Safety Contracts for Timed Reactive Components Iulia Dragomir , - - PowerPoint PPT Presentation

Safety Contracts for Timed Reactive Components

Iulia Dragomir, Iulian Ober and Christian Percebois

IRIT - University of Toulouse

March 21, 2013

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 1 / 38

Outline

1 Motivation 2 Contract-based Reasoning 3 Component framework: Timed Input/Output Automata 4 A toy example 5 Contract framework for Timed Input/Output Automata 6 Applying contract-based reasoning on the toy example 7 Conclusions Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 2 / 38

Outline

1 Motivation Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 3 / 38

Context & Problematics

Context: development of component-based critical real-time embedded systems Let S be a component-based system and ϕ1, · · · , ϕn a set of requirements.

• A requirement is in general satisfied by the collaboration of a set of

components

• Each component is involved in the satisfaction of several requirements
• ⇒ component abstractions

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 4 / 38

Context & Problematics

Context: development of component-based critical real-time embedded systems Let S be a component-based system and ϕ1, · · · , ϕn a set of requirements.

• A requirement is in general satisfied by the collaboration of a set of

components

• Each component is involved in the satisfaction of several requirements
• ⇒ component abstractions

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 4 / 38

Context & Problematics

Context: development of component-based critical real-time embedded systems Let S be a component-based system and ϕ1, · · · , ϕn a set of requirements.

• A requirement is in general satisfied by the collaboration of a set of

components

• Each component is involved in the satisfaction of several requirements
• ⇒ component abstractions

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 4 / 38

Context & Problematics

Context: development of component-based critical real-time embedded systems Let S be a component-based system and ϕ1, · · · , ϕn a set of requirements.

• A requirement is in general satisfied by the collaboration of a set of

components Each component is involved in the satisfaction of several requirements

• ⇒ component abstractions

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 4 / 38

Context & Problematics

Context: development of component-based critical real-time embedded systems Let S be a component-based system and ϕ1, · · · , ϕn a set of requirements.

• A requirement is in general satisfied by the collaboration of a set of

components Each component is involved in the satisfaction of several requirements

• ⇒ the need for components abstractions

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 4 / 38

Verification by abstractions

• Not sufficient!

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Not sufficient!

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Not sufficient!

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Not sufficient!

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Not sufficient!

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Not sufficient!

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Deadlock due to the

abstraction → Not sufficient

• An abstraction has to be

correct in a context → usage of contracts

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Deadlock due to the

abstraction → Not sufficient!

• An abstraction has to be

correct in a context → usage of contracts

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Deadlock due to the

abstraction → Not sufficient! An abstraction has to be correct in a context → usage of contracts

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Verification by abstractions

• Deadlock due to the

abstraction → Not sufficient! An abstraction has to be correct in a context → usage of contracts

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 5 / 38

Introducing contracts

• Contract:
• defines partial and abstract

component specification for

• ne component and one

requirement

• is a pair (assumption,

guarantee)

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 6 / 38

Introducing contracts

• Contract:

defines partial and abstract component specification for

• ne component and one

requirement

• is a pair (assumption,

guarantee)

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 6 / 38

Introducing contracts

• Contract:

defines partial and abstract component specification for

• ne component and one

requirement is a pair (assumption, guarantee)

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 6 / 38

Using contracts: why?

Requirement specification and decomposition

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 7 / 38

Using contracts: why?

Requirement specification and decomposition Mapping and tracing requirements

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 7 / 38

Using contracts: why?

Requirement specification and decomposition Mapping and tracing requirements Model reviews

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 7 / 38

Using contracts: why?

Requirement specification and decomposition Mapping and tracing requirements Model reviews Verification of system designs (in SysML)

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 7 / 38

Outline

2 Contract-based Reasoning Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 8 / 38

Contract-based Reasoning

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 9 / 38

Contract-based Reasoning

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 9 / 38

Contract-based Reasoning

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 9 / 38

Contract-based Reasoning

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 9 / 38

Contract-based Reasoning

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 9 / 38

Contract-based Reasoning

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 9 / 38

Contract-based Reasoning

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 9 / 38

Contract-based approach for component-based systems

Formalization of component framework

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 10 / 38

Contract-based approach for component-based systems

Formalization of component framework Verification relations

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 10 / 38

Contract-based approach for component-based systems

Formalization of component framework Verification relations

1

Contract satisfaction

2

Dominance between contracts

3

Conformance

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 10 / 38

Outline

3 Component framework: Timed Input/Output Automata Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 11 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q, θ,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q, θ, I,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q, θ, I, O,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q, θ, I, O, V ,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q, θ, I, O, V , H,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q, θ, I, O, V , H, D,

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Component: Timed Input/Output Automaton

Definition

Timed input/output automaton A = (X, Clk, Q, θ, I, O, V , H, D, T )

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 12 / 38

Properties of a timed input/output automaton

1 Existence of point trajectories: ∀x ∈ Q, γ(x) : [0, 0] → x ∈ T Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 13 / 38

Properties of a timed input/output automaton

1 Existence of point trajectories: ∀x ∈ Q, γ(x) : [0, 0] → x ∈ T 2 Prefix, suffix and concatenation closure of T Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 13 / 38

Properties of a timed input/output automaton

1 Existence of point trajectories: ∀x ∈ Q, γ(x) : [0, 0] → x ∈ T 2 Prefix, suffix and concatenation closure of T 3 Input actions enabling: ∀x ∈ Q, ∀a ∈ I, ∃x′ ∈ Q such that x ?a

→ x′

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 13 / 38

Properties of a timed input/output automaton

1 Existence of point trajectories: ∀x ∈ Q, γ(x) : [0, 0] → x ∈ T 2 Prefix, suffix and concatenation closure of T 3 Input actions enabling: ∀x ∈ Q, ∀a ∈ I, ∃x′ ∈ Q such that x ?a

→ x′

4 Time-passage enabling: ∀x ∈ Q, ∃τ ∈ T such that τ(0) = x and

either

τ.limit time = ∞ or τ is closed and some l ∈ O ∪ V ∪ H is enabled is τ(τ.limit time)

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 13 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0]

• Trace: sequence of time-passage lengths and external actions

Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, δ]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, δ]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, δ][0, δ]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, δ][0, δ]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0][0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0][0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA behaviour

• Execution fragment: sequence of trajectories and actions

Example: α = [0, 0]!a[0, δ]ǫ[0, δ]?b[0, 0]c[0, 0]↓ b[0, 0] Trace: sequence of time-passage lengths and external actions Example: trace(α) = [0, 0]!a[0, 2 ∗ δ]?b[0, 0]c[0, 0]

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 14 / 38

TIOA composition

Composition compatibility: Yi ∩ Yj = Hi ∩ Aj = Vi ∩ Aj = Oi ∩ Oj = Ii ∩ Ij = ∅, for i = j

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 15 / 38

TIOA composition

Composition compatibility: Yi ∩ Yj = Hi ∩ Aj = Vi ∩ Aj = Oi ∩ Oj = Ii ∩ Ij = ∅, for i = j Parallel composition: x1

a

→ x′

1

(x1 ∪ x2)

a

→ (x′

1 ∪ x2)

(a ∈ A1 \ A2) x2

a

→ x′

2

(x1 ∪ x2)

a

→ (x1 ∪ x′

2)

(a ∈ A2 \ A1)

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 15 / 38

TIOA composition

Composition compatibility: Yi ∩ Yj = Hi ∩ Aj = Vi ∩ Aj = Oi ∩ Oj = Ii ∩ Ij = ∅, for i = j Parallel composition: x1

a

→ x′

1

(x1 ∪ x2)

a

→ (x′

1 ∪ x2)

(a ∈ A1 \ A2) x2

a

→ x′

2

(x1 ∪ x2)

a

→ (x1 ∪ x′

2)

(a ∈ A2 \ A1) x1

a

→ x′

1 ∧ x2 a

→ x′

2

(x1 ∪ x2)

a

→ (x′

1 ∪ x′ 2)

(a ∈ (A1 ∩ A2) ∪ (T1 ∧ T2))

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 15 / 38

TIOA composition

Composition compatibility: Yi ∩ Yj = Hi ∩ Aj = Vi ∩ Aj = Oi ∩ Oj = Ii ∩ Ij = ∅, for i = j Parallel composition: x1

a

→ x′

1

(x1 ∪ x2)

a

→ (x′

1 ∪ x2)

(a ∈ A1 \ A2) x2

a

→ x′

2

(x1 ∪ x2)

a

→ (x1 ∪ x′

2)

(a ∈ A2 \ A1) x1

a

→ x′

1 ∧ x2 a

→ x′

2

(x1 ∪ x2)

a

→ (x′

1 ∪ x′ 2)

(a ∈ (A1 ∩ A2) ∪ (T1 ∧ T2))

Theorem

The parallel composition operator is commutative and associative.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 15 / 38

Outline

4 A toy example Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 16 / 38

Running example

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 17 / 38

Property ϕ to be checked

Property

Given δ1 < δ2, the subsystem doesn’t emit consecutive a’s or b’s.

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 18 / 38

Outline

5 Contract framework for Timed Input/Output Automata Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 19 / 38

Formal contract

Component K: a timed input/output automaton

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 20 / 38

Formal contract

Component K: a timed input/output automaton Closed component: I = O = ∅ Open component: it is not closed

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 20 / 38

Formal contract

Component K: a timed input/output automaton Closed component: I = O = ∅ Open component: it is not closed Environment E for K: a timed input/output automaton compatible with K such that IE ⊆ OK and OE ⊆ IK

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 20 / 38

Formal contract

Component K: a timed input/output automaton Closed component: I = O = ∅ Open component: it is not closed Environment E for K: a timed input/output automaton compatible with K such that IE ⊆ OK and OE ⊆ IK

Definition

A contract for a component K is a pair (A, G) of TIOA such that IA = OG and OA = IG (i.e. the composition is a closed system) and IG ⊆ IK and OG ⊆ OK (i.e. the interface of K is a refinement of that of G).

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 20 / 38

Contracts for the running example

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 21 / 38

Contracts for the running example

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 21 / 38

Contracts for the running example

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 21 / 38

Conformance relation

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 22 / 38

Conformance relation

Definition

Let K1 and K2 be two comparable components (i.e. having the same external interface). K1 K2 if tracesK1 ⊆ tracesK2.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 22 / 38

Conformance relation

Definition

Let K1 and K2 be two comparable components (i.e. having the same external interface). K1 K2 if tracesK1 ⊆ tracesK2.

Theorem

Conformance is a preorder relation.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 22 / 38

Conformance relation

Definition

Let K1 and K2 be two comparable components (i.e. having the same external interface). K1 K2 if tracesK1 ⊆ tracesK2.

Theorem

Conformance is a preorder relation.

Theorem

Let K1 and K2 be two comparable components with K1 K2 and E a component compatible with both K1 and K2. Then K1 E K2 E.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 22 / 38

Refinement under context relation

Definition

Let K1 and K2 be two components such that IK2 ⊆ IK1 ∪ VK1, OK2 ⊆ OK1 ∪ VK1 and VK2 ⊆ VK1. Let E be an environment for K1 compatible with both K1 and K2. We say that K1 refines K2 in the context of E, denoted K1 ⊑E K2, if K1 E E ′ K2 E K ′ E ′ where K ′ and E ′ are defined such that both members of the conformance relation are comparable and closed.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 23 / 38

Refinement under context relation

Definition

Let K1 and K2 be two components such that IK2 ⊆ IK1 ∪ VK1, OK2 ⊆ OK1 ∪ VK1 and VK2 ⊆ VK1. Let E be an environment for K1 compatible with both K1 and K2. We say that K1 refines K2 in the context of E, denoted K1 ⊑E K2, if K1 E E ′ K2 E K ′ E ′ where K ′ and E ′ are defined such that both members of the conformance relation are comparable and closed.

Definition

K | = C = (A, G) ⇔ K ⊑A G

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 23 / 38

Example: K1 ⊑A1 G1

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 24 / 38

Example: K1 ⊑A1 G1

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 24 / 38

Example: K1 ⊑A1 G1

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 24 / 38

Example: K1 ⊑A1 G1

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 24 / 38

Example: K1 ⊑A1 G1

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 24 / 38

Example: K1 ⊑A1 G1

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 24 / 38

Example: K1 ⊑A1 G1

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 24 / 38

Properties of refinement under context

Theorem

Given a set K of comparable components and a fixed environment E for that interface, the refinement under context relation ⊑E is a preorder over K.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 25 / 38

Properties of refinement under context

Theorem

Given a set K of comparable components and a fixed environment E for that interface, the refinement under context relation ⊑E is a preorder over K.

Theorem

Let K1 and K2 be two components and E an environment compatible with both K1 and K2 such that E = E1 E2. K1 ⊑E1E2 K2 ⇔ K1 E1 ⊑E2 K2 E1

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 25 / 38

Properties of refinement under context

Theorem

Given a set K of comparable components and a fixed environment E for that interface, the refinement under context relation ⊑E is a preorder over K.

Theorem

Let K1 and K2 be two components and E an environment compatible with both K1 and K2 such that E = E1 E2. K1 ⊑E1E2 K2 ⇔ K1 E1 ⊑E2 K2 E1

Theorem

Let K be a component, E its environment and C = (A, G) the contract for K such that K and G are compatible with each of E and A. If (1) tracesG is closed under limits, (2) tracesG is closed under time-extension, (3) K ⊑A G and (4) E ⊑G A then K ⊑E G.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 25 / 38

Abstract system

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 26 / 38

Abstract system

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 26 / 38

Top contract for the abstract system

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 27 / 38

Contract dominance

Definition

{Ci}n

i=1 dominates C iff ∀{Ki}n i=1 such that, ∀i, Ki |

= Ci, we have (K1 K2 · · · Kn) | = C.

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 28 / 38

Contract dominance

Definition

{Ci}n

i=1 dominates C iff ∀{Ki}n i=1 such that, ∀i, Ki |

= Ci, we have (K1 K2 · · · Kn) | = C.

Theorem

{Ci}n

i=1 dominates C if, ∀i, tracesAi, tracesGi, tracesA and tracesG are

closed under limits and under time-extension and G1 ... Gn ⊑A G A G1 ... Gi−1 Gi+1 ... Gn ⊑Gi Ai, ∀i

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 28 / 38

Outline

6 Applying contract-based reasoning on the toy example Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 29 / 38

Verifying Step 1

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 30 / 38

Verifying Step 1

1 K1 |

= C1

2 K2 |

= C2

3 K3 |

= C3

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 30 / 38

Verifying Step 2

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 31 / 38

Verifying Step 2

{C1, C2, C3} dominates C:

• tracesA, tracesA1, tracesA2, tracesA3 are closed under limits and under

time-extension

• tracesG, tracesG1, tracesG2, tracesG3 are closed under limits and under

time-extension

• G1 G2 ⊑A G
• A G2 ⊑G1 A1
• A G1 ⊑G2 A2
• A G1 G2 ⊑G3 A3

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 31 / 38

Verifying Step 2

{C1, C2, C3} dominates C:

1 tracesA, tracesA1, tracesA2, tracesA3 are closed under limits and under

time-extension

2 tracesG, tracesG1, tracesG2, tracesG3 are closed under limits and under

time-extension

• G1 G2 ⊑A G
• A G2 ⊑G1 A1
• A G1 ⊑G2 A2
• A G1 G2 ⊑G3 A3

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 31 / 38

Verifying Step 2

{C1, C2, C3} dominates C:

1 tracesA, tracesA1, tracesA2, tracesA3 are closed under limits and under

time-extension

2 tracesG, tracesG1, tracesG2, tracesG3 are closed under limits and under

time-extension

3 G1 G2 ⊑A G

• A G2 ⊑G1 A1
• A G1 ⊑G2 A2
• A G1 G2 ⊑G3 A3

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 31 / 38

Verifying Step 2

{C1, C2, C3} dominates C:

1 tracesA, tracesA1, tracesA2, tracesA3 are closed under limits and under

time-extension

2 tracesG, tracesG1, tracesG2, tracesG3 are closed under limits and under

time-extension

3 G1 G2 ⊑A G 4 A G2 ⊑G1 A1 5 A G1 ⊑G2 A2 6 A G1 G2 ⊑G3 A3 Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 31 / 38

Verifying Step 3

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 32 / 38

Verifying Step 3

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 32 / 38

Outline

7 Conclusions Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 33 / 38

Results

TIOA component framework

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 34 / 38

Results

TIOA component framework Formal contract with interface refinement

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 34 / 38

Results

TIOA component framework Formal contract with interface refinement Refinement relations based on trace inclusion

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 34 / 38

Results

TIOA component framework Formal contract with interface refinement Refinement relations based on trace inclusion Applied on a toy example

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 34 / 38

Related work

(Timed) Interface Automata Interface Input/Output Automata Timed Input/Output Automata in ECDAR

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 35 / 38

Future work

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 36 / 38

Future work

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 36 / 38

Future work

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 36 / 38

Future work

• Iulia Dragomir (IRIT)

Safety Contracts for Timed Reactive Components March 21, 2013 36 / 38

Perspectives

1 How to build contracts? Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 37 / 38

Perspectives

1 How to build contracts?

Solve for G

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 37 / 38

Perspectives

1 How to build contracts?

Solve for G Automatically generate A

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 37 / 38

Perspectives

1 How to build contracts?

Solve for G Automatically generate A

2 Automation and integration within a development process Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 37 / 38

References:

1

• I. Dragomir, I. Ober, D. Lesens. A Case Study in Formal System

Engineering with SysML. ICECCS 2012, Paris, 18/07/2012 - 20/07/2012, IEEE, p. 189-198, july 2012

2

• I. Dragomir, I.Ober, C. Percebois. Safety Contracts for Timed Reactive
• Systems. Technical report, IRIT/RT-2013-11-FR, february 2013. Available

at http://www.irit.fr/~Iulian.Ober/docs/TR-Contracts.pdf

Thank you! Any questions?

Iulia Dragomir (IRIT) Safety Contracts for Timed Reactive Components March 21, 2013 38 / 38