Introduction:A New Perspective On The Dependability Of Software Systems - Graham Button

Chapter 1: When a bed is not a bed: Calculation and Calculability in Complex Organizational Settings - Karen Clarke, John Hughes, Mark Rouncefield, Terry Hemmings

In this chapter we present instances of how organisational knowledge is constructed, collected and used in a range of complex organisational settings, including a large hospital trust in the North of England, a steel production plant and a car manufacturer. Our main concern here is to focus upon how representational artefacts of organisational activities and 'states of play' are oriented to in the everyday work of staff in these settings. For example, we focus on the situated character of the representational artefact - a 'beds board'- and the system of calculability that it affords in the hospital setting. Our view is that such representations must be understood as embedded within the practicalities of the setting, and that any assumed benefits of replacing existing systems must be carefully considered.

Chapter 2: Enterprise modeling based on responsibility - John Dobson with David Martin

Trust and responsibility are closely related concepts. If I trust someone to do something, then I have implicitly given them a responsibility to do it. failure to carry out such a responsibility is a breach of trust - and trust, once broken, is not easy to repair. In the design of information systems for use in organisations, it is important to establish the patterns of trust and responsibility that exist in the organisation, since these patterns tend to get inscribed in the system. It is a common enough observation that information systems that do not match the patterns of trust and responsibility in an organisation are not well received by their users. Making models of these patterns is an important way for the system architect to reflect them in the structure of the system, for where there are no models, there is no understanding. So in describing one particular method of modelling responsibilities in an organisation -a method that is one example of what is generically called 'enterprise modelling'- we are providing the system architect with a way of understanding, and therefore enabling to make explicit, the implicit patterns of trust and responsibility that structure all human organisations.

Chapter 3: Standardization, Trust and Dependability - Gillian Hardstone, Luciana d'Adderio and Robin Williams

How is an information system made, or how does it become seen as 'trustworthy' and hence dependable? And how trustworthy is the information entered into that system? These questions become particularly acute where users of a system are geographically distant from each other; or where there is cognitive and substantive distance between their domains of knowledge; or where the knowledge and practice of one community have not been fully articulated, and are hence considered less significant or more remote from the everyday concerns of another community. All these situations raise socio-technical issues of trust, or its absence.

One answer suggested by the literature to the issues of dependability highlighted above would appear to lie in a certain level of standardization of information structures and organization practice in order to facilitate control and co-ordination at a distance. However, our empirical material illustrates that standardization intended to increase trust can itself create or reveal system undependabilities, thereby compromising organizational and professional trust and discretion. The questions then concern what level or type of standardization may be deemed workable or desirable, in order to create more dependable products, processes or systems. Since local work groups (communities of practice) tend to articulate their own systems of meaning, including information systems, around their particular context, practices and purposes, does standardization imply or result in the privileging of or support for some groups - and their ways of thinking, doing and recording - over others. Does standardization force other groups to align their practices with those embedded in standardized information system procedures, or compel them to perform a continual translation process between domains? This raises questions about the costs as well as the benefits of standardization.

The chapter presents three case studies of moves towards standardization within organizations: two from manufacturing industry (ComputerCo and MotorCo) and one from public sector primary healthcare (NHS Urban). These demonstrate different types and degrees of standardization, whether of products, processes, practice and terminology, forms of knowledge or social relations, to point up a variety of possible organizational approaches and outcomes. Combining insights from the empirical material with sociological studies of standardization we reflect upon the implications for the development and implementation of more dependable computer-based systems. We conclude that organizational processes of standardization are more negotiable than formalist approaches assume. Conversely standardization processes are not as open as many accounts that foreground the contingent nature of local adaptation and translation processes suggest. We demonstrate that in practice, levels and types of informational and operational standardization vary widely between and within organizations, and can be related to organizational control and co-ordination strategies.

Chapter 4: 'Its About Time': Temporal Features of Dependability - Karen Clarke, John Hughes, Dave Martin, Mark Rouncefield, Ian Sommerville; Alexander Vo�, Rob Procter, Roger Slack and Mark Hartswood

This chapter uses our empirical studies on organisational culture and trust to examine issues of timeliness as a feature of dependability. It begins by considering some of the classical sociological approaches to time and temporality such as Marx, Mauss, Simmel's work on time, trust and expectation as well as (and in rather more detail) more recent treatments of time such as Adam. Other recent accounts that impact on our work are Garfinkel's notion of trust as the routine operation of background expectancies, part of which relates to 'timeliness' and the work of Mumford (1963) on temporal regularity and Zerubavel (1985) on temporal rhythms. In 'Technics and Civilisation', Mumford (1963) suggests that "The first characteristic of modern machine civilization is its temporal regularity" (Mumford 1963: 269) involving the structuring of social life by forcing activities into fairly rigid temporal patterns. Mumford identifies four major forms of temporal regularity - regular patterns of associating social events and activities - rigid sequential structures, fixed durations, standard temporal locations, and uniform rates of recurrence, stressing the fact that these often constitute binding normative prescriptions. This notion of recurrence of temporal patterns is also found in Zerubavel's (1985) work on 'temporal rhythms in hospital settings: "The world in which we live is a fairly structured place. Even the most casual glance at our environment would already reveal a certain degree of orderliness. One of the fundamental parameters of this orderliness is time - there are numerous temporal patterns around us" (Zerubavel 1985: 1)

The relevance of rhythms in everyday working life is that they orient members towards likely future activities and information needs in the course of doing their work. Current activities are crafted with an orientation towards expectations of future events. Although these rhythms are a feature of the daily work they are not unchanging or unchangeable but are affected by unexpected occurrences. As Dourish & Reddy (2002) suggest, while work rhythms provide information to help people accomplish their work and guide future activities, they can also pose challenges to the coordination of work. "Medical practitioners must continually balance and integrate medical and organizational information in decision-making; that the processes of seeking and providing information are seamlessly interwoven with other working activities; and that they are coordinated in part through the set of working rhythms that provide a resource to interpret and manage work". Different work rhythms can conflict with each other - nurses and physicians for example that can produce different expectations about the availability of information. Issues of timeliness are pervasive in all aspects of the design and deployment of computer-based systems The focus of this chapter is on issues of time and timeliness as instantiated in our empirical studies of everyday work - how time is woven into organisational culture. Our interest is in discovering and demonstrating how temporal patterns - rhythms and trajectories - provide individuals with a resource for seeking, providing, and managing information in the course of their everyday work and the implications these findings have for the design and deployment of dependable socio-technical systems.

Our empirical, ethnographic studies of organizational work in DIRC have highlighted a number of facets of timeliness that we will draw upon in our analysis. In our studies of road safety engineers, for example, aspects of time - such as the time of day, the day of the week and the month of the year were all seen as crucial in both understanding and providing viable solutions to road traffic accidents. Our studies of hospital work - staff handover, bed management and process modeling and mapping - illustrate some of the timely features of patient admission, treatment and discharge. In steelmaking and the rolling of steel plate timeliness becomes a central feature of awareness and coordination of the working division of labour. Finally, our studies of engine manufacture highlight mundane issues of timeliness within 'just-in-time' production. This enables us to conclude by reflecting on aspects of time and 'technomethodology'. For if an aim of technomethodology was to make technology accountable - able to provide an account of its behaviour; any such account must necessarily include making technology take account of temporal aspects of human interaction and work by building timeliness into the socio-technical system.

Chapter 5: Explicating Failure - Karen Clarke, Dave Martin, Mark Rouncefield, Ian Sommerville; Alexander Voss, Corin Gurr, Rob Procter, Roger Slack, Mark Hartswood

This chapter examines issues of 'failure' and organisational culture by outlining and documenting some of the problems involved in defining and measuring 'failure'. When defined as "the ability to deliver service that can justifiably be trusted" - dependability has a number of attributes. These include: availability (readiness for correct service); reliability (continuity of correct service); safety (absence of catastrophic consequences); integrity (absence of improper system state alterations); maintainability (ability to undergo repairs) and more. But as we consider broader, socio-technical, notions of "system", the ability to achieve a clear and documented understanding of the intended service of the system - and hence some view of dependability - becomes increasingly difficult. Once we start taking into account the actual practice of a socio-technical system rather than any idealisation of it, it seems increasingly difficult to determine with sufficient precision what is meant by the "service" the system offers. Thus it also becomes difficult to determine what is meant by a "failure" of that service, and thus what is meant by "dependability" in this broader context.

In these circumstances we may need to broaden our understanding of what dependability means beyond the simple "absence of failure", particularly if we consider 'quality of service' to develop a more nuanced notion of 'dependable systems'. As computer-based systems become more complex and organisationally embedded, so the challenges of dependability - of building systems involving complex interactions amongst computers and humans - increase. In these systems, failure, or lack of dependability, can result in financial or human loss and, consequently, improved means of specifying, designing, assessing, deploying and maintaining complex computer-based systems would seem of crucial importance. Much of the work on dependability has necessarily, and naturally, focused on massive, extraordinary, public failures such as the London Ambulance Service failure of 1992, the space shuttle catastrophe of 1986, or the Ladbroke Grove train disaster of 1999.

This chapter begins however, by being concerned with rather more ordinary, everyday instances of dependability and failure. Instances of undependability in many settings are not normally catastrophic, but are rather mundane events that occasion situated practical (as opposed to legal) inquiry and repair. Dependability can then be seen as being the outcome of people's everyday, coordinated, practical actions. Workers draw on more or less dependable artefacts and structures as a resources for their work of achieving overall dependable results in the work they are doing (Vo� et al., 2002; Clarke et al., 2002).

Chapter 6: Patterns for dependable design - David Martin, Mark Rouncefield and Ian Sommerville

Patterns of Cooperative Interaction are regularities in the organisation of work, activity, and interaction. These patterns are organised around a framework and are inspired by how such regularities are highlighted in ethnomethodologically-informed ethnographic studies of work and technology. They comprise a high level description and two or more comparable examples drawn from specific studies. Our contention is that these patterns form a useful resource for re-using findings from previous field studies for enabling analysis and considering design in new settings. Previous work on the relationship between ethnomethodology and design has been concerned primarily in providing presentation frameworks and mechanisms, practical advice, schematisations of the ethnomethodologist's role, different possibilities of input at different stages in development, and various conceptualisations of the relationship between study and design. In contrast, this paper seeks to firstly discuss the position of patterns relative to emergent major topics of interest of these studies. Subsequently it seeks to describe the case for the collection of patterns based on findings, their comparison across studies and their general implications for design problems, rather than the concerns of practical and methodological interest outlined in the other work. Special attention is paid to our evaluations and to how they inform how the patterns collection may be read, used and contributed to. The chapter finishes, with a discussion of how our Patterns relate to organizational culture and dependability and trust.

Chapter 7: Dependability and Trust in Organizational and Domestic Computer Systems - Ian Sommerville, Guy Dewsbury, Karen Clarke, Mark Rouncefield

Organisational systems are designed for a specific purpose, support known and defined processes and their use is controlled by the organisation. In this context, when we consider the issue of what is meant by a 'trusted' computer system, we argue that a technical view of trust is appropriate. A system is trusted if it correctly provides the services that it has been designed to deliver and is available for service when required. Because both the operators and the computer system are within the organisation then issues such as the provenance of the system are disregarded in assessing its trustworthiness. Furthermore, as far as external users of the system are concerned, their access is mediated by a human operator so there is no direct trust relationship between the external user and the computer system. Therefore, for systems that have a clear role in organisational socio-technical processes, the primary trust relationship is between the operator and the computer system and the dominant factor in that trust is the dependability of the system. We discuss the notion of dependability in the following section but, essentially, you can think of it as an amalgam of other system properties such as system availability, security, reliability, etc. More broadly, however, when we consider socio-technical systems that are not entirely situated within an organisation then trust is, of course, far more than a technical issue. It reflects the user's confidence that the system will do what they want (whether or not this has been specified by the system designers) and that it will not cause damage that results in losses of time, information, money, etc. to the user.

The degree of trust that an external user has in a system depends on factors such as previous experience with comparable systems, the provider's reputation, the existence of external sanctions on the system provider if they fail to deliver services and the price paid. It also reflects the degree of risk taken by the user in that people are more willing to trust a system where the exposure to loss is relatively low and legal factors such as the existence of regulators and compensation bodies. In this chapter, we will not be concerned with these broader issues of trust but, rather, will focus on trust from a technical perspective. However, we will argue that, for systems where the use of defined operational processes cannot be guaranteed or where users can choose whether or not to use the system, there is a need to extend the technical view of dependability to cover broader issues of fitness for purpose and adaptability as well as more traditional properties such as system reliability and availability.

The remainder of the chapter therefore includes four principal sections. Firstly, we discuss the currently accepted technical model of system dependability as applied to organisational systems. We then go on to critique this model and propose a broader model of system dependability that incorporates this model but which extends it to be applicable to domestic and discretionary systems - workplace systems where users have a choice whether or not to make use of them. Finally, we propose ways in which this model may be used in the design process for domestic and discretionary systems.

Chapter 8: Understanding and Supporting Dependability as Ordinary Action - Alexander Vo�, Rob Procter, Roger Slack, Mark Hartswood and Mark Rouncefield

In this chapter we are concerned with the ways in which people within organisations experience dependability, how dependability is routinely achieved through 'ordinary action', and what this could mean for the design, development and implementation of dependable IT systems. Our programme of investigation into these matters has a number of related threads, which we will address in turn. First, we are interested in the in-vivo work of living with systems that are more or less reliable and the practices that this being 'more or less dependable' occasions. The situated practical actions of living with systems (e.g., workarounds and so on) are important to us in that they show how society membersi experience dependability as a practical, day-to-day matter.

In particular, we seek to explicate what dependability means in an everyday language sense, and to provide an analysis of the ways in which systems come to be seen as dependable and the work members are called upon to perform to make them more or less dependable. This is not intended as a remedy or corrective to 'professional' uses of dependability, but to demonstrate the value for IT professionals of looking at what, following Livingston, we call the 'lived work' of working with more or less dependable systems. By this we meaning attending to the 'what is this?', 'what to do?' and 'what to do next?' of practical problem solving; it draws our attention to the nature of candidate solutions and the fact that not just anything will do.

To illustrate how dependability is realised in and as a part of members' ordinary actions - the 'routine' but nevertheless skilful responses to both expected and unexpected problems - we draw on material from an ethnographic study of control room work and IT systems implementation in a manufacturing plant. Instances of undependability in this setting are quite frequentbut are not normally catastrophic. Rather, they are 'normal, natural troubles' that occasion situated, practical investigation and repair. This is in contrast to much of the extant literature, which has focused on dependability issues as fatal issues, e.g., studies of such cases as the London Ambulance Service or Therac-25. The first part of our study points to some of the worldly contingencies of production management that control room workers routinely deal with as a part of their work.

In particular, we show how the practical implementation of a production plan is a production worker's formulation, produced in response to issues concerning the 'local logics' of day-to-day production management. By this we mean to emphasise the dynamic yet situated nature of knowledge and plans, the 'minor actions, minor decisions and minor changes'í upon which the organisation rides. Our findings lead us to support the argument that the implementation of plans is always a practical and situated activity, the character of which emerges in action. This view emphasises the incompleteness of knowledge and the set of circumstances - more or less intended, arbitrary, uncontrolled or unanticipated - which affect action. In the second part of our study, having looked at the use of IT systems and related practices in the control room, we turn to the implementation of these systems and their configuration in what constitutes the socio-material basis for production work. Here, the day-to-day activities of the plant's own IT staff come to the fore.

The case study material shows how their work is closely related to production work and how dependability of the overall production process is a concern shared by IT and non-IT professionals in the plant. As in the case of the control room workers, one might say that the activities of the plant's IT staff are situated and that for them, too, dependability is a contexted matter. We conclude by considering how the understanding gained from witnessing at first hand members' experience of dependability as a practical, day-to-day matter might be taken up and applied more widely to the design, development and implementation of dependable IT systems. In particular, we point to the problem of the 'design fallacy', the assumption that more dependable IT systems can be achieved by more sophisticated processes of a priori requirements analysis and design. Instead, we propose co-realisation as an approach to building highly dependable, work affording artefacts, which is based upon creating a shared practice between IT professionals and system users that is set within the context of use [7].

Chapter 9: The DIRC project as the context of this book - Cliff B Jones

This and the related notion of membership point to the skills people have, what they know and do competently in a particular setting. In this usage we also stress mundane, banal competence as opposed to professionalised conduct.