of the required behaviour of the overall system. This process is illustrated in
Section 2.
The approach to describing fault-tolerant behaviour is less firm but a number of ideas are explored in Section 3. Our basic hope is to be able to formalise a notion of layered specifications in which one can for example state the behaviour desired in the absence of component failures (with one set of rely/guarantee predicates) separately from a description of (presumably) more restricted behaviour in the presence of faults. (There might of course be several layers of such fault-tolerance.) The motivation here is very like that for VDM's "error conditions" (see [Daw91]) but we discuss in Section 4.3 why the notion of changing from the well-behaved to the fault-tolerant phase is difficult (and the direction in which we are seeking a resolution of the difficulty).
2 The Sluice Gate Example
The example considered in detail in this paper concerns a sluice gate (as introduced in [Jac00]) designed to control the flow of water in a farm irrigation channel. The gate is pictured in Figure 2; it consists of a barrier sliding in vertical guides and positioned across the flow of water in the irrigation channel. The barrier is raised and lowered by a reversible motor which drives a rack-and-pinion mechanism engaging with the guide at each side. When the barrier is fully raised it is open and the flow of water is unimpeded; when the barrier is fully down it is closed and the flow of water is blocked. The guides are equipped with stops that prevent the barrier from moving beyond the guide limits. There are top and bottom sensors which should be set on when the barrier is fully raised or fully down respectively.
The idea outlined in Section 1.1 is to write an initial specification based on a wide view of a system, including both the machine and the problem world. The machine is the computer, executing the control program to be developed. The problem world is that part of physical reality in which the problem resides and in which the effects of the system, once installed and set in operation, will be evaluated.
Fig. 2. A representation of a sluice gate (labels in the figure: Motor, Gate, Top & Bottom Sensors, Water, Mechanism)
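To make the layered rely/guarantee idea of Section 1 concrete for the gate just described, here is an added simulation (it is not code from the paper or from [Jac00]): a tick-based model of the barrier, stops and sensors, a controller that raises the barrier, and predicates that decide which layer of the specification an observed run satisfied. The normal layer relies on the top sensor being on exactly when the barrier is fully raised and guarantees that the run ends with the gate open and the motor stopped; the fault-tolerant layer, under a weaker rely (only that the stops hold), guarantees just that the motor is stopped within a bound and the barrier never leaves the guides. The unit positions, the bound STEP_BOUND, the stuck-off top-sensor fault and every name in the block are assumptions made for this example.

```python
"""Layered rely/guarantee check for a simulated sluice gate (added example).

The physical parts (barrier in guides, reversible motor, top/bottom sensors,
hard stops) follow the description of the gate; the tick-based kinematics,
the fault model and the step bound are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List

TOP = 10              # assumed: barrier position in units, 0 = fully down, TOP = fully raised
STEP_BOUND = TOP + 2  # assumed: ticks the controller allows before declaring a fault


@dataclass
class World:
    """Problem world: barrier position, sensors, stops, and an optional sensor fault."""
    position: int = 0
    top_sensor_stuck_off: bool = False  # assumed fault: top sensor never reports 'on'

    def sensors(self):
        top = self.position == TOP and not self.top_sensor_stuck_off
        bottom = self.position == 0
        return top, bottom

    def apply(self, motor: str) -> None:
        # The stops prevent the barrier from moving beyond the guide limits.
        if motor == "up":
            self.position = min(TOP, self.position + 1)
        elif motor == "down":
            self.position = max(0, self.position - 1)


@dataclass
class Step:
    """One observed tick: world state as sensed, and the motor command issued."""
    tick: int
    position: int
    top: bool
    bottom: bool
    motor: str


def open_gate(world: World) -> List[Step]:
    """The machine: raise the barrier until the top sensor is on.

    Normal layer: stop when the top sensor comes on.
    Fault-tolerant layer (assumed): also stop once STEP_BOUND ticks have passed
    without the sensor, so a stuck sensor cannot keep the motor driving against
    the stop indefinitely.
    """
    trace: List[Step] = []
    for tick in range(STEP_BOUND + 1):
        top, bottom = world.sensors()
        motor = "stop" if (top or tick == STEP_BOUND) else "up"
        trace.append(Step(tick, world.position, top, bottom, motor))
        if motor == "stop":
            break
        world.apply(motor)
    return trace


def rely_sensors_truthful(trace: List[Step]) -> bool:
    """Normal-layer rely: the top sensor is on exactly when the barrier is fully raised."""
    return all(s.top == (s.position == TOP) for s in trace)


def guarantee_normal(trace: List[Step]) -> bool:
    """Normal-layer guarantee: the run ends with the gate open and the motor stopped."""
    last = trace[-1]
    return last.motor == "stop" and last.top and last.position == TOP


def guarantee_degraded(trace: List[Step]) -> bool:
    """Fault-tolerant guarantee (assumed, weaker): the motor is stopped within the
    bound and the barrier never leaves the guides, whether or not the gate opened."""
    last = trace[-1]
    return (last.motor == "stop"
            and len(trace) <= STEP_BOUND + 1
            and all(0 <= s.position <= TOP for s in trace))


def classify(trace: List[Step]) -> str:
    """Which layer of the specification an observed run satisfied.

    If the normal rely held, the normal guarantee is owed; otherwise only the
    degraded guarantee is owed. Anything else is a violation of the spec.
    """
    if rely_sensors_truthful(trace):
        return "normal" if guarantee_normal(trace) else "violation"
    return "degraded" if guarantee_degraded(trace) else "violation"


if __name__ == "__main__":
    print(classify(open_gate(World())))                           # normal
    print(classify(open_gate(World(top_sensor_stuck_off=True))))  # degraded
```

The point of separating `rely_sensors_truthful` from the two guarantees is that the controller is not asked to detect the fault directly (it cannot see that the sensor is lying); the bound is what turns the sensor failure into a run that still satisfies the weaker layer. The open question the paper raises in Section 4.3, when exactly the system is allowed to switch from owing `guarantee_normal` to owing `guarantee_degraded`, is left to `classify`, which decides it only after the fact from the whole trace.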