Verifying Response Times in Networked Automation Systems Using Jitter
  Bounds by Srinivasan, Seshadhri et al.
Seshadhri Srinivasan1, Furio Buonopane2, Jüri Vain2, and Srini Ramaswamy3
Abstract— Networked Automation Systems (NAS) have to meet stringent response-time requirements during operation. Verifying the response time of automation is an important step during the design phase before deployment. Timing discrepancies due to hardware, software and communication components of NAS affect the response time. This investigation uses model templates for verifying the response time in NAS. First, jitter bounds model the timing fluctuations of NAS components. These jitter bounds are the inputs to model templates that are formal models of timing fluctuations. The model templates are atomic action patterns composed with three composition operators (sequential, alternative, and parallel) and embedded in a time wrapper that specifies clock-driven activation conditions. Model templates in conjunction with a formal model of the technical process offer an easier way to verify the response time. The investigation demonstrates the proposed verification method using an industrial steam boiler with typical NAS components on the plant floor.
I. INTRODUCTION
Networked automation systems (NAS) in industrial automation refer to systems with networked sensors, actuators and controllers [1]. Response time is defined as the time difference between the cause of an event (a new sensor measurement) and its effect on the technical process. Industrial automation systems are real-time systems requiring fast response times (typically in milliseconds). Response time in NAS needs to be verified during the design phase to avoid re-design after deployment. The importance of response time in NAS is demonstrated by the numerous approaches proposed in the literature (see [2]-[4] and references therein). Computing the bound of timing fluctuations remains the focus of these approaches. Numerous applications of NAS have been reported in the literature (see [20]-[22] and references therein).
Timed model-checking is a promising technique to analyse critical systems, because it performs exhaustive checking using formal models. Recent research uses tools from model-checking to verify the response time in NAS. To our best knowledge, Frey et al. [5] were the first to use model-checking tools in NAS to study component failures using probabilistic model checking (PMC) without proposing a formal model. Later, the authors studied the simulation of response time using Dymola/Modelica NAS component models in [6]. This method suffers from the limitations of simulation, i.e., it tests specific scenarios, in contrast to the exhaustive verification offered by model checking. The model-checking methods proposed in [7] and [8] lack the support of a modelling framework and are therefore restricted to specific architectures or scenarios. Vogel-Heuser et al. [9] presented a component-oriented modelling approach that captures the timing requirements and specifications to verify response time in NAS.
This work was supported by Group of Researchers in Automatic Control Engineering (GRACE)
1 S. Seshadhri is with the Dept. of Engineering, University of Sannio, Benevento Italy
4 Furio Buonopane is with Engineering Department (DICEA), University of Naples Federico II, Naples, Italy, 80125 e-mail: furio.buonopane@gmail.com
3 Srini Ramaswamy is with India Corporate Research Center, ABB Global Industries and Services Ltd., Bangalore, India srini.ramaswamy@in.abb.com
2 Jüri Vain is with the Institute of Cybernetics at Tallinn University of Technology, Estonia
A reading of the literature reveals that modelling the timing fluctuations due to communication, physical and software components of NAS, and their time variations, poses a stiff challenge for verifying the timing performance using timed model checking. To overcome these challenges, this investigation uses NAS component models capturing the timing fluctuations as jitter. Composition of these components using the time-chain model in [9], with additional specification of jitter bounds and the nature of their variation (termed behaviour), leads to the jitter time-chain. The jitter time-chain is used to create model templates of NAS components for verifying response times. The model templates are atomic action patterns with three composition operators to model the jitter. The model templates of jitter, in conjunction with the formal model of the process, define the formal model required for verifying the response time. The use of model templates simplifies the procedure for generating the formal model used for verifying the response time of NAS.
The main contributions of this investigation are: a jitter-based model for verifying the timing performance of NAS, model patterns that use jitter bounds to model the timing imperfections, and an illustration of the verification procedure using a steam boiler on an industrial plant floor. The paper has five sections including the introduction. Section II presents the jitter-based timing model of NAS, and the discussion of model patterns is in Section III. The example in Section IV illustrates the use of model templates, and Section V presents the conclusion of the investigation.
II. MODELLING TIMING IMPERFECTIONS IN NAS
The timing imperfections in NAS are due to hardware, software, and communication components. Hardware timing imperfections are due to sensors, actuators, signal processing, and controller hardware. Fig. 1 shows the sources of hardware jitter in NAS. The hardware jitter is modelled as constant, as the variation happens over long time frames. Software jitter is mainly due to scheduling, cache memory, pre-emption, interrupts, context switching, dynamic control algorithms, multiple loops and asynchronous communication between tasks. As software timing imperfections are usually measured using execution times (such as best-case execution time, worst-case execution time, average execution time etc.), they naturally suggest the use of a deterministic model.
arXiv:1507.04300v1 [cs.SY] 15 Jul 2015
The timing imperfections in NAS can be broadly classified into three categories: (i) hardware, (ii) software, and (iii) network-induced [10], [20]. A model of the timing discrepancies is required to verify the response time using formal models. Based on the timing imperfections, the delay time-chain can be drawn as shown in Fig. 2.
Hardware timing imperfections are due to sensors, actuators, signal processing, and controller hardware. The sources of hardware jitter due to NAS components are shown in Fig. 1. This investigation proposes to model the hardware jitter as constant, as the timing imperfections are usually found to vary over long time frames. Software jitter is mainly due to scheduling, cache memory, pre-emption, interrupts, context switching, dynamic control algorithms, multiple loops and asynchronous communication between tasks. As software timing imperfections are usually measured using execution times (such as best-case execution time, worst-case execution time, average execution time etc.), they naturally suggest the use of a deterministic model.
Fig. 1. Hardware timing jitter
Communication-related timing imperfections include latencies and data loss. Latencies in communication channels depend on many parameters, such as the length of the communication channel, channel load, protocol employed, network interface card employed in automation, and contention ratio. As these parameters are inherently random, they make communication latencies time-varying, and many models have been proposed for modeling time-varying delays (see [10]-[19]). The timing imperfections are modeled using jitter bounds on individual components. Communication jitter is modeled as time-varying but bounded:
$J_C \in [J_C^{\min}, J_C^{\max}]$ (1)
where $J_C$ is the total communication jitter, and $J_C^{\min}$ and $J_C^{\max}$ are the minimum and maximum communication jitter, respectively. Therefore, the total jitter in NAS is
$J_T = J_H + J_S + J_C$ (2)
where $J_T$ is the total jitter in the NAS, and $J_H$, $J_S$, and $J_C$ are the hardware, software, and communication jitter, respectively.
Fig. 2. Time-Chain for timing performance specification
III. MODEL PATTERNS FOR RESPONSE TIME VERIFICATION
Having obtained the model of NAS by composing components, the time chain can be generated as a formal model using model patterns that take the jitter bounds as inputs. To construct the time-chain, this investigation assumes two types of timing performance components:
• components that are activated by some external event using model patterns (see model patterns in Fig. 3)
• components that are activated periodically, each with a possibly different period and jitter
To model timing fluctuations, this investigation proposes a structural modeling approach that considers models constructed from an atomic action pattern (Figure 4(a)) by means of three composition operators: sequential (Fig. 3(b)), alternative (Fig. 3(c)), and parallel composition (Fig. 3(d)). For parallel composition, an additional channel matching constraint is required: whenever there is a synchronization condition in one of the parallel components, there must also be a matching synchronization condition in the other parallel component. We call the models constructed that way well-formed models. The atomic action model pattern captures the lower and upper bound as [lbound, ubound], as shown in Fig. 3(a). This model pattern for delay is particularly useful in scenarios requiring an action triggered by an external event (induced by another component). The communication jitter on a component can be modeled using an interval characterization of the jitter.
Fig. 3. Delay model patterns
Sequential and alternative compositions are defined as applications of the location merging operator ⊕ on two well-formed timed automata:
$Post_1 \oplus Pre_2$ (3)
where $Post_1$ and $Pre_2$ indicate, respectively, the Post- and Pre-locations of the first and second component automata (see Fig. 3(b)). This can be used in scenarios wherein a timing imperfection in one component results in a timing imperfection in another component.
The other composition model pattern is the alternative composition shown in Fig. 3(c), and the result of the model pattern is given by
$Pre_1 + Pre_2 \lor Post_1 + Post_2 \lor (Pre_1 + Pre_2, Post_1, Post_2)$ (4)
In the parallel composition (‖) shown in Fig. 3(d), in and out indicate the channel names, and the suffixes ! and ? indicate the synchronization direction. The model patterns of Fig. 3 give the formal models for capturing jitter in NAS along with the physical components that are triggered by an external event (synchronization condition "in?" in Fig. 3(a)).
A. Timing Wrapper
For modeling the periodically triggered (by clock) actions, the construct timing wrapper is introduced in addition to the main model patterns described in Subsection A. (Due to the limited space, other clock-triggered activation patterns implementable in the timing wrapper are not considered in this paper.) The timing wrapper introduces an auxiliary clock Cl that is needed for modelling the activation period with jitter within the interval [Jitlb, Jitub], as shown in Fig. 4.
The model patterns described in this section, along with the timing wrapper, can be used to capture the timing imperfections as jitter in the formal model of NAS along with that of the technical process. Thus the timing model of the time-chain (see Fig. 2) for timing performance specification can be constructed from patterns 1-4, depending on the way each component in the time chain is activated.
Fig. 4. Timing Wrapper
The next step of the work-flow consists of simulation of both the process and the timing components to identify critical operating points of the technical process and the test conditions for the NAS timing components. Simulation of the technical process can be used to identify the critical points that need to be tested. The following example illustrates the use of simulation to study the timing performance.
IV. RESULTS
This section presents an example of using the work-flow
for timed-model checking. The example considered is a
steam boiler.
A. Description of the Technical Process
The steam boiler consists of two pumps P1 and P2 and a heater, as shown in Fig. 5. Here, $w$, $u_1(t)$, $u_2(t)$, and $d$ denote the water level of the boiler ($w > 0$), the inflow of pump 1 in l/min, the inflow of pump 2 in l/min, and the power of the boiler, respectively. The vaporization ratio is denoted by $\dot{r}$.
Fig. 5. Steam Boiler
Assumptions:
At each point of time $t$, pump $P_i$ is either working ($u_i(t) = P_i$) or stopped ($u_i(t) = 0$). There is a delay $T_i$ between the i-th switching on and when the pump actually starts pumping. There is no such delay when the pump is switched off.
The working of the steam boiler can be described using the hybrid automaton in Fig. 6.
Fig. 6. Hybrid model of the boiler
The model templates using action model patterns and composition operators can be used to construct the formal model of the timing fluctuations, and the time wrapper can be used in the case of periodic operations. This formal model can be composed with the formal model of the components of the steam boiler, and the result can be used for verifying the response times of NAS. These formal models are modeled in UPPAAL as timed-automata [23] models, shown in Fig. 7. The reaction time verification on the given model is implemented by a model checking query that uses the standard TCTL logic operator "time bounded leads to", i.e., $Stimulus \rightarrow_d Response$, where Stimulus and Response are first-order state formulae that specify the begin and end events of the reaction time bound $d$ to be verified.
Fig. 7. UPPAAL formal model of the steam boiler with model templates
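The following is an added example, not code or a model from the paper: a discrete-time enumeration in Python of the delays a time chain built from atomic action patterns, the three composition operators and a timing wrapper can take, followed by the bounded leads-to check against a bound d. The semantics chosen for parallel composition (finish with the slowest branch) and for the wrapper (a stimulus is served by the first activation at or after its arrival), the integer-millisecond time base and all numeric values are assumptions made for illustration.

```python
from itertools import product

# Each pattern is represented by the set of integer delays (ms) it can take.

def atomic(lb, ub):
    """Atomic action pattern with delay bound [lbound, ubound]."""
    if not 0 <= lb <= ub:
        raise ValueError("need 0 <= lbound <= ubound")
    return frozenset(range(lb, ub + 1))

def seq(*parts):
    """Sequential composition: delays of successive patterns add up."""
    total = frozenset({0})
    for p in parts:
        total = frozenset(a + b for a, b in product(total, p))
    return total

def alt(*parts):
    """Alternative composition: exactly one branch is taken."""
    return frozenset().union(*parts)

def par(*parts):
    """Parallel composition, assumed to finish when the slowest branch does."""
    return frozenset(max(combo) for combo in product(*parts))

def wrapper(period, jit_lb, jit_ub, inner):
    """Timing wrapper: inner pattern is activated at k*period + jitter."""
    if not 0 <= jit_lb <= jit_ub < period:
        raise ValueError("need 0 <= Jitlb <= Jitub < period")
    jit = range(jit_lb, jit_ub + 1)
    waits = set()
    # The stimulus arrives at any phase s of the period and is served by the
    # first activation at or after s (this cycle's, otherwise the next one's).
    for s, j0, j1 in product(range(period), jit, jit):
        waits.add(j0 - s if j0 >= s else period + j1 - s)
    return seq(frozenset(waits), inner)

def leads_to_within(chain, d):
    """Bounded leads-to: holds iff every possible response delay is <= d."""
    worst = max(chain)
    return worst <= d, min(chain), worst

# Constructed time chain; every value below is illustrative, not measured.
J_H = atomic(2, 2)                      # hardware jitter, constant
J_S = wrapper(10, 0, 2, atomic(1, 3))   # periodically activated controller task
J_C = alt(atomic(1, 4), atomic(8, 9))   # network: direct delivery or retransmit
CHAIN = seq(J_H, J_S, J_C)              # J_T = J_H + J_S + J_C, as in Eq. (2)

if __name__ == "__main__":
    for d in (20, 25, 30):
        holds, best, worst = leads_to_within(CHAIN, d)
        print(f"d={d} ms: holds={holds}, response time in [{best}, {worst}] ms")
```

Keeping delay sets instead of plain intervals preserves the gap that an alternative composition can leave between its branches, which interval arithmetic would hide.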
V. CONCLUSION
This paper presented a simulation-driven verification work-flow for verifying the response time in NAS. The approach modelled the timing discrepancies in the NAS components using jitter bounds, classified by their occurrence as constant, deterministic or time-varying. The obtained jitter bounds were used to generate model templates considering various scenarios that arise in NAS. Then simulation is done on the technical process, along with knowledge of jitter, to obtain results useful for model abstraction and verification. The inputs from the modelling, template generation, and simulation steps are used to verify the response time of the NAS. The work-flow was illustrated using a plant-floor example of steam boiler and pH neutralization process. Extending the work-flow to verify other timing properties and to verify multi-core automation systems is the future course of this investigation.
REFERENCES
[1] B. Vogel-Heuser, J. Folmer, G. Frey, L. Liu, H. Hermanns, and A. Hartmanns, “Modeling of networked automation systems for simulation and model checking of time behavior”, Proceedings of the 2012 9th IEEE Multi-conference on Systems, Signals and Devices, pp. 1-5.
[2] N. Pereira, E. Tovar, and L. M. Pinho, “Timeliness in COTS Factory-floor distributed systems: what role for simulation?,” Proceedings of IEEE International Workshop on Factory Communication Systems, 2004, pp. 13–21.
[3] M.-H. Hung, J. Tsai, F.-T. Cheng, and H.-C. Yang, “Development of an Ethernet-based equipment integration framework for factory automation”, Robotics and Computer-Integrated Manufacturing, vol. 20, no. 5, pp. 369–383.
[4] B. Addad, S. Amari, and J. Lesage, (2010), “Analytic calculus of response time in networked automation systems”, IEEE Transactions on Automation Science and Engineering, Vol. 7, no. 4, pp. 858–869.
[5] J. Greifeneder, and G. Frey, “Probabilistic delay time analysis in networked automation systems”, Proceedings of the 10th IEEE Conference on Emerging Technologies and Factory Automation (ETFA 2005), Vol. 1, pp. 4-8.
[6] L. Liu, and G. Frey, “Simulation approach for evaluating response times in networked automation systems”, Proceedings of IEEE Conference on Emerging Technologies and Factory Automation, 2007, pp. 1061–1068.
[7] M. Mazzolini, A. Brusaferri, and E. Carpanzano, “Model-checking based verification approach for advanced industrial automation solutions”, Proceedings of IEEE Conference on Emerging Technologies and Factory Automation (ETFA), 2010, pp. 1–8.
[8] S. Ruel, O. De Smet, and J. M. Faure, “Finding the bounds of response time of networked automation systems by iterative proofs”, In Proceedings of the 13th IFAC Symposium on Information Control Problems in Manufacturing 2009.
[9] B. Vogel-Heuser, S. Feldmann, T. Werner, and C. Diedrich, “Modeling network architecture and time behavior of Distributed Control Systems in industrial plant automation”, Proceedings of 37th Annual Conference on IEEE Industrial Electronics Society, 2011, pp. 2232–2237.
[10] Seshadhri, S., Estimation and design methodologies for networked control systems with communication constraints, PhD dissertation, NIT-Trichy, 2010.
[11] F. Lian, James R. Moyne, and Dawn M. Tilbury, “Performance evaluation of control networks: Ethernet, ControlNet, and DeviceNet” Control Systems, IEEE 21, no. 1 (2001), pp. 66-83.
[12] S. Seshadhri, and R. Ayyagari. “Dynamic controller for Network Control Systems with random communication delay”, International Journal of Systems, Control and Communications 3, no. 2 (2011): 178-193.
[13] Seshadhri, S., and R. Ayyagari. “Platooning over packet-dropping links.” International Journal of Vehicle Autonomous Systems 9.1 (2011): 46-62.
[14] Srinivasan, S.; Vallabhan, M.; Ramaswamy, S.; Ashok, S.; Ramakalyan, A. and Venkateswaran, N. Hybrid systems approach for networked control systems subjected to random communication delays and packet dropouts Advances in Control and Optimization of Dynamical Systems (ACODS 2012), 2012
[15] Srinivasan, S., Vallabhan, M., Ramaswamy, S., and Kotta, U. (2013, June). Adaptive LQR controller for Networked Control Systems subjected to random communication delays. In American Control Conference (ACC), 2013 (pp. 783-787). IEEE.
[16] Srinivasan, S., Vallabhan, M., Ramaswamy, S., and Kotta, U. (2013, May). Adaptive regulator for networked control systems: MATLAB and true time implementation. In Control and Decision Conference (CCDC), 2013 25th Chinese (pp. 2551-2555). IEEE.
[17] Seshadhri, S., and Ayyagari, R. (2009, October). Hybrid Controllers for Systems with Random Communication Delays. In ARTCom (pp. 954-958).
[18] Srinivasan, Seshadhri, and Ramakalyan Ayyagari. “Advanced driver assistance system for AHS over communication links with random packet dropouts.” Mechanical Systems and Signal Processing 49.1 (2014): 53-62.
[19] J. Nilsson, “Real-time control systems with delays”, PhD dissertation, Department of Automatic Control, Lund Institute of Technology, 1998.
[20] M. Vallabhan, S. Seshadhri, S. Ashok, S. Ramaswamy, and R. Ayyagari, “An analytical framework for analysis and design of networked control systems with random delays and packet losses”, In Proceedings of the 25th Canadian Conference on Electrical and Computer Engineering (CCECE), 2012
[21] S. Seshadhri and R. Ayyagari, “Advanced driver assistance system for AHS over communication links with random packet dropouts”, Mechanical Systems and Signal Processing, vol. 49, no. 1, pp. 53-62.
[22] D. Ganesh Perumal, G. SaravanaKumar, Subathra, B., Srinivasan, Seshadhri, Ramaswamy, Srini, “Nonlinear State Estimation Based Predictive Path Planning Algorithm Using Infrastructure-to-Vehicle (I2V) Communication for Intelligent Vehicles”, Proceedings of the Second International Conference on Emerging Research in Computing, Information, Communication and Applications (ERCICA 2014).
[23] J. Bengtsson and W. Yi, “Timed automata: Semantics, algorithms and tools,” in Lectures on Concurrency and Petri Nets, ser. Lecture Notes in Computer Science, J. Desel, W. Reisig, and G. Rozenberg, Eds. Springer Berlin Heidelberg, 2004, vol. 3098, pp. 87–124. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-27755-2
