Upload
reza-mahmoudi
View
216
Download
0
Embed Size (px)
Citation preview
7/27/2019 A White Paper Resilience Engineering
1/16
Cooperative Network Design
A Wite Paper
n Resilience Engineering fr ATM
EUROCONTROL
7/27/2019 A White Paper Resilience Engineering
2/16
Tempora mutantur, nos et mutamur in illis
(Times change, and we change with them)
7/27/2019 A White Paper Resilience Engineering
3/16
RESILIENCEENGINEERINGfor ATM
In January 2007, a project was launched by EUROCONTROL with the aim o understanding the new area o ResilienceEngineering and its relevance to Air Trac Management (ATM). Resilience Engineering is developing important tools
and methods or both system developers and people responsible or the maintenance and management o system
saety, in a number o industries.
This White Paper provides an overview o the work carried out and seeks to answer the ollowing questions:
n What is Resilience Engineering?
n Why do we need it in ATM?
n What is the useulness o perormance variability?
n What does Resilience Engineering look like in practice?
n How does Resilience Engineering t with other saety methods?
n How mature is Resilience Engineering and what is the added value or ATM?
The added value o an Resilience Engineering approach is that it provides a way to address the issues o emergent
accidents and the oten disproportionate consequences that are an outcome o ever more complex technologies
and ever more integrated organisations. Resilience methods are likely to be important tools in the management and
assurance o ATM saety in the uture.
INTRoduCTIoN
7/27/2019 A White Paper Resilience Engineering
4/16
2
Since humans are indispensable in all situations involvingchange, Resilience Engineering naturally has strong links
with Human Factors and Saety Management. It is based
on the ollowing premises:
1. Perormance conditions are always underspecied.
Individuals and organisations must thereore adjust
what they do to match current demands and re-
sources. Because resources and time are nite, such
adjustments will inevitably be approximate.
2. Some adverse events can be attributed to a break-down or malunctioning o components and nor-
mal system unctions, but others cannot. The latter
can best be understood as the result o unexpected
combinations o perormance variability.
3. Saety management cannot be based exclusively on
hindsight, nor rely on error tabulation and the cal-
culation o ailure probabilities. Saety management
must be proactive as well as reactive.
4. Saety cannot be isolated rom the core (business)
process, nor vice versa. Saety is the prerequisite or
productivity, and productivity is the prerequisite
or saety. Saety must thereore be achieved by im-
provements rather than by constraints.
Adopting this view creates a need or an approach that
can represent the variability o normal system peror-
mance, and or methods that can use this to provide
more comprehensive explanations o accidents as well
as identiy potential risks.
Resilience is the intrinsic ability o a system
to adjust its unctioning prior to, during, or
ollowing changes and disturbances, so that
it can sustain required operations under both
expected and unexpected conditions.
Perormance variability:
The ways in which individual and collective
perormances are adjusted to match current
demands and resources, in order to ensure
that things go right.
WhAT IS RESILIENCE ENGINEERING?
7/27/2019 A White Paper Resilience Engineering
5/16
RESILIENCEENGINEERINGfor ATM 3
Figure 1: The set o possible outcomes
FRoM SAFETy MANAGEMENT To RESILIENCE
ENGINEERING
The ocus o Resilience Engineering is on the whole seto outcomes, i.e., things that go right as well as things
that go wrong with the possible exceptions o the areas
o serendipity and good luck, where we are mostly in the
hands o ate.
The aim o Resilience Engineering is not only to prevent
things rom going wrong, but also to ensure that things
go right, i.e., to acilitate normal outcomes. Simply put,
the more likely it is that something goes right, the less
likely it is that it goes wrong. And there is clearly an
added value in trying to acilitate normal outcomes andin discarding the traditional separation between saety
and productivity.
Risk governance and saety management have tradi-tionally, and with good reason, been concerned with
what can go wrong and thereore lead to unwanted out-
comes. The set o possible outcomes can schematically
be shown as in Figure 1, where the x-axis describes pre-
dictability, ranging rom very low to very high, and the
y-axis describes the value o the outcome, ranging rom
negative to positive.
The established approaches to risk and saety mainly
ocus on the things that go wrong, more specically
those areas in gure 1 named disasters, accidents, andincidents with occasional orays into near misses. The
mishaps region describes unwanted outcomes that in
practice have been eliminated. But there has traditional-
ly been little or no ocus on things that go right, despite
the act that these happen ar more oten than things
that go wrong. I, or instance, the probability o ailure is
10-4, then there will be 9,999 normal outcomes or every
ailure!.
Serendipity
Near misses
Good luck
Accidents
Disasters Mishaps
Normal outcomes
(things that go right)
Incidents
Negative
Neutral
Positive
OUTCOME
PREDICTABILITY
Very low Very high
7/27/2019 A White Paper Resilience Engineering
6/16
4
Why do WE NEEd RESILIENCE ENGINEERING?
A simple answer to this question is given by the typeso accidents that can occur in complex yet well-de-
ended systems, o which Air Trac Management (ATM)
is a good example. While accidents such as berlingen
(2002) with hindsight can be explained by ailure modes
emerging rom the weak interaction o multiple actors,
ew would have considered this situation credible ahead
o time. Traditional thinking makes it dicult to describe
and understand how multiple actors can come to-
gether at a single point o time and in a position o
airspace to produce something as disastrous as a mid-
air collision.
Today, most ANSPs have saety nets, Saety Manage-
ment Systems (SMS), saety assessment and assurance
processes, and many are also improving their saety
culture. These eorts add layers o saety to already sae
systems. While this will reduce the likelihood o acci-
dents even urther, it also means that those that do slipthrough these nets will be complex and multi-aceted.
Such accidents will be due more to coincidences among
the variability o unctions and human perormance in
dierent parts o the system, than to maniest ailures
and incorrect human actions.
Accident analysis and risk assessment methods have
usually been developed in response to problems ol-
lowing major technological developments or to cope
with new types o accidents. Figure 2 shows the distri-
bution o some well-known methods used to addresstechnical, human actors, and organisational issues,
respectively. It is noteworthy that human actors meth-
ods came onto the scene ater the accident at Three
Miles Island in 1979, and that organisational methods
were developed ollowing the Chernobyl and Chal-
lenger accidents in 1986.
Figure 2: Accident Analysis and Risk Assessment Methods
1900 1910 1920 1930 1940 1950 1960 1970 1980 1990 2000 2010
Technical Organisational SystemicHuman Factors
Root cause FMEADomino
HAZOP
STAMP
FRAM
Fault tree
MORT CREAM
FMECA
CSNI
TRACEr
MERMOS
THERP
HCR
STEP
MTO
TRIPOD
HPES
HERA
Swiss cheese
HEAT
RCA, ATHEANA
AEB
AcciMap
7/27/2019 A White Paper Resilience Engineering
7/16
RESILIENCEENGINEERINGfor ATM 5
Methods must clearly be powerul enough to addressthe problems ound in real-lie applications. Established
ways o thinking about accidents, such as the Swiss
Cheese analogy o holes in saety barriers that line up,
will thereore at some time be unable to prevent, pre-
dict, and explain new types o accidents. The variability
o normal perormance may or instance combine to
produce eects that go beyond what the Swiss Cheese
analogy was intended to describe, even i the holes are
allowed to grow or shrink dynamically and the blocks
o cheese allowed to move around. In order to address
these more complex phenomena, Resilience Engineer-ing uses the principle o resonance to represent how
the variability o normal perormance can combine
dynamically in ways that may lead to disproportionate
(non-linear) eects. Saety assessment methods have
historically developed rom technical methods, via hu-
man actors methods, to organisational methods. While
many current methods combine the technical, human,
or organisational levels, resonance must be treated at
the system level. Figure 3: Swiss Cheese Model
Resonance:
A principle that explains how dispropor-
tionate large consequences can arise rom
seemingly small variations in perormance
and conditions.
7/27/2019 A White Paper Resilience Engineering
8/16
6
ThE uSEFuLNESS oF PERFoRMANCE
vARIAbILITy
The rst premise o Resilience Engineering makes clearthat perormance variability is inevitable but also useul.
Procedures and instructions are always incomplete,
except or extremely simple situations. Following proce-
dures and instructions to the letter will thereore both
be inecient and unsae. To compensate or this incom-
pleteness, individuals and organisations habitually ad-
just their perormance to match the current demands,
resources, and constraints. The ability to do so is at the
heart o successul perormance. But since inormation,
resources, and time are nite, the adjustments will in-
evitably be approximate. Perormance variability is thusunavoidable, but should be recognised as a source o
success as well as o ailure.
This has, however, not always been so. The concern or
how human actors could aect saety began with the
accident at the Three Mile Island nuclear power plant
in 1979. At that time, the ocus was naturally on control
room operations (the sharp end), and methods were
thereore developed to support that. The situation in
the 1980s with regard to the ocus o saety is depicted
in Figure 4.
Socio-technical systems have since the 1980s become
steadily more complex due to rampant technological
and societal developments. The idea o a socio-techni-
cal system is that the conditions or successul organisa-
tional perormance and conversely also or unsuccess-
ul perormance depends on the interaction between
social and technical actors. The scope o saety assess-
ment must thereore be extended in several directions.
A vertical extension is needed to cover the entire sys-
tem, rom technology to organisation. One horizontal
extension is needed to increase the scope to include
both design and maintenance. A second horizontal ex-
tension is needed to include both upstream and down-
stream processes. Altogether, the situation today there-
ore looks more as shown in Figure 5.
Organisation
(management)
Technology
Upstream
Downstream
Design Maintenance
Organisation
(management)
Technology
Upstream
Downstream
Design Maintenance
Figure 4: Saety Focus anno 1984
Figure 5: Saety Focus anno 2009
7/27/2019 A White Paper Resilience Engineering
9/16
RESILIENCEENGINEERINGfor ATM 7
Upsteam-downstream means integration into thecompanys business. In aviation, gate-to-gate would be
an example, i.e. you can no longer consider previously
separate unctions as separate. There are dependencies
to what went beore (upstream) and what comes ater
(downstream). In general production it is just in time
(JIT) in order to remove the need or inventories (raw
materials, spare parts etc).
As a result o these developments, saety methods must
today address systems that are larger and more com-
plex than the systems o yesteryear. Because there aremany more details to consider; because some modes o
operation may be incompletely known; because o tight
couplings among unctions; and because systems may
change aster than they can be described, the net result
is that many systems, ATM included, are underspecied
or intractable. For these systems it is clearly not possible
to prescribe tasks and actions in every detail. This means
that perormance must be variable or fexible rather than
rigid. In act, the less completely the system is described,
the more perormance variability is needed.
It is useul to make a distinction between tractable and
intractable systems. Tractable systems can be completely
described or specied, while intractable systems cannot.
The dierences between the two types o systems are
summarised in Table 1.
Most established saety methods have been devel-
oped on the assumption that systems are tractable.As this assumption is no longer universally valid, there
is a need to develop methods to deal with intractable
systems. Resilience Engineering is one answer to this
problem.
Figure 6 shows the result o characterising dierent
socio-technical systems on the dimensions o Coupling
and Manageability. Existing methods are not well
suited or systems in the upper right quadrant (intrac-
table and tightly coupled), which makes this a primary
ocus or Resilience Engineering.
Loose
Coupling
Tight
Tractable Manageability Intractable
Dams
Railways
Emergencymanagement
ATMMarinetransport
Mining
Postoffices
Assemblylines
Healthcare
Universities
Spacemissions
Publicservices
Manufacturing
Powergrids
NPPs
Aircraft
Militaryoperations
Integratedoperations
Financialsystems
Figure 6: System Characteristics
Tractable system Intractable system
Number o detailsDescription are simple with ewdetails
Description are elaborate withmany details
ComprehensibilityPrinciples o unctioning areknown
Principles o unctioning arepartly unknown
StabilitySystem does not change whilebeing described
System changes beore descriptionis completed
Relation to other systems Independence Interdependence
Metaphor Clockwork Teamwork
Table 1: Dierences between tractable and intractable systems
7/27/2019 A White Paper Resilience Engineering
10/16
8
To predict how resonance may lead to accidents, wemust be able to describe and model the characteristic
variability o the system. A main source o perormance
variability is the underspecication o work, as described
in the previous section. In addition to the underspeci-
cation, human perormance can vary or several other
reasons:
Physiological and/or undamental
psychological actors (e.g., aecting
perception and vigilance).
Higher level psychological actors such
as ingenuity, creativity, and adaptability.
Organisational actors, as in meeting
perormance demands, stretching re-
sources, substituting goals, etc.
Social actors, as in meeting expectations
o onesel or o colleagues, complying
with inormal work standards, etc.
Contextual actors, or instance i the
workplace is too hot, too noisy, too hu-
mid, etc.
Other actors such as the unpredict-
ability o the domain, e.g., weather
conditions, number o fights, pilot
variability, technical problems, etc.
ThE REASoNS FoR PERFoRMANCE
vARIAbILITy
The challenge or resilience engineering is to representthe variability o a system, such as ATM, in a way that
makes it possible to identiy what may aect peror-
mance either adversely or positively. This must overcome
two obstacles:
1. Because ATM is a complex and intractable system,
its unctions, their interactions, and potential vari-
ances, can only be specied approximately.
2. In a time o trac growth, planned changes to ATMs
undamental inrastructure and technical systemsmust be reconciled with strong but varying nancial
pressures and demands.
The ATM system environment eels the eect o the
resulting instability and increasing variability as
ANSPs try to ride out the changes whilst remaining
sae and protable. This requires them to be fexible,
to rely on human ingenuity and skill, and to make
use o perormance variability rather than to con-
strain it.
7/27/2019 A White Paper Resilience Engineering
11/16
RESILIENCEENGINEERINGfor ATM 9
hoW IS IT doNE?
Resilience Engineering provides the conceptual basis ora new perspective on saety. The leading prototype cur-
rently is the Functional Resonance Assessment Method
(FRAM). This method is based on our principles:
n The equivalence o success and ailures. Failures
do not stand or a breakdown or malunctioning o
normal system unctions, but rather represent the
adaptations necessary to cope with the underspeci-
cation ound in complex real-world systems.
n The principle o approximate adjustments. Toget anything done people must adjust their peror-
mance to the current conditions. Because resources
and time are nite, such adjustments will inevitably
be approximate.
n The principle o emergence. Both ailures and nor-
mal perormance are emergent phenomena: neither
can be attributed to or explained simply by reer-
ring to the (mal)unctions o specic components or
parts.
n The principle o unctional resonance. FRAM re-
places the traditional cause-eect relation with reso-
nance. This explains how the variability o a number
o unctions every now and then may resonate, i.e.,
reinorce each other, leading to excessive variability
in one or more downstream unctions. The conse-
quences may spread through the system by means o
tight couplings rather than easily identiable cause-
eect links.
FRAM is a developing method. The ollowing is an illus-tration o what a FRAM analysis might look like or an
overfight scenario:
A FRAM analysis consists o ve steps:
1. Dene the purpose o the analysis. FRAM can be
used or saety assessment (looking at uture events)
as well as or accident investigation (looking at past
events).
2. Identiy and describe the relevant system unctions.A unction, in FRAM terms, constitutes an activity
or task which has important or necessary conse-
quences or the state or properties o another ac-
tivity. Each unction is characterised by six aspects:
Input, Output, Preconditions, Resources, Time and
Control, as depicted in Figure 7.
3. Assess and evaluate the potential variability o
each unction. FRAM uses a distinction between
oreground and background actors, which may all
aect perormance variability. Foreground actors
are directly associated with the unctions being
modelled and may vary signicantly during a sce-
nario, while background actors reer to common
conditions that may vary more slowly. Both sets o
actors should be calibrated as ar as possible using
inormation extracted rom accident databases.
4. Identiy where unctional resonance may emerge.
This step nds the possible ways in which the vari-
ability rom one unction can spread through thesystem. In case o unctional resonance, the com-
binations o this variability may lead to situations
where the system loses its capability to saely man-
age variability.
5. The th and last step is the development o
efective countermeasures. These usually aim
at dampening perormance variability in order to
maintain the system in a sae state, but can also be
used to sustain or ampliy unctional resonance that
leads to desired or improved outcomes.
T
I O
C
P R
Function/
Process
Time Control
Precondition
Input Output
Resource
Figure 7: The six aspects o a FRAM unction
7/27/2019 A White Paper Resilience Engineering
12/16
10
An example o what this looks like, applied to an over-fight scenario, is in the ollowing. The analysis o system
unctions (Step 2) produced the ollowing list:
n Provide ATC clearance to pilot
n Monitoring
n Planning
n Strip marking
n Coordination
n Update fight data processing system
n Provide meteorological data to controller
n Provide fight and radar data to controllern Controller-pilot communication
n Sector-to-sector communication
By characteristing each unction using the six aspects
described in Step 2 above (c., Figure 7), the ollowing
instantiation o the model was produced.
Figure 8: Instantiation o the FRAM model or the overfight scenario
T
I O
C
P R
Provide
MET data
T
I O
C
P R
Provideflight &
radar
data
T
I O
C
P R
Monitoring
T
I O
C
P R
Planning
T
I O
C
P R
Pilot -
ATCO
communi-
cation
T
I O
C
P R
Strip
marking
T
I O
C
P R
Sector to
sector
comm.
T
I O
C
P R
Issue
clearanceto pilot
T
I O
C
P R
Coordination
T
I O
C
P R
UpdateFDPS
MET data
Flight & radar data
FDPS updated
FDPS updated
Teamcoordination
Request from
next sector:Climb to FL100
Team
coordination
Flight position A/C 1
monitored
Flight position A/C 1
monitored
Clearance plan A/C 1:
Climb to FL100
A/C 1: radio
contact established
A/C 1 strip marked:
Climb to FL100
Clearance A/C 1:
Climb to FL100
A/C 1: radio
contact established
7/27/2019 A White Paper Resilience Engineering
13/16
RESILIENCEENGINEERINGfor ATM 11
hoW doES RESILIENCE ENGINEERING FIT
WITh oThER SAFETy METhodS?
hoW MATuRE IS RESILIENCE ENGINEERING?
Resilience Engineering is a developing approach, one that provides an additional perspective on saety assessmentand management and oers potential resilience assessment techniques, such as FRAM, to complement existing
tools. Adopting a Resilience Engineering view does not require that existing practices are discarded wholesale. But it
does mean that they are looked at in a dierent way, which in turn may change how they are applied, as well as the
way in which their results are interpreted.
At present, the use o Resilience Engineering in ATM is at the easibility stage o development. The research team
working on the project will complete a rst main case study or ATM in 2009, which will show how this approach
works in detail and what it can deliver. The example will be a study o a Minimum Altitude Saety Warning (MSAW)
system. Following that, urther test cases should be conducted to develop and mature the approach to make it an
additional tool or saety cases. While this inevitably will require some time, the goal is to have the methodology t
or use prior to SESARs implementation phase in 2013.
In other domains, such as general aviation, oshore production, and healthcare, Resilience Engineering has been
used longer and has provided a substantial body o knowledge and experience. This has been documented in a
number o books and marked by several international symposia and workshops, as well as commercial applications,
e.g. maintenance o heavy machinery, risk modeling o helicopter saety, and patient saety.
OrganisationalSa
fety
Technical Safety
HumanFactors
ResilienceEengineering
Figure 9: Widening perspectives on saety
7/27/2019 A White Paper Resilience Engineering
14/16
12
n
Perormance variability enables individuals and or-ganisations to adjust what they do to match current
resources and demands. Perormance variability is
the reason why things go right, and sometimes also
the reason why things go wrong.
n Resilience Engineering complements existing saety
methods. It oers a dierent perspective, but is not
intended to be a wholesale replacement.
n Resilience Engineering has been actively developed
since 2004, and has been successully applied to acci-dent investigation and risk assurance in several indus-
trial domains, eg. maintenance o heavy machinery,
risk modeling o helicopter saety, and patient saety.
This has been documented in a number o books and
marked by several international symposia and work-
shops, as well as commercial applications, e.g. risk
modeling o helicopter saety, patient saety, and main-
tenance o heavy machinery. In the latter cases one
technique was to implement a new alarm process to
identiy signs that things were getting worse, as a basis
or timely remedial interventions.
This key question can obviously best be answered aterResilience Engineering has been seen in action in ATM.
Since it addresses a dicult problem, more than one
case study may be needed to demonstrate its ull po-
tential. However, there is an obvious value in having a
technique which can explain and predict the complex
accident scenarios that deeat existing barriers and
deences, and that also tries to acilitate normal out-
comes.
In summary, the questions posed at the beginning o
this brochure can be answered as ollows:
n Resilience Engineering goes beyond classical saety
issues by recognising that saety and production are
intrinsically linked. The aim o Resilience Engineer-
ing is to develop models and methods to improve
an organisations ability to succeed under varying
conditions, thereby enhancing both saety and daily
operations.
n Resilience Engineering is needed because many
current systems are underspecied, hence exceed
the premises o existing saety analysis methods.
This White Paper has presented the main concepts and practical principles o Resilience Engineering, a developingeld which will be important or ATM saety in the uture. ATM is among the socio-technical systems that have developed
so rapidly that established saety assessment approaches are increasingly challenged to address all the issues and
identiy all the risks. In complex socio-technical systems, things may go wrong in the absence o maniest ailures
and malunctions, and outcomes may oten be disproportionately large. To saeguard against such developments,
it is necessary to have tools and methods that can deal with the underspecication and tight couplings o complex,
highly interactive systems such as ATM. Resilience Engineering oers a conceptual and methodological basis or
achieving that goal it is one to watch. The research and development eorts will continue and urther results will
be documented and disseminated as a way o demonstrating the added value o the approach. Special emphasis
will be put on case studies and guidance on how a smooth integration with conventional saety assurance schemes
can be accomplished.
Some additional reading is suggested below.
WhAT IS ThE AddEd vALuE oF RESILIENCE
ENGINEERING?
CoNCLuSIoN
7/27/2019 A White Paper Resilience Engineering
15/16
RESILIENCEENGINEERINGfor ATM 13
http://www.resilience-engineering.org/
Hollnagel, E. (2004).
Barriers and accident prevention. Chapter 5 & 6. Aldershot, UK: Ashgate publishers.
Hollnagel, E., Woods, D. D. & Leveson, N. (2006).
Resilience engineering: Concepts and precepts. Aldershot, UK: Ashgate publishers.
Hollnagel, E. (2009).
The ETTO principle: Eciency-thoroughness trade-of. Why things that go right sometimes go wrong.
Aldershot, UK: Ashgate publishers.
Woltjer, R. & Hollnagel, E. (2008).
Modeling and evaluation o air trac management automation using the unctional resonance accident model (FRAM) .
8th International Symposium o the Australian Aviation Psychology Association, Sydney, Australia.
Intractable: A system which cannot be described in every detail and where the unctioning there-
ore is not completely understood. Intractable systems are only partly predictable.
Perormance variability: The ways in which individual and collective perormances are adjusted to match cur-
rent demands and resources, in order to ensure that things go right.
Resilience: The ability o a system to succeed under varying and adverse conditions.
Resonance: A principle that explains how disproportionate large consequences can arise rom
seemingly small variations in perormance and conditions.
Saety culture: That assembly o characteristics and attitudes in organisations and individuals which
establishes that, as an overriding priority, saety issues receive the attention warranted
by their signicance.
Serendipity: The making o happy and unexpected discoveries by accident or when looking or
something else; such as discovery.
FuRThER REAdING:
GLoSSARy
7/27/2019 A White Paper Resilience Engineering
16/16
Fr frter infrmatin cntact:
EUROCONTROL
European Organisation or the Saety o Air Navigation (EUROCONTROL). September 2009
This document is published by EUROCONTROL or inormation purposes. It may be copied in
whole or in part, provided that EUROCONTROL is mentioned as the source and it is not used or
commercial purposes (i.e. or nancial gain). The inormation in this document may not be modiedwithout prior written permission rom EUROCONTROL.
www.eurocontrol.int
Project Team
Jrg Leonhardt, holds a Master Degree oHuman Factors and Aviation Saety rom LundUniversity, Sweden. He is Head o Human Fac-tors in the Saety Management Department othe German Air Navigation Service Provider,DFS.He is Project Leader the EURCONTROLs FA-RANDOLE Project, A resilient approach toevaluate the human contribution to systemSaety and member o the EUROCONTROLHERA User Group.
Erik Hollnagel is Proessor and IndustrialSaety Chair at MINES ParisTech (France) andVisiting Proessor at the Norwegian Universityo Science and Technology (NTNU) in Trond-heim (Norway). He has or many years workedat universities, research centres, and industriesin several countries and with problems romseveral domains, including nuclear powergeneration, aerospace and aviation, sotwareengineering, healthcare, and land-based tra-c. He has published widely and is the author/editor o 17 books, including three books onResilience Engineering. The latest title romAshgate is The ETTO Principle: Why things
that go right, sometimes go wrong.
Luigi Macchi is a PhD student in the IndustrialSaety Chair o the Mines-ParisTech University(France). He holds a Psychology degree romthe Universit degli Studi di Torino (Italy). HisPhD adopts the Resilience Engineering per-spective and aims to develop a saety assess-ment methodology accounting or the humancontribution to Air Trac Management saety.
EUROCONTROL Point o Contact
Dr Barry Kirwan leads Saety Research and De-velopment in EUROCONTROL. He has degreesin Psychology, Human Factors and Human Re-liability Assessment. He has worked in the nu-clear, chemical, petrochemical, marine and airtrac sectors o industry, and lectured at theUniversity o Birmingham in Human Factors.He was ormerly Head o Human Reliability atBNFL in the UK nuclear industry, and Head oHuman Factors at NATS (UK). For the past nineyears he has been working or EUROCONTROL,managing a team o saety researchers andsaety culture specialists at the EUROCONTROLExperimental Centre in Bretigny, near Paris. Hehas published our books and around 200 ar-ticles. He is also a visiting Proessor o HumanReliability & Saety at Nottingham Universityin the UK.