Title: Murphi busts an altitude: a Murphi analysis of an automation surprise
Authors: E. Palmer
DOI: 10.1109/DASC.1999.863726 (https://doi.org/10.1109/DASC.1999.863726)
Published in: Gateway to the New Millennium. 18th Digital Avionics Systems Conference. Proceedings (Cat. No.99CH37033)
Publication date: 1999-10-24
Publication type: Journal Article
Citations: 9
Abstract
In training and during operations, users of automatic systems form expectations of how those systems respond to their control inputs and to environmental disturbances. These expectations form the basis for what can be called the operator's "mental model" of the system. An "automation surprise" is said to occur when the automation behaves in a manner different from what the operator expects. A requirement for a properly functioning human-machine system is that the human operator have good situation awareness. A key component of an operator's situation awareness is knowing how the machine will behave in the near future. Automation surprises are situations in which this system requirement has failed. In this paper, the modeling language Murphi is used to model and analyze an automation surprise in which a flight crew, using the autopilot, climbs above their cleared altitude during a full mission flight simulation. Murphi is a system description language and model checker developed by software engineers to formally evaluate behavioral requirements for concurrent software processes. A rule-based model of the autopilot system and the pilot was developed. Murphi was then used to automatically check the validity of the above requirement for a model of the pilot-autopilot-aircraft system. The requirement failed for the same sequence of human and machine events that were recorded in the altitude bust incident. The Murphi model was then modified to explore possible procedural and mode logic fixes to reduce the likelihood of this type of breakdown in the human-machine system.