Applying ASD in Designing and Verifying: BeX Orchestration Controller


DESCRIPTION

Applying ASD in Designing And Verifying: BeX Orchestration Controller. Harsh Beohar. Goal: to briefly describe ASD as a methodology; to describe the behavior of the system under design in brief; to briefly describe the scenarios which are designed using ASD. (PowerPoint presentation)

TRANSCRIPT

Page 1: Applying ASD in Designing And  Verifying:  BeX Orchestration Controller

Harsh Beohar


Page 2: Goal

CONFIDENTIAL BL-Components, Harsh Beohar, April 04, 2008

• To briefly describe ASD as a methodology.

• To describe the behavior of the system under design in brief.

• To briefly describe the scenarios which are designed using ASD.

• Problems encountered while using ASD.

Page 3: ASD Methodology [1]

Page 4: ASD Road Map

Page 5: Mealy Machine

• Differences with an automaton:
  – A Mealy machine does not have final states.
  – In a Mealy machine each transition produces output based on the current state and input.

• This motivates us to model a reactive system through a Mealy machine.

• To enable the use of predicates in state transitions, we need to add one more element to the Mealy machine tuple.

• $M = (Q, \Sigma, \Gamma, P, \delta, \lambda, q_i)$
  – $Q$: a finite set of states.
  – $\Sigma$: a finite set of stimuli S (finite input alphabet).
  – $\Gamma$: a finite set of responses R (finite output alphabet).
  – $P$: a set of unbounded predicates.
  – $\delta : Q \times \Sigma \to Q$ (next state function).
  – $\lambda : Q \times \Sigma \to \Gamma$ (output function).
  – $q_i$: initial state.

Page 6: Box structure development methodology (BSDM)

• Operates by identifying and refining abstractions to develop a software system through 3 views [2]:
  – Black Box.
  – State Box.
  – Clear Box.

• The black box is a state-free description of the external view of the system.

• Let S and R denote the set of stimuli and responses respectively of a system. Then the black box function BB of the system is defined as a total function that maps stimulus history to responses:

$$BB : S^* \to R$$

Page 7: BSDM contd.

• The state box is derived from the black box and introduces internal state.

• Let Q, S and R denote the set of states, stimuli and responses respectively. Then the state box is given as

$$SB : (S \times Q) \to (Q \times R)$$

• The clear box is an implementation of the state box in any high level language: C++, Java etc.

Page 8: Sequence Based Specification

• SBS [3] is a method for producing consistent, complete and traceably correct software specifications.

• SBS is used to derive the black box function.

• The black box function and the next state function ($\delta$) from the Mealy machine are used to derive the state box functions.

• In [3], Prowell and Poore presented the SBS method for systematically defining:
  – Consistency: each stimulus history maps to only one response.
  – Completeness: a response is defined for every stimulus history.
  – Correctness: requirements traceability.

• A sample sequence based specification: OrchestrationController.

Page 9: Verification = CSP + Model Checking

• ASD uses CSP as a formal method to handle concurrency.

• Model checking is performed by generating CSP and using FDR2 to verify system properties.

• Specification ⊑ Implementation means that every behavior of the Implementation is also a behavior of the Specification.

• In more detail, let $I_i$ and $I_u$ denote the sets of implemented and used interfaces of a component respectively, and let $D$ denote the design of that component. Then Verum checks for

$$I_i \sqsubseteq_{FD} \big( D \parallel (\,|||\, I_u) \big)$$

• Also, they check requirements by specifying them in CSP and then checking them through the above refinement.
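The refinement check above, as an added example that is neither Verum's FDR2 nor the author's models: a small traces-refinement checker (only the T part of the FD check; failures and divergences are not examined) run on a constructed interface model of the Preparation Controller's prepare cycle, the protocol the later BeX slides describe, reduced to one used service. A correct design passes; a faulty one that accepts a new Prepare straight after PrepareFailed is caught with the offending trace. All state, event and interface names are constructed for this example.

```python
from collections import deque

def lts(init, *edges):
    """Finite labelled transition system from (state, event, next) triples; event None is internal."""
    trans = {}
    for s, e, n in edges:
        trans.setdefault(s, []).append((e, n))
    return (init, trans)
def alphabet(p):
    return {e for tr in p[1].values() for e, _ in tr if e is not None}
def parallel(p, q):
    """Alphabetised parallel P || Q: events in both alphabets synchronise, the rest interleave."""
    shared, init = alphabet(p) & alphabet(q), (p[0], q[0])
    trans, todo, seen = {}, deque([init]), {init}
    while todo:
        sp, sq = s = todo.popleft()
        out = [(e, (n, sq)) for e, n in p[1].get(sp, []) if e not in shared]
        out += [(e, (sp, n)) for e, n in q[1].get(sq, []) if e not in shared]
        out += [(e, (n1, n2)) for e, n1 in p[1].get(sp, []) if e in shared
                for e2, n2 in q[1].get(sq, []) if e2 == e]
        trans[s] = out
        for _, n in out:
            if n not in seen:
                seen.add(n); todo.append(n)
    return (init, trans)
def hide(p, hidden):
    """P \\ hidden: the hidden events become internal moves (None)."""
    return (p[0], {s: [(None if e in hidden else e, n) for e, n in tr] for s, tr in p[1].items()})
def after(p, states, ev):
    """States reachable by performing `ev` (None: nothing) and then any number of internal moves."""
    stack = [n for s in states for e, n in p[1].get(s, []) if e == ev] if ev else list(states)
    seen = set(stack)
    while stack:
        for e, n in p[1].get(stack.pop(), []):
            if e is None and n not in seen:
                seen.add(n); stack.append(n)
    return frozenset(seen)
def trace_refines(spec, impl):
    """(True, ()) iff traces(impl) is a subset of traces(spec), else (False, first offending trace)."""
    start = (after(impl, {impl[0]}, None), after(spec, {spec[0]}, None))
    todo, seen = deque([(start, ())]), {start}
    while todo:
        (si, ss), trace = todo.popleft()
        for ev in sorted({e for s in si for e, _ in impl[1].get(s, []) if e is not None}):
            ni, ns = after(impl, si, ev), after(spec, ss, ev)
            if not ns:                      # implementation did something the spec never allows
                return False, trace + (ev,)
            if (ni, ns) not in seen:
                seen.add((ni, ns)); todo.append(((ni, ns), trace + (ev,)))
    return True, ()

# I_i: interface the Preparation Controller implements towards its client (constructed); after
# PrepareFailed the client must Unprepare before the next Prepare, as the BeX slides require.
I_i = lts("idle", ("idle", "pc.Prepare", "busy"), ("busy", "pc.Prepared", "ok"),
          ("busy", "pc.PrepareFailed", "failed"), ("ok", "pc.Unprepare", "unprep"),
          ("failed", "pc.Unprepare", "unprep"), ("unprep", "pc.Unprepared", "idle"))
# I_u: the used service interface, reduced to a single service here (the real design uses two).
I_u = lts(0, (0, "svc.Prepare", 1), (1, "svc.Prepared", 2), (1, "svc.PrepareFailed", 2),
          (2, "svc.Unprepare", 3), (3, "svc.Unprepared", 0))
# D: the design forwards Prepare to the service and reports the outcome to its client.
D = [("idle", "pc.Prepare", "s1"), ("s1", "svc.Prepare", "s2"), ("s2", "svc.Prepared", "s3"),
     ("s3", "pc.Prepared", "ok"), ("s2", "svc.PrepareFailed", "s4"), ("s4", "pc.PrepareFailed", "failed"),
     ("ok", "pc.Unprepare", "u1"), ("failed", "pc.Unprepare", "u1"), ("u1", "svc.Unprepare", "u2"),
     ("u2", "svc.Unprepared", "u3"), ("u3", "pc.Unprepared", "idle")]
D_good = lts("idle", *D)
D_bad = lts("idle", *D, ("failed", "pc.Prepare", "s1"))  # faulty: Prepare accepted without Unprepare
def check(design):
    """I_i refined (traces) by (D || I_u) \\ svc-events: the traces part of the FD check above."""
    return trace_refines(I_i, hide(parallel(design, I_u), alphabet(I_u)))
```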

Page 10: Converting SBS into CSP using state box [4]

Page 11: ASD concepts: Durative and Non-durative actions

Thus, durative and non-durative actions can be seen as asynchronous and synchronous calls respectively.

Page 12: ASD concepts: Monitor Semantics

Page 13: ASD concepts

• Run-to-completion semantics means:
  – Once a stimulus has fired, all corresponding responses will be processed completely in the specified order, AND
  – All state predicates are updated before the state transition is made.

• Call-back semantics: callback events are decoupled via a queue mechanism. This decoupling happens in a thread context different from the calling thread, known as the DPC server thread.

• Synchronization semantics:
  – Get Client Mutex
    • Get Client DPCMutex
    • Call Processing
    • Release Client DPCMutex
    • Conditional Wait (DPC call-back)
  – Release Client Mutex

Page 14: A sample example for CB

Page 15

Page 16: Events with parameters

• Chan.Stim[i>>]: specifies that the parameter value ‘i’ will be captured on entry into a context variable associated with the name ‘i’. To be meaningful, ‘i’ should be an “in” parameter.

• Chan.Stim[i<<]: denotes that ‘i’ is an out parameter.

• Chan.Rsp[i>>]: denotes that ‘i’ is an in parameter.

• Chan.Rsp[i<<]: denotes that ‘i’ is an out parameter.

• Chan.event[$x]: x is a literal (usually used for an enumerated constant).

• Parameters are removed from events in the generation of CSP scripts.

• Callback events should not have an out parameter.

Page 17: Introduction to BeX Controller

• The workflow is based on the concept of a centralized controller, named the Orchestration Controller.

• The aim is to design this Orchestration Controller using ASD and provide it as a study model.

• An orchestration scenario comprises a number of ordered stimuli to realise an overall system function that involves multiple units.

• It is a logical flow of messages/stimuli between the Orchestration Controller and other units in the system.

Page 18: Some terminology

• System: the collection of software components one is interested in specifying.

• Environment: all entities external to the system with which the system (when implemented) directly communicates.

• Stimuli: events (inputs, interrupts, invocations) in the environment which can affect system behavior.

• Responses: system behavior(s) which are observable in the environment.

• The above definitions are very helpful for making a context diagram.

Page 19: Current Context Diagram

[Figure: context diagram. Components shown: Orchestration Controller, Preparation Controller, Selection Controller, FEClient, X-Ray IP Service proxy, Acquisition Service proxy, Patient Admin Service proxy, and the System Boundary. Other labels in the figure: "Offers X-Ray Specific Functionality", "For Displaying & Selecting Acquisition Parameters", "Patient Administration", "Implements BE-FE interface".]

Page 20: Scenarios Identified

• Prepare-Unprepare: handled in the Preparation Controller.

• Select Acquisition Case: handled in the Selection Controller.

• Select Acquisition Protocol Step: handled in the Selection Controller.

• System Startup/Shutdown: handled in the Orchestration Controller.

• EPX Validation with User.

• EPX Validation without User.

• Select Examination.

Page 21: Prepare-Unprepare Scenario

• The preparation of an image acquisition is initiated only by the Front End (by pressing a foot pedal). Similarly, the un-preparation of an image acquisition is initiated by the FE (by releasing the foot pedal).

• The FE always starts and stops acquisition by invoking a request (to the Orchestration Controller): Prepare and Unprepare, respectively.

• The Orchestration Controller informs the FE with Prepared if the services are prepared. Similarly for Unprepare.

• If the Orchestration Controller informs the FE with a PrepareFailed message, then the FE must send an Unprepare message before requesting the next prepare cycle.

Page 22: Prepare Scenario

[Figure: sequence diagram with participants FEClient, Orchestration Controller, Preparation Controller, Acquisition Service and XRay IP Service. Messages shown: IFEClientAcquisitionCB.Prepare, IPreparationController.Prepare, IPreparationControllerINT.Prepare (twice), IPreparationControllerINT.AcquisitionPrepared, IPreparationControllerINT.XRayIPServicePrepared, IPreparationControllerCB.Prepared, IFEClientAcquisition.Prepared.]

Note: The order in which the services return their results is not fixed; it depends on how much time they need to process the prepare request.
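As an added illustration (not the author's Excel specification or Verum's tooling), the prepare cycle above as a Mealy machine with predicates in the sense of the earlier Mealy Machine slide, together with the state box and black box functions of the BSDM slides and the SBS consistency and completeness checks: the two services may report Prepared in either order, and a Prepare issued after PrepareFailed without an Unprepare is answered with a constructed 'illegal' response. State, stimulus, predicate and response names are constructed, and waiting for the services to unprepare is left out.

```python
from itertools import product

# M = (Q, Σ, Γ, P, δ, λ, q_i) for the prepare cycle; all names are constructed for this example.
STATES  = ["Idle", "Preparing", "Prepared", "Failed"]                                  # Q
STIMULI = ["Prepare", "Unprepare", "AcquisitionPrepared", "XRayIPServicePrepared", "PrepareFailed"]  # Σ
PREDS   = ["acqPrepared", "xrayPrepared"]        # P, kept in context variables
INITIAL = "Idle"                                 # q_i
ILLEGAL = ("illegal",)   # response for histories the interface forbids, so BB stays total

def always(p):
    return True

# Rules: (state, stimulus, guard on predicates, responses in order, next state, predicate updates).
# δ and λ are read off the single matching rule; the services may reply in either order.
RULES = [
    ("Idle", "Prepare", always, ("AcquisitionService.Prepare", "XRayIPService.Prepare"),
     "Preparing", {"acqPrepared": False, "xrayPrepared": False}),
    ("Preparing", "AcquisitionPrepared", lambda p: p["xrayPrepared"], ("FE.Prepared",), "Prepared",
     {"acqPrepared": True}),
    ("Preparing", "AcquisitionPrepared", lambda p: not p["xrayPrepared"], (), "Preparing",
     {"acqPrepared": True}),
    ("Preparing", "XRayIPServicePrepared", lambda p: p["acqPrepared"], ("FE.Prepared",), "Prepared",
     {"xrayPrepared": True}),
    ("Preparing", "XRayIPServicePrepared", lambda p: not p["acqPrepared"], (), "Preparing",
     {"xrayPrepared": True}),
    ("Preparing", "PrepareFailed", always, ("FE.PrepareFailed",), "Failed", {}),
    ("Prepared", "Unprepare", always,
     ("AcquisitionService.Unprepare", "XRayIPService.Unprepare", "FE.Unprepared"), "Idle", {}),
    ("Failed", "Unprepare", always, ("FE.Unprepared",), "Idle", {}),
]

def state_box(q, stim, p):
    """SB: (stimulus, state) -> (responses, next state), with run-to-completion semantics:
    the rule's responses are emitted in order and predicates are updated before the transition."""
    rows = [r for r in RULES if r[0] == q and r[1] == stim and r[2](p)]
    if not rows:
        return ILLEGAL, q, p                      # undefined history: answer 'illegal', stay put
    (_, _, _, responses, nxt, updates), = rows    # ValueError here means the spec is inconsistent
    return responses, nxt, {**p, **updates}

def black_box(history):
    """BB : S* -> R, obtained by folding the state box over the stimulus history from q_i."""
    q, p, responses = INITIAL, dict.fromkeys(PREDS, False), ()
    for stim in history:
        responses, q, p = state_box(q, stim, p)
    return responses

def check_spec(rules=RULES):
    """SBS checks over every (state, stimulus, predicate valuation): consistency means at most
    one rule applies, completeness at least one. Returns (ambiguous, uncovered) combinations;
    uncovered ones are the histories that the specification answers with 'illegal'."""
    ambiguous, uncovered = [], []
    for q, stim, vals in product(STATES, STIMULI, product([False, True], repeat=len(PREDS))):
        n = sum(1 for r in rules if r[0] == q and r[1] == stim and r[2](dict(zip(PREDS, vals))))
        if n != 1:
            (ambiguous if n > 1 else uncovered).append((q, stim, vals))
    return ambiguous, uncovered
```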

Page 23: Decisions Made

• Prepare-Unprepare scenarios:
  – The orchestration controller will send a Prepare command to the services for the next run even though the after-run-data for the current run has not yet been received.
  – The services will prepare and send Prepared/PrepareFailed to the orchestration controller.
  – The orchestration controller will then wait for the after-run-data from the FE (with a time-out).
  – If AfterRunData is received, the orchestration controller will send Prepared to the FE upon receiving the AfterRunData and handle the AfterRunData asynchronously.

Page 24: Mealy Machine* for Preparation Controller

* Exact [Stimulus & Predicate]/Response labels can be found in the Excel sheet.

Sorry for slight abuse of notation for the sake of simplicity in the figure.

Page 25: Mealy Machine for Orchestration Controller

Dotted lines represent flow due to failure.

Page 26: Further Work

• Represent the remaining scenarios as Sequence Based Specifications (in the Excel sheet).

• Model check:
  – Preparation Controller (Interface Model),
  – PAACSelector (Interface Model), and
  – Orchestration Controller (Design Model).
  – Are the individual components, and the components under parallel composition, deadlock-free and livelock-free?

• Still to explore: code-generation limitations and test case generation while using ASD.

Page 27: ASD Limitations

• Routing a message from any Service to the Orchestration Controller [w.r.t. the Context Diagram] becomes complex compared to an implementation in any high level language.

• ASD assumes that if processes are in different process boundaries, then the channel which provides communication is ideal (it will never break down).

• Unable to describe how to transform data, or whether data is to be stored persistently.

• A complete system is impossible to design and verify in ASD if foreign components are present. A foreign component is generally a handwritten component or a component whose implementation is generated by other tools.

• Only suited to designing systems having complex state behavior.

Page 28: Conclusions

• Designs can be rigorously verified against their requirements and interface specifications.

• ASD (in particular the SBS method) helps in making design decisions.

• Not for a complete system, but test cases for ASD components can be generated (by selecting the “usage model” option in the plug-in).

• Compared to the conventional software development lifecycle, design errors can be found before the implementation phase.

• This methodology is understandable to all project stakeholders.

Page 29: References

• [1] Guy Broadfoot and Philippa J. Hopcroft. An Analytical Software Design System. World Intellectual Property Organization, Nov 2005.

• [2] Harlan D. Mills, Richard C. Linger, and Alan R. Hevner. Principles of Information Systems Analysis and Design. Academic Press Professional, CA, USA, 1986.

• [3] S. J. Prowell and J. H. Poore. Foundations of Sequence-Based Software Specification. IEEE Trans. on Soft. Eng., 2003.

• [4] Guy Broadfoot and Philippa J. Hopcroft. Combining the Box Structured Development Method and CSP. In Proceedings of the 19th IEEE International Conference on Automated Software Engineering, 2004.