## Control law diagrams in Circus (2005)

Venue: In FM’05

Citations: 7 (2 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Cavalcanti05controllaw,
  author    = {Ana Cavalcanti and Phil Clayton and Malvern England},
  title     = {Control law diagrams in Circus},
  booktitle = {In FM’05},
  year      = {2005},
  pages     = {253--268},
  publisher = {Springer-Verlag}
}
```

### Abstract

Control diagrams are routinely used by engineers in the design of control systems. Yet, currently the formal verification of programs that implement the diagrams is a challenge. We present a strategy to translate block diagrams to Circus, a notation that combines Z, CSP, and a refinement calculus. This work is based on existing tools that produce Z and CSP specifications from discrete-time block diagrams. By using a combined notation, we provide a specification that considers both functional and behavioural aspects of the diagrams, and can cover a wider range of blocks. Moreover, the Circus refinement calculus can be used to derive or verify implementations, and reason about the block diagrams.

### Citations

Works cited by this paper, listed as: citation count | title - authors - year, followed by the context in which the paper cites them.

582 | The Theory and Practice of Concurrency - Roscoe - 1998
Citation context: ...nerates defines how the outputs of a cycle can be determined in terms of the inputs (and possibly, state information). QinetiQ developed another tool, called ClaSP, to support the definition of a CSP [16] specification that captures the parallelism inherent in a control law diagram. In principle, the computation embedded in the blocks can be performed in parallel; order is imposed only by the wiring. ...

474 | Programming from Specifications - Morgan - 1990
Citation context: ...ads to processes that have a large number of states and are difficult to model check. Circus is a language for refinement; it includes specification constructs from Z and Morgan’s refinement calculus [13], CSP constructs to model communica...

60 | The semantics of Circus - Woodcock, Cavalcanti - 2002
Citation context: ...the computation embedded in the blocks can be performed in parallel; order is imposed only by the wiring. ClaSP is used in the verification by model checking of distributed cyclic scheduling. Circus [19,6] is a combination of Z and CSP with a refinement calculus; it aims at the specification and design of state-rich reactive systems. Circus includes a theory and a technique of refinement that support t...

35 | Unifying Theories of Programming - Hoare, He Jifeng - 1998
Citation context: ...ory and a technique of refinement that support the calculation of concurrent implementations from centralised specifications. The semantics is based on Hoare and He’s unifying theories of programming [9]. In this work, we give a semantics to control diagrams using Circus, so that we can capture functionality and concurrency. We reuse ClawZ and ClaSP, which capture a partial semantics of these diagram...

34 | How to combine Z with process algebra - Fischer - 1998
Citation context: ...a diagram over any number of cycles, and the inherent parallelism between blocks. Cyclic diagrams involving feedback loops are also covered. There are several combinations of Z with a process algebra [8]; Circus is distinctive in its refinement theory. Our semantics opens the possibility of reasoning about control law diagrams using refinement. We discussed some examples, based on a PID controller. P...

26 | Translating discrete-time Simulink to Lustre - Caspi, Curic, et al.
Citation context: ...are also working on a theorem prover and a model checker for Circus, all based on ProofPower. These tools will be a powerful resource in the analysis of control diagrams and their implementation. In [5], a translation from discrete-time Simulink diagrams to Lustre is presented. It formalises the typing system of Simulink and type-checks diagrams before the translation; it also handles multirate diag...

24 | Formal semantics and analysis methods for Simulink Stateflow models (unpublished report) - Tiwari
Citation context: ...grams. The finite state machine reacts to events triggered in the Simulink model; the reactions lead to state changes that affect the behavior of the Simulink model. Stateflow diagrams are studied in [18,17]. We will investigate the use of Circus to model Stateflow diagrams; it seems promising as Circus can cope with both the data and reactive aspects of the problem. Ultimately, we want to cover the whol...

23 | ZRC - A Refinement Calculus for Z - Cavalcanti, Woodcock - 1999

16 | A Refinement Strategy for Circus - Cavalcanti, Sampaio, et al. - 2003
Citation context: ...the computation embedded in the blocks can be performed in parallel; order is imposed only by the wiring. ClaSP is used in the verification by model checking of distributed cyclic scheduling. Circus [19,6] is a combination of Z and CSP with a refinement calculus; it aims at the specification and design of state-rich reactive systems. Circus includes a theory and a technique of refinement that support t...

13 | ClawZ: Control laws in Z - Arthan, Caseley, et al. - 2000
Citation context: ...asoning [4,3,10]. Our work has a different focus: derivation and verification of implementations, as opposed to validation of systems. Discrete-time diagrams written using Simulink are considered in [2]. Simulink is a popular tool that is part of the Matlab environment [1]; its use in the avionics and automotive sectors is standard. In [2] we find the description of a tool, ClawZ, that translates contr...

11 | Using Z: Specification - Woodcock, Davies - 1996

4 | Generalised substitution language and differentials - Blow, Galloway - 2002
Citation context: ...a major concern; numerical modelling and simulation are the established techniques. Recently, there have been efforts to use logic to capture the meaning of control diagrams and to support reasoning [4,3,10]. Our work has a different focus: derivation and verification of implementations, as opposed to validation of systems. Discrete-time diagrams written using Simulink are considered in [2]. Simulink is ...

1 | 6th International Workshop on Hybrid Systems - Boulton, Hardy, et al. - 2003
Citation context: ...a major concern; numerical modelling and simulation are the established techniques. Recently, there have been efforts to use logic to capture the meaning of control diagrams and to support reasoning [4,3,10]. Our work has a different focus: derivation and verification of implementations, as opposed to validation of systems. Discrete-time diagrams written using Simulink are considered in [2]. Simulink is ...

1 | Workshop on Formalising Continuous Mathematics - Mahony - 2002
Citation context: ...ID controllers are considered in [3], where weakest preconditions are used for reasoning about control systems; the technique can be extended to handle static analysis of programs and concurrency. In [12], Mahony used Isabelle/HOL tools to mechanise an assertion reasoning technique based on predicate transformers for dataflow networks with feedback loops. This is a graphical notation like control law ...

1 | Verification of Picture Generated Code - O’Halloran, Smith - 1999
Citation context: ...r [11]. ClawZ has been extensively and successfully used at the Systems Assurance Group at QinetiQ in the proof of correctness of Ada programs with respect to Simulink specifications. As described in [14], the output of ClawZ is used to construct a refinement conjecture (called a compliance argument) that can be formally verified using tools integrated with ProofPower. In Z, reactivity and concurrency...

1 | Model Checking for Stateflow Diagram with Floating Point Variables and Complex Expressions - Spencer - 2002
Citation context: ...grams. The finite state machine reacts to events triggered in the Simulink model; the reactions lead to state changes that affect the behavior of the Simulink model. Stateflow diagrams are studied in [18,17]. We will investigate the use of Circus to model Stateflow diagrams; it seems promising as Circus can cope with both the data and reactive aspects of the problem. Ultimately, we want to cover the whol...