formal methods for interactive systems
play

Formal Methods for Interactive Systems Part 8 Cognitive - PowerPoint PPT Presentation

Sep 16, 2023 •48 likes •1.42k views

Formal Methods for Interactive Systems Part 8 Cognitive Architectures Antonio Cerone United Nations University International Institute for Software Technology Macau SAR China email: antonio@iist.unu.edu web: www.iist.unu.edu A. Cerone,

  1. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Knowledge Role • goal formulation • operation selection • operation application • goal completion A. Cerone, UNU-IIST – p.9/46

  2. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Knowledge Role • goal formulation • operation selection • operation application • goal completion Steps are triggered by knowledge availability A. Cerone, UNU-IIST – p.9/46

  3. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Knowledge Role • goal formulation • operation selection • operation application • goal completion Steps are triggered by knowledge availability knowledge availability = ⇒ recursion: new space problem invoked with goal = find needed knowledge A. Cerone, UNU-IIST – p.9/46

  4. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs SOAR Executable Cognitive Architecture developped by Allen Newell, John Laird and Paul Rosembloom in 1983 [Newell et a. 87] Used by the University of Michigan http://sitemaker.umich.edu/soar/ A. Cerone, UNU-IIST – p.10/46

  5. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs PUM Programmable User Models Psychologically Constrained Architecture which an interface designer is invited to program to simulate a user performing a range of tasks with a proposed interface [Young et a. 89] A. Cerone, UNU-IIST – p.11/46

  6. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs PUM Philosophy The interface designer • must program the PUM respecting the constraints = ⇒ driven interface design = ⇒ explicit “user program” A. Cerone, UNU-IIST – p.12/46

  7. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs PUM Philosophy The interface designer • must program the PUM respecting the constraints = ⇒ driven interface design = ⇒ explicit “user program” • run the model ( = ⇒ “user program” is executable) to make predictions = ⇒ show source of predictions and strategy options A. Cerone, UNU-IIST – p.12/46

  8. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs PUM Purposes • Outcome: predictive evaluation to tell the designer usability of a proposed design before it is actually built A. Cerone, UNU-IIST – p.13/46

  9. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs PUM Purposes • Outcome: predictive evaluation to tell the designer usability of a proposed design before it is actually built • Benefits for the designer: • to draw the designer attention to issues of usability • to provide a way of reasoning about usability A. Cerone, UNU-IIST – p.13/46

  10. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs PUMA: PUM Applications Research Project aim to • Bring the PUM metodology into industrial design • Using formal methods to effectively implement PUM PUMA Research Group Website: http://www.cs.mdx.ac.uk/puma/ A. Cerone, UNU-IIST – p.14/46

  11. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Detecting User Errors Work by Curzon and Blandford [Curzon et al. 01]: • PUM defined in the HOL Theorem Prover = ⇒ Generic User Model described by sets of non-deterministic rules A. Cerone, UNU-IIST – p.15/46

  12. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Detecting User Errors Work by Curzon and Blandford [Curzon et al. 01]: • PUM defined in the HOL Theorem Prover = ⇒ Generic User Model described by sets of non-deterministic rules • Programming performed using SML = ⇒ target the Generic User Model to a particular design A. Cerone, UNU-IIST – p.15/46

  13. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Detecting User Errors Work by Curzon and Blandford [Curzon et al. 01]: • PUM defined in the HOL Theorem Prover = ⇒ Generic User Model described by sets of non-deterministic rules • Programming performed using SML = ⇒ target the Generic User Model to a particular design • Automated Correctness Proof A. Cerone, UNU-IIST – p.15/46

  14. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Detecting User Errors Work by Curzon and Blandford [Curzon et al. 01]: • PUM defined in the HOL Theorem Prover = ⇒ Generic User Model described by sets of non-deterministic rules • Programming performed using SML = ⇒ target the Generic User Model to a particular design • Automated Correctness Proof • Informal reasoning to detect errors A. Cerone, UNU-IIST – p.15/46

  15. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving Well-Formed Formulae A. Cerone, UNU-IIST – p.16/46

  16. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ❍ ❨ ❍ ❍ Well-Formed Formulae ✟ ✟ ✟ ✙ true A. Cerone, UNU-IIST – p.16/46

  17. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❍ ❨ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❍ ❨ ✟ ❍ ✟ ❍ ✙ ✟ true A. Cerone, UNU-IIST – p.16/46

  18. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❍ ❨ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❍ ❨ ✟ ❍ ✟ ❍ ✙ ✟ true ∈ System Model A. Cerone, UNU-IIST – p.16/46

  19. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❨ ❍ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❍ ❨ ✟ ❍ ✟ ❍ ✟ ✙ true ⊆ ∈ System Model Properties A. Cerone, UNU-IIST – p.16/46

  20. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❍ ❨ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❨ ❍ ✟ ❍ ✟ ❍ ✙ ✟ true ⊆ ∈ ✂ ✂ System Model Properties ✂ ✂ ✂ ✛ ✂ ✂ Axioms A. Cerone, UNU-IIST – p.16/46

  21. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❍ ❨ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❨ ❍ ✟ ❍ ✟ ❍ ✟ ✙ true ⊆ ∈ ✂ ✂ System Model Properties ✂ ✂ ✂ ✛ ✂ ✂ Axioms ✲ Inference Rules A. Cerone, UNU-IIST – p.16/46

  22. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❍ ❨ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❍ ❨ ✟ ❍ ✟ ❍ ✟ ✙ true ⊆ ∈ ✂ ✂ System Model Properties ✂ ✂ ✂ ✛ ✂ ✂ Axioms Theorems ✻ ✲ Inference Rules A. Cerone, UNU-IIST – p.16/46

  23. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❍ ❨ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❍ ❨ ✟ ❍ ✟ ❍ ✙ ✟ true ⊆ ∈ ✂ ✂ System Model Properties ✂ ✂ ✂ ✛ ✂ ✂ Axioms Theorems ✻ ❄ ✲ Inference Rules A. Cerone, UNU-IIST – p.16/46

  24. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving false ✟ ❍ ❨ ✟ ❍ ✙ ✟ ❍ Class of Models Well-Formed Formulae ❨ ❍ ✟ ❍ ✟ ❍ ✟ ✙ true ⊆ ∈ ✂ ✂ System Model Properties ✂ ✂ ⊆ ✂ ✛ ✂ ✂ Axioms Theorems ✻ ❄ ✲ Inference Rules A. Cerone, UNU-IIST – p.16/46

  25. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages A. Cerone, UNU-IIST – p.17/46

  26. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity A. Cerone, UNU-IIST – p.17/46

  27. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems A. Cerone, UNU-IIST – p.17/46

  28. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems • Complex data structure A. Cerone, UNU-IIST – p.17/46

  29. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems • Complex data structure • Disadvantages A. Cerone, UNU-IIST – p.17/46

  30. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems • Complex data structure • Disadvantages • Semidecidability A. Cerone, UNU-IIST – p.17/46

  31. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems • Complex data structure • Disadvantages • Semidecidability • Verification procedure not fully automated A. Cerone, UNU-IIST – p.17/46

  32. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems • Complex data structure • Disadvantages • Semidecidability • Verification procedure not fully automated • Tools difficult to use A. Cerone, UNU-IIST – p.17/46

  33. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems • Complex data structure • Disadvantages • Semidecidability • Verification procedure not fully automated • Tools difficult to use • No scalability A. Cerone, UNU-IIST – p.17/46

  34. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Theorem-proving: Pros & Cons • Advantages • Maximum Modelling Expressivity • Infinite State Systems • Complex data structure • Disadvantages • Semidecidability • Verification procedure not fully automated • Tools difficult to use • No scalability • Does not allow debugging A. Cerone, UNU-IIST – p.17/46

  35. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages A. Cerone, UNU-IIST – p.18/46

  36. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability A. Cerone, UNU-IIST – p.18/46

  37. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated A. Cerone, UNU-IIST – p.18/46

  38. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated • Better usability tools A. Cerone, UNU-IIST – p.18/46

  39. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated • Better usability tools • Good scalability A. Cerone, UNU-IIST – p.18/46

  40. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated • Better usability tools • Good scalability • Allows debugging A. Cerone, UNU-IIST – p.18/46

  41. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated • Better usability tools • Good scalability • Allows debugging • Disadvantages A. Cerone, UNU-IIST – p.18/46

  42. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated • Better usability tools • Good scalability • Allows debugging • Disadvantages • Limited Expressivity A. Cerone, UNU-IIST – p.18/46

  43. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated • Better usability tools • Good scalability • Allows debugging • Disadvantages • Limited Expressivity • Finite State Systems A. Cerone, UNU-IIST – p.18/46

  44. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Model-Checking: Pros & Cons • Advantages • Decidability • May be fully automated • Better usability tools • Good scalability • Allows debugging • Disadvantages • Limited Expressivity • Finite State Systems • Limited data structure A. Cerone, UNU-IIST – p.18/46

  45. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Sets of Rules to describe • reactive behaviour: user reacts to a stimulus that clearly indicates that a particular action should be taken (independently of the goal) A. Cerone, UNU-IIST – p.19/46

  46. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Sets of Rules to describe • reactive behaviour: user reacts to a stimulus that clearly indicates that a particular action should be taken (independently of the goal) • communication goals: user knows a task-dependent mental list of information that must be communicated to the device A. Cerone, UNU-IIST – p.19/46

  47. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Sets of Rules to describe • reactive behaviour: user reacts to a stimulus that clearly indicates that a particular action should be taken (independently of the goal) • communication goals: user knows a task-dependent mental list of information that must be communicated to the device • completion: subsidiary tasks generated in achieving the goal A. Cerone, UNU-IIST – p.19/46

  48. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Sets of Rules to describe • reactive behaviour: user reacts to a stimulus that clearly indicates that a particular action should be taken (independently of the goal) • communication goals: user knows a task-dependent mental list of information that must be communicated to the device • completion: subsidiary tasks generated in achieving the goal • abort: no rational action is available A. Cerone, UNU-IIST – p.19/46

  49. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Sets of Rules to describe • reactive behaviour: user reacts to a stimulus that clearly indicates that a particular action should be taken (independently of the goal) • communication goals: user knows a task-dependent mental list of information that must be communicated to the device • completion: subsidiary tasks generated in achieving the goal • abort: no rational action is available nondeterministic rules = ⇒ rule disjunction A. Cerone, UNU-IIST – p.19/46

  50. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Reactive Behaviour ( stimulus t ) ∧ NEXT reaction t A. Cerone, UNU-IIST – p.20/46

  51. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Reactive Behaviour ( stimulus t ) ∧ NEXT reaction t NEXT does not require that the action is taken on the next cycle, but rather that it is taken before any other user action A. Cerone, UNU-IIST – p.20/46

  52. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Reactive Behaviour ( stimulus t ) ∧ NEXT reaction t To target the generic user model to a particular device, it is applied to a concrete list in SML [( stimulus 1 , reaction 1 ) ; ... ; ( stimulus n , reaction n )] A. Cerone, UNU-IIST – p.20/46

  53. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Reactive Behaviour ( stimulus t ) ∧ NEXT reaction t [( stimulus 1 , reaction 1 ) ; ... ; ( stimulus n , reaction n )] Example: [( light , push button ) ; ( wait msg , pause ) ; ( card msg , take card ) ; ( cash msg , take cash )] A. Cerone, UNU-IIST – p.20/46

  54. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Reactive Behaviour ( stimulus t ) ∧ NEXT reaction t ✓✏ ✓✏ stimulus ✲ ✲ ✒✑ ✒✑ ✻ ✚ ✙ action [( stimulus 1 , reaction 1 ) ; ... ; ( stimulus n , reaction n )] Example: [( light , push button ) ; ( wait msg , pause ) ; ( card msg , take card ) ; ( cash msg , take cash )] A. Cerone, UNU-IIST – p.20/46

  55. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Reactive Behaviour ( stimulus t ) ∧ NEXT reaction t ✓✏ ✓✏ stimulus ✲ ✲ R ✒✑ ✒✑ ✻ ✚ ✙ action R 1 = R / f 1 where f 1 ( stimulus ) = light f 1 ( reactions ) = push button [( stimulus 1 , reaction 1 ) ; ... ; ( stimulus n , reaction n )] Example: [( light , push button ) ; ( wait msg , pause ) ; ( card msg , take card ) ; ( cash msg , take cash )] A. Cerone, UNU-IIST – p.20/46

  56. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Communication Goals ∼ ( goalachieved t ) ∧ ( guard t ) ∧ NEXT action t A. Cerone, UNU-IIST – p.21/46

  57. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Communication Goals ∼ ( goalachieved t ) ∧ ( guard t ) ∧ NEXT action t Example: [( has card , insert card ) ; ( TRUE , insert pin )] A. Cerone, UNU-IIST – p.21/46

  58. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Communication Goals ∼ ( goalachieved t ) ∧ ( guard t ) ∧ NEXT action t Example: [( has card , insert card ) ; ( TRUE , insert pin )] Goal: HasGotCash A. Cerone, UNU-IIST – p.21/46

  59. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Communication Goals ∼ ( goalachieved t ) ∧ ( guard t ) ∧ NEXT action t Example: [( has card , insert card ) ; ( TRUE , insert pin )] Goal: HasGotCash ✓✏ ✓✏ ✓✏ ✓✏ notach cond action ✲ ✲ ✲ ✲ C ✒✑ ✒✑ ✒✑ ✒✑ A. Cerone, UNU-IIST – p.21/46

  60. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Communication Goals ∼ ( goalachieved t ) ∧ ( guard t ) ∧ NEXT action t Example: [( has card , insert card ) ; ( TRUE , insert pin )] Goal: HasGotCash ✓✏ ✓✏ ✓✏ ✓✏ notach cond action ✲ ✲ ✲ ✲ C ✒✑ ✒✑ ✒✑ ✒✑ ✞ ☎ notach ✓✏ ✓✏ ❄ goal ✲ ✲ G ✒✑ ✒✑ A. Cerone, UNU-IIST – p.21/46

  61. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Completion if ((( invariant t ) ∧ ( goalachieved t )) ∨ (( finished ( t − 1 )) then action finished t else — disjunction of nondeterministic rules — Invariant: VALUE possession t ≥ VALUE possession 1 ✓✏ ✓✏ ✓✏ ✓✏ notach cond action ✲ ✲ ✲ ✲ C ✒✑ ✒✑ ✒✑ ✒✑ ✞ ☎ notach ✓✏ ✓✏ ❄ goal ✲ ✲ G ✒✑ ✒✑ A. Cerone, UNU-IIST – p.22/46

  62. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Completion if ((( invariant t ) ∧ ( goalachieved t )) ∨ (( finished ( t − 1 )) then action finished t else — disjunction of nondeterministic rules — Invariant: VALUE possession t ≥ VALUE possession 1 ✓✏ ✓✏ ✓✏ ✓✏ notach cond action ✲ ✲ ✲ ✲ C ✒✑ ✒✑ ✒✑ ✒✑ ✞ ☎ notach ✓✏ ✓✏ ❄ goal ✲ ✲ G ✒✑ ✒✑ finished ✓✏ ❄ ✒✑ A. Cerone, UNU-IIST – p.22/46

  63. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Completion if ((( invariant t ) ∧ ( goalachieved t )) ∨ (( finished ( t − 1 )) then action finished t else — disjunction of nondeterministic rules — Invariant: VALUE possession t ≥ VALUE possession 1 ✓✏ ✓✏ ✓✏ ✓✏ notach cond action ✲ ✲ ✲ ✲ C ✒✑ ✒✑ ✒✑ ✒✑ ✞ ☎ ✞ ☎ notach invariant ✓✏ ✓✏ ✓✏ ✓✏ ❄ ❄ pert goal ✲ ✲ ✲ ✲ G I ✒✑ ✒✑ ✒✑ ✒✑ ✻ finished finished ✚ ✙ ✓✏ ✓✏ ❄ ❄ restore ✒✑ ✒✑ A. Cerone, UNU-IIST – p.22/46

  64. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Completion if ((( invariant t ) ∧ ( goalachieved t )) ∨ (( finished ( t − 1 )) then action finished t else — disjunction of nondeterministic rules — Invariant: VALUE possession t ≥ VALUE possession 1 ✓✏ ✓✏ ✓✏ ✓✏ notach cond action ✲ ✲ ✲ ✲ C ✒✑ ✒✑ ✒✑ ✒✑ ✞ ☎ ✞ ☎ notach invariant ✓✏ ✓✏ ✓✏ ✓✏ ❄ ❄ pert goal ✲ ✲ ✲ ✲ G I ✒✑ ✒✑ ✒✑ ✒✑ ✻ finished finished ✚ ✙ ✓✏ ✓✏ ❄ ✞ ✞ ❄ finished finished ✲ ✲ restore ✝ ✝ ✒✑ ✒✑ A. Cerone, UNU-IIST – p.22/46

  65. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs CSP Architecture ✓✏ ✓✏ ✓✏ ☎ stimulus ✲ ✲ ✲ ✆ finished R ✛ finished ✒✑ ✒✑ ✒✑ ✻ ✚ ✙ action ✞ ☎ finished ✓✏ ✓✏ ✓✏ ✓✏ ✓✏ ❄ notach cond action finished ✲ ✲ ✲ ✲ ✲ C ✒✑ ✒✑ ✒✑ ✒✑ ✒✑ ✞ ☎ ✞ ☎ notach invariant ✓✏ ✓✏ ✓✏ ✓✏ ❄ ❄ pert goal ✲ ✲ ✲ ✲ G I ✒✑ ✒✑ ✒✑ ✒✑ ✻ finished finished ✚ ✙ ✓✏ ✓✏ ❄ ✞ ✞ ❄ finished finished ✲ ✲ restore ✝ ✝ ✒✑ ✒✑ A. Cerone, UNU-IIST – p.23/46

  66. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs User Model HOL A. Cerone, UNU-IIST – p.24/46

  67. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs User Model HOL Rule disjunction A. Cerone, UNU-IIST – p.24/46

  68. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs User Model HOL Rule disjunction CSP A. Cerone, UNU-IIST – p.24/46

  69. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs User Model HOL Rule disjunction CSP U = R 1 � ... � R m � (( C 1 � G ) | [ { goal , finished } ] | ... ... | [ { goal , finished } ] | ( C n � G )) � I 1 � ... � I s A. Cerone, UNU-IIST – p.24/46

  70. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs User Model HOL Rule disjunction CSP U = R 1 � ... � R m � (( C 1 � G ) | [ { goal , finished } ] | ... ... | [ { goal , finished } ] | ( C n � G )) � I 1 � ... � I s What’s missing? A. Cerone, UNU-IIST – p.24/46

  71. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs EXERCISE How to guarantee that all reactive behaviours and communication goals are performed atomically within the user model? A. Cerone, UNU-IIST – p.25/46

  72. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Formal Verification HOL — Correctness Theorem A. Cerone, UNU-IIST – p.26/46

  73. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Formal Verification HOL — Correctness Theorem ⊢ ∀ state traces . initial state ∧ device specification ∧ user model ⊃ ∃ t . ( invariant t ) ∧ ( goalachieved t ) A. Cerone, UNU-IIST – p.26/46

  74. Models | Architectures | SOAR | PUM | PUMA | Theorem Proving | Model Checking | Rules | Exams | Refs Formal Verification HOL — Correctness Theorem ⊢ ∀ state traces . initial state ∧ device specification ∧ user model ⊃ ∃ t . ( invariant t ) ∧ ( goalachieved t ) CSP A. Cerone, UNU-IIST – p.26/46

Recommend

Presentation for 4th International Workshop on Formal Methods for Interactive Systems: FMIS 2011,

Presentation for 4th International Workshop on Formal Methods for Interactive Systems: FMIS 2011,

Presentation for 4th International Workshop on Formal Methods for Interactive Systems: FMIS 2011, Limerick, Ireland, 21 June 2011 Formal Modeling and Analysis For Interactive Hybrid Systems Ellen J. Bass Systems and Information Engineering,

280 views • 26 slides
Formal Methods for Interactive Systems Part 10 Reverse Engineering with Matrix Algebra

Formal Methods for Interactive Systems Part 10 Reverse Engineering with Matrix Algebra

Formal Methods for Interactive Systems Part 10 Reverse Engineering with Matrix Algebra Antonio Cerone United Nations University International Institute for Software Technology Macau SAR China email: antonio@iist.unu.edu web:

1.36k views • 94 slides
Formal Methods for Interactive Systems Part 1 Motivations and History Antonio Cerone

Formal Methods for Interactive Systems Part 1 Motivations and History Antonio Cerone

Formal Methods for Interactive Systems Part 1 Motivations and History Antonio Cerone United Nations University International Institute for Software Technology Macau SAR China email: antonio@iist.unu.edu web: www.iist.unu.edu A. Cerone,

983 views • 77 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Interactive theorem proving, automated reasoning, and dynamical systems Jeremy Avigad

Interactive theorem proving, automated reasoning, and dynamical systems Jeremy Avigad

Interactive theorem proving, automated reasoning, and dynamical systems Jeremy Avigad Department of Philosophy and Department of Mathematical Sciences Carnegie Mellon University April 2016 Formal methods Formal methods = logic-based

459 views • 43 slides
Formal Methods for Interactive Systems Part 3 Task Analysis Antonio Cerone United Nations

Formal Methods for Interactive Systems Part 3 Task Analysis Antonio Cerone United Nations

Formal Methods for Interactive Systems Part 3 Task Analysis Antonio Cerone United Nations University International Institute for Software Technology Macau SAR China email: antonio@iist.unu.edu web: www.iist.unu.edu A. Cerone, UNU-IIST

1.24k views • 100 slides
Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

Preliminaries Hallmarks of a Formal Approach Formal Systems in Information Technology 1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January 15, 2014 Generated on Wednesday 15 th January, 2014, 09:54

517 views • 49 slides
Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3. Course syllabus 4. Course objectives Introductory Lecture 5. Course organization 1. Lecturer 2. Formal Methods Name: Dilian Gurov Formal

56 views • 3 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

1.75k views • 151 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
Where Are We? How to model systems CISC422/853: Formal Methods Theoretically : FSAs in

Where Are We? How to model systems CISC422/853: Formal Methods Theoretically : FSAs in

Where Are We? How to model systems CISC422/853: Formal Methods Theoretically : FSAs in Software Engineering: Practically : BIR, PROMELA How to express properties Computer-Aided Verification Assertions, invariants

196 views • 9 slides
Deductive Verification Of Hybrid Systems Lectures on Formal Methods for Cyber-Physical Systems

Deductive Verification Of Hybrid Systems Lectures on Formal Methods for Cyber-Physical Systems

Deductive Verification Of Hybrid Systems Lectures on Formal Methods for Cyber-Physical Systems SOKENDAI, 07/29/19 Jrmy Dubut National Institute of Informatics Japanese-French Laboratory of Informatics Objectives of this lecture

986 views • 84 slides
Formal Methods and Systems David Cock, ETH Zrich 18/01/16 Overview Correctness challenges

Formal Methods and Systems David Cock, ETH Zrich 18/01/16 Overview Correctness challenges

Formal Methods and Systems David Cock, ETH Zrich 18/01/16 Overview Correctness challenges in Barrelfish. System configuration using SAT. Tracing and online invariant checking. Better languages for Systems. 18 January 2016

359 views • 18 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4) Contents INTRODUCTION INTRODUCTION DEFINITION AND OVERVIEW OF FORMAL METHODS SPECIFICATION METHODS LIFE CYCLES AND

317 views • 19 slides
Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan

Formal Methods for Critical Systems: A verified implementation of nested procedures Tristan Crolard 1 ICAR15 8-9 October 2015 Joint work with: 1 Pierre Courtieu, 1 , 2 Maria-Virginia Aponte, Julia Lawall 3 1. CNAM / Cedric / CPR team 2.

980 views • 71 slides
Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process What are Formal Methods? Advantages and Disadvantages of Formal Methods Formal Methods in the Requirement Process Mathematical Formulas

561 views • 20 slides
Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS

Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS

Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin 2000 Andrew Butterfield c Formal Methods for Industrial Critical Systems at Trinity College, University of Dublin (FMICS 2003, Rros, June 7th 2003)

1.02k views • 16 slides
Formal Methods in Resilient Systems Design using a Flexible Contract Approach Sponsor:

Formal Methods in Resilient Systems Design using a Flexible Contract Approach Sponsor:

Formal Methods in Resilient Systems Design using a Flexible Contract Approach Sponsor: OUSD(R&E) | CCDC By Dr. Azad Madni 11 th Annual SERC Sponsor Research Review November 19, 2019 FHI 360 CONFERENCE CENTER 1825 Connecticut Avenue NW, 8

374 views • 34 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan Source-level

Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan Source-level

1 Formal Methods for Probabilistic Systems Annabelle McIver Carroll Morgan Source-level program logic Meta-theorems for loops Examples Relational operational model Almost-certain termination Hermans Graph

985 views • 66 slides

More recommend