Next Article in Journal
Evaluating the Quality of Reinforced Concrete Electric Railway Poles by Thermal Nondestructive Testing
Previous Article in Journal
Correlation between Material Properties and Breakage Rate Parameters Determined from Grinding Tests
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Formal Analysis and Design of Supervisor and User Interface Allowing for Non-Deterministic Choices Using Weak Bi-Simulation

1
Department of Industrial and Information Engineering, Hanyang University, ERICA Campus, Ansan 15588, Korea
2
Department of Mechanical Engineering, Hanyang University, ERICA Campus, Ansan 15588, Korea
*
Author to whom correspondence should be addressed.
Appl. Sci. 2018, 8(2), 221; https://doi.org/10.3390/app8020221
Submission received: 13 November 2017 / Revised: 19 January 2018 / Accepted: 22 January 2018 / Published: 31 January 2018

Abstract

:
In human machine systems, a user display should contain sufficient information to encapsulate expressive and normative human operator behavior. Failure in such system that is commanded by supervisor can be difficult to anticipate because of unexpected interactions between the different users and machines. Currently, most interfaces have non-deterministic choices at state of machine. Inspired by the theories of single user of an interface established on discrete event system, we present a formal model of multiple users, multiple machines, a supervisor and a supervisor machine. The syntax and semantics of these models are based on the system specification using timed automata that adheres to desirable specification properties conducive to solving the non-deterministic choices for usability properties of the supervisor and user interface. Further, the succinct interface developed by applying the weak bi-simulation relation, where large classes of potentially equivalent states are refined into a smaller one, enables the supervisor and user to perform specified task correctly. Finally, the proposed approach is applied to a model of a manufacturing system with several users interacting with their machines, a supervisor with several users and a supervisor with a supervisor machine to illustrate the design procedure of human–machine systems. The formal specification is validated by z-eves toolset.

1. Introduction

My specific target in this article is to preserve non-deterministic choices in the context of the fundamental feature of a user and supervisor machine interaction. At a more comprehensive level, the aim of this article is to give confidence to the analytic development of the concept of a formal model of supervisor and supervisor machine. The traditional use of theory has been to evaluate the supervisor interaction under different operating and environmental conditions [1]. In formal model, the formal specification uses the variables that describe the system set of states to develop the proposition with a transition in between them [2]. The process of formal model verification will satisfy the system model and system specification properties [3]. The behavioral equivalences are used to verify a property of a system by assessing the equivalence of the observed system with a system which is known to possess that property and whether the two systems cannot be illustrated by an invader. These formal models manifest the mental and physical activities incorporating the user and supervisor with machine operation to achieve their objectives. Interaction between the user and machine may be brittle; the purpose of interface is only to provide the pre-enumerated condition for which it was planned [4]. The brittle interaction of a complex and safety critical system due to unexpected deficiencies in communication and coordination between the human and the machine [5] encompasses manufacturing systems [6,7]. Likewise, automated systems may be enabled to upscale their potential after being deployed [8]. However, difficult situations can still emerge because of functional conditions or machine behaviors which were not expected by the designer; the automation design having been oversimplified because the embedded machine limitations, machine automation and user interface were not executed in agreement with the design.
Basic formalism is enough to model the functionality of systems, and hence to capture the qualitative behavior, but if one wants to also capture quantitative aspects, such as time or frequency-dependent properties, formalisms must be extended with real-time features [9]. In systems that model quantitative processes, steps are associated with a given quantity, such as the resources (e.g., time or cost) needed to perform that step. Timed automaton has potential to allow for non-deterministic behavior to be solved while the weak bi-simulation perpetuate the co-reachability after its abstraction. The augmented interface was generated through the weak bi-simulation modelling technique that specifically addresses current modelling issues with several users and machines formally represented by timed automata. The concise, complete, unambiguous and comprehensible specification construction that unable the supervisor to make sense out of a rather complex implement. Our objective to develop a formal specification in such a way that it leads in the direction of an appropriate implementation and the process of progress called the refinement. We used Z notation for analyzing and validating the formal specification by z-eves toolset [10,11].
Initially, the formal representation of user and machine model is extended with a discrete event system and its further extension with event-based analysis as a means of representing the activities of the user and machine. These models show goal level of behavior in terms of the user and machine triggering transition. According to the principle of timed automaton, each transition will need time constraints that describe under what conditions a single transition among several possible transitions from the same state will be activated. This phenomenon will help us to understand the system characteristics in real time. Each user interacts with their machine and generate the interaction behavior by combining all users and machines inside the system that links with the supervisor to achieve the system goal under the time constraint value for each transition. However, non-deterministic choice in interface is not only in user but also in supervisor control which is a big safety concern regarding the manufacturing system and can contribute to unforeseen problems. For example, failure of part of the manufacturing system due to poor user interaction consisting of the interface of several machines being poorly defined can cause part supply delay and product recall [12,13] from the market. We first present the formal semantics and syntax of supervisor and supervisor machine model. We show how the interface can be generated through a weak bi-simulation that preserves the co-reachability. We then present a part of a manufacturing system that consists of several users and machines which are controlled by the supervisor. In conclusion, we present the limitations of this technique and the future direction for its model development.

2. Literature Review

2.1. Interface Generating Models of Human Automation Interaction

Scientists [14] modelled a user interface established on modes, error and pattern of interaction. Traditionally, most human factors research on interface design has emphasis on perceptual and cognitive compatibility between the human and the interface structure [15]. Much fewer studies have been conducted on the correspondence between the interface [16] and the machine being controlled [17]. Fewer researcher [18] modelled both the machine’s behavior and user’s operation as discrete event systems and put forward a formal approach for verifying their interface. Further, the scientists [19] modelled the detection of automation surprise in human machine system operated through multiple operation by user. Researchers [20] discussed an interface generating model based on user observable vs. unobservable and controllable vs. uncontrollable events provoked by the user decision through the interface model. Few scientists used logics and theory to represent the user and machine interaction [21]. In their article, the user can be regarded as a human intervention which is an extension of supervisory control with some expedite actions and avoid mode confusion [22] accompany through the behavior of underlying machine by supervisor. To be clearer, these models explicitly used to develop training manuals to anticipate the underlying machine behavior and avoiding undeveloped accidents due to mode confusion and automation surprises. To execute this ultimate concern, it is important for manufacturing system for understanding of user, supervisor and machine model in realistic term. Moreover, I need to manifest the interface constitute of following different notions:
  • User and Supervisor action-based interfaces, which distinguish between controllable vs. uncontrollable, observable vs. un-observable by the user and supervisor and internal transitions.
  • The operating modes that characterize the user, supervisor and machine states that the user or supervisor needs to be able to distinguish.

2.2. Formal Verification with Interface Generating Models

Model checking is a computerized formal method practiced verifying system contents based on a formal model a set of anticipated characteristics in the form of formal specification [23]. The formal model of a system defines with respect to the variable in the form of set and shifts among state of variable. Verification is the procedure of verifying that the system encounters the properties lying under specification. Model checking achieves this procedure automatically by comprehensively identifying a system’s state space to control if these measures hold. If there is an against of rule, then counterexample will generate. The counterexample will show the clear description of rule violation for each state and specification including with next state of model that led up to the violation.
The scientist [24] integrates the user interface model into the discrete event system. This will allow the scientist to verify the state matching between the user and the machine [25] under the umbrella of user knowledge and their expectations. Also, it will verify that the interface will able to satisfy the user requirements and the need for updates to fulfil the system requirements. The first concept regarding formal verification of a user machine interaction model was introduced by [26]. In this composition, the scientist combines the user and machine model states into a state duplet and estimates their matched march with respect to the identical specification classes. Few scientist [20] explores the verification of a user interface model by simulation relation. They [5] generate the user interface constructed on formal model and verifies it systematically maneuvering the formal specifications. In response of such needs, the non-deterministic choice at any state of interface is still insufficient for these interfaces. Further, the interface generating model can be used to include a single user and machine-based interaction. In case of several users that are controlled by the supervisor in a formal system models along with the necessary system elements such as the user machine interface and supervisor machine interface have still not been considered by the research community.

2.3. Limitations on Current Techniques

The prospective verification analysis is limited in extent by the potential user machine interaction model to establish the correct user behavior. Works such as these researcher [18] express the user machine interaction with an account of a formal description and they are not well reinforce the relation with user machine interaction. Correspondingly, they [20] established awareness of the link to unobservable and uncontrollable events for user but it had some weak points. Further, they [5] investigated and analyzed the human machine interaction through a formal model representation using predicate and proposition. All the provided practices do not have the non-deterministic behavior or choices lie at any state.
Moreover, currently we cannot generate the interface when the system has more than one user and machine all of which are interlinked with the supervisor as we described the limitation in Table 1. We are also interested to investigate the supervisor interface. ( M c o m ) c h o i c e = 1 , ( o b s ) and ( i n t ) have already evaluated in [19] the user domain while the supervisor’s perspective still needs to be considered. Further, ( c o m ) c h o i c e > 1 and ( c o m ) c h o i c e > 1 events are still not being investigated by scientists.

3. Formal Semantics of the Supervisor Machine Interaction

3.1. Formal Semantics of the Supervisor Model

We are assuming that we are considering only one supervisor in our system. This supervisor must merge the several users who are operating their machines. The functions and responsibility of supervisor is that she/he must inform the users of their tasks initially. After that the supervisor will also play their role by modifying the product through different user and machine interactions and obtain information through the supervisor interface [27]. Therefore, the supervisor interface should be correct [28] and meaningful otherwise the outcome of product will not be as per the requirement of customer. We used the four-machine cell N S 1 ,   N S 2 ,   N S 3 and N S 4 operated by the four different users. At each cell we have states for operation for example in N S 1 we have four states like wise L 1 ,   L 2 represent the low having the same class while M 1 ,   M 2 represent the medium having same class as shown in Figure 1. In between of these states we have transitions and these transitions are labelled as per our definitions. The dotted line represents the machine transitions while the dark line represents the user transition within the cell or if the transition is incoming or outgoing the cell then it termed as supervisor transition.
The supervisor has also the same character as the individual user, as shown in Table 2. The observable and controllable events α S U i ( S c o m ) c h o i c e > 1 is formed due to the execution of a supervisor task. The α S U i ( S c o m ) c h o i c e > 1 is the communication of the supervisor with the user and the supervisor has more than one choice in their state. All of them are observable and controllable. The machine transition which is also observable but uncontrollable β s i S o b s likewise moving the lathe to milling operation. If there is change inside the system without a user task, then the event must fall into the unobservable and uncontrollable category γ s i S i n t for the supervisor.
S = ( S c o m ) c h o i c e = 1 . ( S c o m ) c h o i c e > 1 . S o b s . S i n t
The supervisor model can be represented as the timed automata;
  • M S = N S , n O S , E S , I S Where,
  • N S : Set of supervisor states,
  • n O S N S : Initial (starting) state in the supervisor,
  • E S N S × B ( C ) × S × 2 C × N S : Set of edges termed as transition among the system states,
  • I S : N S B ( C ) Assigns invariants to locations.
B ( C ) is the clock constraint where x ~ n or x y ~ n for x , y C ,   ~   [ , < , = , > , ] and n Ν . In our modelling, We used T S i for supervisor modelling state to state time constraint while, T x i is used for user station. The x is representing the station, we used as a, b, c and d station respectively while the i ℕ.
According to the above definition we can write n S : g , a , r n S if and only if n S , g S , a S , r S , n S E S .
g S : is the guard of e s = n S , g S , a S , r S , n S E S , a S : is the action of e s , r s : is the set of clocks that is reset by e s , S : Set of events among the supervisor states.
Definition 1.
The appearance of observable and controllable event η S 1 ( s c o m ) c h o i c e = 1 will change the state of the supervisor interface through supervisor action. The formation of this event η i , j by any state will yield the only choice of user operations. When it appears in a state then it will become ( N S M ,   N S ) B R S M or ( ( N S M 0 ) ,   ( N S 0 ) ) B R S M . The change of machine state n S M N S M or ( N S M 1 ) ( N S M ) because of the observable and controllable event η S 1 ( S c o m ) c h o i c e = 1 .
Definition 2.
The observable but uncontrollable event ( β S 1 , β S 2 ) ( s o b s ) will change the state of user interface through the occurrence of a machine transition. When it appears in a state then ( ( N S M , N S ) B R S M or ( N S M 2 ) , ( N S 2 ) ) B R S M as in the supervisor model of Figure 1. The change of machine state n S M N S M or ( N S M 3 ) ( S t a t i o n 2 ) M because of the observable and controllable event ( β S 1 , β S 2 ) ( s o b s ) that change the state ( N S M 2 ) β S 1 ( N S M 3 ) , ( N S M 3 ) β S 2 ( N S M 2 ) having the interaction of ( n S M , n S ) B R S M as per the supervisor model described in Figure 1 ( ( N S M 2 ) #x2032; , ( N S 2 ) ) B R S M if and only if β S 1 and ( ( N S M 3 ) , ( N S 3 ) ) B R S M if and only if β S 2 .
Definition 3.
The unobservable and uncontrollable event ( γ S 1 , γ S 2 , γ S 3 , γ S 4 ) S i n t will not change the state of the supervisor. It is the internally change of machine state is and unobservable because there is no supervisor action either before or after the formation of the machine state. It may cause the uncontrollable event ( γ S 1 , γ S 2 , γ S 3 , γ S 4 ) S i n t . There is no binary relation that exists and the change of machine state n S M N S M or ( N S M 1 ) ( S t a t i o n 1 ) M , ( N S M 2 ) ( S t a t i o n 2 ) M and ( N S M 4 ) ( S t a t i o n 4 ) M because of we have no supervisor action and the unobservable and uncontrollable event ( γ S 1 , γ S 2 , γ S 3 , γ S 4 ) S i n t that change the state of machine ( N S M 1 ) γ S 1 ( N S M 2 ) and ( N S M 2 ) γ S 2 ( N S M 1 ) . Similarly, ( N S M 2 ) γ S 3 ( N S M 4 ) and ( N S M 4 ) γ S 4 ( N S M 2 ) that is internally triggered by machine having no interaction with supervisor.
Definition 4.
The observable and controllable supervisor event ( α S U 1 , α S U 2 , α S U 3 , α S U 4 ) ( S c o m ) c h o i c e > 1 has more than one choice at the starting state of supervisor for the user to perform the machine interaction. Similarly, ( α S 1 , α S 2 ) ( S c o m ) c h o i c e > 1 it has also more than one choice at N S 1 state of supervisor to execute the task by the supervisor operations. The time transition will handle this choice easily to allow user to perform their operation safely and correctly. When it appears in a state then ( N S M , N S ) B R S M or ( N S M 1 , N S 1 ) B R S M as in the supervisor model of Figure 1. The change of machine state n S M N S M or ( N S M 1 ) ( S t a t i o n 1 a ) S M , ( N S M 2 ) ( S t a t i o n 1 b ) S M , ( N S M 3 ) ( S t a t i o n 2 ) S M and ( N S M 4 ) ( S t a t i o n 1 c ) S M because of the observable and controllable event that change the state ( α S U 1 , α S U 2 , α S U 3 , α S U 4 ) ( S c o m ) c h o i c e > 1 and in the Form of transition ( N S M 0 ) α S U 1 ( N S M 1 ) , ( N S M 0 ) α S U 2 ( N S M 2 ) , ( N S M 0 ) α S U 3 ( N S M 3 ) , ( N S M 0 ) α S U 4 ( N S M 4 ) , ( N S M 1 ) α S U 6 ( N S M 3 ) and ( N S M 1 ) α S U 5 ( N S M 2 ) having the interaction of ( n S M , n S ) B R S M or ( N S M 0 , N S 0 ) B R S M has four choices and ( N S M 1 , N S 1 ) B R S M has two choices for the interaction.
According to all the above definitions, the all supervisor operation is observable and controllable. The event that is unobservable and uncontrollable | E S ( n S , e c o m | 1 for any supervisor state n S N S is uncontrollable to the supervisor. We also incorporated the deterministic and non-deterministic choices into the supervisor model. Moreover, we used the Z notation for analyzing and validating the supervisor model using z-eves toolset. The information is well structured and presented at appropriate abstraction using z notation. The snapshot for specification validation of supervisor model is given in the appendix section in Figure A1.

3.2. Formal Semantics of the Supervisor Machine Model

The supervisor machine model consists of several interactions of users with respect to their machines to reach the desired goal. Each work cell consisting of a user and machine would be considered as a supervisor state. Moving the product from one work cell to another is considered as a machine transition. The state is observable vs controllable and uncontrollable vs unobservable if and only if the criteria as mentioned in the Table 2 are true.
The supervisor machine model as shown in Figure 2 can be represented in terms of timed automata;
  • M S M = N S M , n O S M , E S M , l S M Where,
  • N S M : Set of supervisor machine states,
  • n O S M N S M : Initial (Starting) state of supervisor machine,
E S M N S M N S M × B ( C ) × N S M × 2 C × S M Set of edges termed the transition among the system states, I S M : N S M B ( C ) assigns invariants to locations, B ( C ) is the clock constraints where x ~ n or x ~ y ~ n for x , y C , ~ [ , < , = , > , ] and n ℕ. According to the above definition we can write n S M g , a , r n S M when n S M , g S M , a S M , r S M , n S M E S M . We used similar technique for defining the time constraint as we described in supervisor model.
  • g S M : is the guard of e = n S M , g S M , a S M , r S M , n S M E S M ,
  • a S M : is the action of e S M ,
  • r S M : is the set of clocks that is reset by e S M ,
  • S M : Set of events among the supervisor machine states.
The set of supervisory action that consists of S M = { ( S M c o m ) c h o i c e = 1 } . ( S M c o m ) c h o i c e > 1 } . S M o b s . M i n t has three disjoint subsets. These subsets are only workable for ( S M c o m ) c h o i c e = 1 : an observable and controllable event having only one choice for supervisor operation, ( S M c o m ) c h o i c e > 1 : an observable and controllable event having more than one choice for supervisor operation, S M o b s : an observable and uncontrollable event and S M i n t : an unobservable and uncontrollable event for user. These subsets are based on a discrete event system using finite state machines. In our case, we represent the semantics of the machine model by time automata because we can easily include more than one choices of user operation at any stage of machine state as shown in Figure 2. Now the updated equation will be as follows;
S M = { ( S M c o m ) c h o i c e = 1 } . ( S M c o m ) c h o i c e > 1 } . S M o b s . S M i n t
According to the Figure 2 η S = { η S 1 } are the observable and controllable events that exists in N S M 0 state of machine such that η S ( S M c o m ) c h o i c e = 1 . They β S = { β S 1 , β S 2 } are the observable but uncontrollable events that exists in the N S 2 and N S 3 state of machine such that β S S M o b s . They γ S = { γ S 1 , γ S 2 , γ S 3 , γ S 4 } are the unobservable and uncontrollable events in N S M 2 and N S M 4 such that γ S S M i n t . They α S U = { α S U 5 , α S U 6 } are the observable and controllable events that exists in the M 1 machine state in which the user has only one choice to execute their operation such that α S U ( S M c o m ) c h o i c e > 1 . These α S U = { α S U 1 , α S U 2 , α S U 3 , α S U 4 } are the events in which the supervisor will give the task to the user to execute their operation in the N S M 0 state such that α S U ( S M c o m ) c h o i c e > 1 . The time constraint at N S M 0 is T S 1 . While the outgoing transition has four different choices of state N S M 1 , N S M 2 , N S M 3 and N S M 4 with time constraints of N S M 0 state is T S 1 . N S M 1 the state is T S 2 , N S M 2 state is T S 5 and T S 4 , N S M 3 state is T S 7 , T S 3 , N S M 4 state is T S 12 . In addition, the formal specification of supervisor machine model is analyzed and validated using a-eves toolset. The snapshot for formal specification validation of supervisor machine model is given in appendix section in Figure A2.

3.3. Supervisor Interface Model

The details regarding the controllable and observable events, number of user and machine, non-deterministic choices, which lie or not in the user and supervisor model are mentioned in Table 2. The events α S U 5 , α S U 6 ( S M c o m ) c h o i c e > 1 are supervisor observable and controllable having more than one choice at a single state and two choices at N S 1 . The event η S 1 ( S M c o m ) c h o i c e = 1 is uncontrollable but observable for user and has only one choice for the supervisor perform their operation at N S 0 described in the supervisor interface model and illustrated in Figure 3. The event γ S 1 , γ S 2 , γ S 3 , γ S 4 S M i n t are uncontrollable and unobservable for user.
Finally, the event ( α S U 1 , α S U 2 , α S U 3 , α S U 4 ) ( S M c o m ) c h o i c e > 1 are observable and controllable for supervisor that provides information to the user to perform their operation using the supervisor interface as shown in Figure 3. Accordingly, this event defines the supervisor and supervisor machine model as shown in the Table 2, the interaction between the n S N S supervisor and n S M N S M machine, n S M N S M supervisor and n S N S user described with binary relation. B R N S × N U implies that the interaction ( S u p e r v i s o r , N U ) between the supervisor and user to proceed with the user operations B R N S × N S M implies that the interaction between ( S u p e r v i s o r , N S M 0 ) , ( S t a t i o n 1 a , N S M 1 ) , ( S t a t i o n 1 b , N S M 2 ) , ( S t a t i o n 1 c , N S M 4 ) , ( S t a t i o n 2 , N S M 3 ) the supervisor gives the command to the machine with the help of the supervisor interface. According to the supervisor machine model shown in Figure 2, it always shows the important transitions and state that describe the behavior of the machine operated by the supervisor according to the guideline of the supervisor interface model.

4. Interface Generation Using the Weak Bi-Simulation

To generate the interface, we need to consider the timed automaton, which can be either a machine model of user or a machine model of supervisor but as a machine model in the form of tuple can be describe as M M = N M , n O M , E M , l M , υ M , N m shown in Figure 4. The υ M : N m × M 2 X is a partial transition map, N m is the marker sate. Now, we are considering here the S M i n t M c o r M and M r c h M while M c o r is showing that all states are reachable but there is no illegal state [29] and M r c h M are the reachable states during the user and machine interaction. For co-reachability [30] the events are observable and controllable with respect to user M c o r = c h o i c e = 1 c o m . c h o i c e > 1 c o m while in reachability, the M r c h = c h o i c e = 1 c o m . c h o i c e > 1 c o m . o b s events are not only c h o i c e = 1 c o m . c h o i c e > 1 c o m observable and controllable but also o b s observable and uncontrollable with respect to user therefore P : M M r c h is in the form of natural projection. The relation of weak bi-simulation to N M according to the M r c h is the equivalence relation κ N M × N M | for each ( n M , n M ) κ and every e M c o r M c o r . If υ M ( n M , e M c o r ) ! then ( e M c o r ) M c o r | υ M ( n M , ( e M c o r ) ) ! having the following.
Definition 5.
The co-reachable event e M c o r that is executed by user e M c o r is the natural projection P : ( e M c o r ) P ( e M c o r ) while if the events are the same before and after the state then it will fall under the equivalence relation for each machine state υ M ( n M , ( e M c o r ) ) that is reachable by machine state n M υ M ( N M , ( e M c o r ) ) with the equivalence relation ( n U , n U ) κ [ n U N M n U N M ] the events of a system using machine are the same n M υ M ( n M , ( e M c o r ) ) n M υ M ( N M , ( e M c o r ) ) before and after the machine state as formally represented if and only if ( n U , n U ) κ [ n U N m n U N m ] .
We used the abstract idea of [31] and explain this more clearly with the help of the machine model such that, where M = { l o M 1 , l o M 2 , l o M 3 , l o M 4 } and M r c h = { l o M 2 , l o M 4 } . The equivalence relation will be as a weak bi-simulation relation M = { ( N M 1 , N M 1 ) , ( N M 2 , N M 3 ) } . Hence, the l o M 2 and l o M 4 are different so they cannot be executed and will not fulfil the above definition criteria. The κ is the weak bi simulation relation to N M . According to the M r c h thus the weak bi similarity will be as follows; ~ M M r c h = { ( N M 1 , N M 2 ) , ( N M 1 , N M 3 ) , ( N M 2 , N M 1 ) , ( N M 3 , N M 4 ) } for each n M N M assuming that [ n M ] will be represent as class of equivalence of n M under ~ M M r c h namely the set of all elements n M N M | ( n M , n M ) ~ M M r c h . The quotient set of N M by equivalence relation is N M / ~ M M r c h = { [ n M } N M | n M N M } according to ~ M M r c h .
Definition 6.
The timed automaton M M = N M , l O M , E M , I M , υ M , N m assume that M r c h M . The degree of timed automaton according to ~ M M r c h is an automaton M M / ~ M M r c h : = N M R , M R , υ M R , n o M R , N m where N M R : is the reduced state as shown in Figure 5, M R : a common user action represents a single action in the reduced model in Figure 5, υ M R : N M R × M R 2 X and n o M R : the reduced initial state as specified by,
  • N M R : = N M / ~ M M r c h .
  • n o M R : = [ n o M ]
  • N m R : = { n R N M R | n R N m }
  • N M R : = r c h { e r c h | ( n M N M R ) υ M ( n M , e ) [ n M ] { } }
  • υ M R : N M R × M R 2 R | ( n M R , e ) N M R × M R , υ M R ( n M R , e ) = { n M R N M R | ( n M n M R ) υ M ( n M , e ) n M R { } }
We normally describe M M / ~ M M r c h as the reduced form of M M by using the techniques of weak bi-simulation relation ~ M M r c h . As per the consideration of our example the final version of the automaton will be as in Figure 5. The partition on the set of state is M M . As per the easy understandable we have N M R = { [ N M 1 ] , [ N M 2 ] , [ N M 4 ] , [ N M 5 ] } while the [ N M 2 ] = { N M 2 , N M 3 } . Hence the above automaton is in the form of the reduced automaton.
We can define the product of two systems | | s y s × s y s s y s : ( M M , U M ) M M | | U M : = M M U M . The symbol is || used to represents the product of two entities. We normally compare to obtain the product of the machine and user model with respect to transition architectures. According to the [12] user and machine model can be defined as M M and U M where timed automaton M M a set map to another set N M U : N M U M if the following conditions hold. The first condition is N M U : N M U M . The second condition is N M U ( n M , 0 ) = n U , 0 and N M U ( N M , m ) = N U , m . There is a third condition; in the third condition, it is for every n M N M and e M M , ζ M ( n M , e M ) ! ζ U ( N M U ( n U ) , e M ) ! & ζ U ( N M U ( n U ) , e M ) = N M U ( ζ M ( n M , e M ) ) where this condition holds here N M U ( ζ M ( n M , e M ) ) : = { N M U ( n M ) | ( n M ) ζ M ( n U , e M ) } . The final condition is for every n U N U and e M M therefore ζ U ( n M , e M ) ! n M N M ) ζ M ( n M , e M ) ! & N M U ( n M ) = n M , if and only if ζ U : N U × B ( C ) × U 2 C , ζ M : N M × B ( C ) × M 2 C . In addition, the formal specification is presented here is analyzed and validated using z notation through z-eves toolset. We used the iteration-based approach to validate the interactive systems by using weak bi-simulation through checking of two systems simultaneously using z-eves, as a snapshot presented in appendix in Figure A3. The iteration 2 and 3 are solved based on source code using java. In iteration 1: we specify the system using the formal specification likewise in our case, the development of formal specification of supervisor, interface and machine model with transition definition. In iteration 2: we can identify the relevant interaction between the supervisor and machine through interface. In relevant interaction there is no blocking, error and illegal state [18]. If there is irrelevant interaction then there must be blocking, error and illegal state then label it. Iteration 3: In this iteration, the identified irrelevant interaction should not be a part of the interaction. It means the supervisor and machine model interaction is free from blocking, error and illegal state. To make sure there is no irrelevant interaction, we apply the above described interface correction using weak bi-simulation method in Section 4. Iteration 4: In this iteration, we check the weak bi-simulation relation between the supervisor and machine model. If the supervisor and machine model are bi similar then the interaction has no illegal, error and blocking state. Hence, the correct interface is ready for the operational mode.
To apply the operation of a model checking verification, formal semantics of supervisor machine interaction model should be interpreted in the language of model checking. We apply the formal semantics to translate supervisor machine interaction model into the symbolic analysis laboratory (SAL) language [32,33]. The formal semantics of supervisor machine interaction model to SAL translation is computerized by our practice constructed in java program which practices the document object model [34] to parse the supervisor and interaction model’s extensible markup language (XML) code.
A diversity of examinations was course to authenticate that the translator was producing a SAL code that observed the formal semantics of supervisor machine interaction model. To estimate the complexity and scalability of the formal semantics of supervisor machine interaction models, we produced their models and examined the translated models’ in terms of state spaces and runtimes by means of the SAL. The formal semantics supervisor model and formal semantics of supervisor machine interaction models comprise only supervisor who interact with different users and machine in a manufacturing system environment using the supervisor interface. Further, the different users also interact with their machine after getting the information from the supervisor by using their interface. The part manufacturing process were used to understand for both the users and supervisor operations. To guarantee that the verification method would examination a model’s complete state space, we formed the specification that would not generate a counterexample. We also took help from the Z-eves tool to validate and verify our presented model using the analysis of counter example.

5. A Case Study of a Part Manufacturing System

To illustrate how this technique can be applied to find solutions to the problems in a parts manufacturing system, we present the following case study. In our case study the transmission does not shift into the higher gear when the driver wants to drive her/his vehicle at more than 160 km per hour. At the start we checked with the scan tool which point in the engine and ECT has the fault. After performing the code test, the malfunctioning in the shift solenoid control circuit was found to be high. There are three causes of these problems; the first one is open circuit, second one is a wiring problem and finally the solenoid valve malfunctioning. As per the manual instructions, first we checked the resistance of several solenoids. Fortunately, we traced the malfunctioning to solenoid valve having low resistance. We checked the underbody of the vehicle; the solenoid valve was completely dipped into oil and this was creating the malfunction. Further after analysis, we saw that the pipe set radiator was damaged and that it was draining the oil into this solenoid valve. After new parts were fitted, we faced same problem within a month. Moreover, we checked the engine noise and heating temperature inside the engine.
We identified that the engine noise and temperature as measured were not as per the standard. So, a high amount of gas was leaking from the exhaust manifold that caused the damage to the pipe resulting in the oil draining into the solenoid valve. We investigated the manufacturing process of exhaust manifold to identify the cause of the gas leakage. Now we will describe its current user and supervisor model and the user and supervisor machine model with the current user and supervisor interface. The data were obtained from the vendor of the car manufacturing company. We investigated the series of extensive production of exhaust manifold manufacturing using the automated manufacturing system. We selected the problematic fragment of the entire manufacturing process of the exhaust manifold and this analysis can be performed using our defined approach. As far as the verification is concerned, we start to describe the control panel by how the user interact with machine and several users are assisted and controlled by the supervisor. Also, the supervisor will interact with the machine and display inform to the user about their task and tells the supervisor the behavior of the machine.

6. Current Interface Description

The relevant elements of the computer-numerically controlled (CNC), Robot (low weight material transfer) control panel and the electronic attitude display mode in a CNC machine are shown in Figure 6 and Figure 7. In the robot controller we will discuss about the function of the on/off switch and in the user controller we will discuss about the five switches controlling both control panel and display mode as shown in Figure 7 that are interest of us. These five switches are (1) tool change for machining operation; (2) coordinate setting for part manufacturing; (3) start cycle button; (4) move to bin; (5) take part from bin and are easily operated through the display mode. These five modes for user and one mode for supervisor can be engaged by pressing the respective buttons on the CNC and robot control panel as shown in Figure 6 and Figure 7.
In the CNC machine the selection of the five operations is made on the top portion of the control panel operated by user having a small window as the display mode, indicating the tool change, start operation, movement of parts into the bin and dimension set by the user. The user can change the dimension by entering the values through the x, y and z button at the panel side. We can also adjust the speed of the spindle by the feed rate switch and edit the program as per the user or customer requirements as shown in Figure 7. The procedure for iteration 1 is given in the subsections.

6.1. Modeling the Rest of the System

The exhaust manifold manufacturing process is operated simultaneously in two ways; the first part is highly automated with no human involvement while the other part is operated by several users linked with the supervisor interacting with the machine. This two-way manufacturing process will be able to manufacture the exhaust manifold for the Corolla (EM1), Cuore (EM2) and innovative international multi-purpose vehicle (IMV) Hilux (EM3) car variants. We are considering here only the human involvement with machine. To complete the formal system model, for the system operational environment we created at the formal representation of a three-user model, three machine models, a supervisor model and supervisor machine model for exhaust manifold manufacturing system. The model representation is for more readable, expressive and includes the choices for the handling of non-determinism, so we can use easily the timed automaton transition systems.

6.2. Transition Definition

α S U 1 : Supervisor transmit information to user 1 to perform the operations of turning {take first EM1 part then EM2 then EM3 from bin 1 to perform turning operations}, Facing {take first EM1 part then EM2 then EM3 part to perform the facing operation}and then perform the reaming and boring operation on EM1, EM2 and EM3 parts. After performing the turning operation on EM1, EM2 and EM3 user will move the few EM1 part into the bin2 similarly, user will move the few EM2 part into the bin 2 after finishing the facing operation. The few EM3 parts will receive from the bin 3 to perform the reaming operation and then part EM1, EM2 and EM3 will move to the bin 4 after finishing the boring operation.
α S U 2 : Supervisor transmit the information to user 2 to perform the operations of indexing, knurling, and taping on EM1, EM2 and EM3 then few EM1 and EM2 parts move to bin 6 after indexing operation and few EM3 parts move to bin 7 after knurling operation. After performing the taping operation on EM1, EM2 and EM3 parts will move to bin 8.
( α S U 2 ) m : Supervisor transmit the information to user 2 to perform the operations of indexing1 and 2, knurling, and taping on EM1, EM2 and EM3 then few EM1 and EM2 parts move to bin 6 after indexing 2 operations. Few EM3 parts move to bin 7 after knurling operation. After performing the taping operation on EM1, EM2 and EM3 parts will move to bin 8.
α S U 3 : Supervisor transmits the information to user 3 to perform the operations of boring on EM1, EM2 and EM3 one by one or their availability. After performing the boring operation, the user will move the EM1, EM2 and EM3 parts for performing the reaming operation and move to bin 11. After this operation the user will perform the threading operation on EM1, EM2 and EM3. While few EM3 parts were received from bin 10 to perform the threading operation. Finally, the reaming operations were performed on EM1, EM2 and EM3 then move to bin 11.
( α S U 3 ) m : Supervisor transmits the information to user 3 to perform the operations of boring on EM1, EM2 and EM3 one by one or their availability. After performing the boring 1 operation, the user will move the EM1, EM2 and EM3 parts for performing the reaming operation. After that the user will perform the boring 2 operations on EM1, EM2 and EM3. While few EM3 parts were received from bin 10 to perform the threading operation on all parts. Finally, the reaming operations were performed on EM1, EM2 and EM3 then move to bin 11.
α S U 4 : Parts are moved after facing operation to perform Indexing operation.
( α S U 4 ) m : Parts are moved after facing operation to perform Indexing 1operation.
α S U 5 : Parts are moved after facing operation to perform boring operation.
( α S U 5 ) m : Parts are moved after facing operation to perform boring1 operation.
α S U 6 : Parts are moved after boring operation to perform reaming operation.
( α S U 6 ) m : After finishing the boring 2 operations to perform the reaming operation {Reaming = 1 mm}.
α S U 7 : Parts are moved after indexing operation to perform reaming operation.
( α S U 7 ) m : Parts are moved after indexing 2 operations to perform reaming operation.
η 1 , 1 : Take the part from bin1 one by one in ordering of first EM1, EM2 and EM3 or if and only if one of them is exists then perform the turning operation. The depth of cut is 3 mm.
η 1 , 2 : The few EM1 part will move to bin 2.
η 1 , 3 : The few EM3 part will move to reaming operation.
η 1 , 4 : The EM1, EM2 and EM3 part will move to bin 4.
β 1 , 1 : Part is moving into the facing operation {Reduced length = 3 mm}.
β 1 , 2 : Part is moving into the reaming operation {R = 1 mm}.
β 1 , 3 : Part is moving into the boring operation {Depth of cut = 7 mm}.
β S 1 : Parts are moved through conveyor to bin 2 from bin 6.
α 1 , 1 : The few EM2 part will move to bin 2.
α 1 , 2 : Take the part after performing the facing operation then go to the boring operation.
η 2 , 1 : Take the part from bin 5 one by one in the ordering of first EM1, EM2 and EM3 or if and only if one of them is exists there then perform the indexing operation {Index = 6}.
η 2 , 2 : Part will move to bin 6.
η 2 , 3 : The Part will move to bin 6 at machine and bin 7 for supervisor model.
η 2 , 4 : Part will move to bin 7 at machine and part will move for bin 8 for supervisor model.
η 2 , 5 : Part will move to Bin 8.
β 2 , 1 : Part is moving into the knurling operation {Length = 18 mm}.
β 2 , 2 : Part is moving into the taping operation {Length = 8 mm}.
β 2 , 1 b : Part is moving into the indexing 2 operation {Index = 6}.
β S 2 : Parts are moved through conveyor to bin 6 from bin 2.
η 3 , 1 : Take the part from bin 9 one by one in the ordering of first EM1, EM2 and EM3 or if and only if one of them is exists there then perform the boring operation {Doc = 3 mm}.
η 3 , 2 : After finishing the boring operation to perform the reaming operation {Reaming = 1 mm}.
η 3 , 3 : Part will be moved for threading operation {Thread Length = 8 mm}.
η 3 , 4 : EM1, EM2 and EM3 parts will be placed into the bin11.
β 3 , 1 : Part is moving to the threading operation {Thread Length = 8 mm}.
β 3 , 2 : Part is moving to reaming operation {R = 1 mm for finishing}.
β 3 , 1 b : Part is moving to boring 2 operations {Depth of cut = 3 mm}.
β S 3 : Parts are moved through conveyor to bin 7 from bin 3.
β S 4 : Parts are moved through conveyor to bin 10 from bin 7.

6.3. Supervisor Model

In the supervisor model, we have only one supervisor and the supervisor will provide information to all users to perform the needed task as per the production schedule. The supervisor switches on the robot to transfer the part to its dedicated place. The parts will be moved by robot after the indexing operation to perform the reaming operation. Similarly, this operation is needed on those parts that have already under- gone the boring operation of user model 3.
While, after the facing operation the parts will move to indexing and boring operation. The supervisor events are ( S c o m ) c h o i c e = 1 = {}, ( S c o m ) c h o i c e > 1 { α S U 1 , α S U 2 , α S U 3 , α S U 4 , α S U 5 , α S U 6 , α S U 7 }.

6.4. Supervisor Machine Model

The supervisor will switch on the conveyor to transfer the part to its dedicated place and the parts will move from bin 6 to bin 2 and vice versa. Similarly, the parts move from bin 3 to bin 7 and bin 7 to bin 10. The user only places the part on to the conveyor and all the parts are moved through the conveyor which is controlled by the supervisor as per their company production plan. The dashed line is used for the machine transition and the dark lines represent the supervisor task as shown in Figure 8 and Figure 9. The supervisor machine events are S o b s = { β S 1 , β S 2 , β S 3 , β S 4 } and S i n t = {}. The procedure of iteration 2 is given in the Section 7 and their subsections.

7. Discussion

Formal verification was performed using the model composition of user with machine and supervisor with a machine. For all user models, two of the timed automaton-based formalisms indicated that the acts of user model 2 and user model 3 reset-ability, act and skip-ability, every part of these user model as shown in Figure 8 and its associated time transitions between execution states was not reachable. Similarly, n S 6 and n S 7 in the supervisor model the supervisory task was unable to reach their target state as per customer requirements. Indicating that a conflicting mode arises which does not fulfil the user and the supervisor demand. Thus the complete-ability [35] will not be evaluated correctly, indicating that the manufacturing process of the exhaust manifold observed by user with machine and supervisor with the supervisor machine model composition. This could go for the exhaust gas leakage inside the engine compartment to create malfunction during driving of the car. In the user model the event sets η 2 , 3 and η 3 , 2 have an issue with the interaction of the machine due to their unmatched state compositions. Similarly, supervisor has also an unmatched state with their machine during the execution of α S U 6 and α S U 7 task. This information was not mentioned inside the user manual. In that case the interface should be correct for the user and supervisor and there is a need to update the user and supervisor manual to execute the task by user and supervisor as per customer needs.

7.1. Formal Verification Results

Formal verification was done on a LG computer in succession with Linux Mint 18 with an intel core i7, and 64 giga bytes of RAM, Ansan, Korea with the aid of SAL’s symbolic model checker open source. It acquired 19.86 s of entire completing time to validate all 68 obtained properties with 1496 numbered as the determined staying at states for verification. We also used the Z-eves tool for model verification using proof. Further, there is no counterexample formed.

7.2. Scalability

We have no observation for substantial growth during the verification times and states pace magnitudes among the normal behavior of model holding at 2 min 38 s and 3,062,072 states producing scheme obtainable here does scale fit. Therefore, the scheme may be suitable for the examination of considerable bigger systems. Forthcoming work should explore how this technique should implement for different scenario. The procedure for iteration 3 and 4 are given in Section 8 and their subsection.

8. Interface of User Model and Supervisor Model

We rectified the supervisor interface as shown in Figure 10, interface of user model 2 as shown in Figure 11 and the user model 3 interfaces as shown in Figure 12 using the weak bi-simulation approach. This interface of user and the supervisor will be co-reachable because the weak bi-simulation preserves this property. We already implemented this interface after we received feedback from the customer in favor of the product. Further, this interface allows the user and supervisor to handle the non-deterministic choices with the help of time transition in user and the supervisor model as shown in Figure 10, Figure 11 and Figure 12.
Operational incidents occur when the part is fitted into the vehicle and then after few weeks, leakage is identified by the customer. Normally this type of complain would not appear on the plant and dealer side. However, the customer feedback motivates us to improve the quality of product inside the plant to make the product as per the standard criteria. Similarly, the set pipe hose has no leakage after the improvement in the interface model of user and the supervisor and further the malfunctioning of the solenoid valve was not observed, and it performs well.

9. Conclusions

The design of an interface based on user understanding about the systems is not as stable as manufacturing systems and product quality demand, due to several user-machine interactions aligned with the supervisor when the process of manufacturing is ongoing. However, a general observation can still be drawn about their relative performance. To compare with those needs, we developed a formal framework for the analysis of human-computer interaction systems modelling based on time automaton. Compared with other models [36], our novel approach describes the formal models of user and supervisor activities with their machine behavior by adopting the modelling techniques of time automaton with full control and mode preserving. Also, we propose a technique to generate the supervisor interface based on multiple users with a machine and user interface through weak bi-simulation. Moreover, our technique has the potential to evaluate the interaction in real time and we also discuss how these techniques can be adapted to consider information about the machine and user states to solve for non-deterministic choices. We used z-eves for analyze and validate the formal specification of supervisor, machine and weak bi-simulation relation. We used the iteration-based approach to validate the interactive systems by using weak bi-simulation through checking of two systems simultaneously using z-eves to generate the correct interface. We implemented our technique on case study of a transmission gear not shifting at more than 189 km/h. Each treatment-created specification property designed the estimated consequence on behalf of that, for all its related transitions among finishing states was accessible. Further, there is no counterexample formed. For future perspectives, a possible extension is to add information about the environment and a cognitive model of the system and user. Such information constitutes a user and supervisor state-based interface. The supervisor and user models for such systems can be advanced in the sense that their transitions should be well defined. This will raise some issues related with observation of the user and supervisor state-interface meaning that both should know the previous interface observation. Defining the generation of such an interface is a possible extension of this work. Finally, with this method the interfaces are more expressive and understandable, and improvements in product quality and customer response have also been achieved.

Acknowledgments

The work described in this paper was funded by HEC Pakistan and supported by Hanyang University, South Korea. This basic research and technology are the effort on human-automation interaction as well as the Customer Satisfaction with high quality products. Scientists wrote the first version of the formal composite model of single user and machine [18]. Scientists described the concept of user based generated events and modify the concept of single user interface by building up mathematical tool using simulation technique [20]. Finally, we give thanks to reviewers for providing us the nice suggestions, time and effort to improve my papers.

Author Contributions

The mathematical models were developed by Shazada Muhammad Umair Khan. Further he also executes the case study. Wenlong He Analyze the literature review and finalized the formatting of this manuscript. Wenlong He also helps to understand the logic of case study and provide information for its better solution.

Conflicts of Interest

The author declares that there is no conflict of interest regarding the publication of this paper.

Appendix A

The validation of formal specification for supervisor model, machine model and weak bi-simulation are given as a snapshot in Figure A1, Figure A2 and Figure A3 respectively. In these figures, there is limitation in the symbol representation using z editor, likewise in supervisor model we used the symbol N S for supervisor state but in z notation we used N S . Similar approach is applied for all other symbols. The symbol which are different from their model representation are also explained clearly. The subscript we used for supervisor model is ‘s’ and for machine model we used ‘sm’. In z representation the symbol S used as Ss, ( S c o m ) c h o i c e = 1 used as Sscomch, ( S c o m ) c h o i c e > 1 used as Sscomchgo for machine we used Ssmcomchgo. The symbol S o b s used as Ssobs for machine we used Ssmobs. The symbol S i n t used as Ssint for machine we used Ssmint. Similarly, the symbol M c o r used as Sscor for machine we used Ssmcor, M r c h used as Ssrch for machine we used Ssmrch. Finally, the symbol S M i n t used as Ssint for machine we used Ssmint and e M c o r used as emcor respectively.
Figure A1. The snapshot of the formal specification analysis of supervisor model.
Figure A1. The snapshot of the formal specification analysis of supervisor model.
Applsci 08 00221 g0a1
Figure A2. The snapshot of the formal specification analysis of machine model.
Figure A2. The snapshot of the formal specification analysis of machine model.
Applsci 08 00221 g0a2
Figure A3. The snapshot of the formal specification analysis of weak bi-simulation model.
Figure A3. The snapshot of the formal specification analysis of weak bi-simulation model.
Applsci 08 00221 g0a3

References

  1. Saraph, J.V.; Sebastian, R.J. Human resource strategies for effective introduction of advanced manufacturing technologies (AMT). Prod. Inventory Manag. J. 1992, 33, 64. [Google Scholar]
  2. Weyers, B.; Bowen, J.; Dix, A.; Palanque, P. The Handbook of Formal Methods in Human-Computer Interaction; Springer: Berlin, Germany, 2017. [Google Scholar]
  3. Cheng, R.; Zhou, J.; Chen, D.; Song, Y. Model-based verification method for solving the parameter uncertainty in the train control system. Reliab. Eng. Syst. Saf. 2016, 145, 169–182. [Google Scholar] [CrossRef]
  4. Rezazadeh, I.M.; Wang, X.; Firoozabadi, M.; Golpayegani, M.R.H. Using affective human–machine interface to increase the operation performance in virtual construction crane training system: A novel approach. Autom. Constr. 2011, 20, 289–298. [Google Scholar] [CrossRef]
  5. Bolton, M.L.; Siminiceanu, R.I.; Bass, E.J. A systematic approach to model checking human–automation interaction using task analytic models. IEEE Trans. Syst. Man Cybern. Part A 2011, 41, 961–976. [Google Scholar] [CrossRef]
  6. Wang, X.V.; Wang, L.; Mohammed, A.; Givehchi, M. Ubiquitous manufacturing system based on Cloud: A robotics application. Robot. Comput. Integr. Manuf. 2017, 45, 116–125. [Google Scholar] [CrossRef]
  7. Wan, J.; Tang, S.; Li, D.; Wang, S.; Liu, C.; Abbas, H.; Vasilakos, A.V. A Manufacturing Big Data Solution for Active Preventive Maintenance. IEEE Trans. Ind. Inform. 2017, 13, 2039–2047. [Google Scholar] [CrossRef]
  8. Thurman, D.A.; Mitchell, C.M. An apprenticeship approach for the development of operations automation knowledge bases. Proc. Hum. Factors Ergon. Soc. Annu. Meet. 2000, 44, 231–234. [Google Scholar] [CrossRef]
  9. Oishi, M.M.; Tilbury, D.; Tomlin, C.J. Guest Editorial Special Section on Human-Centered Automation. IEEE Trans. Autom. Sci. Eng. 2016, 13, 4–6. [Google Scholar] [CrossRef]
  10. Meisels, I.; Saaltink, M. The Z/EVES Reference Manual (for Version 1.5); Reference Manual TR-97-5493-03; ORA: Ottawa, ON, Canada, 1997. [Google Scholar]
  11. Woodcock, J.; Davies, J. Using Z: Specification, Refinement, and Proof; Prentice Hall Englewood Cliffs: Oxford, UK, 1996. [Google Scholar]
  12. Maynard, M. Issue: Global Manufacturing Global Manufacturing; Sage Businessresearcher: New York, NY, USA, 2015. [Google Scholar]
  13. Wu, Y.; Boyle, L.N.; McGehee, D.; Roe, C.A.; Ebe, K.; Foley, J. Foot placement during error and pedal applications in naturalistic driving. Accid. Anal. Prev. 2017, 99, 102–109. [Google Scholar] [CrossRef] [PubMed]
  14. Degani, A.; Kirlik, A. Describing the design contributors to mode error. In Proceedings of the Fourth Annual Symposium on Human Interaction with Complex Systems, Dayton, OH, USA, 22–25 March 1998; pp. 112–115. [Google Scholar]
  15. Wickens, C.D. Automation in air traffic control: The human performance issues. In Automation Technology and Human Performance; Lawrence Erlbaum Associates: Mahwah, NJ, USA, 1999; pp. 2–10. [Google Scholar]
  16. Hilbert, D.M.; Redmiles, D.F. Extracting usability information from user interface events. ACM Comput. Surv. 2000, 32, 384–421. [Google Scholar] [CrossRef]
  17. Torney, H.; O’Hare, P.; Davis, L.; Delafont, B.; Bond, R.; McReynolds, H.; McLister, A.; McCartney, B.; Di Maio, R.; McEneaney, D. A usability study of a critical man–machine interface: Can layperson responders perform optimal compression rates when using a public access defibrillator with automated real-time feedback during cardiopulmonary resuscitation? IEEE Trans. Hum. Mach. Syst. 2016, 46, 749–754. [Google Scholar] [CrossRef]
  18. Degani, A.; Heymann, M. Formal verification of human-automation interaction. Hum. Factors J. Hum. Factors Ergon. Soc. 2002, 44, 28–43. [Google Scholar] [CrossRef] [PubMed]
  19. Suzuki, A.; Ushio, T.; Adachi, M. Detection of automation surprises in discrete event systems operated by multiple users. In Proceedings of the International Joint Conference, SICE-ICASE, Busan, Korea, 18–21 October 2006; pp. 1115–1118. [Google Scholar]
  20. Adachi, M.; Ushio, T.; Ukawa, Y. Design of user-interface without automation surprises for discrete event systems. Control Eng. Pract. 2006, 14, 1249–1258. [Google Scholar] [CrossRef]
  21. Nachreiner, F.; Nickel, P.; Meyer, I. Human factors in process control systems: The design of human–machine interfaces. Saf. Sci. 2006, 44, 5–26. [Google Scholar] [CrossRef]
  22. Cummings, M.L.; Clare, A.; Hart, C. The role of human-automation consensus in multiple unmanned vehicle scheduling. Hum. Factors J. Hum. Factors Ergon. Soc. 2010, 52, 17–27. [Google Scholar] [CrossRef] [PubMed] [Green Version]
  23. Clarke, E.M.; Grumberg, O.; Peled, D. Model Checking; MIT Press: Cambridge, MA, USA, 1999. [Google Scholar]
  24. Parasuraman, R.; Sheridan, T.B.; Wickens, C.D. A model for types and levels of human interaction with automation. IEEE Trans. Syst. Man Cybern. Part A 2000, 30, 286–297. [Google Scholar] [CrossRef]
  25. Saleh, L.; Chevrel, P.; Claveau, F.; Lafay, J.-F.; Mars, F. Shared steering control between a driver and an automation: Stability in the presence of driver behavior uncertainty. IEEE Trans. Intell. Transp. Syst. 2013, 14, 974–983. [Google Scholar] [CrossRef]
  26. Heymann, M.; Degani, A. Formal analysis and automatic generation of user interfaces: Approach, methodology, and an algorithm. Hum. Factors 2007, 49, 311–330. [Google Scholar] [CrossRef] [PubMed]
  27. Pérez, A.; García, M.I.; Nieto, M.; Pedraza, J.L.; Rodríguez, S.; Zamorano, J. Argos: An advanced in-vehicle data recorder on a massively sensorized vehicle for car driver behavior experimentation. IEEE Trans. Intell. Transp. Syst. 2010, 11, 463–473. [Google Scholar] [CrossRef]
  28. Wei, Z.; Zhuang, D.; Wanyan, X.; Liu, C.; Zhuang, H. A model for discrimination and prediction of mental workload of aircraft cockpit display interface. Chin. J. Aeronaut. 2014, 27, 1070–1077. [Google Scholar] [CrossRef]
  29. Gachui, N.A. Wizard Navigation Functionality to Automated User Interfaces Using Finite State Machines. Master’s Thesis, Jomo Kenyatta University of Agriculture and Technology, Nairobi, Keneya, 2016. [Google Scholar]
  30. Wonham, W.M. Supervisory control of discrete-event systems. In Encyclopedia of Systems and Control; Springer: London, UK, 2015; pp. 1396–1404. [Google Scholar]
  31. Milner, R. Communication and Concurrency; Prentice Hall: New York, NY, USA, 1989; Volume 84. [Google Scholar]
  32. De Moura, L.; Owre, S.; Shankar, N. The SAL language manual. In Computer Science Laboratory; Technical Report CSL-01-01; SRI International: Menlo Park, CA, USA, 2003. [Google Scholar]
  33. Shankar, N. Symbolic Analysis of Transition Systems. In Proceedings of the International Workshop on Abstract State Machines, Theory and Applications, London, UK, 19–24 March 2000; pp. 287–302. [Google Scholar]
  34. Lin, Y.-D.; Liao, F.-Z.; Huang, S.-K.; Lai, Y.-C. Browser fuzzing by scheduled mutation and generation of document object models. In Proceedings of the 2015 International Carnahan Conference on Security Technology (ICCST), Taipei, Taiwan, 21–24 September 2015; pp. 1–6. [Google Scholar]
  35. Bolton, M.L.; Jiménez, N.; van Paassen, M.M.; Trujillo, M. Automatically generating specification properties from task models for the formal verification of human–automation interaction. IEEE Trans. Hum. Mach. Syst. 2014, 44, 561–575. [Google Scholar] [CrossRef]
  36. Bolton, M.L.; Bass, E.J. Using model checking to explore checklist-guided pilot behavior. Int. J. Aviat. Psychol. 2012, 22, 343–366. [Google Scholar] [CrossRef]
Figure 1. An example of a supervisor model.
Figure 1. An example of a supervisor model.
Applsci 08 00221 g001
Figure 2. An example of a supervisor machine model.
Figure 2. An example of a supervisor machine model.
Applsci 08 00221 g002
Figure 3. An example of supervisor interface model.
Figure 3. An example of supervisor interface model.
Applsci 08 00221 g003
Figure 4. An example of machine model.
Figure 4. An example of machine model.
Applsci 08 00221 g004
Figure 5. An example of reduced machine model.
Figure 5. An example of reduced machine model.
Applsci 08 00221 g005
Figure 6. (a) Computer-numerically controlled (CNC) milling control panel; (b) Controller switch.
Figure 6. (a) Computer-numerically controlled (CNC) milling control panel; (b) Controller switch.
Applsci 08 00221 g006
Figure 7. (a) Switches of computer-numerically controlled (CNC) milling control; (b) Display mode.
Figure 7. (a) Switches of computer-numerically controlled (CNC) milling control; (b) Display mode.
Applsci 08 00221 g007
Figure 8. Supervisor Model.
Figure 8. Supervisor Model.
Applsci 08 00221 g008
Figure 9. Supervisor Machine Model.
Figure 9. Supervisor Machine Model.
Applsci 08 00221 g009
Figure 10. Supervisor Interface.
Figure 10. Supervisor Interface.
Applsci 08 00221 g010
Figure 11. Interface Model of User #2.
Figure 11. Interface Model of User #2.
Applsci 08 00221 g011
Figure 12. Interface Model of User#3.
Figure 12. Interface Model of User#3.
Applsci 08 00221 g012
Table 1. Event execution based on criteria of observability and controllability through user and machine operation.
Table 1. Event execution based on criteria of observability and controllability through user and machine operation.
#User and MachineUserChoiceEventControllabilityObservabilitySupervisor ModelSupervisor Machine ModelPublication
Only 1 M 1 η 1 , 1 * L 1
User operation
1 ( M c o m ) c h o i c e = 1 YesYesNoNo[26]
Only 1 L 2 β 1 , 1 * M 1
Machine operation
- M o b s NoYesNoNo[20]
Only 1 L 1 γ 1 , 1 * L 2 L 2 γ 1 , 2 * L 1 M 1 γ 1 , 3 * M 2 M 2 γ 1 , 5 * M 3 M 2 γ 1 , 4 * M 1 M 3 γ 1 , 6 * M 2
Machine operation
- M i n t NoNoNoNo[20,26]
>1 can be used L 2 α 1 , 1 * M 1
L 2 α 1 , 2 * M 2
User operation
>1 ( M , i c o m ) c h o i c e > 1 YesYesNoNo***
>1 can be used N S 0 α S U 1 L 1
Supervisor operation
1 ** ( S c o m ) c h o i c e > 1 YesYesYesYes***
Note: * Previously model can support only one user and machine so we used η 1 * representation. Now, we changed the representation because of more than one user and machine from η 1 * to η 1 , 1 (user or machine = 1, operation = 1). ** Supervisor will deliver the instruction to user for proceeding the user operations. Also, depend upon supervisor model; supervisor may have one or more than one choice to execute her/his task. *** Contribution.
Table 2. Event execution based on criteria of observability and controllability through supervisor and supervisor machine operation.
Table 2. Event execution based on criteria of observability and controllability through supervisor and supervisor machine operation.
#User and MachineSupervisorChoiceEventControllabilityObservabilityPublication
More than 1 N S M 0 η S 1 N S M 0
Supervisor operation
1 ( S M c o m ) c h o i c e = 1 YesYes***
More than 1 N S M 2 β S 1 N S M 3 N S M 3 β S 2 N S M 2
Machine operation
** S M o b s NoYes***
More than 1 N S M 1 γ S 1 N S M 2 N S M 2 γ S 3 N S M 4 N S M 2 γ S 2 N S M 1 N S M 4 γ S 4 N S M 2
Machine operation
** S M i n t NoNo***
More than 1 N S M 0 α S U 1 N S M 1 N S M 0 α S U 2 N S M 2 N S M 0 α S U 3 N S M 3 N S M 0 α S U 4 N S M 4 N S M 1 α S U 5 N S M 2 N S M 1 α S U 6 N S M 3
Supervisor operation
>1 * α S U i ( S M c o m ) c h o i c e > 1 YesYes***
Note: * Supervisor will deliver the instruction to user for preceding the user operations. Also, depend upon supervisor model; supervisor may have one or more than one choice to execute her/his task. ** The machine transition could be one or more but activate as per time transition. *** Contribution.

Share and Cite

MDPI and ACS Style

Khan, S.M.U.; He, W. Formal Analysis and Design of Supervisor and User Interface Allowing for Non-Deterministic Choices Using Weak Bi-Simulation. Appl. Sci. 2018, 8, 221. https://doi.org/10.3390/app8020221

AMA Style

Khan SMU, He W. Formal Analysis and Design of Supervisor and User Interface Allowing for Non-Deterministic Choices Using Weak Bi-Simulation. Applied Sciences. 2018; 8(2):221. https://doi.org/10.3390/app8020221

Chicago/Turabian Style

Khan, Shazada Muhammad Umair, and Wenlong He. 2018. "Formal Analysis and Design of Supervisor and User Interface Allowing for Non-Deterministic Choices Using Weak Bi-Simulation" Applied Sciences 8, no. 2: 221. https://doi.org/10.3390/app8020221

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop