a way for applicable formal specification of safety requirements by ...

More documents

Recommendations

Info

safety pattern to the respective safety requirement in context to the operational model. The result is a formally specified safety requirement, which is an instance of a safety pattern. In the catalogue every safety pattern is given in the formal notations CTL (Computation Tree Logic), LTL (Linear Time Temporal Logic) and µ-Calculus. Furthermore the specification in Temporal OCL (an extension of the Object Constraint Language by temporal logic aspects, compare Flake & Mueller, 2001) is in process. In this way the developer is able to choose the formalism required for the model checker according to his preferences. For that reason the expressive power of different variants of temporal logic is considered in the safety patterns approach. Every safety pattern is explained in natural language, so that the meaning of the safety patterns is easily to understand. Like explained before, IEC61508 and EN50128 necessarily require for reasons of clear understandability that in case of formal specification there should be also a formulation in natural language. For that reason safety patterns do not only support formal specification of safety requirements but also enable specifications in a terminology of natural language equivalent to the formal specification. Every safety pattern contains a specification template in a restricted terminology of natural language. The meanings of the allowed constructs and words being used for description are fixed (see Bitsch & Göhner, 2002). That means that a norm language for safety patterns is used. A norm language sounds like a natural language, but it is a strongly reduced form of natural language. It is a connecting link between natural languages and formal languages (Ortner, 1997 and Schienmann, 1997). By the fixed assignment of a formal formulation and a formulation in a restricted safety requirements related terminology the equivalence of formal specification and specification in words of natural language is guaranteed. The demands of the standards are fulfilled and simultaneously the weakness of the standards is solved. In this way a safety pattern can also be used to precisely formulate a safety requirement in natural language. Especially in teamwork, clearly understandable and precisely formulated specifications of safety requirements are a precondition for the development of safe automation systems. Besides in communication with approval authorities the meaning of formal safety requirements based on such a safety pattern catalogue is easy to understand. Figure 1 shows an example of a safety pattern. It is also in process to enlarge the data in every safety pattern with graphical descriptions. The graphical description contains typical possible sequences of states and also different examples of possible computation paths (see Bitsch & Göhner, 2002). Bitsch, 2002 showed the role and the benefit of embedding the safety pattern approach in the process of developing system requirements specifications for railway systems. Also a process is explained how to specify safety requirements in context of the operational model (see also Bitsch et al. 2000 and Moik, 2002) so that safety requirements are formulated with variables and sizes of the operational model. We can note the following benefits of safety patterns. Safety patterns support: • to specify correctly safety requirements in formal languages. • to interpret correctly formal specifications. • to specify safety requirements by using a restricted terminology of natural language corresponding to the formal specification. • different tools for correctness checking. 4. SAFETY PATTERN IDENTIFICATION The safety patterns are catalogued by means of 14 classification criteria. Every classification criterion is decisive for the classification of a safety pattern to one of two or more classes. E.g. one criterion is temporal restriction of validity. The decisive question is: What kind of temporal validity restriction of a property is to be set? The possible classes are duration of validity, beginning of validity or beginning and duration of validity (see Figure 2). A certain combination of classes of different classification criteria describes the different properties of a certain safety pattern. Based on this safety patterns classification scheme it is possible to identify the appropriate safety pattern for the safety requirement to be specified. Every classification criterion can be used to characterise a property of the safety requirement to be specified. In this way the properties of the searched safety pattern are identified and so the searched safety pattern itself is identified.
Safety Pattern ds-wet-27 dynamic safety requirement without explicit time, concerning beginning of validity and concerning permissibility of validity, safety pattern no. 27 Safety Pattern in Norm Language Only strictly after that point in time when p is valid then it is permitted that q is valid . Safety Pattern in Formal Languages CTL: A((not q) W (p and (not q))) LTL: (not q) W (p and (not q)) µ-Calculus: nu Z.((p and ( not q)) or (( not q) and [-]Z)) Temporal OCL 3 : inv: let requiredSequence = Sequence{not qConf, pConf} in begin implies self@post→forAll(s:OclPath | s→includes(requiredSequence) or s→excludes(qConf)) Explanation in Natural Language A main characteristic of this safety pattern is that q may only occur strictly after p. The exact point in time after p is irrelevant. The main thing is that q occurs strictly after p. That means q must neither occur before p nor becomes true together with p. q may occur but it do not have to. Example of Use System Level crossing in radio based operation Conventional specification of the safety requirement Only if the train has received the message “level-crossing-protected”, then it is permitted that the train drives on the level crossing. Safety requirement in norm language Only strictly after that point in time when train.received_message_level-crossing_ protected is valid then it is permitted that train.train_drives_on_level-crossing is valid. Safety requirement in formal language (CTL) A( (not train.received_message_level-crossing_protected) W (train.train_drives_on_level-crossing and not train.received_message_level-crossing_protected))) Fig. 1. Example of a safety pattern. For developers using the safety pattern concept it would be very hard to identify the suitable safety pattern only on basis of a document, in which the safety patterns are listed. To keep overview on the different kinds of classification criteria and of the respective classes a tool support in form of a dialog system is necessary. In this section the tool belonging to the safety pattern approach is explained. This software tool also helps to determine, which criteria are relevant for the safety requirement to be specified. It also supports the user to make decisions in a meaningful sequential order. The tool name is SAPIS (Safety Pattern Instantiation System). By using different kinds of dialog modes the dialog system is adaptable for users with different background knowledge and experiences related to the safety pattern approach. In principle there are three possible modes of dialog guidance. The first dialog mode is suitable for new users. The second one is the experienced user mode and the third dialog mode is the expert mode. The use of the third dialog mode is the less large-scale and the fastest one. But it can be used effectively by those users only who know the safety pattern classification very well. In the following the different modes are explained: 1 st Strong guided dialog: In this dialog mode the dialog steps are determined by the tool SAPIS. The dialog takes place in form of a question-answer-interaction. The dialog is strongly controlled by the dialog system because 3 “pConf” describes the configuration, which is reached at the occurrence of the event p and “qConf” is the configuration, which is valid at the execution of the action q. Configurations describe unambiguously every possible system state and in this way they also represent certain events and actions.
Page 1 and 2: A WAY FOR APPLICABLE FORMAL SPECIFI
Page 3: (Globally)”, “Until” and “W
Page 7 and 8: mode “strong guided dialog“ so
Page 9 and 10: is, the more it is difficult to con
Page 11: Safety Reliability and Security (U.

a way for applicable formal specification of safety requirements by ...

Create successful ePaper yourself

Delete template?

Save as template?