Empirical data is often gathered after an accident occurs, particularly if there
have been major consequences such as loss of life, severe environmental
damage or financial losses. Accident analysis involves collecting physical and
documentary evidence, and interviewing key witnesses. As a result of the
analysis an event diagram is created, describing the accident in detail by
portraying the chronological flow of events. The event flow diagram makes
explicit any unsafe actions, indicating those task steps that were not performed
correctly. However, erroneous human action per se cannot be observed. It is
impossible to know that an action is erroneous when we observe the action,
unless we interpret human action in a context, and observe or predict the
consequences of the actions. Given that the context of an action must be
considered, factors affecting human performance are added to the event diagram
to achieve a more sophisticated description of an accident. The understanding of
any accident scenario must be twofold, illuminating what actually happened,
along with the prior conditions that led to or exacerbated the situation.
The identification of human performance shaping factors is a vital part of accident
investigation, helping also to quantify human error probabilities. This technique
assesses various factors that determine the likelihood of human error or effective
human performance. These factors comprise the environmental context of a
work environment, including physical factors such as lighting, noise level and
thermal conditions, as well as conditions such as work patterns and pauses, and
shift rotation. Task characteristics are also considered, including the
characteristics of physical equipment, control panels, interfaces, various job-aids
and procedures, and the type of training provided. Finally, the organizational and
social environments are taken into account, including such factors as clarity of
responsibilities and management policies, and characteristics of individual
operators, such as physical condition, experience and the ability to cope with
The identification of human performance shaping factors is concerned with
performance generally, rather than human error exclusively. Thus, in theory,
when human performance shaping factors are optimal, human performance is
also optimal, though there is always some possibility for error.
Near-Miss Reporting is a valuable way of collecting empirical data. A near-miss
is any event that could have had negative consequences but did not. As the
name suggests, near-miss reporting is concerned with documenting, analyzing
and learning from ‘near-accidents’ experienced by an operating team.
Near-misses can be a rich source of information and opportunities to improve
system characteristics before accidents actually occur. Near-misses are more
frequent than accidents and this technique therefore produces more data for
analysis. Since near-misses happen more frequently than accidents, they can
serve to alert people to hazards and allow them to improve and maintain safety.
Unfortunately, near-miss reporting is not common practice in many industries.
However, in the field of aviation, critical incidents are systematically gathered by
soliciting reports from aircraft crews on a weekly basis, with assured
confidentiality. Without a guarantee of confidentiality the likelihood of obtaining
information would be very limited. Thus, the success of near-miss reporting
depends on a culture that is highly supportive and emphasizes the value of this
type of information whilst minimizing blame and punishment.
The use of simulations of human behavior can be traced back to the 1950s when
simulation methods were used in the design of aircraft controls. Simulations
range from simple mock-ups to sophisticated computer-driven system simulators,
spanning routine and complex activities. Simulations are often used to overcome
the limiting aspects of empirical data collection, producing unusual situations to
allow for the study of specific types of performance. This is particularly true
with regard to dangerous situations, in which a controlled environment is
Simulation is typically used to establish appropriate working methods,
ergonomics of control layout and design, identification of potential sources of
error and to derive training recommendations. At present we may simulate
certain aspects of a system, such as an interface, but in time we may be able to
simulate the human operator to study how humans perform under various
conditions. This could help to resolve the quantification problems in the study of
human performance and reliability.
Simulation allows observation of erroneous actions that otherwise would not be
possible. However the data obtained by simulation may not be accurate. One
disadvantage of this approach lies in the fact that simulation often cannot fully
replicate reality. For example, in a simulated situation, real stress such as risk to
life may be absent, making it difficult to reveal the true nature of human behavior.
Cognitive modeling may be understood as one type of simulation. It can provide
causal descriptions of performance, particularly of erroneous actions. It
originated in early works in psychological modeling and Artificial Intelligence.
One of the goals of cognitive modeling has been to provide an account of how
mental processes lead to observed behaviors that may or may not contain
erroneous actions. Understanding sequences of actions at the cognitive level
may facilitate the systematic treatment of erroneous actions in dynamic,
The strength of this approach is that it can account for complex actions that occur
during emergency operations as well as elementary actions such as basic
perceptual actions: discrimination or cued reaction. However, it is one level of
analysis and at this stage it cannot cover the full range of problems found in
work-studies. For any given erroneous action literally hundreds of causes can be
found at the level of cognitive functions, as the models run without any empirical
reference to context.
Methods for analyzing human performance and human error can be loosely
categorized as either qualitative or quantitative. The methods already described
in this article are predominantly qualitative. The descriptions that follow are
predominantly quantitative, and have emerged largely from the discipline of
traditional safety engineering.
From a safety engineering perspective, system reliability can be assessed by the
reliability of a mechanical component, which is assessed by repeating the
component function again and again until it breaks down.
Probabilistic Risk Assessment
In a sense, as Hollnagel states, the reliability of a human is currently assessed in
basically the same way as the reliability of a piece of equipment. First the
person’s tasks are identified by modeling a given accident scenario. The tasks
are then decomposed to determine task elements (for example a button press).
Next, error probabilities are assigned to each task element, which were
determined prior to the analysis by repeating the task step (in this case a button
press) again and again until a reliable probability value was obtained. Finally
probabilities are modified by the value of performance shaping factors, which are
numerical measurements that describe the context. The sum of the error
probabilities of the task element will determine the probabilities of the occurrence
of human error.
Human Reliability Assessment
A number of techniques known collectively as Human Reliability Analysis aim to
assist in making predictions about the contribution that humans make to the
overall reliability of some critical system. Human reliability analysis techniques
not only predict erroneous task performances but also assess the risk associated
with each error form. The risk associated with an event or combination of
events is typically defined as the product of the probability of an event occurring
and the consequences of the event. Therefore if a severe event occurs with a
small probability it may be considered as lower risk than an equally severe event
with higher probability.
Two very well-known Human Reliability Assessment methods are the Technique
for Human Error Rate Prediction (THERP) and the Human Error Assessment and
Reduction Technique (HEART).
Technique for Human Error Rate Prediction (THERP)
The THERP approach consists largely of a database of probabilities of different
kinds of human error, together with performance shaping factors. The analysis
starts off with a task analysis of the crew’s or operator’s work, graphically
representing this in event trees. Event trees are logical tree models designed to
model hypothetical system failures. They are used to consider the potential
outcomes of an initiating fault and probabilities of the subsequent failure of other
system elements. Human activities are broken down into task elements and
substituted for equipment outputs. The human error probabilities for the activities
of the task or the branches can be obtained from THERP tables. Together with
the task descriptions, performance-shaping factors such as stress and time
available are collected to modify probabilities according to the analyst’s
judgment. The result of the analysis is an estimate of the likelihood of a task
being carried out in error.
Human Error Assessment and Reduction Technique (HEART)
HEART takes a more rapid approach to quantification than THERP. Like THERP
it is based on tables of human error probability data, but it has a more scenario-
oriented function. This technique addresses not only the probabilistic
assessment of human error, but also designers’ responses to it, by providing a
number of generic remedial reduction strategies.
Time Reliability Techniques
While THERP focuses mainly upon procedural errors (e.g. leaving manual
valves in the wrong position), Operator Action Trees (OATS) focuses on
cognitive errors that take place after an accident sequence has been set off.
This method is based on a basic operator action tree that identifies the possible
post-accident operator failure modes. The analysis has enough sensitivity to
differentiate amongst three types of cognitive error: failure to perceive that an
event has occurred, failure to diagnose, and failure to implement necessary
remedial actions in a timely manner. These errors are quantified by applying
what is known as a time reliability curve, which describes the probability of failure
on a time scale as a function of the time interval between the moments at which
the relevant warning signals are obvious to when action should be taken to
realize successful recovery. The parameters of the time reliability curve are often
derived from experts, or guessed.
There are a number of analyses such as confusion matrix, models based on
mathematical framework, software products (e.g. SLIM-SAM, SLIM-SARAH)
that support experts in the connection of error probabilities to situation-specific
A detailed description of the various Human Reliability Analyses is beyond the
scope of this paper; however, some of the underlying problems with the methods
are summarized in the following section.
Underlying problems with the methods
The basic problem with quantitative methods is a lack of data to form the
foundation for the assignment of human probabilities to individual task elements.
Given that underlying databases are incomplete, experts are asked to provide
data that the databases cannot provide. This leads to the combination of
quantitative methods with subjective estimation.
Conventional human reliability analyses are useful in the case of routine, highly
skilled activities, in the sense that humans may be said to behave very much like
machines. There is not necessarily a great deal of conscious control or need for
cognition in the sense of reasoning and thinking. Simple analysis methods can
be adequate. However, for analyzing complex activities, involving consciousness,
reasoning and thinking, more complex methods are required.
Approaches to human reliability analysis are based on the idea that human
performance can be well estimated by focusing on the individual elements of the
performance, along with the idea that the reliability of the total performance can
be determined by summing the reliability of the individual performance elements.
Hollnagel states that this view neglects the possible interdependence or
interaction amongst the performance elements. The whole is more than the sum
of the parts, and therefore decomposing human performance to its elements and
assessing those elements to determine the reliability of human performance is
not a meaningful technique. Whilst decomposition is appropriate to engineering,
it may not be appropriate when the subject of analysis is a human being.
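
An added example (not from the original article) of the quantification described under Probabilistic Risk Assessment: it applies performance shaping factors to element error probabilities, sums them as the text describes, and compares that sum with a full walk of the binary event tree. The task names, probabilities and PSF values are constructed; treating a PSF as a multiplier and the elements as independent are assumptions.

```python
from itertools import product

# Constructed sample task: (element, nominal error probability, PSF value).
# Illustrative numbers only; they are not taken from THERP or HEART tables.
TASK = [
    ("read alarm panel", 0.003, 2.0),
    ("select procedure", 0.010, 1.0),
    ("open valve A", 0.001, 5.0),
    ("confirm flow reading", 0.005, 4.0),
]


def adjusted_probs(task):
    """Modify each nominal probability by its PSF (assumed: multiply, cap at 1)."""
    return [min(1.0, p * psf) for _, p, psf in task]


def summed_estimate(task):
    """The estimate described in the text: the sum of element error probabilities."""
    return sum(adjusted_probs(task))


def enumerate_tree(task):
    """Walk every branch of the event tree (success or error at each element).

    Returns (branch count, probability that at least one element is in error,
    elements in error on the most likely failing branch). Elements are
    assumed to fail independently of each other.
    """
    probs = adjusted_probs(task)
    branches, p_fail, worst = 0, 0.0, (0.0, ())
    for outcome in product((False, True), repeat=len(probs)):
        branches += 1
        p_branch = 1.0
        for failed, p in zip(outcome, probs):
            p_branch *= p if failed else 1.0 - p
        if any(outcome):
            p_fail += p_branch
            names = tuple(n for (n, _, _), f in zip(task, outcome) if f)
            worst = max(worst, (p_branch, names))
    return branches, p_fail, worst[1]


if __name__ == "__main__":
    n, exact, dominant = enumerate_tree(TASK)
    print(f"branches walked:      {n}")
    print(f"summed estimate:      {summed_estimate(TASK):.6f}")
    print(f"tree enumeration:     {exact:.6f}")
    print(f"dominant failure path: {dominant}")
```

The sum slightly overstates the enumerated value, and the two agree only because the elements are treated as independent, which is the assumption Hollnagel's objection targets.
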
Task descriptions in the form of event trees are idealized sequences of steps and
may not, indeed often do not, correspond to the ways that tasks are actually
carried out. Task descriptions assume a pre-defined, highly likely ideal way of
performing an action, and actual performance is analyzed with reference to
these, and may be described as deviations from these ‘ideals’. This
does not always reflect a reality of exceedingly large combinations of possible
actions and/or sequences. Unless reasons can be found to exclude some
combinations, all combinations must be considered. Unfortunately, analysis
methods generally cannot accommodate this and task branching is avoided.
For example, an uncomplicated THERP analysis of a simple sequence with
only ten steps, with two choices at each step, calls for a tree with 1,024
branches. If there were 20 steps the complete tree would have 1,048,576
The situation is exacerbated when cognitive functions are included. Obviously
the chosen solution to this problem is to look at only a subset of the task or
application, but as already suggested, this may not reflect the reality of a
The aim of performance prediction is to specify what could possibly happen
under given conditions, such as if a person misunderstands a procedure. A focus
on context rather than actions may in fact provide the information needed to
remove ambiguities from performance models. Thus the art of performance
prediction becomes to understand and describe the most likely context(s), rather
than to restrict focus to sequences of specific actions. Analyzing from the
perspective of context can reduce the number of combinations that must be
considered during analysis. Prediction becomes concerned with probable
performance conditions rather than with the prediction of specific events.
This view has important consequences not only for attempts to model cognition
but also for interface design. The goal becomes less oriented towards supporting
specific procedure forms, and more focused on supporting an understanding of
context. This means that rather than supporting specific modes of functioning
one should offer an easily understandable representation of the context of a
given situation. Actions are viewed and interpreted through an understanding
of context. The interface should not only support specific procedures or
sequences of actions but should also support the understanding of the context.
Ecological Interface Design
Ecological Interface Design places greater emphasis on analyzing the interaction
between people and their environment than on analyzing human characteristics,
though characteristics are taken into account. The goal of this technique is to
present the operator with all information necessary for understanding how to
achieve system goals. Some researchers believe that this is an impossible
task as it is impossible to predict and therefore support the system operators’
information needs in an unlimited number of possible system failures. Ecological
Interface Design attempts to overcome this problem by representing system state
(i.e. the context) by an explicit presentation of system constraints.
The context, which imposes various constraints on the behavior, is initially
analyzed using a method proposed by Vicente called Cognitive Work Analysis
Instead of focusing on the mechanism by which things operate, Cognitive Work
Analysis emphasizes the various kinds of work constraints imposed on the
behavior. The design of an interface that is based on the result of Cognitive Work
Analysis represents external reality by explicitly presenting work constraints in a
The greatest threat to system safety comes from the failures of connected but
independent and unrelated subsystems. Failures may therefore not be
immediately comprehensible to operators. Providing operators with an
appropriate representation of context can make these failures more obvious and
allow for more efficient responses. By making the boundaries of acceptable
performance visible to users, Ecological Interface Design provides a solid base
for the operator to create correct mental models about the system state, and so
to react appropriately to unplanned events.
Cognitive Work Analysis and Ecological Interface Design have not yet been used
as predictors of system state. Nonetheless, they do perhaps allow for the
possibility of predicting conditions and contexts, rather than predicting specific
actions and events, and if methods are created to facilitate such predictions with
these tools, the end result may very well be more accurate predictions of
systems behaviors and failures.