CNES Case Study
Sagar Sen, Benoit Baudry
Introduction (1)
- International Space Station (ISS)
- Automated Transfer Vehicle (ATV)
Introduction (2)
1. Over 770 procedures
2. 10,000 telemetry parameters
3. 50,000 tele-command parameters
4. Subset of UML Activity Diagrams to define activities for the ATV that use these procedures and read these parameters
Introduction (3)
Example Activity in the ATV
1. A UML Activity Diagram to control star trackers
2. A safety-critical activity
3. A star tracker can be used only below -9 degrees C
4. There is a redundant star tracker if the first is non-functional
5. There is a procedure to cool, called setTemperature
Transformation (UML2O2PL)
Input Domain
Cartier: UML Activity to Alloy

    sig Activity extends PackageableElement {
      node : set ActivityNode,
      edge : set ActivityEdge,
      isReadOnly : one Bool,
      isSingleExecution : one Bool
    }

    abstract sig ActivityNode extends RedefinableElement {
      activity : lone Activity,
      incoming : set ActivityEdge,
      outgoing : set ActivityEdge,
      redefinedElement : set ActivityNode
    }
Automatically Generated Facts on UML Metamodel

    fact Activity_containers {
      (all o : Activity | o in Package.packagedElement)
    }

    fact Activity_node_composite {
      all o1 : Activity, o2 : Activity |
        all p1 : o1.node, p2 : o2.node | p1 = p2 implies o1 = o2
    }

    fact ActivityNode_outgoing_ActivityEdge_source_opposite {
      all o1 : ActivityNode, o2 : ActivityEdge |
        o2 in o1.outgoing implies o1 in o2.source
    }
Guiding Generation Using Predicates

    pred GenerateAndTestCustom {
      #Activity = 1 and
      #ActivityEdge = 7 and
      #ReadStructuralFeatureAction = 5 and
      #CallOperationAction = 1 and
      #InitialNode = 1 and
      #ActivityFinalNode = 1 and
      #DecisionNode = 3
    }

    run GenerateAndTestCustom for 30