Peter Gorm Larsen

1
Real-Time and Distributed Development in VDM

• Peter Gorm Larsen
• (pgl_at_iha.dk)

2
Agenda

• Development Process for RT systems
• The Counter Measure System
• Requirements Capture using VDM-SL
• Sequential VDM Model
• Concurrent VDM Model
• Real-time Distributed VDM Model

3
Reactive systems Nature
The World
Environment
System
stimuli
response
4
Overview of Development Process
5
General use case for anembedded system
6
Capturing Requirements in VDM-SL

• operations
• PerformSystemReaction seq of SensorInput gt
• seq of ActuatorCommand
• PerformSystemReaction(inputseq)
• if inputseq
• then
• else SensorTreatment(hd inputseq)
• PerformSystemReaction(tl inputseq)

An accumulating parameter can be used for feedback
7
Sequential Design Model
8
Typical Design Structure

• An Environment class is needed
• A SystemName class is needed
• A World class is introduced for setting up both
  the environment and the system
• World shall contain a Run operation
• World have access to some notion of time
• The Environment has operation for creating
  signals to the system and receiving events from
  the system
• Flow of control resides with the Environment
• Each class that do actions has an isFinished
  operation

9
Concurrent Design Model

• Similar to sequential design model but
• Identification of threads
• Determine necessary communication
• Establish synchronization points
• Validation of model
• Typical design structure
• Flow of control is distributed
• Synchronization using permission predicates and
  mutex
• isFinished operations become skip with permission
  predicates
• A simple Timer class is replaced with the
  TimeStamp class

10
Concurrent Real-Time and Distributed Design Model

• Timing built in
• Use of default durations
• Use of duration and cycles statements
• Setting task switching overhead
• Typical Design Structure
• SystemName is now turned into a system
• CPUs and BUSes are introduced inside SystemName
• Environment may be turned into a system
• Some operations are made asynchronous
• Some Step like threads are made periodic
• Explicit use of TimeStamp is removed

11
Agenda

• Development Process for RT systems
• The Counter Measure System
• Requirements Capture using VDM-SL
• Sequential VDM Model
• Concurrent VDM Model
• Real-time Distributed VDM Model

12
The Counter Meassures System
13
System Description

• Flares are released in a timed sequence, the
  number of flares released and the delay between
  releases depending on the threat and its angle of
  incidence with the missile. Different places
  around an aircraft different flare dispensers or
  magazines are located dealing with threats
  arriving from different angles. The threat
  sensors relay the ID of the threat to the
  controller. For each different kind of ID and the
  angle of the missile the controller must then
  derive a plan for how to deal with the given
  threat by firing a sequence of flares with a
  given pattern with a given flare dispenser (a
  magazine) dealing with the given angle. Such a
  pattern contains the number of flares to be fired
  and the delay between each firing. The task
  communicates the stated number of firings to the
  flare release hardware with the specified delay
  between each communication. It is assumed that
  there are only two kinds of physical flares.

14
CM Requirements

• If while computing the firing sequence with a
  flare dispenser for a given threat from an angle
  treated by the same flare dispenser, another
  threat is sensed (in the same angle area), the
  system should check the priority of the more
  recent threat and, if greater than the previous
  one, should abort computation of the current
  firing sequence. Computation of the new firing
  sequence should then take place.
• If different threats are sensed with angles that
  are treated by different flare dispensers the
  corresponding firing sequences shall be performed
  in parallel.
• The controller should be capable of sending the
  first flare release command within 250
  milliseconds of receiving threat information from
  the sensor.
• The controller should be able to abort a firing
  sequence within 130 milliseconds.

15
Example Missile Responses
16
Agenda

• Development Process for RT systems
• The Counter Measure System
• Requirements Capture using VDM-SL
• Sequential VDM Model
• Concurrent VDM Model
• Real-time Distributed VDM Model

17
VDM-SL Input/Output Types

• types
• MissileInputs seq of MissileInput
• MissileInput MissileType Angle
• MissileType ltMissileAgt ltMissileBgt
  ltMissileCgt
• ltNonegt
• Angle nat
• inv num num lt 360
• Output map MagId to seq of OutputStep
• OutputStep FlareType AbsTime
• AbsTime nat

18
VDM-SL Flares and Plans

• FlareType ltFlareOneAgt ltFlareTwoAgt
• ltFlareOneBgt ltFlareTwoBgt
• ltFlareOneCgt ltFlareTwoCgt
• ltDoNothingAgt ltDoNothingBgt
• ltDoNothingCgt
• Plan seq of (FlareType Delay)
• Delay nat

19
VDM-SL Value Definitions

• values
• responseDB map MissileType to Plan
• ltMissileAgt -gt mk_(ltFlareOneAgt,900),
  mk_(ltFlareTwoAgt,500),
• mk_(ltDoNothingAgt,100),
  mk_(ltFlareOneAgt,500),
• ltMissileBgt -gt mk_(ltFlareTwoBgt,500),
  mk_(ltFlareTwoBgt,700),
• ltMissileCgt -gt mk_(ltFlareOneCgt,400),
  mk_(ltDoNothingCgt,100),
• mk_(ltFlareTwoCgt,400),
  mk_(ltFlareOneCgt,500)
• missilePriority map MissileType to nat
• ltNonegt -gt 0,
• ltMissileAgt -gt 1,
• ltMissileBgt -gt 2,
• ltMissileCgt -gt 3
• stepLength nat 100

20
CM Functionality

• CounterMeasures MissileInputs -gt Output
• CounterMeasures(missileInputs)
• CM(missileInputs,-gt,-gt,0)
• The CM parameters are
• missileInputs This parameter contains the
  missile input which has not yet been considered
  in the analysis of which flares should be fired.
  Recursion is done over this parameter such that
  in each recursive call this sequence will be one
  smaller.
• outputSoFar This parameter contains a mapping
  from the magazine identifiers to the flare
  sequence expected to be fired (and their expected
  firing time) given the missile inputs taken into
  account so far. This is the accumulating
  parameter which at the end will contain the final
  result.
• lastMissile This parameter contains mapping from
  the magazine identifier to the last missile which
  has had effect on the output so far relative to
  the MagId. The priority of this missile is
  important in relation to the next missile
  arriving.
• curTime This parameter specifies the time at
  which this missile has been detected (a multiple
  of stepLength).

21
The CM Function

• CM MissileInputs Output map MagId to
  MissileType nat -gt Output
• CM( missileInputs, outputSoFar, lastMissile,
  curTime)
• if missileInputs
• then outputSoFar
• else let mk_(curMis,angle) hd missileInputs,
• magid Angle2MagId(angle)
• in
• if magid not in set dom lastMissile or
• (magid in set dom lastMissile and
• missilePriority(curMis) gt
  missilePriority(lastMissile(magid)))
• then let newOutput InterruptPlan(curTim
  e,outputSoFar,
• 
  responseDB(curMis),
• 
  magid)
• in CM(tl missileInputs, newOutput,
• lastMissile magid -gt
  curMis,
• curTime stepLength)
• else CM(tl missileInputs, outputSoFar,
• lastMissile,curTime
  stepLength)

22
Interrupting a Plan

• InterruptPlan nat Output Plan MagId -gt
  Output
• InterruptPlan(curTime,expOutput,plan,magid)
• magid -gt (if magid in set dom expOutput
• then LeavePrefixUnchanged(expOutput(
  magid),
• curTime)
• else )
• MakeOutputFromPlan(curTime, plan)
• munion
• (magid lt- expOutput)
• LeavePrefixUnchanged seq of OutputStep nat -gt
• seq of OutputStep
• LeavePrefixUnchanged(output_l, curTime)
• output_l(i) i in set inds output_l
• let mk_(-,t) output_l(i) in t
  lt curTime

23
Converting Plan to Output

• MakeOutputFromPlan nat seq of Response -gt
• seq of OutputStep
• MakeOutputFromPlan(curTime, response)
• let output OutputAtTimeZero(response) in
• let mk_(flare,t) output(i)
• in
• mk_(flare,tcurTime)
• i in set inds output
• OutputAtTimeZero seq of Response -gt seq of
  OutputStep
• OutputAtTimeZero(response)
• let absTimes RelativeToAbsoluteTimes(response)
  in
• let mk_(firstFlare,-) hd absTimes in
• mk_(firstFlare,0)
• let mk_(-,t) absTimes(i-1),
• mk_(f,-) absTimes(i) in
• mk_(f,t) i in set 2,...,len
  absTimes

24
Final Conversions

• RelativeToAbsoluteTimes seq of Response -gt
• seq of (FlareType
  nat)
• RelativeToAbsoluteTimes(ts)
• if ts
• then
• else let mk_(f,t) hd ts,
• ns RelativeToAbsoluteTimes(tl ts) in
• mk_(f,t) let mk_(nf, nt) ns(i)
• in mk_(nf, nt t)
• i in set inds ns
• Angle2MagId Angle -gt MagId
• Angle2MagId(angle)
• if angle lt 90
• then mk_token("Magazine 1")
• elseif angle lt 180
• then mk_token("Magazine 2")
• elseif angle lt 270
• then mk_token("Magazine 3")

25
Validation using Overture

• Electronic version contains three test values
• Use interpreter with
• CounterMeassures(testval1)
• CounterMeassures(testval2)
• CounterMeassures(testval3)
• Inspect the result values
• Including timing information
• Inspect test coverage

26
Agenda

• Development Process for RT systems
• The Counter Measure System
• Requirements Capture using VDM-SL
• Sequential VDM Model
• Concurrent VDM Model
• Real-time Distributed VDM Model

27
Sequential VDM Design Model

• The classes are
• CM This is the overall system class (a
  SystemName class) that creates static public
  instances for all the system components.
• World The main class, used to combine the system
  classes and the environment and allow execution
  of scenarios.
• Environment This is used for modelling the
  environment (in this case the sensors providing
  input for the system).
• Sensor A class for modelling the hardware used
  to sense the arrival of missiles with a given
  angle.
• MissileDetector A class which takes information
  from the Sensor and passes it to one of the
  FlareController's.
• FlareController A class which controls outputs
  of flares for a given detected missile using a
  number of flare dispensers.
• FlareDispenser A class which master the actual
  firing of flares depending upon the type of the
  missile.
• Timer A timer class used to step time throughout
  the sequential VDM model.
• IO A VDM standard library class.
• GLOBAL This is a superclass providing a number
  of general definitions used by a number of the
  system and environment classes.

28
Sequential Class Diagram
29
Envisaged System Dimension

• 4 sensors covering 90 degrees each
• 1 missile detector
• 3 flare controllers covering 120 degrees of angle
  each controlling 4 flare dispensers
• 12 flare dispensers coping with 30 degrees of
  each.

30
The CM Class

• class CM
• instance variables
• public static detector MissileDetector new
  MissileDetector()
• public static sensor0 Sensor new Sensor(0)
• public static sensor1 Sensor new Sensor(90)
• public static sensor2 Sensor new
  Sensor(180)
• public static sensor3 Sensor new
  Sensor(270)
• public static controller0 FlareController
  new FlareController(0)
• public static controller1 FlareController
  new FlareController(120)
• public static controller2 FlareController
  new FlareController(240)
• public static dispenser0 FlareDispenser
  new FlareDispenser(0)
• public static dispenser1 FlareDispenser
  new FlareDispenser(30)
• public static dispenser2 FlareDispenser
  new FlareDispenser(60)
• public static dispenser3 FlareDispenser
  new FlareDispenser(90)
• public static dispenser4 FlareDispenser
  new FlareDispenser(0)
• public static dispenser5 FlareDispenser
  new FlareDispenser(30)
• public static dispenser6 FlareDispenser
  new FlareDispenser(60)
• public static dispenser7 FlareDispenser
  new FlareDispenser(90)

31
The World Class Instance Variables

• class World
• instance variables
• public static env Environment nil
• public static timerRef Timer new Timer()
• operations

32
The World Constructor

• public World () gt World
• World ()
• ( env.addSensor(CMsensor0)
• env.addSensor(CMsensor1)
• env.addSensor(CMsensor2)
• env.addSensor(CMsensor3)
• CMcontroller0.addDispenser(CMdispenser0)
• CMcontroller0.addDispenser(CMdispenser1)
• CMcontroller0.addDispenser(CMdispenser2)
• CMcontroller0.addDispenser(CMdispenser3)
• CMdetector.addController(CMcontroller0)
• CMcontroller1.addDispenser(CMdispenser4)
• CMcontroller1.addDispenser(CMdispenser5)
• CMcontroller1.addDispenser(CMdispenser6)
• CMcontroller1.addDispenser(CMdispenser7)
• CMdetector.addController(CMcontroller1)

33
The World Class Run Operation

• operations
• public Run () gt ()
• Run ()
• env.Run()
• end World

34
The Global Class Values and Types

• class GLOBAL
• values
• public SENSOR_APERTURE 90
• public FLARE_APERTURE 120
• public DISPENSER_APERTURE 30
• types
• public MissileType ltMissileAgt ltMissileBgt
  ltMissileCgt ltNonegt
• public FlareType
• ltFlareOneAgt ltFlareTwoAgt ltDoNothingAgt
• ltFlareOneBgt ltFlareTwoBgt ltDoNothingBgt
• ltFlareOneCgt ltFlareTwoCgt ltDoNothingCgt
• public Angle nat
• inv num num lt 360

35
The Global Class Operations

• operations
• public canObserve Angle Angle Angle gt bool
• canObserve (pangle, pleft, psize)
• def pright (pleft psize) mod 360 in
• if pright lt pleft
• -- check between 0,prightgt and pleft,360gt
• then return (pangle lt pright or pangle gt
  pleft)
• -- check between pleft, prightgt
• else return (pangle gt pleft and pangle lt
  pright)
• public getAperture () gt Angle Angle
• getAperture () is subclass responsibility
• end GLOBAL

36
The Environment ClassTypes and Instance Variables

• class Environment is subclass of GLOBAL
• types
• public inline EventId MissileType Angle
  Time
• public outline EventId FlareType Angle
  Time Time
• instance variables
• io IO new IO()
• inlines seq of inline
• outlines seq of outline
• ranges map nat to (Angle Angle) -gt
• sensors map nat to Sensor -gt
• inv dom ranges dom sensors
• busy bool true

37
Environment Setup Operations

• operations
• public Environment seq of char gt Environment
• Environment (fname)
• def mk_ (-,input) io.freadvalseq of
  inline(fname) in
• inlines input
• public addSensor Sensor gt ()
• addSensor (psens)
• ( dcl id nat card dom ranges 1
• atomic (
• ranges ranges munion id -gt
  psens.getAperture()
• sensors sensors munion id -gt psens
• )
• )

38
The Environment Run Operation

• public Run () gt ()
• Run ()
• (while not (isFinished() and CMdetector.isFinish
  ed()) do
• (createSignal()
• CMdetector.Step()
• WorldtimerRef.StepTime()
• )
• showResult()
• )

39
The CreateSignal Operation

• private createSignal () gt ()
• createSignal ()
• ( if len inlines gt 0
• then (dcl curtime Time
  WorldtimerRef.GetTime(),
• done bool false
• while not done do
• def mk_ (eventid, pmt, pa, pt) hd
  inlines in
• if pt lt curtime
• then (for all id in set dom ranges
  do
• def mk_(papplhs,pappsize)
  ranges(id) in
• if canObserve(pa,papplhs,p
  appsize)
• then sensors(id).trip(even
  tid,pmt,pa)
• inlines tl inlines
• done len inlines 0)
• else done true)
• else busy false)

40
The Remaining Environment Operations

• public
• handleEvent EventId FlareType Angle Time
  Time gt ()
• handleEvent (evid,pfltp,angle,pt1,pt2)
• (outlines outlines mk_ (evid,pfltp,
  angle,pt1, pt2) )
• public showResult () gt ()
• showResult ()
• def - io.writevalseq of outline(outlines)
  in skip
• public isFinished () gt bool
• isFinished ()
• return inlines and not busy
• end Environment

41
The Sensor Class

• class Sensor is subclass of GLOBAL
• instance variables
• private detector MissileDetector
• private aperture Angle
• operations
• public Sensor MissileDetector Angle gt Sensor
• Sensor (pmd,psa) (detector pmd aperture
  psa)
• public getAperture () gt GLOBALAngle
  GLOBALAngle
• getAperture () return mk_ (aperture,
  SENSOR_APERTURE)
• public trip EventId MissileType Angle gt ()
• trip (evid, pmt, pa)
• -- log and time stamp the observed threat
• CMdetector.addThreat(evid, pmt,pa,WorldtimerRe
  f.GetTime())

42
MissileDetector with Controllers

• class MissileDetector is subclass of GLOBAL
• instance variables
• ranges map nat to (Angle Angle) -gt
• controllers map nat to FlareController
  -gt
• inv dom ranges dom controllers
• threats seq of (EventId MissileType Angle
  Time)
• busy bool false
• operations
• public addController FlareController gt ()
• addController (pctrl)
• (dcl nid nat card dom ranges 1
• atomic
• (ranges ranges munion nid -gt
  pctrl.getAperture()

43
Stepping a MissileDetector

• public Step () gt ()
• Step()
• (if threats ltgt
• then def mk_ (evid,pmt, pa, pt) getThreat()
  in
• for all id in set dom ranges do
• def mk_(papplhs, pappsize)
  ranges(id) in
• if canObserve(pa, papplhs,
  pappsize)
• then controllers(id).addThreat(evid,
  pmt,pa,pt)
• busy len threats gt 0
• for all id in set dom controllers do
• controllers(id).Step()
• )

44
MissileDetectorHandling of Threats

• public addThreat EventId MissileType Angle
  Time gt ()
• addThreat (evid,pmt,pa,pt)
• (threats threats mk_ (evid,pmt,pa,pt)
• busy true )
• private getThreat () gt EventId MissileType
  Angle Time
• getThreat ()
• (dcl res EventId MissileType Angle Time
  hd threats
• threats tl threats
• return res )
• public isFinished () gt bool
• isFinished ()
• return forall id in set dom controllers
• controllers(id).isFinished()
• end MissileDetector

45
FlareController Setup Operations

• class FlareController is subclass of GLOBAL
• instance variables
• private aperture Angle
• ranges map nat to (Angle Angle) -gt
• dispensers map nat to FlareDispenser -gt
• inv dom ranges dom dispensers
• threats seq of (EventId MissileType Angle
  Time)
• busy bool false
• operations
• public FlareController Angle gt FlareController
• FlareController (papp) aperture papp
• public addDispenser FlareDispenser gt ()
• addDispenser (pfldisp)
• let angle aperture pfldisp.GetAngle() in

46
Stepping the Flare Controller

• public Step () gt ()
• Step()
• (if threats ltgt
• then def mk_ (evid,pmt, pa, pt) getThreat()
  in
• for all id in set dom ranges do
• def mk_(papplhs, pappsize)
  ranges(id) in
• if canObserve(pa, papplhs,
  pappsize)
• then dispensers(id).addThreat(evid,p
  mt,pt)
• busy len threats gt 0
• for all id in set dom dispensers do
• dispensers(id).Step())

47
FlareController Handling of Threats

• public getAperture () gt GLOBALAngle
  GLOBALAngle
• getAperture () return mk_(aperture,
  FLARE_APERTURE)
• public addThreat EventId MissileType Angle
  Time gt ()
• addThreat (evid,pmt,pa,pt)
• (threats threats mk_ (evid,pmt,pa,pt)
• busy true )
• private getThreat () gt EventId MissileType
  Angle Time
• getThreat ()
• (dcl res EventId MissileType Angle nat
  hd threats
• threats tl threats
• return res )
• public isFinished () gt bool
• isFinished ()
• return forall id in set dom dispensers
• dispensers(id).isFinished()

48
FlareDispenser Constants

• class FlareDispenser is subclass of GLOBAL
• values
• responseDB map MissileType to Plan
• ltMissileAgt -gt mk_(ltFlareOneAgt,900),
• mk_(ltFlareTwoAgt,500),
• mk_(ltDoNothingAgt,100),
• mk_(ltFlareOneAgt,500),
• ltMissileBgt -gt mk_(ltFlareTwoBgt,500),
• mk_(ltFlareTwoBgt,700),
• ltMissileCgt -gt mk_(ltFlareOneCgt,400),
• mk_(ltDoNothingCgt,100),
• mk_(ltFlareTwoCgt,400),
• mk_(ltFlareOneCgt,500)
• missilePriority map MissileType to nat
• ltNonegt -gt 0,
• ltMissileAgt -gt 1,

49
FlareDispenser Setup Operations

• types
• public Plan seq of PlanStep
• public PlanStep FlareType Time
• instance variables
• public curplan Plan
• curprio nat 0
• busy bool false
• aperture Angle
• eventid EventId
• operations
• public FlareDispenser nat gt FlareDispenser
• FlareDispenser(ang)
• aperture ang

50
Stepping the Flare Dispenser

• public Step () gt ()
• Step()
• if len curplan gt 0
• then (dcl curtime Time WorldtimerRef.GetTi
  me(),
• first PlanStep hd curplan,
• next Plan tl curplan
• let mk_(fltp, fltime) first in
• (if fltime lt curtime
• then (releaseFlare(eventid,fltp,fltime,
  curtime)
• curplan next
• if len next 0
• then (curprio 0
• busy false ) )
• )
• )

51
FlareDispenser Handling of Threats

• public addThreat EventId MissileType Time
  gt ()
• addThreat (evid, pmt, ptime)
• if missilePriority(pmt) gt curprio
• then (dcl newplan Plan ,
• newtime Time ptime
• for mk_(fltp, fltime) in responseDB(pmt)
  do
• (newplan newplan mk_ (fltp,
  newtime)
• newtime newtime fltime )
• def mk_(fltp, fltime) hd newplan in
• releaseFlare(evid,fltp,fltime,
  WorldtimerRef.GetTime())
• curplan tl newplan
• eventid evid
• curprio missilePriority(pmt)
• busy true )
• pre pmt in set dom missilePriority and pmt in set
  dom responseDB
• private releaseFlare EventId FlareType Time
  Time gt ()
• releaseFlare (evid,pfltp, pt1, pt2)
• Worldenv.handleEvent(evid,pfltp,aperture,pt1,pt
  2)

52
The Timer Class

• class Timer
• instance variables
• currentTime nat 0
• values
• stepLength nat 100
• operations
• public StepTime () gt ()
• StepTime()
• currentTime currentTime stepLength
• public GetTime () gt nat
• GetTime()
• return currentTime

53
The IO Standard Class

• class IO
• types
• public filedirective ltstartgtltappendgt
• functions
• public writeval_at_p _at_p -gt bool
• public fwriteval_at_pseq1 of char _at_p
  filedirective -gt bool
• public freadval_at_pseq1 of char -gt bool _at_p
• operations
• public echo seq of char gt bool
• public fecho seq of char seq of char
  filedirective gt bool

54
Validation using Overture

• Electronic version contains scenario.txt test
  value
• Alternative input files can be produced
• Use interpreter with
• new World().Run()
• Inspect the result value
• Including timing information
• Inspect test coverage

55
Agenda

• Development Process for RT systems
• The Counter Measure System
• Requirements Capture using VDM-SL
• Sequential VDM Model
• Concurrent VDM Model
• Real-time Distributed VDM Model

56
Moving to a Concurrent Model

• Active threads are introduced in the Environment,
  the MissileDetector, the FlareController and the
  FlareDispenser classes
• Communication between instances must be
  synchronized
• The notion of time is changed to make use of the
  TimeStamp and ClockTick classes
• The CM, GLOBAL, Sensor and IO classes are
  unchanged

57
The Updated Class Diagram
58
Updated World Class

• The constructor now also needs to to start the
  detector thread
• start(CMdetector)
• The Run operation is replaced
• public Run () gt ()
• Run ()
• (-- start the environment
• start (env)
• -- wait for the environment to handle all
  input
• env.isFinished()
• -- wait for the missile detector to finish
• CMdetector.isFinished()
• -- print the result
• env.showResult())

59
Updated Environment Class

• The Run operation is replaced with a thread
• thread
• (
• start(new ClockTick(threadid))
• while WorldtimerRef.GetTime() lt simtime do
• (if busy
• then createSignal()
• WorldtimerRef.WaitRelative(0)
• WorldtimerRef.NotifyAndIncTime()
• WorldtimerRef.Awake()
• )
• busy false
• )
• New instance variable
• simtime Time
• The isFinished operation is simplified and made
  synchronous
• public isFinished () gt ()
• isFinished () skip

60
Updated MissileDetector Class 1

• Step is replaced with a thread
• thread
• while true do
• (def mk_ (evid,pmt, pa, pt) getThreat() in
• for all id in set dom ranges do
• def mk_(papplhs, pappsize) ranges(id) in
• if canObserve(pa, papplhs, pappsize)
• then controllers(id).addThreat(evid,pmt,p
  a,pt)
• busy len threats gt 0 )

61
Updated MissileDetector Class 2

• isFinished change from forall to for all
• public isFinished () gt ()
• isFinished ()
• for all id in set dom controllers do
• controllers(id).isFinished()
• Synchronization constraints are introduced
• sync
• mutex (addThreat,getThreat)
• per getThreat gt len threats gt 0
• per isFinished gt not busy

62
Updating FlareController Class 1

• addDispenser now starts dispenser
• public addDispenser FlareDispenser gt ()
• addDispenser (pfldisp)
• let angle aperture pfldisp.GetAngle() in
• (dcl id nat card dom ranges 1
• atomic
• (ranges ranges munion
• id -gt mk_(angle,
  DISPENSER_APERTURE)
• dispensers dispensers munion id -gt
  pfldisp)
• start (pfldisp) )
• Step is replaced with a thread
• thread
• (while true do
• (def mk_ (evid,pmt, pa, pt) getThreat() in
• for all id in set dom ranges do
• def mk_(papplhs, pappsize) ranges(id)
  in
• if canObserve(pa, papplhs, pappsize)
• then dispensers(id).addThreat(evid,pmt,p
  t)
• busy len threats gt 0 ) )

63
Updating FlareController Class 2

• isFinished change from forall to for all
• public isFinished () gt ()
• isFinished ()
• for all id in set dom dispensers do
• dispensers(id).isFinished()
• Synchronization constraints are introduced
• sync
• mutex (addThreat,getThreat)
• per getThreat gt len threats gt 0
• per isFinished gt not busy

64
FlareDispenser Step is replaced with a thread

• thread
• while true do
• (WorldtimerRef.WaitRelative(TimeStampstepLen
  gth)
• evalQueue()
• WorldtimerRef.Awake())
• operations
• private evalQueue () gt ()
• evalQueue ()
• (if len curplan gt 0
• then (dcl curtime Time WorldtimerRef.GetT
  ime(),
• done bool false
• while not done do
• (dcl first PlanStep hd curplan,
• next Plan tl curplan
• let mk_(fltp, fltime) first in
• (if fltime lt curtime
• then (releaseFlare(eventid,fltp,flt
  ime,curtime)

65
Flaredispenser additional updates

• isFinished is simplified
• public isFinished () gt ()
• isFinished ()
• skip
• Synchronization is introduced
• sync
• mutex (addThreat,evalQueue)
• per isFinished gt not busy

66
The TimeStamp Class 1

• class TimeStamp
• values
• public stepLength nat 10
• instance variables
• currentTime nat 0
• wakeUpMap map nat to nat -gt
• operations
• public WaitRelative nat gt ()
• WaitRelative(val)
• AddToWakeUpMap(threadid, currentTime val)
• AddToWakeUpMap nat nat gt ()
• AddToWakeUpMap(tId, val)
• wakeUpMap wakeUpMap tId -gt val

67
The TimeStamp Class 2

• public NotifyAll () gt ()
• NotifyAll()
• let threadSet set of nat th th in set
  dom wakeUpMap
• 
  wakeUpMap(th) lt currentTime
• in
• for all t in set threadSet
• do
• NotifyThread(t)
• public NotifyAndIncTime () gt ()
• NotifyAndIncTime()
• (currentTime currentTime stepLength
• NotifyAll()
• )
• public GetTime () gt nat
• GetTime()
• return currentTime

68
The TimeStamp Class 3

• sync
• per Awake gt threadid not in set dom wakeUpMap
• mutex(NotifyAll)
• mutex(AddToWakeUpMap)
• mutex(AddToWakeUpMap, NotifyAll)
• end TimeStamp

69
A new ClockTick Class

• class ClockTick is subclass of GLOBAL
• instance variables
• tid int -1
• Operations
• public ClockTick Time gt ClockTick
• ClockTick (t) tid t
• thread while true do
• (
• WorldtimerRef.WaitRelative(1)
• WorldtimerRef.NotifyAll()
• WorldtimerRef.Awake()
• )
• end ClockTick

70
Time Progression in Details 1

• The Environment class makes sure time is
  incremented by invoking NotifyAndIncTime()
• No other threads must call this operation
• All other periodic threads must use this pattern
• PeriodicOperation()
• TimeStamp.WaitRelative(periodSize)
• TimeStamp.NotifyAll()
• TimeStamp.Awake()

71
Time Progression in Details 2

• TimeStamp.WaitRelative() places the thread in the
  wakeUpMap of the TimeStamp class.
• TimeStamp.NotifyAll() wakes up any threads in the
  wakeUpMap whos period is up.
• TimeStamp.Awake() blocks the thread, until it has
  been removed from the wakeUpMap by another thread
  calling TimeStamp.NotifyAll().

72
Validation using Overture

• Electronic version contains scenario.txt test
  value
• Alternative input files can be produced
• Use interpreter with
• new World().Run()
• Inspect the result value
• Including timing information
• Inspect test coverage

73
Agenda

• Development Process for RT systems
• The Counter Measure System
• Requirements Capture using VDM-SL
• Sequential VDM Model
• Concurrent VDM Model
• Real-time Distributed VDM Model

74
Moving to a Real-Time Distributed Model

• The timerRef instance variable is removed
• The ClockTick class is also removed
• The CM class is turned into a system
• CPUs and BUSes are added to CM
• Some operations are made asynchronous
• duration and cycles statements are introduced
• Introduction of periodic threads
• One can also use the new time keyword

75
Periodic Threads

• periodic(period,jitter,delay,offset)(Op)
• Period This is a non-negative, non-zero value
  that describes the length of the time interval
  between two adjacent events in a strictly
  periodic event stream
• Jitter This is a non-negative value that
  describes the amount of time variance that is
  allowed around a single event.
• Delay This is a non-negative value smaller than
  the period which is used to denote the minimum
  inter arrival distance between two adjacent
  events.
• Offset This is a non-negative value which is
  used to denote the absolute time value at which
  the first period of the event stream starts.

76
The Updated Class Diagram
77
Updating the CM Class

• system CM
• instance variables
• cpu1 CPU new CPU (ltFCFSgt,1E6)
• cpu2 CPU new CPU (ltFCFSgt,1E6)
• cpu3 CPU new CPU (ltFPgt,1E9)
• cpu4 CPU new CPU (ltFCFSgt,1E10)
• cpu5 CPU new CPU (ltFCFSgt,1E10)
• cpu6 CPU new CPU (ltFCFSgt,1E10)
• bus1 BUS new BUS (ltFCFSgt,1E3,cpu1,cpu3)
• bus2 BUS new BUS (ltFCFSgt,1E3,cpu2,cpu3)
• bus3 BUS new BUS (ltFCFSgt,1E3,cpu3,cpu4,cpu5,
  cpu6)

78
Deploying Objects to Processors

• public CM () gt CM
• CM ()
• (cpu1.deploy(sensor0)
• cpu1.deploy(sensor1)
• cpu2.deploy(sensor2)
• cpu2.deploy(sensor3)
• cpu3.deploy(detector)
• cpu3.deploy(controller0)
• cpu3.deploy(controller1)
• cpu3.deploy(controller2)
• cpu4.deploy(dispenser0)
• cpu4.deploy(dispenser1)
• cpu4.deploy(dispenser2)
• cpu4.deploy(dispenser3)
• cpu5.deploy(dispenser4)
• cpu5.deploy(dispenser5)
• cpu5.deploy(dispenser6)
• cpu5.deploy(dispenser7)
• cpu6.deploy(dispenser8)

79
Setting Priorities to Operations

• public CM () gt CM
• CM ()
• (cpu1.setPriority(Sensortrip,100)
• cpu2.setPriority(Sensortrip,100)
• cpu3.setPriority(MissileDetectoraddThreat,100)
  
• cpu3.setPriority(FlareControlleraddThreat,80)
  
• cpu4.setPriority(FlareDispenseraddThreat,100)
  
• cpu4.setPriority(FlareDispenserevalQueue,80)
• cpu5.setPriority(FlareDispenseraddThreat,100)
  
• cpu5.setPriority(FlareDispenserevalQueue,80)
• cpu6.setPriority(FlareDispenseraddThreat,100)
  
• cpu6.setPriority(FlareDispenserevalQueue,80)
• )

80
Updating the Environment Class

• private createSignal () gt ()
• createSignal ()
• duration (10)
• (if len inlines gt 0
• then (dcl curtime Time time, done bool
  false
• while not done do
• def mk_ (eventid, pmt, pa, pt) hd
  inlines in
• if pt lt curtime
• then (for all id in set dom ranges
  do
• def mk_(papplhs,pappsize)
  ranges(id) in
• if canObserve(pa,papplhs,pa
  ppsize)
• then sensors(id).trip(event
  id,pmt,pa)
• inlines tl inlines
• done len inlines 0)
• else done true)
• else busy false)
• thread

81
Updating the Sensor Class

• public
• async
• trip MissileType Angle gt ()
• trip (pmt, pa)
• -- log and time stamp the observed threat
• detector.addThreat(pmt,pa,time)
• pre canObserve(pa, aperture, SENSOR_APERTURE)

82
Updating the Missile Detector Class

• public
• async
• addThreat EventId MissileType Angle Time
  gt ()
• addThreat (evid,pmt,pa,pt)
• (threats threats mk_ (evid,pmt,pa,pt)
• busy true )

83
Updating the Flare Controller Class

• public
• async
• addThreat EventId MissileType Angle Time
  gt ()
• addThreat (evid,pmt,pa,pt)
• (threats threats mk_ (evid,pmt,pa,pt)
• busy true )

84
Updating the Flare Dispenser Class 1

• public
• async
• addThreat EventId MissileType Time gt ()
• addThreat (evid, pmt, ptime)
• if missilePriority(pmt) gt curprio
• then (dcl newplan Plan ,
• newtime Time ptime
• -- construct an absolute time plan
• for mk_(fltp, fltime) in responseDB(pmt)
  do
• (newplan newplan mk_ (fltp,
  newtime)
• newtime newtime fltime )
• -- immediately release the first action
• def mk_(fltp, fltime) hd newplan in
• releaseFlare(evid,fltp,fltime,time)
• -- store the rest of the plan
• curplan tl newplan
• eventid evid
• curprio missilePriority(pmt)
• busy true )

85
Updating the Flare Dispenser Class 2

• private
• async
• evalQueue () gt ()
• evalQueue ()
• duration (10)
• (if len curplan gt 0
• then (dcl curtime Time time, done bool
  false
• while not done do
• (dcl first PlanStep hd curplan,
• next Plan tl curplan
• let mk_(fltp, fltime) first in
• if fltime lt curtime
• then (releaseFlare(eventid,fltp,flti
  me,curtime)
• curplan next
• if len next 0
• then (curprio 0
• done true
• busy false ) )
• else done true ) ) )

86
Validation using Overture

• Electronic version contains scenario.txt test
  value
• Alternative input files can be produced
• Use interpreter with
• new World().Run()
• Inspect the result value
• Including timing information
• Inspect test coverage
• Show traces graphically in Overture with the
  realtime log viewer

87
Execution Overview in Log-viewer
88
Detailed Overview at one CPU
89
Summary

• What have I presented today?
• The process of developing real-time distributed
  systems using Overture
• A large counter measures example step by step
• What do you need to do now?
• Complete your concurrent model
• Continue with your project adding real-time and
  distribution
• Present your status to all of us
• Read the VDM-RT guidelines document

90
Quote of the day
There is an essential difference between embedded
and other computing systems since embedded
systems involve computation that is subject to
physical constraints, the powerful separation of
computation (software) from physicality (platform
and environment), which has been one of the
central ideas enabling the science of computing,
does not work for embedded systems.
From T. Henzinger and J. Sifakis, The Embedded
Systens Design Challenge. Proceedings of FM 2006
Formal Methods