A formal framework for design and analysis of human-machine interaction

Automated systems are increasingly complex, making it hard to design interfaces for human operators. Human-machine interaction (HMI) errors such as automation surprises are more likely to appear and lead to system failures or accidents. In previous work, we studied the problem of generating system abstractions, called mental models, that facilitate system understanding while allowing proper control of the system by operators, as defined by the full-control property. Both the domain and its mental model have Labelled Transition System (LTS) semantics, and we proposed algorithms for automatically generating minimal mental models as well as for checking full-control. This paper presents a methodology and an associated framework for using the above and other formal-method-based algorithms to support the design of HMI systems. The framework can be used for modelling HMI systems and analysing models against HMI vulnerabilities. The analysis can be used for validation purposes or for generating artifacts such as mental models, manuals and recovery procedures. The framework is implemented in the JavaPathfinder model checker. Our methodology is demonstrated on two examples: an existing benchmark of a medical device, and a model generated from the ADEPT toolset developed at NASA Ames. Guidelines on how ADEPT models can be translated automatically into JavaPathfinder models are also discussed.