The document discusses model-based automatic offline MMI testing at Novo Nordisk, focusing on the testing of embedded devices and user interaction through MMI flows. It highlights the transition from manual to automated verification processes using UML state machine diagrams to improve efficiency and documentation of test coverage. Key outcomes include enhanced software quality, easier regression testing, and improved collaboration among stakeholders.

1. Model-based Automatic Offline MMI Testing @ Novo Nordisk A/S Jacob Illum, CISS Ulrik Hørlyk Hjort, BestPractice Consulting I-DAY @ FM2009, Eindhoven, Nov. 5th

2. Overview CISS and Uppaal Novo Nordisk A/S System Testing of Embedded Devices @ Novo Nordisk. Demo Experiences Conclusion/Future work

3. CISS Focus Areas Applikationer Teknologi Værktøj Modeller Metoder Protokoller Design- og Prog.sprog Operativ system HW platform GPS Open source Home automation Mobile robotter Intelligente sensorer Ad hoc netværk Mobiltlf Audio/Video Konsum elektr Kontrolsystemer Automobile X-by wire Algoritmik SW-udvikling Effektforbrug Pålidelighed Test & Validering Hybride systemer Kommunikationsteori Model Based Development of Embedded Software Intelligent Sensor Networks Embedded & RT Platform LAB Safety Critical Software Systems Embedded System Testing & Verification HW/SW Co-Design, Design Space Exploration Resource Optimal Scheduling Security High Level Programming Languages for ES IT in Automation

4. Timed Automata Synchronization Guard Invariant Reset [Alur & Dill’89] Resource

5. Timed Automata Resource Semantics: ( Idle , x=0 )  ( Idle , x=2.5) d(2.5)  ( InUse , x=0 ) use?  ( InUse , x=5) d(5)  ( Idle , x=5) done!  ( Idle , x=8) d(3)  ( InUse , x=0 ) use? [Alur & Dill’89]

6. Timed Automata Resource Semantics: ( Idle , x=0 )  ( Idle , x=2.5) d(2.5)  ( InUse , x=0 ) use?  ( InUse , x=5) d(5)  ( Idle , x=5) done!  ( Idle , x=8) d(3)  ( InUse , x=0 ) use? [Alur & Dill’89] Synchronization Guard Invariant Reset

7. Timed Automata Resource Semantics: ( Idle , x=0 )  ( Idle , x=2.5) d(2.5)  ( InUse , x=0 ) use?  ( InUse , x=5) d(5)  ( Idle , x=5) done!  ( Idle , x=8) d(3)  ( InUse , x=0 ) use? [Alur & Dill’89] Synchronization Guard Invariant Reset

8. Timed Automata Resource Semantics: ( Idle , x=0 )  ( Idle , x=2.5) d(2.5)  ( InUse , x=0 ) use?  ( InUse , x=5) d(5)  ( Idle , x=5) done!  ( Idle , x=8) d(3)  ( InUse , x=0 ) use? [Alur & Dill’89] Synchronization Guard Invariant Reset

9. Timed Automata Resource Semantics: ( Idle , x=0 )  ( Idle , x=2.5) d(2.5)  ( InUse , x=0 ) use?  ( InUse , x=5) d(5)  ( Idle , x=5) done!  ( Idle , x=8) d(3)  ( InUse , x=0 ) use? [Alur & Dill’89] Synchronization Guard Invariant Reset

10. Composition Resource Task Shared variable Synchronization Semantics: ( Idle , Init , B=0, x=0)  ( Idle , Init , B=0 , x=3.1415 ) d(3.1415)  ( InUse , Using , B=6, x=0 ) use  ( InUse , Using , B=6, x=6 ) d(6)  ( Idle , Done , B=6 , x=6 ) done

11. Composition Resource Task Semantics: ( Idle , Init , B=0, x=0)  ( Idle , Init , B=0 , x=3.1415 ) d(3.1415)  ( InUse , Using , B=6, x=0 ) use  ( InUse , Using , B=6, x=6 ) d(6)  ( Idle , Done , B=6 , x=6 ) done Shared variable Synchronization

12. Composition Resource Task Semantics: ( Idle , Init , B=0, x=0)  ( Idle , Init , B=0 , x=3.1415 ) d(3.1415)  ( InUse , Using , B=6, x=0 ) use  ( InUse , Using , B=6, x=6 ) d(6)  ( Idle , Done , B=6 , x=6 ) done Shared variable Synchronization

13. Composition Resource Task Semantics: ( Idle , Init , B=0, x=0)  ( Idle , Init , B=0 , x=3.1415 ) d(3.1415)  ( InUse , Using , B=6, x=0 ) use  ( InUse , Using , B=6, x=6 ) d(6)  ( Idle , Done , B=6 , x=6 ) done Shared variable Synchronization

14. Advanced Features int [0,1234] ivar = 42; typedef struct { bool sL; } base_t; base_t Base; bool func(base_t & bt) { if (ivar < 31) return bt.sL; else return true ; } Template ( base_t & bt )

15. The Case An embedded device for medical purposes. MMI for user interaction. Strong process requirements from FDA. A B C D E F G H I J K L M N O P Q R

16. Automatic verification of requirements. Use cases and MMI flows. Simple scripting system to simulate user actions and to verify the system response.

18. Works well for use cases but not for MMI flows

19. MMI Flows verification old way: MMI Flow as Visio drawings. Manually written javascript testcases. Difficult to review. Difficult to document coverage Difficult to manage when MMI flow changes.

20. MMI Flow verification new way Generate the javascript testcases automatic from the MMI flow. MMI flows as UML statemachine diagrams

21. Future Work UML Real-time profile Model concurrency Requirements verification Tool integration Rational Systems Developer, Rational Rhapsody, Enterprise Architect Test scripts from verification More use cases

22. Experiences Automatic verification that MMI implementation follow the specification. High documented software quality since the whole MMI flow is verified. Easy to do regression tests when MMI flows are updated. Test coverage is documented by the tool.

23. Experiences Information of deadlocks in the model. Better review and analysis of models and test models. Flows are validated aready at the design phase.

24. Experiences Models are in standard UML and gives a more excact model to work from and to communicate between the team (stackholders, designers, developers, testers etc.)

25. Questions? Thank you for your attention!