The paper How Complex Systems Fail by Richard Cook should be required reading for anyone in programming or operations. Hell, it should be required reading for most everyone. You should read the whole paper (it’s very short at under five pages), but here are the main points:
- Complex systems are intrinsically hazardous systems.
- Complex systems are heavily and successfully defended against failure.
- Catastrophe requires multiple failures – single point failures are not enough.
- Complex systems contain changing mixtures of failures latent within them.
- Complex systems run in degraded mode.
- Catastrophe is always just around the corner.
- Post-accident attribution accident to a ‘root cause’ is fundamentally wrong.
- Hindsight biases post-accident assessments of human performance.
- Human operators have dual roles: as producers & as defenders against failure.
- All practitioner actions are gambles.
- Actions at the sharp end resolve all ambiguity.
- Human practitioners are the adaptable element of complex systems.
- Human expertise in complex systems is constantly changing
- Change introduces new forms of failure.
- Views of ‘cause’ limit the effectiveness of defenses against future events.
- Safety is a characteristic of systems and not of their components.
- People continuously create safety.
- Failure free operations require experience with failure.
Points 2 and 17 are especially interesting to me. It’s not that people can build complex systems that work; instead, it is that people have to actively prevent system failure. Once you stop maintaining the system, it begins to fail. It sounds like thermodynamics; without a constant input of energy from people, the mostly-orderly complex system will descend into increasing disorder and failure.