Architecture Modeling - SPES 2020

More documents

Recommendations

Info

4.3 Satisfaction Architecture Modeling Although implementation aspects are not considered here 2 , implementing identified components is a primitive design step, and thus the necessary proof obligations shall be discussed. Formally, the contracts of a component characterize allowed behavior of the component. Thus, any implementation of a component must satisfy its contracts. In other words, an implementation of a component satisfies its specification if its behavior does not violates its specified one, or, it must not behave other than proposed by its specification. That way, the behavior of a component defined by its implementation can be seen as a refinement which has to be shown: M is a correct implementation of C if and only if [[M]] ⊆ [[C]] where M denotes an implementation of the respective component. SPESMM provides concepts to specify implementations for components employing the same underlying formal semantics as for contracts. This is however convenient only for some special cases and thus SPESMM does not rely on it. It rather provides an open and extensible approach to integrate any kind of implementations such as Real-Time StateCharts, MatLab models and even C-Code. That way, it is left to the needs of the respective design processes to reason about satisfaction, and to define sufficient and necessary conditions based on the needs, e.g., for certification. 4.3.1 Establishing Functional Specifications At least two different approaches can be distinguished to establish functional specification: formal verification due to model-checking, and testing. 4.3.1.1 Establish functional specifications with model-checking Formal verification of functional behavior is a well-established research area, and various formalisms and model-checking techniques have been developed so far. The AutoFocus and the FUJABA Real-Time tool suites for example provide effective functional verification. Formal verification techniques for Real-Time StateCharts and also for MatLab Simulink models exist. Exhaustive verification is indeed a challenging task due to complexity reasons. There are however industrial relevant approaches. For example, C-Code verification by model-checking is known to be effectively applicable for a number of years. 4.3.1.2 Establish functional specifications with testing Another way to establish functional contracts is due to HIL-testing. To this end, the implementation is executed on a prototyping platform, and execution traces are captured while running the system. In a subsequent hosted simulation, the traces are checked against the (executable) contract specifications. Indeed also other ways exist for testing, such as the implementation of the specification which runs in parallel to the implementation code. Also often more abstract implementations are considered, which is the domain of simulation. 2 see for example Sections 3 and 6.2 60/ 156
Architecture Modeling 4.3.2 Establishing Real-Time Contracts In fact, real-time contracts can be established by employing the same techniques as for functional contracts. However, establishing real-time requirements is the traditional domain of realtime scheduling theory. Implementations of the involved components, usually called tasks, are taken in order to calculate execution times for invocations of the respective components. Due to a characterization of the underlying (computational) resource, scheduling analysis calculates worst-case scenarios in order to verify whether the requirements about maximal delays are satisfied. Since real-time contracts usually define activation scenarios for components, and maximal delays, real-time scheduling scheduling theory fits well to establish real-time contracts. For more complex real-time contracts, and at higher abstraction levels where no detailed characterization of the underlying resources exist, more involved analysis techniques can be applied such as combination of scheduling analysis and model-checking. In order to improve efficiency, model-checking techniques can be combined with testing approaches [14]. 4.3.3 Establishing Safety Contracts One possible way to establish safety contracts is to perform a traditional safety analysis (like fault tree analysis) on an implementation model of the system enriched with failures. The enriched model contains the nominal as well as the dysfunctional behavior of the system. This allows to formalize the causality between failures resp. failure combinations and their effects. As a consequence, notions of (minimal) cut sets and fault trees can be formally related with a given implementation of the system. 4.3.3.1 Establish safety specification with testing Based on the enriched model, both the nominal and dysfunctional behavior may be simulated. Equipped with coverage notions that address that all failures and their combinations need to be covered, test strategies can be designed to check that the expected safety contracts hold. 4.3.3.2 Establish safety specification with symbolic methods Similar to the approach for functional specifications, safety contracts can also be established by symbolic methods that compute the causality between failure combinations and their effect. Here again, the crucial property of these methods is that they are complete (with respect to the model enriched with failures). A detailed example for this approach is given ins Section 5.1.3.4. 4.4 Deployment While the design steps discussed before reason about components of a particular design, two further design steps are important with respect to different perspectives and abstraction levels, that is, for the interfaces between whole models. Perspectives At a certain abstraction level, a system may be designed “from left to right”. Starting with the operational perspective, requirements engineering results in identifying the system boundaries and interfaces, and some top-level requirements, often called goals. In the functional perspective, the functions of the system are identified that are needed to achieve these goals. In the logical perspective, components are identified that perform the identified functions, 61/ 156
Page 1 and 2:
Architecture Modeling ∗ Andreas B
Page 3 and 4:
Contents 1 Introduction 1 2 Quick-T
Page 5 and 6:
1 Introduction This document propos
Page 7 and 8:
Architecture Modeling allowing to m
Page 9 and 10:
Architecture Modeling creating a vi
Page 11 and 12:
Architecture Modeling the design it
Page 13 and 14: Architecture Modeling of the logica
Page 15 and 16: Architecture Modeling realization o
Page 17 and 18: Architecture Modeling can usually o
Page 19 and 20: 3 The Architecture Meta-Model In Se
Page 21 and 22: Abstraction-Levels (detail increase
Page 23 and 24: 3.2.2 Functional Perspective Archit
Page 25 and 26: Architecture Modeling The semantics
Page 27 and 28: Architecture Modeling expressed by
Page 29 and 30: Architecture Modeling computing cap
Page 31 and 32: 3.2.5 Geometrical Perspective Archi
Page 33 and 34: ShapeCompositionOperator intersecti
Page 35 and 36: Architecture Modeling The constrain
Page 37 and 38: Architecture Modeling of particular
Page 39 and 40: Architecture Modeling Shape that de
Page 41 and 42: Architecture Modeling Conjugation o
Page 43 and 44: RichComponent Architecture Modeling
Page 45 and 46: MultiplicityElement +part 0..* Rich
Page 47 and 48: ComponentC Architecture Modeling pa
Page 49 and 50: 4 Steps in Component-Based Design T
Page 51 and 52: Architecture Modeling Assume/guaran
Page 53 and 54: Architecture Modeling When specifyi
Page 55 and 56: Architecture Modeling next selectio
Page 57 and 58: Architecture Modeling ports must ha
Page 59 and 60: established if (and only if): Archi
Page 61 and 62: 12°C < tempSelect < 35°C actTemp
Page 63: Architecture Modeling The component
Page 67 and 68: Architecture Modeling a mapping is
Page 69 and 70: Architecture Modeling Another impor
Page 71 and 72: 5 Using the Architecture Meta-Model
Page 73 and 74: Architecture Modeling Design proces
Page 75 and 76: Architecture Modeling abstraction l
Page 77 and 78: Pwr1 Pedal_Pos1 Pwr2 Pedal_Pos2 CMD
Page 79 and 80: Architecture Modeling Figure 5.4: O
Page 81 and 82: Architecture Modeling Figure 5.7: L
Page 83 and 84: Architecture Modeling Figure 5.9: T
Page 85 and 86: Architecture Modeling Figure 5.12:
Page 89 and 90: Architecture Modeling However this
Page 91 and 92: Architecture Modeling The considera
Page 97 and 98: Architecture Modeling tasks Command
Page 99 and 100: Architecture Modeling of the V, suc
Page 101 and 102: Architecture Modeling thus decorate
Page 103 and 104: Architecture Modeling In summary, P
Page 105 and 106: Architecture Modeling OEMs are incr
Page 107 and 108: Architecture Modeling provide effec
Page 111 and 112: Architecture Modeling patterns, cap
Page 113 and 114: Architecture Modeling 6.1 Syntax an
Page 115 and 116:
6.1.1.1.1 Attribuute Definit tion a
Page 117 and 118:
Constrrain Eventts with Co ondition
Page 119 and 120:
These events used in the “and the
Page 121 and 122:
Formalization: whenever StartButton
Page 123 and 124:
Architecture Modeling Basic bloock
Page 125 and 126:
6.1.1.1.1.3 Conditions Conditions c
Page 127 and 128:
6.1.1.1.2.2 Seammless Con ncatenati
Page 129 and 130:
e3 && (clk==0) e1 idle pre e1 idle
Page 131 and 132:
Pattern whenever event occurs condi
Page 133 and 134:
If the brake force is above 80% for
Page 135 and 136:
Pattern S3: Failure shall not be ca
Page 137 and 138:
Pattern S9: failureCondition failur
Page 139 and 140:
Pattern R2: Event occurs each perio
Page 141 and 142:
idle e1 |clk:=0 e2 && (l
Page 143 and 144:
The function : allocates a singl
Page 145 and 146:
Examplees of clocks: • Run: {c=0@
Page 147 and 148:
Architecture Modeling 1. For σ ∈
Page 149 and 150:
Architecture Modeling Traces accord
Page 151 and 152:
Architecture Modeling Definition 6.
Page 153 and 154:
Architecture Modeling the one given
Page 155 and 156:
Architecture Modeling Decomposition
Page 157 and 158:
Bibliography [1] ARINC 653 - Avioni
Page 159 and 160:
Architecture Modeling [26] Holger G
show all

Architecture Modeling - SPES 2020

Create successful ePaper yourself

Delete template?

Save as template?