Verifying transformations between timed automata specifications and ECA rules


Verifying transformations between timed automata specifications and ECA rules

HS-IDA-MD-03-002

AnnMarie Ericsson

Submitted by AnnMarie Ericsson to the University of Skövde as a dissertation towards the degree of M.Sc. by examination and dissertation in the Department of Computer Science.

September 2003

I certify that all material in this dissertation which is not my own work has been identified and that no material is included for which a degree has already been conferred upon me.

Event-triggered real-time systems are desirable to use in environments where the arrival of events is hard to predict. The semantics of an event-triggered system is well mapped to the behaviour of an active database management system (ADBMS), specified using event-condition-action (ECA) rules. The benefits of using an active database, such as persistent data storage, concurrency control, timely response to event occurrences etc., highlight the need for a development method for event-triggered real-time systems using active databases.

However, there are problems left to be solved before an ADBMS can be used with confidence in real-time environments. The behaviour of a real-time system must be predictable, which implies a thoroughly analysed specification with e.g. specified worst case execution times. The predictability requirement is an obstacle for specifying real-time systems as ECA rules, since the rules may affect each other in many intricate ways which makes them hard to analyse. The interaction between the rules implies that it is not enough to verify the correctness of single rules; an analysis must consider the behaviour of the entire rule set.

In this dissertation, an approach for developing active applications is presented. A method is examined which starts with an analysed high-level timed automaton specification and transforms the specified behaviour into an implicitly analysed rule set. For this method to be useful, the transformation from timed automata to rules must preserve the exact behaviour of the high level specification. Hence, the aim of this dissertation is to verify transformations between timed automaton specifications and ECA rules.

The contribution of this project is a structured set of general transformations between timed automata specifications and ECA rules. The transformations include both transformations of small timed automata constructs for deterministic environments and formally verified timed automata patterns specifying the behaviour of composite events in recent and chronicle context.

1 Introduction . . . 1
1.1 ECA rules versus timed automata . . . 1
1.2 Project approach . . . 3
1.3 Results . . . 4
1.4 Outline of this project . . . 4
2 Background . . . 6
2.1 Real-time systems . . . 6
2.1.1 Event-triggered versus time-triggered systems . . . 7
2.1.2 Real-time databases . . . 8
2.2 Active databases . . . 9
2.2.1 ECA rules . . . 10
2.2.2 Composite events . . . 11
2.2.3 Event consumption policies . . . 12
2.2.4 Execution model . . . 15
2.3 Active applications . . . 17
2.3.1 Termination . . . 17
2.3.2 Confluence . . . 19
2.4.1 Proof of correctness . . . 21
2.4.2 Benefits of formal methods . . . 22
2.4.3 Formal schema for composite events . . . 22
2.4.4 Finite-state machines and Finite automata . . . 26
2.4.5 Timed automaton . . . 29
2.4.6 Uppaal . . . 31
2.5 Timed automata to ECA rules . . . 34
3 Problem description . . . 37
3.1 Active real-time database applications . . . 37
3.2 Deriving active rules from timed automata . . . 38
3.3 Aim and objectives . . . 40
3.4 Limitation of project scope . . . 42
4 Method . . . 43
4.1 Generalize transformations and identify limitations of transformations . . . 43
4.2 Specify composite events in timed automata . . . 44
4.3 Formally verify equivalence of semantics . . . 46
5 Verify transformations . . . 48
5.1 Generalize transformations and identify limitations of transformations . . . 48
5.1.1 Enter state . . . 49
5.1.2 Transition assignments . . . 50
5.1.3 Guards . . . 51
5.1.4 Time constraints . . . 53
5.2 Specifying patterns in timed automata . . . 66
5.2.1 Conjunction . . . 66
5.2.2 Disjunction . . . 73
5.2.3 Sequence . . . 75
5.3 Equivalence of semantics . . . 79
5.3.1 Assumptions . . . 80
5.3.2 Chronicle Context Predicate . . . 81
5.3.3 Operator predicate . . . 84
5.3.4 Verifying conjunction pattern . . . 85
5.3.5 Verifying disjunction pattern . . . 95
5.3.6 Verifying sequence pattern . . . 99
6 Analysis . . . 107
6.1 General transformations . . . 107
6.1.1 Transforming constructs of timed automata from a deterministic environment . . . 107
6.1.2 Limitations of transformations . . . 109
6.1.3 Prerequisite for transformations . . . 111
6.2 Composite events specified in timed automata . . . 111
6.2.1 Applicability of timed automata patterns . . . 112
6.2.2 Specification and implementation issues . . . 113
6.3 Formally verify equivalence of semantics . . . 114
6.3.1 Choice of formal notation . . . 114
6.3.2 Equivalence of behaviour . . . 115
7.1 Project summary . . . 121
7.2 Discussion . . . 122
7.2.1 High level specification . . . 122
7.2.2 Transformation issues . . . 123
7.2.3 Resulting rule set . . . 124
7.3 Project conclusion . . . 127
7.4 Contributions . . . 128

1 Introduction

Event triggered real-time systems, which are exposed to sporadic and aperiodic event occurrences, may take advantage of the ability to handle reactive behaviour in an active database management system (ADBMS). In traditional database systems, the semantics of monitoring changes in the database is distributed, replicated and hidden in different applications using the database. In contrast, the reactive behaviour of an ADBMS is moved from the applications into the ADBMS, making it possible to monitor and react to specific event occurrences in a centralized and timely manner (Paton & Diaz 1998).

1.1 ECA rules versus timed automata

The behaviour of an active database is often specified as a set of low-level executable ECA (Event, Condition, Action) rules, where an event triggers an action if a certain condition is true. However, the ability to specify a large real-time system, with high predictability requirements, using the ECA rule paradigm is limited due to the difficulty of analyzing the behaviour of a large rule set.

with each other in many intricate ways. An executing rule may for example trigger another rule, which updates some data objects that in turn cause the original rule to be triggered. Behaviours like this can form an infinite loop of cascade triggering that causes a non-terminating behaviour. Another problem is to determine if the set of rules is confluent, i.e. if the outcome of simultaneously fired rules depends on the order in which the rules were executed. If the rule set is not confluent, there may be different kinds of race conditions, where the outcome of the condition evaluation (or action execution) of two simultaneously triggered rules depends on the order in which their conditions were evaluated or their actions were executed (Paton & Diaz 1998).

The difficulty of analyzing the behaviour of a set of ECA rules is an obstacle for using active databases to develop active real-time applications. Real-time systems are required to respond to external stimuli within a finite and known time-period. The correctness of a real-time system depends not only on its logical correctness, but also on the ability to meet its specified time constraints. The requirement on predictable response times is hard to fulfil as the rule base is on too low a level of abstraction to be thoroughly analyzed. There is also very limited access to CASE tools supporting the area of ECA rule development.

Since real-time systems are frequently used for monitoring and controlling objects in environments where failures may lead to a disaster, the use of formal methods is desirable in the specification phase of such systems. Formal methods are based on mathematics and the benefit of using them is that the specifications produced are unambiguous. It is also possible to prove that certain characteristics are met in the system and that the implementation of the system meets its specification. An example of a formal method which is designed to handle the modelling of real-time systems is timed automata, which is a finite automaton extended with a set of clocks (Alur & Dill 1994). If a system is specified using timed automata, it is possible to verify characteristics like absence of deadlock and that

model checking capabilities may be used for automatic verification of such characteristics. One CASE tool developed for this purpose is Uppaal (Larsen, Pettersson & Yi 1997), which also provides the possibility of graphical simulations of timed automata models.

1.2 Project approach

The desire to use active databases in real-time systems is one of the issues which highlight the need for a systematic method for developing an analysed set of active rules with predictable behaviour. Our assumption is that transforming executable ECA rules from a formally verified specification, such as timed automata, while preserving the specified behaviour during the transformation to rules, results in an implicitly analysed set of rules. This requires that the exact behaviour of the formal model is transformed; no additional behaviour that affects the operation of the system is allowed to be introduced during the transformation. It is also desirable that it is possible to reverse engineer the formal model from the rule set.

The high level aim of this project is to take advantage of an analysed formal specification and transform its behaviour into active rules. This is not a new idea; it is the same idea as transforming a C++ implementation to assembler, and the approach has been used in previous projects concerning ECA rules, for example Berndtsson, Chakravarthy & Lings (1997), who explore the ability to derive ECA rules from finite automata, and Falkenroth & Torne (1999), who have constructed a compiler for this purpose. The uniqueness of this project compared to the previous approaches is the focus on real-time systems, as well as the use of a high level specification language with the ability to express timeliness requirements.

Since constructing an entire rule compiler does not fit into the time frames of this

automata and ECA rules. Besides adding time constraints to the transformation process, the focus on real-time systems is used as an argument for limiting the scope of the target execution model in this project.

1.3 Results

The result of this project is a set of transformations from different timed automata constructs to rules. Constructs of timed automata that are hard to transform into rules are also identified and alternative solutions are suggested. To facilitate specification and transformation of composite event occurrences, the behaviour of composite events in recent and chronicle context is specified as timed automata patterns. The behaviour of composite events is also expressed as regular expressions where possible, which will facilitate the identification of a composite event in an arbitrary timed automaton specification. The timed automata patterns of composite events for chronicle context are formally verified to have the same behaviour as the composite events in the rule set for any sequence of inputs.

1.4 Outline of this project

Chapter 2 gives a background about the theories behind timed automata and active rules, as well as a brief introduction to real-time systems, active databases, formal methods, timed automata, Uppaal and DeeDS. A method for transforming rules between timed automata and ECA rules developed by Ericsson (2002) is presented as well, since the work in this project is based upon this transformation method.

In chapter 3 a problem description is given, as well as a presentation of the aim specified for this project and the objectives identified to reach this aim. In chapter 4 the method used

of the results are presented. Chapter 7 presents a summary of results, discussion around

2 Background

The following sections give the background knowledge required to understand the problem to be solved and the concepts used in the result part of this dissertation.

2.1 Real-time systems

Besides being logically correct, a real-time system must also meet its timeliness requirements. The system must be able to respond to external stimuli within a specified time period, as well as meeting requirements on possible delay times.

Depending on the consequences of missing a deadline, real-time systems may be classified into hard (hard essential and hard critical), firm and soft real-time systems. In a hard real-time system the consequences of missing a deadline are catastrophic, leading to considerable damage, e.g. loss of human lives (hard critical) or considerable economical loss (hard essential). In firm real-time systems the consequence of missing a deadline is the loss of service, and in a soft real-time system a task that has missed its deadline may still produce some value to the system (Eriksson 1997).

a system has predictable response times and is sufficiently efficient. This implies that each task in the system must have predictable and sufficient resource requirements (e.g. memory, bandwidth etc.).

2.1.1 Event-triggered versus time-triggered systems

Depending on how the system interacts with its environment, there are two main design approaches to use in the area of real-time systems (Kopetz & Verissimo 1993). In hard real-time systems, where the environment is monitored in time periods, the time triggered approach is most common. In every period the system checks the state of the environment and, depending on the current state of the environment, takes the appropriate action. The advantage of the time triggered approach is that it can be thoroughly analysed a priori. The worst case execution times of the system can be specified, resulting in a system with predictable response times on each task. The main disadvantages are that the system always allocates resources according to its specified worst case behaviour, even in cases where the average resource usage is much less, and that sporadic tasks are hard to handle. It is also the case that not all systems lend themselves to the thorough a priori analysis that is required in time-triggered systems. There may be too little knowledge about the system's behaviour a priori, for example if the system is monitoring an unpredictable environment.

The other major design approach for real-time systems is the event triggered approach, where the system is required to handle events occurring at any time. Such systems are idle (or e.g. performing some background task) waiting for an event to occur, and as an event occurs the system immediately responds to it. Event triggered systems are harder to analyse than time triggered systems, since there is an almost infinite number of possible different execution traces in event triggered systems. This makes it hard to calculate the

guarantee. The advantages of event triggered systems are that they can handle a variety of tasks whose execution order is not known a priori. In contrast to time triggered systems, they can handle overload situations without falling apart. In this dissertation, the event triggered approach is assumed as far as real-time systems are concerned.

2.1.2 Real-time databases

There are several features supplied by a database management system that are advantageous to use in real-time applications. Specifically, a database schema helps to avoid redundancy of data and its description, and transaction support ensures correctness of concurrent transaction executions and data integrity maintenance, even in the presence of failures, etc. (Ramamritham 1993).

However, real-time systems often have high predictability requirements. Their worst case execution times and resource usage must be known. Unfortunately, the use of databases adds a number of sources of unpredictability. According to Ramamritham (1993) the execution traces of transactions can depend on the data values, transactions can abort resulting in rollbacks and restarts, there may be data and resource conflicts and there may be unpredictable I/O requests.

A second problem is to keep the data in the database consistent with the controlled environment, since real-time systems are frequently used to control environments external to the system, for example robots in a factory. In such scenarios it is important that the internal state of the system is consistent with the corresponding external state of the controlled environment. Otherwise the consequences may be disastrous. Imagine for example the consequences for a system controlling a robot which moves towards an expensive target at high speed. The robot's actual distance to the target is 5 centimetres, but according to the system state the distance is 10 centimetres. The robot will probably

and the robot. This exemplifies the importance of keeping the system consistent with the environment, and that some data, for example distances, are only valid for a specific period of time. This implies that such systems have timing constraints arising from the need to continuously track the environment; however, timing constraints also arise because of the need to make data available to the controlling system for its decision making activities (Ramamritham 1993).

2.2 Active databases

Traditional database management systems (DBMS) are passive, meaning that they do not automatically react to changes in the database. In such systems a request (for example an update or a query) is only executed if it is explicitly raised by an application using the database. An active database on the other hand automatically reacts to specific changes in the system and performs some predefined action as these changes occur.

If it is desirable to use active behaviour in a passive database system, then there are two possible approaches to achieve this. Either the active semantics is implemented in each application using the database, or a polling mechanism is used to periodically check the database for changes. However, if the active behaviour is implemented in each application, the monitoring functionality is distributed, replicated and hidden among different applications. This is likely to be a problem when it comes to system maintenance. Using the polling mechanism makes it possible to represent the semantics in one single place. However, the frequency with which the database is polled is a problem here. Polling the system too often causes unnecessary load, while polling too seldom causes the risk of missing that

2.2.1 ECA rules

In an active database system the reactive behaviour is moved from the application (or polling mechanism) into the database management system. In this way the reactive behaviour is centralized and handled in a timely manner (Paton & Diaz 1998).

The behaviour of a system may be specified using active rules, described as ECA rules. ECA rules consist of up to three components: events, conditions and actions. The event part specifies the event occurrence on which the rule is triggered. The condition specifies a condition which must be true for the action to be executed, and the action part specifies which action is to be performed once the event has occurred and the condition has evaluated to true. If the event part is left out, the resulting rule is a production rule (CA), and if the condition part is missing, the resulting rule is an event-action (EA) rule.

The event part of the ECA rule may be primitive or composite. A primitive event occurrence is something that happens at a point in time and is raised by a single occurrence, for example an update in the database, a specified clock time, or an external event occurrence raised by a happening outside the database. A composite event is raised by a combination of primitive or composite events. The occurrence of an event can be described as a predicate. The $O(E,[t,t'])$ predicate introduced by Galton & Augusto (2001) is true if an event $E$ has occurred that starts at time $t$ and terminates at time $t'$. In this dissertation, the notation $o(E,[t,t'])$ introduced by Mellin (2003) will be used instead of $O(E,[t,t'])$, since $O$ can be confused with the big-oh notation for algorithmic complexity. Formally, the interval function $[t,t']$ states that $start([t,t']) = t$, $end([t,t']) = t'$ and $|[t,t']| = t' - t$

2.2.2 Composite events

A composite event type may be combined by different operators, like for example conjunction, disjunction or sequence. The following models describe the occurrence of composite events formally (Galton & Augusto 2001). $G$ is a model of the history of events that have occurred.

Primitive event occurrence

Let $G$ be a model such that:

$G \models o(E,[t,t])$ iff $prim(E)$ and such an event type has occurred at time $t$.

In other words, a primitive event of type $E$ has occurred.

Disjunction ($\nabla$)

The disjunction operator can for example be used to specify that the composite event $E$ occurs if an event of type $E_1$ or $E_2$ occurs within a specified time period.

$G \models o(E_1 \nabla E_2,[t,t'])$ iff $o(E_1,[t,t']) \vee o(E_2,[t,t'])$

Sequence (;)

The sequence operator can be used to specify that a composite event of type $E$ occurs if a set of other events occur in a specified sequence. The following model expresses that the composite event of type $E$ is raised if an event of type $E_1$ occurs before an event of type $E_2$, and that both event occurrences occur within the time period that starts with $t$ and

$G \models o(E_1;E_2,[t,t'])$ iff $\exists t_1\, t_2\, \big( o(E_1,[t,t_1]) \wedge o(E_2,[t_2,t']) \wedge (t_1 - t > 0 \vee t' - t_2 > 0) \big)$

Conjunction ($\triangle$)

The conjunction operator can for example be used to specify that a composite event of type $E$ is raised if there is an occurrence of event $E_1$ and $E_2$ within a specified time period.

$G \models o(E_1 \triangle E_2,[t,t'])$ iff $\exists [t_1,t_2]\, \big( (o(E_1,[t,t_1]) \wedge o(E_2,[t_2,t'])) \vee (o(E_2,[t,t_1]) \wedge o(E_1,[t_2,t'])) \vee (o(E_1,[t,t']) \wedge o(E_2,[t_1,t_2]) \wedge t \le t_1 \vee t_2 \le t') \vee (o(E_2,[t,t']) \wedge o(E_1,[t_1,t_2]) \wedge t \le t_1 \wedge t_2 \le t') \big)$

Non-occurrence (N):

The non-occurrence event occurs if there is no event occurrence of a specified event between the occurrences of two other specified events. In the example below, there is a non-occurrence of an event of type $E_2$ if an occurrence of type $E_2$ does not occur in the interval opened by the occurrence of an event of type $E_1$ and closed by the occurrence of an event of type $E_3$.

$G \models o(N(E_1,E_2,E_3),[t,t'])$ iff $\exists [t_1,t_2]\, (o(E_1,[t,t_1]) \wedge o(E_3,[t_2,t'])) \wedge \forall [t_3,t_4]\, \big( (t_1 \le t_3 \wedge t_4 \le t_2) \rightarrow \neg o(E_2,[t_3,t_4]) \big)$

2.2.3 Event consumption policies

As a composite event is detected, there may be several different event occurrences of the same event type that can be used to form the composite event. An event may carry

at the event occurrence. Since parameters carried by event occurrences of the same type may be different, causing different results, it is important to consume event occurrences according to a predefined policy. Some frequently used consumption policies are recent, chronicle, continuous and cumulative. The different consumption policies can also be denoted as recent, chronicle, continuous and cumulative parameter contexts, as described in Chakravarthy & Mishra (1994), which will be used instead of consumption policy in this report.

Each composite event has a terminator and an initiator event. The initiator event initiates the detection of the composite event occurrence and the terminating event terminates the event composition. If for example the composite event is a sequence of type $E = E_1;E_2;E_3$ then $E_1$ is the initiator and $E_3$ is the terminator type for this specific composite event. Depending on which context is concerned, the initiator and terminator have different meanings. An occurrence of a terminator event in the continuous context may for example raise several instances of a composite event type, while only one instance is raised by the same event sequence in the chronicle context.

In the continuous context, a composite event is initiated each time an initiating event (an event that starts the detection of the composite event) occurs, and the cumulative context accumulates all the primitive events until the composite event is raised (Paton & Diaz 1998).

This project focuses on real-time systems and will only cover recent and chronicle context. Recent context is useful when for example the pressure and temperature of a liquid in a tank are measured. To discover hazardous situations, the pressure must not increase above a certain value while the temperature is above a threshold value. For the measurements to be useful, only the most recent values are interesting. Chronicle context on the other hand is useful when the order of occurrence is important. It may for example be useful if two sensors

time stamp of the first sensor should be matched with the earliest unused time stamp of the second sensor to calculate the average speed of a certain train.

Recent context

In recent context, the most recent set of event occurrences is considered. Each terminator raises a composite event occurrence, even if some of the event occurrences it contains have taken part in another instance of a composite event. As an illustrating example, let $E_1$, $E_2$ and $E_3$ be primitive event types. $E_4$ is a composite event type whose instance is raised by the occurrence of events of type $E_2$ and $E_3$ ($E_4 = E_2 \triangle E_3$), and $E_5$ is a composite event type raised by the occurrence of an event of type $E_1$ and $E_2$ in a sequence ($E_5 = E_1;E_2$). In an example scenario, events of type $E_1$ occur at time $t_1$ and $t_2$, at time $t_3$ an event of type $E_2$ occurs, followed by an event of type $E_3$ at time $t_4$ and an event of type $E_2$ at time $t_5$, where $t_1 < t_2 < t_3 < t_4 < t_5$. The composite events $E_4$ and $E_5$ are raised as in Figure 2.1.

The first instance of type $E_4$ is raised as an event of type $E_3$ occurs for the first time, because then there is an occurrence both of type $E_2$ and $E_3$ in the event history. As an event of type $E_2$ occurs for the second time, a new instance of event type $E_4$ is raised, since there already is an event of type $E_3$ in the event history. Both type $E_2$ and $E_3$ are terminators in this composite event, and each time a new event of type $E_2$ (or $E_3$) occurs, an event of type $E_4$ will also be raised if there is a prior instance of $E_3$ (or $E_2$) in the event history. As a new primitive event occurs in recent context, the old instance of this event is overwritten and only the most recent occurrence is saved.

For the composite event of type $E_5$ to be raised, the primitive event occurrence of type $E_2$ must be raised after an event of type $E_1$. This means that only $E_2$ is a terminator type in the composite event of type $E_5$, and a new instance of type $E_5$ will be raised whenever there is an occurrence of type $E_2$ after an event occurrence of type $E_1$

Figure 2.1: Occurrence of event $E_4 = E_2 \triangle E_3$ and $E_5 = E_1;E_2$ in recent context

In Figure 2.1 the event of type $E_5$ is raised both times the event of type $E_2$ occurs.

Chronicle context

In chronicle context, event occurrences are consumed in chronicle order and each event occurrence participates in only one composite event instance of each type. An event occurrence is invalidated if it is not of interest for any composite event. If events occur in an identical sequence as in the previous example, the composite events of type $E_4$ and $E_5$ are raised according to Figure 2.2. As opposed to the recent context, the second occurrence of type $E_2$ does not raise an occurrence of type $E_4$, since the earlier occurrence of type $E_3$ is consumed by a previous instance of $E_2 \triangle E_3$. The occurrences of type $E_5$ will use the earliest unused occurrence of $E_1$ instead of the most recent as in the previous example.
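The two contexts described above, as an added example that is not part of the dissertation: a small Python detector replays the constructed scenario of Figures 2.1 and 2.2 (E1 at t1 and t2, E2 at t3, E3 at t4, E2 at t5) and reports which instances of E4 = E2 △ E3 and E5 = E1;E2 are raised under recent and under chronicle context. Class and function names are the example's own.

```python
"""Composite-event detection under recent and chronicle context.

Added example, not code from the dissertation.  It replays the constructed
scenario of section 2.2.3 / Figures 2.1 and 2.2 and shows which composite
events E4 = E2 (conjunction) E3 and E5 = E1 ; E2 are raised in each context.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Occurrence:
    etype: str  # primitive event type, e.g. "E1"
    time: int   # timestamp in abstract units (constructed)


@dataclass(frozen=True)
class Conjunction:
    """E = a AND b: both a and b are terminator types."""
    name: str
    a: str
    b: str


@dataclass(frozen=True)
class Sequence:
    """E = a ; b: a initiates, only b terminates."""
    name: str
    a: str
    b: str


class Detector:
    """Detects composite events; `context` is "recent" or "chronicle"."""

    def __init__(self, composites, context):
        if context not in ("recent", "chronicle"):
            raise ValueError(context)
        self.context = context
        self.composites = composites
        # one buffer of unconsumed occurrences per composite and per operand type
        self.buffers = {c.name: {c.a: [], c.b: []} for c in composites}

    def _store(self, buf, occ):
        if self.context == "recent":
            buf[occ.etype] = [occ]          # overwrite: keep only the most recent
        else:
            buf[occ.etype].append(occ)      # chronicle: keep all, in arrival order

    def _partner(self, buf, etype):
        """Pick the occurrence of `etype` to combine with; chronicle consumes it."""
        if not buf[etype]:
            return None
        if self.context == "recent":
            return buf[etype][0]            # reused by every later terminator
        return buf[etype].pop(0)            # earliest unused, used exactly once

    def feed(self, occ):
        """Process one primitive occurrence; return the (name, start, end) raised."""
        raised = []
        for comp in self.composites:
            buf = self.buffers[comp.name]
            if occ.etype not in buf:
                continue
            if isinstance(comp, Conjunction):
                other = comp.b if occ.etype == comp.a else comp.a
                partner = self._partner(buf, other)
                if partner is not None:
                    raised.append((comp.name, partner.time, occ.time))
                    if self.context == "chronicle":
                        continue            # occ is consumed by this instance
                self._store(buf, occ)
            elif occ.etype == comp.a:       # Sequence: initiator, just remember it
                self._store(buf, occ)
            else:                           # Sequence: terminator
                partner = self._partner(buf, comp.a)
                if partner is not None:
                    raised.append((comp.name, partner.time, occ.time))
                # an unmatched terminator is of no interest and is dropped
        return raised


def run_scenario(context):
    """Replay E1@1, E1@2, E2@3, E3@4, E2@5 (constructed) and collect what is raised."""
    history = [Occurrence("E1", 1), Occurrence("E1", 2), Occurrence("E2", 3),
               Occurrence("E3", 4), Occurrence("E2", 5)]
    det = Detector([Conjunction("E4", "E2", "E3"), Sequence("E5", "E1", "E2")], context)
    raised = []
    for occ in history:
        raised.extend(det.feed(occ))
    return raised


if __name__ == "__main__":
    for ctx in ("recent", "chronicle"):
        print(ctx, run_scenario(ctx))
```

In recent context E4 is raised twice (at t4 and t5) and E5 reuses the most recent E1 (t2) both times; in chronicle context the second E2 finds no unconsumed E3, and the two E5 instances use E1 at t1 and then E1 at t2.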

2.2.4 Execution model

The types of events, operators and contexts available belong to the knowledge model of the ADBMS. The knowledge model describes what can be said about the rules in an active

Figure 2.2: Occurrence of event $E_4$ and $E_5$ in chronicle context

by the execution model of the active database. The execution model describes, among other things, which coupling modes are used, the transition granularity, the net effect policy and the cycle policy. The cycle policy determines what happens when an event occurrence is signalled by the evaluation of a condition: the executing rule may either be interrupted by the signalled rule, or continue to execute, causing the newly triggered rule to wait. The transition granularity determines whether a rule is triggered by a set or a tuple of event occurrences, and the net effect policy determines whether an event occurrence concerns single occurrences (e.g. update) or whether the net effect of several occurrences should be considered (e.g. only delete if update is followed by delete on the same data item) (Paton & Diaz 1998).

The coupling modes determine when the condition is evaluated with respect to the event occurrence and when the action is executed with respect to the evaluation of the condition. The most frequently supported options for coupling modes are: immediate, where the condition is evaluated immediately after the event occurrence (action executed

(executed) in the same transaction as the event occurrence although not necessarily immediately, and detached, where the condition (action) is evaluated (executed) in a different transaction (Paton & Diaz 1998).

The semantics of an active rule depends on the execution model of the ADBMS in which it is processed. This means that the same rule can behave differently in different ADBMS, which makes it important to take the target execution model into account when analysing the behaviour of a set of active rules.

2.3 Active applications

One of the main problems with the use of active rules is the difficulty of analysing the behaviour of an application implemented as a set of rules. The rules may depend on each other in ways that are hard to predict and hard to analyse. It may for example be important to restrict the order in which the conditions of simultaneously triggered rules are evaluated, since the condition evaluation of one rule may affect the outcome of the condition evaluation of another rule.

2.3.1 Termination

A rule cascade occurs when the processing of one rule action triggers another rule. If the cascade triggering forms a circle, as viewed in Figure 2.3, there are no guarantees that the set of rules will terminate. (In Figure 2.3 the processing of rule R1 triggers the rule R2, which in turn triggers rule R3, which triggers rule R1, and a rule cascade circle is formed.)

The cascade of rule triggerings may not only be due to the action of one rule triggering another rule. Consider the case where the action of rule R1 causes the condition of a

Figure 2.3: Example of nonterminating cascade triggering

first rule (R1) which satisfied the condition of rule R2 is partly responsible for the cascade triggering. This implies that it is not sufficient to study isolated effects of rule actions, since in isolation these rules would not have caused a cascade, but their combined effect may cause rule cascades. An accurate capture of cascades must involve an investigation of complete rule sets in combination with possible sequences of database states, external updates, and rule processing semantics (Falkenroth 2000, p.151).

According to (Vaduva 1999, p.69) there are three possible ways to solve the termination problem. Firstly there is a run time solution which handles the termination problem during the execution of the rules. In this solution, the system assumes that infinite cascade triggering is taking place, and terminates the execution of rules if a certain number of rules are triggered. The drawbacks of this solution are that a set of rule triggerings might be terminated although it was performing perfectly correctly; on the other hand, an incorrect circular triggering may unnecessarily run until the bound of rule triggering is reached. The second solution for the termination problem is to impose significant syntactic limitations on rule specification. However, this reduces the expressive power of the rule specification language. Thirdly, the rule set may be analysed to detect subsets of rules whose behaviour may lead to non-termination. These rules must be modified, and the termination analysis must be restarted. This is an iterative process performed until a terminating rule set can

(25)

However, a complete prediction of the interactions in a set of ECA rules is identified by both Vaduva (1999, p. 83) and Falkenroth (2000) to be an undecidable problem. It is impossible to assert with certainty whether an interaction between rules will take place considering all database states and all possible action statements. This is why the approach for solving this problem has to contain some restriction or simplification of the problem, for example to exclude the state of the database from the analysis, or to raise the abstraction level of the analysis, as performed in Vaduva (1999).

An important note is that non-termination is not always an undesired property. As already pointed out by Falkenroth (2000, p. 172), there are systems with cyclic behaviour, in which non-termination is defined as correct, and consequently, the correctness of a rule set is application dependent. This means that rule set properties which are correct in one application may be incorrect in another application and vice versa.
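As an added example (not from the dissertation) of the third, static approach beside the first, run-time approach, the following Python encodes a rule set as a triggering graph (an edge from Ri to Rj when the action of Ri raises the event that triggers Rj), reports the rules lying on a cycle, and contrasts this with a bounded executor that cuts a cascade off after a fixed number of triggerings. The rule encoding and function names are assumptions made for this illustration.

```python
"""Added example (not from the dissertation): the static approach to the
termination problem, realised as a triggering-graph cycle check, beside the
run-time approach with a bound on the number of triggerings. The rule encoding
(the event that triggers a rule and the events its action raises) is an
assumption made for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    event: str            # event type that triggers the rule
    raises: tuple = ()    # event types raised by the rule's action


# Constructed rule sets. CYCLIC reproduces Figure 2.3: R1 -> R2 -> R3 -> R1.
CYCLIC = (Rule("R1", "e1", ("e2",)), Rule("R2", "e2", ("e3",)), Rule("R3", "e3", ("e1",)))
TERMINATING = (Rule("R1", "e1", ("e2",)), Rule("R2", "e2", ("e3",)), Rule("R3", "e3"))


def triggering_graph(rules):
    """Edge Ri -> Rj whenever the action of Ri raises the event that triggers Rj.
    This over-approximates: an edge says Rj *may* be triggered, since the rule
    condition (and the database state it reads) is not modelled."""
    graph = {r.name: set() for r in rules}
    for ri in rules:
        for rj in rules:
            if rj.event in ri.raises:
                graph[ri.name].add(rj.name)
    return graph


def rules_on_cycles(graph):
    """Static analysis: the subset of rules that can reach themselves again.
    These are the rules that must be modified before the analysis is repeated."""
    on_cycle = set()
    for start, successors in graph.items():
        seen, frontier = set(), list(successors)
        while frontier:
            node = frontier.pop()
            if node == start:
                on_cycle.add(start)
                break
            if node not in seen:
                seen.add(node)
                frontier.extend(graph[node])
    return on_cycle


def execute(rules, initial_event, max_triggerings):
    """Run-time solution: process the cascade and abort once max_triggerings
    rules have fired. Returns (names of rules fired in order, aborted flag).
    Conditions are assumed to hold, so every raised event fires its rules."""
    by_event = {}
    for r in rules:
        by_event.setdefault(r.event, []).append(r)
    pending = [initial_event]
    fired = []
    while pending:
        event = pending.pop(0)
        for r in by_event.get(event, []):
            if len(fired) >= max_triggerings:
                return fired, True          # bound reached: cascade cut off
            fired.append(r.name)
            pending.extend(r.raises)
    return fired, False
```

Run on the constructed sets, the static check flags exactly the Figure 2.3 cycle, while a bound of 2 cuts off the correctly terminating cascade, which is the first drawback named above.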

2.3.2 Confluence

In a set of ECA rules which are triggered simultaneously, there might be dependencies between the rules, causing a non-deterministic behaviour of the system. The reason for this is that the outcome of the execution of two simultaneously triggered rules may depend on the order in which the condition parts of the rules were evaluated, or the order in which their action parts were executed (Paton & Diaz 1998). This is because the condition evaluation or action execution of rule R1 may affect the outcome of the condition evaluation or action execution of rule R2 and vice versa.

The termination and confluence properties are important characteristics of a set of active rules and they are given a lot of attention in the research area of active rules. There are different approaches to tackle these problems; Comai & Tanca (2003) are for example translating the rule set of any ADBMS into an internal language and logical clauses, proving

Tanca (2003) is taking the semantic differences in different execution models into account. These differences may cause a rule to behave differently depending on in which ADBMS it is executed.

2.3.3 A Distributed Active Real-time Database System (Dee DS)

The implementation of ECA rules varies in syntax and semantics. In some cases, the semantics of a rule is easy enough to be expressed in general terms, and then transformed to the exact syntax of the actual ADBMS. However, in cases where for example time is considered, and event occurrences are triggered relative to each other, it is beneficial to use an existing ADBMS as a framework for transformations. In this project, the ECA rules introduced in the rule manager of DeeDS (Andler, Berndtsson, Eftring, Eriksson, Hansson & Mellin 1995) will be used in cases where a specific framework is needed. The framework could be any commercial or academic ECA syntax supporting timeliness; however, the timeliness requirement is likely to require some extended form of ECA rules, which is specific for each database. In DeeDS, it is possible to specify temporal attributes like for example deadlines and execution times in the extended form of ECA rules proposed by Eriksson (1998).

Since predictability is an important characteristic in real-time systems, the only coupling mode allowed in DeeDS is detached. If the action is allowed to execute in the triggering transaction, the execution time of the triggering transaction will vary depending on whether the action part of the rule is executed, and in that case, on the execution time of the action. To be sure that the execution time of the transaction is not changed, the action

2.4 Formal methods

The software developed today is becoming more and more complex and is used in increasingly critical situations. The correctness of computer systems is becoming a dominant issue for a large class of applications, and one approach to gain higher confidence in a system is to use formal methods. However, it is important to understand that formal methods are not a silver bullet for developing perfect software. According to Hall (1990) their most fundamental limitations arise from two facts: some things can never be proven, and we can make mistakes in the proofs of the things we can prove.

Since the real world is not a formal system, a proof does not show that things in the real world will happen as you expect. You can never be sure that your specifications are correct, no matter how much you prove about them. However, although the use of formal methods does not give any absolute guarantees for the system correctness, formal specifications are better at exposing mistakes made than informal specification methods. It is also the case that as an error is exposed, people are more ready to agree that it is an error than in an informal specification, where it is sometimes not clear what is being said (Hall 1990).

2.4.1 Proof of correctness

Although it is not possible to prove the correctness of the specification with respect to the real world, some things actually can be proven. Using a specification based on mathematics makes it possible to demonstrate that one formal statement follows from another, and this is how a proof is conducted. However, even if there is a successful proof showing that the implementation corresponds to the specification, the behaviour of the system is affected by three factors limiting the usefulness of the proof: the behaviour of the programming

are crucially important for safety critical systems, which implies that the proof must be complemented with systematic testing methods, especially for non-functional properties such as timeliness.

2.4.2 Benefits of formal methods

Any high quality system must meet both its functional and non-functional requirements. Even if it is possible to catch and correct errors and deviations from the specification in the last phases of a system development project, it might be very expensive to correct the errors in late stages of a development process. This implies that a fault avoidance technique like formal methods, which has a high probability of catching errors in the early stages of the development process, might reduce the total development cost due to less effort spent on testing and correcting expensive errors.

The process of showing that the system satisfies its specification is named system verification. To be able to perform a formal verification of a system, including formal proofs, a formal specification is needed (Wing 1990). However, since the specification itself might be wrong, the use of formal methods must be complemented with testing. The validation of a system is mainly concerned with the issue of testing and debugging. However, formal specifications can also be used in the testing phase, to generate test cases, reducing the time spent on testing.

2.4.3 Formal schema for composite events

The state of a system which is implemented using active rules can be represented as histories of event occurrences. In such models, each update of an event history (each time an event occurs) causes a change of state. In Mellin & Andler (2002) and Mellin

used in this dissertation as a base for proving equivalence of the behaviour between timed automaton specifications and occurrences of composite events. The reason for choosing the schema presented in Mellin & Andler (2002) is that it takes the processing of events into account, and it is possible to compare the behaviour of operators in different contexts.

The schema presented in Mellin & Andler (2002) is based on set theory, where state transformations are based on event occurrences and operator rules. For each operator in each context, a rule is formally formulated based on the set of occurred events, and when the precondition of the operator rule is true, a composite event is raised. Each operator maintains a history of used and invalidated event occurrences for that operator, represented as sets. An event is used when the event occurrence has been used to contribute to a composite event, and it is invalidated when it can not be used to form a composite event occurrence. In chronicle context, a used event is a consumed event that can not be used to form a new composite event, while a used event in recent context may contribute to several other composite event occurrences.

The current state is the state of all event histories, so an occurrence of a monitored event causes a change in the event histories and hence causes a change of state. The inference system presented by Mellin & Andler (2002), and described in short in this section and in section 5.3, is a rule based transformation between states.

Event occurrences

An event of type E may be primitive, denoted prim(E), or composite. Axioms stated for the event schema described in Mellin & Andler (2002) are that primitive event occurrences are instantaneous and there are no simultaneous occurrences of primitive events of the same type.

A composite event occurrence is composed by other event occurrences and may occur

$\mathit{start}(\mathit{span}(\gamma))$ is the time of occurrence of the initiator event and $\mathit{end}(\mathit{span}(\gamma))$ is the time of occurrence of the terminator event of the event occurrence $\gamma$. The relation $\gamma(E, [t, t'])$ is used to describe that an event of type E has occurred in the time interval $[t, t']$.

The relation between initiators/terminators and the composite event they have initiated or terminated is described as an ordered pair $\langle \gamma', \gamma \rangle$, where $\mathit{iot}(\langle \gamma', \gamma \rangle)$ gives the set of $\gamma'$, where $\gamma'$ is either the initiator or the terminator of the composite event occurrence $\gamma$. The subscript $\omega$ is used to denote terminators and $\alpha$ is used to denote initiators.

Event types

The set of all monitored event types is denoted $E_m$. The set of event types that can initiate a composite event is denoted $E_\alpha$, while the set of event types that can terminate a composite event is denoted $E_\omega$.

Occurrence histories

The generated set G contains the history of all primitive and composite events that have occurred so far. Each time a primitive or composite event occurs, it is inserted in the set G:

$\forall \gamma \in G \, (\mathit{end}(\mathit{span}(\gamma)) \le \mathit{now})$

As an event is used or invalidated, it is inserted in the set of used or invalidated events for that event type: $U_\alpha(E)$ is a set of $\langle \gamma', \gamma \rangle$ for E where $\gamma'$ is the used initiator; $U_\omega(E)$ is a set of $\langle \gamma', \gamma \rangle$ for E where $\gamma'$ is the used terminator; $I_\alpha(E)$ is a set of invalidated initiator occurrences of type E and $I_\omega(E)$ is a set of invalidated terminator occurrences of type E. The tuple $(U_\alpha(E), U_\omega(E), I_\alpha(E), I_\omega(E))$ describes the state of each E.

Let $s_0, s_1, \ldots, s_n$ represent the history of states of event composition, then $s_i$

the set of operator states. That is, $s_i$ is defined as $G, \bigcup_E (U_\alpha(E), U_\omega(E), I_\alpha(E), I_\omega(E))$. In other words, the state $S_i$ is the event history G together with all used and invalidated event histories for all monitored event types. Each operator type has a set of operator rules that transforms $s_i$ into $s_j$.

Example. Assume

$G = \{\gamma(E_1, [1,1]), \gamma(E_1, [2,2]), \gamma(E_2, [3,3]), \gamma(E_2, [4,4]), \gamma(E_2, [5,5])\}$

The composite event type $E = E_1; E_2$ is monitored in chronicle context, the set of monitored event types $E_m$ is $\{E, E_1, E_2\}$, the set of initiator types $E_\alpha$ for E is $\{E_1\}$ and the set of terminator types $E_\omega$ for E is $\{E_2\}$. Given the occurrence history G, two occurrences of E will be formed using the following event occurrences: $\{\gamma(E_1, [1,1]), \gamma(E_2, [3,3])\}$ and $\{\gamma(E_1, [2,2]), \gamma(E_2, [4,4])\}$. The sets containing used and invalidated occurrences will be the following:

$U_\alpha(E) = \{\langle \gamma(E_1, [1,1]), \gamma(E, [1,3]) \rangle, \langle \gamma(E_1, [2,2]), \gamma(E, [2,4]) \rangle\}$

$U_\omega(E) = \{\langle \gamma(E_2, [3,3]), \gamma(E, [1,3]) \rangle, \langle \gamma(E_2, [4,4]), \gamma(E, [2,4]) \rangle\}$

$I_\alpha(E) = \emptyset$

$I_\omega(E) = \{\gamma(E_2, [5,5])\}$

In other words, the event occurrences that have initiated a composite event of type E are included in the set of used initiators for that type ($U_\alpha$), and the event occurrences that have terminated the composite event E are included in the set of used terminators for that type ($U_\omega$). In the example history G there are no invalidated initiator occurrences; however, the event occurrence $\gamma(E_2, [5,5])$ is an invalidated terminator occurrence, since there is no matching unused occurrence of the initiator type $E_1$.
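The composition described in the example above, as an added Python illustration that is not part of Mellin & Andler (2002) or of this dissertation: the sequence operator in chronicle context is run over the constructed history G, and the resulting sets correspond to $U_\alpha(E)$, $U_\omega(E)$, $I_\alpha(E)$ and $I_\omega(E)$. The record layout and function names are this example's own assumptions.

```python
"""Added example (not from Mellin & Andler 2002 or this dissertation): the
sequence operator E = E1;E2 evaluated in chronicle context over the occurrence
history G of the example above. The record layout and function names are this
example's own; the returned sets correspond to U_alpha(E), U_omega(E),
I_alpha(E) and I_omega(E) as defined above."""
from collections import namedtuple

# An event occurrence gamma(E, [t, t']): event type and the span [start, end].
Occ = namedtuple("Occ", "etype start end")

# Constructed occurrence history G, as in the worked example above.
G = [Occ("E1", 1, 1), Occ("E1", 2, 2), Occ("E2", 3, 3), Occ("E2", 4, 4), Occ("E2", 5, 5)]


def compose_sequence_chronicle(history, composite, initiator_types, terminator_types):
    """Operator rule for E = E_alpha;E_omega in chronicle context.

    Occurrences are processed in order of their end time (primitive occurrences
    are instantaneous, and no two of the same type coincide). The oldest unused
    initiator is paired with the next terminator and thereby consumed; a
    terminator that finds no unused initiator is invalidated. Initiators are
    never invalidated by this operator: they wait for a terminator.
    Returns (composite occurrences, U_alpha, U_omega, I_alpha, I_omega)."""
    unused_initiators = []                      # FIFO queue: oldest first
    composites, U_a, U_w, I_a, I_w = [], [], [], [], []
    for occ in sorted(history, key=lambda o: (o.end, o.start)):
        if occ.etype in initiator_types:
            unused_initiators.append(occ)
        elif occ.etype in terminator_types:
            if not unused_initiators:
                I_w.append(occ)                 # nothing to terminate: invalidated
                continue
            init = unused_initiators.pop(0)     # consumed; cannot initiate again
            comp = Occ(composite, init.start, occ.end)   # span from initiator to terminator
            composites.append(comp)
            U_a.append((init, comp))            # <gamma', gamma>: used initiator
            U_w.append((occ, comp))             # <gamma', gamma>: used terminator
    return composites, U_a, U_w, I_a, I_w


def operator_state(history, composite, initiator_types, terminator_types):
    """The tuple (U_alpha(E), U_omega(E), I_alpha(E), I_omega(E)) describing
    the state of E after the whole history has been processed."""
    _, U_a, U_w, I_a, I_w = compose_sequence_chronicle(
        history, composite, initiator_types, terminator_types)
    return U_a, U_w, I_a, I_w


def generated_set(history, composite, initiator_types, terminator_types):
    """G after composition: every occurrence, primitive or composite, ordered
    by end time."""
    comps, *_ = compose_sequence_chronicle(history, composite, initiator_types, terminator_types)
    return sorted(history + comps, key=lambda o: (o.end, o.start))


def history_invariant_holds(generated, now):
    """The axiom quoted above: for all gamma in G, end(span(gamma)) <= now."""
    return all(o.end <= now for o in generated)
```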

2.4.4 Finite-state machines and finite automata

The behaviour of many kinds of machines, including components in computers, can be modelled using a structure called a finite state machine. A state machine consists of a set of states, including a starting state, a set of transitions, an input alphabet, a transition function that assigns a new state to each pair of state and input, and an output function that assigns an output to each pair of state and input (Rosen 1999).

A model that is closely related to finite-state machines is finite automata. The difference is that finite automata, instead of producing an output sequence, have a set of final states. The finite automaton produces an acceptance or rejection of the input sequence, depending on whether a final state is reached by the input sequence or not. Finite state automata can be used as language recognizers, which is a preferable characteristic in modelling compilers (Rosen 1999). A string is said to be recognized (or accepted) by a finite automaton if it takes the machine from the initial state to a final state. The language recognized (or accepted) by a state machine is the set of all strings that are recognized by the state machine. Two finite state automata are called equivalent if they recognize the same language (Rosen 1999).

Finite-state automaton example

As previously exemplified in Ericsson (2002), a finite-state automaton can be described as a tuple $(\Sigma, S, S_0, E, F)$, where $\Sigma$ is the input alphabet, S is a set of states, $S_0$ is the initial state and E is a set of edges (E is a subset of $S \times S \times \Sigma$). Given the input $\sigma$, the state of the automaton is transformed from s to s' if the edge $(s, s', \sigma)$ is in E (Alur & Dill 1994). F denotes the set of states accepted by the automaton. The corresponding values for the

Figure 2.4: State diagram of a finite-state automaton (states S0 (accepting), S1 and S2 (accepting); input symbols 0 and 1)

• $\Sigma = \{1, 0\}$
• $S = \{S0, S1, S2\}$
• S0 is the starting state.
• $E = \{(S0, S0, 0), (S0, S1, 1), (S1, S0, 0), (S1, S2, 1), (S2, S1, 0)\}$
• $F = \{S0, S2\}$

A word over the alphabet $\Sigma$ in the example may be 001011. The language L recognized by the automaton M in Figure 2.4 is the set of inputs that take the automaton from its start state S0 to one of the final states S0 or S2. The set of strings accepted by the automaton is denoted L(M). To reach the final state S0 or S2, a string of ones and zeros that does not contain more than two consecutive ones, and that does not contain a single one, is required.

The finite state automaton described in Figure 2.4 is a deterministic automaton. In a deterministic automaton there is a unique next state given by the transition function for each state and input pair. If there can be several possible next states for each pair of state

Figure 2.5: Automaton accepting the language $0 \cup 10^*$ (states S0 (start), S1 (accepting) and S2 (accepting))

Finite automata and regular languages

A language of an automaton is every string that is derivable from the starting state. Every language that is accepted by a finite automaton is a regular language and every regular language is accepted by a finite automaton (Salling 1998, p. 43). This result was proved by Kleene in 1956 and is called Kleene's theorem.

A regular language can be expressed in a set notation called regular expressions (Salling 1998, p. 23). The operators of regular expressions are Kleene closure, union and concatenation. The concatenation of two sets A and B, denoted AB, is the set of all strings of the form xy where x is a string in A and y is a string in B. The Kleene closure of a set A, denoted by $A^*$, is the set consisting of concatenations of arbitrarily many strings from A (Rosen 1999, p. 648).

If $\{0\} \cup (\{1\}(\{0\}^*))$ is a regular language over the alphabet $\{1, 0\}$, then the corresponding regular expression is $(0 \cup (1(0^*)))$. The automaton accepting the language $\{0\} \cup (\{1\}(\{0\}^*))$ is shown in Figure 2.5. To reduce the number of parentheses used, there are order conventions to use. The order conventions of regular expressions are first Kleene closure, then concatenation and last the union operator. The expression $(0 \cup (1(0^*)))$ can then be written $0 \cup 10^*$ (Salling 1998). The notation $A^+$ is equal to $A^*$ except that $A^+$ does not contain the empty string. Table 2.1 shows some examples of regular expressions.

Expression     Strings
10*            A 1 followed by any number of 0s (including no zeros)
(10)*          Any number of copies of 10 (including the null string)
0 ∪ 01         The string 0 or the string 01
0(0 ∪ 1)*      Any string beginning with 0
(0*1)*         Any string not ending with 0

Table 2.1: Some regular expressions rewritten from (Rosen 1999, p. 657)

is a subset of the language recognized by another finite automaton, this problem can be seen as a string comparison problem, which checks whether two strings are identical (Brookshear 1989, p. 269). The expressive power of a regular language is limited due to its finite memory and its inability to count inputs and outputs. This is why a more expressive language is needed in more complex situations.

2.4.5 Timed automaton

Finite state machines cannot reason easily about time, since in the best case time must be represented by counting clock ticks, which may cause a state explosion. Instead, to include time constraints in the finite automaton model, a timed automaton may be used. A timed automaton is a finite automaton extended with a set of real-valued clocks. A timed automaton accepts timed words, which means that a real-valued time of occurrence is associated with each symbol. As an automaton makes a choice to take a state transition, the choice of the next state depends both on the input symbol read and on the time value of the input symbol.

The clocks may be reset independently of each other during a transition and their values may be used as guards on transitions. The addition of a finite set of real-valued clocks makes it possible to prove real-time requirements of finite-state systems (Alur & Dill 1994).

The state of the timed automaton is the state of the finite automaton together with

Figure 2.6: State diagram of a timed automaton (states S0 (accepting) and S1; clock x with guards x < 5 and x >= 5, reset x := 0; input symbols 0 and 1)

table. According to Alur & Dill (1994) a timed transition table is defined as a tuple $(\Sigma, S, S_0, C, E)$ where $\Sigma$, S and $S_0$ are defined as in a regular automaton, C is a finite set of clocks and E gives the set of transitions. The set of transitions in a timed automaton is extended with the set of clocks to be reset in the transition, and the set of clock constraints for the transition. Each symbol presented to the automaton represents an occurring event, and the time value attached to it represents the time when the symbol is presented to the system. According to Alur & Dill (1994) a pair $(\sigma, \tau)$ is referred to as a timed word over the alphabet $\Sigma$ if $\sigma$ is an infinite word over $\Sigma$ and $\tau$ is an increasing time sequence. A set of timed words over $\Sigma$ is referred to as a timed language.

Timed automaton example

The example automaton in Figure 2.6 has the alphabet $\Sigma = \{0, 1\}$. An accepted language L for this automaton would be a sequence of zeros while time is below 5, followed by a single one as the time increases above 5, followed by an arbitrary number of zeros.

A formal notation is often used to express the language of an automaton. The formal notation for the accepted language in the example would be:

$L = \{(\sigma, \tau) \mid \forall i (\tau_i < 5 \to \sigma_i = 0) \land \exists j ((\tau_j \ge 5 \land \forall i (\tau_i < \tau_j \land \sigma_i = 0)) \to \sigma_j = 1) \land \forall i ((\tau_i \ge 5 \land \exists j (j < i \land \sigma_j = 1)) \to \sigma_i = 0)\}$

Figure 2.7: Timed Büchi automaton redrawn from Alur & Dill (1994) (states S0 (start), S1, S2 (accepting) and S3; input symbols a and b; clock x with guard x < 2 and reset x := 0)

In the example, $\forall i (\tau_i < 5 \to \sigma_i = 0)$ expresses the acceptance criterion of only zeros while the time is below 5, $\exists j ((\tau_j \ge 5 \land \forall i (\tau_i < \tau_j \land \sigma_i = 0)) \to \sigma_j = 1)$ captures the criterion of a one if the time is above or equal to 5 and all previous inputs are zero, and $\forall i ((\tau_i \ge 5 \land \exists j (j < i \land \sigma_j = 1)) \to \sigma_i = 0)$ denotes that after the single one there will be an arbitrary number of zeros.
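The timed transition table and timed word definitions above, as an added Python example that is not from Alur & Dill (1994) or this dissertation: a small interpreter that runs an automaton over a finite timed word, applied to the Figure 2.6 automaton and to the Figure 2.7 automaton. The edge sets of both automata are this example's reading of the descriptions above (the figures are not reproduced here), and finite prefixes stand in for the infinite words of the definition.

```python
"""Added example (not from Alur & Dill 1994 or this dissertation): an
interpreter for timed transition tables (Sigma, S, S0, C, E) over finite timed
words. The edge sets of the Figure 2.6 and Figure 2.7 automata below are this
example's reading of the textual descriptions; finite prefixes are used in
place of the infinite words of the definition."""
from dataclasses import dataclass
import operator

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       ">=": operator.ge, ">": operator.gt}


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    symbol: str
    guard: tuple = ()   # clock constraints, e.g. (("x", ">=", 5),)
    reset: tuple = ()   # clocks set to 0 when the edge is taken


@dataclass(frozen=True)
class TimedAutomaton:
    states: frozenset
    start: str
    clocks: frozenset
    edges: tuple
    accepting: frozenset


def guard_holds(guard, clock_values):
    return all(OPS[op](clock_values[c], bound) for c, op, bound in guard)


def run(ta, timed_word):
    """States reachable after reading the timed word ((sigma_1, tau_1), ...).
    A configuration is (state, time of last reset per clock); a clock's value
    at time tau is tau minus its last reset. All enabled edges are followed,
    so nondeterministic automata are handled as well. An empty result means
    that no run exists, i.e. the word is rejected."""
    configs = {(ta.start, tuple(sorted((c, 0.0) for c in ta.clocks)))}
    prev = None
    for sym, tau in timed_word:
        if prev is not None and tau <= prev:
            raise ValueError("tau must be a strictly increasing time sequence")
        nxt = set()
        for state, resets in configs:
            reset_at = dict(resets)
            values = {c: tau - reset_at[c] for c in ta.clocks}
            for e in ta.edges:
                if e.src == state and e.symbol == sym and guard_holds(e.guard, values):
                    new_reset = dict(reset_at, **{c: tau for c in e.reset})
                    nxt.add((e.dst, tuple(sorted(new_reset.items()))))
        configs, prev = nxt, tau
    return {state for state, _ in configs}


def accepts(ta, timed_word):
    """Finite-prefix acceptance: some run ends in an accepting state."""
    return bool(run(ta, timed_word) & ta.accepting)


# Figure 2.6 (assumed encoding): zeros while x < 5, a single one once x >= 5,
# then zeros. Clock x is never reset, so it measures the time since the start.
FIG_2_6 = TimedAutomaton(
    states=frozenset({"S0", "S1"}), start="S0", clocks=frozenset({"x"}),
    edges=(Edge("S0", "S0", "0", guard=(("x", "<", 5),)),
           Edge("S0", "S1", "1", guard=(("x", ">=", 5),)),
           Edge("S1", "S1", "0")),
    accepting=frozenset({"S0", "S1"}))

# Figure 2.7 (assumed encoding of the redrawn Alur & Dill automaton): a resets
# x on the way into S2 and the following b must come while x < 2.
FIG_2_7 = TimedAutomaton(
    states=frozenset({"S0", "S1", "S2", "S3"}), start="S0", clocks=frozenset({"x"}),
    edges=(Edge("S0", "S1", "a"), Edge("S1", "S0", "b"),
           Edge("S0", "S2", "a", reset=("x",)),
           Edge("S2", "S3", "b", guard=(("x", "<", 2),)),
           Edge("S3", "S2", "a", reset=("x",))),
    accepting=frozenset({"S2"}))
```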

Timed regular languages are defined by Alur & Dill (1994) to be the class of timed languages accepted by a timed Büchi automaton. Such automata have a set of accepting states, and a run over the automaton is accepting if some accepting state is repeated infinitely often. This is for example the case in Figure 2.7, which accepts the timed language $L = \{((ab)^\omega, \tau) \mid \exists i \, \forall j \ge i \, (\tau_{2j} < \tau_{2j-1} + 2)\}$.

2.4.6 Uppaal

A timed automaton is analysable; it is for example possible to check if a certain state is reachable within a limited time period. However, performing these checks manually is difficult and time consuming. Fortunately there are CASE tools developed with the aim of solving these tasks. Uppaal is a CASE tool developed jointly by Uppsala University and Aalborg University. The analysing capabilities of Uppaal are for example model checking

automata. Each timed automaton is simulating a process which is able to synchronize with other automata. As the model is built, it is possible to visually simulate its behaviour in the CASE tool, as well as to verify its correctness using queries.

Both liveness and safety properties may be checked using the verifier in Uppaal. Checking safety is to ensure that bad things never happen. Consider for example a railway control system, which must guarantee that at most one train can pass some critical point at a time. If the railway control is modelled in Uppaal, it is possible to automatically check if this property holds using the verifier. It is also possible to check that good things eventually happen (liveness); imagine for example that a certain train must be able to cross a critical track section within a specific time period (Yi, Pettersson & Daniels 1994).

The notation for an initial state in Uppaal is a double circle, but there is no explicit notation for an accepting state. In this dissertation, all figures showing an automaton are produced by Uppaal, so accepting states are named <Statename>accepting, since there is no special notation for it in Uppaal. Since the start state in Uppaal has the same notation as an accepting state in other notations (double circle), the start states are named <Statename>start in this dissertation to avoid confusion.

Since a timed automaton specification can be built up by a network of timed automata, there is a need for communication between cooperating automata. In Uppaal this communication is performed by synchronizing on global channels. If an automaton sends information on channel x (the exclamation mark, x!, is the notation for send), another automaton must be able to synchronize and receive the message (the question mark, x?, is the notation for receiving a message on the channel x). If two automata are synchronizing on a channel, they may only take the synchronising transition if the synchronizing automaton takes its transition simultaneously.

Figure 2.8 shows an example of a fragment of an Uppaal specification with two

Figure 2.8: Example of Uppaal specification (automata P1, P2 and P3; states S1, S2 and S3 with invariants t <= 4 and t <= 5; transition labels channel!, channel?, x == 4, t == 4, y := 3 and x := 4)

second automaton consists of the states S1, S2 and S3. In state S1, there is a time invariant $t \le 4$, meaning that the system may not remain in this state once the time is above or equal to 4, and on the transition between S1 and S2 there is a time guard t == 4. The invariant together with the time guard forces the timed automaton to take the transition between S1 and S2 exactly as the clock variable t is equal to 4. In state S2, the system is not allowed to wait for more than one time tick, since there is an invariant $t \le 5$.

The naming convention for variables in timed automata models in this dissertation is that clock variables start with t, guards are placed at the very start of transitions, synchronisations are placed in the middle and assignments are placed at the end of transitions.

In this report, there are figures produced in Uppaal which are not exactly following the Uppaal semantics. The reason for this is to gain increased understandability of the issues described. It is for example not yet possible to specify a guard as true or false in Uppaal, as in Figure 5.2; an integer which may take one of the values one or zero is usually used for this purpose.

Uppaal is not the only CASE tool available for specifying systems in timed automata. Two other tools worth mentioning are Kronos and HyTech (Yovine 1997). The CASE

and analysing capabilities (Berard & Sierra 2000). However, the ability to model integers in Uppaal, which is useful when it comes to modelling composite events, is one of the reasons why Uppaal is chosen for this project.

2.5 Timed automata to ECA rules

In a recent study, Ericsson (2002) proposes a method for deriving ECA rules from timed automata specifications. The main idea of this method is to transform the analysed behaviour of a timed automaton into a set of implicitly analysed rules. The specifications are considered to have equivalent behaviour if they produce an identical output sequence given an identical sequence of inputs (Abadi & Lamport 1991).

In Ericsson (2002) a case study was performed, where the method was applied to a timed automaton specification of a production cell. The outcome of applying the method was a set of rules which maintained the behaviour of the timed automaton, given that the order of event occurrences was predictable.

A prerequisite for the developed method is to divide the set of states in the automaton specification into external and internal states. External states are states which affect the system's external behaviour, and internal states are defined as states which only serve as help states needed in the specification language, for example to model time delays.

The method is based on the principle that each arrival at an external state in the timed automaton is transformed to an event occurrence in the rule base. Transition assignments are mapped to methods, which are executed in the action part of the derived ECA rule.

The decision to map each arrival at an external state in the automaton to an event occurrence in the rule base has several advantages; however, it also causes a mismatch in

possible to map the guard in the automaton to a condition in the rule set for all cases. This is because an automaton is waiting in its state until a guard becomes true, but an ECA rule evaluates its condition once, and if the condition is false, the rule condition will not be evaluated again until a new event of that type occurs. In the previous case study, this mismatch was solved by using composite events; however, a general solution for guarded transitions is missing.

Rule derivation approach

The method for deriving ECA rules assumes that the specification is modelled in Uppaal and built up by several synchronizing sub automata. The method developed in Ericsson (2002) consists of the following steps.

I Identify external states.
Determine which states in each automaton are internal (help states for the automaton), and which states are external and relevant for the forthcoming derivation of rules.

II Identify preconditions for external transitions.
For every transition between two external states in every model, determine which states all sub automata must be in for the transition to be executed (the event acceptance state of the entire model), and the values of relevant variables.

III Identify postconditions for external transitions.
For every transition between two external states in every automaton, determine which states all sub automata must be in and the values of relevant variables immediately after

IV Express the action part of the transition as a method where it is possible.

V Identify redundant transitions.
Determine if redundant transitions, e.g. transitions that have the same pre- and postconditions and that are synchronising, can be composed into one single rule.

VI Express the entering of external states as primitive event occurrences.
Express the entering of every external state in the model as a primitive event in the ECA rule specification language.

VII Identify and specify composite events.
Identify if there are composite events (if the precondition of the rule depends on more than one automaton), and in that case, which primitive events the composite event is combined of.

VIII Formulate the set of rules.
Attach the condition and action parts of the transition to formulate rules.
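A mechanical pass over steps I to III and V to VIII, as an added Python example that is this example's own encoding rather than the method as applied in Ericsson (2002): a constructed two-automaton network in the style of Figure 2.8 is turned into rules. The rule layout and the use of a conjunction of entering events for a precondition spanning two automata (step VII) are assumptions made here.

```python
"""Added example (this example's own encoding, not the method as applied in
Ericsson 2002): a mechanical pass over steps I-III and V-VIII for a
constructed two-automaton network in the style of Figure 2.8. Automata are
given as transition lists with their external states marked by the modeller
(step I). The rule layout and the conjunction of entering events used for a
precondition spanning two automata (step VII) are assumptions made here."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transition:
    src: str
    dst: str
    guard: str = ""     # clock or variable guard, e.g. "t == 4"
    sync: str = ""      # "c!" sends, "c?" receives on channel c, "" = none
    assign: str = ""    # assignment executed on the transition, e.g. "x := 4"


@dataclass(frozen=True)
class Automaton:
    name: str
    start: str
    external: frozenset  # step I: states that affect external behaviour
    transitions: tuple


def external_transitions(aut):
    """Transitions between two external states; internal help states are skipped."""
    return [t for t in aut.transitions if t.src in aut.external and t.dst in aut.external]


def sync_partner(network, aut, t):
    """The (automaton, transition) that must take its transition together with t."""
    if not t.sync:
        return None
    channel, kind = t.sync[:-1], t.sync[-1]
    wanted = channel + ("?" if kind == "!" else "!")
    for other in network:
        if other is aut:
            continue
        for ot in other.transitions:
            if ot.sync == wanted:
                return other, ot
    return None


def precondition(network, aut, t):
    """Step II: states all involved sub automata must be in, plus the guard."""
    states = {aut.name: t.src}
    partner = sync_partner(network, aut, t)
    if partner:
        states[partner[0].name] = partner[1].src
    return states, t.guard


def postcondition(network, aut, t):
    """Step III: states the involved sub automata are in immediately after t."""
    states = {aut.name: t.dst}
    partner = sync_partner(network, aut, t)
    if partner:
        states[partner[0].name] = partner[1].dst
    return states


def entering_event(aut_name, state):
    """Step VI: the arrival at an external state is a primitive event."""
    return f"enter_{aut_name}_{state}"


def derive_rules(network):
    """Steps VI-VIII, with the receiving side of a synchronisation folded into
    the sender's rule (step V). The guard becomes the rule condition; note that
    it is evaluated once, at event time, not awaited as the automaton does."""
    rules = []
    for aut in network:
        for t in external_transitions(aut):
            if t.sync.endswith("?"):
                continue                        # covered by the sender's rule
            pre_states, guard = precondition(network, aut, t)
            events = [entering_event(a, s) for a, s in sorted(pre_states.items())]
            # Step VII: a precondition over several automata is a composite event.
            event = events[0] if len(events) == 1 else "AND(" + ", ".join(events) + ")"
            partner = sync_partner(network, aut, t)
            actions = [t.assign] + ([partner[1].assign] if partner else [])
            rules.append({"name": f"R_{aut.name}_{t.src}_{t.dst}", "event": event,
                          "condition": guard or "true",
                          "action": [a for a in actions if a],      # step IV: methods
                          "post": postcondition(network, aut, t)})
    return rules


# Constructed network: P1 sends on "channel" when t == 4 and P2 receives it; P2
# then passes through an internal help state H (a modelled delay) to S3.
P1 = Automaton("P1", "A", frozenset({"A", "B"}),
               (Transition("A", "B", guard="t == 4", sync="channel!", assign="y := 3"),
                Transition("B", "A")))
P2 = Automaton("P2", "S1", frozenset({"S1", "S2", "S3"}),
               (Transition("S1", "S2", sync="channel?", assign="x := 4"),
                Transition("S2", "H", assign="t := 0"),
                Transition("H", "S3", guard="t == 2")))
NETWORK = (P1, P2)
```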

A proof of principle was performed as a case study where a timed automaton specification of a production cell for treating metal bricks was transformed into a set of ECA rules. The case study was focused on the correctness of the behaviour of the entire application,

3 Problem description

This section will clarify the aim of this project, as well as present the arguments behind the aim.

3.1 Active real-time database applications

Event-triggered real-time systems may take advantage of the persistent storage and event monitoring capabilities of an active database. However, despite lots of prior work in the area of active databases, ECA rules are still notorious for their low-level specification language, which makes such systems really hard to analyse and maintain. The rules affect each other, directly and indirectly, in a way that makes a thorough analysis of the system's behaviour impossible if no constraints are set on the design of the rule set (Falkenroth 2000). On the contrary, the desire to use active databases in real-time systems requires an analysed and predictable behaviour of the rule set, which also must guarantee that certain deadlines can be met.

The problem of analysing the behaviour of a set of rules, and the desire to use active

development of predictable active real-time applications. According to Paton & Diaz (1998) the area of developing active applications lacks appropriate design methodologies, even in cases where time constraints are not considered. Several approaches exist for verifying different characteristics of an existing rule set; however, the development of the set of rules, and the verification of the behaviour of the entire rule set in a certain execution model with respect to its specification, are usually not considered. The set of rules is usually assumed to magically appear, and there is poor guidance for the developer on how to create a predictable rule set from, for example, a formal specification, and how to design a set of rules which is possible to maintain, change and reuse.

3.2 Deriving active rules from timed automata

There are several benefits of specifying and analysing the behaviour of a real-time system in a formal timed automaton notation. It is for example possible to verify that a certain state will be reached within a specific time, and that the system will not deadlock (if the system implements the specification correctly). The correctness of the models may be automatically analysed by some of the CASE tools available for automatic verification and simulation of timed automaton models, for example Uppaal (Larsen et al. 1997).

However, there is no obvious way of taking advantage of these benefits when specifying a real-time application using an active database. Furthermore, there is no CASE tool or method support for verifying that the behaviour of the implemented rule set corresponds to the behaviour specified in the timed automaton. In the ultimate scenario, the set of rules that implements the behaviour of the timed automaton is automatically generated from the timed automaton specification.

To reach the vision of automatically generating active rules from an arbitrary timed

timed automaton into a set of ECA rules. This means that as an event occurs, it must have the same effect in both the timed automaton and the rule set. However, it is not enough that the rule set reacts on all event occurrences that are specified in the timed automaton; it is also the case that in a given state, the rule set may only react on event occurrences that are also accepted in the timed automaton in that particular state. As the exact behaviour of the timed automaton is transformed to a set of ECA rules, the behaviour of the rule set is implicitly analysed, since the analysed behaviour of the timed automaton is maintained during the transformation.

In the work of Ericsson (2002), a method was proposed for transforming a timed automaton specification to ECA rules. A proof of principle was performed as a case study; however, the transformations were application specific, and transformations from arbitrary specifications were not considered.

Recall that an active database may react on both primitive and composite event occurrences. A primitive event occurrence is defined by Ericsson (2002) to be transformed from the arrival at an external state in the timed automaton. However, the semantics of for example synchronization is transformed to a composite event, and in such cases the transformation must also consider the current context. This is because the same set of states and transitions in a timed automaton may be transformed to different types of composite events depending on the current context.

To gain in reased on den e in the proposed method, the equivalen e of mappings

between onstru ts in the timed automaton and the rule set must be further investigated

and veri ed, espe iallywith emphasis of omposite events in di erent ontext, whi h was


3.3 Aim and objectives

The aim of creating an entire CASE tool for generating a rule set from a timed automaton is out of the scope of this project. However, verifying the correctness of the transformation in some execution models and identifying patterns in the timed automaton specification which map exactly to occurrences of composite events in the rule set is a step forward towards such automation. In this project, a subset of the transformation constructs identified in Ericsson (2002) will be reconstructed to an application independent format before they are transformed into ECA rules, to increase the applicability of the proposed method to arbitrary specifications. The transformed subset will be expanded to also include transformations of the behaviour between patterns of timed automata and composite events in different contexts.

The aim of this project is to verify the correctness of transformations between a set of application independent constructs in timed automata and the resulting rules. The verified transformations will be a subset of the transformations performed in Ericsson (2002), expanded with transformations of composite events.

To reach the aim, the following objectives must be fulfilled:

Generalize transformations and identify limitations of transformations

In the previous case study, the transformations were only verified for one particular application. To be able to apply the method proposed in Ericsson (2002) to an arbitrary specification, a subset of the transformations found in the previous case study will be reconstructed to application independent constructs of timed automata before they are

