20140318 cisec-critical-hmi


  • Date posted: 19-Jan-2015
  • Category: Technology


description

Interactive systems are nowadays an important part of most command and control systems. Research efforts in the field of Human-Computer Interaction have mainly been focused on the design of innovative and creative interfaces and interaction techniques. These interfaces aim at supporting operators engaged in very diverse tasks involving data of growing complexity. When such interactive systems are deployed in critical contexts, usability and user experience become much less important than reliability and fault-tolerance. The talk will present the state of knowledge in the area of notations, methods and tools for engineering interactive critical systems. This body of knowledge is located at the intersection of software engineering, dependable computing and Human-Computer Interaction and provides means for the design, development, verification, validation and evaluation of interactive critical systems. The emphasis will be on the benefits of and needs for systematic and integrated approaches in order to design, develop and evaluate the entire interactive system (including its interfaces and interaction techniques, the operational procedures and the training program of operators). Concrete applications of both problems and solutions will be given, drawing examples from the aeronautics (Air Traffic Control and Interactive Cockpits) and space (ground segments) domains.

Transcript of 20140318 cisec-critical-hmi

  • 1. Human-Computer Interaction and Engineering of Interactive Critical Systems. Philippe Palanque, Interactive Critical Systems research group, http://www.irit.fr/ICS/palanque - palanque@irit.fr, March 18th, 2014

  • 3. Past-Current Research Projects
      • Air Traffic Management (en-route ATC workstations), 1995-2001 & 2010-2014: HALA! Network of excellence & SPAD (System Performance under Automation Degradation); dynamic instantiation of widgets, post-WIMP interfaces; time constraint about 3mn (speed vector); automation and automation degradation
      • Drones (UAVs), 2001-2003: management of fleet of aircrafts; authority sharing; cooperation and collaboration problems
      • Military aviation, 2003-2006: multimodal systems for military cockpits (evolutions of RAFALE fighter); specification of multimodal fusion engines, real time (20 ms)
      • Space domain, R&T IMAGES (2004-2006), R&T TORTUGA (2008-2011), R&T ALDABRA (2011-2012), R&T MARACCAS (2012-2014): multimodal interfaces for ground segments; specification of satellite ground segments with multimodal interfaces; target application: AGENDA & spacecraft collision avoidance system
      • Civil aviation, 2004-2006 & 2009-2016 (Airbus dependable interactive cockpits): Interactive Cockpits (ARINC 661 standards); specification of all the embedded elements (widgets, UA, UI server); specification of system architectures for dependable interactive systems (fault tolerance); touch interaction in cockpit

  • 4. Human-Computer Interaction (HCI)
      • ACM: ACM SIGCHI main SIG (36) at ACM (4600 members); ~20% of downloads ACM DL ($510k return to SIGCHI); main conference CHI (in 2013 = 3442 participants)
      • IFIP: IFIP TC 13 on HCI; main conference INTERACT (2011=500 participants)
      • Main research interests/contributions: exploration of the jungle of possibilities; focus on Usability and User Experience

  • 7. A bit of history: What is HCI?
      • Human Computer Interaction: usability of computing systems (effectiveness, efficiency, satisfaction, ISO 9241 part 11)
      • Basic principle: user centered design
      • Process: iterative design/development
      • Initial approach in computer science: we design/develop the system and THEN usability is evaluated
      • HCI domain contribution: we design/develop the system and FOR usability

  • 8. Beaudouin-Lafon, M. 2004. Designing interaction, not interfaces. In Proceedings of the Working Conference on Advanced Visual Interfaces (Gallipoli, Italy, May 25 - 28, 2004). AVI '04. ACM, New York, NY, 15-22.

  • 9. iPhone, iPAD

  • 10. In one sentence: Designing Interactive Systems, neither Interaction nor Interfaces
      • Principle: Usability is NOT more important than Reliability, Dependability, Security, Resilience, Safety, User eXperience, others (Privacy, Trust, Accessibility, ...)
      • Proposal: design methods, processes and tools to design/develop interactive systems FOR these properties
      • Beaudouin-Lafon, M. 2004. Designing interaction, not interfaces. In Proceedings of the Working Conference on Advanced Visual Interfaces (Gallipoli, Italy, May 25 - 28, 2004). AVI '04. ACM, New York, NY, 15-22.

  • 11. They are not Orthogonal !?
      • Usable & reliable then safer? Planes; command and control systems
      • Usable & reliable then less safe!!
      • The less usable the more safe
      • The less reliable the more safe
      • Safer for some, less for others
      • Less Reliability, less User eXperience
      • More Secure and more Reliable then less Usable
      • More Privacy then less Security
      • More Security, less reliability (cockpits & satellites)
      • There is a need for a holistic view on these properties and not for a reductionist one (even though this supports progress)

  • 12. Do We Need New Integrated Processes? Usability/User eXperience engineer; Software engineer; Reliability engineer; Safety engineer

  • 14. Current Situation
      • Low hanging fruits have already been collected
      • Foundations identified many years ago: Annett & Duncan, HTA, in 1967; Petri nets, C.A. Petri, in 1962
      • Refinement and deeper understanding over the years
      • Need for long term detailed smaller refinements
      • Need for support to the design and development of safe, usable and dependable interactive systems

  • 15. Outline of the talk
      • Introduction (HCI in Critical Contexts)
      • Introduction to the Interactive Cockpits domain
      • A Research Contribution based on Models
      • Dependability for Interactive Systems/Cockpits
      • Dealing with automation
      • Conclusions and perspectives

  • 16. The Past: Input vs Output
      • [Diagram labels: Aircraft Systems; Display System; Data; Crew members; Monitor systems; Input management; Command systems; Command + data]
      • Display system was not interactive
      • No USER INPUT related to display system
      • INPUT and OUTPUT are independent (Segregation, (Separation and Isolation) and Diversity)

  • 17. ARINC 661: Input and Output Intertwined
      • [Diagram labels: Control and Display System (CDS); Events; Set Parameters; Crew members; Actions; Monitor system; System; User Applications for Aircraft Systems (UA)]
      • With ARINC 661 the command and display system is interactive
      • Execution of the system depends strongly on user activity (and expects user input)
      • What about usability?

  • 18. Standard ARINC 661 Specification, A380 Cockpit. DU: Display Unit; KCCU: Keyboard and Cursor Control Unit; CDS: Control and Display System

  • 19. Current State of ARINC 661
      • AEEC PP661 adopted October 2001 / published April 2002: met Airbus critical need requirement (161 pages)
      • Supplement 1 (Dec 10, 2002, 141 pages): vertical map display capability; eight new widgets added; Airbus A380 CDS versus needs for future CDSs
      • ARINC 661-1 published June 26, 2003
      • Supplement 2 (292 pages), draft 1 published 1st September 2004: changes to ARINC 661 necessary for the Airbus A380 (NextFocusedWidget) and Boeing 787 cockpit display system development; seven new widgets (57 widgets in total); addition of state diagrams for interactive objects (p196)
      • Supplement 3, draft 1 released May 21st 2007 (356 pages): eight new widgets
      • Supplement 4, released May 10th 2010 (466 pages): three new widgets

  • 20. ARINC 661 Principles
      • Client-server
      • Very similar to previous old work in HCI: IBM Common User Access 1989 standard for UI, OSF/MOTIF, X Window
      • [Diagram labels: DisplayUnit -Screen-; Window (managed by the CDS); Layer (owned by one User Application); Widget; Format; Application 1; Application 2; Application 3]

  • 21. Outline of the talk
      • Introduction (HCI in Critical Contexts)
      • Introduction to the Interactive Cockpits domain
      • A Research Contribution based on Models: System models; Task models; Integrated models
      • Dependability for Interactive Systems/Cockpits
      • Dealing with automation
      • Conclusions and perspectives

  • 22. Our Research Proposal
      • Formal description techniques for the specification, design and construction of interactive systems
      • Support better dependability of the system
      • Support better usability of the system
      • Can provide contextual help
      • Can support the production of training material
      • Support diversity (compatibility of various models)
      • Can take into account evolvability
      • Can support safety by e.g. providing tools to prevent incidents and accidents from re-occurring

  • 23. Overview of Interactive Cooperative Objects: a formal description technique
      • Set of cooperating classes
      • For each class: Behavior (Petri nets); Services (availability); State (distribution and value of tokens)
      • Presentation: Activation (how users' actions on the input devices trigger system methods); Rendering (how state changes are presented to the users)
      • Extensions: asynchronous multicast communication mechanism; quantitative temporal information (temporal window); reuse of previous work in Petri nets theory

  • 24. This is not the first work in that field: Dragicevic & Fekete, ICMI 04

  • 25. This is not the first work in that field: David Carr et al., CHI 94

  • 26. Goal of ICOs and PetShop
      • The user interface requires the same dependability as the rest of the software
      • Completeness (model the entire UI): the complex parts must be dealt with too; the more complex the UI, the more likely the notation is unable to deal with it
      • Concurrency, infinite number of states, temporal aspects, objects and behavior integrated, ...
      • Verification, validation, certification, ... of the interactive software
      • Bridge the edition-execution gap (Navarre D. et al. A Model-Based Tool for Interactive Prototyping of Highly Interactive Applications. 12th IEEE International Workshop on Rapid System Prototyping; Monterey (USA), IEEE, 2001.)

  • 27. A Small Example: Double click [State diagram; states: Idle, Down, One_Click, Two_Down; transition labels: d, u, DC, t, C]

  • 28. Multimodal Interaction & ATM: Unexpected Double Clicking

  • 29. A Small Example: Adding Time [State diagram; states: Idle, Down, One_Click, Two_Down; transition labels: d, u / StartTimer, d, u, DC, t, C]

  • 30. A Small Example: Taking Movements into account + Threshold [State diagram; states: Idle, Down, One_Click, Moving, Two_Down; transition labels: m, D, u, E, B, C, M, "u / StartTimer", "d, target=this", DC, t]

  • 31. A Small Example: Taking Movements into account + Threshold m D u E m C,B du / StartTimer m C,M d, target=this