Accident Models

Accident models provide the basis for:
- Investigating and analyzing accidents
- Preventing accidents
- Hazard analysis
- Design for safety
- Assessing risk (determining whether systems are suitable for use)
- Performance modeling and defining safety metrics

Basic Energy Model

- Assumes accidents are the result of an uncontrolled and undesired release of energy.
- Use barriers or control energy flows to prevent them.

[Figure: an energy source, an energy flow, and a barrier placed between the source and the object it could harm.]

Variations:
- Both (1) application of energy and (2) interference in the normal exchange of energy.
- Energy transformation vs. energy deficiency.
- Action systems (systems that produce energy) vs. nonaction systems (systems that constrain energy).
Heinrich's Domino Model of Accidents

- People, not things, are the cause of accidents.
- Removing any of the dominoes will break the sequence, but Heinrich said the third domino was easiest to remove.
- Focus on single causes.

[Figure: five dominoes in sequence: Ancestry and social environment -> Fault of person -> Unsafe act or condition -> Accident -> Injury.]

Chain-of-Events Models

- Explain accidents in terms of multiple events, sequenced as a forward chain over time.
- Events almost always involve component failure, human error, or an energy-related event.
- Form the basis of most safety-engineering and reliability-engineering analysis (e.g., Fault Tree Analysis, Probabilistic Risk Assessment, FMEA, Event Trees) and design (e.g., redundancy, overdesign, safety margins, ...).

[Figure: chain-of-events example for a pressurized tank. Moisture -> Corrosion -> Weakened metal -> (with operating pressure) Tank rupture -> Fragments projected -> Equipment damaged / Personnel injured. A countermeasure is attached to each link: use desiccant to keep moisture out of the tank; use stainless steel or a coating to prevent contact with moisture; overdesign metal thickness so corrosion will not reduce strength to the failure point; use a burst diaphragm to rupture before the tank does, preventing more extensive fragmentation; provide a mesh screen to contain possible fragments; keep personnel out of the vicinity of the tank while it is pressurized.]
Chain-of-Events Example: Bhopal

E1: Worker washes pipes without inserting slip blind
E2: Water leaks into MIC tank
E3: Explosion occurs
E4: Relief valve opens
E5: MIC vented into air
E6: Wind carries MIC into populated area around plant

Limitations of Event Chain Models: Social and organizational factors in accidents

"Underlying every technology is at least one basic science, although the technology may be well developed long before the science emerges. Overlying every technical or civil system is a social system that provides purpose, goals, and decision criteria." (Ralph Miles Jr.)

- Models need to include the social system as well as the technology and its underlying science.
- System accidents
- Software error
Limitations of Event Chain Models (2)

Human error
- Deviation from normative procedure vs. established practice
- Cannot effectively model human behavior by decomposing it into individual decisions and actions and studying it in isolation from:
  - the physical and social context
  - the value system in which it takes place
  - the dynamic work process

Adaptation
- Major accidents involve systematic migration of organizational behavior under pressure toward cost effectiveness in an aggressive, competitive environment.

[Figure: the Zeebrugge capsizing of the Herald of Free Enterprise shown as the combined outcome of decisions made in separate departments: vessel design (shipyard; design change adding equipment load; stability analysis), harbor design (Calais and Zeebrugge berth design), cargo management (truck companies; excess load), passenger management (excess numbers), traffic scheduling (transfer of Herald to Zeebrugge; time pressure), and vessel operation (captain's planning; operations management standing orders and docking procedure; unsafe heuristics; change of crew working routines), leading to impaired stability and capsizing.]

Operational decision making: decision makers from separate departments in an operational context very likely will not see the forest for the trees.

Accident analysis: the combinatorial structure of possible accidents can easily be identified.
STAMP (Systems Theory Accident Modeling and Processes)

To effect control over a system requires four conditions:
- Goal Condition: The controller must have a goal or goals (e.g., to maintain a setpoint).
- Action Condition: The controller must be able to affect the system state.
- Model Condition: The controller must be (or contain) a model of the system.
- Observability Condition: The controller must be able to ascertain the state of the system.

Process models must contain:
- Required relationship among system variables
- Current state (values of system variables)
- The ways the process can change state

[Figure: control loop. A human supervisor (controller), holding a model of the process and a model of the automation, interacts through displays and controls with an automated controller that holds a model of the process and a model of the interfaces. The automated controller drives actuators and reads sensors on the controlled process; the process has inputs and outputs, controlled variables and measured variables, and is subject to disturbances.]
[Figure: the same control loop with an automated display and decision-aiding component between the human supervisor and the controlled process.]

Safety and the Process Models

Accidents occur when the models do not match the process:
- Wrong from the beginning
- Missing or incorrect feedback, so not updated
- Must also account for time lags

Explains human/machine interaction problems. Pilots and others are not understanding the automation:
- What did it just do?
- Why did it do that?
- Why won't it let us do that?
- What caused the failure?
- What will it do next?
- How did it get us into this state?
- What can we do so it does not happen again?
- How do I get it to do what I want?

Don't get feedback to update mental models, or disbelieve it.
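As an added illustration (not from the slides) of the process-model mismatch just described: a toy simulation in which a controller's model of a tank level is updated only through delayed or missing sensor feedback, so its control actions push the real process past the safety constraint unless the time lag is accounted for. The tank scenario, all numbers and the function names are constructed for this example.

```python
"""Added example, not from the slides: a toy simulation of STAMP's process
model idea. A controller holds a tank level at a setpoint, but it decides
from its *model* of the level, which is updated only by sensor feedback.
Delayed feedback (time lag) or missing feedback lets the model diverge from
the real process, and the controller then issues control actions that
violate the safety constraint (real level <= LIMIT). All values constructed."""
from collections import deque

SETPOINT = 80.0   # goal condition: level the controller tries to hold
LIMIT = 100.0     # safety constraint the controlled process must satisfy
FILL_RATE = 10.0  # effect of one "fill" action on the real level per tick
DRAIN = 2.0       # disturbance: the tank leaks this much per tick


def run(ticks, lag, sensor_fails_at=None, lag_aware=False):
    """Simulate; return (peak real level, history of (real, model, action))."""
    real = 50.0                        # actual process state
    model = 50.0                       # controller's process model
    pending = deque([50.0] * lag)      # sensor readings still in transit
    in_flight = deque([0.0] * lag)     # actions not yet visible in feedback
    history, peak = [], real
    for t in range(ticks):
        # Feedback path: sensor -> (lag ticks) -> controller's model.
        # After sensor_fails_at no readings arrive at all (missing feedback).
        observable = sensor_fails_at is None or t < sensor_fails_at
        pending.append(real if observable else None)
        reading = pending.popleft()
        if reading is not None:
            model = reading            # model is updated only by feedback
        # Control algorithm: decides from the model, not from the process.
        belief = model
        if lag_aware:
            # Account for the time lag: add the effect of actions already
            # issued whose result has not come back through the sensor yet.
            belief += sum(in_flight)
        action = FILL_RATE if belief < SETPOINT else 0.0
        in_flight.append(action)
        in_flight.popleft()
        # Controlled process: action plus disturbance.
        real = max(0.0, real + action - DRAIN)
        peak = max(peak, real)
        history.append((real, model, action))
    return peak, history


def first_violation(history):
    """Tick of the first unsafe state (real level above LIMIT), or None."""
    for t, (real, _model, _action) in enumerate(history):
        if real > LIMIT:
            return t
    return None


if __name__ == "__main__":
    cases = [
        ("lag of 3 ticks, lag ignored", dict(lag=3)),
        ("lag of 3 ticks, lag accounted for", dict(lag=3, lag_aware=True)),
        ("sensor stops reporting at tick 4", dict(lag=0, sensor_fails_at=4)),
    ]
    for label, kwargs in cases:
        peak, hist = run(30, **kwargs)
        print(f"{label}: peak {peak:.0f}, first violation {first_violation(hist)}")
```

The lag-aware controller is still blind to the drain disturbance and to a failed sensor, which is why the third case overflows even with a lag of zero: missing feedback and unaccounted time lag are separate ways for the model to stop matching the process.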
A Systems Theory Model of Accidents

- Accidents arise from interactions among humans, machines, and the environment.
- Not simply chains of events or linear causality, but more complex types of causal connections.
- Safety is an emergent property that arises when components of a system interact with each other within a larger environment.
- A set of constraints related to the behavior of components in the system enforces that property.
- Accidents occur when interactions violate those constraints (a lack of appropriate constraints on the interactions).
- Software as a controller embodies or enforces those constraints.

A Systems Theory Model of Accidents (2)

- Safety can be viewed as a control problem, e.g.:
  - O-rings did not adequately control propellant gas release
  - Software did not adequately control descent speed of MPL
- Safety management is a control structure embedded in an adaptive system.
- Events indirectly reflect the effects of dysfunctional interactions and inadequate control.
- Need to examine the control structure itself to understand accidents.
- Accidents result from inadequate enforcement of constraints at each level of the socio-technical system controlling development and operations.
[Figure: general socio-technical control structure, drawn as two columns, SYSTEM DEVELOPMENT and SYSTEM OPERATIONS. Levels from the top: Congress and Legislatures; Government Regulatory Agencies, Industry Associations, User Associations, Unions, Insurance Companies, Courts; Company Management; Project Management (development) or Operations Management (operations); Manufacturing Management (development) or Maintenance and Evolution (operations); Manufacturing (development) or the Operating Process (operations: human controller(s), automated controller, actuators, sensors, physical process). Downward arrows carry control: legislation, regulations, standards, certification, legal penalties, case law, safety policy, standards and resources, work instructions, operating procedures and operating assumptions, design rationale, hazard analyses, safety constraints, test requirements, change requests, software revisions and hardware replacements. Upward arrows carry feedback: government reports, lobbying, hearings and open meetings, accidents, change reports, whistleblowers, accident and incident reports, status and progress reports, risk assessments, test reports and review results, problem reports, operations and maintenance reports, audit reports, work logs and inspections, performance audits.]
Accident Models

GOAL: Provide a framework for classifying factors leading to accidents and a system engineering methodology for handling them.

Some causes of dysfunctional interactions:
- Asynchronous evolution
- Inconsistent models
- Inadequate or missing feedback
- Time lags
- Inadequate engineering design activities
- etc.
- Inadequate coordination among controllers and decision makers
  - Boundary areas
  - Overlap areas

Control Flaws Leading to Hazards

Inadequate control actions (enforcement of constraints)
- Unidentified hazards
- Inappropriate, ineffective, or missing control actions for identified hazards
  - Design of control algorithm (process) does not enforce constraints
  - Process models inconsistent, incomplete, or incorrect (lack of linkup)
    - Flaw(s) in creation process
    - Flaw(s) in updating process (asynchronous evolution)
    - Time lags and measurement inaccuracies not accounted for
  - Inadequate coordination among controllers and decision-makers (boundary and overlap areas)

Inadequate execution of control action
- Communication flaw
- Inadequate actuator operation
- Time lag

Inadequate or missing feedback
- Not provided in system design
- Communication flaw
- Time lag
- Inadequate sensor operation (incorrect or no information provided)
Human Error Models

Categorize errors by external manifestations

Categorize by type of task
- Simple, vigilance, emergency response, control, complex
- Coordinating, scanning, recognizing, problem solving, planning ...
- Usually consider performance-shaping factors such as task structure, stress, design of displays and controls

Categorize by cognitive mechanisms
- Instead of focusing on task and environment characteristics, consider the psychological mechanisms used by the operator in performing tasks.
- Interaction of psychological factors with features of the work environment
- Requires only a limited number of basic concepts

Common Features of Cognitive Models

Most based on Bartlett's "schemas"
- Internal representations of regularities of the world
- An organized structure of knowledge
- Our way of understanding and dealing with the world

Slips vs. Mistakes (Don Norman)
- A mistake is an error in intention (error in planning)
- A slip is an error in carrying out the intention

Human-Task Mismatch (Rasmussen)
- Errors are an integral part of learning
- Should be considered human-task or human-system mismatches

Skill-Rules-Knowledge framework (Rasmussen)
- Human skills needed to solve problems also lead to errors
- If we eliminate the possibility of human error, we may eliminate the ability to solve problems