TTM/PAT: Specifying and Verifying Timed Transition Models

Transcription

1 TTM/PAT: Specifying and Verifying Timed Transition Models Jonathan S. Ostroff 1, Chen-Wei Wang 1,Yang Liu 2, Jun Sun 3, and Simon Hudon 1 1 Department of Electrical Engineering & Computer Science, York University 2 School of Computer Engineering, Nanyang Technological University 3 Singapore University of Technology and Design FTSCS 13, Queenstown

2 Contents Introduction TTM/PAT: Architecture TTM/PAT: Resources Contributions A Pacemaker Example A TTM for Pacemaker Evaluation: A Nuclear Shutdown System More in this Paper: TTM Semantics Extended Work: Compositional Reasoning Conclusion Further References

3 Introduction Timed Transition Models (TTMs) guarded transition systems for describing reactive systems found useful in modelling a production nuclear reactor SDS TTMs were represented manually in foreign languages We propose a textual modelling language for TTMs: a discrete time domain [t ick event] system as a composition of module instances global & local timers [monotonicity] demonic assignments [compositional reasoning] time bounds & fairness constraints [event level] LTL properties language [untimed & timed] native tool support in PAT [simulation & checking]

4 TTM/PAT: Architecture TTM Module Reference:

5 TTM/PAT: Resources Reference:

6 Contributions 1. The textual syntax for the TTM notation 2. An operational semantics for TTMs using LTS (i.e., digitization) for this talk, we do not address it in details [see the paper] 3. Implemented tool support in PAT

7 A Pacemaker Example an electronic device implanted into the body to detect (or sense) natural cardiac stimulations regulate the heart beat by delivering electrical stimuli (or paces) over leads with electrodes that are in contact with the heart

8 In the VVI mode, the hysteresis rate interval (HRI=1200ms) is the default maximum time between two consecutive sensing s. Case of Pacing: no sensing has occurred within the current rate interval, then a pace is delivered hysteresis pacing is disabled by restricting the new cycle to the lower rate interval (LRI = 1000ms) Case of Sensing: a heartbeat is sensed within the current rate interval, then further sensing is disabled for a ventricular refractory period (VRP = 400ms) to avoid noise following the heartbeat once VRP is over, the cycle is relaxed to a larger HRI without delivering a pace

9 Heart Ventricle Controller new_cycle[0, 0] start t hbn[vrp, *] when!pace do ri := HRI, sense := true computer_delay[1, 1], vsense[0, 0] when sense do ri := HRI, sense := false new_cycle[0, 0] start t hbp[0, 0] when pace ^ t do ri := LRI, pace := false VRP computer_delay[1, 1] vpace[0, 0] when!sense && t = ri do ri := LRI, pace := true

10 A TTM for Pacemaker Constants and timers #define VRP 400; #define LRI 1000; #define HRI 1200; timers end t: 0.. (HRI+1) enabledinit share initialization sense: BOOL = false // channel: sent from Heart, received by Controller pace : BOOL = false // channel: sent from Controller, received by Heart end

11 Module of Environment the human heart module HEART interface pace: share BOOL sense : share BOOL local ri : INT = HRI last_ri : INT = HRI // record ri before hbn or hbp occurs pc : INT = 0 events hbn[vrp, *] // natural heart beat when!pace && pc==0 do sense := true, ri := HRI, last_ri:=ri, // ri denotes prestate value pc := 1 end hbp[0,0] // paced heart beat when pace && VRP <= t && pc==0 do pace := false, ri := LRI, last_ri := ri, pc := 1 end new_cycle[0,0] // restart a new cycle when pc==1 start t do pc := 0 end interface or local variables variable modifier: in, out, share events: guards, time bounds, start or stop timers, simultaneous assignments

12 Module of Controller the ventricle controller module VENTRICLE_CONTROLLER interface pace : share BOOL sense: share BOOL local ri : INT = HRI pc: INT = 0 events vpace[0,0] when pc==0 &&!sense && t==ri do ri := LRI, pace := true, pc:= 1 end vsense[0,0] when pc==0 && sense do ri := HRI, sense := false, pc :=1 end compute_delay[1,1] when pc==1 do pc:= 0 end end

13 Module Instantiations & Compositions instances H = HEART (share pace, share sense) VC = VENTRICLE_CONTROLLER (share pace, share sense) end composition System = H VC end We also support iterated composition, e.g., in the Fischer s algorithm: composition fischer = i: PROCESS(share x, share c, in i) end

14 Properties Language: TTM vs Uppaal Assertion TCTL of Uppaal LTL of TTM/PAT Henceforth p S = A p S = p Eventually p S = A p S = p Whenever p, eventually q S = p q S = (p ( q)) Infinitely often p S = t rue p S = p Referring to a state M.state pc = state Non-Zenoness S = t ick p until q S = p q q releases p S = q p Nesting of temporal operators e.g., ( p (p q)) Referring to occurrences of event e e Timer t has increased monotonically mono (t) Eventually henceforth p S = p S possibly maintains p S = E p inverse of S = ( p) S possibly reaches p S = E p S reaches p Nesting of path quantifiers p

15 Formalizing Requirements We translate a list of requirements into LTL formulas: 1. A natural heartbeat occurs only in the interval [VRP, H.last_ri] in the cardiac cycle. System = (H.hbn VRP t H.last_ri) We couldn t use H.ri since it has already been changed by H.hbn. 2. Infinitely often, a natural or paced heart beat occurs between VRP and HRI time units from each other (note. LRI < HRI). No events illegally set the value of timer t. System = ( H.new_cycle t = 0 mono(t) ( (H.hbn H.hbp) VRP t HRI ) )

16 We also translate a list of healthiness conditions into LTL formulas: 1. Clock ticks infinitely often (non-zeno behaviour). System = tick 2. Timer t is always bounded by HRI. System = (t HRI + 1)

17 Demo: Locating the Pacemaker Example

18 TTM/PAT: Static Type Checking

19 TTM/PAT: Generating Reachability Graph

20 TTM/PAT: Graphical Simulation

21 TTM/PAT: Verification

22 TTM/PAT: Generating Counter-Example

23 TTM/PAT: Traceability of Counter-Examples

24 Evaluation: A Nuclear Shutdown System Context Diagram of SDS Nuclear Reactor State Diagram of SDS Controller both_hi[1,1] delay[29,29] power_low[1,1] power_hi[1,1] power_hi[1,1] relay:=open Trip Relay SDS Controller Pressure Power power_low[1,1] relay:=close delay[19,19] Analog Implementation of SDS Controller Pressure AND Timer1 AND Timer2 Relay Power

25 Liveness & Safety Properties Liveness Response Formula F res : Henceforth, if Power and Pressure simultaneously exceed their threshold values for at least 2 clock ticks, and 30 ticks later Power exceeds its threshold for another 2 ticks, then within 30 to 32 ticks, open the reactor relay for at least 20 ticks. [pattern: (p q)] Safety Recovery Formula F rec : Henceforth, if the relay is open for 20 ticks, and after the 20th tick the power is low for at least 2 ticks, then the relay is closed before the 22nd tick. [pattern: ( (T power_low = 2 rela y = open) )]

26 TTM/PAT outperforms manual encodings in Uppaal and SAL Property Controller Model TTM: t ick Result TTM/PAT Uppaal SAL F res : System Response F ires : Initialized System Response SP EC PROG SP EC r PROG r SP EC PROG SP EC r PROG r SP EC r1 SP EC r PROG r1 PROG r >1h #states: 421,442 #states: 1,771,396 #trans.: 821,121 #trans: 1,771,396 F rec : System Recovery SP EC PROG SP EC r PROG r SP EC r1 SP EC r PROG r1 PROG r >1h Unit of Measurement: Seconds

27 More in this Paper: TTM Semantics Abstract Syntax Single Machine Digitation using LTS turning event occurrences (e.g., t ick) into state predicates scheduling real-time: time bounds [l, u] e.g., spontaneous ([0, ]), instantaneous ([0, 0]) fairness assumptions: just (weak) vs compassionate (strong) e.g. just enter[0, ] when... do... end Multiple Machines module instantiation module composition iterated composition

28 Extended Work: Compositional Reasoning Motivation. local reasoning w.r.g. an arbitrary environment Rule m1 = m P m2 m Q P Q R m1 m2 = R Demonic, non-deterministic assignments to model event actions: a :: b :: BOOL c :: {on, off} d :: ARRAY[STATE](20) type STATE = {low, high} end module Plant interface power : out STATE = low pressure : out STATE = low events update[1, ] do power :: STATE, pressure :: STATE end

29 Conclusion textual syntax for the convenient, expressive TTM notation modules, events, time bounds, fairness assumptions untimed and timed LTL properties [mono. of timer, non-zeno] LTS semantics (i.e., digitization) tool support for automated encoding: TTM/PAT static type checking graphical simulation model checking & traceable counter-examples significantly better performance than encodings in Uppaal and SAL will improve the performance (e.g., BDD, DBM) event-based syntax is amenable to theorem proving when model checking runs out of steam!

30 Further References Compositional Reasoning using TTM/PAT J. S. Ostroff, C.-W. Wang, and S. Hudon. (2013) TTM/PAT: A Tool for Modelling and Verifying Timed Transition Models. Tech Report CSE

31 Please Question/Comment/Criticize.

32 in FTSCS 13 Index 2 Contents 3 Introduction 4 TTM/PAT: Architecture 5 TTM/PAT: Resources 6 Contributions 7 A Pacemaker Example 10 A TTM for Pacemaker 10 Constants and timers 11 Module of Environment the human heart 12 Module of Controller the ventricle controller 13 Module Instantiations & Compositions

33 in FTSCS Properties Language: TTM vs Uppaal 15 Formalizing Requirements 18 TTM/PAT: Static Type Checking 19 TTM/PAT: Generating Reachability Graph 20 TTM/PAT: Graphical Simulation 21 TTM/PAT: Verification 22 TTM/PAT: Generating Counter-Example 23 TTM/PAT: Traceability of Counter-Examples 24 Evaluation: A Nuclear Shutdown System 25 Liveness & Safety Properties 26 TTM/PAT outperforms manual encodings in Uppaal and SAL 27 More in this Paper: TTM Semantics 28 Extended Work: Compositional Reasoning

34 29 Conclusion 30 Further References 32 Index