Professional Documents
Culture Documents
IBM Rational Harmony Deskbook Rel 3.1.2
IBM Rational Harmony Deskbook Rel 3.1.2
The file "Deskbook Rel311.pdf" is the latest version of the Rational Harmony for Systems Engineering Deskbook Release 3.1 (“Deskbook”), released
May 28, 2010.
February
The Deskbook is2011
written for the practitioner. Screenshots, notes and best practice tips are added to the workflow descriptions. The brief introductions
are minimal rather than narrative. The Deskbook is not intended to replace training for the IBM Rational Rhapsody component of the IBM Rational
Workbench for Systems and Sofware Enigineering; it is intended to supplement it. It is assumed that the reader is familiar with UML/SysML and the
IBM Rational Rhapsody component of the IBM Rational Workbench for Systems and Software Engineering.
IBM WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE
DESKBOOK OR THE PERFORMANCE OR IMPLEMENTATION OF THE CONTENTS OF THE DESKBOOK..
Deskbook
The directory "Deskbook Rel.3.1 Requirements and Models" contains the requirements specification for the Security System example and snapshots
of the models generated with Rhapsody. Release 3.1.2
Copyright IBM Corporation 2006, 2010
IBM Corporation
Software Group
Route 100
Model-Based Systems Engineering with Rational Rhapsody and
Somers, NY 10589
U.S.A.
Rational Harmony for Systems Engineering
Licensed Materials - Property of IBM Corporation
U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both.
Other company, product, or service names may be trademarks or service marks of others.
Hans-Peter Hoffmann, Ph.D.
The Rational Software home page on the Internet can be found at ibm.com/software/rational
Chief Systems Methodologist
The IBM home page on the Internet can be found at ibm.com
hoffmape@us.ibm.com
The Deskbook is written for the practitioner. Screenshots, notes and best practice tips are added to the workflow descriptions. The brief introductions
are minimal rather than narrative. The Deskbook is not intended to replace IBM Rational Rhapsody training; it is intended to supplement it. It is
assumed that the reader is familiar with UML/SysML and the IBM Rational Rhapsody tool.
Permission to use, copy, and distribute, this Deskbook, is granted; provided, however, that the use, copy, and distribution of the Deskbook is made in
whole and not in part.
THIS DESKBOOK IS PROVIDED "AS IS." IBM MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, OR FITNESS FOR A PARTICULAR PURPOSE.
IBM WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE
DESKBOOK OR THE PERFORMANCE OR IMPLEMENTATION OF THE CONTENTS OF THE DESKBOOK..
The directory "Deskbook Rel.3.1.2 Requirements and Models" contains the requirements specification for the Security System example and
snapshots of the models generated with Rhapsody.
IBM, the IBM logo, Rational, the Rational logo, Telelogic, the Telelogic logo and other IBM products and services are trademarks of the International
Business Machines Corporation, in the United States, other countries or both.
Other company, product, or service names may be trademarks or service marks of others.
The Rational Software home page on the Internet can be found at ibm.com/software/rational
Andover, 06-01-09
This revision takes into consideration the feed-back that I got from “the
field”. Especially with regard to the use case analysis, I realized that
the approach needed to consider the needs of projects with a large
numbers of use cases. Nothing changed with regard to the workflow.
What changed, is the project structure. The new project structure
supports team collaboration. Each use case now may be elaborated
separately and then – iteratively - merged to a common system model.
The outlined process (Harmony for Systems Engineering) is tool
independent.
Andover, 10-12-06
The Author - by J. Rick White
Table of Contents
1 INTRODUCTION 1
1.1 Scope.................................................................................................................................................................................................................... 1
1.2 Document Overview ............................................................................................................................................................................................. 1
2 FUNDAMENTALS OF HARMONY FOR SYSTEMS ENGINEERING...............................................................................................................................2
2.1 Rational Integrated Systems / Embedded Software Development Process Harmony ........................................................................................ 2
2.2 Model-based Systems Engineering Process........................................................................................................................................................ 4
2.2.1 Requirements Analysis.................................................................................................................................................................................. 5
2.2.2 System Functional Analysis .......................................................................................................................................................................... 6
2.2.3 Design Synthesis......................................................................................................................................................................................... 10
2.2.3.1 Architectural Analysis (Trade Study).................................................................................................................................................... 11
2.2.3.2 Architectural Design ............................................................................................................................................................................. 14
2.2.3.3 Detailed Architectural Design............................................................................................................................................................... 16
2.2.4 Systems Engineering Hand-Off................................................................................................................................................................... 18
2.3 Essential SysML Artifacts of Model-based Systems Engineering ...................................................................................................................... 19
2.3.1 Requirements Diagram ............................................................................................................................................................................... 20
2.3.2 Structure Diagrams...................................................................................................................................................................................... 20
2.3.2.1 Block Definition Diagram...................................................................................................................................................................... 20
2.3.2.2 Internal Block Diagram......................................................................................................................................................................... 20
2.3.2.3 Parametric Diagram ............................................................................................................................................................................. 22
2.3.3 Behavior Diagrams ...................................................................................................................................................................................... 22
2.3.3.1 Use Case Diagram ............................................................................................................................................................................... 23
2.3.3.2 Activity Diagram ................................................................................................................................................................................... 23
2.3.3.3 Sequence Diagram .............................................................................................................................................................................. 24
2.3.3.4 Statechart Diagram .............................................................................................................................................................................. 24
2.3.4 Artifact Relationships at the Requirements Analysis / System Functional Analysis Level.......................................................................... 25
2.4 Service Request-Driven Modeling Approach ..................................................................................................................................................... 26
3 RHAPSODY PROJECT STRUCTURE............................................................................................................................................................................27
3.1 Project Structure Overview................................................................................................................................................................................. 27
3.2 Requirements Analysis Package........................................................................................................................................................................ 28
3.3 Functional Analysis Package.............................................................................................................................................................................. 29
3.4 Design Synthesis Package................................................................................................................................................................................. 30
ii | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Table of Contents
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | iii
Table of Contents
iv | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Table of Figures
Table of Figures
Fig.2-1 Rational Integrated Systems / Embedded Software Development Process Harmony.......................................................................................... 2
Fig.2-2 Model-based Systems Engineering ....................................................................................................................................................................... 4
Fig.2-3 Workflow in the Requirements Analysis Phase ..................................................................................................................................................... 5
Fig.2-4 Alternative Approaches of Building an Executable Use Case Model .................................................................................................................... 6
Fig.2-5 Derivation of a Use Case Scenario from a Use Case Black-Box Activity Diagram (Industrial Automation Use Case)........................................ 8
Fig.2-6 Workflow of the Use Case Model Rainy Day Analysis .......................................................................................................................................... 9
Fig.2-7 Workflow in the System Functional Analysis Phase .............................................................................................................................................. 9
Fig.2-8 Subphases and Workflow in the Design Synthesis Phase .................................................................................................................................. 10
Fig.2-9 Workflow and Work Product ............................................................................................................................................................................... 11
Fig.2-10 Different Shapes of Utility Curves ...................................................................................................................................................................... 12
Fig.2-11 Tasks and Workproducts in the Architectural Design Phase............................................................................................................................. 14
Fig.2-12 Nested Use Case White-Box Activity Diagram .................................................................................................................................................. 14
Fig.2-13 Allocation of Operations to Subsystems (Use Case Fig.2-5) ............................................................................................................................ 15
Fig.2-14 Workflow and Workproducts in the Detailed Architectural Design Phase ......................................................................................................... 16
Fig. 2-15 Derivation of White-Box Scenarios from a Use Case White-Box Activity Diagram (ref. Fig.2-13) ................................................................... 17
Fig.2-16 Overview of UML/SysML Interrelationship......................................................................................................................................................... 19
Fig.2-17 Taxonomy of SysML Diagrams Used in Harmony for Systems Engineering .................................................................................................... 19
Fig.2-18 Requirements Diagram ...................................................................................................................................................................................... 20
Fig.2-19 Block Definition Diagram.................................................................................................................................................................................... 20
Fig.2-20 Internal Block Diagram....................................................................................................................................................................................... 20
Fig.2-21 Standard Ports ................................................................................................................................................................................................... 21
Fig.2-22 Flow Ports .......................................................................................................................................................................................................... 21
Fig.2-23 Constraint Block Definition in a Block Definition Diagram ................................................................................................................................. 22
Fig.2-24 Parametric Diagram ........................................................................................................................................................................................... 22
Fig.2-25 Use Case Diagram............................................................................................................................................................................................. 23
Fig.2-26 Activity Diagram ................................................................................................................................................................................................. 23
Fig.2-27 Sequence Diagram ............................................................................................................................................................................................ 24
Fig.2-28 Statechart Diagram ............................................................................................................................................................................................ 24
Fig.2-29 SysML Artifacts Relationship at the Requirements Analysis / System Functional Analysis Level .................................................................... 25
Fig.4-1 Requirements Analysis Workflow and its Support through the Rhapsody SE-Toolkit......................................................................................... 34
Fig.4-2 Stakeholder Requirements Specification............................................................................................................................................................. 35
Fig.4-3 System Functional Analysis Workflow and its Support through the Rhapsody SE-Toolkit ................................................................................. 43
Fig.4-4 Workflow in the Architectural Analysis Phase and its Support through the Rhapsody SE-Toolkit ...................................................................... 63
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | v
Tables
Fig.4-5 Architectural Design Workflow and its Support through the Rhapsody SE-Toolkit ............................................................................................. 72
Fig.4-6 Detailed Architectural Design Workflow and its Support through the Rhapsody SE-Toolkit............................................................................... 81
Fig.A4-1 Use Case Black-Box Activity Diagram Uc2 ControlExit .................................................................................................................................. 116
Fig.A4-2 UC-Scenario Uc2_Sc1 .................................................................................................................................................................................... 116
Fig.A4-3 Uc-Scenario Uc2_Sc2 ..................................................................................................................................................................................... 116
Fig.A4-4 Wait States of Uc2_ControlExit ....................................................................................................................................................................... 117
Fig.A4-5 Action States of Uc2 ControlExit ..................................................................................................................................................................... 117
Fig.A4-6 Flat Statechart of Uc2_ControlExit .................................................................................................................................................................. 118
Fig.A4-7 Composite State ProcessingCardData............................................................................................................................................................ 119
Fig.A4-8 Composite State UnlockingAndLockingAccessPoint ...................................................................................................................................... 119
Fig.A4-9 Top-Level Statechart of Uc2_ControlExit ........................................................................................................................................................ 120
Tables
Tab.A1-1 Mapping Security System Requirements to Model Artifacts ............................................................................................................................ 95
Tab.A1-2 Mapping Security System Requirements to Model Artifacts (cont’d)............................................................................................................... 96
Tab.A1-3 Mapping Security System Requirements to Model Artifacts (cont’d)............................................................................................................... 97
vi | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Introduction
1 Introduction
• Section 3 describes the project structure that should be followed
1.1 Scope when the Rhapsody tool is used in a model-based systems
engineering project.
Meanwhile, many books and articles have been published about • Section 4 details a case study of the Harmony for Systems
SysML, the standardized language for model-based systems Engineering workflow using the Rhapsody tool. The chosen
engineering [1]. But in most cases, the question of how to apply it in example is a Security System. The workflow starts with the import
an integrated systems and software development process has not of stakeholder requirements into Rhapsody and ends with the
been addressed. This deskbook tries to close the gap. Based on the definition of an executable system architecture model. The
tool independent Rational® Integrated Systems/Embedded Software workflow is application oriented and focuses on the usage of the
Development Process Harmony™ it provides systems engineers with a Rhapsody SE-Toolkit.
step-by step guide on using the SysML in a way that allows a • Section 5 addresses the handoff to the subsequent subsystem
seamless transition to the subsequent system development. (SecSysController) development.
In this deskbook the chosen tool is the Rational® systems and
software design tool Rhapsody® Release 7.5 . Also provided are several appendices, including
• the documentation of the Extended System Architecture Model of
The deskbook is written for the practitioner. Screenshots, notes, and the Security System which takes into consideration the inclusion of
best practice tips are added to the workflow descriptions. The brief COTS components,
introductions are minimal rather than narrative.
• a chapter about modeling/style guidelines regarding the usage of
the various SysML diagrams in model-based systems engineering
The deskbook does not replace the Rhapsody training documentation.
It rather is intended to supplement it. It is assumed, that the reader is • a guideline how to derive a statechart diagram from the information
familiar with the UML/SysML and the Rhapsody tool. captured in an activity diagram and associated sequence diagrams,
• a guideline how to logically decompose a use case black-box
1.2 Document Overview activity diagram,
• a quick reference guide to the Rhapsody Action Language,
The deskbook is divided into 5 sections: • an overview of the Rhapsody SE-Toolkit features that are applied in
the case study, and
• Section 1 describes the scope and structure of this book.
• a set of references.
• Section 2 introduces the basic concepts of Harmony for Systems
Engineering. It starts with an overview of how the systems
Included to this deskbook is a volume containing
engineering part of the integrated systems/embedded software
development process Harmony fits into the model-driven • the Security System stakeholder requirements,
development lifecycle. Then, the task flow and the associated • for each of the SE phases the incrementally extended Rhapsody
work products in the different systems engineering phases are model database:
detailed. With regard to modeling, this section also provides an - SecSys_RA (Requirements Analysis),
overview of SysML artifacts that are considered essential for - SecSys_FA (System Functional Analysis),
model-based systems engineering, followed by an introduction to - SecSys_AA (Architectural Analysis),
the service request driven modeling approach. - SecSys_AD (Architectural Design/Detailed Architectural Design)
• the Extended System Architecture Model (SecSys_EAD).
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 1
Fundamentals of Harmony for Systems Engineering
Change Request
2 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
The software engineering workflow is characterized by the iterative The system architecture model captures the allocation of the system
incremental cycles through the software analysis and design phase, operations to the system architecture that was elaborated in the
the implementation phase, and the different levels of integration and previous architectural analysis phase. The correctness and
testing. completeness of the system architecture model is verified through
Regarding the systems engineering and implementation iterations, it model execution. Once the model is verified, the architectural design
should be noted, that the analysis iterations continue through may be analyzed with regard to performance and safety requirements.
implementation and testing, thus providing something demonstrable The analysis may include Failure Modes Effects Analysis (FMEA), and
with each iteration. Mission Criticality Analysis.
It is important to note the creation and reuse of requirements related The baselined system architecture model defines the hand-off to the
test scenarios all along the top-down design path. These scenarios subsequent HW/SW development.
are also used to assist the bottom-up integration and test phases and,
in the case of system changes, regression test cycles. Model-driven software development is supported by the Software
Implementation Model. This model is the basis for - either manual or
The Harmony process supports Model-Driven Development (MDD). In automatic - code generation [5,6].
a model-driven development, the model is the central work product of
the development processes, encompassing both analysis and design. An essential element of the model-driven development process is the
Each development phase is supported by a specific type of model. Model/Requirements Repository. It contains the configuration
controlled knowledge of the system under development, i.e.
Models that support the requirements analysis phase are
- Requirements documentation
- the Requirement Models and - Requirements traceability
- the System Use Cases Model. - Design documentation and
- Test definitions
A requirement model visualizes the taxonomy of requirements. The
system use cases model groups requirements into system use cases.
Neither of these models is executable.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 3
Fundamentals of Harmony for Systems Engineering
Next Iteration or
Change Request
Stakeholder Requirements
Stakeholder Requirements
(Draft)
System Use Cases
4 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
2.2.1 Requirements Analysis into required system functions (“shall” statements) and documented in
the Draft System Requirements Specification. For traceability, the
The objective of the requirements analysis phase is to analyze the identified system requirements are linked to the associated
process inputs. Stakeholder requirements are translated into system stakeholder requirements.
requirements that define what the system must do (functional
requirements) and how well it must perform (quality of service The next major step in the requirements analysis phase is the
requirements) definition of system use cases. A use case describes a specific
operational aspect of the system (operational thread). It specifies the
The essential steps of the requirements analysis workflow are shown behavior as perceived by the actors (user) and the message flow
in Fig.2-3. It starts with the analysis and optional refinement of the between the actors and the use case. An actor may be a person,
stakeholder requirements. Output of this phase is the Stakeholder another system or a piece of hardware external to the system under
Requirements Specification. Essentially, stakeholder requirements development (SuD). A use case does not reveal or imply the system’s
focus on required capabilities. In the next step, these are transformed internal structure (black box view).
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 5
Fundamentals of Harmony for Systems Engineering
The main emphasis of the system functional analysis phase is on the Fig.2-4 details the modeling tasks and the associated work products.
transformation of the functional system requirements into a coherent First, the use case model context is defined in an Internal Block
description of system functions (operations). The analysis is use Diagram. Elements of this diagram are instances of SysML blocks,
case-based, i.e. each system-level use case that was identified in the representing the use case and its associated actor(s). At this stage,
previous requirements analysis phase is translated into an executable the blocks are empty and not linked.
model. The model and the underlying requirements then are verified
through model execution.
Build Executable Model of Use Case
[Alternative 3]
[Alternative 1]
[Alternative 2]
Document
New / Derived Reqs Derive UC State-Based Behavior
from UC Black-Box AD and SDs
(UC Statechart Diagram)
Verify UC Model
through Model Execution
[else]
Link
UC Block Properties to Reqs
Update
Draft System Req Spec
6 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
The next step in the modeling workflow is the definition of the behavior activity diagram (ref. Fig.2-5). Ports and interfaces of the use case
of the use case block. It is captured by means of three SysML block are created from the sequence diagrams. Lastly, its state-based
diagrams: behavior is captured in a statechart diagram.
- Activity Diagram, Alternative 3 starts with the definition of the use case state-based
- Sequence Diagrams, and behavior. This approach is recommended if the system under design
- Statechart Diagram. (SuD) is strongly state-based. In this case, the creation of a use case
black-box activity diagram may even be skipped. Use case scenarios
Each diagram plays a specific role in the elaboration of the use case then are derived as paths through the statechart diagram. From the
behavior. The activity diagram – referred to as Use Case Black-Box sequence diagram then ports and associated interfaces are
Activity Diagram - describes the overall functional flow (storyboard) of generated.
the use case. It groups functional requirements in actions – in
Harmony for Systems Engineering the equivalent of operations - and It should be noted, that regardless of which approach is chosen, the
shows, how these actions/operations are linked to each other. The most important diagram in the system functional analysis process is
sequence diagram – referred to as Use Case Black-Box Sequence the use case block statechart diagram. It comprises the information of
Diagram - describes a specific path through the use case and defines both the black-box sequence diagrams and the use case black-box
the interactions (messages) between the operations and the actors. activity diagram and can be verified through model execution. The
The statechart diagram aggregates the information from the activity use case black-box activity diagram and the associated black-box
diagram (functional flow) and the sequence diagrams (actor sequence diagrams will be reused further down in the design process.
interactions). It puts this information into the context of system states
Whenever during the use case based system functional analysis new
and adds to it the system behavior due to external stimuli of different
requirements are identified or high-level requirements are detailed by
priority.
derived requirements, they need to be documented. Last at the end of
There is no mandate directing in which order these diagrams should the system functional analysis phase, these additional requirements
be generated. The order may depend on the available information and need to be approved by the stakeholders and exported to the
the modeler’s preference. Fig.2-4 shows three alternative requirements traceability tool.
approaches:
The use case model is analyzed through model execution using the
black-box use case scenarios as the basis for respective stimuli. It
Alternative 1 starts with the definition of use case scenarios.
should be noted, that - following the previously outlined key objectives
Customers often describe sequences of required system usage (e.g.
of this process - the primary focus is on the verification of the
Concept of Operations). Once a set of essential scenarios is
generated sequences rather than on the validation of the underlying
captured, the identified functional flow is merged into a common
functionality.
description in an activity diagram. Ports and interfaces are created
from the sequence diagrams (ref. section 2.4 Service Request-Driven
Modeling Approach). They define the links between the actor(s) and
the use case block in the use case model internal block diagram. The
final step in this approach is the definition of the state-based behavior
of the use case block in a statechart diagram.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 7
Fundamentals of Harmony for Systems Engineering
AD_Uc_HomingAndManualMode SD_Uc_HomingAndManualMode_Sc1
User
[OpMode==Homing"]
homeAxisD
homeAxisE
[UserInput == DirectionA] [UserI nput == DirectionB] [UserI nput == DirectionA] [UserInput == DirectionB] reqSetDirection(Direction)
checkPosAxisB
setDirection(Direction)
homeAxisB
checkPosAxisK checkPosAxisB checkPosAxisC checkPosAxisA Start
[else] reqSetSpeed(Speed)
[inSafePos]
[else] [else] homeAxisA setSpeed(Speed)
checkStatusAxisA
[inSafePos] [inSafePos]
checkPosAxisE
mvCtrldAxisAToOpenPos checkPosAxisB()
checkPosAxisG
[else]
[isHomed] homeAxisL
[else] [else] [else] [else] AxisB in Save Position
Start Start mvCmddAxisA_Normal
homeAxisG
[isHomed] [isHomed] Start
alt [AxisA Homed]
[isHomed] [isHomed]
[else] [else] Start
mvCmddAxisA_Normal()
mvCmddAxisC_Slow mvCmddAxisB_Slow
mvCmddAxisC_Normal mvCmddAxisB_Normal
[else]
[else] [else]
[else]
[isHomed] [isHomed]
[isHomed] [isHomed]
mvCmddAxisL_Normal mvCmddAxisM_Normal
mvCmddAxisD_Normal mvCmddAxisF_Normal
Start
Start Start
Fig.2-5 Derivation of a Use Case Scenario from a Use Case Black-Box Activity Diagram (Industrial Automation Use Case)
8 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
Extend UC Model w.r.t. Error/Fail Behavior Once all use cases of an iteration increment are verified, there are two
ways to proceed (ref. Fig.2-7). If use cases overlap – i.e. if they
Identify
address common system requirements - the consistency between the
Exception Behavior use case models may be checked by executing respective models
concurrently in a common framework (Use Case Collaboration Model).
Extend
UC Block Statechart Diagram
Constituents of the use case collaboration model are the instances of
[Update
the relevant use case blocks and their associated/shared actors. The
UC Functional Flow] Update correct behavior of the use case blocks due to the inputs from the
UC Black-Box Activity Diagram
[else] common actors may then be checked through visual inspection of the
[Update individual state-based behavior.
UC Model IBD] Update
UC Model Internal Block Diagram
[else]
Build
Executable Model of Use Case
Verify UC Model Record
trough Model Execution Exception Scenario(s)
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 9
Fundamentals of Harmony for Systems Engineering
Sometimes the question comes up whether a black-box functional hardware (e.g. mechanical or FPGA/ASIC) and which should be
system model – incl. an integrated black-box statechart diagram - implemented in software.
should be built in order to assure, that the system has been completely
described by the use cases. In principal, there is no reason why it
should not be done. The more pragmatic and time saving approach is
to shift this issue to the subsequent design synthesis phase. The use
Architectural Analysis
cases should have brought enough system information to start the (Trade Study)
architectural design. What is missing will be identified later when the
system architecture model will be verified through model execution.
[else] [Known
Architectural Concept]
top-down approach. Fig.2-8 depicts the essential subphases and the Detailed
associated workflow. Architectural Design
10 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
System functional analysis defines What the system should do but not One of the simplest means of determining the “how” is a technique
How it is to be done. The objective of a Trade Study in the known as the Weighted Objectives Method, developed by N. Cross [7].
architectural analysis phase is to determine the best means of This form of analysis is commonly used within the field of Engineering
achieving the capability of a particular function in a rational manner. System Design to evaluate potential solutions to functional problems.
i.e. to identify the How. It can also be used to determine the best hardware platforms for
software or decide the optimum mechanical/electrical hardware split
based upon non-functional requirements like a set of customer
Define constraints, performance or cost criteria.
Key System Functions
Fig.2-9 depicts the workflow and the associated work products in the
Architectural Analysis phase.
Build Weighted Objectives Table
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 11
Fundamentals of Harmony for Systems Engineering
12 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
10
6
MoE
4
2
Optical Scanner Fingerprint Scanner
0
400 350 300 250 200 150 100 50 0
Tab.2-1 Weighted Objectives Table of the Key System Function “Capture Biometric Data” (ref. Case Study Chapter 4)
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 13
Fundamentals of Harmony for Systems Engineering
SuD_Lvl 1
SuD
Decompose System Architecture SuD_Lvl 2
SuD
System Bock into Parts Structure Diagram UC Black-Boc Activity Dagram
(BDD, IBD)
SS1 SS2
Allocate Operations to Parts 1 1
14 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
Proc1 Proc2 Proc3
User
Start setOpMode
[OpMode == "Manual"]
User
setAxis openAxisL
User mvCtrldAxisLToBasePos
Start User
setOpMode checkPosAxisB
[UserInput =="AxisD"] setDirection homeAxisB
Start [isHomed]
Start
mvCmddAxisL_Normal
[inSafePos]
[else]
[else]
User mvCmddAxisL_Slow
[else] [else] [else] [Axis == "AxisM"]
[else] [else] [UserInput == "AxisA"]
setDirection Start
User User User User
User User User [Axis == "AxisL"] [Axis == "AxisK"] [Axis == "AxisG"] User
[Axis == "AxisD"] [Axis == "AxisE"] [Axis == "AxisF"]
setDirection setDirection setSpeed checkStatusAxisE
setDirection setDi rection setDi rection
setDirection setDirection
[else]
User User User User [else]
User User User
[Homed]
setSpeed setSpeed setSpeed setSpeed
setSpeed setSpeed setSpeed mvCmddAxisE_Slow
mvCmddAxisE_Normal
User
[UserInput == "AxisF"]
checkStatusAxisM setDirection start
checkStatusAxisL checkStatusAxisL checkStatusAxisG
checkStatusAxisD checkStatusAxisE checkStatusAxisF
[else] User
setSpeed checkStatusAxisF
[else] [else]
[else]
Start
Start Start mvCmddAxisK_Normal
User
[UserInput == "AxisG"] mvCmddAxisK_Slow
setDirection
User Start
User
[UserInput == "AxisM"]
setDirection [Homed] [else]
User
setSpeed mvCmddAxisG_Normal
mvCmddAxisG_Slow
checkStatusAxisM
Start
[Homed] [else]
mvCmddAxisM_Normal mvCmddAxisM_Slow
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 15
Fundamentals of Harmony for Systems Engineering
The focus of the detailed architectural design phase is on the definition Detailed Architectural Design
of ports and interfaces, as well as on the definition of the state-based
behavior of the system blocks at the lowest level of the architectural
decomposition. Fig.2-14 depicts the workflow and the associated work
products in the detailed architectural design phase. Derive System
White-Box Sequence Diagrams White-Box Sequence Diagrams
Leaf block ports and interfaces are identified from White-Box
Sequence Diagrams. White-box sequence diagrams are derived from [Next Use Case
White-Box AD]
the use case white-box activity diagrams that were created in the
previous architectural design phase. The focus of black-box sequence [else]
diagrams was on the identification of the required sequences of
system functions (operations). White-box activity diagrams focus on Define System Architecture
Structure Diagram (IBD)
the collaboration between the different subsystems taking into Ports and Interfaces
consideration the allocation of the operations. The received service
requests define the (provided) interfaces of a block (ref. section 2.4).
Define Statechart Diagrams
State-Based Behavior of Blocks
The derivation of white-box sequence diagrams is performed
iteratively for each use case white-box activity diagram.
Verify
Once ports and interfaces are defined, the resulting state-based System Architecture Model
behavior of each leaf block needs to be captured in a statechart
diagram.
16 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
Uc_HomingAndManualMode_WB_Sc1
displaySystemStatus(SystemStatus)
reqSetOpMode("Manual")
setOpMode("Manual")
reqSetAxis("AxisC")
setAxis("AxisC")
reqSetDirection("DirectionA")
setDirection("DirectionA")
reqSetSpeed(Speed)
setSpeed(Speed)
reqCheckPosAxisK()
checkPosAxisK(StatusAxisK)
CheckPosAxisG(StatusAxisG)
reqCheckStatusAxisC()
checkStatusAxisC(StatusAxisC)
mvCmddAxisL_Slow()
reqDisplaySystemStatus()
displaySystemStatus(SystemStatus)
Fig. 2-15 Derivation of White-Box Scenarios from a Use Case White-Box Activity Diagram (ref. Fig.2-13)
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 17
Fundamentals of Harmony for Systems Engineering
18 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
SysML reuses a subset of the UML 2.1 and extended it by systems Fig.2-17 shows the taxonomy of SysML diagrams used in Harmony for
engineering specific constructs. Fig.2-16 visualizes the relationship Systems Engineering. Essentially, there are three categories of
between the UML and SysML by means of a Venn diagram, where the diagrams:
set of language constructs that comprise the UML and SysML
languages are shown as circles marked UML 2.1 and SysML 1.0, - Structure Diagram,
respectively. The intersection of the two circles indicates the UML - Behavioral Diagram, and
modeling constructs that SysML reuses (UML4SysML). In order to - Requirements Diagram.
provide a seamless transition from systems engineering to software The color code of the Venn diagram is also applicable to this diagram.
development, a respective process should focus on UML4SysML. Some of the diagrams have two colors. This indicates that SysML
extended the initial UML artifact.
UML4SysML
The following paragraphs outline the usage of these diagrams in
Harmony for Systems Engineering. and list the elements that are
considered essential.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 19
Fundamentals of Harmony for Systems Engineering
SuD
A1 A2
RD_Reqs
«Requirement»
1 1
SRS_Req 1.1
« block» «pSS1_10
« block»
Containment
SS_A SS_B
Relationship
«Requirement» «Requirement»
SRS_Req 1.1.1.x SRS_Req 1.1.1
«derive»
«satisfy» «trace» Fig.2-19 Block Definition Diagram
«block» Uc2
SS_B
2.3.2.2 Internal Block Diagram
The SysML Internal Block Diagram shows the realization of the system
Fig.2-18 Requirements Diagram
structure defined in the Block Definition Diagram. It is composed of a
set of nested parts (i.e. instances of the system blocks) that are inter-
connected via ports and connectors.
IBD_SuD
1
1
itsSuD
1 1
itsA1 itsSS_A
pA1
pSuD pA1
pA1 pSS_B
pSS_B
1 1
itsA2 itsSS_B
pA2
pSuD pA2
pA2 pSS_A
pSS_A
20 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
Ports
A port is a named interaction point between a block or a part and its A standard port is specified via its provided and required interfaces. A
environment. It is connected with other ports via Connectors. The provided interface (denoted by a lollipop symbol) specifies a set of
SysML defines two types of ports: Standard Ports and Flow Ports. messages received at that port from elements outside the block. A
The main motivation for specifying such ports on system elements is required interface (denoted by a socket symbol) specifies a set of
to allow the design of modular reusable blocks, with clearly defined messages sent from that port to elements outside of the block. Thus,
interfaces. by characterizing an interface as required or provided, the direction of
the constituent messages at the port is defined.
Standard Ports
Flow Ports
A UML/SysML Standard Port is a named interaction point assigned to
a block, through which instances of this block can exchange A SysML Flow Port specifies the input and output items that may flow
messages. It specifies the services the owning block offers (provides) between a block and its environment. Input and output items may
to its environment as well as the services that the owning block include data as well as physical entities, such as fluids, solids, gases,
expects (requires) of its environment. and energy. The specification of what can flow is achieved by typing
the Flow Port with a specification of things that flow.
There are two different kinds of Standard Ports:
There are two different kinds of Flow Ports:
• Delegation or Relay ports forward requests to other ports.
• Behavioral ports are parts of the block that actually • An Atomic Flow Port relays a single item that flows in or out.
implements the service. • A Non-Atomic Flow Port relays multiple items, listed in a
respective “flow specification”.
Behavioral
Delegation Port
Port « Interface »
NavDat
« flowAttribute » Longitude(Out):double
1 itsB « flowAttribute » Latitude(Out):double
1 1 iB1_B2
itsA iA_B itsB1 Non-Atomic Flow Port
pA
pB pA
pA pB2
pB2
1 1
iA_B iA_B
iA_B itsGPS itsSuD
iB2_B1
iB2_B1
fp:NavDat fp:NavDat
1 iB2_B1
itsB2 Elevation:double Elevation:double
pB1
pB1
Speed:double Speed:double
iB1_B2
Atomic Flow Port
Required Provided
Interface Interface
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 21
Fundamentals of Harmony for Systems Engineering
mass:Kg
Attributes In order to minimize the overlap between the different behavioral
force:Newtons
acceleration:MetersPerSec^2
diagrams, decisions should be made upfront, which role the individual
diagrams should play in the context of the modeling workflow. The
next step should be to “standardize” the usage of diagram elements by
filtering-out in each diagram those elements that are considered
essential.
Fig.2-23 Constraint Block Definition in a Block Definition Diagram
ParD_TotalMass
1 «ConstraintProperty,ConstraintBlock»
itsNewtonLaw:NewtonLaw
force = mass * acceleration
«Attribute»
mass mass:Kg «Attribute»
force:Newtons force
«Attribute»
acceleration acceletation:MetersPerSec^2
22 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
A Use Case Diagram captures the functional requirements of a system An Activity Diagram is similar to the classic flow chart. It describes a
by describing interactions between users of the system and the workflow, business process, or algorithm by decomposing the flow of
system itself. Note that as a system is decomposed, users of a given execution into a set of actions and sub activities joined by transitions
system could be external people or other systems. A use case and various connectors. An activity diagram can be a simple linear
diagram comprises a system boundary that contains a set of use sequence of actions or it can be a complex series of parallel actions
cases. Actors lie outside of the system boundary and are bound to with conditional branching and concurrency.
use cases via associations.
NOTE: In Harmony for Systems Engineering the terms activity, action
and operation are synonymous.
A use case describes a specific usage (“operational thread”) of a
system:
Actions may be grouped and assigned to objects – e.g. subsystems.
• the behavior as perceived by the users (actors) and In this case, the activity diagram is split into swim lanes that depict the
• the message flow between the users and the use case. respective responsibilities.
A use case does not reveal or imply the system’s internal structure NOTE: Harmony for Systems Engineering uses a SysML activity pin
(“black-box view”). stereotyped ActorPin to visualize the interaction of an action/operation
UCD_SuD
with the environment. The name of the pin is the name of the
associated actor, the arrow in the pin shows the direction of the link.
pSS1_8
SuD
AD_Uc2
Uc1
Uc1 A1
op1
Uc2
pSS1_3
A1 A2
[C1]
op2 op5
A2
[else]
A2
When use cases get too complex, dependencies between use cases op7
may be defined:
• <<include>>
One use case includes another Fig.2-26 Activity Diagram
• <<extend>>
One use case provides an optional extension of another
• Generalization
One use case is a more specialized or refined version of another
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 23
Fundamentals of Harmony for Systems Engineering
Sequence Diagrams elaborate on requirements specified in use cases A Statechart Diagram describes the state-based behavior of a block.
and activity diagrams by showing how actors and blocks collaborate in In the Harmony for Systems Engineering workflow it is considered the
some behavior. A sequence diagram represents one or more most important behavior diagram, as it aggregates the information
scenarios through a use case. from both the activity diagram (functional flow) and the sequence
diagrams (interactions with the environment), and adds to it the event-
A sequence diagram is composed of vertical lifelines for the actors and driven block behavior. As the “language” of statecharts is formally
blocks along with an ordered set of messages passed between these defined, the correctness and completeness of the resulting behavior
entities over a period of time. can be verified through model execution.
• Messages are shown as horizontal lines with open arrows between
Statechart diagrams are finite statemachines that are extended by the
the vertical object lines (lifelines).
notation of
NOTE: UML/SysML differentiates between synchronous and
asynchronous messages. In Harmony for Systems Engineering the • Hierarchy
message-based communication is described via asynchronous • Concurrency
messages (two-line arrowhead). Basically, a statechart diagram is composed of a set of states joined
• Operations are depicted as reflexive (synchronous) messages (full by transitions and various connectors. An event may trigger a
arrowhead) at associated lifelines. transition from one state to another. Actions can be performed on
transitions and on state entry/exit
• Quality of Service (QoS) requirements may be added as comments
and/or constraints. SCD_Uc1Ctrl
S1
SD_Uc1_Sc1 op1
itsA1 itsUc1
op1() S2 reqDeactivateS2 reqActivateS2
reqActivateS2()
C1==true
A21
/op2
tm(5)/op4
parallel op2() [C1==true]/op3
S211 S22
Interaction Operator
10 ms tm(10)
setStatus()
[else]/op5 S212
setStatus to pA1
op3()
ev2 ev1
5 ms op4() S213
reqDeactivateS2()
op1()
Fig.2-28 Statechart Diagram
24 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Fundamentals of Harmony for Systems Engineering
Fig.2-29 shows, how the different SysML artifacts are related to each
other at the requirements analysis and system functional analysis
level.
Use Case Diagram Requirement Requirements Diagram
3..* 1
• A Requirements Diagram visualizes the dependencies of at least 3
requirements.
1 1..*
1..*
Use Case Internal Block Diagram
• Use cases are traced to at least one requirement.
1..*
1 1
is described by
• A use case should always have one Activity Diagram that captures
1 1
the functional flow. 2..*
1 5..*
Activity Diagram Sequence Diagram Block
• A use case should be described by at least 5 Sequence Diagrams.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 25
Fundamentals of Harmony for Systems Engineering
IBD_SuD
1
1
itsB1:B1
1
itsB2:B2
The approach is performed in four steps:
2
itsB2
itsB1 1 It starts with the definition of the network
reqOperation1()
operation1()
nodes by means of SysML structure
reqSetMode(ModeX)
diagrams, using blocks as the basic
structure elements. First, these blocks are
ModeX empty and not linked.
reqOperation2()
IBD_SuD operation2() 2 In the next step, the communication between
1
3 the blocks is described in a UML/SysML
reqOperation3()
itsB1:B1 1
itsB2:B2
B2 operation3() Sequence Diagram.
pB1 NOTE: In the Rhapsody tool the Sequence
reqOperation4()
reqOperation2
reqOperation4
reqSetMode
reqSetMode Diagram may be automatically generated
reqOperation1
reqOperation1 operation4()
operation2 reqOperation3
reqOperation3 from an underlying Activity Diagram by
operation4 operation1
operation1
operation3
operation3
means of the SE Toolkit (ref section 4.3.1.3)
26 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Rhapsody Project Structure
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 27
Rhapsody Project Structure
• StakeholderRequirementsPkg,
• SystemRequirementsPkg, and
• DerivedRequirementsPkg
28 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Rhapsody Project Structure
For each use case of the use case diagram, there is a package
<UseCaseName>Pkg that contains the associated model artifacts:
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 29
Rhapsody Project Structure
• ArchitecturalAnalysisPkg and The ArchitecturalAnalysisPkg contains the artifacts that are created
• ArchitecturalDesignPkg when a trade-off analysis is performed prior to the architectural design.
For details please refer to section 4.4.1.
30 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Rhapsody Project Structure
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 31
Rhapsody Project Structure
• ActorPkg
• InterfacesPkg
• TypesPkg
The ActorPkg contains the definitions of all the actors identified in the
system-level use case diagram(s). Each actor block may contain a
statechart diagram.
System-Level Definitions
32 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Getting Started
The Rhapsody tool supports model-based systems engineering through a special add-on – the SE-Toolkit. This toolkit contains features that
automate many of the tasks in a systems engineering workflow. It should be noted, that most of these features are process-independent. The focus
of this case study is on the usage of these features in the different phases of Harmony for Systems Engineering.
1 Start Rhapsody
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 33
Case Study: Requirements Analysis
Link
System Use Case to Reqs
SE-Toolkit Feature:
with trace Dependency Create Dependency
[else]
[All requirements traced
to System Use Cases]
34 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Requirements Analysis
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 35
Case Study: Requirements Analysis
36 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Requirements Analysis
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 37
Case Study: Requirements Analysis
2 In the SystemRequirementsPkg
select a system requirement.
4 In the StakeholderRequirementsPkg
select the associated stakeholder requirement. 2
5
In the SE-Toolkit dialog box
click Set Destination.
6
1
38 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Requirements Analysis
3 In the Tools Menu select Layout > Complete Relations > All
RD_SysReqsToSHReqsLinks
Disabling User Account
ID = SS11-14
ID = SS11-5
«fromWord» «fromWord»
«fromWord»
E2 - Security Lockdown MA2 - Time monitoring SS112 - Biometric Scan «satisfy»
Denied Entry Notification
«satisfy» ID = SS11-10
«satisfy»
Denied Exit Notification
Emergency Exit Image Captue
«satisfy» ID = SS11-11
ID = E1-1 ID = MA1-1
«satisfy» ID = SS11-16
«satisfy» «satisfy»
Employee ID Card Identification - Exit
«satisfy»
Accesss Precondition Security Card Information ID = SS11-3
ID = SS111-2 ID = SS111-1
Visualization of Biometric Data Check Status
«satisfy»
ID = SS11-17
Out of Date Cards - Exit Out of Date Cards - Entry
ID = SS11-4
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 39
Case Study: Requirements Analysis
Open UCD_SecuritySystem and draw the use case diagram with the
three use cases and the associated actors.
UCD_SecuritySystem
NOTE: At this stage, the actor blocks and use cases are allocated
in the UseCaseDiagramsPkg.
Security System
Uc1Control Entry
User Camera
Uc2Control Exit
Admin AccessPoint
Uc3ConfigureSecurity
System
40 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Requirements Analysis
3 5
2 1 6
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 41
Case Study: Requirements Analysis
1 In the SystemRequirementsPkg create a package 3 Move the use case and the allocated requirements into the
Uc1_RequirementsPkg. diagram.
In the Uc1_RequirementsPkg create a Requirements Diagram 4 In the Tools Menu select Layout > Complete Relations > All.
2
RD_Uc1LinksToSysReqs.
RD_Uc1LinksToSysReqs
«Requi rement»
Two Independent Security Checks
ID = SS11-1
«Requi rement» «Requi rement»
Im age Capture Three Attem pts On Biom etric Data Entry
ID = MA1-1 ID = SS11-8
«Requi rement»
«trace» «trace» «Requi rement»
Out of Date Cards - Entry Disabling User Account
«trace» «trace» «trace»
ID = SS111-4 ID = SS11-14
42 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
SE-Toolkit Feature:
Define • Add Actor Pins
UC Functional Flow • Auto-Rename Actions
SE-Toolkit Feature:
Derive
UC Scenarios • Create New Scenario from Activity Diagram
• Perform Activity View Consistency Check
Derive
UC State-based Behavior
Verify UC Model
through Model Execution
Link
UC Block Properties to Reqs
SE-Toolkit Feature:
with satisfy Dependency Create Dependency
[else]
Merge SE-Toolkit Feature:
Uc Blocks in SuD Block Merge Blocks
Fig.4-3 System Functional Analysis Workflow and its Support through the Rhapsody SE-Toolkit
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 43
Case Study: System Functional Analysis
4.3.1 Uc1ControlEntry
4.3.1.1 Project Structure of the Uc1 Model
UCD_SecuritySystem
4
5
2 Uc1ControlEntry associated actor blocks are moved into the
ActorPkg.
5 The use case - incl. its requirements links – is moved into the 2
Uc1ControlEntryPkg in the FunctionalAnalysisPkg. Additionally,
the Toolkit feature created an empty Activity Diagram
(Uc1ControlEntryBlackBoxView).
44 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
readSecurityCard
There is always a discussion whether actor swim lanes should be Camera
shown in an activity diagram. In many cases this may lead to “messy”, [First Request] «MessageAction»
hard to read diagrams. Focus of the activity diagram should be on the takePicture
system’s internal functional flow. [else] [else]
The SE-Toolkit feature Create New Scenario From Activity Diagram [Timeout BiometricScan]
uses the pin information when deriving sequence diagrams from the User [else]
activity diagram (ref. Section 4.3.1.3). [else] scanBiometricData
DerivedRequirementsPkg. disableUserAccount
[else]
[BiometricData Authenticated]
logAccountData
logEntryData
AccessPoint
alarm
«MessageAction»
Admin
unlockAccesspoint
«MessageAction»
lockAccesspoint
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 45
Case Study: System Functional Analysis
Uc1ControlEntryBlackBoxView
1
) Alternatively select a single action as the source.
The tool will auto-create the sequence until it
reaches a condition connector. The user is then
given the choice of which path to take.
7 6
46 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
case block shows the sequence of realized operations, which User Uc_Uc1ControlEntry AccessPoint Camera
corresponds to the chosen sequence of actions in the activity diagram.
The sequence diagram further shows the lifelines of those actors that
interact with the use case as well as the associated message
Uc1_Sc1 (Nominal Scenario)
exchanges. The direction of the message exchange corresponds to Preconditions:
the one defined in the pin of the relevant action in the activity diagram. Security System configured
reqTakeSnapshot()
Uc1_Sc1
validateSecurityCard(CardStatus)
message_0()
SecurityCard Valid
readSecurityCard()
reqScanBiometricData()
message_1() scanBiometricData()
validateSecurityCard(CardStatus)
displayCardStatus(CardStatus) authenticateBiometricData(AuthenticationStatus)
message_2() displayAuthenticationStatus(AuthenticationStatus)
scanBiometricData()
logEntryData()
Use r
authenticateBiometricData(AuthenticationStatus)
readSecurityCard
Cam e ra
validateSecurityCard
BiometricData Authenticated
flagSecurityCardFailure
displayCardStatus
logEntryData()
[else]
[CardStatus V alid]
reqUnlockAccessPoint()
[Tim eout Biom etricScan]
t_Unlocked
[else]
Use r [else]
flagBiome tricScanFailure
authenticateBiometricData
message_3()
Adm in displayAuthe nticationStatus reqLockAccessPoint()
disableUs erAccount message_6()
[else]
[Biom etricData Authe nticated]
evAccessPointLocked()
logAccountData
logEntryData
message_5()
AccessPoint
alarm
«M ess ageAction»
Admin
unlock Access point
rese tAlarm AccessPoint [Tim eout Unlocked]
«M ess ageAction»
lockAccesspoint
Automatically Generated Sequence Diagram Manually completed Use Case Scenario Uc1_Sc1
Uc1_Sc1
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 47
Case Study: System Functional Analysis
1
Right-click Uc1_ControlEntryBlackBoxView and select
SE-Toolkit\Perform Activity View Consistency Check.
The screenshot above shows the result of the consistency check after
the first use case scenario was generated. It lists those operations
that have not yet been addressed. They will be captured in the
following exception scenarios.
48 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
Uc1_Sc3
Uc1_Sc2
itsUser Uc 1_ControlEntry itsAdmin
User Uc_Uc1ControlEntry Admin
reqReadSecurityCard()
re qScanBiometricData()
readS ecurityCard() scanBiometricData()
disableUserAccount()
disabl eUserAccount()
Use r
Use r
readSecurityCard
readSecurityCard Cam e ra
Came ra
flagSecurityCardFailure flagSecurityCardFailure
displayCardStatus displayCardStatus
[BsFailCount==3] [BsFailCount==3]
authenticateBiom etricData
flagBiome tricScanFailure
reqResetAlarm() flagBiome tricScanFailure
authenticateBiom etricData
re qResetAlarm ()
Adm in displayAuthe nticationStatus
Admin displayAuthe nticationStatus
Manually completed Use Case Scenario Manually completed Use Case Scenario
Uc1_Sc2 (Exception Scenario 1) Uc1_Sc3 (Exception Scenario 2)
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 49
Case Study: System Functional Analysis
IBD_Uc1_ControlEntry 1 itsUc_Uc1ControlEntry
iUser_Uc_Uc1ControlEntry iUc_Uc1ControlEntry_Ca mera
pUser pCamera
iAdmin_Uc_Uc1ControlEntry iUc_Uc1ControlEntry_AccessPoint
pAdmin pAccessPoint
ScFailCount
iUc_Uc1ControlEntry_Admin BsFailCount 1
iAccessP oint_Uc_Uc1ControlEntry
t_Bs
t_Unlocked
Authentic ationS tatus
CardStatus
50 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
State-based behavior is added to the use case block and the actors
using Statechart Diagrams. The use case statechart diagram
represents the aggregate of all flows in the black-box activity diagram
and the associated sequence diagrams. Guidelines how to derive a
statechart diagram from the information captured in the activity Behavioral Description
diagram and sequence diagrams are documented in the Appendix A3.
1 reqReadSecurityCard to pUc_Uc1ControlEntry
req Rea dSec ur ity Car d to pUc1 _Co nt ro lEn tr y
Actor statechart diagrams are typically very simple, just providing the
User
RequestEntry
RequestEntry
required events to trigger operations / state changes in the use case WaitForUserCmds
WaitForUserCmds
block. ScanFingerprint
ScanFingerprint
reqScanBiometricData to pUc1_ControlEntry
reqScanBiometricData to pUc_Uc1ControlEntry
IBD_Uc1ControlEntry
1 itsUser 1 itsUc_Uc1ControlEntry
41 itsCame ra
1 2
pUser locked
pUc1_Control Entry pCamera pUc1_Control Entry locked
Access Point
pAdmin pAccessPoint reqUnlockAccessPoint
RequestE ntry reqUn lockAcces s Point
ScanFingerprint unlocking
ScFailCount evAccessPointLocked to pUc_Uc1ControlEntry
RequestE xit 21 evAcces s PointLocked to pUc1_ControlEntry u nl oc kin g
BsFailCount itsAccessPoint
t_Bs reqLockAccessPoint tm(1000) tm(1000)
tm ( 1000 ) tm (1000)
1 itsAdmin t_Unlocked pUc1_Control Entry locking
3 Aut hentic ationStatus locking evAccessPointUnlocked to pUc_Uc1ControlEntry
evAcces s PointUnlocked to pUc1_ControlEntry
pUc1_Control Entry reqUnloc kAccessPoint
CardStatus reqLoc kAcce s s Poi nt
reqLockAccess Point
reqProcessAlert unlocked
unlocked
validateS ecurity Card
reqReadSecurit yCard
reqScanBiomet ricDat a
evAccess Point Unlock ed
3
Admin
evAccess Point Locked reqResetAlarm to pUc_Uc1ControlEntry
flagSecurityCardFailure A dminCtrl
reqProcessAlert
disableUs erAcc ount
readSecurityCard AdminCtrl
scanBiometricData reqProcessA lert
aut hentic ateBiometric Data
logEntryData
flagBiometricSc anFailure
logAccountData
Camera
displayCardStatus
4
CameraCtrl
displayAuthent icationStatus
alarm
res etAlarm
reqTakeSnapshot
reqReset Alarm
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 51
Case Study: System Functional Analysis
1 ProcessingSecurityCardData
/ScFailCount=0
ValidatingSecurityCardData
validateSecurityCard(CardStatus);...displayCardStatus(CardStatus);
[CardStatus=="Not Valid"]
[ScFailCount>3]
WaitForEntryRequest
[else] Fail3Times
Uc1ControlEntryCtrl
2 ProcessingBiometricData
WaitForEntryRequest A
/BsFailCount=0;
reqReadSecurityCard/
readSecurityCard(); WaitForBiometricScanRequest
tm(t_Bs) BsTimeout
reqTakeSnapshot to pCamera
reqScanBiometricData/
scanBiometricData();
1 ProcessingSecurityCardData AuthenticatingBiometricData
authenticateBiometricData(AuthenticationStatus); displayAuthenticationStatus(AuthenticationStatus);
Fail3Times
[CardStatus=="Valid"]
[else]/logEntryData(); Authenticated
2 ProcessingBiometricData
[AuthenticationStatus=="Not Authenticated" ]
Authenticated BsTimeout Failed3Times reqScanBiometricData/
scanBiometricData(); BiometricScanFailure
flagBiometricScanFailure(BsFailCount);
A /disableUserAccount();
logAccountData();
[BsFailCount>3]
waitForBiometricScanRequest
reqProcessAlert("User Account Disabled") to pAdmin
[else] Failed3Times
reqResetAlarm/
3 resetAlarm();
reqUnlockAccessPoint to pAccessPoint
evAccessPointLocked
A
UnlockingAccessPoint
evAccessPointUnlocked
AccessPointUnlocked
52 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
The Uc1ControlEntry model is verified through model execution on the The Rhapsody tool provides two ways to visualize model behavior:
basis of the captured use case scenarios. The correctness and • Visualization of the state-based behavior through animation of
completeness analysis is based on the visual inspection of the model respective statecharts
behavior. • Visualization of message sequences by means of automatically
generated sequence diagrams
reqReadSecurityCard()
readSecurityCard()
reqTakeSnapshot()
validateSecurityCard(CardStatus = Valid)
displayCardStatus(CardStatus = Valid)
reqScanBiometricData()
scanBiometricData()
authenticateBiometricData(AuthenticationStatus = Authenticated)
displayAuthenticationStatus(AuthenticationStatus = Authenticated)
logEntryData()
reqUnlockAccessPoint()
tm(1000)
evAccessPointUnlocked()
tm(5000)
reqLockAccessPoint()
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 53
Case Study: System Functional Analysis
Arrow Name
The analysis via sequence diagrams is supported by the Rhapsody Description
Color Color
Sequence Diagram Compare feature. This feature enables to perform
Green Blue Msg matches in both SD
comparisons between two sequence diagrams, e.g. one capturing the
Pink Pink Msg is missing in the other SD
sequence of a required scenario and the other showing the recorded
Green Pink Msg has different arguments in the other SD
scenario. The differences between the diagrams are shown color-
Orange Orange Msg arrives at a different time in the other SD
coded. This feature may also be used to compare two runs for
Gray Gray Msg was excluded from comparison
regression testing.
Required Recorded
Sequence Sequence
54 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
System
ID <<satisfy>> System
Requirement ID <<satisfy>>
Requirement
Employee ID Card readSecurityCard(),
SS11-3 Visualization of
Identification - Exit validateSecurityCard()
SS11-16 Security Card Check displayCardStatus()
SS11-4 Biometric Scan scanBiometricData() Status - Exit
Time Between Two Visualization of
SS11-5 t_Bs
Independent Checks SS11-17 Biometric Data Check displayAuthenticationStatus()
Status
Three Attempts On ScFailCount,
SS11-7
Employee ID Entry flagSecurityCardFailure() SS111-2 Access Precondition validateSecurityCard()
.
Three Attempts On BsFailCount, Out of Date Cards -
SS11-8 SS111-4 validateSecurityCard()
Biometric Data Entry flagBiometricScanFailure() Entry
Three Attempts On ScFailCount, Out of Date Cards -
SS11-9 SS111-5 validateSecurityCard()
Employee ID Exit flagSecurityCardFailure() Exit
logEntryData(), Approval of Biometric
Denied Entry SS112-1 authenticateBiometricData()
SS11-10 logAccountData(), Data
Notification
reqProcessAlert()
SS12-2 Entry Time t_Unlocked
logExitData(),
SS11-11
Denied Exit
logAccountData(), SS12-3 Exit Time t_Unlocked
Notification
reqProcessAlert() Automatic Securing
SS11-12 Alarm - Entry alarm() SS12-5 the Secure Area - evAccessPointLocked()
Entry
SS11-13 Alarm - Exit alarm()
Automatic Securing
SS12-6 evAccessPointLocked()
SS11-18 Alarm Reset resetAlarm() the Secure Area - Exit
Disabling User MA1-1 Image Capture reqTakeSnapshot()
SS11-14 disableUserAccount()
Account
MA2-1 Time Recording logExitData()
Visualization of
SS11-15 Security Card Check displayCardStatus() MA2-2 Alarm Conditions checkForTimeLimitViolations()
Status - Entry
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 55
Case Study: System Functional Analysis
In the SystemRequirementsPkg
4
select the relevant system requirement.
5
In the ModelingToolbox dialog box
4
click Set Destination.
3 5
6
1
2
56 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
Move the operations and attributes from the 4 In the Tools Menu select Layout > Complete Relations > All
2
Uc_Uc1ControlEntry block into the diagram.
RD_Uc1BlockLinksToSysR
«Requi rement»
«Pri mitive Operati on»
«Pri mitive Operati on» Denied Entry or Exit Notification
logAccountData():void logEntryData
«satisfy» «satisf y»
ID = SS11-8
«Requi rement»
«Pri mitive Operati on» «Attribute»
Three Attem pts On Biom etric Data Entry
flagBiom etricScanFailure BsFailCount
«satisfy» «satisf y»
ID = SS11-6
«Requi rement»
Three Attem pts On Em ployee ID Exit
«satisf y» «satisfy»
ID = SS11-7
«Pri mitive Operati on» «Attribute»
flagSecurityCardFailure ScFailCount
«Requi rement»
Three Attem pts On Em ployee ID Entry
«satisf y» ID = SS11-5 «satisf y»
«Requi rement»
Accesss Precondition
«satisfy»
ID = SS111-1
«Requi rement»
Out of Date Cards
«satisf y»
ID = SS111-4
«Requirement»
«Attribute»
Time Betw een Tw o Independant Checks
t_Bs
«satisfy»
ID = SS11-4
«Requi rement»
«Attribute»
t_Unlocked Entry and Exit Tim e
«satisf y»
ID = SS12-2
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 57
Case Study: System Functional Analysis
4.3.2 Uc2ControlExit
4.3.2.1 Project Structure of the Uc2 Model 4.3.2.2 Definition of Uc2 Functional Flow
The generic project structure of the Uc2 model (=> Uc2ControlExitPkg NOTE: The interaction of an action node with the environment is
in the FunctionalAnalysisPkg) is created by means of the SE-Toolkit captured by means of a SysML Action Pin, stereotyped ActoPin (e.g.
feature Create System Model From Use Case. readSecurityCard).
Uc2ControlExitBlackBoxView
User Admin
UCD_SecuritySystem
readSecurityCard checkForTimeLimitViolations
validateSecurityCard
displayCardStatus
1
[CardStatus==Valid]
Admin
[else]
flagSecurityCardFailure
logExitData
AccessPoint
1 Right-click use case Uc2Control Exit and select
[ScFailCount<3]
SE-Toolkit\Create System Model From Use Case [else]
«MessageAction»
alarm unlockAccesspoint
resetAlarm «MessageAction»
lockAccesspoint
58 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
RefSD_CheckForTimeLimitViolations
1
4.3.2.3 Definition of Uc2 Scenarios Uc_Uc2ControlExit Admin
Use case scenarios are created from the black-box activity diagram by Uc2_RefSc_CheckForTimeLimitViolations
Preconditions:
means of the SE-Toolkit feature Create New Scenario From Activity SecSys configured and activaed
Diagram.
loop
checkForTimeLimitViolations(TimeLimitFlag)
opt [TimeLimitViolation==true]
Uc2_Sc1
reqProcessAlert(AlertType="TimeLimitViolation")
User Uc2ControlExit AccessPoint
parallel
Ref
readSecurityCard()
reqReadSecSysCard()
validateSecurityCard(CardStatus) readSecurityCard()
v alidateSecurityCard(CardStatus)
displaySecurityCardStatus(CardStatus)
displayCardS tatus(CardStatus)
logExitData()
User Admin
User Admin
readSecurityCard checkForTimeLimitViolations
flagSecurityCardFailure(ScFailCount)
readSecurityCard checkForTimeLimitViolations
reqUnlockAccessPoint()
validateSecurityCard
validateSecurityCard
t_Unlocked evAccessPointUnlocked()
displayCardStatus
displayCardStatus
reqProcessAlert(AlertType="E xit Failure")
[CardStatus==Valid]
[CardStatus==Valid]
Admin
[else]
alarm()
Admin
[else]
reqLockAccessPoint() flagSecurityCardFailure
flagSecurityCardFailure logExitData
logExitData
evAccessPointLocked() AccessPoint
reqResetAlarm()
AccessPoint [ScFailCount<3]
[ScFailCount<3]
[else]
«MessageAction» resetAlarm()
[else] alarm
«MessageAction» unlockAccesspoint
alarm unlockAccesspoint Admin AccessPoint [Timeout Unlocked]
Admin AccessPoint [Timeout Unlocked]
resetAlarm «MessageAction»
lockAccesspoint
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 59
Case Study: System Functional Analysis
Behavioral Description
4.3.2.4 Definition of Ports and Interfaces
reqReadSecurityCard to pUc2_ControlExit
pUc2ControlExit
NOTE: All use case models – and later also the architectural design reqReadSecurityCard to pUc1ControlEntry
pUc1_ControlEntry
model - share common actors. The structure (i.e. ports and interfaces)
User
RequestExit RequestEntry
as well as the behavior of the actor blocks are incrementally extended WaitForUserCmds
according to the needs of the relevant model. In the internal structure ScanFingerprint
diagram below. The use case 1 related ports (pUc1ControlEntry) of reqScanBiometricData to pUc1_ControlEntry
the actor blocks User, Admin, and AccessPoint intentionally are not
shown (deleted from view - not deleted from model!).
locked
IBD_Uc1_ControlExit
evAccessPointLocked to pUc2ControlExit
reqUnlockAccessPoint
Access Point
1 itsUser 1 itsUc_Uc2ControlExit 1 itsAccessPoint evAccessPointLocked to pUc1ControlEntry unlocking
[CardStatus=="Valid"]/
logExitData();
Populated Use Case Model Uc2ControlExit
UnlockingAndLockingAccessPoint
reqProcessAlert("Exit Failure") to pAdmin
4.3.2.5 Definition of State-based Behavior
reqResetAlarm/ evAccessPointLocked
WaitForResetAlarm resetAlarm(); A
The statechart diagrams of the actors User and AccessPoint need to
be extended, taking into consideration the generation of the User’s exit TimeLimitMonitor
request (RequestExit) and the communication between the blocks CheckingForTimelimitViolations
Uc2ControlExit and AccessPoint. tm(t_Update)
checkForTimeLimitViolations(TimeLimitFlag);
Note the reuse of behavior patterns in the statechart diagram of the /TimeLimitFlag=0; [TimeLimitFlag==1]
use case block. The system states ProcessingSecurityCard Data and reqProcessAlert("TimeLimitViolation") to pAdmin
UnlockingAndLockingAccessPoint are identical to the ones used in the
use case block Uc_Uc1ControlEntry.
State-based Behavior of Use Case Block Uc_Uc2ControlExit
60 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: System Functional Analysis
readSecurityCard()
validateSecurityCard(CardStatus = Valid)
displayCardStatus(CardStatus = Valid)
logExitData()
reqUnlockAccessPoint()
tm(1000)
evAccessPointUnlocked()
tm(500)
reqLockAccessPoint()
tm(1000)
evAccessPointLocked()
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 61
Case Study: System Functional Analysis
Once all use case models are verified, the operations, receptions, and This SE-Toolkit feature copies all events, operations and attributes
attributes of each use case block are merged into the system block from all use case blocks into the SecuritySystem block.
SecuritySystem in the ArchitecturalDesignPkg
2
Right click the block SecuritySystem and select
SE-Toolkit\Merge Functional Analysis
62 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
Assign MoEs
to Candidate Solutions
SE-Toolkit Feature:
Determine Solution
Perform Trade Analysis
Merge Solutions to
Form System Architecture
Trade Study
Report
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 63
Case Study: Design Synthesis
• resetAlarm
readSecurityCard
Cam era
• scanBiometricData
[ScFailCount==3] validateSe curityCard
• authenticateBiometricData
flagSecurityCardFailure
displayCardStatus
• displayAuthenticationStatus
[else ]
[CardStatus V alid]
ControlSecSys: [Tim eout Biom etricScan]
• validateSecurityCard Us er [else ]
• flagSecurityCardFailure [else ]
scanBiom e tricData
Uc1ConpSS1_4
tBlackBoxView
• disableUserAccount
authenticateBiom e tricData
readSecurityCard checkForTimeLimitViolations
flagBiom etricScanFailure
• logExitData [else ]
[Biom e tricData Authenticated]
displayCardStatus
• checkForTimelimitViolations logAccountData
logEntryData
• unlockAccesPoint
[CardStatus==Valid]
Access Point
alarm Admin
• lockAccessPoint
[else]
«Mes sage Action»
Adm in flagSecurityCardFailure
unlockAccess point
logExitData
res etAlarm Access Point [Tim eout Unlocke d]
AccessPoint
«Mes sage Action»
[ScFailCount<3]
lockAcces spoint [else]
«MessageAction»
alarm unlockAccesspoint
resetAlarm «MessageAction»
lockAccesspoint
64 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
7
Copy the operations that are associated with the key system
function CaptureBiometricData from the Uc_Uc1_ControlEntry
Step1: Identify solutions to the chosen key system function
block into the block CaptureBiometricData. This shows what the
In this case study the chosen key function is CaptureBiometricData. OpticalScanner and FingerprintScanner should be capable of.
Possible solutions are:
• Facial Recognition
• Fingerprint Scanner
• Optical Scanner (examining iris or retina)
2
3
Step2: Select candidate solutions for further analysis 4
Facial recognition systems are at present not very reliable technology,
also they are very expensive to install and maintain.
Two practical candidate solutions remain that will be carried forward
7
for further analysis i.e.
• Fingerprint Scanner
• Optical Scanner (Cornea or Iris Scanner)
2
In the ArchitecturalAnalysisPkg create a package
TradeStudyAnalysisPkg
3
In the TradeStudyAnalysisPkg create a package 5
BiometricScanTradeStudy
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 65
Case Study: Design Synthesis
• Accuracy
• Purchase
• Installation and
• Maintenance Cost
The assessment criteria are captured in the model by adding to the BDD_CaptureBiometricDataOption
66 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
Not all assessment criteria are equal. Some are more important than
others. Assessment criteria are weighted according to their relative
importance to the overall solution. The weighting factors are
normalized to add up to 1.0.
1 Accuracy
2 Security
3 Purchase Cost
4 Installation Cost
5 Maintenance
1
In each <<moe>> attribute select the tab Tags and
add the appropriate value.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 67
Case Study: Design Synthesis
y = - x + 10
10 6
MoE
8 4
6 2
MoE
4 0
0 50 100 150 200 250 300 350 400 450
2
Purchase Cost ($)
0
0 1 2 3 4 5 6 7 8 9 10
Purchase Cost Utility Curve
Errors per thousand
0
0 200 400 600 800 1000 1200 1400 1600
68 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
1
In the browser select a block representing one of the solutions
and opend its features.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 69
Case Study: Design Synthesis
«block» «block»
FingerprintScannerArchitecture OpticalScannerArchitecture
70 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
2
Drag on the blocks OpticalScannerArchitecture and the
FingerprintScannerArchitecture. «block» «block»
FingerprintScannerArchitecture OpticalScannerArchitecture
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 71
Case Study: Design Synthesis
Fig.4-5 shows the architectural design workflow in the case study and 4.4.2.1 Security System Decomposition
lists its support by means of the SE-Toolkit.
Based on the results of the previous trade study, the constituents of
Based on the design concept that was elaborated in the previous the Security System will be
architectural analysis phase it starts with the decomposition of the
system block into parts. • Two Card Readers (one for entry and one for exit)
• a Fingerprint Scanner
The allocation of the system block operations to the parts is elaborated • a Control Unit
for each use case by graphically allocating operations in the use case
white-box activity diagrams (ref. section 2.2.3.2). The allocation is As the card readers and the fingerprint scanner are considered off-the-
formalized by means of the SE-Toolkit feature Allocate Operations shelf components, the focus of the case study will be on the
from Swimlanes. specification of the control unit – in the following referred to as
SecSysController.
Once all system block operations that capture system functional
requirements are allocated to parts, non-functional requirements (e.g. The chosen system architecture is captured in the block definition
design constraints) are allocated to the relevant parts and respective diagram BDD_SecuritySystem and the internal block diagram
trace links are established. IBD_SecuritySystem. Both diagrams are created in the
ArchitecturalDesignPkg.
BDD_SecuritySystem
Decompose
«block»
System Block into Parts SecuritySystem
1 1
CardReader FingerprintScanner
72 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
1 itsSecSysController
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 73
Case Study: Design Synthesis
74 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
Uc1ControlEntryWhiteBoxView
Camera
User
[FirstRequest] «MessageAction»
readSecurityCard
takePicture
[else] [Timeout
disableBiometricScan BiometricScan]
validateSecurityCard
[CardStatus==Pass]
displayCardStatus enableBiometricScan
[else] A [else]
flagSecurityCardFailure
flagBiometricScanFailure User
[BsFailCount<3] scanBiometricData
[else]
[ScFailCount==3] [else]
Admin
authenticateBiometricData
disableUserAccount
disableBiometricScan
«MessageAction» displayAuthenticationStatus
retAuthenticationStatus
logAccountData A
[else]
[BiometricData Uc2ControlExitWhiteBoxView
Authenticated]
Admin CardReader_Exit SecSysController
[else]
flagSecurityCardFailure logExitData
AccessPoint
White-Box Activity Diagram Uc1ControlEntry
[else] «MessageAction»
[ScFailCount==3]
unlockAccesspoint
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 75
Case Study: Design Synthesis
NOTE: In order to provide the required functionality for the chosen Summarizing the Allocation of Operations
design, two actions that do not have an associated system
requirement had to be added to the white-box activity diagrams: For each white-box activity diagram the allocation of operations may
be summarized in an Excel spreadsheet by means of the SE-Toolkit
enableBiometricScan and feature Create Allocation Table.
disableBiometricScan
Right-click Uc2ControlExitWhiteBoxView.
2
Select SE-Toolkit\Create Allocation Table
Generally it is recommended to update and verify the black-box use
case models, i.e. to generate new black-box use case scenarios. In SecSysController CardReader_Exit
this case study, this step was intentionally skipped. validateSecurityCard alarm
checkForTimeLimitViolations readSecurityCard
flagSecurityCardFailure displayCardStatus
logExitData resetAlarm
76 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
4
In the Modeling Toolbox dialog box
click Set Source.
5
In the ArchitecturalDesignPkg
select system block SecuritySystem.
4 6
6 In the Modeling Toolbox dialog box
click Set Destination.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 77
Case Study: Design Synthesis
The reason for the error messge below is, that - as mentioned in the
previous paragraph - the actions/operations enableBiometricScan and
disableBiometricScan were added afterwards to the white-box activity
diagram Uc1ControlEntry. Therefore they are not included in the set of merged
use case operations in the SecuritySystem block.
1 itsSecuritySystem
1 CardReader_Entry
alarm
readSecurityCard
displayCardStatus
resetAlarm
1 itsSecSysController
1 CardReader_Exit
alarm
readSecurityCard
displayCardStatus validateSecurityCard
resetAlarm checkForTimeLimitViolations
flagSecurityCardFailure
logExitData
flagBiometricScanFailure
In order to add these operations to the SecuritySystem block and to disableUserAccount
allocate them to the FingerprintScanner block: logEntryData
logAccountData
1 itsFingerprintScanner
78 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
1
In the SystemRequirementsPkg create the subsystem packages
- SecSysControllerReqsPkg
- CardReaderReqsPkg
- FingerprintScannerReqsPkg
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 79
Case Study: Design Synthesis
RD_SecSysCtrlLinksToSysReqs
Biometric Data Storage Processing User Request Two Independent Security Checks «Attribute»
t_Bs:int=15000
ID = SS112-2 ID = SS12-1 ID = SS11-1
«satisfy»
«satisfy»
«satisfy» «satisfy»
«block» Time Between Two Independent Checks
SecSysController
ID = SS11-5
Time Recording Denied Exit Notification Denied Entry Notification Disabling User Account
Out of Date Cards - Exit Out of Date Cards - Entry Accesss Precondition Alarm Conditions
«Attribute» «Attribute»
ScFailCount:int BsFailCount:int «Attribute»
t_Unlocked:int=5000
«satisfy» «satisfy»
«satisfy»
«satisfy» «satisfy»
Three Attempts On Employee ID Exit Three Attempts On Employee ID Entry Three Attempts On Biometric Data Entry Exit Time Entry Time
80 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 81
Case Study: Design Synthesis
2
1 In the ArchitecturalDesignPkg right-click SecuritySystem block
Select SE-Toolkit\Architectural Design Wizard
4
2
it
In the SE-Toolkit dialog box un-tick Show Operations.
4
In the Unlocated Operations / Events window select an event
and click Selected to allocate the event to the chosen part.
NOTE: If the event needs to be allocated to more than one
subsystem, drag&drop it from the pool to the part.
82 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 83
Case Study: Design Synthesis
White-box scenarios are derived from the white-box activity diagrams by means of the SE-Toolkit feature Create New Scenario From Activity
Diagram (ref. section 4.3.1.3 ). NOTE: Select as destination the ArchitecturalDesignPkg.
retAuthenticationStatus
84 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
WB_Uc1Sc1
reqReadSecurityCard()
readSecurityCard()
reqValidateSecurityCard()
reqTakeSnapshot()
validateSecurityCard(CardStatus)
CardStatus==Pass
reqDisplayCardStatus(CardStatus)
displayCardStatus(CardStatus)
reqEnableBiometricScan()
enableBiometricScan()
message_0() displayAuthenticationStatus(AuthenticationStatus)
readSecurityCard()
retAuthenticationStatus(AuthenticationStatus)
setAuthenticationStatus()
message_1()
message_2()
BiometricData
validateSecurityCard(CardStatus)
Authenticated
message_3() reqDisableBiometricScan()
enableBiometricScan()
disableBiometricScan()
message_4()
scanBiometricData() logEntryData()
authenticateBiometricData(AuthenticationStatus) reqUnlockAccessPoint()
evAccessPointLocked()
displayAuthenticationStatus(AuthenticationStatus)
message_5() reqLockAccessPoint()
logEntryData()
evAccessPointLocked()
message_6()
message_7()
message_8()
message_9()
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 85
Case Study: Design Synthesis
WB_Uc1Sc3
reqScanBiometricData()
scanBiometricData()
authenticateBiometricData(AuthenticationStatus)
WB_Uc1Sc2
reqValidateSecurityCard()
disableUserAccount()
validateSecurityCard(CardStatus)
logAccountData()
CardStatus==Fail
reqProcessAlert(AlertType)
reqDisplayCardStatus(CardStatus)
reqAlarm()
displayCardStatus(CardStatus) alarm()
flagSecurityCardFailure(ScFailCount) reqResetAlarm()
reqResetAlarm()
disableUserAccount() resetAlarm()
reqProcessAlert(AlertType)
logAccountData()
reqAlarm()
alarm()
86 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
IBD_SecuritySystem
1 itsSecuritySystem
1 CardReader_Entry
pUser_Entry
pUser pSecSysController
reqReadSecurityCard
reqDisplayCardStatus
reqAlarm
reqResetAlarm
1 itsAdmin
readSecurityCard
displayCardStatus
alarm pSecSysController
1 itsUser resetAlarm 1 itsSecSysController
pAdmin
pCardReader_Entry pCardReader_Entry pAdmin 1 itsAccessPoint
1 CardReader_Exit
pUser_Exit pAccessPoint
pCardReader_Exit pUser pSecSysController pCardReader_Exit pAccessPoint pSecSysController
pCamera
pFingerprintScanner reqReadSecurityCard pFingerprintScanner pCamera
reqDisplayCardStatus 1 itsCamera
reqAlarm evAccessPointLocked
reqResetAlarm evAccessPointUnlocked pSecSysController
readSecurityCard reqResetAlarm
displayCardStatus retAuthenticationStatus
alarm reqValidateSecurityCard
resetAlarm checkForTimeLimitViolations
disableUserAccount
flagBiometricScanFailure
1 itsFingerprintScanner flagSecurityCardFailure
pUser_FpScan
logAccountData
pUser pSecSysController logEntryData
logExitData
reqScanBiometricData validateSecurityCard
reqEnableBiometricScan
reqDisableBiometricScan
authenticateBiometricData
displayAuthenticationStatus
scanBiometricData
enableBiometricScan
disableBiometricScan
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 87
Case Study: Design Synthesis
iUser_FingerprintScanner
User
iUser_CardReader
Admin iAdmin_SecSysController
Camera
AccessPoint iAccessPoint_SecSysController
CardReader
FingerprintScanner
SecSysController iSecSysController_Admin iSecSysController_Camera iSecSysController_AccessPoint
Admin iAdmin_SecSysController
Camera
AccessPoint iAccessPoint_SecSysController
CardReader iCardReader_SecSysController
FingerprintScanner iFingerprintScanner_SecSysController
88 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
Behavioral Description
4.4.3.3 Definition of State-based Behavior
reqReadSecurityCard to pCardReader_Exit
1
reqReadSecurityCard to pUc_Uc2ControlExit
The statechart diagrams of the actors User and AccessPoint need to
be extended, taking into consideration the communication via the reqReadSecurityCard to pCardReader_Entry
additional ports in the User block (pCardReader_Entry,
pCardReader_Exit, and pFingerprintScanner) and in the AccessPoint reqReadSecurityCard to pUc_Uc1ControlEntry
(pSecSysController).
User
RequestExit RequestEntry
WaitForUserCmds
ScanFingerprint
reqScanBiometricData to pUc_Uc1ControlEntry
pAdmin pSecSysControll er
AccessPoint
2 evAccessPointLocked to pUc_Uc1ControlEntry unlocking
tm(1000) tm(1000)
evAccessPointUnlocked to pSecSysController
unlocked
reqResetAlarm to pSecSysController
2
reqResetAlarm to pUc_Uc2ControlExit
Admin
reqResetAlarm to pUc_Uc1ControlEntry
reqProcessAlert
WaitForAlert
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 89
Case Study: Design Synthesis
1 itsSecuritySystem
1 CardReader_Entry 1 itsSecSysController
pUser_Entry
pUser
pSecSysController pCardReader_Entry
pAccessPoint
pAccessPoint
1 CardReader_Exit pCamera System Architecture Model (Subsystems View)
pUser_Exit pCamera
pUser
pSecSysController pCardReader_Exit
pAdmin
1 itsFingerprintScanner pAdmin
pUser_FpScan
pUser
pSecSysController pFingerprintScanner
FingerprintScannner_Ctrl
BiometricScanDisabled
reqDisableBiometricScan/ reqEnableBiometricScan/
disableBiometricScan(); enableBiometricScan();
BiometricScanEnabled
WaitForScanRequest
AuthenticatingBiometricData
authenticateBiometricData(AuthenticationStatus);...displayAuthenticationStatus(AuthenticationStatus);
[AuthenticationStatus=="Authenticated"]
retAuthenticationStatus("Authenticated") to pSecSysController
90 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
2 CardReaderCtrl
WaitForRequest
reqReadSecurityCard/
readSecurityCard();
reqValidateSecurityCard to pSecSysController
Configuration_CR_Entry
reqDisplayCardStatus/displayCardStatus(params->CardStatus);
reqAlarm/alarm();
reqResetAlarm/ResetAlarm();
[BlockType=="Entry"]
1
[BlockType=="Exit"]
Configuration_CR_Exit
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 91
Case Study: Design Synthesis
ProcessingSecurityCardData
validateSecurityCard(CardStatus);
Note the reuse of behavior patterns in the statechart diagram of the [UserRequest=="Exit"] [UserRequest=="Entry"]
SecSysController block. The statemachines ProcessingSecurityCard reqDisplayCardStatus(CardStatus) to pCardReader_Entry
Data and ProcessingBiometricData are extended copies of the ones
used in the use case blocks, UnlockingAndLockingAccessPoint is an Fail
[CardStatus=="Valid"]
reqValidateSecurityCard SecCardFailure
reqAlarm to pCardReader_Entry
[UserRequest=="Exit"]
[UserRequest=="Entry"]
2 ProcessingBiometricData
ProcessingBiometricData
reqEnableBiometricScan to pFingerprintScanner
2
/disableUserAccount();
A logAccountData(); /BsFailCount=0
waitForBiometricScanInfo
/logEntryData(); reqProcessAlert("User Access Disabled") to pAdmin
[else]
[UserRequest=="Entry"] [UserRequest=="Exit"]
[params->AuthenticationStatus=="Authenticated" ]
reqResetAlarm to pCardReader_Exit [BsFailCount>3]
[else]
reqResetAlarm to pCardReader_Entry
BiometricScanFailure
flagBiometricScanFailure(BsFailCount);
A
TimeLimitMonitor reqDisableBiometricScan to pFingerprintScanner
92 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Case Study: Design Synthesis
itsUser SecuritySystem.Card SecuritySystem.its SecuritySystem.its itsAccessPoint itsCamera itsAdmin
Reader_Entry FingerprintScanner SecSysController
reqDisplayCardStatus(CardStatus = Valid)
reqEnableBiometricScan()
displayCardStatus(CardStatus = Valid)
enableBiometricScan()
reqScanBiometricData()
scanBiometricData()
authenticateBiometricData(AuthenticationStatus = Authenticated)
displayAuthenticationStatus(AuthenticationStatus = Authenticated)
reqSetAuthenticationStatus(AuthenticationStatus
ret = Authenticated)
reqDisableBiometricScan()
reqUnlockAccessPoint()
disableBiometricScan()
tm(1000)
evAccessPointUnlocked()
tm(5000)
reqLockAccessPoint()
tm(1000)
evAccessPointLocked()
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 93
Case Study: Hand-Off to Subsystem Development
94 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
6 Appendix
A1 Mapping Security System Requirements to Model Artifacts
<<trace>>
ID System Requirement Req. Type <<satisfy>>
Uc1 Uc2 Uc3
Two Independent Security Checks
SS11-1 Secure areas shall be protected by two independent Constraint X SecSysController
security checks.
Employee ID Card Identification - Entry
Functional readSecurityCard(),
SS11-2 Entry shall be protected by a security check based upon X
Requirement validateSecurityCard()
employee ID.
Employee ID Card Identification - Exit
Functional readSecurityCard(),
SS11-3 Exit shall be protected by a security check based upon X
Requirement validateSecurityCard()
employee ID.
Biometric Scan
Functional
SS11-4 Entry to the secure areas shall be protected by a second X scanBiometricData()
Requirement
independent security check, based upon biometric data
Time Between Two Independent Checks
SS11-5 The time between the two independent security checks Constraint X t_Bs
shall not exceed a configurable period.
Configure Time Between Two Independent Checks
Functional
SS11-6 The time between two independent security checks shall X
Requirement
be configurable.
Three Attempts On Employee ID Entry
Functional ScFailCount,
SS11-7 Upon entry the user shall be allowed three attempts on X
Requirement flagSecurityCardFailure()
card identification.
Three Attempts On Biometric Data Entry
Functional BsFailCount,
SS11-8 Upon entry the user shall be allowed three biometric data X
Requirement flagBiometricScanFailure()
entries.
Three Attempts On Employee ID Exit
Functional ScFailCount,
SS11-9 Upon exit the user shall be allowed three attempts on card X
Requirement flagSecurityCardFailure()
identification.
Denied Entry Notification logEntryData(),
Functional
SS11-10 Any denied access attempt shall be logged and account X logAccountData(),
Requirement
details sent to the administrator reqProcessAlert()
Denied Exit Notification logExitData(),
Functional
SS11-11 Any denied access attempt shall be logged and account X logAccountData(),
Requirement
details sent to the administrator reqProcessAlert()
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 95
Appendix
<<trace>>
ID System Requirement Req. Type <<satisfy>>
Uc1 Uc2 Uc3
Alarm - Entry Functional
SS11-12 X alarm()
On a denied entry an alarm signal shall be raised. Requirement
Alarm - Exit Functional
SS11-13 X alarm()
On a denied exit an alarm signal shall be raised. Requirement
Disabling User Account
Functional
SS11-14 After three failed attempts at card identification or X disableUserAccount()
Requirement
biometric data entry the user account shall be disabled
Visualization of Security Card Check Status - Entry
Functional
SS11-15 The user shall be visually informed about the status of X displayCardStatus()
Requirement
his/her ID card check.
Visualization of Security Card Check Status - Exit
Functional
SS11-16 The user shall be visually informed about the status of X displayCardStatus()
Requirement
his/her ID card check.
Visualization of Biometric Data Check Status
Functional
SS11-17 The user shall be visually informed about the status of X displayAuthenticationStatus()
Requirement
his/her biometric data check
Alarm Reset
Functional
SS11-18 Once the alarm is acknowledged, it shall be reset by X X resetAlarm()
Requirement
the Administrator
Security Card Information
SS111-1 Constraint X X ValidateSecurityCard()
Security cards shall only contain employee name and ID.
Access Precondition
Functional
SS111-2 Access to the secure area shall only be allowed with a X validateSecurityCard()
Requirement
valid security card.
Security Card Renewal Functional
SS111-3 X
Security cards shall be renewed yearly. Requirement
Out of Date Cards - Entry Functional
SS111-4 X validateSecurityCard()
Out of date cards shall deny entry. Requirement
Out of Date Cards - Exit Functional
SS111-5 X validateSecurityCard()
Out of date cards shall deny exit. Requirement
Approval of Biometric Data
Functional
SS112-1 The user shall not be allowed access unless his/her X authenticateBiometricData()
Requirement
biometric data are recognized.
Biometric Data Storage
SS112-2 Biometric data shall be stored in the system database and Constraint X FingerprintScanner
not on the security card.
BiometricScan Activation
Functional enableBiometricScan();
SS112-3 The biometric scan device shall be activated only
Requirement disableBiometricScan()
when there is a request.
96 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
<<trace>>
ID System Requirement Req. Type <<satisfy>>
Uc1 Uc2 Uc3
Processing User Request
SS12-1 Constraint X X SecSysController
The system shall only process one user at a time.
Entry Time
SS12-2 The user shall be given sufficient time to enter the secure Constraint X t_Unlocked
area.
Exit Time
SS12-3 The user shall be given sufficient time to exit the secure Constraint X t_Unlocked
area.
Configure Entry and Exit Time Functional
SS12-4 X
The time to enter and exit the area shall be customizable. Requirement
Automatic Securing the Secure Area - Entry
Functional
SS12-5 Once the user has entered the area, the system shall X evAccesspointLocked()
Requirement
automatically secure itself.
Automatic Securing the Secure Area - Exit
Functional
SS12-6 Once the user has exited the area, the system shall X evAccesspointLocked()
Requirement
automatically secure itself.
Image Capture
An image shall be taken of any person, at the initial Functional
MA1 X reqTakeSnapshot()
attempt, when trying to access a secure area for logging Requirement
time and employee ID.
Time Recording
Functional
MA2-1 The time a user spends in a secure area shall be X logExitData()
Requirement
recorded.
Alarm Conditions
Functional
MA2-2 An alarm shall notify if a person stays longer than 10 X checkForTimeLimitViolations()
Requirement
hours in the secure area.
Emergency Exit
In the event of an emergency the administrator can invoke
Functional
E1 a "Free Exit Mode". All security checks for exiting the X
Requirement
area shall be disabled until the administrator returns the
system to normal working.
Security Lockdown
The administrator can invoke a security lockdown mode - Functional
E2 X
in this event the system shall lock all access points until Requirement
the administrator returns the system to normal working.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 97
Appendix
In the case study the focus of the system architecture model was The table below specifies the control logic to be implemented in the
exclusively on the required functionality. Design aspects were SecSysController.
allocated to the respective subsystems as non-functional LED1 LED2 Alarm Remarks
requirements. All interfaces of the architectural components were Default Red Red CR_Entry, CR_Exit
functional also referred to as logical. This paragraph shows, how to Valid Card Green Yellow only CR_Entry => ready for FingerprintScan
consider realization aspects in the system architecture model of the Pass Green Green CR_Entry && approved FingerprintScan, CR_Exit
Security System. Fail <=3 Yellow Red CR_Entry, CR_Exit
Fail > 3 Red Red X CR_Entry, CR_Exit
Based on the results of the trade study it was decided that both the
card readers and the fingerprint scanner should be COTS Also the fingerprint scanner device displays the authorization result
components. The chosen devices are shown in the picture below. and the fingerprint status via two LEDs. But these LEDs are controlled
by the device itself. The communication between the device and the
SecsysContoller is via a bus. The table below specifies the control
logic to be implemented in the FingerprintScanner.
LED1 LED2
Disabled Red Red
Enabled Green Red
Pass Green Green
Fail <=3 Green Yellow
98 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
IBD_SecuritySystem_Extended
1 itsSecuritySystem
2 1 CardReader_Entry 1 itsSecSysController
pSecSysController pCardReader_Entry
1 itsUser
pUser_Entry LED1_Entry:tLED LED1_Entry:tLED
pCardReader_Entry pUser LED2_Entry:tLED LED2_Entry:tLED
1 itsAccessPoint
pCardReader_Exit Alarm_Entry:bool Alarm_Entry:bool
pAccespSS1_10
pFingerprintScanner pAccessPoint pSecSysController
1 CardReader_Exit sPoint
1 itsCamera
pSS1_3
pSecSysController pCardReader_Exit pCamera
pUser_Exit pCamera pSecSysController
pUser LED1_Exit:tLED LED1_Exit:tLED
LED2_Exit:tLED LED2_Exit:tLED 1 itsAdmin
pAdmin
Alarm_Exit:bool Alarm_Exit:bool pAdmin pSecSysController
1 itsFingerprintScanner
pUser_FpScan
pUser pSecSysController pFingerprintScanner
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 99
Appendix
FingerprintScannner_Ctrl_Extended
BiometricScanDisabled
A2.2 Extended State-based Behavior of Subsystems
reqDisableBiometricScan/ reqEnableBiometricScan/
disableBiometricScan(); enableBiometricScan();
In the CardReaderPkg right-click the block CardReader. GEN(evLED1_Red);
GEN(evLED2_Red);
GEN(evLED1_Green);
1
Select Add New Statechart, and BiometricScanEnabled
name it CardReaderCtrl_Extended.
WaitForScanRequest
name it FingerprintScannerCtrl_Extended.
[AuthenticationStatus=="Authenticated"]/
GEN(evLED2_Green);
CardReaderCtrl_Extended
Configuration_CR_Entry
LED1 LED2 chAlarm_Entry[Alarm_Entry==true]/GEN(evAlarmOn);
chAlarm_Entry[Alarm_Entry==false]/GEN(evAlarmOff);
evLED2_Red chLED1_Entry[LED1_Entry==0]/GEN(evLED1_Red);
evLED1_Red
L1Red L2Red chLED1_Entry[LED1_Entry==1]/GEN(evLED1_Yellow);
chLED1_Entry[LED1_Entry==2]/GEN(evLED1_Green);
evLED2_Yellow chLED2_Entry[LED2_Entry==0]/GEN(evLED2_Red);
evLED1_Yellow
L1Yellow L2Yellow chLED2_Entry[LED2_Entry==1]/GEN(evLED2_Yellow);
4 chLED2_Entry[LED2_Entry==2]/GEN(evLED2_Green);
evLED2_Green
evLED1_Green
L1Green L2Green
[BlockType=="Entry"]
evAlarmOn
Alarm_Off Alarm_On [BlockType=="Exit"]
evAlarmOff Configuration_CR_Exit
chAlarm_Exit[Alarm_Exit==true]/GEN(evAlarmOn);
chAlarm_Exit[Alarm_Exit==false]/GEN(evAlarmOff);
chLED1_Exit[LED1_Exit==0]/GEN(evLED1_Red);
WaitForRequest
3 chLED1_Exit[LED1_Exit==1]/GEN(evLED1_Yellow);
chLED1_Exit[LED1_Exit==2]/GEN(evLED1_Green);
reqReadSecurityCard/
chLED2_Exit[LED2_Exit==0]/GEN(evLED2_Red);
readSecurityCard();
chLED2_Exit[LED2_Exit==1]/GEN(evLED2_Yellow);
reqValidateSecurityCard to pSecSysController chLED2_Exit[LED2_Exit==2]/GEN(evLED2_Green);
100 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
ProcessingSecurityCardData_Extended
/ScFailCount=0
ValidatingSecurityCardData 1
[UserRequest=="Exit"] [UserRequest=="Entry"]
[CardStatus=="Valid"]/
setLED1_Entry(Green);
setLED2_Entry(Yellow); CardValid
SecSysControllerCtrl_Extended Fail
[else] [CardStatus=="Valid"]/
ExitControl setLED1_Exit(Green);
[else]
setLED2_Exit(Green);
waitForEntryReques A
reqValidateSecurityCard SecCardFailure
Fail flagSecurityCardFailure(ScFailCount);
[IS_PORT(pCardReader_Entry)]/
UserRequest="Entry";
[ScFailCount<=3]/ [ScFailCount>3]/
[IS_PORT(pCardReader_Exit)]/ reqTakeSnapshot to pCamera if (UserRequest=="Entry") if (UserRequest=="Entry")
UserRequest="Exit"; {setLED1_Entry(Yellow); {setLED1_Entry(Red);
setLED2_Entry(Red);} setLED2_Entry(Red);
else setAlarm_Entry(true);}
ProcessingSecurityCardData_Extended 1 {setLED1_Exit(Yellow); else
setLED2_Exit(Red);} {setLED1_Exit(Red);
CardValid Fail3Times setLED2_Exit(Red);
reqValidateSecurityCard
setAlarm_Exit(true);}
WaitForRequest
Fail3Times
[UserRequest=="Exit"]
[UserRequest=="Entry"]
2 ProcessingBiometricData_Extended ProcessingBiometricData_Extended
2
reqEnableBiometricScan to pFingerprintScanner
/disableUserAccount();
A logAccountData(); /BsFailCount=0
UnlockingAndLockingAccessPoint tm(t_Bs)
WaitForResetAlarm reqDisableBiometricScan to pFingerprintScanner
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 101
Appendix
itsUser SecuritySyst SecuritySyst SecuritySyst SecuritySyst itsCamera itsAccessPoi
em.CardRea em.CardRea em.itsFinger em.itsSecSy nt
der_Entry der_Exit printScanner sController
checkForTimeLimitViolations(TimeLimitFlag = 0)
reqValidateSecurityCard()
execution on the basis of the captured use case scenarios. The validateSecurityCard(CardStatus = Valid)
diagrams). chLED2_Entry()
LED2_Entry = 1
reqEnableBiometricScan()
evLED1_Green()
evLED2_Yellow()
User Interfaces for the Model Execution
enableBiometricScan()
scanBiometricData()
_
Entry _
Exit authenticateBiometricData(AuthenticationStatus = Authenticated)
displayAuthenticationStatus(AuthenticationStatus = Authenticated)
reqSetAuthenticationStatus(AuthenticationStatus = Authenticated)
LED2_Entry = 2
chLED2_Entry()
evLED2_Green()
reqDisableBiometricScan()
reqUnlockAccessPoint()
disableBiometricScan()
tm(1000)
evAccessPointUnlocked()
reqLockAccessPoint()
evAccessPointLocked()
LED1_Entry = 0
• Webify User Interface chLED1_Entry()
LED2_Entry = 0
chLED2_Entry()
evLED1_Red()
evLED2_Red()
102 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
A3 Modeling Guidelines
This chapter specifies the guidelines and best practices to model a system using SysML. These guidelines are a symbiosis of many years of
modeling experience in different industry branches (Aerospace, Defense, Automotive, Telecom, Medical, Industrial Automation, and Consumer
Electronics) and have been proven to significantly enhance the readability of model-based specifications.
It starts with general guidelines and drawing conventions. SysML diagrams that are considered essential and associated elements then are
discussed in detail. Finally, an approach which extends the SysML profile for project-specific needs is described.
• Create simple, focused diagrams with a small number of elements. • Organize diagrams in a hierarchical fashion. Locate diagrams in
As a rule of thumb, avoid placing more than ten major elements packages corresponding to their relative position in the system
(block, use case, actor, etc.) on a diagram. hierarchy.
• Ensure all diagrams can be printed on standard 8.5x11 or A4 • Ensure accurate and complete descriptions are entered for all
paper. model elements to assist in understanding the model and to
facilitate the eventual hand-off of the model. These descriptions
• Arrange elements in diagrams to avoid crossing of lines. All lines must also support the auto-generated documentation from the
should be straight or rectilinear. model.
• Create elements with a consistent size. Avoid clutter and chaos by • Avoid excessive use of description notes in diagrams. It’s generally
arranging elements with equidistant spacing and alignment. recommended to put these descriptions in the description field of
• The default Rhapsody fonts, shapes, symbols, line styles, and the corresponding graphical artifact
colors shall be used consistently in all packages in the model. • Do not use comments in the model.
• Position related elements close together in diagrams.
• Ensure elements in diagrams have the same level of abstraction.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 103
Appendix
System Boundary: Distinguishes the border between the actors Guidelines and Drawing Conventions
and the system containing the use cases. • A system typically has many use cases. To manage this
complexity, group use cases into Use Case Diagrams.
Association: Connects an actor with a use case, indicating which
actors carry out which use cases. • Ensure each use case has a clear goal and that its functionality
falls within the bounds of the system. Keep the goal broad enough
to break the use case down into several scenarios (rule of thumb:
Dependency: Connects two use cases, indicating which use 5<n<25 “sunny day scenarios”).
cases depend on other use cases. For simplicity, only the
<<include>> stereotype should be used for use case dependencies. • Every actor in a use case diagram must be associated with one or
Other stereotypes, like <<extend>>, should be avoided. more use cases. Every use case must be directly associated with
at least one actor
Naming Conventions
• When multiple use case diagrams are defined, use case diagrams
shall be numbered: UCD<Nr> <Use Case Diagram Name>
• When multiple use case diagrams are defined, the name of a use
case shall include the reference to its associated use case
diagram: UCD<Nr>_UC<Nr> <Use Case Name>.
• Note: Use case names may have spaces
• The use case name shall start with a verb.
104 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
User Camera
Elements and Artifacts
1 1 1
Actor: A role that an external user plays with respect to the CardReader_Exit CardReader_Entry 1 1
system. Note: This element is not shown in the Rhapsody toolbar. The «block»
SecSysController
actor needs to be defined in the browser (-> ActorsPkg) and then
dragged into the block definition diagram.
Generalization: Shows the relationship between a more general • The stick figure should only be used to visualize actors that are
system block and a more specific system block. The more specific external to the system. Actors that represent subsystems should
system block is fully consistent with the more general system block be shown as (color-coded) blocks.
and contains additional information or behavior.
Naming Conventions
Dependency: Shows the relationship between two system blocks The name of a block definition diagram should have the pre-fix
in which one block requires the presence of another block. “BDD_”.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 105
Appendix
IBD_SecuritySystem_Extended
1 itsSecuritySystem
1 1 itsSecSysController
CardReader_Entry
pSecSysController pCardReader_Entry
1 itsUser
pUser_Entry LED1_Entry:tLED LED1_Entry:tLED
pCardReader_Entry pUser LED2_Entry:tLED LED2_Entry:tLED
1 itsAccessPoint
pCardReader_Exit Alarm_Entry:bool Alarm_Entry:bool
pAccessPoint
pFingerprintScanner pAccessPoint pSecSysController
1 CardReader_Exit
1
pSecSysController pCardReader_Exit pCamera
pUser_Exit pCamera pSecSysController
pUser LED1_Exit:tLED LED1_Exit:tLED
LED2_Exit:tLED LED2_Exit:tLED 1 itsAdmin
pAdmin
Alarm_Exit:bool Alarm_Exit:bool pAdmin pSecSysController
1 itsFingerprintScanner
pUser_FpScan
pUser pSecSysController pFingerprintScanner
106 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Naming Conventions
• The name of an internal block diagram should have the pre-fix
“IBD_”.
• Parts should keep the default name (its<BlockName) created by
Rhapsody. Only in use case models, the actor instance names
should refer to the use case: (Ucd<Nr>_) Uc<Nr>A_<ActorName>.
• Naming convention for ports: p<CounterpartName>
• Port names should be placed inside the associated part.
• Interface names should be referenced to the sender port.
Naming convention: i<Sender>_<Receiver>
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 107
Appendix
Elements and Artifacts Decision Node: A condition connector splits a single control flow
into multiple branches, each containing a guard. The guards on each
Action: An action represents a primitive operation. In Harmony branch should be orthogonal conditions, though they do not need to
for Systems Engineering also actions stereotyped cover all possibilities. An “else” guard should be added to provide a
<<MessageAction>> are used. These actions contain only messages default branch when no other guards are met.
to and/or from an actor.
Activity Final: Terminates the control flow of the activity
Subactivity: A subactivity that is further decomposed into a set diagram.
of actions and subactivities.
NOTE: A decomposed subactivity cannot partitioned into swim lanes. Diagram Connector: A diagram connector helps manage
If a decomposed sub activity needs to be partitioned into swim lanes diagram complexity by allowing jumping to different sections of the
(ref. architectural design) the parent action should be decomposed activity diagram to avoid line crossing.
using a Call Behavior action (ref. Appendix A5).
Action Pin: In SysML the Input/Output shows the input data of
Call Behavior: References to another activity diagram as an an action. In Harmony for Systems Engineering action pins -
activity (ref. Appendix A5). stereotyped <<ActorPin>> - are used to depict the link between an
action and an actor. In this case the name of the pin has the name of
the associated actor. The arrow in the pin shows the direction of the
Control Flow: Actions are linked via control flow. Execution
respective link (i.e. In, Out or In/Out).
begins in an activity when a transition flows into it. A transition from
an activity fires when the activity has completed and any guard
conditions on the transition have been met.
108 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
«MessageAction»
Guidelines and Drawing Conventions op1
forwardReq
op2
• Actor swim lanes should not be used. The link of an activity to the
actor should be described through action pins, stereotyped reqOp2()
reqOp2()
<<ActorPIN>>>. op2()
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 109
Appendix
AccessPoint
«MessageAction»
unlockAccesspoint
«MessageAction»
lockAccesspoint
itsSecSysController itsAccessPoint
reqUnlockAccessPoint()
t_Unlocked evAccessPointUnlocked()
reqLockAccessPoint()
evAccessPointLocked()
• All activities should have only one exit transition. Any scenarios
where multiple transitions flow out of an activity should be explicitly
drawn using a condition connector or a fork node.
Naming Conventions
• The diagram shall have the associated use case name in plain text
at the top of the diagram.
• Activity names shall start with a verb, beginning with a lover case
letter, and map directly to the names of operations on system
blocks.
110 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Sequence Diagram
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 111
Appendix
112 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Transition: A transition from a state defines the response of a Diagram Connector: A diagram connector helps manage
block in that state to an event. Transitions may flow through one or diagram complexity by allowing jumping to different sections of the
more connectors (defined below) and ultimately route to a new state or statechart diagram to avoid line crossing.
loop back to the original state. Transitions can have actions and
guards that make them conditional. EnterExit Point: A connector that links transitions across
statechart diagrams.
Default Transition: A transition that leads to the state (or the sub
state in an “or” state or “and” state) that should be entered by default. Send Action State: Graphical representation of a send signal
action.
And Line: Used to create an “and” state by dividing a state into
multiple orthogonal, concurrent regions.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 113
Appendix
Uc2ControlExitCtrl
ExitControl ProcessingSecurityCardData
WaitForExitRequest A
reqReadSecurityCard/ /ScFailCount=0
readSecurityCard();
ValidatingSecurityCardData
ProcessingSecurityCardData
validateSecurityCard(CardStatus);...displayCardStatus(CardStatus);
Fail3Times
[CardStatus=="Not Valid"]
[CardStatus=="Valid"]/
reqReadSecurityCard/ SecCardFailure
logExitData();
readSecurityCard(); flagSecurityCardFailure(ScFailCount);
UnlockingAndLockingAccessPoint
reqProcessAlert("Exit Failure") to pAdmin
[ScFailCount>3]
WaitForEntryRequest
evAccessPointLocked [else] Fail3Times
reqResetAlarm/
WaitForResetAlarm resetAlarm(); A
TimeLimitMonitor
CheckingForTimelimitViolations
tm(t_Update)
checkForTimeLimitViolations(TimeLimitFlag);
/TimeLimitFlag=0; [TimeLimitFlag==1]
reqProcessAlert("TimeLimitViolation") to pAdmin • For readability reasons, use Mealy syntax ( event [condition]/action
on transition) wherever possible. Always place the action on a
transition on a new line from the event and guard.
Statechart Diagram • Moore syntax (= action on entry, reaction in state) should be
avoided unless necessary. This feature allows a block to react to
Guidelines and Drawing Conventions events within a state without actually leaving that state via a
transition. Exceptions to this rule include
• If possible, Statechart diagrams should flow vertically from top to • protocol state machines for actors that respond to an input
bottom. The initial state should be located near the top of the with a specific output,
diagram and any termination connectors should be located near • message routing state machines that forward requests from
the bottom of the diagram. one subsystem to another subsystem, and
• Typically, all states should have at least one entry transition and at • actions in action states (ref Appendix A4).
least one exit transition. A “dead end” state should be a very rare Never use “action on exit”.
thing!
• Diagram Connectors should only be used when the readability of a
• Avoid nesting of states beyond 3 or 4 levels. Ensure complex statechart diagram is disturbed by a direct transition.
nesting is simplified with sub state diagrams.
• It is essential that the EnterExit Points connectors have meaningful
• All transition lines should be rectilinear or straight. Transitions names and the two charts that are connected can be shown side
should not cross each other or cross through states. by side, with the connecting transition being easily identifiable.
• Labels should be positioned on the left-hand side of the arrow Using similar positions of the connector on each chart may facilitate
direction. this.
114 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Naming Conventions
• State names should be verbs and indicate the current mode or
condition of the block. Typically names are in the present tense.
Names must be unique among sibling states and should never be
the same as the name of a block or an event.
• Avoid names like “idle” or “wait”.
A3.8 Profiles
A profile extends the UML/SysML with domain-specific tags and
stereotypes. It also allows certain tool-specific properties to be Property Value
overridden to support modeling in a specific domain. These
Activity_diagram>Transition>line_style rectilinear_arrows
customizations can be applied to the entire model or to specific model
elements. Activity_diagram>DefaultTransition>line_style straight_arrows
Statechart>Transition>line_style rectilinear_arrows
Exemplarily Tab.A3-2 shows the properties of a project-specific profile
that supports the modeling guidelines outlined in the previous Statechart>DefaultTransition>line_style straight_arrows
sections. Tab.A3-1 depicts the definition of element tags that was Statechart>CompState>ShowCompName false
added to the profile in order to support the documentation.
SequenceDiagram>General>HorizontalMessageType Event
SequenceDiagram>General>SelfMessageType PrimitiveOperation
SequenceDiagram>General>ShowwAnimStateMark false
Tag Applicable To Type ObjectModelGe>Actor>ShowName Name_only
Use Case ObjectModelGe>Class>ShowName Name_only
PreCondition Sequence Diagram String
ObjectModelGe>Object>ShowName Name_only
Primitive Operation
ObjectModelGe>Inheritance>line_style rectilinear_arrows
Use Case
ObjectModelGe>Depends>line_style rectilinear_arrows
PostCondition Sequence Diagram String
Primitive Operation ObjectModelGe>Class>ShowPorts false
Tab.A3-1 Project-Specific Tags Defined in a Profile Tab.A3-2 Project-Specific Properties Defined in a Profile
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 115
Appendix
Uc2Sc2
Fig.A4-3
Uc-Scenario Uc2_Sc2
Fig.A4-1 Use Case Black-Box Activity Diagram Uc2 ControlExit
116 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Step 1.1: Identify Wait States Step 1.2: Identify Action States
In a Wait State an object waits for an event to happen. It consumes An action state is a state whose purpose is to execute an entry action,
time while waiting for the event. after which it takes a completion transition to another state. It is a kind
of dummy state that is useful for organizing state machines into logical
In the use case black-box activity diagram identify actions with IN actor structures.
pins. In the use case black-box sequence diagrams (Fig.A4-2,
Fig.A4-3) identify the messages (receptions) that trigger the selected In the use case black-box activity diagram identify actions with multiple
actions. For each of the identified actions create in the statechart outgoing completions with guard conditions. For each of these actions
diagram a wait state named WaitFor<ReceptionName>. create in the statechart diagram an action state with the name of the
In cases where the use case black-box sequence diagram shows a action (naming convention: <ActionName>ing ) and allocate the
timeout event (Fig.A4-2: t_Unlocked)), create in the statechart diagram relevant action to it using MOORE syntax.
a wait state with a name that describes the actual system status NOTE: Besides the output-relevant action, an action-state may also
(Fig.A4-4: AccessPointUnlocked). have additional context-related actions allocated to it (Fig.A4-5: action
state ValidatingSecurityCard).
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 117
Appendix
Step 2.1: Identify the initial state Step 2.2: Identify transitions, triggering events,
and associated actions
Mark the initial state with a Default Connector. If attributes need to be
initialized (e.g. ScFailCount in Fig.A4-6), add respective actions to the The transitions between the states and associated triggering events –
default connector. including guarded condition(s) - are identified through analysis of the
captured black-box use case sequence diagrams.
118 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Note the different transitions out of the composite state. In the case of
Step 3: Structure the Statechart hierarchically CardStatus==”Pass” the triggering condition and associated action is
captured in the top-level statechart (Fig.A4-8) as a high-level interrupt.
Step 3.1: Identify state hierarchies In the case of a third-time failure, the respective triggering condition
and associated action is captured within the ProcessingSecurityCard
Once the flat statechart is verified, look for ways to simplify it by state and linked to the top-level statechart via an EnterExit point
structuring it hierarchically. Identify states that can be aggregated. (Fail3Times).
Grouping criteria could be e.g.
• System modes
• System phases or
• Reuse of state patterns
Also look for situations where the aggregation of state transitions
simplifies the statechart. Inspection of the flat statechart reveals that
- ValidatingSecurityCard,
- FlagingSecurityCardFailure, and
- WaitFor_reqReadSecurityCard in the case of a card failure
can be considered sub-states of a composite state called
ProcessingSecurityCard (Fig.A4-7). As ScFailCount is a local
attribute, its initialization is added to the default entry of the composite
state. Furthermore, the substates FlagingSecurityCardFailure and Fig.A4-8 Composite State UnlockingAndLockingAccessPoint
WaitFor_reqReadSecurityCard can be aggregated in the composite
state ValidationFail, thus denoting the fail mode within the States in the flat statechart Fig.A4-6 that relate to the access point
ProcessingSecurityCard state. control can be aggregated into the composite state
UnlockingAndLockkingAccessPoint, as shown in Fig.A4-8 This state
includes the messages sent to the access point.
Furthermore, the states WaitFor_evAccessPointUnlocked and
WaitFor_evAccessPointLocked can be merged to one wait state called
WaitForAccessPointFeedback. The exit out of the composite state is
captured in the top-level statechart.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 119
Appendix
Fig.A4-9 shows the final structure of the top-level statechart of the use
case Uc2ControlExit.
120 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
The next steps are iteratively repeated for each selected operation.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 121
Appendix
User Uc1_HomingAndManualMode
reqSetOpMode(OpMode)
setOpMode(OpMode)
reqSetAxis(Axis)
setAxis(Axis)
reqMoveAxis()
moveAxis()
Uc1HomingAndManualModeBlackBocView HomingAndManualModeCtrl
User evReturn
[params-> WaitForModeReq
setOpMode
OpMode=="Homing"]
HomingMode reqSetOpMode
[OpMode=="Homing"]
Homing [params->
OpMode=="Manual"]
User [OpMode == "Manual"]
ManualMode
setAxis /setOpMode("Manual");
WaitForAxisReq movingAxisB
User User
[Axis == "AxisA"] reqSetAxis /setAxis("AxisB");
moveAxisA [Axis == "AxisB"] moveAxisB
movingAxisA [params-> [params-> movingAxisB WaitForMvCmd
User [else] User Axis=="AxisA"] Axis=="AxisB"]
[Axis == "AxisC"] reqMoveAxis/
moveAxisC [Axis == "AxisD"] moveAxisD moveAxisB()
movingAxisC [params-> [params-> movingAxisD
Axis=="AxisC"] Axis=="AxisD"] movingAxis
User [else]
User
Use Case Black-Box Activity Diagram Use Case Block Statechart Diagram
Fig.A5-2 Use Case HomingAndManualMode: Functional and State-based Behavior at the System Level (Level 0)
122 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
moveAxisB_Sc1
User Uc1_HomingAndManualMode
Step 3: Decompose the selected operation moveAxisB_Sc2
reqSetDirection(Direction)
reqSetDirection(Direction)
The decomposition of an operation is described in a new Activity
DirectionA selected
setDirection(Direction)
that a subactivity chart cannot be partitioned into swim lanes. The reqSetSpeed(Speed) checkPosAxisC()
opt
Name the original Activity Diagram Level0 and
[AxisA isHomed] alt [AxisB isHomed]
reqMoveAxisB()
2 reqMoveAxisB()
name the new Activity Diagram Level1_moveAxisB mvCmddAxisB_Normal()
mvCmddAxisB_Normal()
[else]
reqMoveAxisB()
mvCmddAxisB_Slow()
Level1_moveAxisB
User
setDirection
1
User
setSpeed
2
[UserInput == DirectionA] [UserInput == DirectionB]
checkPosAxisC checkPosAxisA
[else]
Step 3.2: Define the Functional Flow at the Decomposed Level
[inSafePos]
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 123
Appendix
Move the Reference Activity Diagram Level1_moveAxisB into the Verify the link by creating an extended black-box use case scenario by
1
parent activity diagram. means of the SE-Toolkit feature Create New Scenario from Activity
NOTE: Rhapsody creates in the parent activity diagram a Call Diagram.
Behavior Activity with the name of the reference activity diagram. Uc1Sc1Extended
Replace the action that was decomposed by the call behavior User Uc1_HomingAndManualMode
2
activity.
NOTE: Do not add actor pins to the activity as the interactions message_0()
setOpMode(OpMode)
with the actors is captured in the lower hierarchy.
message_1()
setAxis(Axis)
message_2()
setDirection(Direction)
message_3()
setSpeed(Speed)
checkPosAxisC()
1 checkPosAxisE()
Level1_moveAxisB checkStatusAxisB()
message_4()
mvCmddAxisB_Normal()
2 message_5()
setOpMode(OpMode)
124 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Step 5: Link RefAD scenarios to parent Step 6: Update port(s) and interface(s)
black-box use case scenarios of the use case block
In the use case black-box scenarios replace the operation that was Update the use case block port(s) and interface(s) by means of the
decomposed and its associated service request message by an SE-Toolkit feature Create Ports And Interfaces.
Interaction Operator that references to the RefAD scenarios. Name it
<DecomposedOperationName>_Scenarios.
The interaction operator contains the links to the scenarios that were Step 7: Extend the state-based behavior
derived from the Reference Activity Diagram. of the use case block
• Alternative 1:
User Uc_Uc1HomingAndManualMode
Modify/extend the existing use case block statechart.
User Uc1_HomingAndManualMode
• Alternative 2:
reqSetOpMode(OpMode) reqSetOpMode(OpMode)
setOpMode(OpMode)
Create a copy of the existing use case block statechart
setOpMode(OpMode)
and modify/extend the copy.
reqSetAxis(Axis) reqSetAxis(Axis)
setAxis(Axis) setAxis(Axis) It is recommended to create a new use case block statechart and
reqMoveAxisB()
make it Main Behavior as shown below.
Ref
moveAxisB()
moveAxixB_Scenarios
moveAxisB_Scenarios
User Uc_Uc1HomingAndManualMode
alt
Ref Fig.A5-7 shows the extended statechart of the use case block. Note
moveAxisB_Sc2 the EnterExit point (UnsafePos) that was added to the state
ref. Scenarios in Fig. A5-3
movingAxisB in the top-level statechart. It captures the exit from the
Ref
moveAxisB_Sc1
substate in case of an anticipated envelope conflict with other axes.
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 125
Appendix
movingAxisB
/setAxis("AxisB");
reqSetAxis(Axis = AxisB)
[MvDirection=="DirectionA"] [MvDirection=="DirectionB"]
setAxis(Axis = AxisB)
checkingPosAxisC
reqSetDirection(Direction = DirectionA)
checkPosAxisC(PosAxisC);
checkingPosAxisA
setDirection(Direction = DirectionA)
[PosAxisC=="inSafePos"]
checkPosAxisA(PosAxisA);
checkingPosAxisE reqSetSpeed(Speed = 2.5)
checkPosAxisE(PosAxisE); [PosAxisA=="inSafePos"]
setSpeed(Speed = 2.5)
[PosAxisE=="inSafePos"]
checkPosAxisC(PosAxisC = inSafePos)
checkingStatusAxisB
movingAxis evReturn()
[StatusAxisB!="isHomed" &&
MvDirection=="DirectionA"]
[else]
movingAxisSlow movingAxisNormal
mvCmddAxisB_Slow(); mvCmddAxisB_Normal();
Fig.A5-7 Extended State-Based Behavior of the Use Case Block Fig.A5-8 Animated Sequence Diagram (Extended Uc1Sc1)
126 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
User
setDirection
User
setSpeed «MessageAction»
retSpeed
«MessageAction»
checkPosAxisC
retPosAxisA
[inSafePos]
checkPosAxisE
«MessageAction»
retStatusAxisB
[else]
[inSafePos]
checkStatusAxisB
[isHomed] [isHomed]
mvCmddAxisB_Normal
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 127
Appendix
The language is case sensitive. That is, “evmove” is different from The “cout” operator prints to the screen. Elements to be printed are
“evMove”. Each statement must end with a semi-colon. separated by the “<<” operator. Text strings are surrounded by double
All names must start with a letter and cannot contain spaces. Special quotes. Attributes are referenced using their names. The “endl”
characters are not permitted in names, except for underscores (_). operator prints a carriage return. So, to print out the current value of
However, a name should never start with an underscore. X, use the following command:
The following words are reserved and should not be used for names: cout << “The value of X is “ << X << endl;
asm, auto, break, case, catch, char, class, const, continue, default,
delete, do, double, else, enum, extern, float, for, friend, GEN, goto, id, If the current value of X is 5, this statement prints the following
if, inline, int, IS_IN, IS_PORT, long, new, operator, OPORT, message on the screen:
OUT_PORT, params, private, protected, public, register, return, short, The value of X is 5
signed, sizeof, static, struct, switch, template, this, throw, try, typedef,
union, unsigned, virtual, void, volatile, while.
Comparison Operators
Assignment and Arithmetic Operators
X==5 (X equal to 5)
X=1 (Sets X equal to 1)
X!=5 (X not equal to 5)
X=Y (Sets X equal to Y)
X<3 (X less than 3)
X=X+5 (Adds 5 to X)
X<=3 (X less than or equal to 3)
X=X-3 (Subtracts 3 from X)
X>4 (X greater than 4)
X=X*4 (Multiplies X by 4)
X>=4 (X greater than or equal to 4)
X=X/2 (Divides X by 2)
X>2 && X<7 (X greater than 2 and X less than 7
X=X%5 (Sets X to the remainder of X divided by 5)
X<2 || X==7 (X less than 2 or X equal to 7)
X++ (Increments X by 1)
X-- (Decrements X by 1)
128 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Conditional Statements The “while” statement is used for conditional looping. This statement
has a single conditional expression and iterates so long as it evaluates
Conditional statements begin with the keyword “if” followed by a to true. The previous example could be implemented using a “while”
conditional expression in parenthesis, followed by the statement to statement as follows:
execute if the condition evaluates to true. You can optionally add the X=0;
“else” keyword to execute a statement if the condition evaluates to while(X<=10)
false. The “else” clause can contain another nested “if” statement as {
well. For example: cout << X << endl;
X++;
if (X<=10) }
X++;
else
X=0; Invoking Operations
Multiple statements can be grouped together by placing them in curly
braces. To invoke an operation on a block, use the operation name followed
if (X<=10) by parenthesis. For example, to invoke the “go” operation:
{ go();
X++;
cout << “The value of X is ” << X << endl; If an operation takes parameters, place them in a comma-separated
} list. For example, to invoke the “min” operation with two parameters:
else
{ min(X,Y);
X=0;
cout << “Finished” << endl;
} Generating Events
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 129
Appendix
The “IS_PORT” keyword is used to test whether the event that caused
the current transition arrived through a specific port. For example:
if (IS_PORT(p2))…
130 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 131
Appendix
132 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.
Appendix
Architectural Design
Link
Sys Reqs to Stakeholder Reqs SE-Toolkit Feature: #1.7 Merge Propertied
with satisfy Dependency of UC Blocks in SuD Block SE-Toolkit Feature: #10
Define
System-Level Use Cases Decompose SE-Toolkit Feature: #12
System Block into Parts
Link
Use Case to Reqs SE-Toolkit Feature: #1.7
with trace Dependency Graphically allocate Operations SE-Toolkit Feature: #5, #11, #15/16
In UC White-Box Activity Diagram
[else]
[All requirements [Next Use Case]
traced to Use Cases]
[else]
Derive [else]
SE-Toolkit Feature: #9
UC Statebased Behavior
Define
SE-Toolkit Feature: #7, #8, #17
Ports and Interfaces
Verify / Validate
UC Model
Define
State-Based Behavior of Blocks SE-Toolkit Feature: #9
Link
UC Block Properties to Reqs SE-Toolkit Feature: #1.7
with trace Dependency
Verify
System Architecture Model
[Next Use Case]
[else]
Design Synthesis
System Functional Analysis
© Copyright IBM Corporation 2006, 2011. All Rights Reserved. Systems Engineering Best Practices Deskbook | 133
Appendix
7 References
[1] SysML 1.0 Specification
http://www.omgsysml.org
134 | Systems Engineering Best Practices Deskbook © Copyright IBM Corporation 2006, 2011. All Rights Reserved.