Formal Aspects of Computing, Volume 26, Issue 5, pp 1033–1076

Combining human error verification and timing analysis: a case study on an infusion pump

  • Rimvydas Rukšėnas
  • Paul Curzon
  • Ann Blandford
  • Jonathan Back
Original Paper


The design of a human–computer interactive system can be unacceptable for a range of reasons. User performance concerns, for example the likelihood of user errors and the time a user needs to complete tasks, are important areas of consideration. For safety-critical systems it is vital that tools are available to support the analysis of such properties before expensive design commitments have been made. In this work, we give a unified formal verification framework for integrating two kinds of analysis: (1) predicting bounds for task-completion times via exhaustive state-space exploration, and (2) detecting user-error-related design issues. The framework is based on a generic model of cognitively plausible behaviour that captures assumptions about cognitive behaviour decided through a process of interdisciplinary negotiation. Assumptions made in an analysis, including those relating to the performance consequences of users recovering from likely errors, are also investigated in this framework. We further present a novel way of exploring the consequences of cognitive mismatches, on both correctness and performance grounds. We illustrate our analysis approach with a realistic medical device scenario: programming an infusion pump. We explore an initial pump design and then two variations based on features found in real designs, illustrating how the approach identifies both timing and human error issues.


Keywords: Human error, Formal verification, Performance, Medical devices, Model checking, SAL





Copyright information

© British Computer Society 2013

Authors and Affiliations

  • Rimvydas Rukšėnas (1)
  • Paul Curzon (1)
  • Ann Blandford (2)
  • Jonathan Back (2)
  1. School of Electronic Engineering and Computer Science, Queen Mary University of London, London, UK
  2. UCL Interaction Centre, MPEB, University College London, London, UK
