Modeling the Behavior of Automotive Embedded Systems with EAST-ADL
Lei Feng, DeJiu Chen, Martin Törngren
Embedded Control Systems/Mechatronics, KTH
2012-02-06
www.ices.kth.se
Outline
Basics on EAST-ADL
Behavior Modeling in EAST-ADL
The Behavior Annex
Model transformation from EAST-ADL to SPIN
Conclusions and Future Works
What is EAST-ADL?
A domain-specific Architecture Description Language (ADL) to support model-based development of automotive embedded systems
Motivated by the increasing complexity and criticality of vehicle electronics
Errors caused by engineering flaws are a major threat to safety
Improved engineering methods are necessary
(Figure: model-based management of engineering information)
Developers’ Wishes
Describe the overall “system” in one language
Specify both hierarchy and interactions
Allocate SW components to HW components
Explore and evaluate design solutions
Model based analysis and reasoning
Consistent interfaces, error propagation, timing analysis, etc.
Communication and report generation
Automatic code generation
…
As Time Goes By
(Timeline figure, 2000 to 2010.) Labelled items: ADAMS, T2U, SAFE, EDONA, CESAR, TIMMO, EAST-EEA, ATESST, ATESST2, MAENAD, AUTOSAR, JASPAR, Volvo exploitation.
Around 2000: EEA AIL, UML2, Titus, SysML, AADL
Around 2005: EAST-ADL, alongside UML2, SysML, AADL, AUTOSAR
Around 2010: EAST-ADL2, alongside UML2, SysML, AADL, AUTOSAR
EAST-ADL Abstraction Levels
Vehicle and Analysis Levels are specific to EAST-ADL (support for the OEM's views)
Vehicle Level: features of the vehicle, variability
Analysis Level: abstract functions, requirements
Design Level: HW topology, SW components, allocation
Implementation Level: system implementation by AUTOSAR
Vehicle and Analysis Levels
(Figure only.)
Design Level
(Figure: example model with elements labelled <<Function>> BrakePlantModel, <<EnvironmentModel>> DemonstratorEM, PedalAngle, WheelSpeedFL and BrakeForce.)
Function interaction
End-to-end
AUTOSAR support
Implementation Level
A straightforward mapping from the design level model to the AUTOSAR model
Outline
Basics on EAST-ADL
Behavior Modeling in EAST-ADL
An illustrative example
The Behavior Annex
Model transformation from EAST-ADL to SPIN
Conclusions and Future Works
Leader-Follower Decision
Two pursuing vehicles in the same lane
Each vehicle periodically broadcasts its own position and velocity and listens to the other
The vehicles decide their roles locally according to position
The follower must maintain the same velocity as the leader
Behavior Modeling in EAST-ADL
Asynchronous components (Function type)
Run-to-completion
Triggers of components: periodic, event (data receive event and client-server event)
Communication ports: a message buffer at each incoming FlowPort
The semantics of the buffer is fixed in EAST-ADL:
Buffered message queue of length 1
Non-blocking
Over-writable
Persistent data
A Snapshot of the Behavior Model
(Figure: functional blocks with input and output data ports.)
Limitations of Standard EAST-ADL
The behavior modeling is limited to attributes at the component level, such as operational modes, communication, and execution triggers
The details within a component are supplied by external tools, e.g., Simulink, UML, C code, etc.
Wanted: early verification of the functional correctness of automotive embedded systems
Behavior Annex
Proposed by KTH through ATESST2, being further developed through MAENAD
A formal modeling approach to capture the dynamics inside components
A core for defining mapping rules and algorithms to transform the behavior model to various analysis tools
Integration with External Analysis Techniques
(Table; columns: Analysis of | EAST analysis modeling support | Related external tools (analysis model/engine))
System discrete behaviors | BehaviorAnnex BehaviorModel VFM/FAA/FDA/HWA; BehaviorAnnex BehaviorModel EnvironmentModel; BehaviorAnnex RequirementsModel | SPIN; UPPAAL; StateMate; Petri-net…
System physical dynamics | BehaviorAnnex BehaviorModel EnvironmentModel; BehaviorAnnex BehaviorModel HWA; BehaviorAnnex RequirementsModel | Modelica; Multisim; VHDL-AMS
Safety | BehaviorAnnex ErrorModel VFM/FAA/FDA/HWA | PANDORA/HiPHOPS; AltaRica…
Reliability | BehaviorAnnex ErrorModel VFM/FAA/FDA/HWA | Markov model…
Fault injection | BehaviorAnnex V&V Model VFM/FAA/FDA/HWA | Simulink toolbox (e.g., Mogentes)…
Timing | BehaviorAnnex TimingModel VFM/FAA/FDA/HWA | MAST, RT-DRUID…
Also listed in the tools column (row not recoverable from the extraction): StateFlow & Simulink; HRC; AADL
Outline
Basics on EAST-ADL
Behavioral Modeling in EAST-ADL
The Behavior Annex
Model transformation from EAST-ADL to SPIN
Conclusions and Future Works
The Principle of Model Checking
System: L(S), the set of all possible executions of S
Property: L(p), the set of valid/desirable executions
Prove that: L(S) ⊆ L(p)
Method: to prove L(S) ⊆ L(p), we can prove L(S) ∩ (U \ L(p)) = ∅, that is, L(S) ∩ L(¬p) = ∅
Let I = L(S) ∩ L(¬p) (the intersection marked in the Venn diagram of U, L(S) and L(p)). If I = ∅, then S satisfies p; otherwise, the elements of I are counterexamples
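Added derivation (not on the original slide) of why the method is sound, written with the slide's own symbols; I is the set that an exhaustive model checker searches for:

$$
\begin{aligned}
L(S) \subseteq L(p)
&\iff \forall \sigma \in L(S):\ \sigma \in L(p) \\
&\iff \forall \sigma \in L(S):\ \sigma \notin U \setminus L(p) \\
&\iff L(S) \cap (U \setminus L(p)) = \emptyset \\
&\iff L(S) \cap L(\neg p) = \emptyset, \qquad \text{since } L(\neg p) = U \setminus L(p).
\end{aligned}
$$

Hence, with $I = L(S) \cap L(\neg p)$, $I = \emptyset$ holds exactly when $S$ satisfies $p$, and any $\sigma \in I$ is an execution of $S$ that violates $p$, i.e. a counterexample.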
Logic Model Checker SPIN
SPIN: a powerful open-source software tool for detecting software defects in multi-threaded software
Exhaustive verification
No quantitative consideration of time
Properties of the SPIN model:
Finite-state: guarantees decidability
Asynchronous: no hidden synchronization between processes
Non-deterministic: multiple execution choices may be valid, and the choice is arbitrary
Elements of a SPIN Model
3 basic objects in a SPIN model (figure: process1 and process2 communicating over message channels)
Essentials for EAST to SPIN Mapping
A behavior state machine is mapped to an asynchronous SPIN process
A parameter is mapped to SPIN data; SPIN allows bit, bool, byte, short, int, unsigned, and structure types
A message queue inside a receiver FlowPort is mapped to a buffered SPIN message channel
Function triggers are mapped to message channels
The preCondition and postCondition of a Transformation are mapped to assertions
Model Transformation Example
(Figure: SPIN processes, buffered message channels, and execution triggers modeled by synchronous channels.)
• 5 asynchronous processes
• About 10 message channels
• Each process has about 20 states
Requirements on the System
Free of deadlock
There can be at most 1 leader at any time
When a leader is elected and maintained, the two vehicles will eventually have the same velocity
The vehicle velocity is always in a given range
A counterexample is identified by SPIN
Free of Deadlock
(Figure only.)
At Most 1 Leader
Valid only if the two actions at TakeLeaderRoleAction are atomic
24,195,561 states; 38,683,842 transitions
8.293 M memory
Elapsed time: 176 seconds
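Added example, not the authors' SPIN/Promela model and not code from the slides: a small Python stand-in that reproduces the atomicity finding above with the same ingredients the deck describes, namely the FlowPort buffer semantics (slide 12: queue length 1, non-blocking, over-writable, persistent), the model-checking principle (slide 19: exhaustively search L(S) for a member of L(¬p)) and the EAST-to-SPIN mapping (slide 22: one asynchronous process per function, a buffered channel per receiver FlowPort). Everything about the vehicles is a constructed assumption: positions are bounded to 0..3 to keep the state space finite, vehicle 0 starts ahead and vehicle 1 never passes it, a vehicle leads iff it is ahead of the other's last reported position and no leader has been announced, and a non-atomic TakeLeaderRoleAction is assumed to split into "set role" and "broadcast" as two separate steps (the slide does not say what its two actions are). Breadth-first search replaces SPIN's verifier, and the "at most 1 leader" requirement is checked as a state invariant.

```python
"""Constructed leader-follower model checked by explicit-state search."""
from collections import deque
from typing import Dict, List, Optional, Tuple

NONE, LEADER, FOLLOWER = "none", "leader", "follower"
MAX_POS = 3   # constructed bound: positions 0..3 keep the state space finite

# Broadcast message = (sender role, sender position); None = nothing received yet.
Msg = Optional[Tuple[str, int]]
# Vehicle = (role, position, broadcast_pending, incoming FlowPort contents)
Vehicle = Tuple[str, int, bool, Msg]
State = Tuple[Vehicle, Vehicle]   # vehicle 0 starts ahead of vehicle 1


def decide(role: str, pos: int, msg: Msg) -> str:
    """Local role decision (constructed rule): defer to an announced leader,
    else lead iff ahead of the other vehicle's last reported position."""
    if msg is None:                 # FlowPort still empty: keep the current role
        return role
    other_role, other_pos = msg
    if other_role == LEADER:
        return FOLLOWER
    return LEADER if pos > other_pos else FOLLOWER


def successors(state: State, atomic: bool) -> List[State]:
    """Every next state: each vehicle may move one step or run its function."""
    nxt: List[State] = []
    for i in (0, 1):
        j = 1 - i
        role, pos, pending, port = state[i]
        o_role, o_pos, o_pending, _ = state[j]

        def emit(vi: Vehicle, vj: Vehicle) -> None:
            nxt.append((vi, vj) if i == 0 else (vj, vi))

        # Movement without a broadcast, so the other vehicle's view goes stale.
        # Vehicle 0 leads the lane; vehicle 1 pursues and never passes it.
        limit = MAX_POS if i == 0 else o_pos - 1
        if pos < limit:
            emit((role, pos + 1, pending, port), state[j])

        if pending:
            # Second half of a split TakeLeaderRoleAction: broadcast the role
            # chosen earlier. Writing the receiver's FlowPort never blocks and
            # overwrites whatever message was buffered there (queue length 1).
            emit((role, pos, False, port), (o_role, o_pos, o_pending, (role, pos)))
        else:
            # Run-to-completion function step. Reading the FlowPort is
            # persistent: the message stays in the buffer for the next read.
            new_role = decide(role, pos, port)
            if atomic:   # set role and broadcast in one indivisible step
                emit((new_role, pos, False, port),
                     (o_role, o_pos, o_pending, (new_role, pos)))
            else:        # set role now, broadcast in a later, separate step
                emit((new_role, pos, True, port), state[j])
    return nxt


def explore(atomic: bool) -> Dict[str, object]:
    """Breadth-first search of L(S): counts states and deadlocked states and,
    if some state has two leaders (L(S) meets L(not p)), returns the shortest
    counterexample trace from the initial state."""
    init: State = ((NONE, 1, False, None), (NONE, 0, False, None))
    parent: Dict[State, Optional[State]] = {init: None}
    queue = deque([init])
    counterexample: Optional[List[State]] = None
    deadlocks = 0
    while queue:
        s = queue.popleft()
        if counterexample is None and s[0][0] == LEADER and s[1][0] == LEADER:
            counterexample, u = [], s
            while u is not None:          # walk parent links back to init
                counterexample.append(u)
                u = parent[u]
            counterexample.reverse()
        succ = successors(s, atomic)
        if not succ:
            deadlocks += 1
        for t in succ:
            if t not in parent:
                parent[t] = s
                queue.append(t)
    return {"states": len(parent), "deadlocks": deadlocks,
            "two_leaders": counterexample}


if __name__ == "__main__":
    for atomic in (True, False):
        r = explore(atomic)
        found = r["two_leaders"]
        print(f"atomic={atomic}: {r['states']} states, {r['deadlocks']} deadlocks,"
              f" two leaders: {'no' if found is None else 'yes'}")
        for step in found or []:
            print("   ", step)
```

With `atomic=True` the search finds no state with two leaders and no deadlock; with `atomic=False` it prints a trace in which vehicle 0 has set its role to leader but not yet broadcast it, while vehicle 1, reading a stale position from its one-slot FlowPort, also takes the leader role. The persistent, over-writable buffer is what makes the stale read possible, and the atomic block is what closes the window, which is the same conclusion the slide reports for the SPIN model.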
Conclusions & Future Work
A brief introduction to EAST-ADL behavior modeling and the behavior annex
Consistent with the existing definitions
Sufficient for various analysis techniques
Friendly to external verification tools
Model transformation method from EAST-ADL to SPIN
Future work
Refine the behavior annex and the SPIN transformation
Investigate the transformation to other verification tools, especially UPPAAL
Formal analysis of timed properties