MISE 2008
A Context Analysis Method
for Constructing Reliable Embedded Systems
Naoyasu Ubayashi, Toshiki Seto, Hirotoshi Kanagawa,
Susumu Taniguchi, and Jun Yoshida (Kyushu Institute of Technology)
Takeshi Sumi and Masayuki Hirayama (Toshiba)
May 11, 2007
1
Contexts in embedded systems
Many embedded systems not only affect their contexts through actuators but also are affected by their contexts through sensors.
Unexpected behavior might emerge in a system if a developer does not recognize any possible conflicting combinations between the system and contexts.
However, requirements analysis is mainly conducted from the viewpoint of system functions, and contexts are only roughly analyzed.
It is difficult to decide the boundary of contexts that should be taken into account: which contexts should be included as the targets of requirements analysis.
[Figure: an embedded system linked to its contexts through sensors and actuators; callouts "Association ?", "Boundary ?", "Frame Problem !"]
2
Today's talk
We propose a context-dependent requirements analysis method called CAMEmb (Context Analysis Method for Embedded systems).
CAMEmb is a systematic approach to
exploring context boundary avoiding the frame problem,
verifying whether requirements can be satisfied under the expected contexts,
changing requirements or context boundary if not satisfied.
[Figure: the two pillars of CAMEmb, "UML Profile for Context Analysis" and "Formal Methods (VDM++)"]
3
Outline
1. Motivation
2. CAMEmb
3. MDD based on CAMEmb
4. Conclusions and Future work
4
1. Motivation
5
Example: an electric pot
The pot controls the water temperature by turning on or off the heater.
The pot changes its mode to the heat-retaining mode when the temperature becomes 100 Celsius.
The pot observes the volume from the water level.
However, faults may occur if the expected contexts are changed --- for example, the circumstance of the low air pressure.
[Figure: the pot, with the system (thermostat, water level sensor, heater) and its context (liquid)]
Boil: () ==> ()
Boil() ==
  while thermostat.GetTemperature() < 100.0
  do heater.On();
6
Should air pressure be taken into account ?
Non trivial ! This depends on user requirements.
However, it is important to check the consistency if we decide that air pressure must be taken into account.
It is also important to check the impact when air pressure is included in the expected contexts.
[Figure: the pot (system: thermostat, water level sensor, heater; context: liquid) with "Air Pressure ?" drawn on both sides of the "Boundary"]
7
Problems to be tackled
The boundary of contexts should be determined from
user requirements.
We must take into account the influence that occurs
in the cooperation among a target system and
contexts within the boundary.
We must also detect defects by recognizing any
possible conflicting combinations among the system
and contexts.
Systematic way for
context analysis
8
2. CAMEmb
Context Analysis Method
for Embedded systems
9
CAMEmb Overview
UML Profile for
Context Analysis
Formal Methods
( VDM++ )
10
Context modeling
UML profile for context analysis
Steps for exploring boundary
1. Context elements (value objects) whose values are observed or controlled directly by a sensor or an actuator are extracted.
2. Impact factors that affect the states (values) of these context elements are extracted using guide words.
Contexts that do not change the values are ignored ! The frame problem is avoided !
[Figure: context model of the pot, from "Initial Boundary" to "Final Boundary"; callouts "Sensor cannot observe original data", "Factor that determines the upper limit", "Factor related to a specific value"]
11
Translation to VDM++
12
VDM++ Specification
class Software
instance variables
  heater : Heater;
  thermostat : Thermostat;
  liquid_level_sensor : LiquidLevelSensor;
operations
  public Setup: RealWorld ==> ()
  Setup(realworld) ==
    (heater := new Heater();
     heater.Setup(realworld);
     thermostat := new Thermostat();
     thermostat.Setup(realworld);
     liquid_level_sensor := new LiquidLevelSensor();
     liquid_level_sensor.Setup(realworld);
    );
  public Boil: () ==> ()
  Boil() ==
    while thermostat.GetTemperature() <= 100.0
          and liquid_level_sensor.IsOn() = true
    do heater.On()
  pre liquid_level_sensor.IsOn() = true
  post liquid_level_sensor.IsOn() = true;
end Software
Constraints: the pre/post conditions come from user requirements (water should not be empty).
13
Context Validation
Formal Methods
( VDM++ )
Lightweight Formal Methods
14
VDM++ test execution
Specification can be validated by VDM++ test execution.
System Specification
Context A: Normal Air pressure
  CONTEXT-atmospheric-air-pressureplace-normal
  CONTEXT-liquid-water
Context B: Low Air Pressure
  CONTEXT-atmospheric-air-pressureplace-low
  CONTEXT-liquid-water
15
Results of test execution
Error ! We must reconsider whether air pressure should be included in the expected contexts.
16
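The VDM++ specification slide and the test-execution slides above describe one check: run Boil under Context A (normal air pressure) and Context B (low air pressure) and see whether its postcondition still holds. The following is an added example, not the authors' VDM++ model or their tool's output. It re-implements the class Software from the specification slide in Python and drives it inside a constructed RealWorld whose air-pressure context is "normal" or "low". Every number in it (boiling points, heating and evaporation rates, the level-sensor threshold) is an assumption chosen only so that the two contexts behave differently; the loop condition follows the electric-pot slide (`< 100.0`) rather than the `<=` on the later slide, since in this simplified physics the temperature never exceeds the boiling point.

```python
"""Executable analogue of validating the pot specification under two contexts.

Added example; all physical constants below are constructed assumptions.
"""
from dataclasses import dataclass

# Assumed boiling point of water (degrees Celsius) per air-pressure context.
BOILING_POINT = {"normal": 100.0, "low": 90.0}
LEVEL_SENSOR_THRESHOLD = 1.0  # assumed: sensor reads "on" at or above this volume


@dataclass
class RealWorld:
    """The context: what the pot's sensors observe and its actuator changes."""
    air_pressure: str            # "normal" or "low"
    water_temperature: float = 20.0
    water_volume: float = 10.0   # arbitrary units
    heater_on: bool = False

    def step(self) -> None:
        """Advance the world by one tick (constructed, simplified physics)."""
        if not self.heater_on or self.water_volume <= 0.0:
            return
        boiling = BOILING_POINT[self.air_pressure]
        if self.water_temperature < boiling:
            self.water_temperature = min(boiling, self.water_temperature + 5.0)
        else:
            # At the boiling point the temperature stops rising; the water
            # boils away instead, which the thermostat cannot observe.
            self.water_volume = max(0.0, self.water_volume - 1.0)


class Heater:
    def setup(self, realworld: RealWorld) -> None:
        self.rw = realworld

    def on(self) -> None:
        self.rw.heater_on = True

    def off(self) -> None:
        self.rw.heater_on = False


class Thermostat:
    def setup(self, realworld: RealWorld) -> None:
        self.rw = realworld

    def get_temperature(self) -> float:
        return self.rw.water_temperature


class LiquidLevelSensor:
    def setup(self, realworld: RealWorld) -> None:
        self.rw = realworld

    def is_on(self) -> bool:
        return self.rw.water_volume >= LEVEL_SENSOR_THRESHOLD


class Software:
    """Counterpart of the VDM++ class Software (Setup and Boil)."""

    def setup(self, realworld: RealWorld) -> None:
        self.world = realworld
        self.heater = Heater()
        self.heater.setup(realworld)
        self.thermostat = Thermostat()
        self.thermostat.setup(realworld)
        self.liquid_level_sensor = LiquidLevelSensor()
        self.liquid_level_sensor.setup(realworld)

    def boil(self, max_ticks: int = 1000) -> bool:
        """Run Boil; return whether its postcondition holds afterwards."""
        # pre liquid_level_sensor.IsOn() = true
        if not self.liquid_level_sensor.is_on():
            raise ValueError("precondition violated: the pot is empty")
        ticks = 0
        # Temperature condition as on the pot slide; the level-sensor guard
        # is the one the user requirement adds.
        while (self.thermostat.get_temperature() < 100.0
               and self.liquid_level_sensor.is_on()):
            self.heater.on()
            self.world.step()
            ticks += 1
            if ticks >= max_ticks:
                raise RuntimeError("Boil did not terminate")
        self.heater.off()
        # post liquid_level_sensor.IsOn() = true
        return self.liquid_level_sensor.is_on()


def validate(context: str) -> dict:
    """Test execution of the specification under one context (A or B)."""
    world = RealWorld(air_pressure=context)
    software = Software()
    software.setup(world)
    post_ok = software.boil()
    return {"context": context,
            "final_temperature": world.water_temperature,
            "water_volume": world.water_volume,
            "postcondition_satisfied": post_ok}


if __name__ == "__main__":
    for ctx in ("normal", "low"):
        print(validate(ctx))
```

Under "normal" the loop stops when the thermostat reads 100 and the pot is still full, so the postcondition holds; under "low" the water boils at 90, the thermostat never reaches 100, the pot boils dry and Boil only ends because the level sensor turns off, so the postcondition fails. That failure is the "Error !" the slides report: the specification is fine within the boundary it assumed, and the defect only appears once air pressure is made an explicit part of the context.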
Requirements refinement
Model-based testing based on lightweight formal methods is effective for exploring context boundary and refining requirements.
[Figure: the pot (system: thermistor, water level sensor, heater; context: liquid) with two options for air pressure: "Reconsider Hardware Requirements" inside the Boundary, or "Out of Scope" with air pressure "Fixed to 1.0 ATM"]
17
3. MDD based on CAMEmb
18
DSL construction using AspectM [Ubayashi 2007]
[Figure: editing-time structural reflection. Meta level: the AspectM metamodel with an extension point (MMAP); reify protocols, modify the AspectM metamodel. Base level: the AspectM model; reflect a new model element, i.e. introduce a new kind of domain-specific model element.]
19
Model editor for CAMEmb
Context model of a line trace car
20
Model transformation
Analysis Model (Context Model, System Model) -> Design Model -> Code (Java)
Total code size: 223 LOC
Automatically generated code size: 174 LOC (78 %)
21
4. Conclusions
and Future work
22
Conclusions
A context-dependent requirements analysis method
is proposed.
Our approach is a new kind of MDD that explicitly
takes into account the existence of contexts.
23
Future work
--- CAMEmb and Problem Frame
In problem frames, relations between a machine (a
system to be developed) and the real-world are
explicitly described.
We are now exploring the possibility of integrating
CAMEmb with problem frames.
We found that there is a similarity between our
UML profile and frame patterns.
24
Context analysis with problem frames
[Figure: the line trace car modelled with two frames. Required Behavior Frame: Trace Controller (TC) as the Control Machine, Body (BD) as the Controlled Domain, interfaces a and r, required behavior "On if ground color is black". Transformation Frame: Line recognition Controller (LC) as the Transformation Machine, Light Sensor (LS) as Input, Line Position (LP) as Output, interfaces b, c and d.]
a: TC! { Right, Left }
   BD! { Line detected, Line missed }
b: LP! { On, Off }
c: LC! { Ground Color }
d: LS! { Reflected Light }
r: BD! { Run, Return to Course }
25