Publications catalogue - books



Responsibility and Dependable Systems

Guy Dewsbury ; John Dobson (eds.)

Abstract/Description – provided by the publisher

Not available.

Keywords – provided by the publisher

Models and Principles; Performance and Reliability; Information Systems Applications (incl. Internet)

Availability
Detected institution / Publication year / Browse / Download / Request
Not detected / 2007 / SpringerLink

Information

Resource type:

books

Print ISBN

978-1-84628-625-4

Electronic ISBN

978-1-84628-626-1

Publisher

Springer Nature

Country of publication

United Kingdom

Publication date

Publication rights information

© Springer 2007

Table of contents

Introduction: Dependability and Responsibility in Context

JOHN DOBSON; IAN SOMMERVILLE; GUY DEWSBURY

This book looks at socio-technical systems, that is systems which consist of a group of people working with some complex technology in order to achieve some common purpose. We shall be dealing in the main with the case of the technology being a computer system, though the ideas we shall present are applicable to other forms of technology, and we shall also discuss them in the context of a railway system. The main reason for looking at socio-technical systems is to explore the extent to which ideas of dependability, which have been developed for technical systems for some decades now, can be applied to socio-technical systems. It is no longer good enough simply to say that a failure was due to a computer error; in most cases there was a human error along the line too. We shall be looking at what sorts of thing can be said about error that applies to both computer error and human error. These ideas are not so much concerned with what causes errors, but how errors can be prevented or recovered from. It is this focus on prevention and recovery that led us to understand that there are indeed some concepts and structures that are common to the ways that errors are managed in both technical and human systems, though the actual causes may well be of very different kinds.

Keywords: Fault Tolerance; Ethnographic Study; Requirement Engineer; Vulnerability Analysis; Requirement Elicitation.

- Introduction: Dependability and Responsibility in Context | Pp. 1-17

Responsibility: A Philosophical Perspective

DAVID MARTIN

The concept of responsibility seems to be an important one in our social life, in our personal relations at home, at play, sport and leisure, at work; in our relations to various institutions, society in general; and in any spiritual beliefs we may hold of whatever colour or form. In a mundane form it permeates our talk about our duties and obligations, our jobs and tasks, the things we are in charge of, the things we are accountable for. At times it feels full of moral import—being responsible for the welfare of a child—at other times it is simply some mundane tasks we must carry out or be in charge of. Our responsibilities may be general or specific, clearly defined or loosely delineated. Responsibility talk is often about deciding what caused something after the fact, often when considering blame, but sometimes about deciding or debating what caused something neutral or positive. In this form it is often about inquiry or discovery. In another form, it is adverbial. Doing something responsibly means doing something with due care and attention and can be contrasted with irresponsible actions, actions that might lead to some sort of error or problem. It is little wonder that in philosophical and sociological debates it is often bound up with ideas about what people ought to do, what is wrong and right, how and by what arguments will people or groups or institutions be blamed (or praised). It is implicated in learned discussions about the duties we have to one another (e.g. between partners, colleagues, to our parents) and between us and society. In what way is society responsible for the individual and in what way is the individual responsible to society or the other members of society?
Such work is often ‘aspirational’ in that it tries to suggest how we should conduct our relations and ‘definitional’ in that it tries to state, for once and all, what is right or wrong or how we should decide what is right or wrong or the relative distribution of duties, obligations, jobs, tasks, amongst and between people, employers, governments and so forth. Often such talk is delivered with a great moral force, but as we have seen, sometimes in ordinary talk about responsibilities there is little moral force. We can take the blame for a minor error or be responsible for some fairly innocuous tasks.

Keywords: Organisational Context; Ordinary Language; Language Game; Family Resemblance; Philosophical Perspective.

I - Philosophical and Social Aspects | Pp. 21-42

Responsibility in Practice

DAVID MARTIN; ROB PROCTER; MARK ROUNCEFIELD; JOHN MARIANI

Responsibility looks as if it has become all but impossible, at just that historical moment when we articulated the virtue and began to demand it of our institutions and ourselves. This apparent contradiction might help explain why we are now so strongly aware of responsibility: we have been driven to notice what has slipped from our grasp. Williams (1994, p. 11)

Keywords: National Health Service; Project Manager; Project Team; Design Team; Public Private Partnership.

I - Philosophical and Social Aspects | Pp. 43-65

Complex Organisational Responsibilities: The Ladbroke Grove Rail Inquiry

DAVID MARTIN; MARK ROUNCEFIELD; WES SHARROCK

On the 5th of October 1999 at Ladbroke Grove a catastrophic crash occurred between two trains resulting in the deaths of both drivers and 29 passengers and the injury of approximately 414 persons. The trains involved in the crash were owned by two private companies—Thames Trains and Great Western Trains. The Thames Train was driving away from Paddington, while the Great Western was travelling towards Paddington. The Thames train passed a signal that was reading ‘stop’ (signal passed at danger (SPAD)) and indeed sped up into the path of the Great Western. Subsequent to the crash the Ladbroke Grove Rail Inquiry was set up and conducted in the months of May and December of 2000. The purpose of a public inquiry in the UK is not to decide upon criminal guilt, but is instead to lay open and examine all the evidence in an attempt to understand all of the possible causes of the accident no matter how small or distant to the actual event.

Keywords: Warning System; Safety Culture; Risk Management Strategy; Overhead Line; Driver Error.

I - Philosophical and Social Aspects | Pp. 66-87

Responsibility Modelling: Basic Concepts

JOHN DOBSON

In this chapter we shall describe an enterprise modelling technique based on the idea that to make sense of a socio-technical system in order to design an information and communication technology (ICT) system which is intended to be deployed in the socio-technical context requires an analysis of the responsibilities that exist in that context and the way these responsibilities are mapped on to the various actors. This mapping of responsibilities to actors constitutes the roles of the actors.

Keywords: Responsibility Modelling; Soft System Methodology; Enterprise Modelling; Theoretical Role; Causal Responsibility.

II - Modelling | Pp. 91-114

Models for Understanding Responsibilities

JOHN DOBSON; MIKE MARTIN

In everyday life, we observe that system failures and system inefficiencies regularly arise because of misunderstandings about responsibility (‘I thought that you were supposed to be doing that’). Modelling the assignment of responsibilities helps make clear to the actors in a process what their responsibilities actually are. Other classes of system failure arise when the nature of an assigned responsibility is misunderstood (particularly common when discussing responsibilities across organisations). Because Alice has been assigned some responsibility in organisation X, Bob in organisation Y interprets this responsibility in the context of organisation Y, not X. Modelling the nature of responsibilities helps to reduce misunderstandings amongst actors in a process about the scope of the responsibility and the context in which it was given or assumed. Another class of failure arises when an assigned responsibility is improperly discharged (or, perhaps, not discharged in a timely way) because the agent holding the responsibility has insufficient resources to discharge the responsibility. This is particularly likely where an agent has multiple responsibilities that are competing for resources. It is particularly problematic in situations where the agent has to interact with multiple authorities (who may have different goals and who need not necessarily be in a position to negotiate). To understand this class of failure, we need to be able to model both the assignment of responsibilities and the responsibilities themselves. Finally, failures (or more commonly inefficiencies) arise when a responsibility is assigned to a responsible who has no previous experience of that responsibility and/or who has to acquire some information/knowledge in order to discharge the responsibility. They may use models of both the nature of a responsibility and the assignment of a responsibility to discover what to do and who to appeal to for information.

Keywords: Shared Responsibility; Organisational Boundary; Vulnerability Analysis; Soft System Methodology; Error Handling.

II - Modelling | Pp. 115-129

Understanding Failure: The London Ambulance Service Disaster

JOHN DOBSON

In this chapter, we use parts of the report of inquiry into the London Ambulance Service Computer Aided Despatch system (February 1993) and model them using some of the techniques outlined in this book. We consider some of the failures that occurred at various stages of system development in the London Ambulance Service and examine whether responsibility models can be applied to prevent such failures. Our discussion addresses such questions as the types of responsibilities considered to be important, where responsibilities within socio-technical systems should be located and when and where should responsibility modelling be applied. It is important to realise that this chapter is not just another analysis of the failure—there are enough of those already, readily found by using a www search engine—but a more general discussion and demonstration of the kind of responsibility modelling we have introduced and are advocating. What matters is the models, not what they are modelling. We could have chosen an artificial example to serve our purposes equally well. The main reason for choosing LASCAD was the ready availability of the report with its discussion not only of the failure but also of the context in which the failure occurred. An electronic copy is available at http://www.cs.ucl.ac.uk/staff/A.Finkelstein/las.html. Numbers in square brackets in what follows refer to paragraphs in the report.

Keywords: Public Procurement; Regional Health Authority; Street Address; High Level Design; Ambulance Crew.

II - Modelling | Pp. 130-161

Models for Responsibility Assignment

IAN SOMMERVILLE

Responsibility assignment modelling is concerned with developing a picture of how the responsibilities in a socio-technical system are distributed across the different automated elements and actors in that system. At this stage, we are not concerned with the details of the responsibilities themselves, or with what the actors in the system have to do to discharge these responsibilities. Rather, a responsibility model presents a succinct picture of ‘who is responsible for what’ that can be used to identify responsibilities that have not been assigned, responsibilities that have been misassigned and actors in the system that may be overloaded with responsibilities. We argue that these models have a role to play in identifying sources of undependability in a system. They can be used to help identify requirements that are inconsistent with the responsibility structures and to design robust and reliable operational processes.

Keywords: Responsibility Model; Responsibility Structure; Directorate Manager; Responsibility Assignment; Graphical Notation.

III - New Methods | Pp. 165-186

Causal Responsibility Models

IAN SOMMERVILLE

In previous chapters, we have discussed the ways in which we can model how responsibility can be assigned to agents and how responsibility models can facilitate discussions about the nature of responsibilities in organisations. These models document responsibilities in an organisation, provide insights into possible vulnerabilities due to responsibility misassignment and facilitate discussion about the nature of specific responsibilities. However, we have not, so far, tried to model the responsibilities themselves. Such a model might include information about the attributes of the responsibility, the relationships between these attributes and how one responsibility is dependent on other responsibilities.

Keywords: Responsibility Model; Monitoring Responsibility; Responsibility Assignment; Simple Responsibility; Undesirable State.

III - New Methods | Pp. 187-207

Modelling in Practice

DEVINA RAMDUNY-ELLIS; ALAN DIX

In previous chapters, we have argued that responsibility plays a key role in sociotechnical systems; however, the task of pinning responsibilities down to specific individuals or organisations is not trivial. In this book, we have presented three viewpoints for analysing responsibility. Firstly, the ethnographic approach (Chapters 3 and 4), while highlighting the difficulties associated with locating responsibilities, allows us to describe certain levels of responsibility and identify areas where responsibility needs to be clarified. Secondly, the management perspective (Chapters 5 and 6) enables us to model processes and tasks involved in job allocations in such a way that potential areas of responsibility conflicts can be revealed. Finally, the software engineering models in Chapters 8 and 9 complement these two viewpoints by providing a way of explicitly mapping responsibility to agents, thus making responsibility conflicts and neglects more evident, while also providing a method for analysis.

Keywords: Team Leader; Work Plan; Train Driver; Sociotechnical System; Causal Responsibility.

III - New Methods | Pp. 208-234