Incremental Case Study: New Railway networked, University of - - PowerPoint PPT Presentation



slide-1
SLIDE 1

1

University of Paderborn

Incremental Design and Formal Verification with UML/RT in the FUJABA Real-Time Tool Suite

Sven Burmester, Holger Giese, Martin Hirsch, and Daniela Schilling Software Engineering Group University of Paderborn Warburger Str. 100 D-33098 Paderborn, Germany [burmi|hg|mahirsch|das]@upb.de

Incremental Design and Formal Verification with UML/RT in the FUJABA Real-Time Tool Suite 11.10.2004 Holger Giese

University of Paderborn Software Engineering Group

Slide 2

Mechatronic systems of the future will be …

networked, hard real-time, safety-critical, embedded, and will contain complex software. How to ensure correctness?

Case Study: New Railway Technology Paderborn

A shuttle system that builds convoys to optimize the energy consumption: safety-critical maneuvers


Slide 3

Verify UML models with Real-Time

Model checking: limited today due to two main obstacles:

  • (1) state explosion → restricted model size
  • (2) batch style model checking vs. iterative design process → incremental design and verification with UML/RT (FUJABA Real-Time Tool Suite)

Underlying techniques (Outline):

  • I. Restrict approach to a UML/RT subset
  • II. compositional reasoning [ESEC03]
  • III. mapping of the UML/RT subset to HUppaal
  • IV. incremental checking of modified submodels


Slide 4

I. UML/RT Subset

Elements:

  • Components
  • Ports
  • Connectors
  • Patterns
  • Roles

[Figure: two :Shuttle components (S1, S2) coupled by the Distance Coordination pattern via its frontRole and rearRole; statecharts are attached to the roles, the connector and the ports, OCL constraints to the pattern and the components]

Pattern (Distance Coordination):

  • Model: Statecharts for roles and connector
  • Specification: required OCL RT properties

Components (Shuttles):

  • Model: Statecharts for ports (refined roles) and synchronization
  • Specification: local OCL constraints


Slide 5

Real-Time Statecharts

RT @ PIM:

  • Add Clocks (cf. TA): resets, guards, invariants
  • Deadline intervals for each transition

Automatic code synthesis later ensures that the specified real-time properties are guaranteed


Slide 6

II. Compositional Reasoning

Pattern Specification & Verification

Example:

  • No collision for convoys

Roles:

  • Interface
  • RT Statechart
  • Invariants

Pattern:

  • Set of roles
  • Connector
  • Properties

Model checking:

M_RearRole || M_FrontRole || M_Connector ⊨ φ ∧ ¬δ

φ = AG ¬(RearRole.convoy ∧ FrontRole.noConvoy)

RearRole.convoy ⇒ CanBrakeFully
FrontRole.convoy ⇒ ¬CanBrakeFully

Becomes later part of the invariants ψ_j of the components

[Figure: Distance Coordination pattern with frontRole and rearRole; one statechart each for the two roles and the connector]


Slide 7

Component Design & Verification

Behavior:

  • Port statecharts which refine the related role protocols
  • A synchronization statechart which coordinates all realized roles
  • Iterations until appropriate component behavior has been found

Model checking:

M_RearPort || M_FrontPort || M_Synchronisation ⊨ ψ ∧ ¬δ

with ψ = (RearPort.convoy ⇒ CanBrakeFully) ∧ (FrontPort.convoy ⇒ ¬CanBrakeFully)

ψ = combination of all role invariants

[Figure: a :Shuttle component whose frontRole and rearRole port statecharts refine the role statecharts of two :Distance Coordination pattern instances; a synchronization statechart coordinates the two ports]
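The pattern-level check on slide 6 and the component-level check on slide 7 share one engine: form the parallel composition of the submodels and search its reachable states for a state that violates the safety property (φ or ψ) or has no successor (δ, a deadlock). The Python below is an added illustration of that engine, not code from the slides or from the FUJABA Real-Time Tool Suite. The two role statecharts and the connector, abstracted to two one-place channels, are a constructed toy version of the Distance Coordination protocol; the property is the slide's φ = AG ¬(RearRole.convoy ∧ FrontRole.noConvoy). A second, deliberately flawed front role, in which the front shuttle may leave the convoy on its own, shows the counterexample trace such a check returns.

```python
"""Explicit-state check of a parallel composition against a safety property
and deadlock freedom, in the shape of the slides' obligation

    M_RearRole || M_FrontRole || M_Connector |= phi and not delta

Constructed toy protocol for illustration; it is not the FUJABA/ESEC03 model."""
from collections import deque

# A role statechart as a finite automaton: {state: [(label, next_state), ...]}.
# 'm!' sends message m into the connector, 'm?' consumes it, a bare label is an
# internal step.  The connector (M_Connector) is abstracted to two one-place
# channels, rear->front and front->rear (constructed simplification).
REAR_ROLE = {
    "noConvoy": [("propose!", "proposed")],
    "proposed": [("accept?", "convoy"), ("reject?", "noConvoy")],
    "convoy":   [("breakConvoy!", "noConvoy")],
}

FRONT_ROLE = {
    "noConvoy": [("propose?", "deciding")],
    "deciding": [("accept!", "convoy"), ("reject!", "noConvoy")],
    "convoy":   [("breakConvoy?", "noConvoy")],
}

# Flawed variant: the front shuttle may leave the convoy on its own before the
# rear shuttle has been told, so the rear one keeps driving in convoy mode.
FRONT_ROLE_FLAWED = dict(FRONT_ROLE)
FRONT_ROLE_FLAWED["convoy"] = [("breakConvoy?", "noConvoy"), ("leave", "noConvoy")]

INIT = ("noConvoy", "noConvoy", None, None)   # (rear, front, to_front, to_rear)


def phi(state):
    """Slide 6: AG not(RearRole.convoy and FrontRole.noConvoy), per state."""
    rear, front, _, _ = state
    return not (rear == "convoy" and front == "noConvoy")


def successors(state, rear_auto, front_auto):
    """Interleaving semantics: one role fires one transition per step."""
    rear, front, to_front, to_rear = state
    out = []
    for who, auto, cur in (("rear", rear_auto, rear), ("front", front_auto, front)):
        for label, nxt in auto[cur]:
            r, f = (nxt, front) if who == "rear" else (rear, nxt)
            if label.endswith("!"):                      # send needs a free slot
                msg = label[:-1]
                if who == "rear" and to_front is None:
                    out.append((label, (r, f, msg, to_rear)))
                elif who == "front" and to_rear is None:
                    out.append((label, (r, f, to_front, msg)))
            elif label.endswith("?"):                    # receive needs the message
                msg = label[:-1]
                if who == "rear" and to_rear == msg:
                    out.append((label, (r, f, to_front, None)))
                elif who == "front" and to_front == msg:
                    out.append((label, (r, f, None, to_rear)))
            else:                                        # internal step
                out.append((label, (r, f, to_front, to_rear)))
    return out


def trace_to(parent, state):
    """Replay the BFS parent links into a counterexample (list of labels)."""
    labels = []
    while parent[state] is not None:
        state, label = parent[state]
        labels.append(label)
    return labels[::-1]


def model_check(rear_auto, front_auto, prop=phi):
    """Breadth-first reachability over the composition.  Returns ('ok', None),
    ('phi', trace) for a reachable state violating prop, or ('deadlock', trace)
    for a reachable state without successors (the slides' delta)."""
    parent = {INIT: None}
    queue = deque([INIT])
    while queue:
        state = queue.popleft()
        if not prop(state):
            return "phi", trace_to(parent, state)
        succ = successors(state, rear_auto, front_auto)
        if not succ:
            return "deadlock", trace_to(parent, state)
        for label, nxt in succ:
            if nxt not in parent:
                parent[nxt] = (state, label)
                queue.append(nxt)
    return "ok", None


if __name__ == "__main__":
    print("verified roles :", model_check(REAR_ROLE, FRONT_ROLE))
    print("flawed front   :", model_check(REAR_ROLE, FRONT_ROLE_FLAWED))
```

For the verified roles the search visits the whole (finite) composition and reports `('ok', None)`; for the flawed front role it stops at the first reachable state with the rear shuttle in convoy and the front shuttle in noConvoy and returns the path that leads there. The component-level check of slide 7 runs the same search over the port and synchronization statecharts with ψ in place of φ; the slide 8 theorem is what makes it sufficient to check pattern and component separately instead of the product of all shuttles.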


Slide 8

After Composition?

Theorem (in [ESEC03]): All systems built of verified components that cooperate only via verified patterns via correctly refined pattern roles (= syntactically correct composition) will behave correctly.

[Figure: two :Shuttle components composed via Distance Coordination pattern instances through their frontRole and rearRole ports]


Slide 9

III. Mapping (RTSC → ExHTA → HTA)


Slide 10

RTSC → ExHTA


Slide 11

ExHTA → HTA: Priorities


Slide 12

Asynchronous Messages & History


Slide 13

Abstract from Methods …


Slide 14

Mapping Process

Compositional reasoning:

Pattern mapping (closed model):

  • Map role statecharts
  • Map connector
  • Parallel composition

Component mapping (open model):

  • Map port statecharts
  • special treatment of external events (→ closed model)
  • Map synchronization statechart
  • Parallel composition

Also other submodels …

Remark: Currently no OCL mapping; TCTL is used


Slide 15

IV. Incremental Design & Verification

  • Consistency Management detects updates
  • Model Checking of modified parts (background)
  • Modes: true, false, unsafe (not up-to-date)
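The consistency management sketched on this slide is, at its core, dependency tracking over verification results: each property knows which submodels its last check depended on, an edit to one of them downgrades the result to unsafe, and a background re-check of only the affected properties restores true or false. The Python below is an added illustration of that bookkeeping, not the tool suite's own code. The submodel texts, the property names and the two checker functions (stand-ins for the model checker, which here merely inspect the model text) are constructed for the example.

```python
"""Consistency management for verification results, following the slide's
three modes true / false / unsafe (not up-to-date).  Constructed example; it is
not the FUJABA Real-Time Tool Suite's implementation.  Each property keeps the
digest of every submodel its last check saw, so an edit that really changes a
dependency downgrades the result to 'unsafe' until a re-check (which a tool
would run in the background) refreshes it; unrelated properties stay valid."""
import hashlib


class VerificationStatus:
    def __init__(self):
        self.models = {}    # submodel name -> current model text
        self.checks = {}    # property -> (dependency names, checker)
        self.results = {}   # property -> {"mode": str, "deps": {name: digest}}

    @staticmethod
    def digest(text):
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def register(self, prop, deps, checker):
        """A newly registered property is unsafe until checked once."""
        self.checks[prop] = (tuple(deps), checker)
        self.results[prop] = {"mode": "unsafe", "deps": {}}

    def update_model(self, name, text):
        """Editor hook: store the new submodel and invalidate every property
        whose last check saw a different version of it."""
        self.models[name] = text
        new = self.digest(text)
        for prop, (deps, _) in self.checks.items():
            if name in deps and self.results[prop]["deps"].get(name) != new:
                self.results[prop]["mode"] = "unsafe"

    def mode(self, prop):
        return self.results[prop]["mode"]

    def stale(self):
        """Properties a background checker should pick up next."""
        return sorted(p for p, r in self.results.items() if r["mode"] == "unsafe")

    def recheck(self, prop):
        """Run the checker on a snapshot of the dependencies and remember
        which versions the verdict belongs to."""
        deps, checker = self.checks[prop]
        snapshot = {d: self.models[d] for d in deps}
        mode = "true" if checker(snapshot) else "false"
        self.results[prop] = {"mode": mode,
                              "deps": {d: self.digest(t) for d, t in snapshot.items()}}
        return mode


# Stand-ins for the model checker (constructed): a real tool would run the
# composition M_RearRole || M_FrontRole || M_Connector against phi here.
def check_phi(models):
    # the toy role protocol is collision-safe as long as the front role never
    # leaves the convoy on its own initiative
    return "leave" not in models["frontRole"]


def check_psi(models):
    return "CanBrakeFully" in models["synchronization"]


FRONT_ROLE_V1 = "noConvoy propose? deciding\ndeciding accept! convoy\nconvoy breakConvoy? noConvoy"
FRONT_ROLE_V2 = FRONT_ROLE_V1 + "\nconvoy leave noConvoy"   # an edit by the designer

SUBMODELS = {                                               # constructed model texts
    "rearRole": "noConvoy propose! proposed\nproposed accept? convoy",
    "frontRole": FRONT_ROLE_V1,
    "connector": "one-place channels rear->front, front->rear",
    "rearPort": "refines rearRole",
    "frontPort": "refines frontRole",
    "synchronization": "convoy => CanBrakeFully",
}


def scenario():
    """One design session; returns the modes of phi/psi after each step."""
    vs = VerificationStatus()
    for name, text in SUBMODELS.items():
        vs.update_model(name, text)
    vs.register("phi", ("rearRole", "frontRole", "connector"), check_phi)
    vs.register("psi", ("rearPort", "frontPort", "synchronization"), check_psi)
    log = [("registered", vs.stale())]
    for prop in vs.stale():                  # the background checker's work list
        vs.recheck(prop)
    log.append(("checked", vs.mode("phi"), vs.mode("psi")))
    vs.update_model("frontRole", FRONT_ROLE_V2)     # only phi depends on it
    log.append(("front role edited", vs.mode("phi"), vs.mode("psi")))
    vs.recheck("phi")
    log.append(("phi rechecked", vs.mode("phi"), vs.mode("psi")))
    vs.update_model("frontRole", FRONT_ROLE_V2)     # saved again, unchanged
    log.append(("saved unchanged", vs.mode("phi"), vs.mode("psi")))
    return log


if __name__ == "__main__":
    for entry in scenario():
        print(entry)
```

Two details carry the slide's point: invalidation is selective (editing the front role leaves ψ, which depends only on the component submodels, at true), and a save that does not change the text does not invalidate anything, because the stored digest still matches. In a tool, `stale()` is what the background checker polls and `recheck()` is where the actual model checker is invoked.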


Slide 16

Conclusion

  • Sufficient UML/RT subset (mechatronic control)
  • Compositional Verification with Patterns & Components
  • Automatic mapping of UML/RT models to HUPPAAL
  • Consistency management for properties

→ incremental and iterative design and verification

Current Work

  • Other model checking back ends (RAVEN)
  • Hybrid UML models (presented on FSE04)

Future Work

  • Counter examples visualization

www. .de