Evaluating Human-Human Communication Protocols with Miscommunication Generation and Model Checking

  • Matthew L. Bolton
  • Ellen J. Bass
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7871)


Human-human communication is critical to safe operations in domains such as air transportation, where airlines develop communication procedures and train pilots on them with the goal of ensuring that pilots check that verbal air traffic clearances are correctly heard and executed. Such communication protocols should be designed to be robust to miscommunication. However, they can fail in ways unanticipated by designers. In this work, we present a method for modeling human-human communication protocols using the Enhanced Operator Function Model with Communications (EOFMC), a task analytic modeling formalism that can be interpreted by a model checker. We describe how miscommunications can be generated from instantiated EOFMC models of human-human communication protocols. Using an air transportation example, we show how model checking can be used to evaluate whether a given protocol will ensure successful communication. Avenues of future research are explored.


Keywords: Task analysis; Human-human communication; Air traffic control; Formal methods; Model checking; Human error





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Matthew L. Bolton (1)
  • Ellen J. Bass (2)
  1. Department of Mechanical and Industrial Engineering, University of Illinois at Chicago, Chicago, USA
  2. College of Information Science and Technology, College of Nursing and Health Professions, Drexel University, Philadelphia, USA
