CIS 4930/6930: Principles of Cyber-Physical Systems Timed Automata: - PowerPoint PPT Presentation

CIS 4930/6930: Principles of Cyber-Physical Systems Timed Automata: A Case Study Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 1 / 23

A Jobshop Conveyor belt Jobs Jobbers H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 2 / 23

A Jobshop • Assume: two jobbers, and two tools: a hammer and a mallet. • These tools are shared by jobbers. • A job can be easy, hard, or average. • If a job is easy, no tool is used. • If a job is hard, the hammer is used. • Otherwise, either the hammer or the mallet is used. • The belts run around a constant speed, i.e. • jobs appear on one belt from time to time. • Exact timing will be specified later. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 3 / 23

The Actor Model Jobber 1 new finished right belt left belt Hammer Mallet jobs jobs Jobber 2 H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 4 / 23

Modeling Left Belt This belt keeps sending jobs, easy , hard , or average, to the job shop. jobHard ! jobEasy ! l 0 jobAvge ! Three different channels have to be used as UPPAAL does not support passing values through channels. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 5 / 23

Modeling Right Belt jobDone ? l 0 H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 6 / 23

Modeling Tools A tool (hammer or mallet) can be free or taken . get hammer ? get mallet ? free taken free taken free hammer ? free mallet ? H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 7 / 23

Modeling Jobbers work easy easy free hammer ! jobEasy ? ! work r e m m a h aver 1 t e g jobAvge ? avge idle g e t m a l work l e t ! aver 2 jobHard ? free mallet ! get hammer ! work hard hard free hammer ! H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 8 / 23

Timing for Jobbers • [5 , 7] seconds to finish an easy job. • [10 , 12] seconds to finish an average job with the hammer. • [15 , 17] seconds to finish an average job with the mallet. • [20 , 22] seconds to finish a hard job. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 9 / 23

Jobbers with Timing 5 ≥ x work x := 0 easy easy x ≤ 7 r ! m e m jobEasy ? h a e e f r get hammer ! work aver 1 jobAvge ? avge idle get mallet ! work aver 2 jobHard ? f r e e m a l l e t ! get hammer ! work hard hard free hammer ! Timing labeled similarly for other jobs. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 10 / 23

Jobbers with Timing (1) Jobber starts the easy job immediately. x ≥ 5 Urgent locations in UPPAAL. work x := 0 easy easy U x ≤ 7 free hammer ! jobEasy ? get hammer ! work aver 1 jobAvge ? avge idle get mallet ! work aver 2 jobHard ? free mallet ! get hammer ! work hard hard free hammer ! H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 11 / 23

Communications • Whenever a job is ready and a jobber is ready for the next job, the job is transferred immediately. • Whenever a tool is free and a jobber needs it, the tool is transferred immediately. Urgent channels in UPPAAL: whenever two edges → p ′ and q ch ! ch ? → q ′ p − − − are enabled, they take place immediately. In our model, urgent jobEasy, jobHard, jobAvge, get hammer, get mallet, free hammer, free mallet H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 12 / 23

Verification Problem 1 Is it possible that the left belt delivers jobs too fast for the jobbers to handle with the following timing parameters? • An easy job is delivered within jobHard ! [2 , 5] seconds since last delivered job. • An average job is delivered within [4 , 9] seconds since last delivered l 0 jobEasy ! job. • A hard job is delivered within [10 , 12] seconds since last jobAvge ! delivered job. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 13 / 23

Verification Problem 1: Modeling Left Belt l 1 y ≤ 12 y ≥ 10 / y := 0 jobHard ! y := 0 l 2 l 0 y ≥ 2 / y ≤ 5 jobEasy ! y ≥ 4 / y := 0 jobAvge ! l 3 y ≤ 9 What would happen if the left belt is too fast such that jobbers are overwhelmed by too many jobs? H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 14 / 23

Verification Problem 1: Modeling Left Belt l 1 y ≤ 12 y ≥ 10 / y := 0 jobHard ! y := 0 l 2 l 0 y ≥ 2 / y ≤ 5 jobEasy ! y ≥ 4 / y := 0 jobAvge ! l 3 y ≤ 9 What would happen if the left belt is too fast such that jobbers are overwhelmed by too many jobs? deadlock. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 14 / 23

Verification Problem 1: Modeling Left Belt Or, the bad situation can be modeled explicitly. y > 12/ l 1 fail := true y ≤ 12 y ≥ 10 / y := 0 jobHard ! y := 0 y > 5/ fail := true l 0 l 2 Bad y ≥ 2 / y ≤ 5 jobEasy ! y ≥ 4 / y := 0 jobAvge ! / l 3 9 > y e u r y ≤ 9 t = : i l a f H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 15 / 23

Modeling Left Belt: Another versioin In UPPAAL, urgent channels cannot be combined with clock constraints! y = 10 / l 1 l 2 y ≤ 10 y ≤ 12 l 3 jobHard ! y := 0 y ≤ 2 y := 0 l 0 y = 2 / U jobEasy ! y := 0 l 4 jobAvge ! y ≤ 5 l 6 l 5 y ≤ 9 y ≤ 4 y = 4 / H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 16 / 23

Verification Problem 2 Suppose that the right belt runs in a speed such that it can take the finished jobs in every 5 to 6 jobDone ? l 0 seconds. Can it take every finished jobs from the jobbers? H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 17 / 23

Verification Problem 2: Modeling Right Belt l 0 z ≥ 5, jobDone ?/ z ≤ 6 z := 0 H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 18 / 23

Verification Problem 2: Modeling Right Belt l 0 z ≥ 5, jobDone ?/ z ≤ 6 z := 0 z < 5, jobDone ?/ fail := false Bad H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 18 / 23

Verification Problem 2: Modeling Right Belt z > 6/ z := 0 l 0 z ≥ 5, jobDone ?/ z ≤ 6 z := 0 z < 5, jobDone ?/ fail := false Bad H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 18 / 23

Verification Problem 3 Given a sequence of jobs, what is the minimal amount time that all jobs are finished? H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 19 / 23

Verification Problem 3 Given a sequence of jobs, what is the minimal amount time that all jobs are finished? A new model for the left belt. l 2 l 1 l 9 end jobAvge ! jobAvge ! jobHard ! jobHard ! jobAvge ! l 3 l 0 l 8 jobHard ! jobAvge ! jobAvge ! jobHard ! jobEasy ! jobEasy ! l 4 l 5 l 6 l 7 H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 19 / 23

Verification Problem 3 • Need to declare clock now to record the total time when all ten jobs are finished. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 20 / 23

Verification Problem 3 • Need to declare clock now to record the total time when all ten jobs are finished. • Ask UPPAAL to check the following property E<> (left_belt.end && jobber1.idle && jobber2.idle) H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 20 / 23

Verification Problem 3 • Need to declare clock now to record the total time when all ten jobs are finished. • Ask UPPAAL to check the following property E<> (left_belt.end && jobber1.idle && jobber2.idle) • UPPAAL will return a trace showing the satisfaction of the above property. • The trace includes the value of now , but not necessarily the minimal. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 20 / 23

Verification Problem 3 • Need to declare clock now to record the total time when all ten jobs are finished. • Ask UPPAAL to check the following property E<> (left_belt.end && jobber1.idle && jobber2.idle) • UPPAAL will return a trace showing the satisfaction of the above property. • The trace includes the value of now , but not necessarily the minimal. • Go to Menu − → Diagnostic Trace , and select the option Fastest . • UPPAAL will produce a trace including now with the minimal value. H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 20 / 23

Verification Problem 4 Given the same sequence of jobs for Problem 3, what is the maximal amount of time to finish all ten jobs? • Computing the largest value for now can be done indirectly. • Check the property A[] now>=200 imply (left_belt.end && jobber1.idle && jobber2.idle) H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 21 / 23

Verification Problem 4 Given the same sequence of jobs for Problem 3, what is the maximal amount of time to finish all ten jobs? • Computing the largest value for now can be done indirectly. • Check the property A[] now>=200 imply (left_belt.end && jobber1.idle && jobber2.idle) • If satisfied, what does it mean? H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 21 / 23

Verification Problem 4 Given the same sequence of jobs for Problem 3, what is the maximal amount of time to finish all ten jobs? • Computing the largest value for now can be done indirectly. • Check the property A[] now>=200 imply (left_belt.end && jobber1.idle && jobber2.idle) • If satisfied, what does it mean? • It does not necessarily mean the maximal amount of time to finish all ten jobs. Time keeps passing by when the system is in (left_belt.end && jobber1.idle && jobber2.idle) H. Zheng (CSE USF) CIS 4930/6930: Principles of CPS 21 / 23