Quasi-equal clock reduction for networks of timed automata replaces equivalence classes of clocks which are equal except for unstable phases, i.e., points in time where these clocks differ in their valuation, by a single representative clock. An existing approach yields significant reductions of the overall verification time but is limited to so-called well-formed networks and local queries, i.e., queries which refer to a single timed automaton only. In this work we present two new transformations. The first, for networks of timed automata, summarises unstable phases without losing information under weaker well-formedness assumptions than needed by the existing approach. The second, for queries, now supports the full query language of Uppaal. We demonstrate that the cost of verifying non-local properties is much lower in transformed networks than in their original counterparts with quasi-equal clocks.
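The reduction described in this abstract, as an added example that is not part of the page and not the authors' tool: a constructed two-automaton network (the automata A and B, the clocks x, y and z, the channel sync and the period 10 are all assumptions of the example) is explored explicitly under an integer-time semantics with Uppaal-style committed locations. The quasi-equality criterion checked here (the two clocks agree in every reachable configuration except where one of them has just been reset, i.e. in an unstable phase) is the example's own formulation. The last two queries show why a separate query transformation is needed: a property that observes the unstable phase cannot simply have y renamed to the representative clock.

```python
"""Explicit-state check of quasi-equal clocks in a tiny network of timed
automata (integer time; clocks saturate above the largest constant). Added
illustration only: this is neither Uppaal nor the paper's transformation."""
from collections import deque, namedtuple
from dataclasses import dataclass, field

# guard: valuation -> bool; sync: "ch!" sender, "ch?" receiver, None internal
Edge = namedtuple("Edge", "src dst guard resets sync", defaults=[frozenset(), None])
Network = namedtuple("Network", "automata clocks ceiling")  # ceiling = max constant + 1

@dataclass
class Automaton:
    init: str
    edges: list
    invariant: dict = field(default_factory=dict)  # location -> (valuation -> bool)
    committed: set = field(default_factory=set)    # locations that forbid delay

def _inv_ok(net, locs, val):
    return all(a.invariant.get(l, lambda v: True)(val) for a, l in zip(net.automata, locs))

def _fire(net, locs, val, parts):
    """Take the edges in `parts` (pairs of automaton index, edge) together."""
    if any(not e.guard(val) for _, e in parts):
        return None
    new_locs, new_val = list(locs), dict(val)
    for i, e in parts:
        new_locs[i] = e.dst
        new_val.update({c: 0 for c in e.resets})
    new = (tuple(new_locs), tuple(sorted(new_val.items())))
    return new if _inv_ok(net, new_locs, new_val) else None

def successors(net, locs, val):
    comm = {i for i, (a, l) in enumerate(zip(net.automata, locs)) if l in a.committed}
    out = []
    if not comm:  # delay one unit; a committed location forbids delay
        v = {c: min(val[c] + 1, net.ceiling) for c in net.clocks}
        if _inv_ok(net, locs, v):
            out.append((locs, tuple(sorted(v.items()))))
    enabled = [(i, e) for i, a in enumerate(net.automata) for e in a.edges if e.src == locs[i]]
    steps = [[(i, e)] for i, e in enabled if e.sync is None]
    for i, e in enabled:  # binary synchronisation: each sender with each receiver
        if e.sync and e.sync.endswith("!"):
            steps += [[(i, e), (j, f)] for j, f in enabled if j != i and f.sync == e.sync[:-1] + "?"]
    for parts in steps:
        if comm and not any(i in comm for i, _ in parts):
            continue  # a committed automaton must take part in the next step
        nxt = _fire(net, locs, val, parts)
        if nxt is not None:
            out.append(nxt)
    return out

def reachable(net):
    init = (tuple(a.init for a in net.automata), tuple(sorted((c, 0) for c in net.clocks)))
    seen, todo = {init}, deque([init])
    while todo:
        locs, vt = todo.popleft()
        for s in successors(net, locs, dict(vt)):
            if s not in seen:
                seen.add(s)
                todo.append(s)
    return seen

def quasi_equal(net, x, y):
    """x and y are quasi-equal if they agree in every reachable configuration
    except where one of them has just been reset (an unstable phase)."""
    for locs, vt in sorted(reachable(net)):
        v = dict(vt)
        if v[x] != v[y] and v[x] != 0 and v[y] != 0:
            return False, (locs, vt)  # witness of a lasting difference
    return True, None

def holds_everywhere(net, prop):
    """Invariant query A[] prop, with prop(locations, valuation) -> bool."""
    return all(prop(locs, dict(vt)) for locs, vt in reachable(net))

# Constructed toy network: A resets its clock when the period elapses and, in
# zero time from the committed location `fire`, makes B reset its own clock.
def sender(clock, period=10):
    return Automaton("wait",
                     [Edge("wait", "fire", lambda v: v[clock] == period, frozenset({clock})),
                      Edge("fire", "wait", lambda v: True, sync="sync!")],
                     invariant={"wait": lambda v: v[clock] <= period}, committed={"fire"})

def receiver(resets, extra=()):
    return Automaton("wait", [Edge("wait", "wait", lambda v: True, frozenset(resets), sync="sync?"), *extra])

original = Network([sender("x"), receiver({"y"})], ["x", "y"], ceiling=11)
# B additionally resets y on its own every 5 units, so x and y drift apart.
tick5 = Edge("wait", "wait", lambda v: v["y"] == 5, frozenset({"y"}))
drifting = Network([sender("x"), receiver({"y"}, [tick5])], ["x", "y"], ceiling=11)
# Reduced network: one representative clock z; B no longer resets anything.
reduced = Network([sender("z"), receiver(set())], ["z"], ceiling=11)

def q_original(locs, v):  # "A.fire imply y == 10" holds on the original network
    return locs[0] != "fire" or v["y"] == 10

def q_naive(locs, v):  # textual rewrite y -> z fails: z is already 0 in `fire`
    return locs[0] != "fire" or v["z"] == 10
```

Saturating every clock one unit above the largest constant is what keeps the explicit exploration finite; a real model checker works on zones instead, and there the gain of the reduction is one clock dimension less per equivalence class rather than fewer explicit configurations (both networks here have twelve). The `drifting` variant is the negative case: B's own reset makes the clocks differ for whole time intervals, so it is not quasi-equal and must keep both clocks.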
Parts of the results of the paper presented at the 17th Annual Workshop on Microprogramming, 1984. SIGLE TIB: RN 3147 (94) / FIZ Fachinformationszentrum Karlsruhe / TIB Technische Informationsbibliothek. Revised November 1984. Language: German.
In future mixed traffic, Highly Automated Vehicles (HAV) will have to resolve interactions with human-operated traffic. A particular problem for HAVs is the detection of human states influencing safety-critical decisions and the driving behaviour of humans. We demonstrate the value proposition of neurophysiological sensors and driver models for optimizing the performance of HAVs under safety constraints in mixed-traffic applications.
• A counterexample-guided abstraction refinement approach for linear hybrid automata with large discrete state space is proposed.
• The approach relies on abstraction algorithms replacing the original state set by state sets of simpler shape.
• We provide benchmark results showing the relative merits of the approach.
Book, 293 pages, paperback, published 2001, ISBN 3540620079. Editors: Carlos Delgado Kloos, W. Damm.
Cyber-physical systems combine a cyber side (computing and networking) with a physical side (mechanical, electrical, and chemical processes). In many cases, the cyber component controls the physical side using sensors and actuators that observe the physical system and actuate the controls. Such systems present the biggest challenges as well as the biggest opportunities in several large industries, including electronics, energy, automotive, defense and aerospace, telecommunications, instrumentation, and industrial automation. Engineers today do successfully design cyber-physical systems in a variety of industries. Unfortunately, the development of such systems is costly, and development schedules are difficult to stick to. The complexity of cyber-physical systems, and particularly the increased performance that is offered by interconnecting what in the past have been separate systems, increases the design and verification challenges. As the complexity of these systems increases, our inabili...
SafeTRANS is a non-profit German association whose particular aim is to research processes, methods and tools that improve the development of safe embedded systems in transportation. In January 2015 a working group "Highly Automated Systems: Safety, Testing and Development Processes" was founded for this purpose. In it, participants from different areas of transportation intend to work together to develop common approaches for the development and testing of highly automated safety-critical systems. As a first joint work item, the definition of an interoperable environment model for the surroundings of the mobile platform was identified. This overview paper briefly presents the SafeTRANS association and its working group and then gives an overview of the results of relevant projects initiated by SafeTRANS on methods for modelling and safeguarding the interaction between humans and assistance systems and the ...
Validation and Verification of Automated Systems, 2019
We demonstrate on a small case study how the scenario subspace of a world model violating a safety property φ can be partitioned into a list of scenarios based on model checking and the Traffic Sequence Chart (TSC) formalism. The presented process iteratively generates scenarios, each covering a part of the not yet covered scenario space. The process is guided by counterexamples to the already established list of scenarios and φ. The tool-supported abstraction step of deriving a scenario from a concrete counterexample is driven by the predicates of the symbol dictionary, which is part of any TSC specification (Damm et al.). TSCs (i) directly provide a visualization of the generated candidate abstractions, to help an expert determine the right level of abstraction, and (ii) formally specify scenarios, which enables the outlined analysis tasks supporting the scenario definition.
We consider systems composed of an unbounded number of uniformly designed linear hybrid automata, whose dynamic behavior is determined by their relation to neighboring systems. We present a class of such systems and a class of safety properties whose verification can be reduced to the verification of (small) families of "neighboring" systems of bounded size, and identify situations in which such verification problems are decidable, resp. fixed-parameter tractable. We illustrate the approach with an example from coordinated vehicle guidance, and describe an implementation which allows us to perform such verification tasks automatically.
ATRs (AVACS Technical Reports) are freely downloadable from www.avacs.org. Copyright © June 2009 by the author(s).
2011 6th IEEE International Symposium on Industrial and Embedded Systems, 2011
We address the complete design flow from specification models of new automotive functions captured in Matlab-Simulink to their distributed execution on hierarchical bus-based electronic architectures hosting the release of already deployed automotive functions. We propose an automated design space exploration process resulting in a cost-optimized extension of the existing target hardware and an allocation, on this modified target hardware, of balanced task structures automatically derived from the specification model, which is sufficient to guarantee both system-level timing requirements and deadlines extracted from the Matlab-Simulink specification model.
During the last few years many different memory consistency protocols have been proposed. These range from strong models like sequential consistency or processor consistency to weak ones like weak ordering, release consistency and SCNF. Implementations of these protocols are usually transparent to application programs: they try to hide as much detail as possible, usually leaving "well-behaved" applications with a sequentially consistent memory view. There are two reasons why a different approach to memory consistency is chosen in this paper. On the one hand, this transparency of protocols imposes a limit on the amount of information about data access categories that can be given by applications; more information could reduce coherence overhead substantially. On the other hand, sequential consistency is not the only feasible programming model for writing parallel programs. Most applications do not rely on the strong limitations given by it, because they synchronize to access shared...
Most strong cache coherence protocols provide a sequentially consistent memory model. Weak coherence models often give an, albeit restricted, view of this model, too. However, there are many different possibilities to write parallel programs and not all of them are based on sequential consistency. This paper presents a new cache coherence protocol that provides many different ways of implementing coherence and synchronization. Using this protocol, threads can exploit knowledge about how they use data and decide which coherence scheme to use. An implementation of the protocol in a NUMA environment is described in detail and discussed. Keywords: weak cache coherency, sequential consistency, NUMA. 1 Introduction. Weak cache coherence protocols have been the object of extensive studies (e.g. [Mos93], [GLL+90], [GGH91], [Ste90], [Egg91], [ZB92]). The goal almost everybody seems to have agreed upon is to provide programmers with a machi...
Papers by W. Damm