ModelicaML vVDR Schamai v01 · –Natural language is understood by everyone – Formal methods are...
Page 1
Wladimir Schamai (EADS Innovation Works, Germany), Philipp Helle (EADS Innovation Works, UK), Peter Fritzson (Linköping University, Sweden), Chris Paredis (Georgia Institute of Technology, USA)
Page 2
Motivation
Page 3
– Natural language is understood by everyone
– Formal methods are overwhelming or overdone
– Formal methods are not widely used in industry
– For certification, authorities demand requirements to be written in natural language
– …
– Textual requirements cannot be processed by computers: how to formalize requirements so that they can be processed and evaluated during system simulations in order to detect errors or inconsistencies?
Page 4
Agreed Input
Out of scope: writing good requirements, requirements analysis and negotiation.
GO
Page 5
Most rail systems have some form of train protection system that uses track-side signals to indicate potentially dangerous situations to the driver. The simplest train protection systems consist of signals with two states: green to continue along the track and red to apply the brake to stop the train. More sophisticated systems include detailed information such as speed profiles for each section of the track.
Accidents still occur using a train protection system when a driver fails to notice or respond correctly to a signal. To reduce the risk of these accidents, Automated Train Protection (ATP) systems are used that automate the train’s response to the track-side signals by sensing each signal and monitoring the driver’s reaction. If the driver fails to act appropriately, the ATP system takes control of the train and responds as required.
Page 6
ID: xyz
Text: If at any time the controller calculates a "caution" signal, it shall, within 0.5 seconds, enable the alarm in the driver cabin.
ID: xyz
Text: If the alarm in the driver cabin has been activated due to a "caution" signal and the train speed is not decreasing by at least 0.5 m/s^2 within 2 seconds after activation of alarm, then the controller shall within 0.5 seconds activate the automatic braking.
ID: xyz
Text: If at any time the controller calculates a "danger" signal it shall within 0.5 seconds activate the braking system and enable the alarm in the driver cabin.
Textual System Requirement Examples
Requirements Management Tool (e.g. IBM Rational DOORS)
Page 7
Page 8
System Tester
System Designer
Requirements Analyst
Page 9
Selected
Requirements Analyst in collaboration with System Designer
1. Read a requirement
2. Decide if this requirement shall be evaluated using a simulation model (involve the System Designer)
3. Is this requirement complete, unambiguous and testable by using a simulation model?
4. If yes: mark this requirement as selected
Agreed
Page 10
– “If at any time the controller calculates a "caution" signal, it shall, within 0.5 seconds, enable the alarm in the driver cabin.”
– “If the alarm in the driver cabin has been activated due to a "caution" signal and the train speed is not decreasing by at least 0.5 m/s^2 within 2 seconds after activation of alarm, then the controller shall within 0.5 seconds activate the automatic braking.”
– “If at any time the controller calculates a "danger" signal it shall within 0.5 seconds activate the braking system and enable the alarm in the driver cabin.”
Page 11
Example of requirements that are not selected:
– “The sensors shall be attached to the side of the train and read information from approaching track-side signals, i.e. they detect what the signal is signaling to the train driver.”
• Why not?
– We do not plan to create a model that will contain all information required to detect whether the sensors are attached to the side of the train. “Simulation” may not be the best suited means to verify this requirement. “Inspection” of the design may be more appropriate.
– “The ATP system shall consist of a central controller and five boundary subsystems that manage the sensors, speedometer, brakes, alarm and a reset mechanism.”
• Why not?
– This is a design constraint to be taken into account. “Inspection” of the design will be sufficient to verify this requirement.
Page 12
Requirements Analyst
Selected textual requirements
Page 13
1. Identify measurable properties addressed in the requirement statement
2. Formalize properties and define requirement violation monitor
Textual: “If at any time the controller calculates a "caution" signal, it shall, within 0.5 seconds, enable the alarm in the driver cabin.”
Formalized
Requirements Analyst
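Added example, not part of the slides and not ModelicaML code: the three ATP requirements formalized as violation monitors in Python and evaluated over a constructed simulation trace. Assumed: a trace of 0.1 s samples with fields t, signal, alarm, braking and speed, and the second requirement's "not decreasing by at least 0.5 m/s^2 within 2 seconds" read as the average deceleration over that 2 s window.

```python
from collections import namedtuple
# One simulation sample: time [s], controller signal ("clear"/"caution"/"danger"),
# alarm state, automatic braking state, train speed [m/s]. Assumed layout.
Sample = namedtuple("Sample", "t signal alarm braking speed")
EPS = 1e-9  # tolerance for float time comparisons

def value_at(trace, t, field):
    """Value of `field` at the last sample with time <= t."""
    return [getattr(s, field) for s in trace if s.t <= t + EPS][-1]

def holds_within(trace, t_from, deadline, field):
    """True if `field` is true at some sample in [t_from, t_from + deadline]."""
    return any(getattr(s, field) for s in trace
               if t_from - EPS <= s.t <= t_from + deadline + EPS)

def rising_edges(trace, pred):
    """Times at which pred switches from False to True, i.e. requirement triggers."""
    return [s.t for prev, s in zip(trace, trace[1:]) if pred(s) and not pred(prev)]

def check_requirements(trace):
    """Evaluate the three ATP requirements; return (requirement, trigger time) pairs."""
    violations = []
    for t in rising_edges(trace, lambda s: s.signal == "caution"):
        # Req 1: "caution" -> alarm enabled within 0.5 s
        t_alarm = next((s.t for s in trace if t - EPS <= s.t <= t + 0.5 + EPS and s.alarm), None)
        if t_alarm is None:
            violations.append(("caution-alarm", t))
            continue
        # Req 2: no deceleration >= 0.5 m/s^2 (average over 2 s after alarm) -> braking within 0.5 s
        decel = (value_at(trace, t_alarm, "speed") - value_at(trace, t_alarm + 2.0, "speed")) / 2.0
        if decel < 0.5 and not holds_within(trace, t_alarm + 2.0, 0.5, "braking"):
            violations.append(("auto-braking", t_alarm))
    for t in rising_edges(trace, lambda s: s.signal == "danger"):
        # Req 3: "danger" -> braking and alarm within 0.5 s
        if not (holds_within(trace, t, 0.5, "braking") and holds_within(trace, t, 0.5, "alarm")):
            violations.append(("danger-brake-alarm", t))
    return violations

def constructed_trace(driver_reacts=False):
    """Constructed 6 s trace at 0.1 s steps (not a real simulation result)."""
    trace = []
    for i in range(61):
        t = round(i * 0.1, 1)
        signal = "clear" if t < 1.0 else "caution" if t < 4.0 else "danger"
        alarm = t >= 1.3      # alarm 0.3 s after "caution": Req 1 satisfied
        braking = t >= 4.2    # automatic braking only 0.2 s after "danger": Req 3 satisfied
        speed = 30.0 - 2.0 * (t - 1.3) if driver_reacts and t >= 1.3 else 30.0
        trace.append(Sample(t, signal, alarm, braking, speed))
    return trace
```

With the driver not reacting, the monitor reports one violation of the automatic-braking requirement at the alarm activation time; with a reacting driver the trace passes all three monitors.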
Page 14
System Designer
Page 15
– This model will contain the information required for reproducing test results
– One test case can be used for evaluating one or more requirements
– For example, models that simulate the environment of the system, models that stimulate the system, models that monitor specific values, etc.
System Tester in collaboration with System Designer
Page 16
System Tester in collaboration with System Designer
Page 17
System Tester in collaboration with System Designer
Page 18
System Tester
Page 19
– For each test model include the simulation configuration:
• Which design model, test cases and requirements were included
• Requirements violations, if any
• This configuration allows reproducing the test results
– The reports can be used as reference for product verification
System Tester
Simulation Summary Report
System Designer
Requirements Analyst
Page 20
vVDR is a method for the verification of design against requirements by using simulations
The method applicability depends on
– Design simulation models that are planned to be created
– Quality (testability, completeness and correctness) of requirements to be verified
Formalization and modeling activities are performed by different roles according to their competencies
The separation of requirements, designs and test cases
– Enables reuse and combination of requirements in different test cases for different design alternatives
– Enables an automated re-evaluation of requirements along the system design evolution