Hybrid system theory lies at the intersection of the fields of engineering control theory and computer science verification. It is defined as the modeling, analysis, and control of systems which involve the interaction of both discrete state systems, represented by finite automata, and continuous state dynamics, represented by differential equations. The embedded autopilot of a modern commercial jet is a prime example of a hybrid system: the autopilot modes correspond to the application of different control laws, and the logic of mode switching is determined by the continuous state dynamics of the aircraft, as well as through interaction with the pilot. Embedded

For discrete event systems under partial observation, we study the problem of selection of an optimal set of sensors that can provide sucient yet minimal events observation information needed to accomplish the task at hand such as that of control or estimation. The suciency of the observed information is captured as the ful lment of a desired formal property such as (co-)observability or normality (for control under partial observation), state-observability (for state estimation under partial observation), diagnosability (for failure diagnosis under partial observation), etc. A selection of sensors can be viewed as a selection of an observation mask and also of an equivalence class of events. A sensor set is called optimal if any coarser selection of the corresponding equivalence class of events results in some loss of the events observation information so that the task at hand cannot be accomplished, or equivalently the desired formal property cannot be ful lled. We study an optimal selection of sensors over the set of general \non-projection" observation masks. We show that this problem is NP-hard in general. For mask-monotonic properties (that are preserved under increasing precision in events observation information, such as (co)-observability, normality, state-observability, diagnosability, etc.), we present a \top-down" and a \bottom-up" algorithm each of polynomial complexity. We show that observer-ness is not mask-monotonic. We show that the computational complexity can be further improved if the property is preserved under the projection via an intermediary observation mask that is an observer. Our results are obtained in a general setting so that they can be adapted for an optimal selection of sensors for a variety of applications in discrete event systems i...

This paper discusses a formal perspective to the analysis of user interaction with machines, in general, and pilot interaction with automated flight control systems, in particular. It addresses the issue of correct interaction between the user and the machine by asking whether the information provided to the user about the machine, and the display of this information, enables the user to perform his or her tasks reliably and successfully. We explain this perspective by looking at one example of pilots ' interaction with a modern autopilot. Theme: Design and evaluation- user-centered design methods

Modern commercial aircraft have extensive automation which helps the pilot by performing computations, obtaining data, and completing procedural tasks. The pilot display must contain enough information so that the pilot can correctly predict the aircraft's behavior, while not overloading the pilot with unnecessary information. Human-automation interaction is currently evaluated through extensive simulation. In this paper, using both hybrid and discrete-event system techniques, we show how one could mathematically verify that an interface contains enough information for the pilot to safely and unambiguously complete a desired maneuver. We first develop a nonlinear, hybrid model for the longitudinal dynamics of a large civil jet aircraft in an autoland/go-around maneuver. We find the largest controlled subset of the aircraft's flight envelope for which we can guarantee both safe landing and safe go-around. We abstract a discrete procedural model using this result, and verify a discrete formulation of the pilot display against it. An interface which fails this verification could result in nondeterministic or unpredictable behavior from the pilot's point of view.

This paper discusses a formal and rigorous approach to the analysis of operator interaction with machines. It addresses the acute problem of detecting design errors in human-machine interaction and focuses on verifying the correctness of the interaction in complex and automated control systems. The paper describes a systematic methodology for evaluating whether the interface provides the necessary information about the machine, so as to enable the operator to perform a specified task successfully and unambiguously. It also addresses the adequacy of the information, provided to the user via training material (e.g., user manual), about the machine’s behavior. The essentials of the methodology, which can be automated and applied to the verification of large systems, are illustrated by several examples and through a case study of pilot’s interaction with an autopilot onboard a modern commercial aircraft. Running head: human-automation interaction. Key words: automation, modeling, design of interfaces, formal-methods, verification, cockpit design.

This report addresses the design of human-automation interaction from a formal perspective that focuses on the information content of the interface, rather than the design of the graphical user interface. It also addresses the issue of the information provided to the user (e.g., user-manuals, training material, and all other resources). In this report, we propose a formal procedure for generating interfaces and user-manuals. The procedure is guided by two criteria: First, the interface must be correct, i.e., that with the given interface the user will be able to perform the specified tasks correctly. Second, the interface should be as succinct as possible. The report discusses the underlying concepts and the formal methods for this approach. Several examples are used to illustrate the procedure. The algorithm for constructing interfaces can be automated, and a preliminary software system for its implementation has been developed.

A human interacting with a hybrid system is often presented, through information displays, with a simplified representation of the underlying system. This interface should not overwhelm the human with unnecessary information, and thus usually contains only a subset of information about the true system model, yet, if properly designed, represents an abstraction of the true system which the human is able to use to safely interact with the system [1]. For cases in which the human interacts with all or part of the system from a remote location, and communication has a high cost, the need for a simple abstraction which reduces the amount of information that must be transmitted is of the utmost importance. The user should be able to immediately determine the actual state of the system, based on the information displayed through the interface. In this paper, we derive conditions for immediate observability in which the current state of the system can be unambiguously reconstructed from the output associated with the current state and the last or next event. Then, we show how to construct a discrete event system output function which makes a system immediately observable, and apply this to a reduced state machine which represents an interface.

This paper describes our experience when applying formal methods in the design of the tourist information system TIP, which presents context-sensitive information to mobile users with small screen devices. The dynamics of this system are very complex and pose several challenges, firstly because of the sophisticated interaction of several applications on a small screen device and the user, and secondly because of the need for communication with highly asynchronous event-based information systems.

Hybrid systems combine discrete state dynamics which model mode switching, with continuous state dynamics which model physical processes. Hybrid systems can be controlled by affecting both their discrete mode logic and continuous dynamics: in many systems, such as commercial aircraft, these can be controlled both automatically and using manual control. A human interacting with a hybrid system is often presented, through information displays, with a simplified representation of the underlying system. This user interface should not overwhelm the human with unnecessary information, and thus usually contains only a subset of information about the true system model, yet, if properly designed, represents an abstraction of the true system which the human is able to use to safely interact with the system. In safety-critical systems, correct and succinct interfaces are paramount: interfaces must provide adequate infor-mation and must not confuse the user. We present an invariance-preserving abstraction which generates a discrete event system that can be used to analyze, verify, or design user-interfaces for

This paper describes our experience when applying formal methods in the design of the tourist information system TIP, which presents context-sensitive information to mobile users with small screen devices. The dynamics of this system are very complex and pose several challenges, firstly because of the sophisticated interaction of several applications on a small screen device and the user, and secondly because of the need for communication with highly asynchronous event-based information systems. UML sequence diagrams have been used to capture the requirements and possible interactions of the system. In a second step, a formal model has been created using discrete event systems, in order to thoroughly understand and analyse the dynamics of the system. By verifying general properties of the formal model, several conceptual difficulties have been revealed in very early stages of the design process, considerably speeding up the development. This work shows the limitations of typical methods for interaction design when applied to mobile systems using small screen devices and proposes an alternative approach using discrete event systems. 1