Architecture Modeling - SPES 2020
Architecture Modeling - SPES 2020
Architecture Modeling - SPES 2020
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Architecture</strong> <strong>Modeling</strong><br />
flight incidents, the Code of Practice proposed by the Prevent Project using guiding questions to<br />
assess the completeness of requirements in the concept phase of the development of advanced<br />
driver assistance systems, use-case analysis methods as advocated for UML based development<br />
process, where an initial stakeholder based analysis is refined by scenarios capturing the typical<br />
interactions between actors and the system-under-development, and the various approaches<br />
based on rapid prototyping, including virtual reality based mock-ups. A common theme of these<br />
approaches is the intent to systematically identify those aspects of the environment of the system<br />
under development (SUD) (subsuming the physical environment, the operator of the system, and<br />
– for systems-of-systems – other “surrounding” systems) whose observability is necessary and<br />
sufficient to achieve the system requirements. As examples of extensions of systems parameters<br />
based on such heuristic approaches, we mention the need to observe, whether the aircraft<br />
is on-ground (as required to prevent inadvertent activation of reverse thrust of engines when in<br />
cruise flight), blind-spot detection coupled with lane change assistance systems warning against<br />
lane changes in critical traffic situations, or train-integrity control in ETCS-based train-safety<br />
systems. Once this perimeter of the system-under-development is identified, the challenge rests<br />
in characterizing those conditions on the environment, under which the system is expected to<br />
perform according to its requirements. For example, advanced driver assistance systems dependent<br />
on image processing for obstacle detection from video streams will be automatically<br />
de-activated or switched to a degraded mode in complex lighting conditions. As other classes of<br />
environment assumptions we mention assumed boundary values of physical parameters, such<br />
as maximal relative and absolute speed of vehicles, maximal acceleration, types of road conditions,<br />
curve radiuses on highways, traffic rules, average and worst case distributions of arrival<br />
processes of systems in the environment, etc. The approach taken by the Code of Practice can<br />
be generalized to other domains, using a Hazop-style analysis [45], where for each identified<br />
class of interaction between actor and SUD and for each viewpoint specific guide-words could<br />
be used to probe for undesired interactions or interferences, which should be excluded.<br />
An initial phase of refining requirements to contracts is an important step in the design<br />
methodology we describe in this paper. Based on a determined system boundary, responsibilities<br />
of achieving requirements are split into those to be established by the system-underdevelopment<br />
(the “guarantees” of the contract) and those characterizing admissible environments<br />
of the system-under-development (the “assumptions” of the contract). To further<br />
strengthen the capabilities for improving the quality of initial specifications, we advocate the<br />
use of formal specification languages for expressing these, where the particular shape of such<br />
formalizations is viewpoint and domain dependent. Examples include the usage of failure propagation<br />
models for safety contracts, the use of probabilistic timed automata to specify arrival<br />
processes, the use of live sequence charts for capturing scenarios in the interaction of actors<br />
and systems [44], or the pattern-based contract specification language initially developed by the<br />
integrated project SPEEDS, and further refined and elaborated to the RSL language presented<br />
in the Annex advocated for usage in <strong>SPES</strong>. All these enable what Harel called “playing out”<br />
for the particular case of live sequence charts, i. e. the use of formalized contract specifications<br />
to generate trajectories of interface observations compliant to the currently derived set of<br />
contracts. Such simulation capabilities turn out to be instrumental in further refining our specifications:<br />
typically, they will exhibit unexpected traces, e. g. due to an insufficient restriction of<br />
the environment, or only partially specified system reactions. Using contracts resting on logic<br />
based formalisms comes with the advantage, that such “spurious” unwanted behaviors can be<br />
excluded by “throwing in” additional contracts, or strengthening assumptions, or by considering<br />
additional cases for guarantees. A second advantage of such formalized contracts rests in<br />
the now available methods for checking for consistency: the formalism mentioned above do<br />
102/ 156