Chương 15: A goaloriented modelbuilding method in action potx

When this level is too high, the corresponding pump must be turned on to pump the water out of the mine.. A software-based controller shall turn a pump on whenever the water in the corr

Building System Models for RE

Chapter 15

A goal-oriented model-building

method in action

A goal-oriented model-building method in action :

outline

Main steps of a model building method for RE

Analyze obstacles, threats,

and conflicts and build the agent model Analyze responsibilities

Make choices among alternative options

Case study: Mine safety control

Mine safety control

[System as-is.] Miners are exposed to multiple hazards while working inside a mine

These include life-threatening levels of percolating water, carbon monoxide, methane, and airflow

Currently, dedicated supervisors have to alert miners inside the mine for prompt

evacuation when any of those levels is estimated to be dangerous

Sumps are placed at selected places in the mine for water collection Each sump is

equipped with a pump The water level in each sump is regularly checked by dedicated operators to see if the water level is not too high When this level is too high, the

corresponding pump must be turned on to pump the water out of the mine

To avoid the risk of explosion, pumps may not be operated when the methane level

exceeds some critical threshold.

The current situation results in unacceptable exposure to risks, due to possible human unawareness or misjudgement of potentially dangerous situations; sudden flows of

gas or water without operators at the right place to act upon; or pump functioning

problems On the other hand, lack of accurate assessment sometimes results in

unnecessary evacuations The cost of manpower for safety control is another concern.

Case study: Mine safety control (2)

[System to-be.] To address these problems, a ubiquitous Safety Control system will be

installed Each sump will be equipped with water level sensors to detect when the

water is above a high or below a low level, respectively A software-based controller shall turn a pump on whenever the water in the corresponding sump is reaching the

high water level, and off whenever the water is reaching the low water level

The mine will also be equipped with sensors at selected places to monitor the carbon monoxide, methane, and airflow levels An alarm shall be raised, and the operator

informed within one second, whenever any of these levels is reaching a critical

threshold, so that the mine can be evacuated promptly

Human operators can also control the operation of the pump, like previously, but

within limits An operator can turn the pump on or off if the water is between the low and high water levels A special operator, the supervisor, can turn the pump on or off

without this restriction

The Safety Control system shall also maintain sensor readings and pump operation

records for history tracking and analysis of anomalies.

Modeling the system-as-is

preliminary goal model Devive conceptual objects

Step 1: Build a preliminary goal model illustrated by

scenarios

Step 1: Build a preliminary goal model illustrated by

… Def Miners inside the mine must be alerted when

the level of methane, carbon monoxide, or airflow

is estimated critical

Supervisor

Operator

“The water level in each sump is regularly checked by dedicated operators to see if the water level is not too high.”

Def A too high water level in a sump must

be detected at any time

Maintain [SumpPumpedOutIfHighWater] Def When the water level in a sump is too high,

the water must be pumped out of the mine

“When , the pump must be turned on to pump the water out …”

Maintain [PumpOnIfHighWater] Def When the water level in a sump is too high, the corresponding pump must be turned on

… Operator

Avoid [Explosion] Def Risks of explosion inside the mine must

be prevented at any time

“…To avoid the risk of explosion, pumps may not be operated when …”

Maintain [PumpOffIfHighMethane] Def Pumps may never be operated when the methane level exceeds some critical threshold

… Operator

Step 1: Build a preliminary goal model illustrated by

Step 1: Build a preliminary goal model illustrated by

Maintain[SumpPumpedOutIfHighWater]

NoExcessive WaterFlow

Step 2: Derive a preliminary object model

assciation, attribute, agent or event.

 HOW:

identified in the previous step.

similar attributes, associations or domain descriptions.

they really seem relevant Drop them otherwise.

Step 2: Derive a preliminary object model

Figure 15.5 – Deriving a preliminary object model from goals and domain descriptions

Achieve [MinersAlertedIfHMDetected] Def Miners inside the mine must be alerted whenever the level of methane is estimated too high

Maintain [PumpOnIfHighWater] Def When the water level in a sump is too high,

the corresponding pump must be on

1

Regulation Pump

Motor: {on, off}

1 …

Sump WaterLevel

Each sump is equipped with a pump

Inside

MineMethaneLevel CO-Level Airflow …

Miner …

waterEvacuation Location

Def Person in charge of

safe working conditions

Def Container placed at

selected bottom places

of the mine to collect

percolating water

the corresponding

pump must be on

Def Electrical device regulating the

level in each sump by water evacuation out of the mine

Modeling the system-to-be

domain concepts towards a model for system-to-be.

Step 3: Update the goal model with new goals

assignments specific to system-to-be.

things.

– …

Step 3: Update the goal model with new goals

Figure 15.6 – Expanded goal model fragment for the system-to-be

SumpPumpedOutIfHighWater

PumpOff If LowWater

Avoid[PumpOn WhenNoWater]

Avoid[MinersInFloodedMine]

NoExcessive WaterFlowSumpsWell

Distributed

Step 4: Derive the updated object model

new conceptual objects specific to the system-to-be.

to others base on the new goal definitions.

 HOW:

and software counterpart.

Step 4: Derive the updated object model

Figure 15.8 – Updated object model from goals and descriptions of the system-to-be

Def Mechanism for generating

different types of alerts in the mine Def Person authorized to switch the pump on or off at any time

1 Regulation

PumpMotor: {on, off}

Switch: {on, off}

Capacity

1 …

SumpWaterLevel

highThreshold lowThreshold

MineMethaneLevel CO-Level Airflow …

Miner …

GasAlarm Buzz

Alerting

AirflowAlarm …

MethaneAlarm Switch: {on,off}

COAlarm …

WaterSensorReadings

Step 5: Analyse obstacles, threats and conflicts

conditions as possible

countermeasures in the goal model.

 HOW:

Step 5: Analyse obstacles, threats and conflicts

Pump highWaterSignal

Avoid [MinersInFloodedMine]

MineEvacuatedIfCriticalWater

MineEvacuated

If WaterAlert

Def There is a sump with water

flow exceeding the worst-case

figure of X litres per hour

Step 6: Analyse responsibilities and build the agent model

to be checked.

and constrained by a leaf goal.

reached.

– …

Step 6: Analyse responsibilities and build the agent model

BuzzSwitch

Switch Switch

highWaterSignallowWaterSignalhighMethaneSignal

highWater Sensor

highWater SensorHighWaterDetected

PumpSwitchOn If HighWaterDetected

highWaterSignal

InstanceResponsibility The high-water sensor of a

sump is responsible for detecting high water in this sump

PumpSwitchOff If LowWaterDetected

lowWater Sensor

WaterLevel

lowWater SensorLowWaterDetected

Sump

lowWaterSignal

highMethaneSensorhighMethane

SensorHighMethaneDetected

highMethaneSignal

MineMethaneLevel

MethaneAlarmSwitchOn If

HighMethaneDetected

Pump

MethaneAlarmmethaneAlarm

Step 6: Analyse responsibilities and build the agent model

Figure 15.13 – Generated context diagram for mine safety control

methaneAlarm Actuator

PumpActuator

highWater SensorSump.WaterLevel

lowWater Sensor

highMethane SensorMine.MethaneLevel

Step 7: Make choices among alternative options

select one “best” set of options defining the final system-to-be.

steps.

contributing the most to higher-priority soft goals.

(Vincke, 1992) Ref 16.3.2

assignments introducing fewer or less severe risks, favour

Step 8: Operationalize goals in the operation model

operationalizing the leaf goals in the goal model.

leaf goal.

reqpre, reqpost, reqtrig ensuring their underlying goals.

 HOW:

scenarios.

Step 8: Operationalize goals in the operation model

Figure 15.14 – Portion of operationalization diagram for the SafetyController agent

Raise Methane Alarm

Switch PumpOn

highWater Sensor

lowWater Sensor highMethane Sensor

Reset Methane Alarm

PumpSwitchOff If

LowWaterDetected

p.Switch

Step 8: Operationalize goals in the operation model

Figure 15.15 – Generated use case diagram for the SafetyController agent

highMethane Sensor

lowWater Sensor

… SafetyController

highWater

MethaneAlarm Actuator

Switch PumpOn

Raise Methane Alarm

Switch PumpOff

Reset Methane Alarm

Step 9: Build and analyse the behaviour model

SafetyControllerState

[ lowWaterSignal = ‘on’ or

highMethaneSignal = ‘on’ ]

/ send PumpMotorState.pumpSwitchOff

[ highWaterSignal = ‘on’ and

not highMethaneSignal = ‘on’ ]

highMethaneSensorState

[ MethaneLevel ≥ High ]

highMethane SignalState

[ MethaneLevel < High ]

psOperating