TIVDM1Modelling unordered collections1 Peter Gorm Larsen.

TIVDM1 Modelling unordered collections 1

Modelling unordered collections

Peter Gorm Larsen


Agenda

Set Characteristics and Primitives• The Minimum Safety Altitude Warning System• The Robot Controller


Set Characteristics

• Sets are unordered collections of elements• There is only one copy of each element• The elements themselves can be arbitrary

complex, e.g. they can be sets as well• Sets in VDM++ are finite• Set types in VDM++ are written as:

• set of Type


Set Membership

• If an object x is a member (an element) of a set A, then we write “x A”; if it is not a member then we write “x A”.

• “x A” can be written as “x in set A”• “x A” can be written as “x not in set A”


Set Enumeration

• A set enumeration consists of a comma-separated list enclosed between curly braces, ”{…}”

• For example• {1,5,8,1,3}• {true, false}• {{}, {4,3},{2,4}}• {‘g’,’o’,’d’}• {3.567, 0.33455,7,7,7,7}

Are all sets• The empty set can be written as “{ }” or “”


The Subset Relation

• The set A is said to be a subset of the set B if every element of A is also an element of B.

• The subset relation is written as ”A B” or as ”A subset B”

• Quick examples:• {1,2,3} {1,2,3,4,5}• { } {1,2,3}• {3,2,3,2} {2,3}


Set Equality

• Two sets are equal if both are subsets of each other i.e.• A B and B A implies that A = B

• Quick examples:• {2,4,1,2} = {4,1,2}• {true, true, false} = {false, true}• {1,1,1,1,1,1,1,1,1,1,1,1} = {1}• {3,4,5} = {3,5,5}


Proper Subsets

• The set A is said to be a proper subset of the set B if every element of A is also an element of B and B has at least member that is not a member of A.

• The subset relation is written as ”A B” or as ”A psubset B”

• Quick examples:• {1,2,3} {1,2,3,4,5}• { } {1,2,3}• {3,2,3,2} {2,3}


Set Cardinality

• The cardinality of a set is the number of distinct elements i.e. its size

• The cardinality of a set S is written as “card S”• Quick examples:

• card {1,2,3} • card { } • card {3,2,3,2}


Powersets

• If S is a set then the power set of S is the set of all subsets of S.

• The powerset of a set S is written as “P S” or “power S”

• Quick examples:• power {1,2,2}• power { } • power {3,2,3,1}• power power {6,7}


Set Union

• The union of two sets combines all their elements into one set

• The union of two sets A and B is written as ”A B” or ”A union B”

• Quick examples:• {1,2,2} union {1,6,5}• { } union {true} • {3,2,3,1} union {4}


Set Intersection

• The intersection of two sets is the set of all elements that are in both of the original sets

• The intersection of two sets A and B is written as ”A B” or ”A inter B”

• Quick examples:• {1,2,2} inter {1,6,5}• { } inter {true} • {3,2,3,1} inter {4}


Distributed Set Operators• Union and intersection can be distributed over a set of

sets• Distributed set union

• To be written as (or dunion in ASCII) • dunion {{ 2,4},{3,1,2},{2,3,4,3}}• dunion {{ 2,4},{3,1,1},{}}• dunion {{true},{false},{}}

• Distributed set intersection• To be written as (or dinter in ASCII)• dinter {{ 2,4},{3,1,2},{2,3,4,3}}• dinter {{ 2,4},{3,1,1},{}}• dinter {{true},{false},{}}


Set Difference

• The set difference of two sets A and B is the set of elements from A which is not in B

• The set difference of two sets A and B is written as ”A \ B”

• Quick examples:• {1,2,2} \ {1,6,5} • { } \ {true} • {3,2,3,1} \ {4}


Overview of Set Operators

e in set s1 Membership () A * set of A -> bool

e not in set s1 Not membership () A * set of A -> bool

s1 union s2 Union () set of A * set of A -> set of A

s1 inter s2 Intersection () set of A * set of A -> set of A

s1 \ s2 Difference (\) set of A * set of A -> set of A

s1 subset s2 Subset () set of A * set of A -> bool

s1 psubset s2 Proper subset () set of A * set of A -> bool

s1 = s2 Equality (=) set of A * set of A -> bool

s1 <> s2 Inequality (≠) set of A * set of A -> bool

card s1 Cardinality set of A -> nat

dunion s1 Distr. Union () set of set of A -> set of A

dinter s1 Distr. Intersection () set of set of A -> set of A

power s1 Finite power set (P) set of A -> set of set of A


Set Comprehensions

• Using predicates to define sets implicitly• In VDM++ formulated like:

• {element | list of bindings & predicate}

• The predicate part is optional• Quick examples:

• {3 * x | x : nat & x < 3} or {3 * x | x in set {0,…,2}}

• {x | x : nat & x < 5} or {x | x in set {0,…,4}}


Questions

• What are the set enumerations for:• {x|x : nat & x < 3}• {x|x : nat & x > 3 and x < 6}• {{y}| y in set {3,1,7,3}}• {x+y| x in set {1,2}, y in set {7,8}}• {mk_(x,y)| x in set {1,2,7}, y in set {2,7,8} & x > y}• {y|y in set {0,1,2} & exists x in set {0,…,3} & x = 2 * y}• {x = 7| x in set {1,…,10} & x < 6}


Set Range Expressions

• The set range expression is a special case of a set comprehension. It has the form• {e1, ..., e2}

• where e1 and e2 are numeric expressions. The set range expression denotes the set of integers from e1 to e2 inclusive.

• If e2 is smaller than e1 the set range expression denotes the empty set.

• Examples:• {2.718,...,3.141}• {3.141,...,2.718}• {1,...,5}• {8,...,6}


Agenda

Set Characteristics and Primitives The Minimum Safety Altitude Warning System• The Robot Controller


MSAW General Monitoring

500´ Threshold

Terrain Clearance Altitude

Minimum Safe Altitude (MSA)


MSAW Approach Path Monitoring

Runway

Glideslope Path

1 nm

Alarm Trigger Area

(100´ below glideslope path)


UK Civil Aviation Authority

Minimum Safe Altitude Warning (MSAW) utilises secondary surveillance radar (SSR) responses from aircraft transponders and trajectory tracking to determine whether it is likely that the aircraft may be exposed to an unacceptable risk of Controlled Flight Into Terrain (CFIT). MSAW is normally implemented locally within the radar display system software and compares predicted aircraft trajectories with a database of levels at which an alert will be triggered within specific geographic areas. The system is technically complex (due to the need to compensate for radar processing delays) and requires careful installation, commissioning and operation to ensure that false alert occurrences do not present a hazard to operations.


MSAW Requirements

• Radar(s) must track flying objects using their transponders

• Height of obstacles must be known statically• Flying objects must be warned against obstacles

close to their flight path• New areas with obstacles can be defined• The MSAW system must ensure the safety of flying

objects against static obstacles• Other flying objects (dynamic) is NOT a part of MSAW

(dealt with using TCAS)


UML Class Diagram


A Collection of Flying Objects

• What instance variables should the FO class have?

• How should the airspace association between the Airspace and FO be made?

class FOinstance variablesid : Id;coord : Coordinates;alt : Altitude; end FO

class Airspaceinstance variables airspace : set of FO;inv forall x,y in set airspace & x <> y => x.getId() <> y.getId()end Airspace


Adding New Flying Objects

It must be possible to add new flying objects to an airspace:

public addFO : FO ==> ()

addFO(fo) ==

airspace := airspace union {fo}

pre fo.getId() not in set

{f.getId() | f in set airspace}


Get Hold of a Particular FO

Given a particular identifier we need to be able to find the flying object with that transponder

public getFO : Id ==> FO

getFO(id) ==

find that value fo in the set airspace where fo.getId() equals id

VDM++ Construct (let-be-such-that expression):

let x in set s be st predicate on x

in

expression using x


Get Hold of a Particular FOUsing the let-be-such-that expression we get

public getFO : Id ==> FOgetFO(id) == let fo in set airspace be st fo.getId() = id in return fopre FOExists(id,airspace);

and

functions

FOExists: Id * set of FO -> boolFOExists(id,space) == exists fo in set space & fo.getId() = id


Removing Existing Flying Objects

It must also be possible to remove existing flying objects from an airspace:

public removeFO : Id ==> ()

removeFO(id) ==

airspace := airspace \ {getFO(id)}

pre FOExists(id,airspace)

where we reuse the getFO operation


Complete AirSpace Class

• This completes the AirSpace class• Visibility shown with icons• Stereotypes used to seperate operations and functions• Signatures can be listed


Constructor for Flying Objects

• Constructors in VDM++ use operation syntax• Return type is implicit, so no return is needed

public FO : Id * Coordinates * Altitude ==> FO

FO(i,co,al) ==

(id := i;

coord := co;

alt := al;

);


What Instance Variables in Radar?

• What information is needed for each radar?

instance variables

location : Coordinates;

range : nat1;

detected : set of FO


What can a radar see?

• Scanning from a radar

public Scan : AirSpace ==> ()

Scan(as) ==

detected := { x | x in set as.airspace & InRange(x) };

private InRange : FO ==> bool

InRange(obj) ==

let foLocation = obj.getCoordinates()

in

return isPointInRange(location,range,foLocation);


A circle from a given point

• In the GLOBAL class general functionality is present

functions

protected isPointInRange : Coordinates * nat1 *

Coordinates -> bool

isPointInRange(center,range,point) ==

(center.X - point.X)**2 + (center.Y - point.Y)**2 <=

range**2;


The Obstacles Class

What information do we need about an obstacle?instance variables

MSA : MinimumSafetyAltitude ;

location : Coordinates;

radius : nat1;

securityRadius : nat;

type : ObstacleType;

Where we inherit the following typespublic

ObstacleType = <Natural>|<Artificial>|<Airport>|<Military_Area>;

public FOWarning = ObstacleType;

public RadarWarning = <Saturated>;

public MinimumSafetyAltitude = nat | <NotAllowed>;


The AirTrafficController Classclass AirTrafficController is subclass of GLOBAL

instance variables

radars : set of Radar := {};

obstacles : set of Obstacle := {};

operations

public addRadar : Radar ==> ()

addRadar(r) ==

radars := {r} union radars;

public addObstacle : Obstacle ==> ()

addObstacle(ob) ==

obstacles := {ob} union obstacles;


Finding Treats for FOspublic findThreats : () ==> ()

findThreats() ==

let allFOs = dunion { r.getDetected() | r in set radars }

in

(for all fo in set allFOs

do

for all ob in set obstacles

do

if isFOinVicinities(ob,fo) and not isFOatSafeAltitude(ob,fo)

then writeObjectWarning(ob,fo);

for all r in set radars

do

if r.saturatedRadar()

then writeRadarWarning(r)

);


Conditions for Warnings

isFOinVicinities : Obstacle * FO -> bool

isFOinVicinities(obs,fo) ==

let obsloc = obs.getCoordinates(),

secureRange = obs.getSecureRange(),

foloc = fo.getCoordinates()

in

isPointInRange(obsloc,secureRange,foloc);

isFOatSafeAltitude : Obstacle * FO -> bool

isFOatSafeAltitude(obs,fo) ==

let msa = obs.getMSA()

in

if msa = <NotAllowed>

then false

else msa < fo.getAltitude();


Saturating a radarThere is a limit to how many FO´s a radar can deal with at one time. We call this saturation of a radar.

class Radar

values

maxFOs : nat1 = 4;

instance variables range : nat1; detected : set of FO …operations

public saturatedRadar : () ==> boolsaturatedRadar() == return card detected > range / maxFOs;

end Radar


Detecting FOs with multiple radars

Some radars will have overlap so it may be interesting to collect the FOs that are detected by at least 2 radars:

public detectedByTwoRadars : set of Radar -> set of FOdetectedByTwoRadars(radars) == dunion {a.getDetected() inter b.getDetected() | a,b in set radars & a <> b};

FOs that are detected by all radars may also be interesting: public detectedByAllRadars : set of Radar -> set of FOdetectedByAllRadars(radars) == dinter {x.getDetected()

| x in set radars};


The World Classclass Worldinstance variables public static env : [Environment] := nil;

public static timerRef : Timer := new Timer(); operations

public World : () ==> WorldWorld() == (env := new Environment("scenario.txt"); env.setAirSpace(MSAWàirspace); MSAWàtc.addRadar(MSAW`radar1); MSAWàtc.addRadar(MSAW`radar2); MSAWàtc.addObstacle(MSAW`militaryZone)); public Run : () ==> ()Run() == env.Run();

end World


The Environment Class (1)class Environment is subclass of GLOBALoperations public Environment : String ==> EnvironmentEnvironment(fname) == def mk_(-,input) = io.freadval[seq of inline](fname) in inlines := input;

public Run : () ==> ()Run() == (while not isFinished() do (updateFOs(); MSAW`atc.Step(); World`timerRef.StepTime(); ); showResult() );…end Environment


The Environment Class (2)class Environment is subclass of GLOBALoperations updateFOs : () ==> ()updateFOs() == (if len inlines > 0 then (dcl curtime : Time := World`timerRef.GetTime(), done : bool := false; while not done do def mk_(id,x,y, altitude,pt) = hd inlines in if pt <= curtime then (airspace.updateFO(id,mk_Coordinates(x,y),altitude); inlines := tl inlines; done := len inlines = 0 ) else done := true) else busy := false ); …end Environment


Updating a Flying ObjectsSince flying objects move we need to be able to update them:class AirSpace

public updateFO : Id * Coordinates * Altitude ==> ()

updateFO(id,coord,alt) ==

if FOExists(id,airspace)

then let fo = getFO(id)

in

(fo.setCoordinates(coord);

fo.setAltitude(alt))

else let newfo = new FO(id,coord,alt)

in

airspace := airspace union {newfo}

…

end AirSpace

where we reuse the getFO operation again


Stepping in ATC

Now all radars needs to have a chance to scan:

class AirTrafficController is subclass of GLOBAL

…

public Step : () ==> ()

Step() ==

(for all r in set radars do

r.Scan(MSAW`airspace);

findThreats();

);

end AirTrafficController


Agenda

Set Characteristics and Primitives The Minimum Safety Altitude Warning System The Robot Controller


The Robot Controller

• A system for navigating a robot from a start point, via a collection of waypoints to a final destination, where it performs some task, e.g., delivering a payload.


Existing Subsystems

• Position Sensor: This is used to find the robot's current location and the direction in which it is moving.

• Steering Controller: This controls the direction in which the robot travels.

• Steering Monitor: A system used to ensure that the steering controller is operating within known safe boundaries.


Controller Requirements

1. The robot's current position is always available to the controller from a position sensor.

2. The robot has a predetermined journey plan based on a collection of waypoints.

3. The robot must navigate from waypoint to waypoint without missing any.

4. The robot moves only horizontally or vertically in the Cartesian plane. It is not physically capable of changing direction with an angle greater than 90o. Attempts to do so should be logged.

5. If the robot is off-course, i.e., it cannot find a route to the next waypoint, it should stop in its current position.

6. The robot is able to detect obstacles in its path.


Class Diagram for Robot Controller


A Collection of Points

• What instance variables should the Point class have?

• How should the journeyPlan association between the Controller and Point be made?

class Pointinstance variablesx: nat;y: nat;index: natend Point

class Controllerinstance variablesjourneyPlan : set of Point;end Controller


Example Journey Plan

{new Point(1, 4, 1),

new Point(4, 5, 2),

new Point(6, 8, 3),

new Point(10, 8, 4),



new Point(11, 13, 7)}


Getting a Point at a Particular Index

public static GetPointAtIndex: set of Point * nat ->

Point

GetPointAtIndex(pts, index) ==

find that value p in the set pts where p.GetIndex() equals index

VDM++ Construct:

let x in set s be st predicate on x

in

expression using x


The GetPointAtIndex Operation

public static GetPointAtIndex: set of Point * nat ->

Point

GetPointAtIndex(pts, index) ==

let p in set pts be st p.GetIndex() = index

in

p

pre exists p in set pts & p.GetIndex() = index;


Checking Coordinates

• What is the value of: • new Point(1,1,1) in set {new Point(1,1,1)}

• Assume we have an operation inside Point:• GetCoord: () ==> nat * nat

• How can we then test whether a waypoint has been reached?• wp.GetCoord() in set {o.GetCoord()|o in set obs}


Arriving at a Waypoint

• journeyPlan desirable index properties1. Next waypoint has index 1

2. Final waypoint has index equal to number of waypoints

3. Indices are numbered consecutively

• Modeled as invariant inside Controller:• inv {p.GetIndex() | p in set journeyPlan} =

{1,..., card journeyPlan};


Taking a Step on a Journey

• Inside the Point class:public TakeStep: () ==> PointTakeStep() ==( index := index - 1; return self)pre index > 1;

• Inside Route:static public TakeStep: set of Point -> set of PointTakeStep(pts) == let laterPoints = {pt | pt in set pts & pt.GetIndex() <> 1} in {p.TakeStep() | p in set laterPoints};


Controlling the Robot

1. Find out the robot's current position.

2. Find out the next waypoint that the robot must visit.

3. If this waypoint has the same location as the current position then there are two possibilities:• Either this is the last waypoint, i.e., the robot has reached its

final destination and can therefore complete its journey• or there are further waypoints to visit, in which case the journey

plan must be updated.

Otherwise do nothing.

4. Calculate the commands needed by the steering controller to get the robot to this next waypoint.

5. Give these commands to the steering controller.


The Update OperationUpdate: () ==> ()Update() == let currentPosition = ins.GetPosition() in ( if Route`GetPointAtIndex(journeyPlan,1).GetCoord() = currentPosition.GetCoord() then if card journeyPlan = 1 then CompleteJourney() else ( journeyPlan := Route`TakeStep(journeyPlan); let obstacles = obs.GetData(), route = PlotCourse(obstacles) in if route = nil then emergencyBrake.Enable() else def dfps = ComputeDesiredSteerPosition( ins.GetDirection(), route.GetPoint(2), str.GetPosition()) in AdjustSteering(dfps) ));


Neighbours of a Journey Point

class Point

…

public Neighbour: () ==> set of Point

Neighbour () ==

return {new Point(x, y1, index + 1)

| y1 in set {y-1,y+1}

& y1 >= 0} union

{new Point(x1, y, index + 1)

| x1 in set {x-1,x+1}

& x1 >= 0};

end Point


Plotting a Courseclass Controller…PlotCourse: set of (nat * nat) ==> [Route]PlotCourse(obstacles) == let nextWaypoint = Route`GetPointAtIndex(journeyPlan, 1), posRoutes = Route`AvoidanceRoutes(obstacles, ins.GetPosition(), nextWaypoint) in if posRoutes = {} then return nil else ShortestFeasibleRoute(posRoutes);

end Controller


Avoiding Obstacles

class Route…staticpublic AvoidanceRoutes( obstacles: set of (nat * nat), currentPosition: Point, nextWaypoint: Point) routes:set of Routepost forall r in set routes & r.GetFirst().GetCoord() = currentPosition.GetCoord() and r.GetLast().GetCoord() = nextWaypoint.GetCoord() and r.GetCoords() inter obstacles = {}; end Route

Does this work?


An Invariant for the Route Class

class Route…instance variables

points: set of Point;inv forall p1, p2 in set points & p1.GetCoord() = p2.GetCoord() => p1 = p2 and forall p in set points & p.GetIndex() <> card points => GetNext(p).GetCoord() in set {n.GetCoord() | n in set p.Neighbour()}

end Route


Summary

• What have I presented today? • The notion of sets as unordered collections

• The basic operations in VDM++ for manipulating sets

• The MSAW system

• The robot controller example

• What do you need to do now?• Continue with your project

• Present your status to all of us

• Read chapter 7 before next lecture


Quote of the day

By Albert Einstein(1879 - 1955)

Do not worry about your difficulties in Mathematics.

I can assure you mine are still greater.

TIVDM1Modelling unordered collections1 Peter Gorm Larsen.

Documents

Transcript of TIVDM1Modelling unordered collections1 Peter Gorm Larsen.