#### Where are we?

- SDL and MSC
  - Notation
  - Behavioral Properties
  - Analysis methods
- Petri Nets
  - Notation
  - Behavioral Properties
- Symbolic Analysis methods of finite models
- Timed automata
  - Notation
  - Semantics
  - Analysis
- Introduction to model checking ?

| TEX                                             |                        |   |                            |     |
|-------------------------------------------------|------------------------|---|----------------------------|-----|
| Computer Engineering and<br>Networks Laboratory | Discrete Event Systems | - | R. Wattenhofer / K. Lampka | 3/1 |

# SDL history (brief sketch)

- First release in 1976 using graphical syntax (orange book). The textual form was introduced later for machine processing.
- The yellow book defined the process semantics
- The red book as released in 1984, it defined a SDL system's structure, added data, etc.
- The blue book released 1988 (SDL-88) gave a formal definition. ٠
- SDL-92 contained concepts of OO: inheritance, abstract generic types for blocks processes, services parameterization of instances.
- SDL-2000 is the latest released version completely based on objectorientation. This version is accompanied by an SDL-UML-Profile.

#### Computer Engineering and vorks Laboratory

#### 3/3

#### Specification and Description Language

- SDL provides a graphical Graphic Representation (SDL/GR) as well as a textual Phrase Representation (SDL/PR) (same semantics!).
- ITU-T (Int. Telecom. Union Telecom. Standardization Sector) Recommendation Z.100, released 1992 (corrections introduced 1996).
- Found acceptance in industry, now revisions are mainly initiated by tool builders
  - => Lost a little of its clean formal basis. i.e. part of the semantics is tool dependent these days.
- Area of application:
  - Focus on telecommunication systems, but nowadays
  - process control systems, automotive applications, etc.
  - in general highly suited for (distributed real-time systems)

## тĸ

Computer Engineering and etworks Laborator

Discrete Event Systems - R. Wattenhofer / K. Lampka

3/2

### Overview (1): Structure of an SDL specification

#### SDL comprises four main

hierarchical levels:

- 1. system
- 2. blocks
- processes



- Informally: See it as tree structure
  - $\checkmark$  the root is the system,
  - $\checkmark$  the leaves are processes,
  - $\checkmark$  everything in the middle is a block.

# Overview (2): Structure of an SDL specification



IEC Web tutorial (http://www.iec.org/online/tutorials/sdl/topic02.html)

- Processes are the entities which define actual behavior
- Procedures can be viewed as some mechanism for encapsulating (sub-)behavior to be used multiple times (~function/method).
- Some tools allow also to call external functions, implemented in C++ or Java

| Computer Engineering and Discrete Event Systems - | R. Wattenhofer / K. Lampka | 3/5 |
|---------------------------------------------------|----------------------------|-----|
|---------------------------------------------------|----------------------------|-----|

#### text extension Let's start bottom-up: SDL-Processes (1) Processes are kind of automata (Extended Finite State Machines) х Each Process has its own input queue (infinite storage capacity, in principle) one input at most A state of a process is determined by - current state of process an enabling condition/ a continuous signal referring to the process' data - value of current variable in the state X. - contents of input queue i.e. before the input one output comment state changes can be triggered by input messages, where a transition or more! may execute the following actions: 0 send output modifying the process' data. a few tasks call procedure \_ should better execute loop terminate ... manipulate local variables х create new instance of process

### Overview (3): Signaling within SDL (a glance)

- · Processes interact via signals, the signals can be associated with messages (send output signals and consume input signals)
- Outputs are sent away (non-blocking).

Discrete Event Systems –

- Each signal is **buffered** at the receiving process side (FIFO)!
- Signal transmission is buffered (not immediate!)
- Routing is defined by



R. Wattenhofer / K. Lampka

block K

TE Computer Engineering and

Networks Laboratory

system ...

SIGNAL W,Y,Z;

3/6



Committee Engineering and works Laboratory



# Process-interaction (5): Signaling on routes and channels

Block level: signal routes are non-delaying

- 'implemented' by synchronization
- but the inputs are still buffered at the receiver side.

#### System level: channels can be

non-delaying

delaying

в

- 'implemented' by synchronization
- but eventually the inputs are buffered at the receiver side!



3/13

3/15

- 'implemented' by synchronization with another unbounded FIFO buffer in the middle (makes the duration of delay unpredictable).
- additionally, the inputs are buffered at the receiver side.

Keep in mind that channels and signal routes may be uni-



#### TEL

Computer Engineering and Networks Laboratory

Discrete Event Systems - R. Wattenhofer / K. Lampka

# Continuous signals (2)



Idea: Trigger process behavior without having a new input into the process' queue

Committee Engineering and

vorks Laboratory

#### **Continuous signal**

- 1. guards the branches of input-less alternatives.
- 2. guards are Boolean conditions on process data.
- 3. If available input signals are always processed first.
- 4. non-determinism among various enabled continuous signals can be resolved by assigning priorities to the conditions.

Scheduling:

- 1. check for input signal
- 2. check continuous signal with Prio 1, ....



# A data dependent process: Continuous signals (1)



# Commuter Engineering and

Discrete Event Systems - R. Wattenhofer / K. Lampka

# Time in SDL

- Some snippets from the standard:
  - " Time only progresses if all input buffers are empty."
  - "Taking a transition takes a positive, but negligible amount of time. " => time consumption of transitions can not be modeled explicitly. alternatives?

Discrete Event Systems - R. Wattenhofer / K. Lampka

Why is time interesting to discuss? ٠ because SDL allows one to set timers and to react on timeouts. and allows to refer to the current time (NOW). this construct appears handy, and is often used.



- To some extend SDL guarantee implementation. due to :
- automatic generation of code.
- automatic generation of test case.



- Recall the process-interaction via buffered FIFO queues
- Expiring of a local timer just appends a signal to the local input queue
- This implies that reaction to timeouts may not be immediate!





tworks Laboratory

3/20

Computer Engineering and Networks Laboratory

TE

Computer Engineering and Networks Laboratory

We will come back to this in the ex. class

Discrete Event Systems - R. Wattenhofer

3/19

## MSC: Message Sequence Chart

- Standardized language for describing interaction among concurrent processes
- · complements the description of a system,
- Most high-level modeling formalisms are state-based, and correspond to executable specifications (not only the ones we discuss here like SDL, PNs and TAs)
  - => Often difficult to capture "informal" initial sketches.
- · Therefore MSCs are often used for defining
  - Use- or Test-cases
  - Scenario-based requirements modeling which seems in particular of value for early design stages of systems. Furthermore MSC is often used for
  - documentation purpose
- UML-Sequence charts are based on MSCs, which is one of its heavier used parts.

| Computer Engineering and Discrete Event Systems | ; _ | R. Wattenhofer / K. Lampka | 3/21 |
|-------------------------------------------------|-----|----------------------------|------|
|-------------------------------------------------|-----|----------------------------|------|

# MSC: Message Sequence Charts



- time evolves along time lines of processes from top to bottom
   => events on the same
  - time-line are totally ordered
- Model of communication: asynchronous FIFO channels, messages can overtake each other
- Sending and Receiving of a message is ordered
   => partial order on set of events

# MSC: Message Sequence Charts



- MSCs are precedence graphs
  with locality information
- Each process instance has its own time line
- each vertical line represents a process (or the environment)
- the arrows represent signals/messages the blocks represent (internal) process activities

#### Computer Engineering and Networks Laboratory

gineering and Dis

Discrete Event Systems – R. Wattenhofer / K. Lampka

3/22

### Recall definition of partial order?

- · A relation is a set of pairs drawn from some set, say E.
- A reflexive relation is a relation that contains the pair (e,e) for each element e of E.
- A transitive relation is a relation which contains the pair (e,g) whenever it contains both (e,f) and (f,g).
- A partial order is a reflexive and transitive relation.
- A total order is a partial order which for each pair (e,f) of E (with e≠f) does either contain (e,f) or (f,e) but not both.

# MSC – Did we specify the same scenario?



# MSC - How simple!



### Definition: Basic MSC

A (basic) MSC M is a tuple (P, E, L, c, <), with

- a set P of process labels (labelling the instance axis),
- a finite set E events  $E = S \cup R \cup A$ , consisting of send events S, receive events R and action events A (task executions etc.)
- a labeling function  $L: E \leftarrow P$  (putting events on the instance axis),
- a bijection  $c: S \to R$  (for send-receive edges)
- a precedence relation  $\leq E \times E$ .

Send of a message occurs before its receipt. Events on the same instance are totally ordered **Must be well-formed: no cycles in precedence graph**.

# Computer Englis

Computer Engineering and Networks Laboratory

neering and Dis

Discrete Event Systems - R. Wattenhofer / K. Lampka

3/26

### Semantics of Basic MSC

- <\*, the transitive closure of <, defines a partial order on E
- A trace of MSC M is a linearization of the partial order <\*.
  - every trace is a finite sequence of events that "obeys" the precedence.
  - each event occurs exactly once in a trace and only after all its preceding events have already occurred in the trace so far.
  - always finite.
- Semantics of MSC M
  - is the set of all possible traces.
  - can be represented as a finite LTS (Labeled Transition System).

## MSC: Timers



- · SDL has from the very beginning been devised in combination with MSC (ITU standard Z.100/Z.120)
- · Within SDL, MSC are used
  - for requirements engineering
  - for test case engineering
  - as example scenarios which the SDL system is supposed to comply to
  - as a logging means for traces generated from an SDL system
- MSC has spinned off as a requirements engineering formalism.

# MSC: Timers, an example



#### What next?

By now it should be clear that the the design of concurrent system is difficult and error-prone and often leads to inconsistent system behaviors with respect to the desired or required behavior.

Discrete Event Systems - R. Wattenhofer / K. Lampka

# This is often a threat in real life and not acceptable §

How can we check for inconsistency?

Look for

Computer Engineering and

works Laboratory

- · safety violations like deadlocks,
- progress violations like livelocks

# Visual inspection is infeasible!

#### Committee Engineering and vorks Laboratory

3/31

## Computer-assisted verification (The TAU-tool suite)



### Variable abstraction in Tau

- Assume that you are validating a property which is independent of the exact values of the process variables
- Further assume that your SDL specification contains masses of variables used for purposes like
  - counting messages,
  - computing results,
  - logging information,
  - etc.
- It seems a good idea not to care about the variables in the property specific verification
  - => This is the essence of variable abstraction, and it is supported manually in Tau. The user has the opportunity to mask variables he guesses to be irrelevant for the verification.

Vice-versa it could also be the case that one simply assumes that variables are within some intervals => abstract interpretation

3/35



Discrete Event Systems – R. Wattenhofer / K. Lampka

#### Tau-assisted verification Does a design *D* satisfy a requirement \$?

- The Tau tool supports simulation, and some rudimentary form of state space exploration
- Simulation: generates traces through the state space
  - user-driven (that's not really verification, but useful)

#### State Space Exploration:

- explores
  - randomly (driven by a pseudo random number generator), or
  - exhaustively up to a given depth.
- checks
  - whether the encountered states satisfy some (built in) sanity requirements, which are some simple safety properties.
  - whether a given MSC (requirement) can be generated.

### E.

Computer Engineering and Networks Laboratory

Discrete

Discrete Event Systems - R. Wattenhofer / K. Lampka

3/34

# Simulation and verification within Tau.

• The simulator and validator explore the state space and allow one to view

how much of a specification has been visited in the current simulation or verification run.

- BUT, the presented data refers to the executed transitions and the visited states of the specification (=> coverage rate)
- Is this sufficient?



#### Computer Engineering and Networks Laboratory

Discrete Event Systems - R. Wattenhofer / K. Lampka

#### State - and transition coverage vs. State space coverage

#### State - and transition coverage refer to the specification level.

=> Simulator and Validator explore the state space (in parts only!).

From the TAU
 tool documentation

Symbol coverage : 100.00 All SDL symbols in the system were executed during the exploration. If the symbol coverage is not 100% the validation cannot be considered finished.....

Remark: here validation has to be read as verification.

- This is misleading! Due to concurrency, it is very well possible
  - to have a specification that is wrong (e.g. deadlocks), but a fragment of the state space with 100% of the transitions/states covered does not show this deadlock.
  - to have a specification that works 100% correct, but where less that 100% of the specification are covered.

| TEL                                             |                        |   |                            |      |
|-------------------------------------------------|------------------------|---|----------------------------|------|
| Computer Engineering and<br>Networks Laboratory | Discrete Event Systems | - | R. Wattenhofer / K. Lampka | 3/37 |

# The Relations between Different Languages and SDL/MSC





Computer Engineering and Networks Laboratory

Discrete Event Systems – R. Wattenhofer / K. Lampka

#### 3/39

#### What to do with a verified SDL spec?

Implement the system in software (and/or hardware, sometimes).

#### Do this

- automatically (code generation)
  - is supported by the Tau tool;
  - is often considered inefficient;
    One reason: Buffer-based communication disturbing in non-distributed implementations of SDL blocks;

or

- manually
  - specification is reference for the implementers,
  - specification can provide test-suites for the running code

#### Tex

Computer Engineering and Networks Laboratory Discrete Event Systems - R. Wattenhofer / K. Lampka

3/38

### Acknowledgment and Literature

#### Acknowledgements:

The presented slides contain material of Prof. H. Hermanns (Univ. des Saarlandes) and Prof. M. Siegle (Univ. der Bundeswehr Muenchen), who kindly approved this.

#### Literature

- TIMe Electronic Textbook version 4.0 September 1999
  - Chapter 13: Tutorial on SDL http://www.sintef.no/time/ELB40/ELB/SDL/SDL.pdf
  - Chapter 14: Tutorial on MSC-96
    http://www.sintef.no/time/ELB40/ELB/MSC96/MSC96.pdf
- L. Doldi:

Validation of communications systems with SDL : the art of SDL simulation and reachability analysis, Chichester Wiley, 2003 Zugriff über: http://www3.interscience.wiley.com/cgi-bin/bookhome/109867833

- More information can be found @
  - <u>http://www.sdl-forum.org</u>
  - http://www.iec.org/online/tutorials/sdl/

#### TIK Computer Engineering and