The present invention relates to a new reactive system and a method for implementing thereof, and particularly, although not exclusively, to reusing an existing reactive system in a new reactive system.
A reactive system is implemented to produce certain outputs or desired responses in response to an input or an event. For example, a computer may be used as a reactive system for calculating a sum of two numbers, in which the two numbers are the inputs and the sum is the output. In an alternative example, a lighting system is a reactive system that may be used to light up one or more lighting elements in response to an actuation of a dimmer in the lighting system.
Different reactive systems may be implemented with different scales and complexities. In some industrial scale reactive systems, the complexity of the system is extremely high and thus may require large amount of effort in the development of such reactive system.
On the other hand, reactive systems are usually specifically designed and implemented. Thus it is generally not possible that an existing reactive system may be used for a new application with different requirements since the input/output for the existing reactive system may not be compatible with the new application.
In accordance with the first aspect of the present invention, there is provided a method for implementing a new reactive system comprising the steps of:
In an embodiment of the first aspect, wherein the supervisory control is arranged to modify a predefined processing pattern of the existing reactive system with the supervisory control rule set to a modified processing pattern for use in the new reactive system.
In an embodiment of the first aspect, wherein the existing reactive system is arranged to process the at least one input to produce the at least one output based on the predefined processing pattern.
In an embodiment of the first aspect, wherein the existing reactive system is a black-box system.
In an embodiment of the first aspect, wherein a modification to the existing reactive system is prohibited.
In an embodiment of the first aspect, the method further comprises the step of indicating at least one incompatible input to the new reactive system whereupon a determination of an incompatibility between the at least one output produced by the existing reactive system and the expected output.
In an embodiment of the first aspect, wherein the supervisory control is arranged to modify the predefined processing pattern to the modified processing pattern whereupon the reactive system receives an incompatible input.
In an embodiment of the first aspect, wherein the supervisory control is arranged to prevent the at least one incompatible input from being processed by the existing reactive system.
In an embodiment of the first aspect, wherein the supervisory control is arranged to prevent an incompatible output from being produced by the new reactive system.
In an embodiment of the first aspect, wherein the supervisory control is arranged to prevent an execution of an instruction being incompatible to the existing reactive system.
In an embodiment of the first aspect, wherein the steps of comparing the at least one output with an expected output representative of an output expected to be obtained by applying the at least one input to the new reactive system and determining if the at least one output would be compatible with the expected output are steps of a learning-based test.
In an embodiment of the first aspect, wherein the learning-based test further comprises the step of receiving at least one requirement associated with the at least one input and the expected output, wherein the at least one requirement is expressed using Propositional Linear Temporal Logic.
In an embodiment of the first aspect, wherein the learning-based test further comprises the step of obtaining a constructed hypothesis model for the existing reactive system.
In an embodiment of the first aspect, wherein the compatibility between the at least one output and the expected output of the new reactive system is represented by a verdicts set arranged to indicate whether the at least one requirement are satisfied.
In an embodiment of the first aspect, the method further comprises the steps of:
In accordance with the second aspect of the present invention, there is provided a new reactive system comprising:
In an embodiment of the second aspect, wherein the supervisory control is arranged to modify a predefined processing pattern of the existing reactive system with the supervisory control rule set to a modified processing pattern for use in the new reactive system.
In an embodiment of the second aspect, wherein the existing reactive system is arranged to process the at least one input to produce the at least one output based on the predefined processing pattern.
In an embodiment of the second aspect, wherein the existing reactive system is a black-box system.
In an embodiment of the second aspect, wherein a modification to the existing reactive system is prohibited.
In an embodiment of the second aspect, wherein the processing module is further arranged to indicate at least one incompatible input to the new reactive system whereupon a determination of an incompatibility between the at least one output produced by the existing reactive system and the expected output.
In an embodiment of the second aspect, wherein the supervisory control is arranged to modify the predefined processing pattern to the modified processing pattern whereupon the reactive system receives an incompatible input.
In an embodiment of the second aspect, wherein the supervisory control is arranged to prevent the at least one incompatible input from being processed by the existing reactive system.
In an embodiment of the second aspect, wherein the supervisory control is arranged to prevent an incompatible output from being produced by the new reactive system.
In an embodiment of the second aspect, wherein the supervisory control is arranged to prevent an execution of an instruction being incompatible to the existing reactive system.
In an embodiment of the second aspect, wherein the processing module is arranged to employ a learning-based test to the new reactive system so as to determine the compatibility between the at least one output and the expected output.
In an embodiment of the second aspect, wherein the processing module is further arranged to receive at least one requirement associated with the at least one input and the expected output, wherein the at least one requirement is expressed using Propositional Linear Temporal Logic.
In an embodiment of the second aspect, wherein the processing module is further arranged to obtain a constructed hypothesis model for the existing reactive system.
In an embodiment of the second aspect, wherein the compatibility between the at least one output and the expected output of the new reactive system is represented by a verdicts set arranged to indicate whether the at least one requirement are satisfied.
In an embodiment of the second aspect, wherein the processing module is further arranged to repeat learning-based test against the new reactive system with the supervisory control to determine if at least one new output produced by the new reactive system would be compatible with the expected output, wherein the supervisory control rule set is modified based on a compatibility between the at least one new output and the expected output.
Embodiments of the present invention will now be described, by way of example, with reference to the accompanying drawings in which:
The inventors have, through their own research, trials and experiments, devised that software reuse is an effective approach to addressing software crisis in modern software engineering. Reactive systems perform state-based nonterminating processes that are interrupt-driven and interact with the environment in order to enable, enforce, or prevent certain behaviour in the environment. In real applications of black-box reactive systems, the source code and development models of the reused components are often unavailable, so it is not possible to modify its internals. In many domains, such as dependable systems, component based development is utilized to a lesser degree, since the reused software components must satisfy requirements critically before they are reused to assure the foundational quality. If a component does not satisfy a user requirement, and it can neither be modified either, the developer has to abandon it and develop a new one. The development process cannot enjoy the benefit of software reuse. This research proposes a remedy for the failed components and still enables software reuse.
The control logic of the fault prevention component may be designed by the supervisory control theory of logical discrete-event systems. The theory enforces a plant to follow its requirement behaviour through a closed-loop supervisor. In the theory, a plant is modelled as a finite state automaton. A set of requirements for the plant is also specified as finite state automata. The theory derives methods and tools that can automatically synthesize a maximally permissive supervisor that governs the plant to meet the specifications. The supervisor is maximally permissive since it allows the largest freedom to the plant. However, when a plant is a black-box reactive system, the source code and its logical model is unknown. Supervisory control theory is hence not directly applicable to the black-box system. This paper utilizes an automata learning algorithm to construct a logical model for the black-box reactive system, such that the application domain of supervisory control theory is enlarged.
Automata learning is defined as the process of learning an unknown regular grammar given some additional information. Some classical algorithms are the ID algorithm, the L* algorithm and the RPNI algorithm. These algorithms construct a hypothesis automaton at one-time, while the RPNI2 algorithm, IID algorithm, and IDS algorithm produce hypothesis automaton models incrementally. Automata learning algorithms may be gradually used in software engineering such as formal verification, software testing, model inference and so on. These algorithms are mostly cantered on learning an abstraction model of a complex software system, such that the behaviour of a system can be analysed statistically.
Among these techniques, learning-based testing is a technique for specification-based black-box requirements testing. Learning-based testing may be used to test procedural systems and reactive systems. Combining automata learning algorithms with model checking technology, LBTest is a practical tool for producing high-quality test cases for reactive systems testing. Not only is a set of efficient test cases with high coverage percentage produced by LBTest, but it also iteratively builds hypothesis automata models for the system under test.
Automata learning algorithms combined with supervisory control theory are studied. If the specification is clear but not formalized as an automaton, L* learning algorithm may be used to synthesize a supervisor without the specification model. Queries may be used to an equivalence oracle and an incomplete membership oracle in the L* to learn a minimal deterministic finite automaton consistent with the supremal controllable sublanguage of a known specification language and an unknown plant. An automatic decentralized supervisor synthesis method may be used for an unknown plant using the L* algorithm. However, all these aforementioned methods do not focus on the control for actual black-box systems. The inventors devise that when a plant to be controlled is an executable black-box reactive system without source code and a logical model, supervisory control theory may be applied to enjoy the benefit of software reuse.
With reference to
In this embodiment, one or more input is applied to the existing reactive system to produce a corresponding output based on a predefined processing pattern of the existing reactive system. The predefined processing pattern is used to govern the transformation of one or more input to one or more output in a fixed and repeatable manner, such that every time the reactive system may produce identical output(s) whereupon receiving corresponding input(s).
In this embodiment, new reactive system, the processing module and the existing reactive system are implemented by or for operation on a computer. The computer may be implemented by any computing architecture, including stand-alone PC, client/server architecture, “dumb” terminal/mainframe architecture, or any other appropriate architecture. The computing device is appropriately programmed to implement the invention.
Referring to
The server may include storage devices such as a disk drive 108 which may encompass solid state drives, hard disk drives, optical drives or magnetic tape drives. The server 100 may use a single disk drive or multiple disk drives. The server 100 may also have a suitable operating system 116 which resides on the disk drive or in the ROM of the server 100.
The system has a database 120 residing on a disk or other storage device which is arranged to store at least one record 122. The database 120 is in communication with the server 100 with an interface, which is implemented by computer software residing on the server 100. Alternatively, the database 120 may also be implemented as a stand-alone database system in communication with the server 100 via an external computing network, or other types of communication links.
With reference to
In this embodiment, the new reactive system 200 is implemented by including or reusing an existing reactive system 202 which may be originally designed for other applications or systems. Therefore such existing reactive system 202 may be partially not compatible with a new application or system which includes the new reactive system 200.
The new reactive system 200 is designed to fulfil a number of predefined requirements which may be expressed as one or more expected output representing an output expected to be obtained by applying certain inputs to the new reactive system 200. Such expected output may be partially different from the output produced by the existing reactive system 202 when the same input is applied to the existing reactive system 202.
In some example embodiments, the existing reactive system 202 and/or the new reactive system 200 is implemented as computer-executable instructions and the abovementioned software reuse method may be applied. Alternatively, one or more components of the new reactive system 200 including the existing reactive system 202 may be differently implemented, such as a programmable logic unit, a microcontroller, or any other suitable processing unit which may operate as part or whole of a reactive system.
Preferably, the processing module 204 is arranged to compare the output and the expected output so as to determine the compatibility between the expected output and the output produced by the existing reactive system 202. The determined compatibility may be used for indicating one or more input which is incompatible for the new reactive system 200. For example, a faulty or undesired output (which fails to match with the expected output) may be produced by the existing reactive system 202 in response to the applied incompatible input to the existing reactive system 202, or the existing reactive system 202 may execute one or more incompatible instructions in response to such incompatible input applied which may further cause an operation failure of the reactive system.
Due to a limitation that the existing reactive system 202 may be a black-box system which may prohibit a modification to the existing reactive system 202, it is not possible to modify internal processing pattern of the existing reactive system 202 associated with the inputs and the outputs. Therefore it is unavoidable that the existing produces faulty outputs when incompatible inputs are applied to the new reactive system 200 and hence the existing reactive system 202.
For example, the black-box system 202 may be implemented with instructions or source codes which are unknown to a developer of a new reactive system 200, and the modification to these internal instructions or source codes is not possible. It is desirable to prevent the produced incompatible or faulty output from being produced as a new output of the new reactive system 200.
Preferably, the determined compatibility may be further used for generating a supervisory control rule set arranged for supervisory control of the existing reactive system 202. For example, the supervisory control may be arranged to modify the predefined processing pattern with the supervisory control rule set to a modified processing pattern for use in the new reactive system 200, such that the new reactive system 200 may only produces desired and/or correct output in response to one or more applied input based on the modified processing pattern. Preferably, the supervisory control is implemented as a computer-executable program.
For example, the supervisory control may be arranged to modify the predefined processing pattern to the modified processing pattern whereupon the reactive system receives an incompatible input. This may include preventing a incompatible input from being processed by the existing reactive system 202 such that the existing reactive system 202 does not produce a faulty output, or preventing an incompatible output from being produced by the new reactive system 200 when such incompatible output is produced by the existing reactive system 202 in response to the applied incompatible input to the new reactive system 200.
In an example embodiment, the processing module 204 is arranged to perform a test (such as a learning-based test) so as to compare the output produced by the existing reactive system 202 and the expected output and to determine the compatibility between the outputs with a number of steps described as follows:
A deterministic finite automaton, denoted by A, is a quintuple A=(Q,Σ,δ,q0,Qm),
where:
The language generated by automaton A is:
={sεΣ*|ε(q0) is defined}.
The language marked by automaton A is:
m(A)={sε(A)|δ(q0,s)εQm}.
(A) is the generated language of A, while m(A) is its marked language. The prefix closure of language is the language, denoted by consisting of all the prefixes of all the strings in . Formally, ={sεΣ*|(∃tεΣ)[stε]} is obtained.
Supervisory control theory (SCT) is a branch of systems control theory concerning the logical behavior of discrete-event systems (DES). Assume a DES, namely a plant, modeled by an automaton G with an event set Σ. The specifications that the plant must satisfy are specified as an automaton ii that has the same event set as G. The premise is that the behavior of G may not act as the specifications and must be modified through feedback control. In order to alter the behavior of G, a supervisory controller is introduced, which is denoted by an automaton V. The function of the supervisor V is to restrict the behavior of the plant model G to a proper subset of m(G) that satisfies the specifications (H). It is desirable to adjoin a supervisor V interacting with G in a feedback manner to meet the specification model.
Let Σ be partitioned into two disjoint subsets Σc and Σu, where Σ=Σc∪Σu. Σc is the set of controllable events: the events can be prevented from happening or disabled by the supervisor V. Σu is the set of uncontrollable events: the events cannot be prevented from happening or disabled by the supervisor V. The transition function of G can be controlled by V in the sense that the controllable events of G can be dynamically disabled by V. Γ={γε2Σ|Σu⊂γ⊂Σ} is the set of control patterns, each of which is a set of events allowed to occur. Formally, a supervisor control for G is a mapping V: (G)→Γ. The pair (G,V) can be written as V/G, suggesting “G under the supervision of V”. Assume K⊂Σ*. Let KΣu denote the set of strings of the form sσu with sεK and σuεΣu. Then a language KεΣs is controllable with respect to G if and only if
={K⊂|K is controllable with respect to G}.
The supremal element of (E) is sup (E)=∪{K|Kε(E)}, which denotes the maximally permissive supervisor for G.
In an example embodiment, the learning-based test further comprises the step of receiving at least one requirement associated with the at least one input and the expected output, wherein the at least one requirement is expressed using Propositional Linear Temporal Logic.
Propositional linear temporal logic (PLTL) is a logical formalism specifying linear temporal properties of reactive systems. PLTL formulae over the set AP of atomic propositions are formed according to the following grammar:
φ::=true|αφ1φ2|:φ|φ1∪φ2,
where αεAP and both φ1 and φ2 are PLTL formulas. The full power of propositional logic is obtained by using the boolean connectives and , ◯ is the next operator, standing for the next state. The until operator u allows to derive the temporal modalities ⋄ and □, where ⋄ means eventually (or in the future) and □ has the meaning of always (from now on forever). ⋄φ=true∪φ, while □φ=⋄φ.
The basic idea of learning-based testing (LBT) is to automatically generate a large number of high-quality test cases by combing a model checking algorithm with an incremental model learning algorithm. The two algorithms are applied to the system under test (SUT) in iterative feedback loops which optimize test cases construction based on previous test outcomes. Test verdicts are test results indicating whether the tests are passed or not. LBTest is a practical tool for LBT of reactive systems. For reactive systems software testing, it is conventional to assume that an SUT can be adequately modeled by an automaton model. By using test cases as queries, it is possible to construct a logical hypothesis model for a black-box reactive system without a priori model.
An important assumption of automata learning algorithms is that the SUT is deterministic in its behavior. Furthermore, an automaton learning algorithm may only be guaranteed to terminate if the input and output events sets are finite. When an SUT involves infinite data types such as integer or floating point types, they must be finitely approximated using appropriate representative values. In an example embodiment, LBTest requires four data components:
1) a black-box reactive system under testing S;
2) a PLTL requirements set R;
3) a constructed hypothesis model M for S;
4) a verdicts set VE indicating whether the requirements are satisfied or not.
In the above four data components, 1) and 2) are basic input data, whereas 3) and 4) are output data. Preferably, a constructed hypothesis model for the existing reactive system 202 is obtained as a testing result of LBT, and the compatibility between the at least one output and the expected output of the new reactive system 200 is represented by a verdicts set arranged to indicate whether the at least one requirement are satisfied. If both the input data are available, one can use LBTest properly.
In an example embodiment, LBT and SCT may be integrated for the implementation of a new reactive system 200 which includes the existing reactive system 202. Before integrating an existing software component, the developer must test whether the component meets all system requirements. If the component violates any requirement, it must be modified if possible. In real applications, however, the source code and development models of the reused component are often unavailable. Then the problematic component has to be abandoned and the developer must develop a new software component. The development process thus cannot enjoy the benefit of software reuse. In order to enjoy the benefit of software reuse, the present invention provides a remedy for the failed component. The “fault prevention” remedy can monitor the reactive system behavior and prevents it from reaching faulty states.
For the application of SCT, an automaton model for a plant is essential. However, the logical model of a black-box reactive system is unavailable. In an embodiment of the invention, it is achieved by introducing an automata learning algorithm, which infers an automaton model for the black-box reactive system on the basis of all available input and output data. Using LBTest, a logical automaton model for the reactive system can be constructed automatically. The user requirements are written in PLTL, which can be checked in LBTest using model checker μSMV. Simultaneously, a plenty of test cases are generated, which are used for requirements test. When LBTest finishes the testing, verdicts for each requirement are given. If the system does not pass the test, counter examples are given. Advantageously, an online fault prevention program may be used to avoid the fault sequences, rather than completely abandon the reused software or existing reactive system 202.
The automaton model constructed by LBTest is employed as a logical model of the system. The requirements are described by another automaton. A supervisor for the system model restricted to the requirements is computed using SCT. By adjoining the supervisor, it will be possible to vary the language generated by the plant model within certain limits. The whole behavior of system is governed. Then the supervisor is transformed to an executable program. This control program is patched to the reused component to monitor the system behavior and govern it to act as user requirements.
In one example embodiment, the method for implementing a new reactive system 200 may comprise procedures as follows. Firstly, a learning-based testing technique is employed to thoroughly test the reactive system against design requirements. At the same time, a plenty of hypothesis automaton models for the reactive system are built iteratively according to the relationship of input and output trajectories. If the system passes the test, the reused software component satisfies the development requirements; otherwise, the reused software component fails the requirements. In the latter case, supervisory control theory is subsequently applicable to produce a supervisor for the constructed automaton of the system. Then the supervisor is transformed to an executable program to control the given black-box reactive system 202. Finally, in order to assure the satisfiability of user requirements, the system under control, including the reused software reactive system, and the added executable program for the supervisor, is tested again by LBTest to confirm the satisfaction to the requirements.
With reference to
Prepare a wrapper for the reactive system.
First of all, with reference to
fin: Σin→X is a function with domain Σin and codomain X. fin(σ)={x|xεX}, where σεΣin. fin is an injective function.
fout(y)={q|qεPwr(Σout)}, where yεY and Pwr(Σout) is the power set of Σout. fout:Y→Pwr(Σout) is a function with domain Y and codomain Pwr(Σout). fout is an injective and many to one function.
The larger Σin is, the more realistic the system is simulated. The finer Y is partitioned, the more precise the model is. The combination of P and W can be seen as an SUT S, which is one of the input data of LBTest. When P involves infinite data types, both the input data and output data must be finitely approximated using other appropriate discrete values in W, which can be denoted by events set Σin and Σout, respectively. W can be written in Java. Then S is produced in the form of a .jar file.
Formalize user requirements as a PLTL formula.
At the very beginning, user requirements may be given in natural languages. An atomic proposition set AP must be derived according to Σin and Σout. In real applications, an input event in Σin is either controllable or uncontrollable. Assume Σin=Σin
Test the SUT with LBTest.
Both S and P are loaded into LBTest. A hypothesis automaton model G for S associated with R is produced. When S is sufficiently small to be fully learned, LBT is a sound and complete method to detect errors. However, for S of an industrial size, the use of incremental learning algorithms is essential to achieve scalable testing. Meanwhile, a series of test cases are generated. In this procedure, the satisfiability of R is tested effectively. A verdict V E ε{‘Pass’, ‘Warnings’, ‘Failed’} is produced. If VE=‘Pass’, the verification process terminates. Otherwise, turn to Step 4.
Construct an automaton model for user requirements.
According to SCT, specifications may be specified as an automaton. Then a supervisor V can be computed to govern the plant to meet. Assume E=(H).
Compute a Supervisory Controller for G by SCT.
G can be used as a plant model.
There are two kinds of automata learning algorithms used in LBTest: complete learning such as L* and incremental learning such as IKL. The output automata for both algorithms are DFAs, which are generators of formal languages. Thus, G can be used as a plant model.
An automaton which is behavioral equivalence to the system can be constructed.
If a complete learning algorithm such as Ls is used in LBTest, a complete model that is behavior equivalent to the system is constructed. If an incremental learning algorithm such as IKL is used in LBTest, a series of hypothesis models M1, M2, . . . , Ml are generated. This sequence M1, M2, . . . , Ml will finitely converge to an behavioral equivalent model M for P, when the test cases are sufficiently large. So, a behavioral equivalence model for the system can always be constructed.
A maximally permissive supervisor for G restricted to H is computed using SCT. Control actions can be derived from the supervisors. There are also some tools for SCT computation (TCT, DESUMA, Supremica, etc.), which may be used to compute a supervisor automatically. Then, a supervisory V for G is built. If (V)=Ø, G is restricted too strictly to follow the behavior of the requirements. Otherwise, turn to Step 6.
Implement the supervisor as an executable program.
According to the control actions of the supervisor V, an executable program EP such as a Java program is derived. The program monitors the behavior of P and prevents it from entering “faulty program section”.
Program control for the black-box system.
By monitoring the behavior of the system, EP enforces the black-box reactive system P to follow the behavior of the requirement R. With reference to
Test the complete system under control.
Optionally, the learning-based test may be repeatedly applied against the new reactive system 200 with the supervisory control to determine if at least one new output produced by the new reactive system 200 would be compatible with the expected output; and the supervisory control rule set further modified based on a compatibility between the at least one new output and the expected output.
The SUT derived in Step 7 is regarded as a new system. It is tested again in LBTest according to Step 1 to Step 3 to assure the satisfiability for R. Then the whole work for the proposed method terminates. Otherwise, turn to Step 3 to construct a more realistic model for P by prolonging a longer learning time. If P is a large system, a longer learning time should be set in LBTest to produce a more precise model as far as possible.
The method can terminate.
If G is a behavioral equivalence model for P, whether (V)=Ø or not the proposed method can terminate according to the above discussion. If S′ does not pass the test, a new model for P can be constructed in LBTest by setting a longer learning time. Then turn to Step 4. According to Proposition 2, an automaton which is behavioral equivalence to the system can be constructed in finite time as long as the input and output data sets are sufficiently large. Then the proposed method terminates.
From Step 1 to Step 3, LBT is used for system requirements testing and hypothesis automaton model constructing of the black-box reactive system 202. From Step 4 to Step 5, SCT is used to compute a supervisor for the system model. From Step 6 to Step 7, the supervisor is transformed to an executable program to govern the black-box reactive system 202 to follow the behavior of user requirements. In the final step, the system under control is tested to assure the satisfiability of user requirements. In conclusion, the proposed method enlarges the application domain of SCT to control black-box reactive system 202. And a component may be reused even if it does not satisfy user requirements at first.
These embodiments are advantages in that the method discussed adds a “fault prevention” component that monitors the reactive system behavior and prevents it from reaching faulty sections by integrating learning-based testing and supervisory control of discrete-event systems. The method is effective as long as the input and corresponding output data of reactive systems are observable.
Advantageously, the method iteratively builds automaton models of the reactive system according to the relationship of input and output trajectories of the system. Such that the constructed automata models are used to generate high efficiency test cases to reach high test coverage percentage. If the system under test does not satisfy user requirements, SCT is subsequently applied to produce a supervisor for the constructed model of the system.
The supervisor may be transformed to an executable program to monitor the behavior of the integrated system, including the reused reactive system and the control program. Therefore, the control program may prevent the black-box reactive system from reaching faulty program sections. In addition, in order to assure satisfiability of user requirements, the system under control may be tested again by LBTest to confirm the satisfaction for the requirements.
These embodiments are also advantageous in that the invention enable the application of supervisory control theory to complex systems without priori models. And the other is to improve the efficiency of the reactive system software reuse by correcting its faulty behavior online.
In one example embodiment, the method for implementing a new reactive system 200 may be used for implementing a cruise controller (CC) with a reused reactive system.
A CC is an embedded safety critical component commonly used in modern vehicles. Four data types in Σ={in, mode, speed, button} are involved in CC. Σin={brake, dec, gas, acc, switch} is input event set. The symbolic inputs brake and gas are used to denote deceleration and acceleration events issued by the vehicle driver, while the input events dec and acc denote deceleration and acceleration from the external environment due to physical factors such as moving uphill or downhill, respectively. The symbolic input switch is used to turn on or turn off the CC button.
Table I shows the symbolic values of the input data type (column one) and their encodings (column two) of events. For simplicity, the input data is expressed as Σin={d, d, g, a, s}. These symbolic values and encodings may be entered into LBTest (for example as a configuration file) by the user. Table II shows the symbolic values of all output data types for the CC. This table identifies three output types: mode, speed and button in the column one. The symbolic values taken by each data type are shown in the second column in Table II. They are manual, cruise and disengaged for the mode data type, and zero, one and two for the speed data type. The values of the button are on and off. In fact, the speed of a vehicle is a continuous value. In this example, we discretize the continuous speed into three partition classes coarsely, symbolically named zero, one and two. Intuitively one is an acceptable range of cruise speeds, while the other classes stand for too slow or too fast for cruising, respectively. For example, symbolic values are zero when 0.0≦speed<60.0, one when 60.0≦speed<120.0, and two when speed≧120.0.
First, a wrapper W for CC denoted by P is written using Java. The combination of P and W composes the SUT S. The user requirement is a safety property: if the mode of a vehicle is in manual and the speed is at two, even if the cruise button is in on, it cannot enter into the cruise mode. It means that if the speed is at two, it is too fast to cruise for a vehicle. The PLTL formula that describes this property is given as R:
□(mode=manualbutton=of fspeed=twoinput=switch→◯(mode=cruise)).
S and R are loaded into LBTest and perform the test. An automaton model G for the CC is constructed, as shown in
First, we build an automaton model for the requirement R. According to the explicit explanation of R and the hypothesis model G for the CC, we construct an automaton model for R, denoted by H, which is shown in
Each event in Σin is either controllable or uncontrollable. Different supervisors are derived according to different controllable and uncontrollable event sets. In theory, there are 32 possible uncontrollable event subsets of Σin. The corresponding controllable event subsets are their complement sets for Σin. All the possible uncontrollable event subsets of Σin are listed as an element in the following sets:
Σin
Σin
Σin
Σin
Σin
Aiming at every element of these sets, a maximally permissive supervisor is computed by SCT. As a result, some supervisors for different uncontrollable event sets are the same. In order to simplify the results, we put those uncontrollable event sets which have the same supervisor in one set Σin
The transition function of Gi is controlled by Vi in the sense that the controllable events of G can be dynamically controlled by supervisor Vi. The corresponding control actions of the computed supervisors are listed in Table IV.
The supervisor V1 for sets in Σin
3) An Example Supervisor Suggested:
In certain examples, both the event brake and gas may be mastered by drivers. Therefore, b and g are always uncontrollable for the CC internal control. In this situation, a feasible maximum permissive controller is suggested in
In another example embodiment, the method for implementing a new reactive system 200 may be used for implementing a brake-by-wire (BBW) system with a reused reactive system.
A simulink model of BBW was developed by Volvo Technology AB and its corresponding Java code was developed. The BBW is composed of five electronic control units (ECUs). The central ECU is connected with a brake pedal and a gas pedal, while the other four ECUs are attached to four wheels. The software components on the central ECU run the sensor of the brake pedal, and calculate the global brake torque from the brake pedal position and distribute the global torque to the four wheels. The software components on each wheel ECU will measure the wheel speed, control the brake actuator and implement the ABS controller.
Two types of floating input data denoted by breakPedalPos and gasPedalPos are involved in BBW, which are received from the positions of the brake and gas pedals, respectively. The input data is mapped to the discrete input event set Σin={brake, acc idle}, where brake and acc stand for a driver presses the brake pedal and gas pedal, respectively, while idle means no operation. There are three types of output values: vehSpeed denoting the vehicle speed, rotational speeds of the four wheels (front right, front left, rear right and rear left) denoted by ωSpeedFIR, ωSpeedFL, ωSpeedRP and ωSpeedRL, and the torque values on the four wheels denoted by torqueOnFR, torqueOnFL, torqueOnRR and torqueOnRL, respectively. The slipFR, slipFL, slipRR and slipRL stand for the slipping states of four wheels. The discrete formulas and the corresponding symbolic outputs values are shown in Table V. If vehSpeed>10 km/h, we assume that the vehicle is moving, otherwise, the vehicle is still. For simplicity, only the output values of the rear right wheel are listed as an example. If ωSpeedRR>0, the output value for WheelRoateRR is nonZero. If torqueOnRR>0, the output value for torqueOnRR is nonZero.
The BBW is a hard real-time safety critical system. Feng, etc. specified three strict safety requirements and tested them using LBTest [28]. One of the requirements failed the test. In order to reuse the BBW system without changing the source code, the proposed method is applied to BBW.
For safety purposes, the ABS controller in the BBW system shall release the corresponding brake actuator when the slip rate of any wheel is larger than the threshold and the vehicle is moving at a speed of above certain values. The requirement which did not pass the test is: if the brake pedal is pressed and the actual speed of the vehicle is larger than 10 km/h and the slippage sensor shows that a wheel is slipping, the corresponding brake torque at the wheel should be zero. By taking the rear right wheel as an example, the corresponding PLTL formula is:
□(in=brakespecd=movingslipRR=slip→◯(torqueRR=zero)).
The test was repeated in LBTest, and many counter examples are given. One of them is the execution event trace ‘idle, acc, acc, acc, brake, brake, brake, brake, brake’. The corresponding state transition sequence is ‘(under1, still, zero, noSlip), (under1, still, zero, noSlip), (10, moving, zero, noSlip), (20, moving, zero, noSlip), (30, moving, zero, noSlip), (20, moving, zero, slip), (1, still, nonZero, slip), (under1, still, nonZero, noSlip), (under1, still, nonZero, noSlip), (under1, still, nonZero, noSlip)’. At state ‘(20, moving, zero, slip)’, when the driver presses the brake pedal, the torque value for next state should be zero, since the vehicle is moving and the rear right wheel is slipping. However, the behavior of the counter example shows that the torque value on that wheel is nonZero, which violates the requirement. A hypothesis automaton model for BBW with 360 states and 1080 transitions is constructed at the same time, as shown in
In SCT, an automaton for specifications is needed. We construct the automaton model for the requirement according to the model in
In the above two example embodiments, the CC is a small pedagogical example, while the BBW is an industrial one. By adjoining a ‘fault prevention’ component to the system under control, the proposed method is successfully used to enable the software reuse in the case of some requirements are not satisfied. Both the systems under control are tested again in LBTest, and the ‘Pass’ results show that the systems are well controlled, which reinforce the feasibility of the proposed method.
Although not required, the embodiments described with reference to the Figures can be implemented as an application programming interface (API) or as a series of libraries for use by a developer or can be included within another software application, such as a terminal or personal computer operating system or a portable computing device operating system. Generally, as program modules include routines, programs, objects, components and data files assisting in the performance of particular functions, the skilled person will understand that the functionality of the software application may be distributed across a number of routines, objects or components to achieve the same functionality desired herein.
It will also be appreciated that where the methods and systems of the present invention are either wholly implemented by computing system or partly implemented by computing systems then any appropriate computing system architecture may be utilised. This will include stand alone computers, network computers and dedicated hardware devices. Where the terms “computing system” and “computing device” are used, these terms are intended to cover any appropriate arrangement of computer hardware capable of implementing the function described.
It will be appreciated by persons skilled in the art that the term “database” may include any form of organized or unorganized data storage devices implemented in either software, hardware or a combination of both which are able to implement the function described.
It will be appreciated by persons skilled in the art that numerous variations and/or modifications may be made to the invention as shown in the specific embodiments without departing from the spirit or scope of the invention as broadly described. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive.
Any reference to prior art contained herein is not to be taken as an admission that the information is common general knowledge, unless otherwise indicated.
Number | Date | Country | Kind |
---|---|---|---|
2015101642 | Nov 2015 | AU | national |