Formal Aspects of Procedures: the Problem of Sequential Correctness

In complex human-machine systems, successful operations depend on an elaborate set of procedures provided to the human operator. These procedures specify a detailed step-by-step process for configuring the machine during normal, abnormal, and emergency situations. The adequacy of these procedures is vitally important for the safe and efficient operation of any complex system. In high-risk endeavors such as aircraft operations, maritime, space flight, nuclear power production, and military operations, it is essential that these procedures be flawless, as the price of error may be unacceptable. When operating procedures are inadequate for the task, not only will the system’s overall efficiency be thwarted, but there may also be tragic human and material consequences (Degani and Wiener, 1993). In commercial aviation, for example, crew interaction with the aircraft is specified through a set of Standard Operating Procedures (SOPs) (Federal Aviation Administration, 1995). In the event of a normal task (e.g., configuration of the aircraft before takeoff), an abnormal condition (e.g., high engine temperature on start-up), or an emergency situation (e.g., engine fire), procedures are set in place to support the crew in managing the situation. Procedures assist the crew along a path of pre-defined sequences of actions; the objective is to quickly “drive” the system to some safe, yet still efficient, configuration. It must be recognized, however, that an unpredictable constellation of circumstances including machine (e.g., component failure), human (e.g., making a mistake), and environmental factors (e.g., low ambient temperature) can interfere with operations and lead to a sub-optimal configuration (see Mosier, Palmer, and Degani, 1992, for one example). From the organization’s point of view, a procedure represents a collective agreement on the “best” way to achieve both safe and efficient operations (Wieringa, Moore, and Barnes, 1992). Nevertheless, there are many documented cases in which the procedures provided to the crews are not the “best” (Degani and Wiener, 1997). For example, one U.S. airline’s abnormal procedure for coping with asymmetricalflap-extension (which can have a significant effect on lateral control of the aircraft) had to be rewritten when it was found to be inaccurate. The problem? The power supply for activating the flaps following asymmetrical flap extension, was different from the standard configuration for this model aircraft. The airline that originally specified the non-standard power supply configuration failed to modify the procedure accordingly. (The inaccurate procedure was in effect for some five years before it was detected). Based on our survey of several U.S. airlines, we have noted that the process of designing a procedure is accomplished informally. That is, a Flight Manager and/or several experienced pilots discuss and then (re)-design the procedure based on their knowledge, experience, and intuition. Once the procedure is reviewed by the regulating agency’s (e.g., FAA’s) inspector, the procedure is approved, accepted, and provided to all flight crews. Other industries that we surveyed, such as nuclear power, maritime, and space, use similar procedural design processes. We believe that current procedural design processes should be augmented with an in-depth evaluation of the procedure in terms of its [1] sequential correctness, [2] ability to deal with out-of-norm configurations, [3] compatibility with the user interface, [4] vulnerability to human error, [5] capability of meeting the demands from the operational environment, and [6] consistency with other procedures and policies. In this paper we suggest an approach for describing and analyzing procedures in terms of sequential correctness.