Beyond Formal Methods for Critical Interactive Systems: Dealing with Faults at Runtime

Formal methods provide support for validation and verification of interactive systems by means of a complete and unambiguous description of the envisioned system. They can also be used (for instance in the requirements/needs identification phase) to define precisely what the system should do and how it should meet user needs. If the entire development process is supported by formal methods (for instance as required by DO 178C [7] and its supplement 333 [8]), then classical formal method engineers would argue that the resulting software is defect free. However, events beyond the envelope of the specification may occur and trigger unexpected behaviors from the formally specified system, resulting in failures. Sources of such failures can be permanent or transient hardware failures, due to natural faults (when such systems are deployed in the upper atmosphere, e.g. in aircraft or spacecraft) triggered by alpha particles from radioactive contaminants in the chips or by neutrons from cosmic radiation. This position paper proposes a complementary view to formal approaches, first by presenting an overview of the causes of unexpected events on the system side as well as on the human side, and then by discussing approaches that could provide support for taking system faults and human errors into account at design time.

[1] Allen Newell et al. The model human processor: An engineering model of human performance. 1986.

[2] Erik Hollnagel et al. Cognitive reliability and error analysis method: CREAM. 1998.

[3] Yvon Savaria et al. Efficiency of transient bit-flips detection by software means: a complete study. 2003, Proceedings 18th IEEE Symposium on Defect and Fault Tolerance in VLSI Systems.

[4] Eduardo Pinheiro et al. DRAM errors in the wild: a large-scale field study. 2009, SIGMETRICS '09.

[5] A. D. Swain et al. Handbook of human-reliability analysis with emphasis on nuclear power plant applications. Final report. 1983.

[6] Fabio Paternò et al. Preventing user errors by systematic analysis of deviations from the system task model. 2002, Int. J. Hum. Comput. Stud.

[7] Carl E. Landwehr et al. Basic concepts and taxonomy of dependable and secure computing. 2004, IEEE Transactions on Dependable and Secure Computing.

[8] Philippe A. Palanque et al. Enhanced Task Modelling for Systematic Identification and Explicit Representation of Human Errors. 2015, INTERACT.

[9] D. Norman. Categorization of action slips. 1981.

[10] J.C. Williams et al. A data-based method for assessing and reducing human error to improve operational performance. 1988, Conference Record for 1988 IEEE Fourth Conference on Human Factors and Power Plants.

[11] Philippe A. Palanque et al. Interactive cockpits as critical applications: a model-based and a fault-tolerant approach. 2013, Int. J. Crit. Comput. Based Syst.

[12] Philippe A. Palanque et al. A Software-Implemented Fault-Tolerance Approach for Control and Display Systems in Avionics. 2014, 2014 IEEE 20th Pacific Rim International Symposium on Dependable Computing.

[13] Alan Dix et al. Upside down As and algorithms, computational formalisms and theory. 2003.

[14] Philippe A. Palanque et al. Task Model-Based Systematic Analysis of Both System Failures and Human Errors. 2016, IEEE Transactions on Human-Machine Systems.

[15] Gilbert Cockton et al. Design Principles for Interactive Software. 1997, IFIP — The International Federation for Information Processing.

[16] Eric Barboni et al. Analysis of WIMP and Post WIMP Interactive Systems based on Formal Specification. 2013, Electron. Commun. Eur. Assoc. Softw. Sci. Technol.

[17] Philippe A. Palanque et al. Self-Checking Components for Dependable Interactive Cockpits Using Formal Description Techniques. 2011, 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing.

[18] Ann Blandford et al. Recognising Erroneous and Exploratory Interactions. 2007, INTERACT.

[19] Ann Blandford et al. Identifying Phenotypes and Genotypes: A Case Study Evaluating an In-Car Navigation System. 2007, EHCI/DS-VIS.

[20] Wendy E. Mackay et al. CPN/Tools: A Post-WIMP Interface for Editing and Simulating Coloured Petri Nets. 2001, ICATPN.

[21] Philippe A. Palanque et al. Understanding Functional Resonance through a Federation of Models: Preliminary Findings of an Avionics Case Study. 2013, SAFECOMP.

[22] Sandeep Neema et al. Autonomic fault mitigation in embedded systems. 2004, Eng. Appl. Artif. Intell.