Real-World Contracts - Rich Semantics for Formal Interfaces

Authors:
  • Dependable Computing

Abstract and Figures

Real-world types, machine-world types, and their correspondence capture critical information about how a cyber-physical system is situated with respect to its environment. Formal analysis of systems necessarily abstracts away some details of the real world in creating models of how the environment and system of interest interact. However, this abstraction needs to include a representation of how real-world types correspond to their machine-world counterparts. Real-World Contracts address this need by representing real-world types in a formal language, such as PVS. The process of creating Real-World Contracts relies on several components: 1. Defining real-world types in a formal language. 2. Defining machine-world types in a formal language. 3. Defining the correspondence between real-world and machine-world types in a formal language. 4. Creating formal contracts that explicitly use real-world and machine-world types in their construction. Defining real-world types in a formal language requires representing the relevant information about the environment in which a model is situated. This information will include details about what is being represented, dimensional analysis, and feasible ranges of values for the types. Additionally, rules for how this real-world information combines under different scenarios (such as addition and multiplication) need to be formally defined for proof verification tools to verify consistency of the real-world types and to prove putative theorems over these types. Defining machine-world types in a formal language requires defining the types as represented within the cyber-physical system. Machine-world types describe not only the actual machine type (e.g., integer) used to represent the information, but also critical information about the scale, offset, and allowable range for the information being processed.
As with real-world types, formal rules also need to be created defining how machine-world types combine under different scenarios. Defining the correspondence between real-world and machine-world types requires creating a syntax for representing details such as latency, update rates, and errors in measurement. These correspondence rules also need to describe how the details are affected when outputs from one component become inputs to another. Finally, once a real-world type system and its machine-world correspondence have been formally defined, these definitions need to be used when creating formal contracts for the system. Using real-world types in defining formal contracts allows for the expression of properties about these real-world values that cannot otherwise be expressed. In this talk, we illustrate the creation and analysis of real-world contracts by way of application to a simple, hypothetical liquid storage tank. Specifically, we formally define real-world types associated with the example, create rules for how these real-world types combine, formally describe a machine-world representation of this information and the correspondence between that representation and the real-world types, and demonstrate formal contracts using these real-world and machine-world types.
DEPENDABLE COMPUTING

Slide 1: Real-World Contracts
Rich Semantics for Formal Interfaces
Dr. Ashlie Benjamin Hocking
Dependable Computing
June 11, 2015
S5 Approved for Public Release.
Case Number 88ABW-2015-2784

Slide 2: Real-World Contracts and Rich Semantics for Formal Interfaces
- Systems-of-systems and their component systems have contracts, either formally or informally
- One side of a contract is an interface
- Interfaces account for
  - Syntax: the structure or form of the interface
  - Context: what assumptions are made about the real world?
  - Semantics: what is the meaning of the interface constituents?

Slide 3: Rich Semantics for Formal Interfaces, Overview
- Component of the Problem-Derived, World-Situated Machine Model discussed on Tuesday
- Based on formally described real-world and machine-world types
- Formal description of
  - What a system can guarantee (post-conditions)
  - What a system can assume (pre-conditions)
- Dependent on formal correspondence between real-world and machine-world types

Slide 4: Outline
- Motivating example
- Real-World Types
- Formal Correspondence
- Interface Guarantees
- Interface Assumptions
- Interface Matching

Slide 5: Liquid Tank Example
[Figure: a single-input, single-output (SISO) liquid tank. Labeled elements: Valve, Pump, Controller, two Sensors (sensor high, sensor low), Alarm. Labeled heights, from top to bottom: overflow height, max height, sensor high, sensor low, min height, underflow height.]

Slide 6: Real-World Types
- In the real world, phenomena have contexts and semantics, for example
  - Dimensionality (e.g., length, mass, time)
  - Units (e.g., m or ft)
  - Reference frame
  - Accuracy
  - Latency
- May be general (e.g., pressure) or specific (e.g., static pressure at the right-side static-pressure port)

Slide 7: Why Real-World Types Matter
- Consider aircraft state: [x, y, z, vx, vy, vz, φ, θ, ψ, p, q, r]
- Many important details:
  - Semantics
  - Units
  - Reference frames
- As domain experts, you know what these are
- Software developers responsible for implementing the system probably do not

Slide 8: Why Real-World Types Matter (continued)
- Consider aircraft state: [x, y, z, vx, vy, vz, φ, θ, ψ, p, q, r]
- The underlying real-world types matter to the control law
- How does the architecture/software represent these?
  - IEEE floating point
  - Arrays
- How should the architecture/software represent these?
  - Distances & velocities
  - Angles & rates
  - with reference frames!
- The type system should support the application

Slide 9: Tank System, Simulink Model with Real-World Types
[Figure: Simulink model of the tank system; the diagram itself is not recoverable from the text.]
- Uses real-world dimensionality that can be statically verified
- Could also include more realistic latency information, where appropriate

Slide 10: Simulink2PVS
[Figure: tool flow. Simulink Models (with real-world types) go into Simulink2PVS, which produces a PVS Specification (from the model) and PVS Properties (from Assert blocks). Together with the PVS Measurement Theories, these are fed to PVS, which produces the PVS Proofs.]
- Simulink model blocks/lines are marked with units
- Simulink2PVS parses the model to create a PVS specification corresponding to the model and to generate formal properties
- Specialized PVS theories specify what real-world operations are allowed
- PVS uses all of this information to implicitly perform dimensional analysis while proving that the model has the desired properties

Slide 11: Tank Controller
[Figure: Simulink diagram. Input ports 1 "Liquid at High Threshold" and 2 "Liquid at Low Threshold" feed the Tank1Controller block (inputs high, low, pump, valve; outputs pump1, valve1). pump1 and valve1 pass through unit-delay blocks "Pump Delay" and "Valve Delay" (z^-1) to output ports 1 ("Pump State") and 2, and are fed back to the pump and valve inputs of the controller.]

    function [pump1, valve1] = Tank1Controller(high, low, pump, valve)
    %#codegen
    % high, low : machine-world booleans, true once the liquid has reached
    %             the high / low sensor
    % pump, valve: the previous commands, fed back through the delay blocks
    if (high)
        pump1 = false;    % liquid at the high sensor: stop the pump, drain
        valve1 = true;
    elseif (~low)
        pump1 = true;     % liquid below the low sensor: fill, keep valve shut
        valve1 = false;
    else
        pump1 = pump;     % between the sensors: hold the previous state
        valve1 = valve;
    end

- Controller only deals with machine-world information
- Although it still contains latencies

Slide 12: Machine-World Types
- Fundamental parameters of machine-world types (these must be captured)
  - Representation
  - Range
  - Permissible operations on the type
- Always associated with a real-world type (this association must also be captured)
- Always highly specific

Slide 13: Types & Correspondence, Phase I Foundation
[Figure: two columns joined by a correspondence model.
Real World: continuous math (infinite sets, real analysis, limit calculus, differential equations, continuous functions); an Entity, for example aircraft state, with many important details: semantics, units, reference frames.
Machine World: discrete math (finite sets, set theory, predicate calculus, propositional calculus, discrete functions); a Component with interfaces & connections, for example IEEE floating point, with parameters based on properties of the machine: representation, range, permissible operations.
Correspondence Model, between the two: natural-language explication, real-world semantics, machine semantics, approximation mapping, type rules.]
- We need a way to bind the real-world semantics to the machine-world representation
- The correspondence model makes the type system support the application
- Machine-world types originated in the machine and the type rules are all about the machine

Slide 14: Interface Guarantee Example
- Tank system guarantees that flow rate is bounded between rate_low and rate_high, when in CORRECT_NORMAL mode
- Flow rate is formally defined to include dimensionality constraints of volume per time
- Specification of system functionality contains real-world information including dimensionality, units, latency, and accuracy

    % predicate declared first, since PVS requires declaration before use
    bounded_flow_rate(siso_state: siso_system.state_type): bool =
      (siso_state`flow_rate <= flow_rate_high) AND
      (siso_state`flow_rate >= flow_rate_low)

    flow_rate_is_bounded: LEMMA
      FORALL (siso_state: siso_system.state_type):
        siso_state`mode = CORRECT_NORMAL =>
          bounded_flow_rate(siso_sys(siso_state))
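The real-world type rules the slides describe (addition only between equal dimensions, multiplication and division combining exponents, units resolved before comparison) and the flow-rate guarantee above, as an added example that is not code from the talk or from the Simulink2PVS tool. The unit table, the bound values for rate_low/rate_high and the SisoState record are assumptions made for this example; the PVS lemma checks the successor state siso_sys(siso_state), which is simplified here to a runtime check on the given state.

```python
from dataclasses import dataclass
from fractions import Fraction as F
from typing import Dict, Tuple

Dim = Tuple[Tuple[str, int], ...]   # sorted (base dimension, exponent) pairs

# Units known to this toy real-world type system: unit -> (dimension, scale to SI).
# Exact fractions keep the bookkeeping free of floating-point noise.
_UNITS: Dict[str, Tuple[Dict[str, int], F]] = {
    "m":   ({"length": 1}, F(1)),
    "ft":  ({"length": 1}, F(3048, 10000)),
    "L":   ({"length": 3}, F(1, 1000)),   # litre = 1e-3 m^3
    "s":   ({"time": 1},   F(1)),
    "min": ({"time": 1},   F(60)),
}


class DimensionError(TypeError):
    """An operation would combine real-world types of different dimension."""


def _norm(exps: Dict[str, int]) -> Dim:
    return tuple(sorted((b, e) for b, e in exps.items() if e != 0))


@dataclass(frozen=True)
class Quantity:
    """A real-world value: magnitude in SI plus its dimension.

    Units are resolved to SI when a Quantity is built, so lengths given in m
    and ft add and compare correctly; the dimension is what the type rules check."""
    si: F
    dim: Dim

    def _same_dim(self, other: "Quantity", op: str) -> None:
        if self.dim != other.dim:
            raise DimensionError(f"cannot {op} {self.dim} and {other.dim}")

    def __add__(self, other: "Quantity") -> "Quantity":
        self._same_dim(other, "add")          # rule: addition needs equal dimensions
        return Quantity(self.si + other.si, self.dim)

    def __sub__(self, other: "Quantity") -> "Quantity":
        self._same_dim(other, "subtract")
        return Quantity(self.si - other.si, self.dim)

    def _combine(self, other: "Quantity", sign: int) -> Dim:
        exps = dict(self.dim)                 # rule: multiplication adds exponents
        for base, e in other.dim:
            exps[base] = exps.get(base, 0) + sign * e
        return _norm(exps)

    def __mul__(self, other: "Quantity") -> "Quantity":
        return Quantity(self.si * other.si, self._combine(other, +1))

    def __truediv__(self, other: "Quantity") -> "Quantity":
        return Quantity(self.si / other.si, self._combine(other, -1))

    def __le__(self, other: "Quantity") -> bool:
        self._same_dim(other, "compare")      # rule: ordering needs equal dimensions
        return self.si <= other.si

    def __ge__(self, other: "Quantity") -> bool:
        self._same_dim(other, "compare")
        return self.si >= other.si


def q(value, unit: str) -> Quantity:
    """Build a Quantity from a magnitude and one of the known units."""
    exps, scale = _UNITS[unit]
    return Quantity(F(value) * scale, _norm(exps))


# The guarantee from the slide as a runtime check. The bound values are
# constructed for this example; the slides name rate_low/rate_high only.
FLOW_RATE: Dim = _norm({"length": 3, "time": -1})     # volume per time
flow_rate_low = q(2, "L") / q(1, "min")
flow_rate_high = q(20, "L") / q(1, "min")


@dataclass
class SisoState:
    mode: str              # machine-world mode, e.g. "CORRECT_NORMAL"
    flow_rate: Quantity    # real-world typed output of the tank system


def bounded_flow_rate(state: SisoState) -> bool:
    """Counterpart of the PVS predicate; the dimension check is what the PVS
    measurement theories enforce statically."""
    if state.flow_rate.dim != FLOW_RATE:
        raise DimensionError("flow_rate must have dimension volume per time")
    return flow_rate_low <= state.flow_rate <= flow_rate_high


def flow_rate_is_bounded(state: SisoState) -> bool:
    """Runtime form of the lemma: CORRECT_NORMAL mode implies a bounded flow rate
    (checked on the given state, not on siso_sys(state) as the PVS lemma does)."""
    return state.mode != "CORRECT_NORMAL" or bounded_flow_rate(state)
```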

Slide 15: Liquid Tank Example
[Figure: the SISO liquid tank diagram of slide 5, shown again (valve, pump, controller, high/low sensors, alarm; overflow, max, sensor high, sensor low, min and underflow heights).]

Slide 16: Interface Assumption Example
- Guarantee that flow rate is bounded between rate_low and rate_high assumes state of the system is in CORRECT_NORMAL mode.
- This real-world assumption requires:
  - Machine-world state is in NORMAL mode
  - Tank has no cracks
  - Sensors are working as designed
  - Valve and pump are working as designed
(The PVS lemma flow_rate_is_bounded and predicate bounded_flow_rate are the ones shown on slide 14.)
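Why the contract needs these assumptions, as an added example that is not from the talk: a closed-loop simulation of the tank of slides 5 and 11 in which the real-world level (a Fraction in metres) is mapped to the two machine-world sensor booleans, the controller logic of slide 11 is applied, and the Pump Delay / Valve Delay blocks are modelled as a one-step actuator latency. All heights and rates are constructed for this example; the slides give no numbers. With the sensors working as designed, the level stays between the underflow and overflow alarms; with the high sensor stuck, the guarantee fails.

```python
from fractions import Fraction as F
from typing import Callable, Tuple

# Real-world geometry of the hypothetical tank, in metres. All values are
# constructed for this example; the slides give no numbers.
H_UNDERFLOW = F(2, 10)    # alarm: below this the tank runs dry
H_LOW       = F(5, 10)    # height of "sensor low"
H_HIGH      = F(15, 10)   # height of "sensor high"
H_OVERFLOW  = F(18, 10)   # alarm: above this the tank spills
PUMP_RATE   = F(1, 10)    # level gained per step while the pump runs
VALVE_RATE  = F(1, 10)    # level lost per step while the valve is open

Sensors = Callable[[F], Tuple[bool, bool]]


def tank1_controller(high: bool, low: bool, pump: bool, valve: bool) -> Tuple[bool, bool]:
    """Same logic as the slide's MATLAB Tank1Controller: drain once the liquid
    reaches the high sensor, fill once it drops below the low sensor, otherwise
    hold the previous (fed-back) pump/valve state."""
    if high:
        return False, True
    if not low:
        return True, False
    return pump, valve


def ideal_sensors(h: F) -> Tuple[bool, bool]:
    """Correspondence between the real-world level and the two machine-world
    booleans: a sensor reads True once the liquid has reached its height."""
    return h >= H_HIGH, h >= H_LOW


def stuck_high_sensor(h: F) -> Tuple[bool, bool]:
    """Breaks the assumption 'sensors are working as designed': the high sensor
    never trips, so the controller never sees the high threshold."""
    return False, h >= H_LOW


def latency_margins_ok() -> bool:
    """The guarantee needs real-world margin for the one-step actuator latency:
    the level can rise to just under H_HIGH + 2*PUMP_RATE before the pump
    actually stops (one step to sense, one step for Pump Delay), and can fall
    to H_LOW - 2*VALVE_RATE before the valve closes."""
    return (H_HIGH + 2 * PUMP_RATE <= H_OVERFLOW
            and H_LOW - 2 * VALVE_RATE > H_UNDERFLOW)


def simulate(sensors: Sensors, h0: F, steps: int = 60) -> Tuple[F, F, bool]:
    """Run the closed loop and report (lowest level, highest level, stayed within
    the underflow/overflow alarms). Pump Delay / Valve Delay are modelled by
    applying a command one step after the controller issues it."""
    h = h0
    act_pump, act_valve = True, False      # actuator state when the run begins
    h_min = h_max = h
    for _ in range(steps):
        high, low = sensors(h)             # machine-world view of the level
        cmd_pump, cmd_valve = tank1_controller(high, low, act_pump, act_valve)
        # the plant still sees the previous actuator state during this step
        h += (PUMP_RATE if act_pump else 0) - (VALVE_RATE if act_valve else 0)
        act_pump, act_valve = cmd_pump, cmd_valve   # the z^-1 delay blocks
        h_min, h_max = min(h_min, h), max(h_max, h)
    return h_min, h_max, H_UNDERFLOW < h_min and h_max < H_OVERFLOW
```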

Slide 17: Interface Matching
[Figure: packets flow from a Transmitter to a Receiver. Each side's interface has a PVS representation; a matching lemma between the two representations is discharged by a PVS proof.]

    Field         Transmitter   Receiver
    Packet Size   16 bits       16 bits
    Rate          2 Hz          1 Hz
    Latency       500 ms        1 s
    Error         None          None

- The interface description is a subset of the real-world information
- Matching lemma: receiver rate is no higher, receiver latency is no lower, other values are equal
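The matching lemma of this slide as an executable check, an added example that is not the talk's PVS code: each side's description is normalised to SI before comparison, so the transmitter's 500 ms latency is correctly found to be lower than the receiver's 1 s rather than the other way round. The field names, the unit tables and the "bad" receiver in the test are assumptions for this example.

```python
from fractions import Fraction as F
from typing import Dict, List

# Scale factors to SI for the units that appear in the interface descriptions
# (the descriptions carry a subset of the real-world information: units, rate, latency).
_TIME_S: Dict[str, F] = {"ms": F(1, 1000), "s": F(1), "min": F(60)}
_RATE_HZ: Dict[str, F] = {"Hz": F(1), "kHz": F(1000)}


def _field(text: str, table: Dict[str, F]) -> F:
    """'500 ms' -> Fraction(1, 2); an unknown unit is a type error, not a guess."""
    number, unit = text.split()
    if unit not in table:
        raise TypeError(f"unit {unit!r} not allowed in this field")
    return F(number) * table[unit]


def interface(spec: Dict[str, str]) -> Dict[str, object]:
    """Normalise one side's interface description to SI so the two sides compare."""
    return {
        "packet_size_bits": int(spec["Packet Size"].split()[0]),
        "rate_hz": _field(spec["Rate"], _RATE_HZ),
        "latency_s": _field(spec["Latency"], _TIME_S),
        "error": spec["Error"],
    }


def matching_violations(tx: Dict[str, object], rx: Dict[str, object]) -> List[str]:
    """The slide's matching lemma as a check that lists every violated condition
    (an empty list means the interfaces match): receiver rate no higher than the
    transmitter's, receiver latency no lower, all other values equal."""
    violations = []
    if rx["rate_hz"] > tx["rate_hz"]:
        violations.append("receiver rate is higher than transmitter rate")
    if rx["latency_s"] < tx["latency_s"]:
        violations.append("receiver latency is lower than transmitter latency")
    if rx["packet_size_bits"] != tx["packet_size_bits"]:
        violations.append("packet sizes differ")
    if rx["error"] != tx["error"]:
        violations.append("error models differ")
    return violations


# The two interfaces from the slide.
TRANSMITTER = interface({"Packet Size": "16 bits", "Rate": "2 Hz",
                         "Latency": "500 ms", "Error": "None"})
RECEIVER = interface({"Packet Size": "16 bits", "Rate": "1 Hz",
                      "Latency": "1 s", "Error": "None"})
```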

Slide 18: Conclusion
- Rich Semantics for Interfaces rely on
  - Appropriate representation of real-world types
    - Context
    - Semantics
  - Assumptions that a system can rely on
  - Guarantees about what the system will do
  - Correspondence model between machine-world and real-world types
- Real-World Contracts rely on verification of two interfaces

Slide 19: Questions?