Sandra Basnyat

A Formal Approach for User Interaction Reconfiguration of Safety Critical Interactive Systems

The paper proposes a formal description technique and a supporting tool that provide a means to handle both static and dynamic aspects of input and output device configurations and reconfigurations. More precisely, in addition to the notation, the paper proposes an architecture for the management of failure on input and output devices by means of reconfiguration of in/output device configuration and interaction techniques. Such reconfiguration aims at allowing operators to continue interacting with the interactive system even though part of the hardware side of the user interface is failing. These types of problems arise in domains such as command and control systems where the operator is confronted with several display units. The contribution presented in the paper thus addresses usability issues (improving the ways in which operators can reach their goals while interacting with the system) by increasing the reliability of the system using diverse configuration both for input and output devices.

Error patterns: systematic investigation of deviations in task models

We propose a model-based approach to integrate human error analysis with task modelling, introducing the concept of Error Pattern. Error Patterns are prototypical deviations from abstract task models, expressed in a formal way by a model transformation. A collection of typical errors taken from the literature on human errors is described within our framework. The intent is that the human factors specialist will produce the task models taking an error-free perspective, producing small and useful task models. The specialist will then choose from the collection of error patterns, and selectively apply these patterns to parts of the original task model, thus producing a transformed model exhibiting erroneous user behaviour. This transformed task model can be used at various stages of the design process, to investigate the systems reaction to erroneous behaviour or to generate test sequences.

Multidisciplinary perspective on accident investigation

Abstract The increasing complexity of many computer-controlled application processes is placing increasing demands on the investigation of adverse events. At the same time, there is a growing realisation that accident investigators must consider a wider range of contributory and contextual factors that help to shape human behaviour in the causes of safety-related incidents. A range of techniques have been developed to address these issues. For example (as we show in this paper), task modelling techniques have been extended from human computer interaction and systems design to analyse the causes and consequences of operator ‘error’. Similarly, barrier analysis has been widely used to identify the way in which defences either protected or failed to protect a target system from potential hazards. Many barriers fail from common causes, including misconceptions that can be traced back to early stages in the development of a safety-critical system. For instance, unwarranted assumptions can be made about the impact of training on operator behaviour in emergency situations. Similarly, barrier analysis can also be used before a system has been designed to inform the system model and make it more tolerant to errors by incorporating human and technical barriers into the design. Task models often uncover deep-rooted problems, for instance, in workload allocation across many different aspects of an interactive control system. It can be difficult to use barrier and task analysis to trace these common causes that lie behind the failure of many different defences. In order to deal with this complex combination of contributory factors and systems, we promote the use of abstraction (via models) as a way of representing these components and their interrelations whether it is design, construction or investigation. We use, to formally model an abstraction of the system. Additionally, the system model (described using a dialect of high-level Petri-nets) allows to reason about the system and to check conformance with the other models (task model, safety case and barriers). This paper, therefore, shows how an analysis of safety case arguments can be used to support the application of barrier, task, error and system analysis during the investigation of a command and control failure. The intention, in this paper, is to show that if an accident involved the failure of multiple barriers, it is also possible to trace the common causes of those failures back to the assumptions and arguments that are embodied within a safety case. Many countries require that safety cases demonstrate a system is ‘acceptably safe’ before they grant regulatory approval. These documents and the associated analytical techniques, therefore, provide a rich source of information about why command and control failures occurred. We demonstrate our approach on a fatal mining accident case study.

An Architecture and a Formal Description Technique for the Design and Implementation of Reconfigurable User Interfaces

This paper proposes an architecture that provides a means to handle failures of input and output devices. This handling is done by means of previously defined and designed configurations. According to the failure identified at runtime of the interactive system, the most appropriate configuration will be loaded and executed. Such reconfiguration aims at allowing operators to continue interacting with the interactive system even though part of the user interface hardware has failed. These types of problems arise in domains such as command and control systems where the operator is confronted with several display units and can use various combinations of input devices either in a mono-modal or in a multimodal manner.

A Formal Description Technique for Interactive Cockpit Applications Compliant with ARINC Specification 661

The purpose of the ARINC specification 661 is to define interfaces to a cockpit display system (CDS) targeting new aircraft installations. ARINC 661 provides precise information for communication protocols between application and user interface components (called widgets) as well as precise information about the widgets themselves. However, no information is given on the behavior of these widgets and on the behavior of an application made up of a set of such widgets. This paper presents a formal description technique called interactive cooperative objects to define in a precise and non-ambiguous way such behaviors. This description technique also defines the relationships between the behavioral description and the user interface. We show the benefits of such a notation for the specification of interactive cockpit applications and we introduce each modeling concept on a small example.

Improving interactive systems usability using formal description techniques: application to healthcare

In this paper we argue that the formal analysis of an interactive medical system can improve their usability evaluation such that potential erroneous interactions are identified and improvements can be recommended. Typically usability evaluations are carried out on the interface part of a system by human-computer interaction/ergonomic experts with or without end users. Here we suggest that formal specification of the behavior of the system supported by mathematical analysis and reasoning techniques can improve usability evaluations by proving usability properties. We present our approach highlighting that formal description techniques can support in a consistent way usability evaluation, contextual help and incident and accident analysis. This approach is presented on a wireless patient monitoring system for which adverse event (including fatalities) reports are publicly available from the US Food and Drug Administration (FDA) Manufacturer and User Facility Device Experience (MAUDE) database.

Beyond usability for safety critical systems: how to be sure (safe, usable, reliable, and evolvable)?

While a significant effort is currently being undertaken by the CHI community in order to apply and extend current usability evaluation techniques to new kinds of interaction techniques very little has been done to improve the reliability of software offering these kinds of interaction techniques. As these new interaction techniques are currently more and more used in the field of command and control safety critical systems the potential of incident or accidents increases. Similarly, the non reliability of interactive software can jeopardize usability evaluation by showing unexpected or undesired behaviors. Lastly, iterative design processes promote multiple designs through evolvable prototypes in order to accommodate requirements changes and results from usability evaluations thus reducing reliability of the final system by lack of global and structured design. The aim of this SIG is to provide a forum for both researchers and practitioners interested in safety critical interactive systems. Our goal is to define a roadmap of activities to cross fertilize usability, reliability and safety for these kinds of systems to minimize duplicate efforts and reuse knowledge in all the communities involved.