Automated Software Engineering, Volume 8, Issue 3–4, pp 275–310

Model Checking Interactor Specifications

  • José C. Campos
  • Michael D. Harrison


Recent accounts of accidents draw attention to “automation surprises” that arise in safety critical systems. An automation surprise can occur when a system behaves differently from the expectations of the operator. Interface mode changes are one class of such surprises that have significant impact on the safety of a dynamic interactive system. They may take place implicitly, as a side effect of other system actions rather than of an explicit operator command. Formal specifications of interactive systems provide an opportunity to analyse problems that arise in such systems. In this paper we consider the role that an interactor-based specification has as a partial model of an interactive system, so that mode consequences can be checked early in the design process. We show how interactor specifications can be translated into the SMV model checker input language and how we can use such specifications in conjunction with the model checker to analyse the potential for mode confusion in a realistic case. Our final aim is to develop a general-purpose methodology for the automated analysis of interactive systems. This verification process can be useful in raising questions that have to be addressed in a broader context of analysis.
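The abstract describes checking a partial model of an interactive system for implicit mode changes. The following is an added illustration, not the paper's own SMV translation or any of its case-study models: a toy interactor (attributes plus guarded actions, each tagged as user- or system-initiated) is exhaustively explored, and every transition that changes the mode without a user action is reported together with a witness trace, which is what a model checker's counterexample would provide. The interactor, its attribute names and action names are all constructed for the example.

```python
"""Explicit-state check for implicit mode changes in a toy interactor.

Added example (not the paper's SMV translation). An interactor is a
dictionary of attributes plus guarded actions; reachable states are
enumerated by breadth-first search and each transition that changes
`mode` without being a user action is reported with a witness trace.
"""
from collections import deque

# Constructed toy interactor: an autopilot-style panel. `capture` is a
# system action that silently switches from climb to hold once the
# target altitude is reached, which is exactly the kind of implicit
# mode change the analysis is meant to surface.
INITIAL = {"mode": "climb", "alt": 0, "target": 2}

# name -> (is_user_action, guard(state) -> bool, effect(state) -> new state)
ACTIONS = {
    "select_hold":  (True,  lambda s: True,
                            lambda s: {**s, "mode": "hold"}),
    "select_climb": (True,  lambda s: s["alt"] < s["target"],
                            lambda s: {**s, "mode": "climb"}),
    "tick":         (False, lambda s: s["mode"] == "climb" and s["alt"] < s["target"],
                            lambda s: {**s, "alt": s["alt"] + 1}),
    "capture":      (False, lambda s: s["mode"] == "climb" and s["alt"] == s["target"],
                            lambda s: {**s, "mode": "hold"}),
}


def freeze(state):
    """Hashable, order-independent representation of a state."""
    return tuple(sorted(state.items()))


def explore(initial, actions):
    """BFS over reachable states.

    Returns the list of transitions (state, action, next_state) and a
    parent map used to reconstruct witness traces.
    """
    start = freeze(initial)
    parent = {start: None}            # state -> (previous state, action)
    queue = deque([start])
    transitions = []
    while queue:
        st = queue.popleft()
        s = dict(st)
        for name, (_is_user, guard, effect) in actions.items():
            if not guard(s):
                continue
            nxt = freeze(effect(s))
            transitions.append((st, name, nxt))
            if nxt not in parent:
                parent[nxt] = (st, name)
                queue.append(nxt)
    return transitions, parent


def witness(parent, state):
    """Action sequence leading from the initial state to `state`."""
    trace = []
    while parent[state] is not None:
        prev, name = parent[state]
        trace.append(name)
        state = prev
    return trace[::-1]


def implicit_mode_changes(initial, actions):
    """Report every reachable transition where `mode` changes but the
    action was not initiated by the user (an AG-style invariant over
    transitions). Each finding carries a counterexample trace."""
    transitions, parent = explore(initial, actions)
    findings = []
    for st, name, nxt in transitions:
        is_user = actions[name][0]
        before, after = dict(st)["mode"], dict(nxt)["mode"]
        if not is_user and before != after:
            findings.append({
                "action": name,
                "from": before,
                "to": after,
                "trace": witness(parent, st) + [name],
            })
    return findings


if __name__ == "__main__":
    for f in implicit_mode_changes(INITIAL, ACTIONS):
        print(f"{f['action']}: {f['from']} -> {f['to']} via {f['trace']}")
```

The only finding is the `capture` transition, reached by the trace `tick, tick, capture`: the mode changes from `climb` to `hold` with no operator involvement. In the paper's setting the same question is posed to SMV as a temporal-logic property over the translated interactor, and the checker produces the trace; the value of the check is that it raises the design question (should the operator be notified, or must the change be confirmed?) rather than settling it.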

Keywords: software verification, interactive systems, automation surprise, interface mode confusion, model checking, interactor based specifications





Copyright information

© Kluwer Academic Publishers 2001

Authors and Affiliations

  • José C. Campos (1, 2)
  • Michael D. Harrison (1)

  1. Human-Computer Interaction Group, The University of York, UK
  2. Departamento de Informática, Universidade do Minho, Portugal
