Sage Journals: Discover world-class research

Abstract

This article presents an experience-based research effort on human–systems integration (HSI) verification principles for commercial space transportation (CST). CST HSI safety, efficiency, and comfort are analyzed with respect to four critical areas: (1) design and layout of displays and controls (we assume that displays and controls are computer based), (2) mission planning, (3) restraint and stowage, and (4) human factors in vehicle operations. HSI is analyzed using most recent approaches in human-centered design, which integrates technology, organization, and people from the very beginning of the design process and all along the life cycle of systems, including manufacturing, delivery, training, operations, and dismantling. CST HSI verification principles for the four critical areas are provided in the form of recommendations structured along with the five concepts of the AUTOS pyramid.

Introduction

This article presents a research effort on human–systems integration (HSI) verification principles for commercial space transportation (CST), carried out at Florida Institute of Technology by the Human-Centered Design Institute (HCDi). It supported Federal Aviation Administration (FAA) research, engineering, and development goal of “human spaceflight safety,” by decreasing the probability of vehicle failure due to HSI issues considering appropriate safety, efficiency, and comfort requirements.

We used our knowledge and experience in the aeronautical domain (mainly in flight tests and verification) and the space domain (mainly NASA space shuttle). We focused on (not exhaustive list) mental and cognitive processes,^1–3 crew resource management,^4,5 operational complexity,^6–13 workload assessment,^14,15 human error, human reliability and resilience engineering,^16–19 human–automation issues and function allocation (FA),^20–25 and psychophysiological issues.²⁶

An extended literature review has been performed. This article includes a description of relevant academic research (including physical, social, and life sciences) and best practice of relevant industries on HSI CST verification. We describe what we mean by HSI, as well as what we have done in the four following critical areas: (1) design and layout of displays and controls (we assume that displays and controls are computer based), (2) mission planning, (3) restrain and stowage, and (4) human factors in vehicle operations.

HUMAN–SYSTEMS INTEGRATION

Human-centered design (HCD) integrates technology, organization, and people from the very beginning of the design process and all along the life cycle of systems, including manufacturing, delivery, training, operations, and decommissioning. HCD promotes a proactive approach as opposed to the traditional reactive approach (i.e., corrective human-factors and ergonomics (HFE) performed when systems are fully developed). HCD supports the making of effective, efficient, and sustainable systems by identifying possible adverse effects related to human health, safety, and performance using modeling and human-in-the-loop simulation (HITLS).

ISO/IEC definition²⁷: HSI is an approach to systems design and development that aims to make interactive systems more usable by focusing on the use of the system and applying human factors/ergonomics and usability knowledge and techniques.

For that matter, we need to define the following three approaches: HFE, human–computer interaction (HCI), and HSI. Summarizing, for the past 60 years, HCD sociotechnical evolution can be decomposed into three phases (Fig. 1):

Fig. 1.

Evolution of human factors and technology (adapted from Boy^31(p.29)).

• HFE that was developed after World War II to correct engineering productions with respect to human factors principles and criteria, and generated the concepts of human–machine interfaces, commonly called user interfaces and operations procedures.

• HCI that started to be developed during the 1980s to better understand and master interaction with computers; it contributed to shift from corrective ergonomics to interaction design.

• HSI that emerged from the need of considering human factors during the whole life cycle of systems engineering (SE); SE and HCD combined incrementally leads to HSI.

In other words, engineering was always first and humans had to be helped to adapt to technology. This adaptation went progressively from the design of user interfaces and operation procedures, to support human–machine interaction, and today to HSI. HCD is now possible because we have very realistic modeling and simulation (M&S) capabilities, and can run HITLS very early, so emerging HSI properties can be identified and considered in design, development, testing, verification, and finally validation. This participatory design can be achieved with professional experts from the beginning of the design and development process. HITLS realism and participation of realistic human operators increase together with technology maturity and maturity of practice. HSI is typically achieved using an “agile systems engineering” approach,^28,29 which consists of an incremental cycle that includes rapid prototyping using advanced tools, testing, analysis, and redesign.

We also need to present important concepts that have been used in this research effort. We have been using the AUTOS pyramid as a framework that helps rationalize HCD and engineering.³⁰ First, the AUT triangle (Fig. 2) enables the explanation of three edges: task and activity analysis (U-T), information requirements and technological limitations (T-A), and ergonomics and training (procedures) (T-U). Artifacts may be spacecraft or systems, devices, and parts, for example. Users may be astronauts, including pilots, mission specialists, cabin crew, and possibly tourists. They may be stressed, making errors, old or young, and in various kinds of mood. Tasks vary from handling quality control, flight management, managing the passenger cabin, repairing, and communication with mission control to team cooperation and coordination. Each task involves one or several functions that CST actors must learn and use. Second, the AUTO tetrahedron introduces the organizational environment, which includes all team players, called “agents,” whether humans or artificial systems, interacting with the user who performs the task using the artifact (Fig. 3). It introduces three additional edges: social issues (U-O), role and job analyses (T-O), and emergence and evolution (A-O).

Fig. 2.

The AUT triangle.

Fig. 3.

The AUTO tetrahedron.

Third, the AUTOS pyramid (Fig. 4) is an extension of the AUTO tetrahedron that introduces a fifth dimension, the “situation,” which was implicitly included in the “organizational environment.” The four new edges are usability/usefulness (A-S), situation awareness (U-S), situated actions (T-S), and cooperation/coordination (O-S). HSI CST verification is analyzed using the AUTOS pyramid, which takes into account human factors (i.e., user factors), systems factors (i.e., artifact factors), and interaction factors that combine task factors, organizational factors, and situational factors. The AUTOS pyramid is typically used as a conceptual framework to structure analysis of the four critical areas already mentioned in the introduction.

Fig. 4.

The AUTOS pyramid.

The AUTOS pyramid is used in this article to describe the various concepts and properties involved in HSI verification principles for CST.

Critical Area 1: Design and Layout of Displays and Controls

This critical area is about HCI in cockpits and firing/mission control rooms. From an HSI perspective, onboard and ground systems should be designed in a holistic manner (i.e., onboard and ground functions and structures should be coordinated). For example, visual displays (i.e., structures), such as flight management displays, and their roles (i.e., functions), such as trajectory control and management, should be coordinated between spaceflight crew and mission control personnel. Factors such as usability, usefulness, safety, comfort, efficiency, and software reliability are key HCI issues, which are tested using appropriate metrics and scenarios. This agile process is iterative and evolving systems incrementally assessed using formative evaluations.

AUTOS Complexity Concepts and Criteria

User experience is linked to human factor issues and cognitive functions involved in the use of a system for executing a prescribed task in specific situations and environments. Human factors mainly include training (expertise), trust, risk of confusion, lack of knowledge (ease of forgetting what to do), workload, adhesion, and culture. Cognitive functions include learning, situation awareness (that involves understanding, short-term memory, and anticipation), decision-making, and action (that involves anticipation and cross-checking). Artifact complexity is supported by system internal complexity and interface complexity.

Internal complexity is related to explanation, in particular, to the degree of explanation of system interaction complexity. There are several concepts related to artifact complexity: flexibility (both system flexibility and flexibility of use); system maturity (before getting mature, a system is an accumulation of functions—the “another function syndrome”—maturity is directly linked to function articulation and integration); automation (linked to the level of operational assistance, authority delegation, and automation culture); and technical documentation (operational documentation).

Operational documentation is very interesting to be tested because it is directly linked to explanation of artifact complexity. The easier a system is to use (i.e., artifact complexity is low), the less related the operational documentation is needed. Conversely, the harder a system is to use, the more related the operational documentation is required and, therefore, it has to provide appropriate explanation at the right time in the right format. As already said, artifact complexity is related to interface complexity. As internal complexity, interface complexity is supported by operational documentation. Content management, information density, and ergonomics rules also support it. Content management is, in particular, linked to information relevance, alarm management, and display content management.

Information density is linked to information-limited attractors, that is, objects on the instrument or display that are poorly informative for the execution of the task, decluttering, information modality, and diversity. The “PC screen do-it all syndrome” is a good indicator of information density (attributes are screen size and zooming). Ergonomics rules may be characterized by clear and understandable language. In particular, error tolerance, redundancy, and information saturation are typical indicators.

Redundancy is always a good rule whether it repeats information for cross-checking, confirmation or comfort, or by explaining the “why,” “how,” and “when.” Ergonomics rules formalize user friendliness, that is, consistency, customization, human reliability, affordance, feedback, visibility, and appropriateness of the cognitive functions involved. Human reliability involves human error tolerance (therefore, the need for recovery means) and human error resistance (therefore, the existence of risk to resist to).

Interruptions are sources of situation complexity, which may involve safety issues and high workload. Situation complexity is commonly analyzed by decomposing the flight into phases of flight. Within each phase of flight, the situation is characterized by uncertainty, unpredictability, and various kinds of abnormalities, which need to be investigated.

Organization complexity is linked to social cognition, organizational complexity, and more generally multiagent management. There are four principles for multiagent management: agent activity (i.e., what the other agent is doing now and for how long), agent activity history (i.e., what the other agent has done), agent activity rationale (i.e., why the other agent is doing what it does), and agent activity intention (i.e., what the other agent is going to do next and when). Multiagent management needs to be understood through a role (and job) analysis.

Task complexity involves procedure adequacy, appropriate air–ground coupling, and rapid prototyping. It is linked to a number of tasks, task difficulty, induced risk, consistency (lexical, syntactic, semantic, and pragmatic), and the temporal dimension. Task complexity is due to operations maturity management, delegation, and mode management. Mode management is related to role analysis.

The Task–Activity Distinction and HSI Complexity

A task is typically prescribed to an individual, a crew, or an organization. We often talk about “prescribed task.” An activity is the effective result of the execution of a task by an individual, a crew, or an organization. We sometimes talk about “effective task.” Task analyses should be performed as soon as possible during the design process. They require expertise and experience from both operational and engineering personnel, as well as HCD teams. Activity observation and analysis requires agile development of prototypes that support HITLS, and, therefore, assessment of HSI complexity. This incremental prototyping/assessment process requires domain expert and experienced human operators.³¹ We generated a set of concepts useful for HSI verification principles for CST.³² These concepts are related among each other. A typical representation is commonly used: concept maps or C-maps.³³

This critical area is devoted to HCI design solutions, generic testing scenarios and criteria, and human factors-based flight tests and verification methods. We have identified a set of relevant human factor issues (e.g., learnability, tolerance, and resistance to human errors and system failures—resilience, cognitive complexity, and stability, attention, vigilance, and engagement), related parameters, their value range, and thresholds of adequate safety.

More specifically, we focus on hazardous commands identification and execution, display and control affordances (e.g., prevent inadvertent activation), crew notification and caution (i.e., warning design, alarm levels, and classification), human–automation FA, and preventing human–automation conflicts. Design and layout of displays and controls are a matter of cognitive function analysis (CFA),^2,30 which is based on the task–activity distinction and HITLS. A cognitive function is typically defined as transforming a (prescribed) task into an (effective) activity. Our research effort started by developing a set of concepts using the AUTOS pyramid framework. CFA has been used in many industrial and research programs, including the WHISPS project.^*,34

HCI/HSI Recommendations

We propose to proceed in three steps to implement a perceived complexity test^†:

• identify systems, components, and attributes in terms of degree of novelty, complexity, and integration;

• identify how requirements apply to selected systems, components, and attributes, and what design aspects require improvements;

• choose means adapted to compliance.

We propose that criteria are categorized with respect to the AUTOS pyramid framework. They are noted C_Ai for a criterion for an A-test (artifact), C_Ui for a criterion for an U-test (user), C_Ti for a criterion for an T-test (task), C_Oi for a criterion for an O-test (organization), and C_Si for a criterion for an S-test (situation). Some of the criteria of a category are inter-related. Each criterion can itself be expressed in terms of low-level measures.³² Evaluation methods are then selected according to the novel instrument to be tested, and used effectively using appropriate criteria and low-level measures. It is strongly advised that expert evaluators perform the tests, select, and use evaluation methods. Evaluators are required to be trained on the rationale of perceived complexity using the various articles and reports produced during this study.

An integrated measurable criteria C_Pi is a function of a set of low-level measures {LLMj}: \documentclass{aastex}\usepackage{amsbsy}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{bm}\usepackage{mathrsfs}\usepackage{pifont}\usepackage{stmaryrd}\usepackage{textcomp}\usepackage{portland, xspace}\usepackage{amsmath, amsxtra}\usepackage{upgreek}\pagestyle{empty}\DeclareMathSizes{10}{9}{7}{6}\begin{document} \begin{align*} {{ \rm{C}}_{{ \rm{Pi}}}} = f \ \left( { \{ { \rm{LLMj}} \} } \right) , \end{align*} \end{document}

where “P” could be A, U, T, O, or S, and “i” and “j” are numbers corresponding to either a criterion or a low-level measure. For example, a C_Ti can be the “difficulty of a task” that can be an integrated function of the following low-level measures, “time to execute the task,” “number of subtasks,” “levels of recursion of the various subtasks,” and “degree of parallelism of subtasks.”

The construction of the “f” function depends on the application defined with respect to the AUTOS pyramid, that is, it depends on the artifact (new instrument) to be tested, the type of user (pilot) participating in the test, the task being performed during the test, the organizational context of the test, and the situational context of the test. For any C_Pi, both selection of the {LLMj} set and construction of “f” need to be performed in a participatory way, where participants should be chosen among human factor practitioners, engineers (both from the manufacturer and airworthiness authorities), and end users (i.e., pilots).

Critical Area 2: Mission Planning

Definition of Mission Planning

Mission planning, broadly speaking, involves numerous sets of activities, plans, and schedules that “organizes and schedules activities the crew, as well as space and ground-based systems, must do in both the short and long term.”^{35(p. 826)} In the scope of commercial spaceflight operations, mission planning is very broad. It includes both orbital and suborbital missions, manned and unmanned, short- or long-duration missions (hours to days). Furthermore, every mission will have different objective(s) and use various launch vehicles, reusable spacecraft, and (suborbital) “space planes.” As such, the goal of HCD-driven mission planning is to ensure safety, crew well-being, efficiency, and effectiveness, which should be emphasized during the mission planning stage. Interactions between technology, organizations, and people are an integral part of an HCD mission planning. An example of mission planning is the following:

(1) Mission objectives and goals

(2) Orbit/suborbit and trajectory description and orbital plans

(3) Payload description and operation

(4) Ground and space element description and operation

(5) Mission phases

(6) Description and techniques of mission operations

(7) Mission rules and method of verification

(8) Flight safety issues

Elements of mission planning will be assessed in the context of commercial spaceflight to determine human-centered verification recommendations. Mission planning is within the systems lifecycle of a critical subsystem that defines operational constraints: the actual operation, the operational environment, and the interaction of the already listed elements.

Most notable factors of aeronautical accidents are human and organizational factors.^19,36 The authority structure, organizational culture, and mission precedence in strategic and tactical terms determine mission design and planning. As noted in the Lessons Learned from Challenger³⁷ report, management structure had led the decline of safety culture, atrophy of safety management system (including robust error reporting system), and emphasis on cost and time reduction.

Organizational safety culture performance peaks after an accident and subsequently declines after consecutive nominal flights.³⁷ Consequently, human and organizational complacency should be constantly addressed. As indicated in the report,³⁷ “… [Challenger] Shuttle accident and the 1967 Apollo accident both have confirmed that without independent SRM&QA^‡ oversight, sooner or later, the urgent demands of meeting costs and schedules will lead to imprudent decisions affecting safety risks.” This is very applicable in commercial spaceflight where organizations are under pressure to meet mission and schedule requirements due to business and financial concerns.

Traditional organizational models in spaceflight remain very hierarchical model. This was certainly the case in the Apollo and Shuttle accidents.³⁷ More recently, the National Transportation Safety Board (NTSB) discovered in its investigation of the Virgin Galactic Space Ship Two accident, that there was pressure to complete the fourth powered flight (PF04) to remain on program schedule.³⁸ It was stated by the Virgin Galactic's Vice President of Engineering that the pressure was not “undue or unreasonable.”³⁸ In its findings, the NTSB stated that Virgin Galactic failed to consider human factor issues during design and operations of Space Ship 2. Furthermore, mission planning and flight procedures did not consider human error as causation for premature feather unlock.³⁸

In this context, an approach based on the Orchestra model³⁹ (i.e., the distribution of organizational authority and the distribution of tasks and FA) will be used for the development of solutions, guidelines, recommendations, and rules. A common frame of reference, which includes shared terminology, should be developed (i.e., music theory). Each actor (i.e., musician) knows how to control his/her system (i.e., instrument) based on clear and coordinated procedures and problem solving protocols (i.e., scores) defined by HSI specialists (i.e., composers). Finally, actors are coordinated at performance time by skilled technical managers (i.e., conductors). Of course, the validity of the Orchestra model as a metaphor should be extended to orchestras of orchestras (i.e., systems of systems) where there will an accountability problem to solve (i.e., in the end, there will be an overall conductor for the overall system).

The Orchestra model supports FA among people and systems. Within the scope of spaceflight, skilled operators must adapt within a constantly changing environment, and, therefore, FA should be a dynamic activity among mission planners. Consequently, dynamic FA requires scenario-based design.

Although agents have respective tasks that they perform through related functions based on their specialization and competencies (musicians), lateral flow of information enables:

• Plan for unforeseen dynamics during mission planning.

• Greater transparency among various stakeholders.

• Realign launch commit decision from single authority to multidisciplinary team

The various human agents involved exchange information dynamically in a shared decision-making process. However, the high degree of automation among the human agents may lead to chaos among the agents when technology maturity is still low.³⁹ A process of mediation as described by Boy³⁹ is ideal for implementing an Orchestra model wherein multiple agents and systems must interact in a complex environment. This is achieved by a mediation agent(s) that synthesizes information and input from all the human agents involved.

It is critical that the mission planning group/mediator group (the composers) be a multidisciplinary team integrating and disseminating information among the stakeholders and subsequently reintegrating information from the stakeholders to synthesize a mission plan.

Table 1 illustrates the AUTOS model³⁹ for mission planning activities and associated elements. Once the elements within the context of mission planning are identified, analysis of the relationship(s) between each category and the elements therein can be conducted. Subsequently, tasks analysis and FA can be conducted.

Table 1.

AUTOS in Mission Planning

Artifacts	Launch vehicle, telemetry systems, communication hardware, mission planning, flight control hardware and software, life critical systems, flight termination systems, electrical/power supply systems, fueling systems, and propulsion systems.
Users	Flight crew, mission planning team, ground ops team, processing and integration team, mission assurance and safety team, and launch team.
Tasks	Flight planning, simulator rehearsal, environmental planning, safety planning, mission objectives, human–machine interaction, flight procedures, and crew training.
Organization	Company culture, safety culture, project management style, financial goals, company vision, and mission.
Situation	Mission deadline, processing and integration cycle, environmental factors, emergent functions, stakeholders demands, launch commit criteria, nominal and off-nominal conditions, organizational culture, and social–technical factors.

The AUTOS model provides an in-depth and holistic approach to analyzing complex systems. Within the context of mission planning, relationships among the AUTOS categories are as follows:

• Artifact-User—training and procedures that impact the users (flight and ground personnel) in the use, maintenance, and planning of spaceflight vehicles and operations.

• User-Task—activity analysis; Ergonomics and training procedures. HCD of flight systems, controls, and cockpit for adapting the artifact to the user. In the case of mission planning, an HCD approach to defining training processes and operation procedures that contributes to adapting user to artifact in various operational environments. Train, prepare for, and mitigate event-driven anomalies.

• Task-Organization—role analysis; introduction of a new artifact in the organization changes roles and jobs, this needs to be analyzed. Organizational culture in relation to spaceflight operations, business objectives, and safety culture.

• Organization-Situation—coordination and cooperation; how the organization treats and reacts to users/personnel in relation to nominal and off-nominal situations, as well as organizational reactions to personnel involvement in safety culture and decision-making.

• Situation-Artifact—usability; design and development of the spaceflight system based on various use cases, scenarios, and conditions.

Training program should emphasize safety response training for the spaceflight participants (SFPs) within cabin and cockpit, and incorporate:

• SFP response to cabin emergencies (smoke, fire, loss of cabin pressure, and emergency exit)

• SFP response to medical emergencies (crew or SFPs incapacitation)

• SFP response to adverse psychological state of other SFPs (SFPs experience panic attacks, or other mental adverse conditions)

Future work would focus on refining the AUTOS model and the complexities within mission planning. This would be followed by partnership with commercial spaceflight companies to test methodologies within mission planning context to further refine the recommendations. In addition, training and procedures for SFPs would be developed based on vehicle type, mission profile, and organizational culture. Lastly, an analysis of all prior accidents in human spaceflight would be conducted to identify common casual (human) errors to develop mitigation strategies and recommendations for commercial human spaceflight.

Mission Planning Recommendations

(1) Organizational design and authority allocation require analysis of open channels of communication and information exchange. No single agent (individual) should possess the authority to commit to launch. Launch commit decision should be a shared decision-making process among experienced subject-matter experts of equal standing.

(2) Commercial spaceflight companies need to make reasonable efforts to create a shared decision-making environment as stated in recommendation (1). The shared decision-making structure must be officially documented and practiced for every launch. Companies must submit proof of a shared decision-making organizational structure to the FAA.

(3) Human error, at the organizational, operational, engineering, and crew performance levels, can have catastrophic consequences on human spaceflight. Hazard and safety planning must incorporate (a) plans for checks and balances to mitigate authority pressure to launch, (b) determine and enumerate possible and probable operator errors prelaunch and in-flight, (c) each flight must be prepared for possible human errors and lapses in HCI, a formalized human error hazard plan with mitigation and response methodologies must be prevented (consider it as par of the “flight plan”).

(4) Taking into consideration the natural tendencies for organizations to develop complacency in safety culture and distribution of authority, an anonymous safety reporting system must be implemented at the various commercial spaceflight companies. We have a long successful experience in the aviation domain wherein the Aviation Safety Reporting System (ASRS) works since 1976 and has proven to be very useful. In the CST domain, we need to develop a safety culture that promotes responsibility and accountability that will support such a reporting system. The system(s) must enable the FAA-AST to easily access data, conduct metasearches and meta-analysis, and conduct safety audits. Measures must be taken to mitigate possible efforts within individual organizations to minimize safety reporting.

(5) Ensure organizations safety and mission assurance organization is independent and adequately removed from the organizations business, financial, and flights operations influences.

(6) Train SFPs for myriad of off-nominal conditions based on (a) cabin/systems failure, (b) SFP incapacitation and medical response to by other SFPs, (c) crew–SFP coordination and training.

(7) Use of high-fidelity vehicle mockups to train SFPs for off-nominal situations.

Critical Area 3: Restraint and Stowage

Restraint of the spaceflight crew or SFPs is an essential component and contributor to human spaceflight (HSF) safety. Human restraint is a very complex topic involving flight profile, seat design, spacesuit design, rescue and emergency systems, and human functions. Restraints and stowage during HSF can be categorized according to environmental conditions of physical, individual, and social environment and according to humans' and systems' functions.

Currently, on the International Space Station (ISS), crewmembers typically restrain themselves by simply hooking their toes or arms around handholds or other parts of the station that afford themselves as restraints (Crew Restraint Design for the ISS by Norris et al.⁴⁰)

… restraints are especially important for tasks that require the crewmember to remain in one stable posture for an extended period of time. (Risk of Incompatible Vehicle Design, by Whitemore⁴¹)

FAA restraining system requirements for an aircraft are⁴²:

• comfortable and adjustable, with protection against acceleration,

• intuitive, and

• have locking mechanism to be released with one hand.

Another aviation/fighter jet reference can be considered due to high performance of the system design of fighter jet ejection seat that allows for full cockpit operation as well as maximum safety recovery by ejecting the pilot outside the vehicle (first landing of the human has used ejection system—Vostok spacecraft, as well as the first four space transportation system vehicles equipped with ejection seat systems, see Jarrett⁴³). The type of the restraint, mobility aid, and stowage should be identified based on cognitive/physical function analysis. Access, selection, and use of the restraints and mobility aids should be highly intuitive without requirements on training.⁴⁴

Environment

Restraint function and design should respond to the flight profile and spaceflight. It is an imperative that the vehicle, which flight profile is passing through different gravity environments, is equipped with restraints for variable gravity levels and flight profiles. Restraints and stowage have to comply with environmental extremes of four major spaceflight phases and have to endure forces that are possible to occur during the flight. EASA⁴⁵ states that the system is tested to, for example, maximum up to 77 kg mass of seat occupant:

• Launch, hypergravity

• Orbital or suborbital microgravity travel

• Orbital with artificial gravity travel

• Descent, deceleration, and hypergravity

Other environments have to be considered to enable functional restraint and stowage system, such as, emergency scenarios, rescue scenarios, g levels, flight duration and systems reusability, spacesuit systems, and most importantly the organization and human roles.

Functions

Thorough understanding of the human and system functions is essential for definition of the meaningful restraint and stowage system. The tasks beginning and end may be defined by the restrained period and/or by unrestraining, restraining (e.g., task starts when person is restrained, task ends when person completes the unrestraining process). Restraining of HSF crew and SFPs should be clearly linked to each specific flight phase or flight feature and should respect and enable dedicated tasks to be performed.

Existing Standards, Requirements, Recommendations

NASA anthropometric standard requires seat and related restraints perfect fit. Particularly height, head position, and shoulder width/biacromial depth are important for placement of the belt restraints. Restraint “counter design” is an important part of the design process of restraint and stowage systems. An analysis of existing design should be performed to identify emergent behavior, leading to new functions and strategies to prevent any system to resemble or function as restraint, handle, or stowage due to possible damage of the system or other subsystems.⁴⁴

NASA standard 3000–3001 provide high number of meaningful design requirements relevant to restraint and stowage that include⁴⁶: acceleration rate of changes, acceleration injury prevention, injury risk criterion, stowage restraints requirements, sleep accommodations, restraint as an architectural function—next to translation, mobility aids, hatches, windows and lightning and hazard avoidance, crew restraint design, crew restraint posture accommodation, crew restraint interference crew restraints for controls operations, restraints for suited operations, and others.

FAA Human Factors Design Standard (HF-STD001) also provides meaningful complementary framework for restraint and stowage design.⁴⁷

Existing and Past Designs and Technical Solutions

(1) Apollo—Three crew Apollo commander module adjustable seats (called couches) were equipped with lap belt and two shoulder straps that provided required flexibility during variety of spaceflight phases, including microgravity and hypergravity. Seats could be straightened and serve as a sleeping compartment. The Apollo command module and lander were equipped with sets of straps, handholds, flexible, or made of metal depending on position and function. Soft bag stowage was located in the opposite side to the control dashboard/cockpit and within surrounding walls.

(2) SKYLAB—purely microgravity environment—The first U.S. habitat was equipped with a unique floor restraining mechanism that proved to be inefficient. The triangular grid floors were well thought through but usability testing was lacking, hence only during the mission this system was identified unuseful. Bar handles served to positioning and stabilization well during many activities.

(3) Space Transportation System (STS), i.e., NASA's Space Shuttle—Although small in volume, the STS Orbiter crews required restraints for their daily activities in microgravity also. The internal design was developed to be fully functional during terrestrial gravity operations horizontally and vertically, on launchpad, and during landing and postlanding. Foot restraints were added ad hoc. Stowage in STS Orbiter was a combination of general aviation (aluminum boxes) and Apollo experience (soft goods boxes and bags). The storage issue of “over packed”—boxes inside of boxes—was later identified. Requirements on stowage simplification arose.

(4) ISS—Station is purely a microgravity system never operated in gravity conditions. Nonetheless, up and down orientation and rectangular section have been implemented to ease terrestrial training and orientation in the station. Station modules are equipped nominally with bars, rubber straps, and handholds on perimeter of the interior around every rack that serves as a possible subsystem. Example of a novel restraint for seated positions, for example, Robonaut operator restraints tested in parabolic flight.

HCD Restraint and Stowage Recommendations

(1) Restraint should be defined based on user's CFA or physical function analysis and HITLS tests.

(2) Access to and use of the restraints and mobility aids should be highly intuitive.⁴⁴

(3) Spacesuit limits human motion. Its compatibility with restraining mechanisms is essential.

(4) Restraining of crew and SFPs should be clearly linked to specific flight phases and/or features.

(5) Every control system using force feedback or requiring input of human force and/or to be controlled by human and/or can be considered as a human prosthesis or physically human activated system requires restraining mechanism for human operator enabling damping of reaction input force for the controls actuation.

(6) Spaceship resources must provide sleeping area for long duration flights. Depending on gravity environment, this area will be equipped with single or multidirectional restraints to ensure maximum safety of sleeping person.

(7) Long duration HSF requires body restraints to perform all hygiene and body waste functions.⁴⁴

(8) Every single object should have allocated stowage in the cabin, subsystem, or cargo area.

(9) Pre- and postflight systems restraints and stowage have to assure their full functionality and readiness in variable gravity and other characteristics of extreme environments.

(10) Restraints and seats have to assure their functionality with every single person participating in HSF.

(11) Restraints are required to be adjustable to fulfill their function based on individual anthropometry.

(12) Stowage cases should be standardized and provided by the spaceflight operator, limiting size and mass of carried objects and assuring firm attachment in a dedicated stowage area inside the vehicle.

Critical Area 4: Human Factors in Vehicle Operations

It has been our goal to identify and transfer associated commercial airline practices to establish verification practices for the U.S. CST domain. In the potential U.S. CST environment, flight crew members and SFPs will be subjected to a multitude of human physiological, psychological, and environmental variables. These variables can influence performance and decision-making processes of people, inspiring their behavior. Because the commercial airline safety record has continued to improve as system complexity has increased, it can be inferred that risk mitigating variables do indeed exist within that industry. Therefore, we utilize the commercial airline industry as an insightful analog model to infer appropriate practices for the commercial space industry. In addition, because space has other elements not involved in aviation (e.g., micro gravity, six axis of motion), other avenues are also explored to identify and address appropriate models and methods.

When designing sociotechnical systems, we, as human-centered designers, place emphasis on identifying and understanding possible emergent behaviors of people and how they interact with technology; this process begins with the integration of human physiology and ultradynamic machines. We consider potential risks associated with nominal (normal) and off-nominal (abnormal and emergency) scenarios and design for resiliency, robustness, and reliability to mitigate risk associated with commercial spacecraft operational environments.

Within this CST HSI research effort, we have investigated space vehicle demands on human physiological, psychological, and environmental limitations, and have identified human factor requirements for the following:

■ R1 Spaceship Design (HCD guidelines and constraints): Understanding system observables and controls is needed to address anthropological, physiological, psychological, and other environmental needs. CFA and HITLSs are required to determine how functions can be allocated among people and systems. Within the scope of this study, we carried out a first CFA.

■ R2 Space Flight Organizations (Human-centered organizational design and management): Corporate structures and cultures influence organizations, people, and how they interact with technology. To enhance communications between the different organizational people and system use, all system users should be equipped with appropriate organizational documentation to provide sociocognitive stability. This requires a decision-making culture that supports and provides education, operational documentation, and procedural training for the people operating within the organization. We make recommendations that address a robust and resilient spaceflight organization.

■ R3 spaceflight actors (anthropological limitations and requirements for commercial space crew members, and SFPs (i.e., passengers): Space crew members will be performing in high-risk environment. Therefore, they should be selected with respect to their best skills, abilities, attitudes, motivations, and education. Anthropological fatigue, illness, circadian disruption, and other elements have associated effects on human physiology, further increasing human susceptibility to physiological and psychological limitations. These anthropological limitations were researched and recommendations developed.

Recommendations

R1. Human-centered spaceship design

(A) The intravehicular activity suit should be exploited as an environmental emergency protection mechanism.

(B) The following fire-detection systems features should be considered: (a) smoke detectors should be positioned in all critical areas, (b) microgravity smoke detectors need to be modified accordingly, (c) two gasper/ventilation fans need to move internal atmosphere for visual identification of smoke, (d) smoke/fire detection systems should be independent and have independent power sources, (e) need a warning system for smoke and fire detection system failure, (f) cargo compartment fire detection systems, (g) smoke and other hazardous gases detection.

(D) Flight compartment and instrument lighting should illuminate each: (a) essential instrument, (b) switch, (c) instrument lights should be easily readable, (d) light sources should be shielded from flight crew members' eyes, (e) illumination intensity should be adjustable, (f) instruments, nomenclature, manuals, and checklists should be designed to facilitate the mitigation of microgravity visual limitations.

(E) Automatic warning systems need to identify events and should consist of aural and visual warnings. These systems should also have warning systems that automatically identify warning system failures.

(F) Radiation indication and warnings should be made available to the crew, including (a) planned missions should not exceed exposure levels published in NASA–STD-3001, (b) an appraisal of radiation hazards should be communicated to flight crews, (c) crew members should be educated in radiation hazards and how to minimize those hazards, (d) companies should be required to train flight crews and SFPs how to monitor radiation exposure, and (e) companies should establish procedures for emergency situations involving radiation exposure.

(G) Physicians and physiologists have recommended a maximum cabin pressure equivalent to no more than 6,500 ft. This provides physiological needs such as greater saturation of blood oxygen that will improve crew cognitive functions, and an increase in cabin atmospheric humidity that can decrease fatigue.

R2. Spaceflight organizations

(A) There needs to be an organizational structure that incorporates a just and safe culture.

(B) Allocation of shared authority and responsibility must be articulated in documentation that incorporates clear and concise definitions, nomenclature, vocabulary, and, most importantly, instructions that depict those who will be assigned authority, responsibility, and accountability.⁴⁸

(C) Management should incorporate proper humanistic employment screening for determining proper selection of individuals with the correct (a) attitude, (b) motivation, (c) skills, (d) education, and (e) qualifications.

(D) Management should incorporate proper training and simulation procedures that promote emergent anomaly resilience and robustness. Training should (a) promote user attitude, (b) develop internal motivation for (i) system learning, (ii) procedural learning, (iii) rule-based following compliance, and, most importantly, (iv) mounting the use of educated common sense and critical thinking for resolving planned-for emergencies and unforeseen emergencies. Also, training needs to incorporate why procedures are what they are (procedure rationale). In other words, describe the meaning behind the procedures. Without meaning, the learning process will be limited, thus inhibiting natural and instinctive behavior instilled in long-term memory.

(E) The organizational structure should incorporate a culture that reduces stress and acknowledges psychological, physiological, and psychosocial issues. People should have a voice in determining risk factors and developing tools to mitigate those risks. This includes decisions regarding primary mission objectives. In addition, there needs to be a reporting system that provides data about potential failure modes and possible solutions.

(F) In support of R2 (E), management should develop and provide the proper tools for risk mitigation, including (a) operational documentation; (b) HITLS; (c) specific context for proper attitude, motivation, and actions; (d) afford people with natural intuitive abilities for positive human–machine interaction behavior; and (e) ensure these people are well organized, and their skills and knowledge are applied appropriately.

(G) Proper checklist usage needs to be incorporated into the operational documentation and procedural training needs to be provided by the organization. Checklist groupings should be identified and selected so the items are consistent with established flow patterns and can be quickly and efficiently accomplished. The challenge response concept should be considered; checklists should be utilized as verification lists (i.e., each pilot must look and check to verify the item is accomplished) and not a do list. This will ensure essential checks and procedures are accomplished.

(H) Management should provide education in atmospheric constituents, partial pressure, hypoxia, human cardiopulmonary system, fatigue, circadian rhythms, and other anatomical, physiological, psychological, and psychosocial subjects. This education will provide the people with an improved assessment of their own anthropological limitations.

R3. Spaceflight actors: anatomical, physiological, and health requirements

(A) Potential spaceflight candidates will need to possess the intellectual capacity to meet the demands of the training programs. New strategies to select proper personalities with the required cognitive capabilities, attitudes, and motivations need to be determined, implemented, and monitored.

(B) Training helps users develop knowledge schemas and muscle memory that influence positive behavior during emergencies. More time is needed to determine the appropriate amount of training that will accommodate the needs to build resilience for off-nominal events.

(C) There is a need to educate commercial spaceflight crew members in understanding the more complex human physiological limitations.

(D) Duty time limitations and increased rest requirements for commercial spaceflight crews will be needed. These limitations require more research to establish appropriate criteria. However, for mitigation now, Crew Resource Management (CRM) should be incorporated into the training to create group member synergies. The duty limitations and rest requirements should be mandated to incorporate the use of additional crew members for long duration missions.

(E) It is recommended that nap periods be provided for individuals who will experience long-term space missions. However, this long-term measurement needs to be determined through further research.

(F) People should not perform as flight crew members within 48 h of exposure to a pathogenic infection. In addition, people should not be allowed to act as SFPs within the same time frame as they can infect the flight crew during the mission.

(G) There needs to be stringent testing of flight crews to ensure that no cardiovascular anomalies exist.

Finally, recommendations for medical disqualification of CST crew members (cardiopulmonary, ear and eye, digestive, hormonal, immunology, nephrology, muscular, neurologic, psychological, and respiratory) are available in Boy et al.³²

Conclusion

In this article, we have developed four critical areas: (a) design and layout of displays and controls, (b) mission planning, (c) restrain and stowage, and (d) human factors in vehicle operations. We provided recommendations for HSI of spacecraft, surrounding organization, and people involved. This is a preliminary account toward spaceship verification and further certification. A full report is available from the FAA.³² We strongly recommend that this first investigation should be followed by deeper discussions and experimentations with commercial space industry together with government and academia.

HSI cannot be fully developed and verified without considering the TOP model, and more precisely the AUTOS pyramid. All components that these frameworks provide should be considered seriously and in depth at various stages of the life cycle of a CST system. Furthermore, since a CST system is a system of systems, each system should be considered as a part of a bigger system. This property enhances the fact that separability is a constant issue in analysis, design, and evaluation of any CST system (i.e., some subsystems are separable from the rest of the global system; some others are not separable). Systems that are not separable have to be studied in their global environment, which makes the verification task more difficult.

M&S, and more specifically HITLS, are very useful tools to analyze and verify such systems. It is highly recommended that M&S and HITLS are used and further developed for CST systems. Of course, there is always a tradeoff between such usefulness and overall project sustainability. Metrics should be further developed to assess tangibility of CST systems. Tangibility is typically a matter of safety, flexibility, complexity, usefulness, maturity, stability, and sustainability.

Footnotes

Author Disclosure Statement

No competing financial interests exist.

References

Sarter

, Amalberti

. Cognitive Engineering in the Aviation Domain. Boca Raton, FL: CRC Press, 2000.

Boy

. Cognitive Function Analysis. Greenwood, CT: Ablex, 1998.

Bisseret

. Analysis of mental processes involved in air traffic control. Ergonomics. 1971; 14(5):565–70.

Wiener

, Kanki

, Helmreich

(eds.). Crew Resource Management, 2nd edition. Amsterdam, The Netherlands: Academic Press, 2010.

Helmreich

, Merritt

, Wilhelm

. The evolution of crew resource management training in commercial aviation. Int J Aviat Psychol. 1999; 9(1):19–32.

Kopardekar

, Schwartz

, Magyarits

, Rhodes

. Airspace complexity measurement: An air traffic control simulation analysis. Int J Ind Eng. 2009; 16(1):61–70.

Boag

, Neal

, Loft

, Halford

. An analysis of relational complexity in an air traffic control conflict detection task. Ergonomics. 2006; 49(14):1508–26.

Hilburn

. Cognitive complexity in air traffic control: A literature review. EEC Note. 2004; 4(04).

Histon

, Hansman

, Gottlieb

, Kleinwaks

, Yenson

, Delahaye

, Puechmorel

. Structural considerations and cognitive complexity in air traffic control. In Proceedings. The 21st Digital Avionics Systems Conference, Vol. 1. Irvine, CA: IEEE, 2002, pp. 1C2–1.

10.

Delahaye

, Puechmorel

. Air traffic complexity: Towards intrinsic metrics. In Proceedings of the Third USA/Europe Air Traffic Management R & D Seminar, Naples, Italy, 2000.

11.

Sridhar

, Sheth

, Grabbe

. Airspace complexity and its application in air traffic management. In 2nd USA/Europe Air Traffic Management R&D Seminar, Orlando, FL, 1998.

12.

Pawlak

, Brinton

, Crouch

, Lancaster

. A framework for the evaluation of air traffic control complexity. In Proceedings of the AIAA Guidance Navigation and Control Conference, San Diego, CA, 1996.

13.

Mogford

, Guttman

, Morrow

, Kopardekar

. The complexity construct in air traffic control: A review and synthesis of the literature. DTIC Document, 1995.

14.

Loft

, Sanderson

, Neal

, Mooij

. Modeling and predicting mental workload in en route air traffic control: Critical review and broader implications. Hum Factors, 2009; 49(3):376–99.

15.

Hart

, Staveland

. Development of NASA-TLX (task load index): Results of empirical and theoretical research. In: Hancock

, Meshkati

(eds.). Human Mental Workload. Amsterdam, North Holland, 1988, pp. 139–83.

16.

Hollnagel

, Woods

, Leveson N (eds.). Resilience Engineering: Concepts and Precepts. Aldershot, UK: Ashgate, 2006.

17.

Hollnagel

, Amalberti

. The Emperor's new clothes, or whatever happened to “human error”? Invited Keynote Presentation at 4th International Workshop on Human Error, Safety and System Development, Linköping, June 11–12, 2001.

18.

Shorrock

, Kirwan

. Development and application of a human error identification tool for air traffic control. Appl Ergon. 2002; 33(4):319–36.

19.

Reason

. Human Error. New York, NY: Cambridge University Press, 1990.

20.

Degani

, Shafto

, Kirlik

. Modes in human-machine systems: Review, classification, and application. Int J Aviat Psychol. 1999; 9:125–38.

21.

Wickens

, Mavor

, Parasuraman

, McGee

. The Future of Air Traffic Control: Human Operators and Automation. Washington, DC: National Academies Press, 1998.

22.

Grote

, Weik

, Waefler

, Zoelch

. Criteria for the complementary allocation of functions in automated work systems and their use in simultaneous engineering projects?. Int J Ind Ergon. 1995; 16:367–82.

23.

Debernard

, Vanderhaegen

, Millot

. An experimental investigation of dynamic allocation of tasks between air traffic controller and AI systems. In: Stassen

(ed.). Analysis, Design and Evaluation of Man-Machine Systems. Oxford: Pergamon, 1992, pp. 95–100.

24.

Bainbridge

. Ironies of automation. Automatica. 1983; 19:775–79.

25.

Fitts

, ed. Human Engineering for an Effective Air Navigation and Traffic Control System. Washington, DC: National Research Council, 1951.

26.

Wilson

, Russell

. Operator functional state classification using multiple psychophysiological features in an air traffic control task. Hum Factors. 2003; 45:381–89.

27.

ISO/IEC 9241-210:2010.. Ergonomics of Human-System Interaction–Part 210: Human-Centered Design for Interactive Systems. 2010. https://www.iso.org/standard/52075.html (Last accessed on February 23, 2018).

28.

Schwaber

. Scrum development process. In: Sutherland

, Patel

, Casanave

, Miller

, Hollowell

(eds.). OOPSLA Business Objects Design and Implementation Workshop Proceedings. London, United Kingdom: Springer, 1997.

29.

Sutherland

. Scrum: The Art of Doing Twice the Work in Half the Time. New York, NY: Crown Business, 2014.

30.

Boy

. The Handbook of Human-Machine Interaction: A Human-Centered Approach. Burlington, VT: Ashgate, 2011.

31.

Boy

. Tangible Interactive Systems. London, UK: Springer, 2016.

32.

Boy

, Doule

, Kiss

, Mehta

. Human-Systems Integration Verification Principles for Commercial Space Transportation (CST). COE CST Task 333, FAA AST Technical Report, November, 2016.

33.

Cañas

, Novak

, et al. Concept Maps: Theory, Methodology, Technology. First International Conference on Concept Mapping. Pamplona, Spain: Universidad Publica de Navarra, 2004.

34.

Torkaman

, Batcha

, Elbaz

, Kiss

, Doule

, Boy

. Cognitive Function Analysis for Human Spaceflight Cockpits with Particular Emphasis on Microgravity Operations. AIAA SPACE, Long Beach, CA, September 12–14, 2016.

35.

Larson

, Pranke

. Human Spaceflight: Mission Analysis and Design. New York: McGraw-Hill, 2000.

36.

Shappell

, Wiegmann

. The Human Factors Analysis and Classification System (HFACS). Report Number DOT/FAA/AM-00/7. Washington DC: Federal Aviation Administration, 2000.

37.

National Aeronautics and Space Administration. Lessons Learned From Challenger. Washington, DC: National Aeronautics and Space Administration, Safety Division, 1988.

38.

National Transportation Safety Board. In-Flight Breakup During Test Flight Scaled Composites SpaceShipTwo, N339SS Near Koehn Dry Lake, California October 31, 2014 (Aerospace Accident Report NTSB/AAR-15/02 PB2015-105454). Washington, DC: National Transportation Safety Board, 2015.

39.

Boy

. Orchestrating Human-Centered Design. London, UK: Springer, 2013.

40.

Norris

, Holden

, Whitmore

. Crew Restraint Design for the International Space Station, Space 2004 Conference and Exhibit, September 28–30, San Diego, CA, 2004.

41.

Whitemore

. Evidence Report: Risk of Incompatible Vehicle/Habitat Design, Evidence Report: Risk of Incompatible Vehicle/Habitat Design. Houston, TX: NASA Lyndon B. Johnson Space Center, 2013. https://humanresearchroadmap.nasa.gov/evidence/reports/Hab.pdf. (Last accessed on May 10, 2017).

42.

Antunano

. Commercial human space flight medical issues. Presented at CSTC, February 2014, FAA, 2014. https://www.faa.gov/about/office_org/headquarters_offices/ast/17th_cst_presentations/media/Commercial_Human_Spaceflight_Medical_Issues_Dr_Melchor_Antunano.pdf (Last accessed on February 23, 2018).

43.

Jarrett

. Cockpit Engineering. New York, NY: Routledge, 2005.

44.

Lueders

. ISS Crew Transportation and Services Requirements Document. Commercial Crew Program, John F. Kennedy Space Center, CCT-REQ-1130, Rev. D-1, John F. Kennedy Space Center, 2015.

45.

EASA. Certification specifications for large aeroplanes. CSF25, 2010. CS-25 Amdt 10 1-C23–CS 25.562(b). 2010.

46.

NASA STD-3001. NASA Space Flight Human-System Standard, Volume 2: Human Factors, Habitability, and Environmental Health. National Aeronautics and Space Administration: Washington, DC, 2011.

47.

Ahlstrom

, Longo

. Human Factors Design Standard (HF-STD-001), Atlantic City International Airport, NJ: Federal Aviation Administration William J. Hughes Technical Center, 2003.

48.

Boy

, Grote

. Authority in increasingly complex human and machine collaborative systems: Application to the future air traffic management construction. In The Proceedings of the 2009 International Ergonomics Association World Congress, Beijing, China, 2009.

Human–Systems Integration Verification Principles for Commercial Space Transportation

Abstract

Abstract

Introduction

HUMAN–SYSTEMS INTEGRATION

Critical Area 1: Design and Layout of Displays and Controls

AUTOS Complexity Concepts and Criteria

The Task–Activity Distinction and HSI Complexity

HCI/HSI Recommendations

Critical Area 2: Mission Planning

Definition of Mission Planning

Mission Planning Recommendations

Critical Area 3: Restraint and Stowage

Environment

Functions

Existing Standards, Requirements, Recommendations

Existing and Past Designs and Technical Solutions

HCD Restraint and Stowage Recommendations

Critical Area 4: Human Factors in Vehicle Operations

Recommendations

R1. Human-centered spaceship design

R2. Spaceflight organizations

R3. Spaceflight actors: anatomical, physiological, and health requirements

Conclusion

Footnotes

Author Disclosure Statement

References