Good and bad in the design of a Human Machine Interface (HMI)
When I was a very junior naval officer I was posted under training to sea in the engineering departments of the Australian Oliver Hazard Perry class frigates HMAS Sydney and Canberra. My job was to start at the bottom and work my way up through the watchkeeping organisation to obtain my Engineering Officer of the Watch ticket.
At the time these were the Navy’s state-of-the-art combatants, and as such they incorporated the latest, mid-1970s, digital computer control system (1).
The picture above is of the Propulsion Control Console (PCC), which was used to control the ship’s main propulsion plant from the ship’s Central Control Station (CCS) (2).
The Good. My first ship had been HMAS Stalwart, a destroyer tender built in the 1960s, and this was the first computer-controlled system I’d ever had to work with as an operator, and I found it a great system to use.
The control consoles were laid out in schematic form with pushbutton controls and gauges located adjacent to the related equipment diagram.
Functionally related indicators and controls were grouped using borders while colour was used to designate specific systems e.g., red for fuel, yellow for lube oil and so on.
The engine start sequence also had its own indicator group to provide task-related monitoring of that critical sequence.
The console was designed with a green board philosophy, so when watchkeeping it was very easy to monitor the board for changes in state.
An aviation style master caution ensured that critical alarms did not go unnoticed, although as a watch keeper you did need some discipline to find the specific alarm before hitting the master caution acknowledge.
Ergonomically the console was laid out well and sailors of all shapes and sizes could reach the critical controls without awkward accommodation.
And the Not So Good. But there were one or two design aspects that represented what we now know to be poor HMI design practice.
The first was the mirror reversal of the layout of the two gas turbine schematics. Looks good, but in practice you should avoid this, as when you’re cross-checking between the two pieces of plant there’s the chance of substituting (3) the reversed, wrong gauge or indicator.
188.8.131.52.1.4 Consistency. The location of recurring functional groups and individual items shall be similar from panel to panel. Mirror image arrangements shall not be used. MIL-STD-1472 (4).
You’ll also note that in the above picture some control/display groups on the console are mirrored, but in others not. This sort of subtle inconsistency of layout should also be avoided as it can again lead to substitution errors.
An example of the likelihood of such substitution error is given by Fitts and Jones (1947a) where out of a total of 460 errors made by pilots in operating cockpit controls, 229 (approximately 50%) were errors of substitution, while substitution errors in reading instruments accounted for 13% of the 270 pilot errors studied (Fitts & Jones 1947b).
The second and more specific issue was the location of the emergency stop and halon discharge push buttons. If you look at the picture above they’re the two red outlined covered push buttons on the top inboard corner of each gas turbine control group. Now grouping these two controls makes sense because in a gas turbine module fire you want to hit emergency stop and then dump halon as part of the casualty response drill.
However, because of their close location, like colour and shape, as well as sequential proximity, there is the introduced possibility of a PCS watchkeeper firing the halon rather than shutting down the engine. Of course with a gas turbine, if the engine is not shut down the halon goes ‘whoosh’ straight up the stack!
Sounds unlikely, but one day during a training team emergency drill the on-watch EOOW who was manning the console did just that… At the time I just chalked it up to the ‘human factor’, but looking back on it I kind of think that layout of these controls would have had something to do with it.
In practice the controls were ‘functionally’ grouped; however, you actually want to separate them spatially because a) you don’t want the wrong one pressed, and b) you want to build in an operator refractory period between shutdown and triggering of the Halon (5). So in this case separating the two controls would have been a better option.
1. The ECS provided remote start, monitoring and stop functionality for power generation and distribution, main propulsion with only limited monitoring and control for auxiliary and damage control systems. The ECS employed application specific software, running on dual processors. The network was based on a ship-wide cabling system for sensors and controls that uses shielded cables with a wire-braid sheathing. The monitoring systems for main propulsion, power, and auxiliary share a common ungrounded bus with the damage control subsystem on a separate bus.
2. What can I say, the navy loves its TLAs. 🙂
3. In which an incorrect control was operated in place of a correct one.
4. Basing controls on mirror versus place was studied by Pigg (1954), who found a short-lived temporal reduction of error rate for mirrored layouts when compared to place layouts, for changes in the hand used. A study by Limerick et al. (2010) found for a dual control workstation that there was no demonstrable error difference between mirror and place layouts, again for hand controls.
However, both studies used an experimental method based on a small number of controls; this is significantly different to a real world console in which there are multiple panels with replicated groups and items. Similarly the ecological effects of performance shaping factors such as stress, fatigue and task saturation were not considered by Fitts or Limerick.
So there remains a common sense argument that the location of recurring groups or items should be similar just to reduce cognitive workload and the possibility of substitution errors under pressure.
5. I can’t recall whether the Halon discharge sequence incorporated a timer to allow the engine to spool down. The GTE on twin shaft USN ships certainly does, as that system can be automatically triggered.
1. Burgess-Limerick, R., Krupenia, V., Zupanc, C., Wallis, G., & Steiner, L.J. (2010). Reducing Control Selection Errors Associated with Underground Bolting Equipment. Appl Ergon, 2010 Jul; 41(4):549-555.
2. Fitts, P.M., & Jones, R.E. (1947a). Analysis of factors contributing to 460 “pilot error” experiences in operating aircraft controls (Report No. TSEAA-694-12). Dayton, OH: Aero Medical Laboratory, Air Materiel Command, U.S. Air Force.
3. Fitts, P.M., & Jones, R.E. (1947b). Psychological aspects of instrument display. Analysis of 270 “pilot-error” experiences in reading and interpreting aircraft instruments (Report No. TSEAA-694-12A). Dayton, OH: Aero Medical Laboratory, Air Materiel Command, U.S. Air Force.
4. Pigg, L.D. (1954). Orientation of Controls in Bilateral Transfer of Learning. Master’s Thesis, The Ohio State University.