
Real-Time Systems, Lecture 01: Introduction (PowerPoint PPT Presentation)



Real-Time Systems, Lecture 01: Introduction, 2013-04-16
Dr. Bernd Westphal, Albert-Ludwigs-Universität Freiburg, Germany

Contents & Goals
Last Lecture: ./.
This Lecture: Introduction (IOW: an advertisement for the lecture.)
Educational Objectives:
• Be able to decide whether you want to stay with us or not.
• Agree on formalia.
Content:
• Overview: content (and non-content) of the lecture.
• Definition reactive, real-time, hybrid system.
• Outlook on methodology for precise development of (provably) correct real-time systems.
• Formalia: dates/times, exercises, exam admission.
• Literature
• A formal model of real-time behaviour.

Subject of the Lecture

What is a Real-Time System?
Classical example: Airbag Controller [figure: crash sensor → Controller → fire]
Requirement: "When a crash is detected, fire the airbag."
• When firing too early: airbag ineffective.
• When firing too late: additional threat.
Say, 300ms (plus/minus small ε) after a crash is the right time to fire.
Then the precise requirement is "When a crash is detected at time t, fire the airbag at t + 300 ms ± ε."

What is a Real-Time System?
Other example: Gas Burner [figure: gas valve, flame sensor, ignition, Controller]
• Leakage is practically unavoidable:
  • for ignition, first open valve,
  • then ignite the available gas;
  • ignition may fail...
• Leakage is safety critical: Igniting large amounts of leaked gas may lead to a dangerous explosion.

No, Really, What is a Real-Time System?
• The examples have in common that it matters, when in time the output for a given input (sequence) takes place. For instance,
  • "fire" 300ms after "crash",
  • within any interval of at least 60s, leakage (= have the gas valve open without a flame) amounts to at most 5% of the time. (!)
  Note: quantitative (here) vs. qualitative notions of time (untimed).
• Often: There is a physical environment, which has a notion of time, and which evolves while our controller is computing.
• (Half-) Contrast: vending machine for soft-drinks:
  • If the customer is really thirsty, she'll wait.
  • Neither the usage of a really fast nor of a really slow contemporary controller causes a violation of (timing) requirements.
• (Real) Contrast: transformational systems, such as computing π.

Other Definitions [Douglass, 1999]
• "A real-time system is one that has performance deadlines on its computations and actions."
• Distinguish:
  • "Hard deadlines: performance requirements that absolutely must be met each and every event or time mark." "(Late data can be bad data.)"
  • "Soft deadlines: for instance about average response times." "(Late data is still good.)"
• Design Goal: A timely system, i.e. one meeting its performance requirements.
• Note: performance can in general be any unit of quantities:
  • (discrete) number of steps or processor instructions,
  • (discrete or continuous) number of seconds,
  • etc.

Definitions: Reactive vs. Real-Time vs. Hybrid Systems
• Reactive Systems interact with their environment by reacting to inputs from the environment with certain outputs.
• A Real-Time System is a reactive system which, for certain inputs, has to compute the corresponding outputs within given time bounds.
• A Hybrid System is a real-time system consisting of continuous and discrete components. The continuous components are time-dependent physical variables ranging over a continuous value set.
• A system is called Safety Critical if and only if a malfunction can cause loss of goods, money, or even life.
[figure: nested classes Reactive Systems ⊇ Real-Time Systems ⊇ Hybrid Systems]

The Problem: Constructing Safety-critical RT Systems
• Reactive systems can be partitioned into: [figure: plant (sensors, actuators) and controller]
• "In constructing a real-time system the aim is to control a physically existing environment, the plant, in such a way that the controlled plant satisfies all desired (timing) requirements."
• The design of safety critical (reactive) systems requires a high degree of precision: We want — at best — to be sure that a design meets its requirements.
• Real-time systems are often safety-critical.
• The lecture presents approaches for the precise development of real-time systems based on formal, mathematical methods.

Constructing Safety-critical RT Systems: Examples
[figure: crash sensor → Controller → fire]
"When a crash is detected at time t, fire the airbag at t + 300 ms ± ε."
• A controller program is easy:

    while (true) do
      poll_sensors();
      if (crash) tmr.start(300ms);
      if (tmr.elapsed()) fire := 1;
      update_actuators();
    od

• And likely to be believed to be correct.

Constructing Safety-critical RT Systems: Examples
[figure: gas valve, flame sensor, ignition, Controller]
• Leakage is safety critical: Igniting large amounts of leaked gas may lead to a dangerous explosion.
• Controller program for ignition is easy:

    while (!flame) do
      open_valve();
      wait(t);
      ignite();
    od

• Is it correct? (Here: Is it avoiding dangerous explosions?)

Constructing Safety-critical RT Systems: Examples
• More complicated: additional features. [figure: gas burner controller with an additional "off" input]
• More complicated: distributed implementation. [figure: Sens, m/s, Controller, Act]

Prerequisites for Precise Development of Real-Time Systems
[figure: plant (sensors, actuators) and controller]
To design a controller that (provably) meets its requirements we need
• a formal model of behaviour in (quantitative) time,
• a language to concisely, conveniently specify requirements on behaviour,
• a language to specify behaviour of controllers,
• a notion of "meet" and a methodology to verify (or prove) "meeting".
Then we can devise a methodology to get from requirements to a (correct) implementation — here: following [Olderog and Dierks, 2008].

Sketch of the Methodology: Gas Burner Example
[figure: gas valve, flame sensor, ignition]
• Requirements
  • At most 5% of any at least 60s long interval amounts to leakage.
• Reflective Design
  • Time intervals with leakage last at most 1s.
  • After each leak, wait 30s before opening valve again.
• Constructive Design
  • PLC Automaton (open valve for 0.5s; ignite; if no flame after 0.1s close valve)
• Implementation
  • IEC 61131-3 program
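The methodology sketch above states the gas-burner requirement (at most 5% leakage in any interval of at least 60s) and the two reflective-design decisions that refine it (leak phases of at most 1s, 30s waiting time after each leak). The following is an added example, not code from the lecture or from [Olderog and Dierks, 2008]: a checker that tests one recorded behaviour against both levels. It assumes the behaviour is given as a sorted list of non-overlapping leak phases (start, end) in seconds observed over [0, horizon]; the labels Req, Des-1 and Des-2 and the sample behaviours are this example's own.

```python
# Added example (not from the lecture slides): a checker that tests a recorded
# gas-burner behaviour against the requirement and the two reflective-design
# decisions from the methodology sketch. Assumptions: a behaviour is given as a
# sorted list of non-overlapping leak phases (start, end) in seconds, observed
# over [0, horizon]; the labels Req, Des-1 and Des-2 are this example's names.

REQ_WINDOW = 60.0     # Req: in any interval of at least 60 s ...
REQ_RATIO = 0.05      # ... leakage amounts to at most 5% of the time
DES1_MAX_LEAK = 1.0   # Des-1: a leak phase lasts at most 1 s
DES2_MIN_GAP = 30.0   # Des-2: wait 30 s after a leak before opening the valve again


def leak_within(leaks, b, e):
    """Accumulated leak time of the behaviour inside the interval [b, e]."""
    return sum(max(0.0, min(t, e) - max(s, b)) for s, t in leaks)


def check_design(leaks):
    """Violations of Des-1 / Des-2 as readable strings (empty list = design decisions hold)."""
    problems = []
    for i, (s, t) in enumerate(leaks):
        if t - s > DES1_MAX_LEAK:
            problems.append(f"Des-1: leak [{s:g}, {t:g}] lasts {t - s:g} s > {DES1_MAX_LEAK:g} s")
        if i > 0:
            gap = s - leaks[i - 1][1]
            if gap < DES2_MIN_GAP:
                problems.append(f"Des-2: valve reopened {gap:g} s after leak ending at {leaks[i - 1][1]:g}")
    return problems


def worst_interval(leaks, horizon):
    """Interval [b, e] (length >= 60 s, inside [0, horizon]) with the highest leak ratio.

    The ratio leak(b, e) / (e - b) is piecewise linear in b and e: moving b
    to the right through gas-tight time raises it, moving b to the right
    through a leak lowers it (symmetrically for e). Hence the maximum is
    attained at an interval whose left end is a leak start or 0 and whose
    right end is a leak end or the horizon, or at an interval of exactly
    60 s with one such end, so only those candidates need to be examined.
    Returns (b, e, ratio), or None when the horizon is shorter than 60 s.
    """
    starts = [0.0] + [s for s, _ in leaks]
    ends = [t for _, t in leaks] + [horizon]
    candidates = [(b, e) for b in starts for e in ends]
    candidates += [(b, b + REQ_WINDOW) for b in starts]
    candidates += [(e - REQ_WINDOW, e) for e in ends]
    best = None
    for b, e in candidates:
        if b < 0.0 or e > horizon or e - b < REQ_WINDOW:
            continue
        ratio = leak_within(leaks, b, e) / (e - b)
        if best is None or ratio > best[2]:
            best = (b, e, ratio)
    return best


def check_requirement(leaks, horizon):
    """(True, worst) if Req holds on every admissible interval, else (False, worst)."""
    worst = worst_interval(leaks, horizon)
    if worst is None:      # nothing to check: the observation is shorter than 60 s
        return True, None
    return worst[2] <= REQ_RATIO, worst


if __name__ == "__main__":
    # Constructed behaviours: one produced by a controller obeying Des-1 and
    # Des-2, one with a 4 s leak phase (e.g. ignition kept failing).
    good = [(0.0, 1.0), (31.0, 32.0), (62.0, 63.0), (93.0, 94.0)]
    bad = [(0.0, 4.0), (40.0, 41.0)]
    for name, leaks in (("good", good), ("bad", bad)):
        print(name, "design:", check_design(leaks) or "ok")
        print(name, "requirement:", check_requirement(leaks, 120.0))
```

The checker examines a single recorded behaviour, so a pass is evidence, not proof; the point of the methodology is that Des-1 and Des-2 are chosen so that every behaviour satisfying them satisfies Req, which is what a formal model of time and a verification method establish once and for all. In the constructed "good" behaviour the worst interval is [0, 63] with 3 s of leakage, a ratio of 3/63, which stays below 5%.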
