AltaRica A Formal Language for Event Oriented Modeling A. Rauzy IML/CNRS & ARBoost Technologies Marseilles, France
Contents I.Introductory Examples II.Motivations III.Formal Model IV.Tools V.Examples of Use VI.Perspectives
Contents I.Introductory Examples II.Motivations III.Formal Model IV.Tools V.Examples of Use VI.Perspectives
A repairable component node component state s: {working,failed,repair}; event failure, startRepair, endRepair; trans (s=working) |- failure -> s:=failed (s=failed) |- startRepair -> s:=repair; (s=repair) |- endRepair -> s:=working; init s:=working edon
A Valve node valve state closed:bool; flow input:float:in; output:float:out; event open, close; trans closed |- open -> closed:=false; not closed |- close -> closed:=true; init closed := true; assert output = if closed then 0 else input; edon
Two Valves in Series node twoValves flow input:float:in; output:float:out; sub A:valve, B:valve; assert A.input = input, B.input = A.output, output = B.output; edon
A repairable component and its repairer node repairableSystem event startRepair, endRepair; sub C:component, R:repairer; sync startRepair = C.startRepair and R.startJob, endRepair = C.endRepair and R.endJob; edon
Contents I.Introductory Examples II.Motivations III.Formal Model IV.Tools V.Examples of Use VI.Perspectives
Motivations: Reliability Engineering Target systems: nuclear power plants, chemical plants, avionic systems, … Assess the risk and its consequences: what can go wrong ? what is the expectation that something goes wrong ? what are the consequences ?
Motivations: Reliability Enginering Analyses: Determination of failure scenarii Assessment of failure probability Ranking of components with respect to their contribution to the risk
Motivations: Reliability Engineering Classical formalisms (Fault Trees, Markov Graphs, Petri Nets) –Well defined semantics –Easy to handle –Textual and graphical –Good tradeoffs expressivity/efficiency … but Lack of structure (PN, MG) or Lack of expressivity (FT) Models are hard to design and to maintain
The AltaRica Project AltaRica: a high level formal description language based on the notion of mode automata compilation into low level formalisms (efficiency) synergy with formal methods (e.g. model checking)
System Analysis Dynamic Systems/Simulation: Differential Equations e.g. Modelica Code generation: Data-Flow models e.g. State Charts, Lustre Reliability Engineering: Event driven models, non-determinism e.g. Fault Trees, Petri nets, AltaRica
Contents I.Introductory Examples II.Motivations III.Formal Model IV.Tools V.Examples of Use VI.Perspectives
Mode Automata s=1 t=0 s=1 t=0 s=0 t=1 mode event : g(S,I) |- e -> S:=f(S,I) [Marininchi98, Rauzy02] A = S: state variables I: input variables O: output variables E: events : transitions : transfer function : initial state O = (S,I) IOS
Algebra of Mode Automata ProductConnection Synchronization of events Operations on mode automata Synchronization G1 |- e1 -> S1:=f1 G2 |- e2 -> S2:=f2 G3 |- e3 -> S2:=f3 e = e1 and (e2 or e3) G1 and (G2 or G3) |- e -> S1 := if G1 then f1 else S1 S2 := if G2 then f2 else S2 S3 := if G3 then f3 else S3 fire the fireable local transitions
Two Valves in Series node twoValves flow input:float:in; output:float:out; sub A:valve, B:valve; assert A.input = input, B.input = A.output, output = B.output; edon
A repairable component and its repairer node repairableSystem event startRepair, endRepair; sub C:component, R:repairer; sync startRepair = C.startRepair and R.startJob, endRepair = C.endRepair and R.endJob; edon
Mode Automata: External View View Time schedule traces mode
Mode Automata … generalize fault trees, Markov graphs, Petri nets (P1>0) and (P2=0) |- T -> P1:=P1-1, P3:=P3+2; P3 P1 P2 T 2 remote interactions … generalize block-diagrams … make it possible to define hierarchies, packages, …
Categories of Events Timed events: take a non null time Stochastic events (default) Probability distributions with parameters (exponential, Weibull,...) Dirac events Instaneous events: take no time and may have a priority Immediate events Conditional events
A Spare Unit
A Periodically Tested Component
The Extern Clause The role of the extern clause is: to give some interpretation to the model, e.g. priorities to transitions, probability distributions to events, to give tools a specific information, to provide some mechanism to extend the language. In AltaRica Data-Flow, the syntax of the extern clause is normalized: node … extern law = exponential(0.001) ; parameter lambda = 0.001; … edon type of the information specified element value
Commutation of the syntax and the semantics node System sub A:Component, B.Component, R:RepairMen … edon node S state A.s, B.s, R.s; … edond syntactic composition reachability graphs reachability graph synchronized product
Contents I.Introductory Examples II.Motivations III.Formal Model IV.Tools V.Examples of Use VI.Perspectives
Tools Workbenches Powerful graphical user interfaces for the design of models Graphical simulators OCAS (Dassault Aviation), SimFia (EADS-APSYS), Saraa (Airbus) Assessment tools Compilers to Fault Trees Compilers to Markov Graphs Stochastic simulators Generators of sequences Compilers to formal languages (Lustre, SMV) Model-Checkers AltaTools, Mec V (LaBRI), Combava (ARBoost Technologies)
Combava: an AltaRica Data-Flow Toolbox node Cmp state s: … edon AltaRica Data-Flow Fault Trees alta-a2b Aralia Markov Graphs alta-mrk Mark-XPR Monte-Carlo simulation alta-sto Generation of sequences, model checking alta-seq Stepwise simulation alta-sim
Contents I.Introductory Examples II.Motivations III.Tools IV.Formal Model V.Examples of Use VI.Perspectives
Models Designed So Far 3 categories of models Functional models Mainly academic (Bordeaux) -> model checking Simple and huge dysfunctional models (~ bloc diagrams), e.g. Dassault F7X, … Compilation into fault trees Treatment chain validated by certification authorities Complex but (relatively) small models, e.g. Total, Production availability, High integrity protection systems Markov analyses, Monte-Carlo simulation
Production Availability HPS-A HPS-B HPS-C DEH-A DEH-B CMP-A CMP-B MUP 45% 65% 52% 100% HPS DEH CMP MUP0.001 well tank
Markov Analyses AltaRica model alta-a2g Multi Phase Markov models with rewards command fileMark-XPR Steady state probability Transient probability Mean sojourn time Expectation of any quantity defined on states
Generation of (relevant) sequences AltaRica Automaton Sequence automaton alta-seqsequences automaton mySequences s1: #l not failed : s1; s1: #l failed : s2; init s1 : #l := 1; accept s2; end Model-checking: same automata with a Büchi acceptance criterion
Contents I.Introductory Examples II.Motivations III.Tools IV.Formal Model V.Examples of Use VI.Perspectives
Perspectives Find the “good” states/events formalism for reliability studies sound mathematical basis graphical representation generalization of currently used formalisms looped systems hierarchy algorithmic & complexity issues (tradeoff) connection with functional models hybrid systems higher level modeling
Motivations Find the “good” states/events formalism for reliability studies sound mathematical basis graphical representation generalization of currently used formalisms looped systems hierarchy algorithmic & complexity issues (tradeoff) connection with functional models hybrid systems higher level modeling These issues are well addressed by current version(s) of AltaRica
Motivations sound mathematical basis graphical representation generalization of currently used formalisms looped systems hierarchy algorithmic & complexity issues (tradeoff) connection with functional models hybrid systems higher level modeling Find the “good” states/events formalism for reliability studies
Higher Level Modeling Need for Connection to external routines Structured types Parametric descriptions High level operations … and even object oriented modeling Extension of the language
Motivations Find the “good” states/events formalism for reliability studies sound mathematical basis graphical representation generalization of currently used formalisms looped systems hierarchy algorithmic & complexity issues (tradeoff) connection with functional models hybrid systems higher level modeling
Normalized Graphics Simple mode automata Petri nets Hierarchical descriptions Interaction diagrams
Motivations Find the “good” states/events formalism for reliability studies sound mathematical basis graphical representation generalization of currently used formalisms looped systems hierarchy algorithmic & complexity issues (tradeoff) connection with functional models hybrid systems higher level modeling
Electric Nets
Motivations Find the “good” states/events formalism for reliability studies sound mathematical basis graphical representation generalization of currently used formalisms looped systems hierarchy algorithmic & complexity issues (tradeoff) connection with functional models hybrid systems higher level modeling
Hybrid Systems Mixing discrete events and continuous variation, e.g. temperature controller
Motivations sound mathematical basis graphical representation generalization of currently used formalisms looped systems hierarchy algorithmic & complexity issues (tradeoff) hybrid systems higher level modeling connection with functional models Find the “good” states/events formalism for reliability studies
From functional to dysfunctional analyses Sensors Command automaton [e.g. state chart] Sensors may be subject to different failure modes How failures of sensors impact the command? How to derive the dysfunctional model from the functional model? Don’t expect a silver bullet !
Architecture
Industrial Perspectives Airbus (Rosas, A350) Dassault Systems (Catia System) ClearSy (Atelier B)