Example of a Complementary Use of Model Checking and Human Performance Simulation

Aircraft automation designers face the challenge of developing and improving automation so that it is transparent to the pilots using it. Methods are needed that can uncover potential problems between pilots and automation early in the design process. In this paper, simulation and model checking are combined, and their respective advantages leveraged, to find problematic human-automation interaction using methods that would be available early in the design process. A particular problem of interest is automation surprises: events in which pilots are surprised by the actions of the automation. The Tarom flight 381 incident, in which the former Airbus automatic speed protection logic led to an automation surprise, is used as a common case study. Results of this case study indicate that both methods identified the automation surprise found in the Tarom flight 381 incident, and that the simulation identified additional automation surprises associated with that flight logic. The work shows that the methods can be symbiotically combined, and that the joint method is suitable for identifying problematic human-automation interaction such as automation surprise.
