Human Factors Analysis using HMI Sequence Diagrams
Lance Sherry

Learning Objectives
Knowledge
• HMI
• HMI Steps (4)
• HMI-loop
• Cueing
• Failure Modes in Cueing
• Operationally Allowable Time Window (OATW)
Skills
• Create an HMI Sequence Diagram
• Interpret an HMI Sequence Diagram

Human Factors
• Study of the ability of the Human-Machine “system” to deal with mission surprises
• Need to understand the interaction between Humans and Machines

Human-Machine Interaction (HMI)
• All machines (i.e. vehicles, processing plants, systems) are controlled/managed by human operators
• The success of the mission is therefore directly attributable to the ability of the human-machine “system” to achieve the mission goals in the presence of an uncertain operating environment
– i.e. mission surprises
• Machine is vehicle/processing plant
– Includes automation

HMI
• “Machine” control/management is conducted through a cycle of interaction
1. Observe the environment and the status of the machine
2. Interpret the situation
3. Decide on the next action(s)
4. Act by manipulating parameters that control the machine

HME Interaction Loop
1. Change in environment is detected by machine sensors
2. Sensor information is processed and made available to cue the Operator
3. Operator interprets information and decides on appropriate action (if required)
4. Operator takes action by adjusting machine configuration
– Most commands coordinated through automation
5. Machine results in change in environment
• HME Interaction loop must be completed within the Operational Time Window
[Figure: sequence diagram with lanes Environment, Machine and Operator against Time: (1) Traffic appears and aircraft trajectory on course for Traffic Collision; (2) Traffic alert “pull up”; (3) Confirm traffic and verify pull-up is correct action; (4) Increase Rate of Climb; (5) Aircraft trajectory modified and no longer on collision course. Operational Time Window: Maximum Allowable Response Time.]

HMI Design an Afterthought?
• Emphasis on System/Machine Design
– Long history of engineering methods leading to robust integrated designs
– Model-based design practices
• HM Interaction Design is afterthought
– Short history of piece-meal approaches
[Figure: the traffic-alert sequence diagram (lanes Environment, Machine, Operator; steps (1) to (5)) annotated with two groups. System/Machine Design: System/Mission, Hardware, Software. HM Interaction Design: Ergonomics, Human Factors, Procedures, Training.]

Formal Method for HMI Design
1. Is the HMI feasible
– Machine is designed for Ease-of-Use
• supports Cue – Decide – Act Operator Actions
2. Is the HMI reliable
– HMI can be performed within operational time limits under all expected circumstances
3. Is the HMI robust to disruptions
– HMI can be performed reliably in the presence of disruptions
4. Comparing Alternate Procedures
– Utility Analysis

Organization
1. HMI Sequence Diagram
– HMI-loop
2. Ease-of-Use Evaluation
– Cueing, Decision, Action
3. Reliability Analysis
– Hazards and Operational Time Windows
– HMI Sequence Simulations
4. Robust to Disruptions
– Disruption Analysis

HMI Sequence Diagram
• Operator Actions:
1. Cue
2. Decide on appropriate action(s)
3. Execute action(s)
[Figure: HMI sequence diagram with lanes Machine and Operator: (1) Traffic alert “pull up”; (2) Confirm traffic and verify pull-up is correct action; (3) Increase Rate of Climb]

1. Ease-of-Use Analysis
• How seamless is HMI-loop?
• Direct cues/prompts to the next Operator action provide for seamless operation

HMI-loop
• Operator Actions:
1. Cue
2. Decide on appropriate action(s)
3. Execute action(s)
[Figure: HMI sequence diagram with lanes Machine and Operator: (1) Traffic alert “pull up”; (2) Confirm traffic and verify pull-up is correct action; (3) Increase Rate of Climb]

Cueing
(1-a) Direct signal from Environment
– Visual
– Tactile
– Aural
(1-b) Signal from Automation
– Visual
– Tactile
– Aural
(1-c) Signal from Long-term Memory
– Memorized
[Figure: HMI sequence diagram with lanes Environment, Machine and Operator (with WM and LTM): (1-a) Direct signal from Environment; (1-b) Signal from Automation; (1-c) Signal from LTM; (2) Confirm traffic and verify pull-up is correct action; (3) Increase Rate of Climb]

Failure Modes in Cueing
• Visual
– No visual cue (NVC)
– Visual cue present, but not in field of view (NFoV)
– Visual cue present and in field of view, but lost in clutter (CVC)
• i.e. competing visual cues
– Salient cue, but semantics of cue do not match semantics of action (VCSem)
• Tactile/Aural
– No cue (NTC, NAC)
– Cue present, but not in tactile/aural range for human sensory perception (NTR, NAR)
– Cue present and in range, but lost in noise (CTC, CAC)
– Salient cue, but cannot be interpreted (TCSem, ACSem)
• Cues button push with cue that does not match button label
– Salient and Semantically similar OR Frequent (S&S, Freq)

Failure Modes in Cueing
• Long-term Memory (Freq) (Inf) (Rare)
– Works fine for frequent events
– Is subject to failure for infrequent/rare events
• Note: Long-term Memory is the “back-up” for failures in Visual/Tactile/Aural cues

Failure Modes in Cueing
[Figure: HMI sequence diagram with lanes Environment, Machine and Operator (with WM and LTM), annotated with cueing failure modes: (1-a) Direct signal from Environment, NFoV; (1-b) Signal from Automation, VCC; (1-c) Signal from LTM, Rare; (2) Confirm traffic and verify pull-up is correct action; (3) Increase Rate of Climb]

Decision-making
(2-a) Decide on appropriate actions
(2-b) Decide based on retrieval from Working Memory
[Figure: HMI sequence diagram with lanes Environment, Machine and Operator (with WM and LTM): (1-a) Direct signal from Environment; (1-b) Signal from Automation; (1-c) Signal from LTM; Data placed in WM; (2-a) Decide on appropriate actions; (2-b) Data retrieved from WM; (3) Increase Rate of Climb]

Failure Modes in Decision-making
(2-a) Decide on appropriate actions
1. Automaticity (A)
• Procedure is well-defined (i.e. no gaps)
• Procedures/Habit/Practiced
• Fast and reliable
• Subject to (inadvertent) “slips”
2. Rule-based (RB, T&E)
• Procedure requires operator to fill in gaps
• Needs some thinking based on memorized rules
• “thinking” is generally done by Trial-and-Error (T&E)
• Slower and less reliable
• Subject to “mistakes”
3. Reasoning (R)
• No procedure
• Needs deep thinking based on information gathering and mental model trial-and-error
• Very slow and poor reliability
• Subject to deep errors in how things work (i.e. response to stimulus)
(2-b) Decide based on retrieval from Working Memory (RWM(t>10 secs))
– Data in WM decays in matter of seconds (7-10 secs)

[Figure: HMI sequence diagram with lanes Environment, Machine and Operator (with WM and LTM), annotated with decision-making failure modes: (1-a) Direct signal from Environment; (1-b) Signal from Automation; (1-c) Signal from LTM; Data placed in WM; (2-a) Decide on appropriate actions [μ = 7 secs, σ = 1.2]; (2-b) Data retrieved from WM, RWM(t>10 secs); (3) Increase Rate of Climb; label A]

Actions
• Manipulate Input Device
– Lever
– Button
– Knob
– Data Entry
• Keyboard
• Selection
• Cursor (point-and-click)

Failures in Actions
• Failure Modes
– Input device not in range (to reach) (NiR)
– Input device manipulation error (e.g. direction) (ME)
– Input device moded (i.e. works differently in different situations) (Mod)
– Input device manipulation not acknowledged (NAck)

Failure Modes in Actions
[Figure: HMI sequence diagram with lanes Environment, Machine and Operator (with WM and LTM), annotated with an action failure mode: (1-a) Direct signal from Environment; (1-b) Signal from Automation; (1-c) Signal from LTM; Data placed in WM; (2-a) Decide on appropriate actions [μ = 7 secs, σ = 1.2]; (2-b) Data retrieved from WM; (3) Increase Rate of Climb, Mod]

Example: Print from PowerPoint but Change Orientation Landscape to Portrait
[Figure: screenshots of the print workflow with the steps numbered 1 to 7, including Link: Printer Properties and the PRINT Button]

Task: Print from PowerPoint but Change Orientation Landscape to Portrait
(1) Draw an HMI Sequence Diagram, (2) Assign Failure Modes to each Operator Action
[Figure: blank HMI sequence diagram template with lanes Environment, Machine and Operator (with WM and LTM)]

Print from PowerPoint but Change Orientation Landscape to Portrait
[Figure: HMI sequence diagram with lanes Environment, Machine and Operator (with WM and LTM). Goal: Print but change Orientation to Portrait. The seven HMI loops (cue, decision mode, action):
1. Menu Bar: File, A, Click File
2. Menu Item: Print, A, Click Print
3. Link: Printer Properties, T&E, Click Printer Properties
4. Tab: Finishing, T&E, Click Tab Finishing
5. Orientation Radio Button, A, Click Portrait
6. Button: OK, A, Click OK Button
7. Button: Print, A, Click Print Button
Outcome: Print Menu page Closes; Printer hums and paper emerges. Cues are labelled S&S, Freq or CVC and actions are labelled OK.]
• Where are the likely failure points in the chain of HMI loops?
• How would you fix these?

2. Reliability Analysis
• How reliably, over a population of users, can the Procedure be completed within an Operationally Allowable Time Window (OATW)?

Defining the OATW
• OATW defined by:
– Hazards (in a dynamic system – e.g. collisions, performance envelope, energy limitations, …)
– Efficiency goals
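An added example (not from the original slides) of the reliability question above: it estimates the probability that the seven-step print procedure overruns an OATW, both analytically and by simulation, and shows the effect of turning one T&E step into an automatic one. Only the pair μ = 7 s, σ = 1.2 appears in the deck; applying it to T&E steps, the timing for A steps, and the OATW values used are assumptions.

```python
import math
import random

# Decision-time (mean, std dev) in seconds per decision mode.
# ASSUMPTION: (7.0, 1.2) is the only pair on the slides and is applied here
# to T&E steps; the value for A (automaticity) is constructed.
MODE_TIME = {"A": (1.5, 0.3), "T&E": (7.0, 1.2)}

# The seven HMI loops of the print example with the decision mode from the diagram.
PRINT_STEPS = [("Click File", "A"), ("Click Print", "A"),
               ("Click Printer Properties", "T&E"), ("Click Tab Finishing", "T&E"),
               ("Click Portrait", "A"), ("Click OK Button", "A"),
               ("Click Print Button", "A")]

def analytic_p_fail(steps, oatw):
    """P(total time > OATW) when step times are independent normals."""
    mu = sum(MODE_TIME[m][0] for _, m in steps)
    var = sum(MODE_TIME[m][1] ** 2 for _, m in steps)
    z = (oatw - mu) / math.sqrt(var)
    return 0.5 * math.erfc(z / math.sqrt(2))

def simulate_p_fail(steps, oatw, trials=20000, seed=1):
    """Monte Carlo estimate over a population of simulated users."""
    rng = random.Random(seed)
    late = 0
    for _ in range(trials):
        # Draw one time per step; negative draws are clamped to zero.
        total = sum(max(0.0, rng.gauss(*MODE_TIME[m])) for _, m in steps)
        late += total > oatw
    return late / trials

def redesign(steps, action, mode):
    """Return the procedure with one step's decision mode changed."""
    return [(a, mode if a == action else m) for a, m in steps]

if __name__ == "__main__":
    oatw = 23.0  # constructed OATW in seconds
    print("analytic :", round(analytic_p_fail(PRINT_STEPS, oatw), 4))
    print("simulated:", simulate_p_fail(PRINT_STEPS, oatw))
    fixed = redesign(PRINT_STEPS, "Click Printer Properties", "A")
    print("after fix:", analytic_p_fail(fixed, oatw))
```
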

Print from PowerPoint but Change Orientation Landscape to Portrait
[Figure: the same HMI sequence diagram of the seven print steps (decision modes A, A, T&E, T&E, A, A, A), annotated with the Operationally Allowable Time Window and the Probability of Failure to Complete]
• Where are the time consuming steps in the chain of HMI loops?
• How would you fix these?

Accident Investigation
• AF 447
– Automation sends deluge of “faults”
• Competing cues
• Conflicting cues
• No cues on what actions to take to resolve
• TK 1951
– Automation autonomously changes control mode (i.e. to a Land Mode despite the aircraft being airborne)
– Hides true intent (not to control speed) with functionally overloaded label (“RETARD”)
• OZ214
– Automation changes control mode based on pilot action
– Hides true intent (not to control speed) with functionally overloaded label (“HOLD”)

Accident Investigation
• Flight crew included on flight deck to:
1. Communicate with outside world (via voice)
2. Oversee systems that are not (yet) integrated
3. Intervene if systems behave inappropriately (for the current situation)
• Intervention:
– Monitor equipment designed to 10^-5 to intervene to achieve safety target of 10^-9
– Is this the best design?
• Asking humans to monitor for rare events that occur at 10^-4.
• Should pilots be held liable for not intervening in a 10^-4 scenario?
• Who is/should be responsible for solving this problem?