A JavaPathfinder Extension to Analyze Human Machine Interactions


  1. A JavaPathfinder Extension to Analyze Human Machine Interactions Sébastien Combéfis (UCLouvain), Dimitra Giannakopoulou (NASA), Charles Pecheur (UCLouvain), Peter Mehlitz (NASA)

  2. HMI issues
     § automation surprises
       – non-determinism, mode confusion
     § system abstractions for human operators
       – user / pilot training, procedure generation, test-case generation
     § jpf-hmi
       – supports the definition of hmi systems
       – provides a number of hmi-specific analysis capabilities

  3. HMI LTS of a countdown system
     [LTS diagram: state idle and running states val=4 down to val=0; transition labels start, tick, stop and tau; legend: command, observation, unobservable (tau); mode labels mode1 and mode2]

  4. jpf-hmi
     [architecture diagram; labels: JPF; inputs .xmi, .java, .txt, other?; components XMIParser, SC2LTS, LTSLoader; HMI LTS; analyses FCCheck, Bisim, Learning; outputs true/false, HMI LTS]

  5. HMI system description

     ```java
     import java.util.ArrayList;
     import java.util.Arrays;
     import java.util.List;

     // Model, Action, State and @Mode are used as on the slide; their imports are not shown there.
     public class CountDown extends Model {

         // Declares the alphabet: start/stop are commands, tick is an observation.
         @Override
         public List<Action> getActions() {
             List<Action> actions = new ArrayList<Action>();
             actions.addAll(Arrays.asList(
                 new Action("start", COMMAND),
                 new Action("stop", COMMAND),
                 new Action("tick", OBSERVATION)
             ));
             return actions;
         }

         public static class Behaviour extends State {
             private static final int MAX = 4;

             @Mode("red")
             public class Idle extends State {
                 public void start() ...
             }

             @Mode("green")
             public class Running extends State {
                 int val = 0;
                 public void stop() ...
                 public void tick() ...
             }
             ...
     ```

  6. HMI analyses: behavioral abstraction
     abstraction M_U allows full control of system M_M if at any time, when using the system according to M_U:
       1. the set of available commands is exactly the same for the two models
       2. abstraction allows at least all the observations that can be produced by the system
     [LTS diagram: countdown system, state idle and running states val=4 down to val=0, transitions start, tick, stop]

  7. HMI analyses during generation
     § FC determinism
       – System model is not full control deterministic: CEX:[start, tick, tick, tick, tick]
     § Mode confusion
       – Modes are self-loop transitions treated like commands. If CEX ends in mode action, then it represents mode confusion.
     [LTS diagram: countdown system, state idle and running states val=4 down to val=0, transitions start, tick, stop, and tau at val=0]

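  8. where would we be without abstraction?
     @FilterField

     ```java
     // Abstraction of the integer counter into two abstract values: "(>0)" and "(=0)".
     public static class ValAbs1 extends AbstractionAdapter {

         // 0 for any positive value, 1 for zero, -1 for negative input.
         public int getAbstractValue(int v) {
             if (v > 0) {
                 return 0;
             } else if (v == 0) {
                 return 1;
             }
             return -1;
         }

         // Display name of the abstract value; anything other than abstract 0
         // (including the -1 returned for negative input) is labelled "(=0)".
         public String getName(int v) {
             int i = getAbstractValue(v);
             return i == 0 ? "(>0)" : "(=0)";
         }
     }
     ```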

  9. conclusions & extensions more input sources / analyses / scalability, more users…

  10. system vs mental models
      § system model describes complete behavior of a system
      § mental model describes user's view of the system
      [diagram: two transition systems with colored states, one with states 0 to 2 and one with states 0 to 5, edges labelled a, b, c, d, e]
      § user does not need to distinguish states with the same color
      § the focus of this work is to generate mental models automatically

  11. full control mental model
      § what is a good mental model?
        – it should be as compact as possible
        – the user should have enough information to control the system
      § mental model M_U allows full control of a system M_M if at any time, when using the system according to the mental model:
        – the set of available commands is exactly the same for the two models
        – the mental model allows at least all the observations that can be produced by the system
      [diagram: two transition systems, one with states 0 to 2 and one with states 0 to 5, edges labelled a, b, c, d, e, f]
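An added sketch (not jpf-hmi code and not from the slides) of the full-control check defined on slides 6 and 11, run on a constructed reading of the slide-3 countdown LTS against a constructed two-state mental model that ignores val. The state names (run4 … run0), the assumption that stop and the final tau lead back to idle, the tau handling (commands are compared at every system state reachable through tau), and the use of Java 16+ records are all assumptions of this example.

```java
import java.util.*;

public class FullControlDemo {
    record T(String from, String label, String to) {}           // one LTS transition
    record Pair(String sys, String user, List<String> trace) {} // joint state + trace so far
    static final Set<String> COMMANDS = Set.of("start", "stop"); // tick = observation, tau = internal

    // Labels enabled in state s: commands if wantCommands, otherwise observations.
    static Set<String> enabled(List<T> lts, String s, boolean wantCommands) {
        Set<String> out = new TreeSet<>();
        for (T t : lts)
            if (t.from().equals(s) && !t.label().equals("tau")
                    && COMMANDS.contains(t.label()) == wantCommands) out.add(t.label());
        return out;
    }

    // Returns null when user gives full control of sys, else the trace leading to the mismatch.
    static List<String> check(List<T> sys, List<T> user, String s0, String u0) {
        Deque<Pair> todo = new ArrayDeque<>(List.of(new Pair(s0, u0, List.of())));
        Set<String> seen = new HashSet<>();
        while (!todo.isEmpty()) {
            Pair p = todo.poll();
            if (!seen.add(p.sys() + "|" + p.user())) continue;
            // Condition 1: identical commands. Condition 2: user model expects every system observation.
            if (!enabled(sys, p.sys(), true).equals(enabled(user, p.user(), true))
                    || !enabled(user, p.user(), false).containsAll(enabled(sys, p.sys(), false)))
                return p.trace();
            for (T t : sys) {
                if (!t.from().equals(p.sys())) continue;
                if (t.label().equals("tau")) { todo.add(new Pair(t.to(), p.user(), p.trace())); continue; }
                List<String> trace = new ArrayList<>(p.trace()); trace.add(t.label());
                for (T m : user) // mental model assumed deterministic and tau-free
                    if (m.from().equals(p.user()) && m.label().equals(t.label()))
                        todo.add(new Pair(t.to(), m.to(), trace));
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs: countdown system (stop and the final tau return to idle), 2-state mental model.
        List<T> sys = new ArrayList<>(List.of(new T("idle", "start", "run4"),
                new T("run0", "stop", "idle"), new T("run0", "tau", "idle")));
        for (int v = 4; v > 0; v--) {
            sys.add(new T("run" + v, "tick", "run" + (v - 1)));
            sys.add(new T("run" + v, "stop", "idle"));
        }
        List<T> user = List.of(new T("idle", "start", "running"),
                new T("running", "tick", "running"), new T("running", "stop", "idle"));
        System.out.println("counterexample: " + check(sys, user, "idle", "idle"));
    }
}
```

The mismatch arises after the fourth tick: the system may silently take tau to idle, where only start is offered, while the mental model still expects stop.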
