# Formal Methods for Exquisite Systems Embedded and Distributed Real-Time

Hugo Macedo

Universidade do Minho

January 24, 2008

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# Table of contents

Motivation

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

VDM Concurrent

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

## Plan

#### Motivation

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

▲ロト ▲帰 ト ▲ 三 ト ▲ 三 ト ● の Q ()

### Devices connected to the physical world

- Better described by its world interaction
- Interaction via sensors and actuators
- Embedded systems
- Control programs
- Modes

# Try to apply formal methods

Scenario:

ESA will deploy a robot with a drill in the moon. It should drill  ${\sf x}$  centimeters long and stop.

Problem:

- What are the pre and post conditions?
- How could we check them?
- Possible solutions?
- How to model?

# Add the Real-Time Dimension

- Scheduling issues
- Time dependability
- Hard/Soft deadlines
- Periodicity

# Also the Distributed Dimension

- Synchronous/Asynchronous
- Physical vs Logical Time
- Communication Pattern

・ロト ・ 同ト ・ ヨト ・ ヨト

3

Dac

# Worst Hybrid Systems!

### Discrete/Continue Modeling



Figure: The water tank example

Pacemaker Case-Study

990

Exercise Case-Study

### Changes start early

### Requirements



VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# Industrially Valid Approach

### VDM

- VICE
- CSK successes

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

▲□▶ ▲□▶ ▲ 臣▶ ▲ 臣▶ ― 臣 … のへで

# Plan

Motivation

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

< ロ > < 同 > < 三 > < 三 > 、 三 、 の < ()</p>

# **VDM** Concurrency

- Concurrency in VDM++ is based on threads
- Threads communicate using shared objects
- Synchronization on shared objects is specified using permission predicates

Pacemaker Case-Study

Exercise Case-Study

◆ロト ◆昼 ト ◆臣 ト ◆臣 ト ◆ 日 ト

# Threading

### Threads

```
thread
(
    dcl id := threadid;
        ...
    while true do
        ...
)
```

Interpreter Commands

- threads
- curthread ( threadid )
- selthreadid

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

< □ > < □ > < 三 > < 三 > < 三 > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □

# Synchronization

- sync
- mutex
- history counters
- per

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

< □ > < □ > < 三 > < 三 > < 三 > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □

# **History Counters**

| <b>#req</b> op | The number of times that op has been requested |
|----------------|------------------------------------------------|
| #act op        | The number of times that op has been activated |
| <b>#fin</b> op | The number of times that op has been finalized |
| #active op     | The number of active executions of op          |

## Synchronization Examples

### A buffer with Put and Get operations

sync

```
per Put => #active(Get) = 0
```

```
per Get => #active(Put) = 0
```

```
per Get => buffer <> []
```

# Synchronization Examples

### A buffer with Put and Get operations

sync

```
per Put => #active(Get) = 0
```

```
per Get => #active(Put) = 0
```

```
per Get => buffer <> []
```

Or

sync

mutex(Put, Get)

VDM Concurrent

VDM VICE

Pacemaker Case-Study

900

Exercise Case-Study

## Plan

Motivation

VDM Concurrency

#### VDM VICE

Pacemaker Case-Study

Exercise Case-Study

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# VDM VICE Extension

- New primitives
- Methodology
- Toolbox extension
- Validation support

# Language Extensions

### Concurrency

- periodic (threads)
- async

### Real-Time

- time
- duration
- cycles

### Distribution

- system
- CPU
- BUS

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# Model paradigm



### Model paradigm



▲□▶ ▲□▶ ▲ 臣▶ ▲ 臣▶ ― 臣 … のへで

# Incremental Development

- VDM-SL
- Sequential
- Concurrent
- Distributed Real-Time

VDM Concurrence

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

## Plan

Motivation

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

VDM Concurrence

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

## Problem Domain



• I'm not a physician!

• Bradycardia

VDM Concurrence

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

### Problem Domain

- Operating modes
- External unit
- Accelerometer



900

Pacemaker Case-Study

Exercise Case-Study

◆ロト ◆昼 ト ◆臣 ト ◆臣 ト ◆ 日 ト

## DOO operating mode

- D: Pace Atria and Ventricle
- O: Ignore Atria senses
- O: Ignore Ventricle senses

Pacemaker Case-Study

▲ロト ▲帰 ト ▲ 三 ト ▲ 三 ト ● の Q ()

### Requirements

- FixedAV: There must be a 1500 ms period between an atrial event and a ventricular pace.
  - LRL: The number of pulses per minute delivered in atria must be at least 60.
  - URL: The number of pulses per minute delivered in ventricle must be at most 120.

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

< □ > < □ > < 三 > < 三 > < 三 > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □ > < □

# Abstract

- Eliciting requirements
- Single function
- DC

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# Example: DOO Mode

Pacemaker Case-Study

Exercise Case-Study

▲□▶ ▲□▶ ▲ 臣▶ ▲ 臣▶ ― 臣 … のへで

### Example: DOO Mode

Chamber = <ATRIA> | <VENTRICLE>;

SensedTimeline = set of (Chamber \* Time);

ReactionTimeline = set of (Chamber \* Time);

### Example: DOO Mode

```
Chamber = <ATRIA> | <VENTRICLE>;
SensedTimeline = set of (Chamber * Time);
ReactionTimeline = set of (Chamber * Time);
Pacemaker (mk_(inp,n) : SensedTimeline * Time) r : ReactionTimeline
post let nPulsesAtria = card {i | i in set r & i.#1 = <ATRIA>},
         nPulsesVentricle = card {i | i in set r & i.#1 = <VENTRICLE>}
     in nPulsesAtria / n >= (LRL / 60) / 1000
         and
         nPulsesVentricle / n <= (URL / 120) / 1000
         and
         forall mk (<ATRIA>.ta) in set r &
             (exists mk (<VENTRICLE>.tv) in set r & tv = ta + FixedAV) :
```

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

▲□▶ ▲□▶ ▲ 臣▶ ▲ 臣▶ ― 臣 … のへで

## Sequential

- 00 model
- Sequential DR-T
- Env/System
- CCS

VDM Concurrenc

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# Sequential

- OO model
- Sequential DR-T
- Env/System
- CCS



900

Pacemaker Case-Study

Exercise Case-Study

▲ロト ▲帰 ト ▲ 三 ト ▲ 三 ト ● の Q ()

### Example: Environment

```
public
Run: () ==> ()
Run () ==
  (
  while not (isFinished())
  do
      (
      createSignal();
      Pacemaker'rateController.Step();
      Pacemaker'heartController.Step();
      World'timerRef.StepTime();
      );
```

VDM Concurrenc

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# Concurrent

- Free the concurrency
- Wait/Notify
- Permission predicates



・ロト ・ 同ト ・ ヨト

500

Pacemaker Case-Study

Exercise Case-Study

< ロ > < 同 > < 三 > < 三 > 、 三 、 の < ()</p>

## Example: Environment

```
thread
 (
 start(new ClockTick(threadid));
 while not finished() do
  ( if busy
    then createSignal();
    World'timerRef.NotifyAndIncTime();
    World'timerRef.WaitRelative(0);
  );
);
```

Pacemaker Case-Study

Exercise Case-Study

▲ロト ▲帰 ト ▲ 三 ト ▲ 三 ト ● の Q ()

## Example: Environment

```
thread
  (
   start(new ClockTick(threadid));
   while not finished() do
     ( if busy
       then createSignal();
       World'timerRef.NotifyAndIncTime();
       World'timerRef.WaitRelative(0):
     );
  );
sync
mutex (handleEvent,showResult);
mutex (createSignal);
per isFinished => not busy and time >= simtime;
```

Pacemaker Case-Study

Exercise Case-Study

# Distributed Real-Time

- Time modelling
- Physical architecture
- VDMTools time



Exercise Case-Study

▲□▶ ▲□▶ ▲ 臣▶ ▲ 臣▶ ― 臣 … のへで

# Examples

#### Environment

thread

periodic (1000,10,900,0) (createSignal);

Exercise Case-Study

< ロ > < 同 > < 三 > < 三 > 、 三 、 の < ()</p>

## Examples

#### Environment

#### thread

```
periodic (1000,10,900,0) (createSignal);
```

#### Lead

Requirement: Pulses must have 4 ms width.

```
private
dischargePulse : Pulse * Chamber ==> ()
dischargePulse (p,c) ==
    duration(4)
World'env.handleEvent(p,c,time);
```

Exercise Case-Study

◆ロト ◆昼 ト ◆臣 ト ◆臣 ト ◆ 日 ト

## Examples

#### System

instance variables

cpu1 : CPU := new CPU(<FCFS>,1E6); cpu2 : CPU := new CPU(<FCFS>,1E6); cpu3 : CPU := new CPU(<FCFS>,1E6); cpu4 : CPU := new CPU(<FP>,1E6);

Exercise Case-Study

▲ロト ▲帰 ト ▲ 三 ト ▲ 三 ト ● の Q ()

## Examples

System

instance variables

cpu1 : CPU := new CPU(<FCFS>,1E6); cpu2 : CPU := new CPU(<FCFS>,1E6); cpu3 : CPU := new CPU(<FCFS>,1E6); cpu4 : CPU := new CPU(<FP>,1E6);

#### Connecting CPU's

```
-- Lead (artia) <-> HeartController
bus1 : BUS := new BUS(<FCFS>,1E6,{cpu1,cpu4});
-- Lead (ventricle) <-> HeartController
bus2 : BUS := new BUS(<FCFS>,1E6,{cpu2,cpu4});
-- Accelerometer <-> RateController
bus3 : BUS := new BUS(<FCFS>,1E6,{cpu3,cpu4});
```

Pacemaker Case-Study

Exercise Case-Study

## Architecture Visualization



▲□▶ ▲□▶ ▲ 臣▶ ▲ 臣▶ ― 臣 … のへで

Pacemaker Case-Study

## Validation



VDM Concurrence

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

# Plan

Motivation

VDM Concurrency

VDM VICE

Pacemaker Case-Study

Exercise Case-Study

< ロ > < 同 > < 三 > < 三 > < 三 > < ○ < ○ </p>

# A Simple ABS System

A typical ABS is composed of a central electronic unit, four speed sensors (one for each wheel), and two or more hydraulic valves on the brake circuit. The electronic unit constantly monitors the rotation speed of each wheel. When it senses that any number of wheels are rotating considerably slower than the others it moves the valves to decrease the pressure on the braking circuit, effectively reducing the braking force on that wheel. This process is repeated continuously, and this causes the characteristic pulsing feel through the brake pedal. A typical anti-lock system can apply and release braking pressure up to 20 times a second.

▲□▶ ▲□▶ ▲□▶ ▲□▶ ▲□▶ ■ のへで

