Design-Safety Relationship

"The way we understand safety affects how we consider Human Factors in an air traffic control (ATC) environment."

People create Safety

In the meanwhile, this sentence has been adopted by many organisations, air navigation service providers (ANSP), EUROCONTROL and CANSO. Alongside the phrase "Safety First”, they represent the core values of a modern safety management.

A relationship between humans and safety therefore seems obvious. The conclusions drawn from this relationship depend on the safety theories applied.

The way we understand safety affects how we consider Human Factors in an air traffic control (ATC) environment. Therefore, it is important to have a definition of safety in the first place before discussing how Human Factors can contribute in this very specific domain.

Traditionally, safety is defined as the absence of unwanted outcomes such as accidents or loss of separation. ICAO puts it this way: Safety is “the state in which the possibility of harm to persons or of property damage is reduced to, and maintained at or below, an acceptable level” and that “the elimination of aircraft accidents and/or serious incidents remains the ultimate goal” (ICAO, 2013).

It is relatively easy to recognise unsafe events once they have occurred, which makes a negative term definition attractive. This does not require defining the actual characteristics of a safe system. It is like defining brightness as the absence of darkness. The downside of a negative term definition is that it limits the space for safety improvements because it takes safety as given as long as no risks have been identified. Safety is measured by its absence not its presence. Consequently, the safety reports are rather a measure of unsafety than safety.

This perspective is also reflected in many accident reports. They usually include a huge compilation of all investigated causes and contributing factors that undermined safety and led to the unwanted consequence. The underlying assumption is that the system is basically safe and the human operator is seen as the weak and unreliable part in it.

Understanding human error and improving human performance are the reason why traditionally Human Factors is located in the safety management department and safety and HF/E are closely connected in the ATC domain. Human Factors became very popular because the discipline is concerned with cognitive work in general and human error in particular. The idea of Human Factors integration in this perspective is that if human errors are analyzed and understood by Human Factors experts in a systematic manner, adequate actions can be taken in order to avoid human errors or at least reduce the risk of occurrence.

One example of this is the accident of Air France Flight 447 (AF 447), a flight from Rio de Janeiro to Paris, which experienced a stall situation and crashed into the Atlantic. An obstruction of the pitot probes by ice crystals led to an inconsistency between the measured airspeeds, autopilot disconnection and a reconfiguration to alternate law. According to the report, the accident resulted from the following succession of events (BEA, 2012):

• Temporary inconsistency between the measured airspeeds, likely following the obstruction of the pitot probes by ice crystals, which led in particular to autopilot disconnection and a reconfiguration to alternate law;
• Inappropriate control inputs that destabilised the flight path
• The crew not making the connection between the loss of indicated airspeeds and the appropriate procedure;
• The PNF’s (pilot not flying) late identification of the deviation in the flight path and insufficient correction by the PF (pilot flying);
• The crew not identifying the approach to stall, the lack of an immediate reaction on its part and exit from the flight envelope;
• The crew’s failure to diagnose the stall situation and, consequently, the lack of any actions that would have made recovery possible;

These findings are an expression of the same safety understanding as given by ICAO: In general, all flights are safe. There were specific events, especially triggered by the crew that made AF 447 exceptionally unsafe. If the crew had made the appropriate control inputs, the right connection between the loss of indicated airspeed and the appropriate procedure, an in-time identification of the deviation in the flight path, had carried out sufficient corrections and diagnosed the stall situation, this flight would have been safe as well.

This shows the consequences of a negative term definition of safety: A lot can be said about why systems are unsafe, but little about what actually makes systems safe. This is where HF/E needs to question whether they want to design safety or just prevent unsafety. The design of safety goes far beyond the prevention of unsafety. Design is something that necessarily happens before any risk evaluation or incident. One key question is how operators can be supported in making safe decisions and carrying out adequate actions in hazardous situations.

The “Miracle on the Hudson”, US Airways Flight 1549 is an interesting example in this context, because the incident had a positive outcome. After a loss of thrust in both engines, the pilots were able to ditch the Airbus A320 on the Hudson River. All passengers survived. Obviously, not the absence but the presence of something led to a positive result. The final report names the following contributing factors to the survivability of the accident (NTSB, 2010):

• 1. the decision-making of the flight crew members and their crew resource management during the accident sequence
• 2. the fortuitous use of an airplane that was equipped for an extended overwater flight, including the availability of the forward slide/rafts, even though it was not required to be so equipped
• 3. the performance of the cabin crew members while expediting the evacuation of the airplane
• 4. the proximity of the emergency responders to the accident site and their immediate and appropriate response to the accident.

This case apparently included several aspects that produced safety. Human Factors needs to be better in understanding these aspects in order to design the conditions and circumstances of safety-related working environments. Besides dealing with probabilities, risk assessment and risk mitigation, this document promotes a new understanding of safety, which actively analyses how the system produces safety in day-to-day operations and how this “production process” can be supported.

The idea is not new, but is currently being discussed under the term “Resilience Engineering” and “Safety-II”. Just as Safety-I was defined as a condition where as little as possible went wrong, Safety-II is defined as a condition where as much as possible goes right. The absence of failures (of things that go wrong) is a result of active engagement. In order to ensure that a system is safe, we need, therefore, to understand how it succeeds rather than how it fails (Hollnagel, 2014). Consequently, safety is something a system does rather than something it has (Hollnagel, Woods, & Leveson, 2006).

As soon as we use the concept of Safety-II as a basis, safety seems quite naturally linked to design, especially if we do not restrict the term “design” to technological systems, but working systems as a whole. Design can complement and steer the behaviours of operators in everyday situations as well as in critical situations.

For this, US Airways Flight 1549 is a suitable example, as well. According to the report, the pilot suffered task saturation resulting from the emergency situation. Fortunately, the captain started the auxiliary power unit with the result that the airplane remained in normal law and maintained the flight envelope protections. Among other things, the flight envelope protections aid the pilot to maintain a safe angle of attack and prevents the aircraft from stalling. Stalling is a serious danger, especially at low airspeeds. Due to this support feature, the captain could focus on maintaining a successful flight path while the system managed the risk of stalling. This example supports the idea that well-elaborated design can directly support safety.

As soon as the human contribution to safety is acknowledged, it becomes apparent how workplace and process design can reinforce safety. To do this, a deep understanding of the work and interactions involved is essential. Only if we better understand the mechanisms behind how people exactly create safety in day-to-day operations we are able to induce safety by design.

Design-Human Factors Relationship

At this point, this white paper deduces the interrelation between design and safety. Beyond that, how is design inter-related with Human Factors? For all Human Factors experts, this should not be a question at all, as the answer is part of the discipline’s self-conception. The International Ergonomics Association (cf. IEA, 2018) and ISO 6385 (2016) use Human Factors and Ergonomics synonymous and define both as follows: “Ergonomics (or human factors) is the scientific discipline concerned with the understanding of interactions among humans and other elements of a system, and the profession that applies theory, principles, data and methods to design in order to optimise human well-being and overall system performance.”

This definition directly emphasises the importance of design as an integral part of the discipline. Dul et al. (2012) deduced three fundamental characteristics of HF/E, i.e.:

• 1. takes a systems approach;
• 2. is design driven;
• 3. focuses on two closely related outcomes: performance and well-being;

The postulation of a systems approach aims for an integrated perspective of ergonomic aspects. Its meaning remains unclear and is currently controversially discussed within the community. There is no common understanding of which characteristics denote a systems approach in HF/E. Thus, no models or methods have been established that can ensure the application of a systems approach. As a starting point, Wilson (2014) suggests the following definition for a system:

“A system is a set of inter-related or coupled activities or entities (hardware, software, buildings, spaces, communities and people), with a joint purpose, links between the entities which may be of state, form, function and causation, and which changes and modifies its state and the interactions within it given circumstances and events, and which is conceptualised as existing within a boundary; it has inputs and outputs which may connect in many-to-many mappings;

Or as Meadows (2008) puts it: “The basic principle of a system is that it is something more than a collection of its parts. Systems thinking consists of three things: elements, interconnections, and a function (for non-living systems) or purpose (living systems). The least obvious part of the system, its function or purpose, is often the most crucial determinant of the system’s behaviour”.

Even though the exact structure of a systems approach remains unclear, there seems to be broad agreement that such an approach should focus on the interdependencies among different system components rather than single system elements in isolation (cf. Wilson, 2000; Carayon, et al., 2014). According to the second fundamental characteristic, HF/E is design driven, which means that real-work systems are examined. There are no “theoretical” work systems. This “action view” (cf. Helander, 1997) separates HF/E from many other disciplines.

Norros (2014) assumes that the design orientation is the largest challenge for the discipline. The specific demands of practitioners regularly collide with the scientific idea of a general validity. Therefore, she suggests that researchers should only be concerned with practitioners’ questions, if available general knowledge is not sufficient.

This perspective neglects the high complexity of today’s work systems: In most cases, the application under given restrictions and boundaries is the crucial part of system design. Salas (2008) and Meister (1999) argue that scientific findings often lack clear implications for practice.

Furthermore, many findings from research papers cannot be directly transferred to problems in practice. Especially in laboratory studies, the controlled factors are often of higher interest to practitioners than the actual investigated variable (cf. Wilson, 2000; Chapanis, 1988; Chiles, 1971). Therefore, the application in practice is accompanied by many uncertainties, which makes the relevance of this knowledge questionable for many practical problems. The difficulties of knowledge application in practice are discussed under the term “researcher-practitioner gap” (cf. Salas, 2008; Dekker & Nyce, 2004; Buckle, 2011; Chung & Shorrock, 2011). Ultimately, the application of HF/E in design is still connected with several problems. If, however, HF/E is to be a design-driven discipline as depicted by Dul (2012), foundational research is not sufficient. Instead, methods and approaches are needed that help to address specific HF/E challenges in complex organisations such as ANSPs. The pure production of new knowledge will not help to tackle the practitioners’ problems, which arise from complexity rather than from lacking knowledge. As a design-driven discipline, methods should be provided that help to deal with this complexity.

The third characteristic of HF/E is that it focuses on two closely related outcomes: performance and well-being. It sets the overall objective of HF/E and splits it up into a performance goal and a humanitarian goal. The performance goal is not formulated as “human performance” or “work performance”. Instead, the definition uses the term “overall system performance” to reflect the idea of a spanning systems approach.

Complex projects typically have several conflicting goals from very different disciplines that need to be managed. Subsequently, one task of HF/E is to contribute to finding a proper solution, having overall system performance and all its interdependencies in mind. In Europe, the high-level measurements of overall system performance are often categorised into safety, capacity, environment and cost efficiency. While the impact on capacity, cost efficiency and environment can be measured, it remains unclear how to include safety in this equation. In the sense of Safety-I, it would be the absence of incidents. This again does not seem very attractive for a complex organisation like an ANSP and is particularly not in line with the idea of Safety-II. A qualitative safety approach could be more appropriate for this. However, this discussion leads far beyond the scope of this study. For this, more research is needed on how to integrate the idea of Safety-II into organisational safety management systems.

The humanitarian goal of optimising human well-being seems difficult to operationalise as well. This is particularly true if it is to go beyond the pure physical integrity of workers. There are some frameworks available that address human well-being, but they are more suitable for manual workers than cognitive workers. Hacker & Sachse (2014), for example, suggest four different levels: On the lowest level, the work has to be performable within the limits of human capabilities. The next level requires that the work can be performed without physical harm to the person. The third level demands that the work is not unreasonable (with respect to the payment, for example). Finally, the possibility for the individual development is placed on the fourth level. This model, however, seems not very suitable for cognitive work, as only the uppermost level seems relevant, while the lower three can be (more or less) neglected.

Newer concepts try to figure out why people go to work at all and what motivates them beyond payment and other extrinsic factors. The basic assumption is that well-being requires the job to produce individual meaning for the worker. The literature discusses different universal human needs that can induce meaningful experiences for workers. Based on Sheldon, Elliot, Kim, & Kasser (2001), Hassenzahl, Diefenbach, & Göritz (2010) describe and define six needs that can address human well-being. These are Autonomy, Competence, Relatedness, Popularity, Stimulation and Physicalness. Marc Hassenzahl elaborates this perspective of human well-being further in his contribution below. Although overall system performance seems to be a more tangible HF/E objective, the six needs nicely illustrate that human well-being is still a relevant matter that goes far beyond occupational healthcare and work-life-balance.

The following table gives an overview of the conceptual framework for a better HF/E integration into design. With this in mind, HF/E can contribute to addressing both: overall system performance and human well-being.

Conceptual Framework for HF/E in Design

A Perspective on Human Well-Being and Meaningful Work and Its Relevance to the ATC World

Article by Prof. Marc Hassenzahl

Technology plays a crucial part in our daily working lives. For example, air traffic controllers use a plethora of devices, software and physical arrangements to carry out their daily routines of guiding, communicating with and safeguarding aircraft. Of course, we expect these technologies to function properly, to be efficient and easy to use. Overall, the goal is to create a sociotechnical system made of humans and technologies to allow for the most trouble-free air traffic possible. Automation is a key ingredient for this.

Understanding the contribution of technology to meaningful work

In general, automation substitutes know-howintensive and allegedly error-prone human activity with technology. What is often overlooked in the endeavour to streamline work is the impact on the human in the system. In fact, the negative consequences of automation on work satisfaction are already well-understood: People feel alienated, they de-skill and feel less responsible for the outcome of a system, they are actually meant to supervise and steer. This is just one example of an important insight:

Technologies are not just neutral ingredients of a work arrangement – they shape work practices as well as the subjective meanings people derive from work. Even subtle changes can have great impact. For example, when air traffic controllers insist on using tangible artefacts, such as flight strips, to manage flights, this tangibility might be crucial for feeling in control of an otherwise quite abstract work, where blips of light represent hundreds of people, whose lives depend on the work of the controller. From a narrow perspective of instrumentality, it does not necessarily matter in what exact manner certain information is presented and handled.

From a broader perspective of experience and meaning, controllers might especially care about certain details, such as tangible flight strips, since they impact how work “feels” and whether it remains “meaningful” to them. As a consequence, insisting on particular aspects of a given technology should not be equated with stubbornness or a general resistance to change on the behalf of the user. Quite the contrary, it is often a consequence of short-sightedness on behalf of technology design and development, which has an impoverished view of the actual richness of human experience created through technology. Placing human experience in the centre

If we place human experience in the centre of technology design, crucial questions will change. While organisations strive towards more efficiency, they must balance efficiency with creating meaningful jobs. What is important is a good understanding of what makes certain work practices meaningful and enjoyable for practitioners. While many organisations have substantial descriptive knowledge about work procedures, tasks and regulations, they often dismiss experienced meaning and enjoyment as too subjective, far outside their influence. In addition, they lack methods to actually explore meaning of work in detail.

However, only if an organisation is aware of which particular elements of work practices are satisfying can the impact of a novel technology on work truly be assessed. To give an example: Assume that informal exchanges between air traffic controllers and pilots via radio add to meaningful work, since they fulfil air traffic controllers’ need for social exchange. In this sense, pilots become “co-workers” or part of the “team”, and it is only natural to know their names, to make some light jokes and to wish them a good flight. Strictly speaking, this exchange is not “necessary” from an organisational point of view and could be automated or more heavily restricted. However, for the humans in the system this element of their work practice might fulfil an important psychological need, which strongly adds to their work satisfaction.

Designing for Well-Being

While it is good to scrutinise changes in the technological arrangements with regard to their impact on people’s experience of work before actually introducing a new technology, it is better to pro-actively design technology with human experience in mind. An approach is Experience Design, often also called Design for Well-Being (Diefenbach & Hassenzahl, 2017; Hassenzahl, et al., 2013). In a nutshell, Design for WellBeing (DfW) starts from positive, that is, meaningful and/ or enjoyable, everyday experiences. Think for a second and try to remember a moment during the last week, when you enjoyed work and thought that it contributed to your personal growth. On a closer look, those moments will be linked to a small number of particular psychological needs.

Humans experience joy and meaning in work, when they master a challenging task (need for competence); when they can make their own choices (autonomy); when they feel close to other people, they care about (relatedness); when they discover interesting and stimulating new things (stimulation); when they influence and inspire other people (popularity); when they have calming routines (security); or when they experience their body, feel healthy and agile (physicalness) (see figure).

Broaden the scope

Any technology inevitably shapes work practices. Its particular design facilitates particular ways of thinking and doing and obstructs others. Typically, technology design focuses on ways to make work more efficient, overlooking many other ways to improve work through technology.

Organisations that care about their human capital and the health and well-being of their workforce should thus focus on the role of technology in increasing well-being. Take the workplace of air traffic controllers as an example: They almost entirely work through technology – they “see” through displays and perceive work through abstract representations of planes; they “act” through phones and radios.

Any introduction of a new technology, be it automation, artificial intelligence or digital flight strips, will impact work and its meaning tremendously. A human-centred design of those technologies, which is sensitive towards the experiences, emotions and motives of the humans involved, can ensure that the technology will actually contribute to the well-being of the most crucial elements of a socio-technical systems: people.

Source: White Paper on Human Factors Integration in ATM System Design, EUROCONTROL, 2019

The White Paper is available on Bookshelf here: White Paper on Human Factors Integration in ATM System Design