AltaRica

A Formal Language for Event Oriented Modeling

A. RauzyIML/CNRS & ARBoost Technologies

Marseilles, France

Contents

I. Introductory ExamplesII. MotivationsIII. Formal ModelIV. ToolsV. Examples of UseVI. Perspectives

Contents

I. Introductory ExamplesII. MotivationsIII. Formal ModelIV. ToolsV. Examples of UseVI. Perspectives

A repairable component

node component state s: {working,failed,repair}; event failure, startRepair, endRepair; trans (s=working) |- failure -> s:=failed (s=failed) |- startRepair -> s:=repair; (s=repair) |- endRepair -> s:=working; init s:=workingedon

A Valve

node valve state closed:bool; flow input:float:in; output:float:out; event open, close; trans closed |- open -> closed:=false; not closed |- close -> closed:=true; init closed := true; assert output = if closed then 0 else input; edon

Two Valves in Series

node twoValves flow input:float:in; output:float:out; sub A:valve, B:valve; assert A.input = input, B.input = A.output, output = B.output; edon

A repairable component and its repairer

node repairableSystem event startRepair, endRepair; sub C:component, R:repairer; sync startRepair = C.startRepair and R.startJob, endRepair = C.endRepair and R.endJob;edon

Contents

I. Introductory ExamplesII. MotivationsIII. Formal ModelIV. ToolsV. Examples of UseVI. Perspectives

Motivations: Reliability Engineering

Target systems:nuclear power plants, chemical plants,avionic systems, …

Assess the risk and its consequences:what can go wrong ?what is the expectation that something goes wrong ?what are the consequences ?

Motivations: Reliability Enginering

Analyses:• Determination of failure scenarii• Assessment of failure probability• Ranking of components with respect to their contribution to the risk

Motivations: Reliability Engineering

Classical formalisms (Fault Trees, Markov Graphs, Petri Nets)– Well defined semantics– Easy to handle– Textual and graphical– Good tradeoffs expressivity/efficiency

… but • Lack of structure (PN, MG) or• Lack of expressivity (FT)

Models are hard to design and to maintain

The AltaRica Project

AltaRica: a high level formal description language• based on the notion of mode automata• compilation into low level formalisms (efficiency)• synergy with formal methods (e.g. model checking)

System Analysis

Dynamic Systems/Simulation:Differential Equationse.g. Modelica

Code generation:Data-Flow modelse.g. State Charts, Lustre

Reliability Engineering:Event driven models, non-determinisme.g. Fault Trees, Petri nets, AltaRica

Contents

I. Introductory ExamplesII. MotivationsIII. Formal ModelIV. ToolsV. Examples of UseVI. Perspectives

Mode Automata

s=1t=0

s=1t=0

s=0t=1

mode

event

: g(S,I) |- e -> S:=f(S,I)

[Marininchi98, Rauzy02]

A = <S,I,O,E,,,>• S: state variables• I: input variables• O: output variables• E: events• : transitions• : transfer function• : initial state

O = (S,I)

I OS

Algebra of Mode Automata

Product Connection Synchronization of events

Operations on mode automata

Synchronization

G1 |- e1 -> S1:=f1G2 |- e2 -> S2:=f2G3 |- e3 -> S2:=f3

e = e1 and (e2 or e3)

G1 and (G2 or G3) |- e -> S1 := if G1 then f1 else S1 S2 := if G2 then f2 else S2 S3 := if G3 then f3 else S3

fire the fireable local transitions

Two Valves in Series

node twoValves flow input:float:in; output:float:out; sub A:valve, B:valve; assert A.input = input, B.input = A.output, output = B.output; edon

A repairable component and its repairer

node repairableSystem event startRepair, endRepair; sub C:component, R:repairer; sync startRepair = C.startRepair and R.startJob, endRepair = C.endRepair and R.endJob;edon

Mode Automata: External View

View

Time schedule

traces

mode

Mode Automata

… generalize fault trees, Markov graphs, Petri nets

(P1>0) and (P2=0) |- T -> P1:=P1-1, P3:=P3+2;P3

P1

P2

T

2

remote interactions

… generalize block-diagrams

… make it possible to define hierarchies, packages, …

Categories of Events

• Timed events: take a non null time• Stochastic events (default)

• Probability distributions with parameters (exponential, Weibull, ...)

• Dirac events

• Instaneous events: take no time and may have a priority

• Immediate events• Conditional events

A Spare Unit

A Periodically Tested Component

The Extern Clause

The role of the extern clause is:• to give some interpretation to the model, e.g. priorities to transitions, probability distributions to events,• to give tools a specific information,• to provide some mechanism to extend the language.

In AltaRica Data-Flow, the syntax of the extern clause is normalized:

node … extern law <event A.failure> = exponential(0.001) ; parameter lambda = 0.001; …edon

type of the information

specified element

value

Commutation of the syntax and the semantics

node System sub A:Component, B.Component, R:RepairMen …edon

node S state A.s, B.s, R.s; …edond

syntactic composition

reachabilitygraphs

reachabilitygraph

synchronized product

Contents

I. Introductory ExamplesII. MotivationsIII. Formal ModelIV. ToolsV. Examples of UseVI. Perspectives

Tools

Workbenches• Powerful graphical user interfaces for the design of models• Graphical simulators• OCAS (Dassault Aviation), SimFia (EADS-APSYS), Saraa (Airbus)

Assessment tools• Compilers to Fault Trees• Compilers to Markov Graphs• Stochastic simulators• Generators of sequences• Compilers to formal languages (Lustre, SMV)• Model-Checkers• AltaTools, Mec V (LaBRI), Combava (ARBoost Technologies)

Combava: an AltaRica Data-Flow Toolbox

node Cmp state s: …edon

AltaRica Data-Flow

Fault Trees alta-a2b Aralia

Markov Graphsalta-mrk Mark-XPR

Monte-Carlo simulationalta-sto

Generation of sequences, model checkingalta-seq

Stepwise simulationalta-sim

Contents

I. Introductory ExamplesII. MotivationsIII. ToolsIV. Formal ModelV. Examples of UseVI. Perspectives

Models Designed So Far

3 categories of models

• Functional models• Mainly academic (Bordeaux) -> model checking

• Simple and huge dysfunctional models (~ bloc diagrams), e.g.• Dassault F7X, …• Compilation into fault trees• Treatment chain validated by certification authorities

• Complex but (relatively) small models, e.g.• Total, • Production availability, High integrity protection systems• Markov analyses, Monte-Carlo simulation

Production Availability

HPS-A

HPS-B

HPS-C

DEH-A

DEH-B

CMP-A

CMP-B

MUP

45%

45%

45%

65%

65%

52%

52%

100%

HPS 8.91 10DEH 3.11 10CMP 3.50 10

2.54 103.95 105.14 10

-5

-5

-5

-3

-3

-3

MUP 0.001

well

tank

Markov Analyses

AltaRica model

alta-a2g

Multi Phase Markovmodels with rewards

command fileMark-XPR

• Steady state probability• Transient probability• Mean sojourn time

Expectation of any quantity defined on states

Generation of (relevant) sequences

AltaRica Automaton

Sequence automaton

alta-seq sequences

automaton mySequences s1: #l<3 |- * : #l := #l+1 -> not failed : s1; s1: #l<=3 |- * : #l := #l+1 -> failed : s2; init s1 : #l := 1; accept s2;end

Model-checking: same automata with a Büchi acceptance criterion

Contents

I. Introductory ExamplesII. MotivationsIII. ToolsIV. Formal ModelV. Examples of UseVI. Perspectives

Perspectives

Find the “good” states/events formalism for reliability studies

sound mathematical basis

graphicalrepresentationgeneralization of currently

used formalismslooped systems

hierarchy

algorithmic & complexityissues (tradeoff)

connection withfunctional models

hybrid systems

higher level modeling

Motivations

Find the “good” states/events formalism for reliability studies

sound mathematical basis

graphicalrepresentationgeneralization of currently

used formalismslooped systems

hierarchy

algorithmic & complexityissues (tradeoff)

connection withfunctional models

hybrid systems

higher level modeling

These issues are welladdressed by current version(s)of AltaRica

Motivations

sound mathematical basis

graphicalrepresentationgeneralization of currently

used formalismslooped systems

hierarchy

algorithmic & complexityissues (tradeoff)

connection withfunctional models

hybrid systems

higher level modeling

Find the “good” states/events formalism for reliability studies

Higher Level Modeling

Need for• Connection to external routines• Structured types• Parametric descriptions• High level operations• … and even object oriented modeling

Extension of the language

Motivations

Find the “good” states/events formalism for reliability studies

sound mathematical basis

graphicalrepresentationgeneralization of currently

used formalismslooped systems

hierarchy

algorithmic & complexityissues (tradeoff)

connection withfunctional models

hybrid systems

higher level modeling

Normalized Graphics

Simple mode automataPetri nets

Hierarchical descriptions

Interaction diagrams

Motivations

Find the “good” states/events formalism for reliability studies

sound mathematical basis

graphicalrepresentationgeneralization of currently

used formalismslooped systems

hierarchy

algorithmic & complexityissues (tradeoff)

connection withfunctional models

hybrid systems

higher level modeling

Electric Nets

Motivations

Find the “good” states/events formalism for reliability studies

sound mathematical basis

graphicalrepresentationgeneralization of currently

used formalismslooped systems

hierarchy

algorithmic & complexityissues (tradeoff)

connection withfunctional models

hybrid systems

higher level modeling

Hybrid Systems

Mixing discrete events and continuous variation,e.g. temperature controller

Motivations

sound mathematical basis

graphicalrepresentationgeneralization of currently

used formalismslooped systems

hierarchy

algorithmic & complexityissues (tradeoff)

hybrid systems

higher level modeling

connection withfunctional models

Find the “good” states/events formalism for reliability studies

From functional to dysfunctional analyses

Sensors Command automaton [e.g. state chart]

Sensors may be subject to different failure modes• How failures of sensors impact the command?• How to derive the dysfunctional model from the functional model?

Don’t expect a silver bullet !

Architecture

Industrial Perspectives

• Airbus (Rosas, A350)

• Dassault Systems (Catia System)

• ClearSy (Atelier B)