Redundancy as a Design Principle and an Operating Principle
Risk Analysis, Vol. 24, No. 4, 2004
John S. Carroll∗
to the design, equipment was allowed to deteriorate, repairs were not made in a timely fashion, operators and maintenance personnel worked in ways that designers had not considered, and unanticipated technical challenges emerged (e.g., stress corrosion cracking, outage risk). In contrast to design logics, operating logics demand continual alertness, maintenance of doubt (Schulman, 1993), heedful interrelating (Weick et al., 1999), and resilience in the face of surprise (Wildavsky, 1988). This means that plants are both less safe and more safe than we calculate: less safe because hidden traps or "latent defects" (Reason, 1990) are widespread, and more safe because people can improvise to handle risks and manage problems in creative and unplanned ways (e.g., using fire hoses to provide cooling water when all cooling pumps were disabled).

Thus, there is no exact answer to the question of how many guards are needed at a nuclear facility. Given a predictable threat (three outside attackers and one insider) and a set of assumptions (well-trained guards who react appropriately, attackers who follow a standard attack plan, etc.), then a level of safety can be calculated. However, as someone who sat in on verbal reports following a simulated attack against a nuclear power plant, I know that these assumptions are routinely violated. Plants prepare carefully for these scheduled tests and, when weaknesses are revealed, they make changes intended to remediate the weaknesses, but they are not necessarily re-tested at that point in time. Thus, any number of weaknesses may remain, at least for some number of years. Nor do we really know whether a "surprise" test would achieve the same level of performance. Since security forces face an intelligent opponent who is well aware of the countermeasures being adopted, we can be reasonably assured that terrorists will attack at a time and place of their choice and in a manner directed at whatever weaknesses they anticipate. If 19 terrorists can attack 4 airplanes, then 19 terrorists can attack 1 nuclear power plant. Five guards are only "redundant" if we assume that they (and more) are not all needed at once.

The truth of the matter is that redundancy serves to make us feel safe. At a time of public concern, policy makers have "to let insiders and outsiders see that top officials are doing something" (Sagan, this issue). Redundancy is in part a persuasive argument addressed to policy makers who allocate funds, plant employees who must be motivated to do their jobs as well as possible, a public that needs reassurance in order to continue working and spending, and the terrorists themselves, who may choose to attack a less formidable target.

3. MANAGING FOR NUCLEAR SECURITY

However, if we want real safety beyond the perception of safety, then we have to combine design logics with operating logics. Sagan offers awareness as a first step for opening a dialogue around the value of redundancy, or how much is enough. But we can go further. There are ways to address problems such as diffusion of responsibility, complacency, and scope creep that are linked to redundancy. Research on "social loafing" (Karau & Williams, 1993) and accountability (Tetlock, 1992) shows that responsibility does not diffuse if people know they are individually accountable, particularly to a diverse audience that may ask unpredictable questions. Research on safety culture shows that it is possible to maintain a questioning attitude and avoid complacency (Carroll et al., 2002; Mearns et al., 2003; Reason, 1997). Above all, research and experience show that safety comes from people, not from technology alone (Weick et al., 1999). It is people who notice vulnerabilities, design models, pay attention to surprises, tell each other about discoveries and problems, create technical and organizational innovations, and pass information across plants and industries.

Far more resources have been invested in technical know-how than in understanding how people operate within technical systems. Nuclear power plants are required to spend millions of dollars on technical safety analyses and safety equipment. On the people side, we rely on procedures, training, and supervision to make people do what is expected of them. Unfortunately, we also need them to do more than is expected. We want people to bring their experience, creativity, imagination, and teamwork to the workplace. We cannot "design in" safety through technical means alone; discussions over safety have to engage the knowledge and experience of a wide range of experts and practitioners, including operations personnel and social scientists. Policy makers should consider that investments in a greater variety of skills and viewpoints, a reasonable amount of slack time for reflection and observation, critical self-analysis that admits doubt, willingness to improvise and learn from experience, and managerial capabilities are just as important for security against terrorists as they are for operational excellence in general.
Redundancy as a Design or Operating Principle 957