[SystemSafety] Modelling and coding guidelines: "Unambiguous Graphical Representation"
dmentre at linux-france.org
Fri Feb 26 17:09:30 CET 2016
Dear Prof. Ladkin,
Le 26/02/2016 12:34, Peter Bernard Ladkin a écrit :
> On 2016-02-26 10:33 , David MENTRE wrote:
>> >Le 26/02/2016 09:43, Peter Bernard Ladkin a écrit :
>>> >>Another reason is the prevelance of MathLab/Simulink in this domain. Simulink is now an executable
>>> >>specification language. Since there is one supplier, it is de facto unambiguous (there is just one
>>> >>simulator, so the single meaning of a Simulink spec is precisely what that simulator does with the
>> >Some people have even formally defined the semantics of Simulink or a subset of it:
> I think what this says is that some people have interpreted in a formal way what they think Simulink
> diagrams should ideally mean. Whether they do mean that or not is another question.
No, at least for some of those works, they have compared their
formalisation to actual execution with Matlab/Simulink.
Presented at Fundamental Approaches to Software Engineering (FASE)
Barcelona, Spain, March 2004. Springer Verlag LNCS 2984, pp. 229–243.
An Operational Semantics for Stateflow
Grégoire Hamon and John Rushby
However, our SOS semantics is directly executable and can easily be used
to define a Stateflow interpretor whose outputs can be compared to those
from the Matlab simulator. We have done this and systematically examined
many examples; for all these examples, the traces obtained by the two
tools were the same.
I agree that such comparisons are more tests of the semantics than a
real proof of adequacy.
> It's laudable, but it's a long way from what "formally defined the semantics of Simulink" would mean
> to practicing engineers. That would further entail that (a) one of those semantics had been
> independently assessed as adequate, (b) MathWorks had accepted it, and (c) MathWorks had
> demonstrated that their simulator (the execution engine for Simulink) conformed to the semantics.
Or on the reverse, one could probably demonstrate through enough testing
that one of above semantics matches a subset of Matlab/Simulink with the
actual tool. Such work would be very close to work done on testing
compilers for aeronautics certification for example. However I'm not
sure anybody would interested in investing enough time and money to do
More information about the systemsafety