5th NASA LFM Workshop 2000 Oscar Slotosch, TU München, slide: 1 Williamsburg 6.13 - 6.16.2000 1....

5th NASA LFM Workshop 20005th NASA LFM Workshop 2000

Oscar Slotosch, TU München, Oscar Slotosch, TU München, slide: slide: 11Williamsburg Williamsburg 6.13 - 6.16.20006.13 - 6.16.2000

1. AutoFocus: Concepts2. Model Description Techniques3. Consistency Checks4. Simulation5. Project Quest: Validation6. Model Checking & Abstraction7. Testcase generation8. Verification9. Summary

Contents:

Introduction toIntroduction to



Conceps of AConceps of AUTOUTOFFOCUSOCUS/Quest/Quest

formal, logical foundation: FOCUS, mathematical models and methods for distributed systems based on traces and stream processing functions (combine functions & states)

view orientation: different views of a semantic model

modularity: hierarchic views

orthogonal concepts

integration: close connection to other languages and tools



Contributions of AContributions of AUTOUTOFFOCUSOCUS/Quest/Quest software engineering

structure systems modular consistency validation integration into process (requirements, design, implementation, test)

formal methods & tools application evaluation integration into SWE process improve (faciliate) inputs (and outputs) to formal tools

teaching & research plattform for experimentation (case studies, prototypes, research, ...) teach students practitcal SWE & programing

industry create spin-off company: Validas AG provide support and introduction to highest software quality



Modeling with AModeling with AUTOUTOFFOCUSOCUS

description techniques (views) structure: System Structure Diagrams (SSDs) behaviour: State Transition Diagrams (STDs) interaction: Extended Event Traces (EETs) data: Data Type Definitions (DTDs)

common attributes of views hierarchy conceptual & semantic model integration



Example: Traffic LightsExample: Traffic Lights lights for pedestrians and cars request buttons and indicators for pedestrians task: developm correct controller for lights



System Structure Diagram (SSD)System Structure Diagram (SSD) structure and interfaces

network of distributed components typed, directed data flow channels ports for interfaces (I/O) local variables

hierachy sub-SSDs in components ports connect views



State Transition Diagram (STD)State Transition Diagram (STD) behaviour of components

states transitions with:

• precondition: x>0• input: set?x• output: timeout!• actions: t=x-1• label starting

hierachy substates described with STDs interface points for interlevel transitions



Extended Event Trace (EET)Extended Event Trace (EET)

DetCLOSE DetOPEN Split Compare_Logic

1 - *

SelectHighIWLTrigger.Present

SelectHighIWLTrigger1.Present



notCLOSE.Present

OWL3.S25

Initialization

communication of components axis: for each component messages: with port patterns: ticks: x=0 modiefiers: indicate repetition

hierachy boxes: contain alternative EETs component hierachy

applications requirements test cases counter examples protocols of simulation



Data Type Definition (DTD)Data Type Definition (DTD) define types and functions for

channels, ports and variables

define values (terms) and patterns for transitions, messages and properties

hierachy: DTDs import DTDs types use other types

// type of car´s lightsdata CarColor = Red | RedYellow | Green(Int) | Yellow;// type of signalsdata Signal = Present;// function for switchingconst TG = 10;fun switching(Red) = RedYellow | switching(RedYellow) = Green(TG) | switching(Green(0)) = Yellow | switching(Green(n)) = Green(n-1) | switching(Yellow) = Red; None;



Conceptual ModelsConceptual Models

model:

views:

Ports

Component

0..*

1

OutChannels SourcePort

0..* 1

InChannel DestinationPort

0..1 1

SubComponents

SuperComponent

0..*

0..1

Channels0..*

1

0..1

0..*

SuperComponent

SubComponents

1

0..*

Component

Channels 0..*

Component

Ports

10..*

SourcePortOutChannels

10..1

DestinationPortInChannel

Component

-Name:String

Channel

-Name:String

-Type:MIFType

Port

-Name:String

-Direction:Direction

-Type:MIFType



Consistency ChecksConsistency Checks inter and intra view checks based on conceptual model user defineable example: every channel has two ports with

the same type



Create Consistency ChecksCreate Consistency Checks



Apply Consistency ChecksApply Consistency Checks



Semantic ModelSemantic Model simple synchronous model (no buffers) global takt for all components all components synchronously do

read their inputs from channels execute transitions write outputs to channels start new cycle

main application area: embedded systems



SimulationSimulation



Multimedia AnimationMultimedia Animation in addition to the generated environment advantages

easy handling (click buttons) user-definable graphical animation easy integration to other programs

example: Formula Graphics Animation



Implementation of AnimationImplementation of AnimationAUTOFOCUS-Simulation

AUTOFOCUS-Environment

Simulation server multimedia client

Device-Dependent

Java-RMI-Interface

RMI

Multimedia Application

Windows-Messages



The Project The Project client: German Information Security Agency (BSI) goal: improve quality of software way: combine CASE tool with formal methods

connect to tools: VSE, SMV, SATO, CTE generate test cases

partners in the project: TUM, DFKI, DC, ist duration: 1997-1999 casestudy: emergeny closing system Oostershelde



Structure of Structure of

Eng1

Eng {Engine}

Fuel

Eng2

Eng1

Eng {Engine}

f irst {PAlarm}

Fuel

Eng1

Eng {Engine}

Eng2

Nil

Temp

Alarmlist e

alarmlist e

f irst {PAlarm}

Eng2

Cons

Eng1

Eng {Engine}

rest {List {PAlarm}}

Nil

Temp

PonR

Eng2

Cons

rest {List {PAlarm}}

PonR Nil Cons

1

2

3

4

5

6

7

8

9

10

11

Classification Tree Editor

CTE

JavaProgram

SMVSPEC AF ( AG ((closeHappend & Consider_OPEN &

A [!FORBIDOpen U OPENpuls] &

A [notCLOSE U OPEN]) -> AF OPEN ))

-- specification is true

resources used:user time: 0.67 s, system time 0.03 sBDD nodes allocated: 39050Bytes allocated: 1703936BDD nodes representing transition relation: 24820 + 13

FOCUS



Model Checking ProcessModel Checking Process

modelmodel propertyproperty++ verifiedverified

counter examplecounter examplefalsefalse

timeout

timeout

SMVSMV

SMVSMV

false(k)false(k)SATOSATO

SATOSATOtrue(k)true(k)

true(max)true(max)

??

tootoocomplex complex modelmodel

time

outtim

eout

refinerefine refinerefinecorrectcorrect

abstract & abstract & reduce modelreduce model

correctnesscorrectness conditionsconditions

truetrue



AbstractionsAbstractions abstract (simple) and concrete (complex) models check abstract model and relay on concrete one generate proof conditions for selected properties proving correctness is quite simple finding abstractions (for certain properties) is not!

“Abstraction Chooser“ supports user (type correctness)

example: Int -> Bool, 0->False, 1->True, 2->...



PropertiesProperties

simple temporal logic describe the model user support

specification pattern model-based editor consistency checks



Model Checking Run Model Checking Run



Testsequence GenerationTestsequence Generation based on models (conceptual & semantic)

reach all states of STD execute all transitions of STD test all communications between components produce certain output (e.g. withdraw money

from a modeled ATM)

classify variables of model using CTE according to definition of their type

execute test: EET <-> Java class



Classification with CTEClassification with CTE



Selection of Test CasesSelection of Test Cases

ClassificationtreeClassificationtree

Combination-Combination-tabelletabelle



Example: TransitionstourExample: Transitionstour



Verifikation using VSE IIVerifikation using VSE II VSE II theorem prover (DFKI) connected:

translation: model -> VSE spec VSE II theorems for correctness of abstractions (partial) translation VSE spec -> model

VSE II: interactive verification TLA-like logic good proof management visualization of proof structures



Screenshot VSE IIScreenshot VSE II



Case Study: Storm Surge BarrierCase Study: Storm Surge Barrier

application systemmodel

Open23Voter

Statemachine

PulseGenerator

Local Variables: Int t = 0

And

FORBIDopen:Signal

OPENallowed:Signal

OPENtrigger:Signal

OTrigger:SignalOPENpuls:Signal

OPEN:Signal

OPENdif1OK:Signal

OPENdif2OK:SignalOPENdif3OK:Signal

OPENdifOK:Signal

notCLOSEtoAND:Signal

notCLOSEtoSM:Signal



Adequate Models: SSDs, STDsAdequate Models: SSDs, STDssafety critical requirements formulatedsafety critical requirements formulated

FORBIDopen?;OPENdifOK?:OPENallowed!Present:

OPENpuls?:OPENtrigger!Present;OPENallowed!Present:

State1 State2

State3

notCLOSEtoSM?;FORBIDopen?:OPENallowed!Present:

FORBIDopen?Present::

OPENdifOK?Present;notCLOSEtoSM?Present;FORBIDopen?:OPENtrigger!Present;OPENallowed!Present:

OPENpuls?Present::

client‘s model: AUTOFOCUS:



Complete ModelComplete Model

HW

D

IWL1:SensorSig

IWL2:SensorSig

IWL3:SensorSig

OWL1:SensorSig

OWL2:SensorSig

OWL3:SensorSig

SelectHighIWLTrigger:Signal FORBIDopen:Signal

OPENallowed:Signal

OPEN:Signal

notCLOSE:Signal

Determine_CLOSE

D

Determine_OPEN

D

Compare_Logic

D

notCLOSE:Sig

OPENallowe

OPEN:Signa

I1OK:Sig

I2OK:Sig

I3OK:Sig

O1OK:Sig

O2OK:Sig

O3OK:Sig

OI1OK:Si

OI2OK:Si

OI3OK:Si

OPENdif1

OPENdif2

OPENdif3

FORBIDopen:SignalSelectHighIWLTrigger:Signal

IWL1:S

IWL2:S

IWL3:Se

OWL1:S

OWL2:S

OWL3:S

notCLOSE2:Signal

IWLlowerTrigger

D

OWLlowerTrigger

D

OWLlowerIWL

D

IWLsubOWLlowerOPENDif

D

IWL1b:SensorSig

OWL2b:SensorSig

OWL3b:Se

IWL2c:SensorSig

IWL3c:SensorSig

I1OK:Signal

I2OK:Signal

I3OK:Signal

O1OK:Signal

O2OK:Signal

O3OK:Signal

OI1OK:Signa

OI2OK:Signa

OI3OK:Signa

OPENdif1OK:Signal

OPENdif2OK:Signal

OPENdif3OK:Signal

OWL1a:SensorSig

SelectHighIWLTrigger:Sign

OWL1b:SensorSig

OWL1c:SensorSigOWL2c:SensorSig

OWL2a:SensorSig

OWL3c:SensorSig

OWL3a:SensorSig

IWL1c:SensorSig

IWL1a:SensorSig

IWL2b:SensorSig

IWL2a:SensorSig

IWL3b:SensorSig

IWL3a:SensorS

IWL23Voter

OWL23Voter

OI23Voter

GE_1

Monostable_multivibrator

And

realNotCLOSE:Signal

I1OK:Signal

I2OK:Signal

I3OK:Signal

O1OK:Signal

O2OK:Signal

O3OK:Signal

OI1OK:Signal

OI2OK:Signal

OI3OK:Signal

IWLlowerTrigger:Signal

OWLlowerTrigger:Sig

OWLlowerIWL:Signal

notCLOSE:Signal

notCLOSEPulse:Signal

realNotCLOSEtoAND:Signal

Open23Voter

Statemachine

PulseGenerator

And

FORBIDopen:Signal

OPENallowed:Signal

OPENtrigger:Signal

OTrigger:Signal

OPENpuls:Signal

OPEN:Signal

OPENdif1OK:Signal

OPENdif2OK:Signal

OPENdif3OK:Signal

OPENdifOK:Signal

notCLOSEtoAND:Signal

notCLOSEtoSM:Signal

CompareIWL1

CompareIWL2

CompareIWL3

SelectHighIWLTrigger1:Signa

I1OK:Signal

I2OK:Signal

I3OK:Signal

IWL1a:SensorSig

IWL2a:SensorSig

IWL3a:SensorSig

SelectHighIWLTrigger2:Signal

SelectHighIWLTrigger3:Signa

CompareOWL1

CompareOWL2

CompareOWL3

O1OK:Signal

O2OK:Signal

O3OK:Signal

OWL1a:SensorSig

OWL2a:SensorSig

OWL3a:SensorSig

CompareOPEN_DIFFERENCE1



IWL1c:SensorSig

OWL1c:SensorSig

IWL2c:SensorSig

OWL2c:SensorSig

IWL3c:SensorSig

OWL3c:SensorSig

OPENdif1OK:Signal

OPENdif2OK:Signal

OPENdif3OK:Signal

CompareIWL_OWL1

CompareIWL_OWL2

CompareIWL_OWL3

IWL1b:SensorSig

OWL1b:SensorSig

IWL2b:SensorSig

OWL2b:SensorSig

IWL3b:SensorSig

OWL3b:SensorSig

OI1OK:Signal

OI2OK:Signal

OI3OK:Signal



Hybrid Model: Mars Polar LanderHybrid Model: Mars Polar Lander explicit model of time discretizations of

diffential equations functions to compute

next values generation of

continuous diagrams



Polar Lander: The ModelPolar Lander: The Model



ConclusionConclusion download modelling tool http://autofocus.in.tum.de buy validation tools from BSI & Validas (10K $) Validas Spin-Off for support & tailoring http://validas.de pilot users from avionic industry todo:

improve user interface (Undo, Zooming,Popups,..) integration of security modelling support development: e.g. combine two components/states requirements tracing through the models integration of constraint handlers & solvers

5th NASA LFM Workshop 2000 Oscar Slotosch, TU München, slide: 1 Williamsburg 6.13 - 6.16.2000 1....

Documents

Transcript of 5th NASA LFM Workshop 2000 Oscar Slotosch, TU München, slide: 1 Williamsburg 6.13 - 6.16.2000 1....