Formal analysis of human-computer interaction using model checking

Experiments with simulators allow psychologists to better understand the causes of human errors and build models of cognitive processes to be used in human reliability assessment (HRA). This paper investigates an approach to task failure analysis based on patterns of behaviour, by contrast to more traditional event-based approaches. It considers, as a case study, a formal model of an air traffic control (ATC) system which incorporates controller behaviour. The cognitive model is formalised in the CSP process algebra. Patterns of behaviour are expressed as temporal logic properties. Then a model-checking technique is used to verify whether the decomposition of the operator's behaviour into patterns is sound and complete with respect to the cognitive model. The decomposition is shown to be incomplete and a new behavioural pattern is identified, which appears to have been overlooked in the analysis of the data provided by the experiments with the simulator. This illustrates how formal analysis of operator models can yield fresh insights into how failures may arise in interactive systems.

Events in Indonesia: exploring the limits to formal tourism trends forecasting methods in complex crisis situations

The desire to know the future is as old as humanity. For the tourism industry the demand for accurate foretelling of the future course of events is a task that consumes considerable energy and is of great significance to investors. This paper examines the issue of forecasting by comparing forecasts of inbound tourism made prior to the political and economic crises that engulfed Indonesia from 1997 onwards with actual arrival figures. The paper finds that current methods of forecasting are not able to cope with unexpected crises and other disasters and that alternative methods need to be examined including scenarios, political risk and application of chaos theory. The paper outlines a framework for classifying shocks according to a scale of severity, probability, type of event, level of certainty and suggested forecasting tools for each scale of shock. (C) 2003 Elsevier Science Ltd. All rights reserved.

Assessing the performance of a nucleus estate and smallholder scheme for oil palm production in West Sumatra: a stochastic frontier analysis

In this paper, we study the performance of smallholders in a nucleus estate and smallholder (NES) scheme in oil palm production schemein West Sumatra by measuring their technical efficiency using a stochastic frontier production function. Our results indicate a mean technical efficiency of 66%, which is below what we would have expected given the uniformity of the climate, soils and plantation construction among the sample farmers. The use of progressive farmers as a means of disseminating extension advice does not appear to have been successful, and more rigorous farmer selection procedures need to be put in place for similar schemes and for general agricultural extension in future. No clear relationship was established between technical efficiency and the use of female labour, suggesting there is no need to target extension services specifically at female labourers in the household. Finally, education was found to have an unexpectedly negative impact on technical efficiency, indicating that farmers with primary education may be more important than those with secondary and tertiary education as targets of development schemes and extension programs entailing non-formal education. (C) 2003 Elsevier Ltd. All rights reserved.

Formal change impact analyses for emulated control software

Processor emulators are a software tool for allowing legacy computer programs to be executed on a modern processor. In the past emulators have been used in trivial applications such as maintenance of video games. Now, however, processor emulation is being applied to safety-critical control systems, including military avionics. These applications demand utmost guarantees of correctness, but no verification techniques exist for proving that an emulated system preserves the original system’s functional and timing properties. Here we show how this can be done by combining concepts previously used for reasoning about real-time program compilation, coupled with an understanding of the new and old software architectures. In particular, we show how both the old and new systems can be given a common semantics, thus allowing their behaviours to be compared directly.

The status and relevance of Vietnamese journalism education: An empirical analysis

Based primarily on data from indepth interviews with senior journalists and journalism educators as well as a content analysis of journalism curricula, this paper sets out to provide an overview of the demand, overall provision structure, teaching materials and methods of Vietnamese journalism education. It first shows that with a fast expansion in both size and substance, the Vietnamese media system is beginning to feel the urgent need for formal journalism education. However, the country's major journalism programs have been criticised for producing hundreds of unqualified journalism graduates a year. In general, the most deplorable aspects of Vietnamese journalism education include its body of outdated and awkward teaching material, its undue focus on theories and politics at the expense of practical training, its lack of qualified teaching staff and its inadequate teaching resources.

An automated failure mode and effect analysis based on high-level design specificication with behavior trees

Formal methods have significant benefits for developing safety critical systems, in that they allow for correctness proofs, model checking safety and liveness properties, deadlock checking, etc. However, formal methods do not scale very well and demand specialist skills, when developing real-world systems. For these reasons, development and analysis of large-scale safety critical systems will require effective integration of formal and informal methods. In this paper, we use such an integrative approach to automate Failure Modes and Effects Analysis (FMEA), a widely used system safety analysis technique, using a high-level graphical modelling notation (Behavior Trees) and model checking. We inject component failure modes into the Behavior Trees and translate the resulting Behavior Trees to SAL code. This enables us to model check if the system in the presence of these faults satisfies its safety properties, specified by temporal logic formulas. The benefit of this process is tool support that automates the tedious and error-prone aspects of FMEA.

Timing analysis of assembler code control-flow paths

Timinganalysis of assembler code is essential to achieve the strongest possible guarantee of correctness for safety-critical, real-time software. Previous work has shown how timingconstrain ts on controlflow paths through high-level language programs can be formalised using the semantics of the statements comprisingthe path. We extend these results to assembler-level code where it becomes possible to not only determine timingconstrain ts, but also to verify them against the known execution times for each instruction. A minimal formal model is developed with both a weakest liberal precondition and a strongest postcondition semantics. However, despite the formalism’s simplicity, it is shown that complex timingb ehaviour associated with instruction pipeliningand iterative code can be modelled accurately.