supported the cognitive processes of the operator. 2. The stages of process control systems. The archetypes for the stages are the steam locomotive of the early ...
Verite, Abstraction, and Ordinateur Systems in the Evolution of Complex Process Control Richard I. Cook Cognitive Technologies Laboratory, Department of Anesthesia and Critical Care, University of Chicago, Chicago, IL 60637
Abstract A schema that describe some aspects of the evolution of complex process control from the operators’ perspective is given. Descriptions of the stages of evolution are provided along with a characterization of the way that constraints on system designers are relaxed with each shift to a new stage. The schema is used to advance an explanation for the apparent resistance of anesthesia practitioners to adopt advanced technology.
1. Introduction The evolution of many complex process control systems encompasses an early mechanical stage, a shift to electromechanical form and, recently, a shift to a computer based form. These shifts have been characterized mainly by their impact on technical system characteristics or the economy of operations. Without doubt, this evolution has yielded more efficient, faster, and more powerful systems. The effect of these shifts on the ability of operators to initiate, manage, and recover the process from faults is more rarely the focus of attention. Accidents in these systems remain perplexing anomalies, are sometimes taken as evidence of human operator failure and used as arguments for the employment of even more technology to forestall “human error” [3]. A more informed view is that expert human performance and the characteristics of technology are closely linked [8] and that system failures reflect mismatches between the capabilities of and demands on animate and inanimate system components [14]. According to this view, refined understanding of the relationship between operators and their technology should lead to more robust, resilient, and reliable systems. Just how this is to be accomplished remains at issue. The perplexing circumstances of anesthesia technology demonstrate the point. The past decade has seen an explosion of new technology for use in anesthesia. New sensors, displays, actuators, and information technology have transformed the operating room from a largely mechanical place to a world of microprocessors. The marked reluctance among practitioners to use some
new technology is regarded by its proponents as a simple anti-technology bias. The record is actually mixed: some technologies (e.g. pulse oximetry) have been warmly embraced, others (e.g. total intravenous anesthesia) regarded cautiously and still others (notably automated anesthesia records) coldly rejected. The impact of new, microprocessor based technology remains the subject of debate in anesthesia and also in other domains. Current and anticipated problems arising from the use of microprocessor based systems in anesthesia [5] and, to an extent, in aviation and aerospace applications [12] [1], have prompted the development of a schema for describing the operational impact of technical evolution of these systems. This schema divides system evolution into three stages, verite, abstraction, and ordinateur. These parallel the progression of process control technology from purely mechanical to electromechanical and finally to computer based forms. The purpose of this paper is to describe the schema and to use it to draw attention to the ways that technological evolution has changed the display of data and control potential to the operator. The thesis of the paper is that each transition to a new stage has relaxed a critical constraint on system designers. While these constraints have been regarded by technologists as impediments to progress, they also shaped the environment in ways that efficiently transmitted valuable process information and provided a structure that supported the cognitive processes of the operator.
2. The stages of process control systems The archetypes for the stages are the steam locomotive of the early 1900’s (verite), the electricity generating power plant circa 1970 (abstraction), and an anesthesia humidifier of the 1980’s (ordinateur).
2.1 verite: the steam locomotive The most salient operational characteristic of verite systems is the unity of the control surface, the display of the possibility of control, and the display of the present control and actuator settings. A single component (e.g.
the throttle lever) provides all these display functions as well as being the control surface manipulated by the operator. These display functions extend to include direct feedback from the process itself, e.g. via vibration, temperature, or condensation. Similarly, those components intended specifically as displays (e.g. water level gauges, pressure gauges) are directly connected to the process and so are physical extensions of it (e.g. the flicker of a gauge needle provides indication of (1) slight fluctuations in pressure as valves open and close, (2) the fact that the gauge is connected to the process and (3) the fact that the pointing indicator is free). These artifacts of controls and displays are a rich source of information about the process itself. Direct sensory perception of the process, mediated by mechanically linked controls and displays, is a distinct characteristic of operations of verite systems. The function of control surfaces qua displays reduces the need for components specifically dedicated to display; there are few gauges but many controls in the locomotive cab. The need for explicit displays is also limited by the close physical proximity of the process. The requirement for direct mechanical linkage between the controls and process being controlled forces designers to collocate both and leads to direct sensing and provisions for it. The boiler and firebox, for example, are, of necessity, located near the operator and present observable features (and some danger!) to the operator. Notably, the location of the controls and displays is constrained by the process itself. The boiler water level gauge, for example, must be at the height of water in the boiler in order to function. The grate shaker, in contrast, is connected to the grates which lie below the firebox, and so these controls are on the floor of the cab. There are controls whose locations are not uniquely determined by the process (notably valves controlling the flow of water or steam) but even these are constrained in location by the process elements (e.g. interposition of a valve between the tender and boiler leads it to be located somewhere between those two system components). The locations of controls and displays are not only influenced by the process but are, once placed, static and unmovable. The piping and linkages that connect control surfaces and the process cannot readily be moved. Design decisions, which reflect the limited available surface and irreducible size of components, are highly constrained by available space and the physics of the underlying process. They are also constrained by the limited possibility of action at a distance. This limits the size of verite systems; beyond a certain point verite systems cannot be operated by a single individual but require teams. In these large verite systems (e.g. steamships) human-human communication is used to accomplish action at a distance while the realm of direct action for any single human
remains just the range provided by direct mechanical linkage.
2.2 abstraction: the power plant control room In abstraction systems, the ability to produce action at a distance afforded by electromechanical devices relaxes several constraints that confronted the designers of verite systems. This gives rise to the control room, by definition an area remote from the process. The hallmarks of abstraction are the separation of control surfaces and displays from the process being controlled as displayed. One consequence of this separation is the need for designers to synthesize and provide an image of the system to operators. The effects of acquiring the capacity for action at a distance are two. First, it becomes possible to place the process at greater remove from the operator than is the case with purely mechanically linked systems. This allows processes of almost any size to be operated by a single individual. Such distance also removes the ability of the operator to sense the process directly. Indeed, the control surfaces which were, in verite systems, rich sources of information are, in abstraction systems, so devoid of information about the process that all such information must be transmitted by explicit annuciators. Notably, controls in verite systems’ provided information through their direct contact with the process and through their layout, which was constrained by the process in ways that led the control layout to provide a natural mapping of the process. In contrast, abstraction systems, such as the power plant control room, are characterized by a plethora of annuciators whose purpose is to synthesize a representation of the process for the operator. All these displays are the result of deliberate design intent, representing the designers’ determination of what needs representing in the control room. The second effect of action at a distance is the possible discordance between controls in the control room and actuators at the remote location. It is quite possible for a control to be operated but the actuator at the remote location to fail. This leads designers to provide return indicators of the action occurring at a distance. This amounts to restoring, via technology, part of what verite systems had because of the atomic, indivisible character of controls as displays of themselves. That these abstraction system return links are subject to their own failures goes almost without saying. Abstraction systems have no natural mapping of the location of controls and displays in relationship to the process. The position, indeed even the size and shape, of controls and displays is entirely the province of designers. Therefore it is not uncommon to have circuit breaker panels or display racks that contain many items of identical appearance but different function simply because
it is easy to group similar types of switches and meters together. Any physical layout mapping of controls and displays that demonstrates the structure of the process must be the intentional consequence of design rather than the outgrowth of naturally occurring constraints. Nothing in the abstraction system constrains the placement of a control near its related display and it is this lack of constraint that gives rise to design guidelines. Verite and abstraction systems have one thing in common: the one-to-one relationships between controls and functions and between displays and sensors is static and unchanging. The switch that operates a pump always operates the same pump. A meter showing a voltage is always in the same physical location on the console. This static character is preserved because of the constancy of connection between components. This character also makes it difficult to change the locations and functions of controls and displays and provides a more or less constant environment for the operator.
2.3 ordinateur: the anesthesia humidifier Ordinateur systems are freed by use of the computer from the one-to-one static control/display relationship present in abstraction systems. Designers are no longer constrained by electromechanical connection to place control and display elements in dedicated locations, nor are controls and displays dedicated to single functions. The computer makes it possible to use a single control for multiple purposes. For example, pressing the ENTER key on the computer keyboard may have many different effects. In ordinateur systems it is also possible to display the same data in different locations or different data in a single location at different times, i.e. to multiplex data and display. Significantly, ordinateur systems need not have all data immediately visible nor have all control possibilities constantly displayed. Indeed, it is the hallmark of such systems that they display at one instant only some of the controls and data that constitute the system and that they contain controls and displays devoted to tasks related to controlling the display of controls and displays. Beyond multiplexing of controls and displays, ordinateur systems make possible the combination of multiple functions in a single control and the combination of multiple discrete data sources into a single display element. Cook et al. [2] have described an anesthesia breathing circuit humidifier that shows these features of ordinateur systems. Such systems are now common in transportation (e.g. “glass cockpit” aircraft, [1]). Some manufacturing industries (e.g. semiconductor wafer fabs) are adopting ordinateur systems. Hospital operating room and intensive care units are in varying stages of transition from
abstraction to ordinateur [4] or going directly from verite to ordinateur in a single step.
3. Anesthesia: stuck in verite then shifting to ordinateur Interestingly, anesthesia practice has remained largely verite until recently. This is due in part to the fact that the potent inhaled anesthetic agents used until the 1960s were quite explosive and the use of potentially spark generating electrical equipment in the operating room was prohibited. Even after non-flammable agents came into use, the need for extraordinarily high degrees of electrical isolation to prevent cardiac electrical disturbances limited the use of electrical devices.1 The process of anesthesia still relies heavily on systems that deliver gases and fluids via devices with verite characteristics. The introduction of non-flammable anesthetic agents in the mid-1950s allowed electrical systems to be used more freely in the operating room but it was not until the late 1960s that electrocardiography became universal. In the 1980s, the pace of change accelerated with the addition of quite sophisticated devices such as syringe infusion pumps [5]. Anesthesia technological evolution is thus marked by a long period of verite and rapid progress to ordinateur with little time in abstraction. This technical evolution history is in stark contrast to that of aviation where the transition between verite and abstraction occurred early. Experience with abstraction was gained during intense investigation of the characteristics that led to effective control by aircraft operators [13]. Indeed, although the shift to abstraction was only partial (direct manual influence over the aircraft’s flying surfaces, albeit with hydraulic assistance, persisted until the 1980s) the technology of display and control via electromechanical linkages was well advanced by the 1920s [10]. Transportation systems in general demonstrate long experience with abstraction prior to the shift to ordinateur, and even here that shift is not always successful [9]. The array of ordinateur technology appearing in anesthesia practice may be confusing in part because experience with abstraction systems in anesthesia has been so limited.
4. The meaning of verite
1
Interestingly, even today many electrical devices for use in operating rooms are marked with large warning signs prohibiting their use in the presence of flammable anesthetics. As late as 1975, a standard anesthesia equipment text contained no electrical devices and even the current version devotes only about 1/5 of its pages to electrical devices [6].
So long as the sources of operator expertise remain unstudied and unknown, designers are free to exploit the relaxation of constraints provided by shifts from verite to abstraction to ordinateur systems without hesitation. A naive view of verite systems is that they are obsolete and therefore must have been simple and easily operated. After all, the view goes, their human operators were forced to use direct perception of process elements in order to manage the system. Surely such a system must be inferior to modern, ordinateur systems. On the contrary, it may be argued that verite systems afforded their operators broad, rich, highly refined collections of process information and that operators learned, albeit slowly and in ways poorly understood, to exploit these characteristics to achieve high levels of system performance. As for the successor stages, what appears at first glance to be a wealth of information available to operators of abstraction and ordinateur systems may be in part the impoverished collection comprising what can be sensed and what designers believe to be significant. Some of the apparent richness of abstraction and ordinateur systems is derived from the need to devote space to display management functions and remote sensor indicators of control function. In verite these did not exist because there was no requirement for them; the information was bound up in the control itself and the display space was constantly visible. The functions were derived from the inherent binding of control and display that was and intrinsic part of the systems’ character. There are volumes written on the ways in which operators perform diagnosis and fault management of complex abstraction and ordinateur systems. Seldom is it acknowledged explicitly that the need for these fragile, cognitively demanding, failure prone inferential processes is the result of the evolution of technology rather than some inherent limitation of the operators themselves. The written record of verite systems operations is sparse and largely anecdotal. Operator cultures, then and now, tend to be hard for outsiders to penetrate and they possess a complex jargon [7]. The operators’ tasks are difficult to comprehend because theirs is highly technical world, one not readily apprehended by researchers from disciplines of psychology and computing. The few records of the ways in which verite transportation system operators understood and controlled their systems make fascinating reading [11]. Not surprisingly, such verbal reports only hint at the sources of operator expertise, expertise that was, after all, tightly bound to the direct perception of the process that verite systems provided. This schema, leads to two observations, the first narrow and the second more general. The first is that the reluctance of anesthesia practitioners to abandon their largely verite environment and embrace ordinateur systems may signal something more than instinctive
rejection of the new. Their reluctance, often dismissed by technologists as Luddism, may well be based in quite rational concerns about maintaining robust, easily comprehended, reliably controlled system configurations and the powerful character of verite. The second, more general observation has to do with design. Technological progress can be seen as having relieved the designer of constraints that formed a straightjacket around design. But even as technical evolution relaxes the constraints on technologists’ ability to create systems, it imposes on the designers a new burden. This is the burden of understanding in detail the ways in which those prior constraints led to the design of comprehensible, operable systems of restricted scope and manageable complexity. To maximize operator performance and build robust systems it is necessary to capture and present these qualities in new systems. The need to fully comprehend the how operators manage technical processes may be as quite constricting a garment as the limits previously imposed by a world of levers and valves.
Acknowledgments Fred Gamst, Charlie Billings, Erik Hollnagel, and Penny Sanderson helped shape the schema. My coinvestigator, David Woods, who argued that ordinateur should be called virtuel helped, in numerous discussions over several years, to erect the scaffold on which the schema hangs. Support for some of the research that gave rise to the schema was provided by the Anesthesia Patient Safety Foundation.
References [1] C. E. Billings, Aviation Automation: The Search For A Human-Centered Approach. Hillsdale, NJ: Lawrence Erlbaum Assoc., in press. [2] R. I. Cook, S. S. Potter, D. D. Woods, and J. S. McDonald, “Evaluating the Human Engineering of Microprocessor-Controlled Operating Room Devices,” Journal of Clincal Monitoring, vol. 7, pp. 217-226, 1991. [3] R. I. Cook and D. D. Woods, “Operating at the Sharp End: The Complexity of Human Error,” in Human Error in Medicine, S. Bogner, Ed. Hillsdale, NJ: Lawrence Erlbaum, 1994, pp. 255-310. [4] R. I. Cook and D. D. Woods, “Adapting to New Technology in the Operating Room,” Human Factors, in press. [5] R. I. Cook and D. D. Woods, “Implications of Automation Surprises in Aviation for the Future of Total Intravenous Anesthesia (TIVA),” Journal of Clinical Anesthesia, in press. [6] J. A. Dorsch and S. E. Dorsch, Understanding Anesthesia Equipment: Construction, Care and Complications,
Third ed. Baltimore: Williams and Wilkins, 1994. [7] F. C. Gamst, The Hoghead: An Industrial Ethnology of the Locomotive Engineer. New York: Holt, Rinehart and Winston, 1980. [8] E. Hollnagel, P. C. Cacciabue, and J.-M. Hoc, “Work with Technology: Some Fundamental Issues,” in Expertise and Technology: Cognition and Human-Computer Cooperation, Expertise: Research and Applications, J.-M. Hoc, P. C. Cacciabue, and E. Hollnagel, Eds. Hillsdale, NJ: Lawrence Erlbaum Associates, 1995, pp. 1-15. [9] B. Latour, Aramis or the Love of Technology. Cambridge, MA: Harvard University Press, 1996. [10] S. L. MacFarland, America's Pursuit of Precision Bombing, 1910-1945. Washington D.C.: Smithsonian Institution Press, 1995. [11] N. McKillop, Ace Enginemen. London: T. Nelson Publishers, 1963. [12] N. Sarter and D. D. Woods, “How in the world did we ever get into that mode?,” Human Factors, vol. 37, pp. 5-19, 1995. [13] W. G. Vincenti, What Engineers Know and How They Know it: Analytical studies from Aeronautical History. Baltimore: Johns Hopkins University Press, 1990. [14] D. D. Woods, L. Johannesen, R. I. Cook, and N. Sarter, Beyond Human Error. Dayton, OH: CSERIAC, 1994.
