A risk interpretation of sociotechnical safety perspectives


Reliability Engineering and System Safety 175 (2018) 13–18


Reliability Engineering and System Safety journal homepage: www.elsevier.com/locate/ress

Terje Aven a,∗, Marja Ylönen b

a University of Stavanger, Norway
b VTT Technical Research Centre of Finland, Finland

Abstract

This paper addresses ‘sociotechnical perspectives on safety’, highlighting common ideas and principles for understanding, studying and managing the safety of sociotechnical systems, such as high-risk industries. These perspectives can be characterised in different ways, but, for the purpose of the present paper, three features are focused on: i) that a holistic view is needed to manage safety, covering knowledge from different disciplines (technology, social sciences, etc.), ii) that complex systems cannot be fully predicted and controlled, and iii) that safety management consequently needs to highlight robustness and resilience in addition to risk analysis. Some works have been conducted to understand these perspectives in relation to risk, risk analysis and risk management, but most of these have been based on traditional concepts and approaches to risk, using quantitative probabilistic risk assessments. In this paper we revisit the issue, using more recent ideas and approaches for understanding, assessing and managing risk, where uncertainty is a main component of risk. We show that, when framed according to these ideas and approaches, the risk field can provide a supporting platform for the sociotechnical perspectives and supplement the types of means to properly manage safety. Some implications for safety and risk regulation are also discussed. © 2018 Elsevier Ltd. All rights reserved.

∗ Corresponding author. E-mail address: [email protected] (T. Aven).

https://doi.org/10.1016/j.ress.2018.03.004 Received 5 November 2017; Received in revised form 15 February 2018; Accepted 3 March 2018 Available online 6 March 2018 0951-8320/© 2018 Elsevier Ltd. All rights reserved.

1. Introduction

Different approaches are used to study and manage the safety of technical systems like nuclear power plants and offshore installations. Basically, we can distinguish between two main categories of such approaches: the engineering risk assessment perspective and the sociotechnical perspective. The foundation and practices vary for these perspectives, but some common features can be identified when looking for the big picture of current applied safety work for such systems. For risk assessments, the aim is to provide system understanding by the use of simple linear models (such as event trees and fault trees), then to quantify the risk and compare it with predefined criteria as input to a decision-making process. The sociotechnical perspective points to the limitations of this risk assessment approach, arguing that systems like nuclear power plants and offshore installations are complex systems and that important aspects for safety are not taken into account when using the linear risk assessment models. For a complex system, it is not possible to accurately predict the system performance and accurately estimate risk on the basis of knowing the performance of the system components. There are interactions, and there will always be surprises relative to the knowledge of the analysts and experts and the models they are applying. The message is that the risk assessment approach is not able to provide a satisfactory analysis and control of the hazards and threats that can occur in such systems. Other approaches are needed and, of these, the most commonly referred to are robust analysis and resilient engineering. These approaches seek to make the systems better able to cope with surprises.

The risk assessment and risk management community has met this criticism in different ways. It is stressed that the models and tools used have limitations and that the results always need to be seen in relation to the assumptions and simplifications made. Yet the analysis and results can be informative for the decision makers. There is also a continuous drive to improve models and tools, make them more detailed and accurate, with the expectations that the risk estimations are becoming better and better. We have also seen that a new way of thinking about risk has developed, as summarised in Section 3. This work has been motivated by this critique linked to sociotechnical systems, but it has also come from self-reflections within the risk assessment and management community. It has been shown that the traditional risk approaches based on probability calculus are too narrow to properly reflect all relevant aspects of risk and uncertainties, for sociotechnical systems but also for other types of systems and activities. It is realised that it is necessary to better reflect the uncertainties and knowledge when conceptualising and assessing risk, to be able to deal with risk concealed in beliefs and assumptions made. Surprises relative to the knowledge is also a topic that is captured by these developments.

The present paper seeks to integrate these developments in the risk field with the current perspectives on socio-technical systems. The aim of the paper is to show that, when suitably framed and conceptualised, the risk field can provide a platform for the sociotechnical perspectives on safety. There is no conflict between these perspectives and the risk assessment and management approaches when these are based on the new ideas and principles mentioned above. The paper builds on earlier works, including Wynne [46], Jasanoff [22] and Gooday [15], which point to and discuss the fact that the social and cultural understandings of safety are not integrated with technical risk assessment and related management, and that these different ‘schools’ do not really speak well with each other. We will discuss the integration of the sociotechnical perspectives and approaches regarding risk in Section 3, following a brief introduction of the sociotechnical perspectives to safety in Section 2. Section 4 will discuss how a closer integration of the risk analysis and management approach and the sociotechnical perspective on safety can be utilised to improve risk and safety regulations. Finally, Section 5 provides some conclusions.

2. Sociotechnical perspectives on safety

The history of sociotechnical-systems thinking is traced to the UK’s Tavistock Institute of Human Relations and studies on the implications of human factors for work systems [14,45]. Researchers highlighted human and social factors, alongside the technology affecting the work system. The following definition of a sociotechnical system derives from the context of work systems: “The concept of sociotechnical system was established to stress the reciprocal interrelationship between humans and machines and to foster the program of shaping both the technical and social conditions of work, in such a way that efficiency and humanity would not contradict each other” [24,41]. In the work system studies, the sociotechnical includes the following dimensions: 1) two or more persons, interaction with some form of 2) technology, 3) and internal work environment (both physical and cultural), 4) external environment (can include political, regulatory, technological, economic, educational and cultural sub-environments), 5) an organisational design and management subsystems [24]. The example illustrates that sociotechnical thinking includes micro-, meso- and macro aspects and their interconnections.

From work systems studies and organisational design and change management, sociotechnical thinking has spread to other fields and been exploited in various contexts [11]. In the context of information technology, it has been argued that sociotechnical thinking is especially relevant for the design, development, implementation and use of information technology systems. According to Coakes and Coakes [[11], 281], sociotechnical thinking “addresses vital issues in combining the use of powerful information and communication technologies with effective and humanistic use of people.” Hence, the term ‘sociotechnical’ was introduced to capture the interconnections between the social and technological aspects. In a nutshell, sociotechnical can be defined as referring to the interconnectedness and complexity of social and technical systems [24,30].

Different disciplines add new ideas into sociotechnical thinking

Several disciplines have participated in discussions of sociotechnical aspects. Therefore, the sociotechnical concept has different meanings. In social sciences and, particularly, in science and technology studies (STS), the interest has been in analysing how sociotechnical actor-networks, i.e. hybrid actors or actants, are formed. We often see things as social or technical by nature, but STS have shown that things deemed either social or technical are, in fact, a combination of both aspects [25]. When humans make new innovations, they modify knowledge and technological artefacts, as well as their own identities. For instance, new technology requires new competences, experts, new roles and responsibilities, while undermining the role of older experts, thus affecting identities, competences and power relationships within a company. Artefacts have consequences for the ways in which humans relate to each other. Hence, reciprocity and inherent interconnectedness are characteristics of humans and technology in sociotechnical actor-networks. As an example of a sociotechnical phenomenon, we can take road humps. They are designed by engineers to get car drivers to reduce their speed and, thus, to enhance road safety. Car drivers are, however, also affected by their cultural context as well as situational factors. Hence, the end result is a consequence of technical, cultural and psychological factors, i.e. sociotechnical aspects.

Sociotechnical approaches have adopted ideas from general systems theory, for instance that the system consists of interconnected components. Each component is unaware of the behaviour of the whole system and it cannot see the influences of its actions [24]. Furthermore, interconnectedness of different systems generates complexity that is difficult, if not impossible, to govern and regulate. Hence, complexity is inherent in sociotechnical systems thinking. It means that a system as a whole cannot be accurately predicted by knowing the states of the individual elements of the system. Complexity arises from the multiplied networks of relationships, interactions and interconnectedness between the components or subsystems. As a result, the boundaries of systems become obscure [13].

With regard to safety critical organisations, sociotechnical thinking has become highly relevant. Resilience engineering has emphasised the interdependency of system effectiveness, efficiency and safety. If the system is not able to take into account both the technical and social aspects, it will lead to unsuccessful system performance or even accidents in the long run [19,30]. Accident investigations in the high-risk industries have shown that accidents are sociotechnical by nature. Accidents and failures are consequences of interconnections between technical deficiencies, human errors, organisational and inter-organisational problems in communication, lack of regulation, etc. [1,12,26,39]. Technical and social systems (including organisations) and processes are interdependent, which increases complexities and the possibility of negative surprises. These observations have led to the shift in our understanding of safety. Safety is increasingly seen as an emergent phenomenon and a by-product of several interacting systems [18].

This kind of sociotechnical systemic understanding of safety has called for a more integrated and holistic view of safety, and this has also challenged some current regulatory approaches, such as solely looking for compliance with the regulations. Then we can ask: How should regulation be changed, in order to better consider the sociotechnical aspects of safety? It has been demonstrated that a conventional root-cause analysis is an unsuitable tool for capturing the complexity of a sociotechnical system [13,30]. Sociotechnical systems are time-dependent, they change continuously, and therefore it is impossible to trace the situation that existed before the accident. That is also due to the emergent nature of sociotechnical systems [13,30]. The notion of emergence – a characteristic of socio-technical systems – refers to a new kind of relatedness between the systems and subsystems [35]; in addition, it means that sociotechnical systems are in a continuous process of change and, as mentioned, there are difficulties in reconstructing the situation as it was before the accident. Therefore, root-cause analysis may even lead to errors in the management of safety in complex systems [13,30]. One can summarise that, due to complexity and the emergent nature of sociotechnical systems, they embrace the following aspects:

1) Knowledge gained from sociotechnical systems is uncertain.
2) Harms are not easily foreseeable.
3) It is difficult to reconstruct what happened before the accident.
4) Causes for effects are difficult to find (see [13]).

In addition, the sociotechnical approach to safety includes the following dimensions:

1) Safety as an emergent phenomenon.
2) Safety as a by-product of several interacting systems.
3) Safety cannot be separated from the other functions of an organisation; therefore, for instance change management, work process management or project management need to be seen as relevant functions in terms of safety. That requires an integrated understanding of the totality of an organisation. Safety should be seen as an outcome of the success of core functions of the organisation and as consequence of inter-organisational relationships.


3. Understanding the sociotechnical perspectives using recent ideas and approaches regarding risk

Today risk and risk thinking are not pillars for the sociotechnical perspective to safety. It is striking that the sociotechnical literature hardly relates to risk. If risk is being addressed, the motivation is typically to point to the limitations of risk analysis in dealing with sociotechnical systems. There is a huge body of safety and resilience literature stressing the problems of using risk analysis approaches and methods for studying sociotechnical systems (e.g. [20,37,40]). The message is that risk analysis does not work for these systems, as they are complex, and it is not sufficient to base safety management on a set of identified scenarios with associated probability estimates. The argument is that accidents will always occur as a result of some surprising features for this type of system and, hence, reliance on the estimated probability numbers represents a poor strategy for obtaining a high safety level. Instead, the focus should be on building resilient systems, highlighting instruments like strengthening the immune system, diversification, flexible response options, and the improvement of conditions for emergency management and system adaptation [40].

This criticism of risk analysis relates to the traditional perspective on risk analysis. This perspective was developed in the nuclear industry in the 1970s and 80s and is still being adopted in this industry and in most other sectors and application areas. It builds on the following ideas:

1. Risk is characterised by events, scenarios, consequences and probabilities.
2. These probabilities are propensities of the systems studied and need to be estimated. Historical data is seen as the key source for these probabilities. In advanced studies, epistemic uncertainties of these probabilities are also an issue.
3. By proper risk analysis, all important scenarios and events are identified.
4. Risk analysis seeks to accurately estimate risk and describe ‘the truth’ about risk.
5. By using probabilistic modelling and analysis for these scenarios and events, the decision makers are provided with a rational approach for controlling the risk. By meeting some probabilistic limits or criteria, the remaining risk is found to be tolerable or even negligible.

The sociotechnical safety literature has pointed to the limitations of this perspective for handling complex systems. The uncertainties of the knowledge and potential surprises are not captured. In parallel with this criticism, mainly raised by social scientists, there have been developments of this perspective in many directions, also with the intention to better analyse sociotechnical systems, see for example Groth et al. [16] and Luxhøj et al. [34]. There has been a strong criticism of the traditional risk analysis perspective also within the risk analysis community, as commented on in Section 1, pointing to the same type of challenges but also seeking to improve and extend the risk thinking and approaches so that they are better able to deal with the knowledge and surprise aspects of risk (see e.g. [5]). New types of risk analysis frameworks have been developed which deviate from the traditional one on the fundamental thinking of what risk and risk assessment are. The key ideas can be summarised in the following points [2,5]:

a) Uncertainty is a key feature of risk. Probability is used to represent or express uncertainty, but it is just a tool, and it has limitations. It is important to understand these limitations when describing or characterising risk.
b) Any probability judgement is based on a background knowledge K, which needs to be considered an integrated part of the results of the risk analysis. The knowledge can be more or less strong, and even erroneous. Risk related to K needs to be taken into account when considering the significance of the risk analysis results.
c) Knowledge in this context is basically justified beliefs and is often formulated as assumptions.
d) The strength of the knowledge is always an issue. The probability numbers can be the same in two situations, despite the fact that in one case the knowledge is strong and in the other it is weak.
e) It is realised that surprises can and will occur, relative to the knowledge of the analysts (it is common to talk about black swans [6,44]).
f) Risk assessment is the systematic process to identify risk sources, hazards, threats and opportunities; to understand how these can occur and what their consequences can be; to represent and express uncertainties and risk; and to determine the significance of the risk using relevant criteria. Risk assessment intends to characterise what we know and do not know about relevant risk aspects.
g) Risk analysis informs decision makers. There is a leap between the risk analysis and the decision making, due to the limitations of the risk analysis in capturing all aspects of importance for the decision making. The decision makers need to address risk related to the background knowledge of the analysts’ risk characterisations, as well as considering other concerns not captured by the risk analysis (for example costs, reputation, etc.).
h) The cautionary and precautionary principles have important roles in risk management, to ensure that the proper weight is given to uncertainties in the decision making. Weight given to resilience is an example of cautionary thinking.
i) Risk tolerability and acceptance should not be based on probability judgements alone, as risk is more than probability, and concerns other than risk are normally relevant when making decisions related to risk. Pure probability-based risk acceptance (tolerability) criteria should, hence, not be used.

These ideas are more in line with sociotechnical thinking, as will be discussed in the following.

3.1. The link between safety and risk

Among many professionals and researchers within the sociotechnical tradition, it is common to define safety as the absence of accidents (e.g. [28,29]). As a future accident is unknown today, this way of looking at safety means that we cannot refer to low or high safety; we must speak about the probability of the safety being low or high, or the uncertainties about the safety being high or low [7]. It is also common to define safety in relation to risk (e.g. [17,33,43]). However, this idea has been challenged by several researchers, including Möller et al. [36], who conclude that it is essential to go beyond the view that safety is the antonym of risk. Aven [8] provides a thorough analysis of this topic and argues that, for some risk conceptualisations and perspectives, which highlight uncertainties beyond probabilities, it is possible to see safety as the antonym of risk. This is also in line with the definitions adopted by the new SRA [43] glossary, which defines:

Safe: Without unacceptable risk

Safety: Interpreted in the same way as safe (for example when saying that safety is achieved) or the antonym of risk (the safety level is linked to the risk level: a high safety level means a low risk and vice versa)

This way of looking at safe and safety would not work when considering risk in line with the traditional approach summarised above, where risk is associated with probability, as uncertainties are not properly reflected in the risk concept [8,36]. However, when building on the new risk perspectives as outlined above, the uncertainty dimension is captured, and we obtain a link, as described by the definitions of the SRA glossary. It is recognised that being safe is a subjective judgement, dependent on institutional processes to determine what is acceptable risk and what is not.


3.2. Uncertainties of the knowledge and potential surprises

To a large extent, the traditional perspectives on risk build on historical data and probability judgements, and conclusions on the acceptability of solutions are often made directly on the basis of derived probabilities. The risk associated with the knowledge supporting these probabilities is not addressed or captured by the analyses. For the new risk perspectives, this type of risk is, however, a major issue. Consider the following example linked to offshore operations. The example relates to a leakage at the Heimdal installation on May 26, 2012 [38]. During the testing of two emergency shutdown valves, a hydrocarbon leak of about 3500 kg and an initial leak rate of about 17 kg/s occurred. The relevant pipe section was designed according to an older design practice, in which the order of operation of the three valves was critical. The last valve to the flare was opened last, which resulted in the pipe being subjected to higher pressure than designed for, and the leakage occurred. Such a design is not in accordance with recent normal design practice (NORSOK). The analysis team based their judgements on an erroneous assumption.

From a sociotechnical perspective, this is an example of a surprise that occurs on a complex offshore installation. Risk analysis struggles to identify all the relevant scenarios. There is risk associated with the knowledge on which the analyses are based. In this case, there was risk linked to the key assumption made by the analyst team: that the system was a standard design and the order of closing of the valves was not important. In adopting the new risk perspective, focus is placed on this knowledge, the key beliefs and the assumptions on which the analysis judgements are founded. The strength of this knowledge is assessed and, in particular, the potential for deviations from these beliefs and assumptions. This does not of course guarantee that all such potential surprises are revealed. However, it increases the chances that some of them are. It is realised that all are difficult to foresee – it is a complex system and it is difficult to predict what will happen. With hindsight, it is easy to explain what happened: that this assumption was wrong. It is more difficult to identify in advance, when facing a large number of situations involving many elements connected in intricate ways. Hence, we cannot build safety only on the basis of risk judgements, even if they are very thoroughly performed and stress the knowledge and surprise dimension as outlined. The new risk perspectives are fully in line here with the sociotechnical perspective. We also need to build on robustness and resilient thinking, as will be discussed in the coming section.

3.3. The need for robustness and resilience-based thinking

Surprises occur, and we need to construct the systems in such a way that they can meet these. This is exactly what sociotechnical thinking prescribes, and resilience based approaches are put forward as effective means in this regard (e.g. [19]). There are many definitions of resilience, but the basic idea is that resilience is concerned with the ability of a system to sustain or restore its basic functionality following some level of stressors (events) [43]. Resilience management (engineering) can be conducted without considering risk, and there are advocators of this perspective who see resilience management as replacing risk management. However, a more common view is to see risk management and resilience management as supplementing instruments; see discussion in, for example, Park et al. [37], Linkov et al. [32] and Aven [4]. Clearly, we do not need to identify all possible hazards and threats and assess their probability, in order to understand that specific resilience arrangements and measures will be useful in many cases. However, some types of risk assessments are useful for supporting the resilience analysis and management, as discussed by Aven [4]. In practice, we face resource limitations; we have to prioritise – where should we improve the resilience? There could be a large number of areas in which the resilience can be improved, but which should we select and give weight to? Many resilience metrics exist, but a basic feature of risk is not reflected by these: what stressors will in fact occur? With respect to some stressors, the system studied may have shown itself to be resilient in the sense that it is able to recover and sustain its functions. However, for other stressors, the system may not be resilient, and, when facing the future, it may turn out that the system will also experience problems when encountering other stressors, of known or unknown type. Aven [4] argues that resilience analysis can benefit from the new risk perspectives by performing some type of risk assessments for the occurrences of the stressors, not aiming at accurate estimates of their occurrences but searching for insights by

i) “Making a judgement of the type of stressors that can occur, what we know and do not know (highlighting key assumptions and justified beliefs).
ii) Making a distinction between known types of stressors, unknown types of stressors, and surprising stressors.
iii) Assessing the probability for these types of stressors and other unknown events and quantities whenever found meaningful (using subjective probabilities or subjective interval probabilities).
iv) Assessing the strength of knowledge supporting these judgements. How can the knowledge be strengthened?
v) Conducting assessments to reveal unknown and surprising stressors.” [4]

Included in such assessments there is also a need to study the type of stressors to which the system is susceptible or vulnerable. It is also worth mentioning that risk assessment and management can supplement resilience analysis and management by performing research into stressors and threats. Through such studies, new insights may be gained; for example, unknown and potentially surprising types of events could be identified, and new “cause-effect” relationships could be revealed. Concrete and effective measures can then be developed to meet these stressors. By studying why certain infections occur, more effective measures can be developed than if the focus is limited to how to make the body withstand infections in general [4]. The new risk perspectives can also benefit the resilience analysis, given specific stressors. The idea is to consider risk in relation to not meeting the objective “recovery”, with associated uncertainties characterised in a suitable way. The incorporation of knowledge and strength of knowledge judgements will add an important feature to these resilience studies and management.

4. Implications for risk and safety regulations

In this section we discuss how risk and safety regulations can be improved by following up the insights developed in the previous sections. For short, we refer to these insights as the “integrated sociotechnical and risk perspective”. There are some reflections upon what sociotechnical safety regulation would entail [27,47]. Firstly, these suggestions refer to the need to go beyond compliance with the regulations, since compliance does not guarantee safe performance in complex emerging situations. Secondly, sociotechnical safety regulation would require broad cooperation between different experts, so that various views and alternatives would be taken into account. Thirdly, sociotechnical regulation would require understanding of macro-level economic and political aspects, as well as meso-level interfaces within an organisation and between the organisations, not to mention micro-level individual workloads, for instance. Fourthly, closely related to the previous point, sociotechnical regulation entails a need to understand the realities of daily work at the plants, because it may often be that, rather than taking into account the complex realities of the organisation and work conditions, the regulations simplify them, which may imply that it is impossible to comply with the regulations. Everyday life creates constraints on compliance. Only by taking into account these aspects, can one obtain a broad and holistic understanding of the functioning of the organisation. It has been recommended that, in order to improve sociotechnical safety assessment, attention needs to be paid to issues like external pressures in the organisation, changes in laws, the safety effects of organisational and technological changes, understanding of the overall situation and the potential dangers in the organisation, and the promotion of safety culture within the organisation, as proactive means to face complexities [47].

The new risk perspectives with the resilience emphasis fit well with the above-mentioned recommendations and provide relevant input to enhance sociotechnical safety assessment. Risk assessment that identifies organisational and inter-organisational vulnerabilities is valuable and helps in concentrating efforts on certain goals within a wide range of targets. Anticipation of future threats is an important part of resilience thinking, and risk analysis, according to the new risk perspectives, contributes to meeting the anticipation task. We find that the sociotechnical safety regulation will be enhanced by adopting and applying a new risk perspective. Existing regulatory frameworks can be gradually developed to be in line with such a perspective and then also with the sociotechnical ideas.

Adoption of a new risk perspective would entail the following. Regulators need to establish suitable broad frameworks for the risk assessment and management to be able to reflect this perspective and, particularly, the uncertainties and surprise aspects of risk. Robustness and resilience constitute key pillars of these frameworks, as well as participation and dialogue, in addition to risk-informed analysis and management. Robustness and resilience analysis and management supplement risk assessments. Compared to current regulations, there is a need to broaden the risk-related concepts to be in line with the ‘integrated sociotechnical and risk perspective’. As discussed in Section 3, the common probability-based frameworks are not suitable. The risk assessments and management need to understand and reflect that systems could be complex.
Broad risk assessment should be conducted in order to analyse and determine the proper level of robustness and resilience, and ensure efficient use of resources [4]. Modelling and analysis of complex systems are considered useful despite the difficulties in obtaining accurate predictions, provided the modelling and analysis are properly framed and conducted; see the discussions in Cilliers [10] and Jensen and Aven [23].

Regulatory regimes need to be revised to reflect the ‘integrated sociotechnical and risk perspective’. This would entail the creation of consistent regulation by providing some general level of guidance for regulators. It would describe the fundamental principles for the risk and safety regulations, covering issues on, for example, risk reduction, risk assessment, and risk acceptance and tolerability. Today’s regulations often have a focus on verification that risk is tolerable or acceptable, using some pre-defined probabilistic criteria or limits. However, the ‘integrated sociotechnical and risk perspective’ requires a different approach, which reflects that risk is more than probabilities.

In more general terms, the ‘integrated sociotechnical and risk perspective’ would mean a shift in thinking from a compliance focus – often with one-dimensional criteria and requirements – to processes, acknowledging that risk and safety require broad judgements, which also need to take into account intangible aspects concerning uncertainties and potential surprises. Such processes can better understand the realities of complex operations and activities, with the many constraints that different members of an organisation face when taking care of their everyday work duties. Attention can be directed to the main organisational functions and activities, such as change management and work process management, which affect whether work is organised in a manageable way.
These functions directly or indirectly affect whether and how members of the organisation can fulfil safety criteria or requirements.

The ‘integrated sociotechnical and risk perspective’ would encourage the development of broad processes characterising and discussing risk, for example forums mixing technical and social competences. Such forums could also include different types of stakeholders, as is the case for example in the Norwegian oil and gas industry [9,31,42]. It also motivates work highlighting a safety culture and the enhancement of organisational performance. An example is the concept of “institutional strength-in-depth”, recently introduced by the international expert group of the International Atomic Energy Agency [21]. Based on the lessons learned from the Fukushima accident, the expert group stressed the importance of openness and transparency inside and between different subsystems (industry, regulators and stakeholders) of the overall national framework, so that people belonging to different subsystems can challenge the existing practices and suggest ways of improving current approaches and methods. The goal is to create a robust nuclear safety system that ensures that safety standards and tools are applied efficiently and also that new tools and practices are created. The aim is to extend the principle of technical defence-in-depth to an institutional context.

The ‘integrated sociotechnical and risk perspective’ would in fact also encourage the development of broad processes, discussing the role and basic features of the regulation of risk and safety in society. For proper development to take place, there is a need for dialogue and for arguments to be tested.

5. Conclusions

The ‘sociotechnical perspectives on safety’ are commonly considered to be an alternative to risk assessment and management. The present paper argues that these perspectives are not in conflict but supplement each other. However, this harmony requires the adoption of broader risk perspectives than the traditional probability-based ones supporting quantitative risk assessments (QRAs) and probabilistic risk assessments (PRAs). In these broader perspectives on risk, uncertainty and knowledge are key pillars, which allow for an appreciation of the key aspects of the ‘sociotechnical perspectives on safety’, including the difficulties in predicting the performance of complex systems and reflecting potential surprises. We argue in the paper that these perspectives on risk provide a conceptual platform for the ‘sociotechnical perspectives on safety’.

Today, the new risk perspectives are only to some extent implemented in practice. The same is the case for the ‘sociotechnical perspectives on safety’. We consider the arguments for both to be strong, but the traditional risk analysis thinking, as defined in Section 3, still prevails. The ‘integrated sociotechnical and risk perspective’ represents a further strengthening of the rationale for making changes in current risk management and regulation regimes. This rationale relates to theoretical reasoning, as well as to practical methods for how to carry out a shift in thinking and approaches. We see that changes are continuously made in risk management and regulations in the direction of the ‘sociotechnical perspectives on safety’, but there are many obstacles and the developments are rather few and slow. Frequently, we meet very narrow ideas of risk and safety, expressing for example that probability times losses provides the key guidance for decision makers. It seems very difficult to change current thinking about risk and safety, despite the evidence showing its unsuitability. The issue is a fundamental one, related to the role and position of the risk and safety fields in society. There are reasons to believe that as long as these fields are not broadly recognised as sciences per se, fundamental changes are not likely to happen; see the discussion in Aven [2,3].

Acknowledgements

The authors are grateful to three anonymous reviewers for their useful comments and suggestions to the original version of this paper. For Terje Aven, the work has been partly funded by the Norwegian Research Council as a part of the Petromaks 2 program under grant number 233971. The support is gratefully acknowledged.

References

[1] Allocco M. Safety analyses of complex systems. New York: Wiley; 2010.
[2] Aven T. An emerging new risk analysis science: foundations and implications. Risk Anal 2018 Open access. doi:10.1111/risa.12899.


[3] Aven T. What defines us as professionals in the field of risk analysis. Risk Anal 2017;37(5):854–60.
[4] Aven T. How some types of risk assessments can support resilience analysis and management. Reliab Eng Syst Saf 2017;167:536–43.
[5] Aven T. Risk assessment and risk management: review of recent advances on their foundation. Eur J Oper Res 2016;25:1–13 Open access.
[6] Aven T. Implications of black swans to the foundations and practice of risk assessment and management. Reliab Eng Syst Saf 2015;134:83–91 Open access.
[7] Aven T. What is safety science. Saf Sci 2014;67:15–20.
[8] Aven T. Safety is the antonym of risk for some perspectives of risk. Saf Sci 2009;47(7):925–30.
[9] Bang P, Thuestad O. Government-enforced self-regulation: the Norwegian CASE. Risk governance of offshore oil and gas operations. Lindøe P, Baram M, Renn O, editors. Cambridge, USA: Cambridge University Press; 2014.
[10] Cilliers P. Why we cannot know complex things completely. Emergence 2002;4(1/2):77–84.
[11] Coakes E, Coakes JA. Meta-analysis of the direction and state of sociotechnical research in a range of disciplines: for practitioners and academics; 2011. Available at: https://www.igi-global.com/chapter/meta-analysisdirection-state-sociotechnical/52207?camid=4v1. Accessed October 25, 2017.
[12] Dekker S. The field guide to human error investigations. Aldershot, UK: Ashgate; 2002.
[13] Dekker S, Cilliers P, Hofmeyr JH. The complexity of failure: implications of complexity theory for safety investigations. Saf Sci 2011;49(6):939–45.
[14] Emery FE, Trist EL. Socio-technical systems. In: Churchman CW, Verhulst M, editors. Management science, models and techniques, Vol. 2. Pergamon Press; 1960. p. 83–97.
[15] Gooday G. Re writing the ‘book of blots’: critical reflections on histories of technological ‘failure’. Hist Technol 1998;14(4):265–91.
[16] Groth K, Wang C, Mosleh A. Hybrid causal methodology and software platform for probabilistic risk assessment and safety monitoring of socio-technical systems. Reliab Eng Syst Saf 2010;95(12):1276–85.
[17] Harms-Ringdahl L. Safety analysis – principles and practice in occupational safety. (Second edition). London: Taylor & Francis; 2001.
[18] Hollnagel E. Safety-I and safety-II. Past and future of safety management. Farnham: Ashgate; 2014.
[19] Hollnagel E, Pariès J, Woods DD, Wreathall J. Resilience engineering in practice. A guidebook. Surrey: Ashgate; 2011.
[20] Hollnagel E, Woods DD, Leveson N. Resilience engineering: concepts and precepts. Aldershot, UK: Ashgate; 2006.
[21] INSAG-27. Ensuring robust national nuclear safety systems—institutional strength-in-depth. International Atomic Energy Agency, Vienna; 2017.
[22] Jasanoff S. Bridging the two cultures of risk analysis. Risk Anal 1993;13(2):123–9.
[23] Jensen A, Aven T. A new definition of complexity in a risk analysis setting. Reliab Eng Syst Saf 2018;171:169–73.
[24] Kleiner BM, Hettinger LJ, Dejoy DM, Huang Yuang-Hsiang, Love PED. Sociotechnical attributes of safe and unsafe work systems. Ergonomics, Apr 3 2015;58(4):635–49. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4566878/#cit0022.
[25] Latour B. Science in action. Cambridge, Mass: Harvard University Press; 1987.
[26] Le Coze JC. Managing the unexpected. Handbook for safety principles. Moller N, Hanson S, editors. London: Routledge; 2016.
[27] Le Coze JC, Pettersen K, Engen OA, Morsut K, Skotnes R, Ylönen M, Heikkilä J, Merlele-Coze I. Sociotechnical systems theory and the regulation of safety in high-risk industries–White paper. VTT Technology; 2017. p. 293.
[28] Leveson NG. Software. Reading, MA: Addison-Wesley; 1995.
[29] Leveson NG. A new accident model for engineering safer systems. Saf Sci 2004;42(4):237–70.
[30] Leveson N. Engineering a safer world: systems thinking applied to safety. Cambridge, MA: The MIT Press; 2012.
[31] Lindøe P, Engen OA. Offshore safety regimes – a contested terrain. The regulation of continental shelf development Rethinking international standards. Nordquist M, More JN, Chircop A, Long R, editors. Martinus Nijhoff Publishers; 2013.
[32] Linkov I, Trump BD, Fox-Lent C. Resilience: approaches to risk analysis and governance: an introduction to the IRGC resource guide on resilience. IRGC resource guide on resilience. Linkov I, Florin M-V, editors; 2016. Retrieved from https://www.irgc.org/risk-governance/resilience/ Accessed January 16, 2017.
[33] Lowrance W. Of acceptable risk – science and the determination of safety. Los Altos, CA: William Kaufmann Inc; 1976.
[34] Luxhøj JT, Joyce W, Luxhøj C. A ConOps derived UAS safety risk model. J Risk Res 2017. https://doi.org/10.1080/13669877.2017.1409253.
[35] Morgan CL. Emergent evolution. London: Williams and Norgate; 1923.
[36] Möller N, Hansson SO, Person M. Safety is more than the antonym of risk. J Appl Philos 2006;23:419–32.
[37] Park J, Seager TP, Rao PSC, Convertino M, Linkov I. Integrating risk and resilience approaches to catastrophe management in engineering systems. Risk Anal 2013;33(3):356–67.
[38] PSA-N (2012) Rapport etter gransking av hydrokarbonlekkasje på Heimdal 26.5.2012 [Report following the investigation of the hydrocarbon leakage on Heimdal 26 May 2012] (In Norwegian). Stavanger: Petroleum Safety Authority Norway.
[39] James. Managing the risks of organizational accidents. Aldershot: Ashgate; 1997.
[40] Renn O. Risk governance: coping with uncertainty in a complex world. London: Earthscan; 2008.
[41] Ropohl G. Philosophy of socio-technical systems. Techne: Res Philos Technol 1999;4(3):186–94.
[42] Rosness R, Forseth U. Boxing and dancing: tripartite collaboration as an integral part of a regulatory regime. Risk governance of offshore oil and gas operations. Lindøe P, Baram M, Renn O, editors. Cambridge, MA: Cambridge University Press; 2014.
[43] SRA. Glossary society for risk analysis; 2015 www.sra.com/resources Accessed October 17, 2017.
[44] Taleb NN. The black swan: the impact of the highly improbable. London: Penguin; 2007.
[45] Trist EL, Bamforth KW. Some social and psychological consequences of the longwall method of coal-getting: an examination of the psychological situation and defences of a work group in relation to the social structure and technological content of the work system. Hum Relat 1951;4(1):3–38.
[46] Wynne B. Unruly technology: practical rules, impractical discourses and public understanding. Soc Stud Sci 1988;18(1):147–67.
[47] Ylönen M, Engen OA, Le Coze JC, Heikkilä J, Skotnes R, Pettersen K, Morsut K. Sociotechnical safety assessment within three risk regulation regimes. VTT Technology; 2017. p. 295.
