Protecting from state mismatch

Unavoidable state transitions

State mismatch cannot always be prevented. For example, we cannot prevent exceptional states that correspond to the failure of system units. The operator might then disregard the exceptional state, and since the system behavior is well defined only for the anticipated scenarios, the system response to the next event might be unpredictable. For example, a friendly-fire air strike in Afghanistan in December 2001 was due to an automatic reset of the coordinates after battery replacement (Sheridan and Nadler, 2006). Also, complex systems such as flight control systems require that operation be state dependent. In these cases, incidents of state mismatch are inevitable, because sooner or later the user will forget to take the current state into account.

The challenge

The design challenge is to decide how to protect the system from unexpected events. We cannot simply ignore all events while in the exceptional state, because we need the operator's skills to find the proper solution, which may involve means beyond the system implementation. On the other hand, when in an exceptional state, the system response to the next action might be unpredictable. Therefore, the design challenge is to define how the system should respond to operator commands in such cases.

State synchronization

To prevent accidents due to state mismatch, we need to synchronize the operator with the system. This can be done in either direction:

  • To synchronize the operator to the system, we need to inform the operator about the state change.

  • To synchronize the system to the operator, we need the operator to inform the system about the required state.

In either case, to enable state synchronization the system must inform the operator about state transitions (Sheridan and Nadler, 2006). Sometimes, as in the case of battery replacement, the system should force the operator to notice the change and to repeat the data entry.
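As an added example (not part of the source text), the battery-replacement case modelled in Python: the naive device silently falls back to its own position after a power reset, while the synchronizing device enters an explicit exceptional state, alerts the operator, and refuses state-dependent commands until the data is re-entered. Class names, fields and coordinate values are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Coords = Tuple[float, float]


@dataclass
class NaiveDesignator:
    """Failure mode described in the text: a power reset silently replaces the
    operator's target with the device's own position; the next command acts on it."""
    own_position: Coords = (0.0, 0.0)   # constructed sample value
    coords: Optional[Coords] = None     # operator-entered target

    def enter_coords(self, lat: float, lon: float) -> str:
        self.coords = (lat, lon)
        return "coordinates accepted"

    def replace_battery(self) -> Optional[str]:
        self.coords = self.own_position  # automatic reset, operator is not informed
        return None

    def send_target(self) -> Tuple[str, Optional[Coords]]:
        return ("sent", self.coords)     # state-dependent command, no state check


@dataclass
class SynchronizingDesignator(NaiveDesignator):
    """Hardened form: the reset is unavoidable, but it is made visible, and
    state-dependent commands are refused until the operator re-enters the data."""
    stale: bool = False                 # explicit exceptional state
    alerts: List[str] = field(default_factory=list)

    def enter_coords(self, lat: float, lon: float) -> str:
        self.stale = False              # operator has re-synchronized the system
        return super().enter_coords(lat, lon)

    def replace_battery(self) -> Optional[str]:
        self.coords = None              # never substitute a default silently
        self.stale = True               # enter the exceptional state explicitly
        self.alerts.append("ALERT: power reset, target coordinates lost; re-enter them")
        return self.alerts[-1]          # the operator is informed of the transition

    def send_target(self) -> Tuple[str, Optional[Coords]]:
        if self.stale or self.coords is None:
            # Refuse rather than act on an unknown state; the operator keeps control.
            return ("refused", None)
        return super().send_target()
```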