Using Task Analytic Models and Phenotypes of Erroneous Human Behavior to Discover System Failures Using Model Checking.

Breakdowns in complex systems often occur as a result of system elements interacting in ways unanticipated by analysts or designers. In systems with human operators, human-automation interaction associated with both normative and erroneous human behavior can contribute to such failures. This paper presents a method for automatically generating task analytic models encompassing both erroneous and normative human behavior from normative task models. The resulting model can be integrated into a formal system model so that system safety properties can be formally verified with a model checker. This allows analysts to prove that a human automation-interactive system (as represented by the model) will or will not satisfy safety properties with both normative and generated erroneous human behavior. This method is illustrated with a case study: the operation of a radiation therapy machine. In this example, a problem resulting from a generated erroneous human action is discovered. Future extensions of our method are discussed.