Part 2: Human-Centered Design

There were at least 14 crew members on the bridge at the time of the accident. The bridge contained at least nine screens displaying information about the ship’s situation. When the 18-year-old helmsman lost control of the ship, why was no one else in the room able to remedy the situation? It is hard to believe, but despite all these people and all this data, nobody could figure out who was steering the ship. This is a failure of design.

Good design isn’t simply choosing the right buttons or checkboxes. Creating a strong interface requires an understanding of the users and their environment. By empathizing with the person using the interface, a designer can prevent errors, reduce cognitive strain, and help people recognize and recover from mistakes if they should happen. This empathetic approach is called human-centered design. Let’s try to put ourselves on the bridge of the McCain and think about how design failed these sailors.

First, let’s understand the bridge layout. The highest ranking officers have seats at the front corners. There are two control stations in the front and two additional stations behind them. Touchscreen controls provide a feature unavailable to older ships constrained by physical levers, knobs, and buttons. Now anyone at any of the McCain’s four stations could take control at any moment. For emergencies there was also a physical wheel on the rear station.

How could a crew be fooled into thinking their ship is out of control? Imagine that you are starting your shift. To maintain a straight trajectory, the previous sailor may have set the rudder 5 degrees right in order to compensate for wind or water current. By design, when the steering controls are passed to your station, your defaults are applied and the rudder is set to zero degrees. From your perspective the boat should continue heading straight, but instead it starts turning left. This causes an illusion of loss of control. Add inexperience, insufficient training, and lack of sleep to the situation and you have a recipe for disaster. Your tiny error gets magnified and compounded as mistakes spread through the crew.

Shouldn’t there be processes to reduce this confusion? Yes, and they are already in place. To avoid a situation where five people are adjusting steering at the same time, procedures exist to transfer controls from station to station. Steering control can be requested by a station or it can be assigned to a station. In either case, the transfer has to be accepted by the other station. This little two-step dance ensures that you don’t send control to an unmanned station and that you don’t receive control of the steering unknowingly. In the case of emergency, there is a big red button that you can press to bypass everything and force everything into manual mode. More on that later.

In the minutes prior to the collision steering on the McCain was transferred four times. Above is the timeline showing how in three minutes the ship’s trajectory got worse instead of better with each adjustment the crew made. Below is the user interface that allows the transfer of steering between stations.

This interface deserves some criticism. It is unclear whether the transfer of steering control is achieved by the field at the top (is that supposed to be a dropdown menu?) or the options at the bottom (are those green diamonds checkboxes or radio buttons or something else)? Does white or black text indicate the steering location is selected? It appears that multiple steering locations are active (white) which probably isn’t possible.

It is hard to even comment on the controls in the center because they are so cryptic and confusing. Perhaps this is describing the conditions of the right/left propellors. Even assuming the acronyms and terminology is understood by a sailor it is unclear what would happen when the buttons are tapped. If I tap “engage” does an action occur instantly or do I have to tap “Accept” below first? Why is the close button the primary option?

The three buttons at the bottom are unnecessarily confusing. What is the difference between cancel and close? Does the accept button apply the settings I have just changed, or am I accepting settings that someone else has transferred to my station?

It is also important to note that this screen introduces a new concept that we haven’t discussed yet. Notice the second menu where a “steering mode” can be chosen. There are five modes that offer varying degrees of computer assistance from autopilot down to backup manual mode. Not every station can support every mode. Confusion is inevitable because when you receive control at your station you need to understand what level of computer-assistance you are also inheriting along with the transfer.

Despite being recommended only for emergencies, commanders say they are more comfortable in backup manual mode. As a result computer assistance is often turned off completely, as was the case on the McCain. A dangerous side-effect of operating in backup manual mode is that it turns off the two-step process where control of the ship must be requested and accepted be both stations. Put more simply, in manual mode anyone can receive control of the ship at any moment without warning.

Like a game of hot potato, steering controls get tossed around blindly. Just like in your car, to confirm that your steering wheel is working, you turn the wheel right and left. This was attempted by the sailors as they tested the only physical steering wheel at the rear station. This proved that the wheel wasn’t active, but it unfortunately left the wheel in a turned position. In the final seconds when control was passed to this manual wheel it turned the ship in the opposite direction from where they wanted to go.

Confusion around steering eventually caused somebody to give a command to reduce speed. Because the throttle controls were still unganged (and probably spread across two stations) the speed was only reduced on one engine. This caused the ship to turn even more sharply. Confusion turned to panic as the boat seems to slip further out of control.

As the sailors were trying to figure out who was steering the ship, the real reason the ship was turning was under their noses. The speed of the propellors was mismatched. How could they miss this? Let’s understand how thrust controls are transferred.

Similar to the transfer of steering to different stations, the thrust of the boat could likewise be passed around. The transfer of thrust comes with an additional level of complexity because the propellors must be transferred one at a time. Half way through a transfer the boat is in a situation where one propellor is controlled by one station and the other is controlled by someone else. At this moment the checkbox labeled “Gang” is automatically unchecked. It wasn’t a human who mistakenly unchecked a box, it was designed to work this way.

It is unclear how the screens appeared in this state, when the thrust controls are spread across two screens. Did half the controls become disabled? Did the gang checkbox disappear? If the checkbox was visible could you tap it? If you could tap on it, would the other station have to approve your request to take full control? This is the moment when good design could have rescued the ship. Blindly adding a checkbox to a screen may meet technical requirements, but without a human-centered design approach the nuances of life-or-death decisions are unlikely to be addressed when the interface is being built.

The photo below is not from the McCain, but it does give some clues to how confusion about which station has control could arise. In this picture we can see that the “Lee Helm” is in control of both thrust sliders. The screen on the station to the right appears to display the same information, a mirror of the first screen. If you don’t know or forget which station is the Lee Helm (and the stations don’t appear to be labeled) it is impossible to know which station has control.

As mentioned earlier, there is also a big red button in the center of the rear control stations. While it is technically called the “Emergency Override To Manual Button” crew members call it the “big red button.” I find it noteworthy that in the midst of so much nautical jargon, sailors occasionally speak like humans. The irony of this button is that it forces the ship into manual mode, the same mode that the ship was already operating under. So it should come as no surprise that even though everyone on the bridge knew there was an emergency, there was no operational benefit to hitting the big red button. Presumably, the big red button might initiate additional emergency functions, perhaps sending a radio message to nearby ships that the boat was in distress, but my research has not verified this assumption. The big red button might as well have been for decoration.

After three minutes of confusion, the throttle is finally unganged and steering is recovered. Unfortunately the crew didn’t have enough time to maneuver out of the way of the oncoming ship. Repairs to the McCain were estimated at $100 million dollars, a price tag that ballooned to $223 million after additional damage was caused during transit to the repair facility.