Architecture Modeling - SPES 2020

More documents

Recommendations

Info

Architecture Modeling strong assumption true since it holds for any environment. The weak assumption states that the contract holds under the condition that the underlying hardware (BSCU) does not fail. In this case, the braking system fails only if both redundant sub-systems hydraulic system A and hydraulic system B fail. true BrakingSystem BSCUFails does not fail BrakingSystemFails shall only fail if HydraulicSystemAFails && HydraulicSystemBFails BSCUFails BrakingSystemFails HydraulicSystemAFails HydraulicSystemBFails Figure 4.3: Safety Contracts Example Since failure conditions are usually complex, abbreviations can be defined for them: failureCondition TooMuchEnergyConsumption is defined by: (consumption > 2) holds longer than 2s Later, these abbreviations may by used to simplify the definitions of safety-related patterns. 4.2 Virtual Integration Testing Technically, a component may be a (composed) system, which is constructed from a set of (sub-) components. In more detail, a system is given by a set of components, an interface and a set of named (inter-) connections. An interface is a set of directed ports, denoted inports and outports, respectively. Each port specifies a set of typed (data) flows or services 1 . In the following, we assume for simplicity that ports specify single flows. Hence, we identify ports and their corresponding flow. Furthermore, we abstract in the following discussion from the fact, that we have to distinguish between components and instances of components. This fact is important in the sense, that contracts are defined on components and not on instances (which are referred as RichComponentProperty in the SPESMM). Thus, if we have two instances of the same component, we have to uniquely identify the respective ports of these instances. Otherwise, from a formal point of view, contracts cannot distinguish behavior of different ports. If, for example, L and R in Figure 4.4 would be instances of the same component, the ports would have the same name, and could not be distinguished from a semantical viewpoint without unique identification. A connection links two ports. It either links two sub-component ports, one outport and one inport (e.g. port l2r), or one port of the system interface and one sub-component port with the same direction (e.g. port r2e), or two system interface ports of opposite direction. Each sub-component inport and each system outport must be linked to exactly one other port. Linked 1 We omit a discussion of services here, which can be seen as a derived concept. 52/ 156
Architecture Modeling ports must have the same type (we do not treat issues related to types in depth, here, so we adopt this simple principle for ease of exposition). A simple sample system is depicted in Figure 4.4, where only the connection names and not the port names are given. Figure 4.4: Simple example system In a design process, composed systems usually do not exist a-priori (except in case of re-use), but are the result of a concrete design step. For example, due to a design decision, it may be found that an initially identified air condition system shall be realized by a sequential composition of different sub-systems. The first subsystem may provide air from the environment, the second one has to bring this air to its correct temperature, and so on. Contract-based design helps in such situation not only to allocate responsibilities for the respective sub-components, but also to trace back whether the requirements of the component are satisfied when all of its sub-components satisfy their “local” requirements. The corresponding proof obligations are subsumed by so-called Virtual Integration Testing (VIT). The term virtual is due to the fact, that these proof obligations are independent from the implementation of the respective components. That is, if a virtual integration test has been performed successfully, any set of implementations satisfying the responsibilities of the respective sub-components are inherently covered by the VIT. We will discuss satisfaction of an implementation in Section 4.3. VIT defines the conditions under which the contracts of all sub-components, when put together, satisfy the contract(s) of the parent component, and which verification steps have to be performed in order to establish this property. The relevant property is denoted refinement and is discussed in Section 4.2.2. VIT also defines proof obligations necessary to verify that two (or more) components can be put together reasonably at all. Component R in the figure above could for example state, that the input values on its input l2r always are below, say, 30 ◦ C. If the guarantee of component L would state that its output on l2r is always between 25 and 35 ◦ C, it would obviously be problematic to put L and R together. Compatibility of contracts is discussed in Section 4.2.1. Compatibility is however only one property necessary to properly compose components. As for the contracts of a single component, VIT also requires that the composition of components does not violate receptiveness and consistency. This becomes particularly evident when components are composed to form a control loop as in Figure 4.4 via ports l2r and r2l, where inports and outports of components are mutually connected. Thus, a reasonable design methodology relies on receptiveness and consistency for composing components. Another proof obligation of VIT, that shall not be discussed here in detail, concerns some form of stability. In the figure above, contract CL could for example state that the output on l2r becomes 0 if the input r2l is 1, and vice verse. Contract CR could equivalently state that the output r2l becomes 0 if its input l2r becomes 1 (and vice verse). Although the respective contracts are compatible, and even strongly consistent, the resulting system will not be stable, 53/ 156
Page 1 and 2:
Architecture Modeling ∗ Andreas B
Page 3 and 4:
Contents 1 Introduction 1 2 Quick-T
Page 5 and 6: 1 Introduction This document propos
Page 7 and 8: Architecture Modeling allowing to m
Page 9 and 10: Architecture Modeling creating a vi
Page 11 and 12: Architecture Modeling the design it
Page 13 and 14: Architecture Modeling of the logica
Page 15 and 16: Architecture Modeling realization o
Page 17 and 18: Architecture Modeling can usually o
Page 19 and 20: 3 The Architecture Meta-Model In Se
Page 21 and 22: Abstraction-Levels (detail increase
Page 23 and 24: 3.2.2 Functional Perspective Archit
Page 25 and 26: Architecture Modeling The semantics
Page 27 and 28: Architecture Modeling expressed by
Page 29 and 30: Architecture Modeling computing cap
Page 31 and 32: 3.2.5 Geometrical Perspective Archi
Page 33 and 34: ShapeCompositionOperator intersecti
Page 35 and 36: Architecture Modeling The constrain
Page 37 and 38: Architecture Modeling of particular
Page 39 and 40: Architecture Modeling Shape that de
Page 41 and 42: Architecture Modeling Conjugation o
Page 43 and 44: RichComponent Architecture Modeling
Page 45 and 46: MultiplicityElement +part 0..* Rich
Page 47 and 48: ComponentC Architecture Modeling pa
Page 49 and 50: 4 Steps in Component-Based Design T
Page 51 and 52: Architecture Modeling Assume/guaran
Page 53 and 54: Architecture Modeling When specifyi
Page 55: Architecture Modeling next selectio
Page 59 and 60: established if (and only if): Archi
Page 61 and 62: 12°C < tempSelect < 35°C actTemp
Page 63 and 64: Architecture Modeling The component
Page 65 and 66: Architecture Modeling 4.3.2 Establi
Page 67 and 68: Architecture Modeling a mapping is
Page 69 and 70: Architecture Modeling Another impor
Page 71 and 72: 5 Using the Architecture Meta-Model
Page 73 and 74: Architecture Modeling Design proces
Page 75 and 76: Architecture Modeling abstraction l
Page 77 and 78: Pwr1 Pedal_Pos1 Pwr2 Pedal_Pos2 CMD
Page 79 and 80: Architecture Modeling Figure 5.4: O
Page 81 and 82: Architecture Modeling Figure 5.7: L
Page 83 and 84: Architecture Modeling Figure 5.9: T
Page 85 and 86: Architecture Modeling Figure 5.12:
Page 89 and 90: Architecture Modeling However this
Page 91 and 92: Architecture Modeling The considera
Page 97 and 98: Architecture Modeling tasks Command
Page 99 and 100: Architecture Modeling of the V, suc
Page 101 and 102: Architecture Modeling thus decorate
Page 103 and 104: Architecture Modeling In summary, P
Page 105 and 106: Architecture Modeling OEMs are incr
Page 107 and 108:
Architecture Modeling provide effec
Page 109 and 110:
Architecture Modeling Figure 5.24:
Page 111 and 112:
Architecture Modeling patterns, cap
Page 113 and 114:
Architecture Modeling 6.1 Syntax an
Page 115 and 116:
6.1.1.1.1 Attribuute Definit tion a
Page 117 and 118:
Constrrain Eventts with Co ondition
Page 119 and 120:
These events used in the “and the
Page 121 and 122:
Formalization: whenever StartButton
Page 123 and 124:
Architecture Modeling Basic bloock
Page 125 and 126:
6.1.1.1.1.3 Conditions Conditions c
Page 127 and 128:
6.1.1.1.2.2 Seammless Con ncatenati
Page 129 and 130:
e3 && (clk==0) e1 idle pre e1 idle
Page 131 and 132:
Pattern whenever event occurs condi
Page 133 and 134:
If the brake force is above 80% for
Page 135 and 136:
Pattern S3: Failure shall not be ca
Page 137 and 138:
Pattern S9: failureCondition failur
Page 139 and 140:
Pattern R2: Event occurs each perio
Page 141 and 142:
idle e1 |clk:=0 e2 && (l
Page 143 and 144:
The function : allocates a singl
Page 145 and 146:
Examplees of clocks: • Run: {c=0@
Page 147 and 148:
Architecture Modeling 1. For σ ∈
Page 149 and 150:
Architecture Modeling Traces accord
Page 151 and 152:
Architecture Modeling Definition 6.
Page 153 and 154:
Architecture Modeling the one given
Page 155 and 156:
Architecture Modeling Decomposition
Page 157 and 158:
Bibliography [1] ARINC 653 - Avioni
Page 159 and 160:
Architecture Modeling [26] Holger G
show all

Architecture Modeling - SPES 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?