2009: J Paul Gibson T&MSP-CSC 4504 : Langages formels et applications Event-B/TrafficLights.1
CSC 4504 : Langages formels et applications
(The Event-B Method)
J Paul Gibson, A207
http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/
TrafficLights
http://www-public.it-sudparis.eu/~gibson/Teaching/Event-B/TrafficLights.pdf
Thanks to Ken Robinson: System Modelling and Design - Traffic Lights 2008

[Figures, slides 2-9: System0, a 2-way junction with no turns, drawn with North, South, West and East approaches. Slides 2-6 are labelled "Safe State", slide 7 "UnSafe State", and slides 8-9 "Inconsistent State: Safe or Unsafe?"]

System0: 2-Way Junction, No Turns
Representing State of the System: level of abstraction of junction
Each column below is one state of the four lights.

Safe
North  R R R A G
South  R R R A G
East   R A G R R
West   R A G R R

Inconsistent
North  R R G G A A X X X X X X
South  G A R A R G X X X X X X
East   X X X X X X R R G G A A
West   X X X X X X G A R A R G

Unsafe
North  G G A A
South  G G A A
East   G A G A
West   G A G A

System0: 2-Way Junction, No Turns
Representing State of the System: level of abstraction of junction

Safe
NorthSouth  R R R A G
EastWest    R A G R R

Unsafe
NorthSouth  G G A A
EastWest    G A G A

This is a better starting level of abstraction: we can refine the model to add detail later (and additional invariants to ensure consistency)
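
The two levels of abstraction compared above, as an added Python example that is not part of the original slides: it enumerates all 81 four-light states, sorts them into the slide's three categories, and lists what remains when each road has a single colour. The function names and the R/A/G string encoding are assumptions made for the illustration.

```python
from itertools import product

COLOURS = "RAG"  # red, amber, green, abbreviated as on the slides


def classify(north, south, east, west):
    """Place one four-light state in one of the slide's three categories."""
    if north != south or east != west:
        return "inconsistent"  # the two lights of one road disagree
    # Consistent state: it collapses to the pair (NorthSouth, EastWest).
    return "safe" if "R" in (north, east) else "unsafe"


def census():
    """Group all 3**4 = 81 four-light states by category."""
    groups = {"safe": [], "inconsistent": [], "unsafe": []}
    for state in product(COLOURS, repeat=4):
        groups[classify(*state)].append("".join(state))
    return groups


def abstract_states():
    """One colour per road: inconsistency can no longer be expressed at all."""
    pairs = ["".join(p) for p in product(COLOURS, repeat=2)]
    safe = {p for p in pairs if "R" in p}
    return safe, set(pairs) - safe


if __name__ == "__main__":
    for category, states in census().items():
        print(f"{category:12} {len(states):2} four-light states")
    safe, unsafe = abstract_states()
    print("two-road model: safe", sorted(safe), "unsafe", sorted(unsafe))
```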

System0: 2-Way Junction, No Turns
Representing State of the System: level of abstraction of each light
Which level is best for representing the state of each light? How do we cope with problems due to inconsistency?
On Off Off   R
Off On Off   A
Off Off On   G
Off On On    ?
Off On On    ?
Off Off Off  ?

System0: 2-Way Junction, No Turns
[Figure: junction diagram with North, South, West and East approaches]
State represented in diagrams as RG

System0: 2-Way Junction No Turns – Safe Systems
1 Safe System: but not useful
2 Safe System: but not fair
3 Safe System: fair but not correct
[Figure: three state-transition diagrams; state labels appearing on the slide: RR, RG, RR, GR, RR, RG]

System0: 2-Way Junction No Turns – Safe Systems
4 Safe System: correct but is it fair?
[Figure: state-transition diagram over the states RG, RA, GR, RR, AR]

System0: 2-Way Junction No Turns – Safe Systems
5 Safe System: correct and fair (and deterministic) but requires splitting abstract state RR into 2 different concrete RR states
[Figure: state-transition diagram over the states RG, RA, GR, RR, AR, RR]

System0: 2-Way Junction No Turns – A refinement removes nondeterminism
[Figure: two state-transition diagrams linked by an arrow labelled "refinement": one over the states RG, RA, GR, RR, AR, RR, the other over RG, RA, GR, RR, AR]
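
An added explicit-state check of systems 4 and 5 (Python, not the author's Rodin model): it tests the safety invariant, determinism, whether a road can be starved of green, and that the six-state system refines the five-state one. The transition relations, the RR1/RR2 names and the reading of "fair" as "no road can be starved" are assumptions, because the slide diagrams did not survive in the text.

```python
# States are (NorthSouth, EastWest) colour pairs, as on the slides.
# Both transition relations are assumed; the slide diagrams are not in the text.
ABSTRACT = {   # system 4: RR does not remember whose turn is next
    "RG": {"RA"}, "RA": {"RR"}, "RR": {"GR", "RG"},
    "GR": {"AR"}, "AR": {"RR"},
}
CONCRETE = {   # system 5: RR split into RR1 (reached from RA) and RR2 (from AR)
    "RG": {"RA"}, "RA": {"RR1"}, "RR1": {"GR"},
    "GR": {"AR"}, "AR": {"RR2"}, "RR2": {"RG"},
}

def glue(state):
    """Map a concrete state to the abstract state it implements (RR1, RR2 -> RR)."""
    return state[:2]

def is_safe(state):
    """Safe states on the slides: at least one road shows red."""
    return "R" in glue(state)

def reachable(system, start="RG"):
    seen, todo = set(), [start]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(system[s])
    return seen

def deterministic(system):
    return all(len(succ) == 1 for succ in system.values())

def refines(concrete, abstract):
    """Each concrete step must map onto an abstract step between the glued states."""
    return all(glue(t) in abstract[glue(s)]
               for s, succ in concrete.items() for t in succ)

def can_starve(system, road):
    """True if some reachable cycle never gives `road` (0 = NS, 1 = EW) a green."""
    nodes = {s for s in reachable(system) if s[road] != "G"}
    while True:  # prune states that cannot stay inside the green-free set
        dead = {s for s in nodes if not system[s] & nodes}
        if not dead:
            return bool(nodes)
        nodes -= dead

if __name__ == "__main__":
    for name, system in (("abstract", ABSTRACT), ("concrete", CONCRETE)):
        print(name, all(map(is_safe, reachable(system))), deterministic(system),
              can_starve(system, 0), can_starve(system, 1))
    print("concrete refines abstract:", refines(CONCRETE, ABSTRACT))
```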
System0: TrafficLights_ctx0 in RODIN
Add axioms to define function OppositeDirection
Now we can model the system transitions in a machine that sees this context
System0: TrafficLights_mch0 in RODIN