Sidney Dekker's Drift Into Failure*
is a noteworthy effort to provide new insights into how accidents and
other bad outcomes occur in large organizations. He begins by
describing two competing world views, the essentially mechanical view
of the world spawned by Newton and Descartes (among others), and a
view based on complexity in socio-technical organizations and a
systems approach. He shows how each world view biases the search for
the “truth” behind how accidents and incidents occur.
Newtonian-Cartesian (N-C) Vision
Isaac Newton and René Descartes were
leading thinkers during the dawn of the Age of Reason. Newton used
the language of mathematics to describe the world while Descartes
relied on the inner process of reason. Both believed there was a
single reality that could be investigated, understood and explained
through careful analysis and thought—complete knowledge was
possible if investigators looked long and hard enough. The
assumptions and rules that started with them, and were extended by
others over time, have been passed on and most of us accept them,
uncritically, as common sense, the most effective way to look at the
world.
The N-C world is ruled by invariant
cause-and-effect; it is, in fact, a machine. If something bad
happens, then there was a unique cause or set of causes.
Investigators search for these broken components, which could be
physical or human. It is assumed that a clear line exists between
the broken part(s) and the overall behavior of the system. The
explicit assumption of determinism leads to an implicit assumption of
time reversibility—because system performance can be predicted from
time A if we know the starting conditions and the functional
relationships of all components, then we can start from a later time
B (the bad outcome) and work back to the true causes. (p. 84) Root
cause analysis and criminal investigations are steeped in this world
view.
In this view, decision makers are
expected to be rational people who “make decisions by
systematically and consciously weighing all possible outcomes along
all relevant criteria.” (p. 3) Bad outcomes are caused by
incompetent or, worse, corrupt decision makers. Fixes include more
communications, training, procedures, supervision, exhortations to
try harder and criminal charges.
Dekker credits Newton et al. for
giving man the wherewithal to probe Nature's secrets and build
amazing machines. However, Newtonian-Cartesian vision is not the
only way to view the world, especially the world of complex,
socio-technical systems. For that a new model, with different
concepts and operating principles, is required.
The Complex System
Characteristics
The sheer number of parts does not make
a system complex, only complicated. A truly complex system is open
(it interacts with its environment), has components that act locally
and don't know the full effects of their actions, is constantly
making decisions to maintain performance and adapt to changing
circumstances, and has non-linear interactions (small events can
cause large results) because of multipliers and feedback loops.
Complexity is a result of the ever-changing relationships between
components. (pp. 138-144)
Adding to the myriad information
confronting a manager or observer, system performance is often
optimized at the edge of chaos, where competitors are perpetually
vying for relative advantage at an affordable cost.** The system is
constantly balancing its efforts between exploration (which will
definitely incur costs but may lead to new advantages) and
exploitation (which reaps benefits of current advantages but will
likely dissipate over time). (pp. 164-165)
The most important feature of a complex
system is that it adapts to its environment over time in order to
survive. And its environment is characterized by resource scarcity
and competition. There is continuous pressure to maintain production
and increase efficiency (and their visible artifacts: output, costs,
profits, market share, etc.) and less visible outputs, e.g., safety,
will receive less attention. After all, “Though safety is a
(stated) priority, operational systems do not exist to be safe. They
exist to provide a service or product . . . .” (p. 99) And the
cumulative effect of multiple adaptive decisions can be an erosion of
safety margins and a changed response of the entire system. Such
responses may be beneficial or harmful—a drift into failure.
Drift by a complex system exhibits
several characteristics. First, as mentioned above, it is driven by
environmental factors. Second, drift occurs in small steps so
changes can be hardly noticed, and even applauded if they result in
local performance improvement; “. . . successful outcomes keep
giving the impression that risk is under control” (p. 106) as a
series of small decisions whittle away at safety margins. Third,
these complex systems contain unruly technology (think deepwater
drilling) where uncertainties exist about how the technology may be
ultimately deployed and how it may fail. Fourth, there is
significant interaction with a key environmental player, the
regulator, and regulatory capture can occur, resulting in toothless
oversight.
“Drifting into failure is not so much
about breakdowns or malfunctioning of components, as it is about an
organization not adapting effectively to cope with the complexity of
its own structure and environment.” (p. 121) Drift and
occasionally accidents occur because of ordinary system functioning,
normal people going about their regular activities making ordinary
decisions “against a background of uncertain technology and
imperfect information.” Accidents, like safety, can be viewed as
an emergent system property, i.e., they are the result of system
relationships but cannot be predicted by examining any particular
system component.
Managers' roles
Managers should not try to transform
complex organizations into merely complicated ones, even if it's
possible. Complexity is necessary for long-term survival as it
maximizes organizational adaptability. The question is how to manage
in a complex system. One key is increasing the diversity of
personnel in the organization. More diversity means less group think
and more creativity and greater capacity for adaptation. In
practice, this means validation of minority opinions and
encouragement of dissent, reflecting on the small decisions as they
are made, stopping to ponder why some technical feature or process is
not working exactly as expected and creating slack to reduce the
chances of small events snowballing into large failures. With proper
guidance, organizations can drift their way to success.
Accountability
Amoral and criminal behavior certainly
exist in large organizations but bad outcomes can also result from
normal system functioning. That's why the search for culprits (bad
actors or broken parts) may not always be appropriate or adequate.
This is a point Dekker has explored before, in Just Culture
(briefly reviewed here) where he suggests using accountability as a
means to understand the system-based contributors to failure and
resolve those contributors in a manner that will avoid recurrence.
Application to Nuclear Safety Culture
A commercial nuclear power plant or
fleet is probably not a complete complex system. It interacts with
environmental factors but in limited ways; it's certainly not
directly exposed to the Wild West competition of, say, the cell phone
industry. Group think and normalization of deviance*** are constant
threats. The technology is reasonably well-understood but changes,
e.g., uprates based on more software-intensive instrumentation and
control, may be invisibly sanding away safety margin. Both the
industry and the regulator would deny regulatory capture has occurred
but an outside observer may think the relationship is a little too
cozy. Overall, the fit is sufficiently good that students of safety
culture should pay close attention to Dekker's observations.
In contrast, the Hanford Waste
Treatment Plant (Vit Plant) is almost certainly a complex system and
this book should be required reading for all managers in that
program.
Conclusion
Drift Into Failure is not a
quick read. Dekker spends a lot of time developing his theory, then
circling back to further explain it or emphasize individual pieces.
He reviews incidents (airplane crashes, a medical error resulting in
patient death, software problems, public water supply contamination)
and descriptions of organization evolution (NASA, international drug
smuggling, “conflict minerals” in Africa, drilling for oil,
terrorist tactics, Enron) to illustrate how his approach results in
broader and arguably more meaningful insights than the reports of
official investigations. Standing on the shoulders of others,
especially Diane Vaughan, Dekker gives us a rich model for what might
be called the “banality of normalization of deviance.”
* S. Dekker, Drift Into Failure: From
Hunting Broken Components to Understanding Complex Systems
(Burlington VT: Ashgate 2011).
** See our Sept. 4, 2012 post on Cynefin for another description of how the decisions an
organization faces can suddenly slip from the Simple space to the Chaotic
space.
*** We have posted many times about
normalization of deviance, the corrosive organizational process by
which yesterday's “unacceptable” becomes today's “good
enough.”