Specification of Hybrid Components of Control Systems

Copyright © IFAC Intelligent Manufacturing Systems, Gramado - RS, Brazil, 1998

SPECIFICATION OF HYBRID COMPONENTS OF CONTROL SYSTEMS

Juri Vain, Alar Kuusik and Marko Kääramees

Tallinn Technical University, Institute of Cybernetics

Abstract: A stepwise refinement design strategy for control systems is described and the need for uniform commitment structures of specifications is motivated. A conceptual framework for sensor specifications is defined in terms of a set of virtual inputs/outputs and abstraction functions on their value domains. The hybrid dynamics of sensors is characterized using a small set of generalized phases and phase transitions. The conceptual description is formalized using hybrid automata. For modeling the degradation of dependability and trustiness of sensors, an aging function is introduced. The applicability of this approach is demonstrated on a real specification example, the temperature sensor AD590KH. Copyright © 1998 IFAC

Keywords: refinement, formal specification, hybrid automata, fault tolerance, sensors

1. INTRODUCTION

Design of control system components for safety critical applications requires high confidence in the correctness of the design decisions made. The dramatically increased capabilities of currently available hardware have led to concerns about the safety and accountability of unsystematic approaches, and to demands for more rigorous approaches based on mathematical theory and formal methods [1]. Approaches such as stepwise refinement [2] and compositional methods impose a strong discipline on the development phases, requiring careful use of specification transformation rules or a correctness proof after each development step [3]. Although formal methods are powerful and supported by software tools, expertise in control engineering is needed to reach a reasonably effective and feasible design.

Specification and verification problems are discussed in the context of so-called "verify-while-design" development methods. The selection of the method is motivated by the fact that the problem of "inventing" a design for a given requirements specification often reduces to the problem of selecting software and hardware components typical for control engineering, like sensors, controller programs, actuators and their connection architectures. Therefore, in practice the focus is rather on the integration problems of standard components than on the design of a particular component, as in traditional software engineering applications. Another important feature of component design is that dependability is a prime concern when proving the correctness of a design for realistic working conditions. The behavior of a component may differ drastically depending on whether it is functioning in a normal or in an extreme situation. This naturally leads to a modeling paradigm where components are considered as hybrid systems with continuous evolution phases (modeling functional modes) which alternate with jumps and switching between phases.

To give a conceptual framework guiding the construction of specifications for control system components, we have attempted to define a generalized specification structure for sensors, taking into consideration both their functional and their dependability characteristics, which allows one to get uniform specification layouts and to unify the verification routines for such specifications.

This paper is organized as follows. In Section 2, the stepwise refinement design strategy for control systems is described and the need for uniform commitment structures of specifications is motivated. Section 3 provides a conceptual framework for sensor specifications: we define the main phases and the state invariants for phases, and introduce a function characterizing the aging process of sensors. A concrete specification example of the integrated-circuit temperature sensor AD590KH is given in Section 4.

2. DESIGN BY REFINEMENT

On an abstract level a control system design problem can be stated as follows [1]:

Given:
- the state space of the plant;
- the goal of the control;
- the constraints to be met by the control.

Each requirement can be stated formally as an assumption-commitment pair connected by logical implication:

$$Requirement \equiv Assumption \Rightarrow Commitment$$

where

Assumption (A) - specifies constraints coming from properties of the plant and assumptions about the behavior of the control system;
Commitment (C) - specifies the required behavior of the plant (constraints on observable state changes).

The set of requirements (R) has the following conjunctive form:

$$R \equiv \bigwedge_i (A_i \Rightarrow C_i)$$

Find:
- a specification of the control, Control, so that

$$Control \Rightarrow R, \quad \text{i.e.} \quad \bigwedge_i \big((Control \wedge A_i) \Rightarrow C_i\big)$$

Typically the control specification can be refined into a form where it has the structure

$$Control \equiv Spec_{controller} \wedge Spec_{actuator} \wedge Spec_{sensor}$$

where $Spec_{controller}$, $Spec_{actuator}$ and $Spec_{sensor}$ denote respectively the specifications of the controller, the actuators and the sensors. Assuming compositionality of the design specifications of parallel components in the control system, each further design refinement step concerns only the specification of a particular component and its implementation. Thus, the component design problem has the form:

Given:
- a specification $Spec_P$ of a component P (e.g. $Spec_P = Spec_{controller}$).

Find:
- an implementation $Impl_P$ of P (by program or by hardware) so that

$$Impl_P \ sat \ Spec_P.$$

Generally, we say that a system $Sys_1$ implements the system $Sys_2$ if there is a refinement relation between $Sys_1$ and $Sys_2$.

Definition. Refinement relation (using model inclusion): a system $Sys_1$ refines a system $Sys_2$ if the model of system $Sys_1$ is included in the model of system $Sys_2$ (i.e. is its special case).

A system is a structure $[Univ \mid D]$, where $Univ$ denotes the state space with time domain and $D$ is the behavior of the system in $Univ$ ($D$ is a logical formula).

Formally: the system $Sys_1 = [Univ_1 \mid D_1]$ refines the system $Sys_2 = [Univ_2 \mid D_2]$ ($Sys_1 \triangleright Sys_2$) iff $Sys_1 \Rightarrow Sys$, where $Sys = [Univ \mid D]$, $Univ = Univ_1 \cup Univ_2$ and $D = D_2$ (i.e., $D_1 \Rightarrow D_2$).

According to this view the component design is a sequence of refinement steps, where each step can be specified as a control specification by assumption and commitment pairs. Observe that in this specification form the assumptions about each particular component specify properties of its implementation, i.e. the expected properties of its subcomponents and their composition. This allows one to represent the assumptions as a conjunction of the specification commitments of the lower-level components. The conjunctive form is due to the parallel composition.

Thus, the hierarchy of stepwise refinement steps, having on each step for a component the commitment $C_j$, provides the hierarchy of commitments and proof obligations (see Fig. 1) for the verification of refinement correctness. Having a refinement hierarchy and a proof obligation construction scheme for the intermediate design steps, one still needs specification forms for the (possibly reusable) component classes used in the final step.

Fig. 1. Refinement tree ($C_E$ is the commitment of the environment)

3. SPECIFICATION OF SENSORS
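For a finite state space both the refinement relation (model inclusion, $D_1 \Rightarrow D_2$ over $Univ_1 \cup Univ_2$) and the proof obligations $(Control \wedge A_i) \Rightarrow C_i$ can be discharged mechanically by enumeration. The following Python script is an added example and not part of the paper: it checks both for a constructed heater plant whose sensor reading carries an error, so that the commitment on the plant is only provable under an assumption about the trustability of the reading. The plant, its domains, the two candidate controllers, the ±0.5 °C error assumption and all class and function names are assumptions of this example.

```python
"""Bounded check of the refinement relation and the assumption-commitment
proof obligations of Section 2 (added example, not from the paper).

A system is [Univ | D]: Univ maps variables to finite domains, D is a
predicate on valuations.  Sys1 refines Sys2 iff D1 => D2 on Univ1 u Univ2,
which for finite domains is decided by enumeration.  The heater plant, its
domains, the controllers and the sensor-error assumption are constructed
for this example; class and function names are not the paper's.
"""
import itertools
from typing import Callable, Dict, Iterable, Optional, Tuple

Valuation = Dict[str, float]
Pred = Callable[[Valuation], bool]


class System:
    """[Univ | D] with a finite Univ."""

    def __init__(self, univ: Dict[str, Iterable[float]], behaviour: Pred):
        self.univ = {v: tuple(dom) for v, dom in univ.items()}
        self.behaviour = behaviour


def _valuations(univ: Dict[str, Tuple[float, ...]]) -> Iterable[Valuation]:
    names = sorted(univ)
    for values in itertools.product(*(univ[n] for n in names)):
        yield dict(zip(names, values))


def _joined(sys1: System, sys2: System) -> Dict[str, Tuple[float, ...]]:
    """Univ = Univ1 u Univ2; a shared variable must have one domain."""
    univ = dict(sys1.univ)
    for name, dom in sys2.univ.items():
        if name in univ and set(univ[name]) != set(dom):
            raise ValueError(f"conflicting domain for {name}")
        univ.setdefault(name, dom)
    return univ


def counterexample(sys1: System, sys2: System) -> Optional[Valuation]:
    """First valuation where D1 holds and D2 fails, i.e. a witness that
    Sys1 does not refine Sys2; None when D1 => D2 everywhere."""
    for val in _valuations(_joined(sys1, sys2)):
        if sys1.behaviour(val) and not sys2.behaviour(val):
            return val
    return None


def refines(sys1: System, sys2: System) -> bool:
    return counterexample(sys1, sys2) is None


def discharge(control: System,
              requirements: Dict[str, Tuple[Pred, Pred]]) -> Dict[str, Optional[Valuation]]:
    """Proof obligation (Control /\ A_i) => C_i per requirement (A_i, C_i):
    None when discharged, otherwise the counterexample found."""
    result = {}
    for name, (assumption, commitment) in requirements.items():
        premise = System(control.univ,
                         lambda v, a=assumption: control.behaviour(v) and a(v))
        result[name] = counterexample(premise, System(control.univ, commitment))
    return result


# Constructed plant: true temperature in 0.5 degC steps, sensor error, heater.
TEMPS = [x / 2 for x in range(100, 141)]            # 50.0 .. 70.0 degC
ERRORS = [-1.0, -0.5, 0.0, 0.5, 1.0]                 # reading - true temperature
UNIV = {"temp": TEMPS, "err": ERRORS, "heater": (0, 1)}


def reading(v: Valuation) -> float:
    return v["temp"] + v["err"]


# Commitment C on the plant: the heater is never on at or above 60 degC.
def commit_off_when_hot(v: Valuation) -> bool:
    return not (v["temp"] >= 60.0 and v["heater"] == 1)


# Assumption A: the reading is trustable, |error| <= 0.5 degC (cf. Section 4).
def assume_trustable(v: Valuation) -> bool:
    return abs(v["err"]) <= 0.5


# Abstract control specification: heater off whenever the reading is >= 60.
ABSTRACT = System(UNIV,
                  lambda v: not (reading(v) >= 60.0 and v["heater"] == 1))
# Two refinements of it: one allows for the sensor error, one does not.
CONTROL_OK = System(UNIV, lambda v: v["heater"] == (1 if reading(v) < 59.5 else 0))
CONTROL_BAD = System(UNIV, lambda v: v["heater"] == (1 if reading(v) < 60.0 else 0))
REQUIREMENTS = {"off_when_hot": (assume_trustable, commit_off_when_hot)}

if __name__ == "__main__":
    print(refines(CONTROL_OK, ABSTRACT), refines(CONTROL_BAD, ABSTRACT))  # True True
    print(discharge(CONTROL_OK, REQUIREMENTS))    # {'off_when_hot': None}
    print(discharge(CONTROL_BAD, REQUIREMENTS))   # counterexample at temp 60.0, err -0.5
```

Both controllers refine the abstract control specification, but only the one that respects the sensor error discharges the obligation on the plant; without the trustability assumption even that one fails, which is exactly why the sensor's trustable region has to be part of the assumption side of the requirement.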

For compositional specifications [5] we need a uniform input/output description of sensors. For distinguishing different modes in sensor dynamics we consider a sensor as a hybrid system and use hybrid automata [4] for its specification. A hybrid automaton consists of a transition system (TS), a labeling of the transition system, and a set of real-valued variables X with their derivatives X'. The transition system TS = (Q, Q0, Qf, T) consists of four components:
1. A set Q of phases.
2. A set Q0 of initial phases.
3. A set Qf of final phases.
4. A set T of transitions between phases.

The labeling associates with each phase q the predicates:
init(X) - initialization of the variables,
inv(X) - invariant of the phase,
flow(X, X') - dynamics of the variables in the phase,
and with each transition t a predicate:
guard(X) - enabledness of the transition.
Modeling assumptions about TS are discussed in the sequel.

3.1 State variables

Due to compositionality we assume that the only observable state variables are the inputs and outputs of the sensor. The inputs and outputs are modelled by the variables from X. The input-output relations are defined by the flow predicates.

Inputs. In [1] inputs are defined as observables which directly depend on the physical process the sensor is measuring and which have a functional relationship with the outputs. We call those basic inputs. Dependency on other environmental factors is usually modeled as a deviation of the output values from the nominal values caused by disturbances and errors. For safety critical applications we still need an explicit representation of the influence of disturbances on the I/O behavior. Therefore, we extend the meaning of inputs by so-called virtual inputs. From the dependability point of view there is no principal difference between input signals coming from the process and external impacts coming from the process environment. For instance, input values exceeding their allowed value range may cause damage and corruption of measurement data like any other disturbance; on the other hand, the effects of disturbances, when relatively small, may be ignored or modeled as a constant output with deviation 0.

Besides, a fast change of input values, although they stay within the allowed value range, may cause the same failure or stress effects as disturbances and unexpected input values do. Examples of dynamic disturbances are ripple of the supply voltage, mechanical acceleration and sharp impulses of current.

Thus, for adequate modeling of sensor behavior the set of inputs of the sensor model should comprise the measuring inputs (basic inputs), the impacts of the environment and the derivatives of both (virtual inputs). Synergetic effects of mutually dependent inputs can be modeled by introducing additional combined inputs, so that in the sequel we can assume that all abstract inputs are independent.

3.2 Abstraction of input and output value domains

An important modeling assumption about sensors as hybrid systems is that their behavior (functionality) depends not only quantitatively but also qualitatively on their input values. Here two aspects should be distinguished: how the (abstract) inputs influence dependability, and how they influence the trustiness of the measurement results.

By the effect the inputs have on the behavior of the sensor, we separate the whole set of behaviors into a fixed set of modes. For a concise definition of the modes, the value domain $I_i$ of input $I_i$ is partitioned by the aging rate (the measure of dependability change) of the sensor and by the trustiness of the outputs into two sets of sub-regions $\{I_i^N, I_i^S, I_i^F\}$ and $\{I_i^T, I_i^U\}$, where

$$I_i^N \cup I_i^S \cup I_i^F = I_i^T \cup I_i^U = I_i, \qquad I_i^N \cap I_i^S = I_i^S \cap I_i^F = I_i^N \cap I_i^F = I_i^T \cap I_i^U = \emptyset \qquad (1)$$

We call them the NSF-partitioning and the TU-partitioning respectively. Region $I_i^N$ corresponds to input values which are specified as working conditions, where slow aging (which often can even be ignored) takes place; $I_i^S$ denotes the input values which cause stress (forced aging); and values in $I_i^F$ lead to fatal failure of the sensor. $I_i^T$ denotes the input values for which the corresponding output values are trustable, and $I_i^U$ denotes the complement of $I_i^T$ in $I_i$ ($I_i^U = I_i \setminus I_i^T$).

Each region $I_i^j$, $j \in \{N, T, S, F\}$, is specified as an interval $I_i^j = [I_i^{j-}; I_i^{j+}]$ or as a pair of intervals $I_i^j = (I_i^{jl}, I_i^{ju})$ (a lower and an upper sub-interval), where $I_i^{j-}$ and $I_i^{j+}$ denote respectively the lower and upper bounds of the interval $I_i^j$. Assuming property (1), it is easy to see that the specifications of the input regions $I_i^N$, $I_i^S$ and $I_i^T$ provide a complete definition of the partitionings NSF and TU. As to sensor outputs, there is only one value domain $O_j^T$ to be specified. It characterizes the trustiness of the output values; all other output values $O_j \notin O_j^T$ we call trustless. Having defined the input and output value regions we can now introduce symbolic values instead of concrete values to denote the fact that a concrete value belongs to a particular region of values.

3.3 Phases

The names of the fixed value regions constitute the set of abstract values which are used as terms in the definitions of phase invariants and transition conditions. A phase invariant $g_{ij} = inv(X)$ for a phase $q_{ij} \in Q$ can be defined in terms of relations on abstract input and output values in the general form

$$g_{ij} = g_i \wedge g_j \wedge g^O_{i,j} \qquad (2)$$

where $g_i$ denotes the conditions on the regions given by the NSF-partitioning, $g_j$ the conditions defined on the regions of the TU-partitioning, and $g^O_{i,j}$ the conditions defined on the output regions. Table 1 gives a structured definition of the phase invariants on the set of atomic constraints on input value regions, or in other words, on the set of abstract values of the inputs. Still, using abstract input values, the number of possible value combinations is 6 for each input and the number of possible phases is $6^n$, where n is the number of abstract inputs. A reduction of the number of phases can be achieved by abstracting from particular inputs, i.e., by quantification over the set of inputs. For instance, we say that the sensor is in phase $q_{s,t}$ if at least one input is in the stress region, none is in the failure region and none is in the trustless region. The whole set of phases $Q = \{q_{i,j} \mid i \in \{n,s,f\},\ j \in \{t,u\}\}$ can be defined by the phase invariants as in Table 1.

Table 1: Phase invariants

Conditions $g_i$ on the NSF-partitioning:
  Normal (slow aging):    $g_n = \forall k \in [1,|I|]:\ I_k \in I_k^N$
  Stress (forced aging):  $g_s = \forall k\ \exists p \in [1,|I|]:\ I_k \notin I_k^F \wedge I_p \in I_p^S$
  Fatal failure:          $g_f = \exists k \in [1,|I|]:\ I_k \in I_k^F$

Conditions $g_j$ on the TU-partitioning:
  Trustable:              $g_t = \forall l \in [1,|I|]:\ I_l \in I_l^T$
  Trustless:              $g_u = \neg g_t$

Conditions $g^O_{i,j}$ on the output regions:
  $g^O_{n,t} = \forall m \in [1,|O|]:\ O_m \in O_m^T$
  $g^O_{n,u} = \exists m \in [1,|O|]:\ O_m \notin O_m^T$
  $g^O_{s,t} = \forall m \in [1,|O|]:\ O_m \in O_m^T$
  $g^O_{s,u} = \exists m \in [1,|O|]:\ O_m \notin O_m^T$
  $g^O_{f,t} = FALSE$
  $g^O_{f,u} = \forall m \in [1,|O|]:\ O_m \notin O_m^T$

Fig. 2. Phase transition diagram of fatal failure prone sensors

3.4 Set of initial phases

We assume that only those initial conditions are feasible where the sensor readings are trustable. It is often the case that after the start sensors are working under stress. Hence

$$Q_0 = \{q_{i,j} \mid i \in \{n,s\},\ j \in \{t\}\}$$

3.5 Set of final phases

In the ideal case a fault tolerant sensor behaves like a reactive system, i.e., its behavior comprises a possibly infinite sequence of phases from the phase set $\{q_{i,j} \mid i \in \{n,s\},\ j \in \{t,u\}\}$. The introduction of fatal failures into the model (no recovery procedure is assumed) means that any phase sequence including the phase $q_{f,u}$ terminates in $q_{f,u}$, i.e., $Q_f = \{q_{f,u}\}$ (see the phase transition diagram in Fig. 2).

3.6 Phase transition conditions

One can easily see that due to condition (1) the phase invariants are mutually exclusive. On the other hand, the whole state space is reachable. Thus, the phase transition conditions can be derived directly from the invariants of the destination phases by the following rule: for an arbitrary phase transition $q_{ij} \to q_{kl}$, we get the transition guard from (2) as the antecedent of the destination phase invariant, i.e., $g_k \wedge g_l$.

Having defined the specification formulas $q_{ij}$ for all phases, the set of initial phases $Q_0$ and the set of final phases $Q_f$, we can now construct the specification for the whole sensor as follows:

$$C_{sensor} = Q_0 \wedge Q_f \wedge \bigwedge_{i,j} q_{ij}$$

where i ranges over the phase indices $i \in \{n,s,f\}$ and j ranges over $j \in \{t,u\}$.

3.7 Modeling phase evolution

Functions describing sensor behavior during phases typically map input values to output values, where the concrete mapping depends on the particular physical principle the sensor is built upon. Therefore, we do not give here general constraints on the state functions besides those determining the reliability of the sensors.
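The abstraction of Sections 3.2 to 3.6 (symbolic values from the NSF and TU partitionings, the quantified invariants of Table 1, guards read off the destination invariant, and a transition system without recovery from fatal failure) is small enough to execute directly. The Python script below is an added example, not code from the paper: it takes the regions of the AD590KH inputs $t_m$ and $V_s$ from Table 2 of the case study and the trustable output region [263; 333] μA for $I_F$, classifies sampled input/output vectors into phases, and checks each phase change against the transition system. The transition set is derived from the NSF and TU component automata of Section 3.9 under the parallel composition described there, since Fig. 2 is not reproduced; the function names, the sample trace and the legality check are assumptions of this example.

```python
"""Symbolic phase abstraction of sensor inputs (Sections 3.2-3.6).

Added example, not from the paper.  The NSF/TU regions of the AD590KH
inputs t_m and V_s are from Table 2 (Section 4) and the output region
O^T = [263; 333] uA from the case study; the function names, the
transition check and the sample trace are constructed here.
"""
from typing import Dict, List, Optional, Tuple

# A region is a list of intervals (lo, hi, lo_closed, hi_closed); Table 2
# writes ]a; b] for an interval open at a and closed at b.
Region = List[Tuple[float, float, bool, bool]]
Phase = Tuple[str, str]          # (i, j) with i in n/s/f and j in t/u


def in_region(x: float, region: Region) -> bool:
    for lo, hi, lo_closed, hi_closed in region:
        above = x > lo or (lo_closed and x == lo)
        below = x < hi or (hi_closed and x == hi)
        if above and below:
            return True
    return False


# By property (1) it suffices to give N, S and T: F = I \ (N u S), U = I \ T.
INPUTS: Dict[str, Dict[str, Region]] = {
    "t_m": {"N": [(-55, 150, True, True)],                          # degC
            "S": [(-100, -55, True, False), (150, 200, False, True)],
            "T": [(-10, 60, True, True)]},
    "V_s": {"N": [(0, 30, True, True)],                             # V
            "S": [(-20, 0, True, False), (30, 44, False, True)],
            "T": [(4, 7.5, True, True)]},
}
OUTPUT_T: Dict[str, Region] = {"I_F": [(263, 333, True, True)]}     # uA


def abstract_nsf(name: str, x: float) -> str:
    spec = INPUTS[name]
    if in_region(x, spec["N"]):
        return "n"
    return "s" if in_region(x, spec["S"]) else "f"


def abstract_tu(name: str, x: float) -> str:
    return "t" if in_region(x, INPUTS[name]["T"]) else "u"


def nsf_index(inputs: Dict[str, float]) -> str:
    """g_n / g_s / g_f of Table 1, quantified over all inputs."""
    values = {abstract_nsf(n, x) for n, x in inputs.items()}
    if "f" in values:
        return "f"
    return "s" if "s" in values else "n"


def tu_index(inputs: Dict[str, float]) -> str:
    """g_t holds iff every input is trustable; g_u = not g_t."""
    every = all(abstract_tu(n, x) == "t" for n, x in inputs.items())
    return "t" if every else "u"


def output_condition(i: str, j: str, outputs: Dict[str, float]) -> bool:
    """g^O_{i,j} of Table 1 on the output regions O^T."""
    trust = [in_region(x, OUTPUT_T[n]) for n, x in outputs.items()]
    if j == "t":
        return i != "f" and all(trust)       # g^O_{f,t} = FALSE
    return (not any(trust)) if i == "f" else (not all(trust))


def phase(inputs: Dict[str, float], outputs: Dict[str, float]) -> Optional[Phase]:
    """The phase whose invariant (2) = g_i /\ g_j /\ g^O_{i,j} holds.  g_i and
    g_j fix the only candidate (mutually exclusive by (1)); the invariants
    are not exhaustive: all inputs trustable with an output outside O^T
    satisfies none of them, so None is returned."""
    i, j = nsf_index(inputs), tu_index(inputs)
    return (i, j) if output_condition(i, j, outputs) else None


def guard(dest: Phase, inputs: Dict[str, float]) -> bool:
    """Section 3.6: the guard of a transition into q_{k,l} is g_k /\ g_l."""
    return (nsf_index(inputs), tu_index(inputs)) == dest


# Component automata of Section 3.9: NSF moves N<->S and S->F (no N->F, no
# recovery from F); TU moves T<->U.  In the composition each component
# either takes one of its moves or stays in its phase.
NSF_MOVES = {("n", "s"), ("s", "n"), ("s", "f")}
TU_MOVES = {("t", "u"), ("u", "t")}


def transition_allowed(src: Phase, dst: Phase) -> bool:
    (i, j), (k, l) = src, dst
    return (i == k or (i, k) in NSF_MOVES) and (j == l or (j, l) in TU_MOVES)


def trace(samples) -> List[Tuple[Optional[Phase], bool]]:
    """Classify (inputs, outputs) samples and check each phase change
    against the transition system; a sample hitting no phase, or an
    unmodelled jump, is reported as not legal."""
    result, prev = [], None
    for inputs, outputs in samples:
        q = phase(inputs, outputs)
        legal = q is not None and (prev is None or transition_allowed(prev, q))
        result.append((q, legal))
        prev = q if q is not None else prev
    return result


# Constructed sample run (I_F in uA): heated into the stress region, cooled
# back, then sampled so coarsely that it jumps from normal straight to fatal
# failure, which the NSF automaton does not allow.
SAMPLES = [
    ({"t_m": 25.0, "V_s": 5.0}, {"I_F": 298.0}),    # q_n,t
    ({"t_m": 160.0, "V_s": 5.0}, {"I_F": 433.0}),   # q_s,u
    ({"t_m": 140.0, "V_s": 5.0}, {"I_F": 413.0}),   # q_n,u
    ({"t_m": 25.0, "V_s": 5.0}, {"I_F": 298.0}),    # q_n,t
    ({"t_m": 210.0, "V_s": 5.0}, {"I_F": 0.0}),     # q_f,u from q_n,t: illegal
    ({"t_m": 25.0, "V_s": 5.0}, {"I_F": 298.0}),    # q_n,t after q_f,u: no recovery
]
```

Running `trace(SAMPLES)` yields the phase sequence $q_{n,t}, q_{s,u}, q_{n,u}, q_{n,t}, q_{f,u}, q_{n,t}$ with the last two flagged: a direct jump from normal to fatal failure is not a move of the NSF automaton (the sampling missed the stress phase), and nothing leaves $q_{f,u}$. The `None` case in `phase` is worth noting when using Table 1 as a monitor: an input inside $I^T$ combined with an output outside $O^T$ (a faulty sensor) is not covered by any invariant.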

3.8 Modeling aging of sensors

When specifying the dependability features of sensors we should capture their behavior through the whole life cycle (from the start to some fatal failure). For safety critical applications modeling only static modes is not sufficient. One important feature which should be taken into account is the degradation of the sensor's capabilities (e.g., measurement accuracy, the ability to withstand stress, creeping of the sensor's robustness parameters, etc.). We express it in terms of changes of the input regions themselves.

To model this phenomenon we introduce for each bound of the input regions a so-called aging function. The aging function is a monotonically decreasing time-dependent function. We assume that it depends on the phases and on the time spent in each particular phase during the sensor's current age t. For simplicity we can use a linear approximation of that function. For an input region $I_j$ its bound $I_j^*$ (either the upper bound $I_j^+$ or the lower bound $I_j^-$) changes in time as follows:

$$I_j^*(t) = I_j^*(0) - \sum_{k \in \{n,s,f\}} a_j^k \int_0^t g_j^k \, dt \qquad (3)$$

where $I_j^*(0)$ denotes the initial value of the bound, $a_j^k$ is an aging coefficient characterizing the rate of change of $I_j^*$ caused by the j-th input being in the k-th phase during the period when $g_j^k$ holds, and $g_j^k$ denotes the projection of the k-th phase invariant on the j-th input (here, due to the need for integration, a numeric 0/1 interpretation of the binary function $g_j^k$ is assumed).

3.9 Representing the aging by hybrid automata

For modeling the aging process by a hybrid automaton according to formula (3) we need a refined version of the sensor model. We use the parallel composition property of hybrid automata for constructing the model. We use here a special form of parallel composition. The parallel composition of two hybrid automata

$$H_1 = (\langle Q_1, Q_{1_0}, Q_{1_f}, T_1 \rangle, X_1, init_1(X), inv_1(X), flow_1(X,X'), guard_1(X))$$

$$H_2 = (\langle Q_2, Q_{2_0}, Q_{2_f}, T_2 \rangle, X_2, init_2(X), inv_2(X), flow_2(X,X'), guard_2(X))$$

is defined as

$$H = (\langle Q = Q_1 \times Q_2,\ Q_0 = Q_{1_0} \times Q_{2_0},\ Q_f = Q_{1_f} \times Q_2 \cup Q_1 \times Q_{2_f},\ T \rangle,\ X = X_1 \cup X_2,\ init(X), inv(X), flow(X,X'), guard(X))$$

where $((q_1^1, q_2^1), (q_1^2, q_2^2)) \in T$ iff ($(q_1^1, q_1^2) \in T_1$ or $q_1^1 = q_1^2$) and ($(q_2^1, q_2^2) \in T_2$ or $q_2^1 = q_2^2$), i.e., each component either takes one of its own transitions or stays in its phase; init, inv and guard result from the conjunction of the component predicates. The composition of the flow predicate is explained later.

Transition system. We build the transition system from the transition systems for each input and output by parallel composition. For every input we get two transition systems, corresponding to the NSF and TU partitionings (see Fig. 3). We get a similar TU transition system for every output, i.e., there is a phase in the automaton for every region of input and output values.

NSF transition system: $Q = \{N, S, F\}$, $Q_0 = \{N, S\}$, $Q_f = \{F\}$, $T = \{(N,S), (S,N), (S,F)\}$
TU transition system: $Q = \{T, U\}$, $Q_0 = \{T\}$, $Q_f = \{U\}$, $T = \{(T,U), (U,T)\}$

Fig. 3. Automata for NSF and TU partitioning

Variables. As defined in (1), the domain of every input $I_i$ is partitioned by aging rate (NSF partitioning) and trustiness (TU partitioning). Due to the completeness of the partitionings they are specified by the boundary values $(I_i^{FS}, I_i^{SN}, I_i^{NS}, I_i^{SF}, I_i^{UT}, I_i^{TU})$ of the regions (see Fig. 4). Boundary variables $(O_j^{UT}, O_j^{TU})$ for the output regions are defined in the same way. These together with the inputs and outputs form the set of variables of the refined model:

$$X = \bigcup_{i \in [1,|I|],\ j \in [1,|O|]} \{ I_i,\ O_j,\ I_i^{FS},\ I_i^{SN},\ I_i^{NS},\ I_i^{SF},\ I_i^{UT},\ I_i^{TU},\ O_j^{UT},\ O_j^{TU} \}$$

Fig. 4. Boundary variables of the NSF and TU partitionings (along the axis of $I_i$ the regions follow as F, S, N, S, F with boundaries $I_i^{FS} < I_i^{SN} < I_i^{NS} < I_i^{SF}$, and as U, T, U with boundaries $I_i^{UT} < I_i^{TU}$)

Labeling predicates. The predicates init, inv, flow and guard associated with phases and transitions specify the behavior of the automaton. The predicates inv and guard determine the transition behavior. The invariants specify when it is allowed to be in a phase, by upper and lower bounds on the input and output variables. The guards of the transitions are enabled at the boundary points, showing to which phase to move next. For instance, for the S phase of input $I_j$ the predicates are:

$$inv_{S_j}(X) \equiv (I_j \ge I_j^{FS} \wedge I_j \le I_j^{SN}) \vee (I_j \ge I_j^{NS} \wedge I_j \le I_j^{SF})$$

$$guard_{(S,F)}(X) \equiv (I_j = I_j^{FS} \vee I_j = I_j^{SF})$$

$$guard_{(S,N)}(X) \equiv (I_j = I_j^{SN} \vee I_j = I_j^{NS})$$
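The refined model of this subsection can be executed for a single input: the boundary values are state variables, the invariants of the N and S phases are evaluated on their current values, and the flow in each phase is the constant derivative of the linear aging function (3). The Python script below is an added example, not code from the paper. It takes the initial bounds of the AD590KH input $t_m$ from Table 2 of the case study and the upper aging estimates given there, $a^s = I^*(0)/13000$ and $a^n = I^*(0)/87000$ per hour, so that every bound shrinks linearly towards zero with the time spent in the stress and normal phases. Applying the same rates to the TU bounds, modelling no further aging once the fatal phase is reached, stepping the automaton in one-hour increments, and the class and method names are assumptions of this example.

```python
"""Aging of the region bounds of one input by the refined hybrid automaton
of Section 3.9 (added example, not from the paper).  The boundary
variables of the AD590KH input t_m start at the Table 2 values; in phase k
every bound I* has the constant derivative a^k = I*(0)/tau_k of formula (3)
with the case-study upper estimates tau_S = 13000 h and tau_N = 87000 h.
Using the same rates for the TU bounds, no aging in F, one-hour steps and
all names here are assumptions of this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PHASES = ("N", "S", "F")
TAU = {"N": 87000.0, "S": 13000.0}      # hours; a^k = I*(0) / TAU[k]
BOUNDS = ("FS", "SN", "NS", "SF", "UT", "TU")

# Fig. 4 ordering: F | S | N | S | F at FS < SN < NS < SF, U | T | U at UT < TU.
T_M_BOUNDS0 = {"FS": -100.0, "SN": -55.0, "NS": 150.0, "SF": 200.0,
               "UT": -10.0, "TU": 60.0}                              # degC


@dataclass
class InputAutomaton:
    bounds0: Dict[str, float]
    phase: Optional[str] = None          # decided by the invariants on first use
    age_h: float = 0.0
    time_in: Dict[str, float] = field(default_factory=lambda: {p: 0.0 for p in PHASES})

    def bound(self, name: str) -> float:
        """Formula (3) with piecewise-constant flow: the integral of g^k is
        the time spent in phase k, so I*(t) = I*(0) - sum_k a^k t_k, and with
        a^k = I*(0)/tau_k every bound shrinks towards zero."""
        i0 = self.bounds0[name]
        return i0 - sum(i0 * self.time_in[k] / TAU[k] for k in TAU)

    def classify(self, x: float) -> str:
        """inv_N and inv_S of Section 3.9 on the current bounds; outside
        [FS, SF] the input is in the fatal region."""
        b = {n: self.bound(n) for n in BOUNDS}
        if b["SN"] <= x <= b["NS"]:
            return "N"
        return "S" if b["FS"] <= x <= b["SF"] else "F"

    def trustable(self, x: float) -> bool:
        return self.bound("UT") <= x <= self.bound("TU")

    def hold(self, x: float, hours: float, dt: float = 1.0) -> List[Tuple[float, str, str]]:
        """Keep the input at x for `hours`, re-evaluating the invariants
        every dt; returns the phase changes as (age, from, to).  F is
        absorbing (Q_f = {F}), so aging stops there."""
        events = []
        for _ in range(int(round(hours / dt))):
            k = self.classify(x)
            if k != self.phase:
                if self.phase is not None:
                    events.append((self.age_h, self.phase, k))
                self.phase = k
            if k == "F":
                break
            self.time_in[k] += dt
            self.age_h += dt
        return events


def lifetime_at(x: float, hours: float = 20000.0):
    """Phase history of a fresh t_m automaton held at x degC."""
    a = InputAutomaton(dict(T_M_BOUNDS0))
    return a.hold(x, hours), a


if __name__ == "__main__":
    events, a = lifetime_at(140.0)
    print(events)                 # [(5801.0, 'N', 'S'), (8835.0, 'S', 'F')]
    b = InputAutomaton(dict(T_M_BOUNDS0))
    b.hold(170.0, 500)            # 500 h in the stress region
    print(b.trustable(58.0))      # False: I^TU has aged from 60 to about 57.7
```

Holding the input at a constant 140 °C, well inside the initial normal region, ages the bound $I^{NS}$ down past the input after 5801 hours, which moves the automaton into the stress phase and accelerates the aging until $I^{SF}$ crosses the input at 8835 hours. Likewise, 500 hours of stress at 170 °C shrink $I^{TU}$ from 60 °C to about 57.7 °C, so a subsequent reading at 58 °C is trustless although it lies inside the sensor's initial trustable region. That is the point of formula (3): the abstract values of Section 3.2 are functions of the sensor's history, not constants.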



The flow predicates specify the dynamics of the system. We do not say anything about the input/output dependencies within the phases; they are determined by the type of sensor. Instead, only the dynamics of these dependencies (aging) is considered. We assume that the aging process is linear. This means that the derivative of each boundary variable is constant in every phase and is represented by the constants $a_{i,k}$ of formula (3). For a complete specification we need a constant for every boundary variable at every N, S and F phase. So we get a flow predicate for every phase q:

$$flow_q(X') \equiv \bigwedge_{i,k} \dot{I}_i^{k} = a_{i,k} \ \wedge\ \bigwedge_{j,m} \dot{O}_j^{m} = a_{j,m}, \qquad i \in [1,|I|],\ k \in \{N,S,F,T,U\},\ j \in [1,|O|],\ m \in \{T,U\}$$

where $\dot{I}_i^{k}$ and $\dot{O}_j^{m}$ denote the derivatives of the boundary variables of region k of input $I_i$ and of region m of output $O_j$. In the parallel composition the independent flow predicates are conjoined.

4. CASE STUDY: TEMPERATURE SENSOR AD590KH

To capture the behavior of a sensor in terms of phase formulas, we follow the general framework given in Section 3. It is sufficient to specify the types and abstract values of the observables, to define the initial values and the aging coefficients of function (3), and to give the input-output relation for the phases where the outputs are trustable (in the other phases the input-output relations are of no interest, because they are useless by the definition of trustiness). As demonstrated in the case of the IC temperature sensor AD590KH [6], the specification can be composed in a concise tabular form which can be easily translated into the hybrid automata formalism.

Observables:
- Abstract inputs: $I = \{t_m, t'_m, V_s, V'_s, R_L\}$, where $t_m$ is the measured temperature, $t'_m$ the slew rate of $t_m$, $V_s$ the supply voltage, $V'_s$ the ripple of $V_s$, and $R_L$ the load resistance.
- Outputs: $O = \{I_F\}$, where $I_F$ is the output current; trustable region [263; 333] μA; maximal allowed error ±0.5 μA (±0.5 °C).

Initial values of the input regions (environment: air): see Table 2.

Aging coefficients: for the bounds of all input regions we give their upper and lower estimates in symbolic form. There are two aging rates:
- aging under stress: $a_j^s \in [I_j^*(0)/13000,\ I_j^*(0)]$ (1/hour);
- aging in normal mode: $a_j^n \in [I_j^*(0)/175000,\ I_j^*(0)/87000]$ (1/hour).

Input-output relation (phases $q_{i,j}$: $i \in \{n,s\}$, $j \in \{t\}$):

$$I_F \in [263 + 1.25\, t^*_m - 0.5;\ 263 + 1.25\, t^*_m + 0.5], \qquad \text{where } t^*_m = t_m + 10$$

Table 2: Sensor AD590KH specification

Input   Unit     I^T            I^N           I^S
t_m     °C       [-10; 60]      [-55; 150]    [-100; -55[, ]150; 200]
t'_m    °C/min   [-1; 1]        -             -
V_s     V        [4; 7.5]       [0; 30]       [-20; 0[, ]30; 44]
V'_s    V        [0; 1]         -             -
R_L     kΩ       [0; 25]        -             -

5. CONCLUSION

In this paper a conceptual framework is introduced for the derivation of formal specifications of sensors. Realistic properties of sensors like trustiness and the degradation of fault resistance, which are important for safety critical applications, are explicitly represented and translated into the hybrid automata formalism.

REFERENCES

[1] A. Ravn. Design of Embedded Real-Time Computing Systems. Thesis for the degree of Doctor Technices, Technical University of Denmark, 1995.
[2] R. Kurki-Suonio, K. Systä, J. Vain. Real-Time specification and modeling with joint actions. Science of Computer Programming 20 (1993).
[3] J. Hooman, J. Vain. Integrating methods for the design of real-time systems. Journal of Systems Architecture 42 (1996) 489-502.
[4] T. A. Henzinger. The theory of hybrid automata. In Proceedings, 11th Annual IEEE Symposium on Logic in Computer Science, pages 278-292, New Brunswick, New Jersey, 27-30 July 1996. IEEE Comp. Soc. Press.
[5] J. Hooman. Specification and Compositional Verification of Real-Time Systems. Lecture Notes in Computer Science 558, Springer-Verlag, 1991.
[6] http://www.analog.com/