28 research outputs found

    Interaction engineering using the IVY tool

    This paper is concerned with support for the process of usability engineering. The aim is to use formal techniques to provide a systematic approach that is more traceable, and because it is systematic, repeatable. As a result of this systematic process some of the more subjective aspects of the analysis can be removed. The technique explores exhaustively those features of a specific design that fail to satisfy a set of properties. It also analyses those aspects of the design where it is possible to quantify the cost of use. The method is illustrated using the example of a medical device. While many aspects of the approach and its tool support have already been discussed elsewhere, this paper builds on and contrasts an analysis of the same device provided by a third party and in so doing enhances the IVY tool.

    High assurance on cyber-physical interactive systems

    Cyber-Physical Systems, as distributed systems of computational elements interacting with the physical world, are highly complex systems. They can, in many instances, be considered safety-critical interactive systems, as errors in interaction can have disastrous consequences (consider the case of autonomous vehicles or integrated clinical environments). High assurance is, then, an underlying requirement, also at their user interface. In this position paper we identify five challenges to be solved both in the short and in the long term, regarding the modelling of (1) distributed and (2) heterogeneous interactive systems, (3) the analysis and relation between the different abstraction layers of Cyber-Physical Systems, (4) the modelling of real-time/hybrid systems, and (5) the modelling of the dynamic nature of such systems. Solutions for these challenges are not presented, but possible directions are discussed. This work was financed by National Funds through the Portuguese funding agency, FCT - Fundação para a Ciência e a Tecnologia (Portuguese Foundation for Science and Technology) within project: UID/EEA/50014/201

    Modelling and systematic analysis of interactive systems

    Two aspects of our research concern the application of formal methods in human-computer interaction. The first aspect is the modelling and analysis of interactive devices with a particular emphasis on the user-device dyad. The second is the modelling and analysis of ubiquitous systems where there are many users, one might say crowds of users. The common thread of both is to articulate and prove properties of interactive systems, to explore interactive behaviour as it influences the user, with a particular emphasis on interaction failure. The goal is to develop systematic techniques that can be packaged in such a way that they can be used effectively by developers. This “whitepaper” will briefly describe the two approaches and their potential value as well as their limitations and development opportunities.

    PVSio-web: a tool for rapid prototyping device user interfaces in PVS

    We present PVSio-web, which extends the simulation component of the PVS proof system with functionalities for rapid prototyping of device user interfaces. The tool presents itself as a classic image-editing environment with functionalities such as area selection and hyperlink creation, thus reducing the barriers that prevent non-experts in formal methods from using PVS. Designers load a picture of the layout of the device user interface under development, specify interactive areas over the layout, and link them to a PVS specification. They can then explore the behaviour of the formal user interface specification through point-and-click interactions. The architecture of the tool is general, and can be used as the basis for extending other verification tools. A demonstration of the capabilities of PVSio-web is presented through an example based on a commercial medical device user interface. Our ultimate aim is to promote and facilitate the use of formal verification tools when developing device user interfaces.

    Automated theorem proving for the systematic analysis of an infusion pump

    This paper describes the use of an automated theorem prover to analyse properties of interactive behaviour. It offers an alternative to model checking for the analysis of interactive systems. There are situations, for example when demonstrating safety, in which alternative complementary analyses provide assurance to the regulator. The rigour and detail offered by theorem proving makes it possible to explore features of the design of the interactive system, as modelled, beyond those that would be revealed using model checking. Theorem proving can also speed up proof in some circumstances. The paper illustrates how a theory generated as a basis for theorem proving (using PVS) was developed systematically from a MAL model used to model check the same properties. It also shows how the CTL properties used to check the original model can be translated into theorems. CHI+MED, EPSRC research grant EP/G059063/

    The modelery: a collaborative web based repository

    Software development processes are known to produce a large set of artifacts such as models, code and documentation. Keeping track of these artifacts without supporting tools is not easy, and making them available to others can be even harder. Standard version control systems are not able to solve this issue. More than keeping track of versions, a system to help organize and make artifacts available in meaningful ways is needed. In this paper we review a number of alternative systems, and present the requirements and the implementation of a collaborative web repository which we developed to solve this issue. Project LATiCES: Languages And Tools for Critical rEal-time Systems (Ref. NORTE-07-0124-FEDER-000062) is financed by the North Portugal Regional Operational Programme (ON.2 - O Novo Norte), under the National Strategic Reference Framework (NSRF), through the European Regional Development Fund (ERDF), and by national funds, through the Portuguese funding agency, Fundação para a Ciência e a Tecnologia (FCT).

    A hazard analysis method for systematic identification of safety requirements for user interface software in medical devices

    © Springer International Publishing AG (outside the US) 2017. Formal methods technologies have the potential to verify the usability and safety of user interface (UI) software design in medical devices, enabling significant reductions in use errors and consequential safety incidents with such devices. This however depends on comprehensive and verifiable safety requirements to leverage these techniques for detecting and preventing flaws in UI software that can induce use errors. This paper presents a hazard analysis method that extends Leveson’s System Theoretic Process Analysis (STPA) with a comprehensive set of causal factor categories, so as to provide developers with clear guidelines for systematic identification of use-related hazards associated with medical devices, their causes embedded in UI software design, and safety requirements for mitigating such hazards. The method is evaluated with a case study on the Gantry-2 radiation therapy system, which demonstrates that (1) as compared to standard STPA, our method allowed us to identify more UI software design issues likely to cause use-related hazards; and (2) the identified UI software design issues facilitated the definition of precise, verifiable safety requirements for UI software, which could be readily formalized in verification tools such as the Prototype Verification System (PVS). U.S. Food and Drug Administration (NORTE-01-0145-FEDER-000016). Sandy Weininger (FDA), Scott Thiel (Navigant Consulting, Inc.), Michelle Jump (Stryker), Stefania Gnesi (ISTI/CNR) and the CHI+MED team (www.chi-med.ac.uk) provided useful feedback and inputs. Paolo Masci’s work is supported by the North Portugal Regional Operational Programme (NORTE 2020) under the PORTUGAL 2020 Partnership Agreement, and by the European Regional Development Fund (ERDF) within Project “NORTE-01-0145-FEDER-000016”.

    Modelling and analysing the interactive behaviour of an infusion pump

    Proceedings of the Fourth International Workshop on Formal Methods for Interactive Systems (FMIS 2011). This paper is concerned with the scalable and systematic analysis of interactive systems. The motivating problem is the procurement of medical devices. In such situations several different manufacturers offer solutions that support a particular clinical activity. Apart from cost, which is a dominating factor, the variations between devices are relatively subtle and the consequences of particular design features are not clear from manufacturers' manuals, demonstrations or trial uses. Despite their subtlety these differences can be important to the safety and usability of the device. The paper argues that formal analysis of the range of offered devices can provide a systematic means of comparison. The paper also explores barriers to the use of such techniques, demonstrating how layers of specification may be used to make it possible to reuse common specification. Infusion pumps provide a motivating example. A specific model is described and analysed, and comparison between competing devices is discussed rather than dealt with in detail.

    GUI inspection from source code analysis

    Graphical user interfaces (GUIs) are critical components of today's software. Given their increased relevance, correctness and usability of GUIs are becoming essential. This paper describes the latest results in the development of our tool to reverse engineer the GUI layer of interactive computing systems. We use static analysis techniques to generate models of the user interface behaviour from source code. Models help in graphical user interface inspection by allowing designers to concentrate on its more important aspects. One particular type of model that the tool is able to generate is state machines. The paper shows how graph theory can be useful when applied to these models. A number of metrics and algorithms are used in the analysis of aspects of the user interface's quality. The ultimate goal of the tool is to enable analysis of interactive systems through GUI source code inspection. Fundação para a Ciência e a Tecnologia (PTDC/EIA-CCO/108995/2008