Mon Nov 24 05:38:54 PST 2014

Human factors: Disruption: How is disruption of work controlled?


Options:

Option 1: No disruption defenses are used.
Option 2: Settings are configured to limit known disruptions where feasible.
Option 3: Different displays are used for different functions to limit interactions.
Option 4: Different inputs are used for different functions to limit interactions.
Option 5: Input and output are fully controlled to avoid overlap and focus changes.
Option 6: Multiple processors or real-time operating systems are used to support performance requirements.


Decision:

We recommend as follows:

Consequence Other condition Approach
High Custom implementation Input and output are fully controlled to avoid overlap and focus changes.
AND Multiple processors or real-time operating systems are used to support performance requirements.
High No custom implementation Do not operate high consequence systems in this mode.
Medium Custom implementation [Different displays are used for different functions to limit interactions. AND Different inputs are used for different functions to limit interactions. ]
AND/OR Multiple processors or real-time operating systems are used to support performance requirements.
Medium No custom implementation Settings are configured to limit known disruptions where feasible.
AND Multiple processors or real-time operating systems are used to support performance requirements.
Low Always Settings are configured to limit known disruptions where feasible.
Methods to deal with disruption at the human interface

Basis:

Human factors: Disruption: How is disruption of work controlled?

Work disruption typically comes in 2 forms:

In either case there is often the potential for harm in that the disruption may result in, for example:


Multiple processors or real-time operating systems are used to support performance requirements: Because shared resources or priority interrupts may lead to disruption, in systems where (1) real-time performance is important, (2) loss from delayed input handling, or (3) bad decisions may result from old data displayed, performance must be assured at the user interface. This is typically done either by the use of a real-time operating system or multiple non-interfering processors. Priority interrupts are particularly problematic in these situations and must be carefully managed.

Input and output are fully controlled to avoid overlap and focus changes: As an example, mechanisms may be implemented in different ways, through different interfaces, or using a layout that prevents interruption and focus changes. At one extreme, all displays and controls are given their own physical devices so that no interaction is possible and each is independent of the other. At the other extreme, a single display. has relevant information and areas where different sorts of input and output occur and appear so that outputs do not interfere with inputs and different priorities are in different locations.

Different inputs are used for different functions to limit interactions: Multiple input methods are used so that input to different applications come from different devices. For example, a separate input device may be used for a critical application with input controlled by the application rather than as a part of the general inputs used by the operating system so that operating system or other application inputs cannot intercept the input mechanism..

Different displays are used for different functions to limit interactions: Multiple displays are implemented so that disruptive output is applied to different screens for different purposes. For example, a special display may be used for a critical application with output controlled by the application rather than as a part of the general display used by the operating system so that operating system or other application outputs cannot appear on the display.

Settings are configured to limit known disruptions where feasible: To the extent that settings allow disruptions to be disabled, they are configured so as to eliminate the known disruptions. For example, when doing a slide presentation, if there are settings to prevent windows from appearing above the presentation, they are configured to so limit disruptions. This is always desirable unless a stronger method is in place, and even then, it doesn't hurt.

No disruption defenses are used: No special measures are taken to disable interruptions, leading to the sorts of problems identified above. We never advise this, since the difficulty of doing something is low enough that it "pays for itself" very quickly.


Custom implementation: In custom implementations, higher surety methods are available, while most off-the-shelf mechanisms don't support anything more than limited settings.

Copyright(c) Fred Cohen, 1988-2015 - All Rights Reserved