
    Verification of Component-based Distributed Real-time Systems

    Component-based software architectures enable reuse by separating application-specific concerns into modular components that are shielded from each other and from common concerns addressed by underlying services. Even so, concerns such as invocation rates, execution latencies, deadlines, and concurrency and scheduling semantics still cross-cut component boundaries in many real-time systems. Verification of these systems therefore must consider how composition of components relates to timing, resource utilization, and other properties. However, existing approaches only address a subset of the concerns that must be modeled in component-based distributed real-time systems, and a new, more comprehensive approach is thus needed. To address that need, this paper offers three contributions to the state of the art in verification of component-based distributed real-time systems: (1) it introduces a formal model called real-time component automata that combines and extends interface automata and timed automata models; (2) it presents new component composition operations for single-threaded and cooperative multitasking forms of concurrency; and (3) it describes how the composed models can be combined with task locations, a scheduling model, and a communication delay model to generate a combined representation of the application components and supporting services that can be verified by existing model checkers. These contributions are embodied in an open-source tool prototype called the Real-time Component Model Translator (RTCMT).

    Modeling Timed Component-Based Real-time Systems

    Component-based middleware helps to facilitate software reuse by separating application-specific concerns into modular components that are shielded from the concerns of other components and from the common concerns addressed by underlying middleware services. In real-time systems, concerns such as invocation rates, execution latencies, deadlines, and concurrency semantics cross-cut multiple component and middleware abstractions. Thus, the verification of these systems must consider features of the application components (e.g., their execution latencies and relative invocation rates) and of the supporting middleware (e.g., concurrency and scheduling) together. However, existing approaches only address a subset of the features that must be modeled in component-based real-time systems, and a new, more comprehensive approach is needed. To address that need, this paper offers three main contributions to the state of the art in the verification of component-based real-time systems: (1) it introduces a formal model called component automata that combines new input/output rate specifications with input/output actions and timed internal actions from the existing interface automata and timed automata models, respectively; (2) it presents new component composition operations for single-threaded and cooperative multi-tasking, in addition to composition under the preemptive multi-tasking semantics assumed by interface automata; and (3) it describes how the composed component models can then be combined with task location specifications, a scheduling model, and a communication delay model to generate a combined timed automaton representation of the components and middleware that can be verified by existing timed model checkers. This research was supported in part by NSF grant CCF-0448562 titled CAREER: Time and Event Based System Software Construction.

    Formal Modeling and Verification of Motor Drive Software for Networked Motion Control Systems

    Abstract: This paper presents a model-based approach to the design and verification of motor drive software for networked motion control systems. We develop a formal model for an Ethernet-based motion system in which, using timed automata, we describe the concurrent and synchronized behaviors of the components, i.e., the motion controller, the motor drives, and the communication links. The drive, in particular, is modeled in enough detail to accurately reflect the software implementation used in a real drive. We use a multitasking drive software design with fixed-priority preemptive scheduling. With UPPAAL model checking, we verify the precision and accuracy of the rendered motion in terms of the requirements on the actuation delay at each drive and the actuation deviation between different drives, respectively. The analysis results demonstrate the benefits of our model-based approach in the safety verification and design space exploration of motor drive software. We show that it is possible to verify deadlock freedom and real-time schedulability in an early design phase. And, for a varying number of drives and message sizes, we can successfully determine the combination of task periods that leads to the best precision and accuracy.

    Randomized reachability analysis in UPPAAL: fast error detection in timed systems*

    Efficient Model Checking: The Power of Randomness

    Predictable real-time software synthesis

    A Forward On-The-Fly Approach for Safety and Reachability Controller Synthesis of Timed Systems

    Résumé (translated from French): This thesis concerns the synthesis of controllers for real-time systems (timed systems). Starting from a real-time system modelled as a Time Petri Net (TPN) composed of controllable and uncontrollable transitions, control aims to force the system to satisfy the desired properties by restricting the firing intervals of the controllable transitions. In this thesis we propose an algorithm to synthesize such controllers for safety and reachability properties. This algorithm, based on the state class graph method, computes on the fly the reachable state classes of the TPN while progressively collecting the firing sub-intervals to be avoided in order to satisfy the desired properties. With this algorithm it is no longer necessary to compute controllable predecessors and recursively partition the state classes until a fixed point is reached, as is the case in other approaches based on forward and backward exploration of the system's state space. We formally prove the correctness of the algorithm, then show that, within the category of controllers based on the restriction of firing intervals, the algorithm proposed in this thesis synthesizes an optimal (most permissive possible) controller. To further mitigate the combinatorial explosion problem, we show how to combine this approach with an abstraction by inclusion, by convex union or by convex hull. We also show how to exploit this algorithm to generate decentralized controllers. Finally, we propose applying this algorithm to control TPNs by means of stopwatches. Our algorithm partitions the intervals of the transitions into "good" and "bad" (to be avoided) sub-intervals. The idea is to use stopwatches to suspend the tasks (transitions) during their bad sub-intervals and to activate them in their "good sub-intervals". Time Petri nets are thus controlled by associating stopwatches with the controllable transitions, yielding controlled time Petri nets.

    Abstract: This thesis deals with controller synthesis for real-time systems (timed systems). Given a real-time system modeled as a Time Petri Net (TPN) with controllable and uncontrollable transitions, the control aims at forcing the system to satisfy properties of interest by limiting the firing intervals of controllable transitions. We propose, in this thesis, an algorithm to synthesize such controllers for safety / reachability properties. This algorithm, based on the state class graph method, computes on-the-fly the reachable state classes of the TPN while progressively collecting the firing subintervals to be avoided so that the property is satisfied. It does not need to compute controllable predecessors and then split state classes until reaching a fixpoint, as is the case for other approaches based on backward and forward exploration of the state space of the system. We formally prove the correctness of the algorithm and show that, in the category of state-dependent controllers based on the restriction of firing intervals, the algorithm proposed in this thesis synthesizes maximally permissive controllers. In order to attenuate the state explosion problem, we show how to efficiently combine this approach with an abstraction by inclusion, convex union or convex hull. Afterwards, we discuss the compatibility of this method with distributed systems and decentralized controllers. Finally, we apply this algorithm to control TPNs with controllable and uncontrollable transitions by stopwatch. In this approach, we find the subintervals violating the given properties, and our objective is to suspend the tasks (transitions) during their bad subintervals and to resume them later. The controller is synthesized through the same algorithm already introduced. In this approach, we propose controlling time Petri nets by associating stopwatches with controllable transitions, thereby obtaining controlled time Petri nets.

    An Experiment in Design and Analysis of Real-Time Applications

    This paper presents experiences from joining two methodologies, originally developed independently at different institutions, with the goal of overcoming the discrepancies that can arise from the separate design of the hardware and software parts of an embedded real-time application. Based on Multiprocessor PEARL, Specification PEARL has been developed at FERI, Maribor; with it, the hardware and system architecture of an application can be described and gradually refined. Application software can be designed using the LACATRE tool, developed at INSA, Lyon. Design decisions taken in each tool influence those taken in the other, thus allowing for parallel design of both parts. Both designs are subsequently verified and eventually joined for feasibility estimation by co-simulation. The application program is coded in the ObjectPEARL language. The real-time system design cycle is closed by execution-time analysis and measurements, on the basis of which further reconfiguration of the program and/or the hardware part is considered. This feature is supported by a specific compiler that includes the execution-time analyser. The article reports on work done in the framework of the PROTEUS project in co-operation between the teams from FERI Maribor, Slovenia, and INSA de Lyon, France.

    Towards a new methodology for design, modelling, and verification of reconfigurable distributed control systems based on a new extension to the IEC 61499 standard

    In order to meet user requirements and system environment changes, reconfigurable control systems must dynamically adapt their structure and behaviour without disrupting system operation. The IEC 61499 standard provides limited support for the design and verification of such systems. In fact, handling different reconfiguration scenarios at runtime is difficult since function blocks in IEC 61499 cannot be changed at run-time. Hence, this thesis promotes an IEC 61499 extension called the reconfigurable function block (RFB) that increases design readability and smoothly switches to the most appropriate behaviour when a reconfiguration event occurs. To ensure system feasibility after reconfiguration, in addition to qualitative verification, quantitative verification based on probabilistic model checking is addressed in a new RFBA approach. The latter transforms the designed RFB model automatically into a generalised reconfigurable timed net condition/event system model (GR-TNCES) using a newly developed environment called RFBTool. The GR-TNCES fits well with RFB and preserves its semantics. Using the probabilistic model checker PRISM, the generated GR-TNCES model is checked against properties specified in computation tree logic. As a result, an evaluation of system performance and an estimation of reconfiguration risks are obtained. The RFBA methodology is applied to a distributed power system case study.

    German abstract (translated): Dynamic requirements and environments demand reconfigurable plants and control systems. Reconfiguration allows a system to adapt its structure and behaviour to internal or external changes. The IEC 61499 standard was developed for building (distributed) control systems based on function blocks. However, it offers little support for design and verification. The fact that a reconfiguration changes the system's execution model makes development in IEC 61499 even harder. This dissertation therefore proposes reconfigurable function blocks (RFBs) as an extension of the standard. An RFB processes reconfiguration events via a master-slave automaton and triggers the corresponding behaviour. This hierarchy separates the reconfiguration model from the control model and thus simplifies the design. The functionality of the design must be verified so that the executability of the system after a reconfiguration is guaranteed. To this end, the designed RFB model is automatically translated into a generalised reconfigurable timed net condition/event system. This is checked for qualitative and quantitative properties with the model checker PRISM. In this way, an evaluation of system performance and an estimate of the reconfiguration risks are obtained. The RFB methodology was implemented in a software tool and applied to a decentralised power grid in a case study.