C. Null 1

Best Practices for Reliable and Robust

Human Systems Integration

Dr. Cynthia H. NullNASA Technical Fellow

NASA Engineering and Safety CenterProgram ManagementChallenge Conference

2008

C. Null 2

Outline

• Human Factors Design Philosophy

• Model of Human Factors in System Design

• Design Processes

• Summary

C. Null 3

Human System Integration

• Systems level approach• Design for robustness for the life of the program

– Design– Build– Test– Operate– Maintain– Retire

• Reliability is an attribute of the product• Reliability is an attribute of operational processes

C. Null 4

Which humans do we design for?• From a human factors viewpoint

CrewmembersControllers Training personnelManufacturing personnelMaintenance personnel Ground operationsGround testing

are apart of the spacecraft system.

• All elements of the system are influenced by human performance.

• Human performance is influenced by the system design.

Not just for human space flight.

C. Null 5

Human Factors Design Principles

1. System demands are compatible with human capabilities and limitations.

2. System enables utilization of human capabilities in non-routine and unpredicted situations.

3. System can tolerate and recover from human errors.

C. Null 6

Tasks / Goals• Requirements• Moderators

• Procedures• Decision Aids

• Interfaces• Human-Human• Human-system

Human Capabilities• Abstraction• Problem Solving• Creativity• Cope with novel situations

•••

System Capabilities• Monitoring• Control• Interfaces• Robotics• Automation

•••

Environment• Physical

• Noise• Vibration• G-level• Climate• Illumination• Access

• Organization• Culture• Communication• Responsibilities• Authority

•Operations Concept•Command & Control•Geographic Distribution•Nominal•Off-nominal•Unexpected

C. Null 7

Simplified ModelEnvironment• Physical• Operational Concept• Organization

Tasks• Requirements• Moderators• Interfaces

•Human-Human•Human-system

Human Capabilities• Abstraction• Problem Solving• Creativity• Cope with surprises

System Capabilities• Monitoring• Control• Interfaces• Robotics• Automation

Displays

Input Devices

Mac

hine

s

Human Sensation

Human Actions

Hum

an C

ognitionTASKS

Subsystems Humans

C. Null 8

Sensation/Perception• Vestibular• Kinesthesia• Taste/smell

Human Actions• Motor coordination• Object manipulation• Speech

Cognition• Attention• Memory• Information processing• Decision making• Action Initiation

Simplified ModelEnvironment• Physical• Operational Concept• Organization

Human Capabilities

Tasks• Requirements• Moderators• Interfaces

•Human-Human•Human-system

Sensation/Perception• Vision• Audition• Tactile

Displays

Input Devices

Mac

hine

s

Human Sensation

Human Actions

Hum

an C

ognitionTASKS

Subsystems Humans

System Capabilities• Monitoring• Control• Interfaces• Robotics• Automation

C. Null 9

Displays• Display Response

•Visual•Sound

• Initiates Queries

Machines• Process Data• Perform procedures• Stores data• Retrieves data• Transmits responses• Control

Simplified Model

Environment• Physical• Operational Concept• Organization

Human Capabilities• Abstraction• Problem Solving• Creativity• Cope with surprises

System Capabilities

Displays

Input Devices

Mac

hine

s

Human Sensation

Human Actions

Hum

an C

ognitionTASKS

Subsystems Humans

Input Devices• Sensors• Controls, switches• Keyboard, mouse, etc.• Touch-screen• Voice recognition

Tasks• Requirements• Moderators• Interfaces

•Human-Human•Human-system

C. Null 10

Fallacy: Human Factors Is Just Common Sense

• Designs are not only built to requirements but may have hidden assumptions or demands

• Simple example of mismatch between human capabilities and tool operation– PDA, cell phone & camera

displays use small, efficient LCDs

– PDAs have thumb-controlled keyboards

C. Null 11

It is common to hear• Automation will:

– Reduce human workload– Simplify tasks performed by humans– Reduce training requirements– Reduced human error

• However, Aviation Automation has:– Changed the human tasks, often increasing the complexity– Moved tasks from control to monitoring, but not simpler– Often increased training (systems are more complicated)– Changed types of errors– Increased concurrence of tasks

C. Null 12

It is common to hear:• If the design isn’t perfect we can train

– However, under stress or time constraints trained behavior may fail

• We will find any issues during training, and design procedures to eliminate the issue– Simulation training may not discover the interactions

with the tools and environment– Changing procedures may not be enough

– Usually too late (or too expensive) to impact design

C. Null 13

Fallacy: Design Deficiencies will be uncovered in human-in-loop testing

or training• Example: STS-49

• Capture, installation of new perigee kick motor & release of an Intelsat-VI satellite View of Robotic Arm Operator

C. Null 14

STS-49 Attaching Capture Bar To Intelsat-VI

Practicing 3-Person Satellite Grab Performing 3-Person Satellite Grab

C. Null 15

Design Processes

Prominent in heritage systems are human-system integration responsibilities

• DDT&E of – “active” interfaces (displays and controls)– “passive” interfaces with vehicle (seating, restraints,

lighting)

• Ensure reliable operations in space environment

C. Null 16

Apollo’s Display and Control Systems Requirements (a few)

• No single display or control failure would jeopardize the safety or the flight crew or be cause for an abort.

• Information would be presented so as to permit rapid assessment of critical system status without resorting to extensive troubleshooting procedures to identify malfunctions

• All D&C used during accelerated flight would be designed for operation by a pressure-suited fully restrained crewman

• Automatic systems would be used to obtain precision, to speed response, or to relieve the crewmen of tedious tasks: but all automatic control modes would have a manual backup

C. Null 17D = Design, B= Build, O= Operate, M= Maintain, T= Train

C. Null 18

HFE methods & tools as a part of overall design process

Overall Engineering Design Process

HSI Design &

Integration

•

Concept Design

•

Detailed Design

•Integration

HFE Analyses

•

Function Analysis

•

Task Analysis

•

Planning

•

Concept of Ops

•

Endpoint Vision•

Human-System performance testing

Nominal & Off-nominal

••

Verification &

Validation

Performance Monitoring

•

Continuous improvement

HFE Activities

HFEGuidelines•HFE Process•HSI Design

•

Systems Approach

•Simulation

Training

Human in Loop Testing and Evaluation

Testing is critical

C. Null 19

HSI System Development

C. Null 20

Human Factors Design Principles

1. System demands are compatible with human capabilities and limitations.

C. Null 21

“Top-Down”

High-level mission and goals

Define functions necessary to achieve the goals

Allocate functions to human and system resources

Decompose functions into tasks

Analyze tasks to define performance requirements

Design detailed HSI, procedures, and training

C. Null 22

“Bottom-Up”

• Prototype human activities (including modeling)

• Identify human performance variability and human error potential

• Design interfaces, tools, training, etc.

C. Null 23

Example: Two Approach Modes

input: -3.3° -800 ft/min

Mt (2700ft)

Planned approach: Track/Flight Path Angle mode: input: -3.3°

-13,6°input:

-3300 ft/min

Actual approach: Heading/Vertical Speed; input: -3300 ft/min

Eventual Crash

Mt (2700ft)

5000ft

5000ft

C. Null 24

Wrong Mode–Spot The Difference

C. Null 25

• Design trades are a fact of designing complex systems

• HFE helps make explicit the trades that effect human performance

and thus effect system performance and reliability

Design trades

C. Null 26

Humans Will AdaptFind New Ways To Solve ProblemsHumans Can Cope with Uncertainty

• But at what cost?

• These characteristics are something we rely on– As individuals– As designers

• It is this creativity that adds reliability to complex systems

C. Null 27

Human Factors Design Principles

2. System enables utilization of human capabilities in non-routine and unpredicted situations

Non-routine

* Procedures

* Training

Unpredicted

* Information is KEY

* Transparent systems

* Diagnosis support

C. Null 28

Apollo 13“Houston, we’ve had a problem”

C. Null 29

Human Factors Design Principles

3. System can tolerate and recover from human errors **

** Let me note: The human error mitigations:Must not reduce humans ability to cope with the unpredicted.

Must not leave humans unaware of automatic actions, operational modes or system status.

C. Null 30

Fault Tree Analysis (Top-Down)

1. What catastrophic outcomes could occur?

2. What event/error sequences and combinations could lead to each outcome?

3. Are there scenarios when one or two human error could lead to a catastrophic outcome?

Human Factors Process failure Modes and Effects Analysis

(Bottom-Up)1. How will humans interact with the system?

2. What errors could occur?

3. What consequence would result from these errors?

1. Identify critical human risks

2. Formulate responses

Human Error and Reliability Analysis

C. Null 31

1997 MIR-Progress Collision

• During 4 months preceding event, crew stressed by frequent system failures

• Near-miss during an Toru-assisted docking

• Low contrast and poor resolution of the Toru display

• Kurs radar shutdown decreased spatial awareness

C. Null 32

People Create Safe Operations

• Rarely is human operator error in complex systems the proximate cause of the failure.

• In complex operations human error is often the symptom of deeper system design issues.

• Human error is not random. Error is systematically connected to features of tool’s, task’s and operating environment

• People are vital to system safety.

C. Null 33

Design Principles

Appropriate interlocks, make it difficult to do dangerous things.

System keeps operators in the loop. Permits humans to take control.

System demands are consistent with human performance standards.

Operate

Avoid simultaneous maintenance of redundant systems.

Non-routine trouble-shooting and repair is possible.

Maintenance tasks are within human capabilities.

Maintain

Independent test verification.

System keeps operators in the loop.

Tasks are within human perceptual envelope.

Test

Components designed to make incorrect assembly difficult.

Hazard analysis.Objectively define and evaluate skill.

Manufacture

3. Error Tolerant

2. Off-nominal

1. Human Capabilities

System Life Cycle Phase

C. Null 34

Some General Characteristics of a Well Designed

Human-System Interface• Accurately represents the system• Meets user expectations• Support task performance• Minimizes distractions• Balances workload• Is tolerant to error• Is consistent• Provides timely information and feedback• Provides access to explanations when needed• Verified through extensive human-in-loop

testing, including off-nominal scenarios

C. Null 35

Human Factors to Reliable Systems• System view

– Human as part of system– Environment context

• Designs for nominal, off-nominal & unexpected

• Matches tasks and tools to human capabilities & limitations

• Data driven—human-system performance testing is key to success

• Requires curious skeptic with knowledge of human capabilities

C. Null 36

Examples

C. Null 37

Design for Maintainability• Physical access• Visual access• Tooling access• Modularity• Error-proofing• Labeling

C. Null 38

Fastener Starter• HF-PFEMA uncovered high potential FOD issue

Shuttle Dome Heat Shield Installation Process • Developed Fastener Starter by incorporating

– task requirements– user preferences– flight hardware constraints– lessons learned from evaluations of currently

available tools • Tested with technicians simulating hardware

installation– evaluated the tool's performance (parts dropped)– the technician's efficiency– subjective rating of the tool.

C. Null 39

Fastener Starter• Firmly grips and holds a single

screw, bolt, nut, washer, spacer, or any combination of these parts.

• Compact size allows it to be used effectively in cramped, difficult-to-see locations

Fastener Starter Holding a Screw