Planning and Optimizing a Test Campaign
=======================================
J S Jenkins
-----------

# Overview

# Terminology

|Term|Concept and Interpretation|
|-------|--------------|
| quantity | A measurable property of an object. Example: cylinder head temperature. |
| constraint | A relational expression involving at least one quantity. Example: cylinder head temperature less than 100 &deg;C. |
| scenario | A named conjunction of constraints. state of the world. Examples: idling (speed 0 m/s), level driving at highway speed (speed 28 m/s, roadway pitch 0&deg;), moderate weather conditions (ambient temperature 20 &deg;C). (For the purposes of this example, we do not require the specific constraints.) |
| situation | A conjunction of scenarios used to specify conditions of applicability of a requirement. Examples: idling under moderate weather conditions, level driving at highway speed under moderate weather conditions.
|requirement| A constraint on a quantity that applies during a disjunction of situations. Examples: While idling under moderate weather conditions or level driving at highway speed under moderate weather condititions, the cylinder head temperature shall not exceed 100 &deg;C.
|configuration| A conjunction of scenarios that stand as proxies for real-world scenarios for the purposes of testing and verification. See Situations to Configurations below.

# Workflow Example

## Sample Requirement Set

Following the terminology above, we generate a set of named quantities, a set of named scenarios, and a set of named requirements. Each requirement applies during a disjunction of unnamed situations. These situations are conjunctions of scenarios and can be represented by the sets of scenarios to be conjoined. Because a scenario is itself a conjunction of constraints, a situation expresses a set of constraints in _disjunctive normal form_.

Because constraints necessarily limit the state space, an empty situation denotes _always and everywhere_. A requirement such as "The vehicle dry mass shall not exceed 1500 kg." is interpreted to apply during an empty situation.

Each generated requirement is randomly a disjunction of one or two situations, each of which is randomly assigned a conjunction of zero to five scenarios.

Finally, each requirement is randomly assigned a quantity to constrain. For the purposes of this experiment, the particular constraint is irrelevant.

In [1]:
import json

quantities_file = "build/quantities.json"
scenarios_file = "build/scenarios.json"
requirements_file = "build/requirements.json"

quantities = json.load(fp = open(quantities_file))
scenarios = json.load(fp = open(scenarios_file))["scenarios"]
requirements = json.load(fp = open(requirements_file))["requirements"]

print(f"{len(quantities)} quantities")
print(f"{len(scenarios)} scenarios")
print(f"{len(requirements)} requirements")


50 quantities
20 scenarios
200 requirements


## Grouping by Situation

If two or more requirements apply in the same situation, it may be more efficient (and/or less error-prone) to verify them in a single activity with that situation in effect. Accordingly, the first step in the workflow is to group requirements by situation. Having done so, we obtain a map from each unique situation to the requirements that explictly apply during that situation and the quantities constrained by those requirements.

While it is impractical to conduct "blind" testing in a rigorous sense (the constraints imposed by requirements are known to testers), there is an argument that the requirements verification process should be separated into a data collection step that merely collects observations of constrained quantities regardless of the actual constraints, and a subsequent step (perhaps performed by others) that verifies conformance of those observations with the relevant constraints. In the following, we focus on the data collection activities. The verification step is a straightforward computation.

In principle, we could proceed directly to testing at this point. In practice, however, other considerations apply. These will be addressed below.

In [2]:
tests_file = "build/tests.json"
tests = json.load(open(tests_file))
print(f"{len(tests)} distinct situations")

190 distinct situations


## Situations to Configurations

Some real-world scenarios may be impractical, if not impossible, to replicate in a test venue. A spacecraft requirement that applies "during interplanetary cruise", for example, would not generally be verified by placing the spacecraft on an interplanetary cruise trajectory. Instead, we would assert a set of scenarios that may involve use of test facilities (e.g., in the thermal vacuum chamber), fixtures (e.g., attached to ground support equipment), environmental simulations (e.g., a heat lamp intensity value) that stand as proxies for the real world for the purpose of testing.

As mentioned above, a requirement that applies "always and everywhere" is denoted with an empty situation. For example, a vehicle dry mass requirement may apply in principle to its entire lifetime. For practical reasons, however, we would expect to verify it _once_ under a particular scenario (on a scale). So while the requirement's situation is empty, its configuration is not.

In the general case, the verification planning for each requirement will entail enumerating the sets of scenarios under which it is to be tested and explaining how these proxy scenario sets adequately represent the real world situations. In keeping with existing verification and validation practices, we call these testing scenario sets _configurations_.

The mapping of situations to configurations is antecedent to (and peripheral to) the analysis that follows, so we do not address it further. For the purpose of this demonstration, we simply take the original situations as the test configurations. In practice, the set of configurations may be larger than, smaller than, or the same size as the set of situations.

In [3]:
print(f"{len(tests)} distinct configurations")

190 distinct configurations


## Costs

We assume a simple model for the cost of conducting a test campaign, which we take to be a traversal through the set of configurations, and in each configuration, observing all quantities constrained by any requirement that applies in that configuration. We further assume that the campaign begins and ends in an empty configuration.

We partition this cost into _reconfiguration cost_ and _observation cost_.

### Configuration Setup/Teardown Cost

Assume that each scenario has an associated pair of setup and teardown costs. For technical reasons to be explained below we assume that setup and teardown costs for any scenario are equal. (As each setup is paired with a teardown, this limitation is inconsequential.)

We define a _reconfiguration cost_ between any two configurations _C_<sub>1</sub> and _C_<sub>2</sub> as the sum of the teardown costs for all scenarios in _C_<sub>1</sub> but not in _C_<sub>2</sub>, plus the sum of the setup costs for all scenarios in _C_<sub>2</sub> but not in _C_<sub>1</sub>.

The reconfiguration cost of the campaign is the sum of reconfiguration costs for every adjacent pair of configurations in the campaign. Obviously, this value depends both on the specific configurations in effect and the order of the campaign.

For the purpose of the demonstration we randomly assign each scenario a setup/teardown cost between 1 and 20.

### Observation Cost

We assume each quantity has an associated cost of observation, assuming that any necessary configuration for that observation are in effect. The observation cost of a configuration is the sum of the observation costs for all quantities constrained by any requirement that applies in that configuration.

The observation cost of the campaign is the sum of the observation cost of each configuration. It does not depend on the order of the campaign.

For the purpose of the demonstration we randomly assign each quantity an observation cost between 1 and 20.

## Configuration Sufficiency

By definition, if a requirement applies in a particular configuration _C_<sub>1</sub>, then it applies in any configuration _C_<sub>2</sub> for which _C_<sub>1</sub> ⊆ _C_<sub>2</sub>.
For example, if _C_<sub>1</sub> corresponds to the scenario set {_S_<sub>1</sub>, _S_<sub>2</sub>} and _C_<sub>2</sub> corresponds to the scenario set {_S_<sub>1</sub>, _S_<sub>2</sub>, _S_<sub>3</sub>}, then
the state of the world represented by by _C_<sub>2</sub> (_S_<sub>1</sub> ∧ _S_<sub>2</sub> ∧ _S_<sub>3</sub>) implies the state of the world implied by _C_<sub>1</sub> (_S_<sub>1</sub> ∧ _S_<sub>2</sub>), and therefore
any requirement that applies during _C_<sub>1</sub> also applies during _C_<sub>2</sub>.

In [4]:
tests_pruned_file = "build/tests-pruned.json"
tests_pruned = json.load(open(tests_pruned_file))
print(f"{len(tests_pruned)} distinct configurations")

190 distinct configurations


## Campaign Partitioning