A mechanism is needed to adequately protect a safety-relevant function from inadvertent activation.

The first example showcases a command button protected by a flip-flop button for resistive touch technology, where drag and drop operations are possible.

Drag the slider to unlock the “Open Door” button. Click the command button.

The second example shows how to avoid drag and drop for capacitive touch technology.

Click the flip-flop button to unlock the “Open Door” button. Click the command button.

Context

The user needs to perform a safety-critical function, e.g., to stop all trains on a track section.

Forces

Insufficient protection may result in inadvertent activation of certain functions.

During usability tests we found out that the initial design of the shield were not successful due to issues of user interface and interaction design — a design being considered “safe” does not necessarily mean it is usable as well.

Solution

The proposed solution combines a flip-flop button with another user interface control for the safety-relevant function.

With the safety-relevant function is disabled initially, the toggle control is used to enable the control. After performing the safety-relevant function the control is disabled immediately and the toggle returns to its initial state.

Usability Impact

Inadvertent activation is not possible, therefore, errors are prevented.

Safety Impact

Inadvertent activation of a safety-relevant function is prevented by design. This pattern has been verified using a failure mode and effects analysis (FMEA).

Your opinion!

Feel free to provide your comments, reports of usage of this pattern, or feedback in general!