Information Systems: Failure Analysis
NATO ASI Series
Advanced Science Institutes Series
A series presenting the results of activities sponsored by the NATO Science
Committee, which aims at the dissemination of advanced scientific and
technological knowledge, with a view to strengthening links between scientific
communities.
The Series is published by an international board of publishers in conjunction with
the NATO Scientific Affairs Division.
A Life Sciences, B Physics: Plenum Publishing Corporation, London and New York
C Mathematical and Physical Sciences: D. Reidel Publishing Company, Dordrecht, Boston, Lancaster and Tokyo
D Behavioural and Social Sciences, E Applied Sciences: Martinus Nijhoff Publishers, Boston, The Hague, Dordrecht and Lancaster
F Computer and Systems Sciences, G Ecological Sciences, H Cell Biology: Springer-Verlag, Berlin Heidelberg New York London Paris Tokyo
Series F: Computer and Systems Sciences Vol. 32
Information Systems:
Failure Analysis
Edited by
John A. Wise
Westinghouse Research and Development Center
1310 Beulah Road, Pittsburgh, PA 15235, USA
Anthony Debons
University of Pittsburgh, Pittsburgh, PA 15260, USA
Springer-Verlag
Berlin Heidelberg New York London Paris Tokyo
Published in cooperation with NATO Scientific Affairs Division
Proceedings of the NATO Advanced Research Workshop on Failure Analysis of
Information Systems held in Bad Windsheim, Federal Republic of Germany, August
18-22, 1986
ISBN-13: 978-3-642-83093-8 e-ISBN-13: 978-3-642-83091-4
DOI: 10.1007/978-3-642-83091-4
Library of Congress Cataloging in Publication Data. NATO Advanced Research Workshop on Failure
Analysis of Information Systems (1986: Bad Windsheim, Germany) Information systems. (NATO ASI
series. Series F, Computer and systems sciences; vol. 32) "Published in cooperation with NATO Scientific
Affairs Division" "Proceedings of the NATO Advanced Research Workshop on Failure Analysis of
Information Systems held in Bad Windsheim, Federal Republic of Germany, August 18-22, 1986"-T.p. verso.
Includes index. 1. Electronic data processing-Congresses. 2. System failures (Engineering)-Congresses.
3. System analysis-Congresses. I. Wise, John A., 1944- . II. Debons, A. III. North Atlantic Treaty
Organization. Scientific Affairs Division. IV. Title. V. Series: NATO ASI series. Series F, Computer and
systems sciences; vol. 32. QA75.5.N38 1986 003 87-12818
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting,
reproduction on microfilms or in other ways, and storage in data banks. Duplication of this publication or
parts thereof is only permitted under the provisions of the German Copyright Law of September 9, 1965, in
its version of June 24, 1985, and a copyright fee must always be paid. Violations fall under the prosecution
act of the German Copyright Law.
© Springer-Verlag Berlin Heidelberg 1987
Softcover reprint of the hardcover 1st edition 1987
This proceedings is dedicated to the late
Dr. Mario di Lullo
Program Director
NATO Scientific Affairs Division
A champion of the new idea
from whatever quarter,
and an unflinching supporter
of its definition and development
PREFACE
Although system analysis is a well established methodology, the specific application of
such analysis to information systems is a relatively new endeavor. Indeed, it may be said to be
still in the trial-and-error stage. In recent years, such analysis has been given impetus by the
numerous accounts of information system failures, some of which have led to serious
consequences, e.g., the accident at Three Mile Island, the chemical spills at Bhopal, India, and
at Institute, West Virginia, and the loss of the space shuttle Challenger. Analysis of the failure
of the W. T. Grant Company, the third largest retail organization in the United States, indicated
that improper use of the available information was a significant factor in that failure.
In spite of these incidents and their widespread impact, only meager attempts have been
made to develop an effective methodology for analyzing the information systems involved in
such incidents. There have been no well developed guidelines for determining the causes of
such events and for recommending solutions so that similar failures could be avoided.
To address the need for such a methodology, the North Atlantic Treaty Organization
(NATO) sponsored an Advanced Research Workshop attended by a group of 32 scientists,
scholars, and expert investigators, representing a variety of disciplines and countries.
Additional funding was provided by the Aluminum Company of America and the U. S. Army
Research Institute for the Behavioral and Social Sciences - European Office. The Workshop
meetings were held in Bad Windsheim, West Germany, August 18 to 22, 1986.
This Proceedings document includes the papers prepared by the Workshop participants,
along with summaries of the conclusions reached by the group. The material is intended to
provide basic guidelines for both the design of information systems and the prevention of
future information system failures. The Proceedings will also serve as a basis for generating
Research and Development programs that are directed specifically toward establishing new
methodologies for the investigation of information system failures.
Meeting in small groups and plenary sessions, the Workshop participants addressed the
following specific topics:
• Investigation techniques. Identification of techniques used in the evaluation of
system failures.
• System issues. Effects of the functional relationship among components on
system failure.
• Hardware/software. Factors related to hardware and software contributions to
system breakdown.
• Decision-making and problem-solving issues. Factors related to human
decision-making and problem-solving during crisis events. The human ability
to deal with options before and after a crisis event.
• Organizational issues. Personnel management factors in system breakdown.
The role of communications during pre- and post-events. Causes of
communications breakdown.
• Human/computer interface. Basic human factors considerations in data
acquisition from the system. Loss of an effective communication between
user and computer.
In examining these topics, the group identified and evaluated various investigative
techniques and methods of converting results into design and test of procedures and standards
verification. They also identified case histories that can be used as models, resources required
for investigation of information system failure, and new methods that are information system
specific.
The opinions expressed in this volume are those of the participants and do not necessarily
represent those of any of the sponsors.
ACKNOWLEDGMENTS
The editors would like to acknowledge the work of those individuals whose untiring effort
and dedication to the Advanced Research Workshop made possible the publication of this
Proceedings. In a certain sense, each of them should have his or her name on the cover,
because without any one of them this volume would not exist.
For the success of the Workshop, we must thank our co-director, Dr. Gianni Casale. He
did all of the leg work and a significant amount of the coordination that was required to set up
and run a meeting of this magnitude. A very special thanks must be extended to Mrs. M.
Barbara Gibson, who handled the finances and acted as the general manager during the event.
Her business sense was a key reason for the successful operation of the Workshop. We also
owe a significant debt of gratitude to Dr. Mary C. Culver, who served as our technical writer
and editor to ensure the high quality of the Proceedings.
We want to thank Ms. Thelma Crum, Ms. Michele Ginley, Ms. Lisa Girty, and Mr. Mark
Wise for their technical support in getting the papers into the word processing system, and
especially Ms. Gerry Markle for her untiring work in processing and preparing the papers for
publication.
While our names are on the cover, we respectfully share whatever credit arises from this
volume with all of the above.
John A. Wise
Anthony Debons
EXECUTIVE SUMMARY
During the week of August 18-22, 1986, thirty-four scientists and interested participants
met in an Advanced Research Workshop to discuss the nature of information system failure
and to explore whether investigation methods are available that could provide understanding of
the nature of these failures and how they could be prevented. These methods, it was hoped,
could then be formalized as tools for investigating teams that would be asked to assess the
causes of a failure and how it could be prevented.
Several working groups were formed to address specific aspects of the topic: human
factors methodological issues, systemic issues, hardware-software, decision making, and
organizational aspects. The total workshop met in plenary session for open discussion of these
issues, and attendees then met in working groups to identify and detail technical aspects of the
issues. Presentation of papers was discouraged, but the workshop did entertain statements by
some of the participants, who presented their experiences, views, and suggestions in plenary
session.
WORKSHOP BACKGROUND
In proposing and conducting the Advanced Research Workshop, the directors were
motivated by three existing situations:
1. Contemporary events of considerable significance to national and public
welfare suggest that information was a significant force on the character and
outcome of each event (e.g., the Challenger shuttle accident, the
explosion at Bhopal). The need to explicate the role of information in these
events was deemed to be relevant to national and private interests.
2. Although the failure to respond to such events because of factors attributable
to the breakdown of information was explicit, the role of information as a
multi-faceted system phenomenon was not. The tendency of the accounts of
these events was to attribute the information breakdown to things (i.e.,
computers, humans, warning devices) and not to a process of the many
components that make up an information system. The Workshop Directors
were interested in learning whether (and if so, how) a mind set could
influence the understanding of an information system failure and thus negate
the possibility of establishing investigative procedures.
3. A disarming aspect of system failures that can be directly or hypothetically
linked to information failure is the lack of any accepted concept of an
information system. The ubiquity of the term "information" compounds the
difficulty inherent in the term "system."
A structure for an information system based on a physiological metaphor was proposed to
serve as a guidepost for the workshop in its attempt to assess the state of affairs in regard to
information system failure. The directors were interested in learning the usefulness of the
model in developing insight to current problems and in provoking research and study.
WORKSHOP POINTS OF EMPHASIS
The reports of the special working groups (included in this volume) serve to bring together
many of the technical statements contained in the papers prepared by the scientists who were
invited to present their views prior to the workshop. These statements can be summarized
briefly as follows:
1. There are several methods that can be applied directly to the investigation of
information system failure, some quantitative and some descriptive. In the
absence of any clear definition of an information system (and possibly the
inclination to resist the acceptance of such a definition), the tendency to
accept a component, such as a computer or a human, as the information
system itself rather than as part of the system becomes the focus of the failure
analysis. Some aspects of a component may be difficult to test because of
their nature (e.g., software) or changing structure, as pointed out by A.
Bilinski in this volume. However, among methods available in the rest of
the overall system, data flow analysis, which is the practice of system
analysis, is applicable. Simulation is suggested as an alternative to
operational testing and verification (see Ehrenberger and Yarman in this
volume). Diagnostic methods as part of expert systems development are
relevant within the contemporary interests of those engaged in research on
artificial intelligence (see Hollnagel).
2. The utilization component of the information system, i.e., the human, is a
key element in information system failure. As to conditions that precede
failure (pre-mortem), ergonomic considerations are explicit to the extent that
statistical data are available that indicate the predisposing factors of human
failure. Data on interpretive, analytical, and synthesizing capabilities
(cognitive element) are less available. Methods have been proposed,
however, that indicate ways of identifying these predisposing factors and
their containment (see Janis, Reason).
3. An often neglected but important element in information system functioning is
the organization in which the information system is encased. The
organization, which is itself an information system, embraces a multitude of
other information systems that aid in the achievement of objectives. In this
hierarchy of information systems, the information system at whatever level is
a source of power even to those individuals who themselves represent
information systems with desires and objectives.
These various information entities with related powers are all potential sources of failure.
For example, individuals in an organization can induce failure of other information systems in
the hierarchy (see Weiner, Conway). Centralization and decentralization of completed data
flow in an organization (top-down, bottom-up) as a system organizational philosophy can be
the stimulus for failure (see Westrum). Thus, any investigation of information system failure
needs to account for the rationality (and the related organizational culture or belief systems) of
those who direct the activities of an information system (see Westrum).
Each of these dimensions of the workshop is discussed in greater detail in the individual
concept papers prepared prior to the convening of the workshop and to a lesser degree in the
working group reports.
IMPLICATIONS FOR FUTURE RESEARCH
Were the aspirations of the directors met? Most certainly. But more important, what are
the implications for future research on information system failure? Several areas that need to be
studied are summarized below.
1. There is a tacit recognition that the concept of an information system favors a
reductionist component-oriented "mind set". Despite the power of analogic,
metaphorical applications (see Reason, Debons), the utility of such thinking
in the analysis of failure remains to be questioned. It is doubtful, however,
that information failure analysis can proceed without some standard by which
an information system can be conceived. In this connection, it would appear
that Janis' reference to Scriven's modus operandi deserves careful attention
in regard to "post mortem" analysis. Janis' pre-mortem analysis reference to
barometers could provide insight to the state of data flow throughout the
system and the likelihood of possible failure. These barometers can suggest
the state of the interaction between the components of the system and provide
concepts for system experimentation and simulation.
2. It appears that the life cycle for a system provides the basis for concepts
concerning the level of efficiency and effectiveness and the degradation of the
system. These concepts, at present, could be considered hypothetical and
need to be studied in detail.
3. Concerning the utilization of a human component in an information system,
the question should be raised of whether a taxonomy of human error (see
Empson) can be established for the cognitive domain. Within the Janis
(Scriven) framework of symptoms, perhaps both Reason's identification of
ergonomic factors and Yovits' drive to obtain a quantitative measure of
information can be integrated into a checklist for the containment of
information system failure.
Psychologists and ergonomists are eminently qualified to realize that a human
information system is not simply a matter of brain functioning but, on the
contrary, the interaction of emotion and effector subsystems in their total
functioning. Likewise, a human information system that is technologically
augmented brings sensor, transmission, processing, utilization, and transfer
functions within a concept that integrates the functions of these individual
components. Thus, an investigative checklist must explicitly recognize the
breakdown of cognitive factors influenced by the breakdown of the
respective subsystems.
4. The role of management in past incidents of system failure is clear (see
Mason). Understanding the role that centralization and decentralization of
data can play in these failures needs to be studied. Of critical importance is
the use of information systems by management to induce the destination of
their organization for their own purposes or for the purposes of others (see
Conway).
5. The documentation and centralization of data on information system failures
are important factors in the understanding and curtailment of such failures.
Study should be conducted on the resources presently available for this
purpose and on the advisability of establishing a centralized data base.
6. Investigations require individuals trained in careful observation and rational
thinking. Considering the important role these individuals play, research
should be conducted to identify the related background and skills required to
undertake the task of information system failure analysis (see Petrie).
7. Lastly, it remains to be established whether the investigative methods and
concepts be formally integrated in standards which allow for identifying and
preventing information system failure.
A final comment is in order to further highlight the importance of recognizing information
system failure. It can be surmised from the Tower Commission Report that many information
system issues, including President Reagan's management style and the decentralization of data
caused by the numerous individuals involved, contributed to the Iran weapons sale crisis in the
United States. It is significant to note that these are among the issues addressed by the authors
in this Proceedings.