Die Präsentation wird geladen. Bitte warten

Die Präsentation wird geladen. Bitte warten

2.3 Timed Automata and Real-Time Statecharts

Ähnliche Präsentationen


Präsentation zum Thema: "2.3 Timed Automata and Real-Time Statecharts"—  Präsentation transkript:

1 2.3 Timed Automata and Real-Time Statecharts

2 Prize: 100 € Amazon voucher Task:
Coding Contest Prize: 100 € Amazon voucher Task: Implement a BUZZER app Server-client application Android (4.0+) front-end Java back-end Submit your complete source code until Dec. 23, 2012 to My footnote text - My Name Timed Automata und Realtime Statecharts

3 Summary State Machines
Different Semantics possible Trade-off: Flexibility (for the developer) vs. clarity (compactness) Precise specification necessary to guarantee unambiguouity (many developers are involved) to enable formal analysis (to prove that requirements are fulfilled) Timed Automata und Realtime Statecharts

4 Timed Automata

5 Timed Automata Based on State Machines
Finite state machine with clocks Clocks handle time which is continuous Clock values can be tested or reset Timed Automata und Realtime Statecharts

6 A Hot Topic Ein digitales Detail stellt die Deutsche Bahn und den Siemens-Konzern vor große Probleme: Das Kommando zum Anhalten eines ICE-3-Zugs irrt etwa eine Sekunde lang durch den Rechner, bis es ausgeführt wird. Nach SPIEGEL-Informationen verweigerte das Eisenbahn-Bundesamt deshalb die Zulassung. Die acht neuen ICE vom Typ Velaro sind schon lange bestellt, doch Siemens darf nicht liefern - wegen Problemen an der Steuerungssoftware. Nach Informationen des SPIEGEL traten bei Testfahrten des ICE 3 mit den bei der Deutschen Bahn üblichen Doppelzügen schwerwiegende Kommunikationsprobleme in der Software auf. Wird der Befehl zur Aktivierung der Bremsen ausgelöst, erlaubt sich die Steuerung eine Art Gedenksekunde, ehe sie das Kommando umsetzt. Bei einer Geschwindigkeit von 250 Stundenkilometern kommt der Zug nach einer Vollbremsung deshalb erst rund 70 Meter später zum Stehen als die alten ICE. Trotzdem strebte Siemens die Zulassung des ICE 3 an.“ (SPON ) Timed Automata und Realtime Statecharts

7 Timed Automata Finite state machine with real-valued clocks Locations
Clocks handle time which is continuous Clock values can be tested or reset Locations Represent states Transitions Messages Guards Actions Timed Automata und Realtime Statecharts

8 A simple alarm clock Goal: Problem:
Model an alarm clock that rings after a specified time. When the snooze button is pressed the alarm is postponed for 5 minutes. The alarm shall not sound more than 10 minutes. Problem: UML allows only rather informal specification of time in State Machines. Timed Automata und Realtime Statecharts

9 A simple alarm clock Solution: Add a clock “clock1”
Clock runs in back-ground during execution Clock conditions can serve as guards Clock can be reset (or set to any other time) Timed Automata und Realtime Statecharts

10 A simple alarm clock Invariants ensure that the state is active at most the given amount of time Requirement: “The alarm shall not sound more than 10 minutes.” Timed Automata und Realtime Statecharts

11 Timed Automata Locations Transitions Clocks Represent states Guards
Tells when the transition is enabled Actions Clocks Test them in guards Reset them in actions Invariants on states Timed Automata und Realtime Statecharts

12 Networked Timed Automata
Channels are used to synchronize TA Both automata take respective transition simultaneously Channels are bidirectional Can have an assigned priority Original definition Only 1:1 synchronization Later versions: 1:n synchronization (one ! and many ?) Acts as a guard Transition cannot be taken unless both processes are in the state that enables synchronization NETWORKED Synchronisation pair is chosen non-deterministically if several combinations are enabled and no broadcast defined Timed Automata und Realtime Statecharts

13 Networked Timed Automata
Locations Represent states Transitions Guards Tells when the transition is enabled Action Clocks Test them in guards Reset them in actions Invariants on states Local and global Channels Way of synchronizing processes Timed Automata und Realtime Statecharts

14 Timed Automata Definition
A Timed Automaton is a 9-Tupel (L, L0, Ch, A, C, G, Gc, I, E) L : finite, non-empty set of locations (states) L L : initial location Ch: finite set of channels used for synchronization A : set of actions (including synchronizations) C : finite set of clocks G : finite set of guards on the variables and clocks Gc G: finite set of propositions depending only on the clocks from C (time constraints) I : L → Gc assigns a time invariant to a location E: finite set of edges between locations, A Time Constraint on the set of clocks C is defined as φ(C) := c < x | c ≤ x | c = x | c > x | c ≥ x | φ1  φ2 where c is a clock from C and is constant. propositions = Aussagen phi Timed Automata und Realtime Statecharts

15 Tool Support for Networked Timed Automaton: UPPAAL
Uppaal is an integrated tool environment for modeling, simulation and verification of real-time systems. Key features of Uppaal v.4 A graphical system editor allowing graphical descriptions of systems. A graphical simulator which provides graphical visualization. A requirement specification editor. A model-checker for automatic verification. Generation of diagnostic trace UPPAAL is free for academic use only. Uppsala University, Sweden and Aalborg University, Denmark Quelle: Timed Automata und Realtime Statecharts

16 Example: Scientists crossing a bridge
Scenario: Dijkstra, Turing, Knuth, and Petri are on the return of a conference when their car breaks down in the dark. They cannot stay in the car because there are wild and dangerous animals in the woods. Across a moldered bridge is a house in which they can stay for the night. Timed Automata und Realtime Statecharts

17 Example: Scientists crossing a bridge
Requirements The bridge can carry at most two people at the same time They have only one flashlight which only lasts one hour and cannot be thrown. The bridge can only be crossed with the flashlight otherwise it’s too dark. The speed of a pair is determined by the speed of the slower person. The times each scientist needs to cross the bridge are: 5 min, 10 min, 20 min, and 25 min. How do they manage to cross the river within an hour? Timed Automata und Realtime Statecharts

18 Global Declarations and Templates
Urgent location: Time is not allowed to pass in this state. So one of the outgoing transitions is taken “immediately”, though interlea-ving with other processes is allowed. automaton template for scientists automaton template for the flashlight Legend: guards (green) location name (red) update (purple) sync (cyan) Timed Automata und Realtime Statecharts

19 System declarations Timed Automata und Realtime Statecharts

20 System simulation Timed Automata und Realtime Statecharts

21 System simulation Timed Automata und Realtime Statecharts

22 Specifying requirements
Two different kinds of requirements: Safety: “something bad will not happen” Liveness: “something good will happen” where P ::= (Atomic Propositions) Proc.I oc | (Process Proc at Location Ioc) c = n | c < n | c <= n | (Clock comparison) P and P | P or P | P -> P | (Boolean combinations) not P | P imply P In einer kommenden Vorlesung wird darauf genauer eingegangen. Timed Automata und Realtime Statecharts

23 System verification Verify that the system has no deadlock
A[] not deadlock  Property is satisfied. Verify that it is possible for every scientist to reach the safe side within 60 minutes: E<> Knuth.safe and Petri.safe and Dijkstra.safe and Turing.safe and time <= 60  Property is satisfied.  Scheduling problem reformulated as reachability property Timed Automata und Realtime Statecharts

24 System verification Verify that the system has no deadlock
A[] not deadlock  Property is satisfied. Verify that it is possible for every scientist to reach the safe side within 60 minutes: E<> Knuth.safe and Petri.safe and Dijkstra.safe and Turing.safe and time <= 60  Property is satisfied.  Scheduling problem reformulated as reachability property Hint: Activate fastest diagnostic trace to see fastest solution trace in Simulator Timed Automata und Realtime Statecharts

25 Real-Time Statecharts

26 Example: Convoys in RailCab System
Motivation RailCabs build convoys to save energy ( slipstream) Safety critical, because only small space between RailCabs => Software has to be correct i.e. “It can never happen that FrontRole is in state convoy and RearRole is in state noConvoy.” Idea: Specify complex communication between roles independently from other system behavior  Validation possible ConvoyCoordination Slipstream = Windschatten Role: front Role: rear RailCab RailCab Fahrtrichtung Timed Automata und Realtime Statecharts

27 Coordination Patterns & Realtime Statecharts
Coordination Pattern specifies communication of roles Each role specified by a Real-Time Statechart ConvoyCoordination front rear Timed Automata und Realtime Statecharts

28 Real-Time Statecharts
Combine UML Statemachines by concepts of Timed Automata to add timing constraints: periods, deadlines, (worst case) execution times Clocks: assigned to a Statechart apply for all states of the Statechart apply recursively within hierarchically Statecharts cf: clock name Clock guard Clock-Reset state invariant [Hei09] Feuern von Transitionen kostet im Allgemeinen Zeit  Einsatz von Deadline-Intervallen deadline Timed Automata und Realtime Statecharts

29 Mapping RTSCs to Timed Automata
Real-Time Statecharts enable hierarchy Timed Automata do not support hierarchy  Real-Time Statecharts have to be flattened to verify them with Uppaal Timed Automata und Realtime Statecharts

30 Mapping RTSCs to Timed Automata
Timed Automata assume execution of transitions in zero time But: Transitions can have side effects like function calls These are not executable in zero time Therefore, deadlines and WCETs are introduced in RTSCs Can be mapped to Timed Automata (time is consumed within states) Timed Automata und Realtime Statecharts

31 Mapping RTSCs to Timed Automata
RTSC of FrontRole Timed Automata of FrontRole Hier wird nur Kommunikation verifiziert werden. /convoyProposal wird asychron versendet convoyProposal? wird synchron durchgeführt Wie kann man asynchrone Komm. auf synchrone abbilden? A: Nachricht auf Kanal legen, Nachricht im Kanal speichern, Nachricht an Empfänger übermitteln Timed Automata und Realtime Statecharts

32 Mapping RTSCs to Timed Automata
RTSC of RearRole Timed Automata of RearRole Timed Automata und Realtime Statecharts

33 Verification Input: Timed Automata for FrontRole and RearRole of RailCab Possible Verifications: No Deadlocks: A[ ] not deadlock  Property is satisfied. It can never happen that FrontRole is in state convoy and RearRole is in state noConvoy: A[] not (FrontRole.convoy and RearRole.noConvoy)  Property is satisfied. Timed Automata und Realtime Statecharts

34 Conclusion Timed Automata Real-Time Statecharts
Finite state machine with continuous clocks and channels for synchronization Automatic verification of requirements via model checking possible Real-Time Statecharts Combination of UML Statecharts and Timed Automata Can be transformed to Timed Automata Coordination Patterns describe complex communications between roles Role behavior is defined by Real-Time Statecharts Timed Automata und Realtime Statecharts


Herunterladen ppt "2.3 Timed Automata and Real-Time Statecharts"

Ähnliche Präsentationen


Google-Anzeigen