models for the engineering of interactive...

02/11/2017

1

Models for

the Engineering

of Interactive Systems

Philippe Palanque

Interactive Critical Systems research group

http://www.irit.fr/ICS/palanque - [email protected]

October 31st, 2017

2

http://www.irit.fr/ICS/palanque

02/11/2017

2

• Air Traffic Management (enroute ATC workstations) 1995-2001 & 2010-2016 HALA! Network of excellence & SPAD (System Performance under Automation Degradation)

Dynamic instantiation of widgets, Post WIMP interfaces

Time constraint about 3mn (speed vector)

Automation and Automation Degradation

• Drones (UAVs) 2001-2003 & Military aviation 2003-2006 Management of fleet of aircrafts, Authority sharing, Cooperation and collaboration problems

Multimodal systems for military cockpits (evolutions of RAFALE fighter)

Specification of multimodal fusion engines, “real time” (20 ms)

• Space domain : R&T IMAGES (2004-2006) R&T TORTUGA (2008-2011) R&T ALDABRA (2011-2012) R&T

MARACCAS (2012-2014) IFA-ESA (2012-2015) Time constraints about 3-4 days

Specification of satellite ground segments with multimodal interfaces

Target application: AGENDA & spacecraft collision avoidance system

Integrated Failure Analysis – ECSS Handbook on Human Reliability

• Civil aviation 2004-2006 & 2009-2016 & 2015-2019 (Airbus – dependable interactive cockpits) & 2015-2018 (MMI

Airbus Helicopter Marseille & Bertin Technologies) Interactive Cockpits (ARINC 661 standards) & touch interaction in cockpit

Specification of all the embedded elements (widgets, UA, UI server)

Specification of system architectures for dependable interactive systems (fault tolerance)

Time constraint high variability (from seconds to tens of minutes)

3

Past-Current Research Projects

• Human Computer Interaction : Usability of computing systems (effectiveness, efficiency, satisfaction) and UX (aesthetics, meaning and value, emotions, social connectedness, identification, stimulation)

Basic principle: user centered design (UCD)Process: iterative design/development

• Initial approach in computer scienceWe design/develop the system FOR reliability and THEN usability is evaluated (meaning not usable but too late to change)

• HCI domain contributionWe design/develop the system and FOR usability and THEN we do our best for reliability (meaning not reliable but try to have not too many crashes and recurring patches)

4

Basic Principles of HCI

02/11/2017

3

Philosophy

• Human on one side and the system on the other side

Philosophy

• Human on one side and the system on the other side

• Human-System integration does not exist

• Human-System integration takes place through another complex system

▫ Hardware

▫ Software

▫ Interaction

02/11/2017

4

MIODMIT

7

Martin Cronel. 2017. An Approach for the engineering of Multimodal and

Multi-user Engineering of Interactive Systems. PhD University of

Toulouse, October 2017 (in French)

MIODMIT

02/11/2017

5

Why should I (we) care?

Why should I (we) care?

02/11/2017

6

Erik Hollnagel. 1997.

Cognitive ergonomics: it’s

all in the mind. Ergonomics

40, 10 (1997), 1170–1182

Ragosta et al. 2015. Concept Maps for Integrating ModelingTechniques for the Analysis and Re-Design of Partly-AutonomousInteractive Systems. In Proceedings of the 5th Int. Conf. on Application and Theory of Automation in Command and Control Systems (ATACCS '15), ACM, New York, NY, USA, 41-52

02/11/2017

7

Context & Environment

The issue of context

Click

Click

Click

Palanque P., Winckler M., Ladry J-F., Ter Beek M., Faconti G., Massink M. A Formal Approach Supporting the Comparative Predictive Assessment of the Interruption-Tolerance of Interactive Systems. ACM Engineering Interactive Computing Systems (2009), ACM Press, p. 211-220.

02/11/2017

8

Why do I do that? (safety and reliability)

• I am not a lucky user!

Why do I do that?


• Are you usually lucky?

02/11/2017

9

Why do I do that?



• How much can you trust your luck?

Safety improvements?

18

02/11/2017

10

Safety

impro-

vements?

19

Safety improvements (?) by designers

20

02/11/2017

11

Why do I do that?



• How much can you trust your luck?

Very recent (few months ago)

02/11/2017

12


User Experience? Usability? Reliability?

Very recent (yesterday)


02/11/2017

13



Beaudouin-Lafon, M. 2004. Designing interaction,

not interfaces. In Proceedings of the Working

Conference on Advanced Visual interfaces

(Gallipoli, Italy, May 25 - 28, 2004). AVI '04. ACM,

New York, NY, 15-22.

02/11/2017

14

27

• In one sentence: Designing Interactive Systems neither Interaction, nor Interfaces

• Principle: Usability is NOT more important than Reliability, Dependability, Security, Resilience, Safety, User eXperience, others Privacy, Trust, Accessibility, …

• Proposal: Design methods, processes and tool to design/develop interactive systems FOR these properties

28

Research Goals

02/11/2017

15

They are not Orthogonal !?• Usable & reliable then safer?

▫ Planes ▫ Command and control systems

• Usable & reliable then less safe!!▫ The less usable the more safe▫ The less reliable the more safe

• Safer for some less for others • Less Reliability less User eXperience• More Secure and more Reliable then less Usable • More Privacy then less Security• More Security less reliability (cockpits & satellites)

There is a need for a holistic view on these properties and not for a reductionist one (even though this supports progress)

29

30

Do We Need New Integrated Processes?Usability/User eXperienceengineer

Software engineer

Reliability engineer

Safety engineer

…

02/11/2017

16

31

02/11/2017

17

33

34

April 2015

02/11/2017

18

Current Situation

• Low hanging fruits already been collected

• Foundations identified many years ago

▫ Annett & Duncan HTA in 1967

▫ Petri nets C.A. Petri in 1962

• Refinement and deeper understanding over the years

• Need for long term detailed smaller refinements

• Need for methods, processes, tools to address the scale and complexity of interactive systems

• Introduction (HCI in Critical Contexts)

• Introduction to the Interactive Cockpits domain

• A Research Contribution based on Models

• Dependability for Interactive Systems/Cockpits

• Dealing with automation

• Conclusions and perspectives

Outline of the talk

36

02/11/2017

19

Aircraft Systems

Display System DataCrew

members

System

Monitor systems

Input manage

ment Display system was

not interactive

No USER INPUT related to display system

INPUT and OUTPUT are independent(Segregation, (Separation and Isolation) and

Diversity)

The Past: Input vs OutputCommand systems

Command + data

Aircraft Systems


members

System

Monitor systems

Input manage


not interactive



Diversity)


Command + data

02/11/2017

20

Aircraft Systems


members

System

Monitor systems

Input manage


not interactive



Diversity)


Command + data

DU: Display Unit

KCCU: Keyboard and Cursor Control Unit

CDS : Control and Display System

Standard ARINC 661 Specification

A380 Cockpit

02/11/2017

21

Control and

Display System (CDS)

Events

SetParametersCrew members

Actions

Monitor system

System

User Applications for Aircraft

SystemsUA

With ARINC 661 the command and display system is interactive

Execution of system mainly rely on user activity (and expect user input)

What about interaction specification, verification, usability, … ?

ARINC 661:

Input and Output Intertwined

41

ARINC 661 Principles

• Client-server

• Very similar to previous old work in HCI

▫ IBM Common User Access 1989 standard for UI, OSF/MOTIF, …

▫ X Window

Display Unit - Screen -

Window

(managed

by the CDS) Layer

(owned by one

User Application) Widget

Format

Application 1

Application 3

Application 2

Application 1

Widget

Layer

42

02/11/2017

22

ARINC 661 specification architecture

43




▫ System models

▫ Task models

▫ Integrated models




Outline of the talk

44

02/11/2017

23

Our view on models

• Models for science : the goal is the model

• Models for engineering : the goal is the system (to build)

Edward A. Lee. 2016. Fundamental Limits of Cyber-

Physical Systems Modeling. ACM Trans. Cyber-Phys.

Syst. 1, 1, Article 3 (Nov. 2016), 26 pages.

Our view on models

• Models for science : the goal is the model • Models for engineering : the goal is the system (to build)

▫ Descriptive properties for models for engineering interactive systems Describe in an integrated way data and behaviour

Describe event-based evolutions

Describe parallel/concurrent behaviours

Describe qualitative time (before, after, …)

Describe quantitative time (after 300ms do this)

▫ Analysis properties for models for engineering interactive systems Offer possibilities to reason about models

Proofs and model-checking techniques

▫ Executability properties for models for engineering interactive systems Avoid human activity between models and code

Provide means to ensure performance

02/11/2017

24

• “Formal” description techniques for the analysis, specification, design, construction, verification and validation of interactive systems

▫ Support better dependability of the system

▫ Support better usability of the system Can provide contextual help

Can support the production of training material

▫ Support diversity (compatibility of various models)

▫ Can take into account evolvability

▫ Can support safety by e.g. providing tools to prevent incident and accident from re-occurring

47

Our Research Proposal

• Coverage

▫ What is not described cannot be analyzed

▫ What is not described does not exist (for the analyst) but is still there in the real world

• Notation bias

▫ A notation is usually very good at capturing what it is very good at capturing

▫ A notation is usually very bad at capturing what it is very bad at capturing

• Need to define/identify a set of complementary notations able to capture "all" the aspects of interactive systems (organization, system & operator)

48

Constraints on our Research Proposal

02/11/2017

25

49

Overview of Interactive Cooperative Objects: a

formal description technique

• Set of cooperating classes • For each class

▫ Behavior (Petri nets)▫ Services (availability)▫ State (distribution and value of tokens)▫ Presentation

Activation (how users' actions on the input devices trigger systems methods) Rendering (how state changes are presented to the users

• Recent extensions ▫ Asynchronous multicast communication mechanism (events and sources)

supporting dynamic instantiation and management of devices and interaction techniques

▫ Quantitative temporal information (temporal window) integration of previous work in Petri nets theory

Goal of ICOs and PetShop

• The user interface requires the same dependability as the rest of the software

• Completeness (model the entire UI)▫ the complex parts must be dealt with too

▫ the more complex the UI the more likely the notation is to be not able to deal with it

• Concurrency, “infinite” number of states, temporal aspects, objects and behavior integrated, …

• Verification, validation, certification, … of the interactive software

• Bridge the edition-execution gap (Navarre D. et al. A Model-Based Tool for

Interactive Prototyping of Highly Interactive Applications. 12th IEEE, International Workshop on Rapid System Prototyping ; Monterey (USA), IEEE, 2001.)

50

50

02/11/2017

26

51

A Small Example – Double click

dud

u

DC

Idle Down

One_Click Two_Down

t

C

52

Multimodal

Interaction & ATM

Unexpected Double Clicking

02/11/2017

27

53

A Small Example

du / StartTimerd

u

DC

Idle Down

One_Click Two_Down

t

C

t

C

Adding Time

54

A Small Example

Taking Movements into account + Threshold

mD

uE

m

C,B

du / StartTimer

m

C,M

d, target=this

u

DC

Idle

mB

Down

One_Click

Moving

Two_Down

t

C

t

C

02/11/2017

28

55

A Small Example

Taking Movements into account + Threashold

mD

uE

m

C,B

du / StartTimer

m

C,M

d, target=this

u

DC

Idle

mB

Down

One_Click

Moving

Two_Down

t

C

t

C

Einstein: "Things should beas simple as possible but not more simple"

Johnny Accot, Stéphane Chatty, Philippe A. Palanque: A Formal Description of Low Level Interaction and its Application to Multimodal Interactive Systems. DSV-IS 1996, Springer: 92-104

56

Multimodal

Interaction & ATM

02/11/2017

29

57

Multimodal

Interaction & ATM

58

A Small Example

m

D

m

C,B

Idle

Down One_Click

Moving

Two_Down

uE

mB t

C

du / StartTimerd, target=this

t

C

m

C,M

u

DCCDC

CCComb_Click

Comb_Double_Click

Multimodal Part

Monomodal Part

Multimodality

02/11/2017

30

CaptainFirst Officer

02/11/2017

31

MIODMIT – ARCH view (Bass et al. 91)

61

MIODMIT - automata

02/11/2017

32

Combined Mixed Interaction Technique

63

• Integrate previous work on barrier modeling

• Dependable interactive cockpits applications▫ At behavioral level ▫ At presentation level

• Dependability throughout the interaction chain▫ Dependable CDS (input devices management, interaction

techniques, multimodality …)▫ Dependable ARINC 661 widget library▫ Dependable User Applications

• Usability aspects (and impact) of these dependable solutions in abnormal contexts (interruptions, failures, multimodality, animation & multi-touch)

• Software Testing of Interactive Systems

Future work: Models, Models Everywhere

64

02/11/2017

33

Issues of interaction technique• CHI conference touch

interaction techniques

Versus

• Reliable interaction techniques

Julian Lepinski, Tovi Grossman & George Fitzmaurice. (2010). The design and evaluation of multitouchmarking menus CHI 2010 Conference Proceedings: ACM SIGCHI Conference on Human Factors in ComputingSystems. pp. 2233-2242.

Finger Clustering Rendering

66

Hamon A., Palanque P., Silva J-L., Deleris Y., Barboni E. Formal description of multi-touchinteractions. ACM Engineering Interactive Computing Systems EICS 2013: 207-216

02/11/2017

34

67

68

02/11/2017

35

69

70

02/11/2017

36

71

Modeling multitouch interactions

72

Automation: Danger or Opportunity? - Philippe Palanque, Camille Fayollas & Célia Martinie

02/11/2017

37

Impact of environment – multitouch cockpits

Slide 73

Andy Cockburn, Carl Gutwin, Philippe Palanque, Yannick Deleris, Catherine Trask, Ashley Coveney, Marcus Yung, Karon E. MacLean. Turbulent Touch: Touchscreen Input for Cockpit Flight Displays. CHI 2017: 6742-6753


Slide 74


02/11/2017

38


Slide 75


76

An example:

the MPIA application

02/11/2017

39

The user interfaces (output)

Potential Problem (box canyon)

02/11/2017

40

79

MPIA Application• Available in several cockpits

▫ Switch between modes▫ The tilt angle: a numeric edit

box permits to select its valueinto range [-15°; 15°]

▫ Modifications are forbidden when in AUTO tilt selection mode

• Simple behavior but realistic• Tasks are simple enough too• Used in our group for

dependability and scalability studies of interactive applications

80

Behavioral description of the

application: system model

02/11/2017

41

81

PetShop and the system model

82

PetShop and the system model

02/11/2017

42

Modelling the Entire Interactive System

• User Application

• Widgets

• User inteface server

▫ Objects, widgets

▫ Applications

▫ Input and output devices

84

Formal Description of a "simple" widget: ARINC 661

PushButton p.98-101

• Informal presentation

• Formal Description of the PushButton

▫ Services and Events

▫ Behaviour

▫ Activation and Rendering functions

• Thales CDS Look & Feel (21 other ones modelled)

02/11/2017

43

85

PushButton : The Behavior

86

Global Complete View of the Server

02/11/2017

44

87

• Benefits related to modeling▫ Define entirely the behavior of components▫ Easier early specification of the application▫ Verification of expected properties (mainly related to

behavior, accessibility, reinitialisabity, liveness, ...)▫ Is compatible with previous server implementation (CDS in

a simulation environment)

• Makes validation of the application possible▫ At least one widget is available on the UI▫ All the widgets useful wrt to the current flight phase, task,

… are available▫ Come back to initial state in at most 2 interactions

• Makes behavioral verification of exstant servers possible

Benefits from the Approach

02/11/2017

45

Formal Analysis in PetShop

Formal Analysis in

PetShop

02/11/2017

46

Execution logging in PetShop

92

Examples of analysis (widgets)

• Only one widget is "Highlighted"

• Widgets receive events only if they are "highlighted"

• …

02/11/2017

47

93

Analysis Examples (User Application)

▫ Button always available (Tilt-selection button always available

▫ Place invariant (AUTO, Not_AUTO) thus switchAUTO_T1 and switchAUTO_T2 are mutually exclusive and always one is fireable (according to initial marking)

94

02/11/2017

48

More about ICOs

• Navarre et al. ICOs: a Model-Based User Interface Description Technique dedicated to Interactive Systems Addressing Usability, Reliability and Scalability. ToCHI, ACM SIGCHI, Vol. 16 N. 4, p. 1-56, 2009

• Bastide, Sy & Palanque. A formal notation and tool for the engineering of CORBA systems. Concurrency: practice and experience (Wiley) Special issue "Selected papers from ECOOP'99" Vol. 12, n° 14, pp. 1379-1403, 2000

• Bastide, et al. Formal specification of CORBA services: experience and lessons learned. ACM Conference OOPSLA'2000, Minnesota USA. ACM Press; 2000.p105-117.

• Bastide & Palanque Modelling a groupware editing tool with cooperative objects "Advance in Petri nets on Object Orientation", 2001, G. Agha & F. De Cindio (Eds.), Springer Verlag, Lecture Notes in Computer Science n° 2001

• Bastide, Palanque A Petri Net Based Environment for the Design of Event-Driven Interfaces. 16th International Conference on Application and theory of Petri Nets (ATPN'95) Torino, Italy, 20-22 June 1995, LNCS.

95

There is a need for adequate tools

96

02/11/2017

49

• Introduction (ICS group and HCI in Critical Contexts)



▫ System models

▫ Task models

▫ Integrating models




Outline of the talk

97

98

02/11/2017

50

99

100

02/11/2017

51

101

Goals of HAMSTERS• Remain similar to the main task modeling tools

▫ Factorization of operators ▫ Handle low-level tasks (related to interaction techniques)

• Extends expressive power of existing tools▫ Handle object information (preconditions, processing, …) (ECCE 2013)▫ Support structuring (INTERACT 2011)▫ Support reuse and components (HCSE 2014)

• Make it possible to ▫ Connect to a system model (TAMODIA 2007/AMBOSS)▫ Co-execution of models (EICS 2010)▫ Co-execution of tasks with an interactive application (EICS 2015)▫ Support performance evaluation (EICS 2009)▫ Formally check the compatibility of tasks and system models (EHCI 1995,

IwC 1997)▫ Support training (EICS 2011)

Task models:

HAMSTERS

- Decomposition of a user’s goal

- Hierarchical

- Temporally ordered

02/11/2017

52

Martinie, Palanque et al. 2013. Extending Procedural Task Models by Explicit and Systematic Integration of Objects, Knowledge and Information. In European Conference on Cognitive Ergonomics 2013 (ECCE). . ACM, ECCE '13, 23, 1-10.


104

02/11/2017

53




▫ System models

▫ Task models

▫ Integrating models




Outline of the talk

105

• Strong integration (co-execution of models)

• One single platform (PetShop with HAMSTERS inside)

• Two modes

▫ Task driven (performing a task makes the system evolve)

▫ System driven (acting on the system changes the current task in the task model)

106

Integration Principles

02/11/2017

54

107

108

Conclusions on the example

• 4 views of the same real world▫ System (including interaction and interface)

▫ Tasks (of each operator and of the cooperating operators)

▫ Training and User Manual (e.g. Elect. Flight Bag and FCOM)

• Support for task-based construction and testing

• Not presented▫ Construction of training program, assessment of trainee and online

contextual help (EICS 2011)

▫ Dealing with errors and failures (human and systems)

▫ Dealing with “user over the loop” issues (automation)

▫ Configurations switching following failures

02/11/2017

55

Integration

within ADDIE

ANALYSIS

DESIGN

DEVELOPMENTIMPLEMENTATION

Task inventory

Task selection

Performance measure

Existing courses analysis

Settings selection

Objective settings

Tests settings

Entry behaviour assessment

Sequence setting

Structure setting

Learning events specification

Training management plan

& delivery system specification

Material selection

Training development

Training validation

Training execution

Training plan implementation

EVALUATION

Internal evaluation

External evaluation

Revision

INSTANCE OF THE

TRAINING

PROGRAM

T

T

TS

TS

TS

TS

S

TS

S Contribution from system modeling activity

Contribution from task modeling activityT

TS

TS

109

Martinie, Palanque et al. Model-Based Training: An Approach Supporting Operability of Critical Interactive Systems: Application to Satellite Ground Segments. ACM Engineering Interactive Computing Systems 2011 (EICS).


110

02/11/2017

56

• Introduction (ICS group and HCI in Critical Contexts)




▫ Zero default

▫ N-version programming

▫ Self-checking widgets

▫ Impact of hardware/software architecture on usability



Outline of the talk

111

• “The dependability of a system is the ability to avoid service failures

that are more frequent and more severe than is acceptable” Avizienis A.,

Laprie J-C., Randell B., Landwehr C: Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE (2004)

• Failure Condition Severity DO 178C and Probability Objectives

Dependability

FailureCondition Severity

Probability Objective

Probability descriptive

Catastrophic <10-9 Extremely Improbable

Hazardous <10-7 (very) Improbable

Major <10-5 Improbable

Minor <10-3 Reasonably probable

Redundancy is required to provide design protection from catastrophic failure conditions (ARP 4761) safety civil airborne systems

112

02/11/2017

57

• Software side of it ▫ If the systems exhibit zero default then the interactive cockpit is dependable ▫ Formal description techniques (complete and unambiguous specification)▫ No gap between code and implementation ▫ Models can be used to support exhaustive testing

• Hardware side of it▫ Hardware failures still possible (KCCU is a single point of failure)▫ Network failure/bugs

• Environment side of it ▫ Bit flips (altitude), memory errors, memory leaking (flight time 18 hours) …

• Human side of it ▫ ~80% of accidents are attributed to human error (2006 study on all accidents in the US)▫ Increase dependability level should not have a negative impact on usability of

interactive system▫ New mechanisms and methods to make cockpits dependable without increasing task

difficulty for crew

Several Views on the Problem

113

Overall Solution

• Relying on three steps:▫ A Formal Specification

ICOs: Interactive Cooperative Objects

▫ A Fault-Tolerant Software Architecture

Self-Checking architecture

▫ Space and Time Partitioning Architecture

Mapping upon an ARINC 653 OS

114

A FAULT-TOLERANT SOFTWARE ARCHITECTURE AND ITS FORMAL SPECIFICATION FOR

EMBEDDED, REAL-TIME INTERACTIVE SYSTEMS – ERTS² 2014 –TOULOUSE, FRANCE

Operational natural faults

Development software faults

Fault confinement

Common mode

Fayollas, Martinie, Palanque et al.. An approach for assessing the impact of dependability on usability: application to interactive cockpits Levels, Tenth European Dependable Computing Conference - EDCC 2014

02/11/2017

58

SIP_setEnable

SOP_setEnable

SIP_setVisible

SOP_setVisible

SIP_setStyleSet

SOP_setStyleSet

SIP_setLabelString

SOP_setLabelString

SIP_processMouseClicked

SOP_processMouseClicked

SIP_processMouseDown

SOP_processMouseDown

SIP_processMouseReleased

SOP_processMouseReleased

1 Enabled

NotEnabled NotVisible

1Visible

1 StyleSet

1 MaxStringLength

1LabelString

ButtonPressed

1ButtonReleased

ClickToFunctionalWidget

ClickToController

TriggerPossibleController

Trigger_OK

TriggerPossibleFunctional

Error_TF

SelectionNotPossibleController

selectionNotpossibleFuntionnal

Error_SC

Error_SF

SelectionNotPossible_OK

WaitTriggerOK

Error_TC

1 Enabled 1Visible

processMouseReleased

<_i,test0,test1>

<_i>

setStyleSet

<_i,A661_STYLE_SET> <old>

<_i><A661_STYLE_SET>

ConditionForTriggerFunctional

<_i,x,y>

<_i>

<_i,x,y>

<_i,x,y>

SetString_3

A661_STRING.length()>1 && A661_STRING.length()<=Length

<A661_STRING2>

<_i,A661_STRING>

<A661_STRING>

<_i>

<Length>

SetString_1

A661_STRING.length()<1

<_i,A661_STRING>

SetString_2

A661_STRING.length()>Length

<_i,A661_STRING> <Length>

AlreadyVisible

A661_VISIBLE==true

<_i,A661_VISIBLE>

<_i>AlreadyEnabled

A661_ENABLE==true

<_i,A661_ENABLE>

<_i>

AlreadyNotEnable

A661_ENABLE==false<_i,A661_ENABLE>

<_i>

AlreadyNotVisible

A661_VISIBLE==false<_i,A661_VISIBLE>

<_i>

SelectionNotPossibleFunctional

<_i,x,y>

<_i,x,y>

mouseDown1

<_i,x,y>

<_i>

setVisible

A661_VISIBLE==true

<_i,A661_VISIBLE>

<_i>

setNotVisible

A661_VISIBLE==false

<_i,A661_VISIBLE>

<_i>

setEnabled

A661_ENABLE==true

<_i,A661_ENABLE>

<_i>

setNotEnabled

A661_ENABLE==false

<_i,A661_ENABLE>

<_i>

DuplicateClickEvent

<_i,x,y> <_i,x,y>

<_i,x,y>

ConditionForTriggerController

<_i,x,y>

<_i,x,y>

CheckTriggerOK

<_i,x,y>

<_i,x,y>

<_i,x,y>

Error_TriggerOnlyonFunctional

<_i,x,y><_i,x,y>

Error_TriggerOnlyonController

<_i,x,y>

<_i,x,y>

SelectionNotpossibleController

<_i,x,y>

<_i,x,y>

CheckSelectionNotpossibleOK

<_i,x,y>

<_i,x,y>

<_i,x,y>

Error_selectionOnlyonController<_i,x,y>

<_i,x,y>

Error_selectiobOnlyonFuntional<_i,x,y>

<_i,x,y>

mouseDown2

<_i,x,y>

<_i>

mouseDown3

<_i,x,y>

<_i>

TriggerEvent{

trigger("A661_EVT_SELECTION", new java.util.EventObject(self));

}

<_i,x,y>

<_i,x,y>

Error_Trigger{

trigger("A661_EVT_ERROR", new java.util.EventObject(self));

}

<_i,x,y>

<_i,x,y>

<_i,x,y>

CONTROLLER Part

FUNCTIONAL Part

INPUTS Event

Styleset LabelString

VisibleEnable

Control_Trigger

13

4

2

1'

115

Overall Solution• Relying on three steps:

▫ A Formal Specification

ICOs: Interactive Cooperative Objects

▫ A Fault-Tolerant Software Architecture

Self-Checking architecture

▫ Space and Time Partitioning Architecture

Mapping upon an ARINC 653 OS

116

A FAULT-TOLERANT SOFTWARE ARCHITECTURE AND ITS FORMAL SPECIFICATION FOR

EMBEDDED, REAL-TIME INTERACTIVE SYSTEMS – ERTS² 2014 –TOULOUSE, FRANCE

Operational natural faults

Development software faults

Fault confinement

Common mode

02/11/2017

59


• Examples from the Interactive Cockpits domain



▫ Zero default

▫ N-version programming

▫ Self-checking widgets

▫ Impact of hardware/software architecture on usability

• Similarities with other domains (Space, ATM &

Entertainment)


Outline of the talk

Summary : without system error

118

Fayollas, Martinie, Palanque et al.. An approach for assessing the impact of dependability on usability: application to interactive cockpits Levels, Tenth European Dependable Computing Conference - EDCC 2014

02/11/2017

60







Outline of the talk

119


• Examples from the Interactive Cockpits domain



• Similarities with other domains (Space, ATM &

Entertainment)


Outline of the talk

120

02/11/2017

61

• Dependability and usability are intrinsically related, but often studied independently in the literature (and at conferences)

• Increase dependability level can have a huge (possibly negative) impact on usability of interactive system

• Necessity to design new mechanisms or methods which can make critical interactive system reliable assessing

▫ Impact on usability

▫ Impact on training (learnability is key)

▫ Impact on performance

▫ Potential for automation (impact of degradation)

HCI In Critical Contexts

121

Thoughts for the future

• Construction▫ Adequate tools▫ Adequate machines▫ Adequate factories

• Product characteristics▫ Properties / qualities▫ Handling and managing conflicts/trade-offs rationally and systematically▫ Supporting certification activities of interactive systems

• Understanding and handling the borders▫ Formal and informal ▫ Hardware / software / OS▫ Critical systems / mass market▫ Work environment / entertainment-social

122

02/11/2017

62

Thoughts for the future

• Construction▫ Adequate tools▫ Adequate machines▫ Adequate factories

• Product characteristics▫ Properties / qualities▫ Handling and managing conflicts/trade-offs rationally and systematically▫ Supporting certification activities of interactive systems

• Understanding and handling the borders▫ Formal and informal ▫ Hardware / software / OS▫ Critical systems / mass market▫ Work environment / entertainment-social

123

Long Term Research Objectives

Slide 124

SAFEUSABLERELIABLEDEPENDABLECONFORMANT TO STANDARDS

UNSAFEHAZARDOUSDANGEROUSUNRELIABLEFRIGHTENING

02/11/2017

63

Thank you very much …

for the invitation

for your attention

Acknowledgements

The work presented is partly funded by:

CNES R&T projects TORTUGA & ALDABRA

Airbus contract UPS/ CNRS/AIRBUS PBO D08028747- 788/2008 & IKKY

dependability projet

EUROCONTROL HALA! (Higher Automation Level in Aviation research

network)

ESA Integrated Failure Analysis project

Thanks to my colleagues: Yannick Deleris & Christine Gris (Airbus), Jean-

Charles Fabre (LAAS) and David Navarre, Célia Martinie, Eric Barboni (ICS-

IRIT) & all the PhD students that have been working on these projects

models for the engineering of interactive...

Documents