
    Clafer: Lightweight Modeling of Structure, Behaviour, and Variability

    Embedded software is growing fast in size and complexity, leading to an intimate mixture of complex architectures and complex control. Consequently, software specification requires modeling both the structure and the behaviour of systems. Unfortunately, existing languages do not integrate these aspects well, usually prioritizing one of them; it is common to develop a separate language for each facet. In this paper, we contribute Clafer: a small language that attempts to tackle this challenge. It combines rich structural modeling with state-of-the-art behavioural formalisms. We are not aware of any other modeling language that seamlessly combines these facets common to system and software modeling. We show how Clafer, in a single unified syntax and semantics, allows capturing feature models (variability), component models, discrete control models (automata) and variability encompassing all these aspects. The language is built on top of first-order logic with quantifiers over basic entities (for modeling structures) combined with linear temporal logic (for modeling behaviour). On top of this semantic foundation we build a simple but expressive syntax, enriched with carefully selected syntactic expansions that cover hierarchical modeling, associations, automata, scenarios, and Dwyer's property patterns. We evaluate Clafer using a power window case study, and by comparing it against other notations that substantially overlap with its scope (SysML, AADL, Temporal OCL and Live Sequence Charts), discussing benefits and perils of using a single notation for the purpose
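    The abstract above mentions Dwyer's property patterns expressed in linear temporal logic. The following is an added example, not code from the Clafer paper or its tooling: a small finite-trace LTL evaluator with the global-scope Dwyer patterns (absence, universality, existence, response, precedence) encoded as LTL, checked against two constructed power-window traces. The formula encoding, the proposition names (pinch, closing, reversing) and the traces are assumptions made for this illustration; finite-trace semantics is used, so G holds up to the end of the trace and X requires a successor step.

```python
"""Finite-trace LTL evaluator with Dwyer's property patterns (global scope).

Added illustration: not code from the Clafer paper or its tooling. The formula
encoding, the proposition names and the power-window traces are assumptions.
"""
from typing import Dict, FrozenSet, List

Formula = tuple
Trace = List[FrozenSet[str]]          # one set of true propositions per step


def holds(f: Formula, trace: Trace, i: int = 0) -> bool:
    """Evaluate LTL formula f at position i of a finite trace."""
    op, n = f[0], len(trace)
    if op == "ap":                      # atomic proposition
        return i < n and f[1] in trace[i]
    if op == "not":
        return not holds(f[1], trace, i)
    if op == "and":
        return holds(f[1], trace, i) and holds(f[2], trace, i)
    if op == "or":
        return holds(f[1], trace, i) or holds(f[2], trace, i)
    if op == "implies":
        return (not holds(f[1], trace, i)) or holds(f[2], trace, i)
    if op == "X":                       # next: needs a successor step
        return i + 1 < n and holds(f[1], trace, i + 1)
    if op == "G":                       # globally, until the trace ends
        return all(holds(f[1], trace, j) for j in range(i, n))
    if op == "F":                       # eventually, within the trace
        return any(holds(f[1], trace, j) for j in range(i, n))
    if op == "U":                       # strong until: g at some j, f on [i, j)
        return any(holds(f[2], trace, j)
                   and all(holds(f[1], trace, k) for k in range(i, j))
                   for j in range(i, n))
    if op == "W":                       # weak until: (f U g) or G f
        return holds(("U", f[1], f[2]), trace, i) or holds(("G", f[1]), trace, i)
    raise ValueError(f"unknown operator {op!r}")


def ap(name: str) -> Formula:
    return ("ap", name)


# Dwyer's patterns, global scope, written as LTL.
def absence(p: Formula) -> Formula:          # P never holds
    return ("G", ("not", p))

def universality(p: Formula) -> Formula:     # P always holds
    return ("G", p)

def existence(p: Formula) -> Formula:        # P holds at some point
    return ("F", p)

def response(p: Formula, q: Formula) -> Formula:   # every P is followed by a Q
    return ("G", ("implies", p, ("F", q)))

def precedence(p: Formula, q: Formula) -> Formula: # no Q before the first P
    return ("W", ("not", q), p)


def step(*props: str) -> FrozenSet[str]:
    return frozenset(props)

# Constructed trace: pinch detected while closing, motor reverses two steps later.
SAFE_TRACE: Trace = [step("closing"), step("closing", "pinch"), step("closing"),
                     step("reversing"), step("open")]
# Constructed trace: pinch detected, but the window keeps closing (violation).
UNSAFE_TRACE: Trace = [step("closing"), step("closing", "pinch"), step("closing"),
                       step("closed")]

PINCH, REVERSING, CLOSING = ap("pinch"), ap("reversing"), ap("closing")


def check_power_window(trace: Trace) -> Dict[str, bool]:
    """Three assumed power-window requirements as Dwyer patterns."""
    return {
        "pinch_leads_to_reverse": holds(response(PINCH, REVERSING), trace),
        "reverse_only_after_pinch": holds(precedence(PINCH, REVERSING), trace),
        "never_closing_while_reversing":
            holds(absence(("and", CLOSING, REVERSING)), trace),
    }


if __name__ == "__main__":
    for name, tr in (("safe", SAFE_TRACE), ("unsafe", UNSAFE_TRACE)):
        print(name, check_power_window(tr))
```

    A model checker such as the one behind Clafer's behavioural analysis decides these formulas over all runs of a model; the evaluator here decides them over one recorded run, which is how the same patterns serve as runtime monitors or as oracles when a scenario is replayed.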

    Development of a framework for automated systematic testing of safety-critical embedded systems

    In this paper we introduce the development of a framework for testing safety-critical embedded systems based on the concepts of model-based testing. In model-based testing the test cases are derived from a model of the system under test. In our approach the model is an automaton model that is automatically extracted from the C source code of the system under test. Besides random test data generation, the test case generation uses formal methods, specifically model checking techniques. To find appropriate test cases we use the requirements defined in the system specification. To cover further execution paths we developed an additional method, novel to the best of our knowledge, based on special structural coverage criteria. We present preliminary results on the model extraction using a concrete industrial case study from the automotive domain

    Software dependability modeling using an industry-standard architecture description language

    Performing dependability evaluation along with other analyses at architectural level allows both making architectural tradeoffs and predicting the effects of architectural decisions on the dependability of an application. This paper gives guidelines for building architectural dependability models for software systems using the AADL (Architecture Analysis and Design Language). It presents reusable modeling patterns for fault-tolerant applications and shows how the presented patterns can be used in the context of a subsystem of a real-life application

    A model for requirements traceability in a heterogeneous model-based design process. Application to automotive embedded systems

    Requirements traceability modeling is a key issue in the real-time embedded design process. In such systems, requirements are of different natures (software-related, system-related, functional and non-functional) and must be traced through a multi-level design flow which integrates multiple, heterogeneous models. Validation and Verification (V&V) activities must be performed on the models and on the final product to check whether they match the initial requirements, and the results of design and V&V activities must be reflected in the traceability information. We propose the DARWIN4REQ metamodel for requirements traceability based on three independent flows (requirement model, solution model and V&V model). The DARWIN4REQ metamodel establishes the links between these flows and allows full traceability of requirements across the heterogeneous models. This paper presents the DARWIN4REQ metamodel and its use in the context of heterogeneous models for requirement modeling, design and V&V. An automotive application illustrates the approach with SYSML, EAST_ADL2 and MARTE for the design and SIMULINK, SyNDEx and TIMESQUARE for V&V activities

    Modeling and Analysis of Mixed Synchronous/Asynchronous Systems

    Practical safety-critical distributed systems must integrate safety-critical and non-critical data on a common platform. Safety-critical systems almost always consist of isochronous components that have synchronous or asynchronous interfaces with other components, and many of these systems also support a mix of synchronous and asynchronous interfaces. This report presents a study on the modeling and analysis of asynchronous, synchronous, and mixed synchronous/asynchronous systems. We build on the SAE Architecture Analysis and Design Language (AADL) to capture architectures for analysis. We present preliminary work targeted at capturing mixed low- and high-criticality data, as well as real-time properties, in a common Model of Computation (MoC). An abstract but representative test specimen system was created as the system to be modeled

    Design of formal languages and interfaces: "formal" does not mean "unreadable".

    This chapter provides an introduction to a work that aims to apply the achievements of engineering psychology to the area of formal methods, focusing on the specification phase of a system development process. Formal methods are often designed to satisfy only two requirements: the method must be sound, and its representation must be concise and elegant from the mathematical point of view; questions of readability, usability and tool support are left aside. As a result, most engineers treat formal methods as theoretically important but too hard to understand and use in practice, even though small changes to a formal method can make it noticeably more understandable and usable for an average engineer

    Specification and verification of radiation therapy system with respiratory compensation using Uppaal

    The goal of radiation therapy is to deliver as much dose as possible to the target volume of tissue while avoiding any dose to healthy tissue. Advances in digital control allow accurate planning and treatment. Unfortunately, motion compensation during the treatment remains a considerable problem. Currently, a combination of different techniques, such as gating (restricting the movement of the patient) and periodic emission, is used to avoid damaging healthy tissue. This paper focuses on systems that completely compensate respiratory movement (up to a certain limit) and starts by investigating the adequacy of the existing hardware and software platform. A radiation therapy system consisting of a HexaPOD couch with six degrees of freedom of movement, a tracking camera, one or more markers and a controller is modeled. A formal untimed model was evaluated and found to be insufficient to completely determine the adequacy of the system for compensating respiratory motion. The untimed model was therefore extended with time and investigated. It provides more information than the untimed model, but does not answer all interesting questions. Based on these results, further research directions are sketched