1 Why Does Standardization Matter for HCI?

Standardization has the effect of making things fit. A folded sheet of paper of a standard size fits into an envelope. Nuts fit on screws. Besides governing the safety of products, standards also govern such things as services, methods and management systems. According to ISO, the International Standards Organization, an International Standard provides rules, guidelines or characteristics for activities or for their results, aimed at achieving the optimum degree of order in a given context.

Standards support economic activity, facilitate international trade, and often permit access to markets. Companies can reduce their costs by applying standards rather than reverting to solutions of their own that entail long development times.

Standards also contribute to safety at work. Although they are often not immediately evident, they influence the world of work by regulating safety conditions and thereby reducing the number of accidents. They also describe how the interaction between human beings and machines, including computers, is to be shaped. Standards have long been used as a point of reference for the design of human-computer interfaces (HCIs).

2 How Can Stakeholders Get Involved in the Standardization Process?

At first glance, the process of standards development seems opaque. However, numerous points exist at which influence can be brought to bear upon the text of a standard. HCI designers and OSH experts alike thus have the opportunity to play a part in shaping the content and quality of a standard, either indirectly or directly.

Every standardization project begins with the idea for a standard. In principle, anyone – not just institutions, but even individual members of the public – may submit an application for the development of a standard to their national standards institute, and thus literally set standards.

The national standards organization reviews whether the proposal should be taken up directly at international level at ISO, the International Standards Organization. If the ISO members (i.e. the national standards institutes) signal sufficient support for the proposal and their willingness to participate, and funding of the work is assured, ISO assigns the project to a Technical Committee (TC), which in turn assigns the work to one of its Working Groups (WGs). Whether a work item is taken up depends entirely upon the voting members of ISO. For this reason, it is particularly important to enlist the support of other countries in advance. Through active observation of standardization work in progress and cooperation with OSH experts in other countries, influence can be brought to bear upon the standardization process at an early stage.

Mirror committees support the standardization process at national level. The ISO members post delegates to the TC. The delegates present their respective national opinions and have the function of liaising between the international and national standardization levels. The ISO members post experts to the WG who primarily present their personal expert opinions. Positions can therefore best be presented through active involvement in the standardization activity at international level and in the mirror committees.

The WG produces a committee draft (CD), upon which the national standards organizations are required to comment within three months. If a consensus is reached, each ISO member submits the draft international standard (DIS) to a national public enquiry, in which all stakeholders are able to submit comments upon it to their respective national standards organizations. The comments are incorporated into the DIS, and the WG produces a final draft international standard (FDIS).

The FDIS is presented to the ISO members once again for voting. At this stage, the ISO members are able only to approve or reject the FDIS, or to abstain; comments on its content are no longer possible.

The adoption of international standards in the European or national bodies of standards is not mandatory. If international standards are to be adopted in the European body of standards, they can be modified with respect to the international version. However, the Frankfurt and Vienna Agreements are intended to promote adoption of international standards unchanged in the European body of standards.

International standards are reviewed routinely every five years. New comments can be submitted at this point. In addition, a reasoned request for review of a standard can be presented at any time.

3 Standardization, OSH and HCI

Product standards serve as the framework for the design of work equipment. To a large degree, the mandatory risk assessments to be performed by employers in Germany concern the use of these products as work equipment. If they are not designed with consideration for the manner of their use and the safety and health of their users, they may give rise to hazards and impairing stress. As a result, standardization processes are highly relevant to occupational safety and health when they concern OSH aspects not merely explicitly (this, however, violates the principles of standardization agreed in Germany [1]), but implicitly.

The body of regulations of the German Social Accident Insurance refers directly to the specific standards in order for compliance to be assured with the statutory OSH arrangements in the area of HCI. For example: “The statutory framework of the German Ordinances on workplaces and on VDU work, in conjunction with rules and standards currently in force, serve as the basis. DGUV Informative publication 215-450 concerning software ergonomics thus serves as the reference document for the German Social Accident Insurance in this area, and provides practical assistance. (…) The requirements of the standard can be applied both during assessment of interfaces of a software application already in existence or under development, and during the procurement of software” [2] (unofficial translation). Figure 1 summarizes the complex relationship between HCI and German OSH legislation. The relevant standards serve to support and detail the primary legislation.

Fig. 1. Pyramid showing OSH legislation relating to software ergonomics (see [2]; with kind permission of the DGUV)

The relationship between standardization, occupational safety and health, and HCI thus constitutes a framework for design activity that is binding upon HCI designers and product developers. It provides an opportunity for products not only to meet with high acceptance among users (good usability and UX), but also to assure a high level of legal security for commercial users and customers.

This relationship is illustrated below with reference to examples. The aspect of usability with reference to ISO 9241 [3] is considered, as is the issue of safety and security as a future sphere of standardization, and HCI.

3.1 Standardization and Usability

For a good decade, ISO 9241 has been an established reference framework for the design of interfaces for human-computer interaction that are usable and fit for purpose. It has been implemented in this time as an ISO and EN ISO standard, i.e. at international, European and national level. In practical terms it is therefore regarded as supporting the statutory German Ordinance on workplaces, which was updated in 2016. This item of legislation requires interfaces for human-computer interaction at the workplace to be subject to the requirements for the humane design of work. This enables impairing mental stress caused by operation of the equipment and actual hazards caused by incorrect operation to be reduced or even prevented. The original version of ISO 9241 has been followed by numerous supplements and specifications. The core of the standard continues to be the seven principles of dialogue design, which are described in the part “Ergonomics of human-system interaction” [3]. These principles are: suitability for the task; self-descriptiveness; controllability; conformity with user expectations; error tolerance; suitability for individualisation; and suitability for learning. The principles are increasingly being made the subject of the occupational safety of workers at work in the context of risk assessments, and also of upstream occupational safety and health in the context of product design.

The human-machine interface on a printer operated by touchscreen serves as an illustrative example of this relationship with reference to three of the seven principles concerning dialogues:

Suitability for the Task

The user must be able to complete his or her work task efficiently by means of the software. This typically includes the facility for recognizing the progress of work, the provision of all required information, and where applicable the provision of IT resources. For the example of the user interface of a printer, this means that the required settings for a paper format can be made; that information is displayed on a lack of suitable paper or a low toner level; and that the progress of a running print job is shown.

Self-descriptiveness

The interface must be sufficiently self-descriptive to be used intuitively at least by the intended user group. In other words, a highly specialized machine must be self-descriptive for experts, but not necessarily for unskilled personnel. Conversely, a printer is used by a large number of people with widely differing levels of training. In this case, the interface must be self-descriptive to a much broader user base. This includes feedback to the user on errors and/or successful progress of the work process. The printer interface thus provides clear indication of the options and reports successful completion of the print job, or interruptions in its progress.

Accordingly, a standard must also contain criteria for analysing the context, the tasks and the users, as has been the case in ISO 9241-210 since 2010 [4].

Conformity with User Expectations

Conformity with user expectations is derived from cognitive models of the users and the consistency of the design. In this context, “cognitive models” refers to the existing horizon of the users’ expectations. With regard to the printer’s user interface, this may mean for example that the structure of menus should already be familiar to users from their use of common operating systems. If this structure is also consistent, i.e. the print menu retains its logic across all hierarchical levels, the result is greater conformity with expectations, and unnecessary stress is avoided during use.

The dialogue principles, including the examples referred to here, ensure that good practice is observed. This benefits the designers of the interface on the one hand, and purchasers, users, and OSH experts in companies on the other.

3.2 Safety and Security

The digitalization of production (termed “Industry 4.0” in Germany) means that installations, machines and human beings are to be able to communicate with each other irrespective of product brand [5]. Even should direct human-computer interaction be reduced owing to high levels of networking and automated control (machine-to-machine communication), the issue will still be relevant to the HCI community, since direct HCI will be replaced by indirect HCI in this case. This aspect was referred to by Mark Weiser when speaking of “the computer for the 21st century” [6]: in ubiquitous computing, HCI refers to implicit interaction with interfaces that are absorbed into the environment within which human beings act, becoming regarded as a part of it. This aspect now also points to the fact that the HCI community must complete a transition, namely from the design of direct HCI to the design of indirect HCI in ubiquitous computing.

This presents a challenge, of which safety and security are a part. Smart manufacturing (described in more detail below) is one specific application scenario.

The accompanying increase in the level of networking results in more and more IT systems being used in production. As a result, industrial control systems (ICSs) are increasingly being targeted by the same cyberattacks as those affecting conventional office IT systems. This is where the aspects of safety and security converge.

A danger exists not only for infrastructures that are directly connected to the Internet, but also for those indirectly connected to it. Besides selective attacks, cyberattacks may also take the form of malware without a specific target [7]. Cyberattacks upon IT systems and industrial control systems can result in the safety of the machine or installation being impaired, thereby giving rise to hazards for human beings. Machines and installations must therefore address aspects not only of safety but also of security, in order for IT and industrial control systems to be protected against cyberattack and impairments to their safety. To provide a better understanding of the different aspects and the interdependencies between them, the essential strategies and objectives of safety and security will first be considered separately.

Safety and security are normally two quite distinct spheres. The safety of a system as a whole is determined by a large number of individual systems. These in turn may employ different technologies, such as mechanical, hydraulic, electrical, electronic, or programmable electronic technology. Safety is understood to be the freedom from unacceptable risk (refer for example to ISO/IEC Guide 51). The aspect of functional safety in particular is affected by issues of security. Functional safety applies to control systems of all kinds; it ensures that safety functions are executed correctly in the event of a fault. Functional safety contributes to overall safety, and also safeguards human health.

The strategy of functional safety is one of risk reduction. Following a risk assessment, the contribution to be made by each individual safety function that is performed by the control system is defined. The requirement is for a safe state to be reached in the event of a fault. This is synonymous with freedom from unacceptable risk. Safety functions are placed in “Categories” according to the probability of a dangerous failure of the safety function per hour. The greater the requirements upon the safety function, the higher the required Category.

By contrast, “security” essentially refers to the ability of an IT system to withstand attack and the associated disruptions and malfunctions. A range of strategies, such as “defence in depth” and “security by design”, are intended to assure this protection.

The specific measures to be taken for security depend upon the motivation of the attacker. A distinction is therefore drawn between a coincidental maloperation and an intentional attack employing considerable resources. This distinction is categorized by “security levels”, or SLs.

The greatest difference between safety and security is that security must address an attack scenario that is continually changing. By contrast, the threat to be addressed by functional safety does not change (provided the level of the accepted risk does not change, for example owing to ongoing development of the state of the art). This explains the difference between the strategies for implementing safety and security.

The increase in security-related threats gives rise to a new form of threat to safety: attacks on IT systems may have a negative effect upon their safety, irrespective of whether the attacks are targeted or not and whether machines and installations are connected directly or indirectly to the Internet.

The relationship between safety and security is currently the subject of heated discussion. Some experts consider a threat to safety and thus to human beings unlikely, since attackers, such as hackers, are pursuing business models based upon monetary gain. The business model may for example take the form of encryption that cripples the IT systems, making machinery and installations unavailable to the operator; the data are decrypted again only once a ransom has been paid. Attackers may however not be fully able to assess the consequences of manipulation; consequently, it may present a direct or indirect hazard to human beings. The general assumption that human health and safety cannot be the target of hacking attacks because this does not form part of the hackers’ business model is therefore incorrect.

In standardization, functional safety is largely described by the IEC 61508 series of standards serving as a generic standard, IEC 61511 for the process industry, and ISO 13849 and IEC 62061 for machinery. IT security is described by the IEC 62443 series; the standards in this series are currently being developed or revised.

Standards governing functional safety have existed for a long time. However, they do not consider the possible threats and hazards presented by networked machines. Very diverse standardization activities are therefore currently in progress concerning safety and security. For the most part, the purpose of these activities is to present the relationship between safety and security and to offer solutions by which the requirements of these different spheres can be met. IEC/TR 63069 and IEC 63074, currently under development, are examples worthy of mention. At ISO level, ISO/TR 22100-4 is currently being developed. This standard is intended to describe the relationship between ISO 12100, governing safety, and IT security for machinery. At national level in Germany, VDE Application Rule 2802-1 also exists. Further parts of this standard are to appear in the future.

Owing to the diversity of standardization activity in the area of safety and security, it is important that it be coordinated and its content reconciled across the standards organizations, in order to prevent overlap and duplication in standards development work. This also requires close cooperation between the respective experts, in order for them to acquire an understanding of the different philosophies.

3.3 Smart Manufacturing

A vision of the future is that custom products with a batch size of one will be available for the price of mass-produced products. This is to be made possible by “smart manufacturing”. One aspect of this is self-configuring production. The precise definition of “smart manufacturing” is currently being formulated in standardization work at ISO level by the “Smart Manufacturing Coordinating Committee”, SMCC [8]. Its publication is anticipated in the near future.

In order for the vision of self-configuring production to become reality, communication between the items of machinery and plant employed, irrespective of product manufacturer, is essential. Interfaces and communication protocols must therefore be standardized. Only then can industrial processes be organized and controlled for this purpose. Reference architecture models are therefore currently under development throughout the world:

The “Reference architecture model Industry 4.0”, or RAMI 4.0, is currently being developed in Germany. This model is focused upon manufacturing, and is being standardized by DIN SPEC 91345:2016-04. In the US, the Industrial Internet Consortium (IIC) is developing the Industrial Internet Reference Architecture, or IIRA for short.

The IIRA is broader in its scope than its German counterpart: for example it covers business processes in the public sector, energy, transport and health, in addition to manufacturing. In order for communication to be possible independently of the manufacturer, overlaps between different reference architecture models must be avoided. Activities and convergence initiatives have therefore already been launched to link RAMI 4.0 and IIRA in a suitable manner in the future [9]. These activities must be extended to include other reference architectures, in order to permit worldwide, manufacturer-independent communication.

4 Regarding the Role of the Commission for Occupational Health and Safety and Standardization (KAN)

In general KAN focuses on:

  • formulating fundamental OSH positions on important issues of the standardization process,

  • assessing the content of standards to determine whether they meet the OSH requirements from the German point of view and comply with the protection goals specified in European directives,

  • exerting influence on standardization programmes and mandates (mandates are issued by the European Commission to the private CEN/CENELEC standards bodies),

  • checking whether there is a need for standardization from the point of view of OH&S,

  • obtaining and providing or distributing information on standardization work for the OH&S experts.

“KAN (17 members) brings together the institutions concerned with Occupational Health and Safety (OH&S) in Germany.

KAN is composed of five representatives each from the employers, the trade unions and the State, (…) plus one representative each from DIN German Institute for Standardization and The Association for the Promotion of Occupational Health and Safety in Europe (VFA)/German Social Accident Insurance (DGUV), which represents the committees of experts of the statutory accident insurance institutions.

With the Social Insurance for Agriculture, Forestry and Horticulture (SVLFG) as a permanent guest, all statutory accident insurance institutions are thus involved in KAN’s work (…).

This essentially tripartite membership complies with the demand of the Machinery Directive 2006/42/EC (Art. 7 Par. 4) for an improvement in the involvement of the social partners in standardization. KAN has gone a step further by establishing one office each for the social partners at the Secretariat” (see KAN-Website).

In the field of digitalization numerous national and international standardization activities are currently in progress. “KAN considers it important for OSH aspects to be considered and addressed at an early stage during the standards development process. Cooperation and dialogue between the various standards organizations is also important in order for overlap to be avoided” [10].

The particular make-up of KAN includes the direct involvement of the social partners. The presenter of this paper represents the interests of the trade unions within KAN, and also on a number of advisory councils concerning digitalization at the German Federal Ministry of Labour and Social Affairs (BMAS) and in the research community (Hans Böckler foundation).

5 Conclusions

In the light of the diverse challenges facing the world of work owing to digitalization, the relationship between standardization, OSH and HCI cannot be ignored. Both usability (as discussed here with reference to the example of principles for dialogues) and the aspects of the safety and security of machinery and installations are crucial to the promotion of acceptance and safety, and also to compliance with national and international occupational safety and health regulations.

The relationship, formulated here with specific reference to HCI in the first instance, will develop at breakneck pace, irrespective of the development of technology as a whole. In the relationship described here, HCI developers and OSH experts will find a strategy for cooperation in the mutual interest.