Abstract
An important area of Human Reliability Assessment in interactive systems is the ability to understand the causes of human error and to model their occurrence. This paper investigates a new approach to analysis of task failures based on patterns of operator behaviour, in contrast with more traditional event-based approaches. It considers, as a case study, a formal model of an Air Traffic Control system operator’s task which incorporates a simple model of the high-level cognitive processes involved. The cognitive model is formalised in the CSP process algebra. Various patterns of behaviour that could lead to task failure are described using temporal logic. Then a model-checking technique is used to verify whether the set of selected behavioural patterns is sound and complete with respect to the definition of task failure. The decomposition is shown to be incomplete and a new behavioural pattern is identified, which appears to have been overlooked in the informal analysis of the problem. This illustrates how formal analysis of operator models can yield fresh insights into how failures may arise in interactive systems.
Communicated by Dr. Bernhard Beckert.
Cerone, A., Connelly, S. & Lindsay, P. Formal analysis of human operator behavioural patterns in interactive surveillance systems. Softw Syst Model 7, 273–286 (2008). https://doi.org/10.1007/s10270-007-0072-x