News By Tag
News By Place
Hawaii Panic Caused by Negligent Design, Not Just Operator Error
Many Negligent and Very Serious System Design Flaws Made This Event Virtually Inevitable
Actually, the true immediate cause was his clearly foreseeable mistake in choosing from a confusing and poorly designed drop-down menu on a computer screen; a design and system which made such a happening almost inevitable, notes Professor John Banzhaf.
Good design much anticipate that people will make mistakes, and plan systems so that these foreseeable mistakes either will not occur or can be immediately corrected, says Banzhaf.
One very obvious example of negligent system design was to have a system where one single employee could send out a warning with such severe consequences. This is especially negligent since a technique for preventing any one employee from triggering a very serious event by himself was developed long ago to prevent the wrongful launching of missiles, for example.
Launching a missile always requires two different authorized persons to act together, thereby preventing a launch by one individual; something which foreseeably could occur.
While the U.S.'s original missile-launch system required two different officers to turn their own keys in separate keyholes at the same time for a launch, the same fail-safe principle could easily be applied to an emergency warning system controlled by computers.
This could be accomplished very easily and inexpensively by requiring at least two different authorized employees to each click on the same choice in a drop down menu on two different computers at the same time.
Another major design error was not providing a mechanism which would permit a subsequent corrective message to be sent out virtually immediately if an original one was false.
Authorities blame their delay in sending out a second WAS (Wireless Emergency Alerts) - to alert the public that the initial warning was sent in error - on the need to carefully compose such a message, but this is not a valid excuse for at least two reasons.
First, since sending out a false missile warning by mistake is clearly foreseeable, such a message should have already been prepared and ready to be transmitted.
Second, an even more important reason is that authorities should be able to compose messages very quickly in response to many different events about which the public should be warned very quickly.
A third clear system design error was failing to clearly and unambiguously differentiate the choices on the drop down menu so that mistakes of this kind become much more unlikely.
The current choices on the drop down menu are all in the same color and apparently in the same font, thereby making a mistake much more likely. This can be corrected very easily.
Also, something which makes confusion and mistakes more likely is that the line on the computer drop down menu used to trigger a missile warning reads "(PACOM) (CDW) - State Only."
While employees authorized to operate the system should know that PACOM stands for the United States Pacific Command in Hawaii, and that CDW stands for Civil Defense Warning, some confusion and/or forgetfulness is clearly possible if not likely. This possibility is increased because there is another line in the menu which also refers to PACOM.
Non-negligent design would strongly suggest that, given the dire consequences of selecting the wrong menu item, the menu choice for the missile warning would very clear and easily distinguishable.
Something like "INCOMING MISSILE ALERT WARNING - USE GREAT CARE" would be unambiguous and clear distinguishable from the other menu choices, especially if it was the only menu item choice which occupied two (rather than only one) line, and it was in a different color and font.
Still another serious system design flaw is the use of what is described as a "a standard, confirmatory pop-up" which appeared on his computer asking whether the employee was sure he wanted to send the alert. In other words, he probably received a pop-up asking "Are You Sure" similar to the type all computer users received routinely, and which many click on immediately and often almost reflexively.
Given the gravity of a mistake in using the drop down menu, something much more and very different from a "a standard, confirmatory pop-up" is clearly required.
Rather than being asked something simple such as "Are You Sure," a well designed backup protection would probably say something such as "THIS IS VERY SERIOUS - ARE YOU ABSOLUTELY SURE YOU WISH TO SEND A MISSILE WARNING MESSAGE!"
Indeed, for the same reason, a second confirmatory message, perhaps reading "LAST CHANCE - A MISTAKE COULD BE CATASTROPHIC - ARE YOU SURE YOU WANT TO SEND THIS WARNING?" should probably also be required before the message is actually sent.
System designers must always assume that people will make mistakes, and design systems so that such mistakes will not lead to catastrophic consequences, says Banzhaf, who reminds us that good designers must always honor Murphy's law - "If Something Can Go Wrong, It Will!"
Thus good system designers must assume that something will in fact go wrong, at least over the long run, and design the system to be "fail safe" - to not fail because of easily anticipated problems.