DESIGN ERROR: A HUMAN FACTORS APPROACH

Comment on the Cover Photo

The cover photo depicts two trains that collided with each other during a shunting episode in the Everleigh train yards, Sydney, Australia (http://www.dailytelegraph.com.au, October 10, 2011). One was from Cityrail, the suburban network, and the other from the Countryrail network. Luckily no one was injured, but there was damage to both trains and the accident took a significant amount of time to clear.

The movement of trains is controlled from regional control centres where controllers use highly sophisticated software to ensure that trains don’t run into each other. An important control device is called ‘interlocking’, a procedure developed after a disastrous train crash in Armagh, Northern Ireland in 1889, where 80 people died and 260 were injured. They were on a Sunday school picnic trip and many of the victims were children. Interlocking describes the inter-relational working of points, signals and other rail devices to ensure that once a train route is set, it cannot be reversed until the designated train has passed by. In this photo we can see that interlocking was not employed.

The accident investigation report was not released by the company, so we cannot say with any confidence that this collision was caused by a design error in the control system. But we know from other rail accident reports that systems do fail when they do not include strategies to deal with every eventuality, a growing problem when automation takes over tasks previously done by humans. Computers are very good at carrying out routine activities, but have not yet been built with a human’s ability to problem-solve and react quickly to an unforeseen event. We can hazard a guess that this control system had not been designed to control the whole gamut of shunting operations.
DESIGN ERROR: A HUMAN FACTORS APPROACH

RONALD WILLIAM DAY

CRC Press, Taylor & Francis Group
Boca Raton, London, New York
CRC Press is an imprint of the Taylor & Francis Group, an Informa business

CRC Press, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2017 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business. No claim to original U.S. Government works. Printed on acid-free paper.

Version Date: 20160614
International Standard Book Number-13: 978-1-4987-8367-5 (Paperback)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged, please write and let us know so we may rectify it in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.
Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data
Names: Day, Ronald William, author.
Title: Design error : a human factors approach / Ronald William Day.
Description: Boca Raton : Taylor & Francis, CRC Press, 2017.
Identifiers: LCCN 2016026982 | ISBN 9781498783675 (pbk.)
Subjects: LCSH: Design--Human factors. | System design--Quality control. | System design--Psychological aspects. | System failures (Engineering) | Manufactures--Defects--Prevention.
Classification: LCC TA166 .D39 2017 | DDC 620.8/2--dc23
LC record available at https://lccn.loc.gov/2016026982

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Foreword ... ix
Acknowledgements ... xi
Introduction ... xiii
Author ... xix

Chapter 1  Design Error … Can Models Help? ... 1
    Dominoes Are Falling: Queensland Health Payroll Fiasco ... 3
    Swiss Cheese Anyone? Zanthus Bypass Accident ... 4
    Systems Flying High: Mt Erebus Disaster ... 6
    Random Clusters Model: Government Home Insulation Program ... 7
    Chaos Reigns: Melbourne’s West Gate Bridge Collapse ... 9

Chapter 2  Common Causes of Design Error ... 11
    Value of User Situational Knowledge ... 12
    Clients Are Part of the Problem ... 12
    Too Much Reliance on Client Documentation ... 12
    User Interface or Usability Issues ... 12
    Design Constraints ... 13
        Open-Cut Mine Radar Solution ... 13
        Walking the Tightrope ... 14
        Unsafe Army Vehicle ... 15

Chapter 3  Who Is the Designer? ... 17
    How Does a Designer Create a New Design? ... 17
        Intuition ... 18
        Designing Style ... 19
        Problem-Solving Methods and Conceptual Strategies ... 19
    Designer Profile ... 20
        Demographics ... 20
        Design Error Occurrence ... 20
        Systems Development Life Cycle Model Chosen ... 20
        Conceptual Strategies ... 20
        Concerns ... 20
        User-Centred Design ... 21
    Designer Profile Items ... 21

Chapter 4  What Is the Design Process? ... 23
    Design Concept Formation ... 23
    Writing Specifications ... 24
    Building the Design ... 25
    Testing ... 25
    Implementation ... 26
    Training ... 26
    Maintaining ... 26
    If a Design Meets the Specifications, Can It Contain Errors? ... 27
    The Many Faces of the Design Process ... 27

Chapter 5  Systems Development Life Cycle Models ... 29
    Traditional Models ... 29
        Waterfall Model ... 29
        V-Model ... 30
        Incremental Model ... 30
        Evolutionary Model ... 30
        Spiral Model ... 31
        Prototyping ... 32
    Adaptive Models ... 32
        Agile ... 32
        Rapid Application Development ... 33
        Joint Application Design ... 33
        Extreme Programming ... 34
        Lean Software Development ... 34
        Scrum ... 35

Chapter 6  Choosing an SDLC … Which Cap to Wear? ... 37
    When to Wear a RED CAP ... 38
        When You Cannot Meet the End Users ... 38
    When to Wear a BLUE CAP ... 39
    When to Wear a YELLOW CAP ... 39
        Avoiding Project Creep ... 40
    YELLOW CAP Futures: Continuous Agile ... 40
    Organic Model: A New Look at the Design Process ... 41

Chapter 7  Where Do Design Errors Occur in the Design Process? ... 43
    Design Concept Issues ... 43
    Writing Specifications ... 44
    Building the Design ... 45
    Testing ... 46
    Implementation ... 47
    Training ... 48
    Maintaining ... 48
    Paradise Lost ... 49

Chapter 8  Human Factors Issues ... 51
    User Interface Design ... 52
        Computer Interface Errors ... 52
        Non-Computer Errors ... 54
        Associated Business Process Errors ... 54
    End-User Profile ... 54
        Demographics ... 54
        Design Error Occurrence ... 55
        Problems Experienced ... 55
        Participative Design ... 55
        Concerns ... 55
    Comparison of Designer and End-User Profiles ... 55

Chapter 9  Automation … Persistence of a Myth ... 57
    Human Cost of Automation ... 57
    Complexity ... 58
    Complexity in Action ... 59
    Measuring Complexity ... 60
    And the Problem Is? ... 60
    Three Reasons For the Advance of Automation ... 61
    Two Social Impacts of Automation ... 62
        Airbus A320 Crash ... 63
        Driverless Monorail Train Crash ... 63
        Rail Crash in Spain ... 63
    Future Directions in Automation ... 64
        Changing Lifestyles ... 64
    Internet of Things ... 65
        An Early M2M System ... 65
        Target Was Targeted ... 67
        Problems with Medical Devices ... 67
        Stuxnet ... 67

Chapter 10  How Artificial Is Artificial Intelligence (AI)? ... 69
    Has AI Always Existed? ... 69
    Alan Turing, the Father of Modern-Day Machine Intelligence ... 70
    Knowledge-Based Systems ... 71
    Expert Systems ... 71
        MYCIN ... 72
        ELIZA and PARRY ... 72
    Artificial Intelligence Today ... 73
    Natural Language Processing ... 73
        Amelia Goes to Work ... 73
        Yseop ... 74
    Artificial Intelligence in the Future ... 74
    Why Is AI Dangerous? ... 75

Chapter 11  The Solution Is …? ... 77
    RED CAP Strategies ... 77
        Rules for a Successful RED CAP Design Project ... 78
    BLUE CAP Strategies ... 78
        Rules for a Successful BLUE CAP Design Project ... 78
    YELLOW CAP Strategies ... 79
        Rules for a Successful YELLOW CAP Design Project ... 79
            Concept Formation ... 79
            Specifications Writing ... 79
            Development ... 80
            Testing ... 80
            Deployment ... 81
            Training ... 81
            Maintenance ... 82
    Design Process Auditing ... 82
        How Many Ways Can the Design Process Go Wrong? ... 82
    Analytical Tool ... 84

Glossary of Terms ... 85
References ... 87
Index ... 89

Foreword

A lifetime ago, I tried to replace a domestic door handle so that my knuckles did not get scraped each time I opened it.
It proved impossible for the simple reason that a design decision somewhere upstream had rendered the actuating mechanism too short to give adequate clearance. This was not in any way important or life threatening, but it started a train of thought that developed into a serious interest in the way that design happens, and the – almost certainly unknown and unintended – consequences of a design process that ignores the human factor.

Human beings make mistakes. All of us. All of the time. A huge majority are of little or no consequence, except for local irritation, and pass unremarked. When the error results in a catastrophe, however, the charge is on to allocate blame. This process is marked by a search for proximal causation. Which person pressed the wrong button? Only after an exhaustive analysis has revealed that nobody at the sharp end did anything wrong, or did because of inadequate information and so forth, does the focus shift to upstream causation or contribution. Even then, when design or process inadequacies are uncovered, there is little evidence that the design process, as opposed to the outcome, is subject to scrutiny and almost no evidence at all of its being called to account.

That is what this book sets out to change. It does it, not by looking for scapegoats, but by a constructive approach to ways of doing it better. Ronald Day is uniquely qualified to do this. In addition to a penetrating (and it must be said, somewhat iconoclastic) intelligence, his background and experience allow a special understanding of a basic problem: that human actions are usefully predictable only at low resolution, and by the time the resolution gets to be useful in the design sense, they are hardly predictable at all.

Murphy’s law says that if anything can go wrong, it will. (If you drop your jam and bread, it will land jammy side down.) Murphy’s second law says that it will happen for maximum effect. (The chances of it happening are directly proportional to the cost of the carpet.) There is a little known third law that says Murphy makes mistakes. (It will all be OK sufficiently frequently to fool you.) The practical implication of this is the need for protocols that can cope with our apparent capacity to mess up the most robust systems. This presents a challenge of majestic proportions, and it is only by a detailed scrutiny of the design processes and design thinking that any progress can be made. As automated systems driven by artificial intelligence take an increasingly important role in our critical functions, it becomes even more important to understand the human component, often at the stream source.

In this book, Ronald provides a truly accessible approach to the complexities of safety systems design and goes on to suggest a new and important model for resolving some of the intractable issues. It is my privilege to be associated with Ronald as a colleague and as a friend, and a great satisfaction to see this work published at a time when our rate of technological development is stretching our human capacity to cope.

Emeritus Professor Bill Green
University of Canberra