Why Adopt?

These blog posts have focused on the adoption of Model-Based Design.  The choice of the word “adoption” was intentional.  When I visit a customer I tell them the following.

“80% of what I will recommend is generic best practices, common
across all Model-Based Design.  The next 10% is a selection of common
patterns in use relevant to your industry and regulatory needs.
The last 10% is the unique part of your development; your intellectual property”

Why do I say this?  Model-Based Design, from an architecture, data, and V&V perspective is now a mature field.  In a mature field, time should be spent on developing the IP aspects of design, not infrastructural components.  To that end, there is a significant body of best practices available for companies to reference.  (See the reference page for a small subset.)

How to succeed at adoption?

As this blog has spoken about on a number of occasions adoption is a process.  To succeed there are 5 key activities that need to be performed

Related image

  1. Take background training
  2. Education on existing MBD frameworks (see references)
  3. Identify non-conforming cases (your 10% IP)
  4. Validate MBD approach for non-conforming cases
  5. Utilize external resources

External resources: final thoughts

Success often comes from knowing when to ask for outside help, either from other groups within your company who have already blazed a trail or from outside support groups (such as training and consulting.)  Utilizing support early in the adoption process enables a faster rate of adoption with fewer implementation issues.

 

Image result for external resources

 

Translate: essence, not the content

Very few projects start off with a clean slate; the majority have some body of existing text-based code (C/C++/Asembler) which needs to be either translated or wrapped into the Model-Based Design environment.  For the cases where translation is the desired path, the objective should be the translation of the essence (e.g. requirements) not the content.

Why translate essence, not content?

First, every programing language has unique constructs which may or may not be directly replicable in other languages.  Because of this, a common failure mode is to try and directly replicate coding patterns in the MBD environment.

catTrans_1.jpg

Second, when you translate the based on the requirements you have the opportunity to improve upon the existing code.

There is a function for that…

It is common with text-based algorithms to implement basic functions such as table look ups, integrators, etcetera.  While in some edge cases the text-based implementation is more efficient this is less common with the growing maturity of Model-Based Design tools.

blocks

Further, the small efficiency gains from the existing implementation are frequently less important than the clarity found by using built in blocks.

It is really a…

In text based languages truth tables and state machines are implemented as either a series of if/then/else or switch/case statements.  Within MBD environment both truth tables and state machines have direct implementations.

Pushing things too far…

The final note, there are some areas where text based modeling makes the most sense.  Generally, this is in the area of long complex equations.  While they can be rendered in block form they are more easily read in text form.  With that in mind, I recommend using MATLAB blocks for longer equations.

simpleMath

The image above, the Pythagorean theorem, is relatively simple.  Yet even it would be more easily read as

C = sqrt(A^2 + B^2)

Final thoughts (part 1)

When translation occurs it is important that the new implementation is validated against the behavior of the existing code.  Failure to do so can result in larger system level errors.

Final thoughts (part 2)

In my translation example, I used the simple phrase “I have the cutest cat in the world”  I submit the following images to back that claim up

 

 

 

Clean code: clean models?

In a recent customer conversation, I was asked if there was a mapping of Model-Based Design (MBD) constructs to the concepts of “smells” found in  Martin Fowler Clean Code. Fowler’s book was written targeting the Java, however, many of the concepts have direct mapping onto other programming languages.  Maping onto other object-oriented text-based languages are easily seen.  Hence the question of how OO smells could be mapped onto MBD.

Note: I am reviewing this in the context of developing embedded code using Simulink and Embedded Coder. The Clean Code was written with object-oriented user interfacing code (e.g. web pages, spreadsheets,…)

Fowler’s book defines 7 primary sources of smells:

  1. Comments:  Covers lack of comments, obsolete comments or out of date comments
  2. Environment: Covers the automation of build and test operations
  3. Functions: Covers definition of function interfaces and dead code
  4. General: 36 guidelines that cover a range of coding best practices
  5. Java: Issues specific to the Java programing language
  6. Names: Covers fundamentals of naming conventions
  7. Tests: Covers best practices for testing

Image result for 7 deadly sins

Quick overview

For some of the smells, there is a direct and easy mapping.

Comments: Models are, to an extent, self-documenting.  Additional documentation should be added as needed.  Fowler’s recommendation on keeping comments concise and up-to-date are directly mappable.

Environment: The smells in this section deal with automation of the build and test steps. There is a direct mapping for these smells and the recommendations for automation are standard for MBD environments

Naming conventions: For information on naming conventions (from and earlier MathWorks blog I wrote): A few thought on Naming Conventions

Tests: The smells for tests are standard recommendations for testing.  Earlier blog posts on testing can provide the mapping onto these smells.

Image result for quick

Deeper look

Of the 7 smells, I want to spend more time looking at both the “Functions” and “General” groupings.

Image result for the deep

Functions

Fowler has 4 smells related to functions, of the 4 MBD conforms to 1.5 of them.

  1. Too many arguments:  Control of physical systems require multiple bits of information.  Fowler’s recommendation of 0 ~3 input arguments doesn’t hold.  (It is also a function of object oriented programming that allows for that rule).  At the same time validate that the inputs to the function are required.  The MBD smell for function arguments is found in non-required inputs.
  2. Output arguments:  Like input arguments modeling control systems requires output arguments to continue the control flow.
  3. Flag arguments: Control algorithms frequently depend on modal conditions.  It is preferable to use these conditions to control enabled type subsystems or modal logic within a Stateflow chart.  Hence the .5 agreement on this one.
  4. Dead functions: Full agreement here; avoid dead functions at all cost.

Image result for enabled subsystem simulink

General

The generalImage result for general category includes 36 different code smells; I have subcategorized them into N themes

  1. Clear functionality: The behavior and function of the model should be clear from its construction.  Further, all functionality of the model should be implemented.
  2. Readability: The model should be easy to read.  The MAAB style guidelines have a direct mapping for this category.
  3. Encapsulation: The model’s functionality should exist within a scope of the model; e.g. there should not be calculations dependent on methods outside of the model.  I wrote about these issues in the Model Architecture section of this blog.
  4. Scope of  variables: With the exception of user defined I/O and parameters MBD tools automatically define the scope of variables making these rules, for the most part, irrelevant
  5. Reuse: Smells dealing with the reuse, and failure to reuse.  These rules are directly mappable looking at the use of Referenced Models and Libraries to achieve the aim.
  6. Object-oriented issues: Not applicable

Final thoughts

The concepts put forth in the book “Clean Code” represent a useful set of guidelines for understanding coding best practices.  To the extent that models map onto code the concepts behind “Clean Code” apply.    However, MBD abstracts many concepts behind coding into a higher level language, placing the clarity and encapsulation of the actual code into the hands of the code generation tool.

Side note:

Late in my conversation with the customer, I realized that I was talking to someone from Denmark about smells.  I regret that I did not take the opportunity to make a reference to Hamlet.  (Something is rotten in the state of Denmark)

Image result for hamlet

 

 

Fail safe, fail friendly

.I drive a vehicle with an all drive-by wire setup.  Drive-by wire brake, throttle, and PRNDL (the shifting mechanism for those of you not in the Auto Industry (Park, Reverse…)  While as a controls engineer, and an environmentalist, I like both the performance increase and the weight savings to fuel savings that this brings it raises the question, what do you do when the system fails?

Image result for drive by wire throttle body

Primary mode: Fail safe

The first rule of safety critical software (and a break in a vehicle is safety critical) is to fail in a safe fashion.  There are several modes in which a brake can fail, from worst to best

  • Complete sensor failure: on highway
  • Partial sensor failure: on highway
  • Complete sensor failure: parked
  • Partial sensor failure: parked

First, what is a partial failure? A partial failure is when part of, but not all of, a redundant system sends back data that is not in alignment with the other parts.  Standard protocols for drive by wire brakes is to have 3 redundant sensors to determine

Of the four scenarios, the first is the most dangerous and poses an interesting question “what is the fail safe behavior?”  Hard braking could result in a rear end collision.  Failure to brake could result in running into someone.  Of course, this problem is no different from the one found in traditional fully mechanical/hydraulic systems.  For an overview of what to do if this happens, take a look at this article.

Secondary mode: Fail friendly

So what does it mean to “fail friendly?”  In a fail friendly scenario, the objective is for the system to maintain the maximum functionality without putting the user or the device in danger.   In the example of the brake failure, with an all electronic version, the vehicle could allow driving at speeds up to 5 mph.  This mode allows the driver to safely move the vehicle off of roads into a safe parking location.

 

Final thoughts

The way in which systems fail directly impact the end users experience of the product. Providing the secondary fail friendly mode results in a more positive user experience.

Traceability

While traceability plays a key role in the software development process for many groups it presents as a high impact burden.  Modern software tools can simplify the traceability process however it all begins with the requirements.

Why is traceability important?

The objective of traceability is to ensure that requirements are met in the final product. Image result for traceability design v mathworksThis is achieved by the creation of traceability “check-ins” at each stage of the development process.  A check-in serves two purposes.  First, they ensure that the design process does not “drift” too far from the requirements.  Second, they provide formal documentation of adherence to the defined development processes.

How do we “check-in?”

Check-ins should be an automated processesImage result for check in where information is cross checked between the current state of the models and the requirements.   If the requirements are written in a testable format than the check in consists of running the tests and a human verification of the test result.  If they are not written in a testable format or the complexity is such that automated testing is not possible then a manual review is required.

Check-in deliverables

The primary deliverable of the check-in is a traceability report.  It documents that at each step in the process the model and related artifacts were validated against the requirements.

Image result for traceability matrix simulink

Final thoughts

Traceability is one of the core activities of a safety critical software design process.  Implementation of automated requirements tracing is greatly simplified in a Model-Based Design environment that includes simulation capabilities.