CN112329208A - Method for realizing modeling and verification of multi-clock-constrained collaborative unmanned system - Google Patents

Abstract

The invention discloses a method for realizing modeling and verification of a multi-clock constraint-oriented collaborative unmanned system, which comprises the following steps: providing a framework of the collaborative unmanned system, establishing a field modeling summary file SysML Profile of the collaborative unmanned system, and extracting professional terms, relations and operations of the professional terms and relations to the collaborative unmanned system; defining a single-clock and multi-clock system, and giving definition and relation semantics related to the clocks; modeling and verifying the collaborative unmanned system according to a model driving system development process; the automatic overtaking method comprises the steps of designing an automatic overtaking case, providing natural language requirements of a system, constructing a state machine model of the system, converting the state machine model into a corresponding CCSL model, and verifying the state machine model on a special simulation platform TimeSquare of a clock constraint protocol language. The method is safe and effective, and the modeling and the verification are carried out simultaneously, so that the method can be popularized and applied to other safety critical modeling fields of the multi-clock constraint system.

Description

Method for realizing modeling and verification of multi-clock-constrained collaborative unmanned system

Technical Field

The invention relates to a modeling and verification implementation method of a multi-clock constraint system, in particular to a modeling and verification implementation method of a multi-clock constraint cooperative unmanned system.

Background

Modeling and verification of a multi-clock constraint system, particularly modeling and verification oriented to a cooperative unmanned system, relates to natural language requirement modeling, a model driving development method of software, a model conversion technology and verification of a software model.

Modeling and verification of multi-clock restraint systems, particularly for safety-critical unmanned systems, there are three main types of current academic research and enterprise applications: 1, directly adopting a formal modeling language to carry out modeling for natural language requirements. The formal modeling language needs to have a certain formal modeling theoretical basis and is not beneficial to the communication among system interest correlators; 2, modeling is performed by using a common system modeling language sysml (system modeling language). The method is a general modeling language for all systems, and for a collaborative unmanned system, a modeler and an analyst need to provide a modeling summary file in the field, so that the model can be reused conveniently, and the modeling and verification analysis time can be saved; and 3, system modeling and system verification are carried out separately. Most defects of the system are generated in the system modeling and designing stage, and for the system with safety concern, the verification of the system is required to be carried out at the system designing stage, so that the defects of the system and the dangers of the system during operation are avoided as much as possible.

Disclosure of Invention

The purpose of the invention is as follows: the invention aims to provide a method for realizing modeling and verification of a multi-clock-constraint cooperative unmanned system.

The technical scheme is as follows: the invention discloses a method for realizing modeling and verification of a multi-clock constraint-oriented collaborative unmanned system, which comprises the following steps of:

s1, providing a framework of the collaborative unmanned system, establishing a field modeling summary file SysML Profile of the collaborative unmanned system, and extracting professional terms, relations and behavior operations of the collaborative unmanned system;

s2, defining a single-clock and multi-clock system, and giving definition and relation semantics related to the clocks;

s3, modeling the collaborative unmanned system according to the development process of the model driving system of the system;

and S4, for the cooperative unmanned system, constructing a state machine model of the system according to the natural language requirement of the system, converting the state machine model into a corresponding CCSL model, and verifying the state machine model on a special simulation platform TimeSquare of a clock constraint protocol language.

Further, the cooperative unmanned driving system in step S1 includes a cooperative sensing module, a brain-like driving module, and a vehicle control execution module, where the cooperative sensing module obtains information of surrounding vehicles, pedestrians, and roads through communication between a sensor and a vehicle, where the sensor includes a laser sensor, a radar sensor, and a camera, and the vehicle communication includes vehicle-to-vehicle communication, vehicle-to-road communication, and a global positioning system; the cooperative perception module transmits the acquired surrounding traffic environment information to a brain-like driving module, and the brain-like driving module comprises a scene understanding module and a behavior decision module; the scene understanding module carries out data fusion processing on the perception information obtained by the collaborative perception module and outputs information which can be processed by the brain-like driving module, the brain-like driving module invokes the behavior decision module according to the data fused by the scene understanding module, and the behavior decision module generates decision information; the behavior decision module transmits the decision information to the vehicle control execution module to generate corresponding vehicle control actions, and feeds back the behavior result to the surrounding traffic environment.

Further, the domain modeling summary file SysML Profile of the collaborative unmanned driving system in step S1 includes modeling terms, operations and relationships between modules of the system, the structural characteristics of the collaborative awareness module include sensor data, network communication, traffic snapshots and sensor tools, and the behavior characteristics of the obtained traffic information include vehicle-to-vehicle communication, vehicle-to-road communication and sensor awareness; the cooperative sensing module monitors the user and the traffic environment; the user structure characteristics comprise user identity identification, gender and age, and the user behavior characteristics comprise vehicle starting, starting point and end point information input and artificial control; the structural characteristics of the traffic environment comprise weather, road types, surrounding vehicles and surrounding pedestrians, and the behavior characteristics of the traffic environment comprise environment updating and data transmission; the cooperative sensing module triggers the scene understanding module, the cooperative sensing module is used for processing sensed user and environment information and outputting effective information which can be understood by a computer, the structural characteristics of the scene understanding module comprise traffic rules and prior traffic information, and the behavior characteristics of the scene understanding module comprise data fusion, traffic sign identification and observation; the output of the scene understanding module triggers a behavior decision module, a decision system generates behavior decision information of the vehicle by using the scene understanding information subjected to fusion processing, wherein the structural characteristics of the decision system comprise road application, road occupation, required acceleration, required speed, application withdrawal and occupation withdrawal, and the behavior characteristics of the decision system comprise road control, longitudinal control and transverse control; the input of the behavior decision information excites a vehicle control execution module, the vehicle control execution module controls the vehicle according to the input of the behavior decision information, the structural characteristics of the vehicle control execution module comprise space-time trajectory, advancing direction, transverse acceleration and emergency control, the behavior characteristics of the vehicle control execution module comprise brake control, steering control, accelerator control and gear control, and the vehicle control information is fed back to the user and the traffic environment, so that the user and the surrounding traffic environment can verify and control the vehicle execution information.

Further, in step S2, the single-clock system is defined as a main clock that needs to be established in the system, and the clock of each subsystem or sub-component must be referenced to the main clock, and samples are taken in the main clock to complete the clock system interacting with the overall system; the multi-clock system is defined as a clock system which has no global clock, each subsystem/sub-component obeys multiple clock frequencies, has an independent clock to control the action behavior of the subsystem/sub-component, and realizes the running of the global system through the partial order interaction relationship of the behavior among local subsystems.

Further, the clock constraint specification language CCSL in step S2 is a formal specification language based on a clock and clock constraints, the clock representing a trigger state of a signal at each discrete time point; the clock constraint describes a logic relationship between signal clocks, and the clock constraint includes a clock relationship and a clock expression, and specifically includes:

(1) logic clocks, clock scheduling and related definition of clock history;

logic clock: a logic clock c is defined as a sequence of finite or infinite clock jumps,

a set of non-0 natural numbers; for each one of c_iE { tick, idle }, which indicates that the clock is in a trigger state tick or a non-trigger state idle in the state of the time i;

clock scheduling: a clock schedule sigma reflects the trigger state of all clocks at each moment in discrete time, and is a finite or infinite sequence

Is a set of 0 and positive integers; sigma (i) epsilon 2^cRepresents a set of clocks that trigger at time i, formally defined as:

wherein C represents a set of finite logic clocks;

clock history: for a given clock schedule σ, the clock history records the number of triggers that each clock has expired to the current time in σ, formally defined as:

wherein H_σ(c, i) represents the number of triggers that a logic clock c expires to time i in clock schedule σ; h_σ(c, i +1) stands for in clock scheduling σThe logic clock c is cut off to the triggering times of the time i + 1; h_σ(c,0) represents the number of triggers for the logic clock c to expire at time 0 in clock schedule σ; i, j represents the time of the clock;

(2) clock relationship semantics;

the priority relationship is: logic clock c₁Faster than the logic clock c₂Triggering of (1);

wherein H_σ(c₁I) represents the logic clock c in clock scheduling σ₁The number of triggers until time i; h_σ(c₂I) represents the logic clock c in clock scheduling σ₂The number of triggers until time i;

② mutual exclusion relationship: if logic clock c₁Is triggered, then logic clock c₂Not trigger and vice versa;

③ child-hour relationship: at any time, if the logic clock c₁Triggered then logic clock c₂Must be triggered;

fourthly, simultaneously relating: logic clock c₁And logic clock c₂Triggering at the same time;

a causal relationship: logic clock c₁Is not slower than the logic clock c₂Triggering of (1);

sixthly, the alternating relation is as follows: logic clock c₁And logic clock c₂Alternately triggering;

wherein, c₁(i) Representing a logic clock c₁At the i-th time, c₂(i) Representing a logic clock c₂At the i-th time, c₁(i +1) represents a logic clock c₁Time i + 1;

(3) a time-clock expression semantic;

combining clocks: triggering of clock and only if logic clock c₁OR logic clock c₂Triggering of (1);

clock crossing: triggering of clock crossing and only if logic clock c₁And logic clock c₂Simultaneously triggering;

clock delay: triggering and logic clock c of the clock₂Are simultaneously triggered at c₂Before, there is a logic clock c₁And logic clock c₂Trigger ratio logic clock c₁D more triggering times;

clock period: triggering of this clock is with p logical clocks c₁The triggering of (2) is periodic triggering;

wherein H_σ(c₀I) represents the logic clock c in clock scheduling σ₀The number of triggers until time i;

clock sampling: the clock is based on the clock and the logic clock c₂For logic clock c₁Sampling, in particular the toggling of the clock and the logic clock c₂Triggered simultaneously at time i and preceded by a time j,0<j is less than or equal to i, the logic clock c of the moment₁And at any time

Logic clock c₂Not triggering;

sixthly, strictly sampling by a clock: the clock is based on the clock and the logic clock c₂For logic clock c₁Performing rigorous sampling, in particular, the triggering of the clock and the logic clock c₂Triggered simultaneously at time i and preceded by a time j,0<j<i, the time logic clock c₁And at any time

Logic clock c₂Not triggering;

upper clock bound: the clock defines a logical clock c₁And logic clock c₂The fastest clock among the slow-triggering clocks;

clock lower bound: the clock defines a logical clock c₁And logic clock c₂The slowest clock among the triggered fast clocks;

further, the collaborative unmanned system model driven development process in step S3 specifically includes: firstly, analyzing system requirements in a natural language form by a system designer, extracting basic concepts of system design and relations among the concepts, and constructing a calculation irrelevant model; secondly, through model conversion, adding logic data related to application, and converting a calculation-independent model into a platform-independent model; then, converting the platform-independent model into a platform-dependent model by adding specific platform-dependent data; finally, converting the platform-related model into a system text code through conversion from the model to the text; in the process of model drive development of a software system, meta-models and corresponding summary files of a source model, a conversion model and a target model need to be constructed for conversion from a platform-independent model to a platform-dependent model, wherein the meta-models define the grammar and the semantics of a conversion language, and the summary files define the grammar and the semantics of a specific conversion language and take specific application platform and domain knowledge into consideration; the conversion model defines the conversion rule from the state machine diagram meta model to the formal clock constraint reduction language; the source model, the conversion model and the target model are respectively obeyed to the source meta-model, the conversion meta-model and the target meta-model, wherein the source model and the target model are respectively instantiated into a platform-independent model and a platform-dependent model, and model conversion from the platform-independent model to the platform-dependent model is completed.

Further, in step S3, coordinating formal definition of the meta model and the state machine diagram of the unmanned system;

(1) the meta-model of the collaborative unmanned system is a quadruple: AAM:: ═ B_A,R_A,E_A,C_A)；

①B_ARepresenting a system block definition diagram;

B_A＝{Perception,Understanding,Planner,Actuator,User,Environment,KnowledgeBase}；

wherein a permission represents a Perception; underranging represents scene Understanding; planner represents behavioral decision-making; actuator denotes execution; user represents a User; environment represents an Environment; knowledgbasee represents a traffic knowledge base;

②R_Athe relationship of system functions is defined;

wherein monitor represents monitoring; trigger represents trigger; precedence represents the precedence; stimulus stands for stimulation; response represents feedback; invoke represents a call;

③E_Arepresenting the system operating function, E_A:B_A×R_A→B_A；

④C_AConstraint information, S, is defined_A＝{Invariant,Precondition,Postcondition}；

Wherein Invariant represents an invariance; precondition represents a prerequisite; postcondition denotes a post condition;

(2) giving a formal definition of a state machine diagram;

the syntax for formalized representation of the state machine diagram is defined as the six-tuple SMD: (S, S)₀,E,G,Act,Tr)；

S represents a state set in a state machine diagram;

②S₀representing an initial set of states in a state machine diagram;

thirdly, E represents a set of trigger events in state transition;

g represents a set of satellite viewing conditions in state transition;

act represents a set of migration actions in state migration;

sixthly, Tr represents a set of migration relations in the state machine diagram,

wherein sv and tv are respectively a source state and a target state of a migration relationship, when a trigger event occurs and guard conditions are met, Tr executes a migration action to trigger the migration between the bodies in the state machine diagram;

the semantics of the formalized representation of the state machine diagram are as follows:

operating semantics in sequence:

wherein s is_sRepresenting the source state, s_tRepresenting a target state, e representing a trigger event in state transition, g representing a satellite condition in state transition, a representing a transition action in state transition, when the trigger event and the satellite condition are satisfied, the transition action is executed,

migration occurs;

selecting operation semantics: different migration conditions will cause different migration to occur;

wherein choice represents a selection operation, e_iRepresents a trigger event in state transition i, g_iIndicating satellite Condition in State transition i, a_iRepresenting a migration action in the state migration i;

wherein s is_s1The first of the source states is represented,_e1[g₁]/a₁,e₂[g₂]/a₂and_ei[g_i]/a_irepresenting different migration conditions, respectively representing trigger events, guard conditions and migration actions in the 1 st, 2 nd and i-th migration conditions, s_t1、s_t2And s_tiRespectively representing the 1 st, 2 nd and ith target states;

and thirdly, forking operation semantics: the bifurcation operation is that under the same migration condition, the migration target state is a composite state consisting of two or more orthogonal nodes;

wherein fork represents a fork operation, r₁.s_1int,r₂.s_2int,r_n.s_nintRespectively representing target states of 1 st, 2 nd and ith orthogonal areas in the bifurcation operation;

wherein the content of the first and second substances,_e[g]a trigger event and guard condition representing a migration condition;

fourthly, converging operation semantics: the merging operation is to be migrated to a target state by two or more mutually independent, concurrent and synchronous orthogonal source states;

join→(r₁.s_1fin|r₂.s_2fin|…|r_n.s_nfin)×e×g×a×s_t；

where join represents a join operation, r₁.s_1fin,r₂.s_2finAnd r_n.s_nfinRespectively representing initial states respectively belonging to the 1 st, 2 nd and ith orthogonal regions of the merging operation;

s33, defining a mapping rule between the meta-model and the state-based clock constraint specification language, and converting the formalized state machine diagram into a formalized clock constraint specification language CCSL according to the mapping rule;

the model conversion rules between the state machine graph meta-model and the clock constraint reduction language are as follows:

conversion between states: mapping the state in the state machine diagram to the state in the CCSL protocol;

wherein s is_smdRepresents the state of the state machine diagram smd, S_smdDenotes s_smdSet of (1), s_ccslRepresenting states, S, in a clock constraint specification language, CCSL_ccslDenotes s_ccslA set of (a);

triggering the mapping between the event and the clock: mapping the trigger event in the state machine diagram to a logic clock in a CCSL protocol;

wherein E is_smdRepresents a set of edges in the state machine diagram, λ (Tr) represents an action in the migration relationship in CCSL, Tr_ccslA set representing migration relationships in the CCSL;

③ the mapping rule between guard condition and Boolean condition in the clock constraint reduction language: mapping guard conditions in a state machine to Boolean expressions in CCSL;

wherein G is_smdRepresenting a set of guard conditions, Tr, in a state machine diagram_choice.BoolRepresents selection of Boolean condition, Tr, in CCSL_ccslRepresents Tr_choice.BoolA set of (a);

fourthly, the mapping rule between the operation semantics of the sequential expression: mapping sequence expressions in a state machine diagram to Boolean sequence condition migration in a CCSL protocol;

wherein s is₁、s₂Representing two states, Tr, in a state machine diagram_smdRepresents a set s 'representing a migration relationship in CCSL'₁、s’₂Represents two states in the CCSL;

selecting a mapping rule between expression operation semantics: mapping a selection expression in a state machine diagram to Boolean selection condition migration in a CCSL protocol;

wherein S is_s、S_tThe source state and the target state are respectively represented, and the CR.choice represents a set of selection operation states in a CCSL clock relationship;

sixthly, mapping rules among the operation semantics of the bifurcated expression are as follows: mapping a bifurcated expression in a state machine diagram to clock synchronization condition migration in a CCSL protocol;

wherein r is_1,2,…,nRepresenting different orthogonal regions, s, in a state machine diagram_{1int,2int,…,nint}Representing target states, s 'of the 1 st, 2 nd and nth orthogonal regions in a fork operation'_sIs a source state in CCSL, tr'₁,tr’₂,tr’_nRepresenting different target states after a fork operation in the CCSL;

seventhly, converging and selecting a mapping rule between expression operation semantics: mapping a confluent expression in a state machine diagram to conditional migration of a clock delay expression in a CCSL protocol;

wherein s is_{1fin,2fin,…,nfin}Indicating a confluenceOperating initial states, s ', of the 1 st, 2 nd and i-th orthogonal regions'₁、s’₂、s’_nRepresenting different initial states of the CCSL merge operation.

Has the advantages that: compared with the prior art, the invention has the following good technical effects:

(1) the invention provides a field modeling summary file SysML Profile of a collaborative unmanned system for the first time, and the summary file unifies field modeling terms, operations and relationships, thereby being beneficial to communication of field modeling personnel and saving modeling time.

(2) The invention converts the semi-formal model into the formal clock constraint reduction language, provides the meta-model of the state machine diagram, and defines the mapping rule between the meta-model and the state-based clock constraint language.

(3) The invention analyzes and verifies the multi-clock model in a model verification tool TimeSquare.

The method can be popularized and applied to other safety critical modeling fields of the multi-clock constraint system, and has wide application prospect.

Drawings

FIG. 1 is a schematic diagram of the general architecture of a collaborative unmanned system;

FIG. 2 is a schematic diagram of a collaborative unmanned driving domain modeling summary file;

FIG. 3 is a schematic diagram of a multi-clock binding system architecture;

FIG. 4 is a schematic diagram of clock relationship semantics;

FIG. 5 is a schematic diagram of the semantics of a clock expression;

FIG. 6 is a schematic diagram of a software system model driven development flow;

FIG. 7 is a schematic diagram of a collaborative unmanned system cut-in scenario;

FIG. 8 is a state machine diagram of a coordinated driverless system cut-in behavior;

FIG. 9 is a diagram illustrating simulation results according to an embodiment of the present invention.

Detailed Description

The invention is described in detail below with reference to the figures and specific embodiments.

The invention discloses a method for realizing modeling and verification of a multi-clock constraint-oriented collaborative unmanned system, which specifically comprises the following steps:

s1, a framework of the collaborative unmanned system is provided, a field modeling summary file SysML Profile of the collaborative unmanned system is established, professional terms, relations and behavior operations of the collaborative unmanned system are extracted, communication between system design and analysts is facilitated, modeling and verification time is saved, and modeling accuracy is improved.

As shown in fig. 1, the cooperative unmanned driving system includes a cooperative sensing module, a brain-like driving module, and a vehicle control execution module, and forms a closed loop of "sensing-understanding-decision-execution-environment". The cooperative sensing module obtains information of surrounding vehicles, pedestrians and roads through communication between a sensor and the vehicles, wherein the sensor comprises a laser sensor, a radar sensor, a camera and the like, and the vehicle communication comprises vehicle-to-vehicle communication, vehicle-to-road communication, a global positioning system and the like; the cooperative perception module transmits the acquired surrounding traffic environment information to the brain-like driving module, the brain-like driving module comprises a scene understanding module and a behavior decision module, and the main functions of the brain-like driving module are scene understanding and behavior decision; the scene understanding module carries out data fusion processing on the perception information obtained by the cooperative perception module and outputs information which can be processed by the brain-like driving module, the brain-like driving module invokes the behavior decision module according to the data fused by the scene understanding module, and the behavior decision module generates decision information, namely safe driving control information; the behavior decision module transmits the decision information to the vehicle control execution module to generate corresponding vehicle control actions, and feeds back a behavior result to the surrounding traffic environment; the execution information of the vehicle control execution module mainly comprises longitudinal motion planning (acceleration, braking and the like) and transverse motion planning (steering and the like).

Through reading a large number of references, for the modeling capability of the collaborative unmanned system, the fact that the domain concepts of the existing general system modeling language SysML are unclear, the relationships among the concepts are disordered, and a general unified domain modeling extension language is lacked is found. Based on the problems, the invention expands and constructs the SysML Profile of the field modeling file, which is used for improving the modeling accuracy of the collaborative unmanned system and saving the modeling time.

As shown in fig. 2, the domain modeling Profile SysML Profile of the collaborative unmanned system mainly includes the relationships between modeling terms, operations, and modules of the system. The structural characteristics of the cooperative sensing module comprise sensor data, network communication, traffic snapshots, sensor tools and the like, and the behavior characteristics for acquiring traffic information comprise vehicle-to-vehicle communication, vehicle-to-road communication, sensor sensing and the like. The cooperative sensing module monitors the user and the traffic environment; the user structure characteristics mainly comprise user identity identification, gender, age and the like, and the user behavior characteristics mainly comprise vehicle starting, starting point and end point information input, artificial control and the like; the structural characteristics of the traffic environment comprise weather, road types, surrounding vehicles, surrounding pedestrians and the like, and the behavior characteristics of the traffic environment comprise environment updating, data transmission and the like; the cooperative sensing module triggers the scene understanding module, the cooperative sensing module is mainly used for processing sensed user and environment information and outputting effective information which can be understood by a computer, the structural characteristics of the scene understanding module comprise traffic rules, prior traffic information and the like, and the behavior characteristics of the scene understanding module comprise data fusion, traffic sign identification, observation and the like; the output of the scene understanding module triggers a behavior decision module, a decision system generates behavior decision information of the vehicle by using the scene understanding information subjected to fusion processing, wherein the structural characteristics of the decision system comprise road application, road occupation, required acceleration, required speed, application withdrawal, occupation withdrawal and the like, and the behavior characteristics of the decision system comprise road control, longitudinal control, transverse control and the like; the input of the behavior decision information excites a vehicle control execution module, the vehicle control execution module controls the vehicle according to the input of the behavior decision information, the structural characteristics of the vehicle control execution module comprise space-time trajectory, advancing direction, transverse acceleration, emergency control and the like, the behavior characteristics of the vehicle control execution module comprise brake control, steering control, accelerator control, gear control and the like, and the vehicle control information is fed back to the user and the traffic environment, so that the user and the surrounding traffic environment verify and control the vehicle execution information. Fig. 2 also lists two enumeration modules, and the traffic snapshot structure characteristics include an occupied road number, an applied road number, a position, a speed, an acceleration and a safety distance; enumerated sensor tool names include laser sensors, radar sensors, cameras, and vision sensors.

S2, defining a single-clock and multi-clock system, and giving definition and relation semantics related to the clocks. The method specifically comprises the following steps:

s21, defining a single clock system and a multi-clock system;

the present invention describes a distributed embedded system as a single clock system or a multi-clock system, as shown in fig. 3, the single clock system is defined as a clock system in which a master clock needs to be established, and the clock of each subsystem or sub-component must be referred to the master clock, and sampling is performed in the master clock to complete the interaction with the overall system. The multi-clock system is defined as a clock system which has no global clock, each subsystem/sub-component obeys multiple clock frequencies, has an independent clock to control the action behavior of the subsystem/sub-component, and realizes the running of the global system through the partial order interaction relationship of the behavior among local subsystems. The multi-clock system is a globally asynchronous locally synchronous distributed system and is suitable for describing a distributed and highly concurrent collaborative unmanned system.

S22, giving definition of clock correlation and definition and semantics of clock relation and clock expression of clock Constraint Specification language CCSL (clock Constraint Specification language);

the clock constraint specification language CCSL is a formal specification language based on clocks and clock constraints, and the clocks represent the trigger state of a signal at each discrete time point; the clock constraints describe the logical relationship between the signal clocks, and include the clock relationship and the clock expression, whose specific semantic graph representation is shown in fig. 4 and 5.

(1) Logic clocks, clock scheduling and related definition of clock history;

logic clock: a logic clock c being defined as consisting of a finite or infinite clock jitterThe sequence of the sequence is determined by the sequence,

is a set of natural numbers (excluding 0). For each one of c_iAn element { tick, idle } indicates that the clock can be either a triggered state tick or an un-triggered state idle in the state at time i.

Clock scheduling: a clock schedule sigma reflects the trigger state of all clocks at each moment in discrete time, and is a finite or infinite sequence

Is a set of 0 and positive integers. Sigma (i) epsilon 2^cRepresents a set of clocks that trigger at time i, formally defined as:

where C represents a set of finite logic clocks.

Clock history: for a given clock schedule σ, the clock history records the number of triggers that each clock has expired to the current time in σ, formally defined as:

wherein H_σ(c, i) represents the number of triggers that a logic clock c expires to time i in clock schedule σ; h_σ(c, i +1) represents the number of triggers for the logic clock c to expire at time i +1 in the clock schedule σ; h_σ(c,0) represents the number of triggers for the logic clock c to expire at time 0 in clock schedule σ; i. j represents the time of the clock.

(2) Clock relationship semantics, as shown in FIG. 4;

the priority relationship is: logic clock c₁Faster than the logic clock c₂Is triggered.

Wherein H_σ(c₁I) represents the logic clock c in clock scheduling σ₁The number of triggers until time i; h_σ(c₂I) represents the logic clock c in clock scheduling σ₂By the number of triggers to time i.

② mutual exclusion relationship: if logic clock c₁Is triggered, then logic clock c₂Not trigger and vice versa.

③ child-hour relationship: at any time, if the logic clock c₁Triggered then logic clock c₂Must be triggered.

Fourthly, simultaneously relating: logic clock c₁And logic clock c₂And simultaneously triggered.

A causal relationship: logic clock c₁Is not slower than the logic clock c₂Is triggered.

Sixthly, the alternating relation is as follows: logic clock c₁And logic clock c₂And (4) alternately triggering.

Wherein, c₁(i) Representing a logic clock c₁At the i-th time, c₂(i) Representing a logic clock c₂At the i-th time, c₁(i +1) represents a logic clock c₁At time i + 1.

(3) The clock expression semantics, as shown in fig. 5;

combining clocks: triggering of clock and only if logic clock c₁OR logic clock c₂Is triggered.

Clock crossing: triggering of clock crossing and only if logic clock c₁And logic clock c₂While simultaneously triggering.

Clock delay: triggering and logic clock c of the clock₂Are simultaneously triggered at c₂Before, there is a logic clock c₁And logic clock c₂Trigger ratio logic clock c₁The number of triggers of (d) is large.

Clock period: triggering of this clock is with p logical clocks c₁Is triggered periodically.

Wherein H_σ(c₀I) stands for scheduling at clockIn sigma, logic clock c₀By the number of triggers to time i.

Clock sampling: the clock is based on the clock and the logic clock c₂For logic clock c₁Sampling, in particular the toggling of the clock and the logic clock c₂Triggered simultaneously at time i and preceded by a time j,0<j is less than or equal to i (including the moment i), and the moment logic clock c₁And at any time

Logic clock c₂And not triggered.

Sixthly, strictly sampling by a clock: the clock is based on the clock and the logic clock c₂For logic clock c₁Performing rigorous sampling, in particular, the triggering of the clock and the logic clock c₂Triggered simultaneously at time i and preceded by a time j,0<j<i (excluding the time i), the time logic clock c₁And at any time

Logic clock c₂And not triggered.

Upper clock bound: the clock defines a ratio of logic clocks c₁And logic clock c₂The fastest clock among the slow-triggering clocks.

Clock lower bound: the clock defines a ratio of logic clocks c₁And logic clock c₂Of the clock that triggers fastA clock.

And S3, modeling the collaborative unmanned system according to the model driving system development process of the system.

S31, driving a development process by the aid of a collaborative unmanned system model;

as shown in fig. 6, model-driven development of software systems, especially for safety-critical systems, is necessary and critical, and can effectively reduce the defects of the systems. Firstly, analyzing system requirements in a natural language form by a system designer, extracting basic concepts of system design and relations among the concepts, and constructing a calculation irrelevant model; secondly, through model conversion, adding logic data related to application, and converting a calculation-independent model into a platform-independent model; then, converting the platform-independent model into a platform-dependent model by adding specific platform-dependent data; and finally, converting the platform-related model into a system text code through conversion from the model to the text. In the process of model drive development of a software system, the key point is the conversion from a platform-independent model to a platform-dependent model, meta-models of a source model, a conversion model and a target model and corresponding summary files need to be constructed, the meta-models define the grammar and the semantics of a conversion language, the summary files define the grammar and the semantics of a specific conversion language, and specific application platform and domain knowledge are considered; the transformation model defines the transformation rules from the state machine graph meta-model to the formalized clock constraint specification language. The source model, the conversion model and the target model are respectively subject to a source meta-model, a conversion meta-model and a target meta-model, wherein the source model and the target model can be respectively instantiated into a platform-independent model and a platform-dependent model, the model conversion from the platform-independent model to the platform-dependent model is completed, and the specific flow of the model conversion refers to fig. 6. The invention is based on the development process of model drive, and carries out modeling and verification on the cooperative unmanned system.

S32, providing formal definitions of the meta model and the state machine diagram of the collaborative unmanned system;

(1) the meta-model of the collaborative unmanned system is a quadruple: AAM:: ═ B_A,R_A,E_A,C_A)；

①B_ARepresenting a system block definition diagram;

B_A＝{Perception,Understanding,Planner,Actuator,User,Environment,KnowledgeBase}；

wherein a permission represents a Perception; underranging represents scene Understanding; planner represents behavioral decision-making; actuator denotes execution; user represents a User; environment represents an Environment; knowledgbasee represents a traffic knowledge base.

②R_AThe relationship of system functions is defined;

wherein monitor represents monitoring; trigger represents trigger; precedence represents the precedence; stimulus stands for stimulation; response represents feedback; invoke represents a call.

③E_ARepresenting the system operating function, E_A:B_A×R_A→B_A；

④C_AConstraint information, S, is defined_A＝{Invariant,Precondition,Postcondition}；

Wherein Invariant represents an invariance; precondition represents a prerequisite; postcondition denotes a Postcondition.

(2) Giving a formal definition of a state machine diagram;

the syntax for formalized representation of the state machine diagram is defined as the six-tuple SMD: (S, S)₀,E,G,Act,Tr)；

S represents a state set in a state machine diagram;

②S₀representing an initial set of states in a state machine diagram;

thirdly, E represents a set of trigger events in state transition;

g represents a set of satellite viewing conditions in state transition;

act represents a set of migration actions in state migration;

sixthly, Tr represents a set of migration relations in the state machine diagram,

and when a trigger event occurs and guard conditions are met, Tr executes a migration action to trigger the migration between the bodies in the state machine diagram.

The semantics of the formalized representation of the state machine diagram are as follows:

operating semantics in sequence:

wherein s is_sRepresenting the source state, s_tRepresenting a target state, e representing a trigger event in state transition, g representing a satellite condition in state transition, a representing a transition action in state transition, when the trigger event and the satellite condition are satisfied, the transition action is executed,

migration occurs;

selecting operation semantics: different migration conditions will cause different migration to occur;

wherein choise denotes a select operation, s_sRepresenting the source state, s_tRepresenting the target state, e_iRepresents a trigger event in state transition i, g_iIndicating satellite Condition in State transition i, a_iIndicating a migration action in state migration i.

Wherein s is_s1Representing a first source state, e₁[g₁]/a₁,e₂[g₂]/a₂And e_i[g_i]/a_iRepresenting different migration conditions, respectively representing trigger events, guard conditions and migration actions in the 1 st, 2 nd and i-th migration conditions, s_t1,s_t2And s_tiRepresenting the 1 st, 2 nd and ith target states.

And thirdly, forking operation semantics: the bifurcation operation is that under the same migration condition, the migration target state is a composite state consisting of two or more orthogonal nodes.

Wherein fork represents a fork operation, r₁.s_1int,r₂.s_2int,r_n.s_nintIndicating the target states of the 1 st, 2 nd and ith orthogonal regions in the fork operation.

Wherein the content of the first and second substances,_e[g]trigger events and guard conditions representing migration conditions.

Fourthly, converging operation semantics: the join operation is a migration from two or more mutually independent, concurrent and synchronous orthogonal source states to one target state.

join→(r₁.s_1fin|r₂.s_2fin|…|r_n.s_nfin)×e×g×a×s_t；

Where join represents a join operation, r₁.s_1fin,r₂.s_2finAnd r_n.s_nfinIndicating the initial states belonging to the 1 st, 2 nd and ith orthogonal regions of the merging operation, respectively.

S33, defining a mapping rule between the meta-model and the state-based clock constraint specification language, and converting the formalized state machine diagram into a formalized clock constraint specification language CCSL according to the mapping rule;

the model conversion rules between the state machine graph meta-model and the clock constraint reduction language are as follows:

conversion between states: mapping the state in the state machine diagram to the state in the CCSL protocol;

wherein s is_smdRepresents the state of the state machine diagram smd, S_smdDenotes s_smdSet of (1), s_ccslRepresenting states, S, in a clock constraint specification language, CCSL_ccslDenotes s_ccslA collection of (a).

Triggering the mapping between the event and the clock: mapping the trigger event in the state machine diagram to a logic clock in a CCSL protocol;

wherein E is_smdRepresents a set of edges in the state machine diagram, λ (Tr) represents an action in the migration relationship in CCSL, Tr_ccslRepresenting a set of migration relationships in the CCSL.

③ the mapping rule between guard condition and Boolean condition in the clock constraint reduction language: mapping guard conditions in a state machine to Boolean expressions in CCSL;

wherein G is_smdRepresenting a set of guard conditions, Tr, in a state machine diagram_choice.BoolRepresents selection of Boolean condition, Tr, in CCSL_ccslRepresents Tr_choice.BoolA collection of (a).

Fourthly, the mapping rule between the operation semantics of the sequential expression: mapping sequence expressions in a state machine diagram to Boolean sequence condition migration in a CCSL protocol;

wherein s is₁、s₂Representing two states, Tr, in a state machine diagram_smdRepresents a set s 'representing a migration relationship in CCSL'₁、s’₂Representing two states in the CCSL.

Selecting a mapping rule between expression operation semantics: mapping a selection expression in a state machine diagram to Boolean selection condition migration in a CCSL protocol;

wherein S is_s、S_tChoice represents the set of selected operating states in the CCSL clock relationship.

Sixthly, mapping rules among the operation semantics of the bifurcated expression are as follows: mapping a bifurcated expression in a state machine diagram to clock synchronization condition migration in a CCSL protocol;

wherein r is_1,2,…,nRepresenting different orthogonal regions, s, in a state machine diagram_{1int,2int,…,nint}Representing target states, s 'of the 1 st, 2 nd and nth orthogonal regions in a fork operation'_sIs a source state in CCSL, tr'₁,tr’₂,tr’_nIndicating different target states after a fork operation in the CCSL.

Seventhly, converging and selecting a mapping rule between expression operation semantics: mapping a confluent expression in a state machine diagram to conditional migration of a clock delay expression in a CCSL protocol;

wherein s is_{1fin,2fin,…,nfin}Denotes an initial state, s'₁,’s₂,s’_nRepresenting different initial states of the CCSL merge operation.

And S4, for the cooperative unmanned system, constructing a state machine model of the system according to the natural language requirement of the system, converting the state machine model into a corresponding CCSL model, and verifying the state machine model on a special simulation platform TimeSquare of a clock constraint protocol language.

Example (b): according to the modeling and verification method, the requirements of the overtaking behavior of the unmanned automobile are modeled and verified in the expressway scene.

First, a description of the requirements of the collaborative unmanned overtaking system is given, as shown in fig. 7: when the current self-vehicle on the road has the intention of overtaking, the turn light is firstly required to be turned on to prompt that the surrounding vehicle has the intention of overtaking, and at the moment, three safety-critical things need to be confirmed: the first is the need to confirm whether the vehicle is within a safe distance from the adjacent lane-change vehicle; secondly, after the surrounding vehicles observe the lane change signal, the rear vehicles cannot accelerate; and thirdly, sending a passing signal to the front vehicle. After receiving the overtaking request signal, the Ego-front-vehicle needs to reply to the agreement or refusal within a certain time (reaction time, supposing 4 seconds), if Ego-vehicle does not receive reply information or refusal information within the reaction time, the Ego-vehicle Ego-vehicle cannot implement lane change overtaking, and needs to keep the original state to advance; lane change overtaking may also not be implemented if the safety distance constraint is not satisfied with surrounding on-demand road vehicles. Lane change overtaking can be implemented only when the agreement information is received within the appointed reaction time and the safety distance is met. The overtaking action can be decomposed into two times of lane change, firstly, the first lane change is carried out to the applied road, the acceleration is needed to advance after the lane change, in the process, the previously agreed vehicles cannot accelerate, when the relative spatial position of the self vehicle ego-vehicle exceeds the self vehicle ego-front-vehicle in front of the self vehicle and the safe distance of the lane change is met, the self vehicle carries out the second lane change, and the time interval of the two lane change overtaking cannot exceed overtaking specified time, such as 10 seconds.

Next, a state machine description of the case system is given in conjunction with the extended domain modeling summary file in step S1 and the formal definition of the meta model and the state machine diagram of the collaborative unmanned system in step S3 of the modeling and verification method described above, as shown in fig. 8.

The natural language requirements are processed with reference to the domain extension file and the extraction introduction of the meta model, and the state machine diagram comprises 10 states, an initial state, a final state and states s 1-s 8 (respectively, a left-turn signal, a lane change application, a lane change disallowance, collision detection, a first lane change, an overtaking implementation, a right-turn signal and a second lane change). Where the s4 collision detection state is a composite state, containing two sub-states for collision detection of the preceding vehicle and potential collision detection of the following vehicle, respectively. The state S2 includes a state invariance specifying that the waiting time for the lane change request does not exceed 4S, the state S6 includes a state invariance specifying that the overtaking time does not exceed 10S, and the preceding overtaken vehicle cannot accelerate during the overtaking process. In the transition condition from the state S6 to the state S7, it is specified that the overtaking vehicle position and the overtaken vehicle position are separated by a distance greater than the safety distance, the overtaking time is about 10S, and the triggered transition action of the overtaking vehicle is an accelerated overtaking.

Then, a model of a clock constraint reduction language for the co-unmanned system vehicle passing case is constructed in combination with the above steps S2 and S3.

First, we will introduce the meaning of clock abbreviations in the CCSL protocol: an ego vehicle steering signal ego _ turn _ signal: ets, an application road is in accordance with a safe distance application _ lane _ safe distance: asd, a vehicle behind the ego vehicle can not accelerate ego _ before _ no _ access: ebna, an ego vehicle application lane change ego _ send _ lanechange: esl, a vehicle ahead of the ego vehicle replies to an agreement ego _ front _ age: efa, a vehicle ahead of the ego vehicle replies to an agreement ego _ front _ distance: efd, an ego vehicle can not overtake ego _ no _ overrating: eno, a vehicle ahead of the ego vehicle can not accelerate ego _ front _ no _ access: efna, and an ego vehicle replies to an overtake completion ego _ send _ overlance: eso.

CCSL1：ets～(asd*ebna)；

The ego-vehicle steering signal ets alternates with the clock crossing (if and only if the clock asd and the clock ebna trigger simultaneously).

CCSL2：(asd∨ebna)≤esl；

The upper clock bound asd V ebna is the fastest clock among the clocks that are slower than the triggering of clock asd and clock ebna, which triggered or caused the occurrence of clock esl.

The toggling of clock efa + efd (toggling of clock efa or clock efd) is slower by 4s than the toggling of clock esl.

CCSL4：efd≡eno；

The clock efd and the clock eno occur simultaneously, namely when the self-vehicle receives an unexpected signal returned by the front vehicle coupler, the self-vehicle is triggered to not overtake.

CCSL5：(efa∨asd)≡efna；

The upper clock bound efa V-old is the fastest clock among the clocks that are slower than the triggers of clock efa and clock asd, whose occurrence triggers the coincidence of clock efna, i.e., the vehicle in front cannot accelerate.

The activation of the clock efa is faster than the activation of the clock eso and the ego vehicle completes the overtaking action eso within the former vehicle's consent efa overtaking 10 s.

Finally, by combining the verification guiding idea of the step S4, in the simulation verification tool timessquare, simulation verification analysis is performed on the constructed clock constraint reduction language model, and the result shows that the multi-clock constraint relationship satisfies the requirement description of the system, as shown in fig. 9. Table 1 shows the correspondence between the CCSL specifications and the validation tool TimeSquare expression.

TABLE 1 CCSL protocol and TimeSquare expression

For any collaborative unmanned system, according to the method provided by the invention, firstly, natural language requirements are analyzed, concepts of the created system, logical relations among the concepts and required function operations are extracted according to the field modeling summary file which is established in an expanding way in the invention, and a state machine model of the system is established; then converting the state machine model into a multi-clock-protocol constraint language according to the semantic mapping rule of the model conversion to obtain a CCSL multi-clock-protocol model; and finally, performing clock relation analysis on the created model by using a special verification tool of the multi-clock protocol model.

Claims (7)

1. The method for realizing the modeling and verification of the multi-clock constraint-oriented collaborative unmanned system is characterized by comprising the following steps of:

s1, providing a framework of the collaborative unmanned system, establishing a field modeling summary file SysML Profile of the collaborative unmanned system, and extracting professional terms, relations and behavior operations of the collaborative unmanned system;

s2, defining a single-clock and multi-clock system, and giving definition and relation semantics related to the clocks;

s3, modeling the collaborative unmanned system according to the development process of the model driving system of the system;

and S4, for the cooperative unmanned system, constructing a state machine model of the system according to the natural language requirement of the system, converting the state machine model into a corresponding CCSL model, and verifying the state machine model on a special simulation platform TimeSquare of a clock constraint protocol language.

2. The method for modeling and verifying the collaborative unmanned aerial system facing multiple clock constraints according to claim 1, wherein the collaborative unmanned aerial system in step S1 comprises a collaborative sensing module, a brain-like driving module and a vehicle control execution module, the collaborative sensing module obtains surrounding vehicles, pedestrians and road information through sensor and vehicle communication, wherein the sensor comprises a laser sensor, a radar sensor and a camera, and the vehicle communication comprises vehicle-to-vehicle communication, vehicle-to-road communication and a global positioning system; the cooperative perception module transmits the acquired surrounding traffic environment information to a brain-like driving module, and the brain-like driving module comprises a scene understanding module and a behavior decision module; the scene understanding module carries out data fusion processing on the perception information obtained by the collaborative perception module and outputs information which can be processed by the brain-like driving module, the brain-like driving module invokes the behavior decision module according to the data fused by the scene understanding module, and the behavior decision module generates decision information; the behavior decision module transmits the decision information to the vehicle control execution module to generate corresponding vehicle control actions, and feeds back the behavior result to the surrounding traffic environment.

3. The method for implementing modeling and verification of a multi-clock constraint-oriented collaborative unmanned aerial vehicle system according to claim 1, wherein the SysML Profile of the domain modeling Profile of the collaborative unmanned aerial vehicle system in step S1 includes modeling terms, operations and relationships between modules of the system, the structural characteristics of the collaborative awareness modules include sensor data, network communication, traffic snapshots and sensor tools, and the behavior characteristics of obtaining traffic information include vehicle-to-vehicle communication, vehicle-to-road communication and sensor awareness; the cooperative sensing module monitors the user and the traffic environment; the user structure characteristics comprise user identity identification, gender and age, and the user behavior characteristics comprise vehicle starting, starting point and end point information input and artificial control; the structural characteristics of the traffic environment comprise weather, road types, surrounding vehicles and surrounding pedestrians, and the behavior characteristics of the traffic environment comprise environment updating and data transmission; the cooperative sensing module triggers the scene understanding module, the cooperative sensing module is used for processing sensed user and environment information and outputting effective information which can be understood by a computer, the structural characteristics of the scene understanding module comprise traffic rules and prior traffic information, and the behavior characteristics of the scene understanding module comprise data fusion, traffic sign identification and observation; the output of the scene understanding module triggers a behavior decision module, a decision system generates behavior decision information of the vehicle by using the scene understanding information subjected to fusion processing, wherein the structural characteristics of the decision system comprise road application, road occupation, required acceleration, required speed, application withdrawal and occupation withdrawal, and the behavior characteristics of the decision system comprise road control, longitudinal control and transverse control; the input of the behavior decision information excites a vehicle control execution module, the vehicle control execution module controls the vehicle according to the input of the behavior decision information, the structural characteristics of the vehicle control execution module comprise space-time trajectory, advancing direction, transverse acceleration and emergency control, the behavior characteristics of the vehicle control execution module comprise brake control, steering control, accelerator control and gear control, and the vehicle control information is fed back to the user and the traffic environment, so that the user and the surrounding traffic environment can verify and control the vehicle execution information.

4. The method for modeling and verifying the collaborative unmanned system based on multi-clock constraint according to claim 1, wherein the single-clock system is defined in step S2 as a master clock needs to be established in the system, and the clock of each subsystem or sub-component must be referenced to the master clock, and the sampling is performed in the master clock to complete the clock system interacting with the overall system; the multi-clock system is defined as a clock system which has no global clock, each subsystem/sub-component obeys multiple clock frequencies, has an independent clock to control the action behavior of the subsystem/sub-component, and realizes the running of the global system through the partial order interaction relationship of the behavior among local subsystems.

5. The method for modeling and validating a multi-clock constraint oriented collaborative unmanned aerial system according to claim 1, wherein the Clock Constraint Specification Language (CCSL) in step S2 is a formal specification language based on clocks and clock constraints, and the clocks represent trigger states of a signal at each discrete time point; the clock constraint describes a logic relationship between signal clocks, and the clock constraint includes a clock relationship and a clock expression, and specifically includes:

(1) logic clocks, clock scheduling and related definition of clock history;

logic clock: a logic clock c is defined as a sequence of finite or infinite clock jumps,

a set of non-0 natural numbers; for each one of c_iE { tick, idle }, which indicates that the clock is in a trigger state tick or a non-trigger state idle in the state of the time i;

clock scheduling: a clock schedule sigma, which reflects the trigger state of all clocks at each moment in discrete time, is a finite or infinite sequence sigma (0) sigma (1) … sigma (i) …,

is a set of 0 and positive integers; sigma (i) epsilon 2^cRepresents a set of clocks that trigger at time i, formally defined as:

wherein C represents a set of finite logic clocks;

clock history: for a given clock schedule σ, the clock history records the number of triggers that each clock has expired to the current time in σ, formally defined as:

wherein H_σ(c, i) represents the number of triggers that a logic clock c expires to time i in clock schedule σ; h_σ(c, i +1) represents the number of triggers for the logic clock c to expire at time i +1 in the clock schedule σ; h_σ(c,0) represents the number of triggers for the logic clock c to expire at time 0 in clock schedule σ; i, j represents the time of the clock;

(2) clock relationship semantics;

the priority relationship is: logic clock c₁Faster than the logic clock c₂Triggering of (1);

wherein H_σ(c₁I) represents the logic clock c in clock scheduling σ₁The number of triggers until time i; h_σ(c₂I) represents the logic clock c in clock scheduling σ₂The number of triggers until time i;

② mutual exclusion relationship: if logic clock c₁Is triggered, then logic clock c₂Not trigger and vice versa;

③ child-hour relationship: at any time, if the logic clock c₁Triggered then logic clock c₂Must be triggered;

fourthly, simultaneously relating: logic clock c₁And logic clock c₂Triggering at the same time;

a causal relationship: logic clock c₁Is not slower than the logic clock c₂Triggering of (1);

sixthly, the alternating relation is as follows: logic clock c₁And logic clock c₂Alternately triggering;

wherein, c₁(i) Representing a logic clock c₁At the i-th time, c₂(i) Representing a logic clock c₂At the i-th time, c₁(i +1) represents a logic clock c₁Time i + 1;

(3) a time-clock expression semantic;

combining clocks: triggering of clock and only if logic clock c₁OR logic clock c₂Triggering of (1);

clock crossing: triggering of clock crossing and only if logic clock c₁And logic clock c₂Simultaneously triggering;

clock delay: triggering and logic clock c of the clock₂Are simultaneously triggered at c₂Before, there is a logic clock c₁Is triggered byAnd logic clock c₂Trigger ratio logic clock c₁D more triggering times;

clock period: triggering of this clock is with p logical clocks c₁The triggering of (2) is periodic triggering;

wherein H_σ(c₀I) represents the logic clock c in clock scheduling σ₀The number of triggers until time i;

clock sampling: the clock is based on the clock and the logic clock c₂For logic clock c₁Sampling, in particular the toggling of the clock and the logic clock c₂Triggered simultaneously at time i and preceded by a time j,0<j is less than or equal to i, the logic clock c of the moment₁And at any time

Logic clock c₂Not triggering;

sixthly, strictly sampling by a clock: the clock is based on the clock and the logic clock c₂For logic clock c₁Performing rigorous sampling, in particular, the triggering of the clock and the logic clock c₂Triggered simultaneously at time i and preceded by a time j,0<j<i, the time logic clock c₁And at any time

Logic clock c₂Do not touchHair is sent;

upper clock bound: the clock defines a logical clock c₁And logic clock c₂The fastest clock among the slow-triggering clocks;

clock lower bound: the clock defines a logical clock c₁And logic clock c₂The slowest clock among the triggered fast clocks;

6. the method for implementing modeling and verification of a multi-clock constraint-oriented collaborative unmanned aerial system according to claim 1, wherein the collaborative unmanned aerial system model-driven development process in step S3 is specifically as follows: firstly, analyzing system requirements in a natural language form by a system designer, extracting basic concepts of system design and relations among the concepts, and constructing a calculation irrelevant model; secondly, through model conversion, adding logic data related to application, and converting a calculation-independent model into a platform-independent model; then, converting the platform-independent model into a platform-dependent model by adding specific platform-dependent data; finally, converting the platform-related model into a system text code through conversion from the model to the text; in the process of model drive development of a software system, meta-models and corresponding summary files of a source model, a conversion model and a target model need to be constructed for conversion from a platform-independent model to a platform-dependent model, wherein the meta-models define the grammar and the semantics of a conversion language, and the summary files define the grammar and the semantics of a specific conversion language and take specific application platform and domain knowledge into consideration; the conversion model defines the conversion rule from the state machine diagram meta model to the formal clock constraint reduction language; the source model, the conversion model and the target model are respectively obeyed to the source meta-model, the conversion meta-model and the target meta-model, wherein the source model and the target model are respectively instantiated into a platform-independent model and a platform-dependent model, and model conversion from the platform-independent model to the platform-dependent model is completed.

7. The method for modeling and verifying the collaborative unmanned aerial system based on multi-clock constraints as claimed in claim 1, wherein in step S3, meta-models and state machine diagrams of the collaborative unmanned aerial system are formally defined;

(1) the meta-model of the collaborative unmanned system is a quadruple: AAM:: ═ B_A,R_A,E_A,C_A)；

①B_ARepresenting a system block definition diagram;

B_A＝{Perception,Understanding,Planner,Actuator,User,Environment,KnowledgeBase}；

wherein a permission represents a Perception; underranging represents scene Understanding; planner represents behavioral decision-making; actuator denotes execution; user represents a User; environment represents an Environment; knowledgbasee represents a traffic knowledge base;

②R_Athe relationship of system functions is defined;

wherein monitor represents monitoring; trigger represents trigger; precedence represents the precedence; stimulus stands for stimulation; response represents feedback; invoke represents a call;

③E_Arepresenting the system operating function, E_A:B_A×R_A→B_A；

④C_AConstraint information, S, is defined_A＝{Invariant,Precondition,Postcondition}；

Wherein Invariant represents an invariance; precondition represents a prerequisite; postcondition denotes a post condition;

(2) giving a formal definition of a state machine diagram;

the syntax for formalized representation of the state machine diagram is defined as the six-tuple SMD: (S, S)₀,E,G,Act,Tr)；

S represents a state set in a state machine diagram;

②S₀representing an initial set of states in a state machine diagram;

thirdly, E represents a set of trigger events in state transition;

g represents a set of satellite viewing conditions in state transition;

act represents a set of migration actions in state migration;

sixthly, Tr represents a set of migration relations in the state machine diagram,

wherein sv and tv are respectively a source state and a target state of a migration relationship, when a trigger event occurs and guard conditions are met, Tr executes a migration action to trigger the migration between the bodies in the state machine diagram;

the semantics of the formalized representation of the state machine diagram are as follows:

operating semantics in sequence:

e belongs to E, G belongs to G, a belongs to Act, wherein s belongs to E, G belongs to G, a belongs to Act_sRepresenting the source state, s_tRepresenting a target state, e representing a trigger event in state transition, g representing a satellite condition in state transition, a representing a transition action in state transition, when the trigger event and the satellite condition are satisfied, the transition action is executed,

migration occurs;

selecting operation semantics: different migration conditions will cause different migration to occur;

wherein choice represents a selection operation, e_iRepresents a trigger event in state transition i, g_iIndicating satellite Condition in State transition i, a_iRepresenting a migration action in the state migration i;

wherein s is_s1Representing a first source state, e₁[g₁]/a₁,e₂[g₂]/a₂And e_i[g_i]/a_iRepresenting different migration conditions, respectively representing trigger events, guard conditions and migration actions in the 1 st, 2 nd and i-th migration conditions, s_t1、s_t2And s_tiRespectively representing the 1 st, 2 nd and ith target states;

and thirdly, forking operation semantics: the bifurcation operation is that under the same migration condition, the migration target state is a composite state consisting of two or more orthogonal nodes;

wherein fork represents a fork operation, r₁.s_1int,r₂.s_2int,r_n.s_nintRespectively representing target states of 1 st, 2 nd and ith orthogonal areas in the bifurcation operation;

wherein e [ g ]]A trigger event and guard condition representing a migration condition;

fourthly, converging operation semantics: the merging operation is to be migrated to a target state by two or more mutually independent, concurrent and synchronous orthogonal source states;

join→(r₁.s_1fin|r₂.s_2fin|…|r_n.s_nfin)×e×g×a×s_t；

where join represents a join operation, r₁.s_1fin,r₂.s_2finAnd r_n.s_nfinRespectively representing initial states respectively belonging to the 1 st, 2 nd and ith orthogonal regions of the merging operation;

s33, defining a mapping rule between the meta-model and the state-based clock constraint specification language, and converting the formalized state machine diagram into a formalized clock constraint specification language CCSL according to the mapping rule;

the model conversion rules between the state machine graph meta-model and the clock constraint reduction language are as follows:

conversion between states: mapping the state in the state machine diagram to the state in the CCSL protocol;

wherein s is_smdRepresents the state of the state machine diagram smd, S_smdDenotes s_smdSet of (1), s_ccslRepresenting states, S, in a clock constraint specification language, CCSL_ccslDenotes s_ccslA set of (a);

triggering the mapping between the event and the clock: mapping the trigger event in the state machine diagram to a logic clock in a CCSL protocol;

wherein E is_smdRepresenting a set of edges, λ, in a state machine diagram(Tr) represents an action in a migration relationship in CCSL, Tr_ccslA set representing migration relationships in the CCSL;

③ the mapping rule between guard condition and Boolean condition in the clock constraint reduction language: mapping guard conditions in a state machine to Boolean expressions in CCSL;

wherein G is_smdRepresenting a set of guard conditions, Tr, in a state machine diagram_choice.BoolRepresents selection of Boolean condition, Tr, in CCSL_ccslRepresents Tr_choice.BoolA set of (a);

fourthly, the mapping rule between the operation semantics of the sequential expression: mapping sequence expressions in a state machine diagram to Boolean sequence condition migration in a CCSL protocol;

wherein s is₁、s₂Representing two states, Tr, in a state machine diagram_smdRepresents a set s 'representing a migration relationship in CCSL'₁、s'₂Represents two states in the CCSL;

selecting a mapping rule between expression operation semantics: mapping a selection expression in a state machine diagram to Boolean selection condition migration in a CCSL protocol;

wherein S is_s、S_tThe source state and the target state are respectively represented, and the CR.choice represents a set of selection operation states in a CCSL clock relationship;

sixthly, mapping rules among the operation semantics of the bifurcated expression are as follows: mapping a bifurcated expression in a state machine diagram to clock synchronization condition migration in a CCSL protocol;

wherein r is_1,2,…,nRepresenting different orthogonal regions, s, in a state machine diagram_{1int,2int,…,nint}Representing target states, s 'of the 1 st, 2 nd and nth orthogonal regions in a fork operation'_sIs the source state in CCSL, tr₁’,tr’₂,tr'_nRepresenting different target states after a fork operation in the CCSL;

seventhly, converging and selecting a mapping rule between expression operation semantics: mapping a confluent expression in a state machine diagram to conditional migration of a clock delay expression in a CCSL protocol;

wherein s is_{1fin,2fin,…,nfin}Denotes an initial state, s'₁、s'₂、s'_nRepresenting different initial states of the CCSL merge operation.

Images