hci & safety critical systems lynne hall. overview zwhat are safety critical systems zwhy use...
TRANSCRIPT
HCI & Safety Critical Systems
Lynne Hall
Overview
What are safety critical systemsWhy use softwareCausationThe fallacy of human errorDesigning a good operator interfaceExample: Night Order Book
Introduction
Incorporation of computers into potentially dangerous systems
Use of computers for control functionsComputers now control most safety
critical devicesOften replace traditional hardware
safety interlocks and protection systems
Safety Critical Systems
Process Supervision and Control power stations electricity networks chemical sector
Health life support systems
Transport Aviation / Space Ground Transport
Tornado F3 cockpit
Taken from: http://www.ptvideo.com/videos/Aviation/cockpit.html
Telerobotic System
Taken from: http://www.cse.dmu.ac.uk/~arg/tmmi/interface.html
Defence Sector
Taken from: http://www.army-technology.com/contractors/computers/orbit/index.html
Control Rooms (ATC)
Taken from: http://www.wild-designs.demon.co.uk/ccd.htm
Industrial Processes
Inherently riskyRisk compounded by:
practicalities of plant maintenance need for incremental improvements to
technology infrastructureEconomic loss through downtimeFailure can result in injury or death
Characteristics
Exceptionally complex Hundreds of thousands of lines of code multiple pathways
Embedded systems hidden from user
OpaqueHigh information overload potentialDubious position of operator
Some scarey facts
One error in every 50 lines of code safety critical systems 100,000 + lines Ariane 5 - missing full stop…
Impossible to test integrity of safety-critical systems until they are put into real world
Impact of failure can be catastrophic: 200,000 people injured in Bhopal
Examples
Ariane 5ChernobylChallengerUnion Carbide chemical plant (Bhopal)Three Mile IslandBig One Rollercoaster (Blackpool)Channel Tunnel FireTexaco Oil Refinery
Why not to use software
Automation can result in tedium De-skilling Lowered reaction times
Possible paths in software so extensive that they cannot be tested
Why use software
Automate safety critical process Continual monitoring of processGive guidance to user in a safety critical
processProvision of advanced warningGrowing complexity of new systems
requires the use of software
The Scapegoat - Human Error
75% of aviation accidents caused by mistake made by one of cabin crew
Inadequate design can place operator in situation where error is inevitable or at least very likely
Contribution operator can make to design of safety critical systems may be undervalued and underused
Why do errors happen
Multi-level model Failings in social context
management and safety culturetraining and awareness
Cognitive level errors in human decision makingtrainingtask design
Design errors at interfacenot the user’s fault
“Windows of Opportunity” for Human Error
Failure of human responsibilitiesEffect of unexpected hw/sw failureDealing with rare eventsLevel of user knowledgeCognitive workloadUtility and Usability
Design of good operator interface
System design requires understanding of strengths and weaknesses which humans display under operational conditions
Soft facts can be very important LIFETRACK project information that underpins communication communication structures stakeholders training (and not just in-house)
Designing the Operator Interface
Not a last minute taskNot just concerned with superficial factors
such as layout and displaysReaches deep into requirements and
design processesConcerned with what should be automated
and how this should be automated (and if..)Social, psychological and technical issues
IEC 61508
Function safety of electrical / electronic / programmable electronic safety-related systems
Recognises need for human factorsStandardNot very explicitIntegrates human factors in development
process
Night Order Book
Context: Chemical PlantProduced daily by technical supervisorMultiple paper copies distributed to
night shiftAllows day shift to inform night shift of
important process facts and developments
Why move to computer based
Delivery delaysData loss and confusionClutterData access limitationsNo or limited access to past knowledge
Operator Requirements
FastUncluttered, consistent, “known,”
interface styleImportant information readily available
in an at-a-glance formatLarge buttons Avoidance of pull-down menus
Operator Requirements 2
Avoidance of excessive typingUse of keyboard rather than mouseFew basic queries should support all
requestsInformation access should be achieved
with minimum number of actionsAuthorised input onlyData security
Summary
Safety-critical systems rely on the use of computing hardware and software
Need to include human factors throughout lifecycle of safety-critical systems
HCI for safety-critical systems is essential for appropriate work support
Display and lay out of interface must be rigorously tested and evaluated