Doctor of Philosophy

dissertationOver the last decade, cyber-physical systems (CPSs) have seen significant applications in many safety-critical areas, such as autonomous automotive systems, automatic pilot avionics, wireless sensor networks, etc. A Cps uses networked embedded computers to monitor and control physical processes. The motivating example for this dissertation is the use of fault- tolerant routing protocol for a Network-on-Chip (NoC) architecture that connects electronic control units (Ecus) to regulate sensors and actuators in a vehicle. With a network allowing Ecus to communicate with each other, it is possible for them to share processing power to improve performance. In addition, networked Ecus enable flexible mapping to physical processes (e.g., sensors, actuators), which increases resilience to Ecu failures by reassigning physical processes to spare Ecus. For the on-chip routing protocol, the ability to tolerate network faults is important for hardware reconfiguration to maintain the normal operation of a system. Adding a fault-tolerance feature in a routing protocol, however, increases its design complexity, making it prone to many functional problems. Formal verification techniques are therefore needed to verify its correctness. This dissertation proposes a link-fault-tolerant, multiflit wormhole routing algorithm, and its formal modeling and verification using two different methodologies. An improvement upon the previously published fault-tolerant routing algorithm, a link-fault routing algorithm is proposed to relax the unrealistic node-fault assumptions of these algorithms, while avoiding deadlock conservatively by appropriately dropping network packets. This routing algorithm, together with its routing architecture, is then modeled in a process-algebra language LNT, and compositional verification techniques are used to verify its key functional properties. As a comparison, it is modeled using channel-level VHDL which is compiled to labeled Petri-nets (LPNs). Algorithms for a partial order reduction method on LPNs are given. An optimal result is obtained from heuristics that trace back on LPNs to find causally related enabled predecessor transitions. Key observations are made from the comparison between these two verification methodologies

Contributions to the deadlock problem in multithreaded software applications observed as Resource Allocation Systems

Desde el punto de vista de la competencia por recursos compartidos sucesivamente reutilizables, se dice que un sistema concurrente compuesto por procesos secuenciales está en situación de bloqueo si existe en él un conjunto de procesos que están indefinidamente esperando la liberación de ciertos recursos retenidos por miembros del mismo conjunto de procesos. En sistemas razonablemente complejos o distribuidos, establecer una política de asignación de recursos que sea libre de bloqueos puede ser un problema muy difícil de resolver de forma eficiente. En este sentido, los modelos formales, y particularmente las redes de Petri, se han ido afianzando como herramientas fructíferas que permiten abstraer el problema de asignación de recursos en este tipo de sistemas, con el fin de abordarlo analíticamente y proveer métodos eficientes para la correcta construcción o corrección de estos sistemas. En particular, la teoría estructural de redes de Petri se postula como un potente aliado para lidiar con el problema de la explosión de estados inherente a aquéllos. En este fértil contexto han florecido una serie de trabajos que defienden una propuesta metodológica de diseño orientada al estudio estructural y la correspondiente corrección física del problema de asignación de recursos en familias de sistemas muy significativas en determinados contextos de aplicación, como el de los Sistemas de Fabricación Flexible. Las clases de modelos de redes de Petri resultantes asumen ciertas restricciones, con significado físico en el contexto de aplicación para el que están destinadas, que alivian en buena medida la complejidad del problema. En la presente tesis, se intenta acercar ese tipo de aproximación metodológica al diseño de aplicaciones software multihilo libres de bloqueos. A tal efecto, se pone de manifiesto cómo aquellas restricciones procedentes del mundo de los Sistemas de Fabricación Flexible se muestran demasiado severas para aprehender la versatilidad inherente a los sistemas software en lo que respecta a la interacción de los procesos con los recursos compartidos. En particular, se han de resaltar dos necesidades de modelado fundamentales que obstaculizan la mera adopción de antiguas aproximaciones surgidas bajo el prisma de otros dominios: (1) la necesidad de soportar el anidamiento de bucles no desplegables en el interior de los procesos, y (2) la posible compartición de recursos no disponibles en el arranque del sistema pero que son creados o declarados por un proceso en ejecución. A resultas, se identifica una serie de requerimientos básicos para la definición de un tipo de modelos orientado al estudio de sistemas software multihilo y se presenta una clase de redes de Petri, llamada PC2R, que cumple dicha lista de requerimientos, manteniéndose a su vez respetuosa con la filosofía de diseño de anteriores subclases enfocadas a otros contextos de aplicación. Junto con la revisión e integración de anteriores resultados en el nuevo marco conceptual, se aborda el estudio de propiedades inherentes a los sistemas resultantes y su relación profunda con otros tipos de modelos, la confección de resultados y algoritmos eficientes para el análisis estructural de vivacidad en la nueva clase, así como la revisión y propuesta de métodos de resolución de los problemas de bloqueo adaptadas a las particularidades físicas del dominio de aplicación. Asimismo, se estudia la complejidad computacional de ciertas vertientes relacionadas con el problema de asignación de recursos en el nuevo contexto, así como la traslación de los resultados anteriormente mencionados sobre el dominio de la ingeniería de software multihilo, donde la nueva clase de redes permite afrontar problemas inabordables considerando el marco teórico y las herramientas suministradas para subclases anteriormente explotadas

Recent advances in petri nets and concurrency

CEUR Workshop Proceeding

Hybrid Multiresolution Simulation & Model Checking: Network-On-Chip Systems

abstract: Designers employ a variety of modeling theories and methodologies to create functional models of discrete network systems. These dynamical models are evaluated using verification and validation techniques throughout incremental design stages. Models created for these systems should directly represent their growing complexity with respect to composition and heterogeneity. Similar to software engineering practices, incremental model design is required for complex system design. As a result, models at early increments are significantly simpler relative to real systems. While experimenting (verification or validation) on models at early increments are computationally less demanding, the results of these experiments are less trustworthy and less rewarding. At any increment of design, a set of tools and technique are required for controlling the complexity of models and experimentation. A complex system such as Network-on-Chip (NoC) may benefit from incremental design stages. Current design methods for NoC rely on multiple models developed using various modeling frameworks. It is useful to develop frameworks that can formalize the relationships among these models. Fine-grain models are derived using their coarse-grain counterparts. Moreover, validation and verification capability at various design stages enabled through disciplined model conversion is very beneficial. In this research, Multiresolution Modeling (MRM) is used for system level design of NoC. MRM aids in creating a family of models at different levels of scale and complexity with well-formed relationships. In addition, a variant of the Discrete Event System Specification (DEVS) formalism is proposed which supports model checking. Hierarchical models of Network-on-Chip components may be created at different resolutions while each model can be validated using discrete-event simulation and verified via state exploration. System property expressions are defined in the DEVS language and developed as Transducers which can be applied seamlessly for model checking and simulation purposes. Multiresolution Modeling with verification and validation capabilities of this framework complement one another. MRM manages the scale and complexity of models which in turn can reduces V&V time and effort and conversely the V&V helps ensure correctness of models at multiple resolutions. This framework is realized through extending the DEVS-Suite simulator and its applicability demonstrated for exemplar NoC models.Dissertation/ThesisDoctoral Dissertation Computer Science 201

Business Process Visualization - Use Cases, Challenges, Solutions

The proper visualization and monitoring of their (ongoing) business processes is crucial for any enterprise. Thus a broad spectrum of processes has to be visualized ranging from simple, short–running processes to complex long–running ones (consisting of up to hundreds of activities). In any case, users shall be able to quickly understand the logic behind a process and to get a quick overview of related tasks. One practical problem arises when different fragments of a business process are scattered over several systems where they are often modeled using different process meta models (e.g., High–Level Petri Nets). The challenge is to find an integrated and user–friendly visualization for these business processes. In this paper we discover use cases relevant in this context. Since existing graph layout approaches have focused on general graph drawing so far we further develop a specific approach for layouting business process graphs. The work presented in this paper is embedded within a larger project (Proviado) on the visualization of automotive processes

An agile and adaptive holonic architecture for manufacturing control

Tese de doutoramento. Engenharia Electrotécnica e de Computadores. 2004. Faculdade de Engenharia. Universidade do Port

Operating guidelines for services

In the paradigm of service-oriented computing, companies organize their core competencies as services and may request other functionalities from services of other companies. Services provide high flexibility, platform independent loose coupling, and distributed execution. They may thus help to reduce the complexity of dynamically binding and integrating heterogenous processes within and across organizations. The vision of service-oriented architectures is to provide a framework for publishing new services, for on demand searching for and discovery of existing services, and for dynamically binding services to achieve common business goals. That way, each individual organization gains more flexibility to dynamically react on new challenges. As services may be created or modified, or collaborations may be restructured at any point in time, a new challenge arises in this setting—the challenge for deciding the compatibility of the composed services before their actual binding. Recent literature distinguishes four different aspects of service compatibility: syntactical, behavioral, semantical, and non-functional compatibility. In this thesis, we focus on behavioral compatibility and abstract from the other aspects. Potential behavioral incompatibilities between services include deadlocks (two services wait for a message of each other), livelocks (two services keep exchanging messages without progressing), and pending messages that have been sent but cannot be received anymore. For stateful services that interact via asynchronous message passing, deciding behavioral compatibility is far from trivial. Local changes to one service may introduce errors in some or even all other services of an interaction. The verification of behavioral compatibility suffers from state explosion problems and is restricted by privacy issues. That is, the parties of an interaction are essentially autonomous and may be competitors in other business fields. Consequently, they do not want to reveal the internals of their processes to the other participants in order to hide trade secrets. To systematically approach this challenge, we introduce a formal framework based on Petri nets and automata for service modeling and formalize behavioral compatibility as deadlock freedom of the composition of the services. The main contribution of this thesis is to introduce the concept of the operating guideline of a service. Operating guidelines provide a formal characterization of the set of all behaviorally compatible services R for a given service S. Usually, this set is infinite. However, the operating guideline OGS of a service S serves as a finite representation of this infinite set. Furthermore, the operating guideline of S reveals only internals that are inevitably necessary to decide behavioral compatibility with S. We provide a construction method of operating guidelines for finite-state services with bounded communication. Operating guidelines can be used in many applications in the context of serviceoriented computing. The most fundamental application is to support the discovery of behaviorally compatible services. To this end, we develop a matching procedure that efficiently decides whether a given service R is characterized by the operating guideline OGS of a service S. If R matches, then both services R and S are behaviorally compatible and can be bound together to interact with each other. If R does not match with OGS, then the services are behaviorally incompatible and may run into severe behavioral errors and not reach their common business goal. Operating guidelines can furthermore be applied in the novel research areas of service substitutability and the generation of adapter services, for instance. To this end, we develop methods to compare the sets of services characterized by the operating guidelines OGS and OGS0 . If OGS0 characterizes more services than OGS, then the service S can be substituted by the service S0 without loosing any behaviorally compatible interaction partner R. Furthermore, we show how to synthesize a service R from the operating guideline OGS such that R is behaviorally compatible to S by construction. All results presented in this thesis are implemented in our service analysis tool Fiona. Fiona may compute operating guidelines for services modeled as Petri nets. It may match a service with an operating guideline, compare operating guidelines for equivalence or an inclusion relation, and synthesize service adapters for behaviorally incompatible services. Together with the tool BPEL2oWFN— which translates web services specified in BPEL into Petri net models of the services—we can immediately apply our results to services that stem from practic