Envisioning Emergent Behaviors of Socio-Technical Systems Title Based on Functional Resonance Analysis Method( Dissertation_全文 ) Author(s) Hirose, Takayuki Citation 京都大学 Issue Date 2020-09-23 URL https://doi.org/10.14989/doctor.k22772 Right Type Thesis or Dissertation Textversion ETD Kyoto University Envisioning Emergent Behaviors of Socio-Technical Systems Based on Functional Resonance Analysis Method Hirose Takayuki Envisioning Emergent Behaviors of Socio-Technical Systems Based on Functional Resonance Analysis Method Takayuki Hirose Supervisor: Professor Tetsuo Sawaragi Department of Mechanical Engineering and Science Kyoto University A thesis submitted for the degree of Doctor of Philosophy in Engineering 2020 Abstract This thesis provides simulation models to envision emergent behavior, or more specif- ically, safety of artifacts as socio-technical systems, based on Functional Resonance Analysis Method (FRAM) and addresses potential problems inherent to three prin- ciples to design human-machine systems. It has traditionally been believed that the safety can be ensured by identifying and eliminating unsafe factors. However, people came to realize that it is not enough since unsafe events such as hazards or accidents are still unavoidable no matter how carefully we brace for them. Specifically, those experiences suggest that there is a lack of balance between Verification and Validation (V&V) in their traditional approaches; the traditional safety management is very good at verifying how the artifacts should be designed, but essentially poor at validating how they can maintain their validity in real fields of practice. One typical approach for this challenge is to carry out Work Domain Analysis (WDA) and investigate functional safety of target artifacts; the WDA enables us to model the targets and investigate their safety at functional abstraction level. This approach is expected to provide various insights which cannot be obtained at the physical level | the field of traditional safety management. The problem is that the investigation of the functional safety is generally qualitative, and it is therefore difficult to confirm its validity. The objective of this research is to develop simulation models based on the FRAM and overcome this problem. In this respect, this thesis firstly summarizes the nature of difficulties in ensuring the safety of artifacts. Also, the historical context of the safety is reviewed to introduce the resilience engineering | one of the latest ideas of how to ensure the safety of artifacts. The focus is then shifted to the FRAM which has been proposed as a practical method of the resilience engineering; this thesis reviews an overview of the FRAM including its limitations and propose numerical simula- tion models based on the FRAM to make it more practical. In addition, this thesis addresses potential problems inherent to three principles to design human-machine systems, i.e., the Compensatory Principle, Leftover Principle, and Complementar- ity/Congruence Principle, through case studies with the proposed FRAM models. i The first case study examines the validity of the Compensatory Principle. In this principle, functions of humans and machines are separated and allocated to what they are good at, and it is pointed out that their roles often tend to be fixed even in unexpected situations. To examine the issue, this case study investigated an actual air crash accident with the proposed FRAM model. The FRAM simulation envisioned how the validity of the operation, especially focusing on the feasibility of operational procedures, had been changing during the accident sequence. The simulation result consequently confirmed that it is necessary for this principle to take into account the validity of such predefined function allocation in ever changing environment, and the FRAM model can be utilized for such kind of stress test. The second case study addresses an inherent problem of the Leftover Principle. This principle is to automate everything found to be feasible by designers and push human beings to a domain where too complex tasks/activities to be automated are left. The operation of systems based on this principle shall generally depend on implicit knowledge or skills of human operators, and it is generally difficult to eluci- date their validity. To address the issue, this case study examined the validity of an empirical knowledge currently inherited in the steel production industry; the simu- lation result provided several insights about why the knowledge can be effective and confirmed that its dynamics is closely related to that of complex systems. The third case study is to demonstrate the importance of the Complementar- ity/Congruence Principle, or more specifically, human-machine collaboration for the future. It is expected that more and more automations will be introduced into our daily lives, and some of them are designed to reduce the involvement of human beings as much as possible. However, the history shows that such kind of automations often confuses human beings, and the situation could be even worse since such the con- sumers are generally \novice" of the automations, contrary to \professionals" such as aviation pilots. To demonstrate this problem, this case study examined the feasibil- ity of the SAE conditional driving automation in time-critical situations. The result suggested that human drivers must be involved in driving activities even if the highly automated driving systems are responsible for major part of the driving tasks. In conclusion, this thesis points out that it is difficult for traditional reductionism or methodologies of reliability analysis to provide these kind of insights; the functional safety must be investigated for this reason, and certain methodologies to support the investigations are required. The proposed FRAM models are one possible solution. ii Acknowledgement First and foremost, I wish to express my deepest gratitude to my supervisor, Professor Tetsuo Sawaragi, who continuously supported me on every activities as a researcher. He always inspired me with his profound knowledge and encouraged me throughout this research. He also provided great opportunities to see and discuss many people across the fields all over the world. These experiences shall greatly support me from now and forever. I am also thankful to all staffs and members in Sawaragi laboratory. Especially, Lecturer Hiroaki Nakanishi and Assistant Professor Yukio Horiguchi always provided keen insights and comments to convince me of various perspectives of this work. Besides, Secretary Ms. Minato supported me by taking care of all the paperwork in the university and encouraged through daily conversation. The experience in this laboratory would not have been great without them. This research is supported by many people outside of Kyoto University as well. Dr. Hiroshi Narazaki, an engineer of Kobe Steel, Ltd., shared a lot of insightful knowledge and suggestions based on his profession. The members of Total Flight Operation System Study Group (TFOS.SG) shared a number of valuable information which cannot be obtained in the academic field alone; their airmanship inspired and motivated me a lot. I also had very constructive discussions with the members of FRAMily. Especially, Professor Erik Hollnagel at University of Southern Denmark, Honorary Professor David Slater at Cardiff University, and Researcher Riccardo Pa- triarca at Sapienza University of Rome, took time for me and shared a lot of ideas about future prospects of FRAM. Moreover, Dr. Hideki Nomoto and Researcher Ya- sutaka Michiura, engineers of Japan Manned Space Systems Corporation (JAMSS), provided me opportunities to have regular discussions, and furthermore, a post in this company as a researcher after my graduation. It is indeed difficult to mention about all the people here, but I am so gratefull to everyone who got to know with, inspired, and supported me through this research. In the end, I take this opportunity to express my profound gratitude to my family. They alaways respected my ideas and encouraged me to try Ph.D. It had been im- possible for me to complete this work without their dedicated support and patience. iii Contents 1 Introduction 1 1.1 Envisioned World Problem: Difficulties to Predict Impacts of New Technologies . 1 1.2 Approach for Envisioned World Problem . 3 1.3 Overview of This Research . 5 2 Resilience Engineering in Historical Context of Safety Management 7 2.1 Concept of Safety . 7 2.2 Contributing Factors to Safety Suggested by Historical Major Accidents 8 2.2.1 Safety Supported by Technical Factors . 8 2.2.2 From Technical Factors to Human Factors: Impact of Automa- tion and Growing Importance of Effective Human-Machine In- teractions . 9 2.2.3 Growing Complexities: Safety of Socio-Technical Systems . 14 2.3 Historical Development of Accident Models: Analogical Concepts to Describe Accidents . 18 2.3.1 Sequential Accident Model . 18 2.3.2 Epidemiological Accident Model . 19 2.3.3 Systemic Accident Model . 20 2.4 Historical Development of Human Reliability Analysis . 22 2.4.1 Origin of Human Reliability Analysis . 22 2.4.2 First-Generation Human Reliability Analysis . 23 2.4.3 Second Generation Human Reliability Analysis . 26 2.5 Paradigm Shift from Safety-I to Safety-II: Development of Resilience Engineering . 28 2.5.1 Safety-I and Safety-II: New Perspective of Safety . 28 2.5.2 Resilience as Property of Socio-Technical System . 30 iv CONTENTS 3 Development of Simulation Model Based on Functional Resonance Analysis Method 33 3.1 FRAM as Proposed Method . 33 3.1.1 Four Principles . 34 3.1.2 Procedure of FRAM . 37 3.1.3 Challenges to Utilize . 40 3.2 Initial Model: Development of Primary Mechanism of FRAM Functions 41 3.2.1 Numerical Definitions of Variabilities with Fuzzy CREAM . 41 3.2.2 Formulating Interaction among Functions and Surrounding Work- ing Environment . 48 3.3 Extended FRAM Model Based on Cellular Automaton . 53 3.4 Extended FRAM Model Based on Structure of Complex Adaptive Sys- tems . 57 3.4.1 Inconsistency of FRAM Model Structure . 57 3.4.2 Revision of Previous FRAM Model .