Skip to main content
SpringerLink
Log in

An approach to formal verification of human–computer interaction

  • ORIGINAL ARTICLE
  • Published:
Formal Aspects of Computing

Abstract

The correct functioning of interactive computer systems depends on both the faultless operation of the device and correct human actions. In this paper, we focus on system malfunctions due to human actions. We present abstract principles that generate cognitively plausible human behaviour. These principles are then formalised in a higher-order logic as a generic, and so retargetable, cognitive architecture, based on results from cognitive psychology. We instantiate the generic cognitive architecture to obtain specific user models. These are then used in a series of case studies on the formal verification of simple interactive systems. By doing this, we demonstrate that our verification methodology can detect a variety of realistic, potentially erroneous actions, which emerge from the combination of a poorly designed device and cognitively plausible human behaviour.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Bumbulis P, Alencar PSC, Cowan DD, de Lucena CJP (1996) Validating properties of component-based graphical user interfaces. In: Bodart F, Vanderdonckt J (eds) Proc. Design, Specification and Verification of Interactive Systems (DSV-IS’96), Springer-Verlag, pp 347–365

  2. Barnard PJ, May J (1995) Interactions with advanced graphical interfaces and the deployment of latent human knowledge. In: Design, Specification and Verification of Interactive Systems: DSV-IS’95, Springer-Verlag, pp 15–49

  3. Bartlett FC (1958) Thinking: An Experimental and Social Study. Basic Books, New York

    Google Scholar 

  4. Blandford AE, Butterworth RJ, Curzon P (2004) Models of interactive systems: a case study on Programmable User Modelling. International Journal of Human-Computer Studies 60(2):149–200

    Article  Google Scholar 

  5. Butterworth RJ, Blandford AE, Duke DJ (1999) Using formal models to explore display based usability issues. Journal of Visual Languages and Computing 10:455–479

    Article  Google Scholar 

  6. Butterworth RJ, Blandford AE, Duke DJ (2000) Demonstrating the cognitive plausibility of interactive systems. Formal Aspects of Computing 12:237–259

    Article  MATH  Google Scholar 

  7. Back J, Cheng WL, Dann R, Curzon P, Blandford A (2006) Does being motivated to avoid procedural errors influence their systematicity? In: Bryan-Kinns N, Blandford A, Curzon P, Nigay L (eds) People and computers XX–engage: proceedings of HCI 2006 (Vol. 1), Springer-Verlag, pp 151–158

  8. Billings CE (1996) Aviation Automation: The Search for A Human-centered Approach. Lawrence Erlbaum Associates

  9. Blandford AE, Young RM (1998) The role of communication goals in interaction. In: Adjunct Proceedings of HCI’98, pp 14–15

  10. Butler RW, Miller SP, Potts JN, Carreño VA (1998) A formal methods approach to the analysis of mode confusion. In: 17th AIAA/IEEE Digital Avionics Systems Conference, Bellevue, WA, October 1998

  11. Back R-J, Mikhajlova A, von Wright J (1999) Reasoning about interactive systems. In: Formal Methods (FM’99), volume 1709 of Lecture Notes in Computer Science, Springer-Verlag, pp 1460–1476

  12. Bowman H, Faconti G (1999) Analysing cognitive behaviour using LOTOS and Mexitl. Formal Aspects of Computing 11:132–159

    Article  Google Scholar 

  13. Bredereke J (2003) On preventing telephony feature interactions which are shared-control mode confusions. In: Feature Interactions in Telecommunications and Software Systems VII, IOS Press, pp 159–176

  14. Bredereke J, Lankenau A (2002) A rigorous view of mode confusion. In: Computer Safety, Reliability and Security: SAFECOMP 2002, volume 2434 of Lecture Notes in Computer Science, Springer-Verlag, pp 19–31

  15. Buth B (2004) Analysing mode confusion: An approach using FDR2. In: Heisel M, Liggesmeyer P, Wittmann S (eds) Computer Safety, Reliability and Security: SAFECOMP 2004, volume 3219 of Lecture Notes in Computer Science, Springer-Verlag, pp 101–114

  16. Byrne MD, Bovair S (1997) A working memory model of a common procedural error. Cognitive Science 21(1):31–61

    Article  Google Scholar 

  17. Campos JC, Harrison MD (1997) Formally verifying interactive systems: a review. In: Harrison MD, Torres JC (eds) Design, Specification and Verification of Interactive Systems (DSV-IS’97), Springer-Verlag, pp 109–124

  18. Campos JC (2003) Using task knowledge to guide interactor specifications analysis. In: Jorge JA, Jardim Nunes N, Falcão e Cunha J (eds) Interactive Systems. Design, Specification and Verification, 10th International Workshop, volume 2844 of Lecture Notes in Computer Science, Springer-Verlag, pp 171–186

  19. Crow J, Javaux D, Rushby J (2000) Models and mechanized methods that integrate human factors into automation design. In: International Conference on Human-Computer Interaction in Aeronautics: HCI-Aero, September 2000

  20. Curzon P, Blandford AE (2000) Reasoning about order errors in interaction. In: TPHOLs 2000 Supplementary Proceedings

  21. Curzon P, Blandford AE (2000) Using a verification system to reason about post-completion errors. In: Palanque P, Paternò F (eds) Participants Proc. of DSV-IS 2000: 7th Int.Workshop on Design, Specification and Verification of Interactive Systems, at the 22nd Int. Conf. on Software Engineering, pp 292–308

  22. Curzon P, Blandford AE (2001) Detecting multiple classes of user errors. In: Little R, Nigay L (eds) Proceedings of the 8th IFIP Working Conference on Engineering for Human-Computer Interaction (EHCI’01), volume 2254 of Lecture Notes in Computer Science, Springer-Verlag, pp 57–71

  23. Curzon P, Blandford AE (2001) A user model for avoiding design induced errors in soft-key interactive systems. In: Bolton RJ, Jackson PB (eds) TPHOLs 2001 Supplementary Proceedings, number ED-INF-RR-0046 in Informatics Research Report, pp 33–48

  24. Curzon P, Blandford AE (2002) From a formal user model to design rules. In: Forbrig P, Urban B, Vanderdonckt J, Limbourg Q (eds) Interactive Systems. Design, Specification and Verification, 9th International Workshop, volume 2545 of Lecture Notes in Computer Science, Springer-Verlag, pp 19–33

  25. Curzon P, Blandford AE (2004) Formally justifying user-centred design rules: a case study on post-completion errors. In: Boiten EA, Derrick J, Smith G (eds) Proc. of the 4th International Conference on Integrated Formal Methods, volume 2999 of Lecture Notes in Computer Science, Springer-Verlag, pp 461–480

  26. Curzon P, Leslie I (1996) Improving hardware designs whilst simplifying their proof. In: Designing Correct Circuits, Workshops in Computing, Springer-Verlag

  27. Duke DJ, Barnard PJ, Duce DA, May J (1998) Syndetic modelling. Human-Computer Interaction 13(4):337–394

    Article  Google Scholar 

  28. Duke DJ, Barnard PJ, May J, Duce DA (1995) Systematic development of the human interface. In: APSEC’95: Second Asia-Pacific Software Engineering Conference. IEEE Computer Society Press, pp 313–321

  29. Duke DJ, Duce DA (1999) The formalization of a cognitive architecture and its application to reasoning about human computer interaction. Formal Aspects of Computing 11:665–689

    Article  MATH  Google Scholar 

  30. Fields RE (2001) Analysis of erroneous actions in the design of critical systems. D. Phil Thesis, Technical Report YCST 20001/09, University of York, Department of Computer Science

  31. Gordon MJC, Melham TF (eds) (1993) Introduction to HOL: a theorem proving environment for higher order logic. Cambridge University Press

  32. John BE, Kieras DE (1996) Using GOMS for user interface design and evaluation: which technique? ACM Trans. on Computer-Human Interaction 3(4):287–319

    Article  Google Scholar 

  33. Kieras DE, Wood SD, Meyer DE (1997) Predictive engineering models based on the EPIC architecture for a multimodal high-performance human-computer interaction task. ACM Trans. on Computer-Human Interaction 4(3):230–275

    Article  Google Scholar 

  34. Lankenau A (2001) Avoiding mode confusion in service-robots. In: Mokhtari M (ed) Integration of Assistive Technology in the Information Age, Proc. of the 7th Int. Conf. on Rehabilitation Robotics, IOS Press, pp 162–167

  35. Li SYW, Blandford A, Cairns P, Young RM (2005) Post-completion errors in problem solving. In: Proceedings of the 27th Annual Conference of the Cognitive Science Society, Lawrence Erlbaum Associates, pp 1278–1283

  36. Li SYW, Cox AL, Blandford A, Cairns P, Young RM, Abeles A (2006) Further investigations into post-completion error: the effects of interruption position and duration. In: Proceedings of the 28th Annual Conference of the Cognitive Science Society, Lawrence Erlbaum Associates, pp 471–476

  37. Leveson NG, Denise Pinnel L, Sandys SD, Koga S, Reese JD (1997) Analyzing software specifications for mode confusion potential. In: Johnson CW (ed) Proceedings of the Workshop on Human Error and System Development, Glasgow Accident Analysis Group Technical Report GAAG-TR-97-2, pp 132–146

  38. Leveson NG, Palmer E (1997) Designing automation to reduce operator errors. In: Proceedings of the IEEE Systems, Man and Cybernetics Conference, October 1997

  39. Libet B (1989) The timing of a subjective experience. Behavioural and Brain Sciences 12:183–185

    Article  Google Scholar 

  40. Lüttgen G, Carreño V (1999) Analyzing mode confusion via model checking. In: Dams D, Gerth R, Leue S, Massink M (eds) SPIN’99, volume 1680 of Lecture Notes in Computer Science, Springer-Verlag, pp 120–135

  41. Markopoulos P, Johnson P, Rowson J (1998) Formal architectural abstractions for interactive software. International Journal of Human Computer Studies 49:679–715

    Article  Google Scholar 

  42. Moher TG, Dirda V (1995) Revising mental models to accommodate expectation failures in human-computer dialogues. In: Design, Specification and Verification of Interactive Systems: DSV-IS’95, Springer-Verlag, pp 76–92

  43. de Moura L, Owre S, Ruess H, Rushby J, Shankar N, Sorea M, Tiwari A (2004) SAL 2. In: Alur R, Peled DA (eds) Computer Aided Verification: CAV’04, volume 3114 of Lecture Notes in Computer Science, Springer-Verlag, pp 496–500

  44. Newell A (1990) Unified Theories of Cognition. Harvard University Press

  45. Osman A, Kornblum S, Meyer DE (1986) The point of no return in choice reaction time: controlled and ballistic stages of response preparation. Journal of Experimental Psychology: Human Perception and Performance 12(3):243–258

    Article  Google Scholar 

  46. Paternò F, Mezzanotte M (1995) Formal analysis of user and system interactions in the CERD case study. In: Proceedings of EHCI’95: IFIP Working Conference on Engineering for Human-Computer Interaction, Chapman and Hall Publisher, pp 213–226

  47. Papatzanis P, Curzon P, Blandford A (2007) Identifying phenotypes & genotypes: a case study on evaluating an in-car navigation system. In press: Proceedings of Engineering Interactive Systems 2007, Springer-Verlag

  48. Rukšėnas R, Curzon P, Back J, Blandford A (2007) Formal modelling of cognitive interpretation. In: Doherty G, Blandford A (eds) Interactive Systems. Design, Specification and Verification, 13th International Workshop, volume 4323 of Lecture Notes in Computer Science, Springer-Verlag, pp 123–136

  49. Rukšėnas R, Curzon P, Blandford A, Back J (2007) Combining human error verification and timing analysis. In press: Proceedings of Engineering Interactive Systems 2007, Springer-Verlag

  50. Rushby J, Crow J, Palmer E (1999) An automated method to detect potential mode confusions. In: 18th AIAA/IEEE Digital Avionics Systems Conference (DASC), October 1999

  51. Reason J (1990) Human Error. Cambridge University Press

  52. Rushby J (2001) Analyzing cockpit interfaces using formal methods. Electronic Notes in Theoretical Computer Science 43

  53. Rushby J (2001) Modeling the human in human factors. In: Vogues U (ed) Computer Safety, Reliability and Security: SAFECOMP 2001, volume 2187 of Lecture Notes in Computer Science, Springer-Verlag, pp 86–91

  54. Rushby J (2002) Using model checking to help discover mode confusions and other automation suprises. Reliability Engineering and System Safety 75(2):167–177

    Article  Google Scholar 

  55. Suchman LA (1987) Plans and situated actions: the problem of human-machine communication. Cambridge University Press

  56. Thimbleby H (2001) Permissive user interfaces. International Journal of Human-Computer Studies 54(3):333–350

    Article  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science, Queen Mary, University of London, Mile End Road, London, E1 4NS, UK

    Paul Curzon & Rimvydas Rukšėnas

  2. University College London Interaction Centre, Remax House, 31-32 Alfred Place, London, WC1E 7DP, UK

    Ann Blandford

Authors
  1. Paul Curzon
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rimvydas Rukšėnas
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Ann Blandford
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Rimvydas Rukšėnas.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Curzon, P., Rukšėnas, R. & Blandford, A. An approach to formal verification of human–computer interaction. Form Asp Comp 19, 513–550 (2007). https://doi.org/10.1007/s00165-007-0035-6

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00165-007-0035-6

Keywords

Search

Navigation