How Complex Systems Fail
them.
The complexity of these systems makes it impossible for them to run without
multiple flaws being present. Because these are individually insufficient to
cause failure they are regarded as minor factors during operations. Eradication
of all latent failures is limited primarily by economic cost but also because it is
difficult before the fact to see how such failures might contribute to an
accident. The failures change constantly because of changing technology,
work organization, and efforts to eradicate failures.
5. Complex systems run in degraded mode.
A corollary to the preceding point is that complex systems run as broken
systems. The system continues to function because it contains so many
redundancies and because people can make it function, despite the presence
of many flaws. After-accident reviews nearly always note that the system has a
history of prior ‘proto-accidents’ that nearly generated catastrophe. Arguments
that these degraded conditions should have been recognized before the overt
accident are usually predicated on naïve notions of system performance.
System operations are dynamic, with components (organizational, human,
technical) failing and being replaced continuously.
6. Catastrophe is always just around the corner.
Complex systems possess potential for catastrophic failure. Human
practitioners are nearly always in close physical and temporal proximity to
these potential failures – disaster can occur at any time and in nearly any place.
The potential for catastrophic outcome is a hallmark of complex systems. It is
impossible to eliminate the potential for such catastrophic failure; the potential
for such failure is always present by the system’s own nature.
7. Post-accident attribution to a ‘root cause’ is fundamentally wrong.
Because overt failure requires multiple faults, there is no isolated ‘cause’ of an
accident. There are multiple contributors to accidents. Each of these is
necessarily insufficient in itself to create an accident. Only jointly are these
causes sufficient to create an accident. Indeed, it is the linking of these causes
together that creates the circumstances required for the accident. Thus, no
isolation of the ‘root cause’ of an accident is possible. The evaluations based
on such reasoning as ‘root cause’ do not reflect a technical understanding of
the nature of failure but rather the social, cultural need to blame specific,
localized forces or events for outcomes. 1
1 Anthropological field research provides the clearest demonstration of the social
construction of the notion of ‘cause’ (cf. Goldman L (1993), The Culture of
Coincidence: accident and absolute liability in Huli, New York: Clarendon Press; and
also Tasca L (1990), The Social Construction of Human Error, Unpublished doctoral
dissertation, Department of Sociology, State University of New York at Stonybrook)
resource for the most difficult or demanding production needs and (2) the
need to develop expertise for future use.
4. Change introduces new forms of failure.
The low rate of overt accidents in reliable systems may encourage changes,
especially the use of new technology, to decrease the number of low
consequence but high frequency failures. These changes may actually
create opportunities for new, low frequency but high consequence failures.
When new technologies are used to eliminate well understood system failures
or to gain high precision performance they often introduce new pathways to
large scale, catastrophic failures. Not uncommonly, these new, rare
catastrophes have even greater impact than those eliminated by the new
technology. These new forms of failure are difficult to see before the fact;
attention is paid mostly to the putative beneficial characteristics of the
changes. Because these new, high consequence accidents occur at a low rate,
multiple system changes may occur before an accident, making it hard to see
the contribution of technology to the failure.
5. Views of ‘cause’ limit the effectiveness of defenses against future events.
Post-accident remedies for “human error” are usually predicated on
obstructing activities that can “cause” accidents. These end-of-the-chain
measures do little to reduce the likelihood of further accidents. In fact, the
likelihood of an identical accident is already extraordinarily low because the
pattern of latent failures changes constantly. Instead of increasing safety, post-
accident remedies usually increase the coupling and complexity of the system.
This increases the potential number of latent failures and also makes the
detection and blocking of accident trajectories more difficult.
6. Safety is a characteristic of systems and not of their components.
Safety is an emergent property of systems; it does not reside in a person,
device or department of an organization or system. Safety cannot be
purchased or manufactured; it is not a feature that is separate from the other
components of the system. This means that safety cannot be manipulated like
a feedstock or raw material. The state of safety in any system is always
dynamic; continuous systemic change ensures that hazard and its management
5/8/25, 10:50 AM How Complex Systems Fail
https://how.complexsystems.fail 7/7