
Following is a safety controller with input and output safety control. Condition given below for designing a state machine: Here SignalOk, SignalWeak and SignalLost are measurements of the signal quality of the steering angle. The SteeringAngle signal itself contains the original steering data. In case of 3 consecutive SignalOk, the system controller will output ValidSignal with the steering angle data. In other cases, the signal will be considered as CorruptSignal. I am using UML 2 state charts (Harel charts). This is so far what I have done:

[image: state machine]

N.B.: Parallel states and broadcasting are not supported yet, but nested states are supported. I don't know how to model this stream of inputs in a state machine; any kind of help will be appreciated.

Priom Biswas
  • I can't figure out, what you want to express with the diagram. What is `RmtSteeringSignalOk`? From your text, I would think the possible Signals are `SignalOk`, `SignalWeak` and `SignalLost`. Or are these the possible results of a measurement? When is this measurement made? By whom? Why is the SteeringAngle signal alone triggering a transition? If the SteeringSignal is not OK SteeringAngle should not trigger anything. – Axel Scheithauer Oct 12 '21 at 14:37
  • @AxelScheithauer Please consider RmtSteeringSignalOk as signal ok. These signals are generated by a pwm decoder and feed to the mentioned safety controller for making the decision of a valid or corrupt signal. – Priom Biswas Oct 12 '21 at 14:38
  • @AxelScheithauer When a driver presses steering button on the remote control, a PWM decoder generates signalok, signalweak and signalloss which are measurements about the steering signal strength. SteeringAngle signal is the original signal which contains the amount of steering angle, an unsigned integer. – Priom Biswas Oct 12 '21 at 14:45
  • Ok, then this pwm decoder will send `SignalOk` and `SteeringAngle` at the same time. Since `Ready` and `CheckFirstSignal` react to both signals, the state machine will proceed to `CheckSecondSignal` immediately. I think you should remove the transitions for `SteeringAngle`. You are not even interested in the first two steering angles. Only the third one will be transmitted. Since we don't know which signal is processed first, I would defer `SteeringAngle` in `CheckSecondSignal` and react to it in `CheckThirdSignal` with an internal transition `SteeringAngle/ValidSignal`. – Axel Scheithauer Oct 12 '21 at 15:00
  • @AxelScheithauer, I think you are right. You could enter this as an 'answer'. Please use the 'comment' function only to ask for clarification. – www.admiraalit.nl Oct 12 '21 at 15:02
  • Is this the correct description? The pwm decoder checks the signal and then sends the `SteeringAngle` and either `SignalOk` or `SignalWeak`. If it doesn't receive a signal within a specified time, it sends `SignalLost`. The `SafetyControl` shall wait for three consecutive `SignalOk` signals and then start transmitting `ValidSignal` on each incoming `SteeringAngle`. If a `SignalWeak` or `SignalLost` is received it shall always go back to `Ready`. – Axel Scheithauer Oct 12 '21 at 15:21
  • @AxelScheithauer This is exactly what I meant. – Priom Biswas Oct 12 '21 at 16:31

1 Answer


First I would recommend renaming the states, so that they don't resemble actions. I suggest naming them First Ok received, Second Ok received and Ok confirmed.

Since the SteeringAngle shall be ignored the first two times, the only transition triggered by it should be an internal transition in Ok confirmed. This transition will also invoke ValidSignal.

Nothing is specified about the order of SteeringAngle and SignalOk. Therefore, SteeringAngle should be deferred in Second Ok received. This way, even if it comes first, it will stay in the event pool.

Any reception of SignalWeak or SignalLost should return to Ready. You could do this with a local transition of Operational to Ready.

One additional recommendation: Define an Initial state in Operational and target the SystemOk transition to Operational. The effect is the same, but it results in a better separation of the two top level states.

Axel Scheithauer
  • Thank you very much for the solution. I have one question though. In case of **SignalWeak** or **SignalLost**, I have to invoke **CorruptSignal**. Can this be modeled as the effect of **SignalWeak** or **SignalLost** in their transition path? – Priom Biswas Oct 12 '21 at 17:10
  • **Internal Transitions** are currently not supported by the tool I am using for state machine validation. I am not sure how to model the steering angle signal. So far I have come up with the model [State Machine](https://ibb.co/pdYVHL1) – Priom Biswas Oct 13 '21 at 09:22
  • Yes, the effect of the `SignalWeak` and `SignalLost` transitions can be `CorruptSignal`. And you only need one transition, since each transition can define many triggers. Of course the effect is the same when you define two transitions. It's just more work. – Axel Scheithauer Oct 13 '21 at 16:35
  • If you can't use internal transitions, you can replace them with external ones, if entry, exit or do behaviors are not defined. Then external transitions have the same effect. So I would simply create an external transition from `Ok confirmed` to itself with `SteeringAngle/SignalOk;ValidSignal`. – Axel Scheithauer Oct 13 '21 at 16:38