a way for applicable formal specification of safety requirements by ...

More documents

Recommendations

Info

the order of questions is fixed. At the beginning of the dialog the user is able to choose one of several question orders. That way the user is able to check the result of a complete dialog by comparing the identification of the suitable safety pattern using different question orders. 2 nd Light guided dialog: In difference to the 1 st dialog mode the user sees in one window all classification criteria with the classes belonging to them. That means he does not see the questions step-by-step but rather all criteria appear together in a form he has to fill in. Reading of questions is not necessary for experienced users but would be time consuming. Therefore, only the criteria and the classes are displayed. The question of a certain criterion is only displayed on inquiry. First the dialog is controlled by a general order, which classification decisions should be made before which other ones. Second it is controlled through the knowledge about which safety pattern class excludes which other ones. Those classification criteria which have already been decided and those, which can not be decided yet are masked. 3 rd Open dialog: In this dialog mode all possible question orders are considered. Like in the second dialog mode the user has to fill in a form, in which all classification criteria with the possible classes are displayed in one window. The user is able to choose at any point in time any classification criterion he likes to answer. The dialog is controlled by SAPIS only in this way that the system has knowledge about which safety pattern classes are excluded by which other ones. In difference to dialog mode 2 it is possible that by one decision also other criteria might be implicitly decided, in case that the decision for one criterion requires that other criteria are decided before. For the userfriendliness of SAPIS, it is important in the 3 rd dialog mode that the user is able to identify the appropriate safety pattern via any possible order of classification criteria decisions. With the help of the tool Cernato (navicon GmbH, 2002) it can be checked if all these possibilities are implemented in SAPIS. It is based on the methods of the begrifflichen Wissensverarbeitung (conceptual knowledge work) of Wille et al. 2000. This tool enables a complete graphical overview and analysis of data dependencies, exceptions, mutuality, connections and differences. In all modes it is also possible to get further more detailed information for every criterion and its classes if the formulation of a question is not sufficient for the user to decide for a class. SAPIS is usable via Internet and is available at the location which can be found in the reference at Bitsch & Lovasi, 2002. The GUI runs in a web browser on a client computer. The application logic is located on a web server. This computer or a third one is used as database server for the safety pattern data. The following section explains by means of an example of use how SAPIS supports the precise and correct specification of safety requirements. class duration of validity: validity of a proposition only until a certain point in time; [0,T]: proposition validity 1 0 T t class beginning of validity: validity of a proposition from a certain point in time on; [T,∞): proposition validity 1 0 T t class beginning & duration of validity: validity of a proposition between two points in time; [T 1 ,T 2 ]: proposition validity 1 0 T 1 T t 2 Fig. 2. Illustration of the classes of the classification criterion temporal restriction of validity. 5. APPLICATION OF THE SAFETY PATTERN APPROACH BY USING THE TOOL SAPIS The application of SAPIS will be demonstrated by a brief example. For the safety requirement of a one-way level crossing in radio based operation there is the safety requirement: If the train does receive the message “level_crossing_not_protected“, then the train has to stop before the level crossing. To detect the suitable formal specification in CTL first the safety requirement has to be assigned to the correct classes of the different criteria with the help of SAPIS. We choose the
mode “strong guided dialog“ so that the order of the question is given. In the following the relevant classification criteria , which have to be decided are listed (a) with the questions belonging to them (b). Then the decision for the correct class the safety requirement belongs to is explained (c): 1. a. Existence of a temporal logic aspect in the safety requirement. b. Does the safety requirement contain any temporal logic aspect? c. Yes, the possible message reception and the stop of the train before the level crossing are in a temporal relation. Therefore the class dynamic safety requirement has to be selected. 2. a. Type of time specification. b. Does the safety requirement contain any explicit time specification? c. No, there is no temporal statement in dependence on a system clock. For that reason it is a safety requirement with implicit time specification only. 3. a. Existence of temporal dependencies between propositions. b. Does the safety requirement contain any temporal dependencies between propositions or does it require a reachability or an assurance of reaching without temporal conditions? c. There exists a temporal dependency between ... • if the train receives the message “level_crossing_not_protected“ and • that the train stops before the level crossing. Therefore, the safety requirement belongs to the class safety requirements with temporal dependencies between propositions. 4. a. Temporal restriction of validity. b. What kind of temporal validity restriction of a property is to be set? c. It is stated at which point in time the train has to be stopped. So the correct class is beginning of validity. 5. a. Frequency of validity in validity interval. b. What is the frequency of the predicate validity in the validity interval? c. There is no safety related necessary restriction with respect to the frequency but the train must stop at least one time if the train receives the negative message. Therefore the right class is validity at least n times (with n=1). 6. a. Modality of demand. b. What is the modality of demand? c. The safety requirement does not state a permitted or forbidden behaviour but a necessary one. That is why the class is necessity. 7. a. Type of beginning of validity. b. When exactly should the validity of the demanded property begin? c. The stopping of the train may be started from that point in time on when the train receives the message. Therefore, the safety requirement has to be assigned to the class validity from a certain point in time on. Based on this classification the following safety pattern with the appropriate explanation is identified: Safety pattern in norm language: b must be valid at least once together with or anytime after a is valid. Safety pattern in formal language (CTL): AG (a → AF b) Specification of the safety requirement in norm language: (train.current_velocity=0 and train.current_position < levelcrossing.position_beginning) must be valid at least once together with or anytime after train.message_level_crossing_not_ protected is valid. Specification of the safety requirement in formal language (CTL): AG (train.message_level_crossing_not_ protected → AF (train.current_ velocity=0 and train.current_position < level-crossing.position_beginning)) The example shows clearly that the variables of a safety pattern predicates can be substituted by state, event, action, condition or configuration variables of the corresponding operational model, which has to fulfil the safety requirement. Furthermore predicates with boolean meaning can be inserted like comparisons with >,
Page 1 and 2: A WAY FOR APPLICABLE FORMAL SPECIFI
Page 3 and 4: (Globally)”, “Until” and “W
Page 5: Safety Pattern ds-wet-27 dynamic sa
Page 9 and 10: is, the more it is difficult to con
Page 11: Safety Reliability and Security (U.

a way for applicable formal specification of safety requirements by ...

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?