ABSTRACT

A recent development in safety management that has caught attention is “resilience engineering” (Hollnagel & Rigaud, 2006; Hollnagel, Woods, & Leveson, 2006; Woods & Wreathall, 2003). What “resilience engineering” exactly means is still a subject of discussion, but it is clear from the response of the scientific community that the concept appeals to many. According to Hollnagel et al. (2006), “resilience engineering” is “a paradigm for safety management that focuses on how to help people cope with the complexity under pressure to achieve success,” and one should focus on developing the practice of resilience engineering in socio-technical systems. The term “socio-technical system” here refers to the constellation of both humans and the technology that they use, as in the case of a nuclear power plant or an air-traffic control center. Systems like those mentioned earlier share the characteristic that the tolerance toward failure is low. The costs of failure in such systems are so high that considerable effort is spent on maintaining an “acceptable” level of safety in them. Indeed, most such systems can present an impressive record of stable performance over long time-spans. However, the few cases of failure have led to catastrophic accidents where costs have been high, both in terms of material damage and lives lost. Such accidents often lead to large revisions of safety procedures and systems, reinforcing the original system with altered or completely new parts aimed at improving safety. This process normally recurs in a cyclic fashion, moving the current level of performance and safety from one point of stability to another (McDonald, 2006). This kind of hindsight-driven safety development is a common practice. The process continues until the system is considered “safe” or the resources for creating new safety systems are depleted. Entirely new systems may be designed, encapsulating the original system with the purpose of making it safer. This is referred to as the “Matryoschka problem,” using the metaphor of the Russian dolls, which states that it is impossible to build completely fail-safe systems, as there will always be a need for yet another safety-doll to maintain the safety of its subordinate dolls. According to this metaphor, failure cannot be avoided completely; it may only become very improbable according to our current knowledge about it. Thus, we must accept that any system can fail (Lundberg & Johansson, 2006). In resilience engineering, it is proposed that the focus should lie on the ability to adapt to changing circumstances. A system should thus be designed in such a way that it can cope with great variations in its environment. In this chapter, we argue that the focus on such “resilience” is not sufficient in itself. Instead, we propose that systems should be designed in such a way that resilient properties are balanced with the properties aimed at coping with common disturbances.