A Safety Mechanism Using Software Patterns

Similar documents
A Metric of the Relative Abstraction Level of Software Patterns

A System of Patterns for Web Navigation

A Metric for Measuring the Abstraction Level of Design Patterns

Reflective Design Patterns to Implement Fault Tolerance

Object-Oriented Software Development Goal and Scope

Concurrency Control with Java and Relational Databases

Pattern-Based Architectural Design Process Model

Concurrent Object-Oriented Development with Behavioral Design Patterns

Patterns for Decoupling

Static Safety Analysis of UML Action Semantics for Critical Systems Development

Towards Better Support for Pattern-Oriented Software Development

WS01/02 - Design Pattern and Software Architecture

Object-Oriented Design

Software Engineering

A Framework for Reliability Assessment of Software Components

An Expert System for Design Patterns Recognition

Design Patterns. An introduction

MODEL-BASED DESIGN OF CODE FOR PLC CONTROLLERS

JUnit A Study on Applying JUnit Framework to Document Knowledge of Object-Oriented Software Systems

Universal Communication Component on Symbian Series60 Platform

Topics in Object-Oriented Design Patterns

Lectures 24 and 25 Introduction to Architectural Styles and Design Patterns

Ingegneria del Software Corso di Laurea in Informatica per il Management. Design Patterns part 1

A MULTI-LEVEL DESIGN PATTERN FOR EMBEDDED SOFTWARE *

Goals of Lecture. Lecture 27: OO Design Patterns. Pattern Resources. Design Patterns. Cover OO Design Patterns. Pattern Languages of Programming

SOFTWARE ARCHITECTURE INTRODUCTION TO SOFTWARE ENGINEERING PHILIPPE LALANDA

APPLYING DESIGN PATTERNS TO SCA IMPLEMENTATIONS

A Design Pattern of the User Interface of Safety-Critical Systems

UML Specification and Correction of Object-Oriented Anti-patterns

be used for more than one use case (for instance, for use cases Create User and Delete User, one can have one UserController, instead of two separate

Design Patterns V Structural Design Patterns, 2

Scenario-based Synthesis of Annotated Class Diagrams in UML

Coordination Patterns

StateClock: a Tool for Timed Reactive Modules

Towards the integration of security patterns in UML Component-based Applications

Appendix A - Glossary(of OO software term s)

Using Design Patterns in Java Application Development

SyncFree SyncFree: The Development of an Open Source Personal Data Synchronization Software

Design Patterns. Gunnar Gotshalks A4-1

Simulink/Stateflow. June 2008

Towards a Java Framework for Knowledge Representation and Inference

CHAPTER 6: CREATIONAL DESIGN PATTERNS

Review Software Engineering October, 7, Adrian Iftene

Using AOP to build complex data centric component frameworks

The following topics will be covered in this course (not necessarily in this order).

Coordinator. Example. Prashant Jain Corporate Technology, Siemens AG Munich, Germany

Applying Design Patterns to accelerate development of reusable, configurable and portable UVCs. Accellera Systems Initiative 1

Facade and Adapter. Comp-303 : Programming Techniques Lecture 19. Alexandre Denault Computer Science McGill University Winter 2004

Influence of Design Patterns Application on Quality of IT Solutions

Lecture 19: Introduction to Design Patterns

Object-Oriented Design

Slide 1. Design Patterns. Prof. Mirco Tribastone, Ph.D

Canica: An IDE for the Java Modeling Language

Architecture-Centric Evolution in Software Product Lines:

Verification Framework for Detecting Safety Violations in UML State chart Models of Reactive Systems C.M. Prashanth

CSCD01 Engineering Large Software Systems. Design Patterns. Joe Bettridge. Winter With thanks to Anya Tafliovich

Partial Acquisition Prashant Jain and Michael Kircher

A Rapid Overview of UML

The Method for Verifying Software Architecture with FSP Model

SWE 760 Lecture 1: Introduction to Analysis & Design of Real-Time Embedded Systems

An Approach to Reusable Software for Mobile Robot Applications through Analysis Patterns

Introduction to Software Engineering: Object Design I Reuse & Patterns

RADX - Rapid development of web applications in XML

Validating UML Statechart-Based Assertions Libraries for Improved Reliability and Assurance 1

A Novel Approach to Automated Design Pattern Detection

Quality-Driven Architecture Design Method

Simulation and Verification of UML-based Railway Interlocking Designs

Foundations of Software Engineering Design Patterns -- Introduction

Available online at ScienceDirect. Procedia Computer Science 56 (2015 )

Applying the Observer Design Pattern

25.1 Introduction Façade Design Pattern Identification Problem Structure Participants...

Transforming UML Collaborating Statecharts for Verification and Simulation

HYBRID PETRI NET MODEL BASED DECISION SUPPORT SYSTEM. Janetta Culita, Simona Caramihai, Calin Munteanu

Łabiak G., Miczulski P. (IIE, UZ, Zielona Góra, Poland)

Summary of the course lectures

1 (ERTSDP) ERTSDP (Embedded Real-Time Systems Design Pattern) (1)

Review of Basic Software Design Concepts. Fethi Rabhi SENG 2021

Software Design Patterns. Background 1. Background 2. Jonathan I. Maletic, Ph.D.

Producing Graphical User Interface from Activity Diagrams Ebitisam K. Elberkawi, Mohamed M. Elammari

PATETA: PATterns for EnTerprise reference Architectures

CS/CE 2336 Computer Science II

Proceedings of. The Three-Tier Architecture Pattern Language Design Fest

Design Patterns. Observations. Electrical Engineering Patterns. Mechanical Engineering Patterns

Configuration Provider: A Pattern for Configuring Threaded Applications

Object Oriented Methods with UML. Introduction to Design Patterns- Lecture 8

Composability Test of BOM based models using Petri Nets

An Introduction to Patterns

From Architectural Patterns to Architecture-Based Development

A Metamodeling Approach to Model Refactoring

' Dept. of Systems Engineeering, Hokkaido Univ., Japan

Composition Approaches Summary

Object Design II: Design Patterns

A New approach to Detect Safety Violations in UML Statechart Models

Real-Time Coordination Patterns for Advanced Mechatronic Systems

CSCI Object Oriented Design: Frameworks and Design Patterns George Blankenship. Frameworks and Design George Blankenship 1

An Open System Framework for component-based CNC Machines

Design Patterns. Manuel Mastrofini. Systems Engineering and Web Services. University of Rome Tor Vergata June 2011

SOFTWARE PATTERNS. Joseph Bonello

Concurrency Patterns in SCOOP

Cover Page. The handle holds various files of this Leiden University dissertation

Transcription:

URL: http://www.elsevier.nl/locate/entcs/volume82.html 11 pages A Safety Mechanism Using Software Patterns Kiyohito Itoh, Hiromi Kobayashi 1 Department of Management Engineering Tokai University Hiratsuka, Japan Abstract Software patterns have been widely studied in order to reuse of design knowledge in software design phase. However, few patterns have been known in the area of safety. This paper addresses a mechanism for safety and its software pattern in a reactive system. We construct a pattern composed of a mechanism called an event checker including several software patterns to check scenarios, i.e., the order of events and their timing constraints. Next, we show examples of its implementation to railroad models using Java. Moreover, we discuss the safety in the domain of a reactive system by means of this event checker and its software reliability by using this pattern. 1 Introduction In a reactive system, a controller responds to both external and internal stimuli in an event-driven manner [1]. Railroad crossing systems and manufacturing sequence control systems are examples of reactive systems. In these systems, an incorrect action of a controller may lead to an accident. Because the elimination of all errors is practically impossible including specification and programming errors, an accident can be caused by a latent error in a system. When an error causes a faulty event to be sent to a controller, this error can be detected by checking the order of events and timing constraints. There are few typical scenarios, i.e., event sequences, in an industrial and a railroad crossing system. This paper presents a safety mechanism called an event checker for detecting errors using this mechanism. When errors are detected, an event occurs to operate to the safety mode of a system. This checking mechanism was originally proposed as the trace assertion method in [2], and is applied to an event checker in this paper. 1 Email: kobayasi@keyaki.cc.u-tokai.ac.jp c 2003 Published by Elsevier Science B. V. Open access under CC BY-NC-ND license. 110

In recent software development, design patterns,i.e., abstractions of software architecture have been widely studied in order to reuse designing knowledge and components that increases productivity and reliability. Few patterns, however, have been noted in the area of safety [4-6]. This paper proposes a pattern for an event checker that combines several patterns. This event checker pattern can be regarded as a framework for similar programs, as well. Using software patterns, the reliability of a safety mechanism can be improved. Because the event checker is a redundant mechanism, cost-efficiency is critical factor. The creation of this event checker focused on ease of development, minimization of modifications in controller program, and simplicity of description to prevent errors. An example of the implementation of this mechanism in Java is provided for railroad models, followed by a discussion on safety in this field. 2 Event Checker Pattern 2.1 Overview Because reactive systems respond to stimuli in an event-driven manner, the event checker is designed for checking some scenarios, such as the order of events and timing constraints upon introduction to the controller. This mechanism is developed by combining several patterns that have certain desirable properties. Figure 1 shows a safety mechanism using an event checker. This mechanism consists of two packages: a controller package and event checker package. The classes in the controller package are responsibile for operating the subordinate equipment, while the classes in the event checker package are responsibe for checking the order of events and the timing constraints received from the subordinate equipment. This mechanism is effective because the controller package and event checker package doubly check the order of events and the timing constraints, the description of the event list representing event sequences in the event checker package is so simple that errors can be eliminated. 2.2 Problem and Solution The following is the problems discovered during the development of the event checker. Problem A Changes to the software architecture are needed in order to send events to both event checker package and the controller package. However, this modification has the possibility of creating new errors. Therefore, the alteration of the controller package architecture should be minimized and the controller package software should not be affected. 111

event flow class equipment Control computer Safety mechanism controller event_checker Fig.1 Safety mechanism. Problem B Scenarios, i.e., event sequences and their timing constraints are described in the event checker. Event names and control symbols representing both branches and repetition should be described as text for easier of understanding. Recursive and hierarchical representations should be used in order to describe scenarios as simply as possible. Problem C The timing constraints of events should be verified in the event checker. In general, whether or not events are included between T min : the minimum delay time, and T max : the maximum delay time, should be checked in reactive systems. These timing constraint states are divided into the following three categories: S less when an event occurs at a time less than T min, S in when an event occurs at a time between T min and T max,ands more when an event occurs at a time more than T max. If timing constraint states are represented in an event class, the class cohesion is low and the class structure is complex. Therefore, timing constraint states are introduced as objects. The patterns shown by E.Gamma et al. in [4] were used to solve the above problems. Each solution below corresponds to its respective problem above. Solution A The Decorator pattern, shown in Fig. 2, provides additional behavior to one object without affecting others. This pattern also allows the extraction of events sent from subordinate equipment to a controller. A Facade class can be used to provide single unified interface for multiple subsystem interfaces, which is called the Facade pattern. Using the Decorator pattern, events are extracted through a Facade class. In Fig. 2, the Controller class 112

is a Facade class. The implementation of the controller interface denoted by << interf ace >> Controller is embodied to use ConcreteController class. The << interf ace >> Controller represents contract between the Controller class and other classes denoted by A, B, C, D. Because the Decorator class now sends events to event checker package, the effect of the above modification is restricted solely to this Facade class. Solution B The Composition pattern provides objects with both a recursive structure and a hierarchical relationship between the whole and its parts. Using the Composite pattern, objects are used to express order of events. The control symbols (whole) and events (parts) are represented in these objects. In Fig. 3, a control symbol class ControlWord has multiple references to its superclass, an element class, called << abstract >> Element. ControlWord is able to contain objects created by both a control symbol class and an Event class because both are subclasses of << abstract >> Element. Solution C The State pattern can be used to classify the behavior of an object depending on its state. It can also be used to separate the task of checking timing constraints from an event class. In Fig. 4, an event class, Event, delegates an operation dependent upon timing constraints to class S less, S in,ors more. Each of these classes implements a state interface denoted by << interf ace >> State. Timing constraints are then checked in the appropriate class and its state transitition occurs. event A C <<interface>> Controller B D ConcreteController Decorator Fig.2 Decorator pattern. 113

Element ControlWord Event Fig.3 Composite pattern. Event <<interface>> State Sless Sin Smore (t Tmin) (Tmin t Tmax) (t Tmax) Fig.4 State pattern. 2.3 Integration The patterns mentioned in the previous section are integrated. Figure 5 shows the Event checker pattern. This pattern contains four other patterns: the Decorator, Facade, Composite, and State patterns in the controller and event checker package. The Decorator and Facade patterns are applied to controller package. The event checker package contains the parser package, element package, and EventChecker class. The EventListP arser class is the principal part of the parser package. The purpose of the EventListP arser class is to parse an event list and create an event object group. The Composite and State patterns are applied to the element package. The element package includes Event class, ControlWord class, and << abstract >> Element class, which represents the event names and control symbols. The element package also includes << interface >> State, S less, S in,ands more classes that check the timing constraints. 114

controller A C Controller B D ConcreteController Decorator event_checker <<uses>> EventChecker <<uses>> element <<uses>> parser Element next EventList- ControlWord Event Parser <<creates>> State Sless Sin Smore Fig.5 Event checker pattern. 2.4 Behavior This section describes the behavirs involved in checking the order of events and timing constraints performed by the event checker package. The EventChecker class through the Decorator class checks the order of events as shown in the sequence diagram in Fig. 6. Horizontal arrows represent event transmissions between objects, and the vertical direction represents the temporal sequence of these event transmissions. A Decorator class object denoted by : Decorator checks the order of events using the check(evt2) method in the : EventChecker after calling evt2() method from : Equipment, where evt2 represents the event name. The event name is then checked using getnextevent(evt2) in : EventChecker. The timing constraint of an event is checked by the S less, S in,and S more classes. The sequence diagram in Fig. 7 depicts this behavior. When a timing constraint needs to be checked, start() is initially called. When the next event occurs, getnextevent() is called. An event object : Event delegates 115

the checking operation to : S less first. In : S less, it is determined whether the elapsed time is less than T min. When the time becomes greater than T min, the timing constraint state is transferred to : S in ; and when the time exceeds T max T min, the timing constraint state transfers from : S in to : S more. :Equipment :Decorator :EventChecker evt1 :Event evt2() check(evt2) getnextevent(evt2) evt2 true Fig.6 Event sequence checking. evt1 :Event sl:sless si:sin sm:smore start() start() sleep(tmin) changestate(si) start() sleep(tmax-tmin) getnextevent(evt2) getnextevent() changestate(sl) interrupt() Fig.7 Event timing constraint checking. 3 Example In this section, the Event Checker pattern is applied to railroad models. Java is used for its implementation. 3.1 Railroad crossing Figure 8 shows a railroad crossing model [7-8]. This model consists of one or more trains, a gate, a sensor I, a sensor O, and a controller. The behavior of this model is shown as a sequence diagram in Fig. 9, and is described below. 116

When a train approaches a gate, it reaches a given distance where a sensor I detects its approach. Sensor I sends an event approach to the controller. The controller commands the gate to lower as event lower, and the gate moves from the up to the down position. Event down is returned after the gate is shut completely. After the train passes the gate, sensor O detects the fact and sends event pass to the controller. This controller commands the gate to raise as event raise, and the gate moves from the down to the up position. Event up is returned after the gate has opened completely. The Event Checker pattern is applied to this model using Java. For this example, the maximum number of trains within a closing activity is assumed to be two ( including the opposite track ). Figure 10 describes the possible event sequences for this model. If there is only one train, the order of events is 1 2 3 4. However, if there are two trains, the order will be one of the four senarios shown in Fig. 10. This diagram is implemented as an event list. event flow Train Crossing Sensor I Sensor O Controller Fig.8 Railroad crossing model. :Controller I:Sesor :Gate O:Sensor approach lower down pass raise up Fig.9 Railroad crossing behavior. 117

Kobayashi approach pass down up start 1 2 11 3 8 12 4 5 9 13 End 1 6 10 14 7 4 4 4 Fig.10 Train event sequences Signal A1 C1:Track Points A1 A2 A3 B1 B2 B3 Interlocking controller C1 Fig.11 Railroad interlocking model. 3.2 Interlocking Controller Interlocking is a mechanism used to control points and signals for the safe operation of a train station. This model [9] consists of one or more trains, tracks, points, signals, and an interlocking controller. The trackes are named A1,A2,,A3, as shown in Fig. 11. The behavior of this model is shown as a sequence diagram in Fig. 12, and is described below. 118

:Interlocking :Operator X:Track :Points :Signal designate track change confirm(1) confirm(2) lock confirm(3) green detect train red unlock Fig.12 Railroad interlocking behavior. The Operator class object : Operator commands the interlocking controller to designate tracks for the trains. The interlocking controller sends event change to the points for changing. After the controller confirms that (1) there are no trains on the course assured by the signal, (2) the direction of each point is correct, (3) there are no conflicts with courses indicated by other signals, by using conf irm(1), conf irm(2), and conf irm(3), the controller sends lock to each point and turns the signal green. When a train passes a track, the track detects this train and sends an event to the controller. When the controller receives this event from the end of the tracks consisting a course, this controller turns the signals red and unlocks each point. 4 Discussion and Conclusion A safety mechanism called an event checker and its software design pattern have been presented in this paper. The event checker is a mechanism to check order of events and their timing constraints in a reactive system. Software design patterns are used for improving reliability of this safety mechanism. Even though the event checker doesn t deal with concurrency, we consider it is still available to check the critical events in a scenario. The advantage of this mechanism is that the controller and event checker packages are able to check the event sequences twice, while maintaining the simplicity of event list description written in a text file. The advantage of the software pattern is its broad utilization for many defferent applications. The 119

reuse of software, which means the reuse of design knowledge and the reuse of software components, could improve the reliability of the software. This event checker has been developed by combining several patterns for the separation of responsibility, alleviation of dependency, and clarity of the software structure, and its utility was exhibited through the application to railroad models. Currently in Japan, interruption during a task is prohibited and single thread processing is used for railway signaling due to safety concerns. However, considering the future distributed controll system, it is necessary to study the interruption method further. Inturruption cannot be fully dealt in Java (JDK1.3). However, it can be dealt in the real-time specification for Java. Further work of software patterns is needed in the area of safety. Acknowlegement The authors would like to thanks Shingo Matsumoto at the Japan Railway Technical Research Institute for his help. References [1] Harel, D., Statecharts : A visual formalism for complex systems, Science of Computer Programming, Vol.8, pp.231-274, 1987. [2] Bartussek, W., and Parnas, D.L., Using assertions about traces to write abstract specifications for software modules, Proc.2nd Conference European Cooperation in Informatics on Information Systems Methodology, pp.211-236,1978. [3] Leveson, N.G., Safeware : SystemSafety and Computer, Addison-Wesley, 1995. [4] Gamma, E., Helm, R., Johnson, R.,and Vlissides, J., Design Patterns, Addison-Wesley, 1995. [5] Buschmann, F., Meunier, R., Rohnert, H., Sommerlad, P., and Stal, M., Pattern-oriented Software Architecture : A System of Patterns, John Wiley&Sons, 1996. [6] Grand, M., Patterns in Java: A Catalog of Reusable Design Patterns, Illustrated with UML Volume 1, John Wiley&Sons, 1998. [7] Leveson, N.G., and Stolzy, J.L., Safety analysis using Petri nets, IEEE Trans. Software Engineering, Vol.SE-13, No.3, pp.386-397, 1987. [8] Alur, R., and Dill, D., The theory of timed automata, Real-time theory in practice, LNCS Vol.600, pp.45-73, Springer-Verlag, 1992. [9] Matsumoto, S., Verification of railway interlocking specification using formal safety requirements, (in Japanese) Technical Report of IEICE, FTS99-69, pp.29-36, 1999. 120

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback