The RSDS Reactive system development support method

1
The RSDS (Reactive system development support)
method

• Kelly Androutsopoulos,
• K. Lano, D. Clark and P. Kan
• Department of Computer Science,
• Kings College London, Strand,
• London, WC2R 2LS

2
Motivation

• Development of structured reactive systems.
• Systematic process to follow.
• Provide Tool support
• Input SRS Statecharts Invariants
• Output B specification or/and SMV modules
• Reduce design faults
• Reduce redesign costs
• Invariant-based development - easier to verify
• Graphical Notation - improve comprehension
  between engineers and developers.

3
Overview of RSDS

• Hazard Analysis HAZOPS and Fault Tree Analysis
  (FTA) and invariant derivation.
• Data and control flow diagram (DCFD) to represent
  control systems.
• Decomposition approaches based on invariants.
• Restricted version of statechart notation (SRS)
  used as formal design notation.
• Direct translation of SRS to B formal method.
• Direct translation of SRS to SMV for model
  checking temporal properties.

4
RSDS development steps
5
Integrating hazard Analysis with RSDS
6
HAZOPS Process

• Identify system entities components of system
  and interconnections between them.
• For each entity
• Decompose into sub-entities
• Identify its attributes (e.g. table position)
• For each attribute, apply all relevant guidewords
  to identify all possible deviations.
• Identify all credible causes and consequences of
  deviation mechanisms to aid hazard detection.
• Record the results and then repeat for each
  entity.

7
Simple Production Cell

• Blanks are moved along the feedbelt and onto the
  elevating table.
• The robot arms pick up a blank at a time and
  drop it at a press.
• The blank is pressed and picked up by the robot
  arms and transferred to the deposit belt.
• If one press fails, the system should continue to
  operate with the other. (Fault-tolerance)

Deposit belt
Press 2
Robot
Press 1
Feed belt
Elevating Rotary table
8
Class Diagram for Production Cell
(b,l) located_at l DepositBelt ?
b.pressed
1
Blank pressedbool
0..1

located_at
Location
0..n
0..n
0..1
0..1
Deposit Belt
Press
Table
Feedbelt
0..1
0..1
0..1
9
Guideword Interpretation for Prod. Cell
10
HAZOP results table for Prod. Cell
11
00-58 Guideword Interpretation for Event
12
(No Transcript)
13
Part of a Class Diagram of a Secure System
User Permissions
Secure Host
logged_on
1

(user,host)logged_on ? user.permissions ?
executive
Example part of guideword could suggest that
some user with a security level below executive
is logged into the secure host. This is based on
the part of interpretation for relationships,
where some semantic constraints of the relation
given in the diagram hold, while others do not.
14
Fault Tree Analysis (FTA)

• Steps
• Identify the hazards Use HAZOPS or other
  method.
• Fault tree construction Graphical method that
  starts with an event associated to an identified
  hazard and works backwards to identify its cause.
  
• Qualitative analysis Remove any redundancy in
  the tree.
• Quantitative analysis Calculate the probability
  of the top event using addition for OR and times
  for AND.

15
FTA notation
OR gate
Event resulting from combination of events via
logic gate
AND gate
Basic fault event
INHIBIT gate
Non-decomposed fault inconsequential or info.
not present
Condition needed to produce output of gate (e.g.
enforce order on an AND gate)
Event expected to occur normally
Transfer to/from other tree
16
Reactive System FTA Template
Hazard condition wrong actuator setting
OR gate
Actuator failed in wrong setting
Sensor failure(s) resulting in wrong information
at controller input
AND gate
Design flaw in controller
Sensors correct
17
What can we do with HAZOPS and FTA ?

• 1. Produce severity classification for each
  hazard (from HAZOPS).
• 2. Produce probability classification for each
  hazard (from FTA).
• 3. Produce risk classification for each hazard
  from 1 and 2.
• 4. ALARP reasoning - identifies necessary risk
  reductions.
• 5. Produce SIL for subsystems and identify
  required development techniques.

18
SIL (Safety Integrity Level)

• SIL is effectively an allowed probability range
  of occurrence of
• dangerous failures.

19
Decomposition Approaches
Horizontal
Reflexive
events
Actuators
Hierarchical
Annealing
C1
Chain of Responsibility
Aggregate
A1.2
sensor signals input events
C1
A1.1
Layer n Controller responsible
for calculations of control responses to
events
Layer 1 Controller responsible for control
aspect 1
Layer 2 Controller responsible for
control aspect 2
20
SRS Statecharts for Production Cell
A2_Move_table_vert
A3_Rotate_table
S3
clockwise
up
t31
S4
t21
Controller
t22
t32
stop
stop
S5
t24
t34
t33
t23
anticlockwise
down
S6
21
Finally...

• Control algorithms are synthesised from the
  invariants automatically using RSDS tool.
• Translation to B
• Produce the B AMN modules automatically.
• Structure of B modules described by the DCFD
  diagram.
• Use B Toolkit
• to animate the specification
• refine further,
• prove that the specification satisfies the static
  invariants and
• finally generate code automatically.
• Translation to SMV
• Verify the temporal properties on the
  automatically generated SMV modules.

22
Summary

• RSDS development method
• Hazard Analysis
• Incorporate into the RSDS Tool
• Investigate automating completeness consistency
  checks
• Investigate automatic invariant generation
• Produce UML diagram editor for the RSDS Tool
• Statecharts Invariants
• Identification of abstraction morphisms
• Translations into SMV B
• Proof of correctness of translations
• Apply to other application domains - e.g.
  security systems