Perrow, Charles - Normal Accident Theory

The Structure of Concern Project compares many theoretical models from many disciplines to the Adizes PAEI model, arguing that they must all be reflecting the same underlying phenomenon. One concern structure model is described below.

Charles Perrow’s Normal Accident Theory is difficult to situate in this catalog because it is a sociological tool, a management tool and a systems analysis and design tool all in equal measure. His theory targets the intersection between complex technological systems and human management practices. Some specific targets of his analysis are high-risk enterprises using high-risk technologies, such as nuclear power plants, petrochemical plants, supertankers, major airport systems, hydroelectric dams and the like – systems with high catastrophic potential. However, in discussing what differentiates these systems from less risky systems, he creates a general typology of systems. This typology names dimensions that I believe lie near the core of the structure of concern (Perrow, 1999).

Perrow argues that there is a particular class of accidents that are normal, inevitable, and are often potentially disastrous. These occur in systems with many components, complex interconnections, strict dependencies and stringent performance conditions. In systems like this, it is computationally impossible to foresee all of the failures that might happen. One also cannot tell how failures might compound each other if two or more were to happen simultaneously. Between design limitations, equipment failures, procedural errors, operator error, problems in supplies and materials, and unknown variables in the environment (Perrow calls this set of considerations DEPOSE), there will always be unforeseen complications and unexpected contingencies. Plus when multiple factors combine to produce accidents in such systems, it will rarely if ever be possible to figure out what is going on in real time. Only post-mortem analysis will reveal the failure path.

Systems that are prone to normal accidents can be identified by their interactive complexity and the coupling relationships among their components. Interactions in a system (across all DEPOSE elements) can be linear or complex. For linear interactions, there is an expected sequence for events along the main causal pathways, and even if unexpected and unplanned events occur, they are immediately visible by the way they cause the system to deviate from its expected functions. Complex interactions occur in unfamiliar, unplanned, unexpected and unforeseeable sequences. Problems, flaws or failures in complex interactions are not visible, and often cannot be comprehended as they unfold. This is because there are multiple elements from across the DEPOSE system interacting simultaneously to produce unpredictable results during complex interactions.

One important source of complexity is called common-mode functioning. In complex systems, some components perform multiple functions (e.g. a wall both holds up the roof and keeps out the wind). This improves design economy, and it reduces certain kinds of complexity, but the failure of common-mode components will be more serious when they happen, bringing non-linearity into the system. A small initial accident that slightly damages a common-mode element can have huge unforeseen consequences, depending on what else is happening in the system. Cause and effect will not be proportionate.

Note that these observations apply to interactions within systems, rather than to systems themselves. Perrow asserts that linear interactions predominate in all systems, but some systems permit more complex interaction than others. Furthermore, complex interactions themselves are not necessarily likely to cause accidents. A second dimension must be considered, namely the tightness or looseness of coupling between the DEPOSE components or subsystems of the system. In tightly coupled systems, there is little or no slack or buffering between the various interconnected components. What happens to one component directly affects what happens to other components around it and connected to it. Chain-reactions or domino-effects happen easily in tightly coupled systems. Loosely coupled systems do have buffers and slack. Components have a certain amount of functional autonomy from each other. Systems characterized by both complex and tightly coupled interactions are prone to normal accidents.

Crossing the dimensions of interactive complexity and coupling give us four categories of interaction: linear tight, linear loose, complex tight, complex loose. This sequence of the four categories is in PAIE order, rather than PAEI order. However, PAIE order does match the account of the ecological underpinnings of concern structures developed earlier in this book, and it is the order I use for this summary of normal accident theory.

Interactive complexity and coupling have ramifications for organizational governance and structuring. Both linear interaction and tight coupling require centralized management structures, whereas complex interaction and loose coupling require decentralized structures. Both interactive and management issues are described below.

P – Linear Interaction, Loose Coupling: Either Centralized or Decentralized Authority
There are few complex interactions in this system. Failed components can be isolated and worked around, without drastically disrupting system function. Accidents can be remedied in either a top-down manner from a central authority or a bottom-up manner from the floor. The prevalence of either form of management in linear, loosely coupled system will be more determined by organizational culture than by their systems and technologies. Single-goal agencies of all descriptions fit within this category, including government agencies. Most manufacturing operations and construction projects also share these qualities. These organizations exist to get specific tasks done, and the manner in which they get done does not need to be rigorously specified.

A – Linear Interaction, Tight Coupling: Centralized Authority
Regularized internal environment, predictable and visible interactions, and invariant sequences. Improvised workarounds are not possible, but must be explicitly design into the system. There is little slack in the system, and delays disrupt the entire operation. Bottom-up local or improvisational solutions may put the entire system at risk, so managerial authority is centralized. Projects in this category include hydroelectric dams, power distribution grids, continuous processing plants and refineries, and rail or marine transport. Centralization, unambiguous and explicit orders and policies and rigorous adherence to procedures are needed.

I – Complex Interaction, Tight Coupling: Neither Centralized nor Decentralized Authority
The tight coupling of the system makes any failure very disruptive, so local solutions have the potential to bring the whole system to a halt if they compromise functional integration with the larger systemic context. This is amplified by the complexity of the system, with components in close proximity to each other, heavily interconnected with many common-mode elements, vertical and horizontal dependencies and unexpected feedback loops. Many of the problems in such systems are unforeseeable because of the combinatorial complexity of the systems. Given this complexity, a decentralized approach to management is suggested, so that those closest to each subsystem can undertake a slow, careful search of the failure to determine what went wrong and what to do about it. However, this conflicts with the need to manage the tight coupling of overall system function. The only way this can be accommodated is for each unit to have a strong sense of the overall purpose of the system, as well as their own place in the system, and their responsibilities to other activity groups. That way they can be creative in the ways they make their needed contribution to overall system function.

E – Complex Interaction, Loose Coupling: Decentralized Authority
Complex interactions, with many control parameters and unplanned behaviors, require management by a network of operators each with some local expertise, particularly since troubleshooting will often be diagnostic and based on inference rather than straightforward observation. Furthermore, since the system is loosely coupled, there is some slack and some room to manoeuvre. Local ingenuity in finding substitutions and alternative pathways will not necessarily disrupt the whole system, and may improve it. Research and development organizations, universities and multi-goal agencies exhibit this kind of loose structure with distributed local authority. This permits the kind of local autonomy that encourages the development of innovations.

The greatest management challenge exists for tightly coupled complex systems with complex interactions, and these have the greatest normal accident potential as well. When a tightly coupled system has become complex, efforts must be made to reduce both coupling and complexity if possible. One way to accomplish this in management and technology is to use the same strategy used by human working memory – chunking. Tightly coupled elements can be integrated at a higher level of organization, through technology or the redefinition of certain activities. This chunking can make it quicker and easier for more people to exercise the coupled function. Perrow gives the example of air traffic control, and the development from early radio contact technologies to radar technologies and finally to transponders. This development took a multifaceted radio communications task and reduced it to an ‘at-a-glance’ representation of all needed information on a screen. By increasing the tight coupling of the linear interactions producing that information, the complexity of interaction managed by each individual operator went down. Also, by segregating traffic into types (commercial, military, small aircraft, etc) and assigning air corridors and altitudes by type, linearity was increased and the complexity of interaction decreased.

By reorganizing coupling, technologies release either operator time and attention, or restrictions on place of operation, or restrictions on the people who can operate that process. This can allow for a reassignment of roles. Within each new function, there may be tighter coupling and more linear interactions, but across the whole network there may be some loosening of coupling and encapsulation of function, pushing the system a bit closer towards a more manageable state. Object-oriented programming represents this kind of organizational development, relative to the procedural programming it has supplanted for certain tasks. To the degree to which programs must be complex, object-oriented programming loosens the coupling between encoded objects through encapsulation. To the degree to which programs must be tightly coupled, object-orientation shields the main program (as the higher level of the chunk) from some of the complexity of the overall code package (classes and objects on the lower level of the chunk). By chunking between levels of complexity and then integrating the resulting chunks, larger systems can be integrated in ways that manage the combined challenges of tight coupling and complexity.

This is central to the structure of concern:

P – In ecosystems, under r-selection conditions, loosely coupled, linear reactions produce the shortest energy-reduction pathways.

A – Under density conditions, larger, more centralized organizations with tighter coupling are more efficient at maximizing the reduction of resources that have become more scarce or patchy in time and space. However, there is an upper limit to the amount of complexity such a centralized system can manage. Fixes, workarounds, updates and expansions all increase the complexity of the system, until the single-system management strategy breaks apart.

I – A complex re-parcelling of the system is needed. Local autonomy must be balanced with global systemic integration. Local systems, organizing themselves to maximize their own reduction efficiency, also enhance the reductive capacity of the overall or global system by improving the efficiency of their input-output transactions with other nodes in the system.

E – When a community is in a climax condition, when further improvements in both independent and interdependent reduction efficiency provide diminishing returns, only an innovation can produce further appreciable enhancements. For this to happen there must be some loosening of coupling between system elements. Elements that can free themselves for some “evolutionary playtime” can produce this novelty. Novelty is often disruptive to the existing order, prompting the re-establishment of a new or altered overall system.

1. Perrow, C. (1999). Normal Accidents: Living With High-Risk Technologies. Princeton, New Jersey: Princeton University Press.
Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License