Automating Model Composition for Design Verification

Similar documents
Requirement Formaliza0on in Modelica

Requirement Formalization in Modelica. Lena Buffoni, Linköping University (with material from Wladimir Schamai)

EXPRESSING REQUIREMENTS IN MODELICA

Modelling & Simulation of Complex Socio-Cyber- Physical Systems and Large Scale Systems of Systems

ModelicaML: Getting Started Issue April 2012

Aerospace Software Engineering

Metamodelling & Metaprogramming. Lena Buffoni

Integrated Modeling of CPS including Requirements: Open Source MBSE Tools Based on Modelica and UML

A Model Driven Approach for Requirements Engineering of Industrial Automation Systems

Verification and Validation of Models for Embedded Software Development Prashant Hegde MathWorks India Pvt. Ltd.

Fault Tolerance Analysis using OpenModelica with Figaro Extensions for Modelica

Dependability studies, focus on fault trees and Figaro language

Metamodelling & Metaprogramming. Lena Buffoni

Enhancing the RAMSAS method for Systems Reliability Analysis through Modelica

Comodeling Revisited: Execution of Behavior Trees in Modelica

Coding and Unit Testing! The Coding Phase! Coding vs. Code! Coding! Overall Coding Language Trends!

An Overview of the SysML-Modelica Transformation Specification

Software architecture in ASPICE and Even-André Karlsson

Excel on the Java VM. Generating Fast Code from Spreadsheet Models. Peter Arrenbrecht codewise.ch / Abacus Research AG Submission ID: 30

Modeling and Simulation for Heterogeneous systems

Software Engineering 2 A practical course in software engineering. Ekkart Kindler

Symbolic Evaluation/Execution

On the link between Architectural Description Models and Modelica Analyses Models

An introduction to Scheme

Software Testing Fundamentals. Software Testing Techniques. Information Flow in Testing. Testing Objectives

CODE ANALYSES FOR NUMERICAL ACCURACY WITH AFFINE FORMS: FROM DIAGNOSIS TO THE ORIGIN OF THE NUMERICAL ERRORS. Teratec 2017 Forum Védrine Franck

Developing AUTOSAR Compliant Embedded Software Senior Application Engineer Sang-Ho Yoon

Software Quality Assurance. David Janzen

Modeling physical properties. Controller, plant and environment model

Verification of Requirements For Safety-Critical Software

CSC236 Week 5. Larry Zhang

A SOFTWARE ENVIRONMENT FOR VERIFIABLE MODELING AND SIMULATION. Amanda Grace Rapsang Arjun Saha Kannan M. Moudgalya G. Sivakumar

Testing Process and Methods. CS 490MT/5555, Spring 2017, Yongjie Zheng

Software Visualization Revolution Based on Complexity Science - An Introduction to NSE Software Visualization Paradigm

Reading Assignment. Symbolic Evaluation/Execution. Move from Dynamic Analysis to Static Analysis. Move from Dynamic Analysis to Static Analysis

Second assignment came out Monday evening. Find defects in Hnefetafl rules written by your classmates. Topic: Code Inspection and Testing

A SEMI-FORMAL METHOD TO VERIFY CORRECTNESS OF FUNCTIONAL REQUIREMENTS SPECIFICATIONS OF COMPLEX EMBEDDED SYSTEM

ISO Compliant Automatic Requirements-Based Testing for TargetLink

ISO compliant verification of functional requirements in the model-based software development process

raceability Support in OpenModelica Using Open Services for Lifecycle Collaboration (OSLC)

2015 The MathWorks, Inc. 1

A Proposal for Verified Code Generation from Modelica

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

A Solver-Independent Platform for Modeling Constrained Objects Involving Discrete and Continuous Domains

Woodcote Primary School Learning Ladder Maths Milestone 1 Autumn

Application note Level (closed vessel) SITRANS P DSIII. Unrestricted

Offline Model-based Testing and Runtime Monitoring

Problem. Prove that the square of any whole number n is a multiple of 4 or one more than a multiple of 4.

Functional Programming. Pure Functional Languages

A Structured Approach for Efficient Model-Based Testing in Large IT Projects

Contaminant Source Identification for Priority Nodes in Water Distribution Systems

Research Collection. Formal background and algorithms. Other Conference Item. ETH Library. Author(s): Biere, Armin. Publication Date: 2001

1 Visible deviation from the specification or expected behavior for end-user is called: a) an error b) a fault c) a failure d) a defect e) a mistake

Experimental Methods I

Verification and Test with Model-Based Design

Verification and Validation. Assuring that a software system meets a user s needs. Verification vs Validation. The V & V Process

Verification of Cyber-Physical Controller Software Using the AVM Meta Tool Suite and HybridSAL

Name Core Date Accentuate the Negative

OpenVera Assertions. March Synopsys, Inc.

2008 International ANSYS Conference

DO-178C / ED-12C Model Based Supplement. Pierre Lionne, SC-205 / WG-71 SG-4 Co-Chairman 1 Nov. 2011

Verification Overview Testing Theory and Principles Testing in Practice. Verification. Miaoqing Huang University of Arkansas 1 / 80

MURPHY S COMPUTER LAWS

Knowledge-based Systems for Industrial Applications

Statements 2. a operator= b a = a operator b

Verification and Validation. Ian Sommerville 2004 Software Engineering, 7th edition. Chapter 22 Slide 1

Introduction to Scheme

ARTIFICIAL INTELLIGENCE. Uncertainty: fuzzy systems

UNIT-4 Black Box & White Box Testing

Variability and Type Calculation for Equation of Modelica. model

Part 5. Verification and Validation

Towards Unified System Modeling and Simulation with ModelicaML: Modeling of Executable Behavior Using Graphical Notations

K Reference Card. Complete example

SOFTWARE QUALITY OBJECTIVES FOR SOURCE CODE

Mixed Critical Architecture Requirements (MCAR)

Question 1: What is a code walk-through, and how is it performed?

Using Code Coverage to Improve the Reliability of Embedded Software. Whitepaper V

Guidelines for deployment of MathWorks R2010a toolset within a DO-178B-compliant process

Modelica Change Proposal MCP-0021 Component Iterators Status: Under Evaluation , version v2, #1848

UNIT-4 Black Box & White Box Testing

Proline Prowirl 72, 73

Beginner s Introduction to TC 3.0. February 6, 2013

FOURTH GRADE Mathematics Standards for the Archdiocese of Detroit

Introduction to Software Testing Chapter 5.1 Syntax-based Testing

Increasing Embedded Software Confidence Model and Code Verification. Daniel Martins Application Engineer MathWorks

AK-SM 720 Boolean logic REFRIGERATION AND AIR CONDITIONING. User guide

Challenges in component based programming. Lena Buffoni

Building a Bridge: from Pre-Silicon Verification to Post-Silicon Validation

Variants and Traceability as the Challenge

Structure of Abstract Syntax trees for Colored Nets in PNML

Functional Programming. Pure Functional Languages

Programming in C++ Prof. Partha Pratim Das Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Chapter 10 Verification and Validation of Simulation Models. Banks, Carson, Nelson & Nicol Discrete-Event System Simulation

TDDD04: Integration and System level testing. Lena Buffoni

Darshan Institute of Engineering & Technology for Diploma Studies

Some notes about Event-B and Rodin

Software Testing Lecture 1. Justin Pearson

Developing Optimization Algorithms for Real-World Applications

Quality Indicators for Automotive Test Case Specifications

Compiler in sicherheitsrelevanten Projekten Was bedeutet das für die Testumgebung?

Transcription:

Automating Model Composition for Design Verification Wladimir Schamai (Airbus Group Innovations) Lena Buffoni (Linköping University) Peter Fritzson (Linköping University) Daniel Bouskela (EDF) MODPROD 2015

Problem Description Complex physical systems exhibit large numbers of Dynamic continuous states: Physical states (temperature, pressure, mass flow) Dynamic discrete states: Operating modes (normal, dysfunctional, I&C) They are subject to large numbers of requirements And need many test scenarios for proper verification Challenge: Possible combinatorial explosion of situations to be explored Question: How to efficiently verify system designs against requirements? 2

Solution Proposal Automate as much as possible the testing of complex systems Formalize natural-language requirements into monitor models Create executable model of the system behavior Use the requirements models as observer of the behavioral model to automatically detect possible violations of the requirements during simulations Use a generator of test scenarios* (to stimulate the design model) that comply with test coverage criteria violation monitors Requirements Requirements model What the system should guarantee E.g. Cavitation should never happen Behavioral model Predicted behavior of the designed system P t k / Q 2 t 3 *not addressed in this presentation

Example of Informal Requirements When they are in operation, pumps shall not cavitate. The water temperature shall not vary by more than 10 C per hour. When the system is in operation, there should be no less than two pumps in operation for more than 2 seconds. Violation shall not occur more than 3 times per year with a confidence rate of [a given percentage]. 4

Formalizing Requirements Each individual requirement is formalized into a violation monitor model that indicates at any simulated time: untested (default), satisfied, violated Modeling language: a new Modelica library with constructs adapted for requirements formalization See presentation Lena Buffoni, et al. Requirement Formalization in Modelica Effort for formalization: Typically a fraction compared to system designs modeling effort Added value: Executable monitor models which can be used in simulations, or monitoring of a system in operation Detection of impreciseness or errors in the requirement statement

Model Dependencies System design model alternatives/versions DM DM DM Requirements violation monitors SM SM SM Scenarios (system model stimuli) AM AM AM Additional computation models

Challenge: Integration of Models Models are created independently By different persons In different points in time in system development Models cannot/should not be modified, e.g. because they are Library components Black-boxes Ownership, missing knowledge about model details, etc. Which models will need to be integrated is not known in advance It is often not possible/practical to agree on fixed interfaces in advance

Requirement, Design and Scenario Requirement 1: Violation Monitor At least 2 pumps shall be in operation at any time. model Req input Integer numberofoppumps = 0 "number of operating pumps"; constant Integer minnumberofoppumps = 2 "min. number of operating pumps"; output Integer status(start=0,fixed=true) "indication of requirement violation, 0 = not evaluated, 1 = not violated, 2 = violated"; algorithm if numberofoppumps < minnumberofoppumps then status := 2 "2 means violated"; else status := 1 "1 means NOT violated"; end if; end Req; Verification Scenario 1 model Scenario output Boolean pump1active "turn on pump1 = true, turn off pump1 = false"; output Boolean pump2active "turn on pump2 = true, turn off pump2 = false"; output Boolean pump3active "turn on pump3 = true, turn off pump3 = false"; System Design Alternative 1 model System PA pump1; PB pump2; PB pump3; end System; model PA input Boolean on = false "to turn the pump on or off"; end PA; model PB input Boolean switchedon = false "to switch the pump on or off"; Real volflowrate "volume flow rate of the pump"; equation if switchedon then volflowrate = 1; else volflowrate = 0; end if; end PB; algorithm if time > 0 and time <= 10 then pump3active := false; elseif time > 0 and time <= 20 then pump2active := false; elseif time > 0 and time <= 30 then pump2active := true; else pump1active := true; pump2active := true; pump3active := true; end if; end Scenario;

Verification Model Simulation Verification Model 1 model VerificationModel1 Binding Expressions Req req1 ( numberofoppumps = sum({ (if sys.pump1.on then 1 else 0), (if sys.pump2.volflowrate > 0 then 1 else 0), (if sys.pump3.volflowrate > 0 then 1 else 0)}) ); System sys ( pump1(on = pump2(switchedon = pump3(switchedon = ); scen.pump1active), scen.pump2active), scen.pump3active) Scenario scen; end VerificationModel1; Question: What is necessary to enable generating the binding expressions automatically?

Composition of Verification Models Use Case: User selects the system design model to be verified against requirements Tool identifies scenarios that can stimulate the selected system model Tool identifies requirements that are implemented in the selected system model Tool composes verification models, generates code, simulate, generates report. Designs Alternative Models Scenario Models Requirement Monitors DM DM DM SM SM SM SM SM SM SM 1 1. Verification Model 2. Verification Model n. Verification Model VM DM1 SM1 VM DM1 SM2

Questions For a given model: How to bind components? What is necessary in order to determine which components need to be bound? How to generate correct binding expression (=glue code) automatically? For an automated/guided verification model composition approach: How to find valid combinations of models? E.g., design verification: For a selected system model, how to find requirements that are implemented and can be tested, and scenarios that can be used to stimulate the system?

Binding: Basic Idea The binding concept enables capturing of potential interaction between models Some models require data: Clients Some models can provide the required data: Providers However, clients and providers do not know each other a priori Mediators captures many-to-many relation between clients and providers Multiple clients may require the same data Data from several providers may be needed in order to compute data required by one client clients mediator providers C C M P P

Binding: Why Mediators? Assume c1 and c2 both require data from p1 and p2 for clients providers C1 P2 C2 P2 Group data required by several clients Enables reuse of existing mediators, allows using array reduction functions More concise and consistent clients mediator providers C1 C2 M1 P1 P2

Binging Specification Example R1 When the BPS is under maintenance, it must not be activated R2 In the absence of any BPS component failure or in the presence of a single BPS sensor failure, when the BPS is not under maintenance, and in case of loss of MPS: R3 In the absence of any BPS component failure or in the presence of a single BPS sensor failure, the BPS must not be spuriously activated. Text in requirement statement Mediators Type R1 R3 R2 BPS is under maintenance isbpsundermaintenace Boolean activated isbpsactivated Boolean absence of any BPS component failure isnobpscomponentfailure Boolean presence of a single BPS sensor failure issinglebpssensorfailure Boolean loss of MPS ismpsloss Boolean

Binging Specification Example Clients Mediators Providers (what information is required by 1..* clients?) (how to compute the required data?) violation R1 monitor isbpsundermaintenace isbpsactivated System Design Alternatives or Versions violation R3 monitor isnobpscomponentfailure issinglebpssensorfailure ismpsloss

Binding: What do we need to capture? name mediator type template client reference client reference provider reference provider reference ismandatory client id template provider id template Mediator name reflects what is needed by clients Mediator type must be compatible to its clients Client or provider id is the qualified name of the client or provider model (e.g. Package1.Model1.component1) Client ismandatory (default=true) indicates whether the client must be bound. (If needed) Mediator template may only contain predefined macros (e.g. sum(:), toarray(:), card(:), min(:), max(:), etc.) (If needed) Client or provider template may contain expressions including references to components within the client or provider models (e.g. in Modelica using the dot-notation)

Binging Specification Example (XML) <mediator name="numberofoperatingpumps" requiredtype="integer"> <client mandatory="true" qualifiedname="req.numberofoppumps" /> <provider qualifiedname="pa.on"> <template>if getpath() then 1 else 0</template> </provider> <provider qualifiedname="pb.volflowrate"> <template>if getpath() > 0 then 1 else 0</template> </provider> client id provider id provider template mediator template <template>sum(:)</template> </mediator> Verification Model model VerificationModel1 Generates the binding expressions Req req1 ( numberofoppumps = sum({ (if sys.pump1.on then 1 else 0), (if sys.pump2.volflowrate > 0 then 1 else 0), (if sys.pump3.volflowrate > 0 then 1 else 0)}) ); System sys(); Scenario scen; end VerificationModel1;

Binging Specification Example GUI example in ModelicaML - Mediators group information needed by the requirement violation monitors

Verification (using simulation) Modeling Proposal in FO-L (requirements / properties modeling language) H Requirements model FO-L model Modelica model Observation operator Verification model H H H H Architecture models Engineering database Behavioral models External function External data Component Internal state (dynamic variable) Static attribute Instance binding Class binding Modelica (system behavior) FO-L (system architecture modeling) 1 Translate to Modelica code + bindingspecification.xml 2 Generate verification models 3 Simulate and analyze results

Conclusion The presented approach for automating model composition has the following advantages: No need for modifying existing models Enables a flexible integration of decoupled models (no need for fixed interfaces) Exposing and grouping of information about what data is needed by clients will reduce analysis work Automated generation of binding expressions will reduce modeling errors and the manual modeling effort. Further application example: Traceability between models (e.g. requirements, scenario and system design alternatives)

Thank you for your attention!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback