University of Toronto, Department of Computer Science. © 2004-5 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license.

Slide 1: Lecture 14: Modelling "events"
- Focus on states or events? E.g. SCR table-based models; explicit event semantics
- Comparing notations for state transition models: FSMs vs. Statecharts vs. SCR
- Checking properties of state transition models: consistency checking; model checking, using temporal logic
- When to use formal methods

Slide 2: What are we modelling?
Starting point:
- States of the environment (application domain)
- Events that change the state of the environment
Requirements expressed as:
- Constraints over states and events of the application domain
  E.g. "When the aircraft is in the air, the pilot should be prevented from accidentally engaging the reverse thrust"
  I.e. "In state X, event Y shall be prevented"
To get to a specification:
- For each relevant application domain event, find a corresponding input event
- For each relevant state, ensure there is a way for the machine to detect it
- For each required action, find a corresponding output event
[Figure: Application Domain and Machine Domain; legend: D - domain properties, R - requirements, C - computers, P - programs]
Slide 3: Tabular Specifications: SCR

Four Variable Model (data flows from the environment through the system and back):
  Environment -> Monitored Variables -> input devices -> input data items -> software -> output data items -> output devices -> Controlled Variables -> Environment

An SCR specification is a collection of tables; the slide shows a collage of examples of each kind:
- Dictionaries: monitored/controlled variables, types, constants
- Mode transition tables (the heater mode class, reproduced as the example on slide 5)
- Event tables
- Condition tables
- also: assertions, scenarios, ...

Dictionaries from the collage:

Monitored/controlled variables
  Variable     | Type       | Initial value | Units
  WarningFlag  | boolean    | false         | -
  OtherFlag    | boolean    | true          |
  Fudgelevel   | enumerated | one           | -
  Waterlevel   | real       | 0.0           | m
  temperature  | real       | 0.0           | degrees C
  BlipCounter  | integer    | 0             | miles
  TimeNow      | real       | 100.0         | sec
  AirBrakeAcc  | real       | 0.0           | m/sec

Constants
  Constant             | Type       | Value | Units
  LowTemp              | integer    | 15    | degrees C
  HighTemp             | integer    | 23    | degrees C
  MaxTimeOut           | integer    | 300   | millisec
  ReferenceSafetyLevel | safetytype | low   | -
  TempMargin           | integer    | 5     | degrees C

Types
  Type         | Base type  | Values        | Units
  WarningLevel | enumerated | low, med, high | -
  Temperature  | integer    | -100..100     | degrees C
  Waterlevel   | integer    | 0..100        | meters
  Flag         | enumerated | on, off       | -
Slide 4: SCR basics
Source: Adapted from Heitmeyer et al. 1996.
Modes and mode classes
- A mode class is a finite state machine, with states called system modes
- Transitions in each mode class are triggered by events
- Complex systems are described using several mode classes operating in parallel
- Overall system state: the system is in exactly one mode from each mode class, and each variable has a unique value
Events
- An event occurs when any system entity changes value
- An input event occurs when an input variable changes value
- Single input assumption: only one input event can occur at once
Notation
- We may need to refer to both the old and new value of a variable; 'primes' denote values after the event:
    @T(c) ≡ ¬c ∧ c'      e.g. @T(y=1) ≡ y≠1 ∧ y'=1
    @F(c) ≡ c ∧ ¬c'
- A conditioned event is an event with a predicate:
    @T(c) WHEN d ≡ ¬c ∧ c' ∧ d

Slide 5: Defining Mode Classes
Mode class tables
- Define a (disjoint) set of modes (states) that the software can be in.
- Each mode class has a mode table showing which events cause mode changes
- A mode table defines a partial function from modes and events to modes
Example (Source: Adapted from Heitmeyer et al. 1996):
  Current Mode | Powered on | Too Cold | Temp OK | Too Hot | New Mode
  Off          | @T         | -        | t       | -       | Inactive
  Off          | @T         | t        | -       | -       | Heat
  Off          | @T         | -        | -       | t       | AC
  Inactive     | @F         | -        | -       | -       | Off
  Inactive     | -          | @T       | -       | -       | Heat
  Inactive     | -          | -        | -       | @T      | AC
  Heat         | @F         | -        | -       | -       | Off
  Heat         | -          | -        | @T      | -       | Inactive
  AC           | @F         | -        | -       | -       | Off
  AC           | -          | -        | @T      | -       | Inactive
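As an added example (not code from the lecture or from any SCR tool), the heater mode class of slide 5 encoded as data in Python with the @T/@F semantics of slide 4, plus the determinism check that a mode table must pass to be a function. The variable names, and the mapping of Too Cold / Too Hot to the LowTemp (15) and HighTemp (23) constants of the dictionary on slide 3, are assumptions.

```python
# Added example (not from the lecture): the SCR heater mode class from the
# slides as data, with @T/@F event semantics and a determinism check.
def at_T(c):   # @T(c) ≡ ¬c ∧ c'   (c false before the event, true after)
    return lambda old, new: (not c(old)) and c(new)

def at_F(c):   # @F(c) ≡ c ∧ ¬c'
    return lambda old, new: c(old) and (not c(new))

def when(c):   # a "t" cell: @T(e) WHEN c, with c taken in the pre-event state
    return lambda old, new: c(old)

# Monitored-variable conditions (threshold mapping assumed, not from the slides).
powered = lambda s: s["powered_on"]
too_cold = lambda s: s["temp"] < 15      # LowTemp
too_hot = lambda s: s["temp"] > 23       # HighTemp
temp_ok = lambda s: not too_cold(s) and not too_hot(s)

# Mode transition table: (current mode, guards, new mode); "-" cells omitted.
MODE_TABLE = [
    ("Off", [at_T(powered), when(temp_ok)], "Inactive"),
    ("Off", [at_T(powered), when(too_cold)], "Heat"),
    ("Off", [at_T(powered), when(too_hot)], "AC"),
    ("Inactive", [at_F(powered)], "Off"),
    ("Inactive", [at_T(too_cold)], "Heat"),
    ("Inactive", [at_T(too_hot)], "AC"),
    ("Heat", [at_F(powered)], "Off"),
    ("Heat", [at_T(temp_ok)], "Inactive"),
    ("AC", [at_F(powered)], "Off"),
    ("AC", [at_T(temp_ok)], "Inactive"),
]

def step(mode, old, new):
    """One input event (old -> new variable values) gives the new mode.
    Raises if two rows fire: the table must be a (partial) function."""
    fired = [to for (cur, guards, to) in MODE_TABLE
             if cur == mode and all(g(old, new) for g in guards)]
    if len(fired) > 1:
        raise ValueError(f"mode {mode}: conflicting targets {fired}")
    return fired[0] if fired else mode   # no row fires: mode unchanged

def run(snapshots):
    """Replay a trace of monitored-variable snapshots from mode Off.
    Single-input assumption: each snapshot changes one variable."""
    mode, old, trace = "Off", snapshots[0], ["Off"]
    for new in snapshots[1:]:
        mode = step(mode, old, new)
        trace.append(mode)
        old = new
    return trace
```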
Slide 6: Defining Controlled Variables
Source: Adapted from Heitmeyer et al. 1996.
Event tables
- define how a controlled variable changes in response to input events
- an event table defines a partial function from modes and events to variable values
Example:
  Modes         | Ack_tone = Beep | Clang
  Heat, AC      | @C(target)      | never
  Inactive, Off | never           | @C(target)

Condition tables
- define the value of a controlled variable under every possible condition
- a condition table defines a total function from modes and conditions to variable values
Example:
  Modes         | Warning light = Off | On
  Heat          | target - temp ≤ 5   | target - temp > 5
  AC            | temp - target ≤ 5   | temp - target > 5
  Inactive, Off | true                | never

Slide 7: [Figure: state transition diagram of a telephone; states idle, dialtone, ringtone, busytone, connected; transitions labelled off hook, on hook, Dial[callee busy], Dial[callee]
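An added example (not from the lecture): the Warning-light condition table of slide 6 as data, together with the completeness and disjointness check that makes such a table a total function from modes and conditions to a value. The sample state grid and the deliberately broken variant are constructed here.

```python
# Added example (not from the lecture): the Warning-light condition table
# from slide 6 as data, plus the completeness/disjointness check that
# makes it a total function from (mode, condition) to a value.
import itertools

# Rows: mode -> [(condition, value)], one entry per column of the table.
WARNING_LIGHT = {
    "Heat": [(lambda s: s["target"] - s["temp"] <= 5, "Off"),
             (lambda s: s["target"] - s["temp"] > 5, "On")],
    "AC": [(lambda s: s["temp"] - s["target"] <= 5, "Off"),
           (lambda s: s["temp"] - s["target"] > 5, "On")],
    "Inactive": [(lambda s: True, "Off"), (lambda s: False, "On")],  # "never"
    "Off": [(lambda s: True, "Off"), (lambda s: False, "On")],
}

def value(table, mode, state):
    """Look up the controlled variable; exactly one column must be true."""
    hits = [v for cond, v in table[mode] if cond(state)]
    if len(hits) != 1:
        raise ValueError(f"{mode}: {len(hits)} columns true in {state}")
    return hits[0]

def check_total(table, sample_states):
    """Consistency check by enumeration over constructed sample states: per
    mode the column conditions must be disjoint (at most one true) and
    complete (at least one true). Returns the list of violations found."""
    problems = []
    for mode, cols in table.items():
        for s in sample_states:
            truth = [c(s) for c, _ in cols]
            if sum(truth) == 0:
                problems.append((mode, "incomplete", s))
            elif sum(truth) > 1:
                problems.append((mode, "overlapping", s))
    return problems

# Constructed sample grid of monitored values (degrees C).
SAMPLES = [{"temp": t, "target": g}
           for t, g in itertools.product(range(0, 41, 5), range(10, 31, 5))]

# A deliberately broken variant: both columns use "<= 5", so the columns
# overlap up to the boundary and leave the "> 5" region uncovered.
BROKEN = {"Heat": [(lambda s: s["target"] - s["temp"] <= 5, "Off"),
                   (lambda s: s["target"] - s["temp"] <= 5, "On")]}
```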