www.wileyeurope .com/college/van lamsweerde Chap.15: A goal oriented model building method in action © 2009 John Wiley and Sons

Building System Models for RE

Chapter 15
A goal-oriented model-building method in action

A goal-oriented model-building method in action: outline
– Overview and case study introduction
– Modelling the system-as-is
  – S1: Build a preliminary goal model illustrated by scenarios
  – S2: Derive a preliminary object model
– Modelling the system-to-be
  – S3: Update the goal model with new goals…
  – S4: Derive the updated object model
  – S5: Analyse obstacles, threats and conflicts
  – S6: Analyse responsibilities and build the agent model
  – …
– Handling model variants for product lines

Main steps of a model building method for RE
Figure 15.1 – Main steps of a model building method for RE
Modeling the system-as-is
– Build a preliminary goal model illustrated by scenarios
– Derive a preliminary object model
Modeling the system-to-be
– Update the goal model with new goals illustrated by scenarios
– Derive the updated object model
– Analyze obstacles, threats, and conflicts
– Analyze responsibilities and build the agent model
– Make choices among alternative options
– Operationalize goals in the operation model
– Build and analyze the behavior model
(Arrows in the figure: data dependency, backtracking)

Case study: Mine safety control
[System as-is.] Miners are exposed to multiple hazards while working inside a mine. These include life-threatening levels of percolating water, carbon monoxide, methane, and airflow.
Currently, dedicated supervisors have to alert miners inside the mine for prompt evacuation when any of those levels is estimated to be dangerous. Sumps are placed at selected places in the mine for water collection. Each sump is equipped with a pump. The water level in each sump is regularly checked by dedicated operators to see if the water level is not too high. When this level is too high, the corresponding pump must be turned on to pump the water out of the mine. To avoid the risk of explosion, pumps may not be operated when the methane level exceeds some critical threshold. The current situation results in unacceptable exposure to risks, due to possible human unawareness or misjudgement of potentially dangerous situations; sudden flows of gas or water without operators at the right place to act upon; or pump functioning problems. On the other hand, lack of accurate assessment sometimes results in unnecessary evacuations. The cost of manpower for safety control is another concern.

Case study: Mine safety control (2)
[System to-be.] To address these problems, a ubiquitous Safety Control system will be installed. Each sump will be equipped with water level sensors to detect when the water is above a high or below a low level, respectively. A software-based controller shall turn a pump on whenever the water in the corresponding sump is reaching the high water level, and off whenever the water is reaching the low water level. The mine will also be equipped with sensors at selected places to monitor the carbon monoxide, methane, and airflow levels. An alarm shall be raised, and the operator informed within one second, whenever any of these levels is reaching a critical threshold, so that the mine can be evacuated promptly. Human operators can also control the operation of the pump, like previously, but within limits.
An operator can turn the pump on or off if the water is between the low and high water levels. A special operator, the supervisor, can turn the pump on or off without this restriction. The Safety Control system shall also maintain sensor readings and pump operation records for history tracking and analysis of anomalies.

Modeling the system-as-is
Purpose:
– Structuring the goals and concepts
– Analyse the system-as-is to extract:
  – preliminary goal model
  – Derive conceptual objects
Two steps:
– Step 1: Build a preliminary goal model illustrated by scenarios
– Step 2: Derive a preliminary object model

Step 1: Build a preliminary goal model illustrated by scenarios
WHAT:
– Analysing any available material to identify stable goals
– Each goal is defined and classified in terms of type and category.
– The goals are refined to get sub-goals
– The goals are abstracted until the system’s boundary is reached
HOW:
– Search for prescriptive or intentional keywords.
– Ask HOW and WHY questions about such statements
– Check for responsibility assignments in prescriptive statements.
– Elicit illustrative scenarios of current ways of doing things.
– Use goal refinement patterns to restructure the model

Step 1: Build a preliminary goal model illustrated by scenarios
Figure 15.2 – Preliminary identification of stable goals and refinements in the system-as-is
Maintain [HighWaterDetected]
Achieve [MineEvacuatedIfCriticalLevel]
Def The mine must be evacuated promptly when the level of methane, carbon monoxide, or airflow is estimated critical.
“… supervisors have to alert miners inside the mine for prompt evacuation when…”
Achieve [MinersAlertedIfCriticalLevel] …
Def Miners inside the mine must be alerted when the level of methane, carbon monoxide, or airflow is estimated critical.
Supervisor
Operator
“The water level in each sump is regularly checked by dedicated operators to see if the water level is not too high.”
Def A too high water level in a sump must be detected at any time.
Maintain [SumpPumpedOutIfHighWater]
Def When the water level in a sump is too high, the water must be pumped out of the mine.
“When , the pump must be turned on to pump the water out …”
Maintain [PumpOnIfHighWater]
Def When the water level in a sump is too high, the corresponding pump must be turned on. …
Operator
Avoid [Explosion]
Def Risks of explosion inside the mine must be prevented at any time.
“…To avoid the risk of explosion, pumps may not be operated when …”
Maintain [PumpOffIfHighMethane]
Def Pumps may never be operated when the methane level exceeds some critical threshold. …
Operator

Step 1: Build a preliminary goal model illustrated by scenarios
Figure 15.3 – Scenario illustrating the goal Maintain[PumpOnIfHighWater]
pumpOn : PumpActuator pumpStart : Operator WaterTooHigh? WaterOK?
pumpOff pumpStop

Step 1: Build a preliminary goal model illustrated by scenarios
Figure 15.4 – Goal model fragment for the system-as-is
[Goal diagram. Goals: Avoid[MinersInFloodedMine], Maintain[SumpPumpedOutIfHighWater], HighWaterDetected, PumpOnIfHighWaterDetected, PumpOnIfHighWater, WaterPumpedOutIfPumpOn, SufficientPumpCapacity, NoExcessiveWaterFlow, SumpsWellDistributed, Achieve[MineEvacuatedIfCriticalLevel], MineEvacuatedIfHighMethane, MineEvacuatedIfHighAirflow, HighMethaneDetected, MinersAlertedIfHMDetected, MineEvacuatedIfHMAlert. Refinement annotations: milestone-driven, by cases. Agents: Operator, Supervisor, Miner. Link questions: HOW ? WHY ?]

[...]

... realizability of leaf goals by the agents assigned to them has to be checked
HOW:
– Ref Chapter 11
– Identify any active object that a leaf goal concerns
– Look for agents whose capabilities match the variables evaluated in and constrained by a leaf goal
– Consider abstract agents and refine these until individual roles are reached
– …

... highMethaneSensor highMethaneSignal MethaneAlarm Switch PumpActuator Pump.Motor methaneAlarm Buzz methaneAlarm Actuator
Figure 15.13 – Generated context diagram for mine safety control

Step 7: Make choices among alternative options
WHAT:
– Evaluating the various options arising in the previous...

... Portion of operationalization diagram for the SafetyController agent

Step 8: Operationalize goals in the operation model
highWater Sensor lowWater Sensor highMethane Sensor Switch PumpOn Pump Actuator Switch PumpOff Raise Methane Alarm … Reset Methane Alarm MethaneAlarm Actuator SafetyController...
a preliminary object model
WHAT:
– Identifying the stable concepts
– Each concept is defined and classified as an entity, association, attribute, agent or event
HOW:
– Take any conceptual object referred to by the goals identified in the previous step
– Identify associations and participating objects
– Identify generalization from objects characterized by similar attributes, associations or domain...

... CriticalWater MinersAlerted If WaterAlarm
Figure 15.9 – Obstacle analysis: mine safety control examples

Step 6: Analyse responsibilities and build the agent model
WHAT:
– Exploring alternative responsibility assignments
– All the agents forming the system need to be defined
– The realizability...

... defining the final system-to-be
– Evaluation/selection may proceed in parallel with the preceding steps
HOW:
– Using qualitative reasoning techniques to select those options contributing the most to higher-priority soft goals
– Using quantitative techniques, including multi-criteria analysis (Vincke, 1992) Ref 16.3.2
– Using various kinds of heuristics: favour refinements or assignments introducing...

Step 5: Analyse obstacles, threats and conflicts
WHAT:
– Identifying as many obstacles, threats and boundary conditions as possible
– Assessing their likelihood and criticality
– Exploring resolutions yielding new candidate goals as countermeasures in the goal model
HOW:
– Ref Chapter 8-9
Expanding the preliminary structure of stable goals and domain concepts towards a model for system-to-be
– Considering alternative goal refinements and assignments
Two steps:
– Step 3: Update the goal model with new goals…
– Step 4: Derive the updated object model
– Step 5: Analyse obstacles, threats and conflicts
– Step 6: Analyse responsibilities and build the agent model
– Step 7: Make choices among...

... rules in S[14.2]

Step 4: Derive the updated object model
[Object diagram labels: highWater Sensor 1 Sump highWaterSignal WaterSensor Tracking WaterLevel … highThreshold Readings lowThreshold 1 * lowWater Sensor Miner lowWaterSignal MethaneAlarm 1 Regulation Location Inside … … Switch: {on, off} AirflowAlarm … COAlarm...]

... Electrical device regulating the level in each sump by water evacuation out of the mine
MethaneLevel CO-Level Airflow Operator Inspection …
Def Person in charge of safe working conditions
Figure 15.5 – Deriving a preliminary object model from goals and domain descriptions

Modeling the system-to-be

[Object diagram labels: … GasAlarm Buzz Alerting AirflowAlarm … MethaneAlarm Switch: { on, off} COAlarm … WaterSensor Readings Tracking Inside lowWater Sensor lowWaterSignal highWater]
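
Added example, not taken from the slides or the book: the pump rules of the mine safety case study written as Python checks. It finds the boundary condition between Maintain[PumpOnIfHighWater] and Maintain[PumpOffIfHighMethane] by enumeration and encodes the operator and supervisor limits. The boolean state encoding, the function names, and the choice that the methane rule wins and also binds the supervisor are assumptions.

```python
from itertools import product

# Goal names come from the slides; the boolean encoding is an assumption.
GOALS = {
    "Maintain[PumpOnIfHighWater]":
        lambda s: (not s["high_water"]) or s["pump_on"],
    "Maintain[PumpOffIfHighMethane]":
        lambda s: (not s["high_methane"]) or (not s["pump_on"]),
}

def boundary_conditions():
    """Return environment states in which no pump setting satisfies every goal."""
    conflicts = []
    for high_water, high_methane in product([False, True], repeat=2):
        env = {"high_water": high_water, "high_methane": high_methane}
        satisfiable = any(
            all(goal({**env, "pump_on": pump_on}) for goal in GOALS.values())
            for pump_on in (False, True)
        )
        if not satisfiable:
            conflicts.append(env)
    return conflicts

def controller_command(water, high_methane, pump_on):
    """Next pump state for the software controller.
    water is one of 'below_low', 'between', 'above_high' (constructed encoding)."""
    if high_methane:              # assumed resolution: the methane rule wins
        return False
    if water == "above_high":
        return True
    if water == "below_low":
        return False
    return pump_on                # between thresholds: keep the current state

def authorize(role, command, water, high_methane):
    """May a human switch the pump 'on' or 'off' in this state?"""
    if command == "on" and high_methane:
        return False              # assumed to bind the supervisor as well
    if role == "supervisor":
        return True               # not bound by the water-level restriction
    if role == "operator":
        return water == "between"
    return False                  # unknown roles are denied

if __name__ == "__main__":
    print(boundary_conditions())
```

The single state returned by `boundary_conditions()` is the case that needs a resolution goal in Step 5; `controller_command` shows one such resolution.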