Zürcher Hochschule für Angewandte Wissenschaften



School of Engineering IAMP Institut für Angewandte Mathematik und Physik



# **FBIS Development**

Sven Stefan Krauss, Christian Sommer, Jan Brunner ZHAW Zurich University of Applied Sciences, Switzerland

# FBIS Development: Introduction

### Name

- Sven Stefan Krauss
- Computer Engineering
- Certified Functional Safety Engineer (TÜV Rheinland)

### Role

- Project Manager HIL-Systems
- Technical Lead HIL-Systems
- QA



Many thanks to Annika for taking this picture during the ESS construction site visit for PSS in November 2016.

# Agenda







## FBIS Development

### Mission

Development of FBIS is guided by IEC 61508 ed. 2.

#### Strategy

- FBIS is not considered a safety-related system but a protection system
- Adaptation of safety concepts to protection
- Main focus on reliability and availability, i.e. hardware metrics and architecture constraints

#### Protection System

- PIL: Protection Integrity Level
- PF: Protection Function

#### Hardware Metrics

- PFH: Probability of Failure per Hour
- HFT: Hardware Fault Tolerance
- SFF: Safe Failure Fraction

### FBIS

- Is part of the Machine Protection System (MPS)
- Implements or is part of Protection Functions

### E/E/PE System

Protection-related logic will be realized in FPGA firmware → programmable electronic system

### Standard

- IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems
- Part 1: General Requirements
- Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems

### Compliance Planning

- Tailoring of IEC 61508-1 and IEC 61508-2
- Compliance Matrix (work in progress)

(Figure 5 of IEC 61508: Relationship and scope for IEC 61508-2 and IEC 61508-3)



# FBIS Development FBIS Lifecycle






## FBIS-SRS

### System Requirements Specification

Document that collects the FBIS

- Functional Requirements
- Non-Functional Requirements

#### Purpose

- Provides a common point of reference for FBIS expectations and limits
- Used for further development
- Used for verification activities

Excerpt from the FBIS-SRS (page 20/73, version 1D), section 7 Functional System Requirements, 7.1 Interfaces:

7.1.1 LPSID Interface #[ISSUE:62882]
The FBIS shall have an interface for the LPSID according to the specification in /FBIS-LPSID-IDD/. The LPSID may request a beam switch-off via FBIS and is hence considered to be a Sensor System in this document.

7.1.2 LPSVAC Interface #[ISSUE:63711]
The FBIS shall have an interface for the LPSVAC according to the specification in TBD. The LPSVAC may request a beam switch-off via FBIS and is hence considered to be a Sensor System in this document.

7.1.3 LPSMAG Interface #[ISSUE:63819]
The FBIS shall have an interface for the LPSMAG according to the specification in TBD. The LPSMAG is considered to be a Sensor System in this document.

7.1.4 ACCT Digital Processing Board Interface #[ISSUE:63619]
The FBIS shall have interfaces to the ACCT Digital Processing Boards according to the specification in TBD. The ACCT Digital Processing Boards may request a beam switch-off via FBIS and are hence considered to be Sensor Systems in this document.

7.1.5 RF Fast Interlock Module Interface #[ISSUE:63828]
The FBIS shall have interfaces to the RF Fast Interlock Modules according to the specification in TBD. The RF Fast Interlock Modules may request a beam switch-off via FBIS and are hence considered to be Sensor Systems in this document.

7.1.6 Fast Gate Valve Interface #[ISSUE:63846]
The FBIS shall have interfaces to the Fast Gate Valves according to the specification in TBD. The Fast Gate Valves may request a beam switch-off via FBIS and are hence considered to be Sensor Systems in this document.

7.1.7 ESS Timing System Interface
The FBIS shall have an interface to the ESS Timing System according to the specification in /FBIS-TS-IDD/. The ESS Timing System has a dual role: it provides timing and configuration information and is used to inhibit the proton beam. Hence, it is considered to be an Actuation System and a Higher-Level Safety and Control System in this document.



### Requirements Management

- We use CodeBeamer for requirements management
- SRS is realized as issue tracker
- Requirements are realized as tracker items
- FBIS-SRS is a generated document

#### CodeBeamer

Using CodeBeamer for Requirements Management provides per requirement:

- Automatic unique ID
- Status
- Log
- Traceability
- Workflow

(Screenshot: FBIS-SRS in CodeBeamer.)

### Requirements Guidelines

Wiki: Requirement Guidelines

#### Purpose

- Provides common language templates for requirement texts
- Provides quality criteria for a requirement and for a set of requirements
- Adapted from EARS: The Easy Approach to Requirements Syntax, Alistair Mavin et al. (2009)

#### Quality Criteria

Single requirement:

- Identifiable
- Atomic
- Clear
- Precise
- Feasible

Set of requirements (i.e. the SRS):

- Completeness
- Consistency
- Freedom from contradiction
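As an added example (not from the slides or the FBIS Requirement Guidelines wiki), the following Python matches requirement texts against the EARS templates and applies the single-requirement criteria mechanically; the EARS patterns follow Mavin et al. (2009), while the vague-word list and all sample requirements except the quoted LPSVAC one are constructed for this example.

```python
"""EARS template matching and quality checks for requirement texts.

Added example; the FBIS Requirement Guidelines wiki is not reproduced here.
The template patterns follow the EARS paper (Mavin et al., 2009); the list of
vague words and the sample requirements are constructed for this example,
except the LPSVAC interface requirement, which is quoted from the FBIS-SRS
excerpt on this page.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# EARS templates, checked in order; anything else that carries a modal verb is
# "ubiquitous" (The <system> shall <response>).
EARS_TEMPLATES = [
    ("unwanted behaviour", r"^if\b.*\bthen\b"),  # If <trigger>, then the <system> shall ...
    ("event-driven", r"^when\b"),                # When <trigger> the <system> shall ...
    ("state-driven", r"^while\b"),               # While <state> the <system> shall ...
    ("optional feature", r"^where\b"),           # Where <feature> the <system> shall ...
]
# Words that violate "Clear" / "Precise" (constructed list).
VAGUE_WORDS = ("appropriate", "adequate", "sufficient", "fast", "user-friendly", "etc")
PLACEHOLDERS = ("tbd", "tbc")


@dataclass
class Finding:
    req_id: str
    template: str          # EARS template name
    kind: str              # "mandatory" (shall), "design goal" (should) or "unknown"
    issues: List[str] = field(default_factory=list)


def classify(req_id: str, text: str) -> Finding:
    """Match one requirement text against EARS and the single-requirement criteria."""
    normalized = " ".join(text.split()).lower()
    template = "ubiquitous"
    for name, pattern in EARS_TEMPLATES:
        if re.search(pattern, normalized):
            template = name
            break
    shall = len(re.findall(r"\bshall\b", normalized))
    should = len(re.findall(r"\bshould\b", normalized))
    if shall and not should:
        kind = "mandatory"
    elif should and not shall:
        kind = "design goal"
    else:
        kind = "unknown"
    issues: List[str] = []
    if shall + should == 0:
        issues.append("no 'shall'/'should': not a requirement statement")
    if shall + should > 1:
        issues.append("more than one 'shall'/'should': not atomic")
    for word in PLACEHOLDERS:
        if re.search(rf"\b{word}\b", normalized):
            issues.append(f"placeholder '{word.upper()}': not precise")
    for word in VAGUE_WORDS:
        if re.search(rf"\b{re.escape(word)}\b", normalized):
            issues.append(f"vague term '{word}': not clear")
    return Finding(req_id, template, kind, issues)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Counts in the style of the slide: mandatory vs. design goals, plus flagged items."""
    return {
        "mandatory": sum(f.kind == "mandatory" for f in findings),
        "design goals": sum(f.kind == "design goal" for f in findings),
        "with issues": sum(bool(f.issues) for f in findings),
    }


# Constructed sample requirements (the first one is quoted from the FBIS-SRS excerpt).
SAMPLE_REQUIREMENTS = {
    "ISSUE:63711": "The FBIS shall have an interface for the LPSVAC according to the specification in TBD.",
    "EX-1": "When the LPSVAC requests a beam switch-off, the FBIS shall remove the global beam permit.",
    "EX-2": "If an ACCT input reports NOK, then the FBIS shall latch the beam permit until reset.",
    "EX-3": "The FBIS shall log the event and the FBIS shall notify the operator.",
    "EX-4": "The FBIS should support an appropriate number of sensor inputs.",
}


def check_all(requirements: Dict[str, str] = SAMPLE_REQUIREMENTS) -> List[Finding]:
    return [classify(req_id, text) for req_id, text in requirements.items()]


if __name__ == "__main__":
    results = check_all()
    for f in results:
        print(f"{f.req_id:12} {f.template:18} {f.kind:12} {'; '.join(f.issues) or 'ok'}")
    print(summarize(results))
```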

### Example requirement

(Screenshot of an example requirement.)

- shall: 266 mandatory requirements, which need to be verified and validated
- should: 14 design goals




## Verification

"[...] verification is the activity of demonstrating for each phase of the relevant safety lifecycle (overall, E/E/PE system and software), by analysis, mathematical reasoning and/or tests, that, for the specific inputs, the outputs meet in all respects the objectives and requirements set for the specific phase."

IEC 61508-4, 3.8.1, verification: confirmation by examination and provision of objective evidence that the requirements have been fulfilled.

## Validation

"[...] Validation is the activity of demonstrating that the safety-related system under consideration, before or after installation, meets in all respects the safety requirements specification for that safety-related system."

IEC 61508-4, 3.8.2, validation: confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled.

# FBIS Verification & Validation Terms and Definitions

## Verification Method

- Test
- Analysis
- Review
- Demonstration
- Inspection
- Simulation

The main focus is on IEC 61508 terms and definitions; some terms and definitions from other standards are also used or adapted.





(Picture: TARDIS, Time And Relative Dimension(s) In Space, from the BBC TV show "Doctor Who". Source: https://de.wikipedia.org/wiki/TARDIS#/media/File:TARDIS2.jpg)



### Test

#### Purpose

To demonstrate that the system under test reacts/performs as expected.

#### Typical for

- Functional Requirements
- Performance Requirements

#### IEC 61508-7

- B.5.1 Black box testing
- B.6.1 Fault insertion testing
- B.6.9 Worst-case testing
- C.5.27 Model based testing (test case generation)

#### MIL-STD-961E Test

An element of verification in which scientific principles and procedures are applied to determine the properties or functional capabilities of items.

#### Example

Stimulate inputs and observe outputs; compare the actual output with the expected output.

### Analysis

#### Purpose

Show by analysis / calculation that the system will meet its requirements.

#### Typical for

- Reliability Requirements
- Availability Requirements

#### IEC 61508-7

- B.6.6.5 Fault tree analysis (FTA)
- B.6.6.6 Markov models
- B.6.6.7 Reliability block diagrams (RBD)

#### MIL-STD-961E Analysis

An element of verification that uses established technical or mathematical models or simulations, algorithms, charts, graphs, circuit diagrams, or other scientific principles and procedures to provide evidence that stated requirements were met.

- Calculate hardware metrics (MTBF, SFF, PFH) using Reliability Block Diagrams, Fault Tree Analysis or Markov analysis.
- STPA for qualitative analysis of a proposed functional architecture
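An added example (not from the slides) for the analysis method above: it computes SFF and PFH for a constructed channel in 1oo1 and 1oo2 configuration and checks the result against the Route 1H architectural constraint (SFF and HFT), using the simplified equations of IEC 61508-6 Annex B and the SFF/HFT tables of IEC 61508-2. The failure rates, beta factors, intervals and the type B classification are constructed assumptions, and the standard's SIL bands stand in for the slides' PIL adaptation, which is not detailed here.

```python
"""Hardware metrics for one FBIS channel architecture per IEC 61508 ed. 2.
Added example, not from the slides. SFF follows IEC 61508-2 Annex C; PFH for
1oo1 and 1oo2 in high-demand mode follows the simplified equations of
IEC 61508-6 Annex B (B.3.3.2); the architectural constraint is Route 1H of
IEC 61508-2 (Tables 2 and 3). All rates and parameters are constructed values."""
from dataclasses import dataclass

FIT = 1e-9  # one FIT = one failure per 1e9 hours


@dataclass(frozen=True)
class ChannelRates:
    """Failure rates of one channel in failures per hour, split into the
    IEC 61508 categories safe/dangerous x detected/undetected."""
    lambda_sd: float
    lambda_su: float
    lambda_dd: float
    lambda_du: float

    @classmethod
    def from_fit(cls, sd: float, su: float, dd: float, du: float) -> "ChannelRates":
        return cls(sd * FIT, su * FIT, dd * FIT, du * FIT)

    @property
    def lambda_d(self) -> float:
        return self.lambda_dd + self.lambda_du

    @property
    def lambda_total(self) -> float:
        return self.lambda_sd + self.lambda_su + self.lambda_d


def safe_failure_fraction(r: ChannelRates) -> float:
    """SFF = (sum lambda_S + sum lambda_DD) / sum lambda  (IEC 61508-2, Annex C)."""
    return (r.lambda_sd + r.lambda_su + r.lambda_dd) / r.lambda_total


def pfh_1oo1(r: ChannelRates) -> float:
    """High demand, 1oo1: each dangerous undetected failure loses the protection
    function, so PFH = lambda_DU (IEC 61508-6, B.3.3.2.1)."""
    return r.lambda_du


def pfh_1oo2(r: ChannelRates, beta: float, beta_d: float,
             t1_h: float, mrt_h: float, mttr_h: float) -> float:
    """High demand, 1oo2 with beta-factor common cause (IEC 61508-6, B.3.3.2.2).
    beta/beta_d: common-cause fraction of undetected/detected dangerous failures;
    t1_h: proof-test interval; mrt_h: mean repair time; mttr_h: mean time to restoration."""
    # channel equivalent mean down time t_CE
    t_ce = (r.lambda_du / r.lambda_d) * (t1_h / 2 + mrt_h) + (r.lambda_dd / r.lambda_d) * mttr_h
    independent = 2 * ((1 - beta_d) * r.lambda_dd + (1 - beta) * r.lambda_du) * r.lambda_du * t_ce
    common_cause = beta_d * r.lambda_dd + beta * r.lambda_du
    return independent + common_cause


def sil_from_pfh(pfh: float) -> int:
    """High-demand SIL band for a PFH (IEC 61508-1, Table 3); 0 = below SIL 1."""
    for upper, sil in ((1e-8, 4), (1e-7, 3), (1e-6, 2), (1e-5, 1)):
        if pfh < upper:
            return sil
    return 0


# Route 1H: maximum SIL by SFF band (<60 %, 60-90 %, 90-99 %, >=99 %) and HFT (0, 1, 2)
# for type A and type B subsystems; 0 = not allowed (IEC 61508-2, Tables 2 and 3).
ROUTE_1H = {
    "A": [[1, 2, 3], [2, 3, 4], [3, 4, 4], [4, 4, 4]],
    "B": [[0, 1, 2], [1, 2, 3], [2, 3, 4], [3, 4, 4]],
}


def sff_band(sff: float) -> int:
    return 3 if sff >= 0.99 else 2 if sff >= 0.90 else 1 if sff >= 0.60 else 0


def max_sil_route_1h(sff: float, hft: int, subsystem_type: str) -> int:
    """Highest SIL the architecture may claim under Route 1H."""
    return ROUTE_1H[subsystem_type][sff_band(sff)][min(hft, 2)]


def evaluate(r: ChannelRates, subsystem_type: str = "B") -> dict:
    """Compare a single channel (1oo1, HFT 0) with a 1oo2 pair (HFT 1) built from
    the same channel; the claimable SIL is limited by both the PFH band and the
    architectural constraint, which is why both metrics are computed."""
    sff = safe_failure_fraction(r)
    result = {"sff": sff}
    configs = (("1oo1", pfh_1oo1(r), 0),
               ("1oo2", pfh_1oo2(r, beta=0.02, beta_d=0.01, t1_h=8760, mrt_h=8, mttr_h=8), 1))
    for name, pfh, hft in configs:
        by_pfh = sil_from_pfh(pfh)
        by_arch = max_sil_route_1h(sff, hft, subsystem_type)
        result[name] = {"pfh": pfh, "sil_by_pfh": by_pfh,
                        "sil_by_architecture": by_arch, "claimable_sil": min(by_pfh, by_arch)}
    return result


# Constructed sample channel (500 FIT total, treated as type B because it is FPGA-based).
SAMPLE_CHANNEL = ChannelRates.from_fit(sd=200, su=100, dd=160, du=40)
```

For the sample channel, evaluate(SAMPLE_CHANNEL) shows that the 1oo2 pair reaches the SIL 4 PFH band only because common-cause failures dominate the result, while the architectural constraint for a type B subsystem with HFT 1 still caps the claim at SIL 3.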

### Review

#### Purpose

To check whether work products (specification, design documents, code, etc.) are correct and complete.

#### Typical for

- Documents
- Source Code

#### IEC 61508-7

- B.2.6 Inspection of the Specification
- B.3.7 Inspection (reviews and analysis)
- B.3.8 Walk-through
- C.5.14 Formal inspections

#### Adapted from IEEE Std 1028\*, 3.5 Review

A process or meeting during which a work product, set of work products, or a lifecycle process is presented to project personnel, managers, users, customers, user representatives, auditors or other interested parties for examination, comment or approval.

- Review of a Requirements Specification Document to check whether requirements are complete, feasible and verifiable.
- Formal Code Inspection\*\* to check whether an algorithm is correctly implemented.

<sup>\*</sup> Original text: "A process or meeting during which a software product, set of software products, or a software process [...]"

### Demonstration

#### Purpose

To demonstrate that the system can handle specific scenarios.

#### Typical for

- Environmental Requirements
- Human Factor Requirements
- Performance Requirements

#### IEC 61508-7

- B.6.1 Functional testing under environmental conditions
- B.6.2 Interference surge immunity testing
- B.5.3 Statistical testing

#### MIL-STD-961E Demonstration

An element of verification that involves the actual operation of an item to provide evidence that the required functions were accomplished under specific scenarios. The items may be instrumented and performance monitored.

- Electromagnetic Interference (EMI), ESD
- Shock and Vibration
- Temperature
- Network load tests

### Inspection

#### Purpose

To check that the system will meet its specified properties.

#### Typical for

- Physical requirements (dimensions, weight, etc.)
- Data requirements

#### IEC 61508-7

- B.6.4 Static analysis

#### MIL-STD-961E Inspection

An element of verification that is generally nondestructive and typically includes the use of sight, hearing, smell, touch, and taste; simple physical manipulation; and mechanical and electrical gauging and measurement.

- Check whether the system under verification fits into a 19" rack.
- Check whether the system contains a specific log entry in a specific format.

### Simulation

#### Purpose

To display significant aspects of the behavior of the system.

#### Typical for

- Hardware circuit design
- FPGA Timing

#### IEC 61508-7

- B.3.6 Simulation

#### IEC 61508-7 B.3.6 Simulation

To carry out a systematic and complete inspection of an electrical/electronic circuit, of both the functional performance and the correct dimensioning of the components.

- Simulate hardware circuits for part stress data
- Simulate FPGA timing behavior using a virtual testbench

### Simulation (= Animation)

#### Purpose

To display significant aspects of the behavior of the system.

#### Typical for

- System operational behavior
- Test case and data generation

#### IEC 61508-7

- C.5.17 Prototyping/animation
- C.5.26 Animation of specification and design
- C.5.27 Model based testing (test case generation)

#### IEC 61508-4 3.8.14 Animation

Simulated operation of the software system (or of some significant portion of the system) to display significant aspects of the behaviour of the system, for instance applied to a requirements specification in an appropriate format or an appropriate high-level representation of the system design.

- Simulate behavior using a finite state machine
- Simulate behavior using MATLAB/Simulink
- Generate test cases using MATLAB/Simulink

# FBIS Verification & Validation Verification Cross Reference Matrix

## FBIS-VCRM

### Verification Cross Reference Matrix

The VCRM defines for each requirement

- the verification method
- the verification idea

#### Purpose

- Defines the starting point for detailed verification and validation plans
- Defines acceptance criteria for each requirement
- Identifies required verification resources
Excerpt from the FBIS-VCRM (page 21/89, version 1D):

| Record continued from the previous page (name not visible) | |
|---|---|
| Required Interfaces | Serial Datalink |
| Precondition | n/a |
| Procedure | Send cyclic messages over serial datalink; change message datafields for "LPSVAC Proton Beam Mode" |
| Acceptance Criteria | LPSVAC_PROTON_BEAM_DESTINATION is set according to message datafields |

| LPSVAC Proton Beam Destination Errors | |
|---|---|
| Verification Technique | Test |
| Verification Idea | Simulate LPSVAC using HIL-Simulator |
| Required Interfaces | Serial Datalink |
| Preconditions | LPSVAC_PROTON_BEAM_DESTINATION is set to "Target" |
| Procedure | Send messages using HIL-Simulator; change message datafields to simulate error conditions |
| Acceptance Criteria | LPSVAC_PROTON_BEAM_DESTINATION is set to "None" for error conditions |

#### 4.2.1.2.9 LPSVAC Proton Beam Mode Input

| #[ISSUE:83714] | |
|---|---|
| Requirement | LPSVAC Proton Beam Mode Input |
| Verification Technique | Test |
| Verification Idea | Covered by testing of related requirements: LPSVAC Proton Beam Mode State, LPSVAC Proton Beam Mode Errors |

#### 4.2.1.2.10 LPSVAC Proton Beam Mode

| #[ISSUE:65149] | |
|---|---|
| Requirement | LPSVAC Proton Beam Mode |
| Verification Technique | Test |
| Verification Idea | Covered by testing of related requirements: LPSVAC Proton Beam Mode State, LPSVAC Proton Beam Mode Errors |

#### 4.2.1.2.11 LPSVAC Proton Beam Mode State

| #[ISSUE:65152] | |
|---|---|
| Requirement | LPSVAC Proton Beam Mode State |
| Verification Technique | Test |
| Verification Idea | Simulate LPSVAC using HIL-Simulator |

### FBIS-VCRM

Example VCRM record, showing the reference to the requirement ID and the verification method:

#### 4.3.1.1 ACCT_5 Beam Permit Evaluation

| #[ISSUE:63625] | |
|---|---|
| Requirement | ACCT_5 Beam Permit Evaluation |
| Verification Technique | Test |
| Verification Idea | Simulate ACCT_5_BEAM_PERMIT |
| Required Interfaces | Discrete |
| Preconditions | Input is configured to "No Masking" |
| Procedure | For each proton beam destination do: Reset; Set ACCT_5_BEAM_PERMIT to "OK"; Wait; Set ENFORCED_PROTON_BEAM_DESTINATION to new proton beam destination; Set ACCT_5_BEAM_PERMIT to "NOK"; Reset; Loop |
| Acceptance Criteria | GLOBAL_BEAM_PERMIT is set according to table |


# FBIS Verification & Validation Testing


# Testing

## Goal

- Verification and validation of FBIS functional requirements
- Verification of performance requirements

## Challenges

- Actual behavior of the Device-under-Test (DuT) needs to be observable
- Observed behavior needs to be checked against expected behavior
- Test oracle problem: how to get the expected results for defined inputs
- Creation of meaningful test cases and test data, i.e. test coverage
- Timing Measurement


## Vision

Use Model Based Testing for FBIS verification (testing)

## Strategy

- Build a Hardware-in-the-Loop (HiL) Simulator to support verification and validation activities
- Combine testing techniques for Model Based Testing running on the HIL Simulator
- Demonstrate the planned approach on the CERN BIS
- Apply the approach on the ESS FBIS

## IEC 61508-7 Techniques and Measures

- C.5.27 Model Based Testing
- B.5.1 Black box testing
- B.6.1 Fault insertion testing
- B.6.9 Worst-case testing
- C.5.17 Prototyping/animation
- C.5.26 Animation of specification and design
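The following Python is an added example, not part of the slides or of the FBIS project code. It turns the VCRM record for ACCT_5 Beam Permit Evaluation (quoted above) into a model-based test that addresses the test oracle problem listed under Challenges: an executable reference model computes the expected GLOBAL_BEAM_PERMIT for every step, the stimulus sequence follows the VCRM procedure, and a DUT stand-in with an injected masking defect (fault insertion) shows how a mismatch is reported against the requirement ID. The proton beam destinations, the masking semantics and the latching behaviour are constructed assumptions; on the HIL rig the stimuli would drive the real signals and "Wait" would be a timed delay.

```python
"""Model-based test for the "ACCT_5 Beam Permit Evaluation" VCRM record.
Added example, not FBIS project code: signal and requirement names are from the
VCRM record on this page; beam destinations, masking semantics and the latching
of GLOBAL_BEAM_PERMIT are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List

REQUIREMENT = "4.3.1.1 ACCT_5 Beam Permit Evaluation, #[ISSUE:63625]"
OK, NOK = "OK", "NOK"
DESTINATIONS = ["None", "Target", "DumpLine"]  # assumed; "None" and "Target" appear on the slides
NO_MASKING: Dict[str, bool] = {d: False for d in DESTINATIONS}  # VCRM precondition "No Masking"


@dataclass(frozen=True)
class Stimulus:
    action: str  # "reset", "set_acct5", "set_destination" or "wait"
    value: str = ""


def vcrm_procedure(destinations: List[str]) -> List[Stimulus]:
    """Stimuli from the VCRM procedure: for each proton beam destination do Reset,
    ACCT_5 := OK, Wait, ENFORCED_PROTON_BEAM_DESTINATION := dest, ACCT_5 := NOK, Reset."""
    steps: List[Stimulus] = []
    for dest in destinations:
        steps += [Stimulus("reset"), Stimulus("set_acct5", OK), Stimulus("wait"),
                  Stimulus("set_destination", dest), Stimulus("set_acct5", NOK),
                  Stimulus("reset")]
    return steps


class BeamPermitModel:
    """Executable reference model: test oracle and conforming-DUT stand-in.
    Assumed semantics: NOK on an input that is not masked for the enforced
    destination latches GLOBAL_BEAM_PERMIT to NOK until the next reset."""

    def __init__(self, masking: Dict[str, bool]):
        self.masking = masking
        self.reset()

    def reset(self) -> None:
        self.acct5, self.destination, self.latched_nok = OK, DESTINATIONS[0], False

    def set_acct5(self, value: str) -> None:
        self.acct5 = value
        self._evaluate()

    def set_destination(self, destination: str) -> None:
        self.destination = destination
        self._evaluate()

    def wait(self) -> None:
        pass  # a timed delay on the HIL rig; the model itself is untimed

    def _evaluate(self) -> None:
        if self.acct5 == NOK and not self.masking.get(self.destination, False):
            self.latched_nok = True

    @property
    def global_beam_permit(self) -> str:
        return NOK if self.latched_nok else OK


class MaskingDefectDut(BeamPermitModel):
    """DUT stand-in with an injected defect (fault insertion): it ignores the
    configured masking and always masks ACCT_5 for the "Target" destination."""

    def _evaluate(self) -> None:
        if self.destination != "Target":
            super()._evaluate()


@dataclass(frozen=True)
class Failure:
    requirement: str  # traceability back to the VCRM / SRS item
    step_index: int
    stimulus: Stimulus
    expected: str
    actual: str


def apply(system: BeamPermitModel, step: Stimulus) -> None:
    """Dispatch one stimulus to the model or to the DUT."""
    {"reset": system.reset, "wait": system.wait,
     "set_acct5": lambda: system.set_acct5(step.value),
     "set_destination": lambda: system.set_destination(step.value)}[step.action]()


def run_vcrm_test(dut: BeamPermitModel, masking: Dict[str, bool] = NO_MASKING,
                  destinations: List[str] = DESTINATIONS) -> List[Failure]:
    """Drive oracle and DUT with the same stimuli and compare GLOBAL_BEAM_PERMIT
    after every step; the oracle stands in for the hand-written acceptance table."""
    oracle, failures = BeamPermitModel(masking), []
    for index, step in enumerate(vcrm_procedure(destinations)):
        apply(oracle, step)
        apply(dut, step)
        if oracle.global_beam_permit != dut.global_beam_permit:
            failures.append(Failure(REQUIREMENT, index, step,
                                    oracle.global_beam_permit, dut.global_beam_permit))
    return failures
```

run_vcrm_test(BeamPermitModel(NO_MASKING)) returns no failures, while run_vcrm_test(MaskingDefectDut(NO_MASKING)) returns exactly one Failure, at the step that sets ACCT_5_BEAM_PERMIT to NOK while "Target" is enforced.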


# FBIS Verification & Validation Test System

## Hardware-in-the-Loop

### Applications

- Testing of Cyber-Physical Systems
- Testing of Reactive Real-Time Systems

### Goal

Testing of the Fast Beam Interlock System (FBIS)

- Functional Requirements, i.e. logic
- Performance Requirements, i.e. timing






### Cyber-Physical System

- Integration of computation and physical processes
- Reads sensor feedback signals
- Provides actuator control signals

### HiL Simulator

- Reads actuator control signals
- Emulates the physical process (plant)
- Provides simulated sensor feedback



Lee, Edward A. (2008) Cyber Physical Systems: Design Challenges. EECS Department, University of California, Berkeley. Technical Report UCB/EECS-2008-8; <u>http://www2.eecs.berkeley.edu/Pubs/TechRpts/2008/EECS-2008-8.html</u>

Zürcher Fachhochschule; © Sven Stefan Krauss


Wieringa, R.J. (2003) Design Methods for Reactive Systems: Yourdon, Statemate, and the UML. Elsevier Science.


### Demo Test Rig

- NI PXIe-1082: 8-Slot 3U PXI Express Chassis
- PXIe-8880 RT: Intel® Xeon® E5-2618L v3 Octa-Core Processor, 2.3 GHz
- PXI-7858R: NI Multifunction RIO with Kintex-7 325T FPGA, 1 MS/s AI, DRAM
- PXIe-7975R: NI FlexRIO FPGA, Kintex-7, 2 GB
- PXIe-6547-64: HSDIO, 64 DIGIO, 100 MHz

(Photo of the demo test rig; labelled: PXIe-8880, PXIe-6547 (hidden).)

### Second Test Rig (1/2)

- NI PXIe-1045: 18-Slot 3U PXI Express Chassis
- PXIe-8880 RT: Intel® Xeon® E5-2618L v3 Octa-Core Processor, 2.3 GHz
- PXIe-6536: High-Speed Digital I/O
- PXIe-6366: X Series Multifunction DAQ
- PXIe-7972R: FlexRIO FPGA Module



### Second Test Rig (2/2)

- PXIe-2515: High-Speed Digital I/O Signal Insertion Switch
- PXIe-4112: 2-Channel Power Supply
- PXIe-4142: 4-Channel Source-Measurement Unit



### Test applications out of the box

- Digital signal generation and acquisition
- Analogue signal generation and acquisition
- Fault injection tests
- Verification of control algorithms
- Comparison of system-under-test behavior with a Simulink control reference model



## Software

### NI VeriStand

Extendable software environment for configuring real-time test applications

### System Explorer

- Modular system definition
- Hardware configuration
- Model configuration
- Channel definition and configuration

### **NI VeriStand Engine**

- Handles channel communication
- Handles execution
- Extendable with custom devices







Configuring Real-Time Testing Applications: http://www.ni.com/white-paper/13068/en/

### Software Defined Test System

#### Simulink Model

Integration of Simulink models

#### **Custom Device**

- Custom implemented device
- Developed in LabVIEW
- Communicates via channels
- Inline Custom Device
- Asynchronous Custom Device

#### FPGA Personality

Execution of custom-made FPGA code written in LabVIEW FPGA



### NI VeriStand Engine

- Manages channel communication
- Manages execution loops

#### Loops

- Primary Control Loop
- Model Execution Loop
- Asynchronous Custom Device Loop(s)



NI VeriStand Engine Architecture <u>http://www.ni.com/product-documentation/13033/en/</u>

### Custom Device for Logic Testing

- Driver for PXIe-6547
- Testing of logic behavior
- Digital stimulus-response testing based on channel data
- Channels for digital output
- Channels for digital input
- Optimized for integration with Simulink models

#### Channels

- 32 Input Channels
- 32 Output Channels



(Screenshot: NI VeriStand System Explorer showing the PXIe-6547 Static Custom Device with its HW Input Channels and HW Output Channels, DIO 0 to DIO 31, next to the connector pinout.)

### Custom Device for HSDIO Testing

- Driver for PXIe-6547
- Digital stimulus-response testing
- Playback of predefined stimulus files
- Signal generation and acquisition up to 50 MHz
- Integrated timing measurement
- Trigger configuration

#### Channels

- Control Channels
- Status Channels
- Timing Channels



(Screenshot: the Custom Device for High Speed Digital I/O (HSDIO) Testing in the VeriStand System Explorer, with its Configuration, Trigger, Stimulus Preview and Timing Measurement pages; the About dialog names the Safety-Critical Systems Research Lab, Zurich University of Applied Sciences, Switzerland.)

# FBIS Verification & Validation Test System



### **Software Defined Test System**

# FPGA Personality for Optical Protection Line (OPL)

- Generation of square-wave signal up to 10 MHz
- Reading of square-wave signal
- OPL break detection
- Digital out signal for OK/NOK
- Work in progress

#### Channels

- Control Channels
- Status Channels



## Agenda










### Model Based Testing (MBT)

- Black-box approach in which common testing tasks such as test case generation (TCG) and test result evaluation are based on a model of the system (application) under test (SUT).
- Model-based testing is the automatic generation of efficient test cases/procedures using models of system requirements and specified functionality.

IEC 61508-7 C.5.27 Model based testing (test case generation)

Aim: To facilitate efficient automatic test case generation from system models and to generate highly repeatable test suites.

# FBIS Verification & Validation Model Based Testing


## Model Based Testing (MBT)

### **Necessary Building Blocks for MBT**

- Functional blocks are the building blocks to build a system model
- Functional blocks need to be verified
- A bottom-up approach is used, i.e. a number of verified functional blocks are integrated into a system model
- The verified system model is used as a test oracle for comparison with the realized hardware




## System Model

Use a bottom-up approach to create a system model:

1. Create a verified functional block
2. Integrate the verified functional block into the system model
3. Check with SDV whether the system model is verifiable
4. Generate test cases and test harness
5. Run simulation
6. Review test coverage report
7. Repeat steps 1-6 as necessary








### **Verified Functional Block**

For a verified functional block do:

1. Get requirements subset
2. Create functional block in Simulink
3. Add verification block
4. Create verification script in MATLAB
5. Add test objectives for Simulink Design Verifier
6. Generate test cases and test harness
7. Run simulation
8. Review test coverage report

(Diagram: Requirements → Functional Block → Verification Block / Verification Script → Test Harness / Test Cases → Test Report / Test Coverage)








### Requirements

- The System Requirements Specification (SRS) defines the desired behavior using textual and tabular functional requirements.
- A subset of related requirements is selected from the SRS and from detailed requirement specifications which allows the tester to build a functional block.

#### 2.1.1 DISABLE

The disable output allows a USER\_PERMIT to be ignored when the relevant USER\_ENABLE is TRUE. This allows any channel that is not being used to be deactivated.



Figure 5 : DISABLE Functional Block

The required functionality corresponds to the following truth table:

| USER_PERMIT | USER_PERMIT_FAULT | USER_ENABLE | OUTPUT |
|-------------|-------------------|-------------|--------|
| TRUE        | TRUE              | TRUE        | FALSE  |
| FALSE       | TRUE              | TRUE        | FALSE  |
| TRUE        | FALSE             | TRUE        | TRUE   |
| FALSE       | FALSE             | TRUE        | FALSE  |
| x           | x                 | FALSE       | TRUE   |

Table 4 : Truth Table of DISABLE Behaviour

Essentially this means that the OUTPUT of the DISABLE block is forced TRUE when the relevant USER\_ENABLE is FALSE. If the USER\_ENABLE is TRUE, the OUTPUT is only TRUE when USER\_PERMIT is TRUE and USER\_PERMIT\_FAULT is FALSE.






### **Functional Block**

- A functional block is created in Simulink for the set of related functional requirements.
- The functional block provides an executable specification for these requirements.
- Simulation of the functional block allows the tester to verify intended behavior versus specified behavior to reveal specification errors.




**DISABLE UUT.slx: Verification Subsystem**

(Simulink diagram: the input ports, among them USER_PERMIT_FAULT_IN and USER_ENABLE_IN, feed both the DISABLE block under test and the CheckDisable MATLAB Function; a Relational Operator compares the two outputs and drives an Assertion block, which stops the simulation with an error message when the results are not identical.)

Zürcher Fachhochschule; © Sven Stefan Krauss




y = x;

be verified in that way.






- Simulink Design Verifier (SDV) uses formal model checking techniques to find test cases.
- See the formal methods presentation for details.








(Diagram: Test Objectives → Test Harness / Test Cases → Simulation Run → Test Coverage)

## Test Coverage

- SDV will report test coverage metrics for the generated test cases after the simulation run.
- When the test coverage does not meet the required criteria, the test cases need to be adjusted.





| Metric                | Coverage                     |
|-----------------------|------------------------------|
| Cyclomatic Complexity | 3                            |
| Condition (C1)        | 50% (2/4) condition outcomes |
| Decision (D1)         | 25% (1/4) decision outcomes  |

#### Decisions analyzed

| integer index value                               | 25% |
|---------------------------------------------------|-----|
| calculated to 0 based on inputs FF (output row 1) | 0/1 |
| calculated to 1 based on inputs FT (output row 2) | 0/1 |
| calculated to 2 based on inputs TF (output row 3) | 0/1 |
| calculated to 3 based on inputs TT (output row 4) | 1/1 |

#### Conditions analyzed

| Description | True | False |
|-------------|------|-------|
| input(1)    | 1    | 0     |
| input(2)    | 1    | 0     |


## Agenda










#### **CERN BIS Case Study**

- Demonstrate approach on CERN BIS
- Case study is based mainly on Engineering Specification Standard CIBM Matrix Specification [3]
- All CERN BIS related images are taken from [1-3]

#### References

1. Todd, B., Dinius, A., Nouchi, P., Puccio, B., & Schmidt, R. (2005, October). The architecture, design and realisation of the LHC beam interlock system. In Proceedings of the 10th ICALEPCS International Conference on Accelerator & Large Experimental Physics Control Systems, Geneva, Switzerland.
2. Puccio, B. et al. (2005). Engineering Specification THE BEAM INTERLOCK SYSTEM FOR THE LHC, LHC-CIB-ES-0001-00-10.
3. Todd, B. et al. (2007). Engineering Specification BEAM INTERLOCK SYSTEM STANDARD CIBM MATRIX SPECIFICATION, AB-CO-MI 11-2007.

#### 8. OPERATION OF THE BEAM INTERLOCK SYSTEM

#### 8.1 EXPLOITATION MODES OF THE BEAM INTERLOCK SYSTEM

The modes of the LHC Beam Interlock System (see fig.6) for each of the two LHC beams are:

- OPERATION
  - BEAM PERMIT
  - NO BEAM PERMIT
- TEST

#### 8.1.1 BEAM PERMIT

If BEAM\_PERMIT = TRUE for one of the LHC beams, extraction of this beam from the SPS and subsequent transfer and injection into the LHC is permitted, provided that SPS extraction interlocks and transfer line interlocks give permission. When the beam permit disappears (transition from TRUE to FALSE), this beam is dumped by the Beam Dumping System.

#### 8.1.2 NO BEAM PERMIT

If BEAM\_PERMIT = FALSE for one of the LHC beams, injection of this beam is inhibited. In this mode there should never be circulating beam in the LHC, since the transition from TRUE to FALSE should always dump the beam before. Since it takes some time to transmit the signals to the SPS extraction and LHC injection, there is a dead time of about 100 µs: when the beam dump fires, injection will be disabled only after such dead time.

#### 8.1.3 TEST MODE STAND ALONE

There is a test mode for each of the beams. In this mode it shall not be possible to give general beam permit. It is possible to close only one of the two BEAM PERMIT LOOPS for each beam in test mode:

- The Beam Interlock User Interface sets the USER\_PERMIT = TRUE for one of the two
  redundant branches. This is done for all users, and for each Beam Interlock
  Controller.
- This will enable the 10 MHz signal circulating in one BEAM PERMIT LOOP.
- In this mode the second loop will be forced to remain open. It must never be
  possible to close both loops in test mode at the same time.

Extract of the BIS specification [2]







#### Principle functionality of CERN's Beam Interlock System (BIS) [2]








Matrices Logic Diagram with involved MMU registers [2]











Logical Block Diagram [3]




**DISABLE Logic Specification [3]** 

#### 2.1.1 DISABLE

The disable output allows a USER\_PERMIT to be ignored when the relevant USER\_ENABLE is TRUE. This allows any channel that is not being used to be deactivated.



Figure 5 : DISABLE Functional Block

The required functionality corresponds to the following truth table:

| USER_PERMIT | USER_PERMIT_FAULT | USER_ENABLE | OUTPUT |
|-------------|-------------------|-------------|--------|
| TRUE        | TRUE              | TRUE        | FALSE  |
| FALSE       | TRUE              | TRUE        | FALSE  |
| TRUE        | FALSE             | TRUE        | TRUE   |
| FALSE       | FALSE             | TRUE        | FALSE  |
| x           | x                 | FALSE       | TRUE   |

Table 4 : Truth Table of DISABLE Behaviour

Essentially this means that the OUTPUT of the DISABLE block is forced TRUE when the relevant USER\_ENABLE is FALSE. If the USER\_ENABLE is TRUE, the OUTPUT is only TRUE when USER\_PERMIT is TRUE and USER\_PERMIT\_FAULT is FALSE.

Specification of the DISABLE functional block [3]

#### **DISABLE Simulink Block**






#### **DISABLE Verification Subsystem**



Verification script in MATLAB:

```
function y = CheckDisable(user_permit, user_permit_fault, user_enable)
    % Row-by-row encoding of Table 4; y is compared with the DISABLE block output
    if (user_permit == true) && (user_permit_fault == true) && (user_enable == true)
        x = false;
    elseif (user_permit == false) && (user_permit_fault == true) && (user_enable == true)
        x = false;
    elseif (user_permit == true) && (user_permit_fault == false) && (user_enable == true)
        x = true;
    elseif (user_permit == false) && (user_permit_fault == false) && (user_enable == true)
        x = false;
    elseif (user_enable == false)
        x = true;      % channel not enabled: OUTPUT forced TRUE for any x
    else
        x = false;
    end
    y = x;
end
```

#### **DISABLE SDV Generated Test Cases**



Child Systems: DISABLE

| Metric                | Coverage (this object) | Coverage (inc. descendants)   |
|-----------------------|------------------------|-------------------------------|
| Cyclomatic Complexity | 1                      | 6                             |
| Condition (C1)        | NA                     | 100% (4/4) condition outcomes |
| Decision (D1)         | NA                     | 100% (6/6) decision outcomes  |
| Test Objective        | NA                     | 100% (2/2) objective outcomes |

Simulation without errors.


#### 2.1.2 MASK

A sub-set of the USER\_PERMIT signals can be ignored if the SAFE\_BEAM\_FLAG\_FP is TRUE and the operator chooses to do so by setting the relevant bit in the USER\_MASK register.



Figure 6 : MASK Functional Block

Thus the output of the block follows the input according to the following truth-table:

| USER_PERMIT | MASK  | SAFE_BEAM_FLAG | OUTPUT |
|-------------|-------|----------------|--------|
| x           | TRUE  | TRUE           | TRUE   |
| TRUE        | TRUE  | FALSE          | TRUE   |
| FALSE       | TRUE  | FALSE          | FALSE  |
| TRUE        | FALSE | TRUE           | TRUE   |
| FALSE       | FALSE | TRUE           | FALSE  |
| TRUE        | FALSE | FALSE          | TRUE   |
| FALSE       | FALSE | FALSE          | FALSE  |

Table 5 : Truth Table of MASK Behaviour

Thus the OUTPUT of the MASK is TRUE when the relevant USER\_MASK is TRUE and the SAFE\_BEAM\_FLAG\_FP is TRUE, otherwise the OUTPUT of MASK is the same as the INPUT.

The MASK signals are only applied to half of the inputs: USER\_PERMIT 1 through 7 cannot be masked; 8 through 14 map to the USER\_MASK vector as follows:

| USER_PERMIT<br>index | USER_MASK<br>index |
|----------------------|--------------------|
| 8                    | 1                  |
| 9                    | 2                  |
| 10                   | 3                  |
| 11                   | 4                  |
| 12                   | 5                  |
| 13                   | 6                  |
| 14                   | 7                  |

(Simulink diagram: MASK block with inputs USER_MASK, SAFE_BEAM_FLAG and MASK and its OUTPUT)



#### 2.1.3 FILTER

This block is very simple, having a single input and output

INPUT\_n -> FILTER -> OUTPUT\_n

Figure 7 : FILTER Functional Block

The OUTPUT is a filtered version of the INPUT, with glitches removed from the input signal. A glitch is considered by the following definition:

This is shown in the following diagram



Figure 8 : Definition of a Glitch

When the glitch filter's input is TRUE, any change to FALSE followed by a return to TRUE with a FALSE duration lasting less than 1.6 microseconds is to be considered as a glitch.

The glitch filter is to be applied to every USER\_PERMIT signal, after the DISABLE and MASK functions have been applied.




#### 2.1.4 MATRIX

MATRIX takes the USER\_PERMIT signals that have been passed through the DISABLE, MASK and FILTER blocks as inputs and derives LOCAL\_BEAM\_PERMIT, which is only TRUE when all USER\_PERMITS are TRUE.



Figure 9 : MATRIX Functional Block

The ARM output is TRUE when the MATRIX has been initialised using LATCH\_INIT and has received a LATCH\_REARM signal.

LOCAL\_BEAM\_PERMIT is only TRUE when SOFTWARE\_PERMIT and all of the connected INPUTS are TRUE, and when the MATRIX is correctly ARMED.

When the MATRIX is first powered, LOCAL\_BEAM\_PERMIT must be set FALSE; a transition to TRUE cannot take place until LATCH\_INIT has been set TRUE.

When LATCH\_ENABLE is TRUE every LOCAL\_BEAM\_PERMIT transition from TRUE to FALSE will result in the LOCAL\_BEAM\_PERMIT being held FALSE. A return to TRUE will only be permitted after a LATCH\_REARM command has been received.

(Simplified model: INPUT\_1 to INPUT\_14 and SOFTWARE\_PERMIT are combined by an AND into the MATRIX OUTPUT; logical diagram)
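The DISABLE truth table (Table 4), the MASK table (Table 5), the 1.6 µs glitch definition and the MATRIX latching rules above, modelled as one executable reference chain in Python. This is an added example and not CERN's specification model or the ZHAW Simulink blocks; the 0.2 µs sampling step, the sampled form of the glitch filter, the channel layout and the scenario values are constructed assumptions. It also plays the role the verified system model takes in the MBT procedure earlier in the deck: the enumerated DISABLE check uses the truth table as oracle, and the scenario yields the expected LOCAL_BEAM_PERMIT per phase for comparison with hardware.

```python
# Reference model of the BIS user-permit chain DISABLE -> MASK -> FILTER -> MATRIX,
# written from the truth tables and text quoted above. Added example, not CERN's
# or ZHAW's code; sampling step, channel layout and scenario are constructed.
from itertools import product

GLITCH_LIMIT_S = 1.6e-6   # 2.1.3: a FALSE shorter than 1.6 us is a glitch
N_INPUTS = 14             # USER_PERMIT 1..14; 8..14 map to USER_MASK 1..7

def disable(user_permit, user_permit_fault, user_enable):
    """Table 4: forced TRUE when not enabled, else PERMIT and no PERMIT_FAULT."""
    if not user_enable:
        return True
    return user_permit and not user_permit_fault

def mask(user_permit, user_mask, safe_beam_flag):
    """Table 5: TRUE when MASK and SAFE_BEAM_FLAG are TRUE, else follows input."""
    return True if (user_mask and safe_beam_flag) else user_permit

class GlitchFilter:
    """2.1.3 as a sampled model: the output falls only after the input has been
    FALSE for GLITCH_LIMIT_S; a shorter FALSE is a glitch and is ignored."""
    def __init__(self):
        self.output, self.false_for = True, 0.0
    def step(self, value, dt):
        if value:
            self.output, self.false_for = True, 0.0
        else:
            self.false_for += dt
            if self.false_for >= GLITCH_LIMIT_S:
                self.output = False
        return self.output

class Matrix:
    """2.1.4: LOCAL_BEAM_PERMIT is FALSE at power-up and TRUE only when armed
    (LATCH_INIT, then LATCH_REARM), SOFTWARE_PERMIT and all inputs are TRUE;
    with LATCH_ENABLE a TRUE->FALSE transition is held until LATCH_REARM."""
    def __init__(self, latch_enable=True):
        self.latch_enable, self.initialised = latch_enable, False
        self.armed, self.latched, self.permit = False, False, False

    def latch_init(self):
        self.initialised = True

    def latch_rearm(self):
        if self.initialised:            # ARM output needs LATCH_INIT first
            self.armed, self.latched = True, False

    def step(self, inputs, software_permit):
        new = self.armed and software_permit and all(inputs) and not self.latched
        if self.latch_enable and self.permit and not new:
            self.latched = True         # held FALSE until LATCH_REARM
        self.permit = new
        return self.permit

def user_permit_chain(permits, faults, enables, user_mask, safe_beam_flag, filters, dt):
    """One sample of all channels through DISABLE, MASK (8..14 only) and FILTER."""
    out = []
    for i in range(N_INPUTS):
        v = disable(permits[i], faults[i], enables[i])
        if i >= 7:                      # USER_PERMIT 8 -> USER_MASK 1, ...
            v = mask(v, user_mask[i - 7], safe_beam_flag)
        out.append(filters[i].step(v, dt))
    return out

def disable_truth_table_check():
    """Enumerated test cases with Table 4 as oracle: (cases, mismatching inputs)."""
    table = {(True, True, True): False, (False, True, True): False,
             (True, False, True): True, (False, False, True): False}
    cases = list(product((False, True), repeat=3))
    bad = [c for c in cases if disable(*c) != table.get(c, True)]  # x,x,FALSE -> TRUE
    return len(cases), bad

def beam_permit_scenario():
    """Constructed scenario sampled at 0.2 us; returns LOCAL_BEAM_PERMIT per phase."""
    dt = 0.2e-6
    filters = [GlitchFilter() for _ in range(N_INPUTS)]
    m = Matrix(latch_enable=True)
    faults, enables = [False] * N_INPUTS, [True] * N_INPUTS
    user_mask = [False] * 7
    user_mask[1] = True                 # USER_MASK 2 masks USER_PERMIT 9
    def run(n_steps, drop=None):        # drop: 0-based channel held FALSE
        last = None
        for _ in range(n_steps):
            permits = [i != drop for i in range(N_INPUTS)]
            chain = user_permit_chain(permits, faults, enables, user_mask, True, filters, dt)
            last = m.step(chain, software_permit=True)
        return last

    trace = {"power_up": run(5)}                 # not initialised: FALSE
    m.latch_init()
    m.latch_rearm()
    trace["armed"] = run(5)                      # all permits TRUE: TRUE
    trace["glitch_on_3"] = run(5, drop=2)        # 1.0 us FALSE < 1.6 us: still TRUE
    trace["masked_drop_on_9"] = run(15, drop=8)  # 3.0 us FALSE but masked: TRUE
    trace["real_drop_on_3"] = run(15, drop=2)    # 3.0 us unmasked: FALSE (dump)
    trace["recovered_but_latched"] = run(5)      # input back TRUE, held FALSE
    m.latch_rearm()
    trace["rearmed"] = run(5)                    # TRUE again
    return trace
```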


#### Hardware in the Loop Concept



Idea: Compare BIS Beam Permit Status with simulated Beam Permit Status


#### Hardware




#### Simulink Model with VeriStand Adapter



The VeriStand adapter will reflect the hardware setup. This helps to identify untestable logic for this hardware configuration.




### Simulink Model VeriStand Channel Interfaces



The input and output ports will be available in VeriStand's System Explorer. Use the Stimulus Profile Editor for hand written test cases.




### Simulink Model with Test Conditions and Test Objectives



Test conditions are used to limit the test cases to tests which can be performed with the connected hardware without manual input or input via the serial interface. Simulink Design Verifier is used to generate the test cases.


# CERN BIS Case Study

#### **SDV Generated Test Cases**






### Simulink Test Coverage Report

#### Summary (Test 1)

| Model Hierarchy   | Complexity | D1  | C1  | MCDC | Test Condition | Test Objective |
|-------------------|------------|-----|-----|------|----------------|----------------|
| 1. BIS_HW         | 162        | 30% | 39% | 14%  | 100%           | 100%           |
| 2. BIS_LOGIC      | 159        | 30% | 39% | 14%  | NA             | NA             |
| 3. DISABLE_BLOCK  | 121        | 26% | 21% | NA   | NA             | NA             |
| 4. DISABLE.1      | 5          | 50% | 75% | NA   | NA             | NA             |
| 5. DISABLE.10     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 6. DISABLE.11     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 7. DISABLE.12     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 8. DISABLE.13     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 9. DISABLE.14     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 10. DISABLE.2     | 5          | 50% | 75% | NA   | NA             | NA             |
| 11. DISABLE.3     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 12. DISABLE.4     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 13. DISABLE.5     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 14. DISABLE.6     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 15. DISABLE.7     | 5          | 17% | 0%  | NA   | NA             | NA             |
| 16. DISABLE.8     | 5          | 50% | 75% | NA   | NA             | NA             |
| 17. DISABLE.9     | 5          | 50% | 75% | NA   | NA             | NA             |
| 18. MASK.1        | 2          | 50% | 50% | 0%   | NA             | NA             |
| 19.               | 2          | 50% | 50% | 0%   | NA             | NA             |
| 20. MASK.3        | 2          | 50% | 50% | 0%   | NA             | NA             |
| 21. MASK.4        | 2          | 50% | 50% | 0%   | NA             | NA             |
| 22. MASK.5        | 2          | 50% | 50% | 0%   | NA             | NA             |
| 23. MASK.6        | 2          | 50% | 50% | 0%   | NA             | NA             |
| 24. MASK.7        | 2          | 50% | 50% | 0%   | NA             | NA             |
| 25. MATRIX        | 1          | NA  | 63% | 27%  | NA             | NA             |


# CERN BIS Case Study



### Simulink Test Coverage Report

#### MC/DC analysis (combinations in parentheses did not occur)

| Decision/Condition | True Out | False Out |
|--------------------|----------|-----------|
| Decision: expression for output | | |
| input port 1 | TTTTTTTTTTTTTTT | FTTTTTTTTTTTTTT |
| input port 2 | TTTTTTTTTTTTTTT | TFTTTTTTTTTTTTT |
| input port 3 | TTTTTTTTTTTTTTT | (TTFTTTTTTTTTTTT) |
| input port 4 | TTTTTTTTTTTTTTT | (TTTFTTTTTTTTTTT) |
| input port 5 | TTTTTTTTTTTTTTT | (TTTTFTTTTTTTTTT) |
| input port 6 | TTTTTTTTTTTTTTT | (TTTTTFTTTTTTTTT) |
| input port 7 | TTTTTTTTTTTTTTT | (TTTTTTFTTTTTTTT) |
| input port 8 | TTTTTTTTTTTTTTT | TTTTTTTFTTTTTTT |
| input port 9 | TTTTTTTTTTTTTTT | TTTTTTTTFTTTTTT |
| input port 10 | TTTTTTTTTTTTTTT | (TTTTTTTTTFTTTTT) |
| input port 11 | TTTTTTTTTTTTTTT | (TTTTTTTTTTFTTTT) |
| input port 12 | TTTTTTTTTTTTTTT | (TTTTTTTTTTTFTTT) |
| input port 13 | TTTTTTTTTTTTTTT | (TTTTTTTTTTTTFTT) |
| input port 14 | TTTTTTTTTTTTTTT | (TTTTTTTTTTTTTFT) |
| input port 15 | TTTTTTTTTTTTTTT | (TTTTTTTTTTTTTTF) |
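The following script is an added example, not part of the original slides. It assumes the MATRIX output is a plain AND of its 15 input permits, takes the combinations listed without parentheses in the MC/DC table as the observed test vectors, and computes the condition coverage (C1, 63%) and MC/DC (27%) that the summary table reports for the MATRIX block.

```python
"""Condition and MC/DC coverage of a 15-input AND decision (added example).

Assumption: the MATRIX block output is the AND of 15 input permits.
Observed vectors are constructed from the MC/DC table: True Out occurred,
and False Out occurred only for input ports 1, 2, 8 and 9.
"""

N_INPUTS = 15


def matrix_and(inputs):
    """Decision under test: output permit only if every input permit is true."""
    return all(inputs)


def all_true():
    """Combination with every input port true (the True Out case)."""
    return (True,) * N_INPUTS


def one_false(port):
    """Combination with only input port `port` (1-based) false."""
    return tuple(i != port for i in range(1, N_INPUTS + 1))


# Constructed observed test vectors (see module docstring).
OBSERVED = [all_true()] + [one_false(p) for p in (1, 2, 8, 9)]


def condition_coverage(vectors, n=N_INPUTS):
    """C1: fraction of (condition, value) outcomes exercised, two per condition."""
    hit = {(idx, val) for v in vectors for idx, val in enumerate(v)}
    return len(hit) / (2 * n)


def mcdc_coverage(vectors, decision=matrix_and, n=N_INPUTS):
    """Return (covered 1-based ports, fraction) for unique-cause MC/DC.

    A condition is covered when two observed vectors differ only in that
    condition and produce different decision outcomes.
    """
    observed = set(vectors)
    covered = []
    for idx in range(n):
        for v in observed:
            flipped = v[:idx] + (not v[idx],) + v[idx + 1:]
            if flipped in observed and decision(v) != decision(flipped):
                covered.append(idx + 1)
                break
    return covered, len(covered) / n


if __name__ == "__main__":
    ports, frac = mcdc_coverage(OBSERVED)
    print(f"C1 condition coverage: {condition_coverage(OBSERVED):.0%}")  # 63%
    print(f"MC/DC: ports {ports} covered -> {frac:.0%}")  # 27%
```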




### **Testing of Logical Behavior**

### **Results**

CERN BIS logical behavior is **identical** (✓) to simulated behavior, when

1. Matrices have been initialized
2. Matrices have been rearmed
3. Software Permit has been set using nodal script via serial interface

[Screenshot of the NI VeriStand screen (BSS.nivsscr) with panels FLAGS, SW PERMIT, USER PERMITS 1, 2, 8, 9 (A/B), ENABLE SIM, MASK SIM, OUT (HW LBP A/B, SIM LBP A/B) and DEBUG; all test objectives shown as 100%]

### **Timing Measurement**

### **Measurement Configuration**

- Sample Clock 50 MHz
- Resolution 20 ns
- Trigger $OK \rightarrow NOK$

### **Results**

- 4.34 µs for LBP A
- 5.02 µs for LBP B





[Screenshot of the timing measurement panel: Command, Test Set, Digital Output U32, State, Busy, Stimulus(t), Response(t), 600 received samples; cursors t8 = 4.34 µs and t9 = 5.02 µs after the trigger]
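As an added example (not code from the slides), the script below extracts the LBP reaction times from a sampled digital word captured with the configuration above: a 50 MHz sample clock gives 20 ns per sample, and the delay is the sample distance between the stimulus OK→NOK edge and each output's NOK edge. The bit positions and the 600-sample capture are constructed assumptions.

```python
"""Reaction time of LBP A/B after an OK -> NOK trigger (added example).

Assumptions: the capture is a list of digital words, one per 20 ns sample,
a permit reads 1 for OK and 0 for NOK, and the bit positions below are made up.
"""

SAMPLE_CLOCK_HZ = 50_000_000
RESOLUTION_S = 1 / SAMPLE_CLOCK_HZ  # 20 ns per sample

BIT_STIMULUS = 0  # assumed: the permit driven OK -> NOK as trigger
BIT_LBP_A = 1     # assumed bit of LBP A output
BIT_LBP_B = 2     # assumed bit of LBP B output


def first_falling_edge(samples, bit, start=0):
    """Index of the first sample at or after `start` where `bit` reads 0 (NOK)."""
    mask = 1 << bit
    for i in range(start, len(samples)):
        if not samples[i] & mask:
            return i
    return None


def reaction_times(samples):
    """Seconds from the stimulus NOK edge to each LBP output's NOK edge.

    An output that never goes NOK within the capture maps to None, so a
    missing reaction is reported rather than silently measured as zero.
    """
    t0 = first_falling_edge(samples, BIT_STIMULUS)
    if t0 is None:
        raise ValueError("stimulus never went NOK within the capture")
    times = {}
    for name, bit in (("LBP A", BIT_LBP_A), ("LBP B", BIT_LBP_B)):
        ti = first_falling_edge(samples, bit, t0)
        times[name] = None if ti is None else (ti - t0) * RESOLUTION_S
    return times


def constructed_capture(n_samples=600, t_trigger=100, delay_a=217, delay_b=251):
    """Constructed 600-sample capture: stimulus drops at `t_trigger`, LBP A follows
    217 samples (4.34 us) later and LBP B 251 samples (5.02 us) later."""
    words = []
    for i in range(n_samples):
        stim = int(i < t_trigger)
        a = int(i < t_trigger + delay_a)
        b = int(i < t_trigger + delay_b)
        words.append(stim << BIT_STIMULUS | a << BIT_LBP_A | b << BIT_LBP_B)
    return words


if __name__ == "__main__":
    for name, t in reaction_times(constructed_capture()).items():
        print(f"{name}: {t * 1e6:.2f} us")  # 4.34 us and 5.02 us
```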








### Testing

- Only a few hardware ports are connected → low coverage
- Test automation must take the serial interface commands into account → design for testability in the new FBIS implementation
- The current Simulink model implementation is limited to testing the functional behavior of a reactive system
- A concept is required to include timing constraints in the Simulink model

### Experiences

- Simulink Design Verifier can be used to generate test cases; best practice is a bottom-up approach
- Test cases are combined with verification scripts to verify Simulink functional blocks against the specification
- Model integration in NI VeriStand is straightforward, but needs to reflect the real hardware connections






#### Contact:



Sven Stefan Krauss svenstefan.krauss@zhaw.ch



Martin Rejzek martin.rejzek@zhaw.ch



Christian Hilbes christian.hilbes@zhaw.ch

http://www.iamp.zhaw.ch/sks