Abstract
Both the human factors engineering (HFE) and formal methods communities are concerned with improving the design of safety-critical systems. This work discusses a modeling effort that leveraged methods from both fields to perform formal verification of human–automation interaction with a programmable device. The effort uses a system architecture composed of independent models of the human mission, human task behavior, human-device interface, device automation, and operational environment. The goals of this architecture were to allow HFE practitioners to perform formal verifications of realistic systems that depend on human–automation interaction in a reasonable amount of time, using representative models, intuitive modeling constructs, and decoupled models of system components that could be easily changed to support multiple analyses. This framework was instantiated using a patient-controlled analgesia (PCA) pump in a two-phase process, where the models in each phase were verified against a common set of specifications. The first phase focused on the mission, human-device interface, and device automation, and included a simple, unconstrained human task behavior model. The second phase replaced the unconstrained task model with one representing normative pump programming behavior. Because the models produced in the first phase were too large for the model checker to verify, a number of model revisions were undertaken that affected the goals of the effort. While the use of human task behavior models in the second phase helped mitigate model complexity, verification time increased. Additional modeling tools and technological developments are necessary for model checking to become a more usable technique for HFE.
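The decoupled architecture the abstract describes (mission, human task behavior, human-device interface, device automation and environment, composed and checked against one common specification) as an added toy example in Python. This is not the authors' SAL models and not a model of the Baxter Ipump: the device is a deliberately simplified four-mode dose-entry interface with an assumed display range of 0 to 5, the two human models stand in for the phase-one unconstrained operator and the phase-two normative programming procedure, the mission is reduced to a single prescribed dose, and the environment model is omitted. A breadth-first search over the synchronous composition plays the role of the model checker and returns a shortest counterexample key sequence when the specification fails.

```python
"""Toy compositional model checker for human-automation interaction.

Constructed example. The device, task and mission models are simplified
stand-ins, not the Ipump or EOFM models used in the article.
"""
from collections import deque

IDLE, EDIT, CONFIRM, RUNNING = "idle", "edit", "confirm", "running"
KEYS = ("up", "down", "enter", "cancel")
MAX_DOSE = 5  # assumed display range for the toy device, not a real pump limit


def device_step(dev, key):
    """Human-device interface + automation: (mode, dose) -> next (mode, dose)."""
    mode, dose = dev
    if mode == IDLE:
        return (EDIT, dose) if key == "enter" else dev
    if mode == EDIT:
        if key == "up":
            return (EDIT, min(dose + 1, MAX_DOSE))
        if key == "down":
            return (EDIT, max(dose - 1, 0))
        if key == "enter":
            return (CONFIRM, dose)
        if key == "cancel":
            return (IDLE, dose)
        return dev
    if mode == CONFIRM:
        if key == "enter":
            return (RUNNING, dose)
        if key == "cancel":
            return (EDIT, dose)
        return dev
    return (IDLE, dose) if key == "cancel" else dev  # RUNNING


def unconstrained_human(task, dev, mission):
    """Phase-1 style operator: any key at any time; task state is unused."""
    return [(key, task) for key in KEYS]


def normative_human(task, dev, mission):
    """Phase-2 style operator: a normative programming procedure.

    task is the current step of the procedure, mission the prescribed dose.
    Returns the (key, next_step) choices the operator may take in this state.
    """
    mode, dose = dev
    if task == 0:  # open dose entry
        return [("enter", 1)] if mode == IDLE else []
    if task == 1:  # adjust the displayed dose toward the prescription
        if mode != EDIT:
            return []
        if dose < mission:
            return [("up", 1)]
        if dose > mission:
            return [("down", 1)]
        return [("enter", 2)]
    if task == 2:  # verify the displayed dose before starting
        if mode != CONFIRM:
            return []
        return [("enter", 3)] if dose == mission else [("cancel", 1)]
    return []  # procedure complete: no further actions


def unsafe(dev, mission):
    """Common specification: the pump never runs with a dose other than prescribed."""
    mode, dose = dev
    return mode == RUNNING and dose != mission


def check(human, mission, init_dev=(IDLE, 0), init_task=0):
    """Breadth-first reachability over the composed (device, task) state space.

    Returns (holds, states_reached, counterexample): counterexample is the
    shortest key sequence reaching an unsafe state, or None if none is reachable.
    """
    start = (init_dev, init_task)
    parent = {start: None}
    queue = deque([start])
    while queue:
        dev, task = state = queue.popleft()
        if unsafe(dev, mission):
            trace = []
            while parent[state] is not None:
                state, key = parent[state]
                trace.append(key)
            return False, len(parent), trace[::-1]
        for key, next_task in human(task, dev, mission):
            nxt = (device_step(dev, key), next_task)
            if nxt not in parent:
                parent[nxt] = (state, key)
                queue.append(nxt)
    return True, len(parent), None


if __name__ == "__main__":
    for name, human in (("unconstrained", unconstrained_human),
                        ("normative", normative_human)):
        holds, n, cex = check(human, mission=3)
        print(f"{name:13s} holds={holds} states={n} counterexample={cex}")
```

With the unconstrained operator the checker reports a counterexample of three `enter` presses, which starts the pump at the initial dose of 0 instead of the prescribed 3; with the normative task model the specification holds after exploring seven composed states. Both runs use the same device model and the same specification, only the human model is swapped, which is the decoupling the abstract argues for. The caveat is that the normative model removes the violation by construction: verifying it shows the procedure is correct when followed, not that the interface is robust to deviations from it, so a practitioner wants both results, not only the second.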
Acknowledgments
The research described was supported in part by Grant Number T15LM009462 from the National Library of Medicine and Research Grant Agreement UVA-03-01, sub-award 2623-VA from the National Institute of Aerospace (NIA). The content is solely the responsibility of the authors and does not necessarily represent the official views of the NIA, NASA, the National Library of Medicine, or the National Institutes of Health. The authors would like to thank Radu I. Siminiceanu of the NIA and Ben Di Vito of the NASA Langley Research Center for their technical help. They would like to thank Diane Haddon, John Knapp, Paul Merrel, Kathryn McGough, and Sherry Wood of the University of Virginia Health System for describing the functionality of the Baxter Ipump and for providing documentation, training materials, and device access.
Open Access
This article is distributed under the terms of the Creative Commons Attribution Noncommercial License (https://creativecommons.org/licenses/by-nc/2.0), which permits any noncommercial use, distribution, and reproduction in any medium, provided the original author(s) and source are credited.
About this article
Cite this article
Bolton, M.L., Bass, E.J. Formally verifying human–automation interaction as part of a system model: limitations and tradeoffs. Innovations Syst Softw Eng 6, 219–231 (2010). https://doi.org/10.1007/s11334-010-0129-9