2016
2015
Scottish Informatics and Computer Science Alliance
2014
2013
EU EATS project supporting the European Train Control System (ETCS).
2012
2011
G2014: Games Planning Model as a Living Legacy for the Governance and Implementation of Security Planning for a Sporting Event
European Commission
Strathclyde Police and Scottish Resilience: Social Media to Support Contingency Planning.
2010
EPSRC: EP/1004289/1: Validation of the USAF 8-Step Problem Solving Technique for Software Configuration Management (with Support from NASA, ESA and USAF)
2009
2008
European Railways Agency: Techniques for Improving Accident and Incident Investigation
2007
BAe Systems CASE Award: Simulating Crowd Responses to Improvised Explosive Devices (IEDs)
2005
US Air Force: Longitudinal Study of US Aviation Accidents (1986-2006)
2003
EC ADVISES Research Training Network
2002
Learning from Incidents Involving Electronic/Programmable Electronic Systems
NASA/ICASE Research 'Fellowship' on Mishap Investigation
2000
Elaboration of Guidelines for Air Traffic Management Occurrence Reporting
Equator: EPSRC Interdisciplinary Research Centre
1999
Communication of Knowledge (about Accidents) from Synthesised Web Sites
1998
Paraglyde: Mobile Information Resources for Anaesthetists
1996
Linking User and System Models to Analyse the Causes of Major Accidents
1995
Principles For The Use Of Formal Notations During Accident Investigations
Temporal And Graphical Primitives For Declarative Graphics:
Closing The Gap Between Internal Data Structures And Display Objects
1994
Exploiting Utility And Risk Assessments During The Design of Human-Machine Interfaces
1993
Temporal Aspects of Usability
1992
Using Formal Methods To Derive Requirements From Accident Analyses
European Train Control System - Advanced Testing and Smart Train Positioning System (FP7-TRANSPORT-314219)
For more information, see the project web pages
Currently, the rollout of the European Train Control System (ETCS) is a major concern for train manufacturers and railway infrastructure managers. Equipment for ETCS levels 1 and 2 typically follows a long process before being put into service, for two main reasons. First, there are variations in how the specification of the systems' behaviour is interpreted. Second, the available laboratory certification procedures do not completely address all the needs of the system and require long and expensive field testing. On the other hand, migration from ETCS level 2 to level 3, which maximises railway efficiency, has not yet been foreseen because of technical constraints that current GNSS solutions, based on GPS and EGNOS, cannot overcome.
In this context, the EATS project aims to address both of these situations. On the one hand, it will progress beyond the state of the art by providing a model of the complete on-board ERTMS system behaviour, eliminating interpretation differences. It will also add new laboratory tools that capture the dynamic behaviour of the wireless interfaces and apply fault-injection techniques to the external and internal interfaces for the safety assessment. This will reduce the time and cost of the laboratory and field-testing certification process. In the current economic situation, this is crucial in order to maintain the pace of ETCS deployment.
The Glasgow work focuses on the reliability, safety and security concerns within the project.
ENISA, the European Network and Information Security Agency, is engaged in several activities with the ultimate objective of collectively evaluating and improving the resilience of public eCommunication Networks and Services in Europe. In particular, this project supports the implementation of Article 13a of Directive 2009/140/EC of the European Parliament. This calls on member states to ensure that providers of public telecommunication networks and services take appropriate security measures, and that these providers notify the competent regulatory authorities of any breach of security or loss of integrity that has had a significant impact on the operation of networks and services.
We will develop an architecture for a Cyber Incident Reporting and Analysis System (CIRAS) that extends ‘leading practice’ to enable reporting by member states at different levels of infrastructure security maturity. The focus is on supporting National Regulatory Agencies (NRAs) to submit annual summary reports about cyber security incidents and also to contribute information on an ad hoc basis, for instance where incidents have cross-border implications. The overall aim is to support ENISA and the NRAs to meet the provisions of Article 13a and the implementing framework developed in 13b. It must, therefore, be possible for ENISA to store, manage and analyse patterns across the incidents that are recorded within the CIRAS architecture. This project builds on ‘world leading’ research in incident and accident reporting.
In previous projects, we worked with the European Railway Agency and representatives from the National Investigatory Bodies (NIBs) to recommend a number of different accident models that encourage consistency across member states at different levels of safety maturity. This project builds on the expertise developed during the previous work by facilitating the integration of these new methods into the existing good practices currently applied by NIBs. The objectives are to retain the valuable and pragmatic approaches that are already being used by many NIBs, while at the same time promoting innovation and consistency following the Railway Safety Directive (2004/49/EC). The proposal draws upon our unique experience of working for the European Commission in promoting advanced investigatory practices across member states as part of their Strategic Safety Action Plan. This has involved working with investigators to introduce new methods, tools and techniques in more than a dozen member states, including Estonia, Germany, Ireland, Malta, Netherlands, Norway, Portugal, Slovenia, Spain and the UK. In particular, this project has developed a template to assist ERA staff in interviewing investigators across Europe to identify leading practices.
This project focussed on the configuration and integration of safety-critical code developed by many different organisations in space-based applications. Configuration management is particularly important in this context because of the increasing need to integrate commercial space operations into the missions developed by NASA and the European Space Agency (ESA).
The travel funds supported trips to the NASA Johnson Space Centre and to US Air Force Space Command. It also funded shorter trips to analyse the integration of Satellite Based Augmentation Systems into the next generation of European railway signalling systems. Our work helped to reduce the risks that software failures pose for manned and unmanned systems. We worked with NASA’s engineers and their contractors to consider the challenges posed by the rise of commercial space flight and the end of Shuttle missions. Our techniques supported configuration management for software across multiple platforms. This is of critical importance – for instance, on 2nd March 2011 the International Space Station (ISS) networks simultaneously hosted Europe's ATV, HTV, Russia's Soyuz and Progress and the US Shuttle Discovery. We worked with NASA's International Space Station team to consider the challenges that this creates, especially for future missions when these platforms will be joined by commercial vehicles such as those being developed by SpaceX. The consequences of software failures were reinforced by a joint study with NASA engineers into the problems that led to the simultaneous failure of all six Russian ISS central and terminal computers during mission STS-117.
The reliability of space-based software is critical for the safety of astronauts and cosmonauts onboard the International Space Station. However, satellite systems also provide location and timing data to a host of national critical infrastructures, including the electricity distribution grid, as well as mass market navigation systems. The importance of these systems is likely to increase with the certification of the EGNOS Safety of Life service. The European Commission and ESA have developed this infrastructure to extend the use of GPS to safety-critical systems. Using EGNOS, it is possible to derive estimates of the accuracy of a signal, to estimate the delay before any errors are detected and also to provide guarantees about coverage. In practical terms, EGNOS supports the use of satellite signals to guide aircraft during precision approaches to runways in areas that would not otherwise be able to afford the necessary ground based systems. It can also increase the capacity of railway systems by reducing the space between trains, based on knowledge of the exact location and speed of each locomotive on the network. In this project, we worked with the teams that designed the EGNOS software infrastructures. We developed a range of techniques that enable engineers to communicate the safety arguments that support these systems. In particular, these approaches are intended to help other software developers who are more interested in using the satellite-based signals than they are in understanding the detailed infrastructures. The same techniques can also be used when engineers are not permitted to access the underlying engineering details for commercial or security reasons.
Towards the end of this project, we responded to recent concerns about the vulnerability of satellite based systems. A recent Royal Academy of Engineering report (Thomas, 2011) identified numerous threats to national systems that rely on satellite navigation and timing data. With support from NASA, ESA, the US Air Force and by companies in the UK and Europe we were able to identify the potential impact that security threats might have on the safety arguments that support the latest generation of space-based, critical infrastructures.
This project provided a framework for the training of European Railway Accident Investigators that can be used at different levels of maturity across a European syllabus. We developed an architecture for structuring training materials and delivering content. We also presented two case studies in the application of this framework – one for an introductory module in the principles of railway accident investigation and the second an advanced module on human factors in railway accidents. Three high-level recommendations were made.
The project also provided a high-level contract for the further development of course materials to support investigator training across member states.
Directive 2004/49/EC of the European Parliament and of the Council of 29 April 2004 on safety on the Community's railways establishes the conditions to ensure a high level of railway safety and equal conditions for all railway undertakings. To achieve this goal, every Member State must create a safety authority and an accident investigation body. In order to avoid recurrence and, where possible, to improve railway safety, this accident investigation body should investigate all serious accidents on the railway. These investigation bodies shall, supported in this by the European Railway Agency, also conduct an active exchange of views and experience for the purpose of developing common investigation methods, drawing up common principles for the follow-up of safety recommendations and adapting to the development of technical and scientific progress. To be able to fulfil this task and to provide structured and useful guidance to the network of National Investigation Bodies, the European Railway Agency needs an inventory of occurrence investigation methods and techniques both within and outside the railway industry.
This project evaluated more than 100 tools and techniques for incident and accident investigation against a range of criteria provided by ERA. It then developed a white paper for the integration of more advanced techniques into national investigatory bodies. Further deliverables summarised short-term and long-term requirements for progress in this area across member states. This is important because we can identify some objectives that require further work before they could be supported by appropriate tools. For example, a requirement to analyse the 'safety culture' of organisations involved in an accident is a longer-term goal because there is considerable disagreement over the meaning of this term and also over appropriate metrics for the rail industry. In contrast, a requirement to build upon existing skills and expertise within an NIB is a short-term requirement for the acceptance of any approach. We also consider the coverage of both short-term and long-term requirements for tools against the different stages of the ERA generic occurrence investigation process model.
This grant was made by the European Research Office of the US Air Force
and built on initial funding from them for a Workshop on Complexity
in Design and Engineering. In contrast, this project was based around
a long term collaboration with Michael Holloway at NASA Langley's Research
Center. The key objectives were to extend an initial analysis of the
causes of aviation accidents documented in NTSB reports. Previous
papers had looked narrowly at more recent reports. This study used historical
archives to look for longer term trends back to 1986. The aim was to
determine whether it was possible to identify any 'bias' towards
blaming accidents on either individual human error or on organisational/
regulatory factors.
I am coordinator of the European Commission's ADVISES Research Training
Network.
This brings together researchers from seven European countries in a three
year project to exchange techniques between human factors and human
computer interaction for safety-critical systems.
Here is the project home page.
The engineering of interactive, safety-critical systems is an
inter-disciplinary endeavour. This creates a number of practical
problems for many different industries. Organisations must integrate
techniques and methods from many different disciplines. These range from
hardware engineering through to human factors and management. The
difficulty of achieving such integration stems in part from a mutual
ignorance about these complementary disciplines, in part from a lack of
methods in certain areas and in part from a failure to effectively
integrate existing methods and techniques. We believe that the only way
to solve such a problem is to have a tight integration of research
contributions from all the disciplines relevant to the problem, namely:
HSE/Adelard Project
IEC 61508 is a key standard for both industry and the UK Health and Safety Executive.
It sets out the requirements for E/E/PES systems within a generic framework that defines the safety lifecycle and safety management activities that should be followed.
One of these requirements is to learn from the experience of previous failures.
In this project, jointly organised between the HSE, Adelard and Bill Black Consulting, we are first interviewing the suppliers and users of electronic programmable systems
to identify any existing incident reporting systems.
Based on the information gained from this elicitation exercise, we will prepare draft national guidelines for the development of such reporting systems so that other
companies can benefit from the experience of other operators in this area.
NASA Langley Research Centre Project
NASA operates several different mishap reporting systems.
These range from local applications that are operated by staff in each
centre through to the NASA Safety Reporting System that operates across
all facilities.
This fellowship will investigate techniques to support these and other
forms of mishap reporting within NASA.
The first strand of work involved a comparative evaluation of mishap
investigation and analysis techniques.
We focussed on lifecycle support throughout the course of an
investigation.
The second strand of research was more technical in nature and involved
an analysis of the problems that material implication can create when
mathematical, logic formalisms are used to reason about causation.
The third strand of research involved two independent analysts using
Leveson's STAMP methodology to analyse the causes of the SOHO mission
interruption.
EUROCONTROL contract
This project is intended to help Air Traffic Management (ATM) providers implement and maintain mandatory and voluntary occurrence reporting systems.
The output of this project will be a detailed set of guidelines that European ATM providers can use to achieve the objectives set by EUROCONTROL's ESARR2 requirements.
Our work focusses on a number of generic phases that are common across many existing incident reporting systems.
Occurrence detection and notification is followed by data acquisition. Data acquisition is followed by
occurrence reconstruction. Occurrence reconstruction, in turn, is followed by incident analysis and criticality
assessment. Finally, the lessons that can be learnt from an occurrence are fed back to personnel and
regulators. Each of these phases is considered in turn and a number of recommended practices are identified.
UK EPSRC Grant No.
The Equator project is an EPSRC Interdisciplinary Research Centre involving eight UK academic institutions.
The intention is to look beyond existing means of interacting with computing applications.
In particular, we wish to exploit mobile and context aware technologies to tailor the presentation of information to users' changing needs.
We are focussing on presenting information about museum artefacts, city spaces, elements of fictional narratives, and objects inside 'virtual world' models of cities and towns.
The project web site should be available shortly on www.equator.ac.uk.
Matthew Chalmers coordinates the Glasgow involvement in Equator.
UK EPSRC Grant No. GR/M98302
Web sites are increasingly replacing the dissemination of accident
reports through conventional, paper-based documents.
Unfortunately, most investigation authorities have insufficient
resources to best exploit the visualisation and presentation
opportunities of the new media.
They simply provide electronic versions of the text-based document.
Occasionally hypertext links are provided within single reports.
There are, as yet, no on-line examples of accident reports that
contain hypertext links between incidents.
This is a significant limitation because many people have argued that
designers must have a clear understanding of the common causes of
multiple failures if they are to prevent future accidents and incidents.
This proposal is predicated on the idea
that it is practical to separate, formally, the information content
of Web sites from their presentational form and to derive content
via automated synthesis.
This approach can yield reduced costs and new opportunities to improve
the presentation of electronic accident reports.
Chris Johnson,
Dave Robertson (1), John Lee (2), Corin Gurr (2),
UK EPSRC Grant No. GR/M53059
This project is using infra-red and wavelan connections to provide anaesthetists with updated information about their patients as they move around a hospital.
In particular, we are focussing on providing integrated support for information retrieval during pre-operative assessments and post-operative care.
At the moment, the project team are engaged in a detailed requirements elicitation exercise involving anaesthetists from several local hospitals.
For more information, see the project web site.
Martin Gardiner, Phil Gray and Chris Johnson,
UK EPSRC Grant No. GR/L27800
A number of techniques might be used to reason about the causes of operator 'error' during disasters. For instance, user models have been developed to represent the cognitive and perceptual features that characterise interaction with complex systems (Duke, Barnard, Duce and May, 1995).
Unfortunately, these models lack some of the precision that is required during accident enquiries that have both legal and regulatory consequences. In contrast, epistemic logics have been proposed as a precise and concise means of representing an individual's beliefs over time (Fagin, Halpern, Moses and Vardi, 1995).
The innovative idea behind this proposal is that epistemic logics provide a link between the formal methods of systems engineering and the user models that have been developed in cognitive psychology.
No previous attempts have been made to exploit this link or to apply epistemic logics to support accident investigations.
Chris Johnson
UK EPSRC Grant No. GR/K55042
Accident reports are intended to ensure that the faults of previous systems are
not propagated into future applications.
They contain the analysis of many different experts: human factors specialists;
control engineers; meteorologists etc.
Unfortunately, the insights of these investigators are typically separated into
chapters that reflect the concerns and expertise of their authors.
This separation creates a number of problems.
For instance, critical incidents in one analysis may not appear in other chapters.
This makes it difficult to accurately trace the complex interactions that lead to major accidents.
This can obscure the fundamental causes of an accident.
This project exploits temporal logic to address the problems described above.
A formal notation will be used to represent the events leading to major accidents.
Executable temporal logics will then be used to animate the formal descriptions.
The resulting simulations are intended to provide a focus for further analysis by the various groups involved in accident analyses.
The innovative task in this proposal is to move from my previous analytical application of formal methods to develop constructive techniques that support the production of accident reports.
Chris Johnson
UK EPSRC Grant No. GR/K69148
The generation of complex images requires high levels
of skill and expertise. This is partly due to the fact that most graphics
programming languages rely upon procedural implementation techniques.
Such approaches are far from ideal; programmers must
maintain a number of internal data structures in addition to the generating
procedures in order to represent the attributes of display objects. An
attractive alternative is to take a declarative approach, such as object
orientation, functional programming or executable logic.
Programmers can construct images in a declarative style without referring to low level sequences of instructions.
These approaches simplify the relationship between display objects and their
internal representation because there is no distinction between the structures
that are used to generate an image and those that are used to record its
other attributes.
Unfortunately, many declarative systems force programmers to rely upon
an arbitrary set of mechanisms, such as assert and retract or
pipeline objects, to implement changes in an image. These
features complicate the relationship between the objects on the screen and the
internal data structures. This, in turn, increases the burdens upon
graphics programmers. I have developed the Prelog environment to avoid this
problem. Temporal logic operators
minimise the additional data structures that programmers must maintain in order
to animate declarative images. Previous work has demonstrated the feasibility
of the approach. The innovative task of this proposal is now to develop
appropriate graphical and temporal primitives that support general purpose,
declarative, graphics programming languages.
Chris Johnson
UK Joint Council Initiative in HCI and Cognitive Science, Grant No. 9201233
David England, Phil Gray, Steve McGowan, Chris Johnson
Steve Draper and Paddy O'Donnel
UK EPSRC Grant No. GR/J07686
Chris Johnson
Michael Harrison and Andy Dearden
European Network and Information Security Agency, Auditing, Incident Reporting Framework and Cyber-Security Strategies (ENISA P/28/11/TCD)
EPSRC EP/1004289/1: Methods for Configuration Management in Safety-Critical Software
Recommendation 1: ERA should develop a web site that catalogues the existing training materials that could be shared between different NIBs. This web site could be structured using the modules identified in Su-Doc 5. This will help to facilitate the sharing and re-use that is a principal objective of the framework advocated in this project.
Recommendation 2: ERA should build on the previous recommendation by identifying elements of Su-Doc 5 that are not presently covered by existing training courses. They should also provide a mechanism for alerting NIBs to other areas where costs could be shared by the cooperative development of training materials.
Recommendation 3: Future ERA projects may develop common assessment forms that could be re-used between member states to provide common feedback on the utility of training materials.
European Railway Agency: Techniques for Improving Accident and Incident Investigation (2008-2009)
US Air Force: Longitudinal Study of US Aviation Accidents (1986-2006)
Analysis Design and Validation of Interactive
Safety-critical and Error-tolerant Systems
The partners in this research and training network have recognised
expertise in each of the areas mentioned above.
Our main objective is to provide a multi-disciplinary research training
that can combat the impact of human error during the design, operation
and management of safety-critical, interactive systems.
Additionally, the exchange of knowledge, practices, tools and experience
between adjacent (but still too distinct) disciplines can lead to the
efficient integration of complementary research methods.
Ultimately, it is hoped that this will contribute to a new and more
unified research agenda for the development of safety-critical,
interactive systems.
Learning from Incidents Involving Electronic/Programmable Electronic Systems
NASA/ICASE Research 'Fellowship' in Mishap Investigation
Elaboration of Guidelines for Air Traffic Management Occurrence Reporting
Equator: EPSRC Interdisciplinary Research Centre
Communication of Knowledge (about Accidents) from Synthesised Web Sites
Department of Computing Science, University of Glasgow.
johnson@dcs.gla.ac.uk.
(1) Division of Informatics, (2) Human Communication Research Centre,
University of Edinburgh.
dr@dai.ed.ac.uk, {john, corin}@cogsci.ed.ac.uk
Paraglyde: Mobile Information Resources for Anaesthetists
Department of Computing Science, University of Glasgow.
{martin,pdg,johnson}@dcs.gla.ac.uk.
Linking
User and System Models to Analyse the Causes of Major Accidents
Department of Computing Science, University of Glasgow.
johnson@dcs.gla.ac.uk.
Principles For The Use Of Formal Notations During Accident Investigations
Department of Computing Science, University of Glasgow.
johnson@dcs.gla.ac.uk.
Temporal And Graphical Primitives For Declarative Graphics:
Closing The Gap Between Internal Data Structures And Display Objects
Department of Computing Science, University of Glasgow.
johnson@dcs.gla.ac.uk.
Temporal Aspects of Usability
Temporal properties of interaction have a profound impact upon the usability of human computer interfaces.
Delays in response time can lead to frustration and error.
The simultaneous presentation of many different pieces of information imposes heavy demands upon the cognitive and perceptual resources of system operators.
These problems have been investigated by a number of recent research initiatives.
Unfortunately, it has been difficult to replicate the results that have been obtained from experimental investigations.
This creates significant problems for designers if these results are to guide the future development of interactive systems.
The TAU project was set up in 1992 to address the problems of replicating and
validating empirical results for temporal usability problems.
The project has involved a multi-disciplinary team.
Its focus is to develop a simulation environment that supports
experimental investigations. This system provides a stable
vehicle that can be used by many different research groups. This
supports the replication of experimental conditions by avoiding the ad hoc
development of many different pieces of software in each of the labs that are
investigating this area.
Department of Computing Science, University of Glasgow.
{pdg,stevem,johnson}@dcs.gla.ac.uk.
Department of Psychology, University of Glasgow.
steve@dcs.gla.ac.uk
paddy@psy.gla.ac.uk
Exploiting Utility And Risk Assessments During The Design of Human-Machine Interfaces
Operator error has been cited as a contributory factor in many recent accidents.
It is, therefore, surprising that so little work has been done into the integration of human factors techniques within traditional systems engineering.
This project is addressing this shortcoming.
We are investigating ways in which the products of probabilistic risk assessments can be used to guide and inform the development of human-machine interfaces to safety-critical systems.
In particular, we have developed formal specification techniques that can be used to represent and then simulate critical traces of interaction with complex application processes.
Department of Computing Science, University of Glasgow.
johnson@dcs.gla.ac.uk
Department of Computing Science, University of York.
{mdh,andyd}@minster.york.ac.uk.
Using Formal Methods To Derive Requirements From Accident Analyses
EOLAS/British Council Grant No. 9284
Accident reports are intended to ensure that failures do not recur.
They contain the analysis of many different experts, including human factors and
systems engineers.
The insights of these investigators are often separated into chapters that reflect the particular concerns and expertise of their authors.
Such a separation often makes it difficult for readers to trace the ways in which human and system 'failures' combine to create the necessary conditions for an accident.
This project is exploiting mathematically based modelling techniques to overcome this problem.
It is hypothesised that the application of formal notations can be extended from
the domain of systems engineering in order to represent the findings of human factors analyses.
In particular, it is argued that Timed Petri Nets can be used to represent and reason
about the concurrent behaviour of multiple operators and their systems.
Tool support can be recruited to validate the resulting nets.
The sequences of events leading to an accident can be simulated and shown to human
factors and systems engineers.
This, in turn, may elicit further observations about the causes of an accident.
A near collision analysed by the U.K. Department of Transport's Air Accident Investigations
Branch (AAIB) is being used in order to evaluate this approach.
Chris Johnson
Department of Computing Science, University of Glasgow.
johnson@dcs.gla.ac.uk
Peter Wright
British Aerospace's Dependable Computing Systems Centre,
Department of Computing Science, University of York.
pcw@cs.york.ac.uk
John McCarthy
Applied Psychology Unit, University College Cork, Ireland.
mccarthyj@iruccvax.ucc.ie
This page presents an overview of my recent research projects. Please let me know if you would like any additional information about this work.