COMMUNICATION-BASED MODELLING AND INSPECTION IN
CRITICAL SYSTEMS
Marcos Salenko Guimarães, M. Cecilia C. Baranauskas and Eliane Martins
Instituto de Computação, Universidade Estadual de Campinas, Av. Albert Einstein, 1251, Campinas, SP, Brazil
Keywords: Human-Computer Interaction, Safety-Critical Systems, Communication, Organizational Semiotics.
Abstract: Safety-critical systems are systems whose failure would provoke injury or death to human beings. In avionic
systems we have seen some significant evolution related to the aircraft cockpits. The Personal Air Vehicle
(PAV) represents a new generation of small aircraft being conceived to extend personal air travel to a much
larger segment of the population proposing new concepts of interaction and communication in aviation. In
this domain, communication is a critical factor especially among the users while running the system through
its interfaces. This paper presents a technique for modelling and inspecting communication in the user
interface of the avionics domain; a case study illustrates the proposal for artefacts of the PAV domain.
1 INTRODUCTION
Safety-critical systems are systems whose failure
would provoke injury or death to human beings
(Palanque, 1998). An incident is defined as an
unexpected event that may or may not lead to
accidents or deaths (Johnson, 2003). In aviation
systems, many incidents originate from failures in
communication mediated by user interface artefacts,
as statistics on problems in the avionics domain
show: from 34 total incidents, 1100 computer-related
accidental deaths occurred from 1979 to 1982; 4% of
the deaths were due to physical causes, 3% to software
error, and 92% to problems related to human-computer
interaction failures (Harrison, 2004). According to the
Air Traffic Control (ATC), 90% of the air traffic
incidents occur due to faults attributed to pilots or
controllers. These reports show the role a reliable user
interface has in providing better human-computer
interaction, enabling the correct use of critical artefacts
and supporting decision making, mainly during
emergency situations.
The user interfaces in aircraft cockpits have evolved
significantly in recent years. The flight decks (or
cockpits) today utilize
multifunction computer displays – where huge
amounts of information are stored and the pilot
navigates through layers and layers to find the
required information (Carver and Turoff, 2007).
He/she thus becomes more a system engineer than a
pilot. This modern cockpit, named “glass cockpit”,
represents information using graphical elements
through diagrams and symbols. The automated
systems may produce conflicting data from different
sources and they will force decisions about which
information to act upon (Carver and Turoff, 2007).
The concept behind the Personal Air Vehicle
(PAV) represents a new generation of small aircraft
that can extend personal air travel to a much larger
segment of the population. PAV must provide
simplified operation akin to driving a car. Although
several tasks will be executed by the automation
system, because users are not expected to have
completed a pilot's training course, others will be
allocated to humans. Within this scenario, the future of aviation
is being discussed by the CAFE Foundation (Cafe,
2007) and the National Aeronautics and Space
Administration (Young and Quon, 2006). There are
several research sectors specialized in technologies
related to PAV such as flight instructor systems
(Allen, 2007), synthetic vision information systems
(Schnell et al., 2002; Glaab et al., 2003) and
distributed decision-making (Rong et al., 2005).
As cockpits have evolved technically, there are
demands for new fundamentals and for theoretical and
methodological backgrounds that contribute to
understanding the interaction and communication
issues between human and machine.
Salenko Guimarães M., Cecilia C. Baranauskas M. and Martins E. (2008).
COMMUNICATION-BASED MODELLING AND INSPECTION IN CRITICAL SYSTEMS.
In Proceedings of the Tenth International Conference on Enterprise Information Systems - HCI, pages 215-220
DOI: 10.5220/0001693902150220
Copyright © SciTePress
We understand that the Human-Computer
Interaction (HCI) field has a role to play and
responsibilities to assume in this particular domain.
HCI is a field of study concerned with human and
machine in communication. It draws on knowledge
on both the machine and the human sides. On the
machine side, computer graphics, operating systems,
programming languages, and development
environments are relevant disciplines. For the human
side, communication theory, graphic and industrial
design, linguistics, social sciences, cognitive
psychology, and ergonomics are important
disciplines. Moreover, engineering and design
methods are naturally relevant (Hewett et al. 2007).
The concepts of communication and interaction
are sometimes blurred in the HCI context.
Communication has been studied from different
points of view, with associated models. The semiotic
school understands communication as the production
and sharing of meaning (Baranauskas et al., 2002).
Therefore, in the context of this work, we
understand “communication” as implying code
(anything that has a meaning for something or
someone) sharing among systems. Human and
computer systems can communicate by
interacting through icons, windows, progress bars,
buttons and other user interface elements.
To our knowledge, literature on user interface
analysis in the domain being considered has not paid
special attention to communication issues. This work
presents an exploratory approach for analysing the
user interface of safety-critical systems regarding
communication aspects. The proposed approach is
applied to the analysis of the Synthetic Vision
Systems (SVS) display, which is one of the user
interaction technologies required by PAV aircraft.
The paper is organized as follows: Section 2
presents the theoretical background which serves as
the foundation for the proposed analysis. Section 3
applies the approach to an exploratory study of a
PAV cockpit. Section 4 presents conclusions and
points to further work.
2 THEORETICAL AND
METHODOLOGICAL
BACKGROUND
The theoretical and methodological background
considered in this work is Semiotics, which consists of
the study of the signs that are used for
communication. The rules operating upon them and
upon their use form the core of the communication
study. As there is no communication without a
system of signs, Semiotics, as a discipline concerned
with the analysis of signs or the study of the
functioning of sign systems, may offer an appropriate
foundation.
Organisational Semiotics (OS) is one of the
branches of Semiotics particularly related to
business and organisations (Liu, 2000). OS
understands that any organized behaviour is
governed by a system of social norms which are
communicated through signs. Methods for Eliciting,
Analysing and Specifying Users’ Requirements
(MEASUR), which resulted from Stamper’s research
work in the late 70s (Stamper, 1993), constitutes a
set of methods to deal with all aspects of information
system design: the use of signs, their function in
communicating meanings and intentions, and their
social consequences. The methods relevant to the
specific scope of this work are described as follows:
The Stakeholder Analysis allows investigating all
the interested parties (stakeholders) that
directly or indirectly have influence on or
interests in the information system under
analysis. In the Stakeholder Analysis, all
interested parties are categorized into
several groups whose context covers the whole
organization.
The Evaluation Framing is an extension of the
Stakeholder Analysis, which allows
identifying, for each stakeholder category,
their questions and problems, in order to
discuss possible solutions.
The Semiotic Ladder (SL) is an artefact
primarily used to clarify some important
Information System notions such as
information, meaning and communication
(Cordeiro and Filipe, 2004). Stamper
(1973) extended the traditional
semiotic divisions of syntactics, semantics and
pragmatics by adding three other layers: social
world, physical world and empirics, as
depicted in Figure 1, which, all together, form
the SL.
Figure 1: Semiotic Ladder, adapted from Stamper (1973).
ICEIS 2008 - International Conference on Enterprise Information Systems
A communication is considered successful only
if all these six levels of the SL are successfully
accomplished. The communication in upper levels
depends on the result of the communication on
lower levels. The Physical World deals with the
physical aspects of signs such as cable or radio
waves. The Empirics level deals with the statistical
properties of signs such as channel capacity,
patterns, efficiency. In the Syntactic level, there are
signs and their relations to other signs forming a
structure, language, data and records. The Semantics
deals with signs and their relations to meaning that
users perceive. In the Pragmatics level, the signs and
their effect on users are identified. Finally, in the
Social World, the signs and their relation to social
implications are considered. If there is a failure in
the Semantics level, it means that it is related to the
human information function. Therefore, the SL may
link human factors and social issues focusing on
different levels of communication.
The Fractal Model of Communication (FMC)
(Salles et al., 2001; Salles, 2000) captures the
structure of the communication process involved in
the application domain. The FMC models agents in
communication through channels. A communicant
agent shares information with other agents through
channels. Figure 2 represents this concept of
communication in which, in one level (or one fractal
dimension), agents B and C communicate through
channel A. In another level, A assumes the role of an
agent in communication with C through channel AC.
Figure 2: The Fractal Model of Communication (Salles,
2000).
The artefacts of Stakeholder Analysis and
Evaluation Framing can be developed during the
requirements analysis (Guimarães et al., 2007).
These artefacts can be reused for modelling and
inspection: the Stakeholder Analysis and the
Evaluation Framing serve to define the agents and
channels of the FMC. The communication inspection is
accomplished by analysing all the six levels of the
SL for each channel represented in the FMC model.
The FMC models communication in any fractal
dimension: from the organizational context
(business) to a small pixel in the screen (user
interface elements). For example, if the context of
requirements is relative to the user interface, then the
FMC should have a channel representing the user
interface. If the requirements refer to a specific
interaction object, the channel representing the user
interface should be exploded into a lower
fractal dimension to obtain a specific channel for
this interaction object. Therefore, the FMC should
be adjusted according to the contexts of the requirements.
The presented artefacts can be articulated for
modelling and inspecting the communication as
proposed in this work. Figure 3 illustrates it.
The inspection is conducted by verifying all
levels of the SL in all FMC channels. Examples of
questions defined for each SL level are listed in
Table 1.
Table 1: Questions for the six levels of the Semiotic Ladder.
Layer | Question
Physical world | How is communication being accomplished regarding physical aspects (signals, traces, physical distinctions, hardware component, etc.)?
Empirics | What are the empirical characteristics (pattern, capacity, speed, noise) of this communication?
Syntactic | How is communication being accomplished in syntactic terms (language, formal structure, files, software)?
Semantics | How is communication being accomplished regarding semantics (meanings, propositions, validity, truth, signification, denotations)?
Pragmatics | How is communication being accomplished regarding pragmatics aspects (intentions, communication, conversations, and negotiations)?
Social world | How is communication being accomplished in social terms (beliefs, expectations, law, commitments, contracts, culture)?
The SL allows exploring each communication
channel with a wide coverage. The physical,
empirics and syntactic levels focus on information
technology and the levels of semantics, pragmatics
and social world focus on the human context.
Figure 3: Modelling and inspecting communication.
In the next section, these modelling and
inspection techniques will be applied in a case study
related to the PAV context.
3 MODELLING AND
INSPECTING A PAV DISPLAY
This section presents the modelling and inspection
for the SVS display, one of the technologies
proposed for human-vehicle interaction for PAV,
based on outcomes from the analysis of the problem
domain carried out using the OS methods
(Guimarães et al., 2007). Because the analysis is
specific to the SVS display, in this section the FMC
is adapted to the context of this display.
Literature proposes several elements for the user
interface of SVS displays including symbolic,
textual and graphical representations. Not all SVS
displays are designed for PAV. Although Domino
(2006) proposed a user interface layout for an SVS
display without mentioning whether it was designed
for PAV or not, it nevertheless provides an SVS display layout.
The horizon (composed by sky and terrain) is
presented as 3D objects; all obstacles (fog, clouds
and darkness) are removed as this display provides a
synthetic view, i.e. data related to visualization is
obtained from a database and not from the real
world. It provides information (represented as
Indicator) regarding current altitude (represented as
Tape), current speed (as Tape), pathway display
elements and other information that can help the
user to gain situational awareness. This SVS display
will be analysed regarding communication aspects
considering the PAV context. Figure 4 depicts the
FMC in a fractal dimension representing the SVS
display proposed by Domino with more specific agents
and channels. There is no limit on the number of
fractal dimensions, allowing any degree of detail when
necessary.
Figure 4: Modelling SVS display using FMC.
In interactive systems, the FMC represents the
communication between two agents (the display and
the user) through a channel called user interface
acting as communication media. One important
concept related to modelling in safety-critical
systems is redundancy. For example, aircraft with
redundant displays is a typical configuration. We
model redundancy in FMC by using dashed
connections and dashed circles as Figure 4 depicts.
This communication-related inspection technique
consists of answering the questions listed in Table 1 for
all channels represented in the FMC and in all fractal
dimensions, to obtain a complete view. The
answers should be easy to understand, explaining
how the communication is accomplished in each
layer of the SL. In this case study, the answers
regarding the channel Tape are presented in Table 2.
Table 2: Answers of SL for channel Tape.
Layer | Answer
Physical world | Tape consists of several colored pixels.
Empirics | The tape may show any range of values depending on the context (altitude, speed).
Syntactic | The rectangle is presented with scale of values and a current value pointed by a triangle.
Semantics | This object is well known by pilots which means that there is a current value with specific range and scale.
Pragmatics | This object represents for pilots the current value with scale information.
Social world | Providing better situation awareness, the pilots feel safe during the flight.
The analysis of the SVS Display proposed by
Domino, based on Table 2, shows that the
communication channels through tapes seem
adequate for pilots. In the case of PAV, the users are
not only pilots but also people without intensive
training. Therefore, this artefact may not be
sufficient for PAV.
The artefacts (Stakeholder Analysis, FMC and
SL) provide rich information related to communication
with wide coverage. The organization can prepare
for most communication failures by
studying alternative ways to proceed if a communication fails.
The alternative ways can be obtained by focusing on
the FMC to identify the redundant communication
channels, supposing situations in which each specific
channel or agent is unavailable. The SL provides a
more specific focus, directed to the cause
of communication failure for each channel. This list
of possible communication failures and the respective
ways of treating them also contributes to
improvements in communication. Consequently, it
leads to improvements in the quality of the technical
product.
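The following sketch is an added example, not part of the original paper: it treats one fractal dimension of an FMC as agents linked by channels, searches for alternative routes when a channel or agent is unavailable, lists the points that lack redundancy, and reports the lowest SL level at which a channel inspection fails. The agent and channel names and the adequacy flags attached to the Table 2 answers are assumptions made for illustration.

```python
from collections import deque

# The six Semiotic Ladder levels, lowest first (order of Table 1).
SL_LEVELS = ["physical world", "empirics", "syntactic",
             "semantics", "pragmatics", "social world"]

def first_failed_level(inspection):
    """Lowest SL level that is unanswered or judged inadequate, else None.

    `inspection` maps level -> (answer, adequate). Upper levels depend on
    lower ones, so the first failure bounds the whole communication.
    """
    for level in SL_LEVELS:
        answer, adequate = inspection.get(level, ("", False))
        if not answer or not adequate:
            return level
    return None

def find_route(channels, src, dst, unavailable=frozenset()):
    """Breadth-first search for a chain of channels linking two agents.

    `channels` maps channel name -> (agent, agent); `unavailable` may name
    channels or agents. Returns a list of channel names, or None.
    """
    if src in unavailable or dst in unavailable:
        return None
    queue, seen = deque([(src, [])]), {src}
    while queue:
        agent, path = queue.popleft()
        if agent == dst:
            return path
        for name, (a, b) in channels.items():
            if name in unavailable or agent not in (a, b):
                continue
            nxt = b if agent == a else a
            if nxt not in seen and nxt not in unavailable:
                seen.add(nxt)
                queue.append((nxt, path + [name]))
    return None

def redundancy_points(channels, src, dst):
    """Channels and intermediate agents whose loss cuts src off from dst."""
    agents = {a for pair in channels.values() for a in pair} - {src, dst}
    return sorted(x for x in list(channels) + sorted(agents)
                  if find_route(channels, src, dst, {x}) is None)

# Constructed FMC for one fractal dimension (all names are assumptions).
FMC = {
    "terrain data":   ("Terrain database", "SVS computer"),
    "primary feed":   ("SVS computer", "Primary display"),
    "redundant feed": ("SVS computer", "Redundant display"),
    "primary UI":     ("Primary display", "User"),
    "redundant UI":   ("Redundant display", "User"),
}

def tape_inspection(trained_pilot):
    """Table 2 answers for channel Tape; the adequacy flags are assumed."""
    return {
        "physical world": ("several colored pixels", True),
        "empirics": ("any range of values, depending on context", True),
        "syntactic": ("rectangle with scale and triangle pointer", True),
        "semantics": ("well known by pilots", trained_pilot),
        "pragmatics": ("current value with scale information", True),
        "social world": ("better situation awareness", True),
    }

if __name__ == "__main__":
    print(first_failed_level(tape_inspection(trained_pilot=False)))
    print(find_route(FMC, "Terrain database", "User", {"Primary display"}))
    print(redundancy_points(FMC, "Terrain database", "User"))
```

In this constructed model the displays are redundant, so the points reported as lacking an alternative are the single database channel and the single computer agent.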
4 CONCLUSIONS
Communication is a critical factor to be addressed in
safety-critical systems, especially in the avionics and
aviation domain. Semiotics as a discipline focused
on communication may provide a good foundation
to inform the modelling and inspection of
communication in these systems. This paper
proposed using artefacts of Organizational Semiotics
allied to a framework for modelling communication:
the Fractal Model of Communication (FMC). The
approach was illustrated with the modelling and
inspection of communication regarding a SVS
display of Personal Air Vehicles.
The FMC represents agents and channels of
communication with unlimited fractal dimensions.
In this way, the communication model can be
presented in overview and with detailed information
of each channel, with the six layers of
communication of the Semiotic Ladder. FMC and
Semiotic Ladder provide support for inspecting a
communication system (e.g. the user interface)
helping to detect problems related to
communication. This technique allows seeing the
connection between the organizational view and the
user interface contexts. The overall communication
quality depends on the quality of communication in
each channel. Nevertheless, the FMC may grow in
complexity presenting many agents and channels
making the reading difficult. Some visualization
tools may allow the presentation of the FMC model
with a configurable filter to allow visualizing each
fractal dimension separately, zooming in and out to
show only the agents and channels needed for a
specific consideration.
As an extension of the communication-based
modelling, some adjustments of this technique could
inform the system development for improving the
quality of the communication among agents in the
organization. Moreover, part of this
communication-based modelling upon FMC may be automated by a
tool. This tool would be valuable for defining
redundancy points, obtaining alternative ways
(channels and agents) to maintain communication.
ACKNOWLEDGEMENTS
We thank our colleagues and reviewers for insightful
comments on a previous version of the paper.
REFERENCES
Allen M. J., 2007. “Guidance and Control of an
Autonomous Soaring UAV”, In NASA Technical
Memorandum, NASA/TM-2007-214611, NASA.
Baranauskas M. C. C., Salles J. P., Liu K., 2002.
“Analysing Communication in the Context of a
Software Production Organisation”. In 4th
International Conference on Enterprise Information
Systems, Kluwer Academic Publishers, 2002, pp 202-209.
Cafe Foundation, 2007. “Personal Air Vehicle”. Retrieved
January 27, 2007, from
http://cafefoundation.org/v2/pav_home.php.
Carver L. and Turoff M., 2007. “Human-Computer
Interaction: The Human and Computer as a Team in
Emergency Management Information Systems”. In
Communications of the ACM, Vol. 50. No. 3. ACM
Press.
Cordeiro J., and Filipe J., 2004. “The Semiotic Pentagram
Framework - A perspective on the use of Semiotics
within Organisational Semiotics”. In Proceedings of
the 7th International Workshop on Organisational
Semiotics.
Domino D. A., 2006. “Concept of Operations for the Use
of Synthetic Vision System (SVS) Display During
Precision Instrument Approach”. In Tech paper of
MITRE. Retrieved October 11, 2007, from
http://www.mitre.org/work/tech_papers/tech_papers_07/06_1230/06_1230.pdf.
Glaab L. J., Kramer L. J., Arthur T., Parrish R. V., Barry J.
S., 2003. “Flight Test Comparison of Synthetic Vision
Display Concepts at Dallas/Fort Worth International
Airport”. In NASA Technical Publication
NASA/TP-2003-212177. NASA.
Guimarães M. S., Baranauskas M.C.C., Martins E., 2007.
“A Communication-based Approach to Requirements
Elicitation for Safety-Critical Systems”. In
Proceedings of 10th International Conference on
Organisational Semiotics, ICOS.
Harrison, M., 2004. Aspects of Human Error: A brief
introduction. In Workshop on Human Computer
Interaction and Dependability. Retrieved May 2,
2006, from
http://www.laas.fr/IFIPWG/Workshops&Meetings/46/03-Harrison.pdf.
Hewett, Baecker, Card, Carey, Gasen, Mantei, Perlman,
Strong and Verplank, 2007. Curricula for Human-
Computer Interaction, ACM SIGCHI Curricula for
Human-Computer Interaction. Retrieved October 17,
2007, from http://sigchi.org/cdg/cdg2.html. ACM
SIGCHI.
Johnson, C. W., 2003. Failure in Safety-Critical Systems:
A Handbook of Incident and Accident Reporting.
Glasgow University Press.
Liu, K., 2000. Semiotics in Information Systems
Engineering, Cambridge University Press.
Rong J., Theresa S. and Valasek J., 2005. “Small Aircraft
Pilot Assistant: Onboard Decision Support System for
SATS Aircraft”. In AIAA 5th Aviation, Technology,
Integration, and Operations Conference, 26-28.
Palanque, P., Paterno, F., Fields, R., 1998. Designing
User Interfaces for Safety Critical Systems. In CHI´98
workshop, ACM Press.
Salles J. P., Baranauskas M. C. C. and Bigonha R. S.,
2001. “Towards a communication model applied to the
interface design process”. In Knowledge-Based
Systems, v. 18, n. 8, 455-459.
Salles J. P., 2000. “O Modelo Fractal de Comunicação:
Criando um Espaço de Análise para Inspeção do
Processo de Design de Software”. In Tese de
Doutorado, Departamento de Ciência da Computação,
Universidade Federal de Minas Gerais.
Schnell T., Lemos K., and Etherington T., 2002. “Terrain
Sampling Density, Texture, and Shading
Requirements for SVIS”. In Final Report to the Iowa
Space Grant Consortium.
Stamper R. K., 1993. “Social Norms in requirements
analysis – an outline of MEASUR”. In Requirements
Engineering, Technical and Social Aspects. Academic
Press.
Stamper R. K., 1973. Information in Business and
Administrative Systems, John Wiley and Sons Inc.
Young S. D. and Quon L., 2006. “Aviation Safety
Program, Integrated Intelligent Flight Deck, Technical
Plan Summary”. Retrieved October 17, 2007, from
http://www.hq.nasa.gov/office/aero/nra_pdf/iifd_tech_plan_c1.pdf.