![Page 1: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/1.jpg)
Reasoning about human error with interactive
systems based on formal models of behaviour
Reasoning about human error with interactive
systems based on formal models of behaviour
Paul CurzonQueen Mary, University of
London
Paul CurzonQueen Mary, University of
London
1
![Page 2: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/2.jpg)
AcknowledgementsAcknowledgements
Ann Blandford (UCL) Rimvydas Rukšėnas (QMUL) Jonathan Back (UCL) George Papatzanis (QMUL) Dominic Furniss (UCL) Simon Li (UCL) …+ various QMUL/UCL students
Ann Blandford (UCL) Rimvydas Rukšėnas (QMUL) Jonathan Back (UCL) George Papatzanis (QMUL) Dominic Furniss (UCL) Simon Li (UCL) …+ various QMUL/UCL students
![Page 3: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/3.jpg)
BackgroundBackground
The design of computer systems (including safety critical systems) has historically focused on the hardware and software components of an interactive system
People have typically been outside the system as considered for verification
The design of computer systems (including safety critical systems) has historically focused on the hardware and software components of an interactive system
People have typically been outside the system as considered for verification
1
![Page 4: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/4.jpg)
Can we bring users into the development process?
Can we bring users into the development process? In a way that talks at the same level of
abstraction as established software development
That accounts for cognitive causes of error
That doesn’t require historical data to establish probabilities
That doesn’t demand strong cognitive science background of the analyst
In a way that talks at the same level of abstraction as established software development
That accounts for cognitive causes of error
That doesn’t require historical data to establish probabilities
That doesn’t demand strong cognitive science background of the analyst
1
![Page 5: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/5.jpg)
The Human error Modelling (HUM) project
The Human error Modelling (HUM) project
Systematic investigations of human error and its causes
Formalise results in a user model included in the “system” for verification Model of cognitively plausible behaviour
Investigate ways of “informalising” the knowledge to make it usable in practice focus on dynamic context-aware systems
Improve understanding of actual usability design practice
Systematic investigations of human error and its causes
Formalise results in a user model included in the “system” for verification Model of cognitively plausible behaviour
Investigate ways of “informalising” the knowledge to make it usable in practice focus on dynamic context-aware systems
Improve understanding of actual usability design practice
1
![Page 6: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/6.jpg)
Systematic ErrorsSystematic Errors
Many errors are systematic They have cognitive causes NOT due to lack of knowledge of what
should do If we understand the patterns of such
errors, then we can minimise their likelihood through better design
Formalise the behaviour from which they emerge and we can develop verification tools to identify problems
Many errors are systematic They have cognitive causes NOT due to lack of knowledge of what
should do If we understand the patterns of such
errors, then we can minimise their likelihood through better design
Formalise the behaviour from which they emerge and we can develop verification tools to identify problems
1
![Page 7: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/7.jpg)
Post-completion errors (PCEs)
Post-completion errors (PCEs)
Characterised by there being a clean-up or confirmation operation after achievement of main goal
Infrequent but persistent Examples:
Leaving the original on the photocopier Leaving the petrol filler cap at the petrol
station …etc.
Characterised by there being a clean-up or confirmation operation after achievement of main goal
Infrequent but persistent Examples:
Leaving the original on the photocopier Leaving the petrol filler cap at the petrol
station …etc.
1
![Page 8: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/8.jpg)
Experiments: eg Fire engine dispatch
Experiments: eg Fire engine dispatch
![Page 9: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/9.jpg)
Call prioritizationCall prioritization
![Page 10: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/10.jpg)
The structure of specifications
The structure of specifications
![Page 11: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/11.jpg)
Generic user model in SAL
Generic user model in SAL
Cognitive principles:
Non-determinism Relevance Salience Mental vs. physical Pre-determined
goals Reactive behaviour Voluntary
completion Forced termination
Cognitive principles:
Non-determinism Relevance Salience Mental vs. physical Pre-determined
goals Reactive behaviour Voluntary
completion Forced termination
UserModel{goals,actions,…} =
…TRANSITION ([]g,slc: Commit_Action:
… )[] ([]a: Perform_Action: … )[] Exit_Task: …[] Abort_Task: …[] Idle: …
UserModel{goals,actions,…} =
…TRANSITION ([]g,slc: Commit_Action:
… )[] ([]a: Perform_Action: … )[] Exit_Task: …[] Abort_Task: …[] Idle: … 1
![Page 12: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/12.jpg)
Recent Work: salienceand cognitive load
Recent Work: salienceand cognitive load
Our early work suggested importance of salience and cognitive load…
Humans rely on various cues to correctly perform interactive tasks: procedural cues are internal; sensory cues are provided by interfaces; sensory cues can strengthen procedural
cueing (Chung & Byrne, 2004). Cognitive load can affect the strength of
sensory & procedural cues.
Our early work suggested importance of salience and cognitive load…
Humans rely on various cues to correctly perform interactive tasks: procedural cues are internal; sensory cues are provided by interfaces; sensory cues can strengthen procedural
cueing (Chung & Byrne, 2004). Cognitive load can affect the strength of
sensory & procedural cues.1
![Page 13: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/13.jpg)
AimsAims
To determine the relationship between salience and cognitive load;
To extend (refine) our cognitive architecture with salience and load rules;
To assess the formalization by modeling the task used in the empirical studies.
To highlight further areas where empirical studies are needed.
To determine the relationship between salience and cognitive load;
To extend (refine) our cognitive architecture with salience and load rules;
To assess the formalization by modeling the task used in the empirical studies.
To highlight further areas where empirical studies are needed.
1
![Page 14: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/14.jpg)
ApproachApproach Use fire engine dispatch to develop an
understanding of the link between cognitive load and salience
Re-analyse all previous experiments to refine and validate understanding, identifying load and salience of individual elements
Informally devise rule for the relationship Formalise the informal rule in user model Model and verify one detailed experimental
scenario - fire engine dispatch Compare models predicted results with those
from the experiment.
Use fire engine dispatch to develop an understanding of the link between cognitive load and salience
Re-analyse all previous experiments to refine and validate understanding, identifying load and salience of individual elements
Informally devise rule for the relationship Formalise the informal rule in user model Model and verify one detailed experimental
scenario - fire engine dispatch Compare models predicted results with those
from the experiment.
1
![Page 15: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/15.jpg)
Experimental settingExperimental setting
Hypothesis: slip errors are more likely when the salience of cues is not sufficient to influence attentional control.
Variables: intrinsic and extraneous cognitive load.
Hypothesis: slip errors are more likely when the salience of cues is not sufficient to influence attentional control.
Variables: intrinsic and extraneous cognitive load.
1
![Page 16: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/16.jpg)
Fire engine dispatchFire engine dispatch
![Page 17: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/17.jpg)
ResultsResults1
![Page 18: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/18.jpg)
Interpretation of empirical data
Interpretation of empirical data
High intrinsic load reduces the salience of procedural cues.
High intrinsic & extraneous load may reduce the salience of sensory cues
High intrinsic load reduces the salience of procedural cues.
High intrinsic & extraneous load may reduce the salience of sensory cues
1
![Page 19: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/19.jpg)
Formal salience and load rules
Formal salience and load rules
Types: Salience {High,Low,None}; Load {High,Low} Procedural: if default High intrinsic High then procedural Low else procedural default Sensory: if default High intrinsic High extraneous
High then sensory {High, Low} else sensory default
Types: Salience {High,Low,None}; Load {High,Low} Procedural: if default High intrinsic High then procedural Low else procedural default Sensory: if default High intrinsic High extraneous
High then sensory {High, Low} else sensory default
1
![Page 20: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/20.jpg)
Levels of overall salienceLevels of overall salience
HighestSalience(…) … procedural High procedural Low sensory High
HighSalience(…) … procedural None sensory High
LowSalience(…) …
HighestSalience(…) … procedural High procedural Low sensory High
HighSalience(…) … procedural None sensory High
LowSalience(…) … 1
![Page 21: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/21.jpg)
Choice prioritiesChoice priorities
[] g,slc: Commit_Action: HighestSalience(g,…) (HighSalience(g,…) NOT(h: HighestSalience(h,…))) (LowSalience(g,…) NOT(h: HighestSalience(h,…) HighSalience(g,
…))) …
commit[…] committed;
status …
[] g,slc: Commit_Action: HighestSalience(g,…) (HighSalience(g,…) NOT(h: HighestSalience(h,…))) (LowSalience(g,…) NOT(h: HighestSalience(h,…) HighSalience(g,
…))) …
commit[…] committed;
status …1
![Page 22: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/22.jpg)
Correctness verificationCorrectness verification
Use model checking to reason about properties of combined user model - fire engine dispatch system
Compare to actual results from the experiment
Use model checking to reason about properties of combined user model - fire engine dispatch system
Compare to actual results from the experiment
1
![Page 23: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/23.jpg)
Correctness verificationCorrectness verification
Functional correctness: System EVENTUALLY(Perceived Goal
Achieved)
‘Decide mode’ goal: System ALWAYS (Route Constructed Mode
chosen)
Functional correctness: System EVENTUALLY(Perceived Goal
Achieved)
‘Decide mode’ goal: System ALWAYS (Route Constructed Mode
chosen)
1
![Page 24: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/24.jpg)
Formal verification & empirical data
Formal verification & empirical data
Load Error
Extraneous
Intrinsic Initialize Mode Term
Low Low +
High Low +
Low High +
High High
![Page 25: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/25.jpg)
Results (again)Results (again)1
![Page 26: Reasoning about human error with interactive systems based on formal models of behaviour Paul Curzon Queen Mary, University of London Paul Curzon Queen](https://reader036.vdocuments.site/reader036/viewer/2022062308/56649cdc5503460f949a72e1/html5/thumbnails/26.jpg)
SummarySummary
Abstract (simple) formalisation of salience & load: close correlation with empirical data for some
errors; Initialization error - match Mode error - false positives Termination error - 1 condition false negative further refinement of salience & load rules
requires new empirical studies. Demonstrates how empirical studies and
formal modelling work can feed each other.
Abstract (simple) formalisation of salience & load: close correlation with empirical data for some
errors; Initialization error - match Mode error - false positives Termination error - 1 condition false negative further refinement of salience & load rules
requires new empirical studies. Demonstrates how empirical studies and
formal modelling work can feed each other.
1