Both state machines are modeled as two distinct sets of processes in Hoare’s CSP language [3]. CSP-processes engage in events (e.g., communication with other processes, or signals) and proceed from one state to another. The processes comprise disjoint sets of states (modeled as subprocesses), disjoint sets of internal communication channels and variables (e.g., the user’s perception of the current speed of the wheelchair may differ from that of the automation), and a shared set of external observables, such as the information whether or not the wheelchair is in a standstill.

The FDR model checking tool is used to carry out refinement checks in the so-called failures model. Here, each process is represented by the set of finite event sequences it can perform (its traces) and by its refusals (sets of events the process cannot engage in after having performed a certain trace). If a process P refines a process Q in the failures model, every behavior of P can also be observed for Q with regard to the traces as well as to the refusal sets. If the process U representing the user’s mental model of the automation and the process A representing the implementation of the automation are equal in the failures model, the user will never lose track of the automation behavior and the automation will always accept any action of the user that he or she thinks to be adequate in a specific situation.

5 5 Results and Future Work So far, the mode confusion analysis has shown that the human operator cannot track the behavior of the automation if the obstacle avoidance module tries to steer back to the original path after an avoidance maneuver. To avoid such mode awareness problems in the future, the human-machine interface will be improved. By means of a speech module, the wheelchair will indicate mode changes. As a consequence, confusing situations in which, for instance, the driving assistant tries to circumvent an obstacle that cannot be seen by the human operator will occur less often. The formal approach briefly sketched in section 4.3 will be generalized to suit a wide range of application domains similar to the one presented here.

Acknowledgments This work was supported by the Deutsche Forschungsgemeinschaft through the priority program “Spatial Cognition”.

