Here is another MSC, reporting a timing violation problem discovered by Theo Ruys a little later. This design error has to do with the heartbeat signals and maximal
Formal Methods in Software Engineering
This Part
We apply the concepts, methods and tools you learnt to love in contexts that are relatively close to what the people out there are facing.
In this lecture I show you what they are facing, and I round off the entire lecture series.
Contents of this lecture
A real application.
Testing based on formal methods.
Another real application.
Model construction and model checking.
Nieuwe Waterweg Storm surge barrier
First planned in 1953. Completed in 1999. Some statistical data:
Each barrier wall is as long as the Eiffel Tower is tall, and weighs twice as much.
Decisions are taken 24 hours before actual closure and are reversible until 3 hours before closure.
Fully mechanised, software-controlled decision procedure (where 'fully' means FULLY).
[Figure: map of the barrier in the Nieuwe Waterweg near Rotterdam, marking the locations of 'BESW', 'BOS' and the North Wall.]
The Storm surge barrier
The system consists of distributed components:
north wall, south wall,
various hydraulic parts, engines, etc.
BOS ('beslissing & ondersteunend systeem', decision and support system) knows the environmental conditions and takes decisions based on the available data;
BESW ('besturingssysteem waterweg', waterway control system) implements the BOS instructions.
The Storm surge barrier
Budget issues:
Total costs > 500 million €;
costs for software < 10 million € (< 2%).
Control software ('BBI') developed mainly by CMG.
Formal specification techniques used: Z, and Promela (the input language of the Spin model checker; an academic SDL-like variant, nicer to use).
Experience (in a nutshell):
BBI main components: BOS
is informed every 10 minutes about water, wind and weather status and forecast;
computes the anticipated water level.
BBI main components: BESW controls
water levels in docks;
opening/closing of dock gates;
moving of barrier walls;
sinking and refloating of barrier walls;
…
BESW implements the BOS instructions.
Some fragments of the BBI in SDL
[Block diagram: block BOS, connected to ENV by the signal lists [status, stop, close, …], [data] and [curr], and to BESW by the channels BOS2BESW and BESW2BOS.]
BESW process fragment in SDL
[SDL process diagram rendered as text. Recoverable content: in state Closing, on input closed FROM SOUTH the process sets S_active := ff, S_ready := tt; on input closed FROM NORTH it sets N_active := ff, N_ready := tt. It then computes active := S_active && N_active, ready := S_ready && N_ready, stopped := S_stopped && N_stopped and outputs curr(active, ready, stopped). On input stop, each wall that is still active is stopped: if S_active then S_active := ff, S_stopped := tt; if N_active then N_active := ff, N_stopped := tt. The flags are declared (DCL) as booleans with values tt/ff.]
BOS process fragments in SDL
[SDL process diagram rendered as text. Recoverable content: process BOS with states Idle, Checking and Waiting, plus a * (any-state) transition; inputs status, curr(active, ready, stopped), data(…) and emergency, and a spontaneous (NONE) transition; outputs close and stop.]
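As an added example (not code from the lecture or from the BBI project), the two SDL fragments above, the BESW aggregation of per-wall status into curr(active, ready, stopped) and the BOS close/stop interaction, rendered as a small explicit-state model in Python and exhaustively explored, which is what a model checker such as Spin does with a Promela model. The message vocabulary (close, stop, closed FROM SOUTH/NORTH, curr, the S_*/N_* flags) comes from the slides; the physical-wall model, the per-wall queues and the BOS control states Waiting/Closed/Emergency are assumptions. The mutant aggregation function is constructed here only to show the checker producing a counterexample trace; it is not the design error reported on the following slides.

```python
from collections import deque
from typing import NamedTuple, Optional, List

WALLS = ("S", "N")   # south and north barrier wall, as in the SDL fragment


class State(NamedTuple):
    bos: str          # BOS control state: Idle | Waiting | Closed | Emergency (assumed)
    wall: tuple       # physical state per wall: open | closing | closed | stopped (assumed)
    var: tuple        # BESW flags per wall: (active, ready, stopped) = the slide's S_*/N_*
    bos2besw: tuple   # channel BOS2BESW
    besw2bos: tuple   # channel BESW2BOS, carries curr(active, ready, stopped)
    wall2besw: tuple  # "closed FROM w" reports from the walls
    besw2wall: tuple  # one queue per wall (assumed; not on the slide)


def initial_state() -> State:
    return State("Idle", ("open", "open"), ((False, False, False),) * 2, (), (), (), ((), ()))


def aggregate(var):
    """Exactly the slide's assignments: active := S_active && N_active,
    ready := S_ready && N_ready, stopped := S_stopped && N_stopped."""
    return tuple(all(v[i] for v in var) for i in range(3))


def aggregate_mutant(var):
    """Constructed mutation, not from the slides: 'ready' as soon as either
    wall reports closed. Used only to show the checker is not vacuous."""
    active, _, stopped = aggregate(var)
    return (active, any(v[1] for v in var), stopped)


def successors(s: State, agg):
    """Every enabled single step of the interleaved system, as (label, next)."""
    out = []
    if s.bos == "Idle":                                # BOS decides to close
        out.append(("BOS!close", s._replace(bos="Waiting", bos2besw=s.bos2besw + ("close",))))
    if s.bos == "Waiting":                             # emergency stop while closing
        out.append(("BOS!stop", s._replace(bos="Emergency", bos2besw=s.bos2besw + ("stop",))))
    if s.besw2bos:                                     # BOS consumes curr(...)
        curr, rest = s.besw2bos[0], s.besw2bos[1:]
        nxt = "Closed" if s.bos == "Waiting" and curr[1] else s.bos
        out.append((f"BOS?curr{curr}", s._replace(bos=nxt, besw2bos=rest)))
    if s.bos2besw:                                     # BESW consumes a BOS instruction
        msg, rest = s.bos2besw[0], s.bos2besw[1:]
        if msg == "close":
            var = ((True, False, False),) * 2          # both walls become active
            out.append(("BESW?close", s._replace(
                bos2besw=rest, var=var, besw2wall=tuple(q + ("close",) for q in s.besw2wall))))
        else:                                          # stop: w_active := ff, w_stopped := tt
            var = tuple((False, r, True) if a else (a, r, st) for a, r, st in s.var)
            out.append(("BESW?stop", s._replace(
                bos2besw=rest, var=var, besw2bos=s.besw2bos + (agg(var),),
                besw2wall=tuple(q + ("stop",) for q in s.besw2wall))))
    if s.wall2besw:                                    # BESW consumes "closed FROM w"
        w, rest = s.wall2besw[0], s.wall2besw[1:]
        var = list(s.var)
        var[WALLS.index(w)] = (False, True, False)     # w_active := ff, w_ready := tt
        var = tuple(var)
        out.append((f"BESW?closed FROM {w}", s._replace(
            wall2besw=rest, var=var, besw2bos=s.besw2bos + (agg(var),))))
    for i, w in enumerate(WALLS):                      # the physical walls (assumed model)
        if s.besw2wall[i]:
            msg, rest = s.besw2wall[i][0], s.besw2wall[i][1:]
            wall, qs = list(s.wall), list(s.besw2wall)
            qs[i] = rest
            if msg == "close" and wall[i] == "open":
                wall[i] = "closing"
            elif msg == "stop" and wall[i] == "closing":
                wall[i] = "stopped"
            out.append((f"{w}?{msg}", s._replace(wall=tuple(wall), besw2wall=tuple(qs))))
        if s.wall[i] == "closing":                     # wall finishes and reports closed
            wall = list(s.wall)
            wall[i] = "closed"
            out.append((f"{w} closed", s._replace(wall=tuple(wall), wall2besw=s.wall2besw + (w,))))
    return out


def violates(s: State) -> bool:
    """Safety property: BOS regards the barrier as closed only if both walls are."""
    return s.bos == "Closed" and any(p != "closed" for p in s.wall)


def check(agg=aggregate) -> Optional[List[str]]:
    """Breadth-first exploration of all reachable states. Returns None if the
    property holds everywhere, else the shortest counterexample as step labels."""
    init = initial_state()
    parent = {init: None}
    todo = deque([init])
    while todo:
        s = todo.popleft()
        if violates(s):
            trace = []
            while parent[s] is not None:
                label, s = parent[s]
                trace.append(label)
            return trace[::-1]
        for label, t in successors(s, agg):
            if t not in parent:
                parent[t] = (label, s)
                todo.append(t)
    return None


if __name__ == "__main__":
    print("slide model:", check())                # None: property holds
    print("mutant:     ", check(aggregate_mutant))  # a 6-step trace ending in BOS?curr(...)
```

The state space is finite because every channel is bounded by the protocol itself (one close, one stop, at most one closed per wall), so the search terminates without an explicit queue bound. With the slide's conjunctive aggregation the search finds no violation; with the constructed mutant it returns the shortest interleaving in which BOS enters Closed while the north wall is still open, which is the kind of MSC the model checker reports.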
Problems?
Well, here is the intended behaviour. That's how it should be. Good!
BESW process fragment in SDL (the same fragment, shown again)
Here is the (almost) original MSC, reported by Pim Kars in November 1998. It was found with the model checker
Storm surge barrier: Results
Z was used for specifying the functions performed by processes; syntax and type checking were done with the ZTC tool.
Z was found very useful, but was also found to allow too great a deal of freedom and to offer little structure for the style in which it is to be used.