Category Archives: alarms

Hawaii False Alarm: The story that keeps on giving

Right after the Hawaii false nuclear alarm, I posted about how the user interface seemed to contribute to the error. At the time, sources were reporting it as a “dropdown” menu. Well, that wasn’t exactly true, but in the last few weeks it’s become clear that truth is stranger than fiction. Here is a run-down of the news on the story (spoiler: every step is a human factors issue):

  • Hawaii nuclear attack alarms are sounded, also sending alerts to cell phones across the state
  • Alarm is noted as false and the state struggles to get that message out to the panicked public
  • Error is blamed on a confusing drop-down interface: “From a drop-down menu on a computer program, he saw two options: ‘Test missile alert’ and ‘Missile alert.’”
  • The actual interface is found and shown – rather than a drop-down menu, it’s a set of closely clustered links on a 1990s-looking web page that say “DRILL-PACOM(CDW)-STATE ONLY” and “PACOM(CDW)-STATE ONLY”
  • It comes to light that part of the reason the wrong alert stood for 38 minutes was that the Governor didn’t remember his Twitter login and password
  • Latest news: the employee who sounded the alarm says it wasn’t an error; he heard this was “not a drill” and acted accordingly, triggering the real alarm

The now-fired employee has spoken up, saying he was sure of his actions and “did what I was trained to do.” When asked what he’d do differently, he said “nothing,” because everything he saw and heard at the time made him think this was not a drill. His firing is clearly an attempt by Hawaii to get rid of a ‘bad apple.’ Problem solved?

It seems like a good time for my favorite reminder from Sidney Dekker’s book, “The Field Guide to Human Error Investigations” (abridged):

To protect safe systems from the vagaries of human behavior, recommendations typically propose to:

    • Tighten procedures and close regulatory gaps. This reduces the bandwidth in which people operate. It leaves less room for error.
    • Introduce more technology to monitor or replace human work. If machines do the work, then humans can no longer make errors doing it. And if machines monitor human work, they can snuff out any erratic human behavior.
    • Make sure that defective practitioners (the bad apples) do not contribute to system breakdown again. Put them on “administrative leave”; demote them to a lower status; educate or pressure them to behave better next time; instill some fear in them and their peers by taking them to court or reprimanding them.

In this view of human error, investigations can safely conclude with the label “human error”—by whatever name (for example: ignoring a warning light, violating a procedure). Such a conclusion and its implications supposedly get to the causes of system failure.

AN ILLUSION OF PROGRESS ON SAFETY
The shortcomings of the bad apple theory are severe and deep. Progress on safety based on this view is often a short-lived illusion. For example, focusing on individual failures does not take away the underlying problem. Removing “defective” practitioners (throwing out the bad apples) fails to remove the potential for the errors they made.

…[T]rying to change your people by setting examples, or changing the make-up of your operational workforce by removing bad apples, has little long-term effect if the basic conditions that people work under are left unamended.

A ‘bad apple’ is often just a scapegoat that makes people feel better by giving them a focus for blame. Real improvements in safety come from improving the system, not from getting rid of employees who were forced to work within a problematic system.

‘Mom, are we going to die today? Why won’t you answer me?’ – False Nuclear Alarm in Hawaii Due to User Interface


Image from the New York Times

The morning of January 13th, people in Hawaii received a false alarm that the state was under nuclear attack. One of the messages people received was via cell phone, and it said: “BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER. THIS IS NOT A DRILL.” Today, the Washington Post reported that the alarm was due to an employee pushing the “wrong button” when trying to test the nuclear alarm system.

The quote in the title of this post is from another Washington Post article where people experiencing the alarm were interviewed.

To sum up the issue, the alarm is triggered by choosing an option from a drop-down menu, which had options for “Test missile alert” and “Missile alert.” The employee chose the wrong option and, once it was chosen, the system had no way to reverse the alarm.

A nuclear alarm system should be held to particularly high usability standards, but this system didn’t even conform to Nielsen’s 10 heuristics. It violates:

  • User control and freedom: Users often choose system functions by mistake and will need a clearly marked “emergency exit” to leave the unwanted state without having to go through an extended dialogue. Support undo and redo.
  • Visibility of system status: The system should always keep users informed about what is going on, through appropriate feedback within reasonable time.
  • Error prevention: Even better than good error messages is a careful design which prevents a problem from occurring in the first place. Either eliminate error-prone conditions or check for them and present users with a confirmation option before they commit to the action.
  • Help users recognize, diagnose, and recover from errors: Error messages should be expressed in plain language (no codes), precisely indicate the problem, and constructively suggest a solution.
And those are just the violations I could identify from reading the Washington Post article! Perhaps a human factors analysis will become required for these systems, as it is for FDA-regulated medical devices.
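
Just to make the point concrete, here is a minimal sketch of what “error prevention” and “user control and freedom” could look like for an alert-dispatch action: restate what is about to happen, require deliberate confirmation for the real thing, and leave a short cancellation window before anything irreversible goes out. This is purely hypothetical; the names (send_alert, CANCEL_WINDOW_S) and the 30-second window are mine, not anything from the actual Hawaii system.

    # Hypothetical sketch, not the real Hawaii alert software: it illustrates Nielsen's
    # "error prevention" and "user control and freedom" for an alert-dispatch action.
    import time

    CANCEL_WINDOW_S = 30  # grace period during which the operator can still abort

    def confirm(kind: str, message: str) -> bool:
        """Restate intent; typing the full word is deliberate friction before a live alert."""
        answer = input(f'You selected {kind}: "{message}". Type LIVE to send, anything else to abort: ')
        return answer.strip() == "LIVE"

    def send_alert(message: str, drill: bool) -> None:
        kind = "DRILL" if drill else "LIVE ALERT"
        if not drill and not confirm(kind, message):
            print("Aborted. Nothing was sent.")
            return
        # Visibility of system status, plus a last chance to undo before the action commits.
        print(f"{kind} will be sent in {CANCEL_WINDOW_S} seconds. Press Ctrl+C to cancel.")
        try:
            time.sleep(CANCEL_WINDOW_S)
        except KeyboardInterrupt:
            print("Cancelled before dispatch. Nothing was sent.")
            return
        print(f"{kind} dispatched: {message}")

    if __name__ == "__main__":
        send_alert("BALLISTIC MISSILE THREAT INBOUND TO HAWAII. SEEK IMMEDIATE SHELTER.", drill=True)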

    The Patient Writes the Prescription

    [Photo: Jeep dashboard display]

    I took the photo above in my brother-in-law’s 2015 Jeep Grand Cherokee EcoDiesel. It says “Exhaust Filter Nearing Full Safely Drive at Highway Speeds to Remedy.”

    I’d never seen anything like that before, and neither had he – it seemed like a terrible idea at first. What if the person couldn’t drive at highway speeds right then? Spending an unknown amount of time driving at highway speeds, wasting gas, also seemed unpleasant. My brother-in-law said that he had been having issues with the car before, but it wasn’t until the Jeep downloaded a software update that it displayed this message on the dashboard.

    My own car will be 14 years old this year (nearing an age where it can get its own learner’s permit?), so I had to adjust to the idea of a car that updated itself. I was intrigued by the issue and looked around to see what other Jeep owners had to say.

    I found another unhappy customer at the diesel Jeep forum:

    At the dealer a very knowledgeable certified technician explained to me that the problem is that we had been making lots of short trips in town, idling at red lights, with the result that the oil viscosity was now out of spec and that the particulate exhaust filter was nearly full and needed an hour of 75 mph driving to get the temperature high enough to burn off the accumulated particulates. No person and no manual had ever ever mentioned that there is a big problem associated with city driving.

    And further down the rabbit hole, I found it wasn’t just the diesel Jeep. This is from a Dodge Ram forum:

    I have 10,000K on 2014 Dodge Ram Ecodiesel. Warning came on that exhaust filter 90% full. Safely drive at highway speeds to remedy. Took truck on highway & warning changed to exhaust system regeneration in process. Exhaust filter 90% full.
    All warnings went away after 20 miles. What is this all about?

    It looks like Jeep added a supplement to their owner’s manual in 2015 to explain the problem:

    Exhaust Filter XX% Full Safely Drive at Highway Speeds to Remedy — This message will be displayed on the Driver Information Display (DID) if the exhaust particulate filter reaches 80% of its maximum storage capacity. Under conditions of exclusive short duration and low speed driving cycles, your diesel engine and exhaust after-treatment system may never reach the conditions required to cleanse the filter to remove the trapped PM. If this occurs, the “Exhaust Filter XX% Full Safely Drive at Highway Speeds to Remedy” message will be displayed in the DID. If this message is displayed, you will hear one chime to assist in alerting you of this condition. By simply driving your vehicle at highway speeds for up to 20 minutes, you can remedy the condition in the particulate filter system and allow your diesel engine and exhaust after-treatment system to cleanse the filter to remove the trapped PM and restore the system to normal operating condition.

    But now that I’ve had time to think about it, I agree with the remedy. After all, my own car just has a ‘check engine’ light no matter what the issue. Twenty minutes on the highway is a lot easier than scheduling a trip to a mechanic.

    What could be done better is the communication of the warning. It tells you what to do, and sort of why, but not how long you have to act or the consequences of not acting. The manual contains a better explanation of the why (although its 20-minute figure doesn’t match the 60-minute estimate of at least one expert), but not many people read the manual. The manual also doesn’t match the message: the manual says you’ll see a percentage full, but the message just said “nearing full.” The dash display should direct the driver to more information in the manual, or, with such a modern display, perhaps scroll to reveal more information (showing partial text so the driver knows to scroll). Knowing how long you have to act is the most critical piece, and maybe a percentage would convey that, since the driver can probably assume he or she can keep driving until it gets closer to 100% before taking action. As written, it looks as though the driver needs to find a way to drive at highway speeds right now, but hopefully that is not the case. I can’t say for sure, though, since neither the manual nor the display told me.
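
    Purely as a sketch of the kind of message I would rather see (the function name, the 100% service threshold, and the wording are my own inventions; only the 80% trigger and the 20-minute figure come from the manual supplement above), something like this would tell the driver how much room is left and what happens if nothing is done:

        # Hypothetical sketch of a more informative exhaust-filter warning.
        # The 80% trigger and the 20-minute regeneration figure come from the owner's
        # manual supplement quoted above; everything else is invented for illustration.

        WARN_AT = 80       # % full at which the manual says the message appears
        CRITICAL_AT = 100  # % full; assumed point at which a dealer visit would be required

        def exhaust_filter_message(percent_full: int) -> str:
            if percent_full < WARN_AT:
                return ""  # no message below the warning threshold
            headroom = CRITICAL_AT - percent_full
            return (
                f"Exhaust filter {percent_full}% full. "
                f"Drive at highway speeds for about 20 minutes to clean it. "
                f"If it reaches {CRITICAL_AT}% (about {headroom}% of capacity remains), "
                f"dealer service may be required. See 'Exhaust Filter' in the manual."
            )

        print(exhaust_filter_message(90))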

    String of Workplace Incidents Leads to Death

    A restaurant owner was found deceased in a walk-in cooler, but not for reasons one might expect. You can read the full article here, and I’ll provide a quick summary below.

    • An electrical outage prompted the restaurant to fill the cooler with dry ice to prevent spoilage
    • The button for exiting the cooler from the inside had been broken for some time
    • One of the owners went to check on the food at an unusual time, because he was worried it might be spoiling
    • No one was scheduled to be at the restaurant, which was closed due to the power outage, for many hours after his visit
    • He triggered an alarm, but police treated it as a false alarm when the restaurant appeared closed and locked
    • Unable to exit the cooler, he was overcome by the carbon dioxide and died

    The case includes:

    • A minor incident (power outage) prompting unusual behavior (use of dry ice, checking on the food in the evening)
    • Failure to maintain safety equipment (the exit button)
    • Questionable design of safety equipment (Why use a button instead of a door handle?)
    • Response bias to a likely “false alarm”

    Pilots forget to lower landing gear after cell phone distraction

    This is back from May, but it’s worth noting. A news story chock-full of the little events that can add up to disaster!

    From the article:

    Confused Jetstar pilots forgot to lower the wheels and had to abort a landing in Singapore just 150 metres above the ground, after the captain became distracted by his mobile phone, an investigation has found.

    Major points:

    • Pilot forgets to turn off cell phone and receives distracting messages prior to landing.
    • Co-pilot is fatigued.
    • They do not communicate with each other before taking action.
    • Another distracting error occurred involving the flap settings on the wings.
    • They do not use the landing checklist.

    I was most surprised by that last point – I didn’t know that was optional! Any pilots out there want to weigh in on how frequently checklists are skipped entirely?


    Photo credit slasher-fun @ Flickr

    New automation will warn drivers of lane changes

    Ford is introducing a system that first warns the driver of an unintended lane departure, then actually steers the car back if the warning is ignored. From the USA Today article:

    When the system detects the car is approaching the edge of the lane without a turn signal activated, the lane marker in the icon turns yellow and the steering wheel vibrates to simulate driving over rumble strips. If the driver doesn’t respond and continues to drift, the lane icon turns red and EPAS will nudge the steering and the vehicle back toward the center of the lane. If the car continues to drift, the vibration is added again along with the nudge. The driver can overcome assistance and vibration at any time by turning the steering wheel, accelerating or braking.
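
    As I read that, the system steps through discrete stages of escalation. Here is a rough sketch of that logic as I understand it from the article; it is not Ford's actual EPAS code, and the drift thresholds are invented for illustration:

        # Rough sketch of the escalation described in the USA Today quote; not Ford's
        # actual implementation. "drift" is a made-up 0-to-1 measure of how far the car
        # has moved toward the lane edge without a turn signal.

        def lane_keeping_response(drift: float, turn_signal_on: bool) -> list[str]:
            if turn_signal_on or drift < 0.5:
                return []                                    # intentional or negligible: do nothing
            if drift < 0.7:
                return ["icon yellow", "vibrate wheel"]      # first warning: simulated rumble strips
            if drift < 0.9:
                return ["icon red", "steering nudge"]        # warning ignored: nudge toward center
            return ["icon red", "steering nudge", "vibrate wheel"]  # still drifting: nudge plus vibration

        # In a real system, steering, accelerating, or braking would override any of these.
        print(lane_keeping_response(0.75, turn_signal_on=False))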

    Is this going to be as annoying as having Rich Pak’s phone beep every time I go over the speed limit (which is A LOT)? Just kidding – stopping a drifting car could be pretty great.


    LOLcat photo credit to ClintCJL at Flickr.

    Verdict Reached for Air France Rio Crash

    The BBC has reported that the incident analysis of the Air France crash that killed 228 people attributed the accident to a lack of pilot skill in dealing with a high-altitude stall.

    Here is a link to the BEA report from the Bureau d’Enquetes et d’Analyses. It’s a frightening read, as they give a moment-by-moment analysis of the last minutes in the cockpit. No emergency was ever declared and there did not appear to be any mechanical failures. It appeared that the flight crew thought events were under control the entire time (despite the alarms).


    Photo credit Vin Crosbie at Flickr.

    False Alarms in the Hospital

    NPR pointed me to a two-part series in the Boston Globe examining the incessant din of patient alarms.

    The monitor repeatedly sounded an alarm — a low-pitched beep. But on that January night two years ago, the nurses at St. Elizabeth’s Medical Center in Brighton didn’t hear the alarm, they later said. They didn’t discover the patient had stopped breathing until it was too late.

    These were just two of more than 200 hospital patients nationwide whose deaths between January 2005 and June 2010 were linked to problems with alarms on patient monitors that track heart function, breathing, and other vital signs, according to an investigation by The Boston Globe. As in these two instances, the problem typically wasn’t a broken device. In many cases it was because medical personnel didn’t react with urgency or didn’t notice the alarm.

    They call it “alarm fatigue.” Monitors help save lives, by alerting doctors and nurses that a patient is — or soon could be — in trouble. But with the use of monitors rising, their beeps can become so relentless, and false alarms so numerous, that nurses become desensitized — sometimes leaving patients to die without anyone rushing to their bedside.

    This is a very well-studied topic in human-automation interaction research. We can understand why false alarms are so prevalent in healthcare settings: if you were hooked up to a patient monitoring device, would you rather have a) a machine that misses some important changes but doesn’t beep very often (low false alarm rate + high miss rate) or b) one that constantly beeps to let you know of the possibility that something is wrong but is also frequently wrong (high false alarm rate + low miss rate)? You’d probably pick option b because of the inherent risk in missing a life-threatening critical event.
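
    To make the trade-off concrete, here is a toy simulation in the spirit of signal detection theory (all of the numbers are invented): lowering the alarm threshold catches nearly every true event but buries the nurse in false alarms, while raising it quiets the ward at the cost of missed events.

        # Toy signal-detection illustration of the false-alarm / miss trade-off.
        # Every number here is invented; the point is the shape of the trade-off.
        import random

        random.seed(1)
        EVENT_RATE = 0.02  # assume 2% of monitored intervals contain a true critical event

        def simulate(threshold: float, n: int = 100_000) -> tuple[float, float]:
            """Return (false alarm rate, miss rate) for a given alarm threshold."""
            false_alarms = misses = events = non_events = 0
            for _ in range(n):
                event = random.random() < EVENT_RATE
                # The monitored signal is noisy; true events push it higher on average.
                signal = random.gauss(1.5 if event else 0.0, 1.0)
                alarm = signal > threshold
                if event:
                    events += 1
                    misses += not alarm
                else:
                    non_events += 1
                    false_alarms += alarm
            return false_alarms / non_events, misses / events

        for threshold in (0.5, 1.5, 2.5):
            fa, miss = simulate(threshold)
            print(f"threshold={threshold:.1f}  false alarm rate={fa:.1%}  miss rate={miss:.1%}")

    With these made-up numbers there is no threshold that keeps both rates low at once, which is exactly the bind the hospital monitors (and the nurses listening to them) are in.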

    But, as research has shown in the past (and the linked articles demonstrate), a high false alarm rate can have very detrimental effects on the person monitoring the alarms. Keep in mind: the nurses in the story DO NOT WANT to ignore the alarms! The article walks a fine line near blaming the user (though it doesn’t quite do that). The sheer number of alarms makes it difficult for nurses and other healthcare workers to differentiate true critical events from false alarms.

    Automation in healthcare is a topic I’ve recently dipped my toes into, and it’s fascinating and complex. Here are some papers on false alarms and how operators/users are affected.

    Dixon, S., Wickens, C. D., & McCarley, J. S.  (2007).  On the independence of compliance and reliance: Are automation false alarms worse than misses?  Human Factors, 49(4), 564-572.

    Meyer, J.  (2001).  Effects of warning validity and proximity on responses to warnings.  Human Factors, 43(4), 563-572.

    (photo: flickr user moon_child; CC by-NC 2.0)

    Honesty Hurts (especially when design is poor)

    I enjoy the mix of economics and psychology, which is why I am a faithful reader of the Freakonomics blog. Their recent podcast on “pain” started off with a good human-factors-related tale about the problematic design of a subway alarm system. I have included a link below to the podcast, but the quick overview is that an ear-piercing alarm is triggered by using the “emergency” exit, which is invariably used every day by someone wanting to get out faster than the turnstiles permit.

    The person breaking the rules hears the alarm for the shortest period of time and faces no repercussions. The law-abiding citizens waiting in line to exit get to listen to it the longest.

    Link to the podcast

    Photo Credit Wavebreaker @ Flickr