In the Transport industry, for example, it is impossible to exhaustively
or even adequately verify the real-time control systems of modern vehicles (terrestrial
(road & rail), nautical and aeronautical) using formal methods, or by building
physical vehicles and driving or flying them around for a year or two, as is
current state-of-the-art practice. We have seen the results of these approaches
to verification in the embarrassing stalling of luxury cars on freeways due to
improbable, and clearly poorly tested, communications occurring between electronic
control units, such as air conditioning controllers and engine ignition controllers.
- Validation: Proof of, or declaration that a model corresponds
precisely to the defined capabilities (function, timing, behavior) of the real object
or the specification ascribed to it.
- Verification: The process of validation, that is - the action
of establishing the correctness of a model with respect to its object or specification
by analytical and/or experimental means.
- Relative Validation: Since EST's verification process is
simulation based, our definition of validation is the equivalence of all responses,
in function and timing, between the Golden Reference Model (GRM) and
any executable system model under test (in EST's case constituted from mapped
mixed abstract and/or proxy-physical subsystem models), under the domain of the
same stimulation data sets - this generates an equivalence class. Relative validation
may be applied recursively through the model hierarchy wherever a correspondence
exists between a subsystem in the GRM and a subsystem in the executable system
model under test.
- The EST operational validation definition leads to the powerful Principle
of Substitutability of models: Models in the same equivalence class
may be arbitrarily substituted for each other (necessarily, under the same stimulation
domain).
Consider the Relative Validation of complex real-time controllers (or, by the Principle
of Substitutability, families of controllers) that control super systems. This
is a big deal - especially where faulty control is more than capable of killing
people.
Constraint Note: A Vehicle Control Architecture (VCA) model
by itself is not sufficient to verify its own operation, since vehicles necessarily
interact with each other, the infrastructure, and with the systems that monitor
and control traffic. The context of operations is a critical element of verification
of both systems and subsystems.
- EST's simulation technology uniquely provides the massive
capability required to enable the verification and Relative Validation of entire
families of real-time control systems quickly and efficiently by simulating both
the families of control systems under test, and the GRM simultaneously and checking
the function and timing responses of all systems at every relevant step (of which
there may be many millions) for equivalence.
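The Relative Validation definition above and the step-by-step equivalence check in this item, worked as an added example that is not EST's code: a small harness drives a Golden Reference Model and candidate models through the same constructed stimulation data set, compares function and timing at every step, and partitions the models into equivalence classes. The `step(state, stimulus) -> (state, output, ticks)` model interface and the throttle-limiter controllers are assumptions for illustration.

```python
# Added example (not EST's code): a Relative Validation harness. A model is a
# function step(state, stimulus) -> (new_state, output, latency_ticks). Two models
# are relatively valid when every response (output AND timing) matches over the
# same stimulation data set; that relation partitions models into equivalence
# classes, whose members are substitutable under that stimulation domain.
from typing import Callable, Dict, List, Tuple
Step = Callable[[int, int], Tuple[int, int, int]]  # (state, stim) -> (state, out, ticks)

def run(model: Step, stimuli: List[int]) -> List[Tuple[int, int]]:
    """Drive a model through the whole stimulation set, recording (output, ticks) per step."""
    state, trace = 0, []
    for s in stimuli:
        state, out, ticks = model(state, s)
        trace.append((out, ticks))
    return trace

def relatively_valid(grm: Step, dut: Step, stimuli: List[int]) -> Tuple[bool, int]:
    """Check GRM against DUT at every step; return (equivalent, first mismatching step or -1)."""
    for i, (ref, got) in enumerate(zip(run(grm, stimuli), run(dut, stimuli))):
        if ref != got:
            return False, i
    return True, -1

def equivalence_classes(models: Dict[str, Step], stimuli: List[int]) -> List[List[str]]:
    """Partition models by response equivalence under this stimulation domain."""
    classes: List[List[str]] = []
    for name, m in models.items():
        for cls in classes:
            if relatively_valid(models[cls[0]], m, stimuli)[0]:
                cls.append(name)
                break
        else:
            classes.append([name])
    return classes

# Constructed toy controllers: a throttle-demand limiter (state = integrated demand).
def grm_limiter(state, stim):    # reference: saturate at 100, 2-tick latency
    state = min(state + stim, 100)
    return state, state, 2
def alt_limiter(state, stim):    # different code, same function and timing
    state = state + stim if state + stim <= 100 else 100
    return state, state, 2
def fast_limiter(state, stim):   # same function, 1-tick latency: timing mismatch
    state = min(state + stim, 100)
    return state, state, 1
def buggy_limiter(state, stim):  # functional bug: no saturation
    return state + stim, state + stim, 2

STIMULI = [10, 20, 30, 40, 50, -5]  # constructed stimulation data set
MODELS = {"grm": grm_limiter, "alt": alt_limiter, "fast": fast_limiter, "buggy": buggy_limiter}
```

Running the same check over a stimulation set that never reaches saturation (for example `[10, 20]`) places `buggy` in the GRM's class, which is why substitutability only holds under the same stimulation domain and why an insufficient data set makes simulation verification fail.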
- The GRM may be an existing hardware control system. This
enables Hardware in the Loop Simulation (HILS) capability within EST’s technology.
- In a modeled environment, it is the ability to apply the
verification process easily, efficiently and seamlessly to complex systems and
to their subsystems, and vice versa (for example, verifying the engine as a
subsystem in the context in which it operates - the Power Train - and verifying
the Power Train in the context of the VCA), that enables accurate,
ultra-high-performance simulation-based V&V to replace the popular but inefficient
and, ultimately, insufficient hardware-in-the-loop (HILS) V&V process.
- EST's unique ability to provide near real-time simulation performance of
entire super-systems (such as a complete automobile or aircraft) makes entire
system verification using a virtual super-system a world-first success for EST.
Since entire super-system verification takes place in near real time, the EST
virtual super-system model and ultra-high-performance simulation engine will,
for automotive super-systems, displace the use of hardware-in-the-loop simulation
(HILS) at a considerable saving in set-up time and cost and with an increase
in productivity.
- EST’s scalable simulation technology enables both systems and their context
to be modeled and incorporated into the verification process.
- You never need to go beyond the EST technology to solve a verification or
validation problem.
Verification can be performed formally or via simulation. Each method has its
shortcomings. Formal verification largely fails when the analog characteristics
of time and signals need to be accounted for, or when a formal proof becomes
too large for a human to check either the proof or the mechanisms and their applications
that produced the proof. Simulation verification fails when the data sets used
in the simulation are insufficient - a failure that is typically, and incorrectly,
interpreted as the data sets being incomplete.
- Verification of model based systems should NEVER use the classical "V" process.
In model-based design, the "V" process is actually maximally INEFFICIENT.
- The "V" process is only relevant for physical systems.
- In a model-driven methodology, the verification of physical systems uses
the verification suites developed as part of the architecture and design process
to validate the physical artifact. This is the vestigial "V" process.
- The system verification process is a major element of the commitment to architecting
and designing a system. There are various sub-processes that are relevant for
the various technologies that may be used in realizing a system.
- Realization is a process of mapping a specification to an implementation
in some underlying technology, that may include:
- Software
- Physical technologies
- Electronics, mechanics, chemical, thermal, optical, acoustic, radio.
- These processes will be explored in more detail in the Technology Pages of
the EST web.