1 / 96

Model-Based Approaches for Safety-Critical Systems Design

Explore model-based approaches for the design of safety-critical interactive systems presented by LIIHS-IRIT University in France.

byrnea
Download Presentation

Model-Based Approaches for Safety-Critical Systems Design

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Model-based approaches for the design of safety critical interactive systems Philippe Palanque LIIHS-IRIT University Paul Sabatier Toulouse – France http://liihs.irit.fr/palanque palanque@irit.fr Rio de Janeiro – 18-19 september 2007

  2. Overview of the lectures • Overview of LIIHS Research Group • State of the art in MBA for HCI • System modeling • Task modeling • Design rationale • Research Themes and Productions • A Roadmap on FM & HCI

  3. 1 - Overview of LIIHS A bit of History about LIIHS • Started in 1988 at University Toulouse 1 (law and economics) gathering all the computer scientists at UT1 • In 1993 main research theme is HCI and name changed to LIHS (group size about 15 people) • From research on software engineering methodologies • From research on notations for modeling activities • ~ 20 PhDs

  4. Mono-disciplinary research: Human Computer Interaction Computer Scientists, Human Factors, Ergonomics, HCI specialists Special point of view: Software Engineering for Human-Computer Interaction Usability (methods for design and evaluation of computer systems) Reliability (formal specification, human error assessment, …) Traceability (Design rationale) Special application domain: (safety) critical interactive systems – cost of development much lower than the cost of a failure 1 - Overview of LIIHS Research at LIIHS

  5. Safety Critical Systems Software Engineers System centered Reliability Safety requirements (certification) Formal specification Verification / Proof Waterfall model / structured Archaic interaction techniques Interactive Systems Usability experts User centered Usability Human factors Task analysis & modeling Evaluation Iterative process / Prototyping Novel Interaction techniques 1 - Overview of LIIHS Reliability Usability Safety Critical Interactive Systems

  6. Modeling • Tasks models • Abstract description of users' planned activities (goal) • Scenarios • Concrete description of users' planned activities • Temporal organization of actions (and related information) • System models • Both structure (object oriented approach) and behavioral description • How user's actions change system state • How system state (rendering) • Reduces authorized user's actions • Is presented to the user • Designing options rationally

  7. Current projects ReSIST EU Network of Excellence Project (Resilience for Information Society) (01-2006/12-2008) COST NSF EU action MAUSE (Maturing Usability) (01-2005/12-2008) Recently completed INTUITION Project (Multimodal Interfaces military aircrafts) (02-2003/02-2006) MISC Project (Multimodal Interfaces for Safety-critical Command and Control) (01-2003/01-2007) Research Training Network EU ADVISES (11-2002/ 12-2006) Capes/ Cofecub SPIDER WEB (07-2002/07-2005) Previous relevant projects DoD Drones Project (Unmanned Aerial Vehicles) (03-2001/09-2002) EUD-Net EU Network of Excellence (07-2002/07-2002) EVALWEB Project: Building ergonomic web sites by design (1999-2002) Project CNET SERPICO : Specifications for CORBA Components Engineering (1998-2001) Esprit Project LTR MEFISTO n°24963 Modeling Evaluation and Formalizing Interactive Systems using Tasks and Objects (1997-2001) ERGOVAL (1995) 1 - Overview of LIIHS Research Projects

  8. 1 - Overview of LIIHS EvalWeb • 1998-2002 • Ergonomic application web by design • Partners : Univ. Louvain la neuve (J. Vanderdonckt) & INRIA (D. Scapin) • Funding : CNRS GIS Cogniscience (1999)

  9. Modeling, Evaluating and Formalizing Interactive Systems using Tasks and interaction Objects ESPRIT Reactive LTR 24963 Project (EC) Air Traffic Control domain Multi disciplinary team Computer Scientists (F. Paterno CNUCE, LIIHS) Psychologists (P. Wright Univ. York, P. Marti Univ. Sienna) Industrial partners (DERA UK, CENA F, Alenia I) Users (ENAV I ATC association) MEFISTO (overview)

  10. 1 - Overview of LIIHS UAV Project (1/2)

  11. 1 - Overview of LIIHS UAV Project (2/2) • Design, implementation and evaluation of user interfaces for drones command and control • Performance and user capabilities • Authority sharing • From several controllers per drone to one controller for several drones

  12. Multimodal Interaction for Command and Control of Safety critical Systems Starting: beginning 01/2003 Finances: DGA (French Department of Defense , CNES (National center for spatial studies), and LIIHS 1 - Overview of LIIHS MISC Project

  13. 1 - Overview of LIIHS COFECUB Project SPIDER WEB • Specification and Prototyping for user Interface Design, Engineering and Re-engineering for the Web • France- Brazil cooperation • Partners LIIHS and Instituto de Informatica (Porto Alegre) • Beginning Feb. 2002 • In conjunction with a CNPq funding of Marco Winckler PhD about "model-based approaches for wed application evaluation"

  14. ADVISES: Analysis Design and Validation of Interactive Safety-critical and Error-tolerant Systems • Type de projet: Research Training Network • Sponsors: EU (Fifth Framework Improving Human Potential Programme) • 8 sites : Delft University of Technology (NL), ISTI-CNR(I), Risø National Laboratory (DK), Université de Liège (B), Université Paul Sabatier Toulouse (F), University of Glasgow (UK), University of York (UK), Universität Paderborn (D) • Objectifs • Étudier et développer des méthodes outils et techniques pour l'analyse, la conception et la validation de systèmes interactifs fiables et tolérants aux erreurs humaines • Principes • Approche pluridisciplinaire intégrant des spécialistes facteurs humains (ergonomie cognitive, psychologie du travail) des spécialistes informatiques (génie logiciel, méthodes formelles, approches à objets et distribuées) des spécialistes en interaction homme-machine (méthodes de conception centrée utilisateur) et des spécialistes en systèmes critiques (analyse d'incidents/accidents, systèmes embarqués civil et militaires, nucléaire) • Formation à la recherche et par la recherche • Formation des jeunes chercheurs dans ces domaine par la mobilité au sein du réseau Durée (4 ans): Oct. 02  Oct. 06 Budget LIIHS: 160 K€ HT

  15. 1 - Overview of LIIHS EUD-Net • The EUD-NET Network of Excellence is financed by European Community and started in July, 1st 2002. • Goal: help the European Commission to prepare a research agenda in the end-user development field • Related to previous work on notations and tools for visual programming

  16. Project INTUITION • Financed by DoD. THALES avionic in charge. LIIHS team 240K€ HT. • Start January 2003. 3 years • Definition and construction of a platform for the design, specification and development of multimodal interactive systems • Application domains: • Rafale Cockpit • Air Traffic Control multimodal Interfaces

  17. Cockpit Rafale Visu tête haute Ecran tactile Joystick

  18. http://www.cost294.org/ http://www.esf.org/ http://cost.cordis.lu/ MAUSE: Towards the MAturation of Information Technology USability Evaluation • Type de projet: action COST • Sponsors: ESF (European Science Foundation) et COST (European Cooperation in the field of Scientific and Technical research) • 19 pays UE: (AT, BE, CY, CZ, DK, FI, FR, DE, GR, IS, NL, NO, PL, RO, SI, ES, SE, CH and UK) • Objectifs • Étudier, développer, évaluer et comparer les Méthodes d’Evaluation de l’Utilisabilité (MEU)s • Activités • WG 1: Révision et Analyse de (MEU)s • WG 2: Comparaison de (MEU)s: Stratégies et Implémentation • WG 3: Validation de Schèmes de Classification de Problèmes d’utilisabilité • WG 4: Révision des approches assistées par l’ordinateurs pour l’évaluation de l’utilisabilité • (SIG): E-Learning • Dissémination de résultats (Coordination): LIIHS-IRIT, P. Palanque, M. Winckler Durée (4 ans): Déc. 04  Nov. 08 Budget: Défini en fonctions des missions et des activités des participants

  19. 1 - Overview of LIIHS ReSIST • http://www.resist-noe.eu/ • Resilience • Diversity • Usability • Evolvability • Assessability • Dependability+Safety+Security+Usability • Duration 3 years

  20. 1 - Overview of LIIHS Marco WINCKLER Lecturer Christelle FARENC Lecturer David NAVARRE Lecturer Philippe PALANQUE Professor Members of LIIHS working in that field Regina BERNHAUPT Visiting Professor Joseph Xiong PhD Student 4th year Jean-François LADRY PhD Student 1st year Eric BARBONI Post Doc Florence Pontico PhD Student 4th year Sandra BASNYAT Post Doc

  21. Outline of the presentation • Overview of LIIHS Research Group • State of the art in MBA for HCI • Specificities of Interactive System • What is modeling? • What kind of modelling in HCI? • What has still to be done? • System modelling • Task modelling • Design rationale • Research Themes and Productions • A Roadmap on FM & HCI

  22. 2 – State of the art Interactive Systems

  23. 2 – State of the art "Classical" Design Process SS Informal requirements Manual Spec 1 Specification ... Spec n Design 1 Design ... Design n User testing Prog. 1 Coding ... Prog. n

  24. 2 – State of the art x f1 e1 x x f2 e2 x e3 x x f3 What is a "Model" ? • Concepts relationships between concepts • Example : Entity Relationship Model • Concepts : Entity types, Relationship Types, Attributes, Domain of Values, Identifiers, ... • Relationships between concepts : "A Relationship type is a sub set of the Cartesian product of two Entity Type" • An entity e1 cannot have more than one relationship with another entity e2 through the same relationship type

  25. 2 – State of the art What can we Expect from a Model ? • Completeness (we can express all the information we need to) • Consistency (Contradictory elements cannot be expressed) • Generality (Independent from a given application domain … always ?)

  26. 2 – State of the art What is a "formalism" ? • A set of conventions for representing the concepts of a Model • Lexical elements (graphical or textual) • Concrete Syntax (separators, terminators, ...) • A formal definition of these conventions (otherwise just a notation) Person Flat 0,n 1,1 Owns

  27. 2 – State of the art Owns Person Flat 0,n 1,1 Rents 0,1 0,n What can we expect from a "formalism" ? • Expressiveness • Conciseness • Closeness of the representation to the application domain • Completeness wrt the Model (counter example : Graphical formalism of the Entity Relationship Model) • L. Lamport "the only difficult problem the author solved was understanding his own notation" • L. Lamport "Automaton is a formal description technique dedicated to the specification of stacks"

  28. 2 – State of the art Bug : With a "Formalism" we build "models" Modelling • model: ideal representation of a given situation form the real world restrained to the concepts covered by the Model • Goal: analyze the model to draw conclusions about the actual state of the real world • Meta-model: model representing the concepts of the Model using the formalism (done for E/R and UML using class diagrams)

  29. 2 – State of the art What and why modeling systems? • An abstract description of the system • independent from the implementation • that do not deal too early with details • Describe what are the outputs of the system according to the inputs • To allow discussions between the various actors (at a time, along the design process) • to store results of discussions

  30. 2 – State of the art What is a system model for Interactive Systems ? • Represents the system data and actions • Represents behaviour of the system • what actions are offered by the system • when an action is available (according to the state of the system) • what is the effect of an action on the state of the system • Represents both how the system is presented to the user and how the user interacts with it

  31. 2 – State of the art Design process for IS ? Informal requirements Manual Spec 1 Goal 1 User requirements Specification ... ... Spec n Goal n Design 1 Task 1 Task Analysis Design ... ... Design n Task n User testing Prog. 1 Coding ... Prog. n

  32. 2 – State of the art Why Modelling Interactive Systems Formally ? • To cope with the complexity • To avoid a human observer (checking models) • To avoid a human translator (writing code) • To reason (verification, validation) • To meet three basic requirements • Reliability: generic and specific properties • Efficiency : performance of the system, the user (workload, …) and the couple (user, system) tasks • Usability

  33. 2 – State of the art Design process using FM Automatic Informal requirements Manual Spec 1 Verification Specification ... Spec n Validation Design 1 Design ... Generic properties Verification Design n Informal validation Coding Prog. 1 ... Progr. Gener. Prog. n

  34. 2 – State of the art The design process of models

  35. 2 – State of the art Examples of models (requirements) • A need for a declarative formalismRequirements • Every clearance sent by a controler to a plane p is received by this plane " p Planes, " req DLRequest, AG[send(req,p)]AF<receive(req,p)>true • A data-link clearance sent by a controler to a plane p will only be received by that plane " p,p' Planes, " req DLRequest, AG[send(req,p)]AG[not(receive(req,p')]true

  36. 2 – State of the art Temporal Logic CTL * (Computational Tree Logic Star) • A state has one or mode successors • The set of possible states is infinite • Operators: • A (all the possible future); E (one possible future) + {F eventually, G always, X next, U until} • Logical connectors : •  (and);  (or);  (not);  (implies)

  37. 2 – State of the art Temporal Logic CTL * si si |= AGp si |= AFp si si |= EGp si |= EFp p formula is true if the system is in red state false otherwise

  38. 2 – State of the art Temporal Logic CTL * si si si |= AXp si |= EXp si si si |= E(p U q) si |= A(p U q)

  39. 2 – State of the art Relating tasks and system Maintain task and system models consistency Formal task modelling Formal system modelling Preliminary Preliminary th th system model i iteration i iteration task model Quantitative analysis Ok Towards Not Ok Proposals for Check Usability improving the Objectives Testing system model

  40. 2 – State of the art Proving compatibility of models • All the objects in the tasks model are part of the data model of the system model • All the actions in the tasks model are offered by the system model • All the actions in the system model exist in the tasks models • All the sequences of actions in the tasks model are "legal" in the system model

  41. 2 – State of the art Fundamental elements for formal methods for IS • Describe both state and events • Describe both data structure and control structure • Provide structuring mechanisms (80% of the code is dedicated to UI Myers 90) • Take into account concurrency (multimodal systems) • Deals with temporal aspects (temporal windows) • Do it formally (it is easier to prove than to test)

  42. 2 – State of the art State versus Events (Dix 91) • Reactive systems • Event driven • Slicing of code into event handlers require explicit state representations • Approaches • Approaches coming from Reactive Systems • Reactive or synchronous languages (esterel, Lotos) • Methodological use of Petri nets

  43. 2 – State of the art Data Structure / Control Structure • Software crisis has shown limitations of separation (maintainability, modifiability, reusability, ...) • Approaches • Mix two dedicated approaches (CSP-Z, Object-Z, …) • Integrate two approaches (Full LOTOS, Petri nets with objects)

  44. 2 – State of the art Structuring Mechanisms • Handling of complex components • Understandability of models • Reusability • Modifiability • Approaches • composition (aggregation, association, …) • communication (client-server, actors) • macros and plugs

  45. 2 – State of the art Concurrence • Concurrency between input and output devices (+ multimodality) • Groupware • Multi threaded dialogues • Approaches • Textual formalisms (CSP, CCS, LOTOS, Temporal Logic) • Graphical formalisms (Petri nets, Statecharts) • Only Petri nets feature full concurrency semantics

  46. 2 – State of the art Temporal Aspects • Multimodal systems • Animation (time based evolution) • Alarms • Calendar events • Approaches • Procedural (Petri nets, Lotos, ... ) • Declarative (Temporal Logics, ...)

  47. 2 – State of the art Formal Aspects • Easier to prove than to test • Critical Systems • Completeness, concision et non-ambiguity • Executability • Approaches • Mathematical validation • Test case generation • Automatic code generation

  48. A Small Example/Exercise • Model of a Mouse behaviour (one button, no wheel) • Model of the interaction technique • Click • Double click • Extensions • Several buttons • Behaviour of the wheel • Several mice

  49. 2 – State of the art A Small Example • Requirement: • Whatever state the system is in, Move is always available

  50. 2 – State of the art A Small Example

More Related