8.1 Introduction

One of the central challenges in designing stable control systems is to identify the “states” that must be fed back to enable successful control. These states must allow a controller to anticipate the future consequences of actions (or inaction). For example, it is impossible to control an inertial vehicle (e.g., a car) with feedback of position only. Velocity must also be fed back, since it provides the basis for anticipating future positions. Further, the relative weighting of position and velocity used to decide when to initiate braking must reflect the dynamic capabilities of the brakes [6]. In other words, distance and velocity feedback, together with their relation to the braking dynamics, are what let drivers judge safe speeds and following distances and decide when to initiate braking.
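To make the braking argument concrete, here is an added simulation (my own illustration, not code from this chapter or from [6]) of a point-mass vehicle approaching a stopping point under two controllers: one fed position only, and one fed position and velocity. The model, the gains, the brake limit and the initial conditions are all assumed values chosen for illustration. With velocity feedback removed, the controller cannot tell whether it is approaching or receding from the target and drives the vehicle back and forth across it; with velocity weighted as a critically damped gain it stops. The `braking_distance` helper is the quantity the velocity term lets a driver anticipate: the actual stopping boundary, as opposed to a fixed speed-limit buffer.

```python
"""Added illustration (not from the chapter): position-only vs position+velocity
feedback for an inertial vehicle.

Model: a point-mass car on a straight road, x'' = u, with the acceleration
command u limited to +/- a_max by the brakes and throttle.

  position-only      u = -kp * (x - target)
  position+velocity  u = -kp * (x - target) - kd * v

All gains, limits and initial conditions below are assumed values chosen for
illustration; they are not taken from the chapter or its references.
"""


def simulate(kp, kd, target=100.0, x0=0.0, v0=20.0, a_max=5.0,
             dt=0.01, t_end=60.0):
    """Integrate x'' = u with the control law above and saturated u.

    Returns a list of (t, x, v) samples, one per integration step.
    """
    x, v = x0, v0
    traj = []
    for i in range(int(t_end / dt)):
        u = -kp * (x - target) - kd * v
        u = max(-a_max, min(a_max, u))   # brake / throttle limits
        v += u * dt                        # semi-implicit Euler: velocity first,
        x += v * dt                        # then position with the new velocity
        traj.append((i * dt, x, v))
    return traj


def overshoot_count(traj, target, band=0.1):
    """Count how often the vehicle crosses the target position.

    A +/- band of hysteresis around the target keeps tiny numerical wobble
    from being counted as a crossing.
    """
    crossings = 0
    side = None
    for _, x, _ in traj:
        if x > target + band:
            new_side = 1
        elif x < target - band:
            new_side = -1
        else:
            continue
        if side is not None and new_side != side:
            crossings += 1
        side = new_side
    return crossings


def settled(traj, target, pos_tol=1.0, vel_tol=0.1, tail_seconds=10.0):
    """True if, over the final tail of the run, the vehicle sits within
    pos_tol of the target and is essentially at rest."""
    dt = traj[1][0] - traj[0][0]
    tail = traj[-int(tail_seconds / dt):]
    return all(abs(x - target) < pos_tol and abs(v) < vel_tol
               for _, x, v in tail)


def critical_kd(kp):
    """Velocity gain that critically damps x'' = -kp*x - kd*v: kd = 2*sqrt(kp).

    kd is the 'weighting' given to velocity relative to position; a larger
    kd initiates braking earlier for a given closing speed.
    """
    return 2.0 * kp ** 0.5


def braking_distance(v, a_max):
    """Distance needed to stop from speed v with deceleration a_max: v^2/(2a).

    This is the real risk boundary that velocity feedback lets a driver
    anticipate; a speed limit is only a fixed buffer placed around it.
    """
    return v * v / (2.0 * a_max)


if __name__ == "__main__":
    target = 100.0
    for label, kd in (("position only", 0.0),
                      ("position + velocity", critical_kd(0.5))):
        traj = simulate(kp=0.5, kd=kd, target=target)
        print(f"{label:20s} crossings={overshoot_count(traj, target)} "
              f"settled={settled(traj, target)} final x={traj[-1][1]:.1f}")
    print("stopping distance from 20 m/s at 5 m/s^2:",
          braking_distance(20.0, 5.0), "m")
```

Running the script shows the position-only controller crossing the target repeatedly over the 60 s run while the position-plus-velocity controller crosses it at most once and settles; the braking distance of 40 m from 20 m/s is the boundary the second controller is effectively respecting.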

Generalizing this insight to complex, high-dimensional control problems, we conclude that the feedback provided to the controllers of these systems must make the states, and the patterns of constraint among the high-dimensional states of the system being controlled, salient to decision makers, so that they are better able to anticipate the consequences of their decisions and actions. However, in complex open systems the number of potentially relevant state variables can be large, and some of these variables may be difficult to measure or specify. One strategy for coping with this challenge is “defence in depth”: specify a tangible (well-specified) boundary or buffer that keeps the system away from risky situations (e.g., a speed limit). However, as [10] observed, defence in depth solutions are vulnerable to decay over time as people strive for greater efficiency and less effort (Fig. 8.1). Each time they drift past the “artificial” constraint, its power to influence behaviour diminishes, increasing the potential for an accident.

Fig. 8.1
Rasmussen's dynamic safety model. Pressure toward greater efficiency and less effort drives the operating point to drift across the safety buffers; once the buffers are crossed, the system enters risky situations and accidents become likely.

Rasmussen’s dynamic safety model showing drift across safety buffers

The point of Rasmussen’s dynamic safety model is that defence in depth is not sufficient. In addition to creating buffers to protect the system from risky situations, it is important to directly face the difficult challenge of making the actual risk boundaries visible (i.e., providing the feedback that operators need to anticipate and avoid dangerous situations). This insight is the motivation for the Ecological Interface Design approach for creating representations or visualizations for safety critical systems (e.g., [2, 11]).

In terms of interface design to support complex work, representations tend to be framed as either geometric analogues or metaphors that have multiple levels of structure to reflect the multiple levels of means-ends constraints associated with complex work (e.g., [2, 5]). For both analogical and metaphorical representations, there are two related principles that are fundamental to the quality of the representation: semantic mapping [3] and systematicity [7].

8.1.1 Semantic Mapping and Systematicity

The semantic mapping principle states that there should be a “one-to-one mapping between the invisible abstract properties of the process and the cues or signs provided by the interface” [11]. This principle emphasizes the importance of correspondence between meaningful properties of the dynamics of the work and properties of the associated analogy or metaphor. The most important properties for anticipating the consequences of action should be the most salient features in the representations. The goal is to help workers to directly “see” the future consequences of their decisions and actions (i.e., affordances—opportunities and risks).

The systematicity principle states that “a system of relations connected by higher-order constraining relations such as causal relations is preferred over one with an equal number of independent matches” [7]. This principle emphasizes the relations across multiple levels of constraint. The proposition is that the functional patterns across levels of constraint should correspond with similarly nested patterns within the representation. Complex work has been modelled as a nested hierarchy of constraints (e.g., [9]). In this context, systematicity reflects the degree to which the structure of the analogue or metaphor corresponds with this nested structure. For example, high orders of constraints (e.g., goals, values, safety) should be reflected in global properties (e.g., global symmetries) and lower orders of constraints (e.g., component interactions) should be mapped to local features nested within more global patterns (e.g., local symmetries).

Woods [13] addresses one aspect of systematicity with the construct of visual momentum. Recognizing that very complex work may need to be distributed across multiple display pages, Woods argued that the work must be parsed in a way that preserves both local and global coherence. Using the metaphor of film editing, he discusses several techniques for preserving global relations across multiple local display windows. In other words, the parsing of the work across multiple representations must respect the higher-order structural relations underlying the work dynamics. This is consistent with the principle of systematicity.

This is not only important for parsing work for an individual; the same principles apply to how we distribute information across multiple operators in a distributed work context. In building interfaces for distributed or polycentric control systems, the parsing of the work must preserve the multilevel structure of functional constraints, so that individuals see what is meaningful locally in relation to more global common goals and values. This is essential for achieving coordinated control.

I would like to make the case that these two principles (semantic mapping and systematicity) are fundamental to all forms of representation: computer interfaces, internal mental models created through training, posters, and movies. For example, just as an interface can be evaluated in terms of how well it maps the work semantics and layers information to reflect the levels of constraint in the work dynamics, so too can a movie be evaluated in terms of the structure of its narrative: how local patterns of events fit within more global themes, and how those local events relate to the higher-order values associated with safety.

Returning to the control theoretic context, an important implication is that a comprehensive work analysis is essential to designing appropriate representations and visualizations. That is, the goal of work analysis is to provide a model of the “state” space that reflects the underlying state variables and the patterns of constraint among them. While I am tempted to say that this is a prerequisite for designing effective visualizations, experience tells me that it is rather a co-requisite. This reflects my experience that visualizations themselves are critical to the process of work analysis. In 30 years of designing interfaces for sociotechnical systems, I have found that building concrete visualizations (e.g., wireframe interfaces) can be essential for knowledge elicitation with domain experts in order to discover the meaningful functional work constraints. The first interface concept generated on the basis of extensive work analysis is rarely sufficient. However, the initial concepts can be extremely valuable in engaging domain experts in a participatory design process. Often, the interactions involved in assessing and evaluating initial interface designs help us and the domain experts to gain a heightened awareness of the information feedback that is necessary for effective control. Thus, concrete representations can be essential for creating the common ground on which multidisciplinary collaborative design depends.

8.1.2 Some Examples

Figure 8.2 shows four examples of ecological interfaces. Although the representations are very different at the surface level, each was designed to make explicit the links between system states, actions, and risk. For example, Vicente’s [12] DURESS interface explicitly links the fluid flows through a feedwater control system with the mass and energy targets and with the ultimate safety constraints associated with balancing mass and energy. Amelink et al.’s [1] Total Energy Reference Path interface is designed to help pilots see and understand the relation between manipulations of their controls (e.g., stick and throttle) and a safe balance between kinetic and potential energy during landing. The Cardiac Consultant interface [8] is designed to make explicit the links between various clinical and behavioural measures and the risk of cardiovascular disease. Finally, the RAPTOR interface [4] includes a Force Ratio display as an explicit indication of the risks associated with military engagements.

Fig. 8.2
Four illustrations of ecological interfaces: (a) Vicente's DURESS interface; (b) the Total Energy Reference Path interface; (c) the Cardiac Consultant interface; (d) the RAPTOR interface.

Ecological interfaces are designed to help operators better see the factors that impact safe operations

8.2 Summary

In sum, the point is not to eliminate defence in depth protections, but to understand that defence in depth protections alone will often not be sufficient. It is not a question of either defence in depth or representation design. Rather, for safety critical systems it is dangerous to rely on either alone; we need both. For example, in driving, speed limits and lane markings provide important safety buffers, but safety can be further improved by adding feedback about actual risks (e.g., blind spot displays). Thus, in addition to safety buffers, it is important to face up to the challenge of providing the feedback that will help operators to anticipate and respond to the actual boundaries of safe operation. The essential point is that control requires the ability to anticipate the consequences of decisions and actions. For safety, this means the ability to anticipate risks in time to take action to avoid or mitigate them. The physical and mental visualizations that people use to assess the “state” of the system determine their ability to anticipate risks. Today, designers have a wide range of opportunities to shape these visualizations through many different media. However, independent of the medium, the quality of a visualization depends fundamentally on how well it maps onto the functional semantics of the work being performed. The meaningful functional constraints must be salient, and the organization of those constraints must systematically correspond to the multilevel relations that shape the functional work dynamics. In essence, the quality of control (including safety) will ultimately depend on our ability to visualize the state space underlying the functional dynamics of the work being managed.