© 2011 terma a/s 1 vdm-rt: distributed real-time modeling industrial phd student, sune wolff terma...

1© 2011 Terma A/S

VDM-RT: Distributed Real-time Modeling

Industrial PhD Student, Sune Wolff

Terma A/S ([email protected])

Engineering College of Aarhus ([email protected])

2© 2011 Terma A/S

The Presenter

• Sune Wolff, 29 years• B.Sc, Electronic Engineering (2004 – 2006)• Technical Student

• CERN, Frensh-Swiss border (2007)• M.Sc, Technical IT (2008 – 2009)• Research Assistant

• Engineering College og Aarhus (2009)• Industrial PhD Student, Terma A/S (2010 – 2012)

• “Development Process For Multi-Disciplinary Embedded Control Systems”

• Co-simulation of continuous-time and discrete-event models

3© 2011 Terma A/S

Agenda

Development Process for RT systems

• The Counter Measure System

• Requirements Capture using VDM-SL

• Sequential VDM++ Model

• Concurrent VDM++ Model

• Real-time Distributed VDM++ Model

• Co-simulation

4© 2011 Terma A/S

Overview of Development Process

5© 2011 Terma A/S

Reactive Systems

Environment System

Stimuli

Response

• Embedded systems characteristics• Continuously reacting on sensor input, and adjusting actuator

output to reach or maintain a defined setpoint• Example

• Temperature controller• Cruise controller

6© 2011 Terma A/S

Requirements Capture in VDM-SL

• Often an accumulated parameter is used for feedback

operations

PerformSystemReaction: seq of SensorInput ==> seq of ActuatorCommand PerformSystemReaction(inputseq) == if inputseq = [] then [] else SensorTreatment(hd inputseq) ^ PerformSystemReaction(tl inputseq)

7© 2011 Terma A/S

Sequential Design Model

8© 2011 Terma A/S

Typical Design Structure

• An Environment class is needed• A SystemName class is needed• A World class is introduced for setting up both the environment and

the system• World shall contain a Run operation• World have access to some notion of time• The Environment has operation for creating signals to the system

and receiving events from the system• Flow of control resides with the Environment• Each class that do actions has an isFinished operation

9© 2011 Terma A/S

Concurrent Design Model

• Similar to sequential design model but• Identification of threads• Determine necessary communication• Establish synchronization points• Validation of model

• Typical design structure• Flow of control is distributed• Synchronization using permission predicates and mutex• isFinished operations become skip with permission

predicates• A simple Timer class is replaced with the TimeStamp class

10© 2011 Terma A/S

Distributed Real-time Model

• Timing built in:• Use of default cycles• Use of duration and cycles statements• Setting task switching overhead

• Typical Design Structure• SystemName is now turned into a system• CPU’s and BUS’es are introduced inside SystemName• Environment may be turned into a system• Some operations are made asynchronous• Some Step like threads are made periodic• Explicit use of TimeStamp is removed

11© 2011 Terma A/S

Agenda


The Counter Measure System

• Requirements Capture using VDM-SL




• Co-simulation

12© 2011 Terma A/S

Counter Measure System

13© 2011 Terma A/S

System Description

• Counter Measure (CM) is a combination of evasive maneuvers and a timed sequence of flares released

• CM depends on type of threat and incoming angle• Threat sensors pass threat info to the controller• Flare dispensers are placed around the aircraft• A sequence of flares are fired to counter the threat (no

maneuver in this model)• Assumption: only two types of flares are equiped

14© 2011 Terma A/S

Requirements

• If while reacting to a given threat from an angle, another threat is sensed in the same angle area, the system should check the priority of the more recent threat and, if greater than the previous one, should abort computation of the current firing sequence. Computation of the new firing sequence should then take place.

• If different threats are sensed with angles that are treated by different flare dispensers the corresponding firing sequences shall be performed in parallel.

• The controller must be capable of sending the first flare release command within 250 ms of receiving threat information from the sensor.

• The controller must be able to abort a firing sequence within 130 ms.

15© 2011 Terma A/S

Example CM Responses

16© 2011 Terma A/S

Agenda



Requirements Capture using VDM-SL




• Co-simulation

17© 2011 Terma A/S

CM Model

• Please get hold of the four models (SL, PP seq, PP conc, RT)• http://sourceforge.net/projects/overture/files/Examples/

• Get this slideshow from CourseAdmin

18© 2011 Terma A/S

VDM-SL Input/Output Types

types MissileInputs = seq of MissileInput;

MissileInput = MissileType * Angle;

MissileType = <MissileA> | <MissileB> | <MissileC> | <None>;

Angle = natinv num == num <= 360;

Output = map MagId to seq of OutputStep;

OutputStep = FlareType * AbsTime;

AbsTime = nat;

20© 2011 Terma A/S

VDM-SL Value Definition

valuesresponseDB : map MissileType to Plan = {<MissileA> |-> [mk_(<FlareOneA>,900), mk_(<FlareTwoA>,500), mk_(<DoNothingA>,100), mk_(<FlareOneA>,500)], <MissileB> |-> [mk_(<FlareTwoB>,500), mk_(<FlareTwoB>,700)], <MissileC> |-> [mk_(<FlareOneC>,400), mk_(<DoNothingC>,100), mk_(<FlareTwoC>,400), mk_(<FlareOneC>,500)] };

missilePriority : map MissileType to nat = {<None> |-> 0, <MissileA> |-> 1, <MissileB> |-> 2, <MissileC> |-> 3};

stepLength : nat = 100

21© 2011 Terma A/S

CM Functionality

CounterMeasures: MissileInputs -> OutputCounterMeasures(missileInputs) == CM(missileInputs,{|->},{|->},0);

The CM parameters are:missileInputs: This parameter contains the missile input which has not yet been

considered in the analysis of which flares should be fired. Recursion is done over this parameter such that in each recursive call this sequence will be one smaller.

outputSoFar: This parameter contains a mapping from the magazine identifiers to the flare sequence expected to be fired (and their expected firing time) given the missile inputs taken into account so far. This is the accumulating parameter which at the end will contain the final result.

lastMissile: This parameter contains mapping from the magazine identifier to the last missile which has had effect on the output so far relative to the MagId. The priority of this missile is important in relation to the next missile arriving.

curTime: This parameter specifies the time at which this missile has been detected (a multiple of stepLength).

22© 2011 Terma A/S

The CM Function

CM: MissileInputs * Output * map MagId to [MissileType] * nat -> OutputCM( missileInputs, outputSoFar, lastMissile, curTime) == if missileInputs = [] then outputSoFar else let mk_(curMis,angle) = hd missileInputs, magid = Angle2MagId(angle) in if magid not in set dom lastMissile or (magid in set dom lastMissile and missilePriority(curMis) > missilePriority(lastMissile(magid))) then let newOutput = InterruptPlan(curTime,outputSoFar, responseDB(curMis), magid) in CM(tl missileInputs, newOutput, lastMissile ++ {magid |-> curMis}, curTime + stepLength) else CM(tl missileInputs, outputSoFar, lastMissile,curTime + stepLength);

23© 2011 Terma A/S

Interrupting a Plan

InterruptPlan: nat * Output * Plan * MagId -> OutputInterruptPlan(curTime,expOutput,plan,magid) == {magid |-> (if magid in set dom expOutput then LeavePrefixUnchanged(expOutput(magid), curTime) else []) ^ MakeOutputFromPlan(curTime, plan)} munion

({magid} <-: expOutput);

LeavePrefixUnchanged: seq of OutputStep * nat -> seq of OutputStepLeavePrefixUnchanged(output_l, curTime) == [output_l(i) | i in set inds output_l & let mk_(-,t) = output_l(i) in t <= curTime]

24© 2011 Terma A/S

Converting Plan to Output

MakeOutputFromPlan : nat * seq of Response -> seq of OutputStepMakeOutputFromPlan(curTime, response) == let output = OutputAtTimeZero(response) in [let mk_(flare,t) = output(i) in mk_(flare,t+curTime) | i in set inds output];

OutputAtTimeZero : seq of Response -> seq of OutputStepOutputAtTimeZero(response) == let absTimes = RelativeToAbsoluteTimes(response) in let mk_(firstFlare,-) = hd absTimes in [mk_(firstFlare,0)] ^ [ let mk_(-,t) = absTimes(i-1), mk_(f,-) = absTimes(i) in mk_(f,t) | i in set {2,...,len absTimes}];

25© 2011 Terma A/S

Validation using Overture

• Electronic version contains three test values• Use interpreter with:

• ”CounterMeassures(testval1)”• ”CounterMeassures(testval2)”• ”CounterMeassures(testval3)”

• Inspect the result values• Including timing information• Inspect test coverage

26© 2011 Terma A/S

Agenda




Sequential VDM++ Model



• Co-simulation

27© 2011 Terma A/S


The classes are:• CM: This is the overall system class (a SystemName class) that creates static public

instances for all the system components. • World: The main class, used to combine the system classes and the environment and

allow execution of scenarios.• Environment: This is used for modelling the environment (in this case the sensors

providing input for the system).• Sensor: A class for modelling the hardware used to sense the arrival of missiles with a

given angle.• MissileDetector: A class which takes information from the Sensor and passes it to

one of the FlareController's.• FlareController: A class which controls outputs of flares for a given detected missile

using a number of flare dispensers.• FlareDispenser: A class which master the actual firing of flares depending upon the

type of the missile.• Timer: A timer class used to step time throughout the sequential VDM++ model.• IO: A VDM++ standard library class.• GLOBAL: This is a superclass providing a number of general definitions used by a

number of the system and environment classes.

28© 2011 Terma A/S

Class Diagram

29© 2011 Terma A/S

System Dimensions

• 4 sensors covering 90 degrees each• 1 missile detector;• 3 flare controllers covering 120 degrees of angle

each controlling 4 flare dispensers;• 12 flare dispensers coping with 30 degrees of each.

30© 2011 Terma A/S

Exercise

• Four groups• Environment + Sensor• Missile detector• Flare controller• Flare dispenser

• 15 min preparation• 5-10 min presentation

32© 2011 Terma A/S

The Global Class Operations

operations

public canObserve: Angle * Angle * Angle ==> boolcanObserve (pangle, pleft, psize) == def pright = (pleft + psize) mod 360 in if pright < pleft -- check between [0,pright> and [pleft,360> then return (pangle < pright or pangle >= pleft) -- check between [pleft, pright> else return (pangle >= pleft and pangle < pright); public getAperture: () ==> Angle * AnglegetAperture () == is subclass responsibility;

end GLOBAL

33© 2011 Terma A/S

Tne Environment Class

class Environment is subclass of GLOBAL

types

public inline = EventId * MissileType * Angle * Time;public outline = EventId * FlareType * Angle * Time * Time;

instance variablesio : IO := new IO();

inlines : seq of inline := [];outlines : seq of outline := [];

ranges : map nat to (Angle * Angle) := {|->};sensors : map nat to Sensor := {|->};inv dom ranges = dom sensors;

busy : bool := true;

34© 2011 Terma A/S

Environment Setup Operations

operations

public Environment: seq of char ==> EnvironmentEnvironment (fname) == def mk_ (-,input) = io.freadval[seq of inline](fname) in inlines := input;

public addSensor: Sensor ==> ()addSensor (psens) == ( dcl id : nat := card dom ranges + 1; atomic ( ranges := ranges munion {id |-> psens.getAperture()}; sensors := sensors munion {id |-> psens} ) );

35© 2011 Terma A/S

Environment Run Operation

public Run: () ==> ()

Run () ==

(while not (isFinished() and CM`detector.isFinished()) do

(createSignal();

CM`detector.Step();

World`timerRef.StepTime();

);

showResult()

);

36© 2011 Terma A/S

Create Signal

private createSignal: () ==> ()createSignal () == ( if len inlines > 0 then (dcl curtime : Time := World`timerRef.GetTime(), done : bool := false; while not done do def mk_ (eventid, pmt, pa, pt) = hd inlines in if pt <= curtime then (for all id in set dom ranges do def mk_(papplhs,pappsize) = ranges(id) in if canObserve(pa,papplhs,pappsize) then sensors(id).trip(eventid,pmt,pa); inlines := tl inlines; done := len inlines = 0) else done := true) else busy := false);

37© 2011 Terma A/S

The Sensor Class

class Sensor is subclass of GLOBAL

instance variables

private detector : MissileDetector;private aperture : Angle;

operations

public Sensor: MissileDetector * Angle ==> SensorSensor (pmd,psa) == (detector := pmd; aperture := psa);

public getAperture: () ==> GLOBAL`Angle * GLOBAL`AnglegetAperture () == return mk_ (aperture, SENSOR_APERTURE);

public trip: EventId * MissileType * Angle ==> ()trip (evid, pmt, pa) == -- log and time stamp the observed threat CM`detector.addThreat(evid, pmt,pa,World`timerRef.GetTime())pre canObserve(pa, aperture, SENSOR_APERTURE)

end Sensor

38© 2011 Terma A/S

Missile Detector and Controllers

class MissileDetector is subclass of GLOBAL

instance variables

ranges : map nat to (Angle * Angle) := {|->};controllers : map nat to FlareController := {|->};inv dom ranges = dom controllers;

threats : seq of (EventId * MissileType * Angle * Time) := [];

busy : bool := false

operations

public addController: FlareController ==> ()addController (pctrl) == (dcl nid : nat := card dom ranges + 1; atomic (ranges := ranges munion {nid |-> pctrl.getAperture()}; controllers := controllers munion {nid |-> pctrl} ); );

39© 2011 Terma A/S

Stepping a Missile Detector

public Step: () ==> ()Step() == (if threats <> [] then def mk_ (evid,pmt, pa, pt) = getThreat() in for all id in set dom ranges do def mk_(papplhs, pappsize) = ranges(id) in if canObserve(pa, papplhs, pappsize) then controllers(id).addThreat(evid,pmt,pa,pt); busy := len threats > 0; for all id in set dom controllers do controllers(id).Step() );

40© 2011 Terma A/S

Missile Detector Handling Threats

public addThreat: EventId * MissileType * Angle * Time ==> ()addThreat (evid,pmt,pa,pt) == (threats := threats ^ [mk_ (evid,pmt,pa,pt)]; busy := true );

private getThreat: () ==> EventId * MissileType * Angle * TimegetThreat () == (dcl res : EventId * MissileType * Angle * Time := hd threats; threats := tl threats; return res );

public isFinished: () ==> boolisFinished () == return forall id in set dom controllers & controllers(id).isFinished()

end MissileDetector

41© 2011 Terma A/S

Flare Controller Setup Operations

class FlareController is subclass of GLOBAL

instance variables

private aperture : Angle;ranges : map nat to (Angle * Angle) := {|->};dispensers : map nat to FlareDispenser := {|->};inv dom ranges = dom dispensers;threats : seq of (EventId * MissileType * Angle * Time) := [];busy : bool := false

operations

public FlareController: Angle ==> FlareControllerFlareController (papp) == aperture := papp;

public addDispenser: FlareDispenser ==> ()addDispenser (pfldisp) == let angle = aperture + pfldisp.GetAngle() in (dcl id : nat := card dom ranges + 1; atomic (ranges := ranges munion {id |-> mk_(angle, DISPENSER_APERTURE)}; dispensers := dispensers munion {id |-> pfldisp}); );

42© 2011 Terma A/S

Stepping the Flare Controller

public Step: () ==> ()Step() == (if threats <> [] then def mk_ (evid,pmt, pa, pt) = getThreat() in for all id in set dom ranges do def mk_(papplhs, pappsize) = ranges(id) in if canObserve(pa, papplhs, pappsize) then dispensers(id).addThreat(evid,pmt,pt); busy := len threats > 0; for all id in set dom dispensers do dispensers(id).Step());

43© 2011 Terma A/S

Flare Controller Handling Threats

public getAperture: () ==> GLOBAL`Angle * GLOBAL`AnglegetAperture () == return mk_(aperture, FLARE_APERTURE);

public addThreat: EventId * MissileType * Angle * Time ==> ()addThreat (evid,pmt,pa,pt) == (threats := threats ^ [mk_ (evid,pmt,pa,pt)]; busy := true );

private getThreat: () ==> EventId * MissileType * Angle * TimegetThreat () == (dcl res : EventId * MissileType * Angle * nat := hd threats; threats := tl threats; return res );

public isFinished: () ==> boolisFinished () == return forall id in set dom dispensers & dispensers(id).isFinished();

end FlareController

44© 2011 Terma A/S

Flare Dispenser Constants

class FlareDispenser is subclass of GLOBAL

values

responseDB : map MissileType to Plan = {<MissileA> |-> [mk_(<FlareOneA>,900), mk_(<FlareTwoA>,500), mk_(<DoNothingA>,100), mk_(<FlareOneA>,500)], <MissileB> |-> [mk_(<FlareTwoB>,500), mk_(<FlareTwoB>,700)], <MissileC> |-> [mk_(<FlareOneC>,400), mk_(<DoNothingC>,100), mk_(<FlareTwoC>,400), mk_(<FlareOneC>,500)] };

missilePriority : map MissileType to nat = { <None> |-> 0, <MissileA> |-> 1, <MissileB> |-> 2, <MissileC> |-> 3 }

45© 2011 Terma A/S

Flare Dispenser Setup Operations

types

public Plan = seq of PlanStep;

public PlanStep = FlareType * Time;

instance variables

public curplan : Plan := [];curprio : nat := 0;busy : bool := false;aperture : Angle;eventid : [EventId];

operations

public FlareDispenser: nat ==> FlareDispenserFlareDispenser(ang) == aperture := ang;

public GetAngle: () ==> natGetAngle() == return aperture;

46© 2011 Terma A/S

Stepping the Flare Dispenser

public Step: () ==> ()Step() == if len curplan > 0 then (dcl curtime : Time := World`timerRef.GetTime(), first : PlanStep := hd curplan, next : Plan := tl curplan; let mk_(fltp, fltime) = first in (if fltime <= curtime then (releaseFlare(eventid,fltp,fltime,curtime); curplan := next; if len next = 0 then (curprio := 0; busy := false ) ) ) );

47© 2011 Terma A/S

Flare Dispenser Handling Threats

public addThreat: EventId * MissileType * Time ==> ()addThreat (evid, pmt, ptime) == if missilePriority(pmt) > curprio then (dcl newplan : Plan := [], newtime : Time := ptime; for mk_(fltp, fltime) in responseDB(pmt) do (newplan := newplan ^ [mk_ (fltp, newtime)]; newtime := newtime + fltime ); def mk_(fltp, fltime) = hd newplan in releaseFlare(evid,fltp,fltime, World`timerRef.GetTime()); curplan := tl newplan; eventid := evid; curprio := missilePriority(pmt); busy := true )pre pmt in set dom missilePriority and pmt in set dom responseDB;;

private releaseFlare: EventId * FlareType * Time * Time ==> ()releaseFlare (evid,pfltp, pt1, pt2) == World`env.handleEvent(evid,pfltp,aperture,pt1,pt2);

public isFinished: () ==> boolisFinished () == return not busy

end FlareDispenser

48© 2011 Terma A/S

Validation Using Overture

• Electronic version contains scenario.txt test value• Alternative input files can be produced• Use interpreter with:

• ”new World().Run() ”• Inspect the result value• Including timing information• Inspect test coverage

49© 2011 Terma A/S

Agenda





Concurrent VDM++ Model


• Co-simulation

50© 2011 Terma A/S

What has Changed?

• Exercise – 10 minutes• Discuss with your neighbour what has been changed from the

sequential model to the concurrent model.

51© 2011 Terma A/S

Moving to Concurrent Model

• Active threads are introduced in the Environment, the MissileDetector, the FlareController and the FlareDispenser classes

• Communication between instances must be synchronized

• The notion of time is changed to make use of the TimeStamp and ClockTick classes

• The CM, GLOBAL, Sensor and IO classes are unchanged

52© 2011 Terma A/S

Updated Class Diagram

53© 2011 Terma A/S

The Time Stamp Class 1/3

class TimeStamp

values

public stepLength : nat = 10;

instance variables currentTime : nat := 0;wakeUpMap : map nat to nat := {|->};

operations

public WaitRelative : nat ==> ()WaitRelative(val) == AddToWakeUpMap(threadid, currentTime + val);

AddToWakeUpMap : nat * nat ==> ()AddToWakeUpMap(tId, val) == wakeUpMap := wakeUpMap ++ { tId |-> val };

NotifyThread(tId) == wakeUpMap := {tId} <-: wakeUpMap;

54© 2011 Terma A/S


public NotifyAll : () ==> ()NotifyAll() == let threadSet : set of nat = {th | th in set dom wakeUpMap & wakeUpMap(th) <= currentTime } in for all t in set threadSet do NotifyThread(t);

public NotifyAndIncTime : () ==> ()NotifyAndIncTime() == (currentTime := currentTime + stepLength; NotifyAll(); );

public GetTime : () ==> natGetTime() == return currentTime;

public Awake: () ==> ()Awake() == skip;

55© 2011 Terma A/S


sync

per Awake => threadid not in set dom wakeUpMap;

mutex(NotifyAll);

mutex(AddToWakeUpMap);

mutex(AddToWakeUpMap, NotifyAll);

end TimeStamp

56© 2011 Terma A/S

Time Progression

• The Environment class makes sure time is incremented by invoking NotifyAndIncTime()

• No other threads must call this operation• All other periodic threads must use this pattern:

PeriodicOperation(); TimeStamp.WaitRelative(periodSize); TimeStamp.NotifyAll();TimeStamp.Awake();

• TimeStamp.WaitRelative() places the thread in the wakeUpMap of the TimeStamp class.

• TimeStamp.NotifyAll() wakes up any threads in the wakeUpMap whos period is up.

• TimeStamp.Awake() blocks the thread, until it has been removed from the wakeUpMap by another thread calling TimeStamp.NotifyAll().

57© 2011 Terma A/S

New Clock Tick Class

class ClockTick is subclass of GLOBAL

instance variables tid : int := -1

operations

public ClockTick : Time ==> ClockTickClockTick (t) == tid := t;

thread while true do ( World`timerRef.WaitRelative(1); World`timerRef.NotifyAll(); World`timerRef.Awake(); )

end ClockTick

58© 2011 Terma A/S

Updated Environment Class

• The Run operation is replaced with a threadthread( start(new ClockTick(threadid)); while World`timerRef.GetTime() < simtime do (if busy then createSignal(); World`timerRef.WaitRelative(0); World`timerRef.NotifyAndIncTime(); World`timerRef.Awake(); ); busy := false)

• New instance variablesimtime : Time

• The isFinished operation is simplified and made synchronouspublic isFinished : () ==> ()isFinished () == skip;

syncmutex(handleEvent);mutex(createSignal);per isFinished => not busy;

59© 2011 Terma A/S



• ”new World().Run() ”• Inspect the result value• Including timing information• Inspect test coverage

61© 2011 Terma A/S

What has Changed?

• Exercise – 10 minutes• Discuss with your neighbour what has been changed from the

concurrent model to the distributed real-time model.

62© 2011 Terma A/S

Moving to a Distributed Real-time Model

• The timerRef instance variable is removed• The ClockTick class is also removed• The CM class is turned into a system• CPU’s and BUS’es are added to CM• Some operations are made asynchronous• duration and cycles statements are introduced• Introduction of periodic threads• One can also use the new time keyword

63© 2011 Terma A/S

Periodic Threads

periodic(period,jitter,delay,offset)(Op)

Period: This is a non-negative, non-zero value that describes the length of the time interval between two adjacent events in a strictly periodic event stream

Jitter: This is a non-negative value that describes the amount of time variance that is allowed around a single event.

Delay: This is a non-negative value smaller than the period which is used to denote the minimum inter arrival distance between two adjacent events.

Offset: This is a non-negative value which is used to denote the absolute time value at which the first period of the event stream starts.

65© 2011 Terma A/S

The CM System Class

system CM

instance variablescpu1 : CPU := new CPU (<FCFS>,1E6);cpu2 : CPU := new CPU (<FCFS>,1E6);cpu3 : CPU := new CPU (<FP>,1E9);cpu4 : CPU := new CPU (<FCFS>,1E10);cpu5 : CPU := new CPU (<FCFS>,1E10);cpu6 : CPU := new CPU (<FCFS>,1E10);bus1 : BUS := new BUS (<FCFS>,1E3,{cpu1,cpu3});bus2 : BUS := new BUS (<FCFS>,1E3,{cpu2,cpu3});bus3 : BUS := new BUS (<FCFS>,1E3,{cpu3,cpu4,cpu5,cpu6});

66© 2011 Terma A/S

Deploying Objects

public CM: () ==> CMCM () == (cpu1.deploy(sensor0); cpu1.deploy(sensor1); cpu2.deploy(sensor2); cpu2.deploy(sensor3); cpu3.deploy(detector); cpu3.deploy(controller0); cpu3.deploy(controller1); cpu3.deploy(controller2); cpu4.deploy(dispenser0); cpu4.deploy(dispenser1); cpu4.deploy(dispenser2); cpu4.deploy(dispenser3);

…)

67© 2011 Terma A/S

Setting Priority to Operations

public CM: () ==> CMCM () == (cpu3.setPriority(MissileDetector`addThreat,100); cpu3.setPriority(FlareController`addThreat,80); )

68© 2011 Terma A/S

Asynchronous Operations

class Sensor

operations

public async trip: MissileType * Angle ==> ()

trip (pmt, pa) ==

-- log and time stamp the observed threat

detector.addThreat(pmt,pa,time)

pre canObserve(pa, aperture, SENSOR_APERTURE)

end Sensor

69© 2011 Terma A/S



• ”new World().Run() ”• Inspect the result value• Including timing information• Inspect test coverage• Show traces graphically in Overture with the realtime

log viewer

73© 2011 Terma A/S

What is Lacking in the CM Model?

• Purpose of the CM model• Analyse timing constraints on response• Interrupting plan• Evaluate different distribution strategies (in the VDM-RT model)

• What about the physical world?• Aircraft movement (ex. evasive maneuvers)• Flare trajectory

74© 2011 Terma A/S

Why Model the Physical World?

• CM programs are designed for level flight• What happens if the aircraft does an evasive maneuver while

dispensing flares?• How will the generated thermal picture differ from the intended

one?• Can we counter this change by altering the delays specified in

the threat response?

77© 2011 Terma A/S

Purpose of Model

1. Analyze how much the thermal picture is distorted during different maneuvers

• Which maneuver distorts the thermal picture the most?• Is there any need for changing the sequence?

2. Develop algorithm that changes the sequence of flares at run-time to counter the distortion

• Can the algorithm ensure that the original picture is drawn no matter which maneuver the aircraft is doing?

• Can the algorithm draw ”any” picture? Ex. make it look like the aircraft is flying in another direction?

78© 2011 Terma A/S

Exercise – 10 minutes

• How would you make a model of this?• Can it be done purely in VDM?

• Why / why not?• How would you do it?

• Pros and cons

79© 2011 Terma A/S

Destecs Project

Overture – discrete event 20-sim – continuous time

20-sim – 3d animation

Stimuli

Response

80© 2011 Terma A/S

Short demo

2

2 ACvF dd

DispenseForce

DragForce flareinitialflare onaccelerativv

flare

ddispenseflare mass

FFonaccelerati

flareinitialflare vpositionposition

Drag coefficient

© 2011 terma a/s 1 vdm-rt: distributed real-time modeling industrial phd student, sune wolff terma...

Documents