Safe Systems Through Better User Interface

1
Safe Systems Through Better User Interface

• By Niall Murphy

2
Roadmap

• What is the connection between user interface and
  safety?
• What is the tradeoff between usability and
  safety?
• What kind of features in the interface are
  related to safety?
• How should we validate the user input?
• What kind of safety related parameters should be
  presented to the user?
• How should we alarm the user ?

3
Safety-design Connection

• Sometimes the worst accidents take place on
  perfectly functioning hardware and software that
  the operator simply misunderstood or misused
  because of a deficient user interface.
• When you analyze the safety properties of a
  system, its important to ensure that the design
  is both true to the safety requirements and
  robust enough to tolerate certain failures.

4
The Usability vs. Safety Tradeoff

• To provide safety, you must often make the user
  work harder.
• Many situations involve a direct trade-off
  between usability and safety.
• Example Therac-25 - cancer irradiation device.

5
The Usability vs. Safety Tradeoff

• Therac-25
• One of the safety features in the original design
  was that all the settings for the device had to
  be entered through a terminal, as well as on a
  control panel.
• This was seen as redundant by users of a
  prototype, so the design was changed before
  release so that the settings could be entered on
  the terminal alone.
• Once the settings were accepted by hitting the
  return key, the user was asked to confirm that
  the settings were correct.

6
The Usability vs. Safety Tradeoff

• Therac-25
• With repetition, the action became like
  double-clicking a mouse, and thus the settings
  were never really reviewed.
• Because of a bug in the software, though, some
  settings werent properly recorded.
• The user of the device didnt review the
  confirmation message (which included the wrong
  data).
• The outcome several people were killed !!
• Note too that the later design was more
  susceptible to the simple user error of entering
  a wrong value.

7
The Usability vs. Safety Tradeoff

• Often, safety measures can serve this dual
  purpose of protecting against device error and
  user error.
• Example intensive care medical ventilators.
• A pressure valve opens at a fixed pressure limit.
  An alarm sounds and the patient is exposed to
  room air pressure in the fail-safe state.
• This feature protects the patient against an
  electronic or software fault that may deliver a
  large volume of gas, as well as from a user
  accidentally setting 3.0 liters rather than the
  intended 0.3 liters.

8
Types of Information

• Three types of information must be presented
  clearly
• Direct feedback to actions taken by the user
  (validating inputs).
• Monitored parameters of the system.
• Alarms that alert the user, usually audibly, to
  unusual patterns in the monitored parameters.

9
Validating Input - Irreversible Actions

• If the user can easily perform irreversible
  actions, a mistake may have serious consequences.
  The system must make it obvious that an important
  action is about to take place.
• Asking the user to confirm an action is common,
  but not necessarily the best approach. (as we saw
  in the Therac-25 example).
• Sometimes, making the action different from usual
  user actions is enough.

10
Validating Input Irreversible Actions

• Example a piece of medical equipment might have
  an apply to patient button that would be
  pressed only when the adjusted settings are to be
  made active on the patient.
• This button can be placed a distance from the
  other input controls, just as the power switch on
  a desktop computer is not placed on the keyboard.

11
Validating Input Removed Risks

• The system can attempt to guarantee that risk has
  been removed before proceeding.
• Example paper-cutting machines.
• You can remove this risk by placing two buttons
  on either side of the machine, which the user
  must press simultaneously to lower the blade.

12
Validating Input Ambiguity

• Construct dialogs that are clear and unambiguous.
  Example
• Note that this example also breaks the earlier
  rule that irreversible action buttons should be
  placed far from any other button. It is better to
  place the ACCEPT button left to the screen.
• A state of emergency is obviously the worst time
  to make a mistake In this case, it is also the
  most likely because of the stress that user might
  be in.

13
Monitoring

• Monitored values are the users window into the
  process. The monitored values should tell the
  user the state of the system at a glance.
• An alarm that only detects whether the settings
  are being applied isnt sufficient in a
  safety-critical system.
• Monitored values will tell the user when hes
  approaching the danger zone, while alarm can only
  give indication when the values are in the danger
  zone itself

14
Monitoring

• The problem with relying solely on settings and
  alarms is that alarms simply cant react quickly
  enough
• If you set alarm bands so tightly that a slight
  system anomaly causes an alarm to sound, youll
  see a lot of false alarms.
• If the bounds are set widely enough to avoid
  false alarms, alarms wont occur as early as
  youd like when a parameter slowly drifts out of
  its desired range.
• The only solution is to provide monitored
  information that allows observation of the state
  of the system over time.

15
Monitoring Analog and digital displays

• Values displayed in an analog fashion, such as a
  bar graph or an analog needle indicator, are
  quicker to read and better at providing relative
  measures.
• Digital displays are more precise but require
  more concentration by the user.
• Ideally, you should provide both.

16
Monitoring

• If average or recent values are available, the
  user can notice sudden changes in behavior.
• Example monitoring heart beats.

17
Monitoring independent channels

• On the one hand, we should avoid presenting too
  much information, as that could make important
  patterns difficult to decipher.
• On the other hand, when safety is an issue, we
  should present information from as many
  independent channels as possible in order to make
  the system more robust.
• The way to combine this two principles can be
  done by multiplexing the information. Consider
  this furnace display

18
Monitoring independent channels

• Example furnace display
• Two options of displaying the average and current
  temperature monitored by two separated
  thermostats placed on two different sides of a
  furnace. Which display is safer?

19
Monitoring independent channels

• Example furnace display (continue)
• You can argue that a simple alarm can check the
  difference between the two thermostats and
  annunciate if the difference becomes too large.
  But
• During warm-up or cool-down, the differences may
  be larger than those seen during quiescent
  conditions.
• If an alarms tolerance is set wide enough to
  cover all possible situations, it may be wide
  enough to allow a faulty sensor to pass its test.
  This leaves you back at square one

20
Alarms

• Safety-critical systems require both an alarm
  system and a monitoring system to provide
  warnings of device failure and to warn of
  possibly dangerous patterns in the monitored
  parameters.
• There are two ways to display alarms to the user
• Text lists (LCD or VDU).
• Dedicated alarms (visual or audible).

21
Alarms Text lists

• Video display units (VDUs), allow you to display
  an alarm as a text message, rather than requiring
  a dedicated indicator.
• Advantages
• If the number of possible alarms is high then the
  VDU is the only option because of the amount of
  space that would be occupied by many individual
  indicators.
• Example nuclear power station monitoring rooms
  have hundreds of possible alarms.
• The VDU has an added advantage if secondary
  information, such as a value for the monitored
  parameter, can be displayed with the alarm.

22
Alarms Text lists

• Advantages
• A VDU can also order the alarms, either
  chronologically or priority-based. The user can
  be given several filtering options, such as
  displaying only temperature-related alarms or
  alarms that occurred in the last five minutes.
• Several views of the system can provide the user
  with extra insight into the cause of the alarms.

23
Alarms Text lists

• Disadvantages
• Text-based alarms on a VDU may cause confusion by
  giving the user too much information. In an
  emergency, many conditions are annunciated
  simultaneously, challenging the users ability to
  read all of the generated text.
• Its too easy for developers to give a long and
  informative description of the condition.
• An LCD-based VDU may not be bright enough for an
  alarm to be noticed from the far side of the
  room.

24
Alarms Dedicated indicators

• The designer of a critical-safety device may
  choose to present alarms by using dedicated
  alarms (audibly or visually).
• Advantages
• Individual indicators (often LEDs and a label)
  allow a visible pattern to emerge from the
  combination of conditions at any given moment.
• No real-estate competition exists between alarms
  one alarm never forces another off the screen.

25
Alarms Dedicated indicators

• Advantages
• The user knows which condition is associated with
  an indicator and does not have to read a lot of
  text to establish it.
• Disadvantage
• Sometimes, audible alarms are not directional
  enough and the user may need to establish the
  alarms source by glancing at many devices.
• This is particularly true in hospital
  intensive-care units, where each patient can be
  connected to several devices capable of
  generating audible alarms.

26
Alarms

• How can we combine the advantages of dedicated
  alarms and text lists?
• You can effectively compromise by using bright
  indicators for the most urgent alarm, and
  including further information on the VDU.
• Alternatively, you can use a small number of
  indicators for the most important conditions,
  while the less-frequent or less-urgent conditions
  can be displayed only on the VDU.

27
So, what have we seen?

• Safety-design connection.
• Usability-safety tradeoff.
• Types of safety related information.
• Validating inputs.
• Irreversible Actions
• Removed Risks
• Ambiguity
• Monitoring
• Analog and digital displays
• Recent values over time
• independent channels
• Alarms
• Text list
• Dedicated alarms

28
Principles of User Interface Design By Niall
Murphy
29
Roadmap

• Approaches to UI design
• Usability by evaluation
• Usability by principles
• Issues concerning UI design
• Robustness
• Affordance
• Surface area
• Compatibility
• Directed interfaces
• Equal opportunity
• Multiple paths
• Migrating From mechanical to software

30
Interface Design

• There are two fundamental approaches to usability
  design
• Usability by evaluation
• Usability by principles

31
Usability by evaluation

• Dissecting a design to find its strong and weak
  points, with a view to making improvements
• Historically, a lot of usability work is done
  this way
• usability is not considered until someone
  realizes that the product is hard to use
• Pros
• Its easy to criticize an already built design
• Cons
• Its difficult to decide what to improve
• Hard to make changes (product already built)

32
Usability by principles

• Its about deciding ahead of time
• what usability properties will be desirable on
  this interface
• what kind of people will use it
• Pros
• The product's usability features can be discussed
  and documented more powerfully
• Allows transfer of usability concepts from one
  product to another
• Cons
• Sometimes, can you never know how the interface
  would act,
• until you try it

33
Robustness

• Robustness - indicates how well the object
  tolerates rough use and
  carelessness
• A robust user interface is not necessarily
  physically strongbut,
• tolerates improper inputs (or makes them
  impossible )
• protects the device from accidental damage due to
  an incorrect input , and
• Protects the user himself

34
Robustness Spectrum

• From the Sinclair ZX Spectrum (1982) home
  computer's user manual
• "Nothing typed at the keyboard can damage
  this computer."
• It reduced users' anxiety - they would not
  destroy their purchase no matter how many silly
  mistakes they made
• It was sign of good design of the computer- ITS
  ROBSUT
• As a result
• Many programmers wrote their first programs on
  that system, without having to worry about any
  damage a buggy program might cause

35
Robustness Deleting a file

• Deleting a file by mistake
• A robust interface should not allow an accident
  like that to occur easily
• The system could ask users "Do you really want
  to delete VeryImportantFile.txt?"
• system more robust, but
• less usable (now it takes more key strokes to
  delete a file )
• Better - allow an undelete command
• system more robust, AND
• ease of use has not been compromised

36
Robustness confirmation

• In general, asking for confirmation of an action
  is a clumsy way to add robustness
• Using an interface should be as natural as using
  a tool from your toolbox - Your hammer does not
  ask you if you want to hit something, just before
  impact
• In fact, confirming actions often becomes
  automatic
• The user will kit the OK button without reading
  the question,
• therefore, it adds little protection in any
  case

37
Robustness Limiting the users

• Limiting the users - prevent them setting illegal
  values
• Important make the user know he has been
  limited !!
• using an internal limit can have the disadvantage
  that the user may believe that the device is
  acting on the entered input values, while its
  really acting on the limited values
• Its better to limit the user at the time of
  input
• An ATM machine will not allow a request for too
  much money - The system is protecting the user
  from becoming overdrawn

38
Robustness Wording error messages

• A message that says "Illegal action" not only
  gives the user very little information, it also
  suggests that he is a criminal!
• Its better telling the user what is actually
  wrong, something like
  "Can't record no tape inserted."

39
Robustness Wording error messages
40
Robustness error messages

• Ok, so we improved the product, but the
  interface has become less user friendly !
• Devices that tell you what you can and cannot do
  are unpleasant to use
• In many cases you can get the best of both worlds
  
• What happens when you reach the highest channel
  at the TV?
• The TV could beep and flash if the user tries to
  go any higher
• It is much better to wrap around to the lowest
  channel

41
Robustness avoiding error messages

• Users find it unpleasant to be told they have
  made a mistake, so design fewer paths that end in
  error messages.
• error message is like an airbag-it minimizes
  damage once the accident has happened
• Its far better to supply the user with an
  anti-lock braking system, which might avoid the
  accident in the first place
• Input from numeric keypad you can reject
  illegal values
• Input from a dial you can simply limit the
  range mechanically

42

43
Robustness undo

• What about the case where the user performs an
  action that is a valid input to the system and
  then realizes that it was not the appropriate
  action ?
• Undo operation
• The problem
• how much will get undone ?
• Will a second undo go back further into history,
  or will it redo the undone command ?

44
Robustness undo

• An important guideline to a more robust system
• The effort taken to undo the action is equal to
  the effort taken to perform the action in the
  first place
• A tape recorder (and they do exist) with a fast
  forward button but no reverse button
  ..not so robust
• Or - from mode A to mode B 10 steps from
  mode B to mode A 1 step
• Expect your users to be displeased if they are in
  mode B, and entered mode A by accident

45
Robustness undo

• Some exceptions
• When mode A is a safer mode than mode B
• You may then wish to make it quite difficult to
  get into the high risk mode B, but easy to
  escape from it
• This does not make the system easier to use, but
  it surly makes it safer.

46
Robustness undo/ confirmation

• Sometimes, a physical action taken by the device
  cannot be undone
• You cannot unlaunch a rocket!
• In that case, some confirmation is required
• Typing in a complex sequence every time an
  irreversible action is to be done, will reduce
  the chance doing it by accident , or
• Two buttons that are to be pressed simultaneously
  
• But again, avoid forcing the users to confirm so
  many details, so many times per day, that they
  confirm actions automatically

47
Robustness Guidelines

• Avoid too many confirmation messages
• Confirmation of irreversible action should be
  done through typing a complex sequence
• Allow undo action, if possible
• Control the ease of the undo action
• Limit the user from inserting illegal input
• Try to avoid the need of error messages
• Error message should be informative

48
Affordance

• Affordance the property that indicates how
  obvious a devices function is from
  its appearance
• Take a pair of scissors for instance
• The scissors afford holding and cutting!
• Some things are obviously easy to use because you
  can see all of the controls
• The buttons to control the tape may be marked
  PLAY, REWIND, FAST FORWARD, and STOP giving
  further information
• A camcorder with speakers suggests it can play
  sound

49
Affordance
50
Affordance touchscreen

• But what if the device has a less conventional
  control?
• A device controlled by a touchscreen
• The user might not immediately realize that the
  screen's surface is touch sensitive
• Making the on-screen buttons three dimensional
  will hint to the user that they can be pressed
  down just like a mechanical button.

51
Affordance touchscreen
52
Affordance labeling

• What do those buttons actually do?
• Labeling is a delicate art
• Sometimes a button performs more than one action
  -requires two labels
• The double label looks awkward
• POWER does a good job of replacing ON/OFF.
• . , but such replacements are not always
  available !

53
Affordance labeling

• The Microsoft Word 5.0 toolbar
• Is it an ancient Egyptian hieroglyphs??
• icon as a metaphor how much imagination do you
  need?
• The Netscape toolbar

54
Affordance placing buttons

• A common fault in industrial design - to place
  buttons in a symmetrical pattern
• They line them up like soldiers, each one looking
  like the next
• This makes sense if each has a similar meaning
• such as each one representing a different TV
  channel
• But, If the buttons perform separate functions?
• Try to group them according to function
• Use bigger buttons for the more popular functions
  
• and keep the rare-but-nasty functions out of the
  way

55
Affordance placing buttons
56
Affordance pressing in sequence

• If certain buttons, or a number of choices are
  likely to be pressed in sequence
• Arrange them in a left to right ordering (since
  this is the way people read)
• If the path is not trivial use arrows

57
Affordance Guidelines

• The labeling of controls should be clear and
  simple
• Group controls with similar functionality
• Frequently used buttons should be bigger
• If certain buttons are likely to be pressed in
  sequence arrange them in a way which reflect the
  right order

58
Surface area definition

• Surface area - the number of controls available
  and the number of actions that can be
  performed upon them
• A device with more dials, buttons, and displays
  has a greater surface area
• As the number of features in a device grows,
• the design is likely to hide many of them
• Industrial designers who want a simple form
• Mechanical engineers who want fewer parts

59
Surface area more buttons

• A telephone that can access voice mail
• If you still have to use the digits buttons, you
  cant guess its capable to enter the voice mail
• The phone would be far easier to use if the
  buttons ENTER VOICE MAIL, NEXT MESSAGE, and
  DELETE MESSAGE were added
• The phone may look more complex, but you can
  always ignore those buttons
• The more of the user interface's functionality
  that is visible to the user, It will be easier
  to learn and understand the device.

60
Surface area multiplexing a button

• Some of the worst designs are a result of taking
  a product with complex interface, and trying to
  deliver it through a simple front panel.
• Fewer buttons, often require multiplexing them.
• Multiplexing a control when one button has
  several different uses
• An interface will be less usable if the user has
  to decide, whether button "2" means exit voice
  mail, or delete message

61
Surface area multiplexing output

• Output can be multiplexed as well
• A single LED might indicate power on most of the
  time, but it can flash to indicate low battery at
  other times
• A single numeric display can show temperature at
  one stage, and the time of day at another point
• The user should have some hint,
• to show which mode it is in
• AM/PM indicator
• Having many displays would make life easier on
  the user, not harder
• Assuming that the displays are properly labeled

62
Surface area Guidelines

• A device with many function should have as many
  controls
• Try to make the functionality of the device as
  visible as possible through the surface area
• Avoid multiplexing input controls and output
  displays
• If multiplexing is unavoidable, give sufficient
  indication

63
Compatibility

• Three levels of compatibility should be in an
  interface
• Compatibility between what the user expects and
  what the user gets
• Compatibility between different products of the
  same type
• Compatibility between the device and its
  surroundings

64
Compatibility expects-gets

• A lever-operated press moves down when
• the arm is raised and up when the arm
• is lowered
• Good engineering
• Bad usability the user may revert to the more
• natural mapping in an emergency, thus causing
• an accident
• But in software (GUI), engineering issues are not
  relevant
• So UP buttons should be above DOWN buttons
• In general, you do not want to surprise the user

65
Compatibility between products

• Compatibility between products is not such a
  simple issue
• The history of products in your market may
  dictate rules, even if
• a better way of doing the job has been found
• Predecessors of a particular piece of equipment
  may have set a precedent for the way certain
  operations are performed
• Engineers often find this frustrating - their
  elegant design is being soiled by unfair
  requirement created by history
• ?
• Even though you have a good product, if its not
  compatible with the majority, users will think
  twice before purchasing it

66
Compatibility between products

• The same functions should be similar on different
  devices
• ISO 9995 has set a standard for the arrangement
  of letters on the buttons of a telephone or other
  numeric keypad
• Though phones the world over still vary in the
  placement of letters
• Annoyingly, numeric keypads on computers are
  upside-down when compared to the telephone
  standard

67
Compatibility between products

• The symbols on the main buttons of a VCR have
  also been standardized
• though the rest of the controls on the VCR may
  vary greatly-even within one product line.

68
Compatibility between products

• Some standards are not so quickly accepted
• ISO 8601 is a standard for date and time formats.
  It dictates a yyyy-mm-dd format for dates
• Europe uses the dd/mm/yy format
• The U.S. uses the mm/dd/yy
• The ISO standard is a more logical format
• It starts with the most significant unit and then
  moves to the successively smaller units as you
  read it from left to right
• It has a distinct advantage - it can be sorted
  chronologically (since the most significant unit
  is to the left )
• This standard is common only in Japan and a few
  other countries
• The other formats are so well established - so
  the vast majority of the world doesnt use it

69
Compatibility between products

• If no standard is in place
• At least try to ensure that all products
• from the same type/company, are
• compatible
• In a rack stereo system, the on/off button for
  each one should have similar positioning
• Compatible mental models and behavior are more
  important than compatible appearance
• Matching interactions is more important than
  matching the color or the company logo

70
Compatibility surrounding environment

• You must also attempt to be compatible with the
  surrounding environment
• If the device will be used in a noisy
  environment, very quiet alarm sounds will not be
  appropriate
• A pocket calculator may be used by students in a
  quiet library, so you do not want it to make loud
  key-click noises
• But sometimes you will not be able to guess the
  environment in advance
• An automatic teller machine lobby with mirrored
  walls, to prevent customers feeling
  claustrophobic, would make the user's key
• presses - including their PIN-visible from
  almost anywhere in the lobby !

71
Compatibility Guidelines

• Dont surprise the user (what you see is what you
  get)
• Design the UI to be compatible with other
  similar devices
• Apply international standards if possible
• Be compatible with the surrounding environment

72
Directed interfaces definition

• Some interfaces strongly suggest a direction
• A question-and-answer session provides an
  interaction where the direction is dictated by
  the user interface-
• That type of interaction is considered directed
• In a car dashboard You start the ignition and
  any number of things are available for you to do
  
• This is a non-directed interface

73
Directed interfaces when to apply

• When should you design a directed interface?
• When the device has a single simple goal
• It also good for the novice user

74
Directed interfaces when to apply

• What about non-directed interface?
• It provides more power to the user who knows how
  to navigate the device's features
• Sometimes you can combine both
• An ATM will give you little or no options until
  you have entered your card and personal
  identification number
• Once the card has been validated, you get much
  more flexibility

75
Directed interfaces Guidelines

• Novice users usually prefer directed interfaces
  with an obvious path
• Non-directed interfaces are more powerful but
  more difficult to use
• Try to combine directed and non-directed
  interface if needed

76
Equal opportunity

• Equal opportunity- The principle of using a piece
  of device output as a
  piece of user input
• Keeping the paths that the user has to follow
  short and simple is always an advantage
• Devices output that can be treated as an input
• A cruise control in a car
• Last caller display on a phone

77
Equal opportunity

• Some windowing systems dont allow the copy
  paste action
• If data is already available, do not force the
  user to enter it again

78
Multiple paths

• If your interface provides more than one way to
  perform a function, ask yourself "Is there a
  reason for each path?"
• When is it necessary?
• When one way is slow but obvious, and another is
  quick but only likely to be known by the expert
  user
• However, if the alternatives are arbitrary, the
  user may assume that there is some difference in
  the result
• Some side effect that he haven't noticed before
  
• This may lead to user discomfort

79
From mechanical to software

• A software-based device can hide the mechanics of
  the device from the user, and
• can greatly increase the amount and types of
  information presented to the user
• Engineers are inclined towards a
  more-information-is-always-better philosophy
• This does not always lead to better interfaces

80
From mechanical to software

• Users want enough information to solve the
  problem at hand
• They may not be as skilled as a typical engineer
• A lot of information is only of peripheral
  interest

81
From mechanical to software fuel

• When converting from mechanical indicator to a
  software-controlled display
• It may be tempting to change the type information
  presented
• A fuel level indicator on a car dashboard
  replaced by a small liquid crystal display
• Variety of information can be presented to the
  user
• In each case the user forms a conceptual model of
  the fuel tank

82
From mechanical to software hidden rules

• When changing the type of information presented
• The user might need to learn some new rules
• Fuel consumption in a traffic jam
• Not everyone reads the user manual
• and the interface does not explicitly tell
  him
• Hidden rules can be dangerous
• If there are too many of them, the user will
  constantly find himself surprised by the device's
  actions

83
From mechanical to software too much info

• Many interfaces fall into the trap of giving the
  user far more precision than they require
• There is little value in telling users
• You have enough fuel for another 31.7 miles
• The vagueness of the needle in this case is an
  advantage
• The needle says
• "I don't know exactly how much further you can
  go, and we are not at the panic stage yet, but if
  you see a gas station, you may as well stop."

84
From mechanical to software too much info

• An alternative may be to present the driver with
  a range of values
• 31.7 miles plus/minus 10 ???
• If the tank is low on fuel, the sensible thing to
  do is fill up at the next opportunity

85
From mechanical to software copy functionality

• The designer may do well to copy the
  functionality of the needle
• This will be less threatening for the new user
  because he can relate easily to his past
  experience with the needle display
• An interface controlled from software could
  control a needle in a number of ways
• Digital needle, use of LEDs
• Whats important is the functionality !
• Users will quickly adapt to a new appearance, but
  not to changes in functionality

86
From mechanical to software Guidelines

• Avoid giving unnecessary information
• Design the software UI to be consistent with its
  mechanical predecessor (do not change the
  functionality)
• When converting from mechanical indicator to a
  software-controlled display dont change the type
  information presented.
• Avoid hidden rules
• Avoid giving the users more precision then they
  require

87
summary

• The interface properties we have talked about
  are
• Robustness
• Affordance
• Surface area
• Compatibility
• Directed interfaces
• Equal opportunity
• Multiple paths
• From mechanical to software

88
Pros Cons

• Cons
• Only few examples
• Many repetitions
• Pros
• Interesting easy to relate
• Use of cynicism

89
Reference

• Leveson, Nancy. Safeware, System Safety and
  Computers . Reading, MA Addison-Wesley, 1995.
• Stanton, Neville. Human Factors in Alarm Design .
  London Taylor Francis Ltd., 1994.
• Neumann, Peter G. Computer Related Risks.
  Reading MA Addison-Wesley, 1995.
• Thimbleby, Harold. User Interface Design. New
  York City ACM Press, 1990.
• Equal Opportunity Tutorial available at
  www.panelsoft.com/tut_equal.
• http//www.interfacemafia.org
• http//cfg.cit.cornell.edu/cfg/design/concepts.htm
  l