Aviation safety: modeling and analyzing complex interactions between humans and automated systems

The ongoing transformation from the current US Air Traffic System (ATS) to the Next Generation Air Traffic System (NextGen) will force the introduction of new automated systems and will most likely cause automation to migrate from ground to air. This will yield new function allocations between humans and automation and therefore change the roles and responsibilities in the ATS. Yet safety in NextGen is required to be at least as good as in the current system. We therefore need techniques to evaluate the safety of the interactions between humans and automation. We think that current human factors studies and simulation-based techniques will fall short given the complexity of the ATS, and that simulations need to be complemented with more automated techniques such as model checking, which offers exhaustive coverage of the non-deterministic behaviors in nominal and off-nominal scenarios. In this work, we present a verification approach based on both simulations and model checking for evaluating the roles and responsibilities of humans and automation. Models are created using Brahms (a multi-agent framework), and we show that the traditional Brahms simulations can be integrated with automated exploration techniques based on model checking, thus offering a complete exploration of the behavioral space of the scenario. Our formal analysis supports the notion of beliefs and probabilities to reason about human behavior. We demonstrate the technique with the Überlingen accident, since it exemplifies authority problems when receiving conflicting advice from human and automated systems.
