SWE 623 Duminda Wijesekera 1
Requirements, their Consistency and Completeness
RSML Formulation of TCAS II
Discussed as an example of a precise and formal capturing of a real-world software engineering specification
SWE 623 (Thanks to Prof. Mats P. E. Heimdahl for references)

TCAS II
• Traffic alert and collision avoidance system.
• Airborne device functioning independently of ground-based traffic control.
• All commercial and larger commuter and business aircraft (with 10-30 seats) must have this on board.
• TCAS I provided proximity warning (traffic advisories) and assisted the pilot in visualizing intruder aircraft.
• TCAS II recommends escape maneuvers (resolution advisories) in a vertical direction to avoid collisions.

Brief History
• Collision avoidance systems are 25 years old.
• The Minimal Operational Performance Standards document (MOPS-1983) was written in a combination of English and pseudocode.
– Revised extensively six times.
– Had difficulty in certification, so the Government started rewriting the document and UCI started an experimental formal specification and safety analysis.

System View
• System = collection of components working together.
• Process control = input/output behavior in the presence of disturbances.
– Disturbances due to chemical, aerodynamic, thermal or physical laws.
• Operating constraints
– Range constraints for input/output variables.
– Operating conditions.
– Limit design choices.
– May be results of quality control, resource bounds, physical limitations, process characteristics etc.

TCAS Examples
• Maintain minimum separation between aircraft.
• Constraints
– No interference with ground-based air traffic control (ATC) functions.
– Acceptably low level of unwanted alarms.
– Minimizing deviation from ATC-assigned tracks.

Difference between Goals and Requirements
• Goal = avoid near misses (i.e. aircraft violating the minimum separation distance).
• A legitimate goal, but one cannot determine whether it is achievable in a given operating environment.
• Therefore it cannot be a requirement of the system design.
• The system can strive to minimize near misses.

Basic Process Control Model
• Controlled variables (Vc)
– The process is monitored through these.
• Manipulated variables (Vm)
– The process is controlled through these.
• Sensors (Fs)
– Monitor the actual behavior of the process.
• Actuators (Fa)
– Devices designed to manipulate process behavior.
• Controller (Fc)
– Device used to implement the control function.
[Diagram: the Controller Fc issues a Command Signal to the Actuator, which sets the Manipulated Variables of the Process Fp; Sensors report the Controlled Variables back to the Controller; Disturbances act on the Process.]

RSML Approach
• Black-box behavior specified using a state machine model.
– Outputs of the controller are specified with respect to state changes in the model, as information about the current state is received via the controlled variables Vc.
– The control function Fc is specified using a model of the state of all other aircraft within the host's airspace.
[Diagram: refinement from the desired process control behavior, through a black-box specification of controller behavior and a controller design specified by functional decomposition, to the implementation.]

Basic Definitions
• Input Variables: Is; Output Variables: Os
• Controlled Variables: Vc; Manipulated Variables: Vm
• Disturbances: D
• Process Function: Fp: Vm × Is × D × t → Os × Vc
• Sensor Function: Fs: Vc × t → Is
• Actuator Function: Fa: Os × t → Vm
• Control Function: Fc: Is × Vc × t → Os

Fc: Controller Function
• Modeled as a state machine.
– Iteratively refined during requirements specification.
• An abstraction of the current understanding of the real-world control loop.
• Most control functions are non-linear equations.
• Modeling errors represent mismatches between the real-world view and the state machine view.

Design Criteria
• Need black-box behavior, not internal design information.
• Minimality and simplicity.
• Formal, concise, coherent notation.
• Readability, reviewability.
• Best use of graphics, tables and symbolic notation.
• Ability to formally analyze safety, completeness and consistency.

Properties of Statecharts
• And/Or hierarchies.
• Conditions (conditional connectives in RSML)
– I.e. a guard determines which Or state to transition to as a consequence of an event triggering.
• Arrays of state machines.
– Example: array of other aircraft (statechart).
• Additions:
– Directed communication (unidirectional explicit FIFO queue) between statecharts.
– Broadcast mechanisms with some limitations.

Interface Definitions and Communication Mechanisms
• Statecharts model components, hence interface definitions had to be written between models.
• Communication
– The sending machine executes SEND(msg, destination), where destination is the receiver's name.
– This triggers a RECEIVE event in the destination machine.
– No synchrony hypothesis in communication.

State Machine Descriptions
• Input variables, output variables and graphical state machines.
• Attributes of a variable include
– Location (machine name)
– Source/destination (external component, e.g. Altimeter)
– Type (e.g. integer), Expected Range (e.g. 1 to 1000)
– Granularity (e.g. 10s), Units (e.g. meters), Load (frequency of change)
– Exception handling (what to do for out-of-range values)
– Traceability information (MOPS document reference)
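A worked example of such an interface definition, added here and not taken from the RSML toolset or the TCAS II specification: each input variable record carries the attributes listed above and applies its declared exception-handling policy to out-of-range or invalid readings before a value reaches the state machine. The variable names, ranges, sample readings and the MOPS reference placeholders are constructed for illustration.

```python
"""RSML-style input variable records with range checking and exception handling.

Added example; names, ranges and readings are constructed, and the traceability
strings are placeholders rather than real MOPS references.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class InputVariable:
    """One entry of an interface definition, following the attribute list on the slide."""
    name: str
    location: str          # machine that owns the variable
    source: str            # external component feeding it, e.g. an altimeter
    var_type: type         # e.g. int
    low: float             # expected range, inclusive
    high: float
    granularity: float     # smallest meaningful step; readings are snapped to it
    units: str
    load_hz: float         # expected frequency of change (recorded, not enforced here)
    on_out_of_range: str   # exception-handling policy: "hold_last" or "clamp"
    trace: str             # traceability information (placeholder below)
    last_good: Optional[float] = field(default=None, repr=False)

    def quantize(self, raw):
        # Snap the reading to the declared granularity; the outer round() only
        # removes binary floating-point noise such as 3.3000000000000003.
        return round(round(raw / self.granularity) * self.granularity, 10)

    def accept(self, raw):
        """Validate one raw reading. Returns (value_to_use, status)."""
        if not isinstance(raw, (int, float)) or raw != raw:   # non-numeric or NaN
            return self.last_good, "invalid"                   # never clamp garbage
        if self.low <= raw <= self.high:
            value = self.var_type(self.quantize(raw))
            self.last_good = value
            return value, "ok"
        if self.on_out_of_range == "clamp":
            return self.var_type(min(max(raw, self.low), self.high)), "out_of_range"
        return self.last_good, "out_of_range"                  # "hold_last" policy


def build_interface():
    # Constructed interface table for two input variables.
    return {
        "Own_altitude": InputVariable(
            name="Own_altitude", location="Own_aircraft", source="Altimeter",
            var_type=int, low=-1000, high=60000, granularity=25, units="ft",
            load_hz=1.0, on_out_of_range="hold_last", trace="MOPS ref: <placeholder>"),
        "Intruder_range": InputVariable(
            name="Intruder_range", location="Other_aircraft", source="Surveillance",
            var_type=float, low=0.0, high=40.0, granularity=0.1, units="nmi",
            load_hz=1.0, on_out_of_range="clamp", trace="MOPS ref: <placeholder>"),
    }


# Constructed sequence of (variable, raw reading) pairs, including bad inputs.
SAMPLE_READINGS = [
    ("Own_altitude", 12012),         # in range, snapped to 25 ft
    ("Own_altitude", 99999),         # out of range: hold the last good value
    ("Intruder_range", 3.26),        # in range, snapped to 0.1 nmi
    ("Intruder_range", 55.0),        # out of range: clamped to 40.0
    ("Own_altitude", float("nan")),  # invalid: hold the last good value
]


def process_readings(interface, readings):
    """Run readings through the interface; returns (variable, value_used, status) tuples."""
    return [(name, *interface[name].accept(raw)) for name, raw in readings]


if __name__ == "__main__":
    for row in process_readings(build_interface(), SAMPLE_READINGS):
        print(row)
```

The policy is chosen per variable in the interface table rather than in the consuming state machine, which is the point of the slide's attribute list: the machine can then assume every value it receives is in range and quantized.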

Format of RSML State Machines

Example RSML State-chart

Encoding States

Example State Definition

Transitions
• TRANSITION: North → East
• Had a notation for locations such as
• Location: Other_aircraft Tracked > Intruder_status_52

Notation for Guarding Conditions
• Conditions written in disjunctive normal form and tabulated.

Example: Table vs. Logic

Analysis
• Completeness: robustness
– Responsiveness to every possible input and input sequence.
– The logical OR of the transition conditions is a tautology.
– Every state has a timeout transition behavior.
• Consistency
– Free of conflicting requirements.
– Free of undesired non-determinism.

Completeness: D-completeness
• D-completeness:
– The system must respond in real time to any input and input sequence. Involves the following steps:
– At atomic states,
• all behaviors are defined (i.e. all external input changes are accounted for) and
• there are no conflicting requirements (a source of non-determinism).

Completeness: OR States (cont.)
– At OR (union) states,
• Transition conditions are disjoint.
– Guards of transitions triggered by the same event are mutually exclusive.
• The entire domain is covered (the OR of the conditions is True).
– The OR of all guards of transitions triggered by the same event is TRUE.
• (I.e. one and ONLY ONE satisfiable transition out of every state.)
• The AND/OR tabular representation of guards is very helpful for analysis.
• In general this problem is NP-complete (3-SAT is NP-hard), but BDDs were used to manipulate the conditions.
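The two checks from the Analysis and OR States slides, worked through on a small guard table. This is an added example, not code from the RSML toolset or the TCAS II specification: each guard is in disjunctive normal form as a list of AND/OR table columns, a column being a conjunction of atomic conditions that must be True or False (atoms absent from a column are don't-cares). Completeness means the OR of all guards leaving a state on one event is a tautology; consistency means the guards are pairwise disjoint. The check enumerates the full truth table, which is fine for a handful of atoms; as the slide says, the general problem is NP-complete and the RSML tools used BDDs instead. State and condition names are constructed, not TCAS identifiers.

```python
"""Completeness and consistency check for guards in an RSML-style AND/OR table.

Added example with constructed state and condition names. A guard is a list of
columns; each column maps an atomic condition to the value it must have.
"""
from itertools import product


def column_holds(column, assignment):
    # One AND/OR table column: every listed atom must have the required value.
    return all(assignment[atom] == required for atom, required in column.items())


def guard_holds(guard, assignment):
    # A guard in disjunctive normal form is the OR of its columns.
    return any(column_holds(col, assignment) for col in guard)


def atoms_of(transitions):
    names = set()
    for _, guard in transitions:
        for col in guard:
            names.update(col)
    return sorted(names)


def check_or_state(transitions):
    """transitions: list of (target_state, guard), all leaving one OR state on the
    same trigger event.
    Completeness: every assignment enables at least one transition
      (the OR of all guards is a tautology).
    Consistency: no assignment enables two transitions
      (guards pairwise disjoint, so no non-determinism)."""
    atoms = atoms_of(transitions)
    uncovered, conflicts = [], set()
    for values in product([False, True], repeat=len(atoms)):
        assignment = dict(zip(atoms, values))
        enabled = [target for target, guard in transitions if guard_holds(guard, assignment)]
        if not enabled:
            uncovered.append(assignment)          # completeness violation
        elif len(enabled) > 1:
            conflicts.add(tuple(sorted(enabled))) # consistency violation
    return {"complete": not uncovered, "consistent": not conflicts,
            "uncovered": uncovered, "conflicts": sorted(conflicts)}


# Constructed classification of a tracked aircraft; Other_traffic has two columns.
GOOD = [
    ("Threat",            [{"proximate": True,  "threat_test": True}]),
    ("Proximate_traffic", [{"proximate": True,  "threat_test": False, "alt_reporting": True}]),
    ("Other_traffic",     [{"proximate": False},
                           {"proximate": True,  "threat_test": False, "alt_reporting": False}]),
]

# Same table with a gap: non-proximate aircraft that are not altitude-reporting
# satisfy no guard, so the state machine has no defined response for them.
INCOMPLETE = [
    ("Threat",            [{"proximate": True,  "threat_test": True}]),
    ("Proximate_traffic", [{"proximate": True,  "threat_test": False}]),
    ("Other_traffic",     [{"proximate": False, "alt_reporting": True}]),
]

# Same table with an over-broad guard: two transitions are enabled at once
# for a proximate aircraft that passes the threat test.
CONFLICTING = [
    ("Threat",            [{"proximate": True,  "threat_test": True}]),
    ("Proximate_traffic", [{"proximate": True}]),
    ("Other_traffic",     [{"proximate": False}]),
]

if __name__ == "__main__":
    for label, table in (("good", GOOD), ("incomplete", INCOMPLETE), ("conflicting", CONFLICTING)):
        print(label, check_or_state(table))
```

The report returns the offending assignments and the pairs of simultaneously enabled targets, which is the information a reviewer needs to add the missing row or tighten the over-broad one; a bare yes/no answer would not be enough to repair the table.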

Completeness: OR States (continued)
– At OR (union) states: problems encountered
• BDDs are only good for symbolic manipulation, hence a lot of potential errors in the specifications are reported.
• Conversely, a theorem-proving approach will cover some of these problems, but is VERY expensive to do by itself.
• Would like a hybrid of BDDs talking to theorem provers, but such things do not exist yet!
• See the Heimdahl and Czerny article in the High Assurance Systems Engineering Conference 1999 on this point.

Completeness: AND States
• Two transitions in parallel components of an AND state triggered by the same event.
• If the truth value of the guard of one component affects the truth value of the other guards, then non-determinism may result.
• So RSML checks for such dependencies.
• Costly to check, but rare in the TCAS specifications.

Completeness: Serial Composition
• A transition triggered by one event may itself generate another event.
• In order to achieve this effect, the domain of the second must be included in the range of the first.
• Finally, if an event is generated as a consequence of some action and it is never caught anywhere else, then the specification is incomplete.
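An added example covering both the SEND/RECEIVE communication mechanism from the Interface Definitions slide and the serial-composition check on this slide; it is not code from the RSML toolset or the TCAS II specification. Two machines exchange messages over explicit unidirectional FIFO queues: SEND only enqueues, and the RECEIVE transition fires when the destination machine is next stepped, so the sender's transition and the receiver's reaction are separate steps (no synchrony hypothesis). A static check then lists every generated message that no transition in its destination machine ever consumes. The machine names, states and messages are constructed for illustration.

```python
"""Two RSML-style state machines communicating over FIFO queues, plus a
serial-composition completeness check. Added example with constructed names."""
from collections import deque


class Machine:
    def __init__(self, name, initial, transitions):
        self.name = name
        self.state = initial
        # (current_state, received_message) -> (next_state, outgoing (msg, dest) or None)
        self.transitions = transitions
        self.inbox = deque()   # the unidirectional FIFO queue feeding this machine


class Network:
    def __init__(self, machines):
        self.machines = {m.name: m for m in machines}
        self.log = []

    def send(self, msg, destination):
        """SEND(msg, destination): only enqueues; the receiver is untouched
        until it is stepped, which is the absence of a synchrony hypothesis."""
        self.machines[destination].inbox.append(msg)
        self.log.append(f"SEND {msg} -> {destination}")

    def step(self, name):
        """Deliver the oldest queued message to `name` as a RECEIVE event.
        Returns False when the queue was empty."""
        m = self.machines[name]
        if not m.inbox:
            return False
        msg = m.inbox.popleft()
        key = (m.state, msg)
        if key not in m.transitions:
            # A RECEIVE with no transition for it: the runtime symptom of the
            # incompleteness that uncaught_messages() finds statically.
            self.log.append(f"UNHANDLED RECEIVE {msg} in {name}.{m.state}")
            return True
        next_state, out = m.transitions[key]
        self.log.append(f"{name}: {m.state} --{msg}--> {next_state}")
        m.state = next_state
        if out is not None:
            self.send(*out)   # a transition may itself generate an event
        return True


def uncaught_messages(machines):
    """Serial-composition check: every message some transition generates must be
    consumed by a transition in its destination machine. Returns the offending
    (msg, dest) pairs; a non-empty result means the specification is incomplete."""
    consumed = {(m.name, msg) for m in machines for (_, msg) in m.transitions}
    generated = {out for m in machines for (_, out) in m.transitions.values() if out}
    return {(msg, dest) for (msg, dest) in generated if (dest, msg) not in consumed}


def build_machines():
    surveillance = Machine("Surveillance", "Idle", {
        ("Idle", "Track_update"): ("Tracking", ("New_track", "CAS_logic")),
        ("Tracking", "Track_lost"): ("Idle", ("Drop_track", "CAS_logic")),
    })
    cas_logic = Machine("CAS_logic", "Standby", {
        ("Standby", "New_track"): ("Evaluating", None),
        # Nothing consumes "Drop_track": the constructed defect the check reports.
    })
    return [surveillance, cas_logic]


def run_scenario():
    """Returns CAS_logic's state before, between and after the two steps."""
    net = Network(build_machines())
    net.send("Track_update", "Surveillance")   # constructed external stimulus
    before = net.machines["CAS_logic"].state
    net.step("Surveillance")                   # Idle -> Tracking, SENDs New_track
    during = net.machines["CAS_logic"].state   # still Standby: delivery is asynchronous
    net.step("CAS_logic")                      # RECEIVE New_track
    after = net.machines["CAS_logic"].state
    return before, during, after


if __name__ == "__main__":
    print(run_scenario())
    print(uncaught_messages(build_machines()))
```

The static check is the cheap half of the slide's argument: it needs only the transition tables, not an execution, and it pinpoints the generated event that the rest of the specification never accounts for.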

Consequences
• RSML specs are now the official specs for TCAS II.
• There are some tools to check D-completeness.
• Many incomplete specifications were detected during the analysis phase.
• It is difficult to provide guidance in eliminating incompletenesses and inconsistencies.
• Sensitivity of the TCAS system: how close is an intruder allowed to get? RSML specifications can be parametrized on sensitivity levels.
• Sensitivity analysis.