Monday 2 December 2019

Landscape At a Distance

The landscape is what we choose to see when we look out at the physical universe from our particular point of view. We structure and interpret our view of the landscape according to our needs and purposes. For software engineers working on a cyber-physical system the landscape can look like this:

The bipartite system is the central landscape feature: its two parts are the machine and the governed world, interacting at the interface labelled a.

The machine is the computing equipment we introduce into the world. It may be all or part of several computers, but in earlier development stages we see it as one computing machine, in which we structure the software to reflect the structure of the system behaviour. Software deployment on physical computers must wait for a later stage.

The governed world contains parts of the physical world whose behaviour is governed by the machine executing the software we develop. In a critical system, the governed behaviour is the critical dependable behaviour for which the software engineers take full professional responsibility.

The requirements world is those parts of the world in which stakeholders' requirements stipulate effects and consequences that the desired system behaviour must produce. It does not include the machine, which is instrumental in satisfying the requirements but is not itself directly subject to stakeholder requirements. It includes the governed world, but it also includes behaviours to satisfy requirements that resist formal treatment—for example, ecological, social and economic concerns—and whose satisfaction is therefore not guaranteed.

The environment is the universe beyond the machine and the requirements world, extended both in space and time. Inescapably, any system is designed only for an environment niche, where enough of its design models and assumptions are valid to allow continued operation. For example, an automotive system cannot operate underwater or in an earthquake. A critical system may demand the largest possible niche, to allow survival—albeit with reduced functionality—even in extremely adverse conditions. The niche for the Fukushima nuclear plant allowed for both earthquake and tsunami, but in 2011 both occurred together, leading to a nuclear disaster.

The very terse summary in this post gives only a distant view of the environment, raising many questions but answering none of them. Some answers are given in another post that looks a little closer and a little deeper.

Links to other posts:
 →  Landscape Close-Up:  A closer view of the universe as seen by a software engineer
