Detecting Mode Confusion Through Formal Modeling and Analysis

Aircraft safety has improved steadily over the last few decades. While much of this improvement can be attributed to the introduction of advanced automation in the cockpit, the growing complexity of these systems also increases the potential for the pilots to become confused about what the automation is doing. This phenomenon, often referred to as mode confusion, has been involved in several accidents involving modern aircraft. This report describes an effort by Rockwell Collins and NASA Langley to identify potential sources of mode confusion through two complementary strategies. The first is to create a clear, executable model of the automation, connect it to a simulation of the flight deck, and use this combination to review the behavior of the automation and the man-machine interface with the designers, pilots, and experts in human factors. The second strategy is to conduct mathematical analyses of the model by translating it into a formal specification suitable for analysis with automated tools. The approach is illustrated by applying it to a hypothetical, but still realistic, example of the mode logic of a Flight Guidance System.
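As an added illustration, not the paper's own model or tooling, the following Python sketches the second strategy on a hypothetical vertical-mode logic: the automation and a pilot's mental model are explored together as a product state machine, and the first reachable state where the believed mode differs from the actual mode is reported with the event trace that leads to it. The modes, the button events and the automatic altitude-capture transition are assumptions made for this example.

```python
from collections import deque

# Constructed, simplified vertical-mode logic of a flight guidance system.
# Modes, events and the automatic capture transition are assumptions.
PILOT_EVENTS = ("press_VS", "press_ALT")   # pilot presses a mode button
AUTO_EVENTS = ("alt_capture",)             # automation changes mode on its own

def fgs_mode_logic(mode, event):
    """Actual automation: returns the next vertical mode."""
    if event == "press_VS":
        return "PITCH" if mode == "VS" else "VS"       # VS button toggles
    if event == "press_ALT":
        return "ALT_HOLD"
    if event == "alt_capture":                          # automatic transition
        return "ALT_HOLD" if mode == "VS" else mode
    return mode

def naive_pilot(mode, event):
    """Mental model of a pilot who does not notice automatic altitude capture."""
    return mode if event in AUTO_EVENTS else fgs_mode_logic(mode, event)

def informed_pilot(mode, event):
    """Mental model of a pilot whose picture is updated by the capture annunciation."""
    return fgs_mode_logic(mode, event)

def find_mode_confusion(pilot_model, initial="PITCH"):
    """Breadth-first search over (actual mode, believed mode) pairs.
    Returns the shortest event trace reaching a state where the pilot's
    believed mode differs from the automation's actual mode, or None."""
    start = (initial, initial)
    seen = {start}
    queue = deque([(start, [])])
    while queue:
        (actual, believed), trace = queue.popleft()
        if actual != believed:
            return trace
        for event in PILOT_EVENTS + AUTO_EVENTS:
            nxt = (fgs_mode_logic(actual, event), pilot_model(believed, event))
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [event]))
    return None

if __name__ == "__main__":
    print(find_mode_confusion(naive_pilot))     # ['press_VS', 'alt_capture']
    print(find_mode_confusion(informed_pilot))  # None
```

The same exhaustive exploration is what a model checker performs on a formal specification of the real mode logic, where the state space is far too large to review by hand.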
