Using Model Checking to Help Discover Mode Confusions and Other Automation Surprises

John Rushby

From Reliability Engineering and System Safety, Vol. 75, No. 2, pp. 167-177, February 2002.

Abstract

Automation surprises occur when an automated system behaves differently than its operator expects. If the actual system behavior and the operator's "mental model" are both described as finite state transition systems, then mechanized techniques known as "model checking" can be used automatically to discover any scenarios that cause the behaviors of the two descriptions to diverge from one another. These scenarios identify potential surprises and pinpoint areas where design changes, or revisions to training materials or procedures, should be considered. The mental models can be suggested by human factors experts, or can be derived from training materials, or can express simple requirements for ``consistent'' behavior. The approach is demonstrated by applying the Murphi state exploration system to a "kill-the-capture" surprise in the MD-88 autopilot.

This approach does not supplant the contributions of those working in human factors and aviation psychology, but rather provides them with a tool to examine properties of their models using mechanized calculation. These calculations can be used to explore the consequences of alternative designs and cues, and of systematic operator error, and to assess the cognitive complexity of designs.

The description of model checking is tutorial and is hoped to be accessible to those from the human factors community to whom this technology may be new.

gzipped postscript, or plain postscript or PDF, or crude ascii (for your Palm Pilot)

Slides

The most recent slides on this material are from a talk I gave at Safecomp'01 and are available here

BibTeX Entry

@article{Rushby:RESS02,
        AUTHOR = {John Rushby},
        TITLE = {Using Model Checking to Help Discover Mode Confusions
                and Other Automation Surprises},
        JOURNAL = {Reliability Engineering and System Safety},
        PAGES = {167--177},
        VOLUME = 75,
        NUMBER = 2,
        MONTH = feb,
        YEAR = 2002,
	NOTE = {Available at
        \url{http://www.csl.sri.com/users/rushby/abstracts/ress02}}
}

Having trouble reading our papers?
Return to the Formal Methods Program home page
Return to the Computer Science Laboratory home page