IIST and UNU - UNU-IIST - United Nations University
Case study: the Gas Burner 16
Figure 3(b) illustrates the refinement of the basic patterns. The grey area indicates the requirements, while the dark area (contained in the grey area) illustrates the TLA design.
The following law is a generalisation of Law 12 for general functional restrictions.
Law 13 If ℓ ≤ f(ℓ) for any ℓ ≤ b, f(ℓ) > b for any ℓ > b, and c ≥ sup_{ℓ>b} (ℓ − f(ℓ)) / ⌊f(ℓ)/b⌋, then
□(∫p ≤ f(ℓ)) ⊇ 〈[0, b] ↑ p ↓ [c, ∞]〉.
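The premises of Law 13 can be checked numerically against the pattern they license. The following Python script is an added example, not code from the report. It assumes a reading of 〈[0, b] ↑ p ↓ [c, ∞]〉 that the page does not spell out (p-phases of length at most b, each followed by a ¬p-phase of length at least c), works in integer time units, and uses function names of its own (`law13_gap_bound`, `worst_case_trace`, `max_leak_over_windows`, `refines`). It evaluates the bound on c from the law for the gas-burner requirement of Section 5 (at most 4 time units of leak in any window of up to 30) and then confirms by brute force, over every window length, that the tightest schedule the pattern allows meets the requirement exactly when c reaches that bound.

```python
from math import ceil, floor, inf

# Assumed reading of <[0, b] ↑ p ↓ [c, ∞]> (not stated on this page): p holds for
# phases of length at most b, separated by ¬p phases of length at least c.


def law13_gap_bound(f, b, max_len):
    """Right-hand side of Law 13's third premise, sup_{l > b} (l - f(l)) / floor(f(l)/b),
    evaluated on integer interval lengths l in (b, max_len]. The first two premises
    are checked on the same grid and raise if violated. Lengths the requirement does
    not constrain (f(l) == inf) are skipped."""
    for l in range(1, b + 1):
        if not l <= f(l):
            raise ValueError(f"premise 1 fails: f({l}) < {l}")
    best = 0.0
    for l in range(b + 1, max_len + 1):
        if f(l) == inf:
            continue
        if not f(l) > b:
            raise ValueError(f"premise 2 fails: f({l}) <= b")
        best = max(best, (l - f(l)) / floor(f(l) / b))
    return best


def worst_case_trace(b, c, horizon):
    """Tightest schedule the pattern allows, in unit steps: b steps of p (1), then
    c steps of ¬p (0), repeated until `horizon` steps have been produced."""
    if b + c == 0:
        raise ValueError("b + c must be positive")
    period = [1] * b + [0] * c
    trace = []
    while len(trace) < horizon:
        trace.extend(period)
    return trace[:horizon]


def max_leak_over_windows(trace, L):
    """Largest ∫p over any window of exactly L consecutive steps (sliding sum)."""
    cur = sum(trace[:L])
    best = cur
    for i in range(L, len(trace)):
        cur += trace[i] - trace[i - L]
        best = max(best, cur)
    return best


def refines(f, b, c, max_len):
    """True iff the worst-case schedule of <[0, b] ↑ p ↓ [c, ∞]> satisfies
    □(∫p ≤ f(ℓ)) for every window length ℓ in 1..max_len."""
    trace = worst_case_trace(b, c, horizon=3 * max_len + b + c)
    return all(max_leak_over_windows(trace, L) <= f(L) for L in range(1, max_len + 1))


def gas_burner_requirement(L):
    """f for 'at most 4 units of leak in every 30 units': constant 4 on windows of
    length up to 30, unconstrained (inf) beyond, so only lengths ℓ ≤ 30 matter."""
    return 4 if L <= 30 else inf


if __name__ == "__main__":
    f = gas_burner_requirement
    for b in (1, 2):  # maximal length of one leaking phase
        c = law13_gap_bound(f, b, 30)
        ok = refines(f, b, ceil(c), 30)
        too_short = refines(f, b, ceil(c) - 1, 30)
        print(f"b={b}: Law 13 needs c >= {c}; c={ceil(c)} refines: {ok}; "
              f"c={ceil(c) - 1} refines: {too_short}")
```

With b = 2 the bound is 13: two 2-unit leaks fit in a 30-unit window only if the pause between them is at least 13, and a pause of 12 lets a third leak in, which the brute-force check reports as a violation.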
5 Case study: the Gas Burner
The Gas Burner problem was first stated in [13] and has been a standard example of hybrid system design. A gas burner can be in any of the states idle, purging (waiting for the leaked gas to disperse), attempting to ignite, monitoring the flame while igniting, or burning after a successful ignition. There is no leak while idling or purging, but there is always a leak during any attempt at ignition before burning. In this paper we consider a more challenging version of the example, in which the burning phase may also leak because of possible disturbance from the environment (see [10]).
The main requirement is to ensure that the total gas leak in every 30 seconds does not exceed 4 seconds. This can be neatly specified in Duration Calculus as follows:
□(ℓ ≤ 30 ⇒ ∫Leak ≤ 4).
Our treatment of this problem consists of several hierarchical steps of automaton decomposition. This process may be viewed as "refinement", since each step corresponds to a reduction of nondeterminism. Conversely, if the target automaton is constructed and model-checked first, the reversed process can be used to establish the link between the checked model and the original specification for verification purposes.
We first decompose the original requirement into burning and non-burning phases generated by a cyclic automaton. For simplicity we intend to use the 2-segment refinement Law 11, and thus need to construct a slow automaton that takes at least 30 seconds to change state. Since the original specification is in a special form, we need to consider only intervals of length 30, and choose g(·) and h(·) (to characterise the amount of leak) such that for any t₀ and t₁, if t₀ + t₁ = 30 then g(t₀) + h(t₁) ≤ 4. For convenience, we choose g(t) ≙ B₁ ⊳ t ∈ [B₁, 30] ⊲ ℓ and h(t) ≙ B₂ ⊳ t ∈ [B₂, 30] ⊲ ℓ. We now obtain our first refinement (illustrated in Figure 5):
□(ℓ ≤ 30 ⇒ ∫Leak ≤ 4)
⊇
□(ℓ ≤ 30 ⇒ ∫Leak ≤ B₁) ⊳ Burn ⊲ □(ℓ ≤ 30 ⇒ ∫Leak ≤ B₂)
∧ 〈[a, ∞] ↑ Burn ↓ [b, ∞]〉
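The side condition on the split, g(t₀) + h(t₁) ≤ 4 whenever t₀ + t₁ = 30, can be checked directly for candidate budgets B₁ and B₂. The following Python snippet is an added example, not code from the report; it reads the ℓ in the else-branch of g and h as the length t of the segment itself (an assumption), evaluates the split on integer split points (sufficient for integer B₁, B₂, since the sum is piecewise linear with breakpoints at B₁ and 30 − B₂), and uses its own function names (`worst_split_leak`, `decomposition_ok`).

```python
WINDOW = 30   # interval length fixed by the requirement
BUDGET = 4    # leak allowed in one such interval


def g(t, B1):
    """g(t) ≙ B1 ⊳ t ∈ [B1, 30] ⊲ ℓ: worst leak in a burning segment of length t.
    Assumption: ℓ in the else-branch is the segment length t itself."""
    return B1 if B1 <= t <= WINDOW else t


def h(t, B2):
    """h(t) ≙ B2 ⊳ t ∈ [B2, 30] ⊲ ℓ: worst leak in a non-burning segment of length t."""
    return B2 if B2 <= t <= WINDOW else t


def worst_split_leak(B1, B2):
    """max over t0 + t1 = 30 of g(t0) + h(t1), on integer split points t0 = 0..30."""
    return max(g(t0, B1) + h(WINDOW - t0, B2) for t0 in range(WINDOW + 1))


def decomposition_ok(B1, B2):
    """True iff every split of a 30-second window respects the 4-second budget."""
    return worst_split_leak(B1, B2) <= BUDGET


if __name__ == "__main__":
    for B1, B2 in ((2, 2), (1, 3), (3, 2)):
        print(f"B1={B1}, B2={B2}: worst split leak {worst_split_leak(B1, B2)}, "
              f"ok={decomposition_ok(B1, B2)}")
```

The worst split places both segments above their thresholds, so the maximum is B₁ + B₂ whenever B₁ + B₂ ≤ 30; the budgets are therefore admissible exactly when B₁ + B₂ ≤ 4.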
Report No. 301, UNU-IIST, P.O. Box 3058, Macau