Mode ambiguity

  A common pattern of operational failure is of coordination or cooperation problems, due to mode ambiguity.

  Often, the source for the ambiguity is that the mode set is not defined formally in the system specification documents, and thereof, is missing from the system design.

  Many legacy systems implement algorithms for inferring the operators intention based on the history of the operators commands. However, it sometimes happens that the operator's intention is different from that obtained by these algorithms.

The problem of implicit mode setting

If during the operation, the operational scenario is implicit, then the machine does not have any means to learn about the operator's intention, namely, which of the possible scenarios is active.

Examples

A common source of operational failure is when an operator performs a maintenance procedure when the system is in functional mode (such as production).

• 1967 Torrey Canyon Supertanker disaster. The operator was not aware of the navigation in control mode, in which the steering rod was disconnected from the wheel at the helm
• 1979 TMI nuclear power plant accident. The operators were not aware of the backup pumps being closed following a maintenance procedure.
• The user of a home TV system changes the Sources state unintentionally, and consequently, assuming the wrong mode, s/he cannot find a particular station ( more).

Other examples

Nagoya, Asiana 214

The principle of explicit modes

  In order to prevent scenario ambiguity, the states defining the scenario (operational situation) should be defined explicitly, and represented in the rule database.

Related topic

Updated on 29 May 2016.