# The COMPASTA Approach for MBSE

Alberto Bombardelli, <u>Marco Bozzano</u>, Roberto Cavada, Alessandro Cimatti, Alberto Griggio, Massimo Nazaria, Edoardo Nicolodi, Stefano Tonetta

Fondazione Bruno Kessler, Trento Italy

#### MBSE 2022



MBSE 2022, Toulouse, 22-24 November 2022

## The COMPASTA Study

- The Study at a glance
  - Acronym: COMPASTA
  - Early Technology Development, funded by the European Space Agency
  - Contractor: Fondazione Bruno Kessler (FBK), Trento, Italy
  - Duration: 18 months, ending in December 2022

#### ■ FBK

- Research Foundation (over 400 researchers)
- Embedded Systems Unit: about 30 people









**European Space Agency** 

## Background: the COMPASS tool

- Tool for model-based system/SW co-engineering
- Developed in a series of ESA studies (2008-2016)
- Input language is a variant of AADL (called SLIM)
- Functionality: formal design, formal V&V
- Based on model checking



- **Requirements specification**
- **Requirements analysis**
- Contract-based design
- **Functional verification**
- Fault injection
- **RAMS Analyses: FTA, FMEA**
- **FDIR** Analysis



specification

## Background: the TASTE tool

- Tool for model-based design of embedded, real- time systems
- Created by initiative of ESA in 2008
- Several modeling languages
  - ASN.1, AADL, SDL, Simulink, etc.
- Ecosystem: graphical editors, visualizers, code generators



- Many languages
- Push-button compilers for deployment
- Graphical editor for AADL
- Graphical editor for SDL
- High integrability





### Objectives of COMPASTA

- Integration of the existing COMPASS and TASTE toolchains
- Goal: a comprehensive, end-to-end toolchain that covers system development, early verification and validation, safety assessment and FDIR, system deployment
  - COMPASS used to build and validate a formal model of the system (HW+SW) architecture, to specify the behavior of the HW components and their faults
  - TASTE used to model the behavior of the SW components, for deployment and code generation, and to test the final implementation
- Goal: foster the adoption and the industrial exploitation of the COMPASS+TASTE integrated toolchain



#### TASTE+COMPASS: Technical approach

- Specification using AADL and SDL as specification languages
  - AADL for interface view and HW components
  - SDL for SW components
- Definition of the semantics of the composition of HW and SW
- Translation of AADL/SDL into the languages of the COMPASS back-ends
- Integration of COMPASS back-ends for V&V into TASTE
- Automated formal analyses using the back-ends
- Extended editors and visualizers



## Workflow: An Example

- Redundant power system
  - Generators charging batteries
  - Batteries powering sensors
  - Redundant lines connecting generators, batteries and sensors
- HW faults
  - Generators, batteries, sensors
- FDIR components
  - They control switches and command re-configurations in case of faults
- Requirements
  - Sensors must be powered







## Workflow: Modeling the system architecture

Using TASTE interface view (graphical editor + serialization in AADL)





## Workflow: Modeling the behavior of HW components

Modeling the behavior of HW components in SLIM (an extension of AADL)





```
system implementation Battery_1.lmp
subcomponents
 delay : data clock;
states
  base: initial state while (delay \leq 1);
transitions
  base - [when
           delay >= 1 and get_voltage.voltage < 10 and
           voltage out.voltage >= 1
          then
           delay :=0 and
           voltage_out.voltage := voltage_out.voltage - 1
         ]-> base;
  ...
end Battery 1.lmp;
```

## Workflow: Modeling the behavior of SW components

#### Modeling the behavior of SW components in SDL





## Workflow: Modeling faults

Specifying a fault injection (generator output voltage stuck-at-zero)





## Workflow: Specification of properties and contracts

#### Pattern-based modeling of properties and contracts

| Name                | Property                                                          |  |
|---------------------|-------------------------------------------------------------------|--|
| All sensors working | Globally, it is always the case that {Sensor_1.is_valid.valid and |  |
|                     | Sensor_2.is_valid.valid} holds                                    |  |
| At least one sensor | Globally, it is always the case that {Sensor_1.is_valid.valid or  |  |
| working             | Sensor_2.is_valid.valid} holds                                    |  |

| Component | Name    | Assumption                        | Guarantee                                                                                          |
|-----------|---------|-----------------------------------|----------------------------------------------------------------------------------------------------|
| Generator | power   | true                              | always(voltage_out.voltage >= 10)                                                                  |
| Battery   | power   | always(get_voltage.voltage >= 10) | always(voltage_out.voltage >= 10)                                                                  |
| Switch    | routing | true                              | always(cmd_in.cmd=cmdprimary -><br>(out_1.voltage=in_1.voltage and<br>out_2.voltage=in_2.voltage)) |
| Sensor    | Power   | always(get_voltage.voltage >= 10) | always(is_valid.valid)                                                                             |
|           |         |                                   |                                                                                                    |



## Workflow: Formal Verification



#### Formal verification

- Functional verification
- Dependability and safety assessment (FTA/ FMEA)
- FDIR analysis
- Use the COMPASS back-ends to generate the results



#### Workflow: Iterations modeling/formal verification

#### Iterate over previous steps e.g.

- I. Refine/modify architecture and components
- II. Refine/modify faults, properties and contracts
- III. Re-run verification and analyze the new results





#### Workflow: Compilation-ready model transformation

- Replace HW components with "HW\_I/O"
  - HW\_IO components represent the SW interface layer between SW and HW
  - The resulting model is a native TASTE model





#### Workflow: Deployment and code generation

Deploy the system on the final HW, and generate code using TASTE





## Workflow: Testing and Simulation

#### Test the final implementation





#### Summary

- COMPASS and TASTE provide complementary functionality
- COMPASS functionality used to:
  - Model the system architecture
  - Model the HW components and their faults
  - Validate a formal model of the system
- TASTE functionality used to:
  - Model the SW components
  - Deployment
  - Code generation
  - Testing of the deployed system



#### Conclusions

- The goal of COMPASTA is to integrate COMPASS functionality into TASTE, and produce a comprehensive, end-to-end toolchain for system design, formal verification and validation, and deployment
- The Study is ongoing final delivery in December 2022

