a way for applicable formal specification of safety requirements by ...

More documents

Recommendations

Info

emoving a signal). In that case a specific pattern of the following kind is inserted: Formulation in norm language: α changes from valid to invalid Formulation in formal language (CTL): α & AX not α In addition to this insertion, before all other variables in the formal specification of the requirement an AX has to be placed. It is in process to support also this kind of instantiation by the tool SAPIS. For specification of complex safety requirements several safety patterns have to be combined by and, or, xor or not connectives of Propositional logic. In other cases safety patterns have to be inserted in other safety patterns to specify complex safety requirements. E.g. a safety requirement of a train door control is: If the door block button is activated, the ending of the door blocking is only permitted when the signal v5 is not longer contacted. It is obvious that this safety requirement consists of two parts: A causal condition and a temporal condition. The causal condition for the whole safety requirement is: the door block button is activated. The temporal condition for the ending of the door blocking is: the signal v5 is not longer contacted. For that reason two safety patterns have to be identified in such a way like it is explained before, to specify this safety requirement. First selected safety pattern: Safety pattern in norm language: Always if a is valid, then b must also be valid. Alternative: Always if a is valid, then it must also be valid: b Safety pattern in formal language (CTL): AG (a → b) Instantiation of this safety pattern for the relevant part of the safety requirement: Safety requirement in norm language: Always if door_blockbutton_activated is valid it must also be valid: b For b a second safety pattern has to be inserted. Second selected safety pattern: Safety pattern in norm language: a must be valid permanently until b is valid. Safety pattern in formal language (CTL): A(a W (b and a)) Instantiation of this safety pattern for the relevant part of the safety requirement: Safety requirement in norm language: door_blocked must be valid permanently until not signal_v5 is valid. Total result - specification of the complete safety requirement: Safety requirement in norm language: Always if door_blockbutton_activated is valid then it must also be valid: door_blocked must be valid permanently until not signal_v5 is valid. Safety pattern formulation in formal language (CTL): AG (door_blockbutton_activated → A(door_blocked W (not signal_v5 and door_blocked))) 6. RELATED WORKS Bitsch & Göhner, 2002 and Bitsch, 2001 have already discussed works related to the safety pattern concept. Moreover there is the pattern library for the Certifier of the tool Statemate of I-Logix Inc. (I-Logix Inc. and OFFIS Systems and Consulting GmbH, 2002). A basic difference of their pattern system is that they expect the user to have knowledge and mastery of temporal logic application, which is not necessary in our approach. They only divide the patterns into four classes and give no further support to identify the correct pattern, neither by a detailed pattern classification nor by a tool. There are no patterns for specification in a terminology of natural language and only in some cases explanations in natural language are provided. A good idea is that they give an example of a state diagram for every pattern, which meets the respective requirement. In some cases they give graphical explanations using timelines. A main difference to the safety patterns approach is, that they do not restrict the practical use of formal verification to the context of safety. For this reason their considered kinds of specification patterns are not restricted to safety requirements. If the interest of a user in formal specification was only in the context to safety, it would be much easier to use a pattern system, which is restricted to the context to safety. Otherwise there are many patterns, which are not relevant to safety requirements in general. Therefore it is easier to select the suitable pattern in a pattern system restricted to the context to safety. Furthermore the bigger the pattern system
is, the more it is difficult to control ambiguities of natural language terminology. A closer approach is of Heiner et al. 2001 and Mertke et al. 2001. They do not use the term “pattern” but implicitly there are patterns which are designated as “requirement sentences” with corresponding “formal formulas”. A basic difference of their approach is that they focus on SFC controls (Sequential Function Charts) whereas the safety pattern approach is usable for any kind of system or software model notation. Second their core idea of applying the patterns is, that the user has to specify requirements by using defined sentence structures in natural language. Their requirements specific technical language is not oriented on the theoretical works of Ortner, 1997 and Schienmann, 1997. Their pattern system only contains 18 patterns, which are classified by two categories of requirement contents. The safety pattern concept attaches much more importance to the identification of the properties of the safety requirement to be specified. A similar approach and tool is not known for requirement’s properties selection. The approaches of Heiner et al. 2001, Mertke et al. 2001 and I-Logix Inc. and OFFIS Systems and Consulting GmbH, 2002 contain significantly less patterns. That means first of all that their approaches contain a bigger challenge to the abilities of the user. The user needs more control for composition and instantiation of patterns. Second the safety pattern approach enables the specification of those requirements, which cannot be specified with the help of the other approaches. The reason is that their objectives are not to give a complete pattern system for safety requirements specification. Third the safety pattern concept supports the specification of safety requirements not containing temporal logic specific specification problems only. One kind of these specification problems is well described in prEN50129 and IEC61508: “Quantified time intervals and constraints are not handled explicitly in temporal logic. Absolute timing has to be handled by creating additional time states as part of the state description.” So it is possible to specify some problems in temporal logic but it is not explicitly treated in the temporal logic languages. Such kinds of problems are also supported by the safety pattern approach in contrast to any other known approach. With the help of other approaches it is possible to specify those requirements, too, but it is more difficult for the user because he gets no support by special patterns like in the safety pattern approach. During the development of the safety pattern classification of our approach we set value on practical relevance of the safety patterns for any kind of industrial automation system. A result is e.g. that we consider requirements with explicit time, the frequency of validity in a time interval or safety requirements for time triggered systems in own classes. Another example is that we distinguish the exact succession of propositions in detail, such that there may be an overlap between the validity of the successor and the predecessor. This is e.g. important for bus systems. E.g. these cases are not considered in any other known approach. So we can take the note that in several respects the user has more responsibility and more risk in other approaches. Besides the extensive information listing for every safety pattern in the safety pattern approach is missing in the other approaches (e.g. natural language and partly graphical explanations). Finally only in the safety pattern approach patterns are specified in several formal languages. In any case the agreement of both related approaches with the safety pattern approach is the conviction of the benefit of formal requirement specification patterns. 7. SUMMARY AND OUTLOOK It has been shown how with the help of safety patterns and the dialog system SAPIS the recommendations and demands of the standards IEC61508 and EN50128 for safety requirements specification can be met. The formal specification of safety requirements and the corresponding specification in a terminology of natural language are supported. The explained approach also removes weaknesses of the standards in this way that the correct use of formal languages is supported for safety requirements specification. Also the avoidance of ambiguities is supported when using natural language specifications for describing the formal specifications. This is achieved by using safety patterns formulated in the safety pattern norm language. So the equivalence between both specifications is guaranteed. The safety pattern catalogue also helps to interpret correctly a specified safety requirement in such a way that the specification meaning can be looked up in the safety pattern catalogue. In Figure 3 the principle of the approach is shown.
Page 1 and 2: A WAY FOR APPLICABLE FORMAL SPECIFI
Page 3 and 4: (Globally)”, “Until” and “W
Page 5 and 6: Safety Pattern ds-wet-27 dynamic sa
Page 7: mode “strong guided dialog“ so
Page 11: Safety Reliability and Security (U.

a way for applicable formal specification of safety requirements by ...

Create successful ePaper yourself

Delete template?

Save as template?