Abstract
In this paper we show how an understanding of a dynamic system from the point of view of the tasks that it supports and an understanding of human error can guide a process of deriving human error tolerance requirements. Our aim is to provide a means whereby, rather than relying on training as a means of improving operator performance, designers may develop interactive systems with human error tolerance in mind. We extend an established methodology (SHARP) by employing a software engineering notation (CSP) that provides a bridge between a theory of error and the practice of design and implementation. In this paper we outline approaches to human error, describe a task notation based on CSP which helps us to elicit requirements on human-error tolerance expressed as functional properties of the system. The technique is used to analyze an engine fire recovery procedure in order to derive human error tolerance requirements.

Abstract
In this paper we put forward an approach to deriving and applying human error tolerance requirements. Such requirements are concerned with the response of a system to errors introduced by human operators. The approach provides a means by which operators' tasks can be described and analysed for likely errors and the impact of these errors on system safety can be explored. The approach, based on previous work by the same authors, uses a software engineering notation to provide the bridge between operator models and systems engineering concerns. In this paper the approach is extended to include a more refined understanding of the processes that contribute to human error. The operators' process in achieving goals is understood in terms of structured tasks. With this additional apparatus we are able to capture a more complex set of human error forms.

Abstract
The trend towards systems that support a rich variety of interaction techniques has consequences for the traditional understanding of software design practice. Formal approaches to software development have mainly focused on design expressions that avoid explicit discussion of interactive behaviour. The emphasis in rigorous development is on transforming a mathematical specification into an implementation through a series of valid refinement steps. However, any design process for interactive systems must also add user oriented requirements. It is suggested that a suitable concern for human factors can be folded into a rigorous development process by generalizing from functional models and refinement to models that provide multiple viewpoints onto the design artefacts. The paper provides an overview of the relevant perspectives and describes work aimed at integrating them within the specification phase of software development.

Abstract
Interaction objects (interactors) are abstract structures that provide a link between rigorous approaches to software development and user-oriented aspects of interaction. The focus of the paper is on the second role of interactors; in particular, how a formal model of interaction can be used to classify and clarify various properties of interactive behaviour that are important from a user-oriented viewpoint. The formal model used in this discussion abstracts away from distinctions between states, events, and renderings; when needed, these concepts are introduced as various projections on the basic model.

Abstract
In this paper, we consider the concept of the impact of an action or human-error. We begin from an informal definition of impact as: the effect that an action or sequence of actions has on the safe and successful operation of a system; and develop a quantitative measure of the impact of specified behaviours. It is important that human-machine interface (HMI) designers should understand the relationship between operator actions and the hazards associated with a system. We demonstrate how impact can be assessed prior to, or in parallel with the design of the HMI, and show how impact assessments could be used to allow risk analysts to inform HMI designers about the relationship between operator actions and system hazards. To illustrate our approach we present a simple case study.

Abstract
It is typical for cycles of iteration to be used to refine the current state of the design of a system so that it more closely meets its requirements. Such refinements are in terms of the original requirements specification and any new requirements that have been identified during this process. However, not all defined requirements are equally essential, particularly in high consequence systems where there are issues of dependability. Although descriptive methods for scenario analysis can be used to highlight new requirements, it can be difficult to evaluate the impact of these new requirements. In this paper, we exemplify this problem and investigate how numeric methods can be used to highlight the impact of consequences identified by descriptive scenario analysis. An example from the context of human reliability analysis is presented and dependability issues for system design are considered.