Jun 25, 2007 - bred for meeting standard threats need transpositioning to counter threats not foreseen by anybody. The flight of United Airlines 232 is an ...
Resilience Engineering: New directions for measuring and maintaining safety in complex systems Third Progress Report, June 2007 Sidney Dekker & Erik Hollnagel Lund University School of Aviation
Resilience Engineering: New directions for measuring and maintaining safety in complex systems Third Progress Report June 2007 Sidney Dekker & Erik Hollnagel The aviation industry as benchmark for resilience engineering is interesting only when it can be compared with at least one or a few compelling contrast cases. These industries should have their safety-critical nature in common with aviation, as well as an express willingness to learn from failure. Healthcare delivery, and in particular critical care medicine, is one candidate under consideration for further investigations of resilience engineering in other industries. Another is process industry, or even emergency/rescue services. Contrasting a selection of industries for their efforts to turn lessons from past failures into a broader, resilient future, is necessary for discovering contingent requirements for how to engineer resilience into a complex system. What works for one may not work for the other, or rather, particular measures of resilience (e.g. “preparedness”) may find completely different expressions in different systems. Also, these various industries (or their key constituent organizations) may be variously ill-calibrated about their own sources of safety and risk, making it hard to learn meaningful, actionable lessons from past failures. This second year will therefore help lay bare the scope and nature of problems in learning from failure by (selected) industries next to aviation, documenting their current practices, preconditions and aspirations, and building a requirements analysis for how to make resilience improvements sensitive to the constraints and opportunities offered by the various industries. Proposed deliverables 2007: Report(s) on learning activities and viability of resilience concepts across other worlds (e.g. aviation healthcare, nuclear, road traffic, railways, process industry). Activities first half 2007 In order to be able to generate the 2007 deliverables, we have done the following during the first half of 2007: •
Began to investigate the role of safety leadership in learning from failure and resilience at Swedish Nuclear installations (in collaboration with SKI, Statens Kärnkraftsinspektion). 2
• •
•
•
Fieldwork is planned at nuclear installations during the autumn of 2007 so as to add to the corpus of contrast cases consistent with proposed 2007 deliverables. Planned 2-month long fieldwork in a variety of departments at a large teaching hospital so as to generate a contrast case consistent with the 2007 workplan. This fieldwork will be carried out during December 2007 and January 2008. Continued the experimental work with mid-fidelity simulations to study the learning and relevance of generic skills beyond proceduralized knowledge of how to handle escalating situations (see further in this progress report). This work has been a collaborative effort with Nicklas Dahlström, Roel van Winsen, and James M. Nyce. On another NCO project (“lära sig att lära), conducted extensive field studies at three kommunala räddningstjänster to study the organizational, sociological and psychological factors involved in learning from räddningsinsatser. The report from this work will be made available through NCO separately. Organized a workshop on ”Resilience Engineering” in Vadstena, Sweden 25-27 June, 2007 (http://www.ida.liu.se/conferences/REW07/) as an opportunity to discuss and contextualize the latest findings.
The remainder consists of a report on the experimental work conducted during (and initiated at the Fall 2006 referensgruppsmöte) the Spring of 2007, which offers some (we believe) compelling insights into the relationship between validity and fidelity of simulator training and its consequences for the creation of resilient crews in a variety of operating worlds. James M. Nyce, Nicklas Dahlström, Roel van Winsen (all of Lund University School of Aviation) have all contributed to this work.
3
Resilience, training and learning: Reflections on context-specific simulation and generic skills in escalation management 1 Introduction Operational life contains situations whose subtle and infinite variations will mismatch the exact circumstances of training. It may contain surprises, situations that fall outside the textbook. Practitioners must be able to apply skills and knowledge acquired through training, to situations that even the trainer was unable to foresee. Much of training in one such operational world today—aviation—focuses on technical skills (see Dalhström, Dekker & Nählinder, 2006). These aim to build up an inventory of techniques or competencies for the operation of an aircraft and its systems. From the very first moment, such training is quite context-specific: it is set in, and tightly anchored to, the local technical environment (of an aircraft cockpit or a simulator of as high a fidelity as economically feasible) in which problem-solving activities are to be carried out. This is analogous to other domains that assert the primacy of learning-by-doing (for example surgery, see Bosk, 2003). It can mean that generic abilities like human-machine coordination, communication, problem-solving, or escalation management are left largely to arise and mature from the exercise of context-specific work. But do they? Fundamental surprises There will always be a residue of technical and environmental problems that we have not prepared crews for (i.e., they are not in their inventory, see Dismukes, Berman & Loukopoulos, 2007). Formal mechanisms of safety regulation and auditing (through e.g., design requirements, procedures, instructions, policies, training programs, line checks) will always somehow, somewhere fall short in foreseeing and meeting the shifting demands posed by a world of limited resources, uncertainty and multiple conflicting goals. For this residue we have to count on crews’ generic competencies in problem-solving and coordination. These surprises at the edges of an otherwise very safe system stem from limits in the industry’s knowledge, or, more often, limits on its ability to put together diverse pieces of knowledge, as well as from limits on understanding operational environments (Lanir, 2004). Our knowledge base for creating safety in complex systems is inherently imperfect (Rochlin, 1999). Often the problem is not that the industry lacks the data. After all, the electronic footprint left by any commercial flight today is huge. The problem is an accumulation of noise as well as signals, which can muddle both the perception and conception of “risk” (Amalberti, 2001; Dekker, 2005). Pockets of expertise that may have predicted what could go wrong often existed in some corner of the industry long before any accident. For example, the engine types on the Pinnacle type aircraft had assembled a history of problems with in-flight restarts during flight tests, and problems with wiring and chafing were not new in the late nineties. But few or no operational crews would have been aware of any of this in part because of structural industry arrangements that formally regulate who gets or needs to know what, and in what depth. Resilience and the limits of expertise As a result, some crews will, at some point or another, be left to “fend for themselves” at the margins of a well-built, extremely well-monitored, safe industry. It is at these edges that the skills bred for meeting standard threats need transpositioning to counter threats not foreseen by anybody. The flight of United Airlines 232 is an extreme example. The DC-10 lost total hydraulic 4
power as a result of a tail engine rupture, with debris ripping through all hydraulic lines that ran through the nearby tailplane in mid-flight. The crew figured out how to use differential power on the two remaining engines (slung under the wings, below the aircraft’s center of gravity) and steered the craft toward an attempted landing at Sioux City, Iowa, which a large number of passengers (and the crew) subsequently survived. Thinking outside the box, taking a system way beyond what it was designed to do (even making use of an adverse design quality such as pitching moments with power changes), are hallmarks of resilience. Resilience is the ability to recognize, absorb and adapt to disruptions that fall outside a system’s design base (Hollnagel, Woods, & Leveson, 2006), where the design base incorporates soft and hard aspects that went into putting the system together (e.g., equipment, people, training, procedures). Resilience is about enhancing people’s adaptive capacity so that they can counter unanticipated threats. Adaptive capacity with respect to a narrow set of challenges can grow when an organization courts exposure to smaller dangers (Rochlin, LaPorte, & Roberts, 1987). This allows it to keep learning about the changing nature of the risk it faces—ultimately forestalling larger dangers. Such adaptation could be one explanation behind recent data that suggest that the passenger mortality risk on major airlines that suffered non-fatal accidents is lower than on airliners that had been accident-free (Barnett, 2005). Sioux City is a desperate case. Crews can counter many threats effectively by replicating or slightly varying the technical skills learned in a particular setting. Most situations in commercial aviation, after all, are quite ordinary or recognizable: they fit within the “box,” and, accordingly, crew behavior can stay “inside the box.” Then there is a huge middle ground. It consists of daily safety threats that feature (or occur because of) subtle variations that call for some adaptive capacity. For example, these threats can ask for extra work (e.g., gathering and processing more data, more communication and coordination), for the recruitment of additional expertise (e.g., dispatch, ATC) and the deployment of new strategies. Resilience here means effectively meeting threats that represent infinite reconfigurations of—or that lie entirely beyond—what the industry could anticipate. Simulation fidelity and development of resilience Some have suggested that low-fidelity simulations (that do not attempt to mimic the target technical environment) can actually improve many aspects of learning that will then help people deal with unanticipated situations (Rouse, W. B., 1981; Roscoe, 1991; Caird, 1996). As Caird (1996, p. 127) put it, “For decades, the naïve but persistent theory of fidelity has guided the fit of simulation systems to training.” In addition, Heeter (1992) concluded that the environmental presence experienced in simulated environments is determined more by the extent to which it acknowledges and reacts to the participant than by physical fidelity of the simulation. High levels of technologically-driven fidelity can simply be wasteful in terms of costs and time relative to the pedagogical undertaking at hand. In short, “featurism” can be distracting (Jackson, 1993), both for the trainer and the trainee, especially the features argued for, promoted and designed in are skewed in the direction of realism. The emphasis on photorealism in visual and task contexts can retard or even be detrimental to the development of skill sets critical for creating safety in domains where not all combinations of technical and operational failure can be foreseen (and for which failure strategies then cannot be proceduralized and simulated). The assumption that realism can capture all possible naturalistic cues in addition to the skills necessary to act competently in these domains is generous at best. Competencies the aviation community recognizes as important and significant (for example communication, coordination, problem-solving and management of escalating situations) are thought to emerge directly from context-fixed simulator work.
5
The focus on face-validity has muted perspectives on the use of simulation that would allow a more subtle analysis of cognitive and group interaction aspects to form the base of training and instruction. This is particularly true for training of skills related to Crew Resource Management (Baker, Prince, Shrestha, Oser & Salas, 1993), in particular in those situations where such skills are most needed; highly dynamic situations involving underspecified problems, time pressure, e.g. escalating situations not resolved by procedural guidance. Pertraglia (1998) observed that experience in the world can be neither “predetermined nor preordained” and that this, together with the willing suspension of disbelief, is what makes a simulated activity seem to be authentic as experience. The quarter-century long aviation industry focus on CRM has resulted in few attempts to provide training that incorporates situations with underspecified problems and time pressure in the context of group interaction, i.e. situations which are neither “predetermined or preordained” but take teams beyond the usefulness of procedural protocol. The so-called Multicrew Pilot License, which aims to qualify candidate airline pilots as part of a crew from the very beginning of their training, there is going to be an increased reliance on simulation and focus on development of CRM-skills. This makes it even more important to review the use of simulation in aviation training and the underlying assumptions it is based upon. Fidelity and validity: a more complex relationship than assumed At Lund University School of Aviation, we have been experimenting with lower-fidelity simulations over the last year, to assess the relationship between simulation fidelity and validity— that is, the connection between the faithfulness of the constructed world in which work was trained on the one hand, and the extent to which this actually supported the development of skills that could be mapped onto the target situation. We have used a low-fidelity simulation of a ship bridge (essentially consisting of a laptop computer, printer and table top), but with time-pressure and event-driven scenarios built-in. One major scenario is that of an escalating on-board fire. Trainees (also, if not particularly, those from worlds other than maritime) consistently say that this kind of simulation provides them with relevant and valuable training for their actual work. In spite, or perhaps because, of its lack of fidelity to photorealistic visual, aural and tactile feedback, the engagement and level of intensity of communication, cooperation and decision making in groups always surprises both participants and instructors. In debriefings, groups typically bring this up as an important influence on the training effect. There were no requests for increased fidelity to improve the simulation; in fact contrary opinions were voiced by participants. Such comments, together with observations of the focus (in particular on the first trip) on technical parameters (e.g. engine RPM, course and roll angle) and lack of process-oriented discussion, indicates that potential “improvements” to fidelity could have a detrimental effect on the validity of the training. For example, if we were to “engineer in” higher-fidelity elements, e.g. knobs, levers and buttons participants believe it would shift their focus from generic to procedural competencies. Also, since such higher-fidelity items could never bridge the qualitative gap to the “real” thing in any case, much attention and commentary would be directed to their insufficiency or still unconvincing nature. Initial concerns of the relevance of the training and any frustrations during the simulation (because of a lack of technical and procedural knowledge about a ship or its domain) had in the debriefing been replaced by an understanding of how this led to competences and understanding applicable to problems any practitioner might encounter. To experience such problems in combination with time pressure and group interaction (key features of the simulation training) was recognized as an opportunity requested but not provided by previous training. Observations support that a shift of domain seemed to recreate and emphasize the types of uncertainties encountered in incident and accident investigations. High-fidelity flight simulator training is normally focused on removing, rather than enabling, participant understanding of events of this
6
kind.. In addition, the non-domain specific environment seemed to encourage participants to step out of their normal roles and explore aspects of general group interaction competencies beyond procedures and theories. It may be that training in high-fidelity, highly context-specific, if realistic, environments, where essentially all problem-solving activities are to be carried out, can impede people’s imaginative involvement and the resilience it may eventually deliver. Training in high-fidelity settings alone valorizes the internalization of a series of highly contextualized instrumental stimulus-response relationships—putatively stress-resistant procedural responses which may be insensitive to, or even make actors unprepared for, contingencies outside of rehearsed routines. If the desire is to have learners to successfully extrapolate and improvise beyond a set of fixed learned responses, this issue of what is “carried away” from context-specific naturalistic simulation exercises does need to be looked at more carefully than it has in the past. As Roscoe (1991, p. 1) indicated, “Research has shown that innovations in training strategies, in some cases involving intentional departures from reality, can have stronger effects than high simulator fidelity on the resulting quality of pilot performance.” Indeed, confirmed Caird (1996, p. 128): “…there is some evidence from flight simulation that higher levels of fidelity have little or no effect on skill transfer and reductions in fidelity actually improve training. Reductions of complexity may aid working memory and attention as skills and knowledge are initially acquired.” In this sense the lack of physical fidelity in the lower-fidelity simulation enhances the focus on training of general principles of communication, coordination and problem solving in a workgroup. These principles are ones actors can use to understand and resolve situations beyond those covered by procedural guidance (Dörner, 1996). Locking training to context-specific environments affects more than the exportability of instrumentally-rehearsed skills. It can also amplify and reify role socialization. Effective management of escalating or otherwise novel situations has been associated with the breaking-out of roles and power structures that were formally designed into the system. It is not at all clear whether naïve (built to mimic reality) simulation can “train” in this direction at all. When roles are involved Weitz and Adler (1973, p.224) concluded that “…it might be wise to stress the principles, not the roles” to ensure that participants does not “become wedded to particular performances”. Roles and power structures often go hand-in-glove (e.g., Captain and First Officer), and various programs (e.g., CRM training in aviation) aim to soften role boundaries and flatten hierarchies in order to increase opportunities for coordinating viewpoints and sharing information. Operational success in the face of extreme or rapidly shifting demands can hinge on people going beyond the formal roles assigned to them—as illustrated by various near-accidents or accidents that could have been worse, such as United 232 at Sioux City (and see also Dekker, 2005). Conclusion If no training opportunities exist in which people can disconnect from the constant reification and elaboration of role behaviors, people’s ability to recognize what is going on and respond effectively, may remain inextricably anchored to (and fundamentally limited by) known and rehearsed roles (as shown powerfully in Weick, 1993). Lower-fidelity simulations can serve as an important complement in the creation of resilient crews. In the work we have conducted, they seem to force trainees to confront the interpersonal and goal-oriented demands of managing an escalating problem, without getting lost in or hiding behind the procedural specifics fostered in high-fidelity environments. There is a disconnect between fidelity (or photorealistic faithfulness) of a simulation and its validity (how the skills it develops map onto the target environment). Lower-fidelity simulation allows the development of and emphasis on generic problem-solving skills such as sharing knowledge, making and following up on plans, dividing work, stepping back for broader 7
evaluation, borrowing time from the future by current task investments, and maximally exploiting the available hierarchies and expertises in a group. These skills (and the confidence that comes from successfully deploying them even in settings other than the target environment) can contribute, we believe, to the development of reslient crews in a way that only high-fidelity training cannot. Traditional assumptions about simulation tend to portray both role and context as though they are natural, unalterable facts. This message seems to be implicit in almost all attempts at “realistic” simulation. We would, however, argue that this message conveys exactly the wrong thing if we want individuals and workgroups to be adaptive and capable of creative, appropriate improvisation—skills which are practiced effectively in lower-fidelity simulations, which by design lead participants to rethink their normal roles and behavior, in turn leading to the development of more adaptive and flexible competencies that add up to resilience in the face of surprise and escalating situations. References Amalberti, R. (2001). The paradoxes of almost totally safe transportation systems. Safety Science, 37, 109-126. Barnett, A., & Wong, A. (2000, April) Passenger-mortality risk estimates provide perspectives about airline safety. Flight Safety Digest, 19(4), 1-12. Baker D., Prince C., Shrestha L., Oser R. & Salas E. (1992). Aviation Computer Games for Crew Resource Management Training. The International Journal of Aviation Psychology, 3(2), 143-156. Bosk, C. (2003). Forgive and remember: Managing medical failure. Chicago: University of Chicago Press. Caird, J. K. (1996). Persistent issues in the application of virtual environment systems to training. Proc HICS ’96: Third Annual Symposium on Human Interaction with Complex Systems. Los Alamitos, CA: IEEE Computer Society Press, 124-132. Dahlström, N., Dekker, S. W. A., & Nählinder, S. (2006). Introduction of technically advanced aircraft in ab-initio flight training. International Journal of Applied Aviation Studies, 6(1), 131144. Dekker, S. W. A. (2001). Follow the procedure or survive. Human Factors and Aerospace Safety, 1(4), 381-385. Dekker, S. W. A. (2005). Ten questions about human error: A new view of human factors and system safety. Mahwah, NJ: Lawrence Erlbaum Associates. Dismukes, R. K., Berman, B. A., & Loukopoulos, L. D. (2007). The limits of expertise: Rethinking pilot error and the causes of airline accidents. Aldershot, UK: Ashgate Publishing Co. Hollnagel, E., Woods, D. D., & Leveson, N. G. (2006). Resilience engineering: Concepts and precepts. Aldershot, UK: Ashgate Publishing Co. Lanir, Z. (2004). Fundamental surprise. Eugene, OR: Decision Research. National Transportation Safety Board (2007). Report of Aviation Accident: Crash of Repositioning Flight, Pinnacle Airlines Flight 3701, Bombardier CL-600-2B19, N8396A, Jefferson City, Missouri October 14, 2004 (NTSB/AAR-07/01). Washington, DC: Author. Pertraglia J. (1998). Reality by design: the rhetoric and technology of authenticity in education. Mahwah NJ: Lawrence ErlbaumRochlin, G. I. (1999). Safe operation as a social construct. Ergonomics, 42, 1549-1560. Roscoe S. N. (1991). Simulator Qualification: Just as Phony as it Can Be. The International Journal of Aviation Psychology, 1(4), 335-339. Rouse, W. B. (1981). Human-computer interaction in the control of dynamic systems. IEEE
8
ACM Computing surveys, 13(1), 71-99. Weick, K. E. (1993). The collapse of sensemaking in organizations: The Mann Gulch disaster. Administrative Science Quarterly, 38(4), 628-652.
9
