

  • Number of slides: 12

Analysing Fault-Tolerant Systems using KAOS/FAUST
C. Ponsard, P. Massonet, J. F. Molderez (CETIC); A. van Lamsweerde (UCL/INGI)
Short presentation & Demo, REFT'05, Newcastle (UK)

Key Idea
  • B Method: from specification to code, a "correct by construction" approach; now moving towards requirements with "System B" models of both SW/HW/environment.
  • KAOS: a similar approach at the requirements level; also a refinement approach (property based); reason about the design of the composite system; explore alternative designs and reason about agent responsibilities; assess/improve the robustness of the system.
  • Tool support: FAUST
    • based on the Objectiver semi-formal RE platform (providing conceptual repository, graph edit, doc. generation, ...)
    • seamless integration for optimal communication
  => looks complementary and worth investigating; current status: on-going work.

Structuring Properties using a Goal Model (with KAOS)
[Goal graph figure: refinement links read top-down (HOW?) and bottom-up (WHY?) among the goals EffectivePassengersTransportation, SafeTransportation, RapidTransportation, TrainProgress, TrainCollision, Delay, ProgressWhenGoSignalSetToGo, TrainWaiting, TrainsOnSameBlock, DoorsClosedWhileMoving, BlockSpeedLimited, MoreTrainsRunning and WorstCaseStoppingDistanceMaintained; the leaf goals carry formal assertions over On(tr, b), On(tr, next(b)) and Go[next(b)], e.g. On(tr, b) W On(tr, next(b)).]

Being Pessimistic
[Obstacle analysis figure for WorstCaseStoppingDistanceMaintained, refined by milestones:]
  • SafeAccelerationComputed; obstacle: AccelerationNotSafe ...
  • AccelerationSentInTimeToTrain; obstacle: AccelerationCommandNotSentInTimeToTrain, with sub-obstacles NotSent, SentLate, SentToWrongTrain
  • SentCommandReceivedByTrain; obstacle: AccelerationCommandNotReceivedInTimeByTrain, with sub-obstacles NotReceived, Corrupted, ReceivedLate ...
  • ReceivedCommandExecutedByTrain

Driving the elaboration process
[Figure linking the Goal Model (NoTrainCollision), the Agent Model (SafeAcceler), the Object Model and the Operation Model:]
  • Object Model: Train On (0:1) TrackSegment
  • Operation SendCommand: DomPre ¬Sent(m, tr); DomPost Sent(m, tr); ReqPost for SafeAcceler: m.Acceler F(tr, tr.Preced)

Some Derived Artefacts

Connection with B/Rodin
  • B moving towards requirements: "System B" models of both SW/HW/environment. The requirements gap is a well known problem [Abrial].
  • Refinement approach: property refinements in KAOS, operational refinements in B.
  • Benefits for direct engineering: identifying key properties; building models that are easier to prove.
  • Benefits for reverse engineering: structuring key properties; explaining the model to stakeholders for validation/acceptance
    • semi-formal notations, animation, document generation, ...
  • Better documentation: less flat document, richer traceability, checks.

Agenda for "K2B"
  • Practical scope: Composys style (ClearSy use of System-B); industrial cases (automotive/railway).
  • From KAOS models to B models: "automated" generation of an initial B specification from the set of operations assigned to an agent; attach requirements/higher level goals; animation tool?
  • From B models to KAOS models: guidelines for building goal/object/agent models; "B aware" document generation template.
  • Means: applied research at CETIC; collaboration with ClearSy; student task force from UCL (Belgium).

Demo during coffee break

FAUST Architecture

Refinement checker interface

Animator interface