Systems Thinking for Safety/Principles in Action
From SKYbrary Wiki
The principles in this White Paper encourage a different way of thinking about complex systems, in the context of both ordinary work and unusual events or situations. Anyone can use the principles in some way, and you may be able to use them in different aspects of your work. It is helpful to have working knowledge of some methods for data collection, analysis and synthesis that focus on some of the principles. Some specialists will already have knowledge of these (e.g. human factors specialists, systems engineers, safety investigators). These methods will tend to be of the following sorts.
Systems methods allow the consideration of the wider system and its interactions. These include many methods that can be used for describing, analysing, changing, and learning about situations and systems. You may wish to research the following methods: system maps and influence diagrams (see Open University, 2014); causal loop diagrams (see Meadows and Wright, 2009); activity theory/systems (see Williams and Hummelbrunner, 2010); seven samurai (Martin, 2004); FRAM (functional resonance analysis method; Hollnagel, 2012); AcciMaps (Rasmussen, 1997); and STAMP (systems theoretic accident model and processes; Leveson, 2004, 2012).
Observation of ordinary work with field experts, with or without a particular method, is important to understand how work really works (even, or especially, where an unusual event has occurred). By observing interactions over time, the flow of work becomes clearer, along with performance variability and the trade-offs used to manage complexity and deal with uncertainty. The focus of observation is work and system behaviour, not the individual. Work must be understood in the context of system conditions – demand and pressure, resources and constraints. Observation is non-judgemental and focuses only on what is observable. Alone, however, observation is insufficient to understand work.
Discussion with field experts is essential to understand why things work in the way that they work. Discussion may follow an observed period of work, or may relate to work and the system more generally, including activities, situations, occurrences or scenarios. This can be in the context of a one-to-one or group discussion. The principles may be especially useful in the context of team resource management (TRM) training, which involves strategies for the best use of all available resources – information, equipment and people. Discussion of the principles enables a better understanding of system behaviour.
Data and document review, in partnership with field experts, looks at data that exist in documents, information systems, and so on. This can help, for instance, to highlight patterns, trends and variability in interactions and demand over time.
Survey methods, such as questionnaires and interviews, may be used to collect data from a larger number of people, for instance concerning trade-offs used in practice, the adequacy of resources and appropriateness of constraints.
These and other methods are detailed in several books (e.g. Williams and Hummelbrunner, 2010 on systems thinking methods; Stanton et al, 2013, and Wilson and Sharples, 2014 on human factors methods).
The principles do not operate in isolation; they interrelate and interact in different ways, in different situations. This is illustrated in the following scenario.
Scenario: Alarm management
Imagine an engineering control and monitoring position. There is variability in the way that alarms are handled, and some important alarms are occasionally missed. This must be understood in the context of the overall ATM/CNS system (Foundation: System Focus). Since success and failure come from the same source – everyday work – it is necessary to understand the system and day-to-day work in a range of conditions over time (Principle 10: Equivalence). This can only be understood with the engineers and technicians who do the work (Principle 1: Field Experts). They will view their work from their own (multiple) perspectives, in light of their experience and knowledge, their goals at their focus of attention, and how they make sense of the work (Principle 2: Local Rationality).
In particular, it is necessary to understand how performance varies over time and in different situations (Principle 8: Performance Variability). For this, we must understand demand over time (e.g. the number, pattern and predictability of alarms) and the pressure that this creates in the system (time pressure; pressure for resources) (Principle 4: Demand and Pressure). Through observation and discussion, it is possible to understand the adequacy of resources (e.g. alarm displays, competency, staffing, procedures), and the effect of constraints and controls (e.g. alarm system design) (Principle 5: Resources and Constraints) on interactions and the end-to-end flow of work (Principle 6: Interactions and Flow) – from demand (alarm) to resolution in the field.
It will likely become apparent that engineers must make trade-offs (Principle 7: Trade-offs) when handling alarms. Under high pressure, with limited resources and particular constraints, performance must adapt. In the case of alarms handling, engineers may need to be more reactive (tactical or opportunistic), trading off thoroughness for efficiency as the focus shifts toward short-term goals.
Through system methods, observation, discussion, and data review, it may become apparent that the alarm flooding emerges from particular patterns of interactions and performance variability in the system at the time (Principle 9: Emergence), and cannot be traced to individuals or components. While the alarm floods may be relatively unpredictable, the resources, constraints and demand are system levers that can be pulled to enable the system to be more resilient – anticipating, recognising and responding to developments and events.
Source: Systems Thinking for Safety: Ten Principles. A White Paper. Moving towards Safety-II, EUROCONTROL, 2014.
The following Systems Thinking Learning Cards: Moving towards Safety-II can be used in workshops, to discuss the principles and interactions between them for specific systems, situations or cases.