Slide 1
Engineering Applications of Formal Methods
Lecture 31
Slide 2
We apply the concepts, methods and tools you learnt to love in contexts that are relatively close to what the people out there are facing.
In this lecture I show you what they are facing, and I round off the entire lecture series.
Assumptions for today:
Nothing particular.
Slide 3
A real application.
Testing based on formal methods.
Another real application.
Model construction and model checking beyond what you have seen in this entire set of lectures.
A third, very real application.
Slide 4
What's this?
Slide 5
Rotterdam
Slide 6
Completed in 1999.
Some statistical data:
Each barrier wall has the height of one Eiffel Tower, and weighs twice as much.
Decisions are taken 24 hrs before actual closure; reversible until 3 hrs before closure.
Fully mechanised, software-controlled decision procedure.
Nieuwe Waterweg storm surge barrier
Slide 7
Rotterdam (diagram labels: 'BESW', 'BOS', North Wall, South Wall)
Slide 8
System consists of distributed components:
north wall, south wall, various hydraulic parts, engines, etc.
BOS ('beslissing & ondersteunend systeem') knows the environmental conditions;
takes decisions, based on the available data;
BESW ('besturingssysteem waterweg') knows & controls the barrier;
carries out commands of BOS;
reports status information to BOS;
Slide 9
'BBI' (BOS-BESW Interface)
Slide 10
Budget issues
Total costs: > 500 million €;
Costs for software: < 10 million € (< 2%)
Control software ('BBI') developed mainly by CMG.
Formal specification techniques used:
Z
Promela (academic SDL variant, nicer)
Experience (in a nutshell):
Difficult to learn, but pays off enormously.
Slide 11
BBI main components
BOS
is informed every 10 minutes about water, wind and weather status and forecast;
computes anticipated water level;
assesses the anticipation relative to the closing criteria;
if needed …
Slide 12
BBI main components
BESW controls
water levels in docks;
opening/closing of dock gates;
moving of barrier walls;
sinking and refloating of barrier walls;
…
BESW implements the BOS instructions.
BOS and BESW are about 300 metres apart, and interact via redundant bidirectional channel pairs.
In particular, they exchange 'heartbeat' signals every 30 sec to indicate 'I am alive'.
Slide 13
(SDL structure diagram) system BBI, consisting of block BOS and block BESW, connected by the channels BOS2BESW and BESW2BOS; ENV is the environment.
Signal lists shown on the channels: [status, stop, close, …], [data, emergency], [curr].
Declaration: SIGNAL status, stop, close, curr, …;
Block BESW contains the processes NORTH and SOUTH, with signal list [closed, …].
Declaration: SIGNAL close, closed, …;
Slide 14
(SDL process diagram, labelled "process BOS") State Closing:
input FROM SOUTH: S_active := ff; S_ready := tt;
input FROM NORTH: N_active := ff; N_ready := tt;
then active := S_active && N_active; ready := S_ready && N_ready; stopped := S_stopped && N_stopped;
output curr(active, ready, stopped);
input stop: decision on S_active: tt: S_active := ff; S_stopped := tt; ff: nothing;
decision on N_active: tt: N_active := ff; N_stopped := tt; ff: nothing;
…
DCL N_active, S_active, active Boolean;
N_ready, S_ready, ready Boolean;
N_stopped, S_stopped, stopped Boolean;
…;
Slide 15
BOS process fragments in SDL
(SDL process diagram "process BOS") States: Idle, Checking, Waiting. Inputs and outputs shown: data(…), close, emergency, stop, status, curr(active, ready, stopped), NONE, …
Slide 16
Well, here is the intended behaviour.
That's how it should be.
Good!
Yahoo!
Slide 17
BESW process fragment in SDL
(SDL process diagram, labelled "process BOS") State Closing:
input closed FROM SOUTH: S_active := ff;
input closed FROM NORTH: N_active := ff;
then active := S_active && N_active; ready := S_ready && N_ready; stopped := S_stopped && N_stopped;
output status / curr(active, ready, stopped);
input stop: decision on S_active: tt: S_active := ff; S_stopped := tt; ff: nothing;
…
Problem!
The system may get stuck if a 'stop' message arrives at the BESW while the gates are closing.
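To make concrete what "the system may get stuck" means, and what a model checker such as SPIN does to find it, here is an added example that is not part of the lecture nor of the BBI project's own SDL or Promela models. It is a deliberately small, assumed model of the close/stop interaction in Python: BOS issues a close and may later issue a stop; BESW drives two walls (NORTH, SOUTH) and reports to BOS once both have closed; a stop received in state Closing takes BESW to a Stopped state, and following SDL semantics, signals that have no transition in the current state are discarded. The function `find_deadlock` explores every reachable global state exhaustively (the same idea as SPIN's state-space search), reports the first state in which nothing can happen while BOS is still waiting, and reconstructs the path to it as a sequence of events, which is the textual counterpart of the MSC on the next slides. The `fixed` flag enables one assumed repair (BESW reports to BOS immediately on stop) purely to show that the same search then finds no stuck state; it is not the project's actual fix, and all state, queue and signal names are assumptions of this example.

```python
from collections import deque
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class State:
    """One global state of the assumed, simplified BOS/BESW closing protocol."""
    bos: str = "Idle"         # BOS control state: Idle -> Waiting -> Done
    besw: str = "Idle"        # BESW control state: Idle -> Closing -> Done | Stopped
    north: str = "open"       # wall states: open / closing / closed
    south: str = "open"
    n_active: bool = False    # BESW bookkeeping flags, named after the SDL fragment
    s_active: bool = False
    stop_sent: bool = False   # BOS issues at most one stop
    besw_q: tuple = ()        # BESW input queue (FIFO; signals from BOS and both walls)
    bos_q: tuple = ()         # BOS input queue (signals from BESW)


def successors(s, fixed):
    """All (label, next_state) pairs enabled in s; `fixed` switches on the assumed repair."""
    out = []
    # BOS: issue close, optionally issue stop later, then wait for a status report.
    if s.bos == "Idle":
        out.append(("BOS: send close", replace(s, bos="Waiting", besw_q=s.besw_q + ("close",))))
    elif s.bos == "Waiting":
        if not s.stop_sent:
            out.append(("BOS: send stop", replace(s, stop_sent=True, besw_q=s.besw_q + ("stop",))))
        if s.bos_q and s.bos_q[0] == "status":
            out.append(("BOS: receive status", replace(s, bos="Done", bos_q=s.bos_q[1:])))
    # Walls: once told to close, each finishes at some unknown later moment.
    if s.north == "closing":
        out.append(("NORTH: closed", replace(s, north="closed", besw_q=s.besw_q + ("closed_N",))))
    if s.south == "closing":
        out.append(("SOUTH: closed", replace(s, south="closed", besw_q=s.besw_q + ("closed_S",))))
    # BESW: consume the head of its input queue, as an SDL process does.
    if s.besw_q:
        sig, rest = s.besw_q[0], s.besw_q[1:]
        if s.besw == "Idle" and sig == "close":
            out.append(("BESW: close, start both walls", replace(
                s, besw="Closing", north="closing", south="closing",
                n_active=True, s_active=True, besw_q=rest)))
        elif s.besw == "Closing" and sig in ("closed_N", "closed_S"):
            n = replace(s, besw_q=rest,
                        n_active=s.n_active and sig != "closed_N",
                        s_active=s.s_active and sig != "closed_S")
            if not (n.n_active or n.s_active):     # both walls reported: report to BOS
                n = replace(n, besw="Done", bos_q=n.bos_q + ("status",))
            out.append((f"BESW: {sig}", n))
        elif s.besw == "Closing" and sig == "stop":
            n = replace(s, besw="Stopped", n_active=False, s_active=False, besw_q=rest)
            if fixed:                               # assumed repair: tell BOS about the stop at once
                n = replace(n, bos_q=n.bos_q + ("status",))
            out.append(("BESW: stop", n))
        else:
            # SDL semantics: a signal with no transition in the current state is discarded.
            out.append((f"BESW: discard {sig}", replace(s, besw_q=rest)))
    return out


def find_deadlock(fixed=False):
    """Breadth-first exploration of every reachable global state.

    Returns the list of event labels leading to the first state in which nothing
    can happen although BOS is still waiting, or None if no such state exists.
    """
    init = State()
    parent = {init: None}          # state -> (label, predecessor), for the counterexample
    todo = deque([init])
    while todo:
        s = todo.popleft()
        succ = successors(s, fixed)
        if not succ and s.bos != "Done":
            trace, cur = [], s
            while parent[cur] is not None:
                label, prev = parent[cur]
                trace.append(label)
                cur = prev
            return trace[::-1]
        for label, n in succ:
            if n not in parent:
                parent[n] = (label, s)
                todo.append(n)
    return None


if __name__ == "__main__":
    for fixed in (False, True):
        trace = find_deadlock(fixed)
        print("model with assumed repair:" if fixed else "original model:",
              "no stuck state" if trace is None else "stuck after " + " ; ".join(trace))
```

Run as a script, the original model yields an event sequence that starts with BOS sending close and contains BESW consuming stop while closing, after which the walls' closed signals are discarded and BOS waits forever; with the repair enabled the exhaustive search terminates without a stuck state. The state space here is a few dozen states; SPIN's job on the real BBI models was the same search on a vastly larger one.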
Slide 18
Here is the (almost) original MSC, reported by Pim Kars in November 1998.
It was found with the model checker SPIN.
Slide 19
Here is another MSC, reporting a timing violation problem discovered by Theo Ruys a little later.
This design error has to do with the heartbeat signals and maximally anticipated delays when links fail.
I cannot explain this problem without adding too much detail.
What I can tell you:
…ners implemented a solution
Slide 20
Z
was used for specifying the functions performed by processes; syntax and type checking was done with the ZTC tool;
was found very useful, yet to allow too great a deal of freedom and to offer little structure for the style in which it is to be used;
was equipped with a common 'style' (comparable to a coding standard) for using Z within the project, containing heuristics and pragmatic rules for its use.