Abstract: blob blob blob
Introduction
Digital computers are increasingly being used for software control of complex systems. Consequently more emphasis is being placed on the safety aspects of these computers and the constraints that they must work under. In recent literature this has given rise to the term safety-critical computing .
The purpose of this paper is to show parallel processing paradigms to be a mature solution to safety-critical computing systems, which can improve the reliability, safety, and performance of real-time control applications. The control community has embraced the flexibility and performance of parallel processing, for example transputers and occam , in a wide range of applications. Yet there still remains a significant need for the introduction of the formal theories which underpin these solutions. By utilising these formalisms, the control engineer can gain more confidence in the software developed A brief discussion of the application of parallel processing in real-time control leads into a short résumé of the various industry standards and their implications for control engineers. The paper concentrates on the formal techniques which are available to the software designer for the development of parallel control systems. A comprehensive review of the maturity and applicability of these techniques to the design of safe, parallel real-time systems is given. The emphasis will be on push button formal methods by considering the automated tools available to support the mathematics. This is considered as the only practical way of applying formal techniques [Aus-93].
Livelock and Deadlock are two examples of common design faults in parallel processing systems. These symptoms are caused by a lack of understanding of the behaviour of the systems by the engineers who build them, and are not the result of some "emergent behaviour" that appears by virtue of it being parallel. Once this myth has been dismissed, it becomes clear that what is needed is a set of tools and formalisms that aid understanding of parallel systems.
Good engineering practice has been acknowledged by Bennet [Ben-93] to be sadly lacking in software design. However, techniques for the construction of robust control applications have been demonstrated that do not require exhaustive formal proofs, such as the client-server communication model . We can increase the standards of our designs by using tools to enforce good engineering practice; these are techniques already available to us, but would benefit from consolidation into CASE technology. Secondly, we can build on this by adding hide-away formal mathematics in CASE technology, which allow rigorous checks and proofs to be made. Application of the second set of techniques would be much easier to achieve if the first set was imposed on the designer through CASE technology.
Parallel processing
Parallel processing offers the control engineer the high performance expected from modern real-time systems. It also offers the possibility of fault tolerance through redundant components. It is also argued that parallel processing offers new avenues for increasing the reliability and performance of control software (Figure 1.) .
Parallel processing invites a simpler design route. The world is an inherently parallel place and the decomposition of a parallel problem lends itself naturally to a parallel implementation, avoiding the complexity which evolves from forcing a sequential solution . Each parallel process is simple and self contained which aids analysis. Performance may be scaled by adding extra hardware instead of optimising the code, and this hardware also leads to increased reliability, introducing the possibility of fault tolerance through redundant hardware. These Performance versus reliability of safety systems.
properties of parallel systems constitute our main argument for the use of parallel solutions in control systems, and we be presented in detail in this paper.
Standards: The emerging trends
There are a wide variety of standards bodies throughout the world concerned with software development. It is to these standards systems designers will turn for guidance when choosing a method for developing their system. This section briefly outlines four of the plethora of standards. It is apparent that the standards authorities are moving towards certification as means of quality assurance. The implication being, that the control engineer must be aware of these standards and the techniques advocated in the standards. The standards presented are IEC 65A, ISO 9000, MOD 0055, and HSE-87; these give a taste of the range of application of current standards.
The ISO 9000 standard does not directly address safety-related computer control systems, but does provide a framework for applying quality assurance within software development. There is a strong belief within the industry that this should be one of the minimum requirements for any software development, and compliance with ISO 9000 is required by the IEC 65A standards for all levels of software development.
IEC 65A is a suite of standards that provides a classification of software integrity levelsfrom high risk to normal. At the normal level, ISO 9000 compliance is sufficient. High risk software requires a formal specification and application of correctness proofs. This standard explicitly mentions CCS, CSP, HOL, LOTOS, OBJ, Temporal Logic, VDM and Z as suitable methods.
The UK Health and Safety Executive (HSE) has produced its own set of guidelines for the design of safety-related computer systems, and suggests BS5750 (UK equivalent to ISO 9000) as a minimum requirement., but the central theme of the guidelines is diversity through a number of independent elements to provide sufficient redundancy to guard against failures.
UK defence standard 00-55 is based on the Ministry of Defence's procurement lifecycle. It specifies requirements for all safety-critical defence equipment. This is twinned with standard 00-56, which is aimed at a standardised approach for the whole system, including its interface with the environment. The standard extends to tools and support software used in developing, testing, certifying and maintaining safety-critical systems through all the phases of the software lifeycle. Formal specifications and proofs are required for all critical components.
Formal methods: The strong contenders
The standards prescribe formal methods but give no advice as to which to use. To comply to these standards formal methods will have to be adopted by the control engineer. This section will form the crux of the paper, introducing some of the more mature formal methods which are applicable in the parallel processing domain. For example, CSP, CCS, CSR, Petri nets and temporal logics are introduced together with their associated support tools, PAM, Concurrency Workbench and Design/CPN. Specific examples that are applicable to real-time, and parallel, control systems will be used.
Formal methods for parallel processing
Some key formalisms applicable to parallel processing are described. Emphasis will be placed on mature methods such as Communicating Sequential Processes (CSP), Calculus of Communicating Systems (CCS), Petri Nets, and Communicating Shared resources (CSR). Examples will be used to isolate some of the key issues which the designer will have to be aware of, and some of the classic solutions. For example, the proof of deadlock freedom is a complex problem particular to systems which exhibit concurrency.
Coloured Petri nets
Coloured Petri nets are an extension to Place/Transition nets and a refinement of Predicate/Transition nets which allows tokens to represent data values from a multiset or colour set. Resultant nets are generally smaller than the equivalent Place/Transition net, because similar parts of the net may be folded into one, and the distinction between parts of the net can be made by the identity of the tokens. Tokens can now represent complex data objects, the notion of a colour set is analogous to data typing in programming languages. The example Petri net in figure 3 demonstrates the main features of coloured Petri nets (the example is an extract from some multipriority scheduling model). A colour set Process has been defined which is a tuple of priority and state for some simple scheduling system. Expressions on the input arcs to the two transitions specify which values from the multisets of input places may move down the arcs. The backslash in the expression 1'(pri, state) is the multiset operator, in this case it states that just one instance of the tuple moves down the arc. Transition guards such as [pri>0] are Boolean expressions that guard the firing of a transition. A transition can only fire when the guard expression becomes true. Output arcs may contain arc functions which generate new token values. In this example, the function next() changes the value of a process's state. The modelling power of a Petri net is greatly increased with just these few simple features. Hierarchical coloured nets [Met-93] allows a logical decomposition of a system, and is the major step forward in the acceptance of Petri nets for modelling purposes.
Temporal extensions for real-time analysis
Equally important to the design of a real-time system, is the analysis of its temporal behaviour. The temporal extensions for the formalisms described in sections 4.1, will be described. In addition, temporal logics and weakest precondition analysis will also be introduced. It will be shown how these facilitate the construction of parallel real-time systems, showing how timing constraints, scheduling and worst case behaviour are analysed.
Adding time to a design is important for two reasons. Firstly, it allows quantitative statements to be made about real-time properties of the system. Secondly, this timewise refinement of the design removes some of the non-determinism of the untimed system. As a design becomes more deterministic, it becomes easier to understand. Provided that the design incorporates a faithful representation of actual program instruction timings and time constraints, it would appear sensible to add as many timing details as possible to the design. This assumes a design environment that can tell when design changes affect these timing properties. Welch suggests that "we can make no assumptions about the mechanisms of any multi-processing scheduler... Relying on such properties to verify the absence of deadlock is implementation dependent and, therefore, unsafe" However, Suonio et al put the point that it is worthwhile including implementation dependent information into the system model, because this stops the designer relying on implicit assumptions about the system, and all the required mechanisms are made explicit in some stage of the design [Suo-92].
Automated tools: The way forward
The potential for automation of some of these formalisms would reduce the requirement for the designer to be an expert in every detail of the method. This ensures the engineer can concentrate on the "control problem" involved. Automated tools which support some of the formalisms will be presented. For example, Figure 2 shows an example using a Petri net design tool called Design/CPN. A discussion will be made showing how these formal methods may be integrated into the design process, and the benefits gained from abstracting the mathematics behind a graphical veneer. Finally directions for future research and development in this area will be considered, for example the need for push button formal methods will be discussed.
Figure 2. A coloured Petri net tool.
Design/CPN is a commercial CASE tool that fully supports coloured Petri nets. The designer builds a model through a graphical interface and the tool automatically checks the syntax of the diagram. In this way, the designer can construct models without requiring detailed knowledge of the underlying net theory. Simulation of the net is possible, and this interaction with the model can be thought of as an executable specification, or even a route to rapid prototyping. Many of the features of the tool can be accessed through a functional programming language called ML, allowing extra facilities to be added very simply. Design/CPN adds two features to coloured Petri nets; time and hierarchical composition. A duration can be specified for any transition which causes a delay before firing can occur. Any output tokens inherit a timestamp value which is the current value of a monotonically increasing global clock. This model of time is simple but intuitive. Hierarchy is supported by having substitution transitions which are an abstraction of a more detailed net specified in a sub-net below. This allows for composition of the system in either a bottom-up or top-down manner.
Petri nets, process algebra and temporal logic have close associations, and the fact that the three can be highly integrated suggestst that a hierarchical Petri net model of a system is an ideal way of building understandable systems that are amenable to the rigorous design and analysis techniques demanded of safety-related systems.
Conclusions
Present and future standards will enforce the use of formal methods. As a consequence of this, control engineers must be competent in the use of formal reasoning. This paper will have shown, for the specific case of parallel processing, the implications of these standards and requirement for formal methods. A broad perspective on the skills the control engineer must master is presented by through a review of the maturer formalisms, and their associated problems and tools. To conclude, the only way these techniques can realistically be applied is by the introduction of automated tools into a well structured design environment. To this end, future research must be directed towards push-button formal methods [Cro-91].
Formal methods are succinct, can have fairly simple semantics and can describe parallel behaviour, time and safety properties. They allow us to reason about the behaviour of system and more fully understand it.
Use of formal methods and structured methods together -i.e. Design/CPN and StP. There is not yet a strong base of software engineers experienced in formal methods, so currently it would appear more practical to take an overall design in something like StP and take certain specifically safety-critical parts of the system and model their behaviour in a more formal manner, by someone competent in formal methods. says that "if you cannot write down a formal description of the system, then you do not understand it". He goes on to suggest that the time and effort in training engineers to understand and use formal methods (in this case Z) is no more than for a structured method such as SSADM or Yourdon. This should give us hope for a more widespread takeup of formal methods.
Standards require the use of formal methods. Rather than restricting us, these methods empower us with greater understanding of the system under study and provide a platform for rigorous analysis of the correctness of our designs. Formal methods that are graphical and intuitive , such as Petri nets, can be used proficiently be engineers with a minimum of training.
