1

A Context Analysis Methodfor Constructing Reliable Embedded Systems

Naoyasu Ubayashi, Toshiki Seto, Hirotoshi Kanagawa,Susumu Taniguchi, and Jun Yoshida (Kyushu Institute of Technology)Takeshi Sumi and Masayuki Hirayama (Toshiba)

May 11, 2007

MISE 200 ８

Contexts in embedded systems

Many embedded systems not only affect their contexts through actuators but also are affected by their contexts through sensors.

However, requirements analysis is mainly conducted from the viewpoint of system functions, and contexts are only roughly analyzed.

2

Unexpected behavior might emerge in a system if a developer does not recognize any possible conflicting combinations between the system and contexts.

It is difficult to decide the boundary of contexts that should be taken into account: which contexts should be included as the targets of requirements analysis.

EmbeddedSystem

Actuator

SensorContexts

Boundary ?Association ?Frame

Problem !

Today’s my talk

We propose a context-dependent requirements analysis method called CAMEmb (Context Analysis Method for Embedded systems).

3

UML Profile for Context Analysis

Formal Methods( VDM++ )

CAMEmb is a systematic approach to

exploring context boundary avoiding the frame problem,

verifying whether requirements can be satisfied under the expected contexts,

changing requirements or context boundary if not satisfied.

4

Outline

1. Motivation2. CAMEmb3. MDD based on CAMEmb4. Conclusions and Future work

5

1. Motivation

6

Example: an electric pot

water level sensor

heater

thermostat liquid

context

system

pot

The pot controls the water temperature by turning on or off the heater.

The pot changes its mode to the heat-retaining mode when the temperature becomes 100 Celsius.

The pot observes the volume from the water level.

Boil: () ==> ()Boil() == while thermostat.GetTemperature() < 100.0 do heater.On();

However, faults may occur if the expected contexts are changed.

---for example, the circumstance of the low air pressure

Should air pressure be taken into account ?

7

water level sensor

heater

thermostat Liquid

context

system

pot

Non trivial !Air

PressureAir

Pressure

Boundary

? ?This depends on user requirements.

However, it is important to check the consistency if we decide that air pressure must be taken into account.

It is also important to check the impact when air pressure is included in the expected contexts.

Problems to be tackled

The boundary of contexts should be determined from user requirements.

We must take into account the influence that occurs in the cooperation among a target system and contexts within the boundary.

We must also detect defects by recognizing any possible conflicting combinations among the system and contexts.

8

Systematic way forcontext analysis

2. CAMEmb

Context Analysis Methodfor Embedded systems

9

CAMEmb Overview

10

Formal Methods( VDM++ )

UML Profile for Context Analysis

Context modeling

11

UML profile for context analysis Steps forexploring boundary

1. Context elements (value object) observed or controlled directly by a sensor or an actuator are extracted.

2. Impact factors that affect the states (values) of these context elements are extracted using guide words.Initial

Boundary

Sensor cannot observe original data

Factor related to a specific value

Contexts that do not change the values are

ignored !The frame problem is

avoided !

FinalBoundary

Factor that determines the upper limit

Translation to VDM++

12

13

VDM++ Specificationclass Software

instance variables heater : Heater; thermostat : Thermostat; liquid_level_sensor : LiquidLevelSensor;

operations public Setup: RealWorld ==> () Setup(realworld) == (heater := new Heater(); heater.Setup(realworld); thermostat := new Thermostat(); thermostat.Setup(realworld); liquid_level_sensor := new LiquidLevelSensor(); liquid_level_sensor.Setup(realworld); );

public Boil: () ==> () Boil() == while thermostat.GetTemperature() <= 100.0 and liquid_level_sensor.IsOn() = true

do heater.On()

pre liquid_level_sensor.IsOn() = true post liquid_level_sensor.IsOn() = true;

end Software

Constraints

From user requirements(water should not be empty)

Context Validation

14

Formal Methods( VDM++ )

Lightweight Formal Methods

15

VDM++ test execution

Specification can be validated by VDM++ test execution

System Specification

Context A

Context B

Normal Air pressureCONTEXT-atmospheric-air-pressureplace-normalCONTEXT-liquid-water

Low Air PressureCONTEXT-atmospheric-air-pressureplace-lowCONTEXT-liquid-water

Results of test execution

16

Error !We must reconsider whether air pressure should be included in

the expected contexts.

Requirements refinement

17

water level sensor

heater

thermistor Liquid

contextsystem

pot

Air Pressure

Air Pressure

Boundary

Out of ScopeReconsider Hardware Requirements

Fixed to1.0 ATM

Model-based testing based on lightweight formal methods is effective forexploring context boundary andrefining requirements.

3. MDD based on CAMEmb

18

DSL construction using AspectM

19

AspectM metamodel

AspectM model

introducea new kind of

domain-specificmodel element

modifythe AspectMmetamodel

reflect

reify

MMAP

extensionpoint

new modelelement

protocols

Base level

Meta level

Editing-timestructuralreflection

[Ubayashi 2007]

Model editor for CAMEmb

20

Context model of a line trace car

Model transformation

21

Total code size: 223 LOCAutomatic generated code size: 174 LOC 78 %

Context Model

SystemModel

Java

Analysis Model Design Model Code

4. Conclusions and Future work

22

Conclusions

A context-dependent requirements analysis method is proposed.

Our approach is a new kind of MDD that explicitly takes into account the existence of contexts.

23

Future work --- CAMEmb and Problem Frame

In problem frames, relations between a machine (a system to be developed) and the real-world are explicitly described.

We are now exploring the possibility of integrating CAMEmb with problem frames.

We found that there was the similarity between our UML profile and frame patterns.

24

Context analysis with problem frames

25

TraceController（ TC ）

AABody（ BD

）

LineTrace

C

a: TC! { Right, Left} BD! { Line detected, Linemissed}b: LP! { On, Off}c: LC! { Ground Color}d: LS! { Reflected Light}r: BD! { Run, Return to Course}

r

b

ControlMachine

ControlledDomain

RequiredBehavior

AALight

Sensor（ LS ）X

Line recognitionController

(LC)

AALine

Position（ LP ）X

TransformationMachine

Output

Input

Required Behavior Frame

Transformation Frame

c

a

d

On if ground color is black