Toshinori Takai (Change Vision, Inc.)
Light-weight integration of MBSE and model-checking Oct. 13, 2021@Industry Day, MODELS2021
Part of this presentation is a collaboration with Dr. Ryo Kurachi (Nagoya University) and Dr. Toshiyuki Fujikura.
1
Contents
1. Background
2. A case study
3. Processes and models in the case study
4. Observations from the case study
5. Future directions
6. Summary
2
Background
3
Example viewpoints (rows) and model kinds (columns); a cell gives the abbreviation of the model kind, "-" means none:

                  Taxonomy  Structure  Connectivity  Processes  States  Interaction Scenarios  Constraints  Roadmap  Traceability
Meta data         Md-Tx     Md-Sr      Md-Cn         Md-Pr      -       -                      Md-Ct        -        Md-Tr
Strategic         St-Tx     St-Sr      St-Cn         -          St-St   -                      St-Ct        St-Rm    St-Tr
Operational       Op-Tx     Op-Sr      Op-Cn         Op-Pr      Op-St   Op-Is                  Op-Ct        -        -
Services          Sv-Tx     Sv-Sr      Sv-Cn         Sv-Pr      Sv-St   Sv-Is                  Sv-Ct        Sv-Rm    Sv-Tr
Personnel         Pr-Tx     Pr-Sr      Pr-Cn         Pr-Pr      Pr-St   Pr-Is                  Pr-Ct        Pr-Rm    Pr-Tr
Resources         Rs-Tx     Rs-Sr      Rs-Cn         Rs-Pr      Rs-St   Rs-Is                  Rs-Ct        Rs-Rm    Rs-Tr
Security          Sc-Tx     Sc-Sr      Sc-Cn         Sc-Pr      -       -                      Sc-Ct        -        -
Projects          Pj-Tx     Pj-Sr      Pj-Cn         -          -       -                      -            Pj-Rm    Pj-Tr
Standards         Sd-Tx     Sd-Sr      -             -          -       -                      -            Sd-Rm    Sd-Tr
Actual Resources  -         Ar-Sr      Ar-Cn         Simulation (Parametric / Execution / Evaluation)       -        -

Columns spanning all rows:
  Information: Conceptual Data Model, Logical Data Model, Physical Schema, Real World Results
  Parameters:  Environment (Pm-En), Measurements (Pm-Me)
Cross-cutting model kinds: Dictionary, Overview, Requirement
In model-based systems engineering (MBSE) activities, many models must be managed consistently.
To apply model-checking techniques, the state-explosion problem has to be overcome, and describing verification properties in temporal logic is also difficult.
We expect that, when model checking is used within MBSE activities, the problems of model checking are less likely to surface, and the consistency problem of MBSE can then be mitigated.
Case study: a road vehicle with several subsystems
- Headlamp system: high-beam and low-beam modes; automatic high beam for other vehicles
- Remote key system: opening/closing the doors remotely
- Voice control system: controlling the headlamp modes with the driver's voice
4
An approach with MBSE
1. Determine viewpoints and model kinds for the target system
2. Construct a model based on the viewpoints and model kinds
5
Example viewpoints and model kinds
Example models in MBSE
2. Construct a model based on the viewpoints and model kinds
7
State model in Usage view
State model in Functional view
Requirement model in Usage view
Connectivity model in Implementation view
Using model checking through an MBSE tool
11
Promela (modeling language of the Spin model checker): simulation / model checking
SysML model
Observations: roles of model-checking tools for MBSE
1) Considering necessary interactions among entities
2) Checking consistency of the interfaces for each entity
3) Verifying the behavior of the integrated target system
   a. Preliminary checking by simulation
   b. Comprehensive checking by model checking
12
1) Considering necessary interactions among entities
Additional state models obtained by considering the headlamp together with the voice control and remote key systems (1): the ego-vehicle
13
Additional state models obtained by considering the headlamp together with the voice control and remote key systems (2): a vehicle coming from the opposite direction
14
2) Checking consistency of the interfaces for each entity
Inconsistencies among the entity models can be detected automatically by interpreting them as a behavioral model for a model-checking tool.
15
3) Verifying the behavior of the integrated target system
   b) Comprehensive checking by model checking
17
Future direction (1): Describing verification properties using SysML models
18
□ (p1 → p2)
Miyamoto et al.: Automatic Conversion from the Structure Description on UML Sequence Chart to Linear Temporal Logic, FIT2011, 2011.
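The SysML-to-Promela step of the "Using model checking through an MBSE tool" slide, the interface-consistency and integrated-behavior observations, and the □(p1 → p2) property shape above, worked through as an added example that is not part of the presentation: a hand-written Promela model of the headlamp with voice control and an oncoming vehicle (the remote key system is left out). Entity names, message names, channels and the property are assumptions, not the authors' models.

```promela
/* Added example, not from the presentation: headlamp case study in Promela.
 * Entities, messages and channels are assumptions, not the authors' models. */
mtype = { HIGH, LOW, VEHICLE_SEEN, VEHICLE_GONE };

chan voice  = [0] of { mtype };   /* voice control -> headlamp (rendezvous)  */
chan sensor = [0] of { mtype };   /* oncoming-vehicle detection -> headlamp   */

bool high_beam = false;   /* observable headlamp state of the ego-vehicle    */
bool oncoming  = false;   /* a vehicle is coming from the opposite direction */

/* Interface consistency: each if below covers every message its senders can
 * emit. If a sender used a message with no matching guard, Headlamp would
 * block inside the if, every rendezvous sender would block behind it, and the
 * system would deadlock, which Spin reports as an invalid end state. */
active proctype Headlamp() {
  mtype m;
  do
  :: voice ? m ->
       if
       :: m == HIGH && !oncoming -> high_beam = true
       :: m == HIGH &&  oncoming -> skip        /* request refused while dimmed */
       :: m == LOW  -> high_beam = false
       fi
  :: sensor ? m ->
       if
       :: m == VEHICLE_SEEN -> d_step { oncoming = true; high_beam = false }  /* automatic dimming */
       :: m == VEHICLE_GONE -> oncoming = false
       fi
  od
}

/* Environment: the driver's voice commands and other vehicles, fully nondeterministic */
active proctype VoiceControl()    { do :: voice ! HIGH :: voice ! LOW od }
active proctype OncomingVehicle() { do :: sensor ! VEHICLE_SEEN; sensor ! VEHICLE_GONE od }

/* Verification property of the form [](p1 -> p2): whenever a vehicle is seen,
 * the high beam is off, whatever the driver says. */
ltl auto_dim { [] (oncoming -> !high_beam) }
```

Checking it comprehensively (observation 3b) is `spin -a headlamp.pml && gcc -o pan pan.c && ./pan -a`; dropping the `d_step` around the dimming step gives a counterexample trail in which the claim is checked between the two assignments.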
Future direction (2): Eliciting verification properties automatically from SysML models
19
Case 1) Properties representing consistency among models in the same view
Process model
State model
20
Case 2) Properties representing consistency between models of the same kind in different views
State model in Usage view
State model in Functional view
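Case 2 above, as an added example that is not from the presentation: two hand-written Promela state models of the same headlamp, one for the Usage view and one for the Functional view, fed the same event stream, with an elicited LTL property stating that the two views agree. State names and the mapping between the views are assumptions.

```promela
/* Added example, not from the presentation: the same headlamp as two state
 * models, one per view, driven by one event stream. Names are assumptions. */
mtype = { HIGH_REQ, LOW_REQ, VEHICLE_SEEN, VEHICLE_GONE };   /* shared events */
mtype = { U_HIGH, U_LOW };                                   /* Usage view: what the driver sees */
mtype = { F_MANUAL_HIGH, F_AUTO_DIMMED, F_LOW };             /* Functional view: how it is realised */

mtype usage   = U_LOW;
mtype func    = F_LOW;
bool  vehicle = false;   /* a vehicle is coming from the opposite direction */

inline usage_step(e) {
  if
  :: e == HIGH_REQ && !vehicle         -> usage = U_HIGH
  :: e == LOW_REQ || e == VEHICLE_SEEN -> usage = U_LOW
  :: else -> skip
  fi
}

inline func_step(e) {
  if
  :: e == HIGH_REQ && !vehicle -> func = F_MANUAL_HIGH
  :: e == LOW_REQ              -> func = F_LOW
  :: e == VEHICLE_SEEN         -> func = F_AUTO_DIMMED
  :: e == VEHICLE_GONE && func == F_AUTO_DIMMED -> func = F_LOW   /* stays low until asked again */
  :: else -> skip
  fi
}

/* Environment chooses any plausible event; both views consume it in one indivisible step */
active proctype Environment() {
  mtype e;
  do
  :: if
     :: e = HIGH_REQ
     :: e = LOW_REQ
     :: !vehicle -> e = VEHICLE_SEEN
     :: vehicle  -> e = VEHICLE_GONE
     fi;
     d_step {
       usage_step(e); func_step(e);
       if
       :: e == VEHICLE_SEEN -> vehicle = true
       :: e == VEHICLE_GONE -> vehicle = false
       :: else -> skip
       fi
     }
  od
}

/* Elicited consistency property: the views agree on whether the high beam is on */
ltl views_agree { [] ((usage == U_HIGH) <-> (func == F_MANUAL_HIGH)) }
```

Changing the Functional view so that VEHICLE_GONE restores F_MANUAL_HIGH while the Usage view stays at U_LOW makes views_agree fail, and Spin's counterexample trail shows exactly the cross-view inconsistency the slide wants to elicit automatically.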
Future direction (3): Integrating model-checking techniques with risk/hazard analysis activities
21
A safety control structure in the context of STAMP/STPA, a hazard analysis technique
Mitsuaki Tsuji, Toshinori Takai, Kazuki Kakimoto, Naoki Ishihama, Masafumi Katahira, and Hajimu Iida. Prioritizing Scenarios based on STAMP/STPA Using Statistical Model Checking. 4th International Workshop on Testing Extra-Functional Properties and Quality Characteristics of Software Systems (ITEQS 2020), 9 pages, March 2020.
Semi-formal model in SysML -> Formal model in UPPAAL
Example: Evaluating risks of hazardous scenarios using Statistical Model Checking
The test case is associated with a verification target model and a property
Future direction (4): Using results of model-checking tools for safety argumentation (1)
22
Green: model checking succeeded
Red: counterexamples were obtained
Example 1: Associating verification by model checking with requirements
23
Future direction (4): Using results of model-checking tools for safety argumentation (2)
Example 2: Associating verification by model checking with evidence in Goal Structuring Notation
A tool supporting SysML, STAMP/STPA, and GSN
We provide a modeling tool that handles SysML, STAMP/STPA, GSN, and more (SCDL, etc.) in order to realize ideas including the ones mentioned in this presentation.
24
Summary
- We conducted a case study of MBSE with model-checking tools
- Observation: collaboration with model-checking/simulation tools is indispensable for MBSE
- Observed roles of model checking in MBSE:
  - Considering necessary interactions among entities
  - Checking consistency of the interfaces for each entity
  - Verifying the behavior of the integrated target system
- We showed future directions for applying model-checking techniques in MBSE
25