
Proposition monitors in UPPAAL use channel(s) to communicate that a proposition holds, is refuted or fires. A (particular) state proposition monitor, for example, broadcasts over a generated holds channel if that particular proposition starts holding, and over a generated refutes channel if it stops holding. For some event propositions, in particular sensor propositions, no extra monitor has to be added to the model. A sensor implementation broadcasts sensor events over a particular channel; the sensor in Figure 12.1, for example, sends a synchronization over the sensorTheater channel. Composite proposition monitors or pattern/scope monitors can directly synchronize on this particular channel when they are interested in this sensor firing.

12.5.1 Sensor (Group) Proposition

Sensors and sensor groups in the UPPAAL model broadcast over a channel when they have fired; we use these channels directly in our (composite/property) monitors. A sensor (group) proposition generates nothing: the generation to UPPAAL only notes that it can observe a sensor firing by listening on that specific channel, and furthermore notes that the sensor channel is “external”, to prevent the generator from mangling its name.

12.5.2 Actuator Proposition

Actuator Propositions are monitored by the change of the variable that implements such an actuator. We allow specifying arbitrary levels in the Query language (even levels that cannot be achieved) and have constructed these monitors accordingly. These monitors observe an arbitrary level under the assumption that eventually dimming is also implemented as part of the lighting system, after which observing discrete levels (“Off”, “On”, etc.) is no longer enough. Furthermore, we assume that actuators can start at any value, forcing us to assume that the status of the state proposition is initially unknown.

Consider for example a monitor for whether a single luminaire is on level 80, as depicted in Figure 12.5. The monitor is straightforward except for the use of a “hurry” channel. Since we have modeled transitions between various output levels as guards on the variable of such an actuator, transitions only become enabled when a change in output level is detected. The hurry channel is urgent, meaning that if such a change is detected, UPPAAL has to take the transition with this hurry channel, forcing the proposition to be propagated. If the hurry channel were omitted, UPPAAL could delay changing the status of such an actuator proposition, resulting in an inconsistency between the system and the monitors. It is important to note, however, that except for forcing eager execution the hurry channel changes nothing in system behavior: it is a broadcast that is never received by any other automaton in the system.

[Figure 12.5 diagram: edges labelled holds!, refutes! and hurry!, with guards lR1level = 80 and lR1level ≠ 80.]

Figure 12.5: UPPAAL monitor for an Actuator Level Proposition that specifies that the “LuminaireRoom1” is on level 80.

12.5.3 Actuator Group Proposition

Actuator Group Propositions are much like Actuator Propositions, but instead monitor the levels of all luminaires in a particular actuator group. If any luminaire is not on the desired level the proposition is refuted. If all luminaires are on the desired level the proposition holds. Consider for example a monitor that monitors whether all luminaires of the “FrontLuminaires” group are on level 20 as shown in Figure 12.6.

[Figure 12.6 diagram: edges labelled holds!, refutes! and hurry!, with guards over lF1level and lF2level compared against level 20.]

Figure 12.6: UPPAAL monitor for an Actuator Group Level Proposition that specifies that the “FrontLuminaires” group is on level 20.
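The following added example (not part of the original text or its generator) models the actuator and actuator group level monitors of Sections 12.5.2 and 12.5.3 over discrete steps, and shows the inconsistency that arises when the monitor may delay instead of reacting urgently. The trace, the function name `monitor`, the `lazy_every` parameter and the step-based timing are assumptions made for illustration; only the variable names come from the figures.

```python
from enum import Enum

class Status(Enum):
    UNKNOWN = "unknown"    # actuators may start at any value
    HOLDS = "holds"
    REFUTED = "refuted"

def monitor(trace, group, level, lazy_every=1):
    """Run a level-proposition monitor over a trace of actuator valuations.

    trace      -- list of dicts: actuator variable -> output level (one per step)
    group      -- variables that must all be on `level` (one name = single actuator)
    lazy_every -- 1 models the urgent hurry channel (react in the same step);
                  k > 1 models a monitor that is allowed to delay up to k steps
    Returns (events, mismatches): broadcasts as (step, "holds" | "refutes") and
    the steps at which the monitor status disagreed with the system.
    """
    status, events, mismatches = Status.UNKNOWN, [], []
    for step, valuation in enumerate(trace):
        truth = all(valuation[v] == level for v in group)
        if step % lazy_every == 0:              # monitor takes its transition
            wanted = Status.HOLDS if truth else Status.REFUTED
            if wanted is not status:            # broadcast only on a change
                status = wanted
                events.append((step, "holds" if truth else "refutes"))
        if (status is Status.HOLDS) != truth:   # monitor and system disagree
            mismatches.append(step)
    return events, mismatches

# Constructed trace for the "FrontLuminaires" group (hypothetical values).
FRONT = ("lF1level", "lF2level")
TRACE = [
    {"lF1level": 0,  "lF2level": 0},    # 0: refuted
    {"lF1level": 20, "lF2level": 0},    # 1: one luminaire off level, refuted
    {"lF1level": 20, "lF2level": 20},   # 2: holds
    {"lF1level": 20, "lF2level": 80},   # 3: transient refutation
    {"lF1level": 20, "lF2level": 20},   # 4: holds again
    {"lF1level": 20, "lF2level": 20},   # 5: holds
]

if __name__ == "__main__":
    print("urgent :", monitor(TRACE, FRONT, 20))
    print("delayed:", monitor(TRACE, FRONT, 20, lazy_every=2))
```

With urgent propagation every change is broadcast and the monitor never disagrees with the system; with delay, the transient refutation at step 3 is never broadcast.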

12.5.4 Timer Proposition

Timer propositions fire after a specified amount of time since they have last been reset. While we classify Timer propositions as atomic, their reset can be any event proposition. The Query instance of Listing 10.1, for example, specifies a timer that fires every hold time of a particular controller (for example, every 600 seconds) unless it is reset by the beginning of Presentation mode or any occupancy. If we assume that this composite reset proposition is observed on a channel reset, the corresponding Timer proposition monitor is given in Figure 12.7.

[Figure 12.7 diagram: a single initial location with invariant t ≤ 600; an edge reset? with update t := 0; an edge time! with guard t ≥ 600 and update t := 0.]

Figure 12.7: UPPAAL monitor for a timer that fires 600 time units after a reset.

12.5.5 Controller State Proposition

To monitor whether a controller is in a specific state we synchronize with the channels used to broadcast that the controller reaches any state. If a controller sends that it reaches the state specified in the proposition, this monitor broadcasts that the proposition holds; if the controller sends that any other state is reached, the monitor broadcasts that the proposition is refuted. Furthermore, because a controller broadcasts that it has reached its initial state before anything else, no special care has to be taken to model the (possible) initial state.

Consider for example a proposition for the “PresentModeController” of the example, stating that this specific controller is in Presentation mode. Its corresponding monitor is given in Figure 12.8.

[Figure 12.8 diagram: edges synchronizing on levelPresentation?, levelOff? and levelOn?, broadcasting holds! and refutes!.]

Figure 12.8: UPPAAL monitor for a Controller State Proposition that specifies that the “PresentModeController” is in presentation mode.