Modellbasierte Entwicklung eingebetteter Systeme IV
Transcription
Modellbasierte Entwicklung eingebetteter Systeme IV
Tagungsband Dagstuhl-Workshop MBEES: Modellbasierte Entwicklung eingebetteter Systeme IV Model-Based Development of Embedded Systems 7. – 9.4.2008 Informatik-Bericht 2008-02 TU Braunschweig Institut für Programmierung und Reaktive Systeme Technische Universität Braunschweig Mühlenpfordtstraße 23 D-38106 Braunschweig Organisationskomitee Holger Giese, Universität Potsdam Michaela Huhn, TU Braunschweig Ulrich Nickel, Hella KGaA Hueck&Co Bernhard Schätz, TU München Programmkomitee Ulrich Freund, ETAS GmbH Heiko Dörr, Carmeq GmbH Hardi Hungar, OFFIS e.V. Torsten Klein, Carmeq GmbH Stefan Kowalewski, RWTH Aachen Tiziana Margaria, Univ. Potsdam Oliver Niggemann, dSPACE GmbH Ralf Pinger, Siemens AG Bernhard Rumpe, TU Braunschweig Holger Schlingloff, Fraunhofer FIRST Andy Schürr, Univ. Darmstadt Albert Zündorf, Univ. Kassel Inhaltsverzeichnis Automatisiertes Testen mit Message Sequence Charts (MSCs) Andrea Osterloh, Oscar Slotosch.............................................................1 View-Centric Modeling of Automotive Logical Architectures Hans Grönniger, Jochen Hartmann, Holger Krahn, Stefan Kriebel, Lutz Rothhardt, Bernhard Rumpe....................................................................3 Testverfahren für Elektronik und Embedded Software in der Automobilentwicklung – eine Übersicht Gerd Baumann, Michael Brost...............................................................13 Durchgehende Systemverifikation im Automotiven Entwicklungsprozess Oliver Niggemann, Rainer Otterbach.....................................................20 Modeling Guidelines and Model Analysis Tools in Embedded Automotive Software Development Ingo Stürmer, Christian Dziobek, Hartmut Pohlheim..............................28 Integrating Timing Aspects in Model- and Component-Based Embedded Control System Development for Automotive Applications Patrick Frey, Ulrich Freund.....................................................................40 Clone Detection in Automotive Model-Based Development Florian Deissenboeck, Benjamin Hummel, Elmar Juergens, Bernhard Schätz, Stefan Wagner, Jean-Francois Girard, Stefan Teuchert...........57 Modelbasierte Softwareentwicklung mit SCADE in der Eisenbahnautomatisierung Stefan Milius, Uwe Steinke.....................................................................68 Tool Support for Developing Advanced Mechatronic Systems: Integrating the Fujaba Real-Time Tool Suite with CAMeL-View Stefan Henkler, Martin Hirsch.................................................................78 Composition of Model-based Test Coverage Criteria Mario Friske, Bernd-Holger Schlingloff, Stephan Weißleder..................87 Testbasierte Entwicklung von Steuergeräte-Funktionsmodellen Frank Tränkle, Robert Bechtold, Stefan Harms......................................95 A Service-Oriented Approach to Failure Management Vina Ermagan, Claudiu Farcas, Emilia Farcas, Ingolf H. Krüger, Massimiliano Menarini........................................................................102 Dagstuhl-Workshop MBEES: Modellbasierte Entwicklung eingebetteter Systeme IV (Model-Based Development of Embedded Systems) Die grundsätzlichen Vorteile einer intensiven Nutzung von Modellen in der Softwareentwicklung sind unter den Schlagworten „Model‐Driven Architecture“ (MDA) und „Model Driven Engineering“ (MDE) ausführlich dargestellt worden. Auch in der industriellen Anwendung werden die Vorzüge inzwischen sehr wohl gesehen. Gerade in der Entwicklung hochwertiger, eingebetteter Systeme werden domänenspezifische Modellierungswerkzeuge zunehmend nicht nur in einzelnen Phasen der Prototypentwicklung, sondern auch zur Seriencode‐ Entwicklung eingesetzt (z.B. im Automotive oder Avionic Software Engineering). Dennoch sind viele Ansätze in der Praxis noch isoliert: Modelle werden in einer oder wenigen Entwicklungsphasen für eingeschränkte Systemklassen eingesetzt. Diese Einschränkungen werden in den Beiträgen des diesjährigen Workshops von den unterschiedlichsten Seiten adressiert: Die Durchgängigkeit von der Modellierung zur Codeerzeugung, die Erweiterung von Architekturmodellen um Echtzeitaspekte und weitere für eingebettete Systeme relevante extrafunktionale Eigenschaften, die automatische Modellanalyse zur Qualitätssicherung oder als Unterstützung bei der Evolution werden thematisiert. Auf dem Weg zu einer durchgängigen Verwendung von Modellen von den Anforderungen zur Implementierung und darüber hinaus zur Validierung und Verifikation jedes Entwurfsschritts wird damit das nächste Etappenziel in Angriff genommen. Ausgangspunkt der MBEES‐Workshopreihe war und ist die Feststellung, dass sich die Modelle, die in einem modellbasierten Entwicklungsprozess eingesetzt werden, an der Problem‐ anstatt der Lösungsdomäne orientieren müssen. Dies bedingt einerseits die Bereitstellung anwendungsorientierter Modelle (z.B. MATLAB/Simulinkartige für regelungstechnische Problemstellungen, Statechart‐ artige für reaktive Anteile) und ihrer zugehörigen konzeptuellen (z.B. Komponenten, Signal, Nachrichten, Zustände) und semantischen Aspekte (z.B. synchroner Datenfluss, ereignisgesteuerte Kommunikation). Andererseits bedeutet dies auch die Abstimmung auf die jeweilige Entwicklungsphase, mit Modellen von der Anwendungsanalyse (z.B. Beispielszenarien, Schnittstellen‐ modelle) bis hin zur Implementierung (z.B. Bus‐ oder Task‐Schedules, Implementierungstypen). Für eine durchgängige modellbasierte Entwicklung ist daher im Allgemeinen die Verwendung eines Modells nicht ausreichend, sondern der Einsatz einer Reihe von abgestimmten Modellen für Sichten und Abstraktionen des zu entwickelnden Systems (z.B. funktionale Architektur, logische Architektur, technische Architektur, Hardware‐Architektur) nötig. Durch den Einsatz problem‐ statt lösungszentrierter Modelle kann in jedem Entwicklungsabschnitt von unnötigen Festlegungen abstrahiert werden. Dafür geeignete Modell‐Arten sind weiterhin in Entwicklung und werden in Zukunft immer öfter eingesetzt. Dennoch ist noch vieles zu tun, speziell im Bau effizienter Werkzeuge, Optimierung der im Einsatz befindlichen Sprachen und der Schulung der Softwareentwickler in diesem neuen Entwicklungsparadigma. Diese neuen Modell‐Arten und ihre Werkzeuge werden die Anwendung analytischer und generativer Verfahren ermöglichen und damit bereits in naher Zukunft eine effiziente Entwicklung hochqualitativer Software erlauben. Weiterhin sind im Kontext der modellbasierten Entwicklung viele, auch grund‐ legende Fragen offen, insbesondere im Zusammenhang mit der Durchgängigkeit im Entwicklungsprozess, und der Evolution langlebiger Modelle. Die in diesen Tagungsband zusammengefassten Papiere stellen zum Teil gesicherte Ergeb‐ nisse, Work‐In‐Progress, industrielle Erfahrungen und innovative Ideen aus diesem Bereich zusammen und erreichen damit eine interessante Mischung theoretischer Grundlagen und praxisbezogener Anwendung. Genau wie bei den ersten drei, im Januar 2005, 2006 und 2007 erfolgreich durchgeführten Workshops sind damit wesentliche Ziele dieses Workshops erreicht: ‐ Austausch über Probleme und existierende Ansätze zwischen den unter‐ schiedlichen Disziplinen (insbesondere Elektro‐ und Informationstechnik, Maschinenwesen/Mechatronik und Informatik) ‐ Austausch über relevante Probleme in der Anwendung/Industrie und existierende Ansätze in der Forschung ‐ Verbindung zu nationalen und internationalen Aktivitäten (z.B. Initiative des IEEE zum Thema Model‐Based Systems Engineering, GI‐AK Modellbasierte Entwicklung eingebetteter Systeme, GI‐FG Echtzeitprogrammierung, MDA Initiative der OMG) Die Themengebiete, für die dieser Workshop gedacht ist, sind fachlich sehr gut abgedeckt, auch wenn sie sich auch dieses Jahr (mit Ausnahmen) auf den automotiven Bereich konzentrieren. Sie fokussieren auf Teilaspekte modell‐ basierter Entwicklung eingebetteter Softwaresysteme. Darin enthalten sind unter anderem: ‐ Domänenspezifische Ansätze zur Modellierung von Systemen ‐ Durchgängiger Einsatz von Modellen ‐ Modellierung und Analyse spezifischer Eigenschaften eingebetteter Systeme (z.B. Echtzeit‐ und Sicherheitseigenschaften) ‐ Konstruktiver Einsatz von Modellen (Generierung) ‐ Modellbasierte Validierung und Verifikation ‐ Evolution von Modellen Das Organisationskomitee ist der Meinung, dass mit den Teilnehmern aus Industrie, Werkzeugherstellern und der Wissenschaft die bereits seit 2005 erfolgte Community‐Bildung erfolgreich weitergeführt wurde, und damit demonstriert, dass eine solide Basis zur Weiterentwicklung des sich langsam entwickelnden Felds modellbasierter Entwicklung eingebetteter Systeme existiert. Die Durchführung eines erfolgreichen Workshops ist ohne vielfache Unter‐ stützung nicht möglich. Wir danken daher den Mitarbeitern von Schloss Dagstuhl und natürlich unseren Sponsoren. Schloss Dagstuhl im April 2008, Das Organisationskomitee: Holger Giese, Univ. Potsdam Michaela Huhn, TU Braunschweig Ulrich Nickel, Hella KGaA Hueck&Co Bernhard Schätz, TU München Mit Unterstützung von Matthias Hagner, TU Braunschweig Das Arbeitsgebiet des Instituts für Programmierung und Reaktive Systeme der TU Braunschweig sind Methoden für die Spezifikation, den Entwurf, die Implementierung und die Validierung von Softwaresystemen, insbesondere für eingebettete Systeme. Der gesamte Bereich des Softwareentwurfs für eingebettete Systeme von der eigenschaftsorientierten Beschreibung des gewünschten Verhaltens über die modellbasierte Entwicklung und den Architekturentwurf bis zur Implementierungsebene und die Validierung wird durch exemplarische Forschungsarbeiten abgedeckt. Dabei werden sowohl Grundlagenarbeiten als auch Anwendungsprojekte (zum Beispiel im Bereich Automotive) durchgeführt. Der Lehrstuhl für Software Systems Engineering der TU München entwickelt in enger Kooperation mit industriellen Partnern modellbasierte Ansätze zur Entwicklung eingebetteter Software. Schwerpunkte sind dabei die Integration ereignisgetriebener und zeitgetriebener Systemanteile, die Berücksichtigung sicherheitskritischer Aspekte, modellbasierte Testfallgenerierung und modellbasierte Anforderungsanalyse, sowie den werkzeuggestützten Entwurf. Besonderer Fokus der Arbeit des Fachgebiets "Systemanalyse und Modellierung" des Hasso Plattner Instituts liegt im Bereich der modellgetriebenen Softwareentwicklung für software-intensive Systeme. Dies umfasst die UML-basierte Spezifikation von flexiblen Systemen mit Mustern und Komponenten, Ansätze zur formalen Verifikation dieser Modelle und Ansätze zur Synthese von Modellen. Darüber hinaus werden Transformationen von Modellen, Konzepte zur Codegenerierung für Struktur und Verhalten für Modelle und allgemein die Problematik der Integration von Modellen bei der modellgetriebenen Softwareentwicklung betrachtet. Als international tätiger Automobilzulieferer begründet die Hella KGaA Hueck & Co. ihre globale Wettbewerbsfähigkeit aus einer klaren Qualitätsstrategie, einem weltweitem Netzwerk und der Innovationskraft der rd. 25.000 Mitarbeiterinnen und Mitarbeiter. Licht und Elektronik für die Automobilindustrie und automobile Produkte für Handel und Werkstätten sind unsere Kerngeschäftsfelder. Mit einem Umsatz von 3,7 Milliarden Euro im Geschäftsjahr 2006/2007 ist unser Unternehmen ein weltweit anerkannter Partner der Automobilindustrie und des Handels. Die Validas AG ist ein Beratungsunternehmen im Bereich Software-Engineering für eingebettete Systeme. Die Validas AG bietet Unterstützung in allen Entwicklungsphasen, vom Requirements-Engineering bis zum Abnahmetest. Die Auswahl und Einführung qualitätssteigender Maßnahmen folgt dabei den Leitlinien modellbasierter Entwicklung, durchgängiger Automatisierung und wissenschaftlicher Grundlagen. Innerhalb der Gesellschaft für Informatik e.V. (GI) befasst sich eine große Anzahl von Fachgruppen explizit mit der Modellierung von Software- bzw. Informationssystemen. Der erst neu gegründete Querschnittsfachausschuss Modellierung der GI bietet den Mitgliedern dieser Fachgruppen der GI - wie auch nicht organisierten Wissenschaftlern und Praktikern ein Forum, um gemeinsam aktuelle und zukünftige Themen der Modellierungsforschung zu erörtern und den gegenseitigen Erfahrungsaustausch zu stimulieren. Schloss Dagstuhl wurde 1760 von dem damals regierenden Fürsten Graf Anton von Öttingen-Soetern-Hohenbaldern erbaut. Nach der französischen Revolution und der Besetzung durch die Franzosen 1794 war Dagstuhl vorübergehend im Besitz eines Hüttenwerkes in Lothringen. 1806 wurde das Schloss mit den zugehörigen Ländereien von dem französischen Baron Wilhelm de Lasalle von Louisenthal erworben. 1959 starb der Familienstamm der Lasalle von Louisenthal in Dagstuhl mit dem Tod des letzten Barons Theodor aus. Das Schloss wurde anschließend von den Franziskus-Schwestern übernommen, die dort ein Altenheim errichteten. 1989 erwarb das Saarland das Schloss zur Errichtung des Internationalen Begegnungs- und Forschungszentrums für Informatik. Das erste Seminar fand im August 1990 statt. Jährlich kommen ca. 2600 Wissenschaftler aus aller Welt zu 40 -45 Seminaren und viele sonstigen Veranstaltungen. Automatisiertes Testen mit Message Sequence Charts (MSCs) Andrea Osterloh, Oscar Slotosch Validas AG Arnulfstr. 27 80335 München www.validas.de [email protected] [email protected] Wir präsentieren einen modell-basierten Ansatz zum automatisierten Testen anhand von Testspezifikationen in Message Sequence Charts (MSCs). Die im ITU-T Standard Z.120 definierte Sprache MSC eignet sich zur Beschreibung von nachrichtenbasierten Systemen und zeichnet sich vor allem durch die für den Leser sehr intuitive Darstellung von Abläufen und Verhalten aus. Auch die Möglichkeit den Testablauf duch Highlevel MSCs (HMSC) zu strukturieren und damit die Tests aus einer Art Zustandsautomaten auszuführen, macht diese Sprache für die Testspezifikation interessant. Mit den Elementen dieses ITU-Standards lassen sich Tests unabhängig von einer Programmiersprache oder einer Schnittstellenbeschreibungssprache definieren. Auf einem solchen Abstraktionsgrad definierte Testspezifikationen eignen sich deshalb für den Einsatz auf mehreren Testebenen. In einem Entwicklungsprozess in dem mehrere Testebenen durchlebt werden, wie es im automotive Bereich der Fall ist, besteht Bedarf an der Wiederverwendbarkeit von standardisierten Spezifikationen. Es ist daher erstrebenswert, dass ein und dieselbe Testspezifikation sowohl zum Test der Spezifikation, beim Modul-Test der Software, als auch beim Integrationstest z.B. auf einem Steuergerät verwendet werden kann. In dem Vortrag wird eine solcher Ansatz vorgestellt. Mit ihrem MSC2C Codegenerator hat die Validas AG ein Tool entwickelt, dass MSCTestspezifikationen in C-Code übersetzt. Aus den MSCs wird der eigentliche Test generiert, während aus den HMSCs eine Testablaufsteuerung für die Tests erzeugt wird. Diese enthält eine intelligente Kombination aus ausführbaren Tests, Test-Coverage und Benutzerprioritäten. 1 Von der Vielzahl der MSC-Elemente stellen Nachrichten die zentrale Einheit der Testspezifikation dar, denn sie beschreiben die Kommunikation zwischen Testtreiber und System under Test (SuT). Der Schlüssel zu der Verwendbarkeit einer MSCTestspezifikation auf unterschiedlichen Testebenen liegt daher in der Umsetzung dieser MSC-Nachrichten gemäß der Zielumgebung. Zur näheren Spezifikation der Nachrichten kann ein sogenannter Nachrichtenkatalog verwendet werden. In diesem XML-basierten Spezifikationszusatz können für alle Nachrichten z.B. Datentypen der Parameter und Rückgabewerte definiert werden. Dies sind essentielle Informationen für die Umsetzung der Schnittstelle zwischen Testtreiber und SuT. Der Nachrichtenkatalog kann auch in den MSC-Editor eingebunden und von dort direkt zur Spezifikation der Nachrichten verwendet werden. Dies erleichtert die Erstellung valider MSC-Dokumente. Die Umsetzungen der Testtreiber für die einzelnen Zielumgebungen beinhalten folgende Charakteristika: 1. Test einer Matlab/Simulink Schnittstellenspezifikation Beim Test einer Matlab/Simulink Spezifikation wird der gesamte Testtreiber in eine S-Function eingebunden. Die S-Function wird mit einem Modul des MSC2C Generators erzeugt, wobei der Nachrichtenkatalog dazu verwendet wird, alle beim SuT eingehenden Nachrichten als Outports der S-Function umzusetzen und alle vom SuT zum Testtreiber laufende Nachrichten als Inports der S-Function zu verwenden. Das Modul MSC2Matlab beinhaltet Funktionen sowohl zum Generieren der SFunction als auch zum Verbinden der Ein-und Ausgänge der S-Function mit dem zu testenden Simulink Modell. 2. Software Modul-Test Beim Software-Modultest werden die beim SuT eingehenden MSC-Nachrichten direkt als Funktionsaufrufe des zu testenden Codes umgesetzt. Für vom SuT ausgehende Nachrichten werden Stubs generiert, welche mitprotokollieren, wann und mit welchen Parametern die Funktionen aufgerufen werden. 3. Integrationstest auf einem Steuergerät Beim Test einer Funktionalität oder Schnittstelle auf einem Steuergerät werden die beim SuT eingehenden MSC-Nachrichten als CAN-Nachrichten umgesetzt, welche zum Steuergerät gesendet werden. Das erwartete Verhalten wird ebenfalls anhand von vom SuT gesendeten CAN-Nachrichten abgeprüft. Manifestiert sich das Verhalten allerdings in einer Variablenänderung auf dem Steuergerät, so muss die Nachricht als eine CAN Nachricht, welche eine CCP (CAN Calibration Protocol)Abfrage der Variablen enthält, umgesetzt werden. Die Ergebnisse der Testausführung werden in einem Logfile mitprotokolliert. Mit Hilfe des MSC2C Code-Generators, kann aus diesem Logfile ein Protokoll-MSC erstellt werden. Dieses Ergebnis-MSC protokolliert den Testablauf und stellt die Abweichungen der Ausführung zur Testspezifikation heraus. Auf dieser Basis kann die Analyse der Tests leicht durchgeführt werden. 2 View-Centric Modeling of Automotive Logical Architectures Hans Grönniger1 , Jochen Hartmann2 , Holger Krahn1 , Stefan Kriebel2 , Lutz Rothhardt2 , and Bernhard Rumpe1 1 Institut für Software Systems Engineering, TU Braunschweig, Germany 2 BMW Group, München, Germany Abstract: Modeling the logical architecture is an often underestimated development step to gain an early insight into the fundamental functional properties of an automotive system. An architectural description supports developers in making design decisions for further development steps like the refinement towards a software architecture or the partition of logical functions on ECUs and buses. However, due to the large size and complexity of the system and hence the logical architecture, a good notation, method, and tooling is necessary. In this paper, we show how the logical architectures can be modeled succinctly as function nets using a SysML-based notation. The usefulness for developers is increased by comprehensible views on the complete model to describe automotive features in a self-contained way including their variants, modes, and related scenarios. 1 Introduction Developing automotive embedded systems is becoming a more and more complex task, as the involved essential complexity steadily increases. This increase and the demand for shorter development cycles enforces the reuse of artifacts from former development cycles paired with the integration of new or changed features. The AUTOSAR methodology [AUT] aims to achieve reuse by a loosely coupled componentbased architecture with well-defined interfaces and standardized forms of interaction. The approach targets at the software architecture level where the interface descriptions are already detailed and rich enough to derive a skeleton implementation (semi)-automatically. Despite its advantages software architectures are less useful in early design phases where a good overview and understanding of the (logical) functions is essential for an efficient adaptation of the system to new requirements. Detailed interface descriptions and technical aspects would overload such a description. In compliance with [Gie08] we argue that the component-based approach has its difficulties when applied to automotive features that highly depend on the cooperation of different functions. To comprehend the functionality of features, it is essential to understand how functions interact to realize the feature. Complete component-like descriptions of single functions are less useful as they only describe a part of a feature while a comprehensive understanding is necessary. We identified the following problems with notations and tools proposed or used today: • Tools that only provide full views of the system do not scale to a large amount of functions. 3 • Notations that have their roots in computer science are not likely to be accepted by users with a different professional background. • Under-specification and the abstraction from technical details are often excluded if tools aim at full code generation. Our contribution to the problem of modeling complex embedded automotive systems is thus guided by the following goals: • A comprehensible description of functions, their structure, behavior, and interactions with other functions should be supported. • Interesting functional interrelations should be presentable in a way such that they are comprehensible for all developers involved. • The system shall be modeled from different viewpoints in a way that a developer can concentrate on one aspect at a time and the conformance to the complete system can be checked automatically. In addition, the developer shall be supported in understanding how a certain viewpoint is realized in the complete system. In accordance to [vdB04, vdB06], we argue that function nets are a suitable notation for describing the logical architecture of an automotive system. We further explain how views for features including their modes and variants can help to ease the transition from requirements to a logical architecture. In addition to the aspects already explained in our previous work [GHK+ 07, GHK+ 08], we extend the view-based approach to model scenarios with UML communication diagrams [OMG05] that are also consistent to the logical architecture or other views. The rest of the paper is structured as follows. In Section 2 function net architectures and views are explained. Section 3 describes how this notation can be used within an automotive development process. Section 4 focuses on scenarios which complement the feature views to simplify the understanding and enhance the testability. Section 5 presents related work and Section 6 concludes the paper. 2 Function Nets Architecture and Views For modeling the logical architecture as function nets an appropriate notation has to be found. We evaluated UML 2.0 [OMG05] and other UML derivates like UML-RT [SGW94] and SysML [OMG06] which in general were found suitable for architecture and function net modeling [RS01, vdB04]. We favored SysML over other notations because it uses Systems Engineering terminology which is more intuitive for people with different professional backgrounds than others which have their roots in computer science. SysML internal block diagrams allow us in contrast to UML composite structure diagrams to model cross-hierarchy communication without using port delegation which was helpful to model static architectures. A more detailed discussion can be found in [GHK+ 07]. We use a subset of SysML internal block diagrams to enable compact definitions and decrease the learning effort for the notation. An internal block diagram (ibd) used as a 4 function net may only contain directed connectors to indicate the signal flow direction. Multiplicities of blocks and connectors have always the value one and are therefore omitted. An example of a function net diagram can be found in Figure 1. It shows a simplified complete function net ”CarComfort” which contains a fictitious model of a central locking functionality. It evaluates the driver’s request and opens or closes the doors accordingly. In addition, the doors close if the vehicle exceeds a certain speed limit (auto lock). Figure 1: Part of an automotive function net Syntactically, the function net is a valid SysML internal block diagram. In that example, we used three layers of hierarchy (top-level, block ”CLRequestProc” and, e.g., ”ButtonOn”). With the signal ”DriverRequestCL”, it also shows an example of cross-hierarchy communication. Instantiation is also supported. In the example, there are two doors which are instantiated by giving each block a name, in this case ”left” and ”right”. These two blocks share their behavior but not their internal state. Instantiation is an important feature that allows one to reuse of a block multiple times which also avoids redundant block definitions that are poorly maintainable [GHK+ 07]. Views are also modeled as internal block diagrams indicated by the specific diagram use !view". In general, views focus on a certain aspect of the function net. By adding a few specific properties, views can also model the environment and context of the considered aspect. Compared to the complete function net, a view may leave out blocks, signals, or hierarchy information which is present in the related complete function net. ”Env(ironmental)” blocks and non-signal communication can be added to increase the understandability. The environmental elements refer to non E/E elements that have a physical counterpart. Non-signal communication is modeled by connectors that are connected to special ports in which ”M” represents mechanical influence, ”H” hydraulics, and ”E” electrical interactions. Blocks marked with the stereotype ”ext(ernal)” are not central to the view but are necessary to form an understandable model. The example in Figure 2 shows that whole blocks from the complete function net have been left out (block ”CLRequestProc”) and that the blocks ”CentralSettingsUnit” and ”VehicleState” have been included in the view to clarify where the signals ”AutoLockStatus” and ”VehicleSpeed” originate. The physical door look ”LockActuator” is shown in the figure as an environmental element (marked with the corresponding stereotype !env"). 5 Figure 2: View of the autolock functionality including external blocks and environment Like explained in [GHK+ 07, GHK+ 08], a view and a complete function net of the system are consistent if the following consistency conditions hold. 1. Each block in a view not marked with the stereotype !env" must be part of the logical architecture. 2. Views must respect whole-part-relationships. If there is such a relationship between functions in the view, it must also be present in the complete function net. Intermediate layers may be left out, though. 3. The other way round, if two functions are in a (possibly transitive) whole-partrelationship in the complete function net and both are present in a view, they must have this relationsship in the view, too. 4. Normal communication relationships (except those originating from M, E, or H ports) shown in a view must be present in the logical architecture. If the view indicates that certain signals are involved in a communication they must be stated in the architecture. If no signal is attached to a communication link in a view at least one signal must be present in the architecture. 5. A communication relationship needs not be drawn to the exact source or target, also any superblock is sufficient if the exact source or target is omitted in the view. One view on a function net is a specialization of another view if both are consistent to the same complete function net and the following context condition holds. 6. The blocks and connectors in the specialization function net are a subset of the blocks shown in the referred function net. 3 Function Nets and Views in the Automotive Development Process The above described mechanisms to model the logical architecture as function nets and to create views on the complete model can be used for a variety of purposes. Mainly the 6 views can be used to model an automotive feature in a self-contained way. The term feature denotes a functionality that is perceptible by customers (e.g., a braking system) or an automotive engineer (e.g., system functions that effect the whole vehicle like diagnostics). Further views which are usually specializations of a feature view are used to model the variants and modes of that feature. The variants provide the same principle functionality but are distinguishable by having different individual properties. The complete function net includes all variants and through parameterization the intended variants are chosen. Modes are used to show that features change their observable behavior in a distinct way when certain conditions are fulfilled. Modes are described by a statechart where the state names correspond to the different modes of operation, whereas the transitions are used to describe the conditions which force a change of the mode of operation. As error degradation is a common example for using modes, views are then used to show the active subsystems and leave the inactive subsystems out. Further details about the use of views for modeling features, variants, and modes can be found in [GHK+ 08, GKPR08]. From a technical position, a view is consistent with a function net or view if the given constraints hold. Especially, each developer decides on his/her own which external or environmental elements are necessary to form a self-contained description. In a company where many developers concurrently work on a solution, this raises the question for modeling guidelines which standardize the use of additional elements and therefore simplify cooperative development. Figure 3 gives an overview of the development process. The requirements are captured textually in a distributed manner and form the basis for modeling features in a self-contained way by using feature and other according views. These models ease the transition to the logical architecture mainly because the same notation is used and automatic checks for conformance can be applied on the basis of the above explained consistency conditions. The logical architecture can then be further refined towards an AUTOSAR software and hardware architecture. The realization is then derived within the AUTOSAR process. Please note that the figure concentrates on the structural view point only. This view point forms the backbone of automotive software development, but has to be complemented by behavioral descriptions on the one hand, and exemplary scenarios on the other hand. For each of the view points, different diagrams exist that are related to the structural diagram on each layer of abstraction. The feature models themselves are a unit of reuse: When moving from one product line to another the still relevant features of the old product line are determined and the necessary changes on requirements are made. The according changes are reflected in the features views. Finally, the traceable connection between the feature views and the logical architecture helps to define the relevant changes in the complete function net. During the transition from one development step to another different design decisions are made. For example, going from the logical architecture to the technical architecture the developer has to determine the physical location of a logical function on a certain ECU. The reuse of existing software from a former product line is often only possible if the function is not mapped to another ECU with completely different properties. Therefore, annotations can be added to the logical architecture resp. a feature view to pre-determine the result of the placement decision. This restriction on the design space maximizes reuse. 7 Figure 3: Automotive development process 4 Using Views to Describe Scenarios As described above views can be used to model features in a self-contained way. Further specializations on this view can be used to explain the according modes and variants. This form of specification is supplemented by behavioral descriptions of the non-composed blocks using an arbitrary form of description like statecharts, Matlab/Simulink models or plain text depending on the chosen abstraction layer. These models aim at a complete description of the considered system or feature resp. their modes and variants. Nevertheless, sometimes (e.g., for safety assessments) it is important to document how the system reacts to certain external events or failures of subsystems in an exemplary fashion. In addition, the scenarios help developers to understand the system better by showing representative situations. For this kind of exemplary behavior we adopted the UML communication diagram [OMG05]. In this kind of diagram the subsystems exchange signals in the enumerated order. The basic form uses another view on the corresponding complete, feature, mode, or variant function net which includes only the active subsystems in the scenario. Therefore, communication diagrams can be used on both abstraction layers, on the feature level as scenarios on feature views and on the complete function net where scenarios for a composed automotive system are modeled. The modeled system may communicate by discrete events or by continuous signal flow. Therefore, we extended the form of communication normally used in communication diagrams by allowing the following conditions which help to describe continuous forms of interaction. The notation allows to specify multiple ranges for a certain signal, e.g., to specify that a signal is either invalid or greater than a certain value. • The value of a signal s is larger than v: s > v • The value of a signal s becomes larger than v: s >> v 8 • The value of a signal s has a certain value v : s == v • The value of a signal s changes to a certain value v : s = v • The value of a signal s is smaller than v: s < v • The value of a signal s becomes smaller than v: s << v For discrete signals also the following notation is useful: • The value of a signal s changes from v to w: s : v −> w An example for a scenario that is modeled by a communication diagram can be found in Figure 4 with a corresponding variant view of the CentralLocking function. More details on the variant mechanism used can be found in [GHK+ 08, GKPR08]. In the example the signal “VehicleSpeed” exceeds the value of 10km/h. Therefore, the block “EvalSpeed” changes its output value from “Open” to “Close”. After that, the output value of the block “Arbiter” must be “Close” and therefore the doors of the car will close (not modeled here). This interaction is modeled as CmdOpenClose == Close and not as CmdOpenClose : Open -> Close because the Arbiter may already have closed the doors by sending the output signal value “Close”, e.g., because of input values from the not modeled input signal “AutoLockStatus”. Figure 4: Variant view and a corresponding scenario Scenarios like described above could also be modeled using sequence diagrams. Discussions with developers turned up that the similarity between the complete function net and the scenarios are helpful to understand the considered system. However, sequence diagrams might be helpful to model complex interactions between few communication partners, whereas simple interactions between many communication partners can be modeled more concisely in a communication diagram. Therefore, we allow using both, sequence and communication diagrams, for modeling scenarios. Nevertheless, this form of communication diagrams can easily be transformed to a sequence diagram with the same meaning. Therefore, extensions of sequence diagrams like explained in [Rum04] could also be used in communication diagrams. The main new concepts are the following: • Communications can be marked by the stereotype !trigger" to mark that they trigger the scenario. 9 • The matching policy of the communication partners can be marked as either – complete to indicate that all occurring communication is already shown in the diagram. All additional communication that is observed in a system run is interpreted as wrong behavior. – visible to indicate that all communication between blocks shown in a diagram is actually modeled. However, there may exist other blocks not shown in the scenario that also communicate in a system run. – free to indicate that arbitrary interactions may occur additionally to the explicitly modeled communications. As described in [Rum04], these extensions can be used to automatically derive a test case from the communication diagram (with the sequence diagram as an intermediate step). The interactions in the sequence diagram are assumed to be ordered as they appear in the diagram. Additional invariants could be used to model timing constraints in the scenarios. The test cases use the triggers to invoke the actual implementation and an automaton that checks if the system shows the correct behavior. This method can be applied only if there is a traceable connection from the function nets to the actual realization. The connection is used to translate the triggers which are logical signals to, e.g., messages in the realization. Vice versa, the observed messages in the realization are transformed back to the according logical signal flow that is checked against the described interactions. If such an approach is technically to difficult, the scenarios can still be used for validating and testing the logical architecture in a simulation. 5 Related Work Function net modeling with the UML-RT is described in [vdB04]. We extended this approach by using the SysML for modeling function nets and explained its advantages. We supplement the approach by views that simplify the transition from requirements to logical architectures in early design phases as they are able to model features and their variants, modes, and also scenarios. In [RFH+ 05, WFH+ 06] service oriented modeling of automotive systems is explained. The service layer is similar to the modeling of features. Another example of an architecture description language that aims at supporting a development process from vehicle requirements to realization is being defined in the ATESST project [ATE] based on EAST-ADL [EAS]. Both works do not explicitly provide support for modeling exemplary scenarios. In addition, we explored how feature descriptions can benefit from modeling the environment together with the feature. AML [vdBBRS02, vdBBFR03] considers abstraction levels from scenarios to implementation. Unlike our use of scenarios, scenarios in [vdBBRS02] are employed in a top-down development process on a higher level of abstraction out of which the logical architecture will later be developed. In [DVM+ 05] the use of rich components is explained that employ a complex interface description including non-functional characteristics. In that approach, scenarios could be modeled as viewpoints of a component. In contrast to our approach rich components 10 focus less on the seamless transition from requirements to function nets but assume an established predefined partitioning in components. The AUTOSAR consortium [AUT] standardizes the software architecture of automotive system and allows the development of interchangeable software components. One main problem of this approach is that software architectures are too detailed in early development phases where functions nets are commonly accepted by developers. In addition, like also argued in [Gie08], the component-based approach has its difficulties when applied to automotive features that highly depend on the cooperation of different functions. 6 Conclusion In this paper, we summarized our approach for modeling the logical architecture of automotive systems using views. We regard views as suitable for describing automotive features, but also their variants and modes. More information can be found in [GHK+ 07, GHK+ 08]. In this paper we additionally introduced a scenario notation that is similar to UML communication diagrams but is a view on a function net at the same time. The syntactic proximity to the logical architecture simplifies the understanding of scenarios. Scenarios can be used to document important use-cases of features. These use-cases contain information that help developers to understand and correctly implement the intended functionality. Despite the scenarios which show exemplary behavior, the approach described in this paper focuses on structural aspects only. This is mostly sufficient for the modeling of a logical architecture because architectures mainly focus on structural properties and decomposition of functionality. For the self-contained modeling of features this approach has to be extended with full behavioral specifications to gain its full usefulness. When the proposed model types (complete function nets, views for features, modes, variants, and the described scenarios) are used to model an automotive system, a greater number of models have to be created and references between models have to be establised. We plan to investigate into existing model mangement strategies and adopt them to the needs of a model-based automotive development process in order to handle the large number models. References [ATE] ATESST Project website http://www.atesst.org. [AUT] AUTOSAR website http://www.autosar.org. [DVM+ 05] Werner Damm, Angelika Votintseva, Alexander Metzner, Bernhard Josko, Thomas Peikenkamp, and Eckard Böde. Boosting Re-use of Embedded Automotive Applications Through Rich Components. In Proceedings of Foundations of Interface Technologies 2005, 2005. 11 [EAS] EAST-EEA Architecture Description Language, available from http://www.east-eea.net. [GHK+ 07] Hans Grönniger, Jochen Hartmann, Holger Krahn, Stefan Kriebel, and Bernhard Rumpe. View-Based Modeling of Function Nets. In Proceedings of the Objectoriented Modelling of Embedded Real-Time Systems (OMER4) Workshop, Paderborn,, October 2007. [GHK+ 08] Hans Grönniger, Jochen Hartmann, Holger Krahn, Stefan Kriebel, Lutz Rothhardt, and Bernhard Rumpe. Modelling Automotive Function Nets with Views for Features, Variants, and Modes. In Proceedings of ERTS 2008, 2008. [Gie08] Holger Giese. Reuse of Innovative Functions in Automotive Software: Are Components enough or do we need Services? In Tagungsband Modellierungs-Workshop MBEFF: Modellbasierte Entwicklung von eingebetteten Fahrzeugfunktionen, 2008. [GKPR08] Hans Grönniger, Holger Krahn, Claas Pinkernell, and Bernhard Rumpe. Modeling Variants of Automotive Systems using Views. In Tagungsband ModellierungsWorkshop MBEFF: Modellbasierte Entwicklung von eingebetteten Fahrzeugfunktionen, 2008. [OMG05] Object Management Group. Unified Modeling Language: Superstructure Version 2.0 (05-07-04), August 2005. http://www.omg.org/docs/formal/05-07-04.pdf. [OMG06] Object Management Group. SysML Specification Version 1.0 (2006-05-03), August 2006. http://www.omg.org/docs/ptc/06-05-04.pdf. [RFH+ 05] S. Rittmann, A. Fleischmann, J. Hartmann, C. Pfaller, M. Rappl, and D. Wild. Integrating Service Specifications at Different Levels of Abstraction. In SOSE ’05: Proceedings of the IEEE International Workshop, pages 71–78, Washington, DC, USA, 2005. IEEE Computer Society. [RS01] Bernhard Rumpe and Robert Sandner. UML - Unified Modeling Language im Einsatz. Teil 3. UML-RT für echtzeitkritische und eingebettete Systeme. at - Automatisierungstechnik, Reihe Theorie für den Anwender, 11/2001, (11), 2001. [Rum04] Bernhard Rumpe. Modellierung mit UML. Springer, Berlin, May 2004. [SGW94] Bran Selic, Garth Gullekson, and Paul T. Ward. Real-Time Object-Oriented Modeling. John Wiley & Sons, April 1994. [vdB04] Michael von der Beeck. Function Net Modeling with UML-RT: Experiences from an Automotive Project at BMW Group. In UML Satellite Activities, pages 94–104, 2004. [vdB06] Michael von der Beeck. Eignung der UML 2.0 zur Entwicklung von Bordnetzarchitekturen. In Tagungsband des Dagstuhl-Workshops Modellbasierte Entwicklung eingebetteter Systeme, 2006. [vdBBFR03] Michael von der Beeck, Peter Braun, Ulrich Freund, and Martin Rappl. Architecture Centric Modeling of Automotive Control Software. In SAE Technical Paper Series 2003-01-0856, 2003. [vdBBRS02] Michael von der Beeck, Peter Braun, Martin Rappl, and Christian Schröder. Automotive Software Development: A Model Based Approach. In World Congress of Automotive Engineers, SAE Technical Paper Series 2002-01-0875, 2002. [WFH+ 06] 12 Doris Wild, Andreas Fleischmann, Judith Hartmann, Christian Pfaller, Martin Rappl, and Sabine Rittmann. An Architecture-Centric Approach towards the Construction of Dependable Automotive Software. In Proceedings of the SAE 2006 World Congress, 2006. Testverfahren für Elektronik und Embedded Software in der Automobilentwicklung Gerd Baumann, Michael Brost Kfz-Mechatronik / Software Forschungsinstitut für Kraftfahrwesen und Fahrzeugmotoren Stuttgart (FKFS) Pfaffenwaldring 12 70569 Stuttgart [email protected] [email protected] Abstract: Beim Test von elektronischen Steuergeräten und Embedded Software für Kraftfahrzeuge wird eine Vielzahl von Methoden eingesetzt, die sich in den einzelnen Entwicklungsphasen der Elektronik für ein neues Kraftfahrzeug signifikant unterscheiden. Hinzu kommt, dass die Kraftfahrzeugelektronik ein multidisziplinäres Arbeitsgebiet ist und dass sich die Sichtweisen und Begriffswelten der beteiligten Fachrichtungen (Maschinenbau, Fahrzeugtechnik, Elektrotechnik und Informationstechnik) fundamental unterscheiden. Ziel des Beitrags ist es, eine Übersicht zur aktuellen Situation beim Test von Automobilelektronik und -Software zu geben. Anschließend wird ein konkretes Beispiel für automatisierte Tests der Kfz-Innenraum-Elektronik vorgestellt. 1 Einführung 1.1 Motivation Aus der Informationstechnik ist bekannt, dass fast die Hälfte der Entwicklungskosten von Software auf Tests entfällt [Vig04]. Da die Embedded Software in der KfzElektronik eine dominierende Rolle spielt, liegt der Testanteil bei den Entwicklungskosten von ECU’s in einer ähnlichen Größenordnung. Das Testen von KfzElektronik und -Software ist deshalb keine Nebenaktivität, sondern ein zentraler Bestandteil des Entwicklungsprozesses, der einen wesentlichen Beitrag zur Sicherung und Verbesserung der Qualität von mechatronischen Kfz-Systemen darstellt. 1.2 Ein Beispiel Ein heutiger PKW der gehobenen Klasse enthält ca. 100 MByte ausführbare Embedded Software, die sich auf bis zu 100 Mikrocontroller verteilt. In der Softwaretechnik wird davon ausgegangen, dass bei der Implementierung ca. 25 bis 50 Fehler pro 1000 LOC 13 auftreten. Nach Abschluss aller Tests verbleiben nach Vigenschow ca. 3% Restfehler [Vig04]. Für eine fiktive Motorsteuerung mit angenommenen 106 LOC bedeutet dies, dass nach der Serieneinführung noch mehrere hundert Software-Fehler unentdeckt bleiben [Het07]. Hinzu kommen Fehler bei der Integration der Einzelsteuergeräte in das Fahrzeug-Netzwerk. Diese Zahlen verdeutlichen die Dimension der Problematik für die Automobilindustrie. 1.3 Zielsetzung von Tests Es gibt zwei grundlegende Thesen zu der Frage, was Tests leisten sollen: A) Tests sollen nachweisen, dass die Eigenschaften eines Produkts unter allen Bedingungen mit den spezifizierten Eigenschaften übereinstimmen. B) Tests dienen dem Produkteinführung. Auffinden möglichst vieler Fehler vor der Im Bereich der Softwaretechnik gilt es als theoretisch gesichert, dass ein Nachweis der vollständigen Korrektheit der Implementierung eines gegebenen Algorithmus gemäß These A) aus verschiedenen Gründen nicht möglich ist, z.B. [How87]. Diese Aussage gilt auch für elektronische Steuergeräte und deren Software, weil niemals eine Spezifikation existiert, die den Prüfling vollständig beschreibt, und weil die für das Testen verfügbare Zeit bis zum Produktionsstart stets zu kurz ist. In der Realität der Automobilentwicklung wird daher stets gemäß der „pragmatischen“ These B) getestet. 2 Die Test-Situation in der Automobilindustrie 2.1 Testebenen Für einen effektiven Testprozess muss frühzeitig festgelegt werden, welche Arten von Tests zu welcher Zeit vorgenommen werden und wer dafür verantwortlich ist. Dabei gilt es einerseits, eine angemessene Testabdeckung zu erzielen, andererseits jedoch Mehrfach-Tests zu vermeiden. Diese Aufgabe ist alles andere als trivial, vor allem im Hinblick auf den hohen Vernetzungsgrad der Automobilelektronik und die große Zahl der Zulieferer, deren Produkte in einem modernen Kraftfahrzeug optimal zusammenwirken müssen. In der Automobilindustrie hat sich das in Tabelle 1 dargestellte Vorgehensmodell durchgesetzt, welches in dieser oder ähnlicher Form von den OEMs und den großen Zulieferern praktiziert und weiterentwickelt wird, wobei im Einzelfall weitere Ebenen eingeführt oder mehrere Ebenen zusammengefasst werden. 14 Tabelle 1: Testebenen und -Verfahren in der Kraftfahrzeugelektronik-Entwicklung Testebene Fahrzeugtest GesamtverbundTest im Labor Teilverbundtest Einzel-ECU-Test Testobjekt (SuT) Fahrzeug mit vollständiger Elektronik Alle ECUs eines Fahrzeugs Alle ECUs eines Bussegments, z.B. Antriebsstrang ECU mit Software, evtl. mit Peripherie SoftwareIntegrationstest Alle Softwareteile einer ECU Software-Modultest Einzelne Funktion oder Code-Modul Bevorzugte Testverfahren Fahrversuch Subjektive Bewertung „EMV-Halle“ „CAN-Mobil“ Kommunikationstests Bordnetz-Tests Black-Box-Tests: HIL-Verbundtest „Brettaufbau“ Black-Box-Tests: Fail-Safe-Tester HIL-Test White-Box-Tests: Aufruf-Reihenfolge Timing-Analyse SIL/MIL-Verfahren White-Box-Tests: Code Reviews Coverage-Analyse Metriken SIL/MIL-Verfahren Zuständigkeit OEM, Zentralabteilung OEM, Zentralabteilung OEM, Fachabteilung OEM Zulieferer Zulieferer (Tier 1) Zulieferer (Tier 1..n) 2.2 White-Box-Test vs. Black-Box-Test White-Box-Tests erfordern die vollständige Kenntnis der internen Struktur des Prüflings. Für den Test von Software bedeutet dies, dass der Quellcode verfügbar sein muss. Eingesetzt werden White-Box-Tests vor allem für Software-Modul- und Integrationstests. White-Box-Tests sind in hohem Grade automatisierbar. Es existiert eine große Bandbreite von Testverfahren und Werkzeugen, die im Bereich der Informatik entwickelt wurden. Einzelheiten zu den einzelnen Methoden finden sich z.B. in [Dus00]. In der Kraftfahrzeugelektronik werden White-Box-Tests typischerweise beim Zulieferer durchgeführt, da der OEM in der Regel keinen Zugriff auf den Quellcode von Steuergeräte-Software hat (es sei denn, er entwickelt diesen selbst). Im Rahmen des modellbasierten Entwicklungsprozesses werden auch Software-in-the-LoopTestverfahren (SIL) eingesetzt, wobei diese häufig als Model-in-the-Loop (MIL) bezeichnet werden, falls grafische Modellierer wie SIMULINK eingesetzt werden. Beim Black-Box-Test ist die interne Struktur des Prüflings, z.B. der elektrische Schaltplan einer ECU oder der Quellcode der eingebetteten Software, nur in groben Zügen bekannt. Deshalb wird der Prüfling an seinen Eingangs- Schnittstellen mit einer Auswahl an Testsignal-Kombinationen (auch als Testvektoren bezeichnet) beaufschlagt. Anschließend wird festgestellt, ob die Ausgangssignale plausibel sind. Black-BoxVerfahren sind somit stets funktionsorientiert. Da die Menge der möglichen 15 Eingangssignalkombinationen bei umfangreichen Systemen sehr hoch ist, werden BlackBox-Tests typischerweise stichprobenartig durchgeführt. In der Kraftfahrzeugelektronik werden Black-Box-Tests auf mehreren Testebenen angewendet, insbesondere für Einzel-Steuergeräte, mehrere Steuergeräte im Verbund bis zum vollständigen Fahrzeug-Netzwerk. 2.3 Open-Loop- und Closed-Loop-Verfahren Während der vergangenen zehn Jahre hat sich das Hardware-in-the-Loop-Verfahren (HIL) als Standard-Methode für Black-Box-Tests für Kfz-Elektronik etabliert. Dieses Verfahren ist dadurch charakterisiert, dass eine oder mehrere real vorhandene ECU’s im geschlossenen Regelkreis mit einem Simulationsmodell des „Restfahrzeugs“ betrieben werden. Die Simulation wird in Echtzeit auf einem Rechner ausgeführt, der über die notwendigen Hardware-Schnittstellen zur Ein- und Ausgabe der elektrischen ECUSignale einschließlich der Datenkommunikation (CAN etc.) verfügt. O p en -L oop-Test Testreferen z V ergleich: System u nder test S tim uliE rzeug un g ECU A usgabe des R eglers (E C U ) gege n die R efere nz C losed -L oo p-Test Testreferenz V ergleich: S ystem und er test S tim uliE rzeug un g ECU M odell der R egelstrecke A usgabe des R egelkreise s gege n die R efere nz R ückführung Abbildung 1: Open-Loop- und Closed-Loop-Testverfahren HIL zählt zu den Closed-Loop-Verfahren. Es ermöglicht die Simulation nahezu beliebiger dynamischer Betriebszustände elektronisch geregelter Kfz-Systeme. Daher ist es immer dann zu empfehlen, wenn schnelle Regelungen geprüft werden sollen, z.B. bei Motor- und Getriebesteuerungen sowie bei Schlupf- und Fahrdynamikregelungen (ABS, ESP). Es ist jedoch zu beachten, dass das Testergebnis nicht nur vom Verhalten des Prüflings (ECU) beeinflusst wird, sondern auch vom verwendeten Streckenmodell, welches im Sinne der Test-Theorie streng genommen einen Bestandteil des Prüflings bildet (Abbildung 1 unten). 16 Open-Loop-Funktionstests (Abbildung 1 oben) sind vor allem für reaktive Systeme geeignet, also für ECUs, deren Verhalten sich im Wesentlichen durch Zustandsautomaten beschreiben lässt und die nicht Bestandteil von Regelkreisen mit kurzen Zeitkonstanten sind. Dies trifft auf viele Systeme im Bereich der Innenraum- und Karosserie-Elektronik zu. Hierbei lässt sich mit vergleichsweise einfachen Mitteln eine relativ hohe Testabdeckung erzielen. Im folgenden Kapitel wird ein systematisches Verfahren zur automatisierten Generierung von Black-Box-Testabläufen für zustandsorientierte Systeme in der Automobilelektronik vorgestellt, das auf dem Open-Loop-Ansatz basiert. 3 Automatisierte Testfall-Generierung aus einem UML-Testmodell 3.1 Grundlagen Am FKFS wird in enger Zusammenarbeit mit einem OEM ein neues Verfahren entwickelt, das auf Basis einer zustandsbasierten Spezifikation mit verschiedenen Elementen der Unified Modeling Language (UML) automatisiert Testfälle herleiten kann. Eine wichtige Maßgabe dabei ist die praktische Umsetzbarkeit in der Serienentwicklung. Die funktionsorientierte Spezifikation erfolgt mittels Use Cases und Protokollautomaten. Daraus werden in einem dreistufigen Prozess Testfälle erstellt. In der ersten Stufe werden alle Protokollautomaten strukturell umgeformt und UML-spezifische Elemente, Nebenläufigkeiten und Zustandshierarchien eliminiert. Die zweite Stufe des Prozesses basiert auf graphentheoretischen Algorithmen und sucht nach gegebenen Abdeckungskriterien Wege durch die resultierenden flachen Automaten. Im Anschluss erfolgt in der dritten Stufe durch Auswertung der mit allen Zuständen und Übergängen verbundenen Bedingungen die Ermittelung von Stimuli und Reaktionen des Systems. Die daraus folgenden abstrakten Testfälle werden dann mittels eines Konverters für ein spezifisches Testsystem ausgegeben. 3.2 Beispiel: Teilfunktion eines Türsteuergeräts In Abbildung 2 ist der Protokollautomat zur Spezifikation der Fensterheber-Funktion „Komfortschließen“ dargestellt. Nachdem die Zündung (Klemme 15) initial gesetzt wird, erfolgt die Rücknahme der Klemme 15 und die Freigabe der Komfortfunktion des Fensterhebers über CAN. Das Schließen des Fensters wird nur bei deaktivierter Kindersicherung (KiSi) durch zwei unterschiedliche CAN-Signale (KomfortSchliessen1 und KomfortSchliessen2) ausgelöst. Ein nachträgliches Aktivieren der Kindersicherung hat keinen Einfluss auf den Betrieb des Fensterhebers, der nach einer maximalen Betriebszeit dTBetrieb wieder deaktiviert wird. Vor einer erneuten Aktivierung des Fensterhebers tritt eine Verzögerung von dTVzNeustart in Kraft. Die Freigabe der Funktion wird durch das Öffnen einer Tür oder das Freigabesignal selbst wieder beendet. Der Ablauf der Nachlaufzeit dTNachlauf beendet ebenfalls den Betrieb des Fensterhebers. 17 Jeder Zustand definiert, ob der Motor des Fensterhebers in Betrieb ist oder nicht. Aus jedem Zustand wird daher eine Operation zur Überwachung des entsprechenden Ausganges und eine Sollvorgabe erzeugt. Abbildung 2: Protokollautomat für die Funktion „Komfortschließen der Fenster“ Abbildung 3: Mögliche Pfade durch den Zustandsautomaten 18 Aus dem Zustandsautomaten ergeben sich bis zu 16 Pfade aus der Automatenstruktur, die in Abbildung 3 dargestellt sind. Die Angaben an den einzelnen Übergängen zeigen die Anzahl der Permutationen an, für die die mit diesem Übergang verknüpfte Bedingung wahr ist. Der erste Wert zeigt dies für das Verfahren der Logikminimierung an und der zweite Wert für die Mehrfachbedingungsabdeckung. Nach Auswertung der Guard-Bedingungen gemäß Mehrfachbedingungsabdeckung folgen daraus bis zu 1914 Testfälle. Durch Anwendung der Optimierung mittels Logikminimierung kann dies auf 166 Testfälle reduziert werden. Die theoretischen Grundlagen und Algorithmen des Verfahrens werden in [Bro08] beschrieben. Diese relativ hohe Anzahl von 166 Testfällen wird auf einer Open-Loop-Testmaschine automatisch durchgeführt und die Ergebnisse werden automatisch ausgewertet. Dadurch erfordert der Test der beschriebenen Beispiel-Funktion nur wenig manuelle Arbeit von Test-Ingenieuren und führt dennoch zu einer nachvollziehbaren, hohen Testabdeckung. Zur Zeit kommt in einem Serienentwicklungsprojekt bei einem OEM die am FKFS entwickelte Testmaschine PATE zu Einsatz [Bau05]. Die generierten Testabläufe lassen sich jedoch auch auf andere Testmaschinen übertragen. Literaturverzeichnis [Vig04] [Het07] [How87] [Dus00] [Bro08] [Bau05] Vigenschow, U.: Objektorientiertes Testen und Testautomatisierung in der Praxis. dpunkt-Verlag, 2004. ISBN 3-8How879864-305-0. Hettich, G.: Qualität automobiler Elektronik. Skriptum zur Vorlesung, Universität Stuttgart, 2007. Howden, W. E.: Functional Program Testing & Analysis. McGraw-Hill Verlag, 1987. Dustin, E.; Rashka, J; Paul, J.: Software automatisch testen. Verfahren, Handhabung und Leistung. Berlin: Springer, 2000. Brost, M.; Baumann, G.; Reuss, H.-C.; UML-basierte Testfallerzeugung für Karosseriesteuergeräte. Tagung „Simulation und Test in der Funktions- und Softwareentwicklung für die Automobilelektronik“, Berlin, erscheint in 5/2008. Baumann, G.; Brost, M.; Reuss, H.-C.: P.A.T.E. - Eine neue Integrations- und Automatisierungsplattform für den Test von elektronischen Steuergeräten im Automobil. 6. Internationales Stuttgarter Symposium Kraftfahrwesen und Verbrennungsmotoren. expert-Verlag, 2005. 19 Durchgehende Systemverifikation im Automotiven Entwicklungsprozess Oliver Niggemann, Rainer Otterbach dSPACE GmbH Technologiepark 25 33100 Paderborn [email protected] [email protected] Abstract: System- und vor allem Software-Architekturmodelle sind im Bereich der automotiven Software-Entwicklung gerade dabei, die Phase von Konzeptprojekten und Vorentwicklungsaktivitäten zu verlassen und in ersten Serienprojekten Verwendung zu finden. Entscheidend für die Akzeptanz dieser neuen Ansätze wird in Zukunft u.a. die Simulierbarkeit dieser Modelle auf dem PC sein. Dies würde die frühere Verifikation der verteilten Steuergeräte- und Software-Systeme erlauben und spätere, etablierte Testphasen wie z.B. den Hardware-in-the-Loop Test entlasten. Dieser Beitrag versucht, anhand eines Prozessmodells Einsatzmöglichkeiten von Systemmodellen für die PC-basierte Simulation und damit für eine frühe Systemverifikation aufzuzeigen. Die Autoren möchten dieses Paper vor allem auch dazu nutzen, einige Fragestellungen aufzuwerfen, die aus Ihrer Sicht aktuell ungelöst und daher für eine Diskussion während des Workshops besonders interessant sind. Für diese Arbeit wurde auf Teile von bereits veröffentlichten Arbeiten zurückgegriffen, und das dSPACE Modellierungs- und Simulationswerkzeug SystemDesk wurde zur Illustrierung der Arbeitsschritte verwendet. 1 Ein Prozessmodell für Systemmodelle Die modellbasierte Entwicklung der Steuergeräte-Software und die automatische Generierung des Seriencodes haben sich weithin etabliert, zumindest auf Einzelfunktionsebene. Die Einbeziehung der Software-Architektur steckt dagegen noch in den Kinderschuhen, obwohl gerade hier der Schlüssel zur Bewältigung der zunehmenden Komplexität zu finden ist. Ein Grund liegt darin, dass Methoden und Werkzeuge für die Modellierung und erst recht für die Simulation von automotiven Software-Architekturen fehlen. Sie können auch nicht einfach aus anderen Anwendungsgebieten, zum Beispiel der Telekommunikation, übernommen werden, wie zahlreiche Versuche etwa auf der Basis von UML gezeigt haben. Ähnliches gilt für die heute bekannten, modellbasierten Entwurfswerkzeuge, die sehr gut die Sicht des 20 Funktionsentwicklers widerspiegeln, aber nicht geeignet sind, Software-Architekturen im großen Stil darzustellen. Aus diesem Grund haben sich in den letzten Jahren automotiv ausgerichtete Softwareund System-Architekturmodelle als Ergänzung zu den reinen Funktionsmodellen im Entwicklungsprozess etabliert (siehe auch [SNO07]). Erste Systementwurfswerkzeuge wie SystemDesk von dSPACE erlauben dabei die Modellierung von Funktionsnetzen und Software-Architekturen, die Abbildung von Software auf ECU-Netzwerke und die Generierung von Integrationssoftwareschichten wie z.B. die AUTOSAR RuntimeEnvironment (RTE, siehe auch [AUR]). In Zukunft werden solche Architekturmodelle darüber hinaus ausführbar sein müssen und eine frühzeitige Verifikation des Systems durch Simulation in Nicht-Echtzeit auf dem PC erlauben. Unter Einbeziehung und Erweiterung der heute vorhandenen Simulationswerkzeuge für regelungs- und steuerungstechnische Funktionen muss dies auch für vernetzte Funktionen und seriencodierte Software-Komponenten eines gesamten Steuergerätes und eines Steuergeräteverbunds möglich sein. Bei Closed-LoopSimulationen müssen Streckenmodelle mit dem Software-System verbunden werden. Requirement Level Logical Level Top-Level Requirements Vehicle Functional Architecture System Architecture Vehicle Implementation Architecture Requirements for Functionalities Subsystem Functional Architecture e.g. ECU Application Architecture e.g. ECU Implementation Architecture RTE Code Requirements for Single Functions Function Design Optimized Function Design Function Implementation Design Production Code Modularization System Level Refinement Implementation Level Bus Configurations Generation Abbildung 1: Prozessrahmen zur Erläuterung der Verwendung von System- und SoftwareArchitekturmodellen 21 Diese zu entwerfenden und zu simulierenden Modelle werden hier aus Übersichtlichkeitsgründen in drei Kategorien (grob durch Prozessschritte in der E/EEntwicklung motiviert) eingeordnet, die sich durch Verfeinerung aus den Anforderungen ergeben (horizontale Richtung in Abbildung 1). Anforderungen liegen als informelle Textdokumente oder frühzeitig entwickelte Modelle vor, zum Beispiel kann eine Lichtsteuerung relativ einfach mit Hilfe eines endlichen Automaten definiert werden. Die Modularisierung (vertikale Richtung) ist für den Umgang mit komplexen Systemen unerlässlich und dient der Arbeitsteilung zwischen Unternehmen und einzelnen Entwicklern. Der Prozessrahmen in Abbildung 1 wird hier verwendet, um zu erläutern, wie sich System-, und Software-Architekturmodelle in bestehende E/E-Entwicklungsprozesse eingliedern. Da je nach Modellkategorie (horizontale Richtung) unterschiedliche Effekte simuliert werden können, ist diese Prozessdarstellung zum anderen auch geeignet, durch eine PC-Simulation identifizierbare Systemfehler (z.B. CAN-Signalsausfälle) den Phasen des Entwicklungsprozesses zuzuordnen (siehe auch [ONS07]). Hieran ist dann erkennbar, wie solch eine Systemsimulation in Zukunft dazu beitragen kann, einige Fehler und Risiken schon früher im Test- und Absicherungsprozess zu erkennen. Diskussionspunkt: Sind Modularisierung und Modellverfeinerung verschiedene Aspekte des Modellierungsprozesses? Fehlen Modelle oder Prozessschritte in dieser Darstellung? 2 Logische Ebene Auf logischer Ebene (Modellkategorie 1) wird das System als hierarchisches Modell vernetzter Funktionalitäten oder Software-Komponenten spezifiziert. Solche logischen Software-Architekturen werden häufig von Fahrzeugherstellern in frühen Phasen verwendet, um (i) die Modularisierung und Verteilung von Fahrzeugfunktionen zu entwerfen, (ii) wieder verwendbare Software-Komponenten zu spezifizieren und (iii) Software-Schnittstellen z.B. mit Zulieferern zu vereinbaren. Auswirkungen der später zu verwendenden Hardware-Plattform werden dabei nicht berücksichtigt. Die Simulation auf logischer Ebene findet in erster Linie Fehler im logischen Zusammenspiel vernetzter Komponenten, die in der gegenseitigen Abhängigkeit der Funktionen begründet sind. Je mehr das gewünschte Systemverhalten durch verteilte Funktionen realisiert wird, desto mehr lohnt sich die frühe Simulation. Beispiele dafür sind der gesamte Bereich der Komfortelektronik, aber auch Fahrerassistenzsysteme wie adaptive Fahrgeschwindigkeitsregelung, Aktivlenkung oder Spurhalteunterstützung. AUTOSAR (siehe [AU]) bezeichnet eine Simulation auf logischer Ebene auch als Virtual-Functional-Bus (VFB) Simulation. 22 Abbildung 2 zeigt ein Beispiel für die logische Architektur einer Blinkerregelung (hier mit dem Systemmodellierungs-Werkzeug SystemDesk von dSPACE erstellt). SoftwareKomponenten sind, unabhängig von ihrer späteren Verteilung auf Steuergeräte, miteinander verbunden, um eine Gesamtfunktion zu realisieren. Diskussionspunkt: Heute findet man zunehmend zwei Arten von Modellen auf dieser Ebene: 1. Software Architekturen: Dies sind klassische Software-Modelle mit formalen Interfaces, strenger Typisierung aller Daten und Referenzen zu Implementierungsdateien. AUTOSAR ist ein Beispiel für einen Standard in diesem Bereich. Zweck dieser Modelle ist eine implementierungsgeeignete und daher formale Modellierung der Software. Die Durchgängigkeit zur Serien-Software-Entwicklung (z.B. The Mathwork’s Simulink® als Modellierungsumgebung mit dem Seriencodegenerator TargetLink von dSPACE) ist hierbei ein entscheidendes Merkmal. 2. Funktionsnetze: Diese Netze stellen eine hierarchische Dekomposition der Funktionen eines Fahrzeugs dar. Zusätzlich wird zumeist die Abbildung von Funktionen auf Steuergeräte modelliert. Solche Modelle werden oft von Fahrzeugherstellern verwendet, um sehr früh im Prozess alle benötigten Funktionen zu erfassen und verschiedene Aufteilungen von Funktionen auf Steuergeräte durchzudenken und zu bewerten. Werden sich in Zukunft beide Modelle nebeneinander etablieren? Wie wird der Übergang zwischen Anforderungen, Funktionsnetzen und Software Architekturen aussehen? Oder sind Funktionsnetze eher Bestandteil der Anforderungsebene? Wie kann diese Software-Architektur simuliert werden? Voraussetzung ist zunächst einmal, dass das Verhalten aller Komponenten implementiert wurde. In solchen frühen Phasen der Entwicklung heißt dies, dass die Komponenten entweder als ausführbare Spezifikationsmodelle vorliegen oder existierende Implementierungen aus frühen Phasen verwendet werden. Spezifikationsmodelle stammen oft von Herstellern und definieren Funktionen wie z.B. obige Blinkerregelung für die späteren Software-Entwickler bzw. für Code-Generatoren. Anders als Modelle, die später für die Software-Generierung verwendet werden, enthalten solche Modelle oft keine implementierungsnahen Angaben wie z.B. Fixpoint-Definitionen oder Startup/Shutdown-Funktionen. 23 Abbildung 2: Verschaltung von Software Komponenten auf logischer Ebene Im Folgenden wird von Software Komponenten nach dem AUTOSAR Standard ausgegangen. AUTOSAR hat den Vorteil, wieder verwertbare Software Komponenten definiert zu haben, d.h. solche Komponenten sind Plattform-unabhängig implementiert und können daher im Normalfall auch auf dem PC ausgeführt werden. Darüber hinaus weisen AUTOSAR Software-Komponenten standardisierte Schnittstellen für die Kommunikation mit ihrer Umgebung auf. Im Fall von nicht-AUTOSAR Komponenten müssen entweder die Komponenten für das Simulationswerkzeug passend „verpackt“ werden, oder es erfolgen Anpassungen im Simulationswerkzeug (bei SystemDesk z.B. sehr einfach möglich). Aus Simulationssicht müssen zwei Hauptprobleme vor einer Simulation auf logischem Niveau gelöst werden: 1. Wann und in welcher Reihenfolge werden die Funktionen in den SoftwareKomponenten (d.h. die so genanten Runnables) aufgerufen? 2. Wie wird, aufbauend auf der Reihenfolge aus Frage 1, die Kommunikation zwischen den C Modulen von der Simulationsumgebung implementiert? Hier sind ja separat entwickelte C Module zu verbinden und dafür ist es notwendig, Daten in die C Module hineinzusenden bzw. herauszuholen. Es sei darauf hingewiesen, dass dies ohne weitere Kenntnisse über den Aufbau der C Module (wie z.B. von AUTOSAR definiert) nur sehr schwer möglich ist. Die erste Frage ist durch eine Analyse der Abhängigkeiten zwischen den SoftwareKomponenten zu klären. Alle dafür notwendigen Informationen sind in der (AUTOSAR) Software Architektur vorhanden. Nachdem Software-Komponenten (bzw. deren Runnables) im Allgemeinen für die Ausführung mit einem automotiven Echtzeitbetriebssystem (z.B. AUTOSAR OS oder OSEK) implementiert wurden, ist es sinnvoll, für die Simulation einen OSEK Schedule zu erstellen und die Simulation auf dem PC mit einem OSEK Emulator durchzuführen. 24 Für die Simulation muß nun noch der Verbindungscode zwischen den SoftwareKomponenten generiert werden. Dies entspricht dem Runtime-Environment (RTE) Generierungsschritt des AUTOSAR Standards. SystemDesk verwendet hierzu die gleiche RTE-Generierung, die auch für ECU Serienprojekte zum Einsatz kommt. Diskussionspunkt: Woher kommen in solchen Szenarien die Implementierungen der Komponenten? Werden Fahrzeughersteller in Zukunft für solch eine Simulation formale Spezifikationen der Funktionen verwenden? Oder wird es ein Geschäftsmodell geben, bei dem Zulieferer simulationsfähige Versionen von Software-Komponenten an Hersteller liefern? Welche Möglichkeiten gibt es, vereinfachte Funktionsspezifikation zu modellieren? Wie kann ein Anwender also in frühen Phasen eine ausführbare Spezifikation erstellen, ohne den kompletten Implementierungsprozess durchlaufen zu müssen? 3 Systemebene Modelle auf Systemebene definieren die Verteilung von Funktionen auf Steuergeräte und die Software-Struktur der Anwendungsebene auf einem einzelnen Steuergerät. Damit wird unter anderem die Planung und Erstellung der Kommunikationsmatrizen aus der Gesamtsicht der E/E-Architektur des Fahrzeugs ermöglicht und die Arbeitsteilung zwischen Fahrzeughersteller und Zulieferern unterstützt. In der Simulation können nun zusätzliche Effekte dargestellt werden, insbesondere solche, die von den Kommunikationsbussen verursacht werden. SystemDesk simuliert nun z.B. für CAN-Busse Auswirkungen der Arbitrierung oder der in der Realität immer begrenzten Buskapazität. Die Simulation erlaubt eine grobe Abschätzung der Busauslastung und die Berücksichtigung von Kommunikationsverzögerungen bei der Analyse des zeitlichen Verhaltens der Anwendung. Diskussionspunkt: Busabschätzungen werden heute auch mit statistischen Methoden durchgeführt. Dies geschieht oft in frühen Phasen, in denen noch keine Komponentenimplementierungen vorhanden sind, d.h. eine Simulation noch nicht möglich ist. Wird es Zukunft Bedarf für beide Formen der Busabschätzung geben? Welche Methode ist für welche Fragestellungen sinnvoller? 25 4 Implementierungsebene Die Implementierungsebene dient als Basis für die Erstellung des gesamten Steuergeräte-Seriencodes. Das Systemmodell muss jetzt alle Informationen enthalten, die für die Implementierung der Funktionalitäten notwendig sind. Beispielsweise werden Informationen zur Festkomma-Arithmetik oder Abhängigkeiten zum Mode-Management des Steuergeräts ergänzt. Die Implementierungsebene bietet naturgemäß die weitreichendsten Simulationsmöglichkeiten, da hier wichtige Parameter der Seriensteuergeräte bekannt sind und der Seriencode verfügbar ist. Das Anwendungs-Timing beruht hauptsächlich auf dem zugrundeliegenden Betriebssystem-Scheduling des Steuergeräts, zum Beispiel, ob Runnables periodisch oder beim Eintreten bestimmter Ereignisse aufgerufen werden. Aus diesem Grund verwendet SystemDesk eine OSEK-Betriebssystemsimulation auf dem PC einschließlich des Scheduling-Verhaltens zur Simulation des Scheduling-Verhaltens der Anwendung. Die Fragen dabei sind, wie präzise diese Simulation ist, welche Effekte simuliert werden können und welche Effekte während eines solchen Ansatzes nicht simuliert werden. Es ist dafür wichtig, zwischen der simulierten Zeit (gesteuert von SystemDesk) und der realen Ausführungszeit auf dem PC (definiert durch den PC-Takt) zu unterscheiden. Die zur Ausführung von Tasks PC benötigte Zeit unterscheidet sich natürlich völlig von der benötigten Zeit auf dem Seriensteuergerät. Eine Möglichkeit in SystemDesk ist der Einsatz einer sogenannten NulllaufzeitAnnahme für die Simulation auf dem PC. Damit werden Tasks dann unverzüglich, d.h. ohne Zeitverbrauch, in der virtueller Simulationszeit ausgeführt. Das ist notwendig, da dem Simulator die auf dem Steuergerät notwendige Ausführungszeit nicht bekannt ist. Bei der Simulation von Steuergeräte-Anwendungen ist es ebenfalls notwendig, Teile der Basis-Software zu emulieren. SystemDesk verwendet dafür vereinfachte (PC-)Versionen der AUTOSAR Basis-Software Module. Einer der wichtigsten Aspekte ist die Betrachtung des zeitlichen Verhaltens des Systems, das maßgeblich durch das Betriebssystem-Scheduling bestimmt wird. Da SystemDesk wie bereits geschildert eine OSEK-Betriebssystemsimulation auf dem PC verwendet, kann also das SchedulingVerhalten der auf Systemebene modellierten ECUs weitgehend simuliert werden. Darüber hinaus emuliert SystemDesk zurzeit die folgenden Basis-Software-Module: Modus-Management, Fehler-Management, NV-RAM-Manager und AUTOSAR-COMSchicht. 26 Diskussionspunkt: Es stellt sich hier die Frage, für welche Szenarien die BasicSoftware mitsimuliert wird: 1. Wird die Basic-Software nur deshalb emuliert, da Applikationen diese zum Betrieb benötigen (z.B. einen NVRAM Manager)? 2. Oder sollen allgemeine Betriebszustände der Basic Software erfasst werden? In diesem Fall würde die Emulation der Basic Software ausreichen. Ein Beispiel wäre die Erfassung der aufgetreten Fehlercodes im Fehlerspeicher eines Steuergeräts. 2. Soll die Basic-Software selbst getestet werden? In diesem Fall muss natürlich die Serien-Software selbst verwendet werden können. 5 Fazit Schon heute ist es möglich, Systemmodelle z.B. nach AUTOSAR auf einem PC zu simulieren. Entsprechende Ansätze, wie sie z.B. aktuell für SystemDesk erprobt werden, erlauben dabei sowohl die Simulation von Modellen der logischen Ebene als auch die Simulation kompletter Systemmodelle, die u.a. Hardware-Topologie, Basis-Software und Busse umfassen. In Zukunft werden der etablierte Hardware-in-the-Loop Test und PC-basierte Simulationen sich ergänzen und gemeinsam zur weiteren Qualitätssicherung von E/EArchitekturen und der automotiven Software beitragen. Literaturverzeichnis [SNO07] Dirk Stichling, Oliver Niggemann, Rainer Otterbach. Effective Cooperation of System Level und ECU Centric Tools within the AUTOSAR Tool Chain. SAE World Congress & Exhibition, April 2007, Detroit, USA [ONS07] Rainer Otterbach; Oliver Niggemann; Joachim Stroop; Axel Thümmler; Ulrich Kiffmeier. System Verification throughout the Development Cycle. ATZ Automobiltechnische Zeitschrift (Edition 004/2007), Vieweg Verlag / GWV Fachverlage GmbH [AU] AUTOSAR Partnership: http://www.autosar.org/ [AUR] AUTOSAR Runtime-Enviroment Spezifikation Version 2.1, http://www.autosar.org/ 27 Modeling Guidelines and Model Analysis Tools in Embedded Automotive Software Development Ingo Stürmer1, Christian Dziobek2, Hartmut Pohlheim3 1 Model Engineering Solutions, [email protected] 2 Daimler AG, [email protected] 3 Daimler AG, [email protected] Abstract: Model-based development and automatic code generation have become an established approach in embedded software development. Numerous modeling guidelines have been defined with the purpose of enabling or improving code generation, increasing code efficiency and safety, and easing model comprehension. In this paper, we describe our experience with modeling guidelines and model analysis tools used in typical embedded automotive software development projects. Furthermore, we will describe new approaches for supporting developers in verifying and repairing modeling guideline violations. 1 Introduction The way in which automotive embedded software is developed has undergone a change. Today, executable models are used at all stages of development: from the initial design through to implementation (model-based development). Such models are designed using popular graphic modeling languages, such as Simulink and Stateflow from The MathWorks [TMW07]. Code generators that are capable of translating MATLAB Simulink and Stateflow models into efficient production code include TargetLink [TL08]* and the Real-Time Workshop/Embedded Coder [TMW07]. The software quality and efficiency are strongly dependent upon the quality of the model used for code generation. The increasing complexity of embedded controller functionality also leads to a higher complexity of the model used for automatic controller code generation. Modeling tools that are typically used for controller model design cannot provide sufficient support to the developer in dealing with increasing model complexity. One and the same issue can, for example, be modeled in different ways, thus intensifying problems such as coping with functional design, the limited resources available, and model/code maintenance. For that reason, numerous modeling guidelines have been defined with the purpose of enabling or improving code generation, increasing code efficiency and safety, and easing model comprehension. In this paper, we focus on the adoption of modeling guidelines in the model-based development of embedded software. Examples of modeling guidelines will be presented and their objectives specified. We will introduce the e-Guidelines Server: a tool for pre* TargetLink uses its own graphical notation for code generation (TargetLink blockset), which is based on the Simulink modeling language. 28 paring and administering guidelines for different projects. We will also present a case study of a large-scale software development project. In the next step, we will present methods of static analysis to verify whether modeling guidelines are being properly following. In addition to discussing the tools that are available, we will present current implementation scenarios, and provide a forecast of probable implementation scenarios in the years to come. Both methods (modeling guidelines and static model analysis) share the goal of increasing the quality of the controller model used for production code generation. 2 Modeling Guidelines for Controller Model Design An agreement to follow certain modeling guidelines is important in order to increase comprehensibility (readability) of a model, facilitate maintenance, ease testing, reuse, and expandability, and simplify the exchange of models between OEMs and suppliers. This is the aim of the MathWorks Automotive Advisory Board (MAAB) guidelines and patterns [MAAB07], for example. Publicly available guidelines such as these are often supplemented by in-house sets of modeling guidelines, for example the Daimler Modelbased Development Guidelines (DCX:2007) [Daimler07]. These provide a sound basis for checking the models used for production code generation. The adoption of such guidelines can significantly improve the efficiency of generated code. 2.1 Examples of Modeling Guidelines In the following section, we will discuss different categories of modeling guideline (see table 1). These refer to (1) model layout, (2) arithmetical problems, (3) exception handling, and (4) tool and project-specific constraints. Examples of modeling guidelines that we are using here are guidelines for model layout and arithmetical problems. As a running example, we will use a snapshot (function or module) of a TargetLink controller model (see figure 1). This model violates several modeling guidelines. The same model is depicted complying with the DCX:2007 modeling guidelines in figure 2. A large proportion of modeling guidelines focuses on the readability and proper documentation of a model. The adoption of such ‘layout guidelines’ can significantly increase the comprehensibility of a model (cf. figure 1 and figure 2). Here are some simplified examples of guidelines that can be applied to achieve a better model layout: ! Rule 1: Inports should be located on the left-hand side of a model; outports should be located on the right-hand side of a model. ! Rule 2: Signal lines should not cross. ! Rule 3: Names or blocks should not be obscured by other blocks. ! Rule 4: Signal flow should be described from left to right. ! Rule 5: No use of ‘magical numbers’. ! Rule 6: The functionality of a model should be described on each graphic model layer. Arithmetical operations, such as a multiplication with two or more operands, are carried out in Simulink using product blocks. A product block with three inputs is shown in fig- 29 ure 1 (top right). This way of modeling may create problems when the model is translated into fixed-point† code by a code generator. Intermediate results must be calculated, as they cannot be determined automatically by the code generator. For this reason, the following guideline must be followed in order to avoid arithmetical problems with fixedpoint calculation: ! Rule 7: Product blocks with more than two inputs are prohibited in models used for production code generation. A cascade of product blocks with two inputs should be used instead. An arithmetical exception with a product block can occur if the block is used for calculating the products of two numbers. If the divisor is zero, a division by zero occurs (exception). For this reason, a guideline states that the product block option “omit division by zero in production code” is selected (not shown in figure 1). If not, a division by zero might occur in the code, because no additional code for exception handling will be generated. In model-based development, different tools are used for e.g. testing the model and comparing the test results with the production code. Tools such as MTest [MES08b] or TPT [TPT07] are usually used for this purpose. Both tools require that the interface of a function or module to be tested must be ‘well-defined’. For a Simulink model, for example, this means that only single-lined names are used for ports and the names may not contain any special characters (e.g. carriage return) except underscore. For this reason, the name of the outport “est. air flow.” in figure 1 (top right) is replaced in figure 2 by the outport name “est_air_flow”. Other guidelines may be specified for specific development projects. In most cases, naming conventions are part of such projectspecific conventions. Other guidelines may take into account specific hardware types or platforms that are being used in the respective project. Table 1. Categories of modeling guidelines Category Model layout Arithmetical lems † Aim/goal Increase readability, maintainability, portability prob- Prevent typical arithmetical problems (e.g. division by zero, fixed-point limitations) Exception handling Increase robustness of the model and the generated code Tool-specific considerations Guidelines that address tool-specific considerations, e.g. ensure that the model can be tested with model testing tools such as MTest [MES08b] and TPT [TPT07] Project-specific guidelines Naming conventions; guidelines which ensure that model and code can deal with project-specific limitations (e.g. a specific hardware type) Fixed-point arithmetic is the preferred calculation method in embedded software development for reasons of limited resources and code efficiency. 30 In summary: Different categories of modeling guidelines are specified in order to address specific topics in the model-based development process. As we can see, the application of a mere seven modeling guidelines can significantly improve the quality of a model used for code generation (cf. figure 1 and figure 2). Figure 1. TargetLink model violating several modeling guidelines Figure 2. TargetLink model in compliance with Daimler modeling guidelines 31 2.2 Why do we need Modeling Guidelines This question has been posed repeatedly ever since the early days of model-based software development. Other common questions include: How should parameters and options be set up? How should blocks be ordered? How can this task be modeled? What should not be used? Why is this construct creating problems? I do not understand this model or subsystem, etc. These questions and problems have all been encountered by developers at some point in time, and in most cases, have been solved very successfully. The purpose of modeling guidelines is to collate this experience, then have a group of modeling experts inspect, verify, and process the resulting guidelines, and finally making them available to a wider group of developers. Without the knowledge contained in modeling guidelines, every modeler would have to rely on the extent of his own experience and start from the beginning in each new project, thus leading to regularly occurring problems in the modeling process. Here are just a few of the results of faulty modeling: ! A faulty model (bitwise AND/OR or logical AND/OR, missing brackets in complex logical expressions) ! A model that is difficult to read and therefore difficult to understand, thus leading to e.g. an unnecessary delay in the model review ! A model that can only be migrated to a limited extent (critical in the reutilization of libraries, for example) ! A model that is difficult to maintain ! Unsafe code (especially when using a code generator) ! Greater difficulty of model testing (model and environment are not clearly separated, clear interfaces for the model test) 2.3 Daimler Modeling Guidelines The Daimler modeling guidelines are a collection of best-practices and in-house expertise focusing on (1) the design of MATLAB Simulink, Stateflow, and TargetLink models (e.g. for cars and trucks), (2) model testing, and the (3) review of production code, which has been generated by a code generator. At present, there are over 300 guidelines and patterns for MATLAB/Simulink/Stateflow and TargetLink models alone. This number has developed over many years, and the guidelines themselves have been developed and maintained by a few experts in text document form. In the past, an update occurred approximately every 9 to 12 months. Project-specific guidelines were derived from a particular status and maintained separately. This document-heavy way of operating, with no central administration and no easy way of distributing guidelines, became unmanageable at an early stage. In response to this problem, concepts for an electronic administration of these guidelines were developed, and their principle feasibility proven. In particular the challenge of enabling simple and secure access for all Daimler employees necessitated the setting up of a central administration and publication via the public eGuidelines Server. This will be described in more detail in section 3.1. 32 3 Tool Support The purpose of this section is threefold. Firstly, to describe tool support for the management and publication of modeling guidelines. Secondly, to provide an overview of static model analysis tools that are capable of analyzing a model with regard to modeling guideline compliancy. Thirdly, to outline a case study where we used a static model analysis tool in order to (a) evaluate the maturity of a large-scale model with regard to production code generation, and (b) check the model in regard to guideline compliancy. Note that the term check does not mean model checking, i.e. a formal verification of the model. Instead we use the term model conformance checking, or check in short, to describe a program that verifies whether a model complies with a modeling guideline. 3.1 e-Guidelines Server The e-Guidelines Server [MES08a] is a web-based infrastructure for publishing and centrally administering different sets of guidelines. The tool was originally developed in the Research and Technology department at Daimler. Since 2007, the e-Guidelines Server has been a commercial tool distributed by Model Engineering Solutions. In contrast to the internal company and document-specific publication of modeling guidelines, the e-Guidelines Server enables the joint administration and consistent updating of different sets of guidelines, as well as the project-specific variants which are derived from them. Moreover, different filters and views can be created for the available guidelines. Filters can be understood as selectors for guidelines that relate to specific tool versions, or for guidelines that focus on specific model design aspects, model quality, or process-related aspects such as readability, workflow, simulation, verification and validation, and code generation (termed rationale in the following). Figure 3. GUI of the e-Guidelines Server 33 The GUI of the e-Guidelines Server is shown in figure 3. The image illustrates a typical modeling guideline, which focuses on naming conventions, e.g. ANSI C conformance of identifiers. The structure of a guideline or rule is as follows: each rule has a unique ID, a Scope in which the rule is valid (e.g. a department or a project), a Title, a Description (text and graphics), and a History field for tracking revisions (not shown in figure 3). Each rule is represented by an XML document that is transformed via XSLT transformations into an HTML document as shown in figure 3. For this reason, a rule can contain configurable meta-tags, such as Priority, MATLAB Version, TargetLink Version, and Rationale. Such meta-tags are usually used for specific filter options, e.g. you can filter for all rules that belong to the latest MATLAB version. Most guidelines available on the e-Guidelines Server are company-specific and for internal use only, such as the Daimler Model-based Development Guidelines (DCX:2007) and project-specific variants of these guidelines. Access to these guidelines is only granted to Daimler employees and development department suppliers. Some of the guidelines on the server, however, are publicly available guidelines such as the MAAB guidelines or the dSPACE guidelines for modeling and code generation with TargetLink. All Daimler development department guidelines are now hosted and centrally published on the e-Guidelines Server. As a result, no department-specific variants of specific guidelines exist, and developers can be sure that they are always accessing the latest guideline version. Centralized administration of guidelines enables project-specific guideline libraries to be compiled simply and efficiently. These are based on the main guidelines and are supplemented by project-specific modifications to individual guidelines and a few additional guidelines. Changes and updates to the main guidelines are mirrored in all projectspecific guideline libraries. The gradual drifting apart of guidelines belonging to different projects is thus avoided, and all projects use the latest guideline version. On one hand, this results in considerably reduced effort and expenditure for maintaining modeling guidelines at Daimler. While at the same time, the spread and acceptance of the guidelines in different projects is increased. 3.2 Model Analysis Tools Static model analysis tools exist for the automatic verification of models with respect to modeling guideline compliancy. The purpose of these tools is to establish a framework in which to perform checks. The check itself is a program that verifies a particular guideline. The authors are aware that prototypes stemming from different research projects are available. These tools are also capable of performing model analysis of potential violations of modeling guidelines. Here, however, we wish to restrict ourselves to a discussion of commercial tools, which can be applied in a serial industrial project. Commercial static model analysis tools that are available for MATLAB Simulink, Stateflow, and TargetLink models are the Simulink Model Advisor [TMW07] or MINT [Ric07]. With both tools, model analysis is carried out by executing a selection of MATLAB M-scripts. The checks either come with the tool or can be supplemented as user-written checks. The checks that are distributed with the tools, for example the Model Advisor checks, focus on considerations with regard to the modeling language 34 (Simulink, Stateflow), model settings, the MAAB style guidelines, or to safety process standards such as DO-178B. The results of model verification using the checks are compiled into reports. These show all detected guideline violations linked to the model. In a final step, the faulty model patterns must be investigated and, where necessary, corrected by the developer: a highly time-intensive and error-prone task. 3.3 Experience with Model Analysis Tools A problem shared by all of the above model analysis tools is their limited flexibility and adaptability. Checks that already exist in development departments, for example, cannot be directly integrated into the check management environment, or only with considerable difficulty. Moreover, existing checks must be rewritten or even reimplemented for each analysis tool. User-written checks are an integral part of the Model Advisor and MINT and cannot be executed without one of these tools. Static corrections are currently not available with the Model Advisor and MINT (though potentially possible). In a recent in-house case study at Daimler, we used the MINT framework to check a typical large-scale controller model from the automotive domain. The emphasis of this case study was on (a) evaluating the maturity of the model with regard to production code generation, and (b) checking the model with regard to guideline compliancy. It turned out that the model contained over 2,000 guideline violations. Upon closer inspection, we estimated that up to 45 percent (900) of these 2,000 violations might have been fixed automatically, if tools with automatic repair capabilities had been used. Furthermore, we estimated that approximately 43 percent could have been repaired with user feedback (interactive repair operations). Only 8 percent actually necessitated a manual correction. A final 4 percent remained undefined, which means that the modeler has to determine whether the reported violation actually constitutes a modeling guideline infringement. The manual input necessary for checking guideline compliancy is too high for the guidelines to be sensibly implemented without tool support. Adherence to guidelines can only be integrated into the development process if tools are available that efficiently support the developer in both checking guideline compliancy, and also in repairing guideline violations. In response to this challenge, static model analysis tools with automatic repair capabilities have been developed. These will be discussed in the next section. 4 How to Support the Developer? In this section, we will discuss two tools, which we believe provide efficient support for the model developer in checking and repairing guideline violations. We are currently pursuing two separate approaches in developing tools for model analysis and model repair: (1) The Model Examiner: a tool for static analysis and repair of guideline violations; (2) MATE: conducts data flow analysis and can perform complex repairs via model transformation. 35 4.1 The Model Examiner (MXAM) The Model Examiner (Model eXAMiner, MXAM [MES08a]) is a static model analysis and repair tool. MXAM was originally developed as a pilot project between Daimler and Model Engineering Solutions. The purpose of MXAM is (1) to provide model conformance checks, which are not restricted to a specific framework such as the Model Advisor, MINT or the Model Examiner itself. Rather, the generic checks can be executed (a) in any of the mentioned framework, (b) in stand-alone mode (MATLAB command line, see figure 4) or (c) in batch-processing, e.g. as part of a user-written script; (2) to provide automatic model repair functionality (see below). Tool independency of the model checks is given in that each check can be executed on the MATLAB command line and within the MXAM framework per se. For other tools, such as the Model Advisor, a small piece of wrapper software is required, that allows the checks to be loaded into the Model Advisor framework directly when MATLAB is started. Figure 4. A Model Examiner check executed from the MATLAB command line. All guidelines that can be statically checked are implemented in the Model Examiner. If automatic repair is possible (without a structural modification of the model), this is made available. In other words, the Model Examiner not only analyzes guideline violations, it also corrects guideline violations that can be repaired statically (figure 4, bottom). Furthermore, the Model Examiner displays much greater flexibility and adaptability. This allows it to be integrated into existing or planned development environments much more easily. The reports not only list guideline violations, they also document all repair operations that have been carried out (not shown in figure 4). This last point is particularly important for documentation purposes when developing safety-relevant software. The Model Examiner also has a uni-directional connection/link to the guidelines on the e- 36 Guidelines-Server. This enables the developer to access the source or the original guideline library, on the basis of which the model was checked, if a violation is detected. The Model Examiner was already pilotized within the development departments of Daimler (truck divison). MXAM was used before a model review of the controler models was carried out. As an outcome, the use of MXAM could significantly reduce the work load of a model review, since nearly all formal aspects of guideline violations (naming conventions, coloring, etc.) were detected and many of them could be corrected automatically. Apart from such formal aspects, guidelines violations were reported most developers are not aware of, since such guidelines focus on very specific limitations of code generators (e.g. unsupported rounding operations). 4.2 MATE The MATLAB Simulink and Stateflow Analysis and Transformation Environment (MATE) [ALSS07] provides support in detecting previously specified guideline violations, and in addition–in contrast to the Model Advisor or MINT–provides the possibility of automatically applying predefined model transformations, e.g. repair operations, layout improvements, and modeling pattern instantiations. MATE offers four different categories of model transformation and improvement functions: (1) Automatic repair functions: These can potentially eliminate up to 60 percent of MAAB guideline violations by means of automated model transformations. A typical straightforward repair function, for example, would be to set the actual view of every subsystem view to 100 percent; Interactive repair functions: These are high-level analysis and repair functions that require user feedback, since the required information cannot be determined automatically. One example would be autoscaling support functions, which check and calculate scaling errors by means of data flow analysis, and generating proposals for how to eliminate these errors. Such functions often need additional fixed-point scaling information or input about handling specific data types. The transformation of a product block with more than two operands (as shown in figure 1) is also a typical repair function with user feedback, as the product block can be automatically transformed into a cascade of product blocks with two operands. However, the modeler must provide additional scaling information for the intermediate results (see [ST07] for details); (3) Design pattern instantiation: The MAAB guidelines provide a rich set of modeling patterns, such as the Simulink if-then-else-if pattern and flowchart switch-case constructs. These predefined, MAAB guideline-conformant pattern instances can be automatically generated from a pattern library. For example, MATE supports instantiation of a parameterized flowchart switch-case pattern, the nesting depth of which can be configured by the modeler; and (4) Model ‘beautifying’ operations: Providing a suitable model layout is important and often requisite. For example, it is common practice to locate all Simulink inports on the left side of a subsystem. MATE provides a set of beautifying operations that, for example, align a selected set of blocks to the left, right, or center them in relation to a reference block. Furthermore, signals leading into ports of a subsystem can be easily interchanged when signal lines are overlapping. 37 Compared to the Model Advisor, MINT, and the Model Examiner, MATE is a tool that provides high-level analysis and repair functions that can hardly be handled by M-script implementation. MATE uses a meta-model of a MATLAB/Simulink/Stateflow model that can also be assessed by other tools. The analysis and transformation of the model is carried out on a model repository using the java API of MATLAB. MATE has not yet reached the required stage of maturity for an industrial application and therefore MATE will be further developed in the context of a BMBF project (also termed MATE). However, it is already evident that MATE integrates high-level functions that will play an ever greater role in future, as models become increasingly complex. The continued development of MATE will take place in the context of a research and development project. 5 Conclusions and Future Work An increasing number of serial software projects at Daimler are being implemented using models created in Simulink, Stateflow, and TargetLink. To support developers in their work, the experience collected in various project contexts has been collated and processed into guideline libraries. These provide developers with a comprehensive body of knowledge and templates/patterns on which they can rely. In the past, however, strict adherence to these guidelines always required a certain measure of discipline and a considerable amount of hard work–particularly in the initial phase of a project or when a new developer joined the team. This provided the impetus for attempting to find new ways of automating a part of such routine operations. With the help of static model verification tools such as Model Advisor, MINT, and the Model Examiner, it is now possible to check approximately 80-90% of guidelines automatically. Developers receive detailed information about which parts of their model do not comply with the guidelines and why, or which problems might arise due to the type of modeling–all at the ‘touch of a button’. This development has freed developers from a considerable part of routine operations, and at the same time, has increased general readiness to observe and implement the guidelines. Static model analysis tools can be integrated into the development process without great difficulty. The next step was to tackle the automatic repair of guideline violations. After all, 45% of guideline violations can be automatically repaired in a typical serial project, and a further 40 to 45% with the help of user feedback. Tremendous time savings can be made here through the use of tools such as the Model Examiner. In this way, the automatic verification of guideline compliancy and the repair of violations can be easily integrated in the development process of serial projects. Moreover, model quality can be increased considerably. Data flow analysis, pattern instantiation, and model transformation with tools such as MATE take this process one step further. They allow complex problems to be checked and processed, which is not possible using static model analysis tools. Admittedly, a lot more work must be invested in MATE before the tool reaches maturity. It is important to remember that all these tool-based automatizations are designed to unburden the developer from routine operations. The tools support the developer and take away ‘boring’ recurrent tasks, thus giving him time to concentrate on areas that no tool can master–the creation of models and the critical review of model parts. Manual reviews can now concentrate on the algorithm and no longer have to take a 38 whole set of more simple guidelines into account, which have in the past often obscured the view for what is more important. Almost as a byproduct, the model becomes clearer and easier to read in review thanks to the automated observance of many guidelines. This also creates a greater readiness on the part of the developer to perform a manual review, the review itself is easier to carry out, and the developer is (hopefully) able to detect the few hidden problems that hinder the testing process. Taken as a whole, guidelines, the e-Guideline Server, the Model Examiner, and MATE are all tools that effectively support us in our aim of creating efficient, safe, and error-free models for serial code development, and keeping the quality of models at a consistently high level. References [ALSS07] Ameluxen, C., Legros, E., Schürr, A., Stürmer, I.: Checking and Enforcement of Modeling Guidelines with Graph Transformations, to appear in Proc. of Application of Graph Transformations with Industrial Relevance (AGTIVE), 2007. [BOJ04] Beine, M., Otterbach, R. and Jungmann, M. Development of Safety-Critical Software Using Automatic Code Generation. SAE Paper 2004-01-0708, Society of Automotive Engineers, 2004. [Daimler07] Daimler Model-based Development http://www.eguidelines.de, internal, 2007. [MAAB07] MathWorks Automotive Advisory Board, Control Algorithm Modeling Guidelines Using MATLAB, Simulink, and Stateflow, Version 2.0”, 2007. [MES08a] Model Engineering Solutions Berlin, http://www.model-engineers.com/products, 2008. [MES08b] Model Engineering Solutions, MTest-classic, http://mtest-classic.com, 2008. [Ric07] Ricardo, Inc., MINT, http:/www.ricardo.com/mint, 2007. [SCFD06] Stürmer, I., Conrad, M., Fey, I. Dörr, H.: ‘Experiences with Model and Autocode Reviews in Model-based Software Development’, Proc. of 3rd Intl. ICSE Workshop on Software Engineering for Automotive Systems (SEAS 2006), Shanghai, 2006. [ST07] Stürmer, I., Travkin, D.: Automated Transformation of MATLAB Simulink and Stateflow Models, to appear in Proc. of 4th Workshop on Object-oriented Modeling of Embedded Real-time Systems, 2007. [TL08] dSPACE. TargetLink 2.2.1: Production Code Generator. http://www.dspace.com, 2008. [TMW07] The MathWorks Inc (product information), www.mathworks.com/products, 2007. [TPT07] Piketec GmbH Berlin, Time Partition Testing (TPT), http://www.piketec.com/, 2007. Guidelines (DCX:2007). 39 Integrating Timing Aspects in Model- and Component-Based Embedded Control System Development for Automotive Applications ∗ Patrick Frey and Ulrich Freund ETAS GmbH Borsigstr. 14 70469 Stuttgart {patrick.frey, ulrich.freund}@etas.de Abstract: Today, model-based software development for embedded control systems is well established in the automotive domain. Control algorithms are specified using high-level block diagram languages and implemented through automatic code generation. Modular software development and integration techniques such as those supported proprietarily by specific tools (e.g. ASCET [ETA06a]) have been around for more than 10 years, and the concepts are now heading towards industry-wide application through the results of the AUTOSAR initiative [AUT06b]. Still, OEMs and their suppliers are facing challenges, especially when integrating software as modules or components from different parties into the vehicles electric/electronic (E/E) system. This paper discusses how the consideration of resource consumption (especially execution time) and system level timing within a development approach which employs model- and component-based software development can lead to predictable integration. 1 Introduction Today, automotive control applications are developed using high-level block diagram languages from which target-specific implementations are automatically derived through code generation. Prominent tools which support this approach are ASCET [ETA06a] or Matlab/Simulink. Furthermore, functional validation and verification of the control algorithm behavior is performed through prototyping. For instance, the prototyping platform INTECRIO [ETA07] supports both virtual prototyping (i.e. prototyping against a simulated plant) and rapid prototyping (i.e. prototyping against the real plant) of control applications modularly developed using high-level block diagram models in ASCET or Matlab/Simulink. In the last decades, modular software development techniques have evolved as an orthogonal concept to model-based specification, design and implementation of embedded soft∗ This work has partially been supported by the ATESST and INTEREST projects. ATESST and INTEREST are Specific Targeted Research Projects (STRePs) in 6th Framework Programme (FP6) of the European Union. 40 ware. However, OEMs and their suppliers are facing challenges, especially when integrating software as modules or components1 from different parties into the vehicles electric/electronic (E/E) system. The concepts were only supported proprietarily by specific tools (e.g. ASCET [ETA06a]). The industrial initiative [AUT06b] adapts the concept of modular software development for the automotive domain, enabling an industry-wide application. Failures at integration time happen when multiple software components are integrated into a system in order to collaboratively fulfill a specific function or functions, and the integrated system does not operate as expected. Such failures can be classified as either due to interface problems, communication problems or timing problems. Interface problems occur when the implemented communication interfaces of two software modules are not compatible. Incompatibility can be caused by wrong signal resolutions (e.g. int8 instead of int32), wrong quantization (different mappings of value ranges to communicated signals) or wrong interpretation of the physical value (e.g. mph instead of kmh). Communication problems occur when data sinks are not properly supplied by data sources, e.g. when two software components communicate over a network (“dangling ends”). While interface and communication problems are rather static problems of the structural entities of a control application’s software architecture - and these problems can already be identified at pre-compile time, timing problems are problems of the dynamic behavior of the control application which occur at run-time and thus are more complicated. Timing problems constitute themselves, for example, as • timing variations in data transformation and data communication • temporally unsynchronized correlated actions • bursty processing of data transformations and data communication (temporal overload) These problems are induced into the control application or automotive software application in general by the underlying microcontroller and networking backbone. 1.1 Outline The rest of this paper is structured as follows: Section 2 gives a brief introduction into the main results of the AUTOSAR initiative. Section 3 presents an integrated approach for automotive embedded systems development which goes beyond the AUTOSAR approach. Section 4 details how timing aspects can be explicitly considered at various stages in model- & component-based embedded control system development. Section 5 explains our current efforts of implementing the consideration of timing aspects within the ETAS tool chain. Finally, Section 6 closes the paper with statements on the relevance of the presented work, draws conclusions and gives a future outlook on further work. 1 The terms software component and software module both denote the same in this paper. 41 2 AUTOSAR In the automotive industry, the results of the AUTOSAR initiative are currently considered as a major step towards the future development of automotive electric/electronic (E/E) systems. AUTOSAR proposes a • standardized, layered electronic control unit (ECU) software architecture with an application software layer, a middleware layer and a basic software layer. To increase interoperability and ease exchangeability of basic software modules from different vendors, AUTOSAR defines standardized application programming interfaces (APIs). • a software component (SWC) technology for the application software, which - together with the middleware layer which is termed Runtime Environment (RTE) enables a deployment-independent development (more precisely specification) of software components with the possibility of reallocation within the vehicle network and reuse across multiple platforms. • a methodology which describes how an AUTOSAR-based E/E system - tentatively composed of multiple ECUs interconnected through various bus systems - or part of it is actually built. In this context, AUTOSAR defines two architecture views, the virtual functional bus (VFB) view and the Mapping view2 of an automotive E/E system or part of it. Fig. 1 depicts the basic approach as proposed by AUTOSAR [AUT06b]. The central step is the mapping or deployment of software components which have been integrated into a virtual software architecture (VFB view) to single ECU nodes of an E/E system. Note that the mapping is not necessarily arbitrary but can be constrained. Additional information for the configuration of the standardized ECU basic software is provided as ECU descriptions and used in the ECU software built process. Open issues in AUTOSAR While AUTOSAR provides adequate solutions for the interface and communication problems, e.g. through strongly typed interfaces for software components, timing problems are not considered well. Furthermore, AUTOSAR only considers partial aspects of embedded systems development, namely those which are rather close to implementation. This, for instance, has become obvious from the work of the AUTOSAR Timing Team which tried to develop an appropriate timing model for AUTOSAR: a lack of higher levels of abstraction in AUTOSAR has been identified as a main source for not being able to integrate specific timing-related engineering information. 2 Note that the term “Mapping view” has not yet been defined by AUTOSAR in any specification document. We thus introduce the term in this paper in order to refer to a system where all required mappings (SWCs to ECU nodes, system signals to network frames, RunnableEntities to OS tasks) and basic software module configurations have been performed. 42 Figure 1: AUTOSAR basic approach (figure taken from [AUT06b]) In our development approach we consider the AUTOSAR results as basis. We provide extensions which go beyond the current concepts of AUTOSAR. Furthermore, we integrate timing aspects such as timing requirements gathering, early and late stage timing property determination using alternative methods as well as validation and verification through system-level timing analysis methods. 3 Model-Based Embedded Control Systems Development Fig. 2 depicts a development approach for automotive embedded systems which integrates the AUTOSAR approach. The figure is structured in several abstraction levels in two dimensions: • Architecture abstraction levels (or views) reflecting the different perspectives on an E/E system at different development stages and with different engineering focus. The architecture abstraction levels are defined according to those of the architecture description language EAST-ADL2 defined in the ATESST project (www.atesst.org). • Artifact abstraction levels on the artifacts of an embedded system development under the perspective of a specific architecture abstraction view. 43 44 Figure 2: Function architecture and software architecture in an extended V development approach with timing aspects Architecture abstraction levels (views) The architecture abstraction levels are classified into a) logical architecture views and b) technical architecture views as well as c) function architecture views and d) software architecture views. The architecture classes a) and b) are separated. This also holds for c) and d). A logical architecture view abstracts from mapping- as well as target- and implementation-specific information. A technical architecture view exactly includes the latter. A function architecture view describes a function or set of function basically from the problem domain, e.g. control engineering. A software architecture view describes a software architecture of a set of considered functions in terms of a software component technology. For the latter, we consider the software component technology as specified by AUTOSAR [AUT06a]. In Fig. 2, three architecture abstraction levels are distinguished: • The function architecture abstraction level is a logical view of a considered set of vehicle functions. Within the function architecture view, top-level functions are analyzed, hierarchically decomposed and refined into elementary functions. • The virtual software architecture abstraction level is a logical view on the software architecture of a set of considered vehicle functions. The previously hierarchically decomposed top-level vehicle functions are clustered to software components which are then aggregated to compositions. At this point, interface compliance btw. the software components can be verified which corresponds to the elimination of the above-mentioned interface and communication problems. • The technical software architecture abstraction level is a technical view on the software architecture of a completely mapped, integrated set of functions - as software components - into the E/E architecture of a vehicle. All ECU configurations (runnable-to-OS-task mappings, basic software, etc.) and bus system configurations (frame types, IDs, signal-to-frame mapping, etc.) are included. Artifact abstraction levels In Fig. 2, four artifact abstraction levels are distinguished. • The system level which - under each architecture view - contains top-level artifacts. In the function architecture view, for instance, this includes the top-level functions and their interactions. With respect to timing, top level timing requirements such as end-to-end timing requirements or sensing or actuating synchronization requirements are present. In the software architecture view, software components and their interactions are present. In the virtual software architecture, these interactions are reduced to purely logical data communication while in the technical software architecture, remote communication is reflected through system signals which are send over the vehicle network as payload of network frames. 45 • The node level is actually only used under the technical architecture view as only here the nodes of a distributed embedded system as which the E/E system of a vehicle can be considered are actually present3 . • The component level which considers single software components, in our case AUTOSAR entities such as AtomicSoftwareComponents, their InternalBehavior in the form of RunnableEntities and their access specifications to data on the structural interface of the software component. For details on the AUTOSAR software component technology see [AUT06a]. • The elementary functional building block level which contains a refinement of the top-level functions in its most detailed form, i.e. a set of interconnected, elementary functions. Elementary functions have a precise semantical specification (read inputs; perform data transformations; write outputs; terminate in deterministic time). Note that for single ECU systems the system-level and the node-level are the same. Relation between architecture views The relation between adjacent architecture abstraction levels is as follows: The link from the artifacts under the function architecture view, i.e. the elementary functions, to artifacts of the software architecture view, i.e. software components, is via the componentization of the these elementary functions. The function architecture view can give answers to the question where software components actually come from and the degrees of freedom developers have in creating software components. The possible granularity of software components in a software component architecture and possible degrees of freedom in componentization is not further discussed in this paper. The relation from the artifacts under the virtual software architecture view to the technical architecture view is via the mappings and configurations as defined by the AUTOSAR approach. Validation and verification Verification provides evidence that the technical solution as it is implemented conforms to the specification (Are we building the system right?) while validation provides evidence that the technical solution satisfies the requirements from which the specification is derived (Are we building the right system?). The validation and verification (V & V) activities are performed between artifacts on the same artifact abstraction level of adjacent architecture abstraction levels. In this paper, we focus on the validation and verification of timing aspects. Functional validation and verification through prototyping activities at different stages of the development approach can be integrated in a similar way, however, this is not discussed in this paper. 3 Note that when introducing another architectural view, e.g. a virtual technical architecture view, the node level might also be present there. 46 With respect to timing, ultimately, the goal is to provide evidence that the timing properties of a technical solution satisfy the timing requirements of the functional specification or design (verification). For system-level timing analysis, for instance, the goal is to provide evidence that the end-to-end latencies which are present in a technical solution satisfy the end-to-end latency requirements specified for the top-level functions of a functional specification. Whether the technical solution also satisfies the requirements from which the specification has been derived in first place is subject to validation. The latter requires that the technical solution (i.e. the implemented E/E system) is tested against the real plant. The techniques and technologies which we consider to conduct a system-level timing analysis for verification purposes are integrated into different stages of the sketched development approach depicted in Fig. 2 and further explained in Section 4. Other considerations The relationship between the virtual software architecture and the technical software architecture can be considered as the fulfillment of the basic AUTOSAR approach, i.e. the step from the Virtual Functional Bus view to the Mapping view of an AUTOSAR E/E system. Note that Fig. 2 abstracts from technical details such as consideration of information in the System Constraints Template or ECU configuration information. Furthermore note that Fig. 2 is not exhaustive neither on the number of possible architecture views nor on the level of detail of the artifacts under the perspective of such a view. The figure can easily be extended by integrating a virtual mapped E/E system architecture view as well a further function abstraction level, e.g. to distinguish between functional analysis and design (refer to EAST-ADL2 system model). 4 Integrating Timing Aspects in Model- and Component-Based Embedded Control Systems Development The rationale for integrating timing considerations into a model and component-based embedded control systems development approach is to be able to verify the actual timing properties of a technical solution against the original timing requirements. In the following, we explain the origin of timing requirements and timing properties and how the link between both can be established. In embedded control systems development, timing aspects need to be considered from the perspectives of the different involved engineering disciplines and their theoretical foundations [T9̈8]: • control engineering and control theory, mainly for sampled feedback control systems; this engineering discipline dictates the timing requirements • real-time computing and real-time computer science for distributed, embedded sys- 47 tems; this engineering discipline dictates the actual timing properties In the proposed development approach, the distinction of the related engineering disciplines is reflected through the different architecture abstraction levels. The function architecture abstraction level is concerned with control engineering and thus problem specification and analysis while the software architecture abstraction levels are concerned with implementation in terms of a software component technology and technical E/E system architecture. Timing requirements: Most important timing requirements from a control engineering perspective are [TES97] • minimal and preferably constant end-to-end latencies (with tolerances) which must be maintained with the proceeding dynamics of the physical system or process under control • synchronization requirements on correlated actions, i.e. sensing and actuating instants Within the sketched development approach in Fig. 2, timing requirements, especially endto-end latencies, of the top-level functions need to be captured, analyzed, decomposed and refined along the track of functional analysis and decomposition. Ultimately, for each top-level function, a set of interconnected elementary functions is derived for which delay requirements on data transformation and data communication are specified. As the elementary functions are then grouped to RunnableEntities and clustered in AtomicSoftwareComponents of a software component architecture, at this point, software component specific timing requirements or constraints can be derived from the clustered elementary functional building blocks. Timing properties: Timing properties are highly implementation dependant and can be obtained for an implementation on the technical architecture abstraction level as they are actually physically measurable or mathematically computable. On the system-level, timing properties basically are constituted as response times, i.e. actually observable end-to-end delays which relate a stimulus or single sampling instant to a response or actuation instant. These response times, however, are difficult to obtain as the resource sharing or scheduling strategies (such as priority-driven scheduling) and variable computation and communication times are difficult to combine. 48 4.1 Validation and verification of timing through best- and worst-case corner case construction Figure 3: Formal analysis vs. simulation/measurement [HPST07] The validation of the timing properties of an implemented technical solution is achieved by conducting a system-level timing analysis for the best- and worst-case corner cases. Corner case construction for system-level timing analysis requires best-case and worst-case timing properties for artifacts on lower abstraction levels such as best-case and worst-case execution times (BCETs and WCETs, resp.) for computations and worst-case transmission times (WCTTs) for data communication. The latter can be derived from the payload of the actual network frames which are send over the vehicle bus systems. The validation and verification of timing thus includes the consideration of issues which concern several artifact abstraction levels in Fig. 2: • Translating the originate timing requirements from the function architecture via the intermediate virtual architecture abstraction levels to the technical software architecture. This path has already been sketched above. • Gathering timing properties on best-case and worst-case behavior of an implementation. This applies to the component artifact abstraction level. Challenges lie in datadependent determination of best-case and worst-case behavior in order to obtain timing properties of high precision and with high context-specific expressiveness. • Analyzing system-level timing. This applies to the system and node artifact abstraction. (Reconsider node-level = system-level in specific cases). In general, methods to obtain specific timing properties can be distinguished into formal analysis methods and non-formal analysis methods. While non-formal analysis methods such as measurement-based methods are intrusive, i.e. they potentially change the actual execution time by inducing additional code for obtaining measurements, they can also only be applied very late in the development process when the full technical solution is implemented. Formal analysis-based methods use models of processor architectures and memory to compute the execution time or number of cycles for a sequence of instructions. Formal analysis-based methods can be applied at earlier stages of the development process as no target system of the complete implementation setup is actually required. 49 Communication latencies can be quite well determined based on the payload of the actual network frames which are send over the vehicle network. In this paper, we focus on single ECU systems such that communication delays induced by vehicle networks are not considered. Another approach which is not considered further in this paper for the validation of the temporal behavior of real-time systems utilizes evolutionary algorithms and targets test generation [Weg01]. Fig. 2 also depicts at which stage in the development approach the different methods for resource consumption determination and system-level timing analysis can be applied, which information is required as input and which information is obtained as output. 4.2 Resource consumption determination For the determination of actual timing properties such as worst-case execution times we consider one representative technique for a formal analysis method, namely abstract interpretation as implemented in the aiT tool from AbsInt [Gmb07a], and a non-formal analysis method, namely measurement as implemented in the RTA-Trace tool from ETAS [ETA06b]. WCET determination through abstract interpretation with aiT (AbsInt) The industry-strength tool aiT from AbsInt applies abstract interpretation in order to determine a safe upper bound for the maximum execution time (WCET). A sequence of code instructions is analyzed using a very precise processor and memory model (i.e. including cache, pipeline and branch prediction considerations). For analysis, aiT needs a compiled binary file as well as additional annotations given in a proprietary format (.ais). The annotations which are kept separate from the actual code file provide information which cannot automatically derived by aiT (such as upper bounds on loop iterations) or information to improve the analysis result. The tool performs a reconstructing of the control flow graph (CFG), followed by a value analysis to determine feasible value ranges followed by a subsequent cache and pipeline analysis. The result of the then following path analysis gives the worst-case execution time by applying integer linear programming (ILP) and solving techniques. WCET determination through measurements with RTA-Trace The other timing property determination method which we consider is a measurementbased technique. RTA-Trace [ETA06b] is a tool which directly integrates with the operating system (OS) that runs an ECU system and which provides, amongst other 50 statistical data, measurements of execution times for instrumented OS tasks and interrupt service routine (ISR) handlers. However, a running system is required. Thus, the method can first be applied at late stage of the development approach (technical software architecture abstraction level under the system or node-level artifact abstraction perspectives). Integrating WCET determination in model-based embedded control system development Automotive control applications are nowadays developed using high-level block diagram languages from which target-specific implementations are automatically derived through code generation. Integrating WCET determination with the abstract interpretation method as implemented in the aiT tool with model-based development and automatic code generation has the benefit that the required annotations can be generated either directly during target code generation or as a secondary step after code generation through the analysis of the well-structured generated target code. When the generated code can be considered as self-contained, i.e. it can be considered as a module or software component with a well defined interface specification for structural integration, then even multi-party development scenarios can be supported. 4.3 System-level timing analysis System- and node-level timing analysis has been extensively researched for single resources such as ECUs or bus systems. Recently, several system-level timing analysis approaches have been proposed which consider both ECU and bus systems and their interactions. The symbolic timing analysis for systems (SymTA/S) approach uses standard event models for event streams to couple the resource consuming entities on ECUs and bus systems and thus enables a system-level timing analysis ([RE02], [Ric04]). The SymTA/S approach is implemented in the SymTA/S tool suite [Gmb07b]. Another system-level timing analysis approach which we do not consider further in this paper is the modular performance analysis with real-time calculus (MPA-RTC, [CKT03]) approach. Integrating system-level timing analysis in component-based embedded control system development System-level timing analysis is integrated into the considered component-based embedded control system development approach by making relevant information directly available for an adequate system-level timing analysis tool. In the case of the SymTA/S tool suite, this information comprises • information on scheduling policies of ECU nodes and bus systems: these can be ei- 51 Figure 4: Implementation of proposed timing considerations: extending the ETAS tool chain (proprietary concepts) ther rather general resource sharing strategies such as the static priority preemptive, round robin, time division multiple access (TDMA) paradigms or specific implementations of those which usually occur in automotive implementations, e.g. in the ERCOS ek and RTA-OSEK operating systems, CAN-bus, FlexRay-bus. • information on OS tasks and their containments (processes or runnables): the order of the processes or runnables within the OS task, priority, type (preemptive, non-preemptive, cooperative, specific kind of ISR). Furthermore, information in the triggering and potential chaining of OS tasks is required. • information on best-case and worst-case execution times • information on minimum and maximum packet sizes for network frames The static part of the information (i.e. without the execution times which are of dynamic nature) can directly be obtained from tools which have knowledge of such information. For instance, ECU integration environments or integrated prototyping platforms such as INTECRIO [ETA07] can provide such information as it is part of the ECU configuration. The additional information about the best-case and worst-case execution times which are required for a system-level timing analysis need to be provided additionally. 52 5 Implementation of proposed timing considerations: extending the ETAS tool chain Fig. 4 depicts how the ETAS tool chain is extended to support the determination of worstcase execution times and conduct a system-level timing analysis through tool couplings to aiT (AbsInt) and SymTA/S (Symtavision). The so-enhanced tool chain covers a major excerpt of the proposed development approach, basically starting on the lowest artifact abstraction level of the function architecture and considering the final technical implementation of a single ECU system. 5.1 Support for resource consumption determination: ASCET - aiT We have integrated automatic resource consumption determination with model-based development of control applications through integrating the aiT tool into the behavioral modeling tool and integrated development environment ASCET [FHWR06]. ASCET generates suitable aiT annotation files (.aiT) and aiT project files (.apf) and starts WCET analysis requests. The results of the are both presented directly to the user as well as stored in the file system for further processing. The current integration allows an automatic WCET determination for single ECU systems completely developed in ASCET. Target-code from ASCET is generated for the ERCOS ek operating system and Infineon TriCore-based microcontrollers. As single ASCET projects are considered as modules in INTECRIO, ASCET and INTECRIO implement a component-based approach with ETAS proprietary means and file exchange formats. Information on the modules are passed via the proprietary SCOOPIX4 (.six) format from ASCET to INTECRIO where modules from different sources can be integrated, and a functional validation through virtual or rapid prototyping can be performed. Thus, the WCET analysis results from the ASCET - aiT integration can be interpreted in the context of a module. This is also depicted in Fig. 4. The separation of control algorithm specification and implementation in ASCET enables the determination of WCETs for different target platforms from the same model. In this sense, mapping-specific safe upper bounds for the execution time can be determined directly from the modeling tool without the need to set up an actual target microcontroller implementation to provide measurements. 5.2 Support for system-level timing analysis: INTECRIO - SymTA/S In order to conduct a system-level timing analysis, we use the SymTA/S tool suite. A prototypical extension to INTECRIO exports the operating system configuration information 4 SCOOP-IX = source code, objects and physics interchange format 53 Figure 5: Implementation of proposed timing considerations: extending the ETAS tool chain (AUTOSAR concepts) from an INTECRIO project to a format which can be imported by SymTA/S (.csv). SymTA/S allows to incrementally load information to obtain all required information for a complete analysis model. In this sense, we use this feature to firstly load the operating system configuration from INTECRIO and then incrementally load the target-specific WCETs which have been derived with the ASCET - aiT tool coupling into a SymTA/S system model. To fulfill the timing verification, timing requirements are added manually in SymTA/S. Currently, timing requirements are specified as end-to-end path latencies within SymTA/S. In our approach, these end-to-end path latencies are the end-to-end timing requirements which have been derived from the top-level functions in the functional architecture and translated to the technical software architecture. 6 6.1 Relevance of the work, conclusions and future outlook Relevance of the work The work presented in this paper addresses several issues which have lately been identified as general research gaps or open issues in AUTOSAR. In [Kop07], Kopetz has identified that additional levels of abstraction on top of the traditionally used implementation level are required to adequately account for the needs of the different engineering disciplines involved in overall system development. In [RER06], Richter et. al. argue why AUTOSAR requires a timing model now. In the public funded project TIMMO, several European in- 54 dustrial and university partners jointly work together on a timing model for the AUTOSAR ECU software architecture and the software component technology. 6.2 Conclusions The presented approach enables a model- and component based development of embedded control systems while considering aspects from different engineering disciplines. By integrating timing aspects such as resource consumption determination as well as systemlevel timing analysis, a reduction of overall development time can be achieved through an early detection of possible problems and a reduced number of iterative development cycles. Furthermore, the reduction of overall costs through increased utilization of available resources can be achieved. 6.3 Outlook on future work Currently we are working on how this development approach and the developed tool couplings can be applied to AUTOSAR. Fig. 5 depicts how the tool chain presented in Fig. 4 translates to AUTOSAR. The ASCET-aiT tool coupling is extended to also cover WCET analysis for AUTOSAR AtomicSoftwareComponents, more precisely for the single RunnableEntities which the InternalBehavior. We use INTECRIO as a vehicle for target-platform integration of an AUTOSAR ECU system. A prototypical extension to INTECRIO generates an ECU extract of the system description (AUTOSAR XML) for an AUTOSAR E/E system. The output XML file is used to drive the generator tools for required basic software modules for a minimal system, i.e. runtime environment (RTE), operating system (OS) and communication stack (COM-stack), the latter including the layers COM and CAN. A complete description can be found in earlier work in [FF08]. 7 Acknowledgements The authors would like to thank the anonymous reviewers for their comments. References [AUT06a] AUTOSAR. Software Component Template, 2006. [AUT06b] AUTOSAR. Technical Overview, 2006. [CKT03] Samarjit Chakraborty, Simon Künzli, and Lothar Thiele. A General Framework for Analysing System Properties in Platform-Based Embedded System Designs. In Design, Automation and Test in Europe (DATE), Munich, Germany., March 2003. [ETA06a] ETAS GmbH. ASCET Manual, Version 5.2, 2006. 55 [ETA06b] ETAS GmbH. RTA-Trace Manual, 2006. [ETA07] ETAS GmbH. INTECRIO Manual Version 3.0, 2007. [FF08] Patrick Frey and Ulrich Freund. Model-Based AUTOSAR Integration of an Engine Management System. 8th Stuttgart International Symposium Automotive and Engine Technology, March 2008. [FHWR06] Christian Ferdinand, Reinhold Heckmann, Hans-Jörg Wolff, and Christian Renz. Towards Model-Driven Development of Hard Real-Time Systems - Integrating ASCET and aiT/StackAnalyzer. Automotive Software Workshop San Diego (ASWSD 2006). Advanced Automotive Software and Systems Development: Model-Driven Development of Reliable Automotive Services. San Diego, CA (USA)., March 15-17 2006. [Gmb07a] AbsInt GmbH. aiT Worst-Case Execution Time Analyzers. http://www.absint.com/ait/, 2007. [Gmb07b] Symtavision GmbH. SymTA/S Scheduling Analysis Tool Suite v1.3.1. http://www.symtavision.com/, 2007. [HPST07] Wolfgang Haid, Simon Perathoner, Nikolay Stoimenov, and Lothar Thiele. Modular Performance Analysis with Real-Time Calculus. ARTIST2 PhD Course on Automated Formal Methods for Embedded Systems, DTU - Lyngby, Denmark - June 11, 2007. [Kop07] Hermann Kopetz. The Complexity Challenge in Embedded System Design. Research report, Technische Universität Wien, Institut für Technische Informatik, Treitlstr. 1-3/1821, 1040 Vienna, Austria, 2007. [RE02] Kai Richter and Rolf Ernst. Event model interfaces for heterogeneous system analysis, 2002. [RER06] Razvan Racu, Rolf Ernst, and Kai Richter. The Need of a Timing Model for the AUTOSAR software standard. Workshop on Models and Analysis Methods for Automotive Systems (RTSS Conference), Rio de Janeiro, Brazil,, December 2006. 56 [Ric04] Kai Richter. Compositional Scheduling Analysis Using Event Models. Phd thesis, Institut für Datentechnik und Kommunikationsnetze, Technische Universität Braunschweig, 2004. [T9̈8] Martin Törngren. Fundamentals of Implementing Real-Time Control Applications in Distributed Computer Systems. Real-Time Systems, 14(3):219–250, 1998. [TES97] Martin Törngren, Christer Eriksson, and Kristian Sandström. Deriving Timing Requirements and Constraints for Implementation of Multirate Control Applications. Internal report, Deptartment of Machine Design, The Royal Institute of Technology (KTH), Stockholm, Sweden, 1997. [Weg01] Joachim Wegener. Evolutionärer Test des Zeitverhaltens von Realzeit-Systemen. Shaker Verlag, August 2001. Clone Detection in Automotive Model-Based Development Florian Deissenboeck, Benjamin Hummel, Elmar Juergens, Bernhard Schätz, Stefan Wagner Institut für Informatik, Technische Universität München, Garching b. München Jean-François Girard, Stefan Teuchert MAN Nutzfahrzeuge AG, Elektronik Regelungs- und Steuerungssysteme, München Abstract: Model-based development is becoming an increasingly common development methodology in embedded systems engineering. Such models are nowadays an integral part of the software development and maintenance process and therefore have a major economic and strategic value for the software-developing organisations. Nevertheless almost no work has been done on a quality defect that is known to seriously hamper maintenance productivity in classic code-based development: Cloning. This paper presents an approach for the automatic detection of clones in large models as they are used in model-based development of control systems. 1 Introduction Software in the embedded domain, and especially in the automotive sector, has reached considerable size: The current BMW 7 series, for instance, implements about 270 user functions distributed over up to 67 embedded control units, amounting to about 65 megabytes of binary code. The up-coming generation of high-end vehicles will incorporate one gigabyte of on-board software [PBKS07]. Due to the large number of variants in product-lines, high cost pressure, and decreasing length of innovation cycles, the development process in this domain demands a high rate of (software) reuse. This is typically achieved by the use of general-purpose domain-specific libraries with elements like PID-controllers as well as the identification and use of application-specific elements like sensor-data plausibilisation. As a consequence of this highly reuse-oriented approach, the identification of common elements in different parts of the software provides an important asset for the automotive model-based development process. A proposed solution for the increasing size and complexity as well as for managing product lines is to rely on model-based development methods, i. e., software is not developed on the classical code level but with more abstract models specific to a particular domain. These models are then used to automatically generate production code. Especially in the automotive domain today already up to 80% of the production code deployed on embedded control units can be generated from models specified using domain-specific formalisms like Matlab/Simulink [JOB04]. Hence, it does not surprise that they exhibit a number of quality defects that are well known from classic programming languages. One such defect is the presence of redundant program elements or clones. 57 Cloning is known to hamper productivity of software maintenance in classical code-based development environments, e.g., [Kos07]. This is due to the fact that changes to cloned code are error-prone as they need to be carried out multiple times for all (potentially unknown) instances of a clone, e.g., [LPM+ 97]. Hence, the software engineering community developed a multitude of approaches and powerful tools for the detection of code clones, e.g., [JMSG07]. However, there has been very little work on cloning in the context of model-based development. Taking into account the economic importance of software developed in a model-based fashion and the well-known negative consequences of cloning for software maintenance, we consider this a precarious situation. 1.1 Contribution This paper presents an approach for the automatic detection of clones in models. The approach is based on graph theory and hence applies to all models using data-flow graphs as their fundamental basis. It consists of three steps: preprocessing and normalisation of models, extraction of clone pairs (i. e., parts of the models that are equivalent) and clustering of those pairs to also find substructures used more than twice in the models. Through the application of a suitable heuristic the approach overcomes the limits of algorithmic complexity and can be applied to large models (> 10,000 model elements) as they are typically found in the embedded domain. We demonstrate the applicability of our approach in a case study undertaken with MAN Nutzfahrzeuge, a German OEM of commercial vehicles and transport systems. Here we implemented our approach for the automatic detection of clones in Simulink/TargetLink models as they are widely used in the automotive domain. 1.2 Results and Consequences Our approach showed in the case study that there are clones in typical models used for code generation. In the analysed models with over 20,000 elements, 139 clone classes were found which affect over a third of the total model elements. By manual inspection a significant share of them were classified as relevant. Moreover, the case study shows that it is feasible to analyse models for clones. Our approach proved to be applicable to industry-relevant model sizes. Hence, it can be used to prevent the introduction of clones in models and to identify possible model parts that can be extracted into domain-specific intellectual-propery library to support a product line-like development. 2 Cloning In general, code clones are code fragments that are similar w.r.t. to some definition of similarity [Kos07]. The employed notions of similarity are heavily influenced by the program 58 representation on which clone detection is performed and the task for which it is used. The central observation motivating clone detection research is that code clones normally implement a common concept. A change to this concept hence typically requires modification of all code fragments that implement it, and therefore modifications of all clones. In a software system with cloning, a single conceptual change (e. g., a bug fix) can thus potentially require modification in multiple places, if the affected source code (or model) parts have been cloned. Since the localisation and consistent modification of all duplicates of a code (or model) fragment in a large software system can be very costly, cloning potentially increases the maintenance effort. Additionally, clones increase program volume and thus further increase maintenance efforts, since several maintenance-related activities are influenced by program size. [MNK+ 02], analyses the change history of a large COBOL legacy software system. They report that modules containing clones have suffered significantly more modifications than modules without cloning, giving empirical indication of the negative impact of cloning on maintainability. Furthermore, bugs can be introduced, if not all impacted clones are changed consistently. In [LJ07] Jiang et. al. report the discovery of numerous bugs uncovered by analysing inconsistencies between code clones in open source projects. Despite the mentioned negative consequences of cloning, the analysis of industrial and open-source software projects shows that developers frequently copy-and-paste code [LPM+ 97]. Different factors can influence a programmer’s choice to copy-and-paste existing code instead of using less problematic reuse mechanisms: Lack of reuse mechanisms in a language are often the source of duplication [KBLN04]. [Kos07] lists time pressure, insufficient knowledge of consequences of cloning, badly organised reuse processes or questionable productivity metrics (lines of code per day) as possible process-related issues. [KG06] describes situations (e. g., experimental validation of design variations) in which cloning of source code, despite its known drawbacks, can be argued to have some advantages over alternative solutions. But even if cloning is applied on purpose, as rarely as it seems to be the case, the ability to identify and track clones in evolving software is crucial during maintenance. Since neither the reasons nor the consequences for cloning are rooted in the use of textual programming languages as opposed to model-based approaches for software development, we expect cloning to also impact model-based development. 3 Models For Control Systems The models used in the development of embedded systems are taken from control engineering. Block diagrams – similar to data-flow diagrams – consisting of blocks and lines are used in this domain as structured description of these systems. Recently, tools for this domain – with Matlab/Simulink or ASCET-SD as prominent examples – are used for the generation of embedded software from models of systems under development. To that end, these block diagrams are interpreted as descriptions of time- (and value-)discrete control algorithms. By using tools like TargetLink [dG], these descriptions are translated into the computational part of a task description; by adding scheduling information, these descriptions are then combined – often using a real-time operating system – to implement an 59 .2 1.8 P z Max 1 1 In 1 I 2.5 z I-Delay I-Delay < Compare Set 1 Out 1 In 2 P 1 1 Out z D-Delay .5 0.7 D I Figure 1: Examples: Discrete saturated PI-controller and PID-controller embedded application. Figure 1 shows two examples of simple data-flow systems using the Simulink notation. Both models transform a time- and value-discrete input signal In into an output signal Out, using different types of basic function blocks: gains (indicated by triangles, e. g., P and I), adders (indicated by circles, with + and − signs stating the addition or subtraction of the corresponding signal value), one-unit delays (indicated by boxes with z1 , e. g., I-Delay), constants (indicated by boxes with numerical values, e. g., Max), comparisons (indicated by boxes with relations, e. g., Compare), and switches (indicated by boxes with forks, e. g., Set). Systems are constructed by using instances of these types of basic blocks. When instantiating basic blocks, depending on the block type different attributes are defined; e. g., constants get assigned a value, or comparisons are assigned a relation. For some blocks, even the possible input signals are declared. For example, for an adder, the number of added signals is defined, as well as the corresponding signs. By connecting them via signal lines, (basic) blocks can be combined to form more complex blocks, allowing the hierarchic decomposition of large systems into smaller subsystems. Because of this simple mechanism of composition, block diagrams are ideally suited for a modular development process, supporting the reuse of general-purpose control functions as well as applicationdomain specific IP-blocks. However, it also eases a copy-and-paste approach which – combined with the evolution of product lines typically found with embedded systems and large block libraries – potentially lead to a substantial number of clones. 4 Approach In this section we formalise the problem of clone detection in graph-based models and describe the algorithmic approach used for solving it. Basically our approach consists of three steps. First we preprocess and normalise the Simulink model, then we extract clone pairs (i. e., parts of the model that are equivalent), and finally we cluster those pairs to also find substructures used more than twice in the model. 60 Const Outport Switch Gain Sum UnitDelay Gain Sum RelOp: < UnitDelay Sum Inport Gain UnitDelay Inport Gain Sum Sum Outport Gain Figure 2: The model graph for our simple example model 4.1 Preprocessing and Normalisation The preprocessing phase consists of flattening the models (i. e., inlining all subsystems by abstracting from the subsystem hierarchy), and removing unconnected lines. This is followed by the normalisation which assigns to each block and line a label consisting of those attributes we consider relevant for differentiating them. Later two blocks or lines are considered equivalent, if they have the same label. Which information to include in the normalisation labels depends on which kind of clones should be found. For blocks usually at least the type of the block is included, while semantically irrelevant information, such as the name, the colour, or the layout position, are excluded. Additionally some of the block attributes are taken into account, e. g., for the RelationalOperator block the value of the Operator attribute is included, as this decides whether the block performs a greater or less than comparison. For the lines we store the indices of the source and destination ports in the label, with some exceptions as, e. g., for a product block the input ports do not have to be differentiated. The result of these steps is a labelled model graph with the set of vertices (or nodes) corresponding to the blocks, the directed edges corresponding to the lines, and a labelling function mapping nodes and edges to normalisation labels. As a Simulink block can have multiple ports, each of which can be connected to a line, the graph is a multi-graph. The ports are not modelled here but implicitly included in the normalisation labels of the lines. For the simple model shown in Figure 1 the model graph would be the one in Figure 2. The nodes are labelled according to our normalisation function and the grey portions of the graph mark the part we would consider a clone. 4.2 Problem Definition Having the normalised model graph from the previous section, we can now define what a clone pair is in our context. A clone pair is a pair of subgraphs, such that those subgraphs must be isomorphic regarding to the labels, the subgraphs are not overlapping clones, and the sub-graphs are not unconnected blocks distributed arbitrarily through the model. Note that we do not require them to be complete subgraphs (i. e., contain all induced lines). We denote by the size of the clone pair the number of nodes in a sub-graph. Then the goal is to find all maximal clone pairs, i. e., all such pairs which are not contained in any other pair 61 of greater size. While this problem is similar to the well-known NP-complete Maximum Common Subgraph (MCS) problem, it differs in some aspects; e.g., we do not only want to find the largest subgraph, but all maximal ones. 4.3 Detecting Clone Pairs As already discussed, the problem of finding the largest clone pair is NP-complete, we cannot expect to find an efficient (i. e., polynomial time) algorithm for enumerating all maximal ones which we could use for models containing thousands of blocks. So we developed a heuristic approach for finding clone pairs which is presented next. It basically consists of iterating over all possible pairings of nodes and proceeding in a breadth-firstsearch (BFS) manner from there. For optimization purposes, a similarity function is used. The idea of this function is to have a measure for the structural similarity of two nodes which not only looks at the normalisation labels, but also the neighbourhood of the nodes. 4.4 Clustering Clones So far we only find clone pairs, thus a subgraph which is repeated n times will result in n(n−1)/2 clone pairs being reported. The clustering phase has the purpose of aggregating those pairs into a single clone class. Instead of clustering clones by exact identity (including edges) which would miss many interesting cases differing only in one or two edges, we perform clustering only on the sets of nodes. Obviously this is an overapproximation which can lead to clusters containing clones that are only weakly related. However, as we consider manual inspection of clones to be important for deciding how to deal with them, those cases (which are rare in practice) can be dealt with there. What this boils down to, is to have a graph whose vertices are the node sets of the clone pairs and the edges are induced by the cloning relationship between them. The clone classes are then the connected components, which are easily found using standard graph traversal algorithms, or a union-find structure (see, e. g., [CLRS01]) which allows the connected components to be built online, i. e., while clone pairs are being reported, without building an explicit graph representation. 5 Case Study This section describes the case study, that was carried out with a German truck and bus manufacturer to evaluate the applicability and usefulness of our approach.We performed our experiments on a model provided by MAN Nutzfahrzeuge Group, which is a Germanbased international supplier of commercial vehicles and transport systems, mainly trucks and busses. It has over 34,000 employees world-wide of which 150 work on electronics and software development. Hence, the focus is on embedded systems in the automotive 62 Figure 3: An example for the visualisation of clones within Matlab domain. The analysed model implements the major part of the functionality of the power train management system, deployed to one ECU. It is heavily parametrised to allow its adaption to different variants of trucks and busses. The model consists of more than 20,000 TargetLink blocks, which are distributed over 71 Simulink files. Such a file is the typical development/modelling unit for Simulink/TargetLink models. 5.1 Implementation For performing practical evaluations of the detection algorithm, we implemented it as a part of the quality analysis framework ConQAT [DPS05] which is publicly available as open source software1 . This includes a Java-based parser for the Simulink model file format which makes our tool independent of the Simulink application. Additionally, we developed preprocessing facilities for the TargetLink-specific information and for flattening the Simulink models by removing subsystems that induce the models’ hierarchy. To review the detection results we extended ConQAT with functionality to layout the detected clones and to visualise them within the Simulink environment that developers are familiar with. The later is done by generating a Matlab script which assigns different colours to the blocks of each clone. An example of this is shown in Figure 3. 1 http://conqat.cs.tum.edu/ 63 25 Number of components 20 15 10 5 0 4 8 16 32 64 128 256 Size of connected component Figure 4: Size distribution of connected components in the model (logarithmically scaled in x-axis) Number of models 1 2 3 4 Number of clone classes 43 81 12 3 Table 1: Number of Files/Modelling Units the Clone Classes were Affecting 5.2 Application To be applicable to real-world models, the general approach described in Section 4 had to be slightly adapted and extended. For the normalisation labels we basically used the type, and for some of the blocks which implement several similar functions added the value of the attribute which distinguishes these functions (e. g., for the Trigonometry block this would be an attribute deciding between sine, cosine, and tangent). Overall we rather included less information into the normalisation labels not to loose potentially interesting clones. From the clones found, we discarded all those consisting of less than 5 blocks, as this is the smallest amount we still consider to be relevant at least in some cases. As this still yielded many clones consisting solely of “infrastructure blocks”, such as terminators and multiplexers, we implemented a weighting scheme, assigned each block type a weight. Clones with a total weight less than 8 also were discarded, which ensures that at least small clones are considered only, if their functional portion is large enough. 5.3 Results From the 20454 blocks nearly 9000 were abstracted out of the model during flattening the model (4314 Inports, 3199 Outports, 1412 Subsystems). The model then consisted of 3538 connected components of which 3403 could be skipped as they consisted of less than 5 blocks. Finally the clone detection was run on 4762 blocks contained in 135 connected components. The distribution of component size is shown in Figure 4, with the largest component having less than 300 blocks. We found 166 clone pairs in the models which 64 Cardinality of clone class 2 3 4 5 Number of clone classes 108 20 10 1 Table 2: Number of Clone Classes for Clone Class Cardinality Clone size 5 – 10 11 – 15 16 – 20 > 20 Number of clones 76 35 17 11 Table 3: Number of Clone Classes for Clone Size resulted in 139 clone classes after clustering and resolving inclusion structures. Of the 4762 blocks used for the clone detection 1780 were included in at least one clone (coverage of about 37%). As shown in Table 1, only about 25% of the clones were within one modelling unit (i. e., a single Simulink file), which was to be expected as such clones are more likely to be found in a manual review process as opposed to clones between modelling units, which would require both units to be reviewed by the same person within a small time frame. Table 3 gives an overview on the cardinality of the clone classes found. As mostly pairs were found, this indicates that the clustering phase is not (yet) so important. However, from our experience with source code clones and legacy systems, we would expect these numbers to slightly shift when the model grows larger and older. Table 3 shows how many clones have been found for some size ranges. The largest clone had a size of 101 and a weight of 70. Smaller clones are obviously more frequent, which is because smaller parts of the model with a more limited functionality are more likely to be useful at other places. 5.4 Discussion Our results clearly indicate that our approach is capable of detecting clones and a manual inspection of the clones showed, that many of the clones are actually relevant for practical purposes. Besides the “normal” clones, which at least should be documented to make sure that bugs are always fixed in both places, we also found two models which were nearly entirely identical. Additionally some of the clones are candidates for the project’s library, as they included functionality that is likely to be useful elsewhere. We even found clones in the library (which was included for the analysis), indicating that developers rebuilt functionality contained in the library they were not aware of. Another source of clones is the limitation of TargetLink that scaling (i. e., the mapping to concrete data types) cannot be parameterised, which leaves duplication as the only way for obtaining different scalings. The main problem we encountered is the large number of false positives as more than 65 half of the clones found are obviously clones according to our definition but would not be considered relevant by a developer (e. g., large Mux/Demux constructs). While weighting the clones was a major step in improving this ratio (without weighting there were about five times as many clones, but mostly consisting of irrelevant constructs) this still is a major area of potential improvement for the usability of our approach. 6 Future Work As the application of clone detection on model-based development has not been studied before, there is a wide field of possible further research questions. One major direction consists of improving the algorithm and the general techniques and ideas involved. The other area complementing this is to have larger case studies or to apply the algorithm to related problems to get a better understanding of its strengths and weaknesses and its general usefulness. Besides improving modeling quality, another interesting direction is the application of clone detection with a specific goal in mind, such as finding candidates for a library or finding clones in a library, where a developer rebuilt existing functionality. One could also use it the other way round and build a library of anti-patterns which includes common but discouraged model constructs (such as cascading switch blocks). Clones into these patterns then could indicate potential defects in the model. A different application would be to aid in building product lines. Both product lines and model-based development are commonly used or introduced in the industry. Using clone detection on models of different products could help in deciding whether making a product line out of them is a good idea, and in identifying the common parts of these models. Finally we would like to apply clone detection not only to Simulink models, but other kinds of models, too. As the algorithm itself is only based on graph theory, most of the adjustments for adaptation to other models are in the parsing and preprocessing phase, including normalisation. 7 Conclusions Model-based development is more and more becoming a routinely used technique in the engineering of software in embedded systems. Such models, especially when employed to generate production code, grow large and complex just like classical code. Therefore, classical quality issues can also appear in model-based development. A highly problematic and well-recognised problem is that of clones, i.e., redundant code elements. So far, no approach or tool for clone analysis of models has been developed. Existing approaches like [TBWK07] analyzing similarities between models target the computation of model differences, focus generally change management. Considering the massive impact of clones on quality and maintenance productivity, this is an unsatisfying situation. Moreover, we are in a unique position w.r.t. model-based development. We have the opportunity to introduce clone detection early in the development of large systems and product lines. In model-based development, these large systems – and especially product-lines – are now 66 emerging. This shows also the two main uses of a clone detection approach for models: (1) redundant parts can be identified that might have to be changed accordingly when one of them is changed and (2) common parts can be identified in order to place them in a library and for product-line development. References [CLRS01] T. H. Cormen, C. E. Leiserson, R. L. Rivest, and C. Stein. Introduction to Algorithms. The MIT Press and McGraw-Hill Book Company, 2nd edition, 2001. [dG] dSpace GmbH. TargetLink Production Code Generation. www.dspace.de. [DPS05] Florian Deissenboeck, Markus Pizka, and Tilman Seifert. Tool Support for Continuous Quality Assessment. In Proc. 13th IEEE Int. Workshop on Software Technology and Engineering Practice. IEEE Computer Society, 2005. [JMSG07] L Jiang, G Misherghi, Z Su, and S Glondu. DECKARD: Scalable and Accurate TreeBased Detection of Code Clones. In ICSE ’07: Proceedings of the 29th international conference on Software engineering, 2007. [JOB04] Michael Jungmann, Rainer Otterbach, and Michael Beine. Development of SafetyCritical Software Using Automatic Code Generation. In Proceedings of SAE World Congress, 2004. [KBLN04] Miryung Kim, Lawrence Bergman, Tessa Lau, and David Notkin. An Ethnographic Study of Copy and Paste Programming Practices in OOPL. In ISESE ’04: Proceedings of the 2004 International Symposium on Empirical Software Engineering, pages 83–92. IEEE Computer Society, 2004. [KG06] Cory Kapser and Michael W. Godfrey. ”Cloning Considered Harmful” Considered Harmful. In WCRE ’06: Proceedings of the 13th Working Conference on Reverse Engineering, pages 19–28. IEEE Computer Society, 2006. [Kos07] Rainer Koschke. Survey of Research on Software Clones. In Duplication, Redundancy, and Similarity in Software, Dagstuhl Seminar Proceedings, 2007. [LJ07] Edwin Chiu Lingxiao Jiang, Zhendong Su. Context-Based Detection of Clone-Related Bugs. In ESEC/FSE 2007, 2007. [LPM+ 97] B. Lague, D. Proulx, J. Mayrand, E. M. Merlo, and J. Hudepohl. Assessing the benefits of incorporating function clone detection in a development process. In Proceedings of the International Conference on Software Maintenance, 1997. [MNK+ 02] Akito Monden, Daikai Nakae, Toshihiro Kamiya, Shinichi Sato, and Kenichi Matsumoto. Software Quality Analysis by Code Clones in Industrial Legacy Software. In METRICS ’02: Proceedings of the 8th International Symposium on Software Metrics, page 87. IEEE Computer Society, 2002. [PBKS07] Alexander Pretschner, Manfred Broy, Ingolf H. Krüger, and Thomas Stauner. Software Engineering for Automotive Systems: A Roadmap. In L. Briand and A. Wolf, editors, Future of Software Engineering 2007, pages 55–71. IEEE Computer Society, 2007. [TBWK07] Christoph Treude, Stefan Berlik, Sven Wenzel, and Udo Kelter. Difference Computation of Large Models. In ACM SIGSOFT Symposium on the Foundations of Software Engineering, pages 295–304, 2007. 67 Modellbasierte Softwareentwicklung mit SCADE in der Eisenbahnautomatisierung Stefan Milius, Uwe Steinke Siemens AG Industry Sector, Mobility Division, TS RA RD I SWI Ackerstraße 22 38126 Braunschweig [email protected] [email protected] Zusammenfassung: Wir berichten in diesem Beitrag über ein momentan laufendes Pilotprojekt zur modellbasierten Entwicklung sicherheitsrelevanter Software bei Siemens Mobility im Bereich Eisenbahnautomatisierung. In der Pilotierung benutzen wir SCADE Version 6, ein Tool für die modellbasierte Entwicklung sicherheitsrelevanter Software von der Firma Esterel Technologies. Wir stellen kurz die wesentlichen Merkmale von SCADE vor, und wir berichten von den Erkenntnissen, die wir während unserer Pilotierungsphasen gewonnen haben. 1 Einführung Die Entwicklung von Produkten für Eisenbahnautomatisierung bringt verschiedene Herausforderungen mit sich. Zunächst einmal müssen die Produkte sehr hohen Sicherheitsanforderungen genügen. Um diese Anforderungen zu erfüllen, müssen aufwändige Tests, Begutachtungen und Zertifizierungen durchgeführt werden. Außerdem haben Produkte der Eisenbahnautomatisierung typischerweise einen Lebenszyklus von über 25 Jahren. Der Wechsel von hardware- zu softwareorientierten Lösungen bringt Schwierigkeiten mit sich: Mit wachsenden Systemanforderungen erhöht sich die Komplexität der Software stetig. Die zugrunde liegende Hardware wird sich im Laufe des Produktlebenszyklus ändern. Von der modellbasierten Softwareentwicklung wird ein Beitrag zur Beherrschung dieser Probleme erwartet. Die Idee ist hierbei, die wesentlichen logischen Anteile der Software eines Systems auf einer Abstraktionsebene zu beschreiben, die weitestgehend unabhängig von der konkret verwendeten Hardwareplattform ist. Das kann bis hin zu einer domänenspezifischen Beschreibung führen. Dabei ist allerdings unabdingbar, dass es keinen Bruch zwischen Modell und Implementierung gibt. Das bedeutet, es muss vermieden werden, dass Modelle und Implementierung nicht mehr konsistent zueinander sind. Dies erfordert den Einsatz von Generatoren zur automatischen Erzeugung von ausführbarem Code aus Modellen. Damit aber die Generatoren für die Entwicklung sicherheitsbezogener Software überhaupt einsatzfähig sind, muss die Qualität der Übersetzung sehr hohen Standards genügen und sie muss gegenüber Zertifizierungsbehörden begründbar sein. Ein Vorteil der modellbasierten Entwicklung gegenüber klassischer Entwicklung ist die Möglichkeit des Einsatzes von modernen Analysemethoden und -werkzeugen auf Mo- 68 dellebene (z. B. statische Modellanalyse, Modellsimulatoren oder Model Checking). Dies ermöglicht die frühe Erkennung von logischen Fehlern einer Software, bevor mit speziellen und meist teuren Werkzeugen auf der Zielhardware getestet werden muss. Auch verkürzen sich durch den Einsatz der modellbasierten Entwicklung die Zeiten zwischen Fehlererkennung und Fehlerbehebung. Für die modellbasierte Entwicklung sicherheitsrelevanter Software nutzt Siemens Mobility in der Rail Automation das Tool SCADE (Certified-Software-Factory) der Firma Esterel Technologies. SCADE erlaubt die Modellierung der logischen Funktionalität von Software eingebetteter Systeme auf einer Abstraktionsebene, die von der unterliegenden Hardwareplattform abstrahiert. Der Modellierungssprache liegt die sogenannte „synchrone Hypothese“ zugrunde: SCADE-Modelle sind zyklisch synchron getaktete Datenfluss- und Zustandsmaschinen. Die SCADE-Modellierungs-Suite unterstützt Simulation und Test auf Modellebene. Ein wesentlicher Bestandteil des Tools ist ein Codegenerator, der für die Softwareentwicklung gemäß den gängigen Normen aus Luftfahrt und Eisenbahnautomatisierung, in naher Zukunft qualifiziert sein wird. In Abschnitt 2 geben wir einen Überblick über wesentliche Elemente der SCADEToolsuite, Version 6. Im Abschnitt 3 berichten wir dann über den Einsatz von SCADE in einem Pilotprojekt bei Siemens Mobility. In Abschnitt 4 diskutieren wir unsere Erkenntnisse aus dem Pilotprojekt. Schließlich geben wir in Abschnitt 5 einen Ausblick auf zukünftige Arbeiten, die modellbasierte Entwicklung mit SCADE bei Siemens betreffen. 2 Überblick über SCADE 6 In diesem Kapitel geben wir einen kurzen Überblick über die wichtigsten Sprachmittel von SCADE 6 und erläutern die wichtigsten Elemente der SCADE-Toolsuite. Grundsätzlich unterscheidet sich die Modellierung in SCADE stark von der Modellierung in bekannten Standard-Modellierungssprachen wie zum Beispiel UML oder SysML. Der Fokus von SCADE liegt in der Beschreibung einer vollständigen Implementierung auf Modellebene und aus unserer Sicht nicht auf der Ebene einer System- oder Softwarearchitekturbeschreibung. Der Abstraktionsgrad der Sprache ist dementsprechend gering, aber angemessen. SCADE bietet eine einfache, mathematisch exakte Semantik, die den Einsatz von Analyseverfahren (statische Modellanalyse oder Model Checking) begünstigt. 2.1 Sprachmittel Die Modellierungssprache SCADE ist eine Weiterentwicklung der Datenflussbeschreibungssprache LUSTRE [H91]. SCADE liefert Modellierungsmittel für zyklisch synchron getaktete Softwaresysteme. Der gesamten Modellierung in SCADE liegt die „synchrone Hypothese“ zugrunde. Diese besagt, dass die Berechnung eines Taktzyklus eines Modells keine Zeit verbraucht. Diese Annahme stellt natürlich eine Vereinfachung dar, die von realen Systemen nicht erfüllt wird. Dennoch können alle logischen Abläufe und kausalen Zusammenhänge modelliert werden. Für die praktische Anwendung resultiert daraus lediglich die folgende 69 Restriktion: Die in einem Takt vom Modell verbrauchte Rechenzeit muss kleiner sein als die für einen Takt festgelegte zulässige Zykluszeit. Hier ein Überblick über die vorhandenen Modellierungsmittel: Daten: SCADE 6 erlaubt die Behandlung von strukturierten Daten. Alle Datenstrukturen sind statisch. Es ist möglich aus den Grundtypen (real, int, bool) Strukturen und Arrays aufzubauen. Die Modellierungssprache ist stark typisiert. Datenflussbeschreibungen: Die Modellierungssprache enthält die üblichen logischen und arithmetischen Operatoren sowie konditionale Operatoren. Weiterhin existieren temporale Operatoren für den Zugriff auf Datenflusswerte vergangener Takte. Vorhanden sind die Operatoren für den Zugriff auf Strukturen und Arrays bis hin zu dynamisch indiziertem Array-Zugriff. Es existiert jedoch keine Möglichkeit, explizit Schleifen zu beschreiben. Dafür gibt es die sogenannten „algebraischen Schleifen“ Map und Fold. Diese sind aus der funktionalen Programmierung bekannt. Map dient dazu, einen Operator mit einfachem Datentyp elementweise auf ein Array dieses Datentyps anzuwenden. Mit Fold können Berechnungen über ein Array akkumuliert werden. Map und Fold sind vielseitige Sprachmittel, die bei richtiger Anwendung zu sehr klaren und verständlichen Modellen führen. Allerdings erfordern diese Sprachmittel bei Programmierern aus dem imperativen Umfeld eine „Gewöhnungsphase“. Das Bild 1 zeigt ein Beispiel eines SCADE-Modells. Bild 1: SCADE-Modell eines einfachen Zählers Zustandsmaschinen: Die Zustandsmaschinen in SCADE sind synchron getaktete, hierarchische Zustandsmaschinen. Sie sind mit den aus der Standard-Modellierungssprache UML bekannten Statecharts vergleichbar. Ein wichtiger Unterschied ist die streng synchrone Semantik: Pro Takt ist in jeder (parallelen) Zustandsmaschine immer nur eine Transition aktiv und wird ausgeführt. Zyklische Abhängigkeiten zwischen Modellelementen sind verboten und werden auch zur Generierzeit wie Syntaxfehler behandelt. Ein Beispiel einer Zustandsmaschine zeigt Bild 2. Ein Vorteil von SCADE 6 ist, dass die beiden Beschreibungsmittel Datenfluss und Zustandsmaschine voll integriert sind und daher beliebig ineinander verschachtelt werden können. 70 Bild 2: Eine Zustandsmaschine in SCADE 2.2 Tool Suite Mit der SCADE-Suite steht ein umfangreiches Tool für die Modellierungssprache SCADE zur Verfügung. Bild 3 zeigt die SCADE-Suite im Überblick. Zusätzlich können verschiedene Anbindungen an andere Tools (Gateways) eingesetzt werden: Grafischer Editor: Jedes syntaktische Modellelement hat eine grafische Repräsentation. Im SCADE-Editor kann mit diesen grafischen Elementen modelliert werden. Es kann auch mit textlicher Modellierungssprache gearbeitet werden. Codegenerator (KCG): Der Codegenerator erzeugt aus SCADE-Modellen einen CCode. Die Qualifizierung des Codegenerators für die Entwicklung sicherheitsbezogener Software nach DO 178B, Level A und nach CENELEC EN 50128 für SIL 4, ist für den weiteren Verlauf des Jahres 2008 geplant. Zusammen mit dem bei Siemens Mobility in der Rail Automation eingesetzten zertifizierten CADUL-Compiler ergibt sich eine vollständige Automatisierung der Generierung vom Modell bis ins Zielsytem. Simulator/Debugger: Er erlaubt, den aus einem SCADE-Modell generierten Code auszuführen, auf Modellebene zu testen und zu debuggen. Der Simulator kann mittels TCLSkripten gesteuert werden und besitzt eine Automatisierungsschnittstelle. Model Test Coverage: Diese Toolkomponente erlaubt es, für eine gegebene Testsuite eines Modells strukturelle Abdeckungsmessungen zu machen. Ein Modell kann hierbei für zwei verschiedene Coverage-Kriterien automatisch instrumentiert werden: Decision Coverage (DC) und Modified Condition/Decision Coverage (MC/DC). Andere Kriterien lassen sich auf einfache Weise für (selbstmodellierte) Bibliotheken bereitstellen. 71 Anforderungen Design Verifier Grafischer Editor (Modellerstellung) Model Test Coverage Simulator/Debugger (Testsuite) vollautomatische Generierung Modell Codegenerator (KCG) C-Quellen Zertifizierter C-Compiler (z. B. CADUL) Object-Code Bild 3: Workflow mit der SCADE-Suite Design Verifier: Diese Komponente erlaubt die formale Verifikation gewisser Eigenschaften von Modellen. Die zu verifizierenden Eigenschaften werden in SCADE formuliert. Das hat den Vorteil, dass man keine neue Sprache oder Logik zur Spezifikation von Eigenschaften nutzen muss. Allerdings ist die Ausdrucksstärke der Operatoren in SCADE, beispielsweise im Verhältnis zu temporalen Logiken (LTL, CTL), eingeschränkt. Es lassen sich nur sogenannte „Safety-Eigenschaften“ verifizieren, keine „LivenessEigenschaften“.1 Requirements Gateway: Die SCADE-Suite beinhaltet eine Version des Tools Reqtify (der Firma TNI-Software). Dieses erlaubt eine Verlinkung von Elementen eines SCADEModells mit seinen Anforderungen die beispielsweise in einem Tool wie DOORS erfasst sind. Es können auch klassisch kodierte Teile einer Software oder Testfälle verlinkt werden, sodass eine durchgängige toolgestützte Verlinkung von den Anforderungen bis zu Implementation und Test möglich wird. Weitere Gateways: SCADE besitzt noch weitere Gateways zu anderen Third-PartyTools: Rhapsody, Simulink und ARTiSAN (das ARTiSAN-Gateway ist für SCADE 6.1, Okt. 2008 angekündigt). 1 „Safety-Eigenschaften“ sagen aus, dass bestimmte Zustände eines Systems nie eintreten. „LivenessEigenschaften“ sagen aus, dass bestimmte erwünschte Zustände in einem Ablauf ausgehend von einem Startzustand irgendwann in der Zukunft sicher auftreten werden. 72 3 Einsatz von SCADE bei Siemens TS RA SCADE 6 wird seit Januar 2007 in einem Pilotprojekt bei Siemens Mobility eingesetzt. Bei diesem Pilotprojekt werden Softwarekomponenten von Achszählsystemen mit SCADE modelliert. Achszähler sind Systeme, die in der Bahnautomatisierung zur Gleisfreimeldung eingesetzt werden. Bild 4 zeigt den Einsatz eines Achszählsystems an einem vollautomatischen Bahnübergang. Bild 4: Vollautomatischer Bahnübergang mit Achszählern Die gezeigten Achszählsensoren (AzE, AzA1 und AzA2) beruhen auf dem induktiven Prinzip und werden durch Überfahrung eines Rades beeinflusst, wobei auch die Fahrtrichtung eines Rades ermittelt werden kann. Die Auswertung der Sensordaten findet im Achszählrechner (AzR) statt, der sich im Betonschalthaus befindet. Der AzR ist ein sicherer Rechner nach dem Simis-Prinzip. Der sichere Rechner erfüllt einen Sicherheitsintegritätslevel (SIL) der Stufe 4 – der höchste definierte Level, siehe [N03]. Für die auf dem Rechner laufende Software gilt entsprechend der Software-SIL 4, was eine Reihe von Maßnahmen an den Softwareentwicklungsprozess impliziert, siehe [N01]. Unter anderem werden formale Methoden ausdrücklich empfohlen. Diese Anforderungen liefern eine weitere Motivation für den Einsatz modellbasierter Softwareentwicklungsmethoden. Im ersten Teil unseres Pilotprojektes wurde in einem bestehenden Achszählsystem der Teil der Software, der die Funktionalität eines Gleisabschnittes trägt, durch ein SCADEModell ersetzt. Ziele dieses ersten Teiles des Pilotprojektes waren: ! Schaffung der notwendigen technischen Rahmenbedingungen für den produktiven Einsatz (z. B. Produktionsumgebung, Testumgebung). ! Herstellung der Lauffähigkeit der modellierten Komponenten im realen System. ! Evaluation der Modellierung und der Tool-Unterstützung von SCADE 6. ! Erfahrungsaufbau mit der SCADE-Methode. 73 Nach Abschluss der ersten Phase des Pilotprojektes und den dabei gewonnenen Ergebnissen wurde beschlossen, SCADE auch im produktiven Bereich einzusetzen. Seit September 2007 wird nun in der zweiten Phase der SCADE-Pilotierung eine Komponente, eines in der Entwicklung befindlichen Systems, mit SCADE modelliert. Es handelt sich um ein Achszählsystem, das in Stellwerken zur Gleisfreimeldung eingesetzt wird. Die wichtigsten Ziele der zweiten Phase sind: ! Durchgängige Entwicklung des Achszählsystems von den Anforderungen bis zur Zertifizierung. ! Einsatz von formaler Verifikation zur frühen Erkennung von Fehlern. ! Einsatz weiterer modellbasierter Techniken, um SCADE in einen durchgängigen modellbasierten Entwicklungsprozess zu integrieren. Es wurde eine Software-Komponente mit SCADE modelliert, die das Grundstellverfahren eines Gleisabschnittes in einem Stellwerk implementiert. Durch die Bedienhandlung des Grundstellens wird ein Belegungszustandswechsel eines Gleisabschnittes von „besetzt“ nach „frei“ erzwungen. Die Bedienhandlung ist in einem Stellwerk nur in Sonderfällen zulässig und an Bedingungen geknüpft. Das Grundstellverfahren überwacht die Einhaltung dieser Bedingungen und führt den Grundstellvorgang aus. Die Anforderungen an die Software-Komponente wurden in dem RequirementsEngineering-Tool DOORS [D] erfasst und mit der Umsetzung in SCADE verlinkt. Auf diese Weise ist die Nachverfolgbarkeit besser gegeben, als durch die Norm [N01] vorgeschrieben In der Norm ist keine Verlinkung bis auf Quellcodeebene (also in unserem Fall bis auf SCADE-Modell-Ebene) gefordert – das ist allerdings durch unser Vorgehen sicher gestellt. Im Rahmen der Pilotierung wird von uns ein statistisches Testmodell erstellt. Dies wird unabhängig von dem Implementationsmodell in SCADE aus den Anforderungen abgeleitet. Bild 5 zeigt das grundsätzliche Vorgehen, siehe auch [Sc07]. Bei dem Testmodell handelt es sich im Wesentlichen um eine Markov-Kette. In einer Kooperation mit dem Fraunhofer IESE setzen wir im Rahmen einer Diplomarbeit, die am Institut für Software und Systems Engineering der TU Braunschweig angesiedelt ist, das Tool JUMBL [J] ein, um aus diesem Testmodell Testfälle zu generieren. Diese können für Belastungstests des Modells benutzt werden. Mit Hilfe der Wahrscheinlichkeiten in der Markov-Kette können bestimmte Anwendungsszenarien häufiger oder weniger häufig getestet werden. Es hat sich gezeigt, dass durch dieses Vorgehen Fehler schon in der Modellierungsphase erkannt werden, die ansonsten erst in viel späteren Phasen entdeckt würden. Im Rahmen des Testens des SCADE-Modells wird auch von dem Model-Test-CoverageFeature der SCADE-Tools Suite Gebrauch gemacht. Wie bereits erwähnt lässt sich damit die strukturelle Abdeckung des Modells durch die vom Testmodell generierte Testsuite nachweisen. Dies ist auch eine Forderung aus der Norm [N01] für den Software-SIL 4. 74 Anforderungen SCADE Modell Testmodell Code generator Generierter Code JUMBL manuell automatisch Verifikation Testfälle Analyse Bild 5: SCADE-Modell und Testmodell Ein Problem beim Test ergibt sich durch die Einbettung des Modells in das Zielsystem oder in klassisch kodierte Software. Um diese Einbettung zu erreichen, muss ein Wrapper implementiert werden, der die Schnittstellen des Modells in die des schon vorhandenen Ziel-Softwaresystems umsetzt. Da dieser Wrapper klassisch in der Zielsprache programmiert wird, lässt er sich nicht mehr auf Modellebene testen. Hier ist ein Modul- und Integrationstest nötig. Dieser Test kann innerhalb einer vorhandenen Testumgebung für Softwarekomponenten geschehen. In der Pilotierung wird für diesen integrativen Testschritt das Tool RT-Tester von Verified International [V] eingesetzt. 4 Ergebnisse und Erfahrungen In diesem Abschnitt berichten wir von den Erkenntnissen, die wir im Laufe der zwei Pilotierungsphasen gewonnen haben. Ein wesentliches Ziel des Einsatzes eines modellbasierten Softwareentwicklungstools war die Trennung von funktional logischen Anteilen der Software von der spezifischen Hardwareplattform. Dieses kann mit SCADE sehr gut umgesetzt werden. Die gewählte Abstraktionsebene erlaubt und erzwingt aufgrund ihrer präzisen Semantik einerseits die vollständige Beschreibung der logischen Funktionalität und abstrahiert andererseits hinreichend vom Zielsystem. Durch die Verwendung des Codegenerators geht das Modell ohne Bruch in die Implementierung ein. Dadurch sind unserer Meinung nach SCADE-Modelle auch prinzipiell geeignet, leicht auf andere Zielsysteme übertragen zu werden. Dies kann durch Änderung der dünnen Wrapper-Schicht eines Modells geschehen oder durch Verwendung eines anderen Code-Generators. Die Übertragung auf andere Zielsysteme ist aber bei unserer Pilotierung noch nicht verifiziert worden. Insgesamt sind das SCADE zugrunde liegende Paradigma eines zyklisch getakteten Systems und die synchrone Hypothese gut für die Umsetzung typischer Automatisierungsaufgaben geeignet. So arbeiten beispielsweise typische Prozessrechner als zyklisch getaktete Systeme. Bei dem vorhandenen Codegenerator gibt es verschiedene Optimierungsstufen, wobei der Code, der auf einer niedrigen Optimierungsstufe generiert wird, eine noch unzureichende Qualität hat. Code der höchsten Optimierungsstufe 3 hat eine brauchbare Qualität. Modellweite globale Optimierungen waren bei unseren Beispielen im generierten Code nicht erkennbar. Eine Schwierigkeit ist, dass in der Schnittstelle des zu einem Modell generierten Codes die Trennung von internem Zustand und Ein-/Ausgabedaten 75 nicht durchgängig ist: Der Codegenerator generiert zu jedem SCADE-Knoten nur eine CDatenstruktur, die sowohl die Ausgabedaten als auch die Daten des internen Zustandes des SCADE-Knotens enthält. Dies beeinträchtigt die Austauschbarkeit von Modellen innerhalb ihrer Ablaufumgebung erheblich. Hierbei sollte ein Modell durch ein abweichend implementiertes Modell mit derselben Schnittstelle einfach zu ersetzen sein. Außerdem entspricht der generierte Code nicht den MISRA-Richtlinien [M]. Der C-Code, der mit der Optimierungstufe 0 aus hierarchischen Zustandsmaschinen generiert wird, beinhaltet an mehreren Stellen ineinander verschachtelte Switch-case-Blöcke. Diese haben nur eine Auswahlalternative und besitzen keinen Default-Block. Es gibt einige problematische Punkte bei der Modellierung. Zunächst ist durch die relativ niedrige Abstraktion eine Modellierung auf der Ebene einer Systemarchitektur nicht möglich. Die Modellierung mit SCADE ist eher auf der Ebene der Implementierung angesiedelt. Es ergibt sich somit momentan noch eine Modellierungslücke zwischen den Anforderungen und der Implementierung. Gegenwärtig wird von Esterel Technologies ein Gateway zwischen SCADE und ARTiSAN entwickelt, der diese Lücke schließen soll. Eine weitere Schwierigkeit ist, SCADE-Modelle in Umgebungen zu integrieren, die nicht dem zyklisch synchronen Paradigma entsprechen. Dieser Anwendungsfall tritt auf, wenn, wie in unserem Fall, nur Teile einer „Alt-Software“ durch SCADE-Modelle ersetzt werden oder wenn das Zielsystem selbst keine zyklische synchrone Datenflussmaschine darstellt. Zwar ist die Einbettung in solchen Fällen trotzdem mit einem geeigneten Wrapper machbar, die Schnittstelle zwischen Modell und Laufzeitumgebung muss dann aber zwischen beiden „Welten“ umsetzten. Das führt dazu, dass Ergebnisse, die mittels formaler Verifikation auf Modellebene gewonnen wurden, einer sorgfältigen Interpretation bedürfen. Zudem muss in einem solchen Fall der Wrapper zusätzliche Funktionalitäten übernehmen. Er wird damit so komplex, dass ein eigener umfangreicher Modultest erforderlich ist. Beim Thema Test sind unsere Erfahrungen positiv. Durch die Beschreibung der logisch funktionalen Anteile einer Software auf Modellebene können diese Anteile frühzeitig unabhängig von der Zielhardware verifiziert werden. Durch die synchrone Hypothese gibt es jedoch wichtige Aspekte, die nicht ohne Weiteres im Modell getestet werden können – das sind Echtzeitaspekte und Performance. Diese müssen weiterhin auf der Zielhardware getestet werden. Ein Schwachpunkt beim Thema Test ist die fehlende Integration des SCADE-Simulators mit externen Debuggern. Eine Testumgebung, in der man SCADE-Modelle gemeinsam mit handgeschriebenem Code testen kann, existiert leider noch nicht. Begleitend zu unserer Pilotierung von SCADE hat eine unabhängige Evaluation der SCADE-Suite durch Siemens CT stattgefunden. Die Ergebnisse dieser Evaluation sind positiv ausgefallen. Bei der Untersuchung wurde ein Entwicklungsprozess, der auf SCADE basiert, mit einem ausgereiften Prozess verglichen, der die Programmiersprache C benutzt. Es wurde festgestellt, dass SCADE insgesamt positiv gegenüber der konventionellen Entwicklung abschneidet, wobei allerdings die Stärken von SCADE auf Konstruktion und Design liegen. Bei der Testunterstützung wurde noch Verbesserungsbedarf gesehen. 76 5 Fazit und Ausblick Zusammenfassend lässt sich feststellen, dass SCADE 6 trotz Einschränkungen bereits eine modellbasierte Entwicklung realisiert. Die Trennung von Logik und Hardware wird erreicht, sodass gerade bei langen Produktlebenszyklen der wesentliche Inhalt eines Systems unabhängig von der Hardware erhalten bleibt. Auch scheint der Einsatz von Analysetechniken vielversprechend (z. B. Model Checking mit dem SCADE Design Verifier). Auf diesem Gebiet konnten wir aber leider aufgrund der fehlenden Verfügbarkeit des Design Verifiers für SCADE 6 noch keine Erfahrungen sammeln. Ob der Einsatz von Model Checking nur zur Testunterstützung dient oder letztlich die Zertifizierung (teil)modellierter Systeme vereinfacht, bleibt im Moment noch offen. Hier sind noch intensive Gespräche mit den Zertifizierungsbehörden erforderlich. Bis ein breiter Einsatz von SCADE im produktiven Bereich erfolgen kann, müssen einige Verbesserungen realisiert werden – eine Toolstabilität ist noch nicht sichergestellt. In Zukunft wäre auch ein besseres Konzept zur Integration von Testumgebungen für Modelle mit solchen für klassisch programmierte Software und eine intuitivere Benutzerführung im Editor wünschenswert. Wir werden im Rahmen unsere Pilotierung untersuchen, wie sich Testfälle aus den Tests der Modellebene für den Integrationstest, der den Wrapper beinhaltet, wiederverwenden lassen. Trotz Einschränkungen werden bei Siemens Mobility in der Rail Automation die Aktivitäten zur modellbasierten Entwicklung mit SCADE intensiviert. SCADE wird beispielsweise für die Softwareentwicklung von Zugbeeinflussungssystemen eingesetzt. Hierbei wird auf den relevanten Zielrechnern der Simis-Reihe eine Ablaufumgebung eingesetzt werden, die sich an dem Execution-Chain-Pattern [Sz06] orientiert und zyklisch getaktet arbeitet. Diese Ablaufumgebung bietet SCADE-Modellen einen geeigneten Rahmen. Literaturverzeichnis [D] [J] [H91] [M04] [N01] [N03] [Sc07] [Sz06] [V] Telelogic DOORS, Telelogic AB, Malmö, http://www.telelogic.com/products/doors Java Usage Model Builder Library (JUMBL), Software Quality Research Laboratory, Univesity of Tennessee, http://www.cs.utk.edu/sqrl/esp/jumbl.html Halbwach, N. et al: The synchronous dataflow programming language LUSTRE, Proceedings of the IEEE 79, Nr. 9, 1991, 1305-1320. MISRA: MISRA-C: Guidelines for the Use of the C Language in Critical Systems, Oktober 2004. Norm CENELEC EN 50128: Railway application – Communications, signaling and processing systems – Software for railway control and protection systems, März 2001. Norm CENELEC EN 50129: Railway application – Communications, signaling and processing systems – Safety related electronic systems for signaling, Dezember 2003. Schieferdecker, I.: Modellbasiertes Testen, OBJEKTspektrum Mai/Juni 2007, 39-45. Schütz, D.: Execution Chain. In Longshaw, A.; Zdun, U.(Hg.): Proceedings of the 10th European Conference on Pattern Languages of Programs 2005, 1. Auflage 2006. Verified Systems International GmbH, Bremen, http://www.verified.de 77 Tool Support for Developing Advanced Mechatronic Systems: Integrating the Fujaba Real-Time Tool Suite with CAMeL-View∗ Stefan Henkler and Martin Hirsch Software Engineering Group University of Paderborn, Germany shenkler—[email protected] Abstract: The next generation of advanced mechatronic systems is expected to use its software to exploit local and global networking capabilities to enhance their functionality and to adapt their local behavior when beneficial. Such systems will therefore include complex hard real-time coordination at the network level. This coordination is further reflected locally by complex reconfiguration in form of mode management and control algorithms. We present in this paper the integration of two tools which allow the integrated specification of real-time coordination and traditional control engineering specifically targeting the required complex reconfiguration of the local behavior. 1 Introduction This paper is based on the formal tool demonstration and related paper, presented on ICSE 2007 in Minneapolis [BGH+ 07]. For mechatronic systems [BSDB00], which have to be developed in a joint effort by teams of mechanical engineers, electrical engineers, and software engineers, the advances in networking and processing power provide many opportunities. It is therefore expected that the next generation of advanced mechatronic systems will exploit these advances to realize more intelligent solutions where software is employed to exploit local and global networking capabilities to optimize and enhance their functionality by operating cooperatively. The cooperation in turn permits these systems to decide when to adapt their local behavior taking the information of cooperating subsystems into account. The development of such advanced mechatronic systems will therefore at first require means to develop software for the complex hard real-time coordination of its subsystems at the network level. Secondly, software for the complex reconfiguration of the local behavior in form of mode management and control algorithms is required, which has to proper coordinate the local reconfiguration with the coordination at the network level. ∗ This work was developed in the course of the Special Research Initiative 614 – Self-optimizing Concepts and Structures in Mechanical Engineering – University of Paderborn, and was published on its behalf and funded by the Deutsche Forschungsgemeinschaft. 78 The envisioned approach is complicated by the fact that classical engineers and software engineers employ different paradigms to describe their aspect of these systems. In software engineering discrete models such as state charts are frequently used to describe the required interaction, while the classical engineers employ continuous models to describe and analyze their control algorithms. To enable the model-based development of the outlined advanced mechatronic system, an integration between these two paradigms is required which fulfills the outlined requirements. To provide an economically feasible solution, the required integration must further reuse the concepts, analysis techniques, and even tools of both involved paradigms where possible. In [BGH+ 05], we demonstrated how to use the F UJABA R EAL -T IME T OOL S UITE1 to develop safety-critical real-time systems conform to the model-driven engineering (MDE) approach. We present in this paper the integration of two tools to bridge the development of software engineering for real-time systems with control engineering: the open source UML CASE tool F UJABA R EAL -T IME T OOL S UITE and the CAE tool CAMeLView. The employed concepts for the real-time coordination [GTB+ 03] and tool support for it have been presented in earlier work. For the the local reconfiguration only the concepts have been presented [GBSO04], while in this paper the developed tool support is described. In the remainder of this paper, we first introduce the modeling concepts for the integrated description of discrete and continuous models in Section 2. Then, we outline in Section 3 how this conceptual integration has to be paralleled at the execution level. Afterward, we discuss the benefits of our approach with respect to analysis capabilities in Section 4 and compare our approach with the related work in Section 5. We finally provide our conclusions and an outlook on planned future work. In the last Section 6, we give an overview about the planed tool demonstration. 2 Integration at the model level Modeling advanced mechatronic systems require the integration of modeling approaches used in software engineering and traditional engineering disciplines. To describe our approach for modeling these systems, we first introduce M ECHATRONIC UML for specifying discrete parts of a system in Section 2.1. As mechatronic systems have continuous parts too, we introduce in Section 2.2 block diagrams. We finally provide our approach for modeling the required integration of the different modeling paradigms in Section 2.3. 1 http://www.fujaba.de 79 2.1 Discrete Specification The software architecture of the considered mechatronic systems is specified in M ECHA TRONIC UML [BGT05] with components which are based on UML [Obj04] components. The components are self-contained units, with ports as the interface for communication. A component can contain other components and events can be delegated from the toplevel component to its subcomponents. The internals of a component are modeled with an extended version of UML State Machines. Ports are the only external access point for components and their provided and required interfaces specify all interactions which occur at the port. The interaction between the ports of the components takes place via connectors, which describe the communication channels. As UML state machines are not sufficient to describe complex time-dependent behavior (cf. [GO03]), we introduced Real-Time Statecharts (RTSC) [BGS05] as an appropriate modeling language for the discrete real-time behavior of a component and for the eventbased real-time communication between components. Real-Time Statecharts contain various Timed Automata [ACD90] related constructs. In contrast to Timed Automata, firing a transition in a RTSC consumes time. 2.2 Continuous Specification Mechatronic systems contain software to continually control the mechanic behavior. The standard notation for control engineering is a block diagram which is used to specify feedback-controllers as well as the controlled plant. Consequently, our approach uses block diagrams for the structural and behavioral specification of continuous components. Block diagrams generally consist of basic blocks, specifying behavior and hierarchy blocks that group basic and other hierarchy blocks. Each block has input and output signals. The unidirectional interconnections between the blocks describe the transfer of information. The behavior of basic blocks is usually specified by differential equations, specifying the relationship between the block’s inputs and outputs. 2.3 Hybrid Specification: Integration of Feedback-Controller Configurations As mentioned in Section 1, for mechatronic systems, it is not sufficient to specify how discrete states of a component change: Dependent on the current state, the components have to apply different feedback-controllers. In [BGT05], we introduced a new approach for the specification of hybrid behavior, which integrates discrete and continuous behavior, and even supports reconfiguration. The idea is to associate to each discrete state of a component a configuration of subordinated components. Such a configuration consists of the subordinated components and their current connection. These components are either pure continuous components (feeback- 80 controllers) or discrete or hybrid components. If the subordinated components are discrete or hybrid components, the configuration of these subordinated components consists also of the current state of the subordinated discrete or hybrid component. As hybrid components have a dynamic interface and shows just the ports required in their current state, also a configuration of components show just the in- and out-ports which are really required or used in the current state of the superordinated component. This kind of modeling leads to implied state changes: When the superordinated component changes its state, this implies reconfiguration of the subordinated components. The subordinated components reconfigure their communication connections and –if specified– their discrete state. Such implied state changes can imply further state changes, if the subordinated components embed further components. This kind of modeling leads to reconfiguration across multiple hierarchical levels. Compared to state of the art approaches, this approach has the advantage that models are of reduced size and that analyses require reduced effort (see Section 4). 3 Integration at runtime Our approach for developing reconfigurable mechatronic systems applies the model-driven development approach to develop software systems at a high level of abstractions to enable analysis approaches like model checking. Therefore, ideally, we start with platform independent models to enable the compositional formal verification (cf. [GTB+ 03]). Afterward, the platform independent model must be enhanced with platform specific information to enable code generation. The required platform specific information is based on a platform model, which specifies the platform specific worst case execution times. After providing the platform specific information, we generate code from the models. In the remainder of this section, the generated code is described. Therefore, we introduce the evaluation of the system’s components. Due to continuous and discrete parts of the considered mechatronic systems we have to consider data flow and event based evaluation. Complex reconfigurations lead to a lot of possible evaluation configurations and requires synchronization between the discrete and continuous parts. Our approach assures reconfigurations by the evaluation of the data flow and further we assure the data flow despite of reconfiguration. In the next subsections (Section 3.1, Section 3.2, and Section 3.3), we introduce our approach by considering first the discrete evaluation, then the continuous evaluation, and finally the hybrid evaluation. 3.1 Discrete Evaluation When a component is evaluated, it triggers periodically the evaluation of its embedded components. As not every embedded component belongs to every configuration, it depends on the current discrete state of the component which of the embedded components are evaluated. Then the triggered components will themselves trigger their embedded 81 components (in dependency of their discrete states) and so forth. Further, the association of configurations to discrete states leads to reconfiguration when a component changes its discrete state (e.g. when receiving an event). Due to the implied state changes (see Section 2.3), this leads to reconfiguration of the embedded components which are pure discrete, pure continuous or hybrid components. 3.2 Continuous Evaluation The continuous parts of a configuration describe the data flow between the continuous inputs and the continuous outputs of the system. To ensure stability of the continuous part of the system, the data flow may not be interrupted within a computation step. Consequential, reconfiguration may only occur between two computation steps. Therefore, we separate execution of the continuous, data flow-orientated, and the discrete, event-based, parts: At the beginning of a period, the continuous system parts are evaluated. This is followed by the evaluation of the discrete system parts. Thus, we ensure that the reconfiguration –which takes place in the discrete part– occurs after the computation of the continuous system part is finished. 3.3 Hybrid Evaluation Besides separating the continuous system parts from the discrete ones, it has to be managed which components need to be evaluated in which discrete state. Enhancing the top-level component with this information is usually not feasible as the number of global states grows exponentially with the number of components. Therefore, we compose the whole system as a tree structure consisting of single Hybrid Components to obtain an efficient implementation. Each Hybrid Component contains the information about its discrete and continuous parts –which may consist of system parts of the embedded components– itself. By the presented integration at runtime, we ensure consistent, correct data flow and an efficient implementation in spite of complex reconfiguration. Our seamless approach is realized by the Fujaba Real-Time Tool Suite in combination with the CASE Tool CAMeL. Both tools export hybrid components for the integration on the modeling level (see Section 2.3) and they export C++ code which is integrated to realize the hybrid, reconfiguration behavior. 4 Analysis capabilities For the outlined M ECHATRONIC UML approach, two specific verification tasks for the resulting systems are supported. First, the M ECHATRONIC UML approach supports model checking techniques for realtime processing at the network level. It addresses the scalability problem by supporting a 82 compositional proceeding for modeling and verification exploiting the component model and the corresponding definition of ports and connectors as well as patterns [GTB+ 03]. Secondly, a restricted subset of the outlined hierarchical component structures for modeling of discrete and continuous control behavior can be checked for the consistent reconfiguration and real-time synchronization w.r.t reconfiguration taking proactive behavior into account [GBSO04, GH06b]. As the second approach can be embedded into the first one, a combination of both approaches cover the whole real-time coordination issues from the network level down to the reconfiguration of the lowest level components. 5 Related work Related tools and techniques to M ECHATRONIC UML are CHARON, Hybrid UML with HL3 , HyROOM/HyCharts/Hybrid Sequence Charts, Massacio and Giotto, Matlab/Simulink/Stateflow, Ptolemy II, and UMLh [GH06a]. All presented tools and techniques support the specification of a system’s architecture or structure by a notion of classes or component diagrams. All approaches support modular architecture and interface descriptions of the modules. Nevertheless, they do not respect that a module can change its interface due to reconfiguration which can lead to incorrect configurations. CHARON, Masaccio, HybridUML with HL3 , UMLh , HyROOM, and HyCharts have a formally defined semantics, but due to the assumption of zero-execution times or zeroreaction times, most of them are not implementable, as it is not realizable to perform a state change infinitely fast on real physical machines. CHARON is the only approach providing an implementable semantics. HyCharts are implementable after defining relaxations to the temporal specifications. They respect that idealized continuous behavior is not implementable on discrete computer systems. Further, CHARON provides a semantic definition of refinement which enables model checking in principle. Ptolemy II even provides multiple semantics and supports their integration. Automatic verification of the real-time behavior including the reconfiguration is supported by CHARON. It even supports hybrid modelchecking. Compositional modelchecking of real-time properties is possible for CHARON and HyCharts in principle due to their definition of refinement. Schedulability analysis is supported by CHARON and Ptolemy II. Although the approaches separate the architectural description from the behavioral description, they do not support the separated specification and verification of communication, real-time behavior and hybrid behavior and their later step-wise integration. Although most of these approaches enable ruling the complexity by a modular, component-based architecture and by behavioral models that support history and hierarchical and orthogonal states, reconfiguration across multiple hierarchical levels as required for the advanced mechatronic systems envisioned and provided by the presented approach is supported by none of them. 83 All these approaches have drawbacks in modeling support, support for formal analysis, or in multiple of these categories. Although many approaches enable ruling the complexity by a modular, component-based architecture and by behavioral models that support history and hierarchical and orthogonal states, our approach is the only one that supports reconfiguration via multiple hierarchical levels. This is supported by the additional high-level modeling construct of the implied state change for modeling reconfiguration. Further, our approach enables reconfiguration by adapting the structure instead of just exchanging whole models or blinding out unused parts of the system. This is enabled by associating whole configurations instead of single components to the system’s discrete states. The presented approaches either do not support formal analysis or this is restricted to simple models as it does not scale for complex systems. Our approach is the only one that integrates high-level models, specifying hybrid behavior and reconfiguration, in a wellstructured approach for the verification of the real-time behavior of complex, distributed systems. 6 Tool support and demonstration The presented seamless approach is realized by the Fujaba Real-Time Tool Suite. We integrate the Fujaba Real-Time Tool Suite with the CASE Tool CAMeL and therefore use the ability of CAMeL to generate code. As shown in Figure 1 both tools export hybrid components, which are integrated into a hierarchical model as a input for the binding tool. The export of the tools includes already the transformation of the model formalism to a code formalism, like C++. Afterward, the binding tool combine the inputs and therefore combines both formalisms. CAMeL ! :Clock[Flywheel] d 2! r 2 # cos ! dt :Pendulum ! Fujaba d 2! # " g sin ! dt 2 [woundUp] :Clock Dynamics Model d 2! # " g sin ! dt 2 Hybrid Statecharts :Flywheel :Flywheel d 2! r 2 # cos ! dt :Pendulum Hybrid Components Hybrid Components Deployment XML XML XML XML IPANEMA :Clock :Flywheel d 2! r 2 # cos ! dt Deployment :Pendulum ! Code Code Code d 2! # " g sin ! dt 2 Integrated Hybrid Model Binding Tool int main() { initialize(); } Executable System Figure 1: Tool Integration Overview 84 [unwound] :Clock[Pendulum] The demonstration is shown by an example from the RailCab2 research project at the University of Paderborn. In this project, autonomous shuttles are developed which operate individually and make independent and decentralized operational decisions. One particular problem is to reduce the energy consumption due to air resistance by coordinating the autonomously operating shuttles in such a way that they build convoys whenever possible. Such convoys are built on-demand and require a small distance between the different shuttles such that a high reduction of energy consumption is achieved. Coordination between speed control units of the shuttles becomes a safety-critical aspect and results in a number of hard real-time constraints, which have to be addressed when building the control software of the shuttles. Additionally, different controllers are used to control the speed of a shuttle as well as the distance between the shuttles. The controllers have to be integrated with the aforementioned real-time coordination. In this demonstration, we will first show how the structure of the software is specified by component diagrams. Then we will present the behavior for the discrete components and the continuous control components respectively. Thereafter, we show how the continuous components are embedded into the discrete real-time behavior. After code generation and compilation, we show the behavior of the system using a simulation environment. 7 Conclusion The tool integration of the CAE Tool CAMeL-View and the CASE Tool Fujaba Real-Time Tool Suite enables the application of our approach by continuing using well-approved tools. It does not only integrate models, but also the synthesized source code. Future Work When changing behavior and structure of a system, reconfiguration is just the first step, a new trend deals with compositional adaptation, i.e. the behavior and the structure is changed, but the possible configurations are not all known at design time or their number is infinite. A first attempt to model compositional adaptation is given in [BG05]. There, reconfiguration rules which are based on graph transformation systems are introduced to specify compositional adaptation. Obviously, such a model also needs to be implemented, the reconfiguration rules need to be respected appropriately in the verification, and the model requires a formally defined semantics. This will be subject to future work. References [ACD90] Rajeev Alur, Costas Courcoubetis, and David Dill. Model-checking for Real-Time Systems. In Proc. of Logic in Computer Science, pages 414–425. IEEE Computer Press, June 1990. [BG05] Sven Burmester and Holger Giese. Visual Integration of UML 2.0 and Block Diagrams for Flexible Reconfiguration in Mechatronic UML. In Proc. of the IEEE Symposium on 2 http://nbp-www.upb.de/en/ 85 Visual Languages and Human-Centric Computing (VL/HCC’05), Dallas, Texas, USA, pages 109–116. IEEE Computer Society Press, September 2005. [BGH+ 05] Sven Burmester, Holger Giese, Martin Hirsch, Daniela Schilling, and Matthias Tichy. The Fujaba Real-Time Tool Suite: Model-Driven Development of Safety-Critical, RealTime Systems. In Proc. of the 27th International Conference on Software Engineering (ICSE), St. Louis, Missouri, USA, pages 670–671, May 2005. [BGH+ 07] Sven Burmester, Holger Giese, Stefan Henkler, Martin Hirsch, Matthias Tichy, Alfonso Gambuzza, Eckehard Müch, and Henner Vöcking. Tool Support for Developing Advanced Mechatronic Systems: Integrating the Fujaba Real-Time Tool Suite with CAMeL-View. In Proc. of the 29th International Conference on Software Engineering (ICSE), Minneapolis, Minnesota, USA, pages 801–804. IEEE Computer Society Press, May 2007. [BGS05] Sven Burmester, Holger Giese, and Wilhelm Schäfer. Model-Driven Architecture for Hard Real-Time Systems: From Platform Independent Models to Code. In Proc. of the European Conference on Model Driven Architecture - Foundations and Applications (ECMDA-FA’05), Nürnberg, Germany, Lecture Notes in Computer Science, pages 25– 40. Springer Verlag, November 2005. [BGT05] Sven Burmester, Holger Giese, and Matthias Tichy. Model-Driven Development of Reconfigurable Mechatronic Systems with Mechatronic UML. In Model Driven Architecture: Foundations and Applications, LNCS 3599, pages 47–61. Springer-Verlag, August 2005. [BSDB00] David Bradley, Derek Seward, David Dawson, and Stuart Burge. Mechatronics. Stanley Thornes, 2000. [GBSO04] Holger Giese, Sven Burmester, Wilhelm Schäfer, and Oliver Oberschelp. Modular Design and Verification of Component-Based Mechatronic Systems with OnlineReconfiguration. In Proc. of 12th ACM SIGSOFT Foundations of Software Engineering 2004 (FSE 2004), Newport Beach, USA, pages 179–188. ACM, November 2004. [GH06a] Holger Giese and Stefan Henkler. A Survey of Approaches for the Visual Model-Driven Development of Next Generation Software-Intensive Systems. In Journal of Visual Languages and Computing, volume 17, pages 528–550, December 2006. [GH06b] Holger Giese and Martin Hirsch. Modular Verificaton of Safe Online-Reconfiguration for Proactive Components in Mechatronic UML. In Jean-Michel Bruel, editor, Satellite Events at the MoDELS 2005 Conference, Montego Bay, Jamaica, October 2-7, 2005, Revised Selected Papers, LNCS 3844, pages 67–78. Springer Verlag, January 2006. [GO03] Susanne Graf and Ileana Ober. A Real-Time profile for UML and how to adapt it to SDL. In Proceedings of the SDL Forum’03, 2003. [GTB+ 03] H. Giese, M. Tichy, S. Burmester, W. Schäfer, and S. Flake. Towards the Compositional Verification of Real-Time UML Designs. In Proc. of the European Software Engineering Conference (ESEC), Helsinki, Finland, pages 38–47. ACM Press, September 2003. [Obj04] 86 Object Management Group. UML 2.0 Superstructure Specification, October 2004. Document: ptc/04-10-02 (convenience document). Composition of Model-based Test Coverage Criteria Mario Friske, Bernd-Holger Schlingloff, Stephan Weißleder Fraunhofer FIRST, Kekuléstraße 7, D-12489 Berlin {mario.friske|holger.schlingloff|stephan.weissleder}@first.fraunhofer.de Abstract: In this paper, we discuss adjustable coverage criteria and their combinations in model-based testing. We formalize coverage criteria and specify test goals using OCL. Then, we propose a set of functions which describe the test generation process in a generic way. Each coverage criterion is mapped to a set of test goals. Based on this set of functions, we propose a generic framework enabling flexible integration of various test generators and unified treatment of test coverage criteria. 1 Motivation In the field of software and system testing, the quality of test suites is one of the most important issues. Widely accepted means for assessing the quality of a test suite are coverage criteria. Criteria can be defined on the coverage of certain characteristics of specification, implementation, or even fault detection abilities of the test suite. The result is a large variety of defined criteria for structural, functional, and fault coverage. In the course of model-based engineering, structural coverage criteria have been adopted to models (e. g., UML state machines). Whereas existing norms and standards for safety-critical systems focus mainly on code coverage, this paper deals with model coverage criteria. An interesting aspect is the relationship between different coverage criteria. Similar criteria are related by subsumption relations (e. g., All-States [Bin99] is subsumed by AllTransitions [Bin99]). However, relationships between criteria from different groups (e. g., Multi-Dimensional [KLPU04] defined on data partitions and MCDC [Lig02] defined on control-flow graphs) are not yet thoroughly investigated and need further analysis [WS08]. Nevertheless, testers desire a means for flexibly applying combinations of different coverage criteria, because individual criteria are well investigated and allow dedicated statements on covering certain risks and aspects. In this paper, we present a generic framework that allows combining test suites at various abstraction levels. We provide functional descriptions for various stages in a coverageoriented test generation process and discuss possibilities for the composition of coverage criteria and the optimization of test suites at different levels. We formalize coverage criteria and resulting test goals in OCL [Obj06] using an example from the domain of embedded systems. The framework uses functional specifications with OCL as a means for specifying test goals. It features flexible application and combination of coverage criteria and enables to plug-in various test generators. Furthermore, the framework supports precise statements on achieved coverage relying on OCL-based traceability information. 87 The remainder of this paper is organized as follows: In the next Section, we discuss coverage criteria and their relations and introduce our running example. In Section 3, we give a functional description of a multi-stage test generation process, and formalize test coverage criteria and test goals using OCL. In Section 4, we use functional signatures and specifications of test goals with OCL for sketching a framework to compose test coverage criteria. Finally, we draw some conclusions and give an outlook to future work. 2 Relation between Coverage Criteria The aim of model-based testing is to validate a system under test (SUT) against its specification, the model. For that, a test suite is generated from the model and executed to examine the SUT. Coverage criteria qualify the relation between test cases and implementation or model. It is common sense to group coverage criteria into sets based on the same foundation, like structural (e. g. [Lig02]), functional (e. g. [Lig02]), and fault coverage (e. g. [FW93, PvBY96]). Members of one group are related by the subsume relation and visualized as subsumption hierarchy [Nta88, Zhu96, Lig02]. In [Lig02, pages 135 and 145] two subsumption hierarchies for control-flow-oriented and data-flow-oriented criteria are presented. Since both hierarchies contain the criteria Path Coverage and Branch Coverage, they can be united in a single hierarchy using these criteria as merge points. The resulting hierarchy contains a variety of control-flow-oriented (including path-based and condition-based criteria) and data-flow-based coverage criteria, as depicted in Figure 1. Path Coverage Control-Flowbased Criteria Data-Flowbased Criteria Conditionbased Criteria Branch Coverage Figure 1: Combination of Different Types of Coverage Criteria 2.1 Example: a Fail-safe Ventricular Assist Device As an example, we consider a ventricular assist device (VAD) supporting the human heart. It provides an external pulsatile drive for blood circulation, which can help patients with heart diseases to recover. The VAD is designed for stationary use with paediatric and stroke patients. Both pump and control unit are attached outside the body. There are several parameters, which can be set by the doctor via a serial connection such as systolic and diastolic pressure, desired blood flow, and pump frequency. The VAD has a redun- 88 VAD dant architecture with three pneumatic motors, two of which must be frequently running. The control unit is replicated twice, as depicted in the object model diagram in Figure 2, one processor being operational and the other being in “hot” standby mode. In case of malfunction of one motor, the active controller starts the redundant one (in the appropriate mode). In case of failure of a controller, the redundant one takes over control. VAD 1 C1:Controller checked:bool runP():void runS():void 1 itsA 1 A:Arbiter itsA checked:bool isOK():void failure():void itsC1 C2:Controller runP():void runS():void itsC2 Figure 2: Object Model Diagram for VAD with two redundant controllers In Figure 3 we give two UML2 state machines of (part of) the startup functionality of the software. Initially, the primary controller performs startup tests, reads the preset configuration, and starts the pumps. It then waits for some time to let the blood flow stabilize and compares the actual and desired pressure and flow values. A discrepancy of these values indicates a problem in one of the pumps, and the pumps are switched. Otherwise, the controller blocks itself, causing a reset, such that the roles of primary and secondary controller are switched, and self-testing is repeated. Subsequently, the VAD goes into main operational mode, where a continuous monitoring of pumps and blood circulation takes place. StatechartOfArbiter StatechartOfController runP[!checked] [min<=p && p<=max]/ itsA->GEN(isOK()); checked=true; init /itsC1->GEN(runP()); isOK/itsC2->GEN(runP()); checkC1 check isOK/itsC2->GEN(runP()); itsC1->GEN(runS()); [else] runS runS runP[checked] run_second runP CheckC2 C1isP C2isP run_prim failure/itsC2->GEN(runS()); itsC1->GEN(runP()); Figure 3: UML State Machines of VAD Controller (left) and VAD Arbiter (right) 2.2 Application of Combined Test Coverage Criteria Thorough testing of models such as shown above requires application of (a combination of) several coverage criteria each focussing on a different aspect. E. g., for the state machines shown in Figure 3, a possible reasonable strategy comprises the following criteria: Page 1 of 1 89 1. (a) All-Transitions [Bin99] as lower viable criterion for testing state machine (this subsumes the criteria All-States [Bin99] and All-Events [Bin99]), and (b) All-n-transitions [Bin99] as extended state-based criterion targeting typical failures of state machines, 2. MCDC [Lig02] covering complex decisions in action code, and 3. Boundary-Value Analysis [Mye79] focussing on correct implementation of comparisons. These criteria relate to the combined subsumption hierarchy in Figure 1 as follows: (1) results from transferring path-based criteria to state machines and (2) is a condition-based criterion. The criterion (3) is orthogonal to the depicted criteria. A data-flow-based criteria is not contained in this list, but still can be used to measure coverage achieved by applying criteria (1)–(3), see [Lig02]. Applying the above coverage criteria to the models of the VAD presented in Section 2.1 in order to generate test cases results in a number of test goals. In the following, we give an example of a test goal for each of the coverage criteria above: All-2-Transitions: The sequence of the two transition characterized by the following trigger[guards]: (1) runP[!checked], (2) [min≤p && p≤max]. MCDC: Evaluation of the guard [min≤p && p≤max] where both conditions become true (i. e., min≤p=true and p≤max=true). BVA: The upper bound of the equivalence partition “normal” (i. e., the highest value of p allowed for normal operation). Note that it is possible to fulfill all test goals described above with a single test case. 3 Specification of Coverage Criteria and Test Goals using OCL It is common practice to generate test cases in a multi-step transformation process: First, a generator applies coverage criteria to the specification (e. g., a state machine) and calculates all resulting test goals (e. g., paths through a state machine), see [IL04]. Then, the generator creates a concrete test case for each test goal (e. g. a sequence of events triggering a certain path through a state machine). We describe the multi-stage test generation process with a set of corresponding functional signatures: gen : S × CC ⇒ T S × M D goalgen : S × CC ⇒ T G testgen : T G ⇒ T S × M D where S is a specification, CC a coverage criterion, T G a set of test goals, T S the test suite, and M D meta data (e. g., describing achieved percentage of coverage). The overall 90 test generation function gen is the functional composition of the generation of test goals goalgen and the generation of logical test cases from test goals testgen: gen(S, CC) = testgen(goalgen(S, CC)). In the following, we use OCL as a means to precisely define one exemplary coverage criterion and a corresponding test goal. 3.1 Specification of Coverage Criteria in OCL In this section, we present an OCL expression that determines model elements for the coverage criterion All-2-Transitions. To satisfy this coverage criterion, a test suite has to contain all possible pairs of subsequent transitions t1 and t2 , where t1 .target = t2 .source. All OCL expressions are based on the meta model of UML state machines [Obj07, page 525]. For sake of simplicity, the context of all OCL queries is a flat StateMachine. The following expression searches for pairs of subsequent transitions. context StateMachine def: all2Transitions : Set(Sequence(Transition)) = self.region.transition->iterate( t1 : Transition; resultSet : Set(Sequence(Transition)) = Set{Sequence{}} | resultSet->union( t1.target.outgoing->iterate( t2 : Transition; tmpSet : Set(Sequence(Transition)) = Set{Sequence{}} | tmpSet->including( Sequence{t}->including(t2))))) 3.2 Specification of Test Goals in OCL In the previous section, we gave an OCL expression to define a coverage criterion on a UML model. The application of such a criterion to a specific model instance results in a set of test goals. In the following, we give two alternative OCL expressions for a particular test goal, which results from applying the coverage criterion All-2-Transitions on our example of a fail-safe Ventricular Assist Device presented in Section 2.1. The first alternative depends on the availability of unique identifiers for the corresponding model elements: context StateMachine def: goalForAll2Transitions : Sequence(Transition) = Sequence{self.region.transition->select(name = ’t1’), self.region.transition->select(name = ’t2’)} 91 It is also possible to calculate test goals using the OCL definition of the specified coverage criterion. For instance, the following expression selects the first element of the set of elements returned for the criterion All-2-Transitions: context StateMachine def: goalForAll2Transitions : Sequence(Transition) = all2Transitions->asSequence()->first() 4 A Generic Framework for Composing Coverage Criteria In this section, we sketch a possible design for a generic framework that allows flexible integration of various test generators and unified treatment of test coverage criteria. The formalization of coverage criteria and individual test goals relies on the previously defined OCL expressions. In order to integrate various test generators, they have to fulfill the following requirements: Access to test goals: We assume that the generators implement a goal-oriented approach and do not just provide a black-box functionality gen but two separated functions goalgen and testgen with independently accessible outcomes (see Section 3). Precise signatures: Each test case generator has to provide precise meta-information about it’s functionality including it’s name, accepted types of specifications (model elements), parameters, achievable coverage, and related coverage criteria. The implementation of a framework for generator integration requires clarifying the storage of test case and test goals. A unified format for test cases is not necessarily required as long as formal meta-information on the achieved coverage is accessible. We recommend specifying required and achieved test goals using OCL as presented in Section 3.2. Furthermore, a precise specification of interfaces is required. A platform supporting plugin-based software development such as Eclipse [Ecl] can be used to integrate various generators as plug-ins. Commercial off-the-shelf generators can be integrated using wrappers. Conversion functions for test goals from proprietary formats into OCL are required. As we have discussed in [FS06], testers ideally want to select coverage using a graphical interface. Various test generators can be integrated in a plug-in-based framework. Each of these generators provides detailed information on achievable coverage, which can be presented to the tester in a structured or a graphical form (e. g., as a subsumption hierarchy). The tester can select a set of coverage criteria (e. g., using sliders on a graphical visualisation of a unified subsumption hierarchy as depicted in Figure 1). The selected coverage information is passed to the generators and used to control the test generation process. Specifying test goals using OCL allows to attach detailed traceability information [Som07, Chapter 7] to each generated test case. This allows to return information to the tester about unsatisfied test goals as OCL expressions and to realize enhanced dashboard functionalities that overlap diverse generators. The tester can individually process unfulfilled test goals by manually adding test cases or treating test goals shown as being unreachable. 92 By applying more than one coverage criterion to the multi-stage test generation process, three integration options can be identified: (1) integration at coverage-criteria-layer (i. e., definition of newly combined coverage criteria), (2) integration at test-goal-layer (i. e., merging of test goals), and (3) integration at test-suite-layer (i. e., merging of test suites). The corresponding functional descriptions are the following: gen1 : S × CC1 → T S1 gen2 : S × CC2 → T S2 where ⊕ is a suitably defined merging operator. 1. CCn = CC1 ⊕ CC2 2. T Gn = T G1 ⊕ T G2 3. T Sn = T S1 ⊕ T S2 Option 1 can be reasonable if the coverage criteria are not connected by the subsumption relation. Option 2 can be realized via function goalunion : T G1 × T G2 → T Gn . Option 3 can be realized via function testunion : T S1 × T S2 → T Sn . Note that in general, the test suite resulting from the union of two test goals is not the same as the union of the test suites for the components. Usually, it is desired that the resulting test suite is optimized with respect to implicit properties like the number or the average length of test cases. One solution is a dedicated optimization operation opt : T Sn → T Sopt that optimizes a test suite according to given properties while preserving coverage. The optimization requires a weighting function. As an example, an implementation of opt could remove duplicates and inclusions from a test suite. 5 Conclusions and Outlook In this paper, we addressed specification and combination of coverage criteria. We sketched the relations between coverage criteria and provided a consistent set of functional signatures to define coverage criteria, test goals, test suites, and the corresponding generation functions. This is complemented by a formalization of coverage criteria and test goals. We substantiated our explanations by the example of a fail-safe ventricular assist device. The following benefits result from our approach: Different test case generators can be integrated and combined using test goals represented as OCL expressions. Due to the use of OCL for formalization, coverage criteria, test goals, and test suites can be compared, merged, and optimized. Integration is possible at coverage-criteria-layer, test-goal-layer, and test-suite-layer. The use of OCL enables testers to define arbitrary coverage criteria. Furthermore, using OCL allows to evaluate achieved coverage and supports analysis and completion of missing test goals. The formalization of the test suite generation process allows to trace test cases to test goals, coverage criteria, and specification elements. In the future, we plan to extend the presented approach. This includes the definition of coverage criteria on abstractions (including model-based tool support) and the prioritization of test goals. This paper did not deal with the fault detection capabilities of various (combined) coverage criteria; this topic needs to be investigated further. First steps towards this question have been done (e. g., in [PPW+ 05, WS08]). Currently we have no tool support for the presented method. We want to implement the sketched framework and a corresponding OCL-based test generator. 93 References [Bin99] R. V. Binder. Testing Object-Oriented Systems: Models, Patterns, and Tools. Object Technology Series. Addison-Wesley, 1999. [Ecl] Eclipse Foundation. Eclipse. http://www.eclipse.org/. [FS06] M. Friske and B.-H. Schlingloff. Abdeckungskriterien in der modellbasierten Testfallgenerierung: Stand der Technik und Perspektiven. In Holger Giese, Bernhard Rumpe, and Bernhard Schätz, editors, ”Modellbasierte Entwicklung eingebetteter Systeme II” (MBEES), pages 27–33. Technische Universität Braunschweig, 2006. [FW93] P. G. Frankl and E. J. Weyuker. A Formal Analysis of the Fault-Detecting Ability of Testing Methods. IEEE Transactions on Software Engineering, 19(3):202–213, 1993. [IL04] I-Logix. Rhapsody Automatic Test Generator, Release 2.3, User Guide, 2004. [KLPU04] N. Kosmatov, B. Legeard, F. Peureux, and M. Utting. Boundary Coverage Criteria for Test Generation from Formal Models. In ISSRE ’04: Proceedings of the 15th International Symposium on Software Reliability Engineering (ISSRE’04), pages 139–150, Washington, DC, USA, 2004. IEEE Computer Society. [Lig02] P. Liggesmeyer. Software-Qualität: Testen, Analysieren und Verifizieren von Software. Spektrum Akadamischer Verlag, 2002. [Mye79] G. J. Myers. The Art of Software Testing. John Wiley & Sons, Inc., 1979. [Nta88] S. C. Ntafos. A Comparison of Some Structural Testing Strategies. IEEE Transactions on Software Engineering, 14(6):868–874, 1988. [Obj06] Object Management Group. OCL 2.0 Specification, version 2.0 (formal/06-05-01), 2006. [Obj07] Object Management Group. OMG Unified Modeling Language (OMG UML), Superstructure, V2.1.2 (formal/07-11-02), 2007. [PPW+ 05] A. Pretschner, W. Prenninger, S. Wagner, C. Kühnel, M. Baumgartner, B. Sostawa, R. Zölch, and T. Stauner. One evaluation of model-based testing and its automation. In ICSE ’05: Proceedings of the 27th international conference on Software engineering, pages 392–401, New York, NY, USA, 2005. ACM. [PvBY96] A. Petrenko, G. v. Bochmann, and M. Yao. On fault coverage of tests for finite state specifications. Computer Networks and ISDN Systems, 29(1):81–106, 1996. 94 [Som07] I. Sommerville. Software Engineering. Addison-Wesley, 7th edition, 2007. [WS08] S. Weißleder and B.-H. Schlingloff. Quality of Automatically Generated Test Cases based on OCL Expressions. http://www.cs.colostate.edu/icst2008/, April 2008. [Zhu96] H. Zhu. A Formal Analysis of the Subsume Relation Between Software Test Adequacy Criteria. IEEE Transactions on Software Engineering, 22(4):248–255, 1996. Testbasierte Entwicklung von SteuergeräteFunktionsmodellen Frank Tränkle, Robert Bechtold, Stefan Harms Funktionsentwicklung & Simulation GIGATRONIK Stuttgart GmbH Hortensienweg 21 D-70374 Stuttgart [email protected] Abstract: Die modellbasierte Funktionsentwicklung für eingebettete elektronische Systeme findet in der Automobilindustrie vielfache Anwendung. Qualität und funktionale Sicherheit der entwickelten Steuergerätefunktionen werden durch Verifikation und Validierung abgesichert. Eine geeignete Methode für die durchgängige Spezifikation, Implementierung und Verifikation von SteuergeräteFunktionsmodellen besteht in der Testbasierten Entwicklungsmethode 2dev®. Der Ausgangspunkt ist eine formale Spezifikation, aus welcher sowohl ein Funktionsmodell als auch Testfälle für die vollständige Verifikation generiert werden. Als Ergebnis dieser Vorgehensweise erhält der Entwicklungsingenieur Aussagen über Definitionslücken und Widersprüche in der Spezifikation, um diese gezielt zu schließen und zu lösen. 1 Einleitung Die modellbasierte Funktionsentwicklung für elektronische Steuergeräte im Automobilbereich ist heute auf breiter Basis etabliert. Zur Entwicklung von kontinuierlichen und ereignisbasierten Reaktiven Systemen werden etablierte Entwicklungsumgebungen wie Simulink®/Stateflow®, TargetLink® und ASCET® eingesetzt. Mit den zugehörigen Auto-Code-Generatoren werden die Software-Module für elektronische Steuergeräte automatisiert aus den Funktionsmodellen generiert. Wesentliche Vorteile der modellbasierten Funktionsentwicklung sind die Reduzierung der Entwicklungszeit und -kosten sowie die Erhöhung der Produktinnovation [SC05, Co07]. In vielen Entwicklungsprojekten für Steuergeräte-Funktionen fehlt es an vollständiger Spezifikation und ausreichenden Tests. Häufige nicht beantwortete Fragen von Entwicklungsingenieuren sind: „Wann ist das Funktionsmodell fertig gestellt?“ und „Wann sind alle Tests durchgeführt?“. In den Entwicklungsprozessen fehlt häufig eine durchgängige Vorgehensweise für die Spezifikation, die Implementierung und die Verifikation der Steuergerätefunktionen. 95 Fehler in der Spezifikation oder in der Steuergerätefunktion werden zumeist erst im Hardware-In-The-Loop-Test oder Fahrversuch festgestellt. Große Iterationsschleifen sowie hohe Zeit- und Kostenaufwände sind die Folge. 2 Testbasierte Entwicklung Die Testbasierte Entwicklungsmethode 2dev® (Test-oriented Development Method) kann die Entwicklungprozesse beschleunigen und die Kosten senken [BS06]. 2dev® ist eine integrierte Methode zur formalen Spezifikation, Modellgenerierung und automatischen Verifikation von Funktionsbausteinen für elektronische Steuergeräte. Mit 2dev® werden gegenwärtig Funktionsbausteine für ereignisdiskrete Reaktive Systeme unter Einsatz von Simulink®/Stateflow® und TargetLink® entwickelt. Ein wesentliches Ziel ist die frühzeitige Erkennung und Behebung von Fehlern in der Spezifikation und damit auch im Funktionsmodell. Abbildung 1: Workflow der Testbasierten Entwicklungsmethode 2dev® 2dev® führt zur systematischen Funktionsentwicklung. Spezifikation und Funktionsmodell sind zu jeder Zeit konsistent. Die Spezifikation ist gleichermaßen formal vollständig und allgemein verständlich formuliert. Diese formale Spezifikation ist Ausgangspunkt für die folgenden Prozessschritte im 2dev®-Workflow (siehe Abbildung 1): der automatisierten Generierung sowohl des Funktionsmodells als auch der Testfälle. Der anschließende Prozessschritt Testdurchführung umfasst die Stimulation des Funktionsmodells durch die generierten Testvektoren sowie die Auswertung des simulierten Ein-/Ausgangsverhaltens durch einen Vergleich mit dem spezifizierten Verhalten. Test-Driven Development [Kb07] hat sich als eine Entwicklungsmethode in der objektorientierten Softwareentwicklung etabliert. Hier werden Unit-Tests zeitlich vor den zu testenden Software-Modulen entwickelt. Analog zu 2dev® werden bei der automatisierten Testdurchführung beispielsweise Widersprüche in der Spezifikation erkannt. In diesem Fall erfolgt eine Anpassung der Spezifikation. Diese Iterationsschleife ist fester Bestandteil des 2dev®-Workflows (siehe Abbildung 1). 96 3 Funktionsmerkmale der Testbasierten Entwicklungsmethode 2dev® 2dev® weist folgendes wesentliches Funktionsmerkmal auf: Die Methode definiert Richtlinien für die formale Spezifikation, die sowohl die automatische Modell- und Testfallgenerierung als auch die automatische Testfallauswertung ermöglichen. Die formale Spezifikation kann derzeit in Microsoft Word®, in MATLAB® oder in DOORS® erstellt werden. Für die verschiedenen Eingabeformen stehen geeignete Schablonen zur Verfügung. Der 2dev®-Testgenerator verarbeitet die Spezifikationsdokumente automatisch und generiert Testvektoren für den spezifizierten Funktionsbaustein. Der 2dev®Modellgenerator generiert aus der formalen Spezifikation ein Stateflow-Modell. Die Testaussage resultiert aus zwei Abdeckungsanalysen, der Requirements Coverage und der Model Coverage. Die Requirements Coverage wird von 2dev® generiert, während die Model Coverage mittels der Toolbox Simulink® Verification and Validation (V&V) erzeugt wird. Die Requirements Coverage deckt Definitionslücken in der formalen Spezifikation auf. Eine unvollständige formale Spezifikation wird bei der automatisierten Testdurchführung dadurch erkannt, dass für einzelne Testschritte keine Anforderungen in der Spezifikation existieren. Widersprüche in der formalen Spezifikation werden dadurch erkannt, dass für einen Testschritt beispielsweise mehrere Anforderungen aktiviert werden, diese aber ein widersprüchliches Ein-/Ausgangsverhalten definieren. Die Model Coverage prüft zusätzlich dieVollständigkeit der generierten Testfälle und deckt tote Codeanteile auf. Ein Algorithmus kann in ereignisbasierte Reaktive Systeme (Logikanteile, Entscheidungsanteile) und kontinuierliche Reaktive Systeme (Dynamikanteile, Berechnungs- und Regleranteile) unterteilt werden. 2dev® unterstützt die Entwicklung ereignisbasierter Reaktiver Systeme in Form einzelner Funktionsbausteine in Simulink®, Stateflow® oder TargetLink®. Für die Entwicklung kontinuierlicher Reaktiver Systeme existieren etablierte Methoden beispielsweise aus der Regelungstechnik. 4 Anwendungsbeispiel Als Anwendungsbeispiel für die Testbasierte Entwicklungsmethode 2dev® wird ein vereinfachter Statusgenerator einer Tempomatfunktion betrachtet. Dieser Statusgenerator ist ein ereignisbasiertes Reaktives System, das durch eine Verarbeitung der Eingangssignale Tempomat-Ein-Aus-Schalter, Geschwindigkeitsvorgabe-Taster und Bremssignal den Tempomat-Status berechnet. 97 R1 ausgeschaltet R2 Einschalten R4 Ausschalten R8 Ausschalten R5 Bremsen R3 regelnd R6, R9 unterbrochen R7 Wiederaufnahme Abbildung 2: Zustandsautomat für Tempomat-Statusgenerator Der Tempomat-Statusgenerator kann als endlicher Zustandsautomat im Spezifikationsdokument in Form einer Skizze dargestellt werden (siehe Abbildung 2). Jeder der drei Zustände repräsentiert einen gültigen Tempomat-Status. Die Bedingungen für die Transitionen werden durch logische Ausdrücke für die Eingangssignale berechnet. Dieser Zustandsautomat besitzt ein Gedächtnis. Für einen vollständigen Test müssten deshalb Eingangssignalverläufe generiert werden, die den zeitlichen Aspekt erfassen. Sowohl die Erstellung als auch die Auswertung solcher Sequenzen sind in der Regel mit einfachen Mitteln nicht automatisiert durchführbar. 2dev® umgeht diese Problematik. Eine entscheidende Spezifikationsrichtlinie von 2dev® fordert das Auslagern aller Speicherelemente aus dem Funktionsbaustein. So wird im vorliegenden Beispiel der Tempomat-Status des vorangegangen Zeitschritts als ein weiteres Eingangssignal des Funktionsbausteins definiert. Damit ergibt sich die Eingangssignalliste in Tabelle 1. Der resultierende Funktionsbaustein ist gedächtnisfrei und wird ausschließlich durch formale Wenn-Dann-Regeln beschrieben. Damit ist die Voraussetzung zur automatisierten Testdurchführung gegeben. Weitere Funktionsbausteine, wie beispielsweise Timer, Zähler und Integratoren, werden auf diese einfache Darstellung zurückgeführt. Eingangssignal Wertebereich Bedeutung Ein-Aus-Schalter {0, 1} {aus, ein} Taster für Geschwindigkeitsvorgabe {0, 1} {nicht gedrückt, gedrückt} Bremse {0, 1} {inaktiv, aktiv} Tempomat-Status des vorangegangen Zeitschritts {0, 1, 2} {ausgeschaltet, regelnd, unterbrochen} Tabelle 1: Eingangssignalliste für Tempomat-Statusgenerator 98 Die formale Spezifikation des Tempomat-Statusgenerators erfolgt in Form von WennDann-Regeln. Die Wenn-Bedingungen sind logische Ausdrücke für die Eingangssignale. Die Dann-Bedingungen definieren das Sollverhalten des Funktionsbausteins durch logische Ausdrücke für die Ausgangssignale. Als Beispiel wird die Transition „Wiederaufnahme“ des Zustandsautomaten in Abbildung 2 betrachtet. Sie ist durch die in Tabelle 2 dargestellte Wenn-Dann-Regel spezifiziert. Name R7 Funktion Tempomat Wiederaufnahme Wenn-Bedingung Wenn Tempomat-Status des vorangegangenen Zeitschritts [idxCCState_z] gleich unterbrochen und Tempomat-Ein-Aus-Schalter [sigCCOnOff] gleich ein und Taster für Geschwindigkeitsvorgabe [sigCCSetSpeed] gleich gedrückt und Bremse [sigBrake] gleich inaktiv Dann-Bedingung Dann Tempomat-Status [idxCCState] gleich regelnd Tabelle 2 Wenn-Dann-Regel zur „Tempomat-Wiederaufnahme“ Insgesamt enthält die Spezifikation für dieses Beispiel neun Wenn-Dann-Regeln zur vollständigen Beschreibung des Tempomat-Statusgenerators. Die obige Wenn-DannRegel wird zusammen mit den übrigen acht Regeln zur weiteren automatisierten Verarbeitung gemäß Abbildung 1 in der formalen Spezifikation eingegeben. Für den spezifizierten Funktionsbaustein lassen sich leicht alle 24 Testschritte durch Permutation der Signalwerte (vgl. Wertebereich in Tabelle 1) automatisch generieren (siehe Testgenerator in Abbildung 1). Der Modellgenerator überführt alle Anforderungen in ein Stateflow-Modell (siehe Abbildung 3), welches mit den 24 Testschritten stimuliert wird. Abbildung 3: Tempomat-Statusgenerator mit rückgeführtem Zustand 99 Zur Erzeugung der Requirements Coverage werden die formalen Anforderungen, die Stimuli und die Simulationsantworten herangezogen. Werden nicht alle 24 Testschritte durch die neun Requirements erfasst, liegt eine Definitionslücke in der Spezifikation vor. Existieren Anregungskombinationen, bei denen mehrere Wenn-Bedingungen erfüllt werden, die betreffenden Dann-Bedingungen jedoch Unterschiedliches fordern, liegt ein Widerspruch in der Spezifikation vor. Auf diese Weise entsteht ein Funktionsmodell aus verifizierten Funktionsbausteinen. Die Granularität der einzelnen Bausteine richtet sich maßgeblich nach der Verständlichkeit der Anforderungen. Testfallgenerierung und Simulation stellen beachtliche Minimalanforderungen hinsichtlich Speicherbedarf und Ausführungszeit. Der Einsatz von 2dev® in Steuergeräte-Entwicklungsprojekten zeigt jedoch, dass ein sinnvoll modularisiertes Funktionsmodell nicht an diese Grenzen stößt. 5 Zusammenfassung und Ausblick Zur systematischen Spezifikation, Implementierung und Verifikation von SteuergeräteFunktionsmodellen wird die Testbasierte Entwicklungsmethode 2dev® vorgestellt. Durch den Einsatz von 2dev® erhält der Entwicklungsingenieuer mehr Sicherheit. 2dev® liefert eindeutige Aussagen darüber, wann das Funktionsmodell fertig gestellt ist und wann die notwendigen Tests erfolgreich abgeschlossen sind. Dieses Verfahren wird derzeit zur direkten Verifikation der Spezifikation eingesetzt. Ohne zeitaufwändige, manuelle Implementierung des Funktionsmodells wird die Spezifikation direkt auf Vollständigkeit und Widerspruchsfreiheit hin überprüft. Die automatisiert generierten Stafeflow®-Charts lassen sich hinsichtlich der Laufzeit und Codegröße weiter optimieren. Die einfache Systematik bietet zukünftig auch die Möglichkeit Testfälle für das gesamte Funktionsmodell aus den Spezifikationen der einzelnen Funktionsbausteine zu generieren. Diese Testfälle eignen sich nicht nur zur Verifikation, sondern auch zur Validierung des Funktionsmodells. 2dev®-Spezifikationen können im Hardware-In-The-Loop-Test oder Fahrversuch wiederverwendet werden. Die Ein- und Ausgangssignale der Funktionsbausteine lassen sich mit Hilfe von Applikationswerkzeugen wie INCA® oder CANape® während der Durchführung von Fahrmanövern aufzeichnen. Durch die Anwendung des 2dev®Verifikationsverfahrens kann überprüft werden, ob das Ein-/Ausgangsverhalten dem spezifizierten Verhalten entspricht. Die Auswertung der von 2dev® berechneten Abdeckungsgrade führt außerdem zu einer direkten Aussage über die Vollständigkeit der durchgeführten Fahrmanöver. 100 Literaturverzeichnis [BS06] R. Bechtold, S. Harms, D. Baum, P. Karas: Neue Wege zur Entwicklung hochqualitativer Steuergerätesoftware – Hella AFS und GIGATRONIK 2dev®. Elektronik Automotive, Ausgabe 1/2005, S. 44-51. [Co07] M. Conrad: Using Simulink and Real-Time Workshop Embedded Coder for SafetyCritical Automotive Applications. Tagungsband des Dagstuhl-Workshops MBEES 2007, Informatik-Bericht 2007-01, TU Braunschweig, S. 41-47. [Kb02] B. Kent: Test Driven Development. By Example. Addison-Wesley Longman, Amsterdam, 2002. [SC05] R. Starbek, U. Class: Vom Prototyp zum Seriencode. Elektronik Automotive, Ausgabe 1/2005, S. 108-110. 101 A Service-Oriented Approach to Failure Management Vina Ermagan, Claudiu Farcas, Emilia Farcas, Ingolf H. Krüger, Massimiliano Menarini Department of Computer Science University of California, San Diego 9500 Gilman Drive La Jolla, CA 92093-0404, USA {vermagan, cfarcas, efarcas, ikrueger, mmenarini}@ucsd.edu Abstract: Failure management for complex, embedded systems-of-systems is a challenging task. In this paper, we argue that an interaction-based service notion allows capturing of failures end-to-end from both the development-process and the runtime perspective. To that end, we develop a formal system model introducing services and components as partial and total behavior relations, respectively. A failure-ontology, refined for the logical and the deployment architecture is presented. This ontology allows us to reduce the partiality of services by managing failures. Furthermore, the ontology gives rise to an architecture definition language capturing both logical and deployment architecture models together with a failure hypothesis. Finally, we exploit these models for the formal verification (modelchecking) of properties under the given failure hypothesis. 1 Introduction Computer systems have by now penetrated almost every aspect of our lives, changing the way we interact with the physical world. For embedded systems that control physical processes in areas where lives and assets are at stake, the demands for high software quality have increased accordingly. Managing system complexity and quality together is even more challenging as we move from monolithic systems to distributed systems of systems. Quality concerns such as reliability, manageability, scalability, and dependability crosscut the entire integrated system and cannot be addressed at the level of individual components. A key challenge in the design, deployment, and quality assurance for distributed reactive systems is how to encapsulate crosscutting concerns while integrating functionality scattered among system components. Addressing this challenge requires a transition from component-centric views to end-to-end system views, and placing the interactions between components in the center of attention. We need, therefore, modeling notations, methodologies, and tool suites for precisely and seamlessly capturing the overall goals – the services delivered by the interplay between distributed components – across all development phases. 102 A specific crosscutting concern in embedded systems is failure resilience. For example, a car has thousands of software functions implemented across a set of distributed, networked Electronic Control Units (ECUs); the car manufacturer has to integrate the ECUs from different suppliers into a coherent system-of-systems. Many errors cannot be managed on a per-component basis, because they arise from the interplay that emerges from the composition of components. Currently, such errors are discovered late in the development process, or even after deployment inducing high quality assurance and control costs. Therefore, a failure management approach that considers the crosscutting aspects of failures and failure mitigations is needed. Problem statement. Because failure management in a logically or physically distributed system is an end-to-end activity, the problem is how to approach model-based failure management systematically throughout the development process. Important research topics include, for instance, how to address both component- and service-level failures, value-added exploitation of the failure models, and scalability of failure models to varying levels of detail. Furthermore, a failure management methodology should provide low-overhead integration of failure models into existing development processes and the traceability of failures across development activities. Approach outline. In this paper, we present a service-oriented development approach that establishes a clean separation between the services provided by the system, the failure models, and the architecture implementing the services. Our foundations are (1) a precise interaction-based system model that defines components and services as complete and partial behaviors, respectively, and (2) a hierarchical failure model that defines failure detection and mitigation mechanisms as wrappers around services. The key benefit lies in the binding between the failure model and the interaction-based service model; this allows us to specify, detect, and mitigate failures at all scales: from the individualmessage level to highly complex interaction patterns. Through model exploitation, we obtain an integrated development process that goes from requirements elicitation and domain modeling, to definition of logical and deployment architecture, to synthesis of detectors and mitigators from service specifications, and to verification and validation. The remainder of the paper is organized as follows. In Section 2, we present the system, component, and service model based on the formal model of streams and relations on streams. In Section 3, we introduce the failure model together with our approach to defining architectures based on service specifications under the failure model. In Section 4, we demonstrate how to synthesize a deployment architecture model from a given architecture specification, and how to exploit this model for verifying fail-safety under a given failure hypothesis (i.e., an assumption about what failures can occur concurrently). Section 5 discusses our approach in the context of related work and Section 6 contains our conclusions and outlook. 2 System, Component, and Service Model We view a system as being decomposed into a set of components (or roles), which communicate with one another and with the environment by exchanging messages over 103 directed channels. Each component has its own state space. We denote the sets of messages and channels by M and C , respectively. At any time instant t ! ! each component computes its output based on its current state and the messages received until time instant t " 1 . Therefore, we can define the system behavior by the communication histories on the channels and the state changes of the components over time. Automotive Example – CLS: Figure 1 presents a simplified structure diagram for the Central Locking System (CLS) in automotives (a more detailed description of CLS can be found in [KNP04,BKM07]). Upon impact, an Impact Sensor (IS) will send a signal to the CLS Controller, which will command the Lock Manager (LM) to unlock the doors. The diagram shows the system entities (IS, CONTROL, and LM) and the communication channels (isc, lmc, and clm) between them. IS isc CONTROL lmc LM clm Figure 1. Simplified System Structure Diagram for the CLS Assuming asynchronous communication allows us to model channel histories by means of streams, i.e., finite and infinite sequences of messages. We denote the set of finite sequences over M by M * . For a given time instant, the content of all channels (a channel valuation) is given by a mapping C # M * , which assigns a sequence of messages to each channel; this models that a component can send multiple messages over any channel at a given point in time. Using timed streams over message sequences, we can further model communication histories over time. We call the assignment of a timed stream to a channel an infinite valuation or history: a channel history is denoted by a mapping C # (! # M * ) . Therefore, for a set of channels X & C , we denote by "# X $ %(! # (X # M * )) the set of histories of the channels in X . For simplicity we work with a single channel type here – all channels are of the same type indicated by the message set M . It is an easy exercise to add a data type system to this model [BKM07]. Components have syntactic and semantic interfaces described by their sets of channels and streams. In our terminology, we use channels to denote both component input and output ports, and communication links that connect ports. For a given component, a channel can be classified as input or output channel, depending on whether the component is the channel’s destination or source, respectively. We denote the sets of input and output channels with I and O , respectively. The pair (I ,O ) , denoted I $ O , defines the syntactic I/O interface of a component. The semantic interface defines the observable # "# behavior of the component. We call I and O the sets of input and output channel histories, respectively. By focusing on the interactions, we can define the semantic interface # "# in terms of I/O history relations Q : I # %(O ) as follows. Definition (Component and Service Model.) For a given syntactic I/O interface # "# Q : I # %(O ): I $O and I/O history relation % '% 104 Q is a component, if its I/O history relation is causal Q is a service, if its I/O history relation is causal wrt. the service domain # Dom.Q $ {x ! I : Q.x ( )} !" Causality enforces that a component’s or service’s outputs at time t depend at most on the input histories strictly before t . We denote the prefix of length t of a stream x by x *t . Definition (Causality): For a given syntactic I/O interface %I $O and I/O history rela# "# # tion '%Q : I # %(O ) , Q is causal, iff (for all x, z ! I ): x * t $ z * t + {y * (t , 1) : y ! Q.x } $ {y * (t , 1) : y ! Q.z } !" A service has a syntactic I/O interface like a component, defining the channels by which the service is connected to its environment. Both components and services relate input histories with output histories, but components are left-total relations (i.e., there is at least one output history for every input history), whereas services are partial relations over the relevant input and output streams of the system. Consequently, services emerge as generalizations of components. Architectures emerge from the parallel composition of components and services. Each service describes a certain projection of the overall system behavior providing a partial view on each of the components participating in its execution, whereas a component is complete in the sense that it describes the composition of all services in which it participates. Services “orchestrate” the interaction among system components to achieve a certain goal. Thus, we view services as formalized specializations of use cases to specify interaction scenarios. Our model highlights the duality between partial and complete knowledge about system structure and behavior. There is a broad spectrum of description techniques available, such as state machines to model components and sequence diagrams to model services. For both state machines and sequence diagrams there exist straightforward formalizations in terms of the system model introduced above. In short, the stream relation we assign to a state machine emerges as an extension of the associated state transition relation over time. This embeds state machines into the semantic model. Furthermore, there is a transformation algorithm [Kr99,Kr00] from sequence diagrams to state machines, which then induces and embedding of sequence diagrams into the semantic model. We need this last embedding in the following section, where we introduce failure models and architecture definitions as refinements of the interaction models underlying service specifications. For a full treatment of the formalization and the corresponding methodological consequences we refer the reader to [BKM07]; this reference also details specific structuring principles for service specifications, such as splicing, specification by projection, and refinement notions. 105 Ontology Logical Model Mapping Model MDA Interaction Specification Failure Taxonomy Failure Hypothesis Deployment Model Deployment Diagram Enables Mapping Code Generation Verification & Validation Figure 2. Model-based failure management approach 3 Service-Oriented Failure Model and Architecture Definition Our failure management approach, depicted in Figure 2, combines elements of Model Driven Architectures (MDA) [MCF03] with Service-Oriented Architectures (SOA): an ontology encompassing a failure taxonomy, a service-oriented logical architecture based on interactions (Figure 3) as a representation of a Platform Independent Model (PIM), and a deployment model (Figure 5) as a representation of a Platform Specific Model (PSM). We decouple the functional aspects of system behavior from the treatment of failures, and enrich the logical and deployment models typical of any MDA, with a failure hypothesis. We use a Service Architecture Definition Language (SADL) to express these elements in textual form. By mapping the logical and deployment models together, we provide a seamless approach towards end-to-end fail-safe software design and development. A failure taxonomy is a domain specific concept [Le95] (e.g., our general failure taxonomy for the automotive domain [Er07]). A comprehensive taxonomy for failures and failure management entities is essential from the very early phases of the software and systems engineering process. In our previous work [EKM06],we created such a taxonomy starting with the central entity - Failure, and then specifying two types of entities in close relationship with the Failure: Causes and Effects. A Failure has at least one Cause and manifests itself through one or more Effects. Hence, an Effect is the environmentobservable result of a Failure occurrence. We then define a Detector as an entity capable of detecting the occurrence of a Failure by monitoring its Effect. Consequently, it is important to define what type of Effects a failure can have, and leverage them to create corresponding Detectors. The Cause of a Failure is highly dependent on the application domain; for instance, it could be a software, computational hardware, or communication problem. An Effect has an associated Risk Level, depending on its consequences on the environment. An Effect can also be manifested as Unexpected Behavior (i.e., the occurrence of an event that was not supposed to happen) or a Non Occurrence Behavior (i.e., absence of an event that was supposed to happen). 106 3.1 Logical Model for Service-Oriented Architectures: The Service Repository The main entities of our logical architecture model are Services (Figure 3), which capture the various functionalities of the system in the form of interaction patterns. In short, every service is associated with an Interaction Element, which can be either atomic, or composite. Single Events (send or receive) and Messages composed from two corresponding send and receive events are examples of atomic interactions. Composite interactions emerge from the application of composition Operators such as sequencing, alternatives, loops, or parallel composition to Operands. Note that the syntactic model contained in the lower box of Figure 3 describes the heart of the language of sequence diagrams or Message Sequence Charts (MSCs) [Kr00] using the composite pattern [Ga95]. Consequently, we obtain a straightforward embedding of a service specification according to Figure 3 into the semantic framework as introduced in Section 2. To illustrate the other entities of Figure 3 in more detail, we observe that this figure defines an abstract syntax for our SADL. Consider the example SADL specification in Figure 4. It again describes aspects of the CLS case study. We begin with an Architecture block (Figure 4a). An Architecture block has a Service Repository, which encapsulates the definition of the Roles and the Services in the system; a Configuration, representing the logical and the deployment models respectively. It also has a concurrent failure number that is part of the failure hypothesis and describes an upper bound on the number of failures that can occur at the same time in the system. Figure 3. - Logical Model We exemplify in Figure 4 the following interaction: upon impact, IS will send on channel isc an Impact() message to CONTROL, which then, on channel clm, sends an unlck() message to LM. The service ends by CONTROL receiving on channel lmc the acknowledgement unlck_ok() of the unlocking from LM and then, on channel clm, confirming this receipt. 107 architecture CLS configuration CLS_deployment service_repository CLS_service_repository component description Central locking system services type ImpactSensor : sensor description Sensor that detects the impact. roles plays IS in CLS_1, CLS_2 role CONTROL can_fail true description Controller of all CLS functions end states LCKD, UNLD component ... type Controller_component : ECU end description Controlling unit for the CLS system. role LM plays CONTROL in CLS_1, CLS_2 description Interface to the Lock System. can_fail true states INITIAL end ... component end type LockMotor_component : actuator role IS description The interface to the locking system. description Sensor for detecting an impact plays LM in CLS_1, CLS_2 states INITIAL, FINAL can_fail false ... end end component end type FailManager_component : ECU service CLS_2 description A computational unit used interaction plays CLS_1_D in CLS_1 MSG(IS, CONTROL, isc, Impact()) ; can_fail false MSG(CONTROL, LM, clm, unlck()) ; end MSG(LM, CONTROL, lmc, unlck_ok()) ; connection MSG(CONTROL, LM, clm, ok())) end type CANBus_connection : CANBus description The CANBus used to connect the CLS plays clm,lmc,isc in CLS_1, CLS_2 a) can_fail false can_loose_message true end managed service CLS_1 connections service CLS_2 CAN:CANBus_connection detector deadline_failure ( end MSG(IS, CONTROL, isc, Impact()) : A components MSG(CONTROL, LM, clm, unlck()) ; (ImpactSensor1: ImpactSensor MSG(LM, CONTROL, lmc, unlck_ok()), is_connected_to CAN) deadline 10 unit ms) (ImpactSensor2: ImpactSensor mitigator is_connected_to CAN) MSG(CLS_1_D, LM, clm, unlck()) ; (FailManager: FailManager_component MSG(LM, CONTROL, lmc, unlck_ok()) is_connected_to CAN) end (LockMotor: LockMotor_component is_connected_to CAN) b) (Controller: Controller_component is_connected_to CAN) end end Figure 4. Service ADL concurrent_failures 1 a) Service repository; end b) Managed Service; c) Configuration. c) This interaction-based model provides the basics for specifying regular behaviors of a system in terms of composite interaction patterns. We add two elements to this model, namely Detection and Mitigation, to make the system capable of handling failures (see the upper box of Figure 3). We still retain the ability to specify services that do not need 108 failure management in order to keep the system specification simple whenever possible. To that end, we define two subtypes of Services: Unmanaged Services and Managed Services. Unmanaged Services define system behavior without considering failures. Managed Services require failure management. Following the decorator pattern [Ga95], a Managed Service includes another service within it, which describes the interaction scenario that needs to be fail-safe. This service can be an Unmanaged or a Managed Service, giving the model the ability to create multiple layers of failure management. Each Managed Service has a Detector and a Mitigator. The Detector is responsible for monitoring the service defined inside the Managed Service, and detects an eventual failure by observing its Effects. A Detector may employ different Detection Strategies. For example, one Detection Strategy can be based on observing interactions; another strategy could be based on observing the internal states of relevant components. A common mechanism for detecting failures is the use of time-outs. Time is captured in the model in the form of Deadlines for Interaction Elements. An Effect of a failure could be a missed Deadline. Upon occurrence of a failure, the Detector will activate the corresponding Mitigator, responsible for handling the failure occurrence. A Mitigator includes a service that specifies its behaviors and may leverage one or more Mitigation Strategies to address the failure. Figure 4b shows how we can wrap a Service in a Detector and Mitigator layer and augment it to a Managed Service in our SADL. The Detector detects if LM does not acknowledge the door unlocking within 10 ms since CONTROL sent the unlock() message. As one possible mitigation strategy, the exemplified Mitigator resends the unlock() directly to LM. 3.2 Deployment Model and the Mapping: Configuration In distributed real time systems, failures happen at runtime. In the interest of a seamless treatment of failures throughout the development process, however, it is useful to trace runtime failures that occur in the deployed system to the related entities of the logical architecture. 1..* Component fails * 1..* Compound Component Failure * fails Connection * Port Simple Component 2..* * Signal Sensor Actuator 1 * Wire Controller Figure 5. Deployment Model Figure 5 depicts a simplified physical deployment model. Its main active entities are Components. Actuators, Sensors, and Controllers are examples of different component types in automotive systems. Components (following the composite pattern [Ga95]) can be simple or compound. Components have Ports, which are entry points for Connections 109 to other Components. One example for a connection is a Wire with electrical Signals passing over it; another example is a wireless connection. The SADL represents the deployment model using a Configuration block (Figure 4c). A Configuration block includes a number of Component type and Connection type definitions. Each Component type plays one or more logical roles. This “plays” relationship provides the main grounds for mapping of the logical model to the deployment model: roles are mapped to components, channels are mapped to connections, and messages are mapped to signals. Each Component type is also augmented with a Can Fail part capturing the failure hypothesis for that component; if a component can fail, then all the roles mapped to that component can fail. The Configuration block also includes an instantiation part. Connections are instantiated from the Connection types. Components are instantiated from Component types and are connected to specific Connection instances to form a physical deployment model for the system. 4 Synthesis and Verification In this section we establish the binding between the failure models described in Section 3 with the system model of Section 2; this binding then allows us to employ formal verification techniques to verify the fail-safety of a system specified in SADL under a given failure hypothesis. In short, the binding relates the components of the deployment architecture with the roles they play in the respective services. The role behavior is extracted from the interaction patterns defined in the service repository using the algorithm translating sequence diagrams into state machines alluded to in Section 2. Finally, the resulting state machines are augmented with role behaviors for the failure detectors and mitigators to effect the failure management. The resulting set of state machines by construction implements all the behaviors specified in the service repository. To ensure that the system failure management is adequate, we have to verify that the architecture satisfies temporal properties even in presence of failures. In the following, we describe this process in more detail, and explain our implementation of a prototypic verification tool based on the SPIN model checker [Ho03]. The SADL described in Section 3 has four elements: (1) a logical model, composed of services specified by interaction patterns (in essence, sequence diagrams in textual form); (2) a deployment model, mapping interaction roles to components; (3) a failuremanagement model, described by Detectors and Mitigators of managed services; and finally (4) a failure hypothesis. Our M2Code v.2.0 tool translates a SADL specification into a Promela model suitable for verification using SPIN. The tool, developed in Ruby, performs syntax analysis and checking and generates state machines for services, detectors, and mitigators. The translation proceeds as follows. For each role, the tool generates a state machine that captures the participation of this role in all interaction patterns. This translation is possible because our service language specifies interactions as causal MSCs: each role can locally choose the next step it has to engage in to implement the global interaction. [Kr99,Kr00] presents the MSC to state charts synthesis algorithm in detail. In essence, the algorithm inserts intermediate states 110 between all incoming/outgoing messages of a role axis; then, the various role axes that describe a component’s interaction patterns are combined into a single state machine for that component. Figure 4. State Machine for an Impact Sensor Role The result of our generation algorithm is a set of Mealy automata. Each automaton captures the behavior of one role. Figure 4 shows the state machine obtained for one role in the CLS case study. Upon detecting an impact, the impact sensor sends an “Impact” message on two channels. The resulting state machine has three states and two transitions. The first transition sends “Impact” on the IC9 channel and the second on the IU12 channel. On state machine transitions, we follow the convention of indicating send and receive events with “!” and “?” prefixes, respectively. The state labels are automatically generated by the M2Code tool implementing the algorithm. Figure 5. Modified State Machine for the Impact Sensor The next step in system verification requires modifying the state machines obtained by the synthesis algorithm to account for the failures defined in the failure hypothesis. To this end, M2Code introduces states and transitions into the deployment component state machines generated as described above. For complete component failures, for instance, M2Code adds a sink state to the state machine. It then adds a transition from all other states to the sink state guarded by failure messages. Figure 5 shows the modifications applied to the example state machine from Figure 4. The three new transition added by 111 M2Code are guarded by a “kill” message on the ERRIS channel. This channel is an artifact introduced in the verification model to inject failures accordingly to the failure hypothesis. The decision to send the kill message is taken by a Promela “failure injector” process that implements the failure hypothesis. This driver is also automatically generated by M2Code. Mitigators are also modeled as state machines. Their definition is based on interactions and, therefore, the translation follows the same technique described earlier. A special treatment is reserved for Detector’s deadlines. When a deadline is present, M2Code creates non-deterministic transitions from the states that are part of the service to be managed by the detector, to the state that initiates the corresponding mitigation strategy. Note that this algorithm results in a set of state machines for the set of deployment components that together define the deployment architecture for the system defined in the SADL specification. To define a fail-safe system we give an abstract specification as an SADL specification that has only unmanaged services (we call this specification F1) and a concrete specification that extends the abstract one such that some services are managed (F2). The concrete specification set of behaviors (expressed as a set of channel valuations in Section 2) is a subset of F1’s behaviors under projection on the messages and channels defined in F1. F2 is fail-safe with respect to its failure hypothesis if, even when the failures defined in the hypothesis affect the execution, its set of projected behaviors remains a subset of F1’s behaviors. Next, we exploit this observation to formally prove fail-safety under a given failure hypothesis. For each state machine representing a deployment component type, M2Code generates a Promela program that encodes it. Moreover, it adds a failure injector in the Promela program. The failure injector models the failure hypothesis provided in the SADL and triggers failures during the verification process accordingly. With this machinery at our disposal, we can verify, for instance, LTL properties that encode the safety concerns of our system (the abstract model). One of the usages of this technique in our development process is to identify the need for new Detectors and Mitigators upfront, before even starting the implementation. Furthermore, we use this approach to identify inconsistencies within the failure hypothesis itself and improve it as part of our integration with FMEA [Re79] and FTA [Ve81] techniques. As an example, we have applied this tool to the CLS specification of Figure 4 to prove that under the given failure hypothesis, of having at most one complete component failure per run and not loosing more than one message in the CAN bus, the system will unlock all doors after a crash. We used the tool to elicit the failure hypothesis in a sequence of iterations. In fact, we elicited the requirement to replicate the impact sensor and to limit the number of messages lost in the CAN bus by executing the verification process. 112 5 Related Work Our service notion as partial interaction specification captures and goes beyond the various uses of the term service in the context of the telecommunications domain and web services. In telecommunication systems, features encapsulate self-contained pieces of functionality used to structure the interfaces of components [Pr03]. Feature interactions [Za03] should not lead to inconsistent behaviors. In contrast to our approach, this service notion is local to individual components, and their interplay is considered afterwards. Our model scales at different levels of abstractions. The consequences of modeling services as partial behaviors and components as total behaviors are that components are themselves services, components may offer a family of services, and services emerge from the interplay of several components. Web services and the corresponding technologies view services as implementation building blocks and provide open standards for technical integration concerns such as service discovery and binding. Nevertheless, web services coordinate workflows among domain objects, and may depend on other services. Therefore, the view of services as orchestrators of other services and as Facades to the underling domain objects [Ev03] is gaining popularity. In contrast to web services, we provide a formal model of services and use services as first-class modeling entities seamlessly throughout the development process. Our approach is related to Model-Driven Architecture [MCF03], but we consider services as modeling entities in both the abstract and the concrete models. We based our formal model on streams and relations over streams because they conveniently model component collaboration and directly support partial and complete behavior specifications. State-based formalisms such as statecharts [Ha87] focus on complete component specifications rather than the architectural decomposition we aim at for end-to-end failure specifications. In our approach, we use standard model-checking techniques. In particular, we use the SPIN model checker [Ho03] to verify parallel execution of automata generated from MSCs using the algorithm described in [Kr99,Kr00]. Other approaches that support model checking on interaction-based specifications exist. For example, [Ku05] gives a semantics for live sequence charts (LSCs) based on temporal logic, effectively reducing the model checking of LSCs to the verification of temporal logic formulae. [AY99] addresses the specific issues of model checking message sequence charts. Our approach differs by focusing on failures and providing techniques to modify the models to include the failure hypothesis. Our approach allows for flexible model-based development for reactive fail-safe distributed systems and fits the automotive domain and others with similar characteristics, including avionics and telecommunications. [AK98] describes how failure-tolerant systems are obtained by composing intolerant systems with two types of components – detectors and correctors – and proves that these are sufficient to create fail-safe and non-masking tolerant systems, respectively. We have similar detectors and mitigators specifications; however, we explicitly consider the communication infrastructure of distributed systems, and our detectors need only to be aware of the messages exchanged by components. Similar concepts are also present in the Fault Tolerant CORBA [OMG04,Ba01] as detectors and recovery services. Instead 113 of using heartbeat messages for detectors to identify deadlocks and crashes, our approach is more general and allows us to detect unexpected and non-occurrence behavior failures while providing a much more flexible mitigation strategy. [GJ04] extends the approach from [AK98] to non-fusion-closed systems by introducing history variables as needed. However, the system model still does not explicitly consider the communication by means of messages. Another related approach from [AAE04] describes how to synthesize fault-tolerant programs from CTL specifications and allows generating not only the program behavior but also detectors and correctors. Nevertheless, their technique is subject to the state explosion problem. Different types of tolerance are analyzed: masking tolerance, non-masking tolerance, and fail-safe tolerance. In our ontology, we can easily obtain all three types of tolerance (depending on the redundancy and the type of mitigator). To reduce the risk of implementation errors our mitigators can exploit a technique that is similar to N-Version Software [CA95]. Such systems can switch to a reducedfunctionality safe mode using a simpler version of the code, which (hopefully) doesn’t contain the error that triggered the malfunction. Our approach can also leverage previous work on software black boxes [EM00], where features are assigned to modules and hooks are used to record procedure calls. Both approaches would fit the AUTOSAR main requirements [AUT08] asking support for redundancy and FMEA compatibility from any implemented system. Our model could also be combined with architectural reconfiguration approaches such as the one presented in [TSG04,GH06]. 6 Summary and Outlook In this paper we have bridged the gap between a precise foundation for services and components, and a practical application of this foundation to prove fail-safety under a given failure hypothesis. To that end, we have introduced a domain model for serviceoriented architecture specifications, augmented with a model for failure detection and mitigation. This model gave rise to an architecture definition language for serviceoriented systems. This language allows us to specify (a) services as interaction patterns at the logical architecture level, (b) deployment architectures, (c) a mapping from logical to deployment models, and (d) failure detectors and mitigators at all levels of the architecture. Because failure detectors and mitigators are tied to the interaction patterns that define services in our approach, we were able to establish a formal relationship between a service specification with and without failure management specification. We have exploited this relationship by building a prototypic verification tool that checks if a given service architecture is fail-safe under a given failure hypothesis. There is ample opportunity for future research. We give two examples. First, the failure model itself can be interpreted as the basis for a rich domain language for failure specifications. This will give rise to a set of failure management service/design patterns that could be incorporated in a standard library for the SADL. Second, the verification tool produces as its output a counter example if the system is not fail-safe. This counter example can be analyzed for potential clues on which failure management pattern to use to mitigate against it. 114 References [AAE04] [AK98] [AUT08] [AY99] [Ba01] [BKM07] [CA95] [EKM06] [EM00] [Er07] [Ev03] [Ga95] [GH06] [GJ04] [Ha87] [Ho03] [Ku05] [KNP04] [Kr99] Attie, P. C., Arora, A., Emerson, E. A.: Synthesis of fault-tolerant concurrent programs. ACM Transactions on Programming Languages and Systems. vol. 26, 2004; pp. 125–185 Arora, A., Kulkarni, S.S.: Component based design of multitolerant systems. IEEE Transactions on Software Engineering. vol. 24, 1998; pp. 63–78. AUTOSAR. AUTOSAR Main Requirements. http://www.autosar.org/download/ AUTOSAR_MainRequirements.pdf, Version 2.0.4. Revision 2008 Alur, R., Yannakakis, M.: Model Checking of Message Sequence Charts. In Proc. 10th Intl. Conf. on Concurrency Theory (CONCUR’99). LNCS, Vol. 1664, Springer Berlin / Heidelberg, 1999; pp. 114–129 Baldoni, R., Marchetti, C., Virgillito, A., Zito, F.: Failure Management for FTCORBA Applications., In: Proceedings of the 6th International Workshop on ObjectOriented Real-Time Dependable Systems, 2001; pp. 186–193. Broy, M., Krüger, I.H., Meisinger, M.: A formal model of services. In ACM Transactions on Software Engineering and Methodology (TOSEM). 16(1):5, Feb. 2007 Chen, L., Avizienis, A.: N-Version Programming: A Fault-Tolerance Approach to Reliability of Software Operation. Software Fault Tolerance. Wiley, 1995; pp. 23–46 Ermagan, V., Krüger, I. H., Menarini, M.: Model-Based Failure Management for Distributed Reactive Systems. In (eds. Kordon F. and Sokolsky O.): Proceedings of the 13th Monterey Workshop, Composition of Embedded Systems, Scientific and Industrial Issues, Oct 2006, LNCS vol 4888, Paris, France. Springer, 2007; 53–74 Elbaum, S., Munson, J. C.: Software Black Box: an Alternative Mechanism for Failure Analysis. In Proceedings of the 11th International Symposium on Software Reliability Engineering, 2000; pp.365–376 Ermagan, V., Krueger, I., Menarini, M., Mizutani, J.I., Oguchi, K., Weir, D.: Towards model-based failure-management for automotive software. In: Proceedings of the ICSE Fourth International Workshop on Software Engineering for Automotive Systems (SEAS), IEEE Computer Society, 2007 Evans, E.: Domain Driven Design. Addison-Wesley, 2003 Gamma, E., Helm, H., Johnson R., Vlissides, J.: Design Patterns: Elements of Resuable Object-Oriented Software. Addison-Wesley Reading, Mass.,1995 Giese, H., Henkler, S.: Architecture-driven platform independent deterministic replay for distributed hard real-time systems. ACM Press New York, NY, USA, 2006; pp. 28–38. Gartner, F.C., Jhumka, A.: Automating the Addition of Fail-Safe Fault-Tolerance: Beyond Fusion-Closed Specifications. In: Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems, LNCS vol 3253, Springer Berlin/Heidelberg, 2004; pp. 183–198. Harel, D.: Statecharts: A Visual Formalism for Complex Systems. Science of Computer Programming, Vol. 8(3), Elsevier Science Publishers B.V., 1987; pp. 231–274 Holzmann, G. J.: The Spin Model Checker: Primer and Reference Manual. AddisonWesley, 2003 Kugler, H., Harel, D., Pnueli, A., Lu, Y., Bontemps, Y.: Temporal Logic for ScenarioBased Specifications. In Tools and Algorithms for the Construction and Analysis of Systems. LNCS, Vol. 3440/2005, Springer Berlin / Heidelberg, 2005; pp. 445–460 Krüger, I.H., Nelson, E.C., Prasad, K.V.: Service-based Software Development for Automotive Applications. In Proceedings of CONVERGENCE 2004. Convergence Transportation Electronics Association, 2004 Krüger, I., Grosu, R., Scholz, P., Broy, M.: From MSCs to statecharts. In (Rammig, F.J., ed.): Proceedings of the IFIP WG10.3/WG10.5 international workshop on Dis- 115 tributed and Parallel Embedded Systems. Kluwer Academic Publishers, 1999; pp. 61– 71 [Kr00] Krüger, I.: Distributed System Design with Message Sequence Charts. Ph.D. dissertation, Technische Universität München, 2000 [Le95] Leveson, N.G. Safeware: system safety and computers. ACM Press New York, 1995. [MCF03] Mellor, S., Clark, A., Futagami, T.: Guest Editors' Introduction: Model-Driven Development. In IEEE Software. Vol. 20(5). IEEE Computer Society Press, 2003 [OMG04] Object Management Group. Fault Tolerant CORBA. In CORBA 3.0.3 Specification. vol. formal/04-03-21: OMG, 2004. [Pr03] Prehofer, C: Plug-and-Play Composition of Features and Feature Interactions with Statechart Diagrams. In Proceedings of the 7th International Workshop on Feature Interactions in Telecommunications and Software Systems, Ottawa, 2003; pp. 43–58 [Re79] Reifer, D. J.: Software failure modes and effects analysis. IEEE Transactions on Software Engineering. vol. 28, 1979; pp. 247–249. [TSG04] Tichy, M., Schilling, D., Giese, H.: Design of self-managing dependable systems with UML and fault tolerance patterns. In: Proceedings of the 1st ACM SIGSOFT workshop on Self-managed systems (WOSS’04), ACM Press New York, NY, USA, 2004; pp. 105–109. [Ve81] Vesely, W.E, Goldberg, F.F., Roberts, N. H.; Haasl, D.H.: Fault Tree Handbook (NUREG-0492). Washington, DC: Systems and Reliability Research, Office of Nuclear Regulatory Research, US Nuclear Regulatory Commission, 1981. [Za03] Zave, P.: Feature Interactions and Formal Specifications in Telecommunications. IEEE Computer, 26(8), IEEE Computer Society, 2003; pp. 20–30 116 Technische Universität Braunschweig Informatik-Berichte ab Nr. 2003-07 2003-07 M. Meyer, H. G. Matthies State-Space Representation of Instationary Two-Dimensional Airfoil Aerodynamics 2003-08 H. G. Matthies, A. Keese Galerkin Methods for Linear and Nonlinear Elliptic Stochastic Partial Differential Equations 2003-09 A. Keese, H. G. Matthies Parallel Computation of Stochastic Groundwater Flow 2003-10 M. Mutz, M. Huhn Automated Statechart Analysis for User-defined Design Rules 2004-01 T.-P. Fries, H. G. Matthies A Review of Petrov-Galerkin Stabilization Approaches and an Extension to Meshfree Methods 2004-02 B. Mathiak, S. Eckstein Automatische Lernverfahren zur Analyse von biomedizinischer Literatur 2005-01 T. Klein, B. Rumpe, B. Schätz (Herausgeber) Tagungsband des Dagstuhl-Workshop MBEES 2005: Modellbasierte Entwicklung eingebetteter Systeme 2005-02 T.-P. Fries, H. G. Matthies A Stabilized and Coupled Meshfree/Meshbased Method for the Incompressible Navier-Stokes Equations — Part I: Stabilization 2005-03 T.-P. Fries, H. G. Matthies A Stabilized and Coupled Meshfree/Meshbased Method for the Incompressible Navier-Stokes Equations — Part II: Coupling 2005-04 H. Krahn, B. Rumpe Evolution von Software-Architekturen 2005-05 O. Kayser-Herold, H. G. Matthies Least-Squares FEM, Literature Review 2005-06 T. Mücke, U. Goltz Single Run Coverage Criteria subsume EX-Weak Mutation Coverage 2005-07 T. Mücke, M. Huhn Minimizing Test Execution Time During Test Generation 2005-08 B. Florentz, M. Huhn A Metamodel for Architecture Evaluation 2006-01 T. Klein, B. Rumpe, B. Schätz (Herausgeber) Tagungsband des Dagstuhl-Workshop MBEES 2006: Modellbasierte Entwicklung eingebetteter Systeme 2006-02 T. Mücke, B. Florentz, C. Diefer Generating Interpreters from Elementary Syntax and Semantics Descriptions 2006-03 B. Gajanovic, B. Rumpe Isabelle/HOL-Umsetzung strombasierter Definitionen zur Verifikation von verteilten, asynchron kommunizierenden Systemen 2006-04 H. Grönniger, H. Krahn, B. Rumpe, M. Schindler, S. Völkel Handbuch zu MontiCore 1.0 - Ein Framework zur Erstellung und Verarbeitung domänenspezifischer Sprachen 2007-01 M. Conrad, H. Giese, B. Rumpe, B. Schätz (Hrsg.) Tagungsband Dagstuhl-Workshop MBEES: Modellbasierte Entwicklung eingebetteter Systeme III 2007-02 J. Rang Design of DIRK schemes for solving the Navier-Stokes-equations 2007-03 B. Bügling, M. Krosche Coupling the CTL and MATLAB 2007-04 C. Knieke, M. Huhn Executable Requirements Specification: An Extension for UML 2 Activity Diagrams 2008-01 T. Klein, B. Rumpe (Hrsg.) Workshop Modellbasierte Entwicklung von eingebetteten Fahrzeugfunktionen, Tagungsband 2008-02 H. Giese, M. Huhn, U. Nickel, B. Schätz (Hrsg.) Tagungsband des Dagstuhl-Workshop MBEES: Modellbasierte Entwicklung eingebetteter Systeme IV