SWE 623Duminda Wijesekera1 Requirements, their Consistency and Completeness RSML Formulation of TCAS II Discussed as an example of a precise and formal

SWE 623 Duminda Wijesekera 1

Requirements, their Consistency and Completeness

RSML Formulation of TCAS IIDiscussed as an example of a precise and formal capturing of

a real-world software engineering specifications

SWE 623(Thanks to Prof. Mats P. E. Heimdahl for references)


TCAS II• Traffic alert and collision avoidance system.• Airborne device functioning independent of ground

based traffic control.• All commercial and larger commuter and business

aircrafts (with 10-30 seats) must have this on aboard.• TCAS I provided proximity warning (traffic

advisories) and assist the pilot in visualizing intruder aircrafts.

• TCAS II recommends escape maneuvers (resolution advisories) in a vertical direction to avoid collusions.


Brief History• Collision avoidance systems are 25 years old.

• Minimal Operational Performance Standards Document (MOPS-1983) was written in a combination of English and pseudocode. –– Revised extensively six times.– Had difficulty in certification, so Government

started rewriting the document and UCI started an experimental formal specification and safety analysis.


System View

• System = Collection of components working together.• Process control= input output behavior in the presence

of disturbances.– Disturbances due to chemical, aerodynamic, thermal or

physical laws.

• Operating Constraints– Range constraints for input/output variables.– Operating conditions.– Limits design choices– May be results of quality control, resource bounds, physical

limitations, process characteristics etc.


TCAS Examples

• Maintain minimum separation between aircrafts

• Constraints– No interfering with ground based air traffic

control (ATC) functions.– Acceptably low level of unwanted alarms.– Minimizing deviation from ATC assigned

tracks.


Difference between Goals and Requirements

• Goal= Avoid near misses = (I.e. aircrafts violating minimum separation distance)

• A legitimate goal, but cannot determine if it is achievable in a given operating environment.

• Therefore cannot be a requirement of the system design.

• The system can strive to minimize near misses.


Basic Process Control Model• Control variables ( Vc )

– Process monitored through these

• Manipulated variables ( Vm )– Controlled through these

• Sensors ( Fs )– Monitor actual behavior of

process

• Actuators ( Fa )– Devices designed to manipulate

process behavior

• Controller ( Fc)– Device used to implement

control function

Process Fp

Controller Fc

Actuator Sensors

Disturbances

ControlledVariables

ManipulatedVariables

Command Signal


RSML Approach

• Black-box behavior specified using state machine model

– Outputs of the controller specified with respect to state change in the model as information received about current state via controlled variables Vc.

– Control function Fc specified using a model of the state of all other aircraft within host’s space.

Desired process control behavior

Black-box specification of controller behavior

ImplementationSpecifying Controller Design Based on functional decomposition


Basic Definitions

• Input Variables: Is,,Output Variables: Os

• Controlled Vars: Vc ManipulatedVars: Vm

• Disturbances: D

• Process Function: Fp: Vm x Is x D x t Os x Vc

• Sensor Function: Fs: Vc x t Is

• Actuator Function: FA: Os x t Vm

• Control Function: Fc: Is x Vc x t Os


Fc : Controller Function

• Modeled as a state machine– Iteratively refined during requirements specification.

• An abstraction of the current understanding of real world control loop.

• Most control functions are non-linear equations.• Modeling errors represent mismatches between

real world view and state machine view.


Design Criteria• Need black-box behavior, not internal design

information.

• Minimality and simplicity.

• Formal, concise, coherent notation.

• Readability, reviewability

• Best use of graphics, tables and symbolic.

• Ability to formally analyze safety, completeness and consistency.


Properties of Statecharts• And/Or hierarchies.• Conditions (conditional connectives in RSML)

– I.e. guard determines which Or state to transition as a consequence of an even triggering.

• Arrays of state machines. – Example: array of other aircraft (statechart)

• Additions:– Directed communication (unidirectional explicit FIFO

queue) between state charts

– Broadcast mechanisms with some limitations


Interface Definitions and Communication Mechanisms

• State-charts modeled components, hence had to write interface definitions between models.

• Communication– Sending machine execute SEND(msg, destination) -

I.e. receivers name– Triggers RECEIVE event in destination machine.– No synchrony hypothesis in communication


State Machine Descriptions• Input variables, output variables and graphical state

machines• Attributes of variable include

– Location (machine name),

– Source/destination (external component, eg Altimeter)

– Type (eg integer) , Expected Range 9eg 1 to 1000,

– Granularity (10s) , Units meters), Load (frequency of change)

– Exception handling (what to do for out of range)

– Traceability information (MOPS document reference)


Format ofRSML State Machines


Example RSML State-chart




Encoding States


Example State

Definition


Transitions

• TRANSITION: North East

North East

•Had a notation for locations such as•Location: Other_aircraft Tracked > Intruder_status_52


Notation for Guarding Conditions• Conditions written in disjunctive normal form

and tabulated


Example: Table vs. Logic


Example: Table vs. Logic


Analysis• Completeness: Robustness

– Responsiveness to every possible input and input sequence.

– Logical OR of transition condition is a tautology.– Every state having a timeout transition behavior.

• Consistency– Free of conflicting requirements.– Free of undesired non-determinism.


Completeness: D-completeness

• D-Completeness: – The system must respond in real time to any input

and input sequence. Involves following steps– At atomic states,

• all behaviors are defined (I.e. all external input changes are accounted for) and

• There are no conflicting requirements (source of non-determinism)


Completeness: OR States Cont..– At OR (Union) states,

• Transition conditions are disjoint.– Guards of transitions triggered by the same event are mutually

exclusive.

• Entire domain is covered (OR of conditions is True)– OR of all guards of conditions triggered by same event is TRUE.

• (I.e. one and ONLY ONE satisfiable transition out of every state)

• AND/OR tabular representation of guards is very helpful for analysis.

• In general, this problem is NP complete (3-sat is NP hard), but Used BDD’s to manipulate conditions.


Completeness: OR - Continued

– At OR (Union) states: Problems Encountered, • BDD’s are only good for symbolic manipulations, hence a

lot of potential errors in the specifications are reported.

• Conversely, theorem proving approach will cover some of these problems, but is VERY expensive to do by itself.

• Would like a hybrid of BDD’s talking to theorem provers, but such things do not exist yet!

• See Heimdahl, Czerney article in High Assurance Systems Engineering Conference 1999 on this point.


Completeness: AND States• Two transitions in parallel AND state triggers

by same event

• If truth value of the guard of one component affects the truth value of the other guards, then non-determinism may result.

• So RSML check for such dependencies.

• Costly to check, but rare in TCAS specifications.


Completeness: Serial Composition

• Transition triggering one event may trigger another event.

• In order to achieve this effect, the the domain of the second must be included in the range of the first.

• Thirdly, if an event is generated as a consequence of some action, and it is never caught any where else, then the specification is incomplete.


Consequences• RSML specs are now the official specs for TCAS II.• There are some tools to check d-completeness.• Many incomplete specifications were detected during

analysis phase. • It is difficult to provide guidance in eliminating

incompleteness's and inconsistencies.• Sensitivity of the TCAS system: How close an intruder

is allowed to get? RSML specifications can be parametrized on sensitivity levels. –

• Sensitivity analysis.

Documents

SWE 623Duminda Wijesekera1 Requirements, their Consistency and Completeness RSML Formulation of TCAS II Discussed as an example of a precise and formal