Human error in computer systems has been blamed for many military and civilian catastrophes resulting in mission failure and loss of money and lives. However, the root cause of such failures often lies in the system's design. A central theme in designing for human-error tolerance is to build a multi-layered defense. Creating such a robust system requires that designers effectively manage several aspects of erroneous system usage: prevention, reduction, detection, identification, recovery, and mitigation. These also correspond to discrete stages before and after error occurrence where different defensive measures can be taken. Human error models can be used to better understand these stages, the underlying cognitive mechanisms responsible for errors, and ultimately how to design systems and training to reduce the effects of inherent human limitations.
This paper presents a general framework for human error recovery based on five key stages of erroneous performance: the commission of an error, its detection, identification, and correction, and resumption of the original task. These stages constitute the main components of a state model that characterizes human performance and allows designers and trainers to comprehensively address the most important aspects of error-tolerant design. Furthermore, these performance stages can be modeled computationally, to varying degrees, using standard information processing architectures. This work also demonstrates the effectiveness of a technique using GOMS models to design systems to prevent human error. The technique is applied to WebStock, a realistic web application designed to elicit human error, and the results are used to redesign WebStock's user interface. We compared user performance on the original WebStock interface with the interface improved using the technique. Improvements were made at two levels. Procedural changes were those that were directly indicated by GOMS analysis, such as reducing working memory load and optimizing non-intuitive procedures. Non-procedural changes were those requiring more analyst expertise but where a GOMS model was instrumental in pointing them out, such as improving the salience of visual objects used in the model. The results showed substantial improvement in task completion time and overall errors, but the GOMS-based procedural improvements were especially important in reducing certain classes of errors. The paper concludes with practical implications of the recovery framework for system and training design, such as techniques for supporting error recovery. Further development of the described human-error models will help us to better understand how people commit and recover from errors, and can lead to more robust computer-based tools, improved effectiveness, and reduced training costs.