a way for applicable formal specification of safety requirements by ...
a way for applicable formal specification of safety requirements by ...
a way for applicable formal specification of safety requirements by ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
(Globally)”, “Until” and “Weak until” 2 , (see<br />
Huth & Ryan, 2000 and Villa et al.).<br />
In the following the difficulty <strong>of</strong> <strong>safety</strong><br />
requirement <strong>specification</strong>s in CTL is shown <strong>by</strong><br />
means <strong>of</strong> an example. A <strong>safety</strong> requirement <strong>for</strong> a<br />
pneumatic train door control could be:<br />
The execution <strong>of</strong> the close function <strong>of</strong> valve v3 is<br />
permitted only after receiving the close<br />
command.<br />
(1) shows the <strong>for</strong>mal <strong>specification</strong> <strong>of</strong> this<br />
<strong>safety</strong> requirement. However, the problem is that<br />
(2) is also a possible <strong>for</strong>mal <strong>specification</strong>. It<br />
depends on the interpretation <strong>of</strong> the word “after”,<br />
which <strong>of</strong> these possible <strong>for</strong>mal <strong>for</strong>mulas is the<br />
right one.<br />
A(not close_function_valve_v3 W<br />
(receive_close_command and not<br />
close_function_valve_v3))<br />
A(not close_function_valve_v3 W<br />
(receive_close_command and not<br />
close_function_valve_v3)) and<br />
(AG (receive_close_command →<br />
(AX close_function_valve_v3 and<br />
AX AX AG not<br />
close_function_valve_v3)) xor<br />
AG not close_function_valve_v3)<br />
(1)<br />
(2)<br />
In (2) “after” has the meaning <strong>of</strong> “exactly<br />
after” in the sense <strong>of</strong> directly after or<br />
immediately after. In context to the example the<br />
meaning would be that until the close command<br />
is executed the execution <strong>of</strong> the close function is<br />
not permitted. In the chronological succession <strong>of</strong><br />
actions the valve close function is not true in that<br />
time when “receiving the close command”<br />
becomes valid. In case that the <strong>safety</strong><br />
requirement is related to a time triggered system<br />
the meaning is that the execution <strong>of</strong> the close<br />
function is only permitted in the state after the<br />
next time trigger. In case <strong>of</strong> an event triggered<br />
system then in between the temporal succession<br />
<strong>of</strong> the both actions it is not permitted that any<br />
other variable defined in the operational model<br />
(e.g. state, action or event variable) changes its<br />
value. In (1) “after” has the meaning <strong>of</strong> “strictly<br />
after”. In context to the example the meaning<br />
would be as in (2) that until the close command<br />
2<br />
In (p W q) with the temporal modality “Weak until” the<br />
proposition q does not have to be true in any state in<br />
difference to the <strong>for</strong>mula (p U q) with the ordinary “Until”.<br />
In particular, if q is never true, then p needs to hold <strong>for</strong> all<br />
states <strong>of</strong> that path.<br />
is executed the execution <strong>of</strong> the close function is<br />
not permitted but in difference to (2) it is<br />
permitted any time after.<br />
This example shows that such kind <strong>of</strong> <strong>for</strong>mal<br />
<strong>for</strong>mulas like (1) or (2) are difficult to read, to<br />
understand and to write correctly especially <strong>for</strong><br />
an engineer, who is not familiar with higher<br />
logic. It easily happens, that a <strong>for</strong>mula is<br />
specified, which states something different than<br />
it should.<br />
To handle these difficulties, in IEC61508<br />
and EN50128 it is necessarily required to specify<br />
in addition to <strong>for</strong>mal <strong>specification</strong> also in natural<br />
language <strong>for</strong> reasons <strong>of</strong> clear understandability.<br />
But this is not a sufficient solution. The problem<br />
is that natural language permits ambiguous<br />
<strong>for</strong>mulations. There<strong>for</strong>e a possible consequence<br />
could be a specified <strong>safety</strong> requirement, which is<br />
interpreted differently with respect to the original<br />
intention <strong>of</strong> the <strong>for</strong>mal <strong>specification</strong>. Moreover<br />
an equivalent <strong>specification</strong> <strong>of</strong> the original<br />
intention cannot be guaranteed. A solution to<br />
solve these problems <strong>of</strong> <strong>applicable</strong> precise<br />
<strong>specification</strong> and interpretation and <strong>of</strong><br />
<strong>specification</strong> in a natural language terminology<br />
equivalent to <strong>for</strong>mal <strong>specification</strong> is the <strong>safety</strong><br />
pattern approach. This approach is explained in<br />
detail in the next section.<br />
3. SAFETY PATTERNS – THE KEY TO<br />
FORMAL SPECIFICATION OF<br />
SAFETY REQUIREMENTS<br />
The core idea <strong>of</strong> the <strong>safety</strong> pattern approach is<br />
that the engineer applies pre-specified generic<br />
<strong>safety</strong> <strong>requirements</strong> <strong>for</strong> <strong>safety</strong> <strong>requirements</strong><br />
<strong>specification</strong> (see Bitsch, 2001 and Bitsch &<br />
Göhner, 2002). These patterns contain only those<br />
temporal logic expressions, which are suitable<br />
<strong>for</strong> the different kinds <strong>of</strong> <strong>safety</strong> <strong>requirements</strong>.<br />
Because these patterns are used <strong>for</strong> the<br />
<strong>specification</strong> <strong>of</strong> <strong>safety</strong> <strong>requirements</strong> they are<br />
called <strong>safety</strong> patterns. They are listed in a<br />
catalogue <strong>of</strong> <strong>safety</strong> patterns. This catalogue<br />
contains 305 different <strong>safety</strong> patterns. In a first<br />
step the developer identifies the suitable <strong>safety</strong><br />
pattern with the respective <strong>for</strong>mal <strong>for</strong>mula in this<br />
catalogue. The identification is supported <strong>by</strong> a<br />
structure <strong>of</strong> the <strong>safety</strong> patterns based on a<br />
semantic classification <strong>of</strong> different kinds <strong>of</strong><br />
<strong>safety</strong> <strong>requirements</strong>. Bitsch, 2001 and Bitsch &<br />
Göhner, 2002 explain the classification and the<br />
principle <strong>of</strong> deriving <strong>safety</strong> patterns. In a second<br />
step the developer has to adapt the identified