Formal Aspects of Computing

, Volume 19, Issue 4, pp 513–550

An approach to formal verification of human–computer interaction

ORIGINAL ARTICLE

Abstract

The correct functioning of interactive computer systems depends on both the faultless operation of the device and correct human actions. In this paper, we focus on system malfunctions due to human actions. We present abstract principles that generate cognitively plausible human behaviour. These principles are then formalised in a higher-order logic as a generic, and so retargetable, cognitive architecture, based on results from cognitive psychology. We instantiate the generic cognitive architecture to obtain specific user models. These are then used in a series of case studies on the formal verification of simple interactive systems. By doing this, we demonstrate that our verification methodology can detect a variety of realistic, potentially erroneous actions, which emerge from the combination of a poorly designed device and cognitively plausible human behaviour.

Keywords

Formal verification Human error Formal cognitive architecture Interactive systems, Theorem proving 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. BAC+96.
    Bumbulis P, Alencar PSC, Cowan DD, de Lucena CJP (1996) Validating properties of component-based graphical user interfaces. In: Bodart F, Vanderdonckt J (eds) Proc. Design, Specification and Verification of Interactive Systems (DSV-IS’96), Springer-Verlag, pp 347–365Google Scholar
  2. BaM95.
    Barnard PJ, May J (1995) Interactions with advanced graphical interfaces and the deployment of latent human knowledge. In: Design, Specification and Verification of Interactive Systems: DSV-IS’95, Springer-Verlag, pp 15–49Google Scholar
  3. Bar58.
    Bartlett FC (1958) Thinking: An Experimental and Social Study. Basic Books, New YorkGoogle Scholar
  4. BBC04.
    Blandford AE, Butterworth RJ, Curzon P (2004) Models of interactive systems: a case study on Programmable User Modelling. International Journal of Human-Computer Studies 60(2):149–200CrossRefGoogle Scholar
  5. BBD99.
    Butterworth RJ, Blandford AE, Duke DJ (1999) Using formal models to explore display based usability issues. Journal of Visual Languages and Computing 10:455–479CrossRefGoogle Scholar
  6. BBD00.
    Butterworth RJ, Blandford AE, Duke DJ (2000) Demonstrating the cognitive plausibility of interactive systems. Formal Aspects of Computing 12:237–259MATHCrossRefGoogle Scholar
  7. BCD+06.
    Back J, Cheng WL, Dann R, Curzon P, Blandford A (2006) Does being motivated to avoid procedural errors influence their systematicity? In: Bryan-Kinns N, Blandford A, Curzon P, Nigay L (eds) People and computers XX–engage: proceedings of HCI 2006 (Vol. 1), Springer-Verlag, pp 151–158Google Scholar
  8. Bil96.
    Billings CE (1996) Aviation Automation: The Search for A Human-centered Approach. Lawrence Erlbaum AssociatesGoogle Scholar
  9. BlY98.
    Blandford AE, Young RM (1998) The role of communication goals in interaction. In: Adjunct Proceedings of HCI’98, pp 14–15Google Scholar
  10. BMP+98.
    Butler RW, Miller SP, Potts JN, Carreño VA (1998) A formal methods approach to the analysis of mode confusion. In: 17th AIAA/IEEE Digital Avionics Systems Conference, Bellevue, WA, October 1998Google Scholar
  11. BMW99.
    Back R-J, Mikhajlova A, von Wright J (1999) Reasoning about interactive systems. In: Formal Methods (FM’99), volume 1709 of Lecture Notes in Computer Science, Springer-Verlag, pp 1460–1476Google Scholar
  12. BoF99.
    Bowman H, Faconti G (1999) Analysing cognitive behaviour using LOTOS and Mexitl. Formal Aspects of Computing 11:132–159CrossRefGoogle Scholar
  13. Bre03.
    Bredereke J (2003) On preventing telephony feature interactions which are shared-control mode confusions. In: Feature Interactions in Telecommunications and Software Systems VII, IOS Press, pp 159–176Google Scholar
  14. BrL02.
    Bredereke J, Lankenau A (2002) A rigorous view of mode confusion. In: Computer Safety, Reliability and Security: SAFECOMP 2002, volume 2434 of Lecture Notes in Computer Science, Springer-Verlag, pp 19–31Google Scholar
  15. But04.
    Buth B (2004) Analysing mode confusion: An approach using FDR2. In: Heisel M, Liggesmeyer P, Wittmann S (eds) Computer Safety, Reliability and Security: SAFECOMP 2004, volume 3219 of Lecture Notes in Computer Science, Springer-Verlag, pp 101–114Google Scholar
  16. ByB97.
    Byrne MD, Bovair S (1997) A working memory model of a common procedural error. Cognitive Science 21(1):31–61CrossRefGoogle Scholar
  17. CaH97.
    Campos JC, Harrison MD (1997) Formally verifying interactive systems: a review. In: Harrison MD, Torres JC (eds) Design, Specification and Verification of Interactive Systems (DSV-IS’97), Springer-Verlag, pp 109–124Google Scholar
  18. Cam03.
    Campos JC (2003) Using task knowledge to guide interactor specifications analysis. In: Jorge JA, Jardim Nunes N, Falcão e Cunha J (eds) Interactive Systems. Design, Specification and Verification, 10th International Workshop, volume 2844 of Lecture Notes in Computer Science, Springer-Verlag, pp 171–186Google Scholar
  19. CJR00.
    Crow J, Javaux D, Rushby J (2000) Models and mechanized methods that integrate human factors into automation design. In: International Conference on Human-Computer Interaction in Aeronautics: HCI-Aero, September 2000Google Scholar
  20. CuB00a.
    Curzon P, Blandford AE (2000) Reasoning about order errors in interaction. In: TPHOLs 2000 Supplementary ProceedingsGoogle Scholar
  21. CuB00b.
    Curzon P, Blandford AE (2000) Using a verification system to reason about post-completion errors. In: Palanque P, Paternò F (eds) Participants Proc. of DSV-IS 2000: 7th Int.Workshop on Design, Specification and Verification of Interactive Systems, at the 22nd Int. Conf. on Software Engineering, pp 292–308Google Scholar
  22. CuB01a.
    Curzon P, Blandford AE (2001) Detecting multiple classes of user errors. In: Little R, Nigay L (eds) Proceedings of the 8th IFIP Working Conference on Engineering for Human-Computer Interaction (EHCI’01), volume 2254 of Lecture Notes in Computer Science, Springer-Verlag, pp 57–71Google Scholar
  23. CuB01b.
    Curzon P, Blandford AE (2001) A user model for avoiding design induced errors in soft-key interactive systems. In: Bolton RJ, Jackson PB (eds) TPHOLs 2001 Supplementary Proceedings, number ED-INF-RR-0046 in Informatics Research Report, pp 33–48Google Scholar
  24. CuB02.
    Curzon P, Blandford AE (2002) From a formal user model to design rules. In: Forbrig P, Urban B, Vanderdonckt J, Limbourg Q (eds) Interactive Systems. Design, Specification and Verification, 9th International Workshop, volume 2545 of Lecture Notes in Computer Science, Springer-Verlag, pp 19–33Google Scholar
  25. CuB04.
    Curzon P, Blandford AE (2004) Formally justifying user-centred design rules: a case study on post-completion errors. In: Boiten EA, Derrick J, Smith G (eds) Proc. of the 4th International Conference on Integrated Formal Methods, volume 2999 of Lecture Notes in Computer Science, Springer-Verlag, pp 461–480Google Scholar
  26. CuL96.
    Curzon P, Leslie I (1996) Improving hardware designs whilst simplifying their proof. In: Designing Correct Circuits, Workshops in Computing, Springer-VerlagGoogle Scholar
  27. DBD+98.
    Duke DJ, Barnard PJ, Duce DA, May J (1998) Syndetic modelling. Human-Computer Interaction 13(4):337–394CrossRefGoogle Scholar
  28. DBM+95.
    Duke DJ, Barnard PJ, May J, Duce DA (1995) Systematic development of the human interface. In: APSEC’95: Second Asia-Pacific Software Engineering Conference. IEEE Computer Society Press, pp 313–321Google Scholar
  29. DuD99.
    Duke DJ, Duce DA (1999) The formalization of a cognitive architecture and its application to reasoning about human computer interaction. Formal Aspects of Computing 11:665–689MATHCrossRefGoogle Scholar
  30. Fie01.
    Fields RE (2001) Analysis of erroneous actions in the design of critical systems. D. Phil Thesis, Technical Report YCST 20001/09, University of York, Department of Computer ScienceGoogle Scholar
  31. GoM93.
    Gordon MJC, Melham TF (eds) (1993) Introduction to HOL: a theorem proving environment for higher order logic. Cambridge University PressGoogle Scholar
  32. JoK96.
    John BE, Kieras DE (1996) Using GOMS for user interface design and evaluation: which technique? ACM Trans. on Computer-Human Interaction 3(4):287–319CrossRefGoogle Scholar
  33. KWM97.
    Kieras DE, Wood SD, Meyer DE (1997) Predictive engineering models based on the EPIC architecture for a multimodal high-performance human-computer interaction task. ACM Trans. on Computer-Human Interaction 4(3):230–275CrossRefGoogle Scholar
  34. Lan01.
    Lankenau A (2001) Avoiding mode confusion in service-robots. In: Mokhtari M (ed) Integration of Assistive Technology in the Information Age, Proc. of the 7th Int. Conf. on Rehabilitation Robotics, IOS Press, pp 162–167Google Scholar
  35. LBC+05.
    Li SYW, Blandford A, Cairns P, Young RM (2005) Post-completion errors in problem solving. In: Proceedings of the 27th Annual Conference of the Cognitive Science Society, Lawrence Erlbaum Associates, pp 1278–1283Google Scholar
  36. LCB+06.
    Li SYW, Cox AL, Blandford A, Cairns P, Young RM, Abeles A (2006) Further investigations into post-completion error: the effects of interruption position and duration. In: Proceedings of the 28th Annual Conference of the Cognitive Science Society, Lawrence Erlbaum Associates, pp 471–476Google Scholar
  37. LDS+97.
    Leveson NG, Denise Pinnel L, Sandys SD, Koga S, Reese JD (1997) Analyzing software specifications for mode confusion potential. In: Johnson CW (ed) Proceedings of the Workshop on Human Error and System Development, Glasgow Accident Analysis Group Technical Report GAAG-TR-97-2, pp 132–146Google Scholar
  38. LeP97.
    Leveson NG, Palmer E (1997) Designing automation to reduce operator errors. In: Proceedings of the IEEE Systems, Man and Cybernetics Conference, October 1997Google Scholar
  39. Lib89.
    Libet B (1989) The timing of a subjective experience. Behavioural and Brain Sciences 12:183–185CrossRefGoogle Scholar
  40. LüC99.
    Lüttgen G, Carreño V (1999) Analyzing mode confusion via model checking. In: Dams D, Gerth R, Leue S, Massink M (eds) SPIN’99, volume 1680 of Lecture Notes in Computer Science, Springer-Verlag, pp 120–135Google Scholar
  41. MJR98.
    Markopoulos P, Johnson P, Rowson J (1998) Formal architectural abstractions for interactive software. International Journal of Human Computer Studies 49:679–715CrossRefGoogle Scholar
  42. MoD95.
    Moher TG, Dirda V (1995) Revising mental models to accommodate expectation failures in human-computer dialogues. In: Design, Specification and Verification of Interactive Systems: DSV-IS’95, Springer-Verlag, pp 76–92Google Scholar
  43. MOR+04.
    de Moura L, Owre S, Ruess H, Rushby J, Shankar N, Sorea M, Tiwari A (2004) SAL 2. In: Alur R, Peled DA (eds) Computer Aided Verification: CAV’04, volume 3114 of Lecture Notes in Computer Science, Springer-Verlag, pp 496–500Google Scholar
  44. New90.
    Newell A (1990) Unified Theories of Cognition. Harvard University PressGoogle Scholar
  45. OKM86.
    Osman A, Kornblum S, Meyer DE (1986) The point of no return in choice reaction time: controlled and ballistic stages of response preparation. Journal of Experimental Psychology: Human Perception and Performance 12(3):243–258CrossRefGoogle Scholar
  46. PaM95.
    Paternò F, Mezzanotte M (1995) Formal analysis of user and system interactions in the CERD case study. In: Proceedings of EHCI’95: IFIP Working Conference on Engineering for Human-Computer Interaction, Chapman and Hall Publisher, pp 213–226Google Scholar
  47. PCB07.
    Papatzanis P, Curzon P, Blandford A (2007) Identifying phenotypes & genotypes: a case study on evaluating an in-car navigation system. In press: Proceedings of Engineering Interactive Systems 2007, Springer-VerlagGoogle Scholar
  48. RCB+07a.
    Rukšėnas R, Curzon P, Back J, Blandford A (2007) Formal modelling of cognitive interpretation. In: Doherty G, Blandford A (eds) Interactive Systems. Design, Specification and Verification, 13th International Workshop, volume 4323 of Lecture Notes in Computer Science, Springer-Verlag, pp 123–136Google Scholar
  49. RCB+07b.
    Rukšėnas R, Curzon P, Blandford A, Back J (2007) Combining human error verification and timing analysis. In press: Proceedings of Engineering Interactive Systems 2007, Springer-VerlagGoogle Scholar
  50. RCP99.
    Rushby J, Crow J, Palmer E (1999) An automated method to detect potential mode confusions. In: 18th AIAA/IEEE Digital Avionics Systems Conference (DASC), October 1999Google Scholar
  51. Rea90.
    Reason J (1990) Human Error. Cambridge University PressGoogle Scholar
  52. Rus01a.
    Rushby J (2001) Analyzing cockpit interfaces using formal methods. Electronic Notes in Theoretical Computer Science 43Google Scholar
  53. Rus01b.
    Rushby J (2001) Modeling the human in human factors. In: Vogues U (ed) Computer Safety, Reliability and Security: SAFECOMP 2001, volume 2187 of Lecture Notes in Computer Science, Springer-Verlag, pp 86–91Google Scholar
  54. Rus02.
    Rushby J (2002) Using model checking to help discover mode confusions and other automation suprises. Reliability Engineering and System Safety 75(2):167–177CrossRefGoogle Scholar
  55. Suc87.
    Suchman LA (1987) Plans and situated actions: the problem of human-machine communication. Cambridge University PressGoogle Scholar
  56. Thi01.
    Thimbleby H (2001) Permissive user interfaces. International Journal of Human-Computer Studies 54(3):333–350MATHCrossRefGoogle Scholar

Copyright information

© British Computer Society 2007

Authors and Affiliations

  • Paul Curzon
    • 1
  • Rimvydas Rukšėnas
    • 1
  • Ann Blandford
    • 2
  1. 1.Department of Computer Science, Queen MaryUniversity of LondonLondonUK
  2. 2.University College London Interaction CentreLondonUK

Personalised recommendations