Beyond Formal Methods for Critical Interactive Systems: Dealing with Faults at Runtime

International audienceFormal methods provide support for validation and verification of interactive systems by means of complete and unambiguous description of the envisioned system. They can also be used (for instance in the requirements/needs identification phase) to define precisely what the system should do and how it should meet user needs. If the entire development process in supported by formal methods (for instance as required by DO 178C [7] and its supplement 333 [8]) then classical formal method engineers would argue that the resulting software is defect free. However, events that are beyond the envelope of the specification may occur and trigger unexpected behaviors from the formally specified system resulting in failures. Sources of such failures can be permanent or transient hardware failures, due to (when such systems are deployed in the high atmosphere e.g. aircrafts or spacecrafts) natural faults triggered by alpha-particles from radioactive contaminants in the chips or neutron from cosmic radiation. This position paper proposes a complementary view to formal approaches first by presenting an overview of causes of unexpected events on the system side as well as on the human side and then by discussing approaches that could provide support for taking into account system faults and human errors at design time

Evaluation of formal IDEs for human-machine interface design and analysis: the case of CIRCUS and PVSio-web

Critical human-machine interfaces are present in many systems including avionics systems and medical devices. Use error is a concern in these systems both in terms of hardware panels and input devices, and the software that drives the interfaces. Guaranteeing safe usability, in terms of buttons, knobs and displays is now a key element in the overall safety of the system. New integrated development environments (IDEs) based on formal methods technologies have been developed by the research community to support the design and analysis of high-confidence human-machine interfaces. To date, little work has focused on the comparison of these particular types of formal IDEs. This paper compares and evaluates two state-of-the-art toolkits: CIRCUS, a model-based development and analysis tool based on Petri net extensions, and PVSio-web, a prototyping toolkit based on the PVS theorem proving system.This work is partially supported by: Project NORTE-01-0145-FEDER-000016, financed by the North Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF); Conselho Nacional de Desenvolvimento Cientifico e Tecnologico (CNPq) PhD scholarship

Systematic automation of scenario-based testing of user interfaces

Ensuring the effectiveness factor of usability consists in ensuring that the application allows users to reach their goals and perform their tasks. One of the few means for reaching this goal relies on task analysis and proving the compatibility between the interactive application and its task models. Synergistic execution enables the validation of a system against its task model by co-executing the system and the task model and comparing the behavior of the system against what is prescribed in the model. This allows a tester to explore scenarios in order to detect deviations between the two behaviors. Manual exploration of scenarios does not guarantee a good coverage of the analysis. To address this, we resort to model-based testing (MBT) techniques to automatically generate scenarios for automated synergistic execution. To achieve this, we generate, from the task model, scenarios to be co-executed over the task model and the system. During this generation step we explore the possibility of including considerations about user error in the analysis. The automation of the execution of the scenarios closes the process. We illustrate the approach with an example.José Campos acknowledges support from project "NORTE01-0145-FEDER-000016", financed by the North Portugal Regional Operational Programme (NORTE 2020), under the PORTUGAL 2020 Partnership Agreement, and through the European Regional Development Fund (ERDF

Analysis of WIMP and Post WIMP Interactive Systems based on Formal Specification

While designing interactive software, the use of a formal specification technique is of great help by providing non-ambiguous, complete and concise descriptions. The advantages of using such a formalism is widened if it is provided by formal analysis techniques that allow to prove properties about the design, thus giving an early verification to the designer before the application is actually implemented. This paper presents how models built using the Interactive Cooperative Objects formalism (ICOs) are amenable to formal verification. The emphasis is on the behavioral part of the description of the interactive systems and more precisely on the properties at the interaction technique level. However, the process and the associated tools can be generalized to the other parts of the interactive systems (including the non-interactive parts)

Beyond Formal Methods for Critical Interactive Systems: Dealing with Faults at Runtime

Formal methods provide support for validation and verification of interactive systems by means of complete and unambiguous description of the envisioned system. They can also be used (for instance in the requirements/needs identification phase) to define precisely what the system should do and how it should meet user needs. If the entire development process in supported by formal methods (for instance as required by DO 178C [7] and its supplement 333 [8]) then classical formal method engineers would argue that the resulting software is defect free. However, events that are beyond the envelope of the specification may occur and trigger unexpected behaviors from the formally specified system resulting in failures. Sources of such failures can be permanent or transient hardware failures, due to (when such systems are deployed in the high atmosphere e.g. aircrafts or spacecrafts) natural faults triggered by alpha-particles from radioactive contaminants in the chips or neutron from cosmic radiation. This position paper proposes a complementary view to formal approaches first by presenting an overview of causes of unexpected events on the system side as well as on the human side and then by discussing approaches that could provide support for taking into account system faults and human errors at design time

Genetic software architecture and model-based approach for the dependability of interactive critical

Depuis l'introduction au début des années 2000 du standard ARINC 661 (définissant les interfaces graphiques dans les cockpits), les avions modernes, tels que l'A380, l'A350 ou le B787, intègrent des systèmes interactifs permettant à l'équipage d'interagir avec des applications interactives. Ces applications sont affichées sur des écrans à travers l'utilisation d'un dispositif similaire à un clavier et une souris. Pour des raisons d'exigences de sûreté de fonctionnement, l'utilisation de ces systèmes est limitée, à l'heure actuelle, à la commande et au contrôle de fonctions avioniques non critiques. Cependant, l'utilisation de ces systèmes dans les cockpits d'avions civils apporte de nombreux avantages (tels qu'une amélioration de l'évolutivité du cockpit) qui amènent les industriels à chercher comment l'étendre à la commande et le contrôle de systèmes avioniques critiques. Dans cette optique, nous proposons une approche duale et homogène de prévention et de tolérance aux fautes pour concevoir et développer des systèmes interactifs tolérants aux fautes. Celle-ci repose, dans un premier temps, sur une approche à base de modèles permettant de décrire de manière complète et non ambiguë les composants logiciels des systèmes interactifs et de prévenir les fautes logicielles de développement. Dans un second temps, elle repose sur une approche de tolérance aux fautes naturelles et certaines fautes logicielles résiduelles en opération, grâce à la mise en œuvre d'une solution architecturale fondée sur le principe des composants autotestables. Les contributions de la thèse sont illustrées sur une étude de cas de taille industrielle : une application interactive inspirée du système de commande et contrôle de l'autopilote de l'A380.Since the introduction of the ARINC 661 standard (that defines graphical interfaces in the cockpits) in the early 2000, modern aircrafts such as the A380, the A350 or the B787 possess interactive systems. The crew interacts, through physical devices similar to keyboard and mouse, with interactive applications displayed on screens. For dependability reasons, only non-critical avionics systems are managed using such interactive systems. However, their use brings several advantages (such as a better upgradability), leading aircraft manufacturers to generalize the use of such interactive systems to the management of critical avionics functions. To reach this goal, we propose a dual and homogeneous fault prevention and fault tolerance approach. Firstly, we propose a model-based approach to describe in a complete and unambiguous way interactive software components to prevent as much as possible development software faults. Secondly, we propose a fault tolerant approach to deal with operational natural faults and some residual software faults. This is achieved through the implementation of a fault tolerant architecture based on the principle of self-checking components. Our approach is illustrated on a real size case study: an interactive application based on the command and control system of the A380 autopilot

Architecture logicielle générique et approche à base de modèles pour la sûreté de fonctionnement des systèmes interactifs critiques

Since the introduction of the ARINC 661 standard (that defines graphical interfaces in the cockpits) in the early 2000, modern aircrafts such as the A380, the A350 or the B787 possess interactive systems. The crew interacts, through physical devices similar to keyboard and mouse, with interactive applications displayed on screens. For dependability reasons, only non-critical avionics systems are managed using such interactive systems. However, their use brings several advantages (such as a better upgradability), leading aircraft manufacturers to generalize the use of such interactive systems to the management of critical avionics functions. To reach this goal, we propose a dual and homogeneous fault prevention and fault tolerance approach. Firstly, we propose a model-based approach to describe in a complete and unambiguous way interactive software components to prevent as much as possible development software faults. Secondly, we propose a fault tolerant approach to deal with operational natural faults and some residual software faults. This is achieved through the implementation of a fault tolerant architecture based on the principle of self-checking components. Our approach is illustrated on a real size case study: an interactive application based on the command and control system of the A380 autopilot.Depuis l'introduction au début des années 2000 du standard ARINC 661 (définissant les interfaces graphiques dans les cockpits), les avions modernes, tels que l'A380, l'A350 ou le B787, intègrent des systèmes interactifs permettant à l'équipage d'interagir avec des applications interactives. Ces applications sont affichées sur des écrans à travers l'utilisation d'un dispositif similaire à un clavier et une souris. Pour des raisons d'exigences de sûreté de fonctionnement, l'utilisation de ces systèmes est limitée, à l'heure actuelle, à la commande et au contrôle de fonctions avioniques non critiques. Cependant, l'utilisation de ces systèmes dans les cockpits d'avions civils apporte de nombreux avantages (tels qu'une amélioration de l'évolutivité du cockpit) qui amènent les industriels à chercher comment l'étendre à la commande et le contrôle de systèmes avioniques critiques. Dans cette optique, nous proposons une approche duale et homogène de prévention et de tolérance aux fautes pour concevoir et développer des systèmes interactifs tolérants aux fautes. Celle-ci repose, dans un premier temps, sur une approche à base de modèles permettant de décrire de manière complète et non ambiguë les composants logiciels des systèmes interactifs et de prévenir les fautes logicielles de développement. Dans un second temps, elle repose sur une approche de tolérance aux fautes naturelles et certaines fautes logicielles résiduelles en opération, grâce à la mise en œuvre d'une solution architecturale fondée sur le principe des composants autotestables. Les contributions de la thèse sont illustrées sur une étude de cas de taille industrielle : une application interactive inspirée du système de commande et contrôle de l'autopilote de l'A380

A Generic Approach for Assessing Compatibility Between Task Descriptions and Interactive Systems: Application to the Effectiveness of a Flight Control Unit

International audienceTask models are a very powerful artefact describing users’ goals and users’ activities and contain numerous information extremely useful for designing usable interactive applications. Indeed, task models is one of the very few means for ensuring effectiveness of the application i. e. that the application allows users to reach their goals and perform their tasks. This paper presents a tool-supported framework for exploiting task models throughout the development process and even when the interactive application is deployed and used. To this end, we introduce a framework for connecting task models to an existing, executable, interactive application. The main contribution of the paper lies in the definition of a systematic correspondence between the user interface elements of the interactive application and the low level tasks in the task model. Depending on the fact that the code of the application is available or not, the fact that the application has been prepared at programming time for such integration or not, we propose different alternatives to perform such correspondence (in a toolsupported way). This task-application integration allows the exploitation of task models at run time bringing in the benefits listed above to any interactive application. The approach, the tools and the integration are presented on a case study of a Flight Control Unit (FCU) used in aircraft cockpits. This paper extends the article entitled ‘A Generic Tool-Supported Framework for Coupling Task Models and Interactive Applications’ which have been presented at the 7th ACM SIGCHI Symposium on Engineering Interactive Computing Systems (EICS 2015). In this expanded version, the detailed description of the correspondence between annotations in the program of the interactive application and interactive tasks in the task models has been added. The complete version of the case study has also been integrated so that the application of each step of the proposed validation process is presented

A Generic Tool-Supported Framework for Coupling Task Models and Interactive Applications

International audienceTask models are a very powerful artefact describing users' goals and users' activity and contain numerous information extremely useful for designing usable interactive application. Indeed, task models is one of the very few means for ensuring effectiveness of the application i.e. that the application allows users to reach their goals and perform their tasks. Despite those advantages, task models are usually perceived as a very expensive artefact to build that has to be thrown away as soon as the interactive application has been designed, i.e. right after the early stages of the design process are performed. However, tasks models can also be of great help for instance when used to support training material production, for training of operators and for providing tasks and goals oriented contextual help while the interactive application is being used ... This paper proposes a tool-supported framework for exploiting task models throughout the development process and even when the interactive application is deployed and used. To this end, we introduce a framework for connecting task models to an existing, executable, interactive application. The main contribution of the paper lies in the definition of a systematic correspondence between the user interface elements of the interactive application and the low level tasks in the task model. Depending on the fact that the code of the application is available or not, the fact that the application has been prepared at programming time for such integration or not, we propose different alternatives to perform such correspondence (in a tool-supported way). This task-application integration allows the exploitation of task models at run time bringing in the benefits listed above to any interactive application. The approach, the tools and the integration are presented on a case study of a Flight Control Unit (FCU) used in aircraft cockpits

Performance Evaluation of Interactive Systems with Interactive Cooperative Objects Models

International audienc