[SystemSafety] Fwd: Re: power plant user interfaces

Les Chambers les at chambers.com.au
Tue Jul 21 03:51:25 CEST 2015


Carl
Your point sounds reasonable. ... But then there is Elon Musk who forswears
just about anything that isn't novel, and in the process may completely
reinvent the way we travel in automobiles, suck power from the sun and move
through space. His latest biography by Ashlee Vance is required reading for
any systems engineer. Whatever you may think about slow, steady, safe
evolution, Musk is what's happening today. It's worth a thread in itself.
Should we be excited about this? Or just very afraid?
Cheers
Les


-----Original Message-----
From: Carl Sandom [mailto:carl at isys-integrity.com] 
Sent: Thursday, July 16, 2015 6:03 PM
To: Les Chambers; 'Smith, Brian E. (ARC-TH)'; 'Steve Tockey'; 'Peter Bernard
Ladkin'; 'The System Safety List'
Subject: RE: [SystemSafety] Fwd: Re: power plant user interfaces

Remarkable things happen when strong opinions are subjected to peer review.

When I made the comment: "...metaphors are not often used unless they have
become the norm as there are obvious risks involved in using novel
solutions." You replied:

On 16 Jul 2015, at 10:02 am, Les Chambers <les at chambers.com.au> wrote:
> Disagree: try explaining any concept without using a metaphor. Human
> beings do this naturally. You can't avoid it just as you can't avoid the
> fact that HMI is a metaphor and seeking out better metaphors is the key to
> better design. The comment '... risks involved in using novel solutions'
> smacks of the old kernel: 'what has not been done before should not be done'.

I didn't say don't use metaphors in HMI design. What I did say was that the
use of *novel* metaphors in safety-related systems presents risks that I
would have thought were obvious. I don't advocate a 'what has not been done
before should not be done' approach. I do however support a cautious and
evolutionary approach when using *novel* metaphors for safety-related
systems.

For example, the next generation of Air Traffic Management workstations may
be capable of showing 3D airspace models (DFS in Germany are testing them
now) but I predict that their use for actually providing Air Traffic Control
will be a long way off until 3D airspace models are accepted by ATCOs and the
training, procedures and ICAO rules etc. catch up.

Of course, we may have different assumptions about metaphors in the context
of HMI development. The silver bullet of HMI designers is to develop
metaphors that are universally understood by everyone intuitively, but there
is a lack of empirical evidence to show that is the case.

Anyway, time is money.....

Cheers
Carl
___________________________
Dr. Carl Sandom CErgHF CEng FIET
Director
iSys Integrity Limited
10 Gainsborough Drive
Sherborne
Dorset, DT9 6DR
United Kingdom
+44 (0) 7967 672560
Carl at iSys-Integrity.com
www.iSys-Integrity.com
___________________________


-----Original Message-----
From: systemsafety-bounces at lists.techfak.uni-bielefeld.de
[mailto:systemsafety-bounces at lists.techfak.uni-bielefeld.de] On Behalf Of
Les Chambers
Sent: 16 July 2015 01:02
To: 'Smith, Brian E. (ARC-TH)'; 'Steve Tockey'; 'Peter Bernard Ladkin'; 'The
System Safety List'
Subject: Re: [SystemSafety] Fwd: Re: power plant user interfaces

I find this conversation remarkable. I've always thought that this list is
an ongoing psychology experiment. We have an interesting cross-section of
opinion, all of which is understandably driven by the background of the
authors. We are what we know, we all have our special brand of hammer and we
all look for our familiar nails. 
Some of the responses below reveal a disagreement on what a metaphor is. I
like the poet Robert Frost's definition (well summarised by Steve):
explaining this in terms of that where this is new and that is familiar.
Frost offered this in a speech he made circa 1934 and it has gained a
substantial currency in the literature.

I would put it to the unbelievers that a user interface IS a metaphor. It is
not a question of finding or not finding a metaphor for a particular system.
When you create an HMI you create a metaphor. The question then becomes: is
it a good one or a bad one? If it's a bad one you're building an unsafe
system. For example, the concept Steve described of having actual state and
required state indicators for a control valve is a thing we call I/O pairs
in chemical processing. It is part of the DNA of the control systems
designer.

My comments on some of the responses:

> Very much agree, Steve, it's not possible to find a metaphor for every
> system.
Disagree: if you can't find a good metaphor don't deploy the system, you
could be creating a hazard.

> The whole point of a metaphor is to take something that the person is
> already familiar with--like how a railroad switching yard works--and use
> that to help them understand something they don't know about-
Agree: see above

>A good case can be made that formal logic is as metaphorical as it gets. 
Agree: as long as the output of the logic provides status information that
is understandable by an operator. I note that in writing complex state
transition logic we often purposely did not use logic simplification
techniques. Instead we opted for something that could be read and understood
by someone other than the author of the code. If this meant wordy code so be
it.

> metaphors are not often used unless they have become the norm as there
> are obvious risks involved in using novel solutions.
Disagree: try explaining any concept without using a metaphor. Human beings
do this naturally. You can't avoid it just as you can't avoid the fact that
HMI is a metaphor and seeking out better metaphors is the key to better
design. 
The comment '... risks involved in using novel solutions' smacks of the old
kernel: 'what has not been done before should not be done'. 

>There is a fair amount of math and logic involved. No metaphors.
>Key to good HMI is rigorous formal analysis. There are other key processes.
Disagree: I have faith that, if the author of this comment spent substantial
time working with operators in a control room, living with the system he
designed and deployed, he would not have this opinion. 40 years ago when I
walked out of university with a shiny new electrical engineering degree I
would have totally agreed with him. It took plant operators all of six
months to beat that opinion out of me.
Five years later I found myself in a control room on an island in the Hong
Kong archipelago, in an engineering sense, very much alone and responsible
for a critical system (the plant was very close, on the other side of a
six-inch-thick concrete blast wall). English was the operators' second language.
Maths and logic were hygiene factors, necessary but not sufficient for safe
operation. The operators were having a problem remembering the name of a
particularly important control utility that ramped the reactor temperatures
as the feed rate changed. I changed its name to SEX. They never forgot it.

Metaphors rule!

Cheers
Les



