On the writing styles of some resilience engineering researchers

This post is a brief meditation in the writing styles of four luminaries in the field of resilience engineering: Drs. Erik Hollnagel, David Woods, Sidney Dekker, and Richard Cook.

This post was inspired by a conversation I had with my colleague J. Paul Reed. You can find links to papers by these authors at resiliencepapers.club.

Erik Hollnagel – the framework builder

Hollnagel often writes about frameworks or models. A framework is the sort of thing that you would illustrate with a box and arrow diagram, or a table with two or three columns. Here are some examples of Hollnagellian frameworks:

Safety-I vs. Safety-II
Functional Resonance Analysis Method (FRAM)
Resilience Analysis Grid (RAG)
Contextual Control Model (COCOM)
Cognitive Reliability and Error Analysis Method (CREAM)

Of the four researchers, Hollnagel’s writings read the most like traditional academic writing. Even his book Joint Cognitive Systems: Foundations of Cognitive Systems Engineering feels like something out of an academic journal. Of the four authors, he is the one I struggle the most with to gain insight from. Ironically, one of my favorite concepts I learned from him, the ETTO principle, is presented more as a pattern in the style of Woods, as described below.

David Woods – the pattern oracle

I believe that a primary goal of academic research is to identify patterns in the world that had not been recognized before. By this measure, David Woods is the most productive researcher I have encountered, in any field! Again and again, Woods identifies patterns inherent in the nature of how humans work and interact with technology, by looking across an extremely broad range of human activity, from power plant controllers to astronauts to medical doctors. Gaining insight from his work is like discovering there’s a white arrow in the FedEx logo: you never imagined it was before it was pointed out, and now that you know it’s impossible not to see.

These patterns are necessarily high-level, and Woods invents new vocabulary out of whole cloth to capture these new concepts. His writing contains terms like anomaly response, joint cognitive systems, graceful extensibility, units of adaptive behavior, net adaptive value, crunches, competence envelopes, dynamic fault management, adaptive stalls, and veils of fluency.

In Woods’s writing, he often introduces or references many new concepts, and writes about how they interact with each other. This style of writing tends to be very abstract. I’ve found that if I can map the concepts back into my own experiences in the software world, then I’m able to internalize them and they become powerful tools in my conceptual toolbox. But if I can’t make the connection, then I find it hard to find a handhold in scaling his writing. It wasn’t until I watched his video lectures, where he discussed many concrete examples, that I was able to really to understand many of his concepts.

Sidney Dekker – the public intellectual

Of the four researchers, Dekker produces the most amount of work written for a lay audience. My entrance into the world of resilience engineering was through his book Drift into Failure. Dekker’s writings in these books tend toward the philosophical, but they don’t read like academic philosophy papers. Rather, it’s more of the “big idea” kind of writing, similar in spirit (although not in tone) to the kinds of books that Nassim Taleb writes. In that sense, Dekker’s writing can go even broader than Woods’s, as Dekker muses on the perception of reality. He is the only one I can imagine writing books with titles such as Just Culture, The Safety Anarchist, or The End of Heaven.

Dekker often writes about how different worldviews shape our understanding of safety. For example, one of his more well-known papers contrasts “new” and “old” views on the nature of human error. In Drift Into Failure, he write about the Newtonian-Cartesian worldview and contrast it with a systems perspective. But he doesn’t present these worldviews as frameworks in the way that Hollnagel would. They are less structured, more qualitatively elaborated.

I’m a fan of the “big idea” style of non-fiction writing, and I was enormously influenced by Drift into Failure, which I found extremely readable. However, I’m particularly receptive to this style of writing, and most of my colleagues tend to prefer his Field Guide to Understanding ‘Human Error’, which is more practical.

Richard Cook – the raconteur

Cook’s most famous paper is likely How Complex Systems Fail, but that style of writing isn’t what comes to mind when I think of Cook (that paper is more of a Woods-ian identification of patterns).

Cook is the anti-Hollnagel: where Hollnagel constructs general frameworks, Cook elaborates the details of specific cases. He’s a storyteller, who is able to use stories to teach the reader about larger truths.

Many of Cook’s papers examine work in the domain of medicine. Because Cook has a medical background (he was a practicing anesthesiologist before he was a researcher), he has deep knowledge of that domain and is able to use it to great effect in his analysis on the interactions between humans, technology, and work. A great example of this is how his paper on the allocation of ICU beds in Being Bumpable. His Re-Deploy talk entitled The Resilience of Bone and Resilience Engineering is another example of leveraging the details of a specific case to illustrate broader concepts.

Of the four authors, I think that Cook is the one who is most effective at using specific cases to explain complex concepts. He functions almost as interpreter for grounding Woods-ian concepts in concrete practice. It’s a style of writing that I aspire to. After all, there’s no more effective way to communicate than to tell a good story.

Chasing down the blipperdoodles

To a first approximation, there are two classes of automated alerts:

A human needs to look at this as soon as possible (page the on-call!)
A human should eventually investigate, but it isn’t urgent (email-only alert)

This post is about the second category. These are events like the error spikes that happened at 2am that can wait until business hours to look into.

When I was on the CORE¹ team, one of the responsibilities of team members was to investigate these non-urgent alert emails. The team colorfully referred to them as blipperdoodles², presumably because they look like blips on the dashboard.

I didn’t enjoy this part of the work. Blipperdoodles can be a pain to track down, are often not actionable (e.g., networking transient), and, in the tougher cases, are downright impossible to make sense of. This means that the work feels largely unsatisfying. As a software engineer, I’ve felt a powerful instinct to dismiss transient errors, often with a joke about cosmic rays.

But I’ve really come around on the value of chasing down blipperdoodles. Looking back, they gave me an opportunity to practice doing diagnostic work, in a low-stakes environment. There’s little pressure on you when you’re doing this work, and if something more urgent comes up, the norms of the team allow you to abandon your investigation. After all, it’s just a blipperdoodle.

Blipperdoodles also tend to be a good mix of simple and difficult. Some of them are common enough that experienced engineers can diagnose them by the shape of the graphs. Others are so hard that an engineer has to admit defeat once they reach their self-imposed timebox for the investigation. Most are in between.

Chasing blipperdoodles is a form of operational training. And while it may be frustrating to spend your time tracking down anomalies, you’ll appreciate the skills you’ve developed when the heat is on, which is what happens when everything is on fire.

¹ CORE stands for Critical Operations & Reliability Engineering. They’re the centralized incident management team at Netflix.

²I believe Brian Trump coined the term.

The inevitable double bind

Here are three recent COVID-19 news stories:

Here's the story of one young doctor tried to get ahead of the coronavirus by developing his own test—and the red tape that stopped him.

My latest.https://t.co/eQHe6Uc2RU
— Julia Ioffe (@juliaioffe) March 16, 2020

some of the nation's largest banks lagged behind relatively tiny rivals in handling applications for the SBA's #PPPloans program. scoop here: https://t.co/0i8iaDtMGn
— Hannah Levitt (@hannahlevitt) April 17, 2020

Dozens of coronavirus antibody tests on the market were never vetted by the FDA, leading to accuracy concerns. “Having many inaccurate tests is worse than having no tests at all,” says one testing expert. https://t.co/MS1cLv7G3Q @lauriemcginley2
— Laurie McGinley (@lauriemcginley2) April 19, 2020

The first two stories are about large organizations (the FDA, large banks) moving too slowly in order to comply with regulations. The third story is about the risks of the FDA moving too quickly.

Whenever an agent is under pressure to simultaneously act quickly and carefully, they are faced with a double-bind. If they proceed quickly and something goes wrong, they will be faulted for not being careful enough. If they proceed carefully and something goes wrong, they will be faulted for not moving quickly enough.

In hindsight, it’s easy to identify who wasn’t quick enough and who wasn’t careful enough. But if you want to understand how agents make these decisions, you need to understand the multiple pressures that agents experience, because they are trading these off. You also need to understand what information they had available at the time, as well as their previous experiences. I thought this observation of the behavior of the banks was particularly insightful.

But it does tell a more general story about the big banks, that they have invested so much in at least the formalities of compliance that they have become worse than small banks at making loans to new customers.
Matt Levine

Reactions to previous incidents have unintended consequences to the future. The conclusion to draw here isn’t that “the banks are now overregulated”. Rather, it’s that double binds are unavoidable: we can’t eliminate them by adding or removing regulations. There’s no perfect knob setting where they don’t happen anymore.

Once we accept that double binds are inevitable, we can shift of our focus away from just adjusting the knob and towards work that will prepare agents to make more effective decisions when they inevitably encounter the next double bind.

Embracing the beautiful mess

Nobody likes a mess. Especially in the world of software engineering, we always strive to build well-structured systems. No one ever sets out to build a big ball of mud.

Alas, we are constantly reminded that the systems we work in are messier than we’d like. This messiness often comes to light in the wake of an incident, when we dig in to understand what happened. Invariably, we find that the people are a particularly messy part of the overall system, that the actions that they take contribute to incidents. In the wake of the incident, we identify follow-up work that we hope will bring more order, less mess, into our world. What we miss, though, is the role that the messy nature of our systems play in keeping things working.

When I use the term system here, I mean it in the broader sense of a socio-technical system that includes both the technological elements (software, hardware) and the humans involved, the operators in particular.

Yes, there are neat, well-designed structures in place that help keep our system healthy: elements that include automated integration tests, canary deployments, and staffed on-call rotations. But complementing those structures are informal layers of defense provided by the people in our system. These are the teammates who are not on-call but jump in to help, or folks who just happen to lurk in Slack channels and provide key context at the right moment, to either help diagnose an incident or prevent one from happening in the first place.

This informal, messy system of defense is like a dynamic, overlapping patchwork. And sometimes this system fails: for example, a person who would normally chime in with relevant information happens to be out of the office that day. Or, someone takes an action which, under typical circumstances, would be beneficial, but under the specific circumstances of the incident, actually made things worse.

We would never set out to design a socio-technical system the way our systems actually are. Yet, these organic, messy systems actually work better than the neat, orderly systems that engineers dream of, because of how the messy system leverages human expertise.

It’s tempting to bemoan messiness, and to always try to reduce it. And, yes, messiness can be an indicator of problems in the system: for example, people using workarounds instead of how the system was intended to be used are an example of a kind of messiness that points to a shortcoming in our system.

But the human messiness we see under the ugly light of failure is the messiness that actually helps keep the system up and running when that light isn’t shining. If we want to get better at keeping our systems up and running, we need to understand what the mess looks like when things are actually working. We need to learn to embrace the mess. Because there’s beauty in that mess, the beauty of a system that keeps on running day after day.