Use and Misuse of Safety Models in Design

Abstract

Operator models, or equivalent end-user models have become a standard prerequisite in most man-machine system design. Nowadays, the designer can choose among a great variety of models, e.g., behavioural models and competence models, and these models are available in a large range of granularity from quasineuropsychological models of memory to framework models of dynamic cognition. However, despite -or maybe because of- the variety of models, modelling the operator is still a land of contrasts within the industry, with multiple forms and meanings, and as result a feeling persists that these models, which are meant to be useful, are difficult to incorporate into the design process or the operations. This conference focuses on the development and use of cognitive models of human reliability, and tries to understand the biases and limitations of their use in design of safe systems within the industry. It is divided into three sections. The first section details the range of existing cognitive models of human reliability and proposes a classification of these models into four main categories: error production models, error detection and recovery models, systemic models, and integrated safety ecological models. The example of the Aviation Industry shows how difficult it has been in the recent past to incorporate the most advanced of these models into design, even though the same Industry has long complained that such cognitive operators’ models were not available. The second section tries to explain the reason for the relative failure. It shows the inter-dependency existing between the category of cognitive model, the safety paradigm, and the strategy for design. Severe drawbacks may occur each time a model is used with the wrong safety paradigm or the wrong strategy for design. It also shows that the more cognitively-based the model is, the less it is incorporated into design. The lack of education in psychology for designers, as well as the lack of a clear procedure for incorporating such models into design, are among the most important factors explaining this lack of success. The third and last section points to the new directions in cognitive modelling to improve the fit between operator modelling and design requirements.