Building Dependable Systems

1
Building Dependable Systems
2
Ambiguous
Defect Removal Formalisation
Incomplete
Control of Complexity
Inconsistent
Behavior Trees
Informal Requirements
Complex
Integration
Simulation
Model Checking
Implementation
Integrated Behavior Tree
3
Informal Requirements
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


4
Requirements Translation
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


5
Requirement Behavior Tree
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


6
Requirements Integration
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


7
Integrated Behavior Tree
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


8
Component Behavior Tree
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


9
Simulation
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


10
Verification
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


11
Automatically Generated Implementation
Informal Requirements
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree



Verification
Component Behavior Tree

Implementation


12
Building Dependable Systems
Informal Requirements
Requirement Behavior Trees
Requirements Translation

• R1. There is a single control button available
  for the user of the oven. If the oven is idle
  with the door closed and you push the button, the
  oven will start cooking (this is, energize the
  power-tube for one minute).
• R2. If the button is pushed while the oven is
  cooking it will cause the oven to cook for an
  extra minute.
• R3. Pushing the button when the door is open has
  no effect (because it is disabled).
• R4. Whenever the oven is cooking or the door is
  open the light in the oven will be on.
• R5. Opening the door stops the cooking.
• R6. Closing the door turns off the light. This is
  the normal idle state, prior to cooking when the
  user has placed food in the oven.
• R7. If the oven times-out, the light and the
  power-tube are turned off and then a beeper emits
  a sound to indicate that the cooking is finished.

Simulation
Integrated Behavior Tree
Requirements Integration



Verification
Component Behavior Tree

Implementation


13
Building Dependable Systems
1. Control of Complexity
Avoids short-term memory overflow
Quality, verified software
2. Early Defect Detection
Building right system, right
3. Rigorous Translation
4. Ease of Simulation, Model checking
Dependable systems
5. Productivity gains for teams
Parallel working, Co-operative editing
6. Wide applicability
Command and Control, Enterprise Systems