Human Unsafe Control Actions (Human-UCAs)

• Human Unsafe Control Actions (Human-UCAs) are deviations in human control actions that lead to hazardous system states in socio-technical environments.
• HAZOP-UML integrates UML modeling with guide-word techniques to systematically identify, analyze, and mitigate deviations.
• Empirical applications in human–robot interaction demonstrate early hazard detection, enhanced traceability, and improved safety design.

Human Unsafe Control Actions (Human-UCAs) are deviations from intended operational behaviors by human agents in socio-technical and cyber-physical systems that can induce hazardous or unsafe system states. The analysis, mitigation, and prioritization of Human-UCAs are central to modern safety methodologies, especially where complex system autonomy, non-deterministic environments, and tightly-coupled human–automation interaction dominate system risk profiles. The following sections synthesize core methodologies, modeling paradigms, tool-assisted analysis, comparative frameworks, and practical case paper outcomes for Human-UCAs.

1. Definition and Context of Human Unsafe Control Actions

A Human Unsafe Control Action is any deviation or error in the execution, timing, sequence, or omission of a human-initiated control action that can contribute to a system hazard. Within human–robot interaction or human–automation domains, this typically manifests as scenarios where a human operator’s action (or inaction) either directly causes or permits a hazardous system state. In the HAZOP-UML method, for instance, a Human-UCA is formulated as any deviation from nominal task behavior which, when arising due to guideword-induced model attribute perturbation, is found to have hazardous consequences for the human in the loop. Human-UCAs are not limited to deliberate operator errors: they encompass communication timing faults, misunderstandings, misinterpretations, and judgment lapses in contexts such as operation of assistive robots, industrial collaborative tasks, and autonomous vehicle handover situations.

The challenge of Human-UCAs is exacerbated in safety-critical applications where complexity, operational non-determinism, and variable human cognitive factors amplify the spectrum of potential hazards. Unlike static hardware or software failure modes, the non-repeatable, context-sensitive, and intent-driven nature of Human-UCAs requires integrated modeling, early-stage anticipation, and traceable risk management (Guiochet, 2016).

2. Systematic Identification via HAZOP-UML

The HAZOP-UML methodology systematically integrates hazard identification (HAZOP) techniques with Unified Modeling Language (UML) system descriptions. The process begins with a detailed behavioral modeling of the system using UML diagrams (use case, sequence, and state machines), which map operational scenarios, message exchanges, and system state transitions. Analysts enumerate all relevant attributes (preconditions, postconditions, invariants, message timing, interaction constraints) for each UML element.

A finite set of guide words—such as "No," "More," "Less," "Reverse," "Other than"—are methodically applied to these attributes, producing hypothetical deviations. For example, applying "No" to a use case precondition "robot is in front of the patient" leads to a deviation where the robot is not in position, potentially leading to a Human-UCA such as a patient fall during a stand-up maneuver.

For each deviation, the HAZOP-UML process requires documentation of:

• Relevant causes (software fault, hardware failure, human misjudgment/omission),
• Model-level and real-world consequences,
• Recommendations for mitigation.

Diagrams—such as “Deviation = UML Attribute ⊗ Guide Word”—and metamodels linking use case attributes to hazards guide the systematic exploration. The outcome is a traceable hazard list and recommendations, formatted as HAZOP tables, directly linked back to the original system models. Tool support (e.g., Eclipse-based) assists analysts in managing the combinatorial expansion, consistency checking, and report generation (Guiochet, 2016).

3. Integration with System Development and Comparative Methodology

The early integration of HAZOP-UML with system design enables hazard identification during the conceptual stage, maintaining consistency and traceability between safety analysis and engineering models. Because both requirements/design artifacts and hazard logs use UML, subsequent revisions to system architecture propagate systematically into the safety analysis, supporting modifiability and evolutionary traceability.

Compared to traditional risk analysis methods such as Preliminary Hazard Analysis (PHA), Fault Tree Analysis (FTA), or Failure Modes, Effects, and Criticality Analysis (FMECA), HAZOP-UML offers:

• Independence from detailed quantitative failure data or preconstructed fault trees,
• Direct accommodation of non-deterministic, interactive, and human-driven behaviors,
• Structured, guideword-forced scenario expansion capturing both functional and human factors in early design.

While conventional methods may excel when deterministic machine-only components are involved, they typically lack expressivity for modeling operational deviations in human–robot or open-environment interactions (Guiochet, 2016).

4. Benefits, Limitations, and Tool Support

Benefits

• Early-stage applicability: Hazards can be identified prior to implementation, supporting proactive design.
• Traceability/Modifiability: Tight linkage between system models and hazard documentation.
• Systematic deviation exploration: Guideword methodology ensures a comprehensive examination of conceivable deviations, including those rooted in human error or misinterpretation.
• Tool-assisted analysis: Software tools streamline the combinatorial aspects, automate report generation, and maintain logical consistency across evolving system models.

Limitations

• Scope restriction: Primarily targets operational hazards tied to human–robot task interaction, not machine-related hazards such as electrical failures (which must be analyzed with complementary methods).
• Dependence on expert judgment: While guide words structure the analysis, expert knowledge is required to judge relevance, consequences, and appropriate mitigations.
• Model dependency: Safety insights are only as detailed and granular as the UML models on which the analysis is based; insufficient model fidelity may obscure critical Human-UCAs.
• Redundancy: Hazards may be identified in multiple diagrams, risking inconsistent or duplicative recommendations. Analysts must reconcile these multiple perspectives (Guiochet, 2016).

The following table summarizes illustrative benefits and limitations:

Benefit	Limitation
Early-stage identification	Excludes non-operational machine hazards
Systems/design traceability	Requires expert safety judgment
Comprehensive deviation coverage	Dependent on UML model fidelity
Tool-based support	Redundant/contradictory findings possible

5. Empirical Applications and Outcomes

HAZOP-UML’s efficacy has been demonstrated in research projects such as MIRAS (assistive robots for mobility), PHRIENDS (industrial mobile robots with manipulators), and SAPHARI (mobile manipulators in shared human workspaces):

• In MIRAS, deviation analysis of use case preconditions (e.g., “robot in front of patient”) identified the risk of patient falls when the robot was misaligned—a Human-UCA with direct physical risk. The resulting insights were formally documented and validated in HAZOP tables (e.g., HN6).
• PHRIENDS leveraged sequence diagrams to analyze hazards induced by timing or misordering of human–robot messages, identifying UCAs arising from incorrect or mistimed commands.
• SAPHARI’s application of HAZOP-UML revealed hazards in physical cue misinterpretation, timing errors, and incorrect handovers in shared workspace navigation.

Results from these projects indicate that HAZOP-UML is effective even when executed by a single analyst, provided appropriate modeling and tool support. The systematic process produced manageable numbers of deviations and hazards and facilitated expert review with domain specialists such as physicians.

6. Conceptual Illustration via Diagrams and Formalisms

The methodology’s analytical structure is concisely represented by:

• The formula: $$\text{Deviation} = \text{UML Attribute} \otimes \text{Guide Word}$$
• Recovery model: Using diagrams that interlink use cases to nominal/exceptional behaviors and to preconditions/postconditions, directing focus to model segments at highest risk for Human-UCAs.
• Example: Application of the guide word "No" to "robot is aligned with the patient" yields the deviation "robot is not aligned with patient," immediately exposing a Human-UCA if the patient attempts a maneuver requiring robot alignment.

Such formal constructs orient analysts and support automated tool verification (Guiochet, 2016).

7. Future Directions and Methodological Significance

The gap between early-stage design modeling and operational hazard analysis is critical in robotics and complex automation systems. HAZOP-UML’s integration of behavioral modeling (via UML) and systematic deviations (via HAZOP guide words) provides a robust framework for identifying and documenting Human-UCAs before deployment. While limitations exist in scope and reliance on expertise, this approach supports traceable, modifiable, and iterative safety engineering for unstructured, interactive environments. Incorporating HAZOP-UML as a front-end to classical risk methods or as a foundation for automated safety analysis tooling is a plausible direction for future development, especially as systems evolve towards greater autonomy and complexity.

In summary, Human Unsafe Control Actions serve as critical focal points in safety-critical system analysis, especially when human actions interface closely with autonomous or semi-autonomous systems. Methods such as HAZOP-UML offer a systematic, design-integrated process for their early detection, documentation, and mitigation—making them central to contemporary safety engineering in human–robot interaction domains.