Formal Modeling and Analysis for Interactive Hybrid Systems

An effective strategy for discovering certain kinds of automation surprise and other problems in interactive systems is to build models of the participating (automated and human) agents and then explore all reachable states of the composed system looking for divergences between mental states and those of the automation. Various kinds of model checking provide ways to automate this approach when the agents can be modeled as discrete automata. But when some of the agents are continuous dynamical systems (e.g., airplanes), the composed model is a hybrid (i.e., mixed continuous and discrete) system and these are notoriously hard to analyze. We describe an approach for very abstract modeling of hybrid systems using relational approximations and their automated analysis using infinite bounded model checking supported by an SMT solver. When counterexamples are found, we describe how additional constraints can be supplied to direct counterexamples toward plausible scenarios that can be confirmed in high-fidelity simulation. The approach is illustrated though application to a known (and now corrected) human-automation interaction problem in Airbus aircraft

Example of a Complementary Use of Model Checking and Agent-Based Simulation

Abstract—To identify problems that may arise between pilots and automation, methods are needed that can uncover potential problems with automation early in the design process. Such potential problems include automation surprises, which describe events when pilots are surprised by the actions of the automation. In this work, agent-based, hybrid time simulation and model checking are combined and their respective advantages leveraged in an original manner to find problematic human-automation interaction (HAI) early in the design process. The Tarom 381 incident involving the former Airbus automatic speed protection logic, leading to an automation surprise, was used as a common case study for both methodology validation and further analysis. Results of this case study show why model checking alone has difficulty analyzing such systems and how the incorporation of simulation can be used in a complementary fashion. The results indicate that the method is suitable to examine problematic HAI, such as automation surprises, allowing automation designers to improve their design. Index Terms—simulation, model checking, automation sur-prise, mental model, formal methods I

MesoTRAP: a feasibility study that includes a pilot clinical trial comparing video-assisted thoracoscopic partial pleurectomy decortication with indwelling pleural catheter in patients with trapped lung due to malignant pleural mesothelioma designed to address recruitment and randomisation uncertainties and sample size requirements for a phase III trial.

Introduction: One of the most debilitating symptoms of malignant pleural mesothelioma (MPM) is dyspnoea caused by pleural effusion. MPM can be complicated by the presence of tumour on the visceral pleura preventing the lung from re-expanding, known as trapped lung (TL). There is currently no consensus on the best way to manage TL. One approach is insertion of an indwelling pleural catheter (IPC) under local anaesthesia. Another is video-assisted thoracoscopic partial pleurectomy/decortication (VAT-PD). Performed under general anaesthesia, VAT-PD permits surgical removal of the rind of tumour from the visceral pleura thereby allowing the lung to fully re-expand. Methods and analysis: MesoTRAP is a feasibility study that includes a pilot multicentre, randomised controlled clinical trial comparing VAT-PD with IPC in patients with TL and pleural effusion due to MPM. The primary objective is to measure the SD of visual analogue scale scores for dyspnoea following randomisation and examine the patterns of change over time in each treatment group. Secondary objectives include documenting survival and adverse events, estimating the incidence and prevalence of TL in patients with MPM, examining completion of alternative forms of data capture for economic evaluation and determining the ability to randomise 38 patients in 18 months. Ethics and dissemination: This study was approved by the East of England-Cambridge Central Research Ethics Committee and the Health Research Authority (reference number 16/EE/0370). We aim to publish the outputs of this work in international peer-reviewed journals compliant with an Open Access policy. Trial registration: NCT03412357

Formal modeling and analysis for interactive hybrid systems

Abstract: An effective strategy for discovering certain kinds of automation surprise and other problems in interactive systems is to build models of the participating (automated and human) agents and then explore all reachable states of the composed system looking for divergences between mental states and those of the automation. Various kinds of model checking provide ways to automate this approach when the agents can be modeled as discrete automata. But when some of the agents are continuous dynamical systems (e.g., airplanes), the composed model is a hybrid (i.e., mixed continuous and discrete) system and these are notoriously hard to analyze. We describe an approach for very abstract modeling of hybrid systems using relational approximations and their automated analysis using infinite bounded model checking supported by an SMT solver. When counterexamples are found, we describe how additional constraints can be supplied to direct counterexamples toward plausible scenarios that can be confirmed in high-fidelity simulation. The approach is illustrated though application to a known (and now corrected) human-automation interaction problem in Airbus aircraft

An Overview of Formal Verification for the Time-Triggered Architecture

We describe formal verification of some of the key algorithms in the Time-Triggered Architecture (TTA) for real-time safety-critical control applications

Architecture challenges for intelligent autonomous machines : An industrial perspective

Machines are displaying a trend of increasing autonomy. This has a far reaching impact on the architectures of the embedded systems within the machine. The impact needs to be clearly understood and the main obstacles to autonomy need to be identified. The obstacles, especially from an industrial perspective, are not just technological butalso relate to system aspects like certification, development processes and product safety. In this paper, we identify and discuss some of the main obstacles to autonomy from the viewpoint of technical specialists working on advanced industrial product development. The identified obstacles cover topics like world modeling, user interaction, complexity and system safety.QC 20140930</p

MesoTRAP: a feasibility study that includes a pilot clinical trial comparing video-assisted thoracoscopic partial pleurectomy decortication with indwelling pleural catheter in patients with trapped lung due to malignant pleural mesothelioma designed to address recruitment and randomisation uncertainties and sample size requirements for a phase III trial.

INTRODUCTION: One of the most debilitating symptoms of malignant pleural mesothelioma (MPM) is dyspnoea caused by pleural effusion. MPM can be complicated by the presence of tumour on the visceral pleura preventing the lung from re-expanding, known as trapped lung (TL). There is currently no consensus on the best way to manage TL. One approach is insertion of an indwelling pleural catheter (IPC) under local anaesthesia. Another is video-assisted thoracoscopic partial pleurectomy/decortication (VAT-PD). Performed under general anaesthesia, VAT-PD permits surgical removal of the rind of tumour from the visceral pleura thereby allowing the lung to fully re-expand. METHODS AND ANALYSIS: MesoTRAP is a feasibility study that includes a pilot multicentre, randomised controlled clinical trial comparing VAT-PD with IPC in patients with TL and pleural effusion due to MPM. The primary objective is to measure the SD of visual analogue scale scores for dyspnoea following randomisation and examine the patterns of change over time in each treatment group. Secondary objectives include documenting survival and adverse events, estimating the incidence and prevalence of TL in patients with MPM, examining completion of alternative forms of data capture for economic evaluation and determining the ability to randomise 38 patients in 18 months. ETHICS AND DISSEMINATION: This study was approved by the East of England-Cambridge Central Research Ethics Committee and the Health Research Authority (reference number 16/EE/0370). We aim to publish the outputs of this work in international peer-reviewed journals compliant with an Open Access policy. TRIAL REGISTRATION: NCT03412357