CN113434116B - Modeling and verifying method of mode-based letter fusion system for period controller - Google Patents
Modeling and verifying method of mode-based letter fusion system for period controller Download PDFInfo
- Publication number
- CN113434116B CN113434116B CN202110607529.XA CN202110607529A CN113434116B CN 113434116 B CN113434116 B CN 113434116B CN 202110607529 A CN202110607529 A CN 202110607529A CN 113434116 B CN113434116 B CN 113434116B
- Authority
- CN
- China
- Prior art keywords
- discrete
- mode
- continuous
- cond
- condition
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/10—Requirements analysis; Specification techniques
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/3604—Software analysis for verifying properties of programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F8/00—Arrangements for software engineering
- G06F8/30—Creation or generation of source code
- G06F8/35—Creation or generation of source code model driven
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Quality & Reliability (AREA)
- Devices For Executing Special Programs (AREA)
Abstract
The invention discloses a modeling and verifying method of a mode-based letter fusion system facing a period controller, which comprises the following steps: respectively constructing a discrete mode and a continuous mode on an abstract level and a discrete control flow and a continuous control flow on a concrete level by utilizing a letter fusion system modeling language; combining the obtained modeling models of the abstract level and the concrete level to obtain a complete letter fusion system model which is represented in a graphical mode; and converting variables, discrete modes, continuous modes, discrete mode control flows and continuous mode control flows in the obtained complete letter fusion system model into a hybrid automaton according to translation rules, and performing formal verification and property analysis. The method can display the interface graphically, facilitates the understanding and the model building of the user, also builds an effective bridge between the model and the high-confidence formalized property verification tool, and saves the time and the cost for developing the letter fusion system model and verifying the high-confidence property.
Description
Technical Field
The invention belongs to the technical field of trusted software, smart cities and aerospace, and relates to a modeling and verification method of a mode-based letter fusion system for a period controller.
Background
A letter fusion system is a dynamic system consisting of continuous dynamics, which generally model the interaction of the physical environment, and discrete dynamics, which generally model the operation of the control system. The combination of computing and control can lead to very complex system designs, and therefore they are often found in the aerospace, automotive industry and factory automation design fields. In the field of aerospace, embedded software and an operating environment thereof have the characteristics of high complexity, uncertainty and high real-time requirement. This requires that the modeling language must be able to describe different components of the system and environment, to deeply characterize the model of the embedded software, and to be able to combine and express multiple interaction modes. The spacecraft controller is generally designed as a periodic module, monitors the evolution of the physical environment, and has strong sensitivity to time. Since the calculation and control combination of such a periodic controller is complex and the safety requirement for system design is high, how to model it and perform formal analysis remains a great challenge.
Disclosure of Invention
In order to solve the defects in the prior art, the invention aims to provide a mode-based letter fusion system modeling and verification method facing a periodic controller, so as to model a letter fusion system and perform high-confidence formalized analysis. The modeling method of the letter fusion system can model the letter fusion system in an abstract level at a mode layer, abstractly represents the interaction transfer relationship between a controller and a physical environment and between the controller and the physical environment, and macroscopically expresses a complex system interaction mode, so that an engineer can efficiently understand and analyze the system requirements and model the system requirements so as to find whether inconsistent or ambiguous places exist in the requirements; secondly, each discrete mode comprises a discrete control flow to construct specific control logic of the controller, and each continuous mode comprises a continuous control flow to construct specific physical change rules of the environment. The combination of abstract and concrete level modeling constitutes a complete modeling of the letter fusion system and is easily represented graphically. The invention provides a bridge for connecting HHML and a high-confidence verification tool of a letter fusion system, and can perform related high-confidence formal verification and property analysis on the basis.
The invention provides a modeling and verifying method of a mode-based letter fusion system facing a period controller, which comprises the following steps:
the method comprises the following steps of firstly, utilizing a letter fusion system modeling language HHML to respectively construct a discrete mode representing a controller and an interactive transfer relation and a continuous mode representing a physical environment and the interactive transfer relation on an abstract level;
secondly, a discrete control flow representing control logic and a continuous control flow representing a physical change rule on a specific level are respectively constructed by utilizing a letter fusion system modeling language HHML;
combining the modeling model of the abstract layer obtained in the step one and the modeling model of the concrete layer obtained in the step two to obtain a complete letter fusion system model, and representing the model in a graphical mode;
and step four, converting variables, discrete modes, continuous modes, discrete mode control flows and continuous mode control flows in the complete letter fusion system model obtained in the step three into a hybrid automaton according to translation rules, and performing related high-confidence formal verification and property analysis.
In the first step, the modeling of the abstract level is carried out in a mode layer, the modeling of the abstract level can represent the controller, the physical environment and the interactive transfer relationship between the controller and the physical environment in an abstract mode, and the complex system interactive mode is expressed macroscopically; the mode layer is a letter fusion system at an abstract level and comprises a discrete mode and a continuous mode; the discrete mode refers to a controller and a transfer relation of an abstract level; the continuous mode refers to the physical environment of the abstract level and the transfer relationship thereof.
In the second step, the discrete control flow refers to a specific control logic of a discrete mode; the continuous control flow refers to a specific physical change rule of a continuous mode; the control logic comprises assignment, sampling, function calling, skipping, divergence, sequential execution, condition judgment, circulation and the like; the physical change rule comprises an explicit differential equation and a condition at the time of termination; the conditions at the termination include discrete conditions representing a change in state of the controller and continuous conditions representing a change in physical environment; the discrete condition specifically comprises the judgment of discrete variables such as signals, switches and the like; the continuous condition specifically includes judgment of a continuous variable.
In step three, the graphical representation graphically depicts the discrete modes and their control logic, the transition relationships between the discrete modes, the continuous modes and their physical change rules, the transition relationships between the continuous modes, and so on.
The grammar of the letter fusion system model of the invention is defined as follows:
HModel::=(Dictionary,Modes)
Dictionary::={var|var=(name,arrti,type,initval)}
Modes::=(dModes,cModes)
the HModel is a hybrid model and is composed of a Dictionary and mode models. The dictionary contains variables var, and variables can be added and deleted in the dictionary and initialized when the model is built. The variable var is a quadruple, name is a variable name, arrti is an attribute of the variable, type is a type of the variable, and initval is an initial value of the variable. The modes are composed of discrete modes dModes and continuous modes cModes, and the system can only be in one discrete mode and one continuous mode at the same time.
The discrete mode represents the controller and transfer relationship at the abstraction level, and the grammar of a discrete mode dMode is defined as follows:
dMode::=(name,period,(dflow|dModes),dTrans)
dTran::=(dm,priority,dguard,dm′)
dguard::=cond|Duration(cond,c)|After(cond,c)
a discrete mode dMode is a quadruple, wherein name represents the label of the discrete mode; period represents the period of the discrete mode, which allows the discrete mode to process a series of periodic tasks in a certain time interval; dflow and dModes respectively represent a control flow and a sub-mode of the discrete mode, if the sub-mode is included, the discrete mode does not contain the control flow, otherwise, the discrete mode contains the control flow, and therefore the control relation and the data relation between the discrete modes can be embedded in an iterative mode; dTranss represents a collection of transition relationships between discrete modes. The sub-modes refer to a plurality of discrete modes embedded in the discrete modes.
For a certain transfer relationship dTran, it is also a quadruple. Where dm represents the source discrete pattern of the branching relationship, priority represents the priority of the branching relationship, dguard represents the discrete pattern branching condition, and dm' represents the target discrete pattern of the branching relationship.
For the discrete mode transition condition dguard, it may be the basic condition cond (boolean condition), or may be the temporal predicates Duration (cond, c) and After (cond, c). When condition cond is satisfied c consecutive cycles, Duration (cond, c) is true. After the condition cond is satisfied for the c-th cycle, After After (cond, c) is true. For example:
Duration(x>1,3)
meaning that x > 1 is satisfied at a certain period t and x > 1 is satisfied at both the following t +1 and t +2, then Duration (x > 1, 3) is satisfied at the t +3 th period.
After(x>1,3)
Indicating that x > 1 is satisfied at a certain period t, After t +3 th period, After (x > 1, 3) is satisfied.
The discrete control flow is used for representing a calculation process and control logic of a specific layer of the controller, and a basic grammar of the discrete control flow dflow is defined as follows:
dflow::=declare|stmts|dflow;dflow
stmts::=pstmt|cstmt
pstmt::=x:=stmt|x←cv|call func|skip|⊥
cstmt::=stmt;stmt|while cond do stmts|if cond then stmts else stmts
wherein dflow represents the discrete mode task execution and computation process, which includes the combination between the local declaration decle, the control statements stmts and dflow. The control statement consists of an atomic statement pstmt and a compound statement cstmt. Atomic sentences are of several types: and assignment x: continuous variable sample x ← cv, function call, null statement skip and divergence ±. The compound statement cstmt contains three basic control structures, namely, sequential combination stmt; stmt, loop cond do stmts and conditional if cond the stmts else stmts.
The continuous mode represents the physical environment and transfer relationship of the period controller at the abstract level, and the grammar of a continuous mode cMOde is defined as follows:
cMode::=(name,cflow,cTrans)
cTran::=(cm,priority,cguard,cm′)
cguard::=When(cond)
a continuous mode cMOde is a triple, where name represents the label of the continuous mode; the change rule of the cflow continuous mode is expressed by a differential equation; cTrans represents a collection of transition relationships between consecutive patterns.
For a certain transfer relationship, cTran, is a quadruple. Where cm denotes a source continuous pattern of the migration relationship, priority denotes a priority of the migration relationship, cguard denotes a continuous pattern migration condition, and cm' denotes a target continuous pattern of the migration relationship.
For the continuous mode transition condition cguard, it is composed of the condition cond together with the predicate When. This distinguishes continuous mode transition conditions from discrete mode transition conditions on the one hand, and on the other hand means that continuous mode will always wait for control commands from the controller, and that transitions between continuous modes will occur as soon as the continuous mode transition conditions are met.
The continuous control flow cflow describes the physical change rule of the physical world in a specific layer under a continuous mode, and the grammar of the continuous control flow cflow is defined as follows:
cflow::=eq until cond
eq::=der v=expr|eq||eq|Idel
the continuous control flow cflow is composed of a differential equation eq and a condition unitary cond at the end, where the condition cond may be a judgment of a discrete variable and a continuous variable, and when the condition cond is satisfied, the control flow in the continuous mode will stop executing but not necessarily shift to other continuous modes; when the continuous mode transfer condition is met, the continuous control flow is transferred; the continuous transfer conditions are referred to as cguard.
The differential equation eq expresses the law of change using an explicit ordinary differential equation der v ═ expr. eq can be a combination of one or more equations, where Idle is a special case, meaning that the continuous variable remains unchanged.
In the fourth step, the rule for converting variables in the model of the HHML built-up object fusion system into the hybrid automaton is as follows:
the invention represents a conversion target-hybrid automaton by a six-tuple, specifically,
(loc,var,inv,flow,jumps,init)
wherein loc represents a finite set of continuous states, var represents a variable set, inv represents a set of invariants of each continuous state, flow represents a set of continuous state control flows, jumps represents a set of jumps of the automaton, each jump is a quadruple as shown below, and init represents initialization of continuous variables.
jumps::={jump|jump={l begin ,l end ,guard,reset}},
Wherein l begin Representing the source state of the hybrid automaton jump,/ end The target state of the jump of the hybrid automaton is shown, the guard shows the condition of the jump, and the reset shows the updating operation of the variable in the jump process.
The rules for converting variables in the model built by HHML to the hybrid automaton can be expressed as follows:
Tr(v)=(-,var∪v,-,-,-,init∪v.inival)
the variables in the HHML are divided into continuous variables, discrete variables and constants, the variable types comprise integer types, floating point types and Boolean types, and the variables in the hybrid automata are generally unified into the floating point type continuous variables. Thus, the Boolean variables will be converted to 1/0, with the other variables converted to floating point types. These variables are then directly converted to continuous variables in a hybrid automaton. To reduce the number of transition variables, the constants will be transformed into the hybrid automaton in the form of actual values. In HHML, the variable is assigned an initial value inival, corresponding to the initial variable init in the hybrid automaton. Tr (v) represents a rule for converting variables in the built model to the hybrid automaton, and v represents the converted variables; the elements that are not changed are denoted by "-".
Since the hybrid automaton has no discrete mode, the name of the discrete mode is added to var as a variable, and since the variable types supported by the hybrid automaton are a shaping type and a floating point type, an 1/0 flag is used to distinguish whether the system is in the discrete mode. Finally, a time term t is added to record the period of the discrete mode, and the initial value is 0.
In step four, the rule for converting the discrete mode in the model of the HHML-based building-object fusion system to the hybrid automaton is as follows:
in HHML, a discrete pattern supports pattern nesting, i.e., it may contain several sub-patterns, which is not supported in a hybrid automaton. The discrete patterns must be "flattened" prior to conversion, i.e., all of the simplified discrete patterns contain no sub-patterns and maintain semantic consistency during conversion. The conditions satisfied by the flattened discrete pattern are as follows:
dmodes′={dm|dm.dflow≠emplty∧dm∈dmodes}
it means that none of the flattened discrete patterns contains sub-patterns, the discrete patterns containing sub-patterns are removed, and the semantic consistency is maintained in the conversion process. Wherein, dmodes' represents a flattened discrete pattern set, dm represents any discrete pattern, dmodes represents an original discrete pattern set, and dm.
loc is a set of continuous states of the hybrid automaton, each of which needs to contain the same discrete pattern, considering that different continuous states can receive the command of the controller. In the conversion rule, a certain continuous state 1 ∈ loc in the automaton is taken as an example, and other states are the same. The following rule indicates that a transition of the discrete pattern has occurred after one cycle.
Tr(dm)=(-,-,-,flow∪t′=1,jumps∪jps,-)
where jps={jp|jp=(l,l,(t≥dm.period;dm.name==1;dguard),
(dm.name=0;dm′.name=1;dm′.dflow;t=0))
∧(dm,-,dguard,dm′)∈dm.dTrans}
In order to convert the period of the discrete pattern and express the change in time, a rule adds a change speed t' of time to 1 to each flow of the automaton. Period is appended to the guard condition where the automaton takes a transition, when the transition occurs, the time-shaping variable t will be initialized, reset to 0 to indicate the end of the cycle, i.e. let t equal to 0. determining which discrete mode the system is currently in, namely determining whether the variable name is 1, if so, determining that the system is in the dm mode, and if not, determining that the system is not in the dm mode; the discrete mode transition condition dguard is then converted to guard. Once the transition occurs, the discrete control flow dm '. dflow of the target mode will be executed, and the current discrete mode will be changed from dm to dm ', that is, let dm.name be 0 and dm '. name be 1. Since no transition occurs between the continuous modes, the target continuous state is still the source continuous state l; the single equal sign in the rule represents definition and assignment; the double equal sign indicates that the rules are similar after judging whether the two sides are equal.
In the above rules, tr (dm) represents a rule for translating a discrete pattern, dm represents a translated discrete pattern, flow represents a set of control flows of the hybrid automata, t' 1 represents a time change speed of 1, jumps represents a set of migration relationships of the hybrid automata, jps represents a set of migration relationships newly added after conversion, jp represents a certain relationship in the set of migration relationships jps, 1 represents a certain state in the hybrid automata, dm.
The following rule indicates that no transition of the discrete pattern occurs after one cycle.
Tr(dm)=(-,-,-,flow∪t′=1,jumps∪jps,-)
where jps={jp|jp=(l,l,t≥dm.period;dm.name==1,dm.dflow;t=0}
The rule indicates that when no transition occurs in the discrete pattern, dm.dflow is executed, entering the next cycle at the end of the cycle. The other parameters are the same as the rules when the discrete pattern transitions.
In the fourth step, the rule for converting the discrete control flow in the model of the HHML-based letter fusion system into the hybrid automaton is as follows:
the hybrid automaton only supports partial control flow, so that conversion rules for conditional statements and time predicates are given.
For conditional statement if cond the stmt in discrete control flow 1 else stmt 2 The invention sets the following rules:
Tr(cd)=(-,-,-,-,jumps∪jps,-)
i.e., the discrete control flow dflow containing conditional statements will be split in half and separately stmt will be used at jps 1 And stmt 2 Instead, the branch condition is divided into a condition cond and a condition
Wherein the condition cond represents a judgment condition, stmt 1 Indicating an operation to be performed when a condition is satisfied, the condition
Indicates that the judgment condition is not satisfied, stmt 2 Tr (cd) represents a rule for translating a conditional statement, cd represents a translated conditional statement, jumps represents a set of migration relationships in the hybrid automaton, jps represents a set of newly added migration relationships in the hybrid automatonAnd 1 denotes a certain state of the hybrid automaton.
The time predicate transformation rule in the modeling of the letter fusion system is introduced below.
Tr(Duration(cond,c))=(-,var∪cnt,-,-,jumps∪jps,init∪cnt=0)
Tr(After(cond,c))=(-,var∪cnt,-,-,jumps∪jps,init∪cnt=0)
where jps=(-,-,cnt≥c,-)∪(-,-,cond,cnt=cnt+1)∪(-,-,cnt>0,cnt=cnt+1)
Both of the above rules introduce an additional count variable cnt. In Duration, when one cycle of the discrete mode ends, cnt will be incremented by 1 if cond is true, otherwise it will be reset to 0. When cnt ≧ c, the expression of Duration (cond, c) is true. Similarly, for After (cond, c), cnt will be incremented by 1 at the end of the cycle when cond is true or cnt > 0, and the expression is true when cnt ≧ c. The condition cond represents a judgment condition, c represents the number of cycles required to be met by the time predicate, var represents a variable set, cnt represents a variable used for counting, jumps represents a set of migration relations in the hybrid automaton, jps represents a set of newly added migration relations in the hybrid automaton, and init represents a set of initial variables in the hybrid automaton.
In the fourth step, the rule for converting the continuous mode in the model of the HHML-based object fusion system and the control flow thereof to the hybrid automaton is as follows:
the continuous mode and its control flow are switched as follows.
Tr(cm)=(loc∪cm.name,-,inv∪cm.cond,flow∪cm.eq,jumps∪cm.cguards,-)
The continuous states of the hybrid automaton and the continuous patterns of HHML are semantically equivalent, and thus a one-to-one conversion can be performed. The name of the continuous mode only needs to be converted into the label loc; the differential equation eq can be converted into a differential equation in the automaton control flow; the condition cond at termination after the unity can be converted to invariance inv in the automaton. The transition cTrans between successive modes is equivalent to the transition jump behavior in the hybrid automaton, and no reset operation is performed during the transition. The method comprises the steps of establishing a model, establishing a state in the model, and establishing a state in the model, wherein loc represents a state in the model, wherein loc, cm.
The beneficial effects of the invention include: the method has the advantages of being capable of carrying out strict software requirement analysis and modeling, being easy to describe the embedded software operating environment, being capable of graphically representing and carrying out sufficiently high-confidence property verification on the software.
Drawings
Fig. 1 shows a discrete pattern and its control flow in a letter fusion system according to embodiment 1 of the present invention.
Fig. 2 is a continuous mode and a control flow thereof in the letter fusion system according to embodiment 2 of the present invention.
Fig. 3 is a hybrid automaton model to which a transformation rule is applied to transform a model of a lunar lander slow descent phase based on a belief fusion system in embodiment 3 of the present invention.
FIG. 4 is a flowchart of a modeling and verification method of a pattern-based token fusion system for a period controller according to the present invention.
Detailed Description
The invention is further described in detail with reference to the following specific examples and the accompanying drawings. The procedures, conditions, experimental methods and the like for carrying out the present invention are general knowledge and common general knowledge in the art except for the contents specifically mentioned below, and the present invention is not particularly limited.
Exemplary embodiments of the present disclosure will be described in detail below, taking as an example a slow descent phase of a lunar lander. And in the slow descending stage of the lunar lander, the physical equipment and the control program form a sampling data control system. The system continuously adjusts the thrust applied to the lander to ensure that the lander keeps stable in the slow descending stage, so that the lander smoothly enters the free falling stage to finish landing. The invention divides a letter fusion system into a current stage of a guidance program and lander dynamics, wherein the former is a discrete mode, and the latter is a continuous mode. Easy graphics is a big feature of HHML language. Example 1 represents a discrete mode of the guidance program, example 2 represents a continuous mode of the lander dynamics, and example 3 represents a flow of translating the model into a hybrid automaton.
Example 1
For example, fig. 1 shows a discrete pattern and its control flow in a letter fusion system, which is composed of two discrete patterns. One discrete mode is a guidance mode guidance _ program with a period of 0.128s, which first samples the mass m, the position r and the velocity v of the current lunar lander, which are continuous variables in the continuous mode. The specific impulse Isp of the lander thrust engine is then determined from the thrust Fc exerted on the lander. Finally, a series of calculations are carried out to obtain a new thrust Fc exerted on the lander, wherein m' represents the updated mass of the lander, DeltaT represents a sampling period, a represents the intermediate variable of the acceleration, alC represents the required acceleration, c1 and c2 represent control coefficients in the guidance process, and gM represents the gravity acceleration. Another discrete mode is a free fall mode with a period of 0.128s, at this time, the system stops guiding the lunar lander and sends a signal for stopping guiding, namely, signal true indicates that no other operation is performed after the signal is sent out. The guard condition r ≦ 6 ^ After (r > 0, 80) for the transition from guidance mode to free-fall mode is true when the lander is at a height below 6m and 80 cycles have elapsed during the current slow descent phase.
Example 2
Fig. 2 shows a continuous mode and a control flow thereof in the letter fusion system. It consists of three consecutive modes. The continuous mode one dynamic _1 and the continuous mode two dynamic _2 both represent the change rule of the current position r, the speed v and the mass m of the lander during system guidance, are represented by differential equations, and the condition of the two at the termination is that r is less than or equal to 0. When the thrust Fc exerted on the lander by the controller is more than 3000, the continuous mode one is transferred to the continuous mode two, and when Fc is less than or equal to 3000, the continuous mode two is transferred to the continuous mode one. The continuous mode three dynamic _3 represents the change rule when the system does not apply thrust any more and the lander starts to freely fall, and the condition at the end is that r is less than or equal to 0. Only when the system sends out signal will enter into continuous mode three from continuous mode one or two.
Example 3
FIG. 3 is a hybrid automatic model for converting the letter fusion system model in the slow descent phase of the lunar lander by applying the conversion rule. For the sake of simplicity of pictures, g _ p.dflow is used for representing the control flow of the guidance mode, g _ p.dflow _1 is used for representing the control flow after the first half sentence of the conditional sentence replaces the conditional sentence, g _ p.dflow _2 is used for representing the control flow after the second half sentence of the conditional sentence replaces the conditional sentence, and dynamic _1.cflow, dynamic _2.cflow and dynamic _3.cflow are used for representing the control flow of the continuous mode respectively. According to the rule, new variables t and cnt are introduced to respectively represent time and a counter, and variable names g _ p and s _ g are introduced to represent the discrete mode currently located. Other control flows and transfer conditions are converted one by one according to rules, and are not described in detail herein. Through testing, the converted hybrid automaton can be successfully applied to a verification tool for verifying the correlation property.
Therefore, through modeling of the letter fusion system in the slow descent phase of the lunar lander, namely the letter fusion system modeling language HHML, the interaction and the calculation process between controllers and between physical environments can be clearly and accurately represented, and graphical representation is given. On the other hand, the conversion rule can be successfully applied to the established model and converted into the hybrid automata, so that the model development and the verification personnel can be guided to better verify the relevant properties and follow-up work.
It should be noted that, in this document, the terms "comprises," "comprising," "has," "having" or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method of the above embodiments can be implemented by software, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on this understanding, the technical solutions of the present invention may be embodied in the form of software products, which essentially or partially contribute to the prior art.
The protection of the present invention is not limited to the above embodiments. Variations and advantages that may occur to those skilled in the art may be incorporated into the invention without departing from the spirit and scope of the inventive concept, and the scope of the appended claims is intended to be protected.
Claims (10)
1. A modeling and verification method of a mode-based letter fusion system facing a cycle controller is characterized by comprising the following steps:
the method comprises the following steps of firstly, utilizing a letter fusion system modeling language HHML to respectively construct a discrete mode for representing a controller and an interactive transfer relation and a continuous mode for representing a physical environment and the interactive transfer relation on an abstract level; in the first step, the modeling of the abstract level is carried out in a mode layer, the controller, the physical environment and the interactive transfer relationship between the controller and the physical environment are abstractly expressed, and the complex system interactive mode is macroscopically expressed; the mode layer is a letter fusion system at an abstract level and comprises a discrete mode and a continuous mode; the discrete mode refers to a controller and a transfer relation of an abstract level; the continuous mode refers to the physical environment of an abstract level and the transfer relationship of the physical environment;
secondly, a discrete control flow representing control logic and a continuous control flow representing a physical change rule on a specific level are respectively constructed by utilizing a letter fusion system modeling language HHML; in the second step, the discrete control flow refers to a specific control logic of a discrete mode; the continuous control flow refers to a specific physical change rule of a continuous mode; the control logic comprises assignment, sampling, function calling, skipping, divergence, sequential execution, condition judgment and circulation; the physical change rule comprises an explicit differential equation and a condition at the time of termination; the conditions at the termination include discrete conditions representing a change in state of the controller and continuous conditions representing a change in physical environment; the discrete condition specifically comprises judgment of a discrete variable; the continuous condition specifically comprises judgment of a continuous variable;
step three, combining the modeling of the abstract layer obtained in the step one and the modeling of the concrete layer obtained in the step two to obtain a complete letter fusion system model, and representing the model in a graphical mode; the letter fusion system model is defined as:
HModel::=(Dictionary,Modes),
Dictionary::={var|var=(name,arrti,type,initval)},
Modes::=(dModes,cModes),
the HModel is a mixed model and consists of a Dictionary and mode models; the dictionary comprises variables var, and the variables are added and deleted in the dictionary and initialized when the model is built; the variable var is a quadruple, name is a variable name, arrti is an attribute of the variable, type is a type of the variable, and initval is an initial value of the variable; the modes consist of a discrete mode dModes and a continuous mode cModes, and the system can only be in a discrete mode and a continuous mode at the same time;
step four, converting variables, discrete modes, continuous modes, discrete mode control flows and continuous mode control flows in the complete letter fusion system model obtained in the step three into a hybrid automaton according to translation rules, and performing related high-confidence formal verification and property analysis; in the fourth step, the rule for converting the discrete mode in the model of the HHML-based object fusion system into the hybrid automata is as follows:
in HHML, discrete patterns support pattern nesting, which must be "flattened" before switching, and the flattened discrete patterns satisfy the following conditions:
dmodes′={dm|dm.dflow≠empty∧dm∈dmodes},
the flattening means that the simplified discrete modes do not contain sub-modes, the discrete modes containing the sub-modes are removed, and the semantic consistency is kept in the conversion process; wherein, dmodes' represents a flattened discrete pattern set, dm represents any discrete pattern, dmodes represents an original discrete pattern set, and dm.
2. The method of claim 1, wherein in step three, the graphical representation graphically depicts discrete modes and their control logic, transition relationships between discrete modes, continuous modes and their physical change laws, and transition relationships between continuous modes.
3. The method of claim 2, wherein the discrete mode dModes is defined as:
dMode::=(name,period,(dflow|dModes),dTrans),
dTran::=(dm,priority,dguard,dm′),
dguard::=cond|Duration(cond,c)|After(cond,c),
each discrete mode dMode is a quadruplet, and the name represents a label of the discrete mode; period represents the period of a discrete mode, and the discrete mode processes a series of periodic tasks in a certain time interval; dfiow and dModes respectively represent a control flow and a sub-mode of the discrete mode, if the sub-mode is included, the discrete mode does not contain the control flow, otherwise, the discrete mode contains the control flow, and therefore the control relation and the data relation between the discrete modes can be embedded in an iteration mode; dTranss represents a set of transfer relationships between discrete modes; the sub-modes refer to a plurality of embedded discrete modes in the discrete modes;
the transfer relationship dTran is a quadruple; wherein dm represents a source discrete pattern of the transfer relationship, priority represents a priority of the transfer relationship, dguard represents a discrete pattern transfer condition, and dm' represents a target discrete pattern of the transfer relationship;
the discrete mode transition condition dguard comprises condition cond, time predicate Duration (cond, c) and After (cond, c); duration (cond, c) is true when condition cond is satisfied for c consecutive cycles; after the condition cond is satisfied for the c-th cycle, After After (cond, c) is true.
4. The method of claim 3, wherein the discrete control flow dflow is defined as:
dflow::=declare|stmts|dflow;dflow,
stmts::=pstmt|cstmt,
pstmt::=x:=stmt|x←cv|callfunc|skip|⊥,
cstmt::=stmt;stmt|while cond do stmts|if cond then stmts else stmts,
wherein dflow represents the execution task and the calculation process of the discrete mode, and comprises the combination of a local declaration detail, a control statement stmts and dfiow; the control statement consists of an atomic statement pstmt and a compound statement cstmt; the atomic statements include the following types: assigning x: ← stmt, continuous variable sample x ← cv, function call full, null statement skip and divergence ±; the compound statement cstmt contains three basic control structures, namely, a sequential combination stmt; stmt, loop cond do stmts and conditional if cond the stmts else stmts.
5. The method of claim 2, wherein the continuous mode cMode is defined as:
cMode::=(name,cflow,cTrans),
cTran::=(cm,priority,cguard,cm′),
cguard::=When(cond),
wherein, each continuous mode cMOde is a triple, and the name represents a label of the continuous mode; cflow represents the change rule of the continuous mode and is expressed by a differential equation; cTrans represents a set of transfer relationships between successive patterns;
the transfer relationship cTran is a quadruplet; wherein cm represents a source continuous mode of a transfer relationship, priority represents a priority of the transfer relationship, cguard represents a continuous mode transfer condition, and cm' represents a target continuous mode of the transfer relationship;
the continuous mode transfer condition cguard comprises a condition cond and a predicate When; the continuous mode transition condition is distinguished from the discrete mode transition condition, while the continuous mode will always wait for the control command of the controller, and once the continuous mode transition condition is satisfied, the transition between the continuous modes will occur immediately.
6. The method of claim 5, wherein the continuous control flow cflow is defined as:
cflow::=eq until cond,
eq::=der v=expr|eq||eq|Idel,
the continuous control flow cflow is composed of a differential equation eq and a condition unitary cond at the end, the condition cond is a judgment on a discrete variable and a continuous variable, and when the condition cond is satisfied, the control flow in the continuous mode stops being executed but is not necessarily transferred to other continuous modes; when the continuous mode transfer condition is met, the continuous control flow is transferred; the continuous transfer conditions refer to cguard;
the differential equation eq expresses a change rule by using an explicit ordinary differential equation der v ═ expr; the eq is a combination of one or more differential equations; where Idle is a special case that means that the continuous variable remains unchanged.
7. The method according to claim 1, wherein in step four, the conversion target-hybrid automaton is represented by a six-tuple, in particular,
(loc,var,inv,flow,jumps,init),
wherein loc represents a finite set of continuous states, var represents a variable set, inv represents a set of invariants of each continuous state, flow represents a set of continuous state control flows, jumps represents a set of jumping of the automaton as shown below, each jump is a quadruple, and init represents initialization of continuous variables; the generalized representation of jumps is as follows:
jumps::={jump|jump={l begin ,l end ,guard,reset}},
wherein l begin Representing the source state of the hybrid automaton jump,/ end Representing the target state of the hybrid automata jump, representing the jump condition by the guard, and representing the updating operation to the variable in the jump process by the reset; and/or the presence of a gas in the gas,
in step four, the rules for converting variables in the model built by HHML to the hybrid automata can be expressed as follows:
Tr(v)=(-,var∪v,-,-,-,init∪v.inival),
the variables in the HHML are divided into continuous variables, discrete variables and constants, the variable types comprise integer types, floating point types and Boolean types, the variables in the hybrid automaton are unified into the floating point type continuous variables, the Boolean variables are converted into 1/0, and other variables are converted into the floating point types; directly converting the variables into continuous variables in the hybrid automaton; converting the constant into the hybrid automaton in the form of an actual value; an initial value inival of the variable in HHML, corresponding to the initial variable init in the hybrid automaton; tr (v) represents a rule for converting variables in the built model to the hybrid automaton, and v represents the converted variables; "-" indicates an element that has not changed;
because the hybrid automata has no discrete mode, the name of the discrete mode is added to var as a variable, and because the variable types supported by the hybrid automata are shaping and floating point types, a special value 1/0 mark is used for distinguishing whether the system is in the discrete mode; finally, a time term t is added to record the period of the discrete mode, and the initial value is 0.
8. The method of claim 1, wherein loc is a set of continuous states of the hybrid automaton, each continuous state being required to contain the same discrete pattern, taking into account that different continuous states can receive the command of the controller; a certain continuous state l in the conversion rule setting automaton belongs to loc, and other states are the same;
the following rule indicates that a transition of the discrete pattern has occurred after one cycle:
Tr(dm)=(-,-,-,flow∪t′,jumps∪jps,-),
where jps={jp|jp=(l,l,(t≥dm.period;dm.name==1;dguard),
(dm.name=0;dm′.name=1;dm′.dflow;t=0)),
∧(dm,-,dguard,dm′)∈dm.dTrans},
in order to convert the period of the discrete pattern and express the change of time, the rule adds the change speed t' of time to each flow of the automaton; the condition t is more than or equal to dm, period is added to guard conditions of the automaton for transition, when the transition occurs, a time integer variable t is initialized and reset to 0 to represent the end of the period, namely, t is made to be 0; determining which discrete mode the system is currently in, namely determining whether the variable name is 1, if so, determining that the system is in the dm mode, and if not, determining that the system is not in the dm mode; then converting the discrete mode transfer condition dguard into guard; once the transition occurs, the discrete control flow dm '. dflow of the target mode will be executed, and the current discrete mode will be changed from dm to dm ', that is, let dm.name be 0 and dm '. name be 1; since no transition occurs between the continuous modes, the target continuous state is still the source continuous state 1; the single equal sign in the rule represents definition and assignment; the double equal signs indicate whether the two sides are equal or not;
in the above rules, tr (dm) represents a rule for translating a discrete pattern, dm represents a translated discrete pattern, flow represents a set of control flows of a hybrid automaton, t 'represents a time change speed, jumps represents a set of migration relationships of the hybrid automaton, jps represents a set of migration relationships newly added after conversion, jp represents a relationship in a migration relationship set jps, 1 represents a state in the hybrid automaton, dm.period represents a period of the discrete pattern, dm.name represents a label of the discrete pattern, dguard represents a migration condition of the discrete pattern, dm' represents a target discrete pattern of migration, dm '. name represents a label of the target discrete pattern, dm'. dflow represents a control flow of the target pattern, and dm.dtrans represents a set of transfer relationships of the discrete pattern dm;
the following rule indicates that no transition of the discrete pattern occurs after one cycle:
Tr(dm)=(-,-,-,flow∪t’,jumps∪jps,-),
where jps={jp|jp=(l,l,t≥dm.period;dm.name==1,dm.dflow;t=0},
the rule indicates that when no transition occurs in the discrete mode, dm.dflow is executed, and the next cycle is entered at the end of the cycle; the other parameters are the same as the rules when the discrete pattern transitions.
9. The method of claim 1, wherein in step four, the rules for switching discrete control flows in the HHML letter fusion system model to hybrid automata are as follows:
for conditional statement if cond the stmt in discrete control flow 1 else stmt 2 The following rules are set:
Tr(cd)=(-,-,-,-,jumps∪jps,-),
where
i.e., the discrete control flow dflow containing conditional statements will be split in half and separately stmt will be used at jps 1 And stmt 2 Instead, the branch condition is divided into condition cond and condition
Wherein the condition cond represents a judgment condition, stmt 1 Indicating an operation to be performed when a condition is satisfied, the condition
Indicates that the judgment condition is not satisfied, stmt 2 Tr (cd) represents a rule for translating a conditional statement, cd represents a translated conditional statement, jumps represents a set of migration relationships in the hybrid automaton, jps represents a set of newly added migration relationships in the hybrid automaton1 represents a certain state of the hybrid automaton;
for the time predicate transformation in discrete control flow, the following rules are set:
Tr(Duration(cond,c))=(-,var∪cnt,-,-,jumps∪jps,init∪cnt=0);
where
Tr(After(cond,c))=(-,var∪cnt,-,-,jumps∪jps,init∪cnt=0);
where jps=(-,-,cnt≥c,-)∪(-,-,cond,cnt=cnt+1)∪(-,-,cnt>0,cnt=cnt+1);
both of the above two rules introduce an additional count variable cnt; in Duration, when one cycle of the discrete mode ends, cnt will be increased by 1 if cond is true, otherwise it will be reset to 0; when cnt ≧ c, the expression of Duration (cond, c) is true; similarly, for After (cond, c), when cond is true or cnt > 0, cnt will be incremented by 1 at the end of the cycle, when cnt ≧ c, the expression is true; the condition cond is a judgment condition, c represents the number of cycles required to be met by the time predicate, var represents a variable set, cnt represents a variable used for counting, jumps represents a set of migration relations in the hybrid automaton, jps represents a set of newly added migration relations in the hybrid automaton, and init represents a set of initial variables in the hybrid automaton.
10. The method of claim 1, wherein in step four, the rules for switching the continuous patterns in the HHML-based artifact fusion system model and their control flow to the hybrid automata are as follows:
Tr(cm)=(loc∪cm.name,-,inv∪cm.cond,flow∪cm.eq,jumps∪cm.cguards,-),
the continuous states of the hybrid automaton and the continuous patterns of the HHML are semantically equivalent, performing a one-to-one conversion; the name of the continuous mode only needs to be converted into the label loc; the differential equation eq is converted into a differential equation in the flow of the control flow of the automaton; converting the conditional cond after the unity into an invariant inv in an automaton; the transition cTrans between the continuous modes is equivalent to the transition jump behavior in the hybrid automaton, and no reset operation is performed during the transition; the method comprises the steps of establishing a model, establishing a linear model, and establishing a linear model, wherein loc represents a state in the linear model, where loc, where loc, represents a set, where loc, is, where loc, represents a set, where loc, represents a set, where loc, of a set, where loc, represents a set, where loc.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110607529.XA CN113434116B (en) | 2021-06-01 | 2021-06-01 | Modeling and verifying method of mode-based letter fusion system for period controller |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110607529.XA CN113434116B (en) | 2021-06-01 | 2021-06-01 | Modeling and verifying method of mode-based letter fusion system for period controller |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN113434116A CN113434116A (en) | 2021-09-24 |
| CN113434116B true CN113434116B (en) | 2022-09-20 |
Family
ID=77803371
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110607529.XA Active CN113434116B (en) | 2021-06-01 | 2021-06-01 | Modeling and verifying method of mode-based letter fusion system for period controller |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113434116B (en) |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2569714A1 (en) * | 2004-06-08 | 2005-12-22 | Dartdevices Corporation | Architecture, apparatus and method for device team recruitment and content renditioning for universal device interoperability platform |
| CN110245085A (en) * | 2019-04-08 | 2019-09-17 | 华东师范大学 | The embedded real-time operating system verification method and system examined using on-time model |
| CN112419775A (en) * | 2020-08-12 | 2021-02-26 | 华东师范大学 | Digital twin intelligent parking method and system based on reinforcement learning |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8655636B2 (en) * | 2010-06-23 | 2014-02-18 | Iowa State University Research Foundation, Inc. | Semantic translation of time-driven simulink diagrams using input/output extended finite automata |
-
2021
- 2021-06-01 CN CN202110607529.XA patent/CN113434116B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CA2569714A1 (en) * | 2004-06-08 | 2005-12-22 | Dartdevices Corporation | Architecture, apparatus and method for device team recruitment and content renditioning for universal device interoperability platform |
| CN110245085A (en) * | 2019-04-08 | 2019-09-17 | 华东师范大学 | The embedded real-time operating system verification method and system examined using on-time model |
| CN112419775A (en) * | 2020-08-12 | 2021-02-26 | 华东师范大学 | Digital twin intelligent parking method and system based on reinforcement learning |
Non-Patent Citations (3)
| Title |
|---|
| 一种面向控制软件需求分析的方法;张丽芸等;《计算机应用研究》;20130215(第02期);全文 * |
| 基于时间自动机的信息物理融合系统建模与验证;陈志辉;《计算机与现代化》;20121015(第10期);全文 * |
| 智慧城市综合感知与智能决策的进展及应用;龚健雅等;《测绘学报》;20191215(第12期);全文 * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN113434116A (en) | 2021-09-24 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Ghezzi et al. | TRIO: A logic language for executable specifications of real-time systems | |
| Felder et al. | Proving properties of real-time systems through logical specifications and Petri net models | |
| Sirjani et al. | Verification of cyberphysical systems | |
| Hüttel | Transitions and trees: an introduction to structural operational semantics | |
| Taibi | Formalising design patterns composition | |
| Campos | A quantitative approach to the formal verification of real-time systems | |
| Ge et al. | Integrated formal verification of safety-critical software | |
| Frehse et al. | A toolchain for verifying safety properties of hybrid automata via pattern templates | |
| CN113434116B (en) | Modeling and verifying method of mode-based letter fusion system for period controller | |
| Brau et al. | Heterogeneous models and analyses in the design of real-time embedded systems-an avionic case-study | |
| CN115758789B (en) | Software architecture design and architecture transfer method of complex real-time embedded system | |
| Bride et al. | N-PAT: A Nested Model-Checker: (System Description) | |
| Goorden et al. | Modeling guidelines for component-based supervisory control synthesis | |
| Perháč et al. | Another tool for structural operational semantics visualization of simple imperative language | |
| Miller et al. | RTAEval: A framework for evaluating runtime assurance logic | |
| Dhananjayan et al. | A metric temporal logic specification interface for real-time discrete-event control | |
| Bauer et al. | Towards automatic verification of embedded control software | |
| Li et al. | Translating CPS with shared-variable concurrency in spaceex | |
| Deschamps | Scheduling of a cyber-physical system simulation | |
| Birkinshaw et al. | Modelling the client-server behaviour of parallel real-time systems using Petri nets | |
| Wachtel et al. | Programming in natural language building algorithms from human descriptions | |
| Hu et al. | HHML: A Hierarchical Hybrid Modeling Language for Mode-based Periodic Controllers. | |
| EP0230721A2 (en) | Multiprocessor control system | |
| Gawron et al. | Semi-automated synthesis of control system software through graph search | |
| Kook et al. | Representation of models for solving real-world physics problems |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |