Formally verifying human–automation interaction as part of a system model: limitations and tradeoffs

Both the human factors engineering (HFE) and formal methods communities are concerned with improving the design of safety-critical systems. This work discusses a modeling effort that leveraged methods from both fields to perform formal verification of human–automation interaction with a programmable device. The effort uses a system architecture composed of independent models of the human mission, human task behavior, human-device interface, device automation, and operational environment. The goals of this architecture were to allow HFE practitioners to perform formal verifications of realistic systems that depend on human–automation interaction in a reasonable amount of time, using representative models, intuitive modeling constructs, and decoupled models of system components that could be easily changed to support multiple analyses. The framework was instantiated using a patient-controlled analgesia (PCA) pump in a two-phase process in which the models of each phase were verified against a common set of specifications. The first phase focused on the mission, human-device interface, and device automation models, and included a simple, unconstrained human task behavior model. The second phase replaced the unconstrained task model with one representing normative pump programming behavior. Because the models produced in the first phase were too large for the model checker to verify, a number of model revisions were undertaken that affected the goals of the effort. While the use of human task behavior models in the second phase helped mitigate model complexity, verification time increased. Additional modeling tools and technological developments are necessary for model checking to become a more usable technique for HFE.
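The two-phase process described in the abstract can be illustrated with a small explicit-state model check. The code below is an added example and is not the paper's own model or tooling: it constructs a toy PCA pump (modes IDLE, PROGRAMMING and INFUSING, a bounded dose, and a confirmation flag), a mission given by a prescribed dose, and two task behavior models, one unconstrained (any interface action at any time, as in phase one) and one normative (program the prescribed dose, confirm, start, as in phase two). Both are composed with the same pump model and checked against the same specification, "whenever the pump is infusing, the dose was confirmed and equals the prescription". All state names, action names, dose bounds and the specification are assumptions chosen for the illustration.

```python
from collections import deque

# --- Constructed toy models for illustration (not the paper's pump or task models) ---

ACTIONS = ("menu", "up", "down", "confirm", "start", "stop")   # human-device interface inputs
MAX_DOSE = 4
PRESCRIBED = 2   # the "mission": the dose the clinician is supposed to program


def device_step(dev, action):
    """Human-device interface + device automation model.

    dev is (mode, dose, confirmed). Actions that are not accepted in the
    current mode leave the device state unchanged.
    """
    mode, dose, confirmed = dev
    if mode == "IDLE":
        if action == "menu":
            return ("PROGRAMMING", dose, False)        # editing invalidates a prior confirmation
        if action == "start" and confirmed:
            return ("INFUSING", dose, confirmed)       # automation refuses to start unconfirmed
    elif mode == "PROGRAMMING":
        if action == "up":
            return (mode, min(dose + 1, MAX_DOSE), False)
        if action == "down":
            return (mode, max(dose - 1, 0), False)
        if action == "confirm":
            return ("IDLE", dose, True)
    elif mode == "INFUSING":
        if action == "stop":
            return ("IDLE", dose, confirmed)
    return dev


def unconstrained_human(task, dev):
    """Phase-1 style task model: every interface action is possible at every step."""
    return [(task, a) for a in ACTIONS]


def normative_human(task, dev):
    """Phase-2 style task model: the normative programming procedure.

    task is the position in the procedure; it advances only as steps complete.
    """
    mode, dose, _ = dev
    if task == 0:                                   # open the programming menu
        return [(1, "menu")]
    if task == 1:                                   # adjust the dose toward the prescription
        if dose < PRESCRIBED:
            return [(1, "up")]
        if dose > PRESCRIBED:
            return [(1, "down")]
        return [(2, "confirm")]
    if task == 2:                                   # start the infusion
        return [(3, "start")]
    return []                                       # procedure finished: no further actions


def reachable(human):
    """Breadth-first enumeration of the composed (task, device) state space."""
    init = (0, ("IDLE", 0, False))
    seen, order, frontier = {init}, [init], deque([init])
    while frontier:
        task, dev = frontier.popleft()
        for next_task, action in human(task, dev):
            nxt = (next_task, device_step(dev, action))
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                frontier.append(nxt)
    return order


def check(human, spec):
    """Check a state invariant over all reachable states.

    Returns (True, None) if the spec holds, else (False, first violating state).
    """
    for state in reachable(human):
        if not spec(state):
            return False, state
    return True, None


def spec_infuses_prescribed(state):
    """Common specification: infusing implies the dose was confirmed and matches the mission."""
    _, (mode, dose, confirmed) = state
    return mode != "INFUSING" or (confirmed and dose == PRESCRIBED)


def compare_phases():
    """Summarise state-space size and verdict for both task models."""
    return {
        name: {"states": len(reachable(h)), "result": check(h, spec_infuses_prescribed)}
        for name, h in (("unconstrained", unconstrained_human), ("normative", normative_human))
    }


if __name__ == "__main__":
    for name, summary in compare_phases().items():
        print(f"{name:13s} states={summary['states']:3d} holds={summary['result'][0]} "
              f"counterexample={summary['result'][1]}")
```

Against the unconstrained model the checker enumerates every device state the interface can reach and reports a counterexample in which a confirmed but wrong dose is infused; that is a real pump behavior, but it says nothing about whether the normative procedure is adequate. The normative model explores only the states the procedure can produce (a handful here) and satisfies the specification, which mirrors the abstract's observation that task behavior models mitigate state-space size. What the toy does not reproduce is the paper's finding that verification time nevertheless increased in the second phase; the per-state cost of a richer task model is invisible at this scale.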
