Explore the network layer design with state diagrams and critical properties ensuring system safety and performance. Validate the model using Promela and Xspin for robust functionality.
Onboard Diagnostics
Diagnostics III
Project Manager: Dennis Kelly
Documentation Manager: Paul Robinson
Facilitator: Richard Ford
Research Manager: Arif Momim
Network Layer/Controller
• Control logic of the system responsible for the transmission of messages on a Controller Area Network (CAN)
• Components
  • Segmentor
  • Reassembler
  • Timer

Network Layer/Controller (cont.)
• Functionality
  • Segmentation of messages
  • Reassembly of messages
  • Handling of timeouts and other errors
  • Conformance to ISO 15765-2 specifications
• Models focus on the operation of a single network controller
• Reaffirms the concept of connection-less communication
• Handling of errors at every state
• Faulty communication must not cause deadlock

Network Layer/Controller (cont.)
• Scenario - Send Segmented Message
  • Send N_USData.request
  • Send L_Data.request(FF N_PDU)
  • Receive L_Data.confirm(FF N_PDU)
  • Receive L_Data.indication(FC N_PDU)
  • Send L_Data.request(CF N_PDU)
  • Receive L_Data.confirm(CF N_PDU)
  • Send N_USData.confirm(N_OK)

Network Layer/Controller (cont.)
• Scenario - Send Segmented Message (cont.)
Key Model - State Diagram
• Models the behavior of the Network Layer
• Shows how the Network Layer receives, processes, and delivers messages from one Diagnostics Application to another
• Shows how the Network Layer responds to unexpected events such as a timeout or an unexpected Protocol Data Unit (PDU)

Critical Properties
• Safety Properties
  • Used to ensure that nothing undesirable will happen given a certain set of conditions
• Liveness Properties
  • Used to ensure that something good eventually happens in the system

Critical Properties (cont.)
• Safety Properties
  • If an N_USData.confirm is issued, then an N_USData.request was issued at some prior point
  • If an N_USData.request is issued, then an N_USData.confirm is also issued
  • A timeout in sending an N_PDU by the network layer must cause an N_TIMEOUT_A to be issued to the application layer
  • If Node A is receiving a message from Node B, then Node B cannot be receiving a message from Node A

Critical Properties (cont.)
• Liveness Properties
  • Upon the start of the system, N_As(MAX), N_Ar(MAX), N_Cr(MAX) and N_WFTmax are set
  • If an L_Data.request is issued, then an L_Data.confirm is eventually issued
  • If a timeout occurs in the data link layer, then the transmission/reception of the message must stop and an N_USData.confirm must be sent to the application layer
  • If the network layer is waiting for a flow control, then it eventually receives an L_Data.indication

Promela and Xspin
• Liveness Properties
  • If an L_Data.request is issued, then an L_Data.confirm is eventually issued
  • If the network layer is waiting for a flow control, then it eventually receives an L_Data.indication
• Safety Properties
  • If an N_USData.confirm is issued, then an N_USData.request was issued at some prior point
• Models Encoded
  • Send Unsegmented Messages state diagram
  • Send Segmented Message state diagram
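As an added illustration (not the project's Promela model), the Python script below exhaustively enumerates every execution of a simplified sender-side state machine for the Send Segmented Message scenario, where at each wait the data link either delivers the expected event or a timer expires, and then checks the safety, timeout and no-deadlock properties listed above over all traces, in the spirit of what Xspin does over the Promela state space. The phase names, the N_Bs flow-control timer and the N_TIMEOUT_Bs result are assumptions taken from ISO 15765-2 rather than from the slides.

```python
# Sender-side "Send Segmented Message" machine, a constructed simplification of the
# ISO 15765-2 sender (not the project's Promela model). State = (phase, CFs left).
IDLE, WAIT_FF_CONF, WAIT_FC, WAIT_CF_CONF, DONE = range(5)

def moves(state):
    """Every environment choice from `state`: (event, next_state, outputs emitted)."""
    phase, cf_left = state
    if phase == IDLE:
        return [("N_USData.request", (WAIT_FF_CONF, cf_left), ["L_Data.request(FF)"])]
    if phase == WAIT_FF_CONF:          # N_As timer runs while awaiting the FF confirm
        return [("L_Data.confirm(FF)", (WAIT_FC, cf_left), []),
                ("N_As timeout", (DONE, cf_left), ["N_USData.confirm(N_TIMEOUT_A)"])]
    if phase == WAIT_FC:               # N_Bs timer (assumed from ISO 15765-2) awaits flow control
        return [("L_Data.indication(FC)", (WAIT_CF_CONF, cf_left - 1), ["L_Data.request(CF)"]),
                ("N_Bs timeout", (DONE, cf_left), ["N_USData.confirm(N_TIMEOUT_Bs)"])]
    if phase == WAIT_CF_CONF:          # N_As timer runs again for every CF
        if cf_left == 0:               # last CF confirmed: report success
            ok = ("L_Data.confirm(CF)", (DONE, 0), ["N_USData.confirm(N_OK)"])
        else:                          # further CFs follow the confirm
            ok = ("L_Data.confirm(CF)", (WAIT_CF_CONF, cf_left - 1), ["L_Data.request(CF)"])
        return [ok, ("N_As timeout", (DONE, cf_left), ["N_USData.confirm(N_TIMEOUT_A)"])]
    return []                          # DONE is the only terminal phase

def explore(n_cf):
    """Exhaustively enumerate every trace (events and outputs) for a message of n_cf CFs."""
    assert n_cf >= 1, "a segmented message carries at least one consecutive frame"
    traces, stack = [], [((IDLE, n_cf), [])]
    while stack:
        state, trace = stack.pop()
        nxt = moves(state)
        if not nxt:
            traces.append(trace)
        for event, new_state, outputs in nxt:
            stack.append((new_state, trace + [event] + outputs))
    return traces

def check_properties(n_cf):
    """Count traces violating the slides' properties; all zeros means they hold."""
    bad = {"confirm_without_request": 0, "timeout_without_result": 0, "deadlock": 0}
    for t in explore(n_cf):
        req = [i for i, e in enumerate(t) if e == "N_USData.request"]
        conf = [i for i, e in enumerate(t) if e.startswith("N_USData.confirm")]
        # Safety: each N_USData.confirm has an N_USData.request earlier in the trace
        bad["confirm_without_request"] += any(not any(r < c for r in req) for c in conf)
        # A timer expiry must be reported to the application as an N_TIMEOUT_* result
        bad["timeout_without_result"] += any(e.endswith("timeout") and "N_TIMEOUT" not in t[i + 1]
                                             for i, e in enumerate(t))
        # No deadlock: a run that issued a request ends with exactly one confirm
        bad["deadlock"] += bool(req) and len(conf) != 1
    return bad
```

For a one-CF message the successful trace returned by `explore(1)` is exactly the sequence of the Send Segmented Message scenario above, and the remaining traces are the three timeout abortions.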
Results of Xspin Verification
• In the course of verifying these properties, several inconsistencies in the state diagrams were encountered
  • Two states that served the same purpose were consolidated into a single state
  • A new variable was defined to help control the proper execution
• All the critical properties were verified using Xspin
Prototype
• Network Service Data Unit (N_SDU)
  • Source Address (N_SA)
  • Target Address (N_TA)
• User I/O
  • Send N_USData.request
  • Cause Timeout
  • Result_USDT

Prototype (cont.)
• Scenarios
  • Send Unsegmented Message
    • Send N_USData.request
    • Send L_Data.request(SF N_PDU)
    • Receive L_Data.confirm(SF N_PDU)
    • Send N_USData.confirm(N_OK)
  • Receive Unsegmented Message
    • Receive L_Data.indication(SF N_PDU)
    • Send N_USData.indication(N_OK)

Prototype (cont.)
• Scenarios (cont.)
  • Send Segmented Message
    • Send N_USData.request
    • Send L_Data.request(FF N_PDU)
    • Receive L_Data.confirm(FF N_PDU)
    • Receive L_Data.indication(FC N_PDU)
    • Send L_Data.request(CF N_PDU)
    • Receive L_Data.confirm(CF N_PDU)
    • Send N_USData.confirm(N_OK)
  • Receive Unsegmented Message
    • Receive L_Data.indication(FF N_PDU)
    • Send L_Data.request(FC N_PDU), Send N_USData_FF.indication
    • Receive L_Data.indication(CF N_PDU)
    • Send N_USData.indication(N_OK)

Prototype (cont.)
• Scenarios (cont.)
  • Send Unsegmented Message, timeout occurs
    • Send N_USData.request
    • Send L_Data.request(SF N_PDU)
    • Timeout occurs
    • Send N_USData.indication(N_TIMEOUT_A)