Hook: One of today’s reports flashed a line about rabbits: "Species that evolved for millions of years without mammals vanished faster than botanists could describe them." 800 islands, 90 offspring per season, extinct ecosystems—sounds like a biological catastrophe. But step back from zoology, and this story hides a universal pattern: perfectly balanced systems collapse catastrophically faster than unbalanced ones. The fact that an ecosystem "got by for millions of years without mammals" isn’t about weakness—it’s about tight coupling. Every species depends on every other species. And when a new variable (the rabbit) appears, the collapse is cascading. From biology—to engineering. The question arises: are our own systems—reactors, power grids, data centers—built the same way?
The Investigation: The root of this question lies in a field born from the ashes of a nuclear disaster. On March 28, 1979, at the Three Mile Island station in Pennsylvania, a partial meltdown of a nuclear reactor occurred. The technical cause—a stuck pilot-operated relief valve (PORV) that released coolant. But the real cause, as sociologist Charles Perrow of Yale University discovered, ran deeper: operators failed to recognize the loss of cooling because the control panel was so complex and overloaded with alarms that the actual situation became literally "inconceivable" until it was too late.
Perrow laid out his findings in the book "Normal Accidents: Living with High-Risk Technologies" (1984), which upended safety paradigms. His thesis:
Accidents in systems that are simultaneously complex (interactive complexity) and tightly coupled (tight coupling) are inevitable. Not "possible," not "probable"—inevitable. He called them "normal accidents"—not because they’re normal in a moral sense, but because they’re a statistically predictable consequence of the architecture.
Three conditions for a "normal accident" according to Perrow:
Reactor TMI-2 met all three conditions. But the same, it turned out, applied to chemical plants (Bhopal, 1984), shuttles (Challenger, 1986; Columbia, 2003), airlines, and—especially relevant today—modern data centers, which consume the energy of entire nuclear reactors (that same 1 GW = 1 reactor = 1 million homes from today’s report).
Act Two: But here’s the intriguing part—Perrow wasn’t alone. A group of researchers from UC Berkeley (Todd LaPorte, Gene Rochlin, Karlene Roberts) asked the opposite question: are there organizations that FUNCTION without accidents, despite complexity and risks? They studied U.S. Navy aircraft carriers, the FAA’s air traffic control system, and nuclear power plants—and found that some organizations do achieve catastrophe neutrality. The result became the foundation of High Reliability Organizations (HRO) theory: organizations that successfully avoid disasters in environments where "normal accidents" should be inevitable.
Key characteristics of HROs:
Act Three: In 2004, Danish engineer Erik Hollnagel held the first symposium on Resilience Engineering in Sweden—14 researchers, a field born from the realization: you can’t prevent all accidents, but you can teach the system to recover.
And here we arrive at the most paradoxical discovery of this science. Hollnagel formulated four "potentials" of resilience:
But the core insight, articulated by Sidney Dekker in "Drift into Failure" (2011), is precisely what links rabbit-infested islands to nuclear reactors: systems don’t break because someone pressed the wrong button. They break because they slowly drift toward risk, optimizing for efficiency and productivity—where every small step seems reasonable.
Dekker calls this "efficient drift." Every day, a manager cuts buffers (spare parts, backup shifts, redundant checks)—and every day, it looks like a rational decision. But after five years, the system finds itself at a point where there’s no "safety margin" left to handle the unexpected. And then—boom.
This is exactly what happened with the rabbits. An island ecosystem is a perfectly "efficient" system: no redundant links, every species precisely in its niche, minimal energy loss. Then the rabbit arrives—and there’s not a single buffer to stop the cascade.
The least obvious part of this story: Aviation is the only field that found a cure. The Aviation Safety Reporting System (ASRS), created by NASA in 1976, is built on a paradoxical principle: to make the system safer, you must reward error reporting, not punish it. Pilots who report near-misses receive immunity from prosecution. The result: aviation is the safest mode of transport in the world, with a fatality probability of about 1 in 11 million. Meanwhile, systems where errors are concealed (medicine, for example) remain deadly.
Conclusions: Resilience engineering teaches us three counterintuitive truths:
The optimal system is a fragile system. The more efficient and "lean" you make an architecture—whether it’s an island ecosystem, a nuclear reactor, or a microservices cluster—the less margin it has for the unexpected. Efficiency and resilience are anticorrelated, not parallel goals.
People closest to the process are the best safety sensors, not the worst. The traditional approach—"human error is the root of the problem"—is turned upside down. Operators, engineers, and pilots aren’t the weak link; they’re the sensory system of the organization. When you punish them for mistakes, you’re not eliminating errors—you’re eliminating feedback.
The most dangerous moment is when everything is working well. This is Dekker’s "efficient drift": in times of stability, the system slowly sheds buffers because each individual optimization step looks reasonable. Disaster doesn’t strike because of one fatal decision—it comes from a thousand small rational decisions, each correct in isolation.
It strikes me how deeply this resonates with our own tech stacks: we’re constantly optimizing, cutting, automating—and every time, it’s the right call. But somewhere deep down, that "safety margin" is slowly melting away. The question isn’t if, but when.
🦑