
The contribution of this thesis is a combination of constructive and analytical techniques that support the component-based specification and analysis of self-adaptive mechatronic systems as part of a model-driven approach. As a key novelty compared to related approaches, we combine formal verification and simulation-based testing for achieving a scalable analysis for ensuring correctness of the software of a self-adaptive mechatronic system. In particular, we contribute a transactional execution of hierarchical reconfigurations including an approach for their verification (C1), a verification procedure for showing correct refinements of communication protocols (C2), and support for simulating self-adaptive mechatronic systems in MATLAB/Simulink (C3). We integrate our contributions into the MECHATRONICUML method. As a result, our contributions enhance the existing development process of MECHATRONICUML [HSST13, BDG+14b] as outlined in Figure 1.3. All of our contributions have been implemented as part of the MECHATRONICUML Tool Suite [DGB+14].

[Figure 1.3 is a flowchart; only its labels are recoverable from the text. Phases: Domain-Spanning Conceptual Design, Domain-Specific Design and Development (Specify Platform-Independent Model, Specify Platform-Specific Model). Process steps: S1 Derive Component Model, S2 Specify Communication Protocols, S3 Specify Real-Time Behavior of Components, S4 Specify Component Reconfiguration, S5 Simulate Platform-Independent Model. Contributions: C1 Transactional Execution of Hierarchical Reconfigurations, C2 Verification of Correct Refinements, C3 Simulation Support in MATLAB/Simulink. Artefacts: domain-spanning conceptual design, component model, communication protocol, real-time component behavior, reconfiguration behavior, integrated platform-independent model, platform-independent SW-model, software artifacts. Legend: process step, contribution, parallel execution, artefact.]

Figure 1.3: Excerpt of the Design Process for the Development of Self-Adaptive Mechatronic Systems (cf. [HSST13, GV14])

The starting point for the process, shown in Figure 1.3, is the domain-spanning conceptual design [GFDK09, GSG+09] that has been created collaboratively by experts from all disciplines involved in building the mechatronic system, e.g., mechanical engineering, control engineering, and software engineering. It includes all information about use cases, functions, and system elements that affect more than one discipline. Based on the domain-spanning conceptual design, each of the involved disciplines starts the domain-specific design and development phase. In this phase, the software engineers execute the MECHATRONICUML process [HSST13, BDG+14b], which consists of two main phases in accordance with the model-driven architecture approach [Gro14]. Thus, the process starts by creating a platform-independent model of the software. Then, the software engineers derive a platform-specific model of the software and define a deployment of the software to the hardware platform. The contributions of this thesis address the specification of the platform-independent model.

The software engineer starts specifying the platform-independent model in Step S1 by deriving an initial component model from the domain-spanning conceptual design. In this thesis, we unify the existing component models of MECHATRONICUML and provide an extension that enables a concise, declarative specification of hierarchical reconfigurations. This specification forms the basis for a transactional execution of reconfigurations (C1) that respects ACI-properties of database systems [BHG87]. These are atomicity, i.e., either all component instances reconfigure or none does, consistency, i.e., each reconfiguration produces a consistent component instance configuration, and isolation, i.e., reconfigurations do not interfere with each other.
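The following is an added illustration of the three ACI-properties on a deliberately small configuration model; it is not code from the MECHATRONICUML Tool Suite, and the `Configuration` class, the step functions, the consistency rule (every connector endpoint must belong to an existing instance) and the nesting of step lists as "hierarchical" reconfigurations are all assumptions made for the example.

```python
"""Added example: executing a hierarchical reconfiguration as a transaction
that respects atomicity, consistency and isolation. All names and the
consistency rule are constructed for illustration, not taken from MechatronicUML."""
import copy
import threading
from dataclasses import dataclass, field


class ReconfigurationError(Exception):
    """Raised by a step that cannot be applied; triggers a rollback."""


@dataclass
class Configuration:
    """Constructed flat view of a component instance configuration:
    the set of component instances and the set of connectors (src, dst)."""
    instances: set = field(default_factory=set)
    connectors: set = field(default_factory=set)


def consistent(cfg: Configuration) -> bool:
    """Assumed consistency rule: every connector endpoint must be an existing instance."""
    return all(a in cfg.instances and b in cfg.instances for a, b in cfg.connectors)


# Elementary reconfiguration steps. Each returns a function that mutates a working copy.
def add_instance(name):
    def step(cfg):
        if name in cfg.instances:
            raise ReconfigurationError(f"{name} already exists")
        cfg.instances.add(name)
    return step


def remove_instance(name):
    def step(cfg):
        if name not in cfg.instances:
            raise ReconfigurationError(f"{name} does not exist")
        cfg.instances.remove(name)
    return step


def connect(src, dst):
    return lambda cfg: cfg.connectors.add((src, dst))


def disconnect(src, dst):
    return lambda cfg: cfg.connectors.discard((src, dst))


def apply_steps(cfg, steps):
    """A nested list stands for the reconfiguration of an embedded component
    (hierarchy); it is applied recursively inside the same transaction."""
    for step in steps:
        if isinstance(step, list):
            apply_steps(cfg, step)
        else:
            step(cfg)


class ReconfigurationManager:
    def __init__(self, cfg: Configuration):
        self.cfg = cfg
        self._lock = threading.Lock()  # isolation: reconfigurations are serialized

    def execute(self, steps) -> bool:
        """Apply all steps or none (atomicity), reject inconsistent results
        (consistency), and never interleave two reconfigurations (isolation).
        Returns True on commit and False on rollback."""
        with self._lock:
            working = copy.deepcopy(self.cfg)  # intermediate states stay private
            try:
                apply_steps(working, steps)
                if not consistent(working):
                    raise ReconfigurationError("resulting configuration is inconsistent")
            except ReconfigurationError:
                return False  # rollback: self.cfg was never touched
            self.cfg = working  # commit
            return True


def demo():
    """Constructed scenario: replace sensorA by sensorB, then attempt a faulty step."""
    mgr = ReconfigurationManager(Configuration({"ctrl", "sensorA"}, {("sensorA", "ctrl")}))
    swap_sensor = [
        add_instance("sensorB"),
        [disconnect("sensorA", "ctrl"), connect("sensorB", "ctrl")],  # embedded part rewires
        remove_instance("sensorA"),
    ]
    committed = mgr.execute(swap_sensor)
    # Removing ctrl would leave a dangling connector: the transaction is rolled back.
    faulty = mgr.execute([remove_instance("ctrl")])
    return committed, faulty, mgr.cfg


if __name__ == "__main__":
    print(demo())
```

The point of the working copy is that intermediate states (here, a connector to `sensorB` before `sensorA` is removed) are never visible to other components, and a violation detected at the end discards the whole hierarchy of changes rather than part of it.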

In Step S2, the software engineer specifies a communication protocol for each interaction between components. This includes a formal verification of the protocol behavior using model checking [GTB+03, EHH+13, Ger13].

After specifying the communication protocols, the software engineer needs to specify the real-time behavior for each component of the component model. This real-time behavior needs to include the communication protocols that have been specified and verified in Step S2 such that the verified safety and liveness properties are not invalidated. We support the software engineer in this step by an integrated verification procedure that verifies whether the real-time behavior of a component correctly refines a communication protocol according to a formal refinement definition (C2). As a byproduct, our approach automatically selects a suitable refinement definition out of a set of possible refinement definitions.
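To make the idea of "checking a refinement and selecting a refinement definition" concrete, here is an added example that is not the thesis's verification procedure and uses none of its actual refinement definitions. It works on untimed labelled transition systems rather than real-time behavior, assumes the protocol role is deterministic, and uses two stand-in definitions, simulation (the component never performs a step the protocol forbids) and mutual simulation (both sides can match each other), trying the stricter one first.

```python
"""Added example: refinement checks between a protocol role and a component
behavior on untimed labelled transition systems. The two refinement definitions
and the transition systems are constructed stand-ins, not MechatronicUML's."""
from collections import deque

# A transition system is a dict: state -> set of (label, successor); initial state "s0".
# Constructed protocol role: a request is answered by either ack or nack.
PROTOCOL = {"s0": {("req", "s1")}, "s1": {("ack", "s0"), ("nack", "s0")}}
# Component that keeps the full protocol behavior.
IMPL_FULL = {"s0": {("req", "s1")}, "s1": {("ack", "s0"), ("nack", "s0")}}
# Component that resolves the choice and always answers ack.
IMPL_ACK_ONLY = {"s0": {("req", "s1")}, "s1": {("ack", "s0")}}
# Component that sends a second request instead of an answer.
IMPL_WRONG = {"s0": {("req", "s1")}, "s1": {("req", "s0")}}


def simulated_by(abstract, concrete):
    """True if every transition `concrete` can take is matched by `abstract`
    from the corresponding state, explored over reachable state pairs.
    `abstract` is assumed deterministic (at most one successor per label)."""
    seen = {("s0", "s0")}
    todo = deque(seen)
    while todo:
        c, a = todo.popleft()
        for label, c2 in concrete.get(c, ()):
            a2 = next((s for (l, s) in abstract.get(a, ()) if l == label), None)
            if a2 is None:
                return False  # the component takes a step the protocol forbids
            if (c2, a2) not in seen:
                seen.add((c2, a2))
                todo.append((c2, a2))
    return True


# Candidate refinement definitions, strictest first (constructed for the example).
REFINEMENTS = [
    ("mutual simulation", lambda p, i: simulated_by(p, i) and simulated_by(i, p)),
    ("simulation", lambda p, i: simulated_by(p, i)),
]


def select_refinement(protocol, impl):
    """Return the name of the strictest definition under which impl refines
    protocol, or None if none holds."""
    for name, holds in REFINEMENTS:
        if holds(protocol, impl):
            return name
    return None


if __name__ == "__main__":
    for name, impl in [("full", IMPL_FULL), ("ack only", IMPL_ACK_ONLY), ("wrong", IMPL_WRONG)]:
        print(name, "->", select_refinement(PROTOCOL, impl))
```

Safety properties verified on the protocol carry over to a component under simulation because the component's traces are a subset of the protocol's; liveness properties need the stricter definition, which is why the selection matters for the properties that remain guaranteed.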

In Step S4, the software engineer specifies the reconfiguration behavior of the components using our aforementioned extensions of the component model. In addition, we extend this step by an approach for verifying that the reconfiguration behavior fulfills the required ACI-properties and meets all hard real-time deadlines (C1). The result of Steps S3 and S4 is a platform-independent model of the software.

Finally, the software engineer needs to analyze whether event-discrete software and time-continuous feedback controllers have been integrated correctly by using a MIL simulation in Step S5. We support the software engineer in this step by automatically deriving a simulation model that includes both the real-time behavior and the reconfiguration behavior of the components. The simulation model is then extended by the implementations of the feedback controllers and the environment model. The MIL simulation may then be carried out using MATLAB/Simulink. It enables the engineers of the different disciplines to validate the whole self-adaptive mechatronic system by simulation and allows them to use the code generation facilities of MATLAB/Simulink for deriving source code for the system.