1.1 Outline of Our Method
Our method is conceptually simple: we ground our view of a desired computer
system (or “silicon package”) in the external physical world. This is the problem
world whose phenomena are to be measured and influenced by the overall system.
Having agreed with the customer the desired behaviour in the problem world,
we record (and again obtain confirmation of acceptability) assumptions about
the physical components outside the computer itself. Only then do we derive the
specification of the software to run in the computer.
To some developers, it may seem surprising to begin by discussing external
physical phenomena, most of which the program can influence only indirectly.
Programs can only receive and send signals: they do not directly experience
or control any other phenomena of the problem world. So our message can be
stated negatively: the method discourages designers from jumping too early into
writing a specification of the control software.
To use our method a number of technical issues have had to be settled. How
these are resolved is discussed in Section 1.3.
As indicated, our proposed approach is first to specify the requirements of the
overall system in the physical (problem) world; then to determine (and record
as rely conditions) necessary assumptions about components of that physical
world; and only then to derive a specification of the computational part of the
control system (the symbolic world). See Figure 1.
Fig. 1. A representation of the overall method (figure: the Physical World and the Control System, linked by the Rely Conditions)
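As an added illustration (not from the chapter), the three layers of the method are modelled for a hypothetical thermostat: a requirement stated on the actual room temperature, rely conditions on the sensor and heater, and a derived software specification over sensor readings only. An exhaustive one-step check confirms that the software spec together with the rely conditions implies the requirement; every numeric value is constructed for the example.

```python
# Toy model of the method (constructed example, not from the chapter):
#   rely conditions (physical world)  and  software spec  =>  requirement.
from fractions import Fraction as F

LOW, HIGH = F(18), F(22)   # requirement: ACTUAL room temperature stays in [LOW, HIGH]
EPS = F(1, 2)              # rely: a sensor reading is within EPS of the actual value
STEP = F(1)                # rely: heater on adds STEP per tick, heater off removes STEP

def requirement(actual_trace):
    """R, expressed in problem-world terms (actual temperature, not readings)."""
    return all(LOW <= t <= HIGH for t in actual_trace)

def rely_sensor(actual, reading):
    """Assumption about the sensor that the software is allowed to rely on."""
    return abs(actual - reading) <= EPS

def software_spec(reading):
    """Derived spec: the program sees only readings and emits only a heat command."""
    return reading < (LOW + HIGH) / 2      # heat when the reading is below the midpoint

def world_step(actual, heat):
    """Rely condition on heater and room: one tick of the physical plant."""
    return actual + STEP if heat else actual - STEP

def one_step_invariance(grid=F(1, 4)):
    """Inductive check: from every in-range actual value and every sensor error
    permitted by the rely condition, one tick keeps the requirement true."""
    t = LOW
    while t <= HIGH:
        err = -EPS
        while err <= EPS:
            reading = t + err
            assert rely_sensor(t, reading)          # stay inside the rely condition
            if not requirement([world_step(t, software_spec(reading))]):
                return False
            err += grid
        t += grid
    return True

def simulate(actual0, errors):
    """Run a trace under a given sequence of sensor errors; returns actual temperatures.
    Errors larger than EPS model a sensor fault that breaks the rely condition."""
    trace, t = [actual0], actual0
    for e in errors:
        t = world_step(t, software_spec(t + e))
        trace.append(t)
    return trace
```

A sensor error outside EPS (a fault the rely condition does not cover) lets the requirement fail even though the software meets its spec, which is why tolerating such faults means capturing them in the rely conditions rather than in the software alone.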
Most open systems must be designed to tolerate failures in the physical components — both in the sensors and actuators, and in other components not
directly interfaced to the computer. This requirement for fault-tolerance complicates the problem of deriving a specification by introducing conflicting needs
into the development process. On the one hand, it is necessary to understand
and capture enough of the complexity of the possible problem world behaviours
to accommodate a sufficient class of faults to achieve the desired degree of fault-tolerance. On the other hand, it is important to maintain clarity in the set of