John L Jerz Website II Copyright (c) 2014

Pragmatic Resilience (Lundberg, Johansson, 2007)


Jonas Lundberg, Bjorn Johansson

http://www.ep.liu.se/ecp/023/006/ecp2307006.pdf

Abstract. There are different approaches to achieving persistence in system safety functions in the face of disturbances. Whereas some systems strive towards only maintaining stability of one stable state of maximum performance, other systems also rely on resilience, on the ability to make transitions to other stable states, of lower performance, when facing changes to driving variables or state variables. We discuss three kinds of systems, stable, bi-stable, and multi-stable systems, and their persistence when facing regular, irregular, and unexampled events.

"If a system is to be considered as 'safe', it needs to present stable characteristics in the face of regular events, a mixture of resilience and stability in the face of irregular events and finally high resilience when facing the unexampled... a 'safe' system must match the variety of its environment, as in the case of the law of requisite variety described by Ashby (1956). Different types of systems have different abilities to do this by practically coping with changes in the environment (McDonald, 2006)."

JLJ - pragmatic resilience is exactly what you want when playing a social game. What can we apply from this wisdom to game theory? Perhaps the next question to ask, isn't "strategic resilience" what we are really after? The pragmatic should become more or less strategic when operating in a situation of conflict.

p.37 The aim of resilience engineering is to achieve persistence in systems functions in the face of disturbances. In particular, we are interested in persistence of the safety functions of the system. The focus thus lay on persistence of functions, rather than persistence of physical components that realize the functions. When engineering the resilience of a system, it is vital to balance the ability to achieve stability in the face of regular disturbances and threats, with the ability to achieve adaptive behavior when facing more irregular or unexampled events (Lundberg & Johansson, 2006). That can be summarized as

  • The ability to respond, quickly and efficiently, to regular disturbances and threats.
  • The ability continuously to monitor for irregular disturbances and threats, and to revise the basis for the monitoring when needed.
  • The ability to anticipate future changes in the environment that may affect the system's ability to function, and the willingness to prepare against these changes even if the outcome is uncertain.

p.37 To engineer resilience, we need to know something about the variables we wish to control, and something about the variables that might be in flux... When ecologists use the term resilience, the variables that describe the system are called state variables, and those state variables that affect other variables, are called driving variables.

p.38 The ability to make transitions between different functional states is essential for anyone that aims at creating a viable system. But the system characteristics promoting this ability must also be created and maintained. The driving force behind this, or the 'driving variable', is, in theory, safety. By creating barriers, redundancy and capacity for coping with different kinds of events, we improve stability and resilience.

p.39 We consider stable states to be states where the system has some level of functioning, whereas the alternative is states of functional extinction. The levels of performance may differ between stable states, and we assume that most systems strive towards states of as high performance as possible, while still being safe.

p.39-40 Firstly, we have the stable system. Here, stability is increased by defenses such as barriers that deflect damage, and by having spare resources, giving slack to the system. For instance, there might be resources for buying new kinds of equipment, or many spare parts for equipment. The idea here is to re-establish the previous control organization as soon as possible. This system does not adapt to unknown circumstances, only to the previously foreseen. The resources are driving variables, whereas items and people in the system are state variables. The key characteristic of a stable system is that it is stable in relation to one state, to which it constantly tries to come back.

Second, we have the bi-stable system. This system may for instance be prepared for a loss of hierarchical control, where top level nodes are lost. The preparation could for instance consist of exercises in independent actions of remaining nodes, and establishment of cooperation between nodes. The state of instability is the transition stage, during which the functionality is not working as in the stable states. In this example, the state of instability might persist, if also one or more of the lower level nodes are damaged. The system can thus strive towards a limited set of different states, depending on damage to the state variables. Driving variables of the transitions are for instance resources and redundancy of skills to take up the roles needed for the alternative states.

Third, we have multi-stable systems. For instance, rescue services might need many different kinds of configurations, depending on the situation they face. Preparation is also in this case exercises in establishing different organizational setups, but it is done more thoroughly than in the preceding case. A multi-stable system can thus adapt to a number of different states. In this case, the driving variables are things like the economical resources for achieving more external resources, and the state variables are associated with the size of the event. If the size of the event surpasses the ability of the organization, it might lose functionality, to the extent of complete loss of functionality (extinction). Another typical characteristic of multi-stable systems is the ability to re-configure, or join up with other systems, forming an ad-hoc configuration with different capacities than the individual parts. The system might also be able to invent new ways of coping, increasing its performance.

p.40 Systems may be subjected to events that affect the state variables or the driving variables. Ron Westrum describes three different types of events that can be related to resilience, regular, irregular and unexampled events (Westrum, 2006). The regular event is well-known, for example machine failure or bad weather. Irregular events are possible to imagine, but are normally so rare (or expensive to handle) that little specific preparation is taken. Earthquakes, large fires or chemical outlets are typically mentioned as examples of irregular events. Unexampled events are so rare that normally no organized mechanisms for coping with them exist. The 9/11 terrorist bombing or the flooding of New Orleans are often mentioned as examples of unexampled events. If a system is to be considered as 'safe', it needs to present stable characteristics in the face of regular events, a mixture of resilience and stability in the face of irregular events and finally high resilience when facing the unexampled.

p.40 a 'safe' system must match the variety of its environment, as in the case of the law of requisite variety described by Ashby (1956). Different types of systems have different abilities to do this by practically coping with changes in the environment (McDonald, 2006).

p.40 To engineer resilient systems in the face of regular, irregular, and unexampled events, we need strategies for engineering state transitions, and for monitoring the driving variables that make safe state transitions possible.

p.41 we can never be completely safe. However, we can strive towards maximizing the safety of each system that we in practice can affect. Epstein pointed out the logical problem that resilience is something that cannot be measured until the fact of impact (Epstein, 2006). This is true in one sense, but not very helpful from a resilience engineering perspective. Instead, we suggest another approach: on the one hand, we may be unable to foresee some kind of events, like unexampled ones. On the other hand, we can always ask ourselves what will happen if a system is exposed to a disturbance or loses its intended functional state, regardless of the cause. Since we are aware that things that cannot be predicted are bound to happen it is far easier to simply try to describe what happens if one or more stable states are lost than to try to predict all possible disturbances and prepare for them. As long as some possible state to move to exists, the system at least has a theoretical possibility to survive. [JLJ - another approach is to ask ourselves, what typically happens, given the richly-detailed cues present in the environment, and the various plausible ways (that we can foresee) to proceed? When driving a car, we maintain a following distance between our vehicle and the car in front of us, because something might happen that we did not foresee, which might cause an accident. Perhaps pragmatic resilience is the intelligent collection and deployment of similar concepts (air bags, seat belts, soft dashboards, steel bars giving crash protection, intelligent warning systems, mirrors, anti-lock brakes, two-piston master cylinder, etc.).]