23 research outputs found

    A timeband framework for modelling real-time systems

    Complex real-time systems must integrate physical processes with digital control, human operation and organisational structures. New scientific foundations are required for specifying, designing and implementing these systems. One key challenge is to cope with the wide range of time scales and dynamics inherent in such systems. To exploit the unique properties of time, with the aim of producing more dependable computer-based systems, it is desirable to explicitly identify distinct time bands in which the system is situated. Such a framework enables the temporal properties and associated dynamic behaviour of existing systems to be described and the requirements for new or modified systems to be specified. A system model based on a finite set of distinct time bands is motivated and developed in this paper.

    Reasoning About the Reliability of Multi-version, Diverse Real-Time Systems

    This paper is concerned with the development of reliable real-time systems for use in high integrity applications. It advocates the use of diverse replicated channels, but does not require the dependencies between the channels to be evaluated. Rather it develops and extends the approach of Littlewood and Rushby (for general systems) by investigating a two channel system in which one channel, A, is produced to a high level of reliability (i.e. has a very low failure rate), while the other, B, employs various forms of static analysis to sustain an argument that it is perfect (i.e. it will never miss a deadline). The first channel is fully functional, the second contains a more restricted computational model and contains only the critical computations. Potential dependencies between the channels (and their verification) are evaluated in terms of aleatory and epistemic uncertainty. At the aleatory level the events "A fails" and "B is imperfect" are independent. Moreover, unlike the general case, independence at the epistemic level is also proposed for common forms of implementation and analysis for real-time systems and their temporal requirements (deadlines). As a result, a systematic approach is advocated that can be applied in a real engineering context to produce highly reliable real-time systems, and to support numerical claims about the level of reliability achieved.

    Deriving specifications of control programs for cyber physical systems

    Cyber Physical Systems (CPS) exist in a physical environment and comprise both physical components and a control program. Physical components are inherently liable to failure and yet an overall CPS is required to operate safely, reliably and cost effectively. This paper proposes a framework for deriving the specification of the software control component of a CPS from an understanding of the behaviour required of the overall system in its physical environment. The two key elements of this framework are (i) an extension to the use of rely/guarantee conditions to allow specifications to be obtained systematically from requirements (as expressed in terms of the required behaviour in the environment) and nested assumptions (about the physical components of the CPS); and (ii) the use of time bands to record the temporal properties required of the CPS at a number of different granularities. The key contribution is in combining these ideas; using time bands overcomes a significant drawback in earlier work. The paper also addresses the means by which the reliability of a CPS can be addressed by challenging each rely condition in the derived specification and, where appropriate, improving robustness and/or defining weaker guarantees that can be delivered with respect to the corresponding weaker rely conditions.

    A Rely-Guarantee Specification of Mixed-Criticality Scheduling

    The application considered is mixed-criticality scheduling. The core formal approaches used are Rely-Guarantee conditions and the Timeband framework; these are applied to give a layered description of job scheduling which includes resilience to jobs overrunning their expected execution time. A novel formal modelling idea is proposed to handle the relationship between actual time and its approximation in hardware clocks. Comment: This paper will appear in a Festschrift; on publication we will insert a pointer to the boo

    Timed Circus: Timed CSP with the miracle

    Timed Circus is a compact extension to Circus; that is, it inherits only the CSP part of Circus while introducing time. Although it looks much like timed CSP from the viewpoint of syntax, its semantics is very different from that of timed CSP because it uses a complete lattice in the implication ordering instead of the complete partial order of the standard failures-divergences model of CSP. The complete lattice gives rise to a number of strange processes which violate some axioms of CSP, especially when the miracle (the top element) and SKIP meet time. In this paper, compared with timed CSP, we will extensively explore such strange processes which turn out to be very useful in specifying a distinct property that 'something must occur'. Finally, we use a simple example to demonstrate how our model can contribute to modelling temporal behaviours with multiple time scales in complex systems.

    Reasoning algebraically about refinement on TSO architectures

    The Total Store Order memory model is widely implemented by modern multicore architectures such as x86, where local buffers are used for optimisation, allowing limited forms of instruction reordering. The presence of buffers and hardware-controlled buffer flushes increases the level of non-determinism from the level specified by a program, complicating the already difficult task of concurrent programming. This paper presents a new notion of refinement for weak memory models, based on the observation that pending writes to a process' local variables may be treated as if the effect of the update has already occurred in shared memory. We develop an interval-based model with algebraic rules for various programming constructs. In this framework, several decomposition rules for our new notion of refinement are developed. We apply our approach to verify the spinlock algorithm from the literature.

    Formalised responsibility modelling for automated socio-technical systems analysis

    Modelling the structure of socio-technical systems as a basis for informing software system design is a difficult compromise. Formal methods struggle to capture the scale and complexity of the heterogeneous organisations that use technical systems. Conversely, informal approaches lack the rigour needed to inform the software design and construction process or enable automated analysis. We revisit the concept of responsibility modelling, which models socio-technical systems as a collection of actors who discharge their responsibilities, whilst using and producing resources in the process. In this thesis responsibility modelling is formalised as a structured approach for socio-technical system specification and modelling, with well-defined semantics and support for automated structure and validity analysis. We provide structured definitions for entity types and relations, and define the semantics of delegation and dependency. A constraint logic is introduced, providing simple specification of complex interactions between entities. Additionally, we introduce the ability to explicitly model uncertainty. To support this formalism, we present a new software toolkit that supports modelling and automatic analysis of responsibility models in both graphical and textual form. The new methodology is validated by applying it to case studies across different problem domains. A study of nuclear power station emergency planning is validated by comparison to a similar study performed with earlier forms of responsibility modelling, and a study of the TCAS mid-air collision avoidance system is validated by evaluation with domain experts. Additionally, we perform an explorative study of responsibility modelling understanding and applicability through a qualitative study of modellers.

    Model for forecasting residential heat demand based on natural gas consumption and energy performance indicators

    The forecasting of energy and natural gas consumption is a topic that spans different temporal and spatial scales and addresses scenarios that vary significantly in consistency and extension. Therefore, although forecasting models share common aims, the specific scale at which each model has been developed strongly impacts its features and the parameters that are to be considered or neglected. There are models designed to handle time scales, such as decades, years, and months, down to daily or hourly models of consumption. Similarly, there are patterns of forecasted consumption that range from continents or groups of nations down to the most limited targets of single individual users, passing through all intermediate levels. This paper describes a model that is able to provide a short-term profile of the hourly heat demand of end-users of a District Heating Network (DHN). The simulator uses the hourly natural gas consumption of large groups of users and its correlation with the outside air temperature. Next, a procedure based on standards for estimating the energy performance of buildings is defined to scale results down to single-user consumption. The main objective of this work is to provide a simple and fast tool that can be used as a component of wider models of DHNs to improve the control strategies and the management of load variations. The novelty of this work lies in the development of a plain algebraic model for predicting hourly heat demand based only on average daily temperature and historical data of natural gas consumption. Whereas aggregated data of natural gas consumption for groups of end users are measured hourly or even more frequently, the thermal demand is typically evaluated over a significantly longer time horizon, such as a month or more. Therefore, the hourly profile of a single user's thermal demand is commonly unknown, and only long-term averaged values are available and predictable. With this model, used in conjunction with common weather forecasting services that reliably provide the average temperature of the following day, it is possible to predict the expected hourly heat demand one day in advance and day-by-day.