1. Analysing Fault-Tolerant System using KAOS/FAUST C. Ponsard, P. Massonet, J.F. Molderez (CETIC) A. van Lamsweerde (UCL/INGI) Short presentation & Demo REFT’05, Newcastle (UK)

2. Key Idea B Method: from specification to code “correct by construction” approach moving towards requirements “System B” models of both SW/HW/environment KAOS similar approach at requirements level also refinement approach (property based) reason the design of the composite system explore alternative designs, reason about agent responsibilities assess/improve the robustness of the system tool support: FAUST based on Objectiver semi-formal RE platform (providing conceptual repository, graph edit, doc. generation,…) Seamless integration for optimal communication  looks complementary and worth investigating  current status of on-going work

3. Structuring Properties using a Goal Model (with KAOS) EffectivePassengersTransportation SafeTransportation RapidTransportation BlockSpeed Limited DoorsClosed WhileMoving Train Collision ProgressWhen GoSignal SignalSet ToGo TrainProgress Delay HOW? WHY? MoreTrains Running S2B WorstCaseStopping DistanceMaintained current TrainsOn SameBlock On (tr, b)   On (tr, next(b)) On(tr,b)  Go[next(b)]   On(tr,next(b)) On(tr,b)   Go[next(b)] On (tr, b)  On (tr, b) W On (tr,next(b)) Train Waiting

4. Being Pessimistic AccelerationCommand Not SentInTimeToTrain WorstCaseStoppingDistanceMaintained AccelerationCommand Not ReceivedInTimeByTrain... NotSentSentLate SentTo WrongTrain Acceleration NotSafe... AccelerationSent InTimeToTrain SafeAcceleration Computed SentCommand ReceivedByTrain ReceivedCommand ExecutedByTrain Milestone ReceivedLate CorruptedNotReceived

5. Driving the elaboration process Goal Model TrainTrackSegment 0:1 On Object Model Agent Model SafeAcceler Operation SendCommand DomPre ¬  Sent (m, tr) DomPre ¬  Sent (m, tr) DomPost Sent (m, tr) DomPost Sent (m, tr) ReqPost for SafeAcceler ReqPost for SafeAcceler m.Acceler  F(tr, tr.Preced) m.Acceler  F(tr, tr.Preced) Operation Model NoTrainCollision

6. Some Derived Artefacts

7. Connection with B/Rodin B moving towards requirements “System B” models of both SW/HW/environment Requirements gap is a well known problem [Abrial] Refinement approach Property refinements in KAOS Operational refinements in B Benefits for direct engineering: Identifying key properties Building models easier to prove Benefits for reverse engineering: Structuring key properties Explaining model to stakeholders for validation/acceptance semi-formal notations, animation, document generation,… Better documentation: less flat document, richer traceability, checks

8. Agenda for “K2B” Practical Scope: Composys style (Clearsy use of System-B) industrial cases (automotive/railway) From KAOS models to B models: “Automated” generation of initial B specification From set of operation assigned to agent Attach requirements/ higher level goals Animation tool ? From B models to KAOS models Guidelines for building goal/object/agent models “B aware” document generation template Means Applied research at CETIC Collaboration with ClearSy Student task force from UCL (Belgium)

9. Demo during coffee break

10. FAUST Architecture

11. Interface du vérificateur de raffinements

12. Interface de l’animateur