Development of Critical Systems - PowerPoint PPT Presentation

1
Development Process of Safety-Critical Systems by AutoFocus and Quest
Prof. Dr. Manfred Broy, Dr. Oscar Slotosch
Software Systems Engineering, TU München
2
Development Process
  • starting from requirements
  • model-based development (modelling, code generation)
  • graphical description techniques (views)
  • many validation steps available
    • requirements tracing
    • consistency checks
    • simulation
    • testing
      • test execution
      • test case determination
      • automatic test sequence generation
    • formal verification
      • (bounded) model checking
      • determinism checking
      • abstractions
      • theorem proving

Figure: tool chain from DOORS via the model construction kit into AutoFocus
3
Quest Concepts
  • integrated process as basis for integrated tools
  • modelling + validation + generation → correct systems
  • formal semantic basis for advanced validation

Figure: tools integrated in Quest: SMV, SATO, OCL, VSE, DOORS, CTE, ADA, Java, Eclipse, C, Prolog
4
Example: Car Seat
  • develop the controller of a car seat
  • hardware
    • panel for user interaction with buttons
      • B1: forward
      • B2: backward
      • S: store
      • M1: memory 1
      • M2: memory 2
      • Ev: buttons send events (pressed/released)
    • E: electric motor for adjustment
      • C: commands left/right/stop
      • O: output ticks (for completion of turns)
5
User Requirements
  • R1: seat position can be adjusted using the panel
  • R2: movement takes place while buttons are pressed
    • R21: B1 (green) moves the seat forward
    • R22: B2 (red) moves the seat backward
    • R23: M (M1 or M2) moves to the stored position
  • R3: two positions can be stored using the memory keys as follows
    • R31: press S
    • R32: release S
    • R33: press M (M1 or M2)
    • R34: release M

6
System Structure Diagram (SSD)
  • structure and interfaces of components
    • network of distributed components
    • typed, directed data-flow channels
    • ports for interfaces (I/O)
    • local variables
  • hierarchy
    • sub-SSDs in components
    • ports connect views

Figure: SSD notation: component, local variables, port, channel, hierarchic component
7
Data Type Definitions (DTD)
  • define types, constants and functions for channels, ports and variables
  • define values (terms) and patterns for transitions, messages and properties
  • hierarchy
    • DTDs import DTDs
    • types use other types

Example DTD of the seat (types and their values, plus a constant):

    data Commands = left | right | stop;
    data Events   = FwdPressed | FwdReleased | RevPressed | RevReleased
                  | SPressed | SReleased | M1Pressed | M1Released
                  | M2Pressed | M2Released;
    data Ticks    = turn;
    const MaxPos  = 100;
8
Requirements: Extended Event Trace (EET)
  • communication of components
    • axis for each component
    • messages with port patterns
    • ticks indicate time
    • modifiers indicate repetition
    • conditions describe states
  • hierarchy
    • boxes contain alternative EETs
    • component hierarchy
  • applications
    • requirements
    • test cases
    • counterexamples
    • protocols of simulation

Figure: EET notation: box, message, state condition, axis, tick, modifier
9
Prototyping
  • generation of prototypes from EETs
  • patented algorithm
  • combines several EETs
  • generates a prototype for each axis

10
Determinism Check
  • detects underspecifications automatically
  • based on symbolic evaluation
  • restricted to a finite number of inputs

Tool output in the figure: missing pattern in transition On_to_On for input port Panel?
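As an added illustration of what this check looks for (example code written for this page, not the Quest or AutoFocus implementation, which works by symbolic evaluation), the following Python transcribes R2 and R3 into guarded transition rules over the set of buttons held during one tick and enumerates every (state, input) pair. A pair with no applicable rule is an incompleteness, a pair with more than one is a nondeterminism; the seat example's question "what if more than one button is pressed?" shows up as the second kind. The state names, the rules, and the priority policy used to repair them are assumptions made for this example.

```python
"""Determinism and completeness check for the seat-panel STD (added example).

Transitions are (source state, guard over the held buttons, target state).
The check enumerates all 2^5 button sets per state and reports every pair
that is matched by zero rules (incomplete) or by several (nondeterministic).
State names, rules and the priority policy are assumptions for this example.
"""
from itertools import combinations

BUTTONS = ("B1", "B2", "S", "M1", "M2")          # panel buttons (slide 4)
STATES = ("Idle", "Fwd", "Rev", "SHeld", "WaitM", "MHeld", "Recall")


def all_inputs():
    """All sets of buttons that may be held at once during a single tick."""
    for k in range(len(BUTTONS) + 1):
        for combo in combinations(BUTTONS, k):
            yield frozenset(combo)


def mem(held):
    """Either memory key is held (R23, R33)."""
    return "M1" in held or "M2" in held


def underspecified_rules():
    """Rules as one would naively transcribe R2 and R3."""
    return [
        ("Idle",   lambda h: "B1" in h,      "Fwd"),     # R21 forward
        ("Idle",   lambda h: "B2" in h,      "Rev"),     # R22 backward
        ("Idle",   mem,                      "Recall"),  # R23 go to memory
        ("Idle",   lambda h: "S" in h,       "SHeld"),   # R31 press S
        ("Idle",   lambda h: not h,          "Idle"),
        ("Fwd",    lambda h: "B1" in h,      "Fwd"),     # R2 move while pressed
        ("Fwd",    lambda h: "B1" not in h,  "Idle"),
        ("Rev",    lambda h: "B2" in h,      "Rev"),
        ("Rev",    lambda h: "B2" not in h,  "Idle"),
        ("SHeld",  lambda h: "S" in h,       "SHeld"),
        ("SHeld",  lambda h: "S" not in h,   "WaitM"),   # R32 release S
        ("WaitM",  mem,                      "MHeld"),   # R33 press M
        ("WaitM",  lambda h: not h,          "WaitM"),
        ("MHeld",  mem,                      "MHeld"),
        ("MHeld",  lambda h: not mem(h),     "Idle"),    # R34 release M (store)
        ("Recall", mem,                      "Recall"),
        ("Recall", lambda h: not mem(h),     "Idle"),
    ]


def check_determinism(rules, states=STATES):
    """Map (state, held) -> list of targets for every pair whose number of
    applicable rules is not exactly one."""
    findings = {}
    for state in states:
        for held in all_inputs():
            targets = [dst for src, guard, dst in rules
                       if src == state and guard(held)]
            if len(targets) != 1:
                findings[(state, held)] = targets
    return findings


def classify(findings):
    """Return (number of incomplete pairs, number of nondeterministic pairs)."""
    incomplete = sum(1 for t in findings.values() if not t)
    nondet = sum(1 for t in findings.values() if len(t) > 1)
    return incomplete, nondet


def prioritize(rules):
    """Resolve overlaps by rule order: a rule fires only if no earlier rule
    of the same source state fires (first match wins)."""
    out = []
    for i, (src, guard, dst) in enumerate(rules):
        earlier = [g for s, g, _ in rules[:i] if s == src]
        out.append((src,
                    lambda h, g=guard, e=earlier: g(h) and not any(x(h) for x in e),
                    dst))
    return out


def fixed_rules():
    """Same rules plus an explicit decision for contradicting buttons (stay
    stopped) and a catch-all per state (unexpected input is ignored),
    resolved by priority. This policy is an assumption of the example."""
    conflict = [("Idle", lambda h: "B1" in h and "B2" in h, "Idle")]
    catch_all = [(s, lambda h: True, s) for s in STATES]
    return prioritize(conflict + underspecified_rules() + catch_all)


if __name__ == "__main__":
    bad = check_determinism(underspecified_rules())
    print("underspecified: %d incomplete, %d nondeterministic pairs" % classify(bad))
    print("Idle with B1 and B2 held ->", bad[("Idle", frozenset({"B1", "B2"}))])
    print("WaitM with B1 held ->", bad[("WaitM", frozenset({"B1"}))])
    print("after priorities:", check_determinism(fixed_rules()))
```

The exhaustive enumeration is only possible because the input alphabet is finite, which is the restriction the slide states; the repaired rule set is deterministic by construction, so the second run reports nothing.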
11
State Transition Diagrams (STDs)
  • behaviour of components
    • states
    • transitions
    • refer to interfaces (ports)
  • hierarchy
    • substates described with STDs
    • interface points for interlevel transitions

Figure: parts of a transition label: input, output, precondition (PC), action
12
Static Consistency Checks
  • user-definable, run automatically
  • for static inconsistencies and incompleteness
  • precondition for simulation
  • example: each component has a refinement (substructure) or a behaviour (STD)
  • advanced checks with OCL

Check result in the figure: we forgot to model the STD of the environment (motor)
13
Simulation
14
Validation Framework
  • based on the component models of AutoFocus
  • initiated by the BSI within the project Quest
  • numerous methods for different purposes
  • formal and informal techniques
  • tool architecture integrates other tools

15
More Formal Methods
  • model checking: SMV, Mucke
  • bounded model checking: SATO
  • transition checker (test sequences): SATO
  • abstraction techniques: Quest
  • theorem proving: VSE II
  • type checking: Quest
  • consistency checks: OCL

16
Less Formal Methods
  • simulation: AutoFocus
  • testing
    • selection of test values: CTE
    • determination of transition tour sequences: Quest
    • executing tests (load, run): Quest test driver
  • constraint solving simulation: Eclipse
    • search backward
    • different heuristics
    • interactive
  • prototyping: MSC2STD
  • code generation: C, Java, Prolog

17
Seat Example: Validation Results
  • consistency check found syntactic errors
  • simulation found modelling errors (incomplete model)
  • determinism check found a specification error
    (underspecification: what happens if more than
    one button is pressed? Priorities?)
  • bounded model checking detected deviations: the motor
    position differs from the controller's position value;
    the property <>(Controller.Current = Motor.Position)
    failed with a counterexample
  • requirements tracing ensures that all
    requirements are implemented
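To show what the bounded model check on this slide does, here is an added Python example (written for this page, not the Quest or SATO implementation): a breadth-first exploration of all panel input sequences up to a bound over the synchronous composition of the controller and a motor model, checking that Controller.Current equals Motor.Position in every reachable state. The slide's property is an eventuality; the invariant form is used here so that a violation is a finite trace, which is what a bounded checker reports. The motor model, the MaxPos reduced to 3, the open-loop bookkeeping bug and the stop-on-both-buttons policy are assumptions for this example, not the deviation the slide's model contained.

```python
"""Bounded model checking of the seat controller against its motor (added example).

Every input sequence up to `bound` ticks is explored breadth-first over the
pair (Controller.Current, Motor.Position). Two controller variants share the
model: open-loop bookkeeping that counts its own commands (hypothetical bug)
and closed-loop bookkeeping that counts the motor's turn ticks.
"""
from collections import deque

MAX_POS = 3                                     # slide's DTD: MaxPos = 100
DELTA = {"right": 1, "left": -1, "stop": 0}     # Commands from the DTD
INPUTS = (frozenset(), frozenset({"B1"}), frozenset({"B2"}),
          frozenset({"B1", "B2"}))              # buttons held in one tick


def controller_cmd(held):
    """R2/R21/R22: one motor command per tick from the buttons held.
    Both B1 and B2 held is treated as stop (assumed policy)."""
    if "B1" in held and "B2" in held:
        return "stop"
    if "B1" in held:
        return "right"
    if "B2" in held:
        return "left"
    return "stop"


def motor_step(pos, cmd):
    """Motor model: one step per tick inside [0, MAX_POS]; returns (pos, turned).
    `turned` is the tick on port O (Ticks = turn); at an end stop it does not turn."""
    new = pos + DELTA[cmd]
    if 0 <= new <= MAX_POS:
        return new, cmd != "stop"
    return pos, False


def open_loop(current, cmd, turned):
    """Buggy bookkeeping: assumes every command moved the seat."""
    return current + DELTA[cmd]


def closed_loop(current, cmd, turned):
    """Fixed bookkeeping: only a reported turn changes the position value."""
    return current + DELTA[cmd] if turned else current


def bmc(track, bound, inputs=INPUTS, invariant=lambda c, m: c == m):
    """Explore all input sequences up to `bound` ticks. Returns None if the
    invariant holds in every reachable state, otherwise the shortest
    counterexample as an event trace [(held, cmd, Current, Position), ...]."""
    start = (0, 0)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (current, pos), trace = queue.popleft()
        if len(trace) == bound:
            continue
        for held in inputs:
            cmd = controller_cmd(held)
            pos2, turned = motor_step(pos, cmd)
            cur2 = track(current, cmd, turned)
            step = (sorted(held), cmd, cur2, pos2)
            if not invariant(cur2, pos2):
                return trace + [step]
            if (cur2, pos2) not in seen:
                seen.add((cur2, pos2))
                queue.append(((cur2, pos2), trace + [step]))
    return None


if __name__ == "__main__":
    forward_only = (frozenset({"B1"}),)
    print("open loop, bound 6:", bmc(open_loop, 6))
    print("open loop, forward only, bound 3:", bmc(open_loop, 3, forward_only))
    print("open loop, forward only, bound 4:", bmc(open_loop, 4, forward_only))
    print("closed loop, bound 8:", bmc(closed_loop, 8))
```

The counterexample comes back in the shape of an EET, one entry per tick, which is how the slide on EETs lists counterexamples among their applications. The forward-only runs show the caveat of the method: the end-stop deviation needs four ticks to appear, so a bound of three reports nothing and proves nothing beyond that depth.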

18
Validations of Large Applications
  • BSI: storm surge barrier (model checking)
  • GD: smart card (constraint solving, MC)
  • TUM: Mars Polar Lander (hybrid model simulation)
  • DC: complex seat (real-time code generation)

19
Future
  • Validas Model Validation AG
    • marketing for the Quest tools: Validas Validation Framework
    • consulting, training, research
    • development of tools and applications
    • fields from formal methods to CASE tools
  • coming features
    • general model construction kit (DOORS into CASE tools)
    • ADA development
    • generation of code
    • testing interface to ATTOL tools (white box)
    • more test generation methods
  • further applications
    • certified electronic purse for Palm PDA
    • leading-edge system
    • validated smart cards

20
Conclusion
  • integrated process → integrated tools
  • formal basis → model validation
  • graphical, UML-RT-like models
  • free download: http://autofocus.in.tum.de
  • Validation Framework: http://validas.de