#### ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

## Embedded Systems WS 08/09

## Maritta Heisel Maritta.Heisel(AT)uni-duisburg-essen.de

Denis.Hatebur(AT)uni-duisburg-essen.de

University Duisburg-Essen – Faculty of Engineering Department of Computer Science Workgroup Software Engineering

## Content of lecture

#### ES

Heisel

#### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

## Lecture

- Characteristics of embedded systems
- Development process for embedded systems
- Notations to be used in the development process
- If we have time: safety and security aspects of embedded systems, fault tolerance

## Practical part of the course

 Development of a simple embedded system according to the development process

## Organizational issues of the course

### ES

### Heisel

### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- Lecture: Tuesday 12–14, room BA 143
- Exercises and practical training: Tuesday, 14–16, room BA 143
   beginning: Oct. 21, 2008
- Course material will be published under http://swe.uni-duisburg-essen.de/

## Organizational issues of the lab I

ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- Set up groups of at least 3 and at most 5 students.
- Announce your group until 2008-10-19⇒ 1 email per group with names and matr.-numbers (denis.hatebur@uni-due.de)!
- Work on tasks and submit the group solution and all previous solutions in one .pdf-file until following Sunday 23:59. The email must include names and matr.-no of all members. The .pdf-file should include only the number of the group.
- If more than two solutions are submitted too late, the whole group will not pass the lab.
- All tasks must be processed.

## Organizational issues of the lab II

#### ES

### Heisel

### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- To pass you have to attend all labs and submit all solutions in time (max. 2 exceptions).
- Everyone has to present the group solution at least (!) once.
- It must be indicated in the mail who performed the tasks and who performed the validation.
- All solutions will be published on the web.

## Literature I

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- Alan Burns and Andy Wellings: Real-Time Systems and Programming Languages.
   Pearson Education, 2001.
- Denis Hatebur: A Pattern- and Component-Based Process for Embedded Systems Development. University Duisburg-Essen, 2006, http://swe.uni-duisburg-essen.de/intern/dpes.pdf
- David E. Simon: An Embedded Software Primer. Addison-Wesley 2004.
- Ahmad Ibrahim: Fuzzy Logic for Embedded Systems Applications (Embedded Technology), 2003

## Literature II

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

 Manfred Broy and Wolfgang Pree: Ein Wegweiser für Forschung und Lehre im Software-Engineering eingebetteter Systeme,

Informatik Spektrum, 18/2003, Volume 18.

 Michael Jackson: Problem Frames. Analyzing and structuring software development problems. Addison Wesley, 2001.

 Michael Jackson. Problems and requirements. In Proceedings of the IEEE Second International Symposium on Requirements Engineering. ACM Press, 1995.

 Michael Jackson and Pamela Zave. Deriving specifications from requirements: an example. In *Proceedings 17th Int. Conf. on Software Engineering, Seattle, USA*, S. 15–24. ACM Press, 1995.

## Literature III

ES

- Heisel
- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

 Pamela Zave and Michael Jackson. Four dark corners of requirements engineering. ACM Transactions on Software Engineering and Methodology, 6(1):1–30, January 1997. Available at

http://www.research.att.com/~pamela/ori.html # fre

UML Superstructure Specification, v2.0 (709 Pages, 5.4 MB)

http://www.omg.org/docs/formal/05-07-04.pdf

- Laurent Doldi: UML 2.0 Illustrated. TMSO, 2003. http://www.tmso-systems.com
- M. Jeckle, C. Rupp, J. Hahn, B. Zengler, S. Queins: UML 2 glasklar. Hanser, 2004.

## Some definitions of embedded systems

ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- Embedded systems are computer-based systems being part of products other than a computer (Broy and Pree, after Simon)
- Embedded systems are information technology systems embedded in an electro-mechanical environment. (Borusan and Weber)
- ... applications whose prime function is *not* that of information processing, but which nevertheless require information processing in order to carry out their prime function. (Ahmad Ibrahim)

About 99% of the worldwide production of microprocessors is used in embedded systems (Burns and Wellings).

# Typical tasks of embedded systems (Burns and Wellings)

#### ES

Heisel

#### Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

Process Control The computer interacts with its environment using sensors and actuators.

It controls the operation of the sensors and actuators to ensure that correct plant operations are performed at appropriate times.

Where necessary, analogue to digital (and vice versa) converters must be inserted between the controlled process and the computer.

Manufacturing The physical system consists of a variety of mechanical devices – such as machine tools, manipulators and conveyor belts – all of which need to be controlled and coordinated by the computer.

## Application domains of embedded systems

#### ES

Heisel

#### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

## automotive

- aviation and space technology
- medical technology
- traffic guidance technology
- industrial automation
- telecommunications
- business
- entertainment
- household

## Examples for embedded systems



### Heisel

#### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- anti-lock braking system (ABS)
- smartcard
- washing machine
- traffic light
- temperature control unit
- elevator control unit
- **.**..

## Characteristics of embedded systems I

#### ES

Heisel

#### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- specialized for a particular purpose
- limited amount of resources (memory, power)
- high number of copies
- combination of hardware and software
- often security or safety critical
- connected via bus systems to other information technology systems
- larger embedded systems are often configurable
- faults in embedded software are expensive

## Characteristics of embedded systems II

#### ES

Heisel

#### Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

Embedded Software ...

- is usually reactive or continuous
- works on hardware with limited resources
- often has to fulfill safety or security requirements
- often fulfills timing requirements
- performs several tasks on one hardware

## Embedded vs. real-time systems

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

Often used synonymously.

In contrast, we consider real-time systems to be a special kind of embedded systems:

A real-time system is any information processing activity of a system which has to respond to externally generated input stimuli within a finite and specified delay. (Burns and Wellings)

Real-time does not mean to be very fast. But if a real-time system does not react within the specified delay, this is considered to be a system fault.

Hard real-time system: delay in reaction may cause danger to life of people or assets.

### ES

Heisel

Introduction

#### DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

## **Overview of development process (DePES)**

## Overview of development process (DePES) I

### ES

- Heisel
- Introduction

#### DePES

- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- 1. Describe system in use
- 2. Describe system to be built
- 3. Decompose problem
- 4. Derive a machine behavior specification for each subproblem
- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design an architecture for all programmable components of the global system architecture that will be implemented in software

## Overview of development process (DePES) II

#### ES

Heisel

#### Introduction

### DePES

- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment
- 11. Integrate and test software components
- 12. Integrate and test hardware and software

## Phase 1: Describe system in use

| ES           | input:      | informal description of the task            | natural language        |
|--------------|-------------|---------------------------------------------|-------------------------|
|              | output:     | context diagram of system in use            | Jackson without machine |
| Heisel       |             |                                             | domain                  |
|              |             | shortcomings                                | natural language        |
| Introduction |             | domain knowledge $D(F \land A)$             | natural language, (HTA, |
| DePES        |             |                                             | state machines)         |
| Phase 1      |             | glossary with definitions and designa-      | natural language        |
|              |             | tions                                       |                         |
| Phase 2      |             | list of possible development alternatives   | natural language        |
| Phase 3      | validation: | all domains and phenomena in the con-       |                         |
| Phase 4      |             | text diagram must be described.             |                         |
|              |             | the context diagram must contain all        |                         |
| Phase 5      |             | domains necessary to describe the short-    |                         |
|              |             | comings.                                    |                         |
|              |             | shortcomings must be stated using ele-      |                         |
|              |             | ments of the domain knowledge descrip-      |                         |
|              |             | tion.                                       |                         |
|              |             | the glossary contains the notions used      |                         |
|              |             | in D.                                       |                         |
|              |             | each entry in the list of possible develop- |                         |
|              |             | ment alternatives must consider at least    |                         |
|              |             | one of the shortcomings.                    |                         |
|              |             |                                             |                         |

## Phase 2: Describe system to be built

| ES                  | input:                                | all results of Phase 1                        | Jackson/ natural lan-   |
|---------------------|---------------------------------------|-----------------------------------------------|-------------------------|
|                     |                                       |                                               | guage                   |
| Heisel              | output:                               | system mission statement                      | natural language        |
|                     |                                       | selected development alternatives             | natural language        |
| ntroduction         |                                       | context diagram of system to be built         | ext. Jackson            |
| DePES               |                                       | changed domain knowledge $D$ ( $F \land A$ )  | natural language, (HTA, |
| Phase 1             |                                       |                                               | state machines)         |
|                     |                                       | initial set of requirements R <sub>init</sub> | natural language        |
| <sup>p</sup> hase 2 |                                       | requirements $R$ to be implemented            | natural language        |
| Phase 3             | validation:                           | only the limited set of operators is applied  |                         |
| <sup>o</sup> hase 4 |                                       | on the context diagram of system in use       |                         |
|                     |                                       | to derive the context diagram of system to    |                         |
| Phase 5             |                                       | be built                                      |                         |
|                     |                                       | system mission statement must address         |                         |
|                     |                                       | the shortcomings or refer to domain knowl-    |                         |
|                     |                                       | edge of the system in use                     |                         |
|                     |                                       | domains and phenomena in the context di-      |                         |
|                     |                                       | agram and in $R$ and $D$ must be consistent   |                         |
|                     |                                       | R must be a subset of R <sub>init</sub>       |                         |
|                     |                                       | changes in the domain knowledge must be       |                         |
|                     |                                       | justified by the requirements                 |                         |
|                     |                                       | $D \wedge R$ are non-contradictory            |                         |
|                     | · · · · · · · · · · · · · · · · · · · |                                               |                         |

## Phase 3: Decompose problem

| ES           |             |                                 |              |
|--------------|-------------|---------------------------------|--------------|
|              | input:      | requirements $R$ to be imple-   | natural lan- |
| Heisel       |             | mented of Phase 2               | guage        |
| Introduction |             | domain knowledge D of           | natural lan- |
| DePES        |             | Phase 2                         | guage        |
| Phase 1      |             | context diagram of Phase 2      | ext. Jackson |
| Phase 2      | output:     | set of problem diagrams with    | Jackson with |
| Phase 3      |             | associated set of requirements  | dot-notation |
| Phase 4      |             | expression of the subproblem    | grammar      |
| Phase 5      |             | relationships                   |              |
|              | validation: | consistent with context dia-    |              |
|              |             | gram of Phase 2                 |              |
|              |             | requirements $R$ of Phase 2     |              |
|              |             | must be treated in at least one |              |
|              |             | subproblem                      |              |
|              |             |                                 |              |

# Phase 4: Derive a machine behavior specification for each subproblem $P_i$

| input:     | requirements R from Phase 2                       | natural language  |
|------------|---------------------------------------------------|-------------------|
|            | domain knowledge D from Phase 2                   | natural language  |
|            | problem diagram for $P_i$ from Phase 3            | Jackson with dot- |
|            |                                                   | notation          |
| on output: | specification $S_{P_i}$ of machine to construct   | natural language  |
|            | sequences of interactions with annotated states   | sequence diagrams |
|            | for the domains in the environment, expressing    | with annotated    |
|            | $R_{P_i}$ and $D_{P_i}$                           | states            |
|            | sequences of interactions on initialization       | sequence diagram  |
|            |                                                   | with annotated    |
|            |                                                   | states            |
| validation | $D \wedge S_{P_i}$ are non-contradictory          |                   |
|            | $D \wedge S_{P_i} \Longrightarrow R_{P_i}$        |                   |
|            | all requirements must be captured                 |                   |
|            | in the sequence diagrams refined phenomena of     |                   |
|            | the problem diagrams are used as signals          |                   |
|            | direction of signals must be consistent with con- |                   |
|            | trol of shared phenomena                          |                   |
|            | signals must connect domains as connected in      |                   |
|            | problem diagram                                   |                   |
|            | the relationships of Phase 3 must be consistent   |                   |
|            | with the states                                   |                   |

## Phase 5: Design global system architecture I

| ES    | input:  | context diagram from Phase 2                 | ext. Jackson      |
|-------|---------|----------------------------------------------|-------------------|
|       |         | problem diagrams from Phase 3                | Jackson with dot- |
|       |         |                                              | notation          |
|       |         | sequences of interactions between machine    | sequence diagrams |
| DePES |         | and environment of all subproblems from      |                   |
|       |         | Phase 4                                      |                   |
|       |         | expression of the subproblem relationships   | grammar           |
|       |         | from Phase 3                                 |                   |
|       | output: | system architecture                          | composite struc-  |
|       |         |                                              | ture diagram      |
|       |         | perhaps subcomponents (recursively)          | composite struc-  |
|       |         |                                              | ture diagrams     |
|       |         | purpose of each component                    | natural language  |
|       |         | specification of external interfaces         | interface classes |
|       |         | specification of interfaces between the com- | interface classes |
|       |         | ponents                                      |                   |
|       |         | technical description of hardware interfaces | natural language, |
|       |         |                                              | figures           |
|       |         | expression of the subproblem relationships   | grammars          |
|       |         | for all components                           |                   |

## Phase 5: Design global system architecture II

| ES           |                                       |                                            |  |
|--------------|---------------------------------------|--------------------------------------------|--|
| ES           | validation: a                         | all machine interfaces of the problem dia- |  |
| Heisel       | 8                                     | grams must be captured                     |  |
|              | t                                     | the signals in the sequence diagrams must  |  |
| Introduction | ł                                     | be the same as the signals in the external |  |
| DePES        |                                       | nterfaces                                  |  |
| Phase 1      | t                                     | to each programmable component at least    |  |
| Phase 2      | 0                                     | one problem diagram must be associated     |  |
| Phase 3      | e                                     | each problem diagram must be associated    |  |
|              | t                                     | to at least one component                  |  |
| Phase 4      | a                                     | all domains in the problem diagrams being  |  |
| Phase 5      | l l                                   | part of the machine must be associated to  |  |
|              | a                                     | a component                                |  |
|              | e                                     | each machine domain in the context dia-    |  |
|              | E E E E E E E E E E E E E E E E E E E | gram must occur in the architecture        |  |
|              | 4                                     | purpose must be consistent with the asso-  |  |
|              | 0                                     | ciated requirements                        |  |
|              | t                                     | the grammar for each component must de-    |  |
|              | s                                     | scribe a subset of the grammar in Phase 3  |  |

# Phase 6: Derive specifications for all components of the global system architecture

. . . . . . . . . . . . . . . . . . .

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

## For each subproblem:

| input:      | architecture from Phase 5                        | composite structure   |
|-------------|--------------------------------------------------|-----------------------|
|             |                                                  | diagrams              |
|             | interface specifications from Phase 5            | interface classes     |
|             | subcomponents (if defined) from Phase 5          | composite structure   |
|             |                                                  | diagrams              |
|             | sequences of interactions from Phase 4           | sequence diagrams     |
|             |                                                  | with annotated states |
|             |                                                  | or existing technical |
|             |                                                  | documentation         |
| output:     | interface behavior of all components (test spec- | sequence diagrams     |
|             | ification)                                       | with annotated states |
| validation: | sequence diagrams together must describe the     |                       |
|             | same interface behavior as in Phase 4            |                       |
|             | all signals in the interface classes of Phase 5  |                       |
|             | must be used in at least one sequence diagram    |                       |
|             | direction of signals must be consistent with the |                       |
|             | required and provided interfaces of Phase 5      |                       |
|             | signals must connect components as connected     |                       |
|             | in the system architecture of Phase 5            |                       |
|             | it must be possible to map the new states to the |                       |
|             | states of Phase 4                                |                       |

# Phase 7: Design a software architecture for all components of the global system architecture

| 50           | Lin muster  | alahal watawa anahita atawa ƙwara Dharas F                  | dia                       |
|--------------|-------------|-------------------------------------------------------------|---------------------------|
| ES           | input:      | global system architecture from Phase 5                     | composite structure dia-  |
|              |             |                                                             | gram                      |
| Heisel       |             | problem diagrams from Phase 3                               | Jackson with dot-         |
|              |             |                                                             | notation                  |
| Introduction |             | interface specifications from Phase 5                       | interfaces classes        |
| DePES        |             | relationships between subproblems specified in Phase 5      | grammars                  |
|              |             | possibly reusable components from other projects            | active or passive classes |
| Phase 1      |             | (Phase 9)                                                   | with interface classes    |
| Phase 2      |             | machine behavior specifications from Phase 4                | sequence diagrams with    |
| Phase 3      |             |                                                             | annotated states          |
| r liase 5    | output:     | layered software architecture for each subproblem           | composite structure dia-  |
| Phase 4      |             |                                                             | grams                     |
| Phase 5      |             | merged layered software architecture (with subcompo-        | composite structure dia-  |
| 1 11450 0    |             | nents)                                                      | grams                     |
|              |             | purpose of each software component                          | natural language          |
|              |             | specification of interfaces between software components     | interface classes         |
|              | validation: | if no instantiation of architectural patterns: consistent   |                           |
|              |             | with problem diagram                                        |                           |
|              |             | signals of Phase 4 sequence diagrams are interfaces of      |                           |
|              |             | the application layer                                       |                           |
|              |             | direction of all signals consistent to each other and input |                           |
|              |             | external interfaces must be consistent with the interfaces  |                           |
|              |             | of the system architecture developed in Phase 5             |                           |

# Phase 8: Specify the behavior of all components of all software architectures, using sequence diagrams

ES

### Heisel

DePES

## For each subproblem:

| input:      | software architectures from Phase 7              | composite     | structure  |
|-------------|--------------------------------------------------|---------------|------------|
|             |                                                  | diagrams      |            |
|             | interface specifications from Phase 7            | interface cla | isses      |
|             | system behavior from Phase 4                     | sequence      | diagrams   |
|             |                                                  | with annota   | ted states |
|             | interface behavior of all programmable compo-    | sequence      | diagrams   |
|             | nents from Phase 6                               | with annota   | ted states |
| output:     | interface behavior of all software components    | sequence      | diagrams   |
|             | (test specification)                             | with annota   | ted states |
| validation: | all sequence diagrams together must describe     |               |            |
|             | the same interface behavior as in Phase 6        |               |            |
|             | all signals in the interfaces classes of Phase 7 |               |            |
|             | must be used in at least one sequence diagram    |               |            |
|             | direction of signals must be consistent with the |               |            |
|             | required and provided interfaces of Phase 7      |               |            |
|             | signals must connect components as connected     |               |            |
|             | in the software architecture of Phase 7          |               |            |
|             | it must be possible to map any new states to the |               |            |
|             | states of Phase 6                                |               |            |

# Phase 9: Specify the software components of all software architectures as state machines

| ES    | input:     | interface behavior from Phase 8              | sequence diagrams  |
|-------|------------|----------------------------------------------|--------------------|
|       |            |                                              | with annotated     |
|       |            |                                              | states             |
|       |            | relationships between subproblems speci-     | grammars           |
|       |            | fied in Phase 5                              | -                  |
| DePES | output:    | component overview description with refer-   | class diagram with |
|       |            | ences to interface classes                   | ports, sockets and |
|       |            |                                              | lollipops          |
|       |            | data types and operations                    | class diagrams     |
|       |            | defined using pre- and postconditions        | formulas or natu-  |
|       |            |                                              | ral language       |
|       |            | state machines                               | state machine dia- |
|       |            |                                              | grams              |
|       |            | invariants                                   | formulas or natu-  |
|       |            |                                              | ral language       |
|       | validation | consistent with interface behavior from      |                    |
|       |            | Phase 8                                      |                    |
|       |            | completeness of state machines (implies      |                    |
|       |            | error-cases for user-interaction)            |                    |
|       |            | a class must be active if it contains an ac- |                    |
|       |            | tive class or a timer                        |                    |
|       |            |                                              |                    |

# Phase 10: Implement software components and test environment

| ES           |         |                        |
|--------------|---------|------------------------|
| Heisel       |         |                        |
| Introduction | input:  | software componen      |
| DePES        | input.  | Phase 8                |
| Phase 1      |         | specification of merg  |
| Phase 2      |         | Phase 9                |
| Phase 3      | output: | test software for soft |

| input:      | software component behavior from      | sequence diagrams     |  |  |  |
|-------------|---------------------------------------|-----------------------|--|--|--|
|             | Phase 8                               | with annotated states |  |  |  |
|             | specification of merged components of | different notations   |  |  |  |
|             | Phase 9                               |                       |  |  |  |
| output:     | test software for software components | programming lan-      |  |  |  |
|             |                                       | guage or test lan-    |  |  |  |
|             |                                       | guage                 |  |  |  |
|             | implemented software components       | programming lan-      |  |  |  |
|             |                                       | guage                 |  |  |  |
| validation: | run tests                             | test results          |  |  |  |

## Phase 11: Integrate and test software components

ES

#### Heisel

Introduction

#### DePES

Phase 1

Phase 2

Phase 3

Phase 4

| input:      | global software architecture from  | composite structure dia-   |  |
|-------------|------------------------------------|----------------------------|--|
|             | Phase 7                            | grams                      |  |
|             | software behavior from Phase 6     | sequence diagrams with an- |  |
|             | notated states                     |                            |  |
|             | implemented software compo-        | programming language       |  |
|             | nents from Phase 10                |                            |  |
| output:     | implemented software               | programming language       |  |
|             | test software for integrated soft- | programming language or    |  |
|             | ware                               | test language              |  |
| validation: | run tests                          | test results               |  |

## Phase 12: Integrate and test hardware and software

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

| input:      | system architecture from Phase 5 | composite structure dia-   |  |
|-------------|----------------------------------|----------------------------|--|
|             |                                  | gram                       |  |
|             | system specifications from       | sequence diagrams with an- |  |
|             | Phase 4                          | notated states             |  |
|             | expression of the subproblem re- | grammar                    |  |
|             | lationships from Phase 3         |                            |  |
|             | implemented software from        | programming language       |  |
|             | Phase 11                         |                            |  |
| output:     | integrated system                | machine                    |  |
|             | acceptance test cases            | test system and/or test    |  |
|             |                                  | plans                      |  |
| validation: | run tests                        | test results               |  |

## Phase 1: Describe system in use

#### ES

Heisel

- Introduction
- DePES
- Introduction
- Notations Terminology Context diagrams R, D & S Summary Procedure
- Example SB
- Phase 2
- Phase 3
- Phase 4
- Phase 5

## 1. Describe system in use

- 2. Describe system to be built
- 3. Decompose problem

. . .

- 4. Derive machine behavior specification for each subproblem
- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams

## Phase 1: Describe system in use

| ES                     | input:      | informal description of the task            | natural language        |
|------------------------|-------------|---------------------------------------------|-------------------------|
|                        | output:     | context diagram of system in use            | Jackson without machine |
| Heisel                 |             |                                             | domain                  |
|                        |             | shortcomings                                | natural language        |
| Introduction           |             | domain knowledge $D(F \land A)$             | natural language, (HTA, |
| DePES                  |             |                                             | state machines)         |
| Phase 1                | -           | glossary with definitions and designa-      | natural language        |
| Introduction           |             | tions                                       |                         |
| Notations              |             | list of possible development alternatives   | natural language        |
| Terminology<br>Context | validation: | all domains and phenomena in the con-       |                         |
| diagrams               |             | text diagram must be described.             |                         |
| R, D & S<br>Summary    |             | the context diagram must contain all        |                         |
| Procedure              |             | domains necessary to describe the short-    |                         |
| Example - TLC          |             | comings.                                    |                         |
| Example - SBC          |             | 0                                           |                         |
| Phase 2                |             | shortcomings must be stated using ele-      |                         |
|                        |             | ments of the domain knowledge descrip-      |                         |
| Phase 3                |             | tion.                                       |                         |
| Phase 4                |             | the glossary contains the notions used      |                         |
| Phase 5                |             | in D.                                       |                         |
| Phase 5                |             | each entry in the list of possible develop- |                         |
|                        |             | ment alternatives must consider at least    |                         |
|                        |             | one of the shortcomings.                    |                         |
|                        |             |                                             |                         |

## Notations and concepts

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminolog Context diagrams R, D & S

Procedure

Example - SE

Phase 2

Phase 3

Phase 4

- Terminology
- Context diagrams
- Requirements
- Domain knowledge
- Glossary
- Specification

## Terminology: System, machine and environment I

#### ES

#### Heisel

- Introduction
- DePES

#### Phase 1 Introduction Notations Terminology Context diagrams R D & S

- Summary Procedure Example - TL Example - SE
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- A system consists of a machine and its environment.
- System is a recursive term: A system can consist of other systems.
- The machine is the system to be built.
- Each machine acts in an environment

## Terminology: System, machine and environment II

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure

Example - T Example - S

Phase 2

Phase 3

Phase 4

Phase 5

**Goal**: Design of a system with specified characteristics *Example*: An elevator should enable persons in a building to get from one floor to another.

Components of the system:

 environment: part of "real world" relevant for the problem Example: floors, persons, cage, doors, engine, buttons, sensors, ...

machine: controlling software and suitable hardware

Properties of the environment are fixed. We have to build the machine, so that it realizes the desired properties of the system.

## Terminology: Phenomena I

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology

diagrams R, D & S Summary Procedure Example - TLO Example - SBO

Phase 2

Phase 3

Phase 4

Phase 5

State and behavior of the environment can be described by phenomena. Examples:

### Elevator

Person presses button, expects, that the elevator arrives.

### Bank

Client gives withdrawal instruction, expects a withdrawal.

Machine can interact with the environment by

- observing certain phenomena (input) ( $\rightarrow$  sensors)
- causing certain phenomena (output) (→ actuators)

# Terminology: Phenomena II

#### ES

### Heisel

#### Introduction

DePES

#### Phase 1 Introduction Notations Terminology

Context diagrams R, D & S Summary Procedure Example - T Example - SI

Phase 2

Phase 3

Phase 4

Phase 5

### Phenomena

- are actions/events/operations that occur in the environment
- are important for expressing statements
- can be observed or controlled by the environment or the machine, respectively

### Examples:

- waiting in front of the elevator
- pressing the button inside the elevator
- elevator door closes

# Terminology: Control of phenomena

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SB

Phase 2

Phase 3

Phase 4

Phase 5

1. Controlled by the environment, not observable by the machine

Example: waiting in front of the elevator

- 2. Controlled by the environment, observable by the machine Example: *pressing the button inside the elevator*
- 3. Controlled by the machine, observable by the environment Example: *elevator door closes*

The category "controlled by the machine, not observable by the environment" is not considered in this phase, since internal phenomena of the machine do not belong to the requirements.

### Context diagrams

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SE

Phase 2

Phase 3

Phase 4

Phase 5

- Distinction between environment and machine
- Representation of the connections between environment and machine
- Structuring the environment into a machine and (usually several) problem domains
- Connections between domains
- Represent the world, when the machine is in operation

### Context diagrams - Notation



# Context diagram example: patient monitoring system

#### ES

Heisel

Introductio

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL( Example - SB(

Phase 3

Phase 4

Phase 5

A patient monitoring program is required for the intensive-care unit of a hospital. Each patient is monitored by an analog device which measures factors such as pulse, temperature, blood pressure, and skin resistance.

The program reads these factors on a periodic basis (specified for each patient) and stores the factors in a database. For each patient, safe ranges for each factor are also specified by medical staff.

If a factor falls outside a patient's safe range, or if an analog device fails, then the nurses' station is notified.

# Related (provisional) Context Diagram



### Context Diagram of a Problem

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLI Example - SB Phase 2

Phase 3

Phase 4

Phase 5

- forms the basis for structuring and analyzing the problem
  - shows all domains that need to be taken into consideration
  - everything that does not appear in the context diagram, is not considered

 $\implies$  careful selection of domains necessary!

# Example: different possibilities for the database domain

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SB

Phase 2

Phase 3

Phase 4

Phase 5

- Factor database as *given* domain
  - $\implies$  it already exists, does not have to be designed
- If it were part of the task:



Only sensible, if the database is also used by other systems.

• Otherwise: Database as part of the machine that is to be constructed, *no separate domain* in the context diagram

### Context Diagram – Complete Notation

#### ES

Heisel

#### Introduction

#### DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLi Example - SBi Phase 2 Phase 3

- Phase 4
- Phase 5

### Write down shared phenomena at the connecting lines



### Extended Context Diagrams

#### ES

### Heisel

Introduction

#### DePES

Phase 1 Introduction Notations Terminology **Context diagrams** R, D & S Summary Procedure Example - TL Example - SE Phase 2

User edit Client requests Network requests, config Administrator settings Client B Client Server

Systems with more than one machine are necessary, when the machines are physically distributed (e.g., Client-Server Systems). Therefore, Jackson's context diagrams are extended to allow more than one machine domain.

### Context Diagram – Connection Domains I

#### ES

#### Heisel

#### Introduction

#### DePES

#### Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SB Phase 2

#### DI 4

Phase 5

Patients and the machine are not directly connected, but indirectly through a causality chain:



### Context Diagram – Connection Domains II

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SB Phase 2

Phase 3

Phase 4

Phase 5

Shared phenomena in context diagrams are abstractions of real phenomena, e.g. by

 omitting properties that are not relevant for the purpose at hand at that moment

e.g., the event Notify surely has arguments

treat complex episode of interaction as an instantaneous event

Care must be taken in the latter abstraction, as the following example taken from retail shows:



### Context Diagram – Connection Domains III

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SE Phase 2

rnase o

Phase 4

Phase 5

If issuing an invoice and payment are carried out via postal mail, then the above mentioned context diagram would represent a (too great) abstraction of what actually happens :



b: SendBill, ReceivePayment

c: SendPayment, ReceiveBill

The phenomena *Bill* and *Pay* are in fact no shared phenomena of *AccountsDepartment* and *RetailCustomers*, since the mail acts as intermediary, which causes delays and uncertainties.  $\Rightarrow$  We need the *Post Office* as a connection domain.

### Context Diagram – Connection Domains IV

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SB

Phase 3

Phase 4

Phase 5

Connection domains are necessary, if

- they are explicitly mentioned in the requirements, such as analog devices in the patient monitoring system
- may cause delays, that cannot be ignored, as shown in the retail example
- the transmission via the connection domain is unreliable, e.g., failure of an analog device.

# Setting up Context Diagrams

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL( Example - SB

mase 2

Phase 3

Phase 4

Phase 5

### Problem: circularity:

- It can only be decided on the context, if an overview of the problem is available.
- A problem is only properly known, if its embedding in environment is known.

 $\Longrightarrow$  Iterative analysis of problem context and requirements

# R, D & S – Requirements and specification I

#### ES

Heisel

- Introduction
- DePES
- Phase 1 Introduction Notations Terminology Context diagrams **R**, D & S Summary Procedure Example - Th
- Phase 2
- Phase 3
- Phase 4

Phase 5

- Known:
  - (1) Fixed characteristics of the environment (domain knowledge)
  - (2) Desired characteristics of the system (requirements)
- Clear: Machine must close the "gap" between (1) and (2)
- Searched: specification of the machine "How should the machine act, so that the system fulfills the requirements?"

Requirements describe the environment, the way it should be, after the machine is integrated.

# R, D & S – Functional vs. non-functional requirements

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams **R**, D & S Summary Procedure Example - TLC Example - SBC Phase 2 Phase 3

Phase 4

Phase 5

- Functional requirements: state how the system should act
   Non-functional manipumentation account multitude
- Non-functional requirements: concern quality characteristics such as efficiency or user-friendliness

fulfillment of functional requirements  $\hat{=}$  correctness fulfillment of non-functional requirements  $\hat{=}$  ???

Decisions on fulfillment of non-functional requirements need the definition of separate criteria! In the following: only functional requirements

### R & D – Types of statements

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams **R, D & S** Summary Procedure Example - TL Example - SB

Dhaan 2

Phase 4

Phase 5

Indicative Statements describe the environment irrespective of how the machine is built.

Other notion: domain knowledge.

Example: a door cannot be open and closed at the same time.

Optative statements describe the environment, in the way we would expect it after the machine is integrated. Example: After the button was pressed, the elevator stops at the corresponding floor.

Note: Statements are characterized by being true or false.

Requirements are thus optative statements.

# D – Types of domain knowledge

#### ES

Heisel

Introductio

DePES

Phase 1 Introduction Notations Terminology Context diagrams **R, D & S** Summary Procedure Example - TL Example - SE Phase 2

Phase 5

Facts describe conditions that are always fulfilled.

Example: When the motor turns right, the elevator moves to a higher floor

(This fact is needed to transform the requirement "Move to another floor" into a specification with phenomena visible to the machine (turn motor right).)

Assumptions describe conditions that are needed, so that the requirements are satisfiable.

Example: When the elevator reaches my floor, I enter (This assumption is needed for fulfilling the requirement that the elevator carries all waiting persons to their destination.)

# D – Types of domain knowledge: Facts

#### ES

Heisel

- Introduction
- DePES
- Phase 1 Introduction Notations Terminology Context diagrams **R, D & S** Summary Procedure Example - SE
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- When it rains, the sensor gets wet.
- A wet sensor has an impedance below 100 Ω, and a dry sensor has an impedance above 200 Ω.
- When a airplane is on the ground and it is not stopped the wheels are turning. (?)
- When a car passes the sensor a pulse is generated.

# D – Types of domain knowledge: Assumptions

#### ES

### Heisel

- Introduction
- DePES
- Phase 1 Introduction Notations Terminology Context diagrams **R**, D & S Summary Procedure Example - TI Example - SE
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- In case of fire the user presses the emergency button.
- The cars passing the sensor have a height of more than one meter.
- The button is pressed for more than 0.5 seconds.

### R & S – Specifications



- are descriptions that are sufficient for building the machine
- are **implementable** requirements
- correctness condition:

If the machine fulfills the specification, the system fulfills the requirements.  $S \land D \Rightarrow R$ 

### R & S – Specifications vs. requirements

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams **R, D & S** Summary Procedure Example - SE Phase 2

Phase 3

Phase 4

Phase 5

Requirements are NOT implementable, if they

- constrain actions that are controlled by the environment Example: The elevator is not be overloaded.
- refer to actions that are not observable by the machine Example: The elevator should go to a floor where people are waiting.
- express conditions that can only be decided in the future Example: As soon as a user has dialed the last digit, he receives the dial tone, the busy signal, or the announcement "number not assigned".

### Glossary – Designations

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams **R**, **D** & **S** Summary Procedure Example - TI Example - SI

Phase 2

Phase 3

Phase 4

Phase 5

System descriptions require designations as basic vocabulary

- Each designation has
  - (1) a name
  - (2) a (detailed) explanation

Example.: A *student* is somebody who is enrolled at a university.

• With designations, we can form statements, e.g.

```
\forall s : student \bullet \exists l : lecture \bullet enrolled(s, l)
```

(assuming that designations of *lecture* and *enrolled* are available)

### Glossary – Definitions

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams **R, D & S** Summary Procedure Example - TL Example - SD

Phase 3

Phase 4

Phase 5

expand the available vocabulary, but not its expressivenesscan be absurd or useless, but not false

A defined notion can always be replaced by its definition. Example:

$$student(s) \cong \exists I : lecture \bullet enrolled(s, I)$$

### Summary of the terminology

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SE

Phase 2

Phase 3

Phase 4

Phase 5

You should have learned the following notions:

- machine
- environment
- designation
- definition
- indicative statement
- optative statement

- assumption
- fact
- shared phenomenon (action / event / operation)
- requirement
- specification

### Phase 1: Describe system in use

| ES                             | input:      | informal description of the task            | natural language        |
|--------------------------------|-------------|---------------------------------------------|-------------------------|
|                                | output:     | context diagram of system in use            | Jackson without machine |
| Heisel                         |             |                                             | domain                  |
|                                |             | shortcomings                                | natural language        |
| Introduction                   |             | domain knowledge $D(F \land A)$             | natural language, (HTA, |
| DePES                          |             |                                             | state machines)         |
| Phase 1                        |             | glossary with definitions and designa-      | natural language        |
| Introduction                   |             | tions                                       |                         |
| Notations                      |             | list of possible development alternatives   | natural language        |
| Terminology<br>Context         | validation: | all domains and phenomena in the con-       |                         |
| diagrams                       |             | text diagram must be described.             |                         |
| R, D & S<br>Summary            |             | the context diagram must contain all        |                         |
| Procedure                      |             | domains necessary to describe the short-    |                         |
| Example - TLC<br>Example - SBC |             | comings.                                    |                         |
|                                |             | shortcomings must be stated using ele-      |                         |
| Phase 2                        |             | ments of the domain knowledge descrip-      |                         |
| Phase 3                        |             | tion.                                       |                         |
| Phase 4                        |             | the glossary contains the notions used      |                         |
| Phase 5                        |             | in D.                                       |                         |
| r hase 5                       |             | each entry in the list of possible develop- |                         |
|                                |             | ment alternatives must consider at least    |                         |
|                                |             | one of the shortcomings.                    |                         |
|                                |             |                                             |                         |

### Executing Phase 1 I

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary **Procedure** Example - TL<sup>i</sup> Example - SB<sup>i</sup>

Phase 2

Phase 3

Phase 4

Phase 5

All items of the output can be developed in parallel. The following points should be considered after we have an initial context diagram and some initial shortcomings:

- A shortcoming usually refers to some domains that must be introduced.
- Each domain requires a description of its domain knowledge.
- Each domain controls or observes some phenomena that must be decribed in the context diagram and may need a description in the glossary.
- For a shortcoming a new development alternative can be identified.
- A new development alternative may also address other shortcomings.

### Executing Phase 1 II



Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SE

. . . . . . .

Phase 3

Phase 4

Phase 5

 An assumption may show us that there are additional shortcomings.

### Remarks I

#### ES

Heisel

- Introduction
- DePES
- Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TII Example - S
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- Only the actual state is described.
- Possible solutions are discussed.
- Problem: Which domains should be described.
- Solution: Those domains, that are relevant for describing the shortcomings.
- For users in the environment a Hierarchical Task Analysis (HTA) can be performed, see
   www.hfidtc.com/pdf/reports/HTA%20Literature%20Review.pdf .
- Other systems in the environment can be described by state machines (the notation is introduced in Phase 9).
- Do not forget to include the existing solution in the list of alternatives (even if it addresses no shortcoming).

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TL Example - SB

Phase 2

Phase 3

Phase 4

Phase 5

# **Example 1: traffic light control**

### Informal description of the task

E5

Heisel

Introductio

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC Phase 2

Phase 3

Phase 4

Phase 5



We should build a system that prevent accidents on the crossing. It should also help the fire brigade (on the left) to pass the crossing and arrange for a fair and adapted flow of traffic between the main road (horizontal) and the secondary road (vertical).

### Context diagram of system in use



Phase 5

### Shortcomings

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

Phase 2

Phase 3

Phase 4

Phase 5

- SC1: The old traffic light control is broken and cannot be repaired and improved.
- SC2: Vehicles of the fire brigade are disturbed by cars on the secondary road when the secondary road is not allowed to pass. This causes delays in case of fire.

SC3: The amount of traffic has increased on both roads.

SC4: Too many accidents happened without working traffic lights.

### Domain knowledge: Facts I

ES

Heisel

Introduction

DePES

- Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure **Example - TLC** Example - SBC
- Phase 2
- Phase 3
- Phase 4

Phase 5

- F1 : Traffic rule: stop if red (see\_red).
- F2 : Traffic rule: cross if green. (see\_green)
- F3 : Traffic rule: leave crossing as fast as possible.
- F4 : Fair means (for this **crossing**) that vehicles on the main road are allowed to pass the crossing for more than twice the time vehicles of the secondary road are allowed.
- F5 : Traffic rule: if yellow (see\_yellow): stop if possible.
- F6 : Vehicles cannot stop immediately.
- F7 : A *broken* light bulb can be detected by measurement of the electric current (no current = no light).
- F8 : There are tunnels for pedestrians.
- F9 : Induction loops can be used for monitoring the **waiting** area of secondary road.

### Domain knowledge: Facts II

#### ES

Heisel

- Introduction
- DePES
- Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- F10: The **lights** operate with a power supply of 24 V.
- F11: The **fire brigade** is allowed to ignore the red light (but must be careful).
- F12 : If the red phase is more than 30 s, some car drivers ignore the red light.
- F13 : The **old traffic light control** is broken and cannot be repaired. Before, the vehicles on the main road were allowed to pass until a vehicle on the secondary road was detected. Cars in the secondary road were allowed to pass for 5 seconds.

### Domain knowledge: Assumptions



Phase 2

Phase 3

Phase 4

- A1 : All vehicles follow the traffic rules.
- A2 : Pedestrians use the pedestrian tunnels.

# Glossary for crossing



- Iane / waiting area of main road: A lane / waiting area of secondary road: B traffic lights: device containing colored light bulbs to signal "stop" or "go" fire brigade: F
  - crossing: critical section: C
- vehicle waiting: sensor detecting if a vehicle is in the waiting area of the secondary road
- accident: 2 or more vehicles at the same time at the same place

### List of development alternatives

#### ES

Heisel

#### Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

- Phase 3
- Phase 4
- Phase 5

- ALT1: Remove old traffic lights and use signs (addresses shortcoming SC1)
- ALT2: Replace old traffic lights by a roundabout/rotary (addresses shortcomings SC1, SC3, and SC4)
- ALT3: Replace the broken traffic lights control by a new traffic lights control (addresses shortcomings SC1, SC2, SC3 and SC4)
- ALT4: Leave everything as it is

### Validation I

#### ES

Heisel

Introductio

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC Phase 2

Phase 3

Phase 4

Phase 5

All domains domains and phenomena in the context diagram are described:

crossing: F4 road users on lanes: F1, F2, F3, F5, F6, F12, A1 waiting area of secondary road: F9 old and broken traffic light control: F13 lights: F10, F7 fire brigade: F11

The pedestrians are not considered in the context diagram, since pedestrian tunnels exists and are used (F8, A2). The

# Validation II

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

Phase 2

Phase 3

Phase 4

Phase 5

context diagram contains all domains necessary to describe the shortcomings and the shortcomings are stated using elements of the domain knowledge description.

- SC1: old and broken traffic light control
- SC2: fire brigade, waiting area of secondary road, road users on lanes
- SC3: old and broken traffic light control
- SC4: old and broken traffic light control

The glossary shoud contain the notions used in D. The given TLC glossary is just an example and not complete. Each entry in the list of possible solutions considers at least one of the shortcomings. This is directly stated on the corresponding slide.

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

Phase 2

Phase 3

Phase 4

Phase 5

# Example 2: sun blind control

#### Informal description of the task

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

A building is equipped with sun blinds made up of metallic fins which are attached to the outer side of the window. The sun blinds are controlled manually. Unfortunately, the sunblinds can be destroyed by heavy wind if they are not pulled up. The system should be improved to achieve a comfortable working ambiance by not disturbing the users by sunshine.

### Context diagram of system in use



Example - SBC

c: lower sun blind, pull up sun blind, stop sun blind, sun blind is lowered, sun blind is pulled up, rotate fins with positive degree, rotate fins with negative degree

С

user

d

wind

b

- d: destroy sun blind
- e: sunshine. no sunshine

### Shortcomings

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC
- Phase 2
- Phase 3
- Phase 4
- Phase 5

- SC1: Users forget to pull up the sunblind when there is no sunshine what may have an influence on the well-being and health of users.
- SC2: Users forget to pull up the sunblind when there is heavy wind or even do no recognize that there is heavy wind.
- SC3: Users have to stop their work to lower the sunblind if there is sunshine with high intensity and the users cannot read their monitor content.
- SC4: Sometimes users destroy the sunblind accidentally by pulling heavily at the wires.

#### Facts

#### ES

Heisel

- Introduction
- DePES
- Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC
- Phase 2
- Phase 3
- Phase 4

- F1: Interface between user and sun blind are the control wires.
- F2: The intensity of sunshine on a sunny day ranges from 32 000 lux to 100 000 lux. More than 32 000 lux makes it hard to read content of a standard monitor.
- F3: The fins are turnable from  $80^{\circ}$  to  $0^{\circ}$  and to  $-80^{\circ}$ . If a user tries to rotate more (with normal power), nothing happens.
- F4: Heavy wind has a speed of more than 80 kilometers per hour. No heavy wind has a speed of less than 80 kilometer per hour.
- F5: The sun blind is destroyed by heavy wind.
- F6: The sun blind is destroyed if the user pulls too heavily at the wires (especially if the sunblind is lowered or pulled up).
- F7: The fins have an interface that can be directly connected to a microcontroller.

#### Assumptions

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

Phase 2

Phase 3

Phase 4

Phase 5

Assumptions, description of user:

- A1: Users usually lower the sunblind when the sun is shining.
- A2: Users pull up the sunblind when the sun is not directly shining
- A3: Users pull up the sunblind when there is heavy wind.
- A4: Users adjust the fins as convenient.
- A5: User recognize if the wind is blowing heavily (heavy wind).
- A6: Users pull up the sunblind when they want to look out of the window.
- A7: Users lower the Sunblind when they do not want to be seen.

# Glossary for sun blind (example)

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC Phase 2 Phase 3

Phase 4

Phase 5

metallic fins: metallic plates rotating on a horizontal axis.
outer side: not inside the building.
windows: part of a building made of glass.
sun blind: is made up of *metallic fins* which are attached to the *outer side* of the *window*.

sinshine: ...

Designations:

wind: ... wire: ...

microcontroller: ...

monitor: ...

### List of development alternatives

ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

Phase 2

Phase 3

Phase 4

- ALT1: Hire an employee who pulls up all sunblinds in case of heavy wind. (addresses shortcoming SC1)
- ALT2: Replace sunblinds by drapes or other types of sunblinds. (addresses shortcomings SC2 and SC4)
- ALT3: Replace the display units by monitors with higher intensity and let the sunblind pulled up. (addresses shortcomings SC1, SC2, SC3, and SC4)
- ALT4: Automatic sunblind control (addresses shortcomings SC1, SC2, SC3, and SC4)
- ALT5: Leave everything as it is

### Validation I

#### ES

Heisel

#### Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC Phase 2

Phase 3

Phase 4

Phase 5

All domains domains and phenomena in the context diagram are described:

```
User: A1 - A7, F1
Wind: F4, F5
Sunblind with fins: F1, F3, F5, F6, F7
Sun: F2
```

# Validation II

#### ES

Heisel

Introduction

DePES

Phase 1 Introduction Notations Terminology Context diagrams R, D & S Summary Procedure Example - TLC Example - SBC

Phase 2

Phase 3

Phase 4

Phase 5

The context diagram contains all domains necessary to describe the shortcomings and the shortcomings are stated using elements of the domain knowledge description.

- SC1: User, Sun, and Sunblind
- SC2: User, Wind, and Sunblind
- SC3: User, Sunblind (monitor intentionally left out, seen as part of user domain)
- SC4: User, Sunblind (wires intentionally left out, seen as part of Sunblind domain)

The glossary contains exactly the notions used in D, but is not complete. Each entry in the list of possible solutions considers at least one of the shortcomings. This is directly stated on the corresponding slide.

### Phase 2: Describe system to be built

ES

Heisel

Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

- 1. Describe system in use
- 2. Describe system to be built
- 3. Decompose problem

. . .

- 4. Derive machine behavior specification for each subproblem
- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams

#### Phase 2: Describe system to be built

| ES                      | input:      | all results of Phase 1                        | Jackson/ natural lan-   |
|-------------------------|-------------|-----------------------------------------------|-------------------------|
| 23                      |             |                                               | guage                   |
| Heisel                  | output:     | system mission statement                      | natural language        |
|                         |             | selected development alternatives             | natural language        |
| Introduction            |             | context diagram of system to be built         | ext. Jackson            |
| DePES                   |             | changed domain knowledge $D(F \land A)$       | natural language, (HTA, |
| Phase 1                 |             |                                               | state machines)         |
|                         |             | initial set of requirements R <sub>init</sub> | natural language        |
| Phase 2<br>Introduction |             | requirements $R$ to be implemented            | natural language        |
| Procedure               | validation: | only the limited set of operators is applied  |                         |
| Example - TLC           |             | on the context diagram of system in use       |                         |
| Example - SBC           |             | to derive the context diagram of system to    |                         |
| Phase 3                 |             | be built                                      |                         |
| Phase 4                 |             | system mission statement must address         |                         |
| Phase 5                 |             | the shortcomings or refer to domain knowl-    |                         |
| T Hase 5                |             | edge of the system in use                     |                         |
|                         |             | domains and phenomena in the context di-      |                         |
|                         |             | agram and in $R$ and $D$ must be consistent   |                         |
|                         |             | $R$ must be a subset of $R_{init}$            |                         |
|                         |             | changes in the domain knowledge must be       |                         |
|                         |             | justified by the requirements                 |                         |
|                         |             | $D \wedge R$ are non-contradictory            |                         |

### Executing Phase 2 I

#### ES

Heisel

- Introduction
- DePES

Phase 1

Phase 2 Introduction Procedure Example - TL Example - SB

- Phase 3
- Phase 4

- The system mission statements have to be defined. The system mission statements can be derived from good properties and from the shortcomings of the system in use.
- The development alternatives can be compared according to their estimated costs and addressed shortcomings.
- The context diagram of the system to be built is created by applying the following rules:
  - Introduce domain
  - Split domain
  - Remove domain with connected interfaces
  - Replace/change domain
  - Add or remove interfaces and phenomena for introduced, changed or replaced domains and between split domains
  - Connect interfaces to other domains

### Executing Phase 2 II

ES

Heisel

- Introductior
- DePES

Phase 1

- Phase 2 Introduction Procedure Example - TLO Example - SBO
- Phase 3

Phase 4

Phase 5

- State the requirements in terms of domains and phenomena of the context diagram.
- Give the condition for each requirement explicitly. Requirements consist of a precondtion and a postcondition. (when / if ... happens, do ...)
- State the domain knowledge for all introduced and replaced domains.
- Verify and update existing domain knowledge.

For each system mission statement:

- Determine all requirements that are necessary to achieve it.
- Determine if the necessary requirements (together with the domain knowledge) are also sufficient to achieve the mission statement. If not, more requirements are needed.

### Executing Phase 2 III

#### ES

Heisel

Introductio DePES

Phase 1

Phase 2 Introduction **Procedure** Example - TL Example - SB Phase 3

Phase 4

Phase 5

The requirements obtained in this way are the "need-to-have" (mission-critical) requirements.

All other requirements are "nice-to-have" requirements or the system mission must be adjusted. The "nice-to-have" requirements should be prioritized, and a return-on-investment analysis should be performed.

**Result:** Consolidated set of requirements to be achieved (all of the mission-critical plus selection of the "nice-to-have" requirements).

### Remarks I

Heisel

- Introduction
- DePES

Phase 1

- Phase 2 Introduction **Procedure** Example - TL Example - SB
- Phase 3

Phase 4

- Only the desired state is described.
- One of the possible solutions is chosen.

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

# **Example 1: traffic light control**

### System mission

#### ES

Heisel

#### Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

- SM1 : The system should prevent accidents on the crossing.
- SM2 : The system should help the fire brigade to pass the crossing with priority.
- SM3 : The system should arrange for a fair and adapted flow of traffic between the main and the secondary road (and maximize the flow of traffic).

### Select development alternative

ES

Heisel

Introductio

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

ALT1: Using signs will not improve the fair flow of traffic.

ALT2: A parcel of land must be bought to build a roundabout/rotary big enough for the vehicles of the fire brigade. The owner does not want to sell his parcel of land for an acceptable price. Estimated costs:

Parcel: EUR 5.000

Build the roundabout: EUR 20.000

ALT3: For a new traffic lights control the old lights and induction loops can be reused. Estimated costs:

New control: EUR 5.000

Maintanance: EUR 500 / year

ALT4: Costs of accidents are much higher

The roundabout charges off after 40 years  $\Rightarrow$  new traffic lights control

### New context diagram for traffic lights



Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4



- the old and broken traffic light control is replaced (replace domain)
- the fire bridage can send an emergency request (add interfaces with phenomena, change domain)

### Changed/added/removed domain knowledge

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2 Introduction Procedure Example - TLC
- Phase 3
- Phase 4
- Phase 5

- A1 and A2 are still true
- F1 F12 are still applicable.
- F13 is removed (because domain is removed)
- The following assumption is added:
- A3 : In case of emergency the emergency switch is activated and deactivated *emergency\_request* after crossing.

### Initial requirements for traffic lights I

ES

- Heisel
- Introduction
- DePES

Phase 1

- Phase 2 Introduction Procedure Example - TLC
- Phase 3
- Phase 4

- R1 : When there is a car waiting *(vehicle\_waiting)* on the **secondary road**, the traffic **lights** should stop *(see\_red)* the flow of traffic on the main road for a period of time and allow *(see\_green)* the traffic flow on the secondary road.
- R2 : When the emergency switch is activated (*emergency\_request*), the flow of traffic on the main road should be stopped (*see\_red*) after a reasonable time and the flow of traffic on the secondary road should be allowed (*see\_green*) after a reasonable time.
- R3 : Vehicles on the main road should be allowed to pass the crossing for a longer period of time than from the secondary road (if not emergency-case<sup>1</sup>).

## Initial requirements for traffic lights II

ES

Heisel

Introductio

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC

Phase 3

Phase 4

Phase 5

- R4 : While vehicles on one road are allowed to pass (see\_green), the others should be stopped (see\_red).
- R5 : The lights should switch in the following order: red red+yellow - green - yellow - red. Other combinations (except "all off", yellow blinking, and green - yellow green in emergency case<sup>2</sup>) are not allowed (see\_red, see\_yellow, see\_green).
- R6 : In case of a *broken* light bulb the traffic **lights** should blink in yellow (*see\_yellow*) for the secondary road, after all red lights have been switched on for a period of time (*see\_red*).
- R7 : After switching to red *(see\_red)*, the traffic flow of both roads should be stopped *(see\_red)* for a period of time \*<sup>3</sup>.

<sup>1</sup>Added later to eliminate contradictions <sup>2</sup>Added later to eliminate contradictions <sup>3</sup>A star (\*) denotes: added later

### Consolidate traffic light requirements I

#### $R \wedge F \wedge A \Longrightarrow SM$

#### SM1: avoid accidents

Example - TLC

Accidents will not occur if at most one road gets the "go" signal **and** cars have time to leave the crossing when the signal is changed to "stop", provided drivers obey to the rules.

 necessary: R4 (at most one road may pass), R5 (yellow before red, red/yellow before green), R7 (both roads get "stop" signal for some time)

### Consolidate traffic light requirements II

ES

Heisel

Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

# $(R4 \land F1 \land A1) \land (F6 \land R5 \land R7 \land F3 \land F5 \land A1) \Longrightarrow SM1$

(only one road may pass, stop if red, vehicles follow rules) (vehicles cannot stop immediately, correct order of signalling, period with red for all, leave critical section as fast as possible, stop on yellow if possible, vehicles follow rules)

#### ■ SM2: priority for fire brigade

sufficient:

This mission statement is achieved by the emergency button.

 necessary: R2 (emergency button yields "go" signal for secondary road)

### Consolidate traffic light requirements III

ES

Heisel

Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

 ■ sufficient: R2 ∧ F1 ∧ F2 ∧ A3 ∧ A1 ⇒ SM2 (emergency button stops main road, stop if red, drive if green, button is pressed on emergency, vehicles follow rules)

#### ■ SM3: fair traffic flow

Requests from the secondary road must be taken into account, but main road should be allowed to pass twice as long as secondary road.

- necessary: R1, R3
- sufficient: R1 ∧ R3 ∧ F4 ∧ A3 ⇒ SM3 (secondary road request leads to "go", longer period for main road, definition of fairness, emergency button is released)

### Consolidate traffic light requirements IV

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

#### Summary:

 $R' = \{R1, R2, R3, R4, R5, R7\}$  (mission critical requirements)  $R_{init} \setminus R' = \{R6\}$ 

but R6 required for safety

 $\implies$  All requirements will be implemented,  $R = R_{init}$ .

### Validation I

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2 Introduction Procedure Example - TLC Example - SBC
- Phase 3
- Phase 4
- Phase 5

- The applied operators for the context diagram are given directly below the diagram.
- The system mission statement addresses the shortcomings or refer to domain knowledge of the system in use:
  - SM1 (prevent accidents) addresses shortcomings SC4
  - SM2 (help the fire brigade) addresses shortcoming SC2
  - SM3 (fair and adapted flow of traffic) addresses shortcomings SC3
- The phenomena and the domains of the context diagram are printed emphasized in the requirements and in the domain knowledge.

# Validation II

#### ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2 Introduction Procedure Example - TLC
- Phase 3
- Phase 4
- Phase 5

- All given and designed domains are referenced in the requirements and the domain knowledge:
  - The *crossing* is referenced in F4 and F6.
  - The *waiting area of main road* is referenced in *R*3.
  - The *waiting area of secondary road* is referenced in *R*1 and *F*9.
  - The road users on lanes is referenced in R1, R2, R3, R4, R7, F1, F2, F3, F5, F6, A1.
  - The *fire brigade* with its emergency button is referenced in *R*2, *R*3, *A*3.
  - The *lights* are referenced in *R*5, *R*6, *F*7.

### Validation III

| ES                                                                     |
|------------------------------------------------------------------------|
|                                                                        |
|                                                                        |
|                                                                        |
|                                                                        |
| Phase 2<br>Introduction<br>Procedure<br>Example - TLO<br>Example - SBO |
|                                                                        |

Phase 3

Phase 4

- Usually, in all requirements and domain knowledge only elements of the context diagram are referenced.
   Pedestrians are referenced in F8 and A2. A domain *pedestrian* is not included in the context diagram since there are no shared phenomena with the machine or other domains being relevant for the problem.
- In  $D \wedge R$  no contradictions were found.

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

# Example 2: sun blind control

## System mission



- SM1: Achieve a comfortable working ambiance by not beeing disturbed by sunshine.
- SM2: Achieve a comfortable working ambiance according to user wishes.

### Select development alternative

ES

Heisel

Introduction

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

For the SunBlind problem, we only consider the development alternatives addressing all shortcomings.

ALT3: Replace the display units by monitors with higher intensity and let the sunblind pulled up. (estimated costs for each PC 4000 EUR)

ALT4: Automatic sunblind control. (estimated costs for each window 1000 EUR)

Ratio PCs and Windows: 1 PC : 2 Windows

 $\Rightarrow$  Automatic sunblind control

### New context diagram for sun blind I



### New context diagram for sun blind II

ES

Heisel

Introductio

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

- a: manually adjust fins with negative degree, manually adjust fins with positive degree, manually open sun blind, manually close sun blind, stop closing sun blind, stop opening sun blind (introduced with machine domain)
- b: heavy wind, no heavy wind now connected to machine, not to user
- c: lower sun blind, pull up sun blind, stop sun blind, sun blind is lowered, sun blind is pulled up, rotate fins with positive degree, rotate fins with negative degree now connected to machine, not to user
- d: destroy sun blind
- e: sunshine, no sunshine now connected to machine, not to user

### Initial requirements for sun blind I

#### ES

Heisel

Introductio

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

- R1 If there is *sunshine* for more than one minute but *no heavy wind*, the **sun blind** will be lowered (*lower sun blind*). (*Negation of precondition of R3 is included to prevent contradictions. R8 has priority*!)
- R2 If there is *no sun shine* for more than 5 minutes, the **sun blind** will be pulled up (*pull up sun blind*). (*R8 has priority!*)
  - R3 The **sun blind** should not be destroyed: If there is *heavy* wind, the **sun blind** will be pulled up (*pull up sun blind*).

### Initial requirements for sun blind II

ES

- Heisel
- Introductio
- Phase 1
- Phase 2 Introduction Procedure Example - TLC Example - SBC
- Phase 3
- Phase 4
- Phase 5

- R4 If there is no heavy wind and the user manually adjusts the fins with positive degree the fins are rotated with positive degree (rotate fins with positive degree).If there is no heavy wind and the user manually adjusts the fins with negative degree the fins are rotated with negative degree (rotate fins with negative degree).
- R5 If the **user** *manually opens the sun blind*, the **sun blind** will be pulled up (*pull up sun blind*).
- R6 If the **user** manually closes the sun blind and there is no heavy wind, the **sun blind** will be lowered (lower sun blind). (Negation of precondition of R3 is included to prevent contradictions.)

### Initial requirements for sun blind III

ES

#### Heisel

Introduction DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

- R7 The **sun blind** should not be destroyed: When the **sun blind** is in its lowest position (*sun blind is lowered*) or in it highest position (*sun blind is pulled up*) the **sun blind** should stop (*stop sun blind*).
- R8 If the **user** interacts with the **sun blind** (*manually opens* the sun blind, manually closes the sun blind, manually rotate fins with positive degree or manually rotate fins with negative degree), then sun shine and no sun shine are ignored for the next 4 hours.

### Revised domain knowledge I

ES

- Heisel
- Introduction
- DePES
- Phase 1
- Phase 2 Introduction Procedure Example - TLC Example - SBC
- Phase 3
- Phase 4
- Phase 5

- A1, A2, A3, A5 are removed
- A4, A6, A7 are still true
- F2, F3, F4, F5, and F7 are still applicable.
- F1 is changed to: The control wires are connected to the motor of the machine to be built. When the motor turns right, the sun blind is lowered (*lower sun blind*). When the motor turns left, the sun blind is pulled up (*pull up sun blind*). When the motor stops, the sun blind is stopped (*stop sun blind*).
- F6 is changed to: The wires are protected from the user. The sun blind is destroyed if the Sun Blind Control does not stop pulling or releasing the wires (within 0.2 s) when the sunblind is pulled up or lowered.

### Consolidate sun blind control requirements

ES

Heisel

Introductio

DePES

Phase 1

Phase 2 Introduction Procedure Example - TLC Example - SBC

Phase 3

Phase 4

Phase 5

The system mission can be split into the following parts:

- SM1: react to sun shine (R1, R2, F1, F2, F3, F4)
- SM2: react to user needs (R4, R5, R6, R8, F3, F4, F5, A1, A2, A3)

All contradictions are eliminated. (R3)

Requirements R1, R2, R4, R5, R6, R8 are "need to have". R3 and R7 (together with F4, F6, F7, A4) prevent sun blind from taking damage, thus contributing to the system mission SM1 and SM2.

$$\implies$$
  $R_{init} = R$ 

## Validation I

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2 Introduction Procedure Example - TLC Example - SBC
- Phase 3
- Phase 4
- Phase 5

- The applied operators for the context diagram are given with the diagram.
- The system mission statement addresses the shortcomings or refer to domain knowledge of the system in use:
  - SM1 (react to sunshine to achieve a comfortable working ambiance) address shortcomings SC1 and SC3.
  - SM2 (react to user needs) is included to do not make things worse, and addresses the assumption A3, A6, A7 but also the shortcoming SC4 since there is no direct user interaction.
- The phenomena and the domains of the context diagram are printed emphasized in the requirements and in the domain knowledge.
- All given and designed domains are referenced in the requirements and the domain knowledge.

### Phase 3: Decompose problem

ES

Heisel

- Introduction
- DePES
- Phase 1

Phase 2

Phase 3

#### Introduction Notations Terminology

Problem Diagrams Problem decomposition Problem frame Decomposition operations

relationships Procedure

Example - TLC

Phase 4

1. Describe problem

. . .

- 2. Consolidate requirements
- 3. Decompose problem
- 4. Derive machine behavior specification for each subproblem
- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams

# Phase 3: Decompose problem

| ES                          |                  |                                 |              |
|-----------------------------|------------------|---------------------------------|--------------|
| -                           | input:           | requirements $R$ to be imple-   | natural lan- |
| Heisel                      |                  | mented of Phase 2               | guage        |
| Introduction                |                  | domain knowledge D of           | natural lan- |
| DePES                       |                  | Phase 2                         | guage        |
| Phase 1                     |                  | context diagram of Phase 2      | ext. Jackson |
| Phase 2                     | output:          | set of problem diagrams with    | Jackson with |
| Phase 3                     |                  | associated set of requirements  | dot-notation |
| Introduction                |                  | associated set of requirements  |              |
| Notations<br>Terminology    |                  | expression of the subproblem    | grammar      |
| Problem<br>Diagrams         |                  | relationships                   | 0            |
| Problem<br>decomposition    | validation:      | consistent with context dia-    |              |
| Problem frames              | , and a decision |                                 |              |
| Decomposition<br>operations |                  | gram of Phase 2                 |              |
| Subproblem<br>relationships |                  | requirements $R$ of Phase 2     |              |
| Procedure<br>Example - TLC  |                  | must be treated in at least one |              |
| Example - SBC               |                  | must be treated in at least one |              |
| Phase 4                     |                  | subproblem                      |              |

### Notations and concepts

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

#### Introduction Notations

- Terminology Problem Diagrams Problem decomposition Problem fram Decompositio operations Subproblem relationships Procedure Example - TLC
- Example SB
- Phase 4

- Terminology
- Problem diagrams, simple problems
- Problem decomposition
- Problem frames
- Decomposition operations
- Subproblem relationships

# Terminology: Context Diagrams vs. Problem Diagrams vs. Problem Frames

#### ES

Heisel

- Introduction
- DePES
- Phase 1

Phase 2

Phase 3

Introduction Notations Terminology

Problem Diagrams Problem decomposition Problem frames Decompositions Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Context Diagram: "Where is the problem located?"

- Problem Diagram: "What is the problem?"
  - contains requirements (that refer to / constrain the problem domains)
  - contains information on who controls shared phenomena
- Problem Frame: Pattern for a Problem Diagram
  - describes classes of *simple* problems.

# Simple Problem Example: odometer display problem

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem

decomposition Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

A microchip computer is required to control a digital electronic speedometer and odometer in a car. One of the car's rear wheels generates pulses as it rotates. The computer can detect these pulses and must use them to set the current speed and total number of miles traveled in the two visible counters on the car fascia. The underlying registers of the counters are shared by the computer and the visible display.

## Corresponding problem diagram



### Simple problems are characterized by

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Notations Terminolog

Problem Diagrams

Problem decomposition Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

- Simple requirements, i.e., the purpose of the machine is intuitively comprehensible.
- Simple interfaces, i.e., it is easy to characterize the way the parts interact at each interface.
- Simple roles of the domains, i.e., it is clearly defined, which domain should be constrained and which should only be observed, etc.

# Decomposition of realistic problems into simpler subproblems

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams **Problem** 

decomposition

Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

• Necessary for solving the problems.

- Also necessary for capturing, describing and understanding realistic problems.
- Questions:
  - How can a good decomposition be made?
  - How do you know, that solving subproblems is easier than solving the initial problem?
- Desirable: subproblems that belong to known classes (*Problem frames* as "problem patterns")

#### Approaches to decomposition I

ES

Heisel

- Introduction
- DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams

Problem decomposition

Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Top-Down-Decomposition ("oldest and worst approach")

- Arrange functions in a hierarchy of several levels
- At each level, decompose each function into a number of functions at the next level.
- Stop when a level is reached where all functions are regarded as elementary.
- Disadvantages
  - Approach takes no explicit account of the problem to be decomposed.
  - Unlikely to achieve a good decomposition if not already familiar with the problem.
  - Example: Reduce enumerating all prime numbers up to a certain limit to determining the next prime number greater than a given number. Subproblem is not simpler than original problem.

### Approaches to decomposition II

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams

Problem decomposition

Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Use-Case-Decomposition

- Known through object-oriented analysis.
- Works well when it makes sense to think of the machine as a facility offering discrete services that are used in clearly defined episodes.
- Not suitable for continuing interaction between machine and problem domains, as often needed for embedded systems, e.g. in patient monitoring problem.
- "Knowledge-based" decomposition through projection.
  - Decomposition into "parallel" (not hierarchical) subproblems.
  - Knowledge of problem classes and their solutions are used for decomposition.

### Characteristics of subproblems

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2

#### Phase 3

Introduction Notations Terminology Problem Diagrams **Problem** 

#### decomposition

Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

- Subproblems treat sets of related requirements.
- Subproblems are complete, independent problems with their own problem diagrams.
- When analyzing a subproblem, the other subproblems are considered as solved (*separation of concerns*).
- Subproblems are related to each other.
- Subproblems are *projections* of the overall problem, i.e., some aspects are ignored.

### Problem frames

#### ES

Heisel

- Introduction
- DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition operations Subproblem relationships

- Procedure
- Example TLC

Example - SE

- are patterns that characterize frequently occurring problems
- simple subproblems resulting from problem decomposition should fit to a problem frame
- are represented with frame diagrams
- concrete problems are "fitted to problem frames"
- six fundamental problem frames and variants exist
- Literature: Jackson, Chapter 4

### Problem frame: Required Behaviour

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC

Phase 4

Phase 5

#### **Informal Description**

There is some part of the physical world whose behaviour is to be controlled so that it satisfies certain conditions. The problem is to build a machine that will impose that control.

#### Frame Diagram



C: Causal domain, reacts to events in a predictable way C1–C3: indicate *causal* relations, C2: *Feedback* 

#### Example: Sluice Gate Control I

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Introduction Notations Terminology Problem Diagrams Problem frames Decomposition Operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

A small sluice is used in a simple irrigation system. The sluice gate can rise and fall. A computer system should control the sluice gate. The requirement is that the gate should be held in the fully open position for ten minutes in every three hours and otherwise kept in the fully closed position.

The gate is opened and closed by rotating vertical screws. The screws are driven by a small motor, which can be controlled by clockwise, anticlockwise, on and off pulses. There are sensors at the top and bottom of the gate travel. At the top it's fully open, at the bottom it's fully shut. The connection to the computer consists of four pulse lines for motor control and two status lines for the gate sensor. Sluice Gate Control fitted to

## Example: Sluice Gate Control II

ES

#### Heisel

Introduction

DePES

Phase 1

Phase 2

#### Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition **Problem frames** Decomposition operations Subproblem relationships Procedure

Example - SB(

Phase 4

Phase 5

#### Required Behaviour frame



Fitting problems to problem frames is achieved by instantiation of the variables contained in the frame diagram.

### Problem frame: Commanded Behaviour I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

#### Informal Description

There is some part of the physical world whose behaviour is to be controlled with commands issued by an operator. The problem is to build a machine that will accept the operator's commands and impose the control accordingly.

Difference to "required behaviour": An *operator* can issue commands that influence the behaviour of the controlled domain. Usually operator knows that he/she is an operator

## Problem frame: Commanded Behaviour II

ES

Problem frames

#### **Frame Diagram**



B: A biddable domain cannot be influenced through a machine E4: operator commands

Determine how and when the machine should – or should not – cause C1-phenomena in response to E4 commands.

### Example: Occasional Sluice Gate Control I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3 Introduct

Notations Terminology Problem Diagrams Problem decomposition decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

A small sluice is used in a simple irrigation system. The sluice gate can rise and fall. A computer system is needed to raise and lower the sluice gate in response to the commands of the operator.

The gate is open and closed by rotating vertical screws. The screws are driven by a small motor, which can be controlled by clockwise, anticlockwise, on and off pulses. There are sensors at the top and bottom of the gate travel; at the top it's fully open, at the bottom it's fully shut. The connection to the computer consists of four pulse lines for the gate sensor, a status line for each class of operator command.

### Example: Occasional Sluice Gate Control II

Problem frames

#### Fitting the Occasional Sluice Gate Control to the Commanded Behaviour frame



### Problems in introducing an operator

#### ES

Heisel

- Introduction
- DePES

Phase 1

Phase 2

Phase 3 Introducti Notations

> Problem Diagrams Problem decomposition **Problem frames** Decomposition operations Subproblem

Procedure

Example - TLC

Example - Si

Phase 4

Phase 5

- possible that commands cannot be obeyed Example: two stop-commands in succession
- possible that commands should not be obeyed Example: raise-command when the gate is already at the top of its travel.

These situations must be taken into account when elicitating the requirements!

## Problem frame: Information Display I

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition **Problem frames** Decomposition Subproblem relationships Procedure Example - TLC

Phase 1

Phase 5

#### **Informal Description**

There is some part of the physical world about whose states and behaviour certain information is continually needed. The problem is to build a machine that will obtain this information from the world and present it at the required place in the required form.

#### Frame diagram



## Problem frame: Information Display II



 It must cause events E2, in order to generate phenomena Y4.

## Example: Odometer display



#### Odometer display fitted to information display frame



# Problem frame: Commanded Information (Simple Information Systems) I

Problem frames

#### Informal description

A machine is to be built, which answers questions about a domain of the real world.

#### Frame diagram



# Problem frame: Commanded Information (Simple Information Systems) II



- Enquiries E5 are regarded as commands, shared with the machine
- The requirements stipulate the answers to be produced for each combination of a real world state C2 with an E5 enquiry
- Answers are symbolic phenomena Y4.

Problem frames

## Example: Mail Order Company I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

ntroduction Notations Terminology Problem Diagrams Problem frames Decomposition Operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

Customers can order products from a mail order company. The mail order company can introduce new products and discontinue products that do not sell well. A machine is to be built that provides information to the management on the sales that have taken place. It should be possible to e.g. retrieve information about the goods in stock, how much of a product has been sold in a certain time period, as well as information about the last order placed by a customer.

# Example: Mail Order Company II



### Problem frame: Simple Workpieces I

ES

Heisel

Introductior

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem framess Decomposition Peroblem framess Subproblem relationships Procedure Example - SBC

Phase 4

Phase 5

### Informal Description

A tool is needed to allow a user to create and edit a certain class of computer-processable text or graphic objects, or similar structures, so that they can be subsequently copied, printed, analysed or used in other ways. The problem is to build a machine that can act as this tool.

### Workpieces:

Normally a piece of material worked on by a machine, e.g. wood blocks, metal castings, etc.

Here: things that are worked on by a computer.

# Problem frame: Simple Workpieces II

ES

### Frame Diagram



### X: Lexical Domain, i.e. data type Phenomena E1: *Operations* on workpieces Phenomena Y2: allow the machine to examine the current

state and values of the workpiece. Workpieces domain is contained in the machine, indicated by "•".

Phase 5

Problem frames

# Problem frame: Simple Workpieces III



Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frames Decomposition **Problem frames** Decomposition operations Subproblem relationships Procedure Example - SEC Example - SEC

Phase 4

Phase 5



### Phenomena E3: user commands

Requirements: describe effects, commands E3 should have on phenomena Y4.

Y4 often differs from Y2: Phenomena Y4 can have some meaning to the user that is insignificant for editing. Simple workpieces does not deal with printing, representing or further processing the workpieces.

## Example: Party plan I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

ntroduction Notations Terminology Problem Diagrams Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

Lucy and John need a system to keep track of the many parties they give and the many guests they invite. They want a simple editor to maintain the information, which they call their *party plan*. Essentially the party plan is just a list of parties, a list of guests, and a note of who is invited to each party. The editor will accept command-line text input.

# Example: Party plan II



Command

effects

Correct

editing

b

### Remark

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Introduction Notations Terminology Problem Diagrams Problem decomposition **Problem frames** Decomposition operations Subproblem relationships
- Example T
- Example SBC

Phase 4

The structure of the problem frames simple workpieces and commanded behaviour are very similar! Differences:

- The Workpieces domain is lexical and formal, but the Controlled domain is causal and informal
- In the Controlled domain, approximations must be taken into account, which is unnecessary for the Workpieces domain
- The requirements in the simple workpieces frame relate only to the user's commands, while in the commanded behaviour frame other requirements can occur, e.g. that the sluice gate is not driven beyond the limits of its vertical travel.

### Problem frame: Transformation I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3 Introducti Notations Terminol

Problem Diagrams Problem decomposition **Problem frames** Decomposition operations Subproblem relationships Procedure

Example - TEC

Phase 4

Phase 5

### **Informal Description**

There are some given computer-readable input files whose data must be transformed to give certain required output files. The output data must be in a particular format, and it must be derived from the input data according to certain rules. The problem is to build a machine that will produce the required outputs from the inputs.

# Problem frame: Transformation II

ES

### Frame diagram



The input cannot be changed, and is not restricted through requirements.

Y1 and Y3, as well as Y2 and Y4 may differ, but do not have to.

Phase 5

Problem frames

### Example: Mailfiles analysis I

#### ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition **Problem frames** Decomposition operations Subproblem relationships Procedure

Example - TEX

Phase 4

Phase 5

John wants to analyse his email-correspondence. He is interested in the average number of messages he receives and sends in a week, the average and maximum message length, and similar things. After some thought he has worked out that he wants a report that looks like this:

| Name   | ∦ In | Max.Length | Ø Length | # Out | Max.Length | Ø Length |
|--------|------|------------|----------|-------|------------|----------|
| Albert | 19   | 52136      | 6027     | 17    | 21941      | 2123     |
| Anna   | 31   | 13248      | 1736     | 37    | 34763      | 2918     |
|        |      |            |          |       |            |          |

The report contains a line for each of his correspondents.

# Example: Mailfiles analysis II

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frames Decomposition **Problem frames** Decomposition subproblem relationships Procedure Example - SBC Example - SBC

Phase 4

Phase 5

### Mailfiles analysis fitted into transformation frame diagram



# Summary

### ES

- Heisel
- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Introduction Notations Terminology Problem Diagrams Problem decomposition **Problem frames** Decompositions Subproblem
- Procedure
- Example TLC
- Example SB
- Phase 4

- Simple problems that occur during problem decomposition should belong to known problem classes, which have common solution methods.
  - These kinds of problem classes are characterized through problem frames. Problem frames contain patterns for the domains involved and their shared phenomena. They also define which domains the requirements refer to and which domains they restrict.
- In order to solve a subproblem with a method that is associated with a problem frame, the subproblem needs to be "fitted" to the frame by instantiating the frame diagram.

### Decomposition

#### ES

Heisel

- Introductio
- DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition Problem frame

### Decomposition operations

Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

 Realistic problems must be divided into (simple) subproblems.

A useful way of decomposition is *projection*, i.e., ignoring certain aspects.

This kind of decomposition adds to other types of decomposition, such as top-down or Use Cases.

- The problem frames help to find suitable subproblems.
- If a problem does not fit into one of the problem frames, a new problem diagram can be developed.

### Decomposition operations

#### ES

### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2

### Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition Problem frame

### Decomposition operations

Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

To fit a subproblem into a problem frame, the following operations can be applied on the context diagram:

- Leave out domains (with corresponding interfaces)
- Combine several domains into one domain
- Divide a domain
- Introduce a connection domain
- Reduce interface between domains
- Refine phenomena
- Combine (i.e., abstract) phenomena

### Subproblem relationships

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure

Example - TLC Example - SBC

Phase 4

Phase 5

The following relationships between subproblems can be identified and help to compose the solution:

- Parallel subproblems are largely independent of each other, and the global machine will have to treat the problems in parallel. If the same domain is contrained in parallel subproblems, *priorities* should be assigned. These priorities must be consistant with the priorities in the requirements. They must be updated if necessary.
  - Sequential subproblems have to be treated one after another.
  - Alternative problems are exclusive. Only one of them will have to be treated at a given time.

Subproblem relationships can be expressed using a context-free grammar in in so-called Backus-Naur Form (BNF). The BNF can be extended with a symbol for parallel subproblems.

### Context-free grammars, Backus-Naur-Form

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition Problem frame Decomposition operations

Subproblem relationships

Example - TLC Example - SBC

- A context-free defines a language, i.e., a set sequences of (terminal) symbols.
- A BNF specification is a set of production rules, written as < NTS >::=< expression with symbols >.
- $\blacksquare$  < *NTS* > is a nonterminal symbol.
- The expression consists of sequences of symbols, where "|" indicates alternatives.
- The expression describes possible substitution for the symbol on the left.
- The language consists of all sequences of terminal symbols that can be derived using the production rules, starting from a specified start symbol.

### Subproblem relationship notation example

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

ntroduction Notations Terminology Problem Diagrams Problem decomposition Problem frame Decompositions Subproblem relationships Procedure Example - TLC

Phase 4

Phase 5

The dependencies between the subproblems can be summarized using a context-free grammar describing the possible sequences. In the following grammar, "||" denotes parallel problems and "|" denotes an alternative.

| < start >            | ::= | $<$ main_passing $>$    $<$ fire $>$    $<$ broken_light $>$ |
|----------------------|-----|--------------------------------------------------------------|
| $<$ main_passing $>$ | ::= | $MainRoadPassing < sec_passing >$                            |
| < sec_passing >      | ::= | SecondaryRoadPassing < main_passing >                        |
| < fire $>$           | ::= | EmergencyRequest < main_passing >                            |
| $<$ broken_light $>$ | ::= | BrokenLightSafeState                                         |

In this grammar, the terminal symbols *MainRoadPassing*, *SecondaryRoadPassing*, *EmergencyRequestSecondaryRoadPassing* and *BrokenLightSafeState* are all the subproblems of the traffic light control problem.

### Subproblem relationship notation remarks

#### ES

Heisel

- Introduction
- DePES
- Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition Problem frame: Decompositions

#### Subproblem relationships

Procedure Example - TLC Example - SBC

Phase 4

- We always start with the nonterminal < *start* >.
- The subproblems correspond to terminal symbols of the grammar.
- The nonterminals (< main\_passing >, < sec\_passing >, < fire >, and < broken\_light >) may correspond to states. These states form the conditions the the previous subproblem establishes and the succeeding subproblem requires.

# Phase 3: Decompose problem

| ES                                            |  |             |                                       |              |
|-----------------------------------------------|--|-------------|---------------------------------------|--------------|
|                                               |  | input:      | requirements $R$ to be imple-         | natural lan- |
| Heisel                                        |  |             | mented of Phase 2                     | guage        |
| Introduction                                  |  |             | domain knowledge D of                 | natural lan- |
| DePES                                         |  |             | Phase 2                               | guage        |
| Phase 1                                       |  |             | context diagram of Phase 2            | ext. Jackson |
| Phase 2                                       |  | output:     | set of problem diagrams with          | Jackson with |
| Phase 3                                       |  | -           | according to a function of the second | dot-notation |
| Introduction                                  |  |             | associated set of requirements        | dol-notation |
| Notations<br>Terminology                      |  |             | expression of the subproblem          | grammar      |
| Problem                                       |  |             |                                       | 0            |
| Diagrams<br>Problem                           |  |             | relationships                         |              |
| decomposition                                 |  | validation: | consistent with context dia-          |              |
| Problem frames<br>Decomposition<br>operations |  |             | gram of Phase 2                       |              |
| Subproblem relationships                      |  |             | requirements R of Phase 2             |              |
| Procedure<br>Example - TLC                    |  |             | must be treated in at least one       |              |
| Example - SBC                                 |  |             | - h                                   |              |
| Phase 4                                       |  |             | subproblem                            |              |

# Executing Phase 3

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Introduction Notations Terminology Problem Diagrams Problem decomposition Problem framo Decompositions Subproblem
- relationship Procedure
- Example TLC Example - SBC
- Phase 4

To decompose the problem the following steps have to be performed:

- Identify subproblems that should fit to problem frames.
- Set up the correspondig problem diagrams. Try to assign each requirement to exactly one subproblem.
- Add connection domains (possibly part of the machine) according to facts and assumptions.
- Introduce domain knowledge for connection domains.
- Describe the relationships between the subproblems.

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition Operations Subproblem relationships Procedure **Example - TLC** Example - SBC

Phase 4

Phase 5

# Example 1: traffic light control

### Requirements for traffic lights I

#### ES

### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3 Introduction Notations Terminolog Problem Diagrams Problem decomposit Problem fra Decomposit operations Subproblem
- Procedure
- Example TLC Example - SBC
- Phase 4

R1 : When there is a car waiting on the secondary road, the traffic lights should stop the flow of traffic on the main road for a period of time and allow the traffic flow on the secondary road.

- R2 : As long as the emergency button is activated, the flow of traffic on the main road should be stopped and the flow of traffic on the secondary road should be allowed.
- $\label{eq:R3} R3: \mbox{Vehicles on the main road should be allowed to pass the crossing for a longer period of time than from the secondary road (if not emergency-case^4).$
- R4 : While vehicles on one road are allowed to pass, the others should be stopped.

### Requirements for traffic lights II

#### ES

- Heisel
- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3 Introduct
- Notations Terminology Problem Diagrams Problem decomposition Problem frame Decomposition Subproblem relationships Procedure Example - TLC
- Example SE
- Phase 4
- Phase 5

- R5 : The lights should switch in the following order: red red+yellow - green - yellow - red. Other combinations (except "all off", yellow blinking, and green - yellow green in emergency case<sup>5</sup>) are not allowed.
- R6 : In case of a broken light bulb the traffic lights should blink in yellow for the secondary road, after all red lights have been switched on for a period of time.
- R7 : After switching to red, the traffic flow of both roads should be stopped for a period of time \*<sup>6</sup>.

<sup>&</sup>lt;sup>4</sup>Added later to eliminate contradictions <sup>5</sup>Added later to eliminate contradictions <sup>6</sup>A star (\*) denotes: added later

## Context diagram for traffic lights



## SecondaryRoadPassing Problem Diagram I

ES

- Heisel
- Introduction
- DePES
- Phase 1
- Phase 2

#### Phase 3

Introduction Notations Terminology Problem Diagrams Problem frames Decomposition operations Subproblem relationships Procedure **Example - TLC** Example - SBC

Phase 4

- Variant of the *required behavior* problem frame. (no operator, lights domain is controlled, additional domains without a direct connection to the machine exist)
- Because of F10 it is not possible to connect lights and the machine directly (different voltage). Therefore, the connection domain *lights control* (being part of the machine) must be introduced.



## SecondaryRoadPassing Problem Diagram II

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

In this diagram only the parts of the requirements concerning the secondary phase are considered.

The following projection operators have been applied:

- The domains waiting area of secondary road, fire brigade, and the corresponding interfaces are left out.
- The connection domain *light control* is introduced. The phenomena of the context diagram (*on*, *off*) are used between the machine *TLC secondary phase* and the connection domain.
- The interface between machine and *lights* domain is reduced (dropping the phenomenon *broken*).

## SecondaryRoadPassing Problem Diagram III

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2

#### Phase 3

Introduction Notations Terminology Problem Diagrams Problem frames Decomposition operations Subproblem relationships Procedure **Example - TLC** Example - SBC

- Phase 4
- Phase 5

■ The interface between road users on lanes and lights domain is refined (e.g., see\_green ⇒ sec\_green or main\_green) and reduced (e.g., dropping main\_green; it only contains the phenomena relevant for the secondary road passing phase).

# MainRoadPassing Problem Diagram I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frames Decomposition Problem frames Decomposition operations Subproblem relationships Procedure **Example - TLC** Example - SBC

Phase 4

Phase 5

- Variant of the *required behavior* problem frame.
- To detect if a road user is on the *waiting area* an additional connection domain is necessary (F9). The connection domain *induction loop control* is introduced.
- Lights control is introduced (see SecondaryRoadPassing).



In this diagram only the parts of the requirements for the secondary phase are considered.

# MainRoadPassing Problem Diagram II

#### ES

### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2

#### Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition Problem frame Decompositions Subproblem relationships Procedure Example - TLC

Phase 4

Phase 5

The following projection operators have been applied:

- The domains *crossing*, and *fire brigade*, and the corresponding interfaces are left out.
- The interface between machine and *lights* domain is reduced (dropping the phenomenon *broken*).
- The interface between road users on lanes and lights domain is refined (e.g., see\_red ⇒ sec\_red or main\_red) and reduced (e.g., dropping sec\_green; it only contains the phenomena relevant for the main road passing phase).

### EmergencyRequest Problem Diagram I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure **Example - TLC** Example - SBC

Phase 4

 Variant of the commanded behavior problem frame. The domain fire brigade is the operator (biddable domain) in the problem frame.

Lights control is introduced (see SecondaryRoadPassing).



## EmergencyRequest Problem Diagram II

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC Example - SEC

Phase 4

Phase 5

The following projection operators have been applied:

- *Lights control* is introduced (see SecondaryRoadPassing).
- The interface between machine and *lights* domain is reduced (dropping the phenomenon *broken*).
- The interface between road users on lanes and lights domain is refined (e.g., see\_green ⇒ sec\_green or main\_green) and reduced (e.g., dropping main\_green; it only contains the phenomena relevant for the emergency phase).
- The phenomenon emergency\_request is refined into emergency\_request\_start and emergency\_request\_stop.

# BrokenLightSafeState Problem Diagram I

#### ES

Heisel

- Introductio
- DePES

Phase 1

Phase 2

#### Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure **Example - TLC** Example - SBC

Phase 4

- Variant of the required behavior problem frame.
- The connection domain *lights control* is also necessary to detect broken lights by measurement of the power consumption (*F7*).



## BrokenLightSafeState Problem Diagram II

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC

Phase 4

Phase 5

The following projection operators have been applied:

- The domains crossing, waiting area of secondary road, fire brigade, and the corresponding interfaces are left out.
- The interface between road users on lanes and lights domain is refined (e.g., see\_yellow ⇒ sec\_yellow or main\_yellow) and reduced (e.g., dropping main\_green; it only contains the phenomena relevant for the broken phase).
- The domain *lights control* with its phenomena (*0V*, 24V, current) is introduced. The electric current is used to detect a broken light bulb (*F*7).

### Problem Diagram relationships

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition Problem frame Decomposition operations Subproblem relationships Procedure

Example - TLC

| < start $>$           | ::= | < main_passing >  < fire >  < broken_light > |
|-----------------------|-----|----------------------------------------------|
| $<$ main_passing $>$  | ::= | MainRoadPassing < sec_passing >              |
| $<$ sec _ passing $>$ | ::= | SecondaryRoadPassing < main_passing >        |
| < fire $>$            | ::= | EmergencyRequest < main_passing >            |
| $<$ broken_light $>$  | ::= | BrokenLightSafeState                         |

- Once activated, the subproblem *EmergencyRequest* has priority. That implies, only the machine for *EmergencyRequest* is allowed to control the lights until it gives the control to the machine for *MainRoadPassing*.
- The subproblem BrokenLightSafeState acts in parallel to the subproblems EmergencyRequest, MainRoadPassing, and SecondaryRoadPassing. It has a higher priority than all the other subproblems: Once activated, only the machine for BrokenLightSafeState is allowed to control the lights.

### Validation

#### ES

Heisel

- Introduction
- DePES
- Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

The problem diagrams are consistent with the context diagram:

- The problem diagrams were derived from the context diagram by applying the introduced operators.
- All phenomena and all domains of the context diagram are covered.

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame: Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

# Example 2: sun blind control

## Requirements for sun blind I

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3 Introducti

Terminology Problem Diagrams Problem decomposition Problem frames Decomposition operations Subproblem relationships Procedure Example - SEC

- R1 If there is *sunshine* for more than one minute but *no heavy wind*, the sun blind will be lowered (*lower sun blind*). (*Parts of R3 included to prevent contradictions*)
- R2 If there is *no sun shine* for more than 5 minutes, the sun blind will be pulled up (*pull up sun blind*).
  - R3 The sun blind should not be destroyed: If there is *heavy* wind, the sun blind will be pulled up (*pull up sun blind*).

## Requirements for sun blind II

ES

Heisel

- Introductio
- DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition Operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

- R4 If there is no heavy wind and the user manually adjusts the fins with positive degree the fins are rotated with positive degree (rotate fins with positive degree).If there is no heavy wind and the user manually adjusts the fins with negative degree the fins are rotated with negative degree (rotate fins with negative degree).
- R5 If the user *manually opens the sun blind*, the sun blind will be pulled up (*pull up sun blind*).
- R6 If the user *manually closes the sun blind* and there is *no heavy wind*, the sun blind will be lowered (*lower sun blind*). (*Parts of R3 included to prevent contradictions.*)

## Requirements for sun blind III

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

R7 The sun blind should not be destroyed: When the sun blind is in its lowest position (*sun blind is lowered*) or in it highest position (*sun blind is pulled up*) the sun blind should stop (*stop sun blind*).

R8 If the user interacts with the sun blind (*manually opens the* sun blind, manually closes the sun blind, rotate fins with positive degree or rotate fins with negative degree), sun shine and no sun shine are ignored within the next 4 hours.

# Context Diagram for sun blind I



close sun blind, stop closing sun blind, stop opening sun blind

Example - SBC

# Context Diagram for sun blind II

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Introduction Notations Terminology Problem Diagrams Problem frames Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC
- Phase 4

- b: heavy wind, no heavy wind
- c: lower sun blind, pull up sun blind, stop sun blind, sun blind is lowered, sun blind is pulled up, rotate fins with positive degree, rotate fins with negative degree
- d: destroy sun blind
- e: sunshine, no sunshine

## SunControl Problem Diagram I

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2

#### Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

- .
- r nase 4

- Variant of the commanded behavior problem frame. The domain user is the operator (biddable domain). The domains wind, sun, and sun blind are the the controlled domains.
- Because of A1, A2, and A3 (description of the user interactions) the connection domain *button* (being part of the machine) must be introduced.
- *F*1 and *F*2 show that a *sun sensor* is necessary to measure the intensity.

# SunControl Problem Diagram II



- U!{manually open sun blind, stop closing sun blind, manually close sun blind, stop opening sun blind, manually adjust fins with negative degree, manually adjust fins with positive degree}
- h: S!{sunshine, no sunshine}
  - "heavy wind"

1

user

sun

B1, B2, B8

- "user input"
- "weather conditions"
- "position of sun blind"

## SunControl Problem Diagram III

ES

Heisel

- Introductio
- DePES
- Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition Problem frame Decomposition Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

The following projection operators have been applied:

- The domain sun blind with fins is split and the domain fins is left out with the corresponding phenomena.
- The connection domains motor, wind sensor, buttons and sun sensor are introduced with additional phenomena.
- The phenomena *rotate fins with positive degree, rotate fins with negative degree* are dropped.
- The phenomena dealing with pulled up or lowered sunblind and blocked motor are dropped.

All phenomena of the user are included since *sun\_shine* and *no\_sunshine* are ignored for 4 hours in if one of the user phenomena occurs.

## UserControl Problem Diagram I

#### ES

Heisel

- Introduction
- DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Problem Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

- Variant of the commanded behavior problem frame. The domain user is the biddable domain. The domains wind and sun blind are controlled domains.
- Because of A1, A2, and A3 (description of the user interactions) the connection domain *button* (being part of the machine) must be introduced.
- F3, F4, F11, and F13 show that a motor is necessary to control the sun blind (conection domain). (domin knowledge added in Phase 1)

## UserControl Problem Diagram II



#### Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3 Introduction Notations Terminology Problem Diagrams Problem decompositi operations Subproblem relationships Procedure
- Example TLC Example - SBC
- Phase 4
- Phase 5



- a: UC!{turn motor right, turn motor left}
- b: WS!{intensity of wind}
- c: B!{up-button pushed, up-button released, down-button pushed, down-button released}
- d: M!{lower sun blind, pull up sun blind}
- e: W!{heavy wind, no heavy wind}

- f: U!{manually open sun blind, stop closing sun blind, manually close sun blind, stop opening sun blind}
- g: "position of sun blind"
- h: "heavy wind"
- i: "user input"

## UserControl Problem Diagram III

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition operations Subproblem relationships Procedure Example - TLC Example - SEC

Phase 4

The following projection operators have been applied:

- The domain sun blind with fins is split and the domain fins is left out with the corresponding phenomena.
- The domain *sun* is left out with the corresponding phenomena.
- The connection domains *buttons* and *motor* and necessary phenomena are introduced.
- The phenomena concerning the fins are dropped in the user interface.
- The phenomena dealing with pulled up or lowered sunblind and blocked motor are dropped.

## FinsControl Problem Diagram I

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - SBC
- Phase 4

- Variant of the commanded behavior problem frame. The domain user is the biddable domain. The domains wind and fins are controlled domains.
- Because of A1, A2, and A3 (description of the user interactions) the connection domain *button* (being part of the machine) must be introduced.
- *F*6 shows that a *wind sensor* is necessary to measure the speed of the wind.
- The fins have an interface that can be directly connected to a microcontroller (*F*12 added).

# FinsControl Problem Diagram II

ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2

### Phase 3

- Introduction Notations Terminology Problem Diagrams Problem decomposition Operations Subproblem relationships Procedure
- Example SBC

Phase 4

Phase 5



- a: B!{up-button pushed, up-button released, down-button pushed, down-button released}
- b: U!{manually adjust fins with negative degree, manually adjust fins with positive degree}
- c: FC!{rotate fins with positive degree, rotate fins with negative degree}

- d: WS!{intensity of wind}
- e: W!{heavy wind, no heavy wind}
- f: "user input"
- g: "fins position"
- h: "wind strength"

The following projection operators have been applied:

## FinsControl Problem Diagram III

#### ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC
- Dhaca /

- The domain sun blind with fins is split and the domain sun blind is left out with the corresponding phenomena.
- The domain *sun* is left out with the corresponding phenomena.
- The connection domains buttons and wind sensor and necessary phenomena are introduced.
- The phenomena manually open sun blind, stop closing sun blind, manually close sun blind, stop opening sun blind, manually adjust fins with negative degree, manually adjust fins with positive degree are dropped.

## NoDestruct Problem Diagram I

ES

Heisel

- Introduction
- DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame: Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

- Variant of the *required behavior* problem frame. The domains *wind* and *sun blind* are *controlled domain*.
- F6 shows, that a wind sensor is necessary to measure the speed of the wind.
- F3, F4 and F11 show, that a motor is necessary to control the sun blind. Additionally, the motor must be able to inform the machine that the sun blind is blocked (F10). When the sun blind is pulled up or the sun blind is lowered, the motor is blocked.

# NoDestruct Problem Diagram II



- a: W!{heavy wind, no heavy wind}
- b: WS!{intensity of wind}
- c: NDC!{turn motor right, turn motor left, stop motor}, M!{turn right is blocked, turn left is blocked}
- d: M!{lower sun blind, pull up sun blind, stop sun blind}, SB!{sun blind is lowered, sun blind is pulled up}
- e: "position of sun blind"
- f: "heavy wind"
- g: W!{detroy sunblind}

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Introduction Notations Terminology Problem Diagrams Problem decompositio Problem fran Decompositio operations Subproblem relationships Procedure

Example - TL

Example - SBC

Phase 4

## NoDestruct Problem Diagram III

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition operations Subproblem relationships Procedure Example - TLC Example - SEC

Phase 4

Phase 5

The following projection operators have been applied:

- The domain *sun blind with fins* is split and the domain *fins* is left out with the corresponding phenomena.
- The domains *sun* and *user* are left outwith the corresponding phenomena.
- The connection domains motor and wind sensor and necessary phenomena are introduced.

## Problem Diagram relationships

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem frame Decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

Phase 4

Phase 5

All supproblems are parallel.

istart¿ ::= SunControl || NoDestructControl || FinsControl ||
UserControl

- NoDestructControl should have the highest priority.
- UserControl should have a higher priority than SunControl.
- No priority must be assigned to FinsControl since a different domain (fins, not sun blind) is contrained.

## Validation

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Introduction Notations Terminology Problem Diagrams Problem decomposition operations Subproblem relationships Procedure Example - TLC Example - SBC

- Usually, the phenomena in the problem diagrams the same as in the context diagram. Only when connection domains are introduced, new phenomena have been introduced.
- Usually, the domains in the problem diagrams the same as in the context diagram. Only connection domains are introduced.
- All requirements of Phase 2 are captured.

# Phase 4: Derive machine behavior specification for each subproblem $P_i$

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Introduction

Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

## 3. Decompose problem

- 4. Derive machine behavior specification for each subproblem
- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design a software architecture for all components of the global system architecture that should be implemented in software

...

. . .

# Phase 4: Derive machine behavior specification for each subproblem $P_i$

| ES                                | input:      | requirements R from Phase 2                       | natural language  |
|-----------------------------------|-------------|---------------------------------------------------|-------------------|
|                                   |             | domain knowledge D from Phase 2                   | natural language  |
| Heisel                            |             | problem diagram for $P_i$ from Phase 3            | Jackson with dot- |
|                                   |             |                                                   | notation          |
| ntroduction                       | output:     | specification $S_{P_i}$ of machine to construct   | natural language  |
| 0ePES                             |             | sequences of interactions with annotated states   | sequence diagrams |
| hase 1                            |             | for the domains in the environment, expressing    | with annotated    |
|                                   |             | $R_{P_i}$ and $D_{P_i}$                           | states            |
| 'hase 2                           |             | sequences of interactions on initialization       | sequence diagram  |
| hase 3                            |             |                                                   | with annotated    |
| hase 4                            |             |                                                   | states            |
| ntroduction                       | validation: | $D \wedge S_{P_i}$ are non-contradictory          |                   |
| Votations                         |             | $D \wedge S_{P_i} \Longrightarrow R_{P_i}$        |                   |
| Terminology<br>Specifications     |             | all requirements must be captured                 |                   |
| UML sequence                      |             | in the sequence diagrams refined phenomena of     |                   |
| diagrams<br><sup>p</sup> rocedure |             | the problem diagrams are used as signals          |                   |
| xample - TLC                      |             | direction of signals must be consistent with con- |                   |
| Example - SBC                     |             | trol of shared phenomena                          |                   |
| hase 5                            |             | signals must connect domains as connected in      |                   |
|                                   |             | problem diagram                                   |                   |
|                                   |             | the relationships of Phase 3 must be consistent   |                   |
|                                   |             | with the states                                   |                   |

## Notations and concepts



Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Notations
- Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- Terminology
- Specifications
- UML sequence diagrams

## Terminology



## Deriving specifications from requirements I

ES

Heisel

- Introductio
- DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology **Specifications** UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

- Searched: specification of the machine
- Known: facts F, assumptions A and requirements R



• Question: How do you get the specification S, such that  $F \land A \land S \Rightarrow R$  (correctness of the specification)

## Deriving specifications from requirements II



## Specifications vs. requirements

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SC In contrast to the requirements, the *specification* of the machine gives an answer to the question: "How should the machine act, so that the system fulfills the requirements?" Specifications are descriptions that are sufficient for building the machine. Specifications are implementable requirements. To derive the specification:

Replace phenomena not observable / controlled by the machine by observable / machine controlled phenomena that are *related* to the requirements phenomena.

# A negative Example: Airbus Accident in Warsaw

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology **Specifications** UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

**Requirement**:  $reverse\_thrust\_allowed \Leftrightarrow plane\_landed$ **Reasoning**:

 $plane\_landed \Leftrightarrow wheels\_turn\_fast \in F$ 

wheels\_turn\_fast  $\Leftrightarrow$  pulses  $\in F$ 

## Conclusion:

*reverse\_thrust\_allowed*  $\Leftrightarrow$  *pulses*  $\in$  *S* 

Problem: aquaplaning!

**Result**: plane refused reverse thrust during landing when raining

## Correctness criteria

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology **Specifications** UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

Consider requirements R, facts F, assumptions A, specifications S.

- 1. Each element of *R* is considered acceptable by the client, and *R* contains all customer preferences concerning the software development project.
- 2. Each element of F was checked for correctness.
- 3. Each element of A was checked for plausibility.
- 4. All elements of S are implementable.
- 5.  $F \land A \land S \Rightarrow R$  is demonstrated.
- 6. It is proved that F, A and S are consistent.

When these criteria are fulfilled, then the construction of a machine that fulfills S can be started.

## Sequence diagrams

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

UML Superstructures Specification:

A sequence diagram describes an Interaction by focusing on the sequence of Messages that are exchanged, along with their corresponding OccurrenceSpecifications on the Lifelines. An OccurrenceSpecification is the basic semantic unit of Interactions. The sequences of occurrences specified by them are the meanings of Interactions. OccurrenceSpecifications are ordered along a Lifeline.

### Literature:

- Laurent Doldi: UML 2.0 Illustrated. TMSO, 2003. http://www.tmso-systems.com
- M. Jeckle, C. Rupp, J. Hahn, B. Zengler, S. Queins: UML 2 glasklar.
  - Hanser, 2004.

## **Basic Elements**

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

## Each sequence diagram has a name and a bounding box.



Objects are not underlined.

(This and the following pictures are taken from Doldi, 2003.)

## Asynchronous vs. synchronous messages

#### ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

Asynchronous messages First, the sending of the message occurs, and after a certain (variable) amount of time, the message is consumed by the receiver. The sender does not wait for the receiver's reply but continues its process. Example: mailbox.

Synchronous messages Sending and reception of the message take place at (almost) the same time. The sender waits for reply message before resuming its process. Example: function call.

## Synchronous messages



Gray box represents execution of actions.

The different kinds of messages are indicated by different arrowheads.

## Co-region

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

## Messages can be received in any order.



## Reference

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

Enables reuse of diagrams. Semantics: replace reference by its contents.



## **Combined Fragments**

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

Operators for combining different sequence diagrams:

- alt alternatives; more than two alternatives are possible.
- opt option
- loop repetition
- break description of behavior expected after a break par parallel independent execution of several operands ignore to define messages to be ignored in the execution consider to define messages to be considered in the

execution

seq weak sequencing (default)

strict strict sequencing

- neg to define forbidden behavior
- critical critical region, non-interruptible behavior
- assert assertion, to define a message sequence that must

### Alt operator, non-deterministic



We will use non-determinism, although not allowed in standard.

## Alt operator with guards





- Guards specify what alternative will be taken.
- More than two possibilities may be specified (case construct).
- The guards must be exclusive, and their disjunction must be *true*.

### Opt operator

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

Corresponds to "Alt" with only one alternative. Standard requires interaction condition (conditions not given are considered to be *true*).



#### Loop operator



#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

#### Fragment can be repeated a number of times.



### Loop operator variants



|             | repetitions |             |  |
|-------------|-------------|-------------|--|
|             | minimum     | maximum     |  |
| loop (0, 2) | 0           | 2           |  |
| loop (3)    | 3           | 3           |  |
| loop (0, *) | 0           | not limited |  |
| loop        | 0           | not limited |  |

#### Nested operators



Phase 5

Combined fragments can be nested (e.g., *alt* fragment inside a *loop* fragment).

#### Par operator





Describes the parallel merge between the behaviors of the operands (interleaving).

### Expanded behavior of par operator

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC



## Consider operator (1)

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SE

Phase 5

Filter for relevant messages, noted in "headline" after the name of the interaction.



Further ("irrelevant") messages, here RR, may occur.

## Consider operator (2)



If RR is considered, too, then the execution trace does not conform to the sequence diagram tB.

#### Ignore operator

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

Dual to consider operator. All messages that are not ignored are considered.



#### Local attributes

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC Like classes, sequence diagrams may have local attributes that may be public or private.



Local attributes can be used as parameters of messages.

#### State invariants

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC Express conditions for interactions. Interactions where the condition does not hold do not conform to the given diagram.



Invariants can be expressed as constraints, state symbols or notes.

#### Time constraints

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- The used time unit must be specified, e.g., using a note.
- Points in time and durations may be specified.
- Durations may be specified as time intervals, e.g., {t..t+3}
- Pre-defined: now for actual time, duration for duration between sending and reception of a message.

## Example



- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC



- The time between transmission and reception of signal L\_EstabReq(0) is measured and stored in d.
- Signal L\_EstabConf(0) must occur between d and d + 2 time units after L\_EstabReq(0).
- The duration of signal L\_DataReq must be between 2 and 8 time units.
- The date of transmission of L\_EstabReq(1) is stored into t, and the reception of L\_EstabConf(1) must occur at t+23.

## Lost and found messages





- Notation: large dot.
- Lost message: reception event not modeled.
- Found message: sender not known.
   Will be used for initialization of machine.

#### Messages from and to gates



Used for messages with unknown source or destination. *L\_EstabReq(0)* is a message from a gate and *SABME(0)* is a message to a gate.

## Phase 4: Derive machine behavior specification for each subproblem $P_i$

|                               | ·           |                                                   |                   |
|-------------------------------|-------------|---------------------------------------------------|-------------------|
| ES                            | input:      | requirements R from Phase 2                       | natural language  |
|                               |             | domain knowledge D from Phase 2                   | natural language  |
| Heisel                        |             | problem diagram for $P_i$ from Phase 3            | Jackson with dot- |
|                               |             |                                                   | notation          |
| ntroduction                   | output:     | specification $S_{P_i}$ of machine to construct   | natural language  |
| DePES                         |             | sequences of interactions with annotated states   | sequence diagrams |
| hase 1                        |             | for the domains in the environment, expressing    | with annotated    |
|                               |             | $R_{P_i}$ and $D_{P_i}$                           | states            |
| Phase 2                       |             | sequences of interactions on initialization       | sequence diagram  |
| Phase 3                       |             |                                                   | with annotated    |
| hase 4                        |             |                                                   | states            |
| Introduction                  | validation: | $D \wedge S_{P_i}$ are non-contradictory          |                   |
| Notations                     |             | $D \wedge S_{P_i} \Longrightarrow R_{P_i}$        |                   |
| Terminology<br>Specifications |             | all requirements must be captured                 |                   |
| UML sequence                  |             | in the sequence diagrams refined phenomena of     |                   |
| diagrams<br>Procedure         |             | the problem diagrams are used as signals          |                   |
| Example - TLC                 |             | direction of signals must be consistent with con- |                   |
| Example - SBC                 |             | trol of shared phenomena                          |                   |
| Phase 5                       |             | signals must connect domains as connected in      |                   |
|                               |             | problem diagram                                   |                   |
|                               |             | the relationships of Phase 3 must be consistent   |                   |
|                               |             | with the states                                   |                   |

## Executing Phase 4

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

#### Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams **Procedure** Example - TLO Example - SBO

- 1. Derive a specification of the machine.
- 2. Express requirements and domain knowledge as sequence diagrams.
- 3. Check the correctness of the developed specification.

## Executing Phase 4 – Sequence diagrams I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specification UML sequen diagrams **Procedure** Example - TL Example - SB

Phase 5

To create the sequence diagrams the following steps have to be performed:

- For each domain which is directly connected to the machine in a problem diagram, a lifeline is drawn.
- Domains can be merged in the sequence diagram to simplify the description.
- The machine to be built (together with all domains that belong to the machine) can be represented by one lifeline in the sequence diagrams.
- The phenomena are represented by asynchronous signals between lifelines.
- It should be assumed that an asynchronous signal occurs when the state in the environment changes.

## Executing Phase 4 – Sequence diagrams II

ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequenc diagrams **Procedure** Example - TLO Example - SBO

- To express the coherence between the sequences *states* for the domains in the environment should be included.
- Appropriate case distinctions according to these states should be introduced.
- For the case distinctions new diagrams should be created instead of using the *alt* operator.
- The sequence diagrams can be split at appropriate states, if necessary.
- Specify the initialization of the machine. A *found signal* or a signal from a gate can be used to specify a *power on* signal.
- Refine events by adding parameters to phenomena or define rules for the refinement.
- Add timing constraints.

### Remarks I

#### ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequend diagrams **Procedure** Example - TLI Example - SB

- The relationships of Phase 3 should be consistent with the states, e.g., if for two sequential sequence diagrams the last state of the first diagram is the same as the first state of the second diagram.
- Sequence diagrams can be used to discuss important aspects with the customers, and they are the outline for the test in Phase 12.
- Each diagram represents one concrete interaction sequence. Do not try to make your diagrams too general. It is better to draw further diagrams. The sequence diagrams should express typical cases with example values. Loops, states, references, and co-regions do not cause any problems, while e.g., parallelism and considered signals should be used with care.

## Remarks II

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequenci diagrams **Procedure** Example - TLO Example - SBO
- Phase 5

- To reuse these diagrams later, the requirements and the domain knowledge should be expressed as separate sequence diagrams instead of expressing the specification directly.
- For all connection domains (being not part of the machine) the domain knowledge should be described by separate sequence diagrams.
- To express the requirements, the separately described domains should be merged with the machine.

## Remarks III

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminolog Specificatio UML seque diagrams Procedure
- Example TLC Example - SBC

- The relationships between subproblems must be considered for validation:
  - If two subproblems are sequential the sequence diagrams of the first subproblem end with the same states as the second subproblem sequence diagrams start.
  - All sequence diagrams of one subproblem end with the initial states of succeeding diagrams (all alternatives can be considered).
  - Sequences for parallel subproblems must start with states that can be reached in some parallel subproblem.

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

## **Example 1: traffic light control**

# Domain Knowledge of lights domain (Sequence diagram) I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

It is difficult (many signals) to express the specification directly, therefore D and R are expressed as separate sequence diagrams.



# Domain Knowledge of lights domain (Sequence diagram) II





# Domain Knowledge of lights domain (Sequence diagram) III





DoDES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC



# Domain Knowledge of lights domain (Sequence diagram) IV





# Domain Knowledge of lights domain (Sequence diagram) V



## SecondaryRoadPassing Problem Diagram I







Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC



- R3 : Vehicles on the main road should be allowed to pass the crossing for a longer period of time than from the secondary road (if not emergency-case).
- R4: While vehicles on one road are allowed to pass, the others should be stopped.

## SecondaryRoadPassing Problem Diagram II

#### ES

#### Heisel

#### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- R5 : The lights should switch in the following order: red red+yellow green yellow red. Other combinations (except "all off", yellow blinking, and green yellow green in emergency case<sup>7</sup>) are not allowed.
- $\mathsf{R7}$  : After switching to red, the traffic flow of both roads should be stopped for a period of time

<sup>&</sup>lt;sup>7</sup>Added later to eliminate contradictions

## SecondaryRoadPassing – Derive Specification I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

allowed to pass the crossing is no interface phenomenon of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$ Transformed into  $s\_green(24)$  or  $m\_green(24)$  followed by  $s\_green(0)$  or  $m\_green(0)$  using F2 and A1.

should be stopped is no interface phenomenon of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$  Transformed into  $s\_red(24)$  or  $m\_red(24)$  followed by  $s\_red(0)$  or  $m\_red(0)$  using F1 and A1. longer period of time should be refined into concrete values using F4 and F12 (definition of fairness, maximum time for waiting).

- S3 The traffic light should switch on the green light bulb for the main road (m\_green(24), m\_green(0)) for at least 20 s and for the secondary road (s\_green(24), s\_green(0)) 10 s (if not emergency-case).
- S4a While green is shown for the main road  $(m\_green(24))$ , the secondary road lights should show red  $(s\_red(24))$ .
- S4b While green is shown for the secondary road  $(s\_green(24))$ , the main road lights should show red  $(m\_red(24))$ .

### SecondaryRoadPassing – Derive Specification II

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

S5a The lights should be switched in the following order: red  $(m\_red(24), m\_yellow(0), m\_green(0))$ red/yellow  $(m\_red(24), m\_yellow(24), m\_green(0))$ green  $(m\_red(0), m\_yellow(0), m\_green(24))$ yellow  $(m\_red(0), m\_yellow(24), m\_green(0))$ red  $(m\_red(24), m\_yellow(0), m\_green(0))$ . Other combinations (except "all off"  $(m\_red(0), m\_yellow(0), m\_green(0))$  and yellow blinking  $(m\_red(0), m\_yellow(24/0), m\_green(0))$  are not allowed.

S5b The lights should be switched in the following order: red (s\_red(24), s\_yellow(0), s\_green(0)) red/yellow (s\_red(24), s\_yellow(24), s\_green(0)) green (s\_red(0), s\_yellow(0), s\_green(24)) yellow (s\_red(0), s\_yellow(24), s\_green(0)) red (s\_red(24), s\_yellow(0), s\_green(0)) . Other combinations (except "all off" (s\_red(0), s\_yellow(0), s\_green(0)) and yellow blinking (s\_red(0), s\_yellow(24/0), s\_green(0)) are not allowed.

## SecondaryRoadPassing – Derive Specification III

- ES
- Heisel
- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure **Example - TLC** Example - SBC
- Phase 5

S7 After switching to red  $(s\_red(24) \text{ or } m\_red(24))$  the lights traffic show red for both roads for 3 s  $(s\_red(24) \text{ and } m\_red(24))$  before  $(s\_red(0) \text{ or } m\_red(0))$ .

## Sequence diagram for SecondaryRoadPassing I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

For the TLC instead of the specification, the requirements are expressed as sequence diagrams:

- The domains *crossing* and *road users on lanes* are merged.
- The domains TLC secondary phase, lights control, and lights are also merged to express requirements.

In this step the requirement is refined by adding timing constraints, e.g., the state *SECONDARY PASSING* should take 10 seconds (see F4 and F12).

# Sequence diagram for SecondaryRoadPassing II



# MainRoadPassing Problem Diagram I



Example - TLC

- R1 : When there is a car waiting on the secondary road, the traffic lights should stop the flow of traffic on the main road for a period of time and allow the traffic flow on the secondary road.
- R3 : Vehicles on the main road should be allowed to pass the crossing for a longer period of time than from the secondary road (if not emergency-case).

# MainRoadPassing Problem Diagram II

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- $\mathsf{R4}$  : While vehicles on one road are allowed to pass, the others should be stopped.
- R5 : The lights should switch in the following order: red red+yellow green yellow red. Other combinations (except "all off", yellow blinking, and green yellow green in emergency case<sup>8</sup>) are not allowed.
- $\mathsf{R7}$  : After switching to red, the traffic flow of both roads should be stopped for a period of time

<sup>&</sup>lt;sup>8</sup>Added later to eliminate contradictions

# MainRoadPassing – Derive Specification I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

allowed to pass the crossing is no interface phenomenon of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$ Transformed into  $s\_green(24)$  or  $m\_green(24)$  followed by  $s\_green(0)$  or  $m\_green(0)$  using F2 and A1.

should be stopped and allow the traffic flow are no interface phenomena of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$  Transformed into  $s\_red(24)$  or  $m\_red(24)$  followed by  $s\_red(0)$  or  $m\_red(0)$  using F1 and A1.

car waiting on the secondary road is no interface phenomenon of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$  Transformed into (*srr*) using F9 and A4.

- S1 When a secondary road request occurs (*srr*), the traffic lights should should switch on the red light for the main road for a period of time  $(m\_red(24)$  followed by  $m\_red(0)$ ) and switch on the green light for the secondary road for a period of time (*s\\_green*(24) followed by *s\\_green*(0)).
- S3 see SecondaryRoadPassing.

# MainRoadPassing – Derive Specification II



Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

S4a/b see SecondaryRoadPassing.

S5a/b see SecondaryRoadPassing.

S7 see SecondaryRoadPassing.

# Sequence diagrams for MainRoadPassing I





# Sequence diagrams for MainRoadPassing II





# Sequence diagrams for MainRoadPassing III

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

#### Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- The first sequence diagram expresses that the state MAIN PASSING takes at least 20 seconds, and therefore the requirement R3 is considered.
  - The domains *crossing* and *road users on lanes* are merged.
  - The domains induction loop control, TLC main phase, lights control, and lights are merged to express requirements.

# EmergencyRequestSecondaryRoadPassing Problem Diagram I



R2 : As long as the emergency button is activated, the flow of traffic on the main road should be stopped and the flow of traffic on the secondary road should be allowed.

# EmergencyRequestSecondaryRoadPassing Problem Diagram II

#### ES

#### Heisel

#### Introduction

- DePES
- Phase 1
- Phase 2
- Phase 3

#### Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- R5 : The lights should switch in the following order: red red+yellow green yellow red. Other combinations (except "all off", yellow blinking, and green yellow green in emergency case<sup>9</sup>) are not allowed.
- $\mathsf{R7}$  : After switching to red, the traffic flow of both roads should be stopped for a period of time

<sup>&</sup>lt;sup>9</sup>Added later to eliminate contradictions

# EmergencyRequestSecondaryRoadPassing – Derive Specification I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

should be allowed is no interface phenomenon of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$  Transformed into  $s\_green(24)$  or  $m\_green(24)$  followed by  $s\_green(0)$  or  $m\_green(0)$  using F2 and A1.

should be stopped is no interface phenomenon of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$  Transformed into  $s\_red(24)$  or  $m\_red(24)$  followed by  $s\_red(0)$  or  $m\_red(0)$  using F1 and A1.

- S2 As long as the emergency button is activated (emergency\_request\_start, emergency\_request\_end), the lights for the main road should be red (m\_red(24)) and the lights for the secondary road should be green (s\_green(24)).
- S5a see SecondaryRoadPassing.
- S5b see SecondaryRoadPassing.
  - S7 see SecondaryRoadPassing.

# Sequence diagrams for EmergencyRequestSecondaryRoadPassing I





# Sequence diagrams for EmergencyRequestSecondaryRoadPassing II



# Sequence diagrams for EmergencyRequestSecondaryRoadPassing III



# Sequence diagrams for EmergencyRequestSecondaryRoadPassing IV



# Sequence diagrams for EmergencyRequestSecondaryRoadPassing V



# Sequence diagrams for EmergencyRequestSecondaryRoadPassing VI

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- The emergency request can occur at any time; therefore all possible starting states have to be considered.
- The star (\*) indicates that the diagram can be applied for all states, whose name begins with the given string.
- The domains *crossing* and *road users on lanes* are merged.
- The domains TLC fire brigade, lights control, and lights are merged to express requirements.

# BrokenLightSafeState Problem Diagram I



## BrokenLightSafeState – Derive Specification I

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

broken light bulb is no interface phenomenon of the machine (controlled by the environment, not observable by the machine).  $\Rightarrow$  Transformed into *current* not beween 300 mA and 1 A using F7.

S6 In case of a *current* below 300 mA or above 1 A for a light bulb that is switched on, the traffic lights should blink in yellow for the secondary road (*s\_yellow*(24), *s\_yellow*(0)), after all red lights have been switched on (*s\_red*(24) or *m\_red*(24)) for a period of time.

# Domain knowledge about *broken\_light()*



# Sequence diagrams for BrokenLightSafeState I



# Sequence diagrams for BrokenLightSafeState II





# Sequence diagrams for BrokenLightSafeState III

ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure **Example - TLC** Example - SBC

- The phenomenon broken\_light can occur in every state. It is detected by a very high or very low current for one light bulb.
- Although the domain *lights control* is part of the machine, it is included in this diagram because the phenomenon *broken\_light* is more abstract. A diagram using the more technical phenomenon *current* is hard to understand.
- The references set\_all\_red and set\_sec\_yellow are not specified here since the behavior is described in Phase 6.
- The safe state is realized by periodically switching on and off the yellow light of the secondary road. It is not specified how to repair the traffic lights, i.e., how to leave the safe state.

# Sequence diagrams for Initialization



# Validation I

ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

• no contradictions found in  $F \land A \land S$ 

•  $F \land A \land S \Longrightarrow R'$ 

- $S1 \wedge F1 \wedge F9 \wedge A1 \wedge A4 \Longrightarrow R1$
- $S2 \wedge F1 \wedge F2 \wedge A1 \Longrightarrow R2$
- $S3 \wedge F2 \wedge A1 \wedge F4 \wedge F12 \Longrightarrow R3$
- $S4a \land S4b \land F1 \land F2 \land A1 \Longrightarrow R4$
- $\bullet S5a \land S5b \land A1 \Longrightarrow R5$
- $S6 \wedge F7 \wedge A1 \Longrightarrow R6$
- $S7 \wedge F1 \wedge A1 \Longrightarrow R7$
- All requirements are captured. They are assigned to the subproblems as described in Phase 3 and therefore also assigned to the corresponding sequence diagrams.

# Validation II

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- In the sequence diagrams, exactly the phenomena of the problem diagrams are used, and the direction of signals is consistent with the control of the shared phenomena.
- The signals connect domains as connected in the problem diagram.
- The specification can be easily derived from the requirements and the domain knowledge expressed as sequence diagrams.
- The relationships of Phase 3 are consistent with the state invariants:

| Subproblem           | Start State | End State  |
|----------------------|-------------|------------|
| MainRoadPassing      | ALL_WAIT_M  | ALL_WAIT_S |
| SecondaryRoadPassing | ALL_WAIT_S  | ALL_WAIT_M |
| EmergencyRequest     | all         | ALL_WAIT_M |
| SecondaryRoadPassing |             |            |
| BrokenLightSafeState | all         | none       |

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

# Example 2: sun blind control

# SunControl Problem Diagram



Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

- R1 If there is *sunshine* for more than one minute but *no heavy wind*, the sun blind will be lowered (*lower sun blind*). (*Parts of R3 included to prevent contradictions. R8 has priority!*)
- R2 If there is *no sun shine* for more than 5 minutes, the sun blind will be pulled up (*pull up sun blind*). (*R8 has priority!*)
- R8 If the user interacts with the sun blind (*manually opens the sun blind*, *manually closes the sun blind*, *manually rotate fins with positive degree* or *manually rotate fins with negative degree*), *sun shine* and *no sun shine* are ignored within the next 4 hours.

# SunControl – Derive Specification

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC SunShine, noSunShine, heavyWind, noHeavyWind, manuallyOpenSunBlind, manuallyCloseSunBlind, manuallyRotateFinsWithPositiveDegree and manuallyRotateFinsWithNegativeDegree are controlled by the environment and observable by the machine. *lowerSunBlind, pullUpSunBlind* are controlled by the machine and observable by the environment. R8 expresses conditions that can only be decided in the future.

S1 = R1

S1 = R2

S8 The sunblind should not be lowered or pulled up (*lowerSunBlind*, pullUpSunBlind) when the user interacted with the sun blind (manually opens the sun blind, manually closes the sun blind, rotate fins with positive degree or rotate fins with negative degree) within the last 4 hours.

### SunControl Sequence Diagrams I



## SunControl Sequence Diagrams II



10

## SunControl Sequence Diagrams III



## SunControl Sequence Diagrams IV



<sup>10</sup>First the exceptions are specified.

### UserControl Problem Diagram



Example - SBC

sun blind h wind R5.R6 user

- R5 If the user *manually opens the sun blind*, the sun blind will be pulled
- R6 If the user manually closes the sun blind and there is no heavy wind, the sun blind will be lowered (lower sun blind). (Parts of R3 included to prevent contradictions.)

# UserControl - Derive Specification I

| ES<br>Heisel |                                                                                |
|--------------|--------------------------------------------------------------------------------|
|              |                                                                                |
|              | heavyWind, noHeavyWind, manuallyOpenSunBlind, and                              |
|              | manuallyCloseSunBlind are controlled by the environment and observable         |
|              | by the machine.                                                                |
|              | <i>lowerSunBlind</i> , <i>pullUpSunBlind</i> are controlled by the machine and |
|              | observable by the environment.                                                 |
|              | S5 = R5                                                                        |
|              | S6 = B6                                                                        |
|              |                                                                                |
|              |                                                                                |
|              |                                                                                |

Phase 5

Example - SBC

## UserControl Sequence Diagrams I



## UserControl Sequence Diagrams II



## FinsControl Problem Diagram



Phase 5



R4 If there is *no heavy wind* and the user *manually adjusts the fins with positive degree* the fins are rotated with positive degree (*rotate fins with positive degree*).

If there is *no heavy wind* and the user *manually adjusts the fins with negative degree* the fins are rotated with negative degree (*rotate fins with negative degree*).

## FinsControl - Derive Specification

ES

#### Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

*heavyWind*, *noHeavyWind*, *manuallyRotateFinsWithPositiveDegree* and *manuallyRotateFinsWithNegativeDegree* are controlled by the environment and observable by the machine.

*rotateFinsWithPositiveDegree* and *rotateFinsWithNegativeDegree* are controlled by the machine and observable by the environment.

- S4a If there is *no heavy wind* and the user *manually adjusts the fins with positive degree* the fins are rotated with positive degree (*rotate fins with positive degree*).
- S4b If there is no heavy wind and the user manually adjusts the fins with negative degree the fins are rotated with negative degree (rotate fins with negative degree).

## FinsControl Sequence Diagram I



### NoDestructControl Problem Diagram



Example - SBC

- R3 The sun blind should not be destroyed: If there is *heavy wind*, the sun blind will be pulled up (*pull up sun blind*).
- R7 The sun blind should not be destroyed: When the sun blind is in its lowest position (*sun blind is lowered*) or in it highest position (*sun blind is pulled up*) the sun blind should stop (*stop sun blind*).

## NoDestructControl - Derive Specification

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC *heavyWind*, *noHeavyWind*, *sunBlindIsLowered*, and *sunBlindIsPulledUp* are controlled by the environment and observable by the machine. *rotateFinsWithPositiveDegree* and *rotateFinsWithNegativeDegree* are controlled by the machine and observable by the environment.

S3 = R3S7 = R7

## NoDestructControl Sequence Diagram



## Initialization Sequence Diagram



## Validation I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

• no contradictions found in  $D \wedge S$ 

 $\bullet D \land S \Longrightarrow R$ 

- $S1 \iff R1$
- $\bullet S2 \Longleftrightarrow R2$
- $S3 \iff R3$
- $S4a \land S4b \iff R4$
- $S5 \iff R5$
- $\bullet S6 \Longleftrightarrow R6$
- $S8 \implies R8$  (other time reference)
- $S7 \iff R7$
- all requirements are captured
- in the sequence diagrams exactly the phenomena of the problem diagrams are used (space + letter converted to capital letters)

## Validation II

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3

Phase 4 Introduction Notations Terminology Specifications UML sequence diagrams Procedure Example - TLC Example - SBC

Phase 5

- direction of signals is consistent with control of shared phenomena
- signals connect domains as connected in problem diagram
- all phases are parallel, and therefore it is not checked that the relationships are consistent with the state invariants

## Phase 5: Design global system architecture subproblem

#### ES

Heisel

. . .

. . .

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5

#### Introduction

Notations UML Composite structure diagrams Procedure Example - TL Example - SB

- 4. Derive machine behavior specification for each subproblem
  - 5. Design global system architecture
  - 6. Derive specifications for all components of the global system architecture
  - 7. Design a software architecture for all components of the global system architecture that should be implemented in software
  - 8. Specify the behavior of all components of all software

## Phase 5: Design global system architecture I

| ES                        | input:  | context diagram from Phase 2                       | ext. Jackson                  |
|---------------------------|---------|----------------------------------------------------|-------------------------------|
|                           |         | problem diagrams from Phase 3                      | Jackson with dot-<br>notation |
|                           |         | sequences of interactions between machine          | sequence diagrams             |
|                           |         | and environment of all subproblems from<br>Phase 4 |                               |
|                           |         | expression of the subproblem relationships         | grammar                       |
|                           |         | from Phase 3                                       | 0                             |
|                           | output: | system architecture                                | composite struc-              |
|                           |         |                                                    | ture diagram                  |
|                           |         | perhaps subcomponents (recursively)                | composite struc-              |
| Introduction<br>Notations |         |                                                    | ture diagrams                 |
|                           |         | purpose of each component                          | natural language              |
|                           |         | specification of external interfaces               | interface classes             |
|                           |         | specification of interfaces between the com-       | interface classes             |
|                           |         | ponents                                            |                               |
|                           |         | technical description of hardware interfaces       | natural language,             |
|                           |         |                                                    | figures                       |
|                           |         | expression of the subproblem relationships         | grammars                      |
|                           |         | for all components                                 | 200                           |

## Phase 5: Design global system architecture II

| 50                        |                                                        |
|---------------------------|--------------------------------------------------------|
| ES                        | validation: all machine interfaces of the problem dia- |
| Heisel                    | grams must be captured                                 |
|                           | the signals in the sequence diagrams must              |
| Introduction              | be the same as the signals in the external             |
| DePES                     | interfaces                                             |
| Phase 1                   | to each programmable component at least                |
| Phase 2                   | one problem diagram must be associated                 |
| Phase 3                   | each problem diagram must be associated                |
|                           | to at least one component                              |
| Phase 4                   | all domains in the problem diagrams being              |
| Phase 5                   | part of the machine must be associated to              |
| Introduction<br>Notations | a component                                            |
| UML                       | each machine domain in the context dia-                |
| Composite<br>structure    |                                                        |
| diagrams<br>Procedure     | gram must occur in the architecture                    |
| Example - TLC             | purpose must be consistent with the asso-              |
| Example - SBC             | ciated requirements                                    |
|                           | the grammar for each component must de-                |
|                           | scribe a subset of the grammar in Phase 3              |

### Notations and concepts



#### Composite structure diagrams

#### ES

#### Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

#### Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLO Example - SBO

- Represent internal structure of a component
- Also called architecture diagrams
- Answers question "How are components structured and how do they work together"?

#### **Basic elements**

ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL Example - SB

- **parts**: named rectangles, denote architectural components
- ports: small rectangles, denote interaction points of a part with its environment; may have names
- connectors: lines between two ports; may have names



## Part multiplicity





There is exactly one instance of part *dispatch* and between 0 and maxDLC + 1 instances of part *dlc*.

#### Interfaces

#### ES

#### Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLI Example - SBI

#### May be associated to ports

- required interface: "socket" notation
- provided interface: "lollipop" notation



#### Interface classes

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL( Example - SB(

- Serve to describe interfaces
- Notation: class diagrams, with stereotype "<<interface>>"
- Contain no attributes

| < <interface>&gt;<br/>ControlButtons</interface>  | < interface name      |
|---------------------------------------------------|-----------------------|
| start()<br>stop()<br>volume_up()<br>volume_down() | ← operations, signals |

#### Notation for architectures



Parts = Components = Objects or Classes (Classifiers)

### Notation for interfaces



Notations UML Composite structure diagrams Procedure Example - TL Example - SB

Composite structure diagrams can be transformed into class diagrams.

## Problem diagrams with phenomena vs. composite structure diagrams with interface classes I

#### ES

#### Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL Example - SB Phenomena controlled by the machine become part of a required interface of the machine.



## Problem diagrams with phenomena vs. composite structure diagrams with interface classes II

#### ES

#### Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLI Example - SB Phenomena controlled by lexical domains in the environment can become part of a required interface of the machine, if the lexical domain returns a value.



## Problem diagrams with phenomena vs. composite structure diagrams with interface classes III

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL Example - SB Phenomena controlled by the environment become part of a provided interface of the machine.



## Phase 5: Design global system architecture I

| ES                             | input:  | context diagram from Phase 2                       | ext. Jackson                  |
|--------------------------------|---------|----------------------------------------------------|-------------------------------|
| Heisel                         |         | problem diagrams from Phase 3                      | Jackson with dot-<br>notation |
| Introduction                   |         | sequences of interactions between machine          | sequence diagrams             |
| DePES                          |         | and environment of all subproblems from<br>Phase 4 |                               |
| Phase 1                        |         | expression of the subproblem relationships         | grammar                       |
| Phase 2                        |         | from Phase 3                                       | 5                             |
| Phase 3                        | output: | system architecture                                | composite struc-              |
| Phase 4                        |         |                                                    | ture diagram                  |
| Phase 5                        |         | perhaps subcomponents (recursively)                | composite struc-              |
| Introduction<br>Notations      |         |                                                    | ture diagrams                 |
| UML                            |         | purpose of each component                          | natural language              |
| Composite<br>structure         |         | specification of external interfaces               | interface classes             |
| diagrams<br>Procedure          |         | specification of interfaces between the com-       | interface classes             |
| Example - TLC<br>Example - SBC |         | ponents                                            |                               |
|                                |         | technical description of hardware interfaces       | natural language,             |
|                                |         |                                                    | figures                       |
|                                |         | expression of the subproblem relationships         | grammars                      |
|                                |         | for all components                                 |                               |

## Phase 5: Design global system architecture II

| ES                         |                                                        |
|----------------------------|--------------------------------------------------------|
| LJ                         | validation: all machine interfaces of the problem dia- |
| Heisel                     | grams must be captured                                 |
|                            | the signals in the sequence diagrams must              |
| Introduction               | be the same as the signals in the external             |
| DePES                      | interfaces                                             |
| Phase 1                    | to each programmable component at least                |
| Phase 2                    | one problem diagram must be associated                 |
| Phase 3                    | each problem diagram must be associated                |
|                            | to at least one component                              |
| Phase 4                    | all domains in the problem diagrams being              |
| Phase 5<br>Introduction    | part of the machine must be associated to              |
| Notations                  | a component                                            |
| UML<br>Composite           | each machine domain in the context dia-                |
| structure<br>diagrams      | gram must occur in the architecture                    |
| Procedure<br>Example - TLC | purpose must be consistent with the asso-              |
| Example - SBC              | ciated requirements                                    |
|                            | the grammar for each component must de-                |
|                            | scribe a subset of the grammar in Phase 3              |

## Executing Phase 5 I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL Example - SB

- Find out which hardware and software components are necessary.
  - Existing components can become parts of the machine.
     We distinguish between programmable components (e.g., Microcontroller, Embedded PC with Operating System) and hardware components (e.g., Network and Interconnection Components, Analog-Digital-Converter, Clocks). (Software components will be considered in Phase 7).
  - If distributed processing is required, several components being part of the machine are necessary.
  - Domains in the problem diagrams that are part of the machine (marked with a big dot) will become separate components inside the architectual diagram.

## Executing Phase 5 II

ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL Example - SB

- Add ports with their provided and required interfaces.
  - The signals and parameters of the operations for the external interfaces can be extracted from the sequence diagrams.
  - The other interfaces must be designed according to the desired functionality of the connected components.
- In addition to the interface description using interface classes, the technical realization of the interfaces must be described. Natural language or figures from the application domain can be used for these technical descriptions.
- For each component, its purpose should be described in one or two sentences. This description must be clear enough to distinguish between the different components.

## Executing Phase 5 III

#### ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL Evample - SR

- State for each programmable component which (parts of) subproblems are solved by the component and what their relatenships are.
  - The subproblem relationships are described for each component with the same notation as introduced in Phase 3.
  - Parallel problems constraining different domains can be easily distributed to different components.
  - Sequential and alternative problems must be associated to the same component or a new component must be introduced that decides which of the machines should be activated.

#### Remarks

#### ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TL

- For all programable components, the architecture diagram will be refined in Phase 7.
- For hardware components to be developed, the architecture diagram is the starting point for the hardware development.
- Clock components should only be included if the programable component does not provide a clock signal or timer functionality and at least one time-dependent requirement exists. Operating systems often provide some kind of timer functionality. In this case, all software components can use the given functionality, and no dedicated interface for the clock signal must be described.

#### ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

## **Example 1: traffic light control**

## TrafficLightsControl System Architecture



#### Purpose of each component

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

- TrafficLightsController Decides on the signaling shown by the physical traffic lights.
- LightsControl Connects the *TrafficLightsController* to the physical lights. We buy this component.

InductionLoopControl Connects the *TrafficLightsController* to the induction loop. We buy this component.

## Subcomponents



# TrafficLightsControl System Architecture - External Interfaces I

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Fxample - SBC ⟨⟨*interface*⟩⟩ lights\_on\_off

main\_red (voltage: integer)
sec\_red (voltage: integer)
main\_yellow (voltage: integer)
sec\_yellow (voltage: integer)
main\_green (voltage: integer)
sec\_green (voltage: integer)

{(interface))
srr
vehicle\_waiting ()

# TrafficLightsControl System Architecture - External Interfaces II

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5

Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

 $\langle \langle \textit{interface} 
angle 
angle$ bl

current (light: eLight, current\_of\_light: integer)

 $\langle \langle interface \rangle \rangle$ 

er

emergency\_request\_start()
emergency\_request\_end()

## TrafficLightsControl System Architecture - Internal Interfaces

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC ((interface))
 lights\_on\_off\_if

m\_red (on: boolean)
s\_red (on: boolean)
m\_yellow (on: boolean)
s\_yellow (on: boolean)
m\_green (on: boolean)
s\_green (on: boolean)

((interface))
srr\_if
srr ()

(*interface*) bl\_if broken\_light ()

## TrafficLightsControl System Architecture – Technical interface description

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4
- Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

### Example: Interface bl

The signal of the interface *bl* describes the measurement of the electric current for each light. If the electric current is not in the range from 300 mA to 1000 mA, the signal *broken light()* of the interface *bl* is sent to the *TrafficLightsController* as a single event.

## Subproblem relationships

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC We decided to implement all subproblems in the component *TrafficLightsController*. The subproblem relationship of the component *TrafficLightsController* is therefore the same as for the overall machine (Step 3).

The other components are hardware components.

## Validation I

#### ES

Heisel

- Introductio
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

- The external interfaces of the components cover the interfaces of all problem diagrams.
- The signals in the sequence diagrams are the same as in the external interfaces.
- All subproblems are associated to the component *TrafficLightsController*. (At least one must be associated.)
- All domains in the problem diagrams being part of the machine are associated to a component (domain *lights control* – component *LightsControl*, domain *induction loop control* – component *InductionLoopControl*).
- LightsControl and InductionLoopControl are hardware components.

## Validation II

#### ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure **Example - TLC** Example - SBC

- Only one machine domain in the context diagram exists.
   Its structure is given by the architecture.
- The purpose of each component is consistent with the associated requirements.

#### ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

## Example 2: sun blind control

## SunControl System Architecture



### Purpose of each component I

ES

Heisel

Introductio

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC Button Transforms the user commands into a button state.

SunSensor Measures the sun intensity and transforms it into a lux-value.

WindSensor Measures the speed of the wind and transforms it into a number of pulses per minute proportional to the speed of the wind.

Motor Pulls up and lowers the sunblind according to its turning direction. The direction can be controlled by the *SunBlindController*.

SunBlindController Controlls the sun blind and the fins. It should react to sunshine and user commands, and it prevents the sun blind from taking damage caused by heavy wind.

## Subcomponents I



## SunControl System Architecture - External Interfaces I

ES

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC  $\ll$  interface  $\gg$ 

usr\_cmds

manuallyOpenSunBlind() manuallyAdjustFinsPositiveDegree() manuallyCloseSunBlind() manuallyAdjustFinsNegativeDegree()

 $\ll$  interface  $\gg$  sun\_blind\_state

sunBlindIsPulledUp()
sunBlindIsLowered()

 $\ll$  interface  $\gg$  sun\_blind\_ctrl

stopSunBlind() lowerSunBlind() pullUpSunBlind()

## SunControl System Architecture - External Interfaces II



## SunControl System Architecture - Internal Interfaces I

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC  $\ll$  interface  $\gg$ 

button\_state

upButtonPushed() upButtonReleased() downButtonPushed() downButtonReleased()

> ≪ interface ≫ motor\_state

motorLeftBlocked()
motorRightBlocked()

 $\ll$  interface  $\gg$  motor\_ctrl

stopMotor() turnMotorRight() turnMotorLeft()

## SunControl System Architecture - Internal Interfaces II

| ES      |                            |
|---------|----------------------------|
|         |                            |
|         | // interface >>            |
| DePES   | $\ll$ interface $\gg$      |
|         | sun_intensity              |
|         |                            |
|         | auglatonaitu (luvu latogou |
| Phase 3 | sunIntensity(lux: Integer  |
|         | $\ll$ interface $\gg$      |
|         | wind_speed                 |
|         |                            |
|         |                            |
|         | windPulse()                |
|         | willur uise()              |
|         |                            |

Example - SBC

## SunControl System Architecture - Wind sensor description

#### ES

#### Heisel

Example - SBC

| wind speed | pulses per minute | delay between two pulses |
|------------|-------------------|--------------------------|
| 1 km/h     | 10                | 6000 ms                  |
| 2 km/h     | 20                | 3000 ms                  |
| 5 km/h     | 50                | 1200 ms                  |
| 10 km/h    | 100               | 600 ms                   |
| 20 km/h    | 200               | 300 ms                   |
| 50 km/h    | 500               | 120 ms                   |
| 80 km/h    | 800               | 75 ms                    |
| 100 km/h   | 1000              | 60 ms                    |
| 200 km/h   | 2000              | 30 ms                    |

## Subproblem relationships I

```
ES
```

Heisel

Introduction

DePES

Phase 1

Phase 2

Phase 3

Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC The component *SunBlindController* is the only programmable component.

## Validation I

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

- All machine interfaces of the problem diagrams are captured (e.g., lower sun blind – lowerSunBlind).
- The signals in the sequence diagrams are the same as in the external interfaces.
- To each programmable component at least one problem diagram is associated (see previous slide).
- All problem diagrams are associated to the component SunBlindController.
- All domains in the problem diagrams being part of the machine are associated to a component (Buttons – Buttons, SunSensor – SunSensor, WindSensor – WindSensor, Motor – Motor).

## Validation II

#### ES

Heisel

- Introduction
- DePES
- Phase 1
- Phase 2
- Phase 3
- Phase 4

Phase 5 Introduction Notations UML Composite structure diagrams Procedure Example - TLC Example - SBC

- Only one machine domain in the context diagram exists (Sun Blind Control). Its structure is given by the architecture.
- The purpose of each component is consistent to the associated requirements.

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

## Embedded Systems WS 08/09

### Maritta Heisel Maritta.Heisel(AT)uni-duisburg-essen.de

Denis.Hatebur(AT)uni-duisburg-essen.de

University Duisburg-Essen – Faculty of Engineering Department of Computer Science Workgroup Software Engineering

## Overview of development process (DePES) I

#### ES

Heisel

#### Overview

Phase 6

- Phase 7
- Phase 8
- Phase 9

- 1. Describe system in use
- 2. Describe system to be built
- 3. Decompose problem
- 4. Derive a machine behavior specification for each subproblem
- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design an architecture for all programmable components of the global system architecture that will be implemented in software

## Overview of development process (DePES) II

#### ES

#### Heisel

#### Overview

- Phase 6
- Phase 7
- Phase 8
- Phase 9

- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment
- 11. Integrate and test software components
- 12. Integrate and test hardware and software

# Phase 6: Derive specifications for all components of the global system architecture I

ES

Heisel

. . .

. . .

Overview

Introduction Procedure

Example - TLC Example - SBC

Phase 7

Phase 8

Phase 9

- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines

## Phase 6: Derive specifications for all components of the global system architecture

| ES                             | For each s  | subproblem:                                      |               |            |
|--------------------------------|-------------|--------------------------------------------------|---------------|------------|
| Heisel                         | input:      | architecture from Phase 5                        | composite     | structure  |
| , reibei                       |             |                                                  | diagrams      |            |
| Overview                       |             | interface specifications from Phase 5            | interface cla | sses       |
| <sup>2</sup> hase 6            |             | subcomponents (if defined) from Phase 5          | composite     | structure  |
| Introduction                   |             |                                                  | diagrams      |            |
| Procedure                      |             | sequences of interactions from Phase 4           | sequence      | diagrams   |
| Example - TLC<br>Example - SBC |             |                                                  | with annota   | ted states |
|                                |             |                                                  | or existing   | technical  |
| <sup>o</sup> hase 7            |             |                                                  | documentation |            |
| Phase 8                        | output:     | interface behavior of all components (test spec- | sequence      | diagrams   |
| Phase 9                        |             | ification)                                       | with annota   | ed states  |
|                                | validation: | sequence diagrams together must describe the     |               |            |
|                                |             | same interface behavior as in Phase 4            |               |            |
|                                |             | all signals in the interface classes of Phase 5  |               |            |
|                                |             | must be used in at least one sequence diagram    |               |            |
|                                |             | direction of signals must be consistent with the |               |            |
|                                |             | required and provided interfaces of Phase 5      |               |            |
|                                |             | signals must connect components as connected     |               |            |
|                                |             | in the system architecture of Phase 5            |               |            |
|                                |             | it must be possible to map the new states to the |               |            |
|                                |             | states of Phase 4                                |               |            |

## Executing Phase 6 I

ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TL Example - SB Phase 7 Phase 8

Phase 9

To create the sequence diagrams, for each subproblem the following steps have to be performed:

- Draw a lifeline for all components of the architecture that are necessary to describe the interface behavior of the subproblem and one or more lifelines for the environment. If the diagram becomes too complex, components can be merged in the sequence diagram, and the interaction between these components must be described separately.
- Alternatively, for each component the behavior can be described separately.
- Describe the interface behavior of all components using the signals from the system architecture (Phase 5). The behavior must refine the behavior described in Phase 4.

## Executing Phase 6 II

#### ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TLI Example - SBI

Phase 7

Phase 8

Phase 9

- Add states where they are relevant to describe the behavior.
- Add missing sequence diagrams to describe the behavior for all relevant states for all components.
- Add timing constraints if necessary.
- To describe complex interactions between two components, references to detailed sequence diagrams can be used.
- As for Phase 4: each diagram represents one concrete interaction sequence. Do not try to make the diagrams too general. It is better to draw further diagrams.

### Remarks

#### ES

Heisel

- Overview
- Phase 6 Introduction Procedure Example - TI
- Phase 7
- Phase 8
- Phase 9

- The sequence diagrams together must describe the same behavior as in Phase 4.
- The signals at the external interfaces of this phase must be the same, have the same direction and the same order as in Phase 4.
- All signals in the interface classes specified in Phase 5 must be used in at least one sequence diagram of one subproblem, and the direction of signals must be consistent with the required or provided interfaces.
- It must be possible to map the new states to the states in Phase 4.

#### ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC

Phase 7

Phase 8

Phase 9

## **Example 1: traffic light control**

## Interface behavior for TrafficLightsControl, Subproblem MainRoadPassing 1 I



## Interface behavior for TrafficLightsControl, Subproblem MainRoadPassing 1 II



| road users on<br>lanes | crossing, waiting<br>area of seconday<br>road | lights lights    |                | roller induction loop |
|------------------------|-----------------------------------------------|------------------|----------------|-----------------------|
|                        | {t+3<br>t+24}                                 | srr              | 0              |                       |
|                        |                                               |                  |                | vehicle_waiting ()    |
|                        |                                               | main_red (0)     | m_red (off)    |                       |
|                        |                                               | main_yellow (24) | m_yellow (on)  |                       |
|                        |                                               | main_green (0)   | m_green (off)  |                       |
|                        |                                               |                  |                |                       |
| {t+23.9                | main yellow ()                                |                  |                |                       |
| (MAIN PASSING)         | main_yenow ()                                 |                  |                |                       |
| WILLEND                |                                               |                  |                |                       |
|                        |                                               | main_red (24)    | m_red (on)     |                       |
|                        |                                               | main_yellow (0)  | m_yellow (off) |                       |
|                        |                                               | main_green (0)   | m_green (off)  |                       |
|                        |                                               |                  |                |                       |
| {t+24.9                |                                               |                  |                |                       |
| t+25.1}_               | main_red ()                                   |                  |                |                       |
|                        |                                               |                  |                |                       |
|                        |                                               |                  |                | 1 1                   |

## Interface behavior for TrafficLightsControl, Subproblem MainRoadPassing 1 III

#### ES

Heisel

Overview

- Phase 6 Introduction Procedure Example - TLC Example - SBC
- Phase 7
- Phase 8
- Phase 9

We suggest to use the alternative way of specification:

- In this phase, it is also possible to merge the domains lights, lights control and TLC main phase and express the interaction between these components separately.
- Since the diagrams become very complex in this case and only little additional information is given in the diagrams above, the specification of Step 4 can be re-used, and the behavior of the components *LightsControl* and *InductionLoopControl* can be specified separately on the next slides.

## Interface behavior for LightsControl I



lights control

s red (on)

s\_red (off)

s vellow (off

s areen (on)

s green (off

m red (off)

m yellow (on

m yellow (of

m areen (on)

m areen (off)

main yellow (0

main green (24

main green (0)

## Interface behavior for LightsControl II

#### ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC Phase 7 Phase 8

Phase 9

### Subproblem BrokenLight-SafeState

When a light bulb is supplied with 24 V, a functioning lights bulb uses a current between 300 mA and 1000 mA. If another current can be measured for one light bulb, the *BrokenLight* signal is generated.

| ad Linkto Oractor   | Dealers are sides (summation)    | and Balan       |
|---------------------|----------------------------------|-----------------|
| sa Lights Contro    | l Broken consider {current, brok | en_lignt}       |
| + vLiah             | t: eLight                        |                 |
|                     |                                  | control         |
|                     |                                  | · · · · ·       |
|                     |                                  |                 |
|                     |                                  | unit = mA       |
|                     |                                  |                 |
| loop (0,*)          |                                  |                 |
|                     |                                  |                 |
| {vCurrent of vLight |                                  |                 |
| changed}            |                                  |                 |
|                     | current (vLight, vCurrent)       |                 |
|                     | current (veight, vourient)       |                 |
| L                   |                                  |                 |
| {vCurrer            | nt<300 or                        |                 |
| vCurrer             |                                  |                 |
|                     | <i>,</i>                         |                 |
|                     |                                  | broken_light () |
|                     |                                  | ;               |
|                     |                                  |                 |
| 1                   |                                  |                 |
|                     |                                  |                 |

## Interface behavior for LightsControl III



## Interface behavior for InductionLoopControl I

ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC Phase 7 Phase 8

Phase 9

### Subproblem MainRoadPassing

The secondary road request (*srr()*) is transformed into the signal *vehicle\_waiting*. Since the abstract signal *srr* is used, an additional technical description is necessary (but not provided here).



## Validation

#### ES

Heisel

Overview

- Phase 6 Introduction Procedure Example - TLC Example - SBC
- Phase 7
- Phase 8
- Phase 9

- The sequence diagrams together describe the same behavior as in Phase 4, since all diagrams are re-used.
- All signals in the interface classes of Phase 5 are used in at least one sequence diagram.
- The direction of signals is consistent with the required or provided interfaces of Phase 5.
- The signals connect components as connected in the system architecture of Phase 5.

#### ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC

Phase 7

Phase 8

Phase 9

## Example 2: sun blind control

## Interface behavior for SunBlindControl

#### ES

Heisel

Overview

Phase 6

Introduction Procedure Example - TLC Example - SBC

Phase 7

Phase 8

Phase 9

## Subproblems SunControl, NoDestructControl, FinsControl, UserControl

The interface behavior can be directly derived from Phase 4 and the sequence diagrams of the other components.

## Interface behavior for Button I

ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC

rnase r

Phase 8

Phase 9

The signals to the Buttons are abstract and represents the intention of the user.

### Subproblem FinsControl



## Interface behavior for Button II

ES

Heise

### Subproblem UserControl



## Interface behavior for Button III

ES

Heisel

### Subproblem UserControl



## Interface behavior for Button IV



Phase 7

Phase 8

Phase 9

### Subproblem SunControl

All sequence diagrams for Button together cover S8.

## Interface behavior for SunSensor

ES

Heisel

Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC

Phase 7

Phase 8

Phase 9

## Subproblem SunControl



## Interface behavior for WindSensor

ES

### Heisel

### Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC

. .

Phase 9

# Subproblems SunControl, NoDestructControl, FinsControl, UserControl



The phenomena *WindSpeed* is an abstraction of a signal sequence consisting of *WindPulse*s.

## Interface behavior for Motor

ES

Heisel

#### Overview

Phase 6 Introduction Procedure Example - TLC Example - SBC

Phase 7

Phase 8

Phase 9

# Subproblems SunControl, NoDestructControl, FinsControl, UserControl



## Validation

### ES

Heisel

- Overview
- Phase 6 Introduction Procedure Example - TLC Example - SBC
- Phase 7
- Phase 8
- Phase 9

- The sequence diagrams together describe the same behavior as in Phase 4, because all digrams are re-used.
- All signals in the interface classes of Phase 5 are captured in at least one sequence diagram. The phenomenon *WindSpeed* is an abstraction of a signal sequence consisting of *WindPulses*.
- The direction of signals is consistent with the required or provided interfaces of Phase 5.
- The signals connect components as connected in the system architecture of Phase 5.
- No new state invariants are introduced.

# Phase 7: Software architecture for all programmable components of the global system arch. I

ES

Heisel

. . .

. . .

- Overview
- Phase 6
- Phase 7
- Concepts Connection notation Four-variable model Architectura patterns Procedure Example - TL
- Phase 8

- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment

## Phase 7: Software architecture for all programmable components of the global system arch.

| ES                     | input:      | global system architecture from Phase 5                     | composite structure di  |
|------------------------|-------------|-------------------------------------------------------------|-------------------------|
|                        |             |                                                             | gram                    |
| Heisel                 |             | problem diagrams from Phase 3                               | Jackson with do         |
|                        |             | -                                                           | notation                |
| Overview               |             | interface specifications from Phase 5                       | interfaces classes      |
| Phase 6                |             | relationships between subproblems specified in Phase 5      | grammars                |
| Phase 7                |             | possibly reusable components from other projects            | active or passive class |
| Introduction           |             | (Phase 9)                                                   | with interface classes  |
| Concepts               |             | machine behavior specifications from Phase 4                | sequence diagrams wit   |
| Connection<br>notation |             | ·                                                           | annotated states        |
| Four-variable<br>model | output:     | layered software architecture for each subproblem           | composite structure di  |
| Architectural          |             |                                                             | grams                   |
| patterns<br>Procedure  |             | merged layered software architecture (with subcompo-        | composite structure di  |
| Example - TLC          |             | nents)                                                      | grams                   |
| Example - SBC          |             | purpose of each software component                          | natural language        |
| Phase 8                |             | specification of interfaces between software components     | interface classes       |
| Phase 9                | validation: | if no instantiation of architectural patterns: consistent   |                         |
|                        |             | with problem diagram                                        |                         |
|                        |             | signals of Phase 4 sequence diagrams are interfaces of      |                         |
|                        |             | the application layer                                       |                         |
|                        |             | direction of all signals consistent to each other and input |                         |
|                        |             | external interfaces must be consistent with the interfaces  |                         |
|                        |             | of the system architecture developed in Phase 5             | 20 / 241                |
|                        |             |                                                             | 29/241                  |

## Notations and concepts

#### ES

Heisel

Overview

Phase 6

Phase 7

Concepts

Connection notation Four-variable model Architectural patterns Procedure Example - TL Example - SB

Phase 8

- Notation for connections and interfaces
- Four-variable model
- Architectural patterns

## Notation for connections and interfaces



## Layered architectures



Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variab model Architecture

patterns Procedure

Example - 1

Phase 8

Phase 9



- Hierarchical organization of software plus hardware executing the software
- "Lower" layers provide services for "higher" layers
- Usually, only adjacent layers should be connected (no *layer bridging*)
- Advantage: modifications only affect adjacent layers

 Well-known example: ISO/OSI reference model for communication protocols

## Four-variable model - basic idea

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation

Four-variable model

Architectural patterns Procedure Example - TL Example - SB

Phase 8

- Divide software into device-dependent and device-independent parts.
- Use (extended) four-variable model
  - Developed by David Parnas, extension by Connie Heitmeyer
  - Four Variables:
    - 1. Monitored variables: measured quantities (i.e., physical values, measured by sensors)
    - 2. Controlled variables: affected quantities (i.e., physical values, controlled by actuators)
    - 3. Input data: resources from which the values of monitored variables must be determined; submitted via a technical interface (electric signals corresponding to digital values)
    - 4. Output data: resources available to affect controlled variables; submitted via a technical interface (digital values corresponding to electric signals)

## Four variable model: System architecture, I



## Four variable model: System architecture, II



## Layered system architecture

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model

Architectura patterns Procedure Example - TI Example - SE

Phase 8

Phase 9



Hardware Programmable hardware component

- HAL Hardware Abstraction Layer: consists of drivers for external components; needed for portability
  - IAL Interface Abstraction Layer: provides input data or accepts output data, respectively

Application Layer: computes output data from input data

## Extended four-variable model: Interfaces

ES

Heisel

Overview

Phase 6

Phase 7 Introductio Concepts

Connection notation

Four-variable model

Architectural patterns Procedure Example - TL( Example - SB)

Phase 8

- Basic idea: application layer software should have the the same interfaces as the system, i.e., monitored and controlled variables
- Thus, application layer becomes device-independent, device dependencies are factored out in IALs and HALs.



# Four-variable model: System vs. Component behavior I



System behavior (Phase 4)

### Component behavior (Phase 6)

# Four-variable model: System vs. Component behavior II



System behavior (Phase 4)Component behavior (Phase 6)Analog-digital converter (ADV) to transform measured weight of vessel. $(5 V \cong 255 \cong 25 \text{ kg})$ 

## Architectural patterns

#### ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural

#### Architectura patterns

Procedure Example - TLC Example - SBC

Phase 8

- For the most important problem frames the corresponding architectural patterns will be proposed.
- If a subproblem fits to a known problem frame, then a simple instantiation of the patterns will suffice.
- This architectural pattern is one possible solution and can be used as a starting point for further development.

# Required behaviour frame diagram and architectural pattern



# Commanded behaviour frame diagram and architectural pattern



Phase 9

Control system with operator.

## Detailed architectural pattern for user interface



#### Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns

Procedure Example - TI Example - SE

Phase 8

Phase 9



Note: The architectual pattern contains a display to give feedback to the user (in contrast to the problem frame)

# Information display frame diagram and architectural pattern



Display machine with application layer to process sensor values.

# Commanded information frame diagram and architectural pattern



Example - TI Example - SE

Phase 9

Display machine with operator. A data storage component serves to store information that can be queried by operator commands.

# Workpieces frame diagram and architectural pattern



Phase 9

Note that there is only one interface with the environment.

# Transformation frame diagram and architectural pattern



## Phase 7: Software architecture for all programmable components of the global system arch.

| ES                             | input:      | global system architecture from Phase 5                     | composite structure   |
|--------------------------------|-------------|-------------------------------------------------------------|-----------------------|
|                                |             |                                                             | gram                  |
| Heisel                         |             | problem diagrams from Phase 3                               | Jackson with          |
| 0                              |             |                                                             | notation              |
| Overview                       |             | interface specifications from Phase 5                       | interfaces classes    |
| Phase 6                        |             | relationships between subproblems specified in Phase 5      | grammars              |
| Phase 7                        |             | possibly reusable components from other projects            | active or passive c   |
| Introduction                   |             | (Phase 9)                                                   | with interface classe |
| Concepts<br>Connection         |             | machine behavior specifications from Phase 4                | sequence diagrams     |
| notation<br>Four-variable      |             |                                                             | annotated states      |
| model                          | output:     | layered software architecture for each subproblem           | composite structure   |
| Architectural<br>patterns      |             |                                                             | grams                 |
| Procedure                      |             | merged layered software architecture (with subcompo-        | composite structure   |
| Example - TLC<br>Example - SBC |             | nents)                                                      | grams                 |
| Phase 8                        |             | purpose of each software component                          | natural language      |
| Phase 9                        |             | specification of interfaces between software components     | interface classes     |
| Phase 9                        | validation: | if no instantiation of architectural patterns: consistent   |                       |
|                                |             | with problem diagram                                        |                       |
|                                |             | signals of Phase 4 sequence diagrams are interfaces of      |                       |
|                                |             | the application layer                                       |                       |
|                                |             | direction of all signals consistent to each other and input |                       |
|                                |             | external interfaces must be consistent with the interfaces  | 10/011                |
|                                |             | of the system architecture developed in Phase 5             | 48 / 241              |

## Executing Phase 7 I

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variabl model Architectura

Procedure

Example - TLC Example - SBC

Phase 8

Phase 9

For each programmable component and each subproblem, an architecture should be developed. If the component implements several subproblems, we develop a seperate architecture for each subproblem:

- If a subproblem fits to a known problem frame, then a simple instantiation of the corresponding pattern suffices.
- If the subproblem fits to a variant of some problem frame, the corresponding architectual pattern can be adjusted.
- If a subproblem is unrelated to any problem frame, then a corresponding architecture has to be developed from scratch. The following rules can be applied to develop a layered architecture:
  - The interfaces of the architecture correspond exactly to the interfaces of the machine domains as defined in the different problem diagrams.

## Executing Phase 7 II

ES

Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variabl model Architectura patterns

Procedure

Example - TLO Example - SBO

Phase 8

- If the machine has interfaces with causal domains, the corresponding architecture should contain components for handling sensors and actuators. This reflects the way in which software can communicate with and influence the physical world.
- If the frame diagram contains a biddable domain (i.e., an operator or user), then the corresponding architecture should contain a user interface component.
- If the machine has interfaces with lexical domains, these domains should be reflected as parts of the corresponding architecture, because lexical domains can only exist inside the machine.
- Components for data storage should only be included if the data is stored persistently. Otherwise they can be assumed to be part of some other component.

## Executing Phase 7 III

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectura patterns Procedure

Example - TL Example - SB

Phase 8

Phase 9

### Merge the architectures to a global architecture:

- Decide if two components contained in different subproblem architectures should occur only once in the global architecture.
- Make use of the information gathered when decomposing the overall problem into subproblems. Therefore, distinguish the following cases:
  - 1. The components are hardware (HAL) or interface abstraction layers (IAL), establishing the connection to some hardware device.

Such components should be merged if and only if they are associated to the same hardware device.

2. Two application components belong to subproblems being related sequentially or by alternative.

Such components should be merged into one application component.

## Executing Phase 7 IV

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns **Procedure** Example - TL Example - SB

Phase 8

- Two application components belong to parallel subproblems and share some output phenomena. Such components should be merged, because the output must be generated in a way satisfying both subproblems.
- 4. Two application components belong to parallel subproblems and share some input phenomena. If the components do not share any output phenomena, both alternatives (merging the components or keeping them separate) are possible. If the components are not merged, then the common input must be duplicated.
- Two application components belong to parallel subproblems and do not share any interface phenomena. Such components should be kept separately.
- If a component is too complex, it should be split into subcomponents.

## Executing Phase 7 V

#### ES

Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variabl model Architectura patterns Procedure

Example - TLC Example - SBC

Phase 8

Phase 9

 If timing constraints have been specified, include a timer component with corresponding time-out timer.

## Executing Phase 7 VI

### ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectura patterns Procedure

Example - TL Example - SB

Phase 8

Phase 9

### Specify interface classes:

- The external interfaces are the same as the interfaces in the system architecture between the components.
- Since we use interface classes to describe the hardware interfaces, the interfaces between IAL and HAL are similar to the external interfaces of the component. Thereby, the HAL contains no application-specific functionality. It only provides easy-to-use software interfaces to access the hardware (e.g. registers, interrupts, direct memory access).
- The interfaces to the application component can be derived from sequence diagrams that describe the machine behavior (Phase 4).

## Executing Phase 7 VII

#### ES

Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variabl model Architectura patterns Procedure

Example - SBC

Phase 8

- If the interface of the application layer is the same as the interface of the HAL, the IAL can be removed from the architecture.
- As described in Phase 5, for each interface it must be decided, which component provides the interface and which component uses the interface. Usually, the component being in control of a phenomenon uses the corresponding interface. If an interface contains operations with return values, then the component providing these interfaces is in control of a phenomenon.

#### Remarks I

#### ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TL

Phase 8

- If reusable components from other projects are used, they must be integrated into the software architecture.
- The already developed architectures of the other subproblems should be checked for reusable components.
- The global architecture must contain all components of all subproblem architectures. Its external interfaces must be the same as in the system architecture developed in Phase 5.
- The external interfaces of the software architecture are usually connected with a microcontroller component. The software components can access these interfaces using *ports* and *interrupts*.

### Remarks II

#### ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variab model

Architectur

Procedure

Example - TLC Example - SBC

Phase 8

- Ports are provided by the microcontroller, and the software can use ports to read out input data or to send output signals.
- Interrupts are required interfaces of the microcontroller. The microcontroller sends the interrupts to the pre-configured software component when a change of the state at the interface is detected. Note: An interrupt cannot have parameters. The parameters must be read out using ports.
- Interrupts are assigned to fixed input pins of the microcontroller. Each microcontroller has a fixed number of pins that can send interrupt signals.

#### ES

Heisel

Overview

Phase 6

Phase / Introduct

Concepts Connection notation Four-variabl model Architectura patterns

Example - TLC Example - SBC

Phase 8

Phase 9

## **Example 1: traffic light control**

#### TrafficLightsControl System Architecture



## TrafficLightsControl SecondaryRoadPassing problem diagram



Variant of the required behavior.

## TrafficLightsControl SecondaryRoadPassing architecture



Variant of the required behavior architectural pattern. In problem the diagram no sensor is contained. For this the reason. components Sensor IAI Sensor and HAI are removed from the software architecture.

The Microcontroller is a reused component.

# TrafficLightsController MainRoadPassing problem diagram



Phase 9

Variant of the required behavior.

## TrafficLightsController MainRoadPassing architecture



# EmergencyRequestSecondaryRoadPassing Problem Diagram



Variant of the commanded behavior.

## EmergencyRequestSecondaryRoadPassing architecture



A sensor is not necessary and therefore removed. The user interface is just a button and no feedback is given to the user.

## TrafficLightsController BrokenLightSafeState problem diagram



## TrafficLightsController BrokenLightSafeState Architecture



LightsControl

#### Global Architecture I

ES

Heisel

Overview

Phase 6

Phase 7 Introductio

Connection notation Four-variab model

Architectur patterns

Procedure Example - TLC

Example - SBO

Phase 8



### Global Architecture II

The components of the global architecture are merged using the following components of the subproblem architectures.

| TrafficLightApplication    | TrafficLightApplicationSRP,<br>TrafficLightApplicationMRP,<br>TrafficLightApplicationER,<br>TrafficLightApplicationBL             |
|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| IndictionLoopIAL           | $IndictionLoopIAL_MRP$                                                                                                            |
| LightsInterfaceAbstraction | LightsInterfaceAbstractionSRP,<br>LightsInterfaceAbstractionMRP,<br>LightsInterfaceAbstractionER,<br>LightsInterfaceAbstractionBL |
| IndictionLoopDriver        | IndictionLoopDriverMRP                                                                                                            |
| LightsDriver               | LightsDriverSRP, LightsDriverMRP,<br>LightsDriverER, LightsDriverBL                                                               |
| EmergencyRequestDriver     | ${\sf EmergencyRequestDriverER}$                                                                                                  |
| ${\sf BrokenLightDriver}$  | ${\sf BrokenLightDriverBL}$                                                                                                       |
| Microcontroller            | Existing component                                                                                                                |

Overview

Phase 6

```
Phase 7
Introduction
Concepts
Connection
notation
Four-variable
model
Architectural
patterns
Procedure
Example - TLC
Example - SBC
```

#### Global Architecture III

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure **Example - TLC** Example - SBC Phase 8

Phase 9

The components LightsInterfaceAbstractionSRP, LightsInterfaceAbstractionMRP, LightsInterfaceAbstractionER, and LightsInterfaceAbstractionBL are merged since they are associated to the same hardware device (Case 1).

The components *LightsDriverSRP*, *LightsDriverMRP*, *LightsDriverER*, and *LightsDriverBL* are merged since they are associated to the same hardware device (Case 1).

The components TrafficLightApplicationSRP and

*TrafficLightApplicationMRP* implement sequential subproblems and are merged into one application component (Case 2). The merged component and the components *TrafficLightApplicationER* and

*TrafficLightApplicationBL* belong to parallel subproblems and share all output phenomena. They are also merged, because the output must be generated in a way satisfying all subproblems (Case 3).

### Global Architecture – TrafficLightApplication

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SEC

Phase 9

Since the component is complex, it is split into subcomponents. A *TimeOutTimer* and a *Clock* are introduced to separate the timers from the logic (in *TrafficLightBehavior*).



### Global Architecture – Purpose of the components

| ES                                                                             |                               |                                                                                                       |
|--------------------------------------------------------------------------------|-------------------------------|-------------------------------------------------------------------------------------------------------|
| Heisel                                                                         | Clock                         | Generates a pulse each millisecond.                                                                   |
| )verview                                                                       | TimeOutTimer                  | Sends a timeout message after a predefined time is elapsed.                                           |
| hase 6                                                                         | TrafficLightBehavior          | Control of Traffic Lights.                                                                            |
| Phase 7<br>Introduction<br>Concepts<br>Connection<br>notation<br>Four-variable | IndictionLoopIAL              | Detects if a vehicle is waiting (based on a secondary road request). (More complex in real machines). |
| model<br>Architectural<br>patterns<br>Procedure                                | LightsInterfaceAbstractionIAL | Transforms lights commands for each road into commands for each light bulb.                           |
| Example - TLC<br>Example - SBC                                                 | IndictionLoopDriver           | HAL for induction loop access.                                                                        |
| hase 8                                                                         | LightsDriver                  | HAL for lights access.                                                                                |
| hase 9                                                                         | EmergencyRequestDriver        | HAL for emergency request button.                                                                     |
|                                                                                | BrokenLightDriver             | HAL for lights (broken light detection).                                                              |
|                                                                                | Microcontroller               | Hardware running the application.                                                                     |
|                                                                                |                               |                                                                                                       |

#### TrafficLightsControl interfaces I

ES

Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC

Example - SBO

Phase 8

Phase 9

| $\langle \langle interface \rangle \rangle$ |
|---------------------------------------------|
| srr                                         |
|                                             |
| vehicle_waiting ()                          |

*((interface))* irq7 interrupt\_request\_7 ()

| $\langle \langle interface \rangle \rangle$ |
|---------------------------------------------|
| srr_if'                                     |
|                                             |
| see srr_if                                  |

The microcontroller schematic and databook show that the *Induction-LoopControl* is connected to the pin of the microcontroller that generates the interrupt request with number 7.

| $\langle \langle interface \rangle \rangle$ |
|---------------------------------------------|
| srr₋if                                      |
|                                             |
| srr ()                                      |

### TrafficLightsControl interfaces II

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-varial model Architectu

Procedure Example - TLC

Example - SBC

Phase 8

Phase 9

 $\langle \langle interface \rangle \rangle$ lights\_state\_if

main\_red ()
main\_yellow\_red ()
main\_yellow ()
main\_green ()
sec\_red ()
sec\_yellow\_red ()
sec\_yellow ()
sec\_green ()
all\_off ()

((interface))
 lights\_on\_off\_if

s\_red (on: boolean) s\_yellow (on: boolean) s\_green (on: boolean) m\_red (on: boolean) m\_yellow (on: boolean) m\_green (on: boolean)

((interface))
ports

see Hardware descriptions

(*(interface*)) lights\_on\_off\_if' see lights\_on\_off\_if

### TrafficLightsControl interfaces III

ES

Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC

Phase 8

Phase 9

((interface))
bl\_if
broken\_light ()



*((interface))* irq8 interrupt\_request\_8 ()

The microcontroller schematic and databook show that the broken lights detection of *LightsControl* is connected to the pin of the microcontroller that generates the interrupt request with number 8.

### TrafficLightsControl interfaces IV

ES

Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variab model Architectur. patterns Procedure

Example - TLC Example - SBC

Phase 8

Phase 9

⟨⟨interface⟩⟩ er\_if

emergency\_request\_start()
emergency\_request\_end()

((interface)) er\_if' see er\_if

*((interface))* irq9 interrupt\_request\_9 ()

The microcontroller schematic and databook show that the *button at the fire brigade* is connected to the pin of the microcontroller that generates the interrupt request with number 9.

### TrafficLightsControl interfaces V



#### Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variab model Architecturn patterns

Example - TLC

Phase 8

Phase 9





SetTimeOut (seconds: Integer)

((interface))
timeout
TimeOut ()

#### Validation

#### ES

Heisel

- Overview
- Phase 6
- Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Evample - SBC
- Phase 8
- Phase 9

- The subproblem architectures have the same external interfaces as the problem diagrams.
- The signals of sequence diagrams at the external interfaces are the same as the signals in the interfaces of the application layer.
- The direction of all signals is consistent to each other and consistent to the input.
- The architecture has the same external interfaces as the traffic lights control component of the system architecture developed in Phase 5.
- The overall architecture contains all components of all subproblem architectures.

#### ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection Notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC

Phase 9

## Example 2: sun blind control

#### SunBlindControl system architecture



#### SunControl Problem Diagram I



#### SunControl architecture

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

Phase 9



The IAL for the WindSensor is splitted since it has to perform two differnt task (transform pulses to a speed, calculates if there is heavy wind). The Microcon-

troller is a reused component.

#### UserControl problem diagram



### UserControl architecture





#### FinsControl problem diagram

h

R4



#### FinsControl architecture

ES

......

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - SEC Example - SEC

Phase 9



There is no IAL for the fins since the requirements for the fins are the same as the specification and no hardware component is necessary to control the fins.

#### NoDestructControl problem diagram



#### NoDestructControl architecture



#### Global architecture



Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

Phase 9



Components with similar names are merged.

#### Global architecture – SunBlindApp



#### Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

Phase 9



In this example the timer is an internal class.

The component *SunDetection* was seperated since the state machine of the whole component *SunBlindApp* is too complex.

### Global architecture – Purpose of the Components I

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

| SunBlindApp                 | Control of SunBlind according to state of Blind,<br>Buttons, Sun and Wind. Control of the Fins<br>according to Buttons and Wind. |
|-----------------------------|----------------------------------------------------------------------------------------------------------------------------------|
| SunDetection                | Calculates if the sun is shining or not shining for a certain period of time.                                                    |
| SunBlindAppCtrl             | Control of SunBlind according to Buttons, Sun and Wind.                                                                          |
| ButtonIAL                   | Transforms button state to intended user commands.                                                                               |
| SunSensorIAL                | Calculates if sun is shining or not based on intensity.                                                                          |
| WindSensorIAL               | Calculates if there is heavy wind or not based on speed.                                                                         |
| ${\sf WindPulseToSpeedIAL}$ | Calculates wind speed from sequence of pulses.                                                                                   |

### Global architecture – Purpose of the Components II

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC

Phase 9

MotorIAL Transforms sun blind commands into motor commands and motor state into sunblind state. ButtonHAL HAL for button access. SunSensorHAL HAL for sun sensor access. WindSensorHAL HAL for wind sensor access. MotorHAL HAL for motor access. FinsHAL HAL for fin access. Microcontroller Hardware running the application.

# SunControl interfaces I

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

Phase 9

Hardware interfaces:

≪ interface ≫ button state

upButtonPushed() upButtonReleased() downButtonPushed() downButtonReleased() ≪ interface ≫ sun\_intensity

sunIntensity(lux: Integer)

≪ interface ≫ wind\_speed ≪ interface ≫ motor\_ctrl

stopMotor() turnMotorRight() turnMotorLeft()

# SunControl interfaces II

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC

Phase 8

Phase 9

 $\ll$  interface  $\gg$ 

fin\_ctrl

rotateFinsWithPositiveDegree()
rotateFinsWithNegativeDegree()

### Microcontroller interfaces:

 $\ll$  interface  $\gg$  ports

out(adr, value) in(adr): value

> ≪ interface ≫ irq7

interrupt\_req\_8()

≪ interface ≫ irq7

interrupt\_req\_7()

# SunControl interfaces III

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

Phase 9

HAL interfaces:

 $\ll {\rm interface} \gg {\rm button\_state}'$ 

upButtonPushed'() upButtonReleased'() downButtonPushed'() downButtonReleased'()

 $\ll$  interface  $\gg$  wind\_speed'

windPulse()'

 $\ll$  interface  $\gg$  sun\_intensity'

sunIntensity'(lux: Integer)

 $\ll$  interface  $\gg$  motor\_ctrl'

stopMotor'() turnMotorRight'() turnMotorLeft'()

### SunControl interfaces IV

ES

Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

Phase 9

 $\ll$  interface  $\gg$  fin\_ctrl'

rotateFinsWithPositiveDegree'()
rotateFinsWithNegativeDegree'()

### IAL Interfaces:

 $\ll$  interface  $\gg$  usr\_cmds

manuallyOpenSunBlind() manuallyCloseSunBlind() adjustFinsPositiveDegree() adjustFinsNegativeDegree()

| $\ll$ interface $\gg$ | ] |  |
|-----------------------|---|--|
| sun_state             |   |  |
|                       | - |  |
| sunShine()            |   |  |
| noSunShine()          |   |  |
|                       | - |  |

# SunControl interfaces V



Heisel

Overview

Phase 6

Phase 7

Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC Phase 8

Phase 9

≪ interface ≫ sun\_blind\_ctrl

stopSunBlind() lowerSunBlind() pullUpSunBlind()

Interface inside application:

≪ interface ≫ sun\_state\_if

sun() noSun()  $\ll interface \gg sun\_blind\_state$ 

sunBlindIsPulledUp()
sunBlindIsLowered()

### SunControl interfaces VI



Heisel

Overview

Phase 6

Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC

Phase 9

### Interface inside IAL:

 $\ll$  interface  $\gg$  wind\_kmh

windSpeed(kmh: Integer)

### Validation

#### ES

Heisel

- Overview
- Phase 6
- Phase 7 Introduction Concepts Connection notation Four-variable model Architectural patterns Procedure Example - TLC Example - SBC
- -. .

- The subproblem architectures have the same external interfaces as the problem diagrams.
- The phenomena of sequence diagrams at the external interfaces are the same as the signals in the interfaces of the application layer.
- The direction of all signals is consistent to each other and consistent to the input.
- The architecture has the same external interfaces as the sun blind controller component of the system architecture developed in Phase 5.
- The overall architecture contains all components of all subproblem architectures.

# Phase 8: Specify the behavior of all components of all software architectures, using sequence diagrams

ES

Heisel

. . .

- Overview
- Phase 6

Phase 7

#### Phase 8 Introduction

Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC 5. Design global system architecture

- 6. Derive specifications for all components of the global system architecture
- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment

# Phase 8: Specify the behavior of all components of all software architectures, using sequence diagrams

ES

Introduction

#### For each subproblem:

| software architectures from Phase 7                                                                                                                                                                        | composite                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | structure                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|                                                                                                                                                                                                            | diagrams                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| interface specifications from Phase 7                                                                                                                                                                      | interface classes                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| system behavior from Phase 4                                                                                                                                                                               | sequence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | diagrams                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
|                                                                                                                                                                                                            | with annotated states                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| interface behavior of all programmable compo-                                                                                                                                                              | sequence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | diagrams                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| nents from Phase 6                                                                                                                                                                                         | with annota                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ted states                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| interface behavior of all software components                                                                                                                                                              | sequence                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         | diagrams                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
| (test specification)                                                                                                                                                                                       | with annota                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | ted states                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |
| validation: all sequence diagrams together must describe<br>the same interface behavior as in Phase 6<br>all signals in the interfaces classes of Phase 7<br>must be used in at least one sequence diagram |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|                                                                                                                                                                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|                                                                                                                                                                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|                                                                                                                                                                                                            |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| direction of signals must be consistent with the                                                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| required and provided interfaces of Phase 7                                                                                                                                                                |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| signals must connect components as connected                                                                                                                                                               |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| in the software architecture of Phase 7                                                                                                                                                                    |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| it must be possible to map any new states to the                                                                                                                                                           |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| states of Phase 6                                                                                                                                                                                          |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
|                                                                                                                                                                                                            | software architectures from Phase 7<br>interface specifications from Phase 7<br>system behavior from Phase 4<br>interface behavior of all programmable compo-<br>nents from Phase 6<br>interface behavior of all software components<br>(test specification)<br>all sequence diagrams together must describe<br>the same interface behavior as in Phase 6<br>all signals in the interfaces classes of Phase 7<br>must be used in at least one sequence diagram<br>direction of signals must be consistent with the<br>required and provided interfaces of Phase 7<br>signals must connect components as connected<br>in the software architecture of Phase 7<br>it must be possible to map any new states to the | software architectures from Phase 7composite<br>diagramsinterface specifications from Phase 7interface clasystem behavior from Phase 4sequence<br>with annotainterface behavior of all programmable compo-<br>nents from Phase 6sequence<br>with annotainterface behavior of all software components<br>(test specification)sequence<br>with annotaall sequence diagrams together must describe<br>the same interface behavior as in Phase 6sequenceall signals in the interfaces classes of Phase 7<br>must be used in at least one sequence diagram<br>direction of signals must be consistent with the<br>required and provided interfaces of Phase 7signals must connect components as connected<br>in the software architecture of Phase 7it must be possible to map any new states to thesequence diagram |

### Notations and concepts



Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variabl model Timing constraints Procedure Example - TI Example - Sf

Phase 9

- Four-variable model (repetition)
- Transformation of timing constraints

### Four-variable model

Four-variable



- Application layer software should have the same interfaces as the system, i.e., monitored and controlled variables.
  - States of the environment will be mapped to internal states.

# Transformation of timing constraints I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TL Example - SE In Phase 4, timing constraints are specified as shown in the following figure.



# Transformation of timing constraints II

ES

Heisel

Overview Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TL Example - SB Phase 0 These timing constraints can be transformed in this phase into implementable events to reuse the specification from Phase 4, e.g., as shown in the following figure:



x' is derived from x according to the expected execution time of the application component and the hardware devices.

# Transformation of timing constraints III

ES

Heisel

Overviev

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TL Example - SB Phase 9





From the timing constraints, concrete requirements for the execution time of the application component and the precision of the clock can be derived.

# Executing Phase 8 |

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints **Procedure** Example - TL( Example - SB( To create the sequence diagrams, for each software component and each subproblem the following steps have to be performed:

- Draw a lifeline for the software component to be specified.
   Either introduce a lifeline for the connected components, or connect the arcs representing a signal with the left and right border of the sequence diagram.
- Describe the interface behavior of the component using the signals from the software architecture.
- The specification of the application components should be reused from Phase 4.

# Executing Phase 8 II

ES

- Heisel
- Overview
- Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints **Procedure** Example - TL' Example - SB<sup>i</sup>

- The specification for the interface abstraction layer can be derived from the domain knowledge used to derive the specification and the specification of the other components in the system architecture, expressed as sequence diagrams.
- The specification for the hardware abstraction layer should show the mapping from the IAL to the hardware and vice versa. Since this specification is usually described in the data book and in the schematic of the hardware, only a reference must be given.
- If possible, refer to other sequence diagrams and do not draw diagrams for the same sequence several times.

# Executing Phase 8 III

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TL Example - SB

- Add states where they are relevant to describe the behavior. Map the defined states to the states in the environment.
- Add missing sequence diagrams to describe the behavior for all relevant states.
- Add timing constraints if necessary.
- Specify the initialization sequences. They describe the state of the software components after initializing the components (e.g., after power-on).

### Remarks

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints **Procedure** Example - TL Example - SB

Phase 9

- In this phase, each component is described separately.
- Do not forget the extended four-variable model (for reuse of specifications).
- A specification expressed somewhere else should be referenced and does not have to be translated into sequence diagrams.
- The sequence diagrams developed in this phase are a concrete basis for the implementation of test cases for all software components.

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

# **Example 1: traffic light control**

### Global software architecture I





### Global software architecture II



### Behavior of the components I

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC TrafficLightBehavior – all subproblems: same as in Phase 4 (also for the initialization sequence), see four-variable model and transformation of timing constrains

Clock – all subproblems: reused component without states (initialization sequence not necessary).

TimeOutTimer – all subproblems: see slide *Transformation of timing constraints*.

# Behavior of the components II

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC InductionLoopIAL – subproblem MainRoadPassing:

| sd InductionL          | oopIAL    |
|------------------------|-----------|
| Inducti                | onLoopIAL |
| vehicle_<br>waiting () | srr ()    |

An initialization sequence is not necessary since no states are specified.

InductionLoopDriver – subproblem MainRoadPassing: see *InductionLoopIAL* and description of the Microcontroller.

### Behavior of the components III

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC Phase 9

# LightsInterfaceAbstraction – all subproblems:

The complete specification for this component can be derived from the domain knowledge about the lights compontent in Phase 4.



An initialization sequence is not necessary since no states are specified.

LightsDriver – all subproblems: see *LightsInterfaceAbstraction* and description of the Microcontroller.

### Behavior of the components IV

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC BrokenLightDriver – subproblem BrokenLightSafeState: see description of the Microcontroller.

EmergencyRequestDriver – subproblem EmergencyRequestSecondaryRoadPassing: see description of the Microcontroller.

Microcontroller – all subproblems: The behavior is described in the Microcontroller data book and therefore not specified here.

### Validation

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

- All sequence diagrams together describe the same behavior as in Phase 6.
- All signals in the interfaces classes of Phase 7 occur in the specification of at least one component (in the complete specification).
- The direction of the signals are consistent with the required or provided interfaces of Phase 7.
- The signals connect the same components as connected in the software architecture of Phase 7.
- The states of the environment are mapped 1:1 to the application states.

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

Example 2: sun blind control

### Global software architecture



### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC



### Software architecture of the application



Phase 9

## Behavior of the Components I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC Phase 9

### ButtonIAL – subproblems SunControl and UserControl



### Behavior of the Components II

ES

Heise

Overview Phase 6 Phase 7 Phase 8 Introductio Concepts Four-varia

Four-varia model Timing constraint Procedure

Example - SBC

Phase 9



### Behavior of the Components III

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

#### Phase 9

### ButtonIAL – subproblems SunControl and FinsControl



### Behavior of the Components IV

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

### SunSensorIAL – subproblem SunControl



### Behavior of the Components V

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC Phase 9

### WindSensorIAL – all subproblems



# Behavior of the Components VI

ES

#### Heisel

Overviev

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

### WindPulseToSpeedIAL – all subproblems



## Behavior of the Components VII

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

Phase 9

#### MotorIAL – subproblems UserControl and SunControl



## Behavior of the Components VIII

ES

#### Heisel

Overviev

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

#### MotorIAL – subproblem NodestructControl



## Behavior of the Components IX

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC ButtonHAL see ButtonIAL and description of Microcontroller SunSensorHAL see SunSensorIAL and description of Microcontroller WindSensorHAL see WindSensorIAL and description of Microcontroller MotorHAL see MotorIAL and description of Microcontroller. Microcontroller see description of Microcontroller.

## Behavior of the Components X

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

#### SunDetection – Subproblem SunControl

| List = s           surStrine()           roSurStrine()           surStrine()           surStrine()           roSurStrine()           roSurStrine()           surStrine()           roSurStrine()           surStrine()           rosurStrine()           roSurStrine()           roSurStrine()           roSurStrine()           roSurStrine()           roSurStrine()           roSurStrine()           roSurStrine()           urdStrine()           urdStrine()           urdStrine()                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | SunD         | stection  |
|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|-----------|
| ALT<br>surShine() -t=rrow<br>roSurShine() -(.1+59)<br>surShine() -(.1+59)<br>row<br>surShine() -(.1+59)<br>row<br>surShine() -(.1+59)<br>row<br>surShine() -(.1+239)<br>roSurShine() -(.1+239)<br>roSurShine() -(.1+239)<br>roSurShine() -(.1+239)<br>roSurShine() -(.1+239)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |              |           |
| surShine()         I=now           noSurShine()         (L+56)           surShine()         I=now           noSurShine()         I=now           noSurShine()         I=now           surShine()         I=now           noSurShine()         I=now           surShine()         I=now           noSurShine()         I=now           incSurShine()         I=now           noSurShine()         I=now           noSurShine()         I=now           noSurShine()         I=now                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |              | unit = s  |
| roSunShine()         -(+1-69)           sunShine()         -(+1-69)           roSunShine()         -(+now           roSunShine()         -(+now           sunShine()         -(+now           sunShine()         -(+1-239)           roSunShine()         -(+row           sunShine()         -(+1-239)           roSunShine()         -(+row           (+(+240))         -(moSun())                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | ALT          |           |
| - (.1-20)<br>- (.1-2 | sunShine()   | -t=now    |
| (+40)<br>roSurShine()<br>usurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine()<br>roSurShine                                                                                                                  | noSunShine() | — (tt+59) |
| (+40)<br>no SunShine()<br>sunShine()<br>(+row<br>sunShine()<br>(+20)<br>(+24)<br>(+24)<br>(+24)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | sunShine()   | -t=now    |
| roSunShine()         -(=now           sunShine()         -(=.1+239)           roSunShine()         -(=.1+239)           roSunShine()         -(=.1+200)           (>1+240)         roSun()                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          | 8+603        | sun()     |
| sunShine()<br>noSunShine()<br>(+1+239)<br>roSunShine()<br>(+1+240)<br>noSun()                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |              |           |
| sunShine() - (l.1+29)<br>noSunShine() - (l-1+00W<br>(+4+240) - noSun()                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | noSUnShine() | -t=now    |
| (>t+240) noSun()                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |              | i         |
| {>t+240}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | noSunShine() | -t=now    |
| sunsnine()                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |              | noSun()   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | sunshinë()   |           |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |              |           |

## Behavior of the Components XI

ES

Example - SBC

#### SunBlindAppCtrl – Subproblem SunControl

| PULL     | ED_UP )                |
|----------|------------------------|
|          |                        |
|          | heavyWind()            |
|          | sun()                  |
|          |                        |
| NEG      | lowerSunBlind >        |
|          |                        |
|          | noSun()                |
|          | noHeavyWind()          |
|          |                        |
| t = now- | manuallyOpenSunblind() |
|          | sun()                  |
| NEG /    | lowerSunBlind          |
|          | IOWEIGUINU             |
|          | noSun()                |
|          | nosun()                |
| {t+4*    |                        |
| 3600}-   |                        |
|          | sun                    |
|          |                        |
|          | lowerSunBlind()        |

## Behavior of the Components XII



Heise

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

| sd SunBlindAppCtrl (R<br>SunBlindAppC | Ctri ButtoniAL         | SunDetection   | WindSensorIAL | MotorIAL |
|---------------------------------------|------------------------|----------------|---------------|----------|
| t = now                               | anuallyCloseSunblind() |                |               | Lunit=s  |
| ×                                     | noSun()                |                |               |          |
| NEG                                   |                        | pullUpSunBlind |               |          |
|                                       | onSun()                |                |               |          |
| {t+4*<br>3600}—                       |                        |                |               |          |
| -                                     | noSun                  |                |               |          |
|                                       |                        | pullUpSunBlind |               |          |
| PULLED_UF                             |                        |                |               |          |
|                                       |                        |                |               |          |
|                                       |                        |                |               |          |

## Behavior of the Components XIII

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

| d SunBlindAppCtrl (R8)                  |               |                      | _       |      |       |        |
|-----------------------------------------|---------------|----------------------|---------|------|-------|--------|
| SunBlindAppCtrl                         | WindSensorIAL | SunDetection         | Mot     | JAho | Butto | nIAL   |
| PULLED_UP and<br>roManualControl        |               |                      |         |      |       | unit=s |
| GNORE<br>overSunBlind,<br>sulUpSunBlind |               |                      |         |      |       |        |
| ALT J                                   |               |                      |         |      |       |        |
| bt=now                                  |               | manuallyCloseSunB    | lind()  |      |       |        |
|                                         |               | manuallyOpenSunBl    |         |      |       |        |
| bt=now-                                 |               | mandanyopensons      | ind()   |      |       |        |
| bt=now-                                 |               | adjustFirsPositiveDe | gree()  |      |       |        |
| bt=now-                                 |               | adjustFinsNegativeDe | igree() |      |       |        |
|                                         |               |                      |         |      |       |        |
| PULLED_UP and<br>ManualControl          |               |                      |         |      |       |        |
| *                                       | sun           |                      |         |      |       |        |
| NEG                                     | lowe          | rSunBlind            |         |      |       |        |
|                                         |               |                      |         |      | l     |        |
| {bt+ 3600<br>*4}                        |               |                      |         |      |       |        |
| PULLED_UP and<br>noManualControl        |               |                      |         |      |       |        |
| ×                                       | noSun         |                      |         |      |       |        |
|                                         | sun           |                      |         |      |       |        |
|                                         | lower         | SunBlind()           |         |      |       |        |
| LOWERED and<br>noManualControl          |               |                      |         |      |       |        |
|                                         |               |                      |         |      |       |        |
|                                         |               |                      |         | 1    |       |        |

## Behavior of the Components XIV

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

#### SunBlindAppCtrl – Subproblem UserControl

| sd SunBlindApp (R5) |                  |             |           |
|---------------------|------------------|-------------|-----------|
| SunBlindApp         | WindSensorIAL    | MotorIAL    | ButtonIAL |
|                     |                  |             | 1         |
|                     | manuallyOpe      | nSunBlind() |           |
|                     | !                | !           |           |
|                     | pullUpSunBlind() |             |           |
|                     | 1                | 1           | 1         |
|                     |                  |             | 1         |
| i                   | i                | i           | i         |
| I                   | 1                | 1           | 1         |

## Behavior of the Components XV



## Behavior of the Components XVI

SunBlindApp – subproblem FinsControl

ES

#### Heisel



## Behavior of the Components XVII

ES

Heisel

#### Overview

Phase 6

Phase 7

Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

#### - subproblem NodestructControl



## Validation

#### ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8 Introduction Concepts Four-variable model Timing constraints Procedure Example - TLC Example - SBC

 All sequence diagrams together describe the same behavior as in Phase 6.

- All signals in the interfaces classes of Phase 7 are captured in at least one sequence diagram.
- The direction of the signals are consistent with the required or provided interfaces of Phase 7.
- The signals connect the same components as connected in the software architecture of Phase 7.
- The state invariants can be mapped as follows:
  - noManualControl ⇔ no interaction within the last 4 hours
  - manualControl ⇔ pressed within the last 4 hours
  - $\blacksquare PULLEED_{-}UP \Leftrightarrow UP$
  - $\blacksquare LOWERED \Leftrightarrow DOWN$

# Phase 9: Specify the software components of all software architectures as state machines

ES

Heisel

. . .

Overview

Phase 6

Phase 7

Phase 8

Phase 9

#### Introduction

Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment
- 11. Integrate and test software components
- 12. Integrate and test hardware and software

# Phase 9: Specify the software components of all software architectures as state machines

|                               | · · · · · · · · · · · · · · · · · · · |                                              |                    |
|-------------------------------|---------------------------------------|----------------------------------------------|--------------------|
| ES                            | input:                                | interface behavior from Phase 8              | sequence diagrams  |
|                               |                                       |                                              | with annotated     |
| Heisel                        |                                       |                                              | states             |
| - ·                           |                                       | relationships between subproblems speci-     | grammars           |
| Overview                      |                                       | fied in Phase 5                              |                    |
| Phase 6                       | output:                               | component overview description with refer-   | class diagram with |
| Phase 7                       |                                       | ences to interface classes                   | ports, sockets and |
| Phase 8                       |                                       |                                              | lollipops          |
| r nase o                      |                                       | data types and operations                    | class diagrams     |
| Phase 9                       |                                       | defined using pre- and postconditions        | formulas or natu-  |
| Introduction                  |                                       | defined using pre- and postconditions        |                    |
| Concepts                      |                                       |                                              | ral language       |
| Active and<br>passive classes |                                       | state machines                               | state machine dia- |
| Pre- and<br>postconditions    |                                       |                                              | grams              |
| Class invariants              |                                       | invariants                                   | formulas or natu-  |
| UML 2.0 state<br>machine      |                                       |                                              | ral language       |
| diagrams<br>Active and        | validation:                           | consistent with interface behavior from      |                    |
| passive sensors               |                                       | Phase 8                                      |                    |
| Procedure<br>Example - TLC    |                                       | completeness of state machines (implies      |                    |
| Example - SBC                 |                                       | error-cases for user-interaction)            |                    |
|                               |                                       | a class must be active if it contains an ac- |                    |
|                               |                                       | tive class or a timer                        |                    |
|                               |                                       |                                              |                    |

### Notations and concepts

#### ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

Phase 9

#### Introducti Concepts

Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

- Notation for active and passive classes
- Pre- and postconditions
- Class invariants
- UML 2.0 state machine diagrams
- Active and passive sensors

### Notation for active and passive classes

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9 Introduction

Active and passive classes

Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC Components corespond to classes.

Active Class: May contain timers, work in parallel to its environment, may contain other passive or active classes (see composite structure diagram of Phase 7)

Passive Class: Cannot contain timers, functionality is executed in the time context of an active class, may contain other passive classes.



## Notation for data types



Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introductio Concepts

Active and passive classes

Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

# Data Type Class: passive class without required or provided interfaces

<<type>>

DataTypeClass

attribute: Datatype

operation(..)

## Design by Contract – Pre- and Postconditions

#### ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

Phase 9

Introduction Concepts Active and passive class

Pre- and postconditions

Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

- Needed to apply principle of design by contract.
- Must be specified for all operations.
- Preconditions: express when an operation may be called.
- Postconditions: express effect of operations by relating the state before calling the operation with the state that is reached after termination of the operation.

## Design by Contract - Contracts in daily life

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classe

Pre- and postconditions

Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC Bertrand Meyer Object-Oriented Software Construction Prentice Hall 1988 (first edition), 1997 (second edition) online see:

http://archive.eiffel.com/doc/manuals/technology/contract/page.html

- Contractual partners are clients and sellers or service providers.
- Both expect advantages from the contract and are willing to make a commitment.

## Design by Contract – Example

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classe

Pre- and postconditions Class invariants

UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

#### I want to travel from Berlin to Duisburg.

|                     | Commitments                                                        | Advantages                                                                                                                                         |
|---------------------|--------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------|
| Passenger           | Pay ticket<br>Be there at departure time<br>Must keep precondition | getting to Duisburg<br>Has advantages from post-<br>condition                                                                                      |
| Traffic<br>provider | Must take the passenger to<br>Duisburg<br>Must guarantee postcond. | Receives price for the<br>ticket; does not have to<br>take passengers who have<br>not paid or did not arrive<br>in time<br>Can assume precondition |

# Pre- and Postconditions – Advantages of explicit contracts

#### ES

Heisel

Overviev

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classe

Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Evanade SPC

#### Meyer:

A contract document protects both the client, by specifying how much should be done, and the supplier, by stating that the supplier is not liable for failing to carry out tasks outside of the specified scope.

Application to software: A contract is a formal agreement between a machine / a class and its actors / clients. It specifies the rights and duties for both sides.

# Pre- and Postconditions – Example: Stack (generic class)

|                                                          | , i i i i i i i i i i i i i i i i i i i |                      |
|----------------------------------------------------------|-----------------------------------------|----------------------|
| ES                                                       |                                         |                      |
| Heisel                                                   |                                         |                      |
| Overview                                                 | -1                                      |                      |
| Phase 6                                                  | class                                   | Stack[T]             |
| Phase 7                                                  | attribute                               | nb_elements: integer |
| Phase 8                                                  | method                                  | empty(): Boolean     |
| Phase 9                                                  |                                         | full(): Boolean      |
| Introduction<br>Concepts                                 |                                         | push(x: T)           |
| Active and<br>passive classes                            |                                         | pop()                |
| Pre- and<br>postconditions                               |                                         | top(): T             |
| Class invariants<br>UML 2.0 state<br>machine<br>diagrams | end class                               |                      |
| Active and<br>passive sensors                            |                                         |                      |
| Procedure<br>Example - TLC<br>Example - SBC              |                                         |                      |
|                                                          |                                         |                      |

# Pre- and Postconditions – Specification of the stack operations I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classe

Pre- and postconditions

Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

empty() **pre** true **post** Result = true  $\Leftrightarrow$  nb\_elements = 0 full() **pre** true **post** Result = true  $\Leftrightarrow$  nb\_elements = ... push(x: T) **pre** not full **post** not empty and nb\_elements = nb\_elements@pre + 1and "top = x" "x@pre": old value of attribute x, i.e., value when operation is called; "x": new value of attribute x, i.e., value when operation terminates

# Pre- and Postconditions – Specification of the stack operations II



# Pre- and Postconditions – Commitments and advantages

ES

Heisel

Pre- and postcondition

| lient | Commitments $Call_{nuclei}(x) = call_{nuclei}(x)$                                                                                       | Advantages                                                                  |
|-------|-----------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
| lient | Call puch(x) cally if                                                                                                                   |                                                                             |
|       | Call <i>push</i> ( <i>x</i> ) only if Element <i>x</i> is stack is not full <i>stack</i> , top() result <i>nb_elements</i> is increase. |                                                                             |
|       | Must keep precondition                                                                                                                  | Has advantages from post-<br>condition                                      |
| erver | Makes sure that x is<br>placed on the stack<br>Must guarantee post-<br>condition                                                        | Unnecessary to handle the case if stack is full.<br>Can assume precondition |
|       | erver                                                                                                                                   | erver Makes sure that x is placed on the stack Must guarantee post-         |

# Pre- and Postconditions – Application of the design by contract principle I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes

Pre- and postconditions

UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

- An operation may only be called when its precondition is satisfied. Otherwise, its effect is unspecified.
- The caller of an operation must make sure that the precondition of the operation holds.
  - This can be done by checking the precondition explicitly before calling the operation. However, the precondition can also be guaranteed by the context. For example, immediately after a *pop* operation, a *push* operation is always possible.
- Pre- and postcondition must be contained in the code of each operation, either as an assertion that can be checked at runtime, or (at least) as a comment.
- In the implementation of the operation, the precondition is not checked!!

# Pre- and Postconditions – Application of the design by contract principle II

ES

Heisel

- Overview
- Phase 6

Phase 7

Phase 8

- Phase 9
- Introduction Concepts Active and passive classe

Pre- and postconditions

UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

- Operations that are called from the environment outside the machine should be robust, i.e., they should have precondition *true*, and the treatment of error cases should be performed in the operation.
- Internal operations may have stronger preconditions than true. Then, the treatment of error cases must be performed in the operations that call the operation in question.
- Example: An operation *push1* that checks if the stack is full is a different operation than the *push* operation given above. It implements a different functionality!

## Pre- and Postconditions - Syntax

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive class

Pre- and postconditions

Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

- Boolean expressions like in programming languages Example: x <> 0 and x <= y</p>
- Formulas, using logical connectives Example:  $x \neq 0 \land x \leq y$
- Natural language

Example: "x must not be equal to zero, and x must be less than or equal to y"  $% \left( {{{x_{\rm{m}}}} \right) = {{x_{\rm{m}}}} \right)$ 

### Class invariants

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions **Class invariants** UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC Condition that holds for all objects of a class, in the initial state, before and after each operation.

Example: class invariant for *Stack*:  $0 \le nb_{-}elements$ 

## State Machines

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors

Procedure Example - TLC Example - SBC Consist of states and transitions between these states.

Example: two states with transitions



### Transitions, initial states



<sup>1</sup>Several figures taken from UML Superstructure Specification, v2.0 (709 Pages), http://www.omg.org/docs/formal/05-07-04.pdf

#### State Lists



It is allowed to combine states.

### State References



It is allowed to repeat states.

### **Composite States**



"XOR" hierachical states. When the state machine is in state AB, it is *either* in state A or in state B.

### Referenced Composite States



## Regions

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC



Figure 380 - Notation for composite state/state machine with regions

"AND" hierarchical (parallel) states. When the state machine is in state S, it is *in all* regions at the same time. To eliminate regions, one has to form the Cartesian product of the states of the (two or more) regions.

Alternative: Do not use regions, but define a separate active class (and corresponding state machine) for each parallel state machine.

# Choice States





No "real" states (the state machine cannot stay in such states, events are not processed); they are only used to make case distinctions.

# Entry and Exit Points



Exit points can be used to leave the composite state from a specified state and go to another state outside (that is connected with the exit point).

# Example: Reference to Sub-State Machines with Entry and Exit Points



# Final State and Terminate Node

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive concerner

Procedure Example - TLC Example - SBC



Figure 363 - Final State

### A final state indicates, that the composite state will be left.



Figure 375 - Terminate node

A terminate node indicates that the object will be destroyed.

# Sub-State Machines: Example ATM (1)



# Sub-State Machines: Example ATM (2)



# History

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure

Example - TLC Example - SBC

# (H)

Figure 369 - Shallow History

When a composite state is re-entered, the sub-state is entered that was most recently left.



Figure 370 - Deep History

Recursive history connector. May be useful when substates are also hierarchically structured.

# Difference between active and passive sensors I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Active Sensor: Sensor actively sends its measured values (cyclic or when they changed).
 Passive Sensor: Sensor values have to be requested. We distinguish between passive sensors that react with and without delay.



Both are drawn as *active classes* because they are hardware components, and hardware components usually work in parallel with their environment.

# Difference between active and passive sensors II

ES



Overviev

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams **Active and passive sensors** Procedure Example - TLC



The interface to the higher layer can be the same for all type of sensors if this kind of HAL is used.

# Phase 9: Specify the software components of all software architectures as state machines

| ES                                                                 | input:      | interface behavior from Phase 8                                           | sequence diagrams                                   |
|--------------------------------------------------------------------|-------------|---------------------------------------------------------------------------|-----------------------------------------------------|
| Heisel                                                             |             |                                                                           | with annotated states                               |
| verview                                                            |             | relationships between subproblems speci-<br>fied in Phase 5               | grammars                                            |
| hase 6<br>hase 7                                                   | output:     | component overview description with refer-<br>ences to interface classes  | class diagram with ports, sockets and               |
| hase 8                                                             |             |                                                                           | lollipops                                           |
| hase 9<br>ntroduction<br>Concepts<br>Active and<br>passive classes |             | data types and operations<br>defined using pre- and postconditions        | class diagrams<br>formulas or natu-<br>ral language |
| Pre- and<br>postconditions<br>Class invariants                     |             | state machines                                                            | state machine dia-<br>grams                         |
| JML 2.0 state<br>nachine<br>liagrams<br>Active and                 |             | invariants                                                                | formulas or natu-<br>ral language                   |
| passive sensors<br><b>rocedure</b><br>xample - TLC<br>xample - SBC | validation: | consistent with interface behavior from Phase 8                           |                                                     |
| xample - 56C                                                       |             | completeness of state machines (implies error-cases for user-interaction) |                                                     |
|                                                                    |             | a class must be active if it contains an ac-                              | 173                                                 |

# Executing Phase 9 I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors **Procedure** Example - TLC For each component, the following steps should be performed:

- Decompose the component if necessary. In this case, add descriptions of new interface classes.
- Draw an active (e.g., behaves like hardware, contains a clock) or passive (e.g., calculation-routine) class with its interfaces as a component overview description.

# Executing Phase 9 II

ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors **Procedure** Example - TLC For each subproblem and each component, the following steps should be performed:

- Design a state machines that implements the behavior of all sequence diagrams specified in Phase 8.
- Add necessary data as attributes to the component overview description.
- In case of complex data or complex operations on data types: add classes for data types.
- Specify pre- and postconditions for all operations of introduced classes.
- Complete the state machines, i.e. there must be a specified reaction to each possible input signal.
- Add class invariants to introduced classes if possible.

# Executing Phase 9 III

ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8
- Phase 9
- Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure
- Example TLC Example - SBC

To merge the different state machine associated with one component, the following steps should be performed:

- The state machine diagrams can be merged according to the case distinction we made in Phase 7:
  - Case 1 (The components are hardware (HAL) or interface abstraction layers (IAL), establishing the connection to some hardware device): often the state machines will already be equal, because they describe the same device. If not, the state machines must be merged manually. In many cases, we only need to add the additional signals to the appropriate states.
  - Case 2 (Two application components belong to subproblems being related sequentially or by alternative): the composition can be achieved by using composite states. The connecting arcs between the sub-automata depend on the problem.

# Executing Phase 9 IV

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors **Procedure** Example - TLC

- Case 3 (Two application components belong to parallel subproblems and share some output phenomena): here, the merge depends on the problem to be solved. The priorities from Phase 5 have to be taken into account.
- Case 4 (Two application components belong to parallel subproblems and share some input phenomena): the merge has to be performed manually.
- Case 5 (Two application components belong to parallel subproblems and do not share any interface phenomena): no merge should be performed, see Phase 7.
- When state machines are merged, for each state it must be checked if it can handle all events that can occur.

## Remarks

### ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors **Procedure** Example - TLC

- In contrast to Phase 8, the behavior must be described completely for each subproblem since the state diagrams form the basis for the implemention.
- To validate the results, it should be assured that each composed state machine is complete and covers all input events that can be sent by the components with an interface to the composed state machine.

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC

# Example 1: traffic light control

# Global software architecture

ES

Heise

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC



# Component TrafficLightApplication I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Evample - SBC The component *TrafficLightApplication* is an active component since it contains a clock. The following overview diagram is not strictly necessary since this component is decomposed as shown on the following slide.



The component *TrafficLightApplication* is split into the subcomponents *TrafficLightBehavior*, *Clock*, and *TimeOutTimer*. These components are specified separately.

# Component TrafficLightApplication II



# Component TrafficLightApplication III

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC ⟨⟨*interface*⟩⟩ ms\_clock MsClock ()

 $\langle \langle interface \rangle \rangle$ 

set\_timeout

SetTimeOut (seconds: Integer)

| $\langle \langle interface \rangle \rangle$ |  |  |  |
|---------------------------------------------|--|--|--|
| timeout                                     |  |  |  |
|                                             |  |  |  |
| TimeOut ()                                  |  |  |  |

# Component Clock

### ES

#### Heisel

#### Overview

- Phase 6
- Phase 7
- Phase 8

### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2,0 state machine diagrams Active and passive sensors Procedure **Example - TLC** 

### Clock component overview



- The component is an active component since it has to work in parallel with all other components and generates cyclic signals.
- Usually it is a standard component, contained in the operating system. Hence, it is not specified here.

# Component TimeOutTimer I

ES

### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** 

### TimeOutTimer component overview



- Additionally, it contains a data type and operators for the remaining time.
- The state machine uses this data.
- The component is a passive component, since it reacts immediately to the input signals of the clock.

# Component TimeOutTimer II

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** 

# TimeOutTimer operations IsZero()

pre true

post  $Result = true \Leftrightarrow remaining_time = 0$ 

## SetTime(x)

pre x > 0

post remaining\_time = x

### DecTime()

pre remaining\_time  $\neq 0$ post remaining\_time = remaining\_time@pre -1

# Component TimeOutTimer III



# Heise

- Overview
- Phase 6
- Phase 7
- Phase 8

### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** Example - SBC

### TimeOutTimer state machine



### TimeOutTimer invariants

For the state machine and the data of the component the following additional invariant must always be true:

In state Stopped  $\Rightarrow$  remaining\_time = 0 In state Running  $\Rightarrow$  remaining\_time > 0

# Component TrafficLightBehavior I



### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** Example - SBC

### TrafficLightBehavior component overview



- It is a passive component since it reacts immediately to input signals.
- The attribute *another\_vehicle\_waiting* was added later.

# Component TrafficLightBehavior II



### TrafficLightBehavior state machine for SecondaryRoadPassing



# Component TrafficLightBehavior III



### Heisel

- Overviev
- Phase 6

Phase 7

Phase 8

### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC

### TrafficLightBehavior state machine for MainRoadPassing



- The attribute another\_vehicle\_waiting is added to store a secondary road request.
- The state machine is using this data.

# Component TrafficLightBehavior IV



Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC Example - SBC**  TrafficLightBehavior state machine for EmergencyRequest In this state machine. the states of the other state machines are repeated (in blue) to express the behavior without changing all other state machines



# Component TrafficLightBehavior V



### TrafficLightBehavior State Machine for BrokenLightSafeState



# Component TrafficLightBehavior VI

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### TrafficLightBehavior merged state machine

This component is contained in all subproblems. The attribute *another\_vehicle\_waiting* is only contained in the subproblem *MainRoadPassing*. Therefore, in the state machines for the other subproblems this attribute must be considered:

- In the subproblem SecondaryRoadPassing, the signal srr must not change the attribute another\_vehicle\_waiting, since the cars on the secondary road are allowed to pass and they are not waiting.
- In the subproblem *EmergencyRequest*, the signal *srr* must not change the attribute *another\_vehicle\_waiting*, since the cars on the secondary road are allowed to pass and they are not waiting.

# Component TrafficLightBehavior VII

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

#### Phase 9 Introduct

Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - SBC On start-up, each time the main phase is activated the attribute another\_vehicle\_waiting must be set to false.

Since the subproblems *MainRoadPassing* and *SecondaryRoadPassing* are related sequentially, one state machine will be activated as soon as the other state machine terminates. The state machines for the subproblems *EmergencyRequest* and *BrokenLightSafeState* are parallel and activated with the signals *broken\_light()* or *emergency\_request\_start()*. Once activated, they take control over the output signals. Additionally, the initialization sequence

# Component TrafficLightBehavior VIII





# Component: InductionLoopIAL I

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** Example - SBC

# InductionLoopIAL component overview and state machine for MainRoadPassing



It is a passive component since it reacts immediately to input signals.

This component is only contained in subproblem *MailRoadPassing*, and no merge is performed.

# Component LightsInterfaceAbstraction I



### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** 



It is a passive component since it reacts immediately to input signals.

# Component LightsInterfaceAbstraction II

ES

Heisel

LightsInterfaceAbstraction state machine for MainRoad-

LightsInterfaceAbstraction ction state machine for SecondaryainRoad- RoadPassing

LightsInterfaceAbstraction



main green ()/

m green (true)

m\_red (false), m\_yellow (false).



Concepts Active and passive classes Pre- and postconditions Class invariants diagrams Active and passive sensors Procedure **Example - TLC** Example - SBC

# Component LightsInterfaceAbstraction III



Example - TLC

## Component LightsInterfaceAbstraction IV

#### ES

#### Heisel

#### Overview

- Phase 6
- DI 7

#### Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** Example - SBC

### LightsInterfaceAbstraction global state machine



## Component: InductionLoopDriver



#### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** Example - SBC

### InductionLoopDriver component overview



- When this component receives the signal *interrupt\_request\_7*, it emits a *srr* signal.
- It is a passive component since it reacts immediately to input signals from the Microcontroller.
- It is not specified here since it only converts the interrupt into a signal for the IAL.

This component is only contained in subproblem *MailRoadPassing* and need not be merged.

## Component LightsDriver



Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC



- This component sets the ports to switch the lights on or off.
- It is a passive component since it reacts immediately to input signals from the IAL.
- It is not specified here since it only passes on the input signals from the IAL to specific ports of the microcontroller.

## Component: BrokenLightDriver



#### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC

### BrokenLightDriver component overview



- When this component receives the signal *interrupt\_request\_8*, it emits a *broken\_light* signal.
- It is a passive component since it reacts immediately to input signals from the Microcontroller.
- It is not specified here since it only converts the interrupt into a signal for the IAL.

This component is only contained in subproblem *BrokenLightSafeState* and need not be merged.

## Component: EmergencyRequestDriver



#### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** Example - SBC

### EmergencyRequestDriver component overview



- When this component receives interrupt\_request\_9, it reads out the port connected to the emergency request switch and emits the signal emergency\_request\_start() or the signal emergency\_request\_end().
- It is a passive component since it reacts immediately to input signals from the Microcontroller.
- It is not specified here since it only reads out the input port in case of an interrupt request and generates the signal for the IAL.

This component is only contained in subproblem *EmergencyRequest* and need not be merged.

### Component Microcontroller

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SPC

### Microcontroller component overview

- The *Microcontroller* is a reused existing component.
- It is not specified here since it is described in its datasheet.
- It is an active component since it is a hardware component.
- The component requires and provides at least the same interfaces as shown in the global software architecture.

### Validation

#### ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure **Example - TLC** 

- The state machines are consistent with the interface behavior from Phase 8. All states are covered. Additional states ending with \_PASSING\_WILL\_START are introduced.
- Each architectural component is covered, and in all state machines each possible input signal (as specified in Phase 7) is taken into account. The interface classes are the same as in Phase 7.

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

## Example 2: sun blind control

## Global software architecture (repetition)

ES

#### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8
- Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC



## Component SunControlApplication (repetition)



Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8
- Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### This component can be deomposed as follows:



## Component SunDetection I



Example - SBC

### SunDetection component overview





210/241

## Component SunDetection II

ES

#### Heisel



Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### SunDetection state machine



## Component SunBlindAppCtrl I

ES

#### Heisel

Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### SunBlindAppCtrl component overview



## Component SunBlindAppCtrl II

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### SunBlindAppCtrl state machine for SunControl



## Component SunBlindAppCtrl III

Example - SBC



## Component SunBlindAppCtrl IV

#### ES

#### Heisel

#### Overview

Phase 6

Phase 7

#### Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant: UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### SunBlindAppCtrl state machines for UserControl



## Component SunBlindAppCtrl V

Example - SBC



## Component SunBlindAppCtrl VI



### SunBlindAppCtrl state machine for FinsControl



## Component SunBlindAppCtrl VII

#### ES

#### Heisel

#### Overview

Phase 6

Phase 7

#### Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant: UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### SunBlindAppCtrl state machines for NoDestructControl



## Component SunBlindAppCtrl VIII

Example - SBC



## Component SunBlindAppCtrl IX

ES

#### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### SunBlindAppCtrl merged state machine



## Component SunBlindAppCtrl X



## Component ButtonIAL I



#### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC





## Component ButtonIAL II



## Heise

-----

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### ButtonIAL state machine for SunControl and UserControl



## Component ButtonIAL III



## Heise

.

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### ButtonIAL state machine for FinsControl



## Component ButtonIAL IV

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### ButtonIAL merged state machine



## Component ButtonHAL

ES

#### Heisel

Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and Procedure Example - TLC Example - SBC

### ButtonHAL component overview



This component checks the port of the microcontroller representing the state of the buttons every 20 ms and generates the *pressed* and *released* signals if the state of the port changes.

## Component SunSensorIAL I



### SunSensorIAL component overview



Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

This component is contained only in the subproblem SunControl and need not to be merged.

## Component SunSensorIAL II

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### SunSensorIAL state machine



## Component SunSensorHAL

ES

#### Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC **Example - SBC** 

### SunSensorHAL component overview



When this component receives an intrerrupt from *irq7*, it reads out the port of the microcontroller where a new intentity is stored and sends the *sunIntensity* signal. This component is contained only in the subproblem SunControl and need not to be merged.

## Component WindSensorIAL I



### WindSensorIAL component overview



Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

# This component is the same for all subproblems and need not to be merged.

### Component WindSensorIAL II

ES

Heisel

#### Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### WindSensorIAL state machine



## Component WindPulseToSpeedIAL I



### WindPulseToSpeedIAL component overview



Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

# This component is the same for all subproblems and need not to be merged.

## Component WindPulseToSpeedIAL II

#### ES

#### Heise

#### Overview

- Phase 6
- Phase 7

#### Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### WindPulseToSpeedIAL state machine



## Component WindSensorHAL

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

### WindSensorHAL component overview



When this component receives the signal *interrupt\_req\_8()*, it emits a *windPulse* signal.

This component is the same for all subproblems and need not to be merged.

## Component MotorIAL I



### MotorIAL component overview



- Overview
- Phase 6
- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC



## Component MotorIAL II



## Component MotorIAL III

ES

#### Heisel

- Overview

- Phase 7
- Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariant: UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

## MotorIAL merged state machine (Signals for NoDesctructControl added)



## Component MotorHAL I

ES

#### Heisel

#### Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

## MotorHAL component overview



This component sets the ports to turn the motor left or right or to stop it. It would be a passive component for the subproblems SunControl, UserControl and FinsControl since it reacts immediately to input signals. But it has to be an active

## Component MotorHAL II

#### ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC component, since it also checks the port of the microcontroller representing the state of the motor every 10 ms and generates the *blocked* signals if the state of the port changes (subproblem NoDestructControl).

## Component FinHAL

ES

Heisel

Overview

Phase 6

Phase 7

Phase 8

Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state diagrams Active and passive sensors Procedure Example - TLC Example - SBC

## FinIAL component overview



This component sets the ports to turn the fins left or right. This component is contained only in the subproblem FinsControl and need not to be merged.

## Component Microcontroller

ES

#### Heisel

Overview

Phase 6

Phase 7

Phase 8

#### Phase 9

Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2.0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

#### Microcontroller component overview



The *Microcontroller* is a reused existing component. In this Figure, only the interfaces relevant for the problem are shown.

## Validation

#### ES

Heisel

- Overview
- Phase 6
- Phase 7
- Phase 8
- Phase 9
- Introduction Concepts Active and passive classes Pre- and postconditions Class invariants UML 2:0 state machine diagrams Active and passive sensors Procedure Example - TLC Example - SBC

- The state machines behave as described in the sequence diagrams of Step 8. All states are covered.
- The interface classes are the same as in Phase 7.
- SunDetection, ButtonIAL, and WindPulseToSpeedIAL are active classes, because they contain timers.
   SunBlindAppCtrl is active, because it contains the active class SunDetection. MotorHAL is an active component since it works in parallel with the other components.
- The state machines handle all possible signals in all states.

ES Heisel

Overview

Phase 10

Phase 11

Phase 12

Summary

## Embedded Systems WS 08/09

## Maritta Heisel Maritta.Heisel(AT)uni-duisburg-essen.de

Denis.Hatebur(AT)uni-duisburg-essen.de

University Duisburg-Essen – Faculty of Engineering Department of Computer Science Workgroup Software Engineering

## Overview of development process (DePES) I

#### ES

Heisel

Overview

Phase 10

Phase 11

Phase 12

Summary

- 1. Describe system in use
- 2. Describe system to be built
- 3. Decompose problem
- 4. Derive a machine behavior specification for each subproblem
- 5. Design global system architecture
- 6. Derive specifications for all components of the global system architecture
- 7. Design an architecture for all programmable components of the global system architecture that will be implemented in software

## Overview of development process (DePES) II

## Heisel

ES

#### Overview

- Phase 10
- Phase 11
- Phase 12
- Summary

- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment
- 11. Integrate and test software components
- 12. Integrate and test hardware and software

Phase 10: Implement software components and test environment

#### ES

Heisel

. . .

Overview

Phase 10

#### Introduction

Notations Java Implementation of modules Module Tests Procedure Example - TLC

Phase 11

Phase 12

Summary

- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment
- 11. Integrate and test software components
- 12. Integrate and test hardware and software

# Phase 10: Implement software components and test environment

#### ES

#### Heisel

#### Overview

| P | ь. |  | -1 |  |
|---|----|--|----|--|
|   |    |  |    |  |

| luction |
|---------|
|         |

Notations Java Implementatic of modules Module Tests Procedure Example - TLC

Phase 11

Phase 12

Summary

|   | input:      | software component behavior from      | sequence diagrams     |
|---|-------------|---------------------------------------|-----------------------|
|   |             | Phase 8                               | with annotated states |
|   |             | specification of merged components of | different notations   |
| 1 |             | Phase 9                               |                       |
|   | output:     | test software for software components | programming lan-      |
|   |             |                                       | guage or test lan-    |
|   |             |                                       | guage                 |
|   |             | implemented software components       | programming lan-      |
|   |             |                                       | guage                 |
|   | validation: | run tests                             | test results          |

## Notations and concepts



Phase 12

Summary

## Java

- Implementation of modules
- Module tests

## Constants

```
ES
Heisel
Overview
Phase 10
Introduction
Notations
Java
Implementation
of modules
Module Tests
Procedure
Example - TLC
Example - SBC
```

```
Phase 11
```

Phase 12

Summary

■ in C++:

#define X 2

or const int X = 2;

■ in Java: final static int X = 2;

## Classes in Java

#### ES

#### Heisel

#### Overview

- Phase 10
- Introduction Notations
- Java
- Implementation of modules Module Tests Procedure Example - TLC
- Example SE
- Phase 11

Phase 12

Summary

- Always one file for one class, no header files
- Name of constructor = name of class = name of file
- There is no destructor, the garbage collection frees memory of unused objects (e.g. for objects set to *null*).
- The entry point of an application is public static void main (String[] args) in one class (file).

Note: Java is case sensitive.

## Objects in Java

#### ES

#### Heisel

- Overview
- Phase 10
- Introduction Notations
- Java
- Implementation of modules Module Tests Procedure Example - TLC Example - SBC
- Phase 11
- Phase 12
- Summary

- All objects that are not simple data types such as boolean, char, byte, short, int, long, float, double have to be created explicitly.
- For some simple data types predefined classes exist (e.g. Integer for int). These classes provide methods like, e.g., toString.
- Create an object m of the class Integer: Integer m = new Integer(0);
- Or: Integer m; m = new Integer(0);
- Attributes and methods declared as static belong to the class and are the same for all objects.
- super can be used to access functionality of the the superclass.
- this can be used to reference the object itself.

## Classes: Example

#### ES

#### Heisel

```
Overview
Phase 10
Introduction
Notations
Java
```

Module Tests Procedure Example - TLC Example - SBC Phase 11

```
Phase 12
```

Summary

public class MainInit {
 private Integer i; // Attributes
 private String s;
 public MainInit() { // Constructor
 s = new String();
 i = new Integer(7);
 }
 public static void main(String [] args) {
 MainInit m = new MainInit();
 }
}

## Abstract Classes

#### ES

#### Heisel

- Overview
- Phase 10
- Introduction Notations
- Java
- Implementation of modules Module Tests Procedure
- Example SB
- Phase 11
- Phase 12
- Summary

- Methods that are not yet implemented can be defined as abstract.
- A class with at least one abstract method is an abstract class.
- Abstract classes are useful for inheritance.
- Java supports no multiple inheritance.
- An abstract class has to be *extended* by another class where the method has to be implemented (keyword: extends).
- It is not possible to create objects of an abstract class.

## Abstract Classes: Example



## Interface Classes

#### ES

#### Heisel

#### Overview

- Phase 10
- Introduction Notations

#### Java

- Implementation of modules Module Tests Procedure Example - TLC Example - SBC
- Phase 11

Phase 12

Summary

- A class where all methods are abstract can be declared as an interface.
- A class can implement several interfaces (keyword implements), but it can only extend one other class.
- A class can be accessed using the interface.
- An interface class has no constructor.
- Solves problem of multiple inheritance.

## Interface Classes: Example



## Exceptions

#### ES

#### Heisel

Overview

Phase 10

Introduction Notations

```
Java
```

Implementation of modules Module Tests Procedure Example - TLC Example - SBC

Phase 11

Phase 12

Summary

# Methods can throw exceptions public int div(int n1, int n2) throws Exception { if (n2==0) throw Exception; ... } Exceptions can be handled with try and catch try { a = div(b,c); } catch (Exception e) { System.out.println(e); //println internally calls e.toString() }

 Other exceptions are e.g. IOException, ClassNotFoundException, ArithmeticException, OutOfMemoryError, Error.

## Assertions

#### ES

#### Heisel

#### Overview

- Phase 10
- Introduction Notations

#### Java

- Implementation of modules Module Tests Procedure Example - TLC Example - SBC
- Phase 11

Phase 12

Summary

- Assertions can be used to specify (and check) the pre-conditions and possibly post-conditions of a method.
- Assertions are defined using

assert condition==true: "ErrorString";

- Assertions are introduced in Java 1.5, they are only evaluated using the execution switch "evaluate assertions": java -ea
- Exceptions thrown by assertions cannot be caught.

## Threads ( $\triangleq$ Tasks with shared memory)

#### ES

#### Heisel

Overview

- Phase 10
- Introduction Notations

#### Java

- Implementation of modules Module Tests Procedure Example - TLC Example - SBC
- Phase 11

Phase 12

Summary

- Threads are necessary for active components.
- Systems with one processor use time slices to simulate parallelism for several threads.
- The started thread runs "in parallel" to the other parts of the software.
- Threads in Java support the following functionality:

start starts the Thread

interrupt stops the thread

setName Assigns a name to the thread.

sleep Waits the time given as a parameter in ms.

yield Advises the scheduler to run another thread at this time.

setPriority Assigns a priority to the thread. Threads with a higher priority get more execution time or they preempt the other tasks (depends on OS).

## Example: Threads

#### ES Heisel

Java

of modules

Phase 11

Phase 12

Summary

```
import java.lang.*; // import library functionality
public class Clock extends Thread{
   private ms_clock clk;
                                           // Attributes
   public Clock(ms_clock call) {
                                           // Constructor
        clk = call:
        this.start();
    }
                                           // Thread
   public void run () {
        while (true) {
                                           // endless Loop
            clk.MsClock():
            trv {
                Thread.sleep(1); //this.sleep(1) is also possible
            } catch ( Exception e ) { // when thread is interrupted
                System.out.println( e ); // using interrupt()
            }
       }
   }
}
```

18/92

# Example: Threads with runnable interface (alternative way)

```
ES
              import java.lang.*;
              public class Clock implements Runnable{
   Heisel
                  private Thread clockThread;
                                                         // Attributes
                  private ms_clock clk;
                  public Clock(ms_clock call) {
                                                         // Constructor
                      clk = call:
                       clockThread = new Thread (this);// an object of type Thread
Java
                                                             must be created with the
                      clockThread.start();
                                                         11
of modules
                  }
                                                         11
                                                             object of Clock as a param.
Module Tests
                  public void run () {
                                                         // Thread
                      while (true) {
                                                         // endless Loop
                           clk.MsClock():
Phase 11
                           trv {
                               Thread.sleep(1);
Phase 12
                           } catch ( Exception e ) {
Summary
                               System.out.println( e );
                           }
                      }
                  }
              }
```

Must be used if the class extends another class.

## Problem: Concurrent access to variables



## Solution: Synchronize

#### ES Heisel

Java

Phase 11

Phase 12

Summarv

```
public class SharedMemSum {
   private int[] x;
   public SharedMemSum () {
       x = new int [3]:
       x[0]=0; x[1]=0; x[2]=0;
   }
   synchronized void setVal(int a, int b, int c) { //called from T. 1
       x[0] = a; x[1] = b; x[1] = c;
   3
   synchronized int getSum() { //called from Thread 2
       int a,b,c;
       a=x[0]; b=x[1]; c=x[2];
       return a+b+c:
   }
}
```

The statement synchronized makes a method non-interruptable.

## Implementation of modules / software components

#### ES

#### Heisel

Overview

- Phase 10
- Introduction Notations Java Implementation of modules Module Tests
- Procedure Example - TLC Example - SBC

Phase 11

Phase 12

Summary

- A module has provided and required interfaces that can be connected with other modules
- A module only uses functionality from its required interfaces, from the programming language, and a limited set of operations of the operating system (e.g., tasks, threads, memory allocation, timers, messages, synchronization mechanisms).
  - Active components are implemented using threads.

# Implementation of modules / software components $\ensuremath{\mathsf{II}}$

#### ES

#### Heisel

Overview

Phase 10

Introduction Notations Java

#### Implementation of modules

Module Tests Procedure Example - TLC Example - SBC

Phase 11

Phase 12

Summary

## Interfaces can be implemented using

- directly called methods,
- methods in interface classes, or
- messages, e.g.
  - delegates in  $C\sharp$ ,
  - events in Java,
  - $\blacksquare$  signals and slots in C++ with the Qt-library,
  - messages in the Windows API.

Messages usually allow asynchronous communication (with queuing) and in some frameworks multiple consumers are allowed.

## Implementation of interfaces I

#### ES

Heisel

Overview

Phase 10

Introduction Notations Java

Implementation of modules

Module Tests Procedure Example - TLC Example - SBC

Phase 11

Phase 12

Summary

Loose and tight coupling is possible for interfaces between components.

- For tight coupling methods are called directly.
- Tight coupling of objects can only be implemented if the called object is created by the calling class.
- Tight coupling usually needs less resources and can also be implemented using non-oo languages.
- For loose coupling (methods in interface classes) the objects are created by a different class. The object that uses an interface of another object needs a reference to the used object. The reference can be provided in the constructor or in an additional method to connect the objects.

## Implementation of interfaces II

#### ES

#### Heisel

Overview

Phase 10

Introduction Notations Java Implementation of modules Module Tests Procedure

Example - SB

Phase 11

Phase 12

Summary

 With loose coupling, the object can be implemented independently of its environment. The object becomes a component. Messages also implement a loose coupling. Loose coupling is better for the implementation of module tests.

## Implementation of interfaces in Java



Procedure Example - TL Example - SB

Phase 11

Phase 12

Summary

The project name should be added as a package. Otherwise additional parameters are necessary to compile the project. Note: int is a simple data type and and String is a class.

## Implementation of provided interfaces in Java I



## Implementation of provided interfaces in Java II

#### ES

#### Heisel

Overview

Phase 10

Introduction Notations Java Implementation of modules Module Tests

Example - TL Example - SB

Phase 11

}

Phase 12

Summary

```
A component can implement / provide several interfaces, e.g.:

public class AmplifierAndSpeeker implements

LineInOut, PowerSupply {

public AmplifierAndSpeeker (){} //constructor

public void transmitMusic() { Play;}
```

All provided operations must be implemented as methods.

public void powerOn() { Action2;}

## Implementation of required interfaces in Java I

#### ES

```
Heisel
```

Overview

Phase 10

Introduction Notations Java Implementation of modules Module Tests Procedure Example - TLC Example - SBC

Phase 11

Phase 12

Summary

A component can use / require several interfaces, defined as interface classes.

```
public class Tuner implements PowerSupply {
    private LineInOut outputDevice;
    public Tuner(){ outputDevice = NULL; }
    public void connectTo(LineInOut par) {outputDevice = par;}
    public void powerOn() {
        while (true) {
            if (outputDevice!=NULL) outputDevice.transmitMusic();
        }
    }
}
```

}

## Implementation of required interfaces in Java II

## ES

### Heisel

- Overview
- Phase 10 Introduction Notations Java Implementation of modules Module Tests Procedure
- Example TL Example - SB
- Phase 11
- Phase 12
- Summary

- The required interfaces become private attributes (outputDevive of type LineInOut).
- The component has to provide a method to connect the component to the required component (connectTo). In this connect method, the private attributes is initialized.
- Using this private attribute, the connected component can be used. It should only be used if it is initialized (if (outputDevice!=NULL) ... ).
- Alternatively, it is possible to leave out the method connectTo and initialize the connected interface in the constructor.
  - The component Tuner also provides the interface PowerSupply and implements the method powerOn.

## Implementation of required interfaces in Java III

## ES

#### Heisel

## Overview

Introduction Notations Java Implementation of modules Module Tests Procedure Example - TLC

Phase 11

Phase 12

Summary

```
public class Battery {
    public Battery(){ suppliedDevice=NULL }
    private PowerSupply suppliedDevice;
    public void connectTo(PowerSupply suppliedDevice ) {
    suppliedDevice.powerOn();
    }
}
```

The component Battery powers on the supplied device when connected. It requires the interface PowerSupply.

## Implementation of required interfaces in Java IV

## ES

#### Heisel

Overview

Phase 10 Introduction

Notations

Implementation of modules

Module Tests Procedure Example - TI

Example - St

Phase 11

Phase 12

Summary

The components *bat1*, *bat2*, *myTuner*, and *myAmp* can be connected as follows:



## Implementation of required interfaces in Java V

### ES

#### Heisel

#### Overview

```
Phase 10
Introduction
Notations
Java
Implementation
```

#### Implementatio of modules

Module Tests Procedure Example - TL

Example - SI

Phase 11

Phase 12

Summary

```
AmplifierAndSpeeker myAmp = new AmplifierAndSpeeker();
Tuner myTuner = new Tuner();
Battery bat1 = new Battery();
Battery bat2 = new Battery()
```

```
myTumer.connectTo(myAmp);
bat1.connectTo(myTuner);
bat2.connectTo(myAmp);
```

## Implementation of state machines in Java I

## ES

#### Heisel

Overview

Phase 10 Introduction Notations

#### Implementation of modules

Module Tests Procedure Example - TLC Example - SBC

Phase 11

Phase 12

Summary

Can be implemented in different ways; here just one alternative is shown.

- Define a constant for each state.
- Set the initial state in the constructor.
- Create a method for each incoming signal.
- Add a case distinction containing all possible states to this method.
- In each case emit the specified output signals and set the new state of the state machine.
- Add appropriate handling for the parameters of the signals.
- Add a default case.

## Implementation of state machines in Java II



## Module Tests I



Phase 12

Summary

Sequence diagrams can be transformed into test cases.

A signal to the module can be implemented as a method call to the module (must belong to a provided interface).

## Module Tests II

## ES

- Heisel
- Overview
- Phase 10
- Introduction Notations Java
- of modules
- Module Tests
- Example TLO
- Phase 11
- Phase 12
- Summary

- For each required interface, a test driver that provides the required interfaces is necessary. It has to store the signals and the parameters called from the module to be tested. The test driver also needs an interface to check which methods (with which parameters) were called.
- Each signal in the sequence diagram from the tested module will be implemented as a command to the driver to check which methods (with which parameters) were called.
- If a timing constraint is given, it must be checked that the signal (method call) occurred within the given interval (not before and not too late).
- If a sequence diagram contains a combined fragment ALT, then for each alternative a test case must be implemented.

## Module Tests III

## ES

#### Heisel

#### Overview

- Phase 10
- Introduction Notations Java Implementatio
- Module Tests
- Procedure Example - TLC Example - SBC
- Phase 11

Phase 12

Summary

- If the sequence diagram contains variables, suitable sample values must be used for testing. Try to use also values at the limit of the range and out of the range.
- If a sequence diagram describes a typical interactions, also implement test cases for similar interactions and exceptional behavior. (In this case you have to check the state machines to find out the expected behavior.)

# Phase 10: Implement software components and test environment

### ES

#### Heisel

#### Overview

| - |  |  |   |  |
|---|--|--|---|--|
|   |  |  | 1 |  |
|   |  |  |   |  |

Introduction Notations Java Implementatio of modules Module Tests

#### Procedure

Example - TLC Example - SBC

Phase 11

Phase 12

Summary

| input:      | software component behavior from      | sequence diagrams     |
|-------------|---------------------------------------|-----------------------|
|             | Phase 8                               | with annotated states |
|             | specification of merged components of | different notations   |
|             | Phase 9                               |                       |
| output:     | test software for software components | programming lan-      |
|             |                                       | guage or test lan-    |
|             |                                       | guage                 |
|             | implemented software components       | programming lan-      |
|             |                                       | guage                 |
| validation: | run tests                             | test results          |

## Executing Phase 10

ES

Heisel

Overview

- Phase 10
- Introduction Notations Java Implementation of modules
- Procedure
- Example TLO Example - SBO
- Phase 11

Phase 12

Summary

In general, the procedure to implement and test software components using an object oriented programming languages can be described as follows:

- 1. Create interface classes for all internal interfaces (also for subcomponents).
- Implement test drivers and cases for all components (except HAL) according to the sequence diagrams of Phase 8.
- 3. Create classes for all (sub-)components and implement them.
  - Implement actions as private methods.
  - Implement the state machine.
  - Implement the active classes with threads.
  - Check all classes if there is a concurrent access to complex variables and resolve this problem with the synchronized statement.
- 4. Run test cases.

## Remarks I

## ES

#### Heisel

### Overview

- Phase 10
- Introduction Notations Java Implementatio of modules
- Module Te

#### Procedure

- Example TL Example - SB
- Phase 11

Phase 12

Summary

- Only the software components are implemented in this phase. They will be connected / integrated in the next phase.
- The validation of this phase is performed by running the test cases (unit test).
- The HAL is difficult to test because the hardware is directly connected to the HAL. Therefore, manual tests using measurement equipment and debugging tools should be performed.
- Real-time functionality must be tested in an emulator.

## Remarks II

## ES

## Heisel

#### Overview

- Phase 10
- Introduction Notations Java Implementatio
- of modules Module Test

#### Procedure

- Example TLC Example - SBC
- Phase 11
- Phase 12
- Summary

- The software components are implemented using some simple heuristics. For embedded systems, usually a static connection between components is established. The connectors in the composite structure diagrams can be implemented e.g. as data streams, method calls, asynchronous messages, or hardware access.
- This development process allows developing statically linked software components with the possibility of reuse.

#### ES

#### Heisel

Overview

Phase 10

Notations Java Implementation of modules

Module Tests

Example - TLC

Example - SBC

Phase 11

Phase 12

Summary

## **Example 1: traffic light control**

## Create interface classes

## ES

#### Heisel

#### Overview

Phase 10 Introduction Notations Java Implementation of modules Module Tests Procedure **Example - TLC** Example - SBC Phase 11

|   | < <interface>&gt;</interface> |
|---|-------------------------------|
|   | lights_state_if               |
| F | 1.0                           |
|   | main_red ()                   |
| S | sec_red ()                    |
| r | main_yellow ()                |
|   | sec_yellow ()                 |
| r | main_green ()                 |
| S | sec_green ()                  |
| r | main_yellow_red ()            |
| s | sec_yellow_red ()             |
| a | all_off ()                    |

package tlc; public interface lights\_state\_if { public void main\_red(); public void sec\_red(); public void sec\_red(); public void sec\_yellow(); public void sec\_red\_yellow(); public void sec\_red\_yellow(); public void sec\_green(); public void sec\_green(); public void all\_off(); }

Phase 12 Summary

## Implement test environment

## ES

## Heisel

Overview

- Phase 10
- Introduction Notations
- Implementat
- of modules
- Module Test
- Procedure Example - TLC
- Example SBC
- Phase 11

Phase 12

Summary

- The test environment consists of the test drivers for all required interfaces and the test cases.
- The test drivers stores the called methods and their parameters.
- The test drivers provides an interface to check the stored methods and parameters.
- Tests should be performed for all components, except HAL.
- The Hardware Abstraction Layer should be tested manually, because you need hardware to test them.

## Test environment for LightsInterfaceAbstraction



Test cases according Phase 8.

# Implementation of LightsTestDriver for lights\_on\_off\_if'

| ES                                   |                                                                                                      |
|--------------------------------------|------------------------------------------------------------------------------------------------------|
| Heisel                               | <pre>class LightsTestDriver implements lights_on_off_if_ {     private boolean _m_red = false;</pre> |
| Overview                             | private boolean _s_red = false;<br>private boolean _m_yellow = false;                                |
| Phase 10                             | private boolean _s_yellow = false;                                                                   |
| Introduction<br>Notations            | private boolean _m_green = false;                                                                    |
| Java<br>Implementation<br>of modules | <pre>private boolean _s_green = false;</pre>                                                         |
| Module Tests                         | <pre>public void m_red (boolean x) { _m_red = x;}</pre>                                              |
| Procedure<br>Example - TLC           | <pre>public void s_red (boolean x) { _s_red = x;}</pre>                                              |
| Example - SBC                        | <pre>public void m_yellow (boolean x) { _m_yellow = x;}</pre>                                        |
| Phase 11                             | <pre>public void s_yellow (boolean x) { _s_yellow = x;}</pre>                                        |
| Phase 12                             | []                                                                                                   |
| Summary                              | <pre>public boolean checkColor(boolean mr, sr, my, sy, mg, sg) {</pre>                               |
|                                      | return ( (_m_red == mr) && (_s_red == sr) &&                                                         |
|                                      | (_m_yellow == my) && (_s_yellow == sy) &&                                                            |
|                                      | (_m_green == mg) && (_s_green == sg) ) ;                                                             |
|                                      | }                                                                                                    |
|                                      | }                                                                                                    |

# Implementation of test cases for LightsInterfaceAbstraction

| ES                           | package tlc;                                                           |  |  |  |
|------------------------------|------------------------------------------------------------------------|--|--|--|
| E5                           | <pre>import junit.framework.TestCase;</pre>                            |  |  |  |
| Heisel                       | public class LightsInterfaceAbstractionTest extends                    |  |  |  |
|                              | TestCase {                                                             |  |  |  |
| Overview                     | LightsInterfaceAbstraction lia;                                        |  |  |  |
| Phase 10                     | LightsTestDriver ltd;                                                  |  |  |  |
| Introduction                 | <pre>public void testInit() {</pre>                                    |  |  |  |
| Notations                    | // Initialize the test environment and the SU                          |  |  |  |
| Java                         | <pre> ltd = new LightsTestDriver();</pre>                              |  |  |  |
| Implementation<br>of modules | <pre>sd LightsIA 1 / lia = new LightsInterfaceAbstraction(ldt);</pre>  |  |  |  |
| Module Tests                 | LightsInterfaceAbstraction // check that all lights are off ofter init |  |  |  |
| Procedure<br>Example - TLC   | main red() assertTrue("one light is on", ltd.checkColor                |  |  |  |
| Example - SBC                | (false, false, false, false, false, false);                            |  |  |  |
| Phase 11                     | m_red (on) }                                                           |  |  |  |
| 51 10                        | <pre>m_yellow (off) public void test_lightsia_1() {</pre>              |  |  |  |
| Phase 12                     |                                                                        |  |  |  |
| Summary                      | m_green (off) // send input signal                                     |  |  |  |
|                              | lia.main_red();                                                        |  |  |  |
|                              | // checks result using the test driver                                 |  |  |  |
|                              | assertTrue("not only m_red on", ltd.checkColor                         |  |  |  |
|                              | <pre>(true, false, false, false, false, false));</pre>                 |  |  |  |
|                              | }                                                                      |  |  |  |
|                              |                                                                        |  |  |  |
|                              | }                                                                      |  |  |  |

## Test environment for the application component



Test cases according to Phase 8.

## Implementation of test driver for set\_timeout

### ES

#### Heisel

```
Overview
Phase 10
Introduction
Notations
Java
Implementation
of modules
Procedure
Example - TLC
Example - SBC
Phase 11
Phase 12
Summary
```

```
package tlc;
class TimerTestDriver implements set_timeout {
    int sec = -1;
    public void SetTimeOut(int seconds) {
        sec = seconds;
    }
    public boolean checkSetTimeOut(int second) {
        boolean ret = (sec == second); sec = -1;
        return ret;
    }
}
```

Reset of sec to enable two consecutive checks with same value.

# Implementation of LightsTestDriver for lights\_state\_if

| ES                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Heisel                                                                                                                                                                             | <pre>class LightsAppTestDriver implements lights_state_if {     int color = 0;</pre>                                                                                                                                                                                                                                                                                                                                                                                                |
| Overview<br>Phase 10<br>Introduction<br>Notations<br>Java<br>Implementation<br>of modules<br>Procedure<br><b>Example - TLC</b><br>Example - SBC<br>Phase 11<br>Phase 12<br>Summary | <pre>public final static int M_R = 1;<br/>public final static int S_R = 2;<br/>public final static int M_RY = 3;<br/>[]<br/>public final static int ALL_OFF = 9;<br/>public void main_red(){ color = M_R; }<br/>public void sec_red(){color = S_R; }<br/>public void main_yellow(){color = M_Y; }<br/>[]<br/>public void all_off(){color = ALL_OFF;}<br/>public boolean checkColor(int colorNr) {<br/>boolean ret = (colorNr == color);<br/>color = 0;<br/>return ret;<br/>} </pre> |

# Implementation of test cases for TrafficLightBehavior I



```
(System unter test).
```

# Implementation of test cases for TrafficLightBehavior II

## ES Heisel

Phase 12

Summary

```
      Overview
      tlb = new TrafficLightBehavior();

      Phase 10
      lia = new LightsAppTestDriver();

      Introduction
      tot = new TimerTestDriver();

      Notations
      tlb.ConnectTo(tot, lia);

      Implementation
      // checks lights using the test driver

      Module Tests
      assertTrue("main_red not set", lia.checkColor(lia.M_R));

      Procedure
      }

      Example - SBC
      ...

      Phase 11
      }
```

Only *main\_red* is checked due to limitation of the test driver since only the last called is stored.

## Implementation of test cases for TrafficLightBehavior III



# Implementation of test cases for TrafficLightBehavior IV

## ES Heisel

Overview

Phase 10 Introduction Notations Java Implementation of modules Module Tests Procedure **Example - TLC** Example - SBC Phase 11

Phase 12

Summary

```
package tlc;
import junit.framework.TestCase;
public class TrafficLightBehaviorTest extends TestCase {
    . . .
    public void testMainRoadPassing2() {
        // ALL_WAIT_M
        // simulate elapsed timer
         tlb.Timeout();
        // checks result using the test driver
         assertTrue("main_red_yellow not set", lia.checkColor(lia.M_RY))
        // checks timer setting using the test driver
         assertTrue("timeout wrong", tot.checkSetTimeOut(1));
        // simulate elapsed timer
         tlb.Timeout():
        // checks result using the test driver
         assertTrue("main_green not set", lia.checkColor(lia.M_G));
        // checks timer setting using the test driver
         assertTrue("timeout wrong", tot.checkSetTimeOut(20));
        // MAIN_PASSING
        // simulate elapsed timer
         tlb.Timeout():
```

# Implementation of test cases for TrafficLightBehavior V

### ES Heisel // sends directly a signals to the provided interfaces tlb.srr() // checks result using the test driver assertTrue("main\_yellow not set", lia.checkColor(lia.M\_Y)); // checks timer setting using the test driver assertTrue("timeout wrong", tot.checkSetTimeOut(1)); // MAIN\_PASSING\_WILL\_END of modules // simulate elapsed timer tlb.Timeout(): Example - TLC // checks result using the test driver assertTrue("main RED not set", lia.checkColor(lia.M r)); Phase 11 // ALL\_WAIT\_S Phase 12 } Summarv . . . }

The test runs faster than reality.

## Create classes for all (sub-)components



All methods of all provided interfaces have to be implemented

(here: *SetTimeOut, MsClock*). An empty function body ({}) is used to avoid error messages of the compiler.

## Implement actions as private methods

}

## ES

#### Heisel

Overview

Phase 10 Introduction Notations Java Implementation of modules Module Tests Procedure Example - TLC Example - SBC

Phase 11

Phase 12

Summary

## lsZero()

pre true post Result = true ⇔ remaining\_time = 0 SetTime(time)

pre time  $\geq 0$ post remaining\_time = time DecTime()

> pre remaining\_time  $\neq 0$ post remaining\_time = remaining\_time@pre -1

```
package tlc;
public class TimeOutTimer implements
                ms clock. set timeout {
    . . .
    private long remaining_time = 0;
    . . .
    private boolean IsZero() {
        return (remaining time == 0):
    }
    private void SetTime(long time) {
        assert (time >= 0): "PRE: SetTime":
        remaining_time = time;
    }
    private void DecTime() {
        assert remaining_time!=0:
               "PRE: DecTime":
        remaining_time = remaining_time - 1
    }
```

## Implement the state machine as public methods I



## Implement the state machine as public methods II

FS Heisel Example - TLC Phase 11 Phase 12 Summarv

```
package tlc:
public class TimeOutTimer implements ms_clock, set_timeout {
    static final int STOPPED = 0;
    static final int RUNNING = 1:
    private int state;
    public TimeOutTimer(timeout timeout_par) {
        SetTime(0): state = STOPPED:
    }
    public void SetTimeOut(int seconds) {
        switch (state) {
            case STOPPED:
                SetTime(seconds*1000); state = RUNNING; break;
            case RUNNING:
                SetTime(seconds*1000); break;
            default:
                assert false: "FSM error TimeOutTimer.SetTimeOut":
        7
```

Do not forget the *break*-statement. Otherwise, the next case will also be executed.

## Implement the state machine as public methods III



## Implement the active classes with threads



## Check for concurrent access

## ES

#### Heisel

#### Overview

Phase 10

Introduction Notations Java Implementation of modules Module Tests Procedure Example - TLC

Phase 11

Phase 12

Summary

For all classes: Check what methods of one class are called from different threads.

 No synchronized statement is necessary because no complex attributes are shared between methods called by different threads.

## Validation: run tests

## ES

### Heisel

Overview

Phase 10

Notations Java Implementati of modules Module Tests Procedure

#### Example - TLC

Example - SBC

Phase 11

Phase 12

Summary

## Output of JUnit test environment:

## Test result with one error:

```
Testsuite: tlc.TrafficLightBehaviorTest
Tests run: 33, Failures: 1, Errors: 0, Time elapsed: 0,217 sec
Testcase: testInit(tlc.TrafficLightBehaviorTest): FAILED
main_red not set
junit.framework.AssertionFailedError: main_red not set
at tlc.TrafficLightBehaviorTest.testInit(TrafficLightBehaviorTest.java:103)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.NativeMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:
Test tlc.TrafficLightBehaviorTest FAILED
```

## Test result with no errors:

```
Testsuite: tlc.TrafficLightBehaviorTest
Tests run: 33, Failures: 0, Errors: 0, Time elapsed: 0,213 sec
```

#### ES

#### Heisel

Overview

Phase 10

Notations Java Implementation of modules Module Tests Procedure

Example - TLC Example - SBC

Phase 11

Phase 12

Summary

## Example 2: sun blind control

# Implementation of SunBlindContoller



Phase 12

Summary

Phase 11: Implement software components and test environment

### ES

### Heisel

. . .

Overview

Phase 10

Phase 11

#### Introduction

Procedure Example - TLC Example - SBC

Phase 12

Summary

- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
- 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment
- 11. Integrate and test software components
- 12. Integrate and test hardware and software

## Phase 11: Integrate and test software components

#### ES Heisel input: global software architecture from composite structure Phase 7 grams software behavior from Phase 6 sequence diagrams with an-Introduction notated states implemented software programming language components from Phase 10 Phase 12 output: implemented software programming language Summarv test software for integrated softprogramming language or test language ware validation: run tests test results

dia-

# Executing Phase 11

## ES

Heisel

Overview

Phase 10

Phase 11 Introduction Procedure Example - TLC Example - SBC

Phase 12

Summary

In general, the procedure to compose the software out of components using an object oriented programming languages can be described as follows:

1. Create a class for each subcomponent containing other components to initialize all objects according to the subcomponent-architecture.

2. Create a class MainInit to initialize all objects according to the architecture from Phase 7.

- 3. Implement test cases for the connected components (except HAL) according to the sequence diagrams of Phase 6.
- 4. Run test cases.

#### ES

Heisel

Overview

Phase 10

Phase 11 Introduction Procedure

Example - TLC Example - SBC

Phase 12

Summary

# **Example 1: traffic light control**

# Create class containing all components of TrafficLightsApplication I



# Create class containing all components of TrafficLightsApplication II

```
ES
              package tlc;
  Heisel
              public class TrafficLightApplication {
                  // declare all components
                  private TrafficLightBehavior tlb;
                  private TimeOutTimer tot;
                  private Clock clk:
                  public TrafficLightApplication () { // constructor
Example - TLC
                      // create all components, connect where possible
                      tlb = new TrafficLightBehavior();
Phase 12
                      tot = new TimeOutTimer(tlb):
Summarv
                      clk = new Clock(tot);
                  }
                  public void connectTo(lights_state_if lsi) {
                      // connect remaining interfaces
                      tlb.connectTo(tot, lsi);
                  }
              }
```

# Create main class containing all components I



# Create main class containing all components II

```
ES
             package tlc;
             public class MainInit {
  Heisel
                 // declare all components
                 private BrokenLightDriver bld;
                 private EmergencyRequestDriver erd;
                 private InductionLoopDriver ild;
                 private LightsInterfaceAbstraction lia;
                 private LightsDriver ld;
                 private TrafficLightsApplication tla;
Example - TLC
Example - SBC
Phase 12
                 public MainInit() {
                      // create all components, connect all components
Summarv
                      ld = new LightsDriver():
                                                               // Actuators
                      lia = new LightsInterfaceAbstraction (ld);
                      tla = new TrafficLightApplication(); // Application
                      bld = new BrokenLightDriver(tlb); // Sensors
                      erd = new EmergencyRequestDriver(tlb);
                      ild = new InductionLoopDriver(tlb);
                      tla.ConnectTo(lia):
                            // Connect components and start Application
                  ł
```

# Create main class containing all components III



Parameters are used to create connections according to the software architecture. The order of initialisation is important. Start with objects without required interfaces.

# Test environment for integrated software



Test cases according to Phase 6.

# Implementation of test cases for TrafficLightControl I



```
LightsInterfaceAbstraction lia;
```

```
LightsTestDriver ltd;
```

```
InductionLoopIAL il;
```

```
public void testInitialization() {
```

# Implementation of test cases for TrafficLightControl II

## ES Heisel Overview // Initialize the test environment and the SUT (System unter test). Phase 10 tla = new TrafficLightApplication (); Phase 11 ltd = new LightsTestDriver(); Introduction Procedure Example - TLC Example - SBC tla.ConnectTo(lia); Phase 12

. . .

}

Summarv

```
// checks lights using the testdriver
   assertTrue("main_red and sec_red not set",
        ltd.checkColor(true, true, false, false, false, false));
}
```

# Implementation of test cases for TrafficLightControl III



# Implementation of test cases for TrafficLightControl IV

## **Heisel** Overview Phase 10

ES

package tlc;

Phase 11 Introduction Procedure

```
Example - TLC
Example - SBC
```

```
Phase 12
```

Summary

```
import junit.framework.TestCase;
public class TrafficLightBehaviorTest extends TestCase {
    public void testTLC_Main_Road_Passing_2() {
        // ALL_WAIT_M
        // wait 3 seconds
         Thread.sleep(3000);
        // checks lights state using the testdriver
         assertTrue("main_red_yellow not set",
            lia.checkColor(true, true, true, false, false, false));
        // wait 1 second
         Thread.sleep(1000):
        // checks lights state (sec_green) using the testdriver
         assertTrue("main_green not set",
            lia.checkColor(false, true, false, false, true, false));
        // MAIN_PASSING
        // wait 21 seconds
         Thread.sleep(21000);
        // sends directly the srr signal to the provided interfaces
         il.srr()
```

# Implementation of test cases for TrafficLightControl V

## ES Heisel // checks result using the testdriver assertTrue("main\_yellow not set", lia.checkColor(false, true, true, false, false, false)); // MAIN PASSING WILL END // wait 1 second Thread.sleep(1000); Example - TLC // checks lights state using the testdriver Example - SBC assertTrue("main\_red not set", Phase 12 lia.checkColor(true, true, false, false, false, false)); Summarv // ALL\_WAIT\_S } . . . }

## Validation: run tests

## ES

### Heisel

Overview

Phase 10

Phase 11

Procedure

Example - TLC

Phase 12

Summary

## Output of JUnit test environment:

## Test result with one error:

Testsuite: tlc.TrafficLightBehaviorTest Tests run: 24, Failures: 1, Errors: 0, Time elapsed: 3,345 sec Testcase: testInit2(tlc.TrafficLightBehaviorTest): FAILED main\_red not set junit.framework.AssertionFailedError: main\_red and sec\_red not set at tlc.TrafficLightBehaviorTest.testInitialization(TrafficLightBehaviorTest.java:103) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java: Test tlc.TrafficLightBehaviorTest FAILED

## Test result with no errors:

```
Testsuite: tlc.TrafficLightBehaviorTest
Tests run: 24, Failures: 0, Errors: 0, Time elapsed: 103,345 sec
```

#### ES

Heisel

Overview

Phase 10

Phase 11 Introduction Procedure Example - TLC Example - SBC

Phase 12

Summary

## **Example 2: sun blind control**

# Implementation of SunBlindContoller

| ES                                                                      |                                               |
|-------------------------------------------------------------------------|-----------------------------------------------|
| Heisel                                                                  |                                               |
| Overview                                                                |                                               |
| Phase 10                                                                |                                               |
| Phase 11<br>Introduction<br>Procedure<br>Example - TLC<br>Example - SBC | See Netbeans-Project on http://swe.uni-due.de |
| Phase 12                                                                |                                               |

Summary

# Phase 12: Integrate and test hardware and software

## ES

## Heisel

. . .

- Overview
- Phase 10
- Phase 11
- Phase 12
- Introduction Procedure
- Summary

- 7. Design a software architecture for all components of the global system architecture that should be implemented in software
- 8. Specify the behavior of all components of all software architectures, using sequence diagrams
  - 9. Specify the software components of all software architectures as state machines
- 10. Implement software components and test environment
- 11. Integrate and test software components
- 12. Integrate and test hardware and software

# Phase 12: Integrate and test hardware and software

## ES

#### Heisel

Phase 10 Phase 11 Phase 12 Introductio Procedure

| lia- |
|------|
|      |
|      |
| an-  |
|      |
|      |
|      |
|      |
|      |
|      |
| est  |
|      |
|      |
|      |

# Executing Phase 12

## ES

- Overview
- Phase 10
- Phase 11
- Phase 12 Introduction Procedure
- Summary

- Load software into target (microcontroller).
- Perform manual tests.
- Build test environment for automated test.
- Implement test cases for the whole machine according to the sequence diagrams from phase 4.
- Run test cases.

## Remarks

## ES

- Overview
- Phase 10
- Phase 11
- Phase 12 Introduction Procedure
- Summary

- The acceptance test should not be done by the developer.
- The test environment can be developed in parallel to the design and implementation phases.
- The test environment has to interact with the external interfaces of the machine. Hence the technical interfaces of the test system also consist of hardware.

# What do we gain by defining such a process? I

## ES

- Overview
- Phase 10
- Phase 11
- Phase 12
- Summary

- Sequence of well-defined steps helps developers to focus attention on relevant parts of the task (and fake a rational design process ;-).
- Developed models and their interrelations can be checked in each step.
- Validation is integral part of the process:
  - Validation conditions are defined for each step.
  - Systematic test case generation is part of the process.
- Certification according to safety- and security standards (IEC 61508 and Common Criteria) is supported.

# What do we gain by defining such a process? II

ES

- Heisel
- Overview
- Phase 10
- Phase 11
- Phase 12
- Summary

- Various possibilities for tools support:
  - UML tools available.
  - Tool for generating sequence diagrams available.
  - Model checker for UML state machines available.
  - Other tools conceivable.
- Component-based development is supported.
- Hardware as well as software components can be part of the developed system (machine).
- Specific attention is paid to the analysis phase and the modeling of the environment. (Environment models yield test cases.)
- Non-functional (quality) characteristics can be taken into account (in particular, safety and security; by specific architectures and problem frames).

# What do we gain by defining such a process? III

## ES

- Overview
- Phase 10
- Phase 11
- Phase 12
- Summary

- Systematic evolution of existing systems is supported (traceability links between different models / documents).
- Problem decomposition is performed explicitly and systematically. Relations between subproblems are exploited to compose partial solutions of subproblems.
- Using patterns in various phases support re-use of existing knowledge and (partial) automation:
  - Problem Frames for analysis
  - Architectural patterns for software design
  - Code patterns for implementing state machines
- Process emerged from industrial practice, uses well-established languages and techniques. Hence, no ivory-tower invention.

# What do we gain by defining such a process? IV

| ES       |                                                        |
|----------|--------------------------------------------------------|
| Heisel   |                                                        |
| Overview |                                                        |
| Phase 10 |                                                        |
| Phase 11 | Therefore, we can hope that with DePES, we are able to |
| Phase 12 | develop better products with less effort.              |
| Summary  |                                                        |
|          | However: DePES is not a light-weight process!          |