Turn Indicator Model Overview

Similar documents
A Real-World Benchmark Model for Testing Concurrent Real-Time Systems in the Automotive Domain

Model-based testing in the automotive industry challenges and solutions

Testing Distributed Systems

Applied Formal Methods - From CSP to Executable Hybrid Specifications

Practical Model-based Testing With Papyrus and RT-Tester

Dr. Ing. Cornelia Zahlten. Prof. Dr. Jan Peleska. Concepts and Implementation. Hard Real-Time Test Tools

In this presentation,...

Automated Freedom from Interference Analysis for Automotive Software

Finite State Machines and Statecharts

DIVERSITY TG Automatic Test Case Generation from Matlab/Simulink models. Diane Bahrami, Alain Faivre, Arnault Lapitre

Feature Modeling. Krzysztof Czarnecki & Simon Helsen University of Waterloo

The Event-B Modelling Notation

Testing Operating Systems with RT-Tester

From Signal to Service

CA314 Object Oriented Analysis & Design - 7. File name: CA314_Section_07_Ver01 Author: L Tuohey No. of pages: 16

DEVELOPMENT OF DISTRIBUTED AUTOMOTIVE SOFTWARE The DaVinci Methodology

13 AutoFocus 3 - A Scientific Tool Prototype for Model-Based Development of Component-Based, Reactive, Distributed Systems

Chapter 8 : Multiprocessors

Section 8. The Basic Step Algorithm

Architectural Styles - Finale

Software Architecture. Lecture 4

EXPERIENCES FROM MODEL BASED DEVELOPMENT OF DRIVE-BY-WIRE CONTROL SYSTEMS

Chapter 2 Overview of the Design Methodology

A CAN-Based Architecture for Highly Reliable Communication Systems

An Agent Modeling Language Implementing Protocols through Capabilities

Communication Networks for the Next-Generation Vehicles

ANSI C CODE SYNTHESIS FOR MLDESIGNER FINITE STATE MACHINES

Composition of State Machines

Model Checking of Statecharts using Automatic White Box Test Generation

Refinement Using µ-charts: The Compaq Grand Slam Cup Case Study Revisited

A Test Case Generation Algorithm for Real-Time Systems

Impact of Platform Abstractions on the Development Workflow

FROM SYNCHRONOUS SPECIFICATIONS TO ASYNCHRONOUS DISTRIBUTED IMPLEMENTATIONS Technische Universitiit Miinchen Peter Scholz

EP A1 (19) (11) EP A1 (12) EUROPEAN PATENT APPLICATION. (43) Date of publication: Bulletin 2012/45

Real-time Ethernet Residual Bus Simulation: A Model-Based Testing Approach for the Next-Generation In-Car Network

Database Management Systems

Łabiak G., Miczulski P. (IIE, UZ, Zielona Góra, Poland)

Adapting Commit Protocols for Large-Scale and Dynamic Distributed Applications

The Encoding Complexity of Network Coding

Editor. Analyser XML. Scheduler. generator. Code Generator Code. Scheduler. Analyser. Simulator. Controller Synthesizer.

Chapter 4. Capturing the Requirements. 4th Edition. Shari L. Pfleeger Joanne M. Atlee

Effective commissioning of bus bar protection systems using a dynamic simulation in the field

A Synchronization Algorithm for Distributed Systems

instruction fetch memory interface signal unit priority manager instruction decode stack register sets address PC2 PC3 PC4 instructions extern signals

Fault tolerant TTCAN networks

InControl INCONTROL OVERVIEW

TIMES A Tool for Modelling and Implementation of Embedded Systems

Thirty one Problems in the Semantics of UML 1.3 Dynamics

Chapter 2 State Estimation and Visualization

Characteristics of Mult l ip i ro r ce c ssors r

Formal Verification for safety critical requirements From Unit-Test to HIL

Modeling, Testing and Executing Reo Connectors with the. Reo, Eclipse Coordination Tools

NOTES ON OBJECT-ORIENTED MODELING AND DESIGN

Comparison of CAN Gateway Modules for Automotive and Industrial Control Applications

Automotive and industrial use cases for CAN FD


UML-based framework for simulation of distributed ECU systems in automotive applications

The Montana Toolset: OSATE Plugins for Analysis and Code Generation

Mixed-Criticality Systems based on a CAN Router with Support for Fault Isolation and Selective Fault-Tolerance

Lecture 16: Hierarchical State Machines II

in Mainz (Germany) Sponsored by Allen Bradley National Semiconductor Philips Semiconductors Organized by

DeviceNet - CIP on CAN Technology

2-PHASE COMMIT PROTOCOL

INCA-LIN V7.2 User s Guide

In examining performance Interested in several things Exact times if computable Bounded times if exact not computable Can be measured

Concurrent Models of Computation

Joint Entity Resolution

OPAX - An Open Peer-to-Peer Architecture for XML Message Exchange

Fork Sequential Consistency is Blocking

Incompatibility Dimensions and Integration of Atomic Commit Protocols

A Generic Multi-node State Monitoring Subsystem

Fast and Accurate Source-Level Simulation Considering Target-Specific Compiler Optimizations

An Introduction to Modular Process Nets

DISCRETE-event dynamic systems (DEDS) are dynamic

Concurrent & Distributed Systems Supervision Exercises

Testing Distributed Systems

Model-based Analysis of Event-driven Distributed Real-time Embedded Systems

System models for distributed systems

INCONSISTENT DATABASES

Interrupts, timers and counters

Self-stabilizing Byzantine Digital Clock Synchronization

ADR. - Configuration and Functionality USER MANUAL

Design For High Performance Flexray Protocol For Fpga Based System

For 100% Result Oriented IGNOU Coaching and Project Training Call CPD: ,

Interaction Testing. Chapter 15

A Hardware-in-the-Loop Testing Platform Based on a Common Off-The-Shelf Non-Real-Time Simulation PC

BMW Service Training. Bluetooth Mobile Phone Seminar Working Material

Formal Modeling and Verification of Interlocking Systems Featuring Sequential Release

Aquila T2D Taximeter User Guide

Introducing MESSIA: A Methodology of Developing Software Architectures Supporting Implementation Independence

CONSIDERATIONS CONCERNING PARALLEL AND DISTRIBUTED ARCHITECTURE FOR INTELLIGENT SYSTEMS

High Performance Computing. University questions with solution

DS28CM00. I²C/SMBus Silicon Serial Number

Introduction to Modeling

Moby/plc { Graphical Development of. University of Oldenburg { Department of Computer Science. P.O.Box 2503, D Oldenburg, Germany

Database Design. IIO30100 Tietokantojen suunnittelu. Michal Zabovsky. Presentation overview

½ Caution! Introduction. Blind.switch 5701/1.0

Systems. Roland Kammerer. 10. November Institute of Computer Engineering Vienna University of Technology. Communication Protocols for Embedded

Real-Time Component Software. slide credits: H. Kopetz, P. Puschner

Interaction Testing! Chapter 15!!

Transcription:

Turn Indicator Model Overview Jan Peleska 1, Florian Lapschies 1, Helge Löding 2, Peer Smuda 3, Hermann Schmid 3, Elena Vorobev 1, and Cornelia Zahlten 2 1 Department of Mathematics and Computer Science University of Bremen, Germany {jp,elenav,florian}@informatik.uni-bremen.de 2 Verified Systems International GmbH, Bremen, Germany {hloeding,cmz}@verified.de 3 Daimler AG, Stuttgart, Germany {peer.smuda,hermann.s.schmid}@daimler.com System Interface. In Fig. 1 the interface between system under test (SUT) and testing environment (TE) is shown. Due to the state-based nature of the hardware interfaces (discretes, periodic CAN or LIN bus messages repeatedly sending state information) the modeling formalism handles interfaces as shared variables. The TE can stimulate the SUT via all interfaces affecting the turn indication functionality in the operational environment: in CentralLockingRM {0, 1, 2} denotes the remote control for opening and closing cars by means of the central locking system. Signal in CrashEvent {0, 1} activates a crash impact simulator, and in EmSwitch {0, 1} simulates the not pressed / pressed status of the emergency flash switch on the dashboard. Signal in IgnSwitch {0, 6} denotes the current status of the ignition switch, and in TurnIndLvr {0, 2} the status of the turn indicator lever. In special-purpose vehicles (SPV), such as taxis or police cars, additional redundant interfaces for activation of emergency flashing and turn indicators exist (e. g., in EmSwitchSPV {0, 1}). Observe that these redundant interfaces may be in contradicting states, so that the control software has to perform a priority-dependent resolution of conflicts. Inputs to the SUT marked by OPTION specify different variants of vehicle style and equipments, each affecting the behavior of the turn indication functions. In contrast to the other input interfaces to the SUT, options remain stable during execution of a test procedure, since their change requires a reset of the automotive controllers, accompanied by a procedure for loading new option parameters. If the TE component does not contain any behavioral specifications, the test generator will create arbitrary timed sequences of input vectors suitable to reach the test goals, only observing the range specifications associated with each input signal. This may lead to unrealistic tests. Therefore the TE may be decomposed into concurrent components (typically called simulations) whose behavior describe the admissible (potentially non-deterministic) interaction of the SUT environment on some or all interfaces. The test generator interprets these simulations as additional constraints, so that only sequences of input vectors are created, whose restrictions to the input signals controlled by TE components comply with the transition relations of these simulations.

SUT outputs are captured in the interface (Fig. 1 shows only a subset of them). The indicator lights are powered by the SUT via interfaces pwmratio FL {0, 120},... where, for example, FL stands for forward left and RL for rear right. The TE measures the percentage of the observed power output generated by the lamp controllers, in comparison with the expected value, 100% denoting exact identity. System integration testing is performed in grey box style: apart from the SUT outputs observable by end users, the TE also monitors bus messages produced by the cooperating controllers performing the turn indication service. Message tim EFS {0, 1}, for example, denotes a single bit in the CAN message sent from a central controller to the peripheral controllers in order to indicate whether the emergency flash switch indicator on the dashboard should be activated, and tim FL {0, 1} is the on/off command to the controller managing the forward-left indicator light. TestEnvironment SystemUnderTest <<interface,te2sut>> <<interface,sut2te>> in_centrallockingrm: int in_crashevent: int in_emswitch: int in_emswitchhighprio: int in_emswitchlowprio: int in_emswitchspv: int in_ignswitch: int in_theftalarm: int in_turnindlvr: int in_turnindlvrspv: int OPTION_Country: int OPTION_Trailer: int OPTION_VehicleStyle: int oc_flashcmdlock: int oc_flashcmdunlock: int pwmratio_fl: int pwmratio_fr: int pwmratio_rl: int pwmratio_rr: int pwmratio_sm_fl: int pwmratio_sm_fr: int pwmratio_sm_rl: int pwmratio_sm_rr: int pwmratio_efs: int pwmratio_tl: int pwmratio_tr: int tim_efs: int tim_fl: int tim_fr: int tim_rl: int tim_rr: int tim_sm_fl: int tim_sm_fr: int tm_sm_rl: int... Sunday, May 22, 2011 Fig. 1. Interface between test environment and system under test. First-Level SUT Decomposition. Fig. 2 shows the functional decomposition of the SUT functionality. Component NormalAndEmerFlashing controls left/right turn indication, emergency flashing and the dependencies between both func-

tions (see below). Component OpenCloseFlashing models the indicator-related reactions to opening and closing vehicles with the central locking system. Crash- Flashing models indications triggered by the crash impact controller. TheftFlashing controls reactions triggered by the theft alarm system. These functions interact with each other, as shown in the interface dependencies depicted in Fig. 2: the occurrence of a crash, for example, affects the emergency flash function, and opening a car de-activates a theft alarm. The local decisions of the above components are fed into the priority handling component where conflicts between indication-related commands are resolved: if, for example, the central locking system is activated while emergency flashing is active, the open/close flashing patterns (one time for open, 3 times for close) are not generated; instead, emergency flashing continues. Similarly, switching of the emergency switch has no effect if the high-priority emergency interface (in EmSwitchHighPrio {0, 1}) is still active. Priority handling outputs the function to be performed and relays the left-hand/right-hand/both sides flashing information to the components OnOff- Duration and AffectedLamps. The former determines the durations for switching lights on and off, respectively, during one flashing period. These durations depend both on the status of the ignition switch and the function to be performed. The latter specifies which lamps and dashboard indications have to participate in the flashing cycles. This depends on the OPTION VehicleStyle which determines, for example, the existence of side marker lamps (interfaces pwmratio SM FL, FR, RL, RR), and on the OPTION Trailer which indicates the existence of a trailer coupling, so that the trailer turn indication lamps (pwmratio TL, TR) have to be activated. Moreover, the affected lamps and indications depend on the function to be performed: open-close flashing, for example, affects indication lamps on both sides, but the emergency flash switch indicator (pwmratio EFS) is not activated, while this indicator is affected by emergency, crash and theft flashing. The MessageHandling component transmits duration and identification of affected lamps and indicators on a bus and synchronizes the flash cycles by re-transmission of this message at the beginning of each flashing cycle. Finally, component lamp control comprises all output control functions, each function controlling the flashing cycles of a single lamp or dashboard indicator. Behavioral Semantics. Model components behave and interact according to a concurrent synchronous real-time semantics, which is close to Harel s original micro-step semantics of Statecharts [1]. Each leaf component of the model is associated with a hierarchic state machine. At each step starting in some model pre-state σ 0, all components possessing enabled state machine transitions process them in a synchronous manner, using σ 0 as the pre-state. The writes of all state machine transitions affect the post-state σ 1 of the micro-step. Two concurrent components trying to write different values to the same variable in the same micro-step cause a racing condition which is reflected by deadlock of the transition relation and in contrast to interleaving semantics considered as a modeling error. Micro-steps are discrete transitions performed in zero time. Inputs to the SUT remain unchanged between discrete transitions. If the system

is in a stable state, that is, all state machine transitions are disabled, time passes in a delay transition, while the system state remains stable. The delay must not exceed the next point in time when a discrete transition becomes enabled, due to timeout condition. At the end of a delay transition, new inputs to the SUT may be placed on each interface. The distinction between discrete and delay transitions is quite common in concurrent real-time formalisms, and it is also applied to interleaving semantics, as, for example, in Timed Automata [2]. The detailed formal specification of the semantic interpretation of the model is also published on the web site given above. Deployment and Signal Mapping. In order to support re-use, the model introduced in this section only specifies a functional decomposition. Its deployment on a distributed system of automotive controllers, the network topology, and the concrete interfaces implementing the logical ones shown in the model, depend on the vehicle production series. Even the observability of signals may vary between series, due to different increments in the test equipment. For this reason, model interfaces are mapped to concrete ones by means of a signal map: this map associates concrete signal names which may be written to or read from in the TE with the abstract signals occurring in the model and in case of SUT outputs specify their acceptable tolerances. During test executions, the complete SUT model runs on the test engine against the SUT, in order to detect discrepancies between expected and observed behavior on the fly. During this back-to-back execution, all observable SUT outputs are checked against the expected ones calculated according to the model. To this end, all state machines in the SUT-portion of the model are transformed into separate tasks by a model-to-text generator. Depending on the TE infrastructure, these tasks can be distributed on several CPU cores and TE computers. As a consequence, every observable SUT output is continuously checked against its expected value. Values which are not observable are calculated by the corresponding model components and passed on to other components consuming these values, so that they can proceed their computations without the availability of the corresponding value produced by the SUT. References 1. Harel, D., Naamad, A.: The statemate semantics of statecharts. ACM Transactions on Software Engineering and Methodology 5(4), 293 333 (October 1996) 2. Springintveld, J., Vaandrager, F., D Argenio, P.: Testing timed automata. Theoretical Computer Science 254(1-2), 225 257 (March 2001)

IgnSwitchBusRouting NormalAndEmerFlashing OpenCloseFlashing CrashFlashing TheftFlashing PriorityHandling OnOffDuration MessageHandling AffectedLamps LampControl Sunday, May 22, 2011 Fig. 2. First-level decomposition of system under test.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback