Rushby J. Using model checking to help discover mode confusions and other automation surprises. Reliab Eng Syst Saf 2002;75(2): 167--77.
.... a potentially unsafe situation in which the system does not behave as the pilot anticipates [5, 8, 9]. Although the human factors community has historically dominated research on human automation interaction [9, 10, 11, 12], there have recently been efforts by the formal methods community [7, 13, 14, 15, 16] as well as system and control communities [17] to address these safety critical problems. We build our methodology based on [7], in which user interfaces are verified for a given task. In [7] the hybrid plant model is represented as an abstracted discrete system in which the system dynamics are ....
J. Rushby, "Using model checking to help discover mode confusions and other automation surprises, " in Proceedings of the Workshop on Human Error, Safety, and System Development (HESSD), (Belgium) , June 1999.
....been conducted. The first study dealt with the analysis of specific mode problems on two commercial aircraft from different manufacturers. The aim here was to investigate the scalability of Ofan modelling and model checking to real world problems and to provide a comparison with other related work [4, 5, 25, 30, 33, 34]. This study showed that, with the use of activity charts, Ofan modelling does scale up sufficiently for non trivial systems. A second case study was conducted to explore the kinds of usability properties that can be checked. It has been found that the suggested approach is restricted in two ....
J. Rushby. Using Model Checking to Help Discover Mode Confusions and Other Automation Surprises. In (Pre-) Proceedings of the Workshop on Human Error, Safety, and System Development (HESSD) 1999.
....may lead to human error and system failure. This has been pointed out by several authors. Rushby explains how faults between operators and automated systems (and their automated modes) sometimes arise as a result of a mismatch between the operator's mental model and the automated system behaviour [11]. Sheridan [12] draws attention to the different models for human and machine systems and their mutual views of each other, on which decisions have to be taken. Leveson also mentions that while automation has eliminated some types of errors, it has also created potential for new types of error ....
Rushby, J. Using model checking to help discover mode confusions and other automation surprises. In (Pre-) Proceedings of the Workshop on Human Error, Safety, and System Development (HESSD) 1999. 1999. Liège, Belgium.
....response times and perception thresholds, to ascertain whether system performance is compatible with the user's capabilities. A review of the use of machine assisted verification (including model checking) in the analysis of interactive systems can be found in Campos and Harrison [2]. Rushby [17] describes some preliminary work in using a model checker to check for inconsistencies between a user's model of system operation and actual system behaviour which lead to automation surprises in an avionics case study [16]. 5 Hydraulics system specification. In this section, we describe a formal ....
J. Rushby. Using model checking to help discover mode confusions and other automation surprises. Draft for comments, Computer Science Laboratory, SRI International, Menlo Park CA 94025, USA, January 1998.
....to ascertain whether system performance is compatible with the user's capabilities. A review of the use of machine assisted verification (including model checking, but not realtime or hybrid techniques) in the analysis of interactive systems can be found in Campos and Harrison [2]. Rushby [20] describes some preliminary work in using a model checker to look for inconsistencies between a user's model of system operation and actual system behaviour which lead to automation surprises in an avionics case study [19]. 4.2. Modelling user, system and environment. While automata formalisms ....
J. Rushby, "Using model checking to help discover mode confusions and other automation surprises," in D. Javaux (Ed.), Proceedings of the 3rd Workshop on Human Error, Safety and System Development (HESSD'99), University of Liege, Belgium, 1999. A revised journal version is due to appear in Reliability Engineering and System Safety, Elsevier.
....using model checking or reachability analysis: these explore all possible behaviors by a brute force search and will report scenarios that cause the simulation relation to fail. Colleagues and I have used this kind of analysis to explore automation surprises in the autopilots of the MD 88 [20], A320 [5] and 737 [21]. In each case, a plausible mental model exposed exactly the scenarios that have led to reported surprises and consequent altitude busts, and pinpointed elements in the behavior of the actual system that preclude construction of an accurate mental model (because the ....
....design, or constructed by a process similar to that used to develop an instruction manual, or it could even be taken directly from the actual system design. Check the initial mental model against the actual design. Using model checking techniques similar to those described previously [5, 20, 21], check whether the initial mental model is an adequate description of the actual system. If so, proceed to the next step; otherwise modify the design and its initial mental model and iterate this and the previous steps (there is no point in proceeding until we have some description that ....
John Rushby. Using model checking to help discover mode confusions and other automation surprises. In Javaux and Keyser [10].
....used in FM, and researchers in this field have recently started applying their methods to cockpit automation. For example, Butler et al. [2] examine an autopilot design for consistent behavior, Leveson et al. [11] look for constructions that are believed to be particularly error prone, and Rushby [15] compares an autopilot description against a plausible mental model. Leveson and Palmer [10] and Rushby, Crow, and Palmer [16] show how their methods could be used to predict a known automation surprise in the MD 88 autopilot [12]. This convergence in the modeling approaches used in the HF and ....
....all possible scenarios, and to check them against desired invariants or mental models. Mechanized Analysis of the Design. The mechanized analysis presented here was undertaken in the Murphi state exploration system [4] from Stanford University, using verification techniques described in detail in [15]. We summarize that approach here, but omit the details of our analysis due to space constraints. The basic idea is to construct a state machine model of the relevant aspects of the A320 automation and then explore all possible scenarios for that model. Simple expectations for consistent behavior ....
John Rushby. Using model checking to help discover mode confusions and other automation surprises. In Javaux and De Keyser [5].
....of a system and the operator's mental model of that behavior are common, especially in complicated systems, and are a contributor to hazardous states (e.g. mode confusion in pilots). Such discrepancies between actual (i.e. required) and expected behavior can be hard to discover in testing. Rushby [1999a] shows that by modeling both the system and the operator's expectation, a mechanized comparison of all possible behaviors of the two systems can be performed via formal models (here, the state exploration tool Murφ). Proposed changes to ....
.... The safety consequences of flexible and adaptable architectures (e.g. using integrated systems for in flight reconfiguration) [Stavridou 1999]; 2) Evaluation of architectures for safety critical product families [Gannod and Lutz]; 3) Partitioning to control hazards enabled by shared resources [Rushby 1999b]; and (4) Architectural solutions to the need for techniques that augment the robustness of less robust components [Neumann 1998]. For example, when a safety critical system is built using legacy subsystems or databases, an operating system ....
Rushby, J. 1999a. Using model checking to help discover mode confusions and other automation surprises. In Proc 3rd Workshop on Human Error, Safety, and System Development (1999).
....as a result of other system action. The second is that the formal specification of an interactive system may provide an opportunity to analyse the consequences of such a design and thereby reduce the risk of this type of interface problem. We note recent relevant analyses (Leveson Palmer 1997, Rushby 1999) of mode complexity in aviation based systems. These analyses have been conducted retrospectively using experience based on flight simulations. Scenarios have provided the foundation for the analysis. In this paper we consider the role that an interactor based specification (Faconti Paternò ....
....into SMV code which can be model checked, and in Section 5 we show how to go about model checking the resulting specification. Finally, in Section 6 we analyse the results of the case study and compare it with other approaches to the detection of mode related problems (Leveson Palmer 1997, Rushby 1999). 2 Interactors and Partial Models. In this section we discuss the role of verification in interactive systems development, and how interactors can be used in the verification process. We also introduce the specific flavor of interactor we shall be using. 2.1 Role of Verification. Work on formal ....
Rushby, J. (1999), Using model checking to help discover mode confusions and other automation surprises, in `(Pre-) Proceedings of the Workshop on Human Error, Safety, and System Development (HESSD) 1999', Liège, Belgium.
....symbolic) search over the entire state space of the state machines supplied to them; what makes them useful is that they can explore vast numbers of states (many millions) in a reasonable time. Model checkers differ from simulators in that they consider all possible scenarios. A companion paper [7] describes how the example considered here can be subjected to automated analysis using the model checker Murphi from David Dill's group at Stanford. The specification of the actual system and mental model requires just a few dozen lines of specification, and the automated analysis finds the kill ....
John Rushby. Using model checking to help discover mode confusions and other automation surprises. In Javaux and Keyser [2].
J. Rushby. Using model checking to help discover mode confusions and other automation surprises. In D. Javaux, editor, Proceedings of the 3rd Workshop on Human Error, Safety, and System Development (HESSD'99), June 1999.
John Rushby. Using model checking to help discover mode confusions and other automation surprises. In Proceedings of 3rd Workshop on Human Error, pages 1--18. HESSD'99, 1999.
J. Rushby. Using model checking to help discover mode confusions and other automation surprises. Reliability Engineering & System Safety 75(2), 167--177 (February 2002).
Rushby, J. (2002). Using Model Checking to Help Discover Mode Confusions and Other Automation Surprises. Reliability Engineering and System Safety, 75(2):167--177. Available at http://www.csl.sri.com/users/rushby/abstracts/ress02.
Rushby, J.: Using model checking to help discover mode confusions and other automation surprises. Reliability Engineering & System Safety 72 (2002) 167-177
J. Rushby, "Using Model Checking to Help Discover Mode Confusions and Other Automation Surprises," Reliability Engineering and System Safety, vol. 75, pp. 167-177, 2002.
Rushby, J. (2002). Using Model Checking to Help Discover Mode Confusions and Other Automation Surprises. Reliability Engineering and System Safety, 75(2):167--177. Available at http://www.csl.sri.com/users/rushby/abstracts/ress02.
John Rushby. Using model checking to help discover mode confusions and other automation surprises. Reliability Engineering and System Safety, 75(2):167--177, February 2002.