
People, Places and Interfaces

Using Physiological Constraints To Inform The Design Of Safety-Critical User Interfaces

SIGCHI Bulletin
Vol.29 No.1, January 1997

A range of techniques have been developed to plan the layout of computer systems within complex working environments. For instance, computer aided design (CAD) tools can be used to simulate operators' posture at a particular workstation. Fitting studies can then be used to provide empirical validation. Unfortunately, few of these techniques also support the development of interactive dialogues. This is an important problem because the position of a display can determine whether users are able to monitor its information. The physical location of input devices can also have a profound impact upon error rates. This paper presents techniques that support interface development and workstation layout for safety-critical systems. First-order logic can be used to represent and reason about human computer dialogues. The same formalism can also be used to identify appropriate locations for input and output devices within control rooms and offices. The findings of ergonomic studies can then be applied to analyze the mental and physical demands that are imposed by interactive dialogues within a particular working environment.

Keywords: Dialogue design; environmental layout; safety-critical systems; formal methods.


The European Community Directive on Work with Display Screen Equipment (see SIGCHI Bulletin April 1995) and the United Kingdom's Health and Safety Regulations provide guidelines on the correct layout of working environments for computer operators. Screens should be parallel to overhead fluorescent tubes, at right angles to windows etc. Unfortunately, many techniques in human computer interaction completely ignore these issues. They provide ample support for screen layout and dialogue design but they provide no means of reasoning about the physical layout of work environments. Conversely, the empirical techniques and CAD tools that have been developed to analyse different operator postures do not address the concerns that dominate human computer interaction (Malone, 1989). The lack of integration between user interface design and environmental layout is not a serious problem in many contexts. Office workers can easily move keyboards, screens and telephones into positions that support their everyday tasks. This lack of integration is, however, a more serious problem for the development of safety-critical applications. The position of a display can determine whether operators will observe a warning within a particular time period (Wickens, 1984). The physical location of buttons, keyboards and mice can affect the error rates for particular input sequences (Johnson 1996).

The Problems of Integration

There are a number of reasons for the lack of integration between human computer interfaces and complex working environments. For instance, it is not clear what notations or techniques can be used to represent both layout requirements and dialogue designs. Natural language descriptions quickly become intractable if designers are forced to describe the many different view-points that operators might use to observe many different displays. Graphical notations avoid this problem but cannot easily be used to describe the temporal properties that affect interactive dialogues (Johnson, 1993). In contrast, this paper argues that first order logic can be used to represent dialogue requirements and to reason about physical properties of working environments.

Integration through Formal Methods

Formal notations offer a number of benefits as a means of integrating human computer interaction and environmental planning. In particular, they provide important links with current practice in the software engineering of safety-critical systems (Ministry of Defence 1991, NASA 1989). Formal methods also provide the precision and rigour that is necessary during the development of safety-critical applications. They provide a concise means of representing the mass of vernacular requirements that often frustrate the design of complex systems.

A number of authors have attempted to extend the application of formal methods to support the development of interactive systems. For example, Sufrin and He (1990) have extended the Z schema calculus to represent interaction with a text-editor. Took (1991) has developed a formal framework for the representation of graphical interfaces. Unfortunately, mathematical specification techniques have not been used to reason about complex working environments. This threatens user-centred design. A prime objective in the use of formal methods is to minimise the modifications that are necessary once a specification has been refined towards implementation. An important class of ergonomic considerations, therefore, run the risk of being relegated to an after-thought in the design process (Harrison and Thimbleby, 1989, Dix, 1991).

An Example Application

This paper demonstrates that a formal logic can be used to support the development of interactive dialogues and the planning of potential working environments. We are concerned that a real-world example is used to illustrate our approach. The following pages, therefore, investigate the design of a control room for an oil-production facility. Oil-production systems exhibit many of the problems that complicate the development of human-machine dialogues. They are complex and dynamic. They have posed a significant challenge for both systems designers and human factors specialists (Wardell, 1989). These applications present their operators with information about the extraction of oil-products from geological structures deep beneath the sea-bed. Not only must users monitor the rate of extraction but they must also maintain a constant watch for problems that threaten the safety of the rig. For instance, gas leaks pose a considerable risk of fire in these applications. If gas is detected then control room personnel must investigate the cause and identify potential solutions.

Figure 1 illustrates the plan of an oil rig control module (Cullen, 1990). The exact size of these modules varies. The 0.0 and 10.0 values, therefore, indicate the origin and extent of a relative coordinate system.

Representing Interactive Dialogues

A number of different notations can be used to reason about human computer interaction and the physical layout of working environments. The following pages exploit the Horn clause form of predicate logic. This notation is appropriate because it can readily be incorporated into more complex formal specification techniques, including Z and VDM (Johnson, 1995a). Informal translations will be presented for those who are more interested in the application of the approach rather than the details of the underlying formalism. It should be emphasised that the focus of this paper is upon the descriptive power of the notation for HCI problems; a companion paper reviews the use of formal proof techniques (Johnson, 1996). For example, the following clauses state that user_1 is presented with a condensate_injection_display while user_2 is presented with an electricity generation_display:

display(user_1, condensate_injection_display). (1)  
display(user_2, generation_display). (2)

These clauses illustrate how abstractions can be used to represent presentation requirements without considering display primitives or particular devices. These details can gradually be added as development progresses. For instance, additional clauses can represent the various icons and items of text that are presented by particular displays. The following dialogue requirement states that a condensate_error_icon is part of the injection display. Elsewhere we describe how such abstractions can be refined to include the fonts, lines and colours that must be introduced prior to implementation (Johnson 1993):

user_1_responsible_for_closing_condenser_A :-
    display(user_1, condensate_injection_display),
    display(user_2, generation_display),
    part(user_1, condensate_injection_display, condensate_A_error),
    not(part(user_2, generation_display, condensate_A_error)),
    input(user_1, 'close_pump_A'). (3)

This states that users agree to close pump_A if user_1 is presented with the condensate_injection_display and user_2 is presented with the generation_display and condensate_A_error is part of the condensate injection display but not of the generation display and user_1 provides input to close pump_A.

Such dialogue requirements make implicit assumptions about the layout of a potential control room. Designers must ensure that user_1 can view the condensate_A_error from their normal working position. Figure 1 illustrates that this may be a non-trivial problem. For instance, if the operator were routinely stationed behind the work surface at the bottom of the figure then it would be difficult for them to view a warning presented on the local control panels towards the top of the layout. Fortunately, logic abstractions can also be used to reason about the physical organisation of complex working environments.

Representing Workstation Layout

Figure 1: Control Room Module For North Sea Oil Production

Designers can exploit logic to represent the allocation of displays to the control panels that users must operate. For instance, clause (3) required that user_1 should be presented with the condensate_injection_display. This could be presented through the local control panel next to the switchgear shown in Figure 1 rather than through the main VDU next to the worktop:

present(user_1, condensate_injection_display, local_panel_A). (4)
location(local_panel_A, 6.0, 6.5). (5)
dimension(local_panel_A, 1.5, 0.9, 1.1). (6)

The first clause states that the condensate injection display is presented to user_1 through local control panel A. The remaining clauses state that the control panel is located at Cartesian coordinates (6.0, 6.5) and is 1.5 meters in dimension along the X axis, 0.9 along the Y axis and 1.1 meters along the Z axis; this corresponds to the height of the panel.

Designers can use these clauses to guide the detailed layout of a control system. By introducing positional information into logic clauses it is possible to represent the likely working position of an operator performing a particular task. For instance, user_1's normal activity might be to coordinate the operation of the system from behind the worktop. This would place the user at a position close to (6.0, 2.2). It would then be difficult for user_1 to respond to warnings presented on local control panel A at the same time as monitoring a display on the fire and gas panel:

location(user_1, 6.0, 2.2), location(local_panel_A, 6.0,6.5),
location(fire_panel, 6.5,1.5),
present(user_1, Display_1, local_panel_A),
present(user_1, Display_2, fire_panel),
part(user_1, Display_1, condensate_A_error),
part(user_1, Display_2, communications_error),
input(user_1, 'close_pump_A'),
input(user_1, 'self_test_communications'). (7)

This states that user_1 must divide their attention if they are at (6.0,2.2) and must monitor two different displays, one presented by local panel A at (6.0,6.5) and the other presented by the fire and gas console at (6.5,1.5), and those displays contain warnings about a communications error and a fault with condenser A, and user_1 must provide input to resolve those warnings.

Logic can be used to represent potential solutions to such problems. For instance, the position of the fire and gas console might be moved so that it could more easily be observed while user_1 was monitoring the local control panel. This can be represented by altering one of the location clauses. Alternatively, the task of monitoring and responding to the communications error might be allocated to another user. These two potential solutions again illustrate the close interaction between dialogue design and the layout of control rooms:

coordinated_response :-
    part(user_1, Display_1, condensate_A_error),
    part(user_2, Display_2, communications_error),
    input(user_1, 'close_pump_A'),
    input(user_2, 'self_test_communications'). (8)

This states that there is a coordinated response if user_1's display contains a warning about a fault with condenser A and user_2's display contains a warning about a communications problem and user_1 must provide input to resolve the condenser problem and user_2 must resolve the communications error.

Such clauses illustrate the benefits of formal methods for the integration of interface design and environmental layout. It is not clear how such dialogue requirements could be represented using the two dimensional plans that are, typically, used to represent the layout of control rooms, see Figure 1.

Using Ergonomic Guidelines To Inform Interface Design

Research in the field of human factors and ergonomics has developed a mass of information about suitable operator postures and working positions. For instance, Figure 2 illustrates Grandjean's (1988) guidelines for a relaxed viewing angle from an upright, seated posture. If operators are required to monitor displays outside of the -10 to -15 degree cone for long periods then static muscle over-loading may occur.

Figure 2: The Relaxed Viewing Angle

Until now, it has been difficult to envisage how such information can be used to directly inform the development of human computer interfaces. In contrast, the previous clauses can be used to reason about the consequences of such figures for interactive dialogues in particular working environments. For example, assuming that the user were at the worktop in the centre of the control room at (6.0,2.2,1.3) and that they were observing a point on local control panel A, mentioned in clause (7), at (6.0,6.5,1.4) then the visual angle would be approximately 19 degrees below the horizontal. The panel would fall outside of the line of sight for comfortable eye rotation. This is derived from the following formula that relates the operator's seated eye height s and the distance of a target d on a control panel to the height of that target h and the likely visual angle a between the horizontal plane and that target:

Such formulae can be used to guide interface development. Routinely monitored information should not be placed on the local control panel: the operator would be forced to assume an undesirable posture to observe the display. High priority error messages should not be presented on the local control panel: the operator may fail to detect warnings on the edge of their vision (Wickens, 1984). The identification of such 'high priority' errors is an important stage during the development of safety-critical interfaces. The observation problem with local control panel A might be resolved by ensuring that such critical warnings are also presented closer to the operator's normal line of sight. Equation (9) can be used to validate user_1's line of sight between various positions in the control room and these additional sources of information. For example, the warning might also appear on the fire console as it indicates a failure that might lead to a gas leak:

resolve_observation_problem :-
    location(user_1, 6.0, 2.2),
    present(user_1, Display_1, local_panel_A),
    part(user_1, Display_1, compressor_failure),
    present(user_1, Display_2, worktop_panel),
    part(user_1, Display_2, compressor_failure). (10)

This states that a potential observation problem can be resolved if user_1 is located at (6.0, 2.2) and they are allocated a display, Display_1, which includes a warning that a compressor is failing and that display is presented on the local control panel and they are allocated a display, Display_2, which also includes a warning that the compressor is failing and that display is presented on the worktop_panel.

Workstation layout not only affects the presentation of control information, it also has a profound impact upon input requirements. For example, Grandjean (1988) uses Figure 3 to illustrate the working distance from the elbow to the hand of an operator at table top height. This applies to the fifth percentile of the male population.

Figure 3: The Horizontal Reach Limit

The inner arc represents the extent of the grasp from a relaxed, seated position. This analysis can be used to inform dialogue design. For example, in control systems it is important that certain input sequences are difficult to issue. The pump isolation switches might, therefore, be placed beyond the 55-65cm arc. Operators can make occasional stretches of 70-80cm without difficulty:

reach_isolate_pump_A :-
    location(user_1, 6.0, 2.2),
    select(user_1, close_pump_A_switch),
    component(close_pump_A_switch, worktop_panel),
    location(close_pump_A_switch, 6.0,3.0,0.9).

This states that the user must reach to close off pump A if they are at (2.0, 2.1) and they provide input to isolate the pump by selecting a button on the worktop control panel at (6.0,3.0,0.9).

The correct positioning of control panel components must reflect details of the operators' tasks. It should be hard to issue input sequences that cannot easily be reversed. Conversely, the input requirements that are implicit within dialogue designs must also take into account the physical demands that devices place upon their users. Operators should not routinely be expected to sustain postures that impose significant biomechanical strain.
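
Once location clauses carry coordinates, the reach requirement above and the divided-attention situation of clause (7) can be checked mechanically. The following Python example is added here and is not code from the paper or from the Prelog tool; it assumes the user's location is the origin of reach, takes the upper end of each quoted reach range as a cut-off, and leaves the maximum angular separation between monitored panels as a caller-supplied, hypothetical threshold.

```python
import math

# Facts transcribed from clause (7) and the reach clause on this page.
# Coordinates are metres in the relative frame of Figure 1 (X, Y only).
LOCATION = {
    "user_1": (6.0, 2.2),
    "local_panel_A": (6.0, 6.5),
    "fire_panel": (6.5, 1.5),
    "close_pump_A_switch": (6.0, 3.0),  # X, Y of (6.0, 3.0, 0.9)
}
# present(User, Display, Panel) plus the warning that display carries.
PRESENT = [
    ("user_1", "Display_1", "local_panel_A", "condensate_A_error"),
    ("user_1", "Display_2", "fire_panel", "communications_error"),
]

# Reach figures quoted in the text (cm). Using the upper end of each
# range as the cut-off is an assumption of this example.
RELAXED_REACH_CM = 65.0
OCCASIONAL_STRETCH_CM = 80.0


def distance_cm(a, b, loc=LOCATION):
    """Horizontal distance between two located items, in centimetres."""
    (ax, ay), (bx, by) = loc[a], loc[b]
    return round(math.hypot(bx - ax, by - ay) * 100.0, 1)


def reach_class(user, control, loc=LOCATION):
    d = distance_cm(user, control, loc)
    if d <= RELAXED_REACH_CM:
        return "relaxed"
    if d <= OCCASIONAL_STRETCH_CM:
        return "occasional_stretch"
    return "out_of_reach"


def guarded_control_ok(user, control, loc=LOCATION):
    """A hard-to-reverse input should sit beyond the relaxed arc
    yet remain within an occasional stretch."""
    return reach_class(user, control, loc) == "occasional_stretch"


def separation_deg(user, panel_a, panel_b, loc=LOCATION):
    """Horizontal angle, seen from the user, between two panels."""
    ux, uy = loc[user]
    bearings = [math.atan2(loc[p][1] - uy, loc[p][0] - ux)
                for p in (panel_a, panel_b)]
    diff = abs(bearings[0] - bearings[1])
    return math.degrees(min(diff, 2 * math.pi - diff))


def divided_attention(user, max_sep_deg, loc=LOCATION, present=PRESENT):
    """Pairs of panels the user must monitor that lie further apart
    than max_sep_deg (threshold supplied by the caller)."""
    panels = [p for (u, _display, p, _warning) in present if u == user]
    return [
        (a, b, round(separation_deg(user, a, b, loc), 1))
        for i, a in enumerate(panels) for b in panels[i + 1:]
        if separation_deg(user, a, b, loc) > max_sep_deg
    ]


if __name__ == "__main__":
    print(reach_class("user_1", "close_pump_A_switch"))
    print(divided_attention("user_1", max_sep_deg=60.0))  # 60 is hypothetical
    # Constructed alternative: the fire panel moved beside local panel A.
    moved = dict(LOCATION, fire_panel=(6.5, 6.5))
    print(divided_attention("user_1", 60.0, loc=moved))
```

With the coordinates given in the clauses, the isolation switch is 80 cm from user_1 and the two monitored panels are roughly 144 degrees apart; altering the fire panel's location clause, one of the two remedies the text proposes, removes the conflict.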

Animation and Prototyping

Mathematical specifications provide non-formalists with an extremely poor impression of the 'look and feel' of a potential interface. Prototypes provide a far better impression of what it would be like to interact with a particular system. The Prelog system has been developed to directly derive interactive systems from logic specifications such as those presented in this paper. This tool uses UNIX sockets to link the Prolog logic programming environment with a screen presentation system. Further details about the implementation techniques and the system architecture can be found in (Johnson and Harrison, 1992, Johnson, 1993a).

Prelog offers significant advantages over traditional prototyping tools. Previous generations of interface design environments help designers to quickly mock-up displays and animate dialogue sequences. There is a danger, however, that such tools may produce dialogues which cannot easily be integrated with their eventual working environment. Warnings may be obscured by other operators or pieces of equipment. On-line help may be abandoned if users cannot easily read particular displays. In contrast, the Prelog tool exploits location clauses to build up three-dimensional models of control rooms and offices. The same system can, therefore, be used to prototype dialogues as well as view the potential layout of working environments. These models can be shown to operators and to the members of concurrent design teams that are working on control room planning and display development. The term 'environmental animation' has been used to refer to our integration of prototyping techniques and three-dimensional models. We have recently received funding from the UK Engineering and Physical Sciences Research Council. This will enable us to increase the portability and efficiency of our prototyping tools.


This paper has argued that many techniques in human computer interaction completely fail to consider the physical properties of working environments. This has important consequences for the usability of safety-critical applications. Warnings may be over-looked if operators cannot easily view the displays that present them. High error rates may occur and inadvertent selections may be made if users cannot easily reach their input devices. It has been argued that many of these problems might be avoided if designers can integrate display development and control room design. We have shown that logic provides one means of achieving this integration. The formal notation can be used to represent dialogue requirements without considering device characteristics during the early stages of development. The same notation can also be used to analyse the position of operators and their displays within the working environment. The resulting specifications can then be analysed using the insights gained from ergonomics research on viewing angles and horizontal reach. These findings provide concrete information about suitable positions for input and output devices within control rooms and offices. Perhaps for the first time, we have shown a direct means of using this body of research to inform interface development. Finally, it has been argued that tools must be provided to support the use of logic abstractions. We have designed the Prelog system to support the development of 'environmental animations' from the logic descriptions presented in this paper.


Dr. Andrew Life of the Ergonomics and HCI Unit, University College London provided detailed help and advice with the human factors material in this paper. Thanks are also due to the members of the Glasgow Interactive Systems Centre (GIST) for their help and encouragement with this paper.


Lord Cullen, 1990, The Public Inquiry Into The Piper Alpha Disaster, Department of Energy and Her Majesty's Stationery Office, London, Ref. number CM 1310.

Grandjean, E. 1989, Fitting The Man To The Task: Occupational Ergonomics. Taylor Francis, London, United Kingdom.

Dix, A., 1991, Formal Methods For Interactive Systems, Academic Press, London, United Kingdom.

Harrison, M.D. and Thimbleby, H.W., editors, 1989. Formal Methods In Human Computer Interaction. Cambridge University Press, Cambridge, United Kingdom.

Johnson, C.W., 1993, A formal approach to the presentation of CSCW systems. In J.L. Alty, D.Diaper, and S.Guest, editors, People And Computers VIII, pages 335--352. Cambridge University Press, Cambridge, United Kingdom.

Johnson, C.W., 1993a, A probabilistic logic for the development of safety-critical interactive systems. International Journal Of Man-Machine Studies, 39(2):333--351.

Johnson, C.W., 1995, The economics of interface design. In K.Nordby, P.H. Helmersen, D.Gilmore, and S.A. Arnesen, editors, Human Computer Interaction - Interact '95, pages 19--25, Chapman And Hall, London, United Kingdom.

Johnson, C.W., 1995a, Using Z To Support The Design Of Safety-Critical Interactive Systems. Software Engineering Journal, 10(2):49-60.

Johnson, C.W., 1996, The Impact Of Working Environments Upon Human-Machine Dialogues: A Formal Logic For The Integrated Specification Of Physical And Cognitive Ergonomic Constraints On User Interface Design. Ergonomics, (39)3.

Johnson, C.W., and Harrison, M.D., 1992, Using temporal logic to support the specification and prototyping of interactive control systems. International Journal of Man-Machine Studies, 36:357--385.

Kowalski, R. 1984, The relation between logic programming and logic specification. Philosophical Transactions of the Royal Society of London, 312(A):345--361.

Malone, T.B., 1989, MPTS methodology in the Navy: Enhanced HARDMAN. In D.L. Pettigrew, editor, Proceedings Of The 33rd Annual Meeting of the Human Factors Society, pages 1044--1048. Human Factors Society, Santa Monica, United States of America.

Ministry Of Defence, 1991, Requirements for the Procurement of Safety Critical Software, MOD DEF-STAN 00-55, London, United Kingdom.

National Aeronautics and Space Administration, 1989, Advanced Orbiting Systems -- Architectural Specification For The CCSDS Secretariat, Washington DC, United States of America.

Sufrin, B. and He, J. 1990, Specification, refinement and analysis of interactive processes. In M.D. Harrison and H.W. Thimbleby, editors, Formal methods in Human Computer Interaction, pages 153--200. Cambridge University Press, Cambridge, United Kingdom.

Took, R. 1991, Integrating inheritance and composition in an objective presentation model for multiple media. In F.H. Post and W.Barth, editors, EUROGRAPHICS '91, pages 291--303. Elsevier Science Publications, North Holland, Netherlands.

Wardell, R.W., 1989, An Ergonomic Perspective On Safety In The Oilfield. In D.L. Pettigrew, editor, Proceedings of the 33rd Annual Meeting of the Human Factors Society, pages 999--1003. Human Factors Society, Santa Monica, United States of America.

Wickens, C.D., 1984, Engineering Psychology and Human Performance. C.E. Merrill Publishing Company, London, United Kingdom.

Author's Address

Department of Computing Science, University of Glasgow, Glasgow, Scotland, G12 8QQ, UK
Phone: +44 141 330 6053
Fax: +44 141 330 4913
