You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

150 lines
4.5 KiB

  1. ctmc
  2. // constants
  3. const int MAX_COUNT;
  4. const int MIN_SENSORS = 2;
  5. const int MIN_ACTUATORS = 1;
  6. // rates
  7. const double lambda_p = 1/(365*24*60*60); // 1 year
  8. const double lambda_s = 1/(30*24*60*60); // 1 month
  9. const double lambda_a = 1/(2*30*24*60*60); // 2 months
  10. const double tau = 1/60; // 1 min
  11. const double delta_f = 1/(24*60*60); // 1 day
  12. const double delta_r = 1/30; // 30 secs
  13. // sensors
  14. module sensors
  15. s : [0..3] init 3; // number of sensors working
  16. [] s>1 -> s*lambda_s : (s'=s-1); // failure of a single sensor
  17. endmodule
  18. // input processor
  19. // (takes data from sensors and passes onto main processor)
  20. module proci
  21. i : [0..2] init 2; // 2=ok, 1=transient fault, 0=failed
  22. [] i>0 & s>=MIN_SENSORS -> lambda_p : (i'=0); // failure of processor
  23. [] i=2 & s>=MIN_SENSORS -> delta_f : (i'=1); // transient fault
  24. [input_reboot] i=1 & s>=MIN_SENSORS -> delta_r : (i'=2); // reboot after transient fault
  25. endmodule
  26. // actuators
  27. module actuators
  28. a : [0..2] init 2; // number of actuators working
  29. [] a>0 -> a*lambda_a : (a'=a-1); // failure of a single actuator
  30. endmodule
  31. // output processor
  32. // (receives instructions from main processor and passes onto actuators)
  33. module proco = proci [ i=o, s=a, input_reboot=output_reboot, MIN_SENSORS=MIN_ACTUATORS ] endmodule
  34. // main processor
  35. // (takes data from proci, processes it, and passes instructions to proco)
  36. module procm
  37. m : [0..1] init 1; // 1=ok, 0=failed
  38. count : [0..MAX_COUNT+1] init 0; // number of consecutive skipped cycles
  39. // failure of processor
  40. [] m=1 -> lambda_p : (m'=0);
  41. // processing completed before timer expires - reset skipped cycle counter
  42. [timeout] comp -> tau : (count'=0);
  43. // processing not completed before timer expires - increment skipped cycle counter
  44. [timeout] !comp -> tau : (count'=min(count+1, MAX_COUNT+1));
  45. endmodule
  46. // connecting bus
  47. module bus
  48. // flags
  49. // main processor has processed data from input processor
  50. // and sent corresponding instructions to output processor (since last timeout)
  51. comp : bool init true;
  52. // input processor has data ready to send
  53. reqi : bool init true;
  54. // output processor has instructions ready to be processed
  55. reqo : bool init false;
  56. // input processor reboots
  57. [input_reboot] true -> 1 :
  58. // performs a computation if has already done so or
  59. // it is up and ouput clear (i.e. nothing waiting)
  60. (comp'=(comp | (m=1 & !reqo)))
  61. // up therefore something to process
  62. & (reqi'=true)
  63. // something to process if not functioning and either
  64. // there is something already pending
  65. // or the main processor sends a request
  66. & (reqo'=!(o=2 & a>=1) & (reqo | m=1));
  67. // output processor reboots
  68. [output_reboot] true -> 1 :
  69. // performs a computation if it has already or
  70. // something waiting and is up
  71. // (can be processes as the output has come up and cleared pending requests)
  72. (comp'=(comp | (reqi & m=1)))
  73. // something to process it they are up or
  74. // there was already something and the main processor acts
  75. // (output now up must be due to main processor being down)
  76. & (reqi'=(i=2 & s>=2) | (reqi & m=0))
  77. // output and actuators up therefore nothing can be pending
  78. & (reqo'=false);
  79. // main processor times out
  80. [timeout] true -> 1 :
  81. // performs a computation if it is up something was pending
  82. // and nothing is waiting for the output
  83. (comp'=(reqi & !reqo & m=1))
  84. // something to process if up or
  85. // already something and main process cannot act
  86. // (down or outputs pending)
  87. & (reqi'=(i=2 & s>=2) | (reqi & (reqo | m=0)))
  88. // something to process if they are not functioning and
  89. // either something is already pending
  90. // or the main processor acts
  91. & (reqo'=!(o=2 & a>=1) & (reqo | (reqi & m=1)));
  92. endmodule
  93. // the system is down
  94. formula down = (i=2&s<MIN_SENSORS)|(count=MAX_COUNT+1)|(o=2&a<MIN_ACTUATORS)|(m=0);
  95. // transient failure has occured but the system is not down
  96. formula danger = !down & (i=1 | o=1);
  97. // the system is operational
  98. formula up = !down & !danger;
  99. // reward structures
  100. rewards "up"
  101. up : 1/3600;
  102. endrewards
  103. rewards "danger"
  104. danger : 1/3600;
  105. endrewards
  106. rewards "down"
  107. down : 1/3600;
  108. endrewards
  109. //labels
  110. // causes of failues
  111. label "fail_sensors" = i=2&s<MIN_SENSORS; // sensors have failed
  112. label "fail_actuators" = o=2&a<MIN_ACTUATORS; // actuators have failed
  113. label "fail_io" = count=MAX_COUNT+1; // IO has failed
  114. label "fail_main" = m=0; // ,main processor has failed
  115. // system status
  116. label "down" = (i=2&s<MIN_SENSORS)|(count=MAX_COUNT+1)|(o=2&a<MIN_ACTUATORS)|(m=0); // system has shutdown
  117. label "danger" = !down & (i=1 | o=1); // transient fault has occured
  118. label "up" = !down & !danger;