A White Paper Resilience Engineering

7/27/2019 A White Paper Resilience Engineering

1/16

Cooperative Network Design

A Wite Paper

n Resilience Engineering fr ATM

EUROCONTROL


2/16

Tempora mutantur, nos et mutamur in illis

(Times change, and we change with them)


3/16

RESILIENCEENGINEERINGfor ATM

In January 2007, a project was launched by EUROCONTROL with the aim o understanding the new area o ResilienceEngineering and its relevance to Air Trac Management (ATM). Resilience Engineering is developing important tools

and methods or both system developers and people responsible or the maintenance and management o system

saety, in a number o industries.

This White Paper provides an overview o the work carried out and seeks to answer the ollowing questions:

n What is Resilience Engineering?

n Why do we need it in ATM?

n What is the useulness o perormance variability?

n What does Resilience Engineering look like in practice?

n How does Resilience Engineering t with other saety methods?

n How mature is Resilience Engineering and what is the added value or ATM?

The added value o an Resilience Engineering approach is that it provides a way to address the issues o emergent

accidents and the oten disproportionate consequences that are an outcome o ever more complex technologies

and ever more integrated organisations. Resilience methods are likely to be important tools in the management and

assurance o ATM saety in the uture.

INTRoduCTIoN


4/16

2

Since humans are indispensable in all situations involvingchange, Resilience Engineering naturally has strong links

with Human Factors and Saety Management. It is based

on the ollowing premises:

1. Perormance conditions are always underspecied.

Individuals and organisations must thereore adjust

what they do to match current demands and re-

sources. Because resources and time are nite, such

adjustments will inevitably be approximate.

2. Some adverse events can be attributed to a break-down or malunctioning o components and nor-

mal system unctions, but others cannot. The latter

can best be understood as the result o unexpected

combinations o perormance variability.

3. Saety management cannot be based exclusively on

hindsight, nor rely on error tabulation and the cal-

culation o ailure probabilities. Saety management

must be proactive as well as reactive.

4. Saety cannot be isolated rom the core (business)

process, nor vice versa. Saety is the prerequisite or

productivity, and productivity is the prerequisite

or saety. Saety must thereore be achieved by im-

provements rather than by constraints.

Adopting this view creates a need or an approach that

can represent the variability o normal system peror-

mance, and or methods that can use this to provide

more comprehensive explanations o accidents as well

as identiy potential risks.

Resilience is the intrinsic ability o a system

to adjust its unctioning prior to, during, or

ollowing changes and disturbances, so that

it can sustain required operations under both

expected and unexpected conditions.

Perormance variability:

The ways in which individual and collective

perormances are adjusted to match current

demands and resources, in order to ensure

that things go right.

WhAT IS RESILIENCE ENGINEERING?


5/16

RESILIENCEENGINEERINGfor ATM 3

Figure 1: The set o possible outcomes

FRoM SAFETy MANAGEMENT To RESILIENCE

ENGINEERING

The ocus o Resilience Engineering is on the whole seto outcomes, i.e., things that go right as well as things

that go wrong with the possible exceptions o the areas

o serendipity and good luck, where we are mostly in the

hands o ate.

The aim o Resilience Engineering is not only to prevent

things rom going wrong, but also to ensure that things

go right, i.e., to acilitate normal outcomes. Simply put,

the more likely it is that something goes right, the less

likely it is that it goes wrong. And there is clearly an

added value in trying to acilitate normal outcomes andin discarding the traditional separation between saety

and productivity.

Risk governance and saety management have tradi-tionally, and with good reason, been concerned with

what can go wrong and thereore lead to unwanted out-

comes. The set o possible outcomes can schematically

be shown as in Figure 1, where the x-axis describes pre-

dictability, ranging rom very low to very high, and the

y-axis describes the value o the outcome, ranging rom

negative to positive.

The established approaches to risk and saety mainly

ocus on the things that go wrong, more specically

those areas in gure 1 named disasters, accidents, andincidents with occasional orays into near misses. The

mishaps region describes unwanted outcomes that in

practice have been eliminated. But there has traditional-

ly been little or no ocus on things that go right, despite

the act that these happen ar more oten than things

that go wrong. I, or instance, the probability o ailure is

10-4, then there will be 9,999 normal outcomes or every

ailure!.

Serendipity

Near misses

Good luck

Accidents

Disasters Mishaps

Normal outcomes

(things that go right)

Incidents

Negative

Neutral

Positive

OUTCOME

PREDICTABILITY

Very low Very high


6/16

4

Why do WE NEEd RESILIENCE ENGINEERING?

A simple answer to this question is given by the typeso accidents that can occur in complex yet well-de-

ended systems, o which Air Trac Management (ATM)

is a good example. While accidents such as berlingen

(2002) with hindsight can be explained by ailure modes

emerging rom the weak interaction o multiple actors,

ew would have considered this situation credible ahead

o time. Traditional thinking makes it dicult to describe

and understand how multiple actors can come to-

gether at a single point o time and in a position o

airspace to produce something as disastrous as a mid-

air collision.

Today, most ANSPs have saety nets, Saety Manage-

ment Systems (SMS), saety assessment and assurance

processes, and many are also improving their saety

culture. These eorts add layers o saety to already sae

systems. While this will reduce the likelihood o acci-

dents even urther, it also means that those that do slipthrough these nets will be complex and multi-aceted.

Such accidents will be due more to coincidences among

the variability o unctions and human perormance in

dierent parts o the system, than to maniest ailures

and incorrect human actions.

Accident analysis and risk assessment methods have

usually been developed in response to problems ol-

lowing major technological developments or to cope

with new types o accidents. Figure 2 shows the distri-

bution o some well-known methods used to addresstechnical, human actors, and organisational issues,

respectively. It is noteworthy that human actors meth-

ods came onto the scene ater the accident at Three

Miles Island in 1979, and that organisational methods

were developed ollowing the Chernobyl and Chal-

lenger accidents in 1986.

Figure 2: Accident Analysis and Risk Assessment Methods

1900 1910 1920 1930 1940 1950 1960 1970 1980 1990 2000 2010

Technical Organisational SystemicHuman Factors

Root cause FMEADomino

HAZOP

STAMP

FRAM

Fault tree

MORT CREAM

FMECA

CSNI

TRACEr

MERMOS

THERP

HCR

STEP

MTO

TRIPOD

HPES

HERA

Swiss cheese

HEAT

RCA, ATHEANA

AEB

AcciMap


7/16


Methods must clearly be powerul enough to addressthe problems ound in real-lie applications. Established

ways o thinking about accidents, such as the Swiss

Cheese analogy o holes in saety barriers that line up,

will thereore at some time be unable to prevent, pre-

dict, and explain new types o accidents. The variability

o normal perormance may or instance combine to

produce eects that go beyond what the Swiss Cheese

analogy was intended to describe, even i the holes are

allowed to grow or shrink dynamically and the blocks

o cheese allowed to move around. In order to address

these more complex phenomena, Resilience Engineer-ing uses the principle o resonance to represent how

the variability o normal perormance can combine

dynamically in ways that may lead to disproportionate

(non-linear) eects. Saety assessment methods have

historically developed rom technical methods, via hu-

man actors methods, to organisational methods. While

many current methods combine the technical, human,

or organisational levels, resonance must be treated at

the system level. Figure 3: Swiss Cheese Model

Resonance:

A principle that explains how dispropor-

tionate large consequences can arise rom

seemingly small variations in perormance

and conditions.


8/16

6

ThE uSEFuLNESS oF PERFoRMANCE

vARIAbILITy

The rst premise o Resilience Engineering makes clearthat perormance variability is inevitable but also useul.

Procedures and instructions are always incomplete,

except or extremely simple situations. Following proce-

dures and instructions to the letter will thereore both

be inecient and unsae. To compensate or this incom-

pleteness, individuals and organisations habitually ad-

just their perormance to match the current demands,

resources, and constraints. The ability to do so is at the

heart o successul perormance. But since inormation,

resources, and time are nite, the adjustments will in-

evitably be approximate. Perormance variability is thusunavoidable, but should be recognised as a source o

success as well as o ailure.

This has, however, not always been so. The concern or

how human actors could aect saety began with the

accident at the Three Mile Island nuclear power plant

in 1979. At that time, the ocus was naturally on control

room operations (the sharp end), and methods were

thereore developed to support that. The situation in

the 1980s with regard to the ocus o saety is depicted

in Figure 4.

Socio-technical systems have since the 1980s become

steadily more complex due to rampant technological

and societal developments. The idea o a socio-techni-

cal system is that the conditions or successul organisa-

tional perormance and conversely also or unsuccess-

ul perormance depends on the interaction between

social and technical actors. The scope o saety assess-

ment must thereore be extended in several directions.

A vertical extension is needed to cover the entire sys-

tem, rom technology to organisation. One horizontal

extension is needed to increase the scope to include

both design and maintenance. A second horizontal ex-

tension is needed to include both upstream and down-

stream processes. Altogether, the situation today there-

ore looks more as shown in Figure 5.

Organisation

(management)

Technology

Upstream

Downstream

Design Maintenance

Organisation

(management)

Technology

Upstream

Downstream

Design Maintenance

Figure 4: Saety Focus anno 1984

Figure 5: Saety Focus anno 2009


9/16


Upsteam-downstream means integration into thecompanys business. In aviation, gate-to-gate would be

an example, i.e. you can no longer consider previously

separate unctions as separate. There are dependencies

to what went beore (upstream) and what comes ater

(downstream). In general production it is just in time

(JIT) in order to remove the need or inventories (raw

materials, spare parts etc).

As a result o these developments, saety methods must

today address systems that are larger and more com-

plex than the systems o yesteryear. Because there aremany more details to consider; because some modes o

operation may be incompletely known; because o tight

couplings among unctions; and because systems may

change aster than they can be described, the net result

is that many systems, ATM included, are underspecied

or intractable. For these systems it is clearly not possible

to prescribe tasks and actions in every detail. This means

that perormance must be variable or fexible rather than

rigid. In act, the less completely the system is described,

the more perormance variability is needed.

It is useul to make a distinction between tractable and

intractable systems. Tractable systems can be completely

described or specied, while intractable systems cannot.

The dierences between the two types o systems are

summarised in Table 1.

Most established saety methods have been devel-

oped on the assumption that systems are tractable.As this assumption is no longer universally valid, there

is a need to develop methods to deal with intractable

systems. Resilience Engineering is one answer to this

problem.

Figure 6 shows the result o characterising dierent

socio-technical systems on the dimensions o Coupling

and Manageability. Existing methods are not well

suited or systems in the upper right quadrant (intrac-

table and tightly coupled), which makes this a primary

ocus or Resilience Engineering.

Loose

Coupling

Tight

Tractable Manageability Intractable

Dams

Railways

Emergencymanagement

ATMMarinetransport

Mining

Postoffices

Assemblylines

Healthcare

Universities

Spacemissions

Publicservices

Manufacturing

Powergrids

NPPs

Aircraft

Militaryoperations

Integratedoperations

Financialsystems

Figure 6: System Characteristics

Tractable system Intractable system

Number o detailsDescription are simple with ewdetails

Description are elaborate withmany details

ComprehensibilityPrinciples o unctioning areknown

Principles o unctioning arepartly unknown

StabilitySystem does not change whilebeing described

System changes beore descriptionis completed

Relation to other systems Independence Interdependence

Metaphor Clockwork Teamwork

Table 1: Dierences between tractable and intractable systems


10/16

8

To predict how resonance may lead to accidents, wemust be able to describe and model the characteristic

variability o the system. A main source o perormance

variability is the underspecication o work, as described

in the previous section. In addition to the underspeci-

cation, human perormance can vary or several other

reasons:

Physiological and/or undamental

psychological actors (e.g., aecting

perception and vigilance).

Higher level psychological actors such

as ingenuity, creativity, and adaptability.

Organisational actors, as in meeting

perormance demands, stretching re-

sources, substituting goals, etc.

Social actors, as in meeting expectations

o onesel or o colleagues, complying

with inormal work standards, etc.

Contextual actors, or instance i the

workplace is too hot, too noisy, too hu-

mid, etc.

Other actors such as the unpredict-

ability o the domain, e.g., weather

conditions, number o fights, pilot

variability, technical problems, etc.

ThE REASoNS FoR PERFoRMANCE

vARIAbILITy

The challenge or resilience engineering is to representthe variability o a system, such as ATM, in a way that

makes it possible to identiy what may aect peror-

mance either adversely or positively. This must overcome

two obstacles:

1. Because ATM is a complex and intractable system,

its unctions, their interactions, and potential vari-

ances, can only be specied approximately.

2. In a time o trac growth, planned changes to ATMs

undamental inrastructure and technical systemsmust be reconciled with strong but varying nancial

pressures and demands.

The ATM system environment eels the eect o the

resulting instability and increasing variability as

ANSPs try to ride out the changes whilst remaining

sae and protable. This requires them to be fexible,

to rely on human ingenuity and skill, and to make

use o perormance variability rather than to con-

strain it.


11/16


hoW IS IT doNE?

Resilience Engineering provides the conceptual basis ora new perspective on saety. The leading prototype cur-

rently is the Functional Resonance Assessment Method

(FRAM). This method is based on our principles:

n The equivalence o success and ailures. Failures

do not stand or a breakdown or malunctioning o

normal system unctions, but rather represent the

adaptations necessary to cope with the underspeci-

cation ound in complex real-world systems.

n The principle o approximate adjustments. Toget anything done people must adjust their peror-

mance to the current conditions. Because resources

and time are nite, such adjustments will inevitably

be approximate.

n The principle o emergence. Both ailures and nor-

mal perormance are emergent phenomena: neither

can be attributed to or explained simply by reer-

ring to the (mal)unctions o specic components or

parts.

n The principle o unctional resonance. FRAM re-

places the traditional cause-eect relation with reso-

nance. This explains how the variability o a number

o unctions every now and then may resonate, i.e.,

reinorce each other, leading to excessive variability

in one or more downstream unctions. The conse-

quences may spread through the system by means o

tight couplings rather than easily identiable cause-

eect links.

FRAM is a developing method. The ollowing is an illus-tration o what a FRAM analysis might look like or an

overfight scenario:

A FRAM analysis consists o ve steps:

1. Dene the purpose o the analysis. FRAM can be

used or saety assessment (looking at uture events)

as well as or accident investigation (looking at past

events).

2. Identiy and describe the relevant system unctions.A unction, in FRAM terms, constitutes an activity

or task which has important or necessary conse-

quences or the state or properties o another ac-

tivity. Each unction is characterised by six aspects:

Input, Output, Preconditions, Resources, Time and

Control, as depicted in Figure 7.

3. Assess and evaluate the potential variability o

each unction. FRAM uses a distinction between

oreground and background actors, which may all

aect perormance variability. Foreground actors

are directly associated with the unctions being

modelled and may vary signicantly during a sce-

nario, while background actors reer to common

conditions that may vary more slowly. Both sets o

actors should be calibrated as ar as possible using

inormation extracted rom accident databases.

4. Identiy where unctional resonance may emerge.

This step nds the possible ways in which the vari-

ability rom one unction can spread through thesystem. In case o unctional resonance, the com-

binations o this variability may lead to situations

where the system loses its capability to saely man-

age variability.

5. The th and last step is the development o

efective countermeasures. These usually aim

at dampening perormance variability in order to

maintain the system in a sae state, but can also be

used to sustain or ampliy unctional resonance that

leads to desired or improved outcomes.

T

I O

C

P R

Function/

Process

Time Control

Precondition

Input Output

Resource

Figure 7: The six aspects o a FRAM unction


12/16

10

An example o what this looks like, applied to an over-fight scenario, is in the ollowing. The analysis o system

unctions (Step 2) produced the ollowing list:

n Provide ATC clearance to pilot

n Monitoring

n Planning

n Strip marking

n Coordination

n Update fight data processing system

n Provide meteorological data to controller

n Provide fight and radar data to controllern Controller-pilot communication

n Sector-to-sector communication

By characteristing each unction using the six aspects

described in Step 2 above (c., Figure 7), the ollowing

instantiation o the model was produced.

Figure 8: Instantiation o the FRAM model or the overfight scenario

T

I O

C

P R

Provide

MET data

T

I O

C

P R

Provideflight &

radar

data

T

I O

C

P R

Monitoring

T

I O

C

P R

Planning

T

I O

C

P R

Pilot -

ATCO

communi-

cation

T

I O

C

P R

Strip

marking

T

I O

C

P R

Sector to

sector

comm.

T

I O

C

P R

Issue

clearanceto pilot

T

I O

C

P R

Coordination

T

I O

C

P R

UpdateFDPS

MET data

Flight & radar data

FDPS updated

FDPS updated

Teamcoordination

Request from

next sector:Climb to FL100

Team

coordination

Flight position A/C 1

monitored

Flight position A/C 1

monitored

Clearance plan A/C 1:

Climb to FL100

A/C 1: radio

contact established

A/C 1 strip marked:

Climb to FL100

Clearance A/C 1:

Climb to FL100

A/C 1: radio

contact established


13/16


hoW doES RESILIENCE ENGINEERING FIT

WITh oThER SAFETy METhodS?

hoW MATuRE IS RESILIENCE ENGINEERING?

Resilience Engineering is a developing approach, one that provides an additional perspective on saety assessmentand management and oers potential resilience assessment techniques, such as FRAM, to complement existing

tools. Adopting a Resilience Engineering view does not require that existing practices are discarded wholesale. But it

does mean that they are looked at in a dierent way, which in turn may change how they are applied, as well as the

way in which their results are interpreted.

At present, the use o Resilience Engineering in ATM is at the easibility stage o development. The research team

working on the project will complete a rst main case study or ATM in 2009, which will show how this approach

works in detail and what it can deliver. The example will be a study o a Minimum Altitude Saety Warning (MSAW)

system. Following that, urther test cases should be conducted to develop and mature the approach to make it an

additional tool or saety cases. While this inevitably will require some time, the goal is to have the methodology t

or use prior to SESARs implementation phase in 2013.

In other domains, such as general aviation, oshore production, and healthcare, Resilience Engineering has been

used longer and has provided a substantial body o knowledge and experience. This has been documented in a

number o books and marked by several international symposia and workshops, as well as commercial applications,

e.g. maintenance o heavy machinery, risk modeling o helicopter saety, and patient saety.

OrganisationalSa

fety

Technical Safety

HumanFactors

ResilienceEengineering

Figure 9: Widening perspectives on saety


14/16

12

n

Perormance variability enables individuals and or-ganisations to adjust what they do to match current

resources and demands. Perormance variability is

the reason why things go right, and sometimes also

the reason why things go wrong.

n Resilience Engineering complements existing saety

methods. It oers a dierent perspective, but is not

intended to be a wholesale replacement.

n Resilience Engineering has been actively developed

since 2004, and has been successully applied to acci-dent investigation and risk assurance in several indus-

trial domains, eg. maintenance o heavy machinery,

risk modeling o helicopter saety, and patient saety.

This has been documented in a number o books and

marked by several international symposia and work-

shops, as well as commercial applications, e.g. risk

modeling o helicopter saety, patient saety, and main-

tenance o heavy machinery. In the latter cases one

technique was to implement a new alarm process to

identiy signs that things were getting worse, as a basis

or timely remedial interventions.

This key question can obviously best be answered aterResilience Engineering has been seen in action in ATM.

Since it addresses a dicult problem, more than one

case study may be needed to demonstrate its ull po-

tential. However, there is an obvious value in having a

technique which can explain and predict the complex

accident scenarios that deeat existing barriers and

deences, and that also tries to acilitate normal out-

comes.

In summary, the questions posed at the beginning o

this brochure can be answered as ollows:

n Resilience Engineering goes beyond classical saety

issues by recognising that saety and production are

intrinsically linked. The aim o Resilience Engineer-

ing is to develop models and methods to improve

an organisations ability to succeed under varying

conditions, thereby enhancing both saety and daily

operations.

n Resilience Engineering is needed because many

current systems are underspecied, hence exceed

the premises o existing saety analysis methods.

This White Paper has presented the main concepts and practical principles o Resilience Engineering, a developingeld which will be important or ATM saety in the uture. ATM is among the socio-technical systems that have developed

so rapidly that established saety assessment approaches are increasingly challenged to address all the issues and

identiy all the risks. In complex socio-technical systems, things may go wrong in the absence o maniest ailures

and malunctions, and outcomes may oten be disproportionately large. To saeguard against such developments,

it is necessary to have tools and methods that can deal with the underspecication and tight couplings o complex,

highly interactive systems such as ATM. Resilience Engineering oers a conceptual and methodological basis or

achieving that goal it is one to watch. The research and development eorts will continue and urther results will

be documented and disseminated as a way o demonstrating the added value o the approach. Special emphasis

will be put on case studies and guidance on how a smooth integration with conventional saety assurance schemes

can be accomplished.

Some additional reading is suggested below.

WhAT IS ThE AddEd vALuE oF RESILIENCE

ENGINEERING?

CoNCLuSIoN


15/16


http://www.resilience-engineering.org/

Hollnagel, E. (2004).

Barriers and accident prevention. Chapter 5 & 6. Aldershot, UK: Ashgate publishers.

Hollnagel, E., Woods, D. D. & Leveson, N. (2006).

Resilience engineering: Concepts and precepts. Aldershot, UK: Ashgate publishers.

Hollnagel, E. (2009).

The ETTO principle: Eciency-thoroughness trade-of. Why things that go right sometimes go wrong.

Aldershot, UK: Ashgate publishers.

Woltjer, R. & Hollnagel, E. (2008).

Modeling and evaluation o air trac management automation using the unctional resonance accident model (FRAM) .

8th International Symposium o the Australian Aviation Psychology Association, Sydney, Australia.

Intractable: A system which cannot be described in every detail and where the unctioning there-

ore is not completely understood. Intractable systems are only partly predictable.

Perormance variability: The ways in which individual and collective perormances are adjusted to match cur-

rent demands and resources, in order to ensure that things go right.

Resilience: The ability o a system to succeed under varying and adverse conditions.

Resonance: A principle that explains how disproportionate large consequences can arise rom

seemingly small variations in perormance and conditions.

Saety culture: That assembly o characteristics and attitudes in organisations and individuals which

establishes that, as an overriding priority, saety issues receive the attention warranted

by their signicance.

Serendipity: The making o happy and unexpected discoveries by accident or when looking or

something else; such as discovery.

FuRThER REAdING:

GLoSSARy


16/16

Fr frter infrmatin cntact:

EUROCONTROL

European Organisation or the Saety o Air Navigation (EUROCONTROL). September 2009

This document is published by EUROCONTROL or inormation purposes. It may be copied in

whole or in part, provided that EUROCONTROL is mentioned as the source and it is not used or

commercial purposes (i.e. or nancial gain). The inormation in this document may not be modiedwithout prior written permission rom EUROCONTROL.

www.eurocontrol.int

Project Team

Jrg Leonhardt, holds a Master Degree oHuman Factors and Aviation Saety rom LundUniversity, Sweden. He is Head o Human Fac-tors in the Saety Management Department othe German Air Navigation Service Provider,DFS.He is Project Leader the EURCONTROLs FA-RANDOLE Project, A resilient approach toevaluate the human contribution to systemSaety and member o the EUROCONTROLHERA User Group.

[email protected]

Erik Hollnagel is Proessor and IndustrialSaety Chair at MINES ParisTech (France) andVisiting Proessor at the Norwegian Universityo Science and Technology (NTNU) in Trond-heim (Norway). He has or many years workedat universities, research centres, and industriesin several countries and with problems romseveral domains, including nuclear powergeneration, aerospace and aviation, sotwareengineering, healthcare, and land-based tra-c. He has published widely and is the author/editor o 17 books, including three books onResilience Engineering. The latest title romAshgate is The ETTO Principle: Why things

that go right, sometimes go wrong.

[email protected]

Luigi Macchi is a PhD student in the IndustrialSaety Chair o the Mines-ParisTech University(France). He holds a Psychology degree romthe Universit degli Studi di Torino (Italy). HisPhD adopts the Resilience Engineering per-spective and aims to develop a saety assess-ment methodology accounting or the humancontribution to Air Trac Management saety.

[email protected]

EUROCONTROL Point o Contact

Dr Barry Kirwan leads Saety Research and De-velopment in EUROCONTROL. He has degreesin Psychology, Human Factors and Human Re-liability Assessment. He has worked in the nu-clear, chemical, petrochemical, marine and airtrac sectors o industry, and lectured at theUniversity o Birmingham in Human Factors.He was ormerly Head o Human Reliability atBNFL in the UK nuclear industry, and Head oHuman Factors at NATS (UK). For the past nineyears he has been working or EUROCONTROL,managing a team o saety researchers andsaety culture specialists at the EUROCONTROLExperimental Centre in Bretigny, near Paris. Hehas published our books and around 200 ar-ticles. He is also a visiting Proessor o HumanReliability & Saety at Nottingham Universityin the UK.

[email protected]

Documents

A White Paper Resilience Engineering