AbstractÐThis paper examines and proposes an approach to writing software specifications, based on research in systems theory, cognitive psychology, and human-machine interaction. The goal is to provide specifications that support human problem solving and the tasks that humans must perform in software development and evolution. A type of specification, called intent specifications, is constructed upon this underlying foundation. Index TermsÐRequirements, requirements specification, safety-critical software, software evolution, human-centered specifications, means-ends hierarchy, cognitive engineering.

This dissertation defines and explores Graspable User Interfaces, an evolution of the input mechanisms used in graphical user interfaces (GUIs). A Graspable UI design provides users concurrent access to multiple, specialized input devices which can serve as dedicated physical interface widgets, affording physical manipulation and spatial arrangements. Like conventional GUIs, physical devices function as “handles” or manual controllers for logical functions on widgets in the interface. However, the notion of the Graspable UI builds on current practice in a number of ways. With conventional GUIs, there is typically only one graphical input device, such as a mouse. Hence, the physical handle is necessarily “time-multiplexed,” being repeatedly attached and unattached to the various logical functions of the GUI. A significant aspect of the Graspable UI is that there can be more than one input device. Hence input control can then be “space-multiplexed.” That is, different devices can be attached to different functions, each independently (but possibly simultaneously) accessible. This, then affords the capability to take advantage of the

Automation is often problematic because people fail to rely upon it appropriately. Because people respond to technology socially, trust influences reliance on automation. In particular, trust guides reliance when complexity and unanticipated situations make a complete understanding of the automation impractical. This review considers trust from the organizational, sociological, interpersonal, psychological, and neurological perspectives. It considers how the context, automation characteristics, and cognitive processes affect the appropriateness of trust. The context in which the automation is used influences automation performance and provides a goal-oriented perspective to assess automation characteristics along a dimension of attributional abstraction. These characteristics can influence trust through analytic, analogical, and affective processes. The challenges of extrapolating the concept of trust in people to trust in automation are discussed. A conceptual model integrates research regarding trust in automation and describes the dynamics of trust, the role of context, and the influence of display characteristics. Actual or potential applications of this research include improved designs of systems that require people to manage imperfect automation.

Composition of a system is driven by the (a) identification and specification of basic components, and (b) specification of the interactions across the components, i.e., the communication linkages, that are needed to communicate value and temporal information across the components from which the aggregate system results. This paper addresses compositional design of distributed Real-Time (RT) systems focusing specifically on the role of specification of linking interfaces (LIFs) across components.

A framework for designing a multiagent system (MAS) in which agents are capable of coordinating their activities in routine, familiar, and unfamiliar situations is proposed. This framework is based on the skills, rules and knowledge (S-R-K) taxonomy of Rasmussen. Thus, the proposed framework should allow agents to prefer the lower skill-based and rule-based levels rather than the higher knowledge-based level because it is generally easier to obtain and maintain coordination between agents in routine and familiar situations than in unfamiliar situations. The framework should also support each of the three levels because complex tasks combined with complex interactions require all levels. To permit agents to rely on low levels, a suggestions is developed: agents are provided with social laws so as to guarantee coordination between agents and minimize the need for calling a central coordinator or for engaging in negotiation which requires intense communication. Finally, implemen...

gence in circumscribed, cooperative roles to aid human observers in organizing, selecting, managing, and interpreting data. CHARACTERIZATIONS OF DATA OVERLOAD Data overload is the problem of our age -- generic yet surprisingly resistant to different avenues of attack. In order to make progress on innovating solutions to data overload in a particular setting, we need to identify the root issues that make data overload a challenging problem everywhere and to understand why proposed solutions have broken down or produced limited success in operational settings. There are three basic ways that the data overload problem has been characterized (Woods, Patterson, and Roth, 1998): 1. As a clutter problem where there is too much data: therefore, we can solve data overload by reducing the number of data units that are displayed. This has not proven to be a fruitful direction in solving data overload because it misrepresents the design problem, is based on erroneous assumptions a

This paper examines the issue of completeness in specification language design. In the mid-80s we identified a set of 26 formal criteria to identify missing, incorrect, and ambiguous requirements for process-control systems. Experimental validation of the criteria on NASA and NASDA spacecraft systems have supported their usefulness in detecting commonly omitted but important information and engineers have been using them in checklist form on real systems. At the same time, we have extended the criteria and now have over 60. This paper shows how most of the criteria can be embedded in a formal specification language in ways that potentially allow automated checking or assist in manual reviews.

This report details a complete, beginning-to-end Cognitive Systems Engineering (CSE) project tackling the challenges of conducting intelligence analysis under the condition of data overload. We first reviewed and synthesized the research base on data overload from multiple complex, high-consequence settings like nuclear power generation. The product of this activity was a diagnosis of the challenges of dealing with data overload in general. Then, leveraging this research base and previous experience in conducting Cognitive Task Analysis (CTA), we conducted a study to identify the aspects of this research base that applied to intelligence analysis as well as unique challenges. We observed expert intelligence analysts conducting an analysis on a selected unclassified scenario, the 1996 Ariane 501 rocket launch failure, with a baseline set of tools that supported keyword search, browsing, and word processing in an investigatorconstructed database. From this study, we identified challenging tasks in intelligence analysis that leave analysts vulnerable to making inaccurate statements in briefings when they are working in a new topic area and are under short deadline constraints. In parallel, we identified limitations of the baseline tools in addressing these vulnerabilities that pointed to ideas for new design directions. In addition, the study findings were translated into objective criteria for evaluating the usefulness of any effort aimed at reducing data overload. In the final phase of the project, we shifted from an emphasis on problem definition to an emphasis on developing modular design concepts, or "design seeds," that could be incorporated into both ongoing and future design efforts. The design seeds were instantiated as animated fly-through mockups, or "Animocks,"...

The increasing technological sophistication of ship navigation systems may significantly alter the skills, knowledge, and strategies involved in navigating large ships. Many examples in other domains illustrate the dangers of technology-driven innovations. These examples show that without a systematic method to detect design flaws and training requirements, technology -driven designs may degrade rather than enhance maritime safety. The operator function model (OFM) provides the basis for examining technological innovations; however, the OFM does not describe specific cognitive demands. Augmenting the OFM with a description of cognitive operations provides a structured cognitive task analysis tool-OFM-COG-that can identify the design and training requirements needed to safeguard system performance. This approach identifies how to tailor designs, develop training, and adjust qualifications to minimize the human errors that might otherwise accompany technological innovation. This paper shows how OFM-COG can catalog differences between traditional navigation systems and those augmented with electronic charts and collision avoidance systems. Specifically, it examines the cognitive demands of collision avoidance and track keeping, with and without advanced technological aids. This analysis demonstrates that some advanced radars may in fact increase the likelihood of certain collisions, and that the current certification process does not reflect the cognitive demands of the new technology. The analysis also indicates that electronic chart display and information systems (ECDIS) can reduce the redundancy that has served to make traditional systems quite reliable. Drawing upon these examples, this paper describes OFM-COG and demonstrates how this novel, model-based analysis tech...

Contrary to end-users, security is a primary task for those charged with the security of system or network. Despite the importance of the task, little is known about how to effectively design interfaces for security management systems. Usability problems in these systems can lead to security vulnerabilities because administrators may miss an attack altogether or misdiagnose it. We examined four different design approaches in order to devise a preliminary set of design guidelines for security management systems.