kaos in action: the bart systemjm/2507s/notes02/bart.pdf · kaos in action: the bart system 1 kaos...

KAOS in Action: The BART System

Emmanuel Letier and Axel van Lamsweerde

Dept. Ingénierie Informatique, Univ. LouvainB-1348 Louvain-la-Neuve (Belgium)

{eletier, avl}@info.ucl.ac.be

TheIdFEIdDEIdO

in Action: the BART System

Outline

oductionoal-Oriented RE with KAOS

BART Case Studyentifying Goals from Initial Documentormalizing Goals and Identifying Objectslaborating the Goal Structureentifying Agents and Responsibilitieseriving Monitored and Controlled Quantitiesxploring Alternative Responsibility Assignmentsentifying Operationsperationalizing Goals through Strenghtened Operations

onflict Analysis: an Example

bstacle AnalysisObstacle GenerationObstacle Resolution

clusion

leration(tr.Loc, tr.Speed, ...)

goal refinementequirements, AssumptionsProps

responsibilities

Dom Pre/PostReq Pre/ Trigger / Post

Goal-Oriented Requirement Engineering withGoal Model

Operation SendComDomPre ¬ Sent(m, trDomPost Sent(m, tr)ReqPostFor SafeAce

m.Acceleration ≤ F

Operation MoAgent Interface Model

Responsibility Model

Object Model

AND/ORGoals, R

software agents+ environment agents

Train TrackSegmentOn

2-level language:semantic net levelformal assertions

NoTrainCollision

SafeAcceleration

Avoid[TrainEnteringClosedGate]

Goal Identification From Initial Documen

al document: see http://www.hcecs.sandia.gov/bart.htm

==> Further goals identified by asking WHY and HOW questions

ServeMorePassengers

TrainsMoreCloselySpaced NewTracksAdded

Minimize[Costs]

Min[TimeBetweenStations]

SafeTransport

Maintain[WCSDistBetweenTrains]

Maintain[TrackSegmentSpeedLimit]

... ...

Min[DvlptCosts] Min[OperationalCosts]

SmoothMovement

PsgerComfort

MinimizessOnEquipment]

[StreMinimize

[PowerUsage

SmoothMovement

PsgerComfort

MinimizessOnEquipment

Goal Identification From Initial Statemen

Further Goals identified by asking WHY and HOW questions

ServeMorePassenger

TrainsMoreCloselySpaced NewTracksAdded

Minimize[Costs]

Min[TimeBetweenStation

SafeTransport

Maintain[TrackSegmentSpeedLimit

... ...

Min[DvlptCosts] Min[OperationalCosts]

[StreMinimize

[PowerUsage

ed REn forlationships, attributes

Formalizing Goals and Identifying Objects

TrackSegment

SpeedLimit: SpeedUn...

Speed: SpeedUnit...

Goal Maintain[TrackSegmentSpeedLimit]Definition A train should stay below the maximum

speed the track segment can han-dle.

FormalDef ∀ tr: Train, s: TrackSegment :On(tr, s) ⇒ tr.Speed ≤

Goal-oriented vs. Object-orientGoals provide precise criterio

identification of objects, re

eedUnit

if the train it.

TrackSegment

SpeedLimit: Sp...

Speed: SpeedUnitLoc : LocationWCSDist : Distance

Following

Goal Maintain[WCSDistBetweenTrains]Definition A train should never get so close to a train in front so that

in front stops suddenly (e.g., derailment) the next train would hitFormalDef ∀ tr1, tr2: Train :

Following(tr1, tr2)⇒ tr1.Loc - tr2.Loc > tr1.WCSDist

eedUnit

’, ‘closed’}

“Since”:“Until” in the past

TrackSegment

SpeedLimit: Sp...

Speed: SpeedUnitLoc : LocationWCSDist : Distance

Following

Goal Avoid[TrainEnteringClosedGate]Definition A train should not enter a closed gate if it can

(i.e. if it is possible for the train to stop before the gateFormalDef ∀ tr: Train, g: Gate, s: TrackSegment:

g.status = ‘closed’ Since tr.Loc - g.Loc > tr.WCSDist∧ HasGate(s, g)⇒¬ @ On(tr, s)

Gatestatus: { ‘openedLoc : Location

10KAOS

taintSpeedLimit]

idailment]

railent]should never derailrain :nt(tr)

Eliciting New Goals : WHY Questions (

Avoid[TrainCollisions]

Main[TrackSegmen

Avo[TrainDer

Goal Avoid[TrainCollisions]Definition Trains should nerver collideFormalDef ∀ tr1, tr2: Train :

❑ ¬ Collision(tr1, tr2)

Goal Avoid[TrainDeDefinition Trains FormalDef ∀ tr: T

❑ ¬ Derailme

11KAOS

TrackSegment

Eliciting New Goals : WHY Questions (

Avoid[TrainOnSwitchInWrongPostion]

Maintain[TrainOnCorrectLine]

Maintain[GateClosedWhen

SwitchInWrongPositio

Goal Avoid[TrainOnSwitchInWrongPostion]Definition When a train is on a switch, theswitch should be in the direction of travel ofthe trainFormalDef ∀ tr: Train, sw: Switch:

On(tr, sw) ⇒ sw.Position = tr.DirectionSwitc

12KAOS

WC ysical speed of the train

[aintain

uddenStopedingTrain]

Eliciting New Goals: HOW Questions (1

SDist : the physical Worst-Case Stopping Distance based on the ph

Avoid[TrainsCollisions]

MaintainSafeSpeed/AccelerationCommanded]

Maintain[SafeTrainResponse

ToCommand]

OfPrec

13KAOS

:.Loc + δ tr.Speed= tr.Speed + δ tr.acc

Fo⇒tr1

∧tr1

’ ≥ tr2.Speed - δ MaxBrakeRate

DomProptr.Loc’ = trtr.Speed’

Following(tr1, tr2)⇒tr1.Loc -tr2.Loc > tr1.WCSDist

llowing(tr1, tr2)

.AccCM’ ≤ F(tr1.Loc, tr2.Loc,tr1.Speed, tr2.Speed)

.SpeedCM’ > tr1.Speed (!)

∀ tr: Traintr.AccCM ≥ 0 ⇒ tr.Acc’ ≤ tr.AccCM∧■≤MCdelay tr.AccCM < 0 ⇒ tr.Acc’ ≤ 0∧tr.Speed ≤ tr.Speed

⇒ tr.Speed’ ≤ tr.SpeedCM

∀ tr2: Tra❑

tr2.Speed

14KAOS

WC ysical speed of the train

aintainddenStopedingTrain]

:.Loc + δ tr.Speed= tr.Speed + δ tr.Acc

Fo⇒tr1

∧tr1

’ ≥ tr2.Speed - δ MaxBrakeRate

SDist : the physical Worst-Case Stopping Distance based on the ph

Maintain[SafeSpeed/AccelerationCommanded]

ToCommand]

M[NoSu

OfPrece

DomProptr.Loc’ = trtr.Speed’

Following(tr1, tr2)⇒tr1.Loc -tr2.Loc > tr1.WCSDist

llowing(tr1, tr2)

.AccCM’ ≤ F(tr1.Loc, tr2.Loc,tr1.Speed, tr2.Speed)

.SpeedCM’ > tr1.Speed (!)

∀ tr: Traintr.AccCM ≥ 0 ⇒ tr.Acc’ ≤ tr.AccCM∧■≤MCdelay tr.AccCM < 0 ⇒ tr.Acc’ ≤ 0∧tr.Speed ≤ tr.SpeedCM

⇒ tr.Speed’ ≤ tr.SpeedCM

∀ tr2: Tra❑

tr2.Speed

15KAOS

aintainddenStopedingTrain]

Maintain[SafeComandToFollowingTrain

BasedOnSpeed/PositionEstimates]

Maintain[AccurateSpeed/

PositionEstimates]

ToCommand]

M[NoSu

OfPrec

16KAOS

c - ti2.Ldev ,v , ti2.Speed - ti2.Sdev )

∀ Tra⇒ti.L∧ti.S

FollowingInfo(ti1, ti2)∧ Tracking(ti1, tr1) ∧ Tracking(ti2, tr2)⇒tr1.AccCM’ ≤ F (ti1.Loc+ ti1.LDev , ti2.Lo

ti1.Speed + ti1.Sde∧tr1.SpeedCM’ > ti1.Speed+ ti1.Sdev

tr: Train, ∃! ti: TrainInfo: Tracking(ti,tr)

tr: Train, ti: TrainInfo:cking(ti, tr)❑

oc - ti.Ldev ≤ tr.Loc ≤ ti.Loc +ti.Ldev

peed - ti.Sdev ≤ tr.Speed ≤ ti.Speed +Sdev

17KAOS

c - ti2.Ldev ,, ti2.Speed - ti2.Sdev )

∀ Tra⇒ti.L∧ti.S

aintainddenStop

eedingTrain]

PositionEstimates]

FollowingInfo(ti1, ti2)∧ Tracking(ti1, tr1) ∧ Tracking(ti2, tr2)⇒tr1.accCM’ ≤ F (ti1.Loc+ ti1.LDev , ti2.Lo

ti1.speed + ti1.Sdev∧tr1.SpeedCM’ > ti1.Speed+ ti1.Sdev

tr: Train, ∃! ti: TrainInfo: Tracking(ti,tr)

tr: Train, ti: TrainInfo:cking(ti, tr)❑

oc- ti.Ldev ≤ tr.Loc ≤ ti.Loc + ti.Ldev

peed- ti.Sdev ≤ tr.Speed ≤ ti.Speed +Sdev

ToCommand]

M[NoSu

OfPrec

18KAOS

Maintain[NoSuddenStop

OfPrecedingTrain]

Maintain[DeliveredCmdMsg

Exercised]

Achieve[CmdMsgSentInTime]

Maintain[SafeCmdMsg]

Achieve[SentCmdMsg

DeliveredInTim

PositionEstimates]

ToCommand]

19KAOS

∀ cm: CommandMessage , ti1, ti2: TrainInfocm.Sent ∧ cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,

ti1.Speed + ti.Sdev, ti2.Speed - ti2.Sdev)∧ cm.Speed > ti1.Speed+ ti1.Sdev

20KAOS

Maintain[NoSuddenStopfPreceedingTrain]

Exercised]

Achieve[SentCmdMsg

DeliveredInTim∀ cm: CommandMessage , ti1, ti2: TrainInfocm.Sent ∧ cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,

PositionEstimates]

ToCommand] O

21KAOS

OfPrecedingTrain]

Exercised]

OnBoardTrainController

Identifying Potential Responsibility Assignm

Achieve[SentCmdM

DeliveredInTi

PositionEstimates]

ToCommand]

Speed/AccelerationControlSystem

CommunicationInfrastructure

TrackingSystem

22KAOS

MonitoringAgent

Attribute

ed/AccelerationontrolSystem

Corresponding Agent Interface Model

Speed/AccelerationControlSystem

TrainInfo CmdMsg

OnBoardTrainControlle

Goal Maintain[SafeCmdMsg]FormalDef ∀ cm: CommandMessage, ti1, ti2: TrainInfo

cm.Sent ∧ cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,

TrackingSystem

Train.AccTrain.Speed

ControllingAgent

Object.

Train.Loc

23KAOS

OfPreceedingTrain]

OnBoardTrainController

Alternative Goal Refinementsand Responsibility Assignments

different design : fully distributed system

Maintain[PreceedingTrainSpeed/Position

KnownToFollowingTrain]

Maintain[SafeAccelerationBasedOn

PreceedingTrainSpeed/Position

Achieve[PreceedingTrainSpeed/PositionCommunicatedToFollowingTrain]

PositionEstimates]

TrackingSystem

CommunicationInfrastructure

24KAOS

OpeInODD

Identifying Operations and DomPre/Pos

entify state transitions relevant to goals

l Maintain[SafeCmdMsg]ormalDef ∀ cm: CommandMessage, ti1, ti2: TrainInfocm.Sent ∧cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,

ration SendCommandMessageput Train {arg tr}utput ComandMessage {res cm}omPre ¬ cm.SentomPost cm.Sent ∧ cm.TrainID = tr.ID

25KAOS

==>Ope

2.Sdev)

Operationalizing Goals

l Maintain[SafeCmdMsg]ormalDef ∀ cm: CommandMessage, ti1, ti2: TrainInfocm.Sent ∧cm.TrainID = ti1.TrainID∧ FollowingInfo(ti1, ti2)⇒cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev,

ration SendCommandMessageput Train {arg tr}

TrainInfoutput ComandMsg {res cm}omPre ¬ cm.SentomPost cm.Sent ∧ cm.TrainID = tr.ID

eqPostFor [SafeCmdMsg]Tracking(ti1, tr) ∧ Following(ti1, ti2)→cm.Acc ≤ F (ti1.Loc+ ti1.LDev, ti2.Loc - ti2.Ldev, ti1.Speed + ti.Sdev, ti2.Speed - ti∧ cm.Speed > ti1.Speed+ ti1.Sdev

eqTrigFor [CmdMsgSentInTime]■≤1/2 sec ¬ ∃ cm2: CommandMessage: cm2.Sent ∧ cm2.TrainID = tr.ID

26KAOS

This is not the end of the story ...

27KAOS

fPhysicalSpeed]

eed + 7

itedAccelerationWhendedSpeedAbove7mph

PhysicalSpeed

SmoothMove

for conflict

Conflict Analysis: An Example

tr.AccCM ≥ 0⇒tr.SpeedCM ≤ tr.Speed+ fn(dist_obstacle)

Maintain[CmdedSpeedCloseToPhysicalSpeed]

DistanceBetweenTrainsIncreasesWithCmdedSpeed

Maintain[CmdedSpeedAbove7mphO

tr.accCM ≥ 0⇒tr.SpeedCM > tr.Sp

◊ (∃ tr: Train):tr.AccCM ≥ 0∧fn(dist_obstacle) ≤ 7

LimCmOf

ServeMorePsgers

speed speed+7speed+fn(dist_obst)

Min[DistBetweenTrains]

Max[TrainSpeed]SafeTransport

boundary condition

28KAOS

Rat eleration mode

leration

t) ≤ 7 fn(dist_obst) > 7

Conflict Resolution

e: fn(dist_obst) increases with dist(obst)

Conflict Resolution :Weaken Maintain [CmdedSpeedAbove7mphOfPhysicalSpeed]

tr.AccCM ≥ 0⇒tr.SpeedCM > tr.Speed + 7 ∨ fn(dist_obst) ≤ 7

ionale: if boundary condition is true, priority is to avoid going into dec

FullBraking Deceleration Acce

fn(dist_obs

29KAOS

1. Ins

Obstacle Analysis

bstacle = high-level exception

stacle O obstructs goal G iff1. {O, Dom } |== ¬ G (Obstruction)2. Dom |=/= ¬ O (Domain Consistenc

andle obstacles at RE time

=> identification of new requirements

=> more robust system

dling obstacles during goal-oriented requirements elaboration

dentify obstacles-> formal techniques for generating obstacles from goal formulatio-> heuristics as ligthweight rules of thumb

enerate alternative obstacle resolutions-> resolution operators ==> new goals/requirements

lternative evaluation and selection

30KAOS

A ineering,andling, 2000.

eMsgTime]

sgInTime

DeliveredCmdMsgCorrupted

Obstacle Identification

oal-anchored form of Fault-Tree construction

ormal techniques to generate obstacles from goal formulations

. van Lamsweerde and E. Letier, Handling Obstacles in Goal-Oriented Requirement Engto appear in IEEE-TSE, Special Issue on Exception H

Achiev[SentCmd

DeliveredIn

CmdMsgNOTSentInTime

mdMsgOTSent

CmdMsgSentLate

CmdMsgSentTo

WrongTrain

UnsafeCmdMsgSentCmdM

NOTDelivered

SentCmdMsgNOTDelivered

SentCmdMsDeliveredLa

31KAOS

Go= cCm

lerationControlSystem==> ller

Age= cUns

lerationControlSystemtionComputer

Ob= aImp Speed/PositionEstimates==>

StationComputer )

Generating Alternative Obstacle Resolutio

al Substitutionhoose alternative goaldMsgSentLate Obstructs Achieve[CmdMsgSentInTime]

UnderResponsibilityOf Speed/Acce alternative design : acceleration calculated by on-board train contro

nt Substitutionhange responsibility assignment for obstructed goalafeAccelerationInCmdMsg Obstructs SafeAccelerationInCmdMsg

UnderResponsibilityOf Speed/Acce==> UnderResponsibilityOf VitalSta

stacle Preventiondd new goal: ¬ OossibleChangeInTrainSpeed/PositionEstimates Obstructs Accurate New Goal: Avoid[ImpossibleTrainInfoChange]

( to be assigned as responsibility of TrackingSystem OR

al Deidealizationeakening goal to make obstruction disappear

32KAOS

Ob= ae.g

MaintainenOutOfDateTrainInfo]

stacle Mitigationdd new goal that tolerates obstacle but mitigates its consequences.

derivation of new requirementsMessage Origination Time Tag attribute

Maintain[NoCollisionWhenOutOfDateTrainInfo]

[NoCollisionWhAchieve

[FullBrakingWhenOutOfDateTrainInfo]utOfDate

TrainInfo

Achieve[FullBrakingWhen

MOTTinCmdMsgExpired]

Maintain[AccurateMOTT

inCmdMsg]

mitigatesMaintain

ccurateSpeed/sitionEstimates]

33KAOS

rolled objects)

• S perties

Conclusions

ystematic derivation of requirements from goals

(required pre/post/trigger conditions, monitored/cont

oal formalization

==> refinement correctness proof

==> conflict identification/resolution

==> obstacle generation/resolution

oal-oriented explanation of requirements

oal structure provides structure for requirements document

eparation of concerns: requirements vs. assumptions vs. domain pro

xploration of alternative system proposals

kaos in action: the bart systemjm/2507s/notes02/bart.pdf · kaos in action: the bart system 1 kaos...

Documents

kaos policy and domain services: toward a description...

bart sustainability action planconsistent with apta’s...

katalog kaos bicara

kaos guide

wa 0812 3397-819 (tsel), jual kaos surabaya, jual kaos...

release - beira kaos

kaos kode introduction

distro kaos online

kaos tutorial

liber kaos

lio logo kaos

kaos brief best of press - the kaos brief...

zgb kaos #01

mantra eller kaos

zgb kaos #02

update from kaos

penyablonan kaos

kaos -konstruktionen

jenis sablon kaos

kaos fraktal