首页 > 解决方案 > 汽车 > NISSAN在基于模 NISSAN在基于模型的设计中使用Reactis测试和验证控制器模型

Model Validation with Reactis at NISSAN Group

Experiences Adopting Model-Based Design

For more than a decade Nissan Group. has been developing and deploying a model-based design (MBD) process to ensure quality in the continually growing base of control software deployed in its vehicles. This note describes model validation in this process using the Reactis® testing and validation tool developed by Reactive Systems, Inc.

 

The 2000 model year Sentra CA was the first massproduced Nissan vehicle developed using MBD. This car was also the first in the world to be certified as a P-ZEV (Partial Zero Emission Vehicle) by the California Air Resources Board. As shown in Figure 1 both the size and complexity of engine control software has exploded since 2000. At the same time, development cycles became shorter. In order to ensure the quality of software in such a challenging environment, Nissan group adopted MBD.

 

MBD Validation Process

Verification and Validation plays an important part in the MBD process. Verification is the process of checking that the system correctly implements its specification, whereas validation ensures that the specification correctly captures the intentions of requirements.

In the Nissan process, Reactis supports the latter, namely checking that the executable specification (a Simulink® model) behaves correctly. In a manual process, this activity consists of creating a set of test cases, executing the tests on the model, and confirming that the outputs of the model are as expected. In effect, this aspect of validation requires
us to answer question 1: does the model respond to the enumerated input scenarios as expected? An even more challenging task is to answer question 2: are there any unexpected and undesirable behaviors?

 

Nissan group has leveraged Reactis to help answer these questionsmore efficiently. As shown in Figure 2, the Nissan process mandates the development of a Component Specification Design (a Simulink model) to serve as an executable specification for the Component Detailed Design.

 

Engineers use Reactis to develop a test suite that achieves 100% MC/DC coverage of the Component Specification Design. Since the generated tests contain both the inputs that achieve full coverage and the outputs the Component Specification Design responds with, the generated test suite makes it easy to check if the Component Detailed Design behaves as expected.

 

Specifically the generated tests are executed on the Detailed Design and its outputs are compared against those stored in the tests. Deploying this process both reduced the engineering effort to answer question 1 above and increased confidence that it was answered correctly.

 

Answering question 1 helps determine if the Detailed Design behaves as the Specification Design. The goal of question 2 is to check if the Detailed Design includes any unintended functionality that is not included in the Specification Design. The Nissan process finds unexpected behavior by requiring the examination of the coverage of the Detailed Design achieved when running the tests generated from the Specification design. Uncovered parts of the Detailed Design indicate behaviors not included in the Specification.

 

A side benefit of the process is the detection of runtime errors. Reactis flags runtime errors detected while generating or running tests. These include overflows, divide-by-zeros, and bad indexes to a multiport switch. These can be flagged either when generating the tests from the Specification Design or when running them on the Detailed Design. Interestingly, Nissan group has found that more bugs are uncovered answering question 2 than question 1. One possible reason for this is that question 1 deals with scenarios considered by engineers during the development of the specification and models, whereas question 2 deals with unexpected scenarios. Reactis has proved efficient at shining a light on these unexpected scenarios.

 

Transitioning to Production MBD Validation


After the initial successes of the validation process described above, Nissan group decided to mandate the process for all new powertrain software. The first step in production deployment was to develop a set of rules and checklists to guide the engineers who would perform the validation work.

 

Some internal tools were developed to help implement, monitor, and enforce the validation process. Finally when the rules and supporting tools were in place, end users were trained.Initially there was some resistance to the new process due to the perception that it added additional work above and beyond that of more traditional validation approaches. However, as the new process became better understood, was improved, and ultimately demonstrated improved efficiency, appreciation for the process grew throughout the powertrain engineering team.

 

Why Nissan group Selected Reactis

Nissan group considered a number of different possible tools for automatically generating tests from Simulink models. A number of factors played into the selection of Reactis. First was the level of coverage that could be achieved with Reactis. In contrast to tools employing simple static analysis, the dynamic test generation technique of Reactis often obtains very high levels of coverage fully automatically. Additionally, when part of a model is not exercised by the automatically-generated tests, Reactis offers a simple user interface to manually construct tests to fill the gaps.

 

A second factor contributing to the selection of Reactis was the availability of the Reactis team to address Nissan group concerns and suggestions. The wide-scale application of Reactis to production models did uncover some bugs in Reactis; however, Nissan group appreciated the speed of remedies and regression testing put in place to ensure they did not recur. The two companies also cooperated on enhancements to Reactis that improved the efficiency of the Nissan process.

 

Conclusions


The MBD validation process was first applied to the development of powertrain applications including variable valve event & lift systems and boost pressure control systems for GT-R. More recently the process has been employed in the development of electric vehicles and body electronics.