Abstract
Recent accounts of accidents draw attention to “automation surprises” that arise in safety-critical systems. An automation surprise can occur when a system behaves differently from the expectations of the operator. Interface mode changes are one class of such surprises that have a significant impact on the safety of a dynamic interactive system. They may take place implicitly as a result of other system action. Formal specifications of interactive systems provide an opportunity to analyse problems that arise in such systems. In this paper we consider the role that an interactor-based specification has as a partial model of an interactive system, so that mode consequences can be checked early in the design process. We show how interactor specifications can be translated into the SMV model checker input language and how such specifications can be used, in conjunction with the model checker, to analyse the potential for mode confusion in a realistic case. Our final aim is to develop a general-purpose methodology for the automated analysis of interactive systems. This verification process can be useful in raising questions that have to be addressed in a broader context of analysis.
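As an added illustration of the kind of check the abstract describes, and not the paper's own interactor translation, the following SMV model (constructed here; every state name and action is an assumption) captures an implicit mode change and two CTL properties that the model checker refutes with counterexample traces:

```smv
MODULE main
VAR
  -- vertical guidance mode held by the automation (constructed example)
  mode    : {climb, cruise, descend};
  -- mode currently annunciated on the interface
  display : {climb, cruise, descend};
  -- one action per step, chosen nondeterministically by the checker:
  -- explicit user selections or the internal altitude-capture event
  action  : {none, sel_climb, sel_cruise, sel_descend, alt_captured};
ASSIGN
  init(mode)    := cruise;
  init(display) := cruise;
  next(mode) := case
    action = sel_climb   : climb;
    action = sel_cruise  : cruise;
    action = sel_descend : descend;
    -- implicit transition: capturing the target altitude reverts to cruise
    action = alt_captured & mode != cruise : cruise;
    TRUE                 : mode;
  esac;
  -- the interface is refreshed only on explicit user selections
  next(display) := case
    action = sel_climb   : climb;
    action = sel_cruise  : cruise;
    action = sel_descend : descend;
    TRUE                 : display;
  esac;

-- Property 1: leaving climb only ever follows a user selection.
-- Fails: the trace shows alt_captured moving mode to cruise on its own.
SPEC AG ((mode = climb & action != sel_cruise & action != sel_descend)
          -> AX mode = climb)

-- Property 2: the interface always shows the active mode.
-- Fails: after the implicit change the display still reads climb.
SPEC AG (mode = display)
```

Each refuted property yields a trace that names the system action responsible for the surprise, which is the question the design review then has to answer.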
Cite this article
Campos, J.C., Harrison, M.D. Model Checking Interactor Specifications. Automated Software Engineering 8, 275–310 (2001). https://doi.org/10.1023/A:1011265604021
DOI: https://doi.org/10.1023/A:1011265604021