IBM Rational Harmony Deskbook Rel 3.1.2

IBM Software Group Foreword
The file "Deskbook Rel311.pdf" is the latest version of the Rational Harmony for Systems Engineering Deskbook Release 3.1 (“Deskbook”), released
May 28, 2010.
February
The Deskbook is2011
written for the practitioner. Screenshots, notes and best practice tips are added to the workflow descriptions. The brief introductions
are minimal rather than narrative. The Deskbook is not intended to replace training for the IBM Rational Rhapsody component of the IBM Rational
Workbench for Systems and Sofware Enigineering; it is intended to supplement it. It is assumed that the reader is familiar with UML/SysML and the
IBM Rational Rhapsody component of the IBM Rational Workbench for Systems and Software Engineering.
Systems Engineering Best Practices with the Rational

Permission to use, copy, and distribute, this Deskbook, is granted; provided, however, that the use, copy, and distribution of the Deskbook is made in
whole and not in part.
Solution for Systems and Software Engineering
THIS DESKBOOK IS PROVIDED "AS IS." IBM MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
IBM WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE
DESKBOOK OR THE PERFORMANCE OR IMPLEMENTATION OF THE CONTENTS OF THE DESKBOOK..
Deskbook
The directory "Deskbook Rel.3.1 Requirements and Models" contains the requirements specification for the Security System example and snapshots
of the models generated with Rhapsody. Release 3.1.2
Copyright IBM Corporation 2006, 2010
IBM Corporation
Software Group
Route 100
Model-Based Systems Engineering with Rational Rhapsody and
Somers, NY 10589
U.S.A.
Rational Harmony for Systems Engineering
Licensed Materials - Property of IBM Corporation
U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both.
Other company, product, or service names may be trademarks or service marks of others.
Hans-Peter Hoffmann, Ph.D.
The Rational Software home page on the Internet can be found at ibm.com/software/rational
Chief Systems Methodologist
The IBM home page on the Internet can be found at ibm.com
hoffmape@us.ibm.com
© 2011 IBM Corporation

The file "Deskbook Rel312.pdf" is the latest version of the “Systems Engineering Best Practices with the Rational Solution for Systems and Software
Engineering Deskbook Release 3.1.2” (“Deskbook”), released February 21, 2010.
The Deskbook is written for the practitioner. Screenshots, notes and best practice tips are added to the workflow descriptions. The brief introductions
are minimal rather than narrative. The Deskbook is not intended to replace IBM Rational Rhapsody training; it is intended to supplement it. It is
assumed that the reader is familiar with UML/SysML and the IBM Rational Rhapsody tool.
Permission to use, copy, and distribute, this Deskbook, is granted; provided, however, that the use, copy, and distribution of the Deskbook is made in
whole and not in part.
THIS DESKBOOK IS PROVIDED "AS IS." IBM MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
IBM WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE
DESKBOOK OR THE PERFORMANCE OR IMPLEMENTATION OF THE CONTENTS OF THE DESKBOOK..
The directory "Deskbook Rel.3.1.2 Requirements and Models" contains the requirements specification for the Security System example and
snapshots of the models generated with Rhapsody.
Copyright IBM Corporation 2006, 2011

IBM Corporation
Software Group
Route 100
Somers, NY 10589
U.S.A.
Licensed Materials - Property of IBM Corporation

U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both.
Other company, product, or service names may be trademarks or service marks of others.
The Rational Software home page on the Internet can be found at ibm.com/software/rational
The IBM home page on the Internet can be found at ibm.com

Foreword
Foreword to the Deskbook Release 3.0
Here it is – the long awaited next iteration. I completely restructured

the Deskbook, focusing more on the methododical part of Harmony for
Systems Engineering and its support in Rhapsody by means of the
Rhapsody SE-Toolkit. This release also extends the previous scope.
It now addresses Requirements Elaboration and Traceability as well
as Architectural Analysis through Trade Studies.
I want to thank two colleagues who deserve special mentions with

regard to their contributions to this release: Andy Lapping and Dr.
Graham Bleakley. Andy - the “Wizard Guru” – is the author of the
Rhapsody-SE-Toolkit. Whenever I came up with an idea, how the SE
workflow could be automated, the next day I got the wizard-based
solution. Graham is the specialist for Architectural Analysis. The
chapter on how to perform a trade study is based on his input. Here
again, Andy automated it by respective wizards.
Any feed-back for the next iteration (release) is appreciated.
Andover, 06-01-09
Foreword to the Deskbook Release 2.0

The systems engineering process is iterative. There is no reason why
this should not be applicable also to this Deskbook. Meanwhile,
numerous companies started to apply the Harmony for Systems
Engineering process using the Deskbook as a general guideline.
This revision takes into consideration the feed-back that I got from “the
field”. Especially with regard to the use case analysis, I realized that
the approach needed to consider the needs of projects with a large
numbers of use cases. Nothing changed with regard to the workflow.
What changed, is the project structure. The new project structure
supports team collaboration. Each use case now may be elaborated
separately and then – iteratively - merged to a common system model.
The outlined process (Harmony for Systems Engineering) is tool
independent.
Andover, 10-12-06
The Author - by J. Rick White
© Copyright IBM Corporation 2006, 2010. All Rights Reserved.

Table of Contents
Table of Contents
1 INTRODUCTION 1
1.1 Scope.................................................................................................................................................................................................................... 1
1.2 Document Overview ............................................................................................................................................................................................. 1
2 FUNDAMENTALS OF HARMONY FOR SYSTEMS ENGINEERING...............................................................................................................................2
2.1 Rational Integrated Systems / Embedded Software Development Process Harmony ........................................................................................ 2
2.2 Model-based Systems Engineering Process........................................................................................................................................................ 4
2.2.1 Requirements Analysis.................................................................................................................................................................................. 5
2.2.2 System Functional Analysis .......................................................................................................................................................................... 6
2.2.3 Design Synthesis......................................................................................................................................................................................... 10
2.2.3.1 Architectural Analysis (Trade Study).................................................................................................................................................... 11
2.2.3.2 Architectural Design ............................................................................................................................................................................. 14
2.2.3.3 Detailed Architectural Design............................................................................................................................................................... 16
2.2.4 Systems Engineering Hand-Off................................................................................................................................................................... 18
2.3 Essential SysML Artifacts of Model-based Systems Engineering ...................................................................................................................... 19
2.3.1 Requirements Diagram ............................................................................................................................................................................... 20
2.3.2 Structure Diagrams...................................................................................................................................................................................... 20
2.3.2.1 Block Definition Diagram...................................................................................................................................................................... 20
2.3.2.2 Internal Block Diagram......................................................................................................................................................................... 20
2.3.2.3 Parametric Diagram ............................................................................................................................................................................. 22
2.3.3 Behavior Diagrams ...................................................................................................................................................................................... 22
2.3.3.1 Use Case Diagram ............................................................................................................................................................................... 23
2.3.3.2 Activity Diagram ................................................................................................................................................................................... 23
2.3.3.3 Sequence Diagram .............................................................................................................................................................................. 24
2.3.3.4 Statechart Diagram .............................................................................................................................................................................. 24
2.3.4 Artifact Relationships at the Requirements Analysis / System Functional Analysis Level.......................................................................... 25
2.4 Service Request-Driven Modeling Approach ..................................................................................................................................................... 26
3 RHAPSODY PROJECT STRUCTURE............................................................................................................................................................................27
3.1 Project Structure Overview................................................................................................................................................................................. 27
3.2 Requirements Analysis Package........................................................................................................................................................................ 28
3.3 Functional Analysis Package.............................................................................................................................................................................. 29
3.4 Design Synthesis Package................................................................................................................................................................................. 30
ii | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Table of Contents
3.4.1 Architectural Analysis Package ................................................................................................................................................................... 30

3.4.2 Architectural Design Package ..................................................................................................................................................................... 31
3.5 System-Level Definitions .................................................................................................................................................................................... 32
4 CASE STUDY: SECURITY SYSTEM ............................................................................................................................................................................. 33
4.1 Getting Started.................................................................................................................................................................................................... 33
4.2 Requirements Analysis ....................................................................................................................................................................................... 34
4.2.1 Import of Stakeholder Requirements........................................................................................................................................................... 35
4.2.2 Generation of System Requirements .......................................................................................................................................................... 36
4.2.3 Linking System Requirements to Stakeholder Requirements..................................................................................................................... 38
4.2.4 Definition of System-Level Use Cases ........................................................................................................................................................ 40
4.2.5 Linking Requirements to Use Cases ........................................................................................................................................................... 41
4.3 System Functional Analysis................................................................................................................................................................................ 43
4.3.1 Uc1ControlEntry .......................................................................................................................................................................................... 44
4.3.1.1 Project Structure of the Uc1 Model ...................................................................................................................................................... 44
4.3.1.2 Definition of Uc1 Functional Flow......................................................................................................................................................... 45
4.3.1.3 Definition of Uc1 Scenarios .................................................................................................................................................................. 46
4.3.1.4 Definition of Ports and Interfaces ......................................................................................................................................................... 50
4.3.1.5 Definition of State-based Behavior....................................................................................................................................................... 51
4.3.1.6 Uc1 Model Verification ......................................................................................................................................................................... 53
4.3.1.7 Linking Uc1 Block Properties to Requirements................................................................................................................................... 55
4.3.2 Uc2ControlExit............................................................................................................................................................................................. 58
4.3.2.1 Project Structure of the Uc2 Model ...................................................................................................................................................... 58
4.3.2.2 Definition of Uc2 Functional Flow......................................................................................................................................................... 58
4.3.2.3 Definition of Uc2 Scenarios .................................................................................................................................................................. 59
4.3.2.6 Uc2 Model Verification ......................................................................................................................................................................... 61
4.3.2.7 Linking Uc2 Block Properties to Requirements................................................................................................................................... 61
4.3.3 Merging Use Case Blocks ........................................................................................................................................................................... 62
4.4 Design Synthesis ................................................................................................................................................................................................ 63
4.4.1 Architectural Analysis (Trade-Off Analysis)................................................................................................................................................. 63
4.4.1.1 Definition of Key System Functions ..................................................................................................................................................... 64
4.4.1.2 Definition of Candidate Solutions ......................................................................................................................................................... 65
4.4.1.3 Definition of Assessment Criteria ......................................................................................................................................................... 66
4.4.1.4 Assigning Weights to Assessment Criteria .......................................................................................................................................... 67
4.4.1.5 Definition of a Utility Curve for each Criterion ...................................................................................................................................... 68
4.4.1.6 Assigning Measures of Effectiveness (MoE) to each Solution............................................................................................................. 69
4.4.1.7 Determination of Solution ..................................................................................................................................................................... 70
4.4.2 Architectural Design .................................................................................................................................................................................... 72
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | iii
Table of Contents
4.4.2.1 Security System Decomposition .......................................................................................................................................................... 72

4.4.2.2 Graphical Allocation of Operations....................................................................................................................................................... 74
4.4.2.3 Formalizing the Allocation of Operations ............................................................................................................................................. 77
4.4.2.4 Allocation of Non-functional Requirements.......................................................................................................................................... 79
4.4.3 Detailed Architectural Design............................................................................................................................................................... 81
4.4.3.1 Derive White-Box Sequence Diagrams ............................................................................................................................................... 82
4.4.3.4 System Architecture Model Verification .............................................................................................................................................. 93
5 HAND-OFF TO SUBSYSTEM DEVELOPMENT.............................................................................................................................................................94
6 APPENDIX 95
A1 Mapping Security System Requirements to Model Artifacts .............................................................................................................................. 95
A2 Extended Architectural Model of the Security System ....................................................................................................................................... 98
A2.1 Extended System Architecture .................................................................................................................................................................... 99
A2.2 Extended State-based Behavior of Subsystems...................................................................................................................................... 100
A2.3 Verification of the Extended System Architecture Model ......................................................................................................................... 102
A3 Modeling Guidelines ......................................................................................................................................................................................... 103
A3.1 General Guidelines and Drawing Conventions ......................................................................................................................................... 103
A3.2 Use Case Diagram .................................................................................................................................................................................... 104
A3.3 Block Definition Diagram ........................................................................................................................................................................... 105
A3.4 Internal Block Diagram .............................................................................................................................................................................. 106
A3.5 Activity Diagram......................................................................................................................................................................................... 108
A3.6 Sequence Diagram.................................................................................................................................................................................... 111
A3.7 Statechart Diagram.................................................................................................................................................................................... 113
A3.8 Profiles....................................................................................................................................................................................................... 115
A4 Guideline: Deriving a Statechart Diagram ....................................................................................................................................................... 116
A5 Guideline: Logical Decomposition of a Use Case Black-Box Activity Diagram............................................................................................... 121
A6 Rhapsody Action Language ............................................................................................................................................................................. 128
A7 Rhapsody SE-Toolkit (Overview) ..................................................................................................................................................................... 131
7 REFERENCES 134
iv | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Table of Figures
Table of Figures
Fig.2-1 Rational Integrated Systems / Embedded Software Development Process Harmony.......................................................................................... 2
Fig.2-2 Model-based Systems Engineering ....................................................................................................................................................................... 4
Fig.2-3 Workflow in the Requirements Analysis Phase ..................................................................................................................................................... 5
Fig.2-4 Alternative Approaches of Building an Executable Use Case Model .................................................................................................................... 6
Fig.2-5 Derivation of a Use Case Scenario from a Use Case Black-Box Activity Diagram (Industrial Automation Use Case)........................................ 8
Fig.2-6 Workflow of the Use Case Model Rainy Day Analysis .......................................................................................................................................... 9
Fig.2-7 Workflow in the System Functional Analysis Phase .............................................................................................................................................. 9
Fig.2-8 Subphases and Workflow in the Design Synthesis Phase .................................................................................................................................. 10
Fig.2-9 Workflow and Work Product ............................................................................................................................................................................... 11
Fig.2-10 Different Shapes of Utility Curves ...................................................................................................................................................................... 12
Fig.2-11 Tasks and Workproducts in the Architectural Design Phase............................................................................................................................. 14
Fig.2-12 Nested Use Case White-Box Activity Diagram .................................................................................................................................................. 14
Fig.2-13 Allocation of Operations to Subsystems (Use Case Fig.2-5) ............................................................................................................................ 15
Fig.2-14 Workflow and Workproducts in the Detailed Architectural Design Phase ......................................................................................................... 16
Fig. 2-15 Derivation of White-Box Scenarios from a Use Case White-Box Activity Diagram (ref. Fig.2-13) ................................................................... 17
Fig.2-16 Overview of UML/SysML Interrelationship......................................................................................................................................................... 19
Fig.2-17 Taxonomy of SysML Diagrams Used in Harmony for Systems Engineering .................................................................................................... 19
Fig.2-18 Requirements Diagram ...................................................................................................................................................................................... 20
Fig.2-19 Block Definition Diagram.................................................................................................................................................................................... 20
Fig.2-20 Internal Block Diagram....................................................................................................................................................................................... 20
Fig.2-21 Standard Ports ................................................................................................................................................................................................... 21
Fig.2-22 Flow Ports .......................................................................................................................................................................................................... 21
Fig.2-23 Constraint Block Definition in a Block Definition Diagram ................................................................................................................................. 22
Fig.2-24 Parametric Diagram ........................................................................................................................................................................................... 22
Fig.2-25 Use Case Diagram............................................................................................................................................................................................. 23
Fig.2-26 Activity Diagram ................................................................................................................................................................................................. 23
Fig.2-27 Sequence Diagram ............................................................................................................................................................................................ 24
Fig.2-28 Statechart Diagram ............................................................................................................................................................................................ 24
Fig.2-29 SysML Artifacts Relationship at the Requirements Analysis / System Functional Analysis Level .................................................................... 25
Fig.4-1 Requirements Analysis Workflow and its Support through the Rhapsody SE-Toolkit......................................................................................... 34
Fig.4-2 Stakeholder Requirements Specification............................................................................................................................................................. 35
Fig.4-3 System Functional Analysis Workflow and its Support through the Rhapsody SE-Toolkit ................................................................................. 43
Fig.4-4 Workflow in the Architectural Analysis Phase and its Support through the Rhapsody SE-Toolkit ...................................................................... 63
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | v
Tables
Fig.4-5 Architectural Design Workflow and its Support through the Rhapsody SE-Toolkit ............................................................................................. 72
Fig.4-6 Detailed Architectural Design Workflow and its Support through the Rhapsody SE-Toolkit............................................................................... 81
Fig.A4-1 Use Case Black-Box Activity Diagram Uc2 ControlExit .................................................................................................................................. 116
Fig.A4-2 UC-Scenario Uc2_Sc1 .................................................................................................................................................................................... 116
Fig.A4-3 Uc-Scenario Uc2_Sc2 ..................................................................................................................................................................................... 116
Fig.A4-4 Wait States of Uc2_ControlExit ....................................................................................................................................................................... 117
Fig.A4-5 Action States of Uc2 ControlExit ..................................................................................................................................................................... 117
Fig.A4-6 Flat Statechart of Uc2_ControlExit .................................................................................................................................................................. 118
Fig.A4-7 Composite State ProcessingCardData............................................................................................................................................................ 119
Fig.A4-8 Composite State UnlockingAndLockingAccessPoint ...................................................................................................................................... 119
Fig.A4-9 Top-Level Statechart of Uc2_ControlExit ........................................................................................................................................................ 120
Fig.A5-1 Use Case Diagram UCD_MultiAxesSystem ................................................................................................................................................... 121

Fig.A5-2 Use Case HomingAndManualMode: Functional and State-based Behavior at the System Decomposition Level 1.................................... 122
Fig.A5-3 Reference Activity Diagram Level2_moveAxisB and Associated Derived Scenarios...................................................................................... 123
Fig.A5-4 Linking the Reference Activity Diagram ........................................................................................................................................................... 124
Fig.A5-5 Automatically generated Extended Uc1Sc1 Sequence Diagram..................................................................................................................... 124
Fig.A5-6 Linking RefAD_MoveAxisB Scenarios to Black-Box Use Case Scenario Uc1Sc1 ......................................................................................... 125
Fig.A5-7 Extended State-Based Behavior of the Use Case Block ................................................................................................................................ 126
Fig.A5-8 Animated Sequence Diagram (Extended Uc1Sc1) ......................................................................................................................................... 126
Fig.A5-9 Allocation of RefAD_MoveAxisB Operations to Subsystems in the Architectural Design Phase ................................................................... 127
Tables
Tab.A1-1 Mapping Security System Requirements to Model Artifacts ............................................................................................................................ 95
Tab.A1-2 Mapping Security System Requirements to Model Artifacts (cont’d)............................................................................................................... 96
Tab.A1-3 Mapping Security System Requirements to Model Artifacts (cont’d)............................................................................................................... 97
Tab.A3-1 Project-Specific Tags Defined in a Profile...................................................................................................................................................... 115

Tab.A3-2 Project-Specific Properties Defined in a Profile ............................................................................................................................................. 115
Tab.A7-1 Rhapsody SE-Toolkit Features ...................................................................................................................................................................... 131

Tab.A7-2 Rhapsody SE-Toolkit Features cont’d............................................................................................................................................................ 132
vi | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Introduction
1 Introduction
• Section 3 describes the project structure that should be followed
1.1 Scope when the Rhapsody tool is used in a model-based systems
engineering project.
Meanwhile, many books and articles have been published about • Section 4 details a case study of the Harmony for Systems
SysML, the standardized language for model-based systems Engineering workflow using the Rhapsody tool. The chosen
engineering [1]. But in most cases, the question of how to apply it in example is a Security System. The workflow starts with the import
an integrated systems and software development process has not of stakeholder requirements into Rhapsody and ends with the
been addressed. This deskbook tries to close the gap. Based on the definition of an executable system architecture model. The
tool independent Rational® Integrated Systems/Embedded Software workflow is application oriented and focuses on the usage of the
Development Process Harmony™ it provides systems engineers with a Rhapsody SE-Toolkit.
step-by step guide on using the SysML in a way that allows a • Section 5 addresses the handoff to the subsequent subsystem
seamless transition to the subsequent system development. (SecSysController) development.
In this deskbook the chosen tool is the Rational® systems and
software design tool Rhapsody® Release 7.5 . Also provided are several appendices, including
• the documentation of the Extended System Architecture Model of
The deskbook is written for the practitioner. Screenshots, notes, and the Security System which takes into consideration the inclusion of
best practice tips are added to the workflow descriptions. The brief COTS components,
introductions are minimal rather than narrative.
• a chapter about modeling/style guidelines regarding the usage of
the various SysML diagrams in model-based systems engineering
The deskbook does not replace the Rhapsody training documentation.
It rather is intended to supplement it. It is assumed, that the reader is • a guideline how to derive a statechart diagram from the information
familiar with the UML/SysML and the Rhapsody tool. captured in an activity diagram and associated sequence diagrams,
• a guideline how to logically decompose a use case black-box
1.2 Document Overview activity diagram,
• a quick reference guide to the Rhapsody Action Language,
The deskbook is divided into 5 sections: • an overview of the Rhapsody SE-Toolkit features that are applied in
the case study, and
• Section 1 describes the scope and structure of this book.
• a set of references.
• Section 2 introduces the basic concepts of Harmony for Systems
Engineering. It starts with an overview of how the systems
Included to this deskbook is a volume containing
engineering part of the integrated systems/embedded software
development process Harmony fits into the model-driven • the Security System stakeholder requirements,
development lifecycle. Then, the task flow and the associated • for each of the SE phases the incrementally extended Rhapsody
work products in the different systems engineering phases are model database:
detailed. With regard to modeling, this section also provides an - SecSys_RA (Requirements Analysis),
overview of SysML artifacts that are considered essential for - SecSys_FA (System Functional Analysis),
model-based systems engineering, followed by an introduction to - SecSys_AA (Architectural Analysis),
the service request driven modeling approach. - SecSys_AD (Architectural Design/Detailed Architectural Design)
• the Extended System Architecture Model (SecSys_EAD).
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 1
Fundamentals of Harmony for Systems Engineering
2 Fundamentals of Harmony for Systems Engineering
2.1 Rational Integrated Systems / Embedded Software Development Process Harmony

Fig.2-1 shows the Rational Integrated Systems / Embedded Software The Harmony process consists of two closely coupled sub-processes
Development Process Harmony by means of the classic “V” diagram.
- Harmony for Systems Engineering and
The left leg of the “V” describes the top-down design flow, while the
- Harmony for Embedded Real Time Development
right hand side shows the bottom-up integration phases from unit test
to the final system acceptance. Using the notation of statecharts, the The systems engineering workflow is iterative with incremental cycles
impact of a change request on the workflow is visualized by the “high- through the phases requirements analysis, system functional analysis
level interrupt”. Whenever a change request occurs, the process will and design synthesis. The increments are use case based.
restart at the requirements analysis phase.
Change Request
Stakeholder Harmony™ for

Requirements Systems
Engineering
System
Validation
Scenarios (ConOps)
Requirements Models, Requirements Plan System
Model / Requirements Repository

System Use Cases Model Analysis Acceptance
Test
Executable Scenarios
System Functional
Use Case Model(s) Analysis
System
Verification
Architectural Analysis Model(s), Plan (Sub-)System
System Architecture Model Design Synthesis
Integration & Test
Component
Verification Harmony™ for
System
Procedure
Architecture Embedded RT
Baseline SW Module Development
Analysis & Design Integration & Test
Software
Implementation
Model SW Implementation
& Unit Test
Fig.2-1 Rational Integrated Systems / Embedded Software Development Process Harmony
2 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
The software engineering workflow is characterized by the iterative The system architecture model captures the allocation of the system
incremental cycles through the software analysis and design phase, operations to the system architecture that was elaborated in the
the implementation phase, and the different levels of integration and previous architectural analysis phase. The correctness and
testing. completeness of the system architecture model is verified through
Regarding the systems engineering and implementation iterations, it model execution. Once the model is verified, the architectural design
should be noted, that the analysis iterations continue through may be analyzed with regard to performance and safety requirements.
implementation and testing, thus providing something demonstrable The analysis may include Failure Modes Effects Analysis (FMEA), and
with each iteration. Mission Criticality Analysis.
It is important to note the creation and reuse of requirements related The baselined system architecture model defines the hand-off to the
test scenarios all along the top-down design path. These scenarios subsequent HW/SW development.
are also used to assist the bottom-up integration and test phases and,
in the case of system changes, regression test cycles. Model-driven software development is supported by the Software
Implementation Model. This model is the basis for - either manual or
The Harmony process supports Model-Driven Development (MDD). In automatic - code generation [5,6].
a model-driven development, the model is the central work product of
the development processes, encompassing both analysis and design. An essential element of the model-driven development process is the
Each development phase is supported by a specific type of model. Model/Requirements Repository. It contains the configuration
controlled knowledge of the system under development, i.e.
Models that support the requirements analysis phase are
- Requirements documentation
- the Requirement Models and - Requirements traceability
- the System Use Cases Model. - Design documentation and
- Test definitions
A requirement model visualizes the taxonomy of requirements. The
system use cases model groups requirements into system use cases.
Neither of these models is executable.
In the system functional analysis phase the focus is on the translation

of the functional requirements into a coherent description of system
functions (operations). Each use case is translated into an executable
model and the underlying system requirements verified through model
execution.
There are two types of executable models supporting the design

synthesis phase:
- Architectural Analysis Model(s) and
- System Architecture Model
The objective of the architectural analysis model(s) - also referred to
as Trade Study Model(s) - is to elaborate an architectural concept for
the implementation of the identified operations e.g. through a
parametric analysis.
2.2 Model-based Systems Engineering Process

Key objectives of Harmony for Systems Engineering are: Fig.2-2 depicts an overview of Harmony for Systems Engineering. For
each of the systems engineering phases, it shows the essential input
• Identification and derivation of required system functions
and outputs.
• Identification of associated system modes and states
• Allocation of the identified system functions and modes/states to a The following paragraphs detail the workflow and artifacts of the
subsystem structure model-based systems engineering process and outline an associated
With regard to modeling, these objectives imply a top-down approach Requirements Management and Traceability (RT) concept. For a
on a high level of abstraction. The main emphasis is on the more application oriented workflow description, please refer to the
identification and allocation of a needed functionality and state-based case study in Section 4.
behavior, rather than on the details of its functional behavior.
Next Iteration or
Change Request
Stakeholder Requirements
Stakeholder Requirements
System Requirements Requirements Analysis

System Use Cases Model SRS
Model / Requirements Repository
(Draft)
System Use Cases
Updated System Requirements System Functional Analysis System-Level

Executable Use Case Model(s) (Use Case-Based) ICD
Use Case Scenarios (Black-Box) SRS
System Operations (Baseline)
Non-Functional System Requirements
Design Synthesis
Updated System Requirements
Architectural Analysis
Architectural Analysis Model(s) (Trade Study)
Architectural Concept
UC Activity Diagram(s) (Black-Box)
Architectural Design
UC Activity Diagram(s) (White-Box)
Allocated
System Operations
UC Activity Diagram(s) (White-Box)
Detailed
Scenarios (White-Box) Architectural Design
System Architecture Model (Baseline)
Links providing traceability

Logical ICDs
to original requirements
HW/SW Req Specs
HW/SW
incl. Test Scenarios
Development
Fig.2-2 Model-based Systems Engineering
2.2.1 Requirements Analysis into required system functions (“shall” statements) and documented in
the Draft System Requirements Specification. For traceability, the
The objective of the requirements analysis phase is to analyze the identified system requirements are linked to the associated
process inputs. Stakeholder requirements are translated into system stakeholder requirements.
requirements that define what the system must do (functional
requirements) and how well it must perform (quality of service The next major step in the requirements analysis phase is the
requirements) definition of system use cases. A use case describes a specific
operational aspect of the system (operational thread). It specifies the
The essential steps of the requirements analysis workflow are shown behavior as perceived by the actors (user) and the message flow
in Fig.2-3. It starts with the analysis and optional refinement of the between the actors and the use case. An actor may be a person,
stakeholder requirements. Output of this phase is the Stakeholder another system or a piece of hardware external to the system under
Requirements Specification. Essentially, stakeholder requirements development (SuD). A use case does not reveal or imply the system’s
focus on required capabilities. In the next step, these are transformed internal structure (black box view).
Use cases may be structured hierarchically – but care should be taken

[System Use Cases defined] not to functionally decompose the use cases. Use cases are not
functions, they use functions. There is no “golden rule” with regard to
[else]
the number of use cases needed to describe a system. Experience
Analyze/Refine
Stakeholder Reqs
shows that for large systems, typically 6 to 24 use cases may be
defined at the top level. At the lowest level a use case should be
Stakeholder
Requirements described by at least 5, with a maximum of 25 essential use case
Specification scenarios. At this stage, emphasis is put on the identification of
“sunny day” use cases, assuming an error/fail free system behavior.
Generate
Link Exception scenarios will be identified at a later stage (=> system
Stakeholder Reqs
System Reqs
to System Reqs
functional analysis) through model execution. If more than 5 error/fail
scenarios are found for a use case, they should be grouped in a
System separate exception use case, which are then linked to the “sunny day”
Requirements use case via an include or extend dependency.
Specification (Draft)
Define In order to assure that all functional and associated performance
System Use Case
requirements are covered by the use cases, respective traceability
Link
links need to be established.
Functional / Performance
Reqs to System Use Case Once the system-level use cases are defined and the complete
coverage of the functional and associated performance requirements
[Next System Use Case] is assured, they need to be ranked according to their importance for
[else]
the definition of the system architecture. The order defines the
Prioritize and Partition
System Use Cases
increments of the iterative SE workflow. At the end of each iteration
this ranking might need to be updated.
Fig.2-3 Workflow in the Requirements Analysis Phase
2.2.2 System Functional Analysis
The main emphasis of the system functional analysis phase is on the Fig.2-4 details the modeling tasks and the associated work products.
transformation of the functional system requirements into a coherent First, the use case model context is defined in an Internal Block
description of system functions (operations). The analysis is use Diagram. Elements of this diagram are instances of SysML blocks,
case-based, i.e. each system-level use case that was identified in the representing the use case and its associated actor(s). At this stage,
previous requirements analysis phase is translated into an executable the blocks are empty and not linked.
model. The model and the underlying requirements then are verified
through model execution.
Build Executable Model of Use Case
Define Use Case Model Context

(UC Internal Block Diagram)
[Alternative 3]
[Alternative 1]
[Alternative 2]
Define UC Scenarios Define UC Functional Flow Define UC State-Based Behavior

(UC Black-Box Sequence Diagrams) (UC Black-Box Activity Diagram) (UC Statechart Diagram)
Derive UC Functional Flow Derive UC Scenarios Derive UC Scenarios

from UC Scenarios from UC Functional Flow from UC Statechart Diagram
(UC Black-Box Activity Diagram) (UC Black-Box Sequence Diagrams) (UC Black-Box Sequence Diagrams)
Define Ports And Interfaces Define Ports And Interfaces

(UC Internal Block Diagram) (UC Internal Block Diagram)
Document
New / Derived Reqs Derive UC State-Based Behavior
from UC Black-Box AD and SDs
(UC Statechart Diagram)
Verify UC Model
through Model Execution
[else]
[Rainy Day Analysis]

Extend UC Model
w.r.t. Error/Fail Behavior
Link
UC Block Properties to Reqs
Update
Draft System Req Spec
Fig.2-4 Alternative Approaches of Building an Executable Use Case Model
The next step in the modeling workflow is the definition of the behavior activity diagram (ref. Fig.2-5). Ports and interfaces of the use case
of the use case block. It is captured by means of three SysML block are created from the sequence diagrams. Lastly, its state-based
diagrams: behavior is captured in a statechart diagram.
- Activity Diagram, Alternative 3 starts with the definition of the use case state-based
- Sequence Diagrams, and behavior. This approach is recommended if the system under design
- Statechart Diagram. (SuD) is strongly state-based. In this case, the creation of a use case
black-box activity diagram may even be skipped. Use case scenarios
Each diagram plays a specific role in the elaboration of the use case then are derived as paths through the statechart diagram. From the
behavior. The activity diagram – referred to as Use Case Black-Box sequence diagram then ports and associated interfaces are
Activity Diagram - describes the overall functional flow (storyboard) of generated.
the use case. It groups functional requirements in actions – in
Harmony for Systems Engineering the equivalent of operations - and It should be noted, that regardless of which approach is chosen, the
shows, how these actions/operations are linked to each other. The most important diagram in the system functional analysis process is
sequence diagram – referred to as Use Case Black-Box Sequence the use case block statechart diagram. It comprises the information of
Diagram - describes a specific path through the use case and defines both the black-box sequence diagrams and the use case black-box
the interactions (messages) between the operations and the actors. activity diagram and can be verified through model execution. The
The statechart diagram aggregates the information from the activity use case black-box activity diagram and the associated black-box
diagram (functional flow) and the sequence diagrams (actor sequence diagrams will be reused further down in the design process.
interactions). It puts this information into the context of system states
Whenever during the use case based system functional analysis new
and adds to it the system behavior due to external stimuli of different
requirements are identified or high-level requirements are detailed by
priority.
derived requirements, they need to be documented. Last at the end of
There is no mandate directing in which order these diagrams should the system functional analysis phase, these additional requirements
be generated. The order may depend on the available information and need to be approved by the stakeholders and exported to the
the modeler’s preference. Fig.2-4 shows three alternative requirements traceability tool.
approaches:
The use case model is analyzed through model execution using the
black-box use case scenarios as the basis for respective stimuli. It
Alternative 1 starts with the definition of use case scenarios.
should be noted, that - following the previously outlined key objectives
Customers often describe sequences of required system usage (e.g.
of this process - the primary focus is on the verification of the
Concept of Operations). Once a set of essential scenarios is
generated sequences rather than on the validation of the underlying
captured, the identified functional flow is merged into a common
functionality.
description in an activity diagram. Ports and interfaces are created
from the sequence diagrams (ref. section 2.4 Service Request-Driven
Modeling Approach). They define the links between the actor(s) and
the use case block in the use case model internal block diagram. The
final step in this approach is the definition of the state-based behavior
of the use case block in a statechart diagram.
Alternative 2 starts with the definition of the use case functional

flow. This is a common approach, if systems engineers have to
elaborate requirements. Typically, customers like to express their
requirements from the “big picture” point of view. Once the overall
functional flow is defined, use case scenarios are derived from the
AD_Uc_HomingAndManualMode SD_Uc_HomingAndManualMode_Sc1
User
Start setOpMode User Uc_HomingAndManualMode
[OpMode==Homing"]
homeAxisD
User [OpMode == "Manual"]

Preconditions:
homeKAxis
setAxis System is powered
[else] [else] openAxisL

[else]
reqSetMode("Manual")
User User User
[Axis == "AxisC"] [Axis == "AxisB"] [Axis == "AxisA"] setOpMode("Manual")
mvCtrldAxisLToBasePos
setDirection setDi rection setDirection
User User User reqSetAxis("AxisA")

homeAxisF
setAxis("AxisA")
setSpeed setSpeed setSpeed
homeAxisE
[UserInput == DirectionA] [UserI nput == DirectionB] [UserI nput == DirectionA] [UserInput == DirectionB] reqSetDirection(Direction)
checkPosAxisB
setDirection(Direction)
homeAxisB
checkPosAxisK checkPosAxisB checkPosAxisC checkPosAxisA Start
[else] reqSetSpeed(Speed)
[inSafePos]
[else] [else] homeAxisA setSpeed(Speed)
checkStatusAxisA
[inSafePos] [inSafePos]
checkPosAxisE
mvCtrldAxisAToOpenPos checkPosAxisB()
checkPosAxisG
[else]
[isHomed] homeAxisL
[else] [else] [else] [else] AxisB in Save Position
Start Start mvCmddAxisA_Normal
[inSafePos] [inSafePos] [inSafePos] [inSafePos]

mvCtrldAxisLToBasePos checkStatusAxisA()
checkStatusAxisB checkStatusAxisB mvCmddAxisA_Slow
checkStatusAxisC checkStatusAxisC
homeAxisG
[isHomed] [isHomed] Start
alt [AxisA Homed]
[isHomed] [isHomed]
[else] [else] Start
mvCmddAxisA_Normal()
mvCmddAxisC_Slow mvCmddAxisB_Slow
mvCmddAxisC_Normal mvCmddAxisB_Normal
[else]
Start Start mvCmddAxisA_Slow()
[else] [else] [else] [Axis == "AxisM"]

[else] [else]
User User User User

User User User [Axis == "AxisL"] [Axis == "AxisK"] [Axis == "AxisG"]
[Axis == "AxisD"] [Axis == "AxisE"] [Axis == "AxisF"]
setDirection setDi rection setDi rection setDirection
setDirection setDi rection setDirection
User User User User

User User User
setSpeed setSpeed setSpeed setSpeed

checkStatusAxisL checkStatusAxisL checkStatusAxisG checkStatusAxisM

checkStatusAxisD checkStatusAxisE checkStatusAxisF
[else] [else]
[else]
[isHomed] [isHomed]
[isHomed] [isHomed]
mvCmddAxisL_Normal mvCmddAxisM_Normal
mvCmddAxisD_Normal mvCmddAxisF_Normal
mvCmddAxisF_Slow mvCmddAxisL_Slow mvCmddAxisM_Slow

mvCmddAxisD_Slow
Start [else] Start

Start Start [else]
[else]
[isHomed]
[isHomed] [isHomed]
mvCmddAxisG_Normal
mvCmddAxisL_Normal
mvCmddAxisE_Normal
mvCmddAxisG_Slow
mvCmddAxisL_Slow
mvCmddAxisE_Slow
Start
Start Start
Fig.2-5 Derivation of a Use Case Scenario from a Use Case Black-Box Activity Diagram (Industrial Automation Use Case)
Extend UC Model w.r.t. Error/Fail Behavior Once all use cases of an iteration increment are verified, there are two
ways to proceed (ref. Fig.2-7). If use cases overlap – i.e. if they
Identify
address common system requirements - the consistency between the
Exception Behavior use case models may be checked by executing respective models
concurrently in a common framework (Use Case Collaboration Model).
Extend
UC Block Statechart Diagram
Constituents of the use case collaboration model are the instances of
[Update
the relevant use case blocks and their associated/shared actors. The
UC Functional Flow] Update correct behavior of the use case blocks due to the inputs from the
UC Black-Box Activity Diagram
[else] common actors may then be checked through visual inspection of the
[Update individual state-based behavior.
UC Model IBD] Update
UC Model Internal Block Diagram
[else]
Build
Executable Model of Use Case
Verify UC Model Record
trough Model Execution Exception Scenario(s)
[Next Use Case]

[else]
[Next Exception]
[else] [UC Consistency Analysis] Perform Use Case
Consistency Analysis
[else]
Merge Use Case Blocks
Fig.2-6 Workflow of the Use Case Model Rainy Day Analysis in SuD Block
System-Level ICD
Once the use case model and the underlying functional requirements System
are verified, Rainy Day Analysis may be performed. This analysis Requirements
Specification (Baselined)
focuses on the identification of system error / fail behavior that was not
covered by the initial set of requirements.
Fig.2-6 details the workflow and the associated work products of the Fig.2-7 Workflow in the System Functional Analysis Phase
rainy day analysis. It is recommended to first add respective
exception behavior to the statechart diagram as this diagram depicts If consistency between the different use case models is not an issue,
best the overall system behavior. If the error / fail behavior includes the identified operations, associated service requests, and attributes of
new functionality, the use case black-box activity diagram and – if each use case model are merged in a common system block SuD. In
needed – the use case model internal block diagram needs to be the subsequent design phase, this information will be allocated to sub-
updated accordingly. The extended use case model is verified systems.
through model execution. It is recommended to record the respective
verification scenarios and add these to the set of use case black-box The system functional analysis phase ends with the baselined System
sequence diagrams. Requirements Specification. Another document generated at this
stage is the System-Level Interface Control Document (ICD). It
The use case modeling workflow ends with the definition of traceability defines the logical (=functional) interfaces between the (black-box)
links between the use case block properties and relevant system system and its actors and is the aggregate of all use case blocks
requirements. If new requirements or derived requirements were interfaces. This ICD is the basis for the later system-level (black-box)
identified during the modeling process, the draft system requirements test definition.
specification needs to be updated accordingly.
Sometimes the question comes up whether a black-box functional hardware (e.g. mechanical or FPGA/ASIC) and which should be
system model – incl. an integrated black-box statechart diagram - implemented in software.
should be built in order to assure, that the system has been completely
described by the use cases. In principal, there is no reason why it
should not be done. The more pragmatic and time saving approach is
to shift this issue to the subsequent design synthesis phase. The use
Architectural Analysis
cases should have brought enough system information to start the (Trade Study)
architectural design. What is missing will be identified later when the
system architecture model will be verified through model execution.
[else] [Known
Architectural Concept]
2.2.3 Design Synthesis Architectural Design
The focus of the design synthesis phase is on the development of a

physical architecture (i.e. a set of product, system, and/or software
elements) capable of performing the required functions within the limits [Next Level of
of the prescribed performance constraints. Design synthesis follows a Decomposition] [else]
top-down approach. Fig.2-8 depicts the essential subphases and the Detailed
associated workflow. Architectural Design
Design synthesis typically starts at each level of the architectural

decomposition with an Architectural Analysis – also referred to as
Trade Study. Since there may be several hardware and/or software
architectures that satisfy a given set of functional and performance
requirements, the optimum design concept is elaborated based upon a Fig.2-8 Subphases and Workflow in the Design Synthesis Phase
set of criteria (e.g. Measures of Effectiveness, MoEs), that are
weighted according to relative importance. The focus of the Detailed Architectural Design phase is on the
definition of the ports and interfaces as well as the state-based
The focus of the architectural design phase is on the allocation of behavior of the system blocks at the lowest level of the architectural
system-level operations to the elements of an architectural structure. decomposition.
This structure may be the result of a previous trade study or a given
(legacy) architecture. The allocation is an iterative process and is The following paragraphs detail the workflow and associated work
typically performed in collaboration with domain experts. Different products in the different design synthesis sub-phases.
allocation strategies may be analyzed, taking into consideration design
constraints like performance and safety requirements that were
captured during the requirements analysis phase.
Depending on the hand-off to the subsequent subsystem

development, the architectural analysis and architectural design
phases may be repeated for the different levels of the architectural
decomposition. At the lowest level, the functional allocation may
address the realization, i.e. which operation should be implemented in
2.2.3.1 Architectural Analysis (Trade Study)
System functional analysis defines What the system should do but not One of the simplest means of determining the “how” is a technique
How it is to be done. The objective of a Trade Study in the known as the Weighted Objectives Method, developed by N. Cross [7].
architectural analysis phase is to determine the best means of This form of analysis is commonly used within the field of Engineering
achieving the capability of a particular function in a rational manner. System Design to evaluate potential solutions to functional problems.
i.e. to identify the How. It can also be used to determine the best hardware platforms for
software or decide the optimum mechanical/electrical hardware split
based upon non-functional requirements like a set of customer
Define constraints, performance or cost criteria.
Key System Functions
Fig.2-9 depicts the workflow and the associated work products in the
Architectural Analysis phase.
Build Weighted Objectives Table
Identify Key System Functions

Define The objective of this task is to group system functions into sub-sets to
Candidate Solutions support the analysis of alternatives during architectural analysis. A
key system function could be a group of system functions that
Define
Assessment Criteria • are cohesive and/or tightly coupled or
• may be realized by a single architectural component or
Assign • will be realized by reuse of an existing component (HW/SW) or
Weights to Criteria
• may be reused within the system or
Define Utility Curve • address a specific design constraint
for each Criterion
The next 6 tasks are performed for each selected key system function.
Assign MoEs
to Candidate Solutions
Define Candidate Solutions
There is always more than one way to realize a key system function.
Determine Solution The objective of this task is to identify possible solutions for a
previously identified key system function. The solutions are
elaborated in a team representing all relevant areas of expertise. At
[Next Key System Function]
this stage, associated stakeholder requirements need to be identified
[else] and taken into consideration. Candidate solutions may take into
Merge Solutions to consideration previously developed hardware and software
Form System Architecture
components, non-developmental items, and COTS hardware and
Trade Study software.
Report
Fig.2-9 Workflow and Work Product

in the Architectural Analysis Phase
Identify Assessment Criteria

In order to identify the best solution from a set of candidate solutions A utility curve may also be created by knowledgeable project
for a specific key system function, assessment criteria need to be members. In this case the curve reflects the consensus among the
identified. Meaningful assessment criteria are established in group but should be considered as subjective.
collaboration with stakeholders and a team representing all relevant
areas of expertise. Typically, the assessment criteria are based upon Assign Measures of Effectiveness (MoE) to Candidate Solution
customer constraints, required performance characteristics, and/or In order to compare the different solutions of a key system function via
costs. weighted objectives analysis each candidate solution is characterized
by a set of normalized, dimensionless values - Measures of
Assign Weights to Assessment Criteria Effectiveness (MoE) - which describe how effective a solution
Not all assessment criteria are equal. Some are more important than candidate is for a particular assessment criterion. The MoE is a
others. Assessment criteria are weighted according to their relative normalized value computed using the utility curve and the nominal
importance to the overall solution. The weighting factors are value specified for the solution candidate. The nominal values are
normalized to add up to 1.0. This task should be performed in typically determined from equipment specifications or derived from
collaboration with stakeholders and relevant domain experts. calculations based upon the relevant solution.
Define Utility Curves for each Criterion Determine Solution

The purpose of this task is to define a set of normalization curves - The determination of a preferred solution is performed by means of
also known as Utility Curves or Value Functions - one for each Weighted Objectives calculation. In this analysis the MoE values for
assessment criterion that will be used to produce a dimensionless each of the assessment criteria are multiplied by the appropriate
Measure of Effectiveness for each solution candidate. This curve weight. The weighted values for each alternative solution then are
yields a normalized value typically between 0 and 10. The input value added to obtain a total score for each solution. The solution with the
to the curve is typically based upon equipment specifications or highest score is selected as the implementation for that particular
derived from calculations based upon possible solutions. In this case function.
it is considered as being objective. Tab.2-1 shows for the key system function “Capture Biometric Data” in
the case study described later in chapter 4, that the preferred solution
Step Function Continuous is the Fingerprint Scanner.
Relationship
Merge Possible Solutions to form System Architecture

10
The solutions identified for each key system function are merged to
8 define the equipment breakdown structure. It is assumed that the
initial key system functions were independent. Thus, the final merged
Utility
6 solution is the preferred solution based upon the assessment criteria
(MoE) for the complete architecture. It will be the basis of the subsequent
4
architectural design activities. These design decisions are captured in
2 the Trade Study Report along with any resulting design constraints.
0
Threshold Goal
Assessment Criterion
(e.g. Speed, Cost, Reliability, etc)
Fig.2-10 Different Shapes of Utility Curves
10
6
MoE
4
2
Optical Scanner Fingerprint Scanner
0
400 350 300 250 200 150 100 50 0
Purchase Cost ($)
Purchase Cost Utility Curve used in the Trade Study
Tab.2-1 Weighted Objectives Table of the Key System Function “Capture Biometric Data” (ref. Case Study Chapter 4)
of the decomposition hierarchy. Based on the chosen design concept,

2.2.3.2 Architectural Design the operations ( = actions) then are “moved” into respective block
swim lanes (ref. Fig.2-13). An essential requirement for this allocation
is that the initial links (functional flow) between the actions are
Fig.2-11 shows the workflow and the associated work products in the
maintained.
architectural design phase. Based on the design concept, optionally
elaborated in a previous trade study, it starts with the decomposition of
Use case white-box activity diagrams may be nested, thus reflecting
the chosen system block into parts. The resulting system structure is
the iterative architectural decompositions of the system under design
captured in a SysML Block Definition Diagram (BDD) and in a SysML
(ref. Fig.2-12).
Internal Block Diagram (IBD).
Architectural Design SuD_Lvl 0
SuD_Lvl 1
SuD
Decompose System Architecture SuD_Lvl 2
SuD
System Bock into Parts Structure Diagram UC Black-Boc Activity Dagram
(BDD, IBD)
SS1 SS2
Allocate Operations to Parts 1 1
UC White Box Activity Diagram Lvl 1 SS1 SS2

[else]
1
SS11 SS12 SS13 SS11
[Elaboration needed]
1
Graphically allocate UC Operations UC White-Box
UC White-Box SS12
in UC White-Box Activity Diagram Activity Diagram Activity Diagram Lvl 2
1
SS13
Copy System Block Operations

into Parts
Fig.2-12 Nested Use Case White-Box Activity Diagram

[Next Use Case]
[else]
If an operation cannot be allocated to a single block, it must be
decomposed. In this case, the associated decomposed SuD
operations need to be linked to the parent operation through a
[Next Level of respective dependency.
Decomposition] [else]
A system-level operation may also be allocated to more than one
Allocate Non-Functional Reqs
to Parts and/or Operations block (e.g. architectural redundancy in order to meet fault tolerance
requirements). In this case, the relevant action is copied into the
respective block swim lane and integrated into the functional flow.
Fig.2-11 Tasks and Workproducts in the Architectural Design Phase White-box activity diagrams allow a first estimate of the resulting load
on respective communication channels, as links that cross a swim lane
Generally, there are two ways to proceed with regard to the allocation correspond to interfaces.
of the system block operations to the parts. If an allocation concept
exists, they may be copied directly into the relevant parts. Otherwise, Once all system block operations, that capture system functional
the allocation can be elaborated graphically for each use case by requirements are allocated to system parts, non-functional require-
means of the associated Use Case White-Box Activity Diagram. ments (e.g. design constraints) are allocated to the relevant parts and
Essentially, this activity diagram is a copy of the use case black-box respective trace links are established..
activity diagram, partitioned into swim lanes, each representing a block
Proc1 Proc2 Proc3
User
Start setOpMode
[OpMode=="Homing"] homeAxisD homeAxisK
[OpMode == "Manual"]
User
setAxis openAxisL
User mvCtrldAxisLToBasePos
[UserInput =="AxisA"] setDirection

homeAxisF
AD_Uc_HomingAndManualMode [else] User
User setSpeed checkStatusAxisA

homeAxisE
Start User
setOpMode checkPosAxisB
[UserInput =="AxisD"] setDirection homeAxisB
[OpMode==Homing"] User Start

homeAxisD [else] [else] homeAxisA
setSpeed [isInSafePos]
User [OpMode == "Manual"] [else]

mvCtrldAxisAToOpenPos
homeKAxis checkStatusAxisD [isHomed]
setAxis
mvCmddAxisA_Normal mvCmddAxisA_Slow
[isHomed] [else] homeAxisL
[else] [else] openAxisL
[else] Start
mvCmddAxisD_Normal mvCmddAxisD_Slow mvCtrldAxisLToBasePos homeAxisG
User [Axis == "AxisC"] User User [Axis == "AxisA"]

[Axis == "AxisB"]
mvCtrldAxisLToBasePos Start
setDirection setDirection setDirection User
Start
User [UserInput == "AxisB"]

User User setDirection
homeAxisF
User
[else] checkStatusAxisB
setSpeed
homeAxisE
[UserInput == DirectionA] [UserInput == DirectionB] [UserInput == DirectionA] [UserInput == DirectionB] [UserInput == DirectionA] [UserInput == DirectionB]
checkPosAxisB
checkPosAxisA
homeAxisB checkPosAxisL
checkPosAxisK checkPosAxisB checkPosAxisC checkPosAxisA Start [else]
[else] [else]
Start
[inSafePos]
[else] [else] homeAxisA [InSafePos] [inSafePos]
[isHomed]
checkStatusAxisA checkPosAxisA
[inSafePos] [inSafePos] [else]

mvCtrldAxisAToOpenPos [else]
checkPosAxisG checkPosAxisE
[else]
[inSafePos]
[isHomed] homeAxisL [isHomed] mvCmddAxisB_Normal

[else] [else] [else] [else]
Start Start mvCmddAxisA_Normal [else]
[inSafePos] [inSafePos] [inSafePos] [inSafePos] User mvCmddAxisB_Slow

mvCtrldAxisLToBasePos [UserInput == "AxisC"]
checkStatusAxisB checkStatusAxisB mvCmddAxisA_Slow setDirection
checkStatusAxisC checkStatusAxisC Start
User
homeAxisG
Start setSpeed checkStatusAxisL
[isHomed] [isHomed]
[isHomed] [isHomed] [UserInput == DirectionB] [UserInput == DirectionA]
checkPosAxisK
[else] [else] Start
mvCmddAxisC_Slow mvCmddAxisB_Slow checkPosAxisB
[else] [else] [InSafePos]

Start CheckPosAxisG
mvCmddAxisC_Normal mvCmddAxisB_Normal [else]
[InSafePos]
[else]
[isHomed]
Start [isHomed]
Start
mvCmddAxisL_Normal
[inSafePos]
[else]
[else]
User mvCmddAxisL_Slow
[else] [else] [else] [Axis == "AxisM"]
[else] [else] [UserInput == "AxisA"]
setDirection Start
User User User User
User User User [Axis == "AxisL"] [Axis == "AxisK"] [Axis == "AxisG"] User
[Axis == "AxisD"] [Axis == "AxisE"] [Axis == "AxisF"]
setDirection setDirection setSpeed checkStatusAxisE
setDirection setDi rection setDi rection
setDirection setDirection
[else]
User User User User [else]
User User User
[Homed]
setSpeed setSpeed setSpeed setSpeed
setSpeed setSpeed setSpeed mvCmddAxisE_Slow
mvCmddAxisE_Normal
User
[UserInput == "AxisF"]
checkStatusAxisM setDirection start
checkStatusAxisL checkStatusAxisL checkStatusAxisG
checkStatusAxisD checkStatusAxisE checkStatusAxisF
[else] User
setSpeed checkStatusAxisF
[else] [else]
[else]
[isHomed] [isHomed] [else]

[isHomed] [isHomed]
[Homed]
mvCmddAxisL_Normal mvCmddAxisM_Normal
mvCmddAxisD_Normal mvCmddAxisF_Normal mvCmddAxisF_Normal mvCmddAxisF_Slow
User
mvCmddAxisF_Slow mvCmddAxisL_Slow mvCmddAxisM_Slow [UserInput == "AxisL"] setDirection Start

mvCmddAxisD_Slow
User
[else]
setSpeed checkStatusAxisL
Start [else] Start
Start Start [else]
[else] [else]
User
[isHomed] [Homed]
[isHomed] [isHomed] setDirection mvCmddAxisL_Normal mvCmddAxisL_Slow

[UserInput == "AxisK"]
mvCmddAxisG_Normal
mvCmddAxisL_Normal User
mvCmddAxisE_Normal Start
[else] setSpeed checkStatusAxisK

mvCmddAxisG_Slow
mvCmddAxisL_Slow
mvCmddAxisE_Slow
[Homed] [else]
Start
Start Start mvCmddAxisK_Normal
User
[UserInput == "AxisG"] mvCmddAxisK_Slow
setDirection
User Start
Use Case Black-Box Activity Diagram setSpeed

checkStatusAxisG
User
[UserInput == "AxisM"]
setDirection [Homed] [else]
User
setSpeed mvCmddAxisG_Normal
mvCmddAxisG_Slow
checkStatusAxisM
Start
[Homed] [else]
mvCmddAxisM_Normal mvCmddAxisM_Slow
Fig.2-13 Allocation of Operations to Subsystems (Use Case Fig.2-5) Start
Use Case White-Box Activity Diagram Lvl 1
2.2.3.3 Detailed Architectural Design
The focus of the detailed architectural design phase is on the definition Detailed Architectural Design
of ports and interfaces, as well as on the definition of the state-based
behavior of the system blocks at the lowest level of the architectural
decomposition. Fig.2-14 depicts the workflow and the associated work
products in the detailed architectural design phase. Derive System
White-Box Sequence Diagrams White-Box Sequence Diagrams
Leaf block ports and interfaces are identified from White-Box
Sequence Diagrams. White-box sequence diagrams are derived from [Next Use Case
White-Box AD]
the use case white-box activity diagrams that were created in the
previous architectural design phase. The focus of black-box sequence [else]
diagrams was on the identification of the required sequences of
system functions (operations). White-box activity diagrams focus on Define System Architecture
Structure Diagram (IBD)
the collaboration between the different subsystems taking into Ports and Interfaces
consideration the allocation of the operations. The received service
requests define the (provided) interfaces of a block (ref. section 2.4).
Define Statechart Diagrams
State-Based Behavior of Blocks
The derivation of white-box sequence diagrams is performed
iteratively for each use case white-box activity diagram.
Verify
Once ports and interfaces are defined, the resulting state-based System Architecture Model
behavior of each leaf block needs to be captured in a statechart
diagram.
The correctness and completeness of the system architecture model is

verified through model execution. Once the model functionality is
verified, the architectural design may be analyzed with regard to Fig.2-14 Workflow and Workproducts in the
performance and safety requirements. The analysis may include Detailed Architectural Design Phase
Failure Modes Effects Analysis (FMEA), and Mission Criticality
Analysis.
Uc_HomingAndManualMode_WB_Sc1
User Proc1 Proc2 Proc3
displaySystemStatus(SystemStatus)
reqSetOpMode("Manual")
setOpMode("Manual")
reqSetAxis("AxisC")
setAxis("AxisC")
reqSetDirection("DirectionA")
setDirection("DirectionA")
reqSetSpeed(Speed)
setSpeed(Speed)
reqCheckPosAxisK()
checkPosAxisK(StatusAxisK)
CheckPosAxisG(StatusAxisG)
reqCheckStatusAxisC()
checkStatusAxisC(StatusAxisC)
mvCmddAxisL_Slow()
reqDisplaySystemStatus()
displaySystemStatus(SystemStatus)
Fig. 2-15 Derivation of White-Box Scenarios from a Use Case White-Box Activity Diagram (ref. Fig.2-13)
2.2.4 Systems Engineering Hand-Off
In a Model-Driven Development the key artifact of the hand-off from

systems engineering to the subsequent system development is the
baselined executable model. This model is the repository from which
specification documents (e.g. HW/SW Requirements Specifications,
ICDs …) are generated. Scope and content of the hand-off is
dependent on the characteristics of the project and the organizational
structure systems engineering is embedded.
If the SuD is one specific software configuation item (CI), systems

engineering may stop at the system functional analysis level. In this
case, the hand-off will be executable use case models.
From the organizational point of view, if there is a separation between

systems engineering and subsystems engineering, systems
engineering may stop at the first level of system architecture
decomposition. In this case the hand-off will be composed of relevant
executable subsystem models.
If systems engineers hand-off their specifications directly to HW/SW

development, the hand-off will be respective executable HW and/or
SW configuration item (CI) models.
In any of these cases the hand-off packages are composed of:

● Baselined executable CI model(s)
● Definition of CI-allocated operations including links to
the associated system functional and performance
requirements
● Definition of CI ports and logical interfaces
● Definition of CI behavior, captured in a statechart
diagram
● Test scenarios, derived from system-level use case
scenarios
● CI-allocated non-functional requirements
It should be noted, that the baselined System Architecture model
becomes the reference model for further development of system
requirements.
2.3 Essential SysML Artifacts of Model-based Systems Engineering

SysML defines the standardized “vocabulary” of the language for
SysML
SysMLDiagrams
Diagram
model-based systems engineering. As a standard, this vocabulary
needs to cover all possible applications. But SysML does not specify
how to apply these words. Systems engineering is strongly
communication driven. Systems engineers have to communicate with
Structural
StructureDiagrams
Diagram Behavioral
BehaviorDiagrams
Diagram Requirements Diagram
stakeholders from different domains, like electrical engineers,
mechanical engineers, software engineers, test engineers, and - not to
forget - the customer who is not necessarily an engineer. In such an Block
BlockDefinition
DefinitionDiagram
Diagram Use
UseCase
CaseDiagram
Diagram
environment it is paramount to keep the language domain independent
and as simple as possible. The goal should be to minimize the Internal
InternalBlock
BlockDiagram
Diagram Sequence
SequenceDiagram
Diagram
amount of language elements. The fewer elements are used, the
better. The compliance to a standard does not mean that all elements Activity Diagram
Activity Diagram
of this standard have to be applied. It is good practice to standardize Parametric
Parametric
Diagram
Diagram
the usage of SysML within the organization, if a company wants to Statechart
StatechartDiagram
Diagram
deploy SysML-based systems engineering. This paragraph provides
an overview of the SysML artifacts that are considered essential in the
model-based systems engineering process Harmony for Systems Fig.2-17 Taxonomy of SysML Diagrams Used in Harmony for
Engineering. Systems Engineering
SysML reuses a subset of the UML 2.1 and extended it by systems Fig.2-17 shows the taxonomy of SysML diagrams used in Harmony for
engineering specific constructs. Fig.2-16 visualizes the relationship Systems Engineering. Essentially, there are three categories of
between the UML and SysML by means of a Venn diagram, where the diagrams:
set of language constructs that comprise the UML and SysML
languages are shown as circles marked UML 2.1 and SysML 1.0, - Structure Diagram,
respectively. The intersection of the two circles indicates the UML - Behavioral Diagram, and
modeling constructs that SysML reuses (UML4SysML). In order to - Requirements Diagram.
provide a seamless transition from systems engineering to software The color code of the Venn diagram is also applicable to this diagram.
development, a respective process should focus on UML4SysML. Some of the diagrams have two colors. This indicates that SysML
extended the initial UML artifact.
UML4SysML
The following paragraphs outline the usage of these diagrams in
Harmony for Systems Engineering. and list the elements that are
considered essential.
UML 2.1 SysML 1.0
Fig.2-16 Overview of UML/SysML Interrelationship
2.3.2 Structure Diagrams

2.3.1 Requirements Diagram
2.3.2.1 Block Definition Diagram
A Requirements Diagram graphically shows
The SysML Block Definition Diagram is the equivalent to a class
• the relationship among textual requirement elements diagram in the UML. It shows the basic structural elements (blocks) of
(<<derive>>, containment) the system and their relationships / dependencies. Internal connectors
• the relationship between requirements and model elements are not shown.
(<<trace>>, <<satisfy>>), and BDD_SuD
• the dependency between a requirement and a test case that
verifies that the requirement is met (<<verify>>).
block
SuD
A1 A2
RD_Reqs
«Requirement»
1 1
SRS_Req 1.1
« block» «pSS1_10
« block»
Containment
SS_A SS_B
Relationship
«Requirement» «Requirement»
SRS_Req 1.1.1.x SRS_Req 1.1.1
«derive»
«satisfy» «trace» Fig.2-19 Block Definition Diagram
«block» Uc2
SS_B
2.3.2.2 Internal Block Diagram
The SysML Internal Block Diagram shows the realization of the system
Fig.2-18 Requirements Diagram
structure defined in the Block Definition Diagram. It is composed of a
set of nested parts (i.e. instances of the system blocks) that are inter-
connected via ports and connectors.
IBD_SuD
1
1
itsSuD
1 1
itsA1 itsSS_A
pA1
pSuD pA1
pA1 pSS_B
pSS_B
1 1
itsA2 itsSS_B
pA2
pSuD pA2
pA2 pSS_A
pSS_A
Fig.2-20 Internal Block Diagram
Ports
A port is a named interaction point between a block or a part and its A standard port is specified via its provided and required interfaces. A
environment. It is connected with other ports via Connectors. The provided interface (denoted by a lollipop symbol) specifies a set of
SysML defines two types of ports: Standard Ports and Flow Ports. messages received at that port from elements outside the block. A
The main motivation for specifying such ports on system elements is required interface (denoted by a socket symbol) specifies a set of
to allow the design of modular reusable blocks, with clearly defined messages sent from that port to elements outside of the block. Thus,
interfaces. by characterizing an interface as required or provided, the direction of
the constituent messages at the port is defined.
Standard Ports
Flow Ports
A UML/SysML Standard Port is a named interaction point assigned to
a block, through which instances of this block can exchange A SysML Flow Port specifies the input and output items that may flow
messages. It specifies the services the owning block offers (provides) between a block and its environment. Input and output items may
to its environment as well as the services that the owning block include data as well as physical entities, such as fluids, solids, gases,
expects (requires) of its environment. and energy. The specification of what can flow is achieved by typing
the Flow Port with a specification of things that flow.
There are two different kinds of Standard Ports:
There are two different kinds of Flow Ports:
• Delegation or Relay ports forward requests to other ports.
• Behavioral ports are parts of the block that actually • An Atomic Flow Port relays a single item that flows in or out.
implements the service. • A Non-Atomic Flow Port relays multiple items, listed in a
respective “flow specification”.
Behavioral
Delegation Port
Port « Interface »
NavDat
« flowAttribute » Longitude(Out):double
1 itsB « flowAttribute » Latitude(Out):double
1 1 iB1_B2
itsA iA_B itsB1 Non-Atomic Flow Port
pA
pB pA
pA pB2
pB2
1 1
iA_B iA_B
iA_B itsGPS itsSuD
iB2_B1
iB2_B1
fp:NavDat fp:NavDat
1 iB2_B1
itsB2 Elevation:double Elevation:double
pB1
pB1
Speed:double Speed:double
iB1_B2
Atomic Flow Port
Required Provided
Interface Interface
Fig.2-22 Flow Ports

Fig.2-21 Standard Ports
2.3.2.3 Parametric Diagram 2.3.3 Behavior Diagrams

A Parametric Diagram is a special type of an Internal Block Diagram. UML/SysML provides four diagrams that express the functional and
It visualizes the parametric relationship between system properties. It dynamic behavior of a system:
is an integral part of technical performance measures and trade
studies. • Use Case Diagram
• Activity Diagram
Constraints among system properties are specified in Constraint • Sequence Diagram and
Blocks. Constraint blocks are defined in a Block Definition Diagram • Statechart Diagram
and “used” in the Parametric Diagram by binding their parameters to
the specific properties of a block Although each diagram focuses on a specific behavioral aspect, the
information provided by these diagrams overlap each other. For
BDD_MassConstraints instance, both the sequence diagrams and the activity diagrams
describe interactions. There may also be an overlap between the
behavior captured in activity diagram and the statechart diagram,
«ConstraintBlock»
NewtonLaw since SysML extended the UML activity diagrams by adding the
Constraints notation of dynamic behavior (control of actions).
force = mass * acceleration
mass:Kg
Attributes In order to minimize the overlap between the different behavioral
force:Newtons
acceleration:MetersPerSec^2
diagrams, decisions should be made upfront, which role the individual
diagrams should play in the context of the modeling workflow. The
next step should be to “standardize” the usage of diagram elements by
filtering-out in each diagram those elements that are considered
essential.
Fig.2-23 Constraint Block Definition in a Block Definition Diagram
ParD_TotalMass
1 «ConstraintProperty,ConstraintBlock»
itsNewtonLaw:NewtonLaw
force = mass * acceleration
«Attribute»
mass mass:Kg «Attribute»
force:Newtons force
«Attribute»
acceleration acceletation:MetersPerSec^2
Fig.2-24 Parametric Diagram
2.3.3.1 Use Case Diagram 2.3.3.2 Activity Diagram
A Use Case Diagram captures the functional requirements of a system An Activity Diagram is similar to the classic flow chart. It describes a
by describing interactions between users of the system and the workflow, business process, or algorithm by decomposing the flow of
system itself. Note that as a system is decomposed, users of a given execution into a set of actions and sub activities joined by transitions
system could be external people or other systems. A use case and various connectors. An activity diagram can be a simple linear
diagram comprises a system boundary that contains a set of use sequence of actions or it can be a complex series of parallel actions
cases. Actors lie outside of the system boundary and are bound to with conditional branching and concurrency.
use cases via associations.
NOTE: In Harmony for Systems Engineering the terms activity, action
and operation are synonymous.
A use case describes a specific usage (“operational thread”) of a
system:
Actions may be grouped and assigned to objects – e.g. subsystems.
• the behavior as perceived by the users (actors) and In this case, the activity diagram is split into swim lanes that depict the
• the message flow between the users and the use case. respective responsibilities.
A use case does not reveal or imply the system’s internal structure NOTE: Harmony for Systems Engineering uses a SysML activity pin
(“black-box view”). stereotyped ActorPin to visualize the interaction of an action/operation
UCD_SuD
with the environment. The name of the pin is the name of the
associated actor, the arrow in the pin shows the direction of the link.
pSS1_8
SuD
AD_Uc2
Uc1
Uc1 A1
op1
Uc2
pSS1_3
A1 A2
[C1]
op2 op5
A2
[else]
op4 op3 op6

Fig.2-25 Use Case Diagram
A2
When use cases get too complex, dependencies between use cases op7
may be defined:
• <<include>>
One use case includes another Fig.2-26 Activity Diagram
• <<extend>>
One use case provides an optional extension of another
• Generalization
One use case is a more specialized or refined version of another
2.3.3.3 Sequence Diagram 2.3.3.4 Statechart Diagram
Sequence Diagrams elaborate on requirements specified in use cases A Statechart Diagram describes the state-based behavior of a block.
and activity diagrams by showing how actors and blocks collaborate in In the Harmony for Systems Engineering workflow it is considered the
some behavior. A sequence diagram represents one or more most important behavior diagram, as it aggregates the information
scenarios through a use case. from both the activity diagram (functional flow) and the sequence
diagrams (interactions with the environment), and adds to it the event-
A sequence diagram is composed of vertical lifelines for the actors and driven block behavior. As the “language” of statecharts is formally
blocks along with an ordered set of messages passed between these defined, the correctness and completeness of the resulting behavior
entities over a period of time. can be verified through model execution.
• Messages are shown as horizontal lines with open arrows between
Statechart diagrams are finite statemachines that are extended by the
the vertical object lines (lifelines).
notation of
NOTE: UML/SysML differentiates between synchronous and
asynchronous messages. In Harmony for Systems Engineering the • Hierarchy
message-based communication is described via asynchronous • Concurrency
messages (two-line arrowhead). Basically, a statechart diagram is composed of a set of states joined
• Operations are depicted as reflexive (synchronous) messages (full by transitions and various connectors. An event may trigger a
arrowhead) at associated lifelines. transition from one state to another. Actions can be performed on
transitions and on state entry/exit
• Quality of Service (QoS) requirements may be added as comments
and/or constraints. SCD_Uc1Ctrl
S1
SD_Uc1_Sc1 op1
itsA1 itsUc1
op1() S2 reqDeactivateS2 reqActivateS2
reqActivateS2()
C1==true
A21
/op2
tm(5)/op4
parallel op2() [C1==true]/op3
S211 S22
Interaction Operator
10 ms tm(10)
setStatus()
[else]/op5 S212
setStatus to pA1
op3()
ev2 ev1
5 ms op4() S213
reqDeactivateS2()
op1()
Fig.2-28 Statechart Diagram
Fig.2-27 Sequence Diagram
2.3.4 Artifact Relationships at the Requirements

Analysis / System Functional Analysis Level
Fig.2-29 shows, how the different SysML artifacts are related to each
other at the requirements analysis and system functional analysis
level.
Use Case Diagram Requirement Requirements Diagram
3..* 1
• A Requirements Diagram visualizes the dependencies of at least 3
requirements.
1 1..*
• A Use Case Diagram contains minimum one Use Case. is traced to
1..*
Use Case Internal Block Diagram
• Use cases are traced to at least one requirement.
1..*
1 1
is described by
• A use case should always have one Activity Diagram that captures
1 1
the functional flow. 2..*
1 5..*
Activity Diagram Sequence Diagram Block
• A use case should be described by at least 5 Sequence Diagrams.
• When it comes to building an executable use case model, the

1
model is described by an Internal Block Diagram
1
Statechart Diagram
• The Internal Block Diagram should contain instances of at least two
Blocks (use case block and actor block(s)).
Requirements Analysis Functional Analysis
• The state-based behavior of each block instance is described by a

Statechart Diagram. Fig.2-29 SysML Artifacts Relationship at the
Requirements Analysis / System Functional Analysis Level
2.4 Service Request-Driven Modeling Approach

In the Service Request-Driven Approach, the communication between blocks is based on asynchronous messages (“service requests”) via SysML
Standard Ports. A service request always is followed by an associated provided service at the receiving part – either state/mode change or operation.
First, the service requests and associated operations have no arguments. At a later stage arguments may be added to the service requests and
associated operations or listed in the associated description field of the relevant service request and associated operation.
IBD_SuD
1
1
itsB1:B1
1
itsB2:B2
The approach is performed in four steps:
2
itsB2
itsB1 1 It starts with the definition of the network
reqOperation1()
operation1()
nodes by means of SysML structure
reqSetMode(ModeX)
diagrams, using blocks as the basic
structure elements. First, these blocks are
ModeX empty and not linked.
reqOperation2()
IBD_SuD operation2() 2 In the next step, the communication between
1
3 the blocks is described in a UML/SysML
reqOperation3()
itsB1:B1 1
itsB2:B2
B2 operation3() Sequence Diagram.
pB1 NOTE: In the Rhapsody tool the Sequence
reqOperation4()
reqOperation2
reqOperation4
reqSetMode
reqSetMode Diagram may be automatically generated
reqOperation1
reqOperation1 operation4()
operation2 reqOperation3
reqOperation3 from an underlying Activity Diagram by
operation4 operation1
operation1
operation3
operation3
means of the SE Toolkit (ref section 4.3.1.3)
The next step is the allocation of the service

3 requests and operations to respective blocks.
NOTE: In the Rhapsody tool this step is
IBD_SuD
iB1_B2 iB1_B2
automated through the Auto Realize feature.
1 1
itsB1:B1 itsB2:B2
B2
pB2 pB1
pB1 Based on the allocated service requests, the
reqOperation2 reqSetMode associated SysML Standard Ports and
reqOperation1
reqOperation4
operation2
iB2_B1 iB2_B1 reqOperation3 interfaces now can be defined.
operation4 operation1
operation3
4 NOTE: In the Rhapsody tool this step is
semi-automated by means of the SE-Toolkit
«Interface» «Interface»
(ref. section 4.3.1.4).
Interface
iB1_to_B2
iB1_to_B2 iB2_to_B1
4 reqOperation2
reqOperation2 reqSetMode
reqOperation4
reqOperation4 reqOperation1
reqOperation3
Rhapsody Project Structure
3 Rhapsody Project Structure

This section describes the project structure that should be followed when the Rhapsody tool is used in a model-based systems engineering project.
The details are shown considering as an example the Security System Model of the deskbook case study.
3.1 Project Structure Overview

On the top-level, the project structure shows two types of packages:
• Packages that contain the artifacts generated in the different SE-
phases, i.e.
- RequirementsAnalysisPkg
- FunctionalAnalysisPkg
- DesignSynthesisPkg
• Packages that contain system-level model definitions, i.e.
- ActorPkg
- InterfacesPkg and
- TypesPkg
Project Structure Overview
3.2 Requirements Analysis Package

Constituents of the RequirementsAnalysisPkg are
• RequirementsPkg and
• UseCaseDiagramsPkg
Constituents of the RequirementsPkg are
• StakeholderRequirementsPkg,
• SystemRequirementsPkg, and
• DerivedRequirementsPkg
The StakehoderRequirementsPkg contains the imported stakeholder

(“capability”) requirements specification.
The SystemRequirementsPkg contains the actual system

requirements (“shall” statements), generated from the stakeholder
requirements. During requirements analysis and system functional
analysis, there is no sub-structure. At the end of the architectural
design phase, system requirements are grouped into allocation-related
packages. Each of the packages may contain a folder with associated
requirements diagrams.
During the system functional analysis and design synthesis phase

additional requirements may be identified. First, they will be located in Requirements Analysis Package
the DerivedRequirementsPkg. Once they are approved, they will be
exported to DOORS, linked to the associated model artifacts and
moved into allocation-related packages.
The UseCaseDiagramsPkg contains the system-level use case

diagram(s).
NOTE: Initially, use cases and actors are located in the

UseCasesPkg. In the system functional analysis phase use cases are
moved into respective use case packages in the
FunctionalAnalysisPkg and the associated actors are moved into the
ActorsPkg.
3.3 Functional Analysis Package

System functional analysis in Harmony for Systems Engineering is use
case based. Each use case of the system-level use case diagram(s) is
translated into an executable model. The FunctionalAnalysisPkg
contains the artifacts generated in the system functional analysis phase.
For each use case of the use case diagram, there is a package
<UseCaseName>Pkg that contains the associated model artifacts:
• A category blocks containing the definition of the use case block

Uc_<UseCaseName>. This block includes the associated statechart
diagram.
• A folder Internal Block Diagrams with the internal block diagram

IBD_<UseCaseName>
• A folder Packages that contains

- A package <UseCaseName>_ExecutionScopePkg that defines
the context of the use case model execution, i.e. the instances of
the actor(s) and the use case block as well as the definition of their
links.
- A package <UseCaseName>_BBScenariosPkg which holds the
use case scenarios.
• A category Use Cases with the use case descriptions, i.e.

- The category Activity Views which contains the black-box activity
diagram <UseCaseName>_BlackBoxView and a folder
Sequences that contains the references to use case scenarios,
which were derived from the black-box activity diagram (ref.
section 4.3.1.3).
- The category Association Ends which contains the definitions of the Functional Analysis Package
associations between the actor(s) and the use case.
- The category Dependencies which contains the trace dependencies
between the use case and the associated system requirements.
3.4 Design Synthesis Package

The DesignSynthesisPkg is partitioned into two packages 3.4.1 Architectural Analysis Package
• ArchitecturalAnalysisPkg and The ArchitecturalAnalysisPkg contains the artifacts that are created
• ArchitecturalDesignPkg when a trade-off analysis is performed prior to the architectural design.
For details please refer to section 4.4.1.
Design Synthesis Package Architectural Analysis Package
3.4.2 Architectural Design Package
Constituents of the ArchitecturalDesignPkg are:
• A folder Block Definition Diagrams with the SuD level 1 block

definition diagram BDD_<SuDName>
• A category blocks containing the definitions of the SuD block,

including instances of its parts and the definition of associated
Delegation Ports.
• A folder Internal Block Diagrams with the internal block diagram of

the SuD system architecture IBD_<SuDName>
• A folder Packages that contains

- An ExecutionScopePkg which defines the context of the
architectural model execution, i.e. the instances of the actor(s) and
the SuD block as well as the definition of their links.
- A package <BlocK>DecompositionPkg the constituents of which

are:
• A package <Block>WB_AD which contains the decomposed
white-box activity diagrams of the system use cases,
• A package <Block>WB_UcSD which holds the decomposed
system use case scenarios,
• Packages <Part>Pkg, each of which holds the definitions of
the relevant part. If a part is further decomposed, it will
contain a package <Part>DecompositionPkg with packages
of its associated sub-blocks each of which will be
decomposed according to the outlined structure.
Architectural Design Package
3.5 System-Level Definitions

On the top-level of the project structure there are three packages for
system-level definitions:
• ActorPkg
• InterfacesPkg
• TypesPkg
The ActorPkg contains the definitions of all the actors identified in the
system-level use case diagram(s). Each actor block may contain a
statechart diagram.
The InterfacesPkg contains the definition of interfaces and associated

events. The interfaces are grouped in packages corresponding to the
associated use case model(s) and the system architecture model.
The TypesPkg contains the system-level data definitions.
System-Level Definitions
Case Study: Getting Started
4 Case Study: Security System

Harmony for Systems Engineering is a tool independent process. In this section a case study exemplifies, how the workflow that was outlined in the
previous sections is applied using the Rhapsody tool. The chosen example is a Security System.
The case study covers all phases of the model-based systems engineering process, i.e. requirements analysis, system functional analysis, and
design synthesis, including associated requirements management and traceability. The workflow starts with the import of stakeholder requirements
into Rhapsody and ends with the definition of an executable architecture model. The architectural design concept is elaborated through a trade study.
The case study also addresses the hand-off to the subsystem development.
The Rhapsody tool supports model-based systems engineering through a special add-on – the SE-Toolkit. This toolkit contains features that
automate many of the tasks in a systems engineering workflow. It should be noted, that most of these features are process-independent. The focus
of this case study is on the usage of these features in the different phases of Harmony for Systems Engineering.
It is assumed, that the reader is familiar with the Rhapsody tool.
4.1 Getting Started

A Harmony for Systems Engineering compliant project structure (ref.
section 2) may be created by means of the SE-Toolkit feature Create
Harmony Project.
1 Start Rhapsody
In the main menu select File > New 5

2
Enter project name (SecuritySystem) and
select/define the associated project directory.
3
For the Type select the SysML profile.
Add the Harmony profile:

4
In the main menu select File > Add Profile to Model
Double-klick Harmony
Double-klick Harmony.sbs
5 Right-click the project name in the browser and

select SE-Toolkit\Create Harmony Project.
Case Study: Requirements Analysis
4.2 Requirements Analysis

The workflow followed in the case study is shown in Fig. 4-1. An
important part of the workflow is the definition of trace links between
the generated system requirements and the associated stakeholder
requirement as well as the trace links between the system Import
Stakeholder ReqSpec
requirements and the use cases. The creation of respective
dependencies is supported by the Rhapsody SE-Toolkit.
Generate
System Requirements
Once the system-level use cases are defined and the complete
coverage of the functional and non-functional system requirements is
assured, the requirements analysis phase ends Link
SE-Toolkit Feature:
Sys Reqs to Stakeholder Reqs
with satisfy Dependency Create Dependency
NOTE: Requirements traceability by means of the Rhapsody
Gateway and Teleogic Doors will not be addressed in this case
study. Define
System-Level Use Case
Link
System Use Case to Reqs
SE-Toolkit Feature:
with trace Dependency Create Dependency
[else]
[All requirements traced
to System Use Cases]
Fig.4-1 Requirements Analysis Workflow and its Support through

the Rhapsody SE-Toolkit
4.2.1 Import of Stakeholder Requirements
Requirements analysis starts with the import of the stakeholder

requirements specification into Rhapsody. The requirements may be
imported manually or via the Rhapsody Gateway. In the case study
the stakeholder requirements are imported from a Word document
through the Rhapsody Gateway.
Rhapsody Gateway puts the stakeholder requirements into the
RequirementsPkg. The original Word document can be found in the
Controlled Files folder. Stakeholder requirements are located in the
StakehoderRequirementsPkg and stereotyped <<fromWord>>.
Security System – Stakeholder Requirements Specification

System Overview
SS12: Access Priority and Time
SS1:System Summary The system will only process one user at a time, giving them sufficient time to enter
A security system is to be developed that controls entry and exit to a building through a and exit the area before automatically securing itself.
single point of entry. Identification of personnel will be made by two independent
checks. Each person will be photographed upon entry and their time in the building SS13: Exit requirements
monitored. The user is not allowed to exit until the security card has been successfully authorized.
Nominal System Specifcation Personnel Monitoring
SS11: Security Checks MA1: Image Capture

Secure areas are to be protected by two independent security checks, one based upon An image is to be taken of any person, at the first attempt, when trying to access a
an employee ID and one based upon biometric data. Access to secure areas will be secure area for logging time and employee ID.
unavailable until the users ID is confirmed. The time between the two independent
security checks will not exceed a configurable period. The user is allowed three MA2: Time monitoring
attempts at biometric and / or card identification before access is completely disabled. The time a user spends in a secure area is to be recorded. An alarm will notify
Any denied access attempt is to be recorded and sent to the administrator. administration/security if a person stays longer than 10 hours in the secure area.
Identification Requirements Emergency Requirements
SS111: Security Card E1: Emergency Exit

Access will be denied to any user unless he has a valid Security Card. Security cards In the event of an emergency the administrator can invoke a "Free Exit Mode". All
only contain the employee name and ID and will be renewed yearly. Out of date security checks for exiting the area are to be disabled until the administrator returns the
security cards cause a denial of access. system to normal working.
SS112: Biometric Scan E2: Security Lockdown

Access will be denied to any user unless their biometric data is recognized. The The administrator can invoke a security lockdown mode - in this event the system will
biometric data is to be stored in the system database and not on the security card. lock all access points until the administrator returns the system to normal working.
Fig.4-2 Stakeholder Requirements Specification
4.2.2 Generation of System Requirements
Stakeholder requirements typically are problem-oriented statements.

They focus on required capabilities. Once they are imported into
Rhapsody, they need to be converted into solution-oriented (“shall”)
statements. The output of this transformation process is the –
preliminary – System Requirements Specification.
System requirements are derived by decomposing the stakeholder

requirements into sets of basic required functionality. Tab. 1 lists the
identified system requirements. They form the basis for the
subsequent system functional analysis and design synthesis phases.
System requirements are stored in the SystemRequirementsPkg of the

RequirementsAnalysisPkg.
ID System Requirement Req. Type ID System Requirement Req. Type

Authorization of Security Card - Entry
SS11-1
Two Independent Security Checks
Constraint Functional
SS111-2 Access to the secure area shall only be allowed with a valid security
Secure areas shall be protected by two independent security checks. Requirement
card.
Employee ID Card Identification - Entry
Functional Security Card Renewal Functional
SS11-2 Entry shall be protected by a security check based upon employee SS111-3
Requirement Security cards shall be renewed yearly. Requirement
ID.
Functional Out of Date Cards - Entry Functional
SS11-3
Employee ID Card Identification - Exit SS111-4
Exit shall be protected by a security check based upon employee ID. Requirement Out of date cards shall deny entry. Requirement
Out of Date Cards - Exit Functional
Biometric Scan
Functional SS111-5
SS11-4 Entry to the secure areas shall be protected by a second Out of date cards shall deny exit. Requirement
Requirement
independent security check, based upon biometric data Approval of Biometric Data
Functional
SS112-1 The user shall not be allowed access unless his/her biometric data are
Time Between Two Independent Checks Requirement
SS11-5 The time between the two independent security checks shall not Constraint recognized.
exceed a configurable period. Biometric Data Storage
Configure Time Between Two Independent Checks SS112-2 Biometric data shall be stored in the system database and not on the Constraint
Functional security card.
SS11-6 The time between two independent security checks shall be
Requirement
configurable. Processing User Request
SS12-1 Constraint
Three Attempts On Employee ID Entry The system shall only process one user at a time.
Functional
SS11-7 Upon entry the user shall be allowed three attempts on card Entry Time
Requirement SS12-2 Constraint
identification. The user shall be given sufficient time to enter the secure area.
Three Attempts On Biometric Data Entry Functional Exit Time
SS11-8 SS12-3 Constraint
Upon entry the user shall be allowed three biometric data entries. Requirement The user shall be given sufficient time to exit the secure area.
Three Attempts On Employee ID Exit Configure Entry and Exit Time Functional
Functional SS12-4
SS11-9 Upon exit the user shall be allowed three attempts on card The time to enter and exit the area shall be customizable. Requirement
Requirement
identification.
Automatic Securing the Secure Area - Entry
Denied Entry Notification Functional
Functional SS12-5 Once the user has entered the area, the system shall automatically
SS11-10 Any denied access attempt shall be logged and account details sent Requirement
Requirement secure itself.
to the administrator
Automatic Securing the Secure Area - Exit
Denied Exit Notification Functional
Functional SS12-6 Once the user has exited the area, the system shall automatically
SS11-11 Any denied access attempt shall be logged and account details sent Requirement
Requirement secure itself.
to the administrator
Authorization of Security Card - Exit
Alarm - Entry Functional Functional
SS11-12 SS13-1 The user shall not be allowed to exit until the security card has been
On a denied entry an alarm signal shall be raised. Requirement Requirement
successfully authorized.
Alarm - Exit Functional Image Capture
SS11-13 Functional
On a denied exit an alarm signal shall be raised. Requirement MA1-1 An image shall be taken of any person, at the initial attempt, when
Requirement
Disabling User Account trying to access a secure area.
Functional
SS11-14 After three failed attempts at card identification or biometric data Time Recording Functional
Requirement MA2-1
entry the user account shall be disabled The time a user spends in a secure area shall be recorded. Requirement
Visualization of Security Card Check Status - Entry Timelimit Violation
Functional Functional
SS11-15 The user shall be visually informed about the status of his/her ID MA2-2 An alarm shall notify the administration if a person stays longer than 10
Requirement Requirement
card check. hours in the secure area.
Visualization of Security Card Check Status - Exit Emergency Exit
Functional
SS11-16 The user shall be visually informed about the status of his/her ID In the event of an emergency all security checks for exiting the area Functional
Requirement E1-1
card check. shall be disabled until the administrator returns the system to normal Requirement
Visualization of Biometric Data Check Status working.
The user shall be visually informed about the status of his/her Functional Security Lockdown
SS11-17 Functional
biometric data check Requirement E2-1 In the event of a security lockdown, the system shall lock all access
Requirement
points until the administrator returns the system to normal working.
Tab.4-1 System Requirements for the Security System
4.2.3 Linking System Requirements to Stakeholder Requirements
System requirements are linked to the associated stakeholder

requirements through a <<satisfy>> dependency. The creation of this
dependency is supported by the SE-Toolkit feature Create
Dependency.
In the Tools Menu select Tools > SE-Toolkit\Modeling Toolbox

1 4
In the dialog box select Dependencies.
Select dependency Satisfy.
2 In the SystemRequirementsPkg
select a system requirement.
3 In the ModelingToolbox dialog box

click Set Source.
4 In the StakeholderRequirementsPkg
select the associated stakeholder requirement. 2
5
In the SE-Toolkit dialog box
click Set Destination.

Click Create Dependency.
3 5
6
1
Visualization of the <<satisfy>> Dependencies in a Requirements Diagram

In the RequirementsPkg create a Requirements Diagram Move the stakeholder requirements and system requirements into
1 2
RD_SysReqsToSHReqsLinks. the diagram.
3 In the Tools Menu select Layout > Complete Relations > All
RD_SysReqsToSHReqsLinks
Disabling User Account
ID = SS11-14
Approval of Biometric Data Three Attempts On Employee ID Entry

Time Recording
ID = SS112-1 ID = SS11-7
ID = MA2-1
Three Attempts On Employee ID Exit

Security Lockdown Biometric Data Storage
Alarm Conditions
ID = SS11-9
ID = E2-1 «satisfy» ID = SS112-2
ID = MA2-2
«satisfy»
«satisfy» «satisfy» «satisfy» Time Between Two Independent Checks
ID = SS11-5
«fromWord» «fromWord»
«fromWord»
E2 - Security Lockdown MA2 - Time monitoring SS112 - Biometric Scan «satisfy»
Denied Entry Notification
«satisfy» ID = SS11-10
«satisfy»
Denied Exit Notification
Emergency Exit Image Captue
ID = E1-1 ID = MA1-1
«satisfy» «satisfy» Three Attempts On Biometric Data Entry

«satisfy»
ID = SS11-8
«fromWord» «fromWord» «satisfy»
E1 - Emergency Exit MA1 - Image Capture
«satisfy»
ID = SS11-1
«Requirement» «fromWord» «satisfy»

SS1 - Enty and Exit Control System SS11 - Security Checks Visualization of Security Card Check Status - Exit
Visualization of Security Card Check Status - Entry

«fromWord» «fromWord» «satisfy»
SS13 - Exit requirements SS12 - Access Priority and Time ID = SS11-15
«satisfy»
«satisfy» «satisfy» Employee ID Card Identification - Entry

«satisfy» «satisfy»
Processing User Request Exit Time ID = SS11-2
ID = SS12-1 ID = SS12-3 Alarm - Exit
Authorization of Security Card - Exit Entry Time
«fromWord»
SS111 - Security Card «satisfy»
ID = SS13-1 ID = SS12-2 Alarm - Entry
Employee ID Card Identification - Exit
«satisfy»
Accesss Precondition Security Card Information ID = SS11-3
ID = SS111-2 ID = SS111-1
Visualization of Biometric Data Check Status
«satisfy»
ID = SS11-17
Out of Date Cards - Exit Out of Date Cards - Entry
ID = SS111-5 ID = SS111-4 Biometric Scan
ID = SS11-4
4.2.4 Definition of System-Level Use Cases
The system requirements of the Security System are grouped into

three use cases:
• Uc1ControlEntry
• Uc2ControlExit
• Uc3ConfigureSecuritySystem
The associated actors are
• User
• Administrator
• Camera and
• Access Point
Open UCD_SecuritySystem and draw the use case diagram with the
three use cases and the associated actors.
UCD_SecuritySystem
NOTE: At this stage, the actor blocks and use cases are allocated
in the UseCaseDiagramsPkg.
Security System
Uc1Control Entry
User Camera
Uc2Control Exit
Admin AccessPoint
Uc3ConfigureSecurity
System
Use Case Diagram of the Security System
4.2.5 Linking Requirements to Use Cases

In the Tools Menu select
System functional and performance requirements are linked to the use 1 Tools > SE-Toolkit\Modeling Toolbox
case with a <<trace>> dependency. There are two ways to implement In the dialog box select Dependencies.
this dependency: Tick dependency Trace.
- in the browser, using the SE-Toolkit feature Create Dependency
- graphically, in a Requirements Diagram. 2 In the UseCaseDiagramsPkg
It is recommended to start with the toolkit feature Create Dependency. select use case Uc1ControlEntry.
If necessary – e.g. for discussions or documentation purposes - the
dependencies may then be visualized in a Requirements Diagram. In the ModelingToolbox dialog box
3
click Set Source.
Exemplary, the linking process will be shown for the use case
Uc1ControlEntry. The respective links of the other use cases are In the SystemRequirementsPkg
listed in the Appendix. 4 select the requirement the use case is linked to.
In the ModelingToolbox dialog box

5

6
click Create Dependency.
3 5
2 1 6
Visualization of the <<trace>> Dependencies in a Requirements Diagram
1 In the SystemRequirementsPkg create a package 3 Move the use case and the allocated requirements into the
Uc1_RequirementsPkg. diagram.
In the Uc1_RequirementsPkg create a Requirements Diagram 4 In the Tools Menu select Layout > Complete Relations > All.
2
RD_Uc1LinksToSysReqs.
RD_Uc1LinksToSysReqs
«Requi rement»
ID = SS11-1
«Requi rement» «Requi rement»
Im age Capture Three Attem pts On Biom etric Data Entry
ID = MA1-1 ID = SS11-8

Employee ID Card Identification - Entry Biom etric Scan
ID = SS11-2 ID = SS11-4
«Requirement» «Requi rement»

Accesss Precondition «trace» Appr oval of Biometric Data
«trace» «trace»
ID = SS111-2 ID = SS112-1
«trace» «trace»
Three Attem pts On Em ployee ID Entry Visualization of Biometric Data Check Status
«trace» «trace»
ID = SS11-7 ID = SS11-17
«trace» «trace»
Processing User Request Uc1 Control Biom etric Data Storage
«trace» Entry «trace»
ID = SS12-1 ID = SS112-2
«Requi rement» «trace» «Requi rement»

«trace»
Security Card Inform ation Denied Entry Notification
ID = SS111-1 «trace» «trace» ID = SS11-10
«Requi rement»
«trace» «trace» «Requi rement»
Out of Date Cards - Entry Disabling User Account
«trace» «trace» «trace»
ID = SS111-4 ID = SS11-14

Visualization of Secutity Card Check Status - Entry Alarm - Entry
ID = SS11-15 ID = SS11-12

Entry Time Autom atic Securing the Area - Entry
ID = SS12-2 ID = SS12-5
«Requi rement»
Tim e Between Two Independent Checks
ID = SS11-5
Case Study: System Functional Analysis
4.3 System Functional Analysis

System functional analysis is use case based. Each use case is The system functional analysis workflow is supported by a number of
translated into an executable model. The model and the underlying features of the Rhapsody SE-Toolkit. Fig.4-3 details the workflow
requirements then are verified through model execution. Exemplarily, and lists its support through the SE-Toolkit in the respective phases.
the two use cases Uc1ControlEntry and Uc2ControlExit will be NOTE: In the case study, the chosen approach essentially follows the
translated into executable models. “Alternative 2” approach described in section 2.2.3.
Define SE-Toolkit Feature:

Use Case Model Context Create System Model from Use Case
SE-Toolkit Feature:
Define • Add Actor Pins
UC Functional Flow • Auto-Rename Actions
SE-Toolkit Feature:
Derive
UC Scenarios • Create New Scenario from Activity Diagram
• Perform Activity View Consistency Check
Define SE Toolkit Feature:

Ports and Interfaces Create Ports And Interfaces
Derive
UC State-based Behavior
Verify UC Model
through Model Execution
Link
UC Block Properties to Reqs
SE-Toolkit Feature:
with satisfy Dependency Create Dependency
[Next Use Case]
[else]
Merge SE-Toolkit Feature:
Uc Blocks in SuD Block Merge Blocks
Fig.4-3 System Functional Analysis Workflow and its Support through the Rhapsody SE-Toolkit
4.3.1 Uc1ControlEntry
4.3.1.1 Project Structure of the Uc1 Model
A project structure that complies with the recommended one outlined

in section 3, may be created automatically by means of the SE-Toolkit
feature Create System Model From Use Case.
1 Right-click use case Uc1 Control Entry and select

SE-Toolkit\Create System Model From Use Case.
UCD_SecuritySystem
4
5
2 Uc1ControlEntry associated actor blocks are moved into the
ActorPkg.
3 IBD_Uc1ControlEntry contains the instances of the actors and

the use case block created through the SE-Toolkit feature (no
links between the parts).
4 System Block Uc_Uc1ControlEntry created through the SE-

Toolkit feature.
5 The use case - incl. its requirements links – is moved into the 2
Uc1ControlEntryPkg in the FunctionalAnalysisPkg. Additionally,
the Toolkit feature created an empty Activity Diagram
(Uc1ControlEntryBlackBoxView).
4.3.1.2 Definition of Uc1 Functional Flow Uc1ControlEntryBlackBoxView

User
readSecurityCard
There is always a discussion whether actor swim lanes should be Camera
shown in an activity diagram. In many cases this may lead to “messy”, [First Request] «MessageAction»
hard to read diagrams. Focus of the activity diagram should be on the takePicture
system’s internal functional flow. [else] [else]
A recommended alternative is to capture the interactions of an action [ScFailCount==3] validateSecurityCard

with the environment by means of a SysML Action Pin, stereotyped
ActorPin (e.g. readSecurityCard). In this case the name of the flagSecurityCardFailure
displayCardStatus
ActorPin must be the name of the associated actor. The arrow in the
pins shows the direction of the respective link (i.e. In, Out or In/Out).
The creation of actor pins is supported by the SE-Toolkit (right-click on
the relevant action and select Add Actor Pins). [else]
[CardStatus Valid]
The SE-Toolkit feature Create New Scenario From Activity Diagram [Timeout BiometricScan]
uses the pin information when deriving sequence diagrams from the User [else]
activity diagram (ref. Section 4.3.1.3). [else] scanBiometricData
NOTE: The action node resetAlarm – initiated by the Administrator – [BsFailCount==3]

was added although there is no respective system requirement. It is authenticateBiometricData
considered a derived requirement. Derived requirements are flagBiometricScanFailure
stereotyped <<DerivedRequirenent>> and stored in the Admin displayAuthenticationStatus
DerivedRequirementsPkg. disableUserAccount
[else]
[BiometricData Authenticated]
logAccountData
logEntryData
AccessPoint
alarm
«MessageAction»
Admin
unlockAccesspoint
resetAlarm AccessPoint [Timeout Unlocked]
«MessageAction»
lockAccesspoint
NOTE: If an activity diagram contains too many details,

some actions may be placed in a Reference Activity
Diagram. Do not use SubActivity Diagrams because these
can contain actions only for a single swim lane. In the later
white-box activity diagrams the actions may span a number
of swim lanes. For more details please refer to Appendix A4.
Uc1ControlEntryBlackBoxView
4.3.1.3 Definition of Uc1 Scenarios

3
Use case scenarios are created from the black-box activity

diagram by means of the SE-Toolkit feature Create New Scenario
From Activity Diagram.
1 In the Tools Menu

select Tools > SE-Toolkit\Modeling Toolbox.

select Generate SDs.
3 Hold down Ctrl and select in the black-box

activity diagram a sequence of actions. 1)

click Set Source.
4
5 In the browser select
system block Uc_Uc1ControlEntry.

7 In the ModelingToolbox dialog box click

Create New Scenario From Activity Diagram.
1
) Alternatively select a single action as the source.
The tool will auto-create the sequence until it
reaches a condition connector. The user is then
given the choice of which path to take.
7 6
Extending the Automatically Generated Sequence Diagram

In the automatically created sequence diagram the lifeline of the use Uc1_Sc1
case block shows the sequence of realized operations, which User Uc_Uc1ControlEntry AccessPoint Camera
corresponds to the chosen sequence of actions in the activity diagram.
The sequence diagram further shows the lifelines of those actors that
interact with the use case as well as the associated message
Uc1_Sc1 (Nominal Scenario)
exchanges. The direction of the message exchange corresponds to Preconditions:
the one defined in the pin of the relevant action in the activity diagram. Security System configured
The message names are generic and need to be manually updated

and realized.
reqReadSecurityCard()
readSecurityCard()
reqTakeSnapshot()
Uc1_Sc1
validateSecurityCard(CardStatus)
User Uc_Uc1ControlEntry AccessPoint Camera

displayCardStatus(CardStatus)
t_Bs
message_0()
SecurityCard Valid
readSecurityCard()
reqScanBiometricData()
message_1() scanBiometricData()
displayCardStatus(CardStatus) authenticateBiometricData(AuthenticationStatus)
message_2() displayAuthenticationStatus(AuthenticationStatus)
scanBiometricData()
logEntryData()
Use r
authenticateBiometricData(AuthenticationStatus)
readSecurityCard
Cam e ra
[Firs t Request] «M ess ageAction»

[else]
takePicture
displayAuthenticationStatus(AuthenticationStatus)
[ScFailCount==3]
[else]
validateSecurityCard
BiometricData Authenticated
flagSecurityCardFailure
displayCardStatus
logEntryData()
[else]
[CardStatus V alid]
reqUnlockAccessPoint()
[Tim eout Biom etricScan]
t_Unlocked
[else]
Use r [else]
scanBiom etricData message_4() evAccessPointUnlocked()

[BsFailCount==3]
flagBiome tricScanFailure
authenticateBiometricData
message_3()
Adm in displayAuthe nticationStatus reqLockAccessPoint()
disableUs erAccount message_6()
[else]
[Biom etricData Authe nticated]
evAccessPointLocked()
logAccountData
logEntryData
message_5()
AccessPoint
alarm
«M ess ageAction»
Admin
unlock Access point
rese tAlarm AccessPoint [Tim eout Unlocked]
«M ess ageAction»
lockAccesspoint
Automatically Generated Sequence Diagram Manually completed Use Case Scenario Uc1_Sc1
Uc1_Sc1
Activity View Consistency Check

The consistency between actions of the black-box activity diagram and
the operations in the derived use case scenarios may be checked by
means of the of the SE-Toolkit feature Perform Activity View
Consistency Check.
For the selected Activity View the feature confirms that

• Each action on the activity diagram appears on at least one of the
sequence diagrams referenced by the Activity View
• Each operation on the referenced sequence diagrams appears at
least once on the activity diagram
1
Right-click Uc1_ControlEntryBlackBoxView and select
SE-Toolkit\Perform Activity View Consistency Check.
The screenshot above shows the result of the consistency check after
the first use case scenario was generated. It lists those operations
that have not yet been addressed. They will be captured in the
following exception scenarios.
Uc1_Sc3
Uc1_Sc2
itsUser Uc 1_ControlEntry itsAdmin
User Uc_Uc1ControlEntry Admin
Uc 1_Sc 3 (Ex ception S cenario 2)

Uc1_Sc2 (Exception S cenario 1)
Preconditi ons:
Preconditions:
Va lid security card,
Card v alidation failed three times
Bi ometric Scan fa iled thre e times,
re qScanBiometricData()
readS ecurityCard() scanBiometricData()
v alidateS ecurityCard(CardStatus) authenticateBiometric Data(Authentica tionSta tus)
displayCardS tatus(CardS tatus) displa yAuthentica tionStatus(AuthenticationS tatus)
Security Card Not V alid Bi ometric Data Not Authenticated
flagSecurityCardFailure(S cFailCount) flagBiometricScanFailure (BsFailCount)
ScFailCount > 3 Bs FailCount >3
disableUserAccount()
disabl eUserAccount()
Use r
Use r
readSecurityCard
readSecurityCard Cam e ra
Came ra
[Firs t Request] «M ess ageAction» logAccountData() [else]

[Firs t Request] «M ess ageAction»
logAccountData()
[else] takePicture
takePicture
[else] [else]
[ScFailCount==3] [ScFailCount==3] validateSecurityCard

flagSecurityCardFailure flagSecurityCardFailure
displayCardStatus displayCardStatus
reqP rocessAlert(AlertType="User Account Disabled") re qProcessAl ert(AlertType="User Acc ount Di sabled")

[else] [else]
[CardStatus Valid] [CardStatus Valid]
[Timeout BiometricScan] [Tim eout Biom etricScan]
Use r [else] alarm() Use r [else]

alarm()
[else] [else]
scanBiom etricData scanBiom etricData
[BsFailCount==3] [BsFailCount==3]
authenticateBiom etricData
flagBiome tricScanFailure
reqResetAlarm() flagBiome tricScanFailure
authenticateBiom etricData
re qResetAlarm ()
Adm in displayAuthe nticationStatus
Admin displayAuthe nticationStatus
disableUs erAccount resetAlarm() disableUs erAccount

re setAlarm()
[else]
[Biom etricData Authe nticated] [else]
logAccountData [Biom etricData Authe nticated]
logAccountData
logEntryData
logEntryData
AccessPoint
alarm AccessPoint
alarm
«M ess ageAction»
Admin «Mess ageAction»
unlock Access point Admin
unlock Access point
«M ess ageAction»
«Mess ageAction»
lockAccesspoint
lockAccesspoint
Manually completed Use Case Scenario Manually completed Use Case Scenario
Uc1_Sc2 (Exception Scenario 1) Uc1_Sc3 (Exception Scenario 2)
4.3.1.4 Definition of Ports and Interfaces
The definition of ports and associated interfaces is automated in

Rhapsody by means of the SE-Toolkit feature Create Ports And
Interfaces. Pre-condition: All messages and operations in the
sequence diagrams are realized.
1 Right-click the package
Uc1_ControlEntry_BBScenarios and select
Naming convention for ports: p<TargetName>
SE-Toolkit\Create Ports And Interfaces.
Interface names are referenced to the sender port.
Naming convention: i< Sender >_< Receiver > 2
Manually connect ports.
IBD_Uc1_ControlEntry 1 itsUc_Uc1ControlEntry
iUser_Uc_Uc1ControlEntry iUc_Uc1ControlEntry_Ca mera
pUser pCamera
iAdmin_Uc_Uc1ControlEntry iUc_Uc1ControlEntry_AccessPoint
pAdmin pAccessPoint
ScFailCount
iUc_Uc1ControlEntry_Admin BsFailCount 1
iAccessP oint_Uc_Uc1ControlEntry
t_Bs
t_Unlocked
Authentic ationS tatus
CardStatus
reqReadS ecurit yCard

reqScanB iomet ricDat a
evA ccess Point Unlock ed
1 itsCame ra
1 itsUser evA ccess Point Locked
iUser_Uc_Uc1ControlEntry flagSecurityCardFailure iUc_Uc1ControlEntry_Ca mera
pUc1_Control Entry disableUs erAcc ount pUc1_Control Entry
readSecurityCard
RequestEntry
scanBiometricData reqTakeSnapshot
ScanFingerprint
aut hentic ateBiometric Data
RequestExit iUc_Uc1ControlEntry_AccessP oint
logE ntryData
1 itsAccessPoint
iAdmin_Uc_Uc1ControlEntry flagBiometricSc anFailure
1 itsAdmin logA ccountData pUc1_Control Entry
displayCardStatus
pUc1_ControlEntry displayAuthent icationStatus reqUnloc kAccessPoint
alarm iAccessP oint_Uc_Uc1ControlEntry reqLockA ccess Point
reqProcessAlert res etAlarm
iUc_Uc1ControlEntry_Admin
reqReset Alarm
Internal Block Diagram IBD_Uc1_ControlEntry with Ports and Interfaces

NOTE: The interface definitions and
associated event definitions are allocated in
For readability reasons it is recommended not to show the interface the InterfacesPkg.
names in the diagram. Deselect in each block the Display Option
“Show Port Interfaces”.
4.3.1.5 Definition of State-based Behavior
State-based behavior is added to the use case block and the actors
using Statechart Diagrams. The use case statechart diagram
represents the aggregate of all flows in the black-box activity diagram
and the associated sequence diagrams. Guidelines how to derive a
statechart diagram from the information captured in the activity Behavioral Description
diagram and sequence diagrams are documented in the Appendix A3.
1 reqReadSecurityCard to pUc_Uc1ControlEntry
req Rea dSec ur ity Car d to pUc1 _Co nt ro lEn tr y
Actor statechart diagrams are typically very simple, just providing the
User
RequestEntry
RequestEntry
required events to trigger operations / state changes in the use case WaitForUserCmds
WaitForUserCmds
block. ScanFingerprint
ScanFingerprint
reqScanBiometricData to pUc1_ControlEntry
reqScanBiometricData to pUc_Uc1ControlEntry
IBD_Uc1ControlEntry
1 itsUser 1 itsUc_Uc1ControlEntry
41 itsCame ra
1 2
pUser locked
pUc1_Control Entry pCamera pUc1_Control Entry locked
Access Point
pAdmin pAccessPoint reqUnlockAccessPoint
RequestE ntry reqUn lockAcces s Point
ScanFingerprint unlocking
ScFailCount evAccessPointLocked to pUc_Uc1ControlEntry
RequestE xit 21 evAcces s PointLocked to pUc1_ControlEntry u nl oc kin g
BsFailCount itsAccessPoint
t_Bs reqLockAccessPoint tm(1000) tm(1000)
tm ( 1000 ) tm (1000)
1 itsAdmin t_Unlocked pUc1_Control Entry locking
3 Aut hentic ationStatus locking evAccessPointUnlocked to pUc_Uc1ControlEntry
evAcces s PointUnlocked to pUc1_ControlEntry
pUc1_Control Entry reqUnloc kAccessPoint
CardStatus reqLoc kAcce s s Poi nt
reqLockAccess Point
reqProcessAlert unlocked
unlocked
validateS ecurity Card
reqReadSecurit yCard
reqScanBiomet ricDat a
evAccess Point Unlock ed
3
Admin
evAccess Point Locked reqResetAlarm to pUc_Uc1ControlEntry
flagSecurityCardFailure A dminCtrl
reqProcessAlert
disableUs erAcc ount
readSecurityCard AdminCtrl
scanBiometricData reqProcessA lert
aut hentic ateBiometric Data
logEntryData
flagBiometricSc anFailure
logAccountData
Camera
displayCardStatus
4
CameraCtrl
displayAuthent icationStatus
alarm
res etAlarm
reqTakeSnapshot
reqReset Alarm
Behavioral Description of Actors

Populated Use Case Model Uc1ControlEntry
1 ProcessingSecurityCardData
/ScFailCount=0
ValidatingSecurityCardData
validateSecurityCard(CardStatus);...displayCardStatus(CardStatus);
[CardStatus=="Not Valid"]
State-based Behavior of Use Case Uc1ControlEntry reqReadSecurityCard/ SecCardFailure

readSecurityCard(); flagSecurityCardFailure(ScFailCount);
[ScFailCount>3]
WaitForEntryRequest
[else] Fail3Times
Uc1ControlEntryCtrl
2 ProcessingBiometricData
WaitForEntryRequest A
/BsFailCount=0;
reqReadSecurityCard/
readSecurityCard(); WaitForBiometricScanRequest
tm(t_Bs) BsTimeout
reqTakeSnapshot to pCamera
reqScanBiometricData/
scanBiometricData();
1 ProcessingSecurityCardData AuthenticatingBiometricData
authenticateBiometricData(AuthenticationStatus); displayAuthenticationStatus(AuthenticationStatus);
Fail3Times
[CardStatus=="Valid"]
[else]/logEntryData(); Authenticated
[AuthenticationStatus=="Not Authenticated" ]
Authenticated BsTimeout Failed3Times reqScanBiometricData/
scanBiometricData(); BiometricScanFailure
flagBiometricScanFailure(BsFailCount);
A /disableUserAccount();
logAccountData();
[BsFailCount>3]
waitForBiometricScanRequest
reqProcessAlert("User Account Disabled") to pAdmin
[else] Failed3Times
UnlockingAndLockingAccessPoint WaitForResetAlarm 3 UnlockingAndLockingAccessPoint
reqResetAlarm/
3 resetAlarm();
reqUnlockAccessPoint to pAccessPoint
evAccessPointLocked
A
UnlockingAccessPoint
evAccessPointUnlocked
AccessPointUnlocked
A statechart should be hierarchically structured. This tm(t_Unlocked)
allows the reuse of behavior-patterns in later phases (e.g. reqLockAccessPoint to pAccessPoint

Detailed Architectural Design).
LockingAccessPoint
4.3.1.6 Uc1 Model Verification
The Uc1ControlEntry model is verified through model execution on the The Rhapsody tool provides two ways to visualize model behavior:
basis of the captured use case scenarios. The correctness and • Visualization of the state-based behavior through animation of
completeness analysis is based on the visual inspection of the model respective statecharts
behavior. • Visualization of message sequences by means of automatically
generated sequence diagrams
User Uc_Uc1ControlEntry AccessPoint Camera
readSecurityCard()
reqTakeSnapshot()
validateSecurityCard(CardStatus = Valid)
displayCardStatus(CardStatus = Valid)
scanBiometricData()
authenticateBiometricData(AuthenticationStatus = Authenticated)
displayAuthenticationStatus(AuthenticationStatus = Authenticated)
logEntryData()
tm(1000)
evAccessPointUnlocked()
tm(5000)
reqLockAccessPoint()
Animated Sequence Diagram (Uc1Sc1) Animated Statechart Diagram (Uc1ControlEntryCtr)
Arrow Name
The analysis via sequence diagrams is supported by the Rhapsody Description
Color Color
Sequence Diagram Compare feature. This feature enables to perform
Green Blue Msg matches in both SD
comparisons between two sequence diagrams, e.g. one capturing the
Pink Pink Msg is missing in the other SD
sequence of a required scenario and the other showing the recorded
Green Pink Msg has different arguments in the other SD
scenario. The differences between the diagrams are shown color-
Orange Orange Msg arrives at a different time in the other SD
coded. This feature may also be used to compare two runs for
Gray Gray Msg was excluded from comparison
regression testing.
Required Recorded
Sequence Sequence
Sequence Diagram Compare: Scenario Uc1_Sc1
4.3.1.7 Linking Uc1 Block Properties to Requirements
In order to assure that all Uc1 allocated functional and performance

requirements are considered, traceability links from the Uc1 block
properties to the system requirements are established using a satisfy
dependency.
System
ID <<satisfy>> System
Requirement ID <<satisfy>>
Requirement
Employee ID Card readSecurityCard(),
SS11-3 Visualization of
Identification - Exit validateSecurityCard()
SS11-16 Security Card Check displayCardStatus()
SS11-4 Biometric Scan scanBiometricData() Status - Exit
Time Between Two Visualization of
SS11-5 t_Bs
Independent Checks SS11-17 Biometric Data Check displayAuthenticationStatus()
Status
Three Attempts On ScFailCount,
SS11-7
Employee ID Entry flagSecurityCardFailure() SS111-2 Access Precondition validateSecurityCard()
.
Three Attempts On BsFailCount, Out of Date Cards -
SS11-8 SS111-4 validateSecurityCard()
Biometric Data Entry flagBiometricScanFailure() Entry
Three Attempts On ScFailCount, Out of Date Cards -
SS11-9 SS111-5 validateSecurityCard()
Employee ID Exit flagSecurityCardFailure() Exit
logEntryData(), Approval of Biometric
Denied Entry SS112-1 authenticateBiometricData()
SS11-10 logAccountData(), Data
Notification
reqProcessAlert()
SS12-2 Entry Time t_Unlocked
logExitData(),
SS11-11
Denied Exit
logAccountData(), SS12-3 Exit Time t_Unlocked
Notification
reqProcessAlert() Automatic Securing
SS11-12 Alarm - Entry alarm() SS12-5 the Secure Area - evAccessPointLocked()
Entry
SS11-13 Alarm - Exit alarm()
Automatic Securing
SS12-6 evAccessPointLocked()
SS11-18 Alarm Reset resetAlarm() the Secure Area - Exit
Disabling User MA1-1 Image Capture reqTakeSnapshot()
SS11-14 disableUserAccount()
Account
MA2-1 Time Recording logExitData()
Visualization of
SS11-15 Security Card Check displayCardStatus() MA2-2 Alarm Conditions checkForTimeLimitViolations()
Status - Entry
Tab.4-2 Links of Uc_Uc1ControlEntry Block Properties to System Requirements
There are two ways to implement the <<satisfy>> dependency listed in

Tab.4-2.
- directly in the browser using the SE-Toolkit feature In the Tools Menu select
1
Create Dependency, or Tools > SE-Toolkit\Modeling Toolbox
- graphically, in a Requirement Diagram. In the dialog box select Dependencies.
Tick dependency Satisfy.
It is recommended to start with the SE-Toolkit feature Create
Dependency. If considered necessary – e.g. for discussions or In the system block SecuritySystem select a property
2
documentation purposes - the dependencies may then be visualized in you want to link to a system requirement.
a Requirements Diagram.
3
In the Modeling Toolbox dialog box
click Set Source.
In the SystemRequirementsPkg
4
select the relevant system requirement.
5
4
6 In the Modeling Toolbox dialog box

click Create Dependency.
3 5
6
1
2
Visualization of the Dependencies in a Requirements Diagram
In the RequirementsPkg create a Requirements Diagram 3

Move the associated system requirements from the
1 RD_Uc1BlockLinksToSysReqs. SystemRequirementsPkg into the diagram.
Move the operations and attributes from the 4 In the Tools Menu select Layout > Complete Relations > All
2
Uc_Uc1ControlEntry block into the diagram.
RD_Uc1BlockLinksToSysR
«Requi rement»
«Pri mitive Operati on»
«Pri mitive Operati on» Denied Entry or Exit Notification
logAccountData():void logEntryData
«satisfy» «satisf y»
ID = SS11-8
«Requi rement»
«Pri mitive Operati on» «Attribute»
Three Attem pts On Biom etric Data Entry
flagBiom etricScanFailure BsFailCount
«satisfy» «satisf y»
ID = SS11-6
«Requi rement»
Three Attem pts On Em ployee ID Exit
«satisf y» «satisfy»
ID = SS11-7
«Pri mitive Operati on» «Attribute»
flagSecurityCardFailure ScFailCount
«Requi rement»
Three Attem pts On Em ployee ID Entry
«satisf y» ID = SS11-5 «satisf y»
«Requi rement»
Accesss Precondition
«satisfy»
ID = SS111-1
«Pri mitive Operati on» «Requi rement»

validateSecurityCard Security Card Inform ation
«Requi rement»
Out of Date Cards
«satisf y»
ID = SS111-4
«Requirement»
«Attribute»
Time Betw een Tw o Independant Checks
t_Bs
«satisfy»
ID = SS11-4
«Requi rement»
«Attribute»
t_Unlocked Entry and Exit Tim e
«satisf y»
ID = SS12-2
SecSysControl Block Properties Mapped to System Requirements (Excerpt)
4.3.2 Uc2ControlExit
4.3.2.1 Project Structure of the Uc2 Model 4.3.2.2 Definition of Uc2 Functional Flow
The generic project structure of the Uc2 model (=> Uc2ControlExitPkg NOTE: The interaction of an action node with the environment is
in the FunctionalAnalysisPkg) is created by means of the SE-Toolkit captured by means of a SysML Action Pin, stereotyped ActoPin (e.g.
feature Create System Model From Use Case. readSecurityCard).
Uc2ControlExitBlackBoxView
User Admin
UCD_SecuritySystem
readSecurityCard checkForTimeLimitViolations
displayCardStatus
1
[CardStatus==Valid]
Admin
[else]
logExitData
AccessPoint
1 Right-click use case Uc2Control Exit and select
[ScFailCount<3]
SE-Toolkit\Create System Model From Use Case [else]
«MessageAction»
alarm unlockAccesspoint
Admin AccessPoint [Timeout Unlocked]
resetAlarm «MessageAction»
lockAccesspoint
Functional Flow in Uc2ControlExit (Black-Box View)
RefSD_CheckForTimeLimitViolations
1
4.3.2.3 Definition of Uc2 Scenarios Uc_Uc2ControlExit Admin
Use case scenarios are created from the black-box activity diagram by Uc2_RefSc_CheckForTimeLimitViolations
Preconditions:
means of the SE-Toolkit feature Create New Scenario From Activity SecSys configured and activaed
Diagram.
loop
checkForTimeLimitViolations(TimeLimitFlag)
opt [TimeLimitViolation==true]
Uc2_Sc1
reqProcessAlert(AlertType="TimeLimitViolation")
User Uc2ControlExit AccessPoint
Uc2_Sc1 (Nominal Scenario

Preconditions:
SecSys configured and activated, Uc2_Sc2
CardReader enabled
User Uc_Uc2ControlExit Admin
parallel
Ref
Uc2_RefSc_CheckForTimeLimitViolations 1 Uc2_Sc2 (Exception Scenario)

Preconditions:
SecSys configured,
Card Validation failed three times,
reqReadSecurityCard() CardReader enabled
readSecurityCard()
reqReadSecSysCard()
validateSecurityCard(CardStatus) readSecurityCard()
v alidateSecurityCard(CardStatus)
displaySecurityCardStatus(CardStatus)
SecurityCard Valid Validation Failed
displayCardS tatus(CardStatus)
logExitData()
User Admin
User Admin
flagSecurityCardFailure(ScFailCount)
t_Unlocked evAccessPointUnlocked()
displayCardStatus
displayCardStatus
reqProcessAlert(AlertType="E xit Failure")
[CardStatus==Valid]
[CardStatus==Valid]
Admin
[else]
alarm()
Admin
[else]
reqLockAccessPoint() flagSecurityCardFailure
flagSecurityCardFailure logExitData
logExitData
evAccessPointLocked() AccessPoint
reqResetAlarm()
AccessPoint [ScFailCount<3]
[ScFailCount<3]
[else]
«MessageAction» resetAlarm()
[else] alarm
«MessageAction» unlockAccesspoint
alarm unlockAccesspoint Admin AccessPoint [Timeout Unlocked]
resetAlarm «MessageAction» lockAccesspoint
lockAccesspoint
Manually completed Manually completed

Use Case Scenario Uc2_Sc1 (Nominal Scenario) Use Case Scenario Uc2_Sc2 (Exception Scenario)
Behavioral Description
reqReadSecurityCard to pUc2_ControlExit
pUc2ControlExit
NOTE: All use case models – and later also the architectural design reqReadSecurityCard to pUc1ControlEntry
pUc1_ControlEntry
model - share common actors. The structure (i.e. ports and interfaces)
User
RequestExit RequestEntry
as well as the behavior of the actor blocks are incrementally extended WaitForUserCmds
according to the needs of the relevant model. In the internal structure ScanFingerprint
diagram below. The use case 1 related ports (pUc1ControlEntry) of reqScanBiometricData to pUc1_ControlEntry
the actor blocks User, Admin, and AccessPoint intentionally are not
shown (deleted from view - not deleted from model!).
locked
IBD_Uc1_ControlExit
evAccessPointLocked to pUc2ControlExit
reqUnlockAccessPoint
Access Point
1 itsUser 1 itsUc_Uc2ControlExit 1 itsAccessPoint evAccessPointLocked to pUc1ControlEntry unlocking
pUc2_ControlExit pUser tm(1000)

pUc2_ControlExit tm(1000)
pAccessPoint
pAdmin locking evAccessPointUnlocked to pUc1ControlEntry
Reques tEntry
Reques tExit reqLockAcces s Point
CardStatus
ScanFingerprint reqU nlockAcces s Point
ScFailCount reqLockAccessPoint evAccessPointUnlocked to pUc2ControlExit
t_U nlocked
1 itsAdmin Tim eLim itFlag unlocked
t_U pdate
pUc2_ControlExit
evAccessPointLocked Extended Actor Behavior of Uc_Uc2ControlExit
evAccessPointUnlocked
reqReadSecurityCard
alarm Uc2ControlExitCtrl
checkForTimeLimitViolations
ExitControl
displayCardStatus
f lagSecurityCardFailure WaitForExitRequest A
logEntryData
logExitData reqReadSecurityCard/
readSecurityCard readSecurityCard();
reqResetAlarm ProcessingSecurityCardData
resetAlarm Fail3Times
[CardStatus=="Valid"]/
logExitData();
Populated Use Case Model Uc2ControlExit
UnlockingAndLockingAccessPoint
reqProcessAlert("Exit Failure") to pAdmin
reqResetAlarm/ evAccessPointLocked
WaitForResetAlarm resetAlarm(); A
The statechart diagrams of the actors User and AccessPoint need to
be extended, taking into consideration the generation of the User’s exit TimeLimitMonitor
request (RequestExit) and the communication between the blocks CheckingForTimelimitViolations
Uc2ControlExit and AccessPoint. tm(t_Update)
checkForTimeLimitViolations(TimeLimitFlag);
Note the reuse of behavior patterns in the statechart diagram of the /TimeLimitFlag=0; [TimeLimitFlag==1]
use case block. The system states ProcessingSecurityCard Data and reqProcessAlert("TimeLimitViolation") to pAdmin
UnlockingAndLockingAccessPoint are identical to the ones used in the
use case block Uc_Uc1ControlEntry.
State-based Behavior of Use Case Block Uc_Uc2ControlExit
4.3.2.6 Uc2 Model Verification

User Uc_Uc2ControlExit AccessPoint
The Uc2ControlExit model is verified through model execution on the

basis of the captured use case scenarios. The correctness and checkForTimeLimitViolations(TimeLimitFlag = 0)
completeness analysis is based on the visual inspection of the model OMStartBehaviorEvent()

behavior.
readSecurityCard()
validateSecurityCard(CardStatus = Valid)
logExitData()
tm(1000)
tm(500)
tm(1000)
Verification of the Use Case Model Uc2ControlExit

through Model Execution (Uc2Sc1)
4.3.2.7 Linking Uc2 Block Properties to Requirements
With the exception of the operation checkForTimeLimitViolations and

the associated timeout attribute t_Update all properties of the use case
ControExit are identical to the properties of the use case ControlEntry
and do not need to linked.
4.3.3 Merging Use Case Blocks
Once all use case models are verified, the operations, receptions, and This SE-Toolkit feature copies all events, operations and attributes
attributes of each use case block are merged into the system block from all use case blocks into the SecuritySystem block.
SecuritySystem in the ArchitecturalDesignPkg
1 In the ArchitecturalDesignPkg create a system block

SecuritySystem 3 Duplicates are noted.
2
Right click the block SecuritySystem and select
SE-Toolkit\Merge Functional Analysis
4 Copies are traced back to the origines.

4
SecuritySystem Block with Merged Operations/Attributes
Case Study: Design Synthesis
4.4 Design Synthesis

4.4.1 Architectural Analysis (Trade-Off Analysis)
Define
The focus of the Architectural Analysis is on the determination of a Key System Functions
solution that fulfills best the required functionality identified in the
system functional analysis phase. Fig.4-4 details the architectural
analysis workflow and lists its support through the Rhapsody SE- Build Weighted Objectives Table
Toolkit in the respective phases.
Define
NOTE: In the case study the solution of only one key system function Candidate Solutions
(Capture Biometric Data) will be elaborated. Therefore the phase
Merge Solutions to Form System Architecture will be skipped.
Define
Assessment Criteria
Assign SE-Toolkit Feature:

Weights to Criteria Copy MOEs to Children
Define Utility Curve

for each Criterion
Assign MoEs
to Candidate Solutions
SE-Toolkit Feature:
Determine Solution
Perform Trade Analysis
[Next Key System Function]

[else]
Merge Solutions to
Form System Architecture
Trade Study
Report
Fig.4-4 Workflow in the Architectural Analysis Phase and

its Support through the Rhapsody SE-Toolkit
4.4.1.1 Definition of Key System Functions
The objective of this stage is to group the system functions together in

Step2: Define and apply first cut design criteria
such a way that each group can be realized by a physical component.
Typically, the first cut design criterion is to decide which of the key
functions would be realized as a COTS component or developed
Step1: Group related system functions into key system functions internally. In this case study it was decided that the functions
ReadCardInformation and CaptureBiometricData would be bought and
The following 3 key system functions were identified through analysis
the function ControlSecSys developed internally.
of the use case black-box activity diagrams:
Due to the number of ways in which the key function
CaptureBiometricData can be realized, it was decided to carry out a
ReadCardInfomation:
Trade Study. It was not considered necessary for the key function
• readSecurityCard
ReadCardInformation.
• displayCardStatus Uc1ControlEntryBlackBoxView
• alarm
Us er
• resetAlarm
readSecurityCard
Cam era
[First Request] «Mes sage Action»

[else ]
take Picture
CaptureBiometricData: [else ]
• scanBiometricData
[ScFailCount==3] validateSe curityCard
• authenticateBiometricData
displayCardStatus
• displayAuthenticationStatus
[else ]
[CardStatus V alid]
ControlSecSys: [Tim eout Biom etricScan]
• validateSecurityCard Us er [else ]
• flagSecurityCardFailure [else ]
scanBiom e tricData
Uc1ConpSS1_4
tBlackBoxView
• flagBiometricCheckFailure [Bs FailCount==3]

User Admin
• disableUserAccount
authenticateBiom e tricData
flagBiom etricScanFailure
• logAccountData Adm in displayAuthe nticationStatus

• logEntryData disable Use rAccount
• logExitData [else ]
[Biom e tricData Authenticated]
displayCardStatus
• checkForTimelimitViolations logAccountData
logEntryData
• unlockAccesPoint
[CardStatus==Valid]
Access Point
alarm Admin
• lockAccessPoint
[else]
«Mes sage Action»
Adm in flagSecurityCardFailure
unlockAccess point
logExitData
res etAlarm Access Point [Tim eout Unlocke d]
AccessPoint
«Mes sage Action»
[ScFailCount<3]
lockAcces spoint [else]
«MessageAction»
alarm unlockAccesspoint
lockAccesspoint
4.4.1.2 Definition of Candidate Solutions

Move the blocks onto BDD_CaptureBiometricDataOptions and
The objective of this phase is to identify possible solutions for a 6
join them together using inheritance associations.
chosen key system function.
7
Copy the operations that are associated with the key system
function CaptureBiometricData from the Uc_Uc1_ControlEntry
Step1: Identify solutions to the chosen key system function
block into the block CaptureBiometricData. This shows what the
In this case study the chosen key function is CaptureBiometricData. OpticalScanner and FingerprintScanner should be capable of.
Possible solutions are:
• Facial Recognition
• Fingerprint Scanner
• Optical Scanner (examining iris or retina)
2
3
Step2: Select candidate solutions for further analysis 4
Facial recognition systems are at present not very reliable technology,
also they are very expensive to install and maintain.
Two practical candidate solutions remain that will be carried forward
7
for further analysis i.e.
• Fingerprint Scanner
• Optical Scanner (Cornea or Iris Scanner)
This information can now be entered into the model. BDD_CaptureBiometricDataOption
1 In the DesignSynthesisPkg create a package

ArchitecturalAnalysisPkg
2
In the ArchitecturalAnalysisPkg create a package
TradeStudyAnalysisPkg
3
In the TradeStudyAnalysisPkg create a package 5
BiometricScanTradeStudy
In the BiometricScanTradeStudy package create a Block 6

4
Definition Diagram called BDD_CaptureBiometricDataOptions
5 In the BiometricScanTradeStudy create the following blocks

- Capture Biometric Data
- Optical Scanner
- FingerprintScanner
4.4.1.3 Definition of Assessment Criteria
Assessment criteria typically are based upon customer constraints,

required performance characteristics, and/or cost.
Assessment criteria are normally subjective but can also be very

specific. A subjective target could be low cost. A specific target could
be a precise measure of accuracy i.e. +/- 0.1 mm. In this case study
the assessment criteria are a mixture of both.
The assessment criteria and the associated classification in this case

study are:
• Accuracy
• Purchase
• Installation and
• Maintenance Cost
The assessment criteria are captured in the model by adding to the BDD_CaptureBiometricDataOption
block CaptureBiometricData for each assessment criterion a

respective attribute, stereotyped <<moe>>.
4.4.1.4 Assigning Weights to Assessment Criteria
Not all assessment criteria are equal. Some are more important than
others. Assessment criteria are weighted according to their relative
importance to the overall solution. The weighting factors are
normalized to add up to 1.0.
Step 1: Rank the assessment criteria

The ranking for the assessment criteria in this case study is 1
1 Accuracy
2 Security
3 Purchase Cost
4 Installation Cost
5 Maintenance
Step 2: Assign weightings to assessment criteria

In the case study the weightings of the chosen assessment criteria are
• Accuracy: 0.30
• Security : 0.25
BDD_CaptureBiometricDataOption
• Purchase Cost: 0.20
• Installation Cost: 0.15
• Maintenance Cost: 0.10
These values are represented in the model by a tag called weight

attached to each of the <<moe>> attributes.
1
In each <<moe>> attribute select the tab Tags and
add the appropriate value.
The CaptureBiometricData block attributes are copied into the

solutions blocks by means of the SE-Toolkit feature
Copy MOEs to Children.
2 Right-click the CaptureBiometricData block and

select SE-Toolkit\Copy MOEs to Children.
4.4.1.5 Definition of a Utility Curve for each Criterion

With regards to the purchase cost it is assumed that ideally the target
The utility curve is a function that compares the outcome of an
figure that the company would wish to pay for the hardware is $0 and
objective analysis to a target and outputs a normalized value typically
the maximum is $400 dollars a unit. This gives a utility curve - based
between 0 and 10 to indicate how well the target is met.
upon the linear graph formula described earlier - of
To determine the MoE for accuracy create a linear utility curve that Purchase cost MoE=-0.025*Purchase Cost + 10 .
examined the relationship between errors/thousand readings
(0-10 errors per thousand) and a scale of 0-10. y = -0.025x + 10
10
y = - x + 10
10 6
MoE
8 4
6 2
MoE
4 0
0 50 100 150 200 250 300 350 400 450
2
Purchase Cost ($)
0
0 1 2 3 4 5 6 7 8 9 10
Purchase Cost Utility Curve
Errors per thousand
For the installation cost of the hardware, a maximum budget of

Accuracy Utility Curve $1500 was estimated for 10 units. This gives a utility curve described
by the function
NOTE: For a simple linear function the utility curve can be calculated
Installation Cost MoE=-0.0067*installation cost +10
from the following formula
MoE=-(MoE range/target range)+MOE range

y = -0.0067x + 10
10
This simple chart yields the formula
8
Accuracy MoE=-Errors Per Thousand + 10
6
MoE
4
0
0 200 400 600 800 1000 1200 1400 1600
Total Installations cost $
Installation Cost Utility Curve
4.4.1.6 Assigning Measures of Effectiveness (MoE)

to each Solution
Accuracy: Fingerprint scanners are approximately in the order of 2-3 1

failures per 1000. For an error per thousands value of 2.5 this yields 2 3
an MoE of 7.5 for the fingerprint scanner. Optical scanning systems
have failure rates of 0.001 per 1000. this yields an MoE of 9.999 or
effectively 10 for the optical scanner.
Purchase Cost: For the hardware to capture biometric data it has
been estimated at $110 dollars for the finger print scanner and $ 250
for the optical scanner. From the purchase cost utility function, a
purchase cost MoE of 7.25 is calculated for the fingerprint scanner and
a purchase cost MoE of 3.75 for the optical scanner.
Installation Cost: For 10 units it was estimated to be $ 600 for the
fingerprint scanner and $ 1175 for the optical scanner. From the
installation cost utility function, an installation cost MoE of 6.0 is
calculated for the fingerprint scanner and an installation cost MoE of
2.12 for the optical scanner.
Security: It has been found that optical scanners (iris or retina) are
impossible to fool, whereas fingerprint scanners have been fooled with
relatively simple methods. With this mind it was decided to give BDD_CaptureBiometricDataOption
fingerprint scanners a security MoE of 8.0 and optical scanners a
security MoE of 10.0.
Maintenance: Both systems under consideration need little
maintenance. However, optical scanners need slightly more
maintenance than fingerprint scanners due to their sensitivity to light
and the degree of cleanliness required. With this mind it was decided
to give fingerprint scanners am maintenance MoE of 8.0 and optical
scanners and maintenance MoE of 6.0.
1
In the browser select a block representing one of the solutions
and opend its features.
2 Select the attribute tab.
Select the attribute to be edited and in the Initial Value field

3
enter the expected value.
4 Select and edit each attribute in turn.
Repeat steps 1-4 for each bock representing a solution.
4.4.1.7 Determination of Solution
Once each of the key functions has a number of possible solutions

with MoEs assigned to them, it is possible to combine the various
solutions in order to determine the optimum solution for the
architecture.
The means of building the possible architectures is through the

Solution Architecture Diagram. It shows the component options
required to build the final variant architectures for the complete
architecture or key function. The two possible variant architectures in 1
this case, consist of either the FingerprintScanner or the
OpticalScanner. There are no additional components required.
2
Step 1: Build Solution Architecture Diagram
This diagram is created in the TradeStudyAnalysisPackage. It shows 4

the composition of the final product as made up from possible
solutions. Using this diagram it is possible to mix several different
solutions to key functions to realize complete system architecture. In
this instance there is only one component to be analyzed for each
architecture. BDD_SolutionArchitecture
«block» «block»
FingerprintScannerArchitecture OpticalScannerArchitecture
1 In the BiometricScanTradeStudy package create a

Block Definition Diagram BDD_SolutionArchitecture. 1 1
«block» «block»
2 Create a block called FingerprintScannerArchitecture. FingerprintScanner Optical Scanner
Drag on the FingerprintScanner block and using the

3
decomposition relationship make it part of the
OpticalScannerArchitecture.
3 5
4 Create a block called OpticalScannerArchitecture.
5 Drag on the OpticalScanner block and using the decomposition

relationship make it part of the OpticalScannerArchitecture.
Step 2: Perform Weighted Objectives calculation

Excel will then open up with the results of the analysis. From this
Once the possible solution architectures are in place, the analysis to analysis it can be seen that the Fingerprint Scanner scores slightly
determine the best solution from the presented options can be carried higher (despite the higher scores for the optical scanner in the areas of
out. The means of doing this analysis is the Weighted Objectives accuracy and security) and so will be selected as the implementation
Calculation. It is used to determine the solution for a particular of the function ScanBiometricData.
function. It consists of multiplying the value for each MoE by its
respective importance weighting, and then adding the resultant values
together. This is carried out for each solution for each function. The
sum of the combined solutions with the highest score is selected as
the implementation for that particular architecture or function. The
actual calculation is carried out and displayed within an Excel
spreadsheet.
1
To support this calculation within Rhapsody and Excel, one further
diagram is required: the Option Analysis Diagram. The option analysis
diagram shows all the variant architecture solutions for the key
function under consideration.
1 In the BiometricScanTradeStudy package create a

Block Definition Diagram BDD_OptionAnalysis.
BDD_OptionAnalysis
2
Drag on the blocks OpticalScannerArchitecture and the
FingerprintScannerArchitecture. «block» «block»
FingerprintScannerArchitecture OpticalScannerArchitecture
In the browser right-click BDD_OptionAnalysis and

3
select SE-Toolkit\Perform Trade Analysis.
Rhapsdy Generated Weighted Objectives Table (Excel)
4.4.2 Architectural Design
Fig.4-5 shows the architectural design workflow in the case study and 4.4.2.1 Security System Decomposition
lists its support by means of the SE-Toolkit.
Based on the results of the previous trade study, the constituents of
Based on the design concept that was elaborated in the previous the Security System will be
architectural analysis phase it starts with the decomposition of the
system block into parts. • Two Card Readers (one for entry and one for exit)
• a Fingerprint Scanner
The allocation of the system block operations to the parts is elaborated • a Control Unit
for each use case by graphically allocating operations in the use case
white-box activity diagrams (ref. section 2.2.3.2). The allocation is As the card readers and the fingerprint scanner are considered off-the-
formalized by means of the SE-Toolkit feature Allocate Operations shelf components, the focus of the case study will be on the
from Swimlanes. specification of the control unit – in the following referred to as
SecSysController.
Once all system block operations that capture system functional
requirements are allocated to parts, non-functional requirements (e.g. The chosen system architecture is captured in the block definition
design constraints) are allocated to the relevant parts and respective diagram BDD_SecuritySystem and the internal block diagram
trace links are established. IBD_SecuritySystem. Both diagrams are created in the
ArchitecturalDesignPkg.
BDD_SecuritySystem
Decompose
«block»
System Block into Parts SecuritySystem
1 1
Graphically allocate Operations SE-Toolkit Feature: User Camera

in Uc White-Box Activity Diagram Create Allocation Table
1 1 1
[Next Use Case]
Admin AccessPoint
[else]
SE-Toolkit Feature:
Formalize Allocation by copying Allocate Operations
Operations into Parts from Swimlanes
CardReader_Exit CardReader_Entry 1 1
«block»
Allocate Non-Functional Reqs SE-Toolkit Feature: SecSysController
and define Traceability Links Create Dependency
CardReader FingerprintScanner
Fig.4-5 Architectural Design Workflow and its Support

through the Rhapsody SE-Toolkit Block Definition Diagram BDD_Security System
IBD_SecuritySystem It is recommended to standardize the structure of the Architectural

DesignPkg. If a system block is decomposed into parts, each part
1 itsUser
1 itsSecuritySystem
1 itsAccessPoint should be allocated to a corresponding package within a package
named <SystemBlockName>DecompositionPkg. The creation of
1 CardReader_Entry:CardReader
this structure is automated by means of the SE-Toolkit feature
Create Sub Packages:
1 itsAdmin 1 itsCamera
1 CardReader_Exit:CardReader
Right-click the SecuritySystem block,

1
select SE-Toolkit\Create Sub Packages
1 itsFingerprintScanner
1 itsSecSysController
Internal Block Diagram IBD_Security System
By defining a composition relationship between the system block

SecuritySystem and the subsystem blocks in the block definition
diagram, automatically instances of the subsystem blocks are created
in the SecuritySystem block. As two instances of the CardReader are
needed (CardReaderEntry and CardReader_Exit) the composition
relationship in the block definition diagram needs to be defined twice.
Name the instances accordingly.
4.4.2.2 Graphical Allocation of Operations
The allocation of operations to the parts of a system block is

elaborated graphically (White-Box Activity Diagram). Black-box use
case activity diagrams are partitioned into swim lanes, each of which
corresponds to a part of the decomposed system block (case study:
CardReader_Entry, CardReader_Exit, FingerprintScanner, and
SecSysController). Based on design considerations, operations (≡
2
actions) then are “moved” to respective swim lanes. An essential
requirement is that the initial links between the operations are
maintained.
1 In the SecuritySystemDecompositionPkg create a package

SecuritySystemWB_AD.
In the Uc1ControlExitPkg right-click

2
Uc1ControlEntryBlackBoxView and select
Duplicate Activity View.
Rename the copied Activity View to

3
Uc1_SecSysWhiteBoxView and
move it into the SecuritySystemWB_AD package.
In the Uc2ControlExitPkg right-click

4 Uc2ControlExitBlackBoxView and select
SE-Toolkit\Duplicate Activity View.
1
5
Rename the copied Activity View to
Uc2_SecSysWhiteBoxView and 3
move it into the SecuritySystemWB_AD package.
6 Partition Uc1ControlEntryWhiteBoxView into swimlanes:

CardReader_Entry, FingerprintScanner, and SecSysController.
7 Partition Uc2ControlExitWhiteBoxView into swimlanes:

CardReader_Exit and SecSysController.
Creating a White-Box Activity Diagram:
On top of the copied black-box activity diagram create an empty
activity diagram with swimlanes. Move the operations “bottom-
up" into the subsystem swimlanes.
Uc1ControlEntryWhiteBoxView
CardReader_Entry SecSysController FingerprintScanner
Camera
User
[FirstRequest] «MessageAction»
readSecurityCard
takePicture
[else] [Timeout
disableBiometricScan BiometricScan]
[CardStatus==Pass]
displayCardStatus enableBiometricScan
[else] A [else]
flagBiometricScanFailure User
[BsFailCount<3] scanBiometricData
[else]
[ScFailCount==3] [else]
Admin
disableUserAccount
disableBiometricScan
«MessageAction» displayAuthenticationStatus
retAuthenticationStatus
logAccountData A
[else]
[BiometricData Uc2ControlExitWhiteBoxView
Authenticated]
Admin CardReader_Exit SecSysController
«MessageAction» logEntryData disableBiometricScan

alarm
resetAlarm
AccessPoint
User Admin
readSecurityCard validateSecurityCard checkForTimeLimitViolations
unlockAccesspoint
AccessPoint [Timeout Unlocked]
displayCardStatus
«MessageAction»
lockAccesspoint [CardStatus==Valid]
[else]
flagSecurityCardFailure logExitData
AccessPoint
White-Box Activity Diagram Uc1ControlEntry
[else] «MessageAction»
[ScFailCount==3]
unlockAccesspoint
alarm «MessageAction» «MessageAction»

resetAlarm lockAccesspoint
resetAlarm
White-Box Activity Diagram Uc2ControlExit
NOTE: In order to provide the required functionality for the chosen Summarizing the Allocation of Operations
design, two actions that do not have an associated system
requirement had to be added to the white-box activity diagrams: For each white-box activity diagram the allocation of operations may
be summarized in an Excel spreadsheet by means of the SE-Toolkit
enableBiometricScan and feature Create Allocation Table.
A respective derived requirement needed to be formulated and stored Right-click Uc1ControlEntryWhiteBoxView.

1
in the DerivedRequirementsPkg. Select SE-Toolkit\Create Allocation Table
FingerprintScanner SecSysController CardReader_Entry

scanBiometricData validateSecurityCard alarm
authenticateBiometricData flagBiometricScanFailure displayCardStatus
enableBiometricScan disableUserAccount readSecurityCard
disableBiometricScan flagSecurityCardFailure resetAlarm
displayAuthenticationStatus logEntryData
logAccountData
Allocation Table of Uc1ControlEntryWhiteBoxView (Excel Spreadsheet)
Right-click Uc2ControlExitWhiteBoxView.
2
Select SE-Toolkit\Create Allocation Table
Generally it is recommended to update and verify the black-box use
case models, i.e. to generate new black-box use case scenarios. In SecSysController CardReader_Exit
this case study, this step was intentionally skipped. validateSecurityCard alarm
checkForTimeLimitViolations readSecurityCard
flagSecurityCardFailure displayCardStatus
logExitData resetAlarm
Allocation Table of Uc2ControlExitWhiteBoxView (Excel Spreadsheet)
4.4.2.3 Formalizing the Allocation of Operations
Once an allocation concept is elaborated, the allocation is formalized by

copying the system block operations and receptions – incl.
5
documentation and requirements dependencies - to respective
subsystem blocks. This process is supported by the SE-Toolkit feature
Allocate Operations from Swimlanes.
In the Tools Menu select

1
Tools > SE-Toolkit\Modeling Toolbox

2
select Harmony.
3
In the SecuritySystemWB_AD package
3
select Activity Diagram(s)
4
click Set Source.
5
In the ArchitecturalDesignPkg
select system block SecuritySystem.
4 6

click Allocate Operations from Swimlanes
The reason for the error messge below is, that - as mentioned in the
previous paragraph - the actions/operations enableBiometricScan and
disableBiometricScan were added afterwards to the white-box activity
diagram Uc1ControlEntry. Therefore they are not included in the set of merged
use case operations in the SecuritySystem block.
1 itsSecuritySystem
1 CardReader_Entry
alarm
readSecurityCard
displayCardStatus
resetAlarm
1 itsSecSysController
1 CardReader_Exit
alarm
readSecurityCard
displayCardStatus validateSecurityCard
resetAlarm checkForTimeLimitViolations
logExitData
flagBiometricScanFailure
In order to add these operations to the SecuritySystem block and to disableUserAccount
allocate them to the FingerprintScanner block: logEntryData
logAccountData
1 In the dialog box select Errors,

scanBiometricData
2 Select Action enableBiometricScan and authenticateBiometricData

enableBiometricScan
Action disableBiometricScan disableBiometricScan
displayAuthenticationStatus
3 click Accept Selected.
System Operations allocated to Subsystem Blocks
4.4.2.4 Allocation of Non-functional Requirements
So far the focus was on the allocation of system-level operations and

associated functional system requirements to the parts of the chosen
architectural decomposition. Latest at this stage, derived functional
requirements should have been approved and linked to respective
operations. The next task in the architectural design phase is the
allocation of non-functional requirements. In order to assure that all
non-functional requirements are considered, traceability links from the
relevant subsystem block to the non-functional system requirements
need to be defined using a satisfy dependency.
Once all functional and non-functional requirements are mapped to the

architecture, it is recommended to reflect the partitioning by grouping
the requirements in the SystemRequirementsPkg accordingly:
1
In the SystemRequirementsPkg create the subsystem packages
- SecSysControllerReqsPkg
- CardReaderReqsPkg
- FingerprintScannerReqsPkg
2 Move the system requirements incl. the – approved – derived

requirements into respective packages
The subsystem requirements package is part of the later hand-off from

systems engineering to the subsequent subsystem development.
RD_SecSysCtrlLinksToSysReqs
Biometric Data Storage Processing User Request Two Independent Security Checks «Attribute»
t_Bs:int=15000
ID = SS112-2 ID = SS12-1 ID = SS11-1
«satisfy»
«satisfy»
«block» Time Between Two Independent Checks
SecSysController
ID = SS11-5
Time Recording Denied Exit Notification Denied Entry Notification Disabling User Account
ID = MA2-1 ID = SS11-11 ID = SS11-10 ID = SS11-14
«satisfy» «satisfy» «satisfy» «satisfy» «satisfy» «satisfy»
«Primitiv e Operation» «Primitiv e Operation» «Primitiv e Operation» «Primitiv e Operation»

logExitData():void logAccountData():void logEntryData():void disableUserAccount():void
Out of Date Cards - Exit Out of Date Cards - Entry Accesss Precondition Alarm Conditions
ID = SS111-5 ID = SS111-4 ID = SS111-2 ID = MA2-2
«satisfy» «satisfy» «satisfy» «satisfy»
«Primitiv e Operation» «Primitiv e Operation»

validateSecurityCard(CardStatus:OMString):void checkForTimeLimitViolations(TimeLimitFlag:int=0):void
«Attribute» «Attribute»
ScFailCount:int BsFailCount:int «Attribute»
t_Unlocked:int=5000
«satisfy»
Three Attempts On Employee ID Exit Three Attempts On Employee ID Entry Three Attempts On Biometric Data Entry Exit Time Entry Time
ID = SS11-9 ID = SS11-7 ID = SS11-8 ID = SS12-3 ID = SS12-2
«satisfy» «satisfy» «satisfy»
«Primitiv e Operation» «Primitiv e Operation»

flagSecurityCardFailure(ScFailCount:int):void flagBiometricScanFailure(BsFailCount:int):void
Visualization of the Traceability Links between Subsystem SecSysController Properties and

Associated Functional / Non-functional System Requirements in a Requirements Diagram
4.4.3 Detailed Architectural Design
In this case study the architectural design phase stopped at the

subsystem level. The focus of the subsequent detailed architectural SE-Toolkit Features:
design phase is on the definition of the resulting subsystem ports and • Create New Scenario
from Activity Diagram
interfaces and the state-based behavior of each subsystem. Derive
White-Box Sequence Diagrams • Perform Swimlane
Consistency Check
Fig.4-6 details the workflow and its support by means of the SE- • Architectural Design Wizard
[Next Use Case
Toolkit. The subsystem ports and interfaces are identified from White- White-Box AD]
Box Sequence Diagrams. White-box sequence diagrams are derived
from the use case white-box activity diagrams that were created in the [else]
previous architectural design phase. The focus of black-box sequence
diagrams was on the identification of the required sequences of Define SE-Toolkit Feature:
Ports and Interfaces Create Ports And Interfaces
system functions (operations). White-box activity diagrams focus on
the collaboration between the different subsystems taking into
consideration the allocation of the operations.
Define
State-Based Behavior of Blocks
The derivation of white-box sequence diagrams is performed
iteratively for each use case white-box activity diagram.
Verify
Once the state-based behavior of each subsystem block is defined, System Architecture Model
the correctness and completeness of the system architecture model is
checked through model execution.
Fig.4-6 Detailed Architectural Design Workflow and its Support

through the Rhapsody SE-Toolkit
4.4.3.1 Derive White-Box Sequence Diagrams
Step1: Allocate Events
The allocation of SecuritySystem block receptions (events) to the

subsystems is performed by means of the SE-Toolkit feature
Architectural Design Wizard.
NOTE: This SE-Toolkit feature may also be used for allocating
operations.
2
1 In the ArchitecturalDesignPkg right-click SecuritySystem block
Select SE-Toolkit\Architectural Design Wizard
4
2
it
In the SE-Toolkit dialog box un-tick Show Operations.
3 In the Parts drop-down menue select a part.
4
In the Unlocated Operations / Events window select an event
and click Selected to allocate the event to the chosen part.
NOTE: If the event needs to be allocated to more than one
subsystem, drag&drop it from the pool to the part.
System Receptions (Events) allocated to Subsystem Blocks
Allocation of SecuritySystem Events to Parts

through the Architectural Design Wizard
Step 2: Derive White-Box Scenarios
White-box scenarios are derived from the white-box activity diagrams by means of the SE-Toolkit feature Create New Scenario From Activity
Diagram (ref. section 4.3.1.3 ). NOTE: Select as destination the ArchitecturalDesignPkg.
retAuthenticationStatus
WB_Uc1Sc1
User CardReader SecSysController FingerprintScanner AccessPoint Camera

Entry
readSecurityCard()
reqValidateSecurityCard()
reqTakeSnapshot()
CardStatus==Pass
reqDisplayCardStatus(CardStatus)
displayCardStatus(CardStatus)
reqEnableBiometricScan()
enableBiometricScan()
Automatically generated reqScanBiometricData()

Sequence Diagram WB_Uc1Sc1 scanBiometricData()
User CardReader SecSysContr FingerprintS AccessPoint Camera

Entry oller canner
message_0() displayAuthenticationStatus(AuthenticationStatus)
readSecurityCard()
retAuthenticationStatus(AuthenticationStatus)
setAuthenticationStatus()
message_1()
message_2()
BiometricData
Authenticated
message_3() reqDisableBiometricScan()
disableBiometricScan()
message_4()
scanBiometricData() logEntryData()
authenticateBiometricData(AuthenticationStatus) reqUnlockAccessPoint()
displayAuthenticationStatus(AuthenticationStatus)
message_5() reqLockAccessPoint()
logEntryData()
message_6()
message_7()
message_8()
message_9()
White-Box Use Case Scenario WB_Uc1Sc1 (Nominal Scenario)

Manually added service requests and operations marked in red
WB_Uc1Sc3
itsUser CardReader SecSysController FingerprintScanner itsAdmin

_Entry
scanBiometricData()
WB_Uc1Sc2
User CardReader SecSysController Admin displayAuthenticationStatus(AuthenticationStatus)

Entry
retAuthenticationStatus(AuthenticationStatus)
flagBiometricScanFailure(BsFailCount)
readSecurityCard() reqDisableBiometricScan()
disableUserAccount()
logAccountData()
CardStatus==Fail
reqProcessAlert(AlertType)
reqDisplayCardStatus(CardStatus)
reqAlarm()
displayCardStatus(CardStatus) alarm()
flagSecurityCardFailure(ScFailCount) reqResetAlarm()
reqResetAlarm()
disableUserAccount() resetAlarm()
reqProcessAlert(AlertType)
logAccountData()
reqAlarm()
alarm()
Manually completed White-Box Use Case Scenario

reqResetAlarm()
reqResetAlarm()
WB_Uc1Sc3 (Exception Scenario 2)
resetAlarm()
Manually completed White-Box Use Case Scenario

WB_Uc1Sc2 (Exception Scenario 1)

1
Right-click the package WB_UseCaseScenarios and
Once all black-box use case scenarios are decomposed into select SE-Toolkit\SE-Toolkit\Create Ports And Interfaces.
white-box scenarios, the resulting subsystem ports and NOTE: The SE-Toolkit feature only defines the behavioral
interfaces can be defined by means of the SE-Toolkit feature ports and associated required/provides interfaces.
Create Ports And Interfaces.
2 Manually add Delegation Ports and associated interfaces.
3 Manually connect ports.
IBD_SecuritySystem
1 itsSecuritySystem
1 CardReader_Entry
pUser_Entry
pUser pSecSysController
reqReadSecurityCard
reqDisplayCardStatus
reqAlarm
reqResetAlarm
1 itsAdmin
readSecurityCard
displayCardStatus
alarm pSecSysController
1 itsUser resetAlarm 1 itsSecSysController
pAdmin
pCardReader_Entry pCardReader_Entry pAdmin 1 itsAccessPoint
1 CardReader_Exit
pUser_Exit pAccessPoint
pCardReader_Exit pUser pSecSysController pCardReader_Exit pAccessPoint pSecSysController
pCamera
pFingerprintScanner reqReadSecurityCard pFingerprintScanner pCamera
reqDisplayCardStatus 1 itsCamera
reqAlarm evAccessPointLocked
reqResetAlarm evAccessPointUnlocked pSecSysController
readSecurityCard reqResetAlarm
displayCardStatus retAuthenticationStatus
alarm reqValidateSecurityCard
resetAlarm checkForTimeLimitViolations
disableUserAccount
flagBiometricScanFailure
1 itsFingerprintScanner flagSecurityCardFailure
pUser_FpScan
logAccountData
pUser pSecSysController logEntryData
logExitData
reqScanBiometricData validateSecurityCard
reqEnableBiometricScan
reqDisableBiometricScan
displayAuthenticationStatus
scanBiometricData
enableBiometricScan
Populated Internal Block Diagram of the System Architecture Model
Documentation of System Interfaces (ICD)

A commonly used artifact for the documentation of the communication
in a network is the N-squared (N2) chart. In an N2 chart the basic
nodes of communication are located on the diagonal, resulting in an
NxN matrix for a set of N nodes. For a given node, all outputs (SysML
required interfaces) are located in the row of that node and inputs
(SysML provided interfaces) are in the column of that node. The
diagram below depicts the N2 chart of the Security System
architecture.
The N2 chart of the Security System architecture. may be generated

by means of the SE-Toolkit feature Generate N2 Matrix:
In the ArchitecturalDesignPkg right-click the internal block diagram
IBD_SecuritySystem and select SE-Toolkit\Generate N2 Matrix.
NOTE: In the N2 chart below the SecuritySystem colum/row

describes the system-level interfaces (= delegation port interfaces).
SecuritySystem User Admin Camera AccessPoint
SecuritySystem iSecSysController_Admin iSecSysController_Camera iSecSysController_AccessPoint
iUser_FingerprintScanner
User
iUser_CardReader
Admin iAdmin_SecSysController
Camera
AccessPoint iAccessPoint_SecSysController
CardReader
FingerprintScanner
SecSysController iSecSysController_Admin iSecSysController_Camera iSecSysController_AccessPoint
CardReader FingerprintScanner SecSysController

SecuritySystem
User iUser_CardReader iUser_FingerprintScanner
Admin iAdmin_SecSysController
Camera
AccessPoint iAccessPoint_SecSysController
CardReader iCardReader_SecSysController
FingerprintScanner iFingerprintScanner_SecSysController
SecSysController iSecSysController_CardReader iSecSysController_FingerprintScanner
N2 Chart of the Security System Architecture
Behavioral Description
reqReadSecurityCard to pCardReader_Exit
1
reqReadSecurityCard to pUc_Uc2ControlExit
The statechart diagrams of the actors User and AccessPoint need to
be extended, taking into consideration the communication via the reqReadSecurityCard to pCardReader_Entry
additional ports in the User block (pCardReader_Entry,
pCardReader_Exit, and pFingerprintScanner) and in the AccessPoint reqReadSecurityCard to pUc_Uc1ControlEntry
(pSecSysController).
User
RequestExit RequestEntry
WaitForUserCmds
ScanFingerprint
reqScanBiometricData to pUc_Uc1ControlEntry
IBD_SecuritySystem reqScanBiometricData to pFingerprintScanner
1 its Sec ur ity Sys tem 1 itsAccessPoint 2
pAc cess Point pSecSysController 2 locked

1 1 itsUser
1 itsCamera
pCardReader_Entry pUser_Entry
pCamera pSec SysController evAccessPointLocked to pSecSysController
pCar dReader_Exit pUser_Exit
pFingerprintSc anner pUser_FpScan 1 itsAdmin evAccessPointLocked to pUc_Uc2ControlExit reqUnlockAccessPoint
pAdmin pSecSysControll er
AccessPoint
2 evAccessPointLocked to pUc_Uc1ControlEntry unlocking
tm(1000) tm(1000)
locking evAccessPointUnlocked to pUc_Uc1ControlEntry

System Architecture Model (Context View)
reqLockAccessPoint evAccessPointUnlocked to pUc_Uc2ControlExit
evAccessPointUnlocked to pSecSysController
unlocked
reqResetAlarm to pSecSysController
2
reqResetAlarm to pUc_Uc2ControlExit
Admin
reqResetAlarm to pUc_Uc1ControlEntry
reqProcessAlert
WaitForAlert
Extended Actor Behavior for the System Architecture Model
1 itsSecuritySystem
1 CardReader_Entry 1 itsSecSysController
pUser_Entry
pUser
pSecSysController pCardReader_Entry
pAccessPoint
pAccessPoint
1 CardReader_Exit pCamera System Architecture Model (Subsystems View)
pUser_Exit pCamera
pUser
pSecSysController pCardReader_Exit
pAdmin
1 itsFingerprintScanner pAdmin
pUser_FpScan
pUser
pSecSysController pFingerprintScanner
FingerprintScannner_Ctrl
BiometricScanDisabled
reqDisableBiometricScan/ reqEnableBiometricScan/
disableBiometricScan(); enableBiometricScan();
BiometricScanEnabled
WaitForScanRequest
retAuthenticationStatus("Not Authenticated") to pSecSysController reqScanBiometricData/

scanBiometricData()
[AuthenticationStatus=="Not Authenticated"]
AuthenticatingBiometricData
authenticateBiometricData(AuthenticationStatus);...displayAuthenticationStatus(AuthenticationStatus);
[AuthenticationStatus=="Authenticated"]
retAuthenticationStatus("Authenticated") to pSecSysController
State-based Behavior of the FingerprintScanner Block
State-based Behavior of the CardReader Block

The state-based behavior of the CardReader block has to take into 2
consideration the different roles the card reader plays in the Security
System. It is either used for entry control or exit control. A
Constructor need to be defined to assign the relevant instance of the
CardReader block to its associated role.
2 CardReaderCtrl
WaitForRequest
readSecurityCard();
reqValidateSecurityCard to pSecSysController
Configuration_CR_Entry
reqDisplayCardStatus/displayCardStatus(params->CardStatus);
reqAlarm/alarm();
reqResetAlarm/ResetAlarm();
[BlockType=="Entry"]
1
[BlockType=="Exit"]
Configuration_CR_Exit
In the CardReader block, reqDisplayCardStatus/displayCardStatus(params->CardStatus);

1 reqAlarm/alarm();
right-click Operations > Add New > Constructor: reqResetAlarm/ResetAlarm();
Add the argument CR of type OMString.
Initialize the CardReader instances:

2 State-based Behavior of the CardReader Block
CardReader_Entry -> CardReader(“Entry”),
CardReader_Exit -> CardReader(“Exit”)
ProcessingSecurityCardData
State-based Behavior of the SecSysController Block /ScFailCount=0

1
validateSecurityCard(CardStatus);
Note the reuse of behavior patterns in the statechart diagram of the [UserRequest=="Exit"] [UserRequest=="Entry"]
SecSysController block. The statemachines ProcessingSecurityCard reqDisplayCardStatus(CardStatus) to pCardReader_Entry
Data and ProcessingBiometricData are extended copies of the ones
used in the use case blocks, UnlockingAndLockingAccessPoint is an Fail
[CardStatus=="Valid"]
unchanged copy. [else]

CardValid
reqDisplayCardStatus(CardStatus) to pCardReader_Exit
SecSysController_Ctrl
reqValidateSecurityCard
ExitControl [CardStatus=="Valid"]
WaitForRequest Fail
waitForEntryRequest A [else]
reqValidateSecurityCard SecCardFailure
[IS_PORT(pCardReader_Entry)]/ [ScFailCount<=3] flagSecurityCardFailure(ScFailCount);

UserRequest="Entry"; [else]
[IS_PORT(pCardReader_Exit)]/ reqTakeSnapshot to pCamera reqAlarm to pCardReader_Exit

UserRequest="Exit";
[UserRequest=="Exit"] Fail3Times
ProcessingSecurityCardData 1
CardValid Fail3Times [UserRequest=="Entry"]
reqAlarm to pCardReader_Entry
[UserRequest=="Exit"]
[UserRequest=="Entry"]
ProcessingBiometricData
Authenticated BsTimeout Failed3Times
reqEnableBiometricScan to pFingerprintScanner
2
/disableUserAccount();
A logAccountData(); /BsFailCount=0
waitForBiometricScanInfo
/logEntryData(); reqProcessAlert("User Access Disabled") to pAdmin
UnlockingAndLockingAccessPoint retAuthenticationStatus tm(t_Bs)
WaitForResetAlarm reqDisableBiometricScan to pFingerprintScanner
evAccessPointLocked reqResetAlarm BsTimeout
[else]
[UserRequest=="Entry"] [UserRequest=="Exit"]
[params->AuthenticationStatus=="Authenticated" ]
reqResetAlarm to pCardReader_Exit [BsFailCount>3]
[else]
reqResetAlarm to pCardReader_Entry
BiometricScanFailure
flagBiometricScanFailure(BsFailCount);
A
TimeLimitMonitor reqDisableBiometricScan to pFingerprintScanner
CheckingForTimelimitViolations reqDisableBiometricScan to pFingerprintScanner Authenticated

tm(t_Update)
[TimeLimitFlag==1] reqAlarm to pCardReader_Entry

/TimeLimitFlag=0;
Failed3Times
reqProcessAlert("TimeLimitViolation") to pAdmin
itsUser SecuritySystem.Card SecuritySystem.its SecuritySystem.its itsAccessPoint itsCamera itsAdmin
Reader_Entry FingerprintScanner SecSysController
4.4.3.4 System Architecture Model checkForTimeLimitViolations(TimeLimitFlag = 0)

Verification
The system architecture model is verified through model readSecurityCard()
execution on the basis of the captured use case reqValidateSecurityCard()

scenarios. The correctness and completeness analysis
is based on the visual inspection of the model behavior reqTakeSnapshot()
(animated statecharts and sequence diagrams). validateSecurityCard(CardStatus = Valid)
reqDisplayCardStatus(CardStatus = Valid)
scanBiometricData()
authenticateBiometricData(AuthenticationStatus = Authenticated)
reqSetAuthenticationStatus(AuthenticationStatus
ret = Authenticated)
reqDisableBiometricScan()
tm(1000)
tm(5000)
tm(1000)
Animated Sequence Diagram (WB_Uc1Sc1)
Case Study: Hand-Off to Subsystem Development
5 Hand-Off to Subsystem Development

In the Security System case study it was decided that the card readers
and the fingerprint scanner should be COTS components while the
SecSysController subsystem had to be developed. The marked
packages of the Security System model on the right define the hand-
off from systems engineering to the subsequent SecSysController
development. It should be noted that it does not address the
partitioning between hardware and software. The focus exclusively is
on the required functionality and associated design constraints.
1
The following packages define the hand-off to the SecSysController
development. It is important to note that these packages are handed-
off as read-only (Rhapsody: As Reference):
1 The SecSysControllerReqsPkg contains the allocated

functional and non-functional subsystem requirements.
2 The SecSysControllerPkg contains:

• the definition of attributes, operations, ports, logical
interfaces, and subsystem state-based behavior.
• Additionally, the package SecSysController_UcSD contains
copies of the use case scenarios confined to interactions of
the SecSysController with its counterparts, i.e. subsystems
and/or external actors.
3
3 The SecuritySystemWB_AD package contains the use case
white-box activity diagrams associated with the
SecSysController.
2
4 The ActorsPkg contains the external stimuli.
5 The InterfacesPkg contains the verified logical interface

definitions of the system under design. Changes should be
4
done in a controlled fashion – e.g. via configuration
5
management.
Appendix
6 Appendix
A1 Mapping Security System Requirements to Model Artifacts
<<trace>>
ID System Requirement Req. Type <<satisfy>>
Uc1 Uc2 Uc3
SS11-1 Secure areas shall be protected by two independent Constraint X SecSysController
security checks.
Employee ID Card Identification - Entry
Functional readSecurityCard(),
SS11-2 Entry shall be protected by a security check based upon X
Requirement validateSecurityCard()
employee ID.
Employee ID Card Identification - Exit
Functional readSecurityCard(),
SS11-3 Exit shall be protected by a security check based upon X
Requirement validateSecurityCard()
employee ID.
Biometric Scan
Functional
SS11-4 Entry to the secure areas shall be protected by a second X scanBiometricData()
Requirement
independent security check, based upon biometric data
Time Between Two Independent Checks
SS11-5 The time between the two independent security checks Constraint X t_Bs
shall not exceed a configurable period.
Configure Time Between Two Independent Checks
Functional
SS11-6 The time between two independent security checks shall X
Requirement
be configurable.
Three Attempts On Employee ID Entry
Functional ScFailCount,
SS11-7 Upon entry the user shall be allowed three attempts on X
Requirement flagSecurityCardFailure()
card identification.
Three Attempts On Biometric Data Entry
Functional BsFailCount,
SS11-8 Upon entry the user shall be allowed three biometric data X
Requirement flagBiometricScanFailure()
entries.
Three Attempts On Employee ID Exit
Functional ScFailCount,
SS11-9 Upon exit the user shall be allowed three attempts on card X
Requirement flagSecurityCardFailure()
identification.
Denied Entry Notification logEntryData(),
Functional
SS11-10 Any denied access attempt shall be logged and account X logAccountData(),
Requirement
details sent to the administrator reqProcessAlert()
Denied Exit Notification logExitData(),
Functional
SS11-11 Any denied access attempt shall be logged and account X logAccountData(),
Requirement
details sent to the administrator reqProcessAlert()
Tab.A1-1 Mapping Security System Requirements to Model Artifacts
Appendix
<<trace>>
Uc1 Uc2 Uc3
Alarm - Entry Functional
SS11-12 X alarm()
On a denied entry an alarm signal shall be raised. Requirement
Alarm - Exit Functional
SS11-13 X alarm()
On a denied exit an alarm signal shall be raised. Requirement
Disabling User Account
Functional
SS11-14 After three failed attempts at card identification or X disableUserAccount()
Requirement
biometric data entry the user account shall be disabled
Visualization of Security Card Check Status - Entry
Functional
SS11-15 The user shall be visually informed about the status of X displayCardStatus()
Requirement
his/her ID card check.
Visualization of Security Card Check Status - Exit
Functional
SS11-16 The user shall be visually informed about the status of X displayCardStatus()
Requirement
his/her ID card check.
Visualization of Biometric Data Check Status
Functional
SS11-17 The user shall be visually informed about the status of X displayAuthenticationStatus()
Requirement
his/her biometric data check
Alarm Reset
Functional
SS11-18 Once the alarm is acknowledged, it shall be reset by X X resetAlarm()
Requirement
the Administrator
Security Card Information
SS111-1 Constraint X X ValidateSecurityCard()
Security cards shall only contain employee name and ID.
Access Precondition
Functional
SS111-2 Access to the secure area shall only be allowed with a X validateSecurityCard()
Requirement
valid security card.
Security Card Renewal Functional
SS111-3 X
Security cards shall be renewed yearly. Requirement
Out of Date Cards - Entry Functional
SS111-4 X validateSecurityCard()
Out of date cards shall deny entry. Requirement
Out of Date Cards - Exit Functional
SS111-5 X validateSecurityCard()
Out of date cards shall deny exit. Requirement
Approval of Biometric Data
Functional
SS112-1 The user shall not be allowed access unless his/her X authenticateBiometricData()
Requirement
biometric data are recognized.
Biometric Data Storage
SS112-2 Biometric data shall be stored in the system database and Constraint X FingerprintScanner
not on the security card.
BiometricScan Activation
Functional enableBiometricScan();
SS112-3 The biometric scan device shall be activated only
Requirement disableBiometricScan()
when there is a request.
Tab.A1-2 Mapping Security System Requirements to Model Artifacts (cont’d)
Appendix
<<trace>>
Uc1 Uc2 Uc3
Processing User Request
SS12-1 Constraint X X SecSysController
The system shall only process one user at a time.
Entry Time
SS12-2 The user shall be given sufficient time to enter the secure Constraint X t_Unlocked
area.
Exit Time
SS12-3 The user shall be given sufficient time to exit the secure Constraint X t_Unlocked
area.
Configure Entry and Exit Time Functional
SS12-4 X
The time to enter and exit the area shall be customizable. Requirement
Automatic Securing the Secure Area - Entry
Functional
SS12-5 Once the user has entered the area, the system shall X evAccesspointLocked()
Requirement
automatically secure itself.
Automatic Securing the Secure Area - Exit
Functional
SS12-6 Once the user has exited the area, the system shall X evAccesspointLocked()
Requirement
automatically secure itself.
Image Capture
An image shall be taken of any person, at the initial Functional
MA1 X reqTakeSnapshot()
attempt, when trying to access a secure area for logging Requirement
time and employee ID.
Time Recording
Functional
MA2-1 The time a user spends in a secure area shall be X logExitData()
Requirement
recorded.
Alarm Conditions
Functional
MA2-2 An alarm shall notify if a person stays longer than 10 X checkForTimeLimitViolations()
Requirement
hours in the secure area.
Emergency Exit
In the event of an emergency the administrator can invoke
Functional
E1 a "Free Exit Mode". All security checks for exiting the X
Requirement
area shall be disabled until the administrator returns the
system to normal working.
Security Lockdown
The administrator can invoke a security lockdown mode - Functional
E2 X
in this event the system shall lock all access points until Requirement
the administrator returns the system to normal working.
Tab.A1-3 Mapping Security System Requirements to Model Artifacts (cont’d)
Appendix
A2 Extended Architectural Model of the Security System
In the case study the focus of the system architecture model was The table below specifies the control logic to be implemented in the
exclusively on the required functionality. Design aspects were SecSysController.
allocated to the respective subsystems as non-functional LED1 LED2 Alarm Remarks
requirements. All interfaces of the architectural components were Default Red Red CR_Entry, CR_Exit
functional also referred to as logical. This paragraph shows, how to Valid Card Green Yellow only CR_Entry => ready for FingerprintScan
consider realization aspects in the system architecture model of the Pass Green Green CR_Entry && approved FingerprintScan, CR_Exit
Security System. Fail <=3 Yellow Red CR_Entry, CR_Exit
Fail > 3 Red Red X CR_Entry, CR_Exit
Based on the results of the trade study it was decided that both the
card readers and the fingerprint scanner should be COTS Also the fingerprint scanner device displays the authorization result
components. The chosen devices are shown in the picture below. and the fingerprint status via two LEDs. But these LEDs are controlled
by the device itself. The communication between the device and the
SecsysContoller is via a bus. The table below specifies the control
logic to be implemented in the FingerprintScanner.
LED1 LED2
Disabled Red Red
Enabled Green Red
Pass Green Green
Fail <=3 Green Yellow
From the system modeling point of view it was decided to model
• The bus communication between the devices and the

Card Reader Fingerprint Scanner SecSysController using SysML/UML Standard Ports.
• The control of the card readers’ LEDs and alarm device using
SysML Flow Ports.
With regard to the card reader devices the following assumptions were
made:
• The security card information is provided to the SecSysControler

via a bus communication
• Two LEDs display the result of the security card validation as well
as the Security System status. The LEDs are connected to and
controlled by the SecsysController.
• Also the alarm device within the card readers is connected to and
controlled by the SecSysController.
Appendix
A2.1 Extended System Architecture

Copy IBD_SecuritySystem, name the new Internal Block Diagram
1
IBD_SecuritySystem_Extended. 1
Add (Atomic) Flowports to

2 itsSecSysController, CardReader_Entry, and CardReader_Exit.
NOTE: Flowports that are not associated with a CardReader instance

are Removed from View in the respective part.
3 In the TypesPkg define the type of the flowport attribute LEDx_xxxx as

Enumeration with the values Red, Yellow, Green.
IBD_SecuritySystem_Extended
1 itsSecuritySystem
2 1 CardReader_Entry 1 itsSecSysController
1 itsUser
pUser_Entry LED1_Entry:tLED LED1_Entry:tLED
pCardReader_Entry pUser LED2_Entry:tLED LED2_Entry:tLED
1 itsAccessPoint
pCardReader_Exit Alarm_Entry:bool Alarm_Entry:bool
pAccespSS1_10
pFingerprintScanner pAccessPoint pSecSysController
1 CardReader_Exit sPoint
1 itsCamera
pSS1_3
pSecSysController pCardReader_Exit pCamera
pUser_Exit pCamera pSecSysController
pUser LED1_Exit:tLED LED1_Exit:tLED
LED2_Exit:tLED LED2_Exit:tLED 1 itsAdmin
pAdmin
Alarm_Exit:bool Alarm_Exit:bool pAdmin pSecSysController
pUser_FpScan
pUser pSecSysController pFingerprintScanner
Populated Internal Block Diagram of the Extended System Architecture Model
Appendix
FingerprintScannner_Ctrl_Extended
BiometricScanDisabled
A2.2 Extended State-based Behavior of Subsystems
reqDisableBiometricScan/ reqEnableBiometricScan/
disableBiometricScan(); enableBiometricScan();
In the CardReaderPkg right-click the block CardReader. GEN(evLED1_Red);
GEN(evLED2_Red);
GEN(evLED1_Green);
1
Select Add New Statechart, and BiometricScanEnabled
name it CardReaderCtrl_Extended.
WaitForScanRequest
Right-click the Statchart and reqScanBiometricData/

2 reqSetAuthenticationStatus("Not Authenticated") to pSecSysController scanBiometricData()
select Set As Main Behavior.
[AuthenticationStatus != "Authenticated"]/
GEN(evLED2_Yellow);
In the FingerprintScannerPkg right-click the block
3 FingerprintScanner. AuthenticatingBiometricData
Select Add New Statechart and authenticateBiometricData(AuthenticationStatus);
name it FingerprintScannerCtrl_Extended.
[AuthenticationStatus=="Authenticated"]/
GEN(evLED2_Green);
4 Right-click the Statchart and reqSetAuthenticationStatus("Authenticated") to pSecSysController
select Set As Main Behavior.

LED1 LED2
LED1Red LED1Green LED2Red LED2Yellow LED2Green
evLED1_Green evLED2_Red evLED2_Yellow evLED2_Green

evLED1_Red
CardReaderCtrl_Extended
Configuration_CR_Entry
LED1 LED2 chAlarm_Entry[Alarm_Entry==true]/GEN(evAlarmOn);
chAlarm_Entry[Alarm_Entry==false]/GEN(evAlarmOff);
evLED2_Red chLED1_Entry[LED1_Entry==0]/GEN(evLED1_Red);
evLED1_Red
L1Red L2Red chLED1_Entry[LED1_Entry==1]/GEN(evLED1_Yellow);
chLED1_Entry[LED1_Entry==2]/GEN(evLED1_Green);
evLED2_Yellow chLED2_Entry[LED2_Entry==0]/GEN(evLED2_Red);
evLED1_Yellow
L1Yellow L2Yellow chLED2_Entry[LED2_Entry==1]/GEN(evLED2_Yellow);
4 chLED2_Entry[LED2_Entry==2]/GEN(evLED2_Green);
evLED2_Green
evLED1_Green
L1Green L2Green
[BlockType=="Entry"]
evAlarmOn
Alarm_Off Alarm_On [BlockType=="Exit"]
evAlarmOff Configuration_CR_Exit
chAlarm_Exit[Alarm_Exit==true]/GEN(evAlarmOn);
chAlarm_Exit[Alarm_Exit==false]/GEN(evAlarmOff);
chLED1_Exit[LED1_Exit==0]/GEN(evLED1_Red);
WaitForRequest
3 chLED1_Exit[LED1_Exit==1]/GEN(evLED1_Yellow);
chLED1_Exit[LED1_Exit==2]/GEN(evLED1_Green);
chLED2_Exit[LED2_Exit==0]/GEN(evLED2_Red);
readSecurityCard();
chLED2_Exit[LED2_Exit==1]/GEN(evLED2_Yellow);
reqValidateSecurityCard to pSecSysController chLED2_Exit[LED2_Exit==2]/GEN(evLED2_Green);
Appendix
ProcessingSecurityCardData_Extended
/ScFailCount=0
ValidatingSecurityCardData 1
Extended State-based Behavior of the SecSysController Block validateSecurityCard(CardStatus);
[UserRequest=="Exit"] [UserRequest=="Entry"]
setLED1_Entry(Green);
setLED2_Entry(Yellow); CardValid
SecSysControllerCtrl_Extended Fail
[else] [CardStatus=="Valid"]/
ExitControl setLED1_Exit(Green);
[else]
setLED2_Exit(Green);
waitForEntryReques A
reqValidateSecurityCard SecCardFailure
Fail flagSecurityCardFailure(ScFailCount);
[IS_PORT(pCardReader_Entry)]/
UserRequest="Entry";
[ScFailCount<=3]/ [ScFailCount>3]/
[IS_PORT(pCardReader_Exit)]/ reqTakeSnapshot to pCamera if (UserRequest=="Entry") if (UserRequest=="Entry")
UserRequest="Exit"; {setLED1_Entry(Yellow); {setLED1_Entry(Red);
setLED2_Entry(Red);} setLED2_Entry(Red);
else setAlarm_Entry(true);}
ProcessingSecurityCardData_Extended 1 {setLED1_Exit(Yellow); else
setLED2_Exit(Red);} {setLED1_Exit(Red);
CardValid Fail3Times setLED2_Exit(Red);
reqValidateSecurityCard
setAlarm_Exit(true);}
WaitForRequest
Fail3Times
[UserRequest=="Exit"]
[UserRequest=="Entry"]
2 ProcessingBiometricData_Extended ProcessingBiometricData_Extended
Authenticated BsTimeout Failed3Times
2
reqEnableBiometricScan to pFingerprintScanner
/disableUserAccount();
A logAccountData(); /BsFailCount=0
/logEntryData(); reqProcessAlert("User Access Disabled") to pAdmin waitForBiometricScanInfo
UnlockingAndLockingAccessPoint tm(t_Bs)
WaitForResetAlarm reqDisableBiometricScan to pFingerprintScanner
evAccessPointLocked reqResetAlarm BsTimeout

reqSetAuthenticationStatus
[else]
[UserRequest=="Exit"]/
[UserRequest=="Entry"]/ [params->AuthenticationStatus=="Authenticated" ]/
setAlarm_Exit(false); setLED2_Entry(Green);
setAlarm_Entry(false); [BsFailCount>3]/
setAlarm_Entry(true); [else]
A
BiometricScanFailure
TimeLimitMonitor flagBiometricScanFailure(BsFailCount);
CheckingForTimelimitViolations reqDisableBiometricScan to pFingerprintScanner

tm(t_Update)
reqDisableBiometricScan to pFingerprintScanner
Authenticated
/TimeLimitFlag=0; [TimeLimitFlag==1]
reqProcessAlert("TimeLimitViolation") to pAdmin reqAlarm to pCardReader_Entry

Failed3Times
Appendix
itsUser SecuritySyst SecuritySyst SecuritySyst SecuritySyst itsCamera itsAccessPoi
em.CardRea em.CardRea em.itsFinger em.itsSecSy nt
der_Entry der_Exit printScanner sController
checkForTimeLimitViolations(TimeLimitFlag = 0)
A2.3 Verification of the reqReadSecurityCard()
Extended System Architecture Model readSecurityCard()
The extended system architecture model is verified through model reqTakeSnapshot()
execution on the basis of the captured use case scenarios. The validateSecurityCard(CardStatus = Valid)
correctness and completeness analysis is based on the visual LED1_Entry = 2
inspection of the model behavior (animated statecharts and sequence chLED1_Entry()
diagrams). chLED2_Entry()
LED2_Entry = 1
evLED1_Green()
evLED2_Yellow()
User Interfaces for the Model Execution
• Panel Diagram reqScanBiometricData()
scanBiometricData()
_
Entry _
Exit authenticateBiometricData(AuthenticationStatus = Authenticated)
reqSetAuthenticationStatus(AuthenticationStatus = Authenticated)
LED2_Entry = 2
chLED2_Entry()
evLED2_Green()
reqDisableBiometricScan()
tm(1000)
Slide Card Fingerprint Scan Slide Card

tm(5000)
Alarm Entry Alarm Exit

Reset Alarm tm(1000)
LED1_Entry = 0
• Webify User Interface chLED1_Entry()
LED2_Entry = 0
chLED2_Entry()
evLED1_Red()
evLED2_Red()
Animated Sequence Diagram (WB_Uc1Sc1)
Appendix
A3 Modeling Guidelines
This chapter specifies the guidelines and best practices to model a system using SysML. These guidelines are a symbiosis of many years of
modeling experience in different industry branches (Aerospace, Defense, Automotive, Telecom, Medical, Industrial Automation, and Consumer
Electronics) and have been proven to significantly enhance the readability of model-based specifications.
It starts with general guidelines and drawing conventions. SysML diagrams that are considered essential and associated elements then are
discussed in detail. Finally, an approach which extends the SysML profile for project-specific needs is described.
A3.1 General Guidelines and Drawing Conventions

The following guidelines and drawing conventions are recommended for all diagrams:
• Create simple, focused diagrams with a small number of elements. • Organize diagrams in a hierarchical fashion. Locate diagrams in
As a rule of thumb, avoid placing more than ten major elements packages corresponding to their relative position in the system
(block, use case, actor, etc.) on a diagram. hierarchy.
• Ensure all diagrams can be printed on standard 8.5x11 or A4 • Ensure accurate and complete descriptions are entered for all
paper. model elements to assist in understanding the model and to
facilitate the eventual hand-off of the model. These descriptions
• Arrange elements in diagrams to avoid crossing of lines. All lines must also support the auto-generated documentation from the
should be straight or rectilinear. model.
• Create elements with a consistent size. Avoid clutter and chaos by • Avoid excessive use of description notes in diagrams. It’s generally
arranging elements with equidistant spacing and alignment. recommended to put these descriptions in the description field of
• The default Rhapsody fonts, shapes, symbols, line styles, and the corresponding graphical artifact
colors shall be used consistently in all packages in the model. • Do not use comments in the model.
• Position related elements close together in diagrams.
• Ensure elements in diagrams have the same level of abstraction.
Appendix
A3.2 Use Case Diagram UCD_SecuritySystem
Use Case Diagrams capture the functional requirements of a system

by describing interactions between users of the system and the Security System
system itself. Users of a given system could be external people or

other systems. A use case diagram is comprised of a system Uc1Control Entry
Camera
boundary that contains a set of use cases. Actors lie outside of the User
system boundary and are bound to use cases via associations.

Uc2Control Exit
Elements and Artifacts

Admin AccessPoint
Uc3ConfigureSecurity
Use Case: A use case defines the system context. Name use System
cases using verbs that describe their ultimate goal.
Actor: A role that an external user plays with respect to the

system. Note that external users could be people or other systems. Use Case Diagram
Use domain-specific, role-based names for actors.
System Boundary: Distinguishes the border between the actors Guidelines and Drawing Conventions
and the system containing the use cases. • A system typically has many use cases. To manage this
complexity, group use cases into Use Case Diagrams.
Association: Connects an actor with a use case, indicating which
actors carry out which use cases. • Ensure each use case has a clear goal and that its functionality
falls within the bounds of the system. Keep the goal broad enough
to break the use case down into several scenarios (rule of thumb:
Dependency: Connects two use cases, indicating which use 5<n<25 “sunny day scenarios”).
cases depend on other use cases. For simplicity, only the
<<include>> stereotype should be used for use case dependencies. • Every actor in a use case diagram must be associated with one or
Other stereotypes, like <<extend>>, should be avoided. more use cases. Every use case must be directly associated with
at least one actor
Naming Conventions
• When multiple use case diagrams are defined, use case diagrams
shall be numbered: UCD<Nr> <Use Case Diagram Name>
• When multiple use case diagrams are defined, the name of a use
case shall include the reference to its associated use case
diagram: UCD<Nr>_UC<Nr> <Use Case Name>.
• Note: Use case names may have spaces
• The use case name shall start with a verb.
Appendix
A3.3 Block Definition Diagram

The SysML Block Definition Diagram shows the basic structural BDD_SecuritySystem
«block»
elements (blocks) and their relationships / dependencies. Basic SecuritySystem
structural elements may be actors and subsytems or interfaces. 1 1
User Camera
1 1 1
Block: An entity that can contain data and behavior. A system

block may be decomposed into sub-blocks. A system block is a re- Admin AccessPoint
usable design element.
Actor: A role that an external user plays with respect to the CardReader_Exit CardReader_Entry 1 1
system. Note: This element is not shown in the Rhapsody toolbar. The «block»
SecSysController
actor needs to be defined in the browser (-> ActorsPkg) and then
dragged into the block definition diagram.
Interface: A contract comprised of event receptions and/or CardReader FingerprintScanner
operations. In Harmony for Systems Engineering an interface only

contains event receptions. Any system block that realizes the interface
Block Definition Diagram
must fulfill that contract. An interface does not contain behavior.
Association: Represents a bidirectional relationship between Guidelines and Drawing Conventions

system blocks and actors.
• Use the Label feature on the Display Options to keep block names
Directed Association: Represents a uni-directional relationship simple within block definition diagrams, even when they are
between system blocks and actors. referencing blocks across packages.
• Blocks should not show attributes, operations and ports.
Directed Composition: Shows the hierarchical decomposition of • Use the composition relationship to show block decomposition – do
a system block into its sub-blocks. not show blocks inside other blocks.
Generalization: Shows the relationship between a more general • The stick figure should only be used to visualize actors that are
system block and a more specific system block. The more specific external to the system. Actors that represent subsystems should
system block is fully consistent with the more general system block be shown as (color-coded) blocks.
and contains additional information or behavior.
Naming Conventions
Dependency: Shows the relationship between two system blocks The name of a block definition diagram should have the pre-fix
in which one block requires the presence of another block. “BDD_”.
Appendix

A3.4 Internal Block Diagram
StandardPort: A named interaction point assigned to a block,
The SysML Internal Block Diagram shows the realization of the system
through which instances of this block can exchange messages.
structure defined in the Block Definition Diagram. It is comprised of a
set of nested parts (i.e. instances of the blocks) that are inter-
FlowPort: specifies the input and output items that may flow
connected via ports and connectors.
between a block and its environment. Input and output items may
include data as well as physical entities, such as fluids, solids, gases,
and energy.
Connector: A connection between two ports through which

information flows via interfaces. When two parts share the same
parent part, the connection between the two blocks is modeled
with a single connector. However, when two parts have different
parents, the connection between the two parts requires multiple
connectors routed through delegation ports.
IBD_SecuritySystem_Extended
1 itsSecuritySystem
1 1 itsSecSysController
CardReader_Entry
1 itsUser
pUser_Entry LED1_Entry:tLED LED1_Entry:tLED
pCardReader_Entry pUser LED2_Entry:tLED LED2_Entry:tLED
1 itsAccessPoint
pCardReader_Exit Alarm_Entry:bool Alarm_Entry:bool
pAccessPoint
pFingerprintScanner pAccessPoint pSecSysController
1 CardReader_Exit
1
pSecSysController pCardReader_Exit pCamera
pUser_Exit pCamera pSecSysController
pUser LED1_Exit:tLED LED1_Exit:tLED
LED2_Exit:tLED LED2_Exit:tLED 1 itsAdmin
pAdmin
Alarm_Exit:bool Alarm_Exit:bool pAdmin pSecSysController
pUser_FpScan
pUser pSecSysController pFingerprintScanner
Internal Block Diagram
Appendix
Guidelines and Drawing Conventions

• Show part decomposition by placing sub parts inside of their
owning part.
• When possible, try to arrange parts in a vertical fashion. Also, try
to place ports that communicate outside of the system tier on the
left side of the block and ports that communicate within the system
tier on the right side of the block.
• Use the Label feature on the Display Options to keep part names
simple within internal block diagrams, even when they are
referencing parts or system blocks across packages.
• Depending on the level of detail you are trying to convey in the
diagram, you may hide or show attributes, and operations. All
communication between parts occurs through ports and well
defined interfaces.
• Depending on the level of detail you are trying to convey in a
specific diagram, you may hide the pictograms of port interfaces
(lollipop/socket) to avoid clutter.
• Avoid creating “gigantic” internal block diagrams that show all port
connections between every part in the system, as these diagrams
quickly become over-cluttered and unreadable. Instead create
separate internal block diagrams with a mission focussed on
showing a specific collaboration or part decomposition.
Naming Conventions
• The name of an internal block diagram should have the pre-fix
“IBD_”.
• Parts should keep the default name (its<BlockName) created by
Rhapsody. Only in use case models, the actor instance names
should refer to the use case: (Ucd<Nr>_) Uc<Nr>A_<ActorName>.
• Naming convention for ports: p<CounterpartName>
• Port names should be placed inside the associated part.
• Interface names should be referenced to the sender port.
Naming convention: i<Sender>_<Receiver>
Appendix
Initial Flow: A control flow that leads to the initial action in

A3.5 Activity Diagram the activity diagram.
The Activity Diagram describes a workflow, business process, or
algorithm by decomposing the flow of execution into a set of actions Fork Node: A compound control flow that connects a single
and sub activities. An activity diagram can be a simple linear control flow to multiple concurrent activities.
sequence of actions or it can be a complex series of parallel actions
with conditional branching and concurrency. Swim lanes can be
added to the activity diagram to indicate the entities responsible for Join Node: A compound control flow that merges the control
performing each activity. flow from multiple concurrent activities.
NOTE: In Harmony for Systems Engineering the terms activity, action

and operation are synonymous. Swim Lane Frame: Draws a frame around the entire set of
activitie so that they can be partitioned into swim lanes.
If an activity diagram is used to describe a workflow there are no
limitations of using elements (Rhapsody mode: "Analysis"). If an
Swim Lane Divider: Places a vertical partition within the swim
activity diagram is used to describe a macro containing operations
lane frame. Each swim lane represents an entity that is responsible
(Rhapsody mode: "Design") there are limitations. The reason for the
for performing the activities in that swim lane. Control flows can cross
limitations is that SW-code for testing purposes is generated.
swim lanes.
Elements and Artifacts Decision Node: A condition connector splits a single control flow
into multiple branches, each containing a guard. The guards on each
Action: An action represents a primitive operation. In Harmony branch should be orthogonal conditions, though they do not need to
for Systems Engineering also actions stereotyped cover all possibilities. An “else” guard should be added to provide a
<<MessageAction>> are used. These actions contain only messages default branch when no other guards are met.
to and/or from an actor.
Activity Final: Terminates the control flow of the activity
Subactivity: A subactivity that is further decomposed into a set diagram.
of actions and subactivities.
NOTE: A decomposed subactivity cannot partitioned into swim lanes. Diagram Connector: A diagram connector helps manage
If a decomposed sub activity needs to be partitioned into swim lanes diagram complexity by allowing jumping to different sections of the
(ref. architectural design) the parent action should be decomposed activity diagram to avoid line crossing.
using a Call Behavior action (ref. Appendix A5).
Action Pin: In SysML the Input/Output shows the input data of
Call Behavior: References to another activity diagram as an an action. In Harmony for Systems Engineering action pins -
activity (ref. Appendix A5). stereotyped <<ActorPin>> - are used to depict the link between an
action and an actor. In this case the name of the pin has the name of
the associated actor. The arrow in the pin shows the direction of the
Control Flow: Actions are linked via control flow. Execution
respective link (i.e. In, Out or In/Out).
begins in an activity when a transition flows into it. A transition from
an activity fires when the activity has completed and any guard
conditions on the transition have been met.
Appendix
Uc2ControlExitWhiteBoxView • Use the statechart action language to express guards to provide

the best transition to statechart diagrams. See the appendix A5 for
CardReader_Exit SecSysController more details on Rhapsody’s action language.
• All control flow lines should be rectilinear or straight. Control flows
User Admin should not cross each other or cross through activities.
readSecurityCard validateSecurityCard checkForTimeLimitViolations
• Diagram connectors should only be used when the readability of an
activity diagram is disturbed by a direct control flow.
displayCardStatus
[CardStatus==Valid]
• Control flows and initial flows cannot have triggers.
[else]
flagSecurityCardFailure logExitData • To reference another activity diagram as an activity, drag that

activity diagram from the browser onto the diagram. This creates a
AccessPoint
call behavior activity that links to the external activity diagram (ref
[else]
[ScFailCount==3]
«MessageAction»
Appendix A5).
unlockAccesspoint
Admin AccessPoint [Timeout Unlocked] • Generally, an activity should correspond to an operation to be
alarm «MessageAction» «MessageAction» performed in the associated block. Exception: Activities
resetAlarm lockAccesspoint stereotyped <<Message Action>> which describe the reception or
resetAlarm
transmittion of a message, e.g.
SS1 SS2 SS3

Activity Diagram
«MessageAction»
Guidelines and Drawing Conventions op1
forwardReq
op2
• In Harmony for Systems Engineering, the activity diagram is used

exclusively to describe the functional flow through a use case.
Therefore, select the activity diagram mode “”Analysis”.
SS1 SS2 SS3
• Document the pre-conditions in the respective tag of the diagram.
op1()
• Actor swim lanes should not be used. The link of an activity to the
actor should be described through action pins, stereotyped reqOp2()
reqOp2()
<<ActorPIN>>>. op2()
• When performing a recursive decomposition of a complex system,

the activities at one system tier can become the use cases in the
next lower system tier.
• Activity diagrams should flow vertically from top to bottom. The
initial activity should be located near the top of the diagram and any
termination states should be located near the bottom of the
diagram.
Appendix
Note: In the case of a message exchange with external actors

respective actor pins need to be added to the message action, e.g.
AccessPoint
«MessageAction»
unlockAccesspoint
AccessPoint [Timeout Unlocked]
«MessageAction»
lockAccesspoint
itsSecSysController itsAccessPoint
t_Unlocked evAccessPointUnlocked()
• All activities should have only one exit transition. Any scenarios
where multiple transitions flow out of an activity should be explicitly
drawn using a condition connector or a fork node.
Naming Conventions
• The diagram shall have the associated use case name in plain text
at the top of the diagram.
• Activity names shall start with a verb, beginning with a lover case
letter, and map directly to the names of operations on system
blocks.
Appendix
A3.6 Sequence Diagram Elements and Artifacts

Sequence Diagrams elaborate on requirements specified in use cases
and activity diagrams by showing how actors and blocks collaborate in
Instance Line: Draws a vertical lifeline for an actor or
some behavior. A sequence diagram represents one or more
block.
scenarios through a use case.
A sequence diagram is comprised of vertical lifelines for the actors and
blocks along with an ordered set of messages passed between these Message: Creates a horizontal message line between two
entities over a period of time. lifelines or looped back onto the same lifeline. All messages
between blocks are considered asynchronous. Reflexive (loop
back) messages are considered synchronous operations and
moveAxisB_Sc1
User Uc1_HomingAndManualMode represent simple, private activities within the block.
Condition Mark: Represents a mode/state change in a

Preconditions:
ManualMode and AxisB selected block. Can also be used to specify preconditions and post
reqSetDirection(Direction)
conditions for each instance on the sequence diagram.
Time Interval: An annotation on a lifeline that identifies a

DirectionA selected time constraint between two points in the scenario.
reqSetSpeed(Speed)
setSpeed(Speed)
Interaction Occurrence (Reference Sequence Diagram):
checkPosAxisC()
Helps manage scenario complexity by cross-referencing other
sequence diagrams.
opt [AxisC inSafePos]
checkPosAxisE() Interaction Operator: Helps to group related elements in

a sequence diagram. This includes the option of defining specific
opt [AxisE inSafePos]
conditions under which each group of elements will occur.
checkStatusAxisB()
Operand Separator: Used to create subgroups of
alt [AxisB isHomed] interaction operators (e.g. concurrent operations or alternatives).
reqMoveAxisB()
mvCmddAxisB_Normal()
Partition Line: Used to divide a scenario into sections of
[else] related messages. Each partition line has its own text field used
reqMoveAxisB() to describe that section of the scenario.
mvCmddAxisB_Slow()
Constraint: A semantic condition or restriction expressed

as text.
Sequence Diagram
Appendix
Guidelines and Drawing Conventions Naming Conventions

• Pre- and post-conditions should be documented in condition marks The following table summarizes the recommended naming
on respective lifelines or in respective tags of the diagram. conventions for asynchronous messages:
• If possible, arrange lifelines such that the message exchange
occurs in a “general” left-to-right flow from the top of the sequence Name Description
down to the bottom. In other words, arrange the order of lifelines to
minimize message zigzagging. req<Service> Used to request a service (operation) on a
block. These messages are followed by a
• For documentation reasons the print-out of a scenario should be reflexive message on the receiving block
captured on one page. indicating the execution of the service.
• Divide complicated scenarios into manageable, well-documented, Example: reqReadSecurityCard
logically related groups of messages using partition lines.
The corresponding reflexive message
• Interaction Operators should not be nested deeper than 3 hierarchy name excludes the “req” prefix and begins
levels. with a lower case letter:
• Extract reused portions of scenarios into separate sequence Example: readSecurityCard
diagrams that are included using interaction occurrences.
• All message lines should be horizontal, rather than diagonal. ret<Service>Status Used to provide results of a service
Asynchronous messages between blocks have an open arrowhead (operation) back to the requester.
and synchronous, reflexive messages have a filled arrowhead. Example:
• Stereotype messages according to their associated protocol retAuthenticateBiometricDataStatus
(e.g. M1553, Ethernet, etc …).
ev<Event> Used to send a notification of change
• Use the statechart diagram action language to express constraints
to provide the best transition to statechart diagrams. Example: evAccessPointLocked
See the appendix A6 for more details on Rhapsody’s action
language.
• If a condition mark represents a mode/state change in reaction to a
respective message, the condition mark should match the name of
the state in the statechart diagram.
• Do not show operations on the actor lifelines.
• Do not use timeout in a sequence diagram. Rather describe a time
constraint by means of Time Intervals.
Appendix
A3.7 Statechart Diagram

A Statechart Diagram shows the state-based behavior of a block
across many scenarios. It is comprised of a set of states joined by Join Synch Bar: A compound transition that merges transitions
transitions and various connectors. An event may trigger a transition from different orthogonal states.
from one state to another. Actions can be performed on transitions
and on state entry/exit. See the appendix for more details on Condition Connector: A condition connector splits a single
Rhapsody’s action language. transition into multiple branches, each with a guard. The guards on
Classically, a statechart diagram depicts the behavior of reactive each branch should be orthogonal conditions, though they do not
blocks – that is, blocks that maintain their history over time and react need to cover all possibilities. An “else” guard can be added to
to events. However, when modeling a system, the behavior of blocks provide a default branch when no other guards are met.
is always captured in statechart diagrams backed by supporting
attributes and operations, as all communication between blocks occurs History Connector: A history connector is placed in an “or”
through ports using asynchronous events. state to remember its last active sub state. When the “or” state is re-
entered, it automatically returns to that sub state. The transition
Elements and Artifacts coming out of the history connector is the default transition taken
when there is no history.
State: A state typically models a period of time during the life of a

Termination Connector: A termination connector destroys the
block while it is performing an activity or waiting for some event to
block.
occur. States can also be used to model a set of related values in a
block. A state that contains multiple sub states is called an “or” state
or composite state. A state that contains two or more concurrent Junction Connector: A junction connector helps manage
regions is called an “and” state or orthogonal state. Actions can be diagram complexity by combining several incoming transitions into a
performed on state entry and exit. single outgoing transition.
Transition: A transition from a state defines the response of a Diagram Connector: A diagram connector helps manage
block in that state to an event. Transitions may flow through one or diagram complexity by allowing jumping to different sections of the
more connectors (defined below) and ultimately route to a new state or statechart diagram to avoid line crossing.
loop back to the original state. Transitions can have actions and
guards that make them conditional. EnterExit Point: A connector that links transitions across
statechart diagrams.
Default Transition: A transition that leads to the state (or the sub
state in an “or” state or “and” state) that should be entered by default. Send Action State: Graphical representation of a send signal
action.
And Line: Used to create an “and” state by dividing a state into
multiple orthogonal, concurrent regions.
Fork Synch Bar: A compound transition that connects a single

transition to multiple orthogonal destinations.
Appendix
Uc2ControlExitCtrl
ExitControl ProcessingSecurityCardData
WaitForExitRequest A
reqReadSecurityCard/ /ScFailCount=0
readSecurityCard();
ProcessingSecurityCardData
validateSecurityCard(CardStatus);...displayCardStatus(CardStatus);
Fail3Times
[CardStatus=="Not Valid"]
reqReadSecurityCard/ SecCardFailure
logExitData();
readSecurityCard(); flagSecurityCardFailure(ScFailCount);
UnlockingAndLockingAccessPoint
reqProcessAlert("Exit Failure") to pAdmin
[ScFailCount>3]
WaitForEntryRequest
evAccessPointLocked [else] Fail3Times
reqResetAlarm/
WaitForResetAlarm resetAlarm(); A
TimeLimitMonitor
CheckingForTimelimitViolations
tm(t_Update)
/TimeLimitFlag=0; [TimeLimitFlag==1]
reqProcessAlert("TimeLimitViolation") to pAdmin • For readability reasons, use Mealy syntax ( event [condition]/action
on transition) wherever possible. Always place the action on a
transition on a new line from the event and guard.
Statechart Diagram • Moore syntax (= action on entry, reaction in state) should be
avoided unless necessary. This feature allows a block to react to
Guidelines and Drawing Conventions events within a state without actually leaving that state via a
transition. Exceptions to this rule include
• If possible, Statechart diagrams should flow vertically from top to • protocol state machines for actors that respond to an input
bottom. The initial state should be located near the top of the with a specific output,
diagram and any termination connectors should be located near • message routing state machines that forward requests from
the bottom of the diagram. one subsystem to another subsystem, and
• Typically, all states should have at least one entry transition and at • actions in action states (ref Appendix A4).
least one exit transition. A “dead end” state should be a very rare Never use “action on exit”.
thing!
• Diagram Connectors should only be used when the readability of a
• Avoid nesting of states beyond 3 or 4 levels. Ensure complex statechart diagram is disturbed by a direct transition.
nesting is simplified with sub state diagrams.
• It is essential that the EnterExit Points connectors have meaningful
• All transition lines should be rectilinear or straight. Transitions names and the two charts that are connected can be shown side
should not cross each other or cross through states. by side, with the connecting transition being easily identifiable.
• Labels should be positioned on the left-hand side of the arrow Using similar positions of the connector on each chart may facilitate
direction. this.
Appendix
Naming Conventions
• State names should be verbs and indicate the current mode or
condition of the block. Typically names are in the present tense.
Names must be unique among sibling states and should never be
the same as the name of a block or an event.
• Avoid names like “idle” or “wait”.
A3.8 Profiles
A profile extends the UML/SysML with domain-specific tags and
stereotypes. It also allows certain tool-specific properties to be Property Value
overridden to support modeling in a specific domain. These
Activity_diagram>Transition>line_style rectilinear_arrows
customizations can be applied to the entire model or to specific model
elements. Activity_diagram>DefaultTransition>line_style straight_arrows
Statechart>Transition>line_style rectilinear_arrows
Exemplarily Tab.A3-2 shows the properties of a project-specific profile
that supports the modeling guidelines outlined in the previous Statechart>DefaultTransition>line_style straight_arrows
sections. Tab.A3-1 depicts the definition of element tags that was Statechart>CompState>ShowCompName false
added to the profile in order to support the documentation.
SequenceDiagram>General>HorizontalMessageType Event
SequenceDiagram>General>SelfMessageType PrimitiveOperation
SequenceDiagram>General>ShowwAnimStateMark false
Tag Applicable To Type ObjectModelGe>Actor>ShowName Name_only
Use Case ObjectModelGe>Class>ShowName Name_only
PreCondition Sequence Diagram String
ObjectModelGe>Object>ShowName Name_only
Primitive Operation
ObjectModelGe>Inheritance>line_style rectilinear_arrows
Use Case
ObjectModelGe>Depends>line_style rectilinear_arrows
PostCondition Sequence Diagram String
Primitive Operation ObjectModelGe>Class>ShowPorts false
Use Case ObjectModelGe>Class>ShowPortsInterfaces false

Constraint Sequence Diagram String UseCaseGe>Actor>ShowName Name_only
Primitive Operation UseCaseGe>UseCase>ShowName Name_only
Tab.A3-1 Project-Specific Tags Defined in a Profile Tab.A3-2 Project-Specific Properties Defined in a Profile
Appendix
A4 Guideline: Deriving a Statechart Diagram Uc2Sc1
This guideline describes how to derive state-based behavior from the

information captured in an activity diagram and associated sequence
diagrams. The steps are detailed using as example the use case
Uc2_ControlExit.
Fig.A4-1 shows the activity diagram Uc2_ControlExitBlackBoxView of

the use case Uc2_Control Exit. It describes the functional flow of the
use case by decomposing the flow of execution into a set of action
nodes joined by transitions and condition connectors.
Fig.A4-2
Uc2_ControlExitBlackBoxView
UC-Scenario Uc2_Sc1
Uc2Sc2
Fig.A4-3
Uc-Scenario Uc2_Sc2
Fig.A4-1 Use Case Black-Box Activity Diagram Uc2 ControlExit
Fig.A4-2 and Fig.A4-3 show the black-box sequence diagrams that

were generated from the black-box activity diagram by means of the
Rhapsody SE Toolkit feature Create New Scenario From Activity
Diagram. The information from the activity diagram and its associated
sequence diagrams will be used to identify and capture the state-
based system behavior in a statechart diagram.
Appendix
Step1: Identify Wait States and Action States
Step 1.1: Identify Wait States Step 1.2: Identify Action States
In a Wait State an object waits for an event to happen. It consumes An action state is a state whose purpose is to execute an entry action,
time while waiting for the event. after which it takes a completion transition to another state. It is a kind
of dummy state that is useful for organizing state machines into logical
In the use case black-box activity diagram identify actions with IN actor structures.
pins. In the use case black-box sequence diagrams (Fig.A4-2,
Fig.A4-3) identify the messages (receptions) that trigger the selected In the use case black-box activity diagram identify actions with multiple
actions. For each of the identified actions create in the statechart outgoing completions with guard conditions. For each of these actions
diagram a wait state named WaitFor<ReceptionName>. create in the statechart diagram an action state with the name of the
In cases where the use case black-box sequence diagram shows a action (naming convention: <ActionName>ing ) and allocate the
timeout event (Fig.A4-2: t_Unlocked)), create in the statechart diagram relevant action to it using MOORE syntax.
a wait state with a name that describes the actual system status NOTE: Besides the output-relevant action, an action-state may also
(Fig.A4-4: AccessPointUnlocked). have additional context-related actions allocated to it (Fig.A4-5: action
state ValidatingSecurityCard).
Fig.A4-4 Wait States of Uc2_ControlExit Fig.A4-5 Action States of Uc2 ControlExit
Appendix
Step 2: Connect States
Step 2.1: Identify the initial state Step 2.2: Identify transitions, triggering events,
and associated actions
Mark the initial state with a Default Connector. If attributes need to be
initialized (e.g. ScFailCount in Fig.A4-6), add respective actions to the The transitions between the states and associated triggering events –
default connector. including guarded condition(s) - are identified through analysis of the
captured black-box use case sequence diagrams.
Select a use case scenario. Replicate the scenario in the statechart

diagram as follows:
Start from the initial state. In the sequence diagram identify the event
and – if needed – guarded condition(s) that trigger a transition and the
associated action(s). In the statechart diagram identify the target
state. Connect the two states. Label the transition following MEALEY
syntax: Event [Condition] / Action. If the target state is an action
state, add to the transition label only those actions that are not
allocated to the state. Proceed in the sequence diagram and repeat
the outlined connecting steps in the statechart diagram.
Repeat the replication of scenarios in the statechart for all captured

use case scenarios.
Step 2.3: Execute the Statechart
Verify the correctness of the captured state-based behavior through

model execution using the black-box use case scenarios as the basis
for respective stimuli.
Fig.A4-6 Flat Statechart of Uc2_ControlExit

( : Uc2_Sc1 Sequence )
Appendix
Note the different transitions out of the composite state. In the case of
Step 3: Structure the Statechart hierarchically CardStatus==”Pass” the triggering condition and associated action is
captured in the top-level statechart (Fig.A4-8) as a high-level interrupt.
Step 3.1: Identify state hierarchies In the case of a third-time failure, the respective triggering condition
and associated action is captured within the ProcessingSecurityCard
Once the flat statechart is verified, look for ways to simplify it by state and linked to the top-level statechart via an EnterExit point
structuring it hierarchically. Identify states that can be aggregated. (Fail3Times).
Grouping criteria could be e.g.
• System modes
• System phases or
• Reuse of state patterns
Also look for situations where the aggregation of state transitions
simplifies the statechart. Inspection of the flat statechart reveals that
- ValidatingSecurityCard,
- FlagingSecurityCardFailure, and
- WaitFor_reqReadSecurityCard in the case of a card failure
can be considered sub-states of a composite state called
ProcessingSecurityCard (Fig.A4-7). As ScFailCount is a local
attribute, its initialization is added to the default entry of the composite
state. Furthermore, the substates FlagingSecurityCardFailure and Fig.A4-8 Composite State UnlockingAndLockingAccessPoint
WaitFor_reqReadSecurityCard can be aggregated in the composite
state ValidationFail, thus denoting the fail mode within the States in the flat statechart Fig.A4-6 that relate to the access point
ProcessingSecurityCard state. control can be aggregated into the composite state
UnlockingAndLockkingAccessPoint, as shown in Fig.A4-8 This state
includes the messages sent to the access point.
Furthermore, the states WaitFor_evAccessPointUnlocked and
WaitFor_evAccessPointLocked can be merged to one wait state called
WaitForAccessPointFeedback. The exit out of the composite state is
captured in the top-level statechart.
Fig.A4-7 Composite State ProcessingCardData
Appendix
Fig.A4-9 shows the final structure of the top-level statechart of the use
case Uc2ControlExit.
Fig.A4-9 Top-Level Statechart of Uc2_ControlExit
Step 3.2: Execute the Statechart

Verify the correctness of the captured state-based behavior through
model execution using the black-box use case scenarios as the basis
for respective stimuli.
Appendix
A5 Guideline: Logical Decomposition of a Use Case Black-Box Activity Diagram

An important artifact in the Harmony for Systems Engineering UCD_MultiAxisSystem
workflow is the activity diagram associated with a use case. In the

Fuctional Analysis phase the use case black-box activity diagram MultiAxesSystem
describes the functional flow (storyboard) of a use case. It groups

functional requirements in actions – in Harmony for Systems Uc1HomingAnd
ManualMode
Engineering the equivalent of operations - and shows the associated
flow of information within the system and between the system and its User
environment (actors). In the architectural design phase the use case

white-box activity diagram supports the allocation of actions/operations
to an architectural structure.
Fig.A5-1 Use Case Diagram UCD_MultiAxesSystem
A system-level use case and the associated black-box activity diagram
describe the required functionality at a high level of abstraction – in Fig.A5-2 shows the functional and state-based behavior of the use
this section referred to as logical decomposition level 0. In order to case at the top-level – also referred to as decomposition level 1. The
provide the relevant information for the implementation, sequence diagram in Fig.A5-2 describes the use case scenario of a
actions/operations identified at this level may need to be detailed manual movement of AxisB. The associated operation will be
further. Experiences show, that if a level 0 action/operation needs to decomposed in the following paragraphs.
be logically decomposed, the decomposition seldom exceeds level 2.
The logical decomposition is performed in 8 steps.
This section describes the workflow, associated work products, and
provides guidelines that should be followed when activities/operations
of a use case black-box activity diagram are logically decomposed. Step 1: Identify operations that need to be decomposed
The different steps are outlined using the industrial automation
example shown in Section 2.2.2. A prerequisite for this step is, that the use case block behavior at the
NOTE: For didactical reasons I did not show hierarchy in Fig.2-5, the chosen system decomposition level was verified through model
use case black-box activity diagram. execution.
The chosen system is a complex multi-axis manufacturing machine.

Key components of this machine are 10 movable axes with partly Step 2: Rank the identified operations
overlapping working envelopes. For the case study the use case
covering the Homing And Manual Mode was chosen (Fig.A5-1. In order to achieve a common level of decomposition, the identified
operations need to be ranked according to their importance. Each of
the selected operations then will be decomposed by only one level
before the next level of decomposition may be considered.
The next steps are iteratively repeated for each selected operation.
Appendix
Black-Box Use Case Scenario

Uc1Sc1
User Uc1_HomingAndManualMode
reqSetOpMode(OpMode)
setOpMode(OpMode)
reqSetAxis(Axis)
setAxis(Axis)
reqMoveAxis()
moveAxis()
Uc1HomingAndManualModeBlackBocView HomingAndManualModeCtrl
User evReturn
[params-> WaitForModeReq
setOpMode
OpMode=="Homing"]
HomingMode reqSetOpMode
[OpMode=="Homing"]
Homing [params->
OpMode=="Manual"]
User [OpMode == "Manual"]
ManualMode
setAxis /setOpMode("Manual");
WaitForAxisReq movingAxisB
User User
[Axis == "AxisA"] reqSetAxis /setAxis("AxisB");
moveAxisA [Axis == "AxisB"] moveAxisB
movingAxisA [params-> [params-> movingAxisB WaitForMvCmd
User [else] User Axis=="AxisA"] Axis=="AxisB"]
[Axis == "AxisC"] reqMoveAxis/
moveAxisC [Axis == "AxisD"] moveAxisD moveAxisB()
movingAxisC [params-> [params-> movingAxisD
Axis=="AxisC"] Axis=="AxisD"] movingAxis
User [else]
User
moveAxisE [Axis == "AxisE"] [Axis == "AxisF"] [params-> [params-> movingAxisF

moveAxisF movingAxisE
Axis=="AxisE"] Axis=="AxisF"]
User [else] User
movingAxisG [params-> [params-> movingAxisK

moveAxisG [Axis == "AxisG"] [Axis == "AxisK"] moveAxisK
Axis=="AxisG"] Axis=="AxisK"]
User [else] User
[Axis == "AxisL"] movingAxisL [params-> [params-> movingAxisM
moveAxisL [Axis == "AxisM"] moveAxisM
Axis=="AxisL"] Axis=="AxisM"]
Use Case Black-Box Activity Diagram Use Case Block Statechart Diagram
Fig.A5-2 Use Case HomingAndManualMode: Functional and State-based Behavior at the System Level (Level 0)
Appendix
moveAxisB_Sc1
Step 3: Decompose the selected operation moveAxisB_Sc2
The workflow is shown for the operation moveAxisB in Fig.A5-2.

User Uc1_HomingAndManualMode Preconditions:
ManualMode and AxisB selected
Step 3.1: Create a Reference Activity Diagram Preconditions:

ManualMode and AxisB selected
The decomposition of an operation is described in a new Activity
DirectionA selected
Diagram – in the following referred to as Reference Activity Diagram. reqSetSpeed(Speed)

setSpeed(Speed)
Do not use the Rhapsody feature Subactivity. The reason for this is, DirectionB selected
that a subactivity chart cannot be partitioned into swim lanes. The reqSetSpeed(Speed) checkPosAxisC()
capability to allocate the decomposed operations to swimlanes is

setSpeed(Speed)
opt [AxisC inSafePos]
crucial in the architectural design phase. checkPosAxisA()
checkPosAxisE()
1 Right-click Uc1HomingAndManualBlackBoxView opt

[AxisA inSafePos] opt [AxisE inSafePos]
> Add New > Diagrams > Activity Diagram checkStatusAxisB()
checkStatusAxisB()
opt
Name the original Activity Diagram Level0 and
[AxisA isHomed] alt [AxisB isHomed]
reqMoveAxisB()
2 reqMoveAxisB()
name the new Activity Diagram Level1_moveAxisB mvCmddAxisB_Normal()
[else]
reqMoveAxisB()
mvCmddAxisB_Slow()
Level1_moveAxisB
User
setDirection
1
User
setSpeed
2
[UserInput == DirectionA] [UserInput == DirectionB]
checkPosAxisC checkPosAxisA
[else]
Step 3.2: Define the Functional Flow at the Decomposed Level
[inSafePos]
In Fig.A5-3 the activity diagram Level1_moveAxisB captures the check checkPosAxisE
for possible axis envelope overlaps as well as direction dependent and

[else]
axis position dependent (homed/not homed) speed limitations of the [else]
Fig.A5-3
manual movement. [inSafePos] [inSafePos] Reference Activity Diagram
checkStatusAxisB checkStatusAxisB Level1_moveAxisB and
Step 3.3: Derive Scenarios from the Reference Activity Diagram Associated Derived
[isHomed]
[isHomed]
Scenarios
Capture the essential scenarios by means of the SE-Toolkit feature
User
[else]
[else]
Create New Scenario From Activity Diagram. Check the mvCmddAxisB_Slow
User
consistency between the actions in the Reference Activity Diagram mvCmddAxisB_Normal
and the operations in the derived scenarios by means of the SE-

Toolkit feature Perform Activity View Consistency Check.
Appendix
Step 4: Link the Reference Activity Diagram

to the parent activity diagram
Move the Reference Activity Diagram Level1_moveAxisB into the Verify the link by creating an extended black-box use case scenario by
1
parent activity diagram. means of the SE-Toolkit feature Create New Scenario from Activity
NOTE: Rhapsody creates in the parent activity diagram a Call Diagram.
Behavior Activity with the name of the reference activity diagram. Uc1Sc1Extended
Replace the action that was decomposed by the call behavior User Uc1_HomingAndManualMode
2
activity.
NOTE: Do not add actor pins to the activity as the interactions message_0()
setOpMode(OpMode)
with the actors is captured in the lower hierarchy.
message_1()
setAxis(Axis)
message_2()
message_3()
setSpeed(Speed)
checkPosAxisC()
1 checkPosAxisE()
Level1_moveAxisB checkStatusAxisB()
message_4()
2 message_5()
setOpMode(OpMode)
Fig.A5-5 Automatically generated Extended Uc1Sc1 Sequence Diagram
NOTE: There is no need to manually complete the service request

messages in the automatically generated sequence diagram. For the
verification of the link only the correct sequence of operations is
relevant.
Fig.A5-4 Linking the Reference Activity Diagram

to the Parent Activity Diagam
Appendix
Step 5: Link RefAD scenarios to parent Step 6: Update port(s) and interface(s)
black-box use case scenarios of the use case block
In the use case black-box scenarios replace the operation that was Update the use case block port(s) and interface(s) by means of the
decomposed and its associated service request message by an SE-Toolkit feature Create Ports And Interfaces.
Interaction Operator that references to the RefAD scenarios. Name it
<DecomposedOperationName>_Scenarios.
The interaction operator contains the links to the scenarios that were Step 7: Extend the state-based behavior
derived from the Reference Activity Diagram. of the use case block
There are two ways to proceed:

Uc1Sc1 Uc1Sc1
• Alternative 1:
User Uc_Uc1HomingAndManualMode
Modify/extend the existing use case block statechart.
• Alternative 2:
reqSetOpMode(OpMode) reqSetOpMode(OpMode)
setOpMode(OpMode)
Create a copy of the existing use case block statechart
setOpMode(OpMode)
and modify/extend the copy.
reqSetAxis(Axis) reqSetAxis(Axis)
setAxis(Axis) setAxis(Axis) It is recommended to create a new use case block statechart and
reqMoveAxisB()
make it Main Behavior as shown below.
Ref
moveAxisB()
moveAxixB_Scenarios
moveAxisB_Scenarios
User Uc_Uc1HomingAndManualMode
alt
Ref Fig.A5-7 shows the extended statechart of the use case block. Note
moveAxisB_Sc2 the EnterExit point (UnsafePos) that was added to the state
ref. Scenarios in Fig. A5-3
movingAxisB in the top-level statechart. It captures the exit from the
Ref
moveAxisB_Sc1
substate in case of an anticipated envelope conflict with other axes.
Step 8: Execute the use case model
Fig.A5-6 Linking RefAD_MoveAxisB Scenarios to

Verify the correctness of the extended use case block through use
Black-Box Use Case Scenario Uc1Sc1 case model execution (Fig.A5-8).
Appendix
movingAxisB
/setAxis("AxisB");
[PosAxisA=="inUnsafePos"|| waitForDirectionReq Uc1Sc1Extended

PosAxisC=="inUnsafePos"||
PosAxisE=="inUnsafePos"|| reqSetDirection/
StatusAxisB!="isHomed" && MvDirection=params->Direction; itsUser itsUc1_HomingAndManualMode
MvDirection=="DirectionB"] setDirection(params->Direction);
waitForSpeedReq
UnsafePos
reqSetSpeed/ reqSetOpMode(OpMode = Manual)
setSpeed(params->Speed);
checkingPreconditionsForMovement setOpMode(OpMode = Manual)
reqSetAxis(Axis = AxisB)
[MvDirection=="DirectionA"] [MvDirection=="DirectionB"]
setAxis(Axis = AxisB)
checkingPosAxisC
reqSetDirection(Direction = DirectionA)
checkPosAxisC(PosAxisC);
checkingPosAxisA
setDirection(Direction = DirectionA)
[PosAxisC=="inSafePos"]
checkPosAxisA(PosAxisA);
checkingPosAxisE reqSetSpeed(Speed = 2.5)
checkPosAxisE(PosAxisE); [PosAxisA=="inSafePos"]
setSpeed(Speed = 2.5)
[PosAxisE=="inSafePos"]
checkPosAxisC(PosAxisC = inSafePos)
checkingStatusAxisB
checkStatusAxisB(StatusAxisB); checkPosAxisE(PosAxisE = inSafePos)
[StatusAxisB=="Homed" || checkStatusAxisB(StatusAxisB = isHomed)

StatusAxisB!="Homed" &&
MvDirection=="DirectionA"]
reqMoveAxis()
waitForMvCmd
reqMoveAxis
movingAxis evReturn()
[StatusAxisB!="isHomed" &&
MvDirection=="DirectionA"]
[else]
movingAxisSlow movingAxisNormal
mvCmddAxisB_Slow(); mvCmddAxisB_Normal();
Fig.A5-7 Extended State-Based Behavior of the Use Case Block Fig.A5-8 Animated Sequence Diagram (Extended Uc1Sc1)
Appendix
Outlook: Allocation of the decomposed operations in the

Architectural Design phase
In the architectural design phase the level 1 use case black-box

activity diagram and its associated Reference Activity Diagram(s) are
partitioned into swim lanes that represent the components of the
architectural structure. Based on the chosen design concept, the
operations then are “moved” into respective swim lanes.
Fig.A5-9 shows the allocation of the constituents of the decomposed
operation moveAxisB.
:Proc1 :Proc2 :Proc3
User
setDirection
User
setSpeed «MessageAction»
retSpeed
[UserInput == DirectionA] [UserInput == DirectionB]

checkPosAxisA
«MessageAction»
checkPosAxisC
retPosAxisA
[else] [else] [inSafePos]

checkStatusAxisB
[inSafePos]
checkPosAxisE
«MessageAction»
retStatusAxisB
[else]
[inSafePos]
checkStatusAxisB
[isHomed] [isHomed]
User [else] [else]

mvCmddAxisB_Slow
User
mvCmddAxisB_Normal
Fig.A5-9 Allocation of RefAD_MoveAxisB Operations to Subsystems

in the Architectural Design Phase
Appendix
A6 Rhapsody Action Language

This section provides a brief introduction to the action language applied
in the Rhapsody tool.
Basic Syntax Printing
The language is case sensitive. That is, “evmove” is different from The “cout” operator prints to the screen. Elements to be printed are
“evMove”. Each statement must end with a semi-colon. separated by the “<<” operator. Text strings are surrounded by double
All names must start with a letter and cannot contain spaces. Special quotes. Attributes are referenced using their names. The “endl”
characters are not permitted in names, except for underscores (_). operator prints a carriage return. So, to print out the current value of
However, a name should never start with an underscore. X, use the following command:
The following words are reserved and should not be used for names: cout << “The value of X is “ << X << endl;
asm, auto, break, case, catch, char, class, const, continue, default,
delete, do, double, else, enum, extern, float, for, friend, GEN, goto, id, If the current value of X is 5, this statement prints the following
if, inline, int, IS_IN, IS_PORT, long, new, operator, OPORT, message on the screen:
OUT_PORT, params, private, protected, public, register, return, short, The value of X is 5
signed, sizeof, static, struct, switch, template, this, throw, try, typedef,
union, unsigned, virtual, void, volatile, while.
Comparison Operators
Assignment and Arithmetic Operators
X==5 (X equal to 5)
X=1 (Sets X equal to 1)
X!=5 (X not equal to 5)
X=Y (Sets X equal to Y)
X<3 (X less than 3)
X=X+5 (Adds 5 to X)
X<=3 (X less than or equal to 3)
X=X-3 (Subtracts 3 from X)
X>4 (X greater than 4)
X=X*4 (Multiplies X by 4)
X>=4 (X greater than or equal to 4)
X=X/2 (Divides X by 2)
X>2 && X<7 (X greater than 2 and X less than 7
X=X%5 (Sets X to the remainder of X divided by 5)
X<2 || X==7 (X less than 2 or X equal to 7)
X++ (Increments X by 1)
X-- (Decrements X by 1)
Appendix
Conditional Looping Statements
Conditional Statements The “while” statement is used for conditional looping. This statement
has a single conditional expression and iterates so long as it evaluates
Conditional statements begin with the keyword “if” followed by a to true. The previous example could be implemented using a “while”
conditional expression in parenthesis, followed by the statement to statement as follows:
execute if the condition evaluates to true. You can optionally add the X=0;
“else” keyword to execute a statement if the condition evaluates to while(X<=10)
false. The “else” clause can contain another nested “if” statement as {
well. For example: cout << X << endl;
X++;
if (X<=10) }
X++;
else
X=0; Invoking Operations
Multiple statements can be grouped together by placing them in curly
braces. To invoke an operation on a block, use the operation name followed
if (X<=10) by parenthesis. For example, to invoke the “go” operation:
{ go();
X++;
cout << “The value of X is ” << X << endl; If an operation takes parameters, place them in a comma-separated
} list. For example, to invoke the “min” operation with two parameters:
else
{ min(X,Y);
X=0;
cout << “Finished” << endl;
} Generating Events
The “OUT_PORT” and “GEN” keywords are used to generate events

Incremental Looping Statements through ports. For example, to send an event named “evStart” out the
port named “p2”, issue the following statement:
Incremental looping is accomplished using the “for” statement. It
OUT_PORT(p2)->GEN(evStart);
holds three sections separated by semicolons to specify: 1) an
initialization statement, 2) a conditional expression, and 3) an To generate an event with parameters, place them into a comma-
increment statement. For example, to iteratively set the value of X separated list. For example, to generate an event named “evMove”
from 0 to 10 while printing out its value: with two parameters for velocity and direction:
for (X=0; X<=10; X++) OUT_PORT(p2)->GEN(evMove(10,2));
cout << X << endl;
NOTE: The “OPORT” keyword can be used in place of “OUT_PORT”.
Appendix
Referring to Event Parameters in Transitions
The “params” keyword followed by the “->” operator is used to

reference the parameters of the event that caused the current
transition. For example, if an event named “evMove” has a parameter
named “velocity”, that parameter can be referenced using “params-
>velocity”. This syntax can also be embedded in statements within the
action on the transition. For example:
if (params->velocity <= 5)
Testing the Port on which an Event Arrives
The “IS_PORT” keyword is used to test whether the event that caused
the current transition arrived through a specific port. For example:
if (IS_PORT(p2))…
Testing the State of a State Machine
The “IS_IN” keyword is used to test whether a state machine is in a

specific state. For example, to test whether the state machine of a
block is in a state called “Accelerating”:
if (IS_IN(Accelerating))
Appendix
A7 Rhapsody SE-Toolkit (Overview)
SE-Toolkit Feature Description

1.1 Add Hyperlink(s) Adds a hyperlink from the source(s) to the destination(s).
1.2 Add Anchor(s) Adds an anchor from the source(s) to the destination(s)
Adds selected sequence diagram(s) as
1.3 Add SD Ref(s)
Referenced Sequences to the use case.
1.4 Add Event Reception(s) Adds receptions of the chosen events to the target interface.
Maps the seletec value type to the selected unit.
4.5 Add Value Typr
Tags of the value type are populated from the unit.
Modeling Copies any operations, receptions, and attributes
1 1.6 Merge Blocks
Toolbox from the source blocks to a single destination block.
1.7 Create Dependency Creates dependencies between model elements.
For each reflexive message on the selected sequence(s)
1.8 Populate Activity Diagram
an action is created on the selected activity diagram
1.9 Allocate Operations Copies operations allocated to a swimlane in a
from Swimlanes White-Box Activity Diagram into the relevant sub-system block.
Creates a sequence diagram from selected actions in an activity diagram.
1.10 Create New Scenario
If the source is a single action then the user will be asked to choose a path
from Activity Diagram
each time a condition connector is encountered
Tab.A7-1 Rhapsody SE-Toolkit Features
Appendix
SE-Toolkit Feature Description

2 Create Harmony Project Creates a Harmony for Systems Engineering compliant project structure
Creates a Harmony for Systems Engineering compliant package structure
3 Create System Model from Use Case
for the use case model
4 Auto-Rename Actions Harmonizes the action statement and action name in an activity diagram.
Adds SysML action pins stereotyped <<ActorPin>> to the selected action on an
5 Add Actor Pins
activity diagram. User selects the direction and the actor from a drop down list.
Checks the consistency between actions of the black-box activity diagram
6 Perform Activity View Consistency Check
and the operations in the derived use case scenarios.
Creates behavioral ports and associated interfaces
7 Create Ports and Interfaces
based on scenarios captured in sequence diagrams
8 Connect Ports Creates links between ports on an internal block diagram
Creates wait state(s) and actition states based on
9 Create Initial Statechart
the information captured in an Activity Diagram .
Copies all operations, event receptions and attributes
10 Merge Functional Analysis
from all use case blocks into the selected block
11 Duplicate Activity View Makes a copy of an activity view and strips away any referenced scenarios
Creates a package per subsystem and
12 Create Sub Packages
moves subsystem blocks into those packages.
Copies operations from one architectural layer to another and
13 Architectural Design Wizard
tracks when operations have been allocated.
Checks consistency between the allocated actions in swimlanes
14 Perform Swimlane Consistency Check
against the allocated operations in subsystem blocks.
Summarizes the allocation of operations of a white-box activity diagram
15 Create Allocation Table
in an Excel spreadsheet.
As ‘Create Allocation Table’ – except in a CSV form.
16 Create Allocation CSV File
Added to the model as a controlled file.
Creates an Excel spreadsheet of the
17 Generate N2 Matrix
provided and required interface matrix from an internal block diagram
18 Copy MoEs to Children Copies the MoE attributes of the key function block into the solution blocks.
19 Copy MoEs from Base Copies the MoE attributes of the key function block into a selected solution block.
Calculates for a set of solutions a Weighted Objectives Table and
20 Perform Trade Analysis
displays the results in an Excel spreadsheet.
Tab.A7-2 Rhapsody SE-Toolkit Features cont’d
Appendix
Harmony/SE Workflow and its Support through

Import
Stakeholder ReqSpec
the Rhapsody Toolkit
Generate
System Requirements
Architectural Design
Link
Sys Reqs to Stakeholder Reqs SE-Toolkit Feature: #1.7 Merge Propertied
with satisfy Dependency of UC Blocks in SuD Block SE-Toolkit Feature: #10
Define
System-Level Use Cases Decompose SE-Toolkit Feature: #12
System Block into Parts
Link
Use Case to Reqs SE-Toolkit Feature: #1.7
with trace Dependency Graphically allocate Operations SE-Toolkit Feature: #5, #11, #15/16
In UC White-Box Activity Diagram
[else]
[All requirements [Next Use Case]
traced to Use Cases]
[else]
Formalize Allocation by copying

Requirements Analysis Operations into Parts SE-Toolkit Feature: #1.9, #13, #14
Allocate Non-functional Reqs and

define Traceability Links SE-Toolkit Feature: #1.7
Define
Use Case Model Context SE-Toolkit Feature: #3 [Next Level of
Decomposition]
Define SE-Toolkit Feature: #4, #5

UC Functional Flow
[else]
Detailed Architectural Design
Derive SE-Toolkit Feature: #1.10, #6
UC Scenarios Derive
White-Box Sequence Diagrams
SE-Toolkit Feature: #1.10, #14
Define SE-Toolkit Feature: #7, #8

Ports and Interfaces [Next Use Case]
Derive [else]
SE-Toolkit Feature: #9
UC Statebased Behavior
Define
SE-Toolkit Feature: #7, #8, #17
Ports and Interfaces
Verify / Validate
UC Model
Define
State-Based Behavior of Blocks SE-Toolkit Feature: #9
Link
UC Block Properties to Reqs SE-Toolkit Feature: #1.7
with trace Dependency
Verify
System Architecture Model
[Next Use Case]
[else]
Design Synthesis
System Functional Analysis
Appendix
7 References
[1] SysML 1.0 Specification
http://www.omgsysml.org
[2] “UML 2.0-Based Systems Engineering Using a Model-Driven Development Approach”,

Hans-Peter Hoffmann, CrossTalk, Vol. 18 No. 11, November 2005
[3] “SysML-Based Systems Engineering Using a Model-based Development Approach”,

Hans-Peter Hoffmann, Proceedings of INCOSE 2006 16th International Symposium
[4] “Harmony/SE - Model-Based Systems Engineering Using SysML”

Hans-Peter Hoffmann, Proceedings of the SDR ’08 Technical Conference and Product Exposition, 2008
[5] “The Harmony Process: The Transition to Software Engineering”,

Bruce Douglass, I-Logix/Telelogic Whitepaper 2006
[6] “The Harmony Process: The Development Spiral”,

Bruce Douglass, I-Logix/Telelogic Whitepaper 2006
[7] “Engineering Design Methods: Strategies for Product Design”

Nigel Cross, Wiley, 1989

IBM Rational Harmony Deskbook Rel 3.1.2

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IBM Rational Harmony Deskbook Rel 3.1.2

Uploaded by

Copyright:

Available Formats

IBM Software Group Foreword

Systems Engineering Best Practices with the Rational

© 2011 IBM Corporation

Copyright IBM Corporation 2006, 2011

Licensed Materials - Property of IBM Corporation

The IBM home page on the Internet can be found at ibm.com

Foreword to the Deskbook Release 3.0

Here it is – the long awaited next iteration. I completely restructured

I want to thank two colleagues who deserve special mentions with

Any feed-back for the next iteration (release) is appreciated.

Foreword to the Deskbook Release 2.0

© Copyright IBM Corporation 2006, 2010. All Rights Reserved.

3.4.1 Architectural Analysis Package ................................................................................................................................................................... 30

4.4.2.1 Security System Decomposition .......................................................................................................................................................... 72

Fig.A5-1 Use Case Diagram UCD_MultiAxesSystem ................................................................................................................................................... 121

Tab.A3-1 Project-Specific Tags Defined in a Profile...................................................................................................................................................... 115

Tab.A7-1 Rhapsody SE-Toolkit Features ...................................................................................................................................................................... 131

2 Fundamentals of Harmony for Systems Engineering

2.1 Rational Integrated Systems / Embedded Software Development Process Harmony

Stakeholder Harmony™ for

Model / Requirements Repository

Fig.2-1 Rational Integrated Systems / Embedded Software Development Process Harmony

In the system functional analysis phase the focus is on the translation

There are two types of executable models supporting the design

2.2 Model-based Systems Engineering Process

System Requirements Requirements Analysis

Updated System Requirements System Functional Analysis System-Level

Links providing traceability

Fig.2-2 Model-based Systems Engineering

Use cases may be structured hierarchically – but care should be taken

Fig.2-3 Workflow in the Requirements Analysis Phase

2.2.2 System Functional Analysis

Define Use Case Model Context

Define UC Scenarios Define UC Functional Flow Define UC State-Based Behavior

Derive UC Functional Flow Derive UC Scenarios Derive UC Scenarios

Define Ports And Interfaces Define Ports And Interfaces

[Rainy Day Analysis]

Fig.2-4 Alternative Approaches of Building an Executable Use Case Model

Alternative 2 starts with the definition of the use case functional

Start setOpMode User Uc_HomingAndManualMode

User [OpMode == "Manual"]

[else] [else] openAxisL

User User User reqSetAxis("AxisA")

[inSafePos] [inSafePos] [inSafePos] [inSafePos]

Start Start mvCmddAxisA_Slow()

[else] [else] [else] [Axis == "AxisM"]

User User User User

User User User User

setSpeed setSpeed setSpeed setSpeed

checkStatusAxisL checkStatusAxisL checkStatusAxisG checkStatusAxisM

mvCmddAxisF_Slow mvCmddAxisL_Slow mvCmddAxisM_Slow

Start [else] Start

[Next Use Case]

2.2.3 Design Synthesis Architectural Design

The focus of the design synthesis phase is on the development of a

Design synthesis typically starts at each level of the architectural

Depending on the hand-off to the subsequent subsystem

2.2.3.1 Architectural Analysis (Trade Study)

Identify Key System Functions

Fig.2-9 Workflow and Work Product

Identify Assessment Criteria

Define Utility Curves for each Criterion Determine Solution

Merge Possible Solutions to form System Architecture