1 DDG Redundant Ethernet David Harty MSE 595
1
DDG Redundant Ethernet
David Harty, MSE 595
2
USS Cole (DDG 67)
3
Machinery Control System
EPCPU EPCPU SCU1 SCU2 PACC
UEC1A UEC1B UEC2A UEC2B
EOWW
Bridge
4
SCU to UEC
5
Specifications?
● Two channels of communication exist and are handled by one process each.
● If both channels are connected, one process becomes the primary channel, and one becomes the backup channel.
● Only one process at a time shall communicate status requests and control commands to the UEC.
● If the UEC is in local control, the SCU will continue to receive and request status updates from the UEC, but will not issue control messages.
● Error Status Messages shall be transmitted indicating the health of the communication channels.
● It shall not be possible for both channels to be acting as the primary channel, or for both to be acting as the backup channel.
6
Activity Chart
7
ET_CONTROL
8
Semaphores (concurrency)
9
Timeouts
10
Determinism
11
ET_CH_A
12
ET_CH_B
13
ET_CONDITION
14
SMV-main
MODULE main ()
-- Top level: two redundant channel processes that share one semaphore and one
-- environment flag, plus a monitor that derives the error condition from the
-- two channels' ch_fail outputs.
-- NOTE(review): if this targets NuSMV, asynchronous `process` modules are
-- deprecated in recent releases; re-running the model on a current tool may
-- require modelling the interleaving explicitly -- confirm the tool version.
VAR
    -- semaphore
    -- et_sem: the token a channel must hold to talk to the UEC (1 = free);
    -- uec_in_local: the UEC is under local control (environment input).
    -- NOTE(review): no ASSIGN for either variable is on these slides.  If none
    -- exists in the full model they are free inputs: fine for uec_in_local,
    -- but it would mean et_sem is never actually claimed or released by the
    -- channels, and the mutual-exclusion SPECs would then be checking a
    -- scheduler rather than a protocol -- confirm against the full source.
    et_sem : {0,1};
    uec_in_local : {0,1};
    -- modules
    -- both channels are instances of the same et_ch module, so the two are
    -- distinguished only by which one acquires et_sem first
    et_ch_a : process et_ch(et_sem, uec_in_local);
    et_ch_b : process et_ch(et_sem, uec_in_local);
    -- the monitor sees only the two failure flags, not the channel states
    et_condition : process et_condition(et_ch_a.ch_fail, et_ch_b.ch_fail);
15
SMV-et_ch_*
MODULE et_ch (et_sem, uec_in_local)
-- One communication channel (SCU side) to the UEC.
-- NOTE(review): the `state` variable used by the transition relation on the
-- next slide is not declared here, and no ASSIGN is shown for ch_fail, com,
-- request_sent, select_return, control_sent or clock; presumably they are on
-- a slide that was not captured.  If the internal values are deliberately
-- left unassigned they are free inputs, which over-approximates the network
-- (sound for the safety SPECs) but means every AF/liveness SPEC needs
-- fairness to be provable -- confirm.
VAR
    -- outputs
    -- signify to outside world, com has failed
    ch_fail : {0,1};
    -- internal values
    -- com indicates com port is alive and well
    com : {0,1};
    -- indicates when a status request has been sent over the com
    request_sent : {0,1};
    -- the return value from select indicates the existence of incoming message
    -- 0 for no messages, >=1 for messages,
    -- values greater than 1 have been abstracted out.
    select_return : {0,1};
    -- indicates that the control message has been sent over the com
    control_sent : {0,1};
    -- used to indicate time out for error_delay
    clock : {0,1};
16
SMV-et_ch_*
-- Channel state machine.  The ASSIGN keyword and the declaration of `state`
-- are not on this slide; the enumeration is whatever the values below imply.
-- NOTE(review): et_sem is only read here.  Whether the transition to
-- requesting_status claims the semaphore in the same step, and whether
-- error_delay releases it, is not visible; the mutual-exclusion SPECs on
-- slide 18 hold only if the claim is atomic with this transition (otherwise
-- two channels both seeing et_sem = 1 in init_socket can both become primary).
-- set the state
init(state) := init_socket;
next(state) :=
    case
        -- init_socket: socket is up -> primary if the semaphore is free,
        -- otherwise stand by as the backup channel
        state = init_socket & com = 1 & et_sem = 1 : requesting_status;
        state = init_socket & com = 1 & et_sem = 0 : keep_alive;
        state = init_socket & com = 0 : error_delay;
        -- keep_alive (backup): promoted to primary only when the semaphore frees
        state = keep_alive & com = 1 & et_sem = 1 : requesting_status;
        state = keep_alive & com = 0 : error_delay;
        -- requesting_status
        state = requesting_status & com = 1 & request_sent = 1 :socket_select;
        state = requesting_status & com = 0 : error_delay;
        -- socket_select: nothing arrived -> poll again, otherwise read it
        state = socket_select & com = 1 & select_return = 0 : requesting_status;
        state = socket_select & com = 1 & select_return = 1 : receiving_status;
        state = socket_select & com = 0 : error_delay;
        -- receiving_status: under local control keep polling status but never
        -- enter sending_control (the uec_in_local SPEC on slide 19)
        state = receiving_status & com = 1 & uec_in_local = 1: requesting_status;
        state = receiving_status & com = 1 & uec_in_local = 0: sending_control;
        state = receiving_status & com = 0 : error_delay;
        -- sending_control
        -- NOTE(review): `control_sent` is used bare here while every other
        -- guard compares with `= 1`; write `control_sent = 1` for consistency
        -- (the variable is declared {0,1}, not boolean).
        state = sending_control & com = 1 & control_sent : requesting_status;
        state = sending_control & com = 0 : error_delay;
        -- error_delay: clock = 1 stands for the timeout expiring.  The retry
        -- SPEC on slide 21 (AF init_socket) relies on clock eventually being 1.
        state = error_delay & clock = 1 : init_socket;
        -- default: hold the state while the awaited event has not happened
        1 : state ;
    esac;
17
SMV-et_condition
-- Error-condition monitor driven by the two channel failure flags.
-- NOTE(review): next(et_error_code) below is token-for-token the same case as
-- next(state): it tests `state` and assigns the *state names* (and, in the
-- default arm, `state` itself) to the error code, while init(et_error_code)
-- is 0 and the SPECs on slides 20-22 test et_error_code = 1 (channel A loss)
-- and = 3 (COM_LOSS).  As written the numeric codes are never produced, so
-- those SPECs cannot hold on this version of the model.  The intended
-- encoding appears to be 0 = comm_ok, 1 = ch_loss_a, 3 = comm_loss (and
-- presumably 2 = ch_loss_b) derived from the state -- confirm against the
-- declared range of et_error_code, which is not on this slide.
-- assign error codes
init(et_error_code) := 0;
next(et_error_code) :=
    case
        state = comm_ok & ch_fail_a = 1 & ch_fail_b = 0 : ch_loss_a;
        state = comm_ok & ch_fail_b = 1 & ch_fail_a = 0 : ch_loss_b;
        state = comm_ok & ch_fail_a = 1 & ch_fail_b = 1 : comm_loss;
        state = ch_loss_a & ch_fail_a = 0 & ch_fail_b = 0 : comm_ok;
        state = ch_loss_a & ch_fail_b = 1 : comm_loss;
        state = ch_loss_b & ch_fail_a = 0 & ch_fail_b = 0 : comm_ok;
        state = ch_loss_b & ch_fail_a = 1 : comm_loss;
        state = comm_loss & ch_fail_a = 1 & ch_fail_b = 0 : ch_loss_a;
        state = comm_loss & ch_fail_b = 1 & ch_fail_a = 0 : ch_loss_b;
        state = comm_loss & ch_fail_a = 0 & ch_fail_b = 0 : comm_ok;
        1 : state;
    esac;
-- assign states
init(state) := comm_ok;
next(state) :=
    case
        -- from comm_ok: single loss -> per-channel loss, double loss -> comm_loss
        state = comm_ok & ch_fail_a = 1 & ch_fail_b = 0 : ch_loss_a;
        state = comm_ok & ch_fail_b = 1 & ch_fail_a = 0 : ch_loss_b;
        state = comm_ok & ch_fail_a = 1 & ch_fail_b = 1 : comm_loss;
        -- from a single-channel loss: recover only when both flags clear
        state = ch_loss_a & ch_fail_a = 0 & ch_fail_b = 0 : comm_ok;
        -- NOTE(review): this arm (and the ch_loss_b one below) ignores the
        -- other flag, so "A recovered, B failed" observed between two monitor
        -- steps is reported as comm_loss for one step before settling on
        -- ch_loss_b.  Conservative, so harmless if COM_LOSS may over-report;
        -- otherwise add `& ch_fail_a = 1` here and a ch_loss_a -> ch_loss_b arm.
        state = ch_loss_a & ch_fail_b = 1 : comm_loss;
        state = ch_loss_b & ch_fail_a = 0 & ch_fail_b = 0 : comm_ok;
        state = ch_loss_b & ch_fail_a = 1 : comm_loss;
        -- from comm_loss: step down to a single loss or back to comm_ok
        state = comm_loss & ch_fail_a = 1 & ch_fail_b = 0 : ch_loss_a;
        state = comm_loss & ch_fail_b = 1 & ch_fail_a = 0 : ch_loss_b;
        state = comm_loss & ch_fail_a = 0 & ch_fail_b = 0 : comm_ok;
        1 : state;
    esac;
18
SMV-SPECs
● Only one channel shall be able to communicate at any time
-- only one connection can be in communicate mode at any time
-- performed for both channels
-- NOTE(review): since P -> !Q is the same as !(P & Q), each formula below is
-- already symmetric in A and B; a second copy with the roles swapped checks
-- nothing new.  Note also that both SPECs pass trivially if et_sem is never
-- assigned 0 by a channel that has become primary (not visible on these
-- slides), so they should be read together with the et_sem ASSIGN.
SPEC AG ( (et_ch_a.state=keep_alive)-> !(et_ch_b.state=keep_alive) )
-- "communicate mode" = any of the four primary-role states
SPEC AG( (et_ch_a.state = requesting_status |
    et_ch_a.state = socket_select | et_ch_a.state = receiving_status |
    et_ch_a.state = sending_control ) -> !(et_ch_b.state = requesting_status |
    et_ch_b.state = socket_select | et_ch_b.state = receiving_status |
    et_ch_b.state = sending_control ) )
19
SMV-SPECs
●If the system is in local control, the com channels shall not enter the send control message state.
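-- ensure that if uec_in_local, we cannot enter the send control message state
-- Fix: the consequent used to be !( AX(a = sending_control) | AX(b = sending_control) ).
-- In CTL, !AX p is EX !p, so that formula only demands that SOME successor is
-- not sending control -- satisfied by almost any step of this nondeterministic
-- model, and not the requirement.  The requirement is that NO successor sends
-- control, i.e. AX over the negated disjunction.
-- The "current state is not sending control" conjunct in the antecedent is
-- still needed: on a step where another process is scheduled, a channel that
-- is already in sending_control keeps that state.
SPEC AG( ( -- if uec is in local
    (uec_in_local=1) &
    -- and the current state is not sending control
    !(et_ch_a.state = sending_control |
      et_ch_b.state = sending_control) ) ->
    -- implies that no next state is sending control
    AX !(et_ch_a.state = sending_control |
         et_ch_b.state = sending_control) )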
20
SMV-SPECs
●Loss of the com for a channel will create an error condition
-- a loss of the com implies that either we are currently in an
-- error condition, or the next state is error delay
-- NOTE(review): under asynchronous `process` scheduling the successors of a
-- state include steps of et_ch_b and et_condition in which et_ch_a's state
-- is unchanged, so AX(et_ch_a.state=error_delay) can only hold where A is
-- already in error_delay -- unless ch_fail is itself raised only after the
-- move to error_delay (its ASSIGN is not on these slides).  The AF form on
-- slide 22 ("inevitably reach error_delay") states the intent robustly; it
-- needs a fair scheduler (in NuSMV, FAIRNESS running) to be provable.
SPEC AG( (et_ch_a.ch_fail = 1) -> (et_ch_a.state=init_socket | et_ch_a.state=error_delay | AX(et_ch_a.state=error_delay) ) )
-- a loss of the com implies that an error code will be generated,
-- in this, or the next state
-- NOTE(review): the same AX caveat applies to et_condition.et_error_code,
-- which only advances on steps where et_condition is scheduled.  Also, the
-- et_error_code assignment on slide 17 never yields the value 1 (it assigns
-- state names), so this property cannot hold as that slide is written.
SPEC AG( (et_ch_a.ch_fail = 1 & !(et_ch_a.state=init_socket |
    et_ch_a.state=error_delay) ) ->
    ((et_condition.et_error_code=1) | AX(et_condition.et_error_code=1) ) )
21
SMV-SPECs
●If a channel enters a failure mode, it shall be able to attempt to connect again in the future
-- a channel that is about to enter error_delay can always reconnect later
-- NOTE(review): with `process` interleaving, AX(et_ch_a.state=error_delay)
-- appears to hold only when A is already in error_delay (any successor where
-- another process runs leaves A's state unchanged), so the antecedent is much
-- narrower than "enters a failure mode".  The AF part needs `clock` to
-- eventually be 1 and the scheduler to be fair; without FAIRNESS a path that
-- never schedules et_ch_a, or keeps clock at 0, is a counterexample.  A more
-- direct statement of the requirement would be
-- `SPEC AG( et_ch_a.state=error_delay -> AF(et_ch_a.state=init_socket) )`.
SPEC
AG( (AX(et_ch_a.state=error_delay)) ->
    (AX(AF(et_ch_a.state=init_socket) ) ) )
●Error conditions shall be maintained
-- a loss of both channels implies that a COM_LOSS error code
-- will be generated, in this, or the next state
-- NOTE(review): the et_error_code case on slide 17 never assigns the value 3
-- (it assigns state names), so this SPEC cannot hold on that version of the
-- model; and AX over et_condition's variable is subject to the interleaving
-- caveat -- et_condition only advances on steps where it is scheduled.
-- The antecedent excludes init_socket/error_delay for BOTH channels, which is
-- stricter than needed: a channel that has already moved to error_delay still
-- has ch_fail = 1 and should still count towards COM_LOSS -- confirm intent.
SPEC
AG( (et_ch_a.ch_fail = 1 & et_ch_b.ch_fail = 1 &
    !(et_ch_a.state=init_socket | et_ch_a.state=error_delay | et_ch_b.state=init_socket | et_ch_b.state=error_delay) )->
    ( (et_condition.et_error_code=3) | AX(et_condition.et_error_code=3) ) )
22
SMV-SPECs
-- Summary of the properties from slides 18-21 plus an AF variant of the
-- com-loss property.  Two caveats apply throughout: (1) under `process`
-- interleaving AX over a single process's variable only holds where that
-- variable already has the value, because successors where another process
-- runs leave it unchanged; (2) the et_error_code case on slide 17 assigns
-- state names, never the numeric 1 or 3 these SPECs test -- confirm against
-- the full model.
-- only one connection can be in communicate mode at any time
SPEC AG ( (et_ch_a.state=keep_alive)->!(et_ch_b.state=keep_alive) )
-- a loss of the com implies that either we are currently in an
-- error condition, or the next state is error delay
SPEC AG( (et_ch_a.ch_fail = 1) -> (et_ch_a.state=init_socket | et_ch_a.state=error_delay | AX(et_ch_a.state=error_delay) ) )
-- a loss of the com implies that an error code will be generated, in this, or the next state
SPEC AG( (et_ch_a.ch_fail = 1 & !(et_ch_a.state=init_socket | et_ch_a.state=error_delay) ) -> ((et_condition.et_error_code=1) | AX(et_condition.et_error_code=1) ) )
-- a loss of the com implies that we will inevitably reach the error_delay state
-- (the robust form of the AX property above; needs a fair scheduler, e.g.
-- FAIRNESS running in NuSMV, or the path that never schedules et_ch_a refutes it)
SPEC AG( (et_ch_a.ch_fail = 1 & !(et_ch_a.state=init_socket | et_ch_a.state=error_delay) ) -> AF(et_ch_a.state=error_delay ) )
-- a loss of both channels implies that a COM_LOSS error
-- code will be generated, in this, or the next state
SPEC AG( (et_ch_a.ch_fail = 1 & et_ch_b.ch_fail = 1 & !(et_ch_a.state=init_socket | et_ch_a.state=error_delay | et_ch_b.state=init_socket | et_ch_b.state=error_delay) ) -> ((et_condition.et_error_code=3) | AX(et_condition.et_error_code=3) ) )