Safety Systems and Cognitive Models

Simon Grant
European Commission Joint Research Centre
Institute for Systems Engineering and Informatics
Socio-Technical Systems Safety Sector
also was then
on leave from City University, London

Introduction

• A conceptual framework for a new generation of safety system
• to counter human error
• in complex cognitive tasks
• without overloading human cognitive capabilities
• What kind of system are we trying to design?
• How could we use models of cognition?

Outline

• The classification of machine systems
• passive / active
• responsive / autonomous
• usual / unusual
• dormant / latent
• danger-centred / cognition-centred
• The role of models of cognition placed for the first of each pair
• Cognition-centred systems and how they might work

The classification

passive / active

• Does the system take any action?
• Examples of passive systems
• padded seats
• physical interlocks
• barriers
• fixed warning notices
• Cognition considered at the design stage only (cf. Norman) - but could be interesting
• Detailed models unlikely to be useful

responsive/autonomous

• Do humans initiate system action?
• Examples of responsive systems
• parachutes
• ejector seats
• information systems acting on demand
• Responsive systems are fine when
• important, unpredictable consequences
• situation clear of other tasks
• operation is simple
• Responsive systems are otherwise prone to human error

usual / unusual

• Is operator practiced with system operation?
• Examples of usual systems
• car anti-skid systems
• common safely aspects of flight management or control systems
• Humans often adapt to usual systems (Wilde)
• Modelling adaptation is very difficult
• Usual systems less likely to pick up unusual errors

dormant / latent

• Dormant systems triggered by simple condition
• Latent by complex condition that requires active processing
• Examples of dormant systems
• any one-condition alarm
• A set of dormant systems is bound to have overlapping boundaries
• Three Mile Island effect
• Thus, could use models of attention and possibly workload

danger-centred / cognition-centred

• Danger-centred systems
• identify known dangers
• have (complex) boundaries for prevention or warning
• Examples of danger-centred systems
• stall warning systems
• ground proximity warning systems
• Danger-centred warning systems may have overlapping boundaries
• needs consideration of the cognitive effect of interplay of safety systems

Simplistic GPWS design

• GPWS illustrates danger-centred approach, dormant and latent

Cognition-centred safety systems

• Why? Even if all dangers were identified still most of task or activity space remains unfamiliar
• Unnoticed straying into unfamiliar areas implies loss of situation awareness
• Counteract this by providing cognition-centred safety systems
• focus on what the human agrees he or she should be doing
• not what human should not be doing
• hence catch the problem before the possibility of many warnings arising

Cognition-centred safety systems

• Regions in task or activity space
• Various error modes

The SACHE design concept

Situation Awareness Correspondence between Human and Engineered system

• Divide up the task into units
• Know what prompts transition
• Know what is expected in each
• Track units and behaviour
• When there is a lack of correspondence, either
• emphasise missed information, or
• issue warning, or
• indicate the level to which the situation has been envisaged and planned for

Conclusion