Human Error as Design Problem
Core insight: What is labeled “human error” is almost always a predictable consequence of design failure — misleading signals, absent feedback, or broken mental models. Blaming the user is both empirically wrong and strategically counterproductive: it stops the investigation before the root cause is found, ensuring the same error recurs.
How Each Book Addresses This
Don Norman - The Design of Everyday Things — The Reframing: System Error, Not Human Error
Norman’s central moral claim is the most consequential reframing in the vault for anyone who ships products, designs processes, or manages systems: when users fail, the correct response is not to examine the user but to examine the design.
The slip/mistake distinction:
Norman identifies two error types with different design implications:
- Slips — Automatic behavior applied in the wrong context. The user knows the correct procedure and intends to perform it, but automatic execution goes wrong: they reach for the wrong control because it’s in a familiar position, press the right sequence for the wrong program, omit a step they’ve done ten thousand times before. Slips are errors of execution, not intention. They respond to design interventions that differentiate similar-looking controls, provide confirmation feedback for irreversible actions, and offer undo.
- Mistakes — Conscious decisions made with the wrong mental model. The user is making the rational choice given their (incorrect) understanding of the system. Three Mile Island is Norman’s primary case: operators made decisions that were correct given their mental model of the reactor state; their mental model was wrong because the control room provided misleading information. Mistakes respond to design interventions that improve conceptual model accuracy and feedback legibility.
The blame-attribution failure:
The standard organizational response to accidents is to identify the person who made the error and provide corrective action (training, supervision, dismissal). This is wrong for two reasons:
- It is causally inaccurate. The error is almost always predictable from the design, not from the individual. Different users placed in the same situation make the same errors — because the design produces the same failure conditions for everyone.
- It is strategically counterproductive. Attribution to the person closes the investigation before the design is examined. The root cause is never found. The next user placed in the same situation makes the same error. The total error rate is unchanged.
The design audit:
The correct response to any recurring error: treat it as design feedback. A recurring error is a signal that the design contains a predictable failure condition. The audit question is not “what did the user do wrong?” but “what is it about the design that produces this error predictably?”
The 5 Whys as error attribution reversal:
Applying the 5 Whys to any error will eventually trace the root cause to a design decision: a control that resembles another, a feedback signal that is absent, a conceptual model the design creates that doesn’t match the system’s actual behavior. The fifth “why” almost never implicates the user’s character or competence — it implicates a design choice.
Three Mile Island as the canonical case:
Three Mile Island was officially attributed to operator error. Norman’s analysis shows it was a control room design failure: hundreds of undifferentiated alarms, a critical indicator showing “closed command sent” rather than “valve is closed,” and a system that could not communicate its actual state to the people responsible for managing it. The operators made exactly the errors the design predictably produced. A different design would have produced different outcomes regardless of who was operating the controls.
Design for error recovery:
Because some errors are inevitable regardless of how good the design is, Norman adds a second-order principle: design for graceful error recovery. Make errors reversible. Make the current system state visible so users know when an error has occurred. Avoid designs where small errors produce catastrophic outcomes. Checklists and forcing functions are design responses to inevitable human error in safety-critical domains.
How to apply:
- When a user error occurs, record it as a design failure before assigning any other cause. Ask: “What is it about the design that made this error the natural response?”
- Apply the 5 Whys to any recurring error: trace each cause to its cause until you reach a design decision.
- Distinguish slips from mistakes — slips respond to feedback improvements, confirmation dialogs, and undo; mistakes respond to better conceptual model accuracy.
- Audit for catastrophic failure modes: identify any user error that could produce an irreversible outcome, and design a forcing function, confirmation step, or undo mechanism that converts it to a recoverable situation.
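The recovery principles above (reversibility, visible system state, a forcing function in front of irreversible actions) and the “closed command sent” indicator from the Three Mile Island case can be made concrete in code. The following is an added example, not code from Norman’s book or from this vault: it contrasts a destructive “delete resource” operation written the weak way (status reports the command issued, not the actual state; one slip is irreversible) with a version that applies the note’s principles. The `NaiveStore` and `RecoverableStore` classes, the 300-second undo window, and the sample resource names are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional
import time


# --- Weak design: reports intent rather than state, and is irreversible ----

class NaiveStore:
    """Constructed example of the indicator problem: the status line says
    'delete command sent', which is not the same as 'resource is gone'."""

    def __init__(self, items: dict):
        self._items = dict(items)
        self.last_status: dict = {}

    def delete(self, name: str) -> str:
        # No forcing function: a slip (similar-looking or mistyped name) is
        # accepted, and pop(..., None) hides whether anything happened.
        self.last_status[name] = "delete command sent"
        self._items.pop(name, None)
        return self.last_status[name]      # reports the command, not the state

    def has(self, name: str) -> bool:
        return name in self._items


# --- Hardened design: forcing function, soft delete with undo, real status --

class ConfirmationMismatch(Exception):
    """Raised when the retyped name does not match the target (a caught slip)."""


class UnknownResource(Exception):
    """Raised when the named resource does not exist or is not deletable."""


class UndoWindowExpired(Exception):
    """Raised when undo is attempted after the soft-delete window has passed."""


@dataclass
class Record:
    data: object
    deleted_at: Optional[float] = None   # None means the record is live


class RecoverableStore:
    UNDO_WINDOW = 300.0   # seconds during which a soft delete can be undone (assumed value)

    def __init__(self, items: dict, clock: Callable[[], float] = time.monotonic):
        self._items = {k: Record(v) for k, v in items.items()}
        self._clock = clock   # injectable so the behaviour is testable offline

    def delete(self, name: str, confirm_name: str) -> str:
        """Soft-delete `name`. The caller must retype the exact target name:
        this forcing function stops an automatic slip onto a neighbouring
        resource (e.g. 'prod-db' vs 'prod-db-replica') before anything changes."""
        rec = self._items.get(name)
        if rec is None or rec.deleted_at is not None:
            raise UnknownResource(name)
        if confirm_name != name:
            raise ConfirmationMismatch(f"expected {name!r}, got {confirm_name!r}")
        rec.deleted_at = self._clock()
        return self.status(name)

    def undo_delete(self, name: str) -> str:
        """Reverse a soft delete while the undo window is open."""
        rec = self._items.get(name)
        if rec is None or rec.deleted_at is None:
            raise UnknownResource(name)
        if self._clock() - rec.deleted_at > self.UNDO_WINDOW:
            raise UndoWindowExpired(name)
        rec.deleted_at = None
        return self.status(name)

    def status(self, name: str) -> str:
        """Derived from the store's actual contents, never from the last
        command issued, so the user can see whether an error has occurred."""
        rec = self._items.get(name)
        if rec is None:
            return "absent"
        if rec.deleted_at is None:
            return "present"
        remaining = self.UNDO_WINDOW - (self._clock() - rec.deleted_at)
        if remaining > 0:
            return f"pending deletion ({remaining:.0f}s to undo)"
        return "deleted (undo window expired)"

    def purge_expired(self) -> list:
        """The only irreversible step, and it runs only after the undo window."""
        now = self._clock()
        expired = [k for k, r in self._items.items()
                   if r.deleted_at is not None and now - r.deleted_at > self.UNDO_WINDOW]
        for k in expired:
            del self._items[k]
        return expired
```

The separation of `status()` from the command path is the point of the example: a caller who reads `status("prod-db")` learns what the store actually contains, whereas `NaiveStore.last_status` only records what was asked for, the same gap the control-room indicator had. The retyped-name check is a forcing function in Norman’s sense: it makes the slip mechanically impossible rather than relying on the user to be careful.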
Cross-Book Pattern
Norman provides the primary design-domain case. The concept addresses a failure mode — blame attribution preventing root-cause analysis — that appears across safety, organizational, and system design domains.
| Book | Domain | Error Attribution Pattern |
|---|---|---|
| Don Norman - The Design of Everyday Things | Product and systems design | All recurring user errors are design signals; root-cause analysis almost always terminates in a design decision; Three Mile Island as the life-safety case |
Related Concepts
- Concept - Affordances and Signifiers — Missing or wrong signifiers are the most common design cause of user error: the user responded correctly to the information the design provided
- Concept - Feedback Loops & Reality — Absent or delayed feedback is the second most common design cause; users cannot correct errors they cannot detect (Gulf of Evaluation)
- Concept - First Principles Thinking — Root-cause error analysis is a first-principles discipline: reject the surface attribution (user error) and excavate to the structural cause (design decision) using the 5 Whys
- Concept - Conditions Over Commands — Norman’s four constraint types are the positive expression of this concept: design conditions that make errors mechanically impossible rather than relying on user compliance
- Concept - Friction Removal — User errors that manifest as friction are almost always design errors generating friction that should be eliminated at the source