ArticlePDF Available

Four concepts for resilience and the implications for the future of resilience engineering

Four concepts for resilience and the implications for the future
of resilience engineering
David D. Woods
Initiative on Complexity in Natural, Social &Engineered Systems, The Ohio State University, United States
article info
Resilience engineering
Resilient control
Robust control
Complex adaptive systems
Socio-technical systems
The concept of system resilience is important and popularin fact, hyper-popular over the last few years.
Clarifying the technical meanings and foundations of the concept of resilience would appear to be
necessary. Proposals for dening resilience are ourishing as well. This paper organizes the different
technical approaches to the question of what is resilience and how to engineer it in complex adaptive
systems. This paper groups the different uses of the label resiliencearound four basic concepts:
(1) resilience as rebound from trauma and return to equilibrium; (2) resilience as a synonym for
robustness; (3) resilience as the opposite of brittleness, i.e., as graceful extensibility when surprise
challenges boundaries; (4) resilience as network architectures that can sustain the ability to adapt to
future surprises as conditions evolve.
1. Introduction
Today's systems exist in an extensive network of interdepen-
dencies as a result of opportunities afforded by new technology
and by increasing pressures to become faster, better and cheaper
for various stakeholders. But the effects of operating in interde-
pendent networks has also created unanticipated side effects and
sudden dramatic failures [42,1]. These unintended consequences
have led many different people from different areas of inquiry to
note that some systems appear to be more resilient than others.
This idea that systems have a property called resiliencehas
emerged and grown extremely popular in the last decade (for
example, articles in scientic journals on the topic of resilience
increased by an order of magnitude between 2000 and 2013 based
on search of Web of Science, e.g., Longstaff et al. [26]). The idea
arose from multiple sources and has been examined from multiple
disciplinary perspectives including: systems safety (see Hollnagel
et al. (2006)), complexity (see [1]), human organizations (see
[42,40,22,32,31]), ecology (see [41]), and others. However, with
popularity has come confusion as the label continues to be used in
multiple and diverse ways.
As multiple observers from different disciplines began to study
the characteristics that affect the ability to create, manage, and
sustain resilience, four core concepts appear and recur. This paper
organizes the diverse uses of the label resilienceinto groups
based on these four conceptual perspectives. The paper refers to
these four concepts as resilience [1] through [4]. First, people use
the label resilience to refer to how a system rebounds from
disrupting or traumatic events and returns to previous or normal
activities (rebound¼resilience [1]).
Second, people use the label resilience as the equivalent to the
concept of system robustness. These two concepts have recurred
repeatedly in work on resilience, especially in the early stages of
exploring how systems manage complexity as they appear to
provide a path to generate explanations of how some systems
are able to manage increasing complexity, stressors, and chal-
lenges (robustness¼resilience [2]).
As researchers have continued to study the problem of com-
plexity and how systems adapt to manage complexity, two
additional concepts have emerged. Upon further inquiry, the
empirical results begin to reveal how some systems overcome
the risk of brittleness, i.e., the risk of a sudden failure when events
push the system up to and beyond its boundaries for handling
changing disturbances and variations [7,43,44]. From the perspec-
tive of overcoming the risk of brittleness, a third use of the label
resilience becomes the idea of graceful extensibility [47,45] how a
system extends performance, or brings extra adaptive capacity to
bear, when surprise events challenge its boundaries (graceful
extensibility¼resilience [3]).
Another line of inquiry has pursued formal models of systems
that have proved to be evolvable in biology and technology (e.g.,
the internet). A fourth use of the label resilience emerged from this
work that focuses on the question: what are the architectural
properties of layered networks that produce sustained adaptability
the ability to adapt to future surprises as conditions continue to
evolve? [14,32,31]. This line of work centers on how networks
can manage fundamental trade-offs that constrain all systems
E-mail address:
[9,13,5,18]. It seeks to identify governance policies that operate
across layered networks in biological systems, social systems, and
technological systemswhat governance policies sustain the abil-
ity of the network to continue to function well and avoid falling
into traps in the trade spaces as conditions change over long time
scales (sustained adaptability¼resilience [4]).
This paper briey considers each of the four, in turn, to explore
how each has stimulated lines of inquiry and led to new and
sometimes unexpected results. The intent of the paper is to set a
new baseline for future work. Whatever the historical contribu-
tions of each of these four concepts, the question is how to
advance productive lines of inquiry. Organizing the numerous
and continuing attempts to dene resilience around these four
concepts blocks out a great deal of noise (see the overview in [27]).
The review of the four concepts sets the stage to debate which
concepts have the potential to continue to advance our under-
standing of complex adaptive systems.
2. Four concepts for resilience
2.1. Resilience as rebound (or resilience [1])
The rebound concept begins with the question: why do some
communities, groups, or individuals recover from traumatic dis-
rupting events or repeated stressors better than others to resume
previous normal functioning? A representative example of this
approach is a recent compilation of papers assembled when an
organization asked the Institute of Medicine to help it answer the
above question [6]. We also nd this question asked by business
continuity centers as organizations confront extreme weather
events that can produce surprising cascades of effects [11].
This use of the label resilience as [1] rebound is common,
but pursuing what produces better rebound merely serves to re-
state the question. Where progress has been made, the focus is not
on the period of rebound but on what capabilities and resources
were present before the rebound period. Finkel's analysis of
contrasting cases of recovery from or inability to recover from
surprise provides compelling evidence [16]. First, it is not what
happens after a surprise that affects ability to recover; it is what
capacities are present before the surprise that can be deployed or
mobilized to deal with the surprise. This issue was noted early on
by Lagadec with respect to major external trigger events [20,
p. 54]:the ability to deal with a crisis situation is largely
dependent on the structures that have been developed before
chaos arrives. The event can in some ways be considered a brutal
and abrupt audit: at a moment's notice, everything that was left
unprepared becomes a complex problem, and every weakness
comes rushing to the forefront.
Second, rebound considers responses to specic disruptions,
but much more importantly the disrupting events represent
surprises, that is, the event is a surprise when it falls outside the
scope of variations and disturbances that the system in question is
capable of handling [43,46]. In other words, the key is not simply
the attributes of the event in itself as a disruption or its frequency
of occurrence, but how the event challenges a model instantiated
in the base capabilities of that system. The surprise event chal-
lenges the model and triggers learning and model revisiona kind
of model surprise [48]. There are patterns to surprise, or, as Nemeth
puts it, there are regularities to what on the surface appears to be
irregular variations in terms of how disturbances challenge normal
functioning [30].
These two points highlight a paradox about resilience, that
shifts the focus from resilience [1] to resilience [3] (graceful
extensibility) as research begins to consider resilience as multiple
forms of adaptive capacity. To overcome the risk of brittleness in
the face of surprising disruptions requires a system with the
potential for adaptive action in the future when information
varies, conditions change, or when new kinds of events occur,
any of which challenge the viability of previous adaptations,
models, plans, or assumptions. However, the data to measure
resilience as this potential comes from observing/analyzing how
the system has adapted to disrupting events and changes in the
past [44].
There are other limits to the line of inquiry based on resilience
[1], for example, the concept of recovery to normal or previous
function (return to equilibrium) has not held up to inquiry (see for
example, [41]). The process of adapting to disruptions, challenges
and surprises over time changes the system in question in multi-
ple ways. In adapting to new challenges, systems draw on their
past but become something new. Even when adapting to preserve,
the process of adapting transforms both the system and its
environment. Continuity occurs over a lineage of challenge and
adaptive response, a series of adaptive cycles that compose an
adaptive history.
It is historically interesting that questions about resilience are
often formulated around nding a way to explain variations in how
systems rebound from challenge. But research progress has left this
framing behind to focus on the fundamental properties of networks,
systems and organizations that are able to build, modify and sustain
the right kinds of adaptive capacities [14]. Studies of biological
systems [17] and evolutionary computational modeling of biological
systems [23,24] have shown that properties that will sustain adaptive
capacity in the future can be selected for [4].Theseareexamplesof
results that shift in focus the focus from resilience [1] to resilience [4]
architectures for sustained adaptability.
2.2. Resilience as robustness (or resilience [2])
Resilience [2] increased ability to absorb perturbations
confounds the labels robustness and resilience. Some of the
earliest explorations of resilience confounded these two labels,
and this confound continues to add noise to work on resilience (as
noted in [43,29]).
An increase in robustness expands the set of disturbances the
system can respond to effectively. This simple denition is the
basis for the success in robust control as a subset of control
engineering [15].Robust control is risk-sensitive, optimizing
worst case (rather than average or risk-neutral) performance to a
variety of disturbances and perturbations([14, p. 15624]). Alder-
son and Doyle [1] point out that robustness is always of the form:
system X has property Y that is robust in sense Z to perturbation
W. In other words, robust control works, and only works, for cases
where the disturbances are well-modeled.
If an increase in robustness expands the set of disturbances the
system can respond to effectively, the question remains what
happens if the system is challenged by an event outside of the
current set? If the system cannot continue to respond to demands
and meet some of its goals to some degree, then the system will
experience a sudden failure or collapse that is, the system is
brittle at its boundariesresilience [3]. In other words, resilience
comes to the fore when the set disturbances is not well modeled
and when this set is changing. And ironically, the set of poorly
modeled variations and disturbances changes based on a record of
past success which triggers adaptive responses by other nearby
units in the layered network of interdependent systems. As a
result of this fundamental result, and in a direct analogy to robust
control, a new line of inquiry has emerged to develop resilient
control systems for applications such as cybersecurity and cyber-
physical systems (e.g., [36]).
Confounding resilience and robustness turns out to be erro-
neous in another way. If an increase in robustness expands the set
Please cite this article as: Woods DD. Four concepts for resilience and the implications for the future of resilience engineering.
Reliability Engineering and System Safety (2015),
of disturbances the system can respond to effectively, the usual
assumption is that this performance envelope only grows larger or
more encompassing. But Doyle and colleagues have shown for-
mally and theoretically (e.g., [9]) and safety research has shown
empirically [43,19] that this simple expansion is not what hap-
pens. Instead, expanding a system's ability to handle some addi-
tional perturbations, increases the systems vulnerability in other
ways to other kinds of events.
This is a fundamental trade-off for complex adaptive systems
where becoming more optimal with respect to some variations,
constraints, and disturbances increases brittleness in the face of
variations, constraints, and disturbances that fall outside this set
[1,18]. The search for good system architectures studies how some
systems are able to continue to solve the trade-off as load increases
[14,25]. A converging line of evidence comes from studies of
human systems that escape from the tragedy of the commons
[12,31,22]. The emerging understanding of heuristic and formal
architectural principles points us to the fourth concept for resi-
lience as some architectures are able to sustain the ability to adapt
to future surprises over multiple cycles of change, or resilience [4].
2.3. Resilience as graceful extensibility (or resilience [3])
The third concept sees resilience as the opposite of brittleness,
or, how to extend adaptive capacity in the face of surprise [46,47,7]
Resilience [3] juxtaposes brittleness versus graceful extensibility.
Rather than asking the question how or why do people, systems,
organizations bounce back, this line of approach asks: how do
systems stretch to handle surprises? Systems with nite resources in
changing environments are always experiencing and stretching to
accommodate events that challenge boundaries. And what sys-
tems escape the constraints of nite resources and changing
Without some capability to continue to stretch in the face of
events that challenge boundaries, systems are more brittle than
stakeholders realize [45]. And all systems, however successful,
have boundaries and experience events that fall outside these
boundariessurprises. Brittleness describes how a system per-
forms near and beyond its boundary, separate from how well it
performs when operating well within its boundaries. Descriptively
and specically, brittleness is how rapidly a system's performance
declines when it nears and reaches its boundary. Brittle systems
experience rapid performance collapses, or failures, when events
challenge boundaries. Of course, one difculty is that the location
of the boundary is normally uncertain and moves as capabilities
and conditions change.
There is always some rate and kind of events that occur to
challenge the boundaries of more or less optimal or robust
performance, and thus graceful extensibility, being prepared to
adapt to handle surprise, is a necessary form of adaptive capacity
for all systems [43,45]. Systems with low graceful extensibility risk
collapse at the boundaries. But surprise has regular characteristics
as many classes of challenge re-cur (e.g., [30]) which can be
tracked and used as signals for adaptation. Caporale and Doyle
express the point in the context of biological systems [4, p. 20]:
However, many classes of environmental challenge re-cur.
Hosts combat pathogens (and pathogens avoid host defenses);
predators and prey do battle through biochemical adaptations;
bird's beaks must pick up and crack available seeds (or insects)
a menu that may change rapidly due, for example, to a
Challenges such as cascades of disturbances and friction in
putting plans into time are generic classes of demands that require
the ability to extend performance to avoid collapse due to
brittleness [47].
Attempts to expand the base envelope (the competence envel-
ope or base adaptive capacity) shift the dynamics and kinds of
events that challenge the new boundaries (and how they chal-
lenge the boundaries). This process of change means that graceful
extensibility is a dynamic capability. Graceful extensibility is a play
on the traditional term graceful degradation. However, graceful
degradation only refers to breakdowns. Woods [45] uses graceful
extensibility because adaptation at the boundaries can be very
positive and lead to success, not simply less negative capability.
Systems with high graceful extensibility have capabilities to
anticipate bottlenecks ahead, to learn about the changing shape
of disturbances and possess the readiness-to-respond to adjust
responses to t the challenges [16,46,48].
From the point of view of resilience [3], attempts to understand
rebound, rst, should change direction: search for previous dis-
rupting events and analyze what the system drew on to stretch to
accommodate those kinds of past events. Observing/analyzing
how the system has adapted to disrupting events and changes in
the past provides the data to assess that system's potential for
adaptive action in the future when new variations and types of
challenges occur [44]. Many studies of these kinds of adaptive
cycles have identied basic patterns and empirical generalizations
(recent examples are [8,28,3,3335,37,39]).
Second, the desire to understand rebound should lead to
studies and models of the consequences when a system has to
stretch repeatedly to multiple challenges over time. Calling on
resources to stretch repeatedly can overwork a system's readiness-
to-respond capability, resulting in consequences associated with
stress (e.g., in material science over-stressing a material changes
that material and its ability to respond to challenges in the future).
Studies of how systems extend adaptive capacity to handle
surprise have led to characterization of basic patterns in how
adaptive systems succeed and fail [47]. The starting point is
exhausting the capacity to deploy and mobilize responses as
disturbances grow and cascadethis pattern is called decompensa-
tion. The positive pattern observed in systems with high graceful
extensibility is anticipation of bottlenecks and crunches ahead.
Decompensation as a form of adaptive system breakdown
subsumes a related nding called critical slowing down, where an
increasing delay in recovery following disruption or stressor is an
indicator of an impending collapse or a tipping point [38,10].
When the time to recovery increases and/or the level recovered to
decreases, this pattern indicates that a system is exhausting its
ability to handle growing or repeated challenges, in other words,
the system is nearing saturation of its range of adaptive behavior.
Risk of saturation signals the risk of the basic decompensation
failure pattern. Risk of saturation turns out to play a key role in
graceful extensibility as a basic form of adaptive capacity
There are many other indicators of the risk of decompensation,
and studies of systems that reduce the risk of decompensation
provide valuable insight about where to invest to reduce brittle-
ness/increase resilience [3]. For example, Finkel [16] identied
characteristics of human systems that produce the ability to
recover from surprise. Interestingly, these characteristics or
sources of resilience represent the potential for adaptive action
in the future. Sources of resilience [3] provide a system with the
capability, in advance, to handle classes of surprises or challenges
such as cascading events. Providing and sustaining these sources
resilience [3] has its own dynamics and difculties that arise from
fundamental trade-offsresilience [4] [43,19,1]. For example, work
has found that organizations can undermine, inadvertently, their
own sources of resilience as they miss how people step into the
breach to make up for adaptive shortfalls [43].
Please cite this article as: Woods DD. Four concepts for resilience and the implications for the future of resilience engineering.
Reliability Engineering and System Safety (2015),
2.4. Resilience as sustained adaptability (or resilience [4])
Resilience [4] refers to the ability manage/regulate adaptive
capacities of systems that are layered networks, and are also a part
of larger layered networks, so as to produce sustained adaptability
over longer scales [1]. Some layered networks or complex adaptive
systems demonstrate sustained adaptability, but most layered
networks do not, i.e., they get stuck in adaptive shortfalls, unravel
and collapse when confronting new periods of change, regardless
of their past record of successes. Resilience [4] asks three ques-
tions: (1) what governance or architectural characteristics explain
the difference between networks that produce sustained adapt-
ability and those that fail to sustain adaptability? (2) What design
principles and techniques would allow one to engineer a network
that can produce sustained adaptability? (3) How would one know
if one succeeded in their engineering (how can one condently
assess whether a system has the ability to sustain adaptability over
time, like evolvability from a biological perspective and like a new
kind of stability from a control engineering perspective)?
In socio-technical systems, sustained adaptability addresses a
system's dynamics over a life cycle or multiple cycles. The
architecture of the system needs to be equipped at earlier stages
with the wherewithal to adapt or be adaptable when it will face
predictable changes and challenges across its life cycle. Predictable
dynamics of challenge include:
Over the life cycle, assumptions and boundary conditions will
be challengedsurprises will continue to re-cur.
Over the life cycle, conditions and contexts of use will change
therefore boundaries will change, especially if the system
provides valuable capability to stakeholders.
Over the life cycle, adaptive shortfalls will occur and some
responsible people will have to step in to ll the breach.
Over the life cycle, the need for graceful extensibility and the
factors that produce or erode graceful extensibility will change,
more than once.
Over life cycles, classes of changes will occur, and the system in
question will have to adapt to seize opportunities and respond
to challenges by readjusting itself and its relationships in the
layered network.
Central to resilience [4] is identifying what basic architectural
principles are preserved over these changes and provide the
needed exibility to continue to adapt over long scales [14].
Advances on resilience [4] center on the nding that all adaptive
systems are subject to fundamental constraints or trade-offs, that
there are multiple trade-offs, and that there are basic architectural
principles that allow some systems to adjust their position in the
multi-dimensional trade space in ways that tend to move toward
or nd new positions along hard limit lines [14,25]. Prominent in
this line of inquiry are questions about which trade-offs are
fundamental and whether these are different for human systems
as compared to biological or physical systems at various scales
Resilience [4] also leads to the agenda to dene resilient control
mechanisms, i.e., control or management of adaptive capacities
relative to the fundamental trade-offs. Thus, resilience [4] is a
higher level concept in which multiple dimensions are balanced
and traded off, given the laws that constrain how (human)
adaptive systems work. In resilience [4] it makes sense to say a
system is resilient, or not, based on how well it balances all the
tradeoffs, or not. For example, success stories can be found in
biology if we look at glycolysis as modeled by Chandra et al. [5],or
selection for future adaptive capacity (as in [24]), and in human
systems success stories can be found in the work of Finkel [16] on
how successful military systems prepare to adapt to surprise,
Ostrom on how human networks avoid the tragedy of the
commons through polycentric governance principles as in exam-
ples such as managing limited water resources in Bali [32,12,21].
Progress is being made on mechanisms for resilient control in
infrastructures (e.g., [2]) and in regulating the risk of brittleness (e.
g. by regulating a system's capacity for maneuver to handle
potential upcoming surprises in [47,45]).
3. Implications for resilience engineering
As different people and disciplines pursue their journey of
inquiry about complex systems and reducing risks of sudden
failure in complex systems, a progression of concepts recur that
capture different senses of the label resilience. This paper has
organized the various senses and denitions into four groups:
rebound, robustness, graceful extensibility, and architectures for
sustained adaptability. This partition represents four core concepts
that have recurred since the introduction of resilience as a critical
systems property. This partition allows an assessment of progress
and a projection of what is promising to create the ability to
engineer resilience into diverse systems and networks in the
The rst implication of the partition is that, through overuse,
the label resilience only functions as a general pointer to one or
another of the four concepts. For science and engineering pur-
poses, one needs to be explicit about which of the four senses of
resilience is meant when studying or modeling adaptive capacities
(or to expand on the four anchor concepts as new results emerge).
Second, the value of the differing concepts depends on how
they are productive in steering lines of inquiry toward what will
prove to be fundamental ndings, foundational theories, and
engineering techniques. The yield from rst two concepts about
resilience, rebound and robustness, has been low. Resilience as
rebound misdirects inquiry to reactive phases and restoration or
return to previous states. It begs the question on what is needed in
advance of a challenge event or shift in variations and disturbance,
and how systems continue to change as they adapt, as well as how
systems provoke changes through adaptation.
Confounding resilience and robustness begs the question of
how systems and networks adapt when faced with poorly mod-
eled events, disruptions, and variations. Control engineering
already knows a great deal about how to engineer systems to
handle well-modeled disturbances. The lines of inquiry relevant to
resilience are about how systems and networks can be prepared to
handle the model surprises that occur as change is ongoing. The
empirical progress has come from nding, studying, and modeling
the biological and human systems that are prepared to handle
The value of these two concepts is historical as they were the
rst approaches used to tackle issues related to resilience and
stimulated multiple lines of inquiry. The disappointment is that
both of these concepts continue to be recycled, both in reference
to past work and in current efforts, as if they provide an adequate
conceptual basis to move forward.
Nevertheless, the lines of inquiry have progressed to tackle
questions such as:
how adaptive systems fail in general and across scales;
how systems can be prepared for inevitable surprise while still
meeting pressures to improve on efciency of resource
what mechanisms allow a system to manage the risk of
brittleness at the boundaries of normal function;
what architectures allow systems to sustain adaptability over
long times and multiple cycles of change.
Please cite this article as: Woods DD. Four concepts for resilience and the implications for the future of resilience engineering.
Reliability Engineering and System Safety (2015),
Studies of resilience in action have revealed a rich set of
patterns and regularities about how some systems provide and
adjust graceful extensibility to overcome brittleness. Models on
what makes the difference between resilience and brittleness have
been successful in specic areas to highlight fundamental pro-
cesses that sustain adaptability over long scales. As a result, we can
characterize different kinds of adaptive capacities, dynamic pat-
terns about how these capacities develop or degrade, and the kind
of architectures that support or sustain the ability to adapt to
future challenges.
However, the multiple lines of inquiry that intersect around the
label resilience are young. The end story remains to be written of
how to engineer in graceful extensibility and how to design
architectures that will sustain adaptive capacities over time.
[1] Alderson DL, Doyle JC. Contrasting views of complexity and their implications
for network-centric infrastructures. IEEE SMCPart A 2010;40:83952.
[2] Alderson DL, Brown GG, Carlyle WM, Cox LA. Sometimes there is no most-vital
arc: assessing and improving the operational resilience of systems. Mil Oper
Res 2013;18(1):2137.
[3] Allspaw J. Fault injection in production: making the case for resilience testing.
ACM Queue 2012;10(8):305.
[4] Caporale LH Doyle JC. In Darwinian evolution, feedback from natural selection
leads to biased mutations. Annals of the New York Academy of Science, special
issue on evolutionary dynamics and information hierarchies in biological
systems. Annals Reports; 2013, 1305, 1828.
[5] Chandra F, Buzi G, Doyle JC. Glycolytic oscillations and limits on robust
efciency. Science 2011;333:18792.
[6] Colvin HM, Taylor RM, editors. Building a resilient workforce: opportunities
for the department of homeland security workshop summary. Washington
DC: The National Academies Press; 2012.
[7] Cook RI, Rasmussen J. Going solid: a model of system dynamics and
consequences for patient safety. Qual Saf Health Care 2005;14(2):1304.
[8] Cook RI. Being bumpable: consequences of resource saturation and near-
saturation for cognitive demands on ICU practitioners. In: Woods DD,
Hollnagel E, editors. Joint cognitive systems: patterns in cognitive systems
engineering. Boca Raton, FL: Taylor & Francis/CRC Press; 2006. p. 2335.
[9] Csete ME, Doyle JC. Reverse engineering of biological complexity. Science
[10] Dai L, Vorselen D, Korolev K, Jeff Gore J. Generic indicators for loss of resilience
before a tipping point leading to population collapse. Science 2012;336
[11] Deary, DS, Walker, KE Woods, DD.. Resilience in the face of a superstorm: a
transportation rm confronts hurricane sandy. In: Proceedings of the 57th
annual meeting on human factors and ergonomics society; 2013.
[12] Dietz T, Ostrom E, Stern PC. The struggle to govern the commons. Science
[13] Doyle JC, et al. The robust yet fragilenature of the internet. Proc Natl Acad
Sci USA 2005;102:14497502.
[14] Doyle JC, Csete ME. Architecture, constraints, and behavior. Proc Natl Acad Sci
USA 2011;108(Suppl. 3):S1562430.
[15] Doyle JC, Francis B, Tannenbaum A. Feedback control theory. Macmillan
Publishing Co.; 1990.
[16] Finkel M. On exibility: recovery from technological and doctrinal surprise on
the battleeld. Stanford, CA: Stanford Security Studies; 2011.
[17] Graves CJ, Ros VID, Stevenson B, Sniegowski PD, Brisson D. Natural selection
promotes antigenic evolvability. PLOS Pathog 2013;9(11):e1003766.
[18] Hoffman RR, Woods DD. Beyond Simon's slice: ve fundamental tradeoffs that
bound the performance of macrocognitive work systems. IEEE Intell Syst
[19] Hollnagel E. ETTO: efciency-thoroughness trade-off. Farnham, UK: Ashgate;
[20] Lagadec P. Preventing chaos in a crisis: strategies for prevention, control and
damage limitation. London, UK: McGraw-Hill; 1993 (J. M Phelps, Trans).
[21] Lansing JS, Kremer JN. Emergent properties of Balinese water temples. Am
Anthropol 1993;95:97114.
[22] Lansing JS. Perfect order: recognizing complexity in Bali. Princeton, NJ:
Princeton University Press; 2006.
[23] Lehman J, Stanley KO. Abandoning objectives: evolution through the search
for novelty alone. Evol Comput 2011;19(2):189223.
[24] Lehman J, Stanley KO. Evolvability is inevitable: increasing evolvability with-
out the pressure to adapt. PLoS One 2013;8(4):e62186.
[25] Li, N., Cruz, J., Chenghao, S.C., Somayeh, S., Recht, B., Stone, D. et al. (2014).
Robust efciency and actuator saturation explain healthy heart rate control
and variability. Proc Natl Acad Sci USA111, 33, E347685. http://www.pnas.
[26] Longstaff PH, Koslowski TG, Geoghegan W. Translating Resilience: A Frame-
work to Enhance Communication and Implementation. In: Proceedings of the
fth Symposium on Resilience Engineering, resilience engineering association,
Download from Knowledge Bank, Columbus OH, 2013.
[27] Manyena SB. The concept of resilience revisited. Disasters 2006;30:43350.
[28] Miller A, Xiao Y. Multi-level strategies to achieve resilience for an organisation
operating at capacity: a case study at a trauma centre. Cogn Technol Work
[29] Mili, L.. Making the concepts of robustness resilience and sustainability useful
tools for power system planning, operation and control. In: Proceedings of the
ISRCS 2011: 4th international symposium on resilient control systems. Boise,
ID; August 9112011.
[30] Nemeth CP, Nunnally M, OConnor M, Brandwijk M, Kowalsky J, Cook RI.
Regularly irregular: how groups reconcile cross-cutting agendas and demand
in healthcare. Cogn Technol Work 2007;9:13948.
[31] Ostrom E. Polycentric systems: multilevel governance involving a diversity of
organizations. In: Brousseau E, Dedeurwaerdere T, Jouvet P-A, Willinger M,
editors. Global environmental commons: analytical and political challenges in
building governance mechanisms. Cambridge: Oxford University Press; 2012.
p. 10525.
[32] Ostrom E. Scales, polycentricity, and incentives: designing complexity to
govern complexity. In: Guruswamy LD, McNeely J, editors. Protection of global
biodiversity: converging strategies. Durham, NC: Duke University Press; 1998.
p. 14967.
[33] Ouedraogo KA, Simon Enjalbert S, Vanderhaegen F. How to learn from the
resilience of humanmachine systems? Eng Appl Artif Intell 2013;26:2434.
[34] Paletz SB, Kim KH, Schunn CD, Tollinger I, Vera A. Reuse and recycle: the
development of adaptive expertise, routine expertise, and novelty in a large
research team. Appl Cogn Psychol 2013;27:41528.
[35] Perry S, Wears R. Underground adaptations: cases from health care. Cogn
Technol Work 2012;14:25360.
[36] Rieger, CG. Notional examples and benchmark aspects of a resilient control
system. In: Proceedings of the IEEE, 3rd international symposium on resilient
control systems (ISRCS); 2010. p. 6471.
[37] Robbins J, Allspaw J, Krishnan K, Limoncelli T. Resilience engineering: learning
to embrace failure. Commun ACM 2012;55(11):407.
[38] Scheffer M, Bascompte J, Brock WA, Brovkin V, Carpenter SR, Dakos V, et al.
Early-warning signals for critical transitions. Nature 2009;461(7260):539.
[39] Stephens RJ, Woods DD, Patterson ES. Patient boarding in the emergency
department as a symptom of complexity-induced risks. In: Wears RL,
Hollnagel E, Braithwaite J, editors. Resilience in everyday clinical work.
Farnham, UK: Ashgate; 2015. p. 12944.
[40] Sutcliffe KM, Vogus TJ. Organizing for resilience. In: Cameron KS, Dutton IE,
Quinn RE, editors. Positive organizational scholarship. San Francisco: Berrett-
Koehler; 2003. p. 94110 .
[41] Walker BH, Salt D. Resilience thinking: sustaining ecosystems and people in a
changing world. Washington: Island Press; 2006.
[42] Weick K, Sutcliffe KM. Managing the unexpected: resilient performance in an
age of uncertainty. 2nd edition. NY, NY: Jossey-Bass; 2007.
[43] Woods DD. Essential characteristics of resilience for organizations. In: Holl-
nagel E, Woods DD, Leveson N, editors. Resilience engineering: concepts and
precepts. Aldershot, UK: Ashgate; 2006. p. 2134.
[44] Woods DD. Escaping failures of foresight. Saf Sci 2009;47(4):498501.
[45] Woods DD. Outmaneuvering complexity. Ashgate; 2015 In preparation.
[46] Woods DD, Wreathall J. Stressstrain plot as a basis for assessing system
resilience. In: Hollnagel E, Nemeth C, Dekker SWA, editors. Resilience
engineering perspectives 1: remaining sensitive to the possibility of failure.
Aldershot, UK: Ashgate; 2008. p. 14561.
[47] Woods DD, Branlat M. Basic patterns in how adaptive systems fail. In:
Hollnagel E, Pariès J, Woods DD, Wreathall J, editors. Resilience engineering
in practice. Farnham, UK: Ashgate; 2011. p. 12744.
[48] Woods, DD, Chan, YJ Wreathall, J. The stressstrain model of resilience
operationalizes the four cornerstones of resilience engineering. In: Proceed-
ings of the fth international symposium on resilience engineering, resilience
engineering association. Download from The Knowledge Bank.Columbus OH; June 2013. p. 257.
Citation: Woods DD. Four concepts for resilience and the implications for the future of resilience engineering. Reliability Engineering and
System Safety (2015), 141, 5-9.
... Common terms associated with this conceptual heuristic most commonly include the ability to; change, adjust, re-organize, transform, grow, transform, face a tipping point and learn. Here, adaptation refers to a system's capacity to adjust their function and/or characteristics in order to be resilient (Woods 2015). Therefore, this transformation involves training for change management associated with the operations and modes of functioning within the systems of the organization. ...
... 4. Proactivity relates to resilience training being applied in a context which requires an element of foresight, whereby systems, communities, organizations, and individuals predict, and anticipate foreseen changes and disturbances (Woods 2015). Common terms associated with this element of resilience include the ability to anticipate. ...
... To sum up, a resilient system may fluctuate between states as long as it can absorb shocks, in the sense that its qualitative behavior does not change thanks to its robustness and its redundancy, quickly recovers in presence of performance losses, and adapts itself to future disruptions (Woods, 2015;Hollnagel, 2008;Berkeley and Wallace, 2010). ...
... Berkeley and Wallace (2010) extend the definition above by including a feedback phase corresponding to the notion of adaptability. Woods (2015) defines four concepts for resilience. Resilience as a rebound, as robustness, as the opposite of brittleness and as the ability to adapt to future surprises. ...
In addition to operating close to their maximum capacity, transport networks, and especially the urban ones, are subject to various disruptions induced by human, technical or natural factors, which often generate loss of performance, damages and high maintenance costs. Introduced in the 70's, the notion of resilience represents the ability of a system to maintain an acceptable level of performance in presence of a disruption. Modeling and quantifying the resilience of multimodal, large-scale, urban transport networks is expected to allow cities guaranteeing higher-quality of service and seamless mobility, even in the presence of disruptions and major, predictable events. The research presented in this dissertation is motivated by the need of proper defining the resilience of the transport network in order to understand their vulnerabilities. Such indication aims at improving the functioning of the network under disruption and anticipating the loss of performance by means of a resilient-oriented transport network design. In the literature, two major approaches aim at quantifying the network resilience. On the one hand, the topological approach, based on graph theory, which characterizes the static components of transport resilience, as issued from the redundancy of the network and its connectivity. On the other hand, the dynamic approach, which takes into account the traffic dynamics and leverages traffic theory for quantifying resilience induced by the network users behaviors and the transport network performances. The combination of the static and the dynamic approaches for resilience characterization is promising and provides deeper insights in the properties of a network, both in terms of its topology and performance. Centrality measures, aiming at ranking the importance of the graph components and issued from graph theory, are mainly analyzed to characterize the transport networks in static settings. By computing them on dynamic weighted graphs that capture traffic conditions and by adapting their formulation to consider the users’ demand, we are able to jointly consider network topology and traffic dynamics in resilience characterization. To emulate the impact of disruptions, both simulated and real data are considered. A stress test methodology, mostly used in the bank and nuclear sectors, which aims at simulating the worst scenarios in order to analyze the impact and the reaction of the network, is developed to observe the transport network behavior. Finally, we develop a methodology, quick-to-compute, which aims at prioritizing the construction of some new transport mode lines, by maximizing the performance improvement in a resilience context. We also propose an algorithm for the optimal deployment of a disruption-adapted park-and-ride system.
... In the past decade, resilience as a concept has been defined and applied in various scientific fields, including safety management, organizational management, psychology, ecology, and so forth (Hosseini et al., 2016). D. D. Woods (2015) sketches resilience concepts in four categories: (1) as a rebound from trauma; (2) as a synonym for robustness; (3) as the opposite of brittleness, that is, as graceful extensibility when surprise challenges boundaries, and (4) as network architectures that can sustain the ability to adapt to future surprises as conditions evolve. While this typology is useful to categorize generic resilience concepts, for EM systems it remains relevant to confront the implementation of strategies and adapts management responses in several dimensions, as delineated by Margerum (2011) in the following "six Cs": ...
Full-text available
Standard emergency‐management procedures offer guidance on how organizations can improve their handling of all types of emergencies. However, such a generalization undermines uncertainties and oversimplifies the complexity of real work practices during an emergency response operation (ERO). The handling of the COVID‐19 pandemic highlights how uncertainty and escalating consequences reinforce the need for resilience in EROs. To illustrate the key elements of our suggested approach and its practical implications, we discuss the issues in light of a case study related to a COVID‐19 outbreak on a floating oil rig in the North Sea. The analysis reveals several instances of creative problem solving, and individual and collective efforts beyond the scope of the standard procedures. It also underlines how the shortcomings of resource allocation and over‐planning might lead to inflexibility, thus harming EROs' efficiency. Our analysis highlights that the key to resilient EROs lies in robust coordination, the ability to improvise, transparency, and trusting communication between the actors involved. Greater focus on network building—proactively maintained through regular training and exercise activities—strengthens resilience in emergency‐management systems. All these traits link to the Norwegian term “samhandling,” a notion which is here proposed to summarize and connect these resilience capacities.
... The former refers to the ability to limit the scale of current production losses in the case of a given asset loss, and the latter refers to the ability of reconstruction and restoration. (Woods, 2015) grouped the different uses of the "resilient" label around four basic concepts: (1) resilience as rebound from trauma and return to equilibrium; (2) resilience as a synonym for robustness; (3) resilience as the opposite of brittleness, that is, as graceful extensibility when surprise challenges boundaries; and (4) resilience as network architectures that can sustain the ability to adapt to future surprises as conditions evolve. Compared with European and American countries, the research on resilience in China started relatively late. ...
Full-text available
As an important part of the national economy, the marine economy will be subject to various internal and external disturbances in the process of development. Different regions will show different resilience. Based on four dimensions of “resistance–recovery–reorientation–renewal,” this paper measures the marine economic resilience of the four provinces covered within the China’s Southern Marine Economy Circle from 2008 to 2018 by establishing an evaluation index system. The results show that 1) the overall resilience of economy in the Southern Marine Economy Circle showed a fluctuating upward trend from 2008 to 2018. Although there was a decline in 2011–2012 due to natural disasters, the value quickly resumed its increasing trend. 2) At present, there are obvious relative differences in the resilience of marine economy in each region of China’s Southern Marine Economy Circle, and the polarization phenomenon is serious. Among them, Guangdong belongs to the high-value region and Fujian is in the middle, while Hainan and Guangxi are temporarily in the low-value area.
Over the past two decades, the ‘new view’ has become a popular term in safety theory and practice. It has however also been criticised, provoking division and controversy. The aim of this article is to clarify the current situation. It describes the origins, ambiguities and successes of the ‘new view’ as well as the critiques formulated. The article begins by outlining the origins of this concept, in the 1980 s and 1990 s, from the cognitive (system) engineering (CSE) school initiated by Rasmussen, Hollnagel and Woods. This differed from Reason’s approach to human error in this period. The article explains how Dekker, in the early 2000 s, translates ideas from the CSE school to coin the term ‘new view’, while also developing, shortly after, an argument against Reason’s legacy that was more radical and critical than his predecessors’. Secondly, the article describes the ambiguities associated with the term ‘new view’ because of the different programs that have derived from CSE (Resilience Engineering – RE then Safety II, Safety Differently, Theory of Graceful Extensibility). The text identifies three programs by different thinkers (methodological, formal and critical) and Dekker’s three eclectic versions of the ‘new view’. Thirdly, the article discusses the successes of the CSE and RE school, showing how it has strongly resonated with many practitioners outside the academic world. Fourthly, the critiques raised within the field of human factors and system safety but also from different traditions (e.g., system safety engineering with Leveson, sociology of safety with Hopkins) are introduced, and discussed.
This paper sets up a framework to assess co-agency in human-robot interactions, and applies it specifically to the socio-technical safety analysis of collaborative robots. We also examine to what extent the concept of Situation Awareness can be applied to assess collaborative robots as efficient team members in socio-technical systems. We explain some theoretical concerns with traditional concepts of Situation Awareness and defend why the concept of Joint Cognitive Systems, which maps the conceptualization of the cognitive system onto the work system as a whole, is best suited for issues of distributed cognition and controllability in human-robot interaction. Thereafter we present a five-step methodology specifically conceived for cobot applications serving the aim of goal coordination between multiple agents by functional interactions. The proposed framework merges two existing safety and resilience analysis methods, being the Functional Resonance Analysis Method and Interdependence Analysis. These methods are used in combination to assess shared control in safe and efficient human-robot interaction from a systems-thinking perspective. This allows to describe the systemic conditions for Distributed Situation Awareness in terms of observable system interactions and as an emergent object of distributed cognition. Instead of looking at undesirable safety outcomes, we have imposed the focus of co-agency as the unit of analysis in line with the Joint Cognitive Systems perspective. The theoretical insights from this paper are additionally applied to a hypothetical but credible demonstration case study with collaborative warehouse robots.
Epistemic uncertainties, caused by data asymmetry and deficiencies, exist in resilience evaluation. Especially in the system design process, it is difficult to obtain enough data for system resilience evaluation and improvement. Mathematics methods, such as evidence theory and Bayesian theory, have been used in the resilience evaluation for systems with epistemic uncertainty. However, these methods are based on subjective information and may lead to an interval expansion problem in the calculation. Therefore, the problem of how to quantify epistemic uncertainty in the resilience evaluation is not well solved. In this paper, we propose a new resilience measure based on uncertainty theory, a new branch of mathematics that is viewed as appropriate for modeling epistemic uncertainty. In our method, resilience is defined as an uncertainty measure that is the belief degree of a system’s behavior after disruptions that can achieve the predetermined goal. Then, a resilience evaluation method is provided based on the operation law in uncertainty theory. To design a resilient system, an uncertain programming model is given, and a genetic algorithm is applied to find an optimal design to develop a resilient system with the minimal cost. Finally, road networks are used as a case study. The results show that our method can effectively reduce cost and ensure network resilience.
Network resilience, measuring the degree of network performance decline and recovery capacity after perturbation onset, is highly related to capability against a cascading failure. However, the network resilience assessment and reinforcement strategy remain challenging for the network with a potential cascade risk. In this paper, we propose three resilience reinforcement strategies based on the nodal capacity redundancy at the different structure scales and develop a network resilience assessment method considering both the structure and nodal load. The performance of the reinforcement strategy has a close correlation with the nodal capacity redundancy, which performs as the node with larger capacity redundancy is reinforced, the better reinforcement efficiency. Moreover, the heterogeneity of the nodal load profoundly affects the reinforcement efficiency. To enhance network resilience, the reinforcement strategies proposed are then improved based on the optimization theory. Theoretical analysis and experiments for both the Barabási-Albert scale-free network and Erdős-Rényi random network under various initial conditions demonstrate that the modified reinforcement strategy outperforms existing methods in terms of the reinforcement efficiency. This paper provides a general paradigm to address the potential cascade risk, which will enable us to design more resilient networks against cascading failures.
Ultra-safe organizations, such as Air Navigation Service Providers (ANSPs), have extensive safety management organizations and generally excellent safety records with very few serious incidents and accidents. This development has been supported by increasingly advanced and effective methods. However, recent research has uncovered how the application of even advanced incident investigation methods is subject to the same pressures of the reality of everyday work, similar to other safety-critical work tasks. They may therefore also have “incidents”, where all issues are not examined with desired thoroughness, and all recommendations are not formulated or implemented with desired effectiveness. This development may be driven by different factors. For instance, the economic pressure on ANSPs is arguably high in Europe’s competitive aviation market. This speaks for an efficient and pragmatic method for investigating organizational factors affecting incident investigation work. The foundation for such a method existed in prior research, in the form of lists of risk factors for investigative work. In this paper, we present the Method for identifying Investigative Blind Spots (MIBS). We also describe, compare, and assess its development and application, at a Swedish ANSP. Incident investigators were involved in a series of semi-structured workshops to identify possible “blind spots” in their own investigation practices (investigation-work-as-done), i.e. organizational factors that impede or otherwise affect the various phases of the investigative process (investigation-work-as-imagined). This resulted in a method description with an associated set of discussion cards that ultra-safe organizations can use to address blunt-end factors of their investigation-work-as-done.
Conference Paper
Full-text available
This paper presents the latest results on the Stress-­‐Strain model of resilience and shows how the model provides a means to operaJonalize the four cornerstones of Resilience Engineering as proposed by Hollnagel and uJlized in the Resilience Analysis Grid. The Stress-­‐Strain model of resilience, originally proposed by Woods and Wreathall in 2006, addresses one of the original goals for Resilience Engineering-­‐-­‐ how to assess briPleness of an organizaJon or system. The model is based on a representaJon, in the tradiJon of plots of adapJve landscapes, that captures the relaJonship of demands or challenge events (what variaJons and events place stress on the system) and the ability of the system to draw on sources of adapJve capacity to respond to challenge events. The Stress-­‐Strain model provides a framework for analysis to answer the key quesJon-­‐-­‐ how does a system stretch to handle surprises?