Specification and Verification of Dynamic Topology Systems

Formal methods for embedded systems currently mainly focus on single components or fixed configurations of finitely many components. Examples for the former case are open finite-state systems as models of single discrete controllers in a discrete environment. Examples for the latter comprise models of clusters of controllers with fixed inter-connection, that is, no controllers are added or removed at runtime and the interconnection is not re-configured, e.g., the numerous controllers in a car for airbags, braking assistance, etc. These concepts are not sufficient when many autonomous systems interact. A characteristic example is the Car Platooning application as studied by the California PATH project. The intention of car platooning is to reduce fuel consumption by dynamically merging cars into platoons where they drive with significantly reduced safety distance and hence benefit from slipstream. To faithfully model car platooning, there have to be means to describe (i) unbounded appearance and disappearance of cars within the system “highway”, (ii) topologies, that is, selective connections between cars like between leader and follower, and (iii) (asynchronous) communication. We propose to extend the particular finitary abstraction Data Type Reduction (McMillan, 2001) known for parameterised systems to the class of dynamic topology systems as characterised by (i)–(iii). As computational model, we introduce labelled transition systems where states are labelled with graphs. This allows us to model nasty but possibly critical effects like dangling links, i.e. connections to already disappeared processes. Furthermore, we introduce a first-order extension of classical temporal logic. It is process-oriented in the sense that quantified variables range over processes and follow their evolution over time. We can express properties requiring that, for instance, the particular car, which initiated a merge, will finally complete the merge. The semantics of this logic for the first time completely and explicitly treats issues such as pre-mature disappearance of processes. By re-stating the finitary DTR abstraction in terms of the graph-labelled transition system, we gain insight into the potentials and limitations of this technique; beforehand, it has only been described in terms of a construction procedure. Individual-oriented properties, which are easily lost in many other abstractions, are essentially preserved by following what we call the spotlight principle (Wachter & Westphal, 2007). Finally, we demonstrate the applicability of this approach by sketching a translation from a relevant fragment of UML and of the DCS language (Bauer, Schaefer, Toben & Westphal, 2006) into graph-labelled transition system, the latter allowed us to establish safety and liveness properties for the car platooning case-study.