Innovations in Systems and Software Engineering

Volume 6, Issue 3, pp 219–231

Formally verifying human–automation interaction as part of a system model: limitations and tradeoffs

Open Access
Original Paper


Both the human factors engineering (HFE) and formal methods communities are concerned with improving the design of safety-critical systems. This work discusses a modeling effort that leveraged methods from both fields to perform formal verification of human–automation interaction with a programmable device. The effort uses a system architecture composed of independent models of the human mission, human task behavior, human–device interface, device automation, and operational environment. The goals of this architecture were to allow HFE practitioners to perform formal verifications of realistic systems that depend on human–automation interaction in a reasonable amount of time, using representative models, intuitive modeling constructs, and decoupled models of system components that could be easily changed to support multiple analyses. This framework was instantiated using a patient-controlled analgesia (PCA) pump in a two-phase process in which the models of each phase were verified against a common set of specifications. The first phase focused on the mission, human–device interface, and device automation, and included a simple, unconstrained human task behavior model. The second phase replaced the unconstrained task model with one representing normative pump programming behavior. Because the models produced in the first phase were too large for the model checker to verify, a number of model revisions were undertaken that affected the goals of the effort. While the use of human task behavior models in the second phase helped mitigate model complexity, verification time increased. Additional modeling tools and technological developments are necessary for model checking to become a more usable technique for HFE.
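The abstract describes composing separate device-automation and human-task models and checking both against one specification, first with an unconstrained operator who may press any button at any time, then with a normative programming procedure. The following Python is an added illustration of that idea and is not the paper's SAL model or anything from the Baxter Ipump: the pump state machine (modes idle, set_dose, running; a dose counter; a confirmed flag), the missing start interlock, the button set, the target dose of 2 and the "running implies confirmed" property are all constructed for the example. A breadth-first search over the product of device state and task state plays the role of the model checker; it reports the number of reachable composed states and the first counterexample trace, if any.

```python
"""Explicit-state check of a composed human-task / device-automation model.
Added illustration only; the pump behaviour below is hypothetical, not the
paper's model or the behaviour of any real device."""
from collections import deque

MAX_DOSE = 4          # constructed bound so the state space stays tiny
TARGET_DOSE = 2       # dose the normative procedure is written to program
# Human-device interface: the buttons the operator can press.
ACTIONS = ('program', 'up', 'down', 'enter', 'start', 'stop')
INIT_DEVICE = ('idle', 0, False)   # (mode, dose, confirmed)


def device_step(dev, action):
    """Device automation model: returns the next device state, or None if
    the button has no effect in the current mode."""
    mode, dose, confirmed = dev
    if mode == 'idle':
        return ('set_dose', 0, False) if action == 'program' else None
    if mode == 'set_dose':
        if action == 'up':
            return ('set_dose', min(dose + 1, MAX_DOSE), False)  # edit unconfirms
        if action == 'down':
            return ('set_dose', max(dose - 1, 0), False)
        if action == 'enter':
            return ('set_dose', dose, True)
        if action == 'start':
            # Hypothetical design under test: start is accepted whether or
            # not the dose was confirmed. This is the defect the check hunts.
            return ('running', dose, confirmed)
        return None
    if mode == 'running':
        return ('idle', dose, confirmed) if action == 'stop' else None
    return None


def unconstrained(task, dev):
    """Phase-one style task model: any button at any time, no task state."""
    return [(action, task) for action in ACTIONS]


def normative(step, dev):
    """Phase-two style task model: a normative programming procedure whose
    choices depend on what the interface currently shows (the dose)."""
    _mode, dose, _confirmed = dev
    if step == 0:
        return [('program', 1)]
    if step == 1:
        return [('up', 1)] if dose < TARGET_DOSE else [('enter', 2)]
    if step == 2:
        return [('start', 3)]
    return [('stop', 0)]


def running_implies_confirmed(dev):
    """Safety specification shared by both phases."""
    mode, _dose, confirmed = dev
    return not (mode == 'running' and not confirmed)


def trace(parent, state):
    """Rebuild the button sequence that reaches `state` from the initial state."""
    actions = []
    while parent[state] is not None:
        state, action = parent[state]
        actions.append(action)
    return actions[::-1]


def check(task_model, init_task, spec):
    """Breadth-first exploration of the composed (device, task) state space.
    Returns (number of reachable composed states, first counterexample or None)."""
    init = (INIT_DEVICE, init_task)
    parent = {init: None}
    queue = deque([init])
    counterexample = None
    while queue:
        state = queue.popleft()
        dev, task = state
        if counterexample is None and not spec(dev):
            counterexample = trace(parent, state)
        for action, next_task in task_model(task, dev):
            next_dev = device_step(dev, action)
            if next_dev is None:
                continue
            nxt = (next_dev, next_task)
            if nxt not in parent:
                parent[nxt] = (state, action)
                queue.append(nxt)
    return len(parent), counterexample


def run_both():
    """Verify the same specification against both human task models."""
    return {
        'unconstrained': check(unconstrained, None, running_implies_confirmed),
        'normative': check(normative, 0, running_implies_confirmed),
    }


if __name__ == '__main__':
    for name, (states, cex) in run_both().items():
        print(f'{name}: {states} reachable states, counterexample: {cex}')
```

With the unconstrained operator the search visits every device state the buttons can reach and finds the two-press trace `program, start` that runs the pump with an unconfirmed dose; with the normative procedure the composed state space shrinks to a handful of states and the property holds, because the task model never offers `start` before `enter`. That mirrors the abstract's point that the task model reduces model complexity, and also its caveat: the property holding under a normative model says nothing about what an operator who deviates from the procedure can reach. The toy does not reproduce the increase in verification time the paper reports, which came from the richer task model rather than from a search this small.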


Keywords: Human–automation interaction; Task analysis; Formal methods; Model checking; Safety-critical systems; PCA pump



The research described was supported in part by Grant Number T15LM009462 from the National Library of Medicine and Research Grant Agreement UVA-03-01, sub-award 2623-VA from the National Institute of Aerospace (NIA). The content is solely the responsibility of the authors and does not necessarily represent the official views of the NIA, NASA, the National Library of Medicine, or the National Institutes of Health. The authors would like to thank Radu I. Siminiceanu of the NIA and Ben Di Vito of the NASA Langley Research Center for their technical help. They would like to thank Diane Haddon, John Knapp, Paul Merrel, Kathryn McGough, and Sherry Wood of the University of Virginia Health System for describing the functionality of the Baxter Ipump and for providing documentation, training materials, and device access.

Open Access

This article is distributed under the terms of the Creative Commons Attribution Noncommercial License which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.



Copyright information

© The Author(s) 2010

Authors and Affiliations

Department of Systems and Information Engineering, University of Virginia, Charlottesville, USA
