GE Design
Published in

GE Design

Pressing the Wrong Button: How Intentional Design Could Have Prevented the Hawaii Missile Alert

A False Alarm

In the early morning of January 13th, a text message went out to the 1.4 million residents of Hawaii that a ballistic missile was inbound and everyone should seek immediate shelter.

The message was sent in error.

The Hawaii Emergency Management Agency took 10 minutes to tweet the error — and 38 minutes to send a correction. In that time, cars were abandoned on the interstate, children were placed in manholes, and many people said what they thought would be their last words to loved ones.

The original explanation was that an employee had “hit the wrong button,” triggering the panic, although a more accurate description is that he “selected the wrong item from a dropdown.” While many people called this an egregious mistake by the employee, this was not a user error; this was a design error. All of this could have been prevented with some thought around common use cases for the system and better naming conventions.

Hawaii Emergency Management Agency via Hawaii News Now

In the annotated screenshot provided by the Hawaii Emergency Management Agency, it’s easy to see that the difference between the option to send a ballistic missile drill and a ballistic missile alarm is strikingly small. According to the official account, the user was supposed to select the option circled in yellow, but selected the one in red.

Designing for Safety

These are the questions we think about as GE designers. GE makes a lot of large, complex industrial equipment, like jet engines and gas turbines. This equipment runs incredibly fast and at very high temperatures. People often think about how user experience and usability design can make software easier to use, but, in some cases, it may actually be better to add friction to these interactions in order to prevent errors like the one that overwhelmed Hawaii.

The goal is not to confuse or frustrate a user (these are not dark patterns) but to promote caution and intention when engaging in actions with severe consequences. Sending out a serious alert should be more difficult than selecting a topping for a pizza or sending a tweet (even one about ballistic missiles).

Offshore Drill Ship at Sea

Take, for example, Blowout Preventers (BOPs). One of these machines is infamously known for the Horizon Deepwater oil spill that claimed the lives of eleven people and caused massive environmental damage in the Gulf of Mexico. The spill was blamed in part on the failure of a (non-GE) BOP that was unable to contain a huge pressure spike and prevent disaster. It’s important to note that BOPs are not automatic systems and require manual intervention by a dedicated worker.

The Human Machine Interface (HMI) on a GE BOP is mostly devoted to the “mimic,” an abstract digital representation of the BOP, with all its valves and sensor data. The three emergency measures, from shutting off valves to shearing the pipe, are represented as small red buttons on a black background at the bottom of the page, and are ordered in severity from left to right.

To execute one of these measures, a trained driller selects an option and is required to confirm it with a two-handed keyboard sequence. This approach means an operator can’t unintentionally or accidentally perform an action, but it also frees the operator from performing a time-consuming confirmation process that could put lives at risk during an emergency.

Preventing Destructive Errors

Even without a complete view of the emergency alert application used in Hawaii, we can make some suggestions. An ideal redesign would put actual alerts in one section, separate from all the other app info. Github does this with the “Danger Zone.” This is a special section at the bottom of a repository’s settings for all destructive actions where a user must type the name of the code repository before proceeding. That’s much more compelling than reading (or, in many cases, ignoring) a simple confirmation popup, and it also requires the user to ensure she is working in the intended space.

Location, visual treatment and a complex confirmation

Other ideas that sound helpful, but could be problematic, involve redesigning the confirmation screen. In this case, the user has to confirm his choice, but this only matters if the user recognizes that he has chosen the wrong option. Most people presented with a yes/no popup dialog may ignore the prompt. This tendency even has a name: acceptance fatigue. A simple confirmation is not enough to verify intent on the part of the user.

A second user could be required to confirm a real alert, but that risks not getting the alert out fast enough when seconds matter. What if the second operator is temporarily indisposed? This fails the test of speed in an actual emergency.

The two-handed keyboard sequence for performing an emergency measure on a BOP works so well because:

  1. It requires intention; it’s a complex action that the user cannot perform arbitrarily.
  2. It’s fast; a trained operator can perform the operation within seconds in an actual emergency.
Small changes can make a big difference

Appreciating the fact that changing emergency management software is probably a long and difficult process, there are minor changes that can be made today to prevent these serious errors. Separate the test alerts from the real ones and put a dummy option as a spacer between the two. Use a naming convention, such as putting the word “Test” in front of all test alerts. Consistent capitalization, where only actual alerts are capitalized, would reinforce the differences further and add a third level of visual distinction. This is all a good start and could help prevent future false alarms if implemented thoughtfully.

When the stakes aren’t high, it can be easy to ignore such use cases, but at GE we design for these scenarios every day. We’ve learned over time what the false alarm in Hawaii has acutely illustrated; sometimes the more valuable design decision is to prevent mistakes by making high-consequence actions more difficult, ensuring that the user is acting thoughtfully and with intention. With some thoughtful intention on the part of the designer, hopefully we can prevent these kinds of scenarios from happening again.

Special thanks to Tali Marcus and Matt Jones for their comments and critiques.

Stories from the designers empowering the world’s most complex industries.

Recommended from Medium

Still Think You Don’t Need a Formal Living Room?

Danielly Design Group -

How to Write an RFP that Gets You the Best Vendor

The Relationship Between Architecture and Inte

How one year of blogging on Melted taught me a lot

The Naming of Bluebird

Between failure and giving up, I choose to fail. Especially when it comes to design.

The most effective method to Fix a Sideways or Upside Down Screen in Windows

Maybe we can’t all get along….. but we could get along better!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Michael Moreau

Michael Moreau

I’m passionate about Participatory Design and looking to find my voice.

More from Medium

Did a clean up of my design newsletters. This is what's left

BOOST your design review sessions. This is how I prepare for success

Making the Metaverse service right, or ‘A tribute to Gather Town.’

Designing for color vision deficiency

Red, green and yellow apple as seen by a person with normal vision vs the same three apples (that now appear to be of a very similar yellow color) as seen by a colorblind person.