predictable development of reliable embedded systems ir. marcel verhoef - chess (with...
Post on 19-Dec-2015
![Page 1: Predictable Development of Reliable Embedded Systems ir. Marcel Verhoef - CHESS (with contributions from](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d2a5503460f949ffbc7/html5/thumbnails/1.jpg)
Predictable Development of Reliable Embedded Systems
ir. Marcel Verhoef - CHESS
http://www.chess.nl
http://www.marcelverhoef.nl
(with contributions from prof. dr. Peter Gorm Larsen, Engineering College Aarhus)
Agenda - “Back to the Future”
• Introduction and Background
• Using VDM++ and VDMTools: theory and practice
• In the past : successful projects in industry
• In the present : architecture and deployment
• In the future : continuous time co-simulation
• Conclusions
Predictable Development?
• Source: The Chaos Report (http://www.standishgroup.com)
| Software Project Characteristics | 1995 |
| --- | --- |
| Cancelled before delivery | 31 % |
| Exceeds time scale & cost, reduced functionality | 53 % |
| On time and budget | 16 % |
| Mean time overrun | 190 % |
| Mean cost overrun | 222 % |
| Mean functionality delivered | 60 % |
Predictable Development?
• Source: Jim Johnson, “My Life Is Failure”, ISBN 1-4243-0841-0
| Software Project Characteristics | 1995 | 2004 |
| --- | --- | --- |
| Cancelled before delivery | 31 % | 18 % |
| Exceeds time scale & cost, reduced functionality | 53 % | 53 % |
| On time and budget | 16 % | 29 % |
| Mean time overrun | 190 % | 84 % |
| Mean cost overrun | 222 % | 56 % |
| Mean functionality delivered | 60 % | 64 % |
Reliable Systems?
Reliable Systems?
Uptime: 125 years
Source: Tom Henzinger, FM 2006 invited talk
The problem : dealing with complexity
• System complexity is increasing continuously
• We choose to put that complexity in software
• More and more software becomes business critical
• More and more software becomes safety critical
The problem : dealing with complexity
400 horses 100 CPUs
Software Development Engineering
• Engineering is conservative
– application of science
– embedded within mature processes
– with effective quality and risk management
– to build practical systems cost-effectively
• Software development is opportunistic
– ruled by fashion (platform, languages, methodologies)
– usually not well organised, error-prone and lacking discipline
– very hard to predict (both quality and quantity)
Successful engineering approaches
• Build system models to gain confidence in requirements and designs
• use of abstraction
– well-focused
– problem-oriented
– unambiguous
– precise
• use of rigour
– objective
– repeatable
– exploration
– analysis
An Approach To Modelling Computing Systems
• Vienna Development Method (VDM)
– invented at the IBM research laboratory in Vienna in the 70's
– VDM-SL (specification language, ISO/IEC 13817-1:1996)
– VDM++ (object-oriented extension)
• model-oriented language with formal syntax and semantics
– simple and abstract data types (sets, sequences, maps, ...)
– uses invariants to restrict type membership
– implicit specification (using pre- and post conditions)
– explicit specification (functional or imperative)
– referentially transparent functions
– operations with side effects on state variables
VDM-SL module structure
```
module <module-name>
  -- Interface: parameters, imports, instantiations, exports, ...
  definitions
  -- Definitions: state, types, values, functions, operations, ...
end <module-name>
```
VDM++ class structure
```
class <class-name>
  instance variables      -- internal object state
  ...
  types                   -- definitions
  values
  functions
  operations
  ...
  thread                  -- dynamic behaviour
  ...
  sync                    -- synchronization control
  ...
end <class-name>
```
Tool support for VDM
• The Rose-VDM++ Link
• Document Generator
• Code Generators (C++, Java)
• Syntax & Type Checker
• API (CORBA), DL Facility
• Interpreter (Debugger)
• Integrity Checker
• Java to VDM++
The Past
Using VDMTools In The Commercial Enterprise
(1998 - 2002)
Dutch Government - Department of Defense (1)
• information management system
• mission-critical system component
• coupling to very large database
• 2 man-year development effort
• 98% VDM-SL (400 pages ± 15 kloc)
• ± 90 kloc C++ (code generation)
• delivered on-time and within budget
• no errors found after release
• still in use today
• return on investment : within project
Dutch Government - Department of Defense (2)
Flower Auction at Aalsmeer (1)
• largest covered market place in the world (1.000.000 m2)
• spot market for fresh cut flowers and plants
• 13 auction clocks in 4 halls
• world market share 45%
• Kenya, Israel, Ethiopia → Aalsmeer → Germany, Japan
• 44000 transactions per day
• 6.9 M Euro turnover per day
• obviously mission critical
(1.0e6 m2, about 200 football fields)
Flower Auction at Aalsmeer (2)
• “Dutch auctioning” process
• up : 60 Hz down : 30 Hz
• transaction : 5 seconds max
• new : on-line participation
• many challenges
– unknown application area
– use novel technology
– unclear requirements
– inexperienced team
– no development process
• used VDM++ and UML
• completed successfully
The Present
Enhancing VDMTools For Embedded Systems
joint work with Peter Gorm Larsen and Jozef Hooman
[ LNCS 4085, FM 2006, pp 147-162 ]
Enhancing VDMTools For Embedded Systems
• Motivation: early life-cycle system architecting
• VDM++ for distributed embedded real-time
• Case Study : In-Car Radio Navigation System
early life-cycle system architecting (1)
• design paradox : “shooting at a moving target”
– volatile requirements & many unknowns (not just technical)
– nevertheless key architecture decisions must be made
• additional complications
– business case always evolves over time
– out-of-phase development usually occurs, for example mechanics → electronics → software
– technology evolves much faster than project elapse time
early life-cycle system architecting (2)
• key problems
– system-level overview is usually lacking (dominating view)
– methods do not sufficiently support design iteration (building models takes too much time and effort)
• the proposed solution
– notational extensions for context aware software models (explicit notion of architecture and deployment)
– improve tool support for early model validation (enhanced visualisation)
VDM++ for distributed embedded real-time
• old VDMTools VICE version 6.6
– all software implicitly deployed on a single CPU
– only synchronous operation calls are allowed
– only absolute notion of time (duration)
– only strict periodic behaviour can be specified
• new VDMTools VICE version 8.0
– hardware architecture can be described using BUS and CPU
– explicit deployment of software (class instances) on CPUs
– support for synchronous and asynchronous operation calls
– absolute and relative notion of time (duration and cycles)
– elaborate periodic behaviour (period, jitter or burst, offset)
Example: In-Car Radio Navigation System
• car radio with built-in navigation system
• several applications may execute concurrently
• user-interface needs to be responsive at all times
• traffic messages must be processed on time
• what is a suitable architecture for this product?
“Change Volume” application
“Handle TMC” application
Proposed Architecture Alternatives
Absolute and relative elapse time
```
class Radio
operations
  -- duration: absolute elapse time, independent of the deploying CPU
  async public AdjustVolume: nat ==> ()
  AdjustVolume (pno) ==
    ( duration (150) skip;
      RadNavSys`mmi.UpdateVolume(pno) );

  -- cycles: relative elapse time, scaled by the clock of the deploying CPU
  async public HandleTMC: nat ==> ()
  HandleTMC (pno) ==
    ( cycles (10000) skip;
      RadNavSys`navigation.DecodeTMC(pno) )
end Radio
```
Specifying the hardware architecture (1)
```
system RadNavSys
instance variables
  -- create the class instances
  static public mmi := new MMI();
  static public radio := new Radio();
  static public navigation := new Navigation();
```
Specifying the hardware architecture (2)
```
  ...
  -- create the computation resources
  CPU1 : CPU := new CPU(<FP>, 22E6, 0);
  CPU2 : CPU := new CPU(<FP>, 11E6, 0);
  CPU3 : CPU := new CPU(<FP>, 113E6, 0);

  -- create the communication resource
  BUS1 : BUS := new BUS(<FCFS>, 72E3, 0, {CPU1, CPU2, CPU3})
```
Specifying the hardware architecture (3)
```
  ...
operations
  public RadNavSys: () ==> RadNavSys
  RadNavSys () ==
    ( CPU1.deploy(mmi);
      CPU2.deploy(radio);
      CPU3.deploy(navigation) )
end RadNavSys
```
Modeling the environment of the system
```
class TransmitTMC
...
operations
  async createSignal: () ==> ()
  createSignal () ==
    ( dcl num : nat := getNum();
      e2s := e2s munion {num |-> time};
      RadNavSys`radio.HandleTMC(num) );

  async public handleEvent: nat ==> ()
  handleEvent (pev) ==
    s2e := s2e munion {pev |-> time}
  post forall idx in set dom s2e & s2e(idx) - e2s(idx) <= 1000

thread
  periodic (3000, 4500, 1000, 0) (createSignal)
end TransmitTMC
```
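To make the timing primitives in the Radio, RadNavSys and TransmitTMC models above concrete, here is a small Python replay of the TMC path added for this transcript; it is not VDMTools code and not the authors' model. It reads cycles(n) as n clock ticks of the CPU an object is deployed on and duration(d) as d fixed time units, serves each CPU and the FCFS bus first-come-first-served, and assumes a millisecond time unit, a DecodeTMC cost of 4E7 cycles, a 512-bit message per remote call and constructed jitter samples (none of these are on the slides).

```python
"""Added example: an interpretation of VDM++ VICE timing primitives (not VDMTools code).

Assumptions (not on the slides): the model time unit is 1 ms; a CPU runs the
operations deployed on it first-come-first-served (one task per CPU, so <FP>
reduces to FIFO); the bus is <FCFS>; DecodeTMC costs 4E7 cycles; a remote call
carries a constructed 512-bit message; jitter samples are constructed inputs.
"""
from dataclasses import dataclass

TIME_UNIT_S = 1e-3            # assumption: one model time unit is a millisecond


@dataclass
class CPU:
    name: str
    hz: float                 # clock frequency as in new CPU(<FP>, 22E6, 0)
    free_at: float = 0.0      # when the CPU becomes idle (model time units)

    def cost_of(self, step):
        """duration(d) is absolute; cycles(n) scales with the deploying CPU."""
        kind, n = step
        if kind == "duration":
            return float(n)
        if kind == "cycles":
            return n / self.hz / TIME_UNIT_S
        raise ValueError(f"unknown time primitive {kind!r}")

    def run(self, ready_at, step):
        """Run one operation FIFO; return its completion time."""
        start = max(ready_at, self.free_at)
        self.free_at = start + self.cost_of(step)
        return self.free_at


@dataclass
class BUS:
    bps: float                # bandwidth as in new BUS(<FCFS>, 72E3, 0, {...})
    free_at: float = 0.0

    def transfer(self, ready_at, bits):
        """FCFS message transfer; return the arrival time of the message."""
        start = max(ready_at, self.free_at)
        self.free_at = start + bits / self.bps / TIME_UNIT_S
        return self.free_at


def releases(period, jitter, distance, offset, jit):
    """Release times of periodic(period, jitter, distance, offset)(createSignal).

    Simplified reading (assumption): the k-th release is at offset + k*period
    + jit[k] with 0 <= jit[k] <= jitter, pushed back so that two releases are
    never closer than `distance`; with jitter > period this yields bursts.
    """
    out = []
    for k, j in enumerate(jit):
        if not 0 <= j <= jitter:
            raise ValueError("jitter sample outside [0, jitter]")
        t = offset + k * period + j
        if out:
            t = max(t, out[-1] + distance)
        out.append(t)
    return out


def build_hardware():
    """The architecture from the RadNavSys system class on the slides."""
    cpus = {"CPU1": CPU("CPU1", 22e6), "CPU2": CPU("CPU2", 11e6),
            "CPU3": CPU("CPU3", 113e6)}
    return cpus, BUS(72e3)


def evaluate(deploy, rel, decode_cycles=4e7, msg_bits=512, bound=1000):
    """Replay TransmitTMC.createSignal for each release time and check the
    post-condition of handleEvent: forall idx: s2e(idx) - e2s(idx) <= bound.

    deploy maps "radio" and "navigation" to CPU names (CPUn.deploy(obj)).
    Returns (e2s, s2e, post_condition_holds).
    """
    cpus, bus = build_hardware()
    e2s, s2e = {}, {}
    for num, t in enumerate(rel):
        e2s[num] = t                                         # e2s munion {num |-> time}
        t = cpus[deploy["radio"]].run(t, ("cycles", 10000))  # Radio.HandleTMC
        if deploy["radio"] != deploy["navigation"]:          # remote call crosses BUS1
            t = bus.transfer(t, msg_bits)
        t = cpus[deploy["navigation"]].run(t, ("cycles", decode_cycles))  # DecodeTMC (assumed cost)
        s2e[num] = t                                         # s2e munion {pev |-> time}
    ok = all(s2e[i] - e2s[i] <= bound for i in s2e)
    return e2s, s2e, ok


if __name__ == "__main__":
    rel = releases(3000, 4500, 1000, 0, [0, 500, 4500, 0])   # constructed jitter samples
    for deploy in ({"radio": "CPU2", "navigation": "CPU3"},   # deployment as on the slides
                   {"radio": "CPU2", "navigation": "CPU2"}):  # alternative: both on the 11 MHz CPU
        e2s, s2e, ok = evaluate(deploy, rel)
        worst = max(s2e[i] - e2s[i] for i in s2e)
        print(deploy, "worst latency %.1f, post-condition holds: %s" % (worst, ok))
```

Moving navigation from the 113 MHz CPU3 to the 11 MHz CPU2 makes the same cycles(n) cost ten times more time and breaks the 1000-unit post-condition, which is the kind of deployment exploration the slides describe.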
In-Car Radio Navigation System Overview
Visualisation - ShowTrace “system view”
Visualisation - ShowTrace “resource view”
Enhanced Modelling Support - Summary
• Simple and intuitive language extensions
• Significant improvement in expressiveness
• Much better domain applicability
• Significant decrease in model size
• “backward compatible” semantics
• Exploration of deployment and performance feasible
• Early detection of design bottlenecks by visualization
The Future
Embedding VDMTools Into System Engineering
joint work with Peter Visser, Jozef Hooman and Jan Broenink
[ LNCS 4591, IFM 2007, pp 639-658 ]
Embedding VDM++ Into System Engineering
• Motivation : multi-disciplinary system-level design
• Showdown : Continuous Time meets Discrete Event
• Case Study I : water tank level controller
• Case Study II : printer paper path controller
Beyond the Ordinary: Design of Embedded Real-time Control
• BODERC project @ ESI
• Sept 2002 - Apr 2007
• Multi-disciplinary design
– mechanics
– electronics
– software
• High-tech systems focus
• Early life cycle trade-off analysis
• Industry as a laboratory
• http://www.esi.nl/boderc
Design of High-Tech Systems - State of Practice
• design is typically mono-disciplinary organised
• domain specific methods and custom tools are used
• out-of-phase development and system-level focus lacking
• cross-cutting concerns postponed to the integration phase
• late validation & feedback
“INTEGRATION HELL”
[Figure: requirements → mechanics, electronics and software developed separately along the project elapse time → system integration and test; strong tension]
Multi-disciplinary Systems Design - The Vision
• system level approach
• model-driven design
• integrated models & tools
• rapid evaluation
• early feedback
• support design dialogue
• continuous integration
• continuous validation
• less effort overall
• higher quality
[Figure: requirements → integrated models of mechanics, electronics and software → test & integration along the project elapse time; weak tension]
The Challenge - Integrated Design Models (1)
• Notations and analysis techniques used by the disciplines are fundamentally different
– mechanics : finite element methods
– electronics : differential or difference equations
– software : labelled transition systems
• Is a common notation feasible* at all?
* [Henzinger & Sifakis, FM 2006 key note, LNCS 4085, pp 1-15]
The Challenge - Integrated Design Models (2)
• scope of discipline specific tools is widening
– Matlab → Simulink → Stateflow, Real-Time Workshop, TrueTime
– Rhapsody → Simulink
– UML → SysML
• bigger piece of the pie → satisfy all stakeholders (disciplines)
• problems : poor abstraction, restrictive model of computation
• novel actor-based techniques* : Ptolemy-II
• problems : disruptive approach, weak semantics
* [ http://ptolemy.eecs.berkeley.edu ]
Our Approach - Integrated Design Models (3)
• Cross the continuous time - discrete event divide
• Select a well-defined (formal) notation on either side
• Explore semantic integration of those notations
• Implement tool support for this reconciled semantics
• Analyse combined models by (reliable) co-simulation
Expected benefits - Integrated Design Models (4)
• good abstraction facilities on both sides of the divide
• supports light-weight modelling required in early stages
• few Model of Computation (MoC) specific restrictions
– avoid a-priori design bias
• fits in design flow
– low threshold for industrial uptake
• inspired by previous experience (INFORMA EU project)
– weak coupling between VDMTools and Simulink
Continuous Time Realm - Bond Graphs
• dynamic systems modelling, physics domain independent
– mechanics
– electronics
– pneumatics
• graphical notation: Bond graphs*
• formal analysis for algebraic loops and differential causalities
• model validation through simulation and visualisation
• industry grade tool support http://www.20sim.com
* [ Gawthrop, Bevan, IEEE Control Systems Magazine, April 2007, pp 24 - 45 ]
Continuous Time Realm - Informal Semantics
• sets of differential equations
• approximate solution(s) numerically by discrete integration over some time interval
• many “solver” algorithms available, e.g. Euler
• CT shares state variables with DE model
• capture state events : zero-crossing detection
• capture time events : proceed to time t > now
Our Approach by Example - Water Tank Level Controller
[Figure: water tank with its level as the shared variable]
Co-Simulation - Sharing State Variables
[Figure: the CT model and the DE model share the state variables LEVEL and VALVE: LEVEL is read by the DE side (“SENSOR”), VALVE is written by it (“ACTUATOR”), and the lwm/hwm crossings enter the DE model as “INTERRUPTS”]
![Page 54: Predictable Development of Reliable Embedded Systems ir. Marcel Verhoef - CHESS (with contributions from](https://reader030.vdocuments.us/reader030/viewer/2022032800/56649d2a5503460f949ffbc7/html5/thumbnails/54.jpg)
Co-Simulation - State and Time Events
• REE (var, p) and FEE (var, p): state events raised at the time t at which the shared variable var crosses the threshold p (var = p at t), in the rising and falling direction respectively
• TE (t): time event raised at time t
• examples: lwm = FEE (level, 2.0), hwm = REE (level, 3.0)
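The following Python sketch is added here to show one concrete reading of the co-simulation loop on these slides; it is not code from the slides, from 20-sim or from VDMTools. A continuous-time tank model (explicit Euler) and a discrete-event controller share the state variables level and valve; the thresholds are the slide's lwm = FEE(level, 2.0) and hwm = REE(level, 3.0), while the tank dynamics, the inflow and outflow rates, the 0.1 s step and the controller's one-second sampling time events are constructed assumptions.

```python
"""Added example (not from the slides or from 20-sim/VDMTools): a co-simulation
loop in which a continuous-time tank model and a discrete-event controller share
the state variables `level` and `valve`. Tank dynamics, rates, step size and the
sampling time events are constructed; the thresholds are the slide's
lwm = FEE(level, 2.0) and hwm = REE(level, 3.0).
"""
from dataclasses import dataclass, field


@dataclass
class Tank:
    """CT side: d(level)/dt = inflow - outflow * valve, integrated by explicit Euler."""
    level: float = 2.5        # shared variable, read by the DE side ("SENSOR")
    valve: int = 0            # shared variable, written by the DE side ("ACTUATOR")
    inflow: float = 0.4       # constructed rates, level units per second
    outflow: float = 1.1

    def step(self, h):
        self.level += h * (self.inflow - self.outflow * self.valve)


def ree(prev, now, p):
    """Rising edge event: var crossed p upwards during the last step."""
    return prev < p <= now


def fee(prev, now, p):
    """Falling edge event: var crossed p downwards during the last step."""
    return prev > p >= now


@dataclass
class LevelController:
    """DE side: reacts to the state events lwm/hwm and to its own time events."""
    lwm: float = 2.0
    hwm: float = 3.0
    sample: float = 1.0       # it also asks for a time event TE(now + sample)
    next_te: float = 1.0
    samples: list = field(default_factory=list)

    def on_event(self, name, t, tank):
        if name == "hwm":     # too full: open the drain valve
            tank.valve = 1
        elif name == "lwm":   # low enough: close it again
            tank.valve = 0
        elif name == "te":    # time event: sample the level, request the next TE
            self.samples.append((round(t, 6), round(tank.level, 6)))
            self.next_te = t + self.sample


def cosimulate(tank, ctrl, t_end, dt=0.1):
    """Advance CT in steps no larger than dt and never past the DE side's next
    time event ("proceed to time t > now"); hand control to the DE side whenever
    a zero crossing or a time event is detected.
    Returns the trace of (time, event, level) handed to the DE side."""
    t, trace = 0.0, []
    while t < t_end - 1e-12:
        h = min(dt, ctrl.next_te - t, t_end - t)
        prev = tank.level
        tank.step(h)
        t += h
        # state events: zero-crossing detection on the shared variable
        if ree(prev, tank.level, ctrl.hwm):
            ctrl.on_event("hwm", t, tank)
            trace.append((round(t, 6), "hwm", round(tank.level, 6)))
        if fee(prev, tank.level, ctrl.lwm):
            ctrl.on_event("lwm", t, tank)
            trace.append((round(t, 6), "lwm", round(tank.level, 6)))
        # time event requested by the DE side
        if t >= ctrl.next_te - 1e-9:
            ctrl.on_event("te", t, tank)
            trace.append((round(t, 6), "te", round(tank.level, 6)))
    return trace


def run_water_tank(t_end=8.0):
    """Run the constructed scenario; returns (trace, final tank state)."""
    tank, ctrl = Tank(), LevelController()
    trace = cosimulate(tank, ctrl, t_end)
    return trace, tank


if __name__ == "__main__":
    for entry in run_water_tank()[0]:
        print(entry)
```

With these rates the level rises to hwm, the controller opens the valve, the level falls to lwm, the valve closes, and the cycle repeats; every crossing is detected at the first Euler step that lands beyond the threshold, which is why the step size bounds the detection error.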
Our Approach by Example - water tank case (2)
Our Approach by Example - water tank case (3)
Our Approach by Example - water tank case (4)
Printer paper path - case study (1)
Printer paper path - case study (2)
[Figure: continuous validation chain. Co-simulation: VDM++ (VDMTools) with bond graphs (20-sim) → co-sim results. Software-in-the-loop: VDM++ → C++ (host compiler, DLL) with bond graphs (20-sim) → SIL sim results. Target: VDM++ → C++ (target compiler) → ctrl app → measurements]
Printer paper path - case study (3)
[Figure: 20-sim model of the paper path: an H-bridge driven by PWM powers a DC motor (gyrator MotorConstant, ElectricalResistance, ElectricalInductance, InertiaMotorAxis, CoulombFriction), coupled through gear and belt (with disturbance) to the driving and driven pinches Pinch1..Pinch4 (pinch inertia, viscous friction), with Rot2Trans_Paper, FrictionModel, FeedSheet, PaperDetectors, an encoder (ENC) and an Animation block]
Printer paper path - case study (4)
Class diagram of the controller software:
• SetpointProfile: getSetpoint(), addElement(), getIntegratedSetpoint(), calcSetpoint(), calcIntegratedSetpoint()
• SequenceController: initIdle(), initPeak(), initNominal(), setStopProfile(), setBeginAtProfile(), makeAccProfile(), makeDistanceProfile(), setLoopController()
• PidController: getEnc(), limit(), CtrlLoop(), calcPID(), getSetpoint(), setPwm(), setUpPID(), PidController(), getIntegratedSetpoint(), addProfileElement()
• Supervisor: init(), pimUpEvent(), fuseUpEvent(), Supervisor(), pimDownEvent(), corrDownEvent(), alignDownEvent(), setPimSeqCtrl(), setCorrSeqCtrl(), setFuseSeqCtrl(), setAlignSeqCtrl(), setEjectSeqCtrl()
• associations (multiplicity 0..1): -profile, -loopctrl; Supervisor holds -pimSeqCtrl, -corrSeqCtrl, -fuseSeqCtrl, -alignSeqCtrl and -ejectSeqCtrl (each 0..1)
Printer paper path - case study (5)
Printer paper path - case study (6)
Printer paper path - case study (7)
Printer paper path - case study (8)
VDM++ In System Engineering - Summary
• Promising academic research results
– coupling does not restrict tools or add complexity
– co-simulation enables cross discipline design dialogue
– small models due to powerful CT and DE abstraction
– low effort design evaluation
– discipline specific analysis on models is still possible
– light-weight modelling can provide accurate answers
• generic integrated operational semantics
• (vendor) independent of continuous time simulator
• caveat : not yet available in VDMTools
Conclusions (1)
• VDM++ very suitable for managing complexity
• Applicable to embedded systems domain
• Not disruptive to current design practices
• Level of rigour can be chosen depending on task
• Improves quality of design dialogue dramatically
• Consistent documentation reduces maintenance cost
Conclusions (2)
• VDM++ and VDMTools help the system architect to
– increase confidence in the design
– reduce project and product risks
– while dealing with uncertainty
– while working under high time pressure
• the system architect is empowered to
– bridge the gap between the engineering disciplines
– deal with design complexity in a cost-effective way
Back To The Future? The Future is Now!
Thank You for Your Attention
http://www.marcelverhoef.nl
http://www.vdmtools.jp/en
Questions?