What is Resilience Engineering?
Resilience Engineering Research Center
Kazuo Furuta
© K. Furuta

Changing focus of system safety
(Figure: timeline of accident models and eras of system safety; system complexity increases along the timeline. Axis marks: 1960, 1980, 2000. Events marked: de Havilland Comet, TMI-2, Chernobyl, Challenger, WTC, Tohoku earthquake.)
Accident model: Linear model (single root cause) -> Epidemiological model (multiple latent factors) -> Systemic model (emergent variability)
• Era of technology
– The issue is hardware failures.
• Era of human errors
– The issue is individual human performance.
• Era of socio-technical interactions
– The issue is improper socio-technical interactions.
• Era of resilience
– The issue is vulnerability against unanticipated situations.

Linear model
• Premise
– An accident occurs when a series of events occur in a specific order.
• Causes
– Malfunctions and failures (root causes) of a definite set of system components (equipment or humans)
• Countermeasures
– Eliminate events or situations that may become root causes of an accident

Principles behind linear model
• Decomposition principle
– Any system is composed of components and is understandable by reduction into those components.
• Bimodal state principle
– The functioning of any system can be described by just two states: normal (success) or abnormal (failure).
• Independence (linear) principle
– Interactions between system components are definite, and their functions can be assumed to be independent of each other.

Example of linear model
(Figure: event tree for a turbine-trip initiator. Column headings and their letters:)
Initiator: Turbine trip (TT)
Reactivity control: Reactor trip (C)
Pressure boundary: RV open (M), RV close (P)
Core cooling: Feed water (Q), HPCI (U), Depressure (X), LPCI (V), RHR (W)
Sequence column, top to bottom ("OK" is a success path; other entries list the functions that failed):
OK, OK, TT QW, OK, TT QUW, TT QUV, TT QUX, OK, TT PW, OK, TT PQW, OK, TT PQUW, TT PQUV, TT M, TT C
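As an added example (not from the slides), the event tree above can be enumerated in Python. The branching order is reconstructed from the slide's headings and its 16 end states, and the per-demand failure probabilities and turbine-trip frequency are constructed values, so the numbers only illustrate how the linear model's independence principle turns branch probabilities into sequence frequencies.

```python
# Added example (not from the slides): enumerate the turbine-trip (TT) event
# tree of the "Example of linear model" slide and compute accident-sequence
# frequencies under the linear model's independence principle. Branching order
# is reconstructed from the slide's 16 end states; all numbers are constructed.
# Letters are the slide's: C reactor trip, M RV open, P RV close, Q feedwater,
# U HPCI, X depressurization, V LPCI, W RHR. Constructed failure probabilities:
P_FAIL = {"C": 1e-5, "M": 1e-4, "P": 1e-2, "Q": 1e-1,
          "U": 5e-2, "X": 1e-3, "V": 1e-3, "W": 1e-3}
TT_FREQ = 1.0  # assumed turbine-trip initiator frequency per reactor-year

def core_cooling(rv_stuck_open):
    """Core-cooling sub-tree as nested (function, success branch, failure branch)
    tuples; leaves are "OK" or "ACCIDENT". With a stuck-open relief valve
    (P failed) the vessel is already depressurized, so X is not asked."""
    rhr = ("W", "OK", "ACCIDENT")
    low_pressure = ("V", rhr, "ACCIDENT")
    if rv_stuck_open:
        return ("Q", rhr, ("U", rhr, low_pressure))
    return ("Q", "OK", ("U", rhr, ("X", low_pressure, "ACCIDENT")))

# Full tree: reactivity control, then pressure boundary, then core cooling.
TREE = ("C", ("M", ("P", core_cooling(False), core_cooling(True)),
              "ACCIDENT"), "ACCIDENT")

def sequences(node=TREE, failed="", freq=TT_FREQ):
    """Depth-first walk, success branch first, yielding
    (sequence label, end state, frequency) for every path; the independence
    principle lets the frequency be a plain product of branch probabilities."""
    if isinstance(node, str):
        yield ("TT " + failed).strip(), node, freq
        return
    func, success, failure = node
    yield from sequences(success, failed, freq * (1 - P_FAIL[func]))
    yield from sequences(failure, failed + func, freq * P_FAIL[func])

def end_states():
    """The slide's end-state column: "OK" or the failed-function sequence."""
    return [state if state == "OK" else label for label, state, _ in sequences()]

def accident_frequency():
    """Sum of all accident-sequence frequencies (per reactor-year)."""
    return sum(f for _, state, f in sequences() if state == "ACCIDENT")

def dominant_sequence():
    """Accident sequence with the largest frequency, as (label, frequency)."""
    return max(((l, f) for l, s, f in sequences() if s == "ACCIDENT"),
               key=lambda t: t[1])
```

With the constructed numbers the hardware sequence TT M (relief valve fails to open) dominates, which is exactly the kind of single-root-cause finding the linear model is built to produce.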

Epidemiological model
• Premise
– A combination of multiple failures and latent conditions causes an accident.
• Causes
– Degradation of safety barriers (physical, functional, symbolic, conceptual)
• Countermeasures
– Detect and repair degradation of safety barriers organizationally
(Figure: Swiss cheese model)

Epidemiological view of human errors
(Figure: private factors, environmental factors and societal factors form the context; the context acts on the human cognitive mechanism.)
HEP = P(Unsafe act | EFC) × P(EFC)
• Error Forcing Context (EFC)
– A context in which humans inevitably make an error

Normal accidents
• Charles Perrow (1984)
(Figure: interaction/coupling chart. Interactions: linear or complex; coupling: tight or loose.)
– Linear, tight: dams, power grids, rail transport, airways
– Complex, tight: nuclear plants, DNA, chemical plants, space missions
– Linear, loose: assembly-line, mining, manufacturing
– Complex, loose: military adventures, R&D firms, universities
• Accidents in a huge and complex system are inevitable
– Unforeseen strong connections between separate parts of the system
– Non-linear system behavior
– Complexity beyond human understanding
– Erroneous safety protections
• Acceptance of technologies should not be determined by risk but by potential danger.

Complex system
(Figure: keywords illustrating complex systems: chaos, emergent phenomena, network system, stylized fact, fractal)

Non-linear system and resonance
(Figure: weak periodic signal + stochastic noise = amplified output; Tacoma Narrows, 1940)
• Stochastic resonance
– A weak periodic signal added to a non-linear system will emerge in the presence of stochastic noise.

Systemic model
• Premise
– The performance of system functions fluctuates continuously.
• Causes
– An unexpected combination (resonance) of performance variability causes an accident.
• Countermeasures
– Monitoring and damping performance variability

Four principles of FRAM
Functional Resonance Accident Model
• Equivalence of success and failure
– Success and failure both derive from the essential variability of system functions. There is no difference between them.
• Approximate adjustment
– Adjustment for damping performance variability must be incomplete and approximate due to resource limitations.
• Emergence
– System behavior emerges from the variability of non-linear system functions.
• Functional resonance
– An accident occurs when the variability of a system function exceeds a safety limit due to functional resonance.

Functional Resonance Accident Model
(Figure: variability of component functions over time combines into variability of the system function; an accident occurs where the system variability crosses the safety boundary.)

What is resilience?
• Ecological resilience (Holling, 1973)
– A measure of the persistence of systems and of their ability to absorb changes and disturbances and still maintain the same relationships between populations or state variables
• Seismic resilience (Bruneau, 2003)
– The ability of both physical and social systems to withstand earthquake-generated forces and demands and to cope with earthquake impacts through situation assessment, rapid response, and effective recovery strategies

What is resilience?
• Economic resilience
– The ability to escape from serious economic crises, or to recover from crises by mitigating the influence of external shocks
• Business resilience
– The ability to respond and adapt quickly to internal or external disturbances (business opportunities, demands, confusions, and threats), to suppress their impacts, and to continue business operations

Resilience engineering
• Resilience from the systemic view
– The intrinsic ability of a system to adjust its functioning prior to, during, or following changes and disturbances, so that it can sustain required operations under both expected and unexpected conditions.
• Resilience engineering
– Design methodology of resilience
– The objective of risk management is not reduction of risks, but enhancement of the ability to suppress system performance variability under changes, disturbances, and uncertainties.
Proactive risk management

High Reliability Organization (HRO)
• An organization in which the occurrence of accidents is kept below the standard level even under severe conditions
– Aircraft carrier, Air Traffic Control, nuclear power plants, Emergency Rescue Center
• Vigorously studied around 1990 at UCB
• Features common to HROs
– Mindfulness
– Ability to manage unanticipated situations

Implementation process
• Anticipation
– Get ready for long-term threats and changes
• Monitoring
– Watch system states and look for clues of threats
• Responding
– Take immediate actions to regulate function variability
• Learning
– Learn from good as well as bad consequences

Resilience triangle (Bruneau, 2003)
(Figure: functionality versus time. A crisis causes a sudden drop in functionality (damage); a high-resilience system recovers quickly and a low-resilience system slowly. The area between full functionality and the recovery curve is the resilience triangle.)

Assessment of resilience
• Key issue in assessing system resilience
– Different people have different interests, valuations, needs, and so on; resilience is different for different stakeholders.
• Demonstration with recovery of lifelines after the Tohoku Earthquake
– Maslow's five-layered hierarchy of human needs
– Persona method
Maslow’s hierarchy of human needs
• Physiological
– Freedom from hunger, thirst, sleepiness, fatigue, cold, etc.
• Safety
– Protection against hazards, threats, fear, and uncertainty.
• Social
– Desire to be liked by others, to belong to community, etc.
• Esteem
– Desire to be accepted, respected, and valued by others.
• Self-actualization
– Desire to become more and more what one is.

Decomposition of assessment measure
(Table: level, item, and the basic data used to assess the item)
Physiological
– Water: water supply, water wagons
– Food: shops, distribution
– Dwelling: home, refugee camps
– Medical care: hospitals
Safety
– Electricity: electricity grid, generators
– Water: water supply
– Gas: gas lines
– Information: Internet, TVs, radios
Social
– Privacy: home or refugee camp
– Job: workplace, employer
– Relatives: state of relatives
– Property: house, cars

Assessment for different stakeholders
• Persona
– An imaginary but very specific user model to be considered in designing products or services
– Not an average user
• Three characteristic personas of earthquake sufferers
– Based on publicly released notes of sufferers
(Figure: persona card)
Persona B
Age: 40s
Sex: male
Residence: Kesen-numa
Family: wife and 2 sons
Health condition: good, but blood pressure is a little high
Occupation: self-owned shop

Resilience triangle of utilities after Tohoku Earthquake (1)
(Figure: satisfaction (%) of physiological needs, 0 to 100, versus date (3/8, 3/11, 3/14, 3/17, 3/20, 3/23), one curve each for Persona A, Persona B, and Persona C.)

Resilience triangle of utilities after Tohoku Earthquake (2)
(Figure: satisfaction (%) of social needs, 0 to 100, versus date (3/8, 3/22, 4/5, 4/19, 5/3, 5/17, 5/31), one curve each for Persona A, Persona B, and Persona C.)
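As an added example (not from the slides), the persona-based resilience triangle of the assessment above can be computed in Python from item-level satisfaction and persona weights. The dates, satisfaction values and weights below are constructed, and the items follow the physiological level of the decomposition slide.

```python
# Added example (not from the slides): the resilience triangle of Bruneau et
# al. (2003) computed per persona from the decomposition of the physiological
# level (water, food, dwelling, medical care). Dates, item satisfaction values
# and persona weights are all constructed for illustration.
from datetime import date

# Constructed observation dates; the event is the 3/11 Tohoku earthquake.
DATES = [date(2011, 3, 8), date(2011, 3, 11), date(2011, 3, 14),
         date(2011, 3, 17), date(2011, 3, 20), date(2011, 3, 23)]
EVENT = DATES[1]
# Constructed item satisfaction (%) on each date.
ITEM_SATISFACTION = {
    "water":        [100, 10, 30, 60, 90, 100],
    "food":         [100, 20, 50, 80, 100, 100],
    "dwelling":     [100, 40, 40, 50, 60, 70],
    "medical care": [100, 30, 50, 70, 90, 100],
}
# Constructed persona weights: each persona values the items differently,
# which is why resilience differs between stakeholders.
PERSONAS = {
    "Persona A": {"water": 0.3, "food": 0.3, "dwelling": 0.2, "medical care": 0.2},
    "Persona B": {"water": 0.25, "food": 0.25, "dwelling": 0.4, "medical care": 0.1},
    "Persona C": {"water": 0.2, "food": 0.2, "dwelling": 0.2, "medical care": 0.4},
}

def satisfaction_curve(persona):
    """Weighted satisfaction Q(t) in % of one persona at each date."""
    w = PERSONAS[persona]
    return [sum(w[item] * vals[i] for item, vals in ITEM_SATISFACTION.items())
            for i in range(len(DATES))]

def resilience_loss(persona):
    """Area of the resilience triangle, R = integral of (100 - Q(t)) dt, in
    percent-days, by trapezoidal integration between observation dates."""
    q = satisfaction_curve(persona)
    return sum((DATES[i] - DATES[i - 1]).days * ((100 - q[i - 1]) + (100 - q[i])) / 2
               for i in range(1, len(DATES)))

def recovery_days(persona, threshold=90.0):
    """Rapidity: days after the event until Q(t) first reaches the threshold,
    or None if it does not within the observation window."""
    for d, q in zip(DATES[1:], satisfaction_curve(persona)[1:]):
        if q >= threshold:
            return (d - EVENT).days
    return None

def ranking():
    """Personas ordered from most to least resilient (smallest loss first)."""
    return sorted(PERSONAS, key=resilience_loss)
```

With these constructed inputs Persona B, who weights dwelling most heavily, never reaches 90% satisfaction within the window while the other two do, which is the stakeholder dependence the slides describe.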

Essential characteristics of resilience
(Figure: functionality over time (resilience triangle) near a safety boundary; adaptation restores functionality.)
• Margin
– How closely the system operates to a boundary
• Buffering capacity
– Size of disruptions that the system can absorb
• Flexibility
– Ability to restructure itself in response to changes
• Tolerance
– System behavior near a boundary (graceful degradation)

Premises in engineering design
• Systems are to be designed to satisfy specific design bases that are predefined.
• Situations beyond the design bases are not assumed. Functions beyond the design bases are not guaranteed.
• The probability that the system goes beyond the design bases is empirically predictable.
• Where to locate the design bases will not be determined by engineering but by economics and politics.

Safety based on probabilistic risk
(Figure: probability of loss versus scale of loss, showing a risk limit curve and the regions labelled risk reduction, risk transfer / retention, and risk retention.)

Overview of resilience engineering
(Figure: layered overview)
• Layers: synthesis, assessment, socialization
• Implementation process: anticipate, monitor, respond, adapt
• Base technologies: physics of failure, maintenology, intelligent training, condition monitoring, lifetime prediction, decision-making, ontology, simulation, incident analysis, replanning, human modeling, risk discovery, nondestructive inspection, performance indicator, data mining, energy strategy, assessment of safety culture, maintenance database

Super resilience
• Resilience is not restricted to a system's response to crisis, but also includes adaptation to slow and long-term changes.
– Resolution of the 3E trilemma (sustainability)
– Endless innovation under a changing global business environment
• Society can get stronger and smarter than the pre-event level by restructuring itself from experience.
(Figure: super resilience, recovery above the pre-event level)

Summary
• The conventional approach to risk management often does not work in actual situations. New approaches based on a systemic viewpoint are desired.
• Resilience engineering is a promising idea that can give a solution to the above problem, based on the concept of complex systems and the systemic model of accidents.