KAOS in Action: The BART Systemjm/2507S/Notes02/BART.pdf · KAOS in Action: the BART System 1 KAOS...

1KAOS
in Action: the BART System
KAOS in Action: The BART System

Emmanuel Letier and Axel van Lamsweerde

Dept. Ingénierie Informatique, Univ. LouvainB-1348 Louvain-la-Neuve (Belgium)

{eletier, avl}@info.ucl.ac.be

2KAOS

IntrG

TheIdFEIdDEIdO

C

O

Con


Outline

oductionoal-Oriented RE with KAOS

BART Case Studyentifying Goals from Initial Documentormalizing Goals and Identifying Objectslaborating the Goal Structureentifying Agents and Responsibilitieseriving Monitored and Controlled Quantitiesxploring Alternative Responsibility Assignmentsentifying Operationsperationalizing Goals through Strenghtened Operations

onflict Analysis: an Example

bstacle AnalysisObstacle GenerationObstacle Resolution

clusion

3KAOS

KAOS

and)

leration(tr.Loc, tr.Speed, ...)

del

goal refinementequirements, AssumptionsProps

responsibilities

Dom Pre/PostReq Pre/ Trigger / Post


Goal-Oriented Requirement Engineering withGoal Model

Operation SendComDomPre ¬ Sent(m, trDomPost Sent(m, tr)ReqPostFor SafeAce

m.Acceleration ≤ F

Operation MoAgent Interface Model

Responsibility Model

Object Model

AND/ORGoals, R

+ Dom

Or

software agents+ environment agents

Train TrackSegmentOn

2-level language:semantic net levelformal assertions

NoTrainCollision

SafeAcceleration

0:1

4KAOS

t

Initi

Avoid[TrainEnteringClosedGate]


Goal Identification From Initial Documen

al document: see http://www.hcecs.sandia.gov/bart.htm

==> Further goals identified by asking WHY and HOW questions

ServeMorePassengers

TrainsMoreCloselySpaced NewTracksAdded

Minimize[Costs]

Min[TimeBetweenStations]

SafeTransport

Maintain[WCSDistBetweenTrains]

Maintain[TrackSegmentSpeedLimit]

... ...

Min[DvlptCosts] Min[OperationalCosts]

...

5KAOS

SmoothMovement

PsgerComfort

MinimizessOnEquipment]

...

...


[StreMinimize

[PowerUsage

6KAOS

t

==>


SmoothMovement

PsgerComfort

MinimizessOnEquipment

...

...


Goal Identification From Initial Statemen

Further Goals identified by asking WHY and HOW questions

ServeMorePassenger

TrainsMoreCloselySpaced NewTracksAdded

Minimize[Costs]

Min[TimeBetweenStation

SafeTransport


Maintain[TrackSegmentSpeedLimit

... ...

Min[DvlptCosts] Min[OperationalCosts]

...

[StreMinimize

[PowerUsage

7KAOS

(1)

it

ed REn forlationships, attributes


Formalizing Goals and Identifying Objects

TrackSegment

SpeedLimit: SpeedUn...

Train

Speed: SpeedUnit...

On

Goal Maintain[TrackSegmentSpeedLimit]Definition A train should stay below the maximum

speed the track segment can han-dle.

FormalDef ∀ tr: Train, s: TrackSegment :On(tr, s) ⇒ tr.Speed ≤

Goal-oriented vs. Object-orientGoals provide precise criterio

identification of objects, re

⇓

8KAOS

(2)

eedUnit

if the train it.



TrackSegment

SpeedLimit: Sp...

Train

Speed: SpeedUnitLoc : LocationWCSDist : Distance

Following

Goal Maintain[WCSDistBetweenTrains]Definition A train should never get so close to a train in front so that

in front stops suddenly (e.g., derailment) the next train would hitFormalDef ∀ tr1, tr2: Train :

Following(tr1, tr2)⇒ tr1.Loc - tr2.Loc > tr1.WCSDist

⇓

On

9KAOS

(3)

eedUnit

,)

’, ‘closed’}

sGate

“Since”:“Until” in the past



TrackSegment

SpeedLimit: Sp...

Train

Speed: SpeedUnitLoc : LocationWCSDist : Distance

Following

Goal Avoid[TrainEnteringClosedGate]Definition A train should not enter a closed gate if it can

(i.e. if it is possible for the train to stop before the gateFormalDef ∀ tr: Train, g: Gate, s: TrackSegment:

g.status = ‘closed’ Since tr.Loc - g.Loc > tr.WCSDist∧ HasGate(s, g)⇒¬ @ On(tr, s)

⇓

On

Gatestatus: { ‘openedLoc : Location

Ha

10KAOS

1)

taintSpeedLimit]

idailment]

...

railent]should never derailrain :nt(tr)


Eliciting New Goals : WHY Questions (


Avoid[TrainCollisions]

Main[TrackSegmen

Avo[TrainDer

Goal Avoid[TrainCollisions]Definition Trains should nerver collideFormalDef ∀ tr1, tr2: Train :

❑ ¬ Collision(tr1, tr2)

Goal Avoid[TrainDeDefinition Trains FormalDef ∀ tr: T

❑ ¬ Derailme

11KAOS

2)

n]

TrackSegment

h ...


Eliciting New Goals : WHY Questions (


Avoid[TrainOnSwitchInWrongPostion]

Maintain[TrainOnCorrectLine]

Maintain[GateClosedWhen

SwitchInWrongPositio

Goal Avoid[TrainOnSwitchInWrongPostion]Definition When a train is on a switch, theswitch should be in the direction of travel ofthe trainFormalDef ∀ tr: Train, sw: Switch:

On(tr, sw) ⇒ sw.Position = tr.DirectionSwitc

12KAOS

)

WC ysical speed of the train

[aintain

uddenStopedingTrain]


Eliciting New Goals: HOW Questions (1

SDist : the physical Worst-Case Stopping Distance based on the ph


Avoid[TrainsCollisions]

MaintainSafeSpeed/AccelerationCommanded]

Maintain[SafeTrainResponse

ToCommand]

M[NoS

OfPrec

13KAOS

:.Loc + δ tr.Speed= tr.Speed + δ tr.acc

Fo⇒tr1

∧tr1

in

’ ≥ tr2.Speed - δ MaxBrakeRate


DomProptr.Loc’ = trtr.Speed’

Following(tr1, tr2)⇒tr1.Loc -tr2.Loc > tr1.WCSDist

llowing(tr1, tr2)

.AccCM’ ≤ F(tr1.Loc, tr2.Loc,tr1.Speed, tr2.Speed)

.SpeedCM’ > tr1.Speed (!)

∀ tr: Traintr.AccCM ≥ 0 ⇒ tr.Acc’ ≤ tr.AccCM∧■≤MCdelay tr.AccCM < 0 ⇒ tr.Acc’ ≤ 0∧tr.Speed ≤ tr.Speed

⇒ tr.Speed’ ≤ tr.SpeedCM

∀ tr2: Tra❑

tr2.Speed

14KAOS

)

WC ysical speed of the train

aintainddenStopedingTrain]

:.Loc + δ tr.Speed= tr.Speed + δ tr.Acc

Fo⇒tr1

∧tr1

in

’ ≥ tr2.Speed - δ MaxBrakeRate



SDist : the physical Worst-Case Stopping Distance based on the ph



Maintain[SafeSpeed/AccelerationCommanded]


ToCommand]

M[NoSu

OfPrece

DomProptr.Loc’ = trtr.Speed’

Following(tr1, tr2)⇒tr1.Loc -tr2.Loc > tr1.WCSDist

llowing(tr1, tr2)

.AccCM’ ≤ F(tr1.Loc, tr2.Loc,tr1.Speed, tr2.Speed)

.SpeedCM’ > tr1.Speed (!)

∀ tr: Traintr.AccCM ≥ 0 ⇒ tr.Acc’ ≤ tr.AccCM∧■≤MCdelay tr.AccCM < 0 ⇒ tr.Acc’ ≤ 0∧tr.Speed ≤ tr.SpeedCM

⇒ tr.Speed’ ≤ tr.SpeedCM

∀ tr2: Tra❑

tr2.Speed

15KAOS

)

aintainddenStopedingTrain]





Maintain[SafeComandToFollowingTrain

BasedOnSpeed/PositionEstimates]

Maintain[AccurateSpeed/

PositionEstimates]



ToCommand]

M[NoSu

OfPrec

16KAOS

c - ti2.Ldev ,v , ti2.Speed - ti2.Sdev )

∀

∀ Tra⇒ti.L∧ti.S


FollowingInfo(ti1, ti2)∧ Tracking(ti1, tr1) ∧ Tracking(ti2, tr2)⇒tr1.AccCM’ ≤ F (ti1.Loc+ ti1.LDev , ti2.Lo

ti1.Speed + ti1.Sde∧tr1.SpeedCM’ > ti1.Speed+ ti1.Sdev

tr: Train, ∃! ti: TrainInfo: Tracking(ti,tr)

tr: Train, ti: TrainInfo:cking(ti, tr)❑

oc - ti.Ldev ≤ tr.Loc ≤ ti.Loc +ti.Ldev

peed - ti.Sdev ≤ tr.Speed ≤ ti.Speed +Sdev

17KAOS

)

c - ti2.Ldev ,, ti2.Speed - ti2.Sdev )

∀

∀ Tra⇒ti.L∧ti.S

aintainddenStop

eedingTrain]








PositionEstimates]

FollowingInfo(ti1, ti2)∧ Tracking(ti1, tr1) ∧ Tracking(ti2, tr2)⇒tr1.accCM’ ≤ F (ti1.Loc+ ti1.LDev , ti2.Lo

ti1.speed + ti1.Sdev∧tr1.SpeedCM’ > ti1.Speed+ ti1.Sdev

tr: Train, ∃! ti: TrainInfo: Tracking(ti,tr)

tr: Train, ti: TrainInfo:cking(ti, tr)❑

oc- ti.Ldev ≤ tr.Loc ≤ ti.Loc + ti.Ldev

peed- ti.Sdev ≤ tr.Speed ≤ ti.Speed +Sdev



ToCommand]

M[NoSu

OfPrec

18KAOS

)

e]

Maintain[NoSuddenStop

OfPrecedingTrain]

Maintain[DeliveredCmdMsg

Exercised]



Achieve[CmdMsgSentInTime]

Maintain[SafeCmdMsg]

Achieve[SentCmdMsg

DeliveredInTim






PositionEstimates]



ToCommand]

19KAOS
∀ cm: CommandMessage , ti1, ti2: TrainInfocm.Sent ∧ cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,

ti1.Speed + ti.Sdev, ti2.Speed - ti2.Sdev)∧ cm.Speed > ti1.Speed+ ti1.Sdev

20KAOS

)

e]

Maintain[NoSuddenStopfPreceedingTrain]


Exercised]





Achieve[SentCmdMsg

DeliveredInTim∀ cm: CommandMessage , ti1, ti2: TrainInfocm.Sent ∧ cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,







PositionEstimates]



ToCommand] O

21KAOS

ents

sgme]


OfPrecedingTrain]


Exercised]

OnBoardTrainController

Resp



Identifying Potential Responsibility Assignm



Achieve[SentCmdM

DeliveredInTi






PositionEstimates]



ToCommand]

Speed/AccelerationControlSystem

CommunicationInfrastructure

Resp

Resp

Resp

TrackingSystem

Resp

Resp

22KAOS

r

MonitoringAgent

Attribute

ed/AccelerationontrolSystem

esp


Corresponding Agent Interface Model

Train

Speed/AccelerationControlSystem

TrainInfo CmdMsg

OnBoardTrainControlle

Goal Maintain[SafeCmdMsg]FormalDef ∀ cm: CommandMessage, ti1, ti2: TrainInfo

cm.Sent ∧ cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,


⇓

TrackingSystem

Train.AccTrain.Speed

ControllingAgent

Object.

SpeC

R

...

Train.Loc

23KAOS

==>

]


OfPreceedingTrain]



Alternative Goal Refinementsand Responsibility Assignments

different design : fully distributed system


Maintain[PreceedingTrainSpeed/Position

KnownToFollowingTrain]

Maintain[SafeAccelerationBasedOn

PreceedingTrainSpeed/Position

Or

Achieve[PreceedingTrainSpeed/PositionCommunicatedToFollowingTrain]


PositionEstimates]

Resp

TrackingSystem

Resp

CommunicationInfrastructure

Resp

...

24KAOS

t

= Id

GoaF

==>

OpeInODD


Identifying Operations and DomPre/Pos

entify state transitions relevant to goals

l Maintain[SafeCmdMsg]ormalDef ∀ cm: CommandMessage, ti1, ti2: TrainInfocm.Sent ∧cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,


ration SendCommandMessageput Train {arg tr}utput ComandMessage {res cm}omPre ¬ cm.SentomPost cm.Sent ∧ cm.TrainID = tr.ID

25KAOS

GoaF

==>Ope

In

ODD

R

2.Sdev)

R


Operationalizing Goals

l Maintain[SafeCmdMsg]ormalDef ∀ cm: CommandMessage, ti1, ti2: TrainInfocm.Sent ∧cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,


ration SendCommandMessageput Train {arg tr}

TrainInfoutput ComandMsg {res cm}omPre ¬ cm.SentomPost cm.Sent ∧ cm.TrainID = tr.ID

eqPostFor [SafeCmdMsg]Tracking(ti1, tr) ∧ Following(ti1, ti2)→cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev, ti1.Speed + ti.Sdev, ti2.Speed - ti∧ cm.Speed > ti1.Speed+ ti1.Sdev

eqTrigFor [CmdMsgSentInTime]■≤1/2 sec ¬ ∃ cm2: CommandMessage: cm2.Sent ∧ cm2.TrainID = tr.ID

26KAOS
This is not the end of the story ...

27KAOS

fPhysicalSpeed]

eed + 7

itedAccelerationWhendedSpeedAbove7mph

PhysicalSpeed

SmoothMove

for conflict


Conflict Analysis: An Example

tr.AccCM ≥ 0⇒tr.SpeedCM ≤ tr.Speed+ fn(dist_obstacle)

Maintain[CmdedSpeedCloseToPhysicalSpeed]

DistanceBetweenTrainsIncreasesWithCmdedSpeed

Maintain[CmdedSpeedAbove7mphO

tr.accCM ≥ 0⇒tr.SpeedCM > tr.Sp

◊ (∃ tr: Train):tr.AccCM ≥ 0∧fn(dist_obstacle) ≤ 7

LimCmOf

ServeMorePsgers

speed speed+7speed+fn(dist_obst)

Min[DistBetweenTrains]

Max[TrainSpeed]SafeTransport

boundary condition

28KAOS

Not

==>

Rat eleration mode

leration

t) ≤ 7 fn(dist_obst) > 7


Conflict Resolution

e: fn(dist_obst) increases with dist(obst)

Conflict Resolution :Weaken Maintain [CmdedSpeedAbove7mphOfPhysicalSpeed]

tr.AccCM ≥ 0⇒tr.SpeedCM > tr.Speed + 7 ∨ fn(dist_obst) ≤ 7

ionale: if boundary condition is true, priority is to avoid going into dec

Train

WCSD

FullBraking Deceleration Acce

fn(dist_obs

29KAOS

• O

Ob

y)

• H

=

=

Han

1. Ins

2. G

3. A


Obstacle Analysis

bstacle = high-level exception

stacle O obstructs goal G iff1. {O, Dom } |== ¬ G (Obstruction)2. Dom |=/= ¬ O (Domain Consistenc

andle obstacles at RE time

=> identification of new requirements

=> more robust system

dling obstacles during goal-oriented requirements elaboration

dentify obstacles-> formal techniques for generating obstacles from goal formulatio-> heuristics as ligthweight rules of thumb

enerate alternative obstacle resolutions-> resolution operators ==> new goals/requirements

lternative evaluation and selection

30KAOS

• G

• F

A ineering,andling, 2000.

eMsgTime]

CN

sgInTime

gte

DeliveredCmdMsgCorrupted


Obstacle Identification

oal-anchored form of Fault-Tree construction

ormal techniques to generate obstacles from goal formulations

. van Lamsweerde and E. Letier, Handling Obstacles in Goal-Oriented Requirement Engto appear in IEEE-TSE, Special Issue on Exception H





Achiev[SentCmd

DeliveredIn

CmdMsgNOTSentInTime

mdMsgOTSent

CmdMsgSentLate

CmdMsgSentTo

WrongTrain

UnsafeCmdMsgSentCmdM

NOTDelivered

SentCmdMsgNOTDelivered

SentCmdMsDeliveredLa

...

31KAOS

ns

Go= cCm

lerationControlSystem==> ller

Age= cUns

lerationControlSystemtionComputer

Ob= aImp Speed/PositionEstimates==>

StationComputer )

Go= w


Generating Alternative Obstacle Resolutio

al Substitutionhoose alternative goaldMsgSentLate Obstructs Achieve[CmdMsgSentInTime]

UnderResponsibilityOf Speed/Acce alternative design : acceleration calculated by on-board train contro

nt Substitutionhange responsibility assignment for obstructed goalafeAccelerationInCmdMsg Obstructs SafeAccelerationInCmdMsg

UnderResponsibilityOf Speed/Acce==> UnderResponsibilityOf VitalSta

stacle Preventiondd new goal: ¬ OossibleChangeInTrainSpeed/PositionEstimates Obstructs Accurate New Goal: Avoid[ImpossibleTrainInfoChange]

( to be assigned as responsibility of TrackingSystem OR

al Deidealizationeakening goal to make obstruction disappear

32KAOS

Ob= ae.g

==>

MaintainenOutOfDateTrainInfo]

O

[APo


stacle Mitigationdd new goal that tolerates obstacle but mitigates its consequences.

derivation of new requirementsMessage Origination Time Tag attribute

Maintain[NoCollisionWhenOutOfDateTrainInfo]


[NoCollisionWhAchieve

[FullBrakingWhenOutOfDateTrainInfo]utOfDate

TrainInfo

Achieve[FullBrakingWhen

MOTTinCmdMsgExpired]

Maintain[AccurateMOTT

inCmdMsg]

...

mitigatesMaintain

ccurateSpeed/sitionEstimates]

33KAOS

• S

rolled objects)

• G

• G

• G

• S perties

• E


Conclusions

ystematic derivation of requirements from goals

(required pre/post/trigger conditions, monitored/cont

oal formalization

==> refinement correctness proof

==> conflict identification/resolution

==> obstacle generation/resolution

oal-oriented explanation of requirements

oal structure provides structure for requirements document

eparation of concerns: requirements vs. assumptions vs. domain pro

xploration of alternative system proposals

KAOS in Action: The BART Systemjm/2507S/Notes02/BART.pdf · KAOS in Action: the BART System 1 KAOS...

Documents

Transcript of KAOS in Action: The BART Systemjm/2507S/Notes02/BART.pdf · KAOS in Action: the BART System 1 KAOS...