Professional Documents
Culture Documents
5/19/2013
Acknowledgements
Outline of Presentation
Introduction
Why use Model-Based Development?
Requirements
Design
Implementation: Code Generation
Verification and Validation
Pitfalls
5/19/2013
Test
Requirements
Specification
System
Integration
Test
Design
Integration
Unit Test
Implementation
Object Code
Analysis
What is Model
Model--Based Development?
Properties
Visualization
Analysis
Testing
Prototyping
Code/test generation
Specification
Model
Code
Test oracle
Requirements
Analysis
Properties
System
Specification/Model
System
Test
Integration
Test
Integration
Specification
Test
Implementation
5/19/2013
Product
Tools
Benefits Claimed
Airbus
A340
SCADE
With Code
Generator
Eurocopter
EC-155/135
Autopilot
GE &
Lockheed
Martin
Schneider
Electric
FADEDC Engine
Controls
SCADE
With Code
Generator
ADI Beacon
US
Spaceware
PSA
CSEE
Transport
Honeywell
Commercial
Aviation
Systems
Not Stated
Nuclear Power
Plant Safety
Control
DCX Rocket
SCADE
With Code
Generator
MATRIXx
Electrical
Management
System
Subway
Signaling System
SCADE
With Code
Generator
SCADE
With Code
Generator
MATLAB
Simulink
Primus Epic
Flight Control
System
Not Stated
Reduction in Errors
50% Reduction in Cycle Time
Decreased Cost
8X Reduction in Errors while
Complexity Increased 4x
5X Increase in Productivity
No Coding Errors
Received FAA Certification
Slide courtesy of Steve Miller in Proving the Shalls 2006 Rockwell Collins, Inc. All rights reserved.
Does Model
Model--Based Development
Scale??
Scale
Systems Developed Using MBD
Airbus A380
Flight Control
Auto Pilot
Fight Warning
Cockpit Display
Fuel Management
Landing Gear
Length
239 ft 6 in
Braking
Wingspan
261 ft 10 in
Steering
1,235,000 lbs
Anti-Icing
Passengers
Up to 840
Range
9,383 miles
Slide courtesy of Steve Miller in Proving the Shalls 2006 Rockwell Collins, Inc. All rights reserved.
5/19/2013
10
A Personal Anecdote
11
Outline of Presentation
Introduction
Why use Model-Based Development?
Requirements
Design
Implementation: Code Generation
Verification and Validation
Pitfalls
5/19/2013
12
Formal Verification
Code Generation
Complete implementation
Code skeleton
Prototyping
Communication with Customer
5/19/2013
13
14
15
Outline of Presentation
Introduction
Why use Model-Based Development?
Requirements
Design
Implementation: Code Generation
Verification and Validation
Pitfalls
5/19/2013
16
17
JustNo
Stateflow model of
Tetris game (included
in the Stateflow Demo
models from the
Mathworks!).
Diagram is essentially a
control-flow graph of a
program that
implements tetris.
*Much* harder to read
and modify than an
equivalent program.
5/19/2013
18
Tools Matter
Expressible != Easy
Anecdote: Simulink vs. SCADE at Rockwell
Collins in 2006
SCADE had formal pedigree, strong analysis
But tools kept crashing on our Windows boxes
19
Outline of Presentation
Introduction
Why use Model-Based Development?
Requirements
Design
Implementation: Code Generation
Verification and Validation
Pitfalls
5/19/2013
20
Analysis Pyramid
Theorem
Proving
Perfect Verification
Exhaustive Testing
(Infinite Effort)
Model Checking
Temporal Properties
Of Finite systems.
MCDC
Testing
Data Flow
Analysis
Simplistic
Program
Analysis
Pessimistic
Inaccuracy
Precise Analysis
of Simple
Syntactic
Properties
Typical
Testing
Optimistic
Inaccuracy
Simplified
Properties
5/19/2013
WhyDr.
WeMichal
Model Young
- Mike Whalen
Pyramid
Adopted from
21
What We Need
Perfect Verification
Access to Many
Exhaustive Testing
Tools and
(Infinite Effort)Techniques
Theorem
Proving
Model Checking
Temporal Properties
Of Finite Systems
MCDC
Testing
Data Flow
Analysis
Simplistic
Program
Analysis
Precise Analysis
of Simple
Syntactic
Properties
Pessimistic
Inaccuracy
Typical
Testing
Optimistic
Inaccuracy
Simplified
Properties
5/19/2013
22
MBD Is a V&V
V&V--Enabling
Technology
23
while(a<0) {
a=a-1;
b=b*a;
}
printf(%d,
b);
Compiler
Test Case
Generator
Generated
Tests
MBD Model
Possible to generate test
suites that satisfy very
rigorous structural
coverage metrics
Coverage
Metric
5/19/2013
24
Object Code
Code Generator
+ Compiler
Test Case
Generator
Generated
Tests
Coverage
Metric
5/19/2013
25
Object Code
Code Generator
+ Compiler
Test Case
Generator
Generated
Tests
Coverage
Metric
Oracle
26
5/19/2013
27
Property
True
Analysis Tool
Property False:
Test Case
Oracle
5/19/2013
28
Modeled in Simulink
Translated to NuSMV
6.8 x 1021 Reachable States
Mode Controller B
Example Requirement
Mode A1 => Mode B1
Counterexample Found in
Less than Two Minutes
Found 27 Errors
Slide Rockwell Collins, 2008
5/19/2013
29
Example Requirement:
Drive the Maximum Number of Display Units
Given the Available Graphics Processors
5/19/2013
30
Sponsored by AFRL
Wright Patterson VA
Directorate
1
sync
2
sync<>
input_a
3
input_b
4
input_c
5
[trigger]
[B]
DST
[C]
Data Store
Read
status_b
7
[status_c]
[DSTi]
[A]
input_a
f ailreport
[B]
input_b
[C]
failreport
[status_a]
status_a
[status_b]
status_b
[status_c]
status_c
[prev_sel]
prev_sel
trip_level
trip_level
trip_level1
failure_report
failure_report
[A]
input_a
[B]
input_b
failure_report
[C]
input_c
[DSTi]
dst_index
Failure_Processing
Failure_Isolation
input_c
pc
persistence_cnt<pc>
persistence_cnt
trip_level
pc
persist_lim
persistence limit
[MS]
persist_lim
persist_lim
tc
totalizer_cnt<tc>
MS
triplex_input_monitor
3
totalizer_cnt
[trigger]
trigger
[A]
input_a
[B]
input_b
[C]
input_c
[DSTi]
input_sel
DST_index
4
input_sel
[prev_sel]
triplex_input_selector
Phase I Results
Effort
(% total)
Modeled in Simulink
Translated to NuSMV
model checker
[MS]
mon_f ailure_report
DOC
Text
double
Extract Bits
[trigger]
[status_b]
dst_index
Extract Bits
[0 3]
Index
Vector
[status_a]
status_a
6
status_c
8
[DSTi]
[A]
Testing
Model-Checking
5/19/2013
Errors
Found
60%
40%
12
31
5/19/2013
32
Outline of Presentation
Introduction
Why use Model-Based Development?
Requirements
Design
Implementation: Code Generation
Verification and Validation
Pitfalls
5/19/2013
33
Problem 1:
Using Models Where They Dont Fit
5/19/2013
34
5/19/2013
35
Remedies
36
Problem 2
Believing Testing Can be Eliminated
5/19/2013
37
Requirements
Properties
System
Specification/Model
Extensive Testing
Integration
(MC/DC)
Implementation
5/19/2013
38
It Simply Moves
Concept
Formation
Requirements
Properties
System
Specification/Model
Extensive Testing
Integration
(MC/DC)
Implementation
5/19/2013
39
Requirements
Properties
Analysis
System
Specification/Model
Specification
Test
Integration
Implementation
System
Test
Integration
Test
Unit Test
5/19/2013
40
Problem 3
Believing the Model is Everything
5/19/2013
41
Modeling Frenzy
Concept
Formation
Requirements
Modeling is
so much fun
Specification/Model
How do we
know the model
is right?
Test
Properties
System
Integration
Implementation
5/19/2013
42
Remedies
5/19/2013
43
Problem 4
Trusting Verification
5/19/2013
44
5/19/2013
45
Remedies
46
Conclusions
47
Questions?
5/19/2013
48
References
M. Whalen, D. Greve, L. Wagner, S. Miller, Model Checking Information Flow. In Design and Verification of
Microprocessor Systems for High-Assurance Applications. D. Hardin, Ed. Springer, 2010.
M. Whalen, P. Godefroid, L. Mariani, A. Polini, N. Tillman, and W. Visser. FITE: Future Integrated Testing
Environment. Workshop on the Future of Software Engineering Research 2010 (FoSER), Santa Fe, New Mexico,
November 7-8, 2010.
S. Miller, M. Whalen, and D. Cofer. Software Model Checking Takes Off. Communications of the ACM, Volume
53, No 2, February 2010.
D. Hardin, T. D. Hiratzka, D. R. Johnson, L. Wagner, and M. Whalen. Development of Security Software: A HighAssurance Methodology. Proceedings of the 11th International Conference of Formal Engineering Methods (ICFEM
2009), Rio de Janeiro, Brazil, December, 2009.
M. Whalen, D. Cofer, S. Miller, B. Krogh, and W. Storm. Integration of Formal Analysis into a Model-Based
Software Development Process. 12th International Workshop on Industrial Critical Systems (FMICS 2007), Berlin,
Germany, July, 2007.
S. Miller, A. Tribble, M. Whalen, and M.P.E. Heimdahl. Proving the Shalls: Early Validation of Requirements
through Formal Methods, Journal of Software Tools for Technology Transfer. Volume 8 Issue 4, August 2006.
M.P.E. Heimdahl, Y. Choi, and M. Whalen. Deviation Analysis: A New Use for Model Checking, Automated
Software Engineering, Volume 12, Number 3, July, 2005.
M. Whalen, B. Fischer, and J. Schumann. Certifying Synthesized Code. Proceedings of Formal Methods Europe
2002, Copenhagen, Denmark, July 2002
M. Whalen, B. Fischer, and J. Schumann. AutoBayes/CC Combining Program Synthesis with Automatic Code
Certification. Proceedings of Conference on Automated Deduction 18, Copenhagen, Denmark, July 2002.
5/19/2013
49
Participants
University of Pennsylvania
U. Penn Hospital System
University of Minnesota
CIMIT/MGH
50