formal modelling and safety analysis of an embedded...
TRANSCRIPT
![Page 1: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/1.jpg)
Formal Modelling and Safety Analysis of anEmbedded Control System for
Construction Equipment:an Industrial Case Study using VDM
Takayuki Mori
Newcastle University, UKKomatsu Ltd., Japan
20 June 2011
![Page 2: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/2.jpg)
Outline
• Background and motivation
• Case study
– Informal description of control specifications and safety requirements
– Formal modelling using VDM++
– Validation and safety analysis
• Conclusions
2
![Page 3: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/3.jpg)
• Komatsu Ltd.
– Construction and mining equipment manufacturer
– Founded in Komatsu, Japan, in 1921
– Main products:
• Bulldozer
• Hydraulic excavator
• Wheel loader
• Dump truck
Background and motivation
3
![Page 4: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/4.jpg)
My main work
• Development of control systems for wheel loaders
– Control specifications description
– Software design
– Implementation
– Testing
• Currently studying at Newcastle University
• My research interest
– Applying formal methods to our development activities to make our control software more reliable
4
![Page 5: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/5.jpg)
Safety for construction equipment
• Safety is a critical factor for construction equipment
• Safety should be ensured even if a fault has occurred in the system
• To ensure safety…Failure Mode and Effects Analysis (FMEA)
5
![Page 6: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/6.jpg)
FMEA process
1. Identify all potential faults (failure modes)
2. Analyse the effects of each fault
3. Estimate the risk of the fault
4. If the risk is not allowable, consider
– A way to detect the fault
– Measures to be taken in case the fault has been detected
5. Re-estimate the risk
6
![Page 7: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/7.jpg)
Motivation
• FMEA is not an easy task
– Usually, dozens of potential faults in one controller
– A measure against a fault might affect various parts of the control system
• The research aims to:
– Describe the specifications of fault detection and measures formally (using formal modelling notation VDM++)
– Check if the specifications are consistent and safety is ensured
7
![Page 8: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/8.jpg)
Outline
• Background and motivation
• Case study
– Informal description of control specifications and safety requirements
– Formal modelling using VDM++
– Validation and safety analysis
• Conclusions
8
![Page 9: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/9.jpg)
Modelling target
• A part of a transmission control system for wheel loaders
“Specifications of detecting the direction lever position”
9
![Page 10: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/10.jpg)
Modelling target
• Transmission control system
10
Vehicle speedEngine speed…
Direction leverSpeed lever
Transmissioncontroller
Transmissionvalves
![Page 11: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/11.jpg)
Modelling target
• Detecting the direction lever position
– Moving direction is frequently switched
– Detecting the lever position is crucial for safety
– The scale and complexity are moderate
11
Direction lever
Transmissioncontroller
![Page 12: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/12.jpg)
System diagram
12
Digital input: F
Digital input: N
Digital input: R
Analogue input
Direction lever Transmission controller
![Page 13: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/13.jpg)
Electrical characteristics
• Open-circuit of digital input and holding the lever in the middle position cannot be distinguished
• Detected positions by digital and analogue might differ
13
Analogue input voltage
![Page 14: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/14.jpg)
Control specifications
• Specifications of detecting the direction lever position
1. Normally, digital input is valid.
2. If a fault has been detected in digital input, analogue input becomes valid.
3. If analogue input also has a fault, the lever position is recognised as N.
4. If digital input has recovered from the fault, digital input should be valid again. However, analogue input remains valid unless the positions detected by digital and analogue input are consistent with each other.
14
![Page 15: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/15.jpg)
Lever detection by digital input
15
Short-circuit to power
Open-circuit or short-circuit to ground orthe direction lever is in the middle position
![Page 16: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/16.jpg)
Fault detection and measures
• Possible Faults of the System
– Open-circuit, short-circuit or improper operation
• An example
16
![Page 17: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/17.jpg)
Safety requirements
17
R1: If any fault occurs in the system, the detectedposition of the direction lever must be consistentwith the actual lever position or recognised asneutral (N).
R2: If any fault occurs in the system, the detectedposition of the direction lever must not change toF or R without lever manipulation by the operatorof the vehicle.
![Page 18: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/18.jpg)
Outline
• Background and motivation
• Case study
– Informal description of control specifications and safety requirements
– Formal modelling using VDM++
– Validation and safety analysis
• Conclusions
18
![Page 19: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/19.jpg)
Class diagram
• All association arrows from Manager and inheritance arrows to Common are hidden for legibility
19
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 20: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/20.jpg)
Class diagram
• Managing model execution
20
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 21: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/21.jpg)
Class diagram
• Input/Output
21
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 22: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/22.jpg)
Class diagram
• Fault detection
22
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 23: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/23.jpg)
Class diagram
• Control logic
23
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 24: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/24.jpg)
Types
• Declared in the Common class
public Time = nat;
public Direction = <DIR_F> | <DIR_N> | <DIR_R>;
public AinState = Direction
| <SUB_R>
| <MID_RN>
| <MID_FN>
| <SUPER_F>;
24
![Page 25: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/25.jpg)
Type: AinState
25
<SUPER_F>
<SUB_R>
<DIR_R>
<DIR_F>
<DIR_N>
<MID_FN>
<MID_RN>
![Page 26: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/26.jpg)
• Periodic sequential model
– Manager class controls the whole model
– Instantiation and update of objects
Model execution
26
+ update() : void
Manager
+ update() : void
- attribute1
Class1
+ update() : void
- timer : Time
Timer
+ update() : void
- attribute2
Class2
System timer
![Page 27: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/27.jpg)
Class diagram
• Input/Output
27
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 28: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/28.jpg)
Environment class
• Components outside the controller
• Provide input to the controller
• Receive output from the controller
28
+ getDinValue() : bool
+ getAinValue() : AinState
+ setDetectLevPosition() : void
- trace : map Time to SysState
Environment
DigitalInput
AnalogueInput
LeverPositionDetection
Timer
System timer
set
get
get
![Page 29: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/29.jpg)
Environment class
types
Public SysState :: dinF : bool
dinN : bool
dinR : bool
ain : AinState
levPos : LeverPosition
detectLevPos : [Direction];
instance variables
private trace : map Time to SysState;
29
![Page 30: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/30.jpg)
Environment class
• An example
trace :=
{0 |-> mk_SysState( false, true, false, <DIR_N>, <DIR_N>, nil),
1 |-> mk_SysState( false, false, false, <MID_FN>, <MID_FN_>, nil),
2 |-> mk_SysState( true, false, false, <DIR_F>, <DIR_F>, nil),
...
};
30
Digital input Actual lever position
Analogue input Detected lever position
![Page 31: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/31.jpg)
Class diagram
• Fault detection
31
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 32: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/32.jpg)
Fault class
• Represent the notion of faults
• Recall the informal description…
32
![Page 33: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/33.jpg)
Fault class
• State diagram of fault
33
NORMAL DETECTING
CONFIRMEDRECOVERING
[errorState()] / timer.reset()
[recoveryState()] / timer.reset()
[not recoveryState()]
[not errorState()]
[timer.getTime() >= detectingTime][timer.getTime() >= recoveryTime]
Initial
![Page 34: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/34.jpg)
+ update() : void
- errorState() : bool
- recoveryState() : bool
+ getFaultState() : FaultState
Fault framework
34
DigitalInput
- state : FaultState
- detectingTime : Time
- recoveryTime : Time
Fault
- errorState() : bool
- recoveryState() : bool
ConcreteFault1
+ reset() : void
+ getTime() : Time
Timer
AnalogueInput
- errorState() : bool
- recoveryState() : bool
ConcreteFault2
Control logicclasses
![Page 35: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/35.jpg)
Class diagram
• Control logic
35
LeverPositionDetection
DirectionLever
DirectionLeverDigital
DirectionLeverAnalogue
Environment
DigitalInput AnalogueInput
Manager
Fault
Timer Common
FaultDinOpenMinor FaultDinShort FaultAinShort
FaultDinOpenSevere FaultAinOpen FaultAinInternal
![Page 36: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/36.jpg)
+ update() : void
Direction
Detection of the lever position
36
- detectLevPos : Direction
LeverPositionDetection
+ update() : void
+ getPosition() : [Direction]
+ update() : void
DirectionLeverDigital
+ update() : void
DirectionLeverAnalogue
Environment DigitalInput AnalogueInput
+ getFaultState()
Fault# position : Direction
DirectionLever
FaultMode*
3
![Page 37: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/37.jpg)
Safety requirements
• Described as postconditions in Environment
37
R1: If any fault occurs in the system, the detectedposition of the direction lever must be consistentwith the actual lever position or recognised asneutral (N).
R2: If any fault occurs in the system, the detectedposition of the direction lever must not change toF or R without lever manipulation by the operatorof the vehicle.
![Page 38: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/38.jpg)
Safety requirements
• Safety requirements are evaluated when the detected lever position is set to Environment
38
+ getDinValue() : bool
+ getAinValue() : AinState
+ setDetectLevPosition() : void
- trace : map Time to SysState
Environment
Timer
System timer
+ update() : void
- detectLevPos : Direction
LeverPositionDetection
setDetectLevPosition()
![Page 39: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/39.jpg)
Safety requirements
public setDetectLevPosition : Direction ==> ()
setDetectLevPosition(dir) ==
trace(sysTime.getTime()).detectLevPos := dir
pre
sysTime.getTime() in set dom trace
postIfLeverIsFThenNotR() andIfLeverIsRThenNotF() andIfLeverIsNThenN() andNotMoveWithoutOperation();
39
![Page 40: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/40.jpg)
Safety requirements
private IfLeverIsFThenNotR: () ==> boolIfLeverIsFThenNotR() ==
let curTime = sysTime.getTime()in
return(((curTime >= Manager`SafetyCheckTime) and
(forall t in set{curTime – Manager`SafetyCheckTime,..., curTime} &trace(t).levPos = <DIR_F>))
=> trace(curTime).detectLevPos <> <DIR_R>)post RESULT;
=> Safety requirement R1
40
![Page 41: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/41.jpg)
Safety requirements
private NotMoveWithoutOperation: () ==> boolNotMoveWithoutOperation() ==
let curTime = sysTime.getTime()in
return(((curTime >= Manager`SafetyCheckTime) and
(forall t in set{curTime – Manager`SafetyCheckTime,..., curTime - 1} &(trace(t).levPos = trace(curTime).levPos andtrace(t).detectLevPos = <DIR_N>)))
=> trace(curTime).detectLevPos = <DIR_N>)post RESULT;
=> Safety requirement R2
41
![Page 42: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/42.jpg)
Outline
• Background and motivation
• Case study
– Informal description of control specifications and safety requirements
– Formal modelling using VDM++
– Validation and safety analysis
• Conclusions
42
![Page 43: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/43.jpg)
Validation
• Check if
– the model behaves as expected
– the safety requirements are satisfied
• The model is executed with various time series of input data (test scenarios)
• The results are compared with expected values
• Testing framework "VDMUnit" is used
43
![Page 44: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/44.jpg)
An example of test cases
44
class SystemTest1 is subclass of TestCase, Environmenttypesprivate TestData :: inData : SysState
expectVal : [Direction];valuesprivate testData: map Time to TestData ={
0 |-> mk_TestData(mk_SysState(false, true, false,<DIR_N>, <DIR_N>, nil), <DIR_N>),
1 |-> mk_TestData(mk_SysState(false, false, false,<MID_FN>, <MID_FN_>, nil), <DIR_N>),
2 |-> mk_TestData(mk_SysState(true, false, false,<DIR_F>, <DIR_F>, nil), <DIR_F>),
...};
![Page 45: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/45.jpg)
45
operationspublic runTest : () ==> ()runTest() ==(
let testInData = {t |-> testData(t).inData | t in set dom testData}in (
dcl mgr : Manager := new Manager(testInData);for t = 0 to (card dom testData - 1)do (
mgr.update();assertTrue("t=" ˆ VDMUtil`val2seq_of_char*nat+(t) ˆ ", failed.",
mgr.env.getTrace()(t).detectLevPos =testData(t).expectVal)
))
);end SystemTest1
![Page 46: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/46.jpg)
46
Start test - Direction Lever TestStart test - System testAll 647 tests passed.End test - Direction Lever Test*** All Tests Passed. ***
Start test - Direction Lever TestStart test - System testSystem test, Test1, t=3, failed.System test, Test5, t=23, failed.2 of 647 tests failed.End test - Direction Lever Test*** ERROR! ***
new TestMain().executeSystemTest()
Success
Failure
![Page 47: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/47.jpg)
Results of validation
• Testing with 14 scenarios has been executed
• Test scenarios:
– Normal lever manipulation (without faults)
– Digital input F open-circuits, and then recovers
– …
• Confirmed the model behaved as expected for all input data elaborated
47
![Page 48: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/48.jpg)
Results of validation
• Test coverage (generated by Overture)
– DirectionLeverDigital`update: 98.6%
– Fault`doFaultNormal: 89.4%
– The others: 100.0%
• The untested statements can never be executed under the current specifications
• Virtually whole model was tested
48
![Page 49: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/49.jpg)
Safety requirements violated
• Safety requirements violation has been discovered for certain input data series
49
R2: If any fault occurs in the system, the detectedposition of the direction lever must not change toF or R without lever manipulation by the operatorof the vehicle.
Start test - Direction Lever TestStart test - System testError 4072: Postcondition failure: post_NotMoveWithoutOperation in 'Environment'
![Page 50: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/50.jpg)
Safety requirements violated
• However, the case could never happen in reality
• Caused by a coincidence of several rare accidents
1. Direction lever is in the middle of the positions F and N
2. No digital input signals are “on”
3. Analogue input signal indicates the position F
4. Digital input N periodically short-circuits to power with a short period (less than the fault detecting time)
5. Then, the short-circuit recovers
=> Detected lever position changes from N to F without lever manipulation
50
![Page 51: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/51.jpg)
Outline
• Background and motivation
• Case study
– Informal description of control specifications and safety requirements
– Formal modelling using VDM++
– Validation and safety analysis
• Conclusions
51
![Page 52: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/52.jpg)
Conclusions
• A part of control systems of construction equipment has been formally modelled using VDM++
• A modelling pattern: a fault framework has been introduced
• The model has been tested using VDMUnit
• Violation of a safety requirement has been found
• This demonstrates availability of formal modelling to a practical control system
52
![Page 53: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/53.jpg)
Future work
• Apply the approach to a larger scale system
• Improve testing environment
• Challenge formal verification of the model using a verification tool, e.g. UPPAAL
– check if there exists another case which violates the safety requirements
53
![Page 54: Formal Modelling and Safety Analysis of an Embedded ...overturetool.org/workshops/9/WS9_TakayukiMoriPresentation.pdf · Formal Modelling and Safety Analysis of an Embedded Control](https://reader034.vdocument.in/reader034/viewer/2022050223/5f68ac945f5e7a6135131f0b/html5/thumbnails/54.jpg)
Thank you for listening.
54