Establishing IV&V Properties Steve Raque, NASA IV&V Facility Dr. Doron Drusinsky, Naval Postgraduate School 9/4/20091Establishing IV&V Properties.

Slides:

Advertisements

Similar presentations

Automated Evaluation of Runtime Object States Against Model-Level States for State-Based Test Execution Frank(Weifeng) Xu, Gannon University Dianxiang.

Advertisements

©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 12Slide 1 Software Design l Objectives To explain how a software design may be represented.

Timed Automata.

1 Software Engineering Lecture 11 Software Testing.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

Chapter 7 – Object-Oriented Design

Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.

® IBM Software Group © 2014 IBM Corporation Innovation for a smarter planet MBSE for Complex Systems Development Dr. Bruce Powel Douglass, Ph.D. Chief.

Formal Methods of Systems Specification Logical Specification of Hard- and Software Prof. Dr. Holger Schlingloff Institut für Informatik der.

Spin Tutorial (some verification options). Assertion is always executable and has no other effect on the state of the system than to change the local.

Informatics 43 – May 7, Restatement of Goals for Testing Want to verify software’s correctness  Need to test  Need to decide on test cases  No.

7M701 1 Software Engineering Object-oriented Design Sommerville, Ian (2001) Software Engineering, 6 th edition: Chapter 12 )

L4-1-S1 UML Overview © M.E. Fayad SJSU -- CmpE Software Architectures Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I.

Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.

1 Objectives To introduces the concept of software Design. To introduce the concept of Object- Oriented Design (OOD). To Define various aspects about object.

Copyright © 2006 The McGraw-Hill Companies, Inc. Programming Languages 2nd edition Tucker and Noonan Chapter 18 Program Correctness To treat programming.

5/24/011 Advanced Tool Integration for Embedded Systems Assurance Insup Lee Department of Computer and Information Science University of Pennsylvania.

IV&V Facility Model-based Design Verification IVV Annual Workshop September, 2009 Tom Hempler.

Cheng/Dillon-Software Engineering: Formal Methods Model Checking.

System/Software Testing

September 24, 2007 NASA IV&V Facility Workshop on Validation Morgantown, WV 1 A Framework for Computer-aided Validation Presented by Bret Michael Joint.

UPPAAL Ghaith Haddad. Introduction UPPAAL is a tool for modeling, validation and verification of real-time systems. Appropriate for systems that can be.

Implementation Yaodong Bi. Introduction to Implementation Purposes of Implementation – Plan the system integrations required in each iteration – Distribute.

ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.

1. 2 Purpose of This Presentation ◆ To explain how spacecraft can be virtualized by using a standard modeling method; ◆ To introduce the basic concept.

Protecting the Public, Astronauts and Pilots, the NASA Workforce, and High-Value Equipment and Property Mission Success Starts With Safety Believe it or.

Benjamin Gamble. What is Time?  Can mean many different things to a computer Dynamic Equation Variable System State 2.

Generic Instrument Processing Facility Interface Specifications A. BuongiornoFrascati 12 /10/2012 ESA EOP-GS 1.

CIS 842: Specification and Verification of Reactive Systems Lecture Specifications: Sequencing Properties Copyright , Matt Dwyer, John Hatcliff,

Using Architecture and Analysis Design Language (AADL) to Independently Validate and Verify (IV&V) System Performance Requirements and Design Performance.

BE-SECBS FISA 2003 November 13th 2003 page 1 DSR/SAMS/BASP IRSN BE SECBS – IRSN assessment Context application of IRSN methodology to the reference case.

Requirements as Usecases Capturing the REQUIREMENT ANALYSIS DESIGN IMPLEMENTATION TEST.

Today’s Agenda  HW #1  Finish Introduction  Input Space Partitioning Software Testing and Maintenance 1.

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur

Modern VLSI Design 4e: Chapter 8 Copyright  2008 Wayne Wolf Topics Basics of register-transfer design: –data paths and controllers; –ASM charts. Pipelining.

Unified Modeling Language* Keng Siau University of Nebraska-Lincoln *Adapted from “Software Architecture and the UML” by Grady Booch.

L6-S1 UML Overview 2003 SJSU -- CmpE Advanced Object-Oriented Analysis & Design Dr. M.E. Fayad, Professor Computer Engineering Department, Room #283I College.

Page 1 Analysis of Asynchronous Systems Steven P. Miller Michael W. Whalen {spmiller, Advanced Computing Systems Rockwell.

1 Qualitative Reasoning of Distributed Object Design Nima Kaveh & Wolfgang Emmerich Software Systems Engineering Dept. Computer Science University College.

Validating Requirements Determining Completeness and Correctness of Requirements Using the System Reference Model IV&V Workshop 16 September 2009.

IV&V T ESTING S TRATEGIES FOR I NDEPENDENT V ERIFICATION OF NASA M ISSION S OFTWARE I MPLEMENTATION 3 rd Annual Workshop on Independent Validation and.

MODES-650 Advanced System Simulation Presented by Olgun Karademirci VERIFICATION AND VALIDATION OF SIMULATION MODELS.

Reusing Modeling Elements in IV&V Thomas Otani Naval Postgraduate School 2009 NASA Independent Verification and Validation (IVV) Annual Workshop John Ryan.

2015 Concurrency: logical properties 1 ©Magee/Kramer 2 nd Edition Chapter 14 Logical Properties Satisfied? Not satisfied?

OMT Modeling 1. Object Model : presented by the object model and the data dictionary. 2. Dynamic Model: presented by the state diagrams and event flow.

Architecture View Models A model is a complete, simplified description of a system from a particular perspective or viewpoint. There is no single view.

1 UML Modeling of Spacecraft Onboard Instruments Takahiro Yamada, JAXA/ISAS April 2005.

Testing OO software. State Based Testing State machine: implementation-independent specification (model) of the dynamic behaviour of the system State:

13-1 Chapter 13 Concurrency Topics Introduction Introduction to Subprogram-Level Concurrency Semaphores Monitors Message Passing Java Threads C# Threads.

IV&V Facility Assertion–Based Requirements Validation Patrick Theeke (PMP, CSQE) John Ryan September 8, 2008.

Dimensions of Formal Verification and Validation Doron Drusinsky Bret Michael Mantak Shing Naval Postgraduate School.

Modern VLSI Design 3e: Chapter 8 Copyright  1998, 2002 Prentice Hall PTR Topics n Basics of register-transfer design: –data paths and controllers; –ASM.

Software Quality Assurance and Testing Fazal Rehman Shamil.

1 Assertion based Verification: the Instrumentation Approach Doron Drusinsky ©

Dynamic Testing.

Software Systems Verification and Validation Laboratory Assignment 4 Model checking Assignment date: Lab 4 Delivery date: Lab 4, 5.

1 Phase Testing. Janice Regan, For each group of units Overview of Implementation phase Create Class Skeletons Define Implementation Plan (+ determine.

September 8, 2008NASA IV&V Facility Workshop on Validation Morgantown, WV 1 SRM Reuse Presented by Thomas W. Otani Joint work with Doron Drusinsky, Bret.

1 Sections 7.2 – 7.7 Nested Control Statements Fundamentals of Java: AP Computer Science Essentials, 4th Edition Lambert / Osborne.

Testing Tutorial 7.

Graph Coverage for Specifications CS 4501 / 6501 Software Testing

CS 641 – Requirements Engineering

Model-Driven Analysis Frameworks for Embedded Systems

Programming Languages 2nd edition Tucker and Noonan

Test Automation CS 4501 / 6501 Software Testing

Design and Implementation

Graph Coverage for Specifications CS 4501 / 6501 Software Testing

Class 4: Repetition Pretest Posttest Counting Flowchart these!

Programming Languages 2nd edition Tucker and Noonan

Presentation transcript:

Establishing IV&V Properties Steve Raque, NASA IV&V Facility Dr. Doron Drusinsky, Naval Postgraduate School 9/4/20091Establishing IV&V Properties

Outline IV&V Objectives for establishing properties Concepts refresher – Assertion Statecharts – Uses for Assertion Statecharts in IV&V Discovering critical Properties (with examples) – Reentrance – Order & Precedence – Bounded Eventualities – Loops – Invariants Integrating with other parts of the SRM 9/4/20092Establishing IV&V Properties Not mutually exclusive categories Not all-inclusive

IV&V Objectives for Establishing Properties Common understanding of the system – Precise understanding asserted – Acceptable/unacceptable scenarios Provide specific requirements to be found in the developer’s specifications Provide specific scenarios and test objectives to be found in the developer’s test program Provide scenarios and test objectives for independent testing Provide test oracle for verifying the implementation – i.e a mechanism to evaluate the actual results of a test as pass or no-pass [Binder] Provide a source for automated verification test generation 9/4/2009Establishing IV&V Properties3

Statechart Assertions Each Statechart Assertion is a formal specification of a “single” requirement. – It is a requirement, not an implementation of the requirement – Easily represents sequential/temporal logic aspects – It specifies what behavior must be observed, not how it must be implemented – It is compatible with any implementation that produces the specified behavior – One-to-one correspondence of requirements to statechart assertions improves understanding, allows testing for complex interactions among requirements, and improves reuse. StateRover makes them executable by generating JAVA code Assertion statecharts are Turing equivalent (can perform any computation) A statechart assertion is fundamentally a monitoring device that observes system behavior and determines whether that behavior is valid Dynamic approach - based on runtime state of system during (simulated or real) execution Observed behavior is valid when it matches the behavior specification coded into the assertion, and invalid when it violates the specification An assertion is run against observable behavior, typically supplied by some executable artifact running under a test scenario 4

Requirements that come from analysis of the SRM IV&V Understanding of Requirement IV&V Understanding of Requirement Natural Language Requirement Represented By Statechart Assertion Formalized By Validation Test Suite Validated By Good and Bad Scenarios Formalized By 5 SRM UML and Use Case Artifacts Analysis Creates Generated from UML

DISCOVERING CRITICAL PROPERTIES 9/4/2009Establishing IV&V Properties6

The GRAIL context 9/4/2009Establishing IV&V Properties7

Reentrance 9/4/2009Establishing IV&V Properties8 Once this sequence (or any main engine burn sequence) begins, we don’t want another burn sequence starting.

Reentrance 9/4/2009Establishing IV&V Properties9 At most one propulsion burn sequence (per orbiter) can be active at any given time.

Order and Precedence 9/4/2009Establishing IV&V Properties10 Order is important. There is some minimal time for warm-up. Order is important. There is some maximum time (for efficiency).

Order and Precedence 9/4/2009Establishing IV&V Properties11

Bounded Eventualities 9/4/2009Establishing IV&V Properties12 It is critical that the main engine burn will happen within some tolerance of the prescribed time. It is also critical that the constant pitch rate maneuver begins very close to the beginning of the burn and ends very close to the end of the burn

Bounded Eventualities(2) 9/4/2009Establishing IV&V Properties13 Once LOI sequence is uploaded, the orbiter will, within the time prescribed by the command sequence parameters (± Δt1), perform a burn for the duration prescribed in the command sequence parameters (± Δt2)

Bounded Eventualities 9/4/2009Establishing IV&V Properties14 openFuelValve is mapped to p startConstantPitchManeuver is mapped to q closeFuelValve is mapped to p stopConstantPitchManeuver is mapped to q An alternative that scales to n concurrent events is in the backup

Loops 9/4/2009Establishing IV&V Properties15 Analysis of the Attitude Control states during the LOI scenario yields loops and transitions that we want to specify out of the system. No direct transition There is likely some prudent dwell time in InertialHold There is some limit to the overall cycling between SlewAbsolute and a burn state during a period of time

Loops 9/4/2009Establishing IV&V Properties16 The Attitude Control subsystem cannot change modes from Slew to LOIDeltaV or visa-versa without being in the InertialHold mode for at least TBD seconds.

Loops 9/4/2009Establishing IV&V Properties17 The Attitude Control subsystem can toggle between Slew and LOIDeltaV modes at most TBD times per TBD minutes. Note how this is a pattern that is applicable to several mode transitions (i.e. not just during LOI)

More Loops 9/4/2009Establishing IV&V Properties18 There is a limit to the number of times we should let the Kalman Filter reset before taking a different action.

More Loops 9/4/2009Establishing IV&V Properties19 Whenever the Kalman filter is reset more than TBD times in a TBD minute interval, then Safe Mode should be entered within TBD seconds afterward

Properties from Hazard Analysis 9/4/2009Establishing IV&V Properties20 The DPR instrument shall remain powered OFF from launch until termination of FTS (flight termination system) control. In the GPM Mission, if the DPR instrument is powered, it causes RF interference with the range safety destruct receiver.

Observations It is easier to discover critical properties where humans are not making the critical decisions, the system/software is. Knowing the right categories of questions to ask and having a skeptical attitude leads to discovering many potential properties. Access to knowledge of the subject area is important to deciding which properties are worth capturing. 9/4/2009Establishing IV&V Properties21

BACKUP 9/4/2009Establishing IV&V Properties22

Alternative Concurrent Timing 9/4/2009Establishing IV&V Properties23 With n>2 events, this approach results in n threads. The previous approach results in n! sequences to draw.