Lecture 13: Requirements Analysis

Similar documents
! Role of RE in software and systems engineering! Current techniques, notations, methods, processes and tools used in RE

CSC2106S Requirements Engineering

Week 2 Class Notes 1

Red Dragon. Feasibility of a Dragon-derived Mars lander for scientific and human-precursor missions. May 7, 2013

R2U2 in Space: System & Software Health Management for Small Satellites

How Software Errors Contribute to Satellite Failures -

SOFT 423: Software Requirements

A New Systems-Theoretic Approach to Safety. Dr. John Thomas

A New Approach to Safety in Software-Intensive Systems

Lessons Learned: 100 Questions That Should Be Asked during Technical Reviews

Focusing Software Education on Engineering

Goals for this Lecture. Lecture 5: Introduction to Analysis. Requirements Engineering. IEEE definition of requirement

Lecture 9: Estimation and Prioritization" Project Planning"

University of Toronto. CSC340F Information Systems Analysis and Design

Stanford Center for AI Safety

Why Projects Fail. NASA s Mars Climate Orbiter Project. Case Study. A High Tech, High Profile Failure

Chapter 7 Information Redux

Robotics for Space Exploration Today and Tomorrow. Chris Scolese NASA Associate Administrator March 17, 2010

Spacecraft Autonomy. Seung H. Chung. Massachusetts Institute of Technology Satellite Engineering Fall 2003

ATPE Simulator: Simulation Tool for Onboard GNC Development and Validation

Engineering Sciences and Technology. Landing on Mars

Dan Dvorak and Lorraine Fesq Jet Propulsion Laboratory, California Institute of Technology. Jonathan Wilmot NASA Goddard Space Flight Center

Requirements Analysis aka Requirements Engineering. Requirements Elicitation Process

AVSS Project. ENAE483 Fall 2012

Key Areas for Collaboration

Understand that technology has different levels of maturity and that lower maturity levels come with higher risks.

OUTLINE. Mars Program Independent Assessment Team Report dated 3/14/00 (This Report)

By the end of this chapter, you should: Understand what is meant by engineering design. Understand the phases of the engineering design process.

Introduction to Real-time software systems Draft Edition

Ethics. Paul Jackson. School of Informatics University of Edinburgh

Exercise 10. Linear Slides EXERCISE OBJECTIVE

Operating Instructions

Assurance Cases The Home for Verification*

Domain Understanding and Requirements Elicitation

Software processes, quality, and standards Static analysis

VEHICLE INTEGRATED NAVIGATION SYSTEM

Intro to Systems Theory and STAMP John Thomas and Nancy Leveson. All rights reserved.

Towards Integrated System and Software Modeling for Embedded Systems

HOLY ANGEL UNIVERSITY COLLEGE OF INFORMATION AND COMMUNICATIONS TECHNOLOGY ROBOT MODELING AND PROGRAMMING COURSE SYLLABUS

How to Guide: Controlling Blinds in C-Bus

DUSD (S&T) Software Intensive Systems

Jet Propulsion Laboratory

Professor Hausi A. Müller PhD PEng FCAE Department of Computer Science Faculty of Engineering University of Victoria

CHAPTER 1: INTRODUCTION TO SOFTWARE ENGINEERING DESIGN

Overview of Recent Lunar Robotic Science and Exploration Studies at JPL

The Virtual Spacecraft Reference Facility

Engineering Diploma Resource Guide ST150 ETP Research & Design (Engineering)

Designing for recovery New challenges for large-scale, complex IT systems

Morse Code Autonomous Challenge. Overview. Challenge. Activity. Difficulty. Materials Needed. Class Time. Grade Level. Learning Focus.

Back to the Basics Current Transformer (CT) Testing

The International Lunar Network (ILN) and the US Anchor Nodes mission

Some prior experience with building programs in Scratch is assumed. You can find some introductory materials here:

Mars Climate Orbiter. Mishap Investigation Board. Phase I Report

Engineering for Success in the Space Industry

ARGUING THE SAFETY OF MACHINE LEARNING FOR HIGHLY AUTOMATED DRIVING USING ASSURANCE CASES LYDIA GAUERHOF BOSCH CORPORATE RESEARCH

Mechatronics Engineering and Automation Faculty of Engineering, Ain Shams University MCT-151, Spring 2015 Lab-4: Electric Actuators

A Methodology for Effective Reuse of Design Simulators in Operational Contexts: Lessons Learned in European Space Programmes

Case study Acceleration test. Abbie Hutty Spacecraft Structures Engineer, Airbus Defence and Space

2014 Mechatronics. Higher. Finalised Marking Instructions

COVENANT UNIVERSITY NIGERIA TUTORIAL KIT OMEGA SEMESTER PROGRAMME: MECHANICAL ENGINEERING

The Evolution of Nano-Satellite Proximity Operations In-Space Inspection Workshop 2017

Connect + compatible

LESSONS LEARNED TELEMTRY REDUNDANCY AND COMMANDING OF CRITICAL FUNCTIONS

ARTES Competitiveness & Growth Full Proposal. Requirements for the Content of the Technical Proposal

EE 215 Semester Project SPECTRAL ANALYSIS USING FOURIER TRANSFORM

Switch-on-to-Fault Schemes in the Context of Line Relay Loadability

SENSORS SESSION. Operational GNSS Integrity. By Arne Rinnan, Nina Gundersen, Marit E. Sigmond, Jan K. Nilsen

Human-Computer Interaction

[ 4 ] Using pulse train input (F01 = 12)

Autonomous and Autonomic Systems: With Applications to NASA Intelligent Spacecraft Operations and Exploration Systems

Scheduling Algorithms Exploring via Robotics Learning

Rev.8 03/08 SSRMAN-1P SERIES USERS MANUAL SSR INTELLIGENT PHASE ANGLE CONTROL MODULE COPYRIGHT 2008 NUWAVE TECHNOLOGIES, INC.

Proximity Operations Nano-Satellite Flight Demonstration (PONSFD) Overview

APPROXIMATE KNOWLEDGE OF MANY AGENTS AND DISCOVERY SYSTEMS

FINAL - EST Electrical Service Technician Answer Schedule

Dipartimento di Elettronica Informazione e Bioingegneria Robotics

Dr. Carl Brandon & Dr. Peter Chapin Vermont Technical College (Brandon),

VARIABLE FREQUENCY DRIVE SPECIFICATION

Built-in soft-start feature. Up-Slope and Down-Slope. Power-Up safe start feature. Motor will only start if pulse of 1.5ms is detected.

ExoMars and Beyond. Thales Alenia Space. Feb 28th, 9:00 AM. Follow this and additional works at:

Autonomous Control for Unmanned

Call for Ideas. for the Next Exploration Science and Technology Mission of the European Space Exploration Programme - Aurora

ANTENNA ELEMENTS INTEGRATED INTO THE PARACHUTES OF PLANETARY ENTRY PROBES

COMET DISTRIBUTED ELEVATOR CONTROLLER CASE STUDY

MICROSCOPE Mission operational concept

General Support Technology Programme (GSTP) Period 6 Element 3: Technology Flight Opportunities (TFO)

SWEN 256 Software Process & Project Management

The light sensor, rotation sensor, and motors may all be monitored using the view function on the RCX.

Gyroscopic Landing Gear controller and sequencer GS-200. Users Guide.

Integrating Spaceborne Sensing with Airborne Maritime Surveillance Patrols

Lecture 10, Part 1: Non-Functional Requirements (NFRs)

P/N: AX TECHNICAL DATASHEET #TDAX Single Input, Dual Output Valve Controller 1 Universal Input, +5V reference CAN (SAE J1939)

Capability in Complexity SHOAL-REPORT J590

Fault Management Architectures and the Challenges of Providing Software Assurance

Digiflight II SERIES AUTOPILOTS

Embedded Robotics. Software Development & Education Center

Case 1 - ENVISAT Gyroscope Monitoring: Case Summary

Worksheet Answer Key: Tree Measurer Projects > Tree Measurer

Lecture 2: Embedded Systems: An Introduction

Leveraging Simulation to Create Better Software Systems in an Agile World. Jason Ard Kristine Davidsen 4/8/2013

Transcription:

Lecture 13: Requirements Analysis 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 1 Mars Polar Lander Launched 3 Jan 1999 Mission Land near South Pole Dig for water ice with a robotic arm Fate: Arrived 3 Dec 1999 No signal received after initial phase of descent Cause: Several candidate causes Most likely is premature engine shutdown due to noise on leg sensors 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 2 1

What happened? We don t know for sure: spacecraft not designed to send telemetry during descent This decision severely criticized by review boards Possible causes: 1. Lander failed to separate from cruise stage (plausible but unlikely) 2. Landing site too steep (plausible) 3. Heatshield failed (plausible) 4. Loss of control due to dynamic effects (plausible) 5. Loss of control due to center-of-mass shift (plausible) 6. Premature Shutdown of Descent Engines (most likely!) 7. Parachute drapes over lander (plausible) 8. Backshell hits lander (plausible but unlikely) 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 3 Cause of error Premature Shutdown Scenario Magnetic sensor on each leg senses touchdown Legs unfold at 1500m above surface software accepts transient signals on touchdown sensors during unfolding Factors System requirement to ignore the transient signals But the software requirements did not describe the effect Engineers present at code inspection didn t understand the effect Not caught in testing because: Unit testing didn t include the transients Sensors improperly wired during integration tests (no touchdown detected!) Result of error Engines shut down before spacecraft has landed estimated at 40m above surface, travelling at 13 m/s estimated impact velocity 22m/s (spacecraft would not survive this) nominal touchdown velocity 2.4m/s 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 4 2

SYSTEM REQUIREMENTS 1) The touchdown sensors shall be sampled at 100-Hz rate. The sampling process shall be initiated prior to lander entry to keep processor demand constant. However, the use of the touchdown sensor data shall not begin until 12 meters above the surface. 2) Each of the 3 touchdown sensors shall be tested automatically and independently prior to use of the touchdown sensor data in the onboard logic. The test shall consist of two (2) sequential sensor readings showing the expected sensor status. If a sensor appears failed, it shall not be considered in the FLIGHT SOFTWARE REQUIREMENTS 3.7.2.2.4.2 Processing a. The lander flight software shall cyclically check the state of each of the three touchdown sensors (one at 100 Hz during EDL. b. The lander flight software shall be able to cyclically check the touchdown event state with or without touchdown event generation enabled. c. Upon enabling touchdown event generation, the lan flight software shall attempt to detect failed sens marking the sensor as bad when the sensor indicat touchdown state on two consecutive reads. d. The lander flight software shall generate the landin event based on two consecutive reads indicating touchdown from any one of good the touchdown sensors. descent engine termination decision. 3) Touchdown determination shall be based on two. sequential reads of a single sensor indicating touchdown. Adapted Figure from 7-9. the MPL Report System of Requirements the Loss of Mapping the Mars to Flight Polar Software Lander Requirements and Deep Space 2 Missions -- JPL Special Review Board (Casani Report) - March 2000. See http://www.nasa.gov/newsinfo/marsreports.html 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 5 Quality = Fitness for purpose Software technology is everywhere Affects nearly all aspects of our lives But our experience of software technology is often frustrating/disappointing Software is designed for a purpose If it doesn t work well then either: the designer didn t have an adequate understanding of the purpose or we are using the software for a purpose different from the intended one Requirements analysis is about identifying this purpose Inadequate understanding of the purpose leads to poor quality software The purpose is found in human activities E.g. Purpose of a banking system comes from the business activities of banks and the needs of their customers The purpose is often complex: Many different kinds of people and activities Conflicting interests among them 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 6 3

Designing for people What is the real goal of software design? Creating new programs, components, algorithms, user interfaces,? Making human activities more effective, efficient, safe, enjoyable,? How rational is the design process? Hard systems view: Software problems can be decomposed systematically The requirements can be represented formally in a specification This specification can be validated to ensure it is correct A correct program is one that satisfies such a specification Soft systems view: Software development is is embedded in a complex organisational context There are multiple stakeholders with different values and goals Software design is part of an ongoing learning process by the organisation Requirements can never be adequately captured in a specification Participation of users and others throughout development is essential Reconciliation: Hard systems view okay if there is local consensus on the nature of the problem 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 7 Separate the problem from the solution A separate problem description is useful: Most obvious problem might not the right one to solve Problem Situation Problem statement can be discussed with stakeholders Problem statement can be used to evaluate design choices Problem statement is a source of good test cases Still need to check: Solution correctly solves the stated problem Problem statement corresponds to the needs of the stakeholders Correspondence Correctness Problem Statement Implementation Statement Verification Validation System 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 8 4

But design changes the world change Problem Situation System implementation statement abstract model of world problem statement 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 9 Intertwining of problems and solutions Independent General Implementation Dependence Dependent Path of exploration Level of Detail Detailed Problem Statement Implementation Statement 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 10 5

A problem to describe E.g. land a spacecraft on Mars mission goals cost savings gravity landing sites project team safety margins bus management altitude error recovery elapsed time memory management touch sensors command sequences thrusters timers things the machine cannot observe shared things things private to the machine 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 11 Thinking about Software Requirements D - domain properties R - requirements C - computers P - programs Domain Properties (assumptions): things in the application domain that are true whether or not we ever build the proposed system (System) Requirements: things in the application domain that we wish to be made true by delivering the proposed system Many of which will involve phenomena the machine has no access to A (Software) Specification: is a description of the behaviours that the program must have in order to meet the requirements Can only be written in terms of shared phenomena! 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 12 6

Fitness for purpose? Two correctness (verification) criteria: The Program running on a particular Computer satisfies the Specification The Specification, in the context of the given domain properties, satisfies the requirements Two completeness (validation) criteria: We discovered all the important requirements We discovered all the relevant domain properties Example: Requirement R: Reverse thrust shall only be enabled when the aircraft is moving on the runway Domain Properties D: Wheel pulses on if and only if wheels turning Wheels turning if and only if moving on runway Specification S: Reverse thrust enabled if and only if wheel pulses on Verification: S, D R 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 13 Another Example Requirement R: The database shall only be accessible by authorized personnel Domain Properties D: Authorized personnel have passwords Passwords are never shared with non-authorized personnel Specification S: Access to the database shall only be granted after the user types an authorized password S + D entail R But what if the domain assumptions are wrong? 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 15 7

But we can also move the boundaries E.g. Elevator control system: people waiting people in the elevator people wanting to go to a particular floor Elevator motors Safety rules Elevator call buttons Floor request buttons button lights Current floor indicators Motor on/off Door open/close Scheduling algorithm Control program We can shift things around: E.g. Add some sensors to detect when people are waiting This changes the nature of the problem to be solved 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 17 Observations Analysis is not necessarily a sequential process: Don t have to write the problem statement before the solution statement (Re-)writing a problem statement can be useful at any stage of development RE activities continue throughout the development process The problem statement will be imperfect RE models are approximations of the world will contain inaccuracies and inconsistencies will omit some information. assess the risk that these will cause serious problems! Perfecting a specification may not be cost-effective Requirements analysis has a cost For different projects, the cost-benefit balance will be different Depends on the consequences of getting it wrong! Problem statement should never be treated as fixed Change is inevitable, and therefore must be planned for There should be a way of incorporating changes periodically 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 18 8

What do Requirements Analysts do? Starting point Some notion that there is a problem that needs solving e.g. dissatisfaction with the current system e.g. a new business opportunity e.g. a potential saving of cost, time, resource usage, etc. A Requirements Analyst is an agent of change The requirements analyst must: identify the problem / opportunity Which problem needs to be solved? (identify problem Boundaries) Where is the problem? (understand the Context/Problem Domain) Whose problem is it? (identify Stakeholders) Why does it need solving? (identify the stakeholders Goals) When does it need solving? (identify Development Constraints) What might prevent us solving it? (identify Feasibility and Risk) How might a software system help? (collect some Scenarios / Use Cases) 2008 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license. 19 9

2024 © hobbydocbox.com Privacy Policy | Terms of Service | Feedback