Building Dependable Systems
Ambiguous, Incomplete, Inconsistent, Complex
R1. There is a single control button available for the user of the oven. If the oven is idle with the door closed and you push the button, the oven will start cooking (that is, energize the power-tube for one minute).
R2. If the button is pushed while the oven is cooking it will cause the oven to cook for an extra minute.
[Diagram labels: Defect Removal, Formalisation, Control of Complexity, Informal Requirements, Behavior Trees, Integration, Simulation, Model Checking, Implementation, Integrated Behavior Tree]
Informal Requirements
R1. There is a single control button available for the user of the oven. If the oven is idle with the door closed and you push the button, the oven will start cooking (that is, energize the power-tube for one minute).
R2. If the button is pushed while the oven is cooking it will cause the oven to cook for an extra minute.
R3. Pushing the button when the door is open has no effect (because it is disabled).
R4. Whenever the oven is cooking or the door is open the light in the oven will be on.
R5. Opening the door stops the cooking.
R6. Closing the door turns off the light. This is the normal idle state, prior to cooking when the user has placed food in the oven.
R7. If the oven times out, the light and the power-tube are turned off and then a beeper emits a sound to indicate that the cooking is finished.
[Process diagram labels: Informal Requirements, Translation, Requirement Behavior Trees, Requirements Integration, Integrated Behavior Tree, Component Behavior Tree, Simulation, Verification, Implementation]
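The seven oven requirements are small enough to check exhaustively, which is what the model-checking step amounts to. The sketch below is an added example, not part of the original slides or of any Behavior Tree tool: it encodes R1 to R7 as a transition function, explores every reachable state, and returns an event trace when R4 or the R5-derived property "never cooking with the door open" is broken. The state tuple, the event names, the `MAX_MINUTES` bound and the `stop_on_open` switch (which seeds a defect by leaving R5 out) are assumptions of this example.

```python
from collections import deque
MAX_MINUTES = 3   # assumption: cap on accumulated minutes keeps the state space finite
EVENTS = ("push", "open", "close", "tick")   # tick = one minute elapses
INITIAL = (False, False, False, 0)   # (door_open, cooking, light_on, minutes_left)

def step(state, event, stop_on_open=True):
    """Next state under R1-R7, or None if the event cannot occur in this state."""
    door, cooking, light, mins = state
    if event == "push":
        if door:
            return state                                   # R3: button disabled
        if not cooking:
            return (False, True, True, 1)                  # R1: cook for one minute
        return (False, True, True, min(mins + 1, MAX_MINUTES))  # R2: extra minute
    if event == "open" and not door:
        if stop_on_open:
            return (True, False, True, 0)                  # R5 stops cooking, R4 light on
        return (True, cooking, True, mins)                 # seeded defect: R5 left out
    if event == "close" and door:
        return (False, cooking, cooking, mins)             # R6: light off once idle
    if event == "tick" and cooking:
        if mins > 1:
            return (door, True, True, mins - 1)
        return (door, False, door, 0)                      # R7 time-out (beeper not modelled)
    return None

def violated(state):
    door, cooking, light, _ = state
    if light != (cooking or door):
        return "R4"                                        # light on iff cooking or door open
    if cooking and door:
        return "R5"                                        # power-tube on with door open
    return None

def check(stop_on_open=True):
    """Breadth-first search; returns (states_seen, broken_requirement, event_trace)."""
    seen = {INITIAL: ()}
    queue = deque([INITIAL])
    while queue:
        state = queue.popleft()
        bad = violated(state)
        if bad:
            return len(seen), bad, list(seen[state])
        for event in EVENTS:
            nxt = step(state, event, stop_on_open)
            if nxt is not None and nxt not in seen:
                seen[nxt] = seen[state] + (event,)
                queue.append(nxt)
    return len(seen), None, None
```

`check()` covers the model as specified; `check(stop_on_open=False)` shows how the missing requirement surfaces as a shortest counterexample trace.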
Requirements Translation
Requirement Behavior Tree
Requirements Integration
Integrated Behavior Tree
Component Behavior Tree
Simulation
Verification
Automatically Generated Implementation
Building Dependable Systems
1. Control of Complexity: Avoids short-term memory overflow
2. Early Defect Detection: Quality, verified software
3. Rigorous Translation: Building right system, right
4. Ease of Simulation, Model checking: Dependable systems
5. Productivity gains for teams: Parallel working, Co-operative editing
6. Wide applicability: Command Control, Enterprise Systems