Architecture Modeling - SPES 2020

More documents

Recommendations

Info

Architecture Modeling • In both cases, provided air must be within a certain range. This range could be between 12 ◦ C and 28 ◦ C in normal mode, while in degraded mode the maximum allowed temperature may be 32 ◦ C. These requirements are the guarantees of the air conditioning system, one for each corresponding weak assumption. The distinction between strong and weak assumptions may also affect the way to verify certain properties involving formal reasoning about contracts. This discussion is however out of scope of this section, and the interested reader is referred to Section 6.2. From a user perspective, strong assumptions can be seen as to be assigned to components instead of contracts. All contracts associated to a component shall maintain the same strong assumptions. If we use in the following the term assumption of a contract without attribution, we refer to the conjunction of both strong and weak assumptions. Deriving (formal) contracts from (informal) requirements is not always an obvious and easy task. To avoid ambiguities, often formal languages are used to state requirements with well defined meaning. It however does not only require some training to write requirements in such formal languages, it may also be hard to read them. The pattern based Requirement Specification Language RSL provides an easy to use formal language with well defined semantics, that is still readable like natural language. RSL patterns consist of static text elements and attributes being instantiated by the requirements engineer. Each pattern has well defined semantics in order to ensure consistent interpretation of the written system specification across all project participants. RSL allows writing of natural sounding requirements while being expressive enough to formalize complex requirements. To gain a high degree of intuition, the language consist of only a few constructs that can be easily remembered, to give the user the possibility to fully understand the RSL and to choose the right pattern that fits the properties he wants to demand of the system. RSL aims at providing expression of a large scale of requirement domains. It defines patterns for each of the following categories: • Functional patterns express requirements such as relationship between events, handling of conditions and invariants, and optional intervals in which a requirement (or parts of it) is valid. • Probability patterns, which are needed in almost all safety critical systems to express failure or hazard probabilities. • Safety related patterns outline relationships between system components. These patterns enable the specification of single point of failures or other failure and hazard dependencies between different components. • Timing patterns are used to describe real-time behavior of systems. This includes recurring activations, jitter and delay. RSL patterns normally contain optional parts that need not be instantiated. A functional pattern for example describing causality between two events looks like this: whenever event1 occurs event2 occurs [during interval] Phrases in square brackets are optional, bold elements are static keywords of the pattern, and elements printed in italics represent attributes that have to be instantiated by the requirements engineer. In the example above three attributes event1, event2 and interval exist, and the part [during interval] is optional. 48/ 156
Architecture Modeling When specifying requirements there is no strict typing like int or real but there are categories that specify what is described by the different attributes. To not complicate the language too much and to be also expressive enough, the set of supported attributes has been carefully chosen: • Events represent activities in the system. An event can be for example a signal, a user input by pressing a button, or the availability of a computational result. Events occur at specific points in time and have no duration. • Conditions are logical and/or arithmetical expressions over variables and the status of events. Conditions can be used in two different ways. Firstly, they can be used as pseudo events to trigger an action if the condition becomes true. And secondly, they may represent the system state that has to hold for a specified time. • Intervals describe a continuous fragment of time whose boundaries are either (relative) time measures, or events. Intervals can be open “]x,y[“ or closed “[x,y]” or a combination. • Components refer to entities that are able to handle events or condition variables. RSL supports various combinations of elements. It allows for example filtering of events by intervals or conditions. That is, whenever a pattern expects an event, one may also use “event during interval”, or “event under (condition)”. Thus, one can e.g. specify whenever request during [activate,deactivate] occurs response occurs during [l,u] meaning that a response is constrained only if the request happened after an activate and before some deactivate event. Filtering of events can be applied recursively. So activate could again be filtered by some interval or condition. The interested reader is referred to Section 6.1 for a detailed description of the RSL. While specification languages such as RSL help the engineer to formalize requirements, there are other pitfalls when specifying contracts. Two key properties of contracts, essential to maintain sanity of the design-flow shall be discussed here, namely receptiveness and consistency. Receptiveness Since the interface of a component distinguishes input ports and output ports, there is a clear separation between those ports the component controls and those that are controlled by the components environment. Receptiveness denotes the fact that also the responsibilities of both assumption and guarantee of a contract are properly distinguished. More formally, a contract is receptive only if the assumption does not restrict possible behavior of the output of a component, and if the guarantee does not restrict the input ports. To give an example, we assume a component with inport i and outport o. A guarantee stating that, whenever the component sends an event to o, the environment responds by another event send to i within, say 5 ms, violates the receptiveness property. It violates receptiveness because it is not the duty of a components guarantee to require the environment to react in a certain amount of time. For the same reason, an assumption stating that the component produces an output event each 10 ms violates receptiveness. On the other hand, an assumption for such a component, stating that whenever the component sends an event to o, the environment responds by another event send to i within 5 ms, perfectly maintains receptiveness. A receptive contract is denoted directed. 49/ 156
Page 1 and 2: Architecture Modeling ∗ Andreas B
Page 3 and 4: Contents 1 Introduction 1 2 Quick-T
Page 5 and 6: 1 Introduction This document propos
Page 7 and 8: Architecture Modeling allowing to m
Page 9 and 10: Architecture Modeling creating a vi
Page 11 and 12: Architecture Modeling the design it
Page 13 and 14: Architecture Modeling of the logica
Page 15 and 16: Architecture Modeling realization o
Page 17 and 18: Architecture Modeling can usually o
Page 19 and 20: 3 The Architecture Meta-Model In Se
Page 21 and 22: Abstraction-Levels (detail increase
Page 23 and 24: 3.2.2 Functional Perspective Archit
Page 25 and 26: Architecture Modeling The semantics
Page 27 and 28: Architecture Modeling expressed by
Page 29 and 30: Architecture Modeling computing cap
Page 31 and 32: 3.2.5 Geometrical Perspective Archi
Page 33 and 34: ShapeCompositionOperator intersecti
Page 35 and 36: Architecture Modeling The constrain
Page 37 and 38: Architecture Modeling of particular
Page 39 and 40: Architecture Modeling Shape that de
Page 41 and 42: Architecture Modeling Conjugation o
Page 43 and 44: RichComponent Architecture Modeling
Page 45 and 46: MultiplicityElement +part 0..* Rich
Page 47 and 48: ComponentC Architecture Modeling pa
Page 49 and 50: 4 Steps in Component-Based Design T
Page 51: Architecture Modeling Assume/guaran
Page 55 and 56: Architecture Modeling next selectio
Page 57 and 58: Architecture Modeling ports must ha
Page 59 and 60: established if (and only if): Archi
Page 61 and 62: 12°C < tempSelect < 35°C actTemp
Page 63 and 64: Architecture Modeling The component
Page 65 and 66: Architecture Modeling 4.3.2 Establi
Page 67 and 68: Architecture Modeling a mapping is
Page 69 and 70: Architecture Modeling Another impor
Page 71 and 72: 5 Using the Architecture Meta-Model
Page 73 and 74: Architecture Modeling Design proces
Page 75 and 76: Architecture Modeling abstraction l
Page 77 and 78: Pwr1 Pedal_Pos1 Pwr2 Pedal_Pos2 CMD
Page 79 and 80: Architecture Modeling Figure 5.4: O
Page 81 and 82: Architecture Modeling Figure 5.7: L
Page 83 and 84: Architecture Modeling Figure 5.9: T
Page 85 and 86: Architecture Modeling Figure 5.12:
Page 89 and 90: Architecture Modeling However this
Page 91 and 92: Architecture Modeling The considera
Page 97 and 98: Architecture Modeling tasks Command
Page 99 and 100: Architecture Modeling of the V, suc
Page 101 and 102: Architecture Modeling thus decorate
Page 103 and 104:
Architecture Modeling In summary, P
Page 105 and 106:
Architecture Modeling OEMs are incr
Page 107 and 108:
Architecture Modeling provide effec
Page 109 and 110:
Architecture Modeling Figure 5.24:
Page 111 and 112:
Architecture Modeling patterns, cap
Page 113 and 114:
Architecture Modeling 6.1 Syntax an
Page 115 and 116:
6.1.1.1.1 Attribuute Definit tion a
Page 117 and 118:
Constrrain Eventts with Co ondition
Page 119 and 120:
These events used in the “and the
Page 121 and 122:
Formalization: whenever StartButton
Page 123 and 124:
Architecture Modeling Basic bloock
Page 125 and 126:
6.1.1.1.1.3 Conditions Conditions c
Page 127 and 128:
6.1.1.1.2.2 Seammless Con ncatenati
Page 129 and 130:
e3 && (clk==0) e1 idle pre e1 idle
Page 131 and 132:
Pattern whenever event occurs condi
Page 133 and 134:
If the brake force is above 80% for
Page 135 and 136:
Pattern S3: Failure shall not be ca
Page 137 and 138:
Pattern S9: failureCondition failur
Page 139 and 140:
Pattern R2: Event occurs each perio
Page 141 and 142:
idle e1 |clk:=0 e2 && (l
Page 143 and 144:
The function : allocates a singl
Page 145 and 146:
Examplees of clocks: • Run: {c=0@
Page 147 and 148:
Architecture Modeling 1. For σ ∈
Page 149 and 150:
Architecture Modeling Traces accord
Page 151 and 152:
Architecture Modeling Definition 6.
Page 153 and 154:
Architecture Modeling the one given
Page 155 and 156:
Architecture Modeling Decomposition
Page 157 and 158:
Bibliography [1] ARINC 653 - Avioni
Page 159 and 160:
Architecture Modeling [26] Holger G
show all

Architecture Modeling - SPES 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?