èŠ‚ç‚¹æ–‡çŒ®

åŸºäºŽEvent-Bçš„æ··åˆç³»ç»Ÿå½¢å¼åŒ–ï¼šç†è®ºä¸Žå®žè·µ

Formalizing Hybrid Systems Using Event-B:Theory and Practice

åˆ†é¡µä¸‹è½½
åˆ†ç« ä¸‹è½½
æ•´æœ¬ä¸‹è½½
åœ¨çº¿é˜…è¯»
ä¸æ”¯æŒè¿…é›·ç‰ä¸‹è½½å·¥å…·ï¼Œè¯·å–æ¶ˆåŠ é€Ÿå·¥å…·åŽä¸‹è½½ã€‚

ã€ä½œè€…ã€‘ è‹é›¯ï¼›

ã€ä½œè€…åŸºæœ¬ä¿¡æ¯ã€‘ åŽä¸œå¸ˆèŒƒå¤§å¦ ï¼Œ è®¡ç®—æœºåº”ç”¨æŠ€æœ¯ï¼Œ 2013ï¼Œ åšå£«

ã€æ‘˜è¦ã€‘ å½“ä»Šç¤¾ä¼š,æ··åˆç³»ç»Ÿåœ¨åµŒå…¥å¼ç³»ç»Ÿå¼€å‘ä¸èµ·ç€è‡³å…³é‡è¦çš„ä½œç”¨ã€‚æ··åˆç³»ç»Ÿä¸,è½¯ä»¶æŽ§åˆ¶å™¨æŽ§åˆ¶å¤–éƒ¨çŽ¯å¢ƒçš„å˜åŒ–,ä»¥ç¦»æ•£çš„æ–¹å¼ç”±ä¼ æ„Ÿå™¨è§„å¾‹åœ°è§¦å‘æ¥æ£€æµ‹çŽ¯å¢ƒçŠ¶æ€,æŽ§åˆ¶çŽ¯å¢ƒã€‚ç›¸é‚»çš„æŽ§åˆ¶å™¨è¡Œä¸ºä¹‹é—´,çŽ¯å¢ƒä»¥è¿žç»çš„æ–¹å¼å˜åŒ–ã€‚å¦‚ä½•è®¾è®¡å‡ºä¸Žç‰©ç†çŽ¯å¢ƒæ£ç¡®åŒ¹é…çš„æŽ§åˆ¶å™¨å·²æˆä¸ºä¸€å¤§æŒ‘æˆ˜ã€‚ä¼—å¤šå¦ç§‘éƒ½ä¸æ–è´¡çŒ®äºŽè¯¥é¢†åŸŸ,åŒ…æ‹¬è®¡ç®—æœºã€ç³»ç»ŸæŽ§åˆ¶ã€æ¨¡æ‹Ÿä»¿çœŸç‰å¦ç§‘ã€‚åœ¨è¿™äº›å¦ç§‘ä¸,æˆ‘ä»¬ä¸»è¦ä»Žäº‹è®¡ç®—æœºå¦ç§‘çš„ç ”ç©¶,ä½†ä¹Ÿä¸Žç³»ç»ŸæŽ§åˆ¶ã€æ¨¡æ‹Ÿä»¿çœŸç‰å¦ç§‘ç´§å¯†ç›¸è¿žã€‚è®¡ç®—æœºå¦ç§‘å¯¹æ··åˆç³»ç»Ÿçš„ç ”ç©¶ä¸»è¦ä¸ºç³»ç»ŸéªŒè¯,ç›¸æ¯”äºŽå…¶å®ƒç ”ç©¶,æˆ‘ä»¬çš„ç ”ç©¶ä¸ä»…ä»…ç€é‡äºŽç³»ç»ŸéªŒè¯,ä¹ŸåŒæ—¶ç€é‡äºŽå»ºæ¨¡ã€è¯æ˜Žã€ä»¿çœŸã€‚æˆ‘ä»¬çš„ç ”ç©¶ç›®å¦‚ä½•æž„å»ºæ£ç¡®çš„æ··åˆç³»ç»Ÿã€‚ç¡®åˆ‡åœ°è¯´,åŸºäºŽEvent-Bæ–¹æ³•,æˆ‘ä»¬ç ”ç©¶è‡ªé¡¶å‘ä¸‹çš„æ··åˆç³»ç»Ÿå¼€å‘æ–¹æ³•ï¼šä»Žéœ€æ±‚æ–‡æ¡£,å¾—åˆ°ç²¾åŒ–ç–ç•¥,è€ŒåŽå»ºç«‹ç³»åˆ—çš„å½¢å¼åŒ–æ¨¡åž‹,æœ€ç»ˆå¼€å‘å®žçŽ°ã€‚æ¨¡åž‹å¼€å‘åŸºäºŽç³»åˆ—çš„ç²¾åŒ–æ¨¡åž‹,ä½¿å¾—ç³»ç»Ÿèƒ½å¤Ÿä»¥æ¸è¿›çš„æ–¹å¼å®žçŽ°å¼€å‘ã€‚åœ¨ç¦»æ•£è¿žç»æ··åˆç³»ç»Ÿå¼€å‘ä¸,æˆ‘ä»¬ä¸»è¦å…³æ³¨ä»¥ä¸‹é—®é¢˜ï¼šå®šä¹‰è‰¯å¥½çš„éœ€æ±‚æ–‡æ¡£ä¸Žç²¾åŒ–ç–ç•¥ã€å»ºç«‹æ··åˆç³»ç»Ÿæ¨¡åž‹ã€å®žçŽ°æ¨¡åž‹ç²¾åŒ–ã€è¯æ˜Žæ¨¡åž‹åŠç²¾åŒ–çš„æ£ç¡®æ€§ã€è¯æ˜Žç³»ç»Ÿå®‰å…¨æ€§è´¨ã€å®žçŽ°ç³»ç»Ÿä»¿çœŸç‰ã€‚æœ¬æ–‡æ‰€å±•å¼€çš„å·¥ä½œå‡å›´ç»•ä¸Šè¿°é—®é¢˜ã€‚æœ¬è®ºæ–‡çš„ä¸»è¦è´¡çŒ®å¦‚ä¸‹ï¼š(i)æ–¹æ³•å¦è´¡çŒ®åŸºäºŽEvent-Bæ–¹æ³•,åœ¨å½¢å¼åŒ–å»ºæ¨¡ä¹‹å‰,é¦–å…ˆè¦å®šä¹‰éœ€æ±‚æ–‡æ¡£åŠç²¾åŒ–ç–ç•¥ã€‚ç²¾åŒ–ç–ç•¥ç”¨äºŽå®šä¹‰ç²¾åŒ–æ¨¡åž‹ä¸å¯¹éœ€æ±‚çš„è€ƒè™‘é¡ºåº,å®žçŽ°ä»Žå½¢å¼åŒ–æ¨¡åž‹åˆ°éœ€æ±‚æ–‡æ¡£çš„å¯è¿½è¸ªæ€§,å¹¶ç”¨äºŽæ£€æŸ¥å½¢å¼åŒ–æ¨¡åž‹æ˜¯å¦å·²å®Œæ•´è€ƒè™‘éœ€æ±‚ã€‚æœ¬æ–‡æå‡ºåˆ¶å®šéœ€æ±‚æ–‡æ¡£ä¸Žç²¾åŒ–ç–ç•¥æ‰€åº”éµå¾ªçš„è§„åˆ™ã€‚(ii)ç†è®ºè´¡çŒ®æå‡ºEvent-Bå«æ—¶é—´å‡½æ•°çš„æ··åˆç³»ç»Ÿçš„å»ºæ¨¡æ–¹æ³•,å¹¶æå‡ºç¦»æ•£æ¨¡åž‹è‡³è¿žç»æ¨¡åž‹çš„ç²¾åŒ–æ–¹æ³•,ä»¥åŠè¯¥æ··åˆæ¨¡åž‹çš„åˆ†æžéªŒè¯æ–¹æ³•ã€‚ä¸ºæ”¯æŒå¤æ‚ç‰©ç†ç³»ç»Ÿ,æˆ‘ä»¬æ‰©å±•æ··åˆç³»ç»Ÿå»ºæ¨¡æ–¹æ³•,å¼•å…¥ä¸€ä¸ªæ–°çš„æ–¹æ³•,ç§°ä¸º"Click",å¹¶åŸºäºŽè¯¥æ–¹æ³•ä¸ºæ··åˆç³»ç»Ÿçš„æ—¶é—´ç‰¹æ€§æå‡ºç³»ç»ŸåŒ–çš„è®¾è®¡æ¨¡å¼ã€‚å¯¹è¿žç»è¡Œä¸ºç”±å¾®åˆ†æ–¹ç¨‹å®šä¹‰çš„æ··åˆç³»ç»Ÿ,åœ¨ä¸è§£å¾®åˆ†æ–¹ç¨‹çš„å‰æä¸‹,æˆ‘ä»¬ç ”ç©¶å¾®åˆ†æ–¹ç¨‹æ€§è´¨çš„å®šç†è¯æ˜Žæ–¹æ³•ã€‚è¯¥ç ”ç©¶åŸºäºŽæ¬§æ‹‰è¿‘ä¼¼æ–¹æ³•å’Œéžæ ‡å‡†åˆ†æžã€‚(iii)å®žè·µè´¡çŒ®è¯¥ç ”ç©¶åŒ…å«ä¼—å¤šæ¡ˆä¾‹,ç”¨äºŽåˆ†æžæ‰€æå‡ºçš„ç†è®ºåŠæ–¹æ³•ã€‚æ¡ˆä¾‹æ¶µç›–æ ¸ååº”å†·å´æŽ§åˆ¶ã€åˆ—è½¦æŽ§åˆ¶ã€é£žæœºé˜²ç¢°æ’žç³»ç»Ÿã€æ°´ç®±æŽ§åˆ¶ç‰ã€‚è¿™äº›æ¡ˆä¾‹ä¸ä»…ç”¨äºŽåˆ†æžæ‰€æå‡ºçš„ç†è®º,ä¹Ÿåœ¨ä¸€å®šç¨‹åº¦ä¸Šè¯æ˜Žäº†ç†è®ºçš„åº”ç”¨æ€§ã€‚æå‡ºæ··åˆç³»ç»Ÿå½¢å¼åŒ–å¼€å‘çš„äº’è¡¥æ–¹æ³•,åŒ…æ‹¬æ¨¡åž‹ä»¿çœŸã€ä¼ æ„Ÿå™¨å’Œæ‰§è¡Œå™¨è®¾è®¡æ¨¡å¼ã€éšå¼ä¸å˜å¼å‘çŽ°æ–¹æ³•ç‰ã€‚(iv)è½¯ä»¶è´¡çŒ®ä¸ºäº†äº’è¡¥Event-Bå½¢å¼åŒ–å¼€å‘æ–¹æ³•,å°†Event-Bæ¨¡åž‹è½¬åŒ–è‡³Simulinkæ¨¡åž‹,æˆ‘ä»¬ä¸ºEvent-Bè¨€è¯çš„ç›¸åº”å·¥å…·Rodinå¹³å°å¼€å‘äº†æ’ä»¶,å¯ä»¥è‡ªåŠ¨å®žçŽ°æ¨¡åž‹è½¬åŒ–ã€‚æ›´å¤š è¿˜åŽŸ

ã€Abstractã€‘ Nowadays, hybrid systems are very important in the development of embedded systems. In such systems, a piece of software, the controller, is supposed to manage an external situation, the environment. The controller works in a discrete fashion in that it is triggered regularly by detecting the status of the environment (using some sensors), and then reacts by sending some information to the environment (using some actuators). Between two successive controller detections and actions, the environment is evolving in a continuous way. The design of a controller that correctly matches the physical environment has become a challenge.Various scientific community have contributed with their own approaches to this area:computer science, control, and modeling and simulation communities. We mainly place ourselves in the computer science community, but we also have some connections with the control community, and the modeling and simulation community.Other works in computer science community mainly focus on software verifica-tion, here we would like to propose an approach that certainly focus on verification, but also on modeling, simulation, and proof. Our purpose is to construct hybrid systems in a correct fashion. More precisely, based on Event-B, we propose a top-down approach that supports the development of hybrid systems from requirements down to final development. For this, our con-struction is based on successive refinements, allowing the development to be done in a gradual fashion. In the development of hybrid system, we concentrate on the following key issues:well-defined requirement document and refinement strategy, modeling, refinement, proving, and simulation.Here are the main contributions of this thesis:(i) Methodology Contribution Based on Event-B, requirement document and refinement strategy need to be first defined before formal modelling. We insist a lot on the importance of writing a well defined requirement document and a careful refinement strategy. Before modeling, the refinement strategy is used to define clearly how the requirements can be gradually taken into account in successive refinements. It also helps us to trace the formal development back to the requirement document, and check whether we have taken all requirements into account. To achieve this, we propose some rules for defining the requirement document and the refinement strategy,(ii) Theoretic Contribution We explain how hybrid systems with time function can be developed in Event-B and we show how we can transform a discrete approach to a continuous one. This is based on the usage of refinement. In order to support complex physical system, we extend the approach of model-ing hybrid systems with a new one called "Click":this constitutes a systematic design pattern for the time feature of hybrid systems. For those hybrid systems where the continuous parts are defined by differential equations, we try to give a theoretical approach on how to prove properties of differential equations without solving them. This work is based on solid mathematic foundations:the usage of Euler approximations and that of non standard analysis,(iii) Practical Contribution This study contains many practical examples whose role is to explain our approach. Such examples cover nuclear cooling control, train control, aircraft collision avoidance, water tank, etc. We believe that examples are important to show that this approach to hybrid systems can be made practical. In order to improve the confidence in formal modeling, we also propose some complementary approaches for hybrid system development. This includes the usage Simulink and animation, the introduction of sensor and actuator pat-terns, and an implicit invariant discovery approach as well.(iv) Software Contribution In order to complement formal development and translate Event-B model to Simulink model, we developed a plug-in for the Rodin platform. This plug-in can perform this translation automatically.æ›´å¤š è¿˜åŽŸ

ã€å…³é”®è¯ã€‘ å½¢å¼åŒ–æ–¹æ³•ï¼› æ··åˆç³»ç»Ÿï¼› è‡ªé¡¶å‘ä¸‹å¼€å‘ï¼› Event-Bï¼› å»ºæ¨¡ä¸Žè¯æ˜Žï¼› ç²¾åŒ–ï¼› Rodinå¹³å°ï¼› Matlab/Simulinkï¼›
ã€Key wordsã€‘ Formal Methodsï¼› Hybrid Systemsï¼› Top-down Developmentï¼› Event-Bï¼› Modelling and Provingï¼› Refinementï¼› Rodin Platformï¼› Matlab/Simulinkï¼›

ã€ç½‘ç»œå‡ºç‰ˆæŠ•ç¨¿äººã€‘ åŽä¸œå¸ˆèŒƒå¤§å¦

ã€åˆ†ç±»å·ã€‘TP311.5
ã€ä¸‹è½½é¢‘æ¬¡ã€‘165
æ”»è¯»æœŸæˆæžœ

æ‰“å°æœ¬é¡µ

èŠ‚ç‚¹æ–‡çŒ®ä¸ï¼š

èŠ‚ç‚¹æ–‡çŒ®

åŸºäºŽEvent-Bçš„æ··åˆç³»ç»Ÿå½¢å¼åŒ–ï¼šç†è®ºä¸Žå®žè·µ

Formalizing Hybrid Systems Using Event-B:Theory and Practice

åŸºäºŽEvent-Bçš„æ··åˆç³»ç»Ÿå½¢å¼åŒ–ï¼šç†è®ºä¸Žå®žè·µ