Vol.30 No.4, October 1998
The main goal of this workshop was to discuss different approaches and exchange ideas about the design of safety critical interactive systems that satisfy both usability and safety requirements, at the specification level as well as the implementation level.
We decided to use the following working definition of safety critical system: "a system containing computer, electronic or electromechanical components whose failure may cause threat to life and limb or severe damage to property." Classic examples of such systems are aircraft or nuclear power station control systems. It is often useful to broaden the discussion to include other "high consequence systems" whose failure can incur a high financial cost. This second class is broader than the first and includes satellite or ambulance control, and financial systems. Figure 1 represents the cycle of user's actions on the various components of a safety critical system.
Both safety critical and high consequence systems have human operators, and increasingly their role is mediated by computer technology. Clearly, in this domain, usability problems can have potentially disastrous consequences. Participants in the workshop noted that CHI conferences have very rarely addressed this "critical" issue.
We think that this class of problems is becoming increasingly relevant, with the growing deployment of technology in many areas in ways that can exacerbate and amplify natural tendencies for "human error", with the possibility of disastrous results. Air traffic control applications are a good example: with continual increases in air traffic, the requirements on new technology and new user interfaces become ever more stringent. Interfaces must assist rather than hinder controllers in balancing the dual goals of efficient air traffic management and the safety of the travelling public [2, 3].
We believe that the designers of user interfaces in this area require new and innovative methods to address both usability and safety in an integrated way. Such methods must also accommodate a range of new technologies for supporting user interactions, and allow collaboration between many kinds of skills, viewpoints and disciplinary backgrounds.
Figure 1: The action-retroaction loop in a safety critical system
From the software engineering community there is a call for the use of formal methods in the development of safety critical and safety related software. The argument here is that such methods can help to remove ambiguities from the specifications of these systems and to provide approaches to proving relevant properties [1].
From the human factors community there is a call for increased use of task-based and/or scenario-based design, early prototyping and a consideration of human error at the interface. We believe that there is much to be gained by considering the relationship between formal methods and more human factors-based approaches.
The challenge of the workshop was to bring together researchers and practitioners from the disciplines of software engineering and human factors to consider issues in safety critical system design that lie at the intersection of usability and safety. Areas of concern were requirements analysis, specification, testing, and evaluation.
One of the aims of the workshop was to review the state of the art in the field, to give a framework to evaluate current approaches, and to identify promising research lines and the results that can be foreseen in the next few years.
We have focussed on some specific issues that we feel are relevant in this application area:
We solicited, from the CHI community, people with industrial experience whose main interest is designing user interfaces for safety critical systems.
We have also encouraged participation by those with experience in the use of formal specification techniques, and their application in the field of user interfaces for critical systems.
Attendees submitted short position papers describing their interests and previous work in areas relevant to the workshop. Participants were encouraged to refer to a "case study" based on new technology proposals in air traffic control.
The details of the list of issues and the case study were circulated among the participants beforehand. Some discussion on the topics of the workshop had also been carried out by email before the workshop.
Nine people attended the workshop from Canada, United Kingdom, France, Germany, Italy and the United States. As expected, participants had a wide range of backgrounds from academia, industry and government. Most had had significant participation in projects addressing the problem of user interfaces for safety critical systems in a wide variety of domains (for example, submarine systems, transportation, air traffic control and airborne systems).
The workshop lasted one and a half days. After a short introduction by Fabio Paternò, each participant briefly described their area of expertise and their views on the list of issues. The aim here was to understand the background and perspective of the participants and how they deal with this kind of interactive software application.
In the discussion participants tried to identify the main requirements of the class of application considered. There was a general consensus that interactive safety-critical systems can be characterised by a number of distinguishing factors: highly trained expert users; a need to react to externally generated events; user control of other physical equipment that is often capable of causing injury to humans; and actions that are often irreversible and cannot be undone. Consequently, there is a strong need to improve awareness of safety issues from the requirement elicitation phase and throughout the product lifecycle.
It was also noted that, in order to consider all possible sources of erroneous behaviour, interactions users have with their colleagues and with the surrounding external environment are just as important as interactions with user interfaces. This raises the need to use approaches that are able to describe parallel and co-operating activities required to achieve users' goals.
The group then discussed the case study proposed by the organisers and, thanks to the size of the group, was able to turn to issues arising from the participants' own experience in the area of safety critical applications.
The final part of the workshop was devoted to synthesising the earlier discussions and to producing the poster that would present this synthesis to the CHI 98 participants. Plans for future work were discussed and are outlined in the section on "Dissemination of results".
As a result of these discussions, here is a list of what we have identified as features that make a safety critical system significantly different from other systems:
Users:
Tasks:
Environment:
The following list details some of the issues that seem to make interface design in a safety-related context differ from design of other kinds of systems.
The picture in Figure 2 was taken during the workshop. The participants were:
Jeff Caird, University of Calgary, Canada, jkcaird@acs.ucalgary.ca
Bob Fields, University of York, UK, bob@cs.york.ac.uk
Wayne Gray, George Mason University, Fairfax, USA, gray@gmu.edu
Andrew Jamison, GEC Marconi Research Centre, UK, andrew.jamison@gecm.com
Patrick Girard, LISI/ENSMA, France, girard@ensma.fr
Rémi Bastide & Philippe Palanque, University of Toulouse 1, Toulouse, France, {palanque, bastide}@univ-tlse1.fr
Fabio Paternò, CNUCE-CNR, Pisa, Italy, F.Paterno@cnuce.cnr.it
Bernard Rummel, German Naval Medical Institute, Germany, P.O. Box 6161, D-24122 Kiel.
Several web pages were built in order to co-ordinate actions among participants prior to the workshop. Information has been added after the workshop and some nice pictures are also available there. The address is:
http://lis.univ-tlse1.fr/~palanque/wschi98.html
Figure 2: The participants (From left to right: Bob Fields, Jeff Caird, Fabio Paternò, Bernard Rummel, Wayne Gray, Philippe Palanque, Rémi Bastide, Andrew Jamison, Patrick Girard)
As stated above, the results of the workshop were first presented as a poster during the CHI 98 conference.
Now the ACM ToCHI journal is calling for papers for a special issue focussing on the topics of this workshop. Information about how to submit to this special issue can be found at the following address:
http://www.acm.org/tochi/
1. P. Palanque, R. Bastide, F. Paternò. Formal Specification as a Tool for Objective Assessment of Safety-Critical Interactive Systems. In Proceedings of the Interact'97 Conference, Chapman & Hall, 1997, pp. 323-331.
2. S. Chatty, P. Lecoanet. Pen Computing for Air Traffic Control. In Proceedings of the CHI 96 Conference, ACM Press, 1996, pp. 87-93.
3. P. Palanque, F. Paternò (Eds). Formal Methods in Human Computer Interaction. Springer Verlag, 1997.
4. P. Wright, R. Fields, M. Harrison. Deriving Error Tolerance Requirements from Tasks. In Proceedings of the IEEE International Conference on Requirements Engineering, ICRE '94, 1994, pp. 135-142.
Philippe Palanque
LIHS FROGIS
University Toulouse 1
Place Anatole France
31042 Toulouse
France
Email: palanque@univ-tlse1.fr
Web: lis.univ-tlse1.fr/~palanque
Tel: +33 561 63 35 88
Fabio Paternò
CNUCE-CNR
Via S. Maria
56126 Pisa
Italy
Email: F.Paterno@cnuce.cnr.it
Web: giove.cnuce.cnr.it/~fabio
Tel: +39 50 593289
Bob Fields
Department of Computer Science
University of York
Y01 5DD York
UK
Email: bob@cs.york.ac.uk
Web: http://www.cs.york.ac.uk/~bob
Tel: +44 1904 434755