sp
/
Tempest_in_Action
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
16 Commits
1 Branch
0 Tags
24 MiB
 
 
 
 
 
 
Tree: 68f01f6a3c
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '68f01f6a3c'
${ noResults }
Tempest_in_Action/tempest-devel/resources/examples/testfiles/ctmc/embedded2.sm

151 lines
4.5 KiB
Raw Blame History

ctmc
// constants
const int MAX_COUNT = 2;
const int MIN_SENSORS = 2;
const int MIN_ACTUATORS = 1;
// rates
const double lambda_p = 1/(365*24*60*60); // 1 year
const double lambda_s = 1/(30*24*60*60); // 1 month
const double lambda_a = 1/(2*30*24*60*60); // 2 months
const double tau = 1/60; // 1 min
const double delta_f = 1/(24*60*60); // 1 day
const double delta_r = 1/30; // 30 secs
// sensors
module sensors
s : [0..3] init 3; // number of sensors working
[] s>1 -> s*lambda_s : (s'=s-1); // failure of a single sensor
endmodule
// input processor
// (takes data from sensors and passes onto main processor)
module proci
i : [0..2] init 2; // 2=ok, 1=transient fault, 0=failed
[] i>0 & s>=MIN_SENSORS -> lambda_p : (i'=0); // failure of processor
[] i=2 & s>=MIN_SENSORS -> delta_f : (i'=1); // transient fault
[input_reboot] i=1 & s>=MIN_SENSORS -> delta_r : (i'=2); // reboot after transient fault
endmodule
// actuators
module actuators
a : [0..2] init 2; // number of actuators working
[] a>0 -> a*lambda_a : (a'=a-1); // failure of a single actuator
endmodule
// output processor
// (receives instructions from main processor and passes onto actuators)
module proco = proci [ i=o, s=a, input_reboot=output_reboot, MIN_SENSORS=MIN_ACTUATORS ] endmodule
// main processor
// (takes data from proci, processes it, and passes instructions to proco)
module procm
m : [0..1] init 1; // 1=ok, 0=failed
count : [0..MAX_COUNT+1] init 0; // number of consecutive skipped cycles
// failure of processor
[] m=1 -> lambda_p : (m'=0);
// processing completed before timer expires - reset skipped cycle counter
[timeout] comp -> tau : (count'=0);
// processing not completed before timer expires - increment skipped cycle counter
[timeout] !comp -> tau : (count'=min(count+1, MAX_COUNT+1));
endmodule
// connecting bus
module bus
// flags
// main processor has processed data from input processor
// and sent corresponding instructions to output processor (since last timeout)
comp : bool init true;
// input processor has data ready to send
reqi : bool init true;
// output processor has instructions ready to be processed
reqo : bool init false;
// input processor reboots
[input_reboot] true -> 1 :
// performs a computation if has already done so or
// it is up and ouput clear (i.e. nothing waiting)
(comp'=(comp | (m=1 & !reqo)))
// up therefore something to process
& (reqi'=true)
// something to process if not functioning and either
// there is something already pending
// or the main processor sends a request
& (reqo'=!(o=2 & a>=1) & (reqo | m=1));
// output processor reboots
[output_reboot] true -> 1 :
// performs a computation if it has already or
// something waiting and is up
// (can be processes as the output has come up and cleared pending requests)
(comp'=(comp | (reqi & m=1)))
// something to process it they are up or
// there was already something and the main processor acts
// (output now up must be due to main processor being down)
& (reqi'=(i=2 & s>=2) | (reqi & m=0))
// output and actuators up therefore nothing can be pending
& (reqo'=false);
// main processor times out
[timeout] true -> 1 :
// performs a computation if it is up something was pending
// and nothing is waiting for the output
(comp'=(reqi & !reqo & m=1))
// something to process if up or
// already something and main process cannot act
// (down or outputs pending)
& (reqi'=(i=2 & s>=2) | (reqi & (reqo | m=0)))
// something to process if they are not functioning and
// either something is already pending
// or the main processor acts
& (reqo'=!(o=2 & a>=1) & (reqo | (reqi & m=1)));
endmodule
// the system is down
formula down = (i=2&s<MIN_SENSORS)|(count=MAX_COUNT+1)|(o=2&a<MIN_ACTUATORS)|(m=0);
// transient failure has occured but the system is not down
formula danger = !down & (i=1 | o=1);
// the system is operational
formula up = !down & !danger;
// reward structures
rewards "up"
up : 1/3600;
endrewards
rewards "danger"
danger : 1/3600;
endrewards
rewards "down"
down : 1/3600;
endrewards
//labels
// causes of failues
label "fail_sensors" = i=2&s<MIN_SENSORS; // sensors have failed
label "fail_actuators" = o=2&a<MIN_ACTUATORS; // actuators have failed
label "fail_io" = count=MAX_COUNT+1; // IO has failed
label "fail_main" = m=0; // ,main processor has failed
// system status
label "down" = (i=2&s<MIN_SENSORS)|(count=MAX_COUNT+1)|(o=2&a<MIN_ACTUATORS)|(m=0); // system has shutdown
label "danger" = !down & (i=1 | o=1); // transient fault has occured
label "up" = !down & !danger;