a way for applicable formal specification of safety requirements by ...
a way for applicable formal specification of safety requirements by ...
a way for applicable formal specification of safety requirements by ...
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
is, the more it is difficult to control ambiguities<br />
<strong>of</strong> natural language terminology.<br />
A closer approach is <strong>of</strong> Heiner et al. 2001<br />
and Mertke et al. 2001. They do not use the term<br />
“pattern” but implicitly there are patterns which<br />
are designated as “requirement sentences” with<br />
corresponding “<strong>for</strong>mal <strong>for</strong>mulas”. A basic<br />
difference <strong>of</strong> their approach is that they focus on<br />
SFC controls (Sequential Function Charts)<br />
whereas the <strong>safety</strong> pattern approach is usable <strong>for</strong><br />
any kind <strong>of</strong> system or s<strong>of</strong>tware model notation.<br />
Second their core idea <strong>of</strong> applying the patterns is,<br />
that the user has to specify <strong>requirements</strong> <strong>by</strong> using<br />
defined sentence structures in natural language.<br />
Their <strong>requirements</strong> specific technical language is<br />
not oriented on the theoretical works <strong>of</strong> Ortner,<br />
1997 and Schienmann, 1997. Their pattern<br />
system only contains 18 patterns, which are<br />
classified <strong>by</strong> two categories <strong>of</strong> requirement<br />
contents. The <strong>safety</strong> pattern concept attaches<br />
much more importance to the identification <strong>of</strong><br />
the properties <strong>of</strong> the <strong>safety</strong> requirement to be<br />
specified. A similar approach and tool is not<br />
known <strong>for</strong> requirement’s properties selection.<br />
The approaches <strong>of</strong> Heiner et al. 2001,<br />
Mertke et al. 2001 and I-Logix Inc. and OFFIS<br />
Systems and Consulting GmbH, 2002 contain<br />
significantly less patterns. That means first <strong>of</strong> all<br />
that their approaches contain a bigger challenge<br />
to the abilities <strong>of</strong> the user. The user needs more<br />
control <strong>for</strong> composition and instantiation <strong>of</strong><br />
patterns. Second the <strong>safety</strong> pattern approach<br />
enables the <strong>specification</strong> <strong>of</strong> those <strong>requirements</strong>,<br />
which cannot be specified with the help <strong>of</strong> the<br />
other approaches. The reason is that their<br />
objectives are not to give a complete pattern<br />
system <strong>for</strong> <strong>safety</strong> <strong>requirements</strong> <strong>specification</strong>.<br />
Third the <strong>safety</strong> pattern concept supports the<br />
<strong>specification</strong> <strong>of</strong> <strong>safety</strong> <strong>requirements</strong> not<br />
containing temporal logic specific <strong>specification</strong><br />
problems only. One kind <strong>of</strong> these <strong>specification</strong><br />
problems is well described in prEN50129 and<br />
IEC61508: “Quantified time intervals and<br />
constraints are not handled explicitly in temporal<br />
logic. Absolute timing has to be handled <strong>by</strong><br />
creating additional time states as part <strong>of</strong> the state<br />
description.” So it is possible to specify some<br />
problems in temporal logic but it is not explicitly<br />
treated in the temporal logic languages. Such<br />
kinds <strong>of</strong> problems are also supported <strong>by</strong> the<br />
<strong>safety</strong> pattern approach in contrast to any other<br />
known approach. With the help <strong>of</strong> other<br />
approaches it is possible to specify those<br />
<strong>requirements</strong>, too, but it is more difficult <strong>for</strong> the<br />
user because he gets no support <strong>by</strong> special<br />
patterns like in the <strong>safety</strong> pattern approach.<br />
During the development <strong>of</strong> the <strong>safety</strong> pattern<br />
classification <strong>of</strong> our approach we set value on<br />
practical relevance <strong>of</strong> the <strong>safety</strong> patterns <strong>for</strong> any<br />
kind <strong>of</strong> industrial automation system. A result is<br />
e.g. that we consider <strong>requirements</strong> with explicit<br />
time, the frequency <strong>of</strong> validity in a time interval<br />
or <strong>safety</strong> <strong>requirements</strong> <strong>for</strong> time triggered systems<br />
in own classes. Another example is that we<br />
distinguish the exact succession <strong>of</strong> propositions<br />
in detail, such that there may be an overlap<br />
between the validity <strong>of</strong> the successor and the<br />
predecessor. This is e.g. important <strong>for</strong> bus<br />
systems. E.g. these cases are not considered in<br />
any other known approach. So we can take the<br />
note that in several respects the user has more<br />
responsibility and more risk in other approaches.<br />
Besides the extensive in<strong>for</strong>mation listing <strong>for</strong><br />
every <strong>safety</strong> pattern in the <strong>safety</strong> pattern<br />
approach is missing in the other approaches (e.g.<br />
natural language and partly graphical<br />
explanations). Finally only in the <strong>safety</strong> pattern<br />
approach patterns are specified in several <strong>for</strong>mal<br />
languages. In any case the agreement <strong>of</strong> both<br />
related approaches with the <strong>safety</strong> pattern<br />
approach is the conviction <strong>of</strong> the benefit <strong>of</strong><br />
<strong>for</strong>mal requirement <strong>specification</strong> patterns.<br />
7. SUMMARY AND OUTLOOK<br />
It has been shown how with the help <strong>of</strong> <strong>safety</strong><br />
patterns and the dialog system SAPIS the<br />
recommendations and demands <strong>of</strong> the standards<br />
IEC61508 and EN50128 <strong>for</strong> <strong>safety</strong> <strong>requirements</strong><br />
<strong>specification</strong> can be met. The <strong>for</strong>mal<br />
<strong>specification</strong> <strong>of</strong> <strong>safety</strong> <strong>requirements</strong> and the<br />
corresponding <strong>specification</strong> in a terminology <strong>of</strong><br />
natural language are supported. The explained<br />
approach also removes weaknesses <strong>of</strong> the<br />
standards in this <strong>way</strong> that the correct use <strong>of</strong><br />
<strong>for</strong>mal languages is supported <strong>for</strong> <strong>safety</strong><br />
<strong>requirements</strong> <strong>specification</strong>. Also the avoidance <strong>of</strong><br />
ambiguities is supported when using natural<br />
language <strong>specification</strong>s <strong>for</strong> describing the <strong>for</strong>mal<br />
<strong>specification</strong>s. This is achieved <strong>by</strong> using <strong>safety</strong><br />
patterns <strong>for</strong>mulated in the <strong>safety</strong> pattern norm<br />
language. So the equivalence between both<br />
<strong>specification</strong>s is guaranteed. The <strong>safety</strong> pattern<br />
catalogue also helps to interpret correctly a<br />
specified <strong>safety</strong> requirement in such a <strong>way</strong> that<br />
the <strong>specification</strong> meaning can be looked up in the<br />
<strong>safety</strong> pattern catalogue. In Figure 3 the principle<br />
<strong>of</strong> the approach is shown.