您的当前位置：首页 Managing Verification Activities Using SVM

Managing Verification Activities Using SVM

来源：九壹网

ManagingVeriﬁcationActivitiesUsingSVM

BillAldrich1,AnsgarFehnker2,PeterH.Feiler3,ZhiHan2,BruceH.Krogh2,

EricLim1,andShivaSivashankar4

TheMathworks,Inc.,3AppleHillDrNatick,MA01760-2098

Dept.Elec.andComp.Eng.,CarnegieMellonUniversityPittsburgh,PA15213SoftwareEngineeringInstitute,CarnegieMellonUniversityPittsburgh,PA152134

Emmeskay,Inc.,44191PlymouthOaksBlvdSuite300,Plymouth,MI48170

Abstract.SVM(SystemVeriﬁcationManager)managestheapplica-tionofveriﬁcationmethodsformodel-baseddevelopmentofembeddedsystemsbyprovidingintegratedrepresentationsofrequirements,systemarchitecture,modelsandveriﬁcationmethods.DevelopedinJavawithinMATLAB󰀁,SVMsupportsalltypesoftoolsformodellingandveriﬁca-tionthroughanextensibleframeworkofdataandcodingstructures.ThispaperpresentsthemainfeaturesofSVMandillustratesitsapplicationtoembeddedcontrolandsignalprocessingsystems.

1Introduction

SVM(SystemVeriﬁcationManager)supportsmodel-baseddesignofembed-dedsystemsoftwarebyprovidinganintegratedenvironmentforspecifyingandmanagingtherelationshipsbetweensystemrequirements,systemarchitectures,systemmodels,veriﬁcationmethods,andresultsofveriﬁcationactivities.Im-plementedinJavawithintheMATLAB󰀁environment,SVMisanextensibleenvironmentdesignedtosupporttheuseofmultiplemodelling,simulation,andveriﬁcationtools.SVMobjectsencapsulatetheinformationrequiredforman-agingthedevelopmentprocesswithpointerstotheactualmodelsandtoolsusedtocarryoutthedesign.Thus,SVMfacilitatesmodel-baseddevelopmentwithoutimposingconstraintsonthemodelsormethodsusedfordesignandimplementation.

SVMprovidesmultipleviewsthatallowthesystemdesignprocesstoevolvealongseveraldimensionswithoutadvocatingorenforcingaparticulardesignprocessormethodology.Requirements,forexample,canbeentered,imported,updated,andelaboratedasthesystemdevelops.Newmodelsandveriﬁcationmethodscanbeintroducedwhenevertheyareneeded.Diﬀerentrepresentations(calledvariants)ofcomponentsinthesystemarchitecturecanbedeﬁnedandinvokedasthedesignmovesfromalgorithmdevelopmenttoexecutablecodeforthetargetprocessor.SVMprovidesseveralfeaturesformodel-baseddevel-opmentthathavenotbeenintegratedpreviouslyintoasingletool,including:requirementstraceability,systemarchitecture,modelmanagement,veriﬁcationactivities,andresultsmanagement.

Section2describesthemainfeaturesofSVM.Thesefeaturesarethenillus-tratedforanembeddedcontrollerinanautomotiveengineapplication(Sect.3)andasignalprocessingapplication(Sect.4).Section5summarizesthecontri-butionsofthisworkandplansforfuturedevelopment.

2OverviewofSVM

SVMdoesnotprescribeaparticulardevelopmentapproach.Instead,itsupportsarangeofdevelopmentprocesses.Ononehanditsupportsthedevelopmentofasystemfromrequirementsintoasystemarchitecturethatgetsrealizedthroughaseriesofmodels,andthespeciﬁcationofveriﬁcationconditionsthatmustbemetinordertoconsidergivenrequirementstobesatisﬁed.OntheotherhandSVMsupportsthemanagementofanexistingsetofmodelsforasystembyorganizingthemintoacommonsystemarchitecture,bykeepingarecordoftheveriﬁcationactivitiesthatareroutinelyperformedonmodelsthroughmodelanalysis,simulationruns,andmodelexecution,andbyautomatingthebookkeepingoftheveriﬁcationresults.

ThissectiondescribesSVMfeaturesfordeﬁningveriﬁcationactivitiesandformanagingtheirexecutionandresults.Section2.1describestherepresenta-tionofSVMrequirementsandhowrequirementsareenteredandassociatedwithmodelsandveriﬁcationactivities.Section2.2describeshowmodelsarerepre-sentedinSVMandtherelationshipsbetweenSVMmodelobjectsandtheactualmodelsinthe“native”toolenvironments.Italsodescribestherepresentationofthesystemarchitectureandtheconceptofmodelvariantswherebymultiplemodelscanbeassociatedwithcomponentsofthesystemarchitecturetoreﬂecttheevolutionofthesystemdevelopmentprocess,andhowconsistencybetweenmodelsandthearchitectureischeckedandmaintained.Section2.3presentstheconceptsofveriﬁcationmethodsandveriﬁcationactivities,anddescribeshowtheyaredeﬁnedinSVMtobeassociatedwithparticularmodelsandrequire-ments.Section2.4describeshowSVMprovidesaccesstoveriﬁcationresultsandpropagatesthestatusofresultsthroughtherequirementshierarchy.2.1

RequirementsTraceability

SVMsupportsrequirements-drivenveriﬁcation.Allveriﬁcationactivitiesareas-sociatedwithandinitiatedfromaspeciﬁcrequirementinarequirementtreethatisdisplayedandmanagedthroughaninteractivewindow.Therequirementsview,showninFig.1,includesthenameanddescriptionoftherequirement,alongwiththestatusofitsveriﬁcation.

Requirementsareentered,viewedandmanagedinahierarchicaltreestruc-ture.Thisallowsthecascadingofrequirementsintomultiplesub-requirements,whichinturncanbefurtherpartitionedintomanageablesub-sub-requiremententities.Atypicalsafetycriticaldesignprocessinvolvessuccessivecyclesofreﬁn-ingrequirementsfromonelevelofabstractionintomoredetailedrequirementsatalowerlevelofabstraction.Theseprocessesarenaturallyrepresentedwith

Fig.1.SVMrequirementsviewforanembeddedcontrolapplication(seeSect.3)

arequirementshierarchy.[6].Sucharequirementtreecanbeenteredmanuallyorimportedfromanexistingrequirementsdocument.Currently,thesetofre-quirements(andallassociatedsub-requirements)beneathagivennodeintherequirementtreeinaprojectcanbeimportedfrom(andexportedto)aspread-sheetinExcelformat.Arequirementisveriﬁedeitherbyexecutinganydirectlyassociatedveriﬁcationactivitiesand/orbyverifyinganysub-requirements.Theveriﬁcationactivityforarequirementischosenfromthelistofregisteredver-iﬁcationmethodsandisinstantiatedwithspeciﬁcvaluesforitsinputs.Thisoperationcreatesanassociationbetweentherequirementanditsveriﬁcationac-tivities.Typically,toverifyarequirement,atestisexecutedontheworkproductandtheresultsofthetestareanalyzedtoinferiftheveriﬁcationcriteriahavebeensatisﬁed.SVMallowstheusertoimporttheworkproductasasystemmodel(orasanelementwithinthesystemmodel)andthenallowstheusertopickthissystemmodelduringveriﬁcationactivitydeﬁnition.SVMstoresandkeepstrackofsuchrelationshipstoadvisetheusertore-verifyrequirementswhenworkproductsarechanged.

Asisfrequentlypracticed,thepartitioning(orcascading)ofrequirementsintosub-requirementsgenerallyfollowsthepartitioningofthesystemintosub-systemsandcomponents.SVMallowsuserstoassociaterequirementsandsub-requirementswithnodesinthesystemarchitecture.Thisrelationshipcanbeusedtoguidetheuserinthesystemdevelopmentandveriﬁcationprocess.Aftertheveriﬁcationactivitiesaredeﬁned,theusercaninvokeveriﬁcationatanyre-quirementnodefromthecontextmenuintherequirementsview.WhentheuserrequestsveriﬁcationonaparticularrequirementinSVM,thetooltriestoverifyallthesub-requirements(includingallnestedlevels)andtheninfersthatthere-quirementhaspassedveriﬁcationonlyifallofitssub-requirementshavepassed.Theveriﬁcationstatusistrackedanddisplayedintherequirementsviewandthisstatuscanbeoneofthefollowing-passed,failed,inprogress,TBD(ToBeDecided)orinspect.Theinspectstatusﬂagsveriﬁcationactivitieswhoseresultsmustbemanuallyinspectedtodetermineiftheypassed.Thisstatuscanalso

beusedwhentheveriﬁcationactivityabortsduetoanerrorintheveriﬁcationscript.

SVMmaintainsassociationsbetweendiﬀerentobjects,suchasrequirements,veriﬁcationactivities,systemmodelsandsystemarchitecture.Theseassocia-tionsarevisuallyindicatedwithwindowsynchronizationandpropagatechangestorequirementsthatneedre-veriﬁcation.WhentheSVMwindows(views)aresynchronizedandanode(orobject)isselectedinoneoftheviews,theasso-ciatedentitiesinotherwindowsgethighlighted.ChangepropagationenablesSVMtoadvisetheusertore-verifyarequirementwheneveritoroneofitsveriﬁcationactivitiesisupdatedoraddedorsub-requirementisadded.Insuchinstances,thestatusontheaﬀectedrequirementandallofitsancestorsarere-settoTBD.Similarly,ifthemodelsintheirnativetooldomainsarechanged,SVMassociatesthesechangestoaﬀectedsystemmodelsandultimatelytotherequirementswhichusethesemodelsforveriﬁcation.Sincemodelsareusuallyassembledusingreusablelibrarycomponents,thisprovidesapowerfulmecha-nismtotracetheimpactofchangesatacomponentlevel(model)toveriﬁcationofrequirementsatthesystemlevel.2.2

ModelManagement

Embeddedsystemsaretypicallydesignedtoreﬂectasystemarchitecturethatidentiﬁesthefunctionalcomponentsinthesystem.Thearchitecturebecomesthereferenceforidentifyingtherolesofvariousmodelsdevelopedduringthedesignprocess.Similarly,systemrequirements,bothfunctionalandpara-functional,suchasresponsetime,latency,andtoleranceofincompleteandinaccuratedatastreams,aretypicallyexpressedintermsofthesystemanditssubsystems.Duringthedevelopmentadditionalclaimsandobservationsoffunctionalandpara-functionalsystempropertiesmaybemade.ThismakesthearchitecturealsoareferencepointfortherequirementsandclaimshierarchyasdiscussedinSect.2.1.Finally,requirementsandclaimsarevalidatedthroughveriﬁcationactivitiesthatareassociatedwithrequirementsandclaims(seesection4).Thoseveriﬁ-cationactivitiesareappliedtomodelsthatrepresentthesystemorsubsystem,whoserequirementistobevalidated.Thus,thesystemarchitectureprovidesabridgebetweentheveriﬁcationofrequirementsandthemodelsusedintheveriﬁcation-asshowninFig.2.

SVMprovidestwoviewsofthesystemarchitecture,atreeview,andablockdiagramview,bothshowninFig.3.Thetreeviewreﬂectsthecompositionalhierarchyofthesystem.Thegraphicalviewreﬂectstheinteractionsbetweensystemcomponents,typicallyrepresentedbyportsandconnections.

Wehaveenhancedthebasicsystemarchitecturedescriptionwithsemanticinformationabouttheapplicationdomaininordertosupportconsistencyanal-ysisofsystempropertiesthatotherwiseareundocumentedandresultinhiddensideeﬀects.Examplesofcommonproblemsaremistakingwheelspeedforcarspeed,usingmetersinsteadoffeet,orusinganabsolutecoordinatesystemin-steadofarelativeone.Figure4illustrateshowSVMidentiﬁesthesemismatchesinthesystemarchitecture.Semanticinformationcanalsoincludeboundson

Fig.2.SVMsystemarchitectureasreferencepoint

Fig.3.Treeandblockdiagramviewofthesystemarchitecture

valuesandratesofchangessuchasaconstraintonastreamofsetpoints,whosechangeinsuccessivedatavaluesisexpectedtostaywithinboundsacceptabletothereceivingcontroller.Systemarchitecturesdecoratedwithsuchadditionalinformationcanbecheckedforsemanticconsistencyearlyinthedevelopmentlifecycle.

Suchamodel-basedapproachtoarchitecturemodellingandanalysisispro-motedbytheModel-DrivenArchitectureinitiativeoftheObjectManagementGroup(OMG)[1]andisincorporatedintheSocietyofAutomotiveEngineers(SAE)ArchitectureAnalysis&DesignLanguage(AADL)standardforembed-dedreal-timesystemscurrentlyinballot[3].Thisstandardistargetedfortheavionics,aerospace,andautomotiveindustries.SVMmaintainsanabstractionofsuchmodelswithinformationthatisrelevanttotheveriﬁcationofsystem

Fig.4.Semanticinconsistencyinthesystemarchitecture

requirements.Theabstractionoftheseexternalmodelsrepresentsthemodelledsystemstructureandtheinteractionbetweenitssubsystems.Thisinformationisautomaticallyextractedfromtheexternalmodels.

Allmodelsandtheircomponentsrelatebacktothesystemarchitecturethatdeﬁnesacommonhierarchyandinteractiontopology.SVMprovidesoperationsforderivingthesystemarchitecturefromasinglemodelorfromacollectionofmodels.Similarly,itprovidesoperationsforcomparingamodelagainstitsarchi-tecture,andforidentifyingdiﬀerencesinthestructureandinteractiontopologybetweenmodels.Justasthesystemarchitecturecanbesemanticallyenriched,themodelabstractionmaintainedbySVMcanbedecoratedwithdomain-speciﬁcinformation.Semanticconsistencyisveriﬁedbetweenabstractedmodelsandthesystemarchitecture,withinthesystemarchitecture,andbetweentheabstractedmodelandtheactualexternalmodel.Theconceptofmodelabstractionandstaticcheckinghasbeenexploredpreviouslybythesoftwareengineeringcom-munity[2].Iftheexternalmodellingnotationdoesnotsupportthepresentationofsuchinformation,SVMprovidesthiscapabilityasanextensiontotheexter-naltool.Forexample,thecurrentreleaseofMathWorksSimulinkhasalimiteddatadictionarycapabilityfocusingontheconsistentuseofimplementationtypessuchasshortandlongintegers,etc.SVMextendsthesemodelswithinformationrelatedtotheapplicationdomain.2.3

VeriﬁcationActivities

TheveriﬁcationactivitiesassociatedwithSVMrequirementsaredeﬁnedintwosteps.First,veriﬁcationmethods(VMs),deﬁnedbyMATLAB󰀁m-code,areregisteredwithunboundvariables.RegisteredVMsaretheninvokedandin-stantiatedasveriﬁcationactivities(VAs)bybindingtheVMvariablestothemodelsandsignalsassociatedwithaparticularrequirement.

Fig.5.Veriﬁcationmethodregistrationinterface.

Figure5showstheVMregistrationuserinterface,whichhasthreepanestodeﬁnethevariablesintheVM(showninFig.5),theVMcodetobeexe-cuted,andthefunctionsforreviewingresultsfromtheVM(alsom-code).VMcodecaninvokeanymodelsandtoolsthroughthestandardMATLAB󰀁pro-grammingconstructs.Veriﬁcationparameters(unboundvariables)areassignednames,types,anddescriptionstoassisttheuserwhentheVMisinstantiatedasamethod.Severalpre-registeredVMsareavailablewithSVM,including:stepresponseanalysis;comparativemodelsimulation;discretemodelchecking(SMV);hybridmodelchecking(Checkmate);Dymolasimulation;batchsimu-lationondatasets;andmexcompile.UserscanaddadditionalVMs.VMsareinstantiatedasVAsfromtherequirementswindow,asshowninFig.6.TheuserselectsoneoftheregisteredVMstobeappliedfortherequirementandbindsthevariablesthatidentifythemodels,signalsanddatatobeusedfortheVA.2.4

ResultsManagement

SVMautomaticallymanagestherecordkeepingoftheexecutionofveriﬁcationactivitiesandtheirresults.Itdoessointhreeways:itmaintainstheresultstatus,itarchivestheresultsforlaterexamination,anditmanagestheimpactofchangesinmodelsandveriﬁcationmethodsbyinvalidatingpreviousveriﬁcationresultsthatarepotentiallyaﬀectedbythechanges.

Averiﬁcationactivityisinoneofseveralstates.Itmayneedtobeexecuted,itsexecutionmaybeinprogress,itmayhavecompletedbypassingorfailing,oritmayrequireexaminationtodeterminewhetheritissatisﬁed.SVMallowsveriﬁcationactivitiesofindividualrequirementstobeorganizedintoveriﬁca-tionfolders.Thosefolderscanrepresentdiﬀerentlifecyclephases,andcontainsdiﬀerentlogicexpressionstoindicatetheconditionsunderwhichthecontainedsetofveriﬁcationactivitiesandfoldersisconsideredsatisﬁed.Thisveriﬁcation

Fig.6.Deﬁningaveriﬁcationactivityforarequirement.

resultstatusisnotonlypropagateduptheveriﬁcationfolderhierarchy,butalsouptherequirementshierarchy.Suchaccumulationofveriﬁcationresultstatusprovidesasimplevisualcueastothedegreetowhichrequirementsofasystemarebeingsatisﬁedaswellasaquantiﬁcationofsuchpass/failcoverage.

Averiﬁcationactivitythattakestheformofmodelcheckingmayproducecounterexampleswhenthemodelcheckingconditionisnotsatisﬁed.Asimu-lationrunmayproducelogsofproducedoutput,tracesofstatechangesetc.Similarly,probesintheexecutingcodeofasystemmayproduceatrailofitsexecution.Thisinformationmaybeevaluatedduringtheexecutionofthever-iﬁcationactivitytodeterminetheresultsstatus.SVMkeepstrackofsuchin-formationthatisproducedbyexternaltools.Itusestheﬁlesystemtoidentifyandarchiveresultsrelatedtoaparticularveriﬁcationmethod.Beforeexecut-ingaveriﬁcationmethodthetoolcreatesanewresultsdirectoryandmakesittheworkingMATLAB󰀁directory.Thisallowsveriﬁcationmethodstoproducecommonoutputﬁleswithoutconﬂictingwiththeresultsofotherveriﬁcationmethods.SVMuserscanlaterexaminetheseresultsthroughmanualinspectiontoreviewtheautomatedevaluationoftheveriﬁcationconditionandtodrawadditionalconclusions.

SVMnotonlyautomatestherecordingofveriﬁcationresults,butitalsocanautomatetheidentiﬁcationandautomaticexecutionofveriﬁcationactivitiesthathaveyettobeexecuted.Furthermore,SVMcanmanagetheimpactofchangesmadetomodels,librarycomponentsofmodels,toconﬁgurationsofmodels,toveriﬁcationmethods,toparametersanddatasetsthatareinputtotheveriﬁcationactivity.

SVMtrackschangestoexternalmodelsanddataﬁlesintwoways.First,ittrackssuchchangesiftheyareinitiatedthroughSVMbytheuseropeningamodelordataﬁlethroughSVMandmakingmodiﬁcations.Second,changesmadethroughanexternaltoolwithouttheinvolvementofSVMareidentiﬁedbytrackingmechanismssuchasrecordingmodiﬁcationdatesofﬁlesorchecksumsofﬁlecontentsandcomparingthemtotheactualﬁlesatstartupofSVMorat

userrequest.SVMalsosupportschangeimpactmanagementbyincorporatingideasexploredinpreviousresearchonthistopic[9,7,4].SinceSVMhasarecordofrelevantdependenciesitcaninvalidatetheresultstatusofanypreviouslycom-pletedveriﬁcationactivitywhoseresultispotentiallyimpactedbythechange.SVMunderusercontrolautomaticallyre-executestheseveriﬁcationactivitiestodeterminewhethertherequirementsarestillsatisﬁed.ThesamedependencyinformationcanbeusedbySVMtoprovidewhat-ifimpactanalysis,i.e.,topredicttheamountofreveriﬁcationnecessaryasaresultofachangebeforethechangeismade.

3AnEmbeddedControlApplication

ThissectiondealswithanapplicationfromtheDARPAprojectModelBasedIntegrationofEmbeddedSoftware(MoBIES).Thisprojectproposedtwoauto-motivecasestudies,oneofthemisanElectronicThrottleControl(ETC)system.TheETCsystemisacomponentthatreplacesthemechanicallinkbetweenthepedalandthethrottleplateinanautomobile.

ProblemStatementTheETCsystemwaspartofanOpenExperimentalPlat-form(OEP).TheOEPwasusedtoillustratethemodelbasedapproachtoproduceembeddedcode.Inthissectionwewillfocusonthemodellingphase,andillustratetheuseofmultiplemodelsandveriﬁcationfolders.

Applicationof(SVM)SystemVeriﬁcationManagerFigure1depictsthere-quirementstreefortheETCsystem.TheﬁrstsetofrequirementswaspartoftheinformaldescriptionoftheETCsystem.ThisdescriptionwasprovidedbytheOEPalongwithaSimulinkandStateﬂowmodel.Amongtherequirementswererisetime,settletimeandovershootrequirements.Theserequirementsweredeﬁnedforasingleexecutionofthesystemwithstepinput.Satisfactionoftherequirementcantypicallybetestedbysingle(orﬁnitelymany)runsofthesimu-lationmodel.Forthisexampleweﬁndthattherisetimerequirementissatisﬁed,whereasthesteadystateerrorrequirementisviolated.

ThesecondsetofrequirementsdealwithasimpliﬁedversionoftheOEPmodel.AlthoughtheETCsystemisessentiallyjustaDCmotorandaspring,controlledbyaslidingmodecontroller,andalinearﬁlterfortheinput,theOEPmodelcontainmoredetails.Thismainly,becauseitservedatthesametimeasblueprintforanimplementation.Fortheveriﬁcationwemodeltheplant,theslidingmodelcontrollerandtheﬁlter,butweomitforexampledetailsfromactuatorandsensors.Thismodelisapiecewiselineartime-invariant7th-ordersystem.

ToformallyverifyrequirementsoftheETCsystemforasetofinitialstates,reachabilityanalysisisperformedonthe7th-ordermodelusingproceduresfromRRT(ReachabilityanalysisinReducedstatespaceToolbox)[5].Complexityofreachabilitycomputationsforcontinuousandhybriddynamicsystemstypi-callygrowsdramaticallywiththedimensionofthecontinuousstatespace.To

Fig.7.Theveriﬁcationfolderscanbeusedtogroupveriﬁcationactivities.

avoidperformingreachabilityanalysisinthefull-orderstatespace,thetoolRRTcomputesanover-approximationofthesetreachablestatesusingreduced-ordermodels.TheproceduresinRRTﬁrstconstructareduced-ordermodelusingthebalanceandtruncation(B&T)[8]method.Itthenestimatestheupper-boundontheapproximationerrorintroducedbymodelreduction.Finally,conservativeover-approximationsofthereachablestatesarecomputed,whichincorporatetheerrorbounds.

Thereducedorderreachabilityanalysisprovideseﬃcientanalysisattheex-penseofbiggerover-approximationerrors.Adrasticreductionoftheordermightmayleadtoalargeapproximationerror,andthustoinconclusiveresults.Ontheotherhand,iftheprocedureﬁndsthatthereducedordermodelsatisﬁestherequirement,weknowthatthefullordermodelsatisﬁestherequirement.Wedeﬁnemultipleveriﬁcationactivitieswithdiﬀerentchoicesofreducedorders.Ifanyoftheseveriﬁcationactivitiesﬁndsthatthepropertyissatisﬁed,weknowthattheoverallrequirementissatisﬁed.TheveriﬁcationfolderReducedordercontainsallveriﬁcationactivities.ToreﬂectthatonlyoneoftheseactivitieshastoreturnPASS,weselecttheoptionORfromthecontextmenuSetVeriﬁcationLogic(Fig.7).

FutureWorkThecurrentimplementationSVMevaluatesallveriﬁcationactivi-ties.Ifaveriﬁcationfoldercontainsmultipleactivities,ofwhichonlyonehastopass,theSVMcouldstopassoonasoneactivitypasses.ThestatusofthefolderwillbePASSEDregardlessoftheoutcomeoftheremainingactivities.Similarly,ifallactivitieshavetopass,theevaluationmightstopassoonasoneactivityfails.AfuturereleaseoftheSVMshouldgivetheusertheoptiontoeithereval-uateallactivitiesregardlessoftheresult,ortostopevaluationassoonasthestatusofthefoldercanbedetermined.

Fig.8.SignalClassiﬁer:ApplicationLevel.

4ASignalProcessingApplication

InthissectionweconsidertheapplicationofSVMtoasignalclassiﬁcationdevelopmentproject.ThegoalofthisprojectistoproduceeﬃcientembeddablecodestartingfromaprototypedesignimplementedinMATLAB󰀁usingthebuilt-inlanguageandsignalprocessingfunctions.WeneedtoensurethattheﬁnalimplementationisabletogenerateembeddablecodeandisfunctionallyequivalenttotheprototypeMATLAB󰀁Mcodewithinanacceptabletolerance.SVMisusedtopreciselyidentifydiscrepanciesbetweentheimplementationsandtotracethesetospeciﬁccomponentsinthedesign.

ProblemStatementThisapplicationclassiﬁesincomingsignalasPhaseShiftKeyed(PSK),FrequencyShiftKeyed(FSK),ornoneoftheabove(NOTA)basedonsignalfeaturessuchasbandwidth,symbolrate,kurtosis,numberofspectraltones,andnumberofphasestates.Themodel-basedimplementationisdoneinSimulinkandStateﬂowsothatembeddableC-codecanbeautomaticallygeneratedusingReal-TimeWorkshop.

DesignTheSimulinkmodelisarrangedinanapplication,component,andprim-itiveblockhierarchy.Thisarrangementiswellsuitedtoamodelbasedimple-mentationbecauseitclearlyillustratesthecontrolanddataﬂow.Figure8showsthetoplevelSimulinkdiagram.Theapplicationiscomposedofﬁvefeatureex-tractorcomponentsthatprocessesinputsignalstoproducesignalcharacteristicsthatareusedtodeterminesignalmodulation.Thesecomponentsarebuiltwithprimitiveblocks,eachofwhichperformsaspeciﬁcsignaloperation.

TheunderlyingimplementationoftheprimitiveblocksleveragesthesignalprocessingcapabilitiesofSimulinkandtheSignalProcessingBlocksetexten-sionproduct.Insomecasestheprimitiveblockfunctionrequiressomecustomcapabilitybeyondthebuilt-inlibraryofsignalprocessingcomponents.State-ﬂowisusedinmanyofthesecasestoincorporatearbitrarystructuredcontrolﬂowsuchaswhileloopsandnestedif-thenelseconstructs.Figure9showstwo

Fig.9.SignalClassiﬁer:ComponentLevel.

Fig.10.VeriﬁcationMethodusetocompareSimulinkimplementationagainstrefer-enceM-codeimplementation.

blockimplementations:OBFFTthatsimplyencapsulatesthebuilt-inFFT,andOBBWest,thebandwidthestimator,thatisaStateﬂowchart.

Applicationof(SVM)SystemVeriﬁcationManagerVerifyingtheSimulinkmodelimplementationagainstthereferenceMATLAB󰀁implementationcanbete-dious,consideringthenumberofcomponentsthatmustbeindividuallyveriﬁed.SVMhelpstheuserorganizesrequirements,veriﬁcationactivitiesandresultsallinonecentralpoint.

ToverifytheSimulinkcomponentimplementations,weneedtestinputsandoutput.WedevisedasystemshowninFig.10tocapturetheseoutputsasasideeﬀectofexecutingtheoverallprototypesignalclassiﬁcationapplication.ThereferenceinputsdrivetheSimulinkblockstogivetestoutputsthatare

Fig.11.Associatingveriﬁcationmethodforeachblock.

Fig.12.VeriﬁcationResults.

comparedagainstthereferenceM-functionsblockstodetermineiftheresultsmeetaspeciﬁedtolerance.

ThisveriﬁcationmethodisimplementedasanMfunctionregisteredwithinSVM.RegisteringagenericoperationsuchasthisenablesustoinstantiateandparameterizethefunctionfromwithintheSVMuserinterface.AsshowninFig.11eachprimitiveandcomponentblockhasaninstantiationofthemethodwithitsownsetifparametervalues.

Aftereachveriﬁcationactivity,theresultsareautomaticallyorganizedinaseparatefolderbySVMandcanbeeasilyaccessedwithintheSVMenvironment.Forexample,theOBPSDprimitiveblock,whichcomputesthepowerspectrumdensity,followsthereferenceMATLAB󰀁implementationveryclosely.Theerrorisontheorderof10-14whichisclosetoﬂoatingpointprecision(Fig12).

Verifyingablockagainstonesignaldoesnotguaranteethattherequirementswillbemetforanentirerangeofsignals.SVMprovidesaneasymethodtorepeat

Fig.13.Cloningveriﬁcationactivityforasetofinputsignals.

theveriﬁcationforasetofsignalsbycloningtheveriﬁcationactivity,asshowninFig.13.Bybreakingdowntheveriﬁcationstomanageablemodelprimitivecomponents,theusercannoweasilylocateandtroubleshootareaswithinamodelthatcausesittodeviatefromrequirements.Theveriﬁcationactivitiesareautomaticallyorganizedwithinaveriﬁcationfoldertoallowtheusertoeasilybrowsetheresults.

Oftentimes,anupdatetoaprimitiveblockwillhavesigniﬁcantramiﬁcationstootherpartofthemodel.SVMhastheabilitytoidentifythesedependenciesandappropriatelyresettheveriﬁcationstatus.IftheuserupdatesaprimitiveblockallveriﬁcationactivitiesthatdependsonthissystemmodelwillhavetheirveriﬁcationstatusresettoTBD(tobedetermined).

FutureWorkTheconceptofcloningaveriﬁcationactivityforasetofinputsignalsdoesnotensureeverypartofamodelistested.AspartoftheSimulinkPerformanceToolspackagethereisatoolcalledModelCoverage,whichrecordsallsimulationpathsandgeneratesareportindicatinguntestedportionsofamodelforagivensetofinputsignals.TheSVMveriﬁcationmethodwillbeenhancedtoleveragethiscapabilitytogivetheuseradditionalveriﬁcationin-formationtoensurethemodelwillmeettheirspeciﬁedrequirements.

5Discussion

ThispaperdescribesthefeaturesofthecurrentbetaversionofSVM(availableathttp://www.ece.cmu.edu/∼webk/svm).SVMhasbeenappliedtoseveralexam-plesintheDARPAMoBIESprogram,includingtheelectronicthrottlecontrol(ETC)andasoftwareradiodigitalsignalprocessingsystem,describedinthispaper.Currentdevelopmentisfocusingonenhancingthedevelopmentenviron-mentfordeﬁningveriﬁcationmethodsandveriﬁcationactivities.

WearealsoinvestigatingmethodsforincreasingthecapabilityofSVMtosupportheterogeneousveriﬁcationactivities,bywhichwemeantheapplicationofmultipleformalismsandtoolstoacquireinformationaboutthedesignandsystemperformance.Thecurrentmechanismsforcombiningveriﬁcationstatusinformationintherequirementstreeareaﬁrststepinthisdirection.Require-mentscanbesatisﬁedusingawiderangeofveriﬁcationmethods,includingsim-ulation,modelchecking,theoremproving,anddesignerevaluationofempiricalresults.WeaimtoincreasethepowerofSVMbyintroducingricherrepresenta-tionsoftherelationshipsamongmodelsandveriﬁcationactivitiessothatfurtherinferencescouldbeobtainedautomatically.Towardsthatend,wearedevelop-inganontologyforhybridsystemveriﬁcationthatwillsupportcombiningandreasoningaboutinformationfromheterogeneousveriﬁcationactivities.

References

1.OMGmodeldrivenarchitecture.http://www.omg.org/mda.

2.E.M.Clarke,O.Grumberg,andD.E.Long.Modelcheckingandabstraction.InNineteenthAnnualACMSymposiumonPrinciplesofProgrammingLanguages,1992.

3.P.Feiler,B.Lewis,andS.Vestal.TheSAEArchitectureAnalysis&DesignLan-guage(AADL)Standard:Abasisformodel-basedarchitecture-drivenembeddedsystemsengineering.InIFIPWorldComputerCongress-WorkshoponArchitec-tureDescriptionLanguages(WADL04),2004.

4.P.H.FeilerandJunLi.Managinginconsistencyinreconﬁgurablesystems.InIEEProceedingsSoftware,pages172–179,1998.

5.Z.HanandB.H.Krogh.Usingreduced-ordermodelsinreachabilityanalysisofhybridsystems.InIEEEProcofAmericanControlConference,2004,toappear.6.L.A.Johnson.Softwareconsiderationsinairbornesystemsandequipmentcertiﬁ-cation.Technicalreport,RTCAInc.,1992.DocumentRTCA/DO-178B.

7.JunLiandP.H.Feiler.Impactanalysisinreal-timecontrolsystems.InProceedingsofInternationalConferenceonSoftwareMaintenance(ICSM),pages443–452.IEEECSPress,1999.

8.B.C.Moore.Principalcomponentanalysisinlinearsystems:Controllability,ob-servabilityandmodelreduction.IEEETransactiononAutomaticControl,26(1),Feb1981.

9.D.E.Perry.ThelogicofpropagationintheInscapeEnvironment.InACMSIG-SOFT’ThirdSymposiumonSoftwareTesting,AnalysisandVeriﬁcation,pages114–21,19.

因篇幅问题不能全部显示，请点此查看更多更全内容

查看全文