244 research outputs found
Recommended from our members
Human Factors Standards and the Hard Human Factor Problems: Observations on Medical Usability Standards
With increasing variety and sophistication of computer-based medical devices, and more diverse users and use environments, usability is essential, especially to ensure safety. Usability standards and guidelines play an important role. We reviewed several, focusing on the IEC 62366 and 60601 sets. It is plausible that these standards have reduced risks for patients, but we raise concerns regarding: (1) complex design trade-offs that are not addressed, (2) a focus on user interface design (e.g., making alarms audible) to the detriment of other human factors (e.g., ensuring users actually act upon alarms they hear), and (3) some definitions and scope restrictions that may create “blind spots”. We highlight potential related risks, e.g. that clear directives on “easier to understand” risks, though useful, may preclude mitigating other, more “difficult” ones; but ask to what extent these negative effects can be avoided by standard writers, given objective constraints. Our critique is motivated by current research and incident reports, and considers standards from other domains and countries. It is meant to highlight problems, relevant to designers, standards committees, and human factors researchers, and to trigger discussion about the potential and limits of standards
Comparing the effectiveness of testing methods in improving programs: the effect of variations in program quality
We compare the efficacy of different testing methods for improving the reliability of software. Specifically, we use modelling to compare “operational” testing, in which test cases are chosen according to their probability of occurring in actual use of the software, against “debug” testing methods, in which the testers look for test cases which they consider likely to cause failure, or that satisfy some coverage criterion. We base our comparisons on the reliability reached by the program at the end of testing. Differently from previous studies, we consider the probability distribution of the achieved reliability, and thus the probability of satisfying specific requirements, rather than just the average reliability achieved. We take account of two sources of variation. The variation between the actual test histories that are possible for a given program and a given test method: and the fact that different programs start testing with different faults and initial reliability levels. By necessity, we use very simplified models of reality. Yet, we can show some interesting conclusions with important practical consequences. In general, there are stronger arguments in favor of operational testing than previous studies have show
Advantages of open source processes for reliability: clarifying the issues
Optimal discrimination between transient and permanent faults
An important practical problem in fault diagnosis is discriminating between permanent faults and transient faults. In many computer systems, the majority of errors are due to transient faults. Many heuristic methods have been used for discriminating between transient and permanent faults; however, we have found no previous work stating this decision problem in clear probabilistic terms. We present an optimal procedure for discriminating between transient and permanent faults, based on applying Bayesian inference to the observed events (correct and erroneous results). We describe how the assessed probability that a module is permanently faulty must vary with observed symptoms. We describe and demonstrate our proposed method on a simple application problem, building the appropriate equations and showing numerical examples. The method can be implemented as a run-time diagnosis algorithm at little computational cost; it can also be used to evaluate any heuristic diagnostic procedure by compariso
Protective wrapping of off-the-shelf components
System designers using off-the-shelf components (OTSCs), whose internals they cannot change, often use add-on “wrappers” to adapt the OTSCs’ behaviour as required. In most cases, wrappers are used to change “functional” properties of the components they wrap. In this paper we discuss instead protective wrapping, the use of wrappers to improve the dependability – i.e., “non-functional” properties like availability, reliability, security, and/or safety – of a component and thus of a system. Wrappers can improve dependability by adding fault tolerance, e.g. graceful degradation, or error recovery mechanisms. We discuss the rational specification of such protective wrappers in view of system dependability requirements, and highlight some of the design trade-offs and uncertainties that affect system design with OTSCs and wrappers, and that differentiate it from other forms of fault-tolerant design
Gaining assurance in a voter-verifiable voting system
The literature on e-voting systems has many examples of discussion of the correctness of the computer and communication algorithms of such systems, as well as discussions of their vulnerabilities. However, a gap in the literature concerns the practical need (before adoption of a specific e-voting system) for a complete case demonstrating that the system as a whole has sufficiently high probability of exhibiting the desired properties when in use in an actual election. This paper discusses the problem of producing such a case, with reference to a specific system: a version of the Prêt à Voter scheme for voter-verifiable e-voting. We show a possible organisation of a case in terms of four main requirements – accuracy, privacy, termination and “trustedness” – and show some of the detailed organisation that such a case should have, the diverse kinds of evidence that needs to be gathered and some of the interesting difficulties that arise
Use of computer-aided detection (CAD) tools in screening mammography: a multidisciplinary investigation
We summarise a set of analyses and studies conducted to assess the effects of the use of a computer-aided detection (CAD) tool in breast screening. We have used an interdisciplinary approach that combines: (a) statistical analyses inspired by reliability modelling in engineering; (b) experimental studies of decisions of mammography experts using the tool, interpreted in the light of human factors psychology; and (c) ethnographic observations of the use of the tool both in trial conditions and in everyday screening practice. Our investigations have shown patterns of human behaviour and effects of computer-based advice that would not have been revealed by a standard clinical trial approach. For example, we found that the negligible measured effect of CAD could be explained by a range of effects on experts' decisions, beneficial in some cases and detrimental in others. There is some evidence of the latter effects being due to the experts using the computer tool differently from the intentions of the developers. We integrate insights from the different pieces of evidence and highlight their implications for the design, evaluation and deployment of this sort of computer tool
Bayesian belief network model for the safety assessment of nuclear computer-based systems
The formalism of Bayesian Belief Networks (BBNs) is being increasingly applied to probabilistic modelling and decision problems in a widening variety of fields. This method provides the advantages of a formal probabilistic model, presented in an easily assimilated visual form, together with the ready availability of efficient computational methods and tools for exploring model consequences. Here we formulate one BBN model of a part of the safety assessment task for computer and software based nuclear systems important to safety. Our model is developed from the perspective of an independent safety assessor who is presented with the task of evaluating evidence from disparate sources: the requirement specification and verification documentation of the system licensee and of the system manufacturer; the previous reputation of the various participants in the design process; knowledge of commercial pressures; information about tools and resources used; and many other sources. Based on these multiple sources of evidence, the independent assessor is ultimately obliged to make a decision as to whether or not the system should be licensed for operation within a particular nuclear plant environment. Our BBN model is a contribution towards a formal model of this decision problem. We restrict attention to a part of this problem: the safety analysis of the Computer System Specification documentation. As with other BBN applications we see this modelling activity as having several potential benefits. It employs a rigorous formalism as a focus for examination, discussion, and criticism of arguments about safety. It obliges the modeller to be very explicit about assumptions concerning probabilistic dependencies, correlations, and causal relationships. It allows sensitivity analyses to be carried out.
Ultimately we envisage this BBN, or some later development of it, forming part of a larger model, which might well take the form of a larger BBN model, covering all sources of evidence about pre-operational life-cycle stages. This could provide an integrated model of all aspects of the task of the independent assessor, leading up to the final judgement about system safety in a particular context. We expect to offer some results of this further work later in the DeVa project
Increased creatine demand during pregnancy in Arginine: Glycine Amidino-Transferase deficiency: A case report
Background: Creatine (Cr), an amino acid derivative, is one of the most important sources of energy acting as both a spatial and temporal energy buffer through its phosphorylated analogue phosphocreatine (PCr) and creatine kinase (CK). Maternal Cr biosynthesis and metabolism seem to play an important role in pregnancy, as shown in preclinical and in healthy human pregnancy studies. Patients with Arginine:Glycine Amidino-Transferase deficiency (AGAT-d), due to the deficit of the first enzyme involved in Cr synthesis, are at a disadvantage due to their failure to synthesize Cr and their dependence on external intake, in contrast to normal subjects, where changes in Cr biosynthesis supply their needs. We report the outcomes of a pregnancy in an AGAT-d woman, and the challenge we faced in managing her treatment with oral Cr to ensure optimal conditions for her fetus. Case presentation: A 22-year-old AGAT-d woman referred to our Institute for the management of her first conception at 11 weeks of fetal gestational age. Sonographic monitoring at 20 w GA indicated a reduction of fetal growth, in particular of the head circumference that was below the 3rd centile. Biochemical monitoring of Cr in biological fluids of the mother revealed a decline of the Cr concentrations, in particular in the urine sample, requiring prompt correction of the Cr dose. At 35 weeks of gestation the patient delivered a male infant, heterozygous for GATM mutation, with normal brain Cr levels; at one year the baby achieved typical developmental milestones. Conclusions: This rare pregnancy demonstrates that Cr levels in the blood and urine of the mother with AGAT-d decreased since the first months of gestation. The increase of the Cr daily dose administered to the mother seems to have produced beneficial effects also on the fetus
Diversity for Safety and Security in Embedded Systems
We present ongoing work about how security and safety properties in embedded systems are affected by redundancy and diversity. The need to consider security requirements in the presence of malicious action creates additional design trade-offs besides those familiar in the design of safety critical and highly reliable systems. We outline the motivation for this work, an industrial case study, and the research direction we have taken