Analysing Fault-Tolerant System using KAOS/FAUST

C. Ponsard, P. Massonet, J.F. Molderez (CETIC)

A. van Lamsweerde (UCL/INGI)Short presentation & DemoREFT’05, Newcastle (UK)

Key IdeaKey Idea

B Method:from specification to code “correct by construction” approachmoving towards requirements“System B” models of both SW/HW/environment

KAOSsimilar approach at requirements levelalso refinement approach (property based)reason the design of the composite systemexplore alternative designs, reason about agent responsibilitiesassess/improve the robustness of the systemtool support: FAUST

• based on Objectiver semi-formal RE platform (providing conceptual repository, graph edit, doc. generation,…)

• Seamless integration for optimal communication looks complementary and worth investigating current status of on-going work

Structuring Properties Structuring Properties using a Goal Model (with KAOS)using a Goal Model (with KAOS)

EffectivePassengersTransportation

SafeTransportationRapidTransportation

BlockSpeed Limited

DoorsClosedWhileMoving

TrainCollision

ProgressWhen GoSignal

SignalSet ToGo

TrainProgress Delay

HOW? WHY?

MoreTrainsRunning

S2B

WorstCaseStoppingDistanceMaintained

current

TrainsOnSameBlock

On (tr, b) On (tr, next(b))

On(tr,b) Go[next(b)] On(tr,next(b))

On(tr,b) Go[next(b)]

On (tr, b) On (tr, b) W On (tr,next(b))

TrainWaiting

Being PessimisticBeing Pessimistic

AccelerationCommand Not SentInTimeToTrain

WorstCaseStoppingDistanceMaintained

AccelerationCommand NotReceivedInTimeByTrain

...

NotSent SentLate SentToWrongTrain

Acceleration NotSafe

...

AccelerationSentInTimeToTrain

SafeAccelerationComputed

SentCommandReceivedByTrain

ReceivedCommandExecutedByTrain

MilestoneMilestone

ReceivedLate

CorruptedNotReceived

Driving the elaboration Driving the elaboration processprocess

Goal Goal ModelModel

TrainTrain TrackSegmentTrackSegment0:10:1OnOn

Object ModelObject Model Agent ModelAgent Model

SafeAccelerSafeAcceler

OperationOperation SendCommand SendCommand DomPreDomPre ¬¬Sent (m, tr)Sent (m, tr) DomPostDomPost Sent (m, tr)Sent (m, tr) ReqPostReqPost forfor SafeAccelerSafeAcceler m.Acceler m.Acceler F(tr, tr.Preced)F(tr, tr.Preced)

Operation Operation ModelModel

NoTrainCollisionNoTrainCollision

Some Derived ArtefactsSome Derived Artefacts

Connection with B/RodinConnection with B/Rodin

B moving towards requirements “System B” models of both SW/HW/environmentRequirements gap is a well known problem [Abrial]

Refinement approachProperty refinements in KAOSOperational refinements in B

Benefits for direct engineering: Identifying key propertiesBuilding models easier to prove

Benefits for reverse engineering:Structuring key propertiesExplaining model to stakeholders for validation/acceptance

• semi-formal notations, animation, document generation,…Better documentation: less flat document, richer traceability, checks

Agenda for “K2B”Agenda for “K2B”

Practical Scope: Composys style (Clearsy use of System-B)industrial cases (automotive/railway)

From KAOS models to B models:“Automated” generation of initial B specificationFrom set of operation assigned to agentAttach requirements/ higher level goalsAnimation tool ?

From B models to KAOS modelsGuidelines for building goal/object/agent models“B aware” document generation template

MeansApplied research at CETICCollaboration with ClearSy Student task force from UCL (Belgium)

DemoDemo

during coffee break

FAUST ArchitectureFAUST Architecture

Interface du vérificateur de Interface du vérificateur de raffinementsraffinements

Interface de l’animateurInterface de l’animateur