Real-Time Systems. Design Principles for Distributed Embedded Applications. Hermann Kopetz. Second Edition (811374), page 17
As we will show in the latter part of this section, the semantic content of a variable is invariant to a change in representation. The requirement of semantic precision demands that the concept that is associated with a variable name and the domain of values of the variable are unambiguously defined in the model of the given application.

Example: Consider the variable name engine-temperature that is used in an automotive application. This concept is too abstract to be meaningful to an automotive engineer, since there are different temperatures in an automotive engine: the temperature of the oil, the temperature of the water, or the temperature in the combustion chamber of the engine.

The unambiguous definition of a concept does not only relate to the meaning of the concept associated with the variable, but also to the specification of the domain of values of the variable.
In many computer languages, the type of a variable, which is introduced as an attribute of the variable name, specifies primitive attributes of the value domain of the variable. These primitive attributes, like integer or floating point number, are often not sufficient to properly describe all relevant attributes of the value domain. An extension of the type system will alleviate the problem.

Example: If we declare the value domain of the variable temperature to be floating point we still have not specified whether the temperature is measured in units of Celsius, Kelvin or Fahrenheit.

Example: The Mars Climate Orbiter crash occurred because the ground-based software used different system units than the flight software.
The first of the recommendations in the report of the mishap investigation board was that the MPL (Mars Polar Lander) project verify the consistent use of units throughout the MPL spacecraft design and operation [NAS99].

In different language communities, different variable names may be used to point to the same concept. For example, in an English speaking language community the temperature of the air may be abbreviated by t-air, while a German speaking community may call it t-luft. If we change the representation of the value domain of a variable, e.g., if we replace the units for measuring the temperature from Celsius to Fahrenheit and adapt the value of the variable accordingly, the semantic content expressed by the variable remains the same.

Example: On the surface the two variables t-air = 86 and t-luft = 30 are completely different since they have different names and different values.
If, however, t-air and t-luft refer to the same concept, i.e., the temperature of the air, and the value of t-air is expressed in degrees Fahrenheit and that of t-luft in degrees Celsius, then it becomes evident that the semantic contents of these two variables are the same.

These differences in the representations of the semantic content of a variable become important when we look at gateway components which link two subsystems of a system of systems that have been developed by two different organizations according to two different architectural styles.
The term architectural style refers to all explicit and implicit principles, rules and conventions that are followed by an organization in the design of a system, e.g., the representation of data, protocols, syntax, naming, and semantics, etc. The gateway component must translate the variable names and representations from one architectural style to the other architectural style, while keeping the semantic content invariant.

Data that describe the properties of (object) data is sometimes called meta data. In our model of a variable, data that describes the properties of the fixed parts of a variable is meta data, while the variable part of a variable, the value set, is (object) data. Meta data thus describes the properties of the concept that is referred to by the variable name.
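
The gateway translation described above, as an added example (not code from the book): a gateway maps the page's t-air (Fahrenheit) to t-luft (Celsius) using the variable's meta data, and refuses a variable whose concept or unit is undefined. The class names, the kelvin canonical form and the concept label air-temperature are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Conversions to and from a canonical representation (kelvin, an assumption).
TO_KELVIN = {
    "celsius": lambda v: v + 273.15,
    "fahrenheit": lambda v: (v - 32.0) * 5.0 / 9.0 + 273.15,
    "kelvin": lambda v: v,
}
FROM_KELVIN = {
    "celsius": lambda k: k - 273.15,
    "fahrenheit": lambda k: (k - 273.15) * 9.0 / 5.0 + 32.0,
    "kelvin": lambda k: k,
}

@dataclass(frozen=True)
class Variable:
    name: str      # meta data: name used in one architectural style
    concept: str   # meta data: what the name refers to
    unit: str      # meta data: representation of the value domain
    value: float   # object data

def canonical(var):
    """Value in kelvin; rejects a unit the model does not define."""
    if var.unit not in TO_KELVIN:
        raise ValueError(f"undefined unit {var.unit!r} for {var.name}")
    return TO_KELVIN[var.unit](var.value)

def same_semantic_content(a, b, tol=1e-9):
    """Same concept and same canonical value, whatever the name and unit."""
    return a.concept == b.concept and abs(canonical(a) - canonical(b)) <= tol

class Gateway:
    """Translates name and representation; the concept is left untouched."""
    def __init__(self, style):
        self.style = style  # concept -> (target name, target unit)

    def translate(self, var):
        if var.concept not in self.style:
            raise KeyError(f"no mapping for concept {var.concept!r}")
        name, unit = self.style[var.concept]
        value = FROM_KELVIN[unit](canonical(var))
        return Variable(name, var.concept, unit, round(value, 6))

# Constructed sample: the page's t-air / t-luft pair.
GERMAN_STYLE = Gateway({"air-temperature": ("t-luft", "celsius")})
T_AIR = Variable("t-air", "air-temperature", "fahrenheit", 86.0)
T_LUFT = GERMAN_STYLE.translate(T_AIR)
```

A variable such as engine-temperature, whose concept the target style does not define, is rejected by the gateway instead of being passed through with a guessed meaning.
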
Since meta data can become object data of another level, the distinction between data and meta data is relative to the viewpoint of the observer.

Example: The price of a product is data, while the currency used to denote the price, the time interval and the location where this price is applicable are meta data.

2.3 The Essence of Model Building

Given the rather limited cognitive capabilities of the rational subsystem of the human mind we can only develop a rational understanding of the world around us if we build simple models of those properties that are of relevance and interest to us and disregard (abstract from) detail that proves to be irrelevant for the given purpose.
A model is thus a deliberate simplification of reality with the objective of explaining a chosen property of reality that is relevant for a particular purpose.

Example: The purpose of a model in Celestial Mechanics is the explanation of the movements of the heavenly bodies in the universe. For this purpose it makes sense to introduce the abstract concept of a mass point and to reduce the whole diversity of the world to a single mass point in space in order that the interactions with other mass points (heavenly bodies) can be studied without any distraction by unnecessary detail.

When a new level of abstraction (a new model) is introduced that successfully conceptualizes the properties relevant for the given purpose and disregards the rest, simplicity emerges.
Such simplicity, made possible by the formation of proper concepts, gives rise to new insights that are at the roots of the laws of nature. As Popper [Pop68] points out, due to the inherent imperfection of the abstraction and induction process, laws of nature can only be falsified, but never be proven to be absolutely correct.

2.3.1 Purpose and Viewpoint

At the start of any modeling activity, a clear purpose of the model must be established.
Formulating the precise questions the model must address helps to concretize the purpose of the model. If the purpose of a model is not crystal clear, or if there are multiple divergent purposes to satisfy, then it is not possible to develop a simple model.

Example: The purpose of a model of behavior of a real-time computer system is to provide answers to the question at what points in real-time will the computer system produce what kind of outputs. If our computer system is a System-on-Chip (SoC) with a billion transistors, then we must find a hierarchy of behavioral models to meet our purpose.

The recursive application of the principles of abstraction leads to such a hierarchy of models that Hayakawa [Hay90] calls the abstraction ladder. Starting with basic-level concepts that are essential for understanding a domain, more general concepts can be formed by abstraction and more concrete concepts can be formed by refinement. At the lowest level of the abstraction ladder are the direct sensory experiences.

Example: The Four Universe Model of Avizienis [Avi82] introduces a hierarchy of models in order to simplify the description of the behavior of a computer system.
At the lowest level of the hierarchy, the physical level, the analog signals of the circuits are observed, such as the rise time of the voltages as a transistor performs a switching operation. The analysis of a circuit behavior at the physical (analog) level becomes difficult as soon as more and more transistors get involved (emerging complexity). The next higher level, the digital logic level, abstracts from the physical analog quantities and the dense time and introduces binary logic values (high or low) of signals at discrete instants, resulting in a much simpler representation of the behavior of an elementary circuit, e.g. an AND gate (emerging simplicity).
Complexity creeps in again as we combine more and more logic circuits. The next higher level, the information level, lumps a (possibly large) sequence of binary values into a meaningful data structure (e.g., a pointer, a real-valued variable or a complete picture) and introduces powerful high-level operations on these data structures. Finally, at the external level, only the services of the computer system to the environment, as seen by an outside user, are of relevance.

[Fig. 2.1 Purpose and abstraction level of a model: purpose A with abstraction levels A1 and A2, and purpose B with abstraction levels B1 and B2, both above the real system]

A posed question about a distinct property of a real system gives rise to the construction of a hierarchy of models of that system that are intended to answer the posed question. Figure 2.1 depicts two hierarchies of models that are introduced to serve two purposes, purpose A and purpose B.
Purpose A could refer to a hierarchy of behavioral models, while purpose B could refer to a hierarchy of dependability models of the same real system. At the top of each hierarchy is the stated purpose, i.e., the questions that must be answered. The different levels of the hierarchy – the abstraction levels – are introduced to support a stepwise refinement of the stated question considering more detail, where each step takes consideration of the limited cognitive capabilities of the human mind.
At the low end of the hierarchy is the real system. The analysis is substantially simplified if the structure of the model corresponds with the structure of the system. Otherwise we have to resolve a structure clash that complicates the issues.

Example: The model for predicting the temporal properties of the behavior of a real-time computer system is straightforward if there is a predictable sequence of computational and communication actions between the start of a computation and the termination of a computation. Conversely, if the actual durations of the computational and communication actions depend on global system activity (e.g., arbitration for access to shared resources such as caches, communication links, etc.) then it will not be possible to construct a simple model for predicting the temporal properties of the behavior.

2.3.2 The Grand Challenge

Whereas the natural scientist must uncover the regularities in a given reality and find appropriate concepts at a suitable level of abstraction in order to formulate models and theories that explain the observed phenomena, the computer scientist is – at least theoretically – in a much better position: The computer scientist has the freedom to design the system – an artifact – which is the subject of his modeling.