Architecture Modeling - SPES 2020
Architecture Modeling - SPES 2020
Architecture Modeling - SPES 2020
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
<strong>Architecture</strong> <strong>Modeling</strong><br />
ports must have the same type (we do not treat issues related to types in depth, here, so we adopt<br />
this simple principle for ease of exposition). A simple sample system is depicted in Figure 4.4,<br />
where only the connection names and not the port names are given.<br />
Figure 4.4: Simple example system<br />
In a design process, composed systems usually do not exist a-priori (except in case of re-use),<br />
but are the result of a concrete design step. For example, due to a design decision, it may be<br />
found that an initially identified air condition system shall be realized by a sequential composition<br />
of different sub-systems. The first subsystem may provide air from the environment, the<br />
second one has to bring this air to its correct temperature, and so on. Contract-based design<br />
helps in such situation not only to allocate responsibilities for the respective sub-components,<br />
but also to trace back whether the requirements of the component are satisfied when all of<br />
its sub-components satisfy their “local” requirements. The corresponding proof obligations are<br />
subsumed by so-called Virtual Integration Testing (VIT). The term virtual is due to the fact, that<br />
these proof obligations are independent from the implementation of the respective components.<br />
That is, if a virtual integration test has been performed successfully, any set of implementations<br />
satisfying the responsibilities of the respective sub-components are inherently covered by the<br />
VIT. We will discuss satisfaction of an implementation in Section 4.3.<br />
VIT defines the conditions under which the contracts of all sub-components, when put together,<br />
satisfy the contract(s) of the parent component, and which verification steps have to be<br />
performed in order to establish this property. The relevant property is denoted refinement and<br />
is discussed in Section 4.2.2. VIT also defines proof obligations necessary to verify that two<br />
(or more) components can be put together reasonably at all. Component R in the figure above<br />
could for example state, that the input values on its input l2r always are below, say, 30 ◦ C. If the<br />
guarantee of component L would state that its output on l2r is always between 25 and 35 ◦ C, it<br />
would obviously be problematic to put L and R together. Compatibility of contracts is discussed<br />
in Section 4.2.1.<br />
Compatibility is however only one property necessary to properly compose components. As<br />
for the contracts of a single component, VIT also requires that the composition of components<br />
does not violate receptiveness and consistency. This becomes particularly evident when components<br />
are composed to form a control loop as in Figure 4.4 via ports l2r and r2l, where inports<br />
and outports of components are mutually connected. Thus, a reasonable design methodology<br />
relies on receptiveness and consistency for composing components.<br />
Another proof obligation of VIT, that shall not be discussed here in detail, concerns some<br />
form of stability. In the figure above, contract CL could for example state that the output on<br />
l2r becomes 0 if the input r2l is 1, and vice verse. Contract CR could equivalently state that<br />
the output r2l becomes 0 if its input l2r becomes 1 (and vice verse). Although the respective<br />
contracts are compatible, and even strongly consistent, the resulting system will not be stable,<br />
53/ 156