Under consideration for publication in Formal Aspects of Computing The formal design of distributed controllers with dSL and Spin by Bram De Wachter et al.
Under consideration for publication in Formal Aspects of Computing
The formal design of distributed
controllers with dSL and Spin
Bram De Wachter1, Alexandre Genon1, Thierry Massart and C edric Meuter1
fbdewacht, agenon, tmassart, cmeuterg@ulb.ac.be,
Universit e Libre de Bruxelles,
Computer Science Department,
ULB CP212, boulevard du Triomphe, 1050 Bruxelles,
Belgium
Abstract. We study the formal verication of programs written in dSL, an extension of the standard
ST language used to program industrial controllers. It proposes a trade o between industrial and formal
verication worlds. The main advantage of dSL is to provide a transparent code distribution through low level
communication mechanisms. The behavior of the synthesized distributed system can therefore be formally
modeled, easily monitored and formally veried. The verication of a dSL program, realized with the Spin
tool, is eased by the denition of a lattice of models linked with a simulation relation preserving next-free
Ltl formulae. We show that, although dSL is an industrial programming language, it gives the possibility
to verify systems designed with it. We illustrate the benet of our approach with a simple control system of
two canal locks.
Keywords: Industrial process control, transparent code distribution, verication, Spin
1. Introduction
Industrial process control goes hand in hand with distributed systems. This is due to the physically dis-
tributed nature of the environment that is continuously controlled through various devices such as sensors
and actuators. Development of such distributed systems is a complicated task, even for experienced pro-
grammers. The burden of combining the physical complexity of the process, the communication schemes of
the distributed parts, the need to provide simple and fast control and the extreme reliability and robustness
requirements make the development of such systems hard.
To simplify the work of the distributed systems designer, classical solutions exist, (CORBA, DCOM, EJB,...).
They handle the communication aspects and allow the programmer to concentrate on the functional aspects
of the system. Unfortunately, these solutions are generally quite heavy, and the communications aspects are
not formally specied. These systems are also dicult to monitor because of their complexity.
In a previous work we introduced a solution to this problem in the form of the dSL language [DMM03]
which is a simple, imperative and event driven language. It is specically designed to program distributed
industrial control systems and is an extension of the standard ST language [BMS97] widely used in the
1 Work supported by the Region de Bruxelles Capitale, grant no. RBC-BR 227/3298.
Correspondence and oprint requests to: B. De Wachter, A. Genon, T. Massart and C. Meuter2 B. De Wachter, A. Genon, T. Massart and C. Meuter
industry to program such controllers. The main advantage of dSL is at the programming level: it provides a
transparent code distribution using low level communication mechanisms. Therefore, most of the time, the
dSL programmer can ignore all the communication aspects between controllers of the distributed system.
This automatic distribution mechanism is however not the subject of this paper. More details on that can
be found in [DMM03, WGM05].
In this paper, we study the problem of formally verifying systems designed with dSL. In order to do so, we
rst give the formal semantics of dSL in terms of state machines communicating through FIFO channels. We
show that although dSL is a high-level automatically distributed programming language, the behavior of the
synthesized system can still be formally modeled and easily monitored - which is an important concern for
these kind of systems. However, because of the distributed nature of dSL, one program may lead to several
dierent semantics, depending on the physical environment in which it will execute. Fortunately, the main
theoretical result of this paper shows the existence of a relation between all these semantics which can be
exploited during the verication.
On the practical side, we show how to translate dSL into Promela, the language used by the Spin model
checker, using this formal semantics. As a case study, we illustrate our approach on the design of a control
system of two canal locks.
The paper is organized as follows: First, in section 2, we detail related proposals and justify the relevance
of our solution. Then, in section 3, we give an informal introduction of the dSL language. Next, in section
4, we present the syntax and the formal semantics of a subset of the dSL language. In section 5, we discuss
the relation between the dierent distributions of a given dSL program and how it can be used during the
verication phase. Section 6 presents the translation of dSL to Promela. The case study, a locks controller
designed in dSL, is presented in section 7. Finally, some concluding remarks are given in section 8.
2. Motivations and other approaches
The problem of distributing applications that control reactive systems has been studied for many years now
and several interesting observations made on these studies shaped the design of dSL. We comment in more
detail works on process algebra, Synchronous Languages, and higher level frameworks such as Unity. The
choice of the distributed execution environment used by dSL is motivated by a discussion on shared memory
systems and thread migration.
Other approaches In the world of process algebra, the problem of automated distribution is dened as a
correctness preserving transformation of a centralized specication into a semantically equivalent distributed
one. (e.g. for bisimulation equivalence [Mil89], see [Mas92, BL95]). It has also been studied on various types
of labeled transition systems ([CMT99, Mor99, SEM03]). These works solved part of the problem. However,
contrary to programming languages, the notion of variables does not exist in these formalisms and other
solutions had therefore to be found.
In a higher level framework, Chandy and Misra have proposed the Unity approach [KMC88] to model and
design asynchronous or synchronous parallel programs. Let us recall that the principle in Unity, similar to
the one proposed by the B method [Abr96], is to use a design modeling language together with a proof
system to provide, through several design decisions, correct parallel programs. Central in this framework
is the separation between the concern of program development and the physical architecture on which it
is implemented. The program development phase provides the specication of the Unity program in itself
using guarded, multiple assignment statements. During the second phase, starting from a Unity program, a
mapping to an architecture is used to describe a possible implementation. Various possibilities are proposed
to implement a Unity program on a distributed architecture. The program variables can be seen as shared
variables or communication can be done through FIFO channels. In both cases, a protocol must be explicitly
given to preserve the data integrity or synchronize the execution ow. This implies that, each time the target
architecture is modied (e.g. adding or removing processor(s), moving variable(s), rening the distribution,
...), the Unity program has to be modied at the communication level, to t this new distribution. Therefore,
the Unity program must be designed with a desired mapping in mind, which has a negative impact on the
reconguration exibility of applications and the transparency of the physical distribution.
On the programming language side, the most relevant works on automated distribution of reactive systems
have been done in the domain of synchronous languages such as Esterel [BG92], Lustre [CPHP87] and Signal
[LGLL91], which answered questions on how to specify controllers in a natural and semantically well denedThe formal design of distributed controllers with dSL and Spin 3
way. Unfortunately, because the semantics must be preserved, the distribution of synchronous languages
suer from a performance problem which, in practice, may not be acceptable. Indeed, the synchronous pro-
gramming scheme found in these languages supposes that time is dened as a sequence of instants which are
common to all parallel processes contained in the specication. Although this allows the use of synchronous
broadcast [Ber89, BB91] resulting in sequential code, a strong synchronization scheme must be used to pre-
serve these instants when such programs are distributed [Gir94, Aub97]. This strong synchronization has
several drawbacks in an industrial environment. First of all, to keep all processes in pace, numerous messages
need to be exchanged at each global instant. Secondly, all participating processes have to advance at the
speed of the slowest process. Finally, the failure of one of the processes makes the whole system deadlock.
To the best of our knowledge, the synchronous approach has no answer to these shortcomings. We believe
therefore that, although perfectly suitable for tightly coupled homogeneous systems and having the benet
of simplicity when it comes to specifying a controller, the simplicity of the synchronous approach is too costly
in terms of performance when applied to loosely coupled heterogeneous systems. Moreover, in practice, the
strong synchronization of all processes is rarely needed and must therefore not be used as a default.
These observations motivate the makeup of dSL. At the design level, Unity seems more sound than what
is proposed with the direct use of programming languages (among which dSL), since a Unity design goes
through the correctness proof for the design before doing the implementation. Unfortunately, the industrial
control world has not yet integrated this more formal approach to design real systems, and still uses more
specialized programming languages dened as industrial standards. The philosophy of dSL goes therefore
in the other direction: it proposes a language close to the used standards and provides a framework to
formally verify the designed systems. With the drawbacks of synchronous languages in mind, dSL rejects the
synchronous product [Mil81] used in synchronous languages at the detriment of indeterminism, and adopts
semantics based on asynchronous composition of local instantaneous code and global distributed code. We
shortly comment how the execution environment handles both codes.
Execution Environment For the distributed code, several models of execution are proposed in the lit-
erature. These models can be divided into two sets based on the way they achieve data locality : either
move the data to the executing processor, or move the execution to the processor which has the data in
memory. Many systems based on the rst solution, such as Distributed Shared Memory systems [NL91], have
been studied. These systems, despite oering a transparent distributed environment, suer from undesirable
border eects which are generally problematic in an industrial environment. First, the need to replicate data
in these systems [HHG99], may result in unstable performance as observed in [NL91]. Secondly, since the
data moves around, the supervision of such systems and its error-recovery - both indispensable features in
industrial applications - may become too complicated [MP97] on dSL's target hardware. For these reasons,
dSL uses the second solution, a concept known as process or thread migration [Esk90] where a thread of
execution is halted on one site, its context (local variables and program counter) is sent to another site,
where its context is restored and execution continues. Thread migration is known to enable dynamic load
distribution, fault tolerance, eased system administration, data access locality and mobile computing [JC02].
However, in our system, all instructions and global variables are statically assigned to the participating sites
and thread migration, determined at compile time, is used to obtain data access locality. This has three ben-
ets: (1) following the state of the system is very easy, (2) all communication and synchronization messages
can statically be calculated, resulting in a predictable execution, (3) the communication between processes
can, in practice, be reduced to very low level mechanisms. However, we lose the benets of dynamic load
balancing and fault tolerance2 since the migration policy used in dSL is static.
The local code uses an event driven scheme and, for a given component, must be able to run without
any synchronization that would make it wait on other components. This asynchronous composition has
the advantage that the failure of one site does not introduce deadlocks in atomic code on other sites. The
sequential code, on the other hand, can be executed in a totally distributed and cooperative manner. These
assumptions, of course, imply some restrictions on code and have consequences on the way data values are
transmitted between distributed processes.
The shape of dSL can thus be synthesized as an imperative language using a hybrid execution scheme
2 Fault tolerant dSL systems can be obtained through the additional possibility to test failures in the communications and
hardware (see \unknown values" in [DMM03]); but needs extra coding and the explicit use of redundancies.4 B. De Wachter, A. Genon, T. Massart and C. Meuter
Fig. 1. dSL architecture
composed of two types of code : local or atomic instantaneous code, and distributed sequential code that
executes using statically calculated thread migration.
3. Informal introduction to dSL
dSL 3 is a simple imperative language with static variables; a variable can be (1) internal to the program (2)
linked to an input (sensor) or (3) linked to an output (actuator). dSL has kept the general way industrial
controllers operate through an input sampling, treatment, writing cycle. However, in dSL each site executes
such cycles asynchronously from the others. dSL is event driven, i.e., an event is specied by the change
in some variable's value. dSL also oers limited Object-Oriented features. Variables and methods can be
structured into objects, but we will not detail this aspect any further in this paper.
As illustrated in gure 1, a dSL program is written as if the entire environment can be accessed without
the need for explicit communication or synchronization primitives (we shall see that some restrictions are
imposed to apply this principle). The designer of such program must then provide a localization table to
specify the physical localization (site) of each I/O variable. The dSL compiler then automatically distributes
the code among the dierent execution sites. In this phase, the distributer optimizes the distributed code in
order to minimize the expected number of exchanged messages during execution. We show in [WGM05] that
the production of ecient code can be formulated as an optimization problem on weighted graphs, which is
shown equivalent to the NP-Hard multiterminal cut problem [DJP+94].
The distributed code is compiled to an assembler-like language. This assembler-like code is interpreted by a
set of dSL Virtual Machines which are interconnected through a network and transmit data through Fifo
queues. A dSL virtual machine is available for each type of execution site. Indeed, an execution site can
either be a supervisor, i.e. a computer with a user interface, or a programmable controller connected to the
industrial equipment to control through sensors and actuators. This equipment will be referred to as the
environment in the rest of the paper.
The benets of this approach are (1) maintainability (only one language is used) (2) exibility (changing
an actuator / sensor from one site to another does not imply changes on the program),(3) simplicity (since
communication/distribution is done implicitly, the programmer does not need to come up with synchroniza-
tion schemes to handle particular tasks). Another advantage, as we will see later, is to be able to verify the
correctness of a program, independently of the distribution of the variables among the dierent execution
sites.
Atomic and sequential code As we have mentioned previously, the design of dSL has been dictated by
the execution paradigm used in the world of industrial process control that requires an immediate reaction to
events and their instantaneous treatments. In practice, by default, this forbids any hidden synchronization
delaying execution and in particular synchronization which implies inter-site communications (through a
relatively slow network). A clear way must therefore exist to express that inter-site synchronization is allowed.
Hence dSL distinguishes between two types of code:
 atomic or event-driven code which must execute in an atomic manner, and can therefore not be distributed
 non atomic or sequential code which can execute in a distributed manner, using inter-site communications
to synchronize or transfer values between sites.
3 dSL is the successor of the language SL (Supervision Language) developed by the Macq Electronique company, Belgium that
was originally designed for controlling and supervising industrial processesThe formal design of distributed controllers with dSL and Spin 5
Event-driven code can be dened using the WHEN keyword. This implies that two variables appearing in the
same WHEN must be localized on the same execution site. To relax this constraint, two mechanisms have been
dened: (1) the LAUNCH instruction allowing to start sequential code, and (2) the \~" operator.
The principle of the tilde operator is to access a local variable, whose value is the last known value of a
remote one. For every variable x, the dSL semantics imposes that each site i has also a variable ~x. Lets
denote by i(~ x) the value of the copy of x local to site i. Every time x is modied, each i(~ x) is updated
asynchronously through a broadcast over the Fifo channels. Therefore, the code y := ~x where y is local
to site i corresponds to y := i(~ x), i.e. y receives some, maybe old value of the (remote) variable x.
This feature becomes useful when a program is not distributable. Indeed, one can use the local ~x variable
instead of requiring direct access to x, which constraints more the dSL program (see Example program).
Using ~x, the programmer now has a more exible dSL program that may be further distributed. But tilded
variables must be used with care : only when the exact value of a variable which cannot be local is not needed
(e.g. temperature which evolves slowly) or if the program is built such that it is known that the tilded value
is equal to the real one.
On the other hand, sequential code can be dened using the SEQUENCE keyword. A SEQUENCE cannot have
more than one instance executed simultaneously. A SEQUENCE can have local variables (i.e. which scopes are
limited to the SEQUENCE). When needed, these variables can be transmitted from site to site to ensure a
coherent execution of the SEQUENCE. Note that SEQUENCEs are exclusively called through the use of LAUNCHs.
Example program To illustrate the dSL concepts, let us give a simplied example of a program that
receives input values through an input variable temperature, linked to a temperature sensor and switches
on (o) a heater when the temperature is below 0 oC (above 20 oC). Two indicators in a control panel are
used to monitor the status of the heater. The rst one (led) indicates the state of the heater and the second
one (alarm) indicates that a maintenance check is needed. For that purpose, a boolean variable maintenance
is set when the heater has been turned on or o a thousand times. The program will be used in a physical
conguration with 2 execution sites: (1) the control panel, where the output variables led and alarm will
be located and (2) the heater where the output variable heater and the input variable temperature will
be located. The location of the other variables are initially unspecied. However, at rst sight, it would be
impossible to have maintenance, temperature and alarm on the same execution site. Indeed, WHENs W2 and
W3 require maintenance to be on the heater site, whereas the following WHEN :
WHEN maintenance THEN
alarm:=true;
END_WHEN
would require maintenance to be on the control panel site. Therefore, in order to make the distribution
possible, we need to relax the constraints on one of those WHEN. In the example, presented in gure 2 we
chose to use the local variable ~maintenance in the condition of WHEN W1.
4. dSL's syntax and semantics
A dSL program contains 5 elements. (1) global variables declarations including all I/O variables (2) METHOD
denitions (3) WHEN denitions (4) SEQUENCE denitions and (5) an initialization sequence. In order to
keep the semantics simple, we present only a subset of the dSL language. In this subset, we make the
following restrictions: (1) methods are supposed to be inlined, which implies that recursive calls are forbidden;
(2) since no recursion is allowed, all variables are considered to be declared globally; (3) only boolean
variables are considered; (4) SEQUENCEs and LAUNCHs are not considered. Indeed, although very convenient
for the programmer, SEQUENCEs and LAUNCHs do not increase the expressiveness of the language and can be
equivalently translated into code using only WHENs and tilde, as explained in [Gen04]. In this paper, we only
consider well-formed dSL programs where each used variable has been properly dened and each WHEN uses
at least one global variable.
From now on, we will use the following notations:
 V ar(P) denotes the set of non tilded variables appearing in the program P. This set is partitioned into
V arin(P), V arout(P) and V ar(P) which correspond respectively to the input, output and internal (i.e.
non I/O) variables.6 B. De Wachter, A. Genon, T. Massart and C. Meuter
GLOBAL_VAR
led : BOOL;
heater : BOOL;
alarm : BOOL;
temperature : BOOL;
maintenance : BOOL;
control : INT;
END_VAR
SEQUENCE set_heater(state : BOOL)
(* Make the led's state correspond to
the heater's action *)
control := control+1;
IF control == 1000 THEN
control := 0;
maintenance := TRUE;
END_IF;
led := state;
heater := state;
END_SEQUENCE
WHEN ~maintenance THEN (* W1 *)
alarm := TRUE;
END_WHEN
WHEN temperature < 0 THEN (* W2 *)
(* Turn on the heater *)
IF (NOT maintenance) THEN
LAUNCH set_heater (TRUE);
END_IF;
END_WHEN
WHEN temperature > 20 THEN (* W3 *)
(* Turn off the heater *)
IF (NOT maintenance) THEN
LAUNCH set_heater (FALSE);
END_IF;
END_WHEN
SEQUENCE init()
control := 0;
maintenance := FALSE;
(* Initially turn the heater off *)
LAUNCH set_heater(temperature < 0);
END_SEQUENCE
Fig. 2. simple dSL program
 V ar(w) denotes the set of non tilded variables appearing in the WHEN w.
 V ar(e) returning the set of variables (tilded or not) appearing in expression e.
 Whens(P) denotes the set of WHENs appearing in the program P.
 Cond(w) denotes the triggering condition of the WHEN w.
 Body(w) denotes the body of the WHEN w.
 ~ X denotes the set of tilded variables corresponding to X, ~ X = f~ xjx 2 Xg.
Moreover, in order to dene the dSL semantics, extended instructions are added to the language which will
be used to describe some internal treatment:
 INPUT id, modeling the sampling of the input variable id,
 OUTPUT id, modeling the update of the output variable id,
 BCAST id, modeling the broadcast of the variable id to all execution sites,
 MSG, modeling the treatment of messages from the Fifo channel.
Preliminary denitions
In order to dene the structural operational semantics of a dSL program, we need some preliminary deni-
tions. First of all, the semantics will be dened in terms of a labeled transition system. We briey recall this
notion.
Denition 1 (Labeled transition system). A labeled transition systems L is a tuple (Q;q0;;!) where :
 Q is a set of states,
 q0 2 Q is the initial state,
  is a set of symbols called the alphabet, with  62  ( is the internal action),
 ! Q  ( [ fg)  Q is the transition relation.

Given two states q;q0 2 Q, for any a 2 ([fg), we note q
a   ! q0 if (q;a;q0) 2!, and for any w = a1a2:::an
in ( [ fg), we note q
w   ! q0 if there exists a sequence of transitions q0
a1   ! q1 qn 1
an     ! qn with q = q0
and q0 = qn. Note that if w = , we have q = q0 = qn = q0.The formal design of distributed controllers with dSL and Spin 7
Additionally, the behavior of a dSL program depends on the distribution of its variables. Therefore its
semantics will be parametrized by a distribution of its variables. Intuitively, a distribution of a well-formed
dSL program is a partition of the set of its variables respecting the atomic constraints imposed by WHENs.
That is, if two variables appear un-tilded in the same WHEN, they must be localized on the same execution
site. Let us dene formally the notion of distribution.
Denition 2 (Distribution of a well-formed dSL program). A distribution of a well-formed dSL pro-
gram P is a partition D = fV1;V2;:::;Vng of V ar(P) such that
8w 2 Whens(P)8v;v0 2 V ar(w);9V 2 D;(fv;v0g  V )
We note DP the set of all distributions of P. 
Moreover, given a well formed dSL program P and a distribution D of P, we need to dene the distributed
context in which P will execute. Indeed, the partition of the variables given by D imposes a partition of the
set of WHENs of P.
Denition 3 (Distributed execution context). Given a dSL program P, and a distribution D = fV1;
V2;:::; Vng of P, we dene the distributed execution context of P w.r.t. D as follows:
E
P
D = (W1;W2;:::;Wn)
where each Wi = fw 2 Whens(P)jV ar(w)  Vig. We will also need to divide Wi into the sets of whens
conditioned on a specic variable : Wi=x = fw 2 Wi j x 2 V ar(Cond(w))g
In the following, we will call each (Wi) a local execution context and will denote it by (EP
D)i. Note that, since
D is a distribution of P, we have
S
i2[1::n] Wi = Whens(P) and 8i;j 2 [1::n];(i 6= j) =) (Wi \ Wj = ;) 
Finally, to abbreviate the semantics rules, we need to dene some auxiliary functions.
Denition 4 (Input sampling, output writing). Given a set of variables V, we dene Sample(V ), re-
spectively Write(V ), as a list of instructions performing the input, respectively output, of the variables in
V in the order of their declaration in the program text :
Sample(fI1;::;Ikg) = INPUT(I1);:::;INPUT(Ik)
Write(fO1;::;Ok0g) = OUTPUT(O1);:::;OUTPUT(Ok0)

Denition 5 (Treatment of WHENs). Given a set of WHENs W, we dene Treat(W) as a list of instructions
processing all WHENs in W, in the order of appearance in the program text, as follows:
Treat(W) = !1;!2;:::;!jWj
where 8i 2 [1::jWj] :
!i = IF (Cond(wi) AND NOT old condwi) THEN Body(wi); END IF old condwi := Cond(wi);
The variables old condwi introduced here are fresh variables, added to V ar(P) and initially set to ?. 
Structural operational semantics
Informally, the behavior of a dSL program can be seen as the parallel composition of n processes, one for
each site, communicating with the environment to control. Each process i governs a set of variables in Vi
and communicates with the other processes through Fifo channels. In particular, these Fifo channels allow
to update the value of the tilde variables, which are the local value of the distant variables.
The execution of each process i is an innite loop of cycles called Input-Process-Output cycle because it
contains three phases. (1) Input : variables linked to inputs change their values according to the physical
state of the device they are attached to, (2) Process : events are triggered, incoming messages are processed
and (3) Output : variables linked to the outputs force the physical state of the devices they are connected to.
The formal structural operational semantics for a well formed dSL program P, w.r.t. a distribution D is8 B. De Wachter, A. Genon, T. Massart and C. Meuter
given below as a labeled transition system which visible actions are updates to/from the environment of the
I/O variables. Let us rst dene a global state of a dSL program.
Denition 6 (Global state of a dSL program). Given a distribution D = fV1;V2;:::;Vng of a well
formed dSL program P, we dene a global state G of P as follows:
G  ((!1;1;1);(!2;2;2);:::;(!n;n;n))
where 8i 2 [1::n];(!i;i;i) is the local state of process i with the following components:
 !i is the workload. It gives the sequence of instructions (including extended instructions) remaining to
be executed in the current cycle of process i.
 i : (Vi [ ^ V ar(P)) 7! f>;?g is a valuation function for:
{ the global variables owned by process i.
{ the tilded (local) copies of all variables.
 i 2 ((V ar(P)  f>;?g) [ fg) is the receiving communication channel of process i. Each message
indicates the update of a variable. Additionally,  is used to enforce the end of the message treatment.
We will note GP
D the set of global states of a dSL program P; given a distribution D. 
We can now introduce the semantics rules which will provide the transition relation of the labeled transition
systems. The rst two rules are global rules acting on the entire global state. The rst one expresses the
interleaving semantics; i.e. if in a local state, a transition can be taken, then from any global state containing
this local state, the same transition can be taken, only modifying that local state. It can be noticed here, that
at a global level, unlike synchronous languages like Esterel or Lustre, dSL has an asynchronous semantics.
[Interleaving]
(EP
D)i ` (!i;i;i)
a   ! (!0
i;0
i;0
i)
EP
D ` ((!1;1;1);:::;(!i;i;i);:::;(!n;n;n))
a   ! ((!1;1;1);:::;(!0
i;0
i;0
i);:::;(!n;n;n))
8a 2 fg [ 
The second global rule corresponds to the broadcast. If a process has to perform a broadcast corresponding
to a change of value of a variable, then a -transition is taken, leading to a global state where all the receiving
communication channels are updated. Note that a message is also appended to the channel of the process
performing the broadcast. Indeed, this local process might have an asynchronous (tilded) copy of its own
variable, and this copy needs to be (asynchronously) updated as well.
[Broadcast]
EP
D ` ((!1;1;1);:::;(BCAST(x);!i;i;i);:::;(!n;n;n))
   ! ((!1;1;0
1);:::;(!i;i;0
i);:::;(!n;n;0
n))
where 8j 2 [1::n] : 0
j = j  (x;i(x))
The other rules described below are local rules; i.e. dening how a local process makes a move. The rst of
these local rules corresponds to the beginning of a new cycle. If, at a point in the execution, the workload of
process i becomes empty ("), then a new Input-Process-Output cycle is scheduled in the workload. Therefore,
this rule dictates the cyclic behavior of each process. Note that, in order to model the non instantaneous
behavior of the network, a  marker is inserted to delimit the messages ( 1) that will be treated during this
cycle.
[Cycle start]
(EP
D)i ` (";i;i)
   ! (Sample(V arin(P) \ Vi);Treat(Wi);MSG;Write(V arout(P) \ Vi);i;0
i)
0
i =  1     2 ^ i =  1   2
The second local rule describes the sampling of an input from the environment. When doing so, the valuation
of the input variable is updated according to this sampling, and the new value is broadcast to all other
processes. Moreover, the transition is labeled with the sampled variable and the value that has been read.The formal design of distributed controllers with dSL and Spin 9
[Input]
(EP
D)i ` (INPUT(x);!i;i;i)
x?a     ! (BCAST(x);!i;i[x 7! a];i)
8a 2 f>;?g
The following two rules describe the message treatment phase. In this phase, some messages are read from
the receiving channel and the local valuation is updated accordingly (i.e. the local asynchronous - tilded -
copy is set to the new value). Due to this change of valuation, some WHENs might be triggered. Thus, all WHENs
that might be triggered by this change of valuation are considered before continuing the message treatment.
Note that messages are of the form (x;v) where x is the updated variable and v is its value.
[Message treatment]
(EP
D)i ` (MSG;!i;i;(x;v)  i)
   ! (Treat(Wi=~ x);MSG;!i;i[e x 7! v];i)
[End of message treatment]
(EP
D)i ` (MSG;!i;i;  i)
   ! (!i;i;i)
Note that the reception may not be instantaneous, that is, the end of message treatment rule may be applied
while there are still some messages left in the Fifo channel. The  marker, inserted when the cycle start
start rule was red, assures that new messages received during this cycle are not treated.
Note also that these rules can be modied to handle one Fifo channel between each couple of processes. We
showed in [Gen04] that this does not change any result presented in this paper. For simplicity, we present
here our semantics with only one channel for each process. However, the translation and the case study in
section 6 is performed using the full semantics with a Fifo channel between each couple of processes.
The next rule corresponds to the treatment of an assignment in the workload. Besides the usual eect of the
assignment (the local valuation is updated), the new value needs to be broadcast and the WHENs that may
be triggered by this assignment need to be scheduled for treatment.
[Assignment]
(EP
D)i ` (x := e;!i;i;i)
   ! (BCAST(x);Treat(Wi=x);!i;i[x 7! i(e)];i)
The following rule corresponds to the treatment of an IF statement. As expected, if the condition evaluates
to >, the code of the THEN part is inserted in the workload, otherwise (the condition evaluates to ?), the
code of the ELSE part is inserted.
[If]
(EP
D)i ` (IF e THEN !> ELSE !? ENDIF;!i;i;i)
   !

(!>;!i;i;i) if i(e) = >
(!?;!i;i;i) if i(e) = ?
The last local rule corresponds to the output of a variable. In this case, nothing needs to be done, apart from
ring a transition labeled by the output variable and its new value and removing this abstract instruction
from the workload.
[Output]
(EP
D)i ` (OUTPUT(x);!i;i;i)
x!i(x)
          ! (!i;i;i)
Using those semantics rules, given a well-formed dSL program P and a distribution D of P, we can dene a
labeled transition system describing the behavior of P w.r.t. D.
Denition 7 (Distributed semantics of a dSL program). Given a well-formed dSL program P and a
distribution D = fV1;:::;Vng of P, we dene the distributed semantics of P w.r.t. D, noted JPKD as a labeled
transition system (GP
D;G0
D;(V ar(P)  f!;?g  f>;?g);!) where:
 G0
D = ((!1;1;1);:::;(!n;n;n)) where 8i 2 [1::n] : !i = ", i = ", 8x 2 (Vi [ ^ V ar(P)) : i(x) = ?
 ! is such that (G;a;G0) 2! if and only if EP
D ` G
a   ! G0 can be derived from one of the structural
operational semantics rules given previously.10 B. De Wachter, A. Genon, T. Massart and C. Meuter

5. Hierarchy of distributions and semantics
In the previous section, we have seen that the semantics of a dSL program P is parameterized by a distribution
of its variables. Therefore, if we want to formally verify P independently of its variables localisation, we should
be verifying it w.r.t. every possible distribution. This is however clearly not acceptable. We will see in this
section that fortunately, for a given dSL program P, there exists a lattice of allowed distributions. For two
distributions D1 and D2 related by this lattice and with D1 more distributed than D2, we will show that
the set of possible behaviors of D2 is included in the set of possible behaviors of D1. Hence, every valid trace
property  on P w.r.t D1 is also valid on P for D2. In particular if  is valid for the maximal distribution,
then it holds for any distribution. The contraposition of this results states that if a property  does not hold
on P for D2, it does not hold either on P for D1.
A case study, presented in the next sections, illustrates how these results can be used to verify completely
or partially some program, depending on the computer resources available to verify it.
Denition 8 (Distribution renement). Let D = fV1;V2;:::;Vkg and D0 = fV 0
1;V 0
2;:::;V 0
l g be two dis-
tributions of a dSL program P. We say that distribution D0 is a renement of distribution D, noted D  D0
if
8V
0 2 D
0 9V 2 D  V
0  V

We can now formally dene the maximal distribution of a well-formed dSL program, which is the most rened
distribution.
Denition 9 (Maximal distribution of a well-formed dSL program). The maximal distribution of
a well-formed dSL program P is the distribution Dmax such that
6 9D 6= Dmax : Dmax  D

Note that Dmax is unique. Indeed, Suppose D1 6= D2 both maximal, then there exist two global variables
x;y with fx;yg  V for some partition V of D1 and x 2 V 0;y 2 V 00 for some partitions V 0;V 00 of D2
with V 0 6= V 00. Therefore, by denition 2, it can be seen that V can be split into V \ V 0 and V \ V 00. By
denitions 9 and 8, D1 is therefore not maximal. Also note that two WHENs are not necessarily on dierent
sites in Dmax, this is for example the case if they both use the same global variable.
Now we have to prove that this distribution induces a semantics that includes all possible behavior. For that,
we use the notion of weak simulation. Let us recall this denition.
Denition 10 (Weak simulation relation). Given two labeled transition systems L1 = (Q1;q0
1;;!1),
L2 = (Q2;q0
2;;!2). A binary relation R  Q1 Q2 is a weak simulation relation for L1 and L2 if and only
if for all q1 2 Q1;q2 2 Q2;a 2  [ fg, if (q1;q2) 2 R then
8q0
1 :

q1
a   ! q0
1

=)

9q0
2 : q2
b a   ! q0
2 ^ ((q0
1;q0
2) 2 R

where
b a 2

  a   if a 2 
 if a 62  (i.e. a = )

A LTS L1 = (Q1;q0
1;;!1) can be simulated by a LTS L2 = (Q2;q0
2;;!2), noted, L1 . L2 if there exists
a simulation relation R such that (q0
1;q0
2) 2 R.
We can now prove that if a distribution D0 of P renes distribution D of P (D  D0), then JPKD can be
simulated by JPKD0 (JPKD . JPKD0).The formal design of distributed controllers with dSL and Spin 11
Theorem 1 (Simulation). Given a well-formed dSL program P, let D = fV1;V2;:::;Vng and D0 = fV 0
1;
V 0
2;:::;V 0
l g be two distributions of P. We have that, if D0 renes D then JPKD0 simulates JPKD :
(D  D0) =) (JPKD . JPKD0)
Proof. The proof can be found in appendix A. 
Intuitively, this means that every step that can perform P with distribution D can be simulated by P using
a more rened distribution D0. Theorem 1 implies the following well known results.
Corollary 1 (Ltl properties). Given a well-formed dSL program P, let D = fV1; V2;:::;Vng and D0 =
fV 0
1;V 0
2;:::;V 0
l g be two distributions of P. If D0 renes D then for every next free Ltl property  :
(JPKD0 j= ) =) (JPKD j= )

This corollary and its contraposition are also useful in the verication phase.
Corollary 2 (Distribution lattice). Given a well-formed dSL program P. Let Dmin = fV ar(P)g. We
have that h fJPKDjD 2 DPg ; . i is a lattice with respectively, JPKDmin and JPKDmax as minimal and
maximal elements. 
Therefore, a program P is safe for any distribution D if it is safe for the maximal distribution Dmax. On
the other hand, if P is shown not safe for some distribution D, then it is also not safe for any more rened
distribution D0. This can be used in two ways to tackle the validation of a program P. First, one can use
model-checking. In this case, considering P w.r.t its maximal distribution Dmax is enough to ensure the
validity of P. On the other hand, on can use testing to try and nd errors. In such case, one can start with
the centralized distribution Dmin. Indeed, if an error is detected in this distribution, then it will be also be
present in any other distributions.
6. dSL to Promela
Aiming at the automatic verication of dSL, we now briey describe how to translate a dSL program
into Promela, the input language for the Spin model checker. The specication language Promela is much
like any common imperative language (including global/local variables, if, do control ow and common
expression evaluation) with a syntax close to the C programming language. The primary use of Promela
is in formal specications, it has not been designed for programming purposes. For example, it is enriched
with non determinism inspired by Dijkstra's guarded command language. Moreover, Promela allows the
dynamic creation of processes and has a rich set of primitives for interprocess communication, such as
shared variables and Fifo queues. The Promela language has been designed with process specications in
mind, and computation should be abstracted before writing a specication in Promela. More details about
this language can be found in [Hol03]. The semantics of dSL allows an almost immediate translation of a
given dSL program into Promela. Remark, however, that this translation depends on the distribution used
to run this program, meaning that the Promela specication will change every time another distribution is
used. In this section, we rst give the restrictions imposed by the use of Promela. Next, we describe how to
eciently model the environment. Finally, we detail the translation of the code for the dierent dSL sites
into Promela. A dedicated tool performs this translation automatically, except for the environment which
must still be specied manually. This translation will be used to perform verication on the case study of
section 7.
Restrictions Translating full dSL into Promela is dicult for two reasons. First of all, recursive functions
are dicult to translate into Promela. However, recursion is generally not a desired feature for industrial
controllers. The second diculty comes from the restrictive nite state space representation used by the
Spin model checker, which imposes a bound on the sizes of the communication channels. Static analysis
techniques can be used to detect problematic systems, where no such bound exists [LMW04].
The constructs omitted in the semantics description (LAUNCH and SEQUENCE) can easily be translated, either
by replacing them using the constructs that are included in the semantics (a general description is given in
[Gen04]), or by direct translation into Promela. The rst solution is considered here.12 B. De Wachter, A. Genon, T. Massart and C. Meuter
Modeling the environment We have several solutions to model the environment of a dSL program in
Promela. We could consider the environment as an individual process that reacts on outputs and continually
changes the inputs of the dSL program. But this approach is quite inecient. Indeed, consider the behavior
of a process i, and more particularly its innite Input-Process-Output loop. Since inputs are sampled at the
beginning of such a cycle, and outputs are written at the end, the changes of the environment during the
cycle have no eect whatsoever on the process phase of i. Thus, to avoid unnecessary interleaving between
the environment and the dierent dSL processes, the part of the environment connected to this process
should be frozen as long as process i is in its process phase. To achieve this, we integrate this part of the
environment into the specication of process i (by means of inlining). Doing so allows the environment to
change state only when the process reaches its input phase. The communications between the process and
its part of the environment is done through shared variables (representing the I/O variables).
Modeling the processes The processes described in the semantics can be coded almost as-is into Promela
processes using a straightforward syntactical transformation. Indeed, each dSL process can be translated
into a Promela process that consists of an innite loop performing the following steps : input-process-output.
The input and output phases are interactions with the environment as described above. The process phase
does the following steps :
 Input treatment : the triggering condition of all WHENs owned by this process are considered consecutively,
this to reacts to the input changes.
 Message treatment : reads the messages sent by other processes. This message treatment is translated
into a loop reading a non-deterministic number of messages from the input channel for this process. Every
time a message is read, WHENs depending on the updated variable are checked for execution.
For this translation to work, we must have a special treatment for all assignments in the original dSL program.
Indeed, an assignment x:=e; is translated into Promela as follows :
 x:=e;: the assignment is also performed in Promela.
 ch1!x,e, ..., chk!x,e: broadcasts the new value to all sites that use ~x.
 consider all WHENs conditioned on x.
According to the formal semantics, communications between the dierent processes are modeled using
Promela's chan and are kept reliable but not instantaneous.
In order to reduce the state space search, two changes with respect to the formal semantics are added in
the Promela specication. First, the update messages caused by the assignment to a variable x are only
sent to sites that use x, and not to all sites. The correctness of this optimization with respect to the formal
semantics can easily be shown. Since a process not using ~x, never accesses its local copy of x, the behavior
of this process remains the same if we omit to send it the updates of x.
Second, we use Promela's atomic construct to merge all transitions in the process phase of a particular
process together into one meta transition4. To justify this reduction, observe that exterior processes can
not have any eect on the behavior of the process phase and that its progression has no inuence on other
processes. Indeed, a process is only inuenced by its Fifo channels and the environment, and neither of
them are consulted during processing. On the other hand, the environment remains unchanged during this
phase, and another process can only observe the modication of the Fifo channels when messages are sent.
Although the introduction of atomic groups such messages together, this has no eect since the number of
messages received in the input phase is non deterministic.
Caused by our asynchronous execution scheme which imposes that processes can only observe their own
local variables, this reduction can be applied to any dSL program. Notice that the process phase contains
most of the controller's behavior, and that this reduction is therefore substantial.
7. Case study : a canal lock controller
4 Note that, since messages are sent during the process phase and Fifo channels might be full, the use of Promela's d step is
prohibitedThe formal design of distributed controllers with dSL and Spin 13
Lock 1￿
Bottom
Gate
Top
Gate
Lock 2
Bottom
Gate
Top
Gate
Fig. 3. Canal locks
WHEN lock2.bottom_gate.button_open THEN
IF (~lock2.top_gate.closed) AND (not lock2.top_gate.order_given) AND
(~lock1.top_gate.closed) AND (not lock1.top_gate.order_given) AND
(~lock2.water.down) AND (not lock2.water_order_given)
THEN
not_allowed_led := false;
lock2.bottom_gate.order_given := false;
LAUNCH lock2.bottom_gate<-open();
ELSE
not_allowed_led := true;
END_IF;
END_WHEN
Fig. 4. WHEN monitoring the command \open the bottom gate of lock2"
The problem To illustrate dSL concepts and the verication of a dSL program, we study the design of a
controller for a system composed of two consecutive locks. As presented in gure 3, each lock is composed
of two gates, a top and a bottom one. In between the top and the bottom gates of each lock, the water
level can be controlled (i.e. the inside of a lock can be lled or emptied). The dierent commands of this
system (opening/closing a gate, emptying/lling a lock) can be accessed via a control panel. For this system
to function properly, several constraints must be satised: (1) two consecutive gates cannot be opened at the
same time, (2) a gate can only be opened if the water level on each side is the same, and (3) the water level
inside a lock can only be changed if both its top and bottom gates are closed. The purpose of the controller
is to ensure that the previous constraints are veried at all time. Whenever a command is introduced via the
control panel, before taking the appropriate action, the controller must rst check that it will not jeopardize
the system, in which case, the action is not taken, and a red light on the control panel is switched on to
indicate an error.
The solution The idea to implement the controller in dSL is the following. Whenever an order is given,
a corresponding boolean variable order given is set (there is an order given variable for each gate and
one for the water level of each lock). When receiving a command, the controller has to check that all the
requirements are satised and, using those order given variables, that no order on the checked gates and
water levels are given (note that an order to close a gate can never violate a constraints). The order given
variables are, of course, reset when an order is completed. In this implementation, each command is monitored
by a WHEN construct. As an example, gure 4 presents the WHEN monitoring the command \open the bottom
gate of lock2" (the complete dSL source can be found in appendix B.1).
Note that for all the order given variables, the '~' operator cannot be used. For example, in gure 4,
if lock2.top gate.order given was tilded, when an order is given to open the bottom gate of lock2,
the controller would check if ~lock2.top gate.order given is false. However, in that case, because of
communication delays, an order might have been given. The controller would then allow the bottom gate of
lock2 to open while the top gate is ordered to open, which leads to a violation of the given constraints.
Translation into Promela We now explain how to translate the dSL program for the canal lock controller
into Promela. Remember that this translation depends on a given distribution. Here, we have considered
several possible distributions, from the minimal distribution to the maximal distribution. For this particular14 B. De Wachter, A. Genon, T. Massart and C. Meuter
inline flip_flop_behavior(sensor_flipped, sensor_flopped, order_cmd, order_dir) {
if :: order_cmd && sensor_flopped ->
if :: order_dir == ORDER_TO_FLOP -> skip;
:: order_dir == ORDER_TO_FLIP -> sensor_flopped = false;
fi;
:: order_cmd && !sensor_flopped && !sensor_flipped ->
if :: order_dir == ORDER_TO_FLOP -> sensor_flopped = true;
:: order_dir == ORDER_TO_FLIP -> sensor_flipped = true;
:: skip;
fi;
:: order_cmd && sensor_flipped ->
if :: order_dir == ORDER_TO_FLOP -> sensor_flipped = false;
:: order_dir == ORDER_TO_FLIP -> skip;
fi;
:: skip;
fi;
}
Fig. 5. Flip op behavior
application, the maximal distribution consists of 11 sites, where 4 of the 11 sites each monitor a single
control button responsible for sending the command to close one of the gates. Results for this extreme
conguration are hard to obtain since the number of processes makes the state space size explode. In the
7-sites distribution, the control panel, each gate and each water level is controlled by a single site, while the
3-sites distribution has the control panel on one site, and each lock controlled by another site. The 2-sites
distribution has one site for both locks, and one for the control panel.
Note that each of these distributions with more sites is a renement of a distribution with less sites which
allows us to illustrate the simulation relation. Note however that in practice, due to theorem 1, the correctness
of for example the 7-sites distribution is sucient to prove the correctness of the 3-sites, 2-sites and 1-site
distribution.
The gates and the water levels are modeled using a ip-op behavior (see gure 5) that has four states : ipped
(1,0), opped(0,1), ipping(0,0) and opping(0,0). It can receive an order to ip, to op or to do nothing.
The behavior is obvious, and can easily be adapted for the gates (ipped  opened, opped  closed) as for
the water level (ipped  up, opped  down). A nondeterministic choice makes the gate (and the water)
move from opened (up) to closed (down) by allowing the model to stay in the ipping, respectively opping
state. Modeling the operator is straightforward, a nondeterministic choice lets the operator choose one of
the twelve buttons (lock{1/2}.{top/btm}_gate.btn_{open/close} and lock{1/2}.btn_{empty/fill}).
Problem in the locks controller! At rst glance, this implementation seems to work. However, after mod-
eling it in Promela as explained in section 6 and using Spin model checker to verify the given constraints, we
found out that it is faulty. Indeed, as shown in gure 6, two consecutive gates (top gate of lock 1 and bottom
gate of lock 2) can be opened at the same time. In this case, three orders are given to the top gate of lock 1:
an order to open, followed by an order to close (before the gate is completely opened) and nally an order
to open. Because of communication, the reset order given() and the value of ~lock1.top_gate_closed
are delayed (respectively because of the launch and '~'). Therefore when the order to open the bottom gate
of lock 2 is given, the controller believes that the top gate of lock 1 is closed and that no order has been
given to it. This allows the opening of the bottom gate of lock 2, which violates the constraints.
An easy way to correct this, would be to allow a command to a gate (or a water level) only if its order given
is false (in other words, only allowing one order at a time). However, this would not be a viable solution.
Indeed, imagine a boat breaks down while the gate is closing, the controller would not allow to open a gate
until it is completely closed, and the boat would be crushed down! So, instead of blocking all commands while
an ordered is processed, we disable the commands only during the time needed to verify the (distributed)
constraints. To achieve this, a sequential execution checks that the issued command can be executed, by
migrating the condition to all intervening sites. As illustrated in gure 7, this is done by means of a SEQUENCE
construct that evaluates, in the local variable check, that all the conditions are satised. In the example
of gure 7, the rst part of the constraint (check := (lock2.top gate.closed and lock2.water down);)
will be evaluated on the site where lock2 is localized, then the value of check will be migrated to the site
where lock1 is localized to evaluate the second part (check := (check and lock1.top gate.closed);).The formal design of distributed controllers with dSL and Spin 15
lock1 lock2 controler
lock1.top_gate.reset_order_given()
~lock1.top_gate.closed = true
lock1.top_gate.open()
lock1.top_gate.closed = false
(top gate opening)
lock2.bottom_gate.button_open = true
lock2.bottom_gate.order_given := true
lock1.top_gate.button_open = true
lock1.top_gate.order_given := true
lock1.top_gate.close()
lock1.top_gate.closed = true
(top gate closing)
lock1.top_gate.open()
lock1.top_gate.closed = false
(top gate opening)
lock2.bottom_gate.open()
lock1.bottom_gate.closed := false
(bottom gate opening)
both the top gate of lock1 and the
 bottom gate of lock2 are opening!
(top gate closed)
lock1.top_gate.button_close = true
lock1.top_gate.order_given := true
lock1.top_gate.button_open = true
lock1.top_gate.order_given := true
Fig. 6. Error trace
WHEN lock2.bottom_gate.btn_open and not disabled THEN
disabled := true;
launch open_bottom_gate_lock2;
END_WHEN
SEQUENCE open_bottom_gate_lock2()
VAR
check : bool;
END_VAR
check := (lock2.top_gate.closed AND lock2.water_down);
check := (check AND lock1.top_gate.closed);
IF check THEN
not_allowed_led := false;
LAUNCH lock2.bottom_gate<-open();
ELSE
not_allowed_led := true;
END_IF;
disabled := false;
END_SEQUENCE
Fig. 7. WHEN / SEQUENCE monitoring the command \open the bottom gate of lock2"
Since the control panel is disabled during this task, we can be sure that the variable check is true if and only
if the constraints are satised, in which case, the corresponding action(s) is (are) taken. This introduces the
need for classical distributed systems mechanisms such as semaphores.
Verication Two properties were checked on the model. the rst property expresses all the constraints
presented in section 7. It is expressed in Ltl using the formula [] !global bad where global bad is dened
in Spin as follows:
#define global_bad ( (!lock1_top_gate_closed && !lock1_bottom_gate_closed) ||
(!lock1_top_gate_closed && !lock2_bottom_gate_closed) ||
(!lock2_bottom_gate_closed && !lock2_top_gate_closed) ||
(!lock1_bottom_gate_closed && !lock1_water_down) ||
(!lock1_top_gate_closed && !lock1_water_up) ||
(!lock2_bottom_gate_closed && !lock2_water_down) ||
(!lock2_top_gate_closed && !lock2_water_up) ||
)
The second property expresses only the fact that the two middle gates (i.e top gate of lock1 and bottom gate
of lock 2) of the locks are opened at the same time. It is expressed in Ltl using the formula [] !middle bad
where middle bad is dened in Spin as follows:
#define middle_bad (!lock1_top_gate_closed && !lock2_bottom_gate_closed)16 B. De Wachter, A. Genon, T. Massart and C. Meuter
Sites Btn Channels Property P.O. Veried Time States Memory
1 2 Instant global bad yes
p
0:03.25 1.41e+04 1.432 MB
2 2 Instant global bad yes  0:14.52 8.37e+04 3.064 MB
3 2 Instant global bad yes  0:08.00 9.54e+04 3.569 MB
7 2 Instant global bad yes  0:09.74 7.82e+04 3.645 MB
11 2 Instant global bad yes  5:38.48 1.41e+06 68.557 MB
1 1 Normal middle bad yes
p
0:07.80 3.98e+04 2.457 MB
2 1 Normal middle bad yes
p
0:43.22 1.29e+05 4.908 MB
3 1 Normal middle bad yes
p
0:37.13 1.39e+05 5.311 MB
7 1 Normal middle bad yes  21:14.36 1.91e+06 77.581 MB
11 1 Normal middle bad yes  0:54.93 2.07e+05 10.383 MB
1 1 Instant middle bad no
p
0:00.15 437 0.409 MB
1 1 Instant middle bad yes
p
0:00.15 437 0.409 MB
2 1 Instant middle bad no
p
0:01.04 8133 0.709 MB
2 1 Instant middle bad yes
p
0:01.08 8132 0.709 MB
3 1 Instant middle bad no
p
0:00.72 10136 0.805 MB
3 1 Instant middle bad yes
p
0:00.73 10133 0.805 MB
7 1 Instant middle bad no
p
0:11.46 146401 6.206 MB
7 1 Instant middle bad yes
p
0:11.96 146338 6.206 MB
11 1 Instant middle bad no N/A Timeout 2.10+07 1 GB
11 1 Instant middle bad yes
p
18:03.57 5.43e+06 261.717 MB
Fig. 8. Results of the verication of global bad and middle bad properties on the rst (faulty) version of the canal lock
controller.
The verication was made using Spin version 4.2.4, on a 3 GHz Intel Xeon machine with 2GB of memory.
Some representative results corresponding to the verication of these properties on the rst (faulty) version
of the canal lock controller are shown in gure 8. The rst column indicates the number of execution sites,
respectively 1 (minimal), 2, 3, 7 and nally 11 (maximal). The second column indicates the maximum number
of times each button can be pressed. The next column indicates whether or not messages are taken from their
queues as soon as possible. The fourth and fth columns shows respectively the property that was checked,
and whether or not partial order reduction was used. The four remaining columns show respectively, whether
the property was veried or not, the time needed for the verication, the number of states explored and the
memory usage. First of all, by examining the rst two sets of experiments, we can observe that the results
are coherent with theorem 1. That is, if the error in gure 6 is found in a distribution (indicated by  in
column 6), it is also found in more rened distributions. Finally, in the third set of experiments, we can
observe that the gain of partial order reduction on time and memory used is limited. The gain is substantial
only for the maximal distribution. This is because, in the specication, we intensively use atomic blocks to
reduce the state space, therefore reducing the eciency of the partial order reduction.
8. Conclusions
In this paper, we presented dSL, an environment to design industrial distributed process control systems. We
pointed out the main advantages of using dSL, compared to other approaches like synchronous languages,
design languages (like B or Unity) or solutions using shared variables. Among the advantages, dSL is rst
a programming language which extends the ST standard, guaranteeing its use in practice. dSL also pro-
vides automatic code distribution and includes two features (SEQUENCE and tilded variables) which allows
the programmer to be isolated from the physical distribution of the system. Moreover, we dened simple
operational semantics, parametrized by the distribution used for its execution. A dSL program is seen as a
composition of asynchronous processes communicating through Fifo channels. The main result states that
a more rened distribution can simulate a less rened one, which in its turn allows to dene a lattice of
semantics, where every next-free Ltl property is preserved from its maximal element (most rened) to its
minimal element (single site).
We also showed how this semantics can easily be veried using the explicit state model checker Spin, using
a translation into its input language Promela. We showed that \real" size programs (here, a design withThe formal design of distributed controllers with dSL and Spin 17
more than 60 boolean variables) can be model checked using a fair amount of time and memory. This is due
to the special structure of dSL programs, where the processing phase of the input-process-output cycle can
safely be handled in a single transition in the state space.
In the future, we would like to automate the entire translation of dSL to Promela, and to apply various
algorithms such as slicing and abstraction to reduce the complexity of the resulting model. In an eort to
simplify the designer's task, we must nd an intuitive and accessible way to model the environment. Since
control of industrial processes often uses standard devices, we could provide the designer with a library of
common pre-modeled and parametrized environment behaviors. We should also provide a dSL library of
classical distributed mechanisms (i.e. semaphores, mutex).
Acknowledgments The authors gratefully acknowledge the many helpful suggestions of the reviewers
which greatly improved the overall quality of the paper.
References
[Abr96] J.-R. Abrial. The B-Book: Assigning Programs to Meanings. ISBN 0-521-49619-5. Cambridge University Press,
UK, 1996.
[Aub97] P. Aubry. Mises en oeuvre distribues de programmes synchrones (th ese). Phd thesis, IFSIC, Rennes, France,
October 1997.
[BB91] A. Benveniste and G. Berry. The synchronous approach to reactive and real-time systems. In Proceedings of the
IEEE, volume 79, pages 1270{1282, 1991.
[Ber89] G. Berry. Real time programming: Special purpose or general purpose languages. Information Processing 89, G.X.
Ritter (Ed.), Elsevier Science Publishers B.V., North-Holland, 1989. 11-18.
[BG92] Gerard Berry and Georges Gonthier. The esterel synchronous programming language: Design, semantics, imple-
mentation. Science of Computer Programming, 19(2):87{152, 1992.
[BL95] H. Brinksma and R. Langerak. Functionality decomposition by compositional correctness preserving transforma-
tion. South African Computer Journal, 13:2{13, 95.
[BMS97] F. Bonfattti, P.D. Monari, and U. Sampieri. IEC 1131-3 programming methodology. Software engineering methods
for industrial automated systems. ISBN 2-9511585-0-5. CJ International Editions, 1997.
[CMT99] I. Castellani, M. Mukund, and P. S. Thiagarajan. Synthesizing Distributed Transition Systems from Global
Specication. In Foundations of Software Technology and Theoretical Computer Science, pages 219{231, 1999.
[CPHP87] P. Caspi, D. Pilaud, N. Halbwachs, and J. Plaice. Lustre: A declarative language for programming synchronous
systems. Conf Rec 14th Ann ACM Symp on Princ Prog Langs, 1987.
[DJP+94] Elias Dahlhaus, David S. Johnson, Christos H. Papadimitriou, P. D. Seymour, and Miha lis Yannakakis. The
complexity of multiterminal cuts. SIAM J. Comput., 23(4):864{894, 1994.
[DMM03] B. DeWachter, C. Meuter, and T. Massart. dsl: An environment with automatic code distribution for industrial con-
trol systems. In M. Papatriantalou and Ph. Hunel, editors, "Principles of Distributed Systems: 7th International
Conference, volume 3114 of LNCS, pages 132{145, La Martinique, December 2003. Springer-Verlag.
[Esk90] M. Rasit Eskicioglu. Design issues of process migration facilities in distributed systems. In IEEE Computer Society
Technical Committe on Operating Systems and Application Environments Newsletter, volume 4, pages 3{13, 1990.
[Gen04] Alexandre Genon. On the verication of dsl, a language to design distributed industrial control systems. Technical
report, U.L.B., September 2004.
[Gir94] A. Girault. Sur la R epartition de Programmes Synchrones. Phd thesis, INPG, Grenoble, France, January 1994.
[HHG99] J. Hennessy, M. Heinrich, and A. Gupta. Cache-coherent distributed shared memory: Perspectives on its devel-
opment and future challenges. Proc. of the IEEE, Special Issue on Distributed Shared Memory, 87(3):418{429,
1999.
[Hol03] Gerard J. Holzmann. The Spin Model Checker - Primer and Reference Manual. Addison-Wesley Publ., 2003.
[JC02] H. Jiang and V. Chaudhary. On improving thread migration: Safety and performance. In Proceedings: 9th Interna-
tional Conference on High Performance Computing 2002, volume 2552 of LNCS, pages 474{484, Berlin, Germany,
December 2002. Springer-Verlag.
[KMC88] J. Misra K. Mani Chandy. Parallel program design: a foundation. Addison-Wesley Longman Publishing Co., Inc.,
1988.
[LGLL91] P. LeGuernic, T. Gautier, M. LeBorgne, and C. LeMaire. Programming real time applications with signal. Pro-
ceedings of the IEEE, 79(9):1321-1336, September 1991.
[LMW04] S. Leue, R. Mayr, and W. Wei. A scalable incomplete test for the boundedness of uml rt models. In K. Jensen
and A. Podelski, editors, Proceedings: 10th International Conference, TACAS 2004, volume 2988 of LNCS, pages
327{341, Barcelona, Spain, March 2004. ETAPS 2004, Springer-Verlag.
[Mas92] T. Massart. A calculus to dene correct transformations of LOTOS specications. In Proceedings of the FORTE'91
conference, pages 281{296, 1992.
[Mil81] R. Milner. On relating synchrony and asynchrony. Technical Report CSR-75-80, Computer Science Dept., Edin-
burgh Univ., 1981.
[Mil89] R. Milner. Communication and Concurrency. PHI Series in Computer Science. Prentice Hall, 1989.18 B. De Wachter, A. Genon, T. Massart and C. Meuter
[Mor99] Ren e Morin. Decompositions of Asynchronous Systems. In Proc. CONCUR'98, Springer Lect. Notes in Comp.
Sci. 1466, pages 549{565. Springer, 1999.
[MP97] C. Morin and I. Puaut. A survey of recoverable distributed shared memory systems. IEEE Trans. on Parallel and
Distributed Systems, 8(9):959{969, 1997.
[NL91] B. Nizeberg and V. Lo. Distributed shared memory: A survey of issues and algorithms. IEEE Computer, vol. 24,
no.8, pp. 52-60, Aug. 1991.
[SEM03] Alin Stefanescu, Javier Esparza, and Anca Muscholl. Synthesis of distributed algorithms using asynchronous
automata. In R. Amadio and D. Lugiez, editors, Proceedings of the 14th International Conference on Concurrency
Theory (CONCUR'03), volume 2761, pages 27{41. Springer, September 2003.
[WGM05] Bram De Wachter, Alexandre Genon, and Thierry Massart. From static code distribution to more shrinkage for
the multiterminal cut. Technical Report 537, ULB, 2005. Submitted.The formal design of distributed controllers with dSL and Spin 19
A. Proof of Theorem 1
Denition 11 (Workload distribution). Let !;!1;!2 be three workloads (i.e. sequences of instructions,
including abstract instructions). We have that (!1;!2) is a distribution of !, noted (!1;!2)  !, if and only
if
! =  ^ !1 =  ^ !2 = 
! = x;!0 and one of the following holds:
x = MSG ^ !1 = MSG;!0
1 ^ !2 = MSG;!0
2 ^ (!0
1;!0
2)  !0
x 62 fMSG;g ^ !1 = x;!0
1 ^ (!0
1;!2)  !0
x 62 fMSG;g ^ !2 = x;!0
2 ^ (!1;!0
2)  !0

Lemma 1. Given a well-formed dSL program P and D = (V1;:::;Vn), D0 = (V 0
1;:::;V 0
n;V 0
n+1) two distribu-
tions of P such that 8i 2 [1::n   1] : Vi = V 0
i and Vn = V 0
n [ V 0
n+1, let (EP
D)n = (Wn), (EP
D0)n = (W 0
n) and
(EP
D0)n+1 = (W 0
n+1), we have :
V arin(P) \ Vn = (V arin(P) \ V 0
n) [ (V arin(P) \ V 0
n+1)
V ar(P) \ Vn = (V ar(P) \ V 0
n) [ (V ar(P) \ V 0
n+1)
V arout(P) \ Vn = (V arout(P) \ V 0
n) [ (V arout(P) \ V 0
n+1)
Wn = W 0
n [ W 0
n+1

Lemma 2 (One-split simulation). Given a well-formed dSL program P and two distributions D =
(V1;:::;Vn), D0 = (V 0
1;:::;V 0
n;V 0
n+1) of P such that 8i 2 [1::n   1] : Vi = V 0
i and that Vn = V 0
n [ V 0
n+1.
We have that JPKD0 simulates JPKD:
JPKD . JPKD0
Proof. We dene a relation R  GP
D  GP
D0 such that if G = ((!G
1 ;G
1 ;G
1 );(!G
2 ;G
2 ;G
2 );:::; (!G
n;G
n;G
n))
and G0 = ((!G
0
1 ;G
0
1 ;G
0
1 );(!G
0
2 ;G
0
2 ;G
0
2 );:::;(!G
0
n ;G
0
n ;G
0
n );(!G
0
n+1;G
0
n+1;G
0
n+1)), (G;G0) 2 R if and only if:
1. (!G
i ;G
i ;G
i ) = (!G
0
i ;G
0
i ;G
0
i ), 8i 2 [1::n   1]
2. G
0
n = G
0
n+1 = G
n
3. 8x 2 (V 0
n [ ^ V ar(P) [ OldCond(W 0
n)); G
n (x) = G
0
n (x)
4. 8x 2 (V 0
n+1 [ ^ V ar(P) [ OldCond(W 0
n+1)); G
n (x) = G
0
n+1(x)
5. (!G
0
n ;!G
0
n+1)  !G
n
We prove that R is a simulation relation for JPKD and JPKD0. More precisely, we prove that if (G;G0) 2 R,
for all a 2 fg [ (V ar(P)  f!;?g  f>;?g):
8H ;

G
a  ! H

=)

9H
0 ; G
0 
a  ! H
0 ^ ((H;H
0) 2 R)

In the rest of the proof, we will use the following notation:
 H = ((!H
1 ;H
1 ;H
1 );(!H
2 ;H
2 ;H
2 );:::;(!H
n ;H
n ;H
n ))
 H0 = ((!H
0
1 ;H
0
1 ;H
0
1 );(!H
0
2 ;H
0
2 ;H
0
2 );:::;(!H
0
n ;H
0
n ;H
0
n );(!H
0
n+1;H
0
n+1;H
0
n+1)).
Moreover, given a global state G, we note (G)i the ith component of G.
The transition G
a  ! H can be derived from one of two global semantics rules: interleaving or broadcast.
[Broadcast] According to the broadcast semantics rule, if a global transition is red, it means that one of
the local processes has a BCAST(x) at the beginning of its workload. Let i denote that local process. We have
two possibilities:20 B. De Wachter, A. Genon, T. Massart and C. Meuter
1. i 6= n : since (G;G0) 2 R, we have that (G)i = (G0)i. Since the broadcast can be red by (G)i in JPKD,
it can also be red by (G0)i in JPKD0. It follows directly that:
G0   ! H0
The message is added to all Fifo channels. Therefore, Fifo channels in H and H0 are identical. It is
then easy to see that (H;H0) 2 R.
2. i = n : we have that !G
n = BCAST(x);!H
n . Moreover, since (G;G0) 2 R, we have that (!G
0
n ;!G
0
n+1)  !G
n .
Thus, by denition of , there are two possibilities:
(a) !G
0
n = BCAST(x);!H
0
n and !G
0
n+1 = !H
0
n+1, then G0   ! H0 can be deduced from the broadcast semantics
rule. The abstract instruction BCAST(x) is removed from !G
0
n , and by denition of , we have !H
n 
(!H
0
n ;!H
0
n+1). The message is added to every Fifo channel and the Fifo in H and H0 are identical. It
is then easy to see that (H;H0) 2 R.
(b) !G
0
n = !H
0
n and !G
0
n+1 = BCAST(x);!H
0
n+1, the case is symmetrical.
[Interleaving] According to the interleaving semantics rule, if a global transition is red from G, it means
that one of the local processes can re a local transition. Let i denote that local process. We have two
possibilities:
1. i 6= n : since (G;G0) 2 R, we have that (G0)i = (G)i. Since the local transition can be red by (G)i in
JPKD, it can also be red by (G0)i in JPKD0. It follows that:
G
0 a  ! H
0
Only the local process i changes, the other local processes remain unchanged. Therefore, since (H)i =
(H0)i, we have that (H;H0) 2 R.
2. i = n : this case must be considered more carefully. As (G;G0) 2 R, we have that (!G
0
n ;!G
0
n+1)  !G
n .
Let us consider each local rule separately :
[Cycle Start] In this case, we have !G
n = ; (a = ). Moreover, by denition of , we have that
!G
0
n = !G
0
n+1 = , thus, we can apply the cycle start rule in both (G0)n and (G0)n+1. Let us construct
a transition sequence performing both start cycles from G0 :
G0   ! G00   ! H0
Where
(G0)n
  ! (G00)n ^ 8i 6= n : (G0)i = (G00)i Cycle start in local process n
(G00)n+1
  ! (H0)n+1 ^ 8i 6= n + 1 : (G00)i = (H0)i Cycle start in local process n+1
Considering G0 and H0, we have the following equalities :
H
n =  1     2(where G
n =  1   2) ^ G
n = H
n

H
0
n =  1     2(where 
G
0
n =  1   2) ^ 
G
0
n = 
H
0
n
H
0
n+1 =  1     2(where G
0
n+1 =  1   2) ^ G
0
n+1 = H
0
n+1
Indeed, the valuations on the variables remain the same when the cycle start rule is applied. For the
Fifo channels, the end of message symbol () is inserted at the same place in all cases. Let us look
at !H
n , by lemma 1, we know that every input/output/WHEN treatment instruction inserted in !H
n will
be inserted either in !H
0
n or !H
0
n+1. More formally, this gives :
(Sample(V arin(P) \ V 0
n);Sample(V arin(P) \ V 0
n+1))  Sample(V arin(P) \ Vn)
(Write(V arout(P) \ V 0
n);Write(V arout(P) \ V 0
n+1))  Write(V arout(P) \ Vn)
(Treat(W 0
n);Treat(W 0
n+1))  Treat(Wn)The formal design of distributed controllers with dSL and Spin 21
Thus, we have (!H
0
n ;!H
0
n+1)  !H
n and G0   ! H0 and (H;H0) 2 R.
[Input] In this case, we have !G
n = INPUT(x);H
n ;(a = x?v). Then, as (!G
0
n ;!G
0
n+1)  !G
n , there are
two possibilities:
(a) if !G
0
n = INPUT(x);H
0
n and !H
0
n+1 = !G
0
n+1, we can apply the input semantics rule to (G0)n, thus we
have (G0)n
a  ! (H0)n. The valuation for x is modied accordingly. Thus, we have H
n = G
n [x 7! v]
and H
0
n = G
0
n [x 7! v]. Therefore, by denition of , we have that (H
0
n ;!H
0
n+1)  H
n and by
interleaving, we can perform G0 a  ! H0. In conclusion, we have :
!H
n = BCAST(x);H
n
!H
0
n = BCAST(x);H
0
n
We can conclude that (H;H0) 2 R.
(b) if !G
0
n+1 = INPUT(x);!H
0
n+1 and !H
0
n = !G
0
n , the case is symmetrical.
[Message treatment] In this case, we have !G
n = MSG;H
n , (a = ). Then, as (!G
0
n ;!G
0
n+1)  !G
n ,
we have:
!G
0
n = MSG;H
0
n
!G
0
n+1 = MSG;H
0
n+1
We can then apply the same rule to (G0)n and (G0)n+1, we then have a sequence of transitions :
G0   ! G00   ! H0
Where
(G0)n
  ! (G00)n ^ 8i 6= n(G0)i = (G00)i
(G00)n+1
  ! (H0)n+1 ^ 8i 6= n + 1(G00)i = (H0)i
If G
  ! H results from the application of the end of message treatment rule, then we have that
G
n =    . By denition of R, we have that G
n = G
0
n = G
0
n+1. Thus, we may simply apply the end
of message treatment rule to (G0)n and (G0)n+1.
If the message treatment rule is applied, then we have G
n = (x;v)0, as G
0
n = G
0
n+1 = G
n, the same
message can be read by the three processes, the valuation will be modied accordingly and the list of
whens will be inserted in the workload. We have :
!H
n = Treat(Wn=~ x)H
n
!H
0
n = Treat(W 0
n=~ x)H
0
n
!H
0
n+1 = Treat(W 0
n+1=~ x)H
0
n+1
Then, by lemma 1, we have Wn=~ x = W 0
n=~ x [ W 0
n+1=~ x. It follows that
(Treat(W 0
n=~ x);Treat(W 0
n+1=~ x))  Treat(Wn=~ x)
Moreover (H
0
n ;H
0
n+1)  H
n , and, thus, (!H
0
n ;!H
0
n+1)  !H
n . As the modications brought to the Fifo
channels and the valuations are the same, we can conclude that (H;H0) 2 R.
In all the cases, we have G0   ! H0 and (H;H0) 2 R.
[Assignment] In this case, we have !G
n = x := e;H
n ;(a = ). Then, as (!G
0
n ;!G
0
n+1)  !G
n , there are
two possibilities:
(a) if !G
0
n = x := e;H
0
n and !G
0
n+1 = !H
0
n+1, we can apply the assignment rule to (G0)n, thus (G0)n
  !
(H0)n, and, by interleaving, we have G0   ! H0. We have H
n = G
n [x 7! G
n (e)] and H
0
n = G
0
n [x 7!
G
0
n (e)]. Thus, the valuation H
n and H
0
n remain coherent. As x is not in the domain of H
0
n+1, H
0
n+122 B. De Wachter, A. Genon, T. Massart and C. Meuter
and H
n remain also coherent.
If x 2 V (P), we need to show that Wn=x = W 0
n=x, that is, they share the same set of WHENs
(partially) conditioned on this variable. Note that, by construction of W 0
n, we already have that
W 0
n  Wn and, thus, W 0
n;x  Wn=x. Let us suppose that 9w 2 Wn : w 62 W 0
n. Thus, w 2 W 0
n+1,
but w needs to access x, and the atomicity constraints induced by the WHENs are violated. Thus,
D0 would not be a distribution and we must have W 0
n=x = Wn=x. In conclusion, we have :
!H
n = BCAST(x);Treat(Wn=x);H
n
!H
0
n = BCAST(x);Treat(W 0
n=x);H
0
n
As (H
0
n ;!H
0
n+1)  H
0
n , it is straightforward to see that (!H
0
n ;!H
0
n+1)  !H
n .
The case where x 2 OldCond(P) is trivial, as nothing is inserted in the workload, we directly have
H
n = !H
n and H
0
n = !H
0
n .
In the remaining cases (x 2 V (p) or x 2 OldCond(P)), we have G0   ! H0 and, therefore,
(H;H0) 2 R.
(b) If !G
0
n+1 = x := e;H
0
n+1 and !G
0
n = !H
0
n , the case is symmetrical.
[If] In this case, we have !G
n = IF e THEN !> ELSE !? ENDIF;H
n , (a = ). Then, again, as
(!G
0
n ;!G
0
n+1)  !G
n , there are two possibilities:
(a) if !G
0
n = IF e THEN !> ELSE !? ENDIF;H
0
n and !G
0
n+1 = !H
0
n+1, we can apply the if rule to (G0)n, thus
(G0)n
  ! (H0)n and, by interleaving, we have G0   ! H0. As (G;G0) 2 R, we have G
0
n (e)G
n (e)
and the same branch of the IF statement will be executed afterwards. We then have :
!H
n = !>;H
n !H
0
n = !>;H
0
n if G
n (e) = >
!H
n = !?;H
n !H
0
n = !?;H
0
n if G
n (e) = ?
As (H
0
n ;!H
0
n+1)  H
n (by denition of ), we have (!H
0
n ;!H
0
n+1)  !H
n . In conclusion, we have
G0   ! H0 and (H;H0) 2 R.
(b) if !G
0
n+1 = IF e THEN !> ELSE !? ENDIF;H
0
n+1 and !G
0
n = !H
0
n , the case is symmetrical.
[Output] In this case, we have !G
n = OUTPUT(x);!H
n ;(a = x!v). Then, as usual, as (!G
0
n ;!G
0
n+1)  !G
n ,
there are two possibilities:
(a) if !G
0
n = OUTPUT(x);!H
0
n and !G
0
n+1 = !H
0
n+1, we can apply the output rule to (G0)n. Therefore, we
have (G0)n
a
0
 ! (H0)n and, by interleaving, G0 a
0
 ! H0. As (G;G0) 2 R, we have G
0
n (x) = (x)G
n .
Thus, a = a0, as the same value will be given in output. As (by denition of ) (!H
0
n ;!H
0
n+1)  !H
n ,
we have (H;H0) 2 R.
(b) if !G
0
n+1 = OUTPUT(x);!H
0
n+1 and !G
0
n = !H
0
n , the case is symmetrical.
Finally, it easy to prove that (G0
D;G0
D0) 2 R. Indeed, according to denition 7, both in G0
D and G0
D0,
the workloads are empty, the valuations are assigning all variables to ? and the Fifo channel are empty.
Therefore, by denition of R and by denition 11, we have (G0
D;G0
D0) 2 R and :
JPKD . JPKD0

Lemma 3 (Distribution decomposition). Let D = fV1;V2;:::;Vkg and D0 = fV 0
1;V 0
2;:::;V 0
l g be two
distributions such that D  D0. We have that there exists a nite sequence of distributions D1;:::;Dn (with
n = l   k + 1), such that
D = D1  D2  :::  Dn = D0
such that 8i 2 [2::n] : Di is obtained by one split of Di 1 The formal design of distributed controllers with dSL and Spin 23
Theorem 1 (Simulation). Given a well-formed dSL program P = (V;V ;W;W), let D = fV1;V2;:::;Vng
and D0 = fV 0
1;V 0
2;:::;V 0
l g be two distributions of P. We have that, if D0 renes D then JPKD0 simulates
JPKD:
(D  D
0) =) (JPKD . JPKD0)
Proof. This is a direct consequence of lemma 2, lemma 3, and the transitivity of the simulation relation. 
B. Lock controller : dSL source
B.1. First attempt
CLASS Gate
motor_direction, motor_command, opened, closed, order_given : BOOL;
button_open, button_close : BOOL;
END_CLASS
CLASS Lock
water_up, water_down, water_command, water_direction, water_order_given : BOOL;
bottom_gate, top_gate : GATE;
button_fill, button_empty : BOOL;
END_CLASS
GLOBAL_VAR
lock1, lock2 : Lock;
not_allowed_led : BOOL;
END_VAR
(* Gates *)
METHOD GATE::move(direction : BOOL)
self.motor_direction := direction;
self.motor_command := TRUE;
END_METHOD
METHOD GATE::reset_order_given()
self.order_given := FALSE;
not_allowed_led := FALSE;
END_METHOD
(* Equivalent to WHEN G.closed OR G.opened THEN ... for every object G of class GATE *)
WHEN IN GATE self.closed OR self.opened THEN (* W1 = self -> lock1.bottom_gate *)
self.motor_command := FALSE; (* W2 = self -> lock1.top_gate *)
LAUNCH self<-reset_order_given(); (* W3 = self -> lock2.bottom_gate *)
END_WHEN (* W4 = self -> lock2.top_gate *)
(* Locks *)
METHOD LOCK::water_move(direction : BOOL)
IF NOT self.water_down THEN
self.water_command := TRUE;
self.water_direction := direction;
END_IF;
END_METHOD
METHOD LOCK::reset_water_order_given()
self.water_order_given := FALSE;
not_allowed_led := FALSE;
END_METHOD
WHEN IN LOCK self.water_up OR self.water_down THEN (* W5 = self -> lock1 *)
self.water_command := FALSE; (* W6 = self -> lock2 *)
LAUNCH self<-reset_water_order_given();
END_WHEN24 B. De Wachter, A. Genon, T. Massart and C. Meuter
WHEN lock1.bottom_gate.button_open THEN (* W7 *)
IF (~lock1.top_gate.closed) AND (NOT lock1.top_gate.order_given) AND
(~lock1.water_down) AND (NOT lick1.water_order_given)
THEN
not_allowed_led := FALSE;
lock1.bottom_gate.order_given := TRUE;
LAUNCH lock1.bottom_gate<-move(TRUE); (*open*)
ELSE
not_allowed_led := TRUE;
END_IF;
END_WHEN
WHEN lock1.top_gate.button_open THEN (* W8 *)
IF (~lock1.bottom_gate.closed) AND (NOT lock1.bottom_gate.order_given) AND
(~lock2.bottom_gate.closed) AND (NOT lock2.bottom_gate.order_given) AND
(~lock1.water_up) AND (NOT lock1.water_order_given)
THEN
not_allowed_led := FALSE;
lock1.top_gate.order_given := TRUE;
LAUNCH lock1.top_gate<-move(TRUE); (*open*)
ELSE
not_allowed_led := TRUE;
END_IF;
END_WHEN
WHEN lock1.bottom_gate.button_close THEN (* W9 *)
LAUNCH lock1.bottom_gate<-move(FALSE); (*close*)
END_WHEN
WHEN lock1.top_gate.button_close THEN (* W10 *)
LAUNCH lock1.top_gate<-move(FALSE); (*close*)
END_WHEN
WHEN lock1.button_fill THEN (* W11 *)
IF (~lock1.bottom_gate.closed) AND (NOT lock1.bottom_gate.order_given) AND
(~lock1.top_gate.closed) AND (NOT lock1.top_gate.order_given)
THEN
not_allowed_led := FALSE;
lock1.water_order_given := TRUE;
LAUNCH lock1<-water_move(TRUE);
ELSE
not_allowed_led := TRUE;
END_IF;
END_WHEN
WHEN lock1.button_empty THEN (* W12 *)
IF (~lock1.bottom_gate.closed) AND (NOT lock1.bottom_gate.order_given) AND
(~lock1.top_gate.closed) AND (NOT lock1.top_gate.order_given)
THEN
not_allowed_led := FALSE;
lock1.water_order_given := TRUE;
LAUNCH lock1<-water_move(FALSE);
ELSE
not_allowed_led := TRUE;
END_IF;
END_WHEN
WHEN lock2.bottom_gate.button_open THEN (* W13 *)
... (* Same as W8, replace lock1 with lock2 ; switch top, bottom; switch up, down *)
WHEN lock2.top_gate.button_open THEN (* W14 *)
... (* Same as W7, replace lock1 with lock2 ; switch top, bottom; switch up, down *)
WHEN lock2.bottom_gate.button_close THEN (* W15 *)
LAUNCH lock2.bottom_gate<-move(FALSE); (*close*)
END_WHENThe formal design of distributed controllers with dSL and Spin 25
WHEN lock2.top_gate.button_close THEN (* W16 *)
LAUNCH lock2.top_gate<-move(FALSE); (*close*)
END_WHEN
WHEN lock2.button_fill THEN (* W17 *)
... (* Same as W11, replace lock1 with lock2 *)
WHEN lock2.button_empty THEN (* W18 *)
... (* Same as W12, replace lock1 with lock2 *)
(* main program *)
SEQUENCE init
not_allowed_led := FALSE;
END_SEQUENCE
B.2. Second attempt
(* Same as attempt 1, without the order given instructions : *)
CLASS GATE ... END_CLASS
CLASS LOCK ... END_CLASS
METHOD GATE::open() ... END_METHOD
METHOD GATE::close()... END_METHOD
METHOD GATE::reset_order_given() ... END_METHOD
WHEN IN GATE self.closed OR self.opened THEN ... END_WHEN
METHOD LOCK::empty() ... END_METHOD
METHOD LOCK::fill() ... END_METHOD
(* Commands on lock1 *)
WHEN lock1.bottom_gate.button_open AND NOT disabled THEN
disabled := true;
LAUNCH open_bottom_gate_lock1;
END_WHEN
SEQUENCE open_bottom_gate_lock1
VAR
check : bool;
END_VAR
check := (lock1.top_gate.closed AND lock1.water_down);
IF check THEN
not_allowed_led := FALSE;
LAUNCH lock1.bottom_gate<-open();
ELSE
not_allowed_led := TRUE;
END_IF;
disabled := false;
END_SEQUENCE
WHEN lock1.top_gate.button_open AND NOT disabled THEN
disabled := true;
LAUNCH open_top_gate_lock1;
END_WHEN
SEQUENCE open_top_gate_lock1
VAR
check : bool;
END_VAR
check := (lock1.bottom_gate.closed AND lock1.water_up);
check := (check AND lock2.bottom_gate.closed);
IF check THEN
not_allowed_led := FALSE;
LAUNCH lock1.top_gate<-open();
ELSE
not_allowed_led := TRUE;26 B. De Wachter, A. Genon, T. Massart and C. Meuter
END_IF;
disabled := false;
END_SEQUENCE
WHEN lock1.bottom_gate.button_close THEN
LAUNCH lock1.bottom_gate<-close();
END_WHEN
WHEN lock1.top_gate.button_close THEN
LAUNCH lock1.top_gate<-close();
END_WHEN
WHEN lock1.button_fill AND NOT disabled THEN
disabled := true;
LAUNCH fill_lock1;
END_WHEN
SEQUENCE fill_lock1
VAR
check : bool;
END_VAR
check := (lock1.top_gate.closed AND lock1.bottom_gate.closed);
IF check THEN
not_allowed_led := FALSE;
LAUNCH lock1<-fill();
ELSE
not_allowed_led := TRUE;
END_IF;
disabled := false;
END_SEQUENCE
WHEN lock1.button_empty AND NOT disabled THEN
disabled := true;
LAUNCH empty_lock1;
END_WHEN
SEQUENCE empty_lock1
(* same as fill_lock1, replace empty() with fill() *)
...
(* Commands on lock2 : same as commands on lock1,
replace lock1 with lock2,
switch top and bottom,
switch up and down. *)
...
SEQUENCE init
not_allowed_led := FALSE;
SEQUENCE