INCOSE/ILTAM Seminar: Contract Based System Engineering
Alberto Ferrari, March 5th, 2010
ALES S.r.l. and PARADES S.C. a R.L., alberto.ferrari@ales.eu.com
Advanced Laboratory on Embedded Systems S.r.l., A Research and Innovation Company

Outline
- Motivation
- Introducing Contracts
- Contract Based System Engineering
- Run-time Verification of Satisfaction
- Discrete Contract Compatibility Checking
- Hybrid Contracts
- Conclusions
9/17/2020 ALES S. r. l. Company Proprietary 2

Motivations
- Large (embedded) systems are distributed and complex
  - Collaboration of several (sw) components
  - Wide interaction with the environment
- Requirements are provided in natural language
  - Ambiguous interpretation leading to errors
- Validation of assumptions is made only very late in the design flow
- Different tools to specify and develop the (sw) components
- Several designers concur in the design and development of the system

Current Requirements in SysML
- The «requirement» stereotype represents a text-based requirement
  - Includes id and text properties
- Requirements hierarchy describes requirements contained in a specification
- Requirements relationships include DeriveReqt, Satisfy, Verify, Refine, Trace, Copy
(Figure: <<requirement>> SystemReq (Id, Text) related by <<deriveReqt>> to <<requirement>> BlockReq1 (Id, Text); <<block>> Block1 with a <<satisfy>> relation and <<TestCase>> TC1 with a <<verify>> relation)

From Requirements to Implementations
(Figure: the requirements space, holding high-level and low-level requirements, and the implementation space; relations shown: allocation, allocate/refine, trace, composition, satisfaction)

Introducing Contracts
- Provide a method to formalize requirements
  - (semi-)formal: patterns
    - Allows applying analysis techniques
    - Reduces/avoids ambiguities
    - Supports traceability
  - Distinguish between
    - What is assumed from the environment: Assumptions
    - What must be guaranteed by the component: Promise
(Figure: the Environment around a Component carrying a Contract (Ass, Prom))

Component and Contracts
- Enrich components with contracts
  - Assumption: determines the boundary conditions on the design context under which the component is promising its services
  - Promise: provides guarantees if the component is used in the assumed design context
- Contracts cover several aspects (multiview)
  - Assumptions and promises are organized in viewpoints
    - Behaviour, Safety, Real-Time, Power, ...
    - Shared information allows the specification of cross-viewpoint dependencies
- Contracts specify the behavior at the interface of the component
  - Completely defines the implementation space of components covering all viewpoints
  - E.g. characterizes when component upgrades during the product lifetime are permissible
- A component with its contracts is called a Rich Component
(Figure: Component with Contract (Ass, Prom))

Contract Abstraction
(Figure: Component with Contract (Ass, Prom) and the signals s1, s2, s3)
- (s1(tk), s2(i), s3(t)) abstracted as a [...]
- An [...] is defined as a set of behaviors
- A [...] is defined as the assertion [...]
- A [...] is represented by the pair [...]

Contracts in Natural Language
(Figure: Client and Server exchanging msg and ack, with a Contract of Client box and a Contract of Server box in natural language)

Contracts in Formal Language
(Figure: Contract of Client as the automata AC and PC, Contract of Server as the automata AS and PS, both over the events msg and ack)

Incompatible Contracts!!!
(Figure: the composition of the client automata AC, PC with the server automata AS, PS reaches a Fail state)

Modified Contracts in Natural Language
(Figure: Client and Server exchanging msg and ack, with the modified Contract of Client and Contract of Server boxes; the only surviving text reads "every two")

Modified Contracts in Formal Language
(Figure: the modified client and server contract automata over msg and ack)

Compatible Contracts!
(Figure: the composition of the modified automata AC, PC, AS, PS; no Fail state is reached)

Parallel Composition of Contracts
(Figure: Client and Server composed over msg and ack)
Definition: [...]
Result: [...]

Contract Compatibility
(Figure: Client and Server over msg and ack)
Definition: [...]

Satisfaction of Contracts
(Figure: Client Implementation MC and Server Implementation MS checked against the Client and Server contracts, over msg and ack)
Definition: [...]
Result: [...]

Contract Dominance
(Figure: Client and Server over msg and ack; the Contract of Client shown next to a Refined Contract of Client)
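The satisfaction and dominance relations of the last four slides, worked on finite behaviour sets for the client contract and a refined version of it. This is an added example, not the slides' own definitions (which did not survive extraction) nor SPEEDS code; the set-based assume/guarantee definitions it uses, the trace horizon and the two implementations are assumptions.

```python
"""Satisfaction and dominance of contracts as inclusions between behaviour sets.

Added example, not the slides' own definitions (their Definition boxes did not
survive extraction); it uses the standard assume/guarantee reading, stated
here as an assumption: behaviours are finite event traces over {msg, ack} up
to a fixed length, a contract is (A, P) with assumption A on the environment
and promise P, an implementation M satisfies (A, P) iff every behaviour of M
allowed by A lies in P, and C1 dominates C2 iff C1 accepts every environment
C2 accepts and promises at least what C2 promises.
"""
from itertools import product

EVENTS, HORIZON = ("msg", "ack"), 4
UNIVERSE = frozenset(tr for n in range(HORIZON + 1)
                     for tr in product(EVENTS, repeat=n))

def behaviours(ok):
    """All traces up to HORIZON accepted by the predicate ok(trace)."""
    return frozenset(tr for tr in UNIVERSE if ok(tr))

def max_in_flight(trace):
    """Largest number of msgs awaiting an ack, or None if some ack arrives
    with no msg pending (an unsolicited ack)."""
    n = high = 0
    for ev in trace:
        n += 1 if ev == "msg" else -1
        if n < 0:
            return None
        high = max(high, n)
    return high

def saturate(contract):
    """Add to the promise every behaviour the assumption excludes: a component
    is not blamed for what happens once the environment misbehaves."""
    A, P = contract
    return A, P | (UNIVERSE - A)

def satisfies(M, contract):
    A, P = saturate(contract)
    return M & A <= P

def dominates(c1, c2):
    """c1 refines c2: weaker-or-equal assumption, stronger-or-equal promise."""
    (A1, P1), (A2, P2) = saturate(c1), saturate(c2)
    return A2 <= A1 and P1 <= P2

# Client assumption (slide): the server never acks without a pending msg.
A_CLIENT = behaviours(lambda tr: max_in_flight(tr) is not None)
# Contract of Client: no constraint on when msgs are sent.
CLIENT = (A_CLIENT, UNIVERSE)
# Refined Contract of Client (reconstructed): at most one msg in flight.
CLIENT_REFINED = (A_CLIENT, behaviours(lambda tr: max_in_flight(tr) in (0, 1)))
# Constructed implementations: strict msg/ack alternation vs. two msgs then two acks.
M_ALTERNATING = behaviours(lambda tr: tr == ("msg", "ack", "msg", "ack")[:len(tr)])
M_EAGER = behaviours(lambda tr: tr == ("msg", "msg", "ack", "ack")[:len(tr)])
```

Because the refined contract dominates the original one, every implementation of the refined contract (here M_ALTERNATING) also satisfies the original, while M_EAGER satisfies only the original.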
Towards a Fully Engineered Design Flow
(Figure: V-shaped flow; problem decomposition on the left: System requirements, System partitioning, Sub-System specification, Network requirements specification, Sub-System implementation, Network selection and configuration; integration on the right: Sub-System deployment, Network components, Integration)
- Are requirements consistent?
- Is the sub-system specification consistent with the requirements?
- Is the implementation consistent with the specification?
- Are integrated components compatible?

Contract Based Design Methodology: From Requirements to Implementations using Contracts
(Figure: Requirements space, Contract space and Implementation space, with the relations compatibility, dominance, parallel composition and satisfaction)

Associating Contracts to Different System Levels
Contracts enable:
- Speculative design
- Concurrent engineering
- Verification decomposition

Contracts for Design and Verification: Relations and Analyses
(Figure: the Virtual Engineering flow; problem decomposition on the left: System requirements capture with contracts, System partitioning, Sub-System contract specification, Network requirements specification, Sub-System implementation, Network selection and configuration, netlist synthesis (Ariadne, NuSMV, COSI); integration on the right: Sub-System deployment, Network components, Integration; analyses: Contract compatibility verification and Contract satisfaction verification; relations: compatibility, dominance, satisfaction)

SPEEDS Technologies Overview
- Heterogeneous Rich Component (HRC) specification language (SysML-alike) to capture architecture, behavior and requirements by contracts
- Contract Specification Language (CSL): higher-level language with respect to the HRC low-level FSM-based language
- SPEEDS Bus / SPEEDS Repository
  - Unique platform for exchanging/storing models and invoking services
- Hosted Simulation protocol for run-time verification
- Analysis tools for (formal) compatibility, dominance and satisfiability verification
- Process Advisor ("SPEEDS Desktop")
  - Controls analysis service invocation, provides measurements of the design

SPEEDS Contract Based Approach
HRC is the lingua franca of embedded systems: everyone understands and speaks the same language
- Modeling tools are enhanced with importers/exporters (tool vendors)
  - For structure (only HRC)
  - For behavior (both HRC and HS-enabled C code)
- Benefits:
  - Multiple tools for specification, simulation and analysis of heterogeneous systems
  - Contracts: formal requirements together with the model
  - Unique universal semantic foundation

SPEEDS Architecture
(Figure: the modeling tools SCADE, Simulink, SCADE Display, Rhapsody, Tool Z and RT-Builder connected through adapters to the HRC meta-model and the SPEEDS Bus; on the bus: Process Advisor, AP editor, Analysis Y, DESYRE, the SPEEDS Repository and the analysis services Compatibility, Satisfaction and Dominance)

Satisfaction Relation Checking
(Figure: as in the Contract Based Design Methodology slide: Requirements space, Contract space and Implementation space with the relations compatibility, dominance, parallel composition and satisfaction)

The System: Car and Cruise Control
(Figure: Cruise Control and Car with the signals On, Off, Resume, Set, QuickAccel, QuickDecel, Accel, Brake, Gear, Vehicle Speed, Engine Rpm, Cruise state, Cruise speed and Throttle cmd)

The System Behaviour using Contracts
- The Cruise Control controls the throttle of the engine management of the Car to keep the speed of the car constant ... blah ...
- SPEEDS contract formalism to capture requirements
SPEEDS Contracts: Brake Disengagement, Speed Control Quality

Contract "Brake Disengagement": English, CSL, EFSM
- English: Whenever the brake pedal is pressed, the throttle is set to 0
  - Assumption: Brake pedal is pressed.
    - CSL: Always[ brake > 0 ]
    - Compiled (EFSM): TRUE, brake > 0
  - Promise: Brake pedal is pressed implies throttle = 0
    - CSL: Always[ brake > 0 => throttle = 0 ]
    - Compiled (EFSM): TRUE, (brake > 0) => throttle = 0

Design Methodology: From Requirements to Contracts and to Implementations
(Figure: as in the Contract Based Design Methodology slide: Requirements space, Contract space and Implementation space with the relations compatibility, dominance, parallel composition and satisfaction)

Satisfaction Check for Discrete Systems
(Figure: Scade, Rhapsody and Simulink export Hosted Simulation compliant models into the HRC meta-model on the SPEEDS Bus, alongside the AP editor and the SPEEDS Repository)
Contract: "Whenever the brake pedal is pressed, the throttle is set to 0", i.e. Always[ brake > 0 => throttle = 0 ]

Satisfaction Check for Discrete Systems
(Figure: the HRC meta-model on the SPEEDS Bus carries, for a Rich Component, both the contracts and the Hosted Simulation compliant C code)
Rich Component (HRC model):
- contracts: TRUE (brake > 0) => throttle = 0
- implementation: void F(){ if( … ){ } }

Closing the System Model and Run-Time Verification
- The top-level schematic is captured in Rhapsody or RT-Builder and translated (automatically) to HRC
  - Imported (automatically) in DESYRE
  - The monitor is automatically synthesized from the contracts
  - The run-time verification is performed by the hosted simulation
(Figure: Cruise Control with its (Contract) Monitor, the Driver Model (SCADE) and the Environment)

Hosted Simulation
- Need to use several COTS tools and share models among them
- Old solution: co-simulation
  - Low performance due to communication and coordination overhead
  - The user is required to have all the tools to execute the simulation
  - Each tool must have simulation capabilities
- Our approach: hosted simulation
  - Import components and allow simulation in a single tool (referred to as the hosting tool)
  - Hosted simulation protocol
    - Coordinates the simulation
    - Preserves the semantics of the source model
- Requirement
  - All tools export C code conforming to the hosted simulation interfaces
  - Hosting tools implement the protocol natively

DESYRE: A Simulation Based Analysis Framework
Design integration platform capable of supporting university and industrial research efforts for dependable distributed real-time embedded systems
Methodology:
- Platform based design methodology: Function/Architecture/Mapping
- Contract based design methodology
Modeling:
- Performance modeling for architectures and back-annotation
- TLM modeling of components and TLM integration: TLM refinement, SPIRIT integration capability
- Simulink TLM component integration capability
- Simulink/SCADE/Rhapsody hosted simulation integration capability (development)
- C/C++ execution model integration
- SysML component and architecture integration (development)
Verification:
- SPEEDS Hosted Simulation
- TLM simulation: virtual prototyping
- Code validation by simulation
- Co-emulation between DESYRE models and Micaz WSN
Contract Based Verification:
- Monitor synthesis and hosted simulation
- Compatibility and consistency checking (development) by formal verification
- Hybrid contract verification (development) by formal verification
- Automatic test vector generation (future)
Design Space Exploration and Synthesis:
- Integration of COSI for synthesis of network topology
- Design space deployment and exploration (mapping)
Additional Analysis:
- Safety analysis (to be developed)

Satisfaction Check for Discrete Systems
SPEEDS case studies:
- WaterTank discretized
- UTOPAR (Cruise Control)
- INTERNAL trace-based hosted simulations
(Figure: in the DESYRE Design Framework, the HRC model (contracts TRUE (brake > 0) => throttle = 0, implementation void F(){ if( … ){ } }) goes through Monitor Synthesis into a Monitor IP and an IP wrapper around the Component IP; Composition Generation produces the composition run by the DESYRE Simulator, yielding simulation results; models come from the SPEEDS Bus and SPEEDS Repository)

Compatibility Check for Discrete Systems
(Figure: the Contracts for Design and Verification flow again, with Contract compatibility verification, Contract satisfaction verification and netlist synthesis (Ariadne, NuSMV, COSI))

NuSMV Based Compatibility Analysis
- NuSMV used as analysis engine
  - NuSMV is a verification tool provided by FBK, Trento, Italy, and a special license has been provided to ALES/PARADES for its distribution inside SPEEDS
  - Models of assumptions and promises translated into the SMV language
  - Compatibility set up as a game between the system and its environment
  - The environment tries to avoid (hit) the failure state
- Output
  - NuSMV generates a game strategy that shows how to avoid (compatible) or how to hit (incompatible) a failure state
  - The strategy is used to drive a simulation with the system
  - In case of incompatibility, a violating trace is generated

Server/Client Example
(Figure: the composition of the client automata AC, PC and the server automata AS, PS over msg and ack reaches the Fail state)
Violation trace: (msg, msg)
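The client/server compatibility check of the formal-language slides and of the NuSMV analysis above, as an added example that is not SPEEDS or NuSMV code: the four automata are a constructed reconstruction of the slide's contracts, and the search is plain reachability over their composition rather than the game NuSMV solves. It finds the slide's violation trace (msg, msg) and passes once the client's promise is modified to wait for the ack.

```python
"""Compatibility check of client/server contracts by exploring their composition.

Added example, not SPEEDS or NuSMV code: the four automata below are a
constructed reconstruction of the slide's client/server pair (the drawings
did not survive extraction).  Each automaton maps (state, event) -> next
state; a missing entry means the automaton rejects that event there.
"""
from collections import deque

OWNER = {"msg": "client", "ack": "server"}   # which side emits each event

def alternating():
    """msg and ack strictly alternate, starting with msg."""
    return {(0, "msg"): 1, (1, "ack"): 0}

# Server contract: assumption on the client, promise about its own acks.
A_S = alternating()                                   # a new msg only after the ack
P_S = {(0, "msg"): 1, (1, "msg"): 1, (1, "ack"): 0}   # ack only while a msg is pending

# Client contract.  Assumption: the server never acks without a pending msg.
A_C = {(0, "msg"): 1, (1, "msg"): 1, (1, "ack"): 0}
P_C_EAGER = {(0, "msg"): 0, (0, "ack"): 0}            # may send msg before the ack (incompatible)
P_C_POLITE = alternating()                            # modified: waits for the ack first

def compatibility(A_c, P_c, A_s, P_s):
    """Breadth-first search over the composed contracts.  Returns None when no
    promised event of one side violates the other side's assumption, otherwise
    the shortest violating event trace.  This is a plain reachability search,
    not the game formulation the slides solve with NuSMV."""
    autos = {"A_c": A_c, "P_c": P_c, "A_s": A_s, "P_s": P_s}
    start = (0, 0, 0, 0)
    queue, seen = deque([(start, ())]), {start}
    while queue:
        state, trace = queue.popleft()
        cur = dict(zip(autos, state))
        for ev in ("msg", "ack"):
            client_emits = OWNER[ev] == "client"
            promise = "P_c" if client_emits else "P_s"        # emitter's promise
            assumption = "A_s" if client_emits else "A_c"     # receiver's assumption
            if (cur[promise], ev) not in autos[promise]:
                continue                         # the emitter may not send ev here
            if (cur[assumption], ev) not in autos[assumption]:
                return trace + (ev,)             # receiver's assumption violated
            # Automata with no entry for ev (own assumption, receiver's promise) stay put.
            nxt = tuple(autos[n].get((cur[n], ev), cur[n]) for n in autos)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + (ev,)))
    return None

if __name__ == "__main__":
    print(compatibility(A_C, P_C_EAGER, A_S, P_S))    # ('msg', 'msg')
    print(compatibility(A_C, P_C_POLITE, A_S, P_S))   # None
```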
Satisfaction for Hybrid Systems
- Water tank case study
- Contract 1: "The tank should never overflow"
  Always [wl >= 0 & wl <= H]
- Contract 2: "After the first 10 seconds, the water level should always be confined in [WLmin, WLmax]"
  whenever [Startup] occurs [wl >= 3 m & wl <= 5 m] holds during following [Startup+10 sec, FALSE)
(Figure: Tank Implementation in Rhapsody)
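Monitors for the Brake Disengagement contract of the run-time verification slides and for the water tank's contract 2, as an added example that is not SPEEDS/DESYRE monitor-synthesis output: the pattern implementations, the trace format and the sample traces are constructed assumptions, and the tank contract is checked here over a constructed sampled trajectory rather than by reachability analysis.

```python
"""Run-time monitors synthesized from the slides' contract patterns.
Added example, not SPEEDS/DESYRE code: it implements the two CSL patterns the
slides use, Always[...] (Brake Disengagement) and "whenever [E] occurs [P]
holds during [E+10 sec, FALSE)" (water tank, contract 2), and runs them over
constructed traces instead of a hosted simulation.  A trace is a list of
(time, sample) pairs; a sample is a dict of signal values.
"""

def always(pred):
    """Monitor for Always[pred]: returns the first time pred fails, else None."""
    def monitor(trace):
        for t, s in trace:
            if not pred(s):
                return t
        return None
    return monitor

def whenever_holds_during(event, pred, delay):
    """Monitor for: whenever [event] occurs, [pred] holds during
    [t_event + delay, FALSE), i.e. from delay after the event on, with no
    end.  Each occurrence of the event opens its own window."""
    def monitor(trace):
        windows = []
        for t, s in trace:
            if event(s):
                windows.append(t + delay)
            if any(t >= w for w in windows) and not pred(s):
                return t
        return None
    return monitor

def check(assumption, promise, trace):
    """Satisfaction verdict for one run.  The promise is owed only while the
    environment keeps the assumption, so a promise failure counts against the
    component only if it happens strictly before the assumption is broken."""
    a_fail, p_fail = assumption(trace), promise(trace)
    if p_fail is not None and (a_fail is None or p_fail < a_fail):
        return ("violated", p_fail)
    if a_fail is not None:
        return ("assumption broken", a_fail)
    return ("satisfied", None)

# Brake Disengagement (slide): Always[brake > 0] / Always[brake > 0 => throttle = 0]
BRAKE = (always(lambda s: s["brake"] > 0),
         always(lambda s: s["brake"] <= 0 or s["throttle"] == 0))

# Water tank contract 2 (slide), with the trivial assumption TRUE:
# whenever [Startup] occurs [wl >= 3 & wl <= 5] holds during [Startup+10 sec, FALSE)
TANK2 = (always(lambda s: True),
         whenever_holds_during(lambda s: s["startup"],
                               lambda s: 3 <= s["wl"] <= 5, delay=10))

# Constructed traces, one sample per second.
BRAKE_OK = [(t, {"brake": 1, "throttle": 0}) for t in range(5)]
BRAKE_BAD = BRAKE_OK[:3] + [(3, {"brake": 1, "throttle": 20})]   # throttle open while braking
BRAKE_ENV = BRAKE_OK[:2] + [(2, {"brake": 0, "throttle": 30})]   # pedal released: environment's doing
TANK_OK = [(t, {"startup": t == 0, "wl": min(1 + 0.5 * t, 4)}) for t in range(20)]
TANK_BAD = [(t, {"startup": t == 0, "wl": 2.5 if t == 15 else 4}) for t in range(20)]
```

check(*BRAKE, BRAKE_ENV) reports the broken assumption rather than a component violation, which is the distinction a satisfaction monitor must make before blaming the implementation.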
Hybrid Analysis: ARIADNE
- http://www.parades.rm.cnr.it/ariadne
- ARIADNE: hybrid reachability analysis by over-/under-approximation
  - CWI (Dutch national research institute), University of Udine, University of Verona, PARADES
- PARADES activities:
  - Driving specifications
  - Connection with SPEEDS technologies
  - Problem "transformation" definition
  - Implementation of the SPEEDS connection: hrc2ariadne
- Technology aspects
  - Transformations using ATL and Kermeta
  - Eclipse modeling related technologies: EMF, plugin & PDE, extension location

Satisfaction for Hybrid Systems
(Figure: in the DESYRE Design Framework the HRC model (contracts, implementation) is composed and transformed for ARIADNE reachability analysis, which reports "Violation!"; models come from the SPEEDS Bus and repository)

Adding a Controller Contract
(Figure only)

(Hybrid) Dominance Relation Checking
Introducing a new proportional (gain scheduling) controller: can the system controlled with the new controller substitute the previous system?
Dominance checking: from time t* on, the over-approximation of the contract satisfied by the proportional controller is fully contained inside the inner approximation of the contract related to the hysteresis controller -> the proportional controller dominates the hysteresis one, i.e. the latter can substitute the former one.
(Figure: reachable-set plots with t* marked)

Conclusion
- Contract Based System Engineering (CBSE) allows filling the gap between natural language requirements and implementation (from the model on)
- HRC enables heterogeneous specification and tool cooperation
- The SPEEDS infrastructure allows the tools to be integrated
- The hosted simulation protocol (HS) allows cross-tool run-time verification of satisfaction relations
- DESYRE is a tool embedding HRC and HS to support the designer in a CBSE flow
- Hybrid contracts can be effectively used, and satisfaction and dominance can be proved (up to some limits...)

Thanks to
- Leonardo Mangeruca
- Christos Sofronis
- Luca Benvenuti
- Orlando Ferrante
- Emanuele Mazzi