1. Patent Search
  2. Details

COMPUTER-IMPLEMENTED METHOD AND COMPUTERIZED DEVICE FOR TESTING A TECHNICAL SYSTEM

20220067239 · 2022-03-03

    Inventors

    Cpc classification

    International classification

    Abstract

    The computer-implemented method for testing a technical system having a plurality of technical components includes: providing a safety model modeling a safety relevant functionality of the technical system, providing a test model including test cases for testing the technical system, linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model, generating test parameters for at least one certain test case of the test cases and/or a new test case for the test model using the safety model linked to the test model, and testing the technical system using the certain test case and/or the new test case. Further, a computer program product, a computerized device and an arrangement having a technical system and a computerized device are provided.

    Claims

    1. A computer-implemented method for testing a technical system having a plurality of technical components, the method comprising: a) providing a safety model modeling a safety relevant functionality of the technical system, b) providing a test model including test cases for testing the technical system, c) linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model, d) generating test parameters for at least one certain test case of the test cases and/or a new test case for the test model using the safety model linked to the test model, and e) testing the technical system using the certain test case and/or the new test case.

    2. The method of claim 1, wherein, in step d), triggers and parameters of the safety model linked to the test model are analyzed for generating the test parameters for the at least one certain test case and/or the new test case for the test model.

    3. The method of claim 1, wherein the test parameters generated in step d) include preconditions for the at least one certain test case, the preconditions defining a relevant context for the safety relevant functionality when operating the technical system, and/or relevant triggers within the certain test case for triggering the safety relevant functionality.

    4. The method of claim 1, wherein, in step a), the safety model is provided as a tree of logic, such that it includes a top event associated to a violation of the safety-relevant functionality.

    5. The method of claim 4, wherein, in step a), the safety model is provided such that it includes, for each of the technical components having an input port and/or an output port, an output failure mode for modeling a certain failure visible at the output port of the technical component, or an output failure mode for modeling a certain failure visible at the output port of the technical component and an input failure mode for modeling how a certain failure propagates from the input port to the output port.

    6. The method of claim 4, wherein, in step a, the safety model is provided such that it includes, for each of the technical components having an input port and/or an output port, an input failure mode for modeling how a certain failure propagates from the input port to the output port, an output failure mode for modeling a certain failure visible at the output port of the technical component, and/or a number of basic events, each of the basic events modeling an internal component failure of the technical component.

    7. The method of claim 6, wherein the safety model includes a number of cut-sets, each of the cut-sets combining a number of basic events and adapted to cause the top event.

    8. The method of claim 4, wherein, in step c), the top event of the safety model is linked with those elements of the test model capturing a functionality that is configured to influence an occurrence of the top event.

    9. The method of claim 6, wherein, in step c), the safety model and the test model are linked such that a certain input failure mode of the safety model is linked with a certain input interface of the test model, a certain output failure mode of the safety model is linked with a certain output interface of the test model, a certain basic event of the safety model is linked with an internal component state of the test model, and/or the top event of the safety model is linked with a certain test case of the test cases of the test model.

    10. The method of claim 1, wherein a system model modeling a functional behavior of the technical system is provided, wherein in step c, the safety model and the test model are linked via the system model, wherein a certain input failure mode of the safety model is linked with a certain input interface of the test model via a certain input port of the system model, a certain output failure mode of the safety model is linked with a certain output interface of the test model via an output port of the system model, a certain basic event of the safety model is linked with a certain internal component state of the test model via an internal component failure of the system model, and/or the top event of the safety model is linked with a test case of the test model via a system function of the system model.

    11. The method of claim 1, wherein the testing for providing coverage criteria for the safety-relevant functionality is analyzed.

    12. The method of claim 11, wherein the coverage criteria are provided such that they include probabilistic criteria for each respective test case of the test cases used in step d), the probabilistic criteria indicating a probability of occurrence during operation of the technical system, wherein the probability of occurrence is derived by a probability of the cut-set corresponding to the respective test case via the linking of the test model and the safety mode, that the coverage criteria are provided such that they include qualitative criteria for each respective test case of the test cases (used in step e), the qualitative criteria being derived from the number of basic events of the cut-set corresponding to the respective test case via the linking of the test model and the safety model, and/or the coverage criteria are provided such that they include criteria of occurrence and/or of probability of occurrence for minimal cut-sets corresponding to the test cases used in step e).

    13. A computer program product, comprising a computer readable hardware storage device having computer readable program code stored therein, said program code executable by a processor of a computer system to implement a method comprising a program code for executing the method of claim 1 for testing a technical system having a plurality of technical components when run on at least one computer.

    14. A computerized device for testing a technical system having a plurality of technical components, the computerized device comprising: a first providing unit for providing a safety model modeling a safety relevant functionality of the technical system, a second providing unit for providing a test model including test cases for testing the technical system, a linking unit for linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model, a generating unit for generating test parameters for at least one certain test case of the test cases and/or a new test case for the test model using the safety model linked to the test model, and a testing unit for testing the technical system using the certain test case and/or the new test case.

    15. An arrangement comprising a technical system having a plurality of technical components and the computerized device for testing the technical system according to claim 14.

    Description

    BRIEF DESCRIPTION

    [0085] Some of the embodiments will be described in detail, with reference to the following figures, wherein like designations denote like members, wherein:

    [0086] FIG. 1 shows a sequence of method steps of an embodiment of a computer-implemented method for testing a technical system;

    [0087] FIG. 2 shows an example of a safety model, a system model and a test model for a technical system used by the method of FIG. 1;

    [0088] FIG. 3 shows the example of FIG. 2 additionally illustrating a linking of a certain input failure mode of the safety model with a certain input interface of the test model via a certain input port of the system model;

    [0089] FIG. 4 shows the example of FIG. 2 additionally illustrating a linking of a certain output failure mode of the safety model with a certain output interface of the test model via an output port of the system model;

    [0090] FIG. 5 shows the example of FIG. 2 additionally illustrating a linking of a certain basic event of the safety model with a certain internal component state of the test model via an internal component failure of the system model;

    [0091] FIG. 6 shows the example of FIG. 2 additionally illustrating a linking of the top event of the safety model with a test case of the test model via a system function of the system model;

    [0092] FIG. 7 shows a schematic block diagram of a computerized device for testing a technical system; and

    [0093] FIG. 8 shows a schematic block diagram of an arrangement comprising a technical system and a computerized device for testing a technical system.

    [0094] In the Figures, like reference numerals designate like or functionally equivalent elements, unless otherwise indicated.

    DETAILED DESCRIPTION

    [0095] FIG. 1 depicts a sequence of method steps of an embodiment of a computer-implemented method for testing a technical system TS. In FIG. 1, the method steps are designated with S1-S6. In the following, FIG. 1 is discussed referring to FIG. 2.

    [0096] In this regard, the left part of FIG. 2 shows an example of a safety model 10 for the technical system TS, the middle part of FIG. 2 shows an example of a system model 20 for the technical system TS and the right part of FIG. 2 shows an example of a test model 30 for the technical system TS.

    [0097] The technical system TS may be a safety-critical system, for example used in an application domain of embedded systems, such as aerospace, railway, health care, automotive or industrial automation. The technical system TS includes a plurality of technical components TC, for example including actors, sensors and/or receivers.

    [0098] As indicated above, the method of FIG. 1 includes the method steps S1-S6: In step S1, a safety model 10 modeling a safety-relevant functionality of the technical system TS is provided. As shown in the left part of FIG. 2, the safety model 10 may be provided as a classic fault tree. Alternatively, the safety model 10 may be provided as a Component Fault Tree. An example for such a Component Fault Tree is shown in the right part of FIG. 1 of the patent application US 2020/0225652 A1.

    [0099] In particular, the safety model 10 is provided such that it includes a top event TE associated to a violation of the safety-relevant functionality. For example, if the technical system TS is a railway and the safety-relevant functionality is to decelerate the railway to a certain velocity within a certain time period, then a violation of said safety-relevant functionality may be if the railway cannot be decelerated to said certain velocity within the certain time period. This violation is mapped to the top event TE of the safety model 10 of FIG. 2, for example.

    [0100] The classic fault tree of the safety model 10 of FIG. 2 comprises Boolean formula represented by OR-gates and AND-gates. Further, the classic fault tree of the safety model 10 has a number of input failure modes 11 for modeling how a certain failure propagates from an input port to an output port of a technical component TC of the technical system TS. For illustration issues, only one input failure mode 11 is designated with a reference sign in FIG. 2 to ensure readability.

    [0101] Furthermore, the classic fault tree of the safety model 10 of FIG. 2 has a number of output failure modes 12, each modeling a certain failure visible at an output port of a technical component TC. Also here, for illustration issues, only one output failure mode 12 is designated with a reference sign in FIG. 2 to ensure readability.

    [0102] Moreover, the classic fault tree of the safety model 10 of FIG. 2 has a number of basic events 13, each of the basic events 13 modeling an internal component failure of a technical component TC. Also here, for illustration issues, only one basic event 13 is designated with a reference sign in FIG. 2 to ensure readability.

    [0103] In particular, the safety model 10 includes a number of cut-sets, each of the cut-sets combining a number of basic events 13 and adapted to cause the top event TE.

    [0104] In step S2, a system model 20 is provided, said system model 20 modeling a functional behavior of the technical system TS. AS shown in the middle part of FIG. 2, the system model 20 may be embodied as a system architecture model of the technical system TS including said plurality of technical components TC.

    [0105] The system model 20 may include a number of input ports 21, a number of output ports 22 and a number of internal component failures 23. In the middle part of FIG. 2, for illustration issues, only one of the input ports is designated with the reference sign 21, only one of the output ports is designated with the reference sign 22 and only one of the internal component failures is designated with the reference sign 23.

    [0106] In step S3, a test model 30 is provided, said test model 30 including test cases C for testing the technical system TS. As shown in the right part of FIG. 2, a test case C may include an actor A, an actor B and data D. In this regard, the test case C of the test model 30 has a number of input interfaces 31, a number of output interfaces 32 and a number of internal component states 33.

    [0107] In step S4, elements of the safety model 10 are linked with elements of the test model 30, in particular using elements of the system model 20, for enabling a tracing between the test cases C of the test model 30 and the safety-relevant functionality of the safety model 10.

    [0108] In particular, the top even TE of the safety model 10 is linked with those elements of the test model 30 capturing a functionality that is configured to influence an occurrence of the top event TE.

    [0109] In step S5, test parameters for at least one certain test case C of the test cases and/or a new test case for the test model 30 are generated using the safety model 10 linked to the test model 30.

    [0110] In particular, in step S5, triggers and parameters of the safety model 10 linked to the test model 30 are analyzed for generating the test parameters for the at least one certain test case C and/or the new test case C for the test model 30.

    [0111] For example, the test parameters generated in step S5 may include preconditions for the at least one certain test case C. Said preconditions may define a relevant context for the safety relevant functionality when operating the technical system TS, and/or relevant triggers within the certain test case C for triggering the safety relevant functionality.

    [0112] In step S6, the technical system TS is tested using the certain test case and/or the new test case.

    [0113] Moreover, the testing may be analyzed for providing coverage criteria for the safety-relevant functionality.

    [0114] In particular, the coverage criteria are provided such that they include probabilistic criteria for each respective test case of the test cases C. Said probabilistic criteria may indicate a probability of occurrence during operation of the technical system TS, wherein the probability of occurrence may be derived by a probability of the cut-set corresponding the respective test case C via the linking of the test model 30 and the safety model 10.

    [0115] Further, the coverage criteria may be provided such that they include qualitative criteria for each respective test case C used in step S5. The qualitative criteria may be derived from the number of basic events 13 of the cut-set corresponding to the respective test case C via the linking of the test model 30 and the safety model 10.

    [0116] As part of the qualitative criteria, a plurality N of different classes for the test case C used in step S5 may be provided, wherein each of said N different classes may be defined by a different number M of basic events 13 configured to cause the top event TE in combination, with Mϵ[1, . . . , N].

    [0117] Additionally, the coverage criteria may be provided such they include criteria of occurrence and/or of probability of occurrence for minimal cut-sets corresponding to the test cases C.

    [0118] Details and examples for this linking according to step S4 of the safety model 10 and the test model 30 via the system model 20 are shown in FIGS. 3 to 6 which are based on the example of FIG. 2. In this regard, FIG. 3 additionally illustrates a linking of a certain input failure mode 11 of the safety model 10 with a certain input interface 31 of the test model 30 via a certain input port 21 of the system model 20.

    [0119] Moreover, FIG. 4 additionally illustrates a linking of a certain output failure mode 12 of the safety model 10 with a certain output interface 32 of the test model 30 via an output port 22 of the system model 20.

    [0120] Furthermore, FIG. 5 additionally illustrates a linking of a certain basic event 13 of the safety model 10 with a certain internal component state 33 of the test model 30 via an internal component failure 23 of the test model 20.

    [0121] Moreover, FIG. 6 additionally shows a linking of the top event TE of the safety model 10 with a test case C of the test model 30 via a system function SF of the system model 20.

    [0122] In FIG. 7, a schematic block diagram of a computerized device 100 for testing a technical system TS having a plurality of technical components TC is depicted. The computerized device 100 of FIG. 7 comprises a first providing unit 101, a second providing unit 102, a linking unit 103, a generating unit 104, and a testing unit 105.

    [0123] The first providing unit 101 is configured to provide a safety model 10 modeling a safety-relevant functionality of the technical system TS.

    [0124] The second providing unit 102 is configured to provide a test model 30 including test cases C for testing the technical system TS.

    [0125] The linking unit 103 is configured to link elements of the safety model 10 with elements of the test model 30 for enabling a tracing between the test cases C of the test model 30 and the safety-relevant functionality of the safety model 10.

    [0126] The generating unit 104 is configured to generate test parameters for at least one certain test case C of the test cases and/or a new test case for the test model 30 using the safety model 10 linked to the test model 30.

    [0127] The testing unit 105 is configured to test the technical system TS using the certain test case and/or the new test case.

    [0128] Furthermore, FIG. 8 shows a schematic block diagram of an arrangement 200 comprising a technical system TS and a computerized device 100 for testing the technical system TS.

    [0129] Although the present invention has been disclosed in the form of preferred embodiments and variations thereon, it will be understood that numerous additional modifications and variations could be made thereto without departing from the scope of the invention.

    [0130] For the sake of clarity, it is to be understood that the use of “a” or “an” throughout this application does not exclude a plurality, and “comprising” does not exclude other steps or elements.