Matthew L. Bolton, Mechanical and Industrial Engineering
Problem Statement and Motivation
• Breakdowns in complex systems often occur as a result of system elements interacting in unanticipated ways
• Unanticipated normative and erroneous human-system interactions are often associated with these failures
• Formal verification analyses (like those supported by model checking) allow analysts to prove whether or not a model of a system satisfies safety properties
• Human factors engineers have models capable of representing normative human task behavior and erroneous acts
• This work is focused on synthesizing these technologies into novel tools capable of predicting when normative and erroneous human behavior can contribute to system failure

[Figure: architecture of the approach. A System Model combines the Environment (environmental conditions), the Human Mission (mission goals), a Normative Task Behavior Model (human actions) and the Device (interface state). An Erroneous Behavior Generator and Translator, a Specification and a Model Checker produce a Verification Report (proof or counterexample). Inset task models (or_seq / ord / xor decompositions) show the Set Delay and Set Dose tasks of a patient controlled analgesia pump: Change Delay through Press Left / Press Right / Press Up / Press Clear / Select Next / Enter Digit / Clear until DisplayedValue = PrescribedDelay, then Accept Delay, guarded by InterfaceState = SetDelay (and the same structure for DisplayedValue vs. PrescribedDose). A counterexample visualization panel shows Step 23: DisplayedValue = Incorrect, PrescribedDelay = Correct, ChangeDelay = Done, Count = 1.]
Technical Approach
• Normative human behavior is represented using a task modeling notation
• A translator automatically converts this into a formal modeling notation
• As part of this translation, erroneous human behavior can be generated in the formal representation of the human behavior model
• The formal human behavior model is integrated with a larger formal system model that includes human mission goals, device behavior, and the operational environment
• A specification asserts desirable properties about the operation of the system using a temporal logic
• A model checker is used to prove whether or not the system model adheres to the specification
• The model checker produces a verification report that contains a confirmation or a counterexample (counter proof)
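The pipeline above, reduced to a runnable toy in Python. This is an added example and not the poster's own notation, translator or model checker: the Set Delay task model (Press Up until DisplayedValue = PrescribedDelay, then Press Enter to accept), the single-digit device, the erroneous-act generator (an out-of-plan button press charged against an error budget) and the safety property are all constructed here for illustration. The checker is a plain breadth-first search over the reachable states of the combined human-device model; a violating state yields the shortest counterexample as a step-numbered trace, a proof is the absence of any such state.

```python
"""Toy explicit-state model checking of a Set Delay task (added example; not the
author's tool). Task model, device and erroneous-behavior generation are
constructed here to mirror the approach: normative task -> formal transition
system -> generated erroneous acts -> safety property -> proof or counterexample."""
from collections import deque
from dataclasses import dataclass, replace
from typing import Callable, Iterable, List, Optional, Tuple

PRESCRIBED_DELAY = 3   # constructed mission goal: the delay the task must enter
DIGITS = 10            # constructed device: one-digit delay field, values 0..9
ALL_ACTIONS = ("Press Up", "Press Enter")


@dataclass(frozen=True)
class State:
    displayed: int      # device interface state: DisplayedValue
    accepted: bool      # device: Enter pressed, delay committed
    task_done: bool     # human task model: Set Delay finished
    errors_left: int    # remaining budget of generated erroneous acts


def device_step(s: State, action: str) -> State:
    """Device behavior: Press Up increments the digit (wrapping), Enter commits it."""
    if action == "Press Up":
        return replace(s, displayed=(s.displayed + 1) % DIGITS)
    if action == "Press Enter":
        return replace(s, accepted=True)
    raise ValueError(f"unknown action {action!r}")


def perform(s: State, action: str) -> State:
    """Human action applied to the device; Accept Delay (Enter) ends the task."""
    n = device_step(s, action)
    return replace(n, task_done=True) if action == "Press Enter" else n


def normative_actions(s: State) -> List[str]:
    """Normative Set Delay task (or_seq): Change Delay until DisplayedValue =
    PrescribedDelay, then Accept Delay."""
    if s.task_done:
        return []
    return ["Press Up"] if s.displayed != PRESCRIBED_DELAY else ["Press Enter"]


def successors(s: State) -> List[Tuple[str, State]]:
    """Transition relation of the integrated human-device model: normative acts
    are always available; while the error budget lasts, any out-of-plan press
    may also occur (a generated erroneous act, labelled in the trace)."""
    out = [(a, perform(s, a)) for a in normative_actions(s)]
    if s.errors_left > 0 and not s.task_done:
        for a in ALL_ACTIONS:
            if a not in normative_actions(s):
                charged = replace(s, errors_left=s.errors_left - 1)
                out.append((a + " [erroneous]", perform(charged, a)))
    return out


def delay_correct_when_accepted(s: State) -> bool:
    """Specification as an invariant: G(accepted -> DisplayedValue = PrescribedDelay)."""
    return (not s.accepted) or s.displayed == PRESCRIBED_DELAY


def model_check(initial: State,
                succ: Callable[[State], Iterable[Tuple[str, State]]],
                invariant: Callable[[State], bool]
                ) -> Tuple[bool, Optional[List[Tuple[str, State]]]]:
    """Breadth-first explicit-state reachability. Returns (True, None) when every
    reachable state satisfies the invariant, otherwise (False, counterexample)
    where the counterexample is the shortest list of (action, resulting state)."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if not invariant(s):
            trace = []
            while parent[s] is not None:
                action, prev = parent[s]
                trace.append((action, s))
                s = prev
            return False, trace[::-1]
        for action, nxt in succ(s):
            if nxt not in parent:
                parent[nxt] = (action, s)
                queue.append(nxt)
    return True, None


def verify(max_errors: int):
    """Run the check with a given budget of generated erroneous acts."""
    init = State(displayed=0, accepted=False, task_done=False, errors_left=max_errors)
    return model_check(init, successors, delay_correct_when_accepted)


if __name__ == "__main__":
    for budget in (0, 1):
        holds, cex = verify(budget)
        print(f"max erroneous acts = {budget}: {'PROVED' if holds else 'COUNTEREXAMPLE'}")
        for step, (action, st) in enumerate(cex or [], 1):
            print(f"  Step {step}: {action:24s} DisplayedValue = {st.displayed} "
                  f"PrescribedDelay = {PRESCRIBED_DELAY} Accepted = {st.accepted}")
```

With an error budget of zero the property is proved; with a budget of one the checker returns a one-step counterexample in which Enter is pressed before the displayed delay matches the prescription, the same kind of trace the page's counterexample visualization renders step by step. Two caveats a practitioner should keep in mind: the proof is a proof about the model, so it is only as strong as the fidelity of the task, device and error models, and the reachable state space grows multiplicatively with the error budget and the device's value range, which is the scalability problem the poster lists as a future goal.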
Key Achievements and Future Goals
Key Achievements:
• A novel, formal, task analytic modeling notation
• A task-model-to-formal-model translator
• Two novel methods for generating erroneous human behavior
• A counterexample visualization tool
• Successful application of the method to the design of aircraft checklist procedures, an automobile cruise control system, and a patient controlled analgesia pump
Future Goals:
• Improve method scalability
• Model human-human interaction and communication error
• Integrate method with other analysis approaches