Design of Everyday Things - Norman, Don [73]
1. Understand the causes of error and design to minimize those causes.
2. Make it possible to reverse actions—to “undo” them—or make it harder to do what cannot be reversed.
3. Make it easier to discover the errors that do occur, and make them easier to correct.
4. Change the attitude toward errors. Think of an object’s user as attempting to do a task, getting there by imperfect approximations. Don’t think of the user as making errors; think of the actions as approximations of what is desired.
When someone makes an error, there usually is good reason for it. If it was a mistake, the information available was probably incomplete or misleading. The decision was probably sensible at the time. If it was a slip, it was probably due to poor design or distraction. Errors are usually understandable and logical, once you think through their causes. Don’t punish the person for making errors. Don’t take offense. But most of all, don’t ignore it. Try to design the system to allow for errors. Realize that normal behavior isn’t always accurate. Design so that errors are easy to discover and corrections are possible.
HOW TO DEAL WITH ERROR—AND HOW NOT TO
Consider the error of locking your keys into your car. Some cars have made this error much less likely. You simply can’t lock the doors (not easily, anyway) except by using the key. So you’re pretty much forced to have the keys with you. I call this kind of design a forcing function. (More on this topic in the next section.)
In the United States, cars are required to be designed so that if the door is opened while the keys are in the ignition, a warning sound comes on. In theory, if you walk away from your car, leaving the keys in the ignition, the buzzer will call you back. Yet the signal must be ignored as often as it must be attended to. It must be ignored when you open the door of your car while the engine is running so you can hand someone something. On these occasions it is annoying; you know the door is open. And sometimes you want to or need to leave the keys in the car. There goes the buzzer—it can’t distinguish deliberate actions from erroneous ones.
Warning signals are usually not the answer. Consider the control room of a nuclear power plant or the cockpit of a commercial aircraft. Thousands of instruments, each designed by someone who thought it was necessary to put in a warning signal for it. Many of the signals sound the same. Most can be ignored anyway because they tell the operator about something that is already known. And when a real emergency happens, all the warning signals seem to go on at once. Each competes with the others to be heard, preventing the person from concentrating upon the problem.16
Built-in warning features are bypassed for several reasons. One is that they can go off in error, disrupting perfectly sensible, proper behavior. Another is that they often conflict, and the resulting cacophony is distracting enough to hamper performance. Finally, they are often inconvenient. You can’t sit in the car on a warm day, open the door to get some air, and listen to the radio. The key must be in the ignition to make the radio work, but then the door buzzes all the time. So we disconnect those warning signals, tape them over, silence the bell, unscrew the lightbulbs. Warnings and safety methods must be used with care and intelligence, taking into account the tradeoffs for the people who are affected.
FORCING FUNCTIONS
Forcing functions are a form of physical constraint: situations in which the actions are constrained so that failure at one stage prevents the next step from happening. Starting a car has a forcing function associated with it—you must put the ignition key into the ignition switch. Some time ago, the button that activated the starter motor was separate from the ignition key, so that it was possible to attempt to start the car without the keys; the error was made