Not sure that these slides will make too much sense without the video, but here they are.

1. Advanced
PostMortem Fu
& Human Error 101
John Allspaw
VP, Tech Ops
Velocity 2011

3. We Want YOU
etsy.com/careers

4. Science
TimeTravel
Mythbusting
Reading
Homework

5. Here To Challenge You

6. Resilience Engineering
Dr. Erik Hollnagel Dr. David Woods Dr. Sidney Dekker Dr. Richard Cook

7. Complex, Dynamic

8. Fundamental Surprises

9. E.T.T.O.
Efficiency Thoroughness

11. Organizations, Policies, Procedures,
Regulations
BLUNT
Resources & Constraints

12. Organizations, Policies, Procedures,
Regulations
BLUNT
Resources & Constraints
Slips Adjustments
Operators
Compensations Mistakes
Lapses Recoveries
Violations Improvisations
SHARP

13. FUTURE
+
PAST

14. Why Do Them?

15. Why?
Understand the
failure

16. Why?
Understand the
system

17. Where “System” =
Networks
Servers
Applications
Processes
People

18. Where “System” =
Networks
Servers
Applications
Processes
People

19. People

21. (Anticipation)
Knowing
What
To Expect

22. (Anticipation)
Knowing Knowing
What What
To Expect To Look For
(Monitoring)

23. (Anticipation) (Response)
Knowing Knowing Knowing
What What What
To Expect To Look For To Do
(Monitoring)

24. (Anticipation) (Response)
Knowing Knowing Knowing Knowing
What What What What
To Expect To Look For To Do Has Happened
(Monitoring) (Learning)

25. (Anticipation) (Response)
Knowing Knowing Knowing Knowing
What What What What
To Expect To Look For To Do Has Happened
(Monitoring) (Learning)

26. Microphones are ON?

28. Event Awareness
Code Deploys

30. TIMELINE
IRC logging = Rich Data

31. TIMELINE Traces of Data
IRC logging = Rich Data

32. IRC Logs Fed Into Solr

33. Status
Blog
Twitter
Feed

34. Flight Data Recorder

36. Annotation Traces

37. Investigation Basics

38. Start?

39. TTD
How?

40. TTR

41. Stable
(“all clear”)

42. Impact Time = TTR - Start

43. SEVERITY

44. Severity 1
A. Total loss of service
B. Severe degradation, effectively unusable
C. Loss of a critical feature

45. Severity 2
A. Major degradation/feature loss for SUBSET of members
B. Minor degradation/feature loss for ALL members

46. Severity 3
Noticeable non-critical feature loss or degradation

47. Severity 4
No visible impact, loss of redundancy or capacity
headroom

48. Severity 5
No-impact but unexpected failure

49. 5/11/2011 - Payments/Checkout system issue
Start 4:10pm
TTD 4:15pm
TTR 4:30pm
Stable 4:35pm
Total Impact 20 min
Severity 1

50. • Basic metrics
• Timeline with details
• Remediations/Observations

51. “normal”
Incident PostMortem
operation
Time

52. How?
Why?
Prevention?

53. How

54. Crisis Patterns
Problem Starts
PostMortem
Time

55. Crisis Patterns
Problem Starts
Detection
PostMortem
Time

56. Crisis Patterns
Problem Starts
Detection
Evaluation
PostMortem
Time

57. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
PostMortem
Time

58. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Time

59. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
Time

60. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

61. Crisis Patterns
Problem Starts
Stress
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

62. Crisis Patterns
Problem Starts
PostMortem
Time

63. Crisis Patterns
Problem Starts
Detection
PostMortem
Time

64. Crisis Patterns
Problem Starts
Detection Evaluation
PostMortem
Time

65. Crisis Patterns
Problem Starts
Detection Evaluation
Response
PostMortem
Time

66. Crisis Patterns
Problem Starts
Detection Evaluation
Response
Stable
PostMortem
Time

67. Crisis Patterns
Problem Starts
Detection Evaluation
Response
Stable
PostMortem
Confirmation
Time

68. Crisis Patterns
Problem Starts
Detection Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

69. Crisis Patterns
Problem Starts Stress
Detection Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

70. Crisis Patterns
Problem Starts
PostMortem
Time

71. Crisis Patterns
Problem Starts
Detection
PostMortem
Time

72. Crisis Patterns
Problem Starts
Detection
Evaluation
PostMortem
Time

73. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
PostMortem
Time

74. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Time

75. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
Time

76. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

77. Crisis Patterns
Problem Starts Stress
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

78. Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

79. Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time

80. Problem Starts
Detection
Evaluation
Response
Stable
PostMortem
Confirmation
All Clear
Time
Internal and External Update Communications

81. Crisis Patterns
Problem Starts
Detection
Evaluation
Response
Stable
Confirmation
All Clear
Time

82. Crisis Patterns

83. Crisis Patterns
Forced beyond learned roles

84. Crisis Patterns
Forced beyond learned roles
Actions whose consequences are both important and
difficult to see

85. Crisis Patterns
Forced beyond learned roles
Actions whose consequences are both important and
difficult to see
Cognitively and perceptively noisy

86. Crisis Patterns
Forced beyond learned roles
Actions whose consequences are both important and
difficult to see
Cognitively and perceptively noisy
Coordinative load increases exponentially

87. Thematic Vagabonding
“butterfly minds”
NOT STUCK ENOUGH

88. Goal Fixation
(encystment)
TOO STUCK

89. Heroism
Non-communicating lone wolf-isms

90. Distraction
Irrelevant noise in comm channels

91. IMPROVISATION
REQUIREMENT for troubleshooting
complex systems

92. IMPROVISATION

93. IMPROVISATION

94. Why?

95. Root Cause Analysis
“With the unknown, one is confronted with danger,
discomfort, and care; the first instinct is to abolish
these painful states.
First principle: any explanation is better than
none.”
Friedrich Nietzsche
Twilight of the Idols, or
How to Philosophize with a Hammer

96. Hindsight Bias
Knowledge of the outcome influences the
analysis of the process
Makes steps towards failure appear
foreseeable and obvious

97. After The Fact

98. After The Fact

99. Reality: Before and During

100. Hindsight Bias
“Should have known better”
“All the signs were there, you just needed to
pay attention”

101. Hindsight Bias
BEFORE accident:
The future seems implausible
AFTER accident:
Obviously clear: “how could they not see what
mistake they were about to make”

102. Hindsight Bias
“...people’s need to be right
is stronger than their ability
to be objective.”
N. Crawford
American Psychological Association

103. Outcome Bias
Judging a past decision
based on its outcome.

104. ID Fishbone/Ishikawa
FMEA
Five Whys
Fault Tree CED
CRT

105. why?
OUTAGE

106. why?
because
this
OUTAGE

107. why? why?
because
this
OUTAGE

108. why? why?
because because
this this
OUTAGE

109. why? why? why?
because because
this this
OUTAGE

110. why? why? why?
because because because
this this this
OUTAGE

111. why? why? why?
because because because
this this this
OUTAGE
but: WHY?

112. which
caused
Some Caused other
Action Some Things things
OUTAGE
to
happen

113. Sequence-Of-Events

115. • Satisfyingly simple, easy to explain and document

116. • Satisfyingly simple, easy to explain and document
• Solves for a specific case
• Ignorant of surrounding circumstances
• Too focused on components
• Validates Hindsight and Outcome bias

117. NOT HELPFUL
• Satisfyingly simple, easy to explain and document
• Solves for a specific case
• Ignorant of surrounding circumstances
• Too focused on components
• Validates Hindsight and Outcome bias

118. Epidemiological
(adapted from Reason, 1990)

119. (adapted from Reason, 1990)

120. Holes = Active/Latent Failures,
Bad Things™ Waiting to Happen
(adapted from Reason, 1990)

121. Holes = Active/Latent Failures,
Bad Things™ Waiting to Happen
Cheese = Safety Barriers,
Layers of Defense (adapted from Reason, 1990)

122. (adapted from Reason, 1990)

123. Code Servers
(adapted from Reason, 1990)

124. Code Servers
Schedule Training (adapted from Reason, 1990)

126. Unmonitored Disk Space
(latent condition)

127. Capacity
Unmonitored Disk Space
Miscalculation
(latent condition)
(latent condition)

128. Capacity
Unmonitored Disk Space
Miscalculation
(latent condition)
(latent condition)
Unit Test In
Transition

129. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Transition

130. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced
Transition
(active failure)

131. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

132. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

133. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

134. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

135. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

136. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

137. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

138. Violation of known coding
Capacity standards Unmonitored Disk Space
Miscalculation (latent condition) (latent condition)
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)
FAILURE!

139. Capacity
Miscalculation
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

140. Capacity
Miscalculation
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

141. Capacity
Miscalculation
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)

142. Capacity
Miscalculation
(latent condition)
Unit Test In
Bug Introduced External API call
Transition
(active failure) (active failure)
NO FAILURE!

144. • Better than dominoes, but still linear layers of “defense”
• Helps uncover multiple contributors and latent failures (at
sharp and blunt ends)

145. • Better than dominoes, but still linear layers of “defense”
• Helps uncover multiple contributors and latent failures (at
sharp and blunt ends)
• Doesn’t explain lineups or orientation of holes
• Only identifies defects/gaps, nothing more
• Still encourages judgements of decisions

146. Better, but still
NOT HELPFUL
• Better than dominoes, but still linear layers of “defense”
• Helps uncover multiple contributors and latent failures (at
sharp and blunt ends)
• Doesn’t explain lineups or orientation of holes
• Only identifies defects/gaps, nothing more
• Still encourages judgements of decisions

147. Multiple Contributors
“each necessary but only jointly sufficient”

148. Resultant Versus Emergent

149. Systemic
Database
Router Memcache
Webserver

150. Systemic
Database
Router Memcache
Webserver
Feature
Roadmap

151. Systemic
Database
Router Memcache
Last Round
Webserver of Funding
Feature
Roadmap

152. Systemic Dashboard
Design
Database
Router Memcache
Last Round
Webserver of Funding
Feature
Roadmap

153. Systemic Dashboard
Design
Database
Router Memcache
Last Round
Webserver of Funding
Feature
Roadmap
DBA’s car

154. Systemic Dashboard
Design
Database
Router Memcache
Last Round
Webserver of Funding
Feature
Roadmap
No Eng
DBA’s car Training

155. Systemic Dashboard
Design
Database
Router Memcache
Last Round
Webserver of Funding
Feature
Email is
Roadmap
down
No Eng
DBA’s car Training

156. Systemic Dashboard
Design
Database
Router Memcache
Last Round
Webserver of Funding
Feature
Email is
Roadmap
down
Entire
Ops Team
No Eng Is At
DBA’s car Training Velocity

157. Systemic Dashboard
Design
Database
Router Memcache
Last Round
Webserver of Funding
Feature
Email is
Roadmap
down
Entire
Ops Team
No Eng Techcrunch Is At
DBA’s car Training Article Velocity

158. Systemic Hiring
Dashboard
Design
Difficulties Database
Router Memcache
Last Round
Webserver of Funding
Feature
Email is
Roadmap
down
Entire
Ops Team
No Eng Techcrunch Is At
DBA’s car Training Article Velocity

159. Systemic Hiring
S3 is slow Dashboard
Design
Difficulties Database
Router Memcache
Last Round
Webserver of Funding
Feature
Email is
Roadmap
down
Entire
Ops Team
No Eng Techcrunch Is At
DBA’s car Training Article Velocity

160. Systemic Hiring
S3 is slow Dashboard
Design
Difficulties Database
Router Memcache
Last Round
Webserver of Funding
Feature
Email is
Roadmap
down
Entire
Ops Team
No Eng Techcrunch Is At
DBA’s car Training Article Velocity

161. Systemic

162. Systemic

163. Systemic

164. Systemic

165. Systemic

166. Systemic

167. Systemic

168. Functional Resonance
In isolation, components act within bounds.
Interconnected, they produce emerging
behaviors.

169. Causes Are Constructed,
Not Found
WYLFIWYF
Pre-conceived notions on “causes” and behaviors

170. Contributors, not causes

171. There is no root cause.

172. LEARNING

173. Quantifying Response
Time to detect?
Time for escalation, internal notification?
Time to notify the public?
Time to graceful degradation? (feature off)
Time to stable/resolve?
Time to all clear?

174. Qualifying Response
High signal:noise in comm channels?
Troubleshooting fatigue?
Troubleshooting handoff?
All tools on-hand?
Metrics visibility?
Collaborative and skillful communication?
Improvised tooling or solutions?

175. All Together Now
• Start/TTD/TTR/Stable/etc.
• Severity
• DATA (graphs, IRC, etc.)
• Description (timeline, etc.)
• Observations (motivations, latent conditions, etc.)
• Actions (remediation tickets, followup)

176. (Anticipation) (Response)
Knowing Knowing Knowing Knowing
What What What What
To Expect To Look For To Do Has Happened
(Monitoring) (Learning)

177. (Anticipation) (Response)
Knowing Knowing Knowing Knowing
What What What What
To Expect To Look For To Do Has Happened
(Monitoring) (Learning)

178. Human Error
“...knowledge and error flow from the
same mental sources, only success
can tell one from the other.”
Ernest Mach, 1905

179. Human Error
Nobody comes to work to do a bad job.

180. Human Error
Useless as a label and ending point.

181. Human Error
Human error isn’t a cause, it’s
an effect.

182. Why did it make sense
to the person
at the time?

183. Error Categories
• Slips
• Lapses
• Mismatches
• Violations

184. Error Categories

185. First Stories
“Human error” seen as root cause.
Counterfactuals: saying what they “should”
have done.
Prevention: be “more careful!”

186. Second Stories
“Human error” seen as systemic vulnerabilities,
deeper inside the organization.
Digging into why it made sense for them to do what they
did, at the time they did it.
Prevention...

187. Why did it make sense
to the person
at the time?

188. Why did it make sense
to the person
at the time?

189. Why did it make sense
to the person
at the time?

190. Substitution Test
Could peers have made the
same error under the same
circumstances?

191. WHERE to learn from ?

192. Two Propositions

193. 100 deploys
6 deploy-related issues

194. 100 > 6

195. Proposition #1
“Ways in which things go right are special cases
of the ways in which things go wrong.”

196. Proposition #1
Successes = failures gone wrong
Study the failures, generalize from that.
data sources: 6 out of 100

197. Proposition #2
“Ways in which things go wrong are special
cases of the ways in which things go right.”

198. Proposition #2
Failures = successes gone wrong
Study the successes, generalize from that
data sources: 94 out of 100

199. 94/100 ?
OR
6/100 ?

200. What and WHY Do Things
Go RIGHT?

201. Not just:
why did we fail?
But also:
why did we succeed?

202. Near Misses
Hey everybody -
Don’t be like me. I tried to X, but
because it was no good.
It almost exploded everyone.
So, don’t do: (details about X)
Love,
Joe

203. Taking the New View
Recognize that human error is
an attribution.

204. Taking the New View
Pursue Second Stories.

205. Taking the New View
Escape Hindsight Bias.

206. Taking the New View
Understand work as performed
at the sharp end.

207. Taking the New View
Examine how changes (at all
layers) will produce new
vulnerabilities.

208. Taking the New View
Use technology to support and
enhance human expertise.

209. Taking the New View
Tame complexity through new
forms of feedback.

210. Taking the New View
Realize that your systems are
not inherently safe.

211. Taking the New View
Human error is an inevitable
by-product of strained
complex systems.

212. Taking the New View
Human error isn’t at the root of
your safety problems.

213. Taking the New View
Human error isn’t random.

214. (Anticipation) (Response)
Knowing Knowing Knowing Knowing
What What What What
To Expect To Look For To Do Has Happened
(Monitoring) (Learning)

216. Just Culture

217. Just Culture
Balancing accountability with
learning.

218. Intentional Malice

219. Negligence
Found
Severity of the Outage

220. Name
Blame
Shame

221. Name
Blame
Shame

222. Name
WHY?
Blame
#!@%$&#
Shame

223. “Must set an example!”

224. “Has to be some fear that not
doing one’s job correctly could
lead to punishment.”

225. “Must set an example!”
Punishing
Deterrents is a not
“Has to be some fear that
Losing could
doing one’s job correctly
Proposition
lead to punishment.”

226. Holding People Accountable
!=
Blaming People

227. Accountability
and
Learning
Punishment For Errors

228. No Bad Apples
Only Bad Theories of Error

229. Name
WHY?
Blame
#!@%$&#
Shame

230. Signs Of Old View
“Gross Misconduct”
“Carelessness”
“Negligence”
“Egregious Behavior”
“Willful Violations”

231. Discretionary Spaces

232. Acceptable
Unacceptable

233. Acceptable
Unacceptable

234. Acceptable
Unacceptable

235. Acceptable
Unacceptable

236. Acceptable
(who draws this subjective line?)
Unacceptable

237. Increase Accountability By
Supporting Learning

238. Empower People
Let them own their own stories.
Don’t make people pay penalties.
Allow them to educate the organization.

239. Reduce Uncertainty
Make it clear who defines
acceptable behavior.

240. Organizational Roots
Accountability =
Responsibility + Requisite Authority

241. (Anticipation) (Response)
Knowing Knowing Knowing Knowing
What What What What
To Expect To Look For To Do Has Happened
(Monitoring) (Learning)

243. (Thanks, Fellas)
Dr. Erik Hollnagel Dr. David Woods Dr. Sidney Dekker Dr. Richard Cook

244. Homework!

245. We Want YOU
etsy.com/careers

246. •
Photo Credits
http://www.flickr.com/photos/51035644987@N01/2678090600/
• http://www.flickr.com/photos/67196253@N00/2941655917/
• http://www.flickr.com/photos/stirwise/417629641
• http://www.flickr.com/photos/38383999@N06/3888057995/
• http://www.flickr.com/photos/94443490@N00/361543080/
• http://www.flickr.com/photos/7729940@N06/4333396494/
• http://www.flickr.com/photos/cpstorm/167418602
• http://www.flickr.com/photos/63474264@N00/4366221069/
• http://www.flickr.com/photos/proimos/4199675334
• http://www.flickr.com/photos/30475691@N07/2862060992/
• http://www.flickr.com/photos/14663487@N00/797755046/
• http://www.flickr.com/photos/25080113@N06/5361445631/

247. THE END