The behavior of a component must be predictable, that is, deterministic. When a request for service arrives at an interface (interfaces are discussed later), the component must react by providing a response. It reacts by doing one of the following:
• performing internal processing and remaining silent (a log monitoring component, for example);
• performing internal processing and sending a response to the calling component;
• performing internal processing, sending an output request to another component to get more information or perform further processing, and finally sending the response to the initial caller.
[Figure 10 (diagram omitted): a component and the kinds of events at its interface: input request, internal, output response, output request]
Figure 10: The different types of events
Therefore, response events are either internal, output response, or output request events. On the other hand, the request for service, the stimulus, can be an external input request or an internal event. Allowing internal events as stimuli makes it possible to model periodic events that prompt the component to perform monitoring or self-control activities. Therefore, stimulus events are either internal events or input requests. Figure 10 depicts the different kinds of events occurring at a component. A service is defined as a function that maps a stimulus to a response with the help of data and time constraints, as described below.
Data Constraint: In general, a stimulus may have more than one possible response. Data constraints are used to remove this nondeterminism. For each possible response, a data constraint is defined such that at most one data constraint can be true at any instant; therefore, only one response is selected. A data constraint is a special type of constraint used to decide whether or not a specific response to a requested service should be sent. The decision is based on evaluating a logical expression defined over the values of the data parameters associated with the stimulus and the attributes of the stimulus and the component. The response is given only if the constraint evaluates to true. The set of data constraints is
Ω = {ω = (A_ω, s, r, χ_ω) | A_ω ⊆ A_s ∪ A_ø, s ∈ Σ_stimulus, r ∈ Σ_response, χ_ω ∈ C}
where A_s is the set of attributes of the stimulus and A_ø is the set of attributes of the component, both of which are defined later in this chapter. If s has n responses, then n mutually exclusive data constraints must be defined in Ω for the responses of s. This ensures that the responses of s are mutually exclusive, which ensures determinism.
Time Constraint: The correct behavior of real-time systems depends not only on the services provided but also on the time at which they are provided. Therefore, service provision can be governed by time constraints. A time constraint specifies the maximum amount of time allowed to elapse between receiving a stimulus and sending the response. This is an essential requirement for safety-critical systems, where timeliness is a critical factor in defining safety. The set of time constraints is
Γ = {γ = (A_γ, χ_γ, s, r, δ) | A_γ ⊆ A, χ_γ ∈ C, s ∈ Σ_stimulus, r ∈ Σ_response, δ ∈ ℕ}
where δ is the maximum safe time, the maximum safe interval between the occurrence of a stimulus and the occurrence of its corresponding response. If χ_γ(A_γ) evaluates to true, then the maximum safe time is enforced on the response; if χ_γ(A_γ) evaluates to false, the maximum safe time need not be enforced.
A response event can be accompanied by executing several update statements that set the values of local attributes. Also, a response can be accompanied by several actions, which are internal or external events that occur after a response. Service is formalized in Definition 2.
Definition 2 Let Γ be a finite set of time constraints, Ω be a finite set of data constraints, Σ_stimulus = Σ_internal ∪ Σ_input, and Σ_response = Σ_internal ∪ Σ_output. A service is defined as a function
Θ : Σ_stimulus × Ω × Γ × ℕ → Σ_response × 𝒫(U) × S × ℕ
where U is the set of update statements defined using the function assign : D → A such that assign(α) = ν assigns a value ν from the domain D to an attribute α ∈ A_r ∪ A_ø, where A_r is the set of attributes of the response and A_ø is the set of attributes of the component, and S ⊂ Σ_output ∪ Σ_internal is the set of actions triggered by the service.
The precondition for the function is defined as follows. Let s ∈ Σ_stimulus, s = (Λ_s, A_s, χ_s, ?) such that:
• Λ_s ⊆ Λ, Λ_s = {λ_si = (D_i, ν_i, χ_i) | D_i ∈ T, ν_i : D_i, χ_i ∈ C}
• A_s ⊆ A, A_s = {α_si = (D'_i, ν'_i, χ'_i) | D'_i ∈ T, ν'_i : D'_i, χ'_i ∈ C}
The stimulus occurs if the following conditions are satisfied:
• the constraints defined for the data parameters are satisfied, that is, ⋀_{(D_i, ν_i, χ_i) ∈ Λ_s} χ_i(ν_i) = true,
• the constraints defined for the attributes are satisfied, that is, ⋀_{(D'_i, ν'_i, χ'_i) ∈ A_s} χ'_i(ν'_i) = true,
• the additional constraint defined in the stimulus specification is satisfied, that is, χ_s = true.
Θ(s, ω_sr, γ_sr, t1) = (r, R, t2), where t1 is the time at which the stimulus occurs, t2 is the time at which the response occurs, and:
1. r is extracted from the tuple ω_sr = (A_ωsr, s, r, χ_i) ∈ Ω_s such that χ_i evaluates to true,
2. γ_sr = (A, χ_γsr, s, r, δ) ∈ Γ is selected,
3. the postcondition of the function is:
 a. r = (Λ_r, A_r, χ_r, SY_r), where SY_r ∈ {!, !!, ε},
 b. Λ_r ⊆ Λ, A_r ⊆ A, R ⊆ Σ_output ∪ Σ_internal, and
 c. |t2 − t1| ≤ δ.
For convenience, we define the function φ : Σ_stimulus → 𝒫(Σ_response) such that φ(s) ≠ ∅. This function maps each stimulus to the set of responses associated with it.
[Figure 11 (diagram omitted): a service, with stimulus, data constraint, time constraint and start time as inputs and response, set of updates, set of actions and finish time as outputs]
Figure 11: Service
Figure 11 depicts a service.
Safety Property: Safety properties can be defined at the component level to enforce safe behavior. A component safety property is an invariant over the behavior of a component. The behavior can be defined using timed automata, which are discussed later. A safety property is regarded as a special type of constraint over the services provided by the component. A contract defines a nonempty set of services and safety properties. The rationale
a contract for other components that provide similar services and to enable reconfiguration of its specification. The reconfiguration updates maximum safe time, data constraints, and services for different system configurations and deployment plans.
Definition 3 We define a set of safety properties P = {p = (Σ_p, χ) | Σ_p ⊆ Σ, χ ∈ C}. A contract Ξ is defined as a tuple Ξ = (Θ, Ω, Γ, P).
The service definition must satisfy the following conditions:
• ∀γ1, γ2 ∈ Γ, γ1 = (A1, χ1, s1, r1, δ1) ∧ γ2 = (A2, χ2, s2, r2, δ2) ∧ γ1 ≠ γ2 → s1 ≠ s2 ∨ r1 ≠ r2. That is, two different time constraints cannot be defined for the same stimulus-response pair (service).
• ∀ω1, ω2 ∈ Ω, ω1 = (A1, s1, r1, χ1) ∧ ω2 = (A2, s2, r2, χ2) ∧ ω1 ≠ ω2 → s1 ≠ s2 ∨ r1 ≠ r2. That is, two different data constraints cannot be defined for the same stimulus-response pair (service).
• ∀s ∈ Σ_stimulus, |φ(s)| > 1 → ∃Ω_s ⊆ Ω • ∀ω1, ω2 ∈ Ω_s, ω1 = (A1, s, r1, χ1), ω2 = (A2, s, r2, χ2), ω1 ≠ ω2 → χ1 ⊕ χ2. That is, if a stimulus has multiple possible responses, then a service must be defined for every stimulus-response relation and assigned a different data constraint, and these data constraints must be mutually exclusive.
Example 2 Assume a real-time Continuous Glucose Monitoring system which consists of (1) a sensor inserted subcutaneously in the abdominal area to measure interstitial fluid glucose levels, and (2) a small mobile monitoring device. The sensor takes glucose readings regularly and relays them to the monitoring device. The monitoring device has an attribute which specifies an alarm threshold glucose level. If the current glucose reading is at or above the defined threshold, then the monitoring device should trigger the alarm within 5 units of time to alert the patient to a potentially dangerous glucose level and display the level. Otherwise, the monitoring device should just display the current glucose level. The following defines only the service definition part of this example for the monitoring device.
Let Λ = {λ_glucose}, where λ_glucose = (ℕ, ν, true) is the data parameter defining the current glucose level.
Let A_1 = {threshold}, where threshold = (ℕ, ν, true).
Let Σ = {Level, Alarm, Display} be the set of events, where Σ_input = {Level} and Σ_internal = {Alarm, Display}, such that Level = (Λ, ∅, true, ?).
Let Γ = {γ}, where γ = (∅, true, Level?, Alarm, 5).
Let Ω = {ω_alarm, ω_normal}, where ω_alarm = (∅, Level?, Alarm, λ_glucose ≥ threshold) and ω_normal = (∅, Level?, Display, λ_glucose < threshold). The service definitions are:
Θ(Level?, ω_alarm, γ, t1) = (Alarm, ∅, {Display}, t2) and
Θ(Level?, ω_normal, γ, t1) = (Display, ∅, ∅, t2).
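The following is an added example and not part of the thesis: a small executable model of Definitions 2 and 3, instantiated with the monitoring device of Example 2. It checks the two static well-formedness conditions (no duplicate time or data constraint for one stimulus-response pair), evaluates Θ at run time by selecting the single response whose data constraint holds and enforcing |t2 − t1| ≤ δ for Alarm, and adds one check the text implies but does not state explicitly: over a sample range of readings the data constraints of Level? must be not only mutually exclusive but also exhaustive, otherwise a reading equal to the threshold would get no response at all. All class and function names (DataConstraint, Contract, invoke, exclusive_and_exhaustive, cgm_contract), the threshold value 150, the time values and the sample glucose range are this example's own assumptions.

```python
# Added example, not from the thesis: executable model of Definitions 2 and 3
# for the CGM monitoring device of Example 2. All names here are the example's own.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Tuple

Params = Dict[str, int]   # data parameters Λ_s of a stimulus, e.g. {"glucose": 180}
Attrs = Dict[str, int]    # component attributes, e.g. {"threshold": 150}


@dataclass(frozen=True)
class DataConstraint:     # ω = (A_ω, s, r, χ_ω); A_ω is implicit in what chi reads
    stimulus: str
    response: str
    chi: Callable[[Params, Attrs], bool]


@dataclass(frozen=True)
class TimeConstraint:     # γ = (A_γ, χ_γ, s, r, δ); δ is enforced only when chi holds
    stimulus: str
    response: str
    delta: int
    chi: Callable[[Attrs], bool] = lambda attrs: True


@dataclass(frozen=True)
class ServiceBody:        # the updates U and actions S that Θ emits with a response
    updates: Tuple[Tuple[str, int], ...] = ()
    actions: Tuple[str, ...] = ()


class ContractError(Exception):
    """Static violation of the well-formedness conditions on Γ and Ω."""


class SafetyViolation(Exception):
    """Run-time violation: zero or several responses selected, or δ exceeded."""


class Contract:
    def __init__(self, omega: Iterable[DataConstraint], gamma: Iterable[TimeConstraint],
                 bodies: Dict[Tuple[str, str], ServiceBody], attrs: Attrs):
        self.omega, self.gamma = list(omega), list(gamma)
        self.bodies, self.attrs = dict(bodies), dict(attrs)
        # Conditions 1 and 2: at most one time and one data constraint per (s, r).
        for kind, cs in (("time", self.gamma), ("data", self.omega)):
            keys = [(c.stimulus, c.response) for c in cs]
            if len(keys) != len(set(keys)):
                raise ContractError(f"two {kind} constraints for one stimulus-response pair")
        for key in {(w.stimulus, w.response) for w in self.omega}:
            if key not in self.bodies:
                raise ContractError(f"no service body for {key}")

    def phi(self, stimulus: str) -> set:
        """φ(s): the set of responses associated with stimulus s."""
        return {w.response for w in self.omega if w.stimulus == stimulus}

    def invoke(self, stimulus: str, params: Params, t1: int, t2: int):
        """Θ(s, ω, γ, t1) -> (r, U, S, t2); t2 is the time the response is emitted."""
        # Condition 3 at run time: exactly one data constraint of s may hold.
        holding = [w for w in self.omega
                   if w.stimulus == stimulus and w.chi(params, self.attrs)]
        if len(holding) != 1:
            raise SafetyViolation(f"{len(holding)} data constraints hold for "
                                  f"{stimulus} with {params}; exactly one required")
        w = holding[0]
        # Time constraint: |t2 - t1| <= δ whenever the guard χ_γ is true.
        for g in self.gamma:
            if (g.stimulus, g.response) == (w.stimulus, w.response) and g.chi(self.attrs):
                if abs(t2 - t1) > g.delta:
                    raise SafetyViolation(f"{w.response} emitted after {abs(t2 - t1)} "
                                          f"time units, max safe time is {g.delta}")
        body = self.bodies[(w.stimulus, w.response)]
        self.attrs.update(body.updates)          # apply the update statements U
        return w.response, dict(body.updates), body.actions, t2


def exclusive_and_exhaustive(contract: Contract, stimulus: str,
                             samples: Iterable[Params]) -> bool:
    """Over sample parameter values, check that exactly one data constraint of
    `stimulus` holds each time: mutual exclusion (determinism) plus coverage
    (no reading left without any response)."""
    return all(sum(w.chi(p, contract.attrs) for w in contract.omega
                   if w.stimulus == stimulus) == 1 for p in samples)


def cgm_contract(threshold: int = 150, strict: bool = False) -> Contract:
    """Example 2's monitoring device. `strict=True` is a deliberately faulty variant
    that uses '>' for the alarm constraint, leaving glucose == threshold uncovered."""
    alarm = (lambda p, a: p["glucose"] > a["threshold"]) if strict else \
            (lambda p, a: p["glucose"] >= a["threshold"])
    omega = [DataConstraint("Level?", "Alarm", alarm),                       # ω_alarm
             DataConstraint("Level?", "Display",
                            lambda p, a: p["glucose"] < a["threshold"])]      # ω_normal
    gamma = [TimeConstraint("Level?", "Alarm", delta=5)]                     # γ
    bodies = {("Level?", "Alarm"): ServiceBody(actions=("Display",)),
              ("Level?", "Display"): ServiceBody()}
    return Contract(omega, gamma, bodies, {"threshold": threshold})  # threshold: assumed value
```

Calling `cgm_contract().invoke("Level?", {"glucose": 180}, 0, 3)` returns `("Alarm", {}, ("Display",), 3)`, matching Θ(Level?, ω_alarm, γ, t1); the same call with t2 = 6 raises SafetyViolation because δ = 5 is exceeded. The `strict=True` variant passes the thesis's mutual-exclusion condition but fails `exclusive_and_exhaustive`, and a reading exactly at the threshold then selects no response, which is why a practitioner should check coverage as well as exclusivity before deploying a contract.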