Modelbased Analysis of Temporal Aspects of Interactive Systems

1
Model-based Analysis of Temporal Aspects of
Interactive Systems

• Karsten.Loer_at_cs.york.ac.uk

2
Goal

• Analysis of models of interactive systems (system
  device user context)
• with respect to a set of properties (usability,
  dependability, temporal aspects, efficiency, )
• for (1) all possible inputs, as well as
  . (2) a set of specific scenarios.

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
3
Overview

• Model checking in a nutshell
• Using model checking in an explorative analysis
  of interactive systems
• modelling interactive systems
• temporal aspects of user tasks
• Real-time models
• Outlook/discussion

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
4
The generic model checking process
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
5
Device model A key pad
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
6
Formulating System Requirements

• only input sequences containing 1-2-3 are
  accepted
• all sequences containing 1-2-3 are accepted
• AG (1 AX (2 AX 3) -gt s3)
• any other sequence is rejected
• AG (!(1 AX (2 AX 3))-gt!s3)
• the accepting state can only be reached, if the
  inputs are made within a particular duration

system model
system property
model checker
TRUE or counter-example/ witness traces
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
7
Computational Tree Logic (CTL)

• Describes properties in terms of computational
  trees

8
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
9
Model-checking traces
p
p
p
p
p
p

• trace sequence of execution steps that
  demonstrate how a state that violates (or
  demonstrates) a property can be reached from the
  initial system state.
• traces can point the analyst to
• violating user/device behaviour
• task optimisations
• recovery procedures

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
10
Model-checking traces
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
11
Sample domain A processing plant
12
Modelling Interactive Systems
ENVIRONMENT
USER (TASKS)
environmental layer
DISPLAYS
CONTROL ELEMENTS
interface layer
CONTROL MECHANISM (device core)
system core layer
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
13
System models
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
14
Temporal issues of interest

• Characteristics of user tasks in terms of
  temporal system-behaviour
• task sequencing
• task interleaving
• task suspension and resumption
• task durations and optimisation
• e.g. best-case/worst-case execution times
• multi-valued decision criteria
• task allocation
• who needs to perform the task and when?

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
15
Explorative application of model checking

• starting from a device-centric model
• gt all possible user inputs
• 2. gradually add assumptions about user and
  environment behaviour
• gt sub-set of sensible user inputs
• formulation of assumptions
• as part of the property specification
• by model enhancements (e.g. observer automata or
  model decorations)

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
16
Influence of task models on explored input space
all possible user inputs

• no task model
• constrained task space
• normative task model

inputs for a certain task
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
17
Normative task models

• Focus of analysis
• Given A specification of
• the device under development,
• relevant parts of the environment and
• a normative task model
• Question What states of the environment can be
  reached?

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
18
Types of plans (Dix et al. 98)

• fixed sequence
• optional tasks
• cycles
• waiting for events

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
19
Types of plans (continued)

• time sharing
• discretionary

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
20
Example task

• Once all pumps are off, switch pump 1 ON
  (after at most n steps)

n
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
21
Task space constraints1

• Focus of analysis
• Given
• a device specification and
• a desired target situation ( state of the
  device and environment)
• Question What assumptions can/need to be made
  about the user?

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
22
Task space constraints2

• Goal Contrain search by adding constraints (
  set of state machines) on the user behaviour
• Example
• Whenever the user realises that pump 1 is
  operating full volume while its target tank is
  close to full the user will switch off the pump

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
23
Real-time models

• real-time is explicit element of the model,
  represented by continuous variables

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
24
Real-time models

• What is the maximal/minimal time required for a
  repair (depending on size and location of leak)?

clock
Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
25
Real-time models

• Modelling complex operator decisions that depend
  on resources and environmental constraints
  (time/leakage/)

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
26
Conclusions1Model checkers are good at

• exhaustive analysis
• automatic analysis
• (provided that appropriate input is supplied)
• analysis of behavioural reachability properties
• ordering/sequencing of tasks
• e.g. Hollnagels error phenotypes
• repetition, reversal, omission, delay, premature
  action, replacement, insertion, and intrusion
• (physical) timing
• mode complexity
• dialogue control
• visibility of action effects, visibility of
  available actions, recoverability, consistency,
  error prevention, flexibility, efficiency of use

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
27
Conclusions2Model checking has limitations

• deliver single, sometimes trivial, traces
• hard/impossible to determine tendencies, e.g.
  certain types of user behaviour, characteristics
  of components that contribute to potential errors
  
• technique does not suggest corrections
• difficult/unsuitable to use for analysis of
  representational properties (layout, direct
  manipulation etc.)
• limited model size (SMVgtgtUppaal)
• abstraction helps, but theres a danger of
  introducing bias

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion
28
Beyond model checking

• hybrid systems model checkers?
• e.g. tools like HyTech can determine for which
  ranges properties hold
• constraint solvers?
• simulation?
• integration with disciplines (e.g. empirical
  psychology)
• can we provide guidance towards what technique to
  use where in the design process?

Intro MC primer Modelling ISs Temporal
aspects of tasks Real-time models Discussion