TRANSCRIPT
02/11/2017
Models for the Engineering of Interactive Systems
Philippe Palanque
Interactive Critical Systems research group
http://www.irit.fr/ICS/palanque - [email protected]
October 31st, 2017
Past-Current Research Projects
• Air Traffic Management (enroute ATC workstations) 1995-2001 & 2010-2016: HALA! Network of Excellence & SPAD (System Performance under Automation Degradation)
▫ Dynamic instantiation of widgets, post-WIMP interfaces
▫ Time constraint: about 3 min (speed vector)
▫ Automation and automation degradation
• Drones (UAVs) 2001-2003 & military aviation 2003-2006: management of fleets of aircraft, authority sharing, cooperation and collaboration problems
▫ Multimodal systems for military cockpits (evolutions of the RAFALE fighter)
▫ Specification of multimodal fusion engines, “real time” (20 ms)
• Space domain: R&T IMAGES (2004-2006), R&T TORTUGA (2008-2011), R&T ALDABRA (2011-2012), R&T MARACCAS (2012-2014), IFA-ESA (2012-2015); time constraints about 3-4 days
▫ Specification of satellite ground segments with multimodal interfaces
▫ Target application: AGENDA & spacecraft collision avoidance system
▫ Integrated Failure Analysis – ECSS Handbook on Human Reliability
• Civil aviation 2004-2006 & 2009-2016 & 2015-2019 (Airbus – dependable interactive cockpits) & 2015-2018 (MMI Airbus Helicopter Marseille & Bertin Technologies): interactive cockpits (ARINC 661 standard) & touch interaction in the cockpit
▫ Specification of all the embedded elements (widgets, UA, UI server)
▫ Specification of system architectures for dependable interactive systems (fault tolerance)
▫ Time constraint: high variability (from seconds to tens of minutes)
Basic Principles of HCI
• Human Computer Interaction: usability of computing systems (effectiveness, efficiency, satisfaction) and UX (aesthetics, meaning and value, emotions, social connectedness, identification, stimulation)
▫ Basic principle: user centered design (UCD)
▫ Process: iterative design/development
• Initial approach in computer science: we design/develop the system FOR reliability and THEN usability is evaluated (meaning: not usable, but too late to change)
• HCI domain contribution: we design/develop the system FOR usability and THEN we do our best for reliability (meaning: not reliable, but try to have not too many crashes and recurring patches)
Philosophy
• Human on one side and the system on the other side
• Human-System integration does not exist
• Human-System integration takes place through another complex system
▫ Hardware
▫ Software
▫ Interaction
MIODMIT
Martin Cronel. 2017. An Approach for the engineering of Multimodal and Multi-user Engineering of Interactive Systems. PhD thesis, University of Toulouse, October 2017 (in French).
Why should I (we) care?
Erik Hollnagel. 1997. Cognitive ergonomics: it’s all in the mind. Ergonomics 40, 10 (1997), 1170–1182.
Ragosta et al. 2015. Concept Maps for Integrating Modeling Techniques for the Analysis and Re-Design of Partly-Autonomous Interactive Systems. In Proceedings of the 5th Int. Conf. on Application and Theory of Automation in Command and Control Systems (ATACCS '15), ACM, New York, NY, USA, 41-52.
Context & Environment
The issue of context
Palanque P., Winckler M., Ladry J-F., Ter Beek M., Faconti G., Massink M. A Formal Approach Supporting the Comparative Predictive Assessment of the Interruption-Tolerance of Interactive Systems. ACM Engineering Interactive Computing Systems (2009), ACM Press, p. 211-220.
Why do I do that? (safety and reliability)
• I am not a lucky user!
• Are you usually lucky?
• How much can you trust your luck?
Safety improvements?
Safety improvements (?) by designers
Very recent (few months ago)
User Experience? Usability? Reliability?
Very recent (yesterday)
User Experience? Usability? Reliability?
Beaudouin-Lafon, M. 2004. Designing interaction, not interfaces. In Proceedings of the Working Conference on Advanced Visual Interfaces (Gallipoli, Italy, May 25-28, 2004). AVI '04. ACM, New York, NY, 15-22.
Research Goals
• In one sentence: designing Interactive Systems, neither Interaction nor Interfaces
• Principle: Usability is NOT more important than Reliability, Dependability, Security, Resilience, Safety, User eXperience, and others (Privacy, Trust, Accessibility, …)
• Proposal: design methods, processes and tools to design/develop interactive systems FOR these properties
They are not Orthogonal!?
• Usable & reliable, then safer?
▫ Planes
▫ Command and control systems
• Usable & reliable, then less safe!!
▫ The less usable, the more safe
▫ The less reliable, the more safe
• Safer for some, less for others
• Less reliability, less User eXperience
• More secure and more reliable, then less usable
• More privacy, then less security
• More security, less reliability (cockpits & satellites)
There is a need for a holistic view on these properties and not for a reductionist one (even though this supports progress)
Do We Need New Integrated Processes?
• Usability/User eXperience engineer
• Software engineer
• Reliability engineer
• Safety engineer
• …
April 2015
Current Situation
• Low hanging fruits have already been collected
• Foundations identified many years ago
▫ Annett & Duncan: HTA in 1967
▫ Petri nets: C.A. Petri in 1962
• Refinement and deeper understanding over the years
• Need for long term detailed smaller refinements
• Need for methods, processes, tools to address the scale and complexity of interactive systems
Outline of the talk
• Introduction (HCI in Critical Contexts)
• Introduction to the Interactive Cockpits domain
• A Research Contribution based on Models
• Dependability for Interactive Systems/Cockpits
• Dealing with automation
• Conclusions and perspectives
The Past: Input vs Output
[Figure: crew members monitor the aircraft systems through the display system (data) and act on them through the command systems (command + data); input management and the display system are separate paths]
• Display system was not interactive
• No USER INPUT related to display system
• INPUT and OUTPUT are independent (Segregation (Separation and Isolation) and Diversity)
A380 Cockpit
• DU: Display Unit
• KCCU: Keyboard and Cursor Control Unit
• CDS: Control and Display System
• Standard ARINC 661 Specification
ARINC 661: Input and Output Intertwined
[Figure: crew members act on the Control and Display System (CDS), which exchanges events and SetParameters with the User Applications (UA) of the aircraft systems; crew members monitor the system]
• With ARINC 661 the Control and Display System is interactive
• Execution of the system mainly relies on user activity (and expects user input)
• What about interaction specification, verification, usability, …?
ARINC 661 Principles
• Client-server
• Very similar to previous old work in HCI
▫ IBM Common User Access 1989 standard for UI, OSF/MOTIF, …
▫ X Window
ARINC 661 specification architecture
[Figure: the Display Unit (screen) holds Windows managed by the CDS; each Window holds Layers, each owned by one User Application; each Layer holds Widgets; the format shows Applications 1, 2 and 3 sharing the display]
Outline of the talk
• Introduction (HCI in Critical Contexts)
• Introduction to the Interactive Cockpits domain
• A Research Contribution based on Models
▫ System models
▫ Task models
▫ Integrated models
• Dependability for Interactive Systems/Cockpits
• Dealing with automation
• Conclusions and perspectives
Our view on models
• Models for science: the goal is the model
• Models for engineering: the goal is the system (to build)
Edward A. Lee. 2016. Fundamental Limits of Cyber-Physical Systems Modeling. ACM Trans. Cyber-Phys. Syst. 1, 1, Article 3 (Nov. 2016), 26 pages.
▫ Descriptive properties for models for engineering interactive systems
- Describe in an integrated way data and behaviour
- Describe event-based evolutions
- Describe parallel/concurrent behaviours
- Describe qualitative time (before, after, …)
- Describe quantitative time (after 300 ms do this)
▫ Analysis properties for models for engineering interactive systems
- Offer possibilities to reason about models
- Proofs and model-checking techniques
▫ Executability properties for models for engineering interactive systems
- Avoid human activity between models and code
- Provide means to ensure performance
Our Research Proposal
• “Formal” description techniques for the analysis, specification, design, construction, verification and validation of interactive systems
▫ Support better dependability of the system
▫ Support better usability of the system
- Can provide contextual help
- Can support the production of training material
▫ Support diversity (compatibility of various models)
▫ Can take into account evolvability
▫ Can support safety by e.g. providing tools to prevent incidents and accidents from re-occurring
Constraints on our Research Proposal
• Coverage
▫ What is not described cannot be analyzed
▫ What is not described does not exist (for the analyst) but is still there in the real world
• Notation bias
▫ A notation is usually very good at capturing what it is very good at capturing
▫ A notation is usually very bad at capturing what it is very bad at capturing
• Need to define/identify a set of complementary notations able to capture "all" the aspects of interactive systems (organization, system & operator)
Overview of Interactive Cooperative Objects: a formal description technique
• Set of cooperating classes
• For each class
▫ Behavior (Petri nets)
▫ Services (availability)
▫ State (distribution and value of tokens)
▫ Presentation
- Activation (how users' actions on the input devices trigger system methods)
- Rendering (how state changes are presented to the users)
• Recent extensions
▫ Asynchronous multicast communication mechanism (events and sources) supporting dynamic instantiation and management of devices and interaction techniques
▫ Quantitative temporal information (temporal window): integration of previous work in Petri nets theory
Goal of ICOs and PetShop
• The user interface requires the same dependability as the rest of the software
• Completeness (model the entire UI)
▫ the complex parts must be dealt with too
▫ the more complex the UI, the more likely the notation is not able to deal with it
• Concurrency, “infinite” number of states, temporal aspects, objects and behavior integrated, …
• Verification, validation, certification, … of the interactive software
• Bridge the edition-execution gap (Navarre D. et al. A Model-Based Tool for Interactive Prototyping of Highly Interactive Applications. 12th IEEE International Workshop on Rapid System Prototyping, Monterey (USA), IEEE, 2001.)
A Small Example – Double click
[Figure: Petri net with places Idle, Down, One_Click and Two_Down and transitions labelled d, u, t, C and DC]
Multimodal Interaction & ATM: Unexpected Double Clicking
A Small Example – Adding Time
[Figure: the same net, extended with a StartTimer action on the Down to One_Click transition (“du / StartTimer”) and two timed transitions t, each producing C]
A Small Example – Taking Movements into account + Threshold
[Figure: the net extended with a Moving place and the transitions mB, mD, uE, mC,B, mC,M and “d, target=this”, next to “du / StartTimer”, t and C]
Einstein: "Things should be as simple as possible but not more simple"
Johnny Accot, Stéphane Chatty, Philippe A. Palanque. A Formal Description of Low Level Interaction and its Application to Multimodal Interactive Systems. DSV-IS 1996, Springer: 92-104.
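The double-click net of the three slides above, executed by a small high-level Petri net interpreter: an added example written for this transcript, not PetShop or ICO code. The meaning of the transition labels (d/u/m as mouse down/up/move, t as timer expiry, C/DC as click/double click, B/D/E as drag begin/drag/drag end), the THRESHOLD value and the token contents are assumptions taken from reading the figure.

```python
# Added example for this transcript: a tiny interpreter for a one-token
# high-level Petri net, running the double-click net of the slides.
# Not PetShop/ICO code. Assumed reading of the labels: d/u/m = mouse
# down/up/move, t = timer expiry (delivered by an external timer),
# C/DC = click/double click, B/D/E = drag begin/drag/drag end.
from dataclasses import dataclass, field
from math import hypot
from typing import Callable, Dict, List, Tuple

Pos = Tuple[int, int]
THRESHOLD = 5  # px of movement tolerated before a press becomes a drag (assumed)


def near(tok: Pos, pos: Pos) -> bool:
    """Guard: the pointer stayed within THRESHOLD of the last mouse-down."""
    return hypot(pos[0] - tok[0], pos[1] - tok[1]) <= THRESHOLD


def far(tok: Pos, pos: Pos) -> bool:
    return not near(tok, pos)


@dataclass
class Transition:
    name: str
    event: str                      # input event that may fire it: d, u, m or t
    src: str                        # single input place
    dst: str                        # single output place
    guard: Callable[[Pos, Pos], bool] = lambda tok, pos: True
    emit: List[str] = field(default_factory=list)  # rendering / user-level events
    keep_token: bool = False        # carry the mouse-down position over to dst


class ICONet:
    """One-token high-level Petri net: the token carries the last mouse-down."""

    def __init__(self, transitions: List[Transition], initial: str = "Idle"):
        self.transitions = transitions
        self.marking: Dict[str, List[Pos]] = {initial: [(0, 0)]}

    def enabled(self, event: str, pos: Pos) -> List[Transition]:
        """Transitions whose input place is marked and whose guard holds
        (the 'availability of services' of the ICO description)."""
        return [t for t in self.transitions
                if t.event == event and self.marking.get(t.src)
                and t.guard(self.marking[t.src][0], pos)]

    def fire(self, event: str, pos: Pos = (0, 0)) -> List[str]:
        """Fire the enabled transition; an event with none is simply ignored."""
        cands = self.enabled(event, pos)
        if not cands:
            return []
        if len(cands) > 1:  # a modelling error: the net would be non-deterministic
            raise RuntimeError("conflict: " + ", ".join(t.name for t in cands))
        t = cands[0]
        tok = self.marking[t.src].pop(0)
        self.marking.setdefault(t.dst, []).append(tok if t.keep_token else pos)
        return list(t.emit)

    def place(self) -> str:
        """Name of the single marked place (the current state)."""
        return next(p for p, toks in self.marking.items() if toks)


DOUBLE_CLICK = [
    Transition("d", "d", "Idle", "Down"),                         # d, target=this
    Transition("du/StartTimer", "u", "Down", "One_Click", keep_token=True),
    Transition("t", "t", "One_Click", "Idle", emit=["C"]),        # timeout: single click
    Transition("d2", "d", "One_Click", "Two_Down", keep_token=True),
    Transition("DC", "u", "Two_Down", "Idle", emit=["DC"]),       # second release
    Transition("mB", "m", "Down", "Down", guard=near, keep_token=True),
    Transition("mBegin", "m", "Down", "Moving", guard=far, emit=["B"], keep_token=True),
    Transition("mD", "m", "Moving", "Moving", emit=["D"], keep_token=True),
    Transition("uE", "u", "Moving", "Idle", emit=["E"]),
    Transition("mWait", "m", "One_Click", "One_Click", guard=near, keep_token=True),
    Transition("mC", "m", "One_Click", "Idle", guard=far, emit=["C"]),
    Transition("mWait2", "m", "Two_Down", "Two_Down", guard=near, keep_token=True),
    Transition("mC,B", "m", "Two_Down", "Moving", guard=far, emit=["C", "B"], keep_token=True),
]


def recognise(events: List[Tuple[str, Pos]]) -> List[str]:
    """Feed (event, position) pairs to a fresh net; return the emitted events."""
    net = ICONet(DOUBLE_CLICK)
    out: List[str] = []
    for ev, pos in events:
        out += net.fire(ev, pos)
    return out
```

Feeding the constructed sequence press, release, press, release at almost the same spot yields a single DC, whereas a release followed by timer expiry yields C.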
Multimodal Interaction & ATM
A Small Example – Multimodality
[Figure: the monomodal part (places Idle, Down, One_Click, Moving, Two_Down with the transitions above) is composed with a multimodal part adding the places Comb_Click and Comb_Double_Click, fed by the C and DC transitions]
Captain / First Officer
MIODMIT – ARCH view (Bass et al. 91)
MIODMIT – automata
Combined Mixed Interaction Technique
Future work: Models, Models Everywhere
• Integrate previous work on barrier modeling
• Dependable interactive cockpit applications
▫ At behavioral level
▫ At presentation level
• Dependability throughout the interaction chain
▫ Dependable CDS (input devices management, interaction techniques, multimodality …)
▫ Dependable ARINC 661 widget library
▫ Dependable User Applications
• Usability aspects (and impact) of these dependable solutions in abnormal contexts (interruptions, failures, multimodality, animation & multi-touch)
• Software Testing of Interactive Systems
Issues of interaction technique
• CHI conference touch interaction techniques
Versus
• Reliable interaction techniques
Julian Lepinski, Tovi Grossman & George Fitzmaurice. (2010). The design and evaluation of multitouch marking menus. CHI 2010 Conference Proceedings: ACM SIGCHI Conference on Human Factors in Computing Systems. pp. 2233-2242.
Finger Clustering Rendering
Hamon A., Palanque P., Silva J-L., Deleris Y., Barboni E. Formal description of multi-touch interactions. ACM Engineering Interactive Computing Systems EICS 2013: 207-216.
Modeling multitouch interactions
Automation: Danger or Opportunity? - Philippe Palanque, Camille Fayollas & Célia Martinie
Impact of environment – multitouch cockpits
Andy Cockburn, Carl Gutwin, Philippe Palanque, Yannick Deleris, Catherine Trask, Ashley Coveney, Marcus Yung, Karon E. MacLean. Turbulent Touch: Touchscreen Input for Cockpit Flight Displays. CHI 2017: 6742-6753.
An example: the MPIA application
The user interfaces (output)
Potential Problem (box canyon)
MPIA Application
• Available in several cockpits
▫ Switch between modes
▫ The tilt angle: a numeric edit box permits selecting its value in the range [-15°; 15°]
▫ Modifications are forbidden when in AUTO tilt selection mode
• Simple behavior but realistic
• Tasks are simple enough too
• Used in our group for dependability and scalability studies of interactive applications
Behavioral description of the application: system model
PetShop and the system model
Modelling the Entire Interactive System
• User Application
• Widgets
• User interface server
▫ Objects, widgets
▫ Applications
▫ Input and output devices
Formal Description of a "simple" widget: ARINC 661 PushButton (p. 98-101)
• Informal presentation
• Formal Description of the PushButton
▫ Services and Events
▫ Behaviour
▫ Activation and Rendering functions
• Thales CDS Look & Feel (21 other ones modelled)
PushButton: The Behavior
Global Complete View of the Server
Benefits from the Approach
• Benefits related to modeling
▫ Define entirely the behavior of components
▫ Easier early specification of the application
▫ Verification of expected properties (mainly related to behavior, accessibility, reinitialisability, liveness, ...)
▫ Compatible with the previous server implementation (CDS in a simulation environment)
• Makes validation of the application possible
▫ At least one widget is available on the UI
▫ All the widgets useful with respect to the current flight phase, task, … are available
▫ Come back to the initial state in at most 2 interactions
• Makes behavioral verification of existing servers possible
Formal Analysis in PetShop
Execution logging in PetShop
Examples of analysis (widgets)
• Only one widget is "Highlighted"
• Widgets receive events only if they are "highlighted"
• …
Analysis Examples (User Application)
▫ Button always available (Tilt-selection button always available)
▫ Place invariant (AUTO, Not_AUTO), thus switchAUTO_T1 and switchAUTO_T2 are mutually exclusive and one of them is always fireable (according to the initial marking)
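The analysis examples above, as an added example that is not PetShop code: a breadth-first reachability analysis of a small place/transition net, checking the AUTO/Not_AUTO place invariant, the exclusivity of the switchAUTO transitions, reinitialisability, and the MPIA rule that modifications are forbidden in AUTO mode. The MPIA net itself (places AUTO, Not_AUTO, Idle, Editing and its transitions) is an assumed model, written in two variants so that the analysis shows a counter-example trace on the naive one.

```python
# Added example for this transcript: explicit state-space analysis of a small
# Petri net, checking the properties listed on the slide (place invariant
# AUTO/Not_AUTO, exclusivity of the switchAUTO transitions, reinitialisability).
# Not PetShop code; the MPIA tilt-selection net below is my own assumed model.
from collections import deque
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

Marking = FrozenSet[Tuple[str, int]]          # immutable {(place, tokens)}
Net = Dict[str, Tuple[Dict[str, int], Dict[str, int]]]  # name -> (pre, post)

def marking(d: Dict[str, int]) -> Marking:
    return frozenset((p, n) for p, n in d.items() if n > 0)

def tokens(m: Marking, place: str) -> int:
    return dict(m).get(place, 0)

def enabled(net: Net, m: Marking) -> List[str]:
    """Transitions whose pre-set is covered by the marking."""
    return [t for t, (pre, _) in net.items()
            if all(tokens(m, p) >= n for p, n in pre.items())]

def fire(net: Net, m: Marking, t: str) -> Marking:
    pre, post = net[t]
    d = dict(m)
    for p, n in pre.items():
        d[p] = d.get(p, 0) - n
    for p, n in post.items():
        d[p] = d.get(p, 0) + n
    return marking(d)

def reachable(net: Net, m0: Marking, bound: int = 10_000) -> Dict[Marking, List[str]]:
    """Breadth-first state space; each marking maps to a shortest firing sequence."""
    seen: Dict[Marking, List[str]] = {m0: []}
    queue = deque([m0])
    while queue:
        m = queue.popleft()
        for t in enabled(net, m):
            m2 = fire(net, m, t)
            if m2 not in seen:
                if len(seen) >= bound:   # unbounded net or too large to enumerate
                    raise RuntimeError("state-space bound exceeded")
                seen[m2] = seen[m] + [t]
                queue.append(m2)
    return seen

def check(net: Net, m0: Marking, prop: Callable[[Net, Marking], bool]) -> Optional[List[str]]:
    """None if prop holds in every reachable marking, else a shortest counter-example."""
    for m, trace in reachable(net, m0).items():
        if not prop(net, m):
            return trace
    return None

def reinitialisable(net: Net, m0: Marking) -> bool:
    """The initial marking can be reached again from every reachable marking."""
    return all(m0 in reachable(net, m) for m in reachable(net, m0))

# Assumed model of the MPIA tilt selection: places AUTO / Not_AUTO (mode) and
# Idle / Editing (the numeric edit box of the tilt angle).
def mpia_net(abort_edit_on_switch: bool) -> Net:
    net: Net = {
        "switchAUTO_T1": ({"AUTO": 1}, {"Not_AUTO": 1}),
        "openTiltEdit": ({"Not_AUTO": 1, "Idle": 1}, {"Not_AUTO": 1, "Editing": 1}),
        "validateTilt": ({"Editing": 1}, {"Idle": 1}),
        "cancelTilt": ({"Editing": 1}, {"Idle": 1}),
    }
    if abort_edit_on_switch:
        net["switchAUTO_T2"] = ({"Not_AUTO": 1, "Idle": 1}, {"AUTO": 1, "Idle": 1})
        net["switchAUTO_T2_abortEdit"] = ({"Not_AUTO": 1, "Editing": 1}, {"AUTO": 1, "Idle": 1})
    else:  # naive version: switching to AUTO ignores an open edit box
        net["switchAUTO_T2"] = ({"Not_AUTO": 1}, {"AUTO": 1})
    return net

M0 = marking({"AUTO": 1, "Idle": 1})

def auto_invariant(net: Net, m: Marking) -> bool:
    """Place invariant AUTO + Not_AUTO = 1: the two modes are mutually exclusive."""
    return tokens(m, "AUTO") + tokens(m, "Not_AUTO") == 1

def one_switch_fireable(net: Net, m: Marking) -> bool:
    """Exactly one switchAUTO transition is fireable in every reachable state."""
    return sum(t.startswith("switchAUTO") for t in enabled(net, m)) == 1

def no_edit_in_auto(net: Net, m: Marking) -> bool:
    """Modifications are forbidden in AUTO mode: no open edit box while AUTO holds."""
    return not (tokens(m, "AUTO") and tokens(m, "Editing"))

if __name__ == "__main__":
    print(check(mpia_net(False), M0, no_edit_in_auto))  # counter-example trace
    print(check(mpia_net(True), M0, no_edit_in_auto))   # None: property holds
```

On the naive net the analysis returns the trace switchAUTO_T1, openTiltEdit, switchAUTO_T2 as a witness that the edit box can stay open in AUTO mode; the variant that aborts the edit on switching satisfies all four properties.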
More about ICOs
• Navarre et al. ICOs: a Model-Based User Interface Description Technique dedicated to Interactive Systems Addressing Usability, Reliability and Scalability. ToCHI, ACM SIGCHI, Vol. 16 N. 4, p. 1-56, 2009.
• Bastide, Sy & Palanque. A formal notation and tool for the engineering of CORBA systems. Concurrency: Practice and Experience (Wiley), Special issue "Selected papers from ECOOP'99", Vol. 12, n° 14, pp. 1379-1403, 2000.
• Bastide et al. Formal specification of CORBA services: experience and lessons learned. ACM Conference OOPSLA'2000, Minnesota, USA. ACM Press, 2000, p. 105-117.
• Bastide & Palanque. Modelling a groupware editing tool with cooperative objects. "Advances in Petri Nets on Object Orientation", 2001, G. Agha & F. De Cindio (Eds.), Springer Verlag, Lecture Notes in Computer Science n° 2001.
• Bastide & Palanque. A Petri Net Based Environment for the Design of Event-Driven Interfaces. 16th International Conference on Application and Theory of Petri Nets (ATPN'95), Torino, Italy, 20-22 June 1995, LNCS.
There is a need for adequate tools
Outline of the talk
• Introduction (ICS group and HCI in Critical Contexts)
• Introduction to the Interactive Cockpits domain
• A Research Contribution based on Models
▫ System models
▫ Task models
▫ Integrating models
• Dependability for Interactive Systems/Cockpits
• Dealing with automation
• Conclusions and perspectives
Task models: HAMSTERS
- Decomposition of a user’s goal
- Hierarchical
- Temporally ordered
Goals of HAMSTERS
• Remain similar to the main task modeling tools
▫ Factorization of operators
▫ Handle low-level tasks (related to interaction techniques)
• Extend the expressive power of existing tools
▫ Handle object information (preconditions, processing, …) (ECCE 2013)
▫ Support structuring (INTERACT 2011)
▫ Support reuse and components (HCSE 2014)
• Make it possible to
▫ Connect to a system model (TAMODIA 2007/AMBOSS)
▫ Co-execute models (EICS 2010)
▫ Co-execute tasks with an interactive application (EICS 2015)
▫ Support performance evaluation (EICS 2009)
▫ Formally check the compatibility of tasks and system models (EHCI 1995, IwC 1997)
▫ Support training (EICS 2011)
Martinie, Palanque et al. 2013. Extending Procedural Task Models by Explicit and Systematic Integration of Objects, Knowledge and Information. In European Conference on Cognitive Ergonomics 2013 (ECCE '13). ACM, 23, 1-10.
There is a need for adequate tools
Outline of the talk
• Introduction (HCI in Critical Contexts)
• Introduction to the Interactive Cockpits domain
• A Research Contribution based on Models
▫ System models
▫ Task models
▫ Integrating models
• Dependability for Interactive Systems/Cockpits
• Dealing with automation
• Conclusions and perspectives
Integration Principles
• Strong integration (co-execution of models)
• One single platform (PetShop with HAMSTERS inside)
• Two modes
▫ Task driven (performing a task makes the system evolve)
▫ System driven (acting on the system changes the current task in the task model)
Conclusions on the example
• 4 views of the same real world
▫ System (including interaction and interface)
▫ Tasks (of each operator and of the cooperating operators)
▫ Training and User Manual (e.g. Elect. Flight Bag and FCOM)
• Support for task-based construction and testing
• Not presented
▫ Construction of training program, assessment of trainee and online contextual help (EICS 2011)
▫ Dealing with errors and failures (human and systems)
▫ Dealing with “user over the loop” issues (automation)
▫ Configurations switching following failures
Integration within ADDIE
[Figure: the ADDIE phases ANALYSIS, DESIGN, DEVELOPMENT, IMPLEMENTATION and EVALUATION with their activities: task inventory, task selection, performance measure, existing courses analysis, settings selection, objective settings, tests settings, entry behaviour assessment, sequence setting, structure setting, learning events specification, training management plan & delivery system specification, material selection, training development, training validation, training execution, training plan implementation, internal evaluation, external evaluation and revision, leading to an instance of the training program; each activity is annotated with the contribution from the task modeling activity (T), from the system modeling activity (S), or both (TS)]
Martinie, Palanque et al. Model-Based Training: An Approach Supporting Operability of Critical Interactive Systems: Application to Satellite Ground Segments. ACM Engineering Interactive Computing Systems 2011 (EICS).
There is a need for adequate tools
Outline of the talk
• Introduction (ICS group and HCI in Critical Contexts)
• Introduction to the Interactive Cockpits domain
• A Research Contribution based on Models
• Dependability for Interactive Systems/Cockpits
▫ Zero default
▫ N-version programming
▫ Self-checking widgets
▫ Impact of hardware/software architecture on usability
• Dealing with automation
• Conclusions and perspectives
Dependability
• “The dependability of a system is the ability to avoid service failures that are more frequent and more severe than is acceptable” (Avizienis A., Laprie J-C., Randell B., Landwehr C. Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE (2004))
• Failure Condition Severity (DO-178C) and Probability Objectives

Failure Condition Severity | Probability Objective | Probability (descriptive)
Catastrophic               | < 10^-9               | Extremely Improbable
Hazardous                  | < 10^-7               | (very) Improbable
Major                      | < 10^-5               | Improbable
Minor                      | < 10^-3               | Reasonably probable

Redundancy is required to provide design protection from catastrophic failure conditions (ARP 4761, safety of civil airborne systems)
Several Views on the Problem
• Software side of it
▫ If the system exhibits zero default then the interactive cockpit is dependable
▫ Formal description techniques (complete and unambiguous specification)
▫ No gap between code and implementation
▫ Models can be used to support exhaustive testing
• Hardware side of it
▫ Hardware failures still possible (KCCU is a single point of failure)
▫ Network failures/bugs
• Environment side of it
▫ Bit flips (altitude), memory errors, memory leaks (flight time 18 hours) …
• Human side of it
▫ ~80% of accidents are attributed to human error (2006 study on all accidents in the US)
▫ Increasing the dependability level should not have a negative impact on the usability of the interactive system
▫ New mechanisms and methods to make cockpits dependable without increasing task difficulty for the crew
Overall Solution
• Relying on three steps:
▫ A Formal Specification: ICOs, Interactive Cooperative Objects
▫ A Fault-Tolerant Software Architecture: self-checking architecture
▫ Space and Time Partitioning Architecture: mapping upon an ARINC 653 OS
A Fault-Tolerant Software Architecture and its Formal Specification for Embedded, Real-Time Interactive Systems. ERTS² 2014, Toulouse, France.
[Figure: fault classes covered by the architecture: operational natural faults and development software faults; fault confinement; common mode]
Fayollas, Martinie, Palanque et al. An approach for assessing the impact of dependability on usability: application to interactive cockpits. Tenth European Dependable Computing Conference (EDCC 2014).
[Figure: ICO model of the self-checking PushButton. INPUTS: the services setEnable, setVisible, setStyleSet, setLabelString, processMouseClicked, processMouseDown and processMouseReleased, each delivered as a SIP_/SOP_ pair to the two parts. State places: Enabled/NotEnabled, Visible/NotVisible, StyleSet, MaxStringLength, LabelString, ButtonPressed/ButtonReleased. Guarded transitions AlreadyVisible/AlreadyNotVisible (A661_VISIBLE==true/false), AlreadyEnabled/AlreadyNotEnable (A661_ENABLE==true/false) and SetString_1 (A661_STRING.length()<1), SetString_2 (A661_STRING.length()>Length), SetString_3 (A661_STRING.length()>1 && A661_STRING.length()<=Length). A click is duplicated (DuplicateClickEvent) towards a CONTROLLER part (ClickToController, ConditionForTriggerController, TriggerPossibleController, SelectionNotPossibleController) and a FUNCTIONAL part (ClickToFunctionalWidget, ConditionForTriggerFunctional, TriggerPossibleFunctional, SelectionNotPossibleFunctional). CheckTriggerOK and CheckSelectionNotpossibleOK lead to Trigger_OK / SelectionNotPossible_OK, whereas Error_TriggerOnlyonFunctional, Error_TriggerOnlyonController, Error_selectionOnlyonController and Error_selectionOnlyonFunctional lead to the error places Error_TF, Error_TC, Error_SC and Error_SF. TriggerEvent executes trigger("A661_EVT_SELECTION", new java.util.EventObject(self)) and Error_Trigger executes trigger("A661_EVT_ERROR", new java.util.EventObject(self)).]
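The self-checking principle of the PushButton figure above, as an added example written for this transcript (plain Python, not the ICO model nor any Thales or Airbus code): every service call is duplicated to a FUNCTIONAL and a CONTROLLER replica, A661_EVT_SELECTION is only emitted when both verdicts agree, and a divergence produces A661_EVT_ERROR. MAX_STRING_LENGTH, the verdict strings and the bit-flip scenario are assumptions.

```python
# Added example for this transcript: the self-checking (COM/MON) principle of
# the PushButton figure, written in plain Python; it is not the ICO model or
# any Thales/Airbus code. Each input is duplicated to a FUNCTIONAL and a
# CONTROLLER replica and an output is only produced when both verdicts agree.
# MAX_STRING_LENGTH and the verdict strings are assumptions.
from dataclasses import dataclass
from typing import Callable, List

A661_EVT_SELECTION = "A661_EVT_SELECTION"
A661_EVT_ERROR = "A661_EVT_ERROR"
MAX_STRING_LENGTH = 16   # the MaxStringLength place of the model (assumed value)


@dataclass
class PushButtonReplica:
    """One copy of the widget behaviour; the widget runs two of them."""
    enabled: bool = True
    visible: bool = True
    label: str = ""
    pressed: bool = False

    def set_enable(self, value: bool) -> str:
        if self.enabled == value:      # AlreadyEnabled / AlreadyNotEnable
            return "already"
        self.enabled = value
        return "ok"

    def set_label_string(self, s: str) -> str:
        if len(s) < 1:                 # SetString_1 guard
            return "error:empty"
        if len(s) > MAX_STRING_LENGTH: # SetString_2 guard
            return "error:too_long"
        self.label = s                 # SetString_3: accepted
        return "ok"

    def mouse_down(self, x: int, y: int) -> str:
        if not (self.enabled and self.visible):
            return "selection_not_possible"
        self.pressed = True            # ButtonReleased -> ButtonPressed
        return "pressed"

    def mouse_released(self, x: int, y: int) -> str:
        if not self.pressed:
            return "selection_not_possible"
        self.pressed = False           # ButtonPressed -> ButtonReleased
        return "trigger" if self.enabled and self.visible else "selection_not_possible"


class SelfCheckingPushButton:
    """Duplicates every service call (SIP_/SOP_) and compares the two verdicts."""

    def __init__(self) -> None:
        self.functional = PushButtonReplica()
        self.controller = PushButtonReplica()
        self.events: List[str] = []    # events delivered to the User Application

    def _check(self, f: str, c: str) -> str:
        """CheckTriggerOK / CheckSelectionNotpossibleOK: agreement gates every output;
        a divergence (Error_TriggerOnlyonFunctional, ...) raises A661_EVT_ERROR."""
        if f != c:
            self.events.append(A661_EVT_ERROR)
            return "error:divergence"
        if f == "trigger":
            self.events.append(A661_EVT_SELECTION)
        return f

    def _dispatch(self, op: Callable[[PushButtonReplica], str]) -> str:
        return self._check(op(self.functional), op(self.controller))

    def set_enable(self, value: bool) -> str:
        return self._dispatch(lambda r: r.set_enable(value))

    def set_label_string(self, s: str) -> str:
        return self._dispatch(lambda r: r.set_label_string(s))

    def process_mouse_down(self, x: int, y: int) -> str:
        return self._dispatch(lambda r: r.mouse_down(x, y))

    def process_mouse_released(self, x: int, y: int) -> str:
        return self._dispatch(lambda r: r.mouse_released(x, y))


def click_after_bit_flip() -> List[str]:
    """Constructed scenario: the UA disables the button, then a bit flip re-enables
    the CONTROLLER copy only; the next press is reported as an error instead of
    silently reaching the User Application."""
    b = SelfCheckingPushButton()
    b.set_enable(False)
    b.controller.enabled = True        # simulated single-event upset
    b.process_mouse_down(3, 4)
    return b.events
```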
Outline of the talk
• Introduction (HCI in Critical Contexts)
• Examples from the Interactive Cockpits domain
• A Research Contribution based on Models
• Dependability for Interactive Systems/Cockpits
▫ Zero default
▫ N-version programming
▫ Self-checking widgets
▫ Impact of hardware/software architecture on usability
• Similarities with other domains (Space, ATM & Entertainment)
• Conclusions and perspectives
Summary: without system error
Fayollas, Martinie, Palanque et al. An approach for assessing the impact of dependability on usability: application to interactive cockpits. Tenth European Dependable Computing Conference (EDCC 2014).
Outline of the talk
• Introduction (HCI in Critical Contexts)
• Examples from the Interactive Cockpits domain
• A Research Contribution based on Models
• Dependability for Interactive Systems/Cockpits
• Similarities with other domains (Space, ATM & Entertainment)
• Conclusions and perspectives
HCI In Critical Contexts
• Dependability and usability are intrinsically related, but often studied independently in the literature (and at conferences)
• Increasing the dependability level can have a huge (possibly negative) impact on the usability of the interactive system
• Necessity to design new mechanisms or methods which can make critical interactive systems reliable while assessing
▫ Impact on usability
▫ Impact on training (learnability is key)
▫ Impact on performance
▫ Potential for automation (impact of degradation)
Thoughts for the future
• Construction
▫ Adequate tools
▫ Adequate machines
▫ Adequate factories
• Product characteristics
▫ Properties / qualities
▫ Handling and managing conflicts/trade-offs rationally and systematically
▫ Supporting certification activities of interactive systems
• Understanding and handling the borders
▫ Formal and informal
▫ Hardware / software / OS
▫ Critical systems / mass market
▫ Work environment / entertainment-social
Long Term Research Objectives
[Figure: SAFE, USABLE, RELIABLE, DEPENDABLE, CONFORMANT TO STANDARDS versus UNSAFE, HAZARDOUS, DANGEROUS, UNRELIABLE, FRIGHTENING]
Thank you very much …
for the invitation
for your attention
Acknowledgements
The work presented is partly funded by:
• CNES R&T projects TORTUGA & ALDABRA
• Airbus contract UPS/CNRS/AIRBUS PBO D08028747-788/2008 & IKKY dependability project
• EUROCONTROL HALA! (Higher Automation Level in Aviation research network)
• ESA Integrated Failure Analysis project
Thanks to my colleagues: Yannick Deleris & Christine Gris (Airbus), Jean-Charles Fabre (LAAS) and David Navarre, Célia Martinie, Eric Barboni (ICS-IRIT) & all the PhD students that have been working on these projects