A case study in formal system engineering with SysML (PowerPoint presentation)



SLIDE 1

A case study in formal system engineering with SysML

Iulia Dragomir (1), Iulian Ober (1) and David Lesens (2)

(1) IRIT - University of Toulouse; (2) Astrium Space Transportation

July 19, 2012

Iulia Dragomir (IRIT) A case study in formal system engineering with SysML July 19, 2012 1 / 25

SLIDE 2

Outline

1. Full Model Driven Engineering development process
2. OMEGA SysML Profile & Toolset
3. The Automated Transfer Vehicle (ATV) case study
4. Validation results
5. Conclusions

SLIDE 3

Outline

1. Full Model Driven Engineering development process

SLIDE 4

Full Model Driven Engineering Process

[Figure: process diagram with the levels System design, Software specification and Implementation code; the steps between them are labelled Manual (model transformation & refinement) and Generated (code generator); models are built in the Papyrus or Rhapsody modeller with the Omega profile, and Formal proof appears at three points of the process.]

This project has been partially funded by the European Space Agency.

SLIDE 5

Outline

2. OMEGA SysML Profile & Toolset

SLIDE 6

The OMEGA Language

SysML Profile for the specification and verification of real-time embedded systems

Consists of:
• A large subset of SysML
• + Model coherence constraints
• + A formal operational semantics
• + Real-time & verification extensions

SLIDE 7

The OMEGA Profile

Structure
• SysML Block Definition Diagrams & Internal Block Diagrams
• Blocks with properties, operations and state machines, interconnection elements and relationships
• Structured data types and signals

[Figure: example block definition and internal block diagrams. The «block» CashDispenser has the attribute t:Timer and the operation releaseMoney(amount:int), with ports CD2CTR (ICashDispenserController) and CTR4CD (IControllerCashDispenser). The «block,root» System contains the parts atm:ATM, bank:Bank and user:User (multiplicity 1 each), connected through the ports User2ATM / ATM2User (interfaces IUserATM, IUserConsole, IVerifyPin, IUserTransaction, ICardReader / IConsoleUser, IConsole, IControllerConsole) and Bank2ATM / ATM2Bank (IBankController / IControllerBank).]

SLIDE 8

The OMEGA Profile

Discrete behaviour
• State machines
• Asynchronous communication through operations and signals

[Figure: state machine of CashDispenser, as read from the diagram: Idle --releaseMoney / t.set(3)--> InUse; InUse --timeout(t) / begin CD2CTR ! done(); t.reset() end--> Idle.]

SLIDE 9

The OMEGA Profile

Real time
• Clocks, time guards and transition urgency
• Discrete or continuous time, specified by the user

SLIDE 10

The OMEGA Profile

Observers
• Objects monitoring the system (state and events) and giving verdicts about a safety property

SLIDE 11

The IFx Toolset

Goal: Early model validation and debugging
Principle: Transforming to communicating extended timed automata (IF Language)
Functionalities:
• Simulation
• Static analysis: dead code/variable elimination, slicing, ...
• Model-checking: observers, state graph minimization, µ-calculus, ...

SLIDE 12

Outline

3. The Automated Transfer Vehicle (ATV) case study

SLIDE 13

The ATV Solar Generation System

The ATV has been developed by Astrium Space Transportation for ESA.

SLIDE 14

The Solar Generation System Architecture

[Figure (property of Astrium): architecture diagram showing the Main processor and the components WING, TK, HDRS, PCDU, SADM, CMU, TCU and SADE.]


SLIDE 17

The system model

• Reverse engineered from the actual system for the purpose of FullMDE
• 4-layer architecture
• 20 block types (HW, SW, MM) and 95 block instances
• 348 ports (661 instances) and 372 connectors (504 instances)
• 18 interfaces for port types
• 1-fault tolerant: 62 possible hardware failures


SLIDE 19

Formal system requirement

Property

After 10 minutes since SGS start-up, all 4 wings are deployed and the Mission and Vehicle Management is aware of it.

[Figure: observer state machine for the property, as read from the diagram. Declaration: deployment_duration = 600000. States: SYSTEM_IS_OFF, SYSTEM_IS_ON, DEPLOYED and the verdict states NOT_DEPLOYED «error», MISSION_EVENT «success», NO_MISSION_EVENT «error». Transitions: SYSTEM_IS_OFF → SYSTEM_IS_ON on /match informal "initialized" by ATV // clock.set(deployment_duration); SYSTEM_IS_ON → DEPLOYED on [(ATV.SGS.WING1.LOCKING @ DEPLOYED) and (ATV.SGS.WING2.LOCKING @ DEPLOYED) and (ATV.SGS.WING3.LOCKING @ DEPLOYED) and (ATV.SGS.WING4.LOCKING @ DEPLOYED)]; SYSTEM_IS_ON → NOT_DEPLOYED on [clock>=0]/clock.reset(); DEPLOYED → MISSION_EVENT on [ATV.MVM @ END]/clock.reset(); DEPLOYED → NO_MISSION_EVENT on [clock>=0]/clock.reset().]
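As an added illustration (Python written for this page, not the authors' OMEGA/IFx model), the observer above as an executable monitor run over constructed system snapshots; the reading of the [clock>=0] guard as "deployment_duration has elapsed since start-up", the sampling events and the wing/MVM state names below are assumptions.

```python
from dataclasses import dataclass

DEPLOYMENT_DURATION_MS = 600_000   # deployment_duration = 600000 on the slide (10 minutes)
WINGS = ("WING1", "WING2", "WING3", "WING4")

@dataclass
class Step:
    time_ms: int
    event: str      # constructed event name, e.g. "initialized" or "tick"
    locking: dict   # wing name -> state of its LOCKING state machine
    mvm: str        # state of the MVM state machine ("END" once it is aware)

class DeploymentObserver:
    """Observer states as on the slide: SYSTEM_IS_OFF, SYSTEM_IS_ON, DEPLOYED, and the
    verdict states NOT_DEPLOYED <<error>>, MISSION_EVENT <<success>>, NO_MISSION_EVENT <<error>>.
    Assumption: the [clock>=0] guard fires once deployment_duration has elapsed since start-up."""

    def __init__(self, deadline_ms=DEPLOYMENT_DURATION_MS):
        self.state, self.deadline_ms = "SYSTEM_IS_OFF", deadline_ms
        self.start_ms, self.verdict = None, None   # verdict: None or (kind, state)

    def _expired(self, t):
        return t - self.start_ms >= self.deadline_ms

    def step(self, s):
        """Feed one Step; return the verdict tuple once reached, else None."""
        if self.verdict is not None:
            return self.verdict
        if self.state == "SYSTEM_IS_OFF":
            if s.event == "initialized":          # match informal "initialized" by ATV
                self.start_ms, self.state = s.time_ms, "SYSTEM_IS_ON"   # clock.set(...)
            return None
        if self.state == "SYSTEM_IS_ON":
            if all(s.locking.get(w) == "DEPLOYED" for w in WINGS):  # all 4 LOCKING @ DEPLOYED
                self.state = "DEPLOYED"           # fall through: MVM may already be at END
            elif self._expired(s.time_ms):
                self.state, self.verdict = "NOT_DEPLOYED", ("error", "NOT_DEPLOYED")
                return self.verdict
        if self.state == "DEPLOYED":
            if s.mvm == "END":                    # [ATV.MVM @ END]
                self.state, self.verdict = "MISSION_EVENT", ("success", "MISSION_EVENT")
            elif self._expired(s.time_ms):
                self.state, self.verdict = "NO_MISSION_EVENT", ("error", "NO_MISSION_EVENT")
        return self.verdict

def run_trace(steps):
    """Run a fresh observer over a trace; return its verdict, or None if none was reached."""
    obs = DeploymentObserver()
    for s in steps:
        if obs.step(s) is not None:
            return obs.verdict
    return None

def make_trace(deploy_ms, mvm_end_ms, horizon_ms=DEPLOYMENT_DURATION_MS, tick_ms=60_000):
    """Constructed trace: wings lock at the given times (absent = never), MVM reaches END
    at mvm_end_ms (None = never); the system state is sampled every tick_ms."""
    steps = [Step(0, "initialized", {w: "STOWED" for w in WINGS}, "RUNNING")]
    for t in range(tick_ms, horizon_ms + 1, tick_ms):
        locking = {w: "DEPLOYED" if w in deploy_ms and deploy_ms[w] <= t else "STOWED"
                   for w in WINGS}
        mvm = "END" if mvm_end_ms is not None and mvm_end_ms <= t else "RUNNING"
        steps.append(Step(t, "tick", locking, mvm))
    return steps

# Constructed scenarios: nominal deployment, wing 3 never locks, MVM never notified.
ALL_WINGS = {"WING1": 120_000, "WING2": 180_000, "WING3": 240_000, "WING4": 300_000}
NOMINAL = make_trace(ALL_WINGS, mvm_end_ms=360_000)
WING3_STUCK = make_trace({w: t for w, t in ALL_WINGS.items() if w != "WING3"}, None)
MVM_UNAWARE = make_trace(ALL_WINGS, mvm_end_ms=None)
```

Running run_trace on the three scenarios yields a success verdict for NOMINAL and the two error verdicts NOT_DEPLOYED and NO_MISSION_EVENT for the other two, which is the distinction the observer exists to make.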


SLIDE 20

Outline

4. Validation results

SLIDE 21

Verification by simulation

• Scenario length: 2400 steps and one minute of execution
• Discovered modelling errors introduced by reverse engineering and missed at model review:

SLIDE 22

Verification by simulation

• Unexpected message receptions for wing parts

[Figure: TK state machine before the correction, with the states TK_IS_HEALTHY, NON_ACTIVATED, IS_ACTIVATED, IS_OFF and IS_ON and transitions on ACTIVATE_TK, DEACTIVATE_TK, TK_CMD_ON (TK_CMD_ON to HDRS) and TK_CMD_OFF (TK_CMD_OFF to HDRS).]

SLIDE 23

Verification by simulation

• Unexpected message receptions for wing parts

[Figure: the same TK state machine after the correction; the diagram now additionally lists TK_CMD_ON and TK_CMD_OFF next to the NON_ACTIVATED state.]

SLIDE 24

Verification by simulation

• Unexpected message receptions for wing parts
• Ambiguous parallel receivers for Mission and Vehicle Management

[Figure: Mission management and Vehicle Configuration Management state machines, with the states IDLE, STEP_START, S_REMOVE_SAFETY_BARRIERS_TCU1 and S_REMOVE_SAFETY_BARRIERS_TCU2 and the actions SGS_EC_REMOVE_SB(TCU1) to pSGS_FSM_out, SGS_EC_REMOVE_SB(TCU2) to pSGS_FSM_out, SGS_EC_PCDU_GRP(params->ACTION) to pSGS_FSM_out, SGS_CMD_RPT and SGS_APR_DEPLOY_START / for(j=0; j<8; j++) TK_REF[j] = params->TK_REF[j].]

SLIDE 25

Verification by simulation

Discovered modelling errors, summarised:
• Unexpected message receptions for wing parts
• Ambiguous parallel receivers for Mission and Vehicle Management
• Incorrect requests, or sequences of requests, that result in deadlocks; e.g. SADE receives a deactivation before a disable

SLIDE 26

State space explosion and its cause

[Figure: communication graph of the full model, grouping the instances into Mission Management, Software instances, Hardware instances and Wing 1 to Wing 4 instances (MVM, FSM, PCDU, POWER, CMU, BEHAVIOUR, LOCKING, DEPLOYMENT, SADG, AP, KNIFE, HDRS and manager instances).]

SLIDE 27

Non-exhaustive model-checking

• Executed on a single thread with a predefined scheduling for parallel actions
• Still useful for discovering logical errors:

SLIDE 28

Non-exhaustive model-checking

• Incorrect connections between the power units and the wings

[Figure: internal block diagram of the power connections between PCDU1, PCDU2, WING1 and WING2. Ports of interface IF_PCDU_2_WG_PW: pWING_R_out, pWING_N_out, pWING1_R_out, pWING2_R_out, pWING1_N_out, pWING2_N_out, pPCDU_R_in, pPCDU_N_in, pPCDU1_R_in, pPCDU2_R_in, pPCDU1_N_in, pPCDU2_N_in. Ports of interface IF_SGS_2_PCDU: pSGS_in, pSGS_PCDU1_in, pSGS_PCDU2_in, pPCDU1_out, pPCDU2_out.]


SLIDE 31

Non-exhaustive model-checking

• Executed on a single thread with a predefined scheduling for parallel actions
• Still useful for discovering logical errors:
  • Incorrect connections between the power units and the wings
  • Requests received by the hold-down and release systems that are not handled
  • The control and monitoring unit is already 1-fault tolerant, which makes this type of failure incorrect, so it was removed from the set of verifiable errors

SLIDE 32

Verification using abstractions

Abstraction

One wing structure that does not experience any hardware fault is replaced by a block with a simpler behaviour: it ends up being deployed.

[Figure: communication graph of the Wing 3 instances (PCDU, POWER, CMU, BEHAVIOUR, LOCKING, SADG, KNIFE, HDRS and manager instances) that the abstraction replaces.]


SLIDE 34

Abstract communication graph

[Figure: communication graph of the abstracted model, grouping the instances into Mission Management, Software instances, Hardware instances, Wing 1 instances and the abstract blocks TCU & Wing 3, TCU_Wing 2 and TCU_Wing 4.]


SLIDE 38

Verification using abstractions

Abstraction

• One wing structure that does not experience any hardware fault is replaced by a block with a simpler behaviour: it ends up being deployed.
• System configuration: 1 extended wing and 3 abstract ones
• 4 configurations, each manually modelled
• The total number of instances is reduced by 55%
• Separate verification for each of the 60 possible failures, for each configuration
• Error detected: failure of the redundant thermal knife while the nominal one is enabled leaves the wing not deployed


SLIDE 42

Towards Contract-Based Reasoning

Is the used abstraction correct?
• Assumption about the environment of a wing with respect to the order and timing of the sent requests
• The concrete environment has to guarantee this assumption, given that the wings behave as described by the abstraction
→ Both steps have been formally verified within OMEGA-IFx

SLIDE 43

Outline

5. Conclusions


SLIDE 45

Conclusions

• Modelling of a complex system design with OMEGA SysML
• Verification & Validation by simulation and model-checking
• Use of abstractions & Contract-based Reasoning
• User feedback:
  • More formal approach than the classical SysML
  • Early detection of errors in the model
  • Complexity in usage of the tool chain OMEGA-IFx
  • Proof limitations

SLIDE 46

Future Work

• Formal definition of contracts within OMEGA-IFx
• Proof automation based on circular reasoning
• Automated assumption generation