Formal Modelling in the Concept Phase of Product Development

Mathijs Schuts¹, and Jozef Hooman²,³

¹Philips HealthTech, Best, The Netherlands
²Embedded Systems Innovation (ESI) by TNO, Eindhoven, The Netherlands
³Radboud University, Nijmegen, The Netherlands

Abstract—The traditional process framework for product realisation in industry often leads to a long and difficult integration phase. An important reason is that in the concept phase only informal descriptions are made about the required product, its decomposition, and the interfaces between components. We propose a formal modelling approach for the concept phase, using a new light-weight modelling tool to formalize system behaviour, decomposition and interfaces. The confidence in the product concept is increased by simulation, both manual and automatic with random system characteristics. By means of a dedicated graphical user interface, communication with different stakeholders is improved. We discuss the application of the proposed approach at Philips HealthTech.

Keywords: Formal models; software engineering; concept definition; simulation

1. Introduction

We propose a method to improve the concept phase of product realisation by means of formal techniques. A traditional development process from concept to a validated product is depicted in Figure 1, see for instance [1]. It describes six distinct phases between concept and product. During the concept phase an informal document is being created with a high level description of the concept. This document is reviewed and agreed upon by all stakeholders. The document consists of a decomposition of the developed product, the different hardware and software components it consists of, the responsibilities per component, and the interaction between the components, possibly with an informal interface description. From the concept description, different development groups concurrently start developing the component they are responsible for. This may also include 3rd party components developed by other companies.

Such a process framework provides a structured way to come from concept to product and allows the concept to be decomposed into different components such that multiple development groups can concurrently work on the different components. A frequently occurring problem in industry, however, is that the integration and validation phase takes a large amount of time and is rather uncontrollable because many problems are detected in this phase and might require a redesign of components.

An important reason for these problems is the informal nature of the concept phase. Clearly, this leads to ambiguities and inconsistencies. Moreover, only a part of the complete behaviour is described in an informal document, often only a part of the basic functional behaviour without taking errors or non-functional aspects into account. The complete behaviour is defined during the implementation phase of the different components. Hence, a large part of system behaviour is implicitly defined during the implementation phase. If multiple development groups work in parallel in realizing the concept, the integration phase can take a lot of time because the independently developed components do not work together seamlessly. Another problem is that during the integration phase sometimes issues are found in which hardware is involved. Then it is usually too late to change the hardware and a workaround in software has to be found.

To prevent these types of problems, we propose the use of formal modelling techniques in the concepts phase, because it is early in the process and all consecutive phases can benefit from an improved unambiguous concept description. Moreover, errors made in this phase are very costly to repair in a later phase [2], [3].

By making a formal model of the system in the concept phase, ambiguities, contradictions and errors are removed from the informal concept description. During modelling one is forced to think about the exceptional behaviour early in the development process. Many questions needs to be answered which would be implicitly defined during the implementation phase otherwise. Moreover, by formalizing interface descriptions, less problems during the integration phase are expected. Figure 2 depicts a graphical representation of the proposed extension of the product realisation framework.

The formal model is developed incrementally to allow updates after aligning with stakeholders and to incorporate new insights frequently. Before choosing a formal method, we first list the aspects that are important in the concept phase:

- The definition of complete system behaviour, including error scenarios.
- A clear and unambiguous definition of interfaces and concepts to support parallel development in subsequent phases.
- The possibilities to explore concepts and design decisions fast.
- Communication with stakeholders to obtain agreement on the concepts and externally visible behaviour of the product.
- The possibility to deal with a combination of hardware and software components.

Furthermore, the formal method should be easy to use by industrial engineers and scalable to large and complex systems. Based on earlier experiences, see, e.g., [4], we decided not to aim for exhaustive model checking. Since our applications consist of many asynchronous components with queues and also timing aspects are important, one almost immediately runs into state-space explosion problems.

As an alternative to increase the confidence in the system model, we will use simulation. Formal models are expressed using the Parallel Object Oriented Specification Language (POOSL). The language is supported by a simulator and a new Eclipse Integrated Development Environment (IDE). The tooling can easily be combined with a dedicated graphical user interface to support communication with all stakeholders.
The use of formal techniques in the concept phase of hardware development has been proposed in [5]. The approach uses ACL2 logic [6] for the specification of the communication structure of a system on chip. Formal proofs of desirable properties, e.g., messages reach their destination, show the correctness of the specifications.

The application of formal methods early in the development process was already described in [7]. It describes the application of tools such as PVS [8] to requirements modelling for spacecraft fault protection systems. Although the specification language of PVS appears to be easy understandable by engineers, the interactive proof of properties is far from trivial. Hence, the conclusion of [7] proposes a rapid prototyping approach, where prototypes are tested against high level objectives.

The difficulty to use formal methods early in the development process, when there are many uncertainties and information changes rapidly is also observed in [9]. They investigated the use of formal simulations based on rewriting logic, namely Maude executable specifications [10]. The approach has been applied to the design of a new security protocol.

The paper is organised as follows. More details about POOSL and tool support can be found in Section 2. Section 3 describes the application at Philips HealthTech where the proposed method has been used. The models made for this application are presented in Section 4. Section 5 contains our concluding remarks.

2. POOSL

The long-term goal of the POOSL tooling is to shorten the development time of complex high-tech systems by providing a light-weight modelling and simulation approach. It is targeted at the early phases of system development, where requirements might not yet be very clear and many decisions have to be taken about the structure of the system, the responsibilities and behaviour of the components, and their interaction.

The approach fills a gap between expensive commercial modelling tools (like MATLAB [11] and Rational Rhapsody [12]) that require detailed modelling, often close to the level of code, and drawing tools (such as Visio and UML drawing tools) that do not allow simulation. More related to the POOSL approach is the OMG specification called the Semantics of a Foundational Subset for Executable UML Models (fUML) [13] with, e.g., the Cameo Simulation Toolkit [14].

In Section 2.1 we introduce the POOSL modelling language and describe the available tool support in Section 2.2.

2.1 POOSL modelling language

POOSL is a modelling language for systems that include both software and digital hardware. It is not intended for continuous aspects, e.g., modelling physical processes by differential equations is not possible. POOSL is an object-oriented modelling language with the following aspects:

- Concurrent parallel processes. A system consists of a number of parallel processes. A process is an instance of a process class which describes the behaviour of the process by means of an imperative language. A process has a number of ports for message-based communication with its environment.
- Hierarchical structure. A number of processes can be grouped into a cluster. A cluster is an instance of a cluster class which has a number of external ports and specifies how the ports of its processes are connected.
- System definition. A system is defined by a number of instances of processes and clusters and the connections between the ports of its instances.
- Synchronization. Processes communicate by synchronous message passing along ports, similar to CSP [15] and CCS [16]. That is, both sender and receiver of a message have to wait until a corresponding communication statement is ready to execute. A process may contain parallel statements which communicate by shared memory.
- Timing. Progress of time can be represented by statements of the form \( \text{delay}(d) \). It postpones the execution of the process by \( d \) time units. All other statements do not take time. Delay statements are only executed if no other statement can be executed.
- Object-oriented data structures. Processes may use data objects that are instances of data classes. Data objects are passive sequential entities which can be created dynamically. A number of structures are predefined, such as set, queue, stack, array, matrix, etc.
- Stochastic behaviour. The language supports stochastic distribution functions; a large number of standard distribution functions are predefined, such as DiscreteUniform, Exponential, Normal, and Weibull.

The formal semantics of POOSL has been defined in [17] by means of a probabilistic structural operational semantics for the process layer and a probabilistic denotational semantics for the data layer.

2.2 POOSL tooling

As explained in [17], the operational semantics of POOSL has been implemented in a high-speed simulation engine called Rotalumis. It supports the Software/Hardware Engineering (SHE) methodology [18]. The tool SHESim [19] is intended for editing POOSL models and validating them by interactive simulation. Recently, a modern Eclipse IDE has been developed on top of an improved Rotalumis simulation engine. The combination of the last two tools have been used for the application described in this paper.

The Eclipse IDE is free available [20] and supports advanced textual editing with early validation and extensive model debugging.
3. Application at Philips

The proposed approach has been applied at Philips HealthTech, in the context of the innovation of interventional X-ray systems. These systems are intended for minimally invasive treatment of mainly cardiac and vascular diseases. The system provides advanced X-ray images to guide the physician through the arteries of the patient to the point of interest and to execute a certain medical procedure, such as placing a stent. For a new product release, we need to provide a new conceptual and methodological framework to model the system in POOSL and use simulation to increase the confidence in the model.

For reasons of confidentiality, some aspects have been renamed. This partitioning is mainly used in the case of a power failure. When all segments are powered and the mains power fails, the UPS takes over. Once this happens, the A segment is shut down in a controlled way, leaving the B segment powered by the battery of the UPS. If the battery energy level of the UPS becomes critical, also the B segment is shut down in a controlled way. Usually, the diesel generator of the hospital will provide power before this happens. An IT device is part of either the A segment or the B segment.

The new SU/SD concept uses the Intelligent Platform Management Interface (IPMI) [21], a standard interface to manage and monitor IT devices in a network. The IT devices in our system are either IPMI enabled or IPMI disabled.

- IPMI enabled IT devices are on a power tap that is continuously powered. To start-up these IT devices, the SU/SD controller sends a command via IPMI to them.

Combined with these two types of segments, this leads to four types of IT devices, as depicted in Figure 3.

This figure also shows that there are several communication mechanisms between the components.

- Power lines for turning the power on and off.
- Control lines to connect the controller to the UI and the UPS.
- The internal Ethernet network, which is used for different purposes:
  - By the SU/SD controller, to ping the Operating System (OS) of an IPMI disabled IT device to observe its shut down.
  - By the SU/SD controller, to turn on an IPMI enabled IT device and to observe the shut down of the device.

A mains disconnector switch (MDS) can be used to power the complete system. An example of a SU/SD scenario is the shut-down scenario. When all segments are powered and the SU/SD controller detects that the AllSegmentOff button is pressed by the user, it will send an AllSegmentOff-pressed notification to all registered IT devices. Next all IT devices go through the following shut-down phases:

- The applications and services running on the IT device are stopped.
- The IPMI disabled IT devices will register themselves and ask the SU/SD controller to observe their shut-down. This is needed because the controller does not know which IPMI disabled devices are connected to a power tap. The IPMI enabled devices are known to the controller by configuration.
- Once the applications and services are stopped, the OS will be shut down.

The scenario ends when the SU/SD controller has detected that all IT devices are shut down. IPMI disabled IT devices are pinged to observe that they are shut down and IPMI enabled IT devices are requested for their state via IPMI to detect that they are shut down. Next the SU/SD controller will instruct the power distribution component to turn off the switchable power taps with which the IPMI disabled IT devices are powered. The IT tap that powers the IPMI enabled IT devices remains powered while these devices are in the standby state.

In the past, an abstract model of the current start-up and shut-down concept for a simpler version of the system has been made for three model checkers: mCRL2 [22], FDR2 [23] and CADP [24]. For reasons of comparison, exactly the same model was made for all three tools, leading to 78,088,550 states and 122,354,296 transitions. Model checking such a model easily takes hours. The new concept described here is far more complex because of the many asynchronous IT devices that all exhibit different behaviour. For example, the IT devices can sometimes fail to start-up or shut down. Also the timing and order in which they start-up and shut down might be different. Hence, the new concept is too complex to model check. Consequently, we decided to model the system in POOSL and use simulation to increase the confidence in the concepts.
4. Modeling the SU/SD Concept in POOSL

This section describes the incremental approach to model the SU/SD concepts in POOSL. The scope of the model and the simulation environment is described in Section 4.1. Section 4.2 contains the modelling steps. A few details of the POOSL models can be found in Section 4.3. Our approach to test models automatically is presented in Section 4.4.

4.1 Modelling Scope and Simulator

The aim was to model the Control & Devices part of Figure 3 in POOSL. Besides the SU/SD Controller and the Power Distribution, the model should contain all four types of IT devices, i.e., all combinations of segments (A and B) and IPMI support. Moreover, to capture as much as possible of the timing and ordering behaviour, we decided to include two instances of each type.

To be able to discuss the main concepts to stakeholders, we connect the POOSL model to a simulation of the environment of the Control & Devices part. We created a Simulator in Java with the use of WindowBuilder in Eclipse to allow the manual execution of scenarios. It allows sending commands from the User Interface and power components to the model and displaying information received from the model. Additionally, one can observe the status of IT devices and even influence the behaviour of these devices, e.g., to validate scenarios in which one or more IT devices do not start-up or shut down properly. The next figure shows a screenshot of the SU/SD simulator.

There are three main columns:
- The left column contains three parts:
  - On the top, the state and the UI buttons to control the SU/SD controller are displayed.
  - In the middle, the tap state of the segments is displayed.
  - On the bottom, the UPS triggers are displayed.
- The middle part contains a column for the B segment and one for the A segment; each contains a row for the IPMI disabled IT devices and one for the IPMI enabled IT devices. For each IT device the state is displayed. The start-up and shut-down behaviour of an IT device can be simulated automatically or it can be set to manual to simulate error scenarios, where the system might fall into a Timeout (see the Internal Event in the column of the SU/SD controller).
- In the right column, the status updates of the model are displayed.

The Java simulation is connected to POOSL by means of a socket. The structure of the POOSL system model is depicted in the next figure.

The system part to be modelled (the Control & Devices part) is represented by cluster ControlDevicesCluster. It has 10 external ports, one to communicate with the SU/SD controller (simc), one for power commands (simp) and 8 for the IT devices: sim1, sim2, sim3, and sim4 for IPMI disabled devices; sim11, sim12, sim13, sim14 for IPMI enabled devices. These ports are connected to corresponding ports of the SimulationEnvironmentCluster. This cluster contains an instance of the standard Socket class provided by the POOSL library. Class UIinterface is responsible for the translation between strings of the socket interface and the SU/SD system interface.

4.2 Modelling steps

After the simulator was build, the ControlDevicesCluster has gradually been defined in POOSL. The proposed framework defines
4.3 Modelling Devices and Control

This section provides some details of the POOSL models. The first part of the model of an IT device with IPMI is shown below. It imports a library which, e.g., defines queues. Next the process class is defined, including two parameters for the IP address and the segment. All IT devices have an IP address to be able to connect them to the same network. Subsequently, the ports, the messages (only one is shown here), the variables and the initial method are defined. Note that the variables define two queues.

In the initial method `init()()`, the queues are initialized, which are FIFO by default. Next the method defines three parallel activities. The first activity defines a state machine, where the states are represented by methods. It starts the state machine by calling the initial state `ItDevNotPowered()()`.

The state is defined as a method with local variable `m`. It selects the next state based on the contents of the `ipmiQueue` or the receipt (indicated by `?`) of a particular message on one of its ports. Since switching a power tap on or off is instantaneous and cannot be refused by a process, all states allow the receipt of messages `On` and `Off` via port `outlet`.

The other two parallel activities of the `init()()` method are used
to model the asynchronous nature of the Ethernet communication. Method \texttt{MsgReceiveBuffer} receives messages on port \texttt{con} and stores them in queue \texttt{msgQueue}.

\begin{verbatim}
MsgReceiveBuffer() | m : String, ip : Integer | 
  con ? ReceiveEvent(m, ip | ip = ipAddr); 
  msgQueue add(m); 
  delay(1); 
  MsgReceiveBuffer();
\end{verbatim}

Note that POOSL allows a condition on the receive statement to express that only messages with the corresponding IP address are received. Similarly, method \texttt{IpmiReceiveBuffer} stores messages in \texttt{ipmiQueue}.

### 4.4 Extensive Model Testing

The simulator has been used to align the behaviour with internal stakeholders and to get confidence in the correctness of the behaviour. To increase the confidence without the need of many manual mouse clicks, we created a separate test environment in POOSL. Therefore, a stub is connected to every IT device. A stub is a process which randomizes the start-up and shut-down timing of an IT device. In addition, a stub randomly decides if a device fails to start-up or shut-down. Also in these random cases the system has to respond well and it needs to be forced into defined states. The next POOSL fragment depicts how the random timing and random behaviour is implemented in the Stub.

```poosl
process class ProbStubWithoutIpmiClass
  (ipAddr : Integer, 
   StartUpProp : Real, 
   ShutDownProp : Real)

ports
  sim, tester
...

Loop() | message : String |
[(msgQueue isEmpty())] message := msgQueue remove();
if message = “Booting” then 
  delay(rand random *.5.0);
  if rand random <= StartUpProp then
    sim ! Started;
    tester ! StatusUpdate(ipAddr, “Started”)
else
  tester ! StatusUpdate(ipAddr, “StartFailed”)
fi;

The stubs are configured such that they fail to start-up or shut-down in 10% of the cases.
```

```poosl
// stubs for impi disabled devices
itDev1Stub: ProbStubWithoutIpmiClass(ipAddr := 1, 
                                      StartUpProp := 0.9, 
                                      ShutDownProp := 0.5)

itDev2Stub: ProbStubWithoutIpmiClass(ipAddr := 2, 
                                      StartUpProp := 0.9, 
                                      ShutDownProp := 0.5)

itDev3Stub: ProbStubWithoutIpmiClass(ipAddr := 3, 
                                      StartUpProp := 0.9, 
                                      ShutDownProp := 0.5)

itDev4Stub: ProbStubWithoutIpmiClass(ipAddr := 4, 
                                      StartUpProp := 0.9, 
                                      ShutDownProp := 0.5)
```

```poosl
// stubs for impi enabled devices
itDev11Stub: ProbStubWithIpmiClass(ipAddr := 11, 
                                    StartUpProp := 0.9, 
                                    ShutDownProp := 0.0)

itDev12Stub: ProbStubWithIpmiClass(ipAddr := 12, 
                                    StartUpProp := 0.9, 
                                    ShutDownProp := 0.0)

itDev13Stub: ProbStubWithIpmiClass(ipAddr := 13, 
                                    StartUpProp := 0.9, 
                                    ShutDownProp := 0.0)

itDev14Stub: ProbStubWithIpmiClass(ipAddr := 14, 
                                    StartUpProp := 0.9, 
                                    ShutDownProp := 0.0)
```

In reality the IT devices are quite reliable, but to reduce testing time it is more convenient to make the IT devices less reliable. Moreover, we are interested in the error handling behaviour of the system and not in the statistical behaviour.

For the execution of scenarios initiated by a user and the UPS, a Tester process has been created to automatically drive the system. Every stub has a feedback channel to the Tester to report the status of an IT device. The next figure depicts how the Tester and Stubs are connected to the system.

![Tester and Stubs Connection Diagram](image)

The definition of the Tester is such that it leads to a deadlock when the SU/SD controller or the IT devices do not behave as intended. Already during the first simulation run we experienced such a deadlock. The cause of the problem was found using the debug possibilities of the new POOSL IDE. We simulated the model in debug mode and inspected the sequence diagram when the deadlock occurred. In this sequence diagram we saw a problem with a message about the IPMI status of an IT device. Next we inspected the variables window shown below.

<table>
<thead>
<tr>
<th>Name</th>
<th>Value</th>
</tr>
</thead>
<tbody>
<tr>
<td>delayedBatteryLow</td>
<td>false</td>
</tr>
<tr>
<td>ipmiQueue</td>
<td>Empty</td>
</tr>
<tr>
<td>Occupation</td>
<td>0</td>
</tr>
<tr>
<td>PrimQueue</td>
<td>nil</td>
</tr>
<tr>
<td>QueueingPolicy</td>
<td>&quot;FIFO&quot;</td>
</tr>
<tr>
<td>Size</td>
<td>-1</td>
</tr>
<tr>
<td>Unbounded</td>
<td>-1</td>
</tr>
<tr>
<td>estQueue</td>
<td>Empty</td>
</tr>
</tbody>
</table>

It revealed that the \texttt{ipmiQueue} was empty, which was not expected at this point in the execution. When checking the code that handles the IPMI queue, we found that the queue was emptied after the IPMI status request has been send. The race condition was fixed by changing the order; first empty the queue and then send the IPMI status request. After fixing the race condition, the model has been executed 100 000 random start-up and shut-down cycles without experiencing a single deadlock.

### 5. Concluding Remarks

In the concept phase of product definition, we have used a formal system description in POOSL in combination with a graphical user interface to align stakeholders and get confidence in the behaviour of the system. We have added a model with a formal interface description between two important components of the system that will be developed concurrently. To increase the confidence in the concept, we created an automated test driver for the system with stubs that exhibit random behaviour and random timing.

While modelling, we found several issues that were not foreseen in the draft concept. We had to address issues that would otherwise have been postponed to the implementation phase and which might
easily lead to integration problems. We observed that the definition of a formal executable model of the SU/SD system required a number of design choices. We give two examples of such choices.

- If all segments are on and the UPS indicates that the mains power input fails, then the system will shut down the A segment. If, however, during this transition one or more of the IPMI enabled IT devices fail to shut down, then the SU/SD controller has no way to force these IT devices into the right state. This could be solved by an additional tap, but given the costs of an extra tap and the small chance that this will happen (both mains power and shut down of an IT device should fail), we have decided to leave it this way. If the user experiences unexpected behaviour of the system, the user can always recover the system by turning it off and on again.

- An early version of the SU/SD controller did not track if an IPMI enabled IT device did in fact start up. However, if something is wrong with the start-up or shut-down of an IPMI enabled IT device, we want to toggle the power during shut-down in the hope that a reset will solve the issue. Once we found the described issue with the simulator, we extended the model of the SU/SD controller with a storage of the start-up status of an IPMI enabled IT device.

In addition, the model triggered many discussions about the combined behaviour of the hardware and software involved in start-up and shut-down. This resulted in a clear description of responsibilities in the final concept. Also the exceptional system behaviour when errors occur has been elaborated much more compared to the traditional approach. Note that the modelling approach required a relatively small investment. The main POOSL model and the Java simulator were made in 40 hours; the tester and the stubs required another 10 hours.

The application of exhaustive model-checking techniques to the full model is not feasible, give the large number of concurrent processes and the use of queues for asynchronous communication. Scalability problems are, for instance, reported in [25], where a transformation of POOSL models to Uppaal [26], a model-checker for timed systems, is applied to an industrial application. However, it might be possible to apply these techniques to verify certain aspects on an abstraction of the model.

In the future, we want to use the test driver for the model to validate the behaviour of the SU/SD controller by means of model-based testing. Since the interface between the test driver and the model is equal to the interface between test driver and the real implementation, we might also use our test approach for the realized system when it becomes available. The idea is to use the test driver and a thin manually written adapter that makes an Ethernet connection between the test driver and the real implementation.

References


