Methods for the Development of Distributed Real-Time Embedded Systems using VDM by Wolf S et al.
  
COMPUTING 
SCIENCE 
Methods for the Development of Distributed 
Real-Time Embedded Systems using VDM 
 
 
Peter Gorm Larsen, John Fitzgerald, Sune Wolff 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
TECHNICAL REPORT SERIES 
 
No. CS-TR-1164 August 2009 
TECHNICAL REPORT SERIES 
              
 
No. CS-TR-1163  August, 2009 
 
 
Methods for the Development of Distributed Real-Time Embedded 
Systems using VDM 
 
Peter Gorm Larsen, Aarhus School of Engineering, Denmark 
John Fitzgerald, School of Computing Science, Newcastle University, UK 
Sune Wolff, Aarhus School of Engineering, Denmark 
 
 
Abstract 
 
 
The development of distributed real-time embedded systems presents a significant practical challenge 
both because of the complexity of distributed computation and because of the need to rapidly assess a 
wide variety of design alternatives in early stages when requirements are often volatile. Formal 
methods can address some of these challenges but are often thought to require greater initial investment 
and longer development cycles than is desirable for the development of non-critical systems in highly 
competitive markets. In this paper we propose an approach that takes advantage of formal modelling 
and analysis technology in a lightweight way, making significant use of readily available tools. We 
describe an incremental approach in which detail is progressively added to abstract system-level 
specifications of functional and timing properties via intermediate models that express system 
architecture, concurrency and distribution. The approach is illustrated using a model of a home 
automation system. The models are expressed using the Vienna Development Method (VDM) and are 
validated primarily by scenario-based tests. 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
© 2009 University of Newcastle upon Tyne. 
Printed and published by the University of Newcastle upon Tyne, 
Computing Science, Claremont Tower, Claremont Road, 
Newcastle upon Tyne, NE1 7RU, England. 
Bibliographical details 
 
WOLF, S., FITZGERALD, J., GORM LARSEN, P. 
 
Methods for the Development of Distributed Real-Time Embedded Systems using VDM  
[By] S Wolf, J Fitzgerald, P Gorm Larsen 
 
Newcastle upon Tyne: University of Newcastle upon Tyne: Computing Science, 2009. 
 
(University of Newcastle upon Tyne, Computing Science, Technical Report Series, No. CS-TR-1163) 
 
Added entries 
 
UNIVERSITY OF NEWCASTLE UPON TYNE 
Computing Science. Technical Report Series.  CS-TR-1163 
 
 
Abstract 
 
The development of distributed real-time embedded systems presents a significant practical challenge both 
because of the complexity of distributed computation and because of the need to rapidly assess a wide variety of 
design alternatives in early stages when requirements are often volatile. Formal methods can address some of these 
challenges but are often thought to require greater initial investment and longer development cycles than is 
desirable for the development of non-critical systems in highly competitive markets. In this paper we propose an 
approach that takes advantage of formal modelling and analysis technology in a lightweight way, making 
significant use of readily available tools. We describe an incremental approach in which detail is progressively 
added to abstract system-level specifications of functional and timing properties via intermediate models that 
express system architecture, concurrency and distribution. The approach is illustrated using a model of a home 
automation system. The models are expressed using the Vienna Development Method (VDM) and are validated 
primarily by scenario-based tests. 
 
About the author 
 
John Fitzgerald is a specialist in the engineering of dependable computing systems, particularly in rigorous 
analysis and design tools. His research concerns the use of formal methods, especially machine-assisted proof, to 
analyse models of systems in the early stages of development. He is perhaps most closely associated with the 
Vienna Development Method (VDM). A particular area of interest is predictable dynamic resilience: the design of 
systems which reconfigure in response to threats. John is currently on secondment to the Deploy project, leading 
its work package on Achieving and Demonstrating Dependability through the deployment of formal methods in 
five major industry sectors. He also started the work on resilience-explicit computing in the ReSIST European 
Network of Excellence on Resilience in Information Society technologies.  
 
John took his PhD (in modularity and formal proof) at Manchester University, before joining the newly-formed 
BAESYSTEMS Dependable Computing Systems Centre at Newcastle, where he developed specification and 
design techniques for real-time avionic systems. He went on to study the potential for industrial application of 
formal modelling (specifically, VDM and its support tools) as an EPSRC Fellow and later as a Lecturer at 
Newcastle. He returned to the University in 2003, having established design and validation activities at Transitive, 
a successful new SME in the embedded processor market. He has led several EU and industry-supported research 
projects in the communications, aircraft, software and power sectors. John has worked as a visiting scholar at 
institutes in Denmark, Japan and Poland and serves on several international program committees. He is Chairman 
of Formal Methods Europe, the main European body bringing together researchers and practitioners in rigorous 
methods of systems development. He is a member of the BCS, the ACM and the IEEE Computer Society. He is a 
member the Committee of the BCS Special Interest group on Formal Aspects of Computing (BCS-FACS).  
 
 
Peter Gorm Larsen is Professor of Computer Technology and Embedded Systems at The Engineering College of 
Aarhus, Denmark. He also works as an independent consultant. 
 
Peter is an authority on system modelling, and particularly the Vienna Development Method. Alongside research 
on VDM’s foundations, he has pioneered the development of industrial-strength tool support for model-oriented 
specification languages, latterly heading the group that developed what are now the CSK VDM Tools(R)products. 
He has developed and delivered many courses in applicable formal methods. He was co-author with John 
Fitzgerald of "Modelling Systems: Practical Tools and Techniques in Software Development" and continues to 
collaborate closely, for example on object-oriented design using formal techniques. Until recently, he was Chief 
Business Solution Architect with Systematic Software Engineering A/S, a leading software development company 
based at Aarhus in Denmark.  
 
 
Suggested keywords 
REAL TIME, DEVELOPMENT, EMBEDDED SYSTEMS 
 
 
 
 
 
Methods for the Development of Distributed
Real-Time Embedded Systems using VDM
Peter Gorm Larsen, Aarhus School of Engineering, Denmark
John Fitzgerald, School of Computing Science, Newcastle University, UK
Sune Wolff, Aarhus School of Engineering, Denmark
August 14, 2009
Abstract
The development of distributed real-time embedded systems presents a signifi-
cant practical challenge both because of the complexity of distributed computation
and because of the need to rapidly assess a wide variety of design alternatives in
early stages when requirements are often volatile. Formal methods can address
some of these challenges but are often thought to require greater initial investment
and longer development cycles than is desirable for the development of non-critical
systems in highly competitive markets. In this paper we propose an approach that
takes advantage of formal modelling and analysis technology in a lightweight way,
making significant use of readily available tools. We describe an incremental ap-
proach in which detail is progressively added to abstract system-level specifica-
tions of functional and timing properties via intermediate models that express sys-
tem architecture, concurrency and distribution. The approach is illustrated using a
model of a home automation system. The models are expressed using the Vienna
Development Method (VDM) and are validated primarily by scenario-based tests.
1 Introduction
The development of distributed embedded systems presents a considerable challenge.
Designs for such systems are typically complex because of the need to address timing,
concurrency and distribution aspects in addition to functionality. This complexity hin-
ders the validation of designs and the exploration of alternatives. As a consequence
design errors can prove expensive to correct if not detected early. The problem is made
worse by the characteristics of the embedded systems business, in which sound design
decisions have to be made early and rapidly in order to achieve a short time to market.
Formal models have a potentially valuable role to play in managing the complex-
ity of embedded systems design. Rapid feedback from the machine-assisted analy-
sis of such models has the potential to reduce the risk of expensive re-working as a
consequence of the late detection of defects. However, models that incorporate the
description of functionality alongside timing behaviour and distribution across shared
1
computing resources are themselves potentially complex. Moving too rapidly to such
a complex model can increase modelling and design costs in the long run.
While there are many formal notations for the representation of distributed and
real-time systems, guides to practical methods for model construction and analysis
are essential if these approaches are to be deployed successfully in industrial settings.
Such methods should be incremental, allowing the staged introduction of detail. They
should also allow the decomposition of the validation task by permitting tool-supported
analysis of the models produced at each stage. They should use tools that maximise
the value gained in return for sustainable levels of investment in training as well as in
creating and analysing formal models.
In this paper we propose a pragmatic and tool-supported method for the stepwise
development of models of distributed embedded systems. At each step in our method,
we develop a model that considers an additional aspect of the design problem, such as
distribution or concurrency. Formal notations provide explicit support for these aspects,
and tools provide an analytic capability based on static analysis and systematic testing
of models at each stage. Our approach uses and extends the Vienna Development
Method (VDM) [1, 2, 3, 4] and its tools (VDMTOOLS [5] and Overture [6]). In recent
work we have extended VDM with modelling abstractions and test-based analysis tools
that support the object-oriented description of distributed real-time systems [7, 8, 9].
This paper extends previous work by providing a comprehensive description of the
method of model derivation and forms a contribution to the methodological guidelines
accompanying VDMTOOLS [10].
VDM technology is briefly introduced in Section 2. Section 3 presents our ap-
proach to the development of formal models of distributed real-time systems. Sec-
tions 4 to 7 describe the models constructed at each phase in the development, inter-
leaved with examples drawn from a case study development of a “home automation”
system. Section 8 describes validation techniques and tools. Finally, Sections 9 and 10
discuss related work, draw conclusions from the study and identify further work. Ap-
pendix A provides the full distributed real-time design model for the case study.
2 VDM Modelling Languages and Tool Support
VDM is a well-established formal method [11] based on a group of formal modelling
languages that share a large common core, and which are each specialised for mod-
elling different classes of system. The common core is based on the VDM Specifi-
cation Language (VDM-SL) [3], standardised by ISO [12, 13], which provides facili-
ties for the functional specification of sequential systems. The principal extensions of
VDM-SL are VDM++ [4], which adds features for object-oriented modelling and con-
currency, and VICE (VDM++ In Constrained Environments) [14, 7, 15], which adds
features for describing real-time computations and distributed systems. In the remain-
der of this section, we focus on the features of VDM modelling languages necessary
for the models shown in the paper. For more detailed information, the reader is referred
to the texts cited above and to the VDM Portal [16].
2
2.1 VDM Notations
Models in VDM are based on data type definitions built from simple abstract types
such as bool, nat and char and type constructors that allow user-defined product
and union types and collection types such as (finite) sets, sequences and mappings.
Type membership may be restricted by predicate invariants. Persistent state is defined
by means of typed variables, again restricted by invariants. Operations that may modify
the state can be defined implicitly, using pre- and post-condition predicates, or explic-
itly, using imperative statements. Such operations denote relations between inputs and
pre-states and outputs and post-states, allowing for nondeterminism. Functions are
defined in a similar way to operations, but may not refer to state variables and are
deterministic.
Object-oriented models in VDM (using the VDM++ extensions) are composed of
class specifications which may be linked by single or multiple inheritance. Each ob-
ject’s persistent state consists of typed instance variables. Operations are re-entrant
and their invocation is defined with synchronous (rendezvous) semantics. Operation
execution may be constrained by permission predicates [17], which are Boolean ex-
pressions over instance variables. If a permission predicate evaluates to false on
an operation call, the call is blocked until the predicate becomes true again. Such
predicates can make use of history counters that, for each object, count the number
of requests, activations and completions per operation. A shorthand mutex permis-
sion predicate allows the user to specify mutual exclusion between the executions of
specified operations.
In object-oriented VDM models, classes may be active or passive. The instances
of an active class have their own threads of control; instances of passive classes are
always manipulated from threads of control of objects belonging to active classes. A
thread executes a sequence of statements. Each thread is created whenever the object
that houses it is created but the thread needs to be started explicitly using a start
statement. Each thread terminates when the statement in the body of the thread com-
pletes execution. It is also possible to specify threads that do not terminate, and this
feature is valuable in modelling reactive systems. Concurrent access to data is managed
explicitly by the objects encapsulating the shared variables.
The VICE extensions to VDM support the description and analysis of real-time
and distributed systems. They include primitives for modelling deployment over a dis-
tributed hardware architecture and support for asynchronous communication. Within
a special system class, the modeller can specify computation resources (CPUs) con-
nected in a communication topology by buses. Two predefined classes, CPU and BUS
allow scheduling and performance characteristics of CPUs and buses to be readily ex-
pressed.
The semantics of VDM have been extended with a notion of time so that any thread
running on a computation resource or any message in transit on a communication re-
source can cause time to elapse. Each construct in the modelling language has a default
time associated with it, which can be changed by the user if desired.
Operations may be specified as asynchronous, allowing the caller to resume its
own thread after the call is initiated. A new thread is created, automatically started and
scheduled to execute the body of the asynchronous operation. Special (duration
3
and cycles) statements may be used in operation bodies to specify time delays that
are independent of or dependent upon processor capacity. The time delay incurred by
a message transfer over a bus can be made dependent on the size of the message being
transferred and on the bandwidth of the bus.
2.2 Semantics and Validation Techniques
The core VDM specification language has formally defined denotational semantics [12,
18], a proof theory [19, 20, 21] and rules for formal refinement [2]. Operational seman-
tics have been defined [22] as part of the effort to develop an interpreter for the exe-
cutable subset of VDM. These semantic definitions are themselves given in VDM and
the language extensions to support object-orientation, concurrency, real-time and dis-
tribution have all been specified in VDM in the same way. This also includes constructs
supporting loose specification [23] and operational semantics for features supporting
real-time and distributed systems [7, 24, 25].
The availability of formal semantics makes it possible to conduct a wide range of
analyses on VDM models. We use the term Integrity Checking to refer to the generation
and discharging of proof obligations [26, 27]. Proof obligations are logical conjectures
that are to be proven if a model is to be regarded as well-formed and consistent. In
broad terms, this means that there exists at least one semantically correct model. Auto-
mated proof support is being developed for discharging proof obligations [28, 29, 30].
A high priority guiding development of VDM in the last two decades has been
take-up of the technology by industry (see Section 2.4 below). The perceived high bar-
rier to the initial use of proof and model-checking technology has led to a relatively
greater emphasis being placed on validation through testing. As a result, validation has
mostly been through testing of executable models, and there is considerable method-
ological and tool support for this approach. Model validation in VDMTOOLS is mainly
supported by an interpreter allowing the execution of models written in the large exe-
cutable subset of the language. Scenarios defined by the user are essentially test cases
consisting of scripts invoking the model’s functionality. The interpreter executes the
script over the model and returns observable results as well as an execution trace con-
taining, for each event, a time stamp and an indication of the part of the model in which
it appeared.
2.3 VDM Tool Support
VDM is supported by an industry-strength tool set VDMTOOLS owned and developed
by CSK Systems [5, 31] and derived from the former IFAD VDM-SL Toolbox [32].
The tools offer syntax checking, type checking and proof obligation generation capa-
bilities, code generators, a pretty printer, a CORBA-based Application Programming
Interface (API) and links to external tools for UML modelling to support round-trip
engineering. It is worth noting that the development of VDMTOOLS has itself been
done using VDM [33].
The Overture project [6] is developing an open source Eclipse extension that is
designed to provide a common interface to all available tools for VDM, covering all
dialects [34] and to include proof support [30, 27]. The showtrace plug-in (illustrated
4
in Section 8.2) has been developed to allow execution traces to be displayed graphi-
cally so that the user can readily inspect behaviour after the execution of a scenario,
and thereby gain insight into the ordering and timing of message exchange, thread ac-
tivation and operation invocation. A new project on “Design Support and Tooling for
Embedded Control Software” (DESTECS) [35] will add co-simulation to the platform,
allowing models of the physical environment, based on continuous time, to be analysed
alongside discrete event models of controllers in VDM.
2.4 Industrial Use of VDM
Successful industry use has been a major driver behind the development of methods
and tools for VDM in the past fifteen years, influencing the development of tool sup-
port [36]. Over that period, several of the non-secret projects have been particularly
significant. The ConForm study at British Aerospace [37, 38] and the Dust-Expert
project carried out by Adelard in the UK [39, 40] strongly suggested that benefits
could be gained from early-stage abstract modelling using a tool-supported formal-
ism, even with only testing available as an analytic tool. More recent applications
have used the object-oriented extensions, notably the key components of the TradeOne
back-office system developed by CSK systems for the Japanese stock exchange [4] and
the development of an operating system for an integrated circuit for cellular telephone
applications by Sony [41, 42]. A common factor in many VDM applications has been
the use of formal models as a way of gaining rapid early feedback on requirements and
designs. The goal of providing such useful feedback during the development of embed-
ded systems has motivated the methodological work reported here. Our concentration
on validation through testing has been motivated by the desire to maintain a low barrier
to entry-level use [43].
3 An Incremental Approach to Model Construction
As indicated in Section 1, the goal of our work is a method for developing formal
models of distributed real-time systems that is incremental and allows tool-supported
validation of the models produced at each stage. We propose a stepwise approach [10]
which exploits the capabilities of each of the VDM modelling language extensions
described in Section 2. Our approach aims to assist the management of complexity
by enabling the developer to consider a different facet of the modelled system at each
stage. The steps themselves are as follows:
1. System Boundary Definition
2. Sequential Design Modelling
3. Concurrent Design Modelling
4. Distributed Real-time Design Modelling
5
Figure 1: Overview of Models Produced
In the design of embedded systems, a key early decision is the drawing of the
boundary between the environment, which consists of elements that can not be con-
trolled by the designer, and the controller that is to be developed. In particular, this
allows the developer to state assumptions about environment behaviour and the guar-
antees that describe the correct operation of the controller in a valid environment. The
first stage of our method involves making the system boundary, assumptions and guar-
antees explicit. Such an explicit abstract description can be given informally or using
both formal and informal elements side by side. It may also be given purely formally,
often using domain-specific notations, though we will not illustrate that aspect in this
paper. Support for modelling and analysis using more realistic environment models is
the subject of current research [35].
Based on this abstract description, an object-oriented architecture is introduced,
creating a sequential model with structure expressed using the features of VDM++.
Consideration of the synchronisation of concurrent activities is deferred in order to
focus on functional aspects. In the next stage, this sequential model is extended to
encompass concurrency and thread synchronisation (still using the VDM++ language,
which includes concurrency modelling features). Subsequently, the concurrent design
model may be extended with real-time information using the VICE extensions. Finally,
distribution over a distributed embedded architecture can be described, using the VICE
extensions. At this stage it may prove necessary to revisit the concurrent design model,
since design decisions made at that stage may prove to be infeasible when real-time
information is added to the model (for instance, the model may not be able to meet its
deadlines). From the concurrent and distributed real-time VDM++ design model an
implementation may subsequently be developed. Testing of the final implementation
and the various design-oriented models may be able to exploit the more abstract models
as a test oracle. Note that the approach suggested here enables continuous validation
of the models if these are written in executable subsets of the different VDM dialects.
Figure 1 gives an overview of the relationships between the products in our pro-
posed method. The downward arrows indicate the primary flow of information when-
6
ever a phase has been completed whereas the upward arrows show iteration that might
follow the detection of modelling errors in the validation of the model produced at
each stage. Note that this is not intended as a process model, but rather a rational struc-
ture for the relationships between the models produced. Internal iterations, and even
iterations between models, are likely to occur in practice.
We do not claim that the models introduced at each stage in our approach are neces-
sarily formal refinements of their predecessors. Our intended output is a comprehensive
model of the target system that can serve as a basis for subsequent development, pos-
sibly using refinement. We are therefore introducing detail in a staged manner, where
the executions at each level might, informally, be seen as providing a finer level of
granularity than its predecessor.
In the following sections, we step through each stage in our approach, identify-
ing the features peculiar to each type of model and the typical structures of models
produced. As a running illustration, we present a case study on environment control
in the home [44] used in the Danish Enterprise and Construction Authority’s project
“Minimum Configuration - Home Automation” [45]. Working from the perspective of
the domestic user, the project’s goal was to create a platform incorporating the range
of domestic IT technologies, in order to improve the usability of these products. In
Section 8, we describe the validation techniques that can be applied to models in the
example.
4 System Boundary Definition
As indicated in Section 3, defining the boundary between the environment and the en-
gineered system is an important step on the way to specifying the assumptions under
which the system operates and the guarantees that it offers when those assumptions
are satisfied. Given the explicit statement of these contracts, it should be possible to
formulate sound engineering arguments for the overall system having desirable prop-
erties.
4.1 System Requirements and Gurantees
There are many approaches to systematic requirements capture, and we do not pro-
pose a particular method here. However, past studies [37] and recent industry experi-
ence [41, 46] suggest that the development of a formal model can have a strong positive
effect on the identification of defects in requirements. We have provided rough guide-
lines on the extraction of “first pass” models from natural language requirements [3, 4]
but other more structured approaches exist, targeted at embedded systems. For ex-
ample, the approach of Hayes, Jackson and Jones [47] uses the expression of desired
system-level behaviour coupled with modelling the environment as a means of deduc-
ing the specifications of control systems. Such an approach provides ways of reaching
initial models that can be expressed using the formal notations that we consider here.
The assumptions made about the environment are key to the formulation of engi-
neering arguments. In order to derive precise statements of environmental assumptions,
7
the model developer must enter into dialogue with domain experts. The kind of envi-
ronment is likely to determine the formalism in which these assumptions can be most
naturally expressed. For example, if the assumptions have to do with a moving mechan-
ical device, it would most likely best be described in a formalism including differential
equations; if the assumptions are logical in nature it may be more natural to express it
in VDM.
The purpose of an initial model of the engineered system is to provide a basis for
the precise and accurate description of its functionality. In our approach, the focus is
on functionality rather than the static structure of a design or the dynamic architecture
of processors on which such a design might be implemented – those features are in-
troduced in the later models. At this stage in the modelling process, functional and
timing requirements can be captured. For the systems to which we have applied our
approach so far (e.g. [10, 9]), an appropriate initial model is usually structured around
one top-level function taking as input a sequence of events acting as stimuli on the
controller from its environment. The output will then be the trace of events generated
by the system.
4.2 Case Study: System Boundaries
Our aim in this case study is to provide a small example of the design models devel-
oped following our process, rather than to focus on the derivation of the problem de-
scription. We therefore give a short and informal description of the system boundary,
requirements and guarantees.
Home automation in its simplest form combines sensors measuring ambient char-
acteristics such as temperature and humidity with actuators that can have some indirect
effect on the same properties, for example by adjusting a thermostat, or opening or
closing a window. These nodes communicate with a central controller which adjusts
the actuators according to the sensed environment values.
In our case study, we will consider a single room with control unit and four interface
nodes: a temperature sensor, a temperature actuator, a humidity sensor and a humidity
actuator. The engineered system is to be the controller, sensors and actuators. The en-
vironment consists of the ambient characteristics of the room (temperature, humidity)
and the target temperature set by a human user.
We will assume that the temperature and humidity outside the room are lower than
those in the room so that the environment assumptions can be described as:
Temperature: When the thermostat setting changes, the room temperature responds
instantly. In addition, when the window is opened, the temperature is also low-
ered instantly.
Humidity: When the window is opened, the humidity drops instantly.
Target Temperature: For the purposes of this example, the target temperature is fixed.
The system delivers the following functionality: when a change is sensed in the envi-
ronment temperature and humidity variables, the system must take measures to counter
this change and regain the target temperature and humidity of the room. For space rea-
sons only extracts of the VDM models are shown in this article except for the final
8
Figure 2: Generic Class Diagram for Sequential Design of an Embedded System
VICE model that can be found in Appendix A. However all of the VDM models can
be found in full online at [16].
5 Sequential Design Modelling
The purpose of the sequential design model is to provide a description of the static
structure of the system under development in terms of classes, without making any
commitment to a specific architecture for the dynamic system. For the techniques of
class structure derivation, the reader is referred to a standard text such as [48]. In
general, we would expect data defined by composite record types in the basic system
model to appear as class definitions with instance variables corresponding to record
fields. Activities in the basic model that are functionally independent will typically be
encapsulated in separate classes in the sequential design. For an embedded system,
each kind of sensor and actuator will typically get its own class. We find that it is ad-
visable to add a World class that sets up and manages the interaction between objects
representing the environment and those representing the system under development. In
this section we consider the representation of such a class structure in VDM as well as
aspects that are specific to embedded systems.
9
5.1 Class Descriptions in VDM
Class diagrams in the Unified Modelling Language (UML) provide a convenient nota-
tion for the expression of object-oriented class structures. Tool support exists in both
VDMTOOLS and Overture [49], allowing class diagrams developed in a UML tool
to be translated into VDM class definitions with the same inheritance and association
structure. Consistency is maintained between the two views: a modification to either
the VDM or the UML is reflected in the other model. In fact these tools enable round-
trip engineering between a UML class diagram view of a system and a VDM textual
view.
Where possible, invariants on types and instance variables should be identified and
specified. Pre-conditions should be specified for all operations and functions that are
non-total, and post-conditions should be specified wherever appropriate, especially if
they provide a clear, distinct, representation of functionality that is not simply a restate-
ment of the expression in the function or operation body.
5.2 Typical Design Structure
Figure 2 illustrates a typical class structure for reactive embedded systems of the kind
covered by our method. We advocate the structural separation of the environment and
the technical system, shown here by the classes Environment and SystemName
respectively. A World class sets up instances of both environment and system and
manages the interaction between them, and so manages the execution of test scenarios
during validation.
The Environment should contain operations to provide input for the embed-
ded system (createSignal) and operations to receive feedback from the system
(handleEvent). In order to indicate when processing is finished locally an opera-
tion isFinished should be included in all environment and system classes that play
an active role in a scenario. The signature of isFinished will, in the sequential
model, typically yield a Boolean result, though this will not be the case in the con-
current and distributed models. For all the classes that need to conduct active tasks
this functionality is normally organised into Step operations that describe the func-
tionality that to be performed each time the instances of the class are scheduled to be
executed. For the Environment class it is also necessary to provide an operation
(showResult) that can show the result of running a given scenario. So extracts from
the Environment class looks like:
class Environment
types
-- Input file: TempIn, HumidIn, TimeIn
public inline = nat * nat * nat;
operations
CreateSignal: () ==> ()
CreateSignal() ==
10
if len inlines > 0
then (dcl curtime : nat := time;
let mk_(tempIn, humidIn, timeIn) = hd inlines
in
(if timeIn <= curtime
then (SetTemp(tempIn);
SetHumid(humidIn);
inlines := tl inlines;
)
)
else (ShowResults();
finished := true;
);
...
end Environment
In order to avoid passing object references around the system, we recommend
the use of public static instances from the World class and the overall system class
SystemName in order for them to be accessible throughout the model. This also in-
cludes a global discrete time notion: in the sequential model a basic Timer class is
appropriate, but in the concurrent model a stronger notion of time and synchronisation
is required (see Section 6 below).
Normally, we expect the flow of control in the sequential model to be steered from
the Environment. This is because most reactive systems are designed to respond
to stimuli by sending commands to the actuators to control the environment in the de-
sired fashion. However, there are exceptions to this where the system is intended to
react when a stimulus from the environment is absent; for example, a cardiac pace-
maker might be expected to produce a stimulus when a natural pulse is expected but
not detected. In such cases we recommend modelling the omission of the expected
stimuli by using special stimuli from the environment. At the sequential level this is
typically done using a loop until both the environment and the system are finished (us-
ing different isFinished operations). Inside the loop Step operations are used for
progressing time and passing control.
5.3 Case Study: Sequential Design Model
In this step, we construct the first design model in our development process. This
sequential model expresses core functionality of the system which remains constant
through the later models. Deciding on an initial class structure for the model is the first
step. The responsibility of each class is as follows:
Environment: In addition to the functionality described in Section 5.2, this class de-
fines instance variables envTemp and envHumid representing the temperature
and humidity of the room respectively. Operations are included to set, read, in-
crease and decrease these two instance variables.
Sensor: Instances of this superclass includes the instance variables and operations that
11
Figure 3: UML class diagram of the different home automation models
12
all sensors have in common, including an identifier, a sensor type (TempSensor
or HumidSensor) and the most recent measured value. Operations to get iden-
tifier and type, and to read the value, are also included in this class. The operation
Step does not contain the same functionality for all sensor types, so the defini-
tion of this operation is a responsibility of the subclasses.
TemperatureSensor: This subclass defines the functionality specific to temperature
sensors. The operation Step gets a new temperature reading from an instance
variable of the Environment class using the latter’s public operation ReadTemp:
public Step: () ==> ()
Step() ==
Value := World‘env.ReadTemp();
The use of this operation will be clearer when the host controller class is de-
scribed below.
HumidSensor: This subclass is very similar to the temperature sensor class. Only
the Step operation is different, reading the humidity from the Environment
class.
HostController: This class defines the central functionality of the controller. We
would normally expect there to be just one instance of the class. It contains
instance variables to represent the measured temperature and humidity as well
as the target temperature and humidity. It also has a collection containing all
the sensor and actuator nodes that are configured into the system (a NodeMap),
mapping the identifier of each node to its type. The class defines operations
AddNode and RemoveNode that maintain the mapping.
instance variable
NodeMap : map nat to NetworkTypes‘nodeType := {|->};
An instance of the HostController class will control the entire system, us-
ing the Step operation defined in the class as follows:
private Step: () ==> ()
Step() ==
(HA‘TempNode.Step();
HA‘HumidNode.Step();
UpdateValues();
Algorithm();
HA‘WinNode.Step();
HA‘ThermNode.Step();
);
First the Step operations of the two sensors are invoked to obtain the most re-
cent temperature and humidity readings. Following this, the host controller reads
all the values from the sensors using the UpdateValues operation which runs
through all the sensors in the NodeMap and calls ReadValue on these. Once
the host controller has read the most recent measurements, it runs its control
algorithm, given by the following explicit operation definition:
13
private Algorithm: () ==> ()
Algorithm() ==
(if (Humid > TargetHumid)
then (HA‘WinNode.SetCorrection(<OPEN>);
HA‘ThermNode.SetCorrection(<NONE>);
)
...
);
Inside the algorithm, the host controller tests whether the measures of tempera-
ture and humidity differ from the target values. If this is the case, the actuators
will be manipulated in order to correct this. Once all corrections have been made,
the host controller invokes the Step operations of the actuators to ensure that
the corrections just set will be carried out in the Environment.
Actuator: This superclass defines the instance variables and operations that are com-
mon to all actuators, including an identifier and a type, along with an instance
variable called Corr, which describes the desired correction state of the actu-
ator. A window can either be “open” or “closed” for example. The class also
includes operations to get the identifier, type and correction. Finally it contains
a Step operation, which, as with the Sensor class, is the responsibility of any
subclass.
Window: This subclass defines the type-specific functionality of window actuators.
Again, this functionality is provided by a Step operation:
private Step: () ==> ()
Step() ==
(if (GetCorr() = <OPEN>)
then (World‘env.DecHumid();
World‘env.DecTemp();
);
);
The operation tests the state of the instance variable Corr. If the window needs
to be open, the temperature and humidity in the room are decreased. Based on the
rules for manipulating temperature and humidity, the values of the environment
temperature and humidity are not changed if the window needs to be closed.
Thermostat: The Step operation defined in this class is somewhat different, mainly
because the thermostat has three possible states:
private Step: () ==> ()
Step() ==
(dcl tempCorr: NetworkTypes‘correction := GetCorr();
if tempCorr = <INC>
then World‘env.IncTemp()
elseif tempCorr = <DEC>
then World‘env.DecTemp();
14
);
First the correction state set by the host controller is read. If the thermostat needs
to increase or decrease the temperature, the environment temperature is increased
or decreased. If the correction state is set to “none” the Step operation does not
change the temperature of the environment.
Remaining Classes: The HA class (HomeAutomation) is the central system class, and
defines public static instances of all the components in the system. A World
object is used for testing purposes. Both of these classes have greater responsi-
bilities defined in the later models.
6 Concurrent Design Modelling
The objective in developing the concurrent VDM++ design model is to take the first
steps towards a particular dynamic architecture, deferring for the moment the complex-
ity introduced by real-time behaviour and distribution concerns.
6.1 Aspects of Concurrency: Threads, Communication and Syn-
chronisation
The first steps in developing a concurrent model are the identification of computations
that can be performed independently of one another and their separation into inde-
pendent threads. Often, this separation will be forced by hardware constraints and/or
pre-defined architectural requirements. While it is worthwhile identifying as many
independent threads as possible, this should be balanced against the complexity of un-
derstanding and validation. Syntactically such threads are expressed as VDM++ state-
ments written after a thread keyword. If a class is active (i.e. defines a thread) each
instance of the class then has its own instance of this thread which must be explicitly
started.
As threads are identified, it is necessary to specify the communication between
them in terms of both communication events and any necessary object sharing. Classes
that define objects that contain shared data are responsible for ensuring synchronised
access. Explicit synchronisation points may also be required to orchestrate the ordering
of events among threads or to ensure data freshness. Permission predicates and mutual
exclusion constraints (Section 2.1) can be defined for the operations in a class in a
special sync part of the class definition.
6.2 Typical Design Structure
The general structure of the sequential model (Figure 2) is typically retained for the
concurrent model. The main changes from the sequential model are as follows:
• Flow of control is no longer centrally managed in the Environment object,
but is distributed to all the active parties. As a result, the bodies of the Step
operations are typically turned into threads.
15
• Synchronisation between threads is specified using permission predicates and
mutex constraints.
• The signatures for the isFinished operations are changed so that no value is
returned. Instead, the Boolean expressions typically become permission pred-
icates. This is a way to block the threads requesting each operation until the
corresponding instance is indeed finished.
• It is recommended that the simple Timer class is replaced by a combination
of the standard TimeStamp class and the ClockTick class. TimeStamp
is a subclass of the WaitNotify class used in Java [50] in order to easily
synchronise the steps taken when the flow of control is distributed to multiple
threads. ClockTick is used to ensure lock-stepping between different concur-
rent threads. The use of these classes is illustrated below in the case study.
6.3 Case Study: Concurrent Design Model
When addressing the concurrency aspects of the home automation system, all processes
that need to run in parallel are turned into threads. Following this, all resources that are
needed by multiple threads must be identified so that access can be synchronised.
Identification of Threads: Instead of having the host controller invoke the Step op-
eration of the sensors and actuators, these processes run as parallel processes
in the concurrent model. Naturally, the host controller also runs in a separate
thread. In order to support the use of dynamic input, the Environment class
is also given its own thread. This way, the class can read input from a text file
and change the temperature and humidity in parallel with the running system.
Notion of Time: In order to simulate time in the concurrent model, three additional
classes are introduced: WaitNotify, TimeStamp and ClockTick as rec-
ommended. Below is an example of the Step operation of the temperature
sensor expressed as a thread:
thread(
while true do (
Value := World‘env.ReadTemp();
World‘timerRef.WaitRelative(10);
)
)
When the operation WaitRelative is called, the thread identifier is placed
in a WakeUpMap in the TimeStamp class, where it is mapped to the time at
which the thread is required to wake up. Using the definition above, the thread
runs periodically every 10 time units. The thread in the ClockTick class wakes
up every time unit, and invokes the operation NotifyAndIncTime, which
increments the global clock and checks the WakeUpMap to see if any threads
need to be awakened.
16
Shared Resources: It is essential that multiple threads can access shared resources
without corrupting the data. The main source of shared data is the Environment
class which contains the environment variables and the operations to manipulate
them. The sensor and actuator subclasses also have some shared resources. All
sensors contain a Value instance variable which is changed during thread exe-
cution within the sensor object and read from the host controller. Similarly the
actuators have the correction instance variable, which the host controller sets and
the classes themselves read during thread execution.
Synchronisation: In the Environment class several mutex assertions are used to
protect the temperature variable:
sync
mutex(IncTemp);
mutex(DecTemp);
mutex(SetTemp);
mutex(ReadTemp, IncTemp, DecTemp, SetTemp);
Similar mutex assertions are used for the humidity variable. The first three
mutex constraints require that all operations that change the value of the tem-
perature and humidity can only be called one at a time. This ensures that the
window and thermostat classes cannot call DecTemp at the same time. In ad-
dition, only one of the four types of operation: Inc, Dec, Set and Read can
be called at a time. This ensures that the window class can not call DecTemp
at the same time as the thermostat class calls IncTemp which could corrupt the
temperature data in the environment object.
Permission predicates provide a further means to ensure synchronisation, be-
cause an operation cannot be activated until the permission predicate is true. In
the Environment thread a permission predicate is used:
sync
per IsFinished => finished;
The instance variable finished is set to true once all the input has been read
into the system. This ensures that the model execution will not terminate before
all the input has been read.
7 Distributed Real-Time Design Modelling
The purpose of the distributed real-time design model is to add information on real
timing constraints, and to describe any allocation of system functionality to multiple
processors using the predefined BUS and CPU classes. Following a timing analysis, it
might be concluded that a proposed system architecture is in fact infeasible, necessi-
tating revision of the system architecture, redeployment of functionality to CPUs, or
modifications to the capabilities of the CPUs themselves. This enables the exploration
of properties of alternative system architectures in order to find potential bottlenecks.
17
7.1 Aspects of Real-Time and Distribution: Duration and Cycle
Statements and Task Switching Overhead
Where the designer has a priori knowledge of real-time characteristics of design ele-
ments, for example where off-the-shelf components are being reused, it is possible to
give precise estimates of fixed execution times via duration statements. The mod-
elling language also supports cycles statements, which can be used to give precise
estimates of execution time relative to a processor (in the form of the number of ex-
pected clock cycles). For example, when modelling a closed loop system, a duration
statement might be used to record the delay between sending a command to an actuator
and seeing its effect at a sensor.
Depending on the level of accuracy required, it may be worth elaborating the en-
vironment model at this stage. For example, rather than have a single environment
instance, several objects might be allocated to one or more processors.
The task switching overhead for the target real-time kernel should be ascertained
and then used to configure the task switching overhead in VDMTOOLS during execu-
tion of the model. Whenever there is a task switch between two tasks on a CPU, the
time is stepped forward by the task switching overhead time.
7.2 Typical Design Structure
In our approach, the general structure from Figure 2 is still recommended for the real-
time distributed model. The main changes from the concurrent model are as follows:
• The SystemName class is extended with additional instance variables for the
CPUs and buses in the system architecture. A class that is to define such a
deployment is identified by using a system rather than class keyword. The
class’ constructor then defines the actual allocation of static instance variables to
CPUs. In addition, the constructor can be used to define the priority of operations
on CPUs that operate a priority-based scheduling scheme.
• In most cases a common virtual CPU is used for all objects that are not a part
of a declared system class describing a deployment architecture. However, the
Environment class may also be a defined as a system in order to enforce
restrictions such as limiting the concurrent execution of environment functions.
• Deployment to processors allows the modeller to take advantage of potential
asynchrony where a calling operation need not wait for the called operation to
complete. Note that the user does not need to know where every instance is
deployed; the interpreter looks up the relevant deployment information (which
is concentrated in the system class and not spread about the model) before
passing calling parameters over the BUS to the relevant CPU.
• Some of the threads (typically those that previously had Step functionality) are
made periodic.
18
Figure 4: Period (p), jitter (j), delay (d) and offset (o)
• The explicit notion of time modelled at the concurrent level using the TimeStamp
class is removed. Now time is implicit and a keyword time is used to refer to
the current global time.
7.3 Case Study: Distributed Real-Time Design Model
In the home automation model, the syntax for periodic threads is changed because of
the use of the built-in time concept:
thread
-- period of thread (period, jitter, delay, offset)
periodic(500,0,0,0) (PeriodicOp)
public PeriodicOp: () ==> ()
PeriodicOp() ==
cycles(1E6)
Value := World‘env.ReadTemp();
The timing characteristics of a periodic thread are given by a 4-tuple (p, j, d, o): p
describes the period; j is the jitter, d is the minimum time between invocations of
PeriodicOp and o is the initial offset (see Figure 4).
Each time the period has elapsed the thread executes the PeriodicOp which in
the case of the temperature sensor invokes the ReadTemp operation. As can be seen
in the definition of PeriodicOp, it is also possible to specify how many CPU cycles
the operation will take to complete. This becomes significant in the allocation of the
thread to a CPU.
In modelling the distribution, the HA class is changed into a system type class.
The VDMTOOLS interpreter automatically creates an instance of the system hardware
architecture with its associated deployed artifacts when the model is interpreted, and
this is where the distribution of processes to CPUs is described. In addition to the public
static instances of the system components, the HA system contains instance variables
for CPUs and buses:
system HA
instance variables
cpu1 : CPU := new CPU(<FCFS>, 1E6); -- cpu for controller
19
cpu2 : CPU := new CPU(<FCFS>, 1E6); -- cpu for sensors
cpu3 : CPU := new CPU(<FCFS>, 1E6); -- cpu for actuators
-- bus connecting host controller and sensors
bus1 : BUS := new BUS(<FCFS>, 1E6, {cpu1, cpu2});
-- bus connecting host controller and actuators
bus2 : BUS := new BUS(<FCFS>, 1E6, {cpu1, cpu3});
The CPUs can be configured to operate in different ways, and run at different speeds. In
the example above, all CPUs use a ”First Come - First Served” scheduling mechanism
and can perform 1 million instructions per time unit. The buses can also be configured
and it is further necessary to specify which CPUs communicate over which bus. In
the system constructor, the different components of the system can be deployed to the
available CPUs:
public HA: () ==> HA
HA() ==
(cpu1.deploy(Host);
cpu2.deploy(TempNode);
cpu2.deploy(HumidNode);
cpu3.deploy(ThermNode);
cpu3.deploy(WinNode);
);
All these settings and configurations can be changed, in order to tweak the performance
of the system, and explore different distribution strategies and alternative system archi-
tectures.
8 Validation Technology
Validation takes place on each of the models produced through the process that we have
outlined. In this context we use the term validation conjecture for a logical expression
describing a property which is expected to hold in a VDM model. A systematic testing
approach [4] has been used to validate the models derived during the staged develop-
ment process. “Validation” in this context refers to the activity of gaining confidence
that the formal models developed are consistent with the requirements expressed in the
requirements document [9]. As indicated in Section 2.2, the tools for proof-based vali-
dation are not as advanced as those supporting model testing by execution. The initial
system model, which is typically expressed in the core VDM specification language,
can be validated by proof or by testing. VDMTOOLS automatically generates proof
obligations from the model and these may be discharged using theories of the basic
VDM logic and types [19, 21].
In order to facilitate validation of the model by domain experts who may be unfa-
miliar with the modelling notation itself, a graphical user interface can be connected
to the VDMTOOLS interpreter by means of the tools’ CORBA-based API. This allows
an external program to manage the GUI, reflecting the current state of the model back
to the expert user, who can then invoke operations to change the state, allowing the
20
execution of scenarios [51].
8.1 Test-based Validation
For unit testing it is possible to make use of VDMUnit [4] (inspired by the JUnit frame-
work from Java). In addition a combinatorial testing feature [52] has been developed
in the Overture context. This enables an automatic test in a fashion similar to model
checkers.
Initially, a full suite of unit and integration tests was made for the Sequential model,
ensuring that every part of the model was exercised and that the model reacted accord-
ing to the specified requirements.
In order to validate the Concurrent and Distributed Real-Time models, several
scenario-based tests were used. Consider the following example:
mk_(3000,[mk_(18,75,500),
mk_(22,85,1200),
mk_(25,80,2100),
...])
Here the first 3000 in the first field indicates the duration of the simulation. The other
field is a sequence of events, each shown as a tuple consisting of a temperature, a
humidity and a time at which the event is to occur. Using these scenarios as system
tests, the temperature and humidity in the Environmentwere altered, and the system
would subsequently make sure that the specified target temperature and humidity were
reached. During these system tests, several different distribution strategies were tried
out in order to fine-tune the system, and gain an overview of the price/performance
trade-off.
The Concurrent and Distributed Real-Time models should be executed using the
same scheduling policies that are likely to be available in the target processors. There
is not yet a formal static deadlock analysis for the concurrency part of VDM, so confi-
dence in deadlock freedom is limited by the comprehensiveness of the scenarios used
as test cases. A general guarantee of deadlock freedom cannot be constructed because
of the expressiveness of the permission predicates available in the language. However,
it is possible to introduce a sound but incomplete analysis adding to the existing proof
obligation analysis and this is planned for the future.
The test scenarios used on the Concurrent and Distributed Real-Time models could
also be used on the Sequential model. The only change needed would be in having
several invocations of the Step operations in the different classes, since the Sequential
model contains no threads.
8.2 Timing Analysis
An important part of validation is confirming timing behaviour at the CPU and system
levels. Execution of the model generates a timed trace that can be analysed, for example
to establish that no periodic threads miss their deadlines and that all real-time response
requirements are satisfied (all hard real-time deadlines are met in the scenarios used).
Here the Overture showtrace tool [8] is particularly useful. It provides:
21
Figure 5: Overview of the physical architecture
Figure 6: Overview execution on multiple CPUs
• A graphical overview of the physical architecture with the CPUs and the buses
as shown in Figure 5.
• An overview of the execution and communication between CPUs as shown in
Figure 6. The horizontal lines at the top represent the CPUs and the two lowest
ones represent the buses. Each event that has appeared gives rise to new time
listed at the bottom of the figure.
• A detailed overview of the instances at a single CPU as shown in Figure 7, show-
ing execution and communication. Here time is advanced from top to bottom and
the vertical lines represent the objects that are allocated to the given CPU so it is
possible to determine the time intervals over which objects are active.
It is also possible to formulate timing predicates over timed traces using a language
similar to Real Time Logic [53], visualising these directly using showtrace [54].
9 Related Work
Efforts are being made to support the incremental development of formal models, but
this approach has not so far been extended to model-oriented specifications of real-time
systems with explicit deployment. Work in SCTL/MUST [55] addresses the iterative
22
Figure 7: Detailed view of execution on a single CPU
production of early-stage models of real-time systems. As in our approach, valida-
tion by testing is supported and the model production process gives feedback to the
requirements scenarios. The Credo project [56] focuses on modelling and analysis of
evolutionary structures for distributed services and also includes formal models, in a
combination of Creol [57] and Reo [58], similar to those described here but so far
without considering deployment issues.
Related work has been done by Suhaib et al. [59] in proposing a method derived
from that of eXtreme Programming, in which “user stories” are expressed as LTL
formulae representing properties which are model-checked. On each iteration, new
user stories are addressed. The ordering of properties is significant for the practical
tractability of the analysis on each iteration. In the context of research on real-time
UML [60], a combination of UML and SDL with a rigorous semantic foundation has
been presented [61]. However, in this work the ability to carry out the validation is
more limited when deployment is considered. Burmester et al. [62] describe support
for an iterative development process for real-time system models in extended UML by
means of compositional model checking, and Uchitel et al. [63] address the incremental
development of message sequence charts, again model-checking the models developed
in each iteration.
In terms of the underlying formalism, VDM shares some features with other model-
oriented specification languages that allow the expression of functionality and tempo-
ral properties. The most similar examples include Timed RSL [64], Timed CSP with
Object-Z [65] and timed extensions to B [66]. The majority of these focus on support
for verification of design steps by model checking and proof rather than validation in
early development stages, and none deal explicitly with deployment. In the context
of UML, a strand of research on validation of system models using a real-time pro-
file [67, 68] proposes recording ‘duration constraints’ using observer state machines or
OCL-like expressions.
23
The work presented here does not claim to do any form of formal refinement but
we consider it possible to add a liberal notion of refinement such as those embodied
in the notions of retrenchment [69], refinement in Event-B [70], and flexible refine-
ment [71]. Again, the introduction of time and deployment are not yet explored in
these frameworks.
10 Concluding Remarks and Further Work
We have described a method for the construction of formal models of potentially com-
plex distributed real-time control systems. The models support validation of system
properties, including timing behaviour on a specific embedded and distributed system
architecture. Our approach is based on the staged introduction of detail into a se-
ries of extended VDM models derived from an initial abstract specification based on
initial requirements. Robust tools support validation, predominantly using scenario-
based testing at each stage. The method forms a part of the guidelines accompanying
VDMTOOLS and is intended for serious industry application. The underlying VDM
technology has been applied to significant studies in several industrial sectors [25].
Considering our methodology, we have not so far addressed the process of deriving
a specification of a system that is embedded in a real-world environment. Systematic
approaches such as that of Hayes, Jackson and Jones [47] are worth further investiga-
tion here, in that they can also lead to clearer initial separations of the controller under
development and the model of the environment [35].
We have so far only provided preliminary guidance on the outline structure of the
VDM models in our chain. There is potentially great value in developing model pat-
terns appropriate to embedded applications [72]. Such patterns have the potential to
aid model construction, and also to support validation by encouraging re-use of test
scenarios and, where appropriate, proofs. Since we use a staged approach, we expect
patterns to encompass several models from our chain [73].
Our approach has been very pragmatic because it is meant to be an aid to system
architects when they try to take informed decisions between alternative candidate sys-
tem architectures. Thus, we have not yet formalised the incremental addition of detail
that occurs in each of our model development steps. In particular, we would like to
drive useful proof obligations out of each of these steps. An examination of this issue
must treat atomicity in the abstract and sequential models (for example in handling the
maintenance of invariants).
The validation of execution traces does not replace formal verification. Neverthe-
less, when development resources, especially time, are short, rapid checking of valida-
tion conjectures offers a means of assessing key properties of the formal model. Once
conjectures have been defined and have been used to validate the execution of the model
(which also serves as a validation of the conjectures themselves), they can be used (with
event transformation) to validate log files generated by the final implementation of a
system. The validation framework discussed here might be extended to support the
evaluation of fault tolerance strategies at the architectural level. Co-simulation, com-
bining the interpreter executing a model of a controller with a continuous time simula-
tor, suggest that it is possible to model faults at the interface between the two without
24
polluting the models of either the controller or the environment process [74, 35].
Acknowledgments
We are grateful to the anonymous referees for their extremely valuable review com-
ments. In addition, we are grateful to many members of the VDM community for
their valuable contributions to the work reported in this paper, especially Nick Battle,
Shin Sahara and Marcel Verhoef. Fitzgerald’s work has been supported by the EU
Framework 7 project “Deploy” on industrial deployment of formal system engineering
methods and the EPSRC platform grant on Trustworthy Ambient Systems (TrAmS).
Larsen’s and Wolff’s work has been supported by the “Minimum Configuration – Home
Automation” project.
References
[1] D. Bjørner and C.B. Jones, editors. The Vienna Development Method: The Meta-
Language, volume 61 of Lecture Notes in Computer Science. Springer-Verlag,
1978.
[2] Cliff B. Jones. Systematic Software Development Using VDM. Prentice-Hall
International, Englewood Cliffs, New Jersey, second edition, 1990. ISBN 0-13-
880733-7.
[3] John Fitzgerald and Peter Gorm Larsen. Modelling Systems – Practical Tools
and Techniques in Software Development. Cambridge University Press, Second
edition, 2009. ISBN 0-521-62348-0.
[4] John Fitzgerald, Peter Gorm Larsen, Paul Mukherjee, Nico Plat, and Marcel Ver-
hoef. Validated Designs for Object–oriented Systems. Springer, New York, 2005.
[5] John Fitzgerald, Peter Gorm Larsen, and Shin Sahara. VDMTools: Advances in
Support for Formal Modeling in VDM. Sigplan Notices, 43(2):3–11, February
2008.
[6] Overture-Core-Team. Overture Web site. http://www.overturetool.org, 2007.
[7] Marcel Verhoef, Peter Gorm Larsen, and Jozef Hooman. Modeling and Validat-
ing Distributed Embedded Real-Time Systems with VDM++. In Jayadev Misra,
Tobias Nipkow, and Emil Sekerinski, editors, FM 2006: Formal Methods, pages
147–162. Lecture Notes in Computer Science 4085, 2006.
[8] J. S. Fitzgerald, P. G. Larsen, S. Tjell, and M. Verhoef. Validation Support for
Real-Time Embedded Systems in VDM++. In Bojan Cukic and Jing Dong, edi-
tors, Proc. HASE 2007: 10th IEEE High Assurance Systems Engineering Sympo-
sium, pages 331–340. IEEE, November 2007.
[9] Hugo Daniel Macedo, Peter Gorm Larsen, and John Fitzgerald. Incremental De-
velopment of a Distributed Real-Time Model of a Cardiac Pacing System using
25
VDM. In Jorge Cuellar, Tom Maibaum, and Kaisa Sere, editors, FM 2008: For-
mal Methods, 15th International Symposium on Formal Methods, volume 5014
of Lecture Notes in Computer Science, pages 181–197. Springer-Verlag, 2008.
[10] CSK. Development Guidelines for Real Time Systems using VDMTools. Tech-
nical report, CSK Systems, 2008.
[11] J. S. Fitzgerald and P. G. Larsen and M. Verhoef. Vienna Development Method.
Wiley Encyclopedia of Computer Science and Engineering, 2008. edited by Ben-
jamin Wah, John Wiley & Sons, Inc.
[12] Information technology – Programming languages, their environments and sys-
tem software interfaces – Vienna Development Method – Specification Language
– Part 1: Base language, December 1996.
[13] Nico Plat and Peter Gorm Larsen. An Overview of the ISO/VDM-SL Standard.
Sigplan Notices, 27(8):76–82, August 1992.
[14] Paul Mukherjee, Fabien Bousquet, Je´roˆme Delabre, Stephen Paynter, and Pe-
ter Gorm Larsen. Exploring Timing Properties Using VDM++ on an Industrial
Application. In J.C. Bicarregui and J.S. Fitzgerald, editors, Proceedings of the
Second VDM Workshop, September 2000. Available at www.vdmportal.org.
[15] Marcel Verhoef and Peter Gorm Larsen. Interpreting Distributed System Archi-
tectures Using VDM++ – A Case Study. In Brian Sauser and Gerrit Muller,
editors, 5th Annual Conference on Systems Engineering Research, March 2007.
Available at http://www.stevens.edu/engineering/cser/.
[16] The VDM Portal. http://www.vdmportal.org, 2007.
[17] Kevin Lano. Logic Specification of Reactive and Real-time Systems. Journal of
Logic and Computation, 8(5):679–711, 1998.
[18] Peter Gorm Larsen and Wiesław Pawłowski. The Formal Semantics of ISO
VDM-SL. “Computer Standards and Interfaces”, 17(5–6):585–602, September
1995.
[19] Juan Bicarregui, John Fitzgerald, Peter Lindsay, Richard Moore, and Brian
Ritchie. Proof in VDM: A Practitioner’s Guide. FACIT. Springer-Verlag, 1994.
ISBN 3-540-19813-X.
[20] Peter Gorm Larsen. Towards Proof Rules for VDM-SL. PhD thesis, Techni-
cal University of Denmark, Department of Computer Science, March 1995. ID-
TR:1995-160.
[21] J. S. Fitzgerald. The Typed Logic of Partial Functions and the Vienna Develop-
ment Method. In D. Bjørner and M. C. Henson, editors, Logics of Specification
Languages, EATCS Monographs in Theoretical Computer Science, pages 427–
461. Springer, 2007.
26
[22] Peter Gorm Larsen and Poul Bøgh Lassen. An Executable Subset of Meta-IV
with Loose Specification. In VDM ’91: Formal Software Development Methods.
VDM Europe, Springer-Verlag, March 1991.
[23] Peter Gorm Larsen and Bo Stig Hansen. Semantics for underdetermined expres-
sions. Formal Aspects of Computing, 8(1):47–66, January 1996.
[24] Jozef Hooman and Marcel Verhoef. Formal Semantics of a VDM Extension for
Distributed Embedded Systems. To appear, 2008.
[25] Marcel Verhoef. Modeling and Validating Distributed Embedded Real-Time Con-
trol Systems. PhD thesis, Radboud University Nijmegen, 2008. ISBN 978-90-
9023705-3.
[26] Bernhard K. Aichernig and Peter Gorm Larsen. A Proof Obligation Genera-
tor for VDM-SL. In John S. Fitzgerald, Cliff B. Jones, and Peter Lucas, edi-
tors, FME’97: Industrial Applications and Strengthened Foundations of Formal
Methods (Proc. 4th Intl. Symposium of Formal Methods Europe, Graz, Austria,
September 1997), volume 1313 of Lecture Notes in Computer Science, pages
338–357. Springer-Verlag, September 1997. ISBN 3-540-63533-5.
[27] Augusto Ribeiro. An Extended Proof Obligation Generator for VDM++/OML.
Master’s thesis, Minho University with exchange to Engineering College of
Arhus, July 2008.
[28] S. Agerholm. Translating specifications in VDM-SL to PVS. In J. von Wright,
J. Grundy, and J. Harrison, editors, Proceedings of the 9th International Confer-
ence on Theorem Proving in Higher Order Logics (TPHOLs’96), volume 1125 of
Lecture Notes of Computer Science. Springer-Verlag, 1996.
[29] Sten Agerholm and Jacob Frost. Towards an integrated case and theorem prov-
ing tool for vdm-sl. In John Fitzgerald, Cliff B. Jones, and Peter Lucas, edi-
tors, FME’97: Industrial Applications and Strengthened Foundations of Formal
Methods (Proc. 4th Intl. Symposium of Formal Methods Europe, Graz, Austria,
September 1997), volume 1313 of Lecture Notes in Computer Science, pages
278–297. Springer-Verlag, September 1997. ISBN 3-540-63533-5.
[30] Sander Vermolen. Automatically Discharging VDM Proof Obligations using
HOL. Master’s thesis, Radboud University Nijmegen, Computer Science De-
partment, August 2007.
[31] CSK. VDMTools homepage. http://www.vdmtools.jp/en/, 2007.
[32] Rene´ Elmstrøm, Peter Gorm Larsen, and Poul Bøgh Lassen. The IFAD VDM-SL
Toolbox: A Practical Approach to Formal Specifications. ACM Sigplan Notices,
29(9):77–80, September 1994.
[33] Peter Gorm Larsen. Ten Years of Historical Development: “Bootstrapping”
VDMTools. Journal of Universal Computer Science, 7(8):692–709, 2001.
27
[34] David Holst Møller and Christian Rane Paysen Thillermann. Using Eclipse for
Exploring an Integration Architecture for VDM. Master’s thesis, Aarhus Univer-
sity/Engineering College of Aarhus, June 2009.
[35] DESTECS (Design Support and Tooling for Embedded Control Software). Euro-
pean Research Project, June 2009. http://destecs.org.
[36] J. S. Fitzgerald and P. G. Larsen. Triumphs and Challenges for the Industrial Ap-
plication of Model-Oriented Formal Methods. In T. Margaria, A. Philippou, and
B. Steffen, editors, Proc. 2nd Intl. Symp. on Leveraging Applications of Formal
Methods, Verification and Validation (ISoLA 2007), 2007.
[37] Peter Gorm Larsen, John Fitzgerald, and Tom Brookes. Applying Formal Speci-
fication in Industry. IEEE Software, 13(3):48–56, May 1996.
[38] T.M. Brookes, J.S. Fitzgerald, and P.G. Larsen. Formal and Informal Specifica-
tions of a secure System Component: Final Results in a Comparative Study. In
Marie-Claude Gaudel and Jim Woodcock, editors, FME’96: Industrial Benefit
and Advances in Formal Methods, pages 214–227. Springer-Verlag, March 1996.
[39] Tim Clement, Ian Cottam, Peter Froome, and Claire Jones. The Development of
a Commercial “Shrink-Wrapped Application” to Safety Integrity Level 2: the
DUST-EXPERT Story. In Safecomp’99, Toulouse, France, September 1999.
Springer Verlag. LNCS 1698, ISBN 3-540-66488-2.
[40] Sunil Vadera, F. Meziane, and M. Huang. Experience with mural in formalising
dust-expert. Information and Software Technology, 43:231–240, 2001.
[41] Taro Kurita, Miki Chiba, and Yasumasa Nakatsugawa. Application of a For-
mal Specification Language in the Development of the “Mobile FeliCa” IC Chip
Firmware for Embedding in Mobile Phone. In J. Cuellar, T. Maibaum, and
K. Sere, editors, FM 2008: Formal Methods, Lecture Notes in Computer Sci-
ence, pages 425–429. Springer-Verlag, May 2008.
[42] T. Kurita and Y. Nakatsugawa. The application of vdm++ to the development
of firmware for a smart card ic chip. Intl. Journal of Software and Informatics,
3(2-3), October 2009.
[43] Fuyuki Ishikawa, Kenji Taguchi, and Shinichi Honiden. How Top-Level Engi-
neers Learn and Investigate VDM: Experiences in the Top SE Project. November
2009. The 7th Overture workshop at FM’09.
[44] Sune Wolff. Universal Multiprotocol Home Automation Framework. Master’s
thesis, Aarhus University/Engineering College of Aarhus, December 2008.
[45] Sune Wolff, Peter Gorm Larsen, Kenneth Lausdahl, Augusto Ribeiro, and
Thomas Skjødeberg Toftegaard. Facilitating Home Automation Through Wire-
less Protocol Interoperability. In Submitted for publication, June 2009.
28
[46] P.G. Larsen and J. S. Fitzgerald. Recent Industrial Applications of Formal Meth-
ods in Japan. In P. Boca and J. P. Bowen, editors, Proc. BCS-FACS Workshop on
Formal Methods in Industry. British Computer Society, 2008.
[47] C. B. Jones, I. J. Hayes, and M. Jackson. Deriving Specifications for Systems That
Are Connected to the Physical World. In Formal Methods and Hybrid Real-Time
Systems, volume 4700 of Lecture Notes in Computer Science. Springer-Verlag,
2007.
[48] Bruce Powel Douglass. Doing Hard Time – Developing Real-Time Systems with
UML Objects, Frameworks, and Patterns. Addison-Wesley, 1999. ISBN 0-201-
49837-5.
[49] Kenneth Lausdahl, Hans Kristian Agerlund Lintrup, and Peter Gorm Larsen.
Connecting UML and VDM++ with Open Tool Support. In Formal Methods
09, November 2009.
[50] Guy Steele James Gosling, Bill Joy and Gilad Bracha. The Java Language Spec-
ification, Second Edition. The Java Series. Addison Wesley, 2000.
[51] Sten Agerholm and Peter Gorm Larsen. Modeling and Validating SAFER
in VDM-SL. In Michael Holloway, editor, Fourth NASA Langley For-
mal Methods Workshop. NASA, September 1997. Available from http://atb-
www.larc.nasa.gov/Lfm97/proceedings/.
[52] Peter Gorm Larsen, Kenneth Lausdahl, and Nick Battle. Combinatorial Testing
for VDM++. In Submitted for publication, July 2009.
[53] F. Jahanian and A.K. Mok. Modechart: A Specification Language for Real-Time
Systems. IEEE Transactions on Software Engineering, 20(12):933–947, Decem-
ber 1994.
[54] John Fitzgerald, Peter Gorm Larsen, Simon Tjell, and Marcel Verhoef. Validation
Support for Distributed Real-Time Embedded Systems in VDM++. Technical
Report CS-TR:1017, School of Computing Science, Newcastle University, April
2007.
[55] Ana Ferna´ndez Vilas, Jose´ J. Pazos Arias, Rebeca P. Diaz Redondo, and
A. Bele´n Barraga´ns Martinez. Formalizing Incremental Design in Real-time
Area: SCTL/MUS-T. In Proceedings of the 26 th Annual International Com-
puter Software and Applications Conference (COMPSAC’02). IEEE, 2002.
[56] Frank de Boer. CREDO: Modeling and Analysis of Evolutionary Structures for
Distributed Services, 2007. http://www.cwi.nl/projects/credo/.
[57] Einar Broch Johnsen and Olaf Owe. An Asynchronous Communication Model
for Distributed Concurrent Objects. Software and Systems Modeling, 6(1):39–58,
March 2007.
29
[58] Farhad Arbab. Reo: a Channel-Based Coordination Model for Component Com-
position. Mathematical Structures in Computer Science, 14(3):329–366, 2004.
[59] Syed M. Suhaib, Deepak A. Mathaikutty, Sandeep K. Shukla, and David Berner.
XFM: An Incremental Methodology for Developing Formal Models. ACM Trans-
actions on Design Automation of Electronic Systems, 10(4):589–609, October
2005.
[60] Bruce Powel Douglass. Real Time UML – Advances in the UML for Real-Time
Systems. Addison-Wesley, third edition, 2004.
[61] Gjalt de Jong. A UML-Based Design Methodology for Real-Time and Embedded
Systems. In Proceedings of the 2002 Design, Automation and Test in Europe
Conference and Exhibition (DATE.02). IEEE, 2002.
[62] Sven Burmester, Holger Giese, Martin Hirsch, and Daniela Schilling. Incre-
mental Design and Formal Verification with UML/RT in the FUJABA Real-Time
Tool Suite. In Proceedings of the International Workshop on Specification and
validation of UML models for Real Time and embedded Systems, SVERTS2004.
UML2004, 2004.
[63] Sebastian Uchitel, Jeff Kramer, and Jeff Magee. Incremental Elaboration of
Scenario-Based Specifications and Behavior Models Using Implied Scenarios.
ACM Transactions on Software Engineering and Methodology, 13(1):37–85, Jan-
uary 2004.
[64] C. George and X. Yong. An Operational Semantics for Timed RAISE. Tech-
nical Report 149, United Nations University Intl. Inst. for Software Technology,
November 1998.
[65] J. Derrick. Timed CSP and Object-Z. In D. Bert, J. Bowen, S. King, and
M. Walden, editors, ZB2003: Formal Specification and Development in Z and
B, volume 2651 of Lecture Notes in Computer Science. Springer-Verlag, June
2003.
[66] M. Rached, J. P. Bodeveix, M. Filali, and O. Nasr. A Timed B Method for Mod-
elling Real Time Reactive Systems. In Proc. 2nd. South-East European Work-
shop on Formal Methods, pages 181–195. South East European Research Centre
(SEERC), 2006.
[67] I. Ober, S. Graf, and I. Ober. Validating Timed UML Models by Simulation and
Verification. Software Tools for Technology Transfer, 8(2):128–145, 2006.
[68] S. Graf and J. Hooman. Correct Development of Embedded Systems. In Proc.
European Workshop on Software Architecture; Languages, Styles, Models, Tools
and Applications (EWSA 2004), co-located with ICSE 2004, pages 241–249.
Springer-Verlag, 2004.
30
[69] R. Banach and M. Poppleton. Retrenchment, Refinement and Simulation. In ZB
2000: Formal Specification and Development in Z and B, volume 1878 of Lecture
Notes in Computer Science. Springer-Verlag, 2000.
[70] Jean-Raymond Abrial. Modeling in Event-B: System and Software Engineering.
Cambridge University Press, 2009. To appear. See also http://www.event-b.org.
[71] Steve Reeves and David Streader. General Refinement, Part Two: Flexible Re-
finement. Electronic Notes in Theoretical Computer Science, 214:309–329, 1008.
[72] Sune Wolff. Formalising Concurrent and Distributed Design Patterns with VDM.
November 2009. The 7th Overture workshop at FM’09.
[73] A. Iliasov. Refinement Patterns for Rapid Development of Dependable Systems.
In EFTS ’07: Proceedings of the 2007 Workshop on Engineering Fault Tolerant
Systems. ACM, 2007.
[74] Z. H. Andrews, J. S. Fitzgerald, and M. Verhoef. Resilience Modelling through
Discrete Event and Continuous Time Co-Simulation. In Proc. 37th Annual
IFIP/IEEE Intl. Conf. on Dependable Systems and Networks (Supp. Volume),
pages 350–351. IEEE Computer Society, June 2007.
31
A The Distributed Real-Time Design Home Automa-
tion Model
This appendix contains the full model of the distributed real-time design for the home
automation case study used in this article.
A.1 The Home Automation System
system HA
instance variables
-- cpu for host controller
cpu1 : CPU := new CPU(<FCFS>, 1E9);
-- cpu for sensors
cpu2 : CPU := new CPU(<FCFS>, 1E6);
-- cpu for actuators
cpu3 : CPU := new CPU(<FCFS>, 1E6);
cpu4 : CPU := new CPU(<FCFS>, 1E6);
-- bus connecting host controller and sensors
bus1 : BUS := new BUS(<FCFS>, 1E3, {cpu1, cpu2, cpu3, cpu4 });
public static Host : HostController
:= new HostController(20, 75);
public static TempNode : TemperatureSensor
:= new TemperatureSensor(1, <TEMPSENSOR>, 0);
public static HumidNode : HumidSensor
:= new HumidSensor(2, <HUMIDSENSOR>, 0);
public static ThermNode : Thermostat
:= new Thermostat(3, <THERMOSTAT>);
public static WinNode : Window
:= new Window(4, <WINDOW>);
operations
public HA: () ==> HA
HA() ==
(cpu1.deploy(Host);
cpu2.deploy(TempNode);
cpu2.deploy(HumidNode);
cpu3.deploy(ThermNode);
cpu4.deploy(WinNode);
);
32
end HA
A.2 The World Class
class World
instance variables
public static env : [Environment] := nil;
operations
public World: () ==> World
World() ==
(env := new Environment("scenario.txt");
HA‘Host.AddNode(HA‘TempNode.GetID(),HA‘TempNode.GetType());
HA‘Host.AddNode(HA‘HumidNode.GetID(),HA‘HumidNode.GetType());
HA‘Host.AddNode(HA‘ThermNode.GetID(),HA‘ThermNode.GetType());
HA‘Host.AddNode(HA‘WinNode.GetID(),HA‘WinNode.GetType());
start(HA‘TempNode);
start(HA‘HumidNode);
start(HA‘ThermNode);
start(HA‘WinNode);
start(HA‘Host);
);
public Run: () ==> ()
Run() ==
(-- start environment creating input
start(env);
-- wait til environment has finished creating input
env.IsFinished();
);
end World
A.3 The Environment Class
class Environment
instance variables
io : IO := new IO();
inlines : seq of inline := [];
outlines : seq of outline := [];
simtime : nat;
33
finished : bool := false;
envTemp : nat := 0;
envHumid : nat := 0;
inv envTemp >= 0;
inv envHumid >= 0;
types
-- Input file: TempIn, HumidIn, TimeIn
public inline = nat * nat * nat;
-- Output: Time, TempValue, HumidValue
public outline = nat * nat * nat;
operations
public Environment: seq of char ==> Environment
Environment(fname) ==
let mk_(-,mk_(t,input)) =
io.freadval[nat * seq of inline](fname)
in
(inlines := input;
simtime := t;
envTemp := 20;
envHumid := 75;
);
pre fname <> []
post inlines <> [] and simtime > 0;
CreateSignal: () ==> ()
CreateSignal() ==
if len inlines > 0
then (dcl curtime : nat := time;
let mk_(tempIn, humidIn, timeIn) = hd inlines
in
(if timeIn <= curtime
then (SetTemp(tempIn);
SetHumid(humidIn);
inlines := tl inlines;
)
)
else (ShowResults();
finished := true;
);
ShowResults: () ==> ()
ShowResults() ==
34
def - = io.writeval[seq of outline](outlines) in skip;
public HandleEvent: nat * nat * nat ==> ()
HandleEvent(curTime, TempValue, HumidValue) ==
outlines := outlines ˆ [mk_(curTime, TempValue, HumidValue)];
public SetTemp: nat ==> ()
SetTemp(t) ==
envTemp := t;
public SetHumid: nat ==> ()
SetHumid(h) ==
envHumid := h;
public ReadTemp: () ==> nat
ReadTemp() ==
return envTemp;
public IncTemp: () ==> ()
IncTemp() ==
envTemp := envTemp + 1;
public DecTemp: () ==> ()
DecTemp() ==
envTemp := envTemp - 1;
public ReadHumid: () ==> nat
ReadHumid() ==
return envHumid;
public IncHumid: () ==> ()
IncHumid() ==
envHumid := envHumid + 1;
public DecHumid: () ==> ()
DecHumid() ==
envHumid := envHumid - 1;
public IsFinished: () ==> ()
IsFinished() ==
skip;
sync
mutex(IncTemp);
mutex(DecTemp);
35
mutex(SetTemp);
mutex(ReadTemp, IncTemp, DecTemp, SetTemp);
mutex(IncHumid);
mutex(DecHumid);
mutex(SetHumid);
mutex(ReadHumid, IncHumid, DecHumid, SetHumid);
per IsFinished => finished;
thread
-- period of thread (period, jitter, delay, offset)
periodic(1000,0,0,0) (CreateSignal)
end Environment
A.4 The Host Controller Class
class HostController
instance variables
finished : bool := false;
print : bool := true;
TargetTemp : nat;
Temp : nat := 0;
TargetHumid : nat;
Humid : nat := 0;
NodeMap : map nat to NetworkTypes‘nodeType := { |-> };
operations
public HostController: nat * nat ==> HostController
HostController(t, h) ==
(TargetTemp := t;
TargetHumid := h;
);
public UpdateValues: () ==> ()
UpdateValues() ==
cycles(1E9)
(for all r in set rng NodeMap do
(if (r = <HUMIDSENSOR>)
then Humid := HA‘HumidNode.ReadValue();
if (r = <TEMPSENSOR>)
then Temp := HA‘TempNode.ReadValue();
);
36
);
public GetTemp: () ==> nat
GetTemp() ==
return Temp;
public GetHumid: () ==> nat
GetHumid() ==
return Humid;
private Algorithm: () ==> ()
Algorithm() ==
(if (Humid > TargetHumid)
then (HA‘WinNode.SetCorrection(<OPEN>);
HA‘ThermNode.SetCorrection(<NONE>);
print := true;
)
elseif (Temp > TargetTemp)
then (HA‘WinNode.SetCorrection(<CLOSE>);
HA‘ThermNode.SetCorrection(<DEC>);
print := true;
)
elseif (Temp < TargetTemp)
then (HA‘WinNode.SetCorrection(<CLOSE>);
HA‘ThermNode.SetCorrection(<INC>);
print := true;
)
else (HA‘WinNode.SetCorrection(<CLOSE>);
HA‘ThermNode.SetCorrection(<NONE>);
if print
then (World‘env.HandleEvent(time, Temp, Humid);
printStr("Target values reached");
let - = new IO().writeval[nat](time)
in skip;
);
print := false;
);
);
private printStr: seq of char ==> ()
printStr(str) ==
(print := false;
let - = new IO().echo(str)
in skip;
);
37
public AddNode: nat * NetworkTypes‘nodeType ==> ()
AddNode(id, type) ==
NodeList := NodeList ++ {id |-> type}
pre id not in set dom NodeList
post card(dom NodeList) = card(dom NodeList˜) + 1;
public RemoveNode: nat * NetworkTypes‘nodeType ==> ()
RemoveNode(id, type) ==
if (NodeList(id) = type)
then NodeList := {id} <-: NodeList
pre id in set dom NodeList
post card(dom NodeList) = card(dom NodeList˜) - 1;
private PeriodicOp: () ==> ()
PeriodicOp() ==
(UpdateValues();
Algorithm();
);
public IsFinished: () ==> ()
IsFinished() ==
skip;
sync
per IsFinished => finished;
per printStr => print;
thread
-- period of thread (period, jitter, delay, offset)
periodic(400,0,0,0) (PeriodicOp)
end HostController
A.5 The Sensor Class
class Sensor
instance variables
protected ID : nat;
protected Type : NetworkTypes‘nodeType;
protected Value : nat;
operations
38
public GetID: () ==> nat
GetID() ==
return ID;
public GetType: () ==> NetworkTypes‘nodeType
GetType() ==
return Type;
public ReadValue: () ==> nat
ReadValue() ==
cycles (1E3)
return Value;
public Step: () ==> ()
Step() ==
is subclass responsibility
end Sensor
A.6 The Temperature Sensor Class
class TemperatureSensor is subclass of Sensor
instance variables
finished : bool := false;
operations
public TemperatureSensor: nat * NetworkTypes‘nodeType * nat
==> TemperatureSensor
TemperatureSensor (id, type, val) ==
(ID := id;
Type := type;
Value := val;
);
public PeriodicOp: () ==> ()
PeriodicOp() ==
cycles(1E6)
Value := World‘env.ReadTemp();
public IsFinished: () ==> ()
IsFinished() ==
skip;
39
sync
per IsFinished => finished;
thread
-- period of thread (period, jitter, delay, offset)
periodic(400,0,0,0) (PeriodicOp)
end TemperatureSensor
A.7 The Humidity Sensor Class
class HumidSensor is subclass of Sensor
instance variables
finished : bool := false;
operations
public HumidSensor: nat * NetworkTypes‘nodeType * nat
==> HumidSensor
HumidSensor (id, type, val) ==
(ID := id;
Type := type;
Value := val;
);
public PeriodicOp: () ==> ()
PeriodicOp () ==
cycles(1E6)
Value := World‘env.ReadHumid();
public IsFinished: () ==> ()
IsFinished() ==
skip;
sync
per IsFinished => finished;
thread
-- period of thread (period, jitter, delay, offset)
40
periodic(400,0,0,0) (PeriodicOp)
end HumidSensor
A.8 The Actuator Class
class Actuator
instance variables
protected ID : nat;
protected Type : NetworkTypes‘nodeType;
protected Corr : NetworkTypes‘correction;
operations
public GetID: () ==> nat
GetID() ==
return ID;
public GetType: () ==> NetworkTypes‘nodeType
GetType() ==
return Type;
public Step: () ==> ()
Step() ==
is subclass responsibility
end Actuator
A.9 The Thermostat Class
class Thermostat is subclass of Actuator
instance variables
finished : bool := false;
operations
public Thermostat: nat * NetworkTypes‘nodeType ==> Thermostat
Thermostat (id, type) ==
(ID := id;
Type := type;
Corr := <NONE>;
);
41
private PeriodicOp: () ==> ()
PeriodicOp() ==
cycles(1E9)
(dcl tempCorr: NetworkTypes‘correction := GetCorrection();
if (tempCorr = <INC>)
then World‘env.IncTemp()
elseif (tempCorr = <DEC>)
then World‘env.DecTemp();
);
async public SetCorrection: NetworkTypes‘correction ==> ()
SetCorrection(cor) ==
cycles(1E9)
Corr := cor
pre (cor = <INC>) or (cor = <DEC>) or (cor = <NONE>);
public GetCorrection: () ==> NetworkTypes‘correction
GetCorrection() ==
return Corr;
public IsFinished: () ==> ()
IsFinished() ==
skip;
sync
per IsFinished => finished;
mutex(SetCorrection, GetCorrection);
thread
-- period of thread (period, jitter, delay, offset)
periodic(1000,0,0,0) (PeriodicOp)
end Thermostat
A.10 The Window Class
class Window is subclass of Actuator
instance variables
finished : bool := false;
operations
42
public Window: nat * NetworkTypes‘nodeType ==> Window
Window (id, type) ==
(ID := id;
Type := type;
Corr := <CLOSE>;
);
private PeriodicOp: () ==> ()
PeriodicOp() ==
cycles(1E9)
(dcl tempCorr: NetworkTypes‘correction := GetCorrection();
if (tempCorr = <OPEN>)
then (World‘env.DecHumid();
World‘env.DecTemp();
);
);
async public SetCorrection: NetworkTypes‘correction ==> ()
SetCorrection(cor) ==
cycles(1E9)
Corr := cor
pre (cor = <OPEN>) or (cor = <CLOSE>);
public GetCorrection: () ==> NetworkTypes‘correction
GetCorrection() ==
return Corr;
public IsFinished: () ==> ()
IsFinished() ==
skip;
sync
per IsFinished => finished;
mutex(SetCorrection, GetCorrection);
thread
-- period of thread (period, jitter, delay, offset)
periodic(1000,0,0,0) (PeriodicOp)
end Window
43
A.11 The Network Types Class
class NetworkTypes
types
public nodeType = <TEMPSENSOR> | <HUMIDSENSOR> | <WINDOW> |
<THERMOSTAT> | <HOSTCONTROL> | <NONE>;
public correction = <INC> | <DEC> | <OPEN> | <CLOSE> | <NONE>;
end NetworkTypes
44
