specifications and ECA rules
HS-IDA-MD-03-002
AnnMarie Ericsson
Submitted by AnnMarie Ericsson to the University of Skövde as a dissertation towards the degree of M.Sc. by examination and dissertation in the Department of Computer Science.
September 2003
I certify that all material in this dissertation which is not my own work has been identified and that no material is included for which a degree has already been conferred upon me.
Event-triggered real-time systems are desirable to use in environments where the arrival of events is hard to predict. The semantics of an event-triggered system is well mapped to the behaviour of an active database management system (ADBMS), specified using event-condition-action (ECA) rules. The benefits of using an active database, such as persistent data storage, concurrency control, timely response to event occurrences etc., highlight the need for a development method for event-triggered real-time systems using active databases.

However, there are problems left to be solved before an ADBMS can be used with confidence in real-time environments. The behaviour of a real-time system must be predictable, which implies a thoroughly analysed specification with e.g. specified worst case execution times. The predictability requirement is an obstacle for specifying real-time systems as ECA rules, since the rules may affect each other in many intricate ways, which makes them hard to analyse. The interaction between the rules implies that it is not enough to verify the correctness of single rules; an analysis must consider the behaviour of the entire rule set.

In this dissertation, an approach for developing active applications is presented. A method is examined which starts with an analysed high-level timed automaton specification and transforms the specified behaviour into an implicitly analysed rule set. For this method to be useful, the transformation from timed automata to rules must preserve the exact behaviour of the high level specification. Hence, the aim of this dissertation is to verify transformations between timed automaton specifications and ECA rules.

The contribution of this project is a structured set of general transformations between timed automata specifications and ECA rules. The transformations include both transformations of small timed automata constructs for deterministic environments and formally verified timed automata patterns specifying the behaviour of composite events in recent and chronicle context.
1 Introduction
1.1 ECA rules versus timed automata
1.2 Project approach
1.3 Results
1.4 Outline of this project
2 Background
2.1 Real-time systems
2.1.1 Event-triggered versus time-triggered systems
2.1.2 Real-time databases
2.2 Active databases
2.2.1 ECA rules
2.2.2 Composite events
2.2.3 Event consumption policies
2.2.4 Execution model
2.3 Active applications
2.3.1 Termination
2.3.2 Confluence
2.4.1 Proof of correctness
2.4.2 Benefits of formal methods
2.4.3 Formal schema for composite events
2.4.4 Finite-state machines and Finite automata
2.4.5 Timed automaton
2.4.6 Uppaal
2.5 Timed automata to ECA rules
3 Problem description
3.1 Active real-time database applications
3.2 Deriving active rules from timed automata
3.3 Aim and objectives
3.4 Limitation of project scope
4 Method
4.1 Generalize transformations and identify limitations of transformations
4.2 Specify composite events in timed automata
4.3 Formally verify equivalence of semantics
5 Verify transformations
5.1 Generalize transformations and identify limitations of transformations
5.1.1 Enter state
5.1.2 Transition assignments
5.1.3 Guards
5.1.4 Time constraints
5.2 Specifying patterns in timed automata
5.2.1 Conjunction
5.2.2 Disjunction
5.2.3 Sequence
5.3 Equivalence of semantics
5.3.1 Assumptions
5.3.2 Chronicle Context Predicate
5.3.3 Operator predicate
5.3.4 Verifying conjunction pattern
5.3.5 Verifying disjunction pattern
5.3.6 Verifying sequence pattern
6 Analysis
6.1 General transformations
6.1.1 Transforming constructs of timed automata from a deterministic environment
6.1.2 Limitations of transformations
6.1.3 Prerequisite for transformations
6.2 Composite events specified in timed automata
6.2.1 Applicability of timed automata patterns
6.2.2 Specification and implementation issues
6.3 Formally verify equivalence of semantics
6.3.1 Choice of formal notation
6.3.2 Equivalence of behaviour
7.1 Project summary
7.2 Discussion
7.2.1 High level specification
7.2.2 Transformation issues
7.2.3 Resulting rule set
7.3 Project conclusion
7.4 Contributions
Introduction

Event triggered real-time systems, which are exposed to sporadic and aperiodic event occurrences, may take advantage of the ability to handle reactive behaviour in an active database management system (ADBMS). In traditional database systems, the semantics of monitoring changes in the database is distributed, replicated and hidden in different applications using the database. In contrast, the reactive behaviour of an ADBMS is moved from the applications into the ADBMS, making it possible to monitor and react to specific event occurrences in a centralized and timely manner (Paton & Diaz 1998).
1.1 ECA rules versus timed automata

The behaviour of an active database is often specified as a set of low-level executable ECA (Event, Condition, Action) rules, where an event triggers an action if a certain condition is true. However, the ability to specify a large real-time system, with high predictability requirements, using the ECA rule paradigm is limited due to the difficulty of analyzing the behaviour of a large rule set.
with each other in many intricate ways. An executing rule may for example trigger another rule, which updates some data objects that in turn cause the original rule to be triggered. Behaviours like this can form an infinite loop of cascade triggering that causes a non-terminating behaviour. Another problem is to determine if the set of rules is confluent, i.e. whether the outcome of simultaneously fired rules is independent of the order in which the rules were executed. If the rule set is not confluent, there may be different kinds of race conditions, where the outcome of the condition evaluation (or action execution) of two simultaneously triggered rules depends on the order in which their conditions were evaluated or the order in which their actions were executed (Paton & Diaz 1998).

The difficulty of analyzing the behaviour of a set of ECA rules is an obstacle for using active databases to develop active real-time applications. Real-time systems are required to respond to external stimuli within a finite and known time period. The correctness of a real-time system depends not only on its logical correctness, but also on its ability to meet its specified time constraints. The requirement on predictable response times is hard to fulfil, as the rule base is on too low a level of abstraction to be thoroughly analyzed. There is also very limited access to CASE tools supporting the area of ECA rule development.

Since real-time systems are frequently used for monitoring and controlling objects in environments where failures may lead to a disaster, the use of formal methods is desirable in the specification phase of such systems. Formal methods are based on mathematics, and the benefit of using them is that the specifications produced are unambiguous. It is also possible to prove that certain characteristics are met in the system and that the implementation of the system meets its specification. An example of a formal method which is designed to handle the modelling of real-time systems is timed automata, which is a finite automaton extended with a set of clocks (Alur & Dill 1994). If a system is specified using timed automata, it is possible to verify characteristics like absence of deadlock, and model checking capabilities may be used for automatic verification of such characteristics. One CASE tool developed for this purpose is Uppaal (Larsen, Pettersson & Yi 1997), which also provides the possibility of graphical simulation of timed automata models.
1.2 Project approach

The desire to use active databases in real-time systems is one of the issues which highlight the need for a systematic method for developing an analysed set of active rules with predictable behaviour. Our assumption is that transforming executable ECA rules from a formally verified specification, such as timed automata, preserving the specified behaviour during the transformation to rules, results in an implicitly analysed set of rules. This requires that the exact behaviour of the formal model is transformed; no additional behaviour that affects the operation of the system is allowed to be introduced during the transformation. It is also desirable that it is possible to reverse engineer the formal model from the rule set.

The high level aim of this project is to take advantage of an analysed formal specification and transform its behaviour into active rules. This is not a new idea; it is the same idea as transforming a C++ implementation to assembler, and the approach has been used in previous projects concerning ECA rules, for example Berndtsson, Chakravarthy & Lings (1997), who explore the ability to derive ECA rules from finite automata, and Falkenroth & Törne (1999), who have constructed a compiler for this purpose. The uniqueness of this project compared to the previous approaches is the focus on real-time systems, as well as the use of a high level specification language with the ability to express timeliness requirements.

Since constructing an entire rule compiler does not fit into the time frames of this
automata and ECA rules. Besides adding time constraints to the transformation process, the focus on real-time systems is used as an argument for limiting the scope of the target execution model in this project.
1.3 Results

The result of this project is a set of transformations from different timed automata constructs to rules. Constructs of timed automata that are hard to transform into rules are also identified and alternative solutions are suggested. To facilitate specification and transformation of composite event occurrences, the behaviour of composite events in recent and chronicle context is specified as timed automata patterns. The behaviour of composite events is also expressed as regular expressions where it is possible, which will facilitate the identification of a composite event in an arbitrary timed automaton specification. The timed automata patterns of composite events for chronicle context are formally verified to have the same behaviour as the composite events in the rule set for any sequence of inputs.
1.4 Outline of this project

Chapter 2 gives a background about theories behind timed automata and active rules, as well as a brief introduction to real-time systems, active databases, formal methods, timed automata, Uppaal and DeeDS. A method for transforming rules between timed automata and ECA rules developed by Ericsson (2002) is presented as well, since the work in this project is based upon this transformation method.

In chapter 3 a problem description is given, as well as a presentation of the aim specified for this project and the objectives identified to reach this aim. In chapter 4 the method used
of the results are presented. Chapter 7 presents a summary of results, discussion around
Background

The following sections give the background knowledge required to understand the problem to be solved and the concepts used in the result part of this dissertation.

2.1 Real-time systems

Besides being logically correct, a real-time system must also meet its timeliness requirements. The system must be able to answer external stimuli within a specified time period, as well as meeting requirements on possible delay times.

Depending on the consequences of missing a deadline, real-time systems may be classified into hard (hard essential and hard critical), firm and soft real-time systems. In a hard real-time system the consequences of missing a deadline are catastrophic, leading to considerable damage, e.g. loss of human lives (hard critical) or considerable economic loss (hard essential). In firm real-time systems the consequence of missing a deadline is the loss of service, and in a soft real-time system a task that has missed its deadline may still produce some value to the system (Eriksson 1997).
a system has predictable response times and is sufficiently efficient. This implies that each task in the system must have predictable and sufficient resource requirements (e.g. memory, bandwidth etc.).
2.1.1 Event-triggered versus time-triggered systems

Depending on how the system interacts with its environment, there are two main design approaches to use in the area of real-time systems (Kopetz & Verissimo 1993). In hard real-time systems, where the environment is monitored in time periods, the time triggered approach is most common. In every period the system checks the state of the environment and, depending on the current state of the environment, takes the appropriate action. The advantage of the time triggered approach is that it can be thoroughly analysed a priori. The worst case execution times of the system can be specified, resulting in a system with predictable response times on each task. The main disadvantages are that the system always allocates resources according to its specified worst case behaviour, even in cases where the average resource usage is much less, and that sporadic tasks are hard to handle. It is also the case that not all systems lend themselves to the thorough a priori analysis that is required in time-triggered systems. There may be too little knowledge about the system's behaviour a priori, for example if the system is monitoring an unpredictable environment.

The other major design approach for real-time systems is the event triggered approach, where the system is required to handle events occurring at any time. Such systems are idle (or e.g. performing some background task) waiting for an event to occur, and as an event occurs, the system immediately responds to it. Event triggered systems are harder to analyse than time triggered systems, since there is an almost infinite number of possible different execution traces in event triggered systems. This makes it hard to calculate the
guarantee. The advantage of event triggered systems is that they can handle a variety of tasks whose execution order is not known a priori. In contrast to time triggered systems, they can handle overload situations without falling apart. In this dissertation, the event triggered approach is assumed as far as real-time systems are concerned.
2.1.2 Real-time databases

There are several features supplied by a database management system that are advantageous to use in real-time applications. Specifically, a database schema helps to avoid redundancy of data and its description, and transaction support ensures correctness of concurrent transaction executions and ensures data integrity maintenance, even in the presence of failures, etc. (Ramamritham 1993).

However, real-time systems often have high predictability requirements. Their worst case execution times and resource usage must be known. Unfortunately, the use of databases adds a number of sources of unpredictability. According to Ramamritham (1993) the execution traces of transactions can depend on the data values, transactions can abort resulting in rollbacks and restarts, there may be data and resource conflicts, and there may be unpredictable I/O requests.

A second problem is to keep the data in the database consistent with the controlled environment, since real-time systems are frequently used to control an environment external to the system, for example robots in a factory. In such scenarios it is important that the internal state of the system is consistent with the corresponding external state of the controlled environment. Otherwise the consequences may be disastrous. Imagine for example the consequences if a system is controlling a robot which moves towards an expensive target at high speed. The robot's actual distance to the target is 5 centimetres, but according to the system state the distance is 10 centimetres. The robot will probably
and the robot. This exemplifies the importance of keeping the system consistent with the environment, and that some data, for example distances, are only valid for a specific period of time. This implies that such systems have timing constraints arising from the need to continuously track the environment; however, timing constraints also arise because of the need to make data available to the controlling system for its decision making activities (Ramamritham 1993).
2.2 Active databases

Traditional database management systems (DBMS) are passive, meaning that they do not automatically react to changes in the database. In such systems a request (for example an update or a query) is only executed if it is explicitly raised by an application using the database. An active database, on the other hand, automatically reacts to specific changes in the system and performs some predefined action as these changes occur.

If it is desirable to use active behaviour in a passive database system, there are two possible approaches to achieve this. Either the active semantics is implemented in each application using the database, or a polling mechanism is used to periodically check the database for changes. However, if the active behaviour is implemented in each application, the monitoring functionality is distributed, replicated and hidden among different applications. This is likely to be a problem when it comes to system maintenance. Using the polling mechanism makes it possible to represent the semantics in one single place. However, the frequency with which the database is polled is a problem here. Polling the system too often causes unnecessary load, while polling too seldom causes the risk of missing that
2.2.1 ECA rules

In an active database system the reactive behaviour is moved from the application (or polling mechanism) into the database management system. In this way the reactive behaviour is centralized and handled in a timely manner (Paton & Diaz 1998).

The behaviour of a system may be specified using active rules, described as ECA rules. ECA rules consist of up to three components: events, conditions and actions. The event part specifies the event occurrence on which the rule is triggered. The condition specifies a condition which must be true for the action to be executed, and the action part specifies which action is to be performed when the event has occurred and the condition has evaluated to true. If the event part is left out, the resulting rule is a production rule (CA), and if the condition part is missing, the resulting rule is an event-action (EA) rule.

The event part of the ECA rule may be primitive or composite. A primitive event occurrence is something that happens at a point in time and is raised by a single occurrence, for example an update in the database, a specified clock time, or an external event occurrence raised by a happening outside the database. A composite event is raised by a combination of primitive or composite events. The occurrence of an event can be described as a predicate. The $O(E,[t,t'])$ predicate introduced by Galton & Augusto (2001) is true if an event $E$ has occurred that starts at time $t$ and terminates at time $t'$. In this dissertation, the notation $o(E,[t,t'])$ introduced by Mellin (2003) will be used instead of $O(E,[t,t'])$, since $O$ can be confused with the big-oh notation for algorithmic complexity. Formally, the interval function $[t,t']$ states that $\mathit{start}([t,t']) = t$, $\mathit{end}([t,t']) = t'$ and $|[t,t']| = t' - t$.
2.2.2 Composite events

A composite event type may be combined by different operators, like for example conjunction, disjunction or sequence. The following models describe the occurrence of composite events formally (Galton & Augusto 2001). $G$ is a model of the history of events that have occurred.

Primitive event occurrence

Let $G$ be a model such that:

$G \models o(E,[t,t])$ iff $\mathit{prim}(E)$ and such an event type has occurred at time $t$.

In other words, a primitive event of type $E$ has occurred.

Disjunction ($\bigtriangledown$)

The disjunction operator can for example be used to specify that the composite event $E$ occurs if an event of type $E_1$ or $E_2$ occurs within a specified time period.

$G \models o(E_1 \bigtriangledown E_2,[t,t'])$ iff $o(E_1,[t,t']) \vee o(E_2,[t,t'])$

Sequence (;)

The sequence operator can be used to specify that a composite event of type $E$ occurs if a set of other events occur in a specified sequence. The following model expresses that the composite event of type $E$ is raised if an event of type $E_1$ occurs before an event of type $E_2$ and that both event occurrences occur within the time period that starts with $t$ and

$G \models o(E_1 ; E_2,[t,t'])$ iff $\exists t_1 \le t_2\,\big(o(E_1,[t,t_1]) \wedge o(E_2,[t_2,t']) \wedge (t_1 - t > 0 \vee t' - t_2 > 0)\big)$

Conjunction ($\bigtriangleup$)

The conjunction operator can for example be used to specify that a composite event of type $E$ is raised if there is an occurrence of event $E_1$ and $E_2$ within a specified time period.

$G \models o(E_1 \bigtriangleup E_2,[t,t'])$ iff $\exists [t_1,t_2]\,\big((o(E_1,[t,t_1]) \wedge o(E_2,[t_2,t'])) \vee (o(E_2,[t,t_1]) \wedge o(E_1,[t_2,t'])) \vee (o(E_1,[t,t']) \wedge o(E_2,[t_1,t_2]) \wedge t \le t_1 \wedge t_2 \le t') \vee (o(E_2,[t,t']) \wedge o(E_1,[t_1,t_2]) \wedge t \le t_1 \wedge t_2 \le t')\big)$

Non-occurrence ($N$)

The non-occurrence event occurs if there is no event occurrence of a specified event between the occurrences of two other specific events. In the example below, there is a non-occurrence of an event of type $E_2$ if an occurrence of type $E_2$ does not occur in the interval opened by the occurrence of an event of type $E_1$ and closed by the occurrence of an event of type $E_3$.

$G \models o(N(E_1,E_2,E_3),[t,t'])$ iff $\exists [t_1,t_2]\,\big(o(E_1,[t,t_1]) \wedge o(E_3,[t_2,t'])\big) \wedge \forall [t_3,t_4]\,\big((t_1 \le t_3 \wedge t_4 \le t_2) \rightarrow \neg o(E_2,[t_3,t_4])\big)$
2.2.3 Event consumption policies

As a composite event is detected, there may be several different event occurrences of the same event type that can be used to form the composite event. An event may carry
at the event occurrence. Since parameters carried by event occurrences of the same type may be different, causing different results, it is important to consume event occurrences according to a predefined policy. Some frequently used consumption policies are recent, chronicle, continuous and cumulative. The different consumption policies can also be denoted as recent, chronicle, continuous and cumulative parameter contexts, as described in Chakravarthy & Mishra (1994), which will be used instead of consumption policy in this report.

Each composite event has a terminator and an initiator event. The initiator event initiates the detection of the composite event occurrence and the terminating event terminates the event composition. If for example the composite event is a sequence of type $E = E_1 ; E_2 ; E_3$, then $E_1$ is the initiator and $E_3$ is the terminator type for this specific composite event. Depending on which context is concerned, the initiator and terminator have different meanings. An occurrence of a terminator event in the continuous context may for example raise several instances of a composite event type, while only one instance is raised by the same event sequence in the chronicle context.

In the continuous context, a composite event is initiated each time an initiating event (an event that starts the detection of the composite event) occurs, and the cumulative context accumulates all the primitive events until the composite event is raised (Paton & Diaz 1998).

This project focuses on real-time systems and will only cover recent and chronicle context. Recent context is useful when, for example, the pressure and temperature of a liquid in a tank are measured. To discover hazardous situations, the pressure must not exceed a certain value while the temperature is above a threshold value. For the measurements to be useful, only the most recent values are interesting. Chronicle context, on the other hand, is useful when the order of occurrence is important. It may for example be useful if two sensors
time stamp of the first sensor should be matched with the earliest unused time stamp of the second sensor to calculate the average speed of a certain train.
Recent context

In recent context, the most recent set of event occurrences is considered. Each terminator raises a composite event occurrence, even if some of the event occurrences it contains have taken part in another instance of a composite event. As an illustrating example, let $E_1$, $E_2$ and $E_3$ be primitive event types. $E_4$ is a composite event type whose instance is raised by the occurrence of events of type $E_2$ and $E_3$ ($E_4 = E_2 \bigtriangleup E_3$), and $E_5$ is a composite event type raised by the occurrence of an event of type $E_1$ and $E_2$ in a sequence ($E_5 = E_1 ; E_2$). In an example scenario, events of type $E_1$ occur at times $t_1$ and $t_2$, at time $t_3$ an event of type $E_2$ occurs, followed by an event of type $E_3$ at time $t_4$ and an event of type $E_2$ at time $t_5$, where $t_1 < t_2 < t_3 < t_4 < t_5$. The composite events $E_4$ and $E_5$ are raised as in Figure 2.1.

The first instance of type $E_4$ is raised as an event of type $E_3$ occurs for the first time, because then there is an occurrence both of type $E_2$ and of type $E_3$ in the event history. As an event of type $E_2$ occurs for the second time, a new instance of event type $E_4$ is raised, since there already is an event of type $E_3$ in the event history. Both type $E_2$ and type $E_3$ are terminators in this composite event, and each time a new event of type $E_2$ (or $E_3$) occurs, an event of type $E_4$ will also be raised if there is a prior instance of $E_3$ (or $E_2$) in the event history. As a new primitive event occurs in recent context, the old instance of this event is overwritten and only the most recent occurrence is saved.

For the composite event of type $E_5$ to be raised, the primitive event occurrence of type $E_2$ must be raised after an event of type $E_1$. This means that only $E_2$ is a terminator type in the composite event of type $E_5$, and a new instance of type $E_5$ will be raised whenever there is an occurrence of type $E_2$ after an event occurrence of type $E_1$.

Figure 2.1: Occurrence of event $E_4 = E_2 \bigtriangleup E_3$ and $E_5 = E_1 ; E_2$ in recent context

In Figure 2.1 the event of type $E_5$ is raised both times the event of type $E_2$ occurs.
Chronicle context

In chronicle context, event occurrences are consumed in chronicle order and each event occurrence participates in only one composite event instance of each type. An event occurrence is invalidated if it is not of interest for any composite event. If events occur in an identical sequence as in the previous example, the composite events of type $E_4$ and $E_5$ are raised according to Figure 2.2. As opposed to the recent context, the second occurrence of type $E_2$ does not raise an occurrence of type $E_4$, since the earlier occurrence of type $E_3$ is consumed by a previous instance of $E_2 \bigtriangleup E_3$. The occurrences of type $E_5$ will use the earliest unused occurrence of $E_1$ instead of the most recent as in the previous example.
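The scenario of Figures 2.1 and 2.2, replayed in code so that the two contexts can be compared on the same history. This is an added example, not code from the dissertation or from DeeDS: the integer time stamps 1 to 5 standing in for $t_1 < \ldots < t_5$, the history list and the BinaryDetector class are constructed here for illustration, and event parameters are left out so that only time stamps are matched. Each raised composite occurrence is reported as (type, start, end), with start the earliest constituent time stamp and end the terminator's.

```python
"""Composite event detection in recent and chronicle context.

Added example, not code from the dissertation. It replays the constructed
scenario of section 2.2.3 (E1 at t=1 and t=2, E2 at t=3, E3 at t=4, E2 at
t=5) through two binary detectors, E4 = E2 conjunction E3 and E5 = E1 ; E2,
and reports each raised composite occurrence as (type, start, end), where
start is the earliest constituent time stamp and end the terminator's.
Event parameters are omitted; only time stamps are matched.
"""
from collections import deque

# Constructed sample history of primitive occurrences (type, time), in order.
HISTORY = [("E1", 1), ("E1", 2), ("E2", 3), ("E3", 4), ("E2", 5)]


class BinaryDetector:
    """Detects name = left OP right, with OP "and" (conjunction) or "seq".

    recent:    only the most recent occurrence of each constituent type is
               kept, and it is not consumed when a composite is raised.
    chronicle: unused occurrences are queued in arrival order, the earliest
               unused one is paired with the terminator, and both are consumed.
    """

    def __init__(self, name, left, op, right, context):
        assert op in ("and", "seq") and context in ("recent", "chronicle")
        self.name, self.left, self.op, self.right = name, left, op, right
        self.context = context
        self.pool = {left: deque(), right: deque()}

    def feed(self, etype, time):
        """Offer one primitive occurrence; return a raised composite or None."""
        if etype not in self.pool:
            return None
        if self.context == "recent":
            self.pool[etype].clear()      # the old instance is overwritten
        self.pool[etype].append(time)
        other = self.right if etype == self.left else self.left
        # In a sequence only the right-hand type terminates; in a conjunction
        # both types do, provided the other constituent is already present.
        if self.op == "seq" and etype != self.right:
            return None
        if not self.pool[other]:
            if self.op == "seq" and self.context == "chronicle":
                self.pool[etype].pop()    # terminator without initiator: of no further interest
            return None
        partner = self.pool[other][0]     # earliest unused, or the single most recent
        if self.op == "seq" and not partner < time:
            return None
        if self.context == "chronicle":
            self.pool[other].popleft()    # each occurrence takes part in one instance only
            self.pool[etype].pop()
        return (self.name, min(partner, time), time)


def replay(history, context):
    """Run E4 = E2 and E3 and E5 = E1 ; E2 over a history in one context."""
    detectors = [
        BinaryDetector("E4", "E2", "and", "E3", context),
        BinaryDetector("E5", "E1", "seq", "E2", context),
    ]
    raised = []
    for etype, time in history:
        for detector in detectors:
            hit = detector.feed(etype, time)
            if hit is not None:
                raised.append(hit)
    return raised


if __name__ == "__main__":
    for ctx in ("recent", "chronicle"):
        print(ctx, replay(HISTORY, ctx))
```

In recent context the replay raises $E_4$ twice (at $t_4$ and $t_5$) and $E_5$ twice, both instances reusing the $E_1$ occurrence at $t_2$; in chronicle context $E_4$ is raised once, because the $E_3$ occurrence is consumed at $t_4$, and the two $E_5$ instances consume the $E_1$ occurrences at $t_1$ and $t_2$ in order, as Figures 2.1 and 2.2 describe.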
2.2.4 Execution model

The types of events, operators and contexts available belong to the knowledge model of the ADBMS. The knowledge model describes what can be said about the rules in an active

Figure 2.2: Occurrence of event $E_4$ and $E_5$ in chronicle context

by the execution model of the active database. The execution model describes, among other things, which coupling modes are used, transition granularity, net effect policy and cycle policy. The cycle policy determines what happens when an event occurrence is signalled by the evaluation of a condition: the executing rule may either be interrupted by the signalled rule, or continue to execute, causing the newly triggered rule to wait. The transition granularity determines whether a rule is triggered by a set or a tuple of event occurrences, and the net effect policy determines whether an event occurrence concerns single occurrences (e.g. update) or whether the net effect of several occurrences should be considered (e.g. only delete if update is followed by delete on the same data item) (Paton & Diaz 1998).

The coupling modes determine when the condition is evaluated with respect to the event occurrence and when the action is executed with respect to the evaluation of the condition. The most frequently supported options for coupling modes are: immediate, where the condition is evaluated immediately after the event occurrence (action executed
(executed) in the same transaction as the event occurrence although not necessarily immediately, and detached, where the condition (action) is evaluated (executed) in a different transaction (Paton & Diaz 1998).

The semantics of an active rule depends on the execution model of the ADBMS in which it is processed. This means that the same rule can behave differently in different ADBMSs, which makes it important to take the target execution model into account when analysing the behaviour of a set of active rules.
2.3 Active applications

One of the main problems with the use of active rules is the difficulty of analysing the behaviour of an application implemented as a set of rules. The rules may depend on each other in ways that are hard to predict and hard to analyse. It may for example be important to restrict the order in which the conditions of simultaneously triggered rules are evaluated, since the condition evaluation of one rule may affect the outcome of the condition evaluation of another rule.
2.3.1 Termination

A rule cascade occurs as the processing of one rule action triggers another rule. If the cascade triggering forms a circle as shown in Figure 2.3, there are no guarantees that the set of rules will terminate. (In Figure 2.3 the processing of rule R1 triggers rule R2, which in turn triggers rule R3, which triggers rule R1, and a rule cascade circle is formed.)

The cascade of rule triggerings may not be due only to the action of one rule triggering another rule. Consider the case where the action of rule R1 causes the condition of a

Figure 2.3: Example of nonterminating cascade triggering (R1 triggers R2, R2 triggers R3, R3 triggers R1)

first rule (R1) which satisfied the condition of rule R2 is partly responsible for the cascade triggering. This implies that it is not sufficient to study isolated effects of rule actions, since in isolation these rules would not have caused a cascade, but their combined effect may cause rule cascades. An accurate capture of cascades must involve an investigation of complete rule sets in combination with possible sequences of database states, external updates, and rule processing semantics (Falkenroth 2000, p. 151).

According to Vaduva (1999, p. 69) there are three possible ways to solve the termination problem. Firstly there is a run time solution which handles the termination problem during the execution of the rules. In this solution, the system assumes that infinite cascade triggering is taking place, and terminates the execution of rules if a certain number of rules are triggered. The drawbacks of this solution are that a set of rule triggerings might be terminated although it was performing perfectly correctly; on the other hand, an incorrect circular triggering may unnecessarily run until the bound on rule triggerings is reached. The second solution for the termination problem is to impose significant syntactic limitations on rule specification. However, this reduces the expressive power of the rule specification language. Thirdly, the rule set may be analysed to detect subsets of rules whose behaviour may lead to non-termination. These rules must be modified, and the termination analysis must be restarted. This is an iterative process performed until a terminating rule set can
However, a complete prediction of the interactions in a set of ECA rules is identified by both Vaduva (1999, p. 83) and Falkenroth (2000) to be an undecidable problem. It is impossible to assert with certainty whether an interaction between rules will take place considering all database states and all possible action statements. This is why the approach for solving this problem has to contain some restriction or simplification of the problem, for example to exclude the state of the database from the analysis, or to raise the abstraction of the analysis, as performed in Vaduva (1999).

An important note is that non-termination is not always an undesired property. As already pointed out by Falkenroth (2000, p. 172), there are systems with cyclic behaviour in which non-termination is defined as correct, and consequently the correctness of a rule set is application dependent. This means that rule set properties which are correct in one application may be incorrect in another application and vice versa.
2.3.2 Confluence
In a set of ECA rules which are triggered simultaneously, there might be dependencies between the rules, causing non-deterministic behaviour of the system. The reason for this is that the outcome of the execution of two simultaneously triggered rules may depend on the order in which the condition parts of the rules were evaluated, or the order in which their action parts were executed (Paton & Diaz 1998). This is because the condition evaluation or action execution of rule R1 may affect the outcome of the condition evaluation or action execution of rule R2, and vice versa.
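The three termination strategies of section 2.3.1 and the confluence problem above can be made concrete on a toy rule set. The following Python program is an added example written for this section, not code from the dissertation or from any ADBMS; the rules R1 to R4, their events and the database contents are constructed for illustration. It builds the triggering graph of the rule set and reports the rules lying on a cycle (the third approach to termination), runs a cascade with a bound on the number of rule triggerings (the first approach), and tests confluence of simultaneously triggered rules by executing them in every order and comparing the resulting database states.

```python
from itertools import permutations

# A rule is triggered by one event type; its action updates the shared
# database (a dict) and returns the events it raises.  The "raises" field
# states statically which events the action can raise, for graph analysis.

def r1_action(db):
    db["x"] += 10
    return ["e_b"]          # e_b triggers R2 ...

def r2_action(db):
    db["x"] *= 2
    return ["e_a"]          # ... whose action raises e_a, which triggers R1 again

def r3_action(db):
    db["y"] = 1
    return []

def r4_action(db):
    db["z"] = db["x"]       # reads x, so its outcome depends on whether R1 ran first
    return []

RULES = {   # constructed example rule set
    "R1": {"event": "e_a", "raises": ["e_b"], "condition": lambda db: True,        "action": r1_action},
    "R2": {"event": "e_b", "raises": ["e_a"], "condition": lambda db: db["x"] > 0, "action": r2_action},
    "R3": {"event": "e_c", "raises": [],      "condition": lambda db: True,        "action": r3_action},
    "R4": {"event": "e_a", "raises": [],      "condition": lambda db: True,        "action": r4_action},
}

def triggering_graph(rules):
    """Edge Ri -> Rj whenever an event raised by Ri's action triggers Rj."""
    graph = {name: set() for name in rules}
    for src, rule in rules.items():
        for ev in rule["raises"]:
            graph[src].update(dst for dst, other in rules.items() if other["event"] == ev)
    return graph

def rules_on_cycles(graph):
    """Rules that can transitively trigger themselves (third approach: static
    analysis).  A rule lies on a cycle iff it is reachable from one of its own
    successors; these are the rules that would have to be modified."""
    def reachable(start):
        seen, stack = set(), [start]
        while stack:
            n = stack.pop()
            if n not in seen:
                seen.add(n)
                stack.extend(graph[n])
        return seen
    return {n for n in graph if any(n in reachable(m) for m in graph[n])}

class TriggerBoundExceeded(Exception):
    """Raised when the run-time bound on cascaded triggerings is hit."""

def run_cascade(rules, db, event, bound):
    """Execute rules in cascade from `event` (first approach: a bound on the
    number of rule triggerings).  Returns the list of rules fired."""
    queue, fired = [event], []
    while queue:
        ev = queue.pop(0)
        for name, rule in rules.items():
            if rule["event"] != ev:
                continue
            if len(fired) >= bound:
                raise TriggerBoundExceeded(fired)
            fired.append(name)
            if rule["condition"](db):
                queue.extend(rule["action"](db))
    return fired

def is_confluent(rules, names, db):
    """Execute the simultaneously triggered rules `names` in every order and
    compare the resulting database states; the set is confluent iff all
    orders agree.  Events raised by the actions are ignored here."""
    outcomes = set()
    for order in permutations(names):
        state = dict(db)
        for n in order:
            if rules[n]["condition"](state):
                rules[n]["action"](state)
        outcomes.add(tuple(sorted(state.items())))
    return len(outcomes) == 1

if __name__ == "__main__":
    db = {"x": 1, "y": 0, "z": 0}
    print("triggering graph:", triggering_graph(RULES))
    print("rules on a cycle:", rules_on_cycles(triggering_graph(RULES)))
    print("cascade from e_c:", run_cascade(RULES, dict(db), "e_c", bound=10))
    try:
        run_cascade(RULES, dict(db), "e_a", bound=5)
    except TriggerBoundExceeded as exc:
        print("cascade from e_a aborted after", exc.args[0])
    print("R1,R4 confluent:", is_confluent(RULES, ["R1", "R4"], db))
    print("R1,R3 confluent:", is_confluent(RULES, ["R1", "R3"], db))
```

The static analysis flags R1 and R2, which trigger each other through e_a and e_b, while the bounded cascade from e_a is cut off after five triggerings whether or not it would have terminated on its own; that is exactly the trade-off described for the first approach. R1 and R4 are both triggered by e_a and are not confluent, since R4 copies x before or after R1 has incremented it.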
The termination and confluence properties are important characteristics of a set of active rules, and they are given a lot of attention in the research area of active rules. There are different approaches to tackling these problems; Comai & Tanca (2003), for example, translate the rule set of any ADBMS into an internal language and logical clauses, proving
Tanca (2003) takes the semantic differences in different execution models into account. These differences may cause a rule to behave differently depending on which ADBMS it is executed in.
2.3.3 A Distributed Active Real-time Database System (DeeDS)
The implementation of ECA rules varies in syntax and semantics. In some cases, the semantics of a rule is easy enough to be expressed in general terms and then transformed to the exact syntax of the actual ADBMS. However, in cases where for example time is considered, and event occurrences are triggered relative to each other, it is beneficial to use an existing ADBMS as a framework for transformations. In this project, the ECA rules introduced in the rule manager of DeeDS (Andler, Berndtsson, Eftring, Eriksson, Hansson & Mellin 1995) will be used in cases where a specific framework is needed. The framework could be any commercial or academic ECA syntax supporting timeliness; however, the timeliness requirement is likely to require some extended form of ECA rules, which is specific for each database. In DeeDS, it is possible to specify temporal attributes, for example deadlines and execution times, in the extended form of ECA rules proposed by Eriksson (1998).
Since predictability is an important characteristic in real-time systems, the only coupling mode allowed in DeeDS is detached. If the action is allowed to execute in the triggering transaction, the execution time of the triggering transaction will vary depending on whether the action part of the rule is executed and, in that case, on the execution time of the action. To be sure that the execution time of the transaction is not changed, the action
2.4 Formal methods
The software developed today is becoming more and more complex and is used in increasingly critical situations. The correctness of computer systems is becoming a dominant issue for a large class of applications, and one approach to gaining higher confidence in a system is to use formal methods. However, it is important to understand that formal methods are not a silver bullet for developing perfect software. According to Hall (1990) their most fundamental limitations arise from two facts: some things can never be proven, and we can make mistakes in the proofs of the things we can prove.
Since the real world is not a formal system, a proof does not show that things in the real world will happen as you expect. You can never be sure that your specifications are correct, no matter how much you prove about them. However, even though the use of formal methods does not give any absolute guarantee of system correctness, formal specifications are better at exposing mistakes than informal specification methods. It is also the case that when an error is exposed, people are more ready to agree that it is an error than in an informal specification, where it is sometimes not clear what is being said (Hall 1990).
2.4.1 Proof of correctness
Although it is not possible to prove the correctness of the specification with respect to the real world, some things actually can be proven. Using a specification based on mathematics makes it possible to demonstrate that one formal statement follows from another, and this is how a proof is conducted. However, even if there is a successful proof showing that the implementation corresponds to the specification, the behaviour of the system is affected by three factors limiting the usefulness of the proof: the behaviour of the programming
are crucially important for safety-critical systems, which implies that the proof must be complemented with systematic testing methods, especially for non-functional properties such as timeliness.
2.4.2 Benefits of formal methods
Any high quality system must meet both its functional and non-functional requirements. Even if it is possible to catch and correct errors and deviations from the specification in the last phases of a system development project, it might be very expensive to correct errors in the late stages of a development process. This implies that a fault avoidance technique like formal methods, which has a high probability of catching errors in the early stages of the development process, might reduce the total development cost due to less effort spent on testing and correcting expensive errors.
The process of showing that the system satisfies its specification is named system verification. To be able to perform a formal verification of a system, including formal proofs, a formal specification is needed (Wing 1990). However, since the specification itself might be wrong, the use of formal methods must be complemented with testing. The validation of a system is mainly concerned with the issue of testing and debugging. However, formal specifications can also be used in the testing phase, to generate test cases, reducing the time spent on testing.
2.4.3 Formal schema for composite events
The state of a system which is implemented using active rules can be represented as histories of event occurrences. In such models, each update of an event history (each time an event occurs) causes a change of state. In Mellin & Andler (2002) and Mellin
used in this dissertation as a base for proving equivalence of the behaviour between timed automaton specifications and occurrences of composite events. The reason for choosing the schema presented in Mellin & Andler (2002) is that it takes the processing of events into account, and it is possible to compare the behaviour of operators in different contexts.
The schema presented in Mellin & Andler (2002) is based on set theory, where state transformations are based on event occurrences and operator rules. For each operator in each context, a rule is formally formulated based on the set of occurred events, and when the precondition of the operator rule is true, a composite event is raised. Each operator maintains a history of used and invalidated event occurrences for that operator, represented as sets. An event is used when the event occurrence has been used to contribute to a composite event, and it is invalidated when it can not be used to form a composite event occurrence. In chronicle context, a used event is a consumed event that can not be used to form a new composite event, while a used event in recent context may contribute to several other composite event occurrences.
The current state is the state of all event histories, so an occurrence of a monitored event causes a change in the event histories and hence causes a change of state. The inference system presented by Mellin & Andler (2002), and described in short in this section and in section 5.3, is a rule based transformation between states.
Event occurrences
An event of type E may be primitive, denoted prim(E), or composite. Axioms stated for the event schema described in Mellin & Andler (2002) are that primitive event occurrences are instantaneous and that there are no simultaneous occurrences of primitive events of the same type.
A composite event occurrence is composed of other event occurrences and may occur
$start(span(\gamma))$ is the time of occurrence of the initiator event and $end(span(\gamma))$ is the time of occurrence of the terminator event of the event occurrence $\gamma$. The relation $\gamma(E, [t, t'])$ is used to describe that an event of type $E$ has occurred in the time interval $[t, t']$.
The relation between initiators/terminators and the composite event they have initiated or terminated is described as an ordered pair $\langle \gamma', \gamma \rangle$, where $iot(\langle \gamma', \gamma \rangle)$ gives the set of $\gamma'$, where $\gamma'$ is either the initiator or the terminator of the composite event occurrence $\gamma$. The subscript $\omega$ is used to denote terminators and $\iota$ is used to denote initiators.
Event types
The set of all monitored event types is denoted $E_m$. The set of event types that can initiate a composite event is denoted $E_\iota$, while the set of event types that can terminate a composite event is denoted $E_\omega$.
Occurrence histories
The generated set $G$ contains the history of all primitive and composite events that have occurred so far. Each time a primitive or composite event occurs, it is inserted in the set $G$:
$\forall \gamma \in G\,(end(span(\gamma)) \le now)$
As an event is used or invalidated, it is inserted in the set of used or invalidated events for that event type: $U_\iota(E)$ is a set of $\langle \gamma', \gamma \rangle$ for $E$ where $\gamma'$ is the used initiator; $U_\omega(E)$ is a set of $\langle \gamma', \gamma \rangle$ for $E$ where $\gamma'$ is the used terminator; $I_\iota(E)$ is a set of invalidated initiator occurrences of type $E$; and $I_\omega(E)$ is a set of invalidated terminator occurrences of type $E$. The tuple $(U_\iota(E), U_\omega(E), I_\iota(E), I_\omega(E))$ describes the state of each $E$.
Let $s_0, s_1, \ldots, s_n$ represent the history of states of event composition; then $s_i$ is the set of operator states. That is, $s_i$ is defined as $G, \bigcup_E (U_\iota(E), U_\omega(E), I_\iota(E), I_\omega(E))$. In other words, the state $s_i$ is the event history $G$ together with all used and invalidated event histories for all monitored event types. Each operator type has a set of operator rules that transforms $s_i$ into $s_j$.
Example. Assume $G = \{\gamma(E_1,[1,1]), \gamma(E_1,[2,2]), \gamma(E_2,[3,3]), \gamma(E_2,[4,4]), \gamma(E_2,[5,5])\}$.
The composite event type $E = E_1;E_2$ is monitored in chronicle context, the set of monitored event types $E_m$ is $\{E, E_1, E_2\}$, the set of initiator types $E_\iota$ for $E$ is $\{E_1\}$ and the set of terminator types $E_\omega$ for $E$ is $\{E_2\}$. Given the occurrence history $G$, two occurrences of $E$ will be formed using the following event occurrences: $\{\gamma(E_1,[1,1]), \gamma(E_2,[3,3])\}$ and $\{\gamma(E_1,[2,2]), \gamma(E_2,[4,4])\}$. The sets containing used and invalidated occurrences will be the following:
$U_\iota(E) = \{\langle \gamma(E_1,[1,1]), \gamma(E,[1,3]) \rangle, \langle \gamma(E_1,[2,2]), \gamma(E,[2,4]) \rangle\}$
$U_\omega(E) = \{\langle \gamma(E_2,[3,3]), \gamma(E,[1,3]) \rangle, \langle \gamma(E_2,[4,4]), \gamma(E,[2,4]) \rangle\}$
$I_\iota(E) = \emptyset$
$I_\omega(E) = \{\gamma(E_2,[5,5])\}$
In other words, the event occurrences that have initiated a composite event of type $E$ are included in the set of used initiators for that type ($U_\iota$), and the event occurrences that have terminated the composite event $E$ are included in the set of used terminators for that type ($U_\omega$). In the example history $G$ there are no invalidated initiator occurrences; however, the event occurrence $\gamma(E_2,[5,5])$ is an invalidated terminator occurrence, since there is no matching unused occurrence of the initiator type $E_1$.
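The following Python program is an added example, not code from the dissertation or from Mellin & Andler (2002). It implements the sequence operator $E = E_1;E_2$ over the occurrence history $G$ of the example above, maintains the sets $U_\iota$, $U_\omega$, $I_\iota$ and $I_\omega$, and reproduces the chronicle-context result. Its treatment of recent context follows the description above (the most recent initiator is used and not consumed); the rule that an initiator superseded by a newer one is invalidated is an assumption of the example, not something stated on this page.

```python
from collections import namedtuple

# gamma(E, [t, t']) is represented as Occ(etype, start, end)
Occ = namedtuple("Occ", "etype start end")

# Constructed history, identical to the G of the example above
HISTORY = [Occ("E1", 1, 1), Occ("E1", 2, 2),
           Occ("E2", 3, 3), Occ("E2", 4, 4), Occ("E2", 5, 5)]

def compose_sequence(history, etype, init_type, term_type, context):
    """Process the primitive occurrences in time order through a sequence
    operator init_type;term_type producing composite events of type `etype`.
    Returns (G, U_i, U_w, I_i, I_w): the generated set and the operator state."""
    assert context in ("chronicle", "recent")
    G = list(history)
    U_i, U_w, I_i, I_w = [], [], [], []
    available = []                       # initiators that may still form a composite
    for occ in sorted(history, key=lambda o: (o.end, o.start)):
        if occ.etype == init_type:
            if context == "recent" and available:
                I_i.extend(available)    # assumption: superseded initiators are invalidated
                available = []
            available.append(occ)
        elif occ.etype == term_type:
            # the initiator must have occurred before the terminator
            candidates = [i for i in available if i.end < occ.start]
            if not candidates:
                I_w.append(occ)          # no initiator to pair with: invalidated terminator
                continue
            if context == "chronicle":
                init = candidates[0]     # oldest unused initiator ...
                available.remove(init)   # ... is consumed
            else:
                init = candidates[-1]    # most recent initiator, reusable
            comp = Occ(etype, init.start, occ.end)   # span from initiator to terminator
            G.append(comp)
            U_i.append((init, comp))
            U_w.append((occ, comp))
    return G, U_i, U_w, I_i, I_w

def history_closed(G, now):
    """The invariant stated above: every occurrence in G has ended by `now`."""
    return all(o.end <= now for o in G)

def fmt(o):
    """Print an occurrence in the notation gamma(E, [t, t'])."""
    return f"gamma({o.etype},[{o.start},{o.end}])"

if __name__ == "__main__":
    for ctx in ("chronicle", "recent"):
        G, U_i, U_w, I_i, I_w = compose_sequence(HISTORY, "E", "E1", "E2", ctx)
        print(ctx, "context")
        print("  U_i(E) =", [(fmt(a), fmt(b)) for a, b in U_i])
        print("  U_w(E) =", [(fmt(a), fmt(b)) for a, b in U_w])
        print("  I_i(E) =", [fmt(o) for o in I_i])
        print("  I_w(E) =", [fmt(o) for o in I_w])
        print("  closed at now=5:", history_closed(G, 5))
```

In chronicle context the program yields the two composite occurrences $\gamma(E,[1,3])$ and $\gamma(E,[2,4])$ and the invalidated terminator $\gamma(E_2,[5,5])$, as in the example. In recent context the same history gives three composite occurrences, all initiated by $\gamma(E_1,[2,2])$, which shows why the same states and transitions may have to be transformed differently depending on the context.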
2.4.4 Finite-state machines and finite automata
The behaviour of many kinds of machines, including components in computers, can be modelled using a structure called a finite state machine. A state machine consists of a set of states, including a starting state, a set of transitions, an input alphabet, a transition function that assigns a new state to each pair of state and input, and an output function that assigns an output to each pair of state and input (Rosen 1999).
A model that is closely related to finite-state machines is finite automata. The difference is that finite automata, instead of producing an output sequence, have a set of final states. The finite automaton produces an acceptance or rejection of the input sequence, depending on whether a final state is reached by the input sequence or not. Finite state automata can be used as language recognizers, which is a preferable characteristic in modelling compilers (Rosen 1999). A string is said to be recognized (or accepted) by a finite automaton if it takes the machine from the initial state to a final state. The language recognized (or accepted) by a state machine is the set of all strings that are recognized by the state machine. Two finite state automata are called equivalent if they recognize the same language (Rosen 1999).
Finite-state automaton example
As previously exemplified in Ericsson (2002), a finite-state automaton can be described as a tuple $(\Sigma, S, S_0, E, F)$, where $\Sigma$ is the input alphabet, $S$ is a set of states, $S_0$ is the initial state and $E$ is a set of edges ($E$ is a subset of $S \times S \times \Sigma$). Given the input $\sigma$, the state of the automaton changes from $s$ to $s'$ if $\langle s, s', \sigma \rangle \in E$ (Alur & Dill 1994). $F$ denotes the set of states accepted by the automaton. The corresponding values for the
Figure 2.4: State diagram of a finite-state automaton (states S0_accept, S1 and S2_accept; edges labelled 0 and 1 as listed in E below)
$\Sigma = \{1, 0\}$
$S = \{S0, S1, S2\}$
$S0$ is the starting state.
$E = \{(S0, S0, 0), (S0, S1, 1), (S1, S0, 0), (S1, S2, 1), (S2, S1, 0)\}$
$F = \{S0, S2\}$
A word over the alphabet in the example may be 001011. The language L recognized by the automaton M in Figure 2.4 is the set of inputs that take the automaton from its start state S0 to one of the final states S0 or S2. The set of strings accepted by the automaton is denoted L(M). Since S2 has no outgoing edge on input 1, no accepted string contains more than two consecutive ones, and since S1 is not a final state, strings that leave the automaton in S1 (for example 1, 01 or 110) are rejected; 001011 and 0100 are accepted.
The finite state automaton described in Figure 2.4 is a deterministic automaton. In a deterministic automaton there is a unique next state given by the transition function for each state and input pair. If there can be several possible next states for each pair of state
Figure 2.5: Automaton accepting the language $0 \cup 10^*$ (states S0_start, S1_accept and S2_accept; edges labelled 0 and 1)
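As an added example (not code from the dissertation), the automata of Figures 2.4 and 2.5 encoded as the tuple $(\Sigma, S, S_0, E, F)$ given above and run on input strings in Python. The program also enumerates $L(M)$ up to a given word length, which makes it possible to check mechanically that the automaton of Figure 2.5 accepts exactly the words of $0 \cup 10^*$ up to that length; the edges of Figure 2.5 are read off the figure and are the only values not listed in the text.

```python
from itertools import product

def run_automaton(automaton, word):
    """Return True iff `word` takes the automaton from S0 to a state in F.
    An edge missing from E (e.g. S2 on input 1 in Figure 2.4) rejects the word,
    so partial transition functions are handled without a separate dead state."""
    sigma, states, s0, edges, final = automaton
    delta = {(s, a): t for (s, t, a) in edges}     # deterministic: one target per (state, symbol)
    state = s0
    for symbol in word:
        if symbol not in sigma:
            raise ValueError(f"{symbol!r} is not in the alphabet {sorted(sigma)}")
        if (state, symbol) not in delta:
            return False
        state = delta[(state, symbol)]
    return state in final

# (Sigma, S, S0, E, F) for Figure 2.4, copied from the values listed above
FIG_2_4 = ({"0", "1"}, {"S0", "S1", "S2"}, "S0",
           {("S0", "S0", "0"), ("S0", "S1", "1"), ("S1", "S0", "0"),
            ("S1", "S2", "1"), ("S2", "S1", "0")},
           {"S0", "S2"})

# Figure 2.5: the automaton accepting 0 U 10* (edges read off the figure)
FIG_2_5 = ({"0", "1"}, {"S0", "S1", "S2"}, "S0",
           {("S0", "S2", "0"), ("S0", "S1", "1"), ("S1", "S1", "0")},
           {"S1", "S2"})

def words_up_to(sigma, max_len):
    """All words over sigma of length 0..max_len, shortest first."""
    return ["".join(w) for n in range(max_len + 1)
            for w in product(sorted(sigma), repeat=n)]

def language_up_to(automaton, max_len):
    """L(M) restricted to words of length <= max_len."""
    return [w for w in words_up_to(automaton[0], max_len) if run_automaton(automaton, w)]

def in_0_or_10star(word):
    """Membership in the regular language 0 U 10*, written out directly."""
    return word == "0" or (word[:1] == "1" and set(word[1:]) <= {"0"})

def equivalent_up_to(automaton, predicate, max_len):
    """Check L(M) against a language given as a predicate, for all short words."""
    sigma = automaton[0]
    return all(run_automaton(automaton, w) == predicate(w) for w in words_up_to(sigma, max_len))

if __name__ == "__main__":
    for w in ["001011", "0100", "01", "110", "111"]:
        print(f"Figure 2.4 on {w}: {run_automaton(FIG_2_4, w)}")
    print("L(M) of Figure 2.5 up to length 4:", language_up_to(FIG_2_5, 4))
    print("Figure 2.5 agrees with 0 U 10* up to length 8:",
          equivalent_up_to(FIG_2_5, in_0_or_10star, 8))
```

Comparing an automaton against a language predicate on all words up to a bound is only a check, not a proof of equivalence; the bounded check is what the regular-language equivalence discussed below replaces with an exact decision procedure.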
Finite automata and regular languages
The language of an automaton is every string that is derivable from the starting state. Every language that is accepted by a finite automaton is a regular language, and every regular language is accepted by a finite automaton (Salling 1998, p. 43). This result was proved by Kleene in 1956 and is called Kleene's theorem.
A regular language can be expressed in a set notation called regular expressions (Salling 1998, p. 23). The operators of regular expressions are Kleene closure, union and concatenation. The concatenation of sets A and B, denoted AB, is the set of all strings of the form xy where x is a string in A and y is a string in B. The Kleene closure of a set A, denoted by $A^*$, is the set consisting of concatenations of arbitrarily many strings from A (Rosen 1999, p. 648).
If $\{0\} \cup (\{1\}(\{0\}^*))$ is a regular language over the alphabet $\{1, 0\}$, then the corresponding regular expression is $(0 \cup (1(0^*)))$. The automaton accepting the language $\{0\} \cup (\{1\}(\{0\}^*))$ is shown in Figure 2.5. To reduce the number of parentheses used, there are order conventions to use. The order conventions of regular expressions are first Kleene closure, then concatenation and last the union operator. The expression $(0 \cup (1(0^*)))$ can then be written $0 \cup 10^*$ (Salling 1998). The notation $A^+$ is equal to $A^*$ except that $A^+$ does not contain the empty string. Table 2.1 shows some examples of regular expressions.
Expression     Strings
10*            A 1 followed by any number of 0s (including no zeros)
(10)*          Any number of copies of 10 (including the null string)
0 ∪ 01         The string 0 or the string 01
0(0 ∪ 1)*      Any string beginning with 0
(0*1)*         Any string not ending with 0
Table 2.1: Some regular expressions, rewritten from (Rosen 1999, p. 657)
is a subset of the language recognized by another finite automaton, this problem can be seen as a string comparison problem, which checks whether two strings are identical (Brookshear 1989, p.  269). The expressive power of a regular language is limited due to its finite memory and inability to count inputs and outputs. This is why a more expressive language is needed in more complex situations.
2.4.5 Timed automaton
Finite state machines can not reason easily about time, since in the best case time must be represented by counting clock ticks, which may cause a state explosion. Instead, to include time constraints in the finite automaton model, a timed automaton may be used. A timed automaton is a finite automaton extended with a set of real-valued clocks. A timed automaton accepts timed words, which means that a real valued time of occurrence is associated with each symbol. As an automaton makes a choice to take a state transition, the choice of the next state depends both on the input symbol read and on the time value of the input symbol.
The clocks may be reset independently of each other during a transition, and their values may be used as guards on transitions. The addition of a finite set of real valued clocks makes it possible to prove real-time requirements of finite-state systems (Alur & Dill 1994).
The state of the timed automaton is the state of the finite automaton together with
Figure 2.6: State diagram of a timed automaton (states S0 (accepting) and S1, alphabet {0, 1}, one clock x with guards x < 5 and x >= 5 and reset x := 0)
table. According to Alur & Dill (1994) a timed transition table is defined as a tuple $(\Sigma, S, S_0, C, E)$ where $\Sigma$, $S$ and $S_0$ are defined as in a regular automaton, $C$ is a finite set of clocks and $E$ gives the set of transitions. The set of transitions in a timed automaton is extended with the set of clocks to be reset in the transition and the set of clock constraints for the transition. Each symbol presented to the automaton represents an occurring event, and the time value attached to it represents the time when the symbol is presented to the system. According to Alur & Dill (1994) a pair $(\sigma, \tau)$ is referred to as a timed word over the alphabet $\Sigma$ if $\sigma$ is an infinite word over $\Sigma$ and $\tau$ is an increasing time sequence. A set of timed words over $\Sigma$ is referred to as a timed language.
Timed automaton example
The example automaton in Figure 2.6 has the alphabet $\Sigma = \{0, 1\}$. An accepted language L for this automaton would be a sequence of zeros while the time is below 5, followed by a single one as the time increases to 5 or above, followed by an arbitrary number of zeros.
A formal notation is often used to express the language of an automaton. The formal notation for the accepted language in the example would be:
$L = \{(\sigma, \tau) \mid \forall i\,(\tau_i < 5 \rightarrow \sigma_i = 0) \;\wedge\; \forall j\,((\tau_j \ge 5 \wedge \forall i\,(i < j \rightarrow \sigma_i = 0)) \rightarrow \sigma_j = 1) \;\wedge\; \forall i\,((\tau_i \ge 5 \wedge \exists j\,(j < i \wedge \sigma_j = 1)) \rightarrow \sigma_i = 0)\}$
Figure 2.7: Timed Büchi automaton redrawn from Alur & Dill (1994) (states S0 (start), S1, S2 (accepting) and S3; alphabet {a, b}; one clock x with reset x := 0 and guard x < 2)
In the example, $\forall i\,(\tau_i < 5 \rightarrow \sigma_i = 0)$ expresses the acceptance criterion of only zeros while the time is below 5; $\forall j\,((\tau_j \ge 5 \wedge \forall i\,(i < j \rightarrow \sigma_i = 0)) \rightarrow \sigma_j = 1)$ captures the criterion of a one if the time is greater than or equal to 5 and all previous inputs are zero (the quantifier over $j$ must be universal: with an existential quantifier the conjunct would be satisfied by any $j$ with $\tau_j < 5$, for which the implication holds trivially); and $\forall i\,((\tau_i \ge 5 \wedge \exists j\,(j < i \wedge \sigma_j = 1)) \rightarrow \sigma_i = 0)$ denotes that after the single one there will be an arbitrary number of zeros.
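The following Python program is an added example and not part of the dissertation. It checks a finite timed word $(\sigma, \tau)$ against the language L of the example above in two independent ways: by a direct transcription of the three conjuncts of the formula, and by running a one-clock timed automaton with guards and resets. The formula is the page's; the automaton's edges (a loop on 0 in S0 while x < 5, an edge on 1 to S1 when x >= 5, a loop on 0 in S1) are my own reading of Figure 2.6 and are an assumption of the example, as are the sample timed words.

```python
def in_language_formula(sigma, tau):
    """Direct transcription of L = {(sigma, tau) | c1 and c2 and c3} for a finite
    timed word; sigma is a string over {0,1} and tau the matching time stamps."""
    n = len(sigma)
    # c1: for all i, tau_i < 5 -> sigma_i = 0
    c1 = all(sigma[i] == "0" for i in range(n) if tau[i] < 5)
    # c2: for all j, (tau_j >= 5 and all earlier symbols are 0) -> sigma_j = 1
    c2 = all(sigma[j] == "1" for j in range(n)
             if tau[j] >= 5 and all(sigma[i] == "0" for i in range(j)))
    # c3: for all i, (tau_i >= 5 and some earlier symbol is 1) -> sigma_i = 0
    c3 = all(sigma[i] == "0" for i in range(n) if tau[i] >= 5 and "1" in sigma[:i])
    return c1 and c2 and c3

# Timed automaton: edges are (source, symbol, guard on the clock valuation,
# clocks to reset, target).  The clock x is never reset here, so it always
# equals the time stamp of the current symbol.  Edge set is an assumption.
FIG_2_6 = {
    "clocks": ["x"],
    "initial": "S0",
    "accepting": {"S0", "S1"},
    "edges": [
        ("S0", "0", lambda c: c["x"] < 5,  [], "S0"),   # zeros while time < 5
        ("S0", "1", lambda c: c["x"] >= 5, [], "S1"),   # the single one at time >= 5
        ("S1", "0", lambda c: True,        [], "S1"),   # arbitrary zeros afterwards
    ],
}

def run_timed_automaton(ta, sigma, tau):
    """Run a deterministic timed automaton over a finite timed word: advance
    the clocks to each time stamp, take the unique enabled edge (none enabled,
    or more than one, rejects), apply its resets.  Time stamps must increase."""
    if any(tau[i] >= tau[i + 1] for i in range(len(tau) - 1)):
        return False
    clocks = {c: 0.0 for c in ta["clocks"]}
    state, last = ta["initial"], 0.0
    for symbol, t in zip(sigma, tau):
        for c in clocks:
            clocks[c] += t - last            # all clocks advance at the same rate
        last = t
        enabled = [e for e in ta["edges"]
                   if e[0] == state and e[1] == symbol and e[2](clocks)]
        if len(enabled) != 1:
            return False
        for c in enabled[0][3]:
            clocks[c] = 0.0
        state = enabled[0][4]
    return state in ta["accepting"]

# Constructed sample timed words: (sigma, tau, expected membership in L)
SAMPLES = [
    ("0001000", [1, 2, 3, 6, 7, 8, 9], True),    # zeros, the one at 6, zeros
    ("1",       [5],                   True),    # the one exactly at time 5
    ("0000",    [1, 2, 3, 4],          True),    # no symbol at time >= 5
    ("",        [],                    True),    # empty word
    ("0010",    [1, 2, 3, 6],          False),   # a one before time 5
    ("0000",    [1, 2, 6, 7],          False),   # first symbol at time >= 5 is 0
    ("00011",   [1, 2, 3, 6, 7],       False),   # two ones
]

def formula_and_automaton_agree(samples=SAMPLES):
    """True iff both checkers return the expected value on every sample."""
    return all(in_language_formula(s, t) == expected == run_timed_automaton(FIG_2_6, s, t)
               for s, t, expected in samples)

if __name__ == "__main__":
    for s, t, expected in SAMPLES:
        print(f"{s or 'eps':8} {t}: formula={in_language_formula(s, t)} "
              f"automaton={run_timed_automaton(FIG_2_6, s, t)} expected={expected}")
    print("agree:", formula_and_automaton_agree())
```

The formula says nothing about the time sequence itself, so a word whose stamps do not increase (which is not a timed word in the sense of Alur & Dill) is rejected only by the automaton runner; the agreement check therefore only covers proper timed words.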
Timed regular languages are defined by Alur & Dill (1994) to be the class of timed languages accepted by a timed Büchi automaton. Such automata have a set of accepting states, and a run over the automaton is accepting if some accepting state is repeated infinitely often. This is for example the case in Figure 2.7, which accepts the timed language $L = \{((ab)^\omega, \tau) \mid \exists i\,\forall j \ge i\,(\tau_{2j} < \tau_{2j-1} + 2)\}$.
2.4.6 Uppaal
A timed automaton is analysable; it is for example possible to check whether a certain state is reachable within a limited time period. However, performing these checks manually is difficult and time consuming. Fortunately there are CASE tools developed with the aim of solving these tasks. Uppaal is a CASE tool developed jointly by Uppsala University and Aalborg University. The analysing capabilities of Uppaal include, for example, model checking of automata. Each timed automaton simulates a process which is able to synchronize with other automata. As the model is built, it is possible to visually simulate its behaviour in the CASE tool, as well as to verify its correctness using queries.
Both liveness and safety properties may be checked using the verifier in Uppaal. Checking safety is to ensure that bad things never happen. Consider for example a railway control system, which must guarantee that at most one train can pass some critical point at a time. If the railway control is modelled in Uppaal, it is possible to automatically check whether this property holds using the verifier. It is also possible to check that good things eventually happen (liveness); imagine for example that a certain train must be able to cross a critical track section within a specific time period (Yi, Pettersson & Daniels 1994).
The notation for an initial state in Uppaal is a double circle, but there is no explicit notation for an accepting state. In this dissertation, all figures showing an automaton are produced by Uppaal, so accepting states are named <Statename>_accepting, since there is no special notation for it in Uppaal. Since the start state in Uppaal has the same notation as an accepting state in other notations (double circle), the start states are named <Statename>_start in this dissertation to avoid confusion.
Since a timed automaton specification can be built up by a network of timed automata, there is a need for communication between cooperating automata. In Uppaal this communication is performed by synchronizing on global channels. If an automaton sends information on channel x (the exclamation mark, x!, is the notation for send), another automaton must be able to synchronize and receive the message (the question mark, x?, is the notation for receiving a message on the channel x). If two automata are synchronizing on a channel, they may only take the synchronising transition if the synchronizing automaton takes its transition simultaneously.
Figure 2.8 shows an example of a fragment of an Uppaal specification with two
Figure 2.8: Example of Uppaal specification (automata with states P1, P2, P3 and S1, S2, S3; invariants t <= 4 on S1 and t <= 5 on S2; guards x == 4 and t == 4; synchronisation channel! / channel?; assignments y := 3 and x := 4)
second automata consist of the states S1, S2 and S3. In state S1, there is a time invariant t ≤ 4, meaning that the system may not remain in this state once the time exceeds 4, and on the transition between S1 and S2 there is a time guard t == 4. The invariant together with the time guard forces the timed automaton to take the transition between S1 and S2 exactly when the clock variable t is equal to 4. In state S2, the system is not allowed to wait for more than one time tick, since there is an invariant t ≤ 5.
The naming convention for variables in timed automata models in this dissertation is that clock variables start with t; guards are placed at the very start of transitions, synchronisations are placed in the middle and assignments are placed at the end of transitions.
In this report, there are figures produced in Uppaal which do not exactly follow the Uppaal semantics. The reason for this is to gain increased understandability of the issues described. It is for example not yet possible to specify a guard as true or false in Uppaal, as in Figure 5.2; an integer which may take one of the values one or zero is usually used for this purpose.
Uppaal is not the only CASE tool available for specifying systems in timed automata. Two other tools worth mentioning are Kronos and HyTech (Yovine 1997). The CASE
and analysing capabilities (Berard & Sierra 2000). However, the ability to model integers in Uppaal, which is useful when it comes to modelling composite events, is one of the reasons why Uppaal is chosen for this project.
2.5 Timed automata to ECA rules
In a recent study, Ericsson (2002) proposes a method for deriving ECA rules from timed automata specifications. The main idea of this method is to transform the analysed behaviour of a timed automaton into a set of implicitly analysed rules. The specifications are considered to have equivalent behaviour if they produce an identical output sequence given an identical sequence of inputs (Abadi & Lamport 1991).
In Ericsson (2002) a case study was performed, where the method was applied to a timed automaton specification of a production cell. The outcome of applying the method was a set of rules which maintained the behaviour of the timed automaton, given that the order of event occurrences was predictable.
A prerequisite for the developed method is to divide the set of states in the automaton specification into external and internal states. External states are states which affect the system's external behaviour, and internal states are defined as states which only serve as help states needed in the specification language, for example to model time delays.
The method is based on each arrival at an external state in the timed automaton being transformed to an event occurrence in the rule base. Transition assignments are mapped to methods, which are executed in the action part of the derived ECA rule.
The decision to map each arrival at an external state in the automaton to an event occurrence in the rule base has several advantages; however, it also causes a mismatch in
possible to map the guard in the automaton to a condition in the rule set in all cases. This is because an automaton waits in its state until a guard becomes true, but an ECA rule evaluates its condition once, and if the condition is false, the rule condition will not be evaluated again until a new event of that type occurs. In the previous case study, this mismatch was solved by using composite events; however, a general solution for guarded transitions is missing.
Rule derivation approach
The method for deriving ECA rules assumes that the specification is modelled in Uppaal and built up by several synchronizing sub-automata. The method developed in Ericsson (2002) consists of the following steps.
I Identify external states.
Determine which states in each automaton are internal (help states for the automaton), and which states are external and relevant for the forthcoming derivation of rules.
II Identify preconditions for external transitions.
For every transition between two external states in every model, determine which states all sub-automata must be in for the transition to be executed (the event acceptance state of the entire model), and the values of relevant variables.
III Identify postconditions for external transitions.
For every transition between two external states in every automaton, determine which states all sub-automata must be in and the values of relevant variables immediately after
IV Express the action part of the transition as a method where it is possible.
V Identify redundant transitions.
Determine if redundant transitions, e.g. transitions that have the same pre- and postconditions and that are synchronising, can be composed into one single rule.
VI Express the entering of external states as primitive event occurrences.
Express the entering of every external state in the model as a primitive event in the ECA rule specification language.
VII Identify and specify composite events.
Identify if there are composite events (if the precondition of the rule depends on more than one automaton), and in that case, which primitive events the composite event is combined of.
VIII Formulate the set of rules.
Attach the condition and action parts of the transition to formulate rules.
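As an added example that is not the dissertation's own code, the Python program below applies steps I, II, III, IV, VI and VIII of the method above to a single, constructed timed automaton (a heater controller with one internal help state). There is no synchronisation, so steps V and VII are not exercised, and clock guards are treated as ordinary integer comparisons, which is a simplification. Each rule is triggered by the primitive event of entering an external state; its condition is the conjunction of the guards on the path to the next external state, its action the assignments on that path as methods, followed by raising the event for the state entered. A small interpreter then executes the derived rules in cascade, evaluating each condition once, at the time of its triggering event, which is the ECA semantics described above.

```python
from dataclasses import dataclass

@dataclass
class Transition:
    src: str
    dst: str
    guard: str = "True"       # boolean expression over the model variables
    assignment: str = ""      # a single "name := expression", or empty

@dataclass
class Automaton:
    states: set
    external: set             # step I: states relevant for rule derivation
    initial: str
    transitions: list

@dataclass
class Rule:
    name: str
    event: str                # step VI: entering an external state is a primitive event
    condition: str            # step II: precondition (guards along the path)
    action: list              # step IV: assignments as methods, executed in order
    raises: str               # step III: the external state entered afterwards

# Constructed example: Wait is an internal help state modelling a delay
HEATER = Automaton(
    states={"Idle", "Heating", "Wait", "Done"},
    external={"Idle", "Heating", "Done"},
    initial="Idle",
    transitions=[
        Transition("Idle", "Heating", "temp < 20", "heater := 1"),
        Transition("Heating", "Wait", "t >= 10", "t := 0"),
        Transition("Wait", "Done", "temp >= 20", "heater := 0"),
        Transition("Wait", "Heating", "temp < 20"),
        Transition("Done", "Idle"),
    ],
)

def external_paths(a, s):
    """Transition sequences from external state s to the next external state,
    passing only through internal states, each visited at most once."""
    paths = []
    def walk(state, path, seen):
        for tr in a.transitions:
            if tr.src != state:
                continue
            if tr.dst in a.external:
                paths.append(path + [tr])
            elif tr.dst not in seen:
                walk(tr.dst, path + [tr], seen | {tr.dst})
    walk(s, [], set())
    return paths

def derive_rules(a):
    """Step VIII: one ECA rule per path between consecutive external states."""
    rules = []
    for s in sorted(a.external):
        for path in external_paths(a, s):
            guards = [tr.guard for tr in path if tr.guard != "True"]
            methods = [tr.assignment for tr in path if tr.assignment]
            rules.append(Rule(name=f"R{len(rules) + 1}_{s}_to_{path[-1].dst}",
                              event=f"enter_{s}",
                              condition=" and ".join(guards) or "True",
                              action=methods,
                              raises=f"enter_{path[-1].dst}"))
    return rules

def _eval(expr, env):
    return eval(expr, {"__builtins__": {}}, dict(env))   # expressions are our own strings

def execute(rules, start, env, max_events=50):
    """Run the derived rules as an event cascade starting in `start`.  Each
    condition is evaluated once, when its triggering event occurs; a false
    condition is not re-evaluated later.  Returns the external states entered."""
    trace, queue = [start], [f"enter_{start}"]
    while queue and len(trace) < max_events:
        ev = queue.pop(0)
        for r in rules:
            if r.event == ev and _eval(r.condition, env):
                for stmt in r.action:
                    name, expr = (part.strip() for part in stmt.split(":="))
                    env[name] = _eval(expr, env)
                queue.append(r.raises)
                trace.append(r.raises[len("enter_"):])
                break                       # one transition per event
    return trace

if __name__ == "__main__":
    rules = derive_rules(HEATER)
    for r in rules:
        print(f"{r.name}: on {r.event} if {r.condition} do {r.action} -> {r.raises}")
    env = {"temp": 15, "t": 12, "heater": 0}
    print("trace:", execute(rules, "Idle", env), "env:", env)
```

Running the derived rules from Idle with temp = 15 and t = 12 gives the trace Idle, Heating, Heating and then stops: the second entry into Heating resets t to 0, the condition t >= 10 is false when the event occurs, and no rule re-evaluates it as time passes. The timed automaton would instead wait in Heating until the guard becomes true. This is the mismatch between waiting guards and once-evaluated conditions described above, reproduced on a concrete rule set.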
A proof of principle was performed as a case study where a timed automaton specification of a production cell for treating metal bricks was transformed into a set of ECA rules. The case study was focused on the correctness of the behaviour of the entire application,
3 Problem description
This section will clarify the aim of this project, as well as present the arguments behind the aim.
3.1 Active real-time database applications
Event triggered real-time systems may take advantage of the persistent storage and event monitoring capabilities of an active database. However, despite lots of prior work in the area of active databases, ECA rules are still notorious for their low level specification language, which makes such systems really hard to analyse and maintain. The rules affect each other, directly and indirectly, in a way that makes a thorough analysis of the system's behaviour impossible if no constraints are set on the design of the rule set (Falkenroth 2000). In contrast, the desire to use active databases in real-time systems requires an analysed and predictable behaviour of the rule set, which also must guarantee that certain deadlines can be met.
The problem of analysing the behaviour of a set of rules, and the desire to use active
development of predictable active real-time applications. According to Paton & Diaz (1998) the area of developing active applications lacks appropriate design methodologies, even in cases where time constraints are not considered. Several approaches exist for verifying different characteristics of an existing rule set; however, the development of the set of rules and the verification of the behaviour of the entire rule set in a certain execution model with respect to its specification are usually not considered. The set of rules is usually assumed to magically appear, and there is poor guidance for the developer on how to create a predictable rule set from, for example, a formal specification, and how to design a set of rules which is possible to maintain, change and reuse.
3.2 Deriving active rules from timed automata
There are several benefits of specifying and analysing the behaviour of a real-time system in a formal timed automaton notation. It is for example possible to verify that a certain state will be reached within a specific time, and that the system will not deadlock (if the system implements the specification correctly). The correctness of the models may be automatically analysed by some of the CASE tools available for automatic verification and simulation of timed automaton models, for example Uppaal (Larsen et al. 1997).
However, there is no obvious way of taking advantage of these benefits when specifying a real-time application using an active database. Furthermore, there is no CASE tool or method support for verifying that the behaviour of the implemented rule set corresponds to the behaviour specified in the timed automaton. In the ultimate scenario, the set of rules that implements the behaviour of the timed automaton is automatically generated from the timed automaton specification.
To reach the vision of automatically generating active rules from an arbitrary timed
timed automaton into a set of ECA rules. This means that as an event occurs, it must have the same effect in both the timed automaton and the rule set. However, it is not enough that the rule set reacts to all event occurrences that are specified in the timed automaton; it is also the case that in a given state, the rule set may only react to event occurrences that are also accepted in the timed automaton in that particular state. As the exact behaviour of the timed automaton is transformed to a set of ECA rules, the behaviour of the rule set is implicitly analysed, since the analysed behaviour of the timed automaton is maintained during the transformation.
In the work of Ericsson (2002), a method was proposed for transforming a timed automaton specification to ECA rules. A proof of principle was performed as a case study; however, the transformations were application specific, and transformations from arbitrary specifications were not considered.
Recall that an active database may react to both primitive and composite event occurrences. A primitive event occurrence is defined by Ericsson (2002) to be transformed from the arrival at an external state in the timed automaton. However, the semantics of, for example, synchronization is transformed to a composite event, and in such cases the transformation must also consider the current context. This is because the same set of states and transitions in a timed automaton may be transformed to different types of composite events depending on the current context.
To gain increased confidence in the proposed method, the equivalence of mappings between constructs in the timed automaton and the rule set must be further investigated and verified, especially with emphasis on composite events in different contexts, which was
3.3 Aim and objectives
The aim of creating an entire CASE tool for generating a rule set from a timed automaton is out of scope of this project. However, verifying the correctness of the transformation in some execution models, and identifying patterns in the timed automaton specification which map exactly to occurrences of composite events in the rule set, is a step forward towards such automation. In this project, a subset of the transformation constructs identified in Ericsson (2002) will be reconstructed to an application independent format before they are transformed into ECA rules, to increase the applicability of the proposed method to arbitrary specifications. The transformed subset will be expanded to also include transformations of the behaviour between patterns of timed automata and composite events in different contexts.
The aim of this project is to verify the correctness of transformations between a set of application independent constructs in timed automata and their resulting rules. The verified transformations will be a subset of the transformations performed in Ericsson (2002), expanded with transformations of composite events.
To reach the aim the following objectives must be fulfilled:
Generalize transformations and identify limitations of transformations
In the previous case study, the transformations were only verified for one particular application. To be able to apply the method proposed in Ericsson (2002) to an arbitrary specification, a subset of the transformations found in the previous case study will be reconstructed to application independent constructs of timed automata before they are