Human Error, Safety, and System Development
Next Meetings:
21st European Annual Conference on Human Decision Making and Control
Workshop on the Investigation and Reporting of Incidents and Accidents
Past Proceedings:
1997, Glasgow.
1998, Seattle.
1999, Liege.
2001, Linkoping.
Aims
This working group aims to support practitioners, regulators and researchers to develop leading edge techniques in hazard analysis and the safety engineering of computer-based systems. Particular emphasis will be on the role of human error both in the development and in the operation of complex processes and on techniques that can be easily integrated into existing system engineering practices. Specifically, the aims are:
• to provide a framework for studying human factors that relate to systems failure;
• to provide a forum for practitioners, regulators and researchers interested in the ‘human contribution’ to major accidents and incidents;
• to identify leading edge techniques for the development of safety-critical interactive systems and integrate them with existing systems engineering techniques;
• to support and guide international accreditation activities in the area of safety-critical systems.
Scope
To build on existing work in IFIP member countries in the following areas:
• techniques for analysing human, managerial and organisational factors that relate to the occurrence of accidents;
• the integration of human factors concerns into risk analysis and assessment;
• the integration of human factors concerns into systems engineering techniques for safety-critical systems development;
• the ergonomics of human-computer interaction with safety-critical applications;
• the role of human error both in the development and in the operation of complex processes.
Officers:
Chairman: Prof. Chris Johnson, University of Glasgow, UK
Secretary: Prof. Philippe Palanque, University of Toulouse
Proposed Activities:
1. A continuing series of annual workshops.
These will be working conferences where attendance will be restricted to fewer than 100 but all submissions will be rigorously reviewed. A continuing aim of these meetings will be to provide a common forum for academics, commercial and regulatory organisations. The sensitive nature of much safety-critical work makes this scale of meeting more appropriate in the short term. In the medium or longer term it may be appropriate to expand the scale of our meetings.
2. The provision and development of electronic media.
One of the greatest needs in this area at the moment is for an information-interchange facility where practitioners and researchers can match existing skills to known problems. The working group would establish a web site and database of resources - primarily by integrating the existing resources of the working group members. Both governmental and commercial support should be forthcoming for this.
Background:
Recent accidents in a range of industries have increased concern over the management and control of safety-critical systems. Although we have developed techniques to cope with failures in individual components, it has proven far more difficult to predict and prevent accidents that are caused by an interaction between component failure, system-level complexity and human-machine intervention.
There are two reasons why it is important for HCI researchers to become involved in the development and operation of safety-critical systems:
1. Operator ‘error’ causes or exacerbates most major accidents.
There is a large and expanding body of research that applies HCI techniques to analyse the causes of human ‘failure’. Rasmussen and Vicente's work on ecological interface design has provided valuable insights into the wider factors that lead to loss of life and equipment. Their work both mirrors and has had a large impact upon ‘mainstream’ HCI research into the context of interaction. Others have taken techniques from HCI and extended them to help reduce the potential for error in future systems. For example, Chris Mitchell has extended general cognitive modelling techniques to support operator ‘trouble-shooting’ by inferring intentions.
2. Designer ‘error’ often creates the conditions or precursors for those operator errors.
HCI has long been interested in techniques that reduce the likelihood of human error in the design and implementation of complex systems. For instance, TC.13 has had a strong influence on the psychology of programming through successive sessions at the INTERACT conference. This lead has been taken up, more recently, by key researchers within systems and software engineering. For example, Nancy Leveson has developed a range of design techniques that are intended to reduce the likelihood of error during the specification and certification of complex systems. She has also analysed the ways in which present development practices might cause subsequent problems for the users of safety-critical systems.
There are a number of lesser reasons why the field of HCI ought to offer more direct support to the development and operation of safety-critical, interactive systems. Not the least of these is that both governmental and commercial organisations are appealing to research institutions to provide advice and guidance in this area. With successive accidents being blamed on ‘operator error’, they are being urged by public pressure to treat these topics seriously. As a result there are numerous national initiatives in this area but little international integration. This creates considerable problems for the dissemination of research results and for the coordination of research activities. Further problems arise because many initiatives relate to specific industries. The findings of research into nuclear safety rarely reach interface designers within major aircraft manufacturers. This is significant because many interaction problems cross these industry divisions. All of these problems could be addressed by the formation of an international Working Group under the auspices of IFIP (WG13.5).
This proposal is supported by a series of workshops that Nancy Leveson (MIT), Chris Johnson (University of Glasgow), Veronique de Keyser (Liege) and Philippe Palanque (Univ. of Toulouse) have run over the last four years. The first was held in Glasgow in March 1997. The proceedings have been developed into two special editions of Elsevier's Interacting with Computers. Attendance was limited to 50 participants but the meeting was considerably over-subscribed. We had delegates from eight countries and from companies (Boeing, Daimler-Benz, GEC-Marconi), regulatory authorities (the US Federal Aviation Authority, Eurocontrol, UK Health and Safety Executive) and academic institutions (Bielefeld, Eindhoven, Stockholm, Toulouse, Washington, York).
The second of these workshops was held in Seattle, USA, 1-2 April 1998 and was jointly hosted by Battelle Research and the University of Washington. The programme committee for this meeting forms the list of suggested members for WG13.5. Over sixty participants from eight countries attended; just under half were from commercial or regulatory organisations. Keynote speakers included Earl Weener, Head of Safety Engineering at Boeing, and Nadine Sarter, University of Illinois. Papers addressed topics ranging from revised safety management techniques in Ontario Hydro to cognitive complexity of pilot-autopilot interaction in the Boeing 737-EFIS. Other papers addressed more theoretical issues concerned with task prioritisation errors and strategic planning in safety-critical interaction.
IFIP working group status will provide mutual benefits both to the researchers who are already active in this area and to IFIP as a whole. By providing working group status, IFIP will help to support the issues and concerns voiced in the previous paragraphs. The role of human error both in systems development and in systems operation is of international importance. Its impact is felt in the developed and in the developing world. Both the United Nations and NATO have identified human error in systems development as a key strategic issue that both affects economic competitiveness and has vital consequences for ecological protection.
IFIP working group structure will provide us with a framework for the informal managerial and organisational arrangements that have grown up around the workshops. It will provide links to existing IFIP working groups and this is important because our aims are inherently inter-disciplinary.