Architecture Modeling - SPES 2020

More documents

Recommendations

Info

4.2.3 Examples VIT Example for Functional Contracts Architecture Modeling In the following, the application of VIT is discussed by a set of simple examples. We start with a example for VIT checking of functional specifications as depicted in Figure 4.5. It shows an air conditioning system providing tempered air. The AirTempSystem component has input ports for the currently selected and the current temperature, and an output port for the temperature of the provided air. The corresponding contract to AirTempSystem states that the difference between selected and current air temperature must be at most 0.5 ◦ C. The contract further states that whenever some temperature has been selected, it takes at most 60 seconds for the system to provide air of this temperature. The strong assumption of the contract has three parts. The first part states that the selected temperature is in the range of between 12 ◦ C and 35 ◦ C. The second part states that the sensor value actTemp for the actual temperature is updated each 20 ms. And the third assumption requires from the environment that the actually measured temperature must not differ more than 0.2 ◦ C from the provided air. C1 C2 C tempSelect actTemp 12°C < tempSelect < 35°C actTemp occurs each 20ms always abs(actTemp – flowTemp) < 0.2°C AirTempSystem 12°C < tempSelect < 35°C actTemp occurs each 20ms whenever chg(tempSelect) occurs nomTemp = tempSelect holds during [10ms, chg(tempSelect) [ Whenever actTemp occurs control.act = actTemp && control.nom = nomTemp occurs within [12ms, 14ms] tempSelectStore AirTempControl whenever chg(tempSelect) occurs abs(flowTemp – tempSelect) < 0.5°C holds during [60s, chg(tempSelect) [ nomTemp C3 control occurs each 20ms with jitter 2ms control AirCondition Figure 4.5: VIT Example with Functional Contracts whenever control occurs abs(flowTemp - control.nom) < abs(control.act - control.nom) + epsilon holds during [10ms, control [ flowTemp In order to perform VIT, we start with the VIT condition stating that the strong assumption of the component, together with all local contracts must imply all local strong assumptions. As Figure 4.6 shows, this is trivial to see for the local contracts C1 and C2. For C3 = (A3s,A3w,G3), we can employ existing results from real-time analysis allowing us to derive a periodical activation pattern for the occurrence of control events from contract C2. This concludes the strong VIT condition, requiring that all strong assumptions of the sub-components are satisfied if the strong assumptions of the parent component is (and if all local contracts are satisfied). Interestingly, the example shows that different aspects of a design are often closely entangled, in this case the functional and the real-time aspect. Showing satisfaction of the guarantee of C needs a little more effort. Firstly, we can derive a new guarantee from C1 and C2, and G3 that replaces in G3 occurrences of control.nom by 56/ 156
12°C < tempSelect < 35°C actTemp occurs each 20ms always abs(actTemp – flowTemp) < 0.2°C 12°C < tempSelect < 35°C actTemp occurs each 20ms control occurs each 20ms with jitter 2ms Architecture Modeling whenever chg(tempSelect) occurs abs(flowTemp – tempSelect) < 0.5°C holds during [60s, chg(tempSelect) [ whenever chg(tempSelect) occurs nomTemp = tempSelect holds during [10ms, chg(tempSelect) [ Whenever actTemp occurs control.act = actTemp && control.nom = nomTemp occurs within [12ms, 14ms] control occurs each 20ms with jitter 2ms whenever control occurs abs(flowTemp – tempSelect) < abs(actTemp- tempSelect) + epsilon holds during [10ms, control [ whenever control occurs abs(flowTemp - control.nom) < abs(control.act - control.nom) + epsilon holds during [10ms, control [ Figure 4.6: VIT Example with Functional Contracts: Proof Chain tempSelect. We can further calculate which epsilon is needed in G3 to achieve a maximal temperature difference of 0.5 ◦ C for the air conditioning. To this end, we need the activation frequency of the AirCondition component (20 ms), the maximum delay for control.act to become the value of the selected temperature in case of a modification of tempSelect (24 ms). The maximum change of the selected temperature is 23 ◦ C. Due to the activation period, the air condition has about 6000 cycles to achieve this temperature change (within 60 seconds minus delays). So in each cycle, the temperature change must be at least ≈ 0.004 ◦ C. Together with the assumption about the maximal deviation of airTemp from the air flow temperature (0.2 ◦ C) of C, we can further derive the guarantee of C. Due to this we have shown dominance C against the local contracts, which concludes the VIT. VIT Example for Real-Time Contracts Figure 4.7 depicts another simple decomposition situation of another part of the same system. The local components have real-time contracts associated stating about the activation pattern and maximum delays. The contract of the parent component AirTempSystem in fact specifies an end-to-end deadline. Note that all assumptions in this example are strong. The proof chain of the VIT for the example is shown in Figure 4.8. We start VIT by showing compatibility of the local contracts C1 and C2. To this end, we derive a new guarantee from the local contract C1 = (A1s,A1w,G1). According to [23], C1 implies contract C1 ′ = (A1s,A1w,G1 ′ ) where: G1 ′ = actTemp occurs each 50ms with jitter 7ms With this, one can easily show implication of the strong assumption A2s of contract C2, and thus G1 ′ =⇒ A2s. Since the whole system is acyclic, stability is not an issue here. Also receptiveness is not an issue for such real-time contracts, because the assumptions reason about input ports only, and the guarantees reason about the delay between inports and outports. The whole system thus satisfies C1 ∧C2 =⇒ A1s ∧ A2s. Furthermore, it can be shown that assumption As is a strict subset of A1s. This in advance completes the strong VIT condition, and also the first part of the dominance relation between C and C1 ∧C2 (all weak assumptions are true). 57/ 156
Page 1 and 2:
Architecture Modeling ∗ Andreas B
Page 3 and 4:
Contents 1 Introduction 1 2 Quick-T
Page 5 and 6:
1 Introduction This document propos
Page 7 and 8:
Architecture Modeling allowing to m
Page 9 and 10: Architecture Modeling creating a vi
Page 11 and 12: Architecture Modeling the design it
Page 13 and 14: Architecture Modeling of the logica
Page 15 and 16: Architecture Modeling realization o
Page 17 and 18: Architecture Modeling can usually o
Page 19 and 20: 3 The Architecture Meta-Model In Se
Page 21 and 22: Abstraction-Levels (detail increase
Page 23 and 24: 3.2.2 Functional Perspective Archit
Page 25 and 26: Architecture Modeling The semantics
Page 27 and 28: Architecture Modeling expressed by
Page 29 and 30: Architecture Modeling computing cap
Page 31 and 32: 3.2.5 Geometrical Perspective Archi
Page 33 and 34: ShapeCompositionOperator intersecti
Page 35 and 36: Architecture Modeling The constrain
Page 37 and 38: Architecture Modeling of particular
Page 39 and 40: Architecture Modeling Shape that de
Page 41 and 42: Architecture Modeling Conjugation o
Page 43 and 44: RichComponent Architecture Modeling
Page 45 and 46: MultiplicityElement +part 0..* Rich
Page 47 and 48: ComponentC Architecture Modeling pa
Page 49 and 50: 4 Steps in Component-Based Design T
Page 51 and 52: Architecture Modeling Assume/guaran
Page 53 and 54: Architecture Modeling When specifyi
Page 55 and 56: Architecture Modeling next selectio
Page 57 and 58: Architecture Modeling ports must ha
Page 59: established if (and only if): Archi
Page 63 and 64: Architecture Modeling The component
Page 65 and 66: Architecture Modeling 4.3.2 Establi
Page 67 and 68: Architecture Modeling a mapping is
Page 69 and 70: Architecture Modeling Another impor
Page 71 and 72: 5 Using the Architecture Meta-Model
Page 73 and 74: Architecture Modeling Design proces
Page 75 and 76: Architecture Modeling abstraction l
Page 77 and 78: Pwr1 Pedal_Pos1 Pwr2 Pedal_Pos2 CMD
Page 79 and 80: Architecture Modeling Figure 5.4: O
Page 81 and 82: Architecture Modeling Figure 5.7: L
Page 83 and 84: Architecture Modeling Figure 5.9: T
Page 85 and 86: Architecture Modeling Figure 5.12:
Page 89 and 90: Architecture Modeling However this
Page 91 and 92: Architecture Modeling The considera
Page 97 and 98: Architecture Modeling tasks Command
Page 99 and 100: Architecture Modeling of the V, suc
Page 101 and 102: Architecture Modeling thus decorate
Page 103 and 104: Architecture Modeling In summary, P
Page 105 and 106: Architecture Modeling OEMs are incr
Page 107 and 108: Architecture Modeling provide effec
Page 111 and 112:
Architecture Modeling patterns, cap
Page 113 and 114:
Architecture Modeling 6.1 Syntax an
Page 115 and 116:
6.1.1.1.1 Attribuute Definit tion a
Page 117 and 118:
Constrrain Eventts with Co ondition
Page 119 and 120:
These events used in the “and the
Page 121 and 122:
Formalization: whenever StartButton
Page 123 and 124:
Architecture Modeling Basic bloock
Page 125 and 126:
6.1.1.1.1.3 Conditions Conditions c
Page 127 and 128:
6.1.1.1.2.2 Seammless Con ncatenati
Page 129 and 130:
e3 && (clk==0) e1 idle pre e1 idle
Page 131 and 132:
Pattern whenever event occurs condi
Page 133 and 134:
If the brake force is above 80% for
Page 135 and 136:
Pattern S3: Failure shall not be ca
Page 137 and 138:
Pattern S9: failureCondition failur
Page 139 and 140:
Pattern R2: Event occurs each perio
Page 141 and 142:
idle e1 |clk:=0 e2 && (l
Page 143 and 144:
The function : allocates a singl
Page 145 and 146:
Examplees of clocks: • Run: {c=0@
Page 147 and 148:
Architecture Modeling 1. For σ ∈
Page 149 and 150:
Architecture Modeling Traces accord
Page 151 and 152:
Architecture Modeling Definition 6.
Page 153 and 154:
Architecture Modeling the one given
Page 155 and 156:
Architecture Modeling Decomposition
Page 157 and 158:
Bibliography [1] ARINC 653 - Avioni
Page 159 and 160:
Architecture Modeling [26] Holger G
show all

Architecture Modeling - SPES 2020

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?