Teaching and Training Formal Methods for Safety Critical Systems

Similar documents
Using Tool-Supported Model Based Safety Analysis - Progress and Experiences in SAML Development

Seminar Software Quality and Safety

On Traceability of Informal Specifications for Model-Based Verification

Prototype of Automated PLC Model Checking Using Continuous Integration Tools CERN Summer Student Report

Compositional Model Based Software Development

MODELLING COMPOSITIONS OF MODULAR EMBEDDED SOFTWARE PRODUCT LINES

Eclipse Support for Using Eli and Teaching Programming Languages

Modeling, Testing and Executing Reo Connectors with the. Reo, Eclipse Coordination Tools

Creating Word Outlines from Compendium on a Mac

Is Power State Table Golden?

Formal Verification for safety critical requirements From Unit-Test to HIL

Introduction to Programming Languages and Compilers. CS164 11:00-12:30 TT 10 Evans. UPRM ICOM 4029 (Adapted from: Prof. Necula UCB CS 164)

Automatized Generating of GUIs for Domain-Specific Languages

Properties of High Quality Software. CSE219, Computer Science III Stony Brook University

Model-based GUI testing using Uppaal at NOVO Nordisk

WoPeD Workflow Petri Net Designer

An Eclipse-based Integrated Environment for Developing Executable Structural Operational Semantics Specifications

Cover Page. The handle holds various files of this Leiden University dissertation

An Introductory Guide to SpecTRM

Xuandong Li. BACH: Path-oriented Reachability Checker of Linear Hybrid Automata

Experimental Comparison between AutoFOCUS3 and Papyrus-RT. Tatiana Chuprina, Florian Hölzl, Vincent Aravantinos

Introduction to Formal Methods

An Intelligent Tutoring System Prototype for Learning to Program Java TM

"Charting the Course to Your Success!" MOC B Programming in C# Course Summary

Extended Dataflow Model For Automated Parallel Execution Of Algorithms

Contents. Slide Set 1. About these slides. Outline of Slide Set 1. Typographical conventions: Italics. Typographical conventions. About these slides

Distributed Systems Programming (F21DS1) Formal Verification

Key Properties for Comparing Modeling Languages and Tools: Usability, Completeness and Scalability

APPLICATION OF A METASYSTEM IN UNIVERSITY INFORMATION SYSTEM DEVELOPMENT

Software Design. Levels in Design Process. Design Methodologies. Levels..

EMF Metrics: Specification and Calculation of Model Metrics within the Eclipse Modeling Framework

Generic Requirements Management and Verification Process for Ground Segment and Mission Operations Preparation

Coding and Unit Testing! The Coding Phase! Coding vs. Code! Coding! Overall Coding Language Trends!

P-NET Management with Java based Components

On Meaning Preservation of a Calculus of Records

CHAPTER 1 COPYRIGHTED MATERIAL. Finding Your Way in the Inventor Interface

Eclipse JWT Java Workflow Tooling. Workflow Editor (WE): Installation and Usage Tutorial

Chapter 9. Introduction to High-Level Language Programming. INVITATION TO Computer Science

Design of distributed Java application with JEstelle.

CPS122 Lecture: From Python to Java last revised January 4, Objectives:

A Visual Tool for Supporting Developers in Ontology-based Application Integration

Model-checking with the TimeLine formalism

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

An Annotation Tool for Semantic Documents

Course Syllabus: In-Depth unipaas Programming Techniques

Single-pass Static Semantic Check for Efficient Translation in YAPL

Leslie Lamport: The Specification Language TLA +

Why testing and analysis. Software Testing. A framework for software testing. Outline. Software Qualities. Dependability Properties

Simulating Task Models Using Concrete User Interface Components

Progress in Spoken Programming

Requirements Specifications

1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and to Compilation

Graphiti Release Review

1DL321: Kompilatorteknik I (Compiler Design 1)

Concepts of Programming Languages

Laboratory Exercise #6 Introduction to Logic Simulation and Verilog

Comparing and Contrasting different Approaches of Code Generator(Enum,Map-Like,If-else,Graph)

COMP 763. Eugene Syriani. Ph.D. Student in the Modelling, Simulation and Design Lab School of Computer Science. McGill University

Towards Generating Domain-Specific Model Editors with Complex Editing Commands

with TestComplete 12 Desktop, Web, and Mobile Testing Tutorials

CTI Short Learning Programme in Internet Development Specialist

Performance Cockpit: An Extensible GUI Platform for Performance Tools

A GRAPHICAL TABULAR MODEL FOR RULE-BASED LOGIC PROGRAMMING AND VERIFICATION **

Software Requirements Specification for Peer Tutoring Record Keeping

Experience gained from the development of a library for creating little on-line educative applications

Web-based system for learning of communication protocols

Programming Languages 2nd edition Tucker and Noonan"

Overview of the KeY System

BIG MODELS AN ALTERNATIVE APPROACH

Investigation of System Timing Concerns in Embedded Systems: Tool-based Analysis of AADL Models

Simulation of Timed Input/Output Automata

CTI Higher Certificate in Information Systems (Internet Development)

Slide Set 1 (corrected)

Using the VMware vcenter Orchestrator Client. vrealize Orchestrator 5.5.1

Functional abstraction. What is abstraction? Eating apples. Readings: HtDP, sections Language level: Intermediate Student With Lambda

Functional abstraction

Embedded software design with Polychrony

UX Research in the Product Lifecycle

An Overview of the BLITZ System

This is the vector graphics "drawing" technology with its technical and creative beauty. SVG Inkscape vectors

INFS 214: Introduction to Computing

Automated Freedom from Interference Analysis for Automotive Software

1DL321: Kompilatorteknik I (Compiler Design 1) Introduction to Programming Language Design and to Compilation

DBMS (FYCS) Unit - 1. A database management system stores data in such a way that it becomes easier to retrieve, manipulate, and produce information.

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer

Sunburst Design - Verilog-2001 Design & Best Coding Practices by Recognized Verilog & SystemVerilog Guru, Cliff Cummings of Sunburst Design, Inc.

Automatic Generation of Execution Traces and Visualizing Sequence Diagrams

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer. Compiler Design

Designing Survivable Services from Independent Components with Basic Functionality

Spemmet - A Tool for Modeling Software Processes with SPEM

Spoofax: An Extensible, Interactive Development Environment for Program Transformation with Stratego/XT

News in RSA-RTE 10.2 updated for sprint Mattias Mohlin, January 2018

gsysc Visualization of SystemC-Projects (Extended abstract)

SERVICE PACK 12 FEATURE GUIDE FOR END-USERS. Updated for GRCC on August 22, 2013

User Task Automator. Himanshu Prasad 1, P. Geetha Priya 2, S.Manjunatha 3, B.H Namratha 4 and Rekha B. Venkatapur 5 1,2,3&4

Going With the (Data) Flow

TimeNET Optimization Environment (TOE).

Web Applications: A Simple Pluggable Architecture for Business Rich Clients

A Visual Editor for Reconfigurable Object Nets based on the ECLIPSE Graphical Editor Framework

WPS Workbench. user guide. "To help guide you through using the WPS user interface (Workbench) to create, edit and run programs"

Transcription:

Teaching and Training Formal Methods for Safety Critical Systems Michael Lipaczewski and Frank Ortmeier Computer Systems in Engineering Otto-von-Guericke University Magdeburg {michael.lipaczewski,frank.ortmeier}@ovgu.de Abstract Embedded systems become a major part in many domains. This also involves systems which might create heavy damages and injuries when they fail. However, because of the rising number of software components used within this embedded hardware, safety-related problems are hard to discover, and it is even harder to prove that there are none. One approach to guarantee the correctness of a system is model-based safety analysis. They rely on an abstract representation of the system which can then be analyzed using model checkers. The results of these analysis are in general much more precise and often reveal surprising results of failure combinations, where no one had ever thought about before. Nevertheless model-based safety analysis is not used widely. Mainly because it is not well-known and hard to apply to current safety standards which rely on manual approaches. Another fact might be, that most approaches are scientific and in most cases prototypes that are hard to use. In this paper we present some ideas and first steps towards an easy to learn and easy to use model based safety approach. Additionally we present different user-interfaces that are supposed to support the user in his learning. Keywords-Model-based, Safety Analysis I. INTRODUCTION In almost all domains, we rely on technology to make lives easier and more comfortable. To achieve this goal, technology not only have to become smarter, but also smaller. Therefore, it is necessary to replace hardware controls with software components that don t need any space besides a processing unit, and that can handle much more functionality. These systems are called cyber-physical systems. However, these systems are also used in safety-critical applications, where a failing system can endanger human lifes. Traditional safety analysis relies on hardware-based controllers, which are easy to predict. For software components, behavior is much harder to predict, and can become non-deterministic due to bugs. To cope with this kind of systems, model-based safety analysis approaches were created that are capable of modelling and analysing nondeterministic behavior. Yet, even though model-based approaches exist and model checkers are improving, they are barely used in the industry for safety-critical systems. One reason is that they are not well-known and difficult to apply. Another handycap is that they have not yet been practically shown to be at least as good as the approaches that are currently in use. Additionally, most of these tools have a steep learning curve, requiring hours to correctly set up the necessary toolchain, and days of studying before they can be used productively. In earlier work, [1], [2], we presented a language and methodology to easily model software and hardware components as well as environmental dependencies and potential malfunctions of the system. We used this language to prove the correctness of the system as well as giving a complete list of minimal failure sets that will lead to a hazardous malfunction of the whole system [3]. We also extended this language to make modeling easier [4] and to add additional types of model analysis [5]. To train students and engineers to successfully use modelbased approaches, a lot of theoretical background, tools and knowledge is needed. This involves a lot of effort before a first model can be created and checked. To improve motivation and knowledge retention, more rapid results are needed. To reduce the set of required knowledge, we simplify the modeling and verification process and hide the tool-layer from the user. The idea was to create a user-interface that supports an engineer in using model-based approaches without requiring in-depth knowledge of the underlying system. To that end, our UI provides code completion and instant code verification, as well as integration of the toolchain into the IDE. We created two different user interfaces with different abilities and target audiences. In this paper we are going to discuss the differences and scope of these two development environments. In the following sections we present the basic Safety Analysis Modeling Language (SAML) along with language extensions that help engineers to successfully build their models (Section II). Section III introduces the Eclipse-based user interface, which not only provides editor-support, but also integrates the underlying toolchain. To allow potential users to gain hands-on experience without having to install the software, we also built a web-based editor with tutorials and example models. This UI will be presented in Section IV. Section V compares the two different user interfaces with respect to their educational use. Finally, SAML can be used in non safety-critical settings as well. These non safety-related SAML extensions are explained in Section VI. Current and further work to gain more user acceptance are presented in Section VII, followed by the conclusion in Section VIII.

II. SYSTEM ANALYSIS MODELING LANGUAGE The System Analysis Modeling Language (SAML) was created as an intermediate language for high-level engineering tools and model checkers. The main benefit of this language proven semantic-preserving transformations into several different model checkers input languages, which can be used to analyze different aspects of a model using thirdparty tools. The language is used to model a set of time-discrete, synchronous finite state automata. Meaning that all automata compute their state for the next time step in parallel and only based on the previous system state. The main element of a SAML model is a component, which contains a number of states variables each defined by its integer range, and a number of update rules. Update rules consists of conditions (boolean expressions) that, when fulfilled, cause their respective assignment rules to be executed. An assignment rule can contain multiple non-deterministic expressions, which in turn can each contain a probabilistic distribution with which the automaton will go into a specified next state. Depending on which type of assignment rule is used, it is possible to express deterministic decisions (mostly used for functional behavior), probabilistic choices (e.g. to model hardware failures) and non-determinism (e.g. to model software failures with unknown probabilities). Additionally, several extensions were made to the language to be able to create models even simpler and faster: Constants are integer or double-valued variables. They can be used to group and organize probabilities, enable model parameterization, and reduce redundancies. Formulas are single-expression functions. They can be of boolean or double type and are useful to make models smaller and better readable. Sub-components are used to organize components, constants and formulas hierarchically. Enumerations also improve readability and error-freeness of models by using sets of symbolic constants instead of integer ranges. Especially for larger models, it is much easier to name the state than to find the integer that represents the desired state. Includes allow to build models spreading over several files. With this features, it is possible to create model libraries with components that are reused in several projects. Failure Components are a special type of component representing common failure occurrence patterns. These include persistent and transient failures with per-time or per-demand failure occurrences. As using failure components semantically marks the component as modelling failure occurrence patterns, algorithms that determine minimal critical failure sets can directly work on the set of failure components. Templates are used to efficiently create multiple component instances that differ only slightly from each other. All extensions aim at making the modeling of a system easier and faster, as well as improving the readability of the model. However, they do not increase the expressiveness of SAML: as all extensions can be transformed into a simple SAML model containing only components with update rules and assignment rules. Thus, a core SAML language exists that is easy to learn and use because of its simplicity. And for experienced users, advanced features can be learned step by step to enable them to model their systems more efficiently and with less errors. With this approach, trainees can succeed early without having to know the full SAML language. III. VECS FRAMEWORK We created a complete modeling and verification environment called VECS (Verification Environment for Critical Systems), where we tried to implement all features that are already used in development environments for modern programming languages. VECS allows for the execution of the third-party backend model checker for systems modelled in SAML through its IDE. Thus, the underlying model checker is hidden from the user, reducing the knowledge required to use modelbased safety analysis. VECS automatically transforms the user s SAML model into the target language, runs the according model checker and parse the results, which are then displayed inside the IDE. This integration was done using the Eclipse framework, which additionally provides a simple installation and update process, as well as a familiar and widely used window management. A screenshot of the current VECS version is given in Figure 1. Additionally, we extended the Eclipse-based SAML editor with feature such as syntax highlighting, auto-completion, auto-formatting and instant error-checking for the SAML language - features that users know from Eclipse-based editors for other programming languages. The Eclipse module outline pane and project manager are also available in VECS. The results of backend model checkers are parsed and displayed in easily readable views. Additionally, the model behavior can be simulated step by step in order to analyze and understand the cause of unexpected or incorrect behavior. Besides the user interface, the VECS framework also contains a console input for automation purposes as well as a client-server architecture for the backend model checkers that allows for the transparent execution of the model checking process on a different computer. The main intention for this remote model checking was the huge amount of RAM and time that is needed for model checking on a desktop computer. But it also enables different SAML editor frontends to use the VECS model transformation and model checking infrastructure. One of these other frontends is presented in the next section. IV. WEB-BASED TUTORIALS Another approach for even quicker introduction to SAML is our web frontend trysaml.org. It does not have (and is not

Figure 1. screenshot of the editor intended to have) all features of the full Eclipse IDE, but allows users to try out SAML without having to install any software on their computers. It also included tutorials and a SAML language reference for users not familiar with that language. The main purpose of the web editor is to familiarize interested users with the language and the results that can be generated using our approach. For model-checking, the user model is sent to our server, where it is checked using the client-server architecture of the VECS framework. As we cannot offer unlimited amount of computation power, the web editor has some limitations regarding the size of the model as well as the number of people who can use the model-checking feature simultaneously. Nevertheless, it is an easy approach to learn the language and its abilities before taking the time to set up an own SAML environment. Besides the pure editor with syntax highlighting, trysaml.org contains a beginner and an advanced tutorial to explain the different SAML elements. The beginner tutorial mainly focuses on the three main SAML concepts (components, update rules, assignment rules) and their usage. It also gives a first insight into the different types of model checkers that can be used. The advanced tutorial then introduces more language features. The web frontend also includes a number of example models that can be viewed and edited inside the browser. Figure 2 shows one step in the beginner tutorial. The editor view is on the right-hand side, while the tutorial text is displayed to the left of the editor. The current tutorial task is given above the editor. For model checking, the bottom part offers two different model checkers as well as an input field for the property to be validated. After completing the tutorial, we encourage users to download and install the Eclipse-based VECS IDE for a faster and easier way to create and verify their models. V. C OMPARISON OF U SER I NTERFACES REGARDING E DUCATION Both editors fulfill different needs of trainees. The webbased version allows for quick results and self study, while the Eclipse version can cope with bigger models and offers more assistance to the user. Table I shows a comparison of the two user interfaces with respect to teaching and usability: Software requirements that are needed to run the environment. The browser-based approach requires only a generic recent web browser, which is pre-installed on all

Figure 2. screenshot of the online editor and tutorial Eclipse-based browser-based software requirements - + integrated documentation - + interactive tutorial - + prior knowledge - + learning feedback - + # concurrent users + - editor support + o static model checks + o offline mode + - platform independence o + Table I COMPARISON OF THE DIFFERENT DEVELOPMENT ENVIRONMENTS FOR SAML consumer computers. For the Eclipse based approach, manual installation of Eclipse itself, the VECS Eclipse plugin, and additional third-party model checkers is necessary. Integrated documentation is included on the website, but not shipped with the Eclipse plugin. As the target audience of the eclipse plugin are experienced SAML users, documentation is rarely needed. Interactive tutorial is present on the website and is actually the reason why the web interface was created. Therefore self-study is possible using the web interface. In contrast, in order to work with the Eclipse version, users already have to unterstand the concepts behind SAML (e.g. by first completing the online tutorial). So the Eclipse version may only be used for learning SAML when an experienced tutor is present. Prior knowledge that is necessary or recommended to use the editor. Because the online version contains a language reference as well as a tutorial, no knowledge is needed, whereas the VECS IDE requires knowledge about the syntax of SAML, to be able to use it successfully. Learning feedback is mainly given by the web-based system, where the completion of a tutorial task by the user is recognized. For the Eclipse version, some learning effect can be achieved by the static model checks, where the user is informed about errors in the model. Nevertheless, as the Eclipse editor is not supposed to teach there is little feedback suitable for students. Number of concurrent users describes the number of people that can use the system at the same time. As the Eclipse IDE and its model checkers run directly on the user s computer, the number of concurrent users here is not limited. On the other side, because of server limitations, the number of people who can use the web-based system at the same time is severely limited. While the model syntax

checks are performed in the browser, model transformation and backend model checkers are executed on our limited number of servers, and are currently limited to about 30 concurrent model checks. Editor support is given in a limited way by the web frontend, which includes only syntax highlighting and no other advanced features. The Eclipse version comes with full support for auto-completion, quick-fixes, auto-formatting and a lot of other features known from modern development environments. Static model checks are one of the major features of the Eclipse version. Besides model syntax checks, some semantic checks can be performed (e.g. whether the probabilities for specified alternative behavior sum up to one). In the web-based version, only the syntax can be checked. Offline mode can only be supported by the Eclipse based system, as the browser-based approach requires internet access to our backend servers for model checking. Platform independence is given by both approaches. Eclipse and VECS both using Java, and thus are usable on a variety of platforms. A limiting factor is the availability of the backend model checkers for the different platforms. The model checkers currently in use for VECS are available for Windows, Linux and MacOS. The web frontend only requires a recent web browser, but no additional plugins. Thus, it cannot only be used on the three platforms where VECS is available, but also on other systems such as Solaris workstations and even smartphones and tablets. Overall, the browser-based version is mainly intended for self-study and to try out SAML, whereas VECS application ares is to support the user in every day use. But it can also be used for teaching along with a tutor. VI. NON SAFETY-RELATED APPLICATIONS FOR SAML Besides safety-related application areas, VECS can also be used to verify other system properties for other types of engineering problems. One of these areas is functional correctness, which is easy to check using qualitative model checkers, which VECS uses fo rthe computation of minimal critical failure sets anyway. Another application area is the optimization of models with respect to user-specified objective functions. Special keywords in SAML mark constants that may be varied to yield different model instances. The VECS framework is then able to determine an optimal model instance with respect to the given objective function [6]. VII. FUTURE WORKS Currently, we work on improving the user experience. Through a user study, several possible improvements on ease of modelling were identified. The most important planned improvement is the integration of a satisfiability checker to determine missing or overspecified conditions within the assignment rules at modeling time. Additionally, a graphical result viewer is planned to improve spotting and understanding of interesting aspects of model checking results. Another big topic is the graphical representation of the SAML model. In a first step, export to a graphical representation is planned, to visualize an existing model. This requires a definition of graphical elements that represent the single elements of a model. In a second step, a full graphical editor is planned. But for that goal, several problems have to be faced: Graphical models quickly grow unintelligable with increasing models size. Therefore it can be used only some modells, and a textual editor is still required for models containing many states or complex arithmetic expressions. In this context, a model import facility from UML modelling tools (e.g. Rhapsody) might also be useful. This would allow for the import of existing UML models in order to perform safety-related verification in VECS. This would also improve user acceptance for users with pre-existing UML models, as it helps then to not have to two maintain redundant models. VIII. CONCLUSION In this paper we presented the formal model specification language SAML and the VECS framework that transforms SAML models into the input language of several model checkers. Two different user interfaces were presented, each with its own advantages and disadvantages. We analyzed this development environments regarding their usability for educational purposes. The presented web-based version is a good choice for people who want to gain first experiences with SAML without having to install any software. It also offers online tutorials and a language reference, and can be used for selfstudy. The VECS Eclipse-based editor offers less self-studying abilities, but comes with advanced IDE features that are known from modern programming languages. Both frontends hide the integrated backend model checkers from the user to reduce the knowledge needed to use our model-based approach. Additionally we presented strategies to improve the userexperience as well as extending our safety-related approach towards a more general engineering tool. ACKNOWLEDGMENT Michael Lipaczewski is sponsored by the Deutsche Ministerium für Bildung und Forschung in the ViERforES project (BMBF, project-nr.: 01IM08003C). The presented software VECS can be downloaded from the website of the research group: http://cse.cs.ovgu.de - Research - Software. The online editor can be visited and used under http://www.trysaml.org.

REFERENCES [1] M. Güdemann and F. Ortmeier, A framework for qualitative and quantitative model-based safety analysis, in Proceedings of the 12 th High Assurance System Engineering Symposium (HASE 2010), 2010, pp. 132 141. [2] M. Güdemann, Qualitative and Quantitative Formal Model- Based Safety Analysis, Ph.D. dissertation, Otto-von-Guericke- Universitä Magdeburg, 2011. [Online]. Available: http: //nbn-resolving.de/urn:nbn:de:gbv:ma9:1-385 [3] F. Ortmeier, W. Reif, and G. Schellhorn, Deductive causeconsequence analysis (DCCA), in Proceedings of the 16 th IFAC World Congress. Elsevier, 2006. [4] M. Güdemann, L. Mäurer, and F. Ortmeier, On modeling probabilistic aspects of failure modes efficiently, in Proceedings of the 34th International Conference on Software Engineering SEES@ICSE2012, 2012, in review. [5] M. Güdemann and F. Ortmeier, Model-Based Multi-Objective Safety Optimization, in Proceedings of the 30 th International Conference on Computer Safety, Reliability and Security (SAFECOMP 2011). Springer LNCS, 2011, pp. 423 436. [6] S. Struck, M. Güdemann, M. Lipaczewski, and F. Ortmeier, Multi-objective optimization of formal specifications, in IEEE 14th International Symposium on High-Assurance Systems Engineering (HASE 2012), V. Winter, R. Gandhi, and A. Parakh, Eds., 2012.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback