CN102436375A - Cyber-physical system (CPS) modeling and verification method based on model transformation - Google Patents

Cyber-physical system (CPS) modeling and verification method based on model transformation

Info

Publication number
CN102436375A
Authority
CN
China
Prior art keywords
transition
mode
model
source
hybriduml
Prior art date
Legal status
Granted
Application number
CN2011103323364A
Other languages
Chinese (zh)
Other versions
CN102436375B (en
Inventor
李必信
朱敏
李加凯
陈乔乔
翟小祥
Current Assignee
Southeast University
Original Assignee
Southeast University
Priority date
Application filed by Southeast University
Priority to CN201110332336.4A
Publication of CN102436375A
Application granted; publication of CN102436375B
Legal status: Expired - Fee Related

Abstract

The invention provides a cyber-physical system (CPS) modeling and verification method based on model transformation, which is mainly used to solve the problems of CPS modeling and property verification. The key operations are: (1) HybridUML (an extension of the Unified Modeling Language) is used to model the CPS; the HybridUML model is transformed into Hybrid Programs, the operational model of the differential dynamic logic method; the transformation rules are defined according to the correspondence between the elements of the HybridUML meta-model and the Hybrid Programs meta-model, a template that applies the rules is generated, and the model transformation is carried out by applying the rules at model level, so that the Hybrid Programs are generated automatically; and (2) input code is generated from the obtained Hybrid Programs according to the input format of the theorem prover KeYmaera, and reasoning and verification are performed in KeYmaera.

Description

A CPS modeling and verification method based on model transformation
Technical field
The present invention is a CPS modeling and verification method based on model transformation; it is mainly used for modeling and verifying CPS.
Background technology
A cyber-physical system (CPS) combines physical processes with computation: embedded systems and networks monitor and control physical equipment, and computation and physical processes influence each other through feedback. Whether a CPS satisfies its design requirements is critical to implementing the system design. Verification techniques can confirm whether a system satisfies certain properties, remedy the inability of traditional testing techniques to prove that a system has no defects, and play a crucial role in guaranteeing system safety and reliability. Formal verification uses mathematical methods to verify whether a specified property holds. Ordinary model checking applies to finite-state systems, whereas a CPS has both discrete and continuous behaviour and an infinite state space, which makes verifying a large-scale CPS all the more challenging.
More and more formal verification methods are being applied to CPS verification. Among them, theorem proving based on differential dynamic logic (dL, Differential Dynamic Logic) can verify the properties of large-scale CPS effectively and accurately, but its operational model, Hybrid Programs (abbreviated HP below), is hard to use for ordinary, intuitive modeling work, and in particular it does not capture the generality of the design well in the CPS design phase.
Summary of the invention
To address this shortcoming of the differential dynamic logic method, the present invention uses HybridUML to model the CPS and proposes a model transformation method that converts the HybridUML model into HP, so that the reasoning-based verification of CPS properties can be carried out on the resulting HP. Transforming general-purpose models into formal models for verification is also a research focus in software engineering. HybridUML is an extension of UML that remedies UML's lack of precise semantics and its inability to model continuous state, while keeping UML's general and intuitive character.
The CPS modeling and verification method based on model transformation of the present invention is used to model and verify a CPS: the CPS can be modeled formally and directly, the model is automatically transformed into the operational model of the differential dynamic logic method, and a theorem prover is then used to verify the CPS. Compared with previous methods, the present invention both allows a CPS model built with a unified modeling language to be verified well and remedies the weakness that HP is insufficiently general and intuitive.
Technical scheme: the method of the present invention first models the CPS with HybridUML, then automatically transforms the model into the operational model HP (Hybrid Programs) of differential dynamic logic, and finally generates input code as the input of a theorem prover.
The concrete steps of the present invention are as follows:
Step 1). Analyze the formal description of the operational model HP with which the differential dynamic logic method verifies a CPS: InitBlock denotes the initialization block; DJ denotes the set of discrete jumps; CE denotes the set of continuous evolutions; and HPSkeleton and HPContent denote the skeleton and the content of the Hybrid Programs respectively.
Step 2). On the basis of the HybridUML meta-model data structure, add formal representations of the classification of Modes and Agents, the top-layer Mode, the source and target Modes of transitions, the classification of transitions, and so on.
Step 3). Define the form of the model transformation rules: RuleType denotes the type of a rule, which is either a mapping rule or a processing rule; Mapping/Processing denotes the mapping or processing procedure of the rule; Return Result denotes the result returned by the rule.
Step 4). Establish the shared variable table rule CreateShareVariableTable. Each row of the table is a variable shared between Agents; the table resolves the problem that HybridUML variables have a restricted scope whereas all variables in Hybrid Programs are global.
Step 5). Transform the static structure of the HybridUML model into the HPSkeleton.
Step 6). Establish the rule CreateTransitionPath, which merges a transition whose source Mode is the target Mode of another transition with that other transition.
Step 7). Establish the rule EliminateJunction, which merges the junctions in the HybridUML state diagram.
Step 8). Establish the rule FlatHierarchyMode, which flattens the hierarchical HybridUML state diagram according to the kinds of transitions.
Step 9). Define the directed graph TransitionGraph, which represents the flattened simple state diagram: the vertices of the graph are the atomic Modes of the HybridUML model, and an edge between two vertices represents a transition with those two vertices as source and target.
Step 10). Establish the transition-conversion rule MappingTGtoHP, which converts the transitions of the TransitionGraph into transitions of the Hybrid Programs.
Step 11). Establish the rule-application template TemplateHUtoHP, which organizes the rules established in Steps 4) to 10); applying the template to the input HybridUML model generates the corresponding Hybrid Programs model.
Step 12). Specify the CPS property with a differential dynamic logic formula.
Step 13). Format the obtained Hybrid Programs model and the property formula of Step 12) according to the input format requirements of the theorem prover KeYmaera, generating the KeYmaera input code.
Step 14). Verify the input code obtained in Step 13) in KeYmaera.
Establishment of the model transformation rules of Steps 4) to 10):
The model transformation rules are divided into two major classes, mapping rules and processing rules:
a mapping rule maps the dynamic behaviour of HybridUML to the HPContent of the formal description of Hybrid Programs, and the static structure to the HPSkeleton;
a processing rule processes the static structure and dynamic behaviour of HybridUML to help the mapping rules perform the mapping.
In Step 1), in the formal description of Hybrid Programs, a Hybrid Program is divided into five major parts: InitBlock denotes the initialization block; DJ denotes the set of discrete jumps; CE denotes the set of continuous evolutions; and HPSkeleton and HPContent denote the skeleton and the content of the Hybrid Programs respectively.
Description of drawings
Fig. 1 is the formal definition of the transformation rules.
Fig. 2 is the input format of the theorem prover KeYmaera.
Fig. 3 is a schematic diagram of dynamic MA assignment for ETCS trains.
Fig. 4 is the composition structure of ETCS.
Fig. 5 is the state diagram of Agent Train.
Fig. 6 is the state diagram of Agent RBC.
Fig. 7 is a flow chart of the present invention.
Table 1 (an image in the original) gives the correspondence between HybridUML and Hybrid Program model elements.
Embodiment
The present invention is further described below with reference to the drawings and an embodiment:
Step 1). Analyze the formal description of the operational model Hybrid Programs with which the differential dynamic logic method verifies a CPS: InitBlock denotes the initialization block; DJ denotes the set of discrete jumps; CE denotes the set of continuous evolutions; and HPSkeleton and HPContent denote the skeleton and the content of the Hybrid Programs respectively.
A basic Hybrid Program model is represented as follows:
HPModel = (InitBlock, DJ, CE, HPSkeleton, HPContent)
InitBlock denotes the initialization block, containing the declarations and initialization of the variables used by the HP; DJ denotes the set of discrete jumps, each of which consists of the elements of a discrete jump set; CE denotes the set of continuous evolutions, each of which consists of differential equations; HPSkeleton denotes the skeleton of the HP, whose concrete realization is contained in the HPContent; HPContent consists of the elements of the DJ and CE sets connected by control structures.
Step 2). On the basis of the HybridUML meta-model data structure, and according to the needs of the transformation, add formal representations of the classification of Modes and Agents, the top-layer Mode, the source and target Modes of transitions, the classification of transitions, and so on. The formal representations added are the following:
1. Classification of Modes and Agents. A Mode is divided into compound Mode and atomic Mode according to whether it has sub-Modes: if the set of sub-Modes of a Mode is not empty it is defined as a compound Mode, otherwise as an atomic Mode. An Agent is divided into compound Agent and atomic Agent according to whether it has sub-Agents: an atomic Agent has its own behaviour, a compound Agent does not. In the following, what precedes and follows the period (·) are the premise and the conclusion respectively.
kind_M: M → {CompositeMode, PrimitiveMode}
(the two defining conditions of kind_M are shown as images in the original)
kind_A: A → {CompositeAgent, PrimitiveAgent}
∀a ∈ A, |behavior_A(a)| = 1 · kind_A(a) := PrimitiveAgent
2. Formal representation of the top-layer Mode.
Only an atomic Agent contains a top-layer Mode, which is used to represent its behaviour: TM_A: A → behavior_A(A), ∀a ∈ A · kind_A(a) = PrimitiveAgent
3. Source and target control points of transitions.
src_T and tar_T denote the source and target control points of a transition respectively; the source Mode and target Mode of a transition are newly represented as:
srcMode_T: T → {M ∪ MI}    tarMode_T: T → {M ∪ MI}
Transitions not only exchange control between a Mode and its sub-Mode instances but also between sub-Mode instances, so srcMode_T and tarMode_T must satisfy:
(first disjunct shown as an image in the original)
∨ srcMode_T(t) ∈ MI ∧ tarMode_T(t) ∈ MI
∨ srcMode_T(t) ∈ MI ∧ tarMode_T(t) ∈ M
4. Classification of transition sets.
According to the kinds of the source and target control points of a transition, the transitions of a Mode are divided into three kinds: the entry transition set, the exit transition set and the internal transition set.
■ Entry transition set (EntryTransitions): the set of transitions whose source is the entry control point of the Mode and whose target is the entry control point of a sub-Mode instance.
EntryTransitions_T: M → T
(premise shown as an image in the original)
∧ tar_T(t) ∈ CPI ∧ kind_CP(cp_CPI(tar_T(t))) = entry
■ Internal transition set (InternalTransitions): the set of transitions between the sub-Mode instances inside a compound Mode.
InternalTransitions_T: M → T
∀t ∈ T · src_T(t) ∈ CPI ∧ kind_CP(cp_CPI(src_T(t))) = exit ∧ tar_T(t) ∈ CPI ∧ kind_CP(cp_CPI(tar_T(t))) = entry
■ Exit transition set (ExitTransitions): the set of transitions whose source is the exit control point of a sub-Mode instance and whose target is the exit control point of the Mode.
ExitTransitions_T: M → T
∀t ∈ T · src_T(t) ∈ CPI ∧ kind_CP(cp_CPI(src_T(t))) = exit ∧ tar_T(t) ∈ CP ∧ kind_CP(tar_T(t)) = exit
Step 3). Define the form of the model transformation rules.
According to their function, rules are divided into two kinds: mapping rules and processing rules. A mapping rule maps an element of the source meta-model to an element of the target meta-model when certain constraints are satisfied; a processing rule processes the source model to obtain an intermediate form for the transformation, or optimizes the source model to facilitate it. RuleType denotes the type of the rule, MappingRule or ProcessingRule, for a mapping rule and a processing rule respectively. The Declaration part explains the variables or data structures the rule uses, Mapping/Processing denotes the mapping or processing procedure of the rule, and the Return Result part returns the result of the rule.
Step 4). Establish the shared variable table rule CreateShareVariableTable.
In HybridUML, variables have a restricted scope and different Agents share a variable's value through variable connectors, whereas in HP there are only global variables. When mapping the former to the latter, the scope of a variable becomes the whole model, so a shared variable might be treated as several different variables. To solve this problem, a shared variable table is established that marks the variables shared between different Agents, so that they are handled uniformly as one variable in the HP after the transformation. Each row of the shared variable table ShareVaribleTable is a shared variable, consisting of the variable ports and the variables corresponding to them; all the shared variables in the system make up the shared variable table.
Step 5). Transform the static structure of the HybridUML model into the HPSkeleton.
In HybridUML, Agents are hierarchical and parallel: a composite Agent has no behaviour description of its own, while an atomic Agent contains a state machine that describes its behaviour. Consider the case in which at most one of the atomic Agents has continuous dynamic behaviour. Suppose AP is the finite set of atomic Agents, AP ∈ A ∩ AI,
(two formulas shown as images in the original; claim 3 gives one of them as ∀a ∈ AP · kind_A(a) = PrimitiveAgent)
Agents run in parallel, and this parallelism is handled in HP as follows: let a0 ∈ AP be the atomic Agent with continuous dynamic behaviour; the continuous change of a0's state is only influenced by communication with the other Agents at discrete time points, and the communication process itself need not be considered. The states of a0 and of the other atomic Agents are linked by the nondeterministic choice operator (∪) and the repetition operator (*), so that every possible time point is modeled without modeling the communication process. The mapping rule is named MappingStructureToHP.
Step 6). Establish the rule CreateTransitionPath, which merges a transition whose source Mode is the target Mode of another transition with that other transition. In HybridUML, the Mode to which the source or target control point of a transition belongs may be an atomic Mode or a compound Mode, and the control point may also be a junction; in the HP model, however, the source and target of a transition are both atomic states, so the hierarchical state diagram has to be flattened into a simple state diagram composed of atomic Modes. After the hierarchical constraint inheritance of Modes, each Mode in the HybridUML state diagram has inherited the constraints of the Modes above it. For each transition in the state diagram, if the source or target Mode of the transition is a compound Mode, transitions are searched for in the layer above or below it until both the source and the target of the transition are atomic Modes. While searching for the path of a transition, if the source control point of transition t2 is the target control point of transition t1, a transition whose source control point is that of t1 and whose target control point is that of t2 is added to the transition set T, and after this processing t1 and t2 are deleted from the transition set. The processing rule is named CreateTransitionPath.
Step 7). Establish the rule EliminateJunction, which merges the junctions in the HybridUML state diagram.
For each transition in the HybridUML transition set, if the target control point of the transition is a junction, the rule CreateTransitionPath is applied to this transition together with each transition whose source control point is that junction, until no transition in the transition set has the junction as its source or target control point, that is, until every t ∈ T satisfies kind_CP(cp_CPI(src_T(t))) ≠ junction ∧ kind_CP(cp_CPI(tar_T(t))) ≠ junction. The processing rule is named EliminateJunction.
Step 8). Establish the rule FlatHierarchyMode, which flattens the hierarchical HybridUML state diagram according to the kinds of transitions.
For a top-layer Mode, it and all its sub-Modes are added to a queue. First its entry transitions are processed: for each entry transition, if the Mode to which the target control point of the transition belongs is a compound Mode, all entry transitions of that compound Mode are searched for and processed. Then the exit transitions are processed: for each exit transition, if the Mode to which the source control point of the transition belongs is a compound Mode, all exit transitions of that compound Mode are searched for and processed. Finally the internal transitions are processed: if the target Mode of an internal transition is a compound Mode, the entry transitions of that compound Mode are searched for and processed, and if the source Mode of an internal transition is a compound Mode, its exit transitions are searched for and processed. For each compound Mode encountered during processing, it and all its sub-Modes are added to the queue; the head of the queue is processed and then deleted, until the queue is empty.
Step 9). Define the directed graph TransitionGraph, which represents the flattened simple state diagram.
TransitionGraph(M_TG, T_TG) is the directed graph formed by the atomic Modes and the transitions between them after the state diagram has been flattened. The vertex set M_TG of the graph is the set of atomic Modes in the HybridUML model,
(formula shown as an image in the original)
and T_TG is the set of edges,
(two formulas shown as images in the original)
The relation between the edges is t = {<v, w> | t ∈ T_TG · v = srcMode_M(t), w = tarMode_M(t)}, denoting a transition with v as its source Mode and w as its target Mode.
Step 10). Establish the transition-conversion rule MappingTGtoHP.
After Step 9), the TransitionGraph is obtained. It contains the two kinds of dynamic behaviour of HybridUML, discrete transitions and continuous evolutions, which correspond respectively to the discrete jumps and the continuous evolutions of the HP model. The trigger event, the transition condition and the transition action of a HybridUML discrete transition correspond to the elements of an HP discrete jump. To identify the currently active state in the HP, a marker variable ActiveState is added to the InitBlock. An HP transition first tests whether the Mode at which the source of the transition lies is the ActiveState; if so, the event is triggered, and after the transition action has been executed ActiveState is set to the Mode at which the target control point of the transition lies, completing the transfer of control. MappingTGtoHP is as follows:
(rule shown as an image in the original)
Step 11). Establish the rule-application template TemplateHUtoHP, which organizes the rules established in Steps 4) to 10); applying the template to the input HybridUML model generates the corresponding Hybrid Programs model.
To organize the established rules, two further methods complete the construction of the template. The RenameSharedVariables method renames the shared variables in the HP model so that they carry the same name; the MergeHPModel method merges the HP models into which the individual atomic Agents are transformed. A rule-application template is built from the obtained rules, and the target model can be generated by executing the rules according to the template. The rule-application template is as follows:
(template shown as an image in the original)
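As an added illustration, not code from the patent, the following Python sketch implements the transformation rules of Steps 6) to 10) on a constructed hierarchical state chart: CreateTransitionPath merges two transitions that meet at a control point, the flattening follows each transition from the exit point of an atomic Mode through compound-Mode points and junctions to the entry point of an atomic Mode (the TransitionGraph edges), and MappingTGtoHP emits one ActiveState-guarded discrete jump per edge, joined by ∪ (written ++ for KeYmaera as Step 13) describes). The Mode names, the (Mode, kind) encoding of control points and the sample transitions are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A control point is (Mode name, kind); the kinds follow the patent: entry, exit, junction.
Point = Tuple[str, str]


@dataclass(frozen=True)
class Transition:
    src: Point
    tgt: Point
    cond: Optional[str] = None    # transition condition: becomes a ?(...) test in the HP
    action: Optional[str] = None  # transition action: becomes HP statements


def create_transition_path(t1: Transition, t2: Transition) -> Transition:
    """CreateTransitionPath (Step 6): t1's target control point is t2's source control
    point, so the pair is merged into one transition carrying both conditions and actions."""
    assert t1.tgt == t2.src, "transitions do not form a path"
    conds = [c for c in (t1.cond, t2.cond) if c]
    acts = [a for a in (t1.action, t2.action) if a]
    return Transition(t1.src, t2.tgt, " & ".join(conds) or None, "; ".join(acts) or None)


def flatten(atomic: Set[str], transitions: List[Transition]) -> List[Transition]:
    """EliminateJunction and FlatHierarchyMode (Steps 7 and 8) done as one path search:
    every transition leaving the exit point of an atomic Mode is extended through
    compound-Mode entry/exit points and junctions until it reaches the entry point of an
    atomic Mode.  The result is the edge set T_TG of the TransitionGraph (Step 9)."""
    by_src: Dict[Point, List[Transition]] = {}
    for t in transitions:
        by_src.setdefault(t.src, []).append(t)
    edges: List[Transition] = []

    def extend(path: Transition, seen: Set[Point]) -> None:
        mode, kind = path.tgt
        if kind == "entry" and mode in atomic:
            edges.append(path)          # reached an atomic target Mode: one graph edge
        elif path.tgt not in seen:      # a cycle through non-atomic points yields no edge
            for nxt in by_src.get(path.tgt, []):
                extend(create_transition_path(path, nxt), seen | {path.tgt})

    for t in transitions:
        if t.src[1] == "exit" and t.src[0] in atomic:
            extend(t, set())
    return edges


def initial_mode(top: str, atomic: Set[str], transitions: List[Transition]) -> str:
    """Follow the entry transitions from the top-layer Mode down to the first active
    atomic Mode; this is the initial value of ActiveState written into the InitBlock."""
    point: Point = (top, "entry")
    while not (point[1] == "entry" and point[0] in atomic):
        outs = [t for t in transitions if t.src == point]
        if len(outs) != 1:
            raise ValueError(f"{point[0]} needs exactly one entry transition")
        point = outs[0].tgt
    return point[0]


def mapping_tg_to_hp(edges: List[Transition]) -> List[str]:
    """MappingTGtoHP (Step 10): each edge becomes one discrete jump that is guarded on
    ActiveState, tests the condition, runs the action and transfers control."""
    jumps = []
    for e in edges:
        parts = [f"?ActiveState={e.src[0]}"]
        if e.cond:
            parts.append(f"?({e.cond})")
        if e.action:
            parts.append(e.action)
        parts.append(f"ActiveState:={e.tgt[0]}")
        jumps.append("; ".join(parts))
    return jumps


def hp_choice(jumps: List[str], keymaera: bool = False) -> str:
    """Join the jumps by nondeterministic choice; the KeYmaera input of Step 13 writes ∪ as ++."""
    op = " ++ " if keymaera else " ∪ "
    return op.join(f"({j})" for j in jumps)


# Constructed sample chart (not the patent's Fig. 5): Top contains the compound Mode Moving
# and the atomic Mode Stopped; Moving contains the atomic Modes Cruise and Brake; the
# junction J splits the braking decision on the RBC message.
ATOMIC = {"Cruise", "Brake", "Stopped"}
SAMPLE = [
    Transition(("Top", "entry"), ("Moving", "entry")),                  # entry transition of Top
    Transition(("Moving", "entry"), ("Cruise", "entry")),               # entry transition of Moving
    Transition(("Cruise", "exit"), ("J", "junction"), cond="m-z<=SB"),  # internal, into a junction
    Transition(("J", "junction"), ("Brake", "entry"), cond="message=emergency", action="a:=-b"),
    Transition(("J", "junction"), ("Cruise", "entry"), cond="message!=emergency",
               action="a:=*; ?(-b<=a<=0)"),
    Transition(("Brake", "exit"), ("Moving", "exit"), cond="v=0"),      # exit transition of Moving
    Transition(("Moving", "exit"), ("Stopped", "entry"), action="a:=0"),
]

if __name__ == "__main__":
    jumps = mapping_tg_to_hp(flatten(ATOMIC, SAMPLE))
    print(f"InitBlock: ActiveState:={initial_mode('Top', ATOMIC, SAMPLE)}")
    print("ctrl ≡ " + hp_choice(jumps))
    print("KeYmaera: " + hp_choice(jumps, keymaera=True))
```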
Step 12). Specify the CPS property with a differential dynamic logic formula.
Step 13). Format the obtained Hybrid Programs model and the property formula of Step 12) according to the input format requirements of the theorem prover KeYmaera, generating the KeYmaera input code. The HP model obtained after the transformation can be verified by manual reasoning; to serve as input for the theorem prover KeYmaera, the HP model must also be output in the required format. The text between # signs is an explanation of the region; the InitBlock corresponds to the declarations of the state variables and the region of initial conditions on the variable values; HPSkeleton and HPContent correspond to the dynamic behaviour of the system; and the property to be verified is described with a dL formula. In addition, some special logical symbols must be replaced by the corresponding KeYmaera input, for example ∪ is replaced by ++.
Step 14). Verify the input code obtained in Step 13) in KeYmaera.
To illustrate the above steps, this example analyses the European Train Control System Level 3. ETCS-3 (European Train Control System Level 3) follows the moving block principle: a train may only run within the movement authority MA (Movement Authority) currently assigned to it, and the radio block controller RBC (Radio Block Controller) dynamically assigns MAs according to the running situation of all trains in its area of responsibility. In the far phase the train runs freely; at the ST (Start Talking) point it enters the neg (negotiation) phase, in which the RBC either grants or refuses an extension of the MA; if the RBC has not granted a new MA in time, the train begins to decelerate on reaching the SB (Start Braking) point and enters the cor (correct) phase.
This example verifies the safety of the dynamic MA assignment protocol, namely that a train always runs within the MA assigned to it. Fig. 3 is a schematic diagram of dynamic MA assignment for ETCS trains.
Step 1). Use the rule-application template TemplateHUtoHP to organize the rules and carry out the model transformation. This step corresponds to Step 11) above.
Step 2). The Hybrid Program model is represented as follows:
HPModel = (InitBlock, DJ, CE, HPSkeleton, HPContent)
Step 3). Model ETCS with HybridUML and the added formal representations of the classification of Modes and Agents, the top-layer Mode, the source and target Modes of transitions, the classification of transitions, and so on. Fig. 4 shows the composition structure of ETCS.
Fig. 5 shows the state diagram of Agent Train; Fig. 6 shows the state diagram of Agent RBC.
For Fig. 5, we have:
(C.1) conSpeedup ≡ v ≤ recommendedSpeed
(A.1) actSpeedup ≡ a := *; ?(−b ≤ a ≤ A)
(C.2) conSlowdown ≡ v ≥ recommendedSpeed
(A.2) actSlowdown ≡ a := *; ?(−b ≤ a ≤ 0)
(A.3) actSetSB ≡ SB := v²/(2b) + (A/b + 1)(Aε²/2 + ε·v)
(C.3) conBeyondSB ≡ m − z ≤ SB
(C.4) conEmergency ≡ rbc.message = emergency
(A.4) actBrake ≡ a := −b
(C.5) flowDrive ≡ z′ = v, v′ = a, t′ = 1
(C.6) invDrive ≡ v ≥ 0 ∧ t ≤ ε
Step 4). Start applying the rules according to the defined form of the model transformation rules.
Step 5). Use the shared variable table rule CreateShareVariableTable to establish the shared variable table ShareVaribleTable:
Message:Train    Message:RBC
Recommendspeed:Train    Recommendspeed:RBC
Step 6). Transform the static structure of the HybridUML model into the HPSkeleton, obtaining the HP:
Ψ → [ETCS*]
ETCS ≡ (ctrl; drive) ∪ rbc
Step 7). Use the rule CreateTransitionPath to merge a transition whose source Mode is the target Mode of another transition with that other transition.
Step 8). Use the rule EliminateJunction to merge the junctions in the HybridUML state diagram; since no junctions are used in the modeling of this example, this step can be skipped.
Step 9). Use the rule FlatHierarchyMode to flatten the hierarchical HybridUML state diagram according to the kinds of transitions.
Step 10). After the flattening of Step 8), the TransitionGraph is obtained.
Step 11). Use the transition-conversion rule MappingTGtoHP to convert the transitions of the TransitionGraph into transitions of the Hybrid Programs, obtaining the following HP:
ETCS ≡ (train ∪ rbc)*
train ≡ ctrl; drive
ctrl ≡ σ1 ∪ σ2 ∪ σ3 ∪ σ4
σ1 ≡ ?ActiveState = drive; ?(v ≤ recommendedSpeed); a := *; ?(−b ≤ a ≤ A);
    SB := v²/(2b) + (A/b + 1)(Aε²/2 + ε·v);
    (?(m − z ≤ SB ∨ message = emergency); a := −b; ActiveState := drive)
σ2 ≡ ?ActiveState = drive; ?(v ≤ recommendedSpeed); a := *; ?(−b ≤ a ≤ A);
    SB := v²/(2b) + (A/b + 1)(Aε²/2 + ε·v);
    (?(m − z ≤ SB ∧ message ≠ emergency); a := −b; ActiveState := drive)
σ3 ≡ ?ActiveState = drive; ?(v ≥ recommendedSpeed); a := *; ?(−b ≤ a ≤ 0);
    SB := v²/(2b) + (A/b + 1)(Aε²/2 + ε·v);
    (?(m − z ≤ SB ∨ message = emergency); a := −b; ActiveState := drive)
σ4 ≡ ?ActiveState = drive; ?(v ≥ recommendedSpeed); a := *; ?(−b ≤ a ≤ 0);
    SB := v²/(2b) + (A/b + 1)(Aε²/2 + ε·v);
    (?(m − z ≤ SB ∧ message ≠ emergency); a := −b; ActiveState := drive)
drive ≡ ?ActiveState = drive; t := 0; (z′ = v, v′ = a, t′ = 1 & v ≥ 0 ∧ t ≤ ε)
rbc ≡ message := emergency
    ∪ (m := *, recommendedSpeed := *; ?(recommendedSpeed > 0))
(remaining part of the HP shown as an image in the original)
where SB is derived as follows:
(derivation shown as images in the original)
Step 12). Specify the CPS property with a differential dynamic logic formula, obtaining the following HP:
Ψ ≡ ActiveState = drive ∧ v² ≤ 2b(m − z) ∧ b > 0 ∧ A ≥ 0
ETCS ≡ (ctrl; drive) ∪ rbc
ctrl ≡ σ1 ∪ σ2 ∪ σ3 ∪ σ4
Step 13). Format the obtained Hybrid Programs model and the property formula of Step 12) according to the input format requirements of the theorem prover KeYmaera; the generated KeYmaera input code is as follows:
(input code shown as an image in the original)
Step 14). Verify the input code obtained in Step 13) in KeYmaera. The verification in KeYmaera took 236 steps and produced 10 proof branches, establishing that the formula ζ holds under the initial condition Ψ; that is, under the constraint Ψ, the train never exceeds the MA assigned to it in any running state, and since every train satisfies this property, trains cannot collide.
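As an added example, not the patent's own code, the Python model below executes the ETCS hybrid program of Steps 11) and 12) (ctrl with the SB assignment of (A.3), drive, and a simplified rbc) and checks the invariant v² ≤ 2b(m − z) of Ψ after every cycle; it also shows why SB needs the (A/b + 1)(Aε²/2 + εv) term by running the same controller with the plain braking distance v²/(2b). The parameter values b = A = ε = 1 and m = 90, the train's acceleration choices and an RBC that only extends the MA are assumptions.

```python
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Train:
    z: float            # position
    v: float            # speed
    a: float            # acceleration
    m: float            # end of the movement authority MA
    message: str        # RBC message: "none" or "emergency"
    recommended: float  # recommendedSpeed received from the RBC


def sb_patent(v: float, b: float, A: float, eps: float) -> float:
    """(A.3) actSetSB: braking distance v^2/(2b) plus the distance and extra speed the
    train can still gain by accelerating with A for one control cycle of length ε."""
    return v * v / (2 * b) + (A / b + 1) * (A * eps * eps / 2 + eps * v)


def sb_naive(v: float, b: float, A: float, eps: float) -> float:
    """Pure braking distance, no allowance for the ε delay (for contrast; not from the patent)."""
    return v * v / (2 * b)


def ctrl(s: Train, b: float, A: float, eps: float, sb_fn, want_a: float) -> Train:
    """One pass through ctrl ≡ σ1 ∪ σ2 ∪ σ3 ∪ σ4 with ActiveState = drive: the nondeterministic
    a := * (resolved here by want_a) is narrowed by conSpeedup/conSlowdown, SB is set, and the
    test m − z ≤ SB ∨ message = emergency forces actBrake, a := −b."""
    hi = A if s.v <= s.recommended else 0.0   # (C.1)/(A.1) allow up to A, (C.2)/(A.2) up to 0
    a = min(max(want_a, -b), hi)              # a := *; ?(−b ≤ a ≤ hi)
    if s.m - s.z <= sb_fn(s.v, b, A, eps) or s.message == "emergency":
        a = -b                                # (C.3) or (C.4) triggers (A.4)
    return replace(s, a=a)


def drive(s: Train, tau: float, eps: float) -> Train:
    """flowDrive z' = v, v' = a, t' = 1 under invDrive v ≥ 0 ∧ t ≤ ε, solved exactly for a
    duration tau ≤ ε; a braking train stops at v = 0 instead of running backwards."""
    assert 0.0 <= tau <= eps
    if s.a < 0 and s.v + s.a * tau < 0:
        tau = s.v / -s.a
    return replace(s, z=s.z + s.v * tau + s.a * tau * tau / 2, v=s.v + s.a * tau)


def invariant(s: Train, b: float) -> bool:
    """The controllability conjunct of Ψ (Step 12): v² ≤ 2b(m − z), i.e. the train can
    still stop before the end of its MA."""
    return s.v * s.v <= 2 * b * (s.m - s.z) + 1e-9


def run(sb_fn, steps: int, b=1.0, A=1.0, eps=1.0, m=90.0, seed=None):
    """Execute (ctrl; drive)* from a state satisfying Ψ and check Ψ after every cycle.
    With seed=None the train is adversarial (always wants a = A and uses the full ε);
    with a seed, a and the cycle length are random and the RBC randomly extends the MA.
    Returns (all_cycles_safe, first_unsafe_state_or_None)."""
    rng = random.Random(seed) if seed is not None else None
    s = Train(z=0.0, v=0.0, a=0.0, m=m, message="none", recommended=1000.0)
    for _ in range(steps):
        want_a, tau = A, eps
        if rng is not None:
            want_a, tau = rng.uniform(-b, A), rng.uniform(0.0, eps)
            if rng.random() < 0.2:            # rbc: m := * (assumed here to only extend the MA)
                s = replace(s, m=s.m + rng.uniform(0.0, 50.0))
        s = drive(ctrl(s, b, A, eps, sb_fn, want_a), tau, eps)
        if not invariant(s, b) or s.z > s.m:
            return False, s
    return True, None


if __name__ == "__main__":
    print("patent SB, adversarial train:", run(sb_patent, 200))
    print("naive SB,  adversarial train:", run(sb_naive, 200))
    print("patent SB, random runs:      ", run(sb_patent, 2000, seed=1))
```

With the naive SB the adversarial train is still accelerating when it crosses the point from which it can no longer stop inside the MA, which is exactly the ε-delay the extra term of (A.3) accounts for.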

Claims (10)

1. A CPS modeling and verification method based on model transformation, characterized in that it comprises the following steps:
Step 1) analyze the formal description of the operational model Hybrid Programs with which the differential dynamic logic method verifies a CPS:
the initialization block is denoted by InitBlock;
the set of discrete jumps is denoted by DJ;
the set of continuous evolutions is denoted by CE;
the skeleton and the content of the Hybrid Programs are denoted by HPSkeleton and HPContent respectively;
Step 2) on the basis of the HybridUML meta-model data structure, add:
formal representations of the classification of Modes and Agents, the top-layer Mode, the source and target Modes of transitions, and the classification of transitions;
Step 3) define the form of the model transformation rules:
the type of a rule is denoted by RuleType and is either a mapping rule or a processing rule;
the mapping or processing procedure of the rule is denoted by Mapping/Processing;
the result returned by the rule is denoted by Return Result;
Step 4) establish the shared variable table rule CreateShareVariableTable:
each row of the table is a variable shared between Agents, resolving the problem that HybridUML variables have a restricted scope whereas all variables in Hybrid Programs are global;
Step 5) transform the static structure of the HybridUML model into the HPSkeleton;
Step 6) establish the rule CreateTransitionPath, which merges a transition whose source Mode is the target Mode of another transition with that other transition;
Step 7) establish the rule EliminateJunction, which merges the junctions in the HybridUML state diagram;
Step 8) establish the rule FlatHierarchyMode, which flattens the hierarchical HybridUML state diagram according to the kinds of transitions;
Step 9) define the directed graph TransitionGraph, which represents the flattened simple state diagram: the vertices of the graph are the atomic Modes of the HybridUML model, and an edge between two vertices represents a transition with those two vertices as source and target;
Step 10) establish the transition-conversion rule MappingTGtoHP, which converts the transitions of the TransitionGraph into transitions of the Hybrid Programs;
Step 11) establish the rule-application template TemplateHUtoHP, which organizes the transformation rules established in Steps 4) to 10), and apply the template to the input HybridUML model to generate the corresponding Hybrid Programs model;
Step 12) specify the CPS property with a differential dynamic logic formula;
Step 13) format the obtained Hybrid Programs model and the property formula of Step 12) according to the input format requirements of the theorem prover KeYmaera, finally generating the KeYmaera input code;
Step 14) verify the input code obtained in Step 13) in KeYmaera.
2. The method according to claim 1, characterized in that in step 2) the added formal representation is as follows:
(1) Classification of Mode and Agent: a Mode is divided into compound Mode and atom Mode according to whether it has sub-Modes; a Mode whose set of sub-Modes is non-empty is defined as a compound Mode, otherwise it is defined as an atom Mode. An Agent is divided into compound Agent and atom Agent according to whether it has sub-Agents; an atom Agent has its own behaviour, whereas a compound Agent does not;
(2) Formal representation of the top-level Mode: only an atom Agent contains a top-level Mode, which is used to represent its behaviour;
(3) Source and target control points of a transition:
srcT and tarT denote the source and target control points of a transition respectively; the source Mode and target Mode of a transition T are newly added as srcMode_T: T → {M ∪ MI} and tarMode_T: T → {M ∪ MI};
Control is exchanged not only between a Mode and its sub-Mode instances but also between sub-Mode instances, so srcMode_T and tarMode_T must satisfy:
Figure FSA00000600531200022
∨ srcMode_T(t) ∈ MI ∧ tarMode_T(t) ∈ MI
∨ srcMode_T(t) ∈ MI ∧ tarMode_T(t) ∈ M
(4) Classification of transition sets:
According to the kinds of the source and target control points, the transitions of a Mode are divided into three sets: the entering transition set, the exiting transition set and the inner transition set;
■ the entering transition set is the set of transitions whose source is the entry control point of the Mode and whose target is the entry control point of a sub-Mode instance;
■ the inner transition set is the set of transitions between the sub-Mode instances inside a compound Mode;
■ the exiting transition set is the set of transitions whose source is the exit control point of a sub-Mode instance and whose target is the exit control point of the Mode.
3. The method according to claim 1, characterized in that in step 5),
the Agents in HybridUML are hierarchical and parallel; a compound Agent has no behaviour description of its own, while an atom Agent contains a state machine that describes its behaviour;
let AP be the finite set of atom Agents, AP ∈ A ∩ AI, ∀a ∈ AP · Kind_A(a) = PrimitiveAgent;
the Agents run in parallel, and parallelism is handled in HP as follows: let a0 ∈ AP be an atom Agent with continuous dynamic behaviour; the continuous change of the state of a0 is affected only by communication with other Agents at discrete time points, and the communication process itself need not be considered; the states of a0 and of the other atom Agents are bound with the nondeterministic choice operator (∪) and the repetition operator (*) to model each possible time point, without modelling the communication process.
4. The method according to claim 1, characterized in that in step 6), the Mode under the source or target control point of a transition in HybridUML may be an atom Mode or a compound Mode, and the control point may also be a junction, whereas the source and target of a transition in the HP model are both atom states; the hierarchical state diagram therefore has to be flattened into a simple state diagram composed of atom Modes. After hierarchical constraint inheritance over the Modes, each Mode in the HybridUML state diagram has inherited the constraints of the Modes above it. For each transition in the state diagram, if the source or target Mode of the transition is a compound Mode, transitions are searched for one level up or one level down until both the source and the target of the transition are atom Modes. During the search for a transition path, if the source control point of transition t2 is the target control point of transition t1, a transition whose source control point is that of t1 and whose target control point is that of t2 is added to the transition set T, and after processing t1 and t2 are deleted from the transition set.
5. The method according to claim 1, characterized in that in step 7), for each transition in the HybridUML transition set, if the target control point of the transition is a junction, rule CreateTransitionPath is applied to that transition together with each transition whose source control point is that junction, until no transition in the transition set has a junction as its source or target control point, that is, until every t ∈ T satisfies kind_CP(cp_CPI(src_T(t))) ≠ junction ∧ kind_CP(cp_CPI(tar_T(t))) ≠ junction.
6. The method according to claim 1, characterized in that in step 8), for a top-level Mode, all of its sub-Modes are added to a queue together with it;
all of its entering transitions are processed first: for each entering transition, if the Mode under the target control point of the transition is a compound Mode, all entering transitions of that compound Mode are searched for and processed;
the exiting transitions are processed next: for each exiting transition, if the Mode under the source control point of the transition is a compound Mode, all exiting transitions of that compound Mode are searched for and processed;
the inner transitions are processed last: if the target Mode of an inner transition is a compound Mode, the entering transitions of that compound Mode are searched for and processed, and if the source Mode of the inner transition is a compound Mode, its exiting transitions are searched for and processed; for each compound Mode encountered during processing, all of its sub-Modes are added to the queue together with it, and the head of the queue is then processed and removed until the queue is empty.
7. The method according to claim 1, characterized in that in step 9), TransitionGraph(M_TG, T_TG) is the directed graph formed by the atom Modes and the transitions between them after the state diagram has been flattened, where the vertex set M_TG of the graph is the set of atom Modes in the HybridUML model,
Figure FSA00000600531200031
Figure FSA00000600531200032
T_TG is the set of edges
Figure FSA00000600531200033
Figure FSA00000600531200034
The relation between the edges, t = {<v, w> | t ∈ T_TG, v = srcMode_M(t), w = tarMode_M(t)}, represents the transitions with v as source Mode and w as target Mode.
8. The method according to claim 1, characterized in that in step 10), after step 9) the TransitionGraph is obtained; the two kinds of dynamic behaviour of HybridUML that it contains, discrete transitions and continuous variation, correspond respectively to the discrete transitions and the continuous transitions of the HP model;
the trigger event, transition condition and transition action of a HybridUML discrete transition correspond respectively to the elements of an HP discrete transition; in order to identify the currently active state in the HP, a marker variable ActiveState is newly added in InitBlock;
in an HP transition it is first checked whether the source Mode of the transition is the ActiveState; if so, the event is triggered, and after the transition action has been executed ActiveState is set to the Mode containing the target control point of the transition, completing the transfer of control.
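As an added illustration (not code from the patent), the following Python sketch implements the flattening of claims 4 to 6 and the mapping of claim 8 on a small constructed HybridUML-style model: the control points of a compound Mode are split into an entry and an exit point, junctions and compound-Mode control points are spliced away by CreateTransitionPath, the surviving atom-to-atom transitions form the TransitionGraph, and each edge becomes a guarded HP branch on the ActiveState marker variable. The Mode names, the joining of guards with `&`, and the textual rendering are assumptions; the output is a dL-style hybrid program, not KeYmaera's file format.

```python
from dataclasses import dataclass
from itertools import product

ATOM, COMPOUND, JUNCTION = "atom", "compound", "junction"  # control-point kinds (constructed names)

@dataclass(frozen=True)
class Transition:
    src: str          # source control point: atom Mode, compound entry/exit point or junction
    tar: str          # target control point
    guard: str = ""   # transition condition, empty if unconditional
    action: str = ""  # discrete action run when the transition fires

def flatten(kinds: dict, transitions: set) -> set:
    """CreateTransitionPath over every non-atom control point (claims 4 to 6).

    For each compound entry/exit point or junction p, every incoming t1 is spliced
    with every outgoing t2 into src(t1) -> tar(t2) (guards joined with '&', actions
    sequenced), then t1 and t2 are deleted.  Only atom-to-atom transitions remain.
    """
    result = set(transitions)
    for point in sorted(p for p, k in kinds.items() if k != ATOM):
        incoming = {t for t in result if t.tar == point}
        outgoing = {t for t in result if t.src == point}
        for t1, t2 in product(incoming, outgoing):
            guard = " & ".join(g for g in (t1.guard, t2.guard) if g)
            action = "; ".join(a for a in (t1.action, t2.action) if a)
            result.add(Transition(t1.src, t2.tar, guard, action))
        result -= incoming | outgoing
    assert all(kinds[t.src] == ATOM and kinds[t.tar] == ATOM for t in result)
    return result   # the edge set T_TG of the TransitionGraph

def to_hybrid_program(kinds: dict, edges: set, flows: dict, init: str) -> str:
    """MappingTGtoHP (claim 8): render TransitionGraph edges as a dL-style program.

    Atom Modes are numbered so ActiveState is a plain real variable.  Each edge becomes
    '?ActiveState=i & guard; action; ActiveState:=j'; each Mode's continuous flow becomes
    a branch guarded by its number.  Branches are joined by choice (++) under repetition (*).
    """
    modes = sorted(m for m, k in kinds.items() if k == ATOM)
    idx = {m: i for i, m in enumerate(modes)}
    branches = []
    for t in sorted(edges, key=lambda t: (t.src, t.tar)):
        steps = [f"?ActiveState={idx[t.src]}" + (f" & {t.guard}" if t.guard else "")]
        steps += [t.action] if t.action else []
        steps.append(f"ActiveState:={idx[t.tar]}")
        branches.append("(" + "; ".join(steps) + ")")
    branches += [f"(?ActiveState={idx[m]}; {flows[m]})" for m in modes if m in flows]
    return f"ActiveState:={idx[init]}; {{ " + " ++ ".join(branches) + " }*"

# Constructed sample: compound Mode Run (entry Run.in, exit Run.out) containing atom
# Modes Accel and Brake, a top-level atom Mode Stop, and a junction J.
KINDS = {"Stop": ATOM, "Accel": ATOM, "Brake": ATOM,
         "Run.in": COMPOUND, "Run.out": COMPOUND, "J": JUNCTION}
TRANSITIONS = {
    Transition("Stop", "Run.in", guard="start>0"),  # into the compound Mode
    Transition("Run.in", "Accel"),                  # entering transition of Run
    Transition("Accel", "Brake", guard="x>=10"),    # inner transition of Run
    Transition("Brake", "Run.out", guard="v<=0"),   # exiting transition of Run
    Transition("Run.out", "J"),                     # to the junction
    Transition("J", "Stop", action="v:=0"),         # out of the junction
}
FLOWS = {"Accel": "{x'=v, v'=1 & v<=5}", "Brake": "{x'=v, v'=-1 & v>=0}"}

if __name__ == "__main__":
    print(to_hybrid_program(KINDS, flatten(KINDS, TRANSITIONS), FLOWS, "Stop"))
```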
9. The method according to claim 1, characterized in that in step 11) the model transformation rules of steps 4) to 10) are established as follows:
the model transformation rules are divided into two major classes, mapping rules and processing rules:
a mapping rule maps the dynamic behaviour of HybridUML to the HPContent of the Hybrid Programs formal description, and maps the static structure to the HPSkeleton;
a processing rule processes the HybridUML static structure and dynamic behaviour to help the mapping rules perform their mapping;
in order to organize the established rules, two methods are newly added to complete the template: the RenameSharedVariables method renames the shared variables of the same name in the HP model, and the MergeHPModel method merges the HP models into which each atom Agent has been transformed. The rule-application template is set up from the rules obtained, and the target model can be generated by executing the rules according to the template.
10. The method according to claim 1, characterized in that in step 13), the HP model obtained after the transformation can be verified by manual reasoning, but to serve as the input of the theorem prover KeYmaera the HP model also has to be output in the required form: the explanation region, enclosed between # signs, corresponds to the declaration of the state variables and their values, and the InitBlock region corresponds to the initial conditions; HPSkeleton and HPContent correspond to the dynamic behaviour of the system, and the property to be verified is described with a dL formula; in addition, the symbols used in the specific logic must be replaced with the corresponding KeYmaera input symbols.
CN201110332336.4A 2011-10-28 2011-10-28 Characters per second (CPS) Modeling and verification method based on model transformation Expired - Fee Related CN102436375B (en)

Publications (2)

Publication Number Publication Date
CN102436375A true CN102436375A (en) 2012-05-02
CN102436375B CN102436375B (en) 2014-05-07

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140507

Termination date: 20161028