Department of Computer Science, University of Toronto

Lecture 16: Modelling events

- Focus on states or events? E.g. SCR (table-based models): explicit event semantics
- Comparing notations for state transition models: FSMs vs Statecharts vs SCR
- Checking properties of state transition models: consistency checking; model checking using temporal logic
- When to use formal methods

© 2004-5 Steve Easterbrook. This presentation is available free for non-commercial use with attribution under a creative commons license.

Slide 2: What are we modelling?

Application Domain: D (domain properties), R (requirements). Machine Domain: C (computers), P (programs).

Starting point:
- States of the environment (application domain)
- Events that change the state of the environment
- Requirements expressed as constraints over states and events of the application domain. E.g. "When the aircraft is in the air, the pilot should be prevented from accidentally engaging the reverse thrust."

To get to a specification:
- For each relevant application domain event, find a corresponding input event
- For each relevant state, ensure there is a way for the machine to detect it
- For each required action, find a corresponding output event

Slide 3: Tabular Specifications (SCR)

Four Variable Model: Environment -> Monitored Variables -> input devices -> input data items -> software -> output data items -> output devices -> Controlled Variables -> Environment

Dictionaries: Monitored/Controlled Variables, Types, Constants
Tables: Mode Transition Tables, Event Tables, Condition Tables
Also: Assertions, Scenarios

[Figure: collage of example SCR tables from a heater specification (mode transition table, event tables for Heater and AC power, condition tables for Warning light and Buzzer, and the dictionaries). The two dictionaries that can be read from the figure:]

Variables dictionary:
Variable     | Type       | Initial Value | Units
WarningFlag  | boolean    | false         |
OtherFlag    | boolean    | true          |
Fudgelevel   | enumerated | one           |
Waterlevel   | real       | 0.0           | m
temperature  | real       | 0.0           | degrees C
BlipCounter  | integer    | 0             | miles
TimeNow      | real       | 100.0         | sec
AirBrakeAcc  | real       | 0.0           | m/sec

Constants dictionary:
Constant             | Type       | Value | Units
LowTemp              | integer    | 15    | degrees C
HighTemp             | integer    | 23    | degrees C
MaxTimeOut           | integer    | 300   | millisec
ReferenceSafetyLevel | safetytype | low   |
TempMargin           | integer    | 5     | degrees C

Slide 4: SCR basics (Source: adapted from Heitmeyer et al. 1996)

Modes and Mode classes:
- A mode class is a finite state machine, with states called system modes
- Transitions in each mode class are triggered by events
- Complex systems are described using several mode classes operating in parallel
- System State is defined as: the system is in exactly one mode from each mode class, and each variable has a unique value

Events:
- Single input assumption: only one input event can occur at once
- An event occurs when any system entity changes value
- An input event occurs when an input variable changes value

Notation:
- We may need to refer to both the old and new value of a variable; primed values denote values after the event
- @T(c) ≡ ¬c ∧ c'   e.g. @T(y = 1) ≡ y ≠ 1 ∧ y' = 1
- @F(c) ≡ c ∧ ¬c'
- A conditioned event is an event with a predicate: @T(c) WHEN d ≡ ¬c ∧ c' ∧ d

Slide 5: Defining Mode Classes: Mode Class Tables (Source: adapted from Heitmeyer et al. 1996)

- Define a disjoint set of modes (states) that the software can be in
- Each mode class has a mode table showing which events cause mode changes
- A mode table defines a partial function from modes and events to modes

Example (heater mode class; each row is one transition, @T/@F is the triggering event and t is a condition that must hold):

Current Mode | Powered on | Too Cold | Temp OK | Too Hot | New Mode
Off          | @T         | -        | t       | -       | Inactive
Off          | @T         | t        | -       | -       | Heat
Off          | @T         | -        | -       | t       | AC
Inactive     | @F         | -        | -       | -       | Off
Inactive     | -          | @T       | -       | -       | Heat
Inactive     | -          | -        | -       | @T      | AC
Heat         | @F         | -        | -       | -       | Off
Heat         | -          | -        | @T      | -       | Inactive
AC           | @F         | -        | -       | -       | Off
AC           | -          | -        | @T      | -       | Inactive

Slide 6: Defining Controlled Variables (Source: adapted from Heitmeyer et al. 1996)

Event Tables: define how a controlled variable changes in response to input events. An event table defines a partial function from modes and events to variable values.

Example:

Modes         | Events
Heat, AC      | @C(target) | never
Inactive, Off | never      | @C(target)
Ack tone      | Beep       | Clang

Condition Tables: define the value of a controlled variable under every possible condition. A condition table defines a total function from modes and conditions to variable values.

Example:

Modes         | Conditions
Heat, AC      | target − 5 ≤ temp ≤ target + 5 | temp < target − 5 ∨ temp > target + 5
Inactive, Off | true                           | never
Warning light | Off                            | On

Slide 7: Refresher: FSMs and Statecharts

[Figure: the same telephone-call behaviour drawn twice, as a flat FSM and as a statechart. States: idle, dialtone, ringtone, busytone, connected. Transitions: off hook (idle to dialtone); Dial callee / busy (dialtone to busytone); Dial callee / idle (dialtone to ringtone); Callee accepts (ringtone to connected); Callee disconnects (from connected); on hook (from each off-hook state back to idle). The statechart version folds the repeated on hook transitions into a single transition from a superstate.]

Slide 8: SCR Equivalent

Current Mode: Idle, Dialtone, Busytone, Ringtone, Connected. Events: offhook, dial, callee ...
(the rest of the table is missing from the source: "offhook dial T F F F F T T callee")
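The heater mode class from the SCR slides above (slides 4 to 6), worked through as executable tables. This is an added example, not code from the lecture or from Heitmeyer et al.; the monitored variables powered, temp and target and the constant MARGIN (taken to be the TempMargin of 5 degrees from the constants dictionary) are assumptions. It encodes @T(c) WHEN d and @F(c) with primed values read from the new state, applies the mode table as a partial function under the single input assumption with a determinism check, and looks up the Warning light condition table as a total function.

```python
# Added example, not from the lecture: the heater mode class from the SCR
# slides as executable tables. Thresholds (MARGIN = 5, the slides' TempMargin)
# and the monitored variables powered/temp/target are assumptions.
MARGIN = 5

# Conditions over a system state (a dict of monitored variables)
def powered(s):  return s["powered"]
def too_cold(s): return s["temp"] < s["target"] - MARGIN
def too_hot(s):  return s["temp"] > s["target"] + MARGIN
def temp_ok(s):  return not (too_cold(s) or too_hot(s))

# Event notation from the slides: primed values are read from the new state.
def T(c, when=lambda s: True):  # @T(c) WHEN d  ==  not c and c' and d
    return lambda old, new: (not c(old)) and c(new) and when(old)
def F(c):                       # @F(c)  ==  c and not c'
    return lambda old, new: c(old) and not c(new)

# Mode table: one tuple per row, (current mode, triggering event, new mode).
# A 't' cell in the slide's table becomes the WHEN part of a conditioned event.
MODE_TABLE = [
    ("Off", T(powered, temp_ok), "Inactive"), ("Off", T(powered, too_cold), "Heat"),
    ("Off", T(powered, too_hot), "AC"),
    ("Inactive", F(powered), "Off"), ("Inactive", T(too_cold), "Heat"),
    ("Inactive", T(too_hot), "AC"),
    ("Heat", F(powered), "Off"), ("Heat", T(temp_ok), "Inactive"),
    ("AC", F(powered), "Off"), ("AC", T(temp_ok), "Inactive"),
]

def step(mode, old, new):
    """Apply the mode table to one input event; returns the new mode."""
    # Single input assumption: exactly one monitored variable changes value.
    assert sum(old[v] != new[v] for v in old) == 1, "single input assumption violated"
    targets = {nm for m, ev, nm in MODE_TABLE if m == mode and ev(old, new)}
    # Consistency check: a partial function may fire no row, but never two.
    assert len(targets) <= 1, f"mode table is nondeterministic in mode {mode}"
    return targets.pop() if targets else mode

# Condition table for the Warning light: rows of (condition, value) per mode group.
CONDITION_TABLE = {
    ("Heat", "AC"): [(temp_ok, "Off"), (lambda s: too_cold(s) or too_hot(s), "On")],
    ("Inactive", "Off"): [(lambda s: True, "Off"), (lambda s: False, "On")],
}

def warning_light(mode, s):
    """Look up the controlled variable; a total function must match exactly one cell."""
    rows = next(r for modes, r in CONDITION_TABLE.items() if mode in modes)
    values = [v for cond, v in rows if cond(s)]
    assert len(values) == 1, "condition table is not total and disjoint for this state"
    return values[0]
```

The two assertions in step and warning_light are the consistency checks the lecture outline refers to: determinism of the mode table and totality plus disjointness of the condition table, checked on each state reached.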