Industrial Application of the System-Level Simplex Architecture for Real-Time Embedded System Safety by Bak, Stanley
c© 2009 by Stanley Zbigniew Bak. All rights reserved.
INDUSTRIAL APPLICATION OF THE SYSTEM-LEVEL SIMPLEX
ARCHITECTURE FOR REAL-TIME EMBEDDED SYSTEM SAFETY
BY
STANLEY ZBIGNIEW BAK
B.S., Rensselaer Polytecnic Institute, 2007
THESIS
Submitted in partial fulfillment of the requirements
for the degree of Master of Science in Computer Science
in the Graduate College of the
University of Illinois at Urbana-Champaign, 2009
Urbana, Illinois
Adviser:
Associate Professor Marco Caccamo
Abstract
Cyberphysical systems differ from traditional computer programming applications in that software
bugs and mistakes have immediate, possibly dangerous, physical-world consequences. Rather than
requiring all control software be formally verified, which is often impractical, we develop a framework
based on the Simplex Architecture, where an untrusted complex controller is allowed to actuate the
plant while being monitored by a simpler, verified safety controller and associated decision logic. We
use hardware/software co-design to eliminate large classes of potential software bugs associated with
system control by developing the System-Level Simplex Architecture. Then, within an industrial case
study, we use model-checking to help create and verify the safety-critical decision logic component
of the System-Level Simplex Architecture, in the end generating verified VHDL (hardware) code.
ii
Acknowledgments
This project would not have been possible without the support of many people. Many thanks to my
adviser, Marco Caccamo, who guided me throughout the research and thesis process. My other PhD
adviser Lui Sha was essential to guiding the development of the System-Level Simplex Architecture.
Ashley Greer and the folks at John Deere also significantly helped shape this thesis. Thanks to the
University of Illinois at Urbana-Champaign Computer Science department for twice awarding me the
Debra and Ira Cohen Graduate Fellowship (and thanks to Debra and Ira Cohen for sponsoring the
fellowship), which helped provide financial means to perform this work. Finally, thanks to parents
and friends who helped relieve the stress inherent in performing research.
Although industrial support was essential to the completion of this thesis, any opinions, findings,
and conclusions or recommendations expressed in this publication are those of the author and do
not necessarily reflect the views of John Deere.
iii
Table of Contents
Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1 Background Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.1.1 The Simplex Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1.2 Other Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.2 Thesis Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Chapter 2 System-Level Simplex . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.1 System-Level Versus Application-Level . . . . . . . . . . . . . . . . . . . . . . . . . . 5
2.2 Inverted Pendulum Prototype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.3 Cardiac Pacemaker Prototype . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Chapter 3 Application Within Industry . . . . . . . . . . . . . . . . . . . . . . . . 11
3.1 Application Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
3.2 Formal Problem Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3.3 Discrete Problem Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
3.4 Model Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
3.5 Properties and Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.5.1 Rollover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.5.2 Overslip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.5.3 Oversteer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.5.4 Collision . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.6 Behavior Determination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.6.1 Rollover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
3.6.2 Overslip . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
3.6.3 Oversteer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3.7 Behavior Description and VMaude . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
3.7.1 Maude Decision Module Behavior Description . . . . . . . . . . . . . . . . . . 29
3.7.2 VMaude Decision Module Behavior Description . . . . . . . . . . . . . . . . . 31
3.8 Code Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.9 Improving Model-Checking Run Time . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Chapter 4 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Appendix A Code Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
A.1 Inverted Pendulum VHDL Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
A.2 Model Generator Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
A.3 Sample Model File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
A.4 VMaude Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
A.5 Roll VMaude Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
A.6 Roll VHDL Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
A.7 VHDL Generator Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72




Modern cyberphysical systems are growing in complexity and must meet strict requirements involv-
ing reliability, safety, and performance. Reliability and safety are difficult to scale using traditional
designs because large systems have high complexity, and high system complexity creates more pos-
sibilities for errors. Additionally, high performance often demands significant system complexity,
intensifying the problem.
One approach which deals with complex systems in safety-critical environments is the Simplex
Architecture [7,19–21]. This architecture provides safety guarantees by “using simplicity to control
complexity”. It uses a simple safety controller subsystem to ensure the stability of the plant.
This conservative safety control core is then complemented by a high-performance complex control
subsystem. A decision module then uses the high-performance complex controller whenever possible,
but will switch to the safety controller when safety is jeopardized. The Simplex design has been
previously been applied to improve the safety of a diving controller [8], a fleet of remote-controlled
cars [7], and a set of advanced aircraft maneuvers [18].
There are two major concerns when the Simplex Architecture is used in a safety-critical system,
both of which are addressed in this thesis.
• First, using Simplex as originally described, at the software level, creates a large body of un-
verified dependencies. For example, if the simple safety controller and the high-performance
complex controller both use a shared operating system, a bug in the operating system may
destabilize the plant. By using hardware/software co-design, the System-Level Simplex Archi-
tecture eliminates such common dependencies and therefore provides more robust control.
• Second, applying Simplex to a system requires a verifiably correct safety controller and decision
module, which are nontrivial to produce. Previous work [20] used control theory to produce
these subsystems in a continuous state space. However, no techniques has previously been
provided which can verifiably use Simplex in discrete or hybrid (mixed discrete and continuous)
systems. We go through an in-depth case study which uses model-checking to construct a
verifiably correct trusted computing base for the System-Level Simplex Architecture. The
case study focuses on control of autonomous John Deere vehicles, and the investigated models
are not always continuous.
1.1 Background Knowledge
In order to put the thesis into context, we begin by providing background knowledge about the
thesis topic. First, an overview of previously-developed Simplex research is provided in Section
1
1.1.1. Then, other related ideas are given in Section 1.1.2.
1.1.1 The Simplex Architecture
The original Simplex Architecture provides a fail-operational mechanism for a malfunctioning soft-
ware controller. The architecture permits online modification and upgrade to control software with-
out sacrificing safety. It is a robust design where complex controller bugs can be detected and fixed
during run-time without jeopardizing safety.
The Simplex Architecture uses three subsystems: safety, complex, and decision. The safety
subsystem has a simple, reliable controller which provides verifiably safe performance. This is used
in case the complex controller malfunctions. The complex subsystem drives the system during
regular operation, as long as it does not jeopardize system liveliness. This controller can be changed
and upgraded while the system is running and may even contain bugs (therefore it does not need to
be verified, or may even be too complex to fully verify). The decision subsystem chooses which of
the two previously-mentioned controllers to use. An overview of the system is shown in Figure 1.1.
Figure 1.1: The Simplex Architecture maintains safety in spite of errors by switching between two
controllers.
The safety subsystem and decision subsystem must be verified to guarantee that, in every possible
way the complex controller can malfunction, the safety controller will actuate the system in time
to prevent a violation of the operational constraints. In a continuous space, one way to construct
these two components correctly leverages on control theory.
First, a set of operational state constraints are obtained to provide the definition of system
liveliness. Next, we can obtain the safe region by calculating a Lyapunov function [3]. The safety
controller should always be able to prevent violations of operational constraints if used within the
safe region. We then take a subset of the safety state region, the recoverable region, to be the
region where we use the complex controller, such that leaving the smaller state space is interpreted
as being in danger of committing a safety violation. If the system leaves the recoverable region
(perhaps because of a complex controller malfunction), the safety controller takes control and drives
the system, thus preserving system liveliness. Of course, the system designer must ensure the safety
controller has a chance to take over while still in the safe region; our state should not be able to
2
jump from inside the recoverable region to outside the safe region in a single control iteration. An
abstract representation of these state spaces in two dimensions is shown in Figure 1.2.
Figure 1.2: The safe region is a set of states with which the safety controller can maintain system
liveliness. This can be determined in a continuous state space through a Lyapunov function. The
recoverable region is a subset of the safe region that can tolerate aggressive actuation without exiting
the safe region in a single control iteration.
We stress that a good decision module will use the complex controller whenever it is functioning
correctly and only switch to the safety controller when in danger of violating the safety condition.
1.1.2 Other Related Work
Other research has been performed on producing robust and reliable cyberphysical systems.
One method such method is N-version programming [4]. In this method, multiple versions of
software are independently created from the same specification. Then, all are run and the result
given by the majority of versions is taken as the output of the system. One drawback with this
method is the lack of statistical independence of bugs [5, 9]. Additionally, for a constant amount of
development effort, N-version programming is actually less reliable than focusing on a single version
over a wide range of parameter values [20].
Another reliability mechanism is the recovery block concept [15]. In this approach, several
alternative methods are developed. We first run the fully featured one and check if it is correct. If
it is, we use it. Otherwise, we try the simpler ones. The essential difference between recovery blocks
and the Simplex Architecture is that the former is a backward recovery method while the latter is
a forward recovery method.
A common engineering practice to increase system reliability in spite of unreliable hardware is
triple modular redundancy (TMR) [11]. In this scheme, three versions of identical hardware running
an identical program are run with the same input. The output is then voted upon, such that if any
one of the outputs is incorrect (due to a hardware failure or random environmental interference [12]),
the overall system continues to function correctly. This technique, unlike the Simplex Architecture,
is powerless against errors in the logic of the program, since all three modules will produce the
identically incorrect output. However, it is effective against random hardware failures and other
transient faults and thus can be used in conjunction with the Simplex Architecture to prevent both
logical and random errors.
3
1.2 Thesis Overview
This thesis is divided into two main chapters for the two main contributions. First, we describe
the System-Level Simplex Architecture in Chapter 2, which uses hardware/software co-design to
eliminate common dependencies between the Simplex subsystems. Next, in Chapter 3, we go through
an in-depth case study which uses model checking to construct a System-Level Simplex system
targeted for partially autonomous John Deere tractors. These two main chapters are followed up by
key insights and conclusions in Chapter 4. Finally, in Appendix A, we include the source code for




The original Simplex design, which we will now refer to as the Application-Level Simplex Architec-
ture, can still be vulnerable to certain types of faults, particularly bugs in the operating system,
middleware, and the underlying microprocessor. We address these concerns in Section 2.1 by in-
troducing the novel idea of the System-Level Simplex Architecture. Then, we demonstrate the
robustness of System-Level Simplex Architecture by building two prototypes. In Section 2.2, we
describe an inverted pendulum prototype, and in Section 2.3, we describe a prototype cardiac pace-
maker built using the System-Level Simplex design.
2.1 System-Level Versus Application-Level
Simplex, as described earlier in Section 1.1.1, contains three main subsystems. The complex con-
troller is an unverified component which drives the system under normal operation. If the complex
controller misbehaves, the safety controller takes over prior to the system collapsing and recovers
the plant. The decision module determines when to perform the switching action, so as to never
violate a particular safety requirement.
The Application-Level Simplex Architecture has all three subsystems located at the application-
level. This works well for protecting the system from faults directly from complex controller, however
it does not provide safety for indirect faults of underlying components. For example, if the operating
system which runs all three subsystems in the Application-Level Simplex Architecture contains a
bug and crashes, plant safety can no longer be guaranteed. In fact, the microprocessor, the operating
system, and any middleware are required to be correct for a verifiable safe system. We relax this
requirement in the System-Level Simplex Architecture by performing hardware/software partitioning
on the system. The two Simplex safety-critical components, the safety controller and the decision
module, are moved into a dedicated processing unit outside of the microprocessor.
Notice that this is hardware/software co-design, except that we perform this move not for typical
reasons of performance and power consumption, but instead to protect from software-related faults.
This is a novel idea, using hardware/software co-design to improve system safety.
The system designer has a choice for the dedicated processing unit which will run the Simplex
safety core. One option is to use a microcontroller to run the two safety core subsystems. However,
in safety-critical systems, even processors are not completely trusted [24], and we would prefer
to eliminate this underlying complexity (we will touch on this point in our pacemaker prototype
in Section 2.3). We instead run the Simplex safety core on dedicated hardware. Ideally, for a
production version, we would produce an Application-Specific Integrated Circuit (ASIC). Instead,
5
to save time and money, we opted to construct our prototypes using Field Programmable Gate
Arrays (FPGAs). The same VHDL code used to program an FPGA can be used to produce an
ASIC.
By moving the Simplex safety core to isolated hardware, we can also provide temporal correctness
for the monitored safety properties. If the high-performance complex subsystem does not produce
a control command in the appropriate time, whether caused by an RTOS bug, poor cache perfor-
mance or excessive bus contention, the conservative safety controller’s output is used. Since the
safety controller runs in parallel on isolated hardware (which prevents run-time variations caused
by resource sharing), the temporal constraints are met by design.
We now describe two prototype systems which we developed using the System-Level Simplex
Architecture. First, we describe an inverted pendulum, and later we provide details about our
cardiac pacemaker prototype.
2.2 Inverted Pendulum Prototype
An inverted pendulum is a classical control testbed where a rod must be maintained upright by
moving a cart along a track. Additionally, an inverted pendulum presents an obvious failure state
when the rod falls over. We implemented the System-Level Simplex Architecture on an inverted
pendulum and evaluated its robustness in the presence of various failures. The VHDL source code
for our inverted pendulum prototype is listed in Appendix A.1.
Automatic control for an inverted pendulum is a well-studied stability problem. By taking
measurements of our specific inverted pendulum, we were able to generate code for the safety
controller using Matlab Simulink. The generated code was 86 lines of C code which consisted of a
sequence of simple matrix operations. We translated this C code into a VHDL state machine, which
performed the required mathematical operations to drive the safety controller. The resultant VHDL
module was 880 lines long and used a well-tested, open-source floating point unit1 [2].
The stability of an inverted pendulum can be modeled with a Lyapunov function [3]. We take
a subset of this stable region to be the recoverable region where aggressive action can be tolerated.
When the state is in this recoverable region, we use the voltage value from the complex controller
to actuate the motor on the cart of the inverted pendulum. Otherwise, the safety controller’s result
is used.
Our hardware implementation resides on an externally-powered Xilinx ML505 FPGA. The FPGA
uses a PCIe port to communicate with the software portion of the Architecture. The software por-
tion can run on any computer capable of using the PCIe bus, although our current driver is written
for Linux. The operating system does not even need to be aware of real-time requirements, as the
System-Level Simplex Architecture will safely handle any timing faults that occur. Our implementa-
tion, however, uses Linux/RK [14] as the OS for the complex controller. Through memory-mapped
I/O, the complex controller reads the most recent angle and track position and suggests a motor
voltage to the hardware-based decision module.
Through the implementation, we successfully demonstrated that the software-based complex
controller was able to actuate the inverted pendulum as long as it did not jeopardize safety. When
1Alternatively, we could have used fixed-point arithmetic if the complexity of the FPU was undesired.
6
the pendulum’s state left the recoverable region, the safety controller took over and prevented the
pendulum from collapsing. In this way, we verified that the system was able to tolerate the following
faults:
• No Output: The complex controller sends no output. This can occur, for example, if it enters
an infinite loop.
• Maximum Voltage: The complex controller sends a control command to the motor to run
at the highest speed possible.
• Wrong Way — Maximum Voltage: A control command is sent to the motor to go as fast
as possible in the direction that will most quickly destabilize the pendulum.
• Time Degraded Control: A control bug design by a senior control engineer from Honeywell
which, over time, provides increasingly degraded control. A video of this bug is available [25].
• Operating System Crash: The operating system running the complex controller crashes.
• Timing Faults: The software-based complex controller runs below its required frequency.
This can be because of a lack of real-time scheduling, or an over-utilized system.
• Computer Reboot: The computer running the complex controller is shut down and restarted.
We outline two of the faults in detail: the wrong way bug, and the computer reboot bug.
Wrong Way — Maximum Voltage
The pendulum should remain balanced even if the complex controller outputs a motor voltage that
would normally destabilize the system. This test took an extreme case of this where we used a
working inverted pendulum controller for a few seconds, and then output the maximum voltage
in the direction opposite of that needed to stabilize the pendulum. The decision module detected
that the system state was no longer in the recoverable region and switched control to the safety
subsystem. The safety controller returned the pendulum to a stable state and control was again
given to the complex subsystem after a few seconds. Measurements from one iteration of this process
are given in Figure 2.1.
Computer Reboot
The System-Level Simplex Architecture provides protection from arbitrary operating system behav-
ior, including rebooting the system. From the decision module’s perspective, the computer rebooting
is equivalent to a complex controller that sends no output. We ran this test on our inverted pendu-
lum setup, and the pendulum remained stable throughout the reboot process. Additionally, after
the computer restarted, the software-based complex controller was able to regain control of the in-
verted pendulum using memory-mapped I/O with the FPGA. This is significant because a common
remedy for software problems is rebooting the computer; a malfunctioning complex controller can
be repaired in this fashion while the system remains stable and safe.
7
Figure 2.1: When the inverted pendulum state passes the edge of the recoverable region (dashed
line), the safety controller takes over and prevents system collapse.
2.3 Cardiac Pacemaker Prototype
An artificial pacemaker is a piece of hardware inserted into a patient’s body in order to regulate
his or her heart rate. Detailed designs of cardiac pacemakers have been disclosed [17, 23]. Here, we
examine the practicality and usefulness of the System-Level Simplex Architecture in this real-time
safety-critical application.
We investigate two practical considerations for using the System-Level Simplex Architecture:
• Can the system be divided up into a safe controller and a complex controller such that the
most likely causes of failure are contained in the complex controller?
• Is implementing the safety controller and decision module on FPGA hardware possible and
practical?
The first concern, the division of the system into complex and simple controllers, is domain-
specific. In order to address this, we must examine some properties of artificial pacemakers.
The first generation of artificial pacemakers actuated the heart at a set interval. This functional-
ity was sufficient to keep the patient alive, however, problems did arise. For example, when a healthy
person walks up stairs or performs strenuous action, his heart rate increases. The first generation
of pacemakers did not take this into account and patients would become dizzy or uncomfortable
throughout the day. Additional functionality was added to pacemakers to detect if the heart rate
should be increased by monitoring the patient’s body, for example using accelerometer readings in
conjunction with advanced algorithms to infer the patient’s current activity level [23]. Requirements
were then added on top of this to preserve smooth heart-rate transitions, rather then suddenly jump-
ing from 65 to 120 beats per minute because of a sudden large acceleration. Additionally, modern
pacemakers attempt to detect and log anomalous events with the heart to aid a doctor’s diagno-
sis. The logged data must be retrieved, and this is done through wireless communication with an
external device.
Modern pacemakers have many other requirements, however we already covered enough to apply
8
the System-Level Simplex Architecture. The rate-adaptive pacing modes, where the heart rate
changes over time, require complex functionality. The pacing rate to which we should change is
a function of the current rate, as well as the past and present accelerometer readings. The safety
properties we want to enforce are that the heart rate should be between a lower rate limit and an
upper rate limit, and should not change by more than some rate smoothing parameter. These are the
properties we codify into the decision module. The safety controller is a simple implementation that
meets our requirements. We choose a safe controller that slows down the heart to the resting rate
(lower rate limit) in a way that satisfies the rate smoothing requirement. This safety controller does
not have rate-adaptive functionality, but instead it acts a fail-operational mode that will maintain
safety for the patient.
Our second concern is the feasibility of implementing the Simplex safety core on dedicated hard-
ware. Software engineering is typically much easier than programming an algorithm in hardware,
so we must confirm that the safety controller and decision module are practical to implement. In
our prototype, we take advantage of reprogrammable hardware components2 (FPGAs). In order to
program an FPGA we must provide a description of the hardware using a Hardware Description
Language (HDL) such as VHDL. In the case of the pacemaker, the pacing controller is described
using a finite state machine.
The finite state machine description of the pacemaker behavior is also useful in verification.
The pacemaker finite state machine model was manually described in Maude [6] and exhaustively
searched using the Maude model checker for safety violations, for all possible behaviors of the
complex controller. The idea of using model-checking to produce a safe decision module is explored
in great detail during the industrial case-study presented in Chapter 3.
Implementing the pacemaker on a modern FPGA also provides us with a means to control
power consumption. Xilinx FPGAs have several clock regions which can be toggled on or off [1].
By implementing a soft processor on the FPGA for the complex subsystem, the processor’s clock
can be disabled when the battery is low. In CMOS circuits, preventing transistor state changes
(by stopping the clock) results in near-zero power consumption. This provides the System-Level
Simplex the possibility to provide power isolation from the complex controller.
Comparison with Existing Pacemaker Reliability Mechanisms
Artificial pacemakers are safety-critical systems and as such they already contain some reliabil-
ity mechanisms. We compare the existing reliability mechanisms found in one previous-generation
pacemaker description [23] to the proposed design created using the System-Level Simplex Archi-
tecture. We focus on two mechanisms for enhanced reliability which were present in the pacemaker
description we examined.
The first is a watchdog timer which is periodically reset during normal system execution. If the
execution hangs at some point, the timer will not be reset and will timeout. The timeout triggers
a high-priority interrupt which signals that an anomalous event has occurred and the system is
reinitialized. Alternately, the system can instead shut down as a fail-safe mechanism.
The watchdog timer mechanism is compatible with the System-Level Simplex Architecture. It
provides a means to restart the system when it enters a rare error state. However, the watchdog
2A production pacemaker would likely use an application-specific integrated circuit (ASIC) for the final product.
ASICs can be manufactured using the same VHDL code used to program an FPGA.
9
timer does not protect the system from unsafe pacing, only system hangs. Additionally, deterministic
bugs in the program will continue to restart the system, whereas a System-Level Simplex system is
able to function safely in spite of deterministic bugs in the complex controller.
The other safety mechanism we examine is a redundant pacemaker system which, at first, appears
to be similar to the System-Level Simplex Architecture. This system provides a simpler pacing mode
without rate-adaption. This system is activated, and the microprocessor is deactivated when “a fault
is detected in the operation of the microprocessor circuit.” This component, like the System-Level
Simplex Architecture, provides protection from microprocessor errors. This is a real cause of concern
with this specific pacemaker design because it uses a custom pacemaker-specific microprocessor.
However, it does not provide protection from logical faults in the software. Additionally, control
is switched to this system when any fault in the microprocessor is detected. In the System-Level
Simplex Architecture, a microprocessor fault that only affects the logging mechanism (perhaps
because of a rarely used instruction), one that does not compromise safety, would not mandate a




To provide further insight into the Simplex Architecture and its application, we now go through
an in-depth case study applying the architecture towards control of partially autonomous tractors.
While describing the case study, in addition to presenting our conclusions, we will also explain key
insights we discovered while going through the process.
We will first provide a an overview of the application in Section 3.1. Next, we describe the
formal model generation process in Section 3.4. Then, we outline the three specific properties we
investigated in Section 3.5, and the process of determining a verifiably correct decision module for
each property in Section 3.6. Exactly describing the decision module behaviors is done in Section 3.7,
followed up by VHDL-code generation in Section 3.8 and insights about improving model-checking
run time in Section 3.9.
3.1 Application Overview
In collaboration with John Deere, we have been working to verify certain properties dealing with
the behavior of autonomous tractors. We are not providing the autonomous behavior itself, but
instead providing a way to guarantee that the tractor will never misbehave, in spite of a complex and
unverified controller. This is particularly important for autonomous tractors, since a human operator
brings a large amount of intuition that is used, but not immediately apparent when operating a
tractor. For example, if a human is driving a tractor at a rapid velocity on a steep hill, he intuitively
knows not to turn sharply uphill or the tractor may roll over. This may be left out of a high-level
automated controller which is attempting to go from point A to point B as quickly as possible.
Additionally, controllers are not perfect, so even if such considerations are present in the high-level
code, their implementations may contain bugs or miss edge cases. Our goal then, is to be able
to use a high-level controller which we did not develop, and be able to provide a guarantee that
the composite system of the high-level controller and our Simplex instance always meets certain
properties, for example never rolling over.
In contrast to the previous prototype implementations (the inverted pendulum and the rate-
adaptive cardiac pacemaker), tractors are generally safe when they do nothing. For instance, to
stop a tractor from rolling over it suffices to stop the tractor from moving. The challenge here is
less in developing a fail-operational system, but more towards a fail-safe system. Thus, the majority
of the development and verification effort is involved with developing the decision module, and the
safety controllers are relatively simpler.
Given this goal of producing a verifiable decision module, we made a number of decisions up
11
front which impact the final system. First, we chose to use the System-Level version of the Sim-
plex Architecture. Second, we deviated from the pure System-Level Simplex previously described
for smoother system integration. Lastly, we using a discretized state space approximation of the
continuous space the tractor exists in. We now describe and justify each of these decisions in detail.
As discussed earlier, the System-Level instantiation of the Simplex Architecture reduces the size
of the trusted computing base in the system. In this application, we decided to use an FPGA as the
platform for our Simplex Safety Core, the decision module and safety controller. If we had used the
more traditional Simplex approach, bugs or failures in dependent modules such as the Real-Time
Operating System (which for John Deere can be a commercial or internally-developed operating
system) may result in misbehavior. This decision impacts the final code generation, as we targeted
VHDL, a hardware description language.
In order to smooth integration with an existing Deere system, we deviated from the pure System-
Level Simplex design we described in the earlier section. In a pure design, the complex controller
would be on one side of the system, which was only connected to the Simplex module, which
then connected to the rest of the system. This was the design used in the Inverted Pendulum
testbed. However, to smooth integration we instead logically connected the system in this fashion,
but physically all the communication went through a shared CAN bus. This was the least intrusive
way to provide the System-Level Simplex functionality. This distinction is shown in Figure 3.1.
Figure 3.1: The logical application design (left) matches the System-Level guidelines, although the
physical design (right) differs. The dotted line represents actuation commands.
Lastly, we used a discrete state space to aid in our verification step. The reason for discretizing
the continuous state space was because we planned to use a model-checking tool, Maude [6], to verify
the correctness of the decision logic. Model-checking tools work strictly on discrete state spaces, so
we needed to perform this transformation. Notice that this is different from the technique used in
previous Simplex publications [20]. Particularly, in earlier work, classical control theory was used
directly within the continuous space to guide the decision module’s switching logic. Our approach
works on the continuous space by mapping the continuous space into discrete elements. This has the
advantage of being able to handle a larger class of scenarios. In particular hybrid systems, systems
with both discrete and continuous elements, can be modeled with our model-checking approach, but
12
not with classical control theory. The disadvantage is that the mapping from a continuous space to
discrete elements must be done carefully. Informally, it can never be the case that an unsafe state in
the continuous space maps to a safe state in the discrete space. This is expressed formally in next
section.
3.2 Formal Problem Description
Now, we describe the class of problems we attempt to solve in a formal manner. Throughout the
description, we consider the toy problem of a train driving on a finite-sized straight track, which
should not fall off either end of the track (at position ± 20 relative to the start position of the
train). The train has four modes, forward (+2 m/s2), backward(−1 m/s2), cruising(0 m/s2),
and breaking(± 5 m/s2or0m/s2). Breaking mode always sets the acceleration against the current
velocity of the train (and is 0 if the train is still). Initially, the train is in cruising mode at position
0 with no velocity or acceleration.
Our model consists a state space consisting of n dimensions where each dimension has its own
domain D1 to Dn. For example, in our train problem we consider four dimensions(n = 4), in
order, the acceleration, velocity, and the position of the train relative to start of the track, as well
as the mode the train is in. The ordering was done arbitrarily. The domains D1 (acceleration
domain) = D2 (velocity domain) = D3 (position domain) = R. The domain of the mode, D4 is
{forward, backward, cruising, breaking}.
A state of the system is an assignment of an element of the associated domain for each of the
dimensions. It is represented by an ordered tuple, σ = (σ1, σ2, . . . , σn) which each σi is an element of
the associated domain Di. For example, one possible state for our train system is (0, 2, 10.5, cruising),
corresponding to the state where the acceleration is 0, the velocity is 2, and the position is 10.5, and
the train is in cruising mode. The set of all possible states is of the system S.
Next, we define a time-transition function, τ : S × R → P(S) (where P denotes the powerset),
which describes how the state changes over time. The time-transition function takes as input a state
of the system, and a time duration, and gives us the set of possible resultant states of the system.
In an accurate deterministic system such as our train example, there is only one resultant state for a
given initial start and time duration. However, in other models, due to environmental disturbances
or actuator/sensor inaccuracies, we may get a set of possible states.
The τ function can not be arbitrary, but rather it must satisfy the Time-Transition Invariant,
which informally states that the resultant state set should only depend on the cumulative time that
has passed. This is formally defined in Equation 3.1.




In our train example, we define a time-transition function which relates the position, velocity,
acceleration, and state of the train based on the mode of the train. Below, we define a case for each
scenario, forwards mode, backwards mode, cruising mode, breaking to a stop while moving forward,
breaking to a stop while moving backward, breaking while moving forward, breaking while moving
13
backward, and breaking while not moving. In particular,
∀(accel, vel, pos∈R, mode∈{forward, backward, cruising, breaking}, time∈R+),
τ((accel, vel, pos,mode), time) =
{(2, vel + 2 ∗ time, pos + vel ∗ time + time2, forward)} if mode = forward
{(−1, vel− time, pos + vel ∗ time− 12 ∗ time2, backward)} if mode = backward
{(0, vel, pos + vel ∗ time, cruising)} if mode = cruising
τ((accel, vel, pos, breaking), vel5 ) if mode = breaking and vel > 0
and time > vel5
τ((accel, vel, pos, breaking), vel−5 ) if mode = breaking and vel < 0
and time > vel−5
{(−5, vel− 5 ∗ time, pos + vel ∗ time− 52 ∗ time2, breaking)} if mode = breaking and vel > 0
and time ≤ vel5
{(5, vel + 5 ∗ time, pos + vel ∗ time + 52 ∗ time2, breaking)} if mode = breaking and vel < 0
and time ≤ vel5
{(0, 0, pos, breaking)} if mode = breaking and vel = 0
The next step would be to show that this time-transition function satisfies the Time-Transition
Invariant of Equation 3.1. Since the provided time-transition function τ always results in one state
and never modifies the mode dimension, we can decompose the proof for each mode. We now show
the proof for when mode = forward, although the other modes can also be proven in a similar
fashion.
When mode = forward, the time transition function is τ((accel, vel, pos, forward), time) = {(2, vel
+ 2 * time, pos + vel * time + time2, forward)}. To prove the Time-Transition Invariant in this




τ(σ′, y) = τ((accel, vel, pos, forward), x+ y)




= τ((2, vel + 2 ∗ x, pos + vel ∗ x+ x2, forward), y)
= (2, vel + 2 ∗ x+ 2 ∗ y, pos + vel ∗ x+ x2 + (vel + 2 ∗ x) ∗ y + y2, forward)
= (2, vel + 2 ∗ (x+ y), pos + vel ∗ (x+ y) + (x+ y)2, forward)
= τ((accel, vel, pos, forward), x+ y) 
Given this definition of states and the time-transition function, each command is modeled as a
state modification. This modification can not (usually) be done arbitrarily, but rather is subject to
the problem-specific constraints.
For example, in our train system, commands correspond to changes in the mode dimension.
14
The are no actions corresponding to position changes directly, so modifying the position dimension
during a command is not allowed.
The execution of the system can be thought of as a repeating cycle consisting of a command,
which modifies the state directly, followed by the passage of time, which gives us a set of possible
resultant states according to the time-transition function τ .
Finally, within our formal model there is the notion of safe and unsafe states. This problem-
specific notion divides the state space into states that are considered safe, and states which should
be avoided and are considered unsafe. This notion of unsafe states is captured by the function
υ : S → {true, false}. In our train example, we use this to define when the train has fallen off the
track. Particularly, ∀(accel, vel, pos∈R, mode∈{forward, backward, cruising, breaking}),
υ((accel, vel, pos,mode)) =
{
true if pos < 20 or pos > 20
false otherwise
We are now ready to formally specify the workings of the Simplex pattern within this architecture.
In the systems we consider there is a control period, c ∈ R+, which determines the length of the
control interval of the composite Simplex system. The complex controller, as well as the simple
controller, run at this predetermined frequency, producing commands which are state modifications.
We model the complex controller and simple controller, respectively, as functions α : S → S and
β : S → S which, given an input state σ ∈ S, produce an output state σ′ ∈ S. These functions
are not arbitrary, but rather can only modify dimensions of the system which the controllers are
allowed to directly modify. For example, our train system controllers only have access to the mode
dimension of the system.
If we are at the start of a control interval and the system is in state σ ∈ S, the complex controller
and simple controller will output post-command states α(σ) = σcomplex, and β(σ) = σsimple. The
decision module will then, given the current state of the system and the two proposed system-
state modifications, choose one command and apply the corresponding system-state modification.
This is also modeled as a function δ : S × S → S. This is again, not an arbitrary function, but
the output is restricted. Particularly, if δ(σcomplex, σsimple) = σresult, then σresult must be equal to
σcomplex or σsimple. After the command state modification, for the duration of the control interval c,
the system will be modified naturally and the next state will be a state in the set of states obtained
from the time-transition function τ . At this point another command decision will be made repeating
the procedure described above, although now with a different system state.
In general, the two main challenges involved with Simplex are determining the safety controller
behavior and determining the decision logic behavior. However, for the example train system, as well
as for the John Deere tractor system we will soon describe, the safety controller is straightforward.
It is clear, for example, that most direct way for the train to avoid falling off the edge of the track
is to always set the mode to breaking1. The main challenge, therefore, is to develop the decision
module logic that will determine which command to apply. The primary requirement of the decision
module is that the state of the system will never be unsafe. Formally the challenge is to come up
1One may argue that it may be better to slow down prior to applying the breaks. However, the safety controller
should be considered a backup that ideally would never be used. Therefore, we believe such comfort requirements are
better suited as part of the complex controller.
15
with a function δ that, for any function α (which is a valid control function in that it only modifies
the controlled dimensions), satisfies Equation 3.2.
∀(σ∈S)¬υ(σ)⇒ ∀(t∈R+|t≤s,σ′∈τ(δ(α(σ),β(σ)),t))¬υ(σ′) (3.2)
Here, β is the known simple controller, and s is the predetermined control period. The above
equation states that for every safe state, the state during and at the end of the control period will
also be a safe one. If the initial state is safe, then by induction the state will always be safe over all
time.
There is another requirement for the decision module which is more informal. It requires that
the complex controller’s commands should be used until we are in danger of entering an unsafe
state. While the first requirement is related to safety-critical demands, this requirement deals with
mission-critical aspects. For example, it is (probably) useless to use a decision module within our
train example which always uses the safety controller (keeps the breaks on), over all time, even
though the resultant system is safe and never falls off either end of the track.
3.3 Discrete Problem Approach
Given the problem described in the previous section, we now must determine a way to construct the
appropriate decision logic function δ. Our approach involves performing model checking, which is
a proof technique which enumerates a finite set of states, checking the condition on each one. The
condition we check is that the system state at the beginning of each control iteration is safe, and
then recursively performing the same check for all states that result, for all possible commands from
that state. As soon as a state is encountered which has already been checked, it can be dropped
without rechecking.
Since we only check states at the start of each control iteration, this creates an additional
requirement which must be satisfied. Particularly, if at any time during the time-elapse portion of
the control loop the system becomes unsafe, it should also be unsafe at the end of the time-elapse
portion of the control loop. Formally, the condition we need to show, for the particular model we
are checking, is
(∀(σ∈S)¬υ(σ)⇒ ¬υ(τ(δ(α(σ), β(σ)), s)))⇒
(∀(σ∈S)¬υ(σ)⇒ ∀(t∈R+|t≤s)¬υ(τ(δ(α(σ), β(σ)), t)))
Additionally, in order for the model checking to complete, the number of safe states reachable
from the initial state must be finite. This may not be true if the allowed commands at a safe state
are infinite (for example, if the command sets a real-valued acceleration directly). Thus, in order
to accommodate model-checking requirements, we discretize all continuous dimensions within our
model. Formally, for each dimension in our model i, if the dimension is real-valued continuous, we
must provide a discretization function, i : R→ R, which maps the continuous space to a finite set
of values, as described in equation 3.3.
16
∀(x,y∈R|x≤y)∃(n∈Z)n > |{r ∈ R|∃(z∈R|x≤z≤y)i(z) = r}| (3.3)
This equation states that for any range [x, y], the cardinality of the set resulting from discretizing
all elements within the range is finite. This alone, however, does not guarantee there will be a finite
number of states to search. In order to provide a finite search-state guarantee, we combine this
discretization function with a bound on the allowed ranges on each real-valued dimension, which
guarantees a finite number of possible values for each dimension, and therefore a finite number of
states in the aggregate system. This is not as limiting as it appears. For example in our models is
reasonable that a tractor will have a maximum and minimum velocity, or a maximum and minimum
steering angle.
The discretization, however, must be done carefully, so that no unsafe states in the continuous
domain get mapped to safe states in the discrete domain. If this is not the case, the result of the
model-checking search is invalid and can not be trusted. This is made formal in Equation 3.4.
∀(i∈Z|(0<i≤n) and Di=R)∀(e1∈D1,e2∈D2,...,en∈Dn)υ((e1, e2, . . . , en))⇒ (3.4)
υ((e1, e2, . . . , i(ei), . . . , en))
Again, n here represents the number of dimensions in the system. Although, we have only
dealt with continuous dimensions that are real-valued, any ordered continuous dimension could
follow similar requirements to guarantee a finite-set of reachable states whose model-checking will
complete with a valid result.
The final concern is the time it takes to perform the model checking, which is very dependent
on the discretization function e which is chosen. If each continuous dimension is discretized into
millions of discrete values, exploring the aggregate system may become intractable. Thus, the choice
of discretization function can be used to tune the performance of the model-checking search.
3.4 Model Generation
The first step in the industrial design process for System-Level Simplex is to create the model of
the system for which we are interested. In our case we want to model movement-based properties
of tractors. However, since John Deere produces several types of tractors, as well as combines and
other vehicles, it would be prudent to have a common generator for all of these models. Additionally,
by creating a model generator we are reducing the chance for human error while manually creating
the model, as well as eliminating the need to know Maude (our model checking tool) before a model
is constructed. The model generator source code is listed in Appendix A.2.
In order to decide which properties were important for the models, we first needed to figure
out which specific properties we wanted to check. However, for sake of presentation we push that
discussion into Section 3.5. We came up with a list of 27 model properties which are of interest, and
we describe each of them here.
1. TimeDiscretizationConstant: The discrete unit of time, in milliseconds
17
2. DistanceDiscretizationConstant: The discrete unit of distance, in millimeters
3. AngleDiscretizationConstant: The discrete unit of angle measurement, in milliradians
4. WheelBase: The wheel base of the tractor, measured in millimeters
5. Track: The wheel base of the tractor, measured in millimeters
6. CogHeight: The height of the center of gravity, measured in millimeters




8. ForwardsMaxAccel: The maximum acceleration when moving forward, in millimeters
second2
.
9. BackwardsMinAccel: The minimum acceleration when moving backward, in millimeters
second2
.




11. MinVel: The minimum velocity of the tractor, in millimeterssecond .
12. MaxVel: The maximum velocity of the tractor, in millimeterssecond .
13. MinSteeringAngle: The minimum steering angle of the tractor’s wheels, in milliradians.
Straight wheels have a 0 milliradian measurement.
14. MaxSteeringAngle: The maximum steering angle of the tractor’s wheels, in milliradians.
Straight wheels have a 0 milliradian measurement.
15. DeltaSteeringAngle: The speed at which the steering angle can change, in milliradianssecond .
16. MaxSlope: The maximum tilt of the terrain, in milliradians.
17. MaxDeltaSlope: The maximum change in slope at the maximum velocity of the tractor.
This is expressed in milliradianssecond .
18. BestRawAccel: While on the least slippery surface, the acceleration of the wheels during the
measurement. This is used for the overslip function, and is elaborated upon further in Section
3.5.
19. BestObservedAccel: While on the least slippery surface, the acceleration observed by the
tractor during the measurement. This is used for the overslip function, and is elaborated upon
further in Section 3.5.
20. WorstRawAccel: While on the most slippery surface, the acceleration of the wheels during
the measurement. This is used for the overslip function, and is elaborated upon further in
Section 3.5.
21. WorstObservedAccel: While on the most slippery surface, the acceleration observed by the
tractor during the measurement. This is used for the overslip function, and is elaborated upon
further in Section 3.5.
18
22. TimeFromBestToWorst: The time, in milliseconds that it takes the tractor to drive, at
the maximum velocity, from the most slippery surface to the least slippery surface. Can be
pessimistic.
23. SkidBestRawAccel: While on the least slippery surface, the expected acceleration of the
turn based on the wheel angle during the measurement. This is used for the oversteer function,
and is elaborated upon further in Section 3.5.
24. SkidBestObservedAccel: While on the least slippery surface, the acceleration observed of
the turn during the measurement. This can be calculated using the radius of the turn and the
time elapsed to complete the turn. This is used for the oversteer function, and is elaborated
upon further in Section 3.5.
25. SkidWorstRawAccel: While on the most slippery surface, the expected acceleration of the
turn based on the wheel angle during the measurement. This is used for the oversteer function,
and is elaborated upon further in Section 3.5.
26. SkidWorstObservedAccel: While on the most slippery surface, the acceleration observed of
the turn during the measurement. This can be calculated using the radius of the turn and the
time elapsed to complete the turn. This is used for the oversteer function, and is elaborated
upon further in Section 3.5.
27. SkidTimeFromBestToWorst: The maximum time, in milliseconds that it can take the
tractor to drive from the least slippery surface to the most slippery surface. This can be the
same value as TimeFromBestToWorst.
A sample file containing reasonable parameters has been given in our code reference in Appendix
A.3. This file is used as input for a Java program which produces a three distinct tractor models, one
for each of the properties we are checking. The advantage of having three different models instead
of one common model, is that we are able to eliminate irrelevant dimensions within the model, and
therefore decrease model-checking time. For example, the model dealing with the overslip property,
which deals with how the wheels slip based on the surface, does not contain the steering dimension
or the terrain slope dimension.
The model generator program itself, whose code is in our code reference Section 3.4, reads in
the input file, and performs certain checks to make sure the generated model makes sense. Some of
the checks are syntax-based, for example an ill-defined model file that contains multiple equals signs
will not be accepted. Other checks are sanity checks, for instance if, during a skid measurement,
the output acceleration, the acceleration of the tractor that was observed, is greater than the input
acceleration, the acceleration of the tractor exerted by the wheels, an error is reported and the
models are not generated. The last potential fatal error that can occur while running the generator
is that the various dimensions do not fit together. For example, if the maximum speed of the tractor
is 1ms and the distance discretization constant is 1m, but the time discretization constant is 0.5s, a
model can not be generated. This is because if we are accelerating at full speed, after one time step,
0.5s, the tractor is at a speed that does not match our distance discretization constant. In this case,
the generator will report and error and exit. For different dimensions, for instance the friction-based
dimensions, instead of exiting, the maximum slip is pessimistically decreased until the range of the
19
slip fits within the rest of the model. This pessimism is then reported as a warning so the user can
chose to accept it, or rectify the model appropriately.
3.5 Properties and Behavior
Within an autonomous tractor system, we desire several properties to be monitored through the
Simplex framework. Here, we present some of the properties we explored, three of which we applied
Simplex towards, rollover, overslip, and oversteer, and one property that did not easily fit the
Simplex framework, collision. Notice that these are not all safety-critical as is the traditional use for
Simplex, but rather some properties such as overslip, the tractor slipping excessively, are properties
that, if ignored, will cause in degraded performance (in the case of overslip, wasted fuel).
3.5.1 Rollover
Rollover is a condition that occurs when a tractor tips over, usually due to a sharp turn. Since
tractors have an elevated center of gravity, rollover is a real concern. Prior to the widespread
installation of tractor roll cages, under human operation, rollover accidents accounted for about
50% of tractor-related fatalities at a rate of 5.4 deaths per 100,000 tractors [10]. In the autonomous
tractor scenario, the main concern is not rollover operator fatalities (since there is no operator), but
rather damage to equipment, which for autonomous vehicles has an estimated cost from $10,000 to
$200,000 [16]. Due to this cost, rollover should be avoided.
Within our system, we consider the tractor to be violating the rollover condition whenever one
pair of wheels leaves the ground. Although according to the strict definition this is not yet rollover,
such a condition should never come up during normal tractor operation and would thus like to be
avoided. An outline of the rollover situation used for our modeling is shown in Figure 3.2. In the
figure, θ is the angle calculated by the provided track and center of gravity height. The other angle
α is the slope of the terrain which is equal to the roll angle of the tractor. Flift is the lifting force
due to the force of the turn, Fturn, and Fstability is the stability force due to the force of gravity
Fgrav. The velocity of the tractor is v, the mass m, and the angular velocity due to turning is
ω = v ∗ sin(θ)/WHEEL-BASE.
Notice that there are two opposite forces, Flift and Fstability, which can be used to tell if tractor
is rolling over. By solving for these forces, as shown in Figure 3.3, and comparing them, we can
determine if the tractor is rolling over. The final rollover equation we use is
g > vω ∗ sin(θ)/cos(θ + α)
where g is the force of gravity. Notice this equation make intuitive sense, as the best chance of
violating the rollover condition occurs during a sharp turn uphill (this is the reason that turns on
the on-ramps of highways or turns of race tracks are often banked so you are turning downhill).
In order to prevent rollover, the safety controller must reduce Flift. Our safety controller does
this by reducing Fturn, the contributing force to Flift, in two ways: 1) straightening the wheels, which
reduces ω, and therefore Fturn, and 2) slowing down, which reduces v and therefore also reduces
Fturn. Other options which were less practical were increasing the track distance or lowering the
20
Figure 3.2: The rollover condition is violated whenever Flift exceeds Fstability.
Figure 3.3: The values of Flift and Fstability can be computed for comparison.
21
center of gravity (this would reduce θ and therefore Flift).
Reducing the velocity is almost always a valid action to take, however, there was some initial re-
sistance to manipulating the steering angle. The complex controller may turning to avoid something,
where it would be better for the tractor to rollover. However, when we determined the potential
violation state region for rollover (described more in Section 3.6), if we were only manipulated the
velocity, we noticed the tractor could not reach its maximum speed, even if the wheels were straight
and the ground was flat. This was because if the complex controller turned the wheels as sharply
as possible, and the terrain got more steep, the tractor could not slow down fast enough to avoid
rollover. Therefore, to allow the complex controller maximum freedom during normal operation, we
decided it would be acceptable for the safety controller to manipulate the wheel angle.
3.5.2 Overslip
Overslip is a performance property that becomes violated when the tractor does not operate effi-
ciently due to the wheels slipping. The calculation for slip is straightforward, and given by
slip = 1− acceloutput
accelinput
where acceloutput is the observed acceleration of the tractor, and accelinput is the linear acceleration
of the wheels.
The more interesting part of this performance property is the modeling of the slip, the way in
which the tractor system’s experienced slip changes over time. We came up with three properties
we wanted to contain within our modeling of the slip:
• The tractor should almost always experience some slip, this may be very small or very large,
dependent upon the terrain and the force being applied.
• The larger the force applied, the more slip is experienced, on all terrains. The increase in slip
is slow for small forces, and faster for larger forces.
• The peak efficiency occurs between 5% and 20% slip, based on tractor parameters.
Based on these properties, we came up with a quadratically increasing slip model, as shown in
Figure 3.4. In this model, each surface has an x-intercept value which defines the slip on that surface
as a function of force. This slip is given by







where accelinput is the linear acceleration of the wheels and x-intercept is a value specific to the
particular surface on which we are driving. Although x-intercept is not used in the violation equation,
it is used in the model, and therefore must be calculated. Given an accelinput (linear wheel velocity),
and acceloutput (observed tractor velocity), we can compute x-intercept by setting the actual slip,










which can then be used to calculate the proper x-intercept for the least and most slippery surfaces,
with the surfaces in between being interpolated linearly.
Figure 3.4: The quadratically increasing slip model was used within the overslip performance prop-
erty modeling.
In the model-checking search, we compare the current state’s slip value, 1 − acceloutputaccelinput with an
efficiency threshold, and, if the slip is unacceptably high, the property is considered violated. The
safety controller’s command always reduces the force applied by reducing accelinput, which according
to our model will reduce slip.
Notice that this slip model is may not exactly correspond with one intuitive notion of slip, namely
that it checks for slip in the acceleration, but not the velocity. Indeed, if the acceleration is zero,
but the velocity is nonzero, the tractor, according to this model, is not experiencing any slip. This
decision was based on the notion that slip is related to the force that was applied, which corresponds
to the acceleration. Even accepting that slip is a function of force, there is another unanticipated
property of this slip model, which was not discovered until after we were determining the decision
logic switching behavior. This will further be discussed in the overslip behavior determination in
Section 3.6.2.
3.5.3 Oversteer
Oversteering was the last property for which we applied Simplex. This property is violated when,
for example, the wheels are turned at 45 degrees, but the actual tractor is turning at a much lower
angle, say 20 degrees. This is usually caused by the conditions on the ground, such as a loose sand
surface, or muddy ground. The corrective action in this case is counterintuitive in that we can
obtain a lower skid value by reducing the steering angle, whereas increasing the steering angle will
likely increase skid. Doing this, however, may be in conflict with higher-level control that only cares
about the resultant steering angle. Despite this, for tractor efficiency we do want to prevent excessive
skid from being experienced by the tractor. Thus, the corrective action to prevent oversteer is to
23
straighten the wheels.
In terms of modeling, we used a similar skid model to the one used in overslip shown previously
in Figure 3.4. However, since the wheels are now slipping at an angle, the x-intercept for the surfaces
is likely to be different. We therefore require separate measurements in the model generation file to
calculate proper x-intercepts for the oversteer property.
3.5.4 Collision
Avoiding collisions was also considered as a property for which we could apply Simplex. However,
after our initial investigation we decided that it did not easily fit the Simplex framework.
In particular, the biggest issue with collision is discerning obstacles which the tractor should
go around, such as large boulders, and objects that is the tractor could pass through, such as tall
grass. Although the complex controller makes such a distinction using machine learning techniques,
we want to provide a verifiable system. In this case, the safety controller would have to be as
complicated as the complex controller, there was no benefit from the point of view of verification
effort to include it.
However, there are some indirect collision-based properties that we could apply Simplex towards.
For example, if the complex controller is not trusted completely we may set a maximum speed which
we are allowed to pass through detected obstacles, in order to minimize potential damage in the
case of a misclassification. In this case, the simple controller would only need to detect that objects
exist in the path of the tractor, not necessarily what type of objects are there.
3.6 Behavior Determination
The next step in the industrial system-level Simplex process is to determine when to switch to the
safety controller. In order to make this determination, we leverage on the Maude model-checking
tool.
Given a generated Maude model, and the properties we are interested in monitoring, we can
already run Maude model-checking searches and detect that an unconstrained model, one that
always uses the complex controller, results in property violations. Furthermore, we can print out all
the reachable states that violate our properties, the static state violations, to a text file and display
that information graphically to gain insight into the violation region.
Notice, however, that these states are only the states where a violation is actively occurring,
which is a subset of the states we should never enter. Particularly, there may be states that,
although themselves do not violate properties, may result in future violations even if we use the
safety controller. These dynamic state violations should also be avoided. We could use Maude to
calculate these states by, at each state we enter, performing a sub-search which uses only the simple
controller, and seeing if the property condition can become violated for all possible external changes
and disturbances. Ideally, the user would not need to input any extra information here since our
model-checking tool can explore this subset of the model completely. However, in order to speed up
the search, we instead relied on the user to provide a worst-case change in the system state. This
is not as difficult as it first appears, as it is clear a tractor is more likely to rollover if the slope of
the terrain increases in the future, or that we are more likely to experience overslip if the terrain
24
becomes more slippery in the future. After the user provides these worst-case model transitions, we
use Maude to search for all states where, if we were to enter them, even the safety controller could
not guarantee that the property would not be violated. This is exactly the information needed to
drive the decision module. We will now describe this in slightly more detail for the three properties
we checked: rollover, overslip, and oversteer.
3.6.1 Rollover
In order to determine the rollover switching logic, we needed to input to Maude two pieces of
information: the behavior of the safety controller, and the worst-case change in the nonactuated
system state. Our rollover model has three dimensions, the velocity of the tractor (pessimistically
assuming a worst-case friction scenario for breaking), the slope of the terrain, and the steering angle
of the wheels. Any dimensions not directly modified by the safety controller would be part of the
worst-case system state change.
There were two choices for the safety controller, one which slowed the tractor down and straight-
ened the wheels, and the other one which only slowed down the tractor. Initially, we considered the
safety controller that just slowed the tractor down. However, in this case the worst-case state change
would increase the steering angle of the wheels, while at the same time increasing the slope of the
terrain. This turned out to lead to an extremely pessimistic decision module which could not allow
the tractor to reach full speed on flat ground with straight wheels, since it would not be able to slow
down in time if the complex controller turned the wheels sharply to one side and the terrain slope
increased. For this reason, we instead used the safety controller that both straightened the wheels
and slowed down the tractor. The worst-case environmental change, then, was just an increase in the
terrain’s slope. The associated Maude code, which recursively defines the can-lead-to-violation
function, is shown in Code Block 1. The first two rewrite equations define the non-recursive case
where the state does, and does not violate the rollover condition, respectively. The last rewrite
equation is the recursive call which makes use of the reduce-vel and reduce-steerAngle rewrite
equations for the safety controller, as well as the increase-slope rewrite equation for the worst-case
state change.
Code Block 1 This Maude code is used to determine which states may lead to future violations
even if the safety controller is used.
eq can-lead-to-violation(vel(0) steerAngle(0) slope(Slope)) = false .
ceq can-lead-to-violation(vel(Vel) steerAngle(Steer) slope(Slope)) = true
if roll-force(advance-vel(Vel) advance-steerAngle(Steer)
advance-slope(Slope)) >= 9810.0 .
eq can-lead-to-violation(vel(Vel) steerAngle(Steer) slope(Slope)) =
can-lead-to-violation(reduce-vel(Vel) reduce-steerAngle(Steer)
increase-slope(Slope)) [owise] .
Using this information, we were able to use Maude to search the entire model for all states where
can-lead-to-violation evaluates to true. Again, these are the states where, if a worst-case state
change occurs, even using the safety controller can not guarantee that rollover will not occur. These
dynamic state violations can then be plotted graphically. For rollover, we plotted these states on
25
three 2D graphs2. Next, we determined linear bounds on the region of states that should be avoided.
Although we did this operation manually, it could have been automated by using an n-dimensional
convex hull algorithm [13]. These linear bounds can then be used to drive the decision module
behavior. The dynamic state violation graph, as well as the linear bounds we used, are shown in
Figure 3.5.
Figure 3.5: Three sets of linear bounds on the dynamic state violations (shown as points) in the
rollover model drive the decision module’s behavior.
3.6.2 Overslip
The overslip model also contains three dimensions: acceleration, velocity, and the terrain’s x-
intercept (as defined in the overslip property discussion, Section 3.5.2). This model differs from
the rollover model in that the dimensions have dependencies, most notably that velocity depends
on acceleration. This means that, when we define the safety controller and worst-case state change,
we do not have to provide an explicit modification for the velocity since it’s determined by the
acceleration.
The safety controller here is clear, slow down the tractor by modifying the acceleration dimension.
The worst-case state change, then, is a decrease in the x-intercept dimension, which corresponds to
the surface becoming more slippery. Our model generator defines the reduce-accel rewrite equation
automatically, as shown in Code Block 2. This is used to compute the can-lead-to-violation
function in the overslip model.
Code Block 2 This Maude code describes a decrease in acceleration, which is used to model the
overslip safety controller.
ceq reduce-accel(cur-accel) = cur-accel + (-1500) if cur-accel > 1500 .
ceq reduce-accel(cur-accel) = cur-accel + (1500) if cur-accel < -1500 .
eq reduce-accel(cur-accel) = 0 [owise] .
As with the rollover model, we use Maude to search for all system states where
can-lead-to-violation evaluates to true, which correspond to the dynamic state violations in
the overslip model. Since our property equation has almost no reliance on velocity, we simply
ignored that dimension when graphing the dynamic state violations (or more formally, we projected
the 3D dynamic state violations onto the velocity/x-intercept plane, which may give us a slightly
2A 3d state graph could alternatively have been used, as we will show with the oversteer condition.
26
more pessimistic decision module and is therefore allowed). One might even consider eliminating
velocity as a dimension within this model, since initially it appears to have no bearing on the
property equation. This intuition clarifies the condition that an automated system could use to
prune unnecessary dimensions from a larger model: a dimension can be pruned only if it is not
mentioned in the property equation, and does not directly affect any dimensions that are within the
model. However, this pruning condition is not true in this case, since the changes allowed in the
acceleration are based on whether the tractor is moving forwards or backwards (which is determined
by the velocity). In hindsight, having a two-state dimension {forward, backward} for this discrete
state change would have been more efficient than checking all the various velocities.
We chose linear bounds on the dynamic state violations that should be avoided in order to
guarantee the property. This is shown in Figure 3.6.
Figure 3.6: Linear bounds on the dynamic state violations (shown as points) in the overslip model
are used to prevent overslip when the acceleration is positive.
One initially unexpected observation of the dynamic state violations is that, since the initial
overslip property equation (as described in Section 3.5.2) uses the square of the acceleration, overslip
could occur both when the tractor was speeding up as well as slowing down. This is not because
of incorrect modeling, as, for example, anti-lock breaks in cars are actually used to prevent such
slipping when acceleration is negative. This was, however, against the informal notion we set out with
overslip, so we modified the property condition for overslip to consider only positive accelerations
(when the tractor was going in reverse, we proved via model-checking that overslip could never occur
even at full negative acceleration, although this is a model-dependent check). This is the reason the
linear bounds in Figure 3.6 only bound the dynamic state violation with positive accelerations.
27
3.6.3 Oversteer
The final property needing decision module behavior is the oversteer condition. The system state
in the oversteer model also contains three dimensions: the velocity of the tractor (assuming worst-
case breaking), the steering angle of the wheels, and the x-intercept of the terrain. Notice that the
x-intercept used in this model is different from the x-intercept in the overslip condition, since in
oversteer the wheels are skidding almost perpendicular to the intended direction of the tractor, and
are therefore going to experience friction differently.
For the safety controller, we reduce the steering angle and decrease the velocity. This means
that the worst-case external state change corresponds to a decrease in the x-intercept (the surface
becoming more slippery). The Maude code for this worst-case change, which is produced by our
model generator for the specific tractor model we used, is shown in Code Block 3. The decreaseXInt
rewrite equation is used to define the can-lead-to-violation function.
Code Block 3 This generated Maude code recursively defines the worst-case external state change
for a particular tractor model for the oversteer condition. When the x-intercept decreases, the
modeled tractor experiences increased skidding.
op decreaseXInt(_) : Int -> Int .
ceq decreaseXInt(cur-x-intercept) = cur-x-intercept - 1760
if cur-x-intercept > 4274 .
eq decreaseXInt(cur-x-intercept) = 4274 [owise] .
Next, we use the Maude model checker to find all states within the oversteer model where
can-lead-to-violation evaluates to true. These dynamic state violations are plotted in three
dimensions in Figure 3.7. Two planes are used to linearly bound the dynamic state violations in
three dimensions.
Figure 3.7: Two planes bound the dynamic state violations (shown as points) within the oversteer
state space. On the right, a rotated view clearly shows all dynamic state violations residing within
the state-space defined by the two planes.
28
3.7 Behavior Description and VMaude
Now that we have calculated which states should be avoided, we can exactly describe the behavior
of the decision module. At each control iteration, the decision module receives commands from the
complex controller. Using these, in addition to a worst-case evaluation of nonactuated dimensions,
it predicts the future state of the system. If this future state falls outside of the linear bounds we
calculated above, if the future state is not a dynamic state violation, the complex controller is used.
Otherwise, the safety controller is used.
We can exactly describe the decision module behavior in various ways. One option is to directly
code the behavior in Maude, and then perform a model check on the aggregate Simplex controller
in the tractor state space to verify that it does not violate the property equations. This is useful for
showing the correctness of the decision module, however it does not easily translate into production
code. For this reason, we created a Maude module describing the syntax and semantics of VMaude,
which is VHDL-structured Maude code. Although VMaude code remains executable within Maude,
it has a direct correspondence with a VHDL module. This means that the VMaude version of the
decision module can be model-checked, in addition to being easily and automatically translatable
to executable VHDL hardware code.
We now present the two behavior description methods and associated model-checking searches.
First, we show how to describe the decision module in pure Maude in Section 3.7.1. Next, in Section
3.7.2, we describe VMaude and the VMaude decision modules, as well as the process of formally
proving equivalence with the corresponding original Maude decision modules.
3.7.1 Maude Decision Module Behavior Description
The Maude-based decision module consists of two parts. First, a prediction of the future state space
is made based on the complex-controller command (if no command is received in a timely manner,
a default can be used). This future state is then checked to see if it is in the dynamic state violation
space defined by the linear bounds derived in Section 3.6. We go through this process for the three
properties we modeled: rollover, overslip, and oversteer.
The Maude code for the Simplex decision module for the rollover condition is shown in Code
Block 4. There are two rewrite equations for this code. The first one checks if the predicted
worst-case next state, which consists of NewVel, NewSteer and increase-slope(Slope), is within
the linear bounds for the dynamic state violations. If it is, the safety controller is used (by setting
the next state to reduce-vel(Vel) reduce-steerAngle(Steer) slope(NewSlope)). The second
equation uses the complex controller (sets the next state to vel(NewVel) steerAngle(NewSteer)
slope(NewSlope)), if the first equation’s condition evaluates to false, as indicated by the [owise]
(otherwise) condition.
The linear bounds checked by this module correspond to the lines shown in Figure 3.5. When
the steering angle is positive, three sets of bounds (one for each 2D state space in the figure) are
given in Equations 3.5, 3.6, and 3.7.
29
Code Block 4 This Maude code describes the decision module within the rollover model.
ceq simplex-evaluate(Vel Steer Slope
vel(NewVel) steerAngle(NewSteer) slope(NewSlope))
= reduce-vel(Vel) reduce-steerAngle(Steer) slope(NewSlope)
if ((NewSteer > 0 and
((increase-slope(Slope) == slope(600) and NewSteer > 2400 - NewVel quo 5)
or (increase-slope(Slope) == slope(800) and
((NewVel < 5000 and NewSteer > 3557 - (NewVel * 4) quo 7) or
(NewVel >= 5000 and NewSteer > 700)))
or (increase-slope(Slope) == slope(1000) and NewVel > 2900 and
((NewVel < 4900 and NewSteer > 1770 - (NewVel * 3) quo 10) or
(NewVel >= 4900 and NewSteer > 300)))))
or (NewSteer < 0 and
((increase-slope(- Slope) == slope(600) and
(- NewSteer) > 2400 - NewVel quo 5)
or (increase-slope(- Slope) == slope(800) and
((NewVel < 5000 and (- NewSteer) > 3557 - (NewVel * 4) quo 7) or
(NewVel >= 5000 and (- NewSteer) > 700)))
or (increase-slope(- Slope) == slope(1000) and NewVel > 2900 and
((NewVel < 4900 and (- NewSteer) > 1770 - (NewVel * 3) quo 10) or
(NewVel >= 4900 and (- NewSteer) > 300)))))) .
eq simplex-evaluate(Vel Steer Slope
vel(NewVel) steerAngle(NewSteer) slope(NewSlope))
= vel(NewVel) steerAngle(NewSteer) slope(NewSlope) [owise] .
increase-slope(Slope) = 600 and NewSteer > 2400− NewVel
5
(3.5)
increase-slope(Slope) = 800 and NewVel < 5000 and
NewSteer > 3557− 4 ∗ NewVel
7
or NewVel ≥ 5000 and NewSteer > 700 (3.6)
increase-slope(Slope) = 1000 and NewVel > 2900 and, NewVel < 4900
and NewSteer > 1770 -
3 ∗ NewVel
10
or NewVel ≥ 4900 and NewSteer > 300 (3.7)
Notice that these are the same equations as in the first half of the condition of the first rewrite
equation in the Maude code in Code Block 4. The second half of the first rewrite equation’s condition
defines the symmetric cases where the steering angle is negative.
The decision module for the overslip condition is a bit simpler, since the dynamic state violations
are defined on one two dimensional state space with no symmetric cases. The condition used to
check if can use the complex controller is shown in Equation 3.8.







Finally, for the oversteer property, we also create the Maude code describing the behavior of the
decision module. The two equations for the two planes that bound the dynamic state violations in
30
the oversteer model (shown graphically in Figure 3.7) are shown in Equations 3.9 and 3.10. Notice
that these plane equations contain floating-point numbers, which are not easily represented in a
hardware description language like VHDL. Thus, the associated hardware code uses approximations
for these numbers, and it is necessary to prove that these approximations do not alter the behavior
of the decision module. Performing this proof is described in the VMaude discussion in Section
3.7.2.
nextSteerAngle ≥ 400 (3.9)
nextSteerAngle ≥ −0.511 ∗ nextVel + 0.153 ∗ reduceXInt(curXInt) + 2030 (3.10)
For any of the models, after we have codified the decision module in Maude, we can run state-
space searches to see if property violations can occur. This is used to verify the correctness of the
Maude decision module. For oversteer, for example, we can search for a property violation on the
aggregate system. The associated rewrite rules and search statement are shown in Code Block 5.
The search statement is searching for static state violations. Informally the search statement is
saying that, in the TRACTOR model, starting at the initial state and use zero or more rewrites
(=>*), find all states where the skid at that state is greater than 0.3 (30%). After a few minutes,
this search finishes checking the entire model without producing any such states, indicating that the
decision module indeed prevents the system from violating the oversteer condition. Similar searches
were performed for rollover and overslip.
Code Block 5 This Maude code searches for static state violations within the oversteer model.
--- compute angular velocity in non-slip situation
eq angVel(curVel, curSteer) = float(curVel) * sin(float(curSteer) / 1000.0) /
float(WHEEL-BASE) .
--- compute skid
eq skid(curVel, curSteer, curXint) = ((angVel(curVel, curSteer) * float(curVel))
/ float(curXint)) * ((angVel(curVel, curSteer) *
float(curVel)) / float(curXint)) .
--- search for static state violations




skid(Vel:Int, SteerAngle:Int, XInt:Int ) > 0.3 .
3.7.2 VMaude Decision Module Behavior Description
The eventual output of the System-Level Simplex Industrial case study should be VHDL code for
the verified decision module. In order to minimize coding errors between the verifiably correct
Maude version of the decision module and the final implementation, we strive to generate this
final code automatically. For this reason we provide an intermediate representation called VMaude,
or VHDL-structured Maude, which, although written and executable within Maude, has a direct
correspondence to VHDL code.
First, we describe VMaude and show some example formal semantics for the language. Second,
31
we show an example decision module written in VMaude, which remains executable within Maude
and serves to demonstrate some of the restrictions while using VMaude. Last, we formally prove an
equivalence between the VMaude decision module and one of the previously-developed pure Maude
decision modules.
VMaude contains a number of simple constructs which, when combined, can be used to perform
the linear bounds operations necessary for the decision module. It is not a complete definition of
all the semantics of VHDL within Maude, but rather, it defines enough VHDL semantics to do
something useful, to perform the decision module’s linear bounds operations.
That said, there are two main types of statements in VMaude. The first kind is used to define
signals(variables), their direction (input / output / internal), and their bit lengths. The second kind
is used to define the finite state machine that performs logical operations. The state machine has
some implicit behavior. It is in state 0 initially and when idle, and transitions to state 1 when the
’start signal is asserted. When the state machine transitions back into state 0 (presumably after
performing some computation), the ’done signal is asserted for one clock cycle. Additionally, the
user must define a ’fsmState internal signal with an appropriate bit length, which is used to store
the value of the current state of the finite state machine. The actual finite state machine behaves
according to the user-provided VMaude statements. The following list includes all currently allowed
VMaude state machine statements:
• assignInt: assigns an integer to a signal and deterministically transitions to another state
• assignSignal: assigns a signal to another signal and deterministically transitions to another
state
• assignAddSignalInt: assigns the sum of a signal and an integer to another signal and deter-
ministically transitions to another state
• assignAddSignalSignal: assigns the sum of a signal and another signal to yet another signal
and deterministically transitions to another state
• assignMultSignalInt: assigns the product of a signal and an integer to another signal and
deterministically transitions to another state
• assignShiftRightSignalInt: assigns the value of a signal shifted logically to the right by an
integer to another signal and deterministically transitions to another state
• conditionalGreaterSignalInt: branches to one of two provided next states, based on
whether a provided signal is greater than a provided integer
• conditionalEqualsSignalInt: branches to one of two provided next states, based on whether
a provided signal is equal to a provided integer
• conditionalGreaterSignalSignal: branches to one of two provided next states, based on
whether a provided signal is greater than another provided signal
• conditionalLesserSignalInt: branches to one of two provided next states, based on whether
a provided signal is less than a provided integer
32
By combining these statements, we are able to create the decision modules for all the properties
within our case study. In order to be executable within Maude, however, these statements need
corresponding Maude semantics. Consider the conditionalGreaterSignalInt statement. The
formal semantics for this statement in Maude are shown in Code Block 6.
Code Block 6 This Maude code formally defines the semantics of the VMaude
conditionalGreaterSignalInt statement.
--- Conditional Greater Signal Int
ceq iterate( Lines conditionalGreaterSignalInt(StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum) signal-value(’fsmState Length StateNum) )
=
iterate( incrementCycleCount(
setValue( Lines conditionalGreaterSignalInt(StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum)
signal-value(’fsmState Length StateNum)
, ’fsmState , TrueNextStateNum)
))
if getInternalValue(VarName, Lines) > IntValue .
eq iterate( Lines conditionalGreaterSignalInt(StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum) signal-value(’fsmState Length StateNum) )
=
iterate( incrementCycleCount(







Particularly, notice that if the first rewrite equation executes, if the condition getInternalValue(
VarName, Lines) > IntValue evaluates to true, then we do a setValue on the ’fsmState signal
to TrueNextStateNum. If the first rewrite equations does not match, the second one will (since the
second one’s condition is [owise][otherwise]). In the second rewrite equation, we do a setValue
on the ’fsmState signal to FalseNextStateNum. These two equations then together provide the
executable Maude semantics for the conditionalGreaterSignalInt VMaude statement. Similar
semantics were written for the nine other VMaude state machine statements, and are available in
our code reference in Appendix A.4.
The next step is to write the decision module in VMaude. This is a manual process, however,
any errors made at this step can be detected by the Maude engine, as we will later demonstrate. The
manually-coded VMaude decision module for the oversteer property is shown in Code Block 7. For
reference, we have also included the rollover VMaude code in Appendix A.5, and the corresponding
VHDL code in Appendix A.6.
Notice that VMaude is less expressive than pure Maude. For example, VMaude can not deal
with floating-point numbers directly (which makes sense since neither can VHDL) and thus fractions
must be used to provide appropriate approximations. Additionally, arbitrary division is not allowed,
but instead only bit shifts can be performed which effectively limits us to dividing by powers of two.
In the sample code in Code Block 7, starting at state 9, we can not use the floating point value
-0.511, so instead we end up multiplying by -131, and then shifting to the right by 8 (which is
effectively a division by 256). Hence, −131256 is used as an approximation for -0.511. One concern with
33











(signal ’rhs 32) --- right hand side
(signal ’rhs2 32) --- right hand side temporary value
--- first we make steerAngle positive
(state 1 assignSignal ’steerAngle ’iNextSteerAngle 2)
(state 2 conditionalGreaterSignalInt ’steerAngle 0 4 3)
(state 3 assignMultSignalInt ’steerAngle ’steerAngle -1 4)
--- check 1: iNextSteerAngle < 400
(state 4 conditionalLesserSignalInt ’steerAngle 400 20 5)
--- next compute nextXInt
(state 5 assignSignal ’nextXInt ’iCurXInt 6)
(state 6 assignAddSignalInt ’nextXInt ’nextXInt -1760 7) --- nextXInt -= 1760
(state 7 conditionalGreaterSignalInt ’nextXInt 4274 9 8) --- lower bound by 4274
(state 8 assignInt ’nextXInt 4274 9)
--- now allow if curSteer < -0.511 * Vel + 0.153 * Xint + 2040
--- -0.511 ~= -131 / 256 ; 0.153 ~= 313/2048
(state 9 assignSignal ’rhs ’iNextVel 10)
(state 10 assignMultSignalInt ’rhs ’rhs -131 11)
(state 11 assignShiftRightSignalInt ’rhs ’rhs 8 12)
(state 12 assignSignal ’rhs2 ’nextXInt 13)
(state 13 assignMultSignalInt ’rhs2 ’rhs2 313 14)
(state 14 assignShiftRightSignalInt ’rhs2 ’rhs2 11 15)
(state 15 assignAddSignalSignal ’rhs ’rhs ’rhs2 16)
(state 16 assignAddSignalInt ’rhs ’rhs 2040 17)
(state 17 conditionalGreaterSignalSignal ’rhs ’steerAngle 20 21)
--- set ’allow output signal
(state 20 assignInt ’allow 1 0) --- ’allow command; done
(state 21 assignInt ’allow -1 0) --- ’disallow command; done
34
this is that −131256 is not exactly equal to -0.511, so that the resultant decision module may not behave
the same as the floating-point based Maude decision module. We now address this important issue.
Manually translating from the pure Maude decision module to a VMaude version introduces
two sources of errors. First, as described above, approximations may have to be used to overcome
VMaude restrictions (which are there because of VHDL restrictions). Second, manually coding the
module my introduce other bugs because it is not an automatic process. Ideally we would want to
prove that the decision made by the VMaude decision module is always the same as the pure Maude
decision module.
Since VMaude has formal Maude semantics, we can leverage on the Maude engine to prove this
for us. For every state in our tractor model, we can compare the output of the pure Maude decision
module and the VMaude decision module. If any discrepancies are found, they are reported. In
practice, we came across both approximation errors (as in the oversteer VMaude code) and manual
coding errors such as transitioning to an unintended state. Since the Maude engine gives us the
parameters where the decisions diverge, debugging the VMaude code is greatly simplified. When
the Maude search no longer reports violations, the two modules are behaviorally identical for every
state in the model.
The way this was done was, at each state, Maude checks the outputs of the two decision mod-
ules. If the outputs are different, we transition to a state with the DifferentBehavior operator,
which contains the values of the dimensions for the current state and the proposed next state.
Since there are no semantics defined for the DifferentBehavior operator, it will stop Maude
from further rewriting the term. The search, then, simply looks for any states which contain the
DifferentBehavior operator. The search statement for the oversteer module is shown in Code
Block 8.
Code Block 8 This search checks for divergent behavior between the pure Maude decision module
and the VMaude decision module.
--- search for instances of different behavior
search in TRACTOR : initial
=>*
DifferentBehavior(nextVel:Int nextSteerAngle:Int nextXInt:Int
curVel:Int curSteerAngle:Int curXInt:Int) .
3.8 Code Generation
The final step of the Industrial System-Level Simplex case study to generate VHDL code which
can directly run on FPGA hardware. Since the decision module is already written in VMaude, this
process is straightforward. In order to eliminate errors from manual translation, we have written a
Java program which performs this translation automatically. Although this program is not formally
verified, the translation is straightforward, and does not contain complex logic. We have included
the source code for reference in Appendix A.7.
For example, consider the VMaude conditionalGreaterSignalInt statement. This statement
takes in two potential next states, and branches to one of them depending on the value of a provided
signal and a provided integer. An input VMaude statement is shown in Code Block 9. The portion
35
of the Java code of the translator associated with this particular translation is in Code Block 10,
which produces the final VHDL code presented in Code Block 11.
Code Block 9 VMaude statements such as this one are input into the Java-based VHDL generator,
and processed by the code in Code Block 10
(state 2 conditionalGreaterSignalInt ’worstCaseSlope 1000 3 4)
Code Block 10 Java code translates the VMaude conditionalGreaterSignalInt statement to
VHDL code, resulting in the VHDL code shown in Code Block 11.
else if (tokens[2].equals("conditionalGreaterSignalInt"))
{
String sig = tokens[3].substring(1);






Code Block 11 This VHDL code is produced by the Java-based generator from the VMaude code
in Code Block 9.
when 2 =>





The final output of the code generator is a complete VHDL module, which can be immediately
synthesized and run on hardware. We took a generated VHDL module for the decision module
associated with the rollover property and simulated it directly using Xilinx’s ISE Simulator. This
tool has no knowledge of Maude or VMaude, and directly simulates the VHDL Code. The simulation
trace is shown in Figure 3.8. In the testbench for this simulation, at 100 ns, four things occur. The
start signal is asserted for one clock cycle, the value of 200 milliradians is set as to slope, the
nextSteering signal is set to 1400 milliradians, and the future state velocity, nextVelocity, is set
to 6000 millimeters per second. Over the next several clock cycles, the value of fsmState changes
as the decision module goes through the finite state machine. At time 170 ns, the state machine
finishes and transitions back to state 0. The done signal is asserted, and the allow output signal is
also asserted, indicating that the complex controller should be allowed to actuate the system.
3.9 Improving Model-Checking Run Time
The potential model-checking time of a system varies widely, from fractions of a second to hundreds
of years, if done incorrectly. This section provides insight into managing model-checking run time.
We first disclose methods used to significantly reduce the model-checking time during development,
and later describe future ideas for performing this important operation.
36
Figure 3.8: The generated VHDL code can be run through hardware synthesis, or, as shown here,
simulated in a VHDL simulator.
We used four techniques to reduce the size of the state space, and therefore decrease model-
checking time. First, we took advantage of symmetry within our models. For example, in the
rollover model, whether the wheels are turning left or right only affects the signs of variables within
our rollover equation. Therefore, we can immediately eliminate half of the state space by only model-
checking nonnegative steering angles. For the final check, however, we must restore the model to
the complete state space. Second, we statically checked whether properties could be violated in
certain situations, and pruned parts of the model if it was always safe. For example, in the overslip
model, we calculated that even at maximum velocity, the tractor could not experience overslip while
in reverse. Therefore, we removed any negative velocities from our model. Third, we eliminated
entire dimensions through careful manipulation. Both in the rollover model, and in the oversteer
model, we do not model acceleration, but instead only consider velocity and assume worst-case
breaking. This significantly reduced model-checking time since there was one less dimension. The
fourth technique we used, if the model-checking time was still unacceptably high, was to increase
the discretization constants. This essentially creates a more pessimistic decision module, however,
large enough discretization constants will always result in a tractable state space.
In the future, we can also consider to add other means to reduce model-checking time. One
radical approach we started investigating was, instead of checking the entire model oﬄine, running
a hardware model-checker online, and checking some amount of time into the future of the current
state. Then, if no violations are detected several seconds into the future (and we proved this was all
we needed to check for this particular model), the complex controller can be used. In this way, the
entire state space, even if unmanageably large, never needs to be checked. The drawbacks of this is
that a generic, real-time hardware model checker does not exist, so we instead strived to generate
37
specific hardware code for the particular property we were using. The other promising future
approach for reducing model-checking time is the use of model abstractions. Model abstractions
provide a way to collapse several states of a system into a single state, while preserving the model-
checking result. This is shown abstractly in Figure 3.9. Here, the grey states are states which are
externally guaranteed to not violate the property condition, whereas the white ones may represent
states where violations may occur. Since no violation states are abstracted onto a nonviolation
state, we can say the abstraction is invariant preserving, and will therefore preserve the result of
model checking (this is the same reason we can take an infinite continuous dimension and model
it as a finite number of discrete states). In the future, we plan to investigate ways in which these
abstractions can be automatically derived, or externally proven and input by the user.
Figure 3.9: Model abstractions can collapse several states into a single one, improving model-




The future trend of computing is an increased interaction with physical environments. These cyber-
physical systems, however, must be designed carefully in order to prevent monetary losses and, more
importantly, avoid bodily harm. In this thesis, we have significantly progressed the state-of-the-art
by addressing key issues with the Simplex Architecture.
We first described the System-Level Simplex Architecture, a novel framework which protects
the system against a superset of faults when compared with the original Application-Level Simplex
Architecture. We reduced the potential for failure of the composite Simplex system by moving the
safety controller and decision module to dedicated hardware. The novel idea here is performing
hardware/software co-design, but not for the classical reasons of power savings or performance
optimization, but rather to provide system safety.
We also went through an in-depth case study, which used model checking to produce a verifi-
ably correct Simplex safety core. Unlike previous control theory techniques, our model checking
approach is easily applicable to discrete and hybrid (mixed discrete and continuous) systems. This
is important, since we expect a large portion of cyberphysical systems to be best modeled as hybrid
systems.
In the future, we plan to build upon both of these key results.
Hardware/software co-design, we believe, is applicable to more than just the classical uses for
power and performance. In addition to safety, we believe a hardware processor is an ideal place for
certain security checks. In one proposed attack, a timing covert channel was created by hardware,
which would extract keyboard input and diverge collected information by minutely tweaking the
timing of network packets [22]. A hardware block could receive this information prior to forwarding
it to the network card and examine the precise timing of the data stream for potential covert
channels.
In terms of model-checking for Simplex correctness, a number of additions are planned. First, to
increase the applicability of our approach, we will allow well-known formats such as Simulink models
to input system dynamics and safety controller behavior. We also plan to examine the composability
problem where multiple safety properties are monitored by Simplex concurrently. This is particularly
challenging if the safety controller behaviors are not always identical. Another direction here is to
decrease the model-checking time by automatically deriving invariant preserving abstractions, which
will effectively collapse a large number of states in the model to a smaller number which can be




This appendix lists the source code several important programs we developed while investigating
the System-Level Simplex Architecture.
A.1 Inverted Pendulum VHDL Code




−− sbak2@uiuc . edu
l i b r a r y IEEE ;
use IEEE . STD LOGIC 1164 .ALL;
use IEEE .STD LOGIC ARITH .ALL;
use IEEE .STD LOGIC UNSIGNED.ALL;
−−−− Uncomment the f o l l ow ing l i b r a r y de c l a r a t i on i f i n s t a n t i a t i n g
−−−− any Xi l inx p r im i t i v e s in t h i s code .
−−l i b r a r y UNISIM ;
−−use UNISIM . VComponents . a l l ;
e n t i t y i o l o g i c i s
Port (
data pre sent : in s t d l o g i c ;
c l k : in STD LOGIC;
i npu t b i t s : in STD LOGIC VECTOR (7 downto 0 ) ;
ou tput b i t s : out STD LOGIC VECTOR (7 downto 0) := ( other s => ’ 0 ’ ) ;
send now : out STD LOGIC := ’ 0 ’ ;
l e d s i g n a l : out STD LOGIC := ’ 0 ’ ;
l e d s i g n a l 2 : out STD LOGIC := ’ 0 ’ ;
mem volts : in s t d l o g i c v e c t o r (31 downto 0 ) ;
mem updated : in s t d l o g i c v e c t o r (31 downto 0 ) ;
mem track : out s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ ) ;
mem angle : out s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ )
) ;
end i o l o g i c ;
a r ch i t e c t u r e Behaviora l o f i o l o g i c i s
component h r c o n t r o l l e r
port (
s t a r t : in s t d l o g i c ;
c l ock : in s t d l o g i c ;
angle : in s t d l o g i c v e c t o r (31 downto 0 ) ;
t rack : in s t d l o g i c v e c t o r (31 downto 0 ) ;
c x vo l t s : out s t d l o g i c v e c t o r (31 downto 0 ) ;
ou tput ava i l : out s t d l o g i c ;
−−−−−−−−−−−−−−−−− FPU s i g n a l s
s t a r t i : out s t d l o g i c ;
opa i : out s t d l o g i c v e c t o r (31 downto 0 ) ;
opb i : out s t d l o g i c v e c t o r (31 downto 0 ) ;
f pu op i : out s t d l o g i c v e c t o r (2 downto 0 ) ;
rmode i : out s t d l o g i c v e c t o r (1 downto 0 ) ;
output o : in s t d l o g i c v e c t o r (31 downto 0 ) ;




component r ang e l im i t
port (
s t a r t : in s t d l o g i c ;
c l ock : in s t d l o g i c ;
v o l t i n : in s t d l o g i c v e c t o r (31 downto 0 ) ;
min value : in s t d l o g i c v e c t o r (31 downto 0 ) ;
max value : in s t d l o g i c v e c t o r (31 downto 0 ) ;
vo l t ou t : out s t d l o g i c v e c t o r (31 downto 0 ) ;
ou tput ava i l : out s t d l o g i c ;
i n range : out s t d l o g i c ;
−−−−−−−−−−−−−−−−− FPU s i g n a l s
s t a r t i : out s t d l o g i c ;
opa i : out s t d l o g i c v e c t o r (31 downto 0 ) ;
opb i : out s t d l o g i c v e c t o r (31 downto 0 ) ;
f pu op i : out s t d l o g i c v e c t o r (2 downto 0 ) ;
rmode i : out s t d l o g i c v e c t o r (1 downto 0 ) ;
output o : in s t d l o g i c v e c t o r (31 downto 0 ) ;
ready o : in s t d l o g i c
) ;
end component ;
−−− s i g n a l s f o r r ang e l im i t
s i g n a l r l s t a r t : s t d l o g i c := ’ 0 ’ ;
s i g n a l r l v o l t i n : s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r l v o l t o u t : s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r l o u t p u t a v a i l : s t d l o g i c := ’ 0 ’ ;
s i g n a l r l r ange min : s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r l range max : s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r l a n g l e : s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r l t r a c k : s t d l o g i c v e c t o r (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r l i n r a n g e : s t d l o g i c := ’ 0 ’ ;
−−− r l fpu outputs
SIGNAL r l s t a r t i : s t d l o g i c := ’ 0 ’ ;
SIGNAL r l o p a i : s t d l o g i c v e c t o r (31 downto 0 ) ;
SIGNAL r l o p b i : s t d l o g i c v e c t o r (31 downto 0 ) ;
SIGNAL r l f p u o p i : s t d l o g i c v e c t o r (2 downto 0 ) ;
SIGNAL r l rmode i : s t d l o g i c v e c t o r (1 downto 0 ) ;
−−− other s i g n a l s
s i g n a l last mem updated : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l s end c lock count : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l va l out : STD LOGIC VECTOR (7 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r e c e i v ed t r a ck : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r e c e i v ed ang l e : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l t emp rece ived t rack : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l t emp rece ived ang l e : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l h i g h r e l t r a c k : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l h i g h r e l a n g l e : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l s end vo l t s : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l f i n a l v o l t s o u t : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r a n g e l im i t e d f i n a l v o l t s : STD LOGIC VECTOR (31 downto 0) := ( other s =>
’ 0 ’ ) ;
type r e s e t s t a t e s i s ( got0 , got1 , got2 , got3 ) ;
s i g n a l r e s e t s t a t e : r e s e t s t a t e s := got0 ;
s i g n a l r e s t a r t r e c e i v e : STD LOGIC := ’ 0 ’ ;
s i g n a l second count : i n t e g e r := 0 ;
s i g n a l cont ro l l e r shutdown t ime : i n t e g e r := 0 ;
−−− s i g n a l s f o r the high r e l i a b i l i t y c o n t r o l l e r
s i g n a l h r s t a r t : STD LOGIC := ’ 0 ’ ;
s i g n a l h r v o l t s : STD LOGIC VECTOR (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l h r ou tpu t ava i l : STD LOGIC := ’ 0 ’ ;
type r e c e i v e s t a t e s i s ( r e c e i v e t r a ck1 , r e c e i v e t r a ck2 , r e c e i v e t r a ck3 ,
r e c e i v e t r a ck4 ,
r e c e i v e ang l e 1 , r e c e i v e ang l e 2 , r e c e i v e ang l e 3 , r e c e i v e ang l e 4 ,
r e s e t f sm s t a r t , w a i t f o r r e s e t ) ;
41
s i g n a l r e c e i v e s t a t e : r e c e i v e s t a t e s := wa i t f o r r e s e t ;
−−− hr fpu outputs
SIGNAL h r s t a r t i : s t d l o g i c := ’ 0 ’ ;
SIGNAL hr opa i : s t d l o g i c v e c t o r (31 downto 0 ) ;
SIGNAL hr opb i : s t d l o g i c v e c t o r (31 downto 0 ) ;
SIGNAL h r f pu op i : s t d l o g i c v e c t o r (2 downto 0 ) ;
SIGNAL hr rmode i : s t d l o g i c v e c t o r (1 downto 0 ) ;
−−−−−−−− fpu below
SIGNAL f p u s t a r t i : s t d l o g i c := ’ 0 ’ ;
SIGNAL fpu opa i : s t d l o g i c v e c t o r (31 downto 0 ) ;
SIGNAL fpu opb i : s t d l o g i c v e c t o r (31 downto 0 ) ;
SIGNAL fpu f pu op i : s t d l o g i c v e c t o r (2 downto 0 ) ;
SIGNAL fpu rmode i : s t d l o g i c v e c t o r (1 downto 0 ) ;
SIGNAL fpu output o : s t d l o g i c v e c t o r (31 downto 0 ) ;
SIGNAL fpu ready o : s t d l o g i c ;
SIGNAL fpu i n e o : s t d l o g i c ;
SIGNAL fpu ove r f l ow o : s t d l o g i c ;
SIGNAL fpu under f l ow o : s t d l o g i c ;
SIGNAL fpu d i v z e r o o : s t d l o g i c ;
SIGNAL f pu i n f o : s t d l o g i c ;
SIGNAL fpu z e r o o : s t d l o g i c ;
SIGNAL fpu qnan o : s t d l o g i c ;
SIGNAL fpu snan o : s t d l o g i c ;
−− semaphorish s t u f f
s i g n a l s t a r t f i n a l r a n g e c h e c k s t a t e : i n t e g e r := 10 ;
s i g n a l s t a r t r e l i a b l e c o n t r o l l e r s t a t e : i n t e g e r := 10 ;
s i g n a l s emaphore check ing f ina l r ange : s t d l o g i c := ’ 0 ’ ;
s i g n a l semaphore running hrc : s t d l o g i c := ’ 0 ’ ;
−− slow c lock
s i g n a l s l ow c l o ck : s t d l o g i c := ’ 0 ’ ;
−− constants
constant CONSTANT 5 0 : s t d l o g i c v e c t o r (31 downto 0) := X”409 eb852 ” ; −− i t ’ s
r e a l l y 4 .96
constant CONSTANT m 5 0 : s t d l o g i c v e c t o r (31 downto 0) := X”c09eb852 ” ; −− same
here , −4.96
constant CONSTANT 1 0 : s t d l o g i c v e c t o r (31 downto 0) := X”3 f800000 ” ;
constant CONSTANT m 1 0 : s t d l o g i c v e c t o r (31 downto 0) := X”bf800000 ” ;
constant CONSTANT 10 0 : s t d l o g i c v e c t o r (31 downto 0) := X”41200000”;
constant CONSTANT m 10 0 : s t d l o g i c v e c t o r (31 downto 0) := X”c1200000 ” ;
COMPONENT fpu
PORT(
c l k i : IN s t d l o g i c ;
opa i : IN s t d l o g i c v e c t o r (31 downto 0 ) ;
opb i : IN s t d l o g i c v e c t o r (31 downto 0 ) ;
f pu op i : IN s t d l o g i c v e c t o r (2 downto 0 ) ;
rmode i : IN s t d l o g i c v e c t o r (1 downto 0 ) ;
s t a r t i : IN s t d l o g i c ;
output o : OUT s t d l o g i c v e c t o r (31 downto 0 ) ;
ready o : OUT s t d l o g i c ;
i n e o : OUT s t d l o g i c ;
ove r f l ow o : OUT s t d l o g i c ;
under f low o : OUT s t d l o g i c ;
d i v z e r o o : OUT s t d l o g i c ;
i n f o : OUT s t d l o g i c ;
z e ro o : OUT s t d l o g i c ;
qnan o : OUT s t d l o g i c ;




my fpu : fpu PORT MAP(
c l k i => s low c lock ,
opa i => fpu opa i ,
opb i => fpu opb i ,
f pu op i => f pu fpu op i ,
rmode i => fpu rmode i ,
output o => fpu output o ,
s t a r t i => f p u s t a r t i ,
ready o => fpu ready o ,
i n e o => f pu ine o ,
ove r f l ow o => fpu over f l ow o ,
under f low o => fpu under f low o ,
d i v z e r o o => f pu d iv z e r o o ,
i n f o => f pu i n f o ,
42
z e ro o => fpu ze ro o ,
qnan o => fpu qnan o ,
snan o => fpu snan o
) ;
p increment input : p roce s s ( c lk ) begin
i f r i s i n g e d g e ( c lk ) then
i f s l ow c l o ck = ’0 ’ then
s l ow c l o ck <= ’1 ’ ;
e l s e
s l ow c l o ck <= ’0 ’ ;
end i f ;
i f cont ro l l e r shutdown t ime > 0 then
cont ro l l e r shutdown t ime <= cont ro l l e r shutdown t ime − 1 ;
end i f ;
i f r e c e i v ed t r a ck = x”00000000” then
l e d s i g n a l <= ’1 ’ ;
e l s e
l e d s i g n a l <= ’0 ’ ;
end i f ;
−− we need to send at 50 hz and one second i s 33000000 t i c k s
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
−− 57600 bps
i f s end c lock count >= 330000 then −− was 660000
send c lock count <= ( other s => ’ 0 ’ ) ;
e l s e
−− send r e s e t byte 1/4
i f s end c lock count = 1 then
i f second count < 1000 then
second count <= second count + 1 ;
e l s e
second count <= 0;
end i f ;
send now <= ’1 ’ ;
ou tput b i t s <= x” f f ” ;
e l s i f s end c lock count = 10312 then
send now <= ’0 ’ ;
e l s i f s end c lock count = 10313 then
−− send r e s e t byte 2/4
send now <= ’1 ’ ;
ou tput b i t s <= x” f f ” ;
e l s i f s end c lock count = 20624 then
send now <= ’0 ’ ;
e l s i f s end c lock count = 20625 then
−− send r e s e t byte 3/4
send now <= ’1 ’ ;
ou tput b i t s <= x” f f ” ;
e l s i f s end c lock count = 30937 then
send now <= ’0 ’ ;
e l s i f s end c lock count = 30938 then
−− send r e s e t byte 4/4
send now <= ’1 ’ ;
ou tput b i t s <= x” f f ” ;
−− s t a r t the envelope c a l c u l a t i o n f o r whatever va lues we cu r r en t l y have
e l s i f s end c lock count = 41249 then
send now <= ’0 ’ ;
−−− get the l a t e s t value f o r the vo l t s we ’ re sending
s end vo l t s <= f i n a l v o l t s o u t ;
e l s i f s end c lock count = 41250 then
−− send data byte 1/4
send now <= ’1 ’ ;
ou tput b i t s <= send vo l t s (7 downto 0 ) ;
e l s i f s end c lock count = 51562 then
send now <= ’0 ’ ;
e l s i f s end c lock count = 51563 then
−− send data byte 2/4
send now <= ’1 ’ ;
ou tput b i t s <= send vo l t s (15 downto 8 ) ;
e l s i f s end c lock count = 61874 then
send now <= ’0 ’ ;
e l s i f s end c lock count = 61875 then
−− send data byte 3/4
send now <= ’1 ’ ;
ou tput b i t s <= send vo l t s (23 downto 16 ) ;
e l s i f s end c lock count = 72187 then
43
send now <= ’0 ’ ;
e l s i f s end c lock count = 72188 then
−− send data byte 4/4
send now <= ’1 ’ ;
ou tput b i t s <= send vo l t s (31 downto 24 ) ;
e l s i f s end c lock count = 82499 then
send now <= ’0 ’ ;
end i f ;
s end c lock count <= send c lock count + 1 ;
end i f ;
−−−−−−−−−− HIGH RELIABLE CONTROLLER CODE BELOW −−−−−−−−−−−−
case s t a r t r e l i a b l e c o n t r o l l e r s t a t e i s
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when 0 =>
semaphore running hrc <= ’1 ’ ;
s t a r t r e l i a b l e c o n t r o l l e r s t a t e <= 1;
when 1 =>
−− t h i s i s f a l s e i f there was a c o l l i s i o n
s t a r t r e l i a b l e c o n t r o l l e r s t a t e <= 2;
h r s t a r t <= ’0 ’ ;
when 2 =>
h r s t a r t <= ’1 ’ ;
s t a r t r e l i a b l e c o n t r o l l e r s t a t e <= 3;
when 3 =>
h r s t a r t <= ’0 ’ ;
s t a r t r e l i a b l e c o n t r o l l e r s t a t e <= 4;
l e d s i g n a l 2 <= ’1 ’ ;
when other s =>
end case ;
i f h r ou tpu t ava i l = ’1 ’ then
l e d s i g n a l 2 <= ’0 ’ ;
f i n a l v o l t s o u t <= hr vo l t s ;
semaphore running hrc <= ’0 ’ ;
s t a r t r e l i a b l e c o n t r o l l e r s t a t e <= 10;
end i f ;
−−−−−−−−−−−−− HIGH RELIABLE CONTROLLER CODE ABOVE −−−−−−−−−−−−
−−−−−−−−−−−−− FINAL RANGE CHECK BELOW −−−−−−−−−−−−−−
case s t a r t f i n a l r a n g e c h e c k s t a t e i s
when 0 =>
−− s t o r e them once here so they don ’ t get changed i f we update
r l a n g l e <= re c e i v ed ang l e ;
r l t r a c k <= re c e i v ed t r a ck ;
i f semaphore running hrc = ’0 ’ then
s t a r t f i n a l r a n g e c h e c k s t a t e <= 1;
end i f ;
when 1 =>
s emaphore check ing f ina l r ange <= ’0 ’ ;
s t a r t f i n a l r a n g e c h e c k s t a t e <= 10;
when 2 =>
r l s t a r t <= ’0 ’ ;
−−− stay in s tage 2 means we ’ re checking track po s i t i on
when 3 =>
−− check angle
r l range max <= CONSTANT 1 0 ;
r l r ange min <= CONSTANT m 1 0 ;
r l v o l t i n <= r l a n g l e ;
r l s t a r t <= ’1 ’ ;
s t a r t f i n a l r a n g e c h e c k s t a t e <= 4;
when 4 =>
r l s t a r t <= ’0 ’ ;
−−− stay in s tage 4 means we ’ re checking angle
when 8 =>
−− 8 means envelope means check f i n a l range
r l range max <= CONSTANT 5 0 ;
r l r ange min <= CONSTANT m 5 0 ;
r l v o l t i n <= f i n a l v o l t s o u t ;
r l s t a r t <= ’1 ’ ;
s t a r t f i n a l r a n g e c h e c k s t a t e <= 9;
when 9 =>
−−− 9 means we ’ re doing f i n a l range l im i t i n g
r l s t a r t <= ’0 ’ ;
when other s =>
end case ;
44
−− r l v o l t o u t <= [−5 , 5 ] f i n a l v o l t s o u t
−− r l a n g l e <= [−1 , 1 ] ???
−− r l t r a c k <= [−10 , 10 ] ???
i f r l o u t p u t a v a i l = ’1 ’ then
i f s t a r t f i n a l r a n g e c h e c k s t a t e = 2 then
−− we ju s t checked track
i f r l i n r a n g e = ’1 ’ then
s t a r t f i n a l r a n g e c h e c k s t a t e <= 3; −− check angle
e l s e
s t a r t f i n a l r a n g e c h e c k s t a t e <= 8; −− use value from r e l i a b l e c o n t r o l l e r
−− don ’ t use the exper imenta l c o n t r o l l e r un t i l we ’ re in the envelope f o r
5 s e c s
cont ro l l e r shutdown t ime <= 165000000;
end i f ;
e l s i f s t a r t f i n a l r a n g e c h e c k s t a t e = 4 then
i f r l i n r a n g e = ’1 ’ then
s t a r t f i n a l r a n g e c h e c k s t a t e <= 8;
i f cont ro l l e r shutdown t ime = 0 then
i f mem updated /= last mem updated then −− there was an update ! use i t
last mem updated <= mem updated ;
end i f ;
end i f ;
e l s e
−− don ’ t use the exper imenta l c o n t r o l l e r un t i l we ’ re in the envelope f o r
5 s e c s
cont ro l l e r shutdown t ime <= 165000000;
end i f ;
e l s i f s t a r t f i n a l r a n g e c h e c k s t a t e = 9 then
r a n g e l im i t e d f i n a l v o l t s <= r l v o l t o u t ;
s t a r t f i n a l r a n g e c h e c k s t a t e <= 10;
−− we ’ re done with envelope , e x i t c r i t i c a l s e c t i on
s emaphore check ing f ina l r ange <= ’0 ’ ;
end i f ;
end i f ;
−−−−−−−−−−−−− FINAL RANGE CHECK ABOVE −−−−−−−−−−−−−
i f r e s t a r t r e c e i v e = ’1 ’ then
r e s t a r t r e c e i v e <= ’0 ’ ;
r e c e i v e s t a t e <= re c e i v e t r a c k 1 ;
e l s i f data pre sent = ’1 ’ then
−− we have r e c e i v ed data which i s in i npu t b i t s
i f i n pu t b i t s = x” f f ” then
i f r e s e t s t a t e = got0 then
r e s e t s t a t e <= got1 ;
e l s i f r e s e t s t a t e = got1 then
r e s e t s t a t e <= got2 ;
e l s i f r e s e t s t a t e = got2 then
r e s e t s t a t e <= got3 ;
e l s e −− r e s e t s t a t e = got4 !
r e s e t s t a t e <= got3 ; −− not r e a l l y neces sary s i n c e i t w i l l remain the same
r e s t a r t r e c e i v e <= ’1 ’ ;
end i f ;
e l s e
r e s e t s t a t e <= got0 ;
end i f ;
case r e c e i v e s t a t e i s
when r e c e i v e t r a c k 1 =>
t emp rece ived t rack <= x”000000” & inpu t b i t s ;
r e c e i v e s t a t e <= re c e i v e t r a c k 2 ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when r e c e i v e t r a c k 2 =>
t emp rece ived t rack <= x”0000” & inpu t b i t s & temp rece ived t rack (7
downto 0 ) ;
r e c e i v e s t a t e <= re c e i v e t r a c k 3 ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when r e c e i v e t r a c k 3 =>
45
t emp rece ived t rack <= x”00” & inpu t b i t s & temp rece ived t rack (15 downto
0 ) ;
r e c e i v e s t a t e <= re c e i v e t r a c k 4 ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when r e c e i v e t r a c k 4 =>
−− i f i n pu t b i t s /= x” f f ” then −− shouldn ’ t happen , but you never know
temp rece ived t rack <= inpu t b i t s & temp rece ived t rack (23 downto 0 ) ;
−−end i f ;
r e c e i v e s t a t e <= re c e i v e ang l e 1 ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when r e c e i v e ang l e 1 =>
t emp rece ived ang l e <= x”000000” & inpu t b i t s ;
r e c e i v e s t a t e <= re c e i v e ang l e 2 ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when r e c e i v e ang l e 2 =>
t emp rece ived ang l e <= x”0000” & inpu t b i t s & temp rece ived ang l e (7
downto 0 ) ;
r e c e i v e s t a t e <= re c e i v e ang l e 3 ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when r e c e i v e ang l e 3 =>
t emp rece ived ang l e <= x”00” & inpu t b i t s & temp rece ived ang l e (15 downto
0 ) ;
r e c e i v e s t a t e <= re c e i v e ang l e 4 ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when r e c e i v e ang l e 4 =>
r e c e i v ed ang l e <= inpu t b i t s & temp rece ived ang l e (23 downto 0 ) ;
r e c e i v ed t r a ck <= temp rece ived t rack ;
−− s t o r e the va lues f o r the exper imenta l c o n t r o l l e r
s t a r t r e l i a b l e c o n t r o l l e r s t a t e <= 0;
r e c e i v e s t a t e <= r e s e t f sm s t a r t ;
−− s t a r t to send data ( the r e s u l t should be ready soon enough )
s end c lock count <= ( other s => ’ 0 ’ ) ;
−−−−−−−−−−−−−−−−−−−−−−−−−−−−−
when other s =>
end case ;
end i f ;
end i f ;
end proce s s ;
h r c o n t r o l l e r i n s t : h r c o n t r o l l e r PORT MAP(
s t a r t => hr s t a r t ,
c l ock => s low c lock ,
angle => r e c e i v ed ang l e ,
t rack => r e c e i v ed t ra ck ,
c x vo l t s => hr vo l t s ,
ou tput ava i l => hr output ava i l ,
−−−−−−−−−−−−−−−−− FPU s i g n a l s
s t a r t i => h r s t a r t i ,
opa i => hr opa i ,
opb i => hr opb i ,
f pu op i => hr fpu op i ,
rmode i => hr rmode i ,
output o => fpu output o ,
ready o => fpu ready o
) ;
r l i n s t : r ang e l im i t PORT MAP(
s t a r t => r l s t a r t ,
c l ock => s low c lock ,
v o l t i n => r l v o l t i n ,
vo l t ou t => r l v o l t o u t ,
ou tput ava i l => r l o u tpu t ava i l ,
i n range => r l i n r ang e ,
min value => r l range min ,
max value => r l range max ,
−−−−−−−−−−−−−−−−− FPU s i g n a l s
s t a r t i => r l s t a r t i ,
opa i => r l o p a i ,
opb i => r l o pb i ,
f pu op i => r l f p u o p i ,
rmode i => r l rmode i ,
46
output o => fpu output o ,
ready o => fpu ready o
) ;
h r r l u s e f p u : proce s s ( h r s t a r t i , r l s t a r t i ) begin
i f h r s t a r t i = ’1 ’ then
f p u s t a r t i <= ’1 ’ ;
f pu opa i <= hr opa i ;
f pu opb i <= hr opb i ;
f pu f pu op i <= hr f pu op i ;
fpu rmode i <= hr rmode i ;
e l s i f r l s t a r t i = ’1 ’ then
f p u s t a r t i <= ’1 ’ ;
f pu opa i <= r l o p a i ;
f pu opb i <= r l o p b i ;
f pu f pu op i <= r l f p u o p i ;
fpu rmode i <= r l rmode i ;
e l s e
f p u s t a r t i <= ’0 ’ ;
end i f ;
end proce s s ;
end Behaviora l ;
A.2 Model Generator Code
The Model generator is split into five files. The two main ones, Main.java, and DiscreteBounded-
MaxModel.java, are listed here, in that order.
import java . i o . BufferedReader ;
import java . i o . F i l e ;
import java . i o . Fi leInputStream ;
import java . i o . IOException ;
import java . i o . InputStreamReader ;
import java . i o . PrintStream ;
/∗∗
∗ Main module f o r generat ing Maude model code
∗
∗ You can sp e c i f y d i s c r e t i z a t i o n constants f o r the var ious parameters we
model . These are done by
∗ g iv ing a mul t ip l e o f the base unit ( which i s the minimum po s s i b l e d i s c r e t e
value ) . Base un i t s are
∗
∗ Distance : m i l l ime t e r s
∗ Angle : m i l l i r a d i a n s
∗ Time : m i l l i s e c ond s
∗
∗ For example , i f the d i s c r e t i z a t i o n constant f o r a c c e l e r a t i o n i s 10 , then
each unit o f v e l o c i t y
∗ counts as one cent imeter per second , and each unit o f a c c e l e r a t i o n i s in





pub l i c c l a s s Main
{
pr iva t e s t a t i c f i n a l i n t UNDEFINED = −1999999999;
// a c c e l and ve l
p r i va t e f i n a l s t a t i c i n t FORWARDS MIN ACCEL INDEX = 0;
p r i va t e f i n a l s t a t i c i n t FORWARDS MAX ACCEL INDEX = 1;
p r i va t e f i n a l s t a t i c i n t BACKWARDS MIN ACCEL INDEX = 2;
p r i va t e f i n a l s t a t i c i n t BACKWARDS MAX ACCEL INDEX = 3;
p r i va t e f i n a l s t a t i c i n t MIN VEL INDEX = 4;
p r i va t e f i n a l s t a t i c i n t MAX VEL INDEX = 5;
p r i va t e f i n a l s t a t i c i n t BEST RAW ACCEL INDEX = 6;
p r i va t e f i n a l s t a t i c i n t BEST OBSERVED ACCEL INDEX = 7;
p r i va t e f i n a l s t a t i c i n t WORST RAW ACCEL INDEX = 8;
p r i va t e f i n a l s t a t i c i n t WORST OBSERVED ACCEL INDEX = 9;
p r i va t e f i n a l s t a t i c i n t TIME FROM BEST TO WORST INDEX = 10;
p r i va t e f i n a l s t a t i c i n t TIME DISCRETIZATION CONSTANT INDEX = 11;
p r i va t e f i n a l s t a t i c i n t DISTANCE DISCRETIZATION CONSTANT INDEX = 12;
p r i va t e f i n a l s t a t i c i n t ANGLE DISCRETIZATION CONSTANT INDEX = 13;
p r i va t e f i n a l s t a t i c i n t MIN STEERING ANGLE INDEX = 14;
p r i va t e f i n a l s t a t i c i n t MAX STEERING ANGLE INDEX = 15;
47
pr iva t e f i n a l s t a t i c i n t DELTA STEERING ANGLE INDEX = 16;
p r i va t e f i n a l s t a t i c i n t WHEEL BASE INDEX = 17;
p r i va t e f i n a l s t a t i c i n t TRACK INDEX = 18;
p r i va t e f i n a l s t a t i c i n t COG HEIGHT INDEX = 19;
p r i va t e f i n a l s t a t i c i n t MAX SLOPE INDEX = 20;
p r i va t e f i n a l s t a t i c i n t MAX DELTA SLOPE INDEX = 21;
p r i va t e f i n a l s t a t i c i n t SKID BEST RAW ACCEL INDEX = 22;
p r i va t e f i n a l s t a t i c i n t SKID BEST OBSERVED ACCEL INDEX = 23;
p r i va t e f i n a l s t a t i c i n t SKID WORST RAW ACCEL INDEX = 24;
p r i va t e f i n a l s t a t i c i n t SKID WORST OBSERVED ACCEL INDEX = 25;
p r i va t e f i n a l s t a t i c i n t SKID TIME FROM BEST TO WORST INDEX = 26;
p r i va t e s t a t i c f i n a l i n t NUM INDEX = 27;
p r i va t e s t a t i c f i n a l St r ing [ ] INDEX NAMES =
{
” forwardsminacce l ” ,
” forwardsmaxaccel ” ,




” bes t rawacce l ” ,
” be s tobse rvedacce l ” ,
”worstrawacce l ” ,
” wors tobse rvedacce l ” ,
” t imefrombesttoworst ” ,
” t imed i s c r e t i z a t i on c on s t an t ” ,
” d i s t a n c e d i s c r e t i z a t i o n c on s t an t ” ,
” ang l e d i s c r e t i z a t i o n c on s t an t ” ,
”mins tee r ingang l e ” ,
”maxsteer ingangle ” ,
” d e l t a s t e e r i n g ang l e ” ,
”wheelbase ” ,
” track ” ,
” coghe ight ” ,
”maxslope ” ,
”maxdeltas lope ” ,
” sk idbe s t rawacce l ” ,
” sk idbe s t ob s e rv edac c e l ” ,
” sk idwors t rawacce l ” ,
” sk idwor s tobse rvedacce l ” ,
” sk idt imef rombesttoworst ”
} ;
p r i va t e s t a t i c i n t [ ] parameterValues = new in t [NUM INDEX ] ;
p r i va t e s t a t i c i n t wo r s t x i n t e r c ep t = −1; // ca l cu l a t ed during doTerrain
pub l i c s t a t i c void main ( St r ing [ ] args )
{
f i n a l St r ing SLIP DIR = ” s l i p mode l ” ;
f i n a l St r ing ROLL DIR = ” ro l l mode l ” ;
f i n a l St r ing SKID DIR = ” skid model ” ;
S t r ing l o adF i l e = ”” ; // the f i l e to load from
i f ( args . l ength > 0)
l o adF i l e = args [ 0 ] ;
e l s e
{
BufferedReader in = new BufferedReader (new InputStreamReader ( System . in ) ) ;
System . out . p r in t (” Please enter model txt f i l ename : ” ) ;
t ry
{
l o adF i l e = in . readLine ( ) ;
}
catch ( IOException e )
{
System . e r r . p r i n t l n ( e ) ;
}
}
loadValues ( l o adF i l e ) ;
new F i l e ( SLIP DIR ) . mkdirs ( ) ;
new F i l e (ROLL DIR ) . mkdirs ( ) ;
new F i l e (SKID DIR ) . mkdirs ( ) ;
doAccel ( SLIP DIR ) ;
doTerra inS l ip ( SLIP DIR ) ;
doVeloc i ty (ROLL DIR ) ;
doSteer ing (ROLL DIR ) ;
doSlope (ROLL DIR ) ;
48
doVeloc i ty (SKID DIR ) ;
doTerrainSkid (SKID DIR ) ;
doSteer ing (SKID DIR ) ;
System . out . p r i n t l n (” Exit ing . . . ” ) ;
System . e x i t ( 0 ) ;
}
pr iva t e s t a t i c void loadValues ( St r ing f i l ename )
{
// san i ty check
i f (NUM INDEX != INDEX NAMES. length )
{
System . e r r . p r i n t l n (” i n t e r n a l san i ty check f a i l e d : NUM INDEX !=
INDEX NAMES. length ” ) ;
System . e x i t ( 1 ) ;
}
f o r ( i n t x = 0 ; x < NUM INDEX; ++x)
parameterValues [ x ] = UNDEFINED;
i f ( f i l ename == ””)
{
System . out . p r i n t l n (” Generating formal models from sample parameters . . . ” ) ;
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] = 500; // in ms
parameterValues [DISTANCE DISCRETIZATION CONSTANT INDEX] = 250; // in
m i l l ime t e r s
parameterValues [ANGLE DISCRETIZATION CONSTANT INDEX] = 250; // in
m i l l i r a d i a n s
parameterValues [FORWARDS MIN ACCEL INDEX] = −4000; // mm/s ˆ2
parameterValues [FORWARDS MAX ACCEL INDEX] = 3000; // mm/s ˆ2
parameterValues [BACKWARDS MIN ACCEL INDEX] = −2000; // mm/s ˆ2
parameterValues [BACKWARDS MAX ACCEL INDEX] = 4000; // mm/s ˆ2
parameterValues [MIN VEL INDEX] = −4000; // mm/s
parameterValues [MAX VEL INDEX] = 6000; // mm/s
parameterValues [BEST RAW ACCEL INDEX] = 4000; // mm/s ˆ2
parameterValues [BEST OBSERVED ACCEL INDEX] = 3000; // mm/s ˆ2
parameterValues [WORST RAW ACCEL INDEX] = 4000; // mm/s ˆ2
parameterValues [WORST OBSERVED ACCEL INDEX] = 1000; // mm/s ˆ2
parameterValues [TIME FROM BEST TO WORST INDEX] = 2000; // in ms
parameterValues [MIN STEERING ANGLE INDEX] = −1500; // in m i l l i r a d i a n s
parameterValues [MAX STEERING ANGLE INDEX] = 1500; // in m i l l i r a d i a n s
parameterValues [DELTA STEERING ANGLE INDEX] = 1000; // in m i l l i r a d i a n s /
second
parameterValues [WHEEL BASE INDEX] = 4000; // mm
parameterValues [TRACK INDEX] = 2000; // mm
parameterValues [COG HEIGHT INDEX] = 1000; // mm
parameterValues [MAX SLOPE INDEX] = 1000; // in m i l l i r ad i an s , 1000 = ˜57
degrees
parameterValues [MAX DELTA SLOPE INDEX] = 250; // m i l l i r a d i a n s per second
parameterValues [SKID BEST RAW ACCEL INDEX] = 4000; // mm/s ˆ2
parameterValues [SKID BEST OBSERVED ACCEL INDEX] = 3500; // mm/s ˆ2
parameterValues [SKID WORST RAW ACCEL INDEX] = 4000; // mm/s ˆ2
parameterValues [SKID WORST OBSERVED ACCEL INDEX] = 500; // mm/s ˆ2
parameterValues [SKID TIME FROM BEST TO WORST INDEX] = 2000; // in ms
}
e l s e
{
// load them from f i l ename
try
{
BufferedReader in = new BufferedReader (new InputStreamReader (new
Fi leInputStream ( f i l ename ) ) ) ;
f o r ( St r ing s = in . readLine ( ) ; s != nu l l ; s = in . readLine ( ) )
{
// f i r s t trim comments
i n t commentIndex = s . indexOf ( ” ; ” ) ;
i f ( commentIndex != −1)
s = s . subs t r ing (0 , commentIndex ) ;
s . trim ( ) ;
// ignore blank l i n e s
i f ( s . l ength ( ) == 0)
cont inue ;
49
Str ing [ ] words = s . s p l i t (”=”);
i f ( words . l ength != 2)
{
System . e r r . p r i n t l n (”Warning : Model txt f i l e l i n e ’” + s + ” ’ does not
conta in exac t ly one equa l s s i gn ’= ’”) ;
cont inue ;
}
words [ 0 ] = words [ 0 ] . trim ( ) . toLowerCase ( ) ;
words [ 1 ] = words [ 1 ] . trim ( ) . toLowerCase ( ) ;
boolean found = f a l s e ;
f o r ( i n t x = 0 ; x < INDEX NAMES. length ; ++x)
{
i f (INDEX NAMES[ x ] . equa l s ( words [ 0 ] ) )
{
parameterValues [ x ] = In t ege r . pa r s e In t ( words [ 1 ] ) ;




i f ( ! found )
{
System . out . p r i n t l n (”Warning : Unknown parameter ’” + words [ 0 ] + ” ’ from
l i n e ’” + s + ” ’ ” ) ;
}
}
in . c l o s e ( ) ;
}
catch ( Exception e )
{
System . e r r . p r i n t l n ( e ) ;
System . e x i t ( 1 ) ;
}
}
f o r ( i n t x = 0 ; x < NUM INDEX; ++x)
i f ( parameterValues [ x ] == UNDEFINED)
{
System . e r r . p r i n t l n (” Error : Parameter ” + INDEX NAMES[ x ] + ” was l e f t
undef ined . ” ) ;
System . e x i t ( 1 ) ;
}
}
pub l i c s t a t i c void doSteer ing ( St r ing d i r )
{
Str ing s tee r ingFi l ename = d i r + F i l e . s eparato r + ” trac tor−s t e e r i n g .maude ” ;
DiscreteBoundedMaxModel steerModel = new DiscreteBoundedMaxModel ( nul l ,
” s tee rAng le ” ) ;
steerModel . s e tD i s c r e t i z a t i onCons tan t ( parameterValues [ANGLE DISCRETIZATION CONSTA
NT INDEX ] ) ;
steerModel . s e tTimeDiscre t i zat ionConstant ( parameterValues [TIME DISCRETIZATION CON
STANT INDEX ] ) ;
// steerModel . setIndependentRange (−90 , 90 ) ;
steerModel . setDependentRange ( parameterValues [MIN STEERING ANGLE INDEX] ,
parameterValues [MAX STEERING ANGLE INDEX ] ) ; // approximately [−PI /2 , PI /2 ]
steerModel . setPos i t iveIndependentRange(−parameterValues [DELTA STEERING ANGLE IND
EX] , parameterValues [DELTA STEERING ANGLE INDEX ] ) ;
steerModel . setNegativeIndependentRange(−parameterValues [DELTA STEERING ANGLE IND
EX] , parameterValues [DELTA STEERING ANGLE INDEX ] ) ;
PropertyModule steerModule = new PropertyModule (”TRACTOR−STEERING” ) ;
steerModule . addBodyGenerator ( steerModel ) ;
// add reduce
in t de l taSteerAnglePerStep = parameterValues [DELTA STEERING ANGLE INDEX] ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] / 1000;
steerModule . addBodyGenerator (new Str ingGenerator (” op reduce−s tee rAng le : Int
−> SORT STEERANGLE . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” ceq
reduce−s tee rAng le ( cur−s tee rAng le ) = steerAng le ( cur−s tee rAng le + ” +
50
−de l taSteerAnglePerStep + ”) i f cur−s tee rAng le > ” + del taSteerAnglePerStep + ”
. ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” ceq
reduce−s tee rAng le ( cur−s tee rAng le ) = steerAng le ( cur−s tee rAng le + ” +
deltaSteerAnglePerStep + ”) i f cur−s tee rAng le < ” + −de l taSteerAnglePerStep + ”
. ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” eq
reduce−s tee rAng le ( cur−s tee rAng le ) = steerAng le (0) [ owise ] . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” op i n i t i a l −s tee rAng le : −>
SORT STATE . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” eq i n i t i a l −s tee rAng le =
steerAng le (0) . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” op WHEEL−BASE : −> Int . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” eq WHEEL−BASE = ” +
parameterValues [WHEEL BASE INDEX] + ” . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” op TRACK : −> Int . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” eq TRACK = ” +
parameterValues [TRACK INDEX] + ” . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” op COG−HEIGHT : −> Int . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator (” eq COG−HEIGHT = ” +
parameterValues [COG HEIGHT INDEX] + ” . ” ) ) ;
steerModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
t ry
{
PrintStream ps = new PrintStream ( stee r ingFi l ename ) ;
steerModule . generate ( ps ) ;
ps . c l o s e ( ) ;
}
catch ( Exception e )
{
System . out . p r i n t l n ( e ) ;
}
}
pub l i c s t a t i c void doVeloc i ty ( St r ing d i r e c t o r y )
{
Str ing acce lFi l ename = d i r e c t o r y + F i l e . s eparato r + ” trac tor−ve l . maude ” ;
i f ( wo r s t x i n t e r c ep t == −1)
{
System . e r r . p r i n t l n (” Error : doTerrain must be done be fo r e doVeloc i ty ( need
wo r s t x i n t e r c ep t ) ” ) ;
System . e x i t ( 1 ) ;
}
f l o a t forwardsS l ipBreak ing = ( parameterValues [FORWARDS MIN ACCEL INDEX] ∗
parameterValues [FORWARDS MIN ACCEL INDEX] ) / ( f l o a t ) ( wo r s t x i n t e r c ep t ∗
wor s t x i n t e r c ep t ) ;
f l o a t backwardsSl ipBreaking = ( parameterValues [BACKWARDS MAX ACCEL INDEX] ∗
parameterValues [BACKWARDS MAX ACCEL INDEX] ) / ( f l o a t ) ( wo r s t x i n t e r c ep t ∗
wor s t x i n t e r c ep t ) ;
i n t forwardsBreakingAcce l = ( in t ) ( parameterValues [FORWARDS MIN ACCEL INDEX] ∗
(1.0− f o rwardsS l ipBreak ing ) ) ;
i n t backwardsBreakingAccel = ( in t ) ( parameterValues [BACKWARDS MAX ACCEL INDEX]
∗ (1.0− backwardsSl ipBreaking ) ) ;
i f ( parameterValues [TIME DISCRETIZATION CONSTANT INDEX] > 1000)
{
System . e r r . p r i n t l n (” e r r o r : time d i s c r e t i z a t i o n constant > 1000 ( can ’ t
compute s t eps per second ) ” ) ;
System . e x i t ( 1 ) ;
}
i n t stepsPerSecond = 1000 /
parameterValues [TIME DISCRETIZATION CONSTANT INDEX ] ;
//System . out . p r i n t l n (” stepsPerSecond = ” + stepsPerSecond ) ;
f o r ( ; ( forwardsBreakingAcce l / stepsPerSecond ) %
parameterValues [DISTANCE DISCRETIZATION CONSTANT INDEX] != 0 | |
forwardsBreakingAcce l % stepsPerSecond != 0 ; )
++forwardsBreakingAcce l ;
51
f o r ( ; ( backwardsBreakingAccel / stepsPerSecond ) %
parameterValues [DISTANCE DISCRETIZATION CONSTANT INDEX] != 0 | |
backwardsBreakingAccel % stepsPerSecond != 0 ; )
−−backwardsBreakingAccel ;
i n t i d e a l f o rwa rd s b r e a k i n g a c c e l = ( in t )((1.0− f o rwardsS l ipBreak ing ) ∗
parameterValues [FORWARDS MIN ACCEL INDEX ] ) ;
i n t i d ea l ba ckward s b r eak ing ac c e l = ( in t )((1.0− backwardsSl ipBreaking ) ∗
parameterValues [BACKWARDS MAX ACCEL INDEX] ) ;
System . out . p r i n t l n (”INFO( pessimism ) : ” + (100 .0 − (100 .0 ∗
forwardsBreakingAcce l / i d e a l f o rwa rd s b r e a k i n g a c c e l ) ) + ”% change in worst
case forward breaking in ” + d i r e c t o r y
+ ” (” + id e a l f o rwa rd s b r e a k i n g a c c e l + ” −> ” + forwardsBreakingAcce l
+”)”);
System . out . p r i n t l n (”INFO( pessimism ) : ” + (100 .0 − (100 .0 ∗
backwardsBreakingAccel / i d ea l ba ckward s b r eak ing ac c e l ) )
+ ”% change in worst case backwards breaking in ” + d i r e c t o r y + ” (”
+ idea l ba ckward s b r eak ing ac c e l + ” −> ” + backwardsBreakingAccel +”)”);
DiscreteBoundedMaxModel velModel = new DiscreteBoundedMaxModel ( nul l , ” ve l ” ) ;
velModel . s e tD i s c r e t i z a t i onCons tan t ( parameterValues [DISTANCE DISCRETIZATION CONST
ANT INDEX ] ) ;
velModel . s e tTimeDiscre t i zat ionConstant ( parameterValues [TIME DISCRETIZATION CONST
ANT INDEX ] ) ;
velModel . setPos i t iveIndependentRange ( forwardsBreakingAccel ,
parameterValues [FORWARDS MAX ACCEL INDEX] ) ; // in mm/s ˆ2
velModel . setNegativeIndependentRange ( parameterValues [BACKWARDS MIN ACCEL INDEX] ,
backwardsBreakingAccel ) ; // in mm/s ˆ2
velModel . setDependentRange ( parameterValues [MIN VEL INDEX] ,
parameterValues [MAX VEL INDEX ] ) ; // in mm/s
PropertyModule velModule = new PropertyModule (”TRACTOR−VEL” ) ;
velModule . addBodyGenerator ( velModel ) ;
// add reduce
velModule . addBodyGenerator (new Str ingGenerator (” op reduce−ve l : Int −>
SORT VEL . ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator (” ceq reduce−ve l ( cur−ve l ) =
ve l ( cur−ve l + ” + forwardsBreakingAcce l / stepsPerSecond + ”) i f cur−ve l > ”
+ −forwardsBreakingAcce l / stepsPerSecond + ” . ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator (” ceq reduce−ve l ( cur−ve l ) =
ve l ( cur−ve l + ” + backwardsBreakingAccel / stepsPerSecond + ”) i f cur−ve l < ”
+ −backwardsBreakingAccel / stepsPerSecond + ” . ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator (” eq reduce−ve l ( cur−ve l ) =
ve l (0) [ owise ] . ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator (” op i n i t i a l −ve l : −>
SORT STATE . ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator (” eq i n i t i a l −ve l = ve l (0) . ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator (” op VEL−INCREMENT : −> Int
. ” ) ) ;
velModule . addBodyGenerator (new Str ingGenerator (” eq VEL−INCREMENT = ” +
parameterValues [DISTANCE DISCRETIZATION CONSTANT INDEX] + ” . ” ) ) ;
t ry
{
PrintStream ps = new PrintStream ( acce lFi l ename ) ;
velModule . generate ( ps ) ;
ps . c l o s e ( ) ;
}
catch ( Exception e )
{
System . out . p r i n t l n ( e ) ;
}
}
pub l i c s t a t i c void doSlope ( St r ing d i r e c t o r y )
{
Str ing s lopeFi lename = d i r e c t o r y + F i l e . s eparato r + ” trac tor−s l ope .maude ” ;
DiscreteBoundedMaxModel slopeModel = new DiscreteBoundedMaxModel ( nul l ,
” s l ope ” ) ;
s lopeModel . s e tD i s c r e t i z a t i onCons tan t ( parameterValues [ANGLE DISCRETIZATION CONSTA
NT INDEX ] ) ;
52
slopeModel . s e tTimeDiscre t i zat ionConstant ( parameterValues [TIME DISCRETIZATION CON
STANT INDEX ] ) ;
s lopeModel . setPos i t iveIndependentRange(−parameterValues [MAX DELTA SLOPE INDEX] ,
parameterValues [MAX DELTA SLOPE INDEX ] ) ; // in mm/s ˆ2
slopeModel . setNegativeIndependentRange(−parameterValues [MAX DELTA SLOPE INDEX] ,
parameterValues [MAX DELTA SLOPE INDEX ] ) ; // in mm/s ˆ2
slopeModel . setDependentRange(−parameterValues [MAX SLOPE INDEX] ,
parameterValues [MAX SLOPE INDEX ] ) ; // in mm/s
PropertyModule slopeModule = new PropertyModule (”TRACTOR−SLOPE” ) ;
slopeModule . addBodyGenerator ( slopeModel ) ;
i n t s lopePerTick = parameterValues [MAX DELTA SLOPE INDEX] ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] / 1000;
slopeModule . addBodyGenerator (new Str ingGenerator(”−−− max s lope increment ” ) ) ;
slopeModule . addBodyGenerator (new Str ingGenerator (” op inc rease−s l ope : Int −>
SORT SLOPE . ” ) ) ;
slopeModule . addBodyGenerator (new Str ingGenerator (” eq
inc rease−s l ope ( cur−s l ope ) = s lope ( trim−s l ope ( cur−s l ope + ” + slopePerTick + ”))
. ” ) ) ;
slopeModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
slopeModule . addBodyGenerator (new Str ingGenerator (” op i n i t i a l −s l ope : −>
SORT STATE . ” ) ) ;
slopeModule . addBodyGenerator (new Str ingGenerator (” eq i n i t i a l −s l ope = s lope (0)
. ” ) ) ;
t ry
{
PrintStream ps = new PrintStream ( s lopeFi lename ) ;
slopeModule . generate ( ps ) ;
ps . c l o s e ( ) ;
}
catch ( Exception e )
{
System . out . p r i n t l n ( e ) ;
}
}
pub l i c s t a t i c void doAccel ( St r ing d i r e c t o r y )
{
Str ing acce lFi l ename = d i r e c t o r y + F i l e . s eparato r + ” trac tor−a c c e l . maude ” ;
DiscreteBoundedMaxModel accelModel = new DiscreteBoundedMaxModel (” raw−a c c e l ” ,
”raw−ve l ” ) ;
accelModel . s e tD i s c r e t i z a t i onCons tan t ( parameterValues [DISTANCE DISCRETIZATION CON
STANT INDEX ] ) ; // mm
accelModel . s e tTimeDiscre t i zat ionConstant ( parameterValues [TIME DISCRETIZATION CON
STANT INDEX ] ) ; // ms
accelModel . setPos i t iveIndependentRange ( parameterValues [FORWARDS MIN ACCEL INDEX]
, parameterValues [FORWARDS MAX ACCEL INDEX] ) ; // in mm/s ˆ2
accelModel . setNegativeIndependentRange ( parameterValues [BACKWARDS MIN ACCEL INDEX
] , parameterValues [BACKWARDS MAX ACCEL INDEX] ) ; // in mm/s ˆ2
accelModel . setDependentRange ( parameterValues [MIN VEL INDEX] ,
parameterValues [MAX VEL INDEX ] ) ; // in mm/s
PropertyModule accelModule = new PropertyModule (”TRACTOR−ACCEL” ) ;
accelModule . addBodyGenerator ( accelModel ) ;
i f ( ( parameterValues [FORWARDS MIN ACCEL INDEX] ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] ) % 1000 != 0)
{
System . e r r . p r i n t l n (”FORWARDS MIN ACCEL INDEX(” +
parameterValues [FORWARDS MIN ACCEL INDEX] + ”) ∗
TIME DISCRETIZATION CONSTANT INDEX(” +
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] + ”) i s not d i v i s i b l e
by 1000”) ;
System . e x i t ( 1 ) ;
}
i f ( ( parameterValues [BACKWARDS MAX ACCEL INDEX] ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] ) % 1000 != 0)
{
System . e r r . p r i n t l n (”BACKWARDS MAX ACCEL INDEX(” +
parameterValues [BACKWARDS MAX ACCEL INDEX] + ”) ∗
TIME DISCRETIZATION CONSTANT INDEX(” +
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] + ”) i s not d i v i s i b l e
53
by 1000”) ;
System . e x i t ( 1 ) ;
}
// add reduce
in t forwardReduceStep = parameterValues [FORWARDS MIN ACCEL INDEX] ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] / 1000;
i n t backwardsReduceStep = parameterValues [BACKWARDS MAX ACCEL INDEX] ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] / 1000;
accelModule . addBodyGenerator (new Str ingGenerator (” vars cur−a c c e l : Int . ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” op reduce−a c c e l : Int −>
Int . ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” ceq reduce−a c c e l ( cur−a c c e l )
= cur−a c c e l + (” + forwardReduceStep
+ ”) i f cur−a c c e l > ” + −forwardReduceStep + ” . ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” ceq reduce−a c c e l ( cur−a c c e l )
= cur−a c c e l + (” + backwardsReduceStep
+ ”) i f cur−a c c e l < ” + −backwardsReduceStep + ” . ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” eq reduce−a c c e l ( cur−a c c e l )
= 0 [ owise ] . ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” op i n i t i a l −a c c e l : −>
SORT STATE . ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” eq i n i t i a l −a c c e l =
advance−raw−a c c e l (0 raw−ve l ( 0 ) ) raw−ve l (0) . ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” op VEL−INCREMENT : −> Int
. ” ) ) ;
accelModule . addBodyGenerator (new Str ingGenerator (” eq VEL−INCREMENT = ” +
parameterValues [DISTANCE DISCRETIZATION CONSTANT INDEX] + ” . ” ) ) ;
t ry
{
PrintStream ps = new PrintStream ( acce lFi l ename ) ;
accelModule . generate ( ps ) ;
ps . c l o s e ( ) ;
}
catch ( Exception e )
{




∗ parameterValues [ SKID BEST VEL IDEAL INDEX ] = 0 ; // mm/s
parameterValues [SKID BEST WHEEL ANGLE INDEX] = 0 ; // m i l l i r a d i a n s
parameterValues [ SKID BEST RADIUS INDEX ] = 0 ; //mm
parameterValues [ SKID BEST TIME INDEX ] = 0 ; // ms
parameterValues [ SKID WORST VEL IDEAL INDEX] = 0 ; // mm/s
parameterValues [SKID WORST WHEEL ANGLE INDEX] = 0 ; // m i l l i r a d i a n s
parameterValues [SKID WORST RADIUS INDEX] = 0 ; // mm
parameterValues [SKID WORST TIME INDEX] = 0 ; // ms
parameterValues [SKID TIME FROM BEST TO WORST INDEX] = 2000; // ms
∗/
pub l i c s t a t i c void doTerrainSkid ( St r ing d i r e c t o r y )
{
Str ing acce lFi l ename = d i r e c t o r y + F i l e . s eparato r +
” trac tor−s k i d t e r r a i n .maude ” ;
i n t b e s t r aw ac c e l = parameterValues [SKID BEST RAW ACCEL INDEX ] ;
i n t b e s t ob s e r v ed a c c e l = parameterValues [SKID BEST OBSERVED ACCEL INDEX ] ;
i n t wor s t raw acce l = parameterValues [SKID WORST RAW ACCEL INDEX ] ;
i n t wor s t ob s e rv ed ac c e l = parameterValues [SKID WORST OBSERVED ACCEL INDEX ] ;
System . out . p r i n t l n (”On best sur face , i d e a l a c c e l = ” + be s t r aw ac c e l + ” ,
observed ac c e l = ” + be s t ob s e r v ed a c c e l ) ;
System . out . p r i n t l n (”On worst sur face , i d e a l a c c e l = ” + wors t raw acce l + ” ,
observed ac c e l = ” + wor s t ob s e rv ed ac c e l ) ;
i n t t ime f r om bes t to wor s t =
parameterValues [SKID TIME FROM BEST TO WORST INDEX ] ;
i f ( b e s t r aw ac c e l <= be s t ob s e r v ed a c c e l )
{
System . e r r . p r i n t l n (” Error : Skid Terrain Best raw ac c e l (” + be s t r aw ac c e l
+ ”) must be more than best observed a c c e l (” + be s t ob s e r v ed a c c e l + ” ) ” ) ;
54
System . ex i t ( 0 ) ;
}
i f ( wor s t raw acce l <= wor s t ob s e rv ed ac c e l )
{
System . e r r . p r i n t l n (” Error : Skid Terrain Worst raw ac c e l (” + wors t raw acce l
+ ”) must be more than worst observed a c c e l (” + wor s t ob s e rv ed ac c e l +
” ) ” ) ;
System . e x i t ( 0 ) ;
}
i n t b e s t s l i p = 1000 − (1000 ∗ be s t ob s e r v ed a c c e l ) / b e s t r aw ac c e l ;
i n t b e s t x i n t e r c e p t = ( in t )Math . round ( be s t r aw ac c e l / Math . sq r t ( b e s t s l i p /
1 0 0 0 . 0 ) ) ;
i n t wo r s t s l i p = 1000 − (1000 ∗ wor s t ob s e rv ed acc e l ) / wor s t raw acce l ;
wo r s t x i n t e r c ep t = ( in t )Math . round ( wor s t raw acce l / Math . sq r t ( wo r s t s l i p /
1 0 0 0 . 0 ) ) ;
i n t i n i t i a l w o r s t x i n t e r c e p t = wor s t x i n t e r c ep t ;
i f ( t ime f r om bes t to wor s t %
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] != 0)
{
System . e r r . p r i n t l n (” Error : Skid time from best to worst (” +
t ime f r om bes t to wor s t +
”) i s not a mul t ip l e o f the time d i s c r i t a t i o n constant (”
+ parameterValues [TIME DISCRETIZATION CONSTANT INDEX] + ” ) ” ) ;
System . e x i t ( 1 ) ;
}
i n t s t ep coun t f r om be s t t o wor s t = t ime f r om bes t to wor s t /
parameterValues [TIME DISCRETIZATION CONSTANT INDEX ] ;
//System . out . p r i n t l n (” s t eps = ” + s t ep coun t f r om be s t t o wor s t ) ;
i n t x i n t e r c e p t d i f = b e s t x i n t e r c e p t − wor s t x i n t e r c ep t ;
i n t x i n t e r c e p t s t e p = x i n t e r c e p t d i f / s t ep coun t f r om be s t t o wor s t ;
/// here we want to decrease wo r s t x i n t e r c ep t such that b e s t x i n t e r c e p t −
wor s t x i n t e r c ep t
/// i s exac t ly d i v i s i b l e by s t ep coun t f r om be s t t o wor s t and
/// x i n t e r c e p t d i f ∗ t imeDi sc r e t i za t i onConstant % 1000 = 0
// f i r s t i n c r e a s e x i n t e r c e p t d i f i f neces sary
// to make sure ( x i n t e r c e p t d i f ∗ TIME DISCRETIZATION CONSTANT) % 1000 = 0
f o r ( ; ( x i n t e r c e p t s t e p ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] ) % 1000 != 0 | |
( b e s t x i n t e r c e p t − wor s t x i n t e r c ep t ) % s t ep coun t f r om be s t t o wor s t
!= 0 ; )
{
−−wor s t x i n t e r c ep t ;
++x i n t e r c e p t d i f ;
x i n t e r c e p t s t e p = ( x i n t e r c e p t d i f / s t ep coun t f r om be s t t o wor s t ) ;
}
//System . out . p r i n t l n (” x i n t e r c e p t d i f = ” + x i n t e r c e p t d i f ) ;
//System . out . p r i n t l n (” s t ep coun t f r om be s t t o wor s t = ” +
s t ep coun t f r om be s t t o wor s t ) ;
System . out . p r i n t l n (”INFO( pessimism ) : subtracted ” + (100 ∗
( i n i t i a l w o r s t x i n t e r c e p t−wor s t x i n t e r c ep t ) ) / ( f l o a t ) i n i t i a l w o r s t x i n t e r c e p t
+
”% from worst−case x i n t e r c ep t in ” + d i r e c t o r y + ” (” +
i n i t i a l w o r s t x i n t e r c e p t + ” −> ” +
wor s t x i n t e r c ep t + ” ) ” ) ;
DiscreteBoundedMaxModel x int Model = new DiscreteBoundedMaxModel ( nul l ,
”x−i n t e r c ep t ” ) ;
//System . out . p r i n t l n (” d i s c constant = ” + x i n t e r c e p t s t e p ) ;
x int Model . s e tD i s c r e t i z a t i onCons tan t ( x i n t e r c e p t s t e p ) ;
x int Mode l . s e tTimeDiscre t i zat ionConstant ( parameterValues [TIME DISCRETIZATION CO
NSTANT INDEX ] ) ;
x int Model . setPos i t iveIndependentRange(− x i n t e r c e p t d i f ∗ 1000 /
t ime f rom bes t to wors t , x i n t e r c e p t d i f ∗ 1000 / t ime f r om bes t to wor s t ) ; //
in x i n t ∗1000/ s
x int Model . setDependentRange ( wor s t x in t e r c ep t , b e s t x i n t e r c e p t ) ; // in
x i n t ∗1000
PropertyModule x int Module = new PropertyModule (”TRACTOR−TERRAIN” ) ;
x int Module . addBodyGenerator ( x int Model ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” op i n i t i a l −x−i n t e r c ep t :
−> SORT STATE . ” ) ) ;
55
x int Module . addBodyGenerator (new Str ingGenerator (
”eq i n i t i a l −x−i n t e r c ep t = x−i n t e r c ep t (” + be s t x i n t e r c e p t + ”) . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” op decreaseXInt ( ) : Int
−> Int . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” ceq
decreaseXInt ( cur−x−i n t e r c ep t ) = cur−x−i n t e r c ep t − ”+ x i n t e r c e p t s t e p + ” i f
cur−x−i n t e r c ep t > ” + wor s t x i n t e r c ep t + ” . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” eq
decreaseXInt ( cur−x−i n t e r c ep t ) = ” + wor s t x i n t e r c ep t + ” [ owise ] . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” op XINT−INCREMENT : −> Int
. ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” eq XINT−INCREMENT = ” +
x i n t e r c e p t s t e p + ” . ” ) ) ;
t ry
{
PrintStream ps = new PrintStream ( acce lFi l ename ) ;
x int Module . generate ( ps ) ;
ps . c l o s e ( ) ;
}
catch ( Exception e )
{
System . out . p r i n t l n ( e ) ;
}
}
pub l i c s t a t i c void doTerra inS l ip ( St r ing d i r e c t o r y )
{
Str ing acce lFi l ename = d i r e c t o r y + F i l e . s eparato r +
” trac tor−s l i p t e r r a i n .maude ” ;
i n t b e s t r aw ac c e l = parameterValues [BEST RAW ACCEL INDEX ] ;
i n t b e s t ob s e r v ed a c c e l = parameterValues [BEST OBSERVED ACCEL INDEX ] ;
i n t wor s t raw acce l = parameterValues [WORST RAW ACCEL INDEX] ;
i n t wor s t ob s e rv ed ac c e l = parameterValues [WORST OBSERVED ACCEL INDEX] ;
i n t t ime f r om bes t to wor s t = parameterValues [TIME FROM BEST TO WORST INDEX ] ;
i f ( b e s t r aw ac c e l <= be s t ob s e r v ed a c c e l )
{
System . e r r . p r i n t l n (” Error : S l i p Terrain Best raw ac c e l (” + be s t r aw ac c e l
+ ”) must be more than best observed a c c e l (” + be s t ob s e r v ed a c c e l + ” ) ” ) ;
System . e x i t ( 0 ) ;
}
i f ( wor s t raw acce l <= wor s t ob s e rv ed ac c e l )
{
System . e r r . p r i n t l n (” Error : S l i p Terrain Worst raw ac c e l (” + wors t raw acce l
+ ”) must be more than worst observed a c c e l (” + wor s t ob s e rv ed ac c e l +
” ) ” ) ;
System . e x i t ( 0 ) ;
}
i n t b e s t s l i p = 1000 − (1000 ∗ be s t ob s e r v ed a c c e l ) / b e s t r aw ac c e l ;
i n t b e s t x i n t e r c e p t = ( in t )Math . round ( be s t r aw ac c e l / Math . sq r t ( b e s t s l i p /
1 0 0 0 . 0 ) ) ;
i n t wo r s t s l i p = 1000 − (1000 ∗ wor s t ob s e rv ed acc e l ) / wor s t raw acce l ;
wo r s t x i n t e r c ep t = ( in t )Math . round ( wor s t raw acce l / Math . sq r t ( wo r s t s l i p /
1 0 0 0 . 0 ) ) ;
i n t i n i t i a l w o r s t x i n t e r c e p t = wor s t x i n t e r c ep t ;
i f ( t ime f r om bes t to wor s t %
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] != 0)
{
System . e r r . p r i n t l n (” Error : S l i p time from best to worst (” +
t ime f r om bes t to wor s t +
”) i s not a mul t ip l e o f the time d i s c r i t a t i o n constant (”
+ parameterValues [TIME DISCRETIZATION CONSTANT INDEX] + ” ) ” ) ;
System . e x i t ( 1 ) ;
}
i n t s t ep coun t f r om be s t t o wor s t = t ime f r om bes t to wor s t /
parameterValues [TIME DISCRETIZATION CONSTANT INDEX ] ;
//System . out . p r i n t l n (” s t eps = ” + s t ep coun t f r om be s t t o wor s t ) ;
i n t x i n t e r c e p t d i f = b e s t x i n t e r c e p t − wor s t x i n t e r c ep t ;
i n t x i n t e r c e p t s t e p = x i n t e r c e p t d i f / s t ep coun t f r om be s t t o wor s t ;
56
/// here we want to decrease wo r s t x i n t e r c ep t such that b e s t x i n t e r c e p t −
wor s t x i n t e r c ep t
/// i s exac t ly d i v i s i b l e by s t ep coun t f r om be s t t o wor s t and
/// x i n t e r c e p t d i f ∗ t imeDi sc r e t i za t i onConstant % 1000 = 0
// f i r s t i n c r e a s e x i n t e r c e p t d i f i f neces sary
// to make sure ( x i n t e r c e p t d i f ∗ TIME DISCRETIZATION CONSTANT) % 1000 = 0
f o r ( ; ( x i n t e r c e p t s t e p ∗
parameterValues [TIME DISCRETIZATION CONSTANT INDEX] ) % 1000 != 0 | |
( b e s t x i n t e r c e p t − wor s t x i n t e r c ep t ) % s t ep coun t f r om be s t t o wor s t
!= 0 ; )
{
−−wor s t x i n t e r c ep t ;
++x i n t e r c e p t d i f ;
x i n t e r c e p t s t e p = ( x i n t e r c e p t d i f / s t ep coun t f r om be s t t o wor s t ) ;
}
//System . out . p r i n t l n (” x i n t e r c e p t d i f = ” + x i n t e r c e p t d i f ) ;
//System . out . p r i n t l n (” s t ep coun t f r om be s t t o wor s t = ” +
s t ep coun t f r om be s t t o wor s t ) ;
System . out . p r i n t l n (”INFO( pessimism ) : subtracted ” + (100 ∗
( i n i t i a l w o r s t x i n t e r c e p t−wor s t x i n t e r c ep t ) ) / ( f l o a t ) i n i t i a l w o r s t x i n t e r c e p t
+
”% from worst−case x i n t e r c ep t in ” + d i r e c t o r y + ” (” +
i n i t i a l w o r s t x i n t e r c e p t + ” −> ” +
wor s t x i n t e r c ep t + ” ) ” ) ;
DiscreteBoundedMaxModel x int Model = new DiscreteBoundedMaxModel ( nul l ,
”x−i n t e r c ep t ” ) ;
//System . out . p r i n t l n (” d i s c constant = ” + x i n t e r c e p t s t e p ) ;
x int Model . s e tD i s c r e t i z a t i onCons tan t ( x i n t e r c e p t s t e p ) ;
x int Mode l . s e tTimeDiscre t i zat ionConstant ( parameterValues [TIME DISCRETIZATION CO
NSTANT INDEX ] ) ;
x int Model . setPos i t iveIndependentRange(− x i n t e r c e p t d i f ∗ 1000 /
t ime f rom bes t to wors t , x i n t e r c e p t d i f ∗ 1000 / t ime f r om bes t to wor s t ) ; //
in x i n t ∗1000/ s
x int Model . setDependentRange ( wor s t x in t e r c ep t , b e s t x i n t e r c e p t ) ; // in
x i n t ∗1000
in t s t epDi f = parameterValues [TIME DISCRETIZATION CONSTANT INDEX] ∗
x i n t e r c e p t d i f ∗ 1000 / ( t ime f r om bes t to wor s t ∗ 1000) ;
PropertyModule x int Module = new PropertyModule (”TRACTOR−TERRAIN” ) ;
x int Module . addBodyGenerator ( x int Model ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” op i n i t i a l −x−i n t e r c ep t :
−> SORT STATE . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (
”eq i n i t i a l −x−i n t e r c ep t = x−i n t e r c ep t (” + be s t x i n t e r c e p t + ”) . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” op decreaseXInt ( ) : Int
−> Int . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” ceq
decreaseXInt ( cur−x−i n t e r c ep t ) = cur−x−i n t e r c ep t − ”+ stepDi f + ” i f
cur−x−i n t e r c ep t > ” + wor s t x i n t e r c ep t + ” . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” eq
decreaseXInt ( cur−x−i n t e r c ep t ) = ” + wor s t x i n t e r c ep t + ” [ owise ] . ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator ( ” ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” op XINT−INCREMENT : −> Int
. ” ) ) ;
x int Module . addBodyGenerator (new Str ingGenerator (” eq XINT−INCREMENT = ” +
stepDi f + ” . ” ) ) ;
t ry
{
PrintStream ps = new PrintStream ( acce lFi l ename ) ;
x int Module . generate ( ps ) ;
ps . c l o s e ( ) ;
}
catch ( Exception e )
{




import java . i o . PrintStream ;
57
/∗∗
∗ This models where we have one va r i ab l e depending on another l i k e v e l o c i t y
depends on a c c e l e r a t i o n
∗
∗ Both va r i a b l e s are bounded with upper and lower bounds
∗ The independent va r i ab l e has a range that i t can vary in when the dependent
one i s po s i t i v e ,
∗ and a d i f f e r e n t range f o r when the dependent value i s negat ive
∗
∗ For example , the po s s i b l e a c c e l e r a t i o n changes are d i f f e r e n t when the
t r a c t o r i s in r ev e r s e versus




pub l i c c l a s s DiscreteBoundedMaxModel extends Generatable
{
pr iva t e i n t d i s c r e t i z a t i onCons t an t = 1 ;
p r i va t e i n t t imeDi sc r e t i za t i onConstant = 1 ;
p r i va t e boolean dividedRanges = f a l s e ; // have we div ided the ranges by the
time d i s c r e t i z a t i o n constant ?
pr i va t e St r ing independentValue = nu l l ;
p r i va t e St r ing dependentValue = nu l l ;
p r i va t e i n t [ ] dependentRange = new in t [ 2 ] ;
p r i va t e i n t [ ] pos it iveIndependentRange = new in t [ 2 ] ;
p r i va t e i n t [ ] negativeIndependentRange = new in t [ 2 ] ;
pub l i c DiscreteBoundedMaxModel ( St r ing independentValue , St r ing dependentValue )
{
t h i s . independentValue = independentValue ;
t h i s . dependentValue = dependentValue ;
}
pub l i c void s e tD i s c r e t i z a t i onCons tan t ( i n t d i s c r i t i z a t i o nCon s t an t )
{
t h i s . d i s c r e t i z a t i onCons t an t = d i s c r i t i z a t i o nCon s t an t ;
}
pub l i c void setTimeDiscre t i zat ionConstant ( i n t t imeDi s c r i t i z a t i onCons tant )
{
t h i s . t imeDi sc r e t i za t i onConstant = t imeDi s c r i t i z a t i onCons tant ;
}
pub l i c void setDependentRange ( i n t min , i n t max)
{
dependentRange [ 0 ] = min ;
dependentRange [ 1 ] = max ;
}
pub l i c void setPos i t iveIndependentRange ( i n t min , i n t max)
{
posit iveIndependentRange [ 0 ] = min ;
pos it iveIndependentRange [ 1 ] = max ;
}
pub l i c void setNegativeIndependentRange ( i n t min , i n t max)
{
negativeIndependentRange [ 0 ] = min ;
negativeIndependentRange [ 1 ] = max ;
}
pub l i c void generateDependentModule ( PrintStream out ) throws Exception
{
// t h i s module only has the dependent va r i ab l e in the module ( l e s s s t a t e )
St r ing sortDependent = ”SORT ” + dependentValue . toUpperCase ( ) ;
out . p r i n t l n (” s o r t s ” + sortDependent + ” . ” ) ;
out . p r i n t l n ( ) ;
out . p r i n t l n (” subsort ” + ” ” + sortDependent + ” < SORT STATE . ” ) ;
out . p r i n t l n ( ) ;
// out . p r i n t l n (” op trim−” + independentValue + ”( ) : Int −> Int . ” ) ;
out . p r i n t l n (” op trim−” + dependentValue + ”( ) : Int −> Int . ” ) ;
out . p r i n t l n (” op advance−” + dependentValue + ”( ) : Int −> ” + sortDependent
+ ” . ” ) ;
out . p r i n t l n (” op ” + dependentValue + ”( ) : Int −> ” + sortDependent + ” . ” ) ;
out . p r i n t l n ( ) ;
58
out . p r i n t l n (” vars cur−” + dependentValue + ” : Int . ” ) ;
out . p r i n t l n ( ) ;
out . p r i n t l n ( ) ;
out . p r i n t l n(”−−− advance ” + dependentValue ) ;
i f ( dividedRanges == f a l s e )
{
checkRanges ( ) ;
negativeIndependentRange [ 0 ] = t imeDi sc r e t i za t i onConstant ∗
negativeIndependentRange [ 0 ] / 1000;
negativeIndependentRange [ 1 ] = t imeDi sc r e t i za t i onConstant ∗
negativeIndependentRange [ 1 ] / 1000;
pos it iveIndependentRange [ 0 ] = t imeDi sc re t i za t i onConstant ∗
posit iveIndependentRange [ 0 ] / 1000;
pos it iveIndependentRange [ 1 ] = t imeDi sc re t i za t i onConstant ∗
posit iveIndependentRange [ 1 ] / 1000;
dividedRanges = true ;
}
i n t min = Math . min ( negativeIndependentRange [ 0 ] , pos it iveIndependentRange [ 0 ] ) ;
i n t max = Math .max( negativeIndependentRange [ 1 ] , pos it iveIndependentRange [ 1 ] ) ;
//System . out . p r i n t l n ( dependentValue + ” range = ” + min + ” , ” + max + ” ;
stepsPerSecond = ” + stepsPerSecond ) ;
f o r ( i n t x = max ; x >= min ; x −= di s c r e t i z a t i onCons t an t )
{
i n t value = x ;
// case 1 : we ’ re in negat ive range but not in p o s i t i v e range
i f ( x >= negativeIndependentRange [ 0 ] && x <= negativeIndependentRange [ 1 ] &&
(x < posit iveIndependentRange [ 0 ] | | x > posit iveIndependentRange [ 1 ] ) )
{
out . p r i n t l n (” c r l advance−” + dependentValue + ”( cur−” + dependentValue + ”)
=> ” + dependentValue +
”( trim−” + dependentValue + ”( cur−” + dependentValue + ” + ” + value +
”)) i f cur−” + dependentValue + ” <= ” + (−value ) + ” . ” ) ;
}
// case 2 : we ’ re in p o s i t i v e range but not in negat ive range
e l s e i f ( x >= posit iveIndependentRange [ 0 ] && x <=
posit iveIndependentRange [ 1 ] &&
(x < negativeIndependentRange [ 0 ] | | x > negativeIndependentRange [ 1 ] ) )
{
out . p r i n t l n (” c r l advance−” + dependentValue + ”( cur−” + dependentValue + ”)
=> ” + dependentValue +
”( trim−” + dependentValue + ”( cur−” + dependentValue + ” + ” + value +
”)) i f cur−” + dependentValue + ” >= ” + (−value ) + ” . ” ) ;
}
// case 3 : we ’ re in range f o r both
e l s e
{
out . p r i n t l n (” r l advance−” + dependentValue + ”( cur−” + dependentValue + ”)
=> ” + dependentValue +
”( trim−” + dependentValue + ”( cur−” + dependentValue + ” + ” + value +
”)) . ” ) ;
}
}
// i f they de f ined a dependent range
i f ( dependentRange [ 0 ] != dependentRange [ 1 ] )
{
out . p r i n t l n ( ) ;
out . p r i n t l n(”−−− trim ” + dependentValue ) ;
out . p r i n t l n (” ceq trim−” + dependentValue + ”( cur−” + dependentValue + ”) = ”
+ dependentRange [ 1 ] + ” i f cur−” + dependentValue + ” > ” +
dependentRange [ 1 ] + ” . ” ) ;
out . p r i n t l n (” ceq trim−” + dependentValue + ”( cur−” + dependentValue + ”) = ”
+ dependentRange [ 0 ] + ” i f cur−” + dependentValue + ” < ” +
dependentRange [ 0 ] + ” . ” ) ;
out . p r i n t l n (” eq trim−” + dependentValue + ”( cur−” + dependentValue + ”) = ”
+ ”cur−” + dependentValue + ” [ owise ] . ” ) ;
}
out . p r i n t l n ( ) ;
}
pr iva t e void checkRanges ( ) throws Exception
{
i n t min = Math . min ( negativeIndependentRange [ 0 ] , pos it iveIndependentRange [ 0 ] ) ;
i n t max = Math .max( negativeIndependentRange [ 1 ] , pos it iveIndependentRange [ 1 ] ) ;
f l o a t stepsPerSecond = 1000/ t imeDi sc r e t i za t i onConstant ;
59
// generate r u l e s
i f ( (max − min) % d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (”Range [ ” + min + ” , ” + max
+ ” ] i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t
+ ” ) ” ) ;
}
i f (Math . round ( ( pos it iveIndependentRange [ 1 ] − posit iveIndependentRange [ 0 ] ) /
stepsPerSecond ) % d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (” Po s i t i v e Independent Range [ ” +
posit iveIndependentRange [ 0 ] + ” , ”
+ posit iveIndependentRange [ 1 ]
+ ” ] / stepsPerSecond (” + stepsPerSecond + ”) = ” +
Math . round ( ( pos it iveIndependentRange [ 1 ] − posit iveIndependentRange [ 0 ] ) /
stepsPerSecond ) +
” i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t +
” ) ” ) ;
}
i f (Math . round ( ( negativeIndependentRange [ 1 ] − negativeIndependentRange [ 0 ] ) /
stepsPerSecond ) % d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (” Negative Independent Range [ ” +
negativeIndependentRange [ 0 ]
+ ” , ” +
negativeIndependentRange [ 1 ]
+ ” ] / stepsPerSecond (” + stepsPerSecond + ”) = ”
+Math . round ( ( negativeIndependentRange [ 1 ] − negativeIndependentRange [ 0 ] ) /
stepsPerSecond ) +
” i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t +
” ) ” ) ;
}
i f (Math . round ( ( dependentRange [ 1 ] − dependentRange [ 0 ] ) / stepsPerSecond ) %
d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (”Range [ ” + dependentRange [ 1 ] + ” , ” + dependentRange [ 0 ]
+ ” ] / stepsPerSecond (” + stepsPerSecond + ”) = ” +
Math . round ( ( dependentRange [ 1 ] − dependentRange [ 0 ] ) / stepsPerSecond )
+ ” i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t
+ ” ) ” ) ;
}
}
pub l i c void generateIndependentDependentModule ( PrintStream out ) throws
Exception
{
Str ing sort Independent = ”SORT ” + independentValue . toUpperCase ( ) ;
S t r ing sortDependent = ”SORT ” + dependentValue . toUpperCase ( ) ;
out . p r i n t l n (” s o r t s ” + sort Independent + ” ” + sortDependent + ” . ” ) ;
out . p r i n t l n ( ) ;
out . p r i n t l n (” subsort ” + sortIndependent + ” ” + sortDependent + ” <
SORT STATE . ” ) ;
out . p r i n t l n ( ) ;
// out . p r i n t l n (” op trim−” + independentValue + ”( ) : Int −> Int . ” ) ;
out . p r i n t l n (” op trim−” + dependentValue + ”( ) : Int −> Int . ” ) ;
out . p r i n t l n (” op advance−” + independentValue + ”( ) : Int ” + sortDependent
+ ” −> ” + sortIndependent + ” . ” ) ;
out . p r i n t l n (” op ” + independentValue + ”( ) : Int −> ” + sortIndependent + ”
. ” ) ;
out . p r i n t l n (” op ” + dependentValue + ”( ) : Int −> ” + sortDependent + ” . ” ) ;
out . p r i n t l n ( ) ;
out . p r i n t l n (” vars cur−” + dependentValue + ” cur−” + independentValue + ” :
Int . ” ) ;
out . p r i n t l n ( ) ;
out . p r i n t l n(”−−− advance ” + independentValue ) ;
// modify by time d i s c value
i f ( dividedRanges == f a l s e )
{
checkRanges ( ) ;
negativeIndependentRange [ 0 ] = t imeDi sc r e t i za t i onConstant ∗
negativeIndependentRange [ 0 ] / 1000;
negativeIndependentRange [ 1 ] = t imeDi sc r e t i za t i onConstant ∗
negativeIndependentRange [ 1 ] / 1000;
60
posit iveIndependentRange [ 0 ] = t imeDi sc re t i za t i onConstant ∗
posit iveIndependentRange [ 0 ] / 1000;
pos it iveIndependentRange [ 1 ] = t imeDi sc re t i za t i onConstant ∗
posit iveIndependentRange [ 1 ] / 1000;
dividedRanges = true ;
}
// gene ra t i v e r u l e s
i n t min = Math . min ( negativeIndependentRange [ 0 ] , pos it iveIndependentRange [ 0 ] ) ;
i n t max = Math .max( negativeIndependentRange [ 1 ] , pos it iveIndependentRange [ 1 ] ) ;
/∗
System . out . p r i n t l n (” so r t = ” + sortDependent ) ;
System . out . p r i n t l n (” ranges = pos [ ” + posit iveIndependentRange [ 0 ] + ” , ” +
posit iveIndependentRange [ 1 ] + ” ] , neg [ ” +
negativeIndependentRange [ 0 ] + ” , ” + negativeIndependentRange [ 1 ] + ”]\n ” ) ;
System . out . p r i n t l n (”min = ” + min + ” , max = ” + max + ” ; timeDiscConstant =
” + t imeDisc r e t i za t i onConstant ) ;
∗/
i f ( (max − min) % d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (”Range [ ” + min + ” , ” + max
+ ” ] i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t
+ ” ) ” ) ;
}
i f ( ( pos it iveIndependentRange [ 1 ] − posit iveIndependentRange [ 0 ] ) %
d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (” Po s i t i v e Independent Range [ ” +
posit iveIndependentRange [ 0 ] + ” , ”
+ posit iveIndependentRange [ 1 ]
+ ” ] i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t
+ ” ) ” ) ;
}
i f ( ( negativeIndependentRange [ 1 ] − negativeIndependentRange [ 0 ] ) %
d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (” Negative Independent Range [ ” +
negativeIndependentRange [ 0 ]
+ ” , ” +
negativeIndependentRange [ 1 ]
+ ” ] i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t
+ ” ) ” ) ;
}
i f ( ( dependentRange [ 1 ] − dependentRange [ 0 ] ) % d i s c r e t i z a t i onCons t an t != 0)
{
throw new Exception (”Range [ ” + dependentRange [ 1 ] + ” , ” + dependentRange [ 0 ]
+ ” ] i s not d i v i s i b l e by d i s c r e t i z a t i onCons t an t (” + d i s c r e t i z a t i onCons t an t
+ ” ) ” ) ;
}
f o r ( i n t x = max ; x >= min ; x −= di s c r e t i z a t i onCons t an t )
{
// r l advance−raw−a c c e l ( cur−raw−a c c e l raw−ve l ( cur−raw−ve l ) ) =>
raw−a c c e l (250) .
// case 1 : we ’ re in negat ive range but not in p o s i t i v e range
i f ( x >= negativeIndependentRange [ 0 ] && x <= negativeIndependentRange [ 1 ] &&
(x < posit iveIndependentRange [ 0 ] | | x > posit iveIndependentRange [ 1 ] ) )
{
i f ((−x) < dependentRange [ 0 ] ) // out o f range
cont inue ;
out . p r i n t l n (” c r l advance−” +
independentValue + ”( cur−” + independentValue + ” ” + dependentValue +
”( cur−” + dependentValue + ”)) => ”
+ independentValue + ”(” + x + ”) i f cur−”
+ dependentValue + ” <= ” + (−x) + ” . ” ) ;
}
// case 2 : we ’ re in p o s i t i v e range but not in negat ive range
e l s e i f ( x >= posit iveIndependentRange [ 0 ] && x <=
posit iveIndependentRange [ 1 ] &&
(x < negativeIndependentRange [ 0 ] | | x > negativeIndependentRange [ 1 ] ) )
{
i f ((−x) > dependentRange [ 1 ] ) // out o f range
cont inue ;
out . p r i n t l n (” c r l advance−” +
61
independentValue + ”( cur−” + independentValue + ” ” + dependentValue +
”( cur−” + dependentValue + ”)) => ”
+ independentValue + ”(” + x + ”) i f cur−”
+ dependentValue + ” >= ” + (−x) + ” . ” ) ;
}
// case 3 : we ’ re in range f o r both
e l s e
{
out . p r i n t l n (” r l advance−” +
independentValue + ”( cur−” + independentValue + ” ” + dependentValue +
”( cur−” + dependentValue + ”)) => ”
+ independentValue + ”(” + x + ”) . ” ) ;
}
}
// i f they de f ined a dependent range
i f ( dependentRange [ 0 ] != dependentRange [ 1 ] )
{
out . p r i n t l n ( ) ;
out . p r i n t l n(”−−− trim ” + dependentValue ) ;
out . p r i n t l n (” ceq trim−” + dependentValue + ”( cur−” + dependentValue + ”) = ”
+ dependentRange [ 1 ] + ” i f cur−” + dependentValue + ” > ” +
dependentRange [ 1 ] + ” . ” ) ;
out . p r i n t l n (” ceq trim−” + dependentValue + ”( cur−” + dependentValue + ”) = ”
+ dependentRange [ 0 ] + ” i f cur−” + dependentValue + ” < ” +
dependentRange [ 0 ] + ” . ” ) ;
out . p r i n t l n (” eq trim−” + dependentValue + ”( cur−” + dependentValue + ”) = ”
+ ”cur−” + dependentValue + ” [ owise ] . ” ) ;
}
// d i s c r e t e incrementat ion o f dependent va r i ab l e ( depends on time
d i s c r e t i z a t i o n constant )
out . p r i n t l n ( ) ;
// op vel−d i s c r e t e−increment : Int −> Int .
// eq vel−d i s c r e t e−increment ( curAcce l ) = curAcce l / t imeDi sc r e t i za t i onConstant
i f ( ( d i s c r e t i z a t i onCons t an t ∗ t imeDi sc r e t i za t i onConstant ) % 1000 != 0)
{
throw new Exception (” Error : d i s c r e t i z a t i onCons t an t (” +
d i s c r e t i z a t i onCons t an t +
”) ∗ t imeDi sc r e t i za t i onConstant (” + t imeDi sc r e t i za t i onConstant + ”) does ”
+
”not evenly d iv ide 1000”) ;
}
out . p r i n t l n (” op ” + dependentValue + ”−d i s c r e t e−increment : Int −> Int . ” ) ;
out . p r i n t l n (” eq ” + dependentValue + ”−d i s c r e t e−increment ( cur−” +
independentValue +
”) = ( cur−” + independentValue + ” ∗ ” + t imeDisc r e t i za t i onConstant + ”)
quo 1000 . ” ) ;
out . p r i n t l n ( ) ;
}
pub l i c void generate ( PrintStream out ) throws Exception
{
i f ( independentValue == nu l l )
generateDependentModule ( out ) ;
e l s e
generateIndependentDependentModule ( out ) ;
}
}
A.3 Sample Model File
Here is a sample model file, which can be input into our model generator to produce a formal Maude
model of the system.
; This i s an example o f an input model f o r the Maude Formal Model Generator
; Designed in c o l l a bo r a t i o n with John Deere
; c reated by Stan Bak ( s bak2@ i l l i n o i s . edu ) , 3/2009
; The d i s c r e t e uni t o f time , in m i l l i s e c ond s
TimeDiscret izat ionConstant = 500
; The d i s c r e t e uni t o f d i s tance , in m i l l ime t e r s
D i s tanceDi s c r e t i za t i onCons tant = 250
62
; The d i s c r e t e uni t o f angle measurement , in m i l l i r a d i a n s
Ang leDi sc re t i zat ionConstant = 200
; These de f i n e the phys i ca l dimensions o f the t r a c t o r . The measurements f o r the




; These de f i n e the po t en t i a l behavior o f the t r a c t o r when the v e l o c t i y i s
p o s i t i v e
; S ince breaking i s t y p i c a l l y more in t en s e than ac c e l e r a t i ng , expect the min
ac c e l here to
; have a higher abso lute value . Expressed in m i l l ime t e r s / second ˆ2
ForwardsMinAccel = −3000
ForwardsMaxAccel = 2000
; Same as above , except when the v e l o c i t y i s negat ive
BackwardsMinAccel = −1000
BackwardsMaxAccel = 3000
; These are the abso lute l im i t s o f the v e l o c i t y o f the t r a c t o r . Expressed in
m i l l ime t e r s / second
MinVel = −1000
MaxVel = 6500
; These de f i n e the behavior o f the s t e e r i n g o f the t r a c t o r . The ang l e s are
expressed in
; m i l l i r ad i an s , and we de f i n e a minimum and maximum angle . 1 .5 rad ians ˜= 86
degrees . The
; de l t a s t e e r i n g angle i s maximum change in s t e e r i n g per second
( m i l l i r a d i a n s / second )
MinSteeringAngle = −1400
MaxSteeringAngle = 1400
DeltaSteer ingAngle = 800
; These cha r a t e r i z e the t e r r a i n . MaxSlope i s the maximum t i l t o f the t e r ra in ,
in m i l l i r a d i a n s .
; 1 radian ˜= 57 degrees . Max de l ta s l ope i s the maximum change in s l ope at the
maximum ve l o c i t y o f the t r a c t o r . This i s expressed in m i l l i r a d i a n s per second
MaxSlope = 1000
MaxDeltaSlope = 400
; The next va lues measure the f r i c t i o n o f var ious s u r f a c e s where our t r a c t o r
w i l l operate .
; Two measurements are required , one on the l e a s t s l i pp e r y sur face , and one on
the most
; s l i pp e r y su r f a c e ( the ones between w i l l be i n f e r r e d ) . Raw or i d e a l a c c e l
r e f e r s to the
; a c c e l e r a t i o n without s l i p ( the one reported on the CAN bus ) . observed
a c c e l e r a t i o n i s
; a c c e l e r a t i o n a f t e r s l i p . Best i s f o r the l e a s t s l i pp e r y sur face , worst means
most





; This i s the time in m i l l i s e c ond s that i t takes to dr ive from the l e a s t
s l i pp e r y su r f a c e to
; the most s l i pp e r y su r f a c e . S ince t h i s i s j u s t a performance funct ion , i t ’ s
okay to be
; s l i g h t l y o f f . A l a r g e r value w i l l be l e s s p e s s im i s t i c at the expense o f
po t en t i a l l a t e r
; d e t e c t i on .
TimeFromBestToWorst = 2000
; These are the same as above , except they are used f o r the sk id ( ov e r s t e e r i n g )
model . The
; a c c e l e r a t i o n here i s r e f e r i n g to the a c c e l e r a t i o n o f the turn , which can be
i n f e r e d by
; performing a turn and measuring the d i f f e r e n c e between the expected rad ius
and the observed









This Maude file defines the semantics for all the implemented VMaude statements.
−−− Stanley Bak
−−− s b ak2@ i l l i n o i s . edu
−−− 5/2009
−−− VMaude Semantics De f i n i t i o n F i l e
−−−− notes :
−−− you must have ( cyc le−count ) in your l i s t o f VMaude program
−−− you must de f i n e a s i g n a l named ’ fsmState
mod VHDL−STRUCTURED i s
pr INT .
pr QID .
s o r t SORT VHDL LINE .
s o r t VARIABLE VALUE .
so r t SORT INITIAL VALUE .
op : SORT VHDL LINE SORT VHDL LINE −> SORT VHDL LINE [ assoc comm id :
no l i n e ] .
op no l i n e : −> SORT VHDL LINE .
op : SORT INITIAL VALUE SORT INITIAL VALUE −> SORT INITIAL VALUE [ assoc
comm id : noinput ] .
op noinput : −> SORT INITIAL VALUE .
s o r t s SORT VHDL INPUT SORT VHDL OUTPUT SORT VHDL SIGNAL SORT VHDL STATE .
subsort SORT VHDL INPUT SORT VHDL OUTPUT SORT VHDL SIGNAL SORT VHDL STATE <
SORT VHDL LINE .
vars VarValue IntValue Length OtherLength OldInt StateNum NextStateNum
TrueNextStateNum FalseNextStateNum Count : Int .
vars VarName OtherVarName ThirdVarName : Qid .
vars Lines : SORT VHDL LINE .
vars O t h e r I n i t i a l i z e r s : SORT INITIAL VALUE .
op ( input ) : Qid Int −> SORT VHDL INPUT .
op input−value ( ) : Qid Int Int −> SORT VHDL INPUT .
eq ( input VarName Length ) = input−value (VarName Length 0) .
op ( output ) : Qid Int −> SORT VHDL OUTPUT .
op output−value ( ) : Qid Int Int −> SORT VHDL OUTPUT .
eq ( output VarName Length ) = output−value (VarName Length 0) .
op ( s i g n a l ) : Qid Int −> SORT VHDL SIGNAL .
op s igna l−value ( ) : Qid Int Int −> SORT VHDL SIGNAL .
eq ( s i g n a l VarName Length ) = s igna l−value (VarName Length 0) .
op ( cyc le−count ) : −> SORT VHDL LINE .
op cyc l ecount ( ) : Int −> SORT VHDL LINE .
eq ( cyc le−count ) = cyc lecount (0) .
−−− ex t rac t a value from within the module
op ge t Inte rna lVa lue ( , ) : Qid SORT VHDL LINE −> Int .
eq ge t In te rna lVa lue (VarName , Lines input−value (VarName Length VarValue ) ) =
VarValue .
eq ge t In te rna lVa lue (VarName , Lines s i gna l−value (VarName Length VarValue ) ) =
VarValue .
−−− get a value o f the output value ( not to be used within the module )
op getOutputValue ( , ) : Qid SORT VHDL LINE −> Int .
eq getOutputValue (VarName , Lines s i gna l−value ( ’ fsmState Length 0)
output−value (VarName OtherLength VarValue ) ) = VarValue .
−−− wrap a value to predetermined length
op wrap ( , ) : Int Int −> Int .
ceq wrap (VarValue , Length ) = wrap (VarValue − (2 ˆ ( Length ) ) , Length ) i f Length
> 0 and VarValue > 2 ˆ ( Length − 1) . −−− over f low
ceq wrap (VarValue , Length ) = wrap (VarValue + (2 ˆ ( Length ) ) , Length ) i f Length
> 0 and VarValue <= − (2 ˆ ( Length − 1)) . −−− underf low
eq wrap (VarValue , Length ) = VarValue [ owise ] . −−− in range
−−− s e t a s i gna l , r e tu rns l i n e s with s i g n a l s e t
op setValue ( , , ) : SORT VHDL LINE Qid Int −> SORT VHDL LINE .
eq setValue ( s i gna l−value (VarName Length OldInt ) Lines , VarName , VarValue )
= s igna l−value (VarName Length wrap (VarValue , Length ) ) Lines .
eq setValue ( output−value (VarName Length OldInt ) Lines , VarName , VarValue )
= output−value (VarName Length wrap (VarValue , Length ) ) Lines .
−−− i n i t i a l i z e an input value , do not use during execut ion
64
op i n i t i a l i z e I n pu tVa l u e ( , , ) : SORT VHDL LINE Qid Int −> SORT VHDL LINE
.
eq i n i t i a l i z e I n pu tVa l u e ( input−value (VarName Length OldInt ) Lines , VarName
, VarValue ) = input−value (VarName Length wrap (VarValue , Length ) ) Lines .
−−− increment cyc l e count
op incrementCycleCount : SORT VHDL LINE −> SORT VHDL LINE .
eq incrementCycleCount ( Lines cyc l ecount ( VarValue ) ) = Lines
cyc l ecount ( VarValue + 1) .
op i t e r a t e ( ) : SORT VHDL LINE −> SORT VHDL LINE .
−−− execut ion , use getValue to get the value o f outputs
op run ( ) : SORT VHDL LINE −> SORT VHDL LINE .
eq run ( Lines ) = i t e r a t e ( incrementCycleCount ( setValue ( Lines , ’ fsmState , 1 ) ) ) .
−−− execut ion with input va lues
op i n i t i a lV a l u e ( ) : Qid Int −> SORT INITIAL VALUE .
op run ( , ) : SORT INITIAL VALUE SORT VHDL LINE −> SORT VHDL LINE .
eq run ( i n i t i a lV a l u e (VarName IntValue ) O t h e r I n i t i a l i z e r s , Lines ) =
run ( O t h e r I n i t i a l i z e r s , i n i t i a l i z e I n pu tVa l u e ( Lines , VarName , IntValue ) ) .
eq run ( noinput , Lines ) = run ( Lines ) .
−−− get the cyc l e count
op getCycleCount ( ) : SORT VHDL LINE −> Int .
eq getCycleCount ( Lines cyc l ecount (Count ) ) = Count .
−−− we reve r t ed back to s t a t e 0 ( should be done , stop i t e r a t i n g )
eq i t e r a t e ( Lines s i gna l−value ( ’ fsmState Length 0) ) = Lines
s i gna l−value ( ’ fsmState Length 0) .
−−− Assign Int
op ( s t a t e a s s i gn In t ) : Int Qid Int Int −> SORT VHDL STATE .
op a s s i gn In t ( ) : Int Qid Int Int −> SORT VHDL STATE .
eq ( s t a t e StateNum as s i gn In t VarName IntValue NextStateNum) =
as s i gn In t ( StateNum VarName IntValue NextStateNum) .
eq i t e r a t e ( Lines a s s i gn In t ( StateNum VarName IntValue NextStateNum)
s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue (
setValue (
Lines a s s i gn In t ( StateNum VarName IntValue NextStateNum)






−−− Assign S igna l
op ( s t a t e a s s i gnS i gna l ) : Int Qid Qid Int −> SORT VHDL STATE .
op a s s i gnS i gna l ( ) : Int Qid Qid Int −> SORT VHDL STATE .
eq ( s t a t e StateNum as s i gnS i gna l VarName OtherVarName NextStateNum) =
as s i gnS i gna l ( StateNum VarName OtherVarName NextStateNum) .
eq i t e r a t e ( Lines a s s i gnS i gna l ( StateNum VarName OtherVarName NextStateNum)
s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue (
setValue (
Lines a s s i gnS i gna l ( StateNum VarName OtherVarName NextStateNum)
s igna l−value ( ’ fsmState Length StateNum)
, VarName




−−− Assign Add S igna l Int
op ( s t a t e ass ignAddSigna l Int ) : Int Qid Qid Int Int −>
SORT VHDL STATE .
op ass ignAddSigna l Int ( ) : Int Qid Qid Int Int −> SORT VHDL STATE .
eq ( s t a t e StateNum ass ignAddSigna l Int VarName OtherVarName IntValue
NextStateNum) = ass ignAddSigna l Int ( StateNum VarName OtherVarName IntValue
NextStateNum) .
eq i t e r a t e ( Lines ass ignAddSigna l Int ( StateNum VarName OtherVarName IntValue
NextStateNum) s igna l−value ( ’ fsmState Length StateNum) )
=
65
i t e r a t e ( incrementCycleCount (
setValue (
setValue (
Lines ass ignAddSigna l Int ( StateNum VarName OtherVarName IntValue
NextStateNum) s igna l−value ( ’ fsmState Length StateNum)
, VarName




−−− Assign Add S igna l S igna l
op ( s t a t e ass ignAddSigna lS igna l ) : Int Qid Qid Qid Int −>
SORT VHDL STATE .
op ass ignAddSigna lS igna l ( ) : Int Qid Qid Qid Int −> SORT VHDL STATE .
eq ( s t a t e StateNum ass ignAddSigna lS igna l VarName OtherVarName ThirdVarName
NextStateNum) = ass ignAddSigna lS igna l ( StateNum VarName OtherVarName
ThirdVarName NextStateNum) .
eq i t e r a t e ( Lines ass ignAddSigna lS igna l ( StateNum VarName OtherVarName
ThirdVarName NextStateNum) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue (
setValue (
Lines ass ignAddSigna lS igna l ( StateNum VarName OtherVarName ThirdVarName
NextStateNum) s igna l−value ( ’ fsmState Length StateNum)
, VarName





−−− Assign Mult S igna l Int
op ( s t a t e as s i gnMul tS igna l In t ) : Int Qid Qid Int Int −>
SORT VHDL STATE .
op as s i gnMul tS igna l In t ( ) : Int Qid Qid Int Int −> SORT VHDL STATE .
eq ( s t a t e StateNum ass ignMul tS igna l In t VarName OtherVarName IntValue
NextStateNum) = ass i gnMul tS igna l In t ( StateNum VarName OtherVarName IntValue
NextStateNum) .
eq i t e r a t e ( Lines a s s i gnMul tS igna l In t ( StateNum VarName OtherVarName IntValue
NextStateNum) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue (
setValue (
Lines a s s i gnMul tS igna l In t ( StateNum VarName OtherVarName IntValue
NextStateNum) s igna l−value ( ’ fsmState Length StateNum)
, VarName




−−− Assign Sh i f t Right S igna l Int
op ( s t a t e a s s i gnSh i f tR i gh tS i gna l I n t ) : Int Qid Qid Int Int −>
SORT VHDL STATE .
op a s s i gnSh i f tR i gh tS i gna l I n t ( ) : Int Qid Qid Int Int −>
SORT VHDL STATE .
eq ( s t a t e StateNum as s i gnSh i f tR i gh tS i gna l I n t VarName OtherVarName IntValue
NextStateNum) = as s i gnSh i f tR i gh tS i gna l I n t ( StateNum VarName OtherVarName
IntValue NextStateNum) .
eq i t e r a t e ( Lines a s s i gnSh i f tR i gh tS i gna l I n t ( StateNum VarName OtherVarName
IntValue NextStateNum) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue (
setValue (
Lines a s s i gnSh i f tR i gh tS i gna l I n t ( StateNum VarName OtherVarName IntValue
NextStateNum) s igna l−value ( ’ fsmState Length StateNum)
, VarName




−−− Condit iona l Greater S igna l Int
op ( s t a t e cond i t i ona lGr ea t e rS i gna l I n t ) : Int Qid Int Int Int −>
SORT VHDL STATE .
op cond i t i ona lGr ea t e rS i gna l I n t ( ) : Int Qid Int Int Int −>
SORT VHDL STATE .
eq ( s t a t e StateNum cond i t i ona lGr ea t e rS i gna l I n t VarName IntValue
66
TrueNextStateNum FalseNextStateNum ) = cond i t i ona lGr ea t e rS i gna l I n t ( StateNum
VarName IntValue TrueNextStateNum FalseNextStateNum ) .
ceq i t e r a t e ( Lines cond i t i ona lGr ea t e rS i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines cond i t i ona lGr ea t e rS i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, TrueNextStateNum)
) ) i f g e t In te rna lVa lue (VarName , Lines ) > IntValue .
eq i t e r a t e ( Lines c ond i t i ona lGr ea t e rS i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines cond i t i ona lGr ea t e rS i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, FalseNextStateNum )
) ) [ owise ] .
−−− Condit iona l Equals S igna l Int
op ( s t a t e cond i t i ona lEqua l sS i gna l In t ) : Int Qid Int Int Int −>
SORT VHDL STATE .
op cond i t i ona lEqua l sS i gna l In t ( ) : Int Qid Int Int Int −>
SORT VHDL STATE .
eq ( s t a t e StateNum cond i t i ona lEqua l sS i gna l In t VarName IntValue
TrueNextStateNum FalseNextStateNum ) = cond i t i ona lEqua l sS i gna l In t ( StateNum
VarName IntValue TrueNextStateNum FalseNextStateNum ) .
ceq i t e r a t e ( Lines cond i t i ona lEqua l sS i gna l In t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines cond i t i ona lEqua l sS i gna l In t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, TrueNextStateNum)
) ) i f g e t In te rna lVa lue (VarName , Lines ) == IntValue .
eq i t e r a t e ( Lines cond i t i ona lEqua l sS i gna l In t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines cond i t i ona lEqua l sS i gna l In t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, FalseNextStateNum )
) ) [ owise ] .
−−− Condit iona l Greater S igna l S igna l
op ( s t a t e cond i t i ona lGr ea t e rS i gna lS i gna l ) : Int Qid Qid Int Int −>
SORT VHDL STATE .
op cond i t i ona lGr ea t e rS i gna lS i gna l ( ) : Int Qid Qid Int Int −>
SORT VHDL STATE .
eq ( s t a t e StateNum cond i t i ona lGr ea t e rS i gna lS i gna l VarName OtherVarName
TrueNextStateNum FalseNextStateNum ) = cond i t i ona lGr ea t e rS i gna lS i gna l ( StateNum
VarName OtherVarName TrueNextStateNum FalseNextStateNum ) .
ceq i t e r a t e ( Lines cond i t i ona lGr ea t e rS i gna lS i gna l ( StateNum VarName
OtherVarName TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length
StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines cond i t i ona lGr ea t e rS i gna lS i gna l ( StateNum VarName OtherVarName
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, TrueNextStateNum)
) ) i f g e t In te rna lVa lue (VarName , Lines ) > get In te rna lVa lue (OtherVarName ,
Lines ) .
eq i t e r a t e ( Lines cond i t i ona lGr ea t e rS i gna lS i gna l ( StateNum VarName OtherVarName
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines cond i t i ona lGr ea t e rS i gna lS i gna l ( StateNum VarName OtherVarName
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, FalseNextStateNum )
) ) [ owise ] .
67
−−− Condit iona l Lesse r S igna l Int
op ( s t a t e c ond i t i o na lL e s s e r S i gna l I n t ) : Int Qid Int Int Int −>
SORT VHDL STATE .
op c ond i t i o na lL e s s e r S i gna l I n t ( ) : Int Qid Int Int Int −>
SORT VHDL STATE .
eq ( s t a t e StateNum cond i t i o na lL e s s e r S i gna l I n t VarName IntValue
TrueNextStateNum FalseNextStateNum ) = cond i t i o n a lL e s s e r S i gna l I n t ( StateNum
VarName IntValue TrueNextStateNum FalseNextStateNum ) .
ceq i t e r a t e ( Lines c ond i t i o na lL e s s e r S i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines c ond i t i o n a lL e s s e r S i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, TrueNextStateNum)
) ) i f g e t In te rna lVa lue (VarName , Lines ) < IntValue .
eq i t e r a t e ( Lines c ond i t i o n a lL e s s e r S i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum) )
=
i t e r a t e ( incrementCycleCount (
setValue ( Lines c ond i t i o n a lL e s s e r S i gna l I n t ( StateNum VarName IntValue
TrueNextStateNum FalseNextStateNum ) s igna l−value ( ’ fsmState Length StateNum)
, ’ fsmState
, FalseNextStateNum )
) ) [ owise ] .
endm
A.5 Roll VMaude Code
The VMaude code for the rollover decision module is listed here.
( cyc le−count )
( input ’ i S l ope 16)
( input ’ iNextStee r ing 16)
( input ’ nextVe loc i ty 16)
( output ’ a l low 1)
( s i g n a l ’ s l ope 16)
( s i g n a l ’ nextStee r ing 16)
( s i g n a l ’ fsmState 8)
( s i g n a l ’ worstCaseSlope 16)
( s i g n a l ’ r ightHandSide 32) −−− r i gh t hand s i d e o f l i n e a r equat ions
( s i g n a l ’ l e f tHandSide 32) −−− l e f t hand s i d e o f l i n e a r equat ions
−−−−− f i r s t check i f curStee r i s negat ive , i f so curSlope ∗= −1, curStee r ∗= −1
( s t a t e 1 cond i t i ona lGr ea t e rS i gna l I n t ’ iNextStee r ing 0 52 54)
( s t a t e 52 a s s i gnS i gna l ’ s l ope ’ i S l ope 53)
( s t a t e 53 a s s i gnS i gna l ’ nextStee r ing ’ iNextStee r ing 41) −−− s t a t e 41 assumes
s t e e r i n g > 0
( s t a t e 54 a s s i gnS i gna l ’ s l ope ’ i S l ope 55)
( s t a t e 55 as s i gnMul tS igna l In t ’ s l ope ’ s l ope −1 56)
( s t a t e 56 a s s i gnS i gna l ’ nextStee r ing ’ iNextStee r ing 57)
( s t a t e 57 as s i gnMul tS igna l In t ’ nextStee r ing ’ nextStee r ing −1 41)
( s t a t e 41 ass ignAddSigna l Int ’ worstCaseSlope ’ s l ope 200 42) −−− i n c r e a s e s l ope
to f i nd worst−case s l ope
( s t a t e 42 cond i t i ona lGr ea t e rS i gna l I n t ’ worstCaseSlope 1000 43 44) −−− trim
worst−case s l ope
( s t a t e 43 a s s i gn In t ’ worstCaseSlope 1000 44) −−− trim worst−case s l ope
( s t a t e 44 cond i t i ona lEqua l sS i gna l In t ’ worstCaseSlope 600 7 45) −−− i f
’ worstCaseSlope == 600 , s t a t e := 7
( s t a t e 45 cond i t i ona lEqua l sS i gna l In t ’ worstCaseSlope 800 8 46) −−− i f
’ worstCaseSlope == 800 , s t a t e := 8
( s t a t e 46 cond i t i ona lEqua l sS i gna l In t ’ worstCaseSlope 1000 9 10) −−− i f
’ worstCaseSlope == 1000 , s t a t e := 9 , otherwi se s t a t e := 10
−−−−− s t a t e 7 , ’ worstCaseSlope i s 600
( s t a t e 7 a s s i gnS i gna l ’ r ightHandSide ’ nextVe loc i ty 12)
( s t a t e 12 as s i gnMul tS igna l In t ’ r ightHandSide ’ r ightHandSide 51 13) −−− 1/5 ˜=
51/256
( s t a t e 13 a s s i gnSh i f tR i gh tS i gna l I n t ’ r ightHandSide ’ r ightHandSide 8 14)
( s t a t e 14 as s i gnMul tS igna l In t ’ r ightHandSide ’ r ightHandSide −1 15)
( s t a t e 15 ass ignAddSigna l Int ’ r ightHandSide ’ r ightHandSide 2400 16)
( s t a t e 16 a s s i gnS i gna l ’ l e f tHandSide ’ nextStee r ing 17)
( s t a t e 17 cond i t i ona lGr ea t e rS i gna lS i gna l ’ l e f tHandSide ’ r ightHandSide 0 10)
68
−−−−− s t a t e 8 , ’ worstCaseSlope i s 800
( s t a t e 8 cond i t i ona lGr ea t e rS i gna l I n t ’ nextVe loc i ty 5000 19 20) −−− i f NewVel >
5000 check newsteer in 19
( s t a t e 19 c ond i t i o na lL e s s e r S i gna l I n t ’ nextStee r ing 700 10 0) −−− i f S t e e r ing <
700 ’ allow , e l s e deny
−−−− newvel <= 5000 , check l i n e equat ion
( s t a t e 20 a s s i gnS i gna l ’ l e f tHandSide ’ nextStee r ing 21)
( s t a t e 21 a s s i gnS i gna l ’ r ightHandSide ’ nextVe loc i ty 22)
( s t a t e 22 as s i gnMul tS igna l In t ’ r ightHandSide ’ r ightHandSide 146 23) −−− 4/7 ˜=
146/256
( s t a t e 23 a s s i gnSh i f tR i gh tS i gna l I n t ’ r ightHandSide ’ r ightHandSide 8 24)
( s t a t e 24 as s i gnMul tS igna l In t ’ r ightHandSide ’ r ightHandSide −1 25)
( s t a t e 25 ass ignAddSigna l Int ’ r ightHandSide ’ r ightHandSide 3557 26)
( s t a t e 26 cond i t i ona lGr ea t e rS i gna lS i gna l ’ l e f tHandSide ’ r ightHandSide 0 10)
−−−−− s t a t e 9 , ’ worstCaseSlope i s 1000
( s t a t e 9 cond i t i ona lGr ea t e rS i gna l I n t ’ nextVe loc i ty 2900 27 10) −−− ’ a l low i f
newvel <= 2900
( s t a t e 27 cond i t i ona lGr ea t e rS i gna l I n t ’ nextStee r ing 300 28 10) −−− ’ a l low i f
newsteer <= 300
−−− check l i n e equat ion
( s t a t e 28 a s s i gnS i gna l ’ l e f tHandSide ’ nextStee r ing 29)
( s t a t e 29 a s s i gnS i gna l ’ r ightHandSide ’ nextVe loc i ty 30)
( s t a t e 30 as s i gnMul tS igna l In t ’ r ightHandSide ’ r ightHandSide 77 31) −−− 3/10 ˜=
77/256
( s t a t e 31 a s s i gnSh i f tR i gh tS i gna l I n t ’ r ightHandSide ’ r ightHandSide 8 32)
( s t a t e 32 as s i gnMul tS igna l In t ’ r ightHandSide ’ r ightHandSide −1 33)
( s t a t e 33 ass ignAddSigna l Int ’ r ightHandSide ’ r ightHandSide 1770 34)
( s t a t e 34 cond i t i ona lGr ea t e rS i gna lS i gna l ’ l e f tHandSide ’ r ightHandSide 0 10)
−−− ’ a l low or deny s t a t e s
( s t a t e 10 a s s i gn In t ’ a l low −1 0) −−− ’ a l low command ; done
−−− f o r deny ju s t t r a n s i t i o n to s t a t e 0
A.6 Roll VHDL Code
The generated VHDL code for the rollover module is listed here.
−− Created from Template Blank Module us ing VHDL Entity Editor by Stan Bak
l i b r a r y IEEE ;
use IEEE . STD LOGIC 1164 .ALL;
use IEEE .NUMERIC STD.ALL;
use IEEE .STD LOGIC UNSIGNED.ALL;
en t i t y input i s
port (
c l ock : in s t d l o g i c := ’ 0 ’ ;
s t a r t : in s t d l o g i c := ’ 0 ’ ;
done : out s t d l o g i c := ’ 0 ’ ;
i S l ope : in s igned (15 downto 0) := ( other s => ’ 0 ’ ) ;
iNextStee r ing : in s igned (15 downto 0) := ( other s => ’ 0 ’ ) ;
nextVe loc i ty : in s igned (15 downto 0) := ( other s => ’ 0 ’ ) ;
a l low : out s igned (0 downto 0) := ( other s => ’ 0 ’ )
) ;
end input ;
a r ch i t e c t u r e Behaviora l o f input i s
s i g n a l s l ope : s igned (15 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l nextStee r ing : s igned (15 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l fsmState : i n t e g e r range 0 to 255 := 0 ;
s i g n a l worstCaseSlope : s igned (15 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l r ightHandSide : s igned (31 downto 0) := ( other s => ’ 0 ’ ) ;
s i g n a l l e f tHandSide : s igned (31 downto 0) := ( other s => ’ 0 ’ ) ;
begin
proce s s ( c l ock ) begin
i f r i s i n g e d g e ( c lock ) then
case fsmState i s
when 0 =>
done <= ’0 ’ ;
i f s t a r t = ’1 ’ then
fsmState <= 1;
end i f ;
when 1 =>
69
i f iNextStee r ing > 0 then
fsmState <= 52;
e l s e
fsmState <= 54;
end i f ;
when 52 =>
s l ope <= to s i gned ( t o i n t e g e r ( i S l ope ) , 1 6 ) ;
fsmState <= 53;
when 53 =>
nextStee r ing <= to s i gned ( t o i n t e g e r ( iNextStee r ing ) , 1 6 ) ;
fsmState <= 41;
when 54 =>
s l ope <= to s i gned ( t o i n t e g e r ( i S l ope ) , 1 6 ) ;
fsmState <= 55;
when 55 =>
s l ope <= to s i gned ( t o i n t e g e r ( s l ope ) ∗ (−1) , 1 6 ) ;
fsmState <= 56;
when 56 =>
nextStee r ing <= to s i gned ( t o i n t e g e r ( iNextStee r ing ) , 1 6 ) ;
fsmState <= 57;
when 57 =>
nextStee r ing <= to s i gned ( t o i n t e g e r ( nextStee r ing ) ∗ (−1) , 1 6 ) ;
fsmState <= 41;
when 41 =>
worstCaseSlope <= s lope + (200 ) ;
fsmState <= 42;
when 42 =>
i f worstCaseSlope > 1000 then
fsmState <= 43;
e l s e
fsmState <= 44;
end i f ;
when 43 =>
worstCaseSlope <= to s i gned (1000 , 16 ) ;
fsmState <= 44;
when 44 =>
i f worstCaseSlope = 600 then
fsmState <= 7;
e l s e
fsmState <= 45;
end i f ;
when 45 =>
i f worstCaseSlope = 800 then
fsmState <= 8;
e l s e
fsmState <= 46;
end i f ;
when 46 =>
i f worstCaseSlope = 1000 then
fsmState <= 9;
e l s e
fsmState <= 10;
end i f ;
when 7 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( nextVe loc i ty ) , 3 2 ) ;
fsmState <= 12;
when 12 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( r ightHandSide ) ∗ (51) , 3 2 ) ;
fsmState <= 13;
when 13 =>
r ightHandSide <= rightHandSide s r l ( 8 ) ;
fsmState <= 14;
when 14 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( r ightHandSide ) ∗ (−1) , 3 2 ) ;
fsmState <= 15;
when 15 =>
r ightHandSide <= rightHandSide + (2400 ) ;
fsmState <= 16;
when 16 =>
l e f tHandSide <= to s i gned ( t o i n t e g e r ( nextStee r ing ) , 3 2 ) ;
fsmState <= 17;
when 17 =>
i f l e f tHandSide > r ightHandSide then
done <= ’1 ’ ;
fsmState <= 0;
e l s e
fsmState <= 10;
end i f ;
when 8 =>
i f nextVe loc i ty > 5000 then
fsmState <= 19;
e l s e
fsmState <= 20;
end i f ;
when 19 =>
70
i f nextStee r ing < 700 then
fsmState <= 10;
e l s e
done <= ’1 ’ ;
fsmState <= 0;
end i f ;
when 20 =>
l e f tHandSide <= to s i gned ( t o i n t e g e r ( nextStee r ing ) , 3 2 ) ;
fsmState <= 21;
when 21 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( nextVe loc i ty ) , 3 2 ) ;
fsmState <= 22;
when 22 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( r ightHandSide ) ∗ (146) , 3 2 ) ;
fsmState <= 23;
when 23 =>
r ightHandSide <= rightHandSide s r l ( 8 ) ;
fsmState <= 24;
when 24 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( r ightHandSide ) ∗ (−1) , 3 2 ) ;
fsmState <= 25;
when 25 =>
r ightHandSide <= rightHandSide + (3557 ) ;
fsmState <= 26;
when 26 =>
i f l e f tHandSide > r ightHandSide then
done <= ’1 ’ ;
fsmState <= 0;
e l s e
fsmState <= 10;
end i f ;
when 9 =>
i f nextVe loc i ty > 2900 then
fsmState <= 27;
e l s e
fsmState <= 10;
end i f ;
when 27 =>
i f nextStee r ing > 300 then
fsmState <= 28;
e l s e
fsmState <= 10;
end i f ;
when 28 =>
l e f tHandSide <= to s i gned ( t o i n t e g e r ( nextStee r ing ) , 3 2 ) ;
fsmState <= 29;
when 29 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( nextVe loc i ty ) , 3 2 ) ;
fsmState <= 30;
when 30 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( r ightHandSide ) ∗ (77) , 3 2 ) ;
fsmState <= 31;
when 31 =>
r ightHandSide <= rightHandSide s r l ( 8 ) ;
fsmState <= 32;
when 32 =>
r ightHandSide <= to s i gned ( t o i n t e g e r ( r ightHandSide ) ∗ (−1) , 3 2 ) ;
fsmState <= 33;
when 33 =>
r ightHandSide <= rightHandSide + (1770 ) ;
fsmState <= 34;
when 34 =>
i f l e f tHandSide > r ightHandSide then
done <= ’1 ’ ;
fsmState <= 0;
e l s e
fsmState <= 10;
end i f ;
when 10 =>
al low <= to s i gned (−1, 1 ) ;
done <= ’1 ’ ;
fsmState <= 0;
when other s =>
end case ;
end i f ;
end proce s s ;
end Behaviora l ;
71
A.7 VHDL Generator Code
The VMaude to VHDL generator, contains several files, mostly dealing with parsing and generating
VHDL. The source file with the main logic for doing the translation is provided below.
import java . i o . BufferedReader ;
import java . i o . Buf feredWriter ;
import java . i o . Fi leInputStream ;
import java . i o . FileOutputStream ;
import java . i o . InputStreamReader ;
import java . i o . OutputStreamWriter ;





∗ VHDL−s t ruc tured Maude to VHDL Trans lator
∗
∗ Sample o f VHDL−Structured Maude :
( cyc le−count )
( input ’ s l ope 16)
( input ’ s l ope2 16)
( output ’ output 8)
( s i g n a l ’ fsmState 8)
( s i g n a l ’ i n t e r n a l 8)
( s i g n a l ’ i n t e r na l 2 4)
( s t a t e 1 a s s i gn In t ’ i n t e r n a l 9 2)
( s t a t e 2 a s s i gn In t ’ i n t e r na l 2 9 3)
( s t a t e 3 cond i t i ona lGr ea t e rS i gna lS i gna l ’ s l ope ’ s l ope2 4 5)
( s t a t e 4 a s s i gn In t ’ output 4 0)
( s t a t e 5 a s s i gn In t ’ output 5 0)
∗/
pub l i c c l a s s Main
{
pr iva t e s t a t i c VHDL Entity en t i t y = nu l l ;
p r i va t e s t a t i c TreeMap <Str ing , Integer> signalToSizeMap = new TreeMap
<Str ing , Integer >();
pub l i c s t a t i c void main ( St r ing [ ] args )
{
Str ing inputFilename = ” input . txt ” ;
St r ing outputFilename ;
St r ing baseName = ”SafeBehavior ” ;
St r ing behaviora lFi lename = ”beh . txt ” ;
i f ( args . l ength > 0)
inputFilename = args [ 0 ] ;
i n t per iodIndex = inputFilename . indexOf ( ’ . ’ ) ;
i f ( per iodIndex != −1)
baseName = inputFilename . subs t r ing (0 , per iodIndex ) ;
outputFilename = baseName + ” . vhd ” ;
en t i t y = new VHDL Entity ( baseName ) ;
en t i t y . createBlank (baseName ) ;
t ry
{
BufferedReader f i n = new BufferedReader (new
InputStreamReader (new Fi leInputStream ( inputFilename ) ) ) ;
Buf feredWriter fout = new BufferedWriter (new
OutputStreamWriter (new FileOutputStream ( behaviora lFi lename ) ) ) ;
in i t i a lWork ( fout ) ;
f o r ( St r ing l i n e = f i n . readLine ( ) ; l i n e != nu l l ; l i n e =
f i n . readLine ( ) )
{
// trim comments
i n t commentIndex = l i n e . indexOf(”−−−”);
i f ( commentIndex != −1)
l i n e = l i n e . subs t r ing (0 , commentIndex ) ;
72
// trim whitespace
l i n e = l i n e . trim ( ) ;
i f ( l i n e . l ength ( ) == 0) // blank l i n e
cont inue ;
// check f o r parentheses
i f ( l i n e . l ength ( ) < 2 | | l i n e . charAt (0) != ’ ( ’
| | l i n e . charAt ( l i n e . l ength ( ) − 1) != ’ ) ’ )
{
System . e r r . p r i n t l n (” Error : l i n e does




i n t l en = l i n e . l ength ( ) ;
l i n e = l i n e . subs t r ing (1 , l en − 1 ) ;
// f i n a l l y p r in t out the r e s u l t
proce s sL ine ( l i n e , fout ) ;
}
f inalWork ( fout ) ;
f i n . c l o s e ( ) ;
f out . c l o s e ( ) ;
// s e t en t i t y behav io ra l f i l e
en t i t y . addBehavior ( behaviora lFi lename ) ;
// okay now pr in t the en t i t y
en t i t y . p r in tEnt i ty ( outputFilename ) ;
System . out . p r i n t l n (”Done ! ” ) ;
}
catch ( Exception e )
{
System . e r r . p r i n t l n ( e ) ;
}
System . ex i t ( 0 ) ;
}
/∗∗
∗ Set up en t i t y and behav io ra l f i l e
∗ @param fout the behavior f i l e bu f f e r edwr i t e r to pr in t the vhdl to
∗ @throws Exception i f there ’ s a f i l e I /O e r r o r
∗/
pr i va t e s t a t i c void in i t i a lWork ( Buf feredWriter fout ) throws Exception
{
en t i t y . addSignal (new VHDL Signal (” c lock ” , ” s t d l o g i c ” ,
S i gna lD i r e c t i on . IN , ” ’ 0 ’ ” ) ) ;
f out . wr i te (”\ nprocess ( c l ock ) begin\n ” ) ;
fout . wr i te (” i f r i s i n g e d g e ( c lock ) then\n ” ) ;
fout . wr i te (” case fsmState i s \n ” ) ;
fout . wr i te (”\ twhen 0 =>\n ” ) ;
fout . wr i te (”\ t\ tdone <= ’0 ’ ;\n\n ” ) ;
fout . wr i te (”\ t\ t i f s t a r t = ’1 ’ then\n ” ) ;
fout . wr i te (”\ t\ t\ t f smState <= 1;\n ” ) ;
fout . wr i te (”\ t\ tend i f ;\n ” ) ;
en t i t y . addSignal (new VHDL Signal (” s t a r t ” , ” s t d l o g i c ” ,
S i gna lD i r e c t i on . IN , ” ’ 0 ’ ” ) ) ;
s e t S i g n a l S i z e (” ’ s t a r t ” , 1 ) ;
en t i t y . addSignal (new VHDL Signal (” done ” , ” s t d l o g i c ” ,
S i gna lD i r e c t i on .OUT, ” ’ 0 ’ ” ) ) ;
s e t S i g n a l S i z e (” ’ done ” , 1 ) ;
}
/∗∗
∗ Complete the Behaviora l f i l e
∗ @param fout the behavior f i l e bu f f e r edwr i t e r to pr in t the vhdl to
∗ @throws Exception i f there ’ s a f i l e I /O e r r o r
∗/
pr i va t e s t a t i c void finalWork ( Buf feredWriter fout ) throws Exception
{
f out . wr i te (”\ twhen other s =>\n ” ) ;
fout . wr i te (” end case ;\n ” ) ;
fout . wr i te (” end i f ;\n ” ) ;




∗ Add a t r a n s i t i o n to the output stream of the fsmState s i g n a l
∗ @param tabs the number o f tabs to put be fo r e each output l i n e
∗ @param to the de s t i na t i on state , should be an i n t e g e r
∗ @param fout the stream to wr i te to
∗ @throws Exception i f an IO e r r o r occurs or i n t e g e r parse e r r o r s
∗/
pr i va t e s t a t i c void fsmTrans i t ion ( i n t tabs , S t r ing to , Buf feredWriter
fout ) throws Exception
{
i n t s t a t e = Int ege r . pa r s e In t ( to ) ;
i f ( s t a t e == 0) // done !
{
f o r ( i n t x = 0 ; x < tabs ; ++x)
fout . wr i te (”\ t ” ) ;
fout . wr i te (” done <= ’1 ’ ;\n ” ) ;
}
f o r ( i n t x = 0 ; x < tabs ; ++x)
fout . wr i te (”\ t ” ) ;
fout . wr i te (” fsmState <= ” + s ta t e + ”;\n ” ) ;
}
/∗∗
∗ This does the actua l one−to−one t r a n s l a t i o n s f o r the convers ion
∗ @param l i n e the current l i n e , non−blank with comments and
parentheses removed
∗ @param fout the behavior f i l e bu f f e r edwr i t e r to pr in t the vhdl to
∗ @throws Exception i f there ’ s a f i l e I /O e r r o r
∗/
pr i va t e s t a t i c void proces sL ine ( St r ing l i n e , Buf feredWriter fout )
throws Exception
{
Str ing tokens [ ] = l i n e . s p l i t (” ” ) ;
t ry
{
i f ( tokens . l ength == 1 &&
tokens [ 0 ] . equa l s (” cyc le−count ”) )
; // do nothing
e l s e i f ( tokens . l ength == 3 &&
tokens [ 0 ] . equa l s (” input ”) && tokens [ 1 ] . l ength ( ) > 1)
{
// ( input ’ s l ope 16)
St r ing name = tokens [ 1 ] . subs t r ing ( 1 ) ;
i n t l en = Int ege r . pa r s e In t ( tokens [ 2 ] ) ;
s e t S i g n a l S i z e ( tokens [ 1 ] , l en ) ;
en t i t y . addSignal (new VHDL Signal (name ,
” s igned (” + ( len−1) + ” downto 0)” , S i gna lD i r e c t i on . IN , ”( other s => ’ 0 ’ )” ) ) ;
}
e l s e i f ( tokens . l ength == 3 &&
tokens [ 0 ] . equa l s (” output ”) && tokens [ 1 ] . l ength ( ) > 1)
{
// ( output ’ output 8)
St r ing name = tokens [ 1 ] . subs t r ing ( 1 ) ;
i n t l en = Int ege r . pa r s e In t ( tokens [ 2 ] ) ;
s e t S i g n a l S i z e ( tokens [ 1 ] , l en ) ;
en t i t y . addSignal (new VHDL Signal (name ,
” s igned (” + ( len−1) + ” downto 0)” , S i gna lD i r e c t i on .OUT, ”( other s => ’ 0 ’ )” ) ) ;
}
e l s e i f ( tokens . l ength == 3 &&
tokens [ 0 ] . equa l s (” s i g n a l ”) && tokens [ 1 ] . equa l s (” ’ fsmState ”) )
{
// ( s i g n a l ’ fsmState 8)
i n t l en = Int ege r . pa r s e In t ( tokens [ 2 ] ) ;
s e t S i g n a l S i z e ( tokens [ 1 ] , l en ) ;
i n t rangeMax = ( in t )Math . round (Math . pow(2 ,
l en ) ) − 1 ;
en t i t y . addSignal (new VHDL Signal (” fsmState ” ,
” i n t e g e r range 0 to ” + rangeMax , S i gna lD i r e c t i on .INTERNAL, ”0” ) ) ;
}
e l s e i f ( tokens . l ength == 3 &&
tokens [ 0 ] . equa l s (” s i g n a l ”) && tokens [ 1 ] . l ength ( ) > 1)
{
// ( s i g n a l ’ appple 8)
St r ing name = tokens [ 1 ] . subs t r ing ( 1 ) ;
i n t l en = Int ege r . pa r s e In t ( tokens [ 2 ] ) ;
s e t S i g n a l S i z e ( tokens [ 1 ] , l en ) ;
74
en t i t y . addSignal (new VHDL Signal (name ,
” s igned (” + ( len−1) + ” downto 0)” , S i gna lD i r e c t i on .INTERNAL, ”( other s => ’ 0 ’ )”
) ) ;
}
e l s e i f ( tokens . l ength > 4 && tokens [ 0 ] . equa l s (” s t a t e ”) )
{
i n t stateNum = Intege r . pa r s e In t ( tokens [ 1 ] ) ;
f out . wr i te (”\ twhen ” + stateNum + ” =>\n\ t\ t ” ) ;
i f ( tokens [ 2 ] . equa l s (” a s s i gn In t ”) )
{
Str ing name = tokens [ 3 ] . subs t r ing ( 1 ) ;
fout . wr i te (name + ” <= to s i gned (” +
tokens [ 4 ] + ” , ” + ge tS i gna l S i z e ( tokens [ 3 ] ) + ”) ;\n ” ) ;
f smTrans i t ion (2 , tokens [ 5 ] , f out ) ;
}
e l s e i f ( tokens [ 2 ] . equa l s (” a s s i gnS i gna l ”) )
{
Str ing name = tokens [ 3 ] . subs t r ing ( 1 ) ;
S t r ing rhs = tokens [ 4 ] . subs t r ing ( 1 ) ;
fout . wr i te (name + ” <=
to s i gned ( t o i n t e g e r (” + rhs + ”) , ” + ge tS i gna l S i z e ( tokens [ 3 ] ) + ”) ;\n ” ) ;
f smTrans i t ion (2 , tokens [ 5 ] , f out ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” ass ignAddSigna l Int ”) ) // add i s okay to s imulate without
ca s t i ng
{
Str ing name = tokens [ 3 ] . subs t r ing ( 1 ) ;
S t r ing rhsS ig = tokens [ 4 ] . subs t r ing ( 1 ) ;
fout . wr i te (name + ” <= ” + rhsS ig + ” +
(” + tokens [ 5 ] + ”) ;\n ” ) ;
f smTrans i t ion (2 , tokens [ 6 ] , f out ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” ass ignAddSigna lS igna l ”) ) // add i s okay to s imulate without
ca s t i ng
{
Str ing name = tokens [ 3 ] . subs t r ing ( 1 ) ;
S t r ing rhsS ig = tokens [ 4 ] . subs t r ing ( 1 ) ;
S t r ing rhsS ig2 = tokens [ 5 ] . subs t r ing ( 1 ) ;
fout . wr i te (name + ” <= ” + rhsS ig + ” +
” + rhsS ig2 + ”;\n ” ) ;
f smTrans i t ion (2 , tokens [ 6 ] , f out ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” as s i gnMul tS igna l In t ”) ) // mult needs ca s t i ng f o r c o r r e c t
s imulat ion
{
Str ing name = tokens [ 3 ] . subs t r ing ( 1 ) ;
S t r ing rhsS ig = tokens [ 4 ] . subs t r ing ( 1 ) ;
fout . wr i te (name + ” <=
to s i gned ( t o i n t e g e r (” + rhsS ig + ”) ∗ (” + tokens [ 5 ] + ”) , ” +
ge tS i gna l S i z e ( tokens [ 4 ] ) + ”) ;\n ” ) ;
f smTrans i t ion (2 , tokens [ 6 ] , f out ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” a s s i gnSh i f tR i gh tS i gna l I n t ”) ) // s r l s imu la te s okay without
cas t
{
Str ing name = tokens [ 3 ] . subs t r ing ( 1 ) ;
S t r ing rhsS ig = tokens [ 4 ] . subs t r ing ( 1 ) ;
fout . wr i te (name + ” <= ” + rhsS ig + ”
s r l (” + tokens [ 5 ] + ”) ;\n ” ) ; // s r l = s h i f t r i gh t l o g i c a l
f smTrans i t ion (2 , tokens [ 6 ] , f out ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” cond i t i ona lGr ea t e rS i gna l I n t ”) )
{
Str ing s i g = tokens [ 3 ] . subs t r ing ( 1 ) ;
fout . wr i te (” i f ” + s i g + ” > ” +
tokens [ 4 ] + ” then\n ” ) ;
f smTrans i t ion (3 , tokens [ 5 ] , f out ) ;
fout . wr i te (”\ t\ t e l s e \n ” ) ;
f smTrans i t ion (3 , tokens [ 6 ] , f out ) ;
fout . wr i te (”\ t\ tend i f ;\n ” ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” cond i t i ona lEqua l sS i gna l In t ”) )
{
Str ing s i g = tokens [ 3 ] . subs t r ing ( 1 ) ;
fout . wr i te (” i f ” + s i g + ” = ” +
75
tokens [ 4 ] + ” then\n ” ) ;
f smTrans i t ion (3 , tokens [ 5 ] , f out ) ;
fout . wr i te (”\ t\ t e l s e \n ” ) ;
f smTrans i t ion (3 , tokens [ 6 ] , f out ) ;
fout . wr i te (”\ t\ tend i f ;\n ” ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” cond i t i ona lGr ea t e rS i gna lS i gna l ”) )
{
Str ing s i g = tokens [ 3 ] . subs t r ing ( 1 ) ;
S t r ing otherS ig =
tokens [ 4 ] . subs t r ing ( 1 ) ;
fout . wr i te (” i f ” + s i g + ” > ” +
otherS ig + ” then\n ” ) ;
f smTrans i t ion (3 , tokens [ 5 ] , f out ) ;
fout . wr i te (”\ t\ t e l s e \n ” ) ;
f smTrans i t ion (3 , tokens [ 6 ] , f out ) ;
fout . wr i te (”\ t\ tend i f ;\n ” ) ;
}
e l s e i f
( tokens [ 2 ] . equa l s (” c ond i t i o na lL e s s e r S i gna l I n t ”) )
{
Str ing s i g = tokens [ 3 ] . subs t r ing ( 1 ) ;
fout . wr i te (” i f ” + s i g + ” < ” +
tokens [ 4 ] + ” then\n ” ) ;
f smTrans i t ion (3 , tokens [ 5 ] , f out ) ;
fout . wr i te (”\ t\ t e l s e \n ” ) ;
f smTrans i t ion (3 , tokens [ 6 ] , f out ) ;
fout . wr i te (”\ t\ tend i f ;\n ” ) ;
}
e l s e
{
throw new Exception (” (2 ) Unprocessable
l i n e : ’” + l i n e + ” ’ ” ) ;
}
}
e l s e
{
throw new Exception (” (1 ) Unprocessable l i n e : ’”
+ l i n e + ” ’ ” ) ;
}
}
catch ( Exception e )
{
System . out . p r i n t l n (” Parse Error on l i n e ’” + l i n e +





∗ Set the s i z e f o r a s i gna l , which can then be r e t r i e v ed us ing
getS igna lValue
∗ @param signalName the name of the s i gna l , with the Qid requ i r ed ’
∗ @param s i z e the s i z e o f the a s s o c i a t ed s i g n a l
∗ @throws Exception i f the s i g n a l a l ready has a s i z e s e t
∗/
pr i va t e s t a t i c void s e t S i g n a l S i z e ( St r ing signalName , i n t s i z e ) throws
Exception
{
i f ( signalToSizeMap . get ( signalName ) != nu l l )
throw new Exception (” S igna l ’” + signalName + ” ’
a l ready has i t s s i z e s e t . ” ) ;
signalToSizeMap . put ( signalName , s i z e ) ;
}
/∗∗
∗ Get the s i z e o f s i gna l , p r ev i ou s l y s e t with s e t S i g n a l S i z e
∗ @param signalName the name of the s i g n a l we want the s i z e of , with
the Qid−neces sary ’
∗ @return the s i z e o f the s i g n a l
∗ @throws Exception i f the s i gna l ’ s s i z e was not p r ev i ou s l y s e t with
s e t S i g n a l S i z e
∗/
pr i va t e s t a t i c i n t g e tS i gna l S i z e ( St r ing signalName ) throws Exception
{
In t ege r i = signalToSizeMap . get ( signalName ) ;
i f ( i == nu l l )
throw new Exception (” S igna l ’” + signalName + ” ’ does
not have a s e t s i z e . ” ) ;
76





[1] Markus Adhiwiyogo. Virtex-4 clocking resources. www.xilinx.com/ publications/ xcellonline/
xcell 52/ xc v4xesium52.htm, 2005.
[2] Jidan Al-Eryani. Opencores.org: Floating point unit. www.opencores.org.uk/ projects.cgi/
web/ fpu100/, 2006.
[3] Karl J. Astrom and Bjorn Wittenmark. Computer-controlled systems: theory and design (2nd
ed.). Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1990.
[4] A. Avizienis and L. Chen. On the implementation of n-version programming for software fault
tolerance during program execution. In COMPSAC 77, pages 149–155, 1977.
[5] Susan S. Brilliant, John C. Knight, and Nancy G. Leveson. Analysis of faults in an n-version
software experiment. IEEE Trans. Softw. Eng., 16(2):238–247, 1990.
[6] Manuel Clavel, Francisco Dura´n, Steven Eker, Patrick Lincoln, Narciso Mart´ı-Oliet, Jose´
Meseguer, and Carolyn L. Talcott, editors. All About Maude - A High-Performance Logical
Framework, How to Specify, Program and Verify Systems in Rewriting Logic, volume 4350 of
Lecture Notes in Computer Science. Springer, 2007.
[7] Tanya L. Crenshaw, Elsa Gunter, C. L. Robinson, Lui Sha, and P. R. Kumar. The simplex
reference model: Limiting fault-propagation due to unreliable components in cyber-physical
system architectures. In RTSS ’07: Proceedings of the 28th IEEE International Real-Time
Systems Symposium, pages 400–412, Washington, DC, USA, 2007. IEEE Computer Society.
[8] Software Engineering Institute. The simplex distributed pilot study. www.sei.cmu.edu/ sim-
plex/ demonstrations/ distributed.html, 1999.
[9] John C. Knight and Nancy G. Leveson. An experimental evaluation of the assumption of
independence in multiversion programming. Software Engineering, 12(1):96–109, 1986.
[10] J. Liu and P. D. Ayers. Off-road vehicle rollover and field testing of stability index. ASABE
1999, 1999.
[11] R. E. Lyons and W. Vanderkulk. The use of triple-modular redundancy to improve computer
reliability. IBM Research and Development, 6:200–209, 1962.
[12] K. Morris. Fpgas in space. FPGA and Programmable Logic Journal, August 2004.
[13] Qhull. Qhull. www.qhull.org/, 1995.
[14] Raj Rajkumar. Linux/ rk. www.cs.cmu.edu/ rajkumar/ linux-rk.html, 2008.
[15] Brian Randell. The evolution of the recovery block concept. In Lyu, editor, Software Fault
Tolerance, chapter 1, pages 1–21. 1995.
[16] W. S. Reid. Safety in perspective, for autonomous off road equipment. ASABE 2004, 2004.
78
[17] Boston Scientific. Pacemaker system specifcation. sqrl.mcmaster.ca/ SQRLDocuments/
PACEMAKER.pdf, 2007.
[18] Danbing Seto, Enrique Ferreira, and Theodore F. Marz. Case study: Development of a base-
line controller for automatic landing of an f-16 aircraft using linear matrix inequalities (lmis).
Technical Report Cmu/ sei-99-Tr-020.
[19] Lui Sha. Dependable system upgrade. In RTSS ’98: Proceedings of the IEEE Real-Time
Systems Symposium, page 440, Washington, DC, USA, 1998. IEEE Computer Society.
[20] Lui Sha. Using simplicity to control complexity. IEEE Softw., 18(4):20–28, 2001.
[21] Lui Sha, R. Rajkumar, and M. Gagliardi. Evolving dependable real-time systems. In 1996
IEEE Aerospace Applications Conference. Proceedings, pages 335–46, Aspen, CO, 3–10 1996.
IEEE New York, NY, USA.
[22] Gaurav Shah, Andres Molina, and Matt Blaze. Keyboards and covert channels. In USENIX-
SS’06: Proceedings of the 15th conference on USENIX Security Symposium, Berkeley, CA, USA,
2006. USENIX Association.
[23] John G. Webster, editor. Design of cardiac pacemakers. IEEE Press, Piscataway, NJ, 1995.
ecow.engr.wisc.edu/ cgi-bin/ get/ bme/ 762/ webster/ designofca/.
[24] Y.C. Yeh. Triple-triple redundant 777 primary flight computer. Aerospace Applications Con-
ference, 1996. Proceedings., 1996 IEEE, 1:293–307 vol.1, Feb 1996.
[25] YouTube. Ortega demo - 4:35. www.youtube.com/ watch?v=-r1siUQpyik, 2009.
79
