Author: Kim J. Vicente
Most designers of technological systems do not pay enough attention to human needs and capabilities.

Many people find technology frustrating and difficult to use in everyday life. In the vast majority of cases, the problem is not that they are technological "dummies" but that the designers of technological systems did not pay sufficient attention to human needs and capabilities. The new BMW 7 series automobile, for example, has an electronic dashboard system, referred to as iDrive, that has between 700 and 800 features (Hopkins, 2001). An article in Car and Driver described it this way: "[it] may . . . go down as a lunatic attempt to replace intuitive controls with overwrought silicon, an electronic paper clip on a lease plan. One of our senior editors needed 10 minutes just to figure out how to start it" (Robinson, 2002). An editor at Road & Track agreed: "It reminds me of software designers who become so familiar with the workings of their products that they forget actual customers at some point will have to learn how to use them. Bottom line, this system forces the user to think way too much. A good system should do just the opposite" (Bornhop, 2002). As technologies become more complex and the pace of change increases, the situation is likely to get worse. In everyday situations, overlooking human factors leads to errors, frustration, alienation from technology, and, eventually, a failure to exploit the potential of people and technology. In safety-critical systems, however, such as nuclear power plants, hospitals, and aviation, the consequences can threaten the quality of life of virtually everyone on the planet. In the United States, for example, preventable medical errors are the eighth leading cause of death; in hospitals alone, errors cause 44,000 to 98,000 deaths annually, and patient injuries cost between $17 billion and $29 billion annually (IOM, 1999).
Diagnosis

The root cause of the problem is the separation of the technical sciences from the human sciences. Engineers who have traditionally been trained to focus on technology often have neither the expertise nor the inclination to pay a great deal of attention to human capabilities and limitations. This one-sided view leads to a paradoxical situation. When engineers ignore what is known about the physical world and design a technology that fails, we blame them for professional negligence. When they ignore what is known about human nature and design a technology that fails, we typically blame users for being technologically incompetent. The remedy would be for engineers to begin with a human or social need (rather than a technological possibility) and to focus on the interactions between people and technology (rather than on the technology alone). Technological systems can be designed to match human nature at all scales - physical, psychological, team, organizational, and political (Vicente, in press).

Computer Displays for Nuclear Power Plants

People are very good at recognizing graphical patterns. Based on this knowledge, Beltracchi (1987) developed an innovative computer display for monitoring the safety of water-based nuclear power plants. To maintain a safety margin, operators must ensure that the water in the reactor core is in a liquid state. If the water begins to boil, as it did during the Three Mile Island accident, then the fuel can eventually melt, threatening public health and the environment. In traditional control rooms, such as the one shown in Figure 1, operators have to go through a tedious procedure involving steam tables and individual meter readings to monitor the thermodynamic status of the plant. This error-prone procedure requires that operators memorize or record numerical values, perform mental calculations, and execute several steps.
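The hand procedure just described, looking up the saturation temperature for each measured pressure in a steam table and comparing it with the measured temperature to confirm the coolant is still liquid, is easy to see in code. The block below is an added example written for this page; it is not Beltracchi's display and not code from the cited studies. The saturation table is constructed from standard saturated-water steam-table values, rounded to 0.1 °C and to be treated as approximate, and the sensor readings are hypothetical. It computes the subcooling margin (saturation temperature at the measured pressure minus the measured temperature) and classifies each location against the saturation dome; a margin at or below zero is the boiling condition the text warns about.

```python
"""Subcooling-margin check for a water-based plant (example code, not
Beltracchi's display or the cited experiment). Automates the steam-table
comparison operators otherwise do by hand."""
from bisect import bisect_left

# Saturation temperature of water (deg C) versus absolute pressure (MPa).
# Constructed from standard saturated-water steam tables, rounded to 0.1 C;
# approximate example data, not a reference for plant use.
SATURATION_TABLE = [
    (0.1, 99.6), (0.5, 151.8), (1.0, 179.9), (2.0, 212.4), (5.0, 263.9),
    (7.0, 285.8), (10.0, 311.0), (12.0, 324.7), (15.0, 342.2), (16.0, 347.4),
    (17.0, 352.3), (18.0, 357.0), (20.0, 365.8),
]
_PRESSURES = [p for p, _ in SATURATION_TABLE]


def saturation_temperature(pressure_mpa):
    """T_sat(P) by linear interpolation between table rows.

    Pressures outside the table raise rather than extrapolate: a silently
    wrong saturation temperature would put the plotted point in the wrong
    region of the dome, which is worse than an explicit failure.
    """
    if not _PRESSURES[0] <= pressure_mpa <= _PRESSURES[-1]:
        raise ValueError(f"pressure {pressure_mpa} MPa outside table range")
    i = bisect_left(_PRESSURES, pressure_mpa)
    p_hi, t_hi = SATURATION_TABLE[i]
    if p_hi == pressure_mpa:
        return t_hi
    p_lo, t_lo = SATURATION_TABLE[i - 1]
    return t_lo + (t_hi - t_lo) * (pressure_mpa - p_lo) / (p_hi - p_lo)


def phase_state(pressure_mpa, temperature_c, alarm_margin_c=10.0):
    """Classify one (P, T) sensor pair against the saturation dome.

    Returns (state, subcooling_margin). Margin > 0 means liquid water;
    margin <= 0 means the water is boiling or already steam. The alarm
    threshold is a hypothetical value chosen for the example.
    """
    margin = saturation_temperature(pressure_mpa) - temperature_c
    if margin > alarm_margin_c:
        state = "subcooled"
    elif margin > 0:
        state = "low-margin"
    elif margin == 0:
        state = "saturated"
    else:
        state = "superheated"
    return state, round(margin, 1)


def check_readings(readings, alarm_margin_c=10.0):
    """readings: iterable of (location, pressure_MPa, temperature_C).
    Returns {location: (state, margin)} for every key location at once,
    the same set of points the graphical display would plot together."""
    return {loc: phase_state(p, t, alarm_margin_c) for loc, p, t in readings}


# Constructed sample readings: a core outlet with healthy margin, the same
# outlet after the coolant has heated toward saturation, and a steam outlet
# that is supposed to be superheated.
SAMPLE_READINGS = [
    ("core_outlet", 15.5, 320.0),
    ("core_outlet_degraded", 15.5, 340.0),
    ("sg_steam_outlet", 7.0, 290.0),
]

if __name__ == "__main__":
    for loc, (state, margin) in check_readings(SAMPLE_READINGS).items():
        print(f"{loc:22s} {state:12s} margin {margin:+.1f} C")
```

Run stand-alone, the script reports the core outlet as subcooled by 24.8 °C, the degraded reading as low-margin at 4.8 °C, and the steam outlet as superheated. In the temperature-entropy display the same comparison is made by eye, from where each plotted point sits relative to the saturated-liquid line, which is the point of the section: the code above is the arithmetic the display lets operators stop doing in their heads.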
Beltracchi’s display (Figure 2) is based on the temperature-entropy diagram found in thermodynamic textbooks. The saturation properties of water are shown in graphical form as a bell curve rather than in alphanumeric form as in a steam table. Furthermore, the thermodynamic state of the plant can be described as a Rankine cycle, which has a particular graphical form when plotted in temperature-entropy coordinates. By measuring the temperature and pressure at key locations in the plant, it is possible to obtain real-time sensor values that can be plotted in this graphical diagram. The saturation properties of water are presented in a visual form that matches the intrinsic human capability of recognizing graphical patterns easily and effectively. An experimental evaluation of professional nuclear power plant operators showed that this new way of presenting information leads to better interactions between people and technology than the traditional way (Vicente et al., 1996).

Framework for Risk Management

Public policy decisions are necessarily made in a dynamic, even turbulent, social landscape that is continually changing. In the face of these perturbations, complex sociotechnical systems must be robust. Rasmussen (1997) developed an innovative framework for risk management to achieve this goal (Figure 3). The first element of the framework is a structural hierarchy describing the individuals and organizations in the sociotechnical system. The number of levels and their labels can vary from industry to industry. Take, for example, a structural hierarchy for a nuclear power plant. The lowest level usually describes the behavior associated with the particular (potentially hazardous) process being controlled (e.g., the nuclear power plant). The next level describes the activities of the individual staff members who interact directly with the process being controlled (e.g., control room operators).
The third level from the bottom describes the activities of management that supervises the staff. The next level up describes the activities of the company as a whole. The fifth level describes the activities of the regulators or associations responsible for setting limits to the activities of companies in that sector. The top level describes the activities of government (civil servants and elected officials) responsible for setting public policy. Decisions at higher levels propagate down the hierarchy, and information about the current state of affairs propagates up the hierarchy. The interdependencies among the levels of the hierarchy are critical to the successful functioning of the system as a whole. If instructions from above are not formulated or not carried out, or if information from below is not collected or not conveyed, then the system may become unstable and start to lose control of the hazardous process it is intended to safeguard. In this framework, safety is an emergent property of a complex sociotechnical system. Safety is affected by the decisions of all of the actors - politicians, CEOs, managers, safety officers, and work planners - not just front-line workers. Threats to safety or accidents usually result from a loss of control caused by a lack of vertical integration (i.e., mismatches) among the levels of the entire system, rather than from deficiencies at any one level. Inadequate vertical integration is frequently caused, at least partly, by a lack of feedback from one level to the next. Because actors at each level cannot see how their decisions interact with decisions made by actors at other levels, threats to safety may not be obvious before an accident occurs. Nobody has a global view of the entire system. The layers of a complex sociotechnical system are increasingly subjected to external forces that stress the system. 
Examples of perturbations include: the changing political climate and public awareness; changing market conditions and financial pressures; changing competencies and levels of education; and changes in technological complexity. The more dynamic the society, the stronger these external forces are and the more frequently they change. The second component of the framework deals with dynamic forces that can cause a complex sociotechnical system to modify its structure over time. On the one hand, financial pressures can create a cost gradient that pushes actors in the system to be more fiscally responsible. On the other hand, psychological pressures can create a gradient that pushes actors in the system to work more efficiently, mentally or physically. Pressure from these two gradients subjects work practices to a kind of "Brownian motion," an exploratory but systematic migration over time. Just as the force of gravity causes a stream of water to flow down crevices in a mountainside, financial and psychological forces inevitably cause people to find the most economical ways of performing their jobs. Moreover, in a complex sociotechnical system, changes in work practices can migrate from one level to another. Over time, this migration will cause people responding to requests or demands to deviate from accepted procedures and cut corners to be more cost-effective. As a result, over time the system’s defenses are degraded and eroded. A degradation in safety may not raise an immediate warning flag for two reasons. First, given the stresses on the system, the migration in work practices may be necessary to get the job done. That is why so-called "work-to-rule" campaigns requiring that people do their jobs strictly by the book usually cause complex sociotechnical systems to come to a grinding halt. Second, the migration in work practices usually does not have immediate visible negative impacts.
The safety threat is not obvious because violations of procedures do not lead immediately to catastrophe. At each level in the hierarchy, people may be working hard and striving to respond to cost-effectiveness measures; but they may not realize how their decisions interact with decisions made by actors at other levels of the system. Nevertheless, the sum total of these uncoordinated attempts at adapting to environmental stressors can slowly but surely "prepare the stage for an accident" (Rasmussen, 1997). Migrations from official work practices can persist and evolve for years without any apparent breaches of safety until the safety threshold is reached and an accident happens. Afterward, workers are likely to wonder what happened because they had not done anything differently than they had in the recent past. Rasmussen’s framework makes it possible to manage risk by vertically integrating political, corporate, managerial, worker, and technical considerations into a single integrated system that can adapt to novelty and change.

Case Study

A fatal outbreak of E. coli in the public drinking water system in Walkerton, Ontario, during May 2000 illustrates the structural mechanisms at work in Rasmussen’s framework (O’Connor, 2002). In a town of 4,800 residents, seven people died and an estimated 2,300 became sick. Some people, especially children, are expected to have lasting health effects. The total cost of the tragedy was estimated to be more than $64.5 million (Canadian). In the aftermath of the outbreak, people were terrified of using tap water to satisfy their basic needs. People who were infected or who had lost loved ones suffered tremendous psychological trauma; their neighbors, friends, and families were terrorized by anxiety; and people throughout the province were worried about how the fatal event could have happened and whether it could happen again in their towns or cities.
Attention-grabbing headlines continued unabated for months in newspapers, on radio, and on television. Eventually, the provincial government appointed an independent commission to conduct a public inquiry into the causes of the disaster and to make recommendations for change. Over the course of nine months, the commission held televised hearings, culminating in the politically devastating interrogation of the premier of Ontario. On January 14, 2002, the Walkerton Inquiry Commission delivered Part I of its report to the attorney general of the province of Ontario (O’Connor, 2002). The sequence of events revealed a complex interaction among the various levels of a complex sociotechnical system, including strictly physical factors, unsafe practices of individual workers, inadequate oversight and enforcement by local government and a provincial regulatory agency, and budget reductions imposed by the provincial government. In addition, the dynamic forces that led to the accident had been in place for some time - some going back 20 years - but feedback that might have revealed the safety implications of these forces was largely unavailable to the various actors in the system. These findings are consistent with Rasmussen’s predictions and highlight the importance of vertical integration in a complex sociotechnical system.

Conclusions

We must begin to change our engineering curricula so that graduates understand the importance of designing technologies that work for people performing the full range of human activities, from physical to political activities and everything in between. Corporate design practices must also be modified to focus on producing technological systems that fulfill human needs as opposed to creating overly complex, technically sophisticated systems that are difficult for the average person to use. Finally, public policy decisions must be based on a firm understanding of the relationship between people and technology.
One-sided approaches that focus on technology alone often exacerbate rather than solve pressing social problems. Because the National Academy of Engineering has unparalleled prestige and expertise, it could play a unique role in encouraging educational, corporate, and governmental changes that could lead to the design of technological systems that put human factors where they belong - front and center.

Acknowledgments

This paper was sponsored in part by the Jerome Clarke Hunsaker Distinguished Visiting Professorship at MIT and by a research grant from the Natural Sciences and Engineering Research Council of Canada.

References

Beltracchi, L. 1987. A direct manipulation interface for water-based Rankine cycle heat engines. IEEE Transactions on Systems, Man, and Cybernetics SMC-17: 478-487.
Bornhop, A. 2002. BMW 745i: iDrive? No, you drive, while I fiddle with the controller. Road & Track 53(10): 74-79.
Burns, C.M. 2000. Putting it all together: improving display integration in ecological displays. Human Factors 42: 226-241.
Hopkins, J. 2001. When the devil is in the design. USA Today, December 31, 2001. Available online at: www.usatoday.com/money/retail/2001-12-31-design.htm.
IOM (Institute of Medicine). 1999. To Err Is Human: Building a Safer Health System, edited by L.T. Kohn, J.M. Corrigan, and M.S. Donaldson. Washington, D.C.: National Academy Press.
O’Connor, D.R. 2002. Report of the Walkerton Inquiry: The Events of May 2000 and Related Issues. Part One. Toronto: Ontario Ministry of the Attorney General. Available online at: www.walkertoninquiry.com.
Rasmussen, J. 1997. Risk management in a dynamic society: a modelling problem. Safety Science 27(2/3): 183-213.
Robinson, A. 2002. BMW 745i: the ultimate interfacing machine. Car and Driver 47(12): 71-75.
Vicente, K.J. In press. The Human Factor: Revolutionizing the Way We Live with Technology. Toronto: Knopf Canada.
Vicente, K.J., N. Moray, J.D. Lee, J. Rasmussen, B.G. Jones, R. Brock, and T. Djemil. 1996. Evaluation of a Rankine cycle display for nuclear power plant monitoring and diagnosis. Human Factors 38: 506-521.