functional resonance analysis method - gnssn home resonance... · luigi macchi, phd...
Post on 14-Aug-2019
215 Views
Preview:
TRANSCRIPT
Luigi Macchi, PhD
lmacchi@dedale.net
Functional Resonance Analysis Method
Proactive systemic assessment
Technical meeting on the Interaction between Individuals, Technology
and Organization – A systemic approach to safety in practice
Vienna, Austria IAEA Headquarters 10 – 13 June 2014
Dédale 2014 Wien, 12/06/2014
Dedale S.A.S.
• Private shareholders founded in 1992, from
the aviation domain
• A multi-disciplinary team: HF experts,
engineers, psychologists, ergonomists
Permanent staff: 12 in France (Paris), 3 in
Australia (Melbourne)
• Specialised in reliability and performance of
complex socio-technical systems
Bridging between research and applications to
industry
Know-how transfer
Daedalus & Icarus
Dédale 2014 Wien, 12/06/2014
Systemic approach
1. A systemic perspective implies analysing the impacts of the constant
dynamic interaction between and within the human, technical and
organizational factors comprising the socio-technical system, as well as
the interactions within and between organizations within the larger
system that this particular system is a part of.
2. A systemic perspective implies describing accidents on the level of the
socio-technical system as whole rather than on the level of specific
cause-effect mechanisms.
3. A systemic perspective implies taking into account factors that lie far
away in time and space from the moment things went wrong
Hollnagel, 2004; Dekker, 2011
Dédale 2014 Wien, 12/06/2014
Steps for a systemic approach to safety
1. Knowing where the risks are, prioritising and building an ad-hoc
system of defences
2. Setting this “paper model” alongside the real situation and
making adjustments accordingly, particularly to various shifts in
practice
3. Carrying out the analysis at a higher level and considering the
macroeconomic and political constraints
4. Asking how much resistance it still has to exceptional
circumstances
Amalberti, 2013
Dédale 2014 Wien, 12/06/2014
Steps for a systemic approach to safety
1. Knowing where the risks are, prioritising and building an ad-hoc
system of defences
2. Setting this “paper model” alongside the real situation and
making adjustments accordingly, particularly to various shifts in
practice
3. Carrying out the analysis at a higher level and considering the
macroeconomic and political constraints
4. Asking how much resistance it still has to exceptional
circumstances
Amalberti, 2013
Dédale 2014 Wien, 12/06/2014
Linear models
How does accident
happen?
Accident models assumptions
• A system/event can be decomposed into meaningful elements/steps
• Parts and components either work or fail
• Order of events is predetermined and fixed
• Combinations of events are orderly and linear
• Accidents are due to cause-effect chain of events
Simple
Complex
Independent causes,
Failures, malfunctions
Interdependent causes
(active errors + latent
failures)
Linear
Accident
Model Method
Conclusions
Data
Interpretation
Dédale 2014 Wien, 12/06/2014
Safety assessment approaches
TRADITIONAL
approach
SAFETY ACHIEVED ACCIDENT DUE TO
Failures Errors
Constraining performance
Hale and Hovden (1998)
Dédale 2014 Wien, 12/06/2014
Systemic models
Accident models assumptions •Principles of functioning of systems are unknown or only partly known
•Description of system is difficult and contains many details
•Description takes a long time to make
•System’s structure changes before description is completed
•Important to understand system dynamics (variability)
•Accidents emerge from the normal functional adjustments of the system
Systemic
Accident
Model Method
Conclusions
Data
Interpretation
Accidents are consequences of
normal adjustments, rather than
of failures. Without such
adjustments, systems would not
work
How does the
system work?
Is its
functioning
appropriate for
achieving the
purposes?
Dédale 2014 Wien, 12/06/2014
Safety assessment approaches
TRADITIONAL
approach
SAFETY ACHIEVED ACCIDENT DUE TO
Failures Errors
Constraining performance
SYSTEMIC
approach
Combination of
performance variability
Managing performance
variability
Dédale 2014 Wien, 12/06/2014
Systemic models
How does the
system work?
Systemic
Accident
Model
Conclusions
Data
Interpretation
Accidents are consequences of
normal adjustments, rather than
of failures. Without such
adjustments, systems would not
work
FRAM
Is its
functioning
appropriate
for achieving
the
purposes?
Dédale 2014 Wien, 12/06/2014
FRAM principles
• Performance has to be adjusted to meet working conditions. Since resources are always finite, adjustments are always approximate
Approximate adjustment
• Success is the ability to anticipate risks and critical situations, recognise them in time and take appropriate actions. Failure is the temporary inability to do so.
Equivalence of success and failures
• Both success and failures cannot be explained only by referring to the (mal)functions of specific component
Emergence
• The variability of a number of functions reinforce each other and thereby cause the variability of one function to exceed normal limits
Functional resonance
Dédale 2014 Wien, 12/06/2014
FRAM steps
Recognise the purpose of the
analysis.
Identify and describe the
functions.
The identification of variability.
The aggregation of
variability.
Consequences of the analysis.
Dédale 2014 Wien, 12/06/2014
Recognise the purpose of the analysis.
Accident analysis Risk assessment
Step 0
Look for what SHOULD
have gone right but did not
Look for what SHOULD
go right
Dédale 2014 Wien, 12/06/2014
Step 1
Identify and describe the
functions
A function refers to the activities required to produce an outcome
Sources for describing functions: e.g.
Description of events and system/work documentation
Procedures, named individual functions
Work descriptions
Design case, use case, scenario
Functional decomposition
Task analysis
Goals-means task analysis
Technological functions
Human functions
Organisational functions
Dédale 2014 Wien, 12/06/2014
Step 1 – Functions and aspects
Identify and describe the
functions
Needed or consumed by function to process input (e.g., matter, energy, hardware, software, manpower).
Supervises or adjusts a function. plans, procedures, guidelines or other functions.
System conditions that must be fulfilled before a function
can be carried out.
Can be a constraint but can also be considered as a kind
of resource.
FunctionI
P
C
O
R
T
Output
Resource
Control
Input
Precondition
Time
Produced by function. Used or transformed to
produce the output.
Aspect
Dédale 2014 Wien, 12/06/2014
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
Identify and describe the
functions
Foreground functions:
The focus of analysis
Background functions:
create the context in which foreground functions are performed
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
T
FunctionI
P
C
O
R
TFunctionI
P
C
O
R
T
Step 1 – Foreground and background
Dédale 2014 Wien, 12/06/2014
Function 4I
P
C
O
R
T
Function 2I
P
C
O
R
T
Function 3I
P
C
O
R
T
I
P
C
O
R
T
Function 1
INSTANTIATION Identify and describe the
functions
Downstream functions
Upstream functions
Step 1 – Upstream and downstream
Dédale 2014 Wien, 12/06/2014
Function 3I
P
C
O
R
T
Function 2I
P
C
O
R
T
Function 4I
P
C
O
R
T
Function 1I
P
C
O
R
T
FRAM MODEL
Function 4I
P
C
O
R
T
Function 2I
P
C
O
R
T
Function 3I
P
C
O
R
T
I
P
C
O
R
T
Function 1
INSTANTIATION
Identify and describe the
functions
Step 1 – Model and instantiation Step 1 – Model and Instantiation
Dédale 2014 Wien, 12/06/2014
1. Start by a function that appears to be essential for the scenario
2. There is no single or right level of description
3. Start describing at a “natural” level
4. Functions always contains a verb phrase
5. A FRAM model is the textual description of functions (NO LINKS)
6. An Instantiation represents the way functions are coupled in a specific
scenario
7. Functions are potentially coupled if they have common aspects
8. A FRAM model can contain functions at a different degree of elaboration
9. All the aspects of a function must be described for at least another function in
the model (model has to be consistent and complete)
10.Not all aspects of a function must be described
Step 1 in practice
Dédale 2014 Wien, 12/06/2014
ATM Example: Human–Technological-Organisational
COORDINA-
TIONI
P
C
O
R
T
UPDATE
MET DATAI
P
C
O
R
T
UPDATE
FDPSI
P
C
O
R
T
PLANNINGI
P
C
O
R
T
MONITORINGI
P
C
O
R
T
PILOT –
ATCO
COMMUNI-
CATION
I
P
C
O
R
T
SECTOR-
SECTOR
COMMUNI-
CATIO
I
P
C
O
R
T
ISSUE
CLEARANCE
TO PILOT
I
P
C
O
R
T
STRIP
MARKINGI
P
C
O
R
T
DEFINE
ALERT-
INHIBITED
AIRSPACE
VOL.
I
P
C
O
R
T
DEFINE
ALERT-
INHIBITED
SRR
CODES
I
P
C
O
R
T
ENABLE
MSAW
ALERT
TRANSMI-
SSION
I
P
C
O
R
T
Human
PROVIDE
MET DATAI
P
C
O
R
T
DISPLAY
DATA ON
CWP
I
P
C
O
R
T
PROVIDE
FLIGHT &
RADAR
DATA
I
P
C
O
R
T
GENERATE
MSAW
ALERT
I
P
C
O
R
T
Technological
MANAGE
RESOURCESI
P
C
O
R
T
MANAGE
COMPETENCEI
P
C
O
R
T
MANAGE
PROCEDURESI
P
C
O
R
T
MANAGE
TEAMWORKI
P
C
O
R
T
MANAGE
WORKING
CONDITIONSI
P
C
O
R
T
Organisational
Dédale 2014 Wien, 12/06/2014
The identification of variability
Internal variability: due to
the nature of the function
itself
External variability: due to
the variability of the
working environment Organisational functions:
performed by groups of
people where activities
are explicitly organised
Technological functions:
performed mainly by
machinery
Human functions:
performed by individuals
or informal groups
Functions vary in how they are carried out. The variability
of a function results in a variability in its Output
Variability is partially
predictable because it
is due to adjustments
performed for a
purpose
Step 2 – Sources of variability
Dédale 2014 Wien, 12/06/2014
Step 2
The identification of variability
Organisational functions
Internal variability External variability
Sources: Many,
function specific
Slow
frequency,
large
amplitude
Sources: Many,
instrumental
Low
frequency,
large
amplitude
Human functions Sources: Very many,
psychological &
physiological
High
frequency,
large
amplitude
Sources: Very many,
social and
organisational
High
frequency,
large
amplitude
Technological functions Sources: Few, well
known Low
Sources:
maintenance Low
How does
variability look
like in practice?
Step 2 – Sources of variability
Dédale 2014 Wien, 12/06/2014
Temporal characteristics
Too early On time Too late Not at all
Technological function
Unlikely Normal, expected Unlikely, but
possible Very unlikely
Human function
Possible Possible, should be
typical Possible, more
likely than early Possible to a lesser degree
Organisational function
Unlikely Likely Possible Possible
The identification of variability
Manifestations of variability
Step 2 – Manifestation of variability
Dédale 2014 Wien, 12/06/2014
Precision characteristics
Precise Acceptable Imprecise
Technological function
Normal, expected Unlikely Unlikely
Human function
Possible, but unlikely
Possible, likely Typical
Organisational function
Unlikely Possible Likely
The identification of variability
Manifestations of variability
How does
variability combine
and resonate?
Step 2 – Manifestation of variability
Dédale 2014 Wien, 12/06/2014
Step 3 – Aggregation of variability
Dédale 2014 Wien, 12/06/2014
Step 3 – Aggregation of variability
Dédale 2014 Wien, 12/06/2014
The aggregation of variability
To understand how variability may combine and lead to
unexpected outcomes
Functional coupling: variability due to couplings
between upstream and downstream functions
Function 4I
P
C
O
R
T
Function 2I
P
C
O
R
T
Function 3I
P
C
O
R
T
I
P
C
O
R
T
Function 1
INSTANTIATION
Upstream Output variability Possible effects on downstream function
Timing Too early Premature start; Input possibly missed [V]
On time No effect, possible damping [V]
Too late Function delayed, leading to short-cuts [V]
Omission Function not carried out or severely
delayed [V]
Precision
Imprecise
Loss of time, loss of accuracy,
misunderstandings. [V]
Acceptable No effect [V]
Precise Possible dampening. [V] Possible damping of
variability
Possible increase of
variability
Neutral for variability
E.g. Coupling for
Input
© Hollnagel, 2012
Step 3 – Aggregation of variability
Dédale 2014 Wien, 12/06/2014
Function ZI
P
C
O
R
T
Function YI
P
C
O
R
T
Function XI
P
C
O
R
T
Output 3 - Quality I
Output 2 - Quality: F
Output 1 - Quality: F
Function WI
P
C
O
R
T
Output 4 - Quality A
Function KI
P
C
O
R
T
Function Z
Input Aspect 1
Aspect 2
Output
Control Aspect 4
Time
Preconditions Aspect 3
Resources
Step 3 – Aggregation of variability
Dédale 2014 Wien, 12/06/2014
Function ZI
P
C
O
R
T
Function YI
P
C
O
R
T
Function XI
P
C
O
R
T
Output 3 - Quality I
Output 2 - Quality: F
Output 1 - Quality: F
Function WI
P
C
O
R
T
Output 4 - Quality A
Function KI
P
C
O
R
T
Function Z Possible effects on downstream function
Input Aspect 1
Aspect 2
Possible increase of variability
Possible increase of variability
Output
Control Aspect 4 Possible damping of variability
Time
Preconditions Aspect 3 Possible increase of variability
Resources
Step 3 – Aggregation of variability
In the instantiation,
where the possible
variability combine
and resonate?
Dédale 2014 Wien, 12/06/2014
ENABLE
MSAW
ALERT
TRANSMI-
SSION
I
P
C
O
R
T
PROVIDE
MET DATAI
P
C
O
R
T
DISPLAY
DATA ON
CWP
I
P
C
O
R
T
PROVIDE
FLIGHT &
RADAR
DATA
I
P
C
O
R
T
PLANNINGI
P
C
O
R
T
PILOT –
ATCO
COMMUNI-
CATION
I
P
C
O
R
T
STRIP
MARKINGI
P
C
O
R
T
FLIGHT & RADAR DATA
SYSTEM MESSAGE
ALERT INHIBIT
SSR CODES DEFINED
ALERT INHIBIT
AIRSPACE
VOL DEFINED
MSAW FUNCTION
ENABLED
MET DATA
FLIGHT POSITION A/C 2
MONITORED
FLIGHT POSITION A/C 1
MONITORED
FLIGHT & RADAR DATA
DISPLAYED
MET DATA
DISPLAYED
SYSTEM MESSAGE
CLEARANCE PLAN A/C 1
CLEARANCE PLAN A/C 2
A/C 1:
RADIO CONTACT
ESTABLISHED
A/C 2:
RADIO CONTACT
ESTABLISHED
CLEARANCE A/C 1:
descend altitude 4000FTturn right heading 230
cleared ILS25
CLEARANCE A/C2:
descend altitude 4000FT-QNH 1027
turn left heading 210
cleared ILS25
Teamwork
Teamwork
Procedure
Procedure
Procedure
ProcedureTechnical training
Technical training
Technical training
Technical training
Technical training
MONITORINGI
P
C
O
R
T
ISSUE
CLEARANCE
TO PILOT
I
P
C
O
R
T
Technical training
Procedure
MANAGE
COMPETENCEI
P
C
O
R
T
MANAGE
PROCEDURESI
P
C
O
R
T
MANAGE
TEAMWORKI
P
C
O
R
T
GENERATE
MSAW
ALERT
I
P
C
O
R
T
DEFINE
ALERT-
INHIBITED
AIRSPACE
VOL.
I
P
C
O
R
T
DEFINE
ALERT-
INHIBITED
SRR
CODES
I
P
C
O
R
T
© Macchi, 2010
Step 3 – ATM example
Dédale 2014 Wien, 12/06/2014
Consequences of the analysis
To propose ways to manage emergent risks
Focus of recommendations to:
1. Eliminate hazards
2. Prevention of risks
3. Protection from effects
4. Facilitation of positive factors
5. Monitoring variability (performance indicators)
6. Dampening variability
Step 4
Dédale 2014 Wien, 12/06/2014
Conclusions
1. FRAM applies a systemic perspective to safety assessment
2. Analysis:
1. of the impacts of the dynamic interaction between and within the
human, technical and organizational factors comprising the socio-
technical system;
2. of the interactions within and between organizations within the
larger system;
3. of the variability of performance which is at the basis of both
successes and failures
3. Description on the level of the socio-technical system as whole rather
than on the level of specific cause-effect mechanisms taking into
account factors that lie far away in time and space from the moment
things could go wrong
Dédale 2014 Wien, 12/06/2014
Wait… I’ve got
few questions!! Let’s leave….
Thank you for your attention
top related