archetype of Marais et al. (2006).

Another element that defines the scope of the task network is the amount and type of information required to accomplish safety tasks. Complex organizations generate a large number of messages that are likely to increase the chances of communication failures and information-handling problems. Complexity can be diminished by adjusting the division of work – e.g., increasing the number of practitioners involved in data collection. Without an elaborate data-collection plan, however, this fragmentation of information makes it difficult for observers to obtain the same information about the problem and could result in different ‘mindsets’ about the nature of the problem. Quick fixes can result in uncoordinated data collection that may mask the root causes and increase the size of the problem (see reinforcing loop R2 in Figure 6). In this sense, the processes of plan formalization and division of work interact in dynamic ways so that the initial positive effect is offset by undesired side-effects.

Insert Figure 6

6.2 Nonlinear interactions

Many safety critical systems are characterized by nonlinear interactions between their tasks whereby outcomes and inputs are not proportional, connections are unexpected or hidden and cause-effect relationships are cyclical (e.g., feedback loops). Nonlinear interactions make the behaviour of the system less predictable, especially in emergency situations.

Unexpected connections and cyclical effects create problems that cascade across multiple areas and affect the work of many practitioners. This makes it difficult to set up a safety management system with clearly defined roles because the safety problem cannot be broken into simple individual tasks that are combined at a later stage.

Safety critical situations are characterized by nonlinear interactions where many actors are involved, each provided with partial information about the emerging scenario, and often with a considerable degree of ambiguity in their task responsibilities. Given the complexity and vagueness of non-linear tasks, it is often difficult for one actor with one view of a hazard to convince another actor of the validity of that view. Nonlinear situations attract conflicting views that are difficult to reconcile. To cope with such conflicting views, people tend to simplify the problem which impacts upon their models of hazards (e.g., explain away the other actors’ views, or devalue the problem so that conflicts are seen as unimportant).

Another tendency to cope with the problem of nonlinearity is for safety practitioners to use formal predictive techniques as the main basis of decision making. This ignores the uncertainties involved in assessing complex scenarios and excludes any consideration of expert intuition. In the Challenger disaster, for instance, engineers who opposed the launch in a teleconference, to a large extent, based their opposition on intuition rather than test data which contributed to the NASA officials’ negative response to the opposing engineers (Leveson, 2007). It is now increasingly recognized that expert intuition can play an important role in making sense of non-linear situations (Weick and Sutcliffe, 2001; Klein, 2003).

6.3 Fragmentation and integration

Differentiation refers to the degree of job specialization in the organization. Specialists are essential in organizations that operate complex systems and increase the effectiveness with which tasks are performed. In Figure 7 a causal loop diagram has been drawn that depicts this process as a balancing loop (Bdifferentiation). However, as organizations become increasingly differentiated or specialized, the likelihood that an unforeseen and adverse event will fit into an existing organizational capability or frame is decreased. Even when warning signals are recognized, the structure of an organization can impede sharing of awareness and information.


A major public inquiry into children’s heart surgery at the Bristol Royal Infirmary (Kennedy, 2001) revealed that although the hospital was ‘awash with data’, these were not shared but were handled in a fragmented way due to flaws over lines of authority and responsibility for patient monitoring. Even in best practice organizations, high levels of vertical and horizontal differentiation may create the conditions for structurally induced inaction with tragic results (Runintended_effects).

Figure 7 also shows that the higher the uncertainty of the situation, the more profound the effect of poor coordination becomes. When faced with ambiguous or unusual events that do not fit current methods of organizing work, the very same process of division of work that accomplishes ordinary tasks can actually work to defeat appropriate responses. Figure 6 demonstrates that division of work interacts with communication and coordination in complex ways so that independent decisions in different parts of the organization can combine to impact safety.

Another feature of differentiation in complex organizations is that unit orientations and relationships are not constant for all situations and may change over time (Snook, 2000). Many organizational efforts to coordinate complex actions of differentiated teams focus on directives and procedures which fail to keep pace with the ever changing face of differentiation. Although rule-based efforts may manage the integration for long periods of time without any adverse event, this turns out to be deceptive and misleading to managers who continue to rely on the same rules. Directives written to coordinate current interactions may not apply in future situations. Continuous monitoring and modification of rules alone is unlikely to provide for adaptation. Integration is an ongoing accomplishment (Snook, 2000) and often requires switching between different coordination mechanisms such as regulation by rules and by mutual adjustment (e.g., cross-functional teams, liaison individuals). The challenge for organizations is to manage the interaction between division of work and coordination over a range of different contexts of work.

Insert Figure 7


7. Aspects of coupling of safety tasks and organizational interactions

The interaction between organizational processes can also be studied from the perspective of coupling which refers to potential barriers between processes, redundancies that recover failures, dependencies between barriers and finally, degrees of freedom allowed to achieve safety functions. Some dimensions of coupling (e.g., the dependence between organizational factors) are very important in studying side-effects since improvements in one factor may erode another factor. Constraints on means and degrees of freedom are important in examining the potential for error recovery while available time slack may affect how task progress is reviewed and how plans can change in due course. In general, the coupling between safety-related tasks can reveal several constraints in adapting organizational processes and recovering from failures. The framework can be extended to include the concept of coupling as shown below.

7.1 Barriers, redundancies and dependencies

The most obvious way to reduce coupling is the availability of barriers (Hollnagel, 2004) including physical barriers, functional barriers (e.g., interlocks, passwords) and symbolic barriers (e.g., alarms, warnings, signs).

Another way concerns the use of technical resources and human redundancies (e.g., a redundant operator monitoring the work of a colleague or an automated system). Figure 8 models the use of barriers and redundancies as alternative actions or means to achieve safety functions and bridge the gap in a safety problem (Bmain_action and Bother_action).

Unfortunately, several mechanisms may creep up in the organization and damage the effectiveness of barriers and redundancies. Most coupling mechanisms include a combination of two basic types, that is: (a) ‘internal dependency’ where one action that is part of one loop affects the operating conditions of another loop (e.g., the addition of an extra operator can lead others to be less observant or responsible) and (b) ‘common external influence’ where both action loops are affected by the same external influential factor (e.g., primary and redundant operators are using the same tool).

In the real world of organizations, however, different coupling mechanisms may exist that reinforce one another. A case in point is the shoot-down of two US Army Black Hawk helicopters under friendly fire (Snook, 2000). A large crew aboard the Airborne Warning and Control System (AWACS) aircraft knew that two US helicopters were flying through the no-fly zone, but none of them intervened when an F-15 pilot below them announced that he was going to shoot down two supposedly hostile helicopters. On the one hand, it is likely that the addition of extra operators may have led others to be less observant or responsible (internal dependency). On the other hand, organizational structure and culture may have a common external influence upon seemingly independent resources - e.g., diffusion of responsibility where everyone, but probably no one, is responsible for doing the job.

Organizational processes, such as authority structure and level of involvement, interact with the use of resources in ways that affect efficiency of operations and the degree of coupling.

For instance, redundancies may rely on different authority structures, such as a single operator being assisted by a redundant colleague, an operating team and a supervisor, or a team and a shift technical advisor. The level of involvement of the redundant supervisor in the daily activities of the operating team is another organizational factor that affects redundancy. A shift technical advisor, for instance, becomes available on call only (i.e., standby individual) while a team supervisor is actively involved in monitoring the team functions throughout the daily activities (Clarke, 2005). On the one hand, a standby advisor may be less efficient and take longer to reach a satisfactory understanding of the problem in comparison to an actively involved supervisor who is constantly aware at some level of detail of the system state. On the other hand, the dependence between the standby advisor and the team is lower because he is not typically as fully integrated into the team as the everyday supervisor. In many cases, organizations will have to trade off different structures carefully in terms of criteria of efficiency and coupling.

Insert Figure 8

7.2 Constraints on available means and degrees of operator freedom

Constraints can guide operators on how to take preventive measures and coordinate tasks in a safe manner. However, imposing too many constraints can limit the available methods to ones that may be efficient in the short term but difficult to adapt to variations in the environment. Increasing the number of constraints can produce tightly-coupled tasks with few degrees of freedom. In contrast, loosely coupled organizations make provisions for alternative means to achieve the task goal (see alternative action loops to solve the same problem in Figure 8) in case of failure or unavailability of resources.

While decision latitude and degrees of freedom may be a good strategy for increasing the reliability of a system, there are however some tradeoffs that are difficult to foresee. For instance, higher degrees of freedom and competence may be counterproductive in the long term due to increased demands for training and coordination. A study of coordination mechanisms in railway organizations (Grote et al., 2008) showed that higher degrees of freedom increased the coordination requirements between signalers and train drivers. An analysis of incidents showed that increasing the scope of action for signalers reduced possibilities for action in the other personnel. Collaboration demands increase as people must communicate their capacity to adapt their scope of action and agree on certain deviations from the overall plan. In this sense, the interactions between competence (or degrees of freedom) and coordination are affecting the degree of coupling between safety tasks.

As discussed earlier in Section 6.3, differentiation and job specialization may bring to the fore multiple views but could also create a ‘silo mentality’ between different professional communities.

Increasing operator variety (i.e., degrees of freedom and diversity) may encourage some form of ‘heedful inter-relating’ where people are helping out others even when this is beyond their formal duties. In a train collision at Ladbroke Grove, the train driver passed a signal set at danger, probably without realizing it. On seeing this, the signaler was slow to react (e.g., he could have radioed the train driver to warn him of the status of the system) but felt that this was beyond his formal job responsibilities (Busby, 2006); this ‘silo mentality’ has hindered error recovery. Despite the increasing demands for training, enhancing operator variety could reduce coupling and failures of error recovery due to the ‘silo’ effect.

7.3 Time dependencies

Another way to operationalize the concept of coupling, in the context of the control theoretic framework, would be in relation to the issues of processing delays, time slack and synchronization of large scale activities. First, time dependencies can be introduced by several delays in the ‘information-policy-plan-feedback’ loop of the proposed framework (Figure 1) as described below:

• Decision time for the interpretation of information to decide upon a policy
• Dead time that occurs in getting a plan started once a policy has been formulated
• Time constant of the operational practices for getting results from the plan execution
• Feedback delay from the production of results to the reporting or collection of information

It is interesting to compare the organizational response time (i.e., the sum of all delays in the ‘information-policy-plan-feedback’ loop) with the rate of change of the technological system. In a tightly coupled system, the rate of change in the states of the technological system could be much faster than the organizational response time (Cooke and Rohleder, 2005). Even a loosely-coupled system can be converted into a tightly-coupled system by slowing down the processing of information and decisions. Cooke and Rohleder (2005) argued that this may explain some incidents in loosely-coupled systems, like the Westray mine, where the organizational response time was too slow to respond to the growing evidence of unsafe conditions (e.g., the roof falls and the building up of methane).

Second, time-dependent tasks may pose a challenge to operators regarding how to coordinate, when to interrupt or resume tasks and when to change plans. Time slack is very important for communicating to others any intentions to change the overall plan in cases where the situation takes an unexpected turn. In some cases, a more efficient plan may be found but teams may be reluctant to change because of several time-dependent processes and communications. Emergent events, interruptions of tasks, and modifications of plans can undermine any on-going activities in the organization. Busby (2006) refers to this undermining of organizational activities as ‘disarticulation’ of activities. Becoming hostage to events as they emerge, being distracted from following plans and having to relinquish standard practices in order to make quick ad hoc adjustments, all create a disarticulation of activity (Busby, 2006).


Third, synchronizing large scale activities and organizational reforms can be a daunting task for many organizations. Leplat (1987) noted that many accidents relate to asynchronous evolution where one part of a system changes (e.g., new equipment is installed) without the related necessary changes in other parts (e.g., modification of procedures). An investigation of the Ladbroke Grove train collision (Busby, 2006) showed that the railway organization experienced difficulty in sustaining many simultaneous lines of development in a changing environment (e.g., installation of new signaling system and organizational reform). In one case, a thread involving the application of a risk assessment was interrupted by changes and discontinuities in the organizational structure. Kletz (2001) has described many incidents in the chemical industry resulting from inefficient coordination of technical and organizational changes.

8.

Concluding remarks

The proposed framework of organizational factors in safety draws upon a view of accidents as a result of performance variability of human and organizational processes whose complex interactions and coincidences can lead to adverse events. Accidents are not always the result of individual failures of components and organizational processes but, in many cases, they are the result of process variability and complex interactions that are difficult to foresee and control. Therefore, instead of looking into types of individual organizational failures (Hudson et al., 1994; Kennedy and Kirwan, 1998) the proposed framework examines problems in controlling the variability and interaction of organizational processes that can lead to unsuccessful performance.

Earlier studies on the impact of organizational factors on safety have adopted a normative view that decomposed organizations into a list of separate processes that were rated for their possible deficiencies and failures. The proposed systems view should focus on the ability of organizations to adapt to the demands of safety critical events. On the one hand, safety analysts should examine how organizations control their variability of operating modes and respond to several challenges such as developing competence at both sides of the spectrum, knowing when to switch modes or bridge the gap between modes, and maintaining a mindset for adaptation. On the other hand, the assessment of the relative contribution of organizational processes on safety should consider their dynamic interactions and especially changes of priorities over time, delays in effects, reinforcing influences, and confounding effects that may be triggered by actions at the front end. In this sense, Table 3 provides a synthesis of complex organizational interactions to be addressed in risk assessment and accident analysis.

Insert Table 3

The proposed framework can be put into practice to examine problems that organizations face in adapting their operating modes to different demands, understand the dynamics of interaction of organizational processes, and choose leverage points to intervene and improve safety. Figure 9 shows three stages of applying the framework prospectively in risk analysis or retrospectively in incident investigation.

1. The framework starts out with the ‘safety gap’ to be investigated, that is, the discrepancy between the actual and target goal states, as perceived by the organization. The first stage involves an examination of the processes and operating modes that the organization mobilizes to reduce the safety problem. Adapting operating modes to the situational demands entails many challenges that should be explored according to section 4.

2. The second stage involves an analysis of the interaction of organizational processes, all of which may be necessary to reduce the safety problem. However, a change in the operating mode of a process is likely to impact upon other organizational processes. The framework looks at process interactions by studying aspects of complexity, coupling and control (e.g., processes serving different goals, perceptions of the safety gap, feedback and feedforward control modes, constraints on action, time delays, types of dependency and degree of sharing awareness).

3. The final stage attempts to provide a formal representation of the variability and interaction of organizational processes in terms of system dynamics, which addresses many elements of control theory. System dynamics provides a simulation tool for studying organizational dynamics and for thinking of potential leverage points to intervene.

Meadows (1999) summarized several leverage points stemming from system dynamics; these are shown in Figure 9 in increasing order of effectiveness. For instance, reconciling goals and reframing mindsets are more difficult to achieve than strengthening balancing loops but the latter have a weaker leverage effect on the whole intervention effort.

Insert Figure 9

System dynamics is particularly helpful in gaining insights into the patterns exhibited by dynamic organizational systems as well as into the structures underlying them. The emphasis is not on point-precise prediction but on fostering understanding of the interaction and development patterns generated by the systems under study. Therefore, system dynamics models purport to test hypotheses about process interactions and help to recognize conflict potentials and tradeoffs, before the change process has even started. However, system dynamics does not provide a framework or theory of organizational design. For this reason, several theoretical systems approaches have tried to use system dynamics for testing their propositions. Examples include the Soft Systems Methodology (SSM, Lane and Oliva, 1998), the Viable System Model (VSM, Schwaninger, 2004), and Theory of Constraints (TOC, Mabin et al., 2006). In this sense, the framework and system dynamics are useful in analyzing and testing process interactions as proposed by theories of organizational design, operational feedback and near miss or incident reports.

In the framework, process interactions are modeled as multiple feedback loops with their own control modes, rates of changes and constraints. In general, people tend to think in terms of single causal series and have difficulties in systems with side effects and multiple causal paths (Dorner, 1996). When the cognitive maps held by different safety analysts are expressed as causal loop diagrams it becomes easier to discern multiple causal paths, hidden or nonlinear interactions, and sources of dependency. Nonlinear effects are modeled as positive loops that reinforce or amplify whatever is happening in the system. Often small and random changes may be amplified by positive loops and generate growth patterns in space and time. In highly dynamic systems, causal loop diagrams can help analysts to study multiple feedback loops with different strengths, lags, and information flows. Even a comprehensible cognitive map of the causal links of organizational processes can run into problems without any simulation facilities for studying the dynamics of change of the processes involved.

The framework can be used to understand dynamic and complex process interactions that led to safety problems as implicated in operational feedback and incident reports. When used prospectively, however, the framework can generate interaction patterns that are difficult to interpret or support by organizational theories. For this reason, the predictions of the framework require some form of empirical testing, experimentation, or validation by human experts in the domain of practice. Another limitation is that the framework has looked into adaptations of the internal organization whilst interactions of the organization with the wider environment have not been examined adequately. An expansion of the framework into the wider environment of inter-organization communication, regulatory control and public interest groups could be made along the lines of similar control theoretic approaches advocated in Rasmussen and Svedung (2000) and Leveson (2004).

References

Alberts DS, Hayes RE (2007) Planning: Complex Endeavors. Command and Control Research Program (CCRP), Washington, DC

Anderson JD, Ramanujam R, Hensel D, Anderson MM, Sirio CA (2006) The need for organizational change in patient safety initiatives. International Journal of Medical Informatics 75: 809–817

Argyris C, Schon DA (1996) Organizational Learning II: Theory, Method, and Practice. Addison-Wesley, Amsterdam

Bellamy LJ, Geyer TA, Wilkinson J (2006) Development of a functional model which integrates human factors, safety management systems and wider organizational issues. Safety Science 46: 461–492

Bourrier M (1998) Constructing organizational reliability: the problem of embeddedness and duality. In: Misumi J, Wilpert JB, Miller R (eds) Nuclear Safety: A Human Factors Perspective, Taylor and Francis, London, pp. 25–48

Braun W (2002) The system archetypes. Available from klu.ac.at/~gossimit/sd/wb_sysarch.pdf