2 Estimated number of “human errors”
The diagram shows the attribution of “human errors” as causes, which may be different from the contribution of “human errors” to incidents / accidents.
[Chart: % human action attributed as cause (scale up to 100) plotted by year, 1960 to 1995]

3 What is an “error”?
Diagram labels, in order:
- Actual outcomes = intended outcomes
- Correctly performed actions
- Detected and recovered
- Detected but tolerated
- Incorrect actions
- Overt effects
- Detected but not recovered
- Latent effects
- Undetected

4 Humans and system safety
Technology-centred view:
- Humans are a major source of failure. It is therefore desirable to design the human out of the system.
- Automation permits the system to function when the limits of human capability have been reached.
- Automation is cost-effective because it reduces the skill requirements for the operators.
Human-centred view:
- Humans are the main resource during unexpected events. It is therefore necessary to keep them in the system.
- The conditions for transition between automation and human control are often vague and context dependent.
- Automation does not use humans effectively, but leaves them with tasks that cannot be automated, because they are too complex or too trivial.
Conclusion: Humans are necessary to ensure safety.

5 Lisanne Bainbridge (1987), “Ironies of automation”
The basic automation “philosophy” is that the human operator is unreliable and inefficient, and therefore should be eliminated from the system.
1. “Designer errors can be a major source of operating problems.”
2. “The designer, who tries to eliminate the operator, still leaves the operator to do the tasks which the designer cannot think how to automate.”

6 Automation double-bind
Diagram labels:
- Safety critical event
- Design teams are fallible, therefore humans are required in the system
- Humans are fallible, and should therefore be designed “out” of the system

7 Maintaining control
What can help maintain or regain control?
- Sufficient time
- Good predictions of future events
- Reduced task load
- Clear alternatives or procedures
- Capacity to evaluate and plan
What causes the loss of control?
- Unexpected events
- Acute time pressure
- Not knowing what happens
- Not knowing what to do
- Not having the necessary resources
Being in control of the situation means:
- Knowing what will happen
- Knowing what has happened

8 Cyclical HMI model
Goals for what to do when something unusual happens: [Identify, Diagnose, Evaluate, Action]
Diagram labels:
- Team
- Information / feedback
- Provides / produces
- Modifies
- Next action
- Current understanding
- Directs / controls

9 Effects of misunderstanding
Diagram labels:
- The dynamics of the process only leaves limited time for interpretation
- Unexpected information / feedback
- Provides / produces
- Increases demands to interpretation
- Operator may lose control of situation
- Inadequate actions
- Incorrect or incomplete understanding
- Loss of accuracy increases unexpected information
- Leads to

10 Prevention and protection
- Prevention (control barriers): Active or passive barrier functions that prevent the initiating event from occurring.
- Protection (safety barriers): Active barrier functions that deflect consequences.
- Protection (boundaries): Passive barrier functions that minimise consequences.
Diagram labels: Initiating event (incorrect action); Accident.

11 Types of barrier systems
- Material barriers: Physically prevent an action from being carried out, or prevent the consequences from spreading.
- Functional (active or dynamic) barriers: Hinder the action via preconditions (logical, physical, temporal) and interlocks (passwords, synchronisation, locks).
- Symbolic barriers (perceptual, conceptual barriers): Require an act of interpretation to work, i.e. an intelligent and perceiving agent (signs, signals, alarms, warnings).
- Immaterial barriers (non-material barriers): Not physically present in the situation; rely on internalised knowledge (rules, restrictions, laws).

12 Barrier system types
- Physical, material: Obstructions, hindrances, ...
- Functional: Mechanical (interlocks); Logical, spatial, temporal
- Symbolic: Signs & signals; Procedures; Interface design
- Immaterial: Rules, laws

13 Barrier systems on the road
Labels on the pictured examples:
- Symbolic: requires interpretation
- Physical: works even when not seen

15 Barrier evaluation criteria
- Efficiency: How efficient the barrier is expected to be in achieving its purpose.
- Robustness: How resistant the barrier is w.r.t. variability of the environment (working practices, degraded information, unexpected events, etc.).
- Delay: Time from conception to implementation.
- Resources required: Costs in building and maintaining the barrier.
- Safety relevance: Applicability to safety critical tasks.
- Evaluation: How easy it is to verify that the barrier works.