Organizational Failure (LSCITS EngD 2012)

Organisational Failure

Prof Ian Sommerville

Video link

Organisational Failure, York EngD Course in LSCITS, 2012 Slide 1

Organisational failure

• Why and how organisational factors can contribute to
system failures


Why organisations matter?
• Organisations have multiple, inter-related, potentially
conflicting goals:
– Efficient resource utilisation
– Timely delivery of products/services
– Customer satisfaction
– Owner satisfaction
– Regulatory compliance
– Safety and dependability
– Maintenance of reputation/brand
– Future development


Decision making
• Organisational decision making involves taking all of
these into account
– Inevitably, this sometimes means making compromises that
affect the safety and dependability of a system
• These compromises lead to vulnerabilities and
hazards that may then compromise the safety or
dependability of the system
• In complex organisations, there are competing
priorities in different parts of the organisation
– Shifting power and authority in an organisation affects
decision making
– May be deliberate lack of communications across the
organisation

NASA Challenger disaster
• Space shuttle exploded shortly after take-off
• The cause was the failure of rubber seals (O-rings)
that allowed hot gas to escape and make contact with
fuel tanks which then exploded
• Subsequent enquiry showed that O-ring failure was
due to brittleness at low temperatures
• Arguably, decision makers were complacent because
– Redundant (primary and secondary) O-rings in the system
– Damage to primary O-rings had been tolerated in previous
launches


Organisational failure
• Engineers were concerned about launching in low
temperatures and advised against launch
• But goals other than safety and dependability took
precedence and engineers were overruled
– „Owner‟ satisfaction
• already several delays to flight
– Future planning
• NASA wanted a success to support budget negotiations
– Resource utilisation
• Reluctance to address known problem with O-rings because of
costs

Normal accidents
• Developed by Charles Perrow who conducted a study of a
nuclear accident in the USA (Three Mile Island)
• Official conclusion was that the problems were due to
“human error”
• Perrow disagreed with this and argues that failures are
„normal‟ and inevitable in complex systems which have:
– Interactive complexity
• The presence of unfamiliar, unplanned and unexpected sequences
of events in a system that are not visible or immediately
comprehensible
– Tight coupling
• The presence of interdependent components.
• Tight coupling will make a system more prone to cascading errors.


Redundancy
• The use of redundancy is a fundamental technique in
achieving system safety
– Primary and secondary O-rings on space shuttle
– Quintuple redundancy in Airbus FCS

• Failure of primary system can be tolerated
• Perrow argues that redundancy can decrease rather
than increase safety:
– Increases complexity and coupling in the system
– Provides reassurance that system faults can be tolerated


Failures or successes
• Normal accident theory is based on extensive studies
of system failures
• It argues that failure is systemic and an inherent
characteristic of the system itself
• Alternative perspective is based on studies of
success
– Why are there some areas that are apparently complex (e.g.
air traffic management) where failures are relatively
uncommon?

• Led to the notion of high-reliability organisations


Failure-free organisations?
• High-reliability organisation (HRO) researchers
disagree that complex, highly interdependent
systems will inevitably have accidents
– They believe organisations are able to compensate for
technical shortcomings through their methods of operation, in
essence they argue that organisations can be ‘failure free’.

• Based on studies of „reliable‟ organisations
– Aircraft carriers
– Air traffic control
– Nuclear power stations
– Intensive care units


Aircraft carrier flight operations


Nuclear powered carriers
• Complex systems
– Carriers are 24 stories high and carry enough fuel for 15
years. 2000 telephones. 3,360 compartments and spaces
– Multiple software intensive systems (command systems,
aircraft software)
– Dangerous objects (aircraft, fuel, and explosives) in close
proximity.
– Aircraft taking off and landing in 48-60 second intervals.
– 6000 crew. Several different kinds of aircraft, multiple
squadrons.
– All work interdependently and must be coordinated.


Nuclear powered carriers
• High risk
– Nuclear reactor accidents
– Fire, flooding, grounding, collision
– Fuel and weapons explosions
– Mistaken identification of friends and foes
– High risks both to crew and a much larger public

• High reliability
– Low “crunch rates”
– comparatively few major accidents

• High reliability achieved through organisational
design

High Reliability Organisations
• High Reliability Organisations (HROs) have particular
qualities
– Reliability takes precedence over efficiency
– Preoccupation with failure, not success
– Share the big picture
– Focus on details
– Migrate decisions


Reliability over Efficiency
– Reliability comes before efficiency but cannot replace it
– Decisions are made on the grounds of reliability first and then
efficiency
– Efficiency initiatives are treated with scepticism
– Managers regularly talk to and familiarise themselves with
staff about how they do their work and why. This stops
managers focusing just on figures.
– Organisations develop safety measures as well as financial
measures, and include these in employee evaluations
– Organisations assign value to the avoidance of accidents
– High redundancy despite cost
– Cautious actions when necessary despite cost

Preoccupation with Failure
• HROs recognise that:
– Workers need to be heedful to the possibility of failure
– Failures are normal but accidents should be avoided
– Acknowledge there can be unexpected failure modes, even
in common activities

• HROs address failure by:
– Constant training of all people (simulations, apprenticing,
practice)
– Using incident reporting
– Designing in extensive redundancy
– Maintaining contingencies for critical operations
– Requiring proofs that something is safe, not that it is unsafe

Carrier operations
– There is constant tracking of issues around malfunctioning,
defective and substandard equipment.
• They act on these by training crew how to overcome problems
and pressuring vendors to make improvements
– Extensive redundancy (overlapping jobs, multiple channels
and centres of communications, spare parts, multiple sources
for decision making).
• Example: if an aircrafts landing gear warning light comes on, the
spotter, commander and pilot all work together to establish what
the issues is.
– Multiple contingencies are maintained
• Example: There will always be multiple options for how to land
the plane (or for the pilot to escape).

Sharing the Big Picture
• HROs recognise that:
– If people are narrowly focused they will act only in their own
interest
– People need to maintain awareness of other people and
events around the organisation

• HROs
– Train people broadly
– Educate people about overarching objectives, and set
statements of purpose
– Give people access to information on what is happening
elsewhere
– Clearly specify how people and teams fit into the whole

Reluctance to Simplify
• HROS are reluctant to simplify
• All organisations have to simplify and abstract, to filter out
unnecessary information (particularly for getting “big pictures”)

• Rather, HROs
– Use labels and categories as little as possible as they stop
you from looking further into details and events.
– Continually rework labels and categories
– Listen to wisdom, but with skepticism
– Do not focus on information that supports expectations, but
focus on that which doesn‟t fit or disconfirms desires


Migration of decision making
• HROs migrate decision making as far down the
organisation as possible
– Decisions are not made by one central authority

• HROs recognise:
– Decisions need to be made where there is expertise
– Decisions often need to be made quickly
– People must be trained in making decisions and are given
the right resources to do so
– Skill levels and legitimacy through the organisation and
people are trusted


HROs and Normal Accidents
• HRO theory is sometimes presented as conflicting
with Normal Accidents
– HRO proponents may argue that accidents are not „normal‟
– Leveson critiques work on HROs and argues that they are
not based on concerns of tightly coupled systems

• Arguably, an HRO is an organisation that has taken
active steps to:
– reduce coupling and
– reduce interactions
– Once that has been achieved, the driver for HRO‟s is
perhaps a strong „safety culture‟ to promote safety across the
organisation

Organisational vulnerabilities

• Organisational vulnerabilities are characteristics of an
organisation that weaken defensive layers and so
may lead to system failure.
• Examples of organisational vulnerabilities
– Over-reliance on process to achieve safety/dependability
– Responsibility failures
– Weak safety/dependability culture
– Under-resourcing of safety


Over-reliance on process
• Quality standards such as ISO 9000 place great
emphasis on process and process assurance
– Implication of these standards is that process is paramount

• This tends to promote a belief that focusing on
process is the way to achieve safety and
dependability
• However, processes are never isolated and have to
be enacted in a dynamic context
• Sometimes necessary to deviate from the „normal‟
process to achieve safety and dependability


Responsibility failures
• System failures are often a consequence of
responsibility failures
– Unassigned responsibility
– Misassigned responsibility
– Misunderstood responsibility
– Duplicated responsibilities
– Responsibility overload
– Responsibility fragility

• Responsibility failures may be a consequence of poor
communications and/or under-resourcing


Organisational culture
• “The way that we do things around here”
• Culture may conflict with public statements of
priorities
– “The patient comes first”
– “Safety is our goal”

• Investment banking
– High risk, high reward
– Lack of regulation or weak compliance with regulations
– Large-scale failures


Safety culture
• Some organisations have developed a strong safety
culture where safety is seen as a priority by all
members of the organisation
• Safety culture (UK HSE)
– “The product of individual and group values, attitudes,
perceptions, competencies, and patterns of behaviour that
determine the commitment to, and the style and proficiency
of, an organization‟s health and safety management”


Safety culture (Reason)


Safety maturity


Under-resourcing
• If operations are under-resourced then safety and
dependability are often sacrificed
• Organisational priorities focus on optimising resource
utilisation to continue service delivery
– Safety and dependability may be seen as an avoidable
overhead

• Example
– Cleaning services in hospital outsourced to save money
– Competitive tender
– Under-resourced so quality of service reduced
• Consequent increase in hospital acquired infections

Complex systems
• Complexity = Coupling + Interaction
• Lesson for LSCITS
– Increasing complexity will lead to unpredictable system failure
– Strive to build LSITS rather than LSCITS

• Improve safety by
– Reducing coupling
– Reducing interactions
– Redundancy may not improve safety as it increases complexity in
the system

• Address problems at organisational as well as the system level


Key points
• Organisational decisions, influenced by structure and
culture, often have a major impact on safety and
dependability
• Normal Accident Theory postulates that accidents are
inevitable in complex, tightly coupled systems
• High-reliability organisations aim to achieve safety
through a set of practices that aim to reduce failures
• Organisational vulnerabilities include over-reliance on
process, responsibility failures, poor safety culture
and under-resourcing


Organizational Failure (LSCITS EngD 2012)

More Related Content

What's hot

Similar to Organizational Failure (LSCITS EngD 2012)

More from Ian Sommerville

Recently uploaded

Organizational Failure (LSCITS EngD 2012)