OMEGA (IST-2001-33522, Project 33522)
Experiences with the Omega tool set in the context of the MARS case study
Yuri Yushtein, Jozef Hooman
Radboud University Nijmegen; Embedded Systems Institute, Eindhoven
OMEGA Workshop, Grenoble, 17 February 2005
Topic

Report about experiences with the main part of the Omega tool set on an industrial case study: the Medium Altitude Reconnaissance System (MARS) of the Dutch National Aerospace Laboratory (NLR).

Note:
- Not addressing all features of the tools
- Not showing the full power of the tools
- Not always based on the latest, current version of a tool, but often on experience with a preliminary version during development within Omega

See the other talks and demos for more details of the tools.

Overview

- Introduction to the MARS case study
- Relevant part of the Omega tool set, used on MARS (presented by Yuri):
  - LSCs (Weizmann)
  - Untimed verification using UVE (OFFIS)
  - Timed verification using IF (Verimag)
  - Interactive verification using PVS (RUN, Weizmann, CAU)
- Redesign to facilitate compositional techniques and to investigate the combined use of tools (presented by Jozef)
- Summary
MARS overview

Purpose: counteract image quality degradation caused by the forward motion of the aircraft.

MARS overview (2): case study scope

[Class diagram: DatabusManager composed of DatabusController (controllerStatus : int), ControllerMonitor (currentStatusOK : int, previousStatusOK : int, controllerStatusOK()) and MessageReceiver (timeoutCount, AltMsgTimeoutCount, NavMsgTimeoutCount, NavMsgCount, AltMsgCount : int); the actors AltitudeDataSource and NavigationDataSource each carry msgERROR, msgCount and timeoutCount : int.]

MARS environment constraints

- Data sources provide data with a 25 ms cycle and a jitter of ± 5 ms
- The data sources are independent and are not synchronised
- Data messages may occasionally be lost due to transmission errors
- The Data-bus Controller may exhibit built-in-test errors

MARS properties subject to verification

- Timely detection of a Data-bus Controller error, based on the built-in-test facility of the controller, and proper recovery
- Timely detection of a Data-bus error, based on data message arrival monitoring, and proper recovery
Relevant part of the Omega tool set

[Tool-chain diagram: a UML-based CASE tool exports XMI to the Omega Kernel, which feeds untimed model checking (UVE), timed model checking (IF) and interactive verification (PVS); LSCs with Play-in and Play-out sit alongside.]
Scenario-based requirements modelling

Tool support
- Modelling with LSCs, PlayEngine tool
- Play-In facility: automated LSC capturing
- Play-Out facility: model simulation
- Model verification based on the SMV model checker
- Property specification with existential or universal LSCs

Scenario-based requirements modelling (2)

- UML Sequence Diagram example (camera control)

[Sequence diagram with lifelines ControlPanel, AvionicsDatabus, RCU, Trigger & Exposure and Camera module; messages: navigation data, altitude data, airdata, compute framerate, framerate value, compute FMC, FMC value, start filming, activate exposures, trigger pulses, FMC signal. Annotations: timing, conditions, ordering constraints, etc.; cyclical atomic sequences; relating diagrams.]

Scenario-based requirements modelling (3)

- External data sources (pre-chart, timing constraint, non-deterministic choice)

Scenario-based requirements modelling (4)

- Data processing and transfer (condition, forbidden element)

Scenario-based requirements modelling (5)

- LSC representation of the properties

Scenario-based requirements modelling (6): conclusions

- Possibility to verify high-level (timed) requirements
- More effective for transaction-based systems
- Play-Out and verification for autonomous systems
- Play-Out: early system simulation
- Play-In effective for "human-in-the-loop" systems
- GUI Play-In is artificial for autonomous systems
- Play-In can be used to capture anti-scenarios
- No model export/connection to other tools
- GUI development for Play-In relies on VB
Untimed UML modelling and verification

Tool support
- UML modelling with the Rhapsody tool
- Verification with the UML Verification Environment (UVE)
- UVE performs untimed model checking
- A system run is seen in terms of run-to-completion steps
- Property specification with propositional logic and temporal logic patterns
- Counterexamples are given as discrete-time timing diagrams and LSC traces

Untimed UML modelling and verification (3): class behaviour modelling

Statechart of the MessageReceiver (states Operational, BusError, ControllerError):

- initial transition: /NavMsgTimeoutCount = 0; AltMsgTimeoutCount = 0; (enters Operational)
- Operational, internal transitions:
  evNavDataMsg/NavMsgTimeoutCount = 0;
  evNavDataMsgTimeout/NavMsgTimeoutCount += 1;
  evAltDataMsg/AltMsgTimeoutCount = 0;
  evAltDataMsgTimeout/AltMsgTimeoutCount += 1;
- Operational -> BusError: [NavMsgTimeoutCount == 3 || AltMsgTimeoutCount == 3]/NavMsgCount = 0; AltMsgCount = 0;
- Operational -> ControllerError: evControllerError
- BusError, internal transitions:
  evNavDataMsg/NavMsgCount += 1;
  evNavDataMsgTimeout/NavMsgCount = 0;
  evAltDataMsg/AltMsgCount += 1;
  evAltDataMsgTimeout/AltMsgCount = 0;
- BusError -> Operational: [NavMsgCount >= 2 && AltMsgCount >= 2]/NavMsgTimeoutCount = 0; AltMsgTimeoutCount = 0;
- BusError -> ControllerError: evControllerError
- ControllerError -> Operational: evControllerOK/NavMsgTimeoutCount = 0; AltMsgTimeoutCount = 0;
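An executable version of the MessageReceiver statechart above, together with a bounded-response check of the kind UVE evaluates (P implies finally Q within a step bound). This is an added example, not the case study's Rhapsody model or UVE's checker; the event names and counters follow the slide, while the run-to-completion rule used here (guarded transitions are evaluated after every event) and the sample trace are assumptions.

```python
OPERATIONAL, BUS_ERROR, CONTROLLER_ERROR = "Operational", "BusError", "ControllerError"


class MessageReceiver:
    """MessageReceiver statechart: counters and transitions as on the slide."""

    def __init__(self):
        self.state = OPERATIONAL
        self.nav_timeouts = self.alt_timeouts = 0  # NavMsgTimeoutCount, AltMsgTimeoutCount
        self.nav_msgs = self.alt_msgs = 0          # NavMsgCount, AltMsgCount

    def step(self, ev):
        """Consume one event, then fire any enabled guarded transition."""
        if ev == "evControllerError" and self.state != CONTROLLER_ERROR:
            self.state = CONTROLLER_ERROR          # from Operational or BusError
        elif self.state == OPERATIONAL:            # count consecutive timeouts per source
            if ev == "evNavDataMsg": self.nav_timeouts = 0
            elif ev == "evNavDataMsgTimeout": self.nav_timeouts += 1
            elif ev == "evAltDataMsg": self.alt_timeouts = 0
            elif ev == "evAltDataMsgTimeout": self.alt_timeouts += 1
        elif self.state == BUS_ERROR:              # count messages arriving again per source
            if ev == "evNavDataMsg": self.nav_msgs += 1
            elif ev == "evNavDataMsgTimeout": self.nav_msgs = 0
            elif ev == "evAltDataMsg": self.alt_msgs += 1
            elif ev == "evAltDataMsgTimeout": self.alt_msgs = 0
        elif self.state == CONTROLLER_ERROR and ev == "evControllerOK":
            self.state, self.nav_timeouts, self.alt_timeouts = OPERATIONAL, 0, 0
        # guarded (eventless) transitions; assumption: checked after every event
        if self.state == OPERATIONAL and 3 in (self.nav_timeouts, self.alt_timeouts):
            self.state, self.nav_msgs, self.alt_msgs = BUS_ERROR, 0, 0
        elif self.state == BUS_ERROR and self.nav_msgs >= 2 and self.alt_msgs >= 2:
            self.state, self.nav_timeouts, self.alt_timeouts = OPERATIONAL, 0, 0
        return self.state


def run(events):
    """Trace of (event, state after the event) pairs for an event sequence."""
    r = MessageReceiver()
    return [(e, r.step(e)) for e in events]


def bounded_response(trace, p, q, max_steps):
    """UVE-style 'inv_P_implies_finally_Q' with step bound max_steps (cf. max_X_Val):
    every position where p holds must be followed by q within max_steps steps."""
    return all(any(q(t) for t in trace[i:i + max_steps + 1])
               for i, s in enumerate(trace) if p(s))


# constructed trace: navigation source silent for three cycles, then both sources recover
TRACE = ["evAltDataMsg", "evNavDataMsgTimeout", "evNavDataMsgTimeout", "evNavDataMsgTimeout",
         "evNavDataMsg", "evAltDataMsg", "evNavDataMsg", "evAltDataMsg"]
```

Running `run(TRACE)` shows the receiver entering BusError on the third navigation timeout and returning to Operational once two messages from each source have arrived; `bounded_response` then answers whether detection happened within the chosen bound.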
Untimed UML modelling and verification (4): verification example

UVE output, with the slide's annotations in brackets:

    *** The Property 'inv_P_implies_finally_Q_B__immediate' with            [property]
    *** P = root->p_DatabusManager->itsDatabusController->IS_IN(Error)     [specification]
    *** Q = root->p_DatabusManager->itsMessageReceiver->IS_IN(ControllerError)
    *** max_X_Val = 4
    ***
    *** under the assumptions 'first_P_implies_globally_Q__immediate' with  [specification of assumptions]
    *** P = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
    *** Q = root->p_DatabusManager->itsDatabusController->IS_IN(Error)
    ***
    *** and assumption 'inv_finally_P_B__immediate' with
    *** P = ES_evPollController(ENV, root->p_DatabusManager->itsControllerMonitor)
    *** max_X_Val = 5
    ***
    *** with 'ndet'-mode external event list                                 [non-deterministic external event trace]
    *** root->p_DatabusManager->itsDatabusController, evControllerBIT_OK
    *** root->p_DatabusManager->itsDatabusController, evControllerBIT_ERROR
    *** root->p_DatabusManager->itsControllerMonitor, evPollController
    *** root->p_DatabusManager->itsNavigationDataSource, evSendMsg(0)
    *** root->p_DatabusManager->itsNavigationDataSource, evSendMsg(1)
    *** root->p_DatabusManager->itsAltitudeDataSource, evSendMsg(0)
    *** root->p_DatabusManager->itsAltitudeDataSource, evSendMsg(1)
    ***
    *** does not hold.                                                       [verification result]
    *** A counterexample trace is generated. Please stand by...