Model-Based Design: Differencing best practices…

Difference reports are a staple of software development, they allow you to quickly see what has changed.  Model-Based Design, with its graphical environment, presents some unique issues in differencing; we will examine them with this post.

Differencing best practices

The following best practice hold regardless of the development environment

  1. Reasonable diffing cadence: Finding the difference between two objects is easy if the number of changes are small; however if large structural, or multiple-point changes have occurred difference operations become difficult if not impossible.  Perform differencing operations when no more then 5% of the object has changed.
  2. Diff function changes / ignore visual changes: Visual changes, such as the use of indents in textual languages, or block placement in graphical, do not impact the behavior of the code.  While these changes may violate modeling guidelines they should be ignored during the diff operations
  3. Include the authors: Have both the original author and updating person take part in the review for complex issues.
  4. Test after diffing: After performing the difference operations have been run the files should be run through their test suites to ensure that the changes did not have a negative impact.

Don’t judge a model by its cover

In text based languages changes in the text are it; with Model-Based development environments it is the combination of the

  • Block connections: How the blocks are connected to each other determines execution order and data flow.
  • Block parameters: How the block is parameterized determines the functionality of the block
  • Model configuration: The model can have parameters that influence the behavior system beyond the data set by the blocks

Image result for model difference simulink image

Final comment

It is possible to diff the underlying text files that define graphical models; at one point in time this was the only method that was possible.  However, doing this presents multiple problems and should be avoided.

  1. Determining what is significant: The text representations often encode information into parameters / structures.  Often it is not obvious what are significant changes versus cosmetic.
  2. Block changes: The text representation can have the same functionality “shifted” in the code to a new location depending on where it shows up in the model; however this is often not a functional change.
  3. Interpretation: When reviewing the text changes the reviewers then have to interpret what the text means.


Table lookup algorithms provide a powerful tool for the modeling of systems the following are some basic tips for making your table look up’s fast and accurate

Pre-process your data

Table data often comes from real-world sources.  This presents two issues

  1. Errors in the data: Validate that any anomalous readings are removed from the data
  2. Non-uniform input axis: Real-world measurements frequently have jitter on the exact “place” of measurement.  Data should be renormalized to a uniform input axis

Know your boundaries

WithImage result for the doors this is the end tables, there are always limits on the input axes range.   Understanding the behavior of the table outside of the known range is important.  There are two basic options

  1. Hold last value: In this instance, the last value at the tale boundary is used for all data outside of the axes
  2. Interpolate data: In this case, the output data is extended beyond the known boundary.  For data near the boundaries this is generally acceptable; however, the accuracy can quickly break down as inputs exceed the

There are three approaches to handling this issue

  1. Expand the range of valid data: This is the ideal solution but is often not possible due to sampling reasons.
  2. Pre-interpolate the data: Create data outside of the range with “safe” values based on engineering knowledge.
  3. Limit the input data range: Create a “hard stop” at the data edge.

Reduce, reuse, recycle…

It is common for multiple tables to share the same input axis; in this case, sharing the index lookup across multiple tables is one method for reducing the total number of calculations required by the algorithm.

Image result for pre-lookup table simulink

Data types and discontinuities


Image result for the cascades virginia tech
Table: Good before and after the fall

lookup algorithms are not well suited for data with discontinuities.  When working with such data either piecewise approaches are used or the region in which the discontinuity appears has additional data points to handle the sharp change.

A similar issue is working with integer-based data and interpolation.  When the outputs from the table are integer values then either interpolation should not be enabled or all possible input coordinates should be part of the input axes.

So there you go, a few quick suggestions for working with tables!



Orthogonal redundancy…

ThereImage result for measure twice cut once is an old saying “measure twice, cut once”‘; wise words of caution before you take an irrevocable action.  However, if you have a faulty measuring tape then measuring twice will just produce the same error twice.

Orthogonal redundancy is an approach to safety-critical software where the same dependent variable is calculated using 2 or more methods.  In the woodworking example, this could be done by using a standard tape measure the first time and laser guide the second.

Achieving software orthogonality

There are three basic approaches to software orthogonality, listed in terms of “strength”

  1. Unique algorithms:
  2. Common algorithm: unique parameterization
  3. Common algorithm: unique inputs

Unique algorithm:

Using a unique algorithm has the advantage that it removes the chance of a common point of failure; e.g. if one algorithm can overflow, the second doesn’t.  (Mind you, you should catch the overflow problem).  The downside to this approach then is that you need to create validation test cases for each unique algorithm

Common algorithm: unique parameterization

InImage result for throttle body sensor volt versus angle this case, the same algorithm is used however the parameterization is different for each instance.  This is commonly seen for hardware sensors, such as unique scaling on a set of analog input sensors.  For example, as in the image shown a simple linear equation (y = m*x + b) can be used to determine the throttle angle, however, the coefficient or “m” and “b” are different.

Common algorithm: unique inputs

This final approach is used when the input source data is suspect or can fail.  The solution, in this case, is to create multiple input sources for the same data.  The throttle body example above, redundant sensors, is an example of this; a more robust example would be to have two different types of sensors.

When and how?

UsingImage result for who what when where orthogonal algorithms requires additional execution steps and memory; both for the algorithm and for the validation of results against each other.  Because of this, the use of the algorithms should be limited to safety critical calculations.

The standard way to use multiple results is with triple redundancy.  The results are compared with each other, as long as they are in agreement (within tolerance) of each other then the result is passed on.  If two of the three agree that value is used. If there is no agreement then the results are flagged as an error.

Scenario-based testing

In scenario-based testing, the test author configures the input data to “move” the system through a set of desired states or maneuvers.  A simple example of this would be a “wide-open throttle” scenario for automobiles

  1. Key set to crankImage result for prndl
    1. Hold .1 second
  2. Key set to run
  3. Together
    1. Brake to 100%
    2. PRNDL to Drive
  4. Together
    1. Brake to 0%
    2. Throttle to 100%
      Measure time to 60 MPH

Reusing scenarios

In scenario-based testing, there are often common “starting points”.  In our example above the common starting point would be the first 3 steps.  In the example that follows, using a Test Sequence block I implemented the common steps as a single, grouped, step.scenarioRuse

When the common setup is complete the sequence block then moves onto another “grouped” step which implements the specific test.  Optionally a second or third “common setup” sequence could be defined before the actual test begins.

Chained data

AnotherImage result for criminal cat method of reusing scenarios is to “chain data” together.  In this case, a series of input data files are concatenated and played in sequence into the simulation.  To continue this example the first three steps would be one data file and then either the “WOT” or “idelWarmUp” would contribute to the next data file.  (Please imagine the image is of a fat cat named “Nate”  (Con-Cat-Ton-Nate)

Why perform scenario-based testing?

Scenario-based testing allows us to validate that models behave in the way we expect and the way we designed, if I “put the pedal to the metal” the car accelerates quickly.  Most frequently I use them to

  • Validation of state machine behavior
  • Exercising diagnostic code
  • Validate requirements
  • Debug models under development



Art and engineering

Every once and a while I take a dip into my design philosophy.  This video is one of those posts.  A short meditation on the link between systems that we design and inhabit.  The image I show in the video is the same as the header and image shown below.  If you have a chance go to the Detroit Institute of Art (DIA) and see it in person!



Bubble wrap syndrome (BWS): A safety critical issue

We all know what it is:

Bubble wrap syndrome (BWS): The overwhelming desire to “pop” cells
 a sheet of bubble wrap.  See also Packing Peanut Popping (PPP).

Even if it isn’t a real psychiatric diagnosis it makes for a good, slightly humorous, starting point of this post.  Bubble wrap is designed to protect items in shipping.  When we “pop” bubbles we decrease the effectiveness of the wrap.  In the software domain, this corresponds to the slow creep of “features” into the diagnostic code.

The road to heck…

By Image result for the road to helldesign diagnostic code is isolated from the functional code.  Because of this diagnostic code will, sometimes, duplicate calculations that exist in the functional code.  It can be tempting to interleave, reuse, those calculations for both the functional and diagnostic code.

There are three problems with this

  1. Unit test interference: by mixing the functional and diagnostic code you prevent unit testing of the components.
  2. Development independence / common failure mode: Mixing the two components together you run the risk of introducing a common failure mode in the analysis of the data.
  3. Link to a common processor: for some safety critical systems diagnostic code runs on a separate processor or core.


Where are the boundaries?

In this Image result for boundary watersexample, the “Proposed Mines” are the possible infestation of our pristine “boundary waters” diagnostic code.  The question is “how close is to close?”  The following rules of thumb can be applied

  1. The functional code should not depend on any output from the diagnostic beyond the diagnostic flags.
  2. The diagnostic code should not make calls to functional code
  3. The diagnostic code should not perform filtering, table lookups or integration operations
  4. The diagnostic code should be non-interuptable.


Many tools, many formats…

Welcome to my latest blog, I have tried for a “dynamic” whiteboard experience today; I apologize in advance for the occasional motion blur.

The focus of this video is how to exchange data between multiple tools, with a recommended approach of settling on a common data format that all tools can read and write into.  A list of common data formats can be found here: